- Kill chain
- Pyramid of pain
- Vulnerability types
- Threat hunting
- Cryptography attacks
- Network attacks
- Application attacks
- Social engineering
- Malware
- Infrastructure attacks
Kill chain
- reconnaissance
- weaponization
- delivery
- exploitation
- installation
- C&C
- actions
Pyramid of pain
- levels
- trivial: hash values
- easy: IP addresses
- simple: domain names
- annoying: artifacts (network, host)
- challenging: tools
- hard: TTPs
Vulnerability types
- human
- process
- software
- hardware
Threat hunting
TaHITI
- targeted hunting integrating threat intelligence
- hypothesis driven
- stage
- initiation
- hunt
- finalize
MITRE
ATT&CK
- adversarial tactics, techniques & common knowledge
- reconnaissance
- resource development
- initial access
- execution
- persistence
- privilege escalation
- defense evasion
- credential access
- discovery
- lateral movement
- collection
- command & control
- exfiltration
- impact
- threat hunting
- hacking technique descriptions and relevant mitigations
CAPEC and CWE
- common attack pattern enumeration and classification; common weakness enumeration
- app security focus, defense oriented
- weakness and attack cross-reference
- community-led
- attack domains
- software
- hardware
- communications
- supply chain
- social engineering
- physical security
- attack mechanisms
- engage in deceptive interaction
- abuse existing functionality
- manipulate data structures
- manipulate system resources
- inject unexpected items
- employ probabilistic techniques
- manipulate timing and state
- collect and analyze information
- subvert access control
Cryptography attacks
Padding oracle
- on CBC mode – without integrity check
- side channel attack
- PKCS padding: 0x01 for 1-byte padding, 0x0202 for 2-byte padding…
- CBC: Cᵢ₋₁ ⊕ D(Cᵢ) → change in Cᵢ₋₁ has the same effect on Pᵢ
- message consists of 2 blocks: C₁ and C₂
- add O to C₁: C₁ ⊕ O
- if decryption is correct, then the last bytes – PKCS padding
- if last byte is 0x01, then change in second-to-last byte has no effect (1 byte padding)
- if last bytes are 0x0202, then change in second-to-last byte corrupts decryption but change in third-to-last does not
- last padding byte with modification is known – X, with Õ ⊕ C₁
- P₂ = C₁ ⊕ D(C₂), X = C₁ ⊕ Õ ⊕ D(C₂) ⟹ P₂ = X ⊕ Õ – byte of P₂ is decrypted
- other bytes in block can be decrypted by choosing Õ for another padding (e.g. 0x0202) if necessary
- other blocks can be decrypted by replacing last block with target block
- Cₙ → Cᵢ
- X = D(Cᵢ) ⊕ (Cₙ₋₁ ⊕ Õ)
- Pᵢ = D(Cᵢ) ⊕ Cᵢ₋₁
- Pᵢ = X ⊕ (Cₙ₋₁ ⊕ Õ) ⊕ Cᵢ₋₁
- at most 255 attempts to decrypt a byte
Network attacks
Reconnaissance
- ICMP mask reply: correct subnet mask returned
- ICMP unreachable
- ICMP redirect
- IRDP
- Firewalk
- TTL is larger by 1 than scanned GW
- time exceeded = pass
- no response = ACL drop ⇒ ACL mapping
- ICMP tunneling (LOKI)
- OS fingerprinting
- ICMP reply TTL: Windows = 128, Linux = 64
DNS
- fast flux: rapid change of IP address for domain name + low TTL ⇒ IP blacklist bypass
- double fast flux: IP address for authoritative NS also changes the same way
- DGA
- domain generation algorithm
- changes domain name, IP remains the same
- subdomain can be used to exfiltrate data (e.g., <hex>.example.com)
- DNS Amplification
- DDoS
- amplifies traffic volume: small request → large response
- attacker usually spoofs victim’s address
ICMP
- LOKI: covert channel
- Smurf: directed broadcast ping from spoofed victim address
UDP
- Fraggle: Smurf with UDP
- LOIC
- low orbital ion cannon
- volumetric DDoS (can use TCP)
- C#
TCP
- SYN flood
- Xmas: all flags = 1
- Teardrop: oversized TCP segments, bug prevents reassembly
- Land: src IP = dst IP, src port = dst port; SYN → loop → crash
TLS/SSL
Logjam
- downgrade DH to weak ciphersuites
- weak ciphers ≡ US export restrictions (DHE_EXPORT)
- 512-bit parameters are picked
- MITM attacker modifies Client Hello to remove strong ciphers
- mitigation
- disable DHE_EXPORT
Poodle
- downgrade TLS to SSLv3 and execute oracle attack on CBC
- SSLv3 does not include padding in HMAC
- PKCS padding: last padding byte – padding length (excluding length byte)
- have to match the original length for HMAC to succeed
- HTTP has predictable format: attacker can influence padding length (e.g. XSS with JS code appending URI) – e.g., 0x01
- SSLv3 does not include padding in HMAC
- mitigation
- disable SSLv3
- client responds with TLS_FALLBACK_SCSV: server is notified about downgrade although client is capable of better cipher ≡ MITM → abort connection
Heartbleed
- OpenSSL did not check that claim keepalive message length corresponded to actual length
- 10 KB payload
- 20 KB claimed
- 20 KB buffer is allocated and sent back – buffer over-read
Application attacks
OS
- replace system libraries with forged malicious code in RAM: fixed with address space randomization (ASLR)
- execute code from non-code section: NX-bit (no-execute) on data memory pages
Web
- 302 cushioning
- HTTP redirect to proxy (gate) that forwards further to malware page
- gate addresses change frequently
- Slowloris: small HTTP requests to keep connection open, does not finish transactions
- HOIC:
- high orbit ion cannon
- HTTP DDoS
- C#
XSS
- cross-site scripting
- code insertion into a resource (e.g. script in MouseHover for image)
- user privileges
- mitigation: sanitize + escape input (replace special symbols ⇒ no longer a valid code)
- types:
- reflected: code received as an insertion from trusted website (URL, submit a form) through other channel (e.g. e-mail)
- persistent: code is stored in DB, website
- DOM-based: if page modifies itself based on URL, script ca be inserted into URL
CSRF
- cross-site request forgery
- provides URL with malicious parameters, utulizing further legitimate cookies on behalf of user
- mitigation
- POST, PUT, PATCH, DELETE: demand secret random token in request body that is allocated for the session
Input
- path traversal: using .. in URL
- Unicode encoding: replaces symbols with code = obfuscation + string filter bypass
DB
- inference
- figure out all info from pieces using aggregation
- mitigation: context-dependent access control
- cell suppression: does not show specific cells
- partitioning
- divide DB into pieces
- compicates inference
- noise: bogus info
- polyinstantiation
- several entries for same primary key
- entry is returned based on access level of requester ⇒ disinformation
- SQL Hammer: SQL keepalive spoofed from another server ⇒ keepalive loop
SQL injection
- whitelisting: permitting only specific symbols
- accept data only as paramters
- validate parameters
- Python: Cerberus with YAML ≈ XML schema
- types:
- inline: open feedback from SQL engine (e.g. debug) – get data directly
- blind: closed feedback (valid result or generic error only) from SQL engine – true/false based checks
- double-blind: no feedback from SQL engine (e.g. used only internally) – delay-based checks
Social engineering
Phishing
- spear phishing: targets small group, customized contents
- whaling: targets CxO
- pharming: redirect with DNS (contaminates NS, DHCP, hosts file)
- watering hole: targets specific group, looks as common phishing for the rest
- vishing: voice phishing
- smishing: SMS phishing
- SET toolkit: creates website copies
Malware
Keylogger
- mitigation: on-screen keyboard
Infrastructure attacks
Dictionary
- rainbow table
- human dictionary search
- mitigation
- OTP
- password rotation
- IDS
- complex passwords: length, symbols
- dictionary-cracking tools: requires authorization form management
Bruteforce
- war dialer: search for modems in number pool
- spray:
- try to access many accounts with a few common passwords
- delay after unsuccessful attempt – avoids lockout
- mitigation
- enumeration tool: requires authorization from management
- monitoring
- IDS
- lockout threshold (fail2ban)
Kerberos
- Mimikatz – exploit, steals passwords from RAM
Networking and IT 