
MODULE 3

Vulnerability Data Resources


 A vulnerability is defined as a weakness that allows an attacker to get in and cause harm; it may
be a flaw in design or a misconfiguration.
 To exploit a vulnerability, the attacker needs an applicable tool or technique that
connects to the system weakness.
 The following are the top sources for tracking new vulnerabilities:
1. National Vulnerability Database
 NVD is the U.S. government repository of standards-based vulnerability management
data represented using the Security Content Automation Protocol (SCAP).
 This data enables the automation of vulnerability management, security measurement,
and compliance.
 NVD includes databases of security checklists, security-related software flaws,
misconfigurations, product names, and impact metrics.
2. Common Vulnerabilities And Exposures
 International in scope and free for public use, CVE is a dictionary of publicly known
information security vulnerabilities and exposures.
 CVE’s common identifiers enable data exchange between security products and
provide a baseline index point for evaluating coverage of tools and services.
 Scanning tools most commonly use CVEs for classification.
 SIEM tools would have the CVEs understanding while reporting.
 The CVE master copy can be downloaded from the CVE website, which also lists the CVE
coverage goals. As a more recent feature, a Common Vulnerability Scoring System (CVSS)
calculator has been introduced.
3. CERT Vulnerability Notes
 The CERT Knowledgebase is a collection of internet security information related to
incidents and vulnerabilities.
 The CERT Knowledgebase houses the public Vulnerability Notes Database as well as
two restricted-access components.
 Vulnerability notes include summaries, technical details, remediation information, and
lists of affected vendors.
4. VulnDB – Vulnerability Intelligence
 Risk-Based Security offers the VulnDB, for comprehensive vulnerability intelligence
through a continuously updated data feed.
 Based on the largest and most comprehensive vulnerability database, VulnDB
allows organizations to poll for the latest software security vulnerability
information.
 The VulnDB data feed subscription offering provides organizations with timely,
accurate, and thorough vulnerability information.
 3rd Party Libraries - Over 2,000 software libraries identified and tracked for issues
 RESTful API – Ability to integrate data easily with custom CSV export and a
flexible RESTful API
 Email Alerting – Ability to configure email alerts for multiple email addresses by
Vendor, Product, Version and Search criteria
 Research Team – The vendor's research team performs further in-depth analysis of select
vulnerabilities to provide customers with the most detailed information available on
cause and impact.
 CVE Mapping – ~ 100% mapping to CVE/NVD
 Timely Alerts – 24×365 Monitoring and Alerting
 Risk Scores – Extended classification system and vendor-specific CVSSv2 metrics, as well as
VTEM (Vulnerability Timeline and Exposure Metrics).
 Technical Analysis – Detailed analysis provided for vulnerabilities
 Detailed Information – Over 70 data fields including vulnerability source
information, extensive references, and links to solutions
 Impact Analysis
 Mitigation Guidance
 Links to Security Patches
 Links to Exploits
 Vendor and Product Evaluations
5. DISA IAVA Database And STIGS
 CVE IDs are mapped to the US Defense Information System Agency’s (DISA)
Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on
DISA’s public Security Technical Implementation Guides (STIG) website.
 “IAVA, the DISA-based vulnerability mapping database, is based on existing SCAP
sources, and once in a while it contains details for government systems that are not a
part of the commercial world,” says Morey Haber, VP of technology at BeyondTrust.
“For any vendor doing .gov or .mil work, this reference is a must.”
6. Security Tracker
 Security Tracker is a third-party vulnerability database library that is updated daily.
 “The website tends to focus on non-OS vulnerabilities, but they are certainly included in
the feed,” says Morey Haber, VP of technology at BeyondTrust. “Infrastructure and IoT
tend to make the front page the most, and this site is a good third-party reference for
new flaws.”
7. Open Vulnerability and Assessment Language
 OVAL® is international in scope and free for public use; it is an information security
community effort to standardize how to assess and report upon the machine state of
computer systems.
 OVAL includes a language to encode system details and an assortment of content
repositories held throughout the community.
 Tools and services that use OVAL for the three steps of system assessment —
representing system information, expressing specific machine states, and reporting the
results of an assessment — provide enterprises with accurate, consistent, and actionable
information so they may improve their security.
 Use of OVAL also provides for reliable and reproducible information assurance metrics
and enables interoperability and automation among security tools and services.
8. National Council of ISACs
 Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit,
member-driven organizations formed by critical infrastructure owners and operators to
share information between government and industry.
 The primary goal of ISACs is to quickly disseminate physical and cyberthreat alerts and
other critical information to the member organizations.
 If your business operates within a critical infrastructure sector, consider becoming a
member of an ISAC. Below you’ll find a small portion of the ISACs associated with the
national council of ISACs.

 There are many more on the National Council of ISACs website.
 MS-ISAC (multi-state): The MS-ISAC is the focal point for cyberthreat prevention,
protection, response, and recovery for the nation’s state, local, tribal, and territorial
(SLTT) governments.
 FS-ISAC (financial services): FS-ISAC is the global financial industry’s go-to resource
for cyber and physical threat intelligence analysis and sharing.
 A-ISAC (aviation): The aviation ISAC provides an aviation-focused information sharing
and analysis function to help protect global aviation businesses, operations, and
services.
 AUTO-ISAC (automotive): The automotive ISAC is a non-profit information-sharing
organization that is owned and operated by automotive manufacturers and suppliers —
98% of vehicles on the road in the United States are represented by member companies
in the AUTO-ISAC.
 ONG-ISAC (oil and gas): The oil and natural gas ISAC was created to provide shared
intelligence on cyber incidents, threats, vulnerabilities, and associated responses
present throughout the oil and gas industry.
 NH-ISAC (national healthcare): The official healthcare information sharing and
analysis center offers non-profit and for-profit healthcare stakeholders a community and
forum for sharing cyber and physical threat indicators, best practices, and mitigation
strategies.
 IT-ISAC (information technology): Members participate in national and homeland
security efforts to strengthen the IT infrastructure through cyber information sharing
and analysis.
 There also are a growing number of Information Sharing and Analysis Organizations, or
ISAOs, specific to various industries, groups, and regions. ISAOs stem from a 2015
Executive Order calling for the formation of more intel-sharing groups among specific
communities.

Exploit Databases

 Exploit Database (Exploit DB) is an archive of exploits maintained for the purpose of public
security; the site explains what can be found in the database.
 The Exploit DB is a very useful resource for identifying possible weaknesses in your
network and for staying up to date on current attacks occurring in other networks.
 This archive allows us to learn more about hackers’ methods and increase our own
security accordingly.
 An exploit is a program, or piece of code, designed to find and take advantage of a
security flaw or vulnerability in an application or computer system, typically for
malicious purposes such as installing malware.
 An exploit is not malware itself, but rather it is a method used by cybercriminals to
deliver malware.
 For exploits to be effective, many vulnerabilities require an attacker to initiate a series of
suspicious operations to set up an exploit.
 Typically, the majority of vulnerabilities are the result of a software or system architecture
bug.
 Attackers write their code to take advantage of these vulnerabilities and inject various
types of malware into the system.
 Many software vendors patch known bugs to remove the vulnerability. Security
software also helps by detecting, reporting, and blocking suspicious operations.
 It prevents exploits from occurring and damaging computer systems, regardless of what
malware the exploit was trying to initiate.
 The typical security software implemented by businesses to ward off exploits is referred
to as threat defense or endpoint detection and response (EDR) software.
 Other best practices are to initiate a penetration testing program, which is used to
validate the effectiveness of the defense.
 When developers produce an operating system (OS) for a device, write code for
software, or develop an application, bugs often appear due to inherent imperfections.
 These bugs can create a vulnerability in the system, and an exploit searches out such
vulnerabilities and looks for a way to exploit databases and networks or systems.
 If the bug is not reported and “patched,” it becomes an entryway, so to speak, for cyber
criminals to conduct an exploit.
 With so many devices connected together in the modern world, as in the Internet of
Things (IoT), for example, an exploit does not just compromise a singular device, but it
can become a security vulnerability for a whole network.
 Types of exploits:
1. Known exploits
After an exploit is made known to the authors of the affected software, the vulnerability
is often fixed through a patch to make the exploit unusable. This information is made
available to security vendors as well. For publicly known cybersecurity vulnerabilities,
there are organizations that list each vulnerability and provide an identification number,
a description, and at least one public reference.
2. Unknown exploits
Exploits unknown to everyone but the people who developed them are referred to as
zero-day exploits. These are by far the most dangerous exploits, as they occur when a
software or system architecture contains a critical security vulnerability of which the
vendor is unaware. The vulnerability becomes known when a hacker is detected
exploiting it, hence the term zero-day exploit. Once such an exploit
occurs, systems running the affected software are vulnerable to a cyber-attack. Either
the vendor will eventually release a patch to correct the vulnerability, or security
software detects and blocks the exploit and the resulting malware.
Network Sniffing
 Sniffing is the technique used to continuously monitor and record all data packets that pass
through a network.
 Network/system administrators employ sniffers to monitor and troubleshoot network
traffic.
 Attackers use sniffers to capture data packets carrying sensitive passwords and account
information.
 Sniffers are implemented as hardware or software in the system. A hostile intruder can
gather and analyse all network traffic by using a packet sniffer in promiscuous mode on a
network.
 A packet sniffer is another term for a network sniffer. It is called a packet sniffer because
every packet of data on the network is inspected, for example to diagnose network-related issues.
 The packet sniffer tool is implemented to investigate cybercrime, hackers, and data theft.
It can be employed for both ethical and unethical reasons.
 Network Sniffing can be either Active or Passive.
I. Active Sniffing
 Active sniffing involves sniffing on a switched network.
 A switch is a network device that provides a connection between two points. The
switch controls the flow of data between its ports by continuously checking the MAC
address on each port, ensuring that data is sent to the correct destination.
 Because a switch only forwards frames to the port of their destination, sniffers must actively
inject traffic into the LAN to redirect communication between targets and enable traffic sniffing.
II. Passive Sniffing
 The attacker does not interact with the target in this sniffing.
 They connect to the network and collect packets sent and received by the network
and the packets sent and received between two devices.
 This sniffing is done through the hub. An attacker uses their PC to connect to the
hub. The attacker only needs a LAN account.
 The different types of network sniffers are −
 MAC sniffers − Sniffers used to capture data matching a MAC address filter.
 Protocol sniffer − It sniffs the data on the network for network protocols.
 LAN sniffer − This type of device is primarily employed in internal systems or networks,
and it can inspect an entire range of IP addresses.
 IP sniffers − Sniff all data relevant to a specific IP filter. It records the data packets for
analysis and diagnosis. IP sniffers capture network traffic and log the information,
generally delivered in a human-readable format for analysis. They may be used by
network administrators and hackers of all stripes to assess the current condition of a
network, identify network vulnerabilities, and evaluate network performance.
 ARP sniffers − Rather than packets being delivered only to the intended host, entries are
injected into the ARP caches of both network hosts in this form of sniffing. It
also allows attackers to map IP addresses to MAC addresses and carry out packet spoofing
and poisoning attacks.
 Password sniffers − A technique for extracting information from network traffic to
harvest passwords. Attackers target sessions to steal credentials and other
information. Websites that do not use SSL/TLS encryption to protect their traffic
are vulnerable to attack and exploitation.
 Hackers primarily employ network sniffers to gather information on passwords and other
sensitive information.
 The sniffer decodes data in packets travelling from source to destination, between client
and server, or between organisations. Used maliciously, it acts as a middleman and may employ
packet injection to grab the data.
 For example, a network sniffer can track down someone using too much bandwidth at a
university or company by monitoring network traffic. They are also used to detect
security vulnerabilities in our system.
 Today, however, black hat hacking is a widespread application for them. In the wrong
hands, network sniffing tools can allow anyone with little to no hacking expertise to
monitor network traffic across unsecured WiFi networks to steal passwords and other
sensitive data.
 This reason can give network sniffing tools a bad name, yet network sniffers have many
valid purposes.
 With the software's assistance for sniffing data packets, the Network sniffing tool
intercepts and logs the network traffic. This software allows you to access information
from a whole network or just a segment of one.
 As we all know, networks send data in packets. The data can be large, and transmitting it
all in one packet would place a load on the network and risk the data's integrity.
 As a result, a data file is usually broken down into small parts before being sent to
the intended location.
 Each data packet carries the destination address, the number of packets, the reassembly
order, and the source address.
 The data packet's headers and footers are stripped after it arrives at its destination. A filter
on the network can discard packets that are not addressed to that network.
 After network data has been captured, the following steps are taken −
 Individual packets (sections of network data) or their contents are recorded.
 Software only saves the header segment of data packets to save space.
 The user can access and evaluate the information when the network data has been
decoded and formatted.
 Packet sniffers examine network communication failures, troubleshoot network
connections, and reconstruct whole data-streams meant for other computers.
 Some network sniffing applications retrieve passwords, PINs, and other confidential
information.
 There are a lot of network sniffer tools out there. These tools continuously monitor or
sniff data flowing via computer network links.
 This software tool might be a standalone program or a physical device with the necessary
software or firmware.
 Sniffers capture snapshots of data flowing across a network without rerouting or
modifying it.
 Some sniffers are only compatible with TCP/IP packets, but more advanced tools work
with a wide range of network protocols and at lower levels, including Ethernet frames.
Each tool has its own set of features and benefits.
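The header-only capture described above (addresses, fragmentation and reassembly fields recorded, payload discarded) is illustrated by the following added example, which is not from the notes: a small decoder for Ethernet, IPv4 and TCP headers that also verifies the IPv4 header checksum, the kind of work a tool such as Wireshark does per frame. The frame it parses is constructed in the code, not captured from a network.

```python
import struct

# Added example (not from the notes): a header-only decoder of the kind a packet sniffer
# applies to each captured Ethernet frame. It records addresses, fragmentation fields
# and the TCP ports, verifies the IPv4 header checksum, and drops the payload.

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode Ethernet + IPv4 (+ TCP) headers of one frame into a dict; no payload is kept."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"eth_src": fmt_mac(src), "eth_dst": fmt_mac(dst), "ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return rec
    ip = frame[14:]
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    rec.update({
        "ip_version": vihl >> 4,
        "ip_src": fmt_ip(src_ip), "ip_dst": fmt_ip(dst_ip),
        "ip_id": ident, "ttl": ttl, "protocol": proto, "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # reassembly position in bytes
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    if proto == 6 and rec["fragment_offset"] == 0:      # TCP header lives in the first fragment
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
        doff = (off_flags >> 12) * 4
        rec["tcp"] = {
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
            "payload_len": total_len - ihl - doff,
        }
    return rec


def build_sample_frame(payload=b"GET / HTTP/1.1\r\n"):
    """Constructed sample frame: TCP PSH|ACK from 192.0.2.10:51000 to 198.51.100.5:80."""
    tcp = struct.pack("!HHIIHHHH", 51000, 80, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_zero = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                          bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip_zero[:10] + struct.pack("!H", ipv4_checksum(ip_zero)) + ip_zero[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"),
                      bytes.fromhex("001122334455"), 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```

A record like this is what ends up in a capture file when only headers are saved; the checksum check is the cheap way to notice a frame that was damaged or tampered with in transit.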
 Some of the popular network sniffing tools are −
 Wireshark,
 TCPdump,
 Microsoft Message Analyzer,
 EtherApe, and
 Network Miner.
 Any information can be captured, such as the websites visited by the user, contents on the
websites or emails, and details about any downloaded files using a sniffer tool.
 Businesses frequently use protocol analyzers to track employee network usage, and such analyzers
are included in many reputable antivirus software packages.
 Outward-facing sniffers examine incoming network traffic for specific elements of
malicious code, assisting in preventing computer virus infections and the spread of
malware.

Man-in-the-Middle (MITM) Attack

 A common type of cybersecurity attack that allows attackers to eavesdrop on the
communication between two targets.
 The attack takes place in between two legitimately communicating hosts, allowing the
attacker to “listen” to a conversation they should normally not be able to listen to, hence
the name “man-in-the-middle.”
 Types of Man-in-the-Middle Attacks
Rogue Access Point
Devices equipped with wireless cards will often try to auto-connect to the access point
that is emitting the strongest signal. Attackers can set up their own wireless access point
and trick nearby devices to join its domain. All of the victim’s network traffic can now be
manipulated by the attacker. This is dangerous because the attacker does not even have to
be on a trusted network to do this—the attacker simply needs a close enough physical
proximity.

ARP Spoofing
ARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC
(media access control) addresses in a local area network. When a host needs to talk to a host
with a given IP address, it references the ARP cache to resolve the IP address to a MAC
address. If the address is not known, a request is made asking for the MAC address of the
device with the IP address.

An attacker wishing to pose as another host could respond to requests it should not be
responding to with its own MAC address. With some precisely placed packets, an attacker
can sniff the private traffic between two hosts. Valuable information can be extracted from
the traffic, such as the exchange of session tokens, yielding full access to application accounts
that the attacker should not be able to access.

mDNS Spoofing

Multicast DNS is similar to DNS, but it’s done on a local area network (LAN) using
broadcast like ARP. This makes it a perfect target for spoofing attacks. The local name
resolution system is supposed to make the configuration of network devices extremely
simple. Users don’t have to know exactly which addresses their devices should be
communicating with; they let the system resolve it for them.

Devices such as TVs, printers, and entertainment systems make use of this protocol since
they are typically on trusted networks. When an app needs to know the address of a certain
device, such as tv.local, an attacker can easily respond to that request with fake data,
instructing it to resolve to an address it has control over. Since devices keep a local cache of
addresses, the victim will now see the attacker’s device as trusted for a duration of time.

DNS Spoofing

Similar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves
domain names to IP addresses. When using a DNS spoofing attack, the attacker attempts to
introduce corrupt DNS cache information to a host in an attempt to access another host using
their domain name, such as www.onlinebanking.com. This leads to the victim sending
sensitive information to a malicious host, with the belief they are sending information to a
trusted source. An attacker who has already spoofed an IP address could have a much easier
time spoofing DNS simply by resolving the address of a DNS server to the attacker’s address.

 Man-in-the-Middle Attack Techniques

Sniffing

Attackers use packet capture tools to inspect packets at a low level. Using specific wireless
devices that are allowed to be put into monitoring or promiscuous mode can allow an attacker
to see packets that are not intended for it to see, such as packets addressed to other hosts.

Packet Injection

An attacker can also leverage their device’s monitoring mode to inject malicious packets into
data communication streams. The packets can blend in with valid data communication
streams, appearing to be part of the communication, but malicious in nature. Packet injection
usually involves first sniffing to determine how and when to craft and send packets.

Session Hijacking

Most web applications use a login mechanism that generates a temporary session token to use
for future requests to avoid requiring the user to type a password at every page. An attacker
can sniff sensitive traffic to identify the session token for a user and use it to make requests as
the user. The attacker does not need to spoof once he has a session token.

SSL Stripping

Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL
stripping to intercept packets and alter their HTTPS-based address requests to go to their
HTTP equivalent endpoint, forcing the host to make requests to the server unencrypted.
Sensitive information can be leaked in plain text.

 How to Detect a Man-in-the-Middle Attack

Detecting a Man-in-the-middle attack can be difficult without taking the proper steps. If
you aren't actively searching to determine if your communications have been intercepted,
a Man-in-the-middle attack can potentially go unnoticed until it's too late. Checking for
proper page authentication and implementing some sort of tamper detection are typically
the key methods to detect a possible attack, but these procedures might require extra
forensic analysis after-the-fact.
It's important to take precautionary measures to prevent MITM attacks before they occur,
rather than attempting to detect them while they are actively occurring. Being aware of
your browsing practices and recognizing potentially harmful areas can be essential to
maintaining a secure network. Below, we have included five of the best practices to
prevent MITM attacks from compromising your communications.
 Man-in-the-Middle (MITM) Attack Prevention

Strong WEP/WAP Encryption on Access Points

Having a strong encryption mechanism on wireless access points prevents unwanted users
from joining your network just by being nearby. A weak encryption mechanism can allow
an attacker to brute-force his way into a network and begin man-in-the-middle attacking.
The stronger the encryption implementation, the safer.

Strong Router Login Credentials

It’s essential to make sure your default router login is changed. Not just your Wi-Fi
password, but your router login credentials. If an attacker finds your router login
credentials, they can change your DNS servers to their malicious servers. Or even worse,
infect your router with malicious software.

Virtual Private Network

VPNs can be used to create a secure environment for sensitive information within a local
area network. They use key-based encryption to create a subnet for secure
communication. This way, even if an attacker happens to get on a network that is shared,
he will not be able to decipher the traffic in the VPN.

Force HTTPS

HTTPS can be used to securely communicate over HTTP using public-private key
exchange. This prevents an attacker from having any use of the data he may be sniffing.
Websites should only use HTTPS and not provide HTTP alternatives. Users can install
browser plugins to enforce always using HTTPS on requests.
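The server side of "force HTTPS", together with the session-token exposure described under Session Hijacking and SSL Stripping, is shown in the following added example. It is not from the notes: a WSGI middleware that redirects plain-HTTP requests to HTTPS, adds a Strict-Transport-Security header so a browser will refuse a later HTTP downgrade, and adds Secure, HttpOnly and SameSite attributes to session cookies so the token is never sent over a sniffable HTTP connection. The demo application, hostnames and cookie value are constructed.

```python
from urllib.parse import quote

# Added example (not from the notes): a WSGI middleware that redirects plain-HTTP requests
# to HTTPS, adds an HSTS header so browsers refuse to downgrade later, and makes sure
# session cookies carry Secure/HttpOnly/SameSite so a sniffed HTTP exchange cannot carry
# the token. The demo app, hostnames and cookie value are constructed.

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ, trust_proxy_header=False):
    """True when the request arrived over TLS. X-Forwarded-Proto is client-settable, so it
    is only honoured when the app sits behind a TLS-terminating proxy you control."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return trust_proxy_header and environ.get("HTTP_X_FORWARDED_PROTO") == "https"


def harden_cookie(value):
    """Append Secure, HttpOnly and SameSite=Lax to a Set-Cookie value unless already present."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    if "samesite" not in attrs:
        parts.append("SameSite=Lax")
    return "; ".join(parts)


def force_https(app, trust_proxy_header=False):
    def middleware(environ, start_response):
        if not is_https(environ, trust_proxy_header):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            headers = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, secured_start_response)
    return middleware


def demo_app(environ, start_response):
    """Constructed application that issues a session cookie without any protective flags."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"hello"]


def call(app, environ):
    """Run a WSGI app in-process; returns (status, {header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


# Constructed environs: the same request over plain HTTP and over HTTPS.
HTTP_ENV = {"wsgi.url_scheme": "http", "HTTP_HOST": "bank.example",
            "PATH_INFO": "/login", "QUERY_STRING": "next=1", "REQUEST_METHOD": "GET"}
HTTPS_ENV = dict(HTTP_ENV, **{"wsgi.url_scheme": "https", "QUERY_STRING": ""})

if __name__ == "__main__":
    secured = force_https(demo_app)
    print(call(secured, HTTP_ENV))
    print(call(secured, HTTPS_ENV))
```

The redirect alone does not stop SSL stripping, because the attacker can answer the first HTTP request himself; the HSTS header is what closes that window for every later visit, and the Secure flag is what keeps the cookie out of any HTTP request the browser is tricked into sending.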

Public Key Pair Based Authentication

Man-in-the-middle attacks typically involve spoofing something or another. Public key
pair based authentication like RSA can be used in various layers of the stack to help
ensure that the things you are communicating with are actually the things you want to
be communicating with.
ARP Spoofing (ARP Attacks)
 ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack
that allows attackers to intercept communication between network devices.
 The attack works as follows:
1. The attacker must have access to the network. They scan the network to determine the
IP addresses of at least two devices—let’s say these are a workstation and a router.
2. The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged
ARP responses.
3. The forged responses advertise that the correct MAC address for both IP addresses,
belonging to the router and workstation, is the attacker’s MAC address. This fools
both router and workstation to connect to the attacker’s machine, instead of to each
other.
4. The two devices update their ARP cache entries and from that point onwards,
communicate with the attacker instead of directly with each other.
5. The attacker is now secretly in the middle of all communications.
 The ARP spoofing attacker pretends to be both sides of a network communication channel
 Once the attacker succeeds in an ARP spoofing attack, they can:
1. Continue routing the communications as-is—the attacker can sniff the packets and steal
data, except if it is transferred over an encrypted channel like HTTPS.
2. Perform session hijacking—if the attacker obtains a session ID, they can gain access to
accounts the user is currently logged into.
3. Alter communication—for example pushing a malicious file or website to the
workstation.
4. Distributed Denial of Service (DDoS)—the attackers can provide the MAC address of a
server they wish to attack with DDoS, instead of their own machine. If they do this for a
large number of IPs, the target server will be bombarded with traffic.
 There is a simple way to detect that a specific device's ARP cache has been poisoned using the
command line. Start an operating system shell as an administrator and use the following
command to display the ARP table, on both Windows and Linux:
arp -a

 If the table contains two different IP addresses that have the same MAC address, this
indicates an ARP attack is taking place.
 To discover ARP spoofing in a large network and get more information about the type of
communication the attacker is carrying out, you can use the open source Wireshark
protocol analyzer.
 A few best practices that can help you prevent ARP Spoofing on your network:
 Use a Virtual Private Network (VPN)—a VPN allows devices to connect to the Internet
through an encrypted tunnel. This makes all communication encrypted, and worthless for
an ARP spoofing attacker.
 Use static ARP—the ARP protocol lets you define a static ARP entry for an IP address,
and prevent devices from listening on ARP responses for that address. For example, if a
workstation always connects to the same router, you can define a static ARP entry for that
router, preventing an attack.
 Use packet filtering—packet filtering solutions can identify poisoned ARP packets by
seeing that they contain conflicting source information, and stop them before they reach
devices on your network.
 Run a spoofing attack—check if your existing defenses are working by mounting a
spoofing attack, in coordination with IT and security teams. If the attack succeeds,
identify weak points in your defensive measures and remediate them.

Denial of Service Attacks

 A denial-of-service (DoS) attack is a type of cyber-attack in which a malicious actor aims
to render a computer or other device unavailable to its intended users by interrupting the
device's normal functioning.
 DoS attacks typically function by overwhelming or flooding a targeted machine with
requests until normal traffic is unable to be processed, resulting in denial-of-service to
additional users.
 A DoS attack is characterized by using a single computer to launch the attack.
 A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from
many distributed sources, such as a botnet DDoS attack.
 The primary focus of a DoS attack is to oversaturate the capacity of a targeted machine,
resulting in denial-of-service to additional requests.
 The multiple attack vectors of DoS attacks can be grouped by their similarities.
 DoS attacks typically fall into two categories:
Buffer overflow attacks
An attack type in which a memory buffer overflow can cause a machine to consume all
available hard disk space, memory, or CPU time. This form of exploit often results in
sluggish behavior, system crashes, or other deleterious server behaviors, resulting in
denial-of-service.
Flood attacks
By saturating a targeted server with an overwhelming number of packets, a malicious
actor is able to oversaturate server capacity, resulting in denial-of-service. In order for
most DoS flood attacks to be successful, the malicious actor must have more available
bandwidth than the target.
 Historically, DoS attacks typically exploited security vulnerabilities present in network,
software and hardware design. These attacks have become less prevalent as DDoS attacks
have a greater disruptive capability and are relatively easy to create given the available
tools. In reality, most DoS attacks can also be turned into DDoS attacks.
 A few common historic DoS attacks include:
Smurf attack - a previously exploited DoS attack in which a malicious actor utilizes the
broadcast address of a vulnerable network by sending spoofed packets, resulting in the
flooding of a targeted IP address.
Ping flood - this simple denial-of-service attack is based on overwhelming a target with
ICMP (ping) packets. By inundating a target with more pings than it is able to respond to
efficiently, denial-of-service can occur. This attack can also be used as a DDoS attack.
Ping of Death - often conflated with a ping flood attack, a ping of death attack involves
sending a malformed packet to a targeted machine, resulting in deleterious behavior such
as system crashes.
 While it can be difficult to separate an attack from other network connectivity errors or
heavy bandwidth consumption, some characteristics may indicate an attack is underway.
 Indicators of a DoS attack include:
o Atypically slow network performance such as long load times for files or websites
o The inability to load a particular website such as your web property
o A sudden loss of connectivity across devices on the same network
 With Denial of Service (DoS) attacks becoming more frequent, it is a good time to review
the basics and how we can fight back.
Cloud Mitigation Provider – Cloud mitigation providers are experts at providing DDoS
mitigation from the cloud. This means they have built out massive amounts of network
bandwidth and DDoS mitigation capacity at multiple sites around the Internet that can
take in any type of network traffic, whether you use multiple ISPs, your own data center,
or any number of cloud providers. They can scrub the traffic for you and only send
“clean” traffic to your data center.
Firewall – This is the simplest and least effective method. Python scripts are often written
to filter out malicious traffic, or existing firewalls can be utilized by enterprises to block
such traffic.
Internet Service Provider (ISP) – Some enterprises use their ISP to provide DDoS
mitigation. These ISPs have more bandwidth than an enterprise would, which can help
with large volumetric attacks.
 Features to help mitigate these attacks:
Network Segmentation: Segmenting the network can help prevent a DoS attack from
spreading throughout the entire network. This limits the impact of an attack and helps to
isolate the affected systems.
Implement Firewalls: Firewalls can help prevent DoS attacks by blocking traffic from
known malicious IP addresses or by limiting the amount of traffic allowed from a single
source.
Use Intrusion Detection and Prevention Systems: Intrusion Detection and Prevention
Systems (IDS/IPS) can help to detect and block DoS attacks by analyzing network traffic
and blocking malicious traffic.
Limit Bandwidth: Implementing bandwidth limitations on incoming traffic can help
prevent a DoS attack from overwhelming the network or server.
Implement Content Delivery Network (CDN): A CDN can help to distribute traffic and
reduce the impact of a DoS attack by distributing the load across multiple servers.
Use Anti-Malware Software: Anti-malware software can help to detect and prevent
malware from being used in a DoS attack, such as botnets.
Perform Regular Network Scans: Regular network scans can help identify vulnerabilities
and misconfigurations that can be exploited in a DoS attack. Patching these
vulnerabilities can prevent a DoS attack from being successful.
Develop a Response Plan: Having a DoS response plan in place can help minimize the
impact of an attack. This plan should include steps for identifying the attack, isolating
affected systems, and restoring normal operations.
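The two ideas above, a flood showing up as an abnormal per-source packet rate (the indicators list) and the firewall control of limiting traffic from a single source (the mitigation list), as one added Python example. This is not code from the original module; the packet records are constructed, and the window, threshold, rate and burst values are assumptions chosen for the sample.

```python
"""Flood detection and per-source rate limiting for DoS traffic.

Added example for this module; not code from the original document.
The packet records below are constructed: (timestamp_ms, source_ip, protocol).
"""
from collections import defaultdict, deque

# Constructed sample traffic. 198.51.100.7 sends 2000 ICMP packets in 2 s (a
# ping flood); the other two sources behave like ordinary clients.
SAMPLE_PACKETS = (
    [(i, "198.51.100.7", "ICMP") for i in range(2000)]
    + [(i * 50, "203.0.113.4", "TCP") for i in range(40)]
    + [(500 + i * 100, "192.0.2.9", "TCP") for i in range(10)]
)


def flood_sources(packets, window_ms=1000, threshold=500):
    """Return {source_ip: peak packets per window} for sources over threshold.

    A sliding window of timestamps is kept per source; the largest number of
    packets seen inside any single window is the source's peak rate.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, _proto in sorted(packets):
        q = windows[src]
        q.append(ts)
        while ts - q[0] > window_ms:      # evict timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


class TokenBucket:
    """Per-source token bucket: `rate` packets/second sustained, `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_ms = {}

    def allow(self, src, now_ms):
        elapsed_s = (now_ms - self.last_ms.get(src, now_ms)) / 1000.0
        self.last_ms[src] = now_ms
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed_s * self.rate)
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def apply_rate_limit(packets, rate=100, burst=50):
    """Return {source_ip: (passed, dropped)} after per-source limiting."""
    bucket = TokenBucket(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, src, _proto in sorted(packets):
        stats[src][0 if bucket.allow(src, ts) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


if __name__ == "__main__":
    print("flood sources:", flood_sources(SAMPLE_PACKETS))
    print("after rate limit:", apply_rate_limit(SAMPLE_PACKETS))
```

The sliding window flags only the flooding source; the token bucket lets the two ordinary clients through untouched while the flood is cut to roughly the sustained rate. Note the caveat from the text: a per-source limit helps against a single-source DoS but not against a distributed attack where each source stays under the threshold.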
Hijacking Session with MITM Attack
 Session hijacking is a type of MITM attack in which the attacker waits for a victim to log
in to an application, such as for banking or email, and then steals the session cookie.
 The attacker then uses the cookie to log in to the same account owned by the victim but
instead from the attacker's browser.
 A session is a piece of data that identifies a temporary information exchange between two
devices or between a computer and a user.
 Attackers exploit sessions because they are used to identify a user that has logged in to a
website. However, attackers need to work quickly as sessions expire after a set amount of
time, which could be as short as a few minutes.
 The Session Hijacking attack consists of the exploitation of the web session control
mechanism, which is normally managed by a session token.
 Because HTTP communication uses many different TCP connections, the web server needs
a method to recognize every user’s connection.
 The most common method depends on a token that the web server sends to the client
browser after a successful client authentication.
 A session token is normally a string of variable width, and it can be carried in
different ways: in the URL, in an HTTP request header as a cookie, in other
parts of the HTTP request header, or in the body of the HTTP request.
 The Session Hijacking attack compromises the session token by stealing or predicting a
valid session token to gain unauthorized access to the Web Server.
 The session token could be compromised in different ways; the most common are:
o Predictable session token;
o Session Sniffing;
o Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
o Man-in-the-middle attack
o Man-in-the-browser attack
 In the typical example, the attacker first uses a sniffer to capture a valid session
token (the “Session ID”), then uses that token to gain unauthorized access to the
Web Server.
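The first compromise route in the list above, a predictable session token, as an added Python example (not code from the original module). Both session stores are hypothetical designs written for illustration: the weak one derives its token from an incrementing counter, which an attacker who has seen one token can reverse and step forward; the strong one draws the token from the operating system's CSPRNG.

```python
"""Session-token predictability: a weak scheme an attacker can forecast versus a
random one. Added example for this module, not code from the original document;
both session stores are hypothetical designs written for illustration."""
import hashlib
import secrets
from itertools import count


class WeakSessionStore:
    """Hypothetical weak design: the token is MD5 of an incrementing counter.

    It looks random but is fully determined by the counter, so anyone who has
    seen one token can compute the tokens issued just before and after it."""

    def __init__(self, start=1000):
        self._counter = count(start)
        self.sessions = {}

    def login(self, user):
        token = hashlib.md5(str(next(self._counter)).encode()).hexdigest()
        self.sessions[token] = user
        return token

    def whoami(self, token):
        return self.sessions.get(token)


class StrongSessionStore(WeakSessionStore):
    """Same interface, but tokens come from the OS CSPRNG (256 bits)."""

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token


def predict_next_token(observed, search_space=100_000):
    """Attacker model: recover the counter behind an observed token by brute
    force, then return the token the server would issue next (or None)."""
    for n in range(search_space):
        if hashlib.md5(str(n).encode()).hexdigest() == observed:
            return hashlib.md5(str(n + 1).encode()).hexdigest()
    return None


def hijack_via_prediction(store, observed_token):
    """Present the predicted token to the server; returns the victim's identity
    if the session was taken over, else None."""
    guess = predict_next_token(observed_token)
    return store.whoami(guess) if guess else None


if __name__ == "__main__":
    weak = WeakSessionStore()
    attacker = weak.login("attacker")   # attacker logs in and observes own token
    weak.login("victim")                # victim logs in right after
    print("weak store, hijacked:", hijack_via_prediction(weak, attacker))
    strong = StrongSessionStore()
    attacker = strong.login("attacker")
    strong.login("victim")
    print("strong store, hijacked:", hijack_via_prediction(strong, attacker))
```

The attacker here needs no sniffer at all: a legitimate account of their own is enough to observe one token and forecast the next. Hashing the counter does not help, because the input space is tiny; only a token with real entropy (here 256 bits from `secrets`) removes the prediction path.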
DNS Spoofing
 The Domain Name System (DNS) converts a human-readable name to a numeric IP
address.
 The DNS system responds with one or more IP addresses for a name (such as
geeksforgeeks.org), and your computer connects to the website using one of them.
 There is not only one DNS server. A series of DNS servers is used to resolve a
domain name.
 DNS uses a cache to work efficiently, so that it can quickly reuse lookups it has
already performed rather than performing the same lookup over and over again.
 Although DNS caching speeds up the domain name resolution process, it also means that a
major change to a domain's records can take up to a day or more, depending on the
records' TTLs, to be reflected worldwide.
 DNS spoofing means getting a wrong entry, or a wrong IP address for the requested site,
back from a DNS server.
 Attackers find flaws in the DNS system, take control of the resolution process, and
redirect the user to a malicious website.
1. Request to real website: the user requests a particular website; the request goes to the
DNS server to resolve the IP address of that website.
2. Inject fake DNS entry: the attacker, having already taken control of the DNS server (or its
cache) by exploiting a flaw, adds false entries to it.
3. Resolve to fake website: the fake entry in the DNS server redirects the user to
the wrong website.
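The three-step flow above, as an added Python example that is not part of the original module. It models the injection from the resolver's side: a stub resolver only accepts a response whose transaction ID, destination port, question and source address all match a query it actually sent, and an off-path attacker (who cannot see the query) floods forged answers carrying the real server's address and every possible 16-bit transaction ID. Message fields are modelled with dataclasses rather than real wire-format packets; the addresses, the fixed port number and the `example.test` name are assumptions.

```python
"""Resolver-side check against spoofed DNS responses.

Added example for this module, not code from the original document. It models
a stub resolver that only accepts a response if its transaction ID, destination
port, question and source address all match a query it actually sent, and an
off-path attacker who floods guessed responses."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    txid: int
    src_port: int
    qname: str
    qtype: str
    server: str          # IP the query was sent to


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answer: str
    src: str             # IP the response claims to come from


class StubResolver:
    FIXED_PORT = 53000   # weak configuration: every query leaves from one port

    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}    # (txid, src_port) -> DnsQuery
        self.cache = {}      # (qname, qtype) -> answer

    def send_query(self, qname, qtype, server):
        txid = secrets.randbelow(1 << 16)
        port = secrets.randbelow(64512) + 1024 if self.randomize_port else self.FIXED_PORT
        query = DnsQuery(txid, port, qname, qtype, server)
        self.pending[(txid, port)] = query
        return query

    def receive(self, resp):
        query = self.pending.get((resp.txid, resp.dst_port))
        if query is None:
            return "dropped: no outstanding query with that txid/port"
        if (resp.src, resp.qname, resp.qtype) != (query.server, query.qname, query.qtype):
            return "dropped: source or question does not match the query"
        del self.pending[(resp.txid, resp.dst_port)]      # first valid answer wins
        self.cache[(resp.qname, resp.qtype)] = resp.answer
        return "accepted"


def off_path_spoof(resolver, qname, server, fake_ip, port_guess):
    """Attacker who cannot see the query: forge the server's address and try
    every 16-bit txid against one guessed port. Returns True if a forgery
    was cached."""
    for txid in range(1 << 16):
        forged = DnsResponse(txid, port_guess, qname, "A", fake_ip, src=server)
        if resolver.receive(forged) == "accepted":
            return True
    return False


def run_attack(randomize_port):
    """Issue a query, run the spoofing flood, then deliver the real answer.
    Returns {"answer": cached answer, "poisoned": bool, "port": query port}."""
    resolver = StubResolver(randomize_port=randomize_port)
    query = resolver.send_query("example.test", "A", server="192.0.2.53")
    poisoned = off_path_spoof(resolver, "example.test", "192.0.2.53",
                              fake_ip="198.51.100.66", port_guess=StubResolver.FIXED_PORT)
    real = DnsResponse(query.txid, query.src_port, "example.test", "A",
                       "203.0.113.10", src="192.0.2.53")
    resolver.receive(real)   # dropped if the forged answer already won the race
    return {"answer": resolver.cache[("example.test", "A")],
            "poisoned": poisoned, "port": query.src_port}
```

With a fixed source port the forged flood always lands (65536 guesses cover the whole ID space), and the genuine answer that arrives afterwards is discarded because the query is no longer outstanding. With the source port randomized the attacker must guess the port as well, which is why port randomization on resolvers matters; DNSSEC, mentioned in the prevention list that follows, removes the race entirely by letting the resolver verify the signature on the data rather than trusting whichever answer arrives first.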
 To prevent DNS spoofing:
o DNS Security Extensions (DNSSEC) is used to add an additional layer of security in
the DNS resolution process to prevent security threats such as DNS Spoofing or DNS
cache poisoning.
o DNSSEC protects against such attacks by digitally ‘signing’ data so you can be
assured it is valid.
o Implement Source Authentication: Source authentication can be used to verify that
the source of the DNS request is legitimate. This can be achieved using techniques
such as IPsec or TLS to authenticate the requestor and ensure that the request has not
been tampered with in transit.
o Use Response Rate Limiting: Response Rate Limiting (RRL) is a technique that
limits the rate at which a DNS server responds to queries. This can help prevent DNS
amplification attacks by reducing the number of responses that can be generated by a
single query.
o Implement DNS Filtering: DNS filtering can be used to block traffic to known
malicious domains or IP addresses. This can be done using DNS blacklists or
whitelists that are regularly updated with known malicious or legitimate domains.
o Use DNS Monitoring and Analysis: DNS monitoring and analysis can be used to
detect anomalies in DNS traffic that may indicate a DNS spoofing attack. This can be
achieved using techniques such as packet capture and analysis, log analysis, or real-
time monitoring of DNS traffic.
o Regularly Update DNS Software and Patches: Regularly updating DNS software and
patches can help prevent known vulnerabilities from being exploited by attackers.
This can be achieved by regularly checking for updates and patches from the vendor
or using automated patch management tools.
Manipulating the DNS Records – DHCP Spoofing
 DHCP spoofing occurs when an attacker responds to DHCP requests and lists
themselves (spoofs) as the default gateway or DNS server, thereby initiating a
man in the middle attack.
 With that, they can intercept traffic from users before forwarding it to the real
gateway, or perform DoS by flooding the real DHCP server with requests to exhaust
its pool of IP addresses.
 Adversaries may redirect network traffic to adversary-owned systems by spoofing
Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious
DHCP server on the victim network.
 By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect
network communications, including passed credentials, especially those sent over
insecure, unencrypted protocols.
 This may also enable follow-on behaviors such as Network Sniffing or Transmitted
Data Manipulation.
 DHCP is based on a client-server model and has two functionalities: a protocol for
providing network configuration settings from a DHCP server to a client and a
mechanism for allocating network addresses to clients.
 The typical server-client interaction is as follows:
1. The client broadcasts a DISCOVER message.
2. The server responds with an OFFER message, which includes an available
network address.
3. The client broadcasts a REQUEST message, which includes the network address
offered.
4. The server acknowledges with an ACK message and the client receives the
network configuration parameters.
 Adversaries may spoof as a rogue DHCP server on the victim network, from which
legitimate hosts may receive malicious network configurations.
 For example, malware can act as a DHCP server and provide adversary-owned DNS
servers to the victimized computers.
 Through the malicious network configurations, an adversary may achieve the AiTM
position, route client traffic through adversary-controlled systems, and collect
information from the client network.
 DHCP servers dynamically provide IP configuration information including IP address,
subnet mask, default gateway, DNS servers, and more to clients.
 A DHCP spoofing attack occurs when a rogue DHCP server is connected to the
network and provides false IP configuration parameters to legitimate clients.
 A rogue server can provide a variety of misleading information:
o Wrong default gateway - Attacker provides an invalid gateway or the IP address of its
host to create a man-in-the-middle attack. This may go entirely undetected as the
intruder intercepts the data flow through the network.
o Wrong DNS server - Attacker provides an incorrect DNS server address pointing the
user to a nefarious website.
o Wrong IP address - Attacker provides an invalid default gateway IP address and
creates a DoS attack on the DHCP client.
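The four-step DHCP exchange and the rogue-server race described above, together with the control that defeats it, as an added Python example (not code from the original module). DHCP snooping is the switch feature that forwards server-side messages (OFFER, ACK) only from ports marked trusted; the port names, addresses and the ordering in which the two offers arrive are constructed for illustration.

```python
"""DHCP spoofing exchange and the DHCP-snooping check that defeats it.

Added example for this module, not code from the original document. It models
the DISCOVER / OFFER / REQUEST / ACK exchange with a legitimate server and a
rogue server racing it, and a switch that only forwards server-side messages
(OFFER, ACK) from ports marked trusted. Port names and addresses are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class DhcpMessage:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK
    ingress_port: str    # switch port the frame arrived on
    server_id: str = ""  # option 54, server identifier
    yiaddr: str = ""     # offered client address
    router: str = ""     # option 3, default gateway
    dns: str = ""        # option 6, DNS server


SERVER_MESSAGES = {"OFFER", "ACK"}


class SnoopingSwitch:
    """Forwards client messages from any port; server messages only from trusted ports.
    Marking every port trusted is equivalent to having snooping disabled."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.dropped = []

    def forward(self, msg):
        if msg.kind in SERVER_MESSAGES and msg.ingress_port not in self.trusted:
            self.dropped.append(msg)
            return None
        return msg


# Constructed topology: legitimate server on Gi1/0/1, rogue host on Gi1/0/7,
# client on Gi1/0/5. The rogue hands out itself as gateway and DNS server.
LEGIT = dict(ingress_port="Gi1/0/1", server_id="10.0.0.1", router="10.0.0.1", dns="10.0.0.53")
ROGUE = dict(ingress_port="Gi1/0/7", server_id="10.0.0.66", router="10.0.0.66", dns="10.0.0.66")


def run_exchange(switch):
    """Client configures itself from the first OFFER that reaches it.
    Returns the resulting {router, dns} configuration."""
    switch.forward(DhcpMessage("DISCOVER", "Gi1/0/5"))          # 1. broadcast
    # 2. Two offers; the rogue host is on the same segment and answers first.
    offers = [DhcpMessage("OFFER", yiaddr="10.0.0.50", **ROGUE),
              DhcpMessage("OFFER", yiaddr="10.0.0.120", **LEGIT)]
    delivered = [m for m in (switch.forward(o) for o in offers) if m is not None]
    chosen = delivered[0]
    # 3. Client requests the chosen offer; 4. that server acknowledges.
    switch.forward(DhcpMessage("REQUEST", "Gi1/0/5", server_id=chosen.server_id))
    ack = switch.forward(DhcpMessage("ACK", chosen.ingress_port, chosen.server_id,
                                     chosen.yiaddr, chosen.router, chosen.dns))
    return {"router": ack.router, "dns": ack.dns}


if __name__ == "__main__":
    print("no snooping:", run_exchange(SnoopingSwitch({"Gi1/0/1", "Gi1/0/5", "Gi1/0/7"})))
    print("snooping:   ", run_exchange(SnoopingSwitch({"Gi1/0/1"})))
```

Without snooping the client ends up with the attacker's address as both gateway and DNS server, which is the AiTM position the text describes. With only the uplink to the real server trusted, the rogue OFFER never reaches the client and the legitimate configuration wins by default.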
Remote Exploitation – Attacking Network Remote Services
 Remote services exploitation is a technique that allows an adversary to gain unauthorized
access into a network's internal systems by taking advantage of a vulnerability (such as a
programming error) or a valid account.
 Once a remote connection is made, an attacker might execute adversary-controlled code,
most likely with a goal to move laterally to that system.
 To identify vulnerable systems, attackers typically employ one or more discovery
techniques such as network service scanning to seek out unpatched software.
 Common ransomware and malware such as Ryuk, WannaCry and NotPetya contain
features that use known exploits to execute code on a network, ultimately resulting in
lateral movement and propagation.
 Remote Desktop Protocol (RDP) is a common target for remote service, and it's easy to
see why.
 It's prevalent in enterprise environments, it provides remote access to a Windows device,
and it leaves credentials exposed in memory.
 A remote attack is a malicious action that targets one or a network of computers. The
remote attack does not affect the computer the attacker is using.
 Instead, the attacker will find vulnerable points in a computer or network’s security
software to access the machine or system.
 The main reasons for remote attacks are to view or steal data illegally, introduce viruses
or other malicious software to another computer or network or system, and cause damage
to the targeted computer or network.
 Remote attacks are further classified into the following groups based on the tools and
methods the attacker uses to compromise the targeted system.
 Domain Name System (DNS) Poisoning: Tricks the DNS server into accepting falsified
data as authentic and originating from the domain owner. The false data are stored for a
time, allowing the attacker time to change DNS replies to computers asking for addresses
of domains. Users accessing poisoned DNS servers are redirected to websites where they
unknowingly download viruses and other malicious content rather than the original
content they intended.
 Transmission Control Protocol (TCP) Desynchronization: Triggered when the sequence
numbers the two endpoints expect no longer match the packets actually exchanged.
Unexpected packets are discarded. A hacker who supplies packets carrying the exact
expected sequence number has them accepted by the targeted system, and is then able to
interfere with peer-to-peer or server-client communications.
 Denial of Service (DoS) Attacks: A technique that makes a server, computer or network
unavailable for its users and clients by flooding it with false client requests that simulate a
large usage spike. This obstructs communications between users because the server is
preoccupied with large amounts of pending requests to process.
 Internet Control Message Protocol (ICMP) Attacks: An Internet protocol used by
networked computers to send error messages. ICMP does not require authentication,
which means that an attacker can exploit this weakness and initiate DoS attacks.
 Port Scanning: Computer ports are the endpoints through which data is sent and
received. Port scanners identify which ports are open and which services listen on them,
helping an attacker find vulnerable services, exploit their weaknesses and gain access to
take control of computers. A port that must always be open so a service can send and
receive messages is a standing entry point that a hacker can probe and, if the service
behind it is weak, abuse to gain access.
Overview of Brute Force Attacks – Traditional Brute Force
 A brute force attack is a hacking method that uses trial and error to crack passwords, login
credentials, and encryption keys.
 It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and
organizations’ systems and networks.
 The hacker tries multiple usernames and passwords, often using a computer to test a wide
range of combinations, until they find the correct login information.
 The name "brute force" comes from attackers using excessively forceful attempts to gain
access to user accounts.
 Despite being an old cyberattack method, brute force attacks are tried and tested and
remain a popular tactic with hackers.
 There are various types of brute force attack methods that allow attackers to gain
unauthorized access and steal user data.
1. Simple Brute Force Attacks
 A simple brute force attack occurs when a hacker attempts to guess a user’s login
credentials manually without using any software.
 This is typically through standard password combinations or personal identification
number (PIN) codes.
 These attacks are simple because many people still use weak passwords, such as
"password123" or "1234," or practice poor password etiquette, such as using the same
password for multiple websites.
 Passwords can also be guessed by hackers that do minimal reconnaissance work to
crack an individual's potential password, such as the name of their favorite sports
team.
2. Dictionary Attacks
 A dictionary attack is a basic form of brute force hacking in which the attacker selects
a target, then tests possible passwords against that individual’s username.
 The attack method itself is not technically considered a brute force attack, but it can
play an important role in a bad actor’s password-cracking process.
 The name "dictionary attack" comes from hackers running through dictionaries and
amending words with special characters and numbers.
 This type of attack is typically time-consuming and has a low chance of success
compared to newer, more effective attack methods.
3. Hybrid Brute Force Attacks
 A hybrid brute force attack is when a hacker combines a dictionary attack method
with a simple brute force attack.
 It begins with the hacker knowing a username, then carrying out a dictionary attack
and simple brute force methods to discover an account login combination.
 The attacker starts with a list of potential words, then experiments with character,
letter, and number combinations to find the correct password.
 This approach allows hackers to discover passwords that combine common or popular
words with numbers, years, or random characters, such as "SanDiego123" or
"Rover2020."
4. Reverse Brute Force Attacks
 A reverse brute force attack sees an attacker begin the process with a known password,
which is typically discovered through a network breach.
 They use that password to search for a matching login credential using lists of millions of
usernames.
 Attackers may also use a commonly used weak password, such as "Password123," to
search through a database of usernames for a match.
5. Credential Stuffing
 Credential stuffing preys on users’ weak password etiquette. Attackers collect username
and password combinations they have stolen, which they then test on other websites to
see if they can gain access to additional user accounts.
 This approach is successful if people use the same username and password combination
or reuse passwords for various accounts and social media profiles.
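From the defender's side, the brute force variants above leave different shapes in an authentication log: simple, dictionary and hybrid attacks hammer one account with many passwords, while reverse brute force and credential stuffing try one password (or one stolen pair) across many accounts. The following added Python example, which is not part of the original module, parses constructed OpenSSH-style log lines and classifies each source by that shape; the thresholds are assumptions to tune per environment.

```python
"""Classifying failed-login patterns in an auth log: one account hammered
with many passwords (simple, dictionary or hybrid brute force) versus one
password tried across many accounts (reverse brute force / credential
stuffing, also called password spraying). Added example for this module,
not code from the original document; the log lines are constructed."""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

_SPRAYED = ["admin", "backup", "deploy", "git", "jenkins", "oracle", "postgres",
            "root", "support", "test", "ubuntu", "www"]

SAMPLE_LOG = "\n".join(
    # 25 guesses against alice from one address: password guessing
    [f"Jan 10 10:00:{i:02d} bastion sshd[4011]: Failed password for alice "
     f"from 198.51.100.7 port {40000 + i} ssh2" for i in range(25)]
    # one password tried against twelve accounts: reverse brute force / stuffing
    + [f"Jan 10 10:05:{i:02d} bastion sshd[4012]: Failed password for invalid user {u} "
       f"from 203.0.113.9 port 51000 ssh2" for i, u in enumerate(_SPRAYED)]
    # an ordinary typo followed by a successful login
    + ["Jan 10 10:07:00 bastion sshd[4013]: Failed password for carol "
       "from 192.0.2.3 port 6000 ssh2",
       "Jan 10 10:07:05 bastion sshd[4013]: Accepted password for carol "
       "from 192.0.2.3 port 6000 ssh2"]
)


def failures_by_source(log_text):
    """{source_ip: {username: failed_attempts}} parsed from the log."""
    fails = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            fails[m["ip"]][m["user"]] += 1
    return fails


def classify_sources(log_text, min_attempts=10, spray_max_per_user=2):
    """Label each source 'benign', 'password-guessing', 'reverse-brute-force' or 'hybrid'."""
    verdicts = {}
    for ip, per_user in failures_by_source(log_text).items():
        total = sum(per_user.values())
        if total < min_attempts:
            verdicts[ip] = "benign"
        elif len(per_user) == 1:
            verdicts[ip] = "password-guessing"      # many passwords, one account
        elif max(per_user.values()) <= spray_max_per_user:
            verdicts[ip] = "reverse-brute-force"    # one/few passwords, many accounts
        else:
            verdicts[ip] = "hybrid"                 # several passwords across accounts
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

The distinction matters for response: per-account lockout stops the first pattern but is useless against the second, which stays under any per-account threshold by design and is better caught by counting distinct usernames per source.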
Attacking SMTP – Attacking SQL Servers, Testing for Weak Authentication
 An SMTP hack abuses vulnerabilities found in the Simple Mail Transfer Protocol
(SMTP), allowing hackers to rely on the victim’s reputation when sending spam and
phishing emails.
 For example, when attackers hack into the SMTP server of Company A, they can send
emails using the victim’s domain. These emails could contain spammy messages or
malware but would look like they were from someone within the organization whose
domain was used.
 As a result, the hacked organization’s email domain or Internet Protocol (IP) address
could be blocklisted. But this is just the tip of the iceberg. The victim’s reputation can get
severely damaged because of the SMTP hack, causing clients to lose their confidence in
the company.
 SMTP is one of the most commonly used protocols in delivering email messages over the
Internet.
 Clients use it to send messages to servers, and servers utilize it to forward messages to
recipients.
 For example, when you send an email to a client, it gets sent to your mail server via
SMTP. Your SMTP relay server forwards the email to the recipient’s mail server, again
using SMTP.
 The recipient’s mail server would then forward the message to your client’s email
address.
 An SMTP attack is any exploitation of your SMTP server that enables attackers to gain
unauthorized access to it.
 When an SMTP hack occurs, attackers can see the email addresses stored on your server
and send messages to them while pretending to be you.
 The recipients, which can be clients or friends, will think that the email is from you since
the hackers used your email address.
 Aside from sending phishing and spam emails, an SMTP hack can also give way to
denial-of-service (DoS) attacks.
 Hackers can use your SMTP server to send a massive number of emails to other servers,
effectively drowning the targets until they crash.
 An SMTP hack is made possible by exploiting vulnerabilities in SMTP servers. Attackers
can gain unauthorized access to your SMTP server in several ways, including:
Phishing and malware: A user within your organization may have downloaded a
malware-infected file or clicked a malicious link, allowing threat actors to harvest their
credentials.
Physical access: A lost or stolen device can also be used to gain access to your SMTP
server. Hackers can retrieve and breach email accounts on the device.
Lack of encryption: Even without malware or a stolen device, SMTP traffic can still be
attacked, because SMTP itself does not encrypt anything. Your data is protected while you
read mail in Gmail or another provider’s web interface over HTTPS, but when messages are
relayed over plain SMTP they can be intercepted by anyone on the path.
 Adding security layers to your SMTP server helps keep it safe from unauthorized access.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS), more commonly known
as SSL/TLS, is the standard method of encrypting data sent through SMTP, negotiated
with STARTTLS on the normal submission port or used implicitly on port 465.
 For utmost security, continuous education about phishing and malware should be
advocated in organizations. Users should be aware of the current phishing methods that
attackers employ. Bring Your Own Device (BYOD) policies must be implemented with
caution and clear guidelines to avoid risks associated with lost or stolen devices.
 SQL server attacks are one of the most painful attacks organizations can suffer.
 An organization’s database is one of its softest spots, with a wide surface area susceptible
to attacks. This results in it being an attractive target of attackers.
 Neglecting your organization’s SQL server security is equivalent to having a bomb
ticking in your organization’s IT infrastructure.
 SQL injection vulnerabilities occur whenever input is used in the construction of an SQL
query without being adequately constrained or sanitized.
 The use of dynamic SQL (the construction of SQL queries by concatenation of strings)
opens the door to these vulnerabilities.
 SQL injection allows an attacker to access the SQL servers and execute SQL code under
the privileges of the user used to connect to the database.
 As explained in SQL injection, a SQL-injection exploit requires two things: an entry
point, and an exploit to enter.
 Any user-controlled parameter that gets processed by the application might be hiding a
vulnerability. This includes:
 Application parameters in query strings (e.g., GET requests)
 Application parameters included as part of the body of a POST request
 Browser-related information (e.g., user-agent, referrer)
 Host-related information (e.g., hostname, IP)
 Session-related information (e.g., user ID, cookies)
 Microsoft SQL server has a few unique characteristics, so some exploits need to be
specially customized for this application.
 To perform an SQL injection attack, an attacker must locate a vulnerable input in a web
application or webpage.
 When an application or webpage contains a SQL injection vulnerability, it inserts user input
directly into the text of an SQL query.
 The hacker can execute a specifically crafted SQL command as a malicious cyber
intrusion. Then, leveraging malicious code, a hacker can acquire a response that provides
a clear idea about the database construction and thereby access to all the information in
the database.
 SQL serves as the way of communication to the database. SQL statements are used to
retrieve and update data in the database.
 Attackers use malicious SQL statements in the input box, and in response, the database
presents sensitive information. This exploit of security aims at gaining access to the
unauthorized data of a website or application.
 Several websites and web applications store data in SQL databases. For any of these
applications, it becomes essential to perform vulnerability testing to ensure there are no
loopholes for executing SQL injection.
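The entry point and exploit the text describes, as an added Python example that is not code from the original module. It builds an in-memory SQLite database with two constructed users, then shows the dynamic-SQL login beside its parameterised form: against the first, a comment payload skips the password check, a tautology returns the first row, and a UNION pulls the schema out of `sqlite_master` (the "clear idea about the database construction" mentioned above); against the second, the same strings are just data and match nothing.

```python
"""SQL injection through string concatenation versus a parameterised query.
Added example for this module, not code from the original document; it uses an
in-memory SQLite database with constructed users so it runs offline."""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL: user input is pasted straight into the query text."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: input travels as bound data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads an attacker would type into the username or password field.
PAYLOADS = {
    "comment out the password check": ("bob' --", "wrong"),
    "tautology, returns the first row": ("x", "' OR '1'='1"),
    "UNION to read the schema": ("' UNION SELECT sql FROM sqlite_master --", ""),
}


if __name__ == "__main__":
    conn = setup_db()
    for label, (user, pw) in PAYLOADS.items():
        print(f"{label}:")
        print("  vulnerable ->", login_vulnerable(conn, user, pw))
        print("  safe       ->", login_safe(conn, user, pw))
```

The fix is not escaping quotes by hand but keeping query text and data separate, which is what the placeholder form does; the same rule applies to every entry point in the list above, including headers and cookies, not only form fields.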
 How to Test
Understand the Primary Mechanism
Fully test the website’s primary authentication functions. This should identify how
accounts are issued, created or changed and how passwords are recovered, reset, or
changed. Additionally, knowledge of any elevated privilege authentication and
authentication protection measures should be known. These precursors are necessary to
be able to compare with any alternative channels.
Identify Other Channels
Other channels can be found by using the following methods:
 Reading site content, especially the home page, contact us, help pages, support articles
and FAQs, T&Cs, privacy notices, the robots.txt file and any sitemap.xml files.
 Searching HTTP proxy logs, recorded during previous information gathering and testing,
for strings such as “mobile”, “android”, blackberry”, “ipad”, “iphone”, “mobile app”, “e-
reader”, “wireless”, “auth”, “sso”, “single sign on” in URL paths and body content.
 Use search engines to find different websites from the same organization, or using the
same domain name, that have similar home page content or which also have
authentication mechanisms.
 For each possible channel confirm whether user accounts are shared across these, or
provide access to the same or similar functionality.
Enumerate Authentication Functionality
 For each alternative channel where user accounts or functionality are shared, identify if
all the authentication functions of the primary channel are available, and if anything extra
exists.
 For example, a mobile channel may have an extra function “change password” but not offer
“log out”. A limited number of tasks may also be possible by phoning the call center. Call
centers can be interesting, because their identity confirmation checks might be weaker than
the website’s, allowing this channel to be used to aid an attack against a user’s account.
 While enumerating these it is worth taking note of how session management is
undertaken, in case there is overlap across any channels (e.g. cookies scoped to the same
parent domain name, concurrent sessions allowed across channels, but not on the same
channel).
Review and Test
Alternative channels should be mentioned in the testing report, even if they are marked as
“information only” or “out of scope”. In some cases the test scope might include the
alternative channel (e.g. because it is just another path on the target host name), or may be
added to the scope after discussion with the owners of all the channels. If testing is
permitted and authorized, all the other authentication tests in this guide should then be
performed, and compared against the primary channel.
Related Test Cases
The test cases for all the other authentication tests should be utilized.
Remediation
Ensure a consistent authentication policy is applied across all channels so that they are
equally secure.