
Sec+ 004: Network Attacks Indicators


My mum once told me that in the olden days, it was a common practice for people to communicate with their potential spouses through intermediaries (called "Alarina" in the Yoruba Language) before getting married.
The role of the Alarina, or intermediary, was not to prevent the man from approaching the lady directly, but rather to provide consultation and deeper understanding. The man would contact a trusted friend who would eventually become the Alarina, not out of shyness or fear, but to gain insights into the lady and her family. The Alarina, who knew the lady and her family well, acted as an intermediary between the two families, fostering communication and understanding in the marriage process.
My question is, were people not scared that the Alarina could manipulate the information to create misunderstandings and misinterpretations, thereby disrupting the relationship?

The story of the Alarina as a middleman between potential spouses raises concerns about the possibility of manipulation and disruption of the communication process. Now, let's take this to the digital world. EVER HEARD OF THE MAN-IN-THE-MIDDLE ATTACK? It is an attack in which a third party intercepts and manipulates communication between two entities, leading to unauthorized actions. Both scenarios involve intermediaries with the power to influence the flow of information, raising concerns about the trustworthiness and integrity of the communication, but the Alarina's role is based on trust and consultation, whereas a man-in-the-middle attack is an act of deception and malicious intent.

In this post, you will learn about the indicators of network attacks. These indicators provide details about the nature of the attack, what is happening, and the required countermeasures.

Stay plugged!!!

4.1 Wireless Attack Types

Wireless networking technology is widely used, with several protocols and techniques available to connect users to networks without physical wires. Like any other software system, wireless networking is vulnerable to attack. Let's look at the types of wireless attacks:

Evil twin

  • An evil twin is a rogue WAP masquerading as a legitimate one.
  • It may share the same name (SSID) as the real access point.
  • The attacker uses their own AP, which presents a stronger signal than the legitimate one so that clients prefer it.
  • The attacker can intercept the network traffic of users who connect to the malicious access point, potentially gaining access to private data.

Rogue access point

  • This is an unauthorized access point, whether installed with malicious intent or not.
  • Attackers can set up rogue access points to create a backdoor, eavesdrop on network traffic, launch man-in-the-middle attacks, or gain unauthorized access to the network.
  • Ensure that you periodically survey the site to detect rogue WAPs
  • Use 802.1X (Network Access Control) to mandate authentication for all connections

Bluesnarfing

  • An attack where an attacker uses a Bluetooth connection to obtain unauthorized access to data on a target device

Bluejacking

  • It involves sending unsolicited (spam) text, picture or video messages, or vCards (contact details), to Bluetooth-enabled devices.

Disassociation Attack

  • Disassociation attacks are attempts to disconnect a host from the wireless access point and the wireless network.
  • A disassociation attack sends spoofed frames by taking advantage of the lack of encryption in management frame communication.
  • Attackers can prevent genuine users from connecting to the network by delivering fake disassociation signals, which results in denial-of-service (DoS) problems.
  • It can be mitigated by configuring Management Frame Protection (MFP/802.11w) on both clients and WAPs.
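The indicators described above for evil twins, rogue access points and disassociation attacks can be turned into simple detection logic. The following is an added example written for this section, not code from the original post: it runs over constructed 802.11 management-frame records (the approved-AP inventory, BSSIDs and frame timings are all made up) and flags a corporate SSID advertised from an unknown BSSID, any beacon from an unapproved BSSID, and a burst of deauthentication frames within one second.

```python
"""Toy wireless monitor over constructed 802.11 management-frame records.

Flags evil twins (a corporate SSID advertised from an unknown BSSID), rogue
access points (any beacon from a BSSID not in the approved inventory), and
deauthentication/disassociation floods (a burst of management frames, which
unprotected management traffic lets an attacker spoof).
All APs, BSSIDs and frames below are constructed sample data.
"""
from collections import Counter

# Constructed inventory: approved BSSID -> the SSID that radio may advertise.
APPROVED_APS = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}

# Constructed frame records: (timestamp_s, subtype, bssid, ssid, rssi_dbm).
# SSID is None for frames that carry no SSID element (deauth/disassoc).
FRAMES = [
    (1.0, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi", -55),
    (1.1, "beacon", "aa:bb:cc:00:00:03", "CorpGuest", -62),
    (1.2, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", -40),    # evil twin: our SSID, unknown BSSID
    (1.3, "beacon", "12:34:56:78:9a:bc", "FreeWiFi", -70),    # rogue AP: unapproved BSSID
    (5.0, "deauth", "aa:bb:cc:00:00:02", None, -58),          # a single deauth: normal behaviour
]
# A burst of 40 deauth frames in under a second, "from" an approved BSSID.
FRAMES += [(2.0 + i * 0.02, "deauth", "aa:bb:cc:00:00:01", None, -50) for i in range(40)]


def classify_beacons(frames, approved):
    """Return {'evil_twin': [...], 'rogue': [...]} as (bssid, ssid) pairs, first sighting only."""
    corporate_ssids = set(approved.values())
    findings = {"evil_twin": [], "rogue": []}
    seen = set()
    for _ts, subtype, bssid, ssid, _rssi in frames:
        if subtype != "beacon" or (bssid, ssid) in seen:
            continue
        seen.add((bssid, ssid))
        if bssid in approved:
            if approved[bssid] != ssid:
                # An approved radio advertising an SSID it should not: misconfiguration or rogue.
                findings["rogue"].append((bssid, ssid))
        elif ssid in corporate_ssids:
            findings["evil_twin"].append((bssid, ssid))
        else:
            findings["rogue"].append((bssid, ssid))
    return findings


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return [(bssid, window_start_s, count)] for windows with >= threshold deauth/disassoc frames."""
    buckets = Counter()
    for ts, subtype, bssid, _ssid, _rssi in frames:
        if subtype in ("deauth", "disassoc"):
            buckets[(bssid, int(ts // window_s))] += 1
    return sorted(
        (bssid, window * window_s, count)
        for (bssid, window), count in buckets.items()
        if count >= threshold
    )


if __name__ == "__main__":
    print("Beacon findings:", classify_beacons(FRAMES, APPROVED_APS))
    print("Deauth floods:", detect_deauth_flood(FRAMES))
```

The deauth detector cannot tell a spoofed frame from one the real AP sent, because both carry the AP's BSSID; it only sees the rate. That is the gap 802.11w closes by authenticating management frames, so a flood alert on a network without MFP is a prompt to enable it rather than proof of a particular attacker.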

Jamming

  • An attack in which radio waves interfere with 802.11 wireless signals.
  • It can also result from installing a WAP with a stronger signal.
  • To detect the source of interference, use a spectrum analyzer
  • To mitigate, locate and disable the malicious radio source or boost the signal on the legitimate source.

Radio frequency identification (RFID) Attack

  • RFID is used on anything that requires tracking, such as access badges.
  • Attackers might take advantage of flaws in RFID technology to intercept or alter information sent between RFID tags and readers, thereby gaining access or tampering with the data.
  • Skimming (the unauthorized capture of information from RFID tags) is a common example of an RFID attack.

Near-field communication (NFC)

  • NFC is a 2-way (peer to peer) radio communications system that enables contactless payments across very short distances.
  • It is a high-frequency subset of RFID.
  • NFC is mainly used for contactless point-of-sale transactions. Customers enter their credit card details into a mobile wallet app to set up a payment service. Instead of transmitting the actual credit card data, the app sends a one-time token that the merchant links to the correct client account.
  • Attackers can perform remote capture of NFC exchanges, or frequency jamming that leads to a DoS attack.

Initialization vector (IV)

  • An IV is a random value used in cryptographic algorithms, particularly in wireless encryption protocols such as WEP (Wired Equivalent Privacy).
  • An IV is a type of nonce (a value generated once) used at the beginning of a connection; its primary aim is to prevent replay attacks.
  • IV-related attacks take advantage of weaknesses in how the IV is generated or managed, giving attackers access to wireless networks and the ability to decrypt encrypted data.
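To see why a 24-bit IV is too small, and why reusing one under the same key is fatal for a stream cipher, here is an added example that is not from the original post. It uses a toy SHA-256-based keystream as a stand-in for WEP's RC4 (it is not WEP's real cipher); the key, plaintexts and random seed are constructed values.

```python
"""Why a short, reused IV breaks a stream cipher (added example, toy cipher).

WEP prepends a 24-bit IV to the key and derives the keystream from IV || key.
Two frames encrypted under the same key and IV share a keystream, so an
eavesdropper who XORs the two ciphertexts obtains the XOR of the two plaintexts.
The keystream here is a SHA-256 construction standing in for RC4; it is a toy.
"""
import hashlib
import math
import random

IV_BITS = 24  # WEP's IV length


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || iv || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, iv). Decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns from two ciphertexts under the same key and IV: p1 XOR p2."""
    return xor_bytes(c1, c2)


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2**bits) random IVs are sent before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def frames_until_first_repeat(iv_bits: int = IV_BITS, seed: int = 1) -> int:
    """Simulate random IV selection; return the frame count at which an IV first repeats."""
    rng = random.Random(seed)
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    iv = (0xABCDEF).to_bytes(3, "big")        # a single 24-bit IV, reused below
    p1 = b"GET /index.html HTTP/1.1"
    p2 = b"POST /login HTTP/1.1    "
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    assert keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2)
    print(f"expected frames until a 24-bit IV repeats: {expected_frames_until_iv_repeat():.0f}")
    print(f"simulated first repeat after {frames_until_first_repeat()} frames")
```

The point for a defender is that the IV space, not the key length, bounds how long a WEP key stays safe: a busy access point sends thousands of frames per second, so an IV repeat is expected within seconds, which is one of the reasons WEP was replaced by WPA2 and WPA3.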

4.2 On-path attack/Man-in-the-Middle attack/Man-in-the-Browser Attack

  • This is a type of eavesdropping in which an attacker establishes a separate link to each of two victims and steals information.
  • The threat actor positions themselves between two hosts and intercepts, inspects and relays all of their communication.
  • In a Man-in-the-Browser attack, malware installs a Trojan component on the target machine. This Trojan can act as a proxy and modify the browser's behavior by using browser helper objects or extensions.
  • On-path attacks can be defeated using mutual authentication, where both hosts exchange secure credentials.

4.3 Layer 2 attacks

Local addressing decisions are made at Layer 2 of a network. Switches and MAC addresses operate at this layer. Here are the types of Layer 2 attacks:

Address Resolution Protocol (ARP) poisoning

  • ARP maps IP addresses to MAC addresses on a local network.
  • An attacker uses ARP poisoning to deliver fake ARP replies to a target computer, forcing it to associate the wrong MAC addresses with specific IP addresses.
  • If the gateway's IP address is poisoned, all traffic destined for remote networks is sent to the attacker instead.
  • The attacker can then mount a man-in-the-middle attack by monitoring the communications and forwarding them to the router, or altering the packets before forwarding them, or a DoS attack by not forwarding the packets at all.
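A host-side or sensor-side check for ARP poisoning, as an added example that is not taken from the original post: it watches a constructed stream of ARP replies (all addresses are sample values) and flags an IP address whose MAC changes, the gateway IP being claimed by a MAC other than the known one, and a single MAC claiming several IP addresses, which is what a man-in-the-middle between a victim and the gateway looks like on the wire.

```python
"""ARP poisoning indicators over constructed ARP reply records (added example).

Each record is (timestamp_s, sender_ip, sender_mac) as seen in ARP replies on
the local segment. The gateway address, the known gateway MAC and all replies
below are constructed sample data.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:01"

ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway announces itself
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),   # ordinary host
    (1.0, "192.168.1.1", "66:77:88:99:aa:bb"),    # new MAC claims the gateway IP
    (1.0, "192.168.1.20", "66:77:88:99:aa:bb"),   # same MAC also claims the host IP
    (5.0, "192.168.1.30", "00:11:22:33:44:30"),   # unrelated host, no conflict
]


def analyze_arp(replies, gateway_ip, gateway_mac):
    """Return IP->MAC conflicts, gateway spoofing events and MACs that claim multiple IPs."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    findings = {"ip_conflicts": [], "gateway_spoof": [], "multi_ip_macs": {}}
    for ts, ip, mac in replies:
        # A previously learned IP now answering from a different MAC.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            findings["ip_conflicts"].append((ts, ip, mac))
        # Anyone but the known gateway MAC claiming the gateway IP.
        if ip == gateway_ip and mac != gateway_mac:
            findings["gateway_spoof"].append((ts, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # One MAC standing in for several IPs: the shape of a relay between victims.
    findings["multi_ip_macs"] = {
        mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1
    }
    return findings


if __name__ == "__main__":
    for key, value in analyze_arp(ARP_REPLIES, GATEWAY_IP, KNOWN_GATEWAY_MAC).items():
        print(f"{key}: {value}")
```

Tools such as arpwatch implement the first check on live traffic; on managed switches, Dynamic ARP Inspection (DAI) drops the poisoned replies at the access port instead of detecting them after the fact.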

Media access control (MAC) flooding

  • This is an attack on the switch
  • The MAC address table is used by the switch to decide which port to utilize to forward unicast traffic to the correct destination.
  • It involves an attacker exhausting the switch's memory capacity by flooding it with a large number of false source MAC addresses.
  • Overwhelming the table causes the switch to abandon MAC-based forwarding and flood unicast traffic out of all ports, effectively acting as a hub. This lets the attacker eavesdrop on network traffic.

MAC cloning/MAC address spoofing

  • This involves an attacker forging the network interface card's (NIC) factory-assigned MAC address in order to impersonate another device on a network.
  • The manufacturer assigns a unique MAC address to each network interface. An attacker can trick network switches and routers into associating their own device with the cloned MAC address by cloning the MAC address of another device.
  • It can be used to bypass MAC address filtering
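MAC flooding and MAC cloning both leave traces in the switch's MAC address table, so the added example below (not the original post's code) inspects a constructed list of port/MAC learnings for the two signatures: an access port that has learned far more source addresses than a single host could produce, and one MAC address that appears on two ports at once. The port names, addresses, uplink list and per-port limit are all assumptions.

```python
"""Switch MAC-table monitor over constructed port/MAC sightings (added example).

MAC flooding shows up as one access port learning far more source MACs than a
single host should generate; MAC cloning shows up as one MAC learned on more
than one port. Ports, MACs and counts below are constructed sample data.
"""
from collections import defaultdict

UPLINK_PORTS = {"Gi1/0/48"}  # constructed: uplinks legitimately carry many MACs

# Constructed sightings: (port, source_mac) in the order the switch learned them.
SIGHTINGS = [
    ("Gi1/0/1", "00:11:22:33:44:20"),
    ("Gi1/0/2", "00:11:22:33:44:30"),
    ("Gi1/0/9", "00:11:22:33:44:20"),   # same MAC as on Gi1/0/1: cloning candidate
]
# 60 hosts behind the uplink: expected.
SIGHTINGS += [("Gi1/0/48", f"00:aa:bb:00:00:{i:02x}") for i in range(60)]
# 200 distinct source MACs on one access port: flooding.
SIGHTINGS += [("Gi1/0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(200)]


def mac_table_findings(sightings, per_port_limit=5, uplinks=frozenset()):
    """Return ports exceeding the per-port MAC limit and MACs seen on more than one port."""
    port_macs = defaultdict(set)
    mac_ports = defaultdict(set)
    for port, mac in sightings:
        port_macs[port].add(mac)
        mac_ports[mac].add(port)
    flooding = {
        port: len(macs)
        for port, macs in port_macs.items()
        if port not in uplinks and len(macs) > per_port_limit
    }
    cloning = {mac: sorted(ports) for mac, ports in mac_ports.items() if len(ports) > 1}
    return {"flooding": flooding, "cloning": cloning}


if __name__ == "__main__":
    print(mac_table_findings(SIGHTINGS, uplinks=UPLINK_PORTS))
```

Port security on managed switches enforces the same limit preventively: once a port exceeds its configured maximum number of learned MAC addresses it is restricted or shut down, so the table never reaches the overflow state that turns the switch into a hub.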

4.4 Domain name system (DNS) Attack Types

The Domain Name System (DNS), which uses port 53, resolves fully qualified domain names (FQDNs) to IP addresses. It makes use of a distributed database system to store information about domains and the hosts within those domains.

Domain hijacking/Brandjacking

  • This is the unauthorized takeover of a domain name by compromising the domain registrar or DNS (Domain Name System) credentials.
  • The attacker gets control of the domain name and can modify its DNS records, routing traffic intended for the genuine domain to a different website
  • The whois command can be used to look up domain registration information in order to detect misuse.

DNS poisoning

  • Also called DNS cache poisoning or DNS spoofing
  • It corrupts the DNS cache by inserting fake DNS information into it, forwarding a domain name to an IP address of the attacker's choice and redirecting visitors to malicious websites.
  • It can also be achieved via a man-in-the-middle attack.

Uniform Resource Locator (URL) redirection

  • A uniform resource locator (URL) is an address for website pages and files.
  • URL redirection is the use of HTTP redirecting to open a page other than the one requested by the user.
  • Malicious actors might utilize the URL redirection mechanism to redirect users to phishing websites.
  • Types of URL redirection include typosquatting/brandjacking.

Domain reputation

  • This is the assessment of a domain's integrity and reputation
  • If your domain, website, or email servers have been compromised, they are likely to be exploited for malware distribution. Monitor your site via talosintelligence.com/reputation_center to detect misuse early.

DNS Security

  • On a private network, local DNS servers should accept recursive requests only from authenticated local hosts and not from the Internet.
  • Establish access control on the server to prevent a malicious user from manually modifying records.
  • Clients should also be limited to using authorized resolvers for name resolution.
  • Implement DNS Security Extensions (DNSSEC) to provide a validation mechanism for DNS answers, which helps to mitigate spoofing and poisoning attacks.
  • To prevent footprinting, implement access control lists that block zone transfers to unapproved hosts or domains, so that an external server cannot learn the private network's architecture.

NOTE: DNS footprinting is the process of acquiring information about a private network by utilizing its DNS server to make a zone transfer (all the records in a domain) to a rogue DNS server or by querying the DNS service with a tool like nslookup or dig.
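The hardening points above (restricting recursion, blocking zone transfers, guarding against poisoning) each leave a signature in resolver logs. The following is an added example, not code from the original post, that reviews a constructed and deliberately simplified query log for three indicators: zone transfers requested by hosts outside the approved secondary list, recursive queries arriving from outside the local network, and a name that resolved to conflicting addresses. The log format, addresses and approved-secondary list are assumptions; the format is not BIND's or any other server's real log format.

```python
"""DNS log review for footprinting, open recursion and poisoning indicators (added example).

Works over a constructed, space-separated log with the layout
    <ts> <client_ip> <qname> <qtype> <rd> <answer>
where rd is "RD" when the client asked for recursion and answer is "-" when
none was logged. Addresses and the approved-secondary list are constructed.
"""
import ipaddress
from collections import defaultdict

APPROVED_SECONDARIES = {"198.51.100.2"}                  # hosts allowed to pull zone transfers
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]     # clients the resolver should serve

LOG = """\
1 192.168.1.10 www.example.com A RD 203.0.113.10
2 198.51.100.2 example.com AXFR - -
3 203.0.113.77 example.com AXFR - -
4 203.0.113.99 mail.example.com A RD 203.0.113.20
5 192.168.1.11 www.example.com A RD 203.0.113.10
6 192.168.1.12 www.example.com A RD 198.51.100.66
"""


def parse_log(text):
    """Turn the constructed log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rd, answer = line.split()
        records.append({
            "ts": int(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype,
            "recursive": rd == "RD",
            "answer": None if answer == "-" else answer,
        })
    return records


def unapproved_zone_transfers(records, approved):
    """Clients that asked for AXFR/IXFR without being an approved secondary (footprinting indicator)."""
    return sorted({
        r["client"] for r in records
        if r["qtype"] in ("AXFR", "IXFR") and r["client"] not in approved
    })


def external_recursive_clients(records, local_nets):
    """Clients outside the local networks that requested recursion (open-resolver indicator)."""
    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in local_nets)
    return sorted({r["client"] for r in records if r["recursive"] and not is_local(r["client"])})


def conflicting_answers(records):
    """Names whose A answers differed across queries (cache-poisoning indicator, see note)."""
    answers = defaultdict(set)
    for r in records:
        if r["qtype"] == "A" and r["answer"]:
            answers[r["qname"]].add(r["answer"])
    return {name: sorted(addrs) for name, addrs in answers.items() if len(addrs) > 1}


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("AXFR from unapproved hosts:", unapproved_zone_transfers(recs, APPROVED_SECONDARIES))
    print("Recursion from outside:", external_recursive_clients(recs, LOCAL_NETS))
    print("Conflicting answers:", conflicting_answers(recs))
```

Conflicting answers are an indicator, not proof: round-robin or CDN records legitimately yield several addresses for one name, so the conflict list is a queue for a DNSSEC-validated re-query rather than an alert on its own. The first two checks are the log-side view of the `allow-transfer` and recursion restrictions the section recommends.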

4.5 Distributed denial-of-service (DDoS)

DoS attacks impair resource availability, whereas DDoS attacks flood a service with traffic from several infected hosts. DDoS attacks can be mitigated by high-availability services and stateful firewalls. ACLs, blackholes or sinkholes can also be used to mitigate DDoS attacks, with blackholes preferred to preserve processing resources, although legitimate traffic is dropped along with the DDoS packets when a sinkhole or blackhole is implemented.

Sinkholing refers to redirecting the flooding traffic to a different network for investigation, allowing the source to be identified and filtering rules to be applied.

A blackhole, by contrast, is a network segment that is inaccessible to the rest of the network. The blackhole method is preferable since it reduces the impact of the attack on the ISP's other customers.

  • Network: a DoS attack in which the attacker sends multiple SYN requests to a target server in the hope of consuming enough resources to prevent legitimate traffic from being served.

  • Application: a DoS attack that targets vulnerabilities in the headers and payloads of application protocols, or resource-intensive activities within web applications or servers.

  • Operational technology (OT): an OT network is established between embedded system devices and their controllers. DDoS attacks in this category target vital infrastructure, such as industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
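The network-layer SYN flood described in the first bullet can be recognised by counting handshakes that never complete. The following is an added example, not from the original post: it builds constructed TCP events toward one server (three clients that finish the handshake and sixty spoofed sources that send one SYN each and never reply), counts half-open connections per source, and distinguishes a single-source DoS from a distributed one. The thresholds and all addresses are assumptions.

```python
"""Half-open connection accounting for SYN-flood indicators (added example).

Events are constructed TCP packets toward one server: (timestamp_s, src_ip, src_port, flags).
A handshake the client completes shows SYN then ACK from the same (src_ip, src_port);
a SYN never followed by an ACK leaves a half-open connection on the server.
Many half-open connections from one source suggest DoS; from many sources, DDoS.
"""
from collections import Counter
import random


def constructed_events(seed=7):
    """Build the constructed sample: 3 completed handshakes, then 60 one-shot SYNs from spoofed sources."""
    rng = random.Random(seed)
    events = []
    for i, src in enumerate(["192.168.1.10", "192.168.1.11", "192.168.1.12"]):
        events.append((0.1 * i, src, 50000 + i, "SYN"))
        events.append((0.1 * i + 0.05, src, 50000 + i, "ACK"))
    for i in range(60):
        src = f"203.0.113.{i + 1}"
        events.append((1.0 + i * 0.01, src, rng.randint(1024, 65535), "SYN"))
    return events


def half_open_connections(events):
    """Return the set of (src_ip, src_port) that sent a SYN but never completed with an ACK."""
    syns, acked = set(), set()
    for _ts, src, sport, flags in events:
        if flags == "SYN":
            syns.add((src, sport))
        elif flags == "ACK":
            acked.add((src, sport))
    return syns - acked


def classify_flood(events, half_open_threshold=20, distributed_sources=10):
    """Summarise half-open load and label it normal, single-source or distributed."""
    half_open = half_open_connections(events)
    per_source = Counter(src for src, _sport in half_open)
    verdict = "normal"
    if len(half_open) >= half_open_threshold:
        verdict = "distributed" if len(per_source) >= distributed_sources else "single-source"
    return {
        "half_open": len(half_open),
        "sources": len(per_source),
        "verdict": verdict,
        "top_sources": per_source.most_common(3),
    }


if __name__ == "__main__":
    print(classify_flood(constructed_events()))
```

The verdict also guides the mitigation choice the section discusses: a single-source flood is a good fit for an ACL, whereas a distributed one is where sinkholing or blackholing earn their keep. On the server itself, SYN cookies remove the per-connection state cost, so half-open connections no longer exhaust resources.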

4.6 Malicious code or script execution

Scripting promotes speed, accuracy, reproducibility and portability; it can be used with good intent as well as bad. The following are different programming languages and scripting environments:

PowerShell: a command-line interface and scripting language based on the .NET Framework. It is a primary way of executing Windows administrative tasks.

Python: it is a high-level programming language popular for automation. It can be used for data theft, network scanning, or the creation of botnets.

Bash: It is a Unix-like command shell and scripting language. It can be used to perform privilege escalation, data exfiltration, or creating backdoors.

Macros: are short pieces of code that are inserted within documents, such as Microsoft Office files, to automate repetitive activities.

Visual Basic for Applications (VBA): a programming language used in Office document automation to construct macros and scripts. Microsoft Office uses the Visual Basic for Applications (VBA) programming language, whereas PDF documents employ JavaScript. ALT+F11 can be used to inspect Microsoft Office document macros.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” 

Stephane Nappo

4.7 Review Question
