
Security+ Study Guide




Attacks and Malicious Users

(An example of a buffer-overflow attack)

A key aspect of any war is knowing your enemy. If you consider the battle against malicious users a war, then understanding the attacks they use is crucial. Below is a list, with descriptions, of the most common kinds of attacks used by malicious hackers and other bad actors.

Social Engineering

This kind of attack is probably the most commonly successful and damaging of all attacks, yet it requires no technical ability. Social engineering is an attack in which the attacker manipulates people who hold some position of authority into doing what the attacker wants. For example, if an attacker calls a business posing as a bank representative reporting suspicious activity on an account, and then proceeds to ask for a routing number, that attacker is engaged in a social engineering attack. Remember, social engineering means manipulating people.

Dumpster Diving

This is another low-tech attack, and the name describes it well: a dumpster diver looks through trash and other unsecured materials to find information that can be used to launch an attack or carry out some other malicious action.

Password Cracking

This is an attack in which the attacker tries to gain authentication (and authorization) to network resources by guessing the correct password. There are three basic kinds of password cracking attacks:

  • Brute Force – Every possible combination of characters is tried (aaa, aaA, aAA, AAA, aab, …)
  • Dictionary – Passwords are read from a text file (a dictionary)
  • Hybrid – A variation of the dictionary approach that also accounts for common user habits such as alternating character case, substituting characters ("@" in place of "A", etc.), using keyboard patterns ("1QAZ", etc.), doubling passwords to make them longer, or adding an incremental prefix/suffix number to a basic password ("2swordfish" instead of "swordfish", etc.).

Attackers know that many users use the same or similar passwords on different systems. Using a sniffer to obtain a user's password on an insecure platform provides a good starting point for a quick hybrid attack on a different, more secure platform. For example, Yahoo Messenger transmits passwords in clear text. An attacker can easily obtain a user's Yahoo password and then attempt to access their bank account, or other sensitive information, using that same password or a variant of it.

Most of the time when password cracking is attempted, the cracker has some means of entering username and password combinations quickly, usually a cracking program such as Brutus. One way to defend against cracking attacks is to impose a mandatory wait time between login attempts. Another is to lock the account after a certain number of failed attempts. Finally, limiting the number of concurrent connections to a login system can slow down a cracking attack.
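The two defenses just described, a lockout after repeated failures and detection of a source that is hammering the login system, are shown below as an added example. This is not code from the study guide; the log line format, the account names and the source addresses are constructed for the example, and the thresholds (five failures in one minute, fifteen-minute lockout) are assumptions.

```python
# Added example (not from the study guide): a lockout policy and a brute-force
# detector replayed over constructed login-log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp RESULT user=... src=..." layout is a
# hypothetical format chosen for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:02 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:03 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:04 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:05 OK user=alice src=203.0.113.7
2024-01-01T10:00:30 FAIL user=bob src=198.51.100.4
2024-01-01T10:30:00 OK user=bob src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source IP)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


class LockoutPolicy:
    """Lock an account after `max_failures` failed attempts inside `window`;
    while locked, every attempt is refused, even one with the right password,
    so an attacker cannot tell a correct guess from a wrong one."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> lockout expiry

    def attempt(self, when, user, credentials_ok):
        until = self.locked_until.get(user)
        if until is not None and when < until:
            return "LOCKED"
        if credentials_ok:
            self.failures[user].clear()
            return "OK"
        recent = self.failures[user]
        recent.append(when)
        while when - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = when + self.lockout
            recent.clear()
            return "LOCKED"
        return "FAIL"


def replay(log_text, policy=None):
    """Feed every log line through the policy and return the verdict per line."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(when, user, result == "OK")
            for when, result, user, _ in map(parse_line, log_text.splitlines())]


def noisy_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detection side: source IPs with more than `threshold` attempts (any
    outcome) inside a sliding `window`, the pattern behind Quick Review
    question 4."""
    recent = defaultdict(deque)
    flagged = set()
    for when, _, _, src in map(parse_line, log_text.splitlines()):
        q = recent[src]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{verdict:7} {line}")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Note that alice's sixth attempt in the sample carries the correct password but is still refused, because the lockout is enforced before the credentials are checked; a lockout that only applied to wrong passwords would let the attacker confirm a correct guess. The mandatory wait time from the text is the same idea applied per attempt rather than per account.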

Flooding

Just as a flood can overwhelm the infrastructure of a locale, a flooding attack can overwhelm the processing and memory capacity of a network system or server. In a flooding attack, the attacker sends an inordinate number of packets to a server or a group of hosts in order to overwhelm the network or server. This, of course, causes a denial of service for the hosts that need whatever network resource has been overwhelmed. Some special kinds of flooding attacks:

  • SYN Flood – A flood of specially crafted SYN packets
  • ICMP Ping Flood – A flood of ICMP pings
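As an added example of how a defender would spot the flood types listed above (and the broadcast burst in Quick Review question 2), the code below applies a per-source sliding-window packet rate to constructed packet summaries. It is not code from the study guide; the packet tuple layout, the addresses and the thresholds (more than 50 packets of one kind per second) are assumptions made for the example.

```python
# Added example (not from the study guide): flagging flood sources from
# constructed packet summaries with a per-source sliding-window rate.
from collections import defaultdict, deque

# Constructed packet summaries: (time in seconds, src, dst, protocol, flags).
# The tuple layout is hypothetical; a real tool would read it from a capture.
SAMPLE_PACKETS = [
    # A normal client completing a TCP handshake with the server 192.0.2.1.
    (0.0, "192.0.2.10", "192.0.2.1", "TCP", "S"),
    (0.1, "192.0.2.1", "192.0.2.10", "TCP", "SA"),
    (0.2, "192.0.2.10", "192.0.2.1", "TCP", "A"),
]
# A SYN flood: 300 bare SYNs in three seconds, never followed by an ACK.
SAMPLE_PACKETS += [(1.0 + i * 0.01, "203.0.113.9", "192.0.2.1", "TCP", "S")
                   for i in range(300)]
# An ICMP ping flood: 150 echo requests in under a second.
SAMPLE_PACKETS += [(4.0 + i * 0.005, "198.51.100.5", "192.0.2.1", "ICMP", "ECHO")
                   for i in range(150)]
# A burst of empty broadcasts from one internal host (Quick Review question 2).
SAMPLE_PACKETS += [(5.0 + i * 0.005, "192.0.2.77", "255.255.255.255", "UDP", "")
                   for i in range(80)]


def classify(src, dst, proto, flags):
    """Map a packet to the flood category it could belong to, or None."""
    if proto == "TCP" and flags == "S":      # SYN without ACK: a new half-open attempt
        return "tcp_syn"
    if proto == "ICMP" and flags == "ECHO":
        return "icmp_echo"
    if dst == "255.255.255.255":
        return "broadcast"
    return None


def flood_suspects(packets, window=1.0, threshold=50):
    """Return {src: {category, ...}} for sources that sent more than `threshold`
    packets of one category inside any `window`-second span."""
    recent = defaultdict(deque)       # (src, category) -> timestamps in the window
    suspects = defaultdict(set)
    for when, src, dst, proto, flags in sorted(packets):
        category = classify(src, dst, proto, flags)
        if category is None:
            continue
        q = recent[(src, category)]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            suspects[src].add(category)
    return dict(suspects)


def half_open_counts(packets):
    """SYNs minus the client ACKs that would complete them, per source; a large
    positive number is the signature of a SYN flood rather than a busy client."""
    counts = defaultdict(int)
    for _, src, _, proto, flags in packets:
        if proto == "TCP" and flags == "S":
            counts[src] += 1
        elif proto == "TCP" and flags == "A":
            counts[src] -= 1
    return dict(counts)


if __name__ == "__main__":
    print(flood_suspects(SAMPLE_PACKETS))
    print(half_open_counts(SAMPLE_PACKETS))
```

The rate check alone would also flag a busy but legitimate client, which is why `half_open_counts` is shown alongside it: the normal client's SYN is balanced by its ACK, while the flood source leaves hundreds of half-open handshakes behind. In practice the response is rate limiting or SYN cookies at the server or edge, not just an alert.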

Spoofing

Spoofing is not always a form of attack in itself, but it is often used in conjunction with an attack. Spoofing is any attempt to hide the true address information of a node. It is usually associated with IP spoofing, the practice of hiding the IP address of a node by replacing it with another (false) IP address. One implication of a successful spoof is that investigators cannot easily trace the attack, because the IP address is false. Spoofing can be achieved through proxy servers, anonymous Internet services, or TCP/IP vulnerabilities.
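The standard network-side defense against IP spoofing is to check that a packet's source address is plausible for the interface it arrived on (ingress filtering on the Internet side, egress filtering for your own hosts, as described in BCP 38). The following added example, which is not from the study guide, implements that check over a constructed topology; the interface names, address ranges and sample packets are assumptions made for the example.

```python
# Added example (not from the study guide): a source-address sanity check in
# the spirit of BCP 38 ingress/egress filtering, over a constructed topology.
import ipaddress

# Constructed topology: prefixes that are legitimately ours, and ranges that
# should never appear as a source on the Internet-facing interface.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("10.0.0.0/8")]
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def verdict(iface, src):
    """Decide whether a packet with source `src` is plausible on `iface`
    ("wan" = Internet side, "lan" = our own hosts)."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        if is_internal(addr):
            return ("DROP", "internal source arriving from outside")
        if any(addr in net for net in NEVER_FROM_OUTSIDE):
            return ("DROP", "reserved or loopback source")
        return ("ACCEPT", None)
    if iface == "lan":
        # Egress filtering: our hosts may only send with our own addresses.
        if not is_internal(addr):
            return ("DROP", "egress source is not ours")
        return ("ACCEPT", None)
    raise ValueError(f"unknown interface {iface!r}")


# Constructed packets: (interface the packet arrived on, source address).
SAMPLE_PACKETS = [
    ("wan", "198.51.100.23"),   # ordinary Internet host
    ("wan", "192.0.2.15"),      # claims to be one of ours, but came from outside
    ("wan", "127.0.0.1"),       # loopback can never be a remote source
    ("lan", "192.0.2.15"),      # our host using its own address
    ("lan", "203.0.113.44"),    # our host sending with a source that is not ours
]


def filter_packets(packets):
    """Attach a (verdict, reason) pair to each (iface, src) packet."""
    return [(iface, src) + verdict(iface, src) for iface, src in packets]


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

The egress rule is the one most often forgotten: it does nothing to protect your own network, but it stops a compromised internal host from sending spoofed packets toward someone else, which is exactly what makes spoofed attacks hard to trace.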

Birthday Attack

Any attack based on favorable probability is known as a birthday attack. The name comes from the statistical fact that in a room of 100 people it is far more likely that some two people share a birthday than that one person has a specific birthday. For the exam, just associate "birthday attack" with probability.
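To make the probability gap concrete, the following added example (not part of the study guide) computes both probabilities for a room of n people and then runs the same calculation for a hash output space, where the birthday attack is usually applied: finding any two inputs with the same digest takes on the order of the square root of the number of possible digests, while matching one specific digest takes on the order of the whole space. The 32-bit digest size at the end is a made-up illustration chosen so the numbers stay small.

```python
# Added example (not from the study guide): the two probabilities the birthday
# paradox contrasts, plus the same computation for a hash output space.
import math


def p_some_pair_shares(n, space=365):
    """Probability that at least two of n draws from `space` values coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def p_hits_specific(n, space=365):
    """Probability that at least one of n draws equals one fixed value."""
    return 1.0 - ((space - 1) / space) ** n


def draws_for_even_odds(space=365):
    """Smallest n for which some pair coincides with probability >= 1/2;
    grows like sqrt(space), which is the birthday bound."""
    p_all_distinct, n = 1.0, 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (space - n) / space
        n += 1
    return n


def draws_to_hit_specific(space=365):
    """Smallest n for which a fixed value is hit with probability >= 1/2;
    grows like space itself (about 0.69 * space)."""
    return math.ceil(math.log(0.5) / math.log((space - 1) / space))


if __name__ == "__main__":
    for n in (23, 100):
        print(f"{n} people: shared {p_some_pair_shares(n):.3f}, "
              f"specific {p_hits_specific(n):.3f}")
    print("even odds of a shared birthday at", draws_for_even_odds(), "people")
    print("even odds of a specific birthday at", draws_to_hit_specific(), "people")
    bits = 32   # illustrative digest size, not a recommendation
    print(f"{bits}-bit digest: collision ~{draws_for_even_odds(2 ** bits)} tries, "
          f"specific target ~{draws_to_hit_specific(2 ** bits)} tries")
```

With 100 people the shared-birthday probability is essentially 1 while the specific-birthday probability is only about 0.24, which is the page's claim in numbers. The same square-root effect is why a hash function needs twice as many output bits for collision resistance as for resistance to matching a given digest.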

Buffer Overflow

A buffer overflow attack is a very specific kind of attack that is very common against application-level servers and services. Basically, a buffer is a fixed-size region of memory (often on the stack) set aside to hold data. A specifically and maliciously crafted packet can supply more data than the buffer can hold, so that it overflows into adjacent memory and causes a number of problems. Some buffer overflow attacks result in a simple denial of service, while others allow system compromise and remote takeover. Patches are usually issued to fix specific buffer overflow issues.

Sniffing

A sniffing attack is one in which an attacker "sniffs" information, either off the media directly or from regular network traffic, in order to compromise the confidentiality or integrity of that information. Traffic on un-switched Ethernet can easily be sniffed when a NIC operates in "promiscuous" mode, the mode in which the NIC reads all traffic regardless of its destination address. Sniffing can be thwarted by careful attention to media security and by using switched networks.
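Because a sniffer on a Linux host normally puts the NIC into promiscuous mode, one routine defensive check is to look for the PROMISC flag in `ip link show` output. The code below is an added example, not from the study guide; the sample output is constructed (interface names, addresses and the bridge port are made up), and the parsing assumes the usual `ip link` header line format.

```python
# Added example (not from the study guide): listing Linux interfaces whose
# PROMISC flag is set, parsed from `ip link show` output. The sample output
# below is constructed.
import re
import subprocess

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
4: veth0@if5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
"""

# "<index>: <name>[@peer]: <FLAG,FLAG,...>" is the header line of each interface.
HEADER_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@[^:\s]+)?:\s+<([^>]*)>")


def interface_flags(ip_link_output):
    """Return {name: set_of_flags} for every interface header line."""
    flags = {}
    for line in ip_link_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def promiscuous_interfaces(ip_link_output):
    """Names of interfaces with PROMISC set, i.e. reading every frame on the wire."""
    return [name for name, f in interface_flags(ip_link_output).items()
            if "PROMISC" in f]


def live_check():
    """Run the same check against the local host (Linux with iproute2)."""
    out = subprocess.run(["ip", "link", "show"], capture_output=True,
                         text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

The result needs triage rather than an automatic alarm: bridge ports and container interfaces (the `veth0` in the sample) legitimately run promiscuous, and a sniffer on an already compromised host can avoid showing the flag at all. Switched networks remain the stronger control because they stop the frames from reaching the NIC in the first place.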

Overview

While there is certainly not enough space here to list all of the tricks that hackers have up their collective sleeves, it is safe to say that the attacks you will see on the Security+ exam have been covered above. Study each one carefully and try to associate one word with each attack that will help you remember what it is all about; after a while, the distinctions between attacks will become more obvious and clear to you.

Quick Review

1. An attacker sends a series of malformed packets to a server and gains access to the server as the "root" user. Which attack is this most likely to be?

a. Ping

b. Birthday

c. Spoofing

d. Sniffing

e. Buffer Overflow

2. You notice a dramatic increase in the traffic going through your network. After a close examination of the traffic, you realize that the majority of the new traffic is in the form of empty broadcast packets sent from a single host. What is most likely happening?

a. You are experiencing normal network activity

b. The network is revamping from under-utilization

c. The network is being flooded

d. The network is being spoofed

3. Which of the following courses of action would not prevent a social engineering attack?

a. Mandatory security training for new computer users

b. Administrative approval for any major system changes

c. Hiring a dedicated operator to handle undirected phone calls and emails

d. Installing a firewall with NAT technology

4. You notice that there have been over a thousand login attempts in the last minute. What might you correct in order to prevent a similar attack in the future?

a. Install Apache Web Server

b. Limit the timeout value

c. Mandate and configure a lockout time period

d. Change the access control method

Answers

1. In a buffer overflow attack, a malformed packet is sent to overflow the heap of memory that a server application uses. Some attacks can actually gain access to the root account. So, the answer is (E).

2. Since the network is experiencing a dramatic increase in basically meaningless traffic from a single host, it is likely to be an attempt at a flood attack. (C)

3. All of the choices would inhibit the ability of an attacker to use a social engineering attack except for (D), which would not affect the ability of an attacker to manipulate people in any way.

4. By configuring a lockout time period (C) you can ensure that after a certain number of unsuccessful attempts, further logins are disabled.
