11.4. Types of Attacks
Once the work is taking place, what are some of the specific sorts of attacks that you will be conducting? Each type of vulnerability has its own associated exploitation techniques. This section will cover the various classes of vulnerabilities that you will interact with most often.
No matter what category of vulnerability you are looking at, Kali makes these tools and exploits easy to find. The Kali menu on your graphical user interface is divided up into categories to help make the right tool easier to find. In addition, the Kali Tools website has comprehensive listings of the various tools available in Kali, organized by category and tagged for easy browsing. Each entry contains detailed information about the tool as well as example usage.
Denial of service attacks leverage a vulnerability to create a loss of service, often by crashing the vulnerable process. Thecategory of the Kali Linux menu contains a number of tools for this purpose.
When many people hear the term "denial of service attack", they immediately think of resource consumption attacks that are sent out from multiple sources at once against a single target. These would be a distributed denial of services attack, or DDoS. These sorts of attacks are rarely part of a professional security assessment.
Instead, a singular denial of service attack is most often the result of an improper attempt to exploit a vulnerability. If an exploit writer releases partially functional, or proof-of-concept (PoC) code and it is used in the field, this could create a denial of service condition. Even a properly-coded exploit may only work under very specific circumstances but cause a denial of service under lesser circumstances. It may seem that the solution is to only use safe and tested exploit code, or to write your own. Even with this solution, there are no guarantees and this severely limits the assessor, causing undue constraints, which results in a lesser assessment. Instead, the key is compromise. Avoid PoC code and untested exploits in the field and always make sure a lawyer has you covered for other mishaps.
Typically, denial of service attacks are not launched intentionally. Most automated vulnerability tools will declare denial of service vulnerabilities as lower risk due to the fact that while you can remove a service from operation, that service can't be exploited for code execution. However, it is important to remember that not all exploits are released publicly and a denial of service vulnerability may mask a deeper, more serious threat. A code execution exploit for a known denial of service may exist but not be public. The point is, pay attention to denial of service vulnerabilities and encourage your customer to get them patched regardless of their (often low) threat rating.
A memory corruption happens when a location within the memory space of a process is accidentally modified due to programming mistakes. Memory corruption bugs usually lead to unpredictable program behavior, however in many cases, these bugs allow process memory manipulation in such a way that the program execution flow can be controlled, allowing attacker-defined activity.
These attacks are typically referred to as buffer overflows, although this term is an over-simplification. The most common types of memory corruption are vastly different from one another and have their own tactics and techniques required for successful exploitation.
Stack Buffer Overflow: When a program writes more data to a buffer on the stack than there is space available for it, adjacent memory can be corrupted, often causing the program to crash.
Heap Corruption: Heap memory is allocated at run- time and usually contains data from the running program. Heap corruptions occur by manipulating the data to overwrite through the linked list of heap memory pointers.
Integer Overflow: These overflows occur when an application tries to create a numeric value that can't be contained within its allocated storage space.
Format String: When a program accepts user input and formats it without checking it, memory locations can be revealed or overwritten, depending on the format tokens that are used.
Due to the fact that modern web sites are no longer static pages, but instead dynamically generated for the user, the average website is quite complex. Web vulnerabilities take advantage of this complexity in an effort to attack either the back end page generation logic or the presentation to the visitor of the site.
These sorts of attacks are extremely common, as many organizations have reached the point where they have very few externally facing services. Two of the most prevalent web application attack types are SQL injection and cross-site scripting (XSS).
SQL injection: These attacks take advantage of improperly-programmed applications that do not properly sanitize user input, leading to the ability to extract information from the database or even the complete takeover of the server.
Cross-site scripting: As with SQL injection, XSS attacks result from improper sanitization of user input, allowing attackers to manipulate the user or site into executing code in the context of their own browser session.
Complex, rich, and complicated web applications are very common, presenting a welcome attack surface for malicious parties. You will find a large number of useful tools in the kali-tools-web metapackage.menu category and the
Password attacks are attacks against the authentication system of a service. These attacks are often broken into online password attacks and offline password attacks, which you will find reflected in the kali-tools-gpu metapackage contains a number of tools that tap into this power.menu category. In an online password attack, multiple passwords are attempted against a running system. In an offline password attack, the hashed or encrypted values of the passwords are obtained and the attacker attempts to obtain the clear text values. The protection against this sort of attack is the fact that it is computationally expensive to work through this process, limiting the number of attempts per second you can generate. However, workarounds for this do exist, such as using graphic processor units (GPUs) to accelerate the number of attempts that can be made. The
Most commonly, password attacks target vendor-supplied default passwords. As these are well-known values, attackers will scan for these default accounts, hoping to get lucky. Other common attacks include custom dictionary attacks where a wordlist is created that has been tailored to the target environment and then an online password attack against common, default, or known accounts is conducted where each word is attempted in sequence.
In an assessment, it is very important to understand the potential consequences of this sort of attack. First, they are often very noisy due to the repeated authentication attempts. Secondly, these attacks can often result in an account lock out situation after too many invalid attempts are performed against a single account. Finally, the performance of these attacks is often quite slow, resulting in difficulty when attempting to use a comprehensive wordlist.
Most attacks are conducted against servers, but as services have become harder to attack, easier targets have been selected. Client-side attacks are a result of this, where an attacker will target the various applications installed on the workstation of an employee within a target organization. Themenu category has a number of excellent applications that can help conduct these types of attacks.
This sort of attack were commonly exploited by Flash, Acrobat Reader, and Java in the early 2000s. Currently HTML Application (HTA) is the popular method. In the above cases, attackers would try to solicit a target to visit a malicious web page. These pages would contain specialized code that would trigger either vulnerabilities in these client-side applications or trick the user, resulting in the ability to run malicious code on the targets system.
Client-side attacks are incredibly difficult to prevent, requiring a great deal of user education, constant application updates, and network controls to effectively mitigate the risk.