Overview Of Security Concepts And Attacks
Rainbow Tables and Time Memory Trade-off
Question 1
- a) Answer: The main differences between real-time brute force password recovery attacks and table-based pre-computation password recovery attacks are as follows:
- i) A brute force password recovery attack is extremely easy to carry out and takes up less time, whereas a pre-computation password recovery attack is not as easy to carry out and takes up more time.
- ii) A brute force password recovery attack is used for checking weak passwords, and the opposite holds for a pre-computation password recovery attack.
- b) Answer: The three best practice approaches for designing password hashing schemes are Lookup Tables, Reverse Lookup Tables and Rainbow Tables.
- i) Lookup Tables are the most effective way of cracking all hashes of the same type extremely fast.
- ii) Reverse Lookup Tables help to create a lookup table that maps each password hash in a user database to the users who have it. The attacker then hashes a password guess and uses the lookup table to get the list of users whose password matches the guess.
- iii) Rainbow Tables can be defined as a time-memory trade-off technique.
- c) Answer: i) Brute Force Password Recovery Attacks: This type of attack lets the attacker apply the attack to several hashes simultaneously, without pre-computing a reverse lookup table. This does affect the complexity of the brute force attack. The second approach that affects the complexity of a brute force attack is the rainbow table, which sacrifices hash cracking speed.
- ii) Pre-Computation Password Recovery Attack: Lookup tables are extremely effective for the complexity of this type of attack. The main advantage of this type of attack is that it saves computation time and makes running it less demanding.
- d) Answer: In UNIX systems, user passwords are protected in the password file known as /etc/passwd, which is world-readable. Later they were moved to /etc/shadow, which is backed up in /etc/shadow-. This file is readable by root, and the passwords in it are hashed and salted.
- e) Answer: Pre-computed hash tables or rainbow tables are used to crack password hashes; they effectively reverse the cryptographic hash function. The plaintext password can be recovered up to a specific length over a restricted character set. Rainbow tables are defined as time-memory trade-off techniques and are extremely effective at increasing the effectiveness of password cracking tools.
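As an added example (not part of the original answers), the following Python builds a toy rainbow table over a constructed password space, recovers an unsalted hash through it, and shows why the salted hashes described in d) are not found by a table built for unsalted hashing. The alphabet, chain length, seed passwords and salt are constructed values; SHA-256 stands in for whatever hash the stored passwords use.

```python
import hashlib
import itertools
import string

# Constructed toy password space: 3-character passwords over "abcdef" (216 candidates).
ALPHABET = string.ascii_lowercase[:6]
PW_LEN = 3
CHAIN_LEN = 20          # hashes covered per stored chain (the "time" side of the trade-off)


def hash_pw(pw: str) -> str:
    """Unsalted hash, exactly what the table was precomputed for."""
    return hashlib.sha256(pw.encode()).hexdigest()


def reduce_to_pw(digest: str, step: int) -> str:
    """Map a digest back into the password space. Mixing in the column index gives
    each column its own reduction function, which is what distinguishes rainbow
    chains from plain Hellman chains and limits chain merging."""
    n = int(digest, 16) + step
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def build_table(start_points):
    """Store only (endpoint -> start point); intermediate hashes are recomputed on demand."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_to_pw(hash_pw(pw), step)
        table.setdefault(pw, start)      # merged chains keep only the first start point
    return table


def lookup(table, target: str):
    """Return the password for `target` if a stored chain covers it, else None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in column `col`; walk the rest of the chain to its endpoint.
        pw = reduce_to_pw(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_to_pw(hash_pw(pw), step)
        if pw in table:
            # Candidate chain: regenerate it from its start and confirm (rules out false alarms).
            cand = table[pw]
            for step in range(CHAIN_LEN):
                if hash_pw(cand) == target:
                    return cand
                cand = reduce_to_pw(hash_pw(cand), step)
    return None


ALL_PASSWORDS = ["".join(t) for t in itertools.product(ALPHABET, repeat=PW_LEN)]
START_POINTS = ALL_PASSWORDS[::4]        # every 4th password seeds a chain (the "memory" side)
TABLE = build_table(START_POINTS)


def coverage() -> float:
    """Fraction of the password space the stored table can actually recover."""
    found = sum(1 for pw in ALL_PASSWORDS if lookup(TABLE, hash_pw(pw)) == pw)
    return found / len(ALL_PASSWORDS)


def salted_hash(pw: str, salt: str) -> str:
    """What /etc/shadow-style storage does: the salt changes the hashed input, so a
    table precomputed over hash_pw() no longer applies to any of its entries."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


if __name__ == "__main__":
    print(f"stored {len(TABLE)} chains for {len(ALL_PASSWORDS)} passwords, coverage {coverage():.0%}")
    print("unsalted 'aaa' ->", lookup(TABLE, hash_pw("aaa")))              # aaa
    print("salted   'aaa' ->", lookup(TABLE, salted_hash("aaa", "x7")))     # None
```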
Question 2
- a) Answer: The three steps of an XSS attack are as follows:
- i) Searching for the Vulnerable Website: The hackers use Google dorks to search for a vulnerable site and thus target its users.
- ii) Testing the Vulnerability: The vulnerability of the site needs to be tested by injecting one's own script.
- iii) Exploiting the Vulnerability: The third step is to exploit the vulnerability of the targeted website.
- b) Answer: The differences between reflected and stored XSS attacks are as follows:
Reflected attacks are those where the injected script is reflected off the web server, such as in a search result, error message or other response. This includes most of the input that is sent to the server as part of a request. When the user is tricked into clicking a malicious link, the injected code travels to the website, which reflects the attack back into the user's browser. This is also known as Non-Persistent or Type II XSS.
Stored XSS attacks are those where the injected script is stored permanently on the targeted servers, such as in a visitor log, database, comment field or message forum. The victim retrieves the malicious script from the server when the stored information is requested. This type of attack is also known as Persistent or Type I XSS.
- c) Answer: Poor data or input validation can be defined as data that is not strongly typed, has improper syntax, or does not contain only permitted characters within bounded ranges.
- i) When entering a month number, a user input of 13 is wrong.
- ii) When a user wrongly puts a name in place of an address, that is poor data validation.
- d) Answer: The sanitization approach helps to accept user data. There is a broad range of acceptable input.
For example, when there is a form field like <input type="text" id="title" name="title" />
the data could be sanitized with the sanitize_text_field() function.
It is extremely useful for protecting against XSS attacks as it helps to secure the output. This option is known as escaping.
- e) Answer: The differences between XSRF and XSS attacks are as follows:
XSRF attacks occur in authenticated sessions, where the server trusts the user or browser, whereas XSS attacks do not require an authenticated session and can be exploited when the vulnerable website does not do the basics of escaping or validating input.
Question 5
- a) Answer: The popular methodology for security testing is OSSTMM, the Open Source Security Testing Methodology Manual.
- b) Answer: The CVE system gives a standard reference method for publicly known information security exposures and vulnerabilities.
CVE Identifiers are common unique identifiers for publicly known information security vulnerabilities.
CVE identifiers are extremely useful for security testing as each carries a number, which makes it a unique identifier.
- c) Answer: A well-known automated vulnerability scanner is OpenVAS, the Open Vulnerability Assessment System.
- i) The benefit of performing vulnerability identification manually is that it helps to identify programming errors, which can lead to cyber attacks.
- ii) The benefit of performing vulnerability identification automatically is that it helps to gather information.
- d) Answer: Fuzzing is an automated software testing technique that involves feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as it helps to remove software vulnerabilities.
- e) Answer: Three OS countermeasures that could be used to protect against buffer overflow attacks are as follows:
- i) Stack Canaries: These are values inserted at known locations in memory to detect buffer overflows.
- ii) ASLR: Address Space Layout Randomization introduces randomness into the layout of a process's virtual memory, changing where binaries are mapped.
- iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to track it through the system.
- f) Answer: The goals of the Maintaining Access phase are to detect and filter content transferred to internal devices or external sites, and to prevent direct session initiation between servers in the data centre and the network.
The goals of the Covering Tracks phase are to hide the intrusion and all possible controls for future visits. Moreover, it helps to provide personal firewalls and anti-malware solutions.
The two methods used in the Maintaining Access phase are privilege escalation and creating one's own credentials.
The two methods used in the Covering Tracks phase are removing logs and installing rootkits.
Question 2
- a) Answer: Poor data or input validation can be defined as data that is not strongly typed, has improper syntax, or does not contain only permitted characters within bounded ranges.
- i) When entering a month number, a user input of 13 is wrong.
- ii) When a user wrongly puts a name in place of an address, that is poor data validation.
- b) Answer: Code injection attacks are the exploitation of a computer bug caused by the processing of invalid data. Hackers inject code into a computer program, and thus code injection attacks are carried out. This leaves any user extremely vulnerable.
Two examples of code injection attacks are the Cross Site Scripting (XSS) attack and the OS command injection attack.
- c) Answer: SQL injection attacks are a specific type of code injection used to attack data-driven applications, where malicious SQL statements are inserted into an entry field for execution. The hacker searches for an input in the web application that is included in an SQL query; the vulnerable website then has to include the user input directly within the SQL statement.
- d) Answer: A blind SQL injection attack is a kind of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This type of attack mainly occurs when the web application is configured to show generic error messages.
- e) Answer: Two countermeasures against SQL injection attacks are as follows:
- i) Performing systematic input validation.
- ii) Using parameterized stored procedures for database access, to ensure that input strings are not treated as code.
Question 3
- Answer: The Security Testing Methodologies and Frameworks mainly include OSSTMM (Open Source Security Testing Methodology Manual), OWASP (Open Web Application Security Project), MSF (Metasploit Framework), ISSAF (Information Systems Security Assessment Framework) and BSIMM (Building Security In Maturity Model).
The main domains of OSSTMM are information security, process security, internet technology security, communication security and wireless security.
The phases of OWASP include before development begins, during definition and design, during development, during deployment, and finally maintenance and operations.
The five phases of MSF include envisioning, planning, development, stabilizing and deploying.
The phases of ISSAF include Planning, Assessment, Treatment, and Accreditation.
The domains of BSIMM include governance, intelligence, secure software development lifecycle (SSDL) touch points, and deployment.
Question 4
- a) Answer: A buffer overflow aims to force the execution of malicious code in order to provide a root shell to the user. These instructions are stored within a buffer, which is overflowed, allowing unexpected use of the process to change several memory sections.
- b) Answer: Three OS countermeasures that could be used to protect against buffer overflow attacks are as follows:
- i) Stack Canaries: These are values inserted at known locations in memory to detect buffer overflows.
- ii) ASLR: Address Space Layout Randomization introduces randomness into the layout of a process's virtual memory, changing where binaries are mapped.
- iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to track it through the system.
- c) Answer: This type of attack occurs when an arithmetic operation attempts to create a numeric value that is outside its range. This can be either larger or smaller.
- d) Answer: Fuzzing is an automated software testing technique that involves feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as it helps to remove software vulnerabilities.
Question 1
- a) Answer: The steps are as follows:
Step 1: Understand Attack Scenarios
Step 2: Analyze Causes and Countermeasures
Step 3: Start Testing and Exploring
Step 4: Fine-tune Test Cases
- b) Answer: Yes, XSRF vulnerabilities are due to poor data or input validation by the tested web application, as this type of attack occurs in authenticated sessions, where the server trusts the user or browser. Poor data validation is one of the major causes of this type of attack.
- c) Answer: Two countermeasures for protecting against XSRF attacks are as follows:
- i) Tricking the victim into clicking a link.
- ii) Sending a crafted request in the victim's browser.
- d) Answer: The differences between XSRF and XSS attacks are as follows:
XSRF attacks occur in authenticated sessions, where the server trusts the user or browser, whereas XSS attacks do not require an authenticated session and can be exploited when the vulnerable website does not do the basics of escaping or validating input.
Question 4
- a) Answer: The CVE system gives a standard reference method for publicly known information security exposures and vulnerabilities.
CVE Identifiers are common unique identifiers for publicly known information security vulnerabilities.
- b) Answer: A well-known automated vulnerability scanner is OpenVAS, the Open Vulnerability Assessment System.
- i) The benefit of performing vulnerability identification manually is that it helps to identify programming errors, which can lead to cyber attacks.
- ii) The benefit of performing vulnerability identification automatically is that it helps to gather information.
- c) Answer: Functional testing is the procedure of testing software within software development, where the software is tested to ensure that it fulfils all requirements.
Robustness testing is the procedure of verifying the robustness of test cases in a particular test process. This is extremely important when the software is tested through a system interface.
- d) Answer: Fuzzing is an automated software testing technique that involves feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as it helps to remove software vulnerabilities.
- e) Answer: Two techniques used to obtain higher privileges on a compromised host are as follows:
- i) Access Token Manipulation: This technique manipulates access tokens, and thus privilege is escalated.
- ii) Accessibility Features: This technique uses the accessibility features, and thus privilege is escalated.
- f) Answer: Three OS countermeasures that could be used to protect against buffer overflow attacks are as follows:
- i) Stack Canaries: These are values inserted at known locations in memory to detect buffer overflows.
- ii) ASLR: Address Space Layout Randomization introduces randomness into the layout of a process's virtual memory, changing where binaries are mapped.
- iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to track it through the system.
Question 1
- a) Answer: The three steps of an XSS attack are as follows:
- i) Searching for the Vulnerable Website: The hackers use Google dorks to search for a vulnerable site and thus target its users.
- ii) Testing the Vulnerability: The vulnerability of the site needs to be tested by injecting one's own script.
- iii) Exploiting the Vulnerability: The third step is to exploit the vulnerability of the targeted website.
- b) Answer: The differences between reflected and stored XSS attacks are as follows:
Reflected attacks are those where the injected script is reflected off the web server, such as in a search result, error message or other response. This includes most of the input that is sent to the server as part of a request. When the user is tricked into clicking a malicious link, the injected code travels to the website, which reflects the attack back into the user's browser. This is also known as Non-Persistent or Type II XSS.
Stored XSS attacks are those where the injected script is stored permanently on the targeted servers, such as in a visitor log, database, comment field or message forum. The victim retrieves the malicious script from the server when the stored information is requested. This type of attack is also known as Persistent or Type I XSS.
- c) Answer: Poor data or input validation can be defined as data that is not strongly typed, has improper syntax, or does not contain only permitted characters within bounded ranges.
- i) When entering a month number, a user input of 13 is wrong.
- ii) When a user wrongly puts a name in place of an address, that is poor data validation.
- d) Answer: The sanitization approach helps to accept user data. There is a broad range of acceptable input.
For example, when there is a form field like <input type="text" id="title" name="title" />
the data could be sanitized with the sanitize_text_field() function.
It is extremely useful for protecting against XSS attacks as it helps to secure the output. This option is known as escaping.
The sanitization approach should use whitelists of allowed symbols, because blacklists only detect known dangerous patterns and characters such as apostrophes or strings, and there is a high risk that an attacker can get past such filters.
- e) Answer: Yes, XSRF vulnerabilities are due to poor data or input validation by the tested web application, as this type of attack occurs in authenticated sessions, where the server trusts the user or browser. Poor data validation is one of the major causes of this type of attack.
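As an added example for the sanitization and escaping points in d) above (not part of the original answers, and not the WordPress sanitize_text_field() function), the Python below shows the reflected-XSS handler beside its escaped form, a whitelist-based sanitizer for the title field, and the range check for the month-13 case. The sample input, the whitelist regex and the function names are constructed for this example.

```python
import html
import re

# Constructed sample of what an attacker might type into the "title" field.
USER_INPUT = "<script>alert(1)</script> My title"


def render_unsafe(title: str) -> str:
    """Vulnerable: the submitted title is reflected straight into the page (reflected XSS)."""
    return f"<h1>Search results for: {title}</h1>"


def render_escaped(title: str) -> str:
    """Output escaping: HTML metacharacters become entities, so the browser renders
    the text instead of executing it. This is the 'escaping' option named in d)."""
    return f"<h1>Search results for: {html.escape(title, quote=True)}</h1>"


# Whitelist (constructed): letters, digits, space and a few punctuation marks, 1-80 chars.
_TITLE_WHITELIST = re.compile(r"^[A-Za-z0-9 .,-]{1,80}$")


def sanitize_title(title: str):
    """Input sanitization by whitelist: normalize whitespace, then accept only what the
    allowed list permits. Anything else is rejected (None) rather than 'cleaned up'."""
    cleaned = " ".join(title.split())
    return cleaned if _TITLE_WHITELIST.match(cleaned) else None


def validate_month(value: str):
    """Range-checked numeric field: returns an int in 1..12, or None (so 13 is rejected)."""
    if not value.isdigit():
        return None
    month = int(value)
    return month if 1 <= month <= 12 else None


def handle_submission(title: str, month: str) -> str:
    """Both layers together: reject what the whitelist forbids, and escape whatever is echoed,
    including the rejected value in the error message."""
    m = validate_month(month)
    t = sanitize_title(title)
    if m is None or t is None:
        return f"<p>Invalid input: {html.escape(title)} / {html.escape(month)}</p>"
    return f"<h1>{html.escape(t)} (month {m})</h1>"


if __name__ == "__main__":
    print(render_unsafe(USER_INPUT))      # script tag reaches the browser intact
    print(render_escaped(USER_INPUT))     # &lt;script&gt;...: rendered as text
    print(handle_submission(USER_INPUT, "13"))
```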
Question 4
- a) Answer: A buffer overflow aims to force the execution of malicious code in order to provide a root shell to the user. These instructions are stored within a buffer, which is overflowed, allowing unexpected use of the process to change several memory sections.
- b) Answer: Three OS countermeasures that could be used to protect against buffer overflow attacks are as follows:
- i) Stack Canaries: These are values inserted at known locations in memory to detect buffer overflows.
- ii) ASLR: Address Space Layout Randomization introduces randomness into the layout of a process's virtual memory, changing where binaries are mapped.
- iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to track it through the system.
- c) Answer: This type of attack occurs when an arithmetic operation attempts to create a numeric value that is outside its range. This can be either larger or smaller.
This type of attack can be stopped by not using signed integers for array indexing.
- d) Answer: Fuzzing is an automated software testing technique that involves feeding unexpected, invalid and random data as input to a computer program.
The fuzzing method can be used during an organization's security assessment as it helps to remove software vulnerabilities.
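As an added example for the fuzzing answer in d) (not part of the original answers), the Python below is a small mutation fuzzer run against a constructed date parser that has the month-range bug from the input validation example: it forgets to check the month before using it as an index. The fuzzer treats ValueError as the parser correctly rejecting input and anything else as a crash; the same harness run against the fixed parser reports nothing. The seeds, mutation alphabet and iteration count are constructed values.

```python
import random
from typing import Callable

MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
SEEDS = ["2020-06-15", "1999-12-31"]      # constructed valid inputs to mutate from


def parse_date(text: str):
    """Constructed target: a YYYY-MM-DD parser that should raise ValueError on bad input.
    BUG: the month is used as an index before it is range-checked, so a month such as
    13 raises IndexError instead of ValueError."""
    parts = text.split("-")
    if len(parts) != 3:
        raise ValueError("expected YYYY-MM-DD")
    year, month, day = (int(p) for p in parts)       # ValueError on non-numeric parts is expected
    if not 1 <= day <= MONTH_DAYS[month - 1]:        # crashes for month > 12
        raise ValueError("day out of range")
    return year, month, day


def parse_date_fixed(text: str):
    """Same parser with the missing month check in place."""
    parts = text.split("-")
    if len(parts) != 3:
        raise ValueError("expected YYYY-MM-DD")
    year, month, day = (int(p) for p in parts)
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    if not 1 <= day <= MONTH_DAYS[month - 1]:
        raise ValueError("day out of range")
    return year, month, day


def mutate(seed: str, rng: random.Random) -> str:
    """One random mutation of a valid seed: the unexpected, invalid or random data fuzzing feeds in."""
    chars = "0123456789-ab "
    choice = rng.randrange(4)
    if choice == 0 and seed:                                   # delete a character
        i = rng.randrange(len(seed))
        return seed[:i] + seed[i + 1:]
    if choice == 1:                                            # insert a character
        i = rng.randrange(len(seed) + 1)
        return seed[:i] + rng.choice(chars) + seed[i:]
    if choice == 2 and seed:                                   # replace a character
        i = rng.randrange(len(seed))
        return seed[:i] + rng.choice(chars) + seed[i + 1:]
    return "".join(rng.choice(chars) for _ in range(rng.randrange(0, 16)))   # fully random


def fuzz(target: Callable[[str], object], seeds, iterations: int, rng_seed: int = 1) -> dict:
    """Run mutated inputs through the target. ValueError is the parser doing its job; any
    other exception is a crash, recorded as {exception name: first input that triggered it}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_date, SEEDS, 5000))        # e.g. {'IndexError': '2020-86-15'}
    print("fixed parser:", fuzz(parse_date_fixed, SEEDS, 5000))  # {}
```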
Question 1
- a) Answer: Poor data or input validation can be defined as data that is not strongly typed, has improper syntax, or does not contain only permitted characters within bounded ranges.
- i) When entering a month number, a user input of 13 is wrong.
- ii) When a user wrongly puts a name in place of an address, that is poor data validation.
- b) Answer: Code injection attacks are the exploitation of a computer bug caused by the processing of invalid data. Hackers inject code into a computer program, and thus code injection attacks are carried out. This leaves any user extremely vulnerable.
Two examples of code injection attacks are the Cross Site Scripting (XSS) attack and the OS command injection attack.
- c) Answer: SQL injection attacks are a specific type of code injection used to attack data-driven applications, where malicious SQL statements are inserted into an entry field for execution. The hacker searches for an input in the web application that is included in an SQL query; the vulnerable website then has to include the user input directly within the SQL statement.
An SQL query resulting from SQL injection is as follows:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
- d) Answer: A blind SQL injection attack is a kind of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This type of attack mainly occurs when the web application is configured to show generic error messages.
An example of blind SQL injection is as follows:
Consider a shop's web portal that displays the items for sale. For item number 34, the following query could be run.
SELECT name, description, price FROM Store_table WHERE id = 34;
The attacker manipulates this into: SELECT name, description, price FROM Store_table WHERE ID = 34 and 1=2;
Next time, if the hacker gives 1=1 instead, the query would be true and thus item number 34 would be displayed.
- e) Answer: Two countermeasures against SQL injection attacks are as follows:
- i) Performing systematic input validation.
- ii) Using parameterized stored procedures for database access, to ensure that input strings are not treated as code.
These two countermeasures can easily be used against SQL injection attacks.
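As an added example covering c), d) and e) above (not part of the original answers), the Python below runs the page's two queries against a constructed in-memory SQLite database: the string-spliced versions behave as the answers describe (the 105 OR 1=1 case returns every user; the 34 and 1=2 case is the true/false oracle of blind injection), and beside each sits the hardened version that validates the input and binds it as a parameter. The table contents and function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Users table and the shop's Store_table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Users VALUES (104, 'alice'), (105, 'bob'), (106, 'carol');
        CREATE TABLE Store_table (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        INSERT INTO Store_table VALUES (34, 'lamp', 'desk lamp', 19.99), (35, 'mug', 'ceramic', 4.50);
    """)
    return conn


def user_by_id_unsafe(conn, user_id: str):
    """Vulnerable: the input is spliced into the statement text, so '105 OR 1=1'
    becomes part of the WHERE clause and every row comes back."""
    return conn.execute(f"SELECT * FROM Users WHERE UserId = {user_id}").fetchall()


def user_by_id_safe(conn, user_id: str):
    """Countermeasures from e): systematic input validation, then a bound parameter,
    so the value can only ever be compared, never parsed as SQL."""
    if not user_id.isdigit():
        raise ValueError("UserId must be a positive integer")
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (int(user_id),)).fetchall()


def item_visible_unsafe(conn, item_id: str) -> bool:
    """The blind-injection oracle from d): the page shows the item or it does not,
    which is all the attacker needs to tell a true condition from a false one."""
    rows = conn.execute(
        f"SELECT name, description, price FROM Store_table WHERE id = {item_id}").fetchall()
    return len(rows) > 0


def item_visible_safe(conn, item_id: str) -> bool:
    """Hardened form of the same lookup: a non-numeric id is rejected before any query runs."""
    if not item_id.isdigit():
        raise ValueError("item id must be a positive integer")
    rows = conn.execute(
        "SELECT name, description, price FROM Store_table WHERE id = ?", (int(item_id),)).fetchall()
    return len(rows) > 0


def is_rejected(fn, conn, value: str) -> bool:
    """True when the hardened function refuses the value instead of executing it."""
    try:
        fn(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(len(user_by_id_unsafe(db, "105 OR 1=1")), "rows from the injected query")   # 3
    print(len(user_by_id_safe(db, "105")), "row from the parameterized query")        # 1
    print(item_visible_unsafe(db, "34 and 1=1"), item_visible_unsafe(db, "34 and 1=2"))  # True False
    print(is_rejected(user_by_id_safe, db, "105 OR 1=1"))                               # True
```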
Question 3
- a) i) Answer: The main differences between real-time brute force password recovery attacks and table-based pre-computation password recovery attacks are as follows:
- i) A brute force password recovery attack is extremely easy to carry out and takes up less time, whereas a pre-computation password recovery attack is not as easy to carry out and takes up more time.
- ii) A brute force password recovery attack is used for checking weak passwords, and the opposite holds for a pre-computation password recovery attack.
- a) ii) Answer: The main differences between brute force and dictionary-based password recovery attacks are as follows:
- i) A brute force attack tries the different possible key combinations, whereas a dictionary attack uses a list of known passwords.
- ii) A brute force attack has a large number of key combinations, whereas a dictionary attack is limited to specific common keys.
These are the major and most significant differences between dictionary and brute force password recovery attacks.
- b) Answer: The three best practice approaches for designing password hashing schemes are Lookup Tables, Reverse Lookup Tables and Rainbow Tables.
- i) Lookup Tables are the most effective way of cracking all hashes of the same type extremely fast.
- ii) Reverse Lookup Tables help to create a lookup table that maps each password hash in a user database to the users who have it. The attacker then hashes a password guess and uses the lookup table to get the list of users whose password matches the guess.
- iii) Rainbow Tables can be defined as a time-memory trade-off technique.
- c) Answer: In UNIX systems, user passwords are protected in the password file known as /etc/passwd, which is world-readable. Later they were moved to /etc/shadow, which is backed up in /etc/shadow-. This file is readable by root, and the passwords in it are hashed and salted.
- d) i) Answer: Pre-computed hash tables or rainbow tables are used to crack password hashes; they effectively reverse the cryptographic hash function. The plaintext password can be recovered up to a specific length over a restricted character set.
- d) ii) Answer: Rainbow tables are defined as time-memory trade-off techniques and are extremely effective at increasing the effectiveness of password cracking tools. They are so effective that they could certainly be termed the most effective table for password cracking.
Question 5
- a) i) Answer: Control flow and local memory are organized on modern operating systems by reducing organization and data flow.
- ii) Answer: A buffer overflow aims to force the execution of malicious code in order to provide a root shell to the user. These instructions are stored within a buffer, which is overflowed, allowing unexpected use of the process to change several memory sections.
- b) Answer: Three OS countermeasures that could be used to protect against buffer overflow attacks are as follows:
- i) Stack Canaries: These are values inserted at known locations in memory to detect buffer overflows.
- ii) ASLR: Address Space Layout Randomization introduces randomness into the layout of a process's virtual memory, changing where binaries are mapped.
- iii) DIFT: Dynamic Information Flow Tracking tags untrusted data in order to track it through the system.
- c) i) Answer: Format string attacks occur when the submitted data of an input string is evaluated as a command by an application when it produces output.
- ii) Answer: The measure for preventing format string attacks is to avoid poor input validation.
- d) Answer: This type of attack occurs when an arithmetic operation attempts to create a numeric value that is outside its range. This can be either larger or smaller.