password crackers
* can exploit weaknesses in a protocol to calculate hash
* matches hash to a dictionary word or brute forces it
rainbow tables
attacker uses set of related plaintext passwords and hashes to crack passwords
Pre-Shared Key (PSK)
* using a passphrase to generate the key used to encrypt communications
* AKA group authentication → group of users share same secret
Wifi Protected Access (WPA)
* encryption scheme for protecting Wifi communications
* made to replace WEP
botnet
uses bots to help attackers to exploit multiple computers and mount attacks
botnet uses
* launch Distributed Denial of Service (DDoS) attacks
* launch mass-mail spam attacks
* establish connection from host to a Command and Control (C2) server
keyloggers
* aggressive spyware and a Trojan
* attempt to steal confidential info
* ex: when user enters credit card number into a website → records keystrokes and has info
spyware
* program that monitors user activity and sends info to someone else
* can occur with/without user’s knowledge
* can spawn browser pop-up windows
* can modify DNS queries to direct user to other websites
Potentially unwanted programs (PUP)
* also potentially unwanted applications (PUA)
* software installed with a package/from computer store that user didn’t request
* not a threat to system
Trojans
* malware concealed within an installer package for software that appears to be legit
* real threat to system
ransomware
* type of malware that tries to extort money from victim
* may display threatening messages
* computer remains locked until victim pays
viruses
* malware that’s not necessarily hidden
* very noticeable by virus scanners
* usually in executables (.exe) or Dynamic-link Library (DLL) files
logic bomb
* malicious program/script that runs under particular circumstances or in response to a defined event
* ex: runs if admin’s account becomes disabled
mine
* scripted trap that runs in event that an account gets deleted/disabled
* not usually detected by anti-virus → security specialists can’t discover script
* only uncovered once it gets executed and causes damage
Remote Access Trojan (RAT)
* backdoor
* allows attacker to access PC, upload files, and install software
* can allow attacker to use computer in a botnet
worm
* type of virus that spreads through memory and network connections
* doesn’t infect files
* lives in memory
worm effects
* primary effect: rapidly consumes network bandwidth as worm replicates
* may perform Denial of Service (DOS) attack → crashes operating systems and servers
program virus
* sequences of code insert themselves into another executable program
* when executing the app, the virus code becomes active
multipartite virus
uses propagation methods: boot sector and executable file infection
macro virus
uses programming features available in Microsoft Office files
birthday attack
* type of brute force attack aimed at exploiting collisions in hash functions
* can forge a digital signature
collision
function produces same hash value for 2 different plaintexts
Pass-the-Hash attack
if attacker obtains hash of user’s password → can authenticate with the hash without cracking it
downgrade attack
* can facilitate a Man-in-the-Middle (MITM) attack or On-Path attack
* requests server to use lower specification protocol with weaker ciphers/key lengths
MITM attack
form of eavesdropping → attacker makes independent connection between 2 victims and steals info to use fraudulently
Command and Control attack
* AKA C2
* a host or network that can manage and control the various bots remotely
computer bots
* computer that attacker has infected with backdoor exploits
* connected to C2 host/network
* can work individually or in unison
crypto malware
* class of ransomware that encrypts data files on any fixed/removable/network drives
* user can’t access files without attacker’s private encryption key
skimming
uses counterfeit card reader to capture card details → programs a duplicate
card cloning
* making 1+ copies of an existing card
* attacker can physically duplicate a lost/stolen card with no cryptographic protections
adware browser plug-in
* displays commercial offers and deals
* spyware-like behavior → tracks websites a user visits, displays targeted ads
fileless malware
* uses “live off the land” techniques to avoid detection → uses legit scripting tools
* uses lightweight shellcode to create backdoor
* uses low observable characteristics (LOC) attacks → can be less intrusive than other malware
* does NOT write code to disk → uses memory resident techniques to run own process
password spraying
* horizontal brute-force attack
* attacker chooses 1+ common passwords and uses them with multiple usernames
* uses multiple usernames and passwords
online password attack
* hacker interacts directly with authentication service
* submits multiple passwords (and variations) to gain access with a single/root account
offline password attack
uses captured database of known passwords/password hashes
dictionary attack
* used when there’s a good chance of guessing the plaintext or non-complex password → using common word in a dictionary
* software enumerates values in a dictionary wordlist → password complexity makes them hard to guess/compromise
rainbow table attack
* allows attacker to use a set of plaintext passwords and their hashes to crack passwords
* used when passwords are not “salted” with random value → ciphertext is vulnerable
brute force
attempts every possible combination in key space to get plaintext password from a hash
hybrid password attack
* targets naively strong passwords
* password cracking algorithm tests dictionary words/names in combo with numeric prefixes/suffixes
rootkit
* backdoor malware that changes core system files
* programs interfaces so that local shell processes don’t reveal their presence
birthday attack
to protect against it:
* encryption algorithms must demonstrate collision avoidance → reduce chance that diff inputs will produce the same output
operating system hardening
process of making OS config secure by:
* enabling and allowing access to only necessary services
* installing monitoring software to protect against malware/intrusions
* establishing a maintenance schedule to ensure the OS is kept patched and secure

* attacker exploits client’s unauthenticated access to submit LDAP queries
* queries can create/delete accounts and change authorizations/privileges
* uses port 389
extensible markup language (XML) injection
* submitted XML data takes advantage of spoofing, request forgery, and injection of arbitrary code
* XML has no encryption or input validation checks
structured query language (SQL) injection
* embeds/inserts SQL code to website to query and output info from a database (ex: password hashes)
* happens when threat actor modifies basic SQL functions to some input accepted by an app
* runs other malicious SQL queries/parameters
dynamic link library (DLL) injection
* causes OS to allow a process to attach to another
* forces process to load a malicious link library
* software vulnerability that can occur when Windows-based application attempts to force another app to load a DLL in memory → victim app can leak sensitive info or experience instability
improper input handling attacks
types:
* overflow
* injection
overflow type
* type of improper input handling attack
* attacker submits input to store that’s larger than the variables assigned by application
injection type
* type of improper input handling attack
* attacker embeds code within input or appends code to input → executes when server processes the submission
social engineering
activity where deception and trickery are used to convince unsuspecting users to provide sensitive data/violate security guidelines
Advanced Persistent Threat (APT)
* ongoing ability of an adversary to compromise network security using diff tools/techniques
* aims to obtain and maintain access
buffer overflow vulnerability
attacker passes data that deliberately overfills the buffer (area of memory) that application reserves to store expected data
race condition vulnerability
* multiple threads are attempting to write at the same memory location
* attackers use race conditions as an anti-virus evasion technique
integer overflow attack
causes target software to calculate a value that exceeds upper/lower bounds
pointer dereference
* software vulnerability that can occur when code tries to remove relationship between pointer and thing it points to
* may crash application and corrupt memory
race condition
* occurs when execution processes fail to execute properly because their outcome depends on the order/timing of events
time of check to time of use (TOCTTOU) vulnerability
takes advantage of race condition timing to modify data before using it
error/exception handling
* process of responding to an error occurrence in the form of an output message
* can provide insight into issues in the code which aren’t necessarily related to security
privilege escalation
elevated access of an administrative/root account to perform high system level changes
directory traversal
* an injection attack
* uses specific code to request info from web server’s root directory by submitting a directory path
error handling processes
* may not handle exceptions properly (ex: web application)
* might show error page that reveals type/configuration of a database server → this can further an attack
server-side request forgeries (SSRF)
* causes server application to process an arbitrary request that targets another service (on same or another host)
* abuses functionality and services of backend servers to read/update internal resources
* can expose database info without an authenticated session
client-side request forgery (XSRF)
* AKA cross-site request forgery
* attack that forces a user to execute unwanted actions on a web server that user is currently authenticated to
cross-site request forgery (XSRF)
* malicious script hosted on attacker’s site
* can exploit a session started on another site in the same browser
* successful if server doesn’t check if user made the request
reflected cross-site scripting (XSS)
* server-side input validation exploit
* injects a script into a website
* once victim visits infected site → malicious code executes in user’s browser
stored cross-site scripting (XSS)
* AKA persistent XSS
* server-side script attack that inserts code into back-end database used by trusted site
document object model (DOM) cross-site scripting (XSS)
* exploits vulnerabilities in client-side scripts
* used to modify the content/layout of a web page
application programming interface (API) intrusion
* attacker takes advantage of unsecure communication with application services
* used to perform DOS attacks using multiple API calls
secure socket layer (SSL) stripping
* an on-path attack using ARP poisoning
* redirects clients to an HTTPS site in an unsafe way (when attempting an HTTP connection)
replay attack
* attacker captures some data (ex: cookie file) used to log on/start a session legitimately
* attacker resends data to re-enable the connection
* attacker __intercepts__ key/passwords and __reuses__ it to gain access to a resource
* to prevent → use once-only session tokens, timestamp sessions
clickjacking
attacker inserts an invisible layer into a trusted web page that can intercept/redirect input without the user realizing
resource exhaustion attack
overloads resources using DOS requests (ex: CPU time, memory, disk space)
shim
* code library that intercepts/redirects calls to enable legacy mode on a system
* shows that malware with local admin privileges can run on reboot (persistence)
directory traversal
* injection attack
* submits request for a file outside the web server’s root directory → submits path to navigate to parent directory (../)
* access permissions on file are same as on web server directory
command injection attack
* runs OS shell commands from the browser
* allows commands to operate outside of server’s directory root → forces commands to run as web “guest” user
transitive access
problem of authorizing a request for a service that depends on an intermediate service
privilege escalation
* practice of exploiting flaws in an operating system/other app
* used to gain greater level of access than intended for user/app
* ex: attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks
null pointer exception
* caused when pointer is set to a null value by a malicious process
* process will crash
* to prevent → use logic statements to test a pointer before using it
memory leak
* vulnerability that occurs when software doesn’t release allocated memory when it’s finished using it
* could lead to system instability
pass-the-hash attack
* attacker steals hashed credentials and uses them to authenticate to the network
* to prevent → once-only session token, timestamp sessions
API calls
* use keys to authorize requests to web application
* keys exposed to unsecure connection (ex: HTTP) → attacker can use key to perform other calls
improper error handling
* when errors occur → default app settings may expose more info than necessary
* exposing info over HTTP connection → can provide insight of the environment to attacker
denial of service (DOS) attacks
* can occur when application is bombarded with API calls
* to fix this → reconfig default web settings
memory leak
* can happen in OS kernel → very serious
* can be sign of malicious/corrupted process
refactoring
* code performs same function using diff methods
* antivirus software might no longer identify malware by its signature
SYN flood attacks
* cause resource exhaustion on host’s processing requests
* consume CPU cycles and memory
* delays processing of legit traffic, and could crash host system
amplification attack
* AKA DRDoS attack
* more powerful TCP SYN flood attack
* attacker spoofs victim’s IP address → tries to open connections with multiple servers
packet filtering
* Layer 3 firewall tech
* compares packet headers against access control lists (ACLs) to determine which network traffic to accept
man in the browser (MITB) attack
* attacker compromises web browser by installing malicious plug-ins, scripts, or intercepting API calls
* attackers can install vulnerability exploit kits on a website → actively try to exploit vulnerabilities in clients browsing the site
HTTP Response Splitting
attacker creates a malicious URL and convinces victim to submit it to the web server
locally shared objects (LSOs)
* AKA flash cookies
* data stored on user’s computers by websites that use Adobe Flash Player
* sites may be able to track a user’s browsing behavior
near field communications (NFC)
* does NOT provide encryption
* MITM attacks and eavesdropping are possible → if software services don’t encrypt data, an attacker can find a way to intercept communications
radio frequency ID (RFID)
way of encoding info to passive tags → can easily attach to devices, structures, clothing, etc.
bluetooth devices
have known security issues → device discovery, pairing authentication, worms and exploits
wifi
* can be easily intercepted
* forms of encryption → WEP, WPA, and WPA2
Visual Basic for Applications (VBA)
* scripting language for Microsoft Office
* uses **macros** to perform sequence of actions in context of a word processor/spreadsheet/presentation file
bash
* AKA Bourne-again shell
* command-line terminal for Linux environment
* bash scripting attack → malicious shellcode commands targeting a Linux OS
PowerShell
* method of performing Windows administrative tasks
* common cmdlets → Invoke-Expression, Invoke-Command, Invoke-WmiMethod, New-Service, etc.
Python
* popular language for development projects
* code with multiple logic/looping statements found in a .py file → may be a Python scripting attempt