CompTIA® Security+ Exam Notes : Compare And Contrast Types Of Attacks

1. Threats, Attacks and Vulnerabilities

1.2 Compare and contrast types of attacks

Social engineering:

Social engineering is a skill that an attacker uses to trick an innocent person, such as an employee of a company, into doing a favor.

For example, the attacker may hold packages with both hands and ask a person who has permission to enter a building to hold the door open.

Social Engineering is considered to be the most successful tool that hackers use.

The term "social engineering" refers to tricking someone into revealing useful information, such as a password.

Social engineering can be used to collect any information an attacker might be interested in, such as the layout of your network, names and/or IP addresses of important servers, installed operating systems and software.

The information is usually collected through phone calls, or by posing as a new recruit or as a guest of your boss.

Social engineering is a technique in which an attacker tricks an innocent person into doing something that helps the attacker perform some unlawful activity.

The tricks used may be simple. For instance, the attacker may act like a system administrator and ask the victim for his login and password for some kind of troubleshooting.

Social Engineering exploits human behavior.

Defense against social engineering may be built by:

1. Including instructions in your security policy for handling it, and

2. Training the employees what social engineering is and how to deal with it.


Staff training is the most effective tool for preventing social engineering attacks. Social engineering and Trojan attacks are two well-known problems associated with Discretionary Access Control (DAC).

Cross-site request forgery: Also known as XSRF or CSRF (pronounced "see-surf"), it is an attack against web-hosted apps whereby a malicious web app can influence the interaction between a client browser and a web app that trusts that browser. These attacks are possible because web browsers send some types of authentication tokens automatically with every request to a website. This form of exploit is also known as a one-click attack or session riding because the attack takes advantage of the user's previously authenticated session. XSRF involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge, and it usually employs some type of social engineering to pull it off.

Cross-site scripting: It is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

  • Cross-site scripting (XSS) exploits the trust a user has in a particular site, whereas CSRF exploits the trust that a site has in a user's browser.
  • In cross-site scripting (XSS), the attacker injects JavaScript, VBScript, ActiveX, HTML, or Flash into a web page served to a visitor in order to fool him and gather data from his computer.
  • Note that the code used in XSS is always client-side scripting, not server-side scripting.
  • Here, for example, the user clicks on an innocent-looking hyperlink and gets malicious code installed on his computer.

SQL injection: It is a code injection technique that might destroy your database. SQL injection works by placing malicious code in SQL statements via web page input.

Phishing: Phishing is the act of sending an e-mail to a user while claiming to be a reputable organization (such as a bank) in an attempt to scam the user into providing information over the Internet. The e-mail directs the user to a Web site where they are prompted to provide private information, such as credit card and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information. Phishing is the practice of enticing unsuspecting Internet users to a fake Web site by using authentic-looking e-mail carrying the legitimate organization's name, in an attempt to steal passwords, financial or personal information, or introduce a virus attack. Phishing is a form of social engineering in which the attacker asks you for a piece of information by making it look as if it is a legitimate request. Usually, in a phishing attack, the fraudster will just send one phishing e-mail that directs you to a website requesting you to enter your personal information, such as User ID and Password.

Whaling: Whaling scam emails are designed to masquerade as a critical business email sent from a legitimate business authority. The content is tailored for upper management, and usually involves some kind of falsified company-wide concern. Sometimes, the whaling email will claim to be from the Better Business Bureau, seeking to confirm a complaint against the target company. Though the terms phishing, spamming, and email spam are also related, whaling is specifically a form of spear phishing that targets high-level executives. Whaling is nothing more than phishing or spear phishing, but aimed at big users. Instead of sending out a "To Whom It May Concern" message to thousands of users, the whaler identifies one person from whom they can gain all of the data they want - usually a manager or owner - and targets the phishing campaign at them.

In phishing and whaling, the attacker uses e-mail to trick a user into revealing personal information or clicking on a link. A phishing attack will often send the user to a malicious website that appears to the user to be a legitimate site, such as PayPal, a bank, or Microsoft.

The "phisher" doesn't know if the recipient has an account at the company, but, if the attacker sends out enough e-mails, the chances are good that someone who receives the e-mail has an account.

Tailgating: When a person simply follows an authorized person through an open door that is otherwise secured, it is called tailgating. The other terms are distractions only.

Vishing: The telephone version of phishing is called vishing. Vishing relies on "social engineering" techniques to trick you into providing information that others can use to access and use your important accounts. People can also use this information to assume your identity and open new accounts. Vishing is the act of using the telephone (voice or VoIP) in an attempt to scam the user into giving private information that will be used for identity theft. The attacker usually pretends to be a legitimate business. Vishing is the telephone equivalent of phishing.

To avoid being fooled by a vishing attempt:

  • If you receive an email or phone call requesting you call them and you suspect it might be a fraudulent request, look up the organization's customer service number and call that number rather than the number provided in the solicitation email or phone call.
  • Forward the solicitation email to the customer service or security email address of the organization, asking whether the email is legitimate.

Spoofing: A spoofing attack is an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack.

SPIM is the same thing as Spam - unsolicited advertisements. The difference is that SPIM appears through instant messaging programs instead of email. SPIM messages are automated messages that urge the person receiving the message to visit a Web site. These systems use special software programs to troll the Internet looking for instant messaging screen names, which are then added to the "spimmer's" contact list.

Scareware: Scareware, also known as rogueware or fake antivirus software, has become one of the fastest-growing, and most prevalent, types of internet fraud.

Vulnerability: Vulnerability refers to the extent to which a system is prone to attack from a hacker. "Soft intrusion" is a fictitious answer.

Driver Manipulation: Two popular methods of driver manipulation are shimming and refactoring.

Shimming : A shim is a small library that is created to intercept API calls transparently and do one of three things: handle the operation itself, change the arguments passed, or redirect the request elsewhere. Sophisticated attackers may reach down into device drivers and manipulate them in ways that undermine security.

Refactoring : Refactoring is the name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code's visible behavior. In the non-malware world, this is done in order to improve the design, to remove unnecessary steps, and to create better code. In other words, refactoring consists of improving the internal structure of an existing program's source code, while preserving its external behavior.

Cryptographic Attacks:

Rainbow tables: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a password (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. A rainbow table attack refers to a method wherein known MD5 signatures are stored and the corresponding text-based password is deduced. However, it is not possible to deduce the text-based password with certainty because MD5 is a hash algorithm; it is just taking a chance. The tables wherein the MD5 hashes and the corresponding (guessed) text-based passwords are stored are known as rainbow tables. This type of attack occurs when an attacker uses rainbow tables (tables matching clear-text passwords to hash codes) to access a victim's account.

Hijacking and related attacks

Typosquatting: Also known as URL hijacking, it is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "" instead of ""). When users make such a typographical error, they may be led to an alternative website owned by a hacker that is usually designed for malicious purposes.

In typosquatting attacks, an attacker purchases similar domain names for malicious purposes, such as selling similar fake products, advertising, etc. Users visit the typosquatting domain when they enter the URL with a typing error.

Example: and

Watering hole attack: Occurs when an attacker places malicious code on a website known to be frequented by some company executives. The attacker then plants some kind of remote access code on the visitor's computer with the intention of exploiting it.

Dictionary attack: A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.

Cognitive password: A cognitive password is a form of authentication password that relates to the user in one form or another. For example, a user may have to input his/her mother's maiden name or the color of his first car. When such information is divulged on social web sites, it is possible for a hacker to use cognitive passwords to exploit the victim's account on a server.

LSO (Locally Shared Objects): An LSO attack (also known as a Flash cookie attack) results from an attacker misusing Flash cookies. Note that Flash cookies are stored in different locations from normal text-based cookies and are not deleted when you delete normal cookies. For example, such a cookie may be used to track a visitor's Internet access over a period of time. When you browse a Flash-enabled website, the Flash cookie is not stored in the same folder as normal cookies; Flash cookies are stored in several different locations. Several spammers use this to their advantage: a Flash cookie may be programmed to track the user's activity over the Internet and report it back to the spammer. Normal deletion of cookies will not delete Flash cookies.

Arbitrary code execution attack: Here, when a user visits a malicious website, a malware application is downloaded and installed on the victim's computer. The malicious program then runs by itself, leaving the target system vulnerable to various attacks.

Remote code execution: This is somewhat similar to arbitrary code execution; however, here the victim's computer becomes accessible to the attacker from a remote location after the malware is installed. As a result, an attacker is able to run commands on the victim's computer.

Session hijacking: Also known as cookie hijacking, it exploits a valid computer session (also called a session key) to gain unauthorized access to information or services in a computer system.

Malicious add-ons: As the name implies, malicious add-ons are add-ons to a browser, such as a pop-up blocker. A malicious add-on appears to be genuine, but installs malware that may be used to exploit the victim's computer. One needs to be very careful when installing any browser add-ons.

Header manipulation: It is done by manipulating the header of a TCP/IP packet. For example, an attacker may obtain the session cookie through cookie hijacking, and then place the session code in the TCP/IP packet header. If the server relies only on the session key to validate user access, it may hand control of the session to the attacker. Thus the attacker has effectively taken control of the session by manipulating the TCP/IP header.

Clickjacking: Clickjacking involves an attacker using multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they were intending to click the top-level page.

Application/Service attacks:

Buffer-overflow attack: In a buffer overflow, a program receives more data than the buffer is sized to hold. The extra data sometimes holds specific instructions for actions intended by a hacker or malicious user; for example, the data could trigger a response that damages files, changes data or unveils private information.

Web servers are most prone to CGI script exploits and buffer overflow attacks. CGI scripts run on the server side performing a given function, such as writing to or reading from a database. Hackers may use loopholes in the scripts to hack into the web server. Similarly, a buffer overflow can be used to run undesirable code on the server, making it vulnerable.

Java applets are executable programs that run within the browser window. The environment in which a Java applet runs is known as JVM (Short for Java Virtual Machine). Vulnerabilities associated with Java applets include buffer overflow, excessive utilization of computer resources, opening up of back-door for hacking, etc.

CGI is a server-side script and does not run in a browser. JavaScript and XHTML, though client-side, are not appropriate choices here.

DoS attack: The Internet architecture provides an unregulated network path that can be used to attack innocent hosts. Denial-of-service (DoS) attacks exploit this to target mission-critical services. DoS attacks are explicit attempts to block legitimate users' system access by reducing system availability. Physical or host-based intrusions are generally addressed through hardened security policies and authentication mechanisms. Although software patching defends against some attacks, it fails to safeguard against DoS flooding attacks, which exploit the unregulated forwarding of Internet packets.

A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master", also called a "zombie". It is from the zombie that the intruder identifies and communicates with other systems that can be compromised. The intruder loads hacking tools on the compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target.

Distributed Denial of Service (DDoS): It is an attack where multiple compromised systems (which are usually infected with a Trojan) are used to send requests to a single system, causing the target machine to become unstable or unable to serve its legitimate users.


The DoS and DDoS attacks are associated with denial of service. A Smurf attack is a denial-of-service attack that uses spoofed broadcast ping messages to flood a target system.

Man-in-the-middle: A man-in-the-middle attack attempts to fool both ends of a communications session into believing that the system in the middle is the other end.

Zero-day: A zero-day attack exploits a vulnerability that is not yet known to the vendor or the public, so no patch or signature exists to defend against it at the time of the attack.

Replay: An attack that captures portions of a session to play back later to convince a host that it is still talking to the original connection. In a replay attack, the hacker intercepts the victim's encrypted user name and password while they are being transmitted to a server, and replays the same captured data to access the server fraudulently. The attacker gets the same privileges as the victim, since the replayed user name and password match.
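As an added example (not code from these notes), the standard defense against the replay described above in Python: each message carries a random nonce and a timestamp bound to the body by an HMAC under an assumed pre-shared key, and the server refuses any nonce it has already accepted or any timestamp outside its window.

```python
import hashlib
import hmac
import secrets
import time

# Assumed pre-shared secret between client and server (constructed for the demo).
SHARED_KEY = b"constructed-demo-key"


def _mac(key, nonce, ts, body):
    # Bind nonce, timestamp and body together under one keyed hash.
    data = f"{nonce}|{ts}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(key, body, nonce=None, ts=None):
    """Client side: attach a fresh random nonce, a timestamp and an HMAC."""
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    ts = ts if ts is not None else int(time.time())
    return {"nonce": nonce, "ts": ts, "body": body, "mac": _mac(key, nonce, ts, body)}


class ReplayGuard:
    """Server side: accept each nonce once, and only within a time window."""

    def __init__(self, key, window=300, now=time.time):
        self.key = key
        self.window = window
        self.now = now            # injectable clock so tests are deterministic
        self.seen = {}            # nonce -> timestamp it was accepted with

    def verify(self, msg):
        expected = _mac(self.key, msg["nonce"], msg["ts"], msg["body"])
        # Check integrity first: without the key, a modified message fails here.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac"
        now = int(self.now())
        # Forget nonces too old to be replayed, so the seen set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


def demo():
    guard = ReplayGuard(SHARED_KEY)
    original = sign_message(SHARED_KEY, "transfer 10 to bob")
    first = guard.verify(original)          # accepted once
    replayed = guard.verify(original)       # same capture sent again
    tampered = dict(original, body="transfer 1000 to bob")
    return first, replayed, guard.verify(tampered)   # ("ok", "replay", "bad mac")
```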

Input validation refers to validation of user input in a browser based form. It is done in two ways:

1. Client-side validation: Here the validation is done in the browser itself. It is possible for a hacker to submit input directly (bypassing the form) and to disable script-based validation. Therefore, client-side input validation needs to be supplemented by server-side validation of user input.

2. Server-side validation: With server-side validation, the attacker cannot bypass the checks by manipulating the way the user input is sent. Various types of attacks that may result from missing or insufficient server-side input validation are given below:

1. Buffer-overflow attack

2. SQL injection attack

3. Command injection attack

4. Cross-site scripting attack
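As an added example (not code from these notes) covering both the SQL injection entry above and the server-side validation point, a Python login check against a constructed in-memory SQLite table: the concatenated query is the injectable form, while the parameterized query and the allow-list validator are the hardened form. The table stores a plaintext password only to keep the demo short.

```python
import re
import sqlite3


def make_db():
    # Constructed users table for the demo; real systems store password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The input is concatenated into the SQL text, so a quote in the input
    # changes the structure of the statement instead of being treated as data.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text; the database
    # never parses the user input as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed allow-list policy


def validate_username(username):
    # Server-side allow-list check: reject anything outside the expected shape,
    # regardless of what the browser-side form may or may not have checked.
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = make_db()
    injected = "' OR '1'='1"   # textbook payload supplied in the password field
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "nobody", injected),      # True: bypass
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "nobody", injected),  # False
        "validator": validate_username("alice' OR '1'='1"),               # False
    }
```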

Malicious add-ons occur when you mistake a malicious browser add-on for a genuine one. A malicious add-on installs malware on the victim's computer.

DNS poisoning: This is also known as cache poisoning. Here, a rogue machine corrupts the DNS replies cached from a DNS server and uses the information fraudulently to redirect the victim's browser to the attacker's site.

TCP/IP hijacking: TCP/IP hijacking occurs when an attacker replaces the victim's system with his own, without being detected. This allows access privileges to be kept in the session. Hijacking attacks take advantage of the sequencing numbers used in TCP sessions.

ARP poisoning: Address Resolution Protocol (ARP) poisoning convinces the network that the attacker's MAC address is the one associated with the victim's IP address. As a result, traffic sent to that IP address is wrongly delivered to the attacker's machine.

IP address spoofing: IP address spoofing is a technique that involves replacing the IP address of an IP packet's sender with another machine's IP address. The IP address spoofing technique can enable an attacker to send packets on a network without having them be intercepted by the packet filtering system (firewall). Firewall systems are usually based on filtering rules indicating the IP addresses that are authorized to communicate with the network's internal machines. In IP spoofing, the attacker uses somebody else's IP address as the source IP address. Since routers forward packets based on the destination IP address, they simply forward the packets to the destination without verifying the genuineness of the source IP address.

Cryptographic attacks:

Given below are some of the widely known password guessing methods:

1. Dictionary: This is the method in which dictionary terms are used for guessing a password.

2. Birthday: It takes advantage of probabilities, much like the chance that two people in a 50-person room share the same birthday. With every additional person, the chance that two people share a birth date increases. In the same way, as you keep guessing the password, the chances of a hit keep increasing.

3. Brute force: In a Brute Force attack, muscle (in this case, CPU and/or network muscle) is applied to break through a particular security mechanism, rather than using particular intelligence or logic. "Brute force" is most commonly applied to password guessing, taking advantage of computer power available to an attacker, to try every possible password value, until the right one is found. In cryptography, a brute-force attack is an attempt to recover a cryptographic key or password by trying every possible combination until the correct one is found. How quickly this can be done depends on the size of the key, and the computing resources applied.

4. Rainbow tables: Rainbow tables are huge lists of keys or passwords. A password-guessing program uses these lists of keys or passwords rather than generating each key or password itself.
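As an added example (not code from these notes) for the rainbow table entry earlier and the dictionary and rainbow table methods listed here, a Python demonstration of why a precomputed hash-to-plaintext table works against plain MD5 but not against a salted, slow hash, and why a dictionary attack on a weak password still works against the salted form. The wordlist and salt are constructed for the demo, and pbkdf2_hmac stands in for whatever password hash a real system uses.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for a dictionary or rainbow table source.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    # A precomputed hash -> plaintext map: the essence of a rainbow table
    # (real tables compress chains of hashes, but the lookup idea is the same).
    return {md5_hex(w): w for w in words}


def reverse_with_table(table, digest):
    # Succeeds only if exactly this hash was precomputed; None otherwise.
    return table.get(digest)


def new_salt():
    return os.urandom(16)


def salted_hash(password, salt, iterations=100_000):
    # Per-user random salt plus a slow KDF: the same password yields a different
    # digest per user, so no table built in advance can contain it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(words, salt, target, iterations=100_000):
    # Guessing still works against a weak password, but each guess now costs a
    # full KDF run and has to be repeated for every salt.
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt, iterations), target):
            return w
    return None


def demo(iterations=1_000):
    table = build_lookup_table(WORDLIST)
    salt = new_salt()
    target = salted_hash("letmein", salt, iterations)
    return {
        "table_hit": reverse_with_table(table, md5_hex("letmein")),       # "letmein"
        "table_miss": reverse_with_table(table, md5_hex("Tr0ub4dor&3")),  # None
        "salted_in_table": reverse_with_table(table, target),             # None
        "dictionary_hit": dictionary_attack(WORDLIST, salt, target, iterations),
    }
```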

Wireless Attacks:

Rogue AP: A rogue access point is a Wi-Fi access point which is set up by an attacker for the purpose of sniffing wireless network traffic. 802.11 (Wi-Fi) uses SSIDs (Service Set Identifiers) to authenticate NICs to wireless access points. There is no similar protocol for authenticating wireless access points. It is possible to place a rogue wireless access point into an 802.11 network. This rogue wireless access point can then be used to hijack the connections of legitimate network users.

An evil twin is a rogue access point set up by an attacker that produces a stronger signal than the legitimate access point. Therefore, by virtue of stronger signal, the users are attracted to the rogue access point.

Hoax: A virus hoax typically offers millions of dollars on providing some personal information or asks for doing something else such as deleting some file. You should notify the system admin about such viruses.

Weak encryption: WEP encryption allows an attacker using readily available software to crack the key within minutes. WEP encryption uses a shared key authentication and sends the same key with data packets being transmitted across the wireless network. If malicious users have enough time and gather enough data they can eventually piece together their own key. Another disadvantage to using WEP encryption is that if the master key needs to be changed, it will have to be manually changed on all devices connected to the network. This can be a tedious task if you have many devices connected to your network.

RFID: RFID, short for Radio Frequency Identification, is a technology that enables identification of a tag (that is normally attached with an entity) by using electromagnetic waves. The function served by RFID is similar to bar code identification, but line of sight signals are not required for operation of RFID.

IV: An IV (Initialization Vector) attack involves looking at repeated results in order to crack the WEP secret key.

NFC: NFC, short for Near Field Communication, is a form of contactless communication between devices like smartphones or tablets. Contactless communication allows a user to wave the smartphone over an NFC-compatible device to send information without needing to touch the devices together or go through multiple steps to set up a physical connection.

Bluejacking: Bluejacking is the term given to unsolicited messages sent to your Bluetooth-enabled phone. For example, assume that a message "Hello, you've been bluejacked" has just been received on your mobile. This is a case of bluejacking. You can prevent this kind of annoyance by turning off Bluetooth when it is not required. Bluejacking is the sending of unsolicited messages over a Bluetooth connection.

Bluesnarfing: Bluesnarfing is the theft of information from a wireless device such as a mobile phone or PDA through a Bluetooth connection. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information such as the user's calendar, contact list and e-mail and text messages.
