Untitled Presentation


Attack Types

[Slide: word cloud of attack names. Recoverable terms: Brute-force Attack, Corporate Account Takeover (CATO), Credential Stuffing, Golden Ticket, Advanced Persistent Threat (APT), Shoulder Surfing, Address Resolution Protocol (ARP) Poisoning, Man-in-the-Browser (MitB), Password Spraying (Low and Slow), Meterpreter, Session Hijacking (Cookie Side-jacking), HTTPS Spoofing, Wi-Fi Eavesdropping (Evil Twin), Email Hijacking, SSL Stripping, DNS Cache Poisoning, DNS Spoofing, IP Spoofing, Mimikatz, Man-in-the-Middle Attack (MITM).]
Brute Force Attack (Trial-and-Error Method)
Simple brute force attack: systematically trying every password combination.
Hybrid brute force attacks: start from external logic to decide which password variations are most likely to succeed (e.g. a known word plus digits or a year), then continue with the simple approach to try the many possible variations.
Dictionary attacks: recovering the plaintext of password hashes by hashing each entry of a word list and comparing it with the stolen hash.
Rainbow table attacks: using software such as RainbowCrack. A rainbow table is a precomputed table for reversing cryptographic hash functions; it can recover a password up to a certain length over a limited character set with far less storage than a full lookup table. A per-password salt defeats rainbow tables, because a separate table would be needed for every salt value.
Reverse brute force attack (Password spraying): uses one common password, or a small collection of passwords, against many usernames. Because each account sees only a few attempts, the attack stays below account-lockout thresholds. It targets a set of users for whom the attacker has previously obtained data, typically a list of usernames.
Credential stuffing: uses previously leaked username-password pairs, trying them against multiple websites. It exploits the fact that many users reuse the same username and password across different systems.

Brute force tools: Aircrack-ng, John the Ripper, RainbowCrack, Cain and Abel, L0phtCrack, OphCrack, Hashcat, SAMInside, THC-Hydra.

Dictionary Attacks
Using a dictionary, the attacker builds a large lookup table of digests and their matching plaintext passwords. If a stolen digest appears in the table, the attacker has the password. This only works directly against unsalted hashes; with a salt the attacker must redo the hashing for every target.
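The lookup-table attack described above, and why a per-user salt breaks it, as an added example (not from the original slides). The word list, the "leaked" digests and the use of plain SHA-256 are constructed assumptions; a real run would load a file such as rockyou.txt against whatever hash format was stolen.

```python
import hashlib
import os

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2019", "Pa$$w0rd"]


def build_lookup_table(words, algo="sha256"):
    """Precompute digest -> plaintext for every word: the dictionary attack's lookup table."""
    table = {}
    for word in words:
        digest = hashlib.new(algo, word.encode()).hexdigest()
        table[digest] = word
    return table


def crack_unsalted(target_digest, table):
    """One dictionary lookup recovers an unsalted password; None if no match."""
    return table.get(target_digest.lower())


def hash_salted(password, salt, algo="sha256"):
    """How a server should store a password: digest over salt || password."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def crack_salted(target_digest, salt, words, algo="sha256"):
    """With a salt the precomputed table is useless; every guess must be rehashed with that salt."""
    for word in words:
        if hash_salted(word, salt, algo) == target_digest:
            return word
    return None


def demo():
    table = build_lookup_table(WORDLIST)

    # Constructed leak: an unsalted sha256("letmein") falls to the table instantly.
    leaked = hashlib.sha256(b"letmein").hexdigest()
    unsalted_result = crack_unsalted(leaked, table)

    # Same weak password, but stored with a random 16-byte salt.
    salt = os.urandom(16)
    leaked_salted = hash_salted("letmein", salt)
    table_hit = crack_unsalted(leaked_salted, table)      # the table does not contain it
    salted_result = crack_salted(leaked_salted, salt, WORDLIST)  # per-hash dictionary run still works

    return unsalted_result, table_hit, salted_result


if __name__ == "__main__":
    print(demo())
```

The salt does not make a weak password strong; it only forces the attacker to pay the full per-guess cost for every stolen hash instead of once for the whole breach, which is why a slow hash such as bcrypt, scrypt or Argon2 is used together with it.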
Corporate Account Takeover (CATO)
There are different ways to protect against CATO, depending on the type of account and how it is accessed. Generally speaking, the following protection measures are used:

• Multifactor authentication, which prevents access to an account without a second factor implemented as a separate hardware device (e.g. smart card, OTP token, biometric sensor) or installed on a separate computing device, typically a mobile device belonging to the account holder.

• Phishing prevention solutions that aim to prevent credential theft.

• Malware protection to prevent malware-based credential theft.

• Fraud prevention technology that analyzes transactions originating from an account to identify anomalous ones that do not follow normal patterns and may indicate fraud.

For example, the Patco Construction Company sued Ocean Bank after Patco's computers became infected with malware, allowing fraudsters to make six wire transfers amounting to more than $588,000 using the Automated Clearing House (ACH) transfer system. Only $243,000 of the stolen money was recovered.
Golden Ticket
A Golden Ticket attack gives an attacker complete and unrestricted access to an entire domain: all computers, files, folders and, most importantly, the access control system itself.

Golden Ticket attacks are carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by the Key Distribution Center (KDC). The attacker obtains the secret of the KDC's service account, KRBTGT, by stealing its NTLM hash (or AES key), typically by dumping it from a domain controller or replicating it with DCSync. With that key the attacker can forge Ticket Granting Tickets (TGTs) for any account in the domain, with any group membership and any lifetime. With a forged TGT, the attacker can request service tickets for any resource or system in the domain from the Ticket Granting Service (TGS). Because the ticket is protected by the domain's own key, it stays valid until the KRBTGT password is reset twice: the KDC also accepts tickets issued under the previous key, so a single reset is not enough.
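A toy model of the trust relationship the Golden Ticket abuses, added here as an example and not part of the original slides. Real TGTs are encrypted blobs containing a PAC; this simplification authenticates a JSON ticket with an HMAC under the krbtgt key (an assumption made so the point fits in a few lines). It shows that whoever holds the key can mint a ticket the KDC cannot distinguish from a genuine one, and that the ticket survives one key rotation because the previous key is still honoured.

```python
import hashlib
import hmac
import json
import secrets
import time

SEP = "|"  # separator between ticket body and MAC (never appears in hex or in our JSON)


class ToyKDC:
    """Simplified KDC: issues and validates TGTs under the krbtgt key, keeping one previous key."""

    def __init__(self):
        self.krbtgt_key = secrets.token_bytes(32)
        self.previous_key = None  # real KDCs accept tickets under the previous krbtgt password too

    @staticmethod
    def _mac(key, body):
        return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

    def issue_tgt(self, user, lifetime=10 * 3600):
        body = json.dumps({"user": user, "groups": ["Domain Users"],
                           "exp": time.time() + lifetime}, sort_keys=True)
        return body + SEP + self._mac(self.krbtgt_key, body)

    def validate_tgt(self, ticket, now=None):
        """Return the ticket's claims if the MAC verifies under the current or previous key."""
        body, mac = ticket.rsplit(SEP, 1)
        for key in (self.krbtgt_key, self.previous_key):
            if key and hmac.compare_digest(mac, self._mac(key, body)):
                claims = json.loads(body)
                if claims["exp"] > (now or time.time()):
                    return claims
        return None

    def rotate_krbtgt(self):
        self.previous_key = self.krbtgt_key
        self.krbtgt_key = secrets.token_bytes(32)


def forge_golden_ticket(stolen_krbtgt_key, user="Administrator", lifetime_years=10):
    """Attacker side: the KDC is never consulted; the stolen key alone produces a valid ticket."""
    body = json.dumps({"user": user, "groups": ["Domain Admins"],
                       "exp": time.time() + lifetime_years * 365 * 86400}, sort_keys=True)
    return body + SEP + hmac.new(stolen_krbtgt_key, body.encode(), hashlib.sha256).hexdigest()


def demo():
    kdc = ToyKDC()
    stolen = kdc.krbtgt_key                 # what a DC dump or DCSync hands the attacker
    golden = forge_golden_ticket(stolen)
    before = kdc.validate_tgt(golden)       # accepted: Domain Admins, ten-year lifetime
    kdc.rotate_krbtgt()
    after_one = kdc.validate_tgt(golden)    # still accepted under the previous key
    kdc.rotate_krbtgt()
    after_two = kdc.validate_tgt(golden)    # finally rejected
    return before, after_one, after_two


if __name__ == "__main__":
    print(demo())
```

The same model explains the usual detection hints: a TGT whose lifetime exceeds the domain policy, or group SIDs that do not match the account, can only come from a forged ticket.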
MITM Attacks

Common types of man-in-the-middle attack:

1. DNS spoofing
2. IP spoofing
3. Wi-Fi eavesdropping
4. HTTPS spoofing
5. SSL hijacking
6. Email hijacking
7. Session hijacking
8. Man in the Browser


Address Resolution Protocol Poisoning
An ARP attack is a MITM attack in which the attacker sends forged ARP messages on a local network so that the IP address of a user on that network is mapped to the attacker's own MAC address.

ARP spoofing is a type of attack in which an attacker sends false ARP (Address Resolution Protocol) messages over a local network (LAN). This links the attacker's MAC address with the IP address of a legitimate machine on the network. Once the attacker's MAC address is linked to an authentic IP address, the attacker begins receiving any data intended for that IP address, assuming the identity of the legitimate host; poisoning both the victim and the gateway puts the attacker in the middle of both directions. ARP spoofing lets malicious parties intercept, modify or even stop data transmitted between parties. It works because ARP has no authentication and hosts accept unsolicited replies. ARP spoofing only occurs on local area networks that use ARP; mitigations are static ARP entries for the gateway, Dynamic ARP Inspection on switches, and end-to-end encryption so intercepted traffic cannot be read.
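A small ARP-poisoning detector, added here as an example rather than code from the original slides. It consumes (sender IP, sender MAC) pairs as a sniffer would hand them over and flags the two tell-tales of an attack: one IP answered by more than one MAC, and one MAC claiming more than one IP. The capture below is constructed; a real tool would read replies from scapy or tcpdump.

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) in the order they were seen.
CAPTURE = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # victim, legitimate
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # attacker claims the gateway's IP
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # and the victim's IP: two-sided poisoning
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for IP/MAC conflicts; `trusted` is an optional static ip->mac map."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    macs_for_ip = defaultdict(set)
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ip}: reply from {mac} conflicts with static entry {trusted[ip]}")
        macs_for_ip[ip].add(mac)
        if len(macs_for_ip[ip]) > 1:
            alerts.append(f"{ip}: now claimed by multiple MACs {sorted(macs_for_ip[ip])}")

    # A single MAC answering for several IPs is the signature of a host relaying in the middle.
    ips_for_mac = defaultdict(set)
    for ip, macs in macs_for_ip.items():
        for mac in macs:
            ips_for_mac[mac].add(ip)
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac}: claims multiple IPs {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(CAPTURE, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

The multiple-IPs rule fires on legitimate routers with several addresses and on failover setups, so in practice it is weighted against the static-entry rule rather than used alone.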

SMURF ATTACK: The Smurf attack is a distributed denial-of-service attack in which a large number of Internet Control Message Protocol (ICMP) echo requests are sent to a network's broadcast address with the source IP forged to be the victim's address. Every host on the network answers the victim, so the attacker's traffic is amplified by the size of the network. The source IP is forged at the IP layer (raw sockets); this is separate from ARP poisoning, which operates on MAC addresses inside a LAN. The flood can knock users off the network. Routers that drop directed broadcasts, the default today, largely neutralize the attack.

MAC SPOOFING: a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface controller (NIC) on a networked device. The change is typically made in software through the device driver settings. MAC spoofing is used to bypass access control lists on servers or routers, either by hiding a computer on a network or by impersonating another network device (for example to get past MAC-based Wi-Fi filtering).
E-Mail Spoofing / Hijacking

A passive attack method: after gaining access to an e-mail account, the attacker monitors the mail traffic (email hijacking, as listed above). Spoofing proper means forging the sender address of a message; SPF, DKIM and DMARC are the checks that make a forged sender detectable by the receiving server.
Evil Twin Attack
SSL Stripping
Performed by downgrading the victim's HTTPS connections to plain HTTP: the attacker keeps an HTTPS connection to the real server and serves the victim an HTTP copy of each page with every https:// link and redirect rewritten to http://, so credentials travel in the clear through the attacker. HTTP Strict Transport Security (HSTS), especially with browser preloading, defeats this because the browser refuses to load the site over plain HTTP at all.

HOW CAN SSL STRIPPING BE IMPLEMENTED?

The most common ways of getting into position for an SSL stripping man-in-the-middle attack are:

1) Manually setting the browser's proxy to route all traffic through the attacker

2) Address Resolution Protocol (ARP) poisoning

3) Creating a hotspot and letting victims connect to it
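Both halves of SSL stripping in one place, as an added example not taken from the original slides: what the attacker's proxy does to a server response, and the browser-side HSTS check that stops the downgraded page from loading. The server response and host names are constructed; a real stripping proxy such as sslstrip also tracks which links it rewrote so it can re-upgrade the victim's requests, which is left out here.

```python
import re
from urllib.parse import urlsplit

# Constructed HTTPS response from the real server, as seen by the attacker's proxy.
SERVER_RESPONSE = {
    "status": 301,
    "headers": {
        "Location": "https://bank.example/login",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "body": '<a href="https://bank.example/login">Log in</a> <a href="http://cdn.example/x.js">x</a>',
}


def strip_response(resp):
    """Attacker side: downgrade every https reference and drop the HSTS header before relaying."""
    headers = {k: v for k, v in resp["headers"].items()
               if k.lower() != "strict-transport-security"}
    if "Location" in headers:
        headers["Location"] = re.sub(r"^https://", "http://", headers["Location"])
    body = re.sub(r"https://", "http://", resp["body"])
    return {"status": resp["status"], "headers": headers, "body": body}


def learn_hsts(host, headers, hsts_cache):
    """Victim side, on a genuine HTTPS visit: remember hosts that sent a positive HSTS max-age."""
    value = headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", value)
    if match and int(match.group(1)) > 0:
        hsts_cache.add(host)
    return hsts_cache


def browser_allows_plain_http(url, hsts_cache):
    """Victim side: a cached HSTS entry makes the browser upgrade http:// URLs itself,
    so the stripped link never reaches the attacker's proxy in the clear."""
    parts = urlsplit(url)
    return not (parts.scheme == "http" and parts.hostname in hsts_cache)


def demo():
    stripped = strip_response(SERVER_RESPONSE)
    first_visit = set()                    # browser that has never seen the site over HTTPS
    returning = learn_hsts("bank.example", SERVER_RESPONSE["headers"], set())
    return (browser_allows_plain_http(stripped["headers"]["Location"], first_visit),
            browser_allows_plain_http(stripped["headers"]["Location"], returning))


if __name__ == "__main__":
    print(strip_response(SERVER_RESPONSE))
    print(demo())  # (True, False): first visit is strippable, a returning browser is protected
```

The first-visit gap is exactly what the HSTS preload list closes: browsers ship with the entry already cached, so there is no unprotected first connection.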


Session Hijacking / Cookie Side-Jacking
Session hijacking, also known as cookie side-jacking, is another form of man-in-the-middle attack that gives an attacker full access to an online account. When you sign in to an online account such as Facebook or Twitter, the application returns a "session cookie", a piece of data that identifies the user to the server and grants access to the account. As long as the user's device holds that session token, the server lets it use the application.

When a user signs out of an application, the server invalidates the session token, and all further access to the account requires the user to re-enter their login credentials.

In a session hijacking attack, the attacker steals the user's session token and uses it to access the account. There are several ways to stage the attack: infecting the user's device with malware that monitors and steals session data; sniffing the cookie off an unencrypted connection, which is where the "side-jacking" name comes from; cross-site scripting, in which the attacker injects a script into a page the user visits that sends the session cookie to the attacker's server; or exploiting flaws in the application's programming to guess or reveal session identifiers. The corresponding defenses are random, unguessable session IDs, cookies marked HttpOnly, Secure and SameSite, rotating the ID at login, and destroying it server-side at logout.
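A minimal server-side session store showing those defenses together, added as an example (not the original slides' code, and not tied to any specific framework). The user names and the cookie name are constructed; the point is that a stolen token buys nothing after logout and that a predictable token cannot be guessed into existence.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds a session stays valid without logout


class SessionStore:
    """The cookie is only an opaque random token; all state lives server-side."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._sessions[token] = {"user": user, "exp": time.time() + SESSION_TTL}
        return token

    @staticmethod
    def set_cookie_header(token):
        # HttpOnly: script (XSS) cannot read it. Secure: never sent over plain HTTP, which
        # defeats side-jacking on open Wi-Fi. SameSite: not attached to cross-site requests.
        return (f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; "
                f"Path=/; Max-Age={SESSION_TTL}")

    def user_for(self, token, now=None):
        """Resolve a presented token; expired or unknown tokens are rejected and purged."""
        session = self._sessions.get(token)
        if session is None or session["exp"] <= (now or time.time()):
            self._sessions.pop(token, None)
            return None
        return session["user"]

    def logout(self, token):
        """Invalidate server-side; a copy of the cookie the attacker kept is now useless."""
        self._sessions.pop(token, None)


def demo():
    store = SessionStore()
    token = store.login("alice")
    stolen = token                                  # attacker captured the cookie
    while_active = store.user_for(stolen)           # hijack works while the session lives
    store.logout(token)
    after_logout = store.user_for(stolen)           # rejected after the user signs out
    guessed = store.user_for("session-1001")        # sequential IDs would be guessable; random ones are not
    return while_active, after_logout, guessed


if __name__ == "__main__":
    print(SessionStore.set_cookie_header("example-token"))
    print(demo())
```

Logout only helps if it is server-side: clearing the cookie in the browser while the token stays valid on the server leaves the stolen copy working until it expires.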
Meterpreter
Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory (reflective) DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. No new process is created: Meterpreter injects itself into the compromised process, from which it can migrate to other running processes. The forensic footprint on disk is therefore very limited, although the injected, unbacked memory region and the migration itself are visible to memory forensics and to EDR that monitors process access.

Meterpreter was designed to avoid the drawbacks of single-purpose payloads while allowing new commands to be written and ensuring encrypted communication with the attacker. The disadvantage of single-purpose payloads is that alarms may be triggered when a new process starts on the target system.
Mimikatz
Mimikatz is an open source credential dumping program used to obtain account login and password information, normally in the form of a hash or a cleartext password, from an operating system or software. The credentials can then be used for lateral movement and to access restricted information.

Mimikatz is a 32-bit and 64-bit Windows program that extracts passwords, hashes, PINs and Kerberos tickets from memory. It is used as an attack tool against Windows clients, allowing the extraction of cleartext passwords and password hashes from memory. The program was written in C by Benjamin Delpy in 2007 to learn more about Windows credentials (and as a proof of concept).

There are two optional components that provide additional features: mimidrv (a driver to interact with the Windows kernel) and mimilib (AppLocker bypass, authentication package/SSP, password filter, and sekurlsa for WinDbg). Mimikatz requires administrator or SYSTEM rights, and usually the debug privilege, to perform certain actions and to interact with the LSASS process (depending on the action requested). Running LSASS as a protected process (PPL) and enabling Credential Guard block or limit the most common extraction paths, and the defender-side tell-tale is a process opening a handle to lsass.exe with memory-read access.
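Detection logic for that tell-tale, added here as an example and not part of the original slides. It runs over constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to dictionaries the way a SIEM forwarder might deliver them; the field names follow the Sysmon schema, the process paths and the benign-source allowlist are assumptions for the sample.

```python
# Constructed Sysmon Event ID 10 records. Only the fields the rule reads are included.
EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1f4|C:\\Windows\\System32\\KERNELBASE.dll+2b9e6"},
    {"EventID": 10, "SourceImage": "C:\\Users\\bob\\Downloads\\m.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1f4|UNKNOWN(0000000000401234)"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1f4"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\wininit.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1f4"},
]

# Win32 process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist of system processes that legitimately open LSASS with broad rights.
# In production this should key on signed image paths, not bare names an attacker can copy.
KNOWN_BENIGN_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\lsm.exe",
}


def reads_memory(mask):
    """True if the granted access mask is enough to read LSASS memory (what a credential dump needs)."""
    if mask == PROCESS_ALL_ACCESS:
        return True
    query = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query)


def detect_lsass_dump(events):
    """Return (SourceImage, reason) for each suspicious handle to lsass.exe."""
    hits = []
    for event in events:
        if event.get("EventID") != 10:
            continue
        if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        mask = int(event["GrantedAccess"], 16)
        if not reads_memory(mask):
            continue
        source = event["SourceImage"]
        if source.lower() in KNOWN_BENIGN_SOURCES:
            continue
        reason = f"GrantedAccess={event['GrantedAccess']}"
        if "UNKNOWN" in event.get("CallTrace", ""):
            reason += ", unbacked memory in CallTrace (injected or in-memory tooling)"
        hits.append((source, reason))
    return hits


if __name__ == "__main__":
    for source, reason in detect_lsass_dump(EVENTS):
        print(f"ALERT {source}: {reason}")
```

The mask check matters more than a fixed list of values: mimikatz-style tools request 0x1010 or 0x1410, but a dumper that asks for PROCESS_ALL_ACCESS or any other superset of VM_READ plus QUERY must fire too.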
Thank you for listening
