Attack Types
[Title-slide word cloud; legible keywords: IP spoofing, Mimikatz, DNS, MITM (Man in the Middle Attack)]
Brute Force Attack (trial-and-error method)
Simple brute force attack: systematically trying password combinations.
Hybrid brute force attack: starts from external logic to determine which password variation is most likely to succeed, then continues with the simple approach to try many possible variations.
Dictionary attack: finding the plaintext of password hashes by using dictionaries (word lists).
Rainbow table attack: uses software such as RainbowCrack; a rainbow table is a precomputed table for reversing cryptographic hash functions. It can be used to recover a hashed password up to a certain length consisting of a limited set of characters.
Reverse brute force attack (password spraying): uses a common password or a collection of passwords against many possible usernames. Targets a network of users for which the attackers have previously obtained data.
Credential stuffing: uses previously known username/password pairs, trying them against multiple websites. Exploits the fact that many users reuse the same username and password across different systems.
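The attack types above leave different traces in an authentication log: a classic brute force is many failures against one account from one source, while password spraying is a few failures each against many accounts from one source. The following added example (not part of the original slides) classifies sources from a constructed, simplified log format; the thresholds and the log layout are assumptions to tune for a real environment.

```python
"""Classify failed-login patterns from an authentication log.

Added example, not from the original slides. The log format is a constructed,
simplified one: "<timestamp> <source_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 hammers one account (classic brute force),
# 10.0.0.9 tries one guess each against many accounts (password spraying),
# 10.0.0.20 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 alice FAIL
2024-01-01T10:00:02 10.0.0.5 alice FAIL
2024-01-01T10:00:03 10.0.0.5 alice FAIL
2024-01-01T10:00:04 10.0.0.5 alice FAIL
2024-01-01T10:00:05 10.0.0.5 alice FAIL
2024-01-01T10:00:06 10.0.0.5 alice FAIL
2024-01-01T10:01:00 10.0.0.9 alice FAIL
2024-01-01T10:01:01 10.0.0.9 bob FAIL
2024-01-01T10:01:02 10.0.0.9 carol FAIL
2024-01-01T10:01:03 10.0.0.9 dave FAIL
2024-01-01T10:01:04 10.0.0.9 erin FAIL
2024-01-01T10:01:05 10.0.0.9 frank FAIL
2024-01-01T10:02:00 10.0.0.20 bob FAIL
2024-01-01T10:02:10 10.0.0.20 bob OK
"""


def parse_log(text):
    """Yield (timestamp, source_ip, username, result) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield ts, ip, user, result


def classify_sources(text, fail_threshold=5, spray_users=5, spray_max_per_user=2):
    """Label every source IP that produced at least one failure.

    brute_force:       >= fail_threshold failures against a single account
    password_spraying: >= spray_users distinct accounts, each failing
                       at most spray_max_per_user times
    normal:            anything else (e.g. a user who mistyped a password)
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    for _, ip, user, result in parse_log(text):
        if result == "FAIL":
            fails[ip][user] += 1

    labels = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= fail_threshold:
            labels[ip] = "brute_force"
        elif len(per_user) >= spray_users and worst <= spray_max_per_user:
            labels[ip] = "password_spraying"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:12} {label}")
```

Credential stuffing produces the same "many accounts, one attempt each" shape as spraying in this view; what distinguishes it is a much higher success rate, since the pairs come from real breaches, so a per-source success ratio and correlation with known-breached credentials are the extra signals to add.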
Mitigations against credential stuffing include:
• Multifactor authentication, which prevents access to an account without a second factor of authentication that is implemented as a separate hardware device (e.g. smartcard, OTP token, biometric sensor) or installed/stored on a separate computing device, typically a mobile device belonging to the account holder.
• Fraud prevention technology that analyzes transactions originating from an account to identify anomalous ones that do not follow normal patterns, which may indicate fraud.
For example, the Patco Construction Company sued Ocean Bank after Patco’s computers became infected
with malware, allowing fraudsters to make six wire transfers amounting to more than $588,000 using the
Automated Clearing House (ACH) transfer system. Only $243,000 of the stolen money was recovered.
A Golden Ticket attack is when an attacker has complete and unrestricted access to
an entire domain — all computers, files, folders, and most importantly, the access
control system itself.
Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented
using Kerberos tickets issued to authenticated users by a Key Distribution Service. The attacker gains control over
the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the
attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain. With valid
TGTs, the attacker can request access to any resource/system on its domain from the Ticket Granting Service (
MITM Attacks
1. DNS spoofing
2. IP spoofing
3. Wi-Fi eavesdropping
4. HTTPS spoofing
5. SSL hijacking
6. Email hijacking
7. Session hijacking
ARP spoofing is a type of attack in which an attacker sends false ARP (Address Resolution Protocol)
messages over a local network (LAN). This results in the linking of an attacker’s MAC address with
the IP address of a legitimate machine on the network. Once the attacker’s MAC address is linked to
an authentic IP address, the attacker will begin receiving any data that is intended for that IP address,
assuming the identity of the legitimate MAC address. ARP spoofing can enable malicious parties to
intercept, modify or even stop data being transmitted between parties. ARP spoofing attacks only
occur on local area networks that utilize the Address Resolution Protocol.
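Because ARP has no authentication, the defensive signal is an IP address whose MAC binding changes, or one MAC answering for several IP addresses (typically the gateway plus the victims). The following added example (not part of the original slides) runs that check over a constructed list of observed ARP replies; the reply format and the per-MAC limit are assumptions.

```python
"""Flag ARP replies that rewrite an existing IP->MAC binding or let one MAC
claim several IP addresses. Added example, not from the original slides."""
from collections import defaultdict

# Constructed sample of observed ARP "is-at" replies in arrival order:
# (sender_ip, sender_mac). The gateway 192.168.1.1 is legitimately at
# aa:bb:cc:00:00:01; later a host at de:ad:be:ef:00:01 claims the gateway's
# IP and then another host's IP as well.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by a different MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC also claims a host's IP
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # unchanged binding, benign refresh
]


def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return a list of alert strings for suspicious ARP replies.

    Two heuristics:
      * an IP whose MAC differs from the one previously learned (binding change)
      * a MAC that is the sender for more than max_ips_per_mac distinct IPs
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()  # normalise case so "DE:AD" and "de:ad" compare equal
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"binding change: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac

        new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if new_claim and len(mac_to_ips[mac]) > max_ips_per_mac:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{mac} now claims {len(mac_to_ips[mac])} IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

Both heuristics have benign triggers: DHCP lease churn moves an IP between MACs, and a router running VRRP/HSRP or a host with several addresses answers for more than one IP, so a deployment needs an allowlist and correlation with DHCP logs. On managed switches the equivalent control is Dynamic ARP Inspection, which drops replies that contradict the DHCP snooping table instead of merely alerting.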
SMURF ATTACK: The Smurf attack is a distributed denial-of-service attack in which a large number of Internet Control Message
Protocol (ICMP) packets are broadcast to a computer network from a spoofed source IP. Spoofing the source IP can be done using ARP poisoning.
In this way it may be possible to knock users off the network.
MAC SPOOFING: a technique for changing the hard-coded Media Access Control (MAC) address of a network interface
controller (NIC) on a networked device. Changing the address is typically done by manipulating the software of the device driver. MAC
spoofing is done to bypass access control lists on servers or routers, either by hiding a computer on a network or by
allowing it to impersonate another network device.
E-Mail Spoofing
A passive attack method: after gaining access to an e-mail account, the attacker monitors its mail traffic.
Evil Twin Attack
SSL Stripping
Performed by downgrading HTTPS connections to plain HTTP connections.
When a user signs out of an application, the server invalidates the session token, and all further access to the
account requires the user to re-enter their login credentials.
In a session hijacking attack, the attacker steals the user's session token and uses it to access the user's
account. There are several ways an attacker can stage a session hijacking attack, such as infecting the
user's device with malware that monitors and steals session data. Another method is cross-site
scripting, in which an attacker injects a script into a webpage that the user frequently
visits, forcing the user's browser to send the session cookie data to the attacker's server. Other methods of session
hijacking leverage flaws in the application's programming to guess or reveal session cookie information.
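The server-side defences against the SSL stripping downgrade described above and against session-cookie theft are both visible in HTTP response headers: a Strict-Transport-Security (HSTS) policy stops a browser from following a downgrade to HTTP, and the Secure, HttpOnly and SameSite cookie attributes keep a session cookie off plaintext connections and away from injected script. The following added example (not part of the original slides) audits a constructed response for both; the session-cookie name list and the minimum HSTS age are assumptions.

```python
"""Audit HTTP response headers for SSL-stripping (HSTS) and session-cookie
hardening. Added example, not from the original slides."""
import re

# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/
Content-Type: text/html
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: __Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html
"""

# Cookie names treated as session cookies (assumption; extend for your application).
SESSION_COOKIE_NAMES = ("sessionid", "session", "jsessionid", "phpsessid")


def parse_headers(raw):
    """Return [(lowercase_name, value)] from a raw response, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_hsts(headers, min_age=15552000):
    """Findings about HSTS; min_age defaults to 180 days (assumed policy)."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: browser will follow an HTTP downgrade"]
    findings = []
    directives = {}
    for part in values[0].split(";"):
        k, _, v = part.strip().partition("=")
        directives[k.lower()] = v
    age = re.fullmatch(r"\d+", directives.get("max-age", ""))
    if not age:
        findings.append("HSTS max-age missing or invalid")
    elif int(age.group()) < min_age:
        findings.append(f"HSTS max-age {age.group()} is shorter than {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def audit_session_cookies(headers):
    """Findings about Set-Cookie headers whose name looks like a session cookie."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(s in name.lower() for s in SESSION_COOKIE_NAMES):
            continue
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, cookie is sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, readable by injected script")
        if "samesite" not in attrs:
            findings.append(f"{name}: missing SameSite")
    return findings


def audit_response(raw):
    """All findings for one raw HTTP response."""
    headers = parse_headers(raw)
    return audit_hsts(headers) + audit_session_cookies(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["no findings"])
```

HSTS only protects a browser that has already seen the header over HTTPS, so the very first visit remains exposed to stripping unless the domain is on the browsers' preload list; the cookie checks cover theft of the cookie in transit or via script, not the logout invalidation the paragraph opens with, which has to be verified server-side by replaying a signed-out token and expecting rejection.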
Meterpreter
Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can
explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a
result, Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as
Meterpreter injects itself into the compromised process, from which it can migrate to other running
processes. As a result, the forensic footprint of an attack is very limited.
Meterpreter was designed to circumvent the drawbacks of using specific payloads, while allowing new commands to be written
and ensuring encrypted communication. The disadvantage of using specific payloads is that
alarms may be triggered when a new process starts on the target system.
Mimikatz
Mimikatz is a credential dumping open source program used to obtain
account login and password information, normally in the form of a hash
or a clear text password, from an operating system or software.
Credentials can then be used to perform lateral movement and access
restricted information.
There are two optional components that provide additional features: mimidrv (a driver to interact with the
Windows kernel) and mimilib (AppLocker bypass, authentication package/SSP, password filter, and sekurlsa for
WinDbg). Mimikatz requires administrator or SYSTEM rights, and often debug privileges, in order to perform certain
actions and interact with the LSASS process (depending on the action requested).
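Both tools just described leave little on disk, so detection relies on behavioural telemetry: Mimikatz must open a handle to the LSASS process with memory-read access to pull credentials, and Meterpreter's in-memory injection and process migration create threads in other processes that start in memory backed by no loaded module. The following added example (not part of the original slides or of either tool) applies those two checks to constructed events shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread); the allowlist of processes that legitimately touch LSASS is an assumption to tune per environment.

```python
"""Flag Sysmon-style events consistent with LSASS credential dumping
(Mimikatz-style) and remote-thread injection (Meterpreter-style migration).
Added example, not from the original slides."""

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Processes that legitimately open LSASS with read access (assumption; tune per host).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample events. Event 10 = ProcessAccess (GrantedAccess is the
# requested access mask); Event 8 = CreateRemoteThread (StartModule is empty
# when the thread's start address is not inside any loaded module).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00000000024A0000", "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartAddress": "0x00007FF6A1B21000", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]


def analyze_events(events, allowlist=LSASS_ALLOWLIST):
    """Return (rule, source_image, detail) tuples for suspicious events.

    lsass_access:           a non-allowlisted process opened lsass.exe with
                            VM_READ or VM_WRITE in its access mask
    remote_thread_unbacked: a remote thread was started at an address that
                            belongs to no loaded module (injected code)
    """
    alerts = []
    for e in events:
        src = e["SourceImage"].lower()
        tgt = e["TargetImage"].lower()
        if e["EventID"] == 10 and tgt.endswith(r"\lsass.exe"):
            access = int(e["GrantedAccess"], 16)
            if access & (PROCESS_VM_READ | PROCESS_VM_WRITE) and src not in allowlist:
                alerts.append(("lsass_access", e["SourceImage"], e["GrantedAccess"]))
        elif e["EventID"] == 8 and not e.get("StartModule"):
            alerts.append(("remote_thread_unbacked", e["SourceImage"], e["TargetImage"]))
    return alerts


if __name__ == "__main__":
    for rule, source, detail in analyze_events(SAMPLE_EVENTS):
        print(f"{rule:24} {source} -> {detail}")
```

Access masks vary between tools and versions, so matching on the two memory-read bits rather than an exact value is deliberate, and the allowlist will need entries for EDR agents and backup software. Preventive controls that remove the signal altogether are running LSASS as a protected process (RunAsPPL) and Credential Guard, which keep even an administrator from reading the secrets the handle would expose.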
Thank you for listening.