If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of common and advanced types of attacks launched against systems and networks. Understanding these will prepare you to comprehend new attacks as they emerge, along with the improved countermeasures that follow.
For example, can you answer this question?
Q. An attacker has been analyzing encrypted data that he intercepted. He knows that the end of the data includes a template sent with all similar messages. He uses this knowledge to decrypt the Which of the following types of attacks BEST describes this attack?
A. Known ciphertext
B. Known plaintext
C. Brute force
D. Rainbow table
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Known Plaintext Attacks
Many cryptographic attacks attempt to decrypt encrypted data. Plaintext is human-readable data. An encryption algorithm scrambles the data, creating ciphertext.
An attacker can launch a known plaintext attack if he has samples of both the plaintext and the ciphertext. As an example, if an attacker captures an encrypted message (the ciphertext) and knows the plaintext of the message, he can use both sets of data to discover the encryption and decryption method. If successful, he can use the same decryption method on other ciphertext.
A chosen plaintext attack is similar, but the attacker doesn’t have access to all the plaintext. As an example, imagine a company includes the following sentences at the end of every email:
“The information contained in this email and any accompanying attachments may contain proprietary information about the Pay & Park & Pay parking garage. If you are not the intended recipient of this information, any use of this information is prohibited.”
If the entire message is encrypted, the attacker can try various methods to decrypt the chosen plaintext (the last two sentences included in every email). When he’s successful, he can use the same method to decrypt the entire message.
In a ciphertext-only attack, the attacker doesn’t have any information on the plaintext. Known plaintext and chosen plaintext attacks are almost always successful if an attacker has the resources and time. However, ciphertext-only attacks are typically only successful on weak encryption algorithms. They can be thwarted by not using legacy and deprecated encryption algorithms.
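To make the email-footer scenario concrete, here is an added example (not code from the original post). It uses a constructed, deliberately weak repeating-key XOR cipher, not any real algorithm, and assumes the attacker already knows the key length; it shows how the known footer alone gives back the key and therefore the rest of the message.

```python
from itertools import cycle

# The footer quoted in the post: the attacker knows every email ends with it.
FOOTER = (b"If you are not the intended recipient of this information, "
          b"any use of this information is prohibited.")


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed toy cipher: XOR each byte with a repeating key. It is
    deliberately weak; XOR is also its own inverse, so this decrypts too."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_tail: bytes, key_len: int) -> bytes:
    """Known-plaintext step. Since c = p XOR k for each byte, k = c XOR p
    wherever p is known. The footer sits at the end of the message, so the
    recovered bytes must be rotated back to the key's position at offset 0.
    Assumes the attacker already knows (or guessed) the key length."""
    start = len(ciphertext) - len(known_tail)
    stream = bytes(c ^ p for c, p in zip(ciphertext[start:], known_tail))
    shift = start % key_len
    return bytes(stream[(i - shift) % key_len] for i in range(key_len))


def demo():
    """Encrypt a constructed message with a constructed key, then show that
    the known footer alone gives back the key and hence the whole message."""
    key = b"S3cr3t!"
    message = b"Garage gate code changes Monday.\n\n" + FOOTER
    ciphertext = xor_encrypt(message, key)
    found_key = recover_key(ciphertext, FOOTER, len(key))
    return found_key, xor_encrypt(ciphertext, found_key)
```

A modern cipher does not leak its key this way, which is why the post says such attacks succeed mainly against weak or deprecated algorithms.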
Password attacks attempt to discover or bypass passwords used for authentication on systems and networks, and for different types of files. Some password attacks are sophisticated cryptographic attacks, while others are rather simple brute force attacks.
Password Hashes
Most systems don’t store the actual password for an account. Instead, they store a hash of the password. Hash attacks target this stored hash rather than the password itself. A hash is simply a number created with a hashing algorithm such as Message Digest 5 (MD5) or Secure Hash Algorithm 3 (SHA-3). A system can use a hashing algorithm such as MD5 to create a hash of a password.
As an example, if a user’s password is IC@nP@$$S3curity+, the system calculates the hash and stores it instead. In this example, the MD5 hash is 75c8ac11c86ca966b58166187589cc15. Later, a user authenticates with a username and password. The system then calculates the hash of the password that the user entered, and compares the calculated hash against the stored hash. If they match, it indicates the user entered the correct password.
Unfortunately, tools are available to discover many hashed passwords. For example, MD5 Online (http://www.md5online.org/) allows you to enter a hash and it gives you the text of the password. If the password is 12345, the hash is 827ccb0eea8a706c4c34a16891f84e7b. If you enter that hash into MD5 Online, it returns the password of 12345 in less than a second. MD5 Online uses a database of hashed words from a dictionary. If the hash matches a database entry, the site returns the password.
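The following added example (not from the original post) walks through what the last two paragraphs describe: how a system verifies a stored MD5 hash, why a precomputed table of hashed dictionary words returns 12345 instantly, and why a per-user salt with an iterated key derivation function defeats that table. The five-word dictionary is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed mini "dictionary" standing in for the site's database of words.
WORDLIST = ["password", "12345", "letmein", "qwerty", "welcome"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, as the post's examples use."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_md5(stored_hash: str, entered: str) -> bool:
    """The login check: hash what the user typed, compare with what is stored."""
    return hmac.compare_digest(stored_hash, md5_hex(entered))


# Built once, ahead of time: hash -> word. This is the whole trick behind a
# lookup site. It works because the same password always gives the same hash.
LOOKUP_TABLE = {md5_hex(word): word for word in WORDLIST}


def table_lookup(stored_hash: str):
    """Return the word whose unsalted MD5 matches, or None if not in the table."""
    return LOOKUP_TABLE.get(stored_hash)


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Defender's alternative: a random per-user salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256 here). Two users with the same password get different
    hashes, so one precomputed table cannot cover them, and every guess costs
    100,000 iterations instead of one MD5 call."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify_salted(salt: bytes, stored_hash: str, entered: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(stored_hash, store_salted(entered, salt)[1])
```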
The password is rarely sent across the network in cleartext. Protocol analyzers show how an attacker can capture and view a password if it is sent across a network in cleartext. To prevent this, a protocol can calculate the hash of the password on the user’s system and then send the hash across the network instead of the password. Unfortunately, if the hash is passed across the network in an unencrypted format, the attacker may be able to capture the hash and use it to log on to a system. Instead, most authentication protocols encrypt the password or the hash before sending it across the network.
Pass the Hash Attacks
In a pass the hash attack, the attacker discovers the hash of the user’s password and then uses it to log on to the system as the user. Any authentication protocol that passes the hash over the network in an unencrypted format is susceptible to this attack. However, it is most associated with Microsoft LAN Manager (LM) and NT LAN Manager (NTLM), two older security protocols used to authenticate Microsoft clients. They are both susceptible to pass the hash attacks.
Any system using LM or NTLM is susceptible to a pass the hash attack. The simple solution (and the recommended solution) is to use NTLMv2 or Kerberos instead. NTLMv2 uses a number used once (nonce) on both the client and the authenticating server. The authentication process uses both the client nonce and the server nonce in a challenge/response process.
Unfortunately, many existing applications still use NTLM, so it can still be enabled on many Windows systems for backward compatibility. However, Microsoft recommends configuring clients to only send NTLMv2 responses and configuring authenticating servers to refuse any use of LM or NTLM. This is relatively easy to do via a Group Policy setting.
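As an added simulation (not the post's own code), the following contrasts the two behaviours just described: a hash that crosses the wire unchanged can simply be sent again, whereas a response bound to a fresh server nonce and a client nonce is rejected on the next attempt. The response computation is a simplified HMAC construction for illustration, not the actual NTLMv2 message format, and the stored hash uses SHA-256 as a stand-in for an NT hash; the user account is constructed.

```python
import hashlib
import hmac
import os

PASSWORD = "IC@nP@$$S3curity+"  # the password from the post, used as sample input


def password_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (SHA-256 here, not the NT hash)."""
    return hashlib.sha256(password.encode()).digest()


def compute_response(pw_hash: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Simplified challenge/response: a keyed MAC over both nonces. The value
    differs every session even though the password (and its hash) never change."""
    return hmac.new(pw_hash, server_nonce + client_nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, users: dict):
        self.users = users  # username -> stored password hash

    # Protocol A: the client sends the hash itself; the server only compares it.
    def login_with_hash(self, user: str, sent_hash: bytes) -> bool:
        return hmac.compare_digest(self.users[user], sent_hash)

    # Protocol B: the server issues a fresh nonce for every attempt and checks
    # a response bound to that nonce and the client's nonce.
    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def login_with_response(self, user, server_nonce, client_nonce, response) -> bool:
        expected = compute_response(self.users[user], server_nonce, client_nonce)
        return hmac.compare_digest(expected, response)


def replay_demo():
    """Returns (hash replay accepted?, genuine login accepted?, response replay accepted?)."""
    server = AuthServer({"alice": password_hash(PASSWORD)})
    # Protocol A: whatever crossed the wire (the hash) is enough to log in again.
    sniffed_hash = password_hash(PASSWORD)
    hash_replay = server.login_with_hash("alice", sniffed_hash)
    # Protocol B: a genuine exchange is recorded in full ...
    n_server, n_client = server.new_challenge(), os.urandom(16)
    response = compute_response(password_hash(PASSWORD), n_server, n_client)
    genuine = server.login_with_response("alice", n_server, n_client, response)
    # ... but the next attempt gets a different server nonce, so the recorded
    # response no longer matches and is rejected.
    n_server_next = server.new_challenge()
    replayed = server.login_with_response("alice", n_server_next, n_client, response)
    return hash_replay, genuine, replayed
```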
Q. An attacker has been analyzing encrypted data that he intercepted. He knows that the end of the data includes a template sent with all similar messages. He uses this knowledge to decrypt the Which of the following types of attacks BEST describes this attack?
A. Known ciphertext
B. Known plaintext
C. Brute force
D. Rainbow table
Answer is B. This describes a known plaintext attack because the attacker knows some of the plaintext data used to create the encrypted data. More specifically, this is a chosen plaintext attack (but that wasn’t available as an answer) because the attacker knew a portion of the plaintext.
In a known ciphertext attack, the attacker doesn’t have any information on the plaintext.
A brute force attack attempts to guess a password.
A rainbow table attack uses a table of hashes to identify a password from a matched hash.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on common attacks.