🖥️ Incident Handling: Common Domain Attack Types

Introduction

Domain attacks are among the worst incidents that can happen to an organization, especially if they own their own domains and use them to interact with customers.

Domain Attack Types

  1. Typosquatting
  2. Domain Hijacking
  3. Pass the hash
  4. Pass the Ticket
  5. LDAP Reconnaissance
  6. Brute Force

1. Typosquatting

Typosquatting is a domain attack that targets users who type a website address incorrectly into the browser instead of reaching it through a search engine. For instance, instead of typing www.bebank.com, a user may enter bebankk.com, which leads them to a fake website without their knowledge. This type of attack usually relies on URLs that are common misspellings of legitimate domains to mislead users into visiting malicious websites, where they may be tricked into submitting sensitive data.
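A simple check a defender can run over proxy, DNS or mail logs is to flag hostnames that are only an edit or two away from the organization's own domains, which is exactly the pattern the bebankk.com example above relies on. The following is an added example written for this article, not code from the original page; the protected-domain list and the hostnames are constructed, and the edit-distance threshold of 2 is an assumption.

```python
# Added example (not from the original article): flag hostnames that sit
# within a small edit distance of a protected domain, the shape a
# typosquatted lookalike takes (e.g. "bebankk.com" next to "bebank.com").


def registrable_name(hostname: str) -> str:
    """Normalise a hostname so www.bebank.com and BEBANK.COM compare equal."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


# Constructed sample: the organisation's own domains (from the article's example).
PROTECTED_DOMAINS = ["bebank.com"]


def classify_domain(hostname: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname.

    max_distance=2 is an assumption: one or two typos is the usual
    typosquatting range, anything further away is treated as unrelated.
    """
    name = registrable_name(hostname)
    if name in protected:
        return "legitimate"
    for legit in protected:
        if 0 < edit_distance(name, legit) <= max_distance:
            return "lookalike"
    return "unrelated"


def find_lookalikes(hostnames):
    """Filter a list of observed hostnames down to the suspicious ones."""
    return [h for h in hostnames if classify_domain(h) == "lookalike"]


if __name__ == "__main__":
    observed = ["www.bebank.com", "bebankk.com", "b3bank.com", "example.org"]
    for h in observed:
        print(f"{h:18} -> {classify_domain(h)}")
```

Hits from `find_lookalikes` are candidates for blocking at the proxy or mail gateway and for registering defensively; the check is deliberately conservative (edit distance only), so homoglyph or added-word variants need a separate rule.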

2. Domain Hijacking

Domain hijacking is a type of attack in which a third party takes over an organization's domain web address and then modifies the domain name registration without the legitimate owner's approval. As a result, the legitimate owner of the domain is no longer its legal owner, and the malicious entity is. Domain hijacking can also refer to the unauthorized use of domain hosting and registrar platforms.

3. Pass the hash

Pass the hash (PtH) is a technique used to obtain users' credentials and move between different machines within a targeted network. In this attack vector, the attacker leverages the NTLM (New Technology LAN Manager) authentication protocol to log in as a user. Without knowing the plaintext password, the attacker relies solely on the NTLM hash of the user's password.

NTLM authentication

During NTLM authentication, the following steps occur.

  1. Client sends a challenge message: The client initiates authentication by sending a challenge message that contains their username and timestamp to the server.
  2. Server generates a random challenge: The server generates a random challenge and sends it to the client.
  3. Client generates an NT hash: The NT hash, a one-way cryptographic hash function, is generated by the client using the user's timestamp and the random server challenge.
  4. Client sends an authentication message: The client sends an authentication message to the server, which contains the username, the NT hash, and a message authentication code (MAC).
  5. Server verifies NT hash: Authentication succeeds if the NT hash generated by the server matches the NT hash generated by the directory service.
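The reason the hash alone is enough follows directly from how a challenge-response exchange is verified: the server holds the stored hash, computes the response it expects for its challenge, and compares. Whoever holds the hash can produce that response without ever knowing the password. The model below is an added example written for this article, not code from the original page and not the real NTLM protocol: it substitutes SHA-256 for the MD4-based NT hash and uses a plain HMAC over the challenge, which keeps the structure (client, server challenge, hash-keyed response, verification against the stored hash) while leaving out the NTLM wire format.

```python
# Added example (not from the original article): a simplified challenge-
# response model in the NTLM style. Assumptions: SHA-256 stands in for the
# NT hash (real NTLM uses MD4 over the UTF-16LE password) and the response
# is HMAC-SHA256(stored_hash, challenge) rather than the NTLMv2 blob.
import hashlib
import hmac
import os


def credential_hash(password: str) -> bytes:
    """One-way hash of the password; the only secret the verifier ever stores."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(cred_hash: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the hash without transmitting it."""
    return hmac.new(cred_hash, challenge, hashlib.sha256).digest()


class Verifier:
    """Server / directory side. Note that verify() never touches a password."""

    def __init__(self):
        self.store = {}  # username -> credential hash

    def enroll(self, username: str, password: str) -> None:
        self.store[username] = credential_hash(password)

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh random challenge per authentication

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        stored = self.store.get(username)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)


def login_with_password(verifier: Verifier, username: str, password: str) -> bool:
    """Normal login: the client derives the hash from the password it knows."""
    challenge = verifier.new_challenge()
    response = compute_response(credential_hash(password), challenge)
    return verifier.verify(username, challenge, response)


def login_with_hash_only(verifier: Verifier, username: str, cred_hash: bytes) -> bool:
    """The identical exchange driven by the hash alone; the verifier cannot
    distinguish it from a password login, which is the property PtH abuses."""
    challenge = verifier.new_challenge()
    response = compute_response(cred_hash, challenge)
    return verifier.verify(username, challenge, response)


def demo():
    """Constructed scenario: returns (password login, wrong password, hash-only login)."""
    v = Verifier()
    v.enroll("alice", "correct horse battery staple")
    stolen = credential_hash("correct horse battery staple")  # what a dump of the store yields
    return (
        login_with_password(v, "alice", "correct horse battery staple"),
        login_with_password(v, "alice", "wrong password"),
        login_with_hash_only(v, "alice", stolen),
    )


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The third result is the whole incident-handling lesson: once a stored hash is exposed, it must be treated exactly like a leaked password, so the response is a credential reset for the affected accounts and tighter protection of wherever the hashes live, not just cleaning the host the hash was taken from.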

4. Pass the Ticket

To understand pass the ticket, let's first review how Kerberos works.

Kerberos is an authentication protocol designed to let users authenticate once and then access various services without repeatedly entering credentials. After that initial authentication the user receives a ticket called a Ticket Granting Ticket (TGT), which serves as a session ticket that allows the user to access multiple Kerberos-protected services without re-entering credentials.

A pass-the-ticket attack exploits the Kerberos authentication protocol to gain unauthorized access to network resources. Kerberos issues tickets during the authentication process to grant users access to various services without requiring them to repeatedly enter credentials. In this attack, the attacker intercepts or otherwise obtains a legitimate ticket and uses it to gain unauthorized access to network resources.

5. LDAP Reconnaissance

LDAP (Lightweight Directory Access Protocol) is an open-standard network protocol for accessing and managing distributed directory information. It is specifically designed to provide a lightweight and efficient means of accessing and maintaining distributed directory information. LDAP is widely used in enterprise environments to manage user accounts, group memberships, and other directory information.

LDAP Reconnaissance

LDAP reconnaissance is a technique attackers use to gather information about an organization's LDAP server. That information can then be used to plan and carry out attacks, such as directory traversal attacks, privilege escalation attacks, and data exfiltration attacks. Reconnaissance can reveal a variety of information about an organization's LDAP server, including:

  • Names of users and groups
  • Passwords of users and groups
  • Permissions of users and groups
  • The directory structure
  • The location of sensitive data

6. Brute Force

Brute force is a password attack method that involves guessing potential password combinations until the correct password is found. Depending on the length of the password, varying numbers of combinations will be attempted. Brute force may be time-consuming, difficult to conduct if multi-factor authentication is used, and, in some situations, even impossible. However, if a password is weak, an attacker might only need seconds and minimal effort to crack it.
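Because guessing produces a burst of failed logons for one account from one source, brute force is one of the easier incidents to spot in authentication logs. The detector below is an added example written for this article, not code from the original page; the log format, field names, the threshold of five failures and the five-minute window are all assumptions, and the log lines are constructed for the demonstration. It raises one alert when a burst reaches the threshold and a second, higher-priority one when a success follows such a burst, since that is the case that suggests the guessing worked.

```python
# Added example (not from the original article): a sliding-window detector
# for password guessing, run over constructed log lines. The "<ts> <OK|FAIL>
# user=<name> src=<ip>" format is an assumption for the example; real
# sources (Windows security events, sshd, a web login endpoint) need their
# own parser that yields the same fields.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five quick failures then a success for alice from
# one address, and two isolated failures for bob half an hour apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:05Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06Z OK   user=alice src=203.0.113.7
2024-05-01T10:00:07Z FAIL user=bob   src=198.51.100.9
2024-05-01T10:30:00Z FAIL user=bob   src=198.51.100.9
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, outcome, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ok": outcome == "OK",
        "user": kv["user"],
        "src": kv["src"],
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)):
    """Return alerts as (kind, user, src, failure_count) tuples.

    'brute_force' fires once when a (user, src) pair reaches `threshold`
    failures inside `window`; 'success_after_failures' fires when a
    successful logon arrives while that many failures are still in the window.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)  # (user, src) -> timestamps of failures still in window
    alerts = []
    for e in events:
        q = recent[(e["user"], e["src"])]
        while q and e["ts"] - q[0] > window:  # drop failures that aged out
            q.pop(0)
        if e["ok"]:
            if len(q) >= threshold:
                alerts.append(("success_after_failures", e["user"], e["src"], len(q)))
            q.clear()  # a success ends the burst
        else:
            q.append(e["ts"])
            if len(q) == threshold:  # == so one burst yields one alert
                alerts.append(("brute_force", e["user"], e["src"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Keying on the (user, source) pair catches a single guesser hammering one account; a password-spray variant that tries one password across many accounts needs a second counter keyed on the source alone, which is the same loop with a different key.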
