HTTP RESPONSE-SPLITTING ATTACK (EXAM FAVORITE)

Core Definition

| Item | Memorize |
|---|---|
| Attack Type | Web-based attack |
| Exploits | Improper input validation |
| Mechanism | Injecting new lines into HTTP headers |
| Result | Server splits one response into two |
| Injection Type | CRLF (Carriage Return + Line Feed) |

HTTP Response-Splitting — Core Logic

| Step | Action |
|---|---|
| 1 | Attacker injects CRLF into input |
| 2 | Server includes injected data in header |
| 3 | Server generates two HTTP responses |
| 4 | Attacker controls first response |
| 5 | Browser discards second response |

MEMORY HOOK:
CRLF → Header break → Double response

Exploitable Outcomes

| Outcome |
|---|
| Cross-Site Scripting (XSS) |
| Cross-Site Request Forgery (CSRF) |
| SQL Injection |
| Web Cache Poisoning |
| User redirection |

Exam Traps

| Trap | Correct |
|---|---|
| Happens in body | NO (headers) |
| Browser executes both responses | NO |
| Requires authentication | NO |

WEB CACHE POISONING ATTACK

Core Definition

| Item | Memorize |
|---|---|
| Attack Type | Cache integrity attack |
| Target | Intermediate web cache |
| Result | Users receive poisoned content |
| Persistence | Until cache is flushed |

Web Cache Poisoning — Core Logic

| Step | Action |
|---|---|
| 1 | Attacker forces cache flush |
| 2 | Attacker sends crafted request |
| 3 | Malicious response stored in cache |
| 4 | Users request cached resource |
| 5 | Users receive malicious content |

MEMORY HOOK:
Poison once → infect many

Key Dependencies

| Dependency |
|---|
| HTTP response-splitting flaws |
| Improper cache key handling |
| Inadequate validation |

Exam Traps

| Trap | Correct |
|---|---|
| DNS poisoning | NO |
| Affects one user | NO |
| Temporary | NO (persistent until flush) |

SSH BRUTE FORCE ATTACK

Core Definition

| Item | Memorize |
|---|---|
| Protocol | SSH |
| Port | TCP 22 |
| Attack Type | Credential brute force |
| Goal | Unauthorized SSH access |

SSH Brute Force — Core Logic

| Step | Action |
|---|---|
| 1 | Attacker scans port 22 |
| 2 | SSH service identified |
| 3 | Automated brute-force login attempts |
| 4 | Valid credentials found |
| 5 | SSH tunnel compromised |

MEMORY HOOK:
Encrypted tunnel ≠ safe login

Tools (CEH EXPECTED)

| Tool | Purpose |
|---|---|
| Nmap | Service discovery |
| Ncrack | SSH brute force |
| THC Hydra | Credential attacks |

Exam Traps

| Trap | Correct |
|---|---|
| SSH encryption blocks brute force | NO |
| Attack targets encryption | NO |
| Single login attempt | NO |

FTP BRUTE FORCE WITH AI

Core Definition

| Item | Memorize |
|---|---|
| Protocol | FTP |
| Attack Type | Brute-force authentication |
| Enhancement | AI-generated attack commands |
| Credential Exposure | Plaintext |

AI-Assisted FTP Brute Force Logic

| Step | Action |
|---|---|
| 1 | Attacker uses AI to generate command |
| 2 | Hydra performs brute-force attack |
| 3 | Wordlists used for credentials |
| 4 | FTP access gained |

Hydra Command Structure (MEMORIZE FLAGS)

| Flag | Meaning |
|---|---|
| hydra | Execute Hydra |
| -L | Username list |
| -P | Password list |
| ftp://IP | Target FTP server |

Exam Traps

| Trap | Correct |
|---|---|
| AI performs attack | NO |
| FTP encrypts credentials | NO |
| Hydra optional | NO |

HTTP/2 CONTINUATION FLOOD ATTACK

Core Definition

| Item | Memorize |
|---|---|
| Attack Type | Denial-of-Service |
| Protocol | HTTP/2 |
| Exploited Element | CONTINUATION frames |
| Target | Server memory and CPU |

HTTP/2 Continuation Flood — Core Logic

| Step | Action |
|---|---|
| 1 | Attacker establishes TCP connection |
| 2 | Sends HEADERS frame |
| 3 | END_HEADERS flag omitted |
| 4 | Sends multiple CONTINUATION frames |
| 5 | Server allocates memory repeatedly |
| 6 | Resources exhausted |
| 7 | Server crashes or hangs |

MEMORY HOOK:
No END_HEADERS → infinite wait → DoS

Exam Traps

| Trap | Correct |
|---|---|
| Requires many connections | NO |
| Uses high bandwidth | NO |
| Exploits HTTP/1.1 | NO |