6- Network Applications
SMTP reply code second digit categorizes the result
0 = syntax
1 = information
2 = connection
3 = unspecified
4 = unspecified
5 = mail system
SMTP reply code first digit denotes the success or failure of the SMTP command
1 = command accepted but pending confirmation (example: 101, can't open connection)
2 = success (example: 250 OK)
3 = okay so far (example: 354 go ahead, also called "start mail input")
4 = temporary failure (example: 452 mailbox full)
5 = permanent failure (example: 550 user unknown)
2 major threats to an organization's email system
1. A flood of unsolicited and unwanted email, called spam, which wastes employee time through sheer volume and uses valuable resources like bandwidth and storage.
2. Malicious email, which comes in two basic forms of attack: embedded attacks and targeted attacks.
Basic DDNS operations
1. After the end-user host receives a new dynamic IP address from the ISP, the DDNS client program on the end-user host connects to the DDNS provider to inform it of the new IP address; the DDNS provider links the end-user host's new IP address to the end-user hostname in the domain name system.
2. Another user queries for the IP address of the end-user hostname. In this example, the end-user hostname is example.ddns-provider.com.
3. The other user receives the IP address of example.ddns-provider.com and connects to example.ddns-provider.com using that IP address.
Recursive DNS process
1. The DNS resolver (client) sends a query message to the DNS recursor for www.cisco.com.
2. The DNS recursor sends a query message to the root name servers for the .com domain name space.
3. The root name servers send a DNS referral response message to the DNS recursor, informing it to ask the gTLD name servers for the .com domain name space.
4. The DNS recursor sends a query message to the gTLD name servers for the cisco.com domain name space.
5. The gTLD name servers send a DNS referral response message to the DNS recursor, informing it to ask the cisco.com name servers, ns1.cisco.com or ns2.cisco.com, about this domain name space.
6. The DNS recursor sends a query to the Cisco name servers for www.cisco.com.
7. The cisco.com name servers send an authoritative DNS query response message to the DNS recursor with the A (address) RR information for www.cisco.com.
8. The DNS recursor sends a DNS query response message to the DNS resolver with the A (address) RR information for www.cisco.com.
3 parts of the SMTP conversation
1. Envelope: specifies the recipient and sender.
2. Headers: sent after receiving a 354 (go ahead) SMTP reply code from the SMTP server. The headers contain the sender's display name and email address, the recipient's display name and email address, and the subject and date. A blank line separates the headers from any message content.
3. Body
SMTP flow or stages of mail delivery
1. The sending client sends the email to the sending MTA.
2. The sending MTA needs to determine the destination MTA. It does a DNS query for that domain.
3. The sending MTA sends the email to the destination MTA.
4. If the sending MTA's reputation is good, the receiving MTA performs an LDAP lookup to determine whether the recipient user exists, then forwards the email to the mail server.
5. The Exchange mail server then sends the email to the mail user agent on the recipient's computer.
How cookies are created
1. The web server sends info to the web browser in the HTTP response header to create a cookie on the web browser.
2. The web browser sends the cookie information back to the web server in the HTTP request header.
3. The web server responds with Set-Cookie headers.
Uses of scripting
1. to deliver malware
2. to redirect the user to malicious websites
3. to create dynamic content on a webpage
Reasons to use HTTPS
1. to encrypt data sent between the browser and the web server
2. to ensure the identity, trust, and validity of the web server
3. to avoid detection when it is used to transport attack CnC traffic
SMTP Reply Codes
3-digit SMTP reply codes define the server's response to the SMTP client
DNS queries and responses use port
53 [UDP for queries and responses, TCP for zone transfers]
URL vs. URI
A URL is a subset of a URI that defines the location of a specific resource and how to retrieve it. The URL includes the "access mechanism/protocol" or "network location," such as http://, https://, and ftp://.
Groupware server
A server that accepts, forwards, delivers, and stores messages on behalf of users, who only need to connect to the email infrastructure, e.g., Exchange
How attackers obtain domain names:
Attackers can register their domains with a stolen credit card, compromise a legitimate registrar account and create new DNS records, or use a DDNS service.
PTR record
PTR points to a canonical name; this is reverse mapping
SOA record
Start of Authority record identifies the name server that is the best source of information for the data within the zone.
HTTP Status Code groups
Status codes starting with:
1xx are Informational
2xx are Success
3xx are Redirection
4xx are Client Error
5xx are Server Error
stub DNS resolver
The client side of DNS
URI
Uniform Resource Identifier
URL
Uniform Resource Locator
How to inspect HTTPS traffic
Use a next-generation firewall [NGFW] or web proxy that can act as a MITM to decrypt, inspect, and re-encrypt the SSL/TLS traffic
DNS A record
Used to locate the IP address of the MTA specified by the MX record
DNS recursive resolver
a DNS server that processes the clients' DNS queries
HTTP
a client/server protocol where the web browser is the client and the web server is the server; a stateless application layer protocol
stateless protocol
a communications protocol that treats each request as an independent transaction unrelated to any previous request so the communication consists of independent pairs of request and response. No session info is retained.
Each DNS mapping type is defined in
a different type of RR (resource record) [the DNS data types in the database]
Parameters start with
a question mark (?) and are separated with an ampersand (&).
MTA [Mail Transfer Agent]
aka SMTP daemon; a computer program or software agent that transfers electronic mail messages from one computer to another
Targeted attacks
aka directed attacks or phishing attacks. They might direct employees to inadvertently browse malicious websites that distribute malware to computer endpoints, and can mislead employees into releasing sensitive information.
DDNS (Dynamic DNS)
allows the automated discovery and registration of the client system's public IP addresses
HTTP Referer
an HTTP request header that shows the address of the previous web page from which a link to the currently requested page was followed
Network application
any application that runs on one host and provides services to another application running on a different host over the network
POP [Post Office Protocol]
application-layer protocol that is used by the MUA to retrieve email from a mail server; TCP port 110
MAPI [Messaging Application Programming Interface]
application-layer protocol that is used by the MUA to retrieve email from a mail server; TCP port 135
IMAP [Internet Message Access Protocol]
application-layer protocol that is used by the MUA to retrieve email from a mail server; TCP port 143
TXT record
associates any arbitrary text with a hostname
How a URI identifies a resource
by location, or a name, or both
Browsing activity recorded by cookies
clicking particular buttons, logging in, or recording which pages were visited in the past
Network applications use a
client-server architecture
Implementing a JavaScript
define the JavaScript in a separate file, then link to that JavaScript file using the src attribute of the script tag
HTTPS
encrypts the data while in transit, not when at rest
Previously typed info remembered by cookies
form fields such as name and address
sessionToken cookie
identifies a particular session
SMTP client
initiates the connection request to an SMTP server that is located within the same enterprise or out on the Internet
SQL injection attack
involves the alteration of SQL statements that are used within a web application by using attacker-supplied data
Stateful info in cookies
items in a shopping cart
MX record
maps a domain name to a list of mail servers for that domain
A record
maps host name to IPv4 address
AAAA record
maps host name to IPv6 address
NS record
maps the name server for the domain
HTTP/HTTPS
protocols used as the communication channel between client and DDNS provider
nslookup
queries the DNS database for domain names, IP address mapping, or any specific DNS record. It also shows the DNS server.
SMTP server
receives the connection request from the SMTP client
Authoritative DNS server
responsible for all the domain's RRs
HTTP cookie
small piece of data sent from the web server and stored in the user's web browser while the user is browsing
MUA [Mail user agent]
software client application, like Outlook, that accesses a groupware server (for example, an Exchange server) to send or receive mail
CNAME record
specifies that a domain name is an alias for another domain name, which is the "canonical" domain name
DNS MX record
specifies the mail server (MTA) name responsible for accepting email for that domain
Zone file
text file that describes a DNS zone, and contains a list of the zone's resource records
Attackers frequently use a DDNS service, because
the sub-domains can be quickly and easily generated.
Server-side scripting
used in web application development; involves using scripts on a web server to produce a response that is customized for each user's request to the website. The scripts may be written in any programming language, such as Perl, Python, PHP, and so on.
SQL [Structured Query Language]
used to query, operate, and administer relational database management systems such as Microsoft SQL Server, Oracle, or MySQL
Client-side scripting
uses a language that is designed for the script to be executed by the client's web browser. Examples of client-side scripting languages include JavaScript, Visual Basic Script (VBScript), and so on.
Embedded attacks
viruses and malware that perform actions on the end device when clicked
Common HTTP Status Codes
•100 = Continue: the server received the request headers and the client should send the request body (for example, a POST request).
•200 = OK: the client's request was processed successfully.
•301 = Moved Permanently: to a different URI.
•302 = Found: temporarily under a different URI. The client is invited by a response with this code to make a second, otherwise identical, request to the new URL specified in the Location field.
•307 = Temporarily Moved: the request should be repeated with another URI; however, future requests should still use the original URI.
•401 = Unauthorized (Authentication Required): the request requires authentication with the server.
•403 = Forbidden: access is denied.
•404 = Not Found: the server can't find the requested URI.
•407 = Proxy Authentication Required: the request first requires authentication with the proxy.
•500 = Internal Server Error: an unexpected condition was encountered and no more specific message is suitable.
SQL functions
•Create databases and tables
•Define data in the database and manipulate that data
•Access the data in the database
•Set the database permissions
Common network applications and protocols which can be leveraged to perform attacks
•DNS
•HTTP
•HTTPS
•SQL
•Protocols for mail delivery: SMTP, POP, and IMAP
Attackers' goals for SQL commands
•Exfiltrating data: SELECT
•Modifying data: UPDATE, INSERT, TRUNCATE
•Modifying database structure: DROP, ALTER
HTTP Request Methods
•GET: retrieves data from the specified resource.
•HEAD: asks for data like a GET request, but without the response body.
•POST: creates data on the specified resource.
•PUT: updates data on the specified resource.
•DELETE: deletes the specified resource.
Common SMTP Commands
•HELLO (HELO) or EHLO (Extended HELLO): used to identify the SMTP client to the SMTP server
•MAIL FROM: used to initiate a mail transaction in which the mail data is delivered to an SMTP server
•RCPT TO: used to identify an individual recipient
•DATA: the message body will follow
•QUIT: specifies that the receiver must send an OK reply and then close the transmission channel
HTTP response has 3 parts:
•The HTTP protocol name and version, and the status code.
•The HTTP response headers, used to define the operating parameters of the HTTP transaction and to provide information about the web server.
•The HTTP response body.
Parts of a URL:
•Protocol: e.g., http
•Host: prefix + sub-domain [if used] + domain + top-level domain
•Port
•Path: e.g., /video
•Parameters: e.g., ?docid=96673783583808&hl=en, which identifies the specific video
•Fragment or named anchor: e.g., #00h01m15s, which means to skip 1 min 15 sec into the video
Web Scripting types
•Server-side scripting
•Client-side scripting
HTTP request has 3 parts:
•The HTTP request method, URI, and the HTTP protocol name and version.
•The HTTP request headers, used to define the operating parameters of the HTTP transaction and to provide information about the client.
•The HTTP request body.
Entity that issues and signs digital certificates and is trusted by the browser
Certificate Authority
Dynamic DNS characteristics
•The client's IP address changes frequently
•The client has a dynamic IP address range
Zones
DNS name space is partitioned into zones to simplify DNS database management [a.b.com vs. b.com]
Open DNS recursive resolvers
DNS recursive resolvers that allow queries from all IP addresses and are exposed to the Internet
SMTP reply code third digit adds finer detail.
Examples:
•211 = system status, or system help reply
•220 (FQDN of server) = service ready
•421 (FQDN of server) = service not available
•451 = local error in processing
•500 = command not recognized
•502 = command not implemented
gTLD
Generic top-level domains
True of DDNS
Home users who wish to host a website use it. Attackers use it for CnC servers.
What can expose web applications to SQL injection attacks?
Insufficient input validation
FQDN (Fully Qualified Domain Name)
Maximum 255 characters
Resource record fields
NAME, TYPE, CLASS, TTL, RDLENGTH, and RDATA