428 FINAL STUDY GUIDE


Cross-Site Request Forgery (CSRF or XSRF)

•Another type of browser-based attack is a "Cross-Site Request Forgery"
•Anatomy of a CSRF request
  •Connect to and log in to a site that relies on a user's identity (and remembers it)
  •Because the user logged in once, there is "trust" that requests are trustworthy, and this trust is exploited
  •The user's browser is then tricked into sending an HTTP request, and because it was already trusted, the request/operation is trusted
  •This is used on requests that make changes (e.g. have side effects)

Hexadecimal

•Another way to represent data is in hexadecimal
•Binary has only 2 values (0, 1) that numbers are built of
•Decimal has 10 values (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
•Hexadecimal has 16 values (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F)

Subnets and Subnet masks

•IP addresses can be broken into two parts
  •Network - what grouping of computers should this traffic be sent to?
  •Host - what is the specific computer this traffic is destined for?
•Without subnetting
  •To send traffic to an IP address, just send it to everybody everywhere and hope it gets to the right place (in theory)
•With subnetting
  •Use routing tables to get it to the network closest to the destination
  •Then let that destination network handle getting it to the specific host

Disable Services

•If there is no need to use the service, disable it!
•Having extra services running "just because" increases the likelihood of an attacker finding a successful exploit
•E.g. Windows Server 2016
  •If you are running it as a file server, disable the DNS server, you don't need it!
•Open only what needs to be opened and close everything else
•This reduces the attack surface - the amount of code a computer system exposes to unauthenticated outsiders

DNS Hijacking

•If you can get access to the DNS resolver, or a nameserver for a domain, you can send users anywhere you want!
•Your address bar might say google.com, but because the DNS server was "hijacked", it sends you to the fake Google site.
•This can be hard to detect; you would need to inspect the IP addresses of the site you went to and verify it was legitimate.
•Best Practices
  •Use trusted DNS resolvers. Don't change the resolver based on, say, a phone call, etc.

Other Scans

•In a FIN scan, a packet with only the FIN flag set is sent
  •If the port is closed, a RST is returned
•In a UDP scan, a packet is sent to the target computer's UDP port
  •If the port is closed: an ICMP Port Unreachable is returned
  •If no response: might imply the port is open (depends on firewalls)

SYN Scan

•In a SYN (stealth) scan, a scanning machine sends a SYN packet to the target machine and, depending on the response, makes an assessment:
  •If the port is closed - RST/ACK is returned
  •If the port is open - SYN/ACK is returned
  •The scanning machine then sends RST/ACK to end the connection before it is completed
•In this attack, many operating systems do not log incomplete TCP connections.
•By getting the target machine to respond, but terminating before the whole 3-way handshake is completed, an attacker can gain information about a machine's ports.
•Basic port scan with nmap (SYN scan)
  nmap <ip address/range>
  nmap 192.168.1.1
  nmap 192.168.1.0/24
  If the port is closed - target returns a RST/ACK packet
  If the port is open - target returns SYN/ACK, but the connection is never completed (RST is sent back)

NULL Scan

•In a NULL scan, all flags are turned off (e.g. no SYN, no ACK, etc.)
•In many operating systems (not necessarily Windows)
  •If the port is closed: responds with a RST packet
  •If the port is open: either ignored or a random response (varies based on OS)
•If no return packet is received, you may guess that the port might be open
•May help identify an operating system based on the response
•Port scan that sends packets with no flags set
  nmap -sN <ip address/range>
  nmap -sN 192.168.1.1
  nmap -sN 192.168.1.0/24
  If the port is closed - target returns a RST/ACK packet
  If the port is open - traffic is ignored (in some OSs)

Eavesdropping

•In an eavesdropping attack, an attacker
  •Has access to a network segment
  •Listens to traffic communicated over that segment
  •Intercepts traffic communicated over that segment
  •Saves/analyzes this traffic
•Eavesdropping attacks can enable an attacker to discover usernames, passwords and other secret information!
•Countermeasure: encrypt traffic and use trusted certificates

Buffer Overflow

•In this attack,
  •code may allocate, say, 8 bytes for a variable
  •The code does not validate input (e.g. it may accept 16 bytes of information)
  •The language does not check, and writes the 16 bytes, even though only 8 bytes had been allocated
  •The extra information is written into space the attacker hopes is used to contain execution instructions!

Patching

•Keep your systems up to date!
•Many mass vulnerability exploits are not 0-day; they have been around a while but systems were never updated
•For a small number of systems
  •Windows Update can be used manually to check for these updates
•For larger networks, more advanced tools are necessary

Physical Security Attacks

•Keyloggers
  •Hardware keyloggers - often inserted into a keyboard plug to intercept and store data entered (often focused on passwords/credentials)
•Premise Security
  •Keep in mind that not all locks are impenetrable!
  •Much more on this is outside the scope of this class, but it needed to be mentioned.

Lateral Movement

•Launch attacks on other systems in the network as the compromised machine and repeat the lifecycle there

Linux Packages

•Linux has many tools that can be installed, such as
  •Apache web servers
  •FTP/SFTP servers
  •MySQL
  •OpenSSL
  •VNC
•Each of these enables a functionality, but opens up an attack surface that was not originally available in the base OS

MS SQL Server

•Older versions of MS SQL Server have a serious vulnerability referred to as the null SA password
•During configuration, if a certain set of options was chosen, it resulted in the System Administrator (SA) account being created with no password!
•Due to the configuration options chosen with respect to where authentication occurs, the SA account is created with no password
•This enabled admin access to the database, and possibly the database server

Ports

•Once traffic makes it to a host machine, it does not magically end up where it needs to be; it is addressed to a port
•There are 2^16 ports (65,535) (based on the size allocated in the TCP packet for the source and destination port)
  •0-1023: reserved for privileged services
  •1024-49151: registered/user ports
  •>49151: dynamic/private ports

Pros of TCP

•Ordered data transfer - while packets may not arrive in the same order they were sent, the protocol will ENSURE that they are ordered before doing anything with them.
•If part of the message gets lost, it will be retransmitted
•As a result, there is error-free data transfer
•This relies on sequence numbers

Types of XSS Attacks

•Persistent XSS - the malicious script is in the original website's database
•Reflected XSS - the malicious script originates from the victim's request
•DOM-based XSS - the malicious script originates client side and never leaves the browser

Ping scan

•Ping scan - sends an ICMP ping request. If the host is up, it may respond.
•Pros: port scanning is time consuming. If you only scan the ports of machines that you know are up, you save a lot of time!
•Cons: it is easy to block pings. Many secured machines do not respond to ping requests, but will still accept traffic. You may omit a machine that you could have detected with a port scan
•Ping scan/ping sweep with nmap
  nmap -sP <ip address/range>
  nmap -sP 192.168.1.1
  nmap -sP 192.168.1.0/24
  This is pretty easy to block with a firewall.

Types of Port Scans

•Ping scans
•SYN scans
•Connect scans
•NULL scan
•XMAS scan
•ACK scan
•FIN scan
•UDP scan

FIN Scan

•Port scan that sends packets with no flags set
  nmap -sF <ip address/range>
  nmap -sF 192.168.1.1
  nmap -sF 192.168.1.0/24
  If the port is closed - target returns a RST/ACK packet
  If the port is open - traffic is ignored (in some OSs)

Samba

•While Windows had an entire section on commonly exploited utilities in the textbook, the section on *nix systems has one - Samba
•And guess what, it is related to Windows!
•It was found that it was nearly impossible for Windows and *nix systems to share resources!
•A utility called Samba was created, which was an open source version of the Common Internet File System (CIFS) from Windows!
•This enabled sharing of resources, but also increases the attack surface of a *nix machine

Steps to Connect DNS

1. Enter an address
2. Connect to a recursive resolver
3. Talk to a root DNS server
4. Talk to the TLD
5. Send the request to the domain's nameserver

Attack Lifecycle

1. Initial Recon (Network)
2. Penetration (Network)
3. Gaining a Foothold
4. Appropriating/Escalating Privileges
5. Internal Recon
6. Lateral Movement (Network)
7. Maintain Presence (Network)
8. Mission Accomplished (Network)

Embedded OS

1. Embedded operating systems are ubiquitous
2. Embedded operating systems are increasingly being networked
3. Embedded operating systems are extremely difficult to patch!
4. Embedded OSs are in most networking devices!
5. Embedded OSs are in most network peripherals (printers, scanners, multi-purpose stations, etc.)

tcpdump

A command-line protocol analyzer. Administrators use it to capture packets.

Nessus

A network vulnerability scanner available from Tenable Network Security.
Use hping3 to craft packets:
  sudo hping3 -A -S -F -U -P 192.168.1.133
Use tcpdump to monitor them.

CIA of Security

Confidentiality, Integrity, Availability

DNS

Domain Name System. Converts IP addresses into alphabetical names for websites.

Ethical Hacking

Three different types of "ethical hacking"
•Penetration Testing: the ethical hacker ACTIVELY attempts to break into an organization's network/applications
•Vulnerability Assessment: testers do not actively attempt to gain access to the target network/application, but DO identify and enumerate/list potential vulnerabilities that a hacker may attempt to use
•Security Test: in this type of test, ethical hackers may actively try to "break in", but also analyze/utilize the company's security policies to identify weaknesses.

Interpreted Packet Contents

Translated packet values

Social Engineering Methods

Urgency, Quid Pro Quo, Status Quo, Kindness, Passion

UDP

User Datagram Protocol

Difference between vulnerability and an exploit

Vulnerability = weakness in the system
Exploit = taking advantage of said weakness in the system
0-day vulnerabilities and patches - a 0-day is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.

Types of Wireshark Packets

HTTP, TCP and UDP. Other types include ARP and DHCP.

Exploit

A specifically crafted attack intended to take advantage of a vulnerability

Port scanning

The process of examining an IP address (or range of IP addresses) to determine what services are running on a network

DNS tools

whois, nslookup, dig

TCP Flags

•1 bit (on or off)
•SYN flag - beginning of a session
•ACK flag - acknowledgement
•RST flag - reset flag, resets or drops a connection
•FIN flag - indicates that the connection is finished
•(others, not listed)

SQL Injection Defenses

•1. Use prepared statements (with parameterized queries) - programming languages (PHP, Java, etc.) have methods for creating "PreparedStatements" that allow you to define your statement, provide placeholders for the parameters, then supply the values
•2. Use stored procedures (safe stored procedures): prepare the statements and store them safely
•3. Whitelist input validation - if you know what good values should be accepted, do strict whitelist validation (e.g. states)
•4. Escape all user-supplied input - a complex, DB-specific way to "escape" certain inputs.

MAC address

•12 digit (6 byte) hexadecimal number
•MM:MM:MM:SS:SS:SS
•Prefix MM:MM:MM
  •Identifies the vendor
  •Vendors register for their prefix
•Address/identification number SS:SS:SS
  •Unique identifier for each vendor
•MAC addresses can be used to look up information about the vendor who produced the NIC

Special IP Address

•127.0.0.1 - loopback - connects to yourself
•Private networks

Common Ports

•22: SSH/SFTP
•25: SMTP (Simple Mail Transfer Protocol)
•53: DNS (Domain Name System)
•80: HTTP (web servers)
•139: NetBIOS (Windows)
•443: HTTPS

Distributed Denial of Service

•A Distributed Denial of Service (DDoS) uses DoS techniques, but from hundreds or thousands of machines!
•Often perpetrated by/controlled by botnets
•The machines performing the attacks are unknowing/unwilling "zombies" (likely infected by some sort of malware discussed before)
•Dark DDoS - a smokescreen attack to distract network defenders and hide a more damaging/stealthier attack

Connect Scan

•A connect scan completes the three-way handshake, verifying that a TCP connection was created
•This type of scan can easily be detected because most operating systems log/track open TCP connections
•Like knocking on the door, rattling the handle, and opening the door completely (instead of walking away after realizing the door was unlocked)
•Port scan that attempts (and completes) a connection if found
  nmap -sT <ip address/range>
  nmap -sT 192.168.1.1
  nmap -sT 192.168.1.0/24
  If the port is closed - target returns a RST/ACK packet
  If the port is open - connection is opened, completed, and then ended

Network Session Hijacking

•A particularly sophisticated attack, network session hijacking, occurs when a hijacker takes over a TCP connection
•TCP is based on a "connection" model, but no physical connection exists
•The train of sequence numbers, and the original information exchanged during the three-way handshake, allow computers to keep this "virtual connection" open
•Each new piece has the next sequence number that is expected, and that is how the network knows how to put it all back together
•In a network session hijacking attack, an attacker takes advantage of this sequence number model for tracking connections
•The ISN (Initial Sequence Number) is the starting point for the connection
•If an attacker can guess what the ISN was, and guess where the sequence number is relative to that, they can trick the network into thinking a packet they sent is the next packet, even though it was sent by somebody else entirely!
•Each connection

ACK Scan

•ACK scans can be used to identify if a firewall/traffic filter exists, and if it can be circumvented
•An ACK packet is the last piece of the 3-way handshake
•The attacker just sends an ACK packet
  •Attempts to confirm a connection that the target has no record of
•Many firewalls/filtering devices will look for the associated SYN packet
  •If no SYN packet was found, they drop the traffic
•If the target responds with RST, you can assume the port is unfiltered
•Port scan that sends packets with only ACK set
  nmap -sA <ip address/range>
  nmap -sA 192.168.1.1
  nmap -sA 192.168.1.0/24
  Cannot tell if ports are open
  Can tell if ports are filtered!

Maintain Presence

•Additional backdoor software (rootkits, trojans, etc.)
•Use legitimate accounts/credentials to reduce suspicion
•Gain access to alternative information sources such as web portals, etc.

SQL Injection

•Another common type of web attack, similar to XSS, is SQL injection
•In this attack, you try to include additional SQL code that will be executed
•The SQL code is specially crafted, such as adding OR 1=1 to ensure something is always true (e.g. logins)

Find your IP address

Mac/Linux: ifconfig
PC: ipconfig

Nmap

Open source port scanner
•Can run a command as simple as nmap <ip address> to scan common ports
•Can run complex commands with different flags set to customize how the scan will work!

Raw Packet Contents

Packets that have not been translated yet

5 Types of Social engineering attacks

Pure social engineering
Shoulder surfing - unnoticed observation of a user entering a password or other secret material
Dumpster diving - looking through the trash for recon; can find various things such as bills, reports, etc.
Piggybacking - following somebody into an area you are not authorized to be in
Phishing - fake emails designed to trick users into providing information

Linux Countermeasures

Stay up to date
Patch
Principle of least privilege (minimize admin users)

Remote Procedure Call

•Another Windows service, Remote Procedure Call (RPC)
•Remote Procedure Call allows a program running on one host to execute code on another host
•As this involves execution of code and trust between machines, this is an area that is
•Remote Procedure Call (RPC) has had several high-profile vulnerabilities that enabled arbitrary remote code execution!
•October 23rd, 2008 - Microsoft released a security bulletin highlighting this vulnerability, and provided patches for remediating the problem
•A month later (November 21st, 2008), the Conficker worm utilized this vulnerability to infect many large networks (even though a fix was available)
•2010 - the same vulnerability was used to propagate the Stuxnet worm!

Antivirus and Logging

•Antivirus
  •Big or small, antivirus helps detect and remove known malware!
  •Don't forget to update the signatures as well
•Logging
  •Be careful to configure logging to identify useful values!
  •Consider automation tools for log analysis
  •Look for suspicious activities that might raise red flags

Penetration

•Attacking vulnerabilities (Metasploit)
•Social engineering (spear phishing, XSS)
•Web vulnerabilities (XSS)

Gaining a Foothold

•Backdoor software
•Reverse shells

Enumeration

•Basic enumeration tools have already been discussed
•They allow us to go from knowing where the "live" hosts are and what ports are open
  •To knowing what operating systems are running
  •To knowing what protocols the host machine supports
  •To knowing what services are running on those ports
  •To knowing the versions of those services
  •To identifying shared resources
  •To identifying potential usernames, passwords, etc.

CSRF Defense

•Best defense (difficult to attack unless EXTREMELY lucky)
•First: NO XSS (XSS can defeat the countermeasures)
•Include CSRF tokens
  •Include a hidden (random) token on each page.
  •When the operation is clicked on, verify that the random token that was provided matches the expected one
•Check the Referer/Origin in the HTTP header (a more in-depth discussion of this is out of the scope of this class). Basically, make sure it is clear where a request is coming from, whether a legitimate link or a link from a forged site

Linux OS Vulnerabilities

•Common attack surfaces
  •Samba
  •Other installed utilities
•Tools for identifying vulnerabilities
  •Greenbone/OpenVAS
  •Checking for rootkits
•Keeping current
•Secure configuration

Common Internet File System (CIFS)

•Common Internet File System (CIFS) (surprise, another sharing-related service!) was designed to replace SMB in Windows 2000 and later
•To enable backwards compatibility, ORIGINAL SMB was still used
•It enabled the sharing of files, folders, printers and other resources throughout a network
•CIFS built on some of the shortcomings in SMB and enabled
  •Locking for multiple-user access
  •Better speed over slow dial-up lines
  •Anonymous, share-level and user-level file security
•Windows servers running CIFS often have access to thousands or millions of objects in a Global Catalog (GC)
  •E.g. searching for a printer with the word "color" in it would search such a catalog
•This often runs on top of a special Windows server called a Domain Controller
  •Domain Controllers are primarily used to authenticate accounts (often needed for user-level security)
  •As a result, when enumerating and exploring network architecture, domain controllers are valuable targets due to the large amount of information they likely contain
•Windows Server 2003/2008 running CIFS most often have the following ports open
  •DNS (53)
  •HTTP (80)
  •Kerberos (88)
  •RPC (135)
  •NetBIOS Name Service (137)
  •NetBIOS Datagram Service (139)
  •LDAP (389)
  •HTTPS (443)
  •SMB/CIFS (445)
  •LDAP over SSL (636)
  •Active Directory global catalog (3268)

Appropriating Privileges/Escalation of Privileges

•Cracking poor password hashes
•Privilege escalation attacks (vulnerabilities)
•Social engineering (gaining user information to guess common passwords)

Denial of Service

•A Denial of Service (DoS) attack maliciously removes the availability of a system
•Attackers are not interested in gaining access to the network, but in crippling the network

Embedded Operating Systems

•Embedded Windows OS
  •Windows XP Embedded
  •Windows CE
    •Used in a variety of technologies, including automotive versions
  •Windows Mobile
    •Used on older PDAs and smartphones
  •Windows 8/10
    •More robust, with more functionality from the full OS
    •May have access to tools such as the MBSA
•Custom
  •VxWorks - RTOS used in many high-profile devices such as
    •Mars Curiosity Rover
    •Boeing 787 Dreamliner common core systems (CCS)
    •Lockheed Martin RQ-170 Sentinel UAV
    •Apple AirPort Extreme... and many more
•*nix
  •Linux/Unix variants make good embedded OSs as they can easily be tailored for limited memory/storage devices
  •The Linux kernel supports a wide variety of hardware and the easy addition of features through kernel modules
  •*nix-based embedded operating systems are found in
    •Cisco switches/routers
    •TomTom/Garmin GPS
    •PDAs, media players
    •Medical instruments
  •Android devices run a modified version of the Linux kernel
  •Even iOS (iPhones) is based on Mac OS X, which was based on Linux
  •Another interesting Linux-based OS is DD-WRT
    •Custom firmware for running on routers

NTFS Vulnerabilities

•Even though NTFS has made some significant leaps in security over FAT, it still has some features/vulnerabilities*
  •*Depends on who you ask whether it is a feature or a vulnerability!
•What is an example? ADS (Alternate Data Streams)
  •ADS was designed to provide some backward compatibility with Apple's Hierarchical File System (HFS)
  •It results in being able to stream information behind an existing file, which results in the actual source being hidden

Framebusting

•Framebusting is a technique that enables a website originally displayed in an iframe to "bust out" of the frame, enabling it to "take over the window".

Hubs vs Switches vs Routers

•Hub - sends traffic to all connected nodes
  •Assumes an "honor" system of sorts, that other machines do not actively use traffic not meant for them
  •In general, a NIC will drop traffic not for that NIC, but it is still sent there
  •Can often observe this traffic in what is called promiscuous mode
•Switch - tracks who is connected to which port, and directs traffic to a specific destination (instead of sending it to everybody)
  •More secure and more efficient from a network perspective
•Routers - generally connect two network segments, an internal and an external
  •NAT - network address translation translates the external address into an internal address that can be routed to a final machine
  •It is like addressing mail to 1 ave of the art, and somehow it ends up in my mailbox in the department office.

Embedded OS Vulnerabilities

•Many "smart devices", and even devices that don't seem smart, are running computers with their own special operating systems!
•Common devices that are running operating systems of some sort, and that also have resources, include
  •Routers
  •Printers
  •Cars
  •Smart home devices (thermostats, alarms)
  •Many, many more!
•Embedded systems are usually powered by an embedded operating system (OS), which can be
  •Custom software designed specifically for a chip
  •Custom software designed specifically for a purpose
  •A stripped-down/specialized version of an existing operating system
•These operating systems usually
  •Are designed to be small
  •Use fewer computing resources
  •And as such, generally have less functionality than a full-flavor operating system

DNS Spoofing

•Many times, organizations will use caching in DNS servers
  •I looked up google.com the hard way 5 minutes ago
  •No need for me to look it up again, I will just go to the cache
•If you can trick an organization's DNS server into going to your bad server, even for just 1 visit, the bad value is added to the cache
•As a result, you think you visit google.com. The DNS resolver thinks you visit google.com, but you were visiting a fake site because it was cached
•Be careful about which DNS servers you trust to get information from
•Ignore DNS information unrelated to the original request

MBSA

•Microsoft Baseline Security Analyzer can be downloaded for free
•Performs a variety of checks, including
  •Security update checks
    •Missing security updates for Windows, IIS, SQL Server, Exchange Server, IE, Media Player and more!
  •Windows checks
    •Checks for basic password policy adherence and use of null passwords
    •Checks firewall status and automatic update status
  •And many more!
•If you want to check basic security settings for a Windows machine, check out the MBSA

Internet Information Service

•Microsoft also created its own web server, Internet Information Services (IIS)
•Default configurations had many features enabled to increase ease of use, but this resulted in a large attack surface that was often easy to exploit
•In certain versions of Windows Server, it was actually installed automatically and administrators were not aware of it! (It is important to understand your own network!)
•While newer versions of IIS (6.0-10.0) are installed as "secure by default", older versions that are lurking may still pose serious risks!
•This is, again, why it is important to update your OS and software!
•As recently as September 2017, new malware was discovered that takes advantage of a vulnerability in IIS 6.0
  •It allowed attackers to take over the computer and use its resources to mine cryptocurrency!

Cross Site Scripting (XSS)

•Modern websites often embed/incorporate complex scripts (e.g. JavaScript) which perform operations on the local machine (as opposed to being executed on the web server)
•If a website is not properly secured, it may be possible to "inject" a malicious script into the webpage
•This ability to inject a script that does not belong to the web page is referred to as cross-site scripting, or XSS
•This attack can introduce serious problems, as scripts can manipulate the document object model (DOM) of the HTML and change it for the worse!

OS Fingerprinting

•Nmap operating system guessing
•Requires at least one port to be open to make a guess!
  nmap -O <ip address/range>
  nmap -O 192.168.1.1
  nmap -O 192.168.1.0/24
•Results may be specific or generic
•Still, you know more than that it is just a live host!

Aggressive Scans

•Nmap can also perform more aggressive scans to gather information
  nmap -A <ip address/range>
  nmap -A 192.168.1.1
  nmap -A 192.168.1.0/24
•Not stealthy!
•Provides more information than just versioning (e.g. server headers)

Service Versioning

•Nmap can guess service versions during a port scan too
  nmap -sV <ip address/range>
  nmap -sV 192.168.1.1
  nmap -sV 192.168.1.0/24
•Results may be specific or generic
•Still, you know more than that it is just a live host and the operating system!

NMAP Scripts

•Nmap has a scripting language that can automate information gathering tasks
•From within the terminal in Kali Linux, you can type
  locate *.nse
•This will return all available scripts.
•You can create your own scripts as well

NTFS

•NTFS - New Technology File System resolved many of these shortcomings, with current versions supporting
  •Larger files/larger disk sizes
  •Compression
  •Journaling
  •Disk quotas
  •File-level encryption
  •Transactions
  •And more

NetBIOS

•Network Basic Input/Output System (NetBIOS) is a Windows utility for handling the sharing of network resources
•Operates at the Session Layer of the OSI model (layer 5)
•Most versions operate over TCP/IP, but early versions were designed to allow efficient sharing across a variety of different topologies and configurations, not just TCP/IP
•As it involves the sharing of information, confidentiality and integrity concerns are definitely in play!
•Newer versions of Windows can share without the use of NetBIOS, but problems with backwards compatibility are still an issue!

Binary

•Number system built out of 0 and 1 (base 2)
•In decimal (base 10), you
  •Start at 0
  •When you get to 9, you reset your value to 0, and add 1 to the next position
  •E.g. 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
  •Any time you get to the max value, you move it back to the base value and add 1 to the next position
  •E.g. 99 + 1 = 100
•Binary is similar, but only has two options, 0 and 1
  •0, 1, 10, 11, 100, 101, 110, 111, 1000
•Binary works in powers of 2
  •2, 4, 8, 16, 32, 64, 128, 256, etc.
  •256 is a common one we will use, as it is an 8-bit number (2^8)
    •Used in IP addresses
  •65536 is another common one (2^16)
    •Used in the maximum number of ports in a TCP header
•A series of four 8-bit numbers is what builds an IPv4 address

IP Address

•Numerical address; every computer on the network has one
•Four 8-bit numbers between 0-255 (32 bit)
•Total of 4,294,967,296 available addresses
•IPv6 (128 bit)
  •Proposed in 1995, refined in 1998, still being rolled out, but not in use everywhere; not really focused on in this class

Server Message Block (SMB)

•Server Message Block (SMB) was another tool for sharing files
  •(A common theme in many vulnerabilities is a good-faith desire to increase availability through sharing)
•SMB was utilized with NetBIOS and TCP/IP to facilitate sharing
•The problem was that it was vulnerable to a man-in-the-middle attack
•Even more problematic, it relied on a weak form of password security (LM passwords)
•As a result, there were two well-known tools published to take advantage of these vulnerabilities
•Despite this, it took 7 years for Microsoft to develop a patch!
•SMB has been utilized in some high-profile attacks
  •2014 Sony Pictures attack - an attack (attributed to North Korea) took a claimed 100 terabytes of data (2 months of copying)
    •This attack was performed via a worm that spread through SMB
  •WannaCry ransomware (2017) gained its worm-like abilities through an exploit named EternalBlue, which exploited SMB
    •Initially thought to have spread through phishing, but now believed to be a vulnerable SMB port

Man in the Middle

•Similar to eavesdropping, a man-in-the-middle attack occurs when an attacker injects themselves between two nodes communicating on a network
•They can observe the messages passed back and forth
•They can manipulate the messages passed back and forth

"Bad Hackers"

•Someone who accesses a system or network without the authorization of the system's owner. Hackers may want to simply prove that they can access a vulnerable system, or to steal/destroy data on the system. Accessing a system without the authorization of the system's owner is breaking the law, and you can go to prison.

SCADA

•Supervisory Control and Data Acquisition systems are special systems often used for monitoring and controlling
  •Large equipment in industrial situations
  •Public works and utilities
  •Power generators and dams
  •Transportation systems (FAA control towers)
  •Manufacturing
•SCADA systems are built of a variety of different embedded systems
•In theory, SCADA systems were to be protected/separated from the internet by an "air gap" (although this is not always the case)
•Even with this separation, it was still found that SCADA was susceptible to vulnerability exploitation!
•DHS project Aurora demonstrated how a cyberattack on a SCADA system could destroy the grid, causing a million-dollar diesel generator to explode
•In 2015 a Ukrainian power plant was infected with malicious software called BlackEnergy, leaving 700,00 people in the dark!

Common DOS Attacks

•SYN flood
  •A network connection can only handle so many TCP connection requests (bounded memory)
  •Attacker initiates a bunch of connections with SYN, but never follows up
•Zombie flood
  •Attacker initiates (and completes) many connections, but the users are not legitimate users
•ICMP flood
  •Send a large volume of ICMP traffic
•Service port flood
  •Target, say, port 80 to overwhelm the service running there
•Fragment flood
  •Send incomplete/fragmented packets to a server to overload it
•Anomalous packet flood
  •Send packets with weird/incorrect packet configuration (bad headers)

Protocols

•TCP (Transmission Control Protocol)
  •Connection oriented (virtual connection of sorts)
  •Connection initiated with a 3-way handshake: SYN, SYN/ACK, ACK
  •Connection terminated by both sides when done
•UDP (User Datagram Protocol)
  •Connectionless datagram service
  •No verification that the message will be received
•ICMP (Internet Control Message Protocol)
  •Used for diagnostic/control operations. Rarely used by end users other than ping and traceroute

TCP/IP

•TCP/IP - Transmission Control Protocol/Internet Protocol
•TCP/IP is used ubiquitously for network connectivity, even if you are unaware of it
•We will do a lot with TCP/IP in this class
•Often referred to as the TCP/IP stack, which can be broken down into 4 layers
  •There are other models with more layers, but for simplicity, we will stick with 4

Initial Recon

•Target selection (network scanning, public web records such as WHOIS)
•Target research (OS fingerprinting, port scanning)

Windows File Systems

•The file system (regardless of OS) determines how an OS will store and manage information
•The file system not only stores user-generated files (e.g. papers written for a class, etc.), but also the files used by the OS to boot and operate
•It is not a far stretch to understand how a vulnerability or a shortcoming in the file system could open the door for an attacker to gain access!
•What is wrong with FAT?
  •Does not support file-level access control!
  •In multi-user environments, FAT can be a serious vulnerability, as it is not possible to enforce authorization
  •Without authorization, it is not possible to implement the principle of least privilege!
•Windows resolved some of these issues when it released an enterprise OS, Windows NT, and NTFS

XSS Defense

•The key? Identify and protect against untrusted data
•What is untrusted data? Data that is controlled by the user
  •E.g. if your website dynamically puts information on a page based on user input

XMAS Scan

•The somewhat opposite of a NULL scan
•An XMAS scan has some strange combination (e.g. FIN, PSH, URG) or all of the flags set
•If port is closed: returns RST
•If port is open: either ignored or random response (varies based on OS)
•If no return packet is received, may guess that the port might be open
•May be able to help identify an operating system based on the response
•Port scan that sends packets with multiple flags set
  nmap -sX <ip address/range>
  nmap -sX 192.168.1.1
  nmap -sX 192.168.1.0/24
•If port is closed - target returns a RST/ACK packet
•If port is open - traffic is ignored (in some OSes)

Click Jacking

•This can also allow an attacker to include your webpage as an iframe in another webpage

Windows Vulnerabilities

•What aspects of the OS are often targeted by vulnerabilities?
  •Windows file system (FAT, NTFS)
  •Remote Procedure Call
  •NetBIOS
  •Server Message Block (SMB)
  •Common Internet File System (CIFS)
  •Web services
  •Services
  •Buffer overflows
  •Password security

Internal Reconnaissance

•What processes are running?
•What information is available on the resource?

Wireshark Filters

•When working with Wireshark, there can often be thousands of packets which are unrelated to what you are working on
  •Many applications have background communication that is occurring
  •The network has its own coordination communication that is occurring (DNS, ARP)
•Identify the IP address of interest, right click on the packet, Apply as Filter, Selected

Pen Testing Methodologies

•White box - tester is provided detailed information about the network, has access to interview IT personnel/employees
  •Makes the testing easier, but less realistic
•Black box - tester is not given any information about the organization's networks/resources/employees. Employees are not warned in advance
  •Makes testing more difficult but more realistic
  •Tester needs to gather knowledge of the network the same way an outside attacker might
  •Allows a company to test security personnel's ability to detect/prevent and identify/protect
•Gray box
  •Hybrid approach, some (partial) knowledge of the network
  •May be incomplete or inaccurate
  •Examples include
    •May know target OS, but have no knowledge of the network structure
    •May know specific applications that run
    •etc.

Windows Countermeasures

•With all the possible avenues of attack, what can we do to help ensure our security while maintaining availability?
  •MBSA - Microsoft Baseline Security Analyzer
  •Patching systems
  •Antivirus
  •Logging/log review
  •Disable unused services/filter ports
  •Other best practices

Filter Services

•You can also make smart network decisions to filter traffic as well!
•E.g. if you are trying to prevent an attack on SMB, filter ports 137-139 and 445
•If possible, filter it at the router, where your network interfaces with the rest of the internet!
  •This will allow internal traffic to flow on these ports, but prevent outsiders from connecting
•Do this cautiously, you can disrupt service with this approach!

Networking - Physical

•Your networked device has some sort of physical network device, commonly referred to as a NIC (network interface card)
•NICs have MAC addresses (media access control addresses), which are used to identify devices on a network
•MAC addresses are often hardcoded or physically configured into the device
•Virtualization can allow you to randomize and customize your MAC address as well
•Tracking MAC addresses has been identified as a security problem by some, with some vendors using random MAC addresses when initiating contact with wireless access points

