Chapter 3 - Ethical hacking
TCP services
1. Reliable delivery: TCP incorporates acknowledgments to guarantee delivery, instead of relying on upper-layer protocols to detect and resolve errors. If a timely acknowledgment is not received, the sender retransmits the data. Requiring acknowledgments of received data can cause substantial delays. Examples of application layer protocols that make use of TCP reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.
2. Flow control: TCP implements flow control to address the delay caused by acknowledging received data. Rather than acknowledging one segment at a time, multiple segments can be acknowledged with a single acknowledgment segment.
3. Stateful communication: TCP stateful communication between two parties is established during the TCP three-way handshake. Before data can be transferred using TCP, a three-way handshake opens the TCP connection. If both sides agree to the TCP connection, data can be sent and received by both parties using TCP.
DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading information:
1. Wrong default gateway: The threat actor provides an invalid gateway, or the IP address of its own host, to create a MITM attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
2. Wrong DNS server: The threat actor provides an incorrect DNS server address, pointing the user to a malicious website.
3. Wrong IP address: The threat actor provides an invalid IP address, an invalid default gateway IP address, or both. The threat actor then creates a DoS attack on the DHCP client.
DoS and DDoS Attacks
A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks:
Overwhelming Quantity of Traffic: The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
Maliciously Formatted Packets: The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.
DDoS Attacks
A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.
Gratuitous ARP
A client sends an unsolicited ARP Reply with its MAC address. This is often done when a device first boots up to inform all other devices on the local network of the new device's MAC address. When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the gratuitous ARP in their ARP tables. This feature of ARP also means that any host can claim to be the owner of any IP or MAC. A threat actor can poison the ARP cache of devices on the local network, creating a MITM attack to redirect traffic. The goal is to target a victim host, and have it change its default gateway to the threat actor's device. This positions the threat actor in between the victim and all other systems outside of the local subnet.
Firewalls
A firewall is a system, or group of systems, that enforces an access control policy between networks.
All firewalls share some common properties:
Firewalls are resistant to network attacks.
Firewalls are the only transit points between internal corporate networks and external networks because all traffic flows through the firewall.
Firewalls enforce the access control policy.
There are several benefits of using a firewall in a network:
They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
They sanitize protocol flow, which prevents the exploitation of protocol flaws.
They block malicious data from servers and clients.
They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.
Firewalls also present some limitations:
A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
The data from many applications cannot be passed through firewalls securely.
Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden so that it appears as legitimate traffic through the firewall.
Other types of Malware: Worm
A worm is a self-replicating program that propagates automatically without user action by exploiting vulnerabilities in legitimate software. It uses the network to search for other victims with the same vulnerability. The intent of a worm is usually to slow or disrupt network operations.
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of these types of attacks is to gain entry to web accounts, confidential databases, and other sensitive information. Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status.
Other types of Malware: Adware
Adware is usually distributed by downloading online software. Adware can display unsolicited advertising using pop-up web browser windows, new toolbars, or unexpectedly redirect a webpage to a different website. Pop-up windows may be difficult to control as new windows can pop-up faster than the user can close them.
An attack vector
An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network. For example, threat actors may target a network through the internet, to disrupt network operations and create a denial of service (DoS) attack.
Internal attack vector
An internal user, such as an employee, can accidentally or intentionally:
Steal and copy confidential data to removable media, email, messaging software, and other media.
Compromise internal servers or network infrastructure devices.
Disconnect a critical network connection and cause a network outage.
Connect an infected USB drive into a corporate computer system.
Internal threats have the potential to cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices. Employees may also have knowledge of the corporate network, its resources, and its confidential data.
Security Terms
Assets: An asset is anything of value to the organization. It includes people, equipment, resources, and data.
Vulnerability: A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.
Threat: A threat is a potential danger to a company's assets, data, or network functionality.
Exploit: An exploit is a mechanism that takes advantage of a vulnerability.
Mitigation: Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.
Risk: Risk is the likelihood of a threat exploiting the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.
Vulnerability Scanners
These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Types of viruses
Boot sector virus: Virus attacks the boot sector, file partition table, or file system.
Firmware virus: Virus attacks the device firmware.
Macro virus: Virus uses the MS Office or other applications macro feature maliciously.
Program virus: Virus inserts itself in another executable program.
Script virus: Virus attacks the OS interpreter which is used to execute scripts.
Content Security Appliances
Cisco Email Security Appliance (ESA): The Cisco Email Security Appliance (ESA) is a special device designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.
Cisco Web Security Appliance (WSA): The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting. Cisco WSA provides complete control over how users access the internet. Certain features and applications, such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization's requirements. The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic.
Most organizations follow the CIA information security triad:
Confidentiality: Only authorized individuals, entities, or processes can access sensitive information. It may require using cryptographic encryption algorithms such as AES to encrypt and decrypt data.
Integrity: Refers to protecting data from unauthorized alteration. It requires the use of cryptographic hashing algorithms such as SHA.
Availability: Authorized users must have uninterrupted access to important resources and data. It requires implementing redundant services, gateways, and links.
Network security consists of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA triad above is a good practice to follow.
DNS Attacks
DNS open resolver attacks
DNS stealth attacks
DNS domain shadowing attacks
DNS tunneling attacks
The four elements of securing communications:
Data Integrity: Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely in use but it is inherently insecure and creates vulnerabilities in a network. The use of MD5 should be avoided.
Origin Authentication: Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with protocols, such as hash message authentication code (HMAC).
Data Confidentiality: Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.
Data Non-Repudiation: Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.
Data Loss
Data is likely to be an organization's most valuable asset. Organizational data can include research and development data, sales data, financial data, human resource and legal data, employee data, contractor data, and customer data. Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. The data loss can result in:
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of revenue
Litigation/legal action resulting in fines and civil penalties
Significant cost and effort to notify affected parties and recover from the breach
DNS Domain Shadowing Attacks
Domain shadowing involves the threat actor gathering domain account credentials in order to silently create multiple sub-domains to be used during the attacks. These subdomains typically point to malicious servers without alerting the actual owner of the parent domain.
Other types of Malware: Ransomware
Ransomware typically denies a user access to their files by encrypting the files and then displaying a message demanding a ransom for the decryption key. Users without up-to-date backups must pay the ransom to decrypt their files. Payment is usually made using wire transfer or cryptocurrencies such as Bitcoin.
Attack Types
Eavesdropping Attack: This is when a threat actor captures and "listens" to network traffic. This attack is also referred to as sniffing or snooping.
Data Modification Attack: If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
IP Address Spoofing Attack: A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
Password-Based Attacks: If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.
Denial of Service Attack: A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-Middle Attack: This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
Compromised-Key Attack: If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
Sniffer Attack: A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.
Data Loss Vectors
Email/Social Networking: Intercepted email or IM messages could be captured and reveal confidential information.
Unencrypted Devices: If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.
Cloud Storage Devices: Sensitive data can be lost if access to the cloud is compromised due to weak security settings.
Removable Media: One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy: Confidential data should be shredded when no longer required.
Improper Access Control: Passwords or weak passwords which have been compromised can provide a threat actor with easy access to corporate data.
Encryption Tools
Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.
DNS Stealth Attacks
Fast Flux: Threat actors use this technique to hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively hide malicious servers from being detected.
Double IP Flux: Threat actors use this technique to rapidly change the hostname to IP address mappings and to also change the authoritative name server. This increases the difficulty of identifying the source of the attack.
Domain Generation Algorithms: Threat actors use this technique in malware to randomly generate domain names that can then be used as rendezvous points to their command and control (C&C) servers.
Fuzzers to Search Vulnerabilities
Fuzzers are tools used by threat actors to discover a computer's security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
Describe the term Hacker
Hacker is a common term used to describe a threat actor. Originally the term referred to someone who was a skilled computer expert such as a programmer and a hack was a clever solution. The term later evolved into what we know of it today. The terms white hat hacker, black hat hacker, and gray hat hacker are often used to describe a type of hacker.
Hacking started in the 1960s
Hacking started in the 1960s with phone freaking, or phreaking, which refers to using audio frequencies to manipulate phone systems. At that time, telephone switches used various tones to indicate different functions. Early hackers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls. In the mid-1980s, computer dial-up modems were used to connect computers to networks. Hackers wrote "war dialing" programs which dialed each telephone number in a given area in search of computers. When a computer was found, password-cracking programs were used to gain access.
IPv4 and IPv6 attacks
ICMP attacks: Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
Amplification and reflection attacks: Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.
Address spoofing attacks: Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing.
Man-in-the-middle attack (MITM): Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination.
Session hijacking: Threat actors gain access to the physical network, and then use a MITM attack to hijack a session.
ICMP Messages used by Hackers
ICMP echo request and echo reply: This is used to perform host verification and DoS attacks.
ICMP unreachable: This is used to perform network reconnaissance and scanning attacks.
ICMP mask reply: This is used to map an internal IP network.
ICMP redirects: This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack.
ICMP router discovery: This is used to inject bogus route entries into the routing table of a target host.
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack. Spoofing attacks can be non-blind or blind:
Non-blind spoofing: The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.
Blind spoofing: The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host.
DNS open resolver attacks
Many organizations use the services of publicly open DNS servers such as Google DNS (8.8.8.8) to provide responses to queries. This type of DNS server is called an open resolver. A DNS open resolver answers queries from clients outside of its administrative domain. DNS open resolvers are vulnerable to multiple malicious activities.
DNS cache poisoning attacks: Threat actors send spoofed, falsified resource record (RR) information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS cache poisoning attacks can also be used to make the DNS resolver use a malicious name server that is providing RR information for malicious activities.
DNS amplification and reflection attacks: Threat actors use DoS or DDoS attacks on DNS open resolvers to increase the volume of attacks and to hide the true source of an attack. Threat actors send DNS messages to the open resolvers using the IP address of a target host. These attacks are possible because the open resolver will respond to queries from anyone asking a question.
DNS resource utilization attacks: A DoS attack that consumes the resources of the DNS open resolvers. This DoS attack consumes all the available resources to negatively affect the operations of the DNS open resolver. The impact of this DoS attack may require the DNS open resolver to be rebooted or services to be stopped and restarted.
TCP Attacks
Network applications use TCP or UDP ports. Threat actors conduct port scans of target devices to discover which services they offer. TCP attacks include:
TCP SYN Flood Attack
TCP Reset Attack
TCP Session Hijacking
Network Scanning and Hacking Tools
Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
DLP
Network security professionals must protect the organization's data. Various Data Loss Prevention (DLP) controls must be implemented which combine strategic, operational and tactical measures.
Types of Access Attacks
Password Attacks: In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.
Spoofing Attacks: In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Other access attacks include:
Trust exploitations
Port redirections
Man-in-the-middle attacks
Buffer overflow attacks
Password Crackers
Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Types of Social Engineering Attacks
Pretexting: A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing: A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Spear phishing: A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam: Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Something for Something: Sometimes called "Quid pro quo", this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting: A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation: This type of attack is where a threat actor pretends to be someone they are not to gain the trust of a victim.
Tailgating: This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Shoulder surfing: This is where a threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.
Dumpster diving: This is where a threat actor rummages through trash bins to discover confidential documents.
Overview of Network Attacks
Reconnaissance Attacks
Access Attacks
DoS Attacks
Reconnaissance Attacks
Reconnaissance is information gathering. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.
Perform an information query of a target: The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization's website, whois, and more.
Initiate a ping sweep of the target network: The information query usually reveals the target's network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses: This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners: This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Run exploitation tools: The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
Types of Trojan Horses
Remote-access Trojan horse: enables unauthorized remote access.
Data-sending Trojan horse: provides the threat actor with sensitive data, such as passwords.
Destructive Trojan horse: corrupts or deletes files.
Proxy Trojan horse: will use the victim's computer as the source device to launch attacks and perform other illegal activities.
FTP Trojan horse: enables unauthorized file transfer services on end devices.
Security software disabler Trojan horse: stops antivirus programs or firewalls from functioning.
Denial of Service (DoS) Trojan horse: slows or halts network activity.
Keylogger Trojan horse: actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.
Other types of Malware: Rootkit
Rootkits are used by threat actors to gain administrator account-level access to a computer. They are very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence. They can provide a backdoor to threat actors giving them access to the PC, and allowing them to upload files, and install new software to be used in a DDoS attack. Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.
Hacking Terms
Script Kiddies: These are teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.
Vulnerability Broker: These are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Hacktivists: These are gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.
Cyber criminals: These are black hat hackers who are either self-employed or working for large cybercrime organizations.
State-Sponsored: These are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.
Hacking Operating Systems
These are specially designed operating systems preloaded with tools optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, Knoppix, and BackBox Linux.
Other types of Malware: Spyware
Similar to adware, but used to gather information about the user and send it to threat actors without the user's consent. Spyware can be a low threat, gathering browsing data, or it can be a high threat, capturing personal and financial information.
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in-person while others may use the telephone or internet. Social engineers often rely on people's willingness to be helpful. They also prey on people's weaknesses. For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access. The threat actor could appeal to the employee's vanity, invoke authority using name-dropping techniques, or appeal to the employee's greed.
TCP Session Hijacking
TCP session hijacking is another TCP vulnerability. Although difficult to conduct, a threat actor takes over an already-authenticated host as it communicates with the target. The threat actor must spoof the IP address of one host, predict the next sequence number, and send an ACK to the other host. If successful, the threat actor could send, but not receive, data from the target device.
Debuggers
These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
TCP Reset Attack
Terminating a TCP Connection: A TCP reset attack can be used to terminate TCP communications between two hosts. TCP can terminate a connection in a civilized (i.e., normal) manner and an uncivilized (i.e., abrupt) manner. The civilized manner is when TCP uses a four-way exchange consisting of a pair of FIN and ACK segments from each TCP endpoint to close the TCP connection. The uncivilized manner is when a host receives a TCP segment with the RST bit set. This is an abrupt way to tear down the TCP connection and inform the receiving host to immediately stop using the TCP connection. A threat actor could perform a TCP reset attack by sending a spoofed packet containing a TCP RST to one or both endpoints.
DNS
The Domain Name Service (DNS) protocol defines an automated service that matches resource names, such as www.cisco.com, with the required numeric network address, such as the IPv4 or IPv6 address. It includes the format for queries, responses, and data and uses resource records (RR) to identify the type of DNS response.
What is SET?
The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. Enterprises must educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
TCP SYN Flood Attack
The TCP SYN Flood attack exploits the TCP three-way handshake. A threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to a target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive, because the spoofed source IP addresses do not exist. Eventually the target host is overwhelmed with half-open TCP connections, and TCP services are denied to legitimate users.
What is a virus?
The first and most common type of computer malware is a virus. Viruses require human action to propagate and infect other computers. For example, a virus can infect a computer when a victim opens an email attachment, opens a file on a USB drive, or downloads a file. The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer. Viruses can:
Alter, corrupt, or delete files, or erase entire drives.
Cause computer booting issues and corrupt applications.
Capture and send sensitive information to threat actors.
Access and use email accounts to spread.
Lay dormant until summoned by the threat actor.
Forensic Tools
These tools are used by white hat hackers to sniff out any trace of evidence existing on a computer. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.
Packet Sniffers
These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Packet Crafting Tools
These tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Vulnerability Exploitation Tools
These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
ARP Cache Poisoning
The threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated destination IP addresses. PC-A updates its ARP cache so that the entry for its default gateway now points to the threat actor's host MAC address. R1 also updates its ARP cache so that the entry for PC-A's IP address points to the threat actor's MAC address. The threat actor's host is executing an ARP poisoning attack. The ARP poisoning attack can be passive or active. Passive ARP poisoning is where threat actors steal confidential information. Active ARP poisoning is where threat actors modify data in transit or inject malicious data.
Data Confidentiality
There are two classes of encryption used to provide data confidentiality:
Symmetric encryption algorithms, such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), are based on the premise that each communicating party knows the pre-shared key.
Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if possible.
Characteristics of symmetric encryption include:
Uses the same key to encrypt and decrypt data
Key lengths are short (40 bits - 256 bits)
Faster than asymmetric encryption
Commonly used for encrypting bulk data such as VPN traffic
To ensure that the encryption is safe, use a minimum key length of 128 bits. Use a longer key for more secure communications.
Characteristics of asymmetric encryption include:
Uses different keys to encrypt and decrypt data
Key lengths are long (512 bits - 4096 bits)
Computationally taxing, therefore slower than symmetric encryption
Commonly used for quick data transactions such as HTTPS when accessing your bank data
Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 and 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted, while shorter key lengths are considered unreliable.
Rootkit Detectors
These are directory and file integrity checkers used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
ICMP Attacks
Threat actors use ICMP for reconnaissance and scanning attacks. They can launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat actors also use ICMP for DoS attacks. Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks. Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files. In the case of large networks, security devices such as firewalls and intrusion detection systems (IDS) detect such attacks and generate alerts to the security analysts.
What is a trojan horse?
Threat actors use Trojan horses to compromise hosts. A Trojan horse is a program that looks useful but also carries malicious code. Trojan horses are often provided with free online programs such as computer games. Unsuspecting users download and install the game, along with the Trojan horse.
DNS Tunneling
Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions when a threat actor wishes to communicate with bots inside a protected network, or exfiltrate data from the organization, such as a password database. When the threat actor uses DNS tunneling, the different types of DNS records are altered. This is how DNS tunneling works for CnC commands sent to a botnet:
1. The command data is split into multiple encoded chunks.
2. Each chunk is placed into a lower-level domain name label of the DNS query.
3. Because there is no response from the local or networked DNS for the query, the request is sent to the ISP's recursive DNS servers.
4. The recursive DNS service will forward the query to the threat actor's authoritative name server.
5. The process is repeated until all the queries containing the chunks of data are sent.
6. When the threat actor's authoritative name server receives the DNS queries from the infected devices, it sends responses for each DNS query, which contain the encapsulated, encoded CnC commands.
7. The malware on the compromised host recombines the chunks and executes the commands hidden within the DNS record.
To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay close attention to DNS queries that are longer than average, or those that have a suspicious domain name. DNS solutions, like Cisco OpenDNS, block much of the DNS tunneling traffic by identifying suspicious domains.
Origin Authentication
To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function. Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key. Only parties who have access to that secret key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of the data origin. If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message. This is because the other party possesses the secret key.
IPS
To defend against fast-moving and evolving attacks, you may need cost-effective detection and prevention systems, such as intrusion detection systems (IDS), or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network. IDS and IPS technologies share several characteristics. IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:
1. A router configured with Cisco IOS IPS software
2. A device specifically designed to provide dedicated IDS or IPS services
3. A network module installed in an adaptive security appliance (ASA), switch, or router
IDS and IPS technologies detect patterns in network traffic using signatures. A signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).
The Defense-in-Depth Approach
To ensure secure communications across both public and private networks, you must secure devices including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach to security. This is also known as a layered approach. It requires a combination of networking devices and services working together.
VPN - A router provides secure VPN services to corporate sites and remote access support for remote users using secure encrypted tunnels.
ASA Firewall - A dedicated device that provides stateful firewall services. It ensures that internal traffic can go out and come back, but external traffic cannot initiate connections to inside hosts.
IPS - An Intrusion Prevention System monitors incoming and outgoing traffic looking for malware, network attack signatures, and more. If it recognizes a threat, it can immediately stop it.
ESA/WSA - The Email Security Appliance (ESA) filters spam and suspicious emails. The Web Security Appliance (WSA) filters known and suspicious internet malware sites.
AAA Server - This server contains a secure database of who is authorized to access and manage network devices. Network devices authenticate administrative users using this database.
ARP Spoofing
A threat actor takes the default gateway router's MAC address and pretends to be the default gateway for a PC (the MAC addresses are the same, but the IP addresses are not).
UDP Segment Header and Operation
UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol. It has much lower overhead than TCP because it is not connection-oriented and does not offer the sophisticated retransmission, sequencing, and flow control mechanisms that provide reliability. The UDP segment header (8 bytes) is much smaller than TCP's segment header (20 bytes).
UDP Attacks
UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by default. The lack of encryption means that anyone can see the traffic, change it, and send it on to its destination. Changing the data in the traffic will alter the 16-bit checksum, but the checksum is optional and is not always used. When the checksum is used, the threat actor can compute a new checksum based on the new data payload and record it in the header. The destination device will find that the checksum matches the data without knowing that the data has been altered. This type of attack is not widely used.
UDP Flood Attacks
You are more likely to see a UDP flood attack. In a UDP flood attack, all the resources on a network are consumed. The threat actor must use a tool like UDP Unicorn or Low Orbit Ion Cannon. These tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The program will sweep through all the known ports trying to find closed ports. This will cause the server to reply with an ICMP port unreachable message. Because there are many closed ports on the server, this creates a lot of traffic on the segment, which uses up most of the bandwidth. The result is very similar to a DoS attack.
The 6 Control bits of the TCP segment in a packet
URG - Urgent pointer field significant
ACK - Acknowledgment field significant
PSH - Push function
RST - Reset the connection
SYN - Synchronize sequence numbers
FIN - No more data from sender
Hacker types
White Hat Hackers
These are ethical hackers who use their programming skills for good, ethical, and legal purposes. White hat hackers may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited.
Gray Hat Hackers
These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network.
Black Hat Hackers
These are unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.
Wireless Hacking Tools
Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.