Module 8: Networking Threats, Assessments, and Defenses
Due to the impact of macro malware, Microsoft has implemented several protections:
-Protected View. Protected View is a read-only mode for an Office file in which most editing functions are disabled and macros cannot run. When opened, files will display a Protected View warning message if they are from an Internet site, potentially unsafe location, or another user's OneDrive storage; received as an email attachment; or have active content (macros or data connections).
-Trusted Documents. A trusted document is a file that contains active content that can open without a warning. Users can access the Office Trust Center to designate files as trusted. However, files opened from an unsafe location cannot be designated as a trusted document. A system administrator can also turn off the ability to designate a trusted document.
-Trusted Location. Files retrieved from a trusted location can be designated as safe and open in standard rather than Protected View. It is recommended that if a user trusts a file that contains active content, it should be moved to a trusted location instead of changing the default Trust Center settings to allow macros.
Steps in DNS Hijacking:
-The attackers send a request to a valid DNS server asking it to resolve the name www.evil.net.
-Because the valid DNS server does not know the address, it asks the responsible name server, which is the attackers' ns.evil.net, for the address.
-The name server ns.evil.net sends the address of not only www.evil.net but also all of its records (a zone transfer) to the valid DNS server, which then accepts them.
-Any requests to the valid DNS server will now respond with the fraudulent addresses entered by the attackers.
Host tables are stored in
The /etc/ directory on UNIX, Linux, and macOS; the \Windows\System32\drivers\etc directory on Windows.
DD
A DD file is a disk image file generated by the dd command. dd is a powerful and easy-to-use command-line utility for creating disk images, copying files, and similar operations on hard drives on Unix or Linux operating systems.
Tcpdump
A Linux command-line protocol analyzer.
memdump
A command-line utility used to dump system memory to the standard output stream, skipping over holes in memory maps.
Tcpdump
A command-line protocol analyzer. Administrators use it to capture packets.
OpenSSL
A cryptography library that offers an open source implementation of the TLS protocol. It was first released in 1998 and is available for Linux, Windows, and macOS platforms. OpenSSL allows users to perform various SSL-related tasks, including CSR (Certificate Signing Request) creation, private key generation, and SSL certificate installation.
ICMP flooding
A denial-of-service (DoS) attack. In this type of attack, instead of sending SYN packets, the attacker sends a flood of ICMP packets to a target system.
War Nibbling/Bluecasing
A hacker tries to find unsecured or unpatched Bluetooth connections, then steals information. War nibbling is similar to war driving, which is performed on the wireless (Wi-Fi) network.
VBA is most often used to create macros
A macro is a series of instructions that can be grouped together as a single command. Macros are used to automate a complex task or a repeated series of tasks. Macros are generally written using VBA, are stored within the user document (such as in an Excel .xlsx worksheet or Word .docx file), and can be launched automatically when the document is opened.
Rogue Access Points
A rogue access point is an access point that has not been authorized by the network administrator in an organization. For example, a user brings a wireless access point from home and installs it on the network by plugging in the Ethernet cable. This is the simplest example of a rogue access point.
bollard
A stone guard to prevent damage to a wall; also a freestanding stone post to divert vehicular traffic.
Tcpreplay
A tool for editing packets and then replaying the packets back onto the network to observe their behavior.
closed circuit television (CCTV)
Activity captured by video surveillance cameras that transmit a signal to a specific and limited set of receivers.
demilitarized zone (DMZ)
An area that separates threat actors from defenders.
MAC Flooding
An attack in which the memory of a switch is flooded with spoofed packets to force it to function like a network hub and broadcast frames to all ports. A MAC flooding attack is another attack based on spoofing, MAC cloning, and the MAC address table of a switch. A threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address, each appearing to come from a different endpoint. This can quickly consume all the memory (called the content addressable memory or CAM) for the MAC address table. Once the MAC address table is full and cannot store any additional MAC addresses, the switch enters a fail-open mode and broadcasts frames to all ports. A threat actor can then install software or a hardware device that captures and decodes packets on one client connected to the switch to view all traffic.
Layer 2 Attack: Address Resolution Protocol Poisoning
An attack that corrupts the ARP cache. Threat actors take advantage of a MAC address stored in a software ARP cache to change the data so that an IP address points to a different device.
DNS Hijacking
An attack that infects an external DNS server with IP addresses pointing to malicious sites.
Man-in-the-middle (MITM)
An attack that intercepts legitimate communication to eavesdrop on the conversation or impersonate one of the parties.
MAC Cloning Attack
An attack that spoofs a MAC address on a device so that the switch changes its MAC address table to reflect the new association of that MAC address with the port to which the attacker's device is connected.
DNS Poisoning
An attack that substitutes DNS addresses in a local lookup table so that the computer is automatically redirected to an attacker's device.
distributed denial of service (DDoS)
An attack that uses multiple zombie computers (even hundreds or thousands) in a botnet to flood a device with requests.
Industrial camouflage
An attempt to make the physical presence of a building as nondescript as possible so that to a casual viewer, the building does not look like it houses anything important.
Arp command
The arp command is used to display the Address Resolution table on a host. The Address Resolution table is used by a host to store information about other hosts on the network. This information can be used to determine if there are any unauthorized hosts connected to the network.
Robot Sentries
Automated devices that patrol and use CCTV with object detection in public areas.
Bash scripting
Bash scripting is using Bash to create a script (a script is essentially the same as a program, but it is interpreted and executed without the need for it to be first compiled into machine language).
Media Access Control Attacks
Besides ARP poisoning, other attacks manipulate MAC addresses through spoofing. The target for these attacks is a network switch. The two main types are:
-MAC Cloning
-MAC Flooding
Threats to Bluetooth Devices
Bluetooth is an open standard wireless technology that is used to exchange information and files between two devices. Bluetooth works only with short-range radio frequencies. When two devices connect with each other using a Bluetooth connection, they create a Wireless Personal Area Network (WPAN). Threats to Bluetooth devices include:
-Bluejacking
-Bluesniping
-Bluesnarfing
-War Nibbling/Blue Casing
Cuckoo
Cuckoo is a malware analysis tool. It provides the following details as the result of the analysis:
-Native functions and Windows API call stack
-Copies of files created on and removed from the file system
-Memory dump of processes
-Full memory dump of the target machine
-Screenshots of the desktop during the overall execution of the malware analysis
-Network dump created by the machine used for the analysis
Tomaso is explaining to a colleague the different types of DNS attacks. Which DNS attack would only impact a single user?
DNS poisoning attack
DNS-Based Attack
DNS-based attack substitutes a DNS address so that the computer is silently redirected to a different device.
T/F: A session ID is a unique number that a web browser assigns for the duration of that user's visit.
False
File Manipulation: grep
Grep is a Linux command line tool used to search for a string of characters in a specified file.
Techniques to steal active Session IDs
-Hijacking and altering communication between two users
-Endpoint attacks (cross-site scripting, Trojans, malicious JavaScript code)
Calix was asked to protect a system from a potential attack on DNS. What are the locations he would need to protect?
Host table and external DNS server
Hping
Hping is similar to ping but uses TCP/IP packets to check connectivity on Linux devices. It is commonly used for testing networks, firewalls, and security auditing.
Evil Twin
In a normal scenario, a user would connect to a Wireless Access Point (WAP). The attacker first finds the target WAP and sets up another WAP with the same SSID. The attacker tends to choose a busy WAP because when the users are not able to connect to the WAP, they may choose the evil twin with the same SSID. The attackers use the same SSID as a legitimate WAP and start broadcasting it. In the evil twin attack, the attacker uses a fraudulent WAP and prompts the victim to enter sensitive information such as a password. The attacker can use Wi-Fi Pineapple to automate the setup of an Evil Twin. If the users do not automatically connect to the Evil Twin, then the attackers can launch a de-authentication or a disassociation attack, which will disconnect the users from the existing WAP. The users may then connect to the Evil Twin.
Initialization Vector (IV)
In an Initialization Vector (IV) attack, by learning the plaintext of one packet, the attacker tries to compute the RC4 keystream generated by the IV. Other packets sent by the same IV can be decrypted using this keystream. Using this method, the attacker can build a decryption table, using every possible set, to decrypt all the packets sent over a wireless connection.
Domain hijacking
In this attack, the attacker gains access to the domain registration to get hold of the primary DNS information. Then the attacker simply changes the domain information to point to a domain server controlled by the attacker.
man-in-the-browser (MITB)
Intercepts communication between parties to steal or manipulate the data. Attack occurs between a browser and the underlying computer. Seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer.
Layer 2 Compromise
Layer 2 of the OSI model is particularly weak in this regard and is a frequent target of threat actors. Layer 2, the Data Link Layer, is responsible for dividing the data into packets along with error detection and correction, and performs physical addressing, data framing, and error detection and handling. A compromise at Layer 2 can affect the entire communication.
Tools used in DDoS attack
-Low Orbit Ion Cannon (LOIC)
-HOIC
-XOIC
-HTTP Unbearable Load King (HULK)
-UDP Flooder
-R-U-Dead-Yet (RUDY)
-Nemesy
-Tor's Hammer
-Pyloris
-OWASP Switchblade
-DAVOSET
Deacon has observed that the switch is broadcasting all packets to all devices. He suspects it is the result of an attack that has overflowed the switch MAC address table. Which type of attack is this?
MAC flooding attack
domain name resolution
Mapping computer and device names to IP addresses.
DNS poisoning on the local device involves:
Modifying the local host table. TCP/IP still uses host tables stored on the local device. When a user enters a symbolic name, TCP/IP first checks the local host table to find an entry; if no entry exists, it uses the external DNS system. Attackers can target a local HOSTS file to create new entries that redirect users to a fraudulent site.
Several advantages threat actors gain with MITB
Most MITB attacks are distributed through Trojan browser extensions, which provide a valid function to the user but also install the MITB malware, making it difficult to recognize that malicious code has been installed. Because MITB malware selects websites to target, an infected MITB browser might remain dormant for months until triggered by the user visiting a targeted site. MITB software resides exclusively within the web browser, making it difficult for standard antimalware software to detect it.
Near Field Communication (NFC)
Near Field Communication (NFC) involves two wireless devices communicating by touching them or bringing them into close proximity. Several RFID attacks also apply to NFC. These attacks are:
-Eavesdropping
-Data modification
-MITM
Netcat
Netcat is a network troubleshooting tool used to identify networks and scan for open ports. It works on UDP or TCP and can be used to initiate a connection to ports.
Netstat
Netstat command is used to look at the current communication on a host. It also helps in identifying open ports and established connections. It is most often used for troubleshooting to determine if a host is listening on specific ports.
VBA can even control one application from another application using
Object Linking and Embedding (OLE) automation.
barricade
Objects generally designed to block the passage of traffic.
Address Resolution Protocol (ARP)
Part of the TCP/IP protocol for determining the MAC address based on the IP address. If the IP address for an endpoint is known, but the MAC address is not, the sending endpoint delivers an ARP packet to all devices on the network that in effect says, "If this is your IP address, send me your MAC address." The endpoint with that IP address sends back a packet with the MAC address so the packet can be correctly addressed. The IP address and the corresponding MAC address are stored in an ARP cache for future reference. In addition, all other endpoints that hear the ARP reply also cache that data.
The Harvester
Penetration testers use this tool for footprinting of the network infrastructure. It can gather information on emails, subdomains, hosts, employee names and open ports.
Man-in-the-middle. Two phases:
-Phase 1 - Intercept traffic
-Phase 2 - Decrypt transmissions
Ping/pathping
The ping command can be used across platforms and uses ICMP (Internet Control Message Protocol) to communicate with hosts. It is used to check if remote hosts are reachable on the network. The pathping command can be used on Windows devices to obtain more detailed information on network statistics, for example, the delay it takes to communicate with specific routers on the network.
Radio Frequency Identifier (RFID)
RFID is being used across different industries. One of the most common uses is as tags to identify a piece of hardware or even an item in the supply chain. A chip is placed on each device or item, and readers can communicate with the chips. Each chip is assigned a unique identifier. The inventory management system tracks both the chips and readers. Just like any other technology, RFID is also prone to various types of attacks, which are:
-Eavesdropping - an unauthorized reader listens to the communication between the RFID card and the reader.
-Replay - the communication between the legitimate reader and the card is recorded and played back at a later time. The information can be replayed to the legitimate reader to gain access to the information.
-Sniffing - an attacker sniffs the communication between the card and the reader.
-Man-in-the-middle (MITM) - the attacker intercepts the original communication between the reader and the card and then replaces the communication with its own.
-Cloning - a method of duplicating the card information to another card.
-Spoofing - occurs after the cloning part is complete. With the cloned card, the attacker can access information.
Scanless
Scanless is an automated port scan scraper. It is a command-line utility for vulnerability exploitation that also performs an open port scan.
Bluejacking
Sends an unsolicited message to another device that has its Bluetooth connection open.
Tcpreplay
Tcpreplay is used to modify and replay network traffic that has already been captured by tools like tcpdump and Wireshark. It allows intercepting traffic as client or server, rewriting Layer 2, 3, and 4 packets, and replaying the traffic back onto the network. Tcpreplay supports both single and dual NIC modes for validating both sniffing and in-line devices. Tcpreplay is used by firewall, IDS, IPS, NetFlow and other networking vendors, enterprises, universities, labs, and open source projects. Tcpreplay is intended to work with network hardware and usually does not penetrate deeper than Layer 2 of the OSI model.
File Manipulation: cat
The 'cat' command has various uses ranging from displaying the content of a file to adding lines to a file.
What is the result of an ARP poisoning attack?
The ARP cache is compromised.
BASH
The command language interpreter for the Linux/UNIX OS.
Curl command
The curl command is used for transferring data over networks using specific protocols, for example, HTTP, HTTPS or FTP. This command can be used without user intervention and is ideal when used in shell scripting. It is specifically used on Linux devices.
File Manipulation: head
The head command will display the first ten lines of a file if no additional parameters are specified. To display a specific number of lines in a file, the -n parameter can be used to display the specified number of lines from the beginning of the file.
Jamming
The jamming attack is a Denial of Service (DoS) attack against the wireless medium. The attacker can use various devices or equipment to do this. For example, the attacker can generate interference signals to block any type of communication being sent on the channel that was being used. The idea is to prevent users from using a legitimate WAP. Jamming could be used as a precursor to the evil twin attack. When the attacker jams the signals, the users tend to connect to the WAP with the same name, which leads to the evil twin attack. Two types of jammers can achieve jamming. An active jammer always keeps the channel busy and blocks the communication. A reactive jammer keeps quiet until a session is established using the channel.
File Manipulation: logger
The logger command allows adding messages to the /var/log/syslog file from the command line or other files.
OSI (Open Systems Interconnection) model
The model separates networking steps into a series of seven layers. Within each layer, different networking tasks are performed that cooperate with the tasks in the layers immediately above and below it. Each layer in the sending device corresponds to the same layer in the receiving device.
File Manipulation: tail
The tail command lets you display the last ten lines of any file. Similar to the head command, the tail command also accepts the -n option to display the specified number of lines.
dnsenum
This tool is used for DNS enumeration to discover IP blocks. DNS Enumeration is the process of collecting DNS information of a specific company, which can then be used to evaluate the company's security posture.
MITB is usually brought about by:
-A Trojan infecting the computer
-Installing an extension into the browser configuration (opening the browser activates the extension)
-The user enters the URL of a site; the extension checks whether the site is targeted for attack
-The user signs into the site; the extension waits for a specific webpage to be displayed and captures vital information (account number, password, etc.) when the user submits the entry
T/F: ARP poisoning is successful because no authentication procedures verify ARP requests and replies.
True
T/F: In a MAC cloning attack, a threat actor will discover a valid MAC address of a device connected to a switch, spoof that MAC address on his device, and send a packet onto the network.
True
T/F: Session IDs are usually at least 128 bits in length and hashed using a secure hash function such as SHA-256.
True
T/F: The advantage of a DNS poisoning attack is that all domains one victim uses can be controlled by a threat actor. In contrast, the advantage of a DNS hijacking attack is that although fewer domains are controlled, all users accessing the DNS server are redirected.
True
SYN flooding
A type of denial-of-service (DoS) attack in which an attacker sends a flood of SYN packets to a target. When there is a flood of a large number of SYN packets, the target cannot respond to them. In responding to these SYN packets, the target system starts consuming all its resources and eventually exhausts them. As a consequence of running out of system resources, the target becomes non-responsive or hangs.
Session replay attack
A type of replay attack that involves intercepting and using a session ID to impersonate a user.
Two consequences of DNS attacks:
URL Redirection (An attack in which a user is redirected to another site). Domain Reputation (An attack in which the status of a site is manipulated to earn a low domain reputation score).
Bluesniping
Uses a directional antenna to establish connections with Bluetooth-enabled devices. Bluetooth has a distance limitation, which may prevent a hacker from establishing a connection. In this situation, the hacker can use a directional antenna to establish connections for up to a mile (1.6 kilometers).
Bluesnarfing
Uses the Bluejacking method to connect to the device, then gains access to the address book, contact information, email, and text messages. Bluesnarfing uses Bluetooth to steal information from a wireless device. A Bluesnarfing attack can occur using unintended Bluetooth pairing.
two-person integrity/control
Using two security guards to prevent a single guard from acting maliciously.
Replay Attack
A variation of the MITM attack. The attacker makes a copy of the legitimate transmission before sending it to the recipient. The copy is used later when the MITM "replays" the transmission.
WinHex
WinHex is a commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics.
In scenarios where proof might be used in civil or criminal litigation, it is vital for an organization to form a chain of custody,
also known as a chain of evidence.
File Manipulation: chmod
chmod is the command used on Linux operating systems to change permissions of files.
Administrative tasks in PowerShell are performed by:
cmdlets ("command-lets")
Packet analysis typically examines:
entire contents of the packet, which consists of the header information and the payload.
Visual Basic for Applications (VBA)
event-driven Microsoft programming language. VBA allows developers and users to automate processes that normally would take multiple steps or levels of steps. It can be used to control many tasks of the host application, including manipulating user interface features such as toolbars, menus, forms, and dialog boxes.
Three of the most common interception attacks are:
man-in-the-middle, session replay, and man-in-the-browser attacks.
Basic concepts of forensics include
order of volatility, chain of custody, legal hold and data acquisition.
Legal hold is a method that
an organization might use to store all relevant information when litigation is expected. The legal hold process is typically initiated by a communication from legal counsel to an organization to suspend the normal disposal of records, such as the recycling of tape backups or the archiving or deletion of data.
sn1per
sn1per is an automated scanner used during a penetration test to enumerate and scan for network vulnerabilities. You can automate the process of collecting data for exploration using sn1per.
cmdlets:
specialized commands for completing common tasks in PowerShell
Session ID
unique number that a web server assigns a specific user for the duration of the user's visit (session)