Summary

This note explains cyber security concepts, including the application of technologies, processes and controls to protect systems and networks. It also discusses cyber security practices, ethical hacking and incident response. The note includes links to helpful websites related to penetration testing methodologies, testing guides and security testing.

Full Transcript


(1) WHAT IS CYBER SECURITY

a. Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and the unauthorised exploitation of systems, networks and technologies.
b. Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks.

CYBER SECURITY / ETHICAL HACKING

Introducing information security and cyber security: the CIA triad stands for Confidentiality, Integrity and Availability. A major problem for this, and a common attack, is the DDoS attack.

In cyber security, incident response is very important. This is the field of DFIR, which stands for Digital Forensics and Incident Response. A Security Operations Center (SOC) is where different analysts look at different systems for incident response.

------------------------------- DIAGRAM -------------------------------

UNDERSTANDING THE CYBER KILL CHAIN

The cyber kill chain is a framework that was part of the intelligence-driven defence model provided by a company called Lockheed Martin (lockheedmartin.com). Another framework that is out there is MITRE ATT&CK (attack.mitre.org); you will hear the industry use the term TTP, which stands for Tactics, Techniques and Procedures. If we visit this website, check out Discovery and click Account Discovery, it has different sub-techniques; I can click on Local Account and will see how attackers have done this type of attack previously.
HELPFUL WEBSITE LINKS THAT YOU MIGHT WANT TO LOOK AT:

PEN TESTING METHODOLOGIES: http://www.pentest-standard.org
OWASP TESTING GUIDE (Open Web Application Security Project): http://www.owasp.org/index.php/OWASP_Testing_project
NIST 800-115: TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT: http://nvlpubs.nist.gov/nistpubs/legacy/SP/nistspecialpublicationsw-115.pdf
OPEN SOURCE SECURITY TESTING METHODOLOGY: http://www.isecom.org/research

PENTEST PHASES

Intelligence gathering: This is where you do your reconnaissance, passive or active, using publicly available data, i.e. open source intelligence.
Threat model: Here you create your attack map, probably a network diagram, based on the information you gathered previously.
Vulnerability analysis: Hopefully you find vulnerabilities; there are different tools and different methodologies.
Exploitation: This is where you try to exploit those vulnerabilities.
Post exploitation: This is where you might be able to bypass security controls, such as security monitoring, and cover your tracks.
Report: At the end of the pentest you have to provide a report that presents the findings, the vulnerabilities, and also how they can be avoided in the future.

(2) UNDERSTANDING INFORMATION SECURITY CONTROLS, LAWS AND STANDARDS

Different states and different governments have many different security regulations, rules and laws. That is where the scope comes into play: the agreed scope is the "get out of jail free card" that keeps you out of trouble. Below are links where you can find some of the rules, laws and regulations:
1. https://ncsl.org
2. https://gdpr-info.eu

FOOTPRINTING

Footprinting is the first step of an attack; it is also known as reconnaissance, or open source intelligence (OSINT).
Useful website: https://attack.mitre.org
What you will see on this website are all the tactics that are used in an attack; if you click on Reconnaissance, it covers in more detail each of the techniques that were used.
Active reconnaissance: This is done when you are interacting with the victim's system.
Passive reconnaissance: This is when you rely on open source intelligence such as public records, DNS, public financial records, etc.
Example of a website that can be used: http://secretcorp.org

PERFORMING FOOTPRINTING THROUGH WEB SERVICES AND WEBSITES

Using this website (http://secretcorp.org): you can verify the security of the website by clicking on the padlock symbol at the left of the URL, and you can also check whether the website uses a robots.txt by typing: secretcorp.org/robots.txt

PERFORMING RECONNAISSANCE THROUGH SOCIAL NETWORKING WEBSITES

We can use a Twitter account by typing twitter.com/santosomar

UNDERSTANDING WEBSITE FOOTPRINTING

Shodan (shodan.io) is a simple website run by an organization that is scanning the internet 24 x 7 as we speak. They do this from many locations all over the world and put the results in a database. You can type a search term such as "telnet"; after that you can click on Explore, where many things that have been automatically discovered are reported as exposed. If you check Developer, it shows you how to implement your own tools, and there are a lot of pre-packaged tools. I can also search for Cisco Smart Install.

UNDERSTANDING EMAIL FOOTPRINTING

Tool: Maltego Community Edition. It is used for penetration testing and open source intelligence. You can also use it to search a domain and you will get the email addresses associated with that domain.

UNDERSTANDING WHOIS FOOTPRINTING

An attacker can use this to find information about an organization. In a Linux terminal type: whois h4cker.org, where https://h4cker.org is the organization's website.

UNDERSTANDING DNS FOOTPRINTING

One of the ways a DNS attack is done is the zone transfer attack. A DNS zone transfer is how one DNS server updates another DNS server by transferring the contents of its zone database; a server that allows transfers to anyone hands the whole zone to an attacker. One of the name resolution tools we can use is nslookup.
I will just type the following commands:
nslookup h4cker.org
host h4cker.org
Zone transfer example: dig axfr @nsztm1.digi.ninja zonetransfer.me
This simulates a zone transfer between the two names listed above (the name server nsztm1.digi.ninja and the zone zonetransfer.me).

UNDERSTANDING NETWORK FOOTPRINTING

> host h4cker.org
Then let's do a whois on the first IP address in the result, e.g.: whois 185.199.111.153
> nmap -sn 10.6.6.0/24 (see available devices)

SOME NMAP COMMANDS TO ISSUE:
nmap -sS -sU -T5 -A -v 192.168.1.12
-sS: SYN scan
-sU: UDP scan
-T5: the most aggressive timing template
-A: aggressive scan (OS detection, version detection, script scanning and traceroute)
-v: verbose output

We can ping wikileak.org and get its IP address, e.g.: ping www.wikileak.org
If I want to list all the IP addresses in that network (a list scan resolves names without probing the hosts), for example if the IP address is 192.168.34.14, I will then use: nmap -sL 192.168.34.0/24 -vv
SCANNING FOR A TARGET MACHINE: nmap -sP -n 192.168.1.33
SCANNING PORTS ON ALL DEVICES: nmap -sT -O -T5 192.168.1.0/24 -p 80,443
We can also verify an IP address using Wireshark by entering a filter, e.g. ip.src == 192.168.1.17; this lets us see which machines that IP address is communicating with. We can also filter a conversation by right-clicking a packet, selecting Conversation Filter and then TCP; there we can see the complete conversation.
SCANNING A UDP PORT: nmap -sU 192.168.4.22 -p 53
SCANNING ALL AVAILABLE PORTS: nmap -sT 192.168.2.0/24 -p-

FOOTPRINTING COUNTERMEASURE TOOLS (websploit.org)
Install Linux and run this command: curl -sSL https://websploit.org/install.sh | sudo bash
and it will install everything for you.

WHAT IS PHISHING

Phishing is a scam where internet fraudsters attempt to steal personal or financial account information by sending deceptive electronic messages that trick unsuspecting customers into disclosing personal information. Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. Messages like these:
1. Say they've noticed some suspicious activity or login attempts.
2. Claim there's a problem with your account or your payment information.
3. Say you must confirm some personal information; they may also include a fake invoice.
Examples: www.yahoo.com, www.facebook.com, www.winHplaptop.com/facebook.com/bonaza
Example of an HTML form: HTML CODE BLOCK

SCANNING NETWORKS

Network scanning is the use of a computer system to systematically probe a target network to gather information about its systems.
-------------------------------------------------- DIAGRAM --------------------------------------------------

SCANNING METHODOLOGY
Methods used when scanning a network:
1. Check for live systems
2. Check for listening ports
3. Grab banners
4. Vulnerability scanning
5. Network diagramming
6. Avoid OS detection

VULNERABILITY SCANNING TOOLS
General purpose scanning:
1. Metasploit
2. Nmap / hping
Vulnerability scanning:
- Metasploit
- Tenable Nessus (commercial)
- QualysGuard (commercial)
- OWASP listing
Metasploit is a framework for penetration testing.
NMAP: This is a network mapper application; it is used for network scanning and security auditing (nmap.org).
HPING: This is a TCP/IP packet assembler/analyzer; it extends ping to add TCP, UDP, ICMP and raw IP, for:
- Firewall testing
- Network testing using different protocols and fragmentation
- Advanced traceroute under all the supported protocols
- Remote uptime guessing
- Advanced port scanning
- Manual path MTU discovery
- Remote OS fingerprinting
- TCP/IP stack auditing
(https://hping.org)

TCP CONNECT SCAN
A TCP connect scan, or full open scan, attempts to complete a three-way handshake with the target.
- When the destination computer sends back SYN/ACK: open port.
- When the destination computer sends back RST: closed port.

XMAS SCAN
A Christmas tree packet takes advantage of how TCP operates on certain OSes by setting the FIN, PSH and URG flags to 1; the receiving host will either silently drop the segment or reset the connection, and from that we can derive the service state.
- When the destination computer sends back no response: open port (or filtered by a firewall).
- When the destination computer sends back RST: closed port.

FIN SCAN
The FIN scan sends a TCP segment with the FIN flag set. A closed (non-listening) port will reset the connection; a listening service silently discards the segment.

NULL SCAN
The NULL scan sends a TCP segment with no flags set.

LINKS TO SCANNING TOOLS
1. NetScanTools Pro (http://netscantools.com)
2. Nmap (https://nmap.org)
3. PRTG Network Monitor (https://paessler.com)
4. SoftPerfect Network Scanner (https://softperfect.com)
5. Advanced Port Scanner (https://advance-port-scanner.com)

NETWORK SCANNING COUNTERMEASURES
1. Use stateful firewalls
2. Update IDS/IPS signatures to detect network scanning
3. Proactively scan your assets from inside and outside
4. Filter ICMP (at least to/from the internet)
5. Employ HIPS with behaviour monitoring to detect and block scanning sources
RISK: Unprotected services can lead to successful footprinting and eventual data loss.

-----------------------------------------------------
----------------- ENUMERATION ----------------------
-----------------------------------------------------

Enumeration is defined as the process of establishing an active connection to the target host to discover potential attack vectors in the system; the same information can be used for further exploitation of the system using active queries. This can include:
1. Users/groups
2. Machine names
3. SNMP info
4. DNS names
5. Network shares
6. Routing tables
7. Services
8. Banners

ENUMERATION TECHNIQUES
1. Default passwords
2. User group extraction
3. Usernames from email
4. Active Directory
5. SNMP walking
6. DNS zone transfer

Tools that can be used:
- nbtstat (included in Windows)
- Hyena (https://systemtools.com)
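As an added worked example, not code from the course notes: a small Python classifier that applies the connect/XMAS/FIN/NULL rules above from the defender's side, naming the probe type from the flags set on each segment and inferring the port state from the reply, then flagging any source that touches several ports. The packet records are constructed, and the function names and the min_ports threshold are my own choices; for the inverse scans the silent case is reported as open|filtered, since a firewall dropping the probe looks exactly like an open port.

```python
# Added example (not from the course notes): classify TCP probes by flag
# combination and infer the port state from the reply, following the
# connect/XMAS/FIN/NULL rules in the notes. All packet records are constructed.
from collections import Counter

# Each record: (src, dst, dport, flags_set, reply) where reply is one of
# "SYN/ACK", "RST", or None (no reply). Constructed sample data.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22,  {"SYN"},               "SYN/ACK"),
    ("10.0.0.5", "10.0.0.9", 23,  {"SYN"},               "RST"),
    ("10.0.0.5", "10.0.0.9", 80,  {"FIN", "PSH", "URG"}, None),
    ("10.0.0.5", "10.0.0.9", 81,  {"FIN", "PSH", "URG"}, "RST"),
    ("10.0.0.5", "10.0.0.9", 443, {"FIN"},               None),
    ("10.0.0.5", "10.0.0.9", 444, set(),                 "RST"),
    ("10.0.0.7", "10.0.0.9", 25,  {"SYN"},               "SYN/ACK"),  # a single normal connection
]


def classify_probe(flags):
    """Name the scan type from the TCP flags set on the probe segment."""
    if flags == {"SYN"}:
        return "SYN/connect"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"FIN"}:
        return "FIN"
    if not flags:
        return "NULL"
    return "other"


def infer_state(scan_type, reply):
    """Apply the open/closed rules from the notes to the observed reply."""
    if scan_type == "SYN/connect":
        # handshake scans: SYN/ACK means open, anything else (RST, silence) closed/filtered
        return "open" if reply == "SYN/ACK" else "closed"
    if scan_type in ("XMAS", "FIN", "NULL"):
        # inverse scans: RST means closed; silence is open OR a firewall drop
        return "closed" if reply == "RST" else "open|filtered"
    return "unknown"


def summarize(packets, min_ports=3):
    """Group probes by source; a source touching >= min_ports distinct ports is a scanner.

    Returns {src: {"types": Counter of scan types, "ports": {dport: state}}}.
    """
    per_src = {}
    for src, _dst, dport, flags, reply in packets:
        entry = per_src.setdefault(src, {"types": Counter(), "ports": {}})
        scan_type = classify_probe(flags)
        entry["types"][scan_type] += 1
        entry["ports"][dport] = infer_state(scan_type, reply)
    return {src: e for src, e in per_src.items() if len(e["ports"]) >= min_ports}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_PACKETS).items():
        print(src, dict(info["types"]), info["ports"])
```

The same logic is what an IDS signature for "XMAS scan" encodes: the flag combination identifies the probe, and counting distinct destination ports per source separates a scan from ordinary connections.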
- nbtscan (https://unixwiz.net/tools)

LINUX OPERATING SYSTEM COMMANDS
sudo nbtscan -r 10.1.0.0/25
This pulls the IP addresses out of the network; from the results an IP can be taken and used with the command: enum4linux <ip address>
You can also try to connect to the same IP address to see if something can be scraped off it using an nmap script, e.g.: sudo nmap -sU --script nbstat.nse -p 137 <ip address>

SNMP ENUMERATION
Simple Network Management Protocol (SNMP) is used to manage and monitor the devices on the network.
Manager: handles polling and trap reception.
Agent: installed on all devices in the network.
Commonly used for network device management.
There are SNMP enumeration tools that you should be familiar with:
1. snmpwalk (most Linux distributions)
2. Getif (https://www.wtcs.org)
3. Net-SNMP (https://net-snmp.sourceforge.net)
4. Spiceworks Network Monitor (https://spiceworks.com)
5. SNMP Scanner (https://secure-bytes.com)

LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP) ENUMERATION
1. Distributed directory services over IP
2. Open protocol
3. LDAP: TCP/389
4. LDAPS: TCP/636
5. Unique ID: Distinguished Name

ENUMERATION TOOLS AND LINKS:
1. LDAP Admin Tool (https://idapsoft.com)
2. LDAP Admin (https://idapadmin.org)
3. AD Domain Services management pack (www.microsoft.com)
4. AD Explorer (docs.microsoft.com/en-us/sysinternals)

ENUMERATION COUNTERMEASURES
EMAIL:
1. Silently ignore unknown recipients
2. Disable relay for other domains
LDAP:
1. Authenticate queries to only domain users
2. Use LDAPS
3. Disable file/printer sharing
4. Separate email addresses and login names
5. Use SSL/TLS to encrypt LDAP
6. Encrypt drives that store LDAP databases
DNS:
1. Disable zone transfers
2. Use split DNS; don't share internal IP addresses
3. Don't use personal names when registering domains
SNMP:
1. Remove the SNMP agent if not in use
2. Use SNMPv3 with authentication
3. Change community names
4. Disable open relay
5. Drop unknown recipients
6. Never include email server info in your emails or posts

----------------------------------------------------
------------------- SNIFFING -----------------------
----------------------------------------------------

Sniffing is the capture and analysis of computer network traffic via a wiretap, which can be legitimate or illegitimate in its use, using information discovery tools or inline and packet-copy methods. It includes the discovery of:
- Usernames
- Passwords
- Relays
- DNS information
- Log information
- Websites
- Chat
- FTP/Telnet

Wiretapping is the action of secretly listening to other people's conversations by connecting a listening device to their phone.
- Listening device: hardware/software
- Active or passive

SNIFFING: LAWFUL INTERCEPT
- Communications data capture
- Law enforcement agency (LEA) initiated
- Legitimate evidence gathering and analysis
- Network signalling and communications content
- Vendor-offered LI: Cisco Service Independent Intercept, Juniper Flow-Tap

Some protocols that send the username and password in plain text:
1. Telnet
2. POP
3. IMAP
4. SMTP
5. NNTP
6. FTP
7. HTTP
Encryption is important for these protocols.

CONDUCTING DHCP ATTACKS
Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses to hosts in a subnet.

DHCP STARVATION
This is (a) a DHCP denial of service, where the attacker (b) spoofs the source and requests many addresses, so that (c) new hosts cannot get an IP address.
Some of the tools that can be used are:
1. Yersinia (https://yersinia.net)
2. dhcpstarv (https://dhcpstarv.sourceforge.net)
COUNTERMEASURES
Layer 2 protection features depend on the vendor. On Cisco, enable the port-security maximum MAC feature and also enable DHCP snooping.

ARP OPERATION
Address Resolution Protocol (ARP) is used to map Layer 3 IP addresses to Layer 2 MAC addresses, and an intruder can poison the ARP cache.

ARP POISONING
1. Hosts will accept an unsolicited ARP reply
2. Poisoned ARP cache
3. By spoofing the ARP reply to both the victim and the router, we become the machine in the middle for the traffic between the two.
The risk of ARP cache poisoning, since the attacker is logically in the middle of the traffic, is that traffic can be:
1. Modified
2. Sniffed
3. Captured (VoIP data)
4. Hijacked (sessions)
5. Reset (connections)
This is referred to as a machine-in-the-middle attack. https://ettercap.github.io/ettercap

COUNTERMEASURES
1. Use subnet-based monitoring of MAC address changes
2. Email alerting systems, e.g. https://xarp.net
ARP protection features depend on the vendor.

SPOOFING ATTACKS
Spoofing is impersonating another user by sourcing traffic from their MAC address, using software like Technitium MAC Address Changer, a freeware utility to spoof a MAC address instantly.
COUNTERMEASURES
ARP attack protection depends on the vendor. Cisco offers:
1. Dynamic ARP Inspection (DAI)
2. DHCP snooping
3. IP Source Guard

DNS POISONING
The DNS spoofing areas of focus are:
1. Machine in the middle (MitM)
2. DNS cache poisoning
3. Proxy MitM
Ettercap is one tool that can be used for this attack.
DNS cache poisoning refers to tainting the resolver cache on recursive resolvers. Example:
HOST A: Hey DNS, what's the IP of bank.com?
DNS: I don't know, let me find out for you.
ATTACKER: Hi DNS, thanks for asking, here's the response (bad website IP).
Similar to the MitM attack, the attacker spoofs the response from the upstream DNS, poisoning the local cache.
If a previous exploit via a trojan was successful, an attacker can set the proxy server address on the victim to intercept web traffic.

SNIFFING TOOLS
1. Wireshark
2. tcpdump
3. Observer Analyzer
4. LiveAction Omnipeek Network Analyzer
5. Capsa Network Analyzer

..................... PRACTICALS ON ETTERCAP ............................
First we will start by installing the Ettercap software; it is better to install WinPcap before installing the software.
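As an added example, not code from the course notes or from any of the tools named above: the "subnet-based monitoring of MAC address changes" countermeasure written as Python. It watches ARP replies (opcode 2), records which MAC last claimed each IP, raises an event whenever that binding changes, and singles out a MAC that has taken over two or more addresses, which is what a poisoned gateway and victim pair looks like. The ARP replies are a constructed sample, not a real capture, and the function names are mine.

```python
# Added example (not from the course notes): detect ARP cache poisoning by
# watching for an IP address that is claimed by more than one MAC address.
# The ARP replies below are constructed; they are not a real capture.
from collections import defaultdict

# (timestamp_seconds, sender_ip, sender_mac) taken from ARP replies (opcode 2)
ARP_REPLIES = [
    (0.0,  "192.168.1.1",  "00:11:22:33:44:01"),   # the real gateway
    (1.0,  "192.168.1.50", "00:11:22:33:44:50"),   # a workstation
    (5.0,  "192.168.1.1",  "00:11:22:33:44:01"),
    (9.0,  "192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway IP suddenly claimed by another MAC
    (9.1,  "192.168.1.50", "de:ad:be:ef:00:01"),   # the same MAC also claims the workstation's IP
    (30.0, "192.168.1.77", "00:11:22:33:44:77"),   # unrelated host, no conflict
]


def find_arp_conflicts(replies):
    """Return {ip: [(time, old_mac, new_mac), ...]} for every IP whose MAC changed."""
    last_mac = {}
    changes = defaultdict(list)
    for ts, ip, mac in sorted(replies):          # process in time order
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            changes[ip].append((ts, prev, mac))
        last_mac[ip] = mac
    return dict(changes)


def suspect_macs(replies):
    """A MAC that takes over two or more IPs bound elsewhere is the likely spoofer."""
    taken_over = defaultdict(set)
    for ip, events in find_arp_conflicts(replies).items():
        for _ts, _old, new in events:
            taken_over[new].add(ip)
    return {mac: sorted(ips) for mac, ips in taken_over.items() if len(ips) >= 2}


def alert_lines(replies):
    """One alert line per binding change, the text an email alerting system would send."""
    lines = []
    for ip, events in sorted(find_arp_conflicts(replies).items()):
        for ts, old, new in events:
            lines.append(f"t={ts:.1f}s ARP change for {ip}: {old} -> {new}")
    return lines


if __name__ == "__main__":
    for line in alert_lines(ARP_REPLIES):
        print(line)
    print("suspect MACs:", suspect_macs(ARP_REPLIES))
```

A legitimate NIC replacement also produces one change event, so the two-address rule in suspect_macs is what separates a spoofer from maintenance; in a real deployment the events would be fed from a capture tool on each subnet, since ARP does not cross routers.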
When installing Ettercap make sure you select all the plugins by checking the box or radio button shown during installation, then click Next. Select the installation directory, click Next and click Install.

USING ETTERCAP
To get the hosts on the network:
1. Select Sniff >> Unified sniffing
2. Select the network interface card
3. Click OK
Again go to:
1. Hosts >> Hosts list. There will be no hosts because we didn't search for anything yet.
2. Now go to Hosts >> Scan for hosts. This scans for any host present in the network.
3. Then go back to Hosts >> Hosts list; you will see all the available hosts displayed.
We can then save this by going to Hosts >> Save to file and giving the output file a name, maybe hostlist1. If you close the scan list, you can load it again by going to Hosts >> Load from file, selecting the name of the file and clicking OK.

HOW TO DO ARP POISONING
1. Select one of the IP addresses that you got from your scan.
2. Click Add to Target 1.
3. Click MitM >> ARP poisoning; a dialog box appears.
4. Check Sniff remote connections and click OK.
5. Then go to Start >> Start sniffing.
Now if you look at the list you might be able to see username and password information and also website addresses.

HOW TO LOG MESSAGES WHEN THE SNIFFING IS TAKING LONG
1. Click Logging >> Log all packets and infos
2. Select one of the IPs and click Add to Target 1
3. Go to Logging >> Log all packets and infos; a dialog box appears, give it a name, maybe log1, and click OK
4. Go to Start >> Start sniffing
5. MitM >> ARP poisoning, check the box Sniff remote connections and click OK
After some time you will see the log files coming out.

USING ETTERCAP TO LOOK FOR USERNAMES AND PASSWORDS, SESSION IDS AND COOKIES
1. Select Sniff >> Unified sniffing
2. Select the network interface card and click OK
3. Go to Hosts >> Scan for hosts
4. Go to Hosts >> Hosts list and add two IP addresses to Target 1 and Target 2
5. Go to Targets >> Current targets. We can also launch Wireshark to capture the traffic between these machines: start the capture process and move on to Ettercap.
6. MitM >> ARP poisoning
7. Check Sniff remote connections and click OK. If you are doing this it means you are poisoning the ARP cache of all the machines.
Then you can log in to any server from one of the poisoned machines, and because a machine-in-the-middle attack is going on during that period, if you go to Ettercap you will probably see the username and password from that machine.

WATERING HOLE ATTACKS
If the attacker locates a website that can be compromised, the website is injected with JavaScript or a similar code injection designed to redirect the user when the user returns to that site; the user is then redirected to a site with some sort of exploit code.

UNDERSTANDING THE INSIDER THREAT
An insider is anyone who has access to or inside knowledge of your organisation. It can be a trusted employee, a contractor, a business partner, etc.

THE UNINTENDED INSIDER
The unintentional insider threat is a current or former employee, contractor or business partner who has or had authorized access to your systems or data and who, even though their acts were not of malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity or availability of your systems.
For more information visit: https://www.cisa.gov/insider-threat-mitigation

IMPERSONATION ON SOCIAL NETWORKING SITES
Tools: Social-Engineer Toolkit (trustedsec.com)

UNDERSTANDING IDENTITY THEFT
Identity (ID) theft happens when someone steals your personal information to commit fraud. The identity thief may use your information to apply for credit, file taxes or get medical services; these acts can damage your credit status and cost you time and money to restore your good name.
-----------------------------------------------------
SOCIAL ENGINEERING
-----------------------------------------------------

SOCIAL ENGINEERING DEFINITION
Social engineering is a manipulation technique that exploits human error to gain private information, access or valuables. In cybercrime, these "human hacking" scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in person and via other interactions.
Scams based on social engineering are built around how people think and act. As such, social engineering attacks are especially useful for manipulating a user's behaviour. Once an attacker understands what motivates a user's actions, they can deceive and manipulate the user effectively.

-----------------------------------------------------
SOCIAL ENGINEERING COUNTERMEASURES
-----------------------------------------------------
User education: Train users to demand proof of identity over the phone and in person.
Define a value for each type of information, like usernames, passwords, network addresses, etc. The greater the value, the higher the security that should be maintained around those items.
If someone requests privileged information, have the employee find out why they want it and whether they are authorized to obtain it.
Take advantage of email security features in email servers and services: sometimes email servers or cloud services can add a tag to the subject or body of an email if it comes from a domain/address outside of the organisation.

-----------------------------------------------------
STEGANOGRAPHY
-----------------------------------------------------
Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection. The secret data is then extracted at its destination. Steganography can be combined with encryption as an extra step for hiding or protecting data.
Hiding a file inside a photo can be done using the command prompt or specialised software. For example, if I want to hide a file called "root.txt" in a photo called "brace.jpg", I will use the following command in the command prompt, in the directory where both the image and the file are:
copy /b brace.jpg + root.txt brace2.jpg
and press Enter on the keyboard.
brace.jpg: The image in which I want to hide the data
root.txt: The document that I want to hide
brace2.jpg: The final image in which root.txt is hidden

You can also hide multiple files in an image by zipping the files together. The method is:
1. Zip the files together. Process: put all the files you want to hide inside the image in a folder, select all of them by highlighting them, right-click, then select Send to >> Compressed (zipped) folder. After this is done a new file will be created in the same folder containing all the files.
2. Make sure the image to be used is in the same folder as the compressed file.
3. Open your command prompt, change to the directory where the image and the compressed file are, and issue the command below. Assuming the file name is "pencil.zip" and the image name is "conlin.jpg", the command is written this way:
copy /b conlin.jpg + pencil.zip colin2.jpg
When this is done a new image will be created called colin2.jpg containing the hidden file.
This command can also be written in this manner:
copy /b conlin.jpg + pencil.zip
Writing the above command hides pencil.zip inside the original image conlin.jpg (with no destination given, conlin.jpg itself is replaced by the combined file).

STEGANOGRAPHY PURPOSE
The purpose of steganography is to conceal and deceive. It is a form of covert communication and can involve the use of any medium to hide a message. It is not a form of cryptography, because it doesn't involve scrambling data or using a key; instead it is a form of data hiding and can be executed in clever ways.
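As an added example, not from the course notes: the "copy /b image + payload" trick above done in Python, followed by the check a defender or forensic analyst runs against it. A JPEG ends with the FF D9 end-of-image marker, so any bytes that follow that marker are foreign; the check finds them, names the payload from its magic bytes, and for a zip lists the hidden files. The JPEG and the zip are constructed in memory (a marker skeleton, not a real photo), and the function names are mine.

```python
# Added example (not from the course notes): reproduce what "copy /b image + payload"
# does (append the payload after the JPEG's end-of-image marker), then show the
# defensive check: bytes after the FF D9 marker are trailing data.
# The JPEG and the payload are constructed byte strings, not real files.
import io
import zipfile

SOI = b"\xff\xd8"   # JPEG start-of-image marker
EOI = b"\xff\xd9"   # JPEG end-of-image marker


def make_fake_jpeg(body=b"\x00" * 64):
    """Build a minimal JPEG-shaped byte string (constructed, not a real picture)."""
    return SOI + b"\xff\xe0" + b"\x00\x10JFIF\x00" + body + EOI


def make_zip(files):
    """Zip a dict {name: bytes} in memory, as the 'Send to > Compressed folder' step does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def append_payload(image, payload):
    """Equivalent of: copy /b image + payload output"""
    return image + payload


def trailing_data(image):
    """Return whatever follows the end-of-image marker; empty for a clean JPEG.

    The first EOI is used because a real JPEG's entropy-coded data never contains
    FF D9. Caveat: an EXIF thumbnail embedded in the header can carry its own EOI,
    so a production tool walks the marker segments instead of searching bytes.
    """
    if not image.startswith(SOI):
        raise ValueError("not a JPEG")
    idx = image.find(EOI)
    if idx == -1:
        raise ValueError("no end-of-image marker")
    return image[idx + len(EOI):]


def classify_trailer(data):
    """Name the hidden payload type from its magic bytes (a few common ones)."""
    if not data:
        return "clean"
    if data.startswith(b"PK\x03\x04"):
        return "zip archive"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown trailing bytes"


def extract_zip_names(data):
    """Recover the file list from an appended zip, as a forensics step."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    stego = append_payload(make_fake_jpeg(), make_zip({"root.txt": b"secret"}))
    tail = trailing_data(stego)
    print(classify_trailer(tail), extract_zip_names(tail))
```

Because the appended bytes are untouched, this form of hiding is exactly the "security through obscurity" the notes describe: image viewers stop at the marker, but a few lines of code do not.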
HOW DO HACKERS USE STEGANOGRAPHY
It is a technique used by attackers to hide malicious code within an image, mainly employed by exploit kits to hide their malvertising traffic. Attackers use a publicly available script called Invoke-PSImage that helps to embed malicious scripts in the pixels of a PNG file.

IS STEGANOGRAPHY A THREAT
Cyber criminals use steganography to hide stolen data or malicious code in images, audio files and other media. They have figured out how to hide valuable data or malevolent software in images, audio files, messages between computer servers and more.

HOW SECURE IS STEGANOGRAPHY
When steganography is used by itself, it is security through obscurity, which can lead to the secret message being revealed. If you want to hide a message from adversaries, but also protect it in case it is discovered, it is best to combine steganography with cryptography.

-----------------------------------------------------
DENIAL OF SERVICE
-----------------------------------------------------
This is a purposeful attack on a network or resource to prevent legitimate access to services. This can include:
- Volumetric
- Protocol
- Application
Usually outside -> in.

VOLUMETRIC ATTACKS
1. Links are flooded with bogus valid requests
2. System/link overloaded
3. Legitimate traffic unable to access services
The requests appear to be legitimate, the network is overwhelmed, and the attack usually requires vast resources. E.g. one computer on the internet can't fill a 10 Gb link, but 1000 can.
Examples:
1. Smurf attack
2. ICMP flood
3. IP/ICMP fragmentation attacks

PROTOCOL ATTACKS
1. System flooded with bogus invalid requests
2. System overloaded and can't service valid requests
This could be devices in the path, e.g. firewalls and load balancers, resulting in the system's inability to allocate resources for new connections.
Examples of these attacks are:
1. SYN flood
2. UDP flood
3. TCP connection exhaustion

APPLICATION ATTACKS
1. Application flooded with bogus valid requests
2. System overloaded and can't service valid requests
The requests appear legitimate, the application is unable to service that many requests, and fewer resources are required to attack.
Examples of these attacks are:
1. HTTP/HTTPS flood
2. DNS attack
3. Application exploit that results in an app crash
4. Data deletion, e.g. "DROP TABLE customer;"

DOS / DDOS ATTACKS
1. Many sources
2. Sources may or may not be aware
3. Zombies often used
4. Command and control

DOS SYMPTOMS
1. Network unavailable
2. Abnormally slow connectivity
3. ISP alarms
4. IP-based services unavailable

DOS EFFECTS
What happens when a company is attacked:
1. Financial loss
2. Loss of customers
3. Network disabled
4. Organization disabled
5. Company distracted by the DoS while other attacks are occurring

BOTNET
This is a network of compromised hosts running software that automates tasks through remote command and control. If you need one you can rent one on the dark web. Botnet software can propagate to grow the network in an automated fashion.
Botnet uses:
1. Launch DDoS attacks, which cause negative impact to businesses
2. Generate spam emails
3. Advertising
4. Extort money to stop the DDoS

DOS ATTACK TOOLS
Several off-the-shelf applications are available to initiate a DoS attack:
1. Metasploit
2. Slowloris
3. Tor's Hammer
4. PHP DoS
5. Exploit-DB

DOS COUNTERMEASURES (DOS DETECTION)
Often when a volumetric DDoS occurs, the abnormal bump in incoming data can be noticed.
1. Deploy monitoring solutions
2. A baseline must exist
3. Set baseline threshold alerts

COUNTERMEASURE STRATEGIES
1. Absorb: scale on demand to absorb the attack; requires money and forethought
2. Shutdown: disable the services under attack for the duration
3. Degrade: stop non-critical services
4. Prevent: threat intelligence services

DOS COUNTERMEASURES
1. Network and host anti-virus/anti-trojan breach detection
2. Disable unnecessary services
3. User education
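As an added example, not from the course notes: the three DoS detection points above (deploy monitoring, a baseline must exist, set baseline threshold alerts) as code. A baseline of mean and standard deviation is learned from known-good per-second request counts, the alert threshold is set above it, and an alert fires only when several consecutive samples exceed the threshold, so a single burst does not page anyone. The per-second counts are constructed; a real deployment would take them from a flow collector or web server logs. The function names and the 4-sigma / 2x-mean / two-samples settings are my own choices.

```python
# Added example (not from the course notes): the "baseline must exist / set
# baseline threshold alerts" countermeasure as code. Per-second request counts
# are constructed; a real deployment would read them from a flow collector or
# web server logs.
import statistics

# constructed: about 100 req/s of normal traffic, then a flood starting at second 20
NORMAL = [98, 102, 105, 97, 101, 99, 103, 100, 96, 104,
          101, 98, 102, 100, 99, 103, 97, 101, 100, 102]
FLOOD = [450, 980, 2100, 2500, 2450]
TRAFFIC = NORMAL + FLOOD


def build_baseline(samples):
    """Mean and population standard deviation of known-good per-second counts."""
    return statistics.mean(samples), statistics.pstdev(samples)


def threshold(baseline, sigmas=4.0, floor_multiplier=2.0):
    """Alert level: mean + k*sigma, but never below 2x the mean, so that a very
    flat baseline (tiny sigma) does not fire on harmless jitter."""
    mean, sd = baseline
    return max(mean + sigmas * sd, mean * floor_multiplier)


def detect_flood(counts, baseline_window=20, consecutive=2, **kw):
    """Return the index of the first second at which `consecutive` samples in a
    row exceed the threshold, or None. The first baseline_window samples are
    treated as the known-good period that trains the baseline."""
    base = build_baseline(counts[:baseline_window])
    limit = threshold(base, **kw)
    streak = 0
    for i, c in enumerate(counts[baseline_window:], start=baseline_window):
        streak = streak + 1 if c > limit else 0
        if streak >= consecutive:
            return i - consecutive + 1      # first second of the sustained excess
    return None


if __name__ == "__main__":
    base = build_baseline(NORMAL)
    print("baseline mean=%.1f sd=%.2f threshold=%.1f" % (base[0], base[1], threshold(base)))
    print("flood starts at second:", detect_flood(TRAFFIC))
```

The baseline should be rebuilt per time of day and per service, since the "normal" for a Monday morning login peak is not the normal for 3 a.m.; the threshold formula stays the same.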
4. Software updates

--------------------------------------------------------------------
SESSION HIJACKING
--------------------------------------------------------------------
Session hijacking concepts:
- Web applications handle many clients at once.
- Session tokens are used to keep track of which traffic belongs to which user.
- Successful authentication results in a provided token.
- The token is used in subsequent connections.
The session hijacking attack compromises the session by stealing or predicting a valid session token to gain unauthorized access to a web server. If someone can steal or derive your token, then they can forge a request using your token.

COMMON SESSION HIJACKING METHODS
1. Predictable session token
2. Session sniffing and replay
3. Client-side attacks
4. XSS
5. Malicious JavaScript
6. Trojans
7. Machine-in-the-middle attack (MitM)
8. Man-in-the-browser attack (MitB)
Today web applications occasionally authenticate once for user convenience; session IDs are sometimes sent in plain text, and if TLS is not used, session IDs are exposed. Session IDs might expire a long time from now, and cookies can be spoofed.
Example of a PHP session cookie

TOOLS THAT CAN BE USED
1. Ettercap / Bettercap
2. Burp Suite
3. OWASP Zed Attack Proxy
This attack can also come from a malicious browser extension, if the user accepts its permissions. An extension can:
1. Capture data from form fields
2. Inject JavaScript
3. Exfiltrate data
4. Hijack authenticated sessions

SESSION HIJACKING COUNTERMEASURES
1. Think before you click
2. Ask yourself: have you been to this website before?
3. Is the URL properly formed?
4. Don't open files you were not expecting
5. Use logout functions
6. Clear browser history, cache and cookies

FOR WEB SERVER SECURITY
1. Probe systems, pen testing
2. Use TLS, use signed certificates
3. Disable insecure HTTP, or at least redirect from port 80 to 443
4. Don't expose session keys in the query string
5. Use header cookies
6. Patch web servers for vulnerabilities
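As an added example, not code from the course notes: the "predictable session token" weakness beside its fix, and the server-side countermeasures 4 and 5 above as a Set-Cookie header. The weak generator is a sequential counter, which a simple check recognises as an arithmetic progression; the strong one draws 256 bits from the operating system's CSPRNG. The cookie header carries Secure (sent only over TLS), HttpOnly (not readable by injected JavaScript), SameSite and a short Max-Age, and uses the __Host- prefix so the browser refuses it unless it is set over HTTPS with Path=/ and no Domain. Names are mine; nothing here comes from a real application.

```python
# Added example (not from the course notes): a predictable session token beside
# an unpredictable one, plus a Set-Cookie header that keeps the token out of the
# query string and off plain HTTP. All names are hypothetical.
import itertools
import math
import secrets

_counter = itertools.count(1000)


def weak_session_id():
    """Predictable: a sequential counter, so an attacker who sees one ID can guess the next."""
    return f"sess-{next(_counter)}"


def strong_session_id(nbytes=32):
    """Unpredictable: 256 bits from the OS CSPRNG, URL-safe encoded (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def is_predictable(ids):
    """Heuristic check: numeric suffixes that form an arithmetic progression."""
    nums = []
    for sid in ids:
        tail = sid.rsplit("-", 1)[-1]
        if not tail.isdigit():
            return False
        nums.append(int(tail))
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1


def token_entropy_bits(token):
    """Lower bound for a token_urlsafe string: 64-symbol alphabet, so 6 bits per character."""
    return len(token) * math.log2(64)


def session_cookie_header(token, max_age=1800):
    """Set-Cookie with the attributes that blunt sniffing, XSS theft and CSRF.

    Secure    -> never sent over plain HTTP (countermeasure: use TLS)
    HttpOnly  -> not exposed to document.cookie (malicious JavaScript, extensions)
    SameSite  -> not attached to cross-site requests
    Max-Age   -> short lifetime instead of "expires a long time from now"
    __Host-   -> browser enforces Secure, Path=/ and no Domain attribute
    """
    return (f"Set-Cookie: __Host-session={token}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")


if __name__ == "__main__":
    print("weak:  ", [weak_session_id() for _ in range(3)])
    tok = strong_session_id()
    print("strong:", tok, "(~%d bits)" % token_entropy_bits(tok))
    print(session_cookie_header(tok))
```

Putting the token in a cookie rather than the query string also keeps it out of web server logs, proxy logs and the Referer header, which is the practical reason behind countermeasure 4.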
WIRESHARK

Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

What to look for as indicators of compromise:
1. (DNS) Suspect DNS activity (strange domain names)
2. (HTTP) Suspect HTTP activity (POST, strange user agent, strange files)
3. Unusual GeoIP locations
4. Command and control traffic (sometimes over HTTP)
5. Could become a spam bot (TCP ports 25, 587)
And we need to know how to identify them at the packet level.
We will learn how to:
- Filter for network scans
- Spot traffic exfiltration
- Top 10 attack patterns
- Identify common indicators of compromise (IoCs)
- Approach packet-level analysis for incident response
- Where to capture and how to capture; where Wireshark fits in
- Packet analysis and the MITRE ATT&CK framework / cyber kill chain

ATTACKS FOLLOW A PATTERN
1. Reconnaissance
2. Initial access
3. Lateral movement
4. C2 and exfiltration
Also take note that attacks are constantly evolving.

START WITH ALERTS AND LOGS (IDS)
The two important pieces of information:
1. They tell us the time an event occurred
2. Who was impacted by that event
Then we can use packet data to address this, or we can use it to find things our alert system missed.
These are things a cyber security expert should master:
1. Statistics
2. Filtering/colouring rules
3. Custom columns
4. Exporting objects/files
5. GeoIP locations
But also remember to follow the pattern above (ATTACK PATTERNS).

(LAB 1) DETECTING NETWORK DISCOVERY SCANNING WITH WIRESHARK
Lab one shows a network scan in a trace file. At line 13 you will notice that the IP address ".7" has a length of 42, and at line 16 it has a length of 60. The difference is that one has padding and the other has not.
One thing we need to know is who has replied. We can start tracing it down to see the IPs that reply, or we can go down to "Opcode: request (1)", right click >> Prepare as Filter >> Selected. The ARP opcode is going to be (1), which is request, so we use (2), which is reply; then we can see the systems that have replied to the scan.

(LAB 2) PORT SCAN
Here you can see the source and destination IP addresses, where the same IP address is contacting different IP addresses using ICMP. Click the first TCP SYN; at the bottom, expand Transmission Control Protocol. We can add a packet comment by right clicking >> Packet Comment, then we can document strange behavior by typing what we notice in the comment box. We can also expand "Flags" and right click on "Syn: Set" >> Prepare as Filter >> Selected; that will give us all the SYNs we have in that trace. We can copy what we have at the top and then go to View >> Coloring Rules, then add a rule and call it "tcp syn" or a name that best describes its behaviour. If a packet matches this, it will show in the colour you chose. We can also use Statistics >> Conversations, then click the TCP tab; then you can see the number of ports the attacker is trying to access, possibly checking for any responses from the machines. To see if anyone responded we can right click any of the TCP SYNs >> Conversation Filter >> TCP. We can also type it in the filter bar at the top, to check all the responses going to the said IP address. Type:
tcp.flags.syn==1 and tcp.flags.ack==1 and ip.dst==10.0.2.15

(LAB 3) CHECKING FOR ATTACK ANALYSIS
WHAT DO WE LOOK OUT FOR:
1. What is the IP address of the device that is ARPing for the whole 10.6.1.X range?
2. How many devices responded? What addresses are active on this network?
3. What address range does the infected machine then ping?
4. Does the ping sweep happen sequentially (in order)?
5. Did the attack machine receive any ping reply?
6. The infected machine then tries to discover open ports on the other active devices on the network. What ports does it try to access?
7. What filter could you set that would only show the open ports from the port scan of these devices? (Note: focus on the SYN/ACK packets.)

We can type "arp" in the filter to see the address range, and to check what stations are active or who responded, type:
arp.opcode==2
We can also check ICMP by typing "icmp" in the filter. We can also visualise it by going to Statistics >> Conversations and picking IPv4; when we are done we can clear the filter. Now we can check all the TCP attempts made to contact the machine (type: tcp and ip.addr==10.6.1.1); here we will see all the TCP attempts that were made to the 1.1 box. It tries to make contact with port 445 and fails. Now we can check another address that replies, which is 10.16.1.6; here we can see that it is talking to the machine. We can also go to Statistics >> Conversations and select TCP, so we will be able to see the traffic between the systems and what port the attacker is trying to take advantage of. Type:
tcp.flags.syn==1 and tcp.flags.ack==1 and ip.src==10.6.1.6

--------------------------------------------------------------- EVADING IDS, FIREWALLS AND HONEYPOTS ---------------------------------------------------------------

Network based IDS and IPS detection methodologies:
1. Pattern matching and stateful pattern matching recognition
2. Protocol analysis
3. Heuristic based analysis
4. Anomaly based analysis
5. Global threat intelligence and correlation capabilities

Honeypots: These are fake systems designed to lure and "jail" an attacker so that real systems are not targeted. A honeypot might be configured to look like it has security holes or vulnerabilities. A great resource for information about honeypots is the Honeynet Project, which you can find at "honeynet.org".
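Labs 1 to 3 above ask three questions of a trace: who is ARPing the whole range, which stations answered, and which ports a SYN scan found open. Here is the same logic as an added Python example (not from the original notes), run over a constructed packet list that stands in for the trace file; the record fields mirror the Wireshark filter names used above, and the addresses are constructed.

```python
# Added example, not part of the original notes: the lab questions above
# (who is ARPing, who answered, who is SYN scanning, which ports are open)
# answered in code over a constructed, simplified packet list.
from collections import defaultdict

# Constructed records mimicking the fields the Wireshark filters use:
# arp.opcode, tcp.flags.syn / tcp.flags.ack, ip.src / ip.dst, tcp ports.
# 10.6.1.1 plays the scanner; 10.6.1.6 answers on port 22 only.
PACKETS = (
    [{"proto": "arp", "opcode": 1, "src": "10.6.1.1", "dst": f"10.6.1.{i}"} for i in range(2, 12)]
    + [{"proto": "arp", "opcode": 2, "src": "10.6.1.6", "dst": "10.6.1.1"},
       {"proto": "arp", "opcode": 2, "src": "10.6.1.9", "dst": "10.6.1.1"}]
    + [{"proto": "tcp", "src": "10.6.1.1", "dst": "10.6.1.6", "sport": 40000 + p,
        "dport": p, "syn": 1, "ack": 0} for p in (21, 22, 80, 443, 445)]
    + [{"proto": "tcp", "src": "10.6.1.6", "dst": "10.6.1.1", "sport": 22,
        "dport": 40022, "syn": 1, "ack": 1}]   # the only SYN/ACK: port 22 is open
)

def arp_sweepers(packets, threshold=5):
    """Equivalent of arp.opcode==1 grouped per source: a source that requests
    many distinct targets is sweeping the range (lab 3, question 1)."""
    targets = defaultdict(set)
    for p in packets:
        if p["proto"] == "arp" and p["opcode"] == 1:
            targets[p["src"]].add(p["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def arp_responders(packets):
    """Equivalent of arp.opcode==2: the stations that are actually alive (question 2)."""
    return sorted({p["src"] for p in packets if p["proto"] == "arp" and p["opcode"] == 2})

def syn_scanners(packets, threshold=3):
    """Equivalent of tcp.flags.syn==1 and tcp.flags.ack==0 grouped per source:
    a source hitting many distinct destination ports is probing, not browsing."""
    ports = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["syn"] == 1 and p["ack"] == 0:
            ports[p["src"]].add((p["dst"], p["dport"]))
    return {src: len(s) for src, s in ports.items() if len(s) >= threshold}

def open_ports(packets, scanner):
    """Equivalent of tcp.flags.syn==1 and tcp.flags.ack==1 and ip.dst==<scanner>
    (question 7): a SYN/ACK back to the scanner means that source port is open."""
    result = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["syn"] == 1 and p["ack"] == 1 and p["dst"] == scanner:
            result[p["src"]].add(p["sport"])
    return {host: sorted(s) for host, s in result.items()}

if __name__ == "__main__":
    print("ARP sweep:", arp_sweepers(PACKETS))
    print("alive:", arp_responders(PACKETS))
    print("SYN scan:", syn_scanners(PACKETS))
    print("open:", open_ports(PACKETS, "10.6.1.1"))
```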
---------------------------------------------------------------- HACKING WEB SERVERS ----------------------------------------------------------------

Web URL sample: https://theartofhacking.org:8123/dir/test;id=89?name=omar&x=true
Looking at the URL above, the section "test;id=89" is called the URL parameters, while the section "name=omar&x=true" is called the query string.

NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) METHODOLOGY
DIAGRAM

We can do our scanning with Burp Suite or OWASP ZAP:
1. We can scan 10.6.6.23 with OWASP ZAP
2. We can scan with Linux using nikto, by typing nikto -h https://10.6.6.23 in the Linux terminal

PATCH MANAGEMENT
Patch management is the planning, testing, implementation and auditing of patches. You must adopt a proper patch management program that includes all your operating systems, the firmware of the devices in your infrastructure, and your applications (on-premises and in the cloud).

PATCH MANAGEMENT BEST PRACTICES
1. Inventory your systems
2. Assign a risk level to your systems
3. Consolidate software versions (and software itself)
4. Mitigate patch exceptions
5. Keep up with vendor patch announcements
6. Test patches before applying everywhere
7. Apply application patches as quickly as possible
8. Automate open source patches

SECURING WEB SERVERS
1. Harden before you deploy
2. Exercise good patch management
3. Disable unneeded services
4. Lock down the file system
5. Log and audit
6. Perform ongoing scanning for vulnerabilities
7. Automate backups

WEB SERVER SECURITY TOOLS
1. On-premises and cloud web application firewall (WAF)
2. Cloud security monitoring tools
3. Endpoint detection and response for servers

-------------------------------------------------------------- HACKING WEB APPLICATIONS --------------------------------------------------------------

Web hacking refers to exploitation of applications via HTTP, which can be done by manipulating the application via its graphical web interface, tampering with the Uniform Resource Identifier (URI), or tampering with HTTP elements not contained in the URI.

To hack an application you have to know about the HTTP METHODS:
1. GET: Retrieves information from the server.
2. HEAD: Basically the same as a GET, but it returns only HTTP headers and no document body.
3. POST: Sends data to the server (typically using HTML forms, API requests and the like).
4. TRACE: Does a message loop-back test along the path to the target resource.
5. PUT: Uploads a representation of the specified URI.
6. DELETE: Deletes the specified resource.
7. OPTIONS: Returns the HTTP methods that the server supports.
8. CONNECT: Converts the request connection to a transparent TCP/IP tunnel.

Analysing a web application using Burp Suite: type burpsuite in your terminal. Click on Proxy, and then click on "Open browser". Then you can type the URL you want; as it opens, Burp will be scanning the URL. Then go to HTTP history to see all the details.

USING OWASP ZAP
1. Type: zaproxy; this will bring up the interface.
2. Click on Automated Scan.
3. Enter the URL and click "Attack".

ATTACKING AUTHENTICATION
1. Authentication and session management
2. Credential brute force and stealing
3. Session hijacking
4. Redirects
5. Default credentials and/or weak credentials
6. Protocol vulnerabilities
7. Weak implementation of OAuth2, OpenID Connect

INPUT VALIDATION
Important: always make sure that only properly formed data is entering the workflow in an application or a system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.
Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party.
OWASP input validation cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/inpu_validation_cheat_sheet.html

WHAT IS CROSS SITE SCRIPTING
Cross site scripting is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. It is an input validation vulnerability in a web application that targets the end user or client. Exploitation could lead to installation or execution of malicious code, account compromise, session cookie stealing, redirection and more.

WHERE TO FIND XSS?
1. Search fields that echo a search string back to the user.
2. HTTP headers.
3. Input fields that echo user data.
4. Error messages that return user supplied text.
5. Hidden fields that may include user input data.
6. Applications (or websites) that display user supplied data.

WHAT IS PHISHING
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. "An email that is likely a phishing scam."

ITEMS NEEDED FOR PHISHING
1. A clone of the mimicked website.
2. A PHP script to collect the victims' data.
3. A text file to store the data.

WHAT IS OPEN REDIRECT
Open redirection vulnerabilities arise when an application incorporates user controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

CODE FOR OPEN REDIRECTION
Chance to win HP Laptop
iframe{opacity: 1;}
center{position: absolute; left: 200px;}
button{position: absolute; top: 780px; left: 350px}
Chance to win HP Laptop
Click here!
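The defensive counterpart to the open redirect above, as an added Python example that is not from these notes: every user-supplied redirect target is checked against an allow-list of hosts before a Location header is built, which is the "allow-list input validation" the earlier input validation section calls for. The host list, the default target and the helper name are assumptions.

```python
# Added example (not from the original notes): an allow-list check for a
# redirect target, the defence against the open redirect described above.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"app.example.test"}      # constructed allow-list of our own hosts
DEFAULT_TARGET = "/"                       # where to send anything we reject

def safe_redirect_target(candidate: str) -> str:
    """Return a redirect target that stays on an allowed host, or DEFAULT_TARGET.

    Rejects anything that would leave the site: absolute URLs to other hosts,
    userinfo tricks like https://ours@evil, protocol-relative '//evil' forms,
    backslashes that browsers normalise to '/', triple-slash forms that browsers
    collapse to a host, and non-http(s) schemes such as javascript:.
    """
    if not candidate:
        return DEFAULT_TARGET
    cleaned = candidate.strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if parts.netloc:
        # absolute or protocol-relative URL: the real host must be on the allow-list
        host = parts.hostname or ""
        if host not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    # relative target: exactly one leading '/', never '//' or '///'
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", parts.path, parts.query, ""))

if __name__ == "__main__":
    for sample in ("/account?x=1", "//evil.test/x", "javascript:alert(1)",
                   "https://app.example.test/dash", "https://evil.test/"):
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```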
---------------------------------------------------------------------------- SQL INJECTION ---------------------------------------------------------------------------

SQL injection is a code injection technique used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution.
Example website: w3schools.com/sql/trysql.asp?filename=trysql_op_in
Select * from employees where firstname like '%Nancy%' or 1=1

UNDERSTANDING THE TYPES OF SQL INJECTION
In-band: The attacker uses the same channel of communication to launch their attacks and to gather their results.
Inferential (Blind): The attacker sends data payloads to the server and observes the response and behaviour of the server to learn more about its structure. This is called blind because the data is not transferred from the web app database to the attacker, thus the attacker cannot see information about the attack in-band.
Out-of-band: The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques.

EXPLORING THE SQL INJECTION METHODOLOGIES
Error-based: The attacker performs actions that cause the database to produce error messages, and can potentially use these error messages to gather information about the structure of the database.
Union-based: The attacker takes advantage of the UNION SQL operator, which combines multiple SELECT statements generated by the database to get a single HTTP response. This response can contain data that can be leveraged by the attacker.
Boolean: The attacker sends a SQL query and the result will vary depending on whether the query is true or false, for example Omar' or1=1;
Time-based: The attacker sends an SQL query to the database that causes the database to wait (for a period of seconds) before it can react.
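The w3schools query above, with its "or 1=1" tautology, is the Boolean case every one of these methodologies builds on. Here it is as an added Python example (not from the original notes), built two ways against an in-memory SQLite table: by string concatenation, where the tautology returns every row, and as the prepared statement with a bound parameter that OWASP's counter measures recommend, where the same input matches nothing. The employees table and its rows are constructed for the example.

```python
# Added example, not from the original notes: the trysql query above built two
# ways. String concatenation lets the "or 1=1" tautology return every row; a
# prepared statement with a bound parameter treats the same input as a literal.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the w3schools employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, firstname TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees (firstname, salary) VALUES (?, ?)",
                     [("Nancy", 5000), ("Andrew", 6000), ("Janet", 5500)])
    return conn

def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query built by concatenation: the input becomes part of the SQL text,
    so quotes and keywords in it change the statement itself."""
    sql = "SELECT firstname FROM employees WHERE firstname LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """OWASP's first recommendation: a prepared statement with a bound parameter.
    The driver sends the SQL and the value separately, so the value can never
    change the statement's structure, whatever quotes or keywords it contains."""
    sql = "SELECT firstname FROM employees WHERE firstname LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + name + "%",))]

# The Boolean tautology from the notes, carried in the user-supplied name;
# the trailing -- comments out the closing quote the template appends.
TAUTOLOGY = "Nancy%' or 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Nancy"))          # ['Nancy']
    print(search_vulnerable(db, TAUTOLOGY))        # every row: the injection worked
    print(search_parameterized(db, TAUTOLOGY))     # []: the input was treated as data
```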
The attacker can observe the amount of time the database takes to respond, or whether the message sent returned true or false.

EXPLORING SQL INJECTION TOOLS (popular SQL injection tools)
1. SQLmap
2. jSQL Injection
3. BBQSQL
4. NoSQLMap
5. DSSS
6. explo
7. Blind SQL injection via bitshifting
8. Havij
Evasion technique URL: owasp.org/www-community/attacks/SQL_injection_Bypassing_WAF

UNDERSTANDING SQL INJECTION COUNTER MEASURES
OWASP's SQL injection prevention recommendations:
- Use of prepared statements (with parameterized queries)
- Use of stored procedures
- Allow-list input validation
- Escaping all user supplied input
Additional defenses:
- Enforcing least privilege
- Performing allow-list input validation as a secondary defense
Useful link: https://cheatsheet.owasp.org/cheatsheets/SQL_injection_Prevention_Cheat_Sheet.html

------------------------------------------------------------------------ HACKING WIRELESS NETWORKS ------------------------------------------------------------------------

WIRELESS OVERVIEW
1. Wireless local area network (WLAN)
2. IEEE 802.11 standard, WiFi brand
3. Original standard 1997
4. SOHO and enterprise scale solutions
5. 802.11b (1999). Became popular as the price reduced

A wireless network is a computer network that uses wireless data connections between network nodes. Wireless networking is a method by which homes, telecommunications networks and business installations are implemented.

WLAN PRIVACY (WLAN security algorithms)
- Wired Equivalent Privacy (WEP)
- WiFi Protected Access (WPA)
- WiFi Protected Access 2 (WPA2)
- WiFi Protected Access 3 (WPA3)

UNDERSTANDING WIRELESS ENCRYPTION: WPA/WPA2
1. WPA - 2003. Stop gap until the WPA2 standard. Temporal Key Integrity Protocol (TKIP). Still RC4, but 48 bit IV, 128 bit key.
2. WPA2 - 2004, IEEE 802.11. AES - 125 - 128 bit key length. AES based Counter Mode CBC-MAC Protocol (CCMP). WPA2 certification required for WiFi since 2005.
3. WPA3 - 2018. AES 192-bit key length.
AES based Counter Mode CBC-MAC Protocol (CCMP-128). WPA3 certification required for WiFi (since June 2018).

ENCRYPTION ATTACK DEFENCE
1. Don't use WEP; use WPA2 or WPA3
2. Use complex passphrases
3. Only use AES/CCMP, don't use TKIP
4. Use high level encryption such as IPsec to protect your data

Wireless networks can be attacked by forging control or data frames to affect or gain access to the network, using:
1. IV replay
2. RADIUS
3. WEP injection
4. Data frame injection
5. Data replay
6. EAP replay

COMMON TOOLS USED FOR WIRELESS HACKING
1. Airodump-ng
2. Part of the aircrack-ng suite
3. http://aircrack-ng.org
4. MetaGeek complete (commercial), link: https://metageek.com

WIRELESS COUNTER MEASURES BEST PRACTICES:
1. Change the SSID from the default; the SSID isn't a password.
2. Change the default username/password for the router/AP
3. Disable SSID broadcasts
4. Disable remote administration from the "WAN" side
5. Filter MAC addresses if administratively feasible
6. Use WPA3 or WPA2, disable WEP
7. Do not use identifying information in your SSID
8. Use a firewall and IDS

TO COPY A PAGE ON A WEBSITE
1. Open the website using the URL, e.g. loacast.com, and press Enter
2. When the webpage is opened, right click the page and select Save As
3. Save the page into a folder on your computer, either on the desktop or in My Documents or anywhere on your computer, using the extension .html
4. Then double click the HTML file to see the newly cloned page.

DOWNLOADING AND USING HTTRACK TO CLONE A WEBSITE
1. Visit: www.google.com
2. Type httrack in the Google search and press "I'm Feeling Lucky"
3. This will take you directly to the download page; click one of the download files to download.
4. Install the downloaded file on your PC.
5. Open your installation file
6. A dialog box appears; click Next
7. At the project name, type the name of the project you want to clone. Leave everything else as it is and click Next.
8. At the Web Addresses (URL) field, enter the name of the website you want to clone, e.g. https://www.yahoo.com, and click Next
9. At this point you can check the box "disconnect when finished" or check the box that says "shutdown PC when finished", or leave both unchecked as preferred and just click Finish. HTTrack will begin to clone the entire website. When done, your cloned webpage can be found on your local disk drive at c:/My Web Sites; once you open this location you will see the project name that you created previously, and your cloned website will be inside.

WHAT IS HAVIJ
Havij is an automatic SQL injection tool, distributed by ITSec Team, an Iranian security company. The name Havij means "carrot", which is the tool's icon. The tool is designed with a user friendly GUI that makes it easy for an operator to retrieve the desired data.
How to use Havij:
1. Install Havij
2. Launch Havij, type the URL that you want to access the database on, and click Analyse
3. Click on Tables
4. Check the preferred table and click "Get DBs"
5. Check "information schema"
6. Click "Get Tables"
7. Check the table you want and click Get Columns
8. Then check the user and password columns, if available
9. And click Get Data

WHAT IS ACUNETIX?
Acunetix is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL injection, cross site scripting and other exploitable vulnerabilities. To scan a website using Acunetix, first you need to create a target by clicking on Targets in the left side bar or at the top. Click Add Target. Enter the URL of the website or the IP address. Enter a description, e.g. "test" or "target PC". Then click Add Target. After the target is created, you can make adjustments as you wish; after making the changes you prefer using the settings, click Save to save your settings. Then click "Scan" to begin the scan process.
Then choose the kind of scan you want, and also the report type and your schedule; we can choose Full Scan, Affected Items and Instant respectively, and the scan will start automatically. Acunetix will crawl the website and, when it is done, you can view the vulnerabilities found in the website, and you can also generate a report using Acunetix.

HOW TO ACCESS THE DARK WEB
1. First download the Tor Browser and install it on your system
2. A VPN is optional, to prevent sharing anything with your ISP
3. In the Tor Browser, go to the onion symbol at the top left and click Security Settings. Adjust security to the top level. Open Google and type "hidden wiki link". Click the top result, look for the "hidden wiki", copy that link, and paste it in the browser.