Network Security Notes from PPT Course:

  1. Whois is a query/response protocol for querying the domain registrar's database
  2. Whois runs on TCP port 43

  3. Whois is helpful in determining the Nameservers of a domain

  4. Nameservers store all DNS related information

  5. DNS:

    1. Definition: a protocol for resolving IP addresses to domain names

    2. Purpose: a database or directory to map IPs to names

    3. DNS Structure:

      1. Resource Record

      2. TTL: determines the Start of Authority records

      3. Record Class

        1. Internet, Chaos, Hesiod
  6. DNS Records:

    1. A: maps IP addresses to hostnames

    2. PTR: Pointer maps hostnames to IP addresses

    3. CNAME: maps alias hostnames to the domain. A domain name can have multiple aliases; these aliases are kept in the CNAME file

    4. MX: specifies the mail servers that accept email for the domain

    5. SOA: first in the zone file, it defines values for the zone such as serial number and expiration timeouts. There is only one SOA per zone

  7. Reverse Lookup takes an IP address and determines the subdomains and hostnames connected to the IP

  8. Zone Transfer

    1. An open zone transfer is a misconfiguration on the server. Zone transfers should ONLY be enabled for a trusted IP
    2. When requesting a zone transfer for a domain, a properly configured server returns an error. If it returns a copy of the DNS database, the server is misconfigured
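
A check for the misconfiguration in item 8, added here as an example and not part of the course material: it builds an AXFR query, classifies the server's reply, and includes a TCP client (the ns_host and domain arguments are assumptions) for testing a nameserver you are responsible for.

```python
import socket
import struct

QTYPE_AXFR = 252
RCODE_REFUSED = 5

def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build the wire-format DNS question that asks for a full zone transfer (QTYPE AXFR)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0: standard query, QDCOUNT=1
    labels = domain.strip(".").encode().split(b".")
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_AXFR, 1)  # QCLASS=IN

def classify_axfr_response(resp: bytes) -> str:
    """Classify a raw DNS reply: 'refused' (server configured properly),
    'transferred' (zone handed out: misconfigured) or 'other' (e.g. SERVFAIL, NXDOMAIN)."""
    if len(resp) < 12:
        return "other"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == 0 and ancount > 0:
        return "transferred"
    return "other"

def check_zone_transfer(ns_host: str, domain: str, timeout: float = 5.0) -> str:
    """Ask one of your own nameservers for AXFR over TCP 53 and classify what comes back."""
    query = build_axfr_query(domain)
    with socket.create_connection((ns_host, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP: 2-byte length prefix
        (length,) = struct.unpack("!H", sock.recv(2))
        resp = b""
        while len(resp) < length:
            chunk = sock.recv(length - len(resp))
            if not chunk:
                break
            resp += chunk
    return classify_axfr_response(resp)  # the first message of a transfer is enough to decide

# Constructed sample replies (12-byte headers are enough for the classifier)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)               # QR=1, RCODE=5
LEAKED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 3, 0, 0) + b"\x00" * 8  # QR=1, 3 answers
```
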
  9. DNS Enumeration

    1. Concept:
    2. Purpose:

    3. Tools:

      1. nslookup is a command-line tool for querying domain names
  10. When enumerating a DNS MX record, keep in mind that the lower the number, the more preferred the mail server

    The most common values are 5 and 10

  11. A netblock is a range of IP addresses

  12. Autonomous System: is made of one or more netblock ranges. Ex: ISPs have autonomous systems, while small corporations have netblocks

  13. ICMP Ping Sweeps: send ICMP echo requests to the hosts; if a host is alive, it sends an ICMP reply

  14. Most new devices and machines nowadays turn off ICMP ping responses for security purposes, so pings are no longer reliable for checking for live hosts

  15. If Nmap runs an ICMP scan from the same network, it runs an ARP scan by default instead of ICMP. Disabling ARP in the command makes it run the ICMP scan: --disable-arp-ping or --ip-scan

  16. DNS ports are TCP 53 and UDP 53

  17. Three-way Handshake:

    1. Header contains:

      1. Sequence Number

      2. Acknowledgment Number

      3. SYN and ACK flags

    2. Step 1: the client sends a request packet with the SYN flag set and a random sequence number

    3. Step 2: the server responds with a packet that has the SYN and ACK flags set, along with its own random sequence number. The ACK number is the sequence number of the SYN packet plus one

    4. Step 3: when the synchronization is done, the client sends an acknowledgment packet to complete the connection setup

  18. TCP/IP vs UDP: TCP is a reliable protocol, as it relies on confirmation that packets were received, while with UDP confirmation is not essential

  19. Port 0 is reserved for TCP and 1 for UDP

  20. Ports Status:

    1. OPEN: SYN-ACK: means the port is open

    2. Close:

    3. Filtered: the status is not clear, as there are firewall rules that prevent accurate results

  21. HPING:

    1. hping is a packet-crafting tool designed to send customized packets to the target machine

    2. SA flags (SYN/ACK) in the reply indicate that the port is open

    3. RA flags (RST/ACK) in the reply indicate that the port is closed

  22. Running a ping sweep indicates an active scan on the network.

  23. Scanning random ports can appear as normal TCP requests

  24. SYN scan is the best starting scan. It performs a half-open scan to learn the port status of the machine

  25. The SYN scan sends a SYN packet to open the communication. If the response is SYN/ACK, the port is open; if RST, the port is closed

  26. If no response was received, it means the port is closed

  27. -sT [TCP scan]: is a full TCP scan

  28. UDP scanning is also important, as there are services that run on UDP such as DNS, SNMP and DHCP

  29. UDP scans are slow and difficult to conduct, but as important as TCP scans

  30. UDP scan process:

    1. Step 1: send a query

    2. Step 2: if the port is open, a response is sent back; if not, an ICMP packet is sent instead

    3. Step 3: ICMP is sent to close the communication

  31. Idle scanning or zombie scanning: uses a zombie, a device on the network that does not send or receive packets

  32. Zombie scanning pre-requisites:

    1. The host should not send or receive traffic that might mess with the IP ID number

    2. Finding a zombie device means looking for a host that increases its IP ID incrementally

  33. Identifying a zombie host can be done with the nmap OS scan with the verbose switch, to see if the host sends incremental IP IDs. Seeing IDs incrementing by 1 means that the host does not send or receive other packets

  34. If the port is open, the zombie host increments the IP ID by 2; if the port is closed, the host increments the IP ID by 1

  35. When using nmap to perform idle (zombie) scanning, make sure to pick an open port on the zombie host

  36. The purpose of a zombie scan is hiding the original IP address of the scan: the target machine will see the IP address of the zombie machine and not the original scan source (stealthy scanning)
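
A simulation of the IP ID arithmetic behind items 32 to 36, added as an example that is not from the course: the Zombie class is a constructed stand-in for an idle host, and the functions show why a host with predictable, incrementing IP IDs can be abused as a zombie (the reason modern stacks randomize IP IDs).

```python
from dataclasses import dataclass

@dataclass
class Zombie:
    """Constructed idle host: its IP ID goes up by exactly 1 for every packet it emits."""
    ip_id: int = 1000

    def emit(self) -> int:
        self.ip_id = (self.ip_id + 1) & 0xFFFF  # 16-bit counter wraps around
        return self.ip_id

def ip_ids_are_incremental(samples) -> bool:
    """Suitability check from item 33: every observed IP ID is the previous one plus 1."""
    return len(samples) >= 2 and all(((b - a) & 0xFFFF) == 1 for a, b in zip(samples, samples[1:]))

def probe_zombie(z: Zombie) -> int:
    # Scanner sends SYN/ACK to the zombie; it answers RST and so reveals its current IP ID.
    return z.emit()

def target_reacts(port_open: bool, z: Zombie) -> None:
    # Scanner sends a SYN to the target with the zombie's IP as the spoofed source.
    if port_open:
        z.emit()  # target replies SYN/ACK to the zombie, which answers with RST (+1)
    # closed (or filtered) port: target sends RST (or nothing); the zombie stays silent (+0)

def idle_scan_port(z: Zombie, port_open: bool, background_packets: int = 0) -> str:
    """Infer the target port state from the zombie's IP ID delta alone (item 34)."""
    before = probe_zombie(z)
    target_reacts(port_open, z)
    for _ in range(background_packets):  # unrelated traffic the zombie happened to send
        z.emit()
    after = probe_zombie(z)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"        # a filtered port looks identical: nothing made the zombie talk
    return "inconclusive"      # the zombie was not idle; the IP ID no longer reflects the target
```
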

  37. TCP packets are tagged with 6 flags:

    1. SYN

    2. PUSH

    3. ACK

    4. RST

    5. FIN

    6. URG

  38. Null, XMAS and FIN scans exploit a loophole in the TCP connection handling to differentiate between open and closed ports

  39. Banner grabbing is a scanning technique to identify the services running on the host machine

  40. Banner Grabbing Tools: NETCAT, TELNET

  41. Firewall Evasion Techniques:

    1. Fragmentation: fragment the packet to bypass the firewall

    2. Decoy: sending a large amount of traffic from different spoofed IP addresses for evasion

      1. In order for the decoy to work, all the decoys should be up and running

      2. They should be set randomly, otherwise they can be detected

    3. Timing: this technique uses a timing mechanism in order to slow down the scan

      1. T1: Paranoid

      2. T2: Sneaky

      3. T3: Polite

      4. T4: Aggressive

      5. T5: Insane

    4. Source Ports: the purpose of this technique is exploiting poor firewall protection by sending traffic from one of the allowed source ports

  42. NetBIOS [Network Basic Input Output System]: is a service that allows different systems to communicate over a LAN. The communication takes the form of shared files, printers, folders and remote procedure calls

  43. NetBIOS ports: UDP 137, 138 | TCP 139

  44. NetBIOS Enumeration

  45. SNMP: Simple Network Management Protocol is a protocol for exchanging management information between network devices

  46. In the SNMP protocol, there is a manager and agents. The agents either wait for requests from the manager or send traps to the manager. Traps are critical information about the status of the network devices

  47. SNMP Commands:

    1. Read: monitor the network devices

    2. Write: configure the network devices

    3. Trap: used to send event information to the monitoring system

    4. Traversal operation: determines which variables a specific device supports

  48. SNMP receives general messages on UDP 161 and traps on UDP 162

  49. SNMP community strings: public and private

    1. Public: read-only

    2. Private: allows write access

  50. The SNMP community string is the form of authentication used in SNMP

  51. SMB: Server Message Block is a protocol for sharing files and folders

  52. MIBs [Management Information Base] are a collection of definitions that define the properties of the managed objects on the device. A MIB is a database of information

  53. SNMP attacks:

    1. Flooding the network by initiating a DoS attack

    2. Community: using default community strings

    3. Brute force: using a tool to guess the community string by brute force in order to gain access to the system

  54. SNMP v1 and v2 use clear-text communication, while SNMP v3 uses some sort of encryption but is still considered vulnerable
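
An added example (not the course's code) that audits a captured SNMP datagram for the weaknesses in items 49, 50, 53 and 54: it parses the BER-encoded version and community string and flags default communities and clear-text v1/v2c; build_snmp_get and SAMPLE_V3_HEADER are constructed sample inputs.

```python
DEFAULT_COMMUNITIES = {"public", "private"}

def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value; returns (tag, value, position after the value)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def extract_snmp_community(msg: bytes):
    """Return (version, community) from a raw SNMP datagram; community is None for SNMPv3."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")   # 0 = v1, 1 = v2c, 3 = v3
    tag, second, _ = _read_tlv(body, pos)
    if tag != 0x04:                        # v3 carries msgGlobalData (a SEQUENCE) here instead
        return version, None
    return version, second.decode("ascii", errors="replace")

def audit_snmp_datagram(msg: bytes) -> list:
    """Flag the two weaknesses from the notes: default community strings and clear-text v1/v2c."""
    version, community = extract_snmp_community(msg)
    issues = []
    if community is not None and community.lower() in DEFAULT_COMMUNITIES:
        issues.append(f"default community string '{community}' in use")
    if version in (0, 1):
        issues.append(f"SNMPv{'1' if version == 0 else '2c'} sends the community string in clear text")
    return issues

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form length is enough for the samples

def build_snmp_get(community: str, version: int = 0) -> bytes:
    """Constructed minimal v1/v2c GetRequest (empty varbind list) used as sample input."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)

SAMPLE_V3_HEADER = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))  # constructed v3-shaped prefix
```
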

  55. Wireshark is a network packet analysis tool.

  56. Sniffing packets is not possible if the network is protected. In other words, Wireshark cannot be used to analyze the packets if there are filters that show only the traffic generated from your machine

  57. A hub propagates signals to all ports instead of one specific port. It operates on Layer 1

  58. A switch operates on Layer 2. Packets are forwarded to a specific destination

  59. Promiscuous mode is receiving and handling all the packets on the segment regardless of the MAC address

  60. Sniffing Actions:

    1. Active Sniffing: injecting packets

      1. MAC Flooding: flooding the CAM table of a switch to redirect the packets. The CAM table [Content Addressable Memory table] is a table that contains port number, MAC address and TTL

      2. ARP Poisoning: a stealthy technique, more covert than MAC flooding; it is commonly used in Man-in-the-Middle attacks. The process mainly depends on redirecting the traffic of the target machine to the attacker machine

    2. Passive Sniffing: Wireshark

  61. ARP: Address Resolution Protocol matches IP addresses (Layer 3) with MAC addresses (Layer 2)

  62. ARP has two types of packets, ARP request and ARP reply

  63. Gratuitous ARP request

  64. Gratuitous ARP reply

  65. ARP Poisoning: works by poisoning the ARP cache of the host machines in the network

  66. There are two types of ARP poisoning:

    1. Host Poisoning: sending ARP replies to both parties of the communication

    2. Gateway Poisoning: sending ARP replies posing as the default gateway of the network

  67. Denial of Service can occur if the attacker machine forwards packets slowly

  68. ARP poisoning is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address
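
Detection logic for the ARP poisoning described in items 65 to 68, added here as an example rather than taken from the course: it replays ARP replies and reports an IP whose MAC changes (gateway or host poisoning) and one MAC claiming several IPs; SAMPLE_ARP_REPLIES is a constructed capture.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a segment, in order: (sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # a workstation
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation's IP
]

def detect_arp_poisoning(replies, gateway_ip=None, known=None):
    """Replay ARP replies in order and return the poisoning indicators from items 65 to 68:
    an IP whose MAC changes (gateway vs. host poisoning) and one MAC answering for many IPs."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}  # trusted static entries
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway poisoning" if ip == gateway_ip else "host poisoning"
            alerts.append(f"{kind}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:  # legitimate for some routers, so report it as a weaker signal
            alerts.append(f"suspicious: {mac} answers for several IPs {sorted(ips)}")
    return alerts
```

Feeding the function a list of known-good mappings (for example the gateway's real MAC) makes the first forged reply for that IP an alert instead of a silently learned baseline.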

  69. DHCP is a UDP-based protocol for assigning IP addresses dynamically.

  70. When a new device enters the network, it sends a DHCP discovery packet on UDP 67

  71. DHCP Spoofing: intercepting traffic by pretending to be a DHCP server that offers a longer lease time. During the spoofing, the attacker machine broadcasts a DHCPOFFER packet on the network to fool hosts into thinking its server is the default gateway. Once a client is connected, its traffic goes through the rogue DHCP server first, then the real gateway

  72. ACL is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file

  73. Exploitation is the act of taking advantage of a vulnerability in the system

  74. Most exploits are divided into:

    1. Client-side exploits

    2. Remote exploits

    3. Local privilege escalation exploits

  75. Metasploit is an exploitation framework

  76. Windows Authentication Protocols :

    1. LM

    2. NTLM

    3. NTLMv2

    4. Kerberos

  77. Client-side exploit requires some type of user interaction such as: clicking a link, opening a file, etc.

  78. Client-side exploits can come through installed applications, browser plugins or emails

  79. Remote Procedure Call: when a computer program calls a function or routine to execute on another computer on the shared network

  80. There are two types of privilege escalation :

    1. Vertical: moving from a lower-privileged user to root or administrator

    2. Horizontal: gaining access to another user with the same level of privilege

  81. In order to keep the session alive, migrating to a different process will keep the connection open

  82. It is important to note that the session migrated into another process has the same level of privileges as the current session

  83. Migration to another process happens first thing after the exploitation, to keep a persistent connection with the compromised machine

  84. UAC: User Account Control is a security technique used by Windows to prevent automatic execution of programs. This technique gives the user the ability to decide whether to execute a program or not.

  85. UAC is enabled by default in Windows Vista and above. XP is the only OS where it is not enabled by default

  86. Linux privilege escalation can be done either by uploading the exploit and compiling it on the target machine, or by compiling the exploit on the attacker machine and then uploading it to the target machine.

  87. When compiling the exploit consider the architecture of the targeted system in order for the exploit to work

  88. Privilege escalation can be accomplished by exploiting:

    1. OS vulnerabilities

    2. Cracking the root/admin credentials

    3. Injecting DLLs or replacing them with malicious ones

    4. Manipulating processes that have high-level access

  89. Land Attack: works by sending a packet to a vulnerable system with both the source and destination IP address set to the vulnerable system's own address. This type of attack creates a Denial of Service condition
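
A packet-inspection example added here (not from the course) for item 38 and item 89 together: it parses a raw IPv4/TCP header and flags Null, XMAS and FIN probe shapes as well as Land packets where source and destination are identical; make_packet builds constructed sample packets for offline testing.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # the six flags from item 37

def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags) from a raw IPv4+TCP packet (no link layer)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    src_ip = socket.inet_ntoa(pkt[12:16])
    dst_ip = socket.inet_ntoa(pkt[16:20])
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & 0x3F                    # byte 13 of the TCP header, low six bits
    return src_ip, dst_ip, src_port, dst_port, flags

def classify_packet(pkt: bytes) -> list:
    """Findings a sensor would raise for one packet: Land and the Null/XMAS/FIN probe shapes."""
    src_ip, dst_ip, src_port, dst_port, flags = parse_ipv4_tcp(pkt)
    findings = []
    if src_ip == dst_ip and src_port == dst_port:
        findings.append("land")                     # item 89: source equals destination
    if flags == 0:
        findings.append("null-scan")                # no flags at all
    elif flags == FIN | PSH | URG:
        findings.append("xmas-scan")                # FIN, PSH and URG lit up together
    elif flags == FIN:
        findings.append("fin-scan")                 # lone FIN with no established session
    return findings

def make_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal IPv4+TCP packet (zero checksums) for feeding the classifier offline."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr
```
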
