GitHub/school-of-sre
1
0
Fork 0
mirror of https://github.com/linkedin/school-of-sre synced 2026-01-20 07:28:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs (level 101): fix typos, punctuation, formatting (#160)

Browse Source 
* docs: formatted for readability

* docs: rephrased and added punctuation

* docs: fix typos, punctuation, formatting

* docs: fix typo and format

* docs: fix caps and formatting

* docs: fix punctuation and formatting

* docs: capitalized SQL commands, fixed puntuation, formatting

* docs: fix punctuation

* docs: fix punctuation and formatting

* docs: fix caps,punctuation and formatting

* docs: fix links, punctuation, formatting

* docs: fix code block formatting

* docs: fix punctuation, indentation and formatting
This commit is contained in:
Jana R
2024-07-28 17:38:19 +05:30
committed by GitHub
parent bdcc6856ed
commit 4239ecf473
58 changed files with 1522 additions and 1367 deletions
Download Patch File Download Diff File Expand all files Collapse all files

296
courses/level101/security/network_security.md
View File

@@ -6,7 +6,7 @@
- The OSI model is a seven-layer architecture. The OSI architecture is similar to the TCP/IP architecture, except that the OSI model specifies two additional layers between the application layer and the transport layer in the TCP/IP architecture. These two layers are the presentation layer and the session layer. Figure 5.1 shows the relationship between the TCP/IP layers and the OSI layers. The application layer in TCP/IP corresponds to the application layer and the presentation layer in OSI. The transport layer in TCP/IP corresponds to the session layer and the transport layer in OSI. The remaining three layers in the TCP/IP architecture are one-to-one correspondent to the remaining three layers in the OSI model.
![image14](images/image14.png)
Correspondence between layers of the TCP/IP architecture and the OSI model. Also shown are placements of cryptographic algorithms in network layers, where the dotted arrows indicate actual communications of cryptographic algorithms
Correspondence between layers of the TCP/IP architecture and the OSI model. Also shown are placements of cryptographic algorithms in network layers, where the _dotted arrows_ indicate actual communications of cryptographic algorithms
The functionalities of OSI layers are briefly described as follows:
@@ -15,7 +15,7 @@ The functionalities of OSI layers are briefly described as follows:
3. The session layer is responsible for creating, managing, and closing a communication connection.
4. The transport layer is responsible for providing reliable connections, such as packet sequencing, traffic control, and congestion control.
5. The network layer is responsible for routing device-independent data packets from the current hop to the next hop.
6. The data-link layer is responsible for encapsulating device-independent data packets into device-dependent data frames. It has two sublayers: logical link control and media access control.
6. The data-link layer is responsible for encapsulating device-independent data packets into device-dependent data frames. It has two sublayers: logical link control (LLC) and media access control (MAC).
7. The physical layer is responsible for transmitting device-dependent frames through some physical media.
- Starting from the application layer, data generated from an application program is passed down layer-by-layer to the physical layer. Data from the previous layer is enclosed in a new envelope at the current layer, where the data from the previous layer is also just an envelope containing the data from the layer before it. This is similar to enclosing a smaller envelope in a larger one. The envelope added at each layer contains sufficient information for handling the packet. Application-layer data are divided into blocks small enough to be encapsulated in an envelope at the next layer.
@@ -48,13 +48,13 @@ The functionalities of OSI layers are briefly described as follows:
### PGP & S/MIME : Email Security
- There are several security protocols at the application layer. The most used of these protocols are email security protocols namely PGP and S/MIME.
- SMTP (“Simple Mail Transfer Protocol”) is used for sending and delivering from a client to a server via port 25: its the outgoing server. On the contrary, POP (“Post Office Protocol”) allows the users to pick up the message and download it into their inbox: its the incoming server. The latest version of the Post Office Protocol is named POP3, and its been used since 1996; it uses port 110
- SMTP (“Simple Mail Transfer Protocol”) is used for sending and delivering from a client to a server via port 25: its the outgoing server. On the contrary, POP (“Post Office Protocol”) allows the users to pick up the message and download it into their inbox: its the incoming server. The latest version of the Post Office Protocol is named POP3, and its been used since 1996; it uses port 110.
PGP
- PGP implements all major cryptographic algorithms, the ZIP compression algorithm, and the Base64 encoding algorithm.
- It can be used to authenticate a message, encrypt a message, or both. PGP follows the following general process: authentication, ZIP compression, encryption, and Base64 encoding.
- The Base64 encoding procedure makes the message ready for SMTP transmission
- The Base64 encoding procedure makes the message ready for SMTP transmission.
GPG (GnuPG)
@@ -65,25 +65,25 @@ GPG (GnuPG)
S/MIME
- SMTP can only handle 7-bit ASCII text (You can use UTF-8 extensions to alleviate these limitations, ) messages. While POP can handle other content types besides 7-bit ASCII, POP may, under a common default setting, download all the messages stored in the mail server to the user's local computer. After that, if POP removes these messages from the mail server. This makes it difficult for the users to read their messages from multiple computers.
- SMTP can only handle 7-bit ASCII text messages (You can use UTF-8 extensions to alleviate these limitations.) While POP can handle other content types besides 7-bit ASCII, POP may, under a common default setting, download all the messages stored in the mail server to the user's local computer. After that, if POP removes these messages from the mail server. This makes it difficult for the users to read their messages from multiple computers.
- The Multipurpose Internet Mail Extension protocol (MIME) was designed to support sending and receiving email messages in various formats, including nontext files generated by word processors, graphics files, sound files, and video clips. Moreover, MIME allows a single message to include mixed types of data in any combination of these formats.
- The Internet Mail Access Protocol (IMAP), operated on TCP port 143(only for non-encrypted), stores (Configurable on both server & client just like PoP) incoming email messages in the mail server until the user deletes them deliberately. This allows the users to access their mailbox from multiple machines and download messages to a local machine without deleting it from the mailbox in the mail server.
- The Internet Mail Access Protocol (IMAP), operated on TCP port 143 (only for non-encrypted), stores (Configurable on both server & client just like PoP) incoming email messages in the mail server until the user deletes them deliberately. This allows the users to access their mailbox from multiple machines and download messages to a local machine without deleting it from the mailbox in the mail server.
SSL/TLS
- SSL uses a PKI to decide if a servers public key is trustworthy by requiring servers to use a security certificate signed by a trusted CA.
- When Netscape Navigator 1.0 was released, it trusted a single CA operated by the RSA Data Security corporation.
- The servers public RSA keys were used to be stored in the security certificate, which can then be used by the browser to establish a secure communication channel. The security certificates we use today still rely on the same standard (named X.509) that Netscape Navigator 1.0 used back then.
- Netscape intended to train users(though this didnt work out later) to differentiate secure communications from insecure ones, so they put a lock icon next to the address bar. When the lock is open, the communication is insecure. A closed lock means communication has been secured with SSL, which required the server to provide a signed certificate. Youre obviously familiar with this icon as its been in every browser ever since. The engineers at Netscape truly created a standard for secure internet communications.
- Netscape intended to train users (though this didnt work out later) to differentiate secure communications from insecure ones, so they put a lock icon next to the address bar. When the lock is open, the communication is insecure. A closed lock means communication has been secured with SSL, which required the server to provide a signed certificate. Youre obviously familiar with this icon as its been in every browser ever since. The engineers at Netscape truly created a standard for secure Internet communications.
- A year after releasing SSL 2.0, Netscape fixed several security issues and released SSL 3.0, a protocol that, albeit being officially deprecated since June 2015, remains in use in certain parts of the world more than 20 years after its introduction. To standardize SSL, the Internet Engineering Task Force (IETF) created a slightly modified SSL 3.0 and, in 1999, unveiled it as Transport Layer Security (TLS) 1.0. The name change between SSL and TLS continues to confuse people today. Officially, TLS is the new SSL, but in practice, people use SSL and TLS interchangeably to talk about any version of the protocol.
- Must See:
- <https://tls.ulfheim.net/>
- <https://davidwong.fr/tls13/>
- <https://tls.ulfheim.net/>
- <https://davidwong.fr/tls13/>
## Network Perimeter Security
## Network Perimeter Security
Let us see how we keep a check on the perimeter i.e the edges, the first layer of protection
Let us see how we keep a check on the perimeter, i.e the edges, the first layer of protection.
### General Firewall Framework
@@ -96,28 +96,28 @@ Let us see how we keep a check on the perimeter i.e the edges, the first layer o
### Packet Filters
- It inspects ingress packets coming to an internal network from outside and inspects egress packets going outside from an internal network
- Packing filtering only inspects IP headers and TCP headers, not the payloads generated at the application layer
- Packet-filtering only inspects IP headers and TCP headers, not the payloads generated at the application layer.
- A packet-filtering firewall uses a set of rules to determine whether a packet should be allowed or denied to pass through.
- 2 types:
- Stateless
- It treats each packet as an independent object, and it does not keep track of any previously processed packets. In other words, stateless filtering inspects a packet when it arrives and makes a decision without leaving any record of the packet being inspected.
- Stateless
- It treats each packet as an independent object, and it does not keep track of any previously processed packets. In other words, stateless filtering inspects a packet when it arrives and makes a decision without leaving any record of the packet being inspected.
- Stateful
- Stateful filtering, also referred to as connection-state filtering, keeps track of connections between an internal host and an external host. A connection state (or state, for short) indicates whether it is a TCP connection or a UDP connection and whether the connection is established.
- Stateful
- Stateful filtering, also referred to as connection-state filtering, keeps track of connections between an internal host and an external host. A connection state (or state, for short) indicates whether it is a TCP connection or a UDP connection and whether the connection is established.
### Circuit Gateways
- Circuit gateways, also referred to as circuit-level gateways, are typically operated at the transportation layer
- Circuit gateways, also referred to as circuit-level gateways, are typically operated at the transportation layer.
- They evaluate the information of the IP addresses and the port numbers contained in TCP (or UDP) headers and use it to determine whether to allow or to disallow an internal host and an external host to establish a connection.
- It is common practice to combine packet filters and circuit gateways to form a dynamic packet filter (DPF).
### Application Gateways(ALG)
### Application Gateways (ALG)
- Aka PROXY Servers
- An Application Level Gateway (ALG) acts as a proxy for internal hosts, processing service requests from external clients.
- An ALG performs deep inspections on each IP packet (ingress or egress).
- In particular, an ALG inspects application program formats contained in the packet (e.g., MIME format or SQL format) and examines whether its payload is permitted.
- Thus, an ALG may be able to detect a computer virus contained in the payload. Because an ALG inspects packet payloads, it may be able to detect malicious code and quarantine suspicious packets, in addition to blocking packets with suspicious IP addresses and TCP ports. On the other hand, an ALG also incurs substantial computation and space overheads.
- Thus, an ALG may be able to detect a computer virus contained in the payload. Because an ALG inspects packet payloads, it may be able to detect malicious code and quarantine suspicious packets, in addition to blocking packets with suspicious IP addresses and TCP ports. On the other hand, an ALG also incurs substantial computation and space overheads.
### Trusted Systems & Bastion Hosts
@@ -128,8 +128,8 @@ Let us see how we keep a check on the perimeter i.e the edges, the first layer o
- Its system management is appropriate.
- Bastion Hosts
- Bastion hosts are computers with strong defence mechanisms. They often serve as host computers for implementing application gateways, circuit gateways, and other types of firewalls. A bastion host is operated on a trusted operating system that must not contain unnecessary functionalities or programs. This measure helps to reduce error probabilities and makes it easier to conduct security checks. Only those network application programs that are necessary, for example, SSH, DNS, SMTP, and authentication programs, are installed on a bastion host.
- Bastion hosts are also primarily used as controlled ingress points so that the security monitoring can focus more narrowly on actions happening at a single point closely.
- Bastion hosts are computers with strong defence mechanisms. They often serve as host computers for implementing application gateways, circuit gateways, and other types of firewalls. A bastion host is operated on a trusted operating system that must not contain unnecessary functionalities or programs. This measure helps to reduce error probabilities and makes it easier to conduct security checks. Only those network application programs that are necessary, for example, SSH, DNS, SMTP, and authentication programs, are installed on a bastion host.
- Bastion hosts are also primarily used as controlled ingress points so that the security monitoring can focus more narrowly on actions happening at a single point closely.
---
@@ -138,9 +138,9 @@ Let us see how we keep a check on the perimeter i.e the edges, the first layer o
### Scanning Ports with Nmap
- Nmap ("Network Mapper") is a free and open-source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
- The best thing about Nmap is its free and open-source and is very flexible and versatile
- The best thing about Nmap is its free and open-source and is very flexible and versatile.
- Nmap is often used to determine alive hosts in a network, open ports on those hosts, services running on those open ports, and version identification of that service on that port.
- More at http://scanme.nmap.org/
- More at [http://scanme.nmap.org/](http://scanme.nmap.org/).
```
nmap [scan type] [options] [target specification]
@@ -149,48 +149,48 @@ nmap [scan type] [options] [target specification]
Nmap uses 6 different port states:
- **Open**An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports are what interests us the most because they are the ones that are vulnerable to attacks. Open ports also show the available services on a network.
- **Closed**A port that receives and responds to Nmap probe packets but there is no application listening on that port. Useful for identifying that the host exists and for OS detection.
- **Filtered**Nmap cant determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules. Often little information is given from filtered ports during scans as the filters can drop the probes without responding or respond with useless error messages e.g. destination unreachable.
- **Unfiltered**Port is accessible but Nmap doesnt know if it is open or closed. Only used in ACK scan which is used to map firewall rulesets. Other scan types can be used to identify whether the port is open.
- **Open/filtered**Nmap is unable to determine between open and filtered. This happens when an open port gives no response. No response could mean that the probe was dropped by a packet filter or any response is blocked.
- **Closed/filtered**Nmap is unable to determine whether a port is closed or filtered. Only used in the IP ID idle scan.
- **Open**&mdash;An open port is one that is actively accepting TCP, UDP or SCTP connections. Open ports are what interests us the most because they are the ones that are vulnerable to attacks. Open ports also show the available services on a network.
- **Closed**&mdash;A port that receives and responds to Nmap probe packets but there is no application listening on that port. Useful for identifying that the host exists and for OS detection.
- **Filtered**&mdash;Nmap cant determine whether the port is open because packet filtering prevents its probes from reaching the port. Filtering could come from firewalls or router rules. Often little information is given from filtered ports during scans as the filters can drop the probes without responding or respond with useless error messages, e.g. destination unreachable.
- **Unfiltered**&mdash;Port is accessible but Nmap doesnt know if it is open or closed. Only used in ACK scan which is used to map firewall rulesets. Other scan types can be used to identify whether the port is open.
- **Open/filtered**&mdash;Nmap is unable to determine between open and filtered. This happens when an open port gives no response. No response could mean that the probe was dropped by a packet filter or any response is blocked.
- **Closed/filtered**&mdash;Nmap is unable to determine whether a port is closed or filtered. Only used in the IP ID idle scan.
### Types of Nmap Scan:
1. TCP Connect
- TCP Connect scan completes the 3-way handshake.
- If a port is open, the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection to avoid DOS. This is “noisy” because the services can log the sender IP address and might trigger Intrusion Detection Systems.
- TCP Connect scan completes the three-way handshake.
- If a port is open, the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection to avoid DOS. This is “noisy” because the services can log the sender IP address and might trigger Intrusion Detection Systems.
2. UDP Scan
- This scan checks to see if any UDP ports are listening.
- Since UDP does not respond with a positive acknowledgement like TCP and only responds to an incoming UDP packet when the port is closed,
- This scan checks to see if any UDP ports are listening.
- Since UDP does not respond with a positive acknowledgement like TCP and only responds to an incoming UDP packet when the port is closed.
3. SYN Scan
- SYN scan is another form of TCP scanning.
- This scan type is also known as “half-open scanning” because it never actually opens a full TCP connection.
- The port scanner generates a SYN packet. If the target port is open, it will respond with an SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.
- If the port is closed but unfiltered, the target will instantly respond with an RST packet.
- SYN scan has the advantage that the individual services never actually receive a connection.
- SYN scan is another form of TCP scanning.
- This scan type is also known as “half-open scanning” because it never actually opens a full TCP connection.
- The port scanner generates a SYN packet. If the target port is open, it will respond with an SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.
- If the port is closed but unfiltered, the target will instantly respond with an RST packet.
- SYN scan has the advantage that the individual services never actually receive a connection.
4. FIN Scan
- This is a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead.
- This is a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead.
5. ACK Scan
- Ack scanning determines whether the port is filtered or not.
6. Null Scan
- Another very stealthy scan that sets all the TCP header flags to off or null.
- This is not normally a valid packet and some hosts will not know what to do with this.
- ACK scanning determines whether the port is filtered or not.
6. NULL Scan
- Another very stealthy scan that sets all the TCP header flags to off or NULL.
- This is not normally a valid packet and some hosts will not know what to do with this.
7. XMAS Scan
- Similar to the NULL scan except for all the flags in the TCP header is set to on
- Similar to the NULL scan except for all the flags in the TCP header is set to on.
8. RPC Scan
- This special type of scan looks for machine answering to RPC (Remote Procedure Call) services
- This special type of scan looks for machine answering to RPC (Remote Procedure Call) services.
9. IDLE Scan
- It is a super stealthy method whereby the scan packets are bounced off an external host.
- You dont need to have control over the other host but it does have to set up and meet certain requirements. You must input the IP address of our “zombie” host and what port number to use. It is one of the more controversial options in Nmap since it only has a use for malicious attacks.
- It is a super stealthy method whereby the scan packets are bounced off an external host.
- You dont need to have control over the other host but it does have to set up and meet certain requirements. You must input the IP address of our “zombie” host and what port number to use. It is one of the more controversial options in Nmap since it only has a use for malicious attacks.
Scan Techniques
A couple of scan techniques which can be used to gain more information about a system and its ports. You can read more at <https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca>
A couple of scan techniques which can be used to gain more information about a system and its ports. You can read more at <https://medium.com/infosec-adventures/nmap-cheatsheet-a423fcdda0ca>.
### OpenVAS
@@ -198,12 +198,12 @@ A couple of scan techniques which can be used to gain more information about a s
- OpenVAS is a framework of services and tools that provides a comprehensive and powerful vulnerability scanning and management package
- OpenVAS, which is an open-source program, began as a fork of the once-more-popular scanning program, Nessus.
- OpenVAS is made up of three main parts. These are:
- a regularly updated feed of Network Vulnerability Tests (NVTs);
- a scanner, which runs the NVTs; and
- an SQLite 3 database for storing both your test configurations and the NVTs results and configurations.
- <https://www.greenbone.net/en/install_use_gce/>
- a regularly updated feed of Network Vulnerability Tests (NVTs);
- a scanner, which runs the NVTs; and
- an SQLite 3 database for storing both your test configurations and the NVTs results and configurations.
- <https://www.greenbone.net/en/install_use_gce/>
### WireShark
### Wireshark
- Wireshark is a protocol analyzer.
- This means Wireshark is designed to decode not only packet bits and bytes but also the relations between packets and protocols.
@@ -211,103 +211,118 @@ A couple of scan techniques which can be used to gain more information about a s
A simple demo of Wireshark
1. Capture only udp packets:
- Capture filter = “udp”
1. Capture only UDP packets:
- `Capture filter = “udp”`
2. Capture only tcp packets
- Capture filter = “tcp”
2. Capture only TCP packets:
- `Capture filter = “tcp”`
3. TCP/IP 3 way Handshake
3. TCP/IP three-way Handshake:<br/><br/>
![image17](images/image17.png)
4. Filter by IP address: displays all traffic from IP, be it source or destination
- ip.addr == 192.168.1.1
- `ip.addr == 192.168.1.1`
5. Filter by source address: display traffic only from IP source
- ip.src == 192.168.0.1
- `ip.src == 192.168.0.1`
6. Filter by destination: display traffic only form IP destination
- ip.dst == 192.168.0.1
- `ip.dst == 192.168.0.1`
7. Filter by IP subnet: display traffic from subnet, be it source or destination
- ip.addr = 192.168.0.1/24
- `ip.addr = 192.168.0.1/24`
8. Filter by protocol: filter traffic by protocol name
- dns
- http
- ftp
- arp
- ssh
- telnet
- icmp
- dns
- http
- ftp
- arp
- ssh
- telnet
- icmp
9. Exclude IP address: remove traffic from and to IP address
- !ip.addr ==192.168.0.1
- `!ip.addr ==192.168.0.1`
10. Display traffic between two specific subnet
- ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24
- `ip.addr == 192.168.0.1/24 and ip.addr == 192.168.1.1/24`
11. Display traffic between two specific workstations
- ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2
- `ip.addr == 192.168.0.1 and ip.addr == 192.168.0.2`
12. Filter by MAC
- eth.addr = 00:50:7f:c5:b6:78
- `eth.addr = 00:50:7f:c5:b6:78`
13. Filter TCP port
- tcp.port == 80
14. Filter TCP port source
- tcp.srcport == 80
15. Filter TCP port destination
- tcp.dstport == 80
16. Find user agents
- http.user_agent contains Firefox
- !http.user_agent contains || !http.user_agent contains Chrome
17. Filter broadcast traffic
- !(arp or icmp or dns)
18. Filter IP address and port
- tcp.port == 80 && ip.addr == 192.168.0.1
- `tcp.port == 80`
14. Filter TCP port source
- `tcp.srcport == 80`
15. Filter TCP port destination
- `tcp.dstport == 80`
16. Find user agents
- `http.user_agent contains Firefox`
- `!http.user_agent contains || !http.user_agent contains Chrome`
17. Filter broadcast traffic
- `!(arp or icmp or dns)`
18. Filter IP address and port
- `tcp.port == 80 && ip.addr == 192.168.0.1`
19. Filter all HTTP GET requests
- `http.request`
20. Filter all HTTP GET requests and responses
- `http.request or http.response`
21. Filter three-way handshake
- `tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)`
19. Filter all http get requests
- http.request
20. Filter all http get requests and responses
- http.request or http.response
21. Filter three way handshake
- tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)
22. Find files by type
- frame contains “(attachment|tar|exe|zip|pdf)”
- `frame contains “(attachment|tar|exe|zip|pdf)”`
23. Find traffic based on keyword
- tcp contains facebook
- frame contains facebook
- `tcp contains facebook`
- `frame contains facebook`
24. Detecting SYN Floods
- tcp.flags.syn == 1 and tcp.flags.ack == 0
- `tcp.flags.syn == 1 and tcp.flags.ack == 0`
**Wireshark Promiscuous Mode**
- By default, Wireshark only captures packets going to and from the computer where it runs. By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you can capture most of the traffic on the LAN.
### DumpCap
- By default, Wireshark only captures packets going to and from the computer where it runs. By checking the box to run Wireshark in Promiscuous Mode in the Capture Settings, you can capture most of the traffic on the LAN.
- Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcaps native capture file format is pcapng, which is also the format used by Wireshark.
- By default, Dumpcap uses the pcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets time stamps into a pcapng file. The capture filter syntax follows the rules of the pcap library.
- The Wireshark command-line utility called 'dumpcap.exe' can be used to capture LAN traffic over an extended period of time.
- Wireshark itself can also be used, but dumpcap does not significantly utilize the computer's memory while capturing for long periods.
### Dumpcap
- Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the packets to a file. Dumpcaps native capture file format is `pcapng`, which is also the format used by Wireshark.
- By default, Dumpcap uses the `pcap` library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets time stamps into a `pcapng` file. The capture filter syntax follows the rules of the `pcap` library.
- The Wireshark command-line utility called `dumpcap.exe` can be used to capture LAN traffic over an extended period of time.
- Wireshark itself can also be used, but Dumpcap does not significantly utilize the computer's memory while capturing for long periods.
### DaemonLogger
- Daemonlogger is a packet logging application designed specifically for use in Network and Systems Management (NSM) environments.
- The biggest benefit Daemonlogger provides is that, like Dumpcap, it is simple to use for capturing packets. In order to begin capturing, you need only to invoke the command and specify an interface.
- daemonlogger i eth1
- This option, by default, will begin capturing packets and logging them to the current working directory.
- Packets will be collected until the capture file size reaches 2 GB, and then a new file will be created. This will continue indefinitely until the process is halted.
- DaemonLogger is a packet logging application designed specifically for use in Network and Systems Management (NSM) environments.
- The biggest benefit DaemonLogger provides is that, like Dumpcap, it is simple to use for capturing packets. In order to begin capturing, you need only to invoke the command and specify an interface.
- `daemonlogger i eth1`
- This option, by default, will begin capturing packets and logging them to the current working directory.
- Packets will be collected until the capture file size reaches 2 GB, and then a new file will be created. This will continue indefinitely until the process is halted.
### NetSniff-NG
### netsniff-ng
- Netsniff-NG is a high-performance packet capture utility
- While the utilities weve discussed to this point rely on Libpcap for capture, Netsniff-NG utilizes zero-copy mechanisms to capture packets. This is done with the intent to support full packet capture over high throughput links.
- To begin capturing packets with Netsniff-NG, we have to specify an input and output. In most cases, the input will be a network interface, and the output will be a file or folder on disk.
- netsniff-ng is a high-performance packet capture utility
- While the utilities weve discussed to this point rely on `libpcap` for capture, netsniff-ng utilizes zero-copy mechanisms to capture packets. This is done with the intent to support full packet capture over high throughput links.
- To begin capturing packets with netsniff-ng, we have to specify an input and output. In most cases, the input will be a network interface, and the output will be a file or folder on disk.
```shell
netsniff-ng i eth1 o data.pcap
```
`netsniff-ng i eth1 o data.pcap`
### NetFlow
### Netflow
- NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:[1]
- NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<sup>[1]</sup>
- Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.
- Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
@@ -317,7 +332,7 @@ A simple demo of Wireshark
### IDS
A security solution that detects security-related events in your environment but does not block them.
IDS sensors can be software and hardware-based used to collect and analyze the network traffic. These sensors are available in two varieties, network IDS and host IDS.
IDS sensors can be software- and hardware-based used to collect and analyze the network traffic. These sensors are available in two varieties, network IDS and host IDS.
- A host IDS is a server-specific agent running on a server with a minimum of overhead to monitor the operating system.
- A network IDS can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic.
@@ -325,7 +340,7 @@ IDS sensors can be software and hardware-based used to collect and analyze the n
Signature Based IDS
- The signature-based IDS monitors the network traffic or observes the system and sends an alarm if a known malicious event is happening.
- It does so by comparing the data flow against a database of known attack patterns
- It does so by comparing the data flow against a database of known attack patterns.
- These signatures explicitly define what traffic or activity should be considered as malicious.
- Signature-based detection has been the bread and butter of network-based defensive security for over a decade, partially because it is very similar to how malicious activity is detected at the host level with antivirus utilities
- The formula is fairly simple: an analyst observes a malicious activity, derives indicators from the activity and develops them into signatures, and then those signatures will alert whenever the activity occurs again.
@@ -342,7 +357,7 @@ Policy-Based IDS
Anomaly Based IDS
- The anomaly-based IDS looks for traffic that deviates from the normal, but the definition of what is a normal network traffic pattern is the tricky part
- The anomaly-based IDS looks for traffic that deviates from the normal, but the definition of what is a normal network traffic pattern is the tricky part.
- Two types of anomaly-based IDS exist: statistical and nonstatistical anomaly detection
- Statistical anomaly detection learns the traffic patterns interactively over a period of time.
- In the nonstatistical approach, the IDS has a predefined configuration of the supposedly acceptable and valid traffic patterns.
@@ -355,7 +370,7 @@ Host-Based IDS & Network-Based IDS
Honeypots
- The use of decoy machines to direct intruders' attention away from the machines under protection is a major technique to preclude intrusion attacks. Any device, system, directory, or file used as a decoy to lure attackers away from important assets and to collect intrusion or abusive behaviours is referred to as a honeypot.
- The use of decoy machines to direct intruders' attention away from the machines under protection is a major technique to preclude intrusion attacks. Any device, system, directory, or file used as a decoy to lure attackers away from important assets and to collect intrusion or abusive behaviors is referred to as a honeypot.
- A honeypot may be implemented as a physical device or as an emulation system. The idea is to set up decoy machines in a LAN, or decoy directories/files in a file system and make them appear important, but with several exploitable loopholes, to lure attackers to attack these machines or directories/files, so that other machines, directories, and files can evade intruders' attentions. A decoy machine may be a host computer or a server computer. Likewise, we may also set up decoy routers or even decoy LANs.
---
@@ -373,46 +388,45 @@ Honeypots
IP Spoofing Detection Techniques
- Direct TTL Probes
- In this technique we send a packet to a host of suspect spoofed IP that triggers reply and compares TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked; it is a spoofed packet.
- This Technique is successful when the attacker is in a different subnet from the victim.
![image19](images/image19.png)
- In this technique, we send a packet to a host of suspect spoofed IP that triggers reply and compares TTL with suspect packet; if the TTL in the reply is not the same as the packet being checked; it is a spoofed packet.
- This Technique is successful when the attacker is in a different subnet from the victim.
![image19](images/image19.png)
- IP Identification Number.
- Send a probe to the host of suspect spoofed traffic that triggers a reply and compares IP ID with suspect traffic.
- If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed
- If IP IDs are not in the near value of packet being checked, suspect traffic is spoofed.
- TCP Flow Control Method
- Attackers sending spoofed TCP packets will not receive the targets SYN-ACK packets.
- Attackers cannot, therefore, be responsive to change in the congestion window size
- When the receiver still receives traffic even after a windows size is exhausted, most probably the packets are spoofed.
- Attackers sending spoofed TCP packets will not receive the targets SYN-ACK packets.
- Attackers cannot, therefore, be responsive to change in the congestion window size.
- When the receiver still receives traffic even after a windows size is exhausted, most probably the packets are spoofed.
### Covert Channel
- A covert or clandestine channel can be best described as a pipe or communication channel between two entities that can be exploited by a process or application transferring information in a manner that violates the system's security specifications.
- More specifically for TCP/IP, in some instances, covert channels are established, and data can be secretly passed between two end systems.
- Ex: ICMP resides at the Internet layer of the TCP/IP protocol suite and is implemented in all TCP/IP hosts. Based on the specifications of the ICMP Protocol, an ICMP Echo Request message should have an 8-byte header and a 56-byte payload. The ICMP Echo Request packet should not carry any data in the payload. However, these packets are often used to carry secret information. The ICMP packets are altered slightly to carry secret data in the payload. This makes the size of the packet larger, but no control exists in the protocol stack to defeat this behaviour. The alteration of ICMP packets allows intruders to program specialized client-server pairs. These small pieces of code export confidential information without alerting the network administrator.
- ICMP can be leveraged for more than data exfiltration. For eg. some C&C tools such as Loki used ICMP channel to establish encrypted interactive session back in 1996.
- Deep packet inspection has since come a long way. A lot of IDS/IPS detect ICMP tunnelling.
- Check for echo responses that do not contain the same payload as request
- Check for the volume of ICMP traffic especially for volumes beyond an acceptable threshold
- Ex: ICMP resides at the Internet layer of the TCP/IP protocol suite and is implemented in all TCP/IP hosts. Based on the specifications of the ICMP Protocol, an ICMP Echo Request message should have an 8-byte header and a 56-byte payload. The ICMP Echo Request packet should not carry any data in the payload. However, these packets are often used to carry secret information. The ICMP packets are altered slightly to carry secret data in the payload. This makes the size of the packet larger, but no control exists in the protocol stack to defeat this behavior. The alteration of ICMP packets allows intruders to program specialized client-server pairs. These small pieces of code export confidential information without alerting the network administrator.
- ICMP can be leveraged for more than data exfiltration. For eg. some C&C tools such as Loki used ICMP channel to establish encrypted interactive session back in 1996.
- Deep packet inspection has since come a long way. A lot of IDS/IPS detect ICMP tunnelling.
- Check for Echo responses that do not contain the same payload as request.
- Check for the volume of ICMP traffic especially for volumes beyond an acceptable threshold.
### IP Fragmentation Attack
- The TCP/IP protocol suite, or more specifically IP, allows the fragmentation of packets.(this is a feature & not a bug)
- The TCP/IP protocol suite, or more specifically IP, allows the fragmentation of packets. (this is a feature & not a bug)
- IP fragmentation offset is used to keep track of the different parts of a datagram.
- The information or content in this field is used at the destination to reassemble the datagrams
- The information or content in this field is used at the destination to reassemble the datagrams.
- All such fragments have the same Identification field value, and the fragmentation offset indicates the position of the current fragment in the context of the original packet.
- Many access routers and firewalls do not perform packet reassembly. In normal operation, IP fragments do not overlap, but attackers can create artificially fragmented packets to mislead the routers or firewalls. Usually, these packets are small and almost impractical for end systems because of data and computational overhead.
- A good example of an IP fragmentation attack is the Ping of Death attack. The Ping of Death attack sends fragments that, when reassembled at the end station, create a larger packet than the maximum permissible length.
- A good example of an IP fragmentation attack is the Ping of Death (PoD) attack. The Ping of Death attack sends fragments that, when reassembled at the end station, create a larger packet than the maximum permissible length.
TCP Flags
- Data exchange using TCP does not happen until a three-way handshake has been completed. This handshake uses different flags to influence the way TCP segments are processed.
- There are 6 bits in the TCP header that are often called flags. Namely:
- 6 different flags are part of the TCP header: Urgent pointer field (URG), Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize sequence numbers (SYN), and the sender is finished with this connection (FIN).
- six different flags are part of the TCP header: Urgent pointer field (URG), Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize sequence numbers (SYN), and the sender is finished with this connection (FIN).
![image20](images/image20.png)
- Abuse of the normal operation or settings of these flags can be used by attackers to launch DoS attacks. This causes network servers or web servers to crash or hang.
@@ -430,8 +444,8 @@ TCP Flags
SYN FLOOD
- The timers (or lack of certain timers) in 3 way handshake are often used and exploited by attackers to disable services or even to enter systems.
- After step 2 of the three-way handshake, no limit is set on the time to wait after receiving a SYN. The attacker initiates many connection requests to the webserver of Company XYZ (almost certainly with a spoofed IP address).
- The timers (or lack of certain timers) in three-way handshake are often used and exploited by attackers to disable services or even to enter systems.
- After step 2 of the three-way handshake, no limit is set on the time-to-wait after receiving a SYN. The attacker initiates many connection requests to the webserver of Company XYZ (almost certainly with a spoofed IP address).
- The SYN+ACK packets (Step 2) sent by the web server back to the originating source IP address are not replied to. This leaves a TCP session half-open on the webserver. Multiple packets cause multiple TCP sessions to stay open.
- Based on the hardware limitations of the server, a limited number of TCP sessions can stay open, and as a result, the webserver refuses further connection establishments attempts from any host as soon as a certain limit is reached. These half-open connections need to be completed or timed out before new connections can be established.
@@ -474,7 +488,7 @@ Mechanism:
- The first task can be achieved in two ways: by injecting the code in the right address space or by using the existing code and modifying certain parameters slightly. The second task is a little more complex because the program's control flow needs to be modified to make the program jump to the dirty code.
CounterMeasure:
Counter Measure:
- The most important approach is to have a concerted focus on writing correct code.
- A second method is to make the data buffers (memory locations) address space of the program code non-executable. This type of address space makes it impossible to execute code, which might be infiltrated in the program's buffers during an attack.
@@ -485,10 +499,10 @@ Address Resolution Protocol Spoofing
- The Address Resolution Protocol (ARP) provides a mechanism to resolve, or map, a known IP address to a MAC sublayer address.
- Using ARP spoofing, the cracker can exploit this hardware address authentication mechanism by spoofing the hardware address of Host B. Basically, the attacker can convince any host or network device on the local network that the cracker's workstation is the host to be trusted. This is a common method used in a switched environment.
- ARP spoofing can be prevented with the implementation of static ARP tables in all the hosts and routers of your network. Alternatively, you can implement an ARP server that responds to ARP requests on behalf of the target host.
- ARP spoofing can be prevented with the implementation of static ARP tables in all the hosts and routers of your network. Alternatively, you can implement an ARP server that responds to ARP requests on behalf of the target host.
DNS Spoofing
- DNS spoofing is the method whereby the hacker convinces the target machine that the system it wants to connect to is the machine of the cracker.
- The cracker modifies some records so that name entries of hosts correspond to the attacker's IP address. There have been instances in which the complete DNS server was compromised by an attack.
- To counter DNS spoofing, the reverse lookup detects these attacks. The reverse lookup is a mechanism to verify the IP address against a name. The IP address and name files are usually kept on different servers to make compromise much more difficult
- To counter DNS spoofing, the reverse lookup detects these attacks. The reverse lookup is a mechanism to verify the IP address against a name. The IP address and name files are usually kept on different servers to make compromise much more difficult.