Ethical Hacking - From Zero to Hero - A Summarization

 Ethical Hacking


What is Hacking?

Hacking, in simple words, is the process by which an attacker takes advantage of vulnerabilities in a system to intrude into / penetrate that system, locally or remotely.
Hacking can be used to steal or leak private content belonging to an individual or a company.
Hacking is the process of identifying and exploiting weaknesses in a system or network to gain unauthorized access to data and system resources. It can also be defined as an unauthorized intrusion into information systems/networks by an attacker who compromises their security. Example of hacking: exploiting a default password to gain access to the data stored on a system.


What is Ethical Hacking?

Ethical Hacking, sometimes called Penetration Testing, is the act of intruding into / penetrating systems or networks to find the threats and vulnerabilities that a malicious attacker could find and exploit, causing loss of data, financial loss or other major damage. The purpose of ethical hacking is to improve the security of the network or systems by fixing the vulnerabilities found during testing. Ethical hackers may use the same methods and tools as malicious hackers, but with the written permission of the authorized owner and for the purpose of improving security and defending the systems against malicious users.
Ethical hackers are expected to report all vulnerabilities and weaknesses found during the process to management, together with the evidence and the steps needed to fix them.


Who is an Ethical Hacker ?

An Ethical Hacker is a skilled professional with excellent technical knowledge who knows how to identify and exploit vulnerabilities in target systems. They work only with the permission of the system owners, inside an agreed scope. An ethical hacker must comply with the rules of the target organization or owner and with the law of the land, and their aim is to assess the security posture of the target organization/system.


Types of Hacking:-

Account Hacking
System Hacking
Website Hacking
Network Hacking


Essential Terminology:-

Threat: Anything that has the potential to cause harm. Threats can be grouped into system threats, network threats, application threats, cloud threats, malicious-file threats, etc.
Vulnerability: A weakness or flaw in a system which an attacker may find and exploit. An outdated (unpatched) OS, default passwords and unencrypted protocols are all good examples of vulnerabilities.
Attack: The method a hacker/individual follows to break into a system. Denial of service, misconfiguration attacks, operating system attacks, viruses and worms are all examples of attacks.
Attack vector: The path or means by which an attacker gains access to an information system to perform malicious activities.
Hack Value - The notion among hackers that something is worth doing.
Exploit - A piece of code or a technique that takes advantage of a specific vulnerability to intrude into / penetrate a system.
Payload - The code an exploit delivers and runs on the target once the vulnerability has been triggered (for example a reverse shell).
Zero Day Attack - When a hacker finds a new vulnerability that nobody else, including the vendor, knows about, so no patch exists yet; an attack using such a vulnerability is called a 0-day attack.
Doxing - When a hacker publishes personal information about an individual, that is called doxing.
Bot - A bot is software which, once installed on a computer, lets an attacker control that system remotely. A group of such compromised machines under one controller is called a botnet.


Hacker Classes:-

Black Hat Hackers - Hackers with strong computing skills who break into systems for illegal or malicious purposes (theft, extortion, sabotage). That's why they are called black hat hackers.
White Hat Hackers - Professional hackers who work in the industry. They are also called ethical hackers. They work for legal purposes, with permission, to secure the networks / web applications of a company. Companies hire white hat hackers.
Gray Hat Hackers - These hackers work both sides: they may act legally at times and illegally at others, for example breaking into a system without permission and then reporting the flaw. That's why they are called gray hat hackers.
Suicide Hackers - These hackers don't care about the consequences of hacking. They just want to take down the target and do not mind going to prison.
Script Kiddies - These are beginners in hacking. They lack programming / coding skills and just run software / tools created by others, often without understanding how they work.
Hacktivist - Hackers who break into or deface systems to promote a political or social agenda (for example by defacing websites or leaking data) are called hacktivists.


CIA Triangle

-Confidentiality
-Availability
-Integrity


Important Characteristics of Information

Information is meaningful data which has to be protected in order to protect the privacy, security and identity of an organization, a person or a nation. Information is called valuable because of a few characteristics. The main characteristics which make information valuable are:
1. Confidentiality
Confidentiality ensures that information is accessible only to authorized users. The main purpose of confidentiality is to keep sensitive information from reaching the wrong hands. It is used to maintain the privacy of people. Encryption is a good example of a confidentiality control.
2. Availability
Information should be available to an authorized person when it is requested. It is the guarantee that authorized individuals can access the information. Keeping all hardware and software up to date, keeping backups and taking proper recovery measures ensure availability of data.
3. Integrity
Integrity maintains the correctness or accuracy of information while the data is in transit, in storage or being processed. It is the guarantee that information is trustworthy and has not been tampered with. This attribute ensures that an unauthorized person cannot modify the data without the change being detected.
RSA digital signatures and cryptographic hashes such as SHA-256 are good examples (SHA-1 still appears in older material but is deprecated for integrity use because collisions are practical).
4. Authentication
It is verifying whether the user, data or transaction involved is genuine. This attribute ensures that only genuine or right people are given access to the information. Login mechanisms can be used to verify the authenticity of users.
5. Non-Repudiation
This is a property of information which is used to hold a person responsible for the information they sent or received. In future, they cannot deny their role in sending or receiving the information. Digital signatures provide non-repudiation.


Security, Functionality and Usability Triangle:-

There is an interdependency between these three attributes. When security goes up, usability and functionality tend to come down. Any organization should balance these three qualities to arrive at a balanced information system.


Penetration Testing

It is the process of evaluating the security of an organization by exploiting its vulnerabilities the way an attacker would, and thereby documenting the attack procedure as well as the defences required.
Types of penetration testing:
Black box: The penetration tester is not given any details pertaining to the network or infrastructure of the organization.
White box: The penetration tester is given complete details of the infrastructure to be tested.
Gray box: The penetration tester is provided with limited knowledge about the systems to be tested.

Phases of Hacking:-

Hacking is carried out in five phases, as follows:
- Reconnaissance / Information Gathering / Foot-printing
- Scanning
- Gaining Access
- Maintaining Access
- Covering Tracks

Step 1 : Reconnaissance / Information Gathering / Foot-Printing

What is Footprinting?

Refers to the process of collecting as much information as possible about the target system to find ways to penetrate it. An ethical hacker spends the majority of their time profiling an organization, gathering information about the hosts, network and people related to the organization.
Information such as IP addresses, Whois records, DNS information, the operating systems used, employee email IDs, phone numbers etc. is collected.

Footprinting helps to
Know Security Posture – The data gathered will help us to get an overview of the security posture of the company such as details about the presence of a firewall, security configurations of applications etc.
Reduce Attack Area – We can identify a specific range of systems and concentrate on particular targets only. This greatly reduces the number of systems we are focusing on.
Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats, loopholes available in the system of the target organization.
Draw Network map – helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of server and other information.

Objectives of Footprinting

Network Footprinting --
This is the process of collecting information related to a target network. Information like domain names, subdomains, network blocks, IP addresses of reachable systems, IDSes running, rogue websites/private websites, TCP & UDP services running, VPN endpoints, networking protocols, ACLs, etc. is collected.
Collect System Information --
The information related to the target system like user and group names, system banners, routing tables, SNMP information, system names etc are collected using various methods.
Collect Organization's information –
The information related to employee details, organization website, Location details, security policies implemented, the background of the organization may serve as an important piece of information for compromising the security of the target using direct or social engineering attacks.

There are two types of Foot-printing:
Active: Directly interacting with the target to gather information about it, e.g. using the Nmap tool to scan the target.
Passive: Collecting information about the target without directly accessing it. This involves collecting information from social media, public websites, search engines, etc.
Note:- Active foot-printing can be dangerous because scanning the open ports of systems without the owner's permission can be treated as a security breach (and in many countries a criminal offence) and can land you in prison. Therefore passive foot-printing is preferred when no authorization is in place, as it is safe and legal; active techniques belong inside the scope of a signed engagement.

Footprinting Methodology

Various methods used to collect information about the target organization. They are

Footprinting through Search Engines

This is a passive information gathering process where we gather information about the target from social media, search engines, various websites etc. Information gathered includes names, personal details, geographical location details, login pages, intranet portals etc. Even some target specific information like operating system details, IP details, netblock information, technologies behind web applications etc. can be gathered through search engines.
Eg: collecting information from Google, Bing etc.

Google Hacking:

Google hacking refers to collecting information using Google dorks (search operators) by constructing search queries which result in finding sensitive information. Details collected include exposed passwords, default credentials, competitor information, information related to a particular topic etc.
Eg: inurl:, site:, allintitle: etc.

Examining HTML Source and Examining Cookies:

The HTML source code of a web application may give us an understanding of the application's functionality, hidden fields, developer comments, variable names, and the names and versions of the JavaScript libraries in use. Cookies are used to identify a user within a session; they may be stored in the browser, passed in the URL, or sent in the HTTP Cookie header.
The entire website can be mirrored using tools like HTTrack to examine it offline at our own pace.
Extract website archives: older versions of a website can be obtained which may reveal information related to the target (pages, names or technologies that have since been removed).
eg: www.archive.org
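The following added example (not part of the original notes) shows how to automate the HTML-source examination described above with Python's standard-library html.parser: it pulls out developer comments, hidden form fields, form actions and versioned script references. The page it parses is a constructed sample, not a real site.

```python
"""Pull footprinting clues out of a page's HTML source: comments, hidden
form fields, form actions and versioned script references.
Added example using only the Python standard library; SAMPLE_HTML is a
constructed page, not taken from any real site."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """
<html><head><title>Intranet login</title>
<!-- TODO: remove debug backdoor before go-live, see ticket 4411 -->
<script src="/static/js/jquery-1.8.3.min.js"></script>
</head><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="hidden" name="env" value="staging">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<!-- old admin panel: /admin_old/ (user admin) -->
</body></html>
"""

# Matches "name-1.2.3" in a script file name, e.g. jquery-1.8.3.min.js
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)-(\d+(?:\.\d+)+)")


class SourceInspector(HTMLParser):
    """Collects HTML comments, hidden inputs, form actions and script sources."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_fields = {}
        self.scripts = []
        self.form_actions = []

    def handle_comment(self, data):
        # Developer comments frequently leak paths, ticket numbers and credentials.
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields[a.get("name") or ""] = a.get("value") or ""
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])


def library_versions(scripts):
    """(library, version) pairs guessed from script file names."""
    found = []
    for src in scripts:
        m = VERSION_RE.search(src.rsplit("/", 1)[-1])
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def inspect_html(source):
    """Parse the page and return everything a footprinter would note down."""
    p = SourceInspector()
    p.feed(source)
    p.close()
    return {"comments": p.comments, "hidden_fields": p.hidden_fields,
            "form_actions": p.form_actions, "scripts": p.scripts,
            "library_versions": library_versions(p.scripts)}


if __name__ == "__main__":
    for key, value in inspect_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run it against a page saved with HTTrack or fetched with curl; the library versions it reports are the starting point for looking up known vulnerabilities in the scanning phase.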

Email Footprinting

Email headers reveal information about the mail servers involved, the original sender's email ID, the internal IP addressing scheme (from the Received: lines that each relay prepends) and, from that, the possible architecture of the target network.
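As an added example (not part of the original notes), the Python script below parses the Received: chain of a message header with the standard-library email module, lists the relay path in sending order, and flags the RFC 1918 addresses that expose the sender's internal network. The header is constructed for illustration; it is not a real message.

```python
"""Walk the Received: chain of an e-mail header to recover the relay path and
flag RFC 1918 addresses, which expose the sender's internal addressing scheme.
Added example using only the standard library; RAW_HEADER is constructed for
illustration, not a real message."""
import email
import ipaddress
import re

# Constructed header: a workstation handed the mail to an internal relay,
# which handed it to the company's public MX, which delivered to the recipient.
RAW_HEADER = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.25])
 by inbound.example.org with ESMTPS id a1b2c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail-relay.corp.example.net (unknown [10.20.30.40])
 by mx1.example.net (Postfix) with ESMTP id 9F3C2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from WS-ALICE (ws-alice.corp.example.net [192.168.14.77])
 by mail-relay.corp.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: alice@example.net
To: bob@example.org
Subject: test
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # the [a.b.c.d] the relay actually saw
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # the name the sender claimed
BY_RE = re.compile(r"\bby\s+(\S+)")                    # the relay that wrote the line


def is_rfc1918(ip):
    """True for private (internal) IPv4 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_received_chain(raw_header):
    """Return hops oldest-first as (claimed-from, ip, is_internal, received-by)."""
    msg = email.message_from_string(raw_header)
    hops = []
    # Each relay prepends its own Received: line, so the first one in the
    # header is the last hop; reverse to read the path in sending order.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())              # unfold continuation lines
        from_m, ip_m, by_m = FROM_RE.match(value), IP_RE.search(value), BY_RE.search(value)
        ip = ip_m.group(1) if ip_m else None
        hops.append((from_m.group(1) if from_m else None, ip,
                     bool(ip) and is_rfc1918(ip), by_m.group(1) if by_m else None))
    return hops


def internal_hosts(raw_header):
    """(hostname, ip) pairs that belong to the sender's private address space."""
    return [(host, ip) for host, ip, internal, _ in parse_received_chain(raw_header) if internal]


if __name__ == "__main__":
    for hop in parse_received_chain(RAW_HEADER):
        print(hop)
    print("internal:", internal_hosts(RAW_HEADER))
```

Only the Received: lines added by servers you trust are reliable; anything below the first line written by your own MX could have been forged by the sender, which is why the chain is read from the top down.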

Competitive Intelligence

Competitive intelligence gathering is the process of gathering information about the competitors from resources such as the Internet.
Eg: company website, search engine, internet, online databases, press releases, annual reports, trade journals

Google Hacking/Google Dorks

This is the process of creating search queries that extract hidden information by using Google operators to search for specific strings of text inside the search results.
Some Google operators: site:, allinurl:, inurl:, allintitle:

Whois Footprinting

Whois databases for IP address blocks and AS numbers are operated by the Regional Internet Registries (RIRs, e.g. ARIN, RIPE NCC, APNIC); Whois data for domain names is held by the domain registries and registrars. These databases contain contact information for the owners of domains and address blocks (today often redacted by privacy services). Whois is a query/response protocol used for querying Whois databases, documented in RFC 3912 (TCP port 43). The whois utility interrogates the Internet domain name administration system and returns the domain ownership, address, location, phone numbers, name servers, registration dates and other details about a specified domain name.

DNS Footprinting

DNS is a naming system for computers that converts human-readable domain names into machine-readable IP addresses and vice versa. DNS serves normal queries over UDP port 53 and uses TCP port 53 for zone transfers and for responses too large for UDP. A zone stores all information, or resource records, associated with a particular domain in a zone file. Resource records returned by name servers have the following fields:
Domain Name — Identifying the domain name or owner of the record
Record Type — Specifying the type of data in the resource record
Record Class — Identifying the class of network or protocol family in use (almost always IN, Internet)
Time to Live (TTL) — Specifying the amount of time a record can be stored in a cache before being discarded.
Record Data — Providing the type- and class-dependent data describing the resource.
Common record types:
A (address)—Maps a hostname to an IPv4 address (AAAA does the same for IPv6)
SOA (Start of Authority)—Identifies the primary name server and administrative details for the zone
CNAME (canonical name)—Provides an alias for another hostname
MX (mail exchange)—Identifies the mail servers for the domain
SRV (service)—Identifies hosts offering a service such as directory services (e.g. _ldap._tcp)
PTR (pointer)—Maps IP addresses to hostnames (reverse lookup)
NS (name server)—Identifies the authoritative name servers for the domain
HINFO (host information)—Describes the CPU and OS of a host; rarely published today because it helps attackers
Secondary DNS servers perform zone transfers (AXFR, over TCP 53) to keep themselves up to date with the primary. If a name server accepts zone transfer requests from anyone, a zone transfer of the target domain gives a list of all hosts in the zone, their respective IP addresses and record types; servers should be configured to allow AXFR only from their own secondaries.
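To make the resource-record fields listed above concrete, here is an added example (not from the original notes) that builds a DNS query by hand and parses the answer section of a reply, including the name-compression pointers real servers use. The reply bytes are constructed in the script rather than captured from a server; a zone transfer uses the same record format, just with QTYPE 252 (AXFR) over TCP with a two-byte length prefix.

```python
"""Encode a DNS question and decode the resource records in a reply, showing
the on-the-wire fields: name, type, class, TTL and rdata.
Added example using only the standard library; REPLY is constructed by hand,
not captured from a real server."""
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 13: "HINFO",
         15: "MX", 28: "AAAA", 33: "SRV", 252: "AXFR"}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """12-byte header (RD flag set) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Follow labels and compression pointers; return (name, offset after name)."""
    labels, end, jumps = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # 11xxxxxx: pointer into the message
            if end is None:
                end = off + 2                     # a pointer ends the name in place
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 20:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg):
    """Return the answer-section records as dicts with the RR fields."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            data = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                 # NS, CNAME, PTR carry a name
            data, _ = decode_name(msg, off - rdlen)
        else:
            data = rdata.hex()
        records.append({"name": name, "type": TYPES.get(rtype, rtype),
                        "class": rclass, "ttl": ttl, "data": data})
    return records


QUERY = build_query("www.example.com")

# Constructed reply: same id, flags QR+RD+RA, one question, two answers
# (a CNAME and the A record it points to) using compression pointers.
REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
         + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
         + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6)   # name -> offset 12
         + b"\x03web" + b"\xc0\x10"                          # web + ptr to example.com
         + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 60, 4)    # name -> offset 45
         + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print("query:", QUERY.hex())
    for rr in parse_records(REPLY):
        print(rr)
```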

Footprinting through Social Engineering:

Social media like Twitter and Facebook are searched to collect information like personal details, user credentials and other sensitive information, and various social engineering techniques are used against the people themselves. Some of the techniques include:
Eavesdropping: The unauthorized interception of communication (conversations, phone calls, network traffic) to gather information.
Shoulder surfing: Secretly observing the target to gather sensitive information like passwords, personal identification information, account information etc.
Dumpster diving: Collecting sensitive information by looking through the trash. Many documents are not shredded before being disposed of. Retrieving these documents from the trash may reveal contact information, financial information, tender information etc.

Footprinting countermeasures:
Creating awareness among employees and users about the dangers of social engineering
Limiting the sensitive information published about the organization
Encrypting sensitive information
Using privacy services for the Whois lookup database
Disabling directory listings on the web servers
Enforcing security policies

Tools used for Information Gathering:-

NetDiscover Scanner Tool:-
Netdiscover is an ARP-based tool used to discover live hosts in a range of IP addresses on the local network segment (ARP does not cross routers, so it only sees the attacker's own LAN).
Netdiscover commands:-
-netdiscover -r 192.168.1.0/24 - Active scan of a range of IP addresses (sends ARP requests)
-netdiscover -p - Passive mode: only listens for ARP traffic and sends nothing, so it is harder to detect

Dmitry Tool:-
Dmitry is used to gather information about target IPAddress / Organization.
Dmitry Commands:-
dmitry -o output.txt <target> - save output to a file
dmitry -i <targetip> - perform a whois lookup on the IP address
dmitry -w <domain> - perform a whois lookup on the domain name
dmitry -n <domain> - retrieve Netcraft information for the domain name
dmitry -s <domain> - search for subdomains
dmitry -e <domain> - search for email addresses
dmitry -p <targetip> - scan for open TCP ports
dmitry -f <targetip> - report filtered TCP ports as well

Recon-ng Tool
1. Open Kali Linux. Navigate to Applications and select recon-ng
2. Recon-ng is a modular reconnaissance framework with a console similar to Metasploit
3. Type : keys list - lists the API keys stored in the recon-ng database
4. Type : keys add flickr-api <key> - stores an API key for the modules that need one
5. Clear the screen
6. Type : workspaces list
7. workspaces add kali.org - create a workspace for the target
8. show domains
9. Type : help
10. Type : show - lists the tables available in the recon-ng database (domains, hosts, contacts, ...)
11. Type : show banner
12. Type : modules - list the available modules
13. show domains
14. load netcraft - load the Netcraft subdomain module (recon/domains-hosts/netcraft)
15. show options
16. set SOURCE kali.org - set the target.
17. show options
18. show domains
19. run - collects the subdomains of kali.org into the hosts table
20. Type : show hosts
21. load resolve (the same as use recon/hosts-hosts/resolve)
22. show options
23. run - resolves each host to its IP addresses
24. show hosts
25. load freegeoip
26. show options
27. run - geolocation of every IP address
28. show hosts
29. show locations - lists the locations (street addresses) collected so far
30. add locations - add a street address by hand
31. load reverse_geocode
32. show options
33. run
34. show hosts


First the essentials
> DNS : with tools like HOST, DIG, and NSLOOKUP
> WHOIS
> Port Scanners (NMAP, MASSCAN)
> Google Search Syntax (GHDB)
Internet Scanners
> SHODAN
> CENSYS
> BINARYEDGE
Automation Tooling
> MALTEGO
> SPIDERFOOT
> THEHARVESTER
OSINT Tool
> OSINT FRAMEWORK
> CHECKUSERNAMES
> HAVEIBEENPWNED
> BEENVERIFIED
> GOOGLE DORKS

Websites for information gathering (Passive foot-printing):-
https://sitereport.netcraft.com/ Find out the infrastructure and Technologies used by any site using our results from Internet Data Mining.
http://whois.domaintools.com Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.
https://www.robtex.com/ Information in a more proper and systematic way.
http://centralops.net/co Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6. Some source code included.
https://w3dt.net The Internet's one stop, all-in-one, domain toolbox.
http://www.intodns.com intoDNS checks the health and configuration of DNS and mail servers.
http://builtwith.com Web technology information profiler tool. Find out what a website is built with.
http://www.domaincrawler.com Domain information, whois & dns report
http://www.domaintools.com Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.
http://www.who.is Find information on any domain name or website. Large database of whois information, DNS, domain names, name servers, IPs, and tools for searching and monitoring domain names
https://www.whois.net Secure Domain Name Searches, Registration & Availability. Use Our Free Whois Lookup Database to Search for & Reserve
http://en.dnstools.ch online tools for the daily administration of networks.
http://www.dnsstuff.com DNS tools, Network tools, Email tools, DNS reporting and IP information gathering. Explore monitoring products and free DNS tools at DNSstuff.
https://geoiptool.com View IP information
https://archive.org/index.php Internet Archive is a non-profit digital library offering free universal access to books, movies & music, as well as 436 billion archived web pages.
https://pipl.com The most comprehensive people search on the web. Pipl finds high-quality results in pages that cannot be found on regular search engines. Free People Search.
http://www.zabasearch.com Find people free with Zabasearch directory engine that includes free people search, reverse phone number lookup, address lookup, and more.
https://www.tineye.com TinEye is a reverse image search engine. Search by image: Give it an image and it will tell you where the image appears on the web.
http://www.searchenginecolossus.com Find search engines from the UK, USA, and many other countries.
http://zuula.com Zuula is an innovative Internet search service that gives its users quick access to web, image, news blog and job search results from all the major search engines.With Zuula, users have the ability to get search results from their favorite search engine, such as Google or Yahoo!, but they also have one-click access to search results from a number of other search engines.
http://www.myipneighbors.com Reverse IP Lookup & Domain Check DNS Tool by myIPneighbors to find all domains hosted on an IP address by domain or IP address.


Step-2 : Scanning:

What is Scanning?

Scanning is a set of procedures for identifying live hosts, ports and services, discovering the operating system and architecture of the target systems, and identifying vulnerabilities and threats in the network. Network scanning is used to create a profile of the target organization.
Scanning refers to collecting more information using more complex and aggressive reconnaissance techniques which, unlike passive footprinting, send packets to the target and can therefore be detected. Three types of scanning are involved:

Port scanning: This phase involves scanning the target for the information like open ports, Live systems, various services running on the host.
Vulnerability Scanning: Checking the target for weaknesses or vulnerabilities which can be exploited. Usually done with help of automated tools
Network Mapping: Finding the topology of network, routers, firewalls servers if any, and host information and drawing a network diagram with the available information. This map may serve as a valuable piece of information throughout the hacking process.

Scanning Methodology

Check for Live Systems: A ping scan checks for live systems by sending ICMP echo request packets. If a system is alive it responds with an ICMP echo reply; the TTL in the reply can hint at the operating system. Many hosts and firewalls block ICMP, so the absence of a reply does not prove a host is down (Nmap's -Pn option skips this check).
Check for Open Ports: Port scanning helps us find open ports, the services running on them, their versions etc. Nmap is the powerful tool mainly used for this purpose.

We have various types of scan:

Connect scan: Identifies open ports by completing the full TCP three-way handshake with the target. It needs no special privileges but is noisy, as every connection is seen and usually logged by the service.

Nmap command: nmap -sT -v -p- <TargetIP>

Half-open scan, otherwise known as SYN scan or Stealth scan: sends a SYN, treats a SYN/ACK reply as "open" and a RST as "closed", then tears the connection down with a RST instead of completing the handshake, so the application never sees a connection. It requires raw-socket (root) privileges.

(Diagram source: https://www.safaribooksonline.com)

Nmap command: nmap -sS -v <TargetIp>

XMAS scan: One of the inverse TCP flag scans. It works by sending packets with the FIN, PSH and URG flags set. Targets that follow RFC 793 do not respond if the port is open and send a RST if the port is closed.

(Diagram source: https://www.information-security.fr)

FIN scan: Only the FIN flag is set in the TCP packets sent to the target. Open ports do not respond while closed ports send a RST.

(Diagram source: https://securitcrs.wordpress.com)

Nmap command: nmap -sF <targetIp>

Caveat for the XMAS, FIN and Null scans: they rely on RFC 793 behaviour. Windows and many network devices reply with RST regardless of port state, so every port appears closed; and "no response" can also mean a firewall dropped the probe, so Nmap reports such ports as open|filtered.

ACK scan: Here the attacker sets only the ACK flag in the TCP header. This does not distinguish open from closed ports; it maps firewall rules: a RST reply means the port is unfiltered (reachable), while no reply or an ICMP unreachable error means it is filtered. Nmap's window scan (-sW) extends this by looking at the TCP window size of the returned RST to guess open versus closed on some systems.

(Diagram source: https://www.hackingloops.com)

Nmap command: nmap -sA -v <targetip>

Null scan: Works by sending TCP packets with no flags set to the target. Open ports do not respond while closed ports respond with a RST.

Nmap command: nmap -sN -p- <targetIP>

Idle scan: Here the attacker hides their identity by using an idle "zombie" machine on the network to probe the status of the target's ports; the target only ever sees packets from the zombie, and the attacker reads the result from changes in the zombie's IP ID sequence.

(Diagram source: https://en.wikipedia.org/wiki/Idle_scan)
Nmap command : nmap -Pn -sI ZombieIp TargetIp

Banner Grabbing
Banner grabbing is the process of collecting information like operating system details and the name and version of the service running on a port, by reading the greeting (banner) a service sends on connection or the headers it returns to a request. Banners can be edited or faked, so they are a hint, not proof.
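The added example below (not part of the original notes) implements the connect scan from the list above together with banner grabbing, in Python's standard library. To stay runnable offline it starts its own listener on the loopback interface that greets clients with a constructed SSH-style banner; on an engagement you would point the same functions at an in-scope host. Raw-socket scans (SYN, FIN, XMAS, Null) need privileged packet crafting and are deliberately not reimplemented here.

```python
"""TCP connect scan plus banner grab, demonstrated against a local test
service so the script runs offline.  Added example; the listener and the
'SSH-2.0-OpenSSH_8.9' banner are constructed stand-ins for a real target."""
import socket
import threading


def start_banner_server(banner, host="127.0.0.1"):
    """Listener on an OS-assigned port that greets every client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # client went away before reading; ignore
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port(host="127.0.0.1"):
    """Ask the OS for a free port and release it: a port nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port (what nmap -sT does).
    Returns {port: 'open' | 'closed' | 'filtered'}."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = "open"            # SYN/ACK received, handshake done
        except ConnectionRefusedError:
            result[port] = "closed"          # RST came back
        except (socket.timeout, OSError):
            result[port] = "filtered"        # no answer: probe dropped somewhere
        finally:
            s.close()
    return result


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Read whatever the service sends first; many daemons announce themselves."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(nbytes).decode(errors="replace").strip()
        except socket.timeout:
            return ""                        # silent service: send a probe instead


def scan_and_fingerprint(host, ports):
    """Connect scan followed by a banner grab on every open port."""
    states = connect_scan(host, ports)
    return {p: (state, grab_banner(host, p) if state == "open" else "")
            for p, state in states.items()}


if __name__ == "__main__":
    srv, port = start_banner_server(b"SSH-2.0-OpenSSH_8.9 constructed-test-banner\r\n")
    print(scan_and_fingerprint("127.0.0.1", [port, find_closed_port()]))
    srv.close()
```

Every probe here completes a handshake, which is exactly why a connect scan shows up in the target's service logs; the "filtered" branch (a timeout) is what a firewall that silently drops packets looks like from the scanner's side.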

Vulnerability scanning:
Mainly automated tools are used for this purpose. These scanners probe the target to find vulnerabilities or weaknesses in the target organization which could be exploited by attackers. Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network vulnerabilities, operating system vulnerabilities etc.
Some examples include: operating systems that are not updated, default passwords in use, plaintext protocols in use, vulnerable protocol versions running etc. Scanner output always needs manual verification, since automated checks produce false positives.
Tools: Nessus, Acunetix

Draw Network Diagrams
With the information gathered, the attacker can draw a network diagram which gives them an understanding of the network and architecture of the target organization and helps them pick targets easily.
Tools: Network View, Opmanager etc

Prepare Proxies
Proxies can be used to maintain the anonymity of the attacker by masking their IP address. Because a proxy acts as an intermediary between client and server, whoever runs it can capture the information passing through it; attackers chain proxies or use Tor to reach resources remotely without exposing their own address.
Eg: Tor Browser and onion sites, Proxify, Psiphon etc.

Countermeasures:
Configure the IDS and firewall to detect and block probes.
Keep firewall, router and IDS firmware updated.
Run port scanners against your own systems to verify that only the intended ports are exposed.
Add firewall rules restricting access to ports.
Block ICMP-based host discovery at the firewall where it is not needed.

Tools for Port Scanning:-

Nmap Tool:-
Nmap, short for Network Mapper, is a free, open-source tool for network discovery and security auditing (its scripting engine, NSE, also performs basic vulnerability checks). Network administrators use Nmap to identify what devices are running on their networks, discover which hosts are available and the services they offer, find open ports and detect security risks.
Nmap commands:-
- nmap target-ip-address - Regular scan (the 1000 most common TCP ports)
- nmap -v targetipaddress - Verbose scan
- nmap 192.168.0.* - Scan a whole subnet
- nmap -A targetipaddress - Aggressive scan: OS detection, version detection, default scripts and traceroute
- nmap -O targetipaddress - OS detection
- nmap -F targetipaddress - Fast scan (the 100 most common ports)
For more commands and an Nmap cheat sheet visit :- https://www.stationx.net/nmap-cheat-sheet/

Tools for Vulnerability Scanning:-

Golismero Tool:-
Golismero is a web application security testing framework that runs its own plugins and can import results from other scanners (Nmap, OpenVAS) into a single report.
Golismero Commands:-
-scan a website and show the results on screen > golismero.py scan http://www.example.com
-grab Nmap results, scan all hosts found and write an HTML report > golismero.py scan -i nmap_output.xml -o report.html
-grab results from OpenVAS and show them on screen, but don't scan anything > golismero.py import -i openvas_output.xml
-show a list of all available configuration profiles > golismero.py profiles
-show a list of all available plugins > golismero.py plugins
-show information on all bruteforcer plugins > golismero.py info brute_*
-dump the database from a previous scan > golismero.py dump -db example.db -o dump.sql

Nikto Tool:-
Nikto is a web server scanner that checks for dangerous files/CGIs, outdated server software and common misconfigurations. It is noisy and easily spotted in web server logs, so it is a tool for authorized testing, not stealthy reconnaissance.
Nikto Command:-
- nikto -h www.xyz.com -Tuning 1 - run only the "interesting file / seen in logs" checks (tuning restricts the test categories)
- nikto -h www.xyz.com - full default scan

Lynis Tool:-
Lynis is an extensible security audit tool for systems running Linux, macOS, BSD and other UNIX-like operating systems.
Lynis Commands:-
- lynis audit system - Perform a local security scan
- lynis audit system remote <host> - Remote security scan
- lynis audit dockerfile <file> - Analyze a Dockerfile
- lynis show commands - Show all commands
- lynis show version - Show the Lynis version
- lynis show help - Show help
- lynis update info - Show update details
- lynis update release - Update the Lynis release
Scan options:
* --pentest - Non-privileged scan (useful for pentests)
* --profile <profile> - Scan the system with the given profile file
* --quick (-Q) - Quick mode, don't wait for user input
Layout options:
* --no-colors - Don't use colors in output
* --quiet (-q) - No output
* --reverse-colors - Optimize color display for light backgrounds
Misc options:
* --debug - Debug logging to screen
* --view-manpage (--man) - View the man page
* --verbose - Show more details on screen
* --version (-V) - Display version number and quit
* --upload - Upload data to the central node (Lynis Enterprise)

Step-3 : Gaining Access:

This phase is where an attacker breaks into the system/network using various tools or methods (exploiting a vulnerability found during scanning, password cracking, social engineering, etc.). After entering a system, usually with a low-privileged account, the attacker escalates privileges to administrator/root level so they can install the applications they need, modify data or hide data.

Step-4 : Maintaining Access:

A hacker may just hack a system to show that it was vulnerable, or may want to keep a persistent connection in the background without the knowledge of the user. This is done using Trojans, rootkits, backdoors or other malicious files. The aim is to keep access to the target until the planned tasks have been finished.

Step-5 : Covering Tracks:

No thief wants to get caught. An intelligent attacker clears all evidence so that later nobody finds traces leading back to them. This involves modifying/corrupting/deleting log entries, modifying registry values, uninstalling the applications they used and deleting the folders they created. For defenders this is why logs should be forwarded to a separate, write-protected log server as they are generated.

________________________________________________________________________________

Enumeration and its Types

Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In this phase the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify vulnerabilities or weak points in the system's security, which the attacker then tries to exploit in the Gaining Access phase.

Types of information enumerated by intruders:

  • Network Resource and shares

  • Users and Groups

  • Routing tables

  • Auditing and Service settings

  • Machine names

  • Applications and banners

  • SNMP and DNS details

Techniques for Enumeration

  • Extracting user names using email ID's

  • Extract information using the default password

  • Brute Force Active Directory

  • Extract user names using SNMP

  • Extract user groups from Windows

  • Extract information using DNS Zone transfer

Services and Port to Enumerate

  • TCP/UDP 53: DNS (zone transfers use TCP)

  • TCP 135: Microsoft RPC Endpoint Mapper

  • UDP 137: NetBIOS Name Service

  • TCP 139: NetBIOS Session Service (SMB over NetBIOS)

  • TCP 445: SMB over TCP (Direct Host)

  • UDP 161: SNMP

  • TCP/UDP 389: LDAP

  • TCP 3268: Global Catalog Service (3269 over SSL/TLS)

  • TCP 25: Simple Mail Transfer Protocol (SMTP)

  • NetBIOS Enumeration

    NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers.

    NetBIOS names are used to identify network devices over TCP/IP (Windows). A name must be unique on the network and is 16 bytes long: 15 bytes for the device name (padded with spaces) and a 16th suffix byte identifying the service type or name record type, for example <20> for the file server service or <1C> for domain controllers.

    Attackers use the NetBIOS enumeration to obtain:

    • List of computers that belong to a domain

    • List of shares on the individual hosts on the network

    • Policies and passwords

    Commands and tools used:

    Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details

    Superscan: GUI tool used to enumerate windows machine

    Net view: command line tool to identify shared resources on a network
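As an added example (not part of the original notes), the Python code below implements the NetBIOS name format described above: the 15-byte padded name plus suffix byte, and the "first-level" encoding that turns those 16 bytes into the 32-letter strings seen in NBNS packets on UDP 137 (the same form nbtstat decodes). Host names in it are invented.

```python
"""Encode and decode NetBIOS names as they travel on UDP 137: 15 name bytes
plus a 16th suffix byte, 'first-level' encoded as 32 letters A-P.
Added example, standard library only; the host names used are invented."""

SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
            0x20: "File Server Service", 0x1B: "Domain Master Browser",
            0x1C: "Domain Controllers", 0x1D: "Master Browser",
            0x1E: "Browser Service Elections"}


def netbios_encode(name, suffix=0x00):
    """Return the 32-character first-level encoding of name<suffix>."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    padding = b"\x00" if name == "*" else b" "     # the wildcard name is NUL-padded
    raw = raw.ljust(15, padding) + bytes([suffix])
    # Each byte becomes two letters: high nibble + 'A', low nibble + 'A'.
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def netbios_decode(encoded):
    """Inverse of netbios_encode: returns (name, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def nbns_question(name, suffix):
    """Question-section name bytes: length 0x20, the encoded name, root label."""
    return b"\x20" + netbios_encode(name, suffix).encode("ascii") + b"\x00"


def describe(encoded):
    """Render an encoded name the way nbtstat shows a name table entry."""
    name, suffix = netbios_decode(encoded)
    return f"{name:<15s} <{suffix:02X}>  {SUFFIXES.get(suffix, 'unknown')}"


if __name__ == "__main__":
    for host, suffix in (("FILESRV01", 0x20), ("CORP-DC1", 0x1C), ("*", 0x00)):
        enc = netbios_encode(host, suffix)
        print(enc, "->", describe(enc))
```

The wildcard name "*" (encoded as CK followed by thirty A's) is what a node status request sends to make a host return its whole name table; seeing that string in traffic on UDP 137 is a reliable sign that someone is enumerating NetBIOS.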

  • SNMP Enumeration

    SNMP (Simple Network Management Protocol) is an application layer protocol which uses UDP (port 161 for queries, 162 for traps) to monitor and manage routers, hubs, switches and other network devices on an IP network. SNMP is a very common protocol found enabled on a variety of operating systems like Windows Server, Linux & UNIX servers as well as network devices like routers, switches, printers and UPSes.

    SNMP enumeration is used to enumerate user accounts, passwords, groups, system names, devices on a target system.

    It consists of three major components:

    1. Managed Device: A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc.

    2. Agent: An agent can be thought of as a piece of software that runs on a managed device. Its primary job is to convert the information into SNMP compatible format for the smooth management of the network using SNMP protocol.

    3. Network Management System (NMS): These are the software systems that are used for monitoring of the network devices.

    SNMP architecture

    An agent running on every SNMP device will be providing access to a read and writable database. The database is referred to as the management information base (MIB) which is organized hierarchically and is a virtual database containing a formal description of all the network objects identified by a specific object identifier (OID) that can be managed using SNMP. It's a giant repository of values and settings. There is a manager involved in the process, and the manager will query the agent for various details.

    A community string is a text string that authenticates communication between a management station and the SNMP agent on a device (SNMPv1 and v2c). Community strings travel in clear text in every packet exchanged between the node and the management station, so anyone who can sniff the traffic can recover them.

    Two types of community strings:

    1. Read only: This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is “public.”

    2. Read Write: In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device ’s configurations. The default community string for this mode is “private.”

    When community strings are left at these defaults, an attacker only has to guess "public" or "private" to read, or rewrite, the device's configuration; tools such as onesixtyone exist purely to brute-force community strings against a list of hosts.

    Few tools:

    1. OpUtils Network Monitoring Toolset - http://www.manageengine.com

    2. SolarWinds (IP Network Browser / Engineer's Toolset) - www.solarwinds.com

    3. Command-line tools: snmpwalk and snmpget (Net-SNMP), snmp-check, onesixtyone, and the Nmap snmp-* NSE scripts

    Countermeasures:

    1. Remove or disable SNMP agents on hosts

    2. Block UDP ports 161 and 162 at all perimeter network access devices

    3. Restrict access to specific IP addresses

    4. Use SNMPv3 with authentication and privacy (authPriv); v1 and v2c have no encryption and only the community string as authentication

    5. On Windows, apply the Group Policy option that restricts anonymous connections ("Network access: Do not allow anonymous enumeration of SAM accounts and shares", formerly "Additional restrictions for anonymous connections")

    6. Restrict access to null-session pipes and null-session shares, and use IPsec filtering

  • LDAP Enumeration

    The Lightweight Directory Access Protocol is used to query and modify directory services such as Active Directory, OpenLDAP or eDirectory. A directory is organised hierarchically (a tree of organisational units, groups, users and computers), much like the levels of management and employees in a company. In Active Directory, clients locate LDAP servers through DNS SRV records, so LDAP and DNS are closely tied. LDAP normally listens on TCP 389 (636 for LDAPS, 3268/3269 for the Global Catalog) and is specified in RFC 4510 and its companion RFCs. If the server allows anonymous binds, or if any valid credentials are available, the directory can be queried for valid usernames, e-mail addresses, phone numbers, group memberships and departmental details that feed password-spraying, brute-force or social-engineering attacks.

      Tools:

      Jxplorer - http://www.jxplorer.org/

      LDAP Admin Tool - http://www.ldapsoft.com

      Countermeasures:

      1. Disable anonymous binds and require authenticated binds (simple bind over TLS, or SASL with Kerberos/NTLM) so that only known users can query the directory.

      2. By default LDAP traffic is transmitted in the clear; use LDAPS (TCP 636) or StartTLS to encrypt it, and on Active Directory enforce LDAP signing and channel binding.

      3. Use account names that differ from the e-mail address, and enable account lockout so that enumerated names cannot be brute-forced freely.

  • NTP Enumeration

    The Network Time Protocol synchronises clocks across a network, which matters especially for directory services (Kerberos, for example, rejects tickets when clocks differ by more than a few minutes). Public time servers around the world keep systems in sync with each other. NTP uses UDP port 123. NTP enumeration queries the server with tools such as ntpq and ntpdc (or Nmap's ntp-info and ntp-monlist scripts) to gather the server's version, operating system and reference peers and, on older ntpd builds that still answer the monlist command, the list of client hosts and IP addresses that have recently talked to it. The same monlist response was abused for NTP amplification DDoS, which is why current ntpd versions disable it.

  • SMTP Enumeration

    The Simple Mail Transfer Protocol is used to send (submit and relay) e-mail; POP3 and IMAP, by contrast, are used by clients to retrieve mail from a mailbox. SMTP finds the destination server by looking up the recipient domain's MX records in DNS; if no MX record exists, the sender falls back to the domain's A/AAAA record. SMTP normally runs on TCP 25 (587 for authenticated submission, 465 for implicit TLS).

    SMTP enumeration determines which user accounts exist on a mail server, using built-in SMTP commands that answer differently for valid and invalid addresses:

        • VRFY - asks the server to confirm that a mailbox exists (250 for a known user, 550 for an unknown one).

        • EXPN - expands an alias or mailing list to its actual delivery addresses.

        • RCPT TO - names a recipient of the message; a server that rejects unknown recipients at this stage leaks validity even when VRFY and EXPN are disabled.
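The VRFY exchange, as an added example that is not part of the original notes: a small enumerator that classifies the server's reply codes, driven against a constructed in-memory SMTP responder so that both sides of the conversation run offline. The host name mail.example.test, the user list and the reply text are made up; `tcp_transport` is the drop-in replacement for a live target and is not exercised here.

```python
import socket

# Added example, not from the original notes. VRFY-based user enumeration
# against a constructed in-memory SMTP responder. Names and replies are made up.

KNOWN_USERS = {"root", "postmaster", "www-data"}      # constructed sample data

class FakeSmtpServer:
    """Answers like a real MTA: 250 = mailbox exists, 550 = unknown user.
    With leak=False it behaves like a hardened server (252 for every VRFY)."""
    def __init__(self, leak: bool = True):
        self.leak = leak

    def respond(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            return "250 mail.example.test Hello"
        if cmd == "VRFY":
            if not self.leak:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            if arg in KNOWN_USERS:
                return f"250 2.1.5 {arg} <{arg}@example.test>"
            return "550 5.1.1 User unknown"
        if cmd == "EXPN":
            return "250 2.1.5 root <root@example.test>" if self.leak else "502 5.5.1 EXPN not available"
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.1 Command not implemented"

def classify(reply: str) -> str:
    """Map an SMTP reply to what it tells the enumerator."""
    code = int(reply[:3])
    if code == 250:
        return "valid"
    if code == 252:
        return "unknown (VRFY disabled or non-committal)"
    if code in (500, 501, 502):
        return "unknown (VRFY not supported)"
    return "invalid"

def enumerate_users(send, users, helo: str = "enum.example.test") -> dict:
    """send(line) -> reply string. Works with the fake responder above and with
    the live transport below alike."""
    send(f"HELO {helo}")
    results = {u: classify(send(f"VRFY {u}")) for u in users}
    send("QUIT")
    return results

def tcp_transport(host: str, port: int = 25, timeout: float = 5.0):
    """Live transport: returns send(line) bound to one TCP session. Only use
    against systems you are authorised to test."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="ascii", errors="replace")
    rfile.readline()                                  # consume the 220 banner

    def send(line: str) -> str:
        sock.sendall((line + "\r\n").encode("ascii"))
        reply = rfile.readline().rstrip("\r\n")
        while len(reply) > 3 and reply[3] == "-":     # skip continuation lines of multi-line replies
            reply = rfile.readline().rstrip("\r\n")
        return reply
    return send

if __name__ == "__main__":
    print(enumerate_users(FakeSmtpServer().respond, ["root", "alice", "www-data"]))
    print(enumerate_users(FakeSmtpServer(leak=False).respond, ["root", "alice"]))
```

The second run shows what a correctly configured server looks like from the outside: every VRFY returns 252, so the enumerator learns nothing, which is the behaviour the countermeasures below aim for. A real engagement would also time the RCPT TO path, since some servers that disable VRFY still answer "550 User unknown" there.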

        Tools:

        NetScanTools Pro, smtp-user-enum, the Metasploit smtp_enum auxiliary module

        Countermeasures:

        • Disable the VRFY and EXPN commands, and configure the server to respond the same way to known and unknown recipients (for example, accept at RCPT time and bounce later), so that user validity cannot be inferred.

        • Don't reveal the mail relay systems in use, internal IP addresses or host information in banners and Received headers.

        • Disable open relaying.

        • DNS Enumeration

          DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organisation. It yields host names, IP addresses, mail servers (MX), name servers (NS), service records (SRV, which in Active Directory reveal domain controllers, Kerberos and LDAP servers) and sometimes HINFO or TXT records that describe systems. These resource records are stored in the zone files of the Domain Name System, a distributed, hierarchical and redundant database of information associated with Internet domain names and addresses.

          A DNS zone transfer (AXFR) is used to replicate DNS data between name servers or to back up zone files. A client asks a name server for a full copy of the zone; if the server allows zone transfers from arbitrary hosts, every record in the zone, with all host names and IP addresses, is returned in plain text.

          Tools:

          nslookup, dig (dig axfr <domain> @<nameserver>), host, Maltego, dnsenum, dnsrecon, fierce

          Countermeasures:

          1. Disable Zone transfer by untrusted hosts

          2. Ensure that private (internal) host names are not published in the zone files of publicly accessible DNS servers; use split-horizon DNS so that internal names resolve only internally.

          3. Use registrar privacy/proxy services so that WHOIS does not expose internal contacts, and avoid HINFO/TXT records that describe hardware and software.

          _____________________________________________________________________________________

          SYSTEM HACKING

          • Goals of System Hacking

            Goals:

            1. Gaining Access

            2. Escalating privileges

            3. Executing applications

            4. Hiding files

            5. Clearing tracks

            • Gaining Access

              The goal here is to collect enough information to gain access to the target.

              Password Cracking:

              There are few basic methods of password cracking:

              1. Bruteforce: trying all possible combinations until the password is cracked.

              2. Dictionary attack: a list of words and common passwords is hashed and compared against the stored hash, or tried against the login, until a match is found.

              3. Rule-based attack: when something is known about the target (name, birthday, company, password policy), candidate passwords are generated from rules that mutate a base list (append digits, capitalise the first letter, substitute characters).

              4. Rainbow table: a precomputed table of password-to-hash mappings (stored as hash chains to save space) lets the attacker look up a stolen hash instead of hashing every candidate at crack time.

              Rainbow tables are an offline attack, so account lockout never triggers. The defence is salting: a random value is generated per user, stored alongside the hash and mixed into the password before hashing, so one precomputed table no longer works for every user and each hash has to be attacked separately. Use a slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than a plain MD5/SHA hash.
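The precomputation-versus-salt argument above, as an added example that is not code from the original notes. A plain lookup table stands in for the rainbow table (a real one stores hash chains, but the property that matters, hashing done before the hash is stolen, is the same); the wordlist and the "stolen" hashes are constructed for the demonstration, and PBKDF2 is used as the salted, slow hash.

```python
import hashlib
import hmac
import os

# Added example, not from the original notes. Unsalted hash vs. precomputed
# table, then the same password salted with PBKDF2. WORDLIST is constructed.

WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2024", "admin"]

def hash_unsalted(password: str) -> str:
    """What many legacy systems stored: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus a deliberately slow KDF. The salt is stored next to
    the hash; it is not a secret, it only defeats precomputation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def precompute_table(words) -> dict:
    """Attacker's work, done once, before any hash is stolen."""
    return {hash_unsalted(w): w for w in words}

def lookup(table: dict, digest: str):
    """O(1) crack: no hashing at all at crack time."""
    return table.get(digest)

def dictionary_attack(digest: str, salt: bytes, words, iterations: int = 100_000):
    """With a salt the table is useless; every user costs a fresh pass over
    the wordlist, and every candidate costs `iterations` HMAC rounds."""
    for w in words:
        if hmac.compare_digest(hash_salted(w, salt, iterations), digest):
            return w
    return None

def demo() -> dict:
    table = precompute_table(WORDLIST)
    stolen_unsalted = hash_unsalted("letmein")
    salt = os.urandom(16)                            # generated per user at enrolment
    stolen_salted = hash_salted("letmein", salt, 1000)
    return {
        "table_hit": lookup(table, stolen_unsalted),                 # found instantly
        "table_hit_salted": lookup(table, stolen_salted),            # None: table is useless
        "dictionary_hit": dictionary_attack(stolen_salted, salt, WORDLIST, 1000),  # still weak password
    }

if __name__ == "__main__":
    print(demo())
```

The last line of `demo()` is the caveat a practitioner needs: salting stops precomputation and table sharing across users, but a password that is in the attacker's wordlist still falls to a per-user dictionary run; the iteration count (or bcrypt/Argon2 cost) is what makes that run expensive, and only a password outside the list is actually safe.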

              Types of Password Attacks

              Passive online attacks

              A passive attack is an attack on a system that does not result in a change to the system in any way.

              The attack is to purely monitor or record data.

              • Wire Sniffing

              • Man in the middle

              • Replay attack

              Active online attack

              In an active online attack the attacker interacts directly with the target's login service (or with the user), which makes it the most direct route to unauthorised administrator-level access but also the noisiest: every attempt can be logged and can trigger account lockout.

              • Password guessing

              • Trojan/spyware/keyloggers

              • Hash injection

              • Phishing

              Offline attacks

              Offline attacks are performed on password hashes the intruder has already obtained (a SAM dump, /etc/shadow, a database table or a captured authentication handshake). Because the target is never contacted, there is no lockout and no log entry; the cost is the time and hardware needed to compute hashes.

              • Pre-computed hashes

              • Distributed network attack (DNA): cracking spread across many machines

              • Rainbow tables (a compressed form of precomputed hashes)

              Non-electronic attacks

              Non-electronic attacks are also known as non-technical attacks. This kind of attack doesn't require any technical knowledge about the methods of intruding into another system.

              • Social engineering

              • Shoulder surfing

              • Dumpster Diving

              How to defend against password cracking:

              • Don't share your password with anyone

              • Do not reuse old passwords when changing a password

              • Enable security auditing to help monitor and track password attack

              • Do not use cleartext protocols and protocols with weak encryption

              • Set the password change policy to 30 days (note that current NIST guidance, SP 800-63B, advises against forced periodic rotation and instead recommends changing passwords when compromise is suspected, combined with screening new passwords against breached-password lists)

              • Monitor the server’s logs for brute force attacks on the user’s accounts

              • Avoid storing passwords in an unsecured location

              • Never use passwords such as date of birth, spouse, or child’s or pet’s name

              • Enable SYSKEY with a strong password to encrypt and protect the SAM database (legacy Windows only: syskey.exe was removed in Windows 10 version 1709, and full-disk encryption such as BitLocker is what protects the SAM on current systems)

              • Lockout an account subjected to too many incorrect password guesses.

              • Privilege Escalation

                An attacker can gain access to the network using a non-admin user account, and the next step would be to gain administrative privilege.

                Escalation of Privileges:

                There are two types of Privilege Escalation:

                1. Horizontal Privilege Escalation occurs when a malicious user attempts to access resources and functions that belong to peer users, who have similar access permissions.

                2. Vertical Privilege Escalation occurs when a malicious user attempts to access resources and functions that belong to a user with higher privileges, such as application or site administrators.

                • Executing Applications

                  Intruder executes malicious applications after gaining administrative privileges so they can run malicious programs remotely, to capture all sensitive data, crack passwords, capture screenshots or to install a backdoor.

                  Tool: RemoteExec, PDQ Deploy, DameWare NT Utilities

                  Keylogger

                  Keystroke loggers are programs or hardware devices that record every keystroke a user types, store the log in a file, or transmit it to a remote location.

                  A hardware keylogger sits physically between the keyboard and the computer (or inside the keyboard); a software keylogger hooks the operating system's input path (for example with a keyboard hook or a filter driver) between the keyboard driver and the applications.

                  A key logger can

                  • Record each keystroke

                  • capture screenshots at regular intervals, or whenever the user types a character or clicks a mouse button, to show user activity

                  • track user activity by logging window titles, names of launched applications and other information

                  • monitor users' online activity by recording the addresses of the websites they visit and the keywords they enter

                  • record login names, bank and credit card numbers and passwords, including passwords that are masked with asterisks or hidden on screen

                  • record online chat conversations

                  Types of Keylogger

                  • Hardware Keylogger

                  • Software Keylogger

                  Spyware

                  Spyware is stealthy computer monitoring software that allows you to secretly record all activities of a computer user.

                • Rootkits

                  Rootkits are programs that attackers install after compromising a system in order to keep privileged access while evading detection. Once installed, a rootkit is invisible to the user and actively hides itself from security software.

                  A rootkit is a set of binaries, scripts and configuration files that allows someone to covertly maintain access to a computer so that he can issue commands and scavenge data without alerting the system's owner.

                  Depending on where they are installed there are various types of rootkits:

                  • Kernel Level Rootkits

                  • Hardware/Firmware Rootkits

                  • Hypervisor (Virtualized) Level Rootkits

                  • Boot loader Level (Bootkit) Rootkits

                  • Application/Library Level (user-mode) Rootkits, which replace or hook user-space binaries and shared libraries

                  NTFS DATA Stream

                  Alternate Data Stream (ADS) support was added to NTFS (from Windows NT 3.1 onward) to support Macintosh Hierarchical File System (HFS) clients, which use resource forks to store icons and other metadata for a file. Because Explorer and a plain dir listing show only the main stream, data hidden in a stream such as report.txt:hidden.exe goes unnoticed unless someone looks specifically: dir /R lists streams on Windows Vista and later, and Sysinternals streams.exe finds them on any NTFS volume. Stream contents are lost when the file is copied to a FAT/exFAT volume, which is one way to strip them.

                  Steganography

                  The art of hiding a data inside another data/medium is called steganography.

                  For eg: hiding data within an image file

                  The file that carries the hidden data is the cover (overt) file, the hidden message itself is the covert data, and the combined result is the stego file.

                  Types of Steganography :-

                  • Image Steganography

                  • Document Steganography

                  • Folder Steganography

                  • Video Steganography

                  • Audio Steganography

                  • White Space Steganography

                  • Covering Tracks

                    Once an attacker finishes his work, he wants to erase all tracks that would let investigators trace the activity back to him. This can be done by:

                    1. Disable auditing.

                    2. Clearing logs.

                    3. Modifying logs, registry files.

                    4. Removing all files and folders created.

                    Clearing logs is itself a signal: on Windows, clearing the Security log leaves Event ID 1102 ("The audit log was cleared"), and a sudden gap in otherwise continuous logs, or a copy already forwarded to a SIEM, still betrays the intrusion. Defenders should forward logs off the host and alert on 1102 and on changes to the audit policy.

                    _____________________________________________________________________________________

                    MALWARE THREATS

                    Malware is malicious software which, once it enters the target host, gives an attacker full or limited control over the target. It can damage or modify the functionality of the host and help the attacker steal or destroy information.

                    • Various types of malware

                      • Virus

                      • Trojans

                      • Worms

                      • Rootkits

                      • Spyware

                      • Ransomware

                      • Virus

                        A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document.

                        • It infects other programs,

                        • Alters Data

                        • Transforms itself

                        • Encrypts Itself

                        • Corrupt files and Programs

                        • Self Propagates

                        Different types of Viruses:

                        Boot sector virus: Overwrites the boot sector (or MBR) with its own code and moves the original boot sector to another location on the disk, so the virus runs before the operating system does.

                        File overwriting virus: Replaces the content of the host file with its own code, leaving the file unusable. A cavity (spacefiller) virus instead writes itself into unused space inside the file, so the file size does not change.

                        Encrypting virus (crypter): Encrypts its own body with a varying key and carries a small decryptor, so each copy looks different to signature scanners; only the decryptor stays constant.

                        Polymorphic virus: The virus code mutates itself by keeping the algorithm intact.

                        Tunnelling virus: Traces the interrupt chain down past interceptor programs (including anti-virus monitors) that hook operating system requests, so that it reaches the original BIOS/DOS handlers and installs itself beneath the monitoring.

                        Macro Virus: Infects Microsoft Office documents such as Word and Excel files. They are usually written in the application's macro language, Visual Basic for Applications (VBA).

                        Cluster Virus: Modifies the directory entries so it always directs the user to the virus code instead of the actual program

                        Stealth virus: Intercepts the anti-virus program's calls to the operating system and returns an uninfected version of the requested file or sector, thereby evading detection.

                        Extension virus: Hides the real extension of the infected file (for example report.pdf.exe, shown as report.pdf when Windows hides known extensions), deceiving the user into opening it.

                        Metamorphic Virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.

                        Add-on Virus: Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their own code at the beginning.

                      • Trojans

                        Trojans are malicious programs that an attacker uses to create a backdoor without the user's knowledge. A Trojan may delete or replace critical operating system files, steal data, send notifications to the remote attacker, and give him remote control of the target. Trojans hide behind a genuine program or file so the user does not notice them; behind the original program, the Trojan opens a backdoor connection to the attacker. It has three parts:

                        1. Dropper: This is the code which installs malicious code into the target.

                        2. Malicious code: This is the code which exploits the system and gives the attacker control over the target.

                        3. Wrapper: Wrapper wraps dropper, malicious code, genuine code into one exe package.

                          When victims try to download an infected file, dropper installs the malicious code first and then the genuine program.

                        Purpose of Trojans

                        • Steal information such as passwords, security codes, credit card information using keyloggers

                        • Make the victim's PC part of a botnet used for DDoS attacks, spamming and mass e-mail blasts

                        • Delete or replace OS critical files

                        • Generate fake traffic to create DoS

                        • Download spyware, adware and malware

                        • Record screenshots, audio and video of victim´s PC

                        • Disable the firewall and anti-virus

                        • Use the victim's PC as a proxy server for relaying attacks


                        There are various types of Trojans like

                        • Hypervisor Trojan

                        • HTTP/HTTPS Trojan

                        • Remote access Trojan

                        • FTP Trojans

                        • VNC Trojans

                        • Banking Trojans

                        • DOM based Trojan

                        • Destructive Trojan

                        • Botnet Trojan

                        • Proxy Trojan

                        • Data hiding Trojan

                        Countermeasures:

                        • Avoid opening emails from unknown users

                        • Do not download free software from untrusted sites

                        • Always upgrade and keep firewalls, IDS and anti-virus updated with latest patches and signatures

                        • Block all unnecessary ports

                        • Periodically check startup programs and processes running to find any malicious files running.

                        • Worms

                          Definition:

                          The worm is a standalone malicious program which spreads from computer to computer, but unlike a virus, it has the capability to travel without any human action. A worm takes advantage of file or information transport features on the system, which is what allows it to travel unaided. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.

                          Difference between Worms and Viruses

                          Virus:

                          • A virus is a program that replicates, i.e. it spreads from file to file on your system

                          • It may be programmed to erase or damage data.

                          • A virus is a set of code which adds itself to existing files.

                          Worm:

                          • A worm is a malicious program that originates on a single computer and searches for other computers connected through a local area network or Internet Connection.

                          • When a worm finds another computer, it replicates itself onto that computer and continues to look for other connected computers on which to replicate.

                          • A worm continues to attempt to replicate itself indefinitely or until a self-timing mechanism halts the process.

                          • It does not infect other files.

                          • A worm code is a stand-alone code. In other words, a worm is a separate file.

                          • Rootkits, Spyware and Ransomware

                            Rootkits

                            A rootkit is a collection of malicious computer software created to get access to a target computer and often hides its existence or the existence of other software. The term rootkit is a concatenation of "root" (the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool).

                            A rootkit can be installed by an attacker directly or remotely by exploiting a vulnerability. Once installed, it hides and runs with administrator (or kernel) privileges. Rootkit detection is difficult because the rootkit intercepts the operating system calls that anti-virus software relies on and returns clean results, and it duplicates or replaces system files so that the replacements look legitimate.

                            Methods of Detection:

                            • Behavioural-based methods

                            • signature scanning,

                            • Integrity scanning by taking snapshots

                            • Memory dump analysis.

                            The usual solution is to reinstall the operating system.

                            When dealing with firmware rootkits, removal may require hardware replacement or specialized equipment.

                            Spyware

                            Spyware, once installed on the target, monitors every action of the user and reports to the remote attacker. Cookie theft, password theft, identity theft and information theft are common attacks carried out with spyware.

                            Ransomware

                            These are malicious software which restricts access to computer system files and folders asking for an online ransom amount to remove the restrictions.

                            Usually, they encrypt the data, making the user pay them a huge ransom to get the decrypted data.

                          • How to Detect Malicious Software

                            • There is a degradation of system performance

                            • New folders and files on the system

                            • Unknown processes running in the task manager

                            • Scan for suspicious ports

                            • Scan for suspicious registry entries

                            • New programs in the startup section

                            Tools used for monitoring: CurrPorts, Process Explorer, TCPView and RegScanner are a few tools

                            Countermeasures:

                            • Turn on the firewall

                            • Use updated Anti-virus, IDS

                            • Shut down unnecessary ports

                            • Scan for the process running periodically

                            • Run anti-spyware anti-adware

                            • Do not open files which look suspicious

                            • Do not open emails from unknown users or suspicious attachments

                            _____________________________________________________________________________________

                            SNIFFING

                            • Sniffing and its Types

                              What is Sniffing?

                              Sniffing is a process of monitoring and capturing all data packets passing through given network. Sniffers are used by network/system administrator to monitor and troubleshoot network traffic. Attackers use sniffers to capture data packets containing sensitive information such as password, account information etc. Sniffers can be hardware or software installed in the system. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic.

                              There are two types:

                              Active Sniffing:

                              Sniffing on a switched network is active sniffing. A switch forwards each frame only to the port on which it has learned the destination MAC address, so a sniffer on another port sees nothing but broadcasts and its own traffic. To capture traffic between two targets, the sniffer has to actively inject traffic into the LAN (MAC flooding, ARP poisoning, DHCP or DNS spoofing) to redirect the frames through itself. This can be done in various ways, described below.

                              Passive Sniffing:

                              This is sniffing on a hub, or on any non-switched or unbridged network segment: the hub repeats every frame to every port, so all traffic on that segment can be seen by every machine on it. Sniffers operate at the data link layer, putting the network card into promiscuous mode so that it accepts frames addressed to other hosts. This is called passive because the attacker's sniffer simply waits for data to be sent and captures it without injecting anything.

                            • ARP and CAM Table

                              ARP Table

                              Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. A table is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

                              [Figure: ARP table functions. Source: www.pnj.ac.id]

                              CAM Table

                              Content Addressable Memory (CAM) table is a system memory construct used by Ethernet switch logic which stores information such as MAC addresses available on physical ports with their associated VLAN Parameters. The CAM table, or content addressable memory table, is present in all switches for layer 2 switching. This allows switches to facilitate communications between connected stations at high speed and in full-duplex regardless of how many devices are connected to the switch. Switches learn MAC addresses from the source address of Ethernet frames on the ports, such as Address Resolution Protocol (ARP) response packets.

                              [Figure: CAM table. Source: http://www.ciscopress.com/articles/article.asp?p=2348265&seqNum=2]

                              Protocols vulnerable to sniffing

                              Telnet and Rlogin: Keystrokes including usernames and passwords.

                              HTTP: Data sent in clear text.

                              SMTP: Passwords and data sent in clear text.

                              NNTP: Passwords and data sent in clear text.

                              POP: Passwords and data sent in clear text.

                              FTP: Passwords and data sent in clear text.

                              IMAP: Passwords and data sent in clear text.

                            • Active Sniffing Attacks

                              Mac-Attacks:

                              MAC flooding is an attack in which the switch's CAM table is flooded with frames carrying random, fake source MAC addresses. Once the table is full, the switch can no longer learn where hosts are and falls back to flooding frames out of all ports, behaving like a hub, so the attacker can sniff everything.

                              ARP Spoofing:

                              The attacker sends forged ARP replies that associate the IP address of a trusted host (typically the default gateway) with the attacker's own MAC address. Hosts that accept the reply update their ARP cache and send frames meant for the trusted host to the attacker, who can now sniff them (and forward them on, to stay unnoticed).

                              ARP Poisoning:

                              Attacker chooses targets and floods their ARP cache with forged entries thus replacing the MAC address of targets with MAC address of attacker. ARP poisoning is used in Man in the middle attack.

                              [Figure: ARP poisoning. Source: http://www.shortestpathfirst.net/2010/11/18/man-in-the-middle-mitm-attacks-explained-arp-poisoining/]

                              Man-in-the-middle Attack:

                              It’s a targeted attack, where attacker sniffs the traffic and chooses targets. It uses ARP poisoning method to forge fake ARP request/reply to targets forcing them to update their ARP cache with MAC address of Attacker machine in the place of the genuine target. So the traffic between target’s will be split into two. One connection between target1 and attacker and other between target2 and attacker. So the attacker being the man in the middle can modify/replay the traffic. He will be able to capture sensitive information between the targets.

                              [Figure: man-in-the-middle. Source: www.gregsowell.com]
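The ARP spoofing and poisoning attacks above, as an added example that is not code from the original notes: it builds the forged "is-at" reply an attacker sends to claim the gateway's IP, parses it back, and runs an arpwatch-style check over a constructed capture that raises an alert when a known IP is suddenly claimed by a different MAC (the same logic switch Dynamic ARP Inspection applies against its DHCP snooping table). All addresses are made up; nothing is put on the wire, which on Linux would need an AF_PACKET raw socket and root.

```python
import struct

# Added example, not from the original notes. Forged ARP reply construction
# plus IP-to-MAC change detection over a constructed capture. Addresses are
# made up.

ETH_P_ARP = 0x0806

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet header + ARP reply (opcode 2). A poisoning attacker sets
    sender_ip to the gateway's IP and sender_mac to its own MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)     # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    smac, sip, tmac, tip = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    fmt_mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": fmt_mac(smac), "sender_ip": ".".join(map(str, sip)),
            "target_mac": fmt_mac(tmac), "target_ip": ".".join(map(str, tip))}

def detect_poisoning(frames) -> list:
    """Learn IP -> MAC bindings from ARP replies and alert when a known IP is
    claimed by a different MAC. Returns (frame_index, ip, old_mac, new_mac)."""
    bindings, alerts = {}, []
    for n, frame in enumerate(frames):
        arp = parse_arp(frame)
        if not arp or arp["op"] != "reply":
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in bindings and bindings[ip] != mac:
            alerts.append((n, ip, bindings[ip], mac))
        bindings.setdefault(ip, mac)        # keep the first-seen binding as the trusted one
    return alerts

GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"

CAPTURE = [   # constructed: two legitimate replies, then the attacker's forged one
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for alert in detect_poisoning(CAPTURE):
        print("ALERT frame %d: %s moved from %s to %s" % alert)
```

The detector's weakness is the same as arpwatch's: it trusts whichever binding it saw first, so it must be running before the attack starts, and it cannot tell a poisoning attempt from a legitimate NIC replacement without an out-of-band inventory. Static ARP entries on critical hosts and Dynamic ARP Inspection on the switch close that gap.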

                            • DHCP Poisoning

                              Introduction

                              Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses and related settings to DHCP-enabled clients. The server holds a pool of valid IP addresses together with TCP/IP configuration parameters (subnet mask, default gateway, DNS servers) and the lease time it offers. When a client needs an address it broadcasts a request; the server offers an address, the client accepts it, and the server acknowledges the lease. The four messages (Discover, Offer, Request, Acknowledge) are described below.

                              [Figure: DHCP exchange. Source: http://l4wisdom.com]

                              The DHCP client requests an IP address by broadcasting a DHCP Discover message to the local subnet.

                              The client is offered an address when a DHCP server responds with a DHCP Offer message containing an IP address and configuration information for lease to the client.

                              The client indicates acceptance of the offer by selecting the offered address and broadcasting a DHCP Request message in response.

                              The client is assigned the address and the DHCP server broadcasts a DHCP Ack message in response, finalizing the terms of the lease.

                              When the client receives the acknowledgement, it configures its TCP/IP properties by using the DHCP option information in the reply and completes its initialization of TCP/IP.

                              DHCP Starvation attack:

                              DHCP Starvation

                              Source: https://www.briefmenow.org/ec-council/how-do-you-defend-against-dhcp-starvation-attack-2/

DHCP starvation is a denial-of-service attack: the attacker broadcasts a flood of DHCP Discover/Request messages, each with a different spoofed client hardware address, until every lease in the server's pool is taken and legitimate clients can no longer get an address. It is usually the first stage of DHCP spoofing: once the real server has nothing left to offer, the attacker runs a rogue DHCP server whose offers point clients at the attacker's machine as default gateway or DNS server, which again puts the attacker in the middle of their traffic.
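The detector below is an added example (not from the original page). It walks a constructed DHCP event log and flags the two things described above: a burst of Discover messages from never-before-seen client hardware addresses (starvation), and Offer/Ack messages from a server IP that is not on the trusted list (a rogue server). The trusted-server address, the MACs and the timings are assumptions made for the example. This is the same logic a switch applies with DHCP snooping: rate-limit client messages on untrusted ports and drop server messages that arrive on them.

```python
"""DHCP starvation / rogue-server detector over a constructed event log."""
from collections import deque

TRUSTED_DHCP_SERVERS = {"10.0.0.1"}      # assumption: the one legitimate server


def build_sample_events():
    """Constructed log of (ms, message type, client MAC, server IP or None)."""
    ev = [
        (0,   "DISCOVER", "00:11:22:33:44:01", None),
        (100, "OFFER",    "00:11:22:33:44:01", "10.0.0.1"),
        (200, "REQUEST",  "00:11:22:33:44:01", "10.0.0.1"),
        (300, "ACK",      "00:11:22:33:44:01", "10.0.0.1"),
    ]
    # starvation burst: 60 DISCOVERs with fabricated MACs, 20 ms apart
    for i in range(60):
        ev.append((3000 + i * 20, "DISCOVER", f"02:00:00:00:00:{i:02x}", None))
    # once the pool is empty the attacker's own server answers the next client
    ev.append((5000, "DISCOVER", "00:11:22:33:44:02", None))
    ev.append((5100, "OFFER",    "00:11:22:33:44:02", "10.0.0.99"))
    return ev


def detect_dhcp_abuse(events, trusted_servers, window_ms=10_000, max_new_clients=20):
    """Return (starvation, rogue).

    starvation: (ms, count) the first time more than max_new_clients new
                MACs sent DISCOVER inside one window, or None
    rogue:      list of (ms, type, server_ip) for OFFER/ACK from untrusted servers
    """
    seen_macs = set()
    recent = deque()            # timestamps of first-seen DISCOVERs inside the window
    starvation = None
    rogue = []
    for ms, mtype, chaddr, server in events:
        if mtype == "DISCOVER" and chaddr not in seen_macs:
            seen_macs.add(chaddr)
            recent.append(ms)
            while recent and ms - recent[0] > window_ms:
                recent.popleft()
            if starvation is None and len(recent) > max_new_clients:
                starvation = (ms, len(recent))
        elif mtype in ("OFFER", "ACK") and server not in trusted_servers:
            rogue.append((ms, mtype, server))
    return starvation, rogue


if __name__ == "__main__":
    print(detect_dhcp_abuse(build_sample_events(), TRUSTED_DHCP_SERVERS))
```

The threshold has to be tuned to the segment: a classroom where 30 laptops boot at 09:00 looks like a small starvation burst, so the window and count should be set from observed baselines rather than the defaults used here.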

                              DNS poisoning attack:

                              DNS Poisoning

                              Source: https://www.keycdn.com/support/dns-spo

The attacker sends forged DNS responses to a resolver so that a fake record for the target domain is stored in its cache. For a forged response to be accepted it must arrive before the genuine one and match the outstanding query's transaction ID and UDP source port, so the attack is a race: the attacker triggers a lookup and floods the resolver with guesses. Once the cache is poisoned, every client that asks that resolver for the domain is handed the attacker's IP address and is redirected to a fake or malicious website for as long as the record's TTL lasts.
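To make the transaction-ID and source-port check concrete, here is a toy caching resolver as an added example (not from the original page). It accepts a response only if the response matches a pending query's (transaction ID, port) pair and answers the name that was actually asked (a minimal bailiwick check). A resolver with sequential IDs and a fixed port is poisoned with a single forged reply; one with random IDs and ports is not. The race against the legitimate reply is not modelled, and all names and addresses are invented.

```python
"""Toy stub resolver illustrating DNS cache poisoning and its defences."""
import random


class ToyResolver:
    def __init__(self, sequential_ids=False, fixed_port=False, rng=None):
        self.rng = rng or random.Random()
        self.sequential_ids = sequential_ids   # weak: transaction IDs go 1, 2, 3, ...
        self.fixed_port = fixed_port           # weak: always UDP source port 53
        self.next_id = 1
        self.pending = {}                      # name -> (txid, src_port)
        self.cache = {}                        # name -> ip

    def query(self, name):
        """Send a query upstream; record what a valid reply must match."""
        if self.sequential_ids:
            txid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF
        else:
            txid = self.rng.randrange(1 << 16)
        port = 53 if self.fixed_port else self.rng.randrange(1024, 1 << 16)
        self.pending[name] = (txid, port)
        return txid, port

    def deliver(self, name, txid, dst_port, answer_name, ip):
        """Process an incoming response; return True if it was cached."""
        if self.pending.get(name) != (txid, dst_port):
            return False                       # ID/port mismatch: dropped
        if answer_name != name:
            return False                       # out-of-bailiwick record: ignored
        self.cache[name] = ip
        del self.pending[name]
        return True


def poisoning_attempt(resolver, target, attacker_ip, guesses):
    """The attacker makes the resolver look up `target`, then fires forged
    replies for every (txid, port) guess. True if the fake record is cached."""
    resolver.query(target)
    return any(resolver.deliver(target, t, p, target, attacker_ip) for t, p in guesses)


def demo():
    # Weak resolver: the attacker first triggers a lookup of his own domain,
    # observes transaction ID 1 on port 53, and predicts the next query is (2, 53).
    weak = ToyResolver(sequential_ids=True, fixed_port=True)
    weak.query("attacker.example")
    weak_hit = poisoning_attempt(weak, "bank.example", "203.0.113.66", [(2, 53)])

    # Hardened resolver: random ID and random source port (seeded here only so
    # the example is reproducible). 256 guesses aimed at port 53 all miss.
    strong = ToyResolver(rng=random.Random(1234))
    strong.query("attacker.example")
    strong_hit = poisoning_attempt(strong, "bank.example", "203.0.113.66",
                                   [(t, 53) for t in range(256)])
    return weak_hit, strong_hit


def guesses_needed(randomize_port):
    """Size of the search space one forged reply has to hit."""
    return (1 << 16) * ((1 << 16) - 1024 if randomize_port else 1)


if __name__ == "__main__":
    print(demo(), guesses_needed(False), guesses_needed(True))
```

Source-port randomisation raises the work from 2^16 to roughly 2^32 guesses per race, which is why it was the emergency fix for the 2008 resolver attacks; DNSSEC removes the guessing game entirely, because a forged record without a valid signature is rejected no matter how well the ID is guessed.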

                              Countermeasures:

• Enable port security on switch ports to limit the MAC addresses allowed per port.

• Enable DHCP snooping, and Dynamic ARP Inspection (DAI), which drops ARP packets that do not match the DHCP snooping binding table; mark only the real DHCP server's port as trusted.

• Use HTTPS instead of HTTP.

• Use SFTP (or FTPS) instead of FTP.

• Use SSH instead of Telnet.

• Avoid clear-text protocols in general; an attacker in the middle can still see where you connect, but not what you send.

• Always encrypt wireless traffic with WPA2 or WPA3.

• Check whether any NICs on the network are running in promiscuous mode.

• Implement DNSSEC on authoritative servers and validate it on resolvers; make sure resolvers randomise their source ports.

• Use a firewall.

                              Some tools:

• Cain & Abel

                              • Yersinia for DHCP starvation

                              • Wireshark

                              • _____________________________________________________________________________________SOCIAL ENGINEERING

                              • Introduction

Social engineering is the art of convincing people to reveal confidential information. By taking advantage of basic human nature, such as trust, helpfulness or a lack of knowledge, the attacker deceives people into revealing sensitive information or performing an action (opening an attachment, resetting a password) that gives the attacker access.

                                The social engineering attacks can be grouped into three types:

                                1. Human-based

                                2. Mobile-based

                                3. Computer-based

                                Human-Based Attacks:

                                Impersonation: Acting like someone else to get access to the information.

                                They may act as a legitimate user and request for information or they pose as a higher authority and may ask for sensitive information or they pose as a technical support person and try to gather sensitive and confidential details.

Other human-based attacks are:

Tailgating: When an authorised person enters a restricted area, the unauthorised person slips in behind them without the employee's knowledge.

                                Piggybacking: Here the attacker may pose as an employee and ask the authorised employee to allow him to enter along with him. He may give fake reasons like he forgot his smart badge, etc.

                                Dumpster Diving: Any confidential or sensitive document should be properly shredded before disposed into the dustbin. If not, an attacker may just look into the dustbin to access the confidential information.

                                Eavesdropping: Unauthorised listening to conversations thereby collecting important data is called as eavesdropping.

                                Shoulder surfing: It is a direct observation technique like looking over someone’s shoulder to know the sensitive information like password, pin numbers, etc.

Why social engineering works:

Security policies are loose or not enforced.

Individuals are unaware of the consequences of social engineering attacks.

A social engineering attack is difficult to detect, because it uses ordinary channels (a phone call, an e-mail, a visitor at the door) and leaves few technical traces.

Defending against it is also an individual responsibility; it cannot be delegated entirely to the security team.

No hardware or software tool prevents it on its own; technical controls such as spam filtering and multi-factor authentication only limit what a successful deception can achieve.

                              • Computer and Mobile Based Social Engineering

                                Computer-Based Social Engineering:

                                Hoax Letters: These are fake emails sending warnings about malware, virus and worms causing harm to the computers.

Chain letters: Messages asking people to forward them to others, typically promising money or good luck in return.

                                Spam Messages: These are unwanted irrelevant emails trying to gather information about users.

                                Instant Chat messengers: Gathering personal information from a single user by chatting with them.

                                Phishing: Creating a cloned fake website trying to gather sensitive information about users. It can be done by sending a fake email as though coming from an original website and then trying to collect confidential information.

                                Phishing can also be executed through fake mobile applications.

                                Mobile based Attacks:

                                SMS based: Sending a fake SMS saying that the user has won a bounty, urging him/her to register with confidential information or try and collect other important details.

                                Through Malicious Apps: Applications downloaded from third party sources may be malicious; they can access authentication information and other sensitive details.

                                Through Email and messengers: Attackers can send spam emails or malicious links through messenger applications. When the victim clicks on it- he may be redirected to a malicious site, or a malware could be downloaded or it may lead to some other malicious activity.

                                Social engineering on corporate side:

                                Find an insider: It can be a disgruntled employee who may be the target.

                                Develop relationship: Develop a friendship with this person and maintain this relationship to the point he trusts you.

                                Exploit the relationship: Extract the information about the company and other sensitive information exploiting the trust that he placed in you.

                                Insider Attacks:

                                An insider attack is very difficult to detect. If a disgruntled employee wants to take revenge; he can install malicious applications to steal/modify information, causing significant damage to the organization or he can be bribed by the competitor to reveal or steal company secrets, intellectual property information, etc.

                                Countermeasures:

                                • Educating the employees about the security policies and frameworks, best practices, etc.

                                • Creating awareness among the users and employees about social engineering attacks.

• Enforcing strict physical perimeter controls and strong authentication mechanisms (multi-factor authentication limits what a phished password is worth).

                                • Coming up with effective security policies.

                                • Enforcing proper access privileges.

                                • Classifying information and protecting access to them.

                                • Using Updated antivirus, anti-phishing tools.

                                • Monitoring and auditing.

                                • _________________________________________________DENIAL OF SERVICE

                                • Introduction

                                  Denial of service attack (DOS) is an attack against computer or network which reduces, restricts or prevents accessibility of its system resources to authorized users.

                                  Distributed Denial of Service (DDoS) attack is an attack where multiple compromised systems simultaneously attack a single system; thereby, causing a DOS attack for the users of the target.

An attacker may select the zombies randomly or topologically; once they are compromised, he sets up a command-and-control (C2) server to direct them against the target. A bot is malicious software installed on a compromised machine that gives the attacker control over it; a network of bots is called a botnet.

                                  DOS attack

                                  Source: https://www.infoworld.com/article/3144471/security/ntp-fixes-denial-of-service-flaws.html

                                  Types of DOS:

                                  Volumetric attacks:

This is an attack that consumes the entire bandwidth of a network or link, so that authorised clients cannot reach the resources behind it. It is achieved by flooding the target's links and network devices with a large volume of packets, for example ICMP echo request/reply packets, until no other traffic can get through to the target network.

                                  Syn flooding:

In a SYN flood the attacker, usually through multiple zombies, floods the target with TCP SYN packets and never completes the handshake (often from spoofed source addresses, so the target's SYN-ACKs go nowhere). Each SYN occupies a half-open entry in the target's connection backlog; when the backlog is full, new legitimate connections are refused, so the target either goes down or its performance drops drastically.

                                  Syn flooding

                                  Source: https://swordfish.wordpress.com/2006/03/16/denial-of-service-attacks-dos/
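The half-open-connection behaviour is what a SYN-flood detector watches for. The following is an added example (not from the original page): it replays a constructed packet summary against one server address, opens a half-open entry on each SYN, closes it on the client's final ACK, and reports the peak backlog and the moment it exceeded the limit. The server address, client addresses and the backlog size are assumptions for the example.

```python
"""SYN-flood detector over a constructed packet summary."""

SERVER = "10.0.0.5"      # assumption: the server being protected


def build_sample_packets():
    """Constructed list of (ms, src, dst, tcp_flags) for one server port."""
    pkts = []
    for i in range(5):                           # five legitimate handshakes
        c, base = f"10.1.1.{i + 1}", i * 100
        pkts += [(base, c, SERVER, "S"), (base + 10, SERVER, c, "SA"), (base + 20, c, SERVER, "A")]
    for i in range(300):                         # flood: spoofed sources, no final ACK
        c = f"198.51.100.{i % 250 + 1}"
        pkts += [(1000 + i, c, SERVER, "S"), (1000 + i, SERVER, c, "SA")]
    return sorted(pkts)


def syn_flood_stats(packets, server, backlog=100, syn_recv_timeout_ms=5000):
    """Return (peak_half_open, completed_handshakes, first_alert_ms_or_None)."""
    half_open = {}          # client -> ms of its SYN (models the SYN-RECV table)
    completed = 0
    peak = 0
    first_alert = None
    for ms, src, dst, flags in packets:
        # drop entries the kernel would have timed out by now
        for c in [c for c, t in half_open.items() if ms - t > syn_recv_timeout_ms]:
            del half_open[c]
        if dst != server:
            continue                             # only traffic towards the server matters
        if flags == "S":
            half_open[src] = ms
        elif flags == "A" and src in half_open:
            del half_open[src]                   # third handshake packet: connection established
            completed += 1
        peak = max(peak, len(half_open))
        if first_alert is None and len(half_open) > backlog:
            first_alert = ms
    return peak, completed, first_alert


if __name__ == "__main__":
    print(syn_flood_stats(build_sample_packets(), SERVER))
```

The same statistic is what SYN cookies sidestep: with cookies enabled the server keeps no state for a half-open connection at all, encoding what it needs into the SYN-ACK's sequence number, so the backlog cannot be exhausted in the first place.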

                                  Fragmentation attacks:

                                  This is an attack that fights against the reassembling ability of the target. Numerous fragmented packets are sent to the target, making it difficult for the target to reassemble them; thereby, denying access to the valid clients.

                                  TCP-State exhaustion attack:

The attacker sets up and tears down large numbers of TCP connections, or leaves them half-open, to exhaust the connection state tables of the target server, firewall or load balancer, thereby causing a denial of service.

                                  Application Layer Attacks:

The attacker takes advantage of programming errors in the application, or simply of its capacity limits, to cause a denial of service. It is achieved by sending numerous legitimate-looking application requests (for example expensive search queries or a flood of HTTP GETs) that exhaust the target's resources so it cannot serve valid clients. A programming error such as a buffer overflow, where input larger than the buffer allocated for it is written past the buffer's end, corrupts adjacent memory and can crash the entire application.

                                  application layer attacks

                                  E.g., Buffer overflow attack, Account lockout, Request flooding, etc.

Phlashing (permanent denial of service):

This is done by causing permanent damage to the system hardware, for example by sending a fraudulent firmware update to a device so that it no longer boots, making it completely unusable. The only remedy is to reflash the device through a recovery path or to replace the hardware.

                                  Counter Measures:

                                  • Use up-to-date anti-virus and IDS tools.

                                  • Perform network analysis to find out the possibility of DOS attack.

                                  • Shut down unnecessary services in the target network.

                                  • Find and neutralize handlers. Protect secondary victims.

                                  • Perform proper activity profiling and ingress/egress filtering to filter out unwanted traffic.

                                  • Enforce in-depth packet Analysis.

                                  • Use Defense-in–depth approach.

                                  • Add additional load balancers to absorb traffic and set up a throttle logic to control traffic.

                                  • Correct program errors.

                                  • Use Strong encryption mechanisms.

                                  • _________________________________________________SESSION HIJACKING

                                  • Introduction

                                    Session hijacking is defined as taking over an active TCP/IP communication session without the user’s permission. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user. Identity theft, Information theft, stealing sensitive data are some of the common impacts of session hijacking.

                                    session hijacking

                                    Source: http://techgenix.com/understanding-man-in-the-middle-attacks-arp-part3/

                                    Types of session hijacking attacks:

                                    There are two types of session hijacking depending on how they are done. If the attacker directly gets involved with the target, it is called active hijacking, and if an attacker just passively monitors the traffic, it is passive hijacking.

                                    Active:

The attacker silences one of the machines, usually the client computer, and takes over the client's position in the exchange between the workstation and the server. An active attack also lets the attacker issue commands on the network, for example to create new user accounts, which can later be used to gain access without having to perform the session hijack again.

                                    active session hijacking

                                    Source: https://www.hackingloops.com/session-hijacking-how-to-hack-online-sessions/

                                    Passive:

                                    In Passive session hijacking attack, the attacker monitors the traffic between the workstation and server. The primary motivation for the passive attack is to monitor network traffic and potentially discover valuable data or passwords.

                                    passive session hijacking

                                    Source: https://www.malwarefox.com/session-hijacking/

                                  • Session Hijacking Process

                                    session hijacking process

                                    Source: https://www.slideshare.net/teknetir/cehv9-module-10-session-hijacking

                                    The first step in the session hijack attack is locating a target user. Attackers look for two things prior to their attack- first, they look for networks that have a high level of utilization; high volume networks help attackers to remain anonymous and they also provide a healthy supply of users to choose from, which also helps the attack. Secondly, users who use insecure network protocols such as Telnet, rlogin (remote login), and FTP (file transfer protocol) are easy targets due to their inherently insecure design. Packet sniffing software can be used to sniff network traffic for the purpose of locating vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can also be used to identify servers that have FTP, Telnet, or rlogin ports open.

                                    1. Sniffing into Active Session:

                                    The attacker then finds an active session between the target and another machine and places himself between them. Using a sniffer like Wireshark, he captures the traffic and tries to gather information about the session.

                                    2. Monitor:

                                    He then monitors the traffic for vulnerable protocols like HTTP, telnet, rlogin, etc., and tries to find any valid authentication packets passing through.

                                    3. Session Id Retrieval:

The attacker tries to obtain or predict the value that identifies the session. At the application level that is the session ID (a cookie or URL token); at the network level it is the TCP sequence number. Sequence number prediction is a critical step: a segment with the wrong sequence number is simply dropped by the server, which replies with an acknowledgement of what it did expect, and repeated wrong guesses generate traffic that makes the attack easier to detect.

                                    4. Stealing:

                                    In application-level hijacking, active attacks are pursued to steal the session Id. Man in the middle attack, cross-site scripting, sniffing are used to steal the session id.

Brute Forcing: Guessing the session ID by trying many values. This is time-consuming and only practical when IDs are short, sequential or otherwise low in entropy.

While sequence number guessing can be done manually by skilled attackers, software tools are available to automate the process.

                                    5. Take One of the Parties Offline:

                                    Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial of service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network causing the workstation and the server to repeatedly attempt to synchronize their connections; resulting in a condition known as an ACK storm.

                                    6. Take over the Session and Maintain the Connection:

                                    The final phase of the session hijack attack entails taking over the communication session between the workstation and server. The attacker will spoof their client IP address, to avoid detection, and include a sequence number that was predicted earlier. If the server accepts this information, the attacker has successfully attacked the communication session.
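The six steps above, reduced to a simulation as an added example (not from the original page): predict the sequence number from observed ISNs, take the client offline, then inject a segment with the client's spoofed IP. The toy server accepts a segment only when it arrives from the connection's client address with exactly the next expected sequence number; real stacks accept anything inside the receive window, which makes the guess easier, not harder. The ISN samples and addresses are invented.

```python
"""Toy TCP session hijack: ISN prediction and spoofed segment injection."""
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


def predict_next_isn(observed_isns):
    """Classic ISN prediction: if the ISN of each new connection differs from
    the previous one by a constant step, return the next ISN; else None
    (modern stacks use randomised ISNs, so this returns None for them)."""
    steps = {(b - a) & MASK32 for a, b in zip(observed_isns, observed_isns[1:])}
    if len(steps) == 1:
        return (observed_isns[-1] + steps.pop()) & MASK32
    return None


@dataclass
class ServerConnection:
    client_ip: str
    rcv_nxt: int                          # next sequence number the server expects
    received: list = field(default_factory=list)
    dup_acks_sent: int = 0                # ACKs sent for out-of-sequence segments

    def accept(self, src_ip, seq, payload):
        """Return True if the segment is accepted into the stream."""
        if src_ip != self.client_ip:
            return False                  # not this connection's 4-tuple
        if seq != self.rcv_nxt:
            # wrong sequence: dropped, server re-ACKs what it expected. If the
            # real client is still online this exchange becomes an ACK storm.
            self.dup_acks_sent += 1
            return False
        self.received.append(payload)
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & MASK32
        return True


def hijack(conn, sniffed_next_seq, payload):
    """Steps 5 and 6: with the client silenced (by a DoS, not modelled here), the
    attacker sends one segment spoofing the client's IP and the predicted seq."""
    return conn.accept(conn.client_ip, sniffed_next_seq, payload)


if __name__ == "__main__":
    conn = ServerConnection(client_ip="10.1.1.5", rcv_nxt=1001)
    print(hijack(conn, 999, b"id\n"), hijack(conn, 1001, b"id\n"), conn.received)
```

The simulation shows why passive sniffing (step 1) matters so much at the network level: an attacker who can see the stream knows the exact next sequence number and never has to guess, while a blind attacker off-path depends entirely on predictable ISNs.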

                                  • Session Hijacking Levels

                                    Session Hijacking can be done at two levels:

                                    1. Network Level

                                    2. Application Level

                                    Network Level hijacking includes TCP and UDP sessions.

                                    Application Level hijacking occurs with HTTP Sessions.

                                    Application Level Hijacking:

                                    Here the valid session token is stolen or predicted to take over the session. Various attacks involved here are-

                                    Man in the middle attack:

                                    By using automated tools/spoofing methods the attacker splits the connection between the targets into two. One connection between the client and attacker and another one between attacker and server. Since the attacker becomes the man in the middle, all the traffic goes through him, hence he can capture the session Id.

                                    Cross-site scripting:

Client-side vulnerabilities such as XSS let an attacker inject a script into the page that reads the session ID (for example from document.cookie, when the cookie is not marked HttpOnly) and sends it to the attacker.

                                    Using Proxy:

                                    By setting up a proxy and causing the traffic to flow through the proxy, one can capture the session Id details.

                                    Man-in the–Browser:

A Trojan installed in the victim's browser (for example a malicious browser extension) reports the session ID to the attacker, or silently alters transactions inside the browser while the session remains fully authenticated.

                                    Session Replay:

                                    Capturing the authentication packets by sniffing the traffic; replaying those packets after a time interval may cause the attacker to successfully login to the session of the authorized user.

                                  • Network or TCP Session Hijacking

                                    TCP guarantees delivery of data, and also guarantees that packets will be delivered in the same order in which they were sent. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a "full duplex reliable stream connection between two endpoints", with the endpoints referring to the communicating hosts. The connection between the client and the server begins with a 3-way handshake.

After the handshake, each side sends data segments and advances its sequence number by the number of bytes sent, while the other side acknowledges what it has received; a receiver only accepts a segment whose sequence number falls inside its current receive window.

                                    TCP session initiation
                                    Image Source: http://www.bvkmohan.com/2011/02/tcp-flags-hackers-playground-and.html

                                    The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data; enabling him/her to forge acceptable packets for both ends, which mimic the real packets. Thus, the attacker is able to gain control of the session.

                                    TCP session hijacker

                                    Source: https://www.owasp.org/index.php/Session_hijacking_attack

                                    IP Spoofing: IP spoofing is a technique which is used to gain unauthorized access to computers where the intruder sends a message to a computer with an Ip address indicating that the message is coming from a trusted host.

                                    Man in the middle Attack: Attacker tries to get the session Id by doing ARP spoofing and man in the middle attack.

                                    man-in-the-middle attack

                                    Source: http://slideplayer.com/slide/6005679/

                                    Blind Hijacking: In cases where source routing is disabled, the session hijacker can also use blind hijacking where he injects his malicious data into intercepted communications in the TCP session. It is called blind because he cannot see the response; though the hijacker can send the data or commands, he is basically guessing the responses of the client and server.

UDP session Hijacking: UDP is a connectionless protocol that provides very few error-recovery services; it simply sends and receives datagrams over an IP network, so delivery, non-duplication and ordering are not guaranteed. UDP has no handshake and no sequence numbers, so hijacking a UDP exchange only requires forging a reply that reaches the client before the genuine one (or after silencing the real server). Query/response protocols built on UDP, DNS in particular, are the typical targets.

                                    Counter Measures:

• Use secure protocols (HTTPS, SFTP, SSH) instead of clear-text protocols like HTTP, FTP, Telnet and rlogin.

• Use long, unpredictable session IDs generated with a cryptographically secure random number generator, so that they cannot be guessed or brute-forced; encrypting or hashing a predictable value does not make it unpredictable.

• Send the session ID only over TLS, and mark the session cookie Secure and HttpOnly.

• Expire sessions after an idle timeout, and invalidate the session ID on the server when the user logs out.

• Regenerate the session ID after login and on any change of privilege (some applications go further and issue a new ID on every page).

• Use switches rather than hubs.

• Ensure server-side and client-side protection software.

• Use an IDS, or Dynamic ARP Inspection on the switches, to detect ARP spoofing/poisoning.

• Do not click on suspicious links.

• Test the web application for session-management errors.

• Using IPsec is a valid defence mechanism against network-level hijacking.
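The session-ID countermeasures above, as an added example (not from the original page): a predictable session ID (a hash of a counter, the kind of scheme that invites prediction) is recovered by brute force so the next IDs can be forged; an ID from the OS CSPRNG is not; the Set-Cookie attributes keep the ID off clear-text channels and away from scripts; and a small session store enforces idle timeout, logout and ID rotation after login. The cookie name, timeout and counter scheme are assumptions for the example.

```python
"""Session-ID strength and lifecycle checks."""
import hashlib
import secrets
import time


# --- weak: a session ID derived from a counter -------------------------
def weak_session_id(counter):
    return hashlib.sha1(f"sess-{counter}".encode()).hexdigest()


def crack_weak(observed_id, max_counter=100_000):
    """Recover the counter behind an observed ID; the attacker can then
    compute every ID issued after it."""
    for c in range(max_counter):
        if weak_session_id(c) == observed_id:
            return c
    return None


# --- strong: 256 bits from the OS CSPRNG --------------------------------
def strong_session_id():
    return secrets.token_urlsafe(32)


def cookie_header(session_id, name="SESSIONID"):
    """Secure: sent only over TLS. HttpOnly: invisible to document.cookie, so an
    XSS payload cannot read it. SameSite=Strict: not sent on cross-site requests."""
    return f"Set-Cookie: {name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


class SessionStore:
    def __init__(self, idle_timeout_s=900, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock                    # injectable so the timeout can be tested
        self._sessions = {}                   # sid -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the user of a live session, or None (unknown, expired or logged out)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]           # idle timeout: replayed ID is worthless
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid):
        """Issue a new ID for the same user; call right after login or a privilege
        change so an ID fixed or sniffed before authentication no longer works."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new = strong_session_id()
        self._sessions[new] = s
        return new

    def logout(self, sid):
        self._sessions.pop(sid, None)         # server-side invalidation, not just cookie deletion
```

Note that the weak scheme is not rescued by the hash: SHA-1 of a small counter is as predictable as the counter itself, which is the point of the countermeasure that says a long random value, not an encrypted or hashed predictable one.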

                                    • _________________________________________________HACKING WEB SERVERS

                                    • Introduction

                                    • Websites are hosted on web servers. Web servers are themselves computers running an operating system; connected to the back-end database, running various applications. Any vulnerability in the applications, Database, Operating system or in the network will lead to an attack on the web server. Vulnerability stack of a web server is given below (source: White hat security)

                                      web server attacks

                                      Source: http://black-shado.blogspot.com/2006/11/vulnerability-stack.html

                                      E.g. IIS and Apache

                                      DOS attack:

                                      An attacker may cause a denial of service attack by sending numerous service request packets overwhelming the servicing capability of the web server, or he may try to exploit a programming error in the application causing a DOS attack.

                                      E.g. buffer overflow attack, SYN flooding, HTTP get Request Flooding, Ping of death.

                                      web server attack types

                                      Source: https://blogs.manageengine.com/network/netflowanalyzer/2014/04/02/ddos-attack-detection-using-netflow-analyzer.html

                                      Website Defacement:

SQL injection attacks are one way to deface a website. When an attacker finds that input fields are not sanitised properly, he can add SQL fragments to the input so that the server-side application builds a malicious query which the database then executes. He may store malicious or unrelated data in the database (for example in the table that holds page content), so that when the website is requested it shows the attacker's content instead, i.e. a defaced website.

                                      Directory Traversal:

                                      This is vulnerability where an attacker is able to access beyond the web root directory from the application. If he is able to access beyond web root directory, he might execute OS commands and get sensitive information or access restricted directories.

                                      Misconfiguration attacks:

If unnecessary services are enabled, default configuration files are used, or verbose error information is not masked, an attacker can compromise the web server through various attacks like password cracking, error-based SQL injection, command injection, etc.

                                      Phishing Attack:

                                      An attacker may redirect the victim to malicious websites by sending him/her a malicious link by email which looks authentic, but redirects him/her to malicious web page thereby stealing their data.

                                      There are a lot of other web application attacks which can lead to a web server attack- Parameter form tampering, Cookie tampering, unvalidated inputs, SQL injection, Buffer overflow attacks.

                                      Methodology:

                                      Information Gathering:

                                      Information related to the target server is collected from various sources like

                                      • From websites

                                      • WHOIS information

                                      • Netcraft information

                                      • Banner grabbing

                                      • Port scanning with Nmap.

• Mirroring a website using HTTrack.

                                      Vulnerability Scanning:

                                      There are automated tools for scanning a web server and applications running on it. The results may show various threats and vulnerabilities on the target web server; these vulnerabilities may later be exploited using tools or manually.

                                      E.g. Acunetix, Nikto, Vega etc

                                      Password Attacks:

                                      • Guessing/Default passwords

                                      • Brute Forcing

                                      • Dictionary Attacks

                                      Countermeasures:

                                      • Update and patch web servers regularly.

                                      • Do not use the default configuration.

                                      • Store configuration files securely.

                                      • Scan the applications running on the web server for all vulnerabilities.

                                      • Use IDS and firewall with updated signatures.

                                      • Block all unnecessary protocols and services.

                                      • Use secure protocols.

                                      • Disable default accounts, follow strict access control policy.

                                      • Install Anti-virus, and update it regularly.

                                      • All OS and software used should be latest and updated.

                                      • _________________________________________________WEB APPLICATION ATTACKS

                                      • Introduction

                                        Web application provides an interface between the web server and the client to communicate. Web pages are generated at the server, and browsers present them at the client side. The data is passed between client and server in the form of HTML pages through HTTP protocol.

                                        There are client-side vulnerabilities and server-side vulnerabilities which lead to a web application attack.

                                        Attacks:

                                        Parameter Tampering:

This involves modifying parameters exchanged between client and server, which may lead to attacks such as XSS and SQL injection. Form data and query strings travel as name=value pairs, and hidden fields, cookies and URL parameters are all under the client's control. If the attacker can modify a parameter's value in transit or in the browser (a price, a user ID, a role flag) and the server trusts it without re-checking, many other attacks follow.

                                        parameter tampering

                                        Source: screenshot
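One server-side defence against the tampering just described, as an added example (not from the original page): values that must round-trip through the client are signed with an HMAC, so any modification in transit or in the browser is detected when the form comes back. The key, field names and prices are assumptions for the example; values the server can keep for itself (the price of item 1001) are better not sent to the client at all.

```python
"""Detecting tampered request parameters with an HMAC."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption: a per-deployment secret loaded from configuration, never sent to clients.
SERVER_KEY = b"example-only-key-replace-me"


def _canonical(params):
    """Deterministic serialisation: sorted keys, excluding the signature field."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))


def sign_params(params, key=SERVER_KEY):
    """Return the parameters plus an HMAC-SHA256 'sig' field."""
    sig = hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()
    return {**params, "sig": sig}


def verify_params(params, key=SERVER_KEY):
    """True only if 'sig' matches every other field (constant-time comparison)."""
    expected = hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", ""))


def parse_query(qs):
    return dict(parse_qsl(qs, keep_blank_values=True))


def demo():
    form = sign_params({"item": "1001", "price": "499.00", "qty": "1"})
    wire = urlencode(form)                          # what the browser sends back
    untouched_ok = verify_params(parse_query(wire))
    tampered = parse_query(wire.replace("price=499.00", "price=1.00"))
    return untouched_ok, verify_params(tampered)    # (True, False)


if __name__ == "__main__":
    print(demo())
```

The signature covers all fields together, so an attacker cannot mix the signed price of a cheap item with the item number of an expensive one either.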

                                        Unvalidated inputs:

Web applications accept user input, and queries and pages are constructed from that dynamic input. If the input is not properly validated and sanitised, it opens the way for attacks like XSS, SQL injection and directory traversal; identity theft and data theft are typical outcomes.

                                        Directory traversal Attack:

                                        This is a vulnerability in which an attacker is able to reach beyond the web root directory into restricted directories on the web server. The attacker may then read system files, run OS commands, access configuration information, and so on.

                                        directory tampering attack

                                        Source: https://www.pinterest.com.au/pin/433964114063467723/
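The countermeasure the section implies is to resolve every requested path and refuse anything that lands outside the web root. The following is an added example (not code from the original page); the web root `/srv/www/html` and the sample requests are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_under_webroot(webroot: str, requested: str) -> Optional[str]:
    """Return the path, relative to webroot, that a request may be served
    from, or None if the request would escape the web root.

    Added example; `webroot` and the requests used below are assumptions.
    """
    # Decode percent-encoding once, so "%2e%2e/" is handled like "../".
    decoded = unquote(requested)
    # Drop leading slashes: os.path.join("/srv", "/etc") would discard "/srv".
    relative = decoded.lstrip("/\\")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath works on whole path components, so "/srv/www/html" is not
    # confused with "/srv/www/html2" the way a plain startswith() check is.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    WEBROOT = "/srv/www/html"  # assumed location of the document root
    # Constructed sample requests; the last three try to leave the web root.
    for req in ("/index.html", "/css/../index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/../html2/secret.txt"):
        print(f"{req!r:32} -> {resolve_under_webroot(WEBROOT, req)!r}")
```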

                                      • Injection Flaws

                                        SQL Injection:

                                        User login screens, URLs and search boxes are points of interest to an attacker, since they are dynamic inputs from which the web application's database queries are constructed. If an attacker succeeds in making the application construct a malicious query and getting it executed by the back-end database, that is SQL injection. The attacker may modify or delete data, or even mount a DoS attack against the database.

                                        SQL injection attack

                                        Source: http://computersecuritypgp.blogspot.com/2016/01/what-is-sql-injection-attack.html

                                        Command Injection:

                                        If operating system commands can be injected through a user input field, an attacker can run malicious commands on the web server to obtain sensitive information.

                                        LDAP injection:

                                        Lightweight Directory Access Protocol is a protocol for querying directory services (such as Active Directory) over IP, where the information is arranged hierarchically by attributes. LDAP injection works like SQL injection: the attacker enters arbitrary data to craft malicious queries for the LDAP server to execute.

                                        LDAP injection attack

                                        Source: http://computersecuritypgp.blogspot.com/2016/01/what-is-ldap-injection-attack.html

                                      • Cross Site Scripting

                                        XSS enables attackers to inject client-side scripts into web pages by exploiting vulnerabilities in dynamically generated pages. An attacker can inject malicious scripts (commonly referred to as a malicious payload) into a legitimate website or web application and cause various kinds of damage, including data theft, session hijacking, redirecting the page to another website, and so on.

                                        Reflected XSS:

                                        Here the attacker supplies a script as input (typically in a crafted link), and the application reflects that content back to the victim in its response. The script can be crafted to steal session cookies, redirect to a malicious web page, inject data, execute system commands and much more.

                                        Reflected XSS

                                        Source: https://itechhacks.com/xss-full-guide-tutorials/

                                        Stored XSS:

                                        Here the input entered by the attacker is stored in the database, e.g. as a blog post or comment. The script runs for anyone who visits the page, thus affecting every visitor.

                                        Stored XSS

                                        Source: https://itechhacks.com/xss-full-guide-tutorials/
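Both XSS variants come down to untrusted input being written into a page without output encoding, the countermeasure listed later in this section. The following is an added example (not from the original page) showing a reflected search page in its vulnerable and encoded forms, plus the extra scheme check an href needs; the `SAFE_SCHEMES` policy and sample inputs are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

# Schemes a user-supplied link is allowed to use (assumed policy).
SAFE_SCHEMES = {"http", "https"}


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the parameter is copied straight into the page, so
    markup or a <script> tag in the query becomes live HTML for the victim."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query: str) -> str:
    """HTML-body context: encode &, <, >, " and ' so the browser shows the
    query as text instead of parsing it."""
    return "<p>Results for: " + escape(query) + "</p>"


def render_link_safe(text: str, url: str) -> str:
    """href context: attribute encoding alone is not enough, because a
    javascript: URL contains no HTML metacharacters. Check the scheme too."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        url = "#"  # neutralise anything that is not a plain http(s) link
    return '<a href="' + escape(url, quote=True) + '">' + escape(text) + "</a>"


def is_reflected_unencoded(page: str, query: str) -> bool:
    """Check a test suite can run against a response: does the raw query
    appear verbatim even though it contains HTML metacharacters?"""
    return any(ch in query for ch in "<>\"'&") and query in page


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print(render_search_vulnerable(probe))
    print(render_search_safe(probe))
    print(render_link_safe("home", "https://example.com/?a=1&b=2"))
    print(render_link_safe("x", "javascript:alert(1)"))
```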

                                        Denial of Service attack:

                                        An attacker, with or without the help of bots, can flood the target system and reduce, restrict or prevent its ability to serve authorised clients.

                                      • Web Services Attacks

                                        Vulnerabilities in web service protocols such as SOAP, WSDL and UDDI can be exploited for various attacks, such as SQL injection, XML poisoning, etc.

                                        File Uploads:

                                        This attack occurs when a user can upload files of any extension even though the upload is intended only for a few. Because the type of the uploaded file is not properly validated, an attacker is able to upload malicious files.

                                        DNS Hijacking/Poisoning:

                                        If an attacker is able to gain access to the DNS files, he can modify the DNS records so that victims requesting a legitimate web page are redirected to a malicious one. A DNS server resolves domain names to IP addresses; when DNS poisoning changes the IP recorded for a domain to some other IP, the attacker can trick victims into browsing the pages he intends them to see instead of the original ones.

                                        Poisoning can be done at the cache or at the DNS server, or an attacker can modify the IP on the fly by intercepting the traffic.

                                        DNS Cache Poisoning
                                        Image Source: https://commons.wikimedia.org/wiki/File:Dns-cache-poisoning.png

                                        DNS Spoofing
                                        Image Source: https://www.keycdn.com/support/dns-spoofing/

                                      • Hacking Methodology

                                        Web footprinting:

                                        Gathering information related to the web application like-

                                        • Whois information

                                        • Netcraft information

                                        • Firewall information

                                        • Ports and services running

                                        • Server and OS discovery

                                        • Hidden contents

                                        Vulnerability scanners:

                                        Scanners like Nikto, Nessus, URLscan, Acunetix can be used to find out vulnerabilities in a web application.

                                        Identify Entry Points and Attack surface:

                                        The next step is to identify the entry points, such as login screens, URLs and cookies, and the output points, such as display screens, reports, etc. We need to find vulnerabilities that let us bypass the access controls and break into the application. Each of the attacks discussed above should be tested for.

                                        Countermeasures:

                                        • Always validate the input fields.

                                        • Limit the entry in the input fields.

                                        • Check for arbitrary inputs like scripts, SQL injection codes, etc.

                                        • Use a Web application firewall.

                                        • Run database accounts with minimal access rights.

                                        • Use input/output encoding.

                                        • Use prepared statements and parameterised SQL queries to avoid SQL injection.

                                        • Configure the firewall with strict rules.

                                        • Use secure protocols.

                                        • Encrypt cookies.

                                        • Use random numbers for cookies and proper session expiry.

                                        • _________________________________________________SQL INJECTION

                                        • SQL injection is an attack in which the attacker makes use of unvalidated user input to enter arbitrary data or SQL commands; malicious queries are constructed and, when executed by the backend database, produce unwanted results. The attacker needs knowledge of the backend database and uses different strings to construct malicious queries to post to the target.

                                          For example, on a user login screen the username and password are the dynamic fields where users enter data. Dynamic queries are constructed from the user's input; the usual query will be

                                          user id password query

                                          Select * from users where username='Username.txt' and password='Password.txt'

                                          If the input fields are not sanitised properly, a malicious user can enter data like this:

                                          Username = blah' or 1=1--

                                          Password = password

                                          Here both username and password are incorrect. But the query that is constructed will be

                                          Select * from users where username='blah' or 1=1-- and password='password'

                                          The query will run and the user will be granted access. This is because the first part of the query is

                                          Select * from users where username='blah' or 1=1--

                                          Because -- starts a comment in SQL, everything following it is ignored. The query only evaluates username='blah' or 1=1.

                                          Because 1=1 is always true, the user will be granted access.
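The login bypass above, run against a real (in-memory SQLite) database, side by side with the parameterised query the countermeasures recommend. This is an added example, not code from the original page; the users table, the sample account and the use of SQLite as the backend are assumptions (SQLite, like the page's database, treats `--` as a comment).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The page's login query built by string concatenation: whatever the
    user typed becomes part of the SQL text, quotes and comments included."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised (prepared) query: the driver binds the values apart from
    the SQL text, so a quote or "--" in the input is just data."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1--"  # the username input from the text above
    print(build_vulnerable_query(payload, "password"))
    print("vulnerable login:", login_vulnerable(db, payload, "password"))  # True
    print("safe login:     ", login_safe(db, payload, "password"))        # False
    print("real user, safe:", login_safe(db, "alice", "s3cret"))          # True
```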

                                        • Types of SQL Injection

                                          SQL Injection types

                                          Error based Injection:

                                          The attacker sends malicious queries to the database that cause errors. Error messages should be kept very generic, otherwise they may give useful hints to the attacker.

                                          Comment-Line: using a comment marker to make the database ignore part of a valid query.

                                          E.g. Select * from stores where product_id = blah' or 1=1-- (everything after this will be ignored)

                                          Tautology: many expressions always evaluate to true, such as '1'='1' or 'a'='a'; using them in the query creates permanently true conditions.

                                          E.g. Select * from users where username='blah' or 'a'='a' -- and password='pass'

                                          Union Based SQL injection:

                                          Using the UNION operator in a SQL query to execute additional queries, thereby modifying, inserting, deleting or dropping the contents of the table.

                                          E.g. Select * from stores where product_id=1 union select 1,database(),user(),4#

                                          Stored procedures: crafting inputs that cause a stored procedure to execute malicious queries.

                                          Incorrect queries: deliberately submitting logically incorrect queries and reading the resulting error messages to learn more about the target database.

                                          Select * from stores where id=1'

                                          The above query results in a syntax error and might reveal the backend database type.

                                          Blind SQL injection:

                                          This is a type of SQL injection where the application returns neither error messages nor query output, so there is no direct clue as to whether it is vulnerable; the result has to be inferred from the application's behaviour.

                                          Types:

                                          Boolean: only queries whose condition is true show a result; false ones return nothing. The attacker therefore tries to generate logically correct queries.

                                          boolean type

                                          Suppose the original query to the database is

                                          Select * from users where id='id.txt'

                                          If we give blah' or 1=1# as input, the condition is true:

                                          Select * from users where id='blah' or 1=1#, and we see the user results.

                                          If we give blah' or 1=2# as input, the condition is false and we see no results:

                                          Select * from users where id='blah' or 1=2#

                                          Time delay: making the query pause for a set time when some condition holds. If the delay is observed, the condition was satisfied, so the input produced a positive result. This is a time-consuming process.

                                          Tools:

                                          SQLMAP, Marathon tool.

                                          Perimeter tools (IDS) Evasion Techniques:

                                          • Use encryption.

                                          • Obfuscate string to avoid pattern matching.

                                          • Use Concatenation to confuse the IDS.

                                          • Use encoding like ASCII encoding, hexadecimal encoding to avoid detection.

                                          • Insert inline comments between query.

                                          • _________________________________________________HACKING WIRELESS NETWORKS

                                          • Wireless networks come with excellent advantages: connectivity beyond walls, freedom from cables, easy internet access even in areas where laying cables is difficult, speed and sharing. But wireless networks have a few disadvantages, the major one being their questionable security.

                                            Important Terms:

                                            Access Point: The point where the mobile device, computers connect to the wireless network.

                                            SSID: Service Set Identifier identifies the access point, it is a human-readable text which when broadcasted leads to the identification of an access point.

                                            BSSID: MAC address of the access point.

                                            Bandwidth: Amount of information that can be transferred over the connection.

                                            There are various standards for wireless transmission:

                                            wireless standards
                                            Source: http://www.computer-networking-success.com/wireless-networking-basics.html#sthash.tihe8vJl.dpbs

                                            Authentication:

                                            Open Authentication:

                                            open authentication
                                            Source: https://www.tutorialspoint.com/wireless_security/wireless_security_wifi_authentication_modes.htm

                                            When a client wants to connect to an open access point he/she sends a probe request, and the AP sends a probe response; the client then sends an authentication request. Upon receiving a response, the client establishes an association with the AP.

                                            Shared Key Authentication Process:

                                            Here the client sends a probe request and the access point sends a probe response; the client then sends an authentication request, and the AP replies with an authentication challenge. The client must answer the challenge using the shared key. The AP then verifies and authenticates the client, who establishes a connection with the access point.

                                            shared key authentication
                                            Image Source: http://documentation.netgear.com/wpn802/enu/202-10101-01/WPN802-09-09.html

                                            Centralised Authentication:

                                            In the corporate environment, instead of an Access point verifying client’s authentication details, a centralised server does the job of verifying the client. RADIUS is a centralised authentication server which verifies clients who want to connect with the access point.

                                            centralised authentication
                                            Image Source: https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SecurityAuthenticationTypes.html

                                          • Encryption Types

                                            WEP: Wired Equivalent Privacy

                                            This is a simple encryption scheme that used a 40-bit key with a 24-bit initialisation vector (IV) and the RC4 algorithm for encryption, with CRC-32 as the integrity check. Because the IV was so small, IVs were likely to be reused, and this weakness allowed the scheme to be broken easily.
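Why a 24-bit IV is fatal with a stream cipher, worked through in code: two frames encrypted under the same IV share an RC4 keystream, so XORing the ciphertexts cancels the keystream and exposes the XOR of the plaintexts, and the birthday bound says that happens after only a few thousand frames. This is an added example (not code from the original page); the WEP key, IV and frame contents are constructed values, and the CRC-32 ICV is left out.

```python
from typing import Optional

IV_BITS = 24              # WEP's initialisation vector length
IV_SPACE = 1 << IV_BITS   # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling followed by the output generator)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: the 3-byte IV in clear, then the payload
    XORed with RC4(IV || secret). The CRC-32 ICV is omitted for brevity."""
    assert len(iv) == 3 and len(secret) == 5, "40-bit WEP: 3-byte IV, 5-byte key"
    return iv + xor_bytes(payload, rc4_keystream(iv + secret, len(payload)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What IV reuse gives away without the key: for two frames under the
    same IV, c1 XOR c2 == p1 XOR p2, because the identical keystream
    cancels out. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability that at least two of `frames` randomly
    chosen 24-bit IVs are equal."""
    p_all_distinct = 1.0
    for k in range(frames):
        p_all_distinct *= 1 - k / IV_SPACE
    return 1 - p_all_distinct


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"            # the same IV used for two frames
    p1, p2 = b"ARP request 001", b"DHCP offer 0002"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    assert keystream_reuse_leak(f1, f2) == xor_bytes(p1, p2)
    print("p1 XOR p2 recovered without the key:", keystream_reuse_leak(f1, f2).hex())
    for n in (1000, 4823, 20000):
        print(f"{n:6d} frames: P(IV reuse) = {iv_collision_probability(n):.3f}")
```

With random IVs the chance of a repeat passes 50% at roughly 4,800 frames; a busy access point sends that many in minutes.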

                                            WPA: Wi-Fi Protected Access

                                            This scheme uses a 48-bit IV and is based on the 802.11i standard. RC4 is used with 128-bit temporal keys and a 64-bit MIC, which makes the encryption stronger than WEP. The 128-bit temporal key, mixed with the 48-bit IV and the sender's MAC address, produces the key stream used to encrypt the data with RC4. Temporal keys are changed every 10,000 packets.

                                            WPA2: Wi-fi Protected Access with EAP

                                            This is for enterprise use with strong data protection and network access control. Instead of RC4, AES (Advanced Encryption Standard) is used for encryption with temporal keys; the key size is 128 bits. It makes use of a centralised RADIUS server for authentication.

                                          • Wi-Fi Attacks

                                            Major Wi-fi attacks are done by setting up a rogue Access Point.

                                            Evil Twin attack:

                                            Here the attacker sets up a fake access point with a similar name to that of a corporate AP near the company premises. When an employee unknowingly connects to this access point thinking that to be the genuine AP of the company, he/she gives away the authentication details of the original access point. The attacker, thus, is able to compromise the connection.

                                            Evil Twin Attack
                                            Image Source: http://syworks.blogspot.in/2014_04_01_archive.html

                                            Jamming Signals:

                                            An attacker can disrupt the network connection by jamming the signal (also called creating noise); there are working tools for this purpose.

                                            Misconfiguration Attacks:

                                            If a router is set up using the default configuration, weak credentials, weak encryption algorithms, then the attacker can easily break into the network.

                                            Honey spot Attack:

                                            An attacker can set up fake access points/hotspots with the same SSID as a public Wi-Fi AP and so set traps for the users who connect to them.

                                            Unauthorised/Ad-Hoc connection attacks:

                                            An attacker can enable an ad-hoc connection on a user's system using a Trojan or malware, or exploit an ad-hoc connection an employee is already using to share internet access with peers. The attacker can compromise a connection operating in ad-hoc mode since this mode does not provide strong encryption.

                                            Methodology:

                                            An attacker first has to find the wireless devices, through methods like war-walking, war-chalking and war-driving. Tools like NetStumbler and Kismet find wireless access points and capture their traffic.

                                            Once the traffic of a connection is captured, it is analysed with protocol analysers to identify the authentication method used, the SSID, the connected devices and how the connection might be compromised.

                                            Depending on the encryption protocol in use, different tools and methods are needed to break in and gain unauthorised access to the network.

                                            Countermeasures:

                                            • Always use WPA/WPA2 encryption.

                                            • Do not share your credentials.

                                            • Do not open untrusted emails.

                                            • Use IDS/Firewalls to filter the connections.

                                            • Change the default configurations.

                                            • Enable MAC-address filtering.

                                            • Use centralised server for authentication.

                                            • Do not connect to untrusted/public wifi hotspots.

                                            • _________________________________________________HACKING MOBILE DEVICES

                                            • Mobile devices have become an inseparable part of life today. Attackers are easily able to compromise mobile devices because of various vulnerabilities; the majority of attacks come through untrusted apps. SMS is another way attackers gain access to mobile devices, by sending phishing or spam messages to users. The main operating systems in use are:

                                              • Android

                                              • iOS

                                              • Windows

                                              • Blackberry

                                              • Android:

                                                Android holds the major share of the world's mobile market because of its user friendliness. Android is built on a Linux kernel and uses the Dalvik virtual machine, which runs Java applications after converting them to .dex files for better speed and performance. Native libraries and modules are used for the various functions of Android. Applications communicate with one another through messages called intents.

                                                Android
                                                Image Source: https://bharatandroidapplicationdevelopment.wordpress.com/android-architecture/

                                              • Types of Android Attacks

                                                Untrusted APK’s:

                                                Attackers lure users to download applications from untrusted sources. These APK’s may contain malicious software inside them, giving the attacker remote access to the mobile device when the APK is installed by the user.

                                                SMS:

                                                The user may receive a suspicious SMS promising a big bounty. When the user clicks the link in the message, they may be redirected to a malicious website, give away sensitive information, or suffer financial loss.

                                                Email:

                                                Phishing emails may redirect the users to malicious websites compromising the user’s details. SPAM emails may steal information from the users.

                                                Spying:

                                                Some applications may spy on the mobile users and report to the remote attackers.

                                                App sandboxing issues:

                                                Sandboxing is the process of testing an App in a limited resource environment against various threats and attacks. If sandboxing has issues, it means that malicious applications can bypass this mechanism.

                                                Rooting:

                                                Rooting is done for increasing speed and performance of an android device. This is not a recommended solution by the android authorities. When a phone is rooted, it loses its warranty and may open the door for various malware and allows the attacker to take control of the device remotely.

                                                Countermeasures:

                                                • Do not root your phone.

                                                • Do not download applications from untrusted third party sources.

                                                • Do not click on suspicious emails.

                                                • Do not open suspicious SMS.

                                                • Use strong passwords/patterns.

                                                • Use Device administration API to set up password policy, remote wipe, etc.

                                                • Do not store passwords on phone.

                                                • Update the operating system regularly.

                                                • Use strong anti-virus.

                                                • iOS

                                                  iOS uses proprietary software. Attacks on these phones are more limited since the system is not open source.

                                                  iOS
                                                  Image Source: https://intellipaat.com/tutorial/ios-tutorial/ios-architecture/

                                                  Types of iOS Attacks:

                                                  Jailbreaking:

                                                  Jailbreaking may put the device at risk. It is done to gain administrative privileges and to install third-party application extensions, etc. However, the device may lose its warranty, get infected with malware, suffer a drop in performance, and so on. There are three kinds of jailbreak:

                                                  Tethered:

                                                  With a tethered jailbreak the kernel patch does not survive a reboot; after a restart the device may be left only partially functional and has to be re-jailbroken using the same computer.

                                                  Semi-tethered:

                                                  When the device is turned off and on it is no longer jailbroken, but it can still be used for its normal functions.

                                                  Untethered:

                                                  Once jailbroken, the device stays jailbroken: the kernel is patched again completely after every reboot.

                                                  Countermeasures:

                                                  • Do not jailbreak the device.

                                                  • Apply strong encryption.

                                                  • Always connect to safe networks.

                                                  • Follow common security guidelines.

                                                  • Do not open links/attachments from unknown sources.

                                                  • Mobile Device Management

                                                    In the era of BYOD (Bring Your Own Device) policy where employees are allowed to use their personal devices on the corporate network, there are a lot of advantages as well as disadvantages.

                                                    Advantages:

                                                    • Corporates can reduce their infrastructure costs.

                                                    • It can increase the efficiency of work.

                                                    Disadvantages:

                                                    • The personal data getting mixed with corporate data.

                                                    • If compromised devices are connected to corporate networks, that may compromise the corporate networks too.

                                                    • Corporates cannot monitor all the downloads the employees are making.

                                                    • Data leakage

                                                    • The problem of stolen devices.

                                                    • Disgruntled employees can cause greater damage.

                                                    • There is always the risk of information theft, fraud, espionage, etc.

                                                    MDM software is management software that monitors BYOD devices. It carries many security policies the devices must agree to, and it monitors and reports any kind of malicious activity from BYOD devices on the corporate network. It also helps administrators deploy and maintain applications on all devices, and enforce policies for business continuity, security, over-the-air configuration, software distribution, etc.

                                                    An administrator has to:

                                                    • Come up with strong security policies.

                                                    • Use complex password policies.

                                                    • Install Updates to Antivirus software.

                                                    • Publish enterprise policy for the cloud.

                                                    • Specify session timeout through the gateway.

                                                    • _________________________________________________EVADING FIREWALLS, IDS AND HONEY POTS

                                                    • Firewall

                                                      A firewall is the wall of separation between the insecure internet and the secure internal network. It monitors incoming and outgoing connections against rules and patterns, and filters the connections passing through it.

                                                      Types of firewall:

                                                      Packet Filtering Firewall:

                                                      This type of firewall inspects the packet headers at the IP/TCP level, looking at the source address, destination address, source port, destination port and the protocol used. Depending on these details, it allows or disallows packets according to the rules written.

                                                      Any Any Any 80 Allow: this rule tells the firewall to allow any packet from any source, going to any destination, on port 80.

                                                      Circuit level Firewall:

                                                      They operate at the session layer and filter at the connections. Even before the packets are transmitted they look for trusted connections and filter based on those trusted connections.

                                                      Application Firewalls:

                                                      Otherwise called as Proxy firewall; they act at the application layer, filtering the application level packets. At the proxy, different rules can be given to filter the data. The web servers which are usually accessed by the internet users are placed outside the internal network as proxy servers and all connections can be directed to the proxy; thus, protecting the internal network from outside connections.

                                                      application firewall

                                                      Stateful Firewall:

                                                      This is the combination of all three firewalls. It operates at the Network Layer, filtering transport level packets, session level connections and application data as well. This has a state table which maintains the status of various connections and a rules table. It also keeps track of sequence numbers to protect against related attacks.

                                                      stateful firewall
                                                      Image Source: http://www.linuxjournal.com/article/7296
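The packet-filter rule above and the stateful model beside it, as an added example that is not code from the original page: a rule engine that parses the page's "Any Any Any 80 Allow" syntax, and a stateful variant that keeps a connection table. The Packet and Rule classes, the addresses, the "first match wins, default deny" ordering and the traffic are all constructed for this illustration.

```python
from dataclasses import dataclass


# Constructed packet record: the header fields a packet filter inspects,
# plus the TCP flags a stateful firewall needs.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    src: str            # "any" or an address
    dst: str
    sport: object       # "any" or a port number
    dport: object
    action: str         # "allow" or "deny"
    proto: str = "any"  # "any", "tcp" or "udp"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in ("any", p.sport) and self.dport in ("any", p.dport)
                and self.proto in ("any", p.proto))


def parse_rule(text: str, proto: str = "any") -> Rule:
    """Parse the page's rule form '<src> <dst> <sport> <dport> <action>'."""
    src, dst, sport, dport, action = text.split()

    def port(v):
        return "any" if v.lower() == "any" else int(v)

    return Rule(src.lower(), dst.lower(), port(sport), port(dport), action.lower(), proto)


class PacketFilter:
    """Stateless filter: rules are checked in order, first match wins, default deny
    (the ordering policy is this example's choice, not something the page specifies)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Adds a state table. A flow enters the table when a TCP SYN is allowed by the
    rules; later packets of that flow, in either direction, are allowed from the table,
    and TCP packets that belong to no tracked flow and are not connection openers are
    dropped even if a rule would have allowed them."""

    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()   # 5-tuples of tracked flows

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        reverse = (p.dst, p.src, p.dport, p.sport, p.proto)
        if key in self.state or reverse in self.state:
            return "allow"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"                      # untracked and not a SYN
        action = super().decide(p)
        if action == "allow":
            self.state.add(key)
        return action


def demo():
    rules = [parse_rule("Any Any Any 80 Allow"), parse_rule("Any Any Any 443 Allow")]
    stateless, stateful = PacketFilter(rules), StatefulFirewall(rules)
    # Constructed traffic: an inside client opens a web connection, the server replies,
    # and an outside host sends a bare ACK to port 80 that belongs to no connection.
    client_syn = Packet("10.0.0.5", "203.0.113.9", 51000, 80, "tcp", syn=True)
    server_reply = Packet("203.0.113.9", "10.0.0.5", 80, 51000, "tcp", ack=True)
    stray_ack = Packet("198.51.100.7", "10.0.0.5", 4444, 80, "tcp", ack=True)
    return {
        "stateless_syn": stateless.decide(client_syn),      # allow: dport 80
        "stateless_reply": stateless.decide(server_reply),  # deny: no rule for dport 51000
        "stateless_stray": stateless.decide(stray_ack),     # allow: the rule only sees dport 80
        "stateful_syn": stateful.decide(client_syn),        # allow, and the flow is recorded
        "stateful_reply": stateful.decide(server_reply),    # allow: reverse side of a tracked flow
        "stateful_stray": stateful.decide(stray_ack),       # deny: untracked and not a SYN
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The stateless filter has to choose between blocking the server's legitimate reply (as here, since nothing allows destination port 51000) and adding a blanket "allow established" rule keyed on the ACK flag, which the stray ACK would then pass. The state table resolves that: return traffic is allowed because a SYN was seen, and the stray ACK is dropped because none was.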

                                                      Evading Firewall:

                                                      • Using Fragmented Packets.

                                                      • Using Firewalking to scan beyond the firewall for open ports.

                                                      • Using Source routing, avoiding the route of Firewall.

                                                      • HTTP-tunnelling and ICMP-tunnelling.

IDS: Intrusion Detection System

IDSs are security systems that monitor traffic and alert or notify the administrator about traffic of concern. They do not prevent the attack; they only alert the administrator.

Types:

Network-Based IDS:

IDS sensors can be installed at the perimeter of the network, on the LAN, on subnets, in front of important servers, etc. The deployment can be centralised, where agents are installed at all major entry points and send their logs/reports to a central manager that makes the decisions, or distributed, where each agent has some decision-making capability and the central manager takes only the complex decisions.

[Image: network based IDS]

Host-based IDS:

A host-based IDS runs on the individual host; installing and maintaining it on every host machine is a tedious process.

[Image: host based IDS]
Image Source: https://www.hackthis.co.uk/articles/basics-of-intrusion-detection-systems

Ways of Detecting Attacks

Signature-based:

A database of known attack patterns (signatures) is matched against incoming packets. When a match is found, the IDS alerts the administrator.

Behaviour Based:

The current traffic pattern is compared against a baseline recorded during normal operation; the administrator is notified of any significant deviation.

Protocol anomaly based:

If a protocol at the entry point deviates from the way it is specified to work, the administrators are notified.
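The three detection methods just listed, as an added example that is not code from the original page: a small analyser that runs signature matching, a behaviour baseline and an HTTP protocol check over constructed event records. The signature database, the window size, the "mean plus three standard deviations" threshold and all addresses and payloads are assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Signature database: two well-known request patterns (constructed for this example).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ")
WINDOW = 10  # seconds per traffic-rate window


def signature_alerts(events):
    """Signature-based: every event payload is matched against the pattern database."""
    return [("signature", e["src"], name)
            for e in events for name, pat in SIGNATURES.items() if pat.search(e["payload"])]


def build_baseline(training_events, window=WINDOW):
    """Behaviour-based, step 1: packets per source per window during known-good traffic."""
    counts = Counter((e["src"], e["ts"] // window) for e in training_events)
    rates = list(counts.values())
    return statistics.mean(rates), statistics.pstdev(rates)


def behaviour_alerts(events, baseline, window=WINDOW, k=3.0):
    """Behaviour-based, step 2: a source exceeding mean + k*sd packets per window is
    flagged. The sd is floored at 1 so a perfectly flat baseline still leaves headroom."""
    mean, sd = baseline
    threshold = mean + k * max(sd, 1.0)
    counts = Counter((e["src"], e["ts"] // window) for e in events)
    return [("behaviour", src, f"{n} packets in window {slot}, threshold {threshold:.1f}")
            for (src, slot), n in counts.items() if n > threshold]


def protocol_alerts(events):
    """Protocol-anomaly: traffic to tcp/80 that does not start like an HTTP request."""
    return [("protocol", e["src"], "non-HTTP payload on tcp/80")
            for e in events if e["dport"] == 80 and not e["payload"].startswith(HTTP_METHODS)]


def event(ts, src, dport, payload):
    return {"ts": ts, "src": src, "dport": dport, "payload": payload}


def run_demo():
    # Constructed training traffic: two sources, two or three requests per window.
    training = ([event(t, "10.0.0.5", 80, "GET / HTTP/1.1") for t in (1, 4, 7, 12, 16)]
                + [event(t, "10.0.0.6", 80, "GET /index HTTP/1.1") for t in (2, 8, 11, 14, 19)])
    # Constructed live traffic: one normal request, one traversal attempt, one SSH banner
    # aimed at the web port, and a burst of 40 requests from a single source.
    live = ([event(100, "10.0.0.5", 80, "GET /about HTTP/1.1"),
             event(101, "198.51.100.7", 80, "GET /../../etc/passwd HTTP/1.1"),
             event(102, "198.51.100.8", 80, "SSH-2.0-OpenSSH_8.9")]
            + [event(103, "203.0.113.1", 80, "GET / HTTP/1.1") for _ in range(40)])
    baseline = build_baseline(training)
    return {"baseline": baseline,
            "signature": signature_alerts(live),
            "behaviour": behaviour_alerts(live, baseline),
            "protocol": protocol_alerts(live)}


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        print(kind, alerts)
```

Each method catches something the others miss: the burst carries no known pattern and is valid HTTP, so only the behaviour check sees it; the SSH banner is neither a signature nor a rate anomaly, so only the protocol check sees it. That complementarity is why production sensors combine all three.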

Evasion Techniques:

Insertion Attacks:

The attacker sends packets that the IDS accepts but the target rejects, so the IDS sees more packets than the internal network or target; the extra data breaks up the attack pattern and the IDS misses it.

[Image: insertion attacks]
Image Source: http://insecure.org/stf/secnet_ids/secnet_ids.html

Evasion Attacks:

The reverse: the IDS drops packets that the target accepts, so it sees fewer packets than the target and cannot recognise the attack pattern, while the packets that reach the target form the complete attack.

[Image: evasion attacks]
Image Source: http://insecure.org/stf/secnet_ids/secnet_ids.html

Encryption: Encrypted traffic cannot be inspected by the IDS.

Encoding: Using various encodings such as ASCII encoding, hexadecimal encoding, etc., so that the payload no longer matches the stored signature.

Using obfuscated code.

Taking advantage of the IDS's reassembly timeouts: sending a large number of fragmented packets to the IDS can cause a DoS-like condition on the IDS, after which traffic bypasses it.
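The insertion, evasion and reassembly-timeout problems above come down to one defensive rule: match signatures on the reassembled stream, using the same reassembly policy as the protected host, and treat a stream that times out as an event in its own right rather than silently dropping it. The following is an added example, not code from the page: a minimal sequence-number reassembler whose flow tuples, segments, timeout and SIGNATURE constant are constructed for the illustration.

```python
SIGNATURE = b"../../etc/passwd"   # constructed pattern used by both matchers below
REASSEMBLY_TIMEOUT = 5.0          # seconds an incomplete stream may idle before being flushed


def per_segment_match(segments):
    """Naive matcher: inspects each segment payload on its own, so a pattern that
    straddles two segments is never seen in one piece."""
    return any(SIGNATURE in data for _seq, data in segments)


class StreamReassembler:
    """Orders segments by sequence number and exposes the contiguous byte stream."""

    def __init__(self, timeout=REASSEMBLY_TIMEOUT):
        self.timeout = timeout
        # flow -> {"next": expected seq, "buf": contiguous data, "pending": {seq: data}, "last": time}
        self.streams = {}

    def start(self, flow, initial_seq, now):
        """Called when the connection opens (the SYN tells a real IDS the initial seq)."""
        self.streams[flow] = {"next": initial_seq, "buf": bytearray(), "pending": {}, "last": now}

    def feed(self, flow, seq, data, now):
        """Accept one segment; return the contiguous data reassembled so far."""
        st = self.streams[flow]
        st["last"] = now
        # A retransmission of an already-queued segment keeps the first copy. Real
        # overlap handling must mirror the protected host's TCP stack, otherwise the
        # IDS and the host can disagree about the stream contents (the insertion attack).
        st["pending"].setdefault(seq, data)
        while st["next"] in st["pending"]:
            chunk = st["pending"].pop(st["next"])
            st["buf"] += chunk
            st["next"] += len(chunk)
        return bytes(st["buf"])

    def close(self, flow):
        self.streams.pop(flow, None)

    def expire(self, now):
        """Flush idle streams and report whether unassembled data was left behind, so a
        timeout becomes an alert instead of a silent bypass."""
        expired = []
        for flow, st in list(self.streams.items()):
            if now - st["last"] > self.timeout:
                expired.append((flow, bytes(st["buf"]), bool(st["pending"])))
                del self.streams[flow]
        return expired


def demo():
    flow = ("198.51.100.7", 40001, "10.0.0.10", 80)
    # Constructed request split so the signature straddles the two segments, arriving out of order.
    segments = [(0, b"GET /../../etc/"), (15, b"passwd HTTP/1.1\r\n\r\n")]
    naive_hit = per_segment_match(segments)

    ids = StreamReassembler()
    ids.start(flow, initial_seq=0, now=0.0)
    stream = b""
    for i, (seq, data) in enumerate(reversed(segments)):
        stream = ids.feed(flow, seq, data, now=0.1 * i)
    reassembled_hit = SIGNATURE in stream
    ids.close(flow)

    # A second stream whose first bytes never arrive: flushed and reported after the timeout.
    gappy = ("203.0.113.1", 5555, "10.0.0.10", 80)
    ids.start(gappy, initial_seq=0, now=1.0)
    ids.feed(gappy, 100, b"tail-only", now=1.0)
    expired = ids.expire(now=10.0)

    return {"naive_hit": naive_hit, "reassembled_hit": reassembled_hit,
            "expired": [(f, incomplete) for f, _buf, incomplete in expired]}


if __name__ == "__main__":
    print(demo())
```

The per-segment matcher returns False on the split request while the reassembled stream matches; the gappy stream is surfaced with an "incomplete" flag when it expires, which is the signal to count reassembly pressure as a possible attack on the sensor itself rather than just freeing memory.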

Honeypot:

A honeypot is a trap set up to research and understand the attacker's behaviour on the network. It can be designed as a high-interaction honeypot, which lets the attacker completely compromise its services so that the attack pattern and methods can be studied, or as a low-interaction one, where only limited services are exposed for the attacker to compromise. The basic purpose is to study attack patterns and update the signature database with new signatures and patterns.
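A low-interaction honeypot of the kind described above, as an added example that is not code from the original page: a listener that presents a fake mail banner, records whatever each client sends, and answers with an error. The banner text, the loopback address, port selection and the probing client are all constructed for this illustration; the service is emulated only and never executes client input.

```python
import datetime
import socket
import threading


class LowInteractionHoneypot:
    """Accepts connections on a port nothing legitimate should touch, presents a fake
    banner, records what each client sends and replies with an error. Every connection
    is suspicious by definition, which is what makes honeypot logs high-signal."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.internal ESMTP ready\r\n"):
        self.banner = banner
        self.events = []        # (utc timestamp, client address, first bytes received)
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))    # port 0 = let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)       # lets the accept loop notice the stop flag
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(1024)
                except OSError:           # client vanished or timed out; still an event
                    data = b""
                stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
                self.events.append((stamp, addr[0], data[:256]))
                try:
                    conn.sendall(b"500 command not recognised\r\n")
                except OSError:
                    pass


def probe(port, payload=b"EHLO scanner\r\n"):
    """Constructed client standing in for whoever touches the trap."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
        reply = c.recv(1024)
    return banner, reply


def demo():
    trap = LowInteractionHoneypot().start()
    try:
        banner, reply = probe(trap.port)
        probe(trap.port, b"AUTH LOGIN\r\n")
    finally:
        trap.stop()
    return {"banner": banner, "reply": reply, "events": trap.events}


if __name__ == "__main__":
    for stamp, client, data in demo()["events"]:
        print(stamp, client, data)
```

The recorded events are what feed back into the signature database the page mentions: every first command seen on the trap port is a candidate pattern, and because no legitimate client should ever connect, the false-positive rate of alerts raised from this log is close to zero.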

CRYPTOGRAPHY

Cryptography is the art of converting text into another form for secret transmission and reception. It works by converting plain text into ciphertext using an encryption algorithm at the sender's side and converting the ciphertext back into plain text at the receiver's. Cryptography is used to provide confidentiality, integrity, authenticity and non-repudiation.

Key terms:

Plain text: The message to be encrypted.

Ciphertext: The encrypted message.

Encryption: The process of converting plain text into ciphertext.

Decryption: The process of converting ciphertext into plain text.

Algorithm: The method used to encrypt/decrypt the plain text.

Key: The data used for encrypting/decrypting.

There are many cryptographic algorithms; they are generally categorised as follows:

Symmetric cryptography:

A single key is used for encryption and the same key is used for decryption. DES and AES are examples of symmetric key algorithms.

[Image: symmetric cryptography]
Image Source: http://www.jayitsecurity.com

Asymmetric cryptography/Public key cryptography:

Two keys are used: the public key is used for encryption and the private key for decryption; e.g. RSA.

[Image: asymmetric cryptography]

Block Cipher:

The input plain text is broken into fixed-size blocks and each block is encrypted/decrypted as a unit; e.g. DES, AES.

Stream cipher:

The incoming data is encrypted or decrypted byte by byte; e.g. RC4.

[Image: stream cipher]
Image Source: https://www.tutorialspoint.com/cryptography/modern_symmetric_key_encryption.htm

Digital Signatures:

Digital signatures are used to verify the genuineness of the source: the sender signs with his private key, and at the receiver's end the signature can be verified only with the public key of the sender. This lets the receiver know who sent the message.

Hash Algorithms:

Hash algorithms are used to maintain the integrity of data by computing a fixed-size value for the file and verifying it at the receiver's end.

[Image: hash algorithm]
Image Source: https://www.tutorialspoint.com/cryptography/cryptography_hash_functions.htm

At the sender's side, the hash algorithm generates a fixed-size number for a file of any size. This number, the hash value, is sent along with the ciphertext to the receiver. At the receiver's end, the ciphertext is first decrypted, and then the hash algorithm is run over the result to produce a hash value. If it matches the hash value that came with the ciphertext, the message was not corrupted. If it differs, we can understand that the message has been intercepted and modified.

There are various hash algorithms: SHA-1, SHA-256, MD5, etc.
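The integrity check described above, as an added example that is not code from the original page, using only the Python standard library. It carries the flow through for the hash algorithms the page lists and then shows the caveat a practitioner wants: an unkeyed hash that travels with the message can be recomputed by whoever modified the message, so deliberate tampering is only caught when the check is keyed (HMAC) or signed. The sample message and the "guessed-key" value are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-size hex digest of arbitrary-length input. SHA-256 is the one to use;
    MD5 and SHA-1 are accepted here only because the page lists them, and both are
    broken for collision resistance."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    # constant-time comparison avoids leaking how many leading characters matched
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can compute a valid tag."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected_hex)


def demo():
    message = b"transfer 100 to account 42"          # constructed sample message
    tampered = b"transfer 900 to account 42"
    sent_hash = digest(message)

    # Receiver recomputes the hash: a modified message no longer matches the hash it was sent with.
    modification_detected = not verify_digest(tampered, sent_hash)
    # But whoever can change the message can also replace the hash that travels with it,
    # so a plain hash only catches accidental corruption, not a deliberate attacker.
    attacker_rehash_accepted = verify_digest(tampered, digest(tampered))

    # With a shared secret the tag cannot be regenerated without the key.
    key = secrets.token_bytes(32)
    sent_tag = tag(key, message)
    genuine_accepted = verify_tag(key, message, sent_tag)
    forged_rejected = not verify_tag(key, tampered, tag(b"guessed-key", tampered))

    return {"modification_detected": modification_detected,
            "attacker_rehash_accepted": attacker_rehash_accepted,
            "genuine_accepted": genuine_accepted,
            "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print("sha256(abc) =", digest(b"abc"))
    print(demo())
```

The same reasoning is what makes the digital signature above stronger than the hash alone: signing the hash with the sender's private key ties it to a key the attacker does not have, exactly as the HMAC key does here, with the added property that the receiver needs only the public key to check it.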

PKI: Public Key Infrastructure:

PKI is the set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates, and to manage public-key encryption. It binds public keys to their respective identities, such as people or organisations. PKI is used in public environments where third-party verification is required. Three parties are involved:

• Registration authority (RA)

• Validation authority (VA)

• Certification authority (CA)

When a user needs a public key certificate, he first goes to the certification authority, which redirects him to the registration authority. The RA collects all the required information (name, personal identity information, public key, etc.), creates the certificate and passes it on to the certification authority. The CA takes a copy of the certificate and signs it with its private key, thereby vouching for the user's public key. Another copy is stored in the validation authority's database, so that at any future point in time the user's public key can be verified with the validation authority.

Every certificate issued by a CA carries an expiry date, the CA's signature (made with the CA's private key) and the user's public key. Upon expiry, or if the key is stolen, the certificate can be renewed or re-issued after the old one is revoked.

[Image: public key infrastructure]
Image Source: https://computersecuritypgp.blogspot.in/2016/05/public-key-infrastructure-and-blockchain.html

SSL: Secure Socket Layer:

Secure Socket Layer is a public key based cryptosystem used with application protocols such as HTTP to encrypt the data passing over them. SSL breaks the outgoing data into fixed-size blocks (fragments), compresses them, encrypts them and adds a MAC, and passes the resulting records to the receiving end. It has four sub-protocols:

• Handshake protocol – used to establish the connection.

• Change cipher spec protocol – signals that the handshake is over and the negotiated cipher takes effect.

• Record protocol – carries the actual data.

• Alert protocol – used for notifications and errors.

Cryptography attacks:

• Chosen plaintext attack

• Chosen ciphertext attack

• Known plaintext attack

• Meet in the Middle attack

• Rubber hose attack

• Timing Attack

CLOUD COMPUTING

Cloud computing is the on-demand delivery of IT capabilities as metered services. It is the practice of using a network of remote servers hosted on the internet to store, manage and process data, rather than a local server or a personal computer.

                                                          Advantages:

                                                          • Cost Efficient

                                                          • Distributed Storage

                                                          • Rapid elasticity

                                                          • Virtualization technology

                                                          • Backup and recovery

                                                          • Quick Deployment

                                                          • Easy access to information

                                                          • Flexibility

                                                          • Disaster recovery

                                                          • Automatic updates

                                                          • Increased Collaboration

                                                          • Environment-friendly

                                                          • Focus on innovation

                                                          • Strategic values

                                                          • Scalability

                                                          • Storage options

Types of Cloud Computing

Cloud computing is typically classified in two ways:

1. Location of the cloud

2. Type of services offered

Location of the cloud

By location, clouds are classified in the following ways:

Public cloud: The computing infrastructure is hosted by the cloud vendor at the vendor's premises and is open for public use.

Private cloud: The computing infrastructure is dedicated to a particular organization and not shared with other organizations. Private clouds are more expensive and more secure when compared to public clouds.

Hybrid cloud: A combined hosting of two or more clouds. Organizations may host critical applications on a private cloud and other applications on the public cloud. The entities remain distinct but are bound together.

Community cloud: Involves sharing of computing infrastructure between organizations of the same community.

Types of Services Offered

Based upon the services offered, clouds are classified in the following ways:

Infrastructure as a service (IaaS): Involves offering virtual machines, abstracted hardware and operating systems using the principles of cloud computing. As the name implies, only the infrastructure is purchased, while the software is owned by the user. Leading IaaS vendors include Amazon EC2, Amazon S3, Rackspace Cloud Servers and Flexiscale.

Platform as a Service (PaaS): Involves offering a development platform and configuration management on the cloud. Platforms provided by different vendors are typically not compatible. Examples include Google App Engine, Microsoft Azure, Salesforce.com and force.com.

Software as a service (SaaS): Provides a complete software offering on the cloud, which users consume on an on-demand basis, e.g. Salesforce.com, Google Docs and Microsoft's online version of Office, BPOS (Business Productivity Online Standard Suite).

Benefits, Threats and Attacks on Cloud Computing

                                                            Economical

                                                            • Infrastructure cost is greatly reduced.

                                                            • Less maintenance cost

                                                            • Less cost of ownership

                                                            • Fewer capital Expenses

                                                            Operational

                                                            • Flexibility

                                                            • Resiliency

                                                            • Efficiency

                                                            • Backup and disaster recovery

                                                            • Automatic updates

                                                            • Scalable

                                                            • Quick application deployment

                                                            Staffing

                                                            • Less Staffing required

• Less personnel training

                                                            • Sharing of resources

                                                            Security

                                                            • Automatic patch application and updates.

                                                            • Less cost on security configurations.

                                                            • Swift responses received on security breaches.

                                                            • Better disaster recovery.

• Audit and monitoring done on the provider's side.

                                                            • Better management of security systems.

                                                            Threats and attacks on cloud

                                                            • Deletion without a backup

                                                            • Data Breach

                                                            • Hardware failures

                                                            • Natural disasters

                                                            • Authentication attacks

                                                            • VM level attacks

                                                            • Malicious insiders

                                                            • Unknown risk profile

                                                            • Vulnerable co-existents

                                                            • Compliance risks

• E-discovery is difficult across borders.

• Loss of the encryption key

                                                            • Unauthorized access

                                                            • Account, Service & Traffic Hijacking

                                                            • Man-in-the-middle attacks

                                                            • Denial-of-service attacks.

                                                            • Cloud service provider may go out of business.

                                                            • Cloud service provider may decide to hold the data as a hostage if there is a dispute.

• Need to ensure that each customer's private data is stored separately from others'. If another client is the victim of an attack, it might affect the availability or integrity of the data of other companies located in the same environment.

• Data transfer across borders makes the applicable law even more complicated, leaving private information even more vulnerable.

                                                            • SQL injection attacks allow attackers to gain unauthorized access to a database.

                                                            • Cross Site Scripting (XSS)

                                                            • Cryptanalysis attacks

                                                            • Side channel attacks

                                                            • Social engineering attacks

                                                            • DNS attacks

Security in Cloud

A defence-in-depth security policy should be applied to the cloud architecture in order to secure it.

At the application level a proper SDLC should be followed, and using a web application firewall is a good option. At the information level, encryption, key management and access control lists will protect the data. At the management level, proper patch management, configuration management and monitoring have to be done. Deploying multiple defences at the various layers of the cloud provides a secure cloud.

[Image: security in cloud]
Image Source: http://dasmu.us/introduction-to-cloud-computing-architecture/introduction-to-cloud-computing-architecture-contemporary-on-architecture-for-introduction-cloud-security-from-a-15/

                                                              Other useful security improvements could be:

                                                              • Proper Load balancing.

                                                              • Configuration management

                                                              • Disaster recovery plan

                                                              • Quality of Service and service level agreements with providers.

                                                              • Implementing strong key encryption.

                                                              • Logging and auditing

                                                              • Strong authentication and Authorization.

                                                              • Strong security policies for users.

                                                              • Vulnerability and risk assessment

                                                              • Establish incident detection and response system.

