3. Proprietary & Confidential
@GoCyberSec | January, 2021
Attack Introduction
• Sniffing attack
–Protocol Analyzer
• DoS and DDoS
–Disruption of Service
• DNS Poisoning attack
–Corrupt cache with different data
Basic Networking Protocols
• Reviewing Basic Connectivity Protocols
–IPv4 and IPv6
–ICMP
• Commonly blocked at firewalls
• If ping fails, ICMP may be blocked
• ARP - Resolves MAC addresses for IPv4
• NDP - Resolves MAC addresses for IPv6 (and more)
• Routing Protocols
–RIP, IGRP, EIGRP, OSPF, BGP
Protocols and Use Cases
• Transport voice and video over network
–RTP & SRTP
• Transfer files over a network
–FTP
–TFTP
–SSH
–SSL
–TLS
–IPsec
–SFTP
–FTPS
Reviewing Application Protocols
• HTTP – Port 80
• HTTPS – Port 443
• FTP – Ports 20 and 21
• SFTP – Port 22 (uses SSH)
• FTPS – Port varies
–Sometimes uses 989 and 990
• TFTP – UDP port 69
• DNS – Port 53
• RDP- Port 3389
Reviewing Encryption Protocols
• SSH (Secure Shell) – Port 22
• SCP (Secure Copy) – Port 22 with SSH
• SSL (Secure Sockets Layer)
• TLS (Transport Layer Security)
–SSL and TLS use port 443 with HTTPS
–SSL and TLS use port 636 with LDAP
• IPsec (Internet Protocol security)
–Port 500 with VPNs
Reviewing Encryption Protocols
• Authentication Header (AH)
–Protocol ID number 1
• Encapsulating Security Payload (ESP)
–Protocol ID number 50
Protocols and Use Cases
• Email and web usage
–SMTP
–POP3 & Secure POP
–IMAP4 and Secure IMAP
–HTTP
–HTTPS
• Directory services
–LDAP – 389
• Port 636 when encrypted with SSL or TLS
• Kerberos – Port 88
Protocols and Use Cases
• Remote access
–SSH
–Netcat / Telnet
–RDP
• Time synchronization
–NTP
–SNTP
Network Address Allocation
• Private IP Addresses
Class | Private IP address | Subnet Mask | CIDR | No. of Hosts
A | 10.0.0.0 – 10.255.255.255 | 255.0.0.0 | /8 | 16,777,212
B | 172.16.0.0 – 172.16.31.255 | 255.255.0.0 | /16 | 8190
C | 192.168.0.0 – 192.168.255.255 | 255.255.255.0 | /24 | 65,534
Network Address Allocation
• IPv4 – 32 bits (192.168.1.5)
• Each node / host / computer requires
–IP Address (Always required)
–Subnet Mask (Always required – Identifies NW and host)
–Default Gateway (Address of router on your subnet)
–DNS Server (Required for name resolution to IP address)
Network Address Allocation
• IPv6 – 128 bits
–fe80:0000:0000:0000:02d4:3ff7:003f:de62
• Zero compression
–Omit leading zeroes: fe80:0:0:0:2d4:3ff7:3f:de62
–Zero compression: fe80::02d4:3ff7:003f:de62
–Both rules: fe80::2d4:3ff7:3f:de62
• IPsec built into IPv6
Understanding DNS
• Resolves names to IP addresses
• Queries to DNS server use UDP port 53
• Zone transfers between servers use TCP port 53
• DNSSEC
• DNS poisoning
Understanding and Identifying Ports
• Port used to direct traffic to correct protocol/service or application
• Server ports
• Client ports
• Ports range from 0 – 65,535
• 0 – 1,023 = Well-known ports, server-side ports
• 1,024 – 49,151 = Registered ports
• 49,152 – 65,535 = Client side ports
• Blocking ports blocks protocol traffic
Switches
• Switching Loop
–Caused when there is more than one path to a port
–STP and RSTP protect against switching loops
• Port security
–Disable unused ports
–MAC address filtering
Flood Attack / Flood Guard
• Flood attack on switch
–Overloads a switch with different MAC addresses for a single port
–Runs out of memory – operates in fail-open state
• Flood guard
–Might limit memory used for a port
–Typically sends an SNMP trap
–Might limit number of MAC addresses for a port
Access Control Lists (ACLs) Services
• List of rules to define access
• Identify what is allowed and what is not allowed
• ACLs often use an implicit deny policy
–NTFS uses a DACL to identify who is allowed access to a file or a folder
• All others blocked
• Firewalls define what traffic is allowed
–Deny any any rule blocks all other traffic
Routers
• Route traffic between networks
• Do not pass broadcasts
• Routers and ACLs
–Filter based on
• IP addresses and networks
• Ports
• Protocols
Firewall
• Host-based vs Network-based firewall
• Firewall rules
• Last rule
–deny any any
• Linux
–iptables
–ip6tables
–arptables
Firewall
• Application-based firewalls
–Software running on a system
–Filters traffic to and from system
• Network-based firewalls
–System with two or more NICs
–All traffic passes through it
–Filters traffic to and from network
Firewall
• Stateless
–Permission (deny, allow)
–Protocol (TCP, UDP, Any)
–Source (IP address or IP block)
• IP address example: 192.168.1.20/32
• IP block example: 192.168.1.0/24
–Destination (IP address or IP block)
–Port or protocol (80 for HTTP, 25 for SMTP)
–Ends with deny any any (or something similar)
Firewall
• Stateful
–Makes decisions based on context, or state, of traffic
–Can ensure TCP traffic is part of an established TCP session
• If not, traffic is blocked
Firewall Rule Example
• Allow all HTTP traffic to a web server with an IP of 192.168.1.25
• Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25
• Allow DNS queries from any source to a computer with an IP of 192.168.1.10
• Block DNS zone transfer traffic from any source to any destination
• Block all DNS traffic from any source to any destination
• Implement implicit deny
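The stateless rule fields from the earlier slide (permission, protocol, source, destination, port) applied to this slide's example rule set, as an added example that is not part of the original deck. Rules are evaluated top to bottom, first match wins, and a packet that matches nothing falls through to the implicit deny; the rule set, hosts and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    permission: str        # "allow" or "deny"
    protocol: str          # "tcp", "udp" or "any"
    source: str            # single IP (/32), IP block, or "any"
    destination: str       # single IP (/32), IP block, or "any"
    port: Optional[int]    # destination port; None matches any port

    def matches(self, proto, src, dst, port):
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return in_block(src, self.source) and in_block(dst, self.destination)

def in_block(ip, block):
    """'any' matches everything; otherwise test membership in the IP block."""
    return block == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(block, strict=False)

def evaluate(rules, proto, src, dst, port):
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, port):
            return rule.permission
    return "deny"

# Constructed rule set modelling the slide: web server 192.168.1.25, DNS server 192.168.1.10.
WEB_SERVER = "192.168.1.25/32"
DNS_SERVER = "192.168.1.10/32"
RULES = [
    Rule("allow", "tcp", "any", WEB_SERVER, 80),   # HTTP to the web server
    Rule("allow", "tcp", "any", WEB_SERVER, 443),  # HTTPS to the web server
    Rule("allow", "udp", "any", DNS_SERVER, 53),   # DNS queries (UDP 53) to the DNS server
    Rule("deny", "tcp", "any", "any", 53),         # block zone transfers (TCP 53) everywhere
    Rule("deny", "any", "any", "any", None),       # explicit deny any any
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "10.0.0.5", "192.168.1.25", 80))   # HTTP to web server
    print(evaluate(RULES, "tcp", "10.0.0.5", "192.168.1.10", 53))   # zone transfer attempt
```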
Sniffer attack
Sniffing is the process of monitoring and capturing all data packets passing through a given network. By placing a packet sniffer / protocol analyzer on a network, a malicious individual can capture and analyze network traffic.
Cache Poisoning attack
A cache is temporary storage used by a web server to improve performance. It stores responses for a specific period of time.
All ISPs have their own DNS servers.
Your home router functions as a DNS server, which caches information from your ISP’s DNS servers. Your computer has a local DNS cache, so it can quickly refer to DNS
A DNS cache can become poisoned if it contains an incorrect entry. For example, if an attacker gets control of a DNS server and changes some of the information on it, they could make google.com point to an IP address the attacker owns.
Transmission Control Protocol/Internet Protocol – TCP/IP is a suite of communication protocols used to interconnect network devices on the internet.
The Open Systems Interconnection (OSI) model is a conceptual model created by the International Organization for Standardization which enables diverse communication systems to communicate using standard protocols. In plain English, the OSI provides a standard for different computer systems to be able to communicate with each other.
Application (Layer 7): The Application layer integrates network functionality into the host operating system and enables communication between network clients and services. – HTTP, Telnet, FTP, TFTP, SNMP
Presentation (Layer 6): The Presentation layer formats, or presents, data in a compatible form for receipt by the Application layer or the destination system.
Session (Layer 5): The Session layer manages the sessions in which data are transferred
Transport (Layer 4): The Transport layer provides a transition between the upper and lower layers of the OSI model, providing:
End-to-end flow control.
Port and socket numbers.
Segmentation, sequencing, and combination.
Connection services, either reliable (connection-oriented) or unreliable (connectionless) delivery of data.
Network (Layer 3): The Network layer describes how data is routed across networks and on to the destination.
Data Link (Layer 2), including Logical Link Control (LLC): The Data Link layer defines the rules and procedures for hosts as they access the Physical layer.
Physical (Layer 1): The Physical layer of the OSI model sets standards for sending and receiving electrical signals between devices. Protocols at the Physical layer identify
The three-way handshake is how two systems, usually a client and a server, establish communication.
Step 1 (SYN): In the first step, the client wants to establish a connection with the server, so it sends a segment with SYN (Synchronize Sequence Number) set, which informs the server that the client is likely to start communication and with what sequence number it will start its segments.
Step 2 (SYN + ACK): The server responds to the client request with the SYN and ACK bits set. The acknowledgement (ACK) signifies the response to the segment it received, and the SYN signifies with what sequence number the server is likely to start its segments.
Step 3 (ACK): In the final part, the client acknowledges the response of the server, and they both establish a reliable connection with which they will start the actual data transfer.
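The three steps above, run through a small connection tracker that follows the sequence and acknowledgement numbers the way the stateful firewall described earlier does: a segment that does not fit the expected state (for example a bare ACK with no prior SYN, or a SYN-ACK whose ACK number does not match the client's ISN plus one) is blocked. This is an added example, not code from the original deck; the flag constants and initial sequence numbers are constructed, and direction of travel is ignored for simplicity.

```python
SYN, ACK = 0x02, 0x10   # TCP flag bit values (constructed constants for this simulation)

class HandshakeTracker:
    """Tracks one TCP connection's handshake state as a stateful firewall would."""

    def __init__(self):
        self.state = "CLOSED"
        self.client_isn = None
        self.server_isn = None

    def observe(self, flags, seq, ack):
        """Return 'allow' if the segment fits the expected state, else 'block'."""
        if self.state == "CLOSED" and flags == SYN:
            self.client_isn = seq                      # Step 1: remember the client's ISN
            self.state = "SYN_SENT"
            return "allow"
        if self.state == "SYN_SENT" and flags == SYN | ACK and ack == self.client_isn + 1:
            self.server_isn = seq                      # Step 2: server's ISN, ack must be ISN_c + 1
            self.state = "SYN_RECEIVED"
            return "allow"
        if (self.state == "SYN_RECEIVED" and flags == ACK
                and seq == self.client_isn + 1 and ack == self.server_isn + 1):
            self.state = "ESTABLISHED"                 # Step 3: both sides acknowledged
            return "allow"
        if self.state == "ESTABLISHED" and flags & ACK:
            return "allow"                             # data segments of a known session
        return "block"   # anything else is not part of an established session

def handshake(client_isn, server_isn):
    """Run the three handshake segments through a tracker; return final state and verdicts."""
    t = HandshakeTracker()
    verdicts = [
        t.observe(SYN, client_isn, 0),                      # Step 1: client SYN, seq = ISN_c
        t.observe(SYN | ACK, server_isn, client_isn + 1),   # Step 2: server SYN-ACK
        t.observe(ACK, client_isn + 1, server_isn + 1),     # Step 3: client ACK
    ]
    return t.state, verdicts

if __name__ == "__main__":
    print(handshake(1000, 5000))
    print(HandshakeTracker().observe(ACK, 7, 8))   # stray ACK with no session
```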
TCP - Transmission Control Protocol
Transport layer of the OSI (Open Systems Interconnection) model
Application-to-application communication: movement of data between applications
TCP is a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages.
Provides error-free data transmission: handles retransmission of dropped or garbled packets as well as acknowledgement of all packets that arrive.
Slow
Reliable
Positive Acknowledgement with Re-transmission (PAR)
UDP - User Datagram Protocol
Not connection-oriented
No guaranteed delivery
Used for streaming media - video and audio
Fast
Unreliable
ICMP - Internet Control Message Protocol
Neighbor Discovery Protocol - NDP
RTP - Real-time Transport Protocol (works at the application layer)
RTP (RFC 1889) provides end-to-end transport functions for applications that require real-time transmission, such as audio and video over unicast or multicast packet network services.
• RTP normally runs on top of UDP but is not limited to it
• RTP does not provide QoS guarantees
• RTP deals with jitter, loss, timing recovery and inter-media synchronization
The Real-time Transport Protocol is a network protocol used to deliver streaming audio and video media over the internet, thereby enabling the Voice Over Internet Protocol (VoIP).
Examples
• Audio conference (multicast)
• Audiovisual conference (multicast)
The scp command allows you to copy files over ssh connections
Authentication Header (AH)
Authentication Header (AH) is an IPSec protocol that provides data integrity, data origin authentication, and optional anti-replay services to IP.
Encapsulating Security Payload (ESP) is a protocol within IPSec for providing authentication, integrity and confidentiality of network packet data/payload in IPv4 and IPv6 networks. ESP provides message/payload encryption and the authentication of a payload and its origin within the IPSec protocol suite.
DNS poisoning
Description
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record,
Switching loop: more than one path to a port.
Spanning Tree Protocol / Rapid Spanning Tree Protocol: allows a single path to destinations when there are multiple (redundant) links such as this. In an STP environment,
A MAC address flooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with a very large number of Ethernet frames with different fake source MAC addresses.
Flood guards serve as preventive control against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
NTFS (New Technology File System)
Antispoofing is a technique for identifying and dropping packets that have a false source address. In a spoofing attack, the source address of an incoming packet is changed to make it appear as if it is coming from a known, trusted source.
A bridge operates at the data link layer. A bridge is a repeater with the added functionality of filtering content by reading the MAC addresses of source and destination. It is also used for interconnecting two LANs working on the same protocol.
Network Address Translation
DNAT has a pool of public IP addresses and is expensive
SNAT – one-to-one mapping of a public IP to a private IP, which never changes
Port Address Translation
Many Private IP to One Public IP
192.169.4.6:5467 = 75.46.238.101:9001
192.169.4.11:5467 = 75.46.238.101:9001
192.169.4.7:5467 = 75.46.238.101:9001
192.169.4.82:5467 = 75.46.238.101:9001
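A small port address translator, added as an example that is not part of the original deck, showing how many private hosts share one public IP. Each private endpoint is given its own public port (the table records which private host owns each port), which is what lets the router map replies back to the right host; an inbound packet for a port with no table entry has nowhere to go and is dropped. The hosts and ports are taken from the slide; the public port allocation is constructed.

```python
class PortAddressTranslator:
    """Many private IPs behind one public IP, distinguished by public port."""

    def __init__(self, public_ip, first_port=9001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, private_ip, private_port):
        """Rewrite an outbound source; reuse the mapping if this flow already has one."""
        key = (private_ip, private_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port):
        """Map a reply back to the private endpoint; None means no session, so drop it."""
        return self.inbound.get(public_port)

def demo():
    """Translate the slide's four private hosts, all using source port 5467."""
    pat = PortAddressTranslator("75.46.238.101")
    hosts = ["192.169.4.6", "192.169.4.11", "192.169.4.7", "192.169.4.82"]
    return {h: pat.translate_out(h, 5467) for h in hosts}

if __name__ == "__main__":
    for private_ip, (public_ip, public_port) in demo().items():
        print(f"{private_ip}:5467 = {public_ip}:{public_port}")
```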
An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks