Learn about malware, attacks to the network, social engineering attacks from scratch.
Malware
Malware can be very problematic that can lock access of files and demand money to pay. It happened to many police office. They had to pay Money to the malware software created to get back the access of the data.
Reference: https://www.youtube.com/playlist?list=PL0bbor\_qrUHjy81QzEs0n63duuhQUdr8W
3 Main areas of Malware are:
- Nuisance Adds, Spyware and Marketing
- Remote Access / Keyloggers : Get in to our system and steal password
- Remote Attacks / DDos : Use our machine as a botnet and do remote attack against some 3rd party application
Adware
Malware that is installed on an infected machine to deliver ads
. Use Malwarebytes Anti-Malware software to prevent Adware.
Virus
Malicious code that require user interaction
to install and replicate.
Spyware
Malicious software that capture user activity
and reports back. ( keystrokes, web browsing activity etc.)
Trojan
Seemingly friendly software that contains hidden
malicious software. Normally, it comes from Remote Access Tools (RAT).
Rootkits
Malicious code that install itself at the OS or Kernel
level to avoid detection. They load before OS load while bootup. So anti-virus can not detect it. Kasper Sky Lab
TDSSKiller
it can scan boot sector, services and drivers. It is free.
Backdoor
Software that installs for the purpose of opening ports and installing additional software
. Backdoor can steal passwords. Full access to the system.
Logic Bomb
Malicious code that triggers
after a period of time based on some date
or specific activity
. Normally in backup files or codes they hide. An employee who wants to destroy company by installing logic bomb that triggers after he gets fired.
Botnet
Malicious code that infects large numbers
of hosts for the purpose of launching large scale attacks
on specific targets
.
A botnet refers to a group of computers which have been infected by malware and have come under the control of a malicious actor.
Command and Control (C&C) servers can control thousands of bots( zombies ) for massive DDoS attacks.
They can target Military, Google, Amazon, Yahoo etc.
Ransomware
Malicious applications that scare
or scam
users into taking some type of action
. Typically paying the creator for removal.
Polymorphic Malware
Malware that changes
on each install to avoid detection
like changing ports, destination IP addresses etc.
Armored Virus
Malicious code that is designed to avoid
, detection
and analysis
( Encryption, obfuscation, additional useless code, etc. )
Types of Attacks to the Network
4 Categories of attacks:
- Denial of Service: DDoS
- Traffic Capture: Sniffers
- Password Crack: Brute force
- DNS & Host File: Website Spoofing
Here is the list of all attacks:
- Man-in-The-Middle
- Replay
- DDoS
- DoS
- Smurf Attack : Broad-cast ping request from victim machine to large number of pcs.
- Spoofing : Masquerading as another using their IP address used in DDoS
- Spam : using DDoS attacks spam email server
- Phishing : Email contains malicious links looks like original ebay or amazon.
Spim : SPAM over instant messaging
Vishing : Voice Phishing
Spear Phishing : Targeted & Focused phishing campaign
Xmas Attack : Scan of a host to determine what type of system it is. NMap initiates Xmas Attack and creates xmas flags.
Pharming : Redirecting a website’s traffic somewhere else.
If attacker modify DNS Server to redirect the site to Hacker server. Also called as DNS Poising and ARP PoisingDNS Poisoning and ARP Poisoning
Privilege Escalation : Obtaining elevated privileges
Malicious Insider Threat : Hard to guard this one. Threats from internal employees. They can do logic bomb etc.
Transitive Access : Hard to guard this one. Granted by virtue of being granted access to intermediatory component. If A trusts B and B trusts C then A trusts C by nature of transitivity.
Client-Side attacks : Attack initiated by client machine. Firewall can not guard against this attack. Layered defences can only save us from client-side attacks. Something like WAF web application firewall on the PC and stop this attack.
Password attacks : Attempting to crack password.
Man In Middle
Hacker can use Packet sniffing software (WIRESHARK) to intrude the connection. Get the sender and receiver server information. He can get access to the website as Alice or Bob.
Replay
Sniffing the wired network. Capture packet and put them back in the connection in the network. If you don’t get packet on sequence or delay then it is an alert for replay or man in middle attack.
DDoS
Large scale attack against a target. Botnet is Army of a Zombie
DoS
Similar type of attack but on much smaller scale.
DDoS attack from China to USA
Social Engineering Attacks (Important Topic)
- Shoulder surfing: A person sitting side to you and get your pin
- Dumpster diving: Stealing personal info from dustbin
- Tailgating:
- Impersonating:
- Hoaxes: An email looks genuine on click install virus.
- Whaling: A fake company that can steal your money
- Vishing: A phone call take your personal/company information.
Reasons for Social Engineering Attacks
- Intimidation
- Consensus or Social proof
- Familiarity/Liking
- Trust
- Scarcity or Urgency
Wifi Scams
- Rogue access points: Hacker put their WAP and do malicious activity.
- War Driving
- Bluejacking: Sending vCard to someone’s phone.
- Bluesnarfing: Get data from someone’s phone
- IV attacks: Initialization Vector Attacks. Hackers can easily cracked encryptions WEP 24 bit encryption data.
Packet Sniffing: Someone can use tools (like WIRESHARK ) to read data from the network’s packets. You can look source, destination, protocol, and the actual query, data etc.
NFC (Near Field Communication): Allow to communicate between 2 phone with 2-3 inch near.
WPS (Wifi Protected Setup) attack: Router pin is compromised.
WEP/WPA attacks
Application Attacks
- Cross-site scripting (XSS): technique to hijack sessions. Browser will run the malicious code because it was served from the server it trust.
- Cross-site Request Forgery (XSRF)
Hacker can manipulate the header of the packet. Here server will run the malicious code because it trust the client. You can use VPN or SSL/TLS to prevent XSRF attack.
XSS vs XSRF
SQL injection
Add malicious sql code into the data stream that is running on SQL server. Throw error to crash app, or get info about tables in SQL.
- LDAP injection
LDAP is used to authenticate users. Pass a malicious LDAP query to the webserver that will execute in LDAP server and return additional data.
Therefore, sanitize the input value coming from client in webserver before executing to protect this attack.
- XML injection
Inject xml query to alter the path or query of resource. Make a $harmless query in the .ini file present in the server.
Fuzzing used by application to detect security holes.
- Directory traversal/command injection
Inject ./
or ../
to navigate to other directories.
Buffer overflow
Integer overflow
Zero-day
Cookies and attachments EverCookies don’t delete ever and they track user’s browsing habits.
LSO (locally shared objects)
Flash Cookies don’t delete ever and they track user’s browsing habits.
Flash Cookies
Malicious add-ons
Session hijacking
Header manipulation
Arbitrary code execution/remote code execution
Monitoring and Hardening servers and applications
You want to maintain CIA Triad. Your system is secure, users can access to the data they need and make sure that access is secure.
Monitoring System Logs
Hardening servers and applications
Network Security
Security Posture
Reporting
Detection controls vs Prevention controls
Network Security
Defending the perimeter of our network!
Security Posture
Reporting
Reporting is required to avoid the false alarms.
Detection controls vs Prevention controls
- IDS: Log alerts, events, analyze it is reactive.
- IPS: New platform, enable prevention, automatically shut down the port.
Discovering Security Threats and Vulnerabilities
- Security Assessment Tools
- Risk Assessment Tools
- Assessment Types
- Assessment Techniques
Security Assessment Tools
All of the tools produce lot of results. How to interpreted the data produced by these tools.
- Protocol Analyzer
- Vulnerability Scanner
- Honeypots
- Honeynets
- Port Scanner
- Passive vs. Active Tools
- Banner Grabbing
Protocol Analyzer
It is known as packet sniffer. It can get layer-2,3 information. Capture package you can save it or analyze it.
- Wireshark
- Netmon (Microsoft)
- Retina
Vulnerability Scanner
Scan entire network, segment of network or specific host.
- Nmap
- Nessus
- Retina
- SAINT
Honeypots & Honeynets
You create a trap for hacker and let them do their business. Meanwhile you can identify them learn hacker’s techniques, tools etc.
Port Scanner
NMap is a port scanner tool, it can search for open ports. There are 65,536
ports available. Common ports are:
- HTTP = 80
- FTP = 21 and 22
- SMTP = 58
- SMTP = 25
- DNS = 53
- SSL = 443
Banner Grabbing
Telnet and Netcat are used to know what services are running on the specific ports. Hacker can crack that specific service or application.
Passive vs. Active Tools
Passive Tools: Don’t interact directly with host, just monitor traffic and see what host is doing. Active Tools: It is visible to the host and admin. Here you interact with host and get info out of the host. ( Honeypots/honeynets, Port scanner, banner grabbing, penetration testing)
Risk Assessment Tools
Threat vs Likelihood. Business owner has to find out the risk of tolerance.
- AV = Asset Value
- EF = Exposure Factor
- ALE ( Annual Loss Expectancy ) : How much monitory loss u can expect in a year.
ALE = SLE x ARO
- SLE ( Single Loss Expectancy ) : How much monitory loss u can expect at anytime.
SLE = AV x EF
- ARO ( Annualized Rate of Occurrence ) : Probability of the server failure during the year.
Example: If your business Annual Loss = 121K , Fixing cost = 500K Would you do fix or bear loss? For Amazon they will fix it because they are obsessed of customer and you care for them and don’t let your business down that will impact your customer.
Assessment Types
- Risk
- Threat
- Vulnerability
Assessment Technique
- Baseline reporting
- Code review
- Determine attack surface
- Review Architecture
- Review Design
Determine attack surface
Attack Surface Reduction (ASR) has the goal of mitigating risk.
Penetration testing vs Vulnerability Scanning
Penetration Testing (Pen Testing): Attacking a computer system with the intention of finding it’s weaknesses and security vulnerability. This is a intrusive test. So business has to sign off for penetration testing. It could bring servers down and business may be impacted.
Penetration testing
- Bypass security control
- XSS attacks
- IP or MAC Spoofing : Check switch are only allowing few IP’s.
- MiTM attacks
- Protocol Analyzer or Packet Sniffers
- Actively Test security controls
- This is a intrusive test. So business has to sign off for this test. It could bring servers down and business may be impacted.
- Exploiting Vulnerabilities
- Nessus and Metasploit tool can be used to find missing patches and security misconfigurations.
Vulnerability Scanning
It is a non-intrusive testing and it does not impact business.
Intrusive vs Non-intrusive Security Testing
Different Types of Testing
- False Positive
- Black Box
- tester has no prior knowledge of network or environment.
- use fuzzing technique
- use injection attack
- White Box
- full knowledge of network or environment
- done by internal employee
- Grey Box
- some knowledge, no access of documents, but they know where to go and test
Things to Remember
- Take Business consent for Vulnerability or Penetrating Testing
- Review company
guidelines and rules of engagement
- Make sure You have skills and background to do Pen testing. This is very expensive test. If you make mistake and did detail testing or deep scan it will shut down network and environment.
Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.
💖 Say 👋 to me!
Rupesh Tiwari
Founder of Fullstack Master
Email: rupesh.tiwari.info@gmail.com
Website: RupeshTiwari.com
Top comments (0)