Rupesh Tiwari

I help students and professionals to become Full Stack Software Developer in less than a year!

Security Threats and Vulnerabilities

Learn about malware, attacks to the network, social engineering attacks from scratch.

Malware

Malware can be very problematic that can lock access of files and demand money to pay. It happened to many police office. They had to pay Money to the malware software created to get back the access of the data.

Reference: https://www.youtube.com/playlist?list=PL0bbor_qrUHjy81QzEs0n63duuhQUdr8W

3 Main areas of Malware are:

Nuisance Adds, Spyware and Marketing
Remote Access / Keyloggers : Get in to our system and steal password
Remote Attacks / DDos: Use our machine as a botnet and do remote attack against some 3rd party application

Adware

Malware that is installed on an infected machine to deliver ads. Use Malwarebytes Anti-Malware software to prevent Adware.

Virus

Malicious code that require user interaction to install and replicate.

Spyware

Malicious software that capture user activity and reports back. ( keystrokes, web browsing activity etc.)

Trojan

Seemingly friendly software that contains hidden malicious software. Normally, it comes from Remote Access Tools (RAT).

Rootkits

Malicious code that install itself at the OS or Kernel level to avoid detection. They load before OS load while bootup. So anti-virus can not detect it. Kasper Sky Lab TDSSKiller it can scan boot sector, services and drivers. It is free.

Backdoor

Software that installs for the purpose of opening ports and installing additional software. Backdoor can steal passwords. Full access to the system.

Logic Bomb

Malicious code that triggers after a period of time based on some date or specific activity. Normally in backup files or codes they hide. An employee who wants to destroy company by installing logic bomb that triggers after he gets fired.

Botnet

Malicious code that infects large numbers of hosts for the purpose of launching large scale attacks on specific targets.

A botnet refers to a group of computers which have been infected by malware and have come under the control of a malicious actor.

Command and Control (C&C) servers can control thousands of bots( zombies ) for massive DDoS attacks.

They can target Military, Google, Amazon, Yahoo etc.

Ransomware

Malicious applications that scare or scam users into taking some type of action. Typically paying the creator for removal.

Polymorphic Malware

Malware that changes on each install to avoid detection like changing ports, destination IP addresses etc.

Armored Virus

Malicious code that is designed to avoid, detection and analysis ( Encryption, obfuscation, additional useless code, etc. )

Types of Attacks to the Network

4 Categories of attacks:

Denial of Service: DDoS
Traffic Capture: Sniffers
Password Crack: Brute force
DNS & Host File: Website Spoofing

Here is the list of all attacks:

Man-in-The-Middle
Replay
DDoS
DoS
Smurf Attack: Broad-cast ping request from victim machine to large number of pcs.
Spoofing: Masquerading as another using their IP address used in DDoS
Spam: using DDoS attacks spam email server
Phishing: Email contains malicious links looks like original ebay or amazon.
Spim: SPAM over instant messaging
Vishing: Voice Phishing
Spear Phishing: Targeted & Focused phishing campaign
Xmas Attack: Scan of a host to determine what type of system it is. NMap initiates Xmas Attack and creates xmas flags.

NMap software if u give ip address of router then it will give all details of your machine.
Pharming: Redirecting a website’s traffic somewhere else.
If attacker modify DNS Server to redirect the site to Hacker server. Also called as DNS Poising and ARP Poising

If attacker modify Client PC to redirect the site to Hacker server.
DNS Poisoning and ARP Poisoning
Privilege Escalation: Obtaining elevated privileges
Malicious Insider Threat: Hard to guard this one. Threats from internal employees. They can do logic bomb etc.
Transitive Access: Hard to guard this one. Granted by virtue of being granted access to intermediatory component. If A trusts B and B trusts C then A trusts C by nature of transitivity.
Client-Side attacks: Attack initiated by client machine. Firewall can not guard against this attack. Layered defences can only save us from client-side attacks. Something like WAF web application firewall on the PC and stop this attack.
Password attacks: Attempting to crack password.
- Brute Force: keep trying the password till you crack.
- Dictionary Attacks: use tools like Crack to get possible password.
- Hybrid: brute force attack combined with dictionary attack.
- Birthday Attacks: Try all combination of alphanumeric value to get the hash value that match with user’s password hash value.
- Rainbow Tables: Precomputed cryptographic hash that gives you large list of hashes to try.
- Typo Squatting/URL Hijacking: Hackers register domain names with wrong spelling and fool user. Example: Google, Googel, Googgle etc. They just get tons of traffic and they can route them to other site and earn money from them.
- Watering Hole Attack: Attackers plant malware on the Less secure website where user of targeted company frequently go.

Man In Middle

Hacker can use Packet sniffing software (WIRESHARK) to intrude the connection. Get the sender and receiver server information. He can get access to the website as Alice or Bob.

{: .full}

Replay

Sniffing the wired network. Capture packet and put them back in the connection in the network. If you don’t get packet on sequence or delay then it is an alert for replay or man in middle attack.

DDoS

Large scale attack against a target. Botnet is Army of a Zombie

DoS

Similar type of attack but on much smaller scale.

DDoS attack from China to USA

Shoulder surfing: A person sitting side to you and get your pin
Dumpster diving: Stealing personal info from dustbin
Tailgating:
Impersonating:
Hoaxes: An email looks genuine on click install virus.
Whaling: A fake company that can steal your money
Vishing: A phone call take your personal/company information.

Intimidation
Consensus or Social proof
Familiarity/Liking
Trust
Scarcity or Urgency

Wifi Scams

Rogue access points: Hacker put their WAP and do malicious activity.

War Driving

Bluejacking: Sending vCard to someone’s phone.
Bluesnarfing: Get data from someone’s phone
IV attacks: Initialization Vector Attacks. Hackers can easily cracked encryptions WEP 24 bit encryption data.
Packet Sniffing: Someone can use tools (like WIRESHARK) to read data from the network’s packets. You can look source, destination, protocol, and the actual query, data etc.
NFC (Near Field Communication): Allow to communicate between 2 phone with 2-3 inch near.

WPS (Wifi Protected Setup) attack: Router pin is compromised.
WEP/WPA attacks

Application Attacks

Cross-site scripting (XSS): technique to hijack sessions. Browser will run the malicious code because it was served from the server it trust.

Cross-site Request Forgery (XSRF)

Hacker can manipulate the header of the packet. Here server will run the malicious code because it trust the client. You can use VPN or SSL/TLS to prevent XSRF attack.

XSS vs XSRF
SQL injection

Add malicious sql code into the data stream that is running on SQL server. Throw error to crash app, or get info about tables in SQL.

LDAP injection

LDAP is used to authenticate users. Pass a malicious LDAP query to the webserver that will execute in LDAP server and return additional data.

Therefore, sanitize the input value coming from client in webserver before executing to protect this attack.

XML injection

Inject xml query to alter the path or query of resource. Make a $harmless query in the .ini file present in the server.

Fuzzing used by application to detect security holes.

Directory traversal/command injection

Inject ./ or ../ to navigate to other directories.

Buffer overflow
Integer overflow
Zero-day

This are the virus that are not yet fixed by antivirus softwares. Zero-day attack can’t be stopped by anti-virus. Stuxnet attack was using 4 zero-day attack. Google, Microsoft, big private companies, government companies, hackers company they all buy and horde zero-day exploits.
Cookies and attachments EverCookies don’t delete ever and they track user’s browsing habits.
LSO (locally shared objects)

Flash Cookies don’t delete ever and they track user’s browsing habits.

Flash Cookies
Malicious add-ons
Session hijacking
Header manipulation
Arbitrary code execution/remote code execution

Monitoring and Hardening servers and applications

You want to maintain CIA Triad. Your system is secure, users can access to the data they need and make sure that access is secure.

Monitoring System Logs
- Event Logs
- Audit Logs
- Security Logs
- Access Logs
Hardening servers and applications
- Disabling unnecessary services
- Protecting management interfaces and applications
- Password protection
- Disabling unnecessary accounts
Network Security
- MAC limiting and filtering
- 802.1x
- Disabling unused interfaces and unused application service ports
- Rogue machine detection
Security Posture
- Initial baseline configuration
- Continuos security monitoring
- Remediation
Reporting
- Alarms
- Alerts
- Trends
Detection controls vs Prevention controls
- IDS ( Intrusion Detection Systems ) vs IPS (Intrusion Prevention Systems)
- Camera vs. guard

Network Security

Defending the perimeter of our network!

Security Posture

Reporting

Reporting is required to avoid the false alarms.

Detection controls vs Prevention controls

IDS: Log alerts, events, analyze it is reactive.
IPS: New platform, enable prevention, automatically shut down the port.

Discovering Security Threats and Vulnerabilities

Security Assessment Tools
Risk Assessment Tools
Assessment Types
Assessment Techniques

Security Assessment Tools

All of the tools produce lot of results. How to interpreted the data produced by these tools.

Protocol Analyzer
Vulnerability Scanner
Honeypots
Honeynets
Port Scanner
Passive vs. Active Tools
Banner Grabbing

Protocol Analyzer

It is known as packet sniffer. It can get layer-2,3 information. Capture package you can save it or analyze it.

Wireshark
Netmon (Microsoft)
Retina

Vulnerability Scanner

Scan entire network, segment of network or specific host.

Nmap
Nessus
Retina
SAINT

Honeypots & Honeynets

You create a trap for hacker and let them do their business. Meanwhile you can identify them learn hacker’s techniques, tools etc.

Port Scanner

NMap is a port scanner tool, it can search for open ports. There are 65,536 ports available. Common ports are:

HTTP = 80
FTP = 21 and 22
SMTP = 58
SMTP = 25
DNS = 53
SSL = 443

Telnet and Netcat are used to know what services are running on the specific ports. Hacker can crack that specific service or application.

Passive vs. Active Tools

Passive Tools: Don’t interact directly with host, just monitor traffic and see what host is doing. Active Tools: It is visible to the host and admin. Here you interact with host and get info out of the host. ( Honeypots/honeynets, Port scanner, banner grabbing, penetration testing)

Risk Assessment Tools

Threat vs Likelihood. Business owner has to find out the risk of tolerance.

AV = Asset Value
EF = Exposure Factor
ALE ( Annual Loss Expectancy ) : How much monitory loss u can expect in a year. ALE = SLE x ARO
SLE ( Single Loss Expectancy ) : How much monitory loss u can expect at anytime. SLE = AV x EF
ARO ( Annualized Rate of Occurrence ) : Probability of the server failure during the year.

Example: If your business Annual Loss = 121K , Fixing cost = 500K Would you do fix or bear loss? For Amazon they will fix it because they are obsessed of customer and you care for them and don’t let your business down that will impact your customer.

Assessment Types

Risk
Threat
Vulnerability

Assessment Technique

Baseline reporting
Code review
Determine attack surface
Review Architecture
Review Design

Determine attack surface

Attack Surface Reduction (ASR) has the goal of mitigating risk.

Penetration testing vs Vulnerability Scanning

Penetration Testing (Pen Testing): Attacking a computer system with the intention of finding it’s weaknesses and security vulnerability. This is a intrusive test. So business has to sign off for penetration testing. It could bring servers down and business may be impacted.

Penetration testing

Bypass security control
- XSS attacks
- IP or MAC Spoofing : Check switch are only allowing few IP’s.
- MiTM attacks
- Protocol Analyzer or Packet Sniffers
Actively Test security controls
- This is a intrusive test. So business has to sign off for this test. It could bring servers down and business may be impacted.
Exploiting Vulnerabilities
- Nessus and Metasploit tool can be used to find missing patches and security misconfigurations.

Vulnerability Scanning

It is a non-intrusive testing and it does not impact business.

Intrusive vs Non-intrusive Security Testing

Different Types of Testing

False Positive
Black Box
- tester has no prior knowledge of network or environment.
  - use fuzzing technique
  - use injection attack
White Box
- full knowledge of network or environment
- done by internal employee
Grey Box
- some knowledge, no access of documents, but they know where to go and test

Things to Remember

Take Business consent for Vulnerability or Penetrating Testing
Review company guidelines and rules of engagement
Make sure You have skills and background to do Pen testing. This is very expensive test. If you make mistake and did detail testing or deep scan it will shut down network and environment.

Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.

💖 Say 👋 to me!
Rupesh Tiwari
Founder of Fullstack Master
Email: rupesh.tiwari.info@gmail.com
Website: RupeshTiwari.com