62 - Security of Systems and Networks Flashcards

1
Q

Security fundamentals

A

CIA - confidentiality, integrity, availability

Security, functionality and ease of use (the triangle) - we have to balance them (the most secure option is to bury the system at the bottom of the sea, but then it will probably not be very usable)

2
Q

Types of hackers and phases of hacking

A

• White Hats - Ethical hackers, hired by a customer for testing, improving their security or other defensive purposes.
Well respected; they do not use their skills and knowledge without prior consent.

• Black Hats - Use their skills illegally, for either personal gain or malicious intent.
Black Hats do not ask for permission or consent.

• Gray Hats - Neither good nor bad.
They are either curious about hacking or feel it is their duty to demonstrate security flaws in systems, with or without the owner's permission.

  • Hacktivist - hacker with a political or ideological motivation
  • Suicide Hacker
  • Ethical Hacker

Hacking Stages

• Reconnaissance - Gather evidence and information on the targets before the attack.

  • Passive – gathering without the target's knowledge
  • Active – may or may not be discovered (higher risk of discovery)

• Scanning and enumeration - Gather more in-depth information
• Gaining access - The main attack phase: bypassing security controls, abusing vulnerabilities, …
• Escalation of privileges - Gaining more privileges within the system (from user to root)
• Maintaining access - Ensuring there is a way back into the system using a backdoor
• Covering tracks - Hide the activity before it is discovered
3
Q

Types of testing

A

• Black Box - Method of software testing without knowledge of the internal structure and code of the application under test.

  • Usually used for testing from the perspective of a real attacker.
  • Black box testing is designed to simulate a real, unknown hacker from outside.

• White Box - Method of testing with access to the internal structure of the application and/or its code.

  • Usually refers to a methodology where the tester has full knowledge of the application/system under test.
  • Designed to simulate an internal threat – an insider, a disgruntled employee

• Grey Box - Combination of black-box and white-box testing,

  • which benefits from the straightforward technique of black-box testing and combines it with the knowledge base of the code-oriented white-box method.
  • The tester starts with some level of privileges and targets escalation within the tested application, over the network or on the system.
4
Q

Reconnaissance

A

• Seven-Step Information-Gathering Process (CEH)

  • Information gathering
  • Determining the network range
  • Identifying active machines
  • Finding open ports and access points
  • OS fingerprinting
  • Fingerprinting services
  • Mapping the network attack surface

• Social networks
• Social engineering
• Tools: nmap
———————————————-

Footprinting (looking for any information, no matter how big or small, that might give a better insight into the target)

= Process of gathering information on systems, applications and the network
• Active Footprinting - Requires taking actions against the target - scans against computers, banner grabbing
• Passive Footprinting - Without interacting or communicating with the target (public information, web, DNS, social engineering, competitive intelligence)
• Anonymous vs. Pseudonymous

DNS Footprinting - trying to access information about the internal structure, IP addresses, systems, etc.
• DNS – mapping service between names and IP addresses
• IANA – Internet Assigned Numbers Authority
- DNS is full of information about internal structure, IP addresses, systems
• Record Types:
  SRV   Service
  SOA   Start of Authority
  PTR   Pointer
  NS    Name Server
  MX    Mail Exchange
  CNAME Canonical Name
  A     Address
• DNS poisoning and DNSSEC
• Tools: whois, nslookup, dig, tracert, traceroute

Google hacking
Vulnerabilities
- “#-Frontpage-“ inurl:administrators.pwd
- cache:”access denied for user” “using password”

Cameras
• inurl:”ViewerFrame?Mode=“
• inurl:control/userimage

Server files
• intitle:index.of
• cache:define inurl:/conf

Anonymous googling:
• Use cache, “&strip=1”

5
Q

Scanning and enumeration - Gather more in-depth information


A

Scanning and Enumeration = Process of discovering systems on a network and their open ports, and identifying the applications behind them

Identify live systems
• Ping each IP address of the subnet to see which hosts are alive
• Using the ICMP protocol or TCP scanning
• Could be blocked by a firewall or IDS/IPS systems

Discover open ports
• Scanning the ports of the systems to identify listening services
• Horizontal Scan – a scan of multiple hosts against one port
• Vertical Scan – a scan of one host across all ports
• Port ranges: 0–1023 (well-known), 1024–49151 (registered), 49152–65535 (dynamic/private)

Nmap - Open-source network scanning tool (determine live systems, TCP sweep, SYN scan, UDP scan, …)

Identify operating system and services
• Fingerprinting – analyze OS and service replies to identify the operating system
• Banner grabbing – analyzing the banner of the service to identify version, OS, type of service, and more
  - Commonly done with telnet, a proxy for web applications, and other tools (get the web server version, mail server data, version, etc.)

Scan for vulnerabilities
• Versions of services and OS with known vulnerabilities
• Specialized tools: Nessus
- Scan types and TCP flags with the expected responses

6
Q

Hiding (proxies, anonymizers, …)

A

Proxy
• Using specialized systems to hide the IP address by relaying traffic through a proxy
• Tor – onion-routing based proxy service

IP spoofing
• Obscures the source IP address
• With a spoofed source IP address the replies may never find their way back to the sender

Source routing
• Specifying the route of a packet regardless of the routing tables
• The attacker can use the IP address of another machine on the subnet and have all the return traffic sent back, regardless of which routers are in transit.
• Most firewalls and routers detect and block source-routed packets

Anonymizers
• Services that hide the identity, IP address, country of origin, etc.
• http://www.anonymouse.org

7
Q

Sniffing

A

Sniffing = Capturing packets from the wire or the air to analyze them and find interesting information
Promiscuous mode of the network interface is used for capturing all packets regardless of source and destination IP address
• Portable devices, phones, tablets?

Collision domains
• Sharing the transport medium
• Switched network – how to sniff?

Open protocols without encryption
• All information is available to the sniffer
• HTTP without SSL/TLS
• Usernames / passwords

Tools: tcpdump, Wireshark, ettercap

8
Q

Evade Security Controls

A

ARP protocol
• ARP is a broadcast protocol for communication within a collision domain
• Translates an IP address to a MAC address
• CAM table – content-addressable memory in the switch, holding all learned MAC addresses and the ports they were seen on

ARP Flooding
• Generating ARP packets to fill the CAM table. When the CAM table is full and the switch receives a frame whose destination has no entry in the CAM table, it broadcasts the frame to all ports, effectively turning itself into a hub.
• In case of multiple entries for the same address in the CAM table, the last record is used.
• Port security – manually assign a MAC address to a specific port

MAC spoofing
• A valid user with MAC 0A-1B-2C-3D-4E-5F is connected to port 2. An attacker connects to port 3 and spoofs the MAC address 0A-1B-2C-3D-4E-5F. The switch notices that the MAC address of the valid user, formerly on port 2, seems to have moved to port 3 and updates its CAM table. The attacker will see all communication to the valid user as long as this is kept up.

9
Q

Intrusion Detection Systems

A

= Tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity

  • Network system for monitoring network activity and detecting malicious or unwanted behavior
  • Alerts the administrator or other security mechanisms
  • Captures and analyzes communication on the network interface
  • Detects malicious code
  • Provides information about illegal activity
  • Passive mechanism (does not prevent the malicious behavior)
  • Host-based and network-based IDS and IPS systems
  • Evasion: IP fragmentation, Unicode characters, slow actions
10
Q

Firewalls, honeypots and password cracking

A

Firewalls
• Rule-based packet filters. The first matching rule is applied.
• Stateful inspection firewalls – track the entire state of the connection
• Blocked traffic may be answered with ICMP error Type 3 Code 13 (communication administratively prohibited)
• Firewalking – technique to determine which ports are open through the firewall
• WAF – Web Application Firewall
• HTTP Tunneling – evasion technique tunneling other protocols over HTTP
• ACK Tunnel – communicating with packets carrying the ACK flag

Honeypots
• Honeypot – an invitation for attackers, easy meat: often vulnerable to various types of attacks and full of services
• Capability of obtaining a lot of information about an attack or malware
• Can record the attack vector, characteristics and behavior, tools used, methods, exploits
• Best way to get new types of attacks, zero-day vulnerabilities, code and programs for further analysis
——————————————-
Password cracking
Bad Passwords
• Short, blank, usernames, common dictionary words, default values
• Dictionary words: password, Heslo123, qwerty, asdasdasd, test, …

Password attacks
• Dictionary attack – try a list of commonly used passwords
• Brute-force attack – all possible combinations
• Hybrid attack – dictionary attack with variations of upper/lower case and numbers
• Replay attack – don't break the hash, replay the captured packet/message

Kerberos

Keyloggers
• Software, hardware
• Can AV software detect them?

11
Q

Windows and Linux Security

A

Patch Management
• The most problematic security threat is an out-of-date Windows machine
• 0-day (zero-day) vulnerabilities and exploits – Microsoft has had zero days to patch the vulnerability

Passwords
• Stored in the SAM file, located in the c:\windows\system32\config directory.
• LAN Manager, NTLM, NTLMv2 – MD5
• Rainbow tables

Escalating Privileges
1. Obtain the administrator password
2. Take advantage of a found vulnerability
3. Use Metasploit
4. Social engineering
----------------------------------
Linux Security
• File-system security
• Access control through user permissions - e.g. chmod 777 file (gives every user read, write and execute access)
• Dangerous SUID bits

Passwords
• Located in clear text in /etc/passwd, or in /etc/shadow if shadowed

12
Q

Buffer Overflow

A
  • The faulty code does not check whether the source buffer is too large to fit in the destination buffer.
  • When the function returns, the CPU unwinds the stack frame and pops the (now modified) return address from the stack.
  • Control does not return to the caller as it should. Instead, arbitrary code (chosen by the attacker when crafting the initial input) is executed.

#include <string.h>

/* Deliberately vulnerable example from the card: strcpy copies s up to its
   terminating NUL byte with no bounds check, so any input longer than
   9 characters overflows buffer and overwrites the saved return address. */
void f(char* s) {
    char buffer[10];
    strcpy(buffer, s);
}

Defense:
• Code auditing
• Non-executable stacks
• Randomize the virtual address space layout (ASLR)

13
Q

Security Hardening

A

Least Privilege
• Grant only those privileges that are necessary
• Run services under non-privileged users
• Restrict remote access to privileged accounts

Minimize the attack surface
• Stop and remove all unnecessary services
• Remove all unused personal and non-personal (service) accounts
• Remove all unused libraries, tools, packages

Keep security high
• Set a policy for password strength (minimum length 8, letters, numbers, special characters, no dictionary words)
• Set up the firewall with a least-privilege rule policy

14
Q

Rootkits

A

= Collection of software put in place by an attacker that is designed to obscure the system compromise
- a set of programs that can be used to mask the presence of malicious software on a computer, for example viruses, Trojan horses, spyware and the like.

  • Application level - Works within the application; changes the application's behavior, user rights level, and actions
  • Kernel level - Attacks the boot sectors and the kernel level of the operating system; the most dangerous and difficult to detect
  • Library level - Uses system-level calls to hide its existence
15
Q

Attacks - Human vs. computer based and other attacks

A

Human Based

Dumpster Diving
• Rifling through the dumpsters, paper-recycling bins, and office trashcans

Impersonation
• Pretending to be an employee, a valid user, an executive (VIP)

Technical Support
• Form of impersonation aimed at technical support, to "solve problems" such as a forgotten password

Shoulder Surfing
• Looking over someone's shoulder to watch them log in or access sensitive data, even from a long distance

Tailgating and Piggybacking
• Tailgating – follow an authorized person through an open door
• Piggybacking – ask for help, convincing them the badge was lost or forgotten

Computer Based

Social networks
• Facebook, Google+, Linkedin, Twitter, …
• Plenty of personal or professional information for attack
• Friend of a friend

Phishing
• Crafting an e-mail that appears legitimate but in fact contains malware, links to fake websites or to downloads of malicious content
• No security technology is able to detect it

Rogue security software
• Modern implementation of malware
• Fake AV programs carrying malware

Disgruntled employee
• Easy to convince, has a lot of sensitive information
• Biggest threat to the company

Reflected / Spoofed attack
• Spoofing the target's IP address and sending a huge amount of SYN or SYN/ACK packets to a list of zombies. They reply with RST to the target.

Ping of Death
• Oversized ping payload (behavior unspecified by the RFC) crashing the target operating system

Smurf attack
• Send a large number of ICMP packets with the source IP address of the target to a broadcast address; all machines reply to the target, using up all its bandwidth and preventing legitimate traffic from reaching the destination.

SYN flood
• A large number of SYN packets sent to the target leaves connections "half-open" and saturates the number of available connections. The target is then not able to accept more connections, denying legitimate ones.

Teardrop attack
• Using IP fragmentation with oversized payloads. After re-assembling the fragments, the target machine crashes due to a vulnerability in the re-assembly code.
