Network security: Introduction to network security Flashcards

1
Q

How does TCP/IP work

A
2
Q

How do routers work?

A
3
Q

How does ARP work?

A
4
Q

How is risk managed?

A
  • Accept the risk: keep an eye on it (monitoring) without mitigating it
  • Transfer the risk: e.g. insurance; keep the risk but move its impact somewhere else
  • Remove (avoid) the risk
  • Mitigate the risk: reduce the impact, reduce the likelihood, or both
  • Implement policies and mechanisms that carry out the chosen option
5
Q

What is risk assessment?

A

Working out the impact (and likelihood) of a risk.

Quantitative risk assessment: a monetary value for the impact
Qualitative risk assessment: categorise the level of risk (low, medium, high)

6
Q

What are threat trees?

A

The root node is the threat (the attacker's goal)
The child nodes are sub-threats: ways of achieving the parent
Sibling nodes are combined with AND (all are needed) or OR (any one is enough)

7
Q

What is a threat matrix?

A

A tool that models and categorises potential threats by applying a structured ranking process (from low to severe)

Categories:
- Existence
- Capability
- History
- Intentions
- Targeting

8
Q

How do boolean values propagate in an attack tree?

A

A parent node takes its value from its children, where P = possible and I = impossible

AND children: I + P -> I (every child must be possible)
OR children: I + P -> P (one possible child is enough)

9
Q

How do continuous values propagate in an attack tree?

A

The most likely attack is the cheapest one that requires no special equipment

Values propagate upwards:
OR: the parent gets the cheapest child's value
AND: the parent gets the sum of the children's values

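Both propagation rules (the boolean P/I rule of the previous card and the cost rule of this one) in working code, as an added example that is not part of the original deck. The tree is modelled on the well-known safe-cracking example; the node names, costs and the "special equipment" flags are constructed for illustration.

```python
"""Propagating boolean and cost values up an attack tree (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    op: Optional[str] = None            # "AND" or "OR" for internal nodes; None for a leaf
    possible: bool = True               # leaf boolean value: P (possible) / I (impossible)
    cost: float = 0.0                   # leaf continuous value (constructed figures)
    special_equipment: bool = False     # leaf boolean attribute
    children: List["Node"] = field(default_factory=list)


def is_possible(n: Node) -> bool:
    """Boolean propagation: AND -> every child must be P; OR -> any child P is enough."""
    if not n.children:
        return n.possible
    vals = [is_possible(c) for c in n.children]
    return all(vals) if n.op == "AND" else any(vals)


def cheapest_attack(n: Node, allow_special: bool = True) -> Tuple[float, List[str]]:
    """Continuous propagation: AND -> sum of children; OR -> the cheapest child.
    Returns (cost, leaves on that path). With allow_special=False, leaves that need
    special equipment are treated as impossible, giving the 'most likely' attack."""
    if not n.children:
        if not n.possible or (n.special_equipment and not allow_special):
            return INF, []
        return n.cost, [n.name]
    results = [cheapest_attack(c, allow_special) for c in n.children]
    if n.op == "AND":
        total = sum(cost for cost, _ in results)
        if total == INF:
            return INF, []
        return total, [leaf for _, leaves in results for leaf in leaves]
    return min(results, key=lambda r: r[0])


# Constructed tree modelled on the classic safe-cracking example; costs are made up.
SAFE = Node("Open safe", "OR", children=[
    Node("Pick lock", cost=30_000, special_equipment=True),
    Node("Learn combination", "OR", children=[
        Node("Find written combination", cost=75_000),
        Node("Get combination from target", "OR", children=[
            Node("Threaten", cost=60_000),
            Node("Blackmail", possible=False),
            Node("Eavesdrop", "AND", children=[
                Node("Listen to conversation", cost=20_000, special_equipment=True),
                Node("Get target to state combination", cost=40_000),
            ]),
            Node("Bribe", cost=20_000),
        ]),
    ]),
    Node("Cut open safe", cost=10_000, special_equipment=True),
    Node("Install improperly", possible=False),
])

if __name__ == "__main__":
    print("possible:", is_possible(SAFE))
    print("cheapest overall:", cheapest_attack(SAFE))
    print("cheapest without special equipment:", cheapest_attack(SAFE, allow_special=False))
```

Note how the AND node "Eavesdrop" becomes impossible as soon as one of its children is ruled out (here because it needs special equipment), while the OR nodes above it simply fall back to their next-cheapest child.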
10
Q

Define Exposure Factor (EF)

A

The percentage of an asset's value that is lost when the identified threat occurs

11
Q

What is Single Loss Expectancy (SLE)

A

Asset value (AV) times EF: SLE = AV × EF, the loss from a single occurrence of the threat

12
Q

What is Annual Rate of Occurrence (ARO)?

A

Estimated frequency of a threat during a year

13
Q

What is Annual Loss Expectancy (ALE)

A

ALE = SLE × ARO: the expected loss per year from that threat

14
Q

What are the steps in the network attack methodology?

A

Initial recon
Initial compromise
Establish foothold
[ loop:
  Escalate privileges
  Internal recon
  Move laterally
  Maintain presence
]
Complete mission

15
Q

What is reconnaissance?

A

Attackers are likely to spend a lot of time on this step

Non-technical: dumpster diving, going through someone's personal belongings, social media

Technical: trying to identify the target's OS, technical training, etc.

16
Q

What happens during the vulnerability identification phase of a network attack?

A

Identifying the resources that are exposed (IP addresses, software, OS, open ports)

Then asking whether any of them are vulnerable: software bugs, design mistakes, misconfigurations

17
Q

What happens during the exploitation phase of a network attack?

A

The attacker gains access, preferably at root or administrator level.

Getting control of a user account, then elevating that user's privileges.

Denial of service (DoS) is the other possible outcome of this phase.

18
Q

What happens during the post-exploitation phase of a network attack?

A

This is the goal of the attack:
Accessing and retrieving data
Maintaining long-term access
Removing forensic evidence from the systems

19
Q

What is reconnaissance?

A

The first step in a system attack.

Gathering information about the target before carrying out the attack itself.

You want to spend quite a bit of time in this step gathering information.

20
Q

What information can be gathered during the reconnaissance step of a network attack?

A
  • IP addresses: the range of IP addresses used by the target
  • Network topology information: gathered through experimentation or by probing the network
  • Domain names
  • Account logins: what format the account names follow. Can they be inferred from e-mail addresses, are they first name + surname?
  • Operating systems and software: look at job listings to see which software they mention
  • Security policies: password complexity policies, password reset procedures, can a user phone in and have their password reset (useful later in the attack)?
  • Physical security systems: can the goal be accomplished by visiting the target in person?
  • Employee hangouts: overhear conversations, look at mobile phones, laptops and ID badges

Low-tech methods: dumpster diving (looking for documents), physical break-in, social engineering (taking advantage of people's emotions to get them to reveal information)

21
Q

What is the Google Hacking Database?

A

A database that indexes advanced Google search queries which turn up information people have left online. Combined with correct use of Google's advanced search operators, it can be used to find specific information about a target.

22
Q

What is Cree.py?

A

An open source intelligence (OSINT) gathering application that collects pictures from social network platforms and extracts the geolocation data embedded in them.

23
Q

What can an attacker use DNS for?

A

Domain registrants have to provide a name, address and phone number for the administrative and technical contacts of their domain.

Once an attacker knows the IP address of the target's DNS server, they can query it to gather more information about the target (host names, mail servers, and so on).

24
Q

What are the different types of DNS records? (10)

A

A, MX, NS, CNAME, SOA
SRV, RP, PTR, TXT, HINFO

25
Q

What is an A record (DNS)?

A

Address record describing the IP address of a node

26
Q

What is an MX record (DNS)?

A

Mail exchange.
The host name (with a priority) of the server that handles mail for the domain; the name itself is then resolved through its A record

27
Q

What is a NS record (DNS)?

A

Name server.
The name servers that are authoritative for this domain

28
Q

What is a CNAME record (DNS)?

A

Canonical name
Aliases for host names

29
Q

What is a SOA record (DNS)?

A

Start of authority: the first record in a zone file.
Marks this server as the authoritative source of information for the zone and carries the zone's parameters (primary name server, responsible party's e-mail, serial number, refresh/retry/expire timers, minimum TTL)

30
Q

What is a SRV record (DNS)?

A

Service record.
Information about services available in the domain (host, port and priority for a given service)
SIP and XMPP use this

31
Q

What is a RP record (DNS)?

A

Responsible person.
Assigns a contact e-mail address to a specific host

32
Q

What is a PTR record (DNS)?

A

Pointer record.
Allows reverse DNS lookup (IP address to host name).
Typically expected for mail (MX) hosts, as receiving mail servers check it

33
Q

What is a TXT record (DNS)?

A

Originally for human-readable information, but now used for things such as DomainKeys (DKIM) and SPF records

34
Q

What is a HINFO record (DNS)?

A

Host info.
Supplies the OS and hardware type of a host.
Generally not a good idea to publish this record, since it hands an attacker that information for free

35
Q

What can WHOIS be used for?

A

To lookup who owns a website or domain name

36
Q

What is Robtex and what is it used for?

A

A free DNS lookup tool.

It is used for research on IP numbers, domain names, etc.

Robtex gathers public information about IP numbers, domain names, host names, autonomous systems, routes, etc.
Robtex then indexes the data in a database

37
Q

What is the Border Gateway Protocol (BGP)

A

The routing protocol that ties the different autonomous systems together across the internet.

It is common for internet service providers to leave a "looking glass" server open for anyone to access. From it we can run our own traceroutes, look at routing tables and gather information about how the target is connected to the internet.

38
Q

What are "looking glass" servers?

A

A router (or a web front-end to one) with view-only access to its routing information and no password protection

39
Q

What does traceroute do?

A

Records the route packets take from one computer to another across the internet. It sends probes with increasing TTL values and listens for the ICMP "time exceeded" replies that each router on the path sends back when it discards an expired probe.

40
Q

What is ICMP?

A

A network layer protocol that communicates information about network connectivity problems back to the source of the affected transmission.
It is connectionless: it is not associated with transport layer protocols such as TCP and UDP, so a device does not need to open a connection to another device in order to send a packet.

Examples of usage: traceroute, ping

41
Q

What is SHODAN?

A

A search engine that indexes metadata (service banners) found on devices connected to the internet.
It can be used to find out whether any device inside an organisation is running a given piece of software at a given version.

E.g. a router: SHODAN will show what kind of router it is and which software version it runs

Web server: type of OS, type of web server, software version

42
Q

How can you identify available hosts within a given IP address space?

A

Do a ping sweep and see who answers.
A ping sweep is a network scanning technique used to find out which IP addresses map to live hosts.
It sends ICMP ECHO requests to many hosts at the same time.

Tool: Angry IP Scanner

43
Q

What can you do if ping sweeps don't work, and what is then the cause of them not working?

A

If a host-based firewall is configured to drop ICMP packets, ping sweeps won't work.

Instead we can leverage the domain name system (DNS).
DNS zone transfers regularly synchronise the primary and secondary (backup) DNS servers, so that the secondary periodically receives a copy of the primary server's zone data.
If this is configured incorrectly (zone transfers allowed from any address), an attacker can request a transfer just as a secondary server would, and receive the whole zone.

44
Q

What is “dig” and what is it used for?

A

dig (Domain Information Groper) is a Linux/Unix tool designed to interrogate DNS name servers.

Syntax:
dig @<DNS_SERVER_IP> <target_domain> -t AXFR

dig can be used by an attacker to request a zone transfer the way a secondary DNS server would, and so receive the records of the target's DNS zone

45
Q

What can be done if zone transfer isn’t possible?

A

Brute force attack.
List potential host names in a text file and throw them at the DNS server one by one.

If the DNS server responds with an IP address for one of the potential hosts, we know there is an entry for it in the DNS server's database

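The host-name brute force described above as working code, added here and not part of the original deck. The resolver is pluggable so the example runs offline against a constructed zone (example.test is not a real domain); passing socket.gethostbyname instead queries real DNS. It also adds the check a practitioner needs first: a wildcard record in the zone would make every guess "resolve", so a random label is probed before trusting any hits.

```python
"""DNS host-name brute forcing with a pluggable resolver (added example, constructed zone)."""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], str]   # name -> IPv4 address; raises socket.gaierror when no record exists


def brute_force_hosts(domain: str, words: Iterable[str],
                      resolve: Resolver = socket.gethostbyname) -> List[Tuple[str, str]]:
    """Try <word>.<domain> for each word in the list; keep the names the server answers for."""
    found: List[Tuple[str, str]] = []
    for word in words:
        name = f"{word}.{domain}"
        try:
            ip = resolve(name)
        except socket.gaierror:
            continue                  # NXDOMAIN / no A record: no entry in the zone for this name
        found.append((name, ip))
    return found


def has_wildcard(domain: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """A wildcard record (*.domain) makes every guess 'resolve'; probe a random label first
    so that a brute-force run is not just a list of false positives."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        resolve(probe)
        return True
    except socket.gaierror:
        return False


def make_fake_resolver(records: Dict[str, str], wildcard: Optional[str] = None) -> Resolver:
    """Offline stand-in for socket.gethostbyname, backed by a constructed record table."""
    def resolve(name: str) -> str:
        if name in records:
            return records[name]
        if wildcard is not None:
            return wildcard
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


# Constructed sample zone and wordlist (example.test is not a real domain).
ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.20",
    "vpn.example.test": "192.0.2.30",
}
WORDLIST = ["www", "mail", "ftp", "vpn", "dev", "intranet"]

if __name__ == "__main__":
    resolver = make_fake_resolver(ZONE)          # swap for socket.gethostbyname to query real DNS
    print("wildcard zone:", has_wildcard("example.test", resolver))
    for name, ip in brute_force_hosts("example.test", WORDLIST, resolver):
        print(f"{name:25} {ip}")
```

Against a real server the loop should be rate-limited: a burst of NXDOMAIN responses for made-up names is a well-known sign of exactly this kind of enumeration.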
46
Q

What is Split DNS?

A

A technique used to prevent internal information from the DNS database to be leaked.

Have two DNS servers. For machines that are designed to be available on the internet (email-server, web-server), place these entries in an external DNS server.

Internal employees use an internal DNS server, which is the only one holding the internal host entries

47
Q

What is port scanning

A

Port scanning determines which TCP and UDP ports on a host are open and listening, by sending packets to various ports and working out from the responses whether a process is active on each of them.

48
Q

What is the connect scan/SYN scan?

A

A type of port scan that is based on the TCP three-way handshake.
If you get the full handshake you can be sure that the port is open.

Send SYN to the server, receive SYN/ACK and send back ACK - the port is now verified open. (TCP connect scan)

If you don't send back the final ACK, the connection is never completed, so the application never sees it and the scan may not be logged. Sending a RST to tear the connection down once the SYN/ACK is received achieves the same thing. (TCP SYN scan, also called a half-open scan)

If the server sends back RST/ACK, the port is closed.

If nothing comes back in response to the initial SYN, a firewall may be filtering the packet away.

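A connect scan against a loopback target, as an added example that is not part of the original deck. It classifies each port as open, closed or filtered from the handshake outcome, and the constructed target service records every completed connection, which is exactly the log entry a SYN (half-open) scan avoids leaving. The SYN scan itself needs raw sockets and root and is not shown.

```python
"""TCP connect scan against a loopback target, classifying each port (added example)."""
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full three-way handshake per port, which is what connect() does under the hood.
    open     -> SYN, SYN/ACK, ACK all completed
    closed   -> the SYN was answered with RST/ACK (connection refused)
    filtered -> nothing came back before the timeout, typically a firewall dropping the SYN
    A SYN (half-open) scan would instead send RST after the SYN/ACK; that needs raw sockets
    and root and is not shown here."""
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                      # includes socket.timeout / TimeoutError
            results[port] = "filtered"
        finally:
            s.close()
    return results


def start_logging_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, List[Tuple[str, int]]]:
    """Constructed target service on an ephemeral port that records every completed
    connection; this is the 'log entry' a connect scan leaves and a SYN scan avoids."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    seen: List[Tuple[str, int]] = []

    def serve() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                       # listener closed, stop the thread
            seen.append(peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, seen


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, so a scan of it yields 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo() -> Dict[str, object]:
    """Scan one open and one closed loopback port; report what the scanner and the target saw."""
    srv, seen = start_logging_listener()
    open_port = srv.getsockname()[1]
    closed_port = free_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    deadline = time.time() + 2.0
    while not seen and time.time() < deadline:
        time.sleep(0.01)
    srv.close()
    return {
        "open_port": results[open_port],
        "closed_port": results[closed_port],
        "connections_logged_by_target": len(seen),
    }


if __name__ == "__main__":
    print(run_demo())
```

"filtered" cannot be produced on loopback; against a remote host it is what you see when a firewall silently drops the SYN, and it is indistinguishable from a host that is simply down.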
49
Q

What is the TCP three way handshake?

A

The source machine first sends a packet with the SYN flag to the destination.
The destination answers with a packet carrying both the SYN and ACK flags.
The source then answers with a packet carrying the ACK flag.

50
Q

What is firewalk?

A

Tool used to determine which traffic a firewall lets through to the targets behind it.
When an IP packet's TTL expires, the router that discards it replies to the source with ICMP "time exceeded". Firewalk sends packets with a TTL one greater than the hop count to the firewall; if we receive a "time exceeded" from the hop beyond the firewall, we know the firewall is allowing that traffic through.

51
Q

What is HTTPRecon

A

Tool that looks at a web server and captures the response headers that come back.
These reveal information about the server software being run.

52
Q

What is Vega?

A

An open source tool that scans the applications running on a web server and provides information about the server, its type, what it runs on, and whether any vulnerabilities are present in the web application.

53
Q

What is Vega-scanner?

A

Scans websites recursively, building a representation of the site in a tree-like datastructure comprised of entities known as “path state nodes”. These can be files, directories, files with GET or POST parameters, etc.

54
Q

How can attackers stay anonymous?

A

By using a proxy server.
A TCP connection from your machine terminates at the proxy server. The proxy then originates a new TCP connection to the web server and carries the HTTP traffic from the proxy to the web server.
The web server only sees connections coming from the proxy

55
Q

What is IP spoofing, and why is it used?

A

IP spoofing is when someone changes the source IP address in a packet so that the packet appears to come from another machine on the network.
Because the source IP is changed, the attacker does not receive the response packet from the recipient; the response goes to the IP address the attacker put in the source field.

Attackers do this to avoid having their actions linked back to them.

56
Q

Is IP spoofing possible with TCP?

A

In general, no. The attacker will not receive the SYN/ACK (and the server's sequence number it carries), which is needed to complete the connection.

There are, however, exceptions. If the attacker can achieve a man-in-the-middle position, and so see the SYN/ACK, IP spoofing over TCP becomes possible.

57
Q

What is ingress filtering?

A

A way to protect against IP spoofing.
An organisation puts up a firewall that checks whether any packet leaving the internal network has a source IP outside the organisation's address space. If so, the firewall knows that a machine in the organisation's network has spoofed its IP address, and drops the packet.

The same check can be done by the internet service provider: the ISP checks whether a packet from a client has a source IP that falls within that client's address space.

59
Q

What is BGP filtering?

A

BGP is a routing protocol to route between autonomous systems (often internet service providers).

In BGP there is a hierarchical structure where for example a Tier 1 ISP serves Regional ISPs, and the Regional ISPs serves clients.
Each ISP advertises the IP address spaces of the clients it serves.
Using this, the Tier 1 ISP can filter away all packets whose source IP is not in the address spaces the connected regional ISPs advertise.

60
Q

What is a problem with BGP filtering happening at the Tier 1 ISP that serves regional ISPs each with multiple clients?

A

Because the Tier 1 ISP accepts source addresses from all of the regional ISP's clients, an attacker in one client's address space (say the 12.12 block) can spoof a source address belonging to another client of the same regional ISP (say 34.34.1.1). This works because the Tier 1 ISP serving the regional ISP allows both the 12.12 and the 34.34 address spaces.
In other words, neighbouring networks can still spoof one another; the filter has to sit closer to the customer to catch this.

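The two filtering points compared in code, as an added example that is not part of the original deck. The topology and the packets are constructed; the prefixes reuse the card's 12.12 and 34.34 figures, treated here as /16 blocks for illustration. The same filter function is applied once with the customer's own prefix (at the customer edge) and once with the aggregate the regional ISP advertises (at the Tier 1), which shows why the neighbour-spoofing gap exists.

```python
"""Source-address (anti-spoofing) filtering at the customer edge versus at a Tier-1 ISP
(added example; topology, packets and prefixes are constructed)."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed topology: Tier-1 ISP <- Regional ISP <- customers A and B.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "customer-A": ["12.12.0.0/16"],
    "customer-B": ["34.34.0.0/16"],
}

Packet = Dict[str, str]


def ingress_filter(allowed_prefixes: Iterable[str], packets: Iterable[Packet]) -> List[Packet]:
    """Keep only packets whose source address lies inside one of the allowed prefixes."""
    nets = [ip_network(p) for p in allowed_prefixes]
    return [pkt for pkt in packets if any(ip_address(pkt["src"]) in net for net in nets)]


def customer_edge_filter(customer: str, packets: Iterable[Packet]) -> List[Packet]:
    """Filter on the link to one customer: only that customer's own prefixes are valid sources."""
    return ingress_filter(CUSTOMER_PREFIXES[customer], packets)


def regional_advertised_prefixes() -> List[str]:
    """What the regional ISP announces upstream over BGP: the union of its customers' prefixes."""
    return [p for prefixes in CUSTOMER_PREFIXES.values() for p in prefixes]


def tier1_filter(packets: Iterable[Packet]) -> List[Packet]:
    """Filter at the Tier-1: it can only check against the aggregate the regional ISP advertised."""
    return ingress_filter(regional_advertised_prefixes(), packets)


# Constructed packets, all actually emitted by a host inside customer A.
PACKETS: List[Packet] = [
    {"src": "12.12.1.5",   "dst": "198.51.100.7"},   # genuine source
    {"src": "34.34.1.1",   "dst": "198.51.100.7"},   # spoofed as customer B, same regional ISP
    {"src": "203.0.113.9", "dst": "198.51.100.7"},   # spoofed as an unrelated network
]


def demo() -> Dict[str, List[str]]:
    """Which of the three packets survive at each filtering point."""
    return {
        "passed_at_customer_edge": [p["src"] for p in customer_edge_filter("customer-A", PACKETS)],
        "passed_at_tier1_only": [p["src"] for p in tier1_filter(PACKETS)],
    }


if __name__ == "__main__":
    for point, sources in demo().items():
        print(f"{point}: {sources}")
```

The Tier 1 catches the wholly foreign source but passes the neighbour's address; only the filter that knows the individual customer's allocation stops both.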
61
Q

How can an attacker achieve session hijacking?

A

By utilising spoofing and sniffing techniques to take control of one side of a TCP connection.

62
Q

What is Denial of Service (DoS) ?

A

Preventing a legitimate user from accessing resources and functionality that should be available to them.

63
Q

What are DoS attacks?

A

An attack in which a single attacker, often using a spoofed source IP, sends crafted packets in order to crash or overwhelm an application that is connected to the internet.

DoS can happen if an attacker sends a special packet that crashes the server, or sends a volume of packets that exceeds the server's capacity.

64
Q

What is a DDoS attack?

A

In a Distributed Denial of Service attack, an attacker organises thousands of compromised machines into a botnet, so that the flooding traffic originates from many real (unspoofed) IP sources. Spoofing is unnecessary because there are too many sources to block them individually.

65
Q

What is a Land attack?

A

The attacker sends a spoofed packet whose source and destination IP address and port are identical (the victim's own). Vulnerable Windows versions that received such a packet would bluescreen.

66
Q

What is a ping of death attack?

A

An attacker send an over-sized ping packet in order to crash the receiving machine.

67
Q

What is a Jolt2 attack?

A

The attacker sends a stream of fragments, none of them with offset 0. Trying to reassemble them consumes all of the processor's capacity.

68
Q

What is a Teardrop, Newtear, Bonk and Syndrop?

A

They are all tools that send overlapping fragmented packets to crash the target machine.

69
Q

What is a SYN flood attack?

A

An attacker, usually with spoofed source IPs, sends a multitude of SYN packets and never completes the handshakes. The server allocates memory to track each half-open connection until its backlog or memory is exhausted, at which point it can no longer accept legitimate connections (or crashes).

70
Q

How can you defend against SYN floods?

A

We can protect against it with SYN cookies.
When the server receives a SYN, it calculates a hash over the source and destination addresses and ports, a coarse timestamp and a secret value.
The server then uses this hash as its initial sequence number in the SYN/ACK response.
Because of this, the server does not have to allocate any memory to keep track of the half-open connection.

If the source is legitimate, the server receives the final ACK, recomputes the hash, and checks that the ACK number (minus one) matches, before the TCP connection is opened.

If the server never receives the ACK, nothing is lost, as the server never tracked the original SYN

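A simplified SYN cookie in working code, added here and not part of the original deck. The layout (an 8-bit time counter in the top byte, a 24-bit keyed hash in the rest) is a simplification of what real stacks do; in particular the MSS encoding that production implementations squeeze into the cookie is left out, and the addresses, ports and time values are constructed.

```python
"""Stateless SYN cookies: the server encodes a verifiable value in the SYN/ACK sequence
number instead of storing half-open connection state (added example, simplified)."""
import hashlib
import hmac
import secrets
from typing import Dict

SECRET = secrets.token_bytes(32)     # per-server secret; real stacks rotate it periodically
MASK32 = 0xFFFFFFFF


def _mac24(src: str, sport: int, dst: str, dport: int, t: int) -> int:
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: str, sport: int, dst: str, dport: int, now: int) -> int:
    """Initial sequence number for the SYN/ACK: top 8 bits carry a coarse time counter
    (e.g. one tick per 64 s), low 24 bits the MAC. Nothing is stored on the server."""
    t = now & 0xFF
    return ((t << 24) | _mac24(src, sport, dst, dport, t)) & MASK32


def check_cookie(src: str, sport: int, dst: str, dport: int, ack: int, now: int,
                 max_age: int = 2) -> bool:
    """On the final ACK, the client's ACK number is our ISN + 1; recompute and compare."""
    isn = (ack - 1) & MASK32
    t = isn >> 24
    if ((now & 0xFF) - t) & 0xFF > max_age:      # cookie too old to accept
        return False
    expected = _mac24(src, sport, dst, dport, t)
    return hmac.compare_digest(
        (isn & 0xFFFFFF).to_bytes(3, "big"), expected.to_bytes(3, "big"))


def handshake_demo() -> Dict[str, object]:
    """A flood of spoofed SYNs leaves no state behind; a legitimate client still completes
    the handshake, while forged, stale or mismatched ACKs are rejected."""
    server, port = "192.0.2.1", 443
    half_open_table: Dict[tuple, int] = {}   # stays empty: SYN cookies need no per-SYN state

    # 10k spoofed SYNs (constructed): each gets a SYN/ACK computed on the fly, nothing stored
    for i in range(10_000):
        make_cookie(f"203.0.113.{i % 254 + 1}", 1024 + i, server, port, now=100)

    # Legitimate client: sends SYN at t=100, answers the SYN/ACK with ACK = ISN + 1 at t=101
    client, cport = "198.51.100.5", 40000
    isn = make_cookie(client, cport, server, port, now=100)
    return {
        "stored_half_open_entries": len(half_open_table),
        "legit_ack_accepted": check_cookie(client, cport, server, port, isn + 1, now=101),
        "forged_ack_rejected": not check_cookie(client, cport, server, port, isn + 7, now=101),
        "stale_ack_rejected": not check_cookie(client, cport, server, port, isn + 1, now=104),
        "other_4tuple_rejected": not check_cookie(client, cport + 1, server, port, isn + 1, now=101),
    }


if __name__ == "__main__":
    for k, v in handshake_demo().items():
        print(f"{k}: {v}")
```

The price of statelessness is visible in the check: the server only learns the connection exists when the ACK arrives, so any TCP options sent in the original SYN that are not encoded into the cookie are lost.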
71
Q

What is a reflection attack?

A

Uses the same topology as a DDoS attack, with numerous resources like bots or compromised web servers.
The attacker looks for a UDP-based protocol on the internet where a small request produces a large response.
E.g. a DNS lookup, where we ask about one name but get a potentially large set of records back from the DNS server.

72
Q

What is an amplification attack?

A

Amplification attacks are attacks that amplify the traffic: the response is much larger than the request that triggered it.
The attacker spoofs their source IP address to be the victim's, so that the victim is the one receiving the (larger) responses.

73
Q

Describe a DNS amplification attack.

A

A reflection based, volumetric, DDoS attack.
The attacker leverages the functionality of open DNS resolvers in order to overwhelm the target with amplified traffic.

74
Q

What is an NTP amplification attack?

A

A reflection based, volumetric, DDoS attack.
Attacker exploits Network Time Protocol (NTP) server functionality to overwhelm the target with UDP traffic.

75
Q

What is a memcached DDoS attack?

A

Attacker spoofs requests to a vulnerable UDP memcached server, which then floods a target with internet traffic.
While the target’s internet infrastructure is overloaded, other requests won’t be able to access resources resulting in DoS.

76
Q

How can you defend against DDoS?

A
  • Don't let your systems become bots
  • Filter bad packets: if you can identify which packets are trying to overwhelm a system, filter them out
  • Build more resources than the attacker: an attacker has limited bandwidth and computing power; having more than they do can protect against an attack
  • Create a distributed infrastructure: distribute a resource that is likely to be targeted, so that there is no single point that can be overwhelmed
77
Q

What is DNS poisoning?

A

When an attacker modifies the IP address in a DNS cache entry to point to a resource they control. Can be used in phishing attacks.

Name servers do not, however, accept unsolicited replies: a record cannot simply be inserted by sending a DNS reply message.
This is because name servers use transaction IDs in DNS messages to match replies to their queries.

An attacker can instead send a reply to an outstanding request with a spoofed source IP address (that of the authoritative server). To achieve this they need to guess the request's transaction ID and beat (or prevent) the authoritative name server's answer.

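A toy stub resolver that shows the matching rule above in code, added here and not part of the original deck. Replies are accepted only if transaction ID, destination port, question and claimed source all match an outstanding query, and the first match wins. The attacker in the race enumerates every 16-bit transaction ID at one guessed port, which is enough when the resolver uses a fixed source port and hopeless when the port is randomised as well; all names, addresses and port numbers are constructed.

```python
"""Toy stub resolver: replies are matched to outstanding queries by transaction ID, source
port and question, so unsolicited replies are dropped and a spoofer must guess the ID
(added example, constructed addresses)."""
from dataclasses import dataclass
from typing import Dict, Tuple

QNAME = "www.example.test"
AUTH_IP = "192.0.2.53"          # authoritative server the resolver asked
GOOD_IP = "192.0.2.10"          # real answer
ATTACKER_IP = "203.0.113.66"    # answer the attacker wants cached


@dataclass(frozen=True)
class Reply:
    txid: int          # 16-bit transaction ID copied from the query
    dst_port: int      # the resolver's source port the reply is addressed to
    qname: str
    answer: str
    src_ip: str        # claimed source address; spoofable


class StubResolver:
    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        # (txid, our source port) -> (qname, server we asked)
        self.pending: Dict[Tuple[int, int], Tuple[str, str]] = {}

    def send_query(self, qname: str, server_ip: str, txid: int, src_port: int) -> None:
        """Record the outstanding query. A real resolver draws txid (and, since 2008, the
        source port) at random; they are parameters here so that runs are repeatable."""
        self.pending[(txid, src_port)] = (qname, server_ip)

    def on_reply(self, r: Reply) -> bool:
        """Accept a reply only if it matches a pending query; first match wins, later ones are unsolicited."""
        expected = self.pending.get((r.txid, r.dst_port))
        if expected is None or expected != (r.qname, r.src_ip):
            return False
        del self.pending[(r.txid, r.dst_port)]
        self.cache[r.qname] = r.answer
        return True


def poison_race(resolver_txid: int, resolver_port: int, attacker_port_guess: int) -> str:
    """Attacker floods a reply for every possible transaction ID at one guessed port before
    the authoritative answer arrives; returns what ends up in the cache."""
    res = StubResolver()
    res.send_query(QNAME, AUTH_IP, resolver_txid, resolver_port)
    for guess in range(1 << 16):
        res.on_reply(Reply(guess, attacker_port_guess, QNAME, ATTACKER_IP, AUTH_IP))
    # Authoritative reply arrives last; if the cache was poisoned it is now unsolicited.
    res.on_reply(Reply(resolver_txid, resolver_port, QNAME, GOOD_IP, AUTH_IP))
    return res.cache[QNAME]


if __name__ == "__main__":
    print("fixed source port 32768 :", poison_race(0xBEEF, 32768, 32768))
    print("random source port 51043:", poison_race(0xBEEF, 51043, 32768))
```

With only the 16-bit transaction ID to guess, one reply per possible ID is a small burst; adding a random source port multiplies the search space by tens of thousands, which is why source port randomisation is the standard mitigation. Real resolvers additionally reject answers for names outside the queried server's bailiwick, which this toy omits.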
78
Q

What are reverse shell attacks?

A

An attacker sends a file or a link to a victim, who then opens it. For example, a link makes the victim download software that compromises one of the applications on the target machine. Once the exploit runs, the payload is delivered and a reverse shell is initiated from the victim to the attacker.

As the target is behind a firewall, the attacker cannot connect to it directly. However, since firewalls generally allow connections from the inside to the outside, the connection can be made in that direction: the target connects to a pre-configured IP address where the attacker is listening to catch the connection.

Attackers will often use port 80, as they can usually rely on outbound traffic to it being allowed.

79
Q

What is the difference between an exploit and the payload?

A

An exploit is what will allow you to run code on a system, payload is the code itself. Payloads are often encoded so that anti-virus programs or IDS won’t detect them.

Example payload: Reverse TCP connection back to an outside system from behind a firewall.

80
Q

What are the different types of payloads?

A
  • Inline: the shellcode is delivered in one block (single stage). A disadvantage is that it might be too big to deliver in a single stage.
  • Staged: the first payload is just a small stub that then fetches the rest of the payload, which can be loaded into another memory region. This removes the problem of too little space.
  • Reverse: the payload on the exploited host connects back to the attacker. Good for hosts behind firewalls.
81
Q

What is NoNX?

A

Payloads that are designed to circumvent Data Execution Prevention (DEP)

82
Q

What is PassiveX?

A

Payloads that use an ActiveX control to create a hidden instance of Internet Explorer for outbound access.

83
Q

What is Meterpreter?

A

“Mother of all payloads”
Operates by DLL injection on Windows.
The most common payload because it is so flexible and can be paired with many different exploits.

84
Q

How are meterpreter payloads delivered?

A
  • The exploit is delivered to the system, allowing code execution (exploit + first-stage payload)
  • The first-stage payload connects back to the attacker
  • The second-stage DLL injection payload is sent
  • The attacker's handler sends the full Meterpreter server DLL
  • The client and the server now communicate
85
Q

What is pivoting?

A

When one compromised machine is used to exploit other hosts or networks.
Once an attacker owns a machine within a firewall, they can launch further attacks from the compromised machine.

86
Q

What three things can be done during Post exploitation?

A

Persistence - maintaining access
Removing forensic evidence
Exfiltration

87
Q

What is a NS record?

A

An NS record, or Name Server record, is a DNS record that contains the name of an authoritative name server for a domain or DNS zone.