Sniffing means capturing and monitoring the data packets passing through a network. A sniffer relies on a network interface with the following capabilities.
Promiscuous Mode: Enables capturing all traffic on the network interface, not just traffic intended for the sniffer.
Packet Inspection: Once captured, packets can be inspected for sensitive information.
Types of Sniffing
Passive Sniffing:
Occurs on hubs, where every frame is repeated out of all ports, so the attacker's interface sees it without doing anything.
No additional packets are sent; the attacker just listens.
Active Sniffing:
Used on switches, which forward a unicast frame only to the port where its destination MAC was learned, so the attacker sees nothing by default.
Involves injecting packets that manipulate the switch or the neighbouring hosts, using one of the following:
MAC flooding
DHCP attacks
DNS poisoning
ARP poisoning
Data Captured by Sniffing
Types of traffic captured:
SYSLOG
DNS
Web
Email, etc.
Sensitive information like usernames and passwords from protocols
HTTP
POP
IMAP
FTP
Telnet, etc.
Working of Sniffers
For networks connected via a hub, listening in is easy: the hub repeats every frame to every port, so any attached interface in promiscuous mode sees all traffic.
Switches, however, maintain a MAC (CAM) table linking each MAC address to a specific port and forward a frame only to the port of its destination, so to see other hosts' traffic the switch itself has to copy it. This is port mirroring, which Cisco calls SPAN (Switched Port Analyzer); both names refer to the same feature.
Port Mirroring: Unlike port forwarding, which redirects a flow, mirroring duplicates the frames of one or more source ports onto a monitor port for debugging or analysis; the original flow of traffic is not affected.
Hardware Protocol Analyzers
Used to capture and analyze network traffic without interference.
Advantages include mobility, flexibility, and high throughput.
Examples: Products from Keysight Technologies, RADCOM, Fluke.
SPAN Port
Used for network performance monitoring.
Copies traffic from one or more switch ports (or VLANs) to a monitor port, where a capture tool such as Wireshark records it.
In essence it follows the logic of a wiretap where you are tapped into the flow of communication
Wiretapping
Active Wiretapping: Monitors and alters communications. Example: a man-in-the-middle position obtained through ARP poisoning (covered below).
Passive Wiretapping: Monitors and records without alteration. Example is SPAN
Lawful Interception: Legal wiretapping by law enforcement agencies.
PRISM
Planning Tool for Resource Integration, Synchronization, and Management (PRISM): a US NSA program that collects communications passing through or stored on the servers of US providers, in order to identify and monitor suspicious activity.
MAC Attacks
MAC Address and CAM Table:
MAC address: 48-bit identifier of a network interface, written as six octets. It comprises two 24-bit halves, OUI and NIC-specific.
Offsets
Bits 0-23: Organizationally Unique Identifier (OUI), assigned by the IEEE to the vendor
Bits 24-47: Network Interface Controller (NIC) specific part, assigned by the vendor
Notable things
First octet, counting bits from the most significant: the 7th bit (mask 0x02) is 0 for a globally unique (universally administered) address and 1 for a locally administered one; the 8th bit (mask 0x01, the least significant) is 0 for unicast and 1 for multicast.
CAM table: Used in switches to map MAC addresses to interface ports for packet forwarding.
Content Addressable Memory (CAM) -> Works by recording MAC addresses and their associated ports.
So that entries for hosts that have moved or left do not linger, every CAM entry ages out after a set period without traffic from that MAC; the default on Cisco switches is 300 seconds.
MAC Flooding:
Floods the switch with frames carrying random, bogus source MAC addresses until the CAM table is full. The switch can then no longer learn legitimate addresses, and once the victims' existing entries age out (which is why the tool has to keep flooding) their unicast frames are flooded out of every port, so the attacker's port receives traffic meant for other hosts: the switch fails open and behaves like a hub.
Tool -> macof (part of the dsniff suite)
Switch Port Stealing (MITM Impersonation):
LAN-Only
Instead of filling the table, the attacker sends frames whose source MAC is the victim's, so the switch rewrites the victim's CAM entry to point at the attacker's port; frames addressed to the victim are then delivered to the attacker.
Attacker sends a frame
Source -> the victim's (stolen) MAC
Destination -> the attacker's own MAC, so the forged frame is not delivered to anyone else
The victim's next own frame moves the entry back to its real port, so the attacker has to keep racing, and normally forwards the captured traffic on to the victim afterwards to stay unnoticed.
Defending Against MAC Attacks
Port Security: Limits the number of MAC addresses allowed on a port and defines the action taken on a violation (on Cisco IOS: protect, restrict or shutdown, the last putting the port into err-disabled state).
Dynamic (sticky) Port Security: Instead of configuring the allowed MACs statically, the switch learns them from live traffic up to the configured maximum and then rejects any further address on that port.
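The three mechanisms above (MAC flooding, switch port stealing, and port security as the defence) all come down to how a switch learns and ages its CAM table. The following simulation is an added example, not code from the original notes: it models a learning switch with a fixed-size CAM table, the 300-second aging timer and an optional per-port MAC limit, then replays each attack against it. The port numbers, MAC addresses and the table capacity of 8 are constructed values chosen to keep the demonstration small; a real switch holds thousands of entries, which is why macof sends tens of thousands of frames.

```python
import random

CAM_AGING_SECONDS = 300   # default MAC aging time on Cisco Catalyst switches


def parse_mac(mac: str) -> dict:
    """Split a MAC into its OUI / NIC halves and decode the two flag bits of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0]
    return {
        "oui": octets[:3].hex(":"),
        "nic": octets[3:].hex(":"),
        "locally_administered": bool(first & 0x02),   # 7th bit from the MSB (U/L)
        "multicast": bool(first & 0x01),              # 8th bit, the LSB (I/G)
    }


class Switch:
    """Toy learning switch: CAM table with a capacity, an aging timer and optional port security."""

    def __init__(self, ports, capacity=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port or {}   # port -> allowed number of MACs
        self.cam = {}                                       # mac -> (port, last_seen)
        self.err_disabled = set()

    def _expire(self, now):
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t < CAM_AGING_SECONDS}

    def macs_on(self, port):
        return {m for m, (p, _) in self.cam.items() if p == port}

    def receive(self, port, src, dst, now):
        """Process one frame and return the list of ports it is forwarded out of."""
        if port in self.err_disabled:
            return []
        self._expire(now)
        limit = self.max_macs_per_port.get(port)
        if limit is not None and src not in self.macs_on(port) and len(self.macs_on(port)) >= limit:
            self.err_disabled.add(port)              # port-security violation, mode "shutdown"
            return []
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (port, now)              # learn or refresh the source MAC
        if dst in self.cam:                          # known destination: that port only
            out = self.cam[dst][0]
            return [] if out == port else [out]
        return [p for p in self.ports if p != port]  # unknown destination: flood (what macof exploits)


# Constructed lab: server on port 1, victim on port 2, attacker on port 3
SERVER, VICTIM, ATTACKER = "00:1b:21:aa:aa:01", "00:1b:21:bb:bb:02", "00:1b:21:cc:cc:03"


def random_macs(n, seed=1):
    """Random unicast source MACs, as macof generates them (seeded so the demo is repeatable)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        octets = [rng.randrange(256) for _ in range(6)]
        octets[0] &= 0xFE                            # clear the I/G bit: a valid unicast source
        out.append(":".join(f"{o:02x}" for o in octets))
    return out


def build_lab():
    sw = Switch(ports=[1, 2, 3], capacity=8)
    sw.receive(1, SERVER, VICTIM, now=0)             # server and victim talk: both MACs learned
    sw.receive(2, VICTIM, SERVER, now=0)
    return sw


def macof_demo():
    """Where does the server's frame for the victim go before, during and after a MAC flood?"""
    sw = build_lab()
    before = sw.receive(1, SERVER, VICTIM, now=1)
    for mac in random_macs(50):                      # flood: 50 frames with bogus sources
        sw.receive(3, mac, SERVER, now=10)
    cached = sw.receive(1, SERVER, VICTIM, now=20)   # victim's entry is still in the table
    for mac in random_macs(50):                      # macof keeps flooding ...
        sw.receive(3, mac, SERVER, now=350)
    after = sw.receive(1, SERVER, VICTIM, now=400)   # ... until the victim's entry has aged out
    return before, cached, after


def port_stealing_demo():
    sw = build_lab()
    sw.receive(3, VICTIM, ATTACKER, now=1)           # forged frame: src = victim's MAC, dst = attacker
    stolen = sw.receive(1, SERVER, VICTIM, now=2)    # the victim's traffic now leaves on port 3
    sw.receive(2, VICTIM, SERVER, now=3)             # the real victim talks: entry flips back to port 2
    restored = sw.receive(1, SERVER, VICTIM, now=4)
    return stolen, restored


def port_security_demo():
    """Port security with a maximum of 1 MAC on the attacker's port shuts the port on the second address."""
    sw = Switch(ports=[1, 2, 3], capacity=8, max_macs_per_port={3: 1})
    sw.receive(3, ATTACKER, SERVER, now=0)
    forwarded = [sw.receive(3, mac, SERVER, now=1) for mac in random_macs(5)]
    return 3 in sw.err_disabled, forwarded
```

macof_demo returns ([2], [2], [2, 3]): the flood alone does not expose the victim's traffic, only the flood sustained past the aging timer does. port_stealing_demo returns ([3], [2]), showing the race the attacker must keep winning, and port_security_demo returns (True, [[], [], [], [], []]) because the port is err-disabled on the first violation and every later frame is dropped.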
DHCP Attacks
DHCP Starvation:
Attacker sends a flood of DHCPDISCOVER/REQUEST messages with forged client MAC addresses, so the server leases every address in its pool to clients that do not exist.
Rogue DHCP Server:
Attacker sets up a fake DHCP server; once the legitimate server is starved, clients accept the rogue's lease, whose gateway and DNS settings point at the attacker, so their traffic is routed through it.
Defending Against DHCP Attacks
DHCP Snooping: Filters untrusted DHCP messages and maintains a binding database of legitimate DHCP transactions.
Port Security: Limits the number of MAC addresses to mitigate attacks.
ARP Poisoning -> Corrupts the ARP caches of hosts (not the switch's CAM table) so that frames for a legitimate IP are sent to the attacker's MAC. Unlike MAC flooding it does not turn the switch into a hub, but it still enables packet sniffing and interception on a switched LAN.
ARP Spoofing:
Sends forged ARP packets to associate attacker's MAC address with the IP of a legitimate user to intercept traffic intended for them.
Consequences: Enables session hijacking, data interception, man-in-the-middle attacks, and more.
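DHCP snooping and the binding database it builds are what make ARP spoofing detectable on a switch: Dynamic ARP Inspection (DAI) drops any ARP message from an untrusted port whose sender MAC/IP pair does not match a lease the real DHCP server handed out. The simulation below is an added example, not code from the notes or from any vendor. It is a simplified model: the port names, MAC and IP addresses and the DHCP rate limit of 10 messages per second are constructed, the DHCP messages are plain records rather than real packets, and the ARP check uses the frame's source MAC as the sender hardware address.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Frame:
    port: str                     # ingress switch port, e.g. "Gi0/5"
    src_mac: str
    kind: str                     # DHCP message type (DISCOVER/REQUEST/OFFER/ACK/NAK) or "ARP"
    fields: dict = field(default_factory=dict)


class SnoopingSwitch:
    """DHCP snooping + Dynamic ARP Inspection + per-port DHCP rate limiting, simplified."""

    def __init__(self, trusted_ports, dhcp_rate_limit=10, window=1.0):
        self.trusted = set(trusted_ports)        # only the port facing the legitimate DHCP server
        self.limit, self.window = dhcp_rate_limit, window
        self.recent = defaultdict(deque)         # port -> timestamps of client DHCP messages
        self.pending = {}                        # client_mac -> port of its last REQUEST
        self.bindings = {}                       # client_mac -> (ip, port): the snooping binding database
        self.err_disabled = set()

    def handle_dhcp(self, f: Frame, now: float) -> str:
        if f.port in self.err_disabled:
            return "drop: port err-disabled"
        if f.kind in ("OFFER", "ACK", "NAK"):
            if f.port not in self.trusted:       # server messages may only arrive on trusted ports
                return "drop: server message on untrusted port (rogue DHCP server)"
            if f.kind == "ACK":
                mac, ip = f.fields["client_mac"], f.fields["yiaddr"]
                if mac in self.pending:          # record the lease the real server granted
                    self.bindings[mac] = (ip, self.pending.pop(mac))
            return "forward"
        # client messages: rate-limit each untrusted port to blunt DHCP starvation
        q = self.recent[f.port]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if f.port not in self.trusted and len(q) > self.limit:
            self.err_disabled.add(f.port)
            return "drop: DHCP rate limit exceeded (starvation), port err-disabled"
        if f.kind == "REQUEST":
            self.pending[f.src_mac] = f.port
        return "forward"

    def handle_arp(self, f: Frame) -> str:
        """DAI: on untrusted ports the sender MAC/IP must match a snooping binding on that port."""
        if f.port in self.trusted:
            return "forward"
        sender_ip = f.fields["sender_ip"]
        bound = self.bindings.get(f.src_mac)
        if bound == (sender_ip, f.port):
            return "forward"
        return f"drop: ARP from {f.src_mac} claims {sender_ip} but binding is {bound}"


def demo():
    """Constructed sequence: a real lease, a rogue OFFER, a legitimate and a spoofed ARP, then starvation."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    client, server, attacker = "aa:aa:aa:00:00:01", "00:50:56:00:00:01", "de:ad:be:ef:00:01"
    log = [
        sw.handle_dhcp(Frame("Gi0/5", client, "DISCOVER"), 0.0),
        sw.handle_dhcp(Frame("Gi0/5", client, "REQUEST"), 0.1),
        sw.handle_dhcp(Frame("Gi0/1", server, "ACK", {"client_mac": client, "yiaddr": "10.0.0.50"}), 0.2),
        sw.handle_dhcp(Frame("Gi0/9", attacker, "OFFER", {"client_mac": client, "yiaddr": "10.0.0.99"}), 0.3),
        sw.handle_arp(Frame("Gi0/5", client, "ARP", {"sender_ip": "10.0.0.50"})),
        sw.handle_arp(Frame("Gi0/9", attacker, "ARP", {"sender_ip": "10.0.0.1"})),   # claims to be the gateway
    ]
    # starvation attempt: 20 DISCOVERs with forged client MACs inside one second
    verdicts = [sw.handle_dhcp(Frame("Gi0/9", f"de:ad:00:00:00:{i:02x}", "DISCOVER"), 1.0 + i / 100)
                for i in range(20)]
    log.append(f"{sum(v == 'forward' for v in verdicts)} of 20 starvation DISCOVERs forwarded")
    return log
```

Running demo() forwards the client's real lease exchange, drops the OFFER from the access port, forwards the client's ARP because it matches the binding (10.0.0.50 on Gi0/5), drops the attacker's ARP claiming the gateway address, and forwards only the first 10 starvation DISCOVERs before err-disabling the port. Note that DAI relies entirely on the binding table: hosts with static addresses need explicit ARP ACL entries or they are dropped too.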
Safe Communication: Verify requests for personal data.
Secure Online Practices: Avoid sharing sensitive information on public Wi-Fi, enable two-factor authentication, use host security tools.
Examples of Social Engineering Attacks
Phishing: Deceptive emails or websites to steal information.
Pretexting: Creating a fabricated scenario to obtain information.
Tailgating: Following someone into a restricted area.
Additional Information (Not in PPT)
Social Engineering in Cybersecurity Context:
Often the first step in larger cyber attacks.
Can lead to more significant breaches like malware deployment, ransomware attacks, and data exfiltration.
Psychological Manipulation Techniques:
Reciprocity: People tend to return favors.
Commitment: Once a person commits to something, they are more likely to follow through.
Consistency: Aligning new requests with previous actions or beliefs.
Recent Trends:
Increasing sophistication of attacks.
Use of AI and deepfakes to enhance credibility.
Targeted attacks on remote workers due to the rise of telecommuting.
Lecture 21: DoS & DDoS
DoS/DDoS
Denial of Service (DoS) Attack
Definition: An attack designed to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Goal: To deny legitimate users access to services or resources.
Methods: Overloading the system with non-legitimate requests, making it unable to respond to legitimate traffic.
Distributed Denial of Service (DDoS) Attack
Definition: An attack where multiple compromised systems attack a single target, causing a Denial of Service (DoS) for users of the targeted system.
Mechanism: Uses a botnet to generate overwhelming traffic from numerous sources.
Types of DoS Attacks
Flooding Attacks
Overwhelming a system with excessive traffic.
UDP flood, ICMP flood.
Service Flooding
Overloading a service with more events than it can handle.
Overloading an IRC server with excessive connections.
Corrupt Packet Attacks
Crashing a TCP/IP stack by sending corrupt packets.
Unexpected Interactions
Crashing a service by interacting with it in unexpected ways.
Sending unexpected inputs to a service causing it to fail.
Infinite Loops
Causing a system to hang by making it enter an infinite loop.
Sending a specific sequence of packets that trigger an infinite loop in the service.
Impact of DoS Attacks
Resource Consumption
Bandwidth, disk space, CPU time.
Physical Damage
Destruction or alteration of network components.
Data Damage
Destruction of programs and files in a computer system.
Categories of DoS/DDoS Attack Vectors
Volumetric Attacks
Definition: Exhaust bandwidth either within the target network or between the target and the rest of the Internet.
Magnitude: Measured in bits per second (bps).
Techniques:
UDP Flood Attack: Overwhelming a target with UDP packets.
ICMP Flood Attack: Overloading a target with ICMP packets.
Ping of Death (PoD) Attack: Sending a fragmented ICMP packet whose reassembled size exceeds the 65,535-byte IP maximum, overflowing the reassembly buffer of a vulnerable stack.
Smurf Attack: Sending ICMP echo requests to a network's broadcast address with the victim's spoofed source IP, so every host on that network replies to the victim.
Pulse Wave Attack: Alternating short high-volume bursts with quiet periods to exhaust mitigation capacity and bypass mitigation strategies.
SYN Flood Attack: Exploiting the TCP three-way handshake by sending SYN requests and never answering the SYN-ACK, leaving half-open connections that exhaust the listener's backlog (strictly a state-exhaustion rather than a bandwidth attack, although the slides list it here).
Countermeasures for SYN Flood Attacks
Decrease Time-Out Period: Reducing the time a half-open connection is kept before it is dropped.
SYN Cookies: Encoding the connection state in the server's initial sequence number (a keyed hash of the 4-tuple, a coarse timestamp and the MSS) so that nothing is stored until the client's ACK returns the cookie and proves the handshake completed.
SynAttackProtect: Enabling the operating system's built-in SYN-flood protection; on Windows this is the SynAttackProtect TCP/IP registry parameter, and on Linux the equivalent is the net.ipv4.tcp_syncookies sysctl.
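The SYN cookie mechanism is easier to understand in code than in prose. The implementation below is an added example written for these notes, not the Linux kernel's code, although it follows the same 32-bit layout: a 5-bit time counter in 64-second slots, a 3-bit MSS index, and a 24-bit keyed hash of the connection 4-tuple. The secret, the MSS table and the addresses are constructed; a real stack keeps a rotating secret in kernel memory.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"example-syncookie-secret"   # constructed; a real stack rotates this periodically
MSS_TABLE = (536, 1300, 1440, 1460)    # MSS values encodable in the 3-bit index
MAX_AGE_SLOTS = 1                       # accept cookies from the current and the previous 64 s slot


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the time slot (HMAC-SHA256, truncated)."""
    msg = struct.pack("!4s4sHHB", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """The ISN the server sends in its SYN-ACK instead of allocating a half-open entry."""
    t = int(now // 64) & 0x1F                                      # 5-bit counter of 64 s slots
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def verify_syn_cookie(ack, saddr, daddr, sport, dport, now):
    """On the client's ACK: return the MSS to use if the cookie is genuine and fresh, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF                                # the ACK acknowledges ISN + 1
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = ((int(now // 64) & 0x1F) - t) & 0x1F
    if age > MAX_AGE_SLOTS:
        return None                                                # stale or replayed cookie
    if h != _hash24(saddr, daddr, sport, dport, t):
        return None                                                # forged, or a different 4-tuple
    return MSS_TABLE[idx]                                          # state recovered: allocate the socket now
```

Because the server stores nothing between SYN-ACK and ACK, a flood of SYNs costs it only one hash per packet. The price is the information squeezed into 32 bits: TCP options other than the MSS are lost (which is why Linux only enables cookies once the backlog overflows), and the MSS is rounded down to a table entry, so a client advertising 1400 is told 1300.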
DDOS Detection and Countermeasures
Detection Techniques:
Identify unusual traffic patterns.
Implement rate-limiting to control traffic flow.
Use anomaly detection systems to detect deviations from normal behavior.
Deploy network traffic analysis tools to monitor real-time traffic.
Utilize signature-based detection for known attack patterns.
Implement behavioral analysis to detect abnormal user and network behavior.
Conduct regular vulnerability assessments and penetration testing.
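The first three items above (unusual traffic patterns, rate limiting, deviation from a baseline) can be shown on a few lines of flow records. The detector below is an added example, not part of the notes: it keeps a sliding-window count of bare SYNs per source and in total, so it flags both a single noisy source and a distributed flood in which every bot individually stays under the per-source limit. The log format, the thresholds (20 SYN/s per source, 100 SYN/s overall) and the two traffic scenarios are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed flow-record format: "t=<seconds> src=<ip> dst=<ip>:<port> flags=<tcp flags>"
LINE_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.:]+) flags=(?P<flags>\w+)")


class SlidingWindow:
    """Counts events per key inside a trailing time window (the core of a rate limiter)."""

    def __init__(self, window):
        self.window, self.events = window, defaultdict(deque)

    def add(self, key, t):
        q = self.events[key]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q)


def detect_syn_flood(lines, window=1.0, per_src_limit=20, global_limit=100):
    """Flag sources above per_src_limit SYN/s, and a distributed flood above global_limit SYN/s."""
    per_src, total = SlidingWindow(window), SlidingWindow(window)
    offenders, global_alert = set(), False
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":      # only bare SYNs count; an ACK means the handshake completed
            continue
        t = float(m["t"])
        if per_src.add(m["src"], t) > per_src_limit:
            offenders.add(m["src"])
        if total.add("all", t) > global_limit:
            global_alert = True
    return {"offenders": sorted(offenders), "distributed_flood": global_alert}


def scenario_single_source():
    """Five normal clients completing handshakes, then one host sending 50 SYNs in a quarter second."""
    lines = [f"t={0.1 * i:.2f} src=192.0.2.{i + 1} dst=10.0.0.5:443 flags=S" for i in range(5)]
    lines += [f"t={0.3 + 0.01 * i:.2f} src=192.0.2.{i + 1} dst=10.0.0.5:443 flags=A" for i in range(5)]
    lines += [f"t={0.5 + 0.005 * i:.3f} src=203.0.113.7 dst=10.0.0.5:443 flags=S" for i in range(50)]
    return lines


def scenario_distributed():
    """30 bot addresses, 5 SYNs each within one second: each under the per-source limit, together far over."""
    return [f"t={i / 150:.3f} src=198.51.100.{i % 30 + 1} dst=10.0.0.5:443 flags=S" for i in range(150)]
```

On scenario_single_source the detector names 203.0.113.7 and raises no global alert (55 SYNs in the window); on scenario_distributed it names nobody but raises the global alert, which is the case per-source rate limiting alone misses and where the "deviation from baseline" techniques have to take over.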
Countermeasure Strategies:
Absorb the attack:
Requires pre-planning and additional (over-provisioned) capacity.
Degrading Services:
Keep only the critical functions running until the attack has subsided.
Shutting down
Listed in the slides, but taking the service offline delivers exactly the outcome the attacker wants; treat it as a last resort to protect the host itself, not as a countermeasure.
Protect Secondary Victims:
Implement network segmentation to isolate critical systems.
Use access control lists (ACLs) to restrict traffic to and from vulnerable areas.
Ensure robust backup systems to protect data integrity.
Educate secondary victims on security best practices.
Neutralize Handlers:
Identify and disable command and control (C&C) servers used by attackers.
Use threat intelligence to update blacklists of known malicious IP addresses.
Deploy honeypots to attract and neutralize malicious traffic.
Engage with ISPs to take down malicious domains and servers.
Prevent Potential Attacks:
Apply patches and updates to all systems and applications promptly.
Implement strong authentication and authorization mechanisms.
Use encryption to protect data in transit and at rest.
Employ proactive threat hunting to identify and mitigate threats before they materialize.
Enforce strict password policies and use multi-factor authentication (MFA).
Deflect Attacks:
Use deception technologies such as honeypots and honeynets to divert attackers.
Implement load balancers to distribute traffic and reduce the impact of attacks.
Deploy cloud-based DDoS protection services.
Use network address translation (NAT) to obscure internal network structure.
Mitigate Ongoing Attacks:
Deploy an incident response team to manage and mitigate the attack.
Use firewall rules to block malicious IP addresses and domains.
Implement rate limiting and traffic shaping to control traffic flow.
Engage with law enforcement and security vendors for assistance.
Isolate affected systems to prevent the spread of the attack.
Perform Post-Attack Forensics:
Collect and analyze logs from all relevant systems.
Preserve evidence for potential legal action.
Conduct a root cause analysis to determine how the attack occurred.
Review and update security policies and procedures based on findings.
Communicate findings and lessons learned to stakeholders and improve defenses.
Incident Response Planning:
Develop and maintain an incident response plan (IRP).
Conduct regular training and simulation exercises for the incident response team.
Establish clear communication channels for incident reporting and response.
Continuous Monitoring and Improvement:
Implement continuous monitoring of networks and systems for real-time threat detection.
Use security information and event management (SIEM) systems to aggregate and analyze security data.
Regularly review and update detection and countermeasure strategies based on emerging threats and vulnerabilities.
Perform regular security audits and compliance checks.
ISP Level Protection
Collaboration: Working with ISPs to implement large-scale defenses.
Protection Tools and Techniques
Firewalls: Configuring rules to block malicious traffic.
Intrusion Detection Systems (IDS): Monitoring network traffic for suspicious activity.
Honeypots: Deploying decoy systems to attract and analyze attacks (e.g., SSHHiPot, Artillery).
Rate Limiting: Controlling the rate of incoming traffic to prevent overload.
IP Blacklisting: Blocking traffic from known malicious IP addresses.
Traffic Analysis: Analyzing traffic patterns to identify and block attacks.
Behavior-Based Detection: Identifying attacks based on anomalous behavior patterns.
Additional Information (Added)
Advanced Mitigation Techniques: Use of AI and machine learning to predict and mitigate attacks.
Cloud-Based DDoS Protection: Leveraging cloud services for scalable DDoS protection.
Legal and Ethical Considerations: Understanding the legal implications and ethical considerations of implementing certain countermeasures.
Lecture 22: IDS, IPS, Firewall Evasion
Difference between IDS, IPS, FW, NGFW
IDS (Intrusion Detection System):
Function:
Monitors network traffic for suspicious activity and potential threats.
Generates alerts when potential intrusions are detected.
Deployment:
Can be network-based (NIDS) or host-based (HIDS).
Response:
Passive: Alerts administrators but does not take action to block threats.
Advantages:
Good for detecting a wide range of threats.
Provides detailed information on potential security incidents.
Limitations:
Cannot prevent or block attacks.
Requires manual intervention to respond to threats.
IPS (Intrusion Prevention System):
Function:
Monitors network traffic for suspicious activity and potential threats.
Takes action to block or prevent identified threats in real-time.
Deployment:
Can be network-based (NIPS) or host-based (HIPS).
Response:
Active: Automatically blocks or mitigates detected threats.
Advantages:
Proactively prevents attacks from causing harm.
Provides real-time threat mitigation.
Limitations:
Can cause false positives, blocking legitimate traffic.
May impact network performance due to real-time traffic inspection.
Capabilities:
Signature-based Intrusion Detection and Prevention:
Uses predefined signatures to identify known threats.
Effective at detecting well-known attacks quickly.
Network-based Anomaly Detection:
Monitors network traffic patterns to identify deviations from normal behavior.
Detects unknown or new threats by identifying anomalous activity.
Network-based Vulnerability Assessment:
Scans the network for vulnerabilities that could be exploited by attackers.
Helps in proactively identifying and addressing security weaknesses before they can be exploited.
FW (Firewall):
Function:
Controls incoming and outgoing network traffic based on predetermined security rules.
Acts as a barrier between a trusted internal network and untrusted external networks.
Deployment:
Typically placed at the network perimeter or between network segments.
Response:
Static: Filters traffic based on rules set by administrators.
Advantages:
Provides a first line of defense against external threats.
Can block known malicious IP addresses and ports.
Limitations:
A traditional packet filter only inspects packet headers (addresses, ports, protocol and, if stateful, connection state), not the payload.
Cannot detect or prevent attacks carried inside traffic the rules allow, such as an application-layer exploit against a permitted port.
NGFW (Next-Generation Firewall):
Function:
Combines traditional firewall capabilities with advanced security features.
Inspects traffic at a deeper level, including application layer.
Deployment:
Placed at the network perimeter, similar to traditional firewalls.
Response:
Dynamic: Uses advanced techniques to detect and block threats in real-time.
Advantages:
Provides comprehensive security by combining multiple functions.
Can inspect encrypted traffic (only by terminating TLS with a certificate the clients trust, i.e. an authorised interception) and associate activity with specific users.
Limitations:
More complex to configure and manage compared to traditional firewalls.
Higher cost due to advanced capabilities and features.
Capabilities:
Application Awareness and Control:
Identifies and controls applications regardless of port, protocol, or IP address used.
Enables granular policy enforcement based on application and user.
Web Content Filtering:
Filters web traffic to block access to malicious or inappropriate websites.
Protects against web-based threats like malware and phishing.
SSL Inspection:
Inspects encrypted traffic (SSL/TLS) by acting as a man-in-the-middle with an internal CA certificate installed on the managed clients, to detect and block threats hidden within encrypted sessions.
Ensures security policies are enforced even on encrypted traffic.
User Identity Awareness:
Associates network traffic with specific users, enabling user-based policies.
Enhances visibility and control over user activity on the network.
Intrusion Detection System (IDS):
How an IDS Detects an Intrusion:
Monitors network traffic.
Identifies suspicious activities based on signatures and behavior.
General Indications of Intrusions:
Unusual login attempts.
Unauthorized file access.
Suspicious network traffic patterns.
Types of Intrusion Detection Systems:
Network-based IDS (NIDS).
Host-based IDS (HIDS).
Types of IDS Alerts:
True Positive.
False Positive.
True Negative.
False Negative.
Intrusion Prevention System (IPS):
An Intrusion Prevention System (IPS) is a proactive security measure that not only detects but also prevents malicious activities on a network.
How IPS Works:
Traffic Monitoring:
The IPS continuously monitors all network traffic, inspecting packet headers and payloads to identify potential threats.
Detection Methods:
Signature-based Detection:
Relies on a database of known threat signatures to identify and block malicious activity. This method is highly effective against known attacks but can struggle with zero-day threats.
Anomaly-based Detection:
Establishes a baseline of normal network behavior and flags deviations from this norm. This method can detect novel attacks but may produce false positives if normal behavior changes.
Policy-based Detection:
Uses predefined security policies to detect and respond to malicious activities. Policies can be based on organizational rules and compliance requirements.
Heuristic-based Detection:
Uses algorithms and heuristics to detect suspicious activities by identifying patterns that may indicate an attack.
Response Actions:
Blocking:
The IPS can block malicious traffic immediately, preventing it from reaching its intended target.
Dropping:
Malicious packets are discarded by the IPS to prevent them from causing harm.
Quarantining:
Infected devices or suspicious traffic can be isolated to prevent the spread of malware.
Alerting:
When a threat is detected, the IPS sends alerts to network administrators for further investigation.
Types of IPS:
Network-based IPS (NIPS):
Deployed at critical points in the network to inspect traffic across multiple segments.
Protects the network perimeter and internal network segments from a variety of threats.
Host-based IPS (HIPS):
Installed on individual hosts (e.g., servers, workstations).
Monitors and protects individual devices from both external and internal threats.
Provides granular control and protection for specific high-value assets.
Advantages of IPS:
Proactive Defense:
An IPS actively blocks threats, providing a proactive layer of defense.
Comprehensive Protection:
Protects against a wide range of attacks, including known and emerging threats.
Policy Enforcement:
Ensures adherence to security policies and compliance requirements.
Integration:
Can be integrated with other security solutions, such as firewalls and SIEM systems, for a comprehensive security posture.
Challenges and Limitations of IPS:
False Positives:
Incorrectly identifying legitimate traffic as malicious can disrupt business operations.
Performance Impact:
The inspection of large volumes of traffic can introduce latency and affect network performance.
Complex Configuration:
Requires skilled personnel to configure, manage, and fine-tune the system.
Evasion Techniques:
Sophisticated attackers may employ techniques to bypass IPS detection, necessitating constant updates and vigilance.
IPS Deployment Best Practices:
Proper Placement:
Position IPS devices strategically within the network to maximize coverage and effectiveness.
Regular Updates:
Keep signatures and detection rules up-to-date to defend against the latest threats.
Baseline Normal Traffic:
Establish a baseline of normal network behavior to improve the accuracy of anomaly detection.
Monitor and Tune:
Continuously monitor IPS alerts and adjust settings to minimize false positives and negatives.
Integration:
Integrate IPS with other security systems for a layered defense strategy.
Testing:
Regularly test the IPS to ensure it functions as expected and provides adequate protection.
IPS vs. IDS:
Intrusion Detection System (IDS):
Detects and alerts on potential threats but does not take action to prevent them.
Functions as a passive monitoring tool.
Intrusion Prevention System (IPS):
Actively blocks or mitigates detected threats, providing a proactive defense.
Functions as an active security measure.
Examples of IPS:
Snort:
An open-source network IPS and IDS.
Uses a rule-based language to detect and prevent network intrusions.
Suricata:
An open-source IDS, IPS, and network security monitoring engine.
Capable of real-time intrusion detection and prevention.
Cisco Firepower:
A commercial IPS solution by Cisco.
Integrates with Cisco’s security ecosystem for comprehensive threat protection.
Palo Alto Networks:
Next-generation firewalls with integrated IPS functionality.
Provides advanced threat prevention and real-time protection.
Normalize fragmented packets for proper reassembly.
Define DNS server with client resolver for routers and network devices.
Enhance security of modems, routers, and switches.
Disable switch ports associated with known attack hosts.
Conduct in-depth analysis of ambiguous network traffic.
Use TCP FIN or reset (RST) packets to terminate malicious TCP sessions.
Detect non-standard nop opcodes to defend against polymorphic shellcode.
Train users to recognize attack patterns and update systems regularly.
Deploy IDS after analyzing network topology, traffic nature, and host count.
Use traffic normalizers to remove ambiguity before packets reach IDS.
Block ICMP TTL-expired packets at external interfaces and set large TTL values, so an attacker cannot insert low-TTL packets that the IDS sees but the destination host never receives.
Regularly update antivirus signature databases.
Store attack information (IP addresses, timestamps) for future analysis.
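Two points in this lecture, the four IDS alert outcomes (true/false positive, true/false negative) and the role of packet normalization and reassembly against evasion, can be shown together on a toy signature engine. The code below is an added example, not Snort or Suricata and not code from the notes: the three signatures, the sample requests and the evasions (URL-encoded whitespace, a rule split across two TCP segments, mixed encoding of the slashes) are all constructed. It scores the same detector twice, once inspecting each segment as it arrives and once after reassembling and normalizing the stream.

```python
import re
import urllib.parse
from collections import Counter

# Constructed toy signatures; a real ruleset has thousands
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.I),
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "shell-exec": re.compile(r"/bin/sh"),
}


def reassemble(segments):
    """Rebuild a stream from TCP segments [(offset, bytes), ...]; later data wins on overlap."""
    buf = bytearray()
    for off, data in sorted(segments):
        if off > len(buf):
            buf.extend(b"\x00" * (off - len(buf)))   # hole: a real IDS waits for the gap to fill
        buf[off:off + len(data)] = data
    return bytes(buf)


def normalize(payload: bytes) -> str:
    """Traffic normalizer: undo URL encoding (bounded, against double encoding), backslashes, '/./' and '//'."""
    text = payload.decode("latin-1")
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/")
    text = re.sub(r"/\./", "/", text)
    return re.sub(r"/{2,}", "/", text)


def match(text: str):
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}


def detect(segments, normalized: bool):
    """Naive mode inspects each segment as it arrives; normalized mode reassembles and normalizes first."""
    if normalized:
        return match(normalize(reassemble(segments)))
    hits = set()
    for _, data in segments:
        hits |= match(data.decode("latin-1"))
    return hits


# Constructed labelled samples: (segments, is_attack)
SAMPLES = [
    ([(0, b"GET /index.html HTTP/1.1")], False),
    ([(0, b"GET /search?q=how%20to%20union%20select%20in%20sql")], False),   # benign text resembling SQLi
    ([(0, b"GET /p?id=1%20UNION%20SELECT%20password")], True),                # URL-encoded whitespace
    ([(0, b"GET /p?id=1 UNI"), (15, b"ON SELECT 1")], True),                   # rule split across segments
    ([(0, b"GET /../..%2f..%2fetc/passwd")], True),                            # mixed encoding of the slashes
    ([(0, b"GET /cgi-bin/a?cmd=/bin/sh")], True),
]


def evaluate(normalized: bool) -> Counter:
    """Score the detector against the labelled samples as TP / FP / TN / FN."""
    outcome = Counter()
    for segments, is_attack in SAMPLES:
        alerted = bool(detect(segments, normalized))
        outcome[{(True, True): "TP", (True, False): "FP",
                 (False, True): "FN", (False, False): "TN"}[(alerted, is_attack)]] += 1
    return outcome
```

evaluate(False) gives 1 TP, 2 TN, 3 FN and 0 FP: three of the four attacks evade a detector that looks at raw segments. evaluate(True) gives 4 TP, 1 TN, 0 FP... except that the benign search query now also fires, so the score is 4 TP, 1 TN, 1 FP, 0 FN. That trade is the practical point: normalization closes the evasions, and the false positive it introduces is the tuning work the IPS deployment best practices above are about.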
Firewall Best Practices:
Run regular risk queries to identify vulnerable firewall rules.
Filter out intruder IP addresses in firewall configuration.
Set ruleset to deny all traffic by default, enabling only required services.
Monitor and restrict user access to firewall configurations.
Notify and document firewall changes to the security policy administrator.
Use unique user IDs for firewall services instead of administrator/root IDs.
Configure and protect a remote syslog server from malicious users.
Regularly monitor firewall logs and investigate suspicious entries.
Specify source and destination IP addresses and ports.
Control physical access to the firewall.
Disable all FTP connections by default.
Take regular backups of firewall ruleset and configuration files.
Review all inbound and outbound traffic allowed through the firewall.
Schedule regular firewall security audits.
Tools for IDS/IPS and Honeypots:
HoneyBOT
MongoDB-HoneyProxy
Modern Honey Network
Honeyd
Assignment 3 + 4: Host + Port Discovery
Host Discovery
import sys
import nmap  # python-nmap: a wrapper around the nmap binary, which must be installed


def scan(nm, target, arguments=None):
    # Perform the scan (sudo: raw-packet probes such as ARP and SYN pings need root)
    nm.scan(
        hosts=target, arguments=f"{arguments} --min-rate=5000 -T5 --reason", sudo=True
    )
    # Loop through the scan results and get the status and state of each host
    hosts_list = [(x, nm[x]["status"]["state"]) for x in nm.all_hosts()]
    # if hosts_list is empty, then no hosts were discovered
    if len(hosts_list) == 0:
        print("\t[!] No hosts discovered.")
        return
    print("\t[!] Hosts discovered:")
    for host, status in hosts_list:
        # Lab heuristic: X.X.X.1 and X.X.X.254 are assumed to be routers
        if host.split(".")[-1] in ("1", "254"):
            print(f"\t\t[+] {host} is a router.")
        elif status == "up":
            # --reason makes nmap report which probe response marked the host up
            reason = nm[host]["status"]["reason"]
            print(f"\t\t[+] {host} is up ({reason})")
    print("\n")


# Host-discovery probes to run; the flag in parentheses is passed to nmap
scanName = [
    "ARP ping (-PR)",
    "ICMP Echo ping (-PE)",
    "ICMP Echo ping sweep, no port scan (-sn -PE)",
    "ICMP timestamp ping (-PP)",
    "ICMP Address Mask ping (-PM)",
    "UDP Ping (-PU)",
    "TCP SYN ping (-PS)",
    "TCP ACK ping (-PA)",
    "No ping, skip host discovery (-Pn)",
    "TCP FIN scan (-sF)",
    "TCP XMAS scan (-sX)",
    "IP Protocol ping (-PO)",
]

if __name__ == "__main__":
    # usage: sudo python3 <this file> <target>; runs every probe type in turn
    nm = nmap.PortScanner()
    target = sys.argv[1]
    for name in scanName:
        flag = name[name.rfind("(") + 1 : -1]
        print(f"[*] {name}")
        scan(nm, target, flag)
Port Discovery
import sys
import nmap  # python-nmap: a wrapper around the nmap binary, which must be installed


def scan(nm, target, argument=None):
    # Perform the scan: -F limits it to the 100 most common ports
    nm.scan(
        hosts=target,
        arguments=f"{argument} -F --min-rate=5000 -T5 --reason",
        sudo=True,
    )
    # Loop through the scan results and get the status and state of each host
    hosts_list = [(x, nm[x]["status"]["state"]) for x in nm.all_hosts()]
    # if hosts_list is empty, then no hosts were discovered
    if len(hosts_list) == 0:
        print("\t[!] No hosts discovered.")
        return
    for host, status in hosts_list:
        last_octet = host.split(".")[-1]
        # Lab convention from the notes: .1 is the default gateway and .254 is treated as
        # the broadcast address (on a /24 the real broadcast is .255); both are skipped
        if last_octet in ("1", "254"):
            continue
        if status != "up":
            continue
        reason = nm[host]["status"]["reason"]
        if reason == "localhost-response":
            continue  # the scanning machine itself
        # Get port status of the host as well
        for proto in nm[host].all_protocols():
            lport = sorted(nm[host][proto].keys())
            print(f"\t[+] {host} {proto} ports: {lport}")
            for port in lport:
                state = nm[host][proto][port]["state"]
                port_reason = nm[host][proto][port]["reason"]
                print(f"\t\t{port}/{proto}\t{state}\t({port_reason})")
    print("\n")


# Port-scan techniques to run; the flag in parentheses is passed to nmap
scanName = [
    "ICMP Ping then default scan (-PE)",
    "UDP scan (-sU)",
    "TCP Connect (-sT)",
    "TCP SYN Stealth|Half-Open (-sS)",
    "Inverse TCP NULL (-sN)",
    "Inverse TCP XMAS (-sX)",
    "Inverse TCP Maimon (-sM)",
    "ACK TTL-Based (-sA)",
    "ACK Window (-sW)",
]

if __name__ == "__main__":
    # usage: sudo python3 <this file> <target>; runs every scan type in turn
    nm = nmap.PortScanner()
    target = sys.argv[1]
    for name in scanName:
        flag = name[name.rfind("(") + 1 : -1]
        print(f"[*] {name}")
        scan(nm, target, flag)