We reviewed TCP -
TCP is a connection-oriented protocol that establishes a connection to a port on a system through a 3-way handshake. It uses flag indicators such as the following:
Flag | Description
SYN | Starts a connection between hosts.
ACK | Acknowledges the receipt of a packet.
FIN | Indicates that no additional information will be sent.
RST | Resets a connection.
URG | Flags a packet as urgent.
PSH | Directs the sending system to send buffered data.
The handshake is completed by one device sending a SYN packet; the receiving device returns a SYN/ACK, and the initiating device then returns an ACK packet to complete the process.
Port scans seek open ports on a host or server.
nmap - this is a common tool used to find open ports.
A full-connection or full-open scan completes the handshake. Open ports respond with a SYN/ACK and closed ones reply with RST. This type of scan is not used often because it leaves a trace that you were there.
A half-open scan or stealth scan sends the SYN packet to the device; the responding device sends the SYN/ACK, but the initiator never sends back the ACK. No connection is made and no security log is made.
A Xmas tree scan has all the flags turned on so that the receiving device doesn't know how to process the packet; the packet is dropped or ignored. If an RST packet is returned, the port is closed. No response can indicate that the port is potentially open.
Idle scans are when a hacker uses another system to take the blame when scanning a target machine. The system that takes the blame is the zombie machine; it is disposable and a distraction. If the zombie machine is discovered, the hacker can simply find another device and continue scanning.
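As an added example (not from the original post), here is a small Python detector that applies the flag patterns above to a constructed packet log and labels each source as a full-connect, half-open (SYN) or Xmas tree scan; the log format, addresses and port thresholds are assumptions. It also shows that, although a half-open scan never completes a connection, a packet-level log still records the bare SYNs.

```python
from collections import defaultdict

# Constructed sample log (made-up traffic): "src dst_port flags" with S=SYN, A=ACK, F=FIN, P=PSH, U=URG.
SAMPLE_LOG = """\
10.0.0.5 22 S
10.0.0.5 22 A
10.0.0.5 80 S
10.0.0.5 80 A
10.0.0.5 443 S
10.0.0.5 443 A
10.0.0.9 21 S
10.0.0.9 22 S
10.0.0.9 23 S
10.0.0.9 25 S
10.0.0.7 22 FPU
10.0.0.7 80 FPU
10.0.0.3 443 S
"""

def parse_log(text):
    """Turn 'src port flags' lines into (src, port, frozenset_of_flags)."""
    out = []
    for line in text.splitlines():
        src, port, flags = line.split()
        out.append((src, int(port), frozenset(flags)))
    return out

def classify_sources(records, port_threshold=3):
    """Label each source: 'xmas' (FIN+PSH+URG to >1 port), 'syn_half_open' (bare
    SYNs to >= threshold ports and never an ACK), 'full_connect' (SYN followed
    by ACK to >= threshold ports), otherwise 'normal'."""
    syn, ack, xmas = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, port, flags in records:
        if {"F", "P", "U"} <= flags:   # Xmas tree pattern
            xmas[src].add(port)
        elif flags == {"S"}:           # bare SYN: first step of the handshake
            syn[src].add(port)
        elif "A" in flags:             # ACK from the initiator completes it
            ack[src].add(port)
    verdict = {}
    for src in set(syn) | set(ack) | set(xmas):
        if len(xmas[src]) > 1:
            verdict[src] = "xmas"
        elif len(syn[src]) >= port_threshold and not ack[src]:
            verdict[src] = "syn_half_open"
        elif len(syn[src] & ack[src]) >= port_threshold:
            verdict[src] = "full_connect"
        else:
            verdict[src] = "normal"
    return verdict
```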
Network scans search for live devices on a network.
Types of network scans:
Wardialing - dials a large block of phone numbers and scans for devices connected via modems. Fax machines and copiers are examples of devices that may still be connected through a modem. When the scan receives a response, the connection is accepted, and this becomes the access point.
Ping - this is the most common method to scan a network. It sends ICMP messages between systems, and from this exchange you can determine whether a system is live and how fast packets travel between devices. A ping sweep scans a range of IPs for live systems. Because this type of scan is so common, these attempts are often shut down by network administrators.
Vulnerability scans locate weaknesses in systems such as open ports and points of access.
OS fingerprinting - through differences in TTL values, TCP window size, DHCP requests, ICMP requests, HTTP packets and open-port patterns, a hacker can determine the operating system of the targeted device.
Banner grabbing is another method of scanning. Banners serve as welcome screens and display information such as the software version. Hackers can find the type of OS, version number, specific service packs and ports. Hackers can use a website called Shodan to find web servers, switches and routers. Terminal commands such as nmap, telnet and netcat can be used to grab banners.
Tools that can be used:
CurrPorts, ping, hping3, Colasoft, Angry IP, SolarWinds Port Scanner, IP-Tools
NetAuditor, SolarWinds, Network Topology Manager, Scany
Evasion is crucial to a hacker to lower the chances of detection. Some of the methods include:
ACK scan - this method returns valuable information about the firewall: it can determine whether the firewall is stateful or stateless. On an unfiltered port, both open and closed ports return an RST packet. Filtered ports return error messages or no reply.
Fragmenting - a common method where a hacker sends fragmented packets so that intrusion detection systems can't determine what they are. Note that you should avoid bombarding the system, or the activity may be detected.
Spoofing IP addresses - this method recrafts a packet so that it contains a source IP address different from your own. This leaves no record of your IP address when sending requests.
Interestingly, proxy servers let hackers remain anonymous and deter detection. They are used much like zombie machines.
Suggestions to remedy or at least prepare for these types of attacks are:
1. Regularly perform vulnerability tests
2. Keep your vulnerability testing tools up to date
3. Use a variety of tools to test vulnerability
4. Remind clients that hackers could be running these tools on a regular basis
5. Prevent banner grabbing by disabling, changing or removing banners (if not all, at least some), hiding file extensions, and enabling custom error messages
The article that I found this week was on an alert from the US regarding malware attacks from North Korea. The article discussed the malware identified as being linked to the DPRK. These hacks perform ‘illegal activity, steal funds & evade sanctions’ (Balaji N). This malware targets systems and networks in the government and private sectors. At the end of the article there are security recommendations to help protect networks and devices from infection. The full article can be read here at cybersecurity news: