# Network Security 101

###### tags: `cyber security` `network security` `recon` `nmap`

## Passive Recon

We use:

* whois to query WHOIS servers
* nslookup to query DNS servers
* dig to query DNS servers
* DNSDumpster
* Shodan.io

These are all publicly available records and hence do not alert the target. Passive recon relies on publicly available knowledge which can be accessed without directly interacting with the target.

### Whois

WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests. The domain registrar is responsible for maintaining the WHOIS records for the domain names it is leasing. The WHOIS server replies with:

* Registrar: Via which registrar was the domain name registered?
* Contact info of registrant: Name, organization, address, phone, among other things (unless hidden via a privacy service).
* Creation, update, and expiration dates: When was the domain name first registered? When was it last updated? And when does it need to be renewed?
* Name Server: Which server to ask to resolve the domain name?

### nslookup vs dig

You can use

```
nslookup OPTIONS DOMAIN_NAME SERVER
```

The three main parameters are:

* OPTIONS contains the query type as shown in the table below, e.g., `-type=A` for IPv4 addresses and `-type=AAAA` for IPv6 addresses.
* DOMAIN_NAME is the domain name you are looking up.
* SERVER is the DNS server that you want to query. You can choose any local or public DNS server to query. Cloudflare offers 1.1.1.1 and 1.0.0.1, Google offers 8.8.8.8 and 8.8.4.4, and Quad9 offers 9.9.9.9 and 149.112.112.112. You can opt for others as well.
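To make the Whois section above concrete, here is an added example (not code from the original notes) of the RFC 3912 exchange itself: the client opens TCP port 43, sends the domain name followed by CRLF, and reads until the server closes the connection. So that it runs offline, a stub WHOIS server is started in a thread on localhost; the record it returns is constructed for illustration, and `whois_query` works the same way against a real registrar server on port 43.

```python
"""Added example (not from the original notes): a minimal RFC 3912 WHOIS
exchange. A stub WHOIS server runs in a thread on localhost so the exchange
works offline; its record text is constructed for illustration."""
import socket
import threading

# Constructed WHOIS record, modelled on the fields the notes list.
# Names and dates are placeholders, not real registry data.
STUB_RECORD = (
    "Domain Name: EXAMPLE.TEST\r\n"
    "Registrar: Example Registrar LLC\r\n"
    "Creation Date: 2001-01-01T00:00:00Z\r\n"
    "Updated Date: 2023-06-15T00:00:00Z\r\n"
    "Registry Expiry Date: 2026-01-01T00:00:00Z\r\n"
    "Registrant Organization: REDACTED FOR PRIVACY\r\n"
    "Name Server: NS1.EXAMPLE.TEST\r\n"
    "Name Server: NS2.EXAMPLE.TEST\r\n"
    ">>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<\r\n"
)


def run_stub_whois_server(port=0):
    """Serve one RFC 3912 request: read the query line, write the record, close.
    Returns the port the stub is listening on (0 = pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            query = b""
            while not query.endswith(b"\r\n"):      # RFC 3912: the query ends with CRLF
                chunk = conn.recv(1024)
                if not chunk:
                    return
                query += chunk
            if query.strip().decode("ascii", "replace").upper() == "EXAMPLE.TEST":
                conn.sendall(STUB_RECORD.encode("ascii"))
            else:
                conn.sendall(b"No match for the requested domain.\r\n")
        srv.close()                                  # closing signals end of reply

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def whois_query(domain, server="127.0.0.1", port=43, timeout=5.0):
    """Send `<domain>\\r\\n` to a WHOIS server and return the raw reply text.
    Real servers listen on TCP 43 and close the connection when the reply is complete."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                             # server closed: end of reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Collect `Key: value` lines into a dict; repeated keys (Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue                                 # skip the trailer and non-field lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


def demo():
    """Run the full exchange against the local stub and return the parsed record."""
    port = run_stub_whois_server()
    return parse_whois(whois_query("example.test", port=port))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parser deliberately keeps the raw `Key: value` layout rather than normalising field names: registrars differ in their labels (the notes' "Registrar", "Creation Date" and "Name Server" fields are common but not universal), so a lookup that expects one fixed schema will silently miss data from other servers.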
| Query | Result |
| :---- | ------ |
| A | IPv4 Addresses |
| AAAA | IPv6 Addresses |
| CNAME | Canonical Name |
| MX | Mail Servers |
| SOA | Start of Authority |
| TXT | TXT Records |

Dig provides more details than nslookup and its syntax is as shown below:

```
dig tryhackme.com MX
# If you want to query the 1.1.1.1 DNS server, you can execute:
dig @1.1.1.1 tryhackme.com MX
```

### dnsdumpster

Great go-to at [dnsdumpster](https://dnsdumpster.com/).

### Shodan

Great go-to at shodan.io.

## Active Recon

### Telnet

* Developed in 1969 to communicate with a remote system via CLI. Uses the telnet protocol for remote administration.
* telnet sends all the data, including usernames and passwords, in cleartext.
* Sending in cleartext makes it easy for anyone who has access to the communication channel to steal the login credentials.
* The secure alternative is the SSH (Secure SHell) protocol.

```=1
telnet [ip] [port]
GET / HTTP/1.1
host:telnet
# press enter twice
```

### nmap

Here is a link to the [nmap 101 series.](https://hackmd.io/@codeAssassin/rJIpZylCt)

* You can provide a file as input for your list of targets: `nmap -iL list_of_hosts.txt`.
* To check the list of hosts that Nmap will scan, use `nmap -sL TARGETS`; use the `-n` flag to disable DNS resolution.
* ARP has one purpose: sending a frame to the broadcast address on the network segment and asking the computer with a specific IP address to respond by providing its MAC (hardware) address.
* If you want to ping a system on the same subnet, an ARP query should precede the ICMP Echo.
* Although TCP and UDP are transport-layer protocols, for network scanning purposes a scanner can send a specially crafted packet to common TCP or UDP ports to check whether the target will respond. This method is efficient, especially when ICMP Echo is blocked.

When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:

1. When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests.
   A privileged user is root or a user who belongs to sudoers and can run sudo.
2. When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and an ICMP timestamp request.
3. When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.

To use Nmap to discover online hosts without port-scanning the live systems, you can issue `nmap -sn TARGETS`.

* ARP scan is possible only if you are on the same subnet as the target systems.
* On Ethernet (802.3) and WiFi (802.11), you need to know the MAC address of any system before you can communicate with it.
* The MAC address is necessary for the link-layer header; the header contains the source MAC address and the destination MAC address among other fields.
* To get the MAC address, the OS sends an ARP query. A host that replies to ARP queries is up. The ARP query only works if the target is on the same subnet as yourself, i.e., on the same Ethernet/WiFi.
* To perform an ARP scan without port-scanning, you can use `nmap -PR -sn TARGETS`, where `-PR` indicates that you only want an ARP scan.
* To scan for alive hosts on the subnet using ICMP, use `nmap -PE -sn MACHINE_IP/24`. This scan will send ICMP echo packets to every IP address on the subnet.
* Because ICMP echo requests tend to be blocked, consider using ICMP Timestamp or ICMP Address Mask requests to tell if a system is online.
* Nmap uses timestamp requests (ICMP Type 13) and checks whether it gets a Timestamp reply (ICMP Type 14). The `-PP` option tells Nmap to use ICMP timestamp requests. `nmap -PP -sn MACHINE_IP/24` can be used to discover alive hosts on the target subnet.
* Nmap uses address mask queries (ICMP Type 17) and checks whether it gets an address mask reply (ICMP Type 18). This scan can be enabled with the option `-PM`:
  `nmap -PM -sn MACHINE_IP/24`
* To use TCP SYN ping, you can do so via the option `-PS` followed by the port number, range, list, or a combination of them.

### arp-scan

arp-scan is a scanner built around ARP queries. `arp-scan --localnet` / `arp-scan -l` sends ARP queries to all valid IP addresses on your local networks. You can also specify the interface as such: `sudo arp-scan -I eth0 -l`; this would send ARP queries for all valid IP addresses on the eth0 interface. Note that the packet captures for arp-scan and `nmap -PR -sn` yield similar traffic patterns.

### Host discovery with TCP and UDP

#### TCP SYN scan

```=1
# To get nmap to use TCP SYN ping, use the flag -PS followed by the port number, range, list, or a combination of them.
# example: target port 21
nmap -PS21
# example: target ports 21, 22, 23, 24, and 25.
nmap -PS21-25
# example: target three ports 80, 443, and 8080.
nmap -PS80,443,8080
```

#### TCP ACK scan

```=1
# requires elevated privileges
# By default, port 80 is used.
# The syntax is similar to TCP SYN ping.
# -PA should be followed by a port number, range, list, or a combination of them.
# example: target port 21
nmap -PA21
# example: target ports 21, 22, 23, 24, and 25.
nmap -PA21-25
# example: target three ports 80, 443, and 8080
nmap -PA80,443,8080
# If no port is specified, port 80 will be used.
# to discover the online hosts on the target's subnet
sudo nmap -PA -sn MACHINE_IP/24
```

#### UDP ping

Similar to the TCP SYN and ACK pings, except that the flag used is `-PU`.

### Masscan

Masscan uses a similar approach to discover the available systems. However, to finish its network scan quickly, it is quite aggressive with the rate of packets it generates.

```=1
masscan MACHINE_IP/24 -p443
masscan MACHINE_IP/24 -p80,443
masscan MACHINE_IP/24 -p22-25
masscan MACHINE_IP/24 --top-ports 100
```

### Using Reverse DNS lookup

Use the `-R` flag to enable this.
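The ICMP-based discovery above (`-PE`, `-PP`, `-PM`) comes down to three request types and their replies. The following added example (not code from the original notes) builds and decodes those messages with the RFC 1071 one's-complement checksum, and then tallies, from a batch of captured ICMP messages, which nmap discovery flag each corresponds to. The mapping of type 8/13/17 to `-PE`/`-PP`/`-PM` is taken from the notes; all packet bytes are constructed locally and nothing is sent on the wire.

```python
"""Added example (not from the original notes): build and decode the ICMP
probes that nmap's -PE, -PP and -PM host-discovery options send, with the
RFC 1071 one's-complement checksum. All bytes are constructed locally."""
import struct

# ICMP types from the notes (RFC 792 / RFC 950)
ICMP_TYPES = {
    8: "echo request", 0: "echo reply",
    13: "timestamp request", 14: "timestamp reply",
    17: "address mask request", 18: "address mask reply",
}
# Which nmap host-discovery flag emits which request type (from the notes)
NMAP_PROBE_FLAG = {8: "-PE", 13: "-PP", 17: "-PM"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int = 0x1234, seq: int = 1, body: bytes = b"") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then the body."""
    if icmp_type == 13:                       # timestamp request: originate/receive/transmit stamps
        body = body or struct.pack("!III", 0, 0, 0)
    elif icmp_type == 17:                     # address mask request: 32-bit mask field, zero in the request
        body = body or struct.pack("!I", 0)
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; a message with a correct checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        "id": ident,
        "seq": seq,
        "checksum_ok": icmp_checksum(packet) == 0,
        "nmap_flag": NMAP_PROBE_FLAG.get(icmp_type),
    }


def summarize_probes(packets) -> dict:
    """Count well-formed discovery requests in a batch of ICMP messages (e.g. one
    capture window), keyed by the nmap flag that sends them. A burst of type 13
    or 17 requests from one source is a sweep indicator worth alerting on, since
    ordinary hosts rarely send them."""
    counts = {}
    for pkt in packets:
        info = parse_icmp(pkt)
        if info["checksum_ok"] and info["nmap_flag"]:
            counts[info["nmap_flag"]] = counts.get(info["nmap_flag"], 0) + 1
    return counts


if __name__ == "__main__":
    for t in (8, 13, 17):
        print(parse_icmp(build_icmp(t)))
    print(summarize_probes([build_icmp(8), build_icmp(13), build_icmp(13), build_icmp(17)]))
```

Because the page notes that echo requests are often blocked while timestamp and address mask requests are not, a perimeter filter that only drops type 8 still leaves `-PP` and `-PM` sweeps visible; the checksum check matters because a capture that includes truncated or corrupted messages should not inflate the counts.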
## Nmap Cheat sheet

| Scan type | flags |
| :-------- | ----- |
| ARP Scan | sudo nmap -PR -sn MACHINE_IP/24 |
| ICMP Echo Scan | sudo nmap -PE -sn MACHINE_IP/24 |
| ICMP Timestamp Scan | sudo nmap -PP -sn MACHINE_IP/24 |
| ICMP Address Mask Scan | sudo nmap -PM -sn MACHINE_IP/24 |
| TCP SYN Ping Scan | sudo nmap -PS22,80,443 -sn MACHINE_IP/30 |
| TCP ACK Ping Scan | sudo nmap -PA22,80,443 -sn MACHINE_IP/30 |
| UDP Ping Scan | sudo nmap -PU53,161,162 -sn MACHINE_IP/30 |

| flag | purpose |
| :--- | ------- |
| -n | no DNS lookup |
| -R | reverse-DNS lookup for all hosts |
| -sn | host discovery only |

## nmap basic port scans

The TCP header flags are:

1. URG: The Urgent flag indicates that the urgent pointer field is significant. The urgent pointer indicates that the incoming data is urgent, and a TCP segment with the URG flag set is processed immediately without waiting for previously sent TCP segments.
2. ACK: The Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
3. PSH: The Push flag asks TCP to pass the data to the application promptly.
4. RST: The Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear down a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
5. SYN: The Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
6. FIN: The sender has no more data to send.
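The flag combinations behind the scan types in the tables that follow (Null, FIN, Xmas, Maimon, and the custom `--scanflags` scan) are what a defender actually matches on. The added example below (not code from the original notes) decodes the six flags from a raw TCP header and labels the combinations that normal TCP stacks do not produce. The header bytes are constructed locally; the scan names and their flag sets are the ones nmap documents for `-sN`, `-sF`, `-sX` and `-sM`.

```python
"""Added example, not code from the original notes: decode the six TCP header
flags and label the flag combinations that nmap's Null, FIN, Xmas and Maimon
scans send. All header bytes are constructed locally."""
import struct

# Bit values of the flags byte (RFC 793 layout, FIN is the least significant bit)
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag sets keyed to the nmap scan that sends them. Null, FIN-only and Xmas never
# occur in a legitimate exchange, so a stateless rule can alert on them.
SCAN_SIGNATURES = {
    frozenset(): "Null scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    # FIN/ACK also closes ordinary connections: only a scan when no connection exists
    frozenset({"FIN", "ACK"}): "Maimon scan (-sM) or normal close (needs connection state)",
    frozenset(TCP_FLAG_BITS): "all flags (--scanflags URGACKPSHRSTSYNFIN)",
}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header (data offset 5, no options); checksum left 0 for illustration."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    data_offset_byte = 5 << 4            # high nibble: header length in 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flag_byte, window, 0, 0)


def parse_tcp_flags(header):
    """Return (src_port, dst_port, set of flag names) from raw TCP header bytes."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, _seq, _ack, data_offset_byte, flag_byte = struct.unpack("!HHIIBB", header[:14])
    if (data_offset_byte >> 4) < 5:
        raise ValueError("invalid TCP data offset")
    flags = {name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit}
    return src, dst, flags


def classify_probe(header):
    """Label one segment. SYN-only and ACK-only stay 'normal/other': the -sS, -sT
    and -sA probes look like ordinary traffic, so they need rate and connection
    context rather than a flag rule."""
    src, dst, flags = parse_tcp_flags(header)
    label = SCAN_SIGNATURES.get(frozenset(flags), "normal/other")
    return {"src_port": src, "dst_port": dst, "flags": sorted(flags), "label": label}


def triage(headers):
    """Count scan signatures across a batch of headers, e.g. one capture window."""
    counts = {}
    for h in headers:
        label = classify_probe(h)["label"]
        if label != "normal/other":
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for flags in (set(), {"FIN"}, {"FIN", "PSH", "URG"}, {"SYN"}, {"SYN", "ACK"}):
        print(classify_probe(build_tcp_header(40000, 22, flags)))
```

The Maimon entry is the caveat worth remembering: FIN/ACK is how every ordinary connection is torn down, so it can only be called a scan by a stateful sensor that knows no such connection exists, and the same holds for the SYN and ACK probes of `-sS` and `-sA`.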
| Port scan type | example command |
| :------------- | --------------- |
| TCP connect scan | nmap -sT ip |
| TCP SYN scan | nmap -sS ip |
| UDP scan | nmap -sU ip |

| flag | purpose |
| :--- | ------- |
| -p- | all ports |
| -p1-1023 | ports 1 to 1023 inclusive |
| -F | 100 most common ports |
| -r | scan ports in consecutive order |
| -T<0-5> | paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5) |
| --max-rate 50 | rate <= 50 packets/sec |
| --min-rate 15 | rate >= 15 packets/sec |
| --min-parallelism 100 | at least 100 probes in parallel |

## nmap Advanced port scans

| Scan type | Command |
| :-------- | ------- |
| TCP Null Scan | sudo nmap -sN [ip] |
| TCP FIN Scan | sudo nmap -sF [ip] |
| TCP Xmas Scan | sudo nmap -sX [ip] |
| TCP Maimon Scan | sudo nmap -sM [ip] |
| TCP ACK Scan | sudo nmap -sA [ip] |
| TCP Window Scan | sudo nmap -sW [ip] |
| Custom TCP Scan | sudo nmap --scanflags URGACKPSHRSTSYNFIN [ip] |
| Spoofed Source IP | sudo nmap -S SPOOFED_IP [ip] |
| Spoofed MAC Address | --spoof-mac SPOOFED_MAC |
| Decoy Scan | nmap -D DECOY_IP,ME 10.10.96.13 |
| Idle (Zombie) Scan | sudo nmap -sI ZOMBIE_IP 10.10.96.13 |
| Fragment IP data into 8 bytes | -f |
| Fragment IP data into 16 bytes | -ff |

| option | purpose |
| :----- | ------- |
| --source-port PORT_NUM | specify source port number |
| --data-length NUM | append random data to reach given length |
| --reason | explains how Nmap made its conclusion |
| -v | verbose |
| -vv | very verbose |
| -d | debugging |
| -dd | detailed debugging |

## nmap reports

| options | meaning |
| :------ | ------- |
| -sV | determine service/version info on open ports |
| -sV --version-light | try the most likely probes (2) |
| -sV --version-all | try all available probes (9) |
| -O | detect OS |
| --traceroute | run traceroute to target |
| --script=SCRIPTS | Nmap scripts to run |
| -sC or --script=default | run default scripts |
| -A | equivalent to -sV -O -sC --traceroute |
| -oN | save output in normal format |
| -oG | save output in grepable format |
| -oX | save output in XML format |
| -oA | save output in normal, XML and grepable formats |

### script types

| script category | description |
| :-------------- | ----------- |
| auth | Authentication related scripts |
| broadcast | Discover hosts by sending broadcast messages |
| brute | Performs brute-force password auditing against logins |
| default | Default scripts, same as -sC |
| discovery | Retrieve accessible information, such as database tables and DNS names |
| dos | Detects servers vulnerable to Denial of Service (DoS) |
| exploit | Attempts to exploit various vulnerable services |
| external | Checks using a third-party service, such as Geoplugin and Virustotal |
| fuzzer | Launch fuzzing attacks |
| intrusive | Intrusive scripts such as brute-force attacks and exploitation |
| malware | Scans for backdoors |
| safe | Safe scripts that won't crash the target |
| version | Retrieve service versions |
| vuln | Checks for vulnerabilities or exploit vulnerable services |

## Protocols and servers

| Protocol | TCP port | Applications | Data security |
| :------- | -------- | ------------ | ------------- |
| FTP | 21 | file transfer | clear text |
| HTTP | 80 | www | clear text |
| IMAP | 143 | Email MDA | clear text |
| POP3 | 110 | Email MDA | clear text |
| SMTP | 25 | Email MTA | clear text |
| Telnet | 23 | remote access | clear text |

Servers implementing these protocols are subject to different kinds of attacks. To name a few, consider:

* Sniffing Attack (Network Packet Capture)
* Man-in-the-Middle (MITM) Attack
* Password Attack (Authentication Attack)
* Vulnerabilities

### Sniffing Attack

For capturing network packets consider:

1. Tcpdump - a free open source command-line interface (CLI) program that has been ported to work on many operating systems.
2. Wireshark - a free open source graphical user interface (GUI) program available for several operating systems, including Linux, macOS and MS Windows.
3. Tshark - a CLI alternative to Wireshark.

### MITM

For MITM consider:

* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)

* MITM can also affect other cleartext protocols such as FTP, SMTP, and POP3.
* Mitigation against this attack requires the use of cryptography.
* The solution lies in proper authentication along with encryption or signing of the exchanged messages.
* Transport Layer Security (TLS) protects from MITM attacks with the help of Public Key Infrastructure (PKI) and trusted root certificates.

### TLS

SSL (Secure Sockets Layer) started when the world wide web started to see new applications, such as online shopping and sending payment information. Netscape introduced SSL in 1994, with SSL 3.0 being released in 1996. But eventually, more security was needed, and the TLS (Transport Layer Security) protocol was introduced in 1999. They fit into the Presentation Layer of the OSI model. An existing cleartext protocol can be upgraded to use encryption via SSL/TLS.

| Protocol | default port | secured protocol | secured port |
| :------- | ------------ | ---------------- | ------------ |
| HTTP | 80 | HTTPS | 443 |
| FTP | 23 | FTPS | 990 |
| SMTP | 25 | SMTPS | 465 |
| POP3 | 110 | POP3S | 995 |
| IMAP | 143 | IMAPS | 993 |

* Consider the case of HTTP. Initially, to retrieve a web page over HTTP, the web browser would need to perform at least the following two steps:
  * Establish a TCP connection with the remote web server
  * Send HTTP requests to the web server, such as GET and POST requests.
* HTTPS requires an additional step to encrypt the traffic. The new step takes place after establishing a TCP connection and before sending HTTP requests. This extra step can be inferred from the ISO/OSI model in the image presented earlier.
Consequently, HTTPS requires at least the following three steps:

1. Establish a TCP connection
2. Establish an SSL/TLS connection
3. Send HTTP requests to the web server

To establish an SSL/TLS connection, the client needs to perform the proper handshake with the server as shown below, based on [RFC 6101](https://datatracker.ietf.org/doc/html/rfc6101):

```sequence
client -> server : ClientHello
server -> client : ServerHello, Certificate, ServerKeyExchange,\n CertificateRequest, ServerHelloDone
client -> server : Certificate, ClientKeyExchange,\n CertificateVerify, [ChangeCipherSpec], Finished
server -> client : [ChangeCipherSpec], Finished
```

### Hydra

| Option | Explanation |
| :----- | ----------- |
| -l [username] | username |
| -P [path] | path to wordlist |
| server service | set server address and service to attack |
| -s [port] | use in case of non-default service port # |
| -v or -vv | show username and password attempts |
| -d | display debugging output |
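Going back to the nmap reports section: the grepable (`-oG`) format is the one most people end up scripting against, and a typical defensive use is to turn a scan of your own range into a list of hosts still exposing the cleartext services from the Protocols and servers table. The following added example (not code from the original notes or from the nmap project) parses `-oG` output and reports open FTP, Telnet, SMTP, HTTP, POP3 and IMAP ports. The scan text is constructed to match the `-oG` layout (tab-separated `Host:`, `Ports:` and `Ignored State:` fields); it is not a real scan.

```python
"""Added example (not from the original notes): parse nmap -oG (grepable) output
and flag hosts exposing the cleartext protocols listed in the notes.
The sample output below is constructed, not a real scan."""
import re

# Cleartext TCP services from the notes' protocol table
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Constructed -oG text: fields are tab-separated, each port is
# port/state/protocol/owner/service/rpc info/version/
SAMPLE_GREPABLE = """# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 10.10.0.0/29
Host: 10.10.0.2 (gw.lab)\tStatus: Up
Host: 10.10.0.2 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.10.0.3 ()\tStatus: Up
Host: 10.10.0.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: filtered (997)
Host: 10.10.0.4 ()\tStatus: Down
# Nmap done: 8 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": str|None,
                    "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                  # skip '# Nmap ...' comment lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for spec in value.split(", "):
                    parts = spec.split("/")
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def cleartext_exposure(hosts):
    """List (ip, port, protocol name) for every open cleartext service found."""
    findings = []
    for ip, entry in hosts.items():
        for port, state, proto, _service, _version in entry["ports"]:
            if state == "open" and proto == "tcp" and port in CLEARTEXT_PORTS:
                findings.append((ip, port, CLEARTEXT_PORTS[port]))
    return findings


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    for ip, port, name in cleartext_exposure(parsed):
        print(f"{ip}:{port} exposes {name} in clear text")
```

Only TCP ports in the `open` state count; a `closed` or `filtered` entry in the `Ports:` field (or in the `Ignored State` summary) is not an exposure, which is why the state and protocol columns are checked rather than just the port number.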