Security engineering based on gracenolan notes, part 2


From the Oscakampala open source cyber security branch.


Welcome back. Let's seize the moment!

Let's look at firewalls.

What are firewalls?

  • A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules and policies. The main purpose of a firewall is to prevent unauthorized access to or from a private network and to block malicious or unwanted traffic. Firewalls can be hardware-based or software-based and are commonly used to protect networks connected to the internet.

Rules to prevent incoming and outgoing connections:

Firewall rules are used to control incoming and outgoing network traffic based on predefined criteria such as IP address, port number, protocol, and other parameters. These rules can be used to:

  • Block incoming traffic from certain IP addresses or ranges.

  • Allow incoming traffic only from specific IP addresses or ranges.

  • Block incoming traffic on certain ports.

  • Allow incoming traffic only on specific ports.

  • Block outgoing traffic to certain IP addresses or ranges.

  • Allow outgoing traffic only to specific IP addresses or ranges.

  • Block outgoing traffic on certain ports.

  • Allow outgoing traffic only on specific ports.

  • Inspect and filter traffic based on protocol, such as HTTP or HTTPS.

  • Inspect and filter traffic based on application layer data, such as file types or keywords.

    The rules are applied to the firewall in a specific order, and the firewall evaluates each packet of incoming and outgoing network traffic against the rules in that order. The first rule that matches decides what happens to the packet, such as allowing or blocking it, so the order in which rules are added matters; a packet that matches no rule falls through to the firewall's default policy.

The specific code for configuring firewall rules will depend on the software or hardware firewall you are using. Here are some examples of firewall rule configurations for different platforms:

iptables (Linux):

iptables -A INPUT -s 192.168.1.0/24 -j DROP

This command will block all incoming traffic from the IP address range 192.168.1.0 to 192.168.1.255.

iptables -A OUTPUT -d 10.0.0.0/8 -j DROP

This command will block all outgoing traffic to the IP address range 10.0.0.0 to 10.255.255.255.

Windows Firewall (Windows):

netsh advfirewall firewall add rule name="Block incoming traffic from 192.168.1.0/24" dir=in remoteip=192.168.1.0/24 action=block

This command will block all incoming traffic from the IP address range 192.168.1.0 to 192.168.1.255.

netsh advfirewall firewall add rule name="Allow outgoing traffic to 10.0.0.0/8" dir=out remoteip=10.0.0.0/8 action=allow

This command will allow all outgoing traffic to the IP address range 10.0.0.0 to 10.255.255.255.

pf (FreeBSD, OpenBSD):

block in quick on $ext_if from 192.168.1.0/24

This rule will block all incoming traffic on the external interface ($ext_if is a macro holding the interface name) from the IP address range 192.168.1.0 to 192.168.1.255.

block out quick on $ext_if to 10.0.0.0/8

This rule will block all outgoing traffic on the external interface to the IP address range 10.0.0.0 to 10.255.255.255.

Note:

Please note that the above commands are examples and might not work in your specific environment.
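As an added example (not code from the page or from the gracenolan notes), the following Python model shows first-match evaluation: the page's two drop rules (INPUT from 192.168.1.0/24, OUTPUT to 10.0.0.0/8) are combined with a narrower ACCEPT, and the same rules added in a different order give a different decision for the same packet. The sample packets and the ACCEPT rule are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One filter rule, modelled on an iptables rule appended with -A."""
    chain: str                   # "INPUT" or "OUTPUT"
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # source CIDR (-s); None matches any address
    dst: Optional[str] = None    # destination CIDR (-d); None matches any address
    proto: Optional[str] = None  # "tcp" / "udp" (-p); None matches any protocol
    dport: Optional[int] = None  # destination port (--dport); None matches any port

    def matches(self, pkt: dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def evaluate(rules, chain, pkt, policy="DROP"):
    """First-match evaluation: walk the chain in order and return the action of
    the first rule that matches; a packet matching no rule gets the default policy."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.action
    return policy

# Constructed sample packets (not from the page).
SSH_FROM_ADMIN = {"src": "192.168.1.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 22}
SSH_FROM_OTHER = {"src": "192.168.1.77", "dst": "10.0.0.5", "proto": "tcp", "dport": 22}
DNS_OUT = {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53}

# Order A: the narrow ACCEPT is appended before the broad DROP.
ORDER_A = [
    Rule("INPUT", "ACCEPT", src="192.168.1.10/32", proto="tcp", dport=22),
    Rule("INPUT", "DROP", src="192.168.1.0/24"),   # iptables -A INPUT -s 192.168.1.0/24 -j DROP
    Rule("OUTPUT", "DROP", dst="10.0.0.0/8"),       # iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
]
# Order B: the same three rules, but the broad DROP was appended first.
ORDER_B = [ORDER_A[1], ORDER_A[0], ORDER_A[2]]

def decisions(rules):
    """Decision for each sample packet under a given rule order (default policy ACCEPT)."""
    return {
        "ssh_from_admin": evaluate(rules, "INPUT", SSH_FROM_ADMIN, policy="ACCEPT"),
        "ssh_from_other": evaluate(rules, "INPUT", SSH_FROM_OTHER, policy="ACCEPT"),
        "dns_out": evaluate(rules, "OUTPUT", DNS_OUT, policy="ACCEPT"),
    }

if __name__ == "__main__":
    for label, rules in (("ACCEPT before DROP", ORDER_A), ("DROP before ACCEPT", ORDER_B)):
        print(label, decisions(rules))
```

Note that the page's OUTPUT rule also drops the DNS query to 10.0.0.53, which is the kind of side effect a broad range block has on legitimate internal services.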

That's it for firewalls. Let's dive into NAT (Network Address Translation).

NAT (Network Address Translation):

  • is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used for ease of rerouting traffic in IP networks without readdressing every host.

  • NAT operates on a router, usually connecting two networks, and translates the private (not globally unique) addresses in the internal network into legal addresses, e.g. Internet Protocol (IP) addresses, on the external network (the Internet). This allows computers on a private network to communicate with the Internet as if they had a globally unique IP address, while still maintaining the benefits of a private network (for example, security, addressing, and so on).

  • NAT is typically used to allow multiple hosts on a private network to access the Internet using a single public IP address, which is typically assigned by an Internet Service Provider (ISP) to the router. This is often used in home and small office networks, where obtaining a block of public IP addresses would be impractical or too costly.

  • NAT can also be used for other purposes, such as load balancing or connecting multiple networks. Additionally, NAT can be implemented on a host, rather than a router, allowing a single host to communicate with the Internet using a different IP address than its own.

  • IPv4 and IPv6 are the two versions of Internet Protocol (IP) in use today.

    IPv4, the first version of IP, was first implemented in the early 1980s and has a 32-bit address space, which allows for a total of about 4.3 billion unique addresses. This address space is rapidly being exhausted as more and more devices are connected to the Internet. To solve this problem, IPv6 was developed, which has a 128-bit address space, allowing for a total of about 3.4 x 10^38 unique addresses.

  • One of the main differences between IPv4 and IPv6 is the size of the addresses. IPv4 addresses are 32 bits long, written in dot-decimal notation (for example, 192.168.1.1), while IPv6 addresses are 128 bits long, written in hexadecimal notation (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  • This larger address space in IPv6 allows for many more unique addresses and eliminates the need for NAT (Network Address Translation) which is used to map multiple private IP addresses to a single public IP address.

    Another difference is that IPv6 uses a simplified header format compared to IPv4. This allows for faster packet processing and more efficient routing. IPv6 also has built-in support for IPsec (Internet Protocol Security), which is an optional feature in IPv4. IPv6 also includes support for multicast (one-to-many) and anycast (one-to-nearest) addressing, which allows for more efficient communication in certain situations.

  • In summary, IPv4 and IPv6 are different versions of the Internet Protocol. IPv4, the first version, has a 32-bit address space which is becoming scarce; IPv6 was developed as a solution to this problem, with a 128-bit address space, a simplified header format and built-in support for IPsec, multicast and anycast addressing.

DNS:

  • DNS (Domain Name System) is a hierarchical, decentralized system for naming and addressing Internet resources. It is used to translate human-friendly domain names, such as www.example.com, into IP addresses that machines can understand, such as 192.0.2.1. This makes it easier for users to access Internet resources, as they can remember and type in domain names instead of IP addresses.

  • DNS is organized into a hierarchical tree-like structure, with the root of the tree at the top. The root is the highest-level domain and is not associated with any specific organization or country. It has a number of top-level domains (TLDs) such as .com, .org, .edu, .gov, and country-code TLDs (ccTLDs) such as .us, .uk, .fr, etc. Each TLD is managed by a separate organization, known as a registry.

  • Underneath the TLDs, there are second-level domains, such as example.com. These are typically registered by organizations or individuals and can be further divided into subdomains, such as www.example.com.

    The process of resolving a domain name to an IP address is handled by DNS servers, which are responsible for maintaining a database of domain names and their corresponding IP addresses. When a user requests a specific domain name, their computer sends a query to a DNS server, which then looks up the IP address associated with that domain name and returns it to the user's computer.

  • DNS is a critical infrastructure for the internet and it's usually used for name resolution for websites, email and other services. Without DNS, users would have to manually enter IP addresses every time they wanted to access a website or other online resource, which would be impractical and time-consuming.

DNS port (53):

  • The number 53 refers to the port number used by the Domain Name System (DNS) protocol. DNS uses the User Datagram Protocol (UDP) on port 53 to serve DNS queries. When a computer needs to resolve a hostname to an IP address, it sends a DNS query to a DNS server on port 53. The DNS server then responds with the requested IP address or with a referral to another DNS server that may have more information.

  • Port 53 is a well-known port, meaning it is the standard port assigned to DNS that clients and servers are expected to use. As such, firewalls and other security devices are often configured to allow traffic to and from this port, which is also one reason DNS is attractive as a covert channel (see DNS exfiltration below).

  • It's important to note that DNS can also use TCP port 53 when the response size is too large to fit in a single UDP packet and the client supports TCP.

    Since DNS is a fundamental infrastructure for the internet, it is important to have DNS servers running on port 53, to ensure that domain names can be resolved to IP addresses and internet services can be accessed.

Note:

Requests to DNS are usually UDP unless the server gives a redirect notice asking for a TCP connection. Look-up in the cache happens first. DNS exfiltration. Using raw IP addresses means no DNS logs, but there are HTTP logs. DNS sinkholes.

DNS requests are usually sent using the User Datagram Protocol (UDP) on port 53, but in some cases, if the DNS server responds with a "Truncated" flag, indicating that the response is too large to fit in a single UDP packet, the client may switch to using the Transmission Control Protocol (TCP) on port 53 to continue the transaction.

When a DNS query is made, the client will first check its local cache to see if it already has the requested information. If the information is not in the cache, the client will send a query to a DNS server. The DNS server will then check its cache and, if necessary, will forward the query to other DNS servers until it gets a response.

DNS exfiltration is a technique used to covertly exfiltrate data from a network by encoding it in DNS queries and responses. This can be done by using a domain name that looks like a normal domain name but is controlled by the attacker. The attacker can then use this domain name to send and receive data in a way that is difficult to detect.

Using raw IP addresses instead of domain names to access websites or other online resources can help evade detection by DNS logs. However, it is important to note that there are other types of logs, such as HTTP logs, that can still be used to track activity.

DNS sinkholes, also known as blackholes, are a security measure used to block access to malicious or unwanted domain names by redirecting DNS queries for those domain names to a non-existent IP address. This effectively prevents the client from reaching the domain name and can be used to block access to phishing sites, malware-hosting sites, and other types of malicious domains.

In a reverse DNS lookup, a PTR record name might be 2.152.80.208.in-addr.arpa, which maps to 208.80.152.2. DNS lookups start at the end of the name and work backwards, which is why the IP address appears reversed in the PTR name.

A reverse DNS lookup, also known as a PTR (pointer) record lookup, is the process of looking up the hostname associated with a given IP address. The PTR record is used to map an IP address to a hostname and is stored in a special domain called in-addr.arpa.

In a reverse DNS lookup, the IP address is reversed and appended with "in-addr.arpa" to form the domain name used in the lookup. For example, a reverse DNS lookup for the IP address 208.80.152.2 would use the domain name 2.152.80.208.in-addr.arpa.

The reason the IP address is reversed in PTR is because the in-addr.arpa domain is organized hierarchically, with the octets of the IP address being used to form the labels of the domain name in reverse order. This allows the DNS system to perform lookups in a hierarchical manner, starting at the root of the tree and working down to the specific PTR record.

It's important to note that not all IP addresses have a corresponding PTR record and a reverse DNS lookup may return a negative response.
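The reversal described above, as an added example that is not part of the original notes: it builds the PTR query name for an address and parses a PTR name back into the address, and it also generalises to IPv6, where the 32 hex nibbles are reversed under ip6.arpa. Only the Python standard library is used; the sample addresses are the page's 208.80.152.2 plus a documentation-range IPv6 address.

```python
import ipaddress

def reverse_pointer_name(ip: str) -> str:
    """Build the PTR query name for an address: the octets reversed under
    in-addr.arpa for IPv4, the 32 hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)           # raises ValueError on junk input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # keeps leading zeros: exactly 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def address_from_pointer_name(name: str) -> str:
    """Parse a PTR owner name back into the address it refers to.
    Raises ValueError for names outside in-addr.arpa / ip6.arpa, for the
    wrong number of labels, or for labels that are not valid octets/nibbles."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError("IPv4 PTR name needs exactly four octet labels: " + name)
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("IPv6 PTR name needs exactly 32 single-nibble labels: " + name)
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError("not a reverse-lookup name: " + name)

if __name__ == "__main__":
    for ip in ("208.80.152.2", "2001:db8::1"):
        name = reverse_pointer_name(ip)
        print(ip, "->", name, "->", address_from_pointer_name(name))
```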

DNS exfiltration:

  • DNS exfiltration is a technique used to covertly exfiltrate data from a network by encoding it in DNS queries and responses. One way this can be done is by sending data as subdomains of a domain name controlled by the attacker. For example, an attacker could encode data in a subdomain such as 26856485f6476a567567c6576e678.badguy.com. This can be difficult to detect as it does not show up in HTTP logs and may not be flagged as suspicious by security systems that are not specifically looking for this type of activity.

  • Another way to do this could be by using a domain name that looks like a normal domain name but is controlled by the attacker. The attacker can then use this domain name to send and receive data in a way that is difficult to detect.

  • It's important to note that DNS exfiltration requires a good understanding of the DNS protocol and the ability to encode and decode data in a way that is not easily detectable. It is a well-known technique used by attackers to evade detection, which is why defenders should expect it.

  • It is important to have good security systems and monitoring in place to detect and prevent this type of attack, such as using software that can detect abnormal DNS traffic. Additionally, keeping the DNS servers and the software up-to-date and patching vulnerabilities promptly is also important.
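The "software that can detect abnormal DNS traffic" mentioned above, as an added example that is not part of the original notes: a small detector run over constructed resolver log lines (client, query name, type) that flags base domains receiving many distinct, long, high-entropy leftmost labels, the shape the page's 26856485f6476a567567c6576e678.badguy.com example has. The log format, thresholds and the two-label base-domain rule are assumptions for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs ("client qname qtype"); the
# badguy.com names imitate the page's long hex subdomain example.
SAMPLE_LOG = """\
10.0.0.21 www.example.com A
10.0.0.21 mail.example.com MX
10.0.0.21 26856485f6476a567567c6576e678.badguy.com TXT
10.0.0.21 9a1c4e7ff02b3d6a8c5e1f2b3d4c5a6e.badguy.com TXT
10.0.0.21 4f6e2d1c0b9a8877665544332211ffee.badguy.com TXT
10.0.0.21 aabbccddeeff00112233445566778899.badguy.com TXT
10.0.0.22 cdn.example.com A
10.0.0.22 static.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Parse 'client qname qtype' lines into (client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                        # skip malformed lines instead of crashing
        client, qname, qtype = parts
        rows.append((client, qname.lower().rstrip("."), qtype))
    return rows

def base_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain. A real
    # detector would use the public suffix list (co.uk and similar have more).
    return ".".join(qname.split(".")[-2:])

def detect_exfil(rows, min_label_len=20, min_entropy=2.5, min_unique=3):
    """Flag base domains that receive at least min_unique distinct queries whose
    leftmost label is long and high-entropy: data smuggled out as subdomains."""
    subs = defaultdict(set)
    clients = defaultdict(set)
    for client, qname, _ in rows:
        base = base_domain(qname)
        if qname == base:
            continue
        subs[base].add(qname[: -len(base) - 1])   # everything left of the base domain
        clients[base].add(client)
    findings = {}
    for base, names in subs.items():
        first_labels = [n.split(".")[0] for n in names]
        random_labels = [l for l in first_labels
                         if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(random_labels) >= min_unique:
            findings[base] = {
                "suspicious_queries": len(random_labels),
                "mean_entropy": round(sum(map(shannon_entropy, random_labels)) / len(random_labels), 2),
                "clients": sorted(clients[base]),
            }
    return findings

if __name__ == "__main__":
    for base, info in detect_exfil(parse_log(SAMPLE_LOG)).items():
        print(base, info)
```

In production the same statistics would be computed per client and per time window, and the unique-subdomain count is usually the stronger signal than entropy alone, since legitimate CDNs also use long hashed hostnames.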

DNS configs:

  • Start of Authority (SOA).

  • IP addresses (A and AAAA).

  • SMTP mail exchangers (MX).

  • Name servers (NS).

  • Pointers for reverse DNS lookups (PTR).

  • Domain name aliases (CNAME).

These are several types of DNS records used to configure and manage a domain name:

  1. Start of Authority (SOA) - This record is used to define the primary DNS server for a domain, as well as other information such as the administrative contact and the serial number of the zone file.

  2. IP addresses (A and AAAA) - These records are used to map a hostname to an IPv4 or IPv6 address respectively.

  3. SMTP mail exchangers (MX) - These records are used to identify the mail servers for a domain so that email can be delivered to the correct server.

  4. Name servers (NS) - These records are used to identify the DNS servers that are responsible for a domain so that DNS queries can be forwarded to the correct server.

  5. Pointers for reverse DNS lookups (PTR) - These records are used to map an IP address to a hostname in a reverse DNS lookup.

  6. Domain name aliases (CNAME) - These records are used to create an alias for a hostname so that multiple hostnames can resolve to the same IP address.

These are the most common DNS configurations, but there are other types of records as well, such as SRV, TXT and others that can be used for specific purposes.

It is important to note that DNS configurations can be complex and require a good understanding of the DNS protocol and the specific needs of the domain. Misconfiguring DNS records can cause problems such as email delivery failures, web server failures, or even complete loss of internet access.

ARP (Address Resolution Protocol):

  • is a protocol used to map a network layer protocol address (such as an IP address) to a link layer (MAC) address on a local network. ARP is used to determine the link-layer (MAC) address corresponding to a given network-layer (IP) address, and it is typically used when a host wants to communicate with another host on a LAN.

  • When a host wants to communicate with another host on a LAN, it needs to know the MAC address of the destination host. It does this by broadcasting an ARP request message, which contains the IP address of the destination host, to all devices on the LAN. The device with the matching IP address responds with its MAC address, which is then used by the sender to send the data.

  • It's important to note that ARP is a broadcast protocol and it is not authenticated, which means that it can be subject to ARP spoofing attacks, where an attacker sends fake ARP messages to map its own MAC address to the IP address of another device on the network, allowing the attacker to intercept and possibly modify network traffic. To prevent this, techniques such as static ARP entries, ARP protection and DHCP snooping can be used.

DHCP (Dynamic Host Configuration Protocol):

  • is a network protocol used to dynamically assign IP addresses, subnet masks, default gateways, and other network configuration parameters to devices on a network. It operates over UDP (User Datagram Protocol) on ports 67 and 68. DHCP allows devices to automatically obtain IP addresses and other network configuration information, eliminating the need for manual configuration.

  • When a device wants to obtain an IP address, it sends a broadcast message called DHCPDISCOVER to the network, asking for an available IP address. The DHCP server, which is typically a router or a dedicated DHCP server, receives the DHCPDISCOVER message and responds with a DHCPOFFER message, which contains an available IP address and other network configuration information.

  • The device then sends a DHCPREQUEST message to the DHCP server, requesting the offered IP address. The DHCP server then sends a DHCPACK message to the device, confirming that the IP address has been assigned to the device.

  • It's important to note that DHCP also has several other message types like DHCPNAK, DHCPRELEASE, DHCPINFORM, and DHCPFORCERENEW which are used for specific purposes like indicating that an IP address is not available, releasing an IP address or renewing an IP address.

  • DHCP is widely used in networks to automatically configure IP addresses for devices, which is useful for networks that have a high turnover of devices or for devices that are not easily configured manually. However, DHCP can also be subject to DHCP spoofing attacks, where an attacker sends fake DHCPOFFER messages to assign a rogue IP address to a device, which can be mitigated by using DHCP snooping.
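The DORA exchange above, together with the DHCP snooping and ARP spoofing mitigation mentioned in the ARP section, as one added example that is not part of the original notes: a hypothetical switch model with trusted and untrusted ports that drops server messages (DHCPOFFER/DHCPACK/DHCPNAK) and mismatched chaddr arriving on untrusted ports, records confirmed leases in a binding table, and then validates ARP replies against those bindings (the idea behind dynamic ARP inspection). Port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}           # only servers legitimately send these
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM"}

@dataclass
class DhcpMsg:
    kind: str                 # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, ...
    in_port: str              # switch port the frame arrived on
    src_mac: str              # Ethernet source address of the frame
    client_mac: str           # chaddr field inside the DHCP payload
    yiaddr: str = "0.0.0.0"   # address being offered / assigned
    server_id: str = ""       # DHCP server identifier

@dataclass
class ArpReply:
    in_port: str
    sender_ip: str
    sender_mac: str

@dataclass
class SnoopingSwitch:
    """Hypothetical switch: DHCP snooping builds a MAC -> (IP, port) binding
    table, and ARP inspection validates ARP replies against it."""
    trusted_ports: Set[str]
    client_ports: Dict[str, str] = field(default_factory=dict)
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)

    def handle_dhcp(self, msg: DhcpMsg) -> bool:
        """Forward or drop a DHCP message; returns True if forwarded."""
        if msg.in_port not in self.trusted_ports:
            if msg.kind in SERVER_MSGS:         # rogue server on an access port
                self.dropped.append(f"{msg.kind} from server {msg.server_id} on untrusted {msg.in_port}")
                return False
            if msg.src_mac != msg.client_mac:   # chaddr does not match the frame's source MAC
                self.dropped.append(f"{msg.kind} with spoofed chaddr {msg.client_mac} on {msg.in_port}")
                return False
        if msg.kind == "DHCPRELEASE":
            self.bindings.pop(msg.client_mac, None)
        elif msg.kind in CLIENT_MSGS:
            self.client_ports[msg.client_mac] = msg.in_port
        elif msg.kind == "DHCPACK":             # lease confirmed: record the binding
            self.bindings[msg.client_mac] = (msg.yiaddr, self.client_ports.get(msg.client_mac, "?"))
        return True

    def inspect_arp(self, reply: ArpReply) -> bool:
        """Dynamic ARP inspection: on untrusted ports a reply is forwarded only
        if the snooping table binds that MAC to that IP on that port."""
        if reply.in_port in self.trusted_ports:
            return True
        if self.bindings.get(reply.sender_mac) == (reply.sender_ip, reply.in_port):
            return True
        self.dropped.append(f"ARP {reply.sender_ip} is-at {reply.sender_mac} on {reply.in_port} has no binding")
        return False

def run_exchange():
    """Constructed scenario: a legitimate DORA exchange, a rogue DHCPOFFER,
    a DISCOVER with spoofed chaddr, and a spoofed ARP reply for the gateway."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})   # Gi0/1 is the uplink to the real DHCP server
    client, srv_mac = "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
    legit, rogue = "10.0.0.1", "10.0.0.66"
    dhcp_steps = [
        DhcpMsg("DHCPDISCOVER", "Gi0/5", client, client),
        DhcpMsg("DHCPOFFER", "Gi0/7", "de:ad:be:ef:00:66", client, "10.0.0.200", rogue),
        DhcpMsg("DHCPOFFER", "Gi0/1", srv_mac, client, "10.0.0.50", legit),
        DhcpMsg("DHCPREQUEST", "Gi0/5", client, client, "10.0.0.50", legit),
        DhcpMsg("DHCPACK", "Gi0/1", srv_mac, client, "10.0.0.50", legit),
        DhcpMsg("DHCPDISCOVER", "Gi0/9", "de:ad:be:ef:00:99", "aa:bb:cc:00:00:02"),
    ]
    arp_steps = [
        ArpReply("Gi0/5", "10.0.0.50", client),              # matches its lease: forwarded
        ArpReply("Gi0/7", "10.0.0.1", "de:ad:be:ef:00:66"),  # claims the gateway's IP: dropped
    ]
    dhcp_result = [sw.handle_dhcp(m) for m in dhcp_steps]
    arp_result = [sw.inspect_arp(r) for r in arp_steps]
    return sw, dhcp_result, arp_result

if __name__ == "__main__":
    sw, d, a = run_exchange()
    print("dhcp forwarded:", d, "arp forwarded:", a)
    print("bindings:", sw.bindings)
    for line in sw.dropped:
        print("DROP:", line)
```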

Multiplex:

  • Multiplexing is the process of simultaneously transmitting multiple signals over a single communication channel. There are several types of multiplexing techniques, including:

    1. Time-division multiplexing (TDM) - In TDM, each signal is assigned a specific time slot within a larger time frame, and the time slots are used to transmit each signal in turn. This allows multiple signals to be transmitted over a single channel, by effectively "sharing" the channel over time.

    2. Frequency-division multiplexing (FDM) - In FDM, each signal is assigned a specific frequency band within a larger frequency range, and the frequency bands are used to transmit each signal simultaneously. This allows multiple signals to be transmitted over a single channel, by effectively "sharing" the channel over frequency.

    3. Statistical multiplexing - In statistical multiplexing, the channel capacity is adaptively shared among multiple signals, based on the instantaneous demand of each signal. This allows the channel to be used more efficiently, as the capacity is allocated to the signals that need it most.

    4. Code-division multiplexing (CDM) - In CDM, each signal is assigned a unique code and all signals are transmitted simultaneously over the same channel by using the unique codes to distinguish the signals from one another.

These are the most common types of multiplexing, but there are other types as well. It's important to note that multiplexing can be useful in a variety of contexts, such as telecommunications, computer networks, and other applications where multiple signals need to be transmitted over a single channel.

Traceroute:

  • Traceroute is a network troubleshooting tool used to trace the path that a packet takes from the source to the destination and to identify bottlenecks or failures along the way. Depending on the implementation it sends ICMP Echo Request (ping), UDP or TCP SYN probes and measures the time it takes each hop (router) to respond. It works by manipulating the hop-limit, or Time-to-Live (TTL), field in the IP header, which controls how many hops a packet can make before it is discarded. The operating system's default initial TTL is typically 64 on *nix systems and 128 on Windows.

Nmap:

  • Nmap is a network discovery and security auditing tool that can be used to identify hosts and services on a computer network and discover vulnerabilities. It can be used to scan a single host, a range of IP addresses, or an entire network. It can be used to identify open ports on a host and to determine the operating system and version of the host. It can also be used to discover vulnerabilities and conduct security assessments.

Intercepts (PitM - Person in the middle):

  • A "man-in-the-middle" (MitM) attack is a type of cyberattack where an attacker intercepts and alters the communication between two parties. This can be done by intercepting traffic between a client and a server, by intercepting DNS lookups, or by using other methods. To mitigate MitM attacks, it is important to use encryption and to use PKI (Public Key Infrastructure) to authenticate the identity of the parties involved in the communication.

VPN:

  • A Virtual Private Network (VPN) allows users to securely connect to a private network over the internet. VPNs use encryption and authentication to secure the connection and protect the data being transmitted. While VPNs can be used to protect traffic from being seen by the ISP, it is important to note that the traffic is still visible to the VPN provider.

Tor:

  • Tor (The Onion Router) is a network that is designed to provide anonymity and privacy to its users. It uses a system of relays to route traffic through multiple layers of encryption, making it difficult to trace the origin of the traffic. While Tor can make it difficult for investigators to find individuals on the network, they may still be able to identify the individual by analyzing other factors such as the timing, location, and type of traffic being sent.

Proxy:

  • A proxy is a server that acts as an intermediary between a client and a server. Proxies can be used to improve security and privacy, but they are not foolproof solutions. Using multiple proxies, or "chaining" them, will not necessarily provide more security or privacy. It is also important to note that the traffic is still visible to the proxy server.

BGP:

  • Border Gateway Protocol (BGP) is a protocol that is used to exchange routing information between routers in a network. BGP is used to connect different networks and is a crucial protocol that helps to hold the internet together.

Network traffic tools:

  • Wireshark, tcpdump, and Burp Suite are all tools that can be used to analyze and capture network traffic. Wireshark is a popular tool that allows you to capture, analyze and filter network traffic. tcpdump is a command-line tool used to capture and analyze network packets. Burp Suite is a tool used for web application security testing; it contains a proxy, spider and scanner.

HTTP/S:

  • HTTP (Hypertext Transfer Protocol) is a protocol that is used to transfer data over the internet. HTTPS (HTTP Secure) is an extension of HTTP that uses SSL/TLS to encrypt the data being transmitted; it uses port 443.

SSL/TLS: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

  • are protocols that are used to encrypt the data being transmitted over a network. They are commonly used to secure web traffic, email and other types of internet communication. It's important to understand the various algorithms and protocols used in SSL/TLS, including handshakes, encryption, signing, certificate authorities, and trust systems. There are many known vulnerabilities in SSL/TLS, like POODLE, BEAST, CRIME, BREACH, and HEARTBLEED, that have been discovered and patched over the years.

TCP/UDP:

  • TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are transport layer protocols that are used to transmit data over a network. TCP is a connection-oriented protocol that guarantees the delivery of data by retransmitting lost packets, while UDP is a connectionless protocol that does not guarantee delivery. Web traffic, chat, VoIP, and traceroute are examples of applications that use TCP or UDP. Streaming applications can slow down network connections that use TCP.

ICMP:

  • ICMP stands for Internet Control Message Protocol, and it is used by network devices to report errors and exchange diagnostic messages. The most common ICMP-based utilities are ping and traceroute. Ping is a utility used to check if a specific IP address is reachable. Traceroute is a utility used to trace the path that a packet takes to reach a destination.

Mail:

  • SMTP (Simple Mail Transfer Protocol) is used for sending emails; it uses ports 25, 587 and 465. IMAP (Internet Message Access Protocol) is used for accessing emails on a server; it uses ports 143 and 993. POP3 (Post Office Protocol version 3) is used for retrieving emails from a server; it uses ports 110 and 995.

SSH:

  • SSH (Secure Shell) is a protocol that is used to securely log into remote computers. SSH uses port 22 and it uses asymmetric encryption to exchange a symmetric key.

Telnet:

  • Telnet is a protocol that allows remote communication with hosts. It uses ports 23 and 992. Telnet transmits data in clear text, so it is not secure.

ARP:

  • ARP is the Address Resolution Protocol. It is used to map an IP address to a MAC address on a LAN. When a device wants to communicate with another device on the LAN, it will first check its ARP cache to see if it already knows the MAC address associated with the IP address. If it doesn't, it will broadcast an ARP request packet asking "Who has IP address X? Tell Y" where X is the IP address it is trying to reach and Y is its own IP address. The device with IP address X will respond with its MAC address, and the sender will then update its ARP cache with this information.

DHCP:

  • DHCP (Dynamic Host Configuration Protocol) is used to dynamically assign IP addresses to devices on a network. DHCP uses UDP ports 67 and 68 for IPv4 (server and client respectively) and ports 546 and 547 for DHCPv6 (client and server respectively). DHCP can be configured to assign addresses automatically, leasing IP addresses to devices and remembering the MAC-to-IP pairing in a table, or addresses can be assigned manually, where static IP addresses are set by an administrator.

IRC:

  • IRC (Internet Relay Chat) is a protocol for real-time text communication. It has also been used by attackers as a command-and-control channel for botnets, which are networks of infected computers that are controlled remotely.

FTP/SFTP:

  • FTP (File Transfer Protocol) is used to transfer files between computers. It uses port 21. SFTP (SSH File Transfer Protocol) is a separate protocol that provides a secure way to transfer files over an SSH connection. It uses port 22, the same port as SSH.

HTTP headers are a part of the HTTP request and response that provide additional information about the request or response. They contain various information, such as the type of request (verb), the requested path, the HTTP version, the domain, the accepted language, the accepted character set, the accepted encoding, the connection status (close or keep-alive), the referrer, the return address and the expected size. These headers are used by servers and clients to understand the request and provide the appropriate response. They are also used by web developers to optimize the performance of their web pages and by security professionals to detect and prevent attacks.

Broadcast domains refer to the area of a network where broadcast traffic can be heard by all devices. Collision domains refer to the area of a network where a collision can occur, such as on a shared Ethernet network.

A root store is a collection of trusted root certificates used to verify the authenticity of digital certificates used in SSL/TLS connections.

CAM table overflow occurs when a switch's Content Addressable Memory (CAM) table reaches its maximum capacity and can no longer store new MAC addresses. This can cause issues with network connectivity and is typically resolved by upgrading the switch or increasing its CAM table size. Because many switches flood frames for unknown destinations out of every port once the table is full, limiting the number of MAC addresses learned per port (port security) is the usual defence against the table being filled deliberately.


Well, here we are. Finally done with networking. I encourage you to read deeply to understand networking before jumping to the next part.

In the next article, we are going to dive into web applications.

The Gracenolan notes
