- Typical problems that are exploited in the TCP/IP protocol suite are IP address spoofing, TCP sequence number prediction, port scanning, and DoS.
- [**5.1** Introduction](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/1)
- [**5.2** Address Resolution Protocol](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/2)
- EtherType 0x0806 in the Ethernet header identifies ARP
- ARP operates between OSI layers 2 and 3
- [**5.3** Legacy TCP/IP Vulnerabilities](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/3)
- rlogin and the other r-utilities send everything, including credentials, in plaintext
- [**5.4** IP Vulnerabilities](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/4)
- Trinoo, TFN, TFN2K, and Stacheldraht are DDoS tools
- Teardrop is a DoS tool
- Smurf abuses broadcast responses (spoofed-source echo requests to a broadcast address)
- [**5.5** ICMP Vulnerabilities](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/5)
- A ToS byte of 0xC0 in ping responses indicates Linux, as does a TTL of 64 instead of 128.
- A probe with the Do Not Fragment (DF) bit set elicits an ICMP port unreachable
- ICMP redirect can be abused for MITM
- ICMP Router Discovery (RD) can be abused for DoS by planting bad entries in the routing table
- Firewalk increases the TTL by one per hop: an ICMP unreachable comes back if the packet is forwarded through the firewall, otherwise no response
- [**5.6** TCP Vulnerabilities](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/6)
- SYN flood, session hijacking, and reset vulnerabilities
- SYN flood variants: direct; spoofed (SYNs from source addresses that never reply to the SYN-ACKs); distributed direct (which can also spoof from different address ranges)
- A firewall in front of a direct attacker blocks the SYN-ACK, so the target's connection data structure stays half-open
- If attackers manage to predict the ISN, they can actually send the last ACK data packet to the server, spoofing as the original host, and then hijack the TCP connection.
- Non-blind hijacking can see the traffic; blind hijacking cannot (ISNs range from 1-4 million, so the attacker would need some other accurate way of predicting them)
- Tools that can be used to perform session hijacking attacks include Juggernaut, Hunt, TTY Watcher, and T-Sight.
- The TCP reset attack, also known as forged TCP reset or spoofed TCP reset packet, is a technique of maliciously killing TCP communications between two hosts. A TCP connection is terminated by using the FIN bit in the TCP flags or by using the RST bit. The regular way that a TCP connection is torn down is by using the FIN bit in the TCP flags.
- An attacker could spoof the server and send RSTs as a DoS. RSTs are also used by an IPS to stop communications.
- [**5.7** UDP Vulnerabilities](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/7)
- Most UDP attacks are resource starvation.
- Software, such as Low Orbit Ion Cannon and UDP Unicorn, can be used to perform UDP flooding attacks.
- When an instance receives a keepalive packet with the value of 0x0A on UDP port 1434, it generates and returns to the sender a keepalive packet with the same 0x0A value. If the first keepalive packet has been spoofed to appear to come from another SQL Server system's UDP port 1434, both servers will continually send packets with the value of 0x0A to each other, generating a packet storm that continues until one of the servers is brought offline or rebooted.
- SNMP is UDP based and can be exploited, as can DNS, TFTP, and gaming protocols.
- [**5.8** Attack Surface and Attack Vectors](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/8)
- Recon, known vulnerabilities, SQLi, phishing, APT, malware, weak authentication
- [**5.9** Reconnaissance Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/9)
- Nessus, OpenVAS (vulnerability scanners); Shodan, Nmap, fping, Wireshark, Ettercap, NetworkMiner
- VLANs, private VLANs (hosts on the same VLAN can't talk to each other)
- [**5.10** Access Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/10)
- ncrack, aircrack-ng, John the Ripper, RainbowCrack, Medusa, crunch, CeWL
- Filter unwanted ranges with ACLs: for example, do not allow any inbound traffic sourced from 10.x.x.x if the internal network is 10.x.x.x. Also MFA, WPA2, IDS/IPS, strong password generators, AAA
- [**5.11** Man-in-the-Middle Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/11)
- Gratuitous ARP is used to update the victim's MAC mapping. Cleartext protocols like Telnet and HTTP are especially vulnerable. Common tools are Ettercap and dsniff.
- Prevention: Dynamic ARP Inspection and IP spoofing detection, plus DHCP snooping, so that devices are not able to come onto the network, pretend to be someone else, and inject themselves into our conversations.
- Examples of OSI layer MITM attacks include the following:
- **Physical layer:** Tap someone's physical connection and send all packets to the MITM
- **Data link layer:** Use ARP poisoning to cause victims to send all their packets to the MITM
- **Network layer:** Manipulate packet routing to route all the packets to the MITM
- **Session layer:** The SSL/TLS MITM decrypts, examines, then re-encrypts the HTTP over SSL/TLS traffic. For this attack to work, the victim's web browser must trust the certificate presented by the SSL/TLS MITM, which can be caused by first injecting some malware into the victim's web browser.
- **Application layer:** Banking site lookalikes.
- ARP poisoning; ICMP redirect spoofed as coming from the router
- DNS poisoning
- DHCP DoS and false responses
- [**5.12** Denial of Service and Distributed Denial of Service](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/12)
- DarkSeoul, Ping of Death (fragment offset exceeds the allocated buffer; IPv4 and IPv6), CryptoLocker on network drives
- DoS is sometimes used as a distraction. Wipers can be timed.
- [**5.13** Reflection and Amplification Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/13)
- **no ip directed-broadcast** is the default on Cisco routers to stop Smurf
- Reflection (mirroring) is when the source IP is spoofed to the victim's address so the return traffic overwhelms it
- Difficult to trace because the spoofed address is the one being attacked.
- DNS amplification uses open resolvers; NTP amplification uses monlist, which returns far more data than the request.
- [**5.14** Spoofing Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/14)
- Snort, arpwatch, and Cisco Firepower can detect spoofing
- IP, MAC, and application spoofing are the types. Application spoofing example: a rogue DHCP server
- Which type of attack forces a machine to respond to a SYN message by sending a packet to itself on the same port it received the SYN? Land attack.
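As an added example (not from the course or these notes), a small Python check run over constructed packet summaries that flags three of the spoofing patterns in these notes: the Land pattern, inbound traffic claiming the internal 10.x source range (the ACL rule under Access Attacks), and an ICMP echo request to a directed-broadcast address (Smurf). The packet dict layout and the 10.0.0.0/8 and 10.1.1.0/24 ranges are assumptions.

```python
import ipaddress

# Assumed ranges for the example: the internal network and one subnet
# whose directed-broadcast address should never receive echo requests.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROTECTED_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]


def check_packet(pkt, inbound):
    """Return the list of alert names raised by one packet summary.

    pkt keys (assumed layout): src, dst, proto ("tcp"/"udp"/"icmp"),
    sport, dport, flags (set of TCP flag letters), icmp_type.
    inbound is True when the packet arrived on the external interface.
    """
    alerts = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    # Land attack: a SYN whose source and destination address and port match,
    # so the victim would answer itself.
    if (pkt["proto"] == "tcp" and "S" in pkt.get("flags", set())
            and src == dst and pkt.get("sport") == pkt.get("dport")):
        alerts.append("land")

    # Anti-spoofing ACL from the notes: traffic entering from outside must
    # not claim an internal source address.
    if inbound and src in INTERNAL_NET:
        alerts.append("spoofed-internal-source")

    # Smurf pattern: ICMP echo request (type 8) aimed at a directed-broadcast
    # address, which every host on that subnet would answer.
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        if any(dst == net.broadcast_address for net in PROTECTED_SUBNETS):
            alerts.append("directed-broadcast-echo")
    return alerts


# Constructed sample packets: (summary, inbound)
SAMPLES = [
    ({"src": "10.1.1.5", "dst": "10.1.1.5", "proto": "tcp",
      "sport": 80, "dport": 80, "flags": {"S"}}, True),            # Land from outside
    ({"src": "10.1.1.9", "dst": "10.1.1.255", "proto": "icmp",
      "icmp_type": 8}, True),                                       # Smurf, victim 10.1.1.9
    ({"src": "198.51.100.7", "dst": "10.1.1.20", "proto": "tcp",
      "sport": 51000, "dport": 443, "flags": {"S"}}, True),         # normal inbound SYN
    ({"src": "10.1.1.20", "dst": "198.51.100.7", "proto": "icmp",
      "icmp_type": 8}, False),                                      # normal outbound ping
]


def scan(samples=SAMPLES):
    """Run check_packet over every sample; returns one alert list per packet."""
    return [check_packet(pkt, inbound) for pkt, inbound in samples]
```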
- [**5.15** DHCP Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/15)
- DHCP starvation with spoofed MACs exhausts the pool, so users get a 169.254.x.x address and no response from the DHCP server.
- DHCP spoofing: a rogue server responds to broadcasts before the real server, and the default gateway it hands out is the MITM, which forwards the traffic.
- Defenses are DHCP snooping and IP Source Guard, plus rate limiting against starvation
- [**5.16** Explore TCP/IP Attacks](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/pages/16)
- TCP window size can be used to fingerprint the OS
- Nping can SYN scan, like Sysinternals
- IP Personality and Stealth Patch can obfuscate active fingerprinting
- **arpspoof -t target defgateway**
- **sysctl -w net.ipv4.ip_forward=1**
- **dsniff -c**
- [**5.17** Summary Challenge](https://ondemandelearning.cisco.com/cisco/cbrops10/sections/5/assessments/1)