rest of ch03

2024-12-27 16:18:35 +01:00 · 2024-12-27 16:18:35 +01:00 · a6b2734b12
parent a8e8bfa879
commit a6b2734b12
4 changed files with 158 additions and 16 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,8 @@
-*.pdf
+*
 !*.md
 !img/
 !img/**
 !Makefile
 !.gitignore
 !*.yml
--- a/03_scanning.md
+++ b/03_scanning.md
@ -10,6 +10,14 @@
 ## Network tracing
 * discover routes that packets take between systems
    * allows constructing network diagrams
 * sends ICMP/UDP/TCP packets with varying TTL
 * requires routers to properly report dropped packets
    * often disabled for performance/security reasons
 * `traceroute` useful tool
 * web-based [tools](https://tools.keycdn.com/traceroute) also available
 ### IPv4 and IPv6
 * important IPv4 headers
@ -21,23 +29,11 @@
    * simpler than IPv4
-![IPv4 diagram](./img/ch03/ipv4_diagram.png)
+![IPv4 diagram](./img/ch03/ipv4_diagram.png) ![IPv6
-![IPv6 diagram](./img/ch03/ipv6_diagram.png)
+diagram](./img/ch03/ipv6_diagram.png)
 ### tracing
 * discover routes that packets take between systems
    * allows constructing network diagrams
 * sends ICMP/UDP/TCP packets with varying TTL
 * requires routers to properly report dropped packets
    * often disabled for performance/security reasons
 * `traceroute` useful tool
 * web-based [tools](https://tools.keycdn.com/traceroute) also available
 ## Scanning
 * Nmap does it all
 ### TCP
 * 16-bit ports
@ -97,3 +93,140 @@
 * traceroute
 * redirect messages expose network topology
 * ICMP address mask requests: determine subnet used by target host
 ### Nmap
 * port scanner and all-in toolkit
 * important tool when performing scanning
 * TCP port scanning
    * connect scan
        * complete 3-way handshake
        * can run without root
        * not stealthy (connections can be logged)
        * doesn't use nmap to craft packets
    * syn scan/half-open scan
        * runs as root
        * only send initial SYN and listen for response
        * detectable by firewall/NIDS
    * ACK scan
    * playing with control bits
        * FIN scan: FIN bit of all packets set
        * NULL scan: all bits set to 0
        * Xmas tree scan: FIN, PSH, URG set
        * Maimon scan: FIN and ACK set
 * UDP scanning
    * scans specific UDP ports
    * sends protocol-specific messages to well-known ports
 * firewall spotting
    * generate packets with invalid TCP or UDP checksum
    * targets will drop these
    * firewalls don't always check checksum and will send a RESET/ICMP port
      unreachable instead
    * allows detecting firewalls
    * can also look for varying TTL values
        * TTL on firewall RESET message will be higher as the firewall is
          closer
 * full support for IPv6
 * OS fingerprinting
    * detect quirks of protocol behaviors for OS versions
    * **active**: send special packets to detect behavior
    * **passive**: observe patterns of network traffic (stealthy but less
      accurate)
 * version scanning
    * detect versions of services running on host
    * send packets to specific service types that reveal version information
    * useful for crafting exploits
 ### Other stuff
 * automated monitoring
    * running nmap using cron can reveal changes in network
    * tools like [masscan](https://github.com/robertdavidgraham/masscan) well
      suited for this
    * monitoring web applications also important
        * [HTTPScreenshot](https://github.com/breenmachine/httpscreenshot):
          take screenshots of websites
        * [EyeWitness](https://github.com/RedSiege/EyeWitness): screenshots of
          webpages, RDP and VNC servers, tries to login with default
          credentials
 * scanning cloud infrastructure
    * lots of cloud usage
    * companies often don't configure cloud service correctly
    * very large IP addresses to search through
    * use tools like [Shodan](https://www.shodan.io/) or
      [Censys](https://search.censys.io/)
        * automatically perform scans that can be accessed online
        * allow monitoring target without direct contact
 * badly configured S3
    * buckets that allow writing without authorisation
    * subdomain takeover allows attacker to take over bucket URL
 * packet crafting
    * sometimes very specific/controlled packets are required
    * tools like [Scapy](https://scapy.net/) allow crafting packets for various
      protocols
        * Python tool
        * provides REPL to forge, send and receive packets
 ## Vulnerability scanning
 * process used to identify security weaknesses and vulnerabilities in a system,
  network or application
  * involves using automated tools to scan systems for known vulnerabilities
    and weaknesses
  * critical component of a robust cybersecurity strategy
  * automated scanning allows detecting problems before they're possibly
    exploited
 * key aspects
    * **goal**: identify and address security flaws before they're exploited
    * **scan types**
        * network scanning
        * web app scanning
        * host scanning
    * **process**
        1. discovery: identify all relevant devices, systems and applications
        2. scanning: use automated tools to scan targets for known
            vulnerabilities
        3. analysis: analyse results for vulnerabilities and prioritize them
        4. reporting: generate report detailing results
    * **frequency**: how often to perform scans
    * **compliance**: many regulatory standards require regular vulnerability scanning
 ### Methods
 * Nmap Scripting Engine (NSE)
    * allows extending nmap with Lua scripts
    * greatly broadens scope of nmap
    * nmap comes with a ton of ready-to-use scripts
    * perfect for vulnerability scanning
 * [Tenable](https://www.tenable.com/) Nessus
    * modern vulnerability scanner
    * can detect tens of thousands of vulnerabilities
    * free for personal use
 * [OpenVAS](https://github.com/greenbone/)
    * open-source vulnerability scanner
    * less expansive than Nessus
 ### Enumerating users
 * process of retrieving list of usernames for system
 * numerous methods
    * public sources of information (websites, emails...)
    * pentest: ask for list of users (grey box)
 * Linux
    * local: `/etc/passwd`
    * remotely
        * `finger @IP`
        * query NIS or LDAP server if present
        * `enum4linux` tool
 * Windows
    * list users using SMB session
        * possible anonymously on older versions of Windows
        * if single user is known, listing all users is possible
 ### Netcat
 * netcat is useful
 * general purpose TCP and UDP network tool
 * installed basically everywhere
 * used for setting up reverse shells among other things
 * it's just a useful network tunnel
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 samenvatting.pdf: *.md metadata.yml
-	pandoc --toc -o $@ $^
+	pandoc --standalone --toc -o $@ $^
--- a/metadata.yml
+++ b/metadata.yml
@ -1,5 +1,7 @@
 ---
 title: Network Security Summary
 geometry:
 - top=30mm
 - left=30mm
 - right=30mm
 ---
`@ -1,2 +1,2 @@`
	`samenvatting.pdf: *.md metadata.yml`	`samenvatting.pdf: *.md metadata.yml`
	`pandoc --toc -o $@ $^`	`pandoc --standalone --toc -o $@ $^`