Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Practical Network Scanning

You're reading from   Practical Network Scanning Capture network vulnerabilities using standard tools such as Nmap and Nessus

Arrow left icon
Product type Paperback
Published in May 2018
Publisher
ISBN-13 9781788839235
Length 326 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Ajay Singh Chauhan Ajay Singh Chauhan
Author Profile Icon Ajay Singh Chauhan
Ajay Singh Chauhan
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Fundamental Security Concepts 2. Secure Network Design FREE CHAPTER 3. Server-Level Security 4. Cloud Security Design 5. Application Security Design 6. Threat Detection and Response 7. Vulnerability Assessment 8. Remote OS Detection 9. Public Key Infrastructure-SSL 10. Firewall Placement and Detection Techniques 11. VPN and WAN Encryption 12. Summary and Scope of Security Technologies 13. Assessment 14. Other Books you may enjoy

Security issues, threats, and attacks

Every day we use our computers and phones to connect to the internet, open emails, do online transactions, check our social media, create files, take photos of our friends, family or favorite places.

IoT security risk

The next big thing, which is going to play a big role in our life, is going to be Internet of Thing (IoT). Everything will be connected to the internet—fans, tube lights, refrigerators, doors, cars, even in medical terms, our heart—could be connected to an IoT sensor. This list will be long. Think about the situation if a person's heart rate controlled by an IoT sensor is hacked.

One of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything.

Computer security risk

Computer security risks are events that may damage or steal data or allow unauthorized access to a computer without notifying the user. Your computer is all about operating systems and applications, the majority of such attacks come along with malicious applications, or bad software, in other words. It is commonly believed that all damages are only done by computer viruses, but in reality there are several types of bad software. Features such as back door, dialer, spyware, virus and worm, key logger, adware, and many more can result in a computer security risk.

Security Risk-Border Gateway Protocol

In the networking world, imagine a situation where attackers plug their cable into your network, establish a Border Gateway Protocol (BGP) session, and sniff all the data going into the wire. This is not limited to sniffing your information, but you can cause a lot of trouble for others.

For example:

  • YouTube blockage by PTA:
    • Scenario: Pakistan telecom was connected to the global internet via PCCW telecom
    • Problem: PCCW did not validate a prefix advertised by Pakistan telecom and there was no built-in mechanism in the BGP protocol to authenticate information
    • Impact: DoS to customers, traffic redirection, prefix hijacking, and AS hijacking
  • On 24 February 2008, Pakistan Telecom Authority (PTA) began to advertise a specific prefix of YouTube. PTA intended to block access to YouTube in Pakistan and advertised the specific prefix 208.65.153.0/24. This was part of the prefix used by YouTube 208.65.152.0/22-208.65.155.255. The intention was that YouTube's traffic would be forwarded to Null0 interface and, consequently, YouTube would get blocked within Pakistan. However, the same route was advertised to upstream ISP (PCCW AS number 3491). PCCW presented this information to other peers as well. YouTube then initiated a more specific prefix (208.65.153.128/25) to recover traffic.

 

  • MAN in the Middle (MITM): This is another example. Think about a situation in which someone from your organization can do the sniffing inside your network by configuring SPAN for switch where all finance employees are connected. All username and password information can be extracted if they are not using a secure way to access the finance portal. This is the reason I say there should be HTTPS for everything. Even hackers can gain access to sniff data, but they cannot decode encrypted data from the system. All these types of hacking come under MITM where attackers have access to data wire or are able to divert traffic.
  • Address Resolution Protocol (ARP): Spoofing can be a similar kind of attack. For local area network-address resolution protocol, it is required to know the computer identity on Local Area Network (LAN). Let's assume you are internet gateway configured in your LAN and all the internet traffic travels via that device. The attacker can do the ARP-spoofing and advertise a new system as an internet gateway. Now all the traffic for internet goes through the attacker's system, and they can sniff your data. There are many tools available on the market for spoofing, which do nothing but change the MAC address of your machine.

MITM attacks can be further divided into two categories: WAN and LAN.

Security and threats

In a growing connected world, security threats are constantly evolving to find new ways to steal or damage data. For any organization and any individual who has an internet enabled system, it becomes very important to protect that information. Malicious or ignorant human activity are major threats to computers. Malicious action always has a goal to achieve and a specific target to be attacked.

Attackers generally have motives or goals. These motives and goals usually abide by the following formula:

Motive + Method + Vulnerabilities = Attack:

As the following diagram shows, security threats are driven either by humans or natural disasters. Threats driven by humans can be further categorized into external or internal threats, or can be put down to user ignorance. We will discuss each of these in detail:


Natural disasters

A natural disaster is a major adverse event resulting from the natural processes of the earth. Examples include floods, hurricanes, tornadoes, volcanic eruptions, earthquakes, tsunamis, and other geologic processes. Nobody can prevent nature from taking its course. Such events can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and Business Continuity Plans (BCP) in place.

Human threats

Human threats consist of inside attackers or outside attackers. Insiders can be employees, vendors, or contractors with privileged access to systems. They can also be organizations and outside attacks by non-employees or groups of individuals just looking to harm and disrupt an organization due to a motive or aim.

The most dangerous form of attackers are usually insiders, because they have access to the system and know security measures that are already in place. Insider attacks can be malicious or negligent and can also be accidental.

All companies in this world have to deal with employee work force reduction and expansion. Consequently, controlling and changing the permission on system assets is a very important action item. Lack of process and failure to remove access to sensitive assets for employees who no longer have a business requirement increase an asset's exposure to unauthorized access. This can be a common cause of insider attacks, which is often overlooked.

Since there is usually a trust between employee and employer, most employees are not out to harm them. However, there's no way to ensure that this is the case with all employees, so the best practice is to be cautious and take the appropriate measures to prevent inside threat.

Here is one classic example:

A company's important application was operated by the personal credentials of an employee who had been working there for many years. However, one day the company laid that employee off. The next day, the IS department deleted his credentials. The application then stopped working. An issue like this can cause major damage to a system, and it will definitely take time to identify and fix the problem.

Human security threats can be something as simple as a person opening an attachment loaded with malicious script or malware that opens the system's back door and allows outsiders to extract information. The worst-case scenario often isn't a hacker breaching internal systems, but an employee that loses his smartphone or has his laptop stolen. The best defense lies in securing the data, not just the devices. This means encrypting at the file-level, so confidential information is protected even it is stolen.

Security vulnerabilities

A malicious attacker uses a method to find the resources of a target, finds known vulnerabilities of targeted resources, and then exploits vulnerabilities in order to achieve a goal. Vulnerabilities are weaknesses, misconfigurations or loopholes in security that an attacker exploits in order to gain access to the network or resources on the network.

Security vulnerabilities are not limited to web, SQL DB, or operating systems. The same approach goes for any infrastructure networking gears.

These are the three main categories:

  • Technology weaknesses
  • Configuration weaknesses
  • Security policy weaknesses

Technology weaknesses

These include TCP/IP protocol weaknesses, operating system weaknesses, software weaknesses running on operating systems and network equipment weaknesses.

TCP/IP is a protocol suite, which is used to transfer data through networks. The most important part of the suite is IP, which is the user identity on a network. The main protocols associated are:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Control Message Protocol (ICMP)

TCP ports numbers identify an application. For example:

  • Port 21: FTP
  • Port 23: Telnet
  • Port 80: HTTP
  • Port 443: HTTPS

TCP/IP was meant to provide a reliable connection between two hosts but does not provide any inbuilt security functions, such as encryption or authentication. Protocols like HTTP, FTP, TFTP, and TELNET are insecure since all the information is in clear text.

A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a targeted victim in an attempt to utilize all available server resources to make the system unavailable to legitimate traffic.

This is normal behavior for TCP three-way handshake. The SYN packet is sent by a user who is then acknowledged by the server and, finally, by ACK.

In the case of SYN, flood systems are unavailable to process SYN packets. Attackers in green send a series of SYN packets and get ACK as well. Meanwhile, attackers consume all server resources, hence real users in violet do not even get SYN-ACK.

The UNIX, Linux, Macintosh, Windows, and OS/2 operating systems all have security problems. Security updates and bug fixes are released by these companies from time to time.

Network equipment such as routers, firewalls, optical equipment, and switches have security weaknesses that must be recognized and protected.

In upcoming chapters, we will discuss these kind of attacks in detail, looking at how to deal with them in a live network.

Configuration weaknesses 

As a network/system administrator, we should know what configuration weaknesses are and what the corrective measures are for their computing and network devices.

User account information might be transmitted in clear text across the network, exposing usernames and passwords to an intruder. For example, if you manage your devices over Telnet, your username and password can be sniffed. The same thing is also applicable when you manage devices using GUI on HTTP.

Misconfigurations of the devices can cause significant network equipment security problems and open doors for unauthorized access. For example, misconfigured access lists, routing protocols, or SNMP community strings can open large security holes. Misconfigured encryption, lack of encryption, or low encryption ciphers for remote-access controls can also cause significant security issues.

Authentication and authorization is a major concern. If you are interested in knowing who is doing what on a piece of network equipment or system, then you might want to centralize authentication with a single authentication platform by accounting logs enabled to perform an audit regularly.

To reduce the threats to your network, the best option is to disable any unused services on all your networking devices and computing system. For instance, if you have a web server, you should disable FTP, SMTP, and other services. Another example would be if you are managing your devices with SSH, you can disable Telnet, HTTP, and FTP running on the same box.

You should only run the applications that are necessary on a device. All unnecessary applications and services should be disabled, to minimize exposure to the outside world.

Security policy weaknesses

Security policy weaknesses can create unforeseen security threats. The network infrastructure can pose security risks to itself if the system administrator does not follow the security policy, and best practices being used in the industry. Every organization must have a security policy and that should be enforced to all users/admin/infrastructure. Security weaknesses emerge when there is no clear-cut or written baseline security policy document.

Always follow a baseline for all infrastructure gears and networks for compliance with the policy. Systems should be in place to verify non-compliance devices. For example, if you have millions of devices in a network, it's very hard to check if all of them are matching compliances or not. However, a system like HPNA and other tools can scan a baseline set of configuration for all devices and reports can be generated.

Single password verification: There are three basic methods for authentication:

  • Username and password
  • One-time password
  • Certificates

In the first methods, passwords are basically user defined, and certificates are computer generated and based on keys. Brute-force attacks can easily crack passwords; passwords are easy to forget and are often reused on multiple services or applications. These passwords are like symmetric keys and are stored somewhere within the service. It is the duty of the service provider to protect your password. However, on the news we also often hear that password databases are hacked and millions of passwords are leaked. The third method is based on keys and strong algorithms, but even they are not 100% foolproof as private keys can be stolen as well.

Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides password information by combing two methods to verify that users are who they say they are. Two-factor authentication provides an additional layer of security by keeping half of the part of a password static in nature and the rest of the part dynamic, constantly changing after a given interval. This makes it harder for attackers to gain access to a person's devices and online accounts; knowing the victim's password alone is not enough to pass the authentication check, because a combined password is dynamic in nature and has an expiry associated with it. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have sniffed or stolen a password.

Best practices are being followed by companies like Google. Even if you change your smartphone or browsers you get notified immediately. Companies follow methods of smart card authentication along with phone authentication in order to validate the identity of users. The banking sector distributed RSA tokens for 2FA.

Using unencrypted or weak encryption for a website

Protocols such as Telnet, HTTP, or FTP opens doors for MITM attacks. The main reason behind that is that these protocols do not offer end-to-end encryption. File transfer protocol is used for data transfer between two hosts, and every time you need to enter usernames and passwords, which are in clear text, and it is very easy for attackers to sniff credentials and data being transferred. To protect information from attackers, we should not use any protocol that does not support encryption. For example, for management purposes, we should use SSH instead of Telnet on any device. All websites must offer HTTPS, and instead of FTP data transfer should be done using SCP or SFTP. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

SSL SHA1, an extremely popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared almost 10 years ago. In 2012, some calculations showed that breaking SHA1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016. 

Protect Domain Controller: Eliminates use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos. Kerberos is a token-based system. Refresh time is so fast that even if someone hacked your session, you would get new tokens as refresh time makes it more reliable.

In the same way, you should float guidelines for the secure management of assets. All the servers and assets should be managed by domain controller security groups. Using interactive logon with a service account can cause major damage too, hence interactive logon for service accounts should be disabled. The reason behind this is that if a system is compromised, attackers can gain access to the domain controller as well.

Connect to unsecured Wi-Fi network access: Connecting through a public Wi-Fi network or hotspot can compromise your computer/mobile security and put your information at risk. Whether you are on your computer or your mobile device, it's relatively easy for hackers to access the information you type and send over an unsecured Wi-Fi network, including your login and password information.

Users need to be educated on how to use Wi-Fi with their computer devices. Here are some important tips that every company employee should know:

  • If possible, make sure that you connect to secure networks only 
  • Use strong passwords for all your online accounts and change them often
  • Use VPN for accessing corporate resources
lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime