Vulnerabilities of the TLS Protocol

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols that secure most online communication. They provide confidentiality, integrity and (normally server-side) authentication between two applications over a network, so that data exchanged between them can be neither read nor altered in transit.

However, SSL/TLS is not invulnerable: over the years, several weaknesses have been found in the protocol and in its implementations. One of the best known is the POODLE attack (2014), which targets SSL 3.0. SSL 3.0 does not require the padding bytes of a CBC-encrypted record to have a fixed value, so an attacker who can make the victim's browser send the same secret repeatedly (a session cookie, for example) and tamper with the ciphertext can use the server's accept/reject behaviour as a padding oracle and recover the secret one byte at a time. Because clients of that era fell back to SSL 3.0 when a TLS handshake failed, the attack also worked against servers that supported newer versions but had not disabled SSL 3.0.

Another is the BEAST attack (2011), which exploits the way TLS 1.0 and earlier versions chain initialisation vectors in CBC mode: the IV of each record is the last ciphertext block of the previous record, so it is predictable. With a chosen-plaintext position (script running in the victim's browser) and a network vantage point, an attacker can decrypt HTTPS cookies byte by byte and hijack the session.

A third is the DROWN attack (2016), a cross-protocol attack on SSLv2. An attacker who can reach any server that still speaks SSLv2 using the same RSA key (or certificate) as a modern TLS server can use the SSLv2 server as a decryption oracle against recorded TLS sessions. SSLv2 has been obsolete for decades, but the weakness is the shared key: one forgotten mail or legacy server with SSLv2 enabled exposes every TLS service that uses that key.

To protect your online transactions, be aware of these weaknesses and take the necessary precautions. Start by using the latest version of TLS, currently TLS 1.3 (RFC 8446), and disable support for SSLv2 and SSLv3 as well as TLS 1.0 and 1.1, which were formally deprecated in RFC 8996.

It is also important to use strong cipher suites (authenticated encryption such as AES-GCM or ChaCha20-Poly1305 with ECDHE key exchange; no RC4, 3DES or export ciphers) and to test your TLS configuration regularly. Tools such as SSL Labs' SSL Server Test, testssl.sh or `openssl s_client` report which protocol versions and cipher suites a server accepts and flag known vulnerabilities.

Another crucial step is to manage your TLS certificates: the certificate is what lets a client verify that it is talking to the genuine server rather than to an attacker in the middle. Certificates expire, so renew them before the expiry date (automating renewal is worthwhile), use a key size and signature algorithm that are still considered strong, and revoke and replace a certificate immediately if its private key may have been compromised.
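The checks above can be automated on the client side too. The following Python script is an added example, not code from the original post: it builds a client context that refuses everything POODLE, BEAST and DROWN rely on (SSLv3, TLS 1.0/1.1, non-AEAD suites, unverified certificates), audits any `ssl.SSLContext` against those rules, and includes a probe that asks a server for one protocol version at a time. The audit runs offline; the probe needs network access, and the target hostname is whatever you pass on the command line.

```python
from __future__ import annotations

import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the settings recommended above."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context()
    # No SSLv3 (POODLE) and no TLS 1.0/1.1 (BEAST; deprecated by RFC 8996)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: forward-secret ECDHE with AEAD only (no RC4, 3DES or CBC suites).
    # TLS 1.3 suites are fixed by the protocol and are not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context a copy-pasted 'make the SSL error go away' snippet produces."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE              # any certificate accepted: trivial interception
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # TLS 1.0 negotiable: BEAST surface
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings for a client context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are negotiable")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


def probe_version(host: str, version: ssl.TLSVersion,
                  port: int = 443, timeout: float = 5.0) -> bool:
    """True if `host` completes a handshake at exactly `version` (needs network access)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE              # we test version support here, not identity
    try:
        ctx.minimum_version = version            # ValueError if the local OpenSSL lacks it
        ctx.maximum_version = version
        # OpenSSL 3 refuses TLS < 1.2 at its default security level; lower it for the probe
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # hostname of your choice
    for v in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(f"{v.name:8s} {'accepted' if probe_version(target, v) else 'rejected'}")
```

A server that answers "accepted" for anything below TLS 1.2 is the configuration the three attacks above need; the audit function is the same check applied to your own client code, where a disabled certificate check is at least as common a finding as an old protocol version.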

Finally, complementary measures such as firewalls, endpoint protection and two-factor authentication add further layers of protection, although none of them compensates for a weak TLS configuration.

By taking these precautions you significantly reduce the risk that a known SSL/TLS weakness is used against your online transactions.

CWE

CWE (Common Weakness Enumeration) is a community-developed list of common types of hardware and software weaknesses that have security implications. The CWE list provides a common language to describe and communicate such weaknesses, so that a vulnerability can be classified by the CWE (or CWEs) at its root.

The goal is to support methods, including automated ones, for finding and preventing these errors. CWE can be used at the development stage, during code review, and later during penetration testing to classify the type of a vulnerability and communicate it to developers. At the time of writing the list is at version 4.7 and contains more than 900 weakness entries, organised into categories and views.

The CWE Top 25 Most Dangerous Software Weaknesses is a ranked list of the weaknesses that are most frequent and most severe in reported vulnerabilities; they are often easy to find and exploit. For example, CWE-79 is Cross-Site Scripting and CWE-89 is SQL Injection. A similar project is the OWASP Top Ten (Open Web Application Security Project); compared with the CWE Top 25, the OWASP Top Ten focuses solely on web application risks, and each of its categories maps to a group of CWEs.
The CWE Most Important Hardware Weaknesses list serves the same purpose for hardware defects.
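To make the classification concrete, here is an added example (not from the original post) of what CWE-89 looks like in code, using Python's built-in sqlite3 module with a constructed in-memory users table: the vulnerable login query beside its parameterised fix, and the injection a penetration tester would report under CWE-89.

```python
from __future__ import annotations

import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration (not real data).

    Passwords are stored in clear only to keep the example short; a real
    application would store salted hashes (see CWE-759 / CWE-760)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """CWE-89: user input is spliced into the SQL text, so it can change the query."""
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# The injection: the SQL comment marker "--" removes the password check from the
# vulnerable query, so any password logs in as alice.
INJECTION = "alice' --"


def demo() -> dict[str, bool]:
    conn = make_sample_db()
    return {
        "vulnerable_with_injection": login_vulnerable(conn, INJECTION, "wrong"),        # True
        "fixed_with_injection": login_fixed(conn, INJECTION, "wrong"),                  # False
        "fixed_with_real_credentials": login_fixed(conn, "alice", "correct horse"),     # True
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} {result}")
```

Reporting the finding as CWE-89 tells the developers exactly which class of fix applies (parameterised queries everywhere the pattern in `login_vulnerable` appears), which is the communication role the paragraph above describes.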

Please check our post about Vulnerability Analysis to learn more about CWE usage.

A list of CWE entries follows.

  • CWE-775 – Missing Release of File Descriptor or Handle after Effective Lifetime

    Description The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles,…

  • CWE-776 – Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)

    Description The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing…

  • CWE-777 – Regular Expression without Anchors

    Description The software uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to…

  • CWE-778 – Insufficient Logging

    Description When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.…

  • CWE-779 – Logging of Excessive Data

    Description The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. While logging is a good practice in general, and very high levels of logging are appropriate for debugging stages of development, too much logging in a production environment might hinder a…

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

    Description The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High  …

  • CWE-780 – Use of RSA Algorithm without OAEP

    Description The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. Padding schemes are often used with cryptographic algorithms to make the plaintext less predictable and complicate attack efforts. The OAEP scheme is often used with RSA to nullify the impact of predictable common text.…

  • CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

    Description The software defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided. When an IOCTL uses the METHOD_NEITHER option for I/O control, it is the responsibility of the IOCTL to validate the addresses that have been supplied to it. If validation is missing…

  • CWE-782 – Exposed IOCTL with Insufficient Access Control

    Description The software implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-749 CWE-781   Consequences Integrity, Availability, Confidentiality: Attackers can invoke any functionality that the IOCTL offers. Depending on the…

  • CWE-783 – Operator Precedence Logic Error

    Description The program uses an expression in which operator precedence causes incorrect logic to be used. While often just a bug, operator precedence logic errors can have serious consequences if they are used in security-critical code, such as making an authentication decision. Modes of Introduction: – Implementation Likelihood of Exploit: Low   Related Weaknesses CWE-670…

  • CWE-784 – Reliance on Cookies without Validation and Integrity Checking in a Security Decision

    Description The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms…

  • CWE-785 – Use of Path Manipulation Function without Maximum-sized Buffer

    Description The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX. Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others. Windows provides…

  • CWE-732 – Incorrect Permission Assignment for Critical Resource

    Description The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification…

  • CWE-733 – Compiler Optimization Removal or Modification of Security-critical Code

    Description The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses CWE-1038   Consequences Access Control, Other: Bypass Protection Mechanism, Other   Potential Mitigations CVE References   CVE-2008-1685 C compiler optimization, as…

  • CWE-74 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)

    Description The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Software has certain assumptions about what constitutes…

  • CWE-749 – Exposed Dangerous Method or Function

    Description The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. Modes of Introduction: – Architecture and Design Likelihood of Exploit: Low   Related Weaknesses CWE-664 CWE-691   Consequences Integrity, Confidentiality, Availability, Access Control, Other:…

  • CWE-75 – Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

    Description The software does not adequately filter user-controlled input for special elements with control implications. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-74   Consequences Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands   Potential Mitigations Phase: Requirements Effectiveness: Description:  Programming languages and supporting technologies might…

  • CWE-754 – Improper Check for Unusual or Exceptional Conditions

    Description The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. Many functions will return some value about the success of their actions. This will alert the program whether or not to handle any errors caused by…

  • CWE-755 – Improper Handling of Exceptional Conditions

    Description The software does not handle or incorrectly handles an exceptional condition. Modes of Introduction: – Implementation Likelihood of Exploit: Medium   Related Weaknesses CWE-703   Consequences Other: Other   Potential Mitigations CVE References   CVE-2021-3011 virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a…

  • CWE-756 – Missing Custom Error Page

    Description The software does not return custom error pages to the user, possibly exposing sensitive information. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses CWE-755 CWE-209   Consequences Confidentiality: Read Application Data Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other…

  • CWE-757 – Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)

    Description A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. When a security mechanism can be forced to downgrade to…

  • CWE-758 – Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

    Description The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. This can lead to resultant weaknesses when the required properties change, such as when the software is ported to a different platform or if an interaction…

  • CWE-759 – Use of a One-Way Hash without a Salt

    Description The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult.…

  • CWE-76 – Improper Neutralization of Equivalent Special Elements

    Description The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to…

  • CWE-760 – Use of a One-Way Hash with a Predictable Salt

    Description The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. In cryptography, salt refers to some random addition of data to an input before hashing to make dictionary attacks more difficult. Modes of…

  • CWE-761 – Free of Pointer not at Start of Buffer

    Description The application calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-763 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute…

  • CWE-762 – Mismatched Memory Management Routines

    Description The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. Modes of Introduction: – Implementation Likelihood of Exploit: Low   Related Weaknesses CWE-763 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS:…

  • CWE-763 – Release of Invalid Pointer or Reference

    Description The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-404 CWE-404 CWE-404   Consequences Integrity, Availability, Confidentiality: Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or…

  • CWE-764 – Multiple Locks of a Critical Resource

    Description The software locks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly locks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-765 – Multiple Unlocks of a Critical Resource

    Description The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. When software is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock’s implementation, and the resource being protected. In some situations such…

  • CWE-766 – Critical Data Element Declared Public

    Description The software declares a critical variable, field, or member to be public when intended security policy requires it to be private. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-1061   Consequences Integrity, Confidentiality: Read Application Data, Modify Application Data Making a critical variable public allows anyone with access…

  • CWE-767 – Access to Critical Private Variable via Public Method

    Description The software defines a public method that reads or modifies a private variable. If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further…

  • CWE-690 – Unchecked Return Value to NULL Pointer Dereference

    Description The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to…

  • CWE-691 – Insufficient Control Flow Management

    Description The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Alter Execution Logic   Potential Mitigations CVE References  

  • CWE-692 – Incomplete Denylist to Cross-Site Scripting

    Description The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet”…

  • CWE-693 – Protection Mechanism Failure

    Description The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakness covers three distinct situations. A “missing” protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An “insufficient” protection mechanism might provide some defenses…

  • CWE-694 – Use of Multiple Resources with Duplicate Identifier

    Description The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. If the software assumes that each resource has a unique identifier, the software could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier. Modes of…

  • CWE-695 – Use of Low-Level Functionality

    Description The software uses low-level functionality that is explicitly prohibited by the framework or specification under which the software is supposed to operate. The use of low-level functionality can violate the specification in unexpected ways that effectively disable built-in protection mechanisms, introduce exploitable inconsistencies, or otherwise expose the functionality to attack. Modes of Introduction: –…

  • CWE-696 – Incorrect Behavior Order

    Description The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-691   Consequences Integrity: Alter Execution Logic   Potential Mitigations CVE References   CVE-2019-9805 Chain: Creation of the packet…

  • CWE-697 – Incorrect Comparison

    Description The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses   Consequences Other: Varies by Context   Potential Mitigations CVE References   CVE-2016-10003 Proxy performs incorrect comparison of request headers, leading to infoleak

  • CWE-698 – Execution After Redirect (EAR)

    Description The web application sends a redirect to another location, but instead of exiting, it executes additional code. Modes of Introduction: – Implementation Likelihood of Exploit:   Related Weaknesses CWE-705 CWE-670   Consequences Other, Confidentiality, Integrity, Availability: Alter Execution Logic, Execute Unauthorized Code or Commands This weakness could affect the control flow of the application…

  • CWE-7 – J2EE Misconfiguration: Missing Custom Error Page

    Description The default error page of a web application should not display sensitive information about the software system. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-756   Consequences Confidentiality: Read Application Data A stack trace might show the attacker a malformed SQL query string, the type of database being…

  • CWE-703 – Improper Check or Handling of Exceptional Conditions

    Description The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Confidentiality, Availability, Integrity: Read Application Data, DoS: Crash, Exit, or Restart, Unexpected State   Potential Mitigations CVE References  

  • CWE-704 – Incorrect Type Conversion or Cast

    Description The software does not correctly convert an object, resource, or structure from one type to a different type. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-664   Consequences Other: Other   Potential Mitigations CVE References  

  • CWE-705 – Incorrect Control Flow Scoping

    Description The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-691   Consequences Other: Alter Execution Logic, Other   Potential Mitigations CVE References   CVE-2014-1266 chain: incorrect “goto”…

  • CWE-706 – Use of Incorrectly-Resolved Name or Reference

    Description The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-664 CWE-99   Consequences Confidentiality, Integrity: Read Application Data, Modify Application Data   Potential Mitigations…

  • CWE-707 – Improper Neutralization

    Description The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Other   Potential…

  • CWE-708 – Incorrect Ownership Assignment

    Description The software assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors outside of the intended control sphere. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses CWE-282 CWE-345   Consequences Confidentiality, Integrity: Read…

  • CWE-71 – DEPRECATED: Apple ‘.DS_Store’

    Description This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62. Modes of Introduction: Likelihood of Exploit:   Related Weaknesses   Consequences   Potential Mitigations CVE References  

  • CWE-710 – Improper Adherence to Coding Standards

    Description The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. Modes of Introduction: – Architecture and Design Likelihood of Exploit:   Related Weaknesses   Consequences Other: Other   Potential Mitigations Phase: Implementation Effectiveness: Description:  Document and closely follow coding standards.…

  • CWE-72 – Improper Handling of Apple HFS+ Alternate Data Stream Path

    Description The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system. If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if…

  • CWE-73 – External Control of File Name or Path

    Description The software allows user input to control or influence paths or file names that are used in filesystem operations. Modes of Introduction: – Architecture and Design Likelihood of Exploit: High   Related Weaknesses CWE-642 CWE-610 CWE-20 CWE-22 CWE-41 CWE-98 CWE-434 CWE-59   Consequences Integrity, Confidentiality: Read Files or Directories, Modify Files or Directories The…

Vulnerability Analysis

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

NIST Glossary – https://csrc.nist.gov/glossary/term/vulnerability

Vulnerability analysis comprises the detection, assessment, classification and treatment of vulnerabilities according to the risk they pose to the organisation.

Vulnerability Identification

A security team can detect vulnerabilities in different ways. As part of a vulnerability management process, it is good practice to subscribe to the mailing lists and advisory feeds through which vendors (or, where the vendor offers none, third parties such as CERTs) disclose vulnerabilities and their countermeasures. Monitoring them is time-consuming but necessary: it must be done daily to detect vulnerabilities promptly and to comply with several standards and regulations.
Other inputs come from the reports of hardening procedures, the periodic review of access rules, and the review of company policies and procedures.

Tools


Tools like Nessus and OpenVAS partially automate the discovery and analysis of vulnerabilities. After identifying the active hosts and their exposed services, the scanner determines operating system and application versions and matches them against its database of known vulnerabilities.

As shown in the figure, Nessus lists the vulnerabilities to which each analysed host is potentially vulnerable. Potentially, because the scanner does not attempt to exploit them: it infers exposure from versions, banners and configuration, so the results contain false positives (and false negatives). Exploitation, which is often manual, is not part of vulnerability analysis and is normally carried out within a penetration test.

CVSS

In the report, vulnerabilities are rated according to the CVSS (Common Vulnerability Scoring System), an open framework for scoring the severity of a vulnerability from its characteristics: attack vector, required privileges, user interaction, and impact on confidentiality, integrity and availability. Reducing these to a single number between 0.0 and 10.0 makes the vulnerability management process much easier to communicate and to prioritise.

Let's pretend you are in a meeting with the company management and you have to share the results of your vulnerability analysis. The results were not good: you need at least three system administrators for one month to implement the remediation plan. You need to install patches and implement countermeasures, and you have to do it fast. During the meeting, you could try to explain that you found several RCE-type vulnerabilities on systems deployed in your DMZ, that attackers do not need system or application credentials to exploit them, and that exploits are readily available on the Internet. Or you could simply report the presence of several CVSS 10 vulnerabilities on critical systems.
For more information on CVSS (versions 2.0 and 3.x), see our article.

CVE & NVD

Each publicly disclosed vulnerability gets a Common Vulnerabilities and Exposures (CVE) ID of the form CVE-YYYY-NNNN, where YYYY is the year the ID was reserved or published and NNNN is a sequence number of four or more digits. A unique ID per vulnerability makes it possible to track it and to automate and simplify the integration of the different tools available to an analyst.

Let’s say you have just detected a vulnerability on your firewall appliance. Since it is a well-known vulnerability, it has got a specific CVE-ID. Assuming that your firewall vendor catalogues their vulnerabilities and patches by CVE, it is going to be easy to ask the vendor for additional information, search for the relevant patches and to minimize the possible impacts of applying remediation on the infrastructure. Furthermore, it is going to be easy to find the relevant signature in your IDS/IPS.
CVE is operated by The MITRE Corporation. More details are available on the cve.org website.

The NVD (National Vulnerability Database) is maintained by NIST (National Institute of Standards and Technology). It enriches each CVE with a CVSS score, a CWE classification, affected-product identifiers (CPE) and references to advisories and patches.

CWE & OWASP

CWE (Common Weakness Enumeration) is a community-developed list of common types of hardware and software weaknesses that have security implications. It provides a common language to describe and communicate the weakness at the root of a vulnerability. The CWE Top 25 Most Dangerous Software Weaknesses is a ranked list of the weaknesses that are most frequent and most severe in reported vulnerabilities; they are often easy to find and exploit. For example, CWE-79 is Cross-Site Scripting and CWE-89 is SQL Injection. A similar project is the OWASP Top Ten (Open Web Application Security Project); compared with the CWE Top 25, the OWASP Top Ten focuses solely on web application risks, and each of its categories maps to a group of CWEs.
The CWE Most Important Hardware Weaknesses list serves the same purpose for hardware defects.

Vulnerability Analysis steps

Vulnerability analysis comprises several phases.

Preparatory phase

It is not possible to carry out a thorough and reliable analysis without a deep knowledge of the infrastructure or application under examination. If there is no process for managing IT services and their related assets (an up-to-date asset inventory with owners and criticality), it will not be possible to classify and prioritise vulnerabilities. Suppose the vulnerability scanner found 300 vulnerabilities on about 30 hosts. Which should be prioritised? Which must be remediated immediately? The answer depends not only on the severity of each vulnerability but also on the importance and exposure of the hosts and services it affects.

Discovery and analysis of vulnerabilities

You performed vulnerability scans, you analysed security advisories, system configurations, your company policies and procedures. You have a comprehensive list of vulnerabilities. You can now prioritise them, identify false positives (and false negatives), and improve the results with your knowledge of the infrastructure/application. At the end of this phase, your security team will produce a vulnerability scan report.

Post assessment

It is now possible to define a remediation plan. The remediation plan is not a mere list of patches, countermeasures and IPS rules: if your analysis has shown the presence of several SQL Injection, CSRF and XSS vulnerabilities in the software developed internally (or by a specific supplier), you must immediately schedule secure programming training classes for your developers.

If these kinds of vulnerabilities are found on software purchased from third parties, you must tell the service owner to look for a new vendor.

While the first scenario is a symptom of a poor security awareness policy, the second one highlights a poor supplier policy: do you review your supplier security policies after you sign a contract? Do you ask to review their development procedures? Do they regularly perform code reviews? Is security fully integrated into their development life-cycle?
Outsourcing has hidden costs that you always need to consider.

Once the remediation plan has been implemented, the security team shall verify it has been properly implemented. Depending on its size, the implementation of the remediation activities can take several weeks, if not months. It is crucial to plan periodic meetings to keep the team focused and to check the progress.

What’s next?

In the next articles, we will analyse the vulnerability management process and its implications for regulations like ISO27001 and PCI-DSS. In the meantime, we suggest reading our articles about CVSS and the Metasploit lab.

Network Scanning

Regardless of your motivations (attacker or defender), you need to know the ports, hosts and services available within a network.

From a defender’s point of view, the task is a precondition of several key procedures:

  • Asset Management – whoever manages the infrastructure (and its security) must know which devices are active and present within the infrastructure. Furthermore, it helps to detect unauthorized hosts that could derive from malicious activities (or, more commonly, from system administrators who forgot to document them… and maybe to apply the company’s hardening procedures). 
  • Network scanning is a fundamental step of a company vulnerability management procedure. Here is a non-comprehensive list of its possible benefits:
    • it allows the detection of unauthorized services and the presence of obsolete systems;
    • it helps to verify the correspondence between the specifications document and the actual implementation;
    • it helps to verify the correct application of the hardening procedures.
  • Penetration test – independently from the approach in use, it is necessary to determine the active hosts and the exposed services. You have to do it even in a white-box penetration test, to confirm your client’s/colleagues’ inputs.

From an attacker point of view… Well, that goes without saying 🙂

The network scanning procedure aims to identify active hosts. Port scanning, on the other hand, seeks to detect the ports that hosts expose and with which it is possible to interact. Starting from the output of a network/port scan, an attacker, or a newly hired CISO, can outline different traits of a company’s security posture.

In these articles we will see:

  • the different steps of a network scan;
  • some examples with the NMAP tool.

Host discovery

Port scanning involves sending several packets to the host and verifying its response. Usually, the analysis is restricted to the 1024 most common ports (it depends on the available time and the final goal of the analysis). As you may expect, performing this task for all the hosts within a network/infrastructure is time-expensive and generates a lot of noise.

In most cases, only a tiny fraction of IP addresses are active at any given moment. To avoid wasting time, the tester first performs the host discovery phase to determine the active hosts in the tested networks and infrastructure.

There are several techniques:

  • ARP Ping scan;
  • ICMP Ping scan;
  • UDP Ping Scan;
  • TCP SYN/ACK Ping scan;
  • IP Protocol Ping scan.

As stated in the official documentation, the default NMAP host discovery strategy involves sending an ICMP echo request (-PE), a TCP SYN segment to port 443 (-PS443), a TCP ACK segment to port 80 (-PA80), and an ICMP timestamp request (-PP).

ARP ping scans are the most effective method to detect active hosts inside a LAN. Their limit is that the technique cannot be applied to a subnet other than the one the scanner belongs to. Even if you supply other -P* options to NMAP, the tool by default performs an ARP/Neighbor Discovery against targets on a local Ethernet network, since it is the fastest and most reliable technique.

An ICMP scan consists of sending ICMP echo requests to hosts on the network. If a host is active, it will return an ICMP echo reply. The technique has limited usability, as blocking ICMP requests is part of the basic hardening rules for firewalls and systems.

A TCP scan consists of sending TCP segments to the hosts and analysing their responses. There are two different modes: TCP SYN Ping scan and TCP ACK Ping scan.

TCP SYN SCAN

As illustrated in the figure, a TCP SYN ping scan consists of the following steps:

  1. The tester sends a TCP SYN segment to port 80.
  2. If the port is closed, the host responds with an RST segment.
  3. If the port is open, the host responds with a TCP SYN/ACK segment indicating that a connection can be established.
  4. Afterwards, an RST segment is sent to reset this connection.

Since it is a normal attempt to establish a TCP connection, traffic is not blocked by firewalls and does not require administrator permissions.

A TCP ACK ping scan instead consists of the following steps:

  1. The tester sends an empty TCP segment with the ACK flag set to port 80 (the nmap default port, but another port can be used).
  2. If the host is offline, it should not respond to this request.
  3. Otherwise, it will return an RST segment and will be treated as online. An RST is sent because the TCP ACK is not associated with any valid existing connection.

ACK Ping Scan requires administrator privileges. Since it is recognized and blocked by a stateful firewall, its main goal is to get information about the filter configurations, not port status.


Port Scan

Once the active hosts within a network have been determined, a portscan can be performed to determine exposed ports and services.

Several techniques are available:

  • TCP Scan (Connect and Half Open Scan);
  • UDP Scanning;
  • SCTP Scanning;
  • SSDP Scanning.

Only the first two strategies will be considered. Please see the NMAP manual for additional information on SCTP and SSDP Scanning.

TCP Scan

With a TCP Connect scan, a TCP connection is established with the host. That is, the whole 3-way handshake is performed.

The cheapest and fastest variant, the TCP Half Open scan (TCP SYN scan), only sends the SYN segment. If a SYN+ACK segment is received, the port is identified as open; if an RST is received, the port is judged closed.

A third family, the TCP FIN, NULL and Xmas scans, modifies the flags of the TCP segment (FIN, URG, PSH, or no flag at all) in an attempt to induce a response from the server.

The technique works only against operating systems whose TCP/IP implementation is compliant with RFC 793. For example, it does not work against Windows systems, as these return an RST in both cases (open and closed port).

SEGMENT ARRIVES

    If the state is CLOSED (i.e., TCB does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

RFC793

If the port is open, the system produces no response at all, while it returns an RST/ACK segment if the port is closed.

To understand the origin of the name, just look at the image below. Nmap’s -sX flag “Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.”

UDP scan

A UDP exchange does not involve a handshake. If a UDP packet is sent to a port on which no service is listening, the system responds with an ICMP Port Unreachable message. In case of no answer, the port can be considered closed or filtered.

Countermeasures

To detect and prevent network scanning attempts, we suggest the following countermeasures:

  • Carefully design your services to reduce your attack surface: expose only the necessary services and always keep in mind the principles of least privilege and need-to-know;
  • Configure your firewalls to block all traffic that has no business justification;
  • Periodically review your firewall ruleset to keep it aligned with your business needs;
  • Harden your servers, disabling all unused services;
  • Perform network and port scans to ensure your firewall/server policies are aligned with your business needs;
  • Configure an IDS/IPS to promptly detect network and port scans.
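As an added example (not from the original article) of the last countermeasure, the following detector reads constructed packet-summary log lines, names the probe type from the TCP flag combinations described in the host discovery and port scan sections (SYN, ACK, FIN, NULL, Xmas, UDP), and raises an alert when one source touches many ports on a host or many hosts within a time window; the log format, flag letters and thresholds are assumptions.

```python
"""Flag host sweeps and port scans in constructed packet-summary log lines.

Added example, not code from the original article. The log format is an
assumption: "<epoch> <proto> <src_ip> <dst_ip> <dst_port> <flags>", where
flags use S=SYN A=ACK F=FIN P=PSH U=URG R=RST and "-" means no flag set."""
from collections import defaultdict

# Flag combinations from the article, mapped to the probe they signal.
TCP_PROBES = {
    frozenset("S"): "SYN ping / half-open scan",
    frozenset("A"): "ACK ping (firewall mapping)",
    frozenset("F"): "FIN scan",
    frozenset(): "NULL scan",
    frozenset("FPU"): "Xmas scan",
}

def classify_probe(proto, flags):
    """Name the probe type from the protocol and the TCP flag letters."""
    if proto == "udp":
        return "UDP probe"
    if proto == "tcp":
        return TCP_PROBES.get(frozenset(flags.replace("-", "")), "other TCP")
    return "other"

def detect_scans(lines, window=60, port_threshold=10, host_threshold=10):
    """Return {src_ip: {"alerts": set, "probes": set}} for noisy sources.
    Events fall into tumbling windows of `window` seconds. Within one window,
    >= port_threshold distinct ports on a single host means "port scan" and
    >= host_threshold distinct hosts means "host sweep"."""
    # (src, window index) -> {"ports": {dst: set(ports)}, "probes": set}
    buckets = defaultdict(lambda: {"ports": defaultdict(set), "probes": set()})
    for line in lines:
        ts, proto, src, dst, dport, flags = line.split()
        b = buckets[(src, int(ts) // window)]
        b["ports"][dst].add(int(dport))
        b["probes"].add(classify_probe(proto, flags))

    findings = defaultdict(lambda: {"alerts": set(), "probes": set()})
    for (src, _), b in buckets.items():
        alerts = set()
        if any(len(p) >= port_threshold for p in b["ports"].values()):
            alerts.add("port scan")
        if len(b["ports"]) >= host_threshold:
            alerts.add("host sweep")
        if alerts:
            findings[src]["alerts"] |= alerts
            findings[src]["probes"] |= b["probes"]
    return dict(findings)

# Constructed traffic: a SYN port scan, an Xmas port scan, an ACK host sweep
# across a /24, and a benign HTTPS client that must not raise an alert.
SAMPLE_LOG = (
    [f"1000 tcp 203.0.113.5 192.0.2.10 {p} S" for p in range(1, 13)]
    + [f"1003 tcp 198.51.100.7 192.0.2.20 {p} FPU" for p in range(20, 36)]
    + [f"1010 tcp 203.0.113.9 192.0.2.{h} 80 A" for h in range(1, 16)]
    + ["1020 tcp 192.0.2.50 192.0.2.10 443 S"] * 3
)
```

Running `detect_scans(SAMPLE_LOG)` reports the three scanning sources with their probe type and leaves the repeated HTTPS client out, which is the distinction an IDS rule for this traffic has to make.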

Footprinting

The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:

  • personal data, skills, experience and interests of the company’s employees;
  • company headquarters;
  • technologies in use (middleware, operating systems);
  • suppliers and consultants who collaborate periodically with the company;
  • network blocks and topology;
  • DNS records.

We can divide footprinting techniques into two macro areas:

  • active: it involves the collection of information through direct interaction with the target. It is a riskier practice than the passive one, as it could leave traces: the systems of the attacked organization could (and should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
  • passive: it involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks and job posting sites, and the analysis of data received from providers that monitor the target’s website traffic or commercial performance, or that deliver reports about the target’s future commercial operations.

Identifying the technologies adopted by the target drastically simplifies the attacker’s job. Knowing that certain technologies are in use, that good security practices are lacking, or that the security posture is poor increases the attacker’s chances of success.

When we perform a penetration test in which the company wants to assess the chances of success of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.

Footprinting with search engines and social networks

Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines reveal information that companies are not even aware they expose to the public.

The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.

Thanks to search engines, an attacker gets to know the technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and much other information about the target.

Like search engines, social networks provide an enormous quantity of information to attackers.

An attacker can dig through LinkedIn to understand who the key people of the organization are, and what their experience and knowledge are. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, the attacker can exploit the gathered information to perform a social engineering attack.

Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.

Footprinting through job posting sites

The following image shows the information revealed by a job advertisement. The job post is real. I found it on the platform indeed.com.

The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE containers like Glassfish and JBoss and servlet containers like Tomcat. Even though Windows XP and 7 reached end of life over 5 and 2 years ago respectively, they are still asking for people with experience on them.

You are getting information not only about the used technologies but you are also outlining the security posture of the company.

Job posts can tell you a lot more. Are they searching for IT security specialists? Besides the tools and countermeasures adopted, they may even tell you how big their security team is. Are they still trying to fill important roles like CIO or CISO?

Tools and services:

We suggest looking at the following tools, for which we wrote a brief description: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagoofil, ExifTool, DNSRecon, traceroute.

Countermeasures

Your employees’/colleagues’ awareness of attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed to inside and outside the office.

The adoption of security policies (hardening of the systems, analysis and review of IDS/IPS and other monitoring tools, etc.) and the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information, or to exploit the knowledge they previously gained through passive footprinting techniques.

Black Hat, White Hat, Gray Hat, Script Kiddies – Who are they?

The term hacker often takes on a negative connotation. 

In the past, we often focused on the distinction between a hacker, a person with deep security knowledge who explores technologies, systems and related vulnerabilities out of pure passion, and a cracker, the “malicious” counterpart, who uses that knowledge to cause damage and steal data of a certain value (for example, credit cards). 

RFC1392 provides the following definitions:

   hacker

      A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.

   cracker

      A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.

Unfortunately, media have never bothered to understand the distinction and, for the masses, there is no difference between crackers and hackers.

In our opinion, here is the correct terminology to be used in the security sector:

Black hats (Crackers)

Crackers, or black hats, have got extraordinary computing skills but they lack ethics. They may violate laws by committing malicious or destructive acts.

Script Kiddies

An unskilled cracker who compromises systems using tools, scripts and software developed by others.

White Hats (Ethical Hacker)

An individual who uses his hacking skill for defensive purposes. 

They analyse computer systems or networks to detect security issues and give recommendations for improvement to their owners.

A white hat will penetrate a system only with the authorisation and upon request of the infrastructure owner. 

Gray Hats

Gray hats use their skills both offensively and defensively. 

They often look for system vulnerabilities without the permission or knowledge of the owner. If they find a security issue, they may reveal it to the owner upon the payment of a small fee. Sometimes, their ultimate goal is to show their skills and create awareness about the intrinsic insecurity of the Internet.

It may be useful to know some additional terms. State-sponsored hackers are employed by a government to penetrate other governments’ systems in order to damage them or to obtain top-secret information. You have surely heard about cyber terrorists, individuals moved by political or religious beliefs who aim to create fear among civilians and influence the policy of the targeted governments.