Amey Ankush Patil

I am an Ethical Hacker

Amey Patil

Hello everyone, my name is Amey Ankush Patil. I completed my Bachelor of Engineering (Computer Engineering) from Mumbai University in 2020.

I have an interest in cybersecurity, cloud development, application development, network deployment, data and endpoint protection, penetration testing, system administration and Linux system administration.

Me

My Skills

Docker, Boldon James, Seclore, Symantec PGP, IDS, HoneyPot, firewall, Elasticsearch, GCP, MongoDB, AWS, Git and GitHub, Active Directory, Windows Server, WordPress, bash, Operating Systems, Linux, AWS Security, Python, Splunk, Resilient SOAR, QRadar, MaaS360

CyberSecurity 60%
SoC Analyst 70%
VAPT 60%
WordPress security 60%

Programming Language

HTML, CSS, JavaScript, Python, PHP, C, Java

NCG

May 2022 - Present

CyberNX

Nov 2021 - April 2021

- Daily monitoring for potentially dangerous activity

- Log data from GCP, AWS, Azure, Windows Server, Linux Server, routers etc.

- Work with the Elasticsearch and Kibana SIEM tools for analyzing logs

- Created spreadsheets using Microsoft Excel for daily reporting.

- Worked flexible hours; night, weekend and holiday shifts.

- Continuous Monitoring of dashboards

- Create and manage Dashboards

- Keep track of SLAs and communicate with SOC L2

- Report incidents and events through continuous analysis

Virtual Testing Foundation

Sep 2021 - Dec 2021

- Penetration Testing Intern at Virtual, OWASP Top 10 and its fundamentals

- Web Application Penetration testing - Labs

- Professional use of pentesting tools (Burp Suite)

- Vulnerability Exploitation

- Final CTF with a vulnerable environment

- Professional Pentest report writing

- Networked with the community through social media.

Sequretek

June 2021 - Nov 2021

- Checking and Monitoring daily mail activity for Boldon James and Seclore

- Created spreadsheets using Microsoft Excel for daily reporting.

- Publishing new policies for the Boldon James software.

- Schedule OS Patching Activity and DB Patching Activity for Boldon James Servers.

- Raising Compliance to the DB Team for Database Related queries in Boldon-James.

- Daily Troubleshooting of Seclore and Boldon James Software-related issues at user or vendor side.

- Preparing and sharing SOPs for Boldon James for future trainees.

- Sharing detailed reports with the Information Security Group and OEM teams.

- Performed regular maintenance and testing to service and optimize complex computer systems, applications and environments.

RangeForce Rank: 0
Hack The Box Rank: 0
Hacker One Rank: 0
CTFTime Rank: 0
CyberDefenders Rank: 0
Blue Team Labs Online Rank: 0
VulnHub Machines: 0
  • Network Attack Techniques

    Network security attacks are unauthorized actions against private, corporate or governmental IT assets in order to destroy them, modify them or steal sensitive data. As more enterprises invite employees to access data from mobile devices, networks become vulnerable to data theft or total destruction of the data or network.

    1. Denial-of-Service:-

    A denial-of-service attack overwhelms a system's resources so that it cannot respond to service requests. A DDoS attack is also an attack on system resources, but it is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.

    A. TCP SYN flood attack:-

    An attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker's device floods the target system's small in-process queue with connection requests, but it does not respond when the target system replies to those requests. This causes the target system to time out while waiting for the response from the attacker's device, which makes the system crash or become unusable when the connection queue fills up.

    B. Teardrop Attack:-

    This attack causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host; the attacked system attempts to reconstruct the packets during the process but fails. The target system then becomes confused and crashes.

    C. Smurf Attack:-

    This attack involves using IP spoofing and ICMP to saturate a target network with traffic. This attack method uses ICMP echo requests targeted at broadcast IP addresses. These ICMP requests originate from a spoofed "victim" address. For instance, if the intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255. This request would go to all IPs in the range, with all the responses going back to 10.0.0.10, overwhelming the network. This process is repeatable, and can be automated to generate huge amounts of network congestion.

    D. Ping of Death Attack:-

    This type of attack uses IP packets to ping a target system with an IP size over the maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker fragments the IP packet. Once the target system reassembles the packet, it can experience buffer overflows and other crashes. Ping of death attacks can be blocked by using a firewall that checks fragmented IP packets for maximum size.

    E. Botnets:-

    Botnets are the millions of systems infected with malware under attacker control in order to carry out DDoS attacks. These bots or zombie systems are used to carry out attacks against the target systems, often overwhelming the target system's bandwidth and processing capabilities. These DDoS attacks are difficult to trace because botnets are located in differing geographic locations.
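    A defender-side illustration of the SYN flood described under A, added here and not part of the original page: on the target, a flood shows up as a pile of half-open (SYN-RECV) sockets whose peers never finish the handshake. The script parses a constructed snapshot shaped like `ss -tan` output and flags listening ports whose half-open count crosses a threshold; the sample data, the threshold and the function names are assumptions of this example.

```python
"""Spot a possible TCP SYN flood in a socket-table snapshot (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample shaped like `ss -tan` output: two healthy sessions plus
# forty half-open (SYN-RECV) sockets on port 443 from forty distinct peers.
_HEADER = "State     Recv-Q Send-Q Local Address:Port  Peer Address:Port"
_NORMAL = [
    "LISTEN    0      128    0.0.0.0:443         0.0.0.0:*",
    "ESTAB     0      0      10.0.0.5:443        192.0.2.10:51022",
    "ESTAB     0      0      10.0.0.5:22         192.0.2.11:40011",
]
_HALF_OPEN = [
    f"SYN-RECV  0      0      10.0.0.5:443        198.51.100.{i}:{1024 + i}"
    for i in range(1, 41)
]
SAMPLE_SS_OUTPUT = "\n".join([_HEADER, *_NORMAL, *_HALF_OPEN]) + "\n"

# state, recv-q, send-q, local endpoint, peer endpoint
_LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def _split_endpoint(endpoint):
    """Split 'host:port' (IPv4, [IPv6] or '*') into (host, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_ss(text):
    """Parse `ss -tan`-style lines into socket dicts; the header is skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:  # header or malformed line
            continue
        state, local, peer = m.groups()
        lip, lport = _split_endpoint(local)
        pip, pport = _split_endpoint(peer)
        sockets.append({"state": state, "local_ip": lip, "local_port": lport,
                        "peer_ip": pip, "peer_port": pport})
    return sockets


def detect_syn_flood(sockets, threshold=20):
    """Return one finding per local port whose SYN-RECV count reaches threshold.

    Each finding records the half-open count, how many distinct peers produced
    it (spoofed floods show many peers with one socket each) and how many fully
    established sessions the port still has, so an analyst can judge impact.
    """
    half_open = Counter()
    peers = defaultdict(set)
    established = Counter()
    for s in sockets:
        if s["state"] == "SYN-RECV":
            half_open[s["local_port"]] += 1
            peers[s["local_port"]].add(s["peer_ip"])
        elif s["state"] == "ESTAB":
            established[s["local_port"]] += 1
    findings = []
    for port, count in sorted(half_open.items(), key=lambda kv: -kv[1]):
        if count >= threshold:
            findings.append({"port": port, "half_open": count,
                             "distinct_peers": len(peers[port]),
                             "established": established[port]})
    return findings


if __name__ == "__main__":
    for f in detect_syn_flood(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"port {f['port']}: {f['half_open']} half-open from "
              f"{f['distinct_peers']} peers, {f['established']} established")
```

    On a real host the snapshot would come from running `ss -tan` periodically; the threshold should be tuned to the normal SYN-RECV level of the service.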

    2. Man-in-the-middle:-

    A MitM attack occurs when an attacker inserts themselves between the communications of a client and a server.

    A. Session Hijacking:-

    In this type of MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for the trusted client's while the server continues the session, believing it is communicating with the client.

    B. IP Spoofing:-

    IP spoofing is used by an attacker to convince a system that it is communicating with a known, trusted entity and so provide the attacker with access to the system. The attacker sends a packet with the IP source address of a known, trusted host instead of its own IP source address to a target host. The target host might accept the packet and act upon it.

    C. Replay:-

    A replay attack occurs when an attacker intercepts and saves old messages and then tries to send them later, impersonating one of the participants. This type can be easily countered with session timestamps or a nonce.
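    The timestamp-and-nonce countermeasure mentioned under C, as an added example that is not from the original page: each message carries a timestamp, a fresh nonce and an HMAC over all three, and the receiver rejects anything with a bad tag, a timestamp outside its acceptance window, or a nonce it has already accepted. The HMAC, which the text does not mention, is what stops an attacker from simply changing the nonce on a captured message; the class name, the 30-second window and the sample messages are assumptions of this example.

```python
"""Replay protection with timestamp + nonce + HMAC (added example)."""
import hashlib
import hmac
import secrets


def make_nonce() -> str:
    """Fresh random nonce for the sender; 16 random bytes will not repeat."""
    return secrets.token_hex(16)


class ReplayGuard:
    """Accept each authenticated message at most once, inside a time window.

    Sender and receiver share `key`.  Every message is tagged with an HMAC over
    (timestamp, nonce, body), so a captured message cannot be re-sent with a
    fresh nonce or a newer timestamp to slip past the checks below.
    """

    def __init__(self, key: bytes, window_seconds: int = 30):
        self._key = key
        self._window = window_seconds
        self._seen = {}  # nonce -> timestamp of the message it was accepted with

    def _tag(self, timestamp: int, nonce: str, body: bytes) -> str:
        data = f"{timestamp}|{nonce}|".encode() + body
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def sign(self, body: bytes, timestamp: int, nonce: str) -> dict:
        """Sender side: build a message the receiver can authenticate."""
        return {"ts": timestamp, "nonce": nonce, "body": body,
                "mac": self._tag(timestamp, nonce, body)}

    def verify(self, message: dict, now: int) -> tuple:
        """Receiver side: return (accepted, reason) for a message seen at `now`."""
        expected = self._tag(message["ts"], message["nonce"], message["body"])
        # Check the tag first (constant-time compare) so the timestamp and
        # nonce are only trusted once they are known to be authentic.
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad mac"
        if abs(now - message["ts"]) > self._window:
            return False, "stale timestamp"
        # Nonces of messages that have aged out of the window can be forgotten:
        # the timestamp check already rejects them, so the seen-set stays bounded.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= self._window}
        if message["nonce"] in self._seen:
            return False, "replayed nonce"
        self._seen[message["nonce"]] = message["ts"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard(b"constructed-demo-key")  # shared secret (demo value)
    msg = guard.sign(b"transfer 100", timestamp=1000, nonce=make_nonce())
    print(guard.verify(msg, now=1005))  # first delivery -> (True, 'ok')
    print(guard.verify(msg, now=1006))  # replay -> (False, 'replayed nonce')
```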

    3. Phishing And Spear Phishing Attacks:-

    A phishing attack is the practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing users to do something. It combines social engineering and technical trickery. It could involve an attachment to an email that loads malware onto your computer. It could also be a link to an illegitimate website that can trick you into downloading malware or handing over your personal information. Spear phishing is a very targeted type of phishing activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phishing can be very hard to identify and even harder to defend against. One of the simplest ways that an attacker can conduct a spear phishing attack is email spoofing, which is when the information in the "From" section of the email is falsified, making it appear as if it is coming from someone you know, such as your management or your partner company. Another technique that scammers use to add credibility to their story is website cloning: they copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials.

    4. Drive-by Attack:-

    Drive-by download attacks are a common method of spreading malware. Attackers look for insecure websites and plant a malicious script into the HTTP or PHP code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might redirect the victim to a site controlled by the attackers. Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window. Unlike many other types of cyber security attacks, a drive-by doesn't rely on a user doing anything to actively enable the attack: you don't have to click a download button or open a malicious email attachment to become infected. A drive-by download can take advantage of an app, operating system or web browser that contains security flaws due to unsuccessful updates or lack of updates.

  • Scanning And Vulnerability Gathering

    Vulnerability scanning is a process of proactively identifying network, application and security vulnerabilities. The scanning process includes detecting and classifying system weaknesses in networks, communications equipment, and computers. In addition to identifying security holes, vulnerability scans also predict how effective countermeasures are in case of a threat or attack. A vulnerability scanning service uses a piece of software running from the standpoint of the person or organization inspecting the attack surface in question. The vulnerability scanner uses a database to compare details about the target attack surface.

    A vulnerability scanner allows early detection and handling of known security problems. A new device or even a new system may be connected to the network without authorization. A vulnerability scanner helps to verify the inventory of all devices on the network.

    There are different types of vulnerability identification and assessment techniques:-

    1. Port Scanner:-

    A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify the security policies of their network and by attackers to identify network services running on a host and exploit vulnerabilities.

    A. nmap:-

    Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages.

    For More Information:- https://nmap.org/
    2. Network Vulnerability Scanner:-

    Network vulnerability scanning is an inspection of the potential points of exploit on a network to identify security holes.

    A. Scapy:-

    Scapy is a packet manipulation tool for computer networks, originally written in Python by Philippe Biondi. It can forge or decode packets, send them on the wire, capture them, and match requests and replies. It can also handle tasks like scanning, tracerouting, probing, unit tests, attacks, and network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, and combining techniques.

    For More Information:- https://scapy.net/

    B. Nessus:-

    Nessus is a remote security scanning tool which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to the network. It does this by running over 1200 checks on a given computer, testing to see if any of these attacks could be used to break into the computer or otherwise harm it. Nessus is a paid vulnerability scanner.

    For More Information:- https://www.tenable.com/products/nessus

    C. SAINT:-

    Security Administrator's Integrated Network Tool is computer software used for scanning computer networks for security vulnerabilities and exploiting found vulnerabilities. The SAINT scanner screens every live system on a network for TCP and UDP services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network.

    For More Information:- https://en.wikipedia.org/wiki/SAINT_(software)

    D. OpenVAS:-

    OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management. All OpenVAS products are free software, and most components are licensed under the GNU General Public License. Plugins for OpenVAS are written in the Nessus Attack Scripting Language, NASL.

    For More Information:- https://www.openvas.org/

    3. Web Application Security Scanner:-

    Web application security scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site Scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration.

    A. Nikto:-

    Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received.

    For More Information:- https://cirt.net/Nikto2

    B. w3af:-

    w3af is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for web applications. It provides information about security vulnerabilities for use in penetration testing engagements.

    For More Information:- https://w3af.org/

    4. Database Security Scanner:-

    Database security is about protecting the data held in databases from attackers; there are different tools that can be used for database security.

    A. Scuba Database Scanner:-

    Scuba is a free database security software tool from the vendor Imperva that is used for analyzing more than 2,000 common problems such as weak passwords, known configuration risks, and missing patches on a range of database platforms. Scuba is used across enterprises as a database patching enhancer.

    B. MSSQL DataMask:-

    MSSQL Data Mask provides developers the ability to mask data for development, testing, or outsourcing projects involving SQL Server databases. MSSQL Data Mask has tools that are categorized for data masking and is used for protecting data that is classified as personally identifiable data, sensitive personal data or commercially sensitive data.

    For More Information:- https://download.cnet.com/MSSQL-DataMask/3000-2144_4-75185204.html

    5. Host Based Vulnerability Scanner:-

    A host-based scanner is installed on every host in the system that you want to monitor. Host-based vulnerability assessment tools can provide insight into the potential damage that can be done by insiders and outsiders once some level of access is granted or taken on a system.

    A. Lynis:-

    Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and has been available since 2007.

    For More Information:- https://cisofy.com/lynis/

    B. ovaldi:-

    The OVAL Interpreter is a freely available reference implementation that demonstrates the evaluation of OVAL Definitions. Based on a set of OVAL Definitions the interpreter collects system information, evaluates it, and generates a detailed OVAL Results file.

    For More Information:- https://oval.mitre.org/

    6. ERP Security Scanner:-

    An ERP system is computer software that serves to unify the information used to manage an organization, including Production, Supply Chain Management, Financial Management, Human Resource Management, Customer Relationship Management and Enterprise Performance Management.

    A. ERPScan:-

    ERPScan SAP Pentesting Tool is freeware intended for pentesters and security professionals. With its help you can conduct penetration testing and vulnerability assessment of SAP systems using black box testing methodologies. You do not need to have any information or credentials for the target system; all the necessary data will be collected by the SAP Pentesting Tool.

    For More Information:- https://erpscan.io/research/free-pentesting-tools-for-sap-and-oracle/

  • DNS Enumeration

    DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration will yield usernames, computer names, and IP addresses of potential target systems.

    Types of enumeration that use DNS include the following:-

    1. Standard Record Enumeration:-

    In order to perform standard DNS enumeration with DNSRecon, the command to use is:

    ./dnsrecon.py -d <domain>

    2. Zone Transfer:-

    The security problem with DNS zone transfer is that it can be used to decipher the topology of a company network. Specifically, when a user performs a zone transfer it sends a DNS query to list all DNS information such as name servers, host names, MX and CNAME records, the zone serial number, Time to Live values etc. Due to the amount of information that can be obtained, open DNS zone transfers are not easily found nowadays. However, DNSRecon provides the ability to perform zone transfers with the commands:

    ./dnsrecon.py -d <domain> -a or ./dnsrecon.py -d <domain> -t axfr

    3. Reverse Lookup:-

    Reverse DNS lookup is the determination of the domain name associated with an IP address. DNSRecon can perform a reverse lookup for PTR records against IPv4 and IPv6 address ranges; for this, ./dnsrecon.py -r <startIP-endIP> must be used. A reverse lookup can also be performed against all ranges in SPF records with the command ./dnsrecon.py -d <domain> -s

    4. Domain Brute-Force:-

    For performing this technique all we have to do is give a name list, and DNSRecon will try to resolve the A, AAAA and CNAME records against the domain by trying each entry one by one. In order to run the Domain Name Brute-Force we need to type:

    ./dnsrecon.py -d <domain> -D <namelist> -t brt

    5. Cache Snooping:-

    DNS cache snooping occurs when a DNS server has a specific DNS record cached. This DNS record will often reveal plenty of information. However, DNS cache snooping does not happen very often. The command that can be used in order to perform cache snooping is the following:-

    ./dnsrecon.py -t snoop -n <server> -D <dict>

    6. Zone Walking:-

    This technique may unveil internal records if the zone is not configured properly. The information that can be obtained can help us map network hosts by enumerating the contents of a zone. In order to perform zone walking we need to type the command:

    ./dnsrecon.py -d <host> -t zonewalk

  • Load Balance Detection

    Load Balancing Detector is a tool that checks whether a given domain uses DNS and/or HTTP load balancing. The tool is a proof of concept and can hence produce false positives.

  • Web Application Firewall Detection

    Web Application Firewall:-

    A Web Application Firewall is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

    Fingerprinting:-

    Fingerprinting is the method used to gather as much information about the target as possible. The most common method for pentesters is to fingerprint the target's web presence. With this fingerprinting the pentester can develop an accurate attack scenario, which will find vulnerabilities further on according to ethical hacking.

    Web Application Firewall Detection Tools:-

    1. http-waf-detect:-

    There are tools that help you detect if the website you are looking at has any form of IPS or IDS. This one is not 100% accurate, but it can identify Apache ModSecurity, Barracuda Web Application Firewall, PHPIDS, dotDefender, Imperva Web Firewall and Blue Coat SG 400. This script is used with the Nmap tool.

    # nmap -p80 --script=http-waf-detect <host>

    2. telnet:-

    Telnet is a tool mostly used by network administrators. Telnet allows you to connect to a remote computer on any port, as mentioned. Many web application firewalls leave HTTP parameters in response headers; with the help of telnet you can find basic fingerprinting information like the server and cookies, which can be used in fingerprinting.

    # telnet <host> <port>

    3. wafw00f:-

    wafw00f is the most well-known tool to detect web application firewalls. wafw00f sends HTTP requests that identify the web application firewall.

    For More Information:- https://github.com/EnableSecurity/wafw00f.git

  • Information Gathering

    Information gathering is an important part of penetration testing. It collects information such as: critical assets or web applications that belong to the client or victim, which help an attacker gain access; related domains and subdomains of the client or victim, among which hidden domains with login pages may be found that help to gain access; the registration details of each domain; the server architecture of the applications running on these web applications, which reveals which versions are running on the victim's server and helps with exploitation; other web applications running on the same server as the target domain, since access to another web application can help to gain access to the victim's web application; and older snapshots of the web application, which help to understand its workings and other information about the victim's web application.

    Below are tools that can be used for Information Gathering:-

    Information Gathering Tools:-

    A. Maltego:-

    Maltego is an open source intelligence (OSINT) and link analysis tool for gathering and connecting information for investigative tasks. It is an inbuilt tool in Kali Linux. Maltego can be used for the information gathering phase of all security-related work. It will save you time and will allow you to work more accurately and smarter. Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.

    B. Search Engines (Google Hacking):-

    With the help of Google we can find advisories and vulnerabilities, error messages that give away far too much information, files containing confidential information, files containing passwords, files containing usernames, footholds helping an attacker get into a web server, sites containing admin login portal pages, sensitive directories, devices connected to the web application, and sometimes even live webcams exposed on the internet (for example with the query inurl:/view/index.shtml). There is also a Google cheat sheet in which users can find information like the above. For more information on the Google cheat sheet: https://www.webfx.com/blog/wp-content/uploads/2016/11/infographic-google-final-fixed-1.png

    C. WhatWeb:-

    WhatWeb is a next generation web scanner. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

    Download Tool:- http://whatweb.net

    D. HttpRecon:-

    HTTPRecon or HTTP Fingerprinting is a tool developed by computec.ch and modified by w3dt to help return highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. HTTPRecon improves the ease and efficiency of server HTTP fingerprinting/identification and this kind of enumeration. Traditional approaches such as banner-grabbing, status code enumeration and header ordering analysis are used; however, many other analysis techniques have been introduced to HTTPRecon to help increase the possibilities of accurate web server fingerprinting. Some of these methods have been discussed in the book "Die Kunst des Penetration Testing".

    For More Information:- https://w3dt.net/tools/httprecon

    E. SSL Scan:-

    This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. sslscan queries SSL/TLS services and reports the protocol versions, cipher suites, key exchange, signature algorithms and certificates in use. This helps the user understand which parameters are weak from a security standpoint. For More Information:- https://www.ssllabs.com/ssltest/

    F. host:-

    host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.

    G. Fierce:-

    Fierce is a semi-lightweight DNS scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, OpenVAS, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware. For More Information:- https://tools.kali.org/information-gathering/fierce

    H. sslstrip:-

    sslstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and then maps those links into look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For More Information:-

    https://github.com/moxie0/sslstrip

    I. whois:-

    whois is a protocol that queries and receives responses from the databases that store the registration information of a domain or an IP address. whois is also a tool in Kali Linux which helps the user guess the right server to ask for the specified object. If no guess can be made, it will connect to the servers for IPv4 addresses and network names. For More Information:- https://www.whois.com/

    J. Reverse IP Lookup:-

    A reverse IP lookup looks up an IP address and gives a list of all domains running on the same server. For More Information:- https://reverseip.domaintools.com/
  • Download Resume

    ADDRESS

    Alibag, Raigad, Maharashtra

    EMAIL

    amey36.patil@gmail.com

    PHONE

    +91-9823708583

    Social Media