Sunday, January 27, 2019

Cisco Iperf Equivalent or Cisco-based Bandwidth Testing

by Scott Hebert

If you've worked on networks long enough, you're probably familiar with Iperf. This application is great for testing throughput between two computers on your network. Unfortunately, if you find yourself in a situation where you have fewer than two computers to test with, Iperf is less than ideal.
Fortunately, Cisco includes TTCP (Test TCP) on most of its IOS platforms. TTCP is a networking tool for measuring throughput between two systems. It is very similar to Iperf, and most users accustomed to Iperf should find TTCP easy to work with.
Be aware that the ttcp command is hidden in Cisco IOS: it will not appear in the normal command lists or in context-sensitive help, but it runs from privileged EXEC mode. Like Iperf, you need to set up both a transmitting side and a receiving side; either side can be a PC running a ttcp client or a Cisco device. Keep in mind that when a router is one end of the test, it generates or terminates the test stream in software, so the result is bounded by the device's CPU and understates what the forwarding path can actually carry. For more information, see Cisco's Using Test TCP (TTCP) to Test Throughput.
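As an added example (not code from the original post or from Cisco), here is a minimal TTCP/iperf-style throughput test in Python. One side listens and counts bytes, the other connects and streams a fixed amount, and throughput is computed from bytes moved over elapsed time, which is the same measurement TTCP reports. The loopback run at the bottom is a constructed demonstration; to measure a real link, start receiver() on one host and point transmit() at its address.

```python
"""Minimal TTCP/iperf-style throughput test in pure Python (added example).

Receiver: accept one connection and count bytes until the peer closes.
Transmitter: connect, send a fixed number of bytes, close.
Throughput = bytes * 8 / seconds, reported in Mbit/s as iperf does.
"""
import socket
import threading
import time


def receiver(sock: socket.socket, result: dict) -> None:
    """Accept one connection on an already-listening socket and count bytes."""
    conn, _ = sock.accept()
    total = 0
    start = time.perf_counter()
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:           # peer closed: transfer complete
                break
            total += len(chunk)
    result["bytes"] = total
    result["seconds"] = time.perf_counter() - start


def transmit(host: str, port: int, nbytes: int, bufsize: int = 8192) -> float:
    """Connect to the receiver, stream nbytes of zeros, return elapsed seconds."""
    payload = b"\x00" * bufsize
    start = time.perf_counter()
    with socket.create_connection((host, port)) as conn:
        remaining = nbytes
        while remaining > 0:
            n = min(bufsize, remaining)
            conn.sendall(payload[:n])
            remaining -= n
    return time.perf_counter() - start


def mbps(nbytes: int, seconds: float) -> float:
    """Throughput in megabits per second (10^6 bits, iperf convention)."""
    if seconds <= 0:
        raise ValueError("elapsed time must be positive")
    return nbytes * 8 / seconds / 1_000_000


def loopback_test(nbytes: int = 4 * 1024 * 1024) -> dict:
    """Constructed demo: run both sides on 127.0.0.1 and return the measurement."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port, no conflicts
    srv.listen(1)
    port = srv.getsockname()[1]
    result: dict = {}
    t = threading.Thread(target=receiver, args=(srv, result))
    t.start()
    tx_seconds = transmit("127.0.0.1", port, nbytes)
    t.join()
    srv.close()
    result["tx_seconds"] = tx_seconds
    result["mbps"] = mbps(result["bytes"], result["seconds"])
    return result


if __name__ == "__main__":
    r = loopback_test()
    print(f"received {r['bytes']} bytes in {r['seconds']:.3f}s "
          f"= {r['mbps']:.1f} Mbit/s")
```

Loopback numbers only show that the tool works; a real measurement needs the two ends on the path you care about, and, as with TTCP on a router, a slow endpoint will cap the result before the link does.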

Sunday, January 13, 2019

Have your s*it together

It’s hard to nail down exactly what it means to “have your shit together,” but you always know when you meet someone who does.
These people are functional and competent, but never pretentious or elitist. They make their beds and do their jobs and always seem to be level-headed about all the nonsense the rest of us conflate into huge crises.
No matter what your personal goals are, at the root of them all, you just want to have your shit together too.
But, while this might be hard to believe, the truth is that nobody really has it all together—not entirely, not all the time. But aspiring to function well in your life, own personal responsibility, have real diplomacy and social grace, a healthy temperament, and other similar traits is definitely noble, if not crucial, to being well-received by the world.
Therefore, here is your official cheat sheet to getting your shit together… or at the very least, convincing everyone else you do.

1. Have a Uniform Style

Decide what you love and then wear it often. Either have a signature scent, accessory, or color scheme that sets you apart. When people see you, your appearance should align with who you say you are and what you say you care about. Your style should match your personality, and it should stay as consistent as possible. Think of CEOs who wear the same thing every day or cartoon characters who stay in the same clothes. People respond well to consistency.

2. Don’t Flaunt Weaknesses

If you don’t want people thinking your life is a hot mess, then stop talking about it being a hot mess on every platform every chance you can. There’s a huge, enormous, world-altering difference between being authentic and capitalizing on your struggles to earn sympathy or whatever else some dark corner of your mind thinks you’re achieving by complaining every hour of the day. You can keep it real without overemphasizing what you’re not that great at. What you share is what builds other people’s image of you.

3. Stop Oversharing

On the same note, realize that the 2012-2014 era of confessional essays is over. Not every single person online and in your personal life needs to know every single detail about your life. Not only that, but they don’t even want to know. If you feel truly moved to share your struggle in some part of your life hoping it will be therapeutic and help another person going through it—amazing, please do that. But if you are just constantly telling people way more information than is appropriate to share, it might seem as though you don’t understand healthy boundaries.

4. Keep Things Clean

This might seem really obvious, but it’s totally overlooked: People who have their shit together have one really simple thing in common—they are always clean. They clean themselves, their spaces, and their belongings. They take care of themselves, their spaces, and their belongings. This doesn’t require much money and really only minimal effort. Keeping your life a little more tidy and organized will go a really long way.

5. Assume What You Say in Private Is Actually Public

I’m not saying nobody is trustworthy, but we are all dealing with what I’m going to call the “one person” phenomenon. Every single time you tell a secret or important information to someone, if it’s interesting enough, they will tell their one person. Then that person will tell their one person. Ultimately, what you tell one person is what you tell everyone at the end of the day—so don’t say anything in private you do not want repeated in public.

6. Minimize Drama

Instead of being someone who creates drama and issues, be someone who problem solves and innovates with new ideas. Instead of creating more chaos around a disagreement or issue, create a solution.

7. Talk About Things, Not Other People

Other people and their lives are not topics of conversation. This is a lazy way to forge connection with others if you have nothing more important or interesting to discuss. Ultimately, being a gossip isn’t a good look. It makes you seem vindictive and judgmental. Find things to talk about that aren’t other people’s business. Your relationships will be better for it.

8. Be Clear About Who You Are

For people to respect you, they first have to understand you, and that really begins with your language and approach to explaining yourself, both online and in person. In general, you should have a single sentence explanation that adequately sums up what you do professionally and then another that sums up what you’re interested in personally. If you can’t sum it up easily, you’re assuming your life is too complex and nuanced—but you’re achieving the opposite effect than you desire because you’ll just seem sort of lost.

9. Don’t Act Like an Authority When You’re Not

We do one another a disservice by insisting on answering immediately and impulsively in conversations and arguments. This is not how brains work. This is also not how intelligent people behave. Instead of spewing out whatever first comes to mind when you’re questioned about something, pause, think about what you want to say, and calmly express that you haven’t done enough research or hold enough expertise to speak on it with authority, but you’d like to share your opinion or viewpoint. And what isn’t in your authority? Anything you’re not an actual expert in or don’t have personal, direct experience with. So most things you talk about—but that’s okay. The point is to share opinions with one another to generate more conversation, not to convince one another about what’s absolute fact.

10. Keep Your Composure

People who fly off the handle at every little thing do not seem strong and tough, they seem weak and weak-willed. Anger is like gasoline when there’s some kind of friction between people. It raises people’s defenses and pushes a resolution farther away. If nobody else can manage it, be the person in the room who can keep their composure and speak clearly and calmly.

11. Stop Complaining

Complaining isn’t venting. Venting is what you do when you need to get something off your chest. If you have to vent every single time you see one of your friends, there’s something wrong. Otherwise, you’re just in the habit of complaining, and you need to get out of it. It’s ungrateful and, a lot of the time, shortsighted. If you really think about it, you have a lot more to appreciate than you have to stress about, but emphasizing the latter will make your life seem worse than it is, and that’s not what you want.

12. Have Principles

Principles are the rules and guidelines you use to govern and manage your life. If you value relationships, prioritize them by principle. If you want to improve your self-care, do it regularly by principle. No, you will not always want to wash your face, put on moisturizer, or drink another glass of water when you need to. But if you succumb to your impulses all the time, you’ll end up a shell of the person you’re meant to be—all because you don’t have principles.

13. Receive Help When You Need Help

Behaving as though you can do absolutely everything yourself limits you. When you need help, you need help. Ask for it, receive it, and understand that it does not make you less dignified.

14. But Remember You’re Responsible for You

You are ultimately responsible for whatever experience of life you want to have. You are responsible for your electric bill, for how well you keep up with current events, for how you interact with others, for how well you do at work, and for how much you sleep. You have to take an active role in your life, not a passive one. Don’t think and act like life is just happening to you and you have to accept it. Start taking creative control.

15. Compliment Others

Your willingness to uplift others is a sign of real confidence. People who are not happy with themselves cannot be happy with others. And there’s even more benefit to you because the more you are willing to affirm and love others, the more you are going to see yourself with more love and appreciation. Remember, your relationships with others are reflections of your greatest relationship—which is the one you have with yourself.

16. Organize Your Paperwork, Clean Your Linens, and Know How to Cook At Least One Meal

Absolutely no adult is beyond this.

17. Be Aware of Your Finances

If you don’t want to be the person who questions whether their card will be declined somewhere, make sure you’re checking on your accounts before you actually go out and spend money. You should know your debts, your incomes, and your goals. You shouldn’t be in the dark about your financial health.

18. Know Your Limits

Feed yourself when you’re hungry; rest when you’re tired; know how to gracefully bow out of a social situation, relationship, house party or job when you need to. If you wait until you’ve passed your limits, you’re going to burn out and burn bridges at the same time.

19. Stop Thinking Everyone’s Thinking About You—They’re Not

In the age of social media, it’s easy to fall victim to the spotlight complex, which is the idea that everyone is thinking about you and evaluating your life decisions frequently. They aren’t. Everyone is thinking about themselves all the time, in the same way that you are thinking about yourself all the time. Those coincidences you’re so sure mean everyone deeply cares about the intricacies of your life? It’s probably confirmation bias, your brain’s way of filtering information to affirm what it already believes. The first step to being self-aware is recognizing that other people’s thoughts do not revolve around you.

20. Keep It Simple

People who are able to simplify their lives come across as sophisticated. People who complicate their lives do not. People who have their shit together are able to live simply, to enjoy simple things, to show up as they are, and to sort through issues with clarity.
Most importantly, remember that the point of getting your shit together is to make your life easier and more enjoyable—not to impress anyone else. But like most anything else, getting your shit together is a matter of faking it until you make it, and this is the best place to start.
France Telecom SFR call for change

France Telecom-Orange CEO, Stephane Richard calls for reforms in telecommunications

France Telecom-Orange, reforms in Europe
The regulatory framework for European telecommunication providers needs to change completely if Europe is to keep up with the US in promoting faster wireless data networks, according to France Telecom-Orange CEO Stephane Richard. Speaking to CNBC at the Mobile World Congress in Barcelona, Richard said 2013 would see the deployment of high-speed broadband services across the continent, including 4G services and the roll-out of FTTH (fiber-to-the-home) programs, reports Globalpost.
If telecommunication companies are to provide such services, Richard claimed, the current regulatory framework needs to go.

"Regulation in the past 15 years has led towards a single purpose," Richard said, "which is to provide a short-term benefit for the consumer. That's it. Today, this continent realizes that the industry is weak, that the main operators are in weak positions, the markets don't like them, and they are still indebted." "At the same time we need a lot of money and resources to provide connectivity to Europe. Everyone wants Europe to be a connected continent for the future," he added.
With around 140 operators in Europe, compared to just four in the USA and three in China, Richard said regulators should stop increasing the number of competitors in the market. He also called for a more "sensible" approach to pressing issues and a focus on investment. "They should be sensible in the way they are selling spectrum," Richard said. "They should be sensible in the way they levy taxes. They should provide incentives and plans in order to help the industry to invest in the network. Now, we have to think in terms of financing investments in the networks in a joint initiative by private operators and governments."

Richard's comments come after the European Telecommunications Network Operators' Association, which represents 37 carriers, announced it will ask the European Commission to allow more mergers across the continent. Richard's attack on the regulatory framework was echoed by René Obermann, the CEO of Deutsche Telekom, although his German counterpart was more optimistic about changes occurring sooner rather than later.

While Obermann said the European Commission had run a "wrong regulatory regime" that was unfriendly towards investors for many years, Neelie Kroes, the European Commissioner for the Digital Agenda, was a welcome change. "She sees that this regulatory regime is not going to lead anywhere," Obermann told CNBC. "The digital agenda for Europe is not going to happen unless she makes changes, and she is willing to make those changes. She has announced a very good agenda for the years to come and I hope that this gets translated fast into the national regulatory regimes."

Information from "SV-consulting". According to the National Commission for the State Regulation of Communications and Informatization, there are 1,738 telecommunications operators and 660 telecommunications providers in Ukraine.

Tuesday, January 8, 2019

CP-79xx series vulnerable to XSS (10/2018)


Details

cisco-cve201815434-xss (150750)   reported Oct 3, 2018

Cisco Unified IP Phone 7900 Series is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's web browser within the security context of the hosting site once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. The flaw is reflected, so it requires an administrator with access to the phone's web interface to open the attacker's link.

Workaround:
Disable web access for the phones in CUCM (the phone's Web Access setting) and enable it only when it is actually needed. Removing the interface from the network is more reliable than depending on administrators never clicking a crafted link.

Monday, January 7, 2019

Sogu - PlugX Malware Detection


Full Code Repository:
https://github.com/DHS-NCCIC/Sogu/SoguFileSearch.psm1

PS> Import-Module .\SoguFileSearch.psm1
 
ShowFileNames         Displays a list of all possible Sogu log filenames generated for each drive.

CustomSerial          1. Displays a list of all possible Sogu log filenames generated based on the 
                      Serial Number provided by the user. 
                      2. A user can provide a single or list of serials in the form of an array in the powershell 
                      console or a user generated text file.
                      3. If the Serial Number entered does not correlate to an active local drive on the machine 
                      the user is prompted with an error message.
                      4. The Serials used in the examples for this parameter will cause the script to throw an error, 
                      unless a drive is found with a serial that matches.
                      
SearchFiles           1. Searches the filesystem for the presence of Sogu log files.
                      2. Information for each file is saved as an object in a hashtable named output.
                      3. The output hashtable separates the file information based on the presence/absence of each Sogu log on disk.
                      4. The information collected by this option can be exported to log files for review.

Examples

Import module for use and display a list of Sogu file names generated based on local disk serial numbers.
PS> Get-SoguFileNames -ShowFileNames
Displays a list of Sogu file names based on a single serial number provided by the user.
PS> Get-SoguFileNames -CustomSerial AAAAAAAA
Displays a list of Sogu file names based on a list of serial numbers provided by the user in the powershell console.
PS> $Serials = @('AAAAAAAA','BBBBBBBB','CCCCCCCC','DDDDDDDD')
PS> foreach($Serial in $Serials) { Get-SoguFileNames -CustomSerial $Serial }
Display a list of Sogu file names based on a list of serial numbers provided by the user in a text file.
PS> $Serials = Get-Content
PS> foreach($Serial in $Serials) { Get-SoguFileNames -CustomSerial $Serial }
Searches the drives for files with the generated names and saves the output to a variable.
PS> $SoguFiles = Get-SoguFileNames -ShowFileNames -SearchFiles

The following commands explain how to display the output or pipe the data to a log file.

Displays the "FilesFound" output from the $SoguFiles variable created in the example above.
PS> $SoguFiles.FilesFound 
  Displays the "FilesNotFound" output from the $SoguFiles variable created in the example above.
PS> $SoguFiles.FilesNotFound
Export the "FilesFound" output from the $Sogufiles variable to a log file.
PS> $SoguFiles.FilesFound | Out-File -FilePath \.txt
Export the "FilesNotFound" output from the $Sogufiles variable to a log file.
PS> $SoguFiles.FilesNotFound | Out-File -FilePath \.txt
 
 
Sample PowerShell output (one local drive, serial 801221BF):
 
Drive D: (801221BF) ------------------------------------------------------
Type1 CC VictimID       HD Serial 801221BF   Filename: qcrugzwgvzacyug
Type1 CX ConfigBlock    HD Serial 801221BF   Filename: vtzxxqtzff
Type1 KL KeylogCache    HD Serial 801221BF   Filename: bnpnzw
Type1 HZ LearnedProxies HD Serial 801221BF   Filename: rmvfafwy
Type2 CC VictimID       HD Serial 801221BF   Filename: qwxfxwmgweywtbv
Type2 CF ConfigBlock    HD Serial 801221BF   Filename: nvponiqvlfnx
Type2 KL KeylogCache    HD Serial 801221BF   Filename: bhrgxm
Type2 HP LearnedProxies HD Serial 801221BF   Filename: blukacjozrqzpskuxh 
 
 
 
LICENSE: https://github.com/DHS-NCCIC/Sogu/LICENSE.md
 
The Detection Tool for PlugX Malware (Technology) is a work developed by the U.S. Government Agency and its contractors and provided to the Department of Homeland Security, Office of Cybersecurity and Communications (CS&C). Pursuant to the Federal Acquisition Regulation, the United States Government has unlimited rights in the copyright in the Technology, which is sufficient to allow end users to download, access, install, copy and use the Technology for its intended purpose. The Technology is subject to United States Copyright law.
 

Sunday, January 6, 2019

APT Defenses (Advanced Persistent Threat: cybercrime, military and government malware)

Network Architecture

Restricting access to networks and systems is critical to containing an APT actor’s movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.

Virtual Private Network Connection Recommendations
  • Use a dedicated Virtual Private Network (VPN) for the managed service provider (MSP) connection. The organization’s local network should connect to the MSP via a dedicated VPN. The VPN should use certificate-based authentication and be hosted on its own device.
  • Terminate VPN within a demilitarized zone (DMZ). The VPN should terminate within a DMZ that is isolated from the internal network. Physical systems used within the DMZ should not be used on or for the internal network.
  • Restrict VPN traffic to and from MSP. Access to and from the VPN should be confined to only those networks and protocols needed for service. All other internal networks and protocols should be blocked. At a minimum, all failed attempts should be logged.
  • Update VPN authentication certificates annually. Update the certificates used to establish the VPN connection no less than annually. Consider rotating VPN authentication certificates every six months.
  • Ensure VPN connections are logged, centrally managed, and reviewed. All VPN connection attempts should be logged in a central location. Investigate connections using dedicated certificates to confirm they are legitimate.
Network Architecture Recommendations
  • Ensure internet-facing networks reside on separate physical systems. All internet-accessible network zones (e.g., perimeter network, DMZ) should reside on their own physical systems, including the security devices used to protect the network environment.
  • Separate internal networks by function, location, and risk profile. Internal networks should be segmented by function, location, and/or enterprise workgroup. All communication between networks should use Access Control Lists and security groups to implement restrictions.
  • Use firewalls to protect server(s) and designated high-risk networks. Firewalls should reside at the perimeter of high-risk networks, including those hosting servers. Access to these networks should be properly restricted. Organizations should enable logging, using a centrally managed logging system.
  • Configure and enable private Virtual Local Area Networks (VLANs). Enable private VLANs and group them according to system function or user workgroup.
  • Implement host firewalls. In addition to the physical firewalls in place at network boundaries, hosts should also be equipped and configured with host-level firewalls to restrict communications from other workstations (this decreases workstation-to-workstation communication).
Network Service Restriction Recommendations
  • Only permit authorized network services outbound from the internal network. Restrict outbound network traffic to only well-known web browsing services (e.g., Transmission Control Protocol [TCP]/80, TCP/443). In addition, monitor outbound traffic to ensure the ports associated with encrypted traffic are not sending unencrypted traffic.
  • Ensure internal and external Domain Name System (DNS) queries are performed by dedicated servers. All systems should leverage dedicated internal DNS servers for their queries. Ensure that DNS queries for external hosts using User Datagram Protocol (UDP)/53 are permitted for only these hosts and are filtered through a DNS reputation service, and that outbound UDP/53 network traffic by all other systems is denied. Ensure that TCP/53 is not permitted by any system within the network environment. All attempts to use TCP/53 and UDP/53 should be centrally logged and investigated.
  • Restrict access to unauthorized public file shares. Access to public file shares that are not used by the organization—such as Dropbox, Google Drive, and OneDrive—should be denied. Attempts to access public file share sites should be centrally logged and investigated. Recommended additional action: monitor all egress traffic for possible exfiltration of data.
  • Disable or block all network services that are not required at the network boundary. Only those services needed to operate should be enabled and/or authorized at network boundaries. The TA lists these as typically limited to TCP/137, TCP/139, and TCP/445; note that these are NetBIOS/SMB ports, which should be reachable only across the dedicated MSP VPN described above and never exposed at the internet edge. Additional services may be needed depending on the network environment; these should be tightly controlled to send and receive only from specific whitelisted Internet Protocol addresses, if possible.
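The DNS and outbound-service rules above are easy to state and hard to keep honest without looking at the boundary logs. The following added example (written for this page, not part of the TA) audits firewall log lines against those rules: any TCP/53 is a finding, UDP/53 is allowed only from the dedicated internal resolvers, and everything else outbound must be on an authorized port. The key=value log format, the resolver addresses and the sample lines are constructed for the example; adjust LOG_RE to your firewall's format.

```python
"""Egress-log audit for the DNS and outbound-service restrictions (added example).

Assumptions (constructed for this example):
  * log lines carry src=, dst=, proto=, dport= and action= fields;
  * the lines come from the internet-boundary firewall, so every dst is external;
  * 10.0.0.53/10.0.0.54 are the only hosts that may send DNS queries outbound.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

INTERNAL_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.0.54"}          # assumed
AUTHORIZED_OUTBOUND: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443)}

RULE_TCP53 = "tcp53"                       # never permitted (zone transfer / DNS tunnel)
RULE_UDP53_NON_RESOLVER = "udp53-non-resolver"   # host bypassing the internal resolvers
RULE_UNAUTHORIZED_PORT = "unauthorized-port"     # outbound service not on the allow list


def audit_egress(lines: Iterable[str],
                 resolvers: Set[str] = INTERNAL_RESOLVERS,
                 authorized: Set[Tuple[str, int]] = AUTHORIZED_OUTBOUND
                 ) -> List[Dict[str, str]]:
    """Return one finding per rule-breaking log line, in log order.

    Denied attempts are reported as well: a blocked UDP/53 from a workstation
    still means something on that host is trying to resolve names on its own.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:                    # unparseable line: skip, not a finding
            continue
        src, dst, proto = m["src"], m["dst"], m["proto"]
        dport, action = int(m["dport"]), m["action"]
        if proto == "tcp" and dport == 53:
            rule = RULE_TCP53
        elif proto == "udp" and dport == 53:
            if src in resolvers:
                continue             # resolvers are the only permitted DNS clients
            rule = RULE_UDP53_NON_RESOLVER
        elif (proto, dport) in authorized:
            continue
        else:
            rule = RULE_UNAUTHORIZED_PORT
        findings.append({"rule": rule, "src": src, "dst": dst, "proto": proto,
                         "dport": str(dport), "action": action})
    return findings


def by_source(findings: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Findings per source host, to pick which machines to look at first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


# Constructed sample lines, not taken from any real device.
SAMPLE_LOG = [
    "2019-01-06T10:00:01Z src=10.0.0.53 dst=198.51.100.10 proto=udp dport=53 action=allow",
    "2019-01-06T10:00:02Z src=10.1.2.3 dst=198.51.100.10 proto=udp dport=53 action=deny",
    "2019-01-06T10:00:03Z src=10.1.2.4 dst=203.0.113.5 proto=tcp dport=53 action=allow",
    "2019-01-06T10:00:04Z src=10.1.2.5 dst=203.0.113.6 proto=tcp dport=443 action=allow",
    "2019-01-06T10:00:05Z src=10.1.2.6 dst=203.0.113.7 proto=tcp dport=4444 action=allow",
]

if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f['rule']:<20} {f['src']:<12} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['action']})")
    print(by_source(audit_egress(SAMPLE_LOG)))
```

Run against a day of boundary logs, the three rule names map directly onto the three bullets above, and the per-source counts give the SIEM a host list to alert on rather than a flood of individual lines.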

Authentication, Authorization, and Accounting

Compromised account credentials continue to be the number one way threat actors penetrate a network environment. The accounts organizations create for suppliers increase the risk of credential compromise, as some supplier accounts require elevated access.
It is important that organizations adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.

Account Configuration Recommendations
  • Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the Enterprise Administrator (EA) or Domain Administrator (DA) groups.
  • Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
  • Ensure MSP account passwords adhere to organizational policies. Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
  • Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
  • Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. Additionally, if MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
  • Use a network architecture that includes account tiering. By using an account tiering structure, higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
Logging Configuration Recommendations
  • Enable logging on all network systems and devices and send logs to a central location. All network systems and devices should have their logging features enabled. Logs should be stored both locally and centrally to ensure they are preserved in the event of a network failure. Logs should also be backed up regularly and stored in a safe location.
  • Ensure central log servers reside in an enclave separate from other servers and workstations. Log servers should be isolated from the internet and network environment to further protect them from compromise. The firewall at the internal network boundary should only permit necessary services (e.g., UDP/514).
  • Configure local logs to store no less than seven days of log data. The default threshold for local logging is typically three days or a certain file size (e.g., 5 MB). Configure local logs to store no less than seven days of log data. Seven days of logs will cover the additional time in which problems may not be identified, such as holidays. In the event that only size thresholds are available, NCCIC recommends that this parameter be set to a large value (e.g., 512 MB to 1024 MB) to ensure that events requiring a high amount of log data, such as brute-force attacks, can be adequately captured.
  • Configure central logs to store no less than one year of log data. Central log servers should store no less than a year’s worth of data prior to being rolled off. Consider increasing this capacity to two years, if possible.
  • Install and properly configure a Security Information and Event Management (SIEM) appliance. Install a SIEM appliance within the log server enclave. Configure the SIEM appliance to alert on anomalous activity identified by specific events and on significant deviations from baselined activity.
  • Enable PowerShell logging. Organizations that use Microsoft PowerShell should ensure it is upgraded to the latest version (minimum version 5) to use the added security of advanced logging and to ensure these logs are being captured and analyzed. PowerShell 5’s features include advanced logging (module and script block logging), interaction with application whitelisting (if using Microsoft’s AppLocker), constrained language mode, and malicious-script detection through the Antimalware Scan Interface. These features help protect an organization’s network by limiting what scripts can be run, logging all executed commands, and scanning all scripts for known malicious behaviors.
  • Establish and implement a log review process. Logs that go unanalyzed are useless. It is critical to network defense that organizations establish a regular cycle for reviewing logs and developing analytics to identify patterns.

Operational Controls

Building a sound architecture supported by strong technical controls is only the first part to protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.

Operational Controls Recommendations

  • Create a baseline for system and network behavior. System, network, and account behavior should be baselined to make it easier to track anomalies within the collected logs. Without this baseline, network administrators will not be able to identify the “normal” behaviors for systems, network traffic, and accounts.
  • Review network device configurations every six months. No less than every six months, review the active configurations of network devices for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.
  • Review network environment Group Policy Objects (GPOs) every six months. No less than every six months, review GPOs for unauthorized settings (consider reviewing more frequently). Baseline configurations and their checksums should be stored in a secure location and be used to validate files.
  • Continuously monitor and investigate SIEM appliance alerts. The SIEM appliance should be continuously monitored for alerts. All events should be investigated and documented for future reference.
  • Periodically review SIEM alert thresholds. Review SIEM appliance alert thresholds no less than every three months. Thresholds should be updated to reflect changes, such as new systems, activity variations, and new or old services being used within the network environment.
  • Review privileged account groups weekly. Review privileged account groups—such as DAs and EAs—no less than weekly to identify any unauthorized modifications. Consider implementing automated monitoring for these groups.
  • Disable or remove inactive accounts. Periodically monitor accounts for activity and disable or remove accounts that have not been active within a certain period, not to exceed 30 days. Consider including account management into the employee onboarding and offboarding processes.
  • Regularly update software and operating systems. Ensuring that operating systems and software are up to date is critical for taking advantage of a vendor’s latest security offerings. These offerings can include mitigating known vulnerabilities and offering new protections (e.g., credential protections, increased logging, enforcing signed software).
It is important to note that—while the recommendations provided in this TA aim at preventing the initial attack vectors and the spread of any malicious activity—there is no single solution to protecting and defending a network. NCCIC recommends network defenders use a defense-in-depth strategy to increase the odds of successfully identifying an intrusion, stopping malware, and disrupting threat actor activity. The goal is to make it as difficult as possible for an attacker to be successful and to force them to use methods that are easier to detect with higher operational costs.
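The two six-monthly review items above (network device configurations and GPOs) both come down to the same mechanic: hash the known-good artifacts, store the hashes somewhere an intruder cannot rewrite, and diff against them at review time. The following is an added example written for this page, not tooling from NCCIC or the TA. It hashes each configuration file, seals the hash list with an HMAC so the stored baseline itself cannot be quietly edited to match a changed file, and classifies drift as modified, added or removed. The file contents, names and key in demo() are constructed.

```python
"""Configuration baseline with sealed checksums (added example).

build_baseline(): SHA-256 of every config/GPO export you consider known-good.
seal()/unseal(): HMAC the baseline so that anyone who can edit the stored
                 hash list still cannot forge a matching tag without the key.
compare():       classify what changed on disk since the baseline.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Map each config path to its SHA-256 digest."""
    return {p: sha256_file(p) for p in paths}


def seal(baseline: Dict[str, str], key: bytes) -> str:
    """Serialize the baseline and append an HMAC-SHA256 tag (key kept off-box)."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return body + "\n" + tag


def unseal(sealed: str, key: bytes) -> Dict[str, str]:
    """Verify the tag before trusting the stored baseline."""
    body, _, tag = sealed.rpartition("\n")
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline seal mismatch: stored baseline altered or wrong key")
    return json.loads(body)


def compare(current_paths: Iterable[str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between what is on disk now and the sealed baseline."""
    current = {p: sha256_file(p) for p in current_paths if os.path.isfile(p)}
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, object]:
    """Constructed run: two configs baselined, one edited, one rogue file added,
    then an attempt to rewrite the stored baseline to hide the edit."""
    key = b"review-key-kept-in-the-vault"          # constructed; use a real secret
    base = tempfile.mkdtemp(prefix="cfg-baseline-")
    try:
        def write(name: str, text: str) -> str:
            path = os.path.join(base, name)
            with open(path, "w") as f:
                f.write(text)
            return path

        router = write("router1.cfg", "hostname router1\nenable secret 9 <hash>\n")
        switch = write("switch1.cfg", "hostname switch1\n")
        baseline = build_baseline([router, switch])
        sealed = seal(baseline, key)
        clean = compare([router, switch], unseal(sealed, key))

        with open(router, "a") as f:               # unauthorized change
            f.write("username backdoor privilege 15 secret 0 letmein\n")
        rogue = write("rogue.cfg", "hostname rogue\n")   # never baselined
        drift = compare([router, switch, rogue], unseal(sealed, key))

        # Intruder swaps the old router digest for the new one in the stored
        # baseline; without the key the HMAC no longer matches.
        forged = sealed.replace(baseline[router], sha256_file(router), 1)
        try:
            unseal(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        names = lambda d: {k: [os.path.basename(p) for p in v] for k, v in d.items()}
        return {"clean": names(clean), "drift": names(drift),
                "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same loop works for GPO backups: export them with Backup-GPO on the review date, hash the export directory, and compare against the sealed baseline taken at the last review. The key that seals the baseline must live outside the environment being reviewed, otherwise an attacker with domain-level access can re-sign whatever baseline suits them.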

Report Unauthorized Network Access

Contact DHS or your local FBI office immediately.
To report an intrusion and request resources for incident response or technical assistance, contact NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).

Privilege Escalation

This is the most important part: after gaining a shell, the goal is to gain root access on the system. There are numerous ways to do that, but first I like to go the old classic way by finding what permissions the user has if we have user access, what is running in the crontab, what file permissions we have, which binaries have the SUID or GUID permission on the server, and what kernel the server is running on. Based on this enumeration we can try to escalate our user to root-level access.

Firewall Evasion Rules with Nmap

As a penetration tester you will come across systems that sit behind firewalls which block you from getting the information you want. So you will need to know how to get around the firewall rules in place in order to discover information about a host. This step of a penetration test is called firewall evasion.
Nmap has several options for this:-
  • 1) Fragment packets:- This technique was very effective, especially in the old days, but you can still use it if you find a firewall that is not properly configured. Nmap offers the ability to fragment packets while scanning with the -f option, so the scan can bypass the packet inspection of such firewalls.
    root@kali:~/Desktop# nmap -f 192.168.1.50
  • 2) Use a specific MTU:-
    • Nmap gives the user the option to set a specific MTU (Maximum Transmission Unit) for the packets. This is similar to the packet fragmentation technique explained above.
    • During the scan Nmap will create packets sized according to the number we give. In this example we gave the number 24, so Nmap will create 24-byte packets, causing confusion for the firewall. Keep in mind that the MTU value must be a multiple of 8 (8, 16, 24, 32, etc.).
    • You can specify the MTU of your choice with the command nmap --mtu number target.
      root@kali:~/Desktop# nmap --mtu 24 192.168.1.50
  • 3) Use decoy addresses:- In this type of scan you can instruct Nmap to spoof packets from other hosts. The firewall logs will then show not only our IP address but also the IP addresses of the decoys, so it will be much harder to determine from which system the scan started. There are two options you can use in this type of scan:-
    • root@kali:~/Desktop# nmap -D RND:10 [target] (generates 10 random decoy addresses)
    • root@kali:~/Desktop# nmap -D decoy1,decoy2,decoy3 [target] (manually specify the IP addresses of the decoys)
    • root@kali:~/Desktop# nmap -D 192.168.1.40,192.168.1.45 192.168.1.50
  • 4) Idle zombie scan:-
    • This technique allows you to use another host on the network that is idle in order to perform a port scan against another host. The main advantage of this method is that it is very stealthy, because the firewall log files will record the IP address of the zombie and not ours. However, in order to get proper results we must find hosts that are idle on the network.
    • The Metasploit framework has a scanner that can help discover idle hosts on the network, and it can be used while implementing this type of scan.
      msf > use auxiliary/scanner/ip/ipidseq
      msf auxiliary(ipidseq) > set RHOSTS 192.168.1.2-192.168.1.50
      msf auxiliary(ipidseq) > run
    • Using this scanner you can find which IPs on the network are idle and are potential candidates for use in an idle zombie scan. In order to implement an idle zombie scan we use the command:-
    root@kali:~/Desktop# nmap -sI [Zombie IP] [Target IP]
  • 5) Source port number specification:- A common error that many administrators make when configuring firewalls is to set up a rule that allows all incoming traffic coming from a specific source port number. The --source-port option of Nmap can be used to exploit this misconfiguration. Common ports that you can use for this type of scan are 20, 53 and 67.
    root@kali:~/Desktop# nmap --source-port 53 scanme.nmap.org
  • 6) Append random data:-
    • Many firewalls inspect packets by looking at their size in order to identify a potential port scan, because many scanners send packets of a specific size. In order to avoid that kind of detection you can use the --data-length option to append additional data and send packets with a size different from the default.
    • In the nmap command below we have changed the packet size by adding 25 more bytes. By default the packet size is 58 bytes, so after adding 25 more bytes the packet size will be 83 bytes.
      root@kali:~/Desktop# nmap --data-length 25 192.168.1.50
  • 7) Scan in random order:-
    • In this technique you scan a number of hosts in random rather than sequential order. The option that instructs Nmap to scan hosts in random order is --randomize-hosts.
    • This technique, combined with the slow timing options of nmap, can be very effective when you don’t want to alert firewalls.
      root@kali:~/Desktop# nmap --randomize-hosts 192.168.1.50-80
  • 8) MAC address spoofing:-
    • Another method for bypassing firewall restrictions while doing a port scan is spoofing the MAC address of your host. This technique can be very effective, especially if there is a MAC filtering rule that allows only traffic from certain MAC addresses, so you will need to discover which MAC address you need to set in order to obtain results.
    • Specifically, the --spoof-mac option gives you the ability to choose a MAC address from a specific vendor, to choose a random MAC address, or to set a specific MAC address of your choice. Another advantage of MAC address spoofing is that it makes your scan stealthier, because your real MAC address will not appear in the firewall log files.
      • Specify a MAC address from a vendor: --spoof-mac Dell/Apple/3Com
      • Generate a random MAC address: --spoof-mac 0
      • Specify your own MAC address: --spoof-mac 00:01:03:25:46:AB
      • root@kali:~/Desktop# nmap -sT -Pn --spoof-mac Dell 192.168.1.50
  • 9) Send bad checksums:-
    • Checksums are used by the TCP/IP protocols to ensure data integrity. However, sending packets with incorrect checksums can help you discover information about systems that are not properly configured, or help when you are trying to evade a firewall.
    • You can use the command nmap --badsum IP in order to send packets with bad checksums to your targets. If you don’t get any results, it means that the system is properly configured.
    root@kali:~/Desktop# nmap --badsum 192.168.1.50
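Seen from the other side of the firewall, most of the techniques above leave a signature a defender can look for. The following is an added example (not code from the original post, and not from the Nmap project): it audits a small firewall rule set for the source-port misconfiguration that item 5 abuses, and runs a detector over constructed per-packet records that flags the distinct-port fan-out of a scan, the lockstep pattern of decoy sources, packets that claim a service source port while aiming at a low destination port, and fragmented or bad-checksum probes. The rule format, the record format and all addresses are my own assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed firewall rules (not from the post). Ports are ints or "any".
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "src_port": "any", "dst_port": 53},    # queries to our resolver
    {"action": "allow", "proto": "tcp", "src_port": 53,    "dst_port": "any"}, # weak: trusts a source port
    {"action": "allow", "proto": "udp", "src_port": 67,    "dst_port": 68},    # DHCP reply to a client
    {"action": "deny",  "proto": "any", "src_port": "any", "dst_port": "any"},
]


def audit_source_port_rules(rules):
    """Indexes of allow rules that admit traffic on the strength of its source port alone.
    Anything can claim source port 53 or 20, so such a rule is the hole --source-port walks through."""
    return [i for i, r in enumerate(rules)
            if r["action"] == "allow" and r["src_port"] != "any" and r["dst_port"] == "any"]


# Constructed per-packet records as a sensor might export them (not real captures).
Flow = namedtuple("Flow", "ts src sport dst dport frag badsum")

SAMPLE_FLOWS = (
    # one source touching 12 ports on one host within 1.2 s
    [Flow(100 + i * 0.1, "203.0.113.9", 40000 + i, "192.0.2.10", p, False, False)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # three "sources" probing the same ports in lockstep (decoy pattern)
    + [Flow(200 + i * 0.1, s, 41000 + i, "192.0.2.10", p, False, False)
       for i, p in enumerate([22, 80, 443])
       for s in ("198.51.100.1", "198.51.100.2", "198.51.100.3")]
    # a packet claiming source port 53 aimed at SSH, a tiny fragment, a bad-checksum probe
    + [Flow(300.0, "203.0.113.9", 53, "192.0.2.10", 22, False, False),
       Flow(301.0, "203.0.113.9", 42000, "192.0.2.10", 80, True, False),
       Flow(302.0, "203.0.113.9", 42001, "192.0.2.10", 80, False, True)]
    # ordinary web traffic
    + [Flow(400.0, "198.51.100.77", 51515, "192.0.2.10", 443, False, False)]
)

SERVICE_SOURCE_PORTS = {20, 53, 67}
EXPECTED_REPLIES = {(67, 68)}   # DHCP server -> client is a legitimate low-port pair


def detect_scan_patterns(flows, port_threshold=10, window=5.0, lockstep_sources=3):
    """Flag the evasion patterns described in the post, from the defender's side."""
    findings = {"port_scan": set(), "service_port_source": set(),
                "lockstep": set(), "fragmented": 0, "badsum": 0}
    by_src = defaultdict(list)
    lockstep = defaultdict(set)          # (dst, dport, whole second) -> sources seen
    for f in flows:
        by_src[f.src].append(f)
        lockstep[(f.dst, f.dport, int(f.ts))].add(f.src)
        # real replies from DNS/FTP-data/DHCP go to the client's high port, not to a service port
        if f.sport in SERVICE_SOURCE_PORTS and f.dport < 1024 \
                and (f.sport, f.dport) not in EXPECTED_REPLIES:
            findings["service_port_source"].add(f.src)
        findings["fragmented"] += f.frag
        findings["badsum"] += f.badsum
    # distinct destination ports per source inside a sliding time window
    for src, fl in by_src.items():
        fl.sort(key=lambda x: x.ts)
        for i, first in enumerate(fl):
            ports = {g.dport for g in fl[i:] if g.ts - first.ts <= window}
            if len(ports) >= port_threshold:
                findings["port_scan"].add(src)
                break
    # several sources hitting the same port in the same second: one scanner plus its decoys
    for srcs in lockstep.values():
        if len(srcs) >= lockstep_sources:
            findings["lockstep"].add(frozenset(srcs))
    return findings


if __name__ == "__main__":
    print("weak rules:", audit_source_port_rules(SAMPLE_RULES))
    print(detect_scan_patterns(SAMPLE_FLOWS))
```

The lockstep check is the useful one against decoys: the real scanner is always among the addresses that show up together, so correlating the group over several scans narrows it down far better than chasing any single source.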

Linux Kernel issues fixed

USN-3836-2
the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces

USN-3835-1
procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. Jann Horn discovered that the mremap system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service, expose sensitive information, or possibly execute arbitrary code.

USN-3839-1
WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service.

USN-3846-1
an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information.


FreeBSD

Due to insufficient validation of network-provided data it may be possible for a malicious attacker to craft a bootp packet which could cause a stack buffer overflow. It is possible that the buffer overflow could lead to a Denial of Service or remote code execution.

NTP
the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Issues addressed include buffer overflow, code execution, and denial of service vulnerabilities.

USN-3847-1
an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service.

Red Hat Security Advisory 2018-3843-01
The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service and null pointer

Linux Security Advisory 4354-1
Mozilla - use-after-free vulnerabilities, execution of arbitrary code or bypass of the same-origin policy

Red Hat Security Advisory 2019-0010-01
Perl is a high-level programming language that is commonly used for system administration utilities and web programming. Issues addressed include a buffer overflow vulnerability.

CVE-2018-1888
An untrusted search path vulnerability in IBM i Access for Windows versions 7.1 and earlier on Windows can allow arbitrary code execution via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. IBM X-Force ID: 152079.


DDoS - Types of Attacks


Types of DDoS Attacks Explained

DDoS attacks are a major concern for online businesses. According to the Q3 2015 Security Report by Akamai, there’s a 179.66% increase in the total number of DDoS attacks!

This figure suggests that, in the last two years, an alarming number of businesses have been targeted by criminals, activists, and hackers for nefarious reasons. It can not only deny service to the business’ users but also result in expensive bills. Some DDoS attacks can even be financially devastating for a business!

From trying to flood a target with ping-command-based ICMP echo requests to multi-vector attacks, DDoS attacks have grown bigger and more sophisticated over the years. In this post, we will take a look at the different types of DDoS attacks. Here’s a list of the different DDoS attack types.

Application Level Attacks

DDoS attacks can target a specific application or a badly coded website to exploit its weakness and take down the entire server as a result. WordPress and Joomla are two examples of applications that can be targeted to exhaust a server’s resources – RAM, CPU, etc. Databases can also be targeted with SQL injections designed to exploit these loopholes.

The exhausted server is then unavailable to process legitimate requests due to exhausted resources. Websites and applications with security loopholes are also susceptible to hackers looking to steal information.

Zero Day (0day) DDoS

This is a standard term (like John Doe) used to describe an attack that is exploiting new vulnerabilities. These ZERO Day DDoS vulnerabilities do not have patches or effective defensive mechanisms.

Ping Flood

An evolved version of the ICMP flood, this DDoS attack is also application specific. When a server receives a lot of spoofed ping packets from a very large set of source IPs, it is being targeted by a Ping Flood attack. Such an attack’s goal is to flood the target with ping packets until it goes offline.

It is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it can easily resemble legitimate traffic.

IP Null Attack

Packets contain IPv4 headers which carry information about which transport protocol is being used. When attackers set the value of this field to zero, these packets can bypass security measures designed to scan TCP, IP, and ICMP. When the target server tries to process these packets, it will eventually exhaust its resources and reboot.

CharGEN Flood

CharGEN is a very old protocol which can be exploited to execute amplified attacks. A CharGEN amplification attack is carried out by sending small packets carrying a spoofed IP of the target to internet-enabled devices running CharGEN. These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target.

Most internet-enabled printers, copiers etc., have this protocol enabled by default and can be used to execute a CharGEN attack. This can be used to flood a target with UDP packets on port 19. When the target tries to make sense of these requests, it will fail to do so. The server will eventually exhaust its resources and go offline or reboot.

SNMP Flood

Like a CharGEN attack, SNMP can also be used for amplification attacks. SNMP is mainly used on network devices. SNMP amplification attack is carried out by sending small packets carrying a spoofed IP of the target to the internet enabled devices running SNMP.

These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. However, amplification effect in SNMP can be greater when compared with CHARGEN and DNS attacks. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.

NTP Flood

The NTP protocol is another publicly accessible network protocol. The NTP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to internet enabled devices running NTP.

These spoofed requests to such devices are then used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.

SSDP Flood

SSDP enabled network devices that are also accessible to UPnP from the internet are an easy source for generating SSDP amplification floods. The SSDP amplification attack is also carried out by sending small packets carrying a spoofed IP of the target to devices.

These spoofed requests to such devices are used to send UDP floods as responses from these devices to the target. When the target tries to make sense of this flood of requests, it will end up exhausting its resources and go offline or reboot.

Other Amplified DDoS Attacks

All amplified attacks use the same strategy described above for CHARGEN, NTP, etc. Other UDP protocols that US-CERT has identified as possible tools for carrying out amplification flood attacks are:

SNMPv2
NetBIOS
QOTD
BitTorrent
Kad
Quake Network Protocol
Steam Protocol
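Every amplification attack in this list has the same two observable ends: the victim receives service replies it never requested, and the reflector answers far more bytes than it was asked. The example below is an added one (not code from the original post) that checks both ends over constructed UDP flow records: a victim-side report that flags inbound traffic from reflector service ports with no matching outbound request from the local host, and an operator-side report that computes the bytes-answered to bytes-asked ratio of our own NTP server per peer, which is how you notice that your server is being used as a reflector against someone else. The flow format, the byte counts and the addresses are my own assumptions, not measurements.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services that answer a small request with a large reply (the post's list, plus DNS).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


@dataclass(frozen=True)
class UdpFlow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed flow records (not measurements); 192.0.2.0/24 is "our" network.
SAMPLE_UDP_FLOWS = [
    # a normal DNS exchange: our host asks, the resolver answers
    UdpFlow(1.0, "192.0.2.10", 50001, "203.0.113.53", 53, 60),
    UdpFlow(1.1, "203.0.113.53", 53, "192.0.2.10", 50001, 300),
    # reflected replies hitting 192.0.2.10, which never asked these NTP/SSDP servers anything
    UdpFlow(2.0, "198.51.100.1", 123, "192.0.2.10", 80, 4000),
    UdpFlow(2.1, "198.51.100.1", 123, "192.0.2.10", 80, 4000),
    UdpFlow(2.2, "198.51.100.1", 123, "192.0.2.10", 80, 4000),
    UdpFlow(2.3, "198.51.100.2", 1900, "192.0.2.10", 80, 4000),
    UdpFlow(2.4, "198.51.100.2", 1900, "192.0.2.10", 80, 4000),
    # our own NTP server 192.0.2.123: one honest client, and one "client" that is a spoofed victim
    UdpFlow(3.0, "203.0.113.5", 40000, "192.0.2.123", 123, 48),
    UdpFlow(3.1, "192.0.2.123", 123, "203.0.113.5", 40000, 48),
    UdpFlow(4.0, "203.0.113.77", 40000, "192.0.2.123", 123, 48),
] + [UdpFlow(4.0 + i * 0.01, "192.0.2.123", 123, "203.0.113.77", 40000, 440) for i in range(1, 11)]


def reflection_victim_report(flows, local_prefix, min_bytes=10_000):
    """Victim side: inbound UDP from reflector ports to a local host that sent no request
    to that (server, port). Returns {host: {"bytes", "sources", "services"}} above min_bytes."""
    requested = {(f.src, f.dst, f.dport) for f in flows
                 if f.src.startswith(local_prefix) and f.dport in REFLECTOR_PORTS}
    report = defaultdict(lambda: {"bytes": 0, "sources": set(), "services": set()})
    for f in flows:
        if (f.dst.startswith(local_prefix) and f.sport in REFLECTOR_PORTS
                and (f.dst, f.src, f.sport) not in requested):
            r = report[f.dst]
            r["bytes"] += f.nbytes
            r["sources"].add(f.src)
            r["services"].add(REFLECTOR_PORTS[f.sport])
    return {h: {"bytes": r["bytes"], "sources": len(r["sources"]), "services": r["services"]}
            for h, r in report.items() if r["bytes"] >= min_bytes}


def reflector_side_report(flows, service_ip, service_port, min_factor=5.0):
    """Operator side: per peer, bytes our service answered divided by bytes the peer asked.
    A peer that 'asks' 48 bytes and receives kilobytes is a spoofed victim, not a client."""
    asked, answered = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.dst == service_ip and f.dport == service_port:
            asked[f.src] += f.nbytes
        elif f.src == service_ip and f.sport == service_port:
            answered[f.dst] += f.nbytes
    factors = {peer: answered[peer] / max(asked[peer], 1) for peer in answered}
    return {peer: x for peer, x in factors.items() if x >= min_factor}


if __name__ == "__main__":
    print(reflection_victim_report(SAMPLE_UDP_FLOWS, "192.0.2."))
    print(reflector_side_report(SAMPLE_UDP_FLOWS, "192.0.2.123", 123))
```

The operator-side ratio is the number to watch on any UDP service you expose: the fix for a high ratio is on your side (rate limiting, disabling the amplifying query, or BCP 38 style source validation upstream), because the victim can do nothing about replies it never asked for.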

Fragmented HTTP Flood

In this example of a sophisticated attack on a known loophole, BOTs with a valid IP are used to establish a valid HTTP connection with a web server. Then, HTTP packets are split by the bot into tiny fragments and sent to the target as slowly as it allows before it times out. This method allows the attackers to keep a connection active for a long time without alerting any defense mechanisms.

An attacker can use one BOT to initiate several undetected, extended and resource consuming sessions. Popular web servers like Apache do not have effective timeout mechanisms. This is a DDoS security loophole that can be exploited with a few BOTs to stop web services.

HTTP Flood

The real IP of the BOTs is used to avoid suspicion. The number of BOTs used to execute the attack is same as the source IP range for this attack. Since the IP addresses of the BOTs are not spoofed, there is no reason for defense mechanisms to flag these valid HTTP requests.

One BOT can be used to send a large number of GET, POST or other HTTP requests to execute an attack. Several bots can be combined in an HTTP DDoS attack to completely cripple the target server.

Single Session HTTP Flood

An attacker can exploit a loophole in HTTP 1.1 to send several requests from a single HTTP session. This allows attackers to send a large number of requests from a handful of sessions. In other words, attackers can bypass the limitations imposed by DDoS defense mechanisms on the number of sessions allowed.

Single Session HTTP Flood also targets a server’s resources to trigger a complete system shutdown or poor performance.

Single Request HTTP Flood

When defense mechanisms evolved to block many incoming packets, attacks like Single Packet HTTP Flood were designed with workarounds to dodge these defenses. This evolution of an HTTP flood exploits another loophole in the HTTP technology. Several HTTP requests can be made by a single HTTP session by masking these requests within one HTTP packet.

This technique allows an attack to stay invisible while exhausting a server’s resources by keeping packet rates within the allowed limits.

Recursive HTTP GET Flood

For an attack to be highly successful, it must remain undetected for as long as possible. The best method to go undetected is to appear as a legitimate request by staying within all the limitations while another attack is being executed. Recursive GET achieves this on its own by collecting a list of pages or images and appearing to be going through these pages or images.

This attack can be combined with an HTTP flood attack for maximum impact.

Random Recursive GET Flood

This attack is a purpose built variation of the Recursive GET attack. It is designed for forums, blogs and other websites that have pages in a sequence. Like Recursive GET it also appears to be going through pages. Since page names are in a sequence, to keep up the appearance of a legitimate user, it uses random numbers from a valid page range to send a new GET request each time.

Random Recursive GET also aims to deflate its target’s performance with a large number of GET requests and deny access to real users.
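The HTTP-layer attacks above (the Fragmented HTTP Flood, the plain HTTP Flood, the single-session variants and the Recursive and Random Recursive GET floods) all have to be found in the web server's own logs, since the packets are otherwise valid. The following is an added example, not code from the original post or from any web server project: it parses a constructed access log and runs three detectors that correspond to those attacks, a per-IP sliding-window request rate, a check for requests that held a worker for a long time while sending almost nothing, and a check for clients walking through many distinct numbered pages in a short window, which catches the recursive GET pattern whether the page numbers are sequential or random. The log format (one line per request with bytes received and request duration in milliseconds), the thresholds and the addresses are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (my assumption, not Apache's own):
#   ip  unix_ts  method  path  status  bytes_in  request_ms
LOG_RE = re.compile(r"(\S+) (\d+(?:\.\d+)?) (\S+) (\S+) (\d{3}) (\d+) (\d+)")
PAGE_RE = re.compile(r"^/(?:page|thread|post)/(\d+)$")   # the site's numbered pages


def _constructed_log():
    """Synthetic traffic mixing three attack patterns with one human visitor."""
    lines = []
    order = [17, 3, 29, 8, 22, 1, 14, 26, 5, 19, 11, 30, 2, 24, 9,
             16, 28, 6, 21, 12, 4, 27, 15, 10, 23, 7, 20, 13, 25, 18]
    for i, n in enumerate(order):        # random recursive GET: 30 pages in random order, 1/s
        lines.append(f"203.0.113.10 {1000 + i} GET /thread/{n} 200 180 12")
    for i in range(40):                  # plain HTTP flood: the same page, 8 requests per second
        lines.append(f"203.0.113.11 {1000 + i * 0.125:.3f} GET / 200 160 9")
    for i in range(3):                   # fragmented/slow POSTs holding a worker 30 s for ~200 bytes
        lines.append(f"203.0.113.12 {1000 + i * 10} POST /login 408 200 30000")
    for i, n in enumerate([1, 2, 3, 4, 5]):   # a person reading a forum
        lines.append(f"198.51.100.5 {1000 + i * 12} GET /thread/{n} 200 170 15")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, bytes_in, ms = m.groups()
        entries.append({"ip": ip, "ts": float(ts), "method": method, "path": path,
                        "status": int(status), "bytes_in": int(bytes_in), "ms": int(ms)})
    return entries


def rate_offenders(entries, window=10.0, max_requests=20):
    """IPs that exceed max_requests inside any window of `window` seconds (HTTP flood)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    bad = set()
    for ip, ts in by_ip.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 > max_requests:
                bad.add(ip)
                break
    return bad


def slow_requests(entries, min_ms=15_000, max_bytes=2000):
    """IPs whose requests tied up a worker for a long time while sending very little
    (the fragmented / slow-session pattern)."""
    return {e["ip"] for e in entries if e["ms"] >= min_ms and e["bytes_in"] <= max_bytes}


def page_walkers(entries, window=60.0, min_pages=15):
    """IPs that fetch many distinct numbered pages within `window` seconds
    (recursive GET, in sequential or random order)."""
    by_ip = defaultdict(list)
    for e in entries:
        m = PAGE_RE.match(e["path"])
        if m:
            by_ip[e["ip"]].append((e["ts"], int(m.group(1))))
    bad = set()
    for ip, hits in by_ip.items():
        hits.sort()
        for t0, _ in hits:
            if len({p for t, p in hits if t0 <= t <= t0 + window}) >= min_pages:
                bad.add(ip)
                break
    return bad


def analyze(lines):
    entries = parse(lines)
    return {"flood": rate_offenders(entries), "slow": slow_requests(entries),
            "walkers": page_walkers(entries)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Each detector needs a field the default log format does not give you: request duration and bytes received. Log those explicitly, because a flood of valid-looking requests is only distinguishable from a busy day by timing and by who reads what.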

Multi-Vector Attacks

We talked about attackers combining Recursive GET attacks with HTTP flood attacks to amplify the effects of an attack. That’s just one example of an attacker using two types of DDoS attacks at the same time to target a server. Attacks can also combine several methods to keep the engineers dealing with the DDoS attack confused.

These attacks are the toughest to deal with and are capable of taking down some of the best-protected servers and networks.

SYN Flood

This attack exploits the design of the three-way TCP communication process between a client, host, and a server. In this process, a client initiates a new session by generating a SYN packet. The host assigns and checks these sessions until they are closed by the client. To carry out a SYN Flood attack, an attacker sends a lot of SYN packets to the target server from spoofed IP addresses.

This attack goes on until it exhausts the server’s connection table memory, which stores and processes these incoming SYN packets. The result is a server unable to process legitimate requests due to exhausted resources for as long as the attack lasts.
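The connection-table exhaustion described above, and the standard answer to it, can be shown with a small model. The following is an added example (not code from the original post) of a toy TCP listener in two modes: one keeps a bounded half-open table with a timeout, the other keeps no state and instead answers every SYN with a keyed hash of the peer address and a coarse time slot, which is the idea behind SYN cookies. The simulation sends spoofed SYNs that are never acknowledged and then lets one real client attempt a full handshake. The backlog size, timeout, slot width and addresses are my own assumptions, and the cookie construction is simplified (a real kernel also encodes the MSS in the ISN).

```python
import hashlib
import hmac
import secrets


class Listener:
    """Toy TCP listener: a bounded half-open table, or stateless SYN cookies instead of it."""

    def __init__(self, backlog=8, syn_timeout=30.0, syn_cookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syn_cookies = syn_cookies
        self.half_open = {}               # (src_ip, src_port) -> (expires_at, isn)
        self.established = set()
        self.dropped_syns = 0
        self._key = secrets.token_bytes(16)   # per-boot secret for the cookie MAC

    def _expire(self, now):
        for k in [k for k, (exp, _) in self.half_open.items() if exp <= now]:
            del self.half_open[k]

    def _cookie(self, src, sport, slot):
        """A SYN cookie in spirit: the ISN is a keyed hash of the peer and a 64 s time slot."""
        tag = hmac.new(self._key, f"{src}:{sport}:{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, src, sport, now):
        """Return the ISN to send in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport, int(now // 64))   # nothing is stored
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (now + self.syn_timeout, isn)
        return isn

    def on_ack(self, src, sport, acked_isn, now):
        """Third step of the handshake (the client echoes our ISN). True once established."""
        if self.syn_cookies:
            slot = int(now // 64)
            if acked_isn in (self._cookie(src, sport, slot), self._cookie(src, sport, slot - 1)):
                self.established.add((src, sport))
                return True
            return False
        self._expire(now)
        entry = self.half_open.pop((src, sport), None)
        if entry is None or entry[1] != acked_isn:
            return False
        self.established.add((src, sport))
        return True


def simulate(syn_cookies, spoofed_syns=100, backlog=8, wait_before_legit=0.0):
    """Flood the listener with SYNs whose (constructed) spoofed sources never answer,
    then let one real client try a full handshake."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 0.0
    for i in range(spoofed_syns):
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 10000 + i, now)
        now += 0.01
    now += wait_before_legit
    isn = srv.on_syn("198.51.100.7", 50000, now)
    connected = isn is not None and srv.on_ack("198.51.100.7", 50000, isn, now + 0.05)
    return {"legit_connected": connected,
            "dropped_syns": srv.dropped_syns,
            "half_open": len(srv.half_open)}


if __name__ == "__main__":
    print("table, during flood:", simulate(False))
    print("table, 31 s after flood:", simulate(False, wait_before_legit=31.0))
    print("cookies, during flood:", simulate(True))
```

Without cookies the first eight spoofed SYNs occupy the table for the whole timeout and everything after them, the real client included, is dropped; the table frees itself only once the attacker stops for longer than the timeout. With cookies there is no table to fill, so the spoofed SYNs cost the listener one hash each and nothing more.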

SYN-ACK Flood

The second step of the three-way TCP communication process is exploited by this DDoS attack. In this step, a SYN-ACK packet is generated by the listening host to acknowledge an incoming SYN packet. A large amount of spoofed SYN-ACK packets is sent to a target server in a SYN-ACK Flood attack. The attack tries to exhaust a server’s resources – its RAM, CPU, etc. as the server tries to process this flood of requests.

The result is a server unable to process legitimate requests due to exhausted resources for as long as the attack lasts.

ACK & PUSH ACK Flood

During an active TCP-SYN session, ACK or PUSH ACK packets carry information between the host and client machines for as long as the session lasts. During an ACK & PUSH ACK flood attack, a large amount of spoofed ACK packets is sent to the target server to deflate it.

Since these packets are not linked with any session on the server’s connection list, the server spends more resources on processing these requests. The result is a server unable to process legitimate requests due to exhausted resources for as long as the attack lasts.

ACK Fragmentation Flood

Fragmented ACK packets are used in this bandwidth consuming version of the ACK & PUSH ACK Flood attack. To execute this attack, fragmented packets of 1500 bytes are sent to the target server. It is easier for these packets to reach their target undetected as they are not normally reassembled by routers at the IP level.

This allows an attacker to send few packets with irrelevant data through routing devices to consume large amounts of bandwidth. This attack affects all servers within the target network by trying to consume all available bandwidth in the network.

RST/FIN Flood

After a successful three or four-way TCP-SYN session, RST or FIN packets are exchanged by servers to close the TCP-SYN session between a host and a client machine. In an RST or FIN Flood attack, a target server receives a large number of spoofed RST or FIN packets that do not belong to any session on the target server.

The attack tries to exhaust a server’s resources – its RAM, CPU, etc. as the server tries to process these invalid requests. The result is a server unavailable to process legitimate requests due to exhausted resources.

Synonymous IP Attack

To take a server down, a large number of TCP-SYN packets carrying the target server’s Source IP and Destination IP are sent to the target server. Even though the packets are carrying the target server’s source and destination IP information, this data is not important.

The goal of the Synonymous IP attack is to exhaust a server’s resources – RAM, CPU, etc. as it tries to compute this anomaly. The exhausted server is then unavailable to process legitimate requests due to exhausted resources.

Spoofed Session Flood

Some of the above DDoS attacks are unable to fool most modern defense mechanisms but DDoS attacks are also evolving to bypass these defenses. Fake Session attacks try to bypass security under the disguise of a valid TCP session by carrying a SYN, multiple ACK and one or more RST or FIN packets.

This attack can bypass defense mechanisms that are only monitoring incoming traffic on the network. These DDoS attacks can also exhaust the target’s resources and result in a complete system shutdown or unacceptable system performance.

Multiple SYN-ACK Spoofed Session Flood

This version of a fake session attack contains multiple SYN and multiple ACK packets along with one or more RST or FIN packets. A Multiple SYN-ACK Fake Session is another example of an evolved DDoS attack. They are changed up to bypass defense mechanisms which rely on very specific rules to prevent such attacks.

Like the Fake Session attack, this attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.

Multiple ACK Spoofed Session Flood

SYN is completely skipped in this version of Fake Session. Multiple ACK packets are used to begin and carry an attack. These ACK packets are followed by one or more RST or FIN packets to complete the disguise of a TCP session.

These attacks tend to be more successful at staying under the radar as they generate low TCP-SYN traffic compared to the original SYN-Flood attacks. Like its source, the Multiple ACK Fake Session attack can also exhaust a target’s resources and result in a complete system shutdown or unacceptable system performance.

Session Attack

To bypass defenses, instead of using spoofed IPs, this attack uses the real IP address of the BOTs being used to carry out an attack. The number of BOTs used to execute the attack is same as the source IP range for this attack. This attack is executed by creating a TCP-SYN session between a BOT and the target server.

This session is then stretched out until it times out by delaying the ACK packets. Session attacks try to exhaust a server’s resources through these empty sessions. That, in turn, results in a complete system shutdown or unacceptable system performance.

Misused Application Attack

The attackers first hack client machines that host high traffic apps like P2P services. The traffic from these client machines is then redirected to the target server. The target server exhausts its resources as it tries to accept and negotiate the excessive traffic. Defensive mechanisms aren’t triggered in this case as the hacked client machines are actually trying to make a valid connection to the target server.

After successfully redirecting the traffic to the target, as the attack is going on, the attacker drops off the network and becomes untraceable. Misused Application Attack targets a server’s resources and tries to take it down or destroy its performance.

UDP Flood

As the name suggests, in this type of DDoS attack a server is flooded with UDP packets. Unlike TCP, there isn’t an end-to-end process of communication between client and host. This makes it harder for defensive mechanisms to identify a UDP Flood attack. A large number of spoofed UDP packets are sent to a target server from a massive set of source IPs to take it down.

UDP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the attacking packets. The goal of such an attack is to consume the bandwidth in a network until all available bandwidth has been exhausted.

UDP Fragmentation Flood

It is another one of those cleverly masked DDoS attacks that are not easily detected. The activity generated by this attack resembles valid traffic and all of it is kept within limits. This version of the UDP Flood attack sends larger yet fragmented packets to exhaust more bandwidth by sending fewer fragmented UDP packets.

When a target server tries to put these unrelated and forged fragmented UDP packets together, it will fail to do so. Eventually, all available resources are exhausted and the server may reboot.

DNS Flood

One of the most well-known DDoS attacks, this version of the UDP flood attack is application specific – DNS servers in this case. It is also one of the toughest DDoS attacks to detect and prevent. To execute it, an attacker sends a large amount of spoofed DNS request packets that look no different from real requests from a very large set of source IPs.

This makes it impossible for the target server to differentiate between legitimate DNS requests and DNS requests that appear to be legitimate. In trying to serve all the requests, the server exhausts its resources. The attack consumes all available bandwidth in the network until it is completely drained out.

VoIP Flood

This version of the application-specific UDP flood targets VoIP servers. An attacker sends a large number of spoofed VoIP request packets from a very large set of source IPs. When a VoIP server is flooded with spoofed requests, it exhausts all available resources while trying to serve the valid and invalid requests.

This reboots the server or takes a toll on the server’s performance and exhausts the available bandwidth. VoIP floods can contain fixed or random source IP. Fixed source IP address attack is not easy to detect as it masks itself and looks no different from legitimate traffic.

Media Data Flood

Like the VoIP flood, a server can also be attacked with media data such as audio and video. A large number of spoofed media data packets are sent by an attacker from a very large set of source IPs. When a server is flooded with spoofed media data requests, it exhausts all available resources and network bandwidth to process these requests.

This attack is similar to VoIP floods in every way other than using spoofed media data packets to attack the server. It can also be hard to detect these attacks when they use a fixed source IP, as this gives them a legitimate appearance. The attack is designed to consume all available server resources and bandwidth in the network until it is completely drained out.

Direct UDP Flood

The target server is attacked with a large number of non-spoofed UDP packets. To mask the attack, the attacker does not spoof the BOTs’ actual IP addresses. The number of BOTs used to execute the attack is the same as the source IP range for this attack. The attack is designed to consume all available bandwidth and resources in the network until it is completely drained out and shuts down. This type of DDoS attack is also not easy to detect as it resembles legitimate traffic.

ICMP Flood

Like UDP, the ICMP stack also does not have an end-to-end process for data exchange. This makes it harder to detect an ICMP Flood attack. An attacker sends a large number of spoofed ICMP packets from a very large set of source IPs. When a server is flooded with massive amounts of spoofed ICMP packets, its resources are exhausted in trying to process these requests. This overload reboots the server or has a massive impact on its performance.

ICMP flood attacks can target random servers or a specific server within a network by including the target server’s port and IP address in the packets. The goal of such an attack is to consume bandwidth in the network until it has exhausted the available bandwidth.

ICMP Fragmentation Flood

This version of ICMP Flood attack sends larger packets to exhaust more bandwidth by sending fewer fragmented ICMP packets. When the target server tries to put these forged fragmented ICMP packets with no correlation together, it will fail to do so. The server eventually exhausts its resources and reboots.
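The three fragmentation floods in this post (ACK Fragmentation, UDP Fragmentation and ICMP Fragmentation) all work the same way on the receiving host: every forged first fragment opens a reassembly entry that can never complete, and the entries sit in memory until they time out. The following is an added example, not code from the original post or from any kernel: a toy IP fragment reassembler with the limits a real stack needs (a cap on concurrent incomplete datagrams, a memory cap, a timeout) and, as the mitigation, a per-source cap so that one address cannot evict everyone else's fragments. The simulation lets a legitimate three-fragment datagram compete with a flood of forged fragments, first without and then with the per-source cap. The limits, sizes and addresses are my own assumptions.

```python
from collections import Counter, OrderedDict


class ReassemblyBuffer:
    """Toy IP fragment reassembler. key = (src, dst, ip_id, proto); offsets are in bytes."""

    def __init__(self, max_datagrams=64, max_bytes=1 << 20, timeout=30.0, max_per_src=None):
        self.max_datagrams = max_datagrams
        self.max_bytes = max_bytes
        self.timeout = timeout
        self.max_per_src = max_per_src if max_per_src is not None else float("inf")
        self.pending = OrderedDict()       # key -> entry; insertion order doubles as age
        self.per_src = Counter()           # incomplete datagrams per source address
        self.bytes_used = 0
        self.evicted = 0
        self.dropped = 0

    def _remove(self, key):
        entry = self.pending.pop(key)
        self.bytes_used -= entry["bytes"]
        self.per_src[key[0]] -= 1
        return entry

    def _evict(self, key):
        self._remove(key)
        self.evicted += 1

    def _expire(self, now):
        for key in [k for k, e in self.pending.items() if now - e["first"] > self.timeout]:
            self._evict(key)

    @staticmethod
    def _complete(entry):
        if entry["total"] is None:          # last fragment (more=False) not seen yet
            return False
        pos = 0
        for off in sorted(entry["frags"]):  # every byte from 0 to total must be covered, no gaps
            if off != pos:
                return False
            pos = off + len(entry["frags"][off])
        return pos == entry["total"]

    def fragment(self, key, offset, data, more, now):
        """Feed one fragment. Returns the reassembled payload when a datagram completes."""
        self._expire(now)
        entry = self.pending.get(key)
        if entry is None:
            src = key[0]
            if self.per_src[src] >= self.max_per_src:
                # this source already holds its quota: it can only evict its own oldest entry
                self._evict(next(k for k in self.pending if k[0] == src))
            elif len(self.pending) >= self.max_datagrams or self.bytes_used + len(data) > self.max_bytes:
                if not self.pending:
                    self.dropped += 1
                    return None
                self._evict(next(iter(self.pending)))   # global pressure: evict the oldest, whoever owns it
            entry = self.pending[key] = {"frags": {}, "total": None, "first": now, "bytes": 0}
            self.per_src[src] += 1
        if offset in entry["frags"] or self.bytes_used + len(data) > self.max_bytes:
            self.dropped += 1                # duplicate offset or out of memory
            return None
        entry["frags"][offset] = data
        entry["bytes"] += len(data)
        self.bytes_used += len(data)
        if not more:
            entry["total"] = offset + len(data)
        if self._complete(entry):
            self._remove(key)
            return b"".join(entry["frags"][o] for o in sorted(entry["frags"]))
        return None


def simulate_fragment_flood(n_forged=500, max_datagrams=64, max_per_src=None):
    """A legitimate datagram starts, a flood of never-completing forged first fragments
    from one (constructed) source arrives, then the legitimate datagram finishes."""
    buf = ReassemblyBuffer(max_datagrams=max_datagrams, max_per_src=max_per_src)
    legit = ("198.51.100.7", "192.0.2.10", 1, 17)
    now = 0.0
    buf.fragment(legit, 0, b"A" * 1480, True, now)
    for i in range(n_forged):
        now += 0.001
        buf.fragment(("203.0.113.9", "192.0.2.10", 1000 + i, 17), 0, b"X" * 1480, True, now)
    buf.fragment(legit, 1480, b"B" * 1480, True, now + 0.01)
    payload = buf.fragment(legit, 2960, b"C" * 100, False, now + 0.02)
    return {"legit_reassembled": payload is not None,
            "pending": len(buf.pending), "evicted": buf.evicted, "bytes_used": buf.bytes_used}


if __name__ == "__main__":
    print("global limit only:", simulate_fragment_flood())
    print("with per-source cap:", simulate_fragment_flood(max_per_src=8))
```

With only a global limit the flood evicts the legitimate first fragment long before the rest of that datagram arrives, so reassembly fails even though the host never ran out of memory. With the per-source cap the flooding source can only churn through its own entries, and the legitimate datagram completes. The same reasoning is why a stack should also stop accepting fragments from a source that keeps opening datagrams it never finishes.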