
OSI Model for beginners (Simple & Practical Guide)

If you’re starting your journey in networking or ethical hacking, one concept you’ll hear again and again is the OSI Model. At first, it might look complicated. Seven layers? Strange names? Technical terms? Don’t worry. In this guide, you’ll learn the OSI Model in a simple, beginner-friendly way, without any confusion.

What is the OSI Model?

The OSI Model stands for Open Systems Interconnection Model. It is a framework that explains how data travels from one computer to another over a network. Instead of thinking of communication as one big process, the OSI model breaks it into 7 layers.

Each layer has a specific role. Think of it like sending a package:

  • You pack it
  • Label it
  • Ship it
  • Deliver it

Each step is handled separately.

Why is the OSI Model Important?

If you are learning ethical hacking, you might wonder why you should learn about the OSI Model. Here’s why:

1. It Helps You Understand Networks:

When you learn the OSI model, you’ll know how data moves step by step from one device to another.

2. It Makes Troubleshooting Easier:

You can easily identify where a problem is occurring in a network.

3. Essential for Ethical Hacking:

Many attacks target specific OSI layers. So, this is important for ethical hackers.

4. Foundation for Cybersecurity:

You may not like this, but without it, advanced topics in cybersecurity won’t make sense.

The 7 Layers of the OSI Model

The seven layers of the OSI Model, from top to bottom, are the Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer and Physical Layer. Let’s break them down in the simplest way possible.

7. Application Layer (Top Layer):

The Application Layer is the topmost layer of the OSI Model and is responsible for providing a user interface for network applications. Simply put, this is the layer users interact with. For example,

  • Web browsers
  • Email apps

It allows applications to communicate with the network. The Application Layer performs several key functions, including:

  • Network Services: It provides network services to applications, including file transfer, email and other network-based applications.
  • User Interface: It provides a user interface for network applications, allowing the user to interact with the network.
  • Network Resource Access: It provides a means for applications to access network resources, such as databases or file servers.

Some protocols in the Application Layer are:

  • HTTP (Hypertext Transfer Protocol): This is the primary protocol used for web browsing and web application access.
  • FTP (File Transfer Protocol): This is a protocol for transferring files between systems.
  • SMTP (Simple Mail Transfer Protocol): This is the protocol used for sending email.

6. Presentation Layer:

The Presentation Layer is responsible for providing a common format for data exchange between applications. Simply put, it makes sure data is readable. Some of the Presentation Layer protocols are:

  • MIME (Multipurpose Internet Mail Extensions): This is a protocol for the representation of multimedia content.
  • SSL (Secure Sockets Layer) and TLS (Transport Layer Security): These are protocols for securing data transmission over the internet.

5. Session Layer:

The Session Layer is responsible for establishing, managing and terminating communication sessions between applications. A session is a continuous exchange of information between two applications and can involve multiple data transfers.

It provides a framework for applications to communicate with each other. It coordinates the communication process between the applications and ensures that the data is transmitted in an orderly and synchronized manner. The Session Layer also ensures that the communication between the applications is maintained until it is terminated by either the sender or the receiver. In simple words, it starts, maintains and ends sessions.

Some of the Session Layer protocols are,

  • NFS (Network File System): This is a popular protocol for sharing files over a network.
  • RDP (Remote Desktop Protocol): This is a protocol for remote access to a desktop.
  • SSH (Secure Shell): This is a protocol for secure remote access to a computer.

4. Transport Layer:

The Transport Layer of the OSI (Open Systems Interconnection) Model is responsible for reliable data transfer between end systems. It is the layer that divides the entire data being sent into manageable segments and ensures that each segment reaches its destination without any errors or lost data.

These segments are then transmitted and reassembled at the destination end. This layer also provides flow control, which prevents the sender from overwhelming the receiver, and error control, which detects and corrects any errors that may occur during transmission. In simple words, this is where data delivery is controlled.

Key functions:

  • Error checking
  • Data flow control

There are two main types of protocols in Transport Layer. They are,

  • TCP (Transmission Control Protocol): This is a reliable, connection-oriented protocol which ensures that data is transmitted accurately and completely.
  • UDP (User Datagram Protocol): This is an unreliable, connectionless protocol that does not guarantee the delivery or accuracy of data. It is used for applications that do not require reliable data transmission, such as video streaming.

3. Network Layer:

The Network Layer deals with the routing of data between computer networks. It provides the means for transmitting data from one network to another and ensures that data is delivered to its intended destination by routing it through the network in an efficient and effective manner.

This layer handles:

  • Routing
  • IP addresses

It decides the best path data should take to reach its destination. Some examples of Network Layer protocols include IP (Internet Protocol) and ICMP (Internet Control Message Protocol).

2. Data-Link Layer:

The Data Link Layer is concerned with the delivery of data frames between computers belonging to the same network. It provides error detection and correction functions and defines the format of the data frames that are transmitted between devices in the same network.

The Data Link Layer is responsible for several key functions in a network, including:

  • Defining the format of the data frames that are transmitted between devices
  • Error detection and correction
  • Flow control and media access control
  • Media-independent transmission of data frames

This layer works with:

  • MAC addresses
  • Physical addressing

Simply put, it ensures data moves between devices on the same network.

1. Physical Layer:

The Physical Layer is the bottommost layer of the OSI Model. It ensures the physical transmission of data between computers. It defines the electrical, mechanical and functional specifications for the physical connection between devices.

This is the hardware layer and includes:

  • Cables
  • Signals
  • Bits

It physically transmits data.

How Data Travels (Simple Example)

Let’s see a simple example of the OSI model in action when data travels. Let’s say you open a website in your favorite browser. Here’s what happens at each layer.

Step 1: Application Layer

You open your browser and visit a specific website.

Step 2: Presentation Layer

The data of your request is formatted and encrypted.

Step 3: Session Layer

A connection is established.

Step 4: Transport Layer

Data is broken into small packets.

Step 5: Network Layer

These data packets are routed using the IP protocol.

Step 6: Data Link Layer

Once packets reach your network, MAC addresses are used for delivering the data to your device.

Step 7: Physical Layer

Data is sent as electrical signals.

The same process happens in reverse on the receiving side.
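The following is an added example, not code from the original post, that walks a constructed application message down the layers and back up. It builds the UDP (Transport), IPv4 (Network) and Ethernet (Data Link) headers around the data, and the receiving side strips them in reverse, checking at each layer the one thing that layer is responsible for: the destination MAC, the IPv4 header checksum and destination IP, and the transport length field. The MAC and IP addresses and the message are constructed values; UDP is used rather than TCP (which the browser example above would really use) because its 8-byte header keeps the code short, and the layering principle is the same.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Constructed sample addresses for the sending and receiving host (not from the post).
var (
	srcMAC = net.HardwareAddr{0x02, 0x00, 0x00, 0x00, 0x00, 0x01}
	dstMAC = net.HardwareAddr{0x02, 0x00, 0x00, 0x00, 0x00, 0x02}
	srcIP  = net.IPv4(192, 168, 1, 10).To4()
	dstIP  = net.IPv4(192, 168, 1, 20).To4()
)

// checksum16 is the one's-complement sum used for the IPv4 header checksum.
func checksum16(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + sum>>16
	}
	return ^uint16(sum)
}

// Layer 4 (Transport): prepend an 8-byte UDP header with ports and length
// (the UDP checksum field is left 0, which IPv4 allows to mean "none").
func udpSegment(srcPort, dstPort uint16, payload []byte) []byte {
	seg := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint16(seg[0:], srcPort)
	binary.BigEndian.PutUint16(seg[2:], dstPort)
	binary.BigEndian.PutUint16(seg[4:], uint16(len(seg)))
	copy(seg[8:], payload)
	return seg
}

// Layer 3 (Network): prepend a minimal 20-byte IPv4 header with a valid checksum.
func ipv4Packet(src, dst net.IP, proto byte, segment []byte) []byte {
	pkt := make([]byte, 20+len(segment))
	pkt[0] = 0x45 // version 4, header length 5 words = 20 bytes
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	pkt[8] = 64    // TTL
	pkt[9] = proto // 17 = UDP
	copy(pkt[12:16], src)
	copy(pkt[16:20], dst)
	binary.BigEndian.PutUint16(pkt[10:], checksum16(pkt[:20]))
	copy(pkt[20:], segment)
	return pkt
}

// Layer 2 (Data Link): prepend a 14-byte Ethernet II header (dst MAC, src MAC, EtherType 0x0800 = IPv4).
func ethernetFrame(src, dst net.HardwareAddr, packet []byte) []byte {
	frame := make([]byte, 14+len(packet))
	copy(frame[0:6], dst)
	copy(frame[6:12], src)
	binary.BigEndian.PutUint16(frame[12:], 0x0800)
	copy(frame[14:], packet)
	return frame
}

// Encapsulate takes application data down through layers 4, 3 and 2; the
// physical layer would then turn the returned bytes into signals on the wire.
func Encapsulate(appData string) []byte {
	return ethernetFrame(srcMAC, dstMAC, ipv4Packet(srcIP, dstIP, 17, udpSegment(40000, 80, []byte(appData))))
}

// Decapsulate is the receiving side: each layer checks what it is responsible
// for and strips its own header before handing the rest upward.
func Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 14+20+8 {
		return nil, errors.New("frame too short")
	}
	// Layer 2: is the frame for our MAC, and does it carry IPv4?
	if !bytes.Equal(frame[0:6], dstMAC) {
		return nil, errors.New("data link: frame not addressed to this MAC")
	}
	if binary.BigEndian.Uint16(frame[12:]) != 0x0800 {
		return nil, errors.New("data link: not an IPv4 frame")
	}
	pkt := frame[14:]
	// Layer 3: sane lengths, intact header (a valid header checksums to 0), our IP, UDP inside.
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:]))
	if ihl < 20 || total > len(pkt) || total < ihl+8 {
		return nil, errors.New("network: bad IPv4 lengths")
	}
	if checksum16(pkt[:ihl]) != 0 {
		return nil, errors.New("network: IPv4 header checksum mismatch")
	}
	if !dstIP.Equal(net.IP(pkt[16:20])) || pkt[9] != 17 {
		return nil, errors.New("network: not a UDP packet for this IP")
	}
	seg := pkt[ihl:total]
	// Layer 4: the UDP length field delimits the application data.
	ulen := int(binary.BigEndian.Uint16(seg[4:]))
	if ulen < 8 || ulen > len(seg) {
		return nil, errors.New("transport: bad UDP length")
	}
	return seg[8:ulen], nil
}

func main() {
	frame := Encapsulate("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
	fmt.Printf("frame on the wire: %d bytes, Ethernet header % X\n", len(frame), frame[:14])
	data, err := Decapsulate(frame)
	fmt.Printf("received application data: %q (err=%v)\n", data, err)
}
```

Corrupting a single header byte makes the Network Layer checksum fail, and a frame carrying another host's MAC is dropped at the Data Link Layer before the upper layers ever see it, which is exactly the "each step is handled separately" idea from the start of the post.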

Easiest Way to Remember OSI Layers

You can easily remember all the OSI layers from top to bottom with the sentence given below, whose words begin with the first letter of each layer.

All People Seem To Need Data Processing

  • Application
  • Presentation
  • Session
  • Transport
  • Network
  • Data Link
  • Physical

OSI Model in Ethical Hacking

Understanding the OSI model helps you see where attacks actually happen. For example,

Application Layer Attacks:

Web attacks like SQL Injection and XSS attacks.

Presentation Layer Attacks:

SSL Stripping and other decryption attacks.

Session Layer Attacks:

Session Hijacking and other Man-in-the-Middle (MitM) attacks.

Transport Layer Attacks:

DoS attacks

Network Layer Attacks:

IP Spoofing

Data Link Layer Attacks:

MAC spoofing, MAC flooding and Evil Twin attacks in wireless networks.

This helps ethical hackers:

  • Identify weaknesses
  • Choose attack methods
  • Defend systems

OSI Model in the Real World

In real-world networking, the TCP/IP model is more commonly used. But OSI is still the best way for beginners to learn concepts clearly.

Common Mistakes Beginners Make While Learning OSI Model

Here are some common mistakes beginners make while learning about the OSI model.

1. Trying to Memorize Without Understanding:

Focus on what each layer does, not just their names.

2. Skipping the OSI Model altogether:

I made this mistake in my beginner days because I thought the OSI model was boring. Don’t make the same mistake. This creates confusion later.

3. Overcomplicating it:

Keep it simple. You don’t need to know deep technical details yet.

Tips to Learn Faster

Here are some tips to help you master the OSI model faster.

1. Visualize it:

Imagine data moving through layers like a pipeline.

2. Relate to Real Life:

Think of sending a parcel or message.

3. Practice explaining:

If you can explain it simply, that means you understood it.

4. Revise Regularly:

Repetition helps retention.

Conclusion

The OSI Model is not just theory. It’s the foundation of networking and ethical hacking. Once you understand it:

  • Networks become easier to understand
  • Troubleshooting becomes logical
  • Cybersecurity concepts make a LOT MORE sense


How Windows authentication works

Hello, aspiring ethical hackers. In this article, you will learn how Windows authentication works. You have seen multiple tutorials in which we dumped Windows password hashes as part of our hacking tutorials. We did this with meterpreter, mimikatz etc. This should have raised some questions in the minds of readers. To better understand how these tools dump password hashes, you need to understand how Windows authentication works and how Windows stores its password hashes.

The Windows logon process starts as soon as you reach the login screen of a Windows system. The logon process differs between the network scenarios a Windows system can be in. In the real world, a Windows system is configured in one of two network types. They are,

  1. WorkGroup
  2. Domain

Windows systems in a Workgroup network use local authentication, whereas Windows systems joined to a Domain use remote authentication.

How local authentication works in Windows

Let’s first see how local authentication takes place. In local authentication, the password hash is stored on the same computer on which the user is trying to log on. In Windows, passwords are stored in the form of a hash in a file known as the Security Accounts Manager (SAM) file. The SAM file is located at %SystemRoot%\System32\config\SAM and it can neither be deleted nor copied while Windows is running. This is because the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, which it releases only after the operating system has shut down or a “Blue Screen of Death” exception has been thrown. It is mounted under HKLM\SAM and SYSTEM privileges are required to view it. Readers have already learnt that passwords are stored in the SAM file as hashes rather than in plain text. These passwords are stored in two hash formats in the SAM file:

1. LAN Manager Hash (LM Hash)

2. New Technology LAN Manager Hash (NTLM Hash)

LAN Manager Hash

LAN Manager hashing was used by Windows operating systems prior to Windows NT 3.1. In LM hashing, the password hash is computed as follows:

a. The user’s password is restricted to a maximum of fourteen characters.
b. The password is converted to uppercase.
c. The password is then encoded in the system OEM code page.
d. This password is NULL-padded to 14 bytes.
e. This 14-byte fixed-length password is then split into two 7-byte halves.
f. Each 7-byte half is used to create a DES key. This is done by converting the seven bytes into a bit stream with the most significant bit first and then inserting a parity bit after every seven bits (so 1010100 becomes 10101000). This produces the 64 bits needed for a DES key.
g. Each of these two keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
h. These two ciphertext values are then concatenated to form a 16-byte value, which is the final LM hash.


Security of LAN Manager Hash

LM hash has several weaknesses. The major ones are:

1. The maximum length of a password while using LM authentication can only be 14 characters.
2. All passwords are converted to UPPERCASE before the LM hash is generated. This means LM hash treats ABcd1234, abCD1234 and AbCd1234 the same as ABCD1234. This reduces the LM hash key space to just 69 characters.
3. As already explained above, the 14-character password is broken into two halves of 7 characters each and the LM hash is calculated for each half separately. This makes it easier to crack an LM hash, as the attacker only needs to brute-force 7 characters twice instead of the full 14 characters.
4. As of 2020, a computer equipped with a high-end graphics processor (GPU) can compute 40 billion LM hashes per second. At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character alphanumeric passwords can be tested and broken in 2 seconds.
5. If the password is 7 characters or shorter, the second half of the hash will always be the same constant value (0xAAD3B435B51404EE). Therefore, a password of 7 characters or fewer can easily be identified even without using any tools.
6. When logging in remotely over a network, the LM hash value is sent to servers without any salting, making it vulnerable to man-in-the-middle attacks.
7. Without salting, it is also vulnerable to rainbow table attacks.

To overcome these weaknesses, starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default.

NT Hash

Also called the NTLM hash, this is the hash in which modern Windows systems store passwords. It was introduced in 1993. The NT hash is calculated as follows:

1. The password is converted into Unicode characters.
2. The MD4 hash function is then run on these converted characters to get the NT hash, which is stored in the SAM database or, for domain accounts, in the NTDS file. The NT hash is case sensitive, but it still doesn’t provide salting.

The Local Logon Process

1. The Windows authentication process starts from the Windows login screen. LogonUI.exe handles the process by displaying the correct logon input boxes depending on the authenticator put in place.
2. When users enter the password on the login interface, winlogon.exe collects those credentials and passes them to lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable responsible for managing secure user interactions. The Winlogon service initiates the logon process by passing the credentials collected from the user to Lsass.
3. LsaLogonUser supports interactive logons, service logons and network logons. The LsaLogonUser API authenticates users by calling an authentication package, most probably the MSV1_0 (MSV) authentication package, which is included with Windows NT.
4. The MSV authentication package is divided into two parts. In local authentication, both parts run on the same computer. The first part of the MSV authentication package calls the second part.
5. The first part converts the clear-text password both to a LAN Manager hash and to a Windows NT hash. The second part then queries the SAM database for the stored password hashes and checks that they are identical.
6. If the hashes are identical, access is granted.

How Windows Domain authentication takes place

1. The Windows authentication process starts from the Windows login screen. LogonUI.exe handles the process by displaying the correct logon input boxes depending on the authenticator put in place.
2. When users enter the password on the login interface, winlogon.exe collects those credentials and passes them to lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable responsible for managing secure user interactions. The Winlogon service initiates the logon process by passing the credentials collected from the user to Lsass.
3. LsaLogonUser supports interactive logons, service logons and network logons. The LsaLogonUser API authenticates users by calling an authentication package, most probably the MSV1_0 (MSV) authentication package, which is included with Windows NT.
4. The MSV authentication package is divided into two parts. The first part runs on the computer that is being connected to and the second part runs on the computer that contains the user account. When the first part recognizes that network authentication is required, because the domain name passed is not its own domain name, it passes the request to the Netlogon service. The Netlogon service is an authentication mechanism in the Windows client authentication architecture that is used to verify logon requests. It registers, authenticates and locates domain controllers. Its functions include:

     a. Selecting the domain to pass the authentication request to.
     b. Selecting the server within the domain.
     c. Passing the authentication request through to the selected server.

5. The Netlogon service on the client computer then forwards the logon request to the Netlogon service on the destination computer (i.e., the domain controller).
6. In turn, the Netlogon service passes the request to the second part of the MSV authentication package on that destination computer.
7. First, the second part queries the password hashes from the SAM database or from the Active Directory database. Then it computes the challenge response using the password hash from the database and the challenge that was passed in, and compares the computed challenge response with the passed-in challenge response.
8. If they are identical, access is granted.
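The following is an added example, written for this page and not taken from the article, that ties the two halves of this post together. It implements steps a to h of the LAN Manager hash using Go's standard crypto/des, shows the case-insensitivity and the constant-second-half weaknesses from the LM weaknesses list (the 0xAAD3B435B51404EE value is the one the article gives), and then models step 7 of the domain logon above: the client derives a 24-byte response from its hash and the server's 8-byte challenge in the classic LM/NTLMv1 style (hash NULL-padded to 21 bytes, split into three 7-byte DES keys, each encrypting the challenge), and the server recomputes the same response from the stored hash and compares. Assumptions: passwords are ASCII, so the OEM code page step is treated as an identity; the challenge and the passwords are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant that each DES key encrypts (step g).
const lmMagic = "KGS!@#$%"

// desKeyFrom7 implements step f: the 56 bits of a 7-byte half, most significant
// bit first, with a parity bit (0 here) inserted after every 7 bits, giving 8 bytes.
func desKeyFrom7(half []byte) []byte {
	var stream uint64
	for _, b := range half {
		stream = stream<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte((stream>>(49-7*uint(i)))&0x7f) << 1
	}
	return key
}

// desEncrypt7 DES-encrypts one 8-byte block under the key derived from a 7-byte half.
func desEncrypt7(half, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only possible for a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash runs steps a to h. Only ASCII passwords are handled (assumption: the
// OEM code page conversion of step c is an identity for ASCII).
func LMHash(password string) []byte {
	pw := strings.ToUpper(password) // step b
	if len(pw) > 14 {
		pw = pw[:14] // step a
	}
	padded := make([]byte, 14) // step d: NULL-padded to 14 bytes
	copy(padded, pw)
	h := desEncrypt7(padded[:7], []byte(lmMagic))                   // steps e to g, first half
	return append(h, desEncrypt7(padded[7:], []byte(lmMagic))...) // step h: concatenate
}

// emptyHalf is the DES encryption of the magic string under an all-zero half,
// i.e. the constant the article lists as weakness 5.
const emptyHalf = "aad3b435b51404ee"

// SecondHalfEmpty reports whether an LM hash reveals a password of 7 characters or fewer.
func SecondHalfEmpty(lm []byte) bool {
	return hex.EncodeToString(lm[8:]) == emptyHalf
}

// ChallengeResponse is the LM/NTLMv1-style response: the 16-byte hash is
// NULL-padded to 21 bytes, split into three 7-byte DES keys, and each key
// encrypts the 8-byte server challenge, giving 24 bytes.
func ChallengeResponse(hash16, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash16)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt7(padded[i*7:i*7+7], challenge)...)
	}
	return resp
}

// VerifyResponse is what the second part of the MSV package does in step 7:
// recompute the response from the stored hash and compare it with the one received.
func VerifyResponse(storedHash, challenge, received []byte) bool {
	return bytes.Equal(ChallengeResponse(storedHash, challenge), received)
}

func main() {
	for _, pw := range []string{"", "secret", "SECRET", "password", "longerpassword"} {
		lm := LMHash(pw)
		fmt.Printf("%-16q LM=%X  second half empty=%v\n", pw, lm, SecondHalfEmpty(lm))
	}
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed sample challenge
	stored := LMHash("password")                                       // what the server has on file
	fmt.Println("correct password accepted:", VerifyResponse(stored, challenge, ChallengeResponse(LMHash("password"), challenge)))
	fmt.Println("wrong password accepted:  ", VerifyResponse(stored, challenge, ChallengeResponse(LMHash("passw0rd"), challenge)))
}
```

Note that the server never needs the password itself, only the stored hash, which is why a stolen hash is as good as the password for this scheme and why the lack of salting in both LM and NT hashes matters so much for defenders.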

That was all about how Windows authentication works.


Beginners guide to Antivirus

Hello, aspiring ethical hackers. In our previous blog post, you learnt about malware and viruses. In this blog post, you will learn about antivirus software. But what is an antivirus?

What is an Antivirus?

Antivirus, also called anti-malware, is software specifically created to detect and stop malware and viruses from performing their malicious actions on a computer or mobile device.

How an antivirus detects threats

To identify and prevent malware, an antivirus uses several techniques. They are,
1. Signature based detection
2. Heuristic based detection
3. Behavior based detection
4. Sandbox based detection
5. Cloud based detection

1. Signature based detection:

This type of AV detects malware by comparing its code with known malware samples. The samples the anti-malware uses for comparison are known as signatures. These signatures are updated regularly (in most cases, daily) by the anti-malware product in order to stay one step ahead of malware. This is the reason why anti-malware needs regular updates.

2. Heuristics based detection:

The problem with signature-based detection is that it can only detect known malware, or malware that has been around for a while. To overcome this problem, many antivirus products nowadays detect malware using heuristic analysis. In this type of analysis, the antivirus tries to identify malware by examining the code of a suspected virus and analyzing the structure of the program. By doing this, the antivirus effectively simulates running the code to see what it actually does. If it finds any malicious intent in the code, such as the program replicating itself or trying to rewrite itself, it classifies the program as malware. As already mentioned, this is used by almost all modern anti-malware.

3. Behavior based detection:

In behavior-based detection, the antivirus watches for suspicious activity in the operating system. If the AV notices that a new program is trying to modify the system, for example by altering files or running code that communicates with external systems, it flags the program as a virus and blocks it. So instead of scanning the code of the malware, it scans for suspicious activity.

4. Sandbox based detection:

In Sandbox detection, the Antivirus classifies a program as malware after executing the program in a contained environment separated from the operating system. This contained environment is known as sandbox. If the program performs any suspicious or malicious activity in the sandbox, the antivirus classifies the program as malware. This method of detection takes a heavy toll on the system resources.

These are the ways in which antivirus can detect malware or payloads we create in penetration testing. There are a few other concepts you need to understand about antivirus.

Security alerts of an Antivirus scan

As soon as a new program or file touches the hard disk, the AV scans the file using one or all of the methods explained above and reaches a verdict. After scanning a file, an AV can arrive at any of the four results given below.

  1. True Positive (TP)
  2. True Negative (TN)
  3. False Positive (FP)
  4. False Negative (FN)

1. True Positive (TP):

When antivirus detects a truly malicious file as malicious, it is called True Positive.

2. True Negative (TN):

When an antivirus doesn’t classify a genuine and harmless file as malicious, it is called a True Negative.

3. False Positive (FP):

When a genuine file is flagged as malicious by the antivirus, it is known as a False Positive. A false positive is not a security failure, but it is frustrating and can also create real problems. For example, in May 2007, Symantec flagged essential operating system files as malicious and deleted them due to faulty virus signatures. This left thousands of PCs unable to boot. Similarly, in October 2011, Microsoft Security Essentials mistakenly flagged the Google Chrome browser as the Zbot banking trojan and removed it.

4. False Negative (FN):

However frustrating and problematic a false positive can be, the most dangerous result of an antivirus is a False Negative. This occurs when an antivirus fails to identify a malicious program as malicious and flags it as harmless. Black hat hacker groups always try to achieve this false negative result while creating their payloads. A payload that gets this result from AVs is called a FUD (fully undetectable) payload.
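The following is an added example, not code from the original post, that makes the signature-based detection section and the four verdict types concrete. It holds a constructed signature database (one exact SHA-256 signature and one byte-pattern signature), scans a constructed corpus of "files" whose ground truth is known, and counts the True Positives, True Negatives, False Positives and False Negatives the scan produces. All file contents, marker strings and signature names are constructed for the demo; the marker strings stand in for real malware code and carry no meaning outside this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is a constructed signature: either the exact SHA-256 of a known
// sample or a byte pattern that a malware family contains.
type Signature struct {
	Name    string
	SHA256  string // hex digest of the whole file; empty for pattern signatures
	Pattern []byte // byte sequence; nil for hash signatures
}

// Sample is a constructed file together with ground truth the AV does not know.
type Sample struct {
	Name      string
	Data      []byte
	Malicious bool
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Constructed corpus. The DEMO-MARKER strings stand in for real malware code.
var samples = []Sample{
	{"dropper.exe", []byte("MZ..DEMO-MARKER-A..downloads and runs a second stage.."), true},
	{"worm.exe", []byte("MZ..DEMO-MARKER-B..copies itself over the network.."), true},
	{"packed.exe", []byte("MZ..the same worm, repacked so no known bytes remain.."), true},
	{"notepad.exe", []byte("MZ..a harmless text editor.."), false},
	{"report.docx", []byte("PK..the text DEMO-MARKER-A quoted inside a benign document.."), false},
	{"chrome.exe", []byte("MZ..a harmless browser.."), false},
}

// Constructed signature database: an exact-hash signature for worm.exe and a
// pattern signature for the dropper family.
var signatures = []Signature{
	{Name: "Demo.Worm.B", SHA256: sha256Hex(samples[1].Data)},
	{Name: "Demo.Dropper.A", Pattern: []byte("DEMO-MARKER-A")},
}

// Scan returns the name of the first matching signature, or "" when the file is considered clean.
func Scan(data []byte) string {
	digest := sha256Hex(data)
	for _, s := range signatures {
		if s.SHA256 != "" && s.SHA256 == digest {
			return s.Name
		}
		if s.Pattern != nil && bytes.Contains(data, s.Pattern) {
			return s.Name
		}
	}
	return ""
}

// Outcome counts the four verdict types described in the section above.
type Outcome struct{ TP, TN, FP, FN int }

// Evaluate scans each sample and classifies the verdict against the ground truth.
func Evaluate(corpus []Sample) Outcome {
	var o Outcome
	for _, s := range corpus {
		flagged := Scan(s.Data) != ""
		switch {
		case flagged && s.Malicious:
			o.TP++ // truly malicious, detected
		case !flagged && !s.Malicious:
			o.TN++ // harmless, left alone
		case flagged && !s.Malicious:
			o.FP++ // harmless, but flagged
		default:
			o.FN++ // malicious, but missed
		}
	}
	return o
}

// DetectionRate is TP/(TP+FN); FalsePositiveRate is FP/(FP+TN).
func (o Outcome) DetectionRate() float64     { return float64(o.TP) / float64(o.TP+o.FN) }
func (o Outcome) FalsePositiveRate() float64 { return float64(o.FP) / float64(o.FP+o.TN) }

func main() {
	for _, s := range samples {
		fmt.Printf("%-12s malicious=%-5v verdict=%q\n", s.Name, s.Malicious, Scan(s.Data))
	}
	o := Evaluate(samples)
	fmt.Printf("%+v detection rate=%.2f false positive rate=%.2f\n", o, o.DetectionRate(), o.FalsePositiveRate())
}
```

Running it shows both failure modes from the text at once: packed.exe is a False Negative because an exact-hash signature matches only the bytes it was written for, and report.docx is a False Positive because the pattern signature fires on the marker text wherever it appears. Changing a single byte of worm.exe is enough to defeat its hash signature, which is the limitation the heuristics section says other detection methods exist to cover.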

Next, learn about IDS and IPS.