Posted on

Data-Link layer attacks

Hello, aspiring ethical hackers. In this blogpost, you will learn about various Data-Link Layer attacks (various hacking attacks that take place on the Data-Link layer).

The Data-link layer is the second layer of the seven-layer OSI model. This layer is the protocol layer that transports data between network nodes in a wide Area Network or nodes in the same Local Area Network (LAN). It is responsible for ensuring and confirming that the bits and bytes received are similar to the bits and bytes being transmitted. In this layer, data is transferred in frames and communication takes place using MAC addresses instead of IP addresses. The attacks in the Data-link Layer take place in a LAN.

Data Link Layer Attacks 1 1

What is a Network Hub?

A network hub is a hardware device that connects multiple devices to a network and allows them to communicate with each other and share resources.

Just imagine, you have a router with 5 LAN ports. Using LAN cables, you can connect 5 devices to this router. Now, what if you want to connect 10 devices to the same network. This is where the use of network hub comes. You can connect a network Hub to one of the ports of a router. Let’s say this network hub has 10 LAN ports. So you can connect 10 computer devices to the same network. Similarly you can connect Network Hub to all ports of the routers to extend the network.

Data Link Layer Attacks 3
Network Hub
Image Source: Wikipedia

The only disadvantage with Hub is that it sends traffic intended to be between two machines to all the devices of the network. Other than consuming bandwidth, it also poses security threats like sniffing.

For example, let’s say someone from machine “B” in a network is logged into telnet server on machine “A”. You have seen in our packet sniffing blogpost that in telnet protocol, data is transferred in plain text format. So in a Hub based network, the network traffic intended to be between “A” and “B” will even go to another machine in the network “C”. If a hacker is on machine “C” he can view the telnet credentials by sniffing.

What is a Network Switch?

Data Link Layer Attacks 2 1
Fig: Network Switch
Image source: Wikipedia

The above reasons are why, network Hubs have been replaced by Network Switches. A Switch, similar to a Network Hub in a hardware device that connects all the device of a network. The only difference in switch sends the traffic to the intended device instead of all the devices in the network

What is a MAC address?

Just now, you have read that communication between devices in a LAN takes place using MAC addresses. But what is a MAC address? Every computing device on Internet (Desktop, Laptop and Mobiles etc) has a Network Interface Card (NIC). This Network Interface Card (NIC) is a hardware circuit in the computing devices that enables the devices to be able to connect to a network.

Each NIC is given a unique hardware address that is also popularly known as a Media Access Control (MAC) address. A MAC addresses is a 48-bit number consisting of six groups of two hexadecimal digits. To learn how MAC addresses are assigned to devices and how to find MAC address of your device, you can read this blogpost.

Data Link Layer Attacks 4

Types of Data-Link layer attacks

Since now you have understood how Data-Link layer works and what is a MAC address, let’s learn about various Data-link layer attacks.

  1. MAC spoofing
  2. MAC flooding
  3. ARP spoofing or poisoning
  4. DNS spoofing
  5. DHCP starvation

Let’s learn about each attack in detail.

1. MAC spoofing:

Although every computing device has its unique MAC address, it can be spoofed. Normally, when a MAC address of a device (say A) is spoofed to that of another device (say B) all the traffic that is intended to move toward device B goes to device A and the attacker can view all the traffic belonging to device B.

2. MAC flooding:

You have just now learnt about what is a Hub and what is a Switch and the differences between a Hub and Switch. You also learnt about CAM table or ARP table. In a MAC flooding attack, the CAM table is bombarded with a number of fake MAC addresses disabling the Switch’s ability to detect which MAC address belongs to which port.

To overcome this problem, a network Switch uses its broadcast address to transmit frames to the intended destination. In typical sense, the network switch here behaves like a Hub and you know about the dangers of using a Hub. A hacker already in the network can monitor the network traffic he wants via packet sniffing.

3. ARP spoofing and poisoning:

In this type of attack, the attacker sends fake ARP packets to the network from the attacker-controlled system (System A). Here, the attacker-controlled system acts as the gateway. This leads to all other devices querying the attacker-controlled system resulting in the attackers using packet sniffing again to sniff on traffic.

4. DNS spoofing:

This attack requires ARP spoofing to work. In this type of attack, attacker responds to DNS queries of the target system instead of the legitimate DNS server.

Posted on

Beginners guide to IDS and IPS

Hello, aspiring ethical hackers. This blogpost is a beginner guide to IDS (Intrusion Detection System) and IPS (Intrusion Preventions System). IDS and IPS are two of the security technologies used for securing the network of any organization from hackers.

What is an IDS and what is an IPS?

Intrusion Detection system (IDS) is an appliance or software that detects any malicious activity on the network and reports it. Intrusion Prevention System (IPS) on the other hand acts just like Intrusion Detection System but, unlike it doesn’t just make a report but tries to prevent its occurrence. This malicious activity can be anything like modification of system or important files, suspicious network traffic and execution of some files etc. Both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are useful in enhancing the security of the network.

IDS and IPS 1

Based on the mode of operation, Intrusion Detection System and Intrusion Prevention System can be classified into two types. They are, 1) Host based (Software) 2) Network based (Hardware).

  1. Host based Intrusion Detection and Prevention Systems: They work by detecting or preventing threats on a single system.
  2. Network based Intrusion Detection and Prevention Systems: These are most probably a hardware appliance that detects or prevents threats on the entire network.

Types of IPS and IDS

IDS and IPS 2

Based on the techniques they use to identify and prevent threats, Intrusion Detection Systems and Intrusion Prevention Systems can be classified into two types. They are,

    1. Signature-based :

    This type of Intrusion Prevention Systems and Intrusion Detection Systems detect threats by comparing actions with predefined signatures. For example, If action of an executable matches with a pre-defined signature of an IDS or IPS, it is classified as a threat.

    2. Anomaly based:

    Anomaly based Intrusion Detection Systems and Intrusion Prevention Systems detect threats by observing the behavior of the assumed threat. If the IDS and IPS see any different behavior than that is considered to be normal, it classifies it as a threat. For example, if a program being installed is trying to alter system files, this can be considered as an anomaly.

    Posted on

    POST exploitation guide for beginners

    Hello, aspiring ethical hackers. In this blogpost, you will learn about POST-exploitation. POST-exploitation comes after the phase of gaining access in ethical hacking.

    POST Exploitation 1 781x1024

    What is POST-exploitation?

    POST- exploitation refers to all the operations that are performed after gaining initial access on the target system. It is done to further gain control of the target system and network. POST -Exploitation consists of three phases mainly. They are,

    1. Privilege escalation.
    2. Maintaining access.
    3. Covering tracks.

    Let’s learn about each in detail.

    1. Privilege escalation:

    Privilege escalation is an act of gaining elevated access to resources that are normally restricted to an application or user. Privilege escalation is an act or process of gaining access to privileges of the other user account using any means or techniques. Normally privileges of user account with higher privileges are targeted by hackers. Learn more about privilege escalation.

    2. Maintaining access:

    Maintaining access is the fourth phase in the total5 phases of ethical hacking. In this phase, hackers try to hold on to the initial access or foothold they have gained on the network. For this, they use various techniques like elevating privileges, installing backdoors, running persistence scripts and tunneling.

    3. Covering Tracks:

    Covering tracks or clearing tracks is the phase of ethical hacking in which a hacker tries to erase all the evidence on the target system that can lead back to the hacker. For covering tracks, hackers perform various actions like clearing logs, time stamping files etc.

    Posted on

    Covering tracks in ethical hacking

    Hello, aspiring ethical hackers. In this blogpost, you will learn about covering tracks which is the last of the 5 phases of ethical hacking.

    What is Covering tracks?

    Covering tracks or clearing tracks is the phase of ethical hacking in which a hacker tries to erase all the evidence on the target system that can lead back to the hacker. For covering tracks, hackers perform various actions. They are,

    1. Uninstalling executables and scripts:

    Hackers install many scripts and executables on the target system as part of their hacking attack. These scripts may help hackers cracking passwords, privilege escalation, maintaining access etc. Detection of these scripts and executables on the target system can lead the investigators to the hacker. So, hackers uninstall or delete any scripts or executables they have used in carrying the hacking attack.

    2. Clearing logs:

    Every operating system has its own logs that record different operational activities being performed on the operating system. They also record any actions performed by hackers. When an incident investigator observes these logs, he can easily deduce what the hacker did on the target system. To prevent this, hackers clear these logs to hide whatever they did on the target system.

    Covering Tracks 2 1
    Fig: Event Viewer in Windows where all logs can be viewed
    Covering Tracks 3 1
    Fig: In Linux all logs are stored in the “/var/log/” directory

    3. Timestamping files:

    Every file on the operating system has a time stamp which reveals information about the file like the date of its creation, last modified time etc. Hackers change this timestamp of the files appropriately to prevent detection of the modifications they made to files inadvertently while hacking.

    Covering Tracks 4 1
    Fig: Timestamp of a file in Windows
    Covering Tracks 5
    Fig: Timestamp of a file in Linux

    4. Modifying registry values:

    The Windows Registry in the Windows operating system is a hierarchical database that contains information, settings, options, and other values for programs and hardware installed on the Windows operating system. Changes made to some program can also be detected by viewing this registry. So, hackers also modify these registry values to hide their malicious activity.

    Covering Tracks 6
    Fig: Windows Registry
    Posted on

    Beginners guide to a web shell

    Hello, aspiring ethical hackers. In this blogpost you will learn about web shell. In our previous blogpost you learnt what is a shell, what it does and the types of shell. A web shell is a type of shell but it is used in relation to websites and web server.

    What is a web shell?

    A web shell is a type of shell that gives attacker access to a website or web server. It is usually uploaded after already the website is compromised as a means to have persistent access to the website in future.

    Web shells have various features. Most important of them are,

    1. Persistent access.
    2. Uploading additional files to the web server.
    3. Downloading files from the web server.
    4. Executing additional scripts on the web server.
    5. Dumping databases of the web server.
    6. Pivoting to other devices on the network.
    7. Privilege escalation etc.

    We can say that once a web shell is uploaded to the website, it gives complete control over the website to the attackers.

    How are web shells uploaded?

    Some vulnerabilities and attack allow hackers to upload web shells to the website to keep having persistent access. Some of these vulnerabilities are.

    1. File upload vulnerabilities:

    File upload or Remote file inclusion (RFI) vulnerabilities allow attackers to upload arbitrary files to the web servers. These arbitrary files are most probably web shells.

    2. Path traversal vulnerabilities:

    In some cases, path traversal or Local File Inclusion (LFI) vulnerabilities also allow attackers to upload web shells.

    3. XSS vulnerability:

    Not just file inclusion vulnerabilities, even cross site scripting (XSS) vulnerabilities in some cases allow uploading of web shells.

    4. Password cracking:

    After the password of the website is successfully cracked, attackers can upload web shells to a website for future access.

    Types of web shells

    Web shells are easily available on internet. There are various types of web shells with variety of features in various languages. Needless to say, the web shell being uploaded to the website should be of same languages as the server-side scripting language used on the web server or website. Now, let’s study about some web shells.

    1. Weevely:

    Weevely2

    Weevely is a web shell designed for POST-exploitation with almost 30 modules to assist in administrative tasks, maintaining access, elevate privileges and spreading over the network. Learn more about it here.

    2. Web shells in Kali Linux

    Webshells1

    Kali Linux itself has some web shells ready to be deployed. Although their functionality is simple, they are quite good for beginners. Learn about them here.

    3. Metasploit/MSFvenom

    Is there anything Metasploit can’t create? Yes, you can create your own web shell with msfvenom. Learn how.

    4. C99 shell

    C99shell1 1024x467

    Peering to the Black Hat side, C99 shell or its variants are still being used by Black Hat Hackers in real world. Learn more about C99 shell here.