proxy server
an intermediary for connecting with other computers
proxy server uses
proxy firewall, filtering out unsuitable traffic, remotely access intranets, NAT, hide source IP
proxy server malicious uses
impersonating a fake source
anonymizers
private web surfing; eliminates all identifying information
anonymizer types
network (eavesdropping) and single point (traffic analysis)
proxy chaining
attacker can increase his anonymity, traffic can be encrypted end-to-end, slow
proxy switcher
multiple internal proxy servers that the attacker switches among periodically
Tor
onion router that encapsulates messages in layers of encryption
Tor network
6000+ relay nodes, accessible with Tor browser
Tor operation
relays: entry, middle, exit
hidden service: use rendezvous points to run web server anonymously
creates darknet, darkweb, and deep web
Tor anonymity
supposedly broken in 2024 by German authorities; the Tor Project states it is still safe, however
setting up proxy on windows
go to Internet Options
click connections tab
click LAN settings
type proxy address
web manipulation proxy
intercepts HTTP/HTTPS traffic, lets the user inspect or change the content (cookies, form fields), and submits the page; similar to MITM but running on the attacker's own machine
how web manipulation proxies do SSL
two SSL connections: one between the web browser and the web manipulation proxy, and one between the proxy (across the internet) and the web server
vulnerability scanning
identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited
vulnerability scanning discovers
network vulnerabilities, open ports & running services, application & services vulnerabilities, application & services configuration errors, tools
Nessus
most popular vulnerability scanner
buffer overflow attack
stuffing too much data into a data container (if you don't validate input, data keeps being written beyond its container); the most common type of remote and local vulnerability; many subtypes of overflows
buffer overflow example
char name[64], temp_name[16];
gets(name);              /* no length limit: input longer than 64 bytes overruns name */
strcpy(temp_name, name); /* no length check: a long name overruns temp_name */
how programs run (stack overflow)
fetches and executes instructions sequentially, one by one; the instruction pointer is incremented after each instruction, and at a jump the instruction pointer is altered to begin fetching instructions from a different location
the exploit
causes an arbitrary command (usually a shell program) to be executed in the context and with the permissions of the vulnerable program; specific to the target machine type and OS
normal stack
buffer 2, buffer 1, return pointer, function call arguments
smashed stack
buffer 2, machine code, new return pointer pointing at the machine code, function call arguments
stack
a dynamic structure; the location of stack frames varies
NOP sled
include NOPs before the executable code so that execution slides down the NOPs until it reaches the exploit code
payload
piece of software that lets you control a computer system after it has been exploited (= shellcode)
exploit
a small and highly specialized computer program whose sole purpose is to take advantage of a specific vulnerability and provide access to a computer system (= delivery script)
metasploit
allows developing new attacks from existing tools and testing the attack
active exploit
actively exploits a host
passive exploits
waits for incoming hosts, then exploits them
payload inline
contains the exploit and shellcode together; stable, but large in size
payload staged
exploits the victim, establishes a connection with the attacker, then pulls down the rest of the payload
payload meterpreter
advanced dynamic payload, extended over the network, extensible through modules and plugins
metasploit payload
establishes a communication channel between the MSF and the victim host
bind connection
local server gets started on victim machine, attacker connects to victim, /bind_tcp
reverse connection
local server gets started on attacker machine, victim connects to attacker, /reverse_tcp
NOP
no operation in the x86 architecture
metasploit NOP
generates no-operation instructions used for padding out buffers, via the generate command
metasploit auxiliary
can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing; started with the run or exploit command
encoders
scrambles the NOPs and payloads, making them look like normal traffic or garbage to an IDS
DoS attack
attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users, attack on availability (malformed packet & packet flooding)
malformed packet attack
sending a very large ping packet to a victim can crash some operating systems
land attack
sends a TCP SYN packet with the source address spoofed to the victim's own address, causing it to crash repeatedly
teardrop attack
sending IP fragments with overlapping oversized payloads
WinNuke attack
sending data to TCP port 139 crashes the victim
phlashing
permanent DoS; attacks that cause irreversible damage to system hardware (sabotage)
bricking a system
attackers send fraudulent hardware updates to the victims; once installed, the attacker gets complete control
DDoS
a multitude of compromised systems attacking a single target, attacker uses botnets and attacks a single system
bots
software applications that run automated tasks over the internet and perform simple repetitive tasks, such as web spidering and search engine indexing
botnet
a huge network of the compromised systems and can be used by an attacker to launch denial of service attacks
volumetric attacks
consumes the bandwidth of target network or service using botnets, measured in bps, (flood attack, amplification attack), UDP & ICMP flood, ping of death, smurf
protocol attack
consumes computing resources such as connection state table in load balancers, FW, servers, measured in pps, (SYN & ACK flood, TCP exhaustion, fragmentation attack)
application layer attacks
consumes the application resources or services thereby making it unavailable to legitimate users, measured in rps, (HTTP GET/POST attack, slowloris attack)
application layer attacks
peer to peer attacks, application level flooding, reflection attack (DNS)
transport layer attacks
SYN flooding, UDP flooding
network layer attack
ICMP flooding
link layer attacks
permanent DoS
smurf attack
ICMP flood attack; smurf sends ICMP echo requests (pings) to a network's broadcast address with the source IP spoofed to the victim's address; easy to prevent
distributed reflection denial of service DRDoS
spoofed attack that uses multiple intermediary (compromised) and secondary (uncompromised) machines; larger attack bandwidth and attack is impossible to trace
DNS amplification attack
attacks using thousands of name servers can direct gigabits of data per second against the target
service request flooding
a group of zombies attempts to exhaust server resources by setting up and tearing down connections; targets the memory of the server
SYN flooding
attacker sends many SYN packets to a victim with a spoofed source IP address
SYN flooding effects
takes advantage of a flaw in the TCP 3-way handshake; the victim can't open a new connection because the listen queue is filled up
SYN flood mitigation
increase connection queue size and reduce timeout
SYN cookies
the sequence number in the SYN-ACK is set as a function of the client's IP address, so the attacker would need to know the sequence number; enabled with echo 1 > /proc/sys/net/ipv4/tcp_syncookies; no memory is allocated for the half-open connection
SYN cookies t
a 32-bit counter which increments every 64 seconds
SYN cookies K
a secret key selected by server for uptime of server
application layer DoS attacks
attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests, result in loss of service
application level flood attacks
flood servers with a high rate of connections from valid sources; HTTP GET/POST attacks, slowloris attacks
sockstress
affects window size and memory available
multi vector attack
combination of volumetric, protocol, and application attacks to confuse the victims IT department