Cyber Security Lab Flashcards

Information Technology Act - Indian Perspective

Section 65: Tampering with Computer Source Documents

  • Description: Intentionally concealing, destroying, or altering computer source code when it is required by law to be maintained.
  • Penalty: Imprisonment up to three years, a fine up to two lakh rupees, or both.

Section 66: Computer Related Offences

  • Description: Committing any act mentioned in Section 43 dishonestly or fraudulently.
  • Penalty: Imprisonment up to three years, a fine up to five lakh rupees, or both.

Amendments to Section 66:

  • 66A: Punishment for sending offensive messages through communication services.
  • 66B: Punishment for dishonestly receiving stolen computer resources or communication devices.
  • 66C: Punishment for identity theft.
  • 66D: Punishment for cheating by personation using computer resources.
  • 66E: Punishment for violation of privacy.
  • 66F: Punishment for cyber terrorism.

Section 67: Publishing or Transmitting Obscene Material in Electronic Form

  • Description: Distributing or sending obscene material electronically.
  • Penalty: Imprisonment up to three years and a fine up to five lakh rupees. Repeat offenses may result in imprisonment up to five years and a fine.

Section 67A: Publishing or Transmitting Sexually Explicit Material in Electronic Form

Section 67B: Publishing or Transmitting Material Depicting Children in Sexually Explicit Acts in Electronic Form

Section 67C: Preservation and Retention of Information by Intermediaries

Section 68: Power of Controller to Give Directions

  • Description: The Controller can direct a Certifying Authority or its employee to take or cease actions to ensure compliance.
  • Penalty: Imprisonment up to two years, a fine up to one lakh rupees, or both.

Section 69: Power to Issue Directions for Interception or Monitoring or Decryption of any Information Through any Computer Resource

  • Description: Empowers the Central or State Government to direct agencies to monitor, intercept, or decrypt information transmitted, generated, received, or stored in any computer resource.
  • Penalty: Imprisonment up to seven years and a fine.

Section 69B: Power to Authorize to Monitor and Collect Traffic Data or Information Through any Computer Resource for Cyber Security

Section 70: Protected System

  • Description: The Government can declare a computer resource affecting Critical Information Infrastructure as a protected system.
  • Penalty: Imprisonment up to ten years and a fine.

Section 70A: National Nodal Agency

Section 71: Penalty for Misrepresentation

  • Description: Making misrepresentations or concealing facts to the Controller or Certifying Authority to obtain a permit or certificate.
  • Penalty: Imprisonment up to two years, a fine up to one lakh rupees, or both.

Section 72: Penalty for Breach of Confidentiality and Privacy

  • Description: A government official disclosing records and information accessed during their duties without consent.
  • Penalty: Imprisonment up to two years, a fine up to one lakh rupees, or both.

Section 72A: Punishment for Disclosure of Information in Breach of Lawful Contract

Section 73: Penalty for Publishing Certificate False in Certain Particulars

  • Description: Publishing an electronic Signature Certificate that is false in certain details.
  • Penalty: Imprisonment up to two years, a fine up to one lakh rupees, or both.

Section 74: Publication for Fraudulent Purpose

  • Description: Intentionally creating, distributing, or making available a certificate for fraudulent or unlawful purposes.
  • Penalty: Imprisonment up to two years, a fine up to one lakh rupees, or both.

Section 75: Act to Apply for Offence or Contravention Committed Outside India

  • Description: Applies to offenses or contraventions committed outside India involving a computer, computer system, or computer network located in India.

Section 76: Confiscation

  • Description: Any computer, computer system, or related accessories used in contravention of the Act are subject to seizure.

Section 77: Compensation, Penalties or Confiscation Not to Interfere with Other Punishment

  • Description: Compensation, penalties, or confiscation under this Act do not prevent other punishments under other laws.

Section 77A: Compounding of Offences

Section 77B: Offences with Three Years Imprisonment to be Bailable

Section 78: Power to Investigate Offences

  • Description: A police officer not below the rank will investigate any offense under this Act.

Recent Cyber Incidents / Vulnerabilities

A. Siloscape Malware

  1. Original Issue Date: June 14, 2021
  2. Virus Type: Malware Targeting Windows Containers
  3. Description: Targets misconfigured Kubernetes clusters, using Windows container escape techniques to execute code on the underlying node and spread within the cluster. It can steal credentials, confidential files, and databases, and leverage resources for cryptomining.
  4. Behavior:
    • Uses Windows container escape techniques.
    • Abuses node credentials to spread in the cluster.
    • Uses Tor proxy for anonymous connection to its command and control (C2) server.
  5. Best Practices and Countermeasures:
    • Restrict node privileges to prevent new deployments.
    • Use Hyper-V containers instead of Windows Server containers for security.
    • Regularly backup critical information and store backups offline.
    • Check database integrity and backup files for unauthorized content.
    • Disable PowerShell/Windows script hosting if not required.
    • Restrict user abilities to install and run unwanted software.
    • Enable personal firewalls on workstations.
    • Enable Windows Defender Application Guard with whitelisted trusted sites.
    • Conduct Vulnerability Assessment and Penetration Testing (VAPT).

B. Sarbloh Ransomware

  1. Original Issue Date: March 12, 2021
  2. Virus Type: Ransomware
  3. Description: Spreads via spear-phishing emails with malicious documents containing obfuscated VBA code. It downloads the Sarbloh Ransomware, encrypts files (audio, images, video, databases, documents), renames them with the ".Sarbloh" extension, and demands ransom via a note named "README_SARBLOH.txt".
  4. Best Practice and Remedial Measures:
    • Maintain updated antivirus software.
    • Keep the operating system and third-party applications updated with the latest patches.
    • Avoid opening attachments or clicking URLs in unsolicited emails.
    • Follow safe web browsing practices.
    • Perform regular backups of critical information, stored offline.
    • Check database integrity and backup files for unauthorized content.
    • Disable PowerShell/Windows script hosting if not required.
    • Restrict users' abilities to install and run unwanted software.
    • Enable personal firewalls on workstations.
    • Enable Windows Defender Application Guard with whitelisted trusted sites.
    • Enable Exploit Protection.
    • Turn on attack surface reduction rules.
    • Implement strict external device usage policy.
    • Employ data-at-rest and data-in-transit encryption.
    • Consider installing Enhanced Mitigation Experience Toolkit.
    • Block attachments of file types like .exe, .pif, .tmp, etc.
    • Carry out VAPT and information security audits regularly.
    • Do not pay the ransom.

C. Adrozek Malware

  1. Original Issue Date: December 11, 2020
  2. Virus Type: Browser Modifiers
  3. Description: Distributed via drive-by download schemes, redirecting users from legitimate sites to malicious domains. It installs the Adrozek malware, which achieves reboot persistence via a registry key. The malware targets browsers like Microsoft Edge, Chrome, Firefox, and Yandex Browser, modifying DLL files to alter browser settings and disable security features.
  4. Modifications made by Adrozek include:
    • Disabling browser updates.
    • Disabling file integrity checks.
    • Disabling the Safe Browsing feature.
    • Registering and activating the extension they added in a previous step.
    • Allowing their malicious extension to run in incognito mode.
    • Allowing the extension to run without obtaining the appropriate permissions.
    • Hiding the extension from the toolbar.
    • Modifying the browser's default home page.
    • Modifying the browser's default search engine.

Information Gathering Tools in Kali Linux

Live Host Identification

Hping3

  • Similar to ping but more advanced; bypasses firewalls and uses TCP, UDP, ICMP, and RAW-IP protocols. Includes a traceroute mode.
    • Example: hping3 172.16.0.7
    • Example: hping3 --scan 1-30,70-90 -S sscoetjalgaon.ac.in
  • Here are some key commands of Hping3
    • ICMP Ping:
      • Command: hping3 -1 10.0.0.25
      • Function: Sends ICMP echo requests to a specified IP, similar to ping.
    • ACK Scan on Port 80:
      • Command: hping3 -A 10.0.0.25 -p 80
      • Function: Performs an ACK scan to check if a host is alive.
    • UDP Scan on Port 80:
      • Command: hping3 -2 10.0.0.25 -p 80
      • Function: Sends UDP packets to a specified port to determine port status.
    • Collecting Initial Sequence Numbers:
      • Command: hping3 192.168.1.103 -Q -p 139 -s
      • Function: Collects TCP sequence numbers.
    • SYN Scan on Port 50-60:
      • Command: hping3 -8 50-60 -S 10.0.0.25 -V
      • Function: Performs a SYN scan on a specified range of ports.
    • FIN, PUSH, and URG Scan on Port 80:
      • Command: hping3 -F -P -U 10.0.0.25 -p 80
      • Function: Performs FIN, PUSH, and URG scans on port 80.
    • Scanning Entire Subnet for Live Hosts:
      • Command: hping3 -1 10.0.1.x --rand-dest -I eth0
      • Function: Performs ICMP ping scans on an entire subnet to find live hosts.
    • SYN Flooding Attack: hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
      • The attacker employs TCP SYN flooding with spoofed source IP addresses to perform a DoS attack.
    • Determine Number of Pings: hping3 -c 3 10.10.10.10
      • -c 3 sets the number of packets to send.
    • Use Random Source Address: --rand-source
    • Set Data Size: --data <size>
    • Spoof Source Address: hping3 -S <IP address attacked> -a <spoofed IP address>

NMAP (Network Mapper)

  • NMAP is mainly used to discover hosts on a network, their services, their OS, and firewall usage.
  • OS Type/Version Detection: nmap -O 172.16.0.7
  • To scan all TCP ports: nmap -p 1-65535 -T4 172.16.0.7

NMAP Stealth Scan

  • SYN scan, also known as half-open scan, does not complete the TCP three-way handshake. It sends a SYN packet; a SYN/ACK response indicates the port is listening, while an RST response indicates the port is inactive or closed.
    • nmap -sS 172.16.0.7

DNS Analysis: dnsenum

  • Helps retrieve DNS information (MX, A records) for a domain.
    • dnsenum sscoetjalgaon.ac.in

SSL Analysis: tlssled

  • Evaluates the security of a target SSL/TLS (HTTPS) web server implementation.
    • tlssled sscoetjalgaon.ac.in 443

Dmitry

  • Gathers information about a host, including whois lookups and subdomain searches.
    • dmitry -w sscoetjalgaon.ac.in

p0f

  • Identifies the operating system of a target host by passively analyzing network traffic, which works even through packet firewalls.
    • p0f -i eth0 -p -o filename

Vulnerability Analysis Tools in Kali Linux

Fuzzing Tools: BED (Bruteforce Exploit Detector)

  • Checks daemons for potential buffer overflows and format string vulnerabilities.
    • bed -s HTTP -t 172.16.0.7
    • Example Usage: bed -s HTTP -t 192.168.1.15

Web Application Analysis Tools in Kali Linux

Web Application Proxies: Burpsuite

  • Burpsuite can also be used as a sniffing tool to find web app parameters.
  • Configuration: Proxy -> Options; Check the box under Running for interface 127.0.0.1.

Key Features:

  • Proxy: Acts as a man-in-the-middle, intercepting and modifying traffic between the browser and web servers. Breaks TLS connections to view and modify encrypted data.

Steps for Configuration (Burp Suite):

  • Configure the proxy listener in Burp Suite. Navigate to the "Proxy" > "Options" tab. The interface can be set to 127.0.0.1 and can be set under any port (e.g., 8080).
  • Configure external browser using one of the setups:
    • Configuring Firefox to work with Burp
    • Configuring Chrome to work with Burp
    • Configuring Safari to work with Burp
    • Configuring Internet Explorer to work with Burp.
  • Check Browser Proxy Configuration
  • Install Burp's CA Certificate so that you can also test applications using HTTPS.

Core Functionality:

  • Intercept Requests and Responses: Allows manual review and modification of HTTP messages, which is key for understanding the application's attack surface and identifying security vulnerabilities.
  • Using the Proxy History: Maintains a full history of all requests and responses for analysis. The history can be sorted to identify anomalous items.

Burp Proxy Testing Workflow:

  • Context Menus: Enable sending interesting items between Burp tools for different tasks.
    • Send requests to Repeater to manually modify and reissue them.
    • Send requests to Intruder to perform automated customized attacks.
    • Send requests to Sequencer to analyze the quality of randomness in tokens.
  • To open Burpsuite -> Applications -> OWASP ZAP

Key Configuration Options for Burp Proxy:

  • Proxy Listener: Modify to bind to different interfaces, redirect requests, handle server TLS certificates, or support invisible proxying.
  • HTTP Response Modification: Configure to automatically modify HTTP responses.
  • Match/Replace Rules: Set up to automatically change the content of requests and responses.

ZAP (Zed Attack Proxy)

  • ZAP (OWASP Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It has a Java-based interface.

Install and Configure ZAP

  • ZAP has installers for Windows, Linux, and Mac OS/X. There are also Docker images available on the download site listed below.
  • Step 1 - To open ZAP, go to Applications → 03-Web Application Analysis → ZAP.
  • Step 2 - Click "Accept". ZAP will start to load.
  • Step 3 - Choose one of the options and click "Start". Preferably select "No, I do not want to persist this session at this moment in time".
  • Step 4 - Enter the URL of the web application under test at "URL to attack" and click "Attack". After the scan is completed, on the top left panel you will see all the crawled sites. In the left panel "Alerts", you will see all the findings along with their descriptions.
  • Step 5 - Click "Spider" and you will see all the links scanned.

Database Assessment Tools in Kali Linux

Sqlmap

  • Automates SQL injection flaw detection and database server takeover.
    • Step 1 - To open sqlmap, go to Applications → 04-Database Assessment → sqlmap.
    • Step 2 - To start the SQL injection testing, type "sqlmap -u <URL of victim>".
    • Step 3 - From the results, you will see which variables are vulnerable.

Features:

  • Supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, and SAP MaxDB database management systems.
  • Supports six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries, and out-of-band.
  • Connects directly to the database without SQL injection, using DBMS credentials, IP address, port, and database name.
  • Enumerates users, password hashes, privileges, roles, databases, tables, and columns.
  • Automatically recognizes password hash formats and cracks them using a dictionary-based attack.
  • Dumps database tables, entries, or specific columns, with options to dump a range of characters from each column.
  • Searches for specific database names, tables across all databases, or columns across all tables to identify those containing custom application credentials.
  • Downloads and uploads files from the database server underlying file system (MySQL, PostgreSQL, or Microsoft SQL Server).
  • Executes arbitrary commands and retrieves the standard output on the database server’s operating system (MySQL, PostgreSQL, or Microsoft SQL Server).
  • Establishes an out-of-band stateful TCP connection between the attacker machine and the database server’s operating system.
  • Supports database process’s user privilege escalation via Metasploit’s Meterpreter getsystem command.

Sniffing and Spoofing Tools in Kali Linux

Wireshark

  • A network protocol analyzer for inspecting network activity at a microscopic level.
  • Capture interface: -i <interface>  name or index of the interface (default: first non-loopback)
  • Capture stop condition: -c <packet count>  stop after n packets (default: infinite)
  • Output: -w <outfile|->  set the output filename (or '-' for stdout)

Forensics Tools in Kali Linux

Forensic Image Tools: ddrescue

  • Copies data from one file or block device to another, prioritizing the rescue of good parts in case of read errors. It is automatic and efficient when used with a mapfile.
    • dd_rescue infilepath outfilepath

PDF Forensics Tools: pdf-parser

  • Parses a PDF document to identify fundamental elements, typically used for suspected malicious PDFs.
    • pdf-parser -o 10 filepath, where -o specifies the object number to select.

Reporting Tools in Kali Linux

Dradis Framework

  • A centralized repository for security assessment information, facilitating report generation.
    • Step 1 - To start Dradis, type "service dradis start" in the terminal.
    • Step 2 - To open it, go to Applications → Reporting Tools → dradis.
    • Step 3 - After logging in, you can import files from NMAP, NESSUS, and NEXPOSE. To do so, go to "Import from file" → click "new importer (with real-time feedback)".
    • Step 4 - Select the file type that you want to upload. In this case, it is