CS Network Attacks
Network Attacks
There are several ways that protocols and apps hosted on the Network can be attacked. In this course, web applications are explored in separate sections.
It is possible for services to contain built-in vulnerabilities that hackers could take advantage of. In order to seize control of the process running the network service, these attacks usually entail sending special instructions to the Operating System through the susceptible service. Such attacks fall into the area of buffer overflows.
Usually, a network has a large number of apps, some with basic login features and others with more sophisticated features. Port scanning every asset in the target environment and taking screenshots of it is one technique to map out easy-to-exploit vulnerabilities and provide a broad overview of the attack surface.
This is achieved by programs such as EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness). The tool offers screenshots of each service and lets us rapidly see which assets are represented on the network. With the screenshots, we can quickly and readily determine which systems require more examination.
A service is abused when it is utilized for purposes other than those for which it was designed. This type of exploitation activity, known as RCE (“Remote Code Execution”), frequently indicates that the attackers are able to run their own code.
Buffer Overflow
Abusing an application’s memory management features is a common part of network service exploitation. memory control? Yes, in order for an application to function, data must be moved around within the computer’s memory. Programming languages may introduce issues such as buffer overflow when they allow the developer to have control over memory. Numerous vulnerabilities are similar, and we go over buffer overflows in this section.
Programmers have extensive control over memory management when using the C and C++ programming languages. Although it creates weaknesses, this is perfect for applications where developers must program very closely to the hardware. Because these errors are more difficult to make in programming languages like Java, JavaScript, C#, Ruby, Python, and others, buffer overflows are less common in applications written in these
Buffer Overflows occur when variables are filled with unclean input. On the operating system, these variables are represented by a structure of memory known as a stack. After then, the Return Pointer—a section of the stack—can be altered by the attacker.
Note: A program simply saves the variables and data it needs to run in the stack memory structure. The stack will be found in the RAM (“Random Access Memory”) of a computer.
The Return Pointer determines the next location for code execution by the CPU (or “Central Processing Unit”). All that the CPU does is decide which commands the system should execute at any given time. All that the return pointer is, is a memory address where the execution should take place. The return pointer gives the CPU the ability to tell where to run code, which is something it needs to know all the time.
An attacker can decide which instructions the CPU should execute when they have control over the Return Pointer!
Take into consideration the following code C example, for instance (don’t worry, you don’t have to be a C developer; just attempt to figure out what this straightforward application does):
#include <string.h>
void storeName (char *input) {
char name[12];
strcpy(name, input);
}
int main (int argc, char **argv) {
storeName(argv[1]);
return 0;
}
The main function in many programming languages, including C, is where the application launches. The code above illustrates this with the statement int main (int argc, char **argv) {. The software executes a function named storeName(argv[1]); inside the curly braces { and }. This will just provide the storeName function with anything the user types into the program.
Of the 11 lines of code in the application, concentrate on the line that says strcpy(name, input);. This function attempts to duplicate text from input into the name variable. The line char name[12]; indicates that the maximum number of characters that a name can include is 12. Is there a location where the code prohibits the supplied name from being longer than
Making sure the inputs’ lengths match the program’s expectations, there is no cleaning or sanitization in this application. It is simple for anyone executing the application to enter a value greater than the maximum that the name variable can store. What occurs when the CPU is instructed to write more characters than the 12 characters that the name variable can hold? It will just follow instructions and overwrite as much memory as necessary!
The CPU will continue to try writing a value into memory even if it is greater than anticipated. As a result, the CPU is essentially forced to alter additional memory locations, such as the Return Pointer, giving attackers complete control over the CPU. Once more, the attacker determines the code the CPU will run if they are able to modify and manipulate the Return Pointer.
Alice is seen in a graphical example writing her name into the program that we used in the previous example:
When Alice acts appropriately and gives the application a name, it functions as it should. When she enters her name, Alice, the application just writes it into memory.
Eve, on the other hand, enters the application with too many characters. Then, what occurs? In essence, the CPU receives her input, writes it to memory, and overwrites any existing values!
Eve’s input resulted in the return pointer being overwritten and the CPU writing significantly more data than the application had anticipated. The CPU is now instructed to run code at the address AAAAAAA when it tries to carry out the following instruction.
Eve would have to insert understandable code into the memory if she were to take over this server in place of writing A’s. Eve would then set the return pointer to a value that instructs the CPU to run her own CPU code.
To put it simply, buffer overflows let attackers carefully overwrite the victim’s memory in order to gain control of the victim’s CPU.
ARP Scan
Although the ARP protocol is limited to LANs, we can use it to try and reveal systems on the network if the hosts we need to find are on the LAN. We are attempting to force systems to respond by merely using the ARP protocol to loop over all IP addresses that are available on the LAN network.
This is how the scan appears:
Eve: Please Provide Mac Address of system 192.168.0.1
Eve: Please Provide Mac Address of system 192.168.0.2
Eve: Please Provide Mac Address of system 192.168.0.3
Eve: Please Provide Mac Address of system 192.168.0.4
Eve: Please Provide Mac Address of system 192.168.0.5-254
Default Gateway: 192.168.0.1 is me and my MAC Address is AA:BB:CC:12:34:56
Bob: 192.168.0.3 is me and my MAC Address is: BB:CC:DD:12:34:56
Alice: 192.168.0.4 is me and my MAC Address is: CC:DD:EE:12:34:56
ARP scanning is a quick and efficient method for locating hosts within a local area network (LAN), but not beyond.
Vulnerability Scanners
A vulnerability scanner automatically searches the network for common weaknesses in setups and applications. Instead of looking for new types of vulnerabilities, it looks for problems and vulnerabilities in services using a collection of pre-defined plugins, or modules. It’s not always on the lookout for zero-day vulnerabilities! A zero-day vulnerability is a novel vulnerability that was not previously known to the software vendor or the defenses; no known patch is presently available to address a zero-day vulnerability.
In addition to network mapping and port scanning capabilities, the scanners may investigate and identify security holes in the various apps they come across.
Often, a vulnerability scanner supports credential settings, which enables it to log onto systems and evaluate vulnerabilities rather than discovering them from an unauthenticated standpoint.
Note: Known vulnerabilities and misconfigurations are the main things that vulnerability scanners search for—not zero-day vulnerabilities!
Code Execution
Once an attacker has discovered a vulnerability that they can exploit, they must choose which payload to execute. The code that the attacker wishes to distribute via an exploit is known as the payload.
An attacker can choose from a wide variety of payloads; here are a few examples:
- Make the victim register with a C2 (“Command and Control”) server accepting commands from attackers
- Create a new backdoor user account on the system so the attacker can use it later
- Open a GUI (“Graphical User Interface”) with the victim so the attacker can remotely control it
- Receive a command line terminal, a shell, which attacker can send commands through
A bind-shell is a payload that attackers frequently use. The attacker connects and receives a shell when the victim starts to listen on a port.
In order to keep attackers from connecting to victims, firewalls are useful. As long as the port is blocked, a firewall would essentially prevent the victim from receiving any incoming connections. Attackers cannot listen on ports that are already in use unless they stop the service that is using that port since only one application is allowed to listen on it.
Attackers will instead attempt to establish a connection with the victim in order to get around this defensive mechanism by forcing the victim to grant access to the payload. Unfortunately, a lot of firewalls are not set up to block egress traffic, which gives attackers a great opportunity to succeed in their attack.
In this instance, the attacker connects to the victim by means of a reverse-shell.
Note: When an attacker executes code on a victim’s system, it is considered a code execution. It is up to them what code they use, but it usually entails giving attackers the ability to execute instructions on the target machine indefinitely.
Network Monitoring
Most of the time, an attacker needs the network in order to remotely control a victim. Attackers use a channel known as a Command and Control channel, also referred to as C&C or C2, to remotely control a target.
Malware that comes pre-programmed with payloads that don’t require C2 can corrupt systems. Even networks with air gaps can be compromised by this type of virus.
It is frequently possible to identify compromises by locating the C2 channel. C2 can exist in any form. For instance:
- Using HTTPS to communicate to attacker servers. This makes the C2 look like network browsing
- Using Social Networks to post and read messages automatically
- Systems like Google Docs to add and edit commands to victims
The only thing that limits C2 is an attacker’s inventiveness. Identifying statistical anomalies and irregularities on the network is frequently our only option when figuring out how to thwart attackers using cunning C2 channels. Tools for network monitoring, for instance, can identify:
- long connections used by C2, but which is unnatural for the protocol in question. HTTP is one of those protocols where it is not very common to have long connections, but an attacker using it for remote control might.
- Beacons used by C2 to indicate the victim is alive and ready for commands. Beacons are used by many kinds of software, not just attackers, but knowing which beacons exists and which you expect is good practice.
- Strobes of data suddenly bursting from the network. This might indicate a large upload from an application, or an attacker stealing data. Try understand which application and user is causing strobes of data happening and apply context to it. Is it normal or not?
Defenders have a variety of options for looking for anomalies. Data from the source system that is transmitting the data should be further linked with these anomalies.
Context should be used in network monitoring to help separate signal from noise. Thus, in order to increase the value of the data, a SOC (“Security Operations Center”) should attempt to enrich the data with context, for example, by adding Source and Destination IP Addresses.
The following scenario can be used to explain applying context: An Internet-based assault is launched, attempting to take advantage of a Linux vulnerability to target a Windows service. Normally, this would be regarded as noise and could be safely disregarded; however, what if the IP address carrying out the attack happens to be one that belongs to your own network or to a provider you trust? The context that we can use can then offer insightful information that will help us investigate the attack further. We don’t want trustworthy systems to be attacked, after all!
Peer to peer traffic
The majority of networks are set up client-to-server. Clients use servers to obtain information, and they usually use servers to communicate with one another as necessary.
However, a hacker would probably prefer to take advantage of low hanging fruit, such as reusing passwords or taking advantage of weak or susceptible clients, through peer-to-peer, or client-to-client, connections.
For instance, SMB’s use of port 445 is a useful indicator to look for compromise. In most contexts, clients shouldn’t be communicating with one another via SMB; but, in the event of a compromise, it’s likely that an attacker may attempt to use SMB to further compromise computers.
Lateral Movement and Pivoting
Once a system is compromised, an attacker can use it to investigate other networks to which the compromised system may be connected. This might occur in a setting where a hacked machine has increased access rights via the firewall or can connect to other networks by using an extra network card, for example.
When an attacker pivots, they leverage a compromised host to get access to different networks. Here is an example of this in action, where Eve has infiltrated one system and is utilizing it to search for and find other systems:
The act of manipulating the pivot to one’s advantage and exploiting another system is known as lateral movement. Now, more lateral movement and turning are possible with this new technology. In this instance, Eve makes advantage of Server X to learn more about System B.
