Cisco Modular Policy Framework (MPF) : A brief Introduction

Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as traffic inspection, QoS etc. to the traffic transiting the firewall
There are 3 main components in creating a MPF.
1) Class Map
Class map is used to identify the type of traffic. This can be done by creating an ACL.
2) Policy Map
Policy Map specifies what action the ASA should take against the traffic identified by the Class Map.
3) Service Policy
Finally Service policy specifies where to apply it. The policy is applied to an interface or Globally.

Sample Illustration

Consider the following Command lines.

access-list OUTSIDE-TO-INSIDE permit tcp any any eq ftp
<--- The above ACL will allow FTP traffic. This ACL can be different than the Interface ACL--->
class-map FTP-CLASS-MAP
    match access-list OUTSIDE-TO-INSIDE
<--- The class map FTP-CLASS-MAP will look for the FTP traffic based on ACL --->
policy-map FTP-POLICY-MAP
    class FTP-CLASS-MAP
        inspect ftp
<--- What action need to be done? here inspect the ftp. --->
service-policy FTP-POLICY-MAP interface outside
<--- Apply the policy in the outside interface --->


The above illustration is just an example. MPF enables the administrator to assign different network policies to different traffic flows in a flexible and granular manner.

Read More

Crossover or Straight-through Cable? Its Auto-MDIX

On older devices, we should choose the type of cables for connectivity. If it's same kind of device, then a crossover cable and if they are different, then a Straight-through cable. To overcome this inconvenience , there is a feature introduced on network devices , Auto-MDIX.
This feature automatically detects the required cable connection type for a connection. That is, whether to use straight or Crossover. If either one of the connection device supports Auto-MDIX, then no matter the device, you can use a crossover or a straight-through cable. It also needs the speed and duplex auto-negotiation feature being enabled on the device. 

In other words, with this feature enabled, the interface automatically corrects for any incorrect cabling.
And Automatic medium-dependent interface crossover (Auto-MDIX) is enabled by default (from IOS 12.2(20)SE on-wards).

Sample Manual configuration is shown below.

Read More

Top 5 Accounts : Review and Adjust your Privacy Settings

So, May 2018 was a remarkable month in the world of data security. European GDPR is now in effect and almost all tech giants are adjusting themselves in order to comply with the data privacy standards.

I have consolidated the Privacy policies of the top 5 companies and the link for adjusting/controlling your data privacy. Review your privacy settings and control your own privacy.

Google

Privacy Policy : https://privacy.google.com/take-control.html
Adjust Privacy Settings : https://myaccount.google.com/intro/privacy

Facebook

Privacy Policy : https://www.facebook.com/privacy/explanation
Adjust Privacy Setting : https://www.facebook.com/settings?tab=privacy

Instagram

Privacy Policy : https://help.instagram.com/519522125107875
Adjust Privacy Settings : https://help.instagram.com/196883487377501

Yahoo

Privacy Policy : https://policies.oath.com/ie/en/oath/privacy/index.html
Adjust Privacy Settings  : https://policies.oath.com/us/en/oath/privacy/controls/index.html

Twitter

Privacy Policy : https://twitter.com/en/privacy
Adjust Privacy Settings : https://twitter.com/settings/account

Controlling your own public information on the internet is your own responsibility. Review your privacy settings frequently.

Read More

CEHv10 Exam Blueprint : Effective 1st October 2018

 An exam blueprint is a break down the sections of the Exam Syllabus and makes it easier for the test taker to  prepare for the exam. It helps the test taker to understand how many questions in various areas of practice should go on an exam.

Effective 1st October 2018, EC-Council will be introducing a new version of the CEH exam blueprint and it is mentioned below.

The current CEH blueprint is valid till September 30th 2018. You can find the current blueprint here :https://cert.eccouncil.org/images/doc/CEH-Exam-Blueprint-v2.0.pdf

Read More

DoS Attacks : Smurf,Fraggle,Land

Smurf attack.

Smurf is a DoS attacking method. In this flood attack, it floods the victim with the ICMP echo packets instead of TCP SYN packets. Also, it is a spoofed broadcast ping request using the victim IP address as the Source IP.
Most of the modern devices can deter these kind of attacks and SMURF is rarely a threat today.
#hping3 -1 --flood --spoof <target> <broadcast_address>

Fraggle attack.

Similar to Smurf attack, but instead of using ICMP, Fraggle uses UDP packets over UDP ports 7 and 19. Also will broadcast a UDP packet using spoofed IP address of the victim. All the devices on the network will then respond to the victim similar to the Smurf attack.

Land attack

In this, the attacker sends spoofed SYN packets to the victim using the Victim's IP address and both source and destination IP. This results in the system constantly replying to itself can  crash the system.
#hping3 -c <packet_count> -s <src_port> -d <dst_port> --flood -a <victim_IP source spoof> <victim_IP>

Read More

Nmap : Basic overview on Scanning Techniques

Nmap. One of the top scanning tool used in Cyber/Networking. There are plenty of scanning techniques that can be used in Nmap. This post is intended to provide a the basic overview on NMap scanning techniques.

1) Ping Scan [-sP]

This types of scan is used to detect which computers or devices are online, rather than which ports are open.In this, NMap sends an ICMP ECHO REQUEST packet to the destination system. If an ICMP ECHO REPLY is received, the system is considered as up, and ICMP packets are not blocked.If there is no response to the ICMP ping request, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and hence it won't be responding to anything. When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods.Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established and thus it will result in a full TCP scan.
eg: #nmap -sP 192.168.1.1

2) Full Connect/TCP connect() Scan [-sT]

This type of scan will try to establish a full TCP connection and a 3-way handshake will happen. Hence the Full connect scan is noisy and the connection info will be logged by the IDS/Firewalls. If the scan result is open, then we can definitely able to connect to that particular port.
eg: #nmap -sT 192.168.1.1

3) Stealth Scan/ SYN scan [-sS]

This type of scan wont establish a TCP connection. It will scan by sending a SYN flag packet and if the port is open, then a SYN/ACK will be send back as a response by the target machine, thus result in a half embryo connection. Since a full connection wont establish, the connection info will not be logged by the Firewalls/IDSs and hence it is widely known as Stealth scan. If a RST pack is received as a response, then probably the post is closed.
eg: #nmap -sS 192.168.1.1

4)UDP scan [-sU]

Useful in very particular cases since most of the services uses TCP widely. UDP scan works by sending a UDP packet to the targeted port. If no response is received, then the port will be considered as Open | filtered. Filtered because some firewalls wont respond to the blocked UDP ports.If the port is closed, then an ICMP response(ICMP port unreachable error type 3, code 3) will be send by the target device.
eg: #nmap -sU 192.168.1.1

5) TCP NULL [-sN], FIN [-sF], and Xmas scans [-sX]

Null scan (-sN) - Does not set any bits (TCP flag header is 0)
FIN scan (-sF) - Sets just the TCP FIN bit.
Xmas scan (-sX) - Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.   
If a RST packet is received, the port is considered closed, while no response means it is open|filtered.
The port is marked filtered if an ICMP unreachable error is received.
eg: #nmap -sN 192.168.1.1
      #nmap -sF 192.168.1.1
      #nmap -sX 192.168.1.1

6)TCP ACK scan [-sA]

This type of scan uses the ACK flags. Unlike other scans, ACK scan is not used to determine whether the port is Open or Closed.It is used to map out firewall rule-sets, determining whether they are stateful or not and which ports are filtered.Stateful Firewalls, will respond with a RST packet as the sequence is not in order.
eg: #nmap -sA 192.168.1.1

7)Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be used in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection
eg: #nmap -sV 192.168.1.1

[Learn more and download the tool @ https://nmap.org/ ]

Read More

Why you should not believe in Online Reviews and Social networking sites?

Most of us, before buying a product from Amazon/Flipkart, or before booking a movie ticket, we might go through the review section to see what others think about it, how good it is?, what are the pros and cons? etc.

Let me tell you a fact. Though there are genuine reviews written by genuine customers/users, majority of the reviews are paid reviews. Similarly paid opinions can be seen in forums like Quora, Yahoo Answers.When it comes to social networking websites, there are big companies working for corporate, political parties, ideological institutions.

Many of us are addicted to these social networking sites and we like and share things which we are not sure about. All want to monetize their profit and for that they will do even the worst methods to make things viral.These institutions pay millions of money to distribute and publicize their propaganda. In short, to brainwash the audience.

When thousands write a good review of a bad product, that product automatically becomes good in the public.

Most of the companies are running affiliate programs. Which means, you promote us and if someone buys a product through you, we will give a commission to you. One of the Site defines it's affiliate program as,

"You can use various promotional methods to earn easy commissions including placing banners, links, and writing product reviews on your website or blog. You will receive customized links for all the promotions, through which we will track sales. When any customer, referred by you, makes a purchase, you get paid."

There are plenty of online job sites serves over the internet. If you signup, you can see many online job offerings such as harvesting likes,up-votes, review writings, data entry etc.

It's funny that, you don't even need to find words to write a review. The review content is also provided by the marketing company and all you need to do is copy and paste it on relevant blogs, forums websites under your account (even from multiple accounts).

I have taken few screenshots from one of those site. Lets go through that and understand how companies can brainwash you with reviews and posts. When thousands write a good review of a bad product, that product automatically becomes good in the public.

The following screenshots are job advertisements , the employer is paying money to publicize their hashtag and their product.

 

 Another job, the worker need to signup, comment and give a link to the product website.

See the instructions. Just follow this and get paid. Spread the propaganda, or publicize a product no matter how good or bad it is.

This job is to do the up-votes..lol.

Due to the large influence of Social Networking sites on common people, any one can throw money to circulate and publicize their propaganda. Even the Visual medias are also working like that.

So with this article, i remind each and everyone that Use your Brain, Think and Act. Don't blindly believe everything on the Internet. Don't blindly believe in what others says.

Everything around us are trying to brainwash our thoughts. So again, Use your Brain ! Always!

Read More

Microsoft Windows Server 2016 Virtualization Based Security and Credential Guard

Virtualization Based Security is a major Microsoft windows feature released with Windows Server 2016 and Windows 10 Operating System.Credential Guard Feature is available with Windows Server 2016 and Windows 10 Operating Systems to prevent the memory read attempt or in other words protect the Domain Credentials (Kerberos and NTLM) thus Preventing Pass the Hash Attacks (Credential Theft Attack)
Credential Guard leverages Virtual Secure Mode (VSM) feature of Virtualization Based Security (VBS) to create Isolate User Modes to process the Codes preventing it from being stolen.The device guard feature also rely on the Virtualization based Security (VBS)

Pass the Hash is a fundamental function of Windows for remote administration which will be taken care by the LSASS process (User Mode Process responsible for Authentication and Isolation of users).LSASS is a User Mode Process manages the hash that needs to be passed for remote administration. Upon Enabling Credential Guard, the Local Security Authority Subsystem Service (LSASS.exe) runs sensitive codes in Isolated mode as an Isolated LSA Process (LSAISO.exe) to protect the NTLM and Kerberos Codes.

How the Virtual Secure Mode (VSM) Works

VSM leverages the Hyper-V Hypervisor and Second Level Address Translation (SLAT) Features to create isolated Virtual Trust Levels (VTL) or Modes.
- SLAT is a hardware CPU feature leveraged by Hyper-V that helps to reduce the overhead of virtual to physical memory mapping.
- VTLs are numbered and higher the number, more secured is its memory space.
- Hyper-V is a Type-1 Microkernel and VMware is a Type-1 Monolithic Kernel

VSM Operation Flow,
1.    Boot Process:

• When the Machine Boots, “bootmgr.efi”  is validated by Secure Boot and loaded.
• Bootmgr then execute the “winload.efi”(Windows Loader)
• Winload loads and checks the VBS Configuration (Hyper-V and VTL0/1 Components)
• Winload starts Hyper-V.

2.    The SLAT assigns separate isolated memory blocks to each Virtual Trust Levels. (Resulting in VTL Isolation)
3.    The Virtual Trust Levels are assigned with appropriate access permissions and a secure separate run time environment is created
4.    The code running in Normal kernel & user mode cannot access the code running in Secure Kernel/ Isolated User mode as shown in the above figure
5.    Another LSASS.exe then runs as a Trustlet (Trusted Process) in the Isolated User Mode as LSAISO.exe. (LSASS.exe still runs in the VTL0)
6.    LSAISO.exe communicates with LSASS.exe over a secure encrypted Remote Procedure Call (RPC) Connection.
7.    All the secure/trusted processed (Trustlets) which includes NTLM Hashes and Kerberos Tokens   runs only in the Isolated User Mode thus preventing is from being stolen.
-Even if the Normal Kernel mode of VTL0 is compromised, it cannot access the secure pages in IUM.
-The Secure kernel cannot be extended or in other words we cannot create a secure driver to run in Secure kernel and run malicious codes in the isolated user Mode (Microsoft Can perform it).
-Also, it’s not possible for Normal Kernel drivers to load DLL into IUM (Isolated User Mode) Process for threat injection.

Enable Credential Guard in Windows Server 2016

1.    Install the Hyper-V Role.
2.    Turn on the Device Guard as below.
Computer Configuration > Administrative Templates > System > Device Guard >> Edit the policy “Turn on Virtualization Based Security”.
##Below Settings are only to Turn on Device Guard ##

 After Enable, we can verify the new LSAISO.exe status from Task Manager.

More: Read Arjun's article on Microsoft Windows NLB Feature for Stateful Applications here.

Read More

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works.

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address.

We can see the ARP entries on our computers by entering the command arp -a.

So, back to the topic on what is a Gratuitous reply, here is a better explanation.
Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packet where the source and destination IP are both set to the IP of the machine issuing the ARP packet and the destination MAC is set to the broadcast address ff:ff:ff:ff:ff:ff.
Some devices will send gratuitous arp when they boot up, which announces their presence to the rest of the network. Also Many devices will send a gratuitous arp if there is a change on its IP address.

Summarize,A gratuitous ARP reply is a reply to which no request has been made.

And how this Gratuitous ARP is used in network attacks?
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. Hence poisoning the ARP table of the devices int he network. After this, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host, Which we call as a "man-in-the-middle attack".An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

Eg: Assume there are three devices connected to a switch. One router and two PCs. PC2 is an attacker.

PC2 will send Gratuitous ARP  to the router with the IP address of PC1(Spoofed) and its own MAC address as source. Once this is learned by the router, router will think that PC2 is actually PC1 and all the packets destined to PC1 will be forwarded to PC2.

Similarly the PC2 will send another Gratuitous ARP to PC1 with its own MAC address and the IP address of Router as source. So the PC1 will learn that the router is PC2 and will send all packets to PC2. PC2 may forward those packets to the router and there by executing a Man-in -the-Middle attack.

Network administrators can use Dynamic ARP inspection (DAI) to prevent the ARP poisoning/spoofing attacks. DAI is a security feature that validates Address Resolution Protocol (ARP) packets in a network by determining the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the trusted DHCP snooping binding database.

How to configure DAI on switches depends on the vendor. A google search can provide the configuration guide on that.

This is for answering Nikhil's query :

Question: If the machine already learned the real MAC and have the ARP entry, then a G-ARP packet will be accepted or not.
Answer : When the Spoofing attack is On, the ARP table will be updated with the spoofed MAC entry.

I have captured couple of Wireshark captures for demonstrating the ARP poisoning attack. Note the target machine is 192.168.209.131. The machines learned the actual MAC address. After that, I performed the ARP spoofing using a gratitious ARP and let it run in the background on my Kali Linux. We can see the ARP entry for 192.168.209.131 has been changed due to the spoofing attack. Then I tried to ping the target 192.168.209.131 and it used the spoofed MAC as the destination.

However, it did throw a message on the IP conflict but it won't matter when the spoofing attack is on. When i stop the attack, the spoofed MAC entry gets cleared as well.

Read More

Is the Employee Data as Important as Customer data?

Hi guys, There is this Organization, that boasts about standards and policies. Yes, though these things are inevitable for the reputation of the company and data security, it actually matters only if it really implemented in practice.

I have seen many organizations, that creates policies only for the Audit/Compliance sake. 

Do you have a policy on data security? YES

Do you have a data security policy implemented in practice? hmmmm!!!.

Companies might be certified and meeting the regulatory standards but nothing has actually in practice. 

Let me share with you an incident.I accidentally discovered this thing in a normal google search. I searched something and i found an interesting result. Out of curiosity, i clicked on that particular Google search result and it took me to that Company's Employee directory. The Whole directory. I can search any Employee , i can see their Employee code, department and location. If you want to know how big the list is? Yes, a few thousands.

I first encounter this result more than a year back. I knew some of the Guys from that organization and i informed them. Some of them understood its importance and as per them, they escalated it. And hoped that they resolved it.

Last week, i saw that same result again in the Google search. Same database. 

They are supposed to show this information only once an employee is properly authenticated. Somehow, they are not bothered to show it directly without any authentication required. I searched about this organization and they holds certifications like ISO 27001 ,ISO 9001. Also they handles projects for various Governments and private firms. Such a big company should have some level of responsibility on keeping employee's information securely. These information can be used for social engineering and other privacy misuse. In many Countries, these info is considered as Personally Identifiable Information (PII) and breach of this can lead to million dollar fine. And its reputation will be a Question. 

So ever after 1 year of informing, they are not bothered of securing the employee info. This can be called as a Big Negligence. Despite of being an ISO 27001 certified organization, and have data security policies, they are not bothered of this data leak. So many questions will arise. 

• What audit has actually happened and how they are certified? 
• Do they periodically audit their information/data infra? 
• Who is responsible if this data is misused?
• Is their enough data security mechanisms for other information such as Customer info,Project details?

I discussed this with one person and he raised this concern with me.

Recent breaches reveals that the personal/official , financial data is not as secure as we are told... But your point put forward an open ended question: “can a company secure their client’s data when they can’t secure their employee data?” ...

So what actually matters is, Are you really practicing a Security policy? Is everyone aware of it?

Does your employee/management have that due care and due diligence?

Have the certifications, but not for an accreditation sake. Have everything in practice rather that boasting. 

Note: The data is available on web and can be searched using the google search. No manipulation or no tools needed. They reveal their employee info just like that. A technically sound person can manipulate the URL and may spill more info. This was also informed to them, sadly it seems nobody is bothered. Company Name is not mentioned due to privacy.

Read More