June 20, 2019
🕴️ Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).
Some questions refer to files contained within this ZIP file: 🔗 Spring 2019 Cyber Quest Resources .
The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity.
(2*8) + 3 =19
Reference :
https://tools.ietf.org/html/rfc5424#page-11
The query she performed Router#show logging | include 172.16.7.94. *\-\>.*\(137\)
is to identify logs for which the source IP address was 172.16.1.92
and the destination port was 137
.
The router logs show the following:
172.16.7.94
17587
, 585564
, 17755
192.168.2.1
137
%SEC-6-IPACCESSLOGP
which is identify a packet matching the log criteria for the given access list has been detected (TCP or UDP).list 155
denied tcp
>
References :
https://www.cisco.com/c/en/us/about/security-center/access-control-list-logging.html
https://www.cisco.com/c/en/us/about/security-center/identify-incidents-via-syslog.html
First let's understand each option:
So we need application layer protocol inspection to perform a deep packet inspection of traffic that transits the firewall to mitigate SQL attacks & Application bypass >
References :
https://www.alienvault.com/blogs/security-essentials/explain-how-firewalls-work-to-me
https://www.sciencedirect.com/topics/computer-science/packet-filtering-firewall
https://www.owasp.org/index.php/Web_Application_Firewall
https://en.wikipedia.org/wiki/Virtual_private_network
https://en.wikipedia.org/wiki/Stateful_firewall
https://en.wikipedia.org/wiki/Application_firewall
First let's understand each option:
we will use this protocols >
References :
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
http://www.snmp.com/snmpv3/snmpv3_intro.shtml
https://www.globalsign.com/en/blog/the-difference-between-http-and-https/
https://en.wikipedia.org/wiki/Telnet
https://www.ssh.com/ssh/protocol/
The gain of antennas is expressed in decibels (dB). In the wireless communication sector, the power output and input are in milliWatts (mW).
The first thing to understand about dBm is that we're working in negatives. -30 is a higher signal than -80, because -80 is a much lower number.
Next, it's important to know that dBm does not scale in a linear fashion like you'd expect, instead being logarithmic. That means that signal strength changes aren't smooth and gradual. The Rule of 3s and 10s highlights the logarithmic nature of dBm. To be simple, let’s see the so-called Rule of 10s and 3s, that allows us to calculate output power of an access point:
So based on data provided:
9 dB = 3 + 3 + 3
2 mW + 9 dB = (((2*2)*2)*2 = 16 mW
The new transmit power should be
References :
https://www.tanaza.com/blog/understand-the-power-gain-with-the-rule-of-10s-and-3s/
https://www.youtube.com/watch?v=VqoUS-ecw4Y
1) Open ping.pcap file in Wireshark
2) Basic analysis for the file you will find the following:
10.1.1.153
and 10.1.1.159
ICMP type 8
Echo Request
3) If you select any connection and expanded > Internet Control Message Protocol
> Data
, you will find same Payload (96 bytes) transmitted in all connections.
4) Let's grab & analysis this payload to get the message:
Right click on data value a from previous step > show packet bytes..
Select Decode as
> Base64
The message : the next drop off location will be @ 43.0828201,-79.0763516. Good luck!
5) Convert latitude and longitude to location using Google Maps
Location >
References :
http://www.networksorcery.com/enp/protocol/icmp/msg8.htm
https://en.wikipedia.org/wiki/Ping_(networking_utility)#ECHO-REQUEST
120
280
143
125
Let's lookup the typical mail ports for hosts which will be using mail client:
110
: POP3995
: SSL-POP143
: IMAP993
: IMAPS25
: SMTP587
: SMTP465
: SMTPAlso check other ports usage:
280
http-mgmtThe port we should open on the host firewall is
References :
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
https://www.linode.com/docs/email/running-a-mail-server/
# iptables -A FORWARD -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 6881:6890 -j ALLOW
Let's begin with understanding Iptables Basics :
Linux kernel provides an interface to filter both incoming and outgoing traffic packets using tables of packet filters.
Iptables is a command line application and a Linux firewall that you can use to set-up, maintain and inspect these tables. Multiple tables can be defined.
Each table can contain multiple chains. A chain is nothing but a set of rules. Each rule defines what to do with the packet if it matches with that packet.
When the packet is matched, it is given a TARGET. A target can be another chain to match with or one of the following special values:
ACCEPT
: It means the packet will be allowed to pass through.DROP
: It means that packet will not be allowed to pass through.RETURN
: It means to skip the current chain and go back to the next rule from the chain it was called in.REJECT
is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP
so it is a terminating TARGET, ending rule traversal.]One of the default tables called filter. Filters table has three chains ( sets of rules).
INPUT
– This chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.FORWARD
– This chain is used to filter packets that are incoming to the server but are to be forwarded somewhere else.OUTPUT
– This chain is used to filter packets that are going out from your server.Here’s the Iptables command formatted with regular options.
iptables -A -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.> -j <target>
-A
stands for append. The chain refers to the chain we want to append our rules.
The interface
is the network interface on which you want to filter the traffic.
The protocol
refers to the networking protocol of packets you want to filter.
You can also specify the port
no of the port on which you want to filter the traffic.
We want to accept
TCP
packets on destination ports 6881-6890
INPUT
tcp
6881:6890
ACCEPT
Our rule will be >
References :
http://ipset.netfilter.org/iptables.man.html
https://www.hostinger.com/tutorials/iptables-tutorial
log tcp any any <> any 23 (session:printable; sid:;)
✅
The signature id (sid) keyword is used to uniquely identify Snort rules:
So we will use >
References :
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node31.html#SECTION00444000000000000000
https://security.berkeley.edu/network-intrusion-detection-systems/more-information-about-snort-rules
✅
HTTP proxy logs uses the format: <UNIX timestamp>.<Centiseconds>
.
Using Unix Timestamp Conversion Tool epochconverter.com :
1439038269.433
> Saturday, August 8, 2015 12:51:09.433 PM GMT
1439135269.433
> Sunday, August 9, 2015 3:47:49.433 PM GMT
Some of the events took place at >
# iptables -A INPUT -s -p tcp --dport 23 -j REJECT
✅
let's analysis the rule based knowledge we now from the answer of question no. 8 :
-A INPUT
This chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.-s
Source IP address-p tcp
Networking protocol of packets you want to filter.--dport 23
number of the port on which you want to filter the traffic, port 23 used for Telnet protocol.-j REJECT
is used to send back an error packet in response to the matched packet.The purpose of this rule >
References :
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
✅
Intrusion prevention systems (IPS) control the access to an IT network and protect it from abuse and attack. These systems are designed to monitor intrusion data and take the necessary action to prevent an attack from developing.
The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the network. If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:
To prevent an exploit from succeeding an IPS can take the following action:
References :
https://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/cliEvAct.html
https://www.forcepoint.com/cyber-edu/intrusion-prevention-system-ips
Let us begin by attacks definition:
The type of attack is being described is >
Ethernet switches via port security provide the opportunity to filter network data traffic on the OSI layer 2.
Once a connection has been established from one segment to another, the intermediate coupling element checks the MAC address of the sender device and matches it with an administrator-created whitelist. If it’s an unknown address, the switch blocks the respective port and stops the communication attempt. But MAC spoofing enables hackers to get around security measures like this.
References:
https://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp-poisoning
https://www.ionos.com/digitalguide/server/know-how/what-is-mac-spoofing/
https://www.iplocation.net/ip-spoofing
https://wiki.wireshark.org/Gratuitous_ARP
DataCenter1(config)#do sh run | inc user
username administrator password 7 08314D1B5C0E550516
✅
do sh run
This command is show running-configuration command that shows the router, switch, or firewall's current configuration. The running-configuration is the config that is in the router's memory.
inc user
to list all user accounts
password 7 08314D1B5C0E550516
password is type 7
Cisco password Type 7 is the Cisco proprietary method (Vigenere cypher) and is weak and can easily cracked w/ utilities that are available on the net. using online Cisco Type 7 Passwords Decrypt tool :
08314D1B5C0E550516
pa55w0rd
✅
Statistical anomaly detection takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation.
It's a two-step approach that involves first training a system with data based on statistical modeling, to establish some notion of normality and then use the established profile on real data to flag deviations.
Main disadvantage is
References:
https://www.symantec.com/connect/articles/statistical-based-intrusion-detection
https://www.paloaltonetworks.com/cyberpedia/what-is-an-intrusion-prevention-system-ips
https://ebrary.net/26723/computer_science/anomaly-based_detection
https://www.cloudflare.com/learning/ddos/ddos-low-and-slow-attack/
There are 3 types of frames used in the 802.11 layer 2 communications happening over the air which manages and controls the wireless link.
Management frames are used by stations to join and leave a BSS (Basic Service Sets).
Station or AP can send a De-authentication Frame when all communications are terminated (When disassociated, still a station can be authenticated to the cell). It is subtype 12 (0x0c) management frame (type 0).
The 16-bit Reason Code field is part of the frame to indicate what the sender has done incorrectly.
Reason code 4 explanation: Inactivity timer expired and station was disassociated.
References:
https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/
https://www.oreilly.com/library/view/80211-wireless-networks/0596100523/ch04.html
List of WiFi Access Point BSSIDs
24:f5:a2:11:f7:6a
e0:55:3d:21:e5:5a
18:64:72:d3:d7:b0
00:01:e3:41:bd:6e
✅
We will use MAC lookup to displays the name of the company that manufactured each network card, using this online tool https://macvendors.com/ :
24:f5:a2:11:f7:6a
Belkin International Inc.e0:55:3d:21:e5:5a
Cisco Meraki18:64:72:d3:d7:b0
Aruba, a Hewlett Packard Enterprise Company00:01:e3:41:bd:6e
Siemens AGThe BSSID should perform the capture on >
# tcpdump -n -i eth0 -w analysis.pcap -C 100 'host 10.3.2.34'
✅
Let's analysis tcpdump command :
-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.-i eth0
Listen on interface eth0
.-w analysis.pcap
Write the raw packets to file rather than parsing and printing them out.-C 100
Before writing a raw packet to a save file, check whether the file is currently larger than file_size and, if so, close the current save file and open a new one.'host 10.3.2.34'
dump traffic that’s going to or from this hostReferences:
https://www.tcpdump.org/manpages/tcpdump.1.html
https://danielmiessler.com/study/tcpdump/
✅
TCP flags are used within TCP packet transfers to indicate a particular connection state or provide additional information. Therefore, they can be used for troubleshooting purposes or to control how a particular connection is handled.
We need to do Hex conversion on TCP flag to get the semantic meaning of that value
Take the hexadecimal value 0x018
and convert it to binary value 0001 1000
Use the following layout of flags and bits set (0 is off, 1 is on) to get the flag:
|C|E|U|A|P|R|S|F|
|0 0 0 1 1 0 0 0| > PSH-ACK
This flag signify >
References:
http://rapid.web.unc.edu/resources/tcp-flag-key/
https://www.manitonetworks.com/flow-management/2016/10/16/decoding-tcp-flags
https://danielmiessler.com/study/tcpflags/
https://www.aqua-calc.com/convert/number/hexadecimal-to-binary
✅
The Cisco Discovery Protocol is a proprietary protocol that all Cisco devices can use by default. CDP discovers other Cisco devices that are directly connected, which makes possible to the devices to auto-configure their connection in some cases, simplifying configuration and connectivity.
CDP messages are not encrypted, This is a moderate security risk as you announce quite detailed information about your system to the network - info about software versions, hardware, and whether some protocols are enabled.
References:
https://howdoesinternetwork.com/2011/cdp-attack
✅
1) Open network.pcap file in Wireshark :
2) By doing a Basic analysis you will notice the host 13.13.13.1
sending UDP packet to 24.24.24.2
with different TTL.Also replies to source with ICMP message "Time to live exceeded" .
And if you expanded packet details > Internet Control Message Protocol
> Destination Port
>
[Expert Info (Chat/Sequence): Possible traceroute: hop #1, attempt #3]
This is a possible traceroute via UDP packets . So how traceroute works ?
References:
https://www.hackingarticles.in/working-of-traceroute-using-wireshark/
https://samsymons.com/blog/how-traceroute-works/