Wednesday, June 22, 2022

TCP IP header flags list Tutorial for beginners

 


What is TCP IP header?

The TCP header belongs to the Transmission Control Protocol (TCP), the protocol responsible for communication between devices and for sending data over the network.

It provides reliable, ordered, and error-checked communication. Major internet applications such as the World Wide Web, email, remote administration and file transfer rely on this protocol. Applications that don't require reliability use UDP (User Datagram Protocol).

TCP performs these main operations during communication:

  • Establish connections
  • Terminate connections
  • Reliable transmission
  • Error detection and checksum
  • Flow control
  • Congestion control
  • Decide maximum segment size
  • Acknowledgment of transferred data
  • Forcing data delivery

These operations are handled by the communication flags in the TCP header. There are six flags used by TCP:

URG (Urgent)
Data carried with this flag should be processed immediately.
FIN (Finish)
This flag tells the remote system that there is no more data to transmit.
RST (Reset)
It is used to reset the connection.
PSH (Push)
It instructs the receiving system to pass all buffered data to the application immediately.
ACK (Acknowledgement)
It is used to acknowledge receipt of data packets.
SYN (Synchronize)
It is used to initiate the connection between the hosts.
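The following is an added example, not code from the original article: it decodes the flags byte of a raw TCP header and checks whether the combination can occur in a normal exchange. It goes slightly beyond the list above by also decoding the two ECN bits (CWR and ECE) that share the same byte with the six flags. The sample segments are constructed inline with the helper `build_tcp_header`, which is part of this example and not a standard library function.

```python
"""Decode the TCP flags field from raw header bytes (added example)."""
import struct

# Bit positions inside the 8-bit flags field, most significant bit first.
FLAG_BITS = (
    ("CWR", 0x80),  # ECN: congestion window reduced
    ("ECE", 0x40),  # ECN: echo
    ("URG", 0x20),  # urgent pointer field is significant
    ("ACK", 0x10),  # acknowledgement number is significant
    ("PSH", 0x08),  # push buffered data to the application now
    ("RST", 0x04),  # reset the connection
    ("SYN", 0x02),  # synchronise sequence numbers (connection setup)
    ("FIN", 0x01),  # sender has no more data
)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header plus any option bytes (no checksum check)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (sport, dport, seq, ack, off_res, flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes (4-byte words)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": checksum, "urgent_pointer": urg_ptr,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def flag_anomaly(flags):
    """Return a reason if this flag set cannot come from a normal TCP exchange, else None."""
    present = set(flags)
    if not present:
        return "no flags set"
    if "SYN" in present and ("FIN" in present or "RST" in present):
        return "SYN combined with FIN or RST"
    return None


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Encode a minimal header without options; checksum is left 0 (constructed sample)."""
    bits = 0
    for name, bit in FLAG_BITS:
        if name in flags:
            bits |= bit
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0) + payload


# Constructed samples: first two packets of a handshake and a half-close.
SYN_SEGMENT = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
SYN_ACK_SEGMENT = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
FIN_ACK_SEGMENT = build_tcp_header(40000, 80, 1001, 5001, ["FIN", "ACK"])

if __name__ == "__main__":
    for seg in (SYN_SEGMENT, SYN_ACK_SEGMENT, FIN_ACK_SEGMENT):
        hdr = parse_tcp_header(seg)
        print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"], flag_anomaly(hdr["flags"]))
```

The `flag_anomaly` check is the kind of sanity test a packet filter or IDS applies: a segment with no flags at all, or with SYN together with FIN or RST, never appears in a legitimate handshake or teardown and is worth logging.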

5 Nmap Scripts Examples in Kali Linux Tutorial for Beginners 2022

 

What are Nmap Scripts or NSE?

Have you heard about Nmap? If not, please read the article on nmap commands in Kali Linux.

If you don't want to read that article, no problem at all; here is a short description of Nmap.

Nmap is a powerful tool for scanning networks and finding live systems, open ports, and running services. This tool is available for Windows and Linux.

But if you want deeper information about the target machine, you must use the Nmap Scripting Engine. I will describe it step by step for beginners.

You will find it goes through like a knife through cake.

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Here I am going to check

So what now? Check out the location of the Nmap scripts. You can use the following command to see all available scripts in Nmap:

#locate *.nse

locate *.nse in nmap

Nmap scripts Examples

--script-help

Shows help about scripts. For each script matching the given specification, Nmap prints the script name, its categories, and its description. The specifications are the same as those accepted by --script; so for instance, if you want help with the afp- scripts that belong to the discovery category, you would run the following command:

# nmap --script-help "afp-* and discovery"

--script-help in nmap
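The following is an added example, not code from the original article or from Nmap itself: a small model of how a selection expression such as "afp-* and discovery" (the argument to --script and --script-help) picks scripts. Nmap matches each term against script names with shell-style wildcards or against a category name, and combines terms with and / or / not and parentheses. The `SCRIPTS` table is a constructed sample holding a handful of real script names with their usual categories; it is not Nmap's script database.

```python
"""Evaluate an NSE-style script selection expression (added example)."""
import fnmatch
import re

# Constructed sample: script name -> categories.
SCRIPTS = {
    "afp-brute": {"brute", "intrusive"},
    "afp-ls": {"discovery", "safe"},
    "afp-path-vuln": {"exploit", "intrusive", "vuln"},
    "afp-serverinfo": {"default", "discovery", "safe"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "http-title": {"default", "discovery", "safe"},
}

KEYWORDS = {"and", "or", "not"}
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9_*?.\-]+)")


def tokenize(expr):
    """Split the expression into parentheses, keywords and name/category terms."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        match = TOKEN.match(expr, pos)
        if not match:
            raise ValueError("unexpected character near %r" % expr[pos:])
        tokens.append(match.group(1).lower())
        pos = match.end()
    return tokens


class _Parser:
    """Recursive descent with the usual precedence: not binds tighter than and, and than or."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in KEYWORDS or tok == ")":
            raise ValueError("expected a script name or category, got %r" % tok)
        return ("term", tok)


def _matches(node, name, categories):
    """A term matches a script by wildcard name, by category, or 'all'."""
    kind = node[0]
    if kind == "term":
        term = node[1]
        return term == "all" or fnmatch.fnmatchcase(name, term) or term in categories
    if kind == "not":
        return not _matches(node[1], name, categories)
    left = _matches(node[1], name, categories)
    right = _matches(node[2], name, categories)
    return (left and right) if kind == "and" else (left or right)


def select_scripts(expr, scripts=SCRIPTS):
    """Return the sorted script names selected by the expression."""
    parser = _Parser(tokenize(expr))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unbalanced expression")
    return sorted(name for name, cats in scripts.items() if _matches(tree, name, cats))


if __name__ == "__main__":
    print(select_scripts("afp-* and discovery"))
```

Because the same expression grammar drives `--script`, this is also a quick way to check what a selection such as "default and not intrusive" would actually run before pointing Nmap at a host.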

--script-trace

This option works at the application level rather than packet by packet. If it is specified, all incoming and outgoing communication performed by scripts is printed. The displayed information includes the communication protocol, the source and destination addresses, and the transmitted data. If more than 5% of the transmitted data is unprintable, hex dumps are given instead.

--script-trace in nmap

--script-updatedb

It is only necessary to update the script database if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is used by itself, without arguments:

# nmap --script-updatedb

--script-updatedb in nmap

A simple script scan using the default set of Nmap scripts:

# nmap -sC {Target_IP}

nmap -sC

A script scan of a target machine without a port scan. This only identifies whether the host is up or down.

# nmap -sn -sC {Target_IP}

# nmap -Pn -sn -sC {Target_IP}

nmap -sn -sC

This second form scans the network without port scanning and without host discovery.

A penetration tester can execute a specific script with script tracing enabled:

# nmap --script smb-os-discovery --script-trace {target_IP_Address}

nmap --script smb-os-discovery --script-trace

Run a particular script that takes a script argument

Tuesday, June 21, 2022

What is Cybercrime? Types, Tools, Examples!

 

What is Cybercrime?

Cybercrime is defined as an unlawful action against any person using a computer, its systems, and its online or offline applications. It occurs when information technology is used to commit or cover an offense. However, the act is only considered Cybercrime if it is intentional and not accidental.



Example of Cybercrime

Here are some of the most commonly occurring cybercrimes:

  • Fraud committed by manipulating a computer network
  • Unauthorized access to or modification of data or applications
  • Intellectual property theft, which includes software piracy
  • Industrial spying and access to or theft of computer materials
  • Writing or spreading computer viruses or malware
  • Digitally distributing child pornography

Cybercrime Attack Types

Cybercrime can take various forms. Here are some of the most common cybercrime attack modes:

Hacking:

It is an act of gaining unauthorized access to a computer system or network.

Denial Of Service Attack:

In this cyberattack, the cyber-criminal consumes the bandwidth of the victim's network or fills their e-mail box with spam. Here, the intention is to disrupt their regular services.

Software Piracy:

Theft of software by illegally copying genuine programs or counterfeiting. It also includes the distribution of products intended to pass for the original.


Phishing:

Phishing is a technique for extracting confidential information from bank or financial-institution account holders by illegal means.

Spoofing:

It is an act of getting one computer system or a network to pretend to have the identity of another computer. It is mostly used to get access to exclusive privileges enjoyed by that network or computer.

Cyber Crime Tools

There are many types of digital forensic tools:

Kali Linux:

Kali Linux is open-source software that is maintained and funded by Offensive Security. It is specially designed for digital forensics and penetration testing.

Ophcrack:

This tool is mainly used for cracking password hashes, such as the ones Windows stores in its SAM files. It offers a secure GUI and runs on multiple platforms.

EnCase:

This software allows an investigator to image and examine data from hard disks and removable disks.

SafeBack:

SafeBack is mainly used for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks.

Data dumper:

This is a command-line computer forensic tool. It is freely available for UNIX operating systems and can make exact copies of disks suitable for digital forensic analysis.

Md5sum:

A tool that helps you check whether data has been copied to another storage device successfully.
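The following is an added example, not code from the original article: it does in Python what the md5sum check above does by hand, hashing a source file and its copy and comparing the digests. Files are read in chunks so that disk images larger than memory can be verified, and SHA-256 is computed alongside MD5 because MD5 collisions can be manufactured and a match on MD5 alone is no longer proof of an intact copy. The two files in `demo()` are constructed in a temporary directory.

```python
"""Verify that a copy matches its source by comparing file digests (added example)."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file with several algorithms in one pass, reading 1 MiB at a time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_copy(source, copy):
    """Return whether every digest of the copy equals the source's digest."""
    src, dst = file_digests(source), file_digests(copy)
    return {"match": src == dst, "source": src, "copy": dst}


def demo():
    """Constructed demo: an intact copy and a copy with one flipped byte."""
    data = bytes(range(256)) * 4096            # 1 MiB of constructed "image" data
    damaged = data[:-1] + bytes([data[-1] ^ 0x01])
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name) for name in ("evidence.img", "good.img", "bad.img")}
        for name, content in (("evidence.img", data), ("good.img", data), ("bad.img", damaged)):
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return {
            "intact": verify_copy(paths["evidence.img"], paths["good.img"])["match"],
            "corrupted": verify_copy(paths["evidence.img"], paths["bad.img"])["match"],
        }


if __name__ == "__main__":
    print(demo())
```

In practice the digests of the original medium are recorded at acquisition time and kept with the case notes, so that any later copy can be checked against them without access to the original.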

Summary:

  • Cybercrime is an unlawful action against any person using a computer, its systems, and its online or offline applications.
  • Fraud committed by manipulating a computer network is an example of cybercrime.
  • The various types of cybercrime attack modes are 1) Hacking 2) Denial of Service Attack 3) Software Piracy 4) Phishing 5) Spoofing.
  • Some important tools used against cyber attacks are 1) Kali Linux, 2) Ophcrack, 3) EnCase, 4) SafeBack, 5) Data dumper.
  • Kali Linux is open-source software that is maintained and funded by Offensive Security.
  • Ophcrack is a tool mainly used for cracking password hashes, such as the ones Windows stores in its SAM files.
  • The EnCase tool allows an investigator to image and examine data from hard disks and removable disks.
  • SafeBack is mainly used for imaging the hard disks of Intel-based computer systems and restoring these images to other hard disks.
  • Data dumper is a command-line computer forensic tool.
  • Md5sum helps you check whether data has been copied to another storage device successfully.


Worm, Virus & Trojan Horse: Ethical Hacking Tutorial

Some of the skills that hackers have are programming and computer networking skills. They often use these skills to gain access to systems. The objective of targeting an organization would be to steal sensitive data, disrupt business operations or physically damage computer-controlled equipment. Trojans, viruses, and worms can be used to achieve the above-stated objectives.

In this article, we will introduce you to some of the ways that hackers can use Trojans, viruses, and worms to compromise a computer system. We will also look at the countermeasures that can be used to protect against such activities.


What is a Trojan horse?

A Trojan horse is a program that allows the attacker to control the user's computer from a remote location. The program is usually disguised as something that is useful to the user. Once the user has installed the program, it can install malicious payloads, create backdoors, install other unwanted applications that can be used to compromise the user's computer, etc.

The list below shows some of the activities that the attacker can perform using a Trojan horse.

  • Use the user's computer as part of a botnet when performing distributed denial of service attacks.
  • Damage the user's computer (crashing, blue screen of death, etc.).
  • Steal sensitive data such as stored passwords, credit card information, etc.
  • Modify files on the user's computer.
  • Steal electronic money by performing unauthorized money transfer transactions.
  • Log all the keys that a user presses on the keyboard and send the data to the attacker. This method is used to harvest user IDs, passwords, and other sensitive data.
  • View screenshots of the user's screen.
  • Download browsing history data.

What is a worm?




A worm is a malicious computer program that replicates itself, usually over a computer network. An attacker may use a worm to accomplish the following tasks:

  • Install backdoors on the victims' computers. The created backdoor may be used to create zombie computers that are used to send spam emails, perform distributed denial of service attacks, etc. The backdoors can also be exploited by other malware.
  • Worms may also slow down the network by consuming bandwidth as they replicate.
  • Install harmful payload code carried within the worm.

What is a Virus?


A virus is a computer program that attaches itself to legitimate programs and files without the user's consent. Viruses can consume computer resources such as memory and CPU time. The attacked programs and files are said to be "infected". A computer virus may be used to:

  • Access private data such as user IDs and passwords
  • Display annoying messages to the user
  • Corrupt data on your computer
  • Log the user's keystrokes

Computer viruses have been known to employ social engineering techniques. These techniques involve deceiving the users to open the files which appear to be normal files such as Word or Excel documents. Once the file is opened, the virus code is executed and does what it’s intended to do.

Trojans, Viruses, and Worms countermeasures

To protect against such attacks, an organization can use the following methods.

  • A policy that prohibits users from downloading unnecessary files from the Internet such as spam email attachments, games, programs that claim to speed up downloads, etc.
  • Anti-virus software must be installed on all user computers. The anti-virus software should be updated frequently, and scans must be performed at specified time intervals.
  • Scan external storage devices on an isolated machine, especially those that originate from outside the organization.
  • Regular backups of critical data must be made and stored, preferably on read-only media such as CDs and DVDs.
  • Worms exploit vulnerabilities in operating systems. Installing operating system updates can help reduce the infection and replication of worms.
  • Worms can also be avoided by scanning all email attachments before downloading them.

Trojan, Virus, and Worm Differential Table

Definition
  Trojan: Malicious program used to control a victim's computer from a remote location.
  Virus: Self-replicating program that attaches itself to other programs and files.
  Worm: Illegitimate program that replicates itself, usually over the network.

Purpose
  Trojan: Steal sensitive data, spy on the victim's computer, etc.
  Virus: Disrupt normal computer usage, corrupt user data, etc.
  Worm: Install backdoors on the victim's computer, slow down the user's network, etc.

Countermeasures (all three)
  Use of anti-virus software, update patches for operating systems, security policy on usage of the internet and external storage media, etc.

Monday, June 20, 2022

What is Social Engineering? Attacks, Techniques & Prevention

 


What is Social Engineering?

Social engineering is the art of manipulating users of a computing system into revealing confidential information that can be used to gain unauthorized access to a computer system. The term can also include activities such as exploiting human kindness, greed, and curiosity to gain access to restricted-access buildings or getting users to install backdoor software.

Knowing the tricks used by hackers to get users to release vital login information, among other things, is fundamental to protecting computer systems.

In this tutorial, we will introduce you to the common social engineering techniques and how you can come up with security measures to counter them.


How does social engineering work?

A social engineering attack typically proceeds in these stages:

  • Gather Information: This is the first stage; the attacker learns as much as he can about the intended victim. The information is gathered from company websites, other publications and sometimes by talking to the users of the target system.
  • Plan Attack: The attacker outlines how he/she intends to execute the attack.
  • Acquire Tools: These include computer programs that an attacker will use when launching the attack.
  • Attack: Exploit the weaknesses in the target system.
  • Use acquired knowledge: Information gathered during the social engineering tactics, such as pet names, birthdates of the organization's founders, etc., is used in attacks such as password guessing.

Common Social Engineering Techniques:

Social engineering techniques can take many forms. The following is the list of the commonly used techniques.


  • Familiarity Exploit: Users are less suspicious of people they are familiar with. An attacker can familiarize him/herself with the users of the target system prior to the social engineering attack. The attacker may interact with users during meals, join them when they are smoking, attend social events, etc. This makes the attacker familiar to the users. Let's suppose that the user works in a building that requires an access code or card to gain entry; the attacker may follow the users as they enter such places. The users are most likely to hold the door open for the attacker as they are familiar with them. The attacker can also ask for answers to questions such as where you met your spouse, the name of your high school math teacher, etc. The users are most likely to reveal the answers as they trust the familiar face. This information could be used to hack email accounts and other accounts that ask similar questions when one forgets a password.
  • Intimidating Circumstances: People tend to avoid people who intimidate others around them. Using this technique, the attacker may pretend to have a heated argument on the phone or with an accomplice in the scheme. The attacker may then ask users for information which would be used to compromise the security of the users' system. The users are most likely to give the correct answers just to avoid a confrontation with the attacker. This technique can also be used to avoid being checked at a security checkpoint.
  • Phishing: This technique uses trickery and deceit to obtain private data from users. The social engineer may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.
  • Tailgating: This technique involves following users from behind as they enter restricted areas. As a human courtesy, the user is most likely to let the social engineer into the restricted area.
  • Exploiting human curiosity: Using this technique, the social engineer may deliberately drop a virus-infected flash disk in an area where the users can easily pick it up. The user will most likely plug the flash disk into a computer. The flash disk may auto-run the virus, or the user may be tempted to open a file with a name such as Employees Revaluation Report 2013.docx which may actually be an infected file.
  • Exploiting human greed: Using this technique, the social engineer may lure the user with promises of making a lot of money online by filling in a form and confirming their details, including credit card details, etc.

Social Engineering Countermeasures

Most techniques employed by social engineers involve manipulating human biases. To counter such techniques, an organization can:

    • To counter the familiarity exploit, the users must be trained to not substitute familiarity with security measures. Even the people that they are familiar with must prove that they have the authorization to access certain areas and information.
    • To counter intimidating circumstances attacks, users must be trained to identify social engineering techniques that fish for sensitive information and politely say no.
    • To counter phishing techniques, most sites such as Yahoo use secure connections to encrypt data and prove that they are who they claim to be. Checking the URL may help you spot fake sites. Avoid responding to emails that request you to provide personal information.
    • To counter tailgating attacks, users must be trained not to let others use their security clearance to gain access to restricted areas. Each user must use their own access clearance.
    • To counter human curiosity, it’s better to submit picked up flash disks to system administrators who should scan them for viruses or other infection preferably on an isolated machine.
    • To counter techniques that exploit human greed, employees must be trained on the dangers of falling for such scams.
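The following is an added example, not code from the original article: a few of the URL checks a defender (or an email gateway) can apply to a link before trusting it, the "checking the URL" advice from the phishing countermeasure above. `TRUSTED_DOMAINS` and `BRAND_WORDS` are a constructed allowlist built around the Yahoo example in the text, and `registrable_domain` uses a simplified two-label rule that does not handle suffixes such as co.uk; a production check would use the Public Suffix List. All URLs in the test are constructed.

```python
"""Heuristic phishing-link checks on a URL (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist for the Yahoo example in the text (assumption).
TRUSTED_DOMAINS = {"yahoo.com"}
BRAND_WORDS = ("yahoo",)


def registrable_domain(host):
    """Simplified: last two labels. Real checks should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url):
    """Return a list of reasons the link deserves suspicion; an empty list means nothing found."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # The text above notes genuine sites use secure (encrypted, authenticated) connections.
    if parts.scheme != "https":
        findings.append("connection is not https")

    # Anything before '@' is user info, not the host; it is a classic way to disguise the target.
    if parts.username is not None:
        findings.append("text before '@' is not the host; the real host is %s" % host)

    # Legitimate consumer services are reached by name, not by raw address.
    if host and host.replace(".", "").isdigit():
        findings.append("host is a bare IP address")

    # Internationalised labels can render like a familiar name while being a different domain.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) label can imitate a familiar name")

    # A brand name in a subdomain or hyphenated label proves nothing; only the registrable domain counts.
    domain = registrable_domain(host)
    for brand in BRAND_WORDS:
        if brand in host and domain not in TRUSTED_DOMAINS:
            findings.append("mentions %s but the registrable domain is %s" % (brand, domain))
    return findings


if __name__ == "__main__":
    for link in ("https://mail.yahoo.com/", "http://yahoo.com.login-verify.example/"):
        print(link, "->", check_url(link) or "no findings")
```

The important habit the code encodes is the last check: what matters is the registrable domain just before the path, not whether a familiar name appears somewhere in the host.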

Summary

  • Social engineering is the art of exploiting the human element to gain access to unauthorized resources.
  • Social engineers use a number of techniques to fool the users into revealing sensitive information.
  • Organizations must have security policies that have social engineering countermeasures.

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

 


The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.

"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic."

Besides home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, have been victimized by the botnet to date, the prosecutors said.

Customers wanting to rent proxies from RSOCKS could buy access via a web-based storefront for different time periods at various price points, ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once purchased, criminal actors could then redirect malicious internet traffic through the IP addresses associated with the compromised victim devices to conceal their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send out phishing messages.

The action is the culmination of an undercover operation mounted by the Federal Bureau of Investigation (FBI) in early 2017, when it made covert purchases from RSOCKS to map out its infrastructure and its victims, allowing it to determine roughly 325,000 infected devices.

"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks," the DoJ said. "The RSOCKS backend servers maintained a persistent connection to the compromised device."

The disruption of RSOCKS arrives less than two weeks after the DoJ seized an illicit online marketplace known as SSNDOB for trafficking personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S.

BRATA Android Malware Gains Advanced Mobile Threat Capabilities

 

The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.

"In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information."

An acronym for "Brazilian Remote Access Tool Android," BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to trick users into downloading them.

The change in the attack pattern, which scaled new highs in early April 2022, involves tailoring the malware to strike a specific financial institution at a time, switching to a different bank only after the victim begins implementing countermeasures against the threat.

Also incorporated in the rogue apps are new features that enable it to impersonate the login page of the financial institution to harvest credentials, access SMS messages, and sideload a second-stage payload ("unrar.jar") from a remote server to log events on the compromised device.

"The combination of the phishing page with the possibility to receive and read the victim's sms could be used to perform a complete Account Takeover (ATO) attack," the researchers said.

Additionally, Cleafy said it found a separate Android app package sample ("SMSAppSicura.apk") that used the same command-and-control (C2) infrastructure as BRATA to siphon SMS messages, indicating that the threat actors are testing out different methods to expand their reach.

The SMS stealer app is said to be specifically singling out users in the U.K., Italy, and Spain, its goal being able to intercept and exfiltrate all incoming messages related to one-time passwords sent by banks.

"The first campaigns of malware were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank," the researchers said.

"They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target."

Friday, June 17, 2022

Burp Suite Extension - To Monitor And Keep Track of Tested Endpoints



Burp Scope Monitor Extension

A Burp Suite Extension to monitor and keep track of tested endpoints.


Main Features


  • Simple, easy way to keep track of unique endpoints when testing an application
  • Mark individual endpoints as analyzed or not
  • Instantly understand when a new endpoint, not tested is requested
  • Accessible from Proxy tab (right click, mark request as analyzed/not)
  • Send to Repeater
  • Enforcement of Burp's in scope rules
  • Import/Export state file directly to a CSV file for
  • Autosave option


Installation


  1. Make sure you have Jython configured under Extender -> Options -> Python Environment. For further instructions, check PortSwigger official instructions at their support page.
  2. git clone git@github.com:Regala/burp-scope-monitor.git
  3. Import main.py in Extender - Extender -> Extensions -> Add -> Select Python -> Select main.py


Documentation

Most of the options available in the General or Import tabs are self-explanatory.



  • "Repeater request automatically marks as analyzed" - when issuing a request to an endpoint from repeater, it marks this request as analyzed automatically.
  • "Color request in Proxy tab" - this essentially applies the behavior of the extension in the Proxy tab, if you combine these options with "Show only highlighted items" in Proxy. However, it's not as pleasant to the eyes as the color pallete is limited.
  • "Autosave periodically" - backups the state file every 10 minutes. When activating this option, consider disabling "Autostart Scope Monitor". This is in order to maintain a different state file per Burp project. However, you can easily maintain only one, master state file.
  • "Import/Export" is dedicated to handle the saved state files. It's preferred to open your Burp project file associated with the Scope Monitor. It will still work if the Burp project is different, but when loading the saved entries, you won't be able to send them to Repeater or view the request itself in the Request/Response viewer (this is due to the fact that we are not storing the actually requests - just the endpoint, it's analyzed status and a couple of other more. This makes it a little bit more efficient).

Future Development


  • Keep track of parameters observed in all requests
  • Highlight when a new parameter was used in an already observed/analyzed endpoint
  • Export to spreadsheet / Google Sheets
  • Adding notes to the endpoint

Implementation

The code is not yet performant, optimized or anything similar. KISS and it works. Performance will be increased depending on demand and how the extension performs when handling large Burp projects.

To circumvent some of Burp's Extender API limitations, some small hacks were implemented. One of those is automatically setting a comment on the requests that flow in the Proxy tab.

You can still add comments on the items as you normally would, but just make sure to keep the placeholder string (scope-monitor-placeholder) there.

Hopefully in the future each requestResponse from Burp will have a unique identifier, which would make the import state / load from file much cleaner and faster. With large state files, loading might hang a bit.

Download Burp Scope Monitor 

Evil Twin attack

An Evil Twin attack is an attack frequently carried out against wireless access points with malicious intent. This attack happens when...