Network Security Types of attacks

Security is a fundamental component of every network design. When planning, building, and operating a network, you should understand the importance of a strong security policy.

Need for Network Security:

Today almost anyone can become a hacker by downloading tools from the Internet. These complicated attack tools and generally open networks have generated an increased need for network security and dynamic security policies.

The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A closed network provides connectivity only to trusted known parties and sites; a closed network does not allow a connection to public networks.

Because they have no Internet connectivity, networks designed in this way can be considered safe from Internet attacks. However, internal threats still exist.

There is a estimates that 60 to 80 percent of network misuse comes from inside the enterprise where the misuse has taken place.

Types of attack:

Passive Attack

A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

Active Attack

In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.

Distributed Attack

A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, to a “trusted” component or software that will later be distributed to many other companies and users Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door to a product to gain unauthorized access to information or to a system function at a later date.

Insider Attack

An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network Insider attacks can be malicious or no malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. No malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task

Close-in Attack

A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.
One popular form of close in attack is social engineering in a social engineering attack, the attacker compromises the network or system through social interaction with a person, through an e-mail message or phone. Various tricks can be used by the individual to revealing information about the security of company. The information that the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network.

Phishing Attack

In phishing attack the hacker creates a fake web site that looks exactly like a popular site such as the SBI bank or paypal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site.

Hijack attack

Hijack attack In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident.

Spoof attack

Spoof attack In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.

Buffer overflow

Buffer overflow A buffer overflow attack is when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a  command prompt or shell.

Exploit attack

Exploit attack In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

Password attack

Password attack An attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters.

 

 

What ports are open on the computer

One of the most common question is see users asking
How i can find what ports are open on my computer

you can uses NETSTAT command to check what ports
are open on your computer .

netstat -an |find /i "listening"

Listening will show you what ports are open and
if you replace listening with established it will
show you all the ports you have connection established.





netstat -an |find /i "Established"

I still suggest you to use port scanner to
find out what ports are open on your computer.

Analyze the Disk Space through Script

This script will be useful to analyze the disk usage and if the reported disk space is more than 90 % an email will be sent to the administrator.




#!/bin/sh
# set -x
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the (free available) percentage of space is >= 90%.
# -------------------------------------------------------------------------
# Set admin email so that you can get email.
ADMIN="root"
# set alert level 90% is default
ALERT=90
# Exclude list of unwanted monitoring, if several partions then use "|" to separate the partitions.
# An example: EXCLUDE_LIST="/dev/hdd1|/dev/hdc5"
EXCLUDE_LIST="/auto/ripper"
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
function main_prog() {
while read output;
do
#echo $output
  usep=$(echo $output | awk '{ print $1}' | cut -d'%' -f1)
  partition=$(echo $output | awk '{print $2}')
  if [ $usep -ge $ALERT ] ; then
     echo "Running out of space \"$partition ($usep%)\" on server $(hostname), $(date)" | \
     mail -s "Alert: Almost out of disk space $usep%" $ADMIN
  fi
done
}
if [ "$EXCLUDE_LIST" != "" ] ; then
  df -H | grep -vE "^Filesystem|tmpfs|cdrom|${EXCLUDE_LIST}" | awk '{print $5 " " $6}' | main_prog
else
  df -H | grep -vE "^Filesystem|tmpfs|cdrom" | awk '{print $5 " " $6}' | main_prog
fi

Adding NEW user in Linux Server through Script

                      Adding NEW user in Linux Server



This script allows the root user or admin to add new users to the system in an easier way by just typing the user name and password (The password is entered in an encrypted manner).



#!/bin/bash
# Script to add a user to Linux system
if [ $(id -u) -eq 0 ]; then
    read -p "Enter username : " username
    read -s -p "Enter password : " password
    egrep "^$username" /etc/passwd >/dev/null
    if [ $? -eq 0 ]; then
        echo "$username exists!"
        exit 1
    else
        pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
        useradd -m -p $pass $username
        [ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
    fi
else
    echo "Only root may add a user to the system"
    exit 2

fi

OSI (Open Systems Interconnection) Model

The Open Systems Interconnection Model (OSI) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The OSI Model is a conceptual, seven-layered model of how networks work. It tells us that how data is going through one computer to another computer, and also it simplifies to troubleshoot the network issues.

A reference model to make sure products of different vendors would work together.

The concept of a seven-layer model was provided by the work of Charles Bachman, Honeywell Information Services.

OSI Network Interconnection

OSI Packet Structure

OSI LAYER

1.  Physical Layer

• Function of Layer 1

• It defines the electrical and physical specifications of the data connection. It defines the relationship between a device and a physical transmission medium (e.g., a copper or fiber optical cable). This includes the layout of pins, voltages, line impedance, cable specifications, signal timing, hubs, repeaters, network adapters, host bus adapters (HBA used in storage area networks) and more.
• It defines the protocol to establish and terminate a connection between two directly connected nodes over a communications medium.
• It may define the protocol for flow control.
• It defines transmission mode i.e. simplex, half & full duplex.
• It defines topology.

• Protocol

• Telephone network modems- V.92
• IRDA physical layer
• USB physical layer
• EIA RS-232, EIA-422, EIA-423, RS-449, RS-485
• Ethernet physical layer Including 10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX and other varieties
• Varieties of 802.11 Wi-Fi physical layers
• DSL
• ISDN
• T1 and other T-carrier links, and E1 and other E-carrier links
• SONET/SDH
• Optical Transport Network (OTN)
• GSM Um air interface physical layer
• Bluetooth physical layer
• ITU Recommendations: see ITU-T
• IEEE 1394 interface
• TransferJet physical layer
• Etherloop
• ARINC 818 Avionics Digital Video Bus
• G.hn/G.9960 physical layer
• CAN bus (controller area network) physical layer
• Mobile Industry Processor Interface physical layer

2.  Data Link Layer

The Data-Link layer contains two sub layers that are described in the IEEE-802 LAN standards:

Media Access Control (MAC) layer- Responsible for controlling how computers in the network gain access to data and permission to transmit it.

Logical Link Control (LLC) layer- Control error checking and packet synchronization.

Data Link Layer

• Function of Layer 2

• Link establishment and termination: establishes and terminates the logical link between two nodes.
• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are available.
• Frame sequencing: transmits/receives frames sequentially.
• Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling duplicate frame receipt.
• Frame delimiting: creates and recognizes frame boundaries.
• Frame error checking: checks received frames for integrity.
• Media access management: determines when the node "has the right" to use the physical medium.

• Protocol

• ARCnet　Attached Resource Computer NETwork
• CDP Cisco Discovery Protocol
• DCAP Data Link Switching Client Access Protocol
• Distributed Multi-Link Trunking
• Distributed Split Multi-Link Trunking
• Dynamic Trunking Protocol
• Econet
• Ethernet
• FDDI Fiber Distributed Data Interface
• Frame Relay
• ITU-T G.hn Data Link Layer
• HDLC High-Level Data Link Control
• IEEE 802.11 WiFi
• IEEE 802.16 WiMAX
• LACP Link Aggregation Control Protocol
• LattisNet
• LocalTalk
• L2F Layer 2 Forwarding Protocol
• L2TP Layer 2 Tunneling Protocol
• LAPD Link Access Procedures on the D channel
• LLDP Link Layer Discovery Protocol
• LLDP-MED Link Layer Discovery Protocol - Media Endpoint Discovery
• PAgP - Cisco Systems proprietary link aggregation protocol
• PPP Point-to-Point Protocol
• PPTP Point-to-Point Tunneling Protocol
• Q.710 Simplified Message Transfer Part
• Multi-link trunking Protocol
• RPR IEEE 802.17 Resilient Packet Ring
• SLIP Serial Line Internet Protocol (obsolete)
• StarLAN
• STP Spanning Tree Protocol
• Split multi-link trunking Protocol
• Token ring a protocol developed by IBM; the name can also be used to describe the token passing ring logical topology that it popularized.
• VTP VLAN Trunking Protocol
• VLAN Virtual Local Area Network

3.  Network Layer

Network Layer

• Function of Layer 3

• Routing: routes frames among networks.
• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending station to "throttle back" its frame transmission when the router's buffer fills up.
• Frame fragmentation: if it determines that a downstream router's maximum transmission unit (MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at the destination station.
• Logical-physical address mapping: translates logical addresses, or names, into physical addresses.
• Subnet usage accounting: has accounting functions to keep track of frames forwarded by subnet intermediate systems, to produce billing information.

• Protocol

• ARP Address Resolution Protocol
• RARP Reverse Address Resolution Protocol
• ATM Asynchronous Transfer Mode
• Frame relay, a simplified version of X.25
• IS-IS, Intermediate System - Intermediate System (OSI)
• MPLS Multi-protocol label switching
• SPB Shortest Path Bridging
• X.25
• MTP Message Transfer Part
• NSP Network Service Part
• HIP Host Identity Protocol

• Protocol Layer 3+4

• AppleTalk
• DECnet
• IPX/SPX
• Internet Protocol Suite
• Xerox Network Systems
• TCP/IP

4.  Transport Layer

Transport Layer

• Function of Layer 4

• Message segmentation: accepts a message from the (session) layer above it, splits the message into smaller units (if not already small enough), and passes the smaller units down to the network layer. The transport layer at the destination station reassembles the message.
• Message acknowledgment: provides reliable end-to-end message delivery with acknowledgments.
• Message traffic control: tells the transmitting station to "back-off" when no message buffers are available.
• Session multiplexing: multiplexes several message streams, or sessions onto one logical link and keeps track of which messages belong to which sessions (see session layer).

• Protocol

• AH Authentication Header over IP or IPSec
• IL Originally developed as transport layer for 9P
• SCTP Stream Control Transmission Protocol
• Sinec H1 for telecontrol
• SPX Sequenced Packet Exchange
• TCP Transmission Control Protocol
• UDP User Datagram Protocol
• DCCP Datagram Congestion Control Protocol

5.  Session Layer

Session Layer

• Function of Layer 5

• Session establishment, maintenance and termination: allows two application processes on different machines to establish, use and terminate a connection, called a session.
• Session support: performs the functions that allow these processes to communicate over the network, performing security, name recognition, logging, and so on.

• Protocol

• 9P Distributed file system protocol developed originally as part of Plan 9
• NetBIOS, File Sharing and Name Resolution protocol - the basis of file sharing with Windows.
• NetBEUI, NetBIOS Enhanced User Interface
• NCP NetWare Core Protocol
• NFS Network File System
• SMB Server Message Block
• SOCKS "SOCKetS"

6.  Presentation Layer

Presentation Layer

• Function of Layer 6

• Character code translation: for example, ASCII to EBCDIC.
• Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.
• Data compression: reduces the number of bits that need to be transmitted on the network.
• Data encryption: encrypt data for security purposes. For example, password encryption.

• Protocol

• TLS Transport Layer Security

7.  Application Layer

Application Layer

• Function of Layer 7

• Resource sharing and device redirection
• Remote file access
• Remote printer access
• Inter-process communication
• Network management
• Directory services
• Electronic messaging (such as mail)
• Network virtual terminals

• Protocol

• ADC, A peer-to-peer file sharing protocol
• AFP, Apple Filing Protocol
• BACnet, Building Automation and Control Network protocol
• BitTorrent, A peer-to-peer file sharing protocol
• BGP Border Gateway Protocol
• BOOTP, Bootstrap Protoc;
• CAMEL, an SS7 protocol tool for the home operator
• Diameter, an authentication, authorization and accounting protocol
• DICOM includes a network protocol definition
• DICT, Dictionary protocol
• DNS, Domain Name System
• DSM-CC Digital Storage Media Command and Control
• DSNP, Distributed Social Networking Protocol
• DHCP, Dynamic Host Configuration Protocol
• ED2K, A peer-to-peer file sharing protocol
• FTP, File Transfer Protocol
• Finger, which gives user profile information
• Gnutella, a peer-to-peer file-swapping protocol
• Gopher, a hierarchical hyperlinkable protocol
• HTTP, Hypertext Transfer Protocol
• HTTPS, Hypertext Transfer Protocol Secure
• IMAP, Internet Message Access Protocol
• IRC, Internet Relay Chat
• ISUP, ISDN User Part
• LDAP Lightweight Directory Access Protocol
• MIME, Multipurpose Internet Mail Extensions
• MSNP, Microsoft Notification Protocol (used by Windows Live Messenger)
• MAP, Mobile Application Part
• Mosh, Mobile Shell
• NNTP, Network News Transfer Protocol
• NTP, Network Time Protocol
• NTCIP, National Transportation Communications for Intelligent Transportation System Protocol
• POP3 Post Office Protocol Version 3
• RADIUS, an authentication, authorization and accounting protocol
• RDP, Remote Desktop Protocol
• Rlogin, a UNIX remote login protocol
• rsync, a file transfer protocol for backups, copying and mirroring
• RTP, Real-time Transport Protocol
• RTSP, Real-time Transport Streaming Protocol
• SSH, Secure Shell
• SISNAPI, Siebel Internet Session Network API
• SIP, Session Initiation Protocol, a signaling protocol
• SMTP, Simple Mail Transfer Protocol
• SNMP, Simple Network Management Protocol
• SOAP, Simple Object Access Protocol
• SMB, Microsoft Server Message Block Protocol
• STUN, Session Traversal Utilities for NAT
• TUP, Telephone User Part
• Telnet, a remote terminal access protocol
• TCAP, Transaction Capabilities Application Part
• TFTP, Trivial File Transfer Protocol, a simple file transfer protocol
• WebDAV, Web Distributed Authoring and Versioning
• XMPP, an instant-messaging protocol

ASA (Firewall) Password Recovery

Hello Everyone.


To recover passwords for the ASA, perform the following steps:

Step: 1 Connect to the ASA console port according to the instructions in "Accessing the Command-Line Interface" section.

Step: 2 Power off the ASA, and then power it on.

Step: 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step: 4 To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM...

rommon #1> confreg

The ASA displays the current configuration register value, and asks whether you want to change it:

Current Configuration Register: 0x00000041

Configuration Summary:

boot default image from Flash

ignore system configuration

Do you wish to change this configuration? y/n [n]: y

Step: 6 Record the current configuration register value, so you can restore it later.

Step: 7 At the prompt, enter Y to change the value. The ASA prompts you for new values.

Step: 8 Accept the default values for all settings. At the prompt, enter Y.

Step: 9 Reload the ASA by entering the following command:

rommon #2> boot

Launching BootLoader...

Boot configuration file contains 1 entry.

Loading disk0:/asa800-226-k8.bin... Booting...Loading...

The ASA loads the default configuration instead of the startup configuration.

Step: 10 Access the privileged EXEC mode by entering the following command:

hostname> enable

Step: 11 When prompted for the password, press Enter.

The password is blank.

Step: 12 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step: 13 Access the global configuration mode by entering the following command:

hostname# configure terminal

Step: 14 Change the passwords, as required, in the default configuration by entering the following commands:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step: 15 Load the default configuration by entering the following command:

hostname(config)# no config-register

The default configuration register value is 0x1.

Step: 16 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA.

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON mode without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.