SECURITY+
Some notes while studying SECURITY+ with AhmedSultan
Data is vulnerable when: stored, in transfer, being processed
Security information properties (CIA): - Confidentiality (secrecy) - Integrity (data is not altered) - Availability - Non-repudiation [log --> auditing]
Security controls: - Technical [antivirus] - Operational [people] - Managerial
Threat = vulnerability + exploit; a threat that succeeds --> risk
Attack vector: the tool [nmap]
Honeynet: fake network containing vulnerabilities
nmap -sS : TCP SYN scan to discover open ports/services
FireEye : Kali tools on Windows
Test access port [TAP] = like Wireshark, but in hardware
Vulnerabilities: - zero day [still fresh] - legacy platform [no longer supported --> unpatchable] - default settings - open permissions
Nessus : vuln scanner [network]; Nikto : vuln scanner [app & web application]
OpenVAS : scanner in Kali [openvas-start --> log in with credentials --> scan task --> download report]
Botnet (zombies) : hacked machines
Disable Windows Defender real-time monitoring (PowerShell) : Set-MpPreference -DisableRealtimeMonitoring $true
Acting on a suspicious process [Task Manager]: - discover the port [0-1024 are the well-known service ports] (Angry IP Scanner for a range) - PuTTY --> to make a connection by IP and port - delete the malware file - end the task - Windows Firewall with Advanced Security [search for the port and disable the rule]
Cryptography : hiding the content [encoding]; only the destination can decode it
- Encryption [two way + key]: - symmetric : one key - asymmetric : two keys [private, public]
- Hashing : simplest type [fixed-length string], one way --> unlike en/decryption, you cannot get the original value back
- PKI [all are techniques of encoding]
Cipher : algorithm used to encrypt and decrypt; Cryptanalysis : cracking cryptography
Public key --> confidentiality; private key --> authentication
Spoofing : forgery
PKI : public key infrastructure [proves the owner of the key]
CA : certificate authority, guarantees - key generation - certificate generation - storage
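The two roles of a key pair noted above (public key for confidentiality, private key for authentication) and the one-way nature of hashing, as an added example that is not part of the notes. It uses a toy RSA key built from tiny constructed primes, far too small for real use, and Python's built-in hashlib:

```python
import hashlib

# Added example, not from the notes. Toy RSA with tiny constructed primes
# to show the two roles of a key pair; real keys are 2048 bits or more.
P, Q = 61, 53
N = P * Q                            # public modulus
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)

def sha256_hex(data: bytes) -> str:
    """Hashing: one-way, fixed-length digest. You can compare a value
    against it, but you cannot recover the input from the digest."""
    return hashlib.sha256(data).hexdigest()

def encrypt(m: int, public_key) -> int:
    """Encrypt with the PUBLIC key: only the private-key holder can
    decrypt, which gives confidentiality."""
    e, n = public_key
    assert 0 <= m < n, "toy modulus: the message must be smaller than n"
    return pow(m, e, n)

def decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)

def sign(message: bytes, private_key) -> int:
    """Sign with the PRIVATE key: anyone with the public key can verify
    who produced it (authentication, non-repudiation). The hash is
    reduced mod n only so that it fits the toy modulus."""
    d, n = private_key
    digest = int(sha256_hex(message), 16) % n
    return pow(digest, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    digest = int(sha256_hex(message), 16) % n
    return pow(signature, e, n) == digest

if __name__ == "__main__":
    c = encrypt(42, PUBLIC_KEY)
    print("ciphertext", c, "-> plaintext", decrypt(c, PRIVATE_KEY))
    sig = sign(b"transfer 100", PRIVATE_KEY)
    print("genuine:", verify(b"transfer 100", sig, PUBLIC_KEY))
    print("tampered:", verify(b"transfer 900", sig, PUBLIC_KEY))
```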
ACS [Access Control System] : controls a subject [user] with respect to an object [ex: database]
Windows : SAM file; Linux : /etc/passwd
Brute force : attempt every possible combination [needs a strong CPU]
Firewalls [layer 3, layer 4]
1- Packet filter : hard to configure 2- Stateful firewall 3- time zones
Proxy [layer 7] : - sits between [client, server] - types [forward : the usual one; anonymous : untraceable; reverse : WAF] - [user --> proxy --> server]
How it works: 1- send the request to the proxy 2- proxy receives it 3- check whether it is allowed or not 4- proxy sends the request as the user 5- proxy gives the user the response
WAF (web application firewall) : same as the proxy but REVERSE [server --> WAF --> user] - layer 7 [sees everything in the data] - MODES [learning [the normal logs], active [blocks malicious traffic], passive [does not block, just logs it (take action personally)]]
How a WAF works: 1- WAF learns the normal traffic [learning mode] 2- checks for malicious traffic, signature-based 3- blocks the IP or detects abnormal behavior [to take action]
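The three WAF modes and the two detection paths (signature match, abnormal behaviour off the learned baseline) as an added toy model; it is not code from the notes, and the signatures, paths and IP addresses are constructed:

```python
import re
from collections import Counter

# Added example, not from the notes: a toy reverse-proxy WAF modelling the
# learning / active / passive modes. Signatures and requests are constructed.
SIGNATURES = [("path-traversal", re.compile(r"\.\./")),
              ("script-tag", re.compile(r"<script", re.IGNORECASE))]
ABNORMAL_THRESHOLD = 3   # off-baseline requests from one IP before acting

class ToyWAF:
    def __init__(self, mode="learning"):
        self.mode = mode
        self.baseline = Counter()    # normal paths seen while learning
        self.blocked_ips = set()     # IPs blocked in active mode
        self.unknown = Counter()     # per-IP count of never-seen paths
        self.log = []                # (ip, path, reason) entries

    def handle(self, request):
        """Decide 'forward' or 'block' for a request {ip, path}."""
        ip, path = request["ip"], request["path"]
        if ip in self.blocked_ips:
            self.log.append((ip, path, "blocked-ip"))
            return "block"
        if self.mode == "learning":
            self.baseline[path] += 1     # build the picture of normal traffic
            return "forward"
        hits = [name for name, rx in SIGNATURES if rx.search(path)]
        if not hits and path not in self.baseline:
            self.unknown[ip] += 1        # abnormal behaviour: unseen paths
            if self.unknown[ip] >= ABNORMAL_THRESHOLD:
                hits = ["abnormal-behaviour"]
        if not hits:
            return "forward"
        self.log.append((ip, path, ",".join(hits)))
        if self.mode == "passive":
            return "forward"             # log only; a person takes action
        self.blocked_ips.add(ip)         # active: block and remember the IP
        return "block"

def demo(mode="active"):
    """Learn three normal paths, switch mode, then replay constructed traffic."""
    waf = ToyWAF("learning")
    for path in ("/", "/login", "/news"):
        waf.handle({"ip": "10.0.0.5", "path": path})
    waf.mode = mode
    verdicts = [waf.handle({"ip": "10.0.0.5", "path": "/news"}),
                waf.handle({"ip": "10.0.0.9", "path": "/download/../../secret"}),
                waf.handle({"ip": "10.0.0.9", "path": "/login"})]
    return verdicts, waf.log
```

Running `demo("active")` blocks the second request and every later one from that IP, while `demo("passive")` forwards everything and only leaves the log entry for a person to act on.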
IPS/IDS [detect via packet inspection] : monitor for malicious traffic - IPS works between the firewall and the switch, monitors malicious traffic and takes action - IDS works on the switch, monitors malicious traffic and does not take action
NGFW [Next Generation Firewall] : solution combining a firewall with other security solutions [proxy, antivirus, ...]
Secure Mail Gateway : blocks malicious mails [spam]
Sandbox : a testing ground for a malicious program, to understand how it works; runs in a VM or on a real system
TCP/IP Protocol
App --> Transport --> Internet --> Link
192.168.1 [network] | .3 [host]
1-126 --> class A; 128-191 --> class B; 192-213 --> class C
Three-way handshake [TCP .. not for UDP]
1- send SYN 2- SYN received 3- established
ARP Protocol : to get MAC address from its IP
DHCP
1- client sends discover [broadcast] 2- server sends offer with IP [broadcast or unicast] 3- client sends acknowledgement of the server's offer 4- server sends DHCP Pack
DHCP Relay Agent : [so the router forwards the discover to the DHCP server, so it can send the client an IP]
DNS : maps between [names and IPs]; ICMP : PING command; Subnet mask [255.255.0.0] : which network you are in
macof -n 1000 : fills the switch's MAC address table [flood attack]
VLANs
divides LANs in the switch
decreases the broadcast domain
identifier is the number of the VLAN
switch port trunk [enables connecting two virtual networks (VLANs) together through the VLAN number, at two different places in the network]
NAT terminology : every time you access the internet you get a public IP from [router or firewall]
TCP/IP Attacks
IP : - man in the middle attack (ARP poisoning) - session hijacking - IP spoofing - DoS, DDoS [flood devices] - smurf attack [DoS attack with the broadcast IP] - ICMP [ping] used to perform network reconnaissance - UDP [lacks a checksum] easy to edit
Passive reconnaissance : via the internet; Active reconnaissance [ex : port scan]
CVSS : standard for rating vulnerabilities [severity score of the vulnerability]
Network Application
DNS : has a database [.net, www., ...] [the resolver first asks the root server, which replies with a referral; it then asks the .com server, which again replies with a referral; then it sends the site name itself to that server and gets back the lookup result with the IP, which returns to the resolver and then to the server so the result is shown to the user]; the DNS resolver is the client side
HTTP URL : www.kora.com ; URI : www.kora.com/gjyufyujhbjb
Request : - GET [web site] - POST [sign-in]
SMTP : sends mails [Envelope, Header, Body]
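The referral chain described for DNS above (root --> TLD --> authoritative, with the resolver re-asking each server), as an added example that is not from the notes. The zone data and server addresses are constructed, and www.kora.com is the notes' own example name:

```python
# Added example, not from the notes: constructed zone data and a toy
# iterative resolver that walks root -> TLD -> authoritative via referrals.
ROOT = "198.41.0.4"   # constructed placeholder for a root-server address

# Each "server" maps a name to ("A", ip) or ("NS", address of the next server).
SERVERS = {
    ROOT: {"com.": ("NS", "192.0.2.1")},                     # root: knows the TLDs
    "192.0.2.1": {"kora.com.": ("NS", "192.0.2.53")},        # .com: knows the zone
    "192.0.2.53": {"www.kora.com.": ("A", "203.0.113.10")},  # authoritative server
}

def query(server_ip, name):
    """Ask one server: it answers with the record for the longest suffix of
    the name that it knows, which is what turns into a referral."""
    zone = SERVERS[server_ip]
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return ("NXDOMAIN", None)

def resolve(name, max_hops=5):
    """The resolver (client side) re-asks every server it is referred to until
    one returns the A record. Returns (ip or None, list of hops)."""
    if not name.endswith("."):
        name += "."                    # work with fully qualified names
    trail, server = [], ROOT
    for _ in range(max_hops):
        kind, value = query(server, name)
        trail.append((server, kind, value))
        if kind == "A":
            return value, trail
        if kind != "NS":
            return None, trail         # NXDOMAIN: nobody knows the name
        server = value                 # follow the referral
    return None, trail                 # referral loop or too deep

if __name__ == "__main__":
    ip, trail = resolve("www.kora.com")
    for hop in trail:
        print(hop)
    print("answer:", ip)
```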
Network Security
Defense-in-Depth : security design built in layers (building blocks); AAA protocols [RADIUS, TACACS+] : Authentication, Authorization, Accounting; IAM : Identity Access Management
Stateful firewall [a packet that left from the user will not be rejected when it comes back, because it originated from inside] - Stateless firewall [the packet will be rejected because it is coming from outside to inside]
IPS : Intrusion Prevention System [searches inside the packet (a 1000-byte packet is abnormal, so deny it)] | Firewall : [permit or deny]
The right topology : [Internet --> Firewall --> IPS --> Network]
Network TAP [hardware] : works like Wireshark, saves all the traffic
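The stateful versus stateless difference and the Firewall --> IPS ordering above, as an added simulation that is not code from the notes. The packets, addresses and the 1000-byte IPS threshold are constructed from the notes' own description:

```python
# Added example, not from the notes: constructed packets run through a
# stateless filter, a stateful filter and the IPS check, in the order
# Internet --> Firewall --> IPS --> Network described above.
INSIDE_PREFIX = "192.168.1."

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt):
    """Stateless: judge each packet alone. Policy: permit inside -> outside,
    deny outside -> inside, so even the reply to our own request is denied."""
    if is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
        return "permit"
    return "deny"

class StatefulFilter:
    def __init__(self):
        self.connections = set()   # (inside ip, port, outside ip, port)

    def filter(self, pkt):
        """Stateful: remember outbound connections, so the return packet of a
        request that left from inside is permitted; unsolicited inbound is denied."""
        outbound = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
            self.connections.add(outbound)
            return "permit"
        return "permit" if reply_of in self.connections else "deny"

def ips_check(pkt, limit=1000):
    """IPS looks inside the packet; the notes treat a 1000-byte packet as abnormal."""
    return "deny" if len(pkt["payload"]) >= limit else "permit"

# Constructed traffic: a DNS request from inside, its reply, and an unsolicited probe.
PACKETS = [
    {"src": "192.168.1.3", "sport": 50000, "dst": "8.8.8.8", "dport": 53, "payload": b"q"},
    {"src": "8.8.8.8", "sport": 53, "dst": "192.168.1.3", "dport": 50000, "payload": b"r"},
    {"src": "203.0.113.7", "sport": 4444, "dst": "192.168.1.3", "dport": 445, "payload": b"x"},
]

def run(packets=PACKETS):
    """Per-packet verdicts: (stateless, stateful, stateful then IPS)."""
    firewall, verdicts = StatefulFilter(), []
    for p in packets:
        stateful = firewall.filter(p)
        ips = ips_check(p) if stateful == "permit" else "deny"
        verdicts.append((stateless_filter(p), stateful, ips))
    return verdicts
```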
VPNs : communication in a secure way [SSL], 2 layers
ECS : Email Content Security [checks emails]; WCS : Web Content Security [if it is [http, https], check whether it is permitted]
ASA --> firewall; ASAx --> NGFW
SIEM LOGS [IPS, firewall, DNS, WCS, ECS, AAA, NGFW, Linux --> /var/log, Windows --> Event Viewer, PCAP, NetFlow]
Security Onion [Ubuntu] : tar -xzvf [file] --> decompress; ./file.pl --> install
IDS test : testmyids.com
Active Directory : stores credentials and controls the domain network as a software; Domain Controller : the server in charge of running Active Directory
Delegation : give specific users some control over some OUs
Kerberos : used by any recent version of Windows; the default protocol in any recent domain [host name]. NetNTLM : legacy authentication protocol kept for compatibility purposes [IP]
PROTOCOLS
DNS : name [numbers] resolving [pc1 --> IP, pc2 --> IP], because there are a lot of network cards in the same PC
DHCP : Dynamic Host Config Protocol [UDP] auto-assigns IP, routes, ... [discover [pc], offer [server], request [pc], ack [server]]; static IP required [for servers]; lease duration (8 days default)
DNS : name resolving [TCP&UDP]
FAT [4 GB] | NTFS [up to 2 TB]; we can run VMware inside VMware [bad for performance]
vmnet1 : host only; vmnet8 : NAT; vmnet0 : the physical network [bridged]
Standard : 2 VMware only; Datacenter : a lot
Core (without GUI) only needs 512 MB RAM
Domain controller : controls any user in your domain from your PC [cannot work without DNS]; RUN [dcpromo] : convert to domain controller [no longer works after ser_16]
[tree, forest [group of trees], trust [between two forests]]
// join domain
PC --> Properties --> Change settings --> name: client, domain: networks.local [check that the DNS is the same]