Introduction To Cyber Security

Common types of cyber attacks

Malware

• Blocks access to key components of the network (ransomware)
• Installs malware or additional harmful software
• Covertly obtains information by transmitting data from the hard drive (spyware)
• Disrupts certain components and renders the system inoperable

Phishing

Man-in-the-middle attack

Denial-of-service attack

SQL injection

Zero-day exploit

DNS Tunneling

What is a threat?

What is a vulnerability?

What is risk?

• Financial losses
• Loss of privacy
• Damage to your reputation Rep
• Legal implications
• Even loss of life

• Assess risk and determine needs. When it comes to designing and implementing a risk assessment framework, it is critical to prioritize the most important breaches that need to be addressed. Although frequency may differ in each organization, this level of assessment must be done on a regular, recurring basis.
• Include a total stakeholder perspective. Stakeholders include the business owners as well as employees, customers, and even vendors. All of these players have the potential to negatively impact the organization (potential threats) but at the same time they can be assets in helping to mitigate risk.
• Designate a central group of employees who are responsible for risk management and determine the appropriate funding level for this activity.
• Implement appropriate policies and related controls and ensure that the appropriate end users are informed of any and all changes.
• Monitor and evaluate policy and control effectiveness. The sources of risk are ever-changing, which means your team must be prepared to make any necessary adjustments to the framework. This can also involve incorporating new monitoring tools and techniques.

1. Scareware: These are threats that are actually not threats but they make us believe they are malicious so that we can install specific software to tackle the threat and end up paying for software.
2. Potentially Unwanted Programs(PUPs): These are program that user mostly intentionally downloads or they come bundled with some other apps and can be used to steal info. Antivirus and others software might not detect them as threats since they tend to pose legitimate purpose and hence highly unsecure.
3. Doxing: Making private information public by researching the person and looking into their history, IP address, location, Browser history or any other method to get the information.
4. CryptoCurrency Miners: These miners can be sent through multiple mediums to systems such as mobile and PCs and then these miners use the computation of PC to mine bitcoins and profit from that. Even telegram messages can put in such scripts, even youtube was caught doing this.

1. Australia
2. Canada
3. New Zealand
4. United Kingdom
5. United States of  America

6. Denmark
7. France
8. Netherlands
9. Norway

10. Belgium
11. Germany
12. Italy
13. Spain
14. Sweden

• Encryption consists of 2 parts, algorithm and key.
• Encryption is like  a padlock to lock the data and key is like key to use the padlock.
• Encryptions are 256 bit-AES, 128 bit-AES and legacy (Zip 2.0). The bigger the number infront of these algo, the better is the encryption and better the encryption, slower it gets. So more secure algo will take more time.
• AES (Advanced Encryption Standard) is symmetric algorithm, password becomes the key and higher the bits ie 128 or 256, so 128, 256 etc is called bit rate or key space.
• If you encrypt the files with public key you will need private key for decryption and vice versa.

• If you ServerA sends data to ReceiverA, then ServerA can use the public key of ReceiverA to encrypt the data, and then only receiverA with its own private key will be able to decrypt the files and since only ReceiverA has the private key, only receiverA will be able to decrypt/. This ensures confidentiality but not Authentication since the receiver will send public key to all and so receiver will not know which particular server has encrypted this data since all had the public key of receiver. Using Private key to decrypt data allows confidentiality and privacy since no one else can decrypt the data.
• However, when we use Receiver’s Private key to encrypt the data, this time only specific server will get the private key and no one else will be able to encrypt the data which can be decrypted with public key since only specific server has the private key to encrypt the data.   So in this case although authentication happens of the sender that only serverA can send this encrypted data however since the public key at the receiver end is public, anyone can use that public key to decrypt the data hence confidentiality is compromised.
• Crypto Systems can provide with diff number of securities by combining power of above two. So the data is confidential, Authenticated, NonRepudiational and  Integrity of the data is maintained. PDP is kinda like this.
• Assymetric algos are slower. requires more compute and are highly secure, due to this reason even the numbers infront of these algos are higher ex 1024-bit RSA is equal in strength to 80 bit symmetric keys.
• Asymmetric: better key distribution, Scalability, Authentication and nonrepudiation, slow and mathematically intensive
• symmetric: Fast, Strong
• HTTPS using TLS is example of hybrid systems

• Hash functions and digital signatures allows us to ensure the legitimacy of the keys being sent since a little change in the data will result in a change in the output hash confirming tempered data.
• The returned has strings of the data are fixed length and are called hashed, data digest or digest.
• One way hash function: In this case the output of the hash function ie the digest/hashes cannot be converted back into the original data and this is called one way hash function since the data cannot be obtained using the digest and hence digest will only make sure to ensure data integrity since any change in the original data will change the output hash digest.
• Hash Functions: MD2, MD4, MD5, HAVAL, SHA, SHA-1, SHA-256, SHA-384, SHA-512, Tiger
• MDA is weakest, use sha 256 or sha 512 instead.

• in digital signatures, the sender of the digital signature first uses a hashing algo to create  a hash and then the sender lets say google will encrypt this hash value using its own sender’s private key. Now the encrypted hash value is the digital signature.
• At the receiving end, you will end to receive this digital signature, then use sender’s public key to decrypt the data and get the expected unencrypted hash value. Now this hash value is cross checked for integrity of the certificate and the sender.
• So if we have chrome setup file, then the certificate will ensure that there has been no change in the software after it was published and also it will ensure that the software is actually from the mentioned software publisher.

• SSL is older than TLS and SSL is less secure than TLS so both should not be said together and are different technologies
• TLS can be used is https, VPC and FTP etc
• TLS is most used encryption method on internet
• It provides privacy since it encrypts data and data integrity because it uses message authentication codes (MACs) when communicating between applications.
• TLS creates end to end encryption of the connection between applications
• The connection is encrypted because a symmetric algo such as AES is used to encrypt the data being transferred. The keys are uniquely generated at the start of the session for the connection
• We can enable authentication of the connection between the two parties, this is done using public key cryptography, certificates  and digital signatures.
• If there is a communication going on in TLS 1.2 or lower and the session key being used is compromised, then all the communication happening will be decrypted by that threat. However, TLS 1.3 uses Diffie-Holman (DHE-RSA (forward secrecy)) which has forward secrecy and this forward secrecy enables the connection to be encrypted with a new unique for all the sessions so if a key is compromised in one session, since this would be a short term key(temp key), the next session will implement new session and so connection is more secure.
• SSL 1-> SSL3.0->TLS 1.0 ->TLS2.0 ->TLS 3.0
• Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols.
• Each protocol and version has vulnerabilities to different attacks hence always be on update system and browser, and try to connect to servers offering higer TLS version (TLS 2 or 3)

• In SSL stripping, a the attacker acts as a proxy between the actual server and you which were connected through https. This attacker changes https to http connection. 
• Basically when we request fb.com, an http request goes to the server. Lets assume the attacker is between our browser and the server. So the request goes from our browser to the server as http, this time the attacker in between just passes this request to the server. The server then responds as https connection but the connection is established for https was actually established by the server and the attacker, So all the request from the browser goes through attacker to the  server owning a website. And then when the website responds, this info is first received by the attacker in the middle. now attacker can choose to manipulate or copy this data before sending that data to us on our browser. This is SSL stripping, a kind of man in the middle attack. if this is happening, the client ie us, we will observe the connection to be http instead of https since it is being stripped in the middle. To avoid this use VPNs.
• These type of attacks are generally when we use public wifi since there are people in the middle managing the network.
• ARP Poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP to MAC address table. ARP Protocol translates IP addresses into MAC addresses. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. … Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. So basically the packets that were coming in for a my pc are now being sent to this ARP attacker because the router thinks that the attackers MAC address is the real mac address and hence will map the requests to the attacker  MAC address so basically your public IP is now owned by the attacker.
• To avoid this use tunneling such as SSH, or use VPN which uses IPSec or any end to end encryption.

• X.509 is a standard that defines the format of public key certificates
• Digital Signature basically approves the public key and the certificate being used in the https connection are valid and original.
• Digital Signature is a hash value that has been encrypted (the issue private key)
• The RSA public key that is provided by the CA is first used to decrypt the digital signature and obtain the unencrypted hash value
• digital certificate with SSL not clear

• ServerA ex: google.com will have 2 keys, one public and one private. ServerA which owns the website being requested will send its public key to us but we need proof that the server than has sent this public key is actually that server.
• For verifying the public key of the server, we need SSL certificates. Basically the server will reach out to a CA lets say digicert to sign its public key and give a SSL certificate for the same. So after verification using email/DNS method, a certificate is given by the CA authority that the presented public key is indeed of google.
• The SSL certificate is basically the public key being changed to its hash. Now this hash is encrypted by CA’s own private key and since our browser has the CA’s public key, our browser will be able to decrypt the SSL certificate using CA’s public which is prestored on browsers.
• After decrypting the SSL certificate, browser will obtain our hash to verify the integrity and also will get the expected public key.
• Now our own browser and computer will have a pair of symmetric keys that will be used for communication. But our own key is very private and so we use the server’s public key recieved to encrypt customer’s key and send this encrypted customer’s key to the server. Now since server has its onw private key, the server will use the private key to decrypt the customer’s public key and now use customer’s public key to encrypt the data and send.
• https://www.youtube.com/watch?v=33VYnE7Bzpk&ab_channel=SunnyClassroom
• These Ca’s can issue certificate for google which might not actually be google.com and this has happend with Symantec in 2015 causing is t sell to digicert in 2018 due to mistrust by google and mozilla.
• Certificate pinning is a process in which we pin specific certificate’s public key and any other public key presented ie any new certificate if given, is shown not secured. used in banking sites.
• one solution is to use a VPN since that will route the traffic out of the scope of compromised network and the man in the middle is skipped. So if someone was earlier giving a fake certificate, this time they wont be encountered.
• The best way here is to use end to end encryption. In that case everyone’s traffic looks same in transit and hence gives high security such as Signal app.

• IN steganography, the message is hidden in some other form not visible to eyes. Such  as a hidden message in a Dog’s pic.
• The agent that carries the message is called carrier. A carrier can be  a pic, or audio or video anything.
• the data in not encrypted but just hidden, they do this by comparing the new message with old message.
• If we do use these agents for hidden messages, then we cannot upload these message were they are compressed since that will cause loss of message. Rather send by email to avoid compression.
• Some tools use steganography with encryption, which is better. Openpuff is used for creating such messages on windows.
• in OpenPuff, we can use decoy password to show fake results instead of actual text.

• Every hardware has a hardware identifier number that can be traced to the actual hardware on the network such as 08:00:27:2e:5b:59
• MAC address is one of these unique number which can be used to trace back our hardware, So MAC should be kept safe
• aa:bb:cc:dd:ee:ff    -> aa:bb:cc  => this part gives the Identity of the manufacturer, so apple laptop will have ID of apple. However,  the last 3 dd:ee:ff will be the unique identifier of your device. These last 3 digts are imp of keep safe.
• We can use MacChanger to change the mac address of our device and save our identity.

• Isolation is a technique through which we ensure that our actual details such as MAc add, motherboard/HDD serial number etc remains undisclosed to adversaries
• There are be hardware and software based isolation
• We can use software isolation by installing software which changes our Mac Address ie physical address
• Id hardware serial number is compromised, then it is a big issue since we can change everything else but if someone knows the hardcoded device serial numbers, then he will always be able to track back to your device.
• however, there are tools to change these hardware IDs
• A better solution is to use the virtual machines since they can spoof  these serial numbers.
• Sandboxing is an excellent isolation technique. Basically you can use an onprem or cloud based app to lunch files/softwares in a sandbox env. This will allow your file to work as expected and after you delete the sandbox, no risk reaches your system from the sandbox.
• Mac has an inbuilt sand box called SeatBelt. It was introduced in 2006. For using seatbelt, you will have to create a configuration file for the apps that are to be run. These configuration files will mention all the things that are permissible by the app to do.

• Kill : Ctrl + C
• Stop / Suspended: Ctrl + Z (this doesnt kill but just suspendes the process, this can be brought to front ground and resumed again). Use ‘Fg 1’ command to bring it to foreground.
• Tab: to autocomplete the commands
• Cut the line : Ctrl + K
• Paste the Link : Ctrl + Y
• Cursor to End : Ctrl+e
• Cursor to Begining : Ctrl + a

• / is the ‘root’ directory from where all the rest of the directories span out. Below / ‘root’ comes :
  • ‘/bin‘ : this contains all the programs that we execute from commands such as bash, cat, grep,echo etc ie all the linux commands since they are actually just programs
  • /etc: file folder contains all the configurations that we set such as ssh configurations. So to make changes in someone’s ssh configuration, get to this folder/directory to do it.
  • /home : this contains all the users and user related information
  • /sbin: this directory also contains binaries but these are system binaries and usually making changes to these requires root priviledges and the files that reside here are generally used to configure/make changes to the system/OS.
  • /temp: contains temporary files and folders, we can dump data here and later on come here and delete these files
  • /root: This is the ‘root home’ directory inside ‘/’ ie main directory.  This is home for the root user since root does not have folder inside ‘/home’ and only if you have root access you will be able to access ‘/root’ inside ‘/’.
• mkdir -p  :  Use mkdir -p /tmp/folder1/folder2/folder3, this will make 3 folders one inside another so we dont have to execute mkdir 3 times, this is advantage of using ‘-p’ option which refers to parent.
• ls -al: -a means to show hidden and ‘l’ is for long listing
• cp -r [files] [destination]: This is paste all the files from [files] to [destination] with the directories since -r is being used for recursive copying.
• cp -i : this will prompt if files are being overwritten otherwise it doesnt ask. -i means interactive.
• mv [source] [destination]: Since linux doesnt have command to renames a folder, we use move ie mv command.
• rm -rf : remove files recursively and forcefully
• apt-cashe Search: to search for specific package
• apt-cashe show: shows information about the package
• apt-get install: install package
• apt-get remove : removes the package
• dpkg -l : list all the packages installed on server
• apt autoremove: removes any installed/broken packages
• tar c: tar is archive tool. tar c is used to create archive
• tar r: append to archive
• tar t : list contents of archive
• tar x : extract archive
• tar v : verbose
• tar f file : file to use
• tar cf backup.tac * : this will create an archive names backup.tar from all the files in current directory
• netstat -antp: -a is for all results, -n is to use numerical address, -t is for tcp and -p is for name of program. This command will fetch you all the pragrams running on your machine and communicating with diff IPs
• cat /etc/passwd: see a list if users
• cat /etc/shadow: see encrypted passwords
• w: show who is logged in and what they’re doing
• adduser tom:  adds a user by the name tom along with home directory for tom. All while creating user, a group by the same name is created. So when we use this command , 3 entities are created, one is the user, then the group and the user’s home folder inside /home dir.
  userdel tom : deletes user by the name tom
• useradd tom: doesn’t create home dir for tom only the user and group is created
• addgroup cats: creates a new group cat
• delgroup cats: deletes group

• + : add permissions
• – : remove permissions
• = : make this the only permission
• u : user
• g : group
• o : other
• a : all
• chmod ugoa  + – =  rwx  filename: this is syntac of chmod which used to give permissions to users and make file executable. ugoa part decides user/group, +-= decides permissions conditions and rwx is permissions to be given.
• chmod u+x file1 : make file1 executable for owner
• chmod a+rw file1: means makes file1 open to all [a] add permissions [+] of read [r] and write [w].

• ps: list of process
• ps -f : list process with full formatting
• ps -e : list all process
• kill [pid] : kills process whose pid you mentioned.
• command & : run command in backgroud
• jobs: lit of jobs running in background
• fg [n] foreground job number [n]
• ctrl + d: detach from shell and run in background. so even though if you close the teminal, the process will still be running in the background.
• nohup command & : run command in background even if sessions/shell is terminated

• Reverse shell is solution to the issue with bind shell, it actually starts the shell connection from the attacked device so that firewall would think it is genuine since it was the device that started the connection.
• instead of netcat listening on port on attacked machine, a shell connection was established from attacked device to attacker.

• Some websites allows to enter some commands and hit enter such as check of pings or convert a file into something. We can send a command and see if it accepts commands other than the one it is meant to return resutls.

• Usually after using the exploit on a particular service, even though Nessus shows a service vulnerable and exploitable, the exploit doesnt work. It shows “Exploit completed but no session was created”. this happens since our payload might have failed. So in such case, after selecting the exploit, choose “show payloads”, and from the option, we can choose a simple one such as “cmd/unix/reverse”.
• “cmd/unix/reverse” usually works well and is able to create a sessions when the exploit completes. This uses reverse shell binding as explained above which is not blocked by firewalls since in case of reverse shell, the shell connection is started from the attacked machine to the attacker machine.
   
• Make command ‘$ set payload “cmd/unix/reverse” ‘, now if you show options of the exploits, this time configurable option would be different since we are using a different payload.
• Once this new payload is selected, this time after configuring the exploit when you ‘run’, a connection will be established after exploit completes.

• After exploit works and gives us the reverse shell, there are certain post exploit activities that needs to be done.
   
• We can start with priviledge escalation by trying to hack into other roles and users on that system
• or we can run service scan and this scan will give us service running localy also since from outside local running service is not shown. Now one by one scan/search for packages and find vulnerable once or maybe the once which can be made public and exploit it.
• we can exploit python package to create a reverse session with our kali machine