Basics
Last updated
Last updated
Notes from tryhackme, HTB Academy and my practice
"Internal Networks are subnetworks that are segmented and separated based on the importance of the internal device or the importance of the accessibility of its data. The main purpose of the internal network(s) is to share information, faster and easier communications, collaboration tools, operational systems, and network services within an organization. In a corporate network, the network administrators intend to use network segmentation for various reasons, including controlling network traffic, optimizing network performance, and improving security posture."
Source: tryhackme
"A DMZ Network is an edge network that protects and adds an extra security layer to a corporation's internal local-area network from untrusted traffic. A common design for DMZ is a subnetwork that sits between the public internet and internal networks.
Designing a network within the company depends on its requirements and need. For example, suppose a company provides public services such as a website, DNS, FTP, Proxy, VPN, etc. In that case, they may design a DMZ network to isolate and enable access control on the public network traffic, untrusted traffic."
Source: tryhackme
Address to communicate on a network (Layer 3 of OSI model) = routing
| Network class | Network numbers | Network mask | Nb. of networks | No. of hosts per network |
|---|---|---|---|---|
Class A | 10.0.0.0 | 255.0.0.0 | 126 | 12 646 144 |
Class B | 172.16.0.0 to 172.31.0.0 | 255.255.0.0 | 16 383 | 65 024 |
Class C | 192.168.0.0 to 192.168.255.255 | 255.255.255.0 | 2 097 151 | 254 |
Loopback (localhost) | 127.0.0.0 to 127.0.0.7 | 255.255.255.0 |
Media Access Control, Physical address (Layer 2 of OSI model). Useful to know which device is which.
It looks like this 00:1a:3f:f1:4c:c6
Detailed info here
Transmission Control Protocol. It is a connection oriented protocol. http, ftp, etc all utilize this.
TCP uses 3 way handshake
SYN > SYN ACK > ACK : Asking to connect to a port > Port is open > connection occurs
User Datagram protocol. It is a connectionless protocol. Streaming service, voip etc. all utilize this.
Source: TCM Security Academy - Course Practical Ethical Hacking
TCP
FTP = File Transfer protocol
SSH and Telnet: connect to a device remotely ssh is encrypted telnet is not
SMTP, POP3 and IMAP: related to mail protocol
DNS: resolves ip addresses to name
HTTP and HTTPS : websites. HTTPS is encrypted
SMB: file share (aka SAMBA)
UDP
DHCP: will assign IP address
TFTP = trivial FTP
SNMP: Simple Network Management Protocol
| Number | Layer | Examples or use |
|---|---|---|
1 | Physical layer | Data cables |
2 | Data | Switches, MAC Addresses |
3 | Network | IP addresses, routing |
4 | Transport | TCP/UDP |
5 | Session | Session management |
6 | Presentation | WMV, JPEG, MOV |
7 | Application | HTTP, SMTP |
(Mnemonic: Please Do Not Throw Sausage Pizza Away)
Source:TryHackMe
Source:TryHackme
Source: TCM Security Academy - Course Practical Ethical Hacking
IP address - This identifies the host on the network.
Subnet mask - This is used to identify the network on which the host is connected.
Default gateway - This identifies the networking device that the host uses to access the internet or another remote network.
There are two categories of ports, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). TCP is connection-oriented, meaning that a connection between a client and a server must be established before data can be sent. The server must be in a listening state awaiting connection requests from clients. UDP utilizes a connectionless communication model. There is no "handshake" and therefore introduces a certain amount of unreliability since there is no guarantee of data delivery. UDP is useful when error correction/checking is either not needed or is handled by the application itself. UDP is suitable for applications that run time-sensitive tasks since dropping packets is faster than waiting for delayed packets due to retransmission, as is the case with TCP and can significantly affect a real-time system. There are 65,535 TCP ports and 65,535 different UDP ports, each denoted by a number.
| Protocol | TCP/UDP Port | Application(s) | Data Security |
|---|---|---|---|
FTP | 20/21 (TCP) | File Transfer | Cleartext |
SFTP | 22 (TCP) | File Transfer | Encrypted |
SSH | 22 (TCP) | Remote Access and File Transfer | Encrypted |
Telnet | 23 (TCP) | Remote Access | Cleartext |
SMTP | 25 (TCP) | Email (MTA) | Cleartext |
HTTP | 80 (TCP) | Worldwide Web | Cleartext |
POP3 | 110 (TCP) | Email (MDA) | Cleartext |
IMAP | 143 | Email (MDA) | Cleartext |
SNMP | 161 (TCP/UDP) | ||
LDAP | 389 (TCP/UDP) | ||
HTTPS | 443 (TCP) | Worldwide Web | Encrypted |
SMB | 445 (TCP) | ||
SMTPS | 465 | Email (MTA) | Encrypted |
FTPS | 990 | File Transfer | Encrypted |
IMAPS | 993 | Email (MDA) | Encrypted |
POP3S | 995 | Email (MDA) | Encrypted |
RDP | 3398 (TCP) | RDP |
Sometimes when playing with multiple ovpn (I often use htb and thm and do not always reboot my vm) you might end up with 2 tun interface in your ip add
To know which one is the active one you just need to check the routes using ip route the one that has more routes is the one that is the current ovpn connection.
At a high-level, VPN works by routing our connecting device's internet connection through the target VPN's private server instead of our internet service provider (ISP). When connected to a VPN, data originates from the VPN server rather than our computer and will appear to originate from a public IP address other than our own. There are two main types of remote access VPNs: client-based VPN and SSL VPN. SSL VPN uses the web browser as the VPN client. The connection is established between the browser and an SSL VPN gateway can be configured to only allow access to web-based applications such as email and intranet sites, or even the internal network but without the need for the end user to install or use any specialized software. Client-based VPN requires the use of client software to establish the VPN connection. Once connected, the user's host will work mostly as if it were connected directly to the company network and will be able to access any resources (applications, hosts, subnets, etc.) allowed by the server configuration. Some corporate VPNs will provide employees with full access to the internal corporate network, while others will place users on a specific segment reserved for remote workers.
ifconfig or ip add we will see a tun adapter if we successfully connected to the VPN
netstat -rn will show us the networks accessible via the VPN.
ip -4 a show tun0 check tun0 address
ping -c 4 IP.1 (one is the gateway location)
We can not be connected from more than 1 device at the same time
Source Hackthebox Academy
Source HTB Academy course Attacking common services
The concept is based on four categories that occur for each vulnerability. First, we have a Source that performs the specific request to a Process where the vulnerability gets triggered. Each process has a specific set of Privileges with which it is executed. Each process has a task with a specific goal or Destination to either compute new data or forward it. However, the individual and unique specifications under these categories may differ from service to service.
Every task and piece of information follows a specific pattern, a cycle, which we have deliberately made linear. This is because the Destination does not always serve as a Source and is therefore not treated as a source of a new task.
For any task to come into existence at all, it needs an idea, information (Source), a planned process for it (Processes), and a specific goal (Destination) to be achieved. Therefore, the category of Privileges is necessary to control information processing appropriately.
We can generalize Source as a source of information used for the specific task of a process. There are many different ways to pass information to a process.
| Information | Source | Description |
|---|---|---|
Code | This means that the already executed program code results are used as a source of information. These can come from different functions of a program. | |
Libraries | A library is a collection of program resources, including configuration data, documentation, help data, message templates, prebuilt code and subroutines, classes, values, or type specifications. | |
Config | Configurations are usually static or prescribed values that determine how the process processes information. | |
APIs | The application programming interface (API) is mainly used as the interface of programs for retrieving or providing information. | |
User Input | If a program has a function that allows the user to enter specific values used to process the information accordingly, this is the manual entry of information by a person. |
The source is, therefore, the source that is exploited for vulnerabilities. It does not matter which protocol is used because HTTP header injections can be manipulated manually, as can buffer overflows. The source for this can therefore be categorized as Code.
The Process is about processing the information forwarded from the source. These are processed according to the intended task determined by the program code. For each task, the developer specifies how the information is processed. This can occur using classes with different functions, calculations, and loops. The variety of possibilities for this is as diverse as the number of developers in the world. Accordingly, most of the vulnerabilities lie in the program code executed by the process.
| Process | Components | Description |
|---|---|---|
PID | The Process-ID (PID) identifies the process being started or is already running. Running processes have already assigned privileges, and new ones are started accordingly. | |
Input | This refers to the input of information that could be assigned by a user or as a result of a programmed function. | |
Data processing | The hard-coded functions of a program dictate how the information received is processed. | |
Variables | The variables are used as placeholders for information that different functions can further process during the task. | |
Logging | During logging, certain events are documented and, in most cases, stored in a register or a file. This means that certain information remains in the system. |
Privileges are present in any system that controls processes. These serve as a type of permission that determines what tasks and actions can be performed on the system. In simple terms, it can be compared to a bus ticket. If we use a ticket intended for a particular region, we will be able to use the bus, and otherwise, we will not. These privileges (or figuratively speaking, our tickets) can also be used for different means of transport, such as planes, trains, boats, and others. In computer systems, these privileges serve as control and segmentation of actions for which different permissions, controlled by the system, are needed. Therefore, the rights are checked based on this categorization when a process needs to fulfill its task. If the process satisfies these privileges and conditions, the system approves the action requested. We can divide these privileges into the following areas:
| Privileges | Description |
|---|---|
System | These privileges are the highest privileges that can be obtained, which allow any system modification. In Windows, this type of privilege is called SYSTEM, and in Linux, it is called root. |
User | User privileges are permissions that have been assigned to a specific user. For security reasons, separate users are often set up for particular services during the installation of Linux distributions. |
Groups | Groups are a categorization of at least one user who has certain permissions to perform specific actions. |
Policies | Policies determine the execution of application-specific commands, which can also apply to individual or grouped users and their actions. |
Rules | Rules are the permissions to perform actions handled from within the applications themselves. |
Every task has at least one purpose and goal that must be fulfilled. Logically, if any data set changes were missing or not stored or forwarded anywhere, the task would be generally unnecessary. The result of such a task is either stored somewhere or forwarded to another processing point. Therefore we speak here of the Destination where the changes will be made. Such processing points can point either to a local or remote process. Therefore, at the local level, local files or records may be modified by the process or be forwarded to other local services for further use. However, this does not exclude the possibility that the same process could reuse the resulting data too. If the process is completed with the data storage or its forwarding, the cycle leading to the task's completion is closed.
|Destination|Description| |Local|The local area is the system's environment in which the process occurred. Therefore, the results and outcomes of a task are either processed further by a process that includes changes to data sets or storage of the data.| |Network|The network area is mainly a matter of forwarding the results of a process to a remote interface. This can be an IP address and its services or even entire networks. The results of such processes can also influence the route under certain circumstances.|
Source HTB Academy course Attacking common services
Misconfigurations usually happen when a system administrator, technical support, or developer does not correctly configure the security framework of an application, website, desktop, or server leading to dangerous open pathways for unauthorized users.
Default credentials
Weak passwords
No passwords
Anonymous Authentication
Misconfigured access rights
Unnecessary defaults are those settings we need to change to secure a system by reducing its attack surface. It can happen on settings, features, files, credentials, etc.
Sensitive information may include, but is not limited to:
Usernames.
Email Addresses.
Passwords.
DNS records.
IP Addresses.
Source code.
Configuration files.
PII.
There are two key elements to finding sensitive information:
We need to understand the service and how it works.
We need to know what we are looking for.
| SMB | FTP | Databases | |
|---|---|---|---|
smbclient | ftp | Thunderbird | mssql-cli |
CrackMapExec | lftp | Claws | mycli |
SMBMap | ncftp | Geary | mssqlclient.py |
Impacket | filezilla | MailSpring | dbeaver |
psexec.py | crossftp | mutt | MySQL |
smbexec.py | mailutils | SQL Server Management Studio or SSMS | |
sendEmail | |||
swaks | |||
sendmail |
We can lookup the the OUI (3 first octets) to get find out the manufacturer of the device
