Sunday, January 26, 2020

Port scanning types



Ping scan: A ping scan sends an ICMP echo request to the target; if the response is an ICMP echo reply, you know that the target is alive.

TCP half-open (SYN) scan: This is the most common scan type. It is very quick because it does not complete the whole TCP handshake. It sends a packet with the SYN flag set and waits for a SYN-ACK, but does not complete the connection. No connection is established, yet you learn that the target is alive and the port is listening. If you receive a RST packet from the target, the target is alive but the port is not open. If no packet comes back from the target, the target is alive but the port is filtered.

TCP connect scan: Same as the half-open scan, but we also send the final ACK back to the target, completing the handshake. This is slower.

UDP scan: UDP scans are used to detect services such as DNS, SNMP and DHCP servers. First you send a UDP packet. If you receive an ICMP port unreachable error (type 3, code 3), the port is closed. Other ICMP unreachable errors (type 3, code 0, 1, 2, 9, 10 or 13) mean the port is filtered. If a service responds with a UDP packet, the port is open. If there is no response at all, the port is treated as filtered. Communication over UDP is unreliable: it does not establish connections like TCP does, and it has no synchronisation of packets like TCP does. For this reason UDP scans are also very slow.

Stealth scanning – NULL, FIN, X-MAS: These scans try to get some kind of response from the target without going through the handshake process.

FIN scan: A FIN scan sends a FIN packet at the beginning. If a RST is received, the port is closed. If no packet is received at all, the port is open.

X-MAS scan: It sends a TCP packet with the URG, PUSH and FIN flags set. If no packet is received, the port is open; if a RST is received, the port is closed. It is called the Christmas scan because the flags light up the packet like a Christmas tree.

NULL scan: It sends the packet without setting any flag. If there is no response, the port is open; if a RST is received, the port is closed.
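From the defender's side, the scan types above leave recognisable traces: a half-open scan is a source sending bare SYNs to many ports without ever completing a handshake, and NULL, FIN and X-MAS probes use flag combinations that never appear in a normal TCP conversation. The following added example (my code, not from the original post) runs that detection logic over a small constructed set of packet records; the addresses and ports are made up.

```python
import collections

# Constructed sample packets (src_ip, dst_port, tcp_flags) for this example;
# flags use S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG. Not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.5", 22, "S"), ("10.0.0.5", 80, "S"), ("10.0.0.5", 443, "S"),
    ("10.0.0.5", 8080, "S"), ("10.0.0.5", 3306, "S"), ("10.0.0.5", 25, "S"),
    ("10.0.0.9", 80, "S"), ("10.0.0.9", 80, "A"), ("10.0.0.9", 80, "PA"),
    ("10.0.0.7", 139, ""), ("10.0.0.7", 445, "UPF"), ("10.0.0.7", 21, "F"),
]

# Flag combinations that never occur in a legitimate TCP conversation:
# no flags (NULL scan), FIN alone (FIN scan), URG+PSH+FIN (X-MAS scan).
STEALTH_PATTERNS = {"": "NULL", "F": "FIN", "FPU": "XMAS"}


def classify_stealth(flags):
    """Return the stealth scan type for a TCP flag string, or None."""
    return STEALTH_PATTERNS.get("".join(sorted(flags)))


def detect_scans(packets, syn_threshold=5):
    """Summarise scan-like behaviour per source address.

    half_open_ports: a source that sent bare SYNs to at least syn_threshold
    distinct ports and never sent an ACK (a half-open scan leaves every
    handshake incomplete, so no ACK from that source ever appears).
    stealth: counts of NULL/FIN/XMAS probes from that source.
    """
    syn_ports = collections.defaultdict(set)
    acked = set()
    stealth = collections.defaultdict(collections.Counter)
    for src, port, flags in packets:
        kind = classify_stealth(flags)
        if kind:
            stealth[src][kind] += 1
        elif flags == "S":
            syn_ports[src].add(port)
        elif "A" in flags:
            acked.add(src)
    report = {}
    for src, ports in syn_ports.items():
        if len(ports) >= syn_threshold and src not in acked:
            report[src] = {"half_open_ports": len(ports)}
    for src, counts in stealth.items():
        report.setdefault(src, {})["stealth"] = dict(counts)
    return report


if __name__ == "__main__":
    print(detect_scans(SAMPLE_PACKETS))
```

The host that completed a normal handshake (SYN, then ACK) is not reported, while the SYN-only source and the stealth-flag source are.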

Thursday, January 23, 2020

OSI Layers






Application Layer: This layer interacts with the user and prepares data for the next layer. The application layer includes the protocols that support applications. It takes the data and instructions from applications, formats them and passes them down to the next layer.
FTP, HTTP, SMTP, DNS (SSL, TLS)

Presentation Layer: The presentation layer takes the data from the application layer and puts it in a format that all computer systems on the OSI model can understand. This layer is concerned with the syntax and format of data. The presentation layer also handles compression, encoding and encryption.
MPEG, JPEG, SSL

Session Layer: The session layer is responsible for maintaining the connection between two applications.
Session layer protocols control application-to-application communication.
NFS, SQL, RPC(Remote Procedure Call), NetBIOS

Transport Layer: Transport layer protocols handle computer-to-computer communication. This layer is responsible for reliability. The handshaking process happens at the transport layer. Source and destination ports are specified at this layer. The transport layer takes data and segments it, then transfers the segments from source to destination.
TCP, UDP (For CISSP SSL)

Network Layer: The main responsibility of the network layer is to insert information into packet headers.
Segments become packets by adding source and destination IP addresses.
IP, ICMP

Data Link Layer: The data link layer is responsible for transferring data between devices. Packets become frames, which are created for a specific network type, for example Ethernet. Frames carry the physical addresses of the two nodes transferring the data.
(LLC, Logical Link Control, and MAC are sublayers of the data link layer) ARP, Ethernet

Physical Layer: The physical layer is responsible for converting bits into voltage for transmission.
network adapter, repeater, hubs

Wednesday, January 22, 2020

Microservices architecture


What happens when you type google.com?



This is one of the most common and basic questions, and it is actually a nice way of explaining what goes on behind the scenes when we browse the internet. It is not wrong to say that "a lot" is going on when you click google.com or any website, both on the network layer and on the application layer.
Mainly the steps are the DNS lookup phase, then the TLS handshake and then fetching the page.




  1. So in the first step, when you type the name and press enter, you ask your computer to resolve a hostname. The first place checked is the local DNS cache of your client, which stores DNS information the computer has recently retrieved.
  2. If the required record can't be found in the local cache, a query is sent to your ISP's recursive DNS servers. Recursive DNS servers check their own local caches before forwarding the query to the root DNS servers.
  3. If the recursive DNS servers don't have the record in cache, they send the query to the root DNS servers. The 13 root name servers contain pointers for all Top Level Domains (TLDs) such as .com, .net etc. So if we are trying to reach google.com, the query is redirected to the TLD name servers responsible for .com.
  4. TLD DNS servers do not store DNS records for individual domains; instead they keep track of the authoritative name servers for all the domains in their TLD. TLD name servers look at the next part of the query, reading from right to left, then direct the query to the authoritative name servers for google.com.
  5. Authoritative name servers contain all of the DNS records for the given domains, such as host (A) records, which store IP addresses, MX records (which identify name servers for a domain), and so on. In this case we are looking for the IP address of google.com. The recursive server queries the authoritative name servers and asks for the host record for google.com.
  6. The recursive name server gets the host record for google.com from the authoritative name servers and stores this record in its local cache. After this point, when someone asks for the same record, the recursive server can answer by itself.
  7. Finally the recursive server sends the host record back to the client computer. The client computer also stores the record in its cache and passes the IP address to the browser. Now the web server passes the web page to the browser.
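The referral walk in steps 3 to 6 (root, then TLD, then authoritative, with the recursive server caching the answer) can be modelled in a few lines. This is an added example, not code from the original post; the server names and zone contents are constructed, and the answer is a TEST-NET-1 documentation address rather than a real Google address.

```python
# Constructed zone data for this example (not real DNS records). Each server
# answers with ("A", ip) or refers to the next name server with ("NS", host).
# The address is from the TEST-NET-1 documentation range.
SERVERS = {
    "root": {"com.": ("NS", "a.gtld-servers.net.")},
    "a.gtld-servers.net.": {"google.com.": ("NS", "ns1.google.com.")},
    "ns1.google.com.": {"google.com.": ("A", "192.0.2.10")},
}


def ask(server, qname):
    """Simulate one query: the server answers for the longest suffix of the
    name it knows about, which is how root/TLD servers hand out referrals."""
    zone = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


class RecursiveResolver:
    """Minimal model of the ISP's recursive resolver: cache first, then walk
    root -> TLD -> authoritative following referrals (glue lookups omitted)."""

    def __init__(self):
        self.cache = {}
        self.queries = []  # (server, name) pairs, i.e. the trace of the walk

    def resolve(self, qname):
        if qname in self.cache:
            return self.cache[qname]
        server = "root"
        for _ in range(8):  # bound the referral chain
            self.queries.append((server, qname))
            answer = ask(server, qname)
            if answer is None:
                raise LookupError(f"no data for {qname} at {server}")
            rtype, value = answer
            if rtype == "A":
                self.cache[qname] = value  # step 6: store in the local cache
                return value
            server = value  # referral: ask the next name server
        raise LookupError("referral loop")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("google.com."), r.queries)
```

The first lookup records three queries (root, .com TLD, authoritative); a second lookup of the same name is answered from the cache without any new query.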
After this the TLS handshake is done, which is explained in another post.

Then the first HTML file is fetched and HTML parsing is done. Then the linked resources, such as media content, are fetched.




Encoding, encryption, and hashing



Encoding is used for integrity. It ensures the integrity of data when it is transferred through networks and systems. It is not actually a security function; it is easily reversible.

Encryption is used for the confidentiality of data or traffic. It is reversible only if you have the appropriate keys.

Hashing is a one-way operation whose output has a fixed size. Hashing can be used to provide message integrity. It is also used for storing passwords in a database: storing a hashed password is more secure than storing clear text.

WannaCry




WannaCry is crypto ransomware used by cybercriminals to extort money. WannaCry does this by encrypting your valuable files so that you cannot decrypt and read them. WannaCry targets the Windows operating system. It demands a bitcoin payment to decrypt your files.


Sunday, January 19, 2020

ISO standards on vehicle security




ISO/SAE CD 21434
Applicable to road vehicles.
Goal of reasonably secure vehicles and systems.
Automakers and suppliers can use it to show "due diligence".
Focus on automotive cybersecurity engineering.
Risk-oriented approach: risk is used for prioritisation of action.
Analysis of risk factors for methodical elicitation of cybersecurity requirements.
Cybersecurity activities/processes for all phases of the vehicle lifecycle.

SAE J3061:
Cybersecurity Guidebook for Cyber-Physical Vehicle Systems

ISO 26262:
Road vehicles — Functional safety

ISO 27001




ISO 27001 is a standard for implementing an Information Security Management System (ISMS) for a company. An ISMS is a framework to manage information security risks.
The idea behind 27001 is for you to become proactive, not reactive.
There are 14 domains in ISO 27001:

  1. Information security policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Cryptography
  6. Physical and environmental security
  7. Operations security
  8. Communications security
  9. Access control
  10. Information systems acquisition, development and maintenance
  11. Supplier relationships
  12. Information security incident management
  13. Business continuity management
  14. Compliance


What is Cross-Site Request Forgery?




CSRF is when an attacker gets a victim's browser to make requests, ideally (from the attacker's point of view) with the victim's credentials included, without the victim knowing.
The attacker forges a valid request from the user to achieve a malicious action.

A user is tricked (for example by a phishing email) into interacting with a script or page on a third-party site, and this generates a malicious request to the legitimate site. The attacker controls the data or form sent to the valid site.

To fix it, random anti-CSRF tokens must be used.
The origin of the request must be checked.
Two-factor authentication can be enabled.
Ensure cookies are sent with the SameSite cookie attribute.
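The three server-side mitigations listed above (a random per-session token, an Origin/Referer check, and a SameSite session cookie) fit together as shown in this added example. It is my illustration, not code from the original post; the site origin https://example.com and the session dictionary are assumptions standing in for a real framework's session store.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of the legitimate site


def issue_csrf_token(session):
    """Create a random anti-CSRF token and bind it to the server-side session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def session_cookie_header(session_id):
    """Set-Cookie value for the session cookie. SameSite=Lax stops the browser
    attaching it to cross-site POSTs, so a forged form submission arrives
    without the victim's session."""
    return f"sessionid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def origin_allowed(headers):
    """Compare the Origin header (falling back to Referer) with the site origin."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            return False  # a state-changing request must carry one of them
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(session, headers, form):
    """True only when both the origin check and the token check pass."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected:
        return False
    # constant-time comparison so the token cannot be guessed byte by byte
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

A request from another origin, a missing Origin/Referer, or a wrong token is rejected even when the session itself is valid.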


Same origin policy

How does tracert work?




How exactly does traceroute/tracert work at the protocol level?
Traceroute uses TTL values to find the path to the target. It increases the TTL value by one each time, discovering one more hop on the path to the target with each probe.
Windows uses ICMP by default while Linux uses UDP.



TTL:
Time to live (TTL) refers to the amount of time, or number of "hops", that a packet is allowed to exist inside a network before being discarded by a router.

How does PING work?



ICMP is a layer 3 (network layer) protocol; it doesn't work over a port. Ports are on layer 5, which is the session layer. Ping does not use TCP or UDP; they are layer 4 protocols.

DOS Attack Types







Volume-based DDoS attacks
ICMP Flood
UDP Flood
Ping flood

Protocol-based DDoS attacks
Ping of death: Attackers send malicious pings to a server, manipulating the IP protocol.
SYN Flood: The attacker continuously sends a large number of SYN packets to the victim. The victim waits for the ACK packets, but they never come.

Application Layer DDoS attacks:
HTTP Flood

Asymmetric and symmetric algorithms:



Sample symmetric encryption algorithms:
DES, RCx, Blowfish, Rijndael (AES)
Sample asymmetric encryption algorithms:
Diffie-Hellman, RSA, EC, ElGamal, DSA
Common block cipher modes:
ECB (Electronic Codebook) and CBC (Cipher Block Chaining)

Difference between ECB and CBC:
ECB just does a one-to-one lookup for encryption, without using an IV, so identical plaintext blocks always give identical ciphertext blocks; this makes it fairly easy to attack using a chosen-plaintext attack. CBC uses an IV for the first block and then propagates the XOR of the previous ciphertext block onto subsequent ones. The difference in results can be remarkable.

PFS(Perfect Forward Secrecy)




PFS is a feature of specific key agreement protocols that gives assurance that session keys will not be compromised even if the private key is compromised.

There is no one-click way to enable PFS. You have to choose the right cipher suites to achieve PFS: you should make sure Diffie-Hellman is chosen as the key exchange algorithm.
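One way to verify that a server configuration really only offers forward-secret suites is to inspect what the TLS library reports for each enabled cipher. This added example (mine, not from the original post) uses Python's ssl module, which exposes OpenSSL's key-exchange identifier for every suite; the cipher string passed to set_ciphers is an assumed policy, not a recommendation from the post.

```python
import ssl

# Key-exchange identifiers reported by OpenSSL through ssl.SSLContext.get_ciphers():
# kx-ecdhe / kx-dhe are ephemeral Diffie-Hellman (forward secret); kx-rsa encrypts
# the pre-master secret to the server's long-term key (no PFS); TLS 1.3 suites
# report kx-any because TLS 1.3 always uses ephemeral (EC)DHE.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def non_pfs_ciphers(ctx):
    """Names of enabled cipher suites whose key exchange does not give PFS."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KX]


def pfs_only_context():
    """Server context restricted to ephemeral (EC)DHE key exchange for TLS 1.2
    (TLS 1.3 suites are forward secret by design). Assumed policy string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("non-PFS suites in default context:", non_pfs_ciphers(default_ctx))
    print("non-PFS suites in restricted context:", non_pfs_ciphers(pfs_only_context()))
```

With the restricted context the list of non-PFS suites is empty; static RSA key exchange suites (if your OpenSSL build enables them by default) only show up for the unrestricted context.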

TLS Handshake



https://www.youtube.com/watch?v=cuR05y_2Gxc

A client sends a hello message. So what is included in that hello message?
The version number (the protocol, TLS 1.2, 1.3, whatever) and also the cipher suites that the client can support.
The server side should support those. (The server side can be configured to support some suites and not others, because of vulnerabilities.) The server side chooses which cipher suite will be used based on the ones supported by the client.

The server side sends a hello message back to the client along with a certificate including the server's public key. The client can use this public key to encrypt things, and then the server can decrypt them using its private key (asymmetric encryption in place).

The client checks whether it is a valid certificate (whether it is revoked or not).
The server also sends a "hello done" message to the client, and the hello part ends.

At that point, the client creates a "pre-master secret" (something like a session key), encrypts it with the server's public key and sends it to the server (key exchange, Change Cipher Spec). Now both client and server calculate the same symmetric key from the pre-master secret. From that point on, client and server communicate with symmetric encryption using that symmetric key. The client then sends a "Client finished" message to the server.

(RSA, elliptic curve and Diffie-Hellman algorithms may be used in that key exchange process.)


The server sends a "Change Cipher Spec" message, which means "OK, now I am switching from asymmetric encryption to symmetric encryption". This is an advantage for bulk encryption because symmetric encryption is faster.
The server sends a "Server finished" message.
And then the bulk data is encrypted and transferred (AES can be used).

TLS

TLS uses both asymmetric and symmetric encryption. The initial exchange is done using asymmetric encryption, but bulk data encryption requires symmetric encryption.

TLS 1.3 is the current latest version.

SSL itself is also vulnerable to a number of other potential attacks, including BEAST, BREACH, FREAK and Heartbleed.

TLS/SSL Vulnerabilities

POODLE: The SSL 3.0 vulnerability is in Cipher Block Chaining (CBC) mode. Block ciphers require blocks of fixed length. If data in th...