· 6 years ago · Feb 18, 2020, 11:46 AM
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IoT Architecture
5 layers

1. Application Layer
2. Middleware Layer
3. Internet Layer
4. Access Gateway Layer
5. Edge Technology Layer

Application Layer: responsible for data delivery to the user. The user interface used to control, manage and command the IoT device works at this layer.
Middleware Layer: device and information management.
Internet Layer: for endpoint connectivity.
Access Gateway Layer: responsible for protocol translation and messaging.
Edge Technology Layer: covers the IoT-capable devices themselves.

IoT Technologies and Protocols
3 groups
 wired communications {{
 ::: Ethernet
 ::: Multimedia over Coax Alliance (MoCA)
 ::: Power Line Communication (PLC)
 }}

 wireless communications {{
 [[[ Short Range ]]]
 ::: Bluetooth Low Energy (BLE)
 ::: Light Fidelity (Li-Fi)
 ::: Near Field Communication (NFC)
 ::: Radio Frequency Identification (RFID)
 ::: WiFi
 [[[ Medium Range ]]]
 ::: HaLow
 ::: LTE-Advanced
 [[[ Long Range ]]]
 ::: Low-Power Wide Area Networking (LPWAN)
 ::: Very Small Aperture Terminal (VSAT)
 ::: Cellular Network
 }}
 OS {{
 ::: RIOT OS
 ::: ARM mbed OS
 ::: RealSense OS X
 ::: Ubuntu Core
 ::: Integrity RTOS
 }}

IoT Communication Models
1. Device to Device Model
 most basic model
 2 devices communicate with each other directly, without involving any other device.
 eg. wireless printer connected to a phone: the phone can directly send print commands to the printer
 smart TV wireless display directly connected to a laptop
 smart watch directly connected to a phone
 Bluetooth, NFC and RFID are typical device-to-device technologies

2. Device to Cloud Model
[[img ref.]]
 the device is connected to an application server
 eg. a home with multiple sensors for security purposes, such as a motion detector, camera, temperature sensor etc.
 these sensors are directly connected to the application server, which is hosted either locally or in the cloud.
 the application server is responsible for communication between these sensors/devices

3. Device to Gateway Model
[[img ref.]]

 similar to device to cloud
 just a gateway is added in between
 the gateway collects the data from all the sensors and then sends it to the remote application server.
 gives you a consolidated point to inspect and control the data that is being transmitted.
 the gateway provides security and other functionality such as data translation or protocol translation.

4. Back End Data Sharing Model
[[ ref.image]]
 an advanced model
 used in a collective partnership between different application providers.
 this model extends the device to cloud model to a scalable scenario where the sensors are accessed and controlled by multiple authorized third parties.

IoT Attacks
challenges to IoT
it brings ease and mobility, but also:
1. Lack of Security
2. Vulnerable Interfaces
3. Physical Security Risk
4. Lack of Vendor Support
5. Difficult to update firmware and OS
6. Interoperability issues

https://owasp.org/www-project-internet-of-things/
[[ ref image OWASP TOP10 IoT ]]

Attack Areas
device memory containing credentials
access control
firmware extraction
privilege escalation
resetting to an insecure state
removal of storage media
web attacks
firmware attacks
network service attacks
unencrypted local data storage
CIA (confidentiality, integrity, availability) issues
cloud computing attacks
malicious updates
insecure APIs
mobile app threats

Attack Methods
1. DoS / DDoS :- flooding the device with requests
2. Rolling Code Attack : aka code hopping. The attacker captures the code, sequence or signal coming from the transmitter device while simultaneously blocking the receiver from receiving the signal.
 the captured code is used later on to gain unauthorized access
 example : the victim wants to unlock a car; central locking of cars works on radio signals. An attacker can use a signal jammer to prevent the car from receiving the signals and simultaneously capture the signals sent by the owner.
 later on the attacker can replay this to open the car.
3. BlueBorne Attack: exploits Bluetooth vulnerabilities.
4. Backdoor : deploying a backdoor on a system connected to the corporate or internal network, then accessing the internal network to control the connected IoT devices.

some IoT search engines
http://www.thingful.net/
https://censys.io/
https://www.shodan.io/


Countermeasures
1. firmware update
2. disable telnet
3. block unnecessary ports
4. encrypted communication
5. strong password
6. secure password recovery
7. 2 Factor Authentication
8. periodic assessment of devices
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

==========================CLOUD COMPUTING======================
THE TARGET OF AN ETHICAL HACKER COULD BE HOSTED ON THE CLOUD; THAT'S WHY CLOUD COMPUTING IS ADDED TO THE CEH MODULES
IN THIS MODULE WE ARE NOT GOING TO ATTACK CLOUD COMPUTING, WE JUST GIVE AN OVERVIEW OF CLOUD COMPUTING

==> Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.

-->CLOUD COMPUTING TYPES (SERVICE MODELS):-

 ~Infrastructure-as-a-Service (IaaS)
 AMAZON EC2, GOGRID, WINDOWS SKYDRIVE, ETC

 ~Platform-as-a-Service (PaaS)
 Google App Engine, Microsoft Azure, etc

 ~Software-as-a-Service (SaaS)
 Google Docs, Salesforce CRM, etc
 {REF. TO IMG cloud computing types}


-->CLOUD COMPUTING MODELS (DEPLOYMENT MODELS):-
 {REF. TO IMG}

-->AWS VPC (VIRTUAL PRIVATE CLOUD):-
 TERMS:-
 ~REGION
 ~VPC
 ~INSTANCE

-->CLOUD COMPUTING PROVIDERS
 COMMON FEATURES:-
 ~HOURLY PAY-AS-YOU-GO
 ~MANAGEMENT API
 ~WEB MGMT. INTERFACE
 ~AUTO-SCALING
 ~IMAGING

 PROVIDERS:-
 #AMAZON WEB SERVICES (AWS)
 #MICROSOFT AZURE
 #GOOGLE COMPUTE ENGINE
 #IBM CLOUD
 #DIGITAL OCEAN
 #VMWARE VCLOUD

-->DETECTION
 # dig SOA <Domain>
 (the name servers in the SOA record often reveal which provider hosts the domain)
-->Instances and VPC security
 Security rules can be applied at several places in an AWS VPC:-
VPC {ref. to img}
Load Balancers {ref. to img}
EC2 (Elastic Compute Cloud) Instances {ref. to img}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IDS
intrusion detection system
>analyzes network traffic to discover intruders
>monitors the activity of users and the systems
>flags abnormal activity

3 kinds of IDS :
1. NIDS : network intrusion detection system
 it parses network traffic
 it is mostly installed in the same subnet as the firewall
 it matches traffic to known attack methods
 should alert the admin when a possible attack is recognized
2. NNIDS : network node IDS
 it parses the network traffic, similar to NIDS
 but it only monitors a single host's traffic, not the entire subnet
 the concept is the same as NIDS, just with a different focus
3. HIDS : host IDS
 designed to discover changes to the file system - focus on the file system and not on network traffic
 a snapshot is taken of the file system
 when run, a new snapshot is taken and compared to the original
 HIDS is typically used on systems in which config files are rarely changed : looks for suspicious changes to executable files, binaries and file systems

What does IDS software look for ?
> scans for open ports : to determine which port may have a vulnerability
> probes from the same remote hosts
> repeated login attempts : looks for suspicious login attempts
> missing or truncated logs : in case someone is trying to cover their tracks
> new files or commands on the system : indicating someone has compromised the system or planted a backdoor
> missing files
> system performance lagging
> unusual log file entries : in case there is an increase in them

Firewalls
hardware based : faster solution ..... devices that only have one function, i.e. firewall ... no flexibility - plugged somewhere in between in the network
software based : installed on host systems
log attempts to access a network or a host
can filter by any info. in the network packet header
some also filter by packet content : encapsulation and decapsulation

 types :
packet filtering : examines packet contents

circuit level : does not examine contents

stateful inspection :
 examines each packet
 remembers packets that are related to an established connection
 may impact performance
 example :
 it is going to block an ACK packet if no SYN packet was sent to initiate the connection.

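The stateful-inspection example above (block an ACK when no SYN opened the connection), as an added illustration written for these notes and not code from any firewall product. The packets are constructed inline; a plain packet filter that only looks at headers would let the stray ACK through as long as port 80 is permitted, while the state table below drops it.

```python
"""Toy stateful inspection filter (added example for these notes; not code
from any firewall product). It tracks TCP connections that began with a SYN
and drops packets, such as a bare ACK, that belong to no known connection."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]      # (initiator ip, port, responder ip, port)
Packet = Dict[str, Any]               # constructed packets: src, sport, dst, dport, flags


@dataclass
class StatefulFilter:
    table: Dict[Flow, str] = field(default_factory=dict)   # flow -> handshake state
    log: List[str] = field(default_factory=list)

    def _lookup(self, p: Packet) -> Optional[Flow]:
        """Find the connection a packet belongs to, in either direction."""
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.table:
            return fwd
        if rev in self.table:
            return rev
        return None

    def _deny(self, p: Packet, why: str) -> str:
        self.log.append(f"DROP {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}: {why}")
        return "DROP"

    def filter(self, p: Packet) -> str:
        flags = set(p["flags"])
        if flags == {"SYN"}:
            # A new connection attempt: remember it, then let the SYN through.
            self.table[(p["src"], p["sport"], p["dst"], p["dport"])] = "SYN_SENT"
            return "ALLOW"
        key = self._lookup(p)
        if key is None:
            return self._deny(p, "no SYN seen for this connection")
        state = self.table[key]
        if "RST" in flags or "FIN" in flags:
            del self.table[key]          # connection closed; later packets need a new SYN
            return "ALLOW"
        if flags == {"SYN", "ACK"} and state == "SYN_SENT":
            self.table[key] = "SYN_RECV"
            return "ALLOW"
        if "ACK" in flags and state in ("SYN_RECV", "ESTABLISHED"):
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        return self._deny(p, f"flags {sorted(flags)} not valid in state {state}")


def _pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": list(flags)}


def demo() -> List[str]:
    """Constructed traffic: a full handshake, a stray ACK from an unknown host,
    a FIN, then data arriving after the connection was closed."""
    fw = StatefulFilter()
    client, server = "10.0.0.5", "10.0.0.1"
    packets = [
        _pkt(client, 40001, server, 80, "SYN"),
        _pkt(server, 80, client, 40001, "SYN", "ACK"),
        _pkt(client, 40001, server, 80, "ACK"),
        _pkt(client, 40001, server, 80, "ACK", "PSH"),
        _pkt("203.0.113.9", 5555, server, 80, "ACK"),   # no SYN ever seen from this host
        _pkt(client, 40001, server, 80, "FIN", "ACK"),
        _pkt(client, 40001, server, 80, "ACK", "PSH"),  # after the close: dropped
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The table lookup tries both directions of the 4-tuple so the server's SYN/ACK is recognised as part of the client's connection; the performance cost the notes mention is exactly this per-packet table maintenance.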
honey pot : a trap for someone who is trying to hack into your system
designed to create extensive logs of interactions; intentionally vulnerable, allowing the hacker to compromise it
has no access to other systems or data
standalone machine / separate system
confuse hackers - hacking the hackers [pentbox demo ]
honeynet - network of honeypots - provides multiple targets.
used to :
 record login attempts
 free up resources on the live system
 limit exposure to sensitive data
 confuse/discourage attackers




Firewall Tools :
hardware based / software based
hardware based: a specific type of hardware designed to perform a specific task - physical machines - over time no flexibility

eg. firewalls :
 pfSense - software based
 Fortinet FortiGate
 Cisco ASA
 WatchGuard XTM
 Juniper SRX
 Check Point VSX
 Sophos UTM
 Cyberoam UTM

honeypot tools :
 purpose

HoneyBOT - Windows based honeypot - simulates network ports - includes IDS
LaBrea - acts as a tar pit - multiple platforms
Google Hack Honeypot - multiple platforms
Kojoney - simulates an SSH server - written in Python - multiple platforms
Conpot - multiple platforms - complete protocol stack - wide-ranging honeypot - Python based


IDS tools :
identify your security needs!
purpose of the IDS!
network based or host based [have great overhead]

Cisco Secure IDS - network based IDS -- can terminate connections automatically
Snort - host IDS - very flexible
AIDE - host based - file and directory integrity checker
OSSEC - HIDS - for Unix
Check Point - provides several IDS tools

Snort - IDS
an IDS works similarly to antivirus (AV) software on your desktop; it attempts to identify malicious software on your network and warns you of its presence.
installation !!
Snort, created by Martin Roesch in 1999
became so popular that the networking giant Cisco purchased it in 2014


ubuntu - machine 1
kali - machine 2 - attacking machine

ubuntu
sudo gedit /etc/snort/snort.conf
gedit opens a graphical text editor
can simply view it with cat or edit it using vim as well
 this file contains the configuration of Snort
======================================================================================================================================================================================


SNORT
installation
apt-get install snort
in case of error
need to add the repo first
open the /etc/apt/sources.list file

repo links you can find here : [ https://www.kali.org/docs/general-use/kali-linux-sources-list-repositories/ ]

deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib

after updating the file --> save the file
apt-get update -y
apt-get install snort -y
the installer will ask for the home network address range; find your IP with ifconfig and enter the range in CIDR form, e.g. as a /16

snort -V
to check the installed version

touch /etc/snort/rules/custom.rules
creating a custom rules file

/etc/snort/snort.conf
the default config of Snort is here -- to change it use vi or gedit

add this line in the snort.conf file

include $RULE_PATH/custom.rules
for logging
create a log folder
mkdir log
snort -l ./log -b -c /etc/snort/snort.conf
-l to give the log dir
-c to use this config file (which includes the rule files)
-b log packets in tcpdump (binary) format

this will compare live traffic with the rule set based upon your config.
you can check the ./log dir for the alert file and log file

explaining a sample rule

alert tcp any 21 -> 192.168.134.23 8080 (msg: )
-----------------------------------------------------------------------------------
action | protocol | source ip | src port | direction | dst ip | dst port | (rule options)
 <> for bidirectional
action: {

alert - generate an alert using the selected alert method, and then log the packet

log - log the packet

pass - ignore the packet

drop - block and log the packet

reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.

sdrop - block the packet but do not log it.
} read more at :::::::::::::::::::: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

protocol: {
1. udp
2. tcp
3. icmp }

direction {
->
<> }

rule options: { separated by ;
msg: " "
logto: " "
ttl: " "
tos:
id
ipoptions
fragbits
dsize:
icmp_id
icmp_seq
offset
depth
nocase
session
rpc
react
resp
ack
seq
itype
icode }

snort -A console -q -u snort -c /etc/snort/snort.conf -i eth0
-A console print alerts to the console, -q quiet (no banner/stats), -u snort run as the snort user, -i eth0 interface to listen on

alert icmp any any -> any any (msg: "this is a demo msg"; sid: 10099921)



service apache2 status
service apache2 start (apache listens on the default port 80)


gedit icmp.rules
un-comment the first rule line
and check by pinging the machine

uncomment the second rule line and check by opening the web page in a browser



IDS --- sees the traffic -- fires an alert -- but cannot prevent
IDS -- receives a copy of the data -- does not sit in line with the connection (an IPS sits inline, so it can drop traffic)

IPS filters on 2 methods
signature detection -- database of signatures of malicious packets
anomaly detection -- set a baseline (example: we have on average 50 TCP connections) -- clipping point (let's say 3x the baseline, i.e. 150 TCP connections) -- beyond that (i.e. >150 TCP connections) it generates an alert ---> this is an example of a statistical anomaly
 -- otherwise anomalies can be defined by how standard protocols work ... if anything deviates from their standard behaviour then generate an alert (protocol anomaly)

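The two IPS filtering methods just described (signature match against a database, and the statistical baseline with a 3x clipping point) as an added example for these notes, not code from Snort or any IPS product. The signature database, the training counts and the packet payloads are all constructed; note that a window sitting exactly on the clipping point is not reported, matching the ">" in the notes.

```python
"""Signature detection and statistical anomaly detection over constructed
sample data. Added example for these notes; not code from any IPS product."""
import re
from statistics import mean
from typing import Dict, List, Tuple

# Constructed signature database: name -> pattern searched for in the payload.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "oversized-user-agent": re.compile(rb"User-Agent: [^\r\n]{512,}"),
}


def signature_alerts(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (packet id, signature name) for every packet that matches."""
    hits = []
    for pkt_id, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((pkt_id, name))
    return hits


def learn_baseline(training_counts: List[int]) -> float:
    """Average connections per window over a period known to be normal."""
    return float(mean(training_counts))


def clipping_point(baseline: float, factor: float = 3.0) -> float:
    """3x the baseline by default, as in the notes' example (50 -> 150)."""
    return baseline * factor


def anomaly_alerts(windows: Dict[str, int], baseline: float, factor: float = 3.0) -> List[str]:
    """Alert on windows strictly above the clipping point; a window exactly at
    the clipping point is not reported, matching the '>' in the notes."""
    limit = clipping_point(baseline, factor)
    return [
        f"{label}: {n} tcp connections exceeds clipping point {limit:.0f} (baseline {baseline:.0f})"
        for label, n in windows.items()
        if n > limit
    ]


# Constructed data: connections per minute on a quiet day, then a busy period.
TRAINING = [48, 52, 50, 49, 51]
OBSERVED = {"10:00": 55, "10:01": 149, "10:02": 150, "10:03": 151, "10:04": 420}
PACKETS = [
    ("pkt-1", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("pkt-2", b"GET /images/../../config.ini HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("pkt-3", b"GET / HTTP/1.1\r\nUser-Agent: " + b"A" * 600 + b"\r\n\r\n"),
]


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for line in anomaly_alerts(OBSERVED, base):
        print("ANOMALY", line)
    for pkt_id, sig in signature_alerts(PACKETS):
        print("SIGNATURE", pkt_id, sig)
```

The baseline should be learned from traffic you know to be normal; if the training window already contains an attack, the clipping point is inflated and the anomaly check goes blind, which is why signature and anomaly detection are usually run together.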
==========================================
other configuration -
ipvar HOME_NET 192.168.1.0/24
 you have to give your LAN IP range here
ipvar EXTERNAL_NET !$HOME_NET
! for not - $ for variable: the inverse of home net
anything other than home net is my external net

var RULE_PATH /etc/snort/rules
this is the path of the directory in which the rule files are kept

scroll down and you can see the list of rules
some are commented out, some are in place by default

you can select any rule, go into the path, open the file and see what kind of traffic policy rules are in place
example:
include $RULE_PATH/ftp.rules

cat /etc/snort/rules/ftp.rules
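The rule layout explained in the sample-rule section (action, protocol, source, port, direction, destination, port, ";"-separated options) together with the $HOME_NET / $EXTERNAL_NET variables from snort.conf, as a small parser and matcher. This is an added example written for these notes, not Snort's own code; the VARS dictionary is a constructed stand-in for the ipvar lines above, and only the header fields plus simple option forms are handled.

```python
"""Minimal Snort-style rule parser and matcher (added example; not Snort code)."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}   # the actions listed above
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed equivalent of the ipvar lines shown for snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def _split_options(body: str) -> List[str]:
    """Split on ';' but not inside quotes, so msg:"a; b" stays one option."""
    parts: List[str] = []
    current: List[str] = []
    in_quote = False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text: str) -> Dict[str, Any]:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule: Dict[str, Any] = m.groupdict()
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {rule['proto']!r}")
    options: Dict[str, Any] = {}
    for item in _split_options(rule.pop("opts")):
        if ":" in item:
            key, val = item.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
        else:
            options[item] = True           # bare keyword such as nocase
    rule["options"] = options
    return rule


def load_rules(text: str) -> List[Dict[str, Any]]:
    """Parse a rules file body, skipping blank lines and commented-out rules."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def expand(spec: str, variables: Dict[str, str] = VARS) -> str:
    """Resolve $VAR references, keeping a leading '!' (negation)."""
    if spec.startswith("!"):
        return "!" + expand(spec[1:], variables)
    if spec.startswith("$"):
        return expand(variables[spec[1:]], variables)
    return spec


def _ip_ok(spec: str, ip: str) -> bool:
    spec = expand(spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _ip_ok(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:                       # icmp packets carry no ports
        return False
    if spec.startswith("!"):
        return not _port_ok(spec[1:], port)
    if ":" in spec:                        # range such as 1024:65535 or :1023
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def matches(rule: Dict[str, Any], pkt: Dict[str, Any]) -> bool:
    """Does the rule header match a packet dict (proto, src, sport, dst, dport)?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(a: str, ap: Optional[int], b: str, bp: Optional[int]) -> bool:
        return (_ip_ok(rule["src"], a) and _port_ok(rule["sport"], ap)
                and _ip_ok(rule["dst"], b) and _port_ok(rule["dport"], bp))

    forward = one_way(pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    if rule["dir"] == "->":
        return forward
    return forward or one_way(pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
```

Feeding the two rules from the notes through parse_rule shows the header split the annotation line describes, and matches() shows why "->" and "<>" differ: the FTP-to-8080 rule fires for a packet from port 21 to 192.168.134.23:8080 but not for the reply, unless the direction is changed to "<>".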


honeypot - pentbox
--------------------------------------------------------------------------------------
wget http://downloads.sourceforge.net/project/pentbox18realised/pentbox-1.8.tar.gz
tar xvfz pentbox-1.8.tar.gz ----- to extract
cd into the pentbox dir created
./pentbox.rb
2 --> network tools
3 --> honeypot
1 or 2

https://github.com/paralax/awesome-honeypots
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

sniffing................
sniffing aka wiretapping

the act of secretly listening to other people's conversations, extending the definition to computers and networks

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools

sniffing can be done through hardware or software

hardware when sniffing very high speed networks, e.g. 10Gbps

kinds of info we can gather through sniffing
*usernames
*passwords
*replay (captured traffic)
*chat
*watch someone surf a website
*ftp/telnet


attack types
passive sniffing

hub : network device that shares a broadcast domain (every frame reaches every port)

tap: hardware that sits inline with the communication media and replicates the bits on the wire
hosts are not aware of this

[ref hub image ]


active sniffing
in layer 2 networks
[ref switch image ]

switched network : by default you cannot receive other hosts' data on a switch

manipulate the switch to get a copy

the attacker poisons protocols to redirect traffic
attacks that can be done against switched networks
MITM techniques
{{

*MAC flood
*MAC duplication
*ARP spoof
*DHCP starvation

}}

Promiscuous mode tells the NIC to not discard frames
by default when the NIC receives a layer 2 frame it reads the destination MAC address; if the destination MAC is not yours the frame is discarded


Protocols that provide usernames and passwords in cleartext

Telnet
POP
SMTP
FTP
HTTP
IMAP

Hence encryption is important

MAC Flooding
editing the CAM table : the mapping of MAC addresses to physical ports

CAM tables are finite : often 64k to 128k entries
what happens when the table is full : flooding occurs
send 130k ARP requests with randomised source MAC addresses [ the CAM table will be flooded ]
once flooded the switch will start broadcasting (it behaves like a hub)

# macof -n 130000 -d 192.168.0.1
-n for the number of packets to send
-d for the switch IP address that you want to flood
-e for the target MAC address
countermeasure: switch port security (limit the number of MAC addresses learned per port)


MAC Spoofing
impersonating another user/host
Technitium MAC Address Changer for Windows is used to modify the MAC address of a NIC
https://technitium.com/tmac/

How Does It Work?

This software just writes a value into the Windows registry.
 When the Network Adapter Device is enabled, Windows searches for the registry value 'NetworkAddress' in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\[ID of NIC e.g. 0001].
 If a value is present, Windows will use it as the MAC address; if not, Windows will use the hard-coded manufacturer-provided MAC address. Some Network Adapter drivers have this facility built in.
 It can be found in the Advanced settings tab in the Network Adapter's Device properties in Windows Device Manager.


ARP spoofing and ARP cache poisoning [[ arp spoofing image]]
ARP explained
IP to MAC
poison both the gateway and the victim
ARP attack tool: ettercap
countermeasures: XArp (also static ARP entries and Dynamic ARP Inspection on the switch)

Alice's ARP cache :
ip | mac
10.0.0.1 | cc:cc:cc:cc:cc:cc


Bob's ARP cache :
ip | mac
10.0.0.7 | cc:cc:cc:cc:cc:cc

(after poisoning, both entries point at the same MAC, the attacker's)

ARP : address resolution protocol
example ARP table : run arp and press enter
arp spoofing : image example
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

session hijacking,

sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access

session creation how ?

session management attacks
token generation
prediction :- requires sniffing --> attempts to guess the next token

to easily create, edit and delete a cookie for the current page.

what is a cookie ?
cookie ??
A cookie is a message given to a web browser by a web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server
information is packaged into a cookie and sent to your browser, which stores it for later use.

used for tracking the user, personalization, session management
not a security risk until someone gets access to them.

stores the session id in the cookie ... once you log in a session id is generated and stored in the cookie ...
 cookies have a lifetime : can be for the lifetime of the browser, for a certain amount of time, or persist regardless of whether the browser closes or not.


the web server only matches the session id
Wireshark/Burp Suite can be used to see the session id being sent back and forth
modify headers using
Cookies Manager+ Firefox plugin

Cookies have parameters that can be passed to them:

 The name of the cookie.
 The value of the cookie.
 The expiration date of the cookie: this determines how long the cookie will remain active in your browser.
 The path the cookie is valid for. Web pages outside of that path cannot use the cookie.
 The domain the cookie is valid for. This makes the cookie accessible to pages on any of the servers in a domain.
 The need for a secure connection (Secure flag): this indicates that the cookie can only be sent over HTTPS.
 (A related flag, HttpOnly, stops JavaScript in the page from reading the cookie.)

auth_token=124124csnwn12412niniwen2

twitter auth token example :
https://packetstormsecurity.com/files/119773/twitter-cookie.txt


[[ ref. session hijacking image]]

cookie manager for firefox:
 https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/
cookie editor for firefox:
 https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/
for chrome :
 https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

Cookies folder location in Windows 10/8/7

To see where Internet Explorer stores its Cookies in Windows 10/8.1/8/7/Vista, open Explorer > Organize > Folder Options > Views > Check ‘Do not show hidden files and folders’ and Uncheck ‘Hide protected OS files’ > Apply > OK.

Now you will be able to see the two real locations of the Windows Cookies folders at the following addresses in Windows 7:
• C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
• C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low
In Windows 8 and Windows 8.1, the Cookies are stored in this folder:
• C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
In Windows 10 you may open the Run box, type shell:cookies and hit Enter to open the Cookies folder. It is located here:
• C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies

Prevent Session Hijacking
encrypt end to end : if the session id is encrypted in transit then an attacker who captures it would not be able to use it.
this puts additional load on the web server,
preventions implemented on the server side:
the session is to be regenerated again within a few minutes.
the session id is to be expired after a certain interval of time.


Login -- using browser -- JS runs in the browser -- Facebook server -- authorized user -- session generated -- session id created (uid/sid/sess_id) -- saved in cookies -- client side --


HTTPS request -->

HTTPS reply + Set-Cookie <--

HTTPS request + cookies -->

Cookies -- small text files -- username/password not stored -- only the session id is stored, can be encrypted or plain text

Cookie used to track a user who has authenticated

Server sends back the session cookie

Cookies are sent in the HTTP header or explicitly included in a hidden field
Generated by the server, stored by the client


If the algorithm to create a new session id is easy and predictable then the attacker can generate the session id - guess the session id if it is not properly randomized

{

Sniffing the network and capturing the cookie in transit


DNS cache poisoning :- tricking the user that you are facebook.com; the cookie is then going to be sent to you.


} - network based attacks - encrypted connections can avoid these attacks
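Putting together the cookie parameters listed above, the server-side preventions (regenerate the session within a few minutes, expire it after an interval) and the point that a predictable session id algorithm lets an attacker guess ids: an added example written for these notes, not code from any web framework. The TTL and rotation interval are assumed policy values, SessionStore is an in-memory stand-in for a real server-side session table, and the audit reuses the page's auth_token sample as a constructed weak cookie.

```python
"""Session-cookie handling that removes the hijacking preconditions described
above. Added example for these notes; not code from any web framework."""
import secrets
from http.cookies import SimpleCookie
from typing import Any, Dict, List, Optional, Tuple

SESSION_TTL = 15 * 60     # assumed policy: idle seconds after which a session id expires
ROTATE_AFTER = 5 * 60     # assumed policy: regenerate the id after this many seconds


def new_session_id() -> str:
    """32 bytes from the OS CSPRNG: the next id cannot be predicted from
    earlier ones, unlike a counter or timestamp-based scheme."""
    return secrets.token_urlsafe(32)


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie value with Path and Max-Age (from the parameter list
    above) plus Secure (HTTPS only, so the id is never sent in clear text),
    HttpOnly (not readable by page JavaScript) and SameSite."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["max-age"] = max_age
    c[name]["secure"] = True
    c[name]["httponly"] = True
    c[name]["samesite"] = "Lax"
    return c.output(header="").strip()


def audit_set_cookie(header: str) -> List[str]:
    """Report session cookies that are missing the protective flags."""
    c = SimpleCookie()
    c.load(header)
    findings = []
    for name, morsel in c.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, id travels in clear text over HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, id readable by injected script")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


class SessionStore:
    """Server-side table: the browser only ever holds the random id."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, Any]] = {}

    def login(self, user: str, now: int) -> str:
        sid = new_session_id()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str, now: int) -> Tuple[Optional[str], Optional[str]]:
        """Return (user, id to send back). Idle sessions expire; ids older than
        ROTATE_AFTER are replaced and the old id stops working immediately."""
        s = self.sessions.get(sid)
        if s is None:
            return None, None
        if now - s["last_seen"] > SESSION_TTL:
            del self.sessions[sid]
            return None, None
        s["last_seen"] = now
        if now - s["created"] > ROTATE_AFTER:
            del self.sessions[sid]
            fresh = new_session_id()
            self.sessions[fresh] = {"user": s["user"], "created": now, "last_seen": now}
            return s["user"], fresh
        return s["user"], sid


def demo() -> Dict[str, bool]:
    """Constructed timeline (seconds) showing reuse, rotation and expiry."""
    store = SessionStore()
    t0 = 1_000_000
    sid = store.login("alice", t0)
    user1, same = store.lookup(sid, t0 + 60)
    user2, rotated = store.lookup(sid, t0 + 400)            # past ROTATE_AFTER
    old_after_rotate = store.lookup(sid, t0 + 401)           # old id must be dead
    expired = store.lookup(rotated, t0 + 400 + SESSION_TTL + 1)
    return {
        "same_id_reused": same == sid and user1 == "alice",
        "rotated": rotated != sid and user2 == "alice",
        "old_id_dead": old_after_rotate == (None, None),
        "idle_expired": expired == (None, None),
    }


if __name__ == "__main__":
    print(set_cookie_header("session", new_session_id(), SESSION_TTL))
    print(audit_set_cookie("auth_token=124124csnwn12412niniwen2; Path=/"))
    print(demo())
```

Rotation invalidates the old id at the moment the new one is issued, so a sniffed or guessed id is only useful until the next rotation or idle timeout, which is the "regenerate within a few minutes / expire after an interval" advice above made concrete.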
682
What Is a CMS?
================

A Content Management System (CMS) is a system that allows you to manage information easily and effectively. The information could be anything, whether it's a simple article or a complex media management system.
It is a system for non-technical users that allows them to organize content easily and makes the process easy rather than hectic. In any web-based application, there are three basic operations

--> Add
--> Edit
--> Delete

Example: WordPress, Joomla, Drupal, Magento etc...