Monday, 18 April 2016

DNS Resolution

The Internet maintains two principal namespaces: the domain name hierarchy and the IP address system. The Domain Name System (DNS) maintains the domain namespace and provides translation between these two namespaces. Internet name servers implement the Domain Name System. The top of the hierarchy is served by the root name servers, which are operated under delegation from the Internet Corporation for Assigned Names and Numbers (ICANN).

DNS Hierarchy
(Figure: DNS hierarchy example)

Most common services of a DNS server:

  • Standard Name Resolution: Taking a DNS name as input and determining its corresponding IP address.
  • Reverse Name Resolution: Taking an IP address and determining what name is associated with it.
  • Electronic Mail Resolution: Determining where to send electronic mail (e-mail) messages based on the e-mail address used in a message.

Steps involved in DNS resolution:

  1. The web browser first checks its own cache and then the operating system's local DNS cache (on Windows, the DNS Client service cache).
  2. If the name is not cached, the stub resolver sends the query to its configured recursive DNS server, usually provided by the Internet Service Provider or, on a corporate network, by the internal DNS servers.
  3. The recursive server walks the hierarchy iteratively: it asks a root server, which refers it to the TLD servers (e.g. .com), which refer it to the domain's authoritative servers, which return the record. The recursive server caches the answer for its TTL and returns it to the client.
(Figure: DNS resolution example)
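The resolution steps above are carried out with a small binary message format. The following script, an added example and not code from the original post, builds an A query for a name and parses a reply at the wire level as a resolver would: the 12-byte header, the question, and the answer records, including the CNAME chain and name compression pointers that real responses use. The reply it parses is constructed in memory (the names and the 192.0.2.10 address are made up), so it runs offline; it also shows the two checks a client must do on a reply, the QR bit and the transaction ID, the latter being its only defence against a spoofed answer.

```python
"""Build a DNS query and parse a DNS response at the wire level (RFC 1035).

Added example for this post, not the post's own code: the response is
constructed in memory (no network), and the names/addresses are made up.
"""
import struct

TYPE_A, TYPE_CNAME = 1, 5          # the "Record Type" numbers ipconfig /displaydns prints
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME"}


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard query: 12-byte header (RD=1), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it).

    A pointer (top two bits 11) jumps to an earlier offset; the hop limit
    rejects crafted pointer loops that would otherwise hang the parser.
    """
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg, expected_id=None):
    """Parse header, question and answer RRs. Checks the transaction ID when given,
    which is the client's only protection against a spoofed reply to its query."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction ID mismatch: possible spoofed response")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    question, offset = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[offset:offset + 2])[0]
    offset += 4                                          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_CNAME:
            value, _ = decode_name(msg, offset)
        elif rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0xF, "question": question, "qtype": qtype, "answers": answers}


def build_sample_response(query):
    """Constructed reply to `query`: www.example.com is a CNAME for a made-up
    edge host, which has an A record. Both owner names use compression
    pointers (0xC0xx) back to earlier copies, exactly as real servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                                # reuse the question section verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)   # QR=1 RD=1 RA=1, 2 answers
    target = encode_name("web.edge.example.net")
    cname_rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(target)) + target
    target_offset = 12 + len(question) + 2 + 10          # where `target` sits in the message
    a_rr = (struct.pack("!H", 0xC000 | target_offset)
            + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10]))
    return header + question + cname_rr + a_rr
```

To run it against a real resolver, send build_query("www.example.com") over UDP to port 53 of the server shown by nslookup (192.168.1.1 in the output below) and pass the reply to parse_response with expected_id set to the query's ID; the CNAME/A pair it prints is the same chain the ipconfig /displaydns output shows for the google.com names.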
How to clear the DNS cache on a Windows machine? Run ipconfig /flushdns from a command prompt.
How to view the DNS cache on a Windows machine? Run ipconfig /displaydns. In the output below, Record Type 1 is an A (address) record and Record Type 5 is a CNAME (alias); Time To Live counts down the seconds the entry stays cached:
C:\Users\bharathi>ipconfig /displaydns
Windows IP Configuration
clients4.google.com
----------------------------------------
Record Name . . . . . : clients4.google.com
Record Type . . . . . : 5
Time To Live . . . . : 26
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : clients.l.google.co
apis.google.com
----------------------------------------
Record Name . . . . . : apis.google.com
Record Type . . . . . : 5
Time To Live . . . . : 194
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : plus.l.google.com
clients1.google.co.in
----------------------------------------
Record Name . . . . . : clients1.google.co.
Record Type . . . . . : 5
Time To Live . . . . : 135
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record . . . . : clients-cctld.l.goo
plus.google.com
----------------------------------------
Record Name . . . . . : plus.google.com
Record Type . . . . . : 1
Time To Live . . . . : 62
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.34
Record Name . . . . . : plus.google.com
Record Type . . . . . : 1
Time To Live . . . . : 62
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.33
Record Name . . . . . : plus.google.com
Record Type . . . . . : 1
Time To Live . . . . : 62
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.38
Record Name . . . . . : plus.google.com
Record Type . . . . . : 1
Time To Live . . . . : 62
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.41
Record Name . . . . . : plus.google.com
Record Type . . . . . : 1
Time To Live . . . . : 62
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.46
----------------------------------------
Record Name . . . . . : www.google.co.in
Record Type . . . . . : 1
Time To Live . . . . : 255
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 74.125.236.63
C:\>tracert www.google.com
Tracing route to www.google.com [74.125.236.211]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 192.168.1.1
2 3 ms 2 ms 2 ms ras.beamtele.net [183.83.0.1]
3 3 ms 5 ms 4 ms ras.beamtele.net [183.82.14.1]
4 20 ms 19 ms 34 ms ras.beamtele.net [183.82.14.57]
5 17 ms 15 ms 16 ms 72.14.194.18
6 18 ms 16 ms 16 ms 66.249.94.170
7 17 ms 16 ms 18 ms 72.14.232.110
8 18 ms 17 ms 17 ms 209.85.240.147
9 17 ms 16 ms 16 ms maa03s17-in-f19.1e100.net [74.125.236.211]
Trace complete.
C:\>nslookup www.facebook.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: star.c10r.facebook.com
Addresses: 2a03:2880:f00c:800:face:b00c:0:1
31.13.79.49
Aliases: www.facebook.com


Wireshark for Security Testing

Wireshark is a network packet analyzer: it captures packets from a network interface (or reads a saved capture file) and decodes each protocol layer in as much detail as its dissectors allow.

Steps to capture and analyse network traffic using Wireshark
  1. Download and install Wireshark from here: http://www.wireshark.org/download.html
  2. Capture -> Interfaces -> select the interface that is active, or whose traffic you expect to sniff. On a switched network you only see traffic to and from your own host plus broadcast/multicast, unless a SPAN/mirror port or a tap feeds you the rest.
  3. Filter the traffic and analyse it
(Figure: Wireshark capture window)

Filter Options

  • Network traffic captured in Wireshark is colour coded by the default colouring rules: for instance, DNS (UDP) packets are light blue and HTTP packets are light green. The rules can be changed under View -> Coloring Rules.
  • The “Filter” box at the top validates the display filter as you type and offers completions: it stays red while the expression is invalid and turns green once it is valid (yellow means valid but probably not what you meant).
  • The packet list can be sorted by clicking the Source, Destination or Protocol column headers.
  • To display only DNS traffic: type dns in the filter box
  • To show only packets from a particular source IP address: ip.src == 10.176.185.37
  • Filters combine with boolean operators, for example dns && ip.src == 10.176.185.34 (|| and ! work the same way, as do comparisons such as tcp.port == 80)
  • Find by string: Edit -> Find Packet -> search by “String”

What to do with the captured traffic?

If your application talks to the server over TCP, use “Follow TCP Stream” to read the whole conversation reassembled in order instead of one packet at a time.
  • Select any packet belonging to the TCP connection to be analysed.
  • Right click and select “Follow TCP Stream” to view the conversation in a new window (Wireshark also sets the display filter to that stream, e.g. tcp.stream eq 3).
  • Requests and responses are shown as text. Analyse session management (cookies, tokens in URLs, whether credentials travel in the clear) and the data exchanged between client and server.
  • The stream window shows the bytes as they were sent, so a gzip-compressed request or response body appears there as binary garbage. Wireshark's HTTP dissector does decompress it: with “Uncompress entity bodies” enabled in the HTTP protocol preferences (the default) the decoded body is shown in the packet details pane, and File -> Export Objects -> HTTP saves the decoded objects. Alternatively, save the raw stream and decompress it outside Wireshark.
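When a stream has been saved raw from the Follow TCP Stream window (one direction, server to client), the body can be recovered outside Wireshark. The script below is an added example, not code from the original post: it parses the status line and headers of a captured HTTP/1.1 response, undoes chunked transfer encoding, and inflates a gzip (or deflate) body. The response it works on is constructed in memory with a made-up cookie and JSON body, so it runs offline; a saved stream that holds several responses, or both directions, has to be split into individual responses first, which this does not do.

```python
"""Decode an HTTP/1.1 response saved as raw bytes from Wireshark's Follow TCP
Stream (server-to-client direction only) and inflate a gzip or deflate body.

Added example for this post, not the post's own code. The response below is
constructed in memory so the script runs offline.
"""
import gzip
import zlib


def parse_response(raw):
    """Split a raw response into (status_line, headers dict, body bytes).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found: stream is truncated")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF ... 0)."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)      # drop any chunk extension
        if size == 0:
            return out
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2                               # step over the chunk's CRLF


def decode_body(raw):
    """Return the plain body of a captured response, undoing chunking and compression."""
    _status, headers, body = parse_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]         # ignore any trailing bytes
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                     # zlib-wrapped, as the RFC says
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)    # raw DEFLATE, which some servers send
    return body


def build_sample_response(plain, chunked=True):
    """Constructed 200 response carrying `plain` gzip-compressed, chunked or with Content-Length."""
    payload = gzip.compress(plain)
    if chunked:
        half = len(payload) // 2
        chunks = (payload[:half], payload[half:])
        body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
        framing = b"Transfer-Encoding: chunked\r\n"
    else:
        body = payload
        framing = b"Content-Length: %d\r\n" % len(payload)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Set-Cookie: session=abc123; HttpOnly\r\nContent-Encoding: gzip\r\n"
            + framing + b"\r\n" + body)
```

With a real capture: in the Follow TCP Stream window choose the server-to-client direction, set “Show data as” to Raw, save it, and call decode_body(open("stream.bin", "rb").read()). The headers dict is where session-management findings come from (cookie flags, tokens), the decoded body is what the application actually returned.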

Network Penetration Testing Interview Questions & Answers

1.What is your penetration testing methodology?
  • A typical penetration testing methodology includes the following steps:
    • Information Gathering
    • Planning and Analysis
    • Vulnerability Identification
    • Exploitation
    • Risk Analysis and Remediation Recommendation
    • Reporting
2. What are common network vulnerability identification steps?
  • Fingerprinting – obtain information on open ports, the services and versions behind them, and the operating system
  • Vulnerability scanning – using tools like Nessus or Nexpose
  • Brute forcing default accounts – using password cracking tools and default-credential lists
  • Manual penetration testing
    • Packet analysis – using tools like Wireshark
    • Analysis of cryptographic issues (clear-text protocols, weak TLS configurations)
    • Testing published vulnerabilities specific to the OS, software or service found
    • Phishing attacks
3. What are common ports and services to focus on during penetration testing?
Ideally, only required ports should be open and everything else closed or firewalled. Common ports to look for during penetration testing are:

  Port        Protocol   Service
  20          TCP        FTP data channel (File Transfer Protocol; used in active mode only, passive transfers negotiate a high port)
  21          TCP        FTP control channel
  23          TCP        Telnet (clear-text login)
  25          TCP        SMTP (Simple Mail Transfer Protocol)
  53          TCP/UDP    DNS (Domain Name System; UDP for queries, TCP for zone transfers and large responses)
  69          UDP        TFTP (Trivial File Transfer Protocol, no authentication)
  80          TCP        HTTP (Hypertext Transfer Protocol)
  110         TCP        POP3
  135         TCP        Microsoft RPC endpoint mapper
  137, 138    UDP        NetBIOS Name Service and Datagram Service
  139         TCP        NetBIOS Session Service (SMB over NetBIOS)
  143         TCP        IMAP
  389         TCP/UDP    LDAP (Lightweight Directory Access Protocol)
  445         TCP        SMB (Server Message Block, directly over TCP)
  2049        TCP/UDP    NFS (Network File System; v4 is TCP only)
  5060        TCP/UDP    SIP (Session Initiation Protocol)
4. Why is Windows considered less secure than other operating systems?
  • Windows is the most widely deployed desktop and enterprise operating system, so it is the target of most malware and attacker tooling.
  • Credential handling on Windows networks is a frequent weakness. An attacker's first goal on an organization's network is typically to obtain Windows user names and passwords (or their hashes), and then to escalate privileges until they hold a Domain Admin account.
5. What tools do you use for network penetration testing?
Kali Linux bundles many open source penetration testing tools:
  • Port scanners: Nmap
  • Network vulnerability scanners: Nessus, Nexpose
  • Packet analysis: Wireshark
  • Web proxies: Burp Suite, OWASP ZAP
  • Web scanners: WebInspect, AppScan, Burp Suite Professional
6. List common network security vulnerabilities.
  • Insecure open ports and services
  • Authentication
    • Authentication Bypass
    • Default accounts enabled
    • Weak passwords
    • Plain text passwords
  • Authorization
    • Privilege Escalation
    • Access to resources without proper authorization
  • Improper Input Validation
  • Cryptography
    • Weak encryption
    • Weak keys
  • Denial of Service
    • SYN flood
    • UDP flood
    • ICMP flood
    • Ping of Death
    • Distributed Denial of Service
  • System Configuration
    • Unpatched software
    • Overly permissive access control
  • Sensitive Information Leakage
  • ARP Spoofing
  • Vulnerabilities specific to Software or Operating System or Network Devices
7. What are common levels of network penetration testing?
  • External penetration testing
    • Testing from outside the organization's network (over the Internet) reveals what an external attacker can reach and exploit.
  • Internal penetration testing
    • Internal penetration testing gives the tester access to internal assets and assesses the threat from a malicious insider or an attacker who already has a foothold. The tester connects to the intranet, bypassing NAC if it is in place, and tests from there.
8. What is the use of NIS?
NIS (Network Information Service) is a client-server directory service used to share user accounts, groups and host names across a group of Unix/Linux machines, so that a user can log in to any of them with one account. It distributes as NIS maps the same information that a stand-alone Linux machine keeps in /etc/hosts, /etc/passwd and /etc/shadow (host names, user accounts and password hashes respectively). From a pentester's view NIS matters because, in a traditional setup, any client that knows the NIS domain name can dump the passwd map (ypcat passwd), so exposed password hashes are a classic finding.
9. How do you penetrate an organization's network in an internal penetration test?
  • Bypass Network Access Control (NAC) to get onto the LAN
  • Obtain and crack user account credentials (captured NTLM hashes, weak or default passwords)
  • Escalate privileges until you hold Domain Admin rights, and from there gain access to the Domain Controller
  • Obtain access to shared drives or FTP servers
  • Retrieve sensitive files from the shared drives or FTP servers
  • Obtain DBA / sa accounts on databases
  • Sniff clear-text protocols such as SMTP for credentials and message content
10. What is NAC?
Network Access Control (NAC) enforces user or device authentication (typically 802.1X) and endpoint posture checks on devices connecting to a network. A network with NAC only admits devices that comply with the organization's security policy, so an unknown device plugged into an open LAN port should get no network access (or only a quarantine VLAN).
11. How do you bypass NAC?
Getting past NAC is the first goal of an internal network pentester. The easiest things to try are:
  • Connect to an open wall port with an ethernet cable and check whether you get an address and can reach the organization's intranet; unmanaged switches and ports that were never enrolled in NAC are common.
  • Spoof the MAC address (and, if needed, the IP address) of a device that is already allowed, such as a VoIP phone or a printer. Such devices usually cannot do 802.1X and are admitted by MAC address alone, so a laptop that clones the MAC is admitted too (unplug the device and use its port, or sit inline behind it).
12. How can you obtain access to FTP servers?
  • First, identify all the FTP servers on the organization network (e.g. 192.168.1.0/24). The nmap command below finds hosts with the FTP ports (20, 21) open and identifies the server software; -sS needs root, --excludefile skips hosts that are out of scope, and -oG writes grepable output that is easy to post-process. Port 20 is only the active-mode data port, so 21 is the one that matters:
    • nmap -p 20,21 -vvv --randomize-hosts -sS -sV --excludefile exclude.txt -oG nmap_ftpservers.gnmap 192.168.1.0/24
  • Check if any of the FTP servers have the anonymous account enabled
    • Type ftp://[server name] in a browser, or use a command-line ftp client
    • Enter the username anonymous
    • Enter your e-mail address as the password (by convention; any value is usually accepted)
    • Verify whether you can list and read the folders on the FTP server, and whether you can upload
  • Check if any previously cracked user accounts work on the FTP servers (password reuse)
  • Brute force passwords for valid user accounts. A valid username with a blank password sometimes works.
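The grepable output from the nmap command above is meant to be fed into the next step. The script below is an added example, not code from the original post: it extracts the hosts where the FTP control port is open (with the version -sV found) from a constructed -oG file with made-up hosts, and it provides an anonymous-login check built on Python's ftplib that a tester would run against the in-scope hits. The login check makes a real network connection, so it is not executed in the offline demo.

```python
"""Pull the FTP servers out of nmap grepable output and test them for
anonymous login.

Added example for this post, not the post's own code. SAMPLE_GNMAP is a
constructed file in nmap's -oG format (made-up hosts); anonymous_login() makes
a real network connection and is therefore only called by you, never here.
"""
import re
from ftplib import FTP, all_errors

SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated as: nmap -p 20,21 -sS -sV -oG nmap_ftpservers.gnmap 192.168.1.0/24
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 20/closed/tcp//ftp-data///, 21/open/tcp//ftp//vsftpd 3.0.3/
Host: 192.168.1.9 ()\tPorts: 20/filtered/tcp//ftp-data///, 21/filtered/tcp//ftp///
Host: 192.168.1.20 (files.corp.example)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 445/open/tcp//microsoft-ds///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# One port entry is port/state/protocol/owner/service/rpc-info/version/ (seven fields, some empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def open_ports(gnmap_text, port=21, proto="tcp"):
    """Return [(ip, hostname, service, version)] for hosts where `port`/`proto` is open."""
    hits = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                 # comments and Status-only lines
        ip, hostname = HOST_RE.match(line).groups()
        ports_field = line.split("Ports:", 1)[1]
        for num, state, prot, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            if int(num) == port and state == "open" and prot == proto:
                hits.append((ip, hostname, service, version.strip()))
    return hits


def anonymous_login(host, timeout=5):
    """Try the anonymous account (e-mail address as password, by convention).
    Returns (True, directory listing) or (False, reason). Live network call."""
    try:
        ftp = FTP(timeout=timeout)
        ftp.connect(host, 21)
        ftp.login("anonymous", "pentest@example.com")
        listing = ftp.nlst()
        ftp.quit()
        return True, listing
    except all_errors as exc:
        return False, str(exc)


if __name__ == "__main__":
    for ip, hostname, service, version in open_ports(SAMPLE_GNMAP):
        print(f"{ip:15} {hostname or '-':20} {service} {version}")
        # ok, detail = anonymous_login(ip)      # enable this only for in-scope hosts
```

Replace SAMPLE_GNMAP with the contents of nmap_ftpservers.gnmap to use it on a real scan; the same parser with port=445 lists the SMB servers for the file-share checks that follow.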
13. How do you find sensitive files on shared drives or FTP servers?
  • Search the share for words like “username”, “password”, “credit card”, “client data” in the file search box (Windows Search only indexes some file types, so a content grep is more reliable)
  • Windows Grep is a useful tool for searching file shares for sensitive content; on Linux, grep -ri over a mounted share does the same
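Keyword searches produce a lot of noise, and payment-card numbers are not found by keywords at all. The script below is an added example, not code from the original post: it walks a directory tree (point it at a mounted share), reports files containing the credential keywords listed above, and reports digit runs that look like card numbers only when they pass the Luhn check, which filters out order numbers and other random digit strings. The sample share it builds in a temporary directory, with a config file holding a made-up credential and a CSV holding the 4111 1111 1111 1111 test card, is constructed so the demo runs offline.

```python
"""Search a file tree (e.g. a mounted share) for files containing credential
keywords or Luhn-valid card numbers.

Added example for this post, not the post's own code. build_sample_share()
creates a small temporary tree with constructed contents so the demo runs
offline; on an engagement call scan_tree() on the mounted share instead.
"""
import os
import re
import shutil
import tempfile

KEYWORDS = ("username", "password", "passwd", "credit card", "client data")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)
# 13..19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TEXT_EXTENSIONS = (".txt", ".csv", ".xml", ".ini", ".config", ".log", ".sql")


def luhn_ok(digits):
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return the keywords and Luhn-valid card numbers found in one file's text."""
    keywords = sorted({m.lower() for m in KEYWORD_RE.findall(text)})
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"keywords": keywords, "cards": cards}


def scan_tree(root, max_bytes=5_000_000, extensions=TEXT_EXTENSIONS):
    """Walk `root`, scan text-like files up to `max_bytes`, return {path: findings} for hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_text(fh.read())
            except OSError:            # unreadable file or permission denied on the share
                continue
            if result["keywords"] or result["cards"]:
                findings[path] = result
    return findings


def build_sample_share():
    """Constructed share: a config with credentials, a CSV with one real-looking and
    one bogus card number, and a clean file with an order number (no false positive)."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "db.config"), "w") as fh:
        fh.write("[db]\nusername=app\npassword=Summer2016!\n")
    with open(os.path.join(root, "finance", "export.csv"), "w") as fh:
        fh.write("id,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Quarterly report template. Order number 20160418.\n")
    return root


def remove_sample_share(root):
    """Delete the temporary tree created by build_sample_share()."""
    shutil.rmtree(root, ignore_errors=True)
```

Office documents and PDFs are compressed containers, so a plain text scan misses them; extend the extension list only after adding a text extractor for those formats.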
14. What are the ways to crack database accounts?
  • Check whether default database accounts and passwords are still in place
    • For Oracle, the built-in DBA accounts are sys and system.
    • For SQL Server, the default administrator login is sa.
      • Note: sa should be disabled (or renamed) with Windows authentication used instead; Oracle's built-in administrative accounts cannot be removed, so they must have strong, non-default passwords and be locked where unused.
  • Try to brute force the passwords of DB administrator accounts
    • Below are the Metasploit commands to brute force the sa login on SQL Server
      • use auxiliary/scanner/mssql/mssql_login
      • set USERNAME sa
      • set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
      • set RHOSTS [IP]
      • set THREADS 8
      • run
    • Caution: brute forcing is noisy. Every failed login is written to the SQL Server error log and will trip the organization's intrusion detection or SIEM alerts, and account lockout policies can lock the target account.
15. What is the risk if database accounts are compromised?
If database administrator accounts (e.g. sa or a DBA account) are compromised, all data in the database, which may include Personally Identifiable Information (PII) and user credentials, can be read or modified. The database could also be deleted or shut down, causing a Denial of Service (DoS) for the applications that depend on it. On SQL Server an sa login can often be turned into operating-system command execution (xp_cmdshell), making the database server a foothold on the host.
16. What tools/infrastructure do you have on your pentesting lab?
  • Kali 2.0 VM
    • Nmap
    • Wireshark
    • Responder
    • Metasploit
    • John the Ripper (password cracker)
    • Burp Suite
  • Windows 7 VM
    • PowerShell
17. What network controls would you recommend to strengthen the network security of an organization?
  • Implement Network Access Control (NAC) properly, including for printers and VoIP phones, which are often whitelisted by MAC address.
  • Do not leave unattended live network ports or rogue Wi-Fi on the network.
  • Secure file shares; do not allow anonymous FTP accounts.
  • Implement proper authentication and authorization for Domain Controllers, and restrict who holds Domain Admin rights.
  • Implement a strong password policy.
  • Never store or transmit passwords in clear text, and do not allow users to keep passwords in files on their machines.
  • Implement appropriate network, host and web application firewalls.
  • Regularly identify and remediate network vulnerabilities using tools like Qualys, Nexpose or Nessus.
  • Implement appropriate Intrusion Detection and Intrusion Prevention Systems.
  • Implement proper network segmentation.