Protocols

Cards (38)

  • Telnet
    • The Telnet protocol is an application layer protocol used to connect to a virtual terminal of another computer. Using Telnet, a user can log into another computer and access its terminal (console) to run programs, start batch processes, and perform system administration tasks remotely.
    • When a user connects, they will be asked for a username and password. Upon correct authentication, the user will access the remote system’s terminal. Unfortunately, all this communication between the Telnet client and the Telnet server is not encrypted, making it an easy target for attackers.
  • Telnet
    • A Telnet server uses the Telnet protocol to listen for incoming connections on port 23. A user is connecting to telnetd, a Telnet server:
    1. First, he is asked to provide his login name (username). We can see the user entering frank.
    2. Then, he is asked for the password, D2xc9CgD. The password is not shown on the screen; however, we display it below for demonstration purposes.
    3. Once the system checks his login credentials, he is greeted with a welcome message.
    4. And the remote server grants him a command prompt, frank@bento:~$. The $ indicates that this is not a root terminal.
  • Telnet
    • Although Telnet gave us access to the remote system’s terminal in no time, it is not a reliable protocol for remote administration as all the data are sent in cleartext.
    • Telnet is no longer considered a secure option, especially since anyone capturing your network traffic will be able to discover your usernames and passwords, which would grant them access to the remote system. The secure alternative is SSH.
  • HTTP
    • Hypertext Transfer Protocol (HTTP) is the protocol used to transfer web pages. Your web browser connects to the webserver and uses HTTP to request HTML pages and images among other files and submit forms and upload various files.
    • Anytime you browse the World Wide Web (WWW), you are certainly using the HTTP protocol.
  • HTTP
    • HTTP sends and receives data as cleartext (not encrypted); therefore, you can use a simple tool, such as Telnet (or Netcat), to communicate with a web server and act as a “web browser”. The key difference is that you need to input the HTTP-related commands instead of the web browser doing that for you.
    We need an HTTP server (webserver) and an HTTP client (web browser) to use the HTTP protocol. The web server will “serve” a specific set of files to the requesting web browser.
    Three popular choices for HTTP servers are:
    • Apache
    • Internet Information Services (IIS)
    • nginx
  • FTP
    • File Transfer Protocol (FTP) was developed to make the transfer of files between different computers with different systems efficient.
    • FTP also sends and receives data as cleartext; therefore, we can use Telnet (or Netcat) to communicate with an FTP server and act as an FTP client.
    • Since FTP servers listen on port 21 by default, we had to tell our Telnet client to connect to port 21 instead of the default Telnet port.
  • FTP
    A command like STAT can provide some added information. The SYST command shows the System Type of the target (UNIX in this case). PASV switches the mode to passive. It is worth noting that there are two modes for FTP:
    • Active: In the active mode, the data is sent over a separate channel originating from the FTP server’s port 20.
    • Passive: In the passive mode, the data is sent over a separate channel originating from an FTP client’s port above port number 1023.
  • FTP
    • The FTP client initiates a connection to an FTP server, which listens on port 21 by default. All commands are sent over this control channel. Once the client requests a file, another TCP connection is established between them.
    • get FILENAME made the client and server establish another channel for file transfer.
    • Because FTP sends the login credentials along with the commands and files in cleartext, FTP traffic can be an easy target for attackers.
  • SMTP
    Email delivery over the Internet requires the following components:
    1. Mail Submission Agent (MSA)
    2. Mail Transfer Agent (MTA)
    3. Mail Delivery Agent (MDA)
    4. Mail User Agent (MUA)
  • Mail Process
    1. A Mail User Agent (MUA), or simply an email client, has an email message to be sent. The MUA connects to a Mail Submission Agent (MSA) to send its message.
    2. The MSA receives the message and checks it for errors before transferring it to the Mail Transfer Agent (MTA), commonly hosted on the same server.
    3. The MTA will send the email message to the MTA of the recipient. The MTA can also function as a Mail Submission Agent (MSA).
    4. The recipient collects their email from the MDA using their email client.
  • SMTP
    • Simple Mail Transfer Protocol (SMTP) is used to communicate with an MTA server. Because SMTP uses cleartext, where all commands are sent without encryption, we can use a basic Telnet client to connect to an SMTP server and act as an email client (MUA) sending a message.
    • An SMTP server listens on port 25 by default. To see basic communication with an SMTP server, we used Telnet to connect to it. Once connected, we issue helo hostname and then start typing our email.
  • POP3
    • Post Office Protocol version 3 (POP3) is a protocol used to download the email messages from a Mail Delivery Agent (MDA) server, as shown in the figure below. The mail client connects to the POP3 server, authenticates, downloads the new email messages before (optionally) deleting them.
    • First, the user connects to the POP3 server at the POP3 default port 110. Authentication is required to access the email messages; the user authenticates by providing his username USER frank and password PASS D2xc9CgD. 
  • POP3
    • In general, your mail client (MUA) will connect to the POP3 server (MDA), authenticate, and download the messages. Although the communication using the POP3 protocol will be hidden behind a sleek interface, similar commands will be issued, as shown in the Telnet session above.
    • Based on the default settings, the mail client deletes the mail message after it downloads it. The default behaviour can be changed from the mail client settings if you wish to download the emails again from another mail client.
  • IMAP
    • Internet Message Access Protocol (IMAP) is more sophisticated than POP3. IMAP makes it possible to keep your email synchronized across multiple devices (and mail clients).
    • In other words, if you mark an email message as read when checking your email on your smartphone, the change will be saved on the IMAP server (MDA) and replicated on your laptop when you synchronize your inbox.
    • IMAP requires each command to be preceded by a random string to be able to track the reply. So we added c1, then c2, and so on. 
  • Protocols CIA
    • Confidentiality refers to keeping the contents of the communications accessible to the intended parties. Integrity is the idea of assuring any data sent is accurate, consistent, and complete when reaching its destination. Finally, availability refers to being able to access the service when we need it. 
    • For instance, confidentiality would be the highest priority for an intelligence agency. Online banking will put most emphasis on the integrity of transactions. Availability is of the highest importance for any platform making money by serving ads.
  • Sniffing
    • A sniffing attack can be conducted using an Ethernet (802.3) network card, provided that the user has proper permissions (root permissions on Linux and administrator privileges on MS Windows). There are many programs available to capture network packets:
    1. Tcpdump is a free open source command-line interface (CLI) program that has been ported to work on many operating systems.
    2. Wireshark is a free open source graphical user interface (GUI) program available for several operating systems, including Linux, macOS and MS Windows.
    3. Tshark is a CLI alternative to Wireshark.
  • Sniffing
    • First, we are going to use Tcpdump to attempt to capture the username and password. In the terminal output below, we used the command sudo tcpdump port 110 -A.
    • Before explaining this command, we should mention that this attack requires access to the network traffic, for example, via a wiretap or a switch with port mirroring. Alternatively, we can access the traffic exchanged if we launch a successful Man-in-the-Middle (MITM) attack. In the command, port 110 selects POP3 traffic and -A prints the packet contents in ASCII.
    • We could also use Wireshark to achieve the same results.
  • Sniffing
    • In brief, any protocol that uses cleartext communication is susceptible to this kind of attack. The only requirement for this attack to succeed is to have access to a system between the two communicating systems.
    • This attack requires attention; the mitigation lies in adding an encryption layer on top of any network protocol. In particular, Transport Layer Security (TLS) has been added to HTTP, FTP, SMTP, POP3, IMAP and many others.
  • MitM
    • A Man-in-the-Middle (MITM) attack occurs when a victim (A) believes they are communicating with a legitimate destination (B) but is unknowingly communicating with an attacker (E).
    • In the figure below, we have A requesting the transfer of $20 to M; however, E altered this message and replaced the original value with a new one. B received the modified message and acted on it.
  • MitM
    • This attack is relatively simple to carry out if the two parties do not confirm the authenticity and integrity of each message. In some cases, the chosen protocol does not provide secure authentication or integrity checking; moreover, some protocols have inherent insecurities that make them susceptible to this kind of attack.
    • Any time you browse over HTTP, you are susceptible to a MITM attack, and the scary thing is that you cannot recognize it.
    • Many tools would aid you in carrying out such an attack, such as Ettercap and Bettercap.
  • MitM
    • MITM can also affect other cleartext protocols such as FTP, SMTP, and POP3. Mitigation against this attack requires the use of cryptography.
    • The solution lies in proper authentication along with encryption or signing of the exchanged messages. With the help of Public Key Infrastructure (PKI) and trusted root certificates, Transport Layer Security (TLS) protects from MITM attacks.
  • Protocols Encrypted
    • An existing cleartext protocol can be upgraded to use encryption via SSL/TLS. We can use TLS to upgrade HTTP, FTP, SMTP, POP3, and IMAP, to name a few.
    Consider the case of HTTP. Initially, to retrieve a web page over HTTP, the web browser would need to perform at least the following two steps:
    1. Establish a TCP connection with the remote web server
    2. Send HTTP requests to the web server, such as GET and POST requests.
  • Protocols Encrypted
    HTTPS requires an additional step to encrypt the traffic. The new step takes place after establishing a TCP connection and before sending HTTP requests. This extra step can be inferred from the ISO/OSI model in the image presented earlier. Consequently, HTTPS requires at least the following three steps:
    1. Establish a TCP connection
    2. Establish SSL/TLS connection
    3. Send HTTP requests to the webserver
  • TLS Handshake
    1. The client sends a ClientHello to the server to indicate its capabilities, such as supported algorithms.
    2. The server responds with a ServerHello, indicating the selected connection parameters. The server provides its certificate if server authentication is required. The certificate is a digital file to identify itself; it is usually digitally signed by a third party. Moreover, it might send additional information necessary to generate the master key, in its ServerKeyExchange message, before sending the ServerHelloDone message to indicate that it is done with the negotiation.
  • TLS Handshake
    3. The client responds with a ClientKeyExchange, which contains additional information required to generate the master key. Furthermore, it switches to using encryption and informs the server using the ChangeCipherSpec message.
    4. The server switches to using encryption as well and informs the client in the ChangeCipherSpec message.
  • TLS
    • Consequently, once an SSL/TLS handshake has been established, HTTP requests and exchanged data won’t be accessible to anyone watching the communication channel.
    • As a final note, for SSL/TLS to be effective, especially when browsing the web over HTTPS, we rely on public certificates signed by certificate authorities trusted by our systems. 
  • Certificates
    1. To whom is the certificate issued? That is the name of the company that will use this certificate.
    2. Who issued the certificate? This is the certificate authority that issued this certificate.
    3. Validity period. You don’t want to use a certificate that has expired, for instance.
  • SSH
    1. You can confirm the identity of the remote server
    2. Exchanged messages are encrypted and can only be decrypted by the intended recipient
    3. Both sides can detect any modification in the messages
    To use SSH, you need an SSH server and an SSH client. The SSH server listens on port 22 by default. The SSH client can authenticate using:
    • A username and a password
    • A private and public key (after the SSH server is configured to recognize the corresponding public key)
  • SSH Public Key Authentication
  • SSH Public Key Authentication
  • SSH
    • Note that if this is the first time we connect to this system, we will need to confirm the fingerprint of the SSH server’s public key to avoid man-in-the-middle (MITM) attacks. 
    • In the case of SSH, we don’t usually have a third party to check if the public key is valid, so we need to do this manually.
  • SSH
    • We can use SSH to transfer files using SCP (Secure Copy Protocol) based on the SSH protocol. An example of the syntax is as follows: scp mark@10.10.222.202:/home/mark/archive.tar.gz ~.
    • This command will copy a file named archive.tar.gz from the remote system located in the /home/mark directory to ~, i.e., the root of the home directory of the currently logged-in user.
  • SSH
    • As a closing note, FTP could be secured using SSL/TLS by using the FTPS protocol, which uses port 990. It is worth mentioning that FTP can also be secured using the SSH protocol, which is the SFTP protocol. By default, this service listens on port 22, just like SSH.
  • Password Attacks
    Attacks against passwords are usually carried out by:
    1. Password Guessing: Guessing a password requires some knowledge of the target, such as their pet’s name and birth year.
    2. Dictionary Attack: This approach expands on password guessing and attempts to include all valid words in a dictionary or a wordlist.
    3. Brute Force Attack: This attack is the most exhaustive and time-consuming where an attacker can go as far as trying all possible character combinations, which grows fast (exponential growth with the number of characters).
  • Password Attacks
    • We want an automated way to try the common passwords or the entries from a word list; here comes THC Hydra. Hydra supports many protocols, including FTP, POP3, IMAP, SMTP, SSH, and all methods related to HTTP. The general command-line syntax is: hydra -l username -P wordlist.txt server service where we specify the following options:
  • Preventing Password Attacks
    • Password Policy: Enforces minimum complexity constraints on the passwords set by the user.
    • Account Lockout: Locks the account after a certain number of failed attempts.
    • Throttling Authentication Attempts: Delays the response to a login attempt. A couple of seconds of delay is tolerable for someone who knows the password, but it can severely hinder automated tools.
  • Preventing Password Attacks
    • Using CAPTCHA: Requires solving a question difficult for machines. It works well if the login page is via a graphical user interface (GUI). (Note that CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.)
    • Requiring the use of a public certificate for authentication. This approach works well with SSH, for instance.
    • Two-Factor Authentication: Ask the user to provide a code available via other means, such as email, smartphone app or SMS.
  • Protocols