Tuesday, 20 June 2017

Firewall

Source: https://www.howtogeek.com/school/windows-network-security/lesson5/all/

Windows Firewall rules have the following parameters that can be edited:

  1. Name – the name of the rule you are viewing.
  2. Group – the group the rule belongs to. Generally, the group describes the app or the Windows feature the rule belongs to. For example, rules that apply to a specific app or program will have the app/program name as the group. Rules that are related to the same networking feature, e.g. File and Printer Sharing, will have as a group name the feature they relate to.
  3. Profile – the network location/profile the rule is applied to: private, public, or domain (for business networks with network domains).
  4. Enabled – tells you whether the rule is enabled and applied by Windows Firewall or not.
  5. Action – the action can be “Allow” or “Block”, depending on what the rule is supposed to do.
  6. Override – tells you whether that rule overrides an existing block rule. By default, all rules should have the value “No” for this parameter.
  7. Program – the desktop program the rule applies to.
  8. Local address – tells you whether the rule is applied only when your computer has a specific IP address or not.
  9. Remote address – tells you whether the rule is applied only when devices with specific IP addresses are connected or not.
  10. Protocol – the network protocols for which the rule is applied.
  11. Local port – tells you whether the rule is applied for connections made on specific local ports or not.
  12. Remote port – tells you whether the rule is applied for connections made on specific remote ports or not.
  13. Authorized users – the user accounts for which the rule is applied (for inbound rules only).
  14. Authorized computers – computers for which the rule is applied.
  15. Authorized local principals – the user accounts for which the rule is applied (for outbound rules only).
  16. Local user owner – the user account which is set as the owner/creator of the rule.
  17. Application package – this applies only to apps from the Windows Store and it shows the package name of the app the rule applies to.
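To show how several of the parameters above combine when a connection is checked, here is an added example (not code from the original page or from Windows itself) that models a small subset of the rule fields: Profile, Action, Enabled, Protocol, Local port, Remote address and Override. The precedence it applies is an assumption for the illustration, based on the Override description above: a matching Allow rule with Override set wins, otherwise any matching Block rule wins, otherwise a matching Allow rule wins, otherwise the profile default (Block) applies. The rule names and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of a subset of the Windows Firewall rule fields listed
# above. This is an added illustration, not the real Windows Filtering engine.
@dataclass
class Rule:
    name: str
    action: str                              # "Allow" or "Block"
    enabled: bool = True
    profiles: frozenset = frozenset({"Domain", "Private", "Public"})
    protocol: Optional[str] = None           # None means any protocol
    local_ports: Optional[frozenset] = None  # None means any local port
    remote_addrs: Optional[tuple] = None     # tuple of ip_network, None = any
    override: bool = False                   # Allow rule may override Block rules

    def matches(self, profile, protocol, local_port, remote_ip):
        """True when every populated field of the rule matches the connection."""
        if not self.enabled or profile not in self.profiles:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.local_ports is not None and local_port not in self.local_ports:
            return False
        if self.remote_addrs is not None:
            addr = ip_address(remote_ip)
            if not any(addr in net for net in self.remote_addrs):
                return False
        return True


def evaluate(rules, profile, protocol, local_port, remote_ip, default="Block"):
    """Verdict for one inbound connection attempt (precedence is an assumption,
    see the lead-in): Allow+Override > Block > Allow > profile default."""
    hits = [r for r in rules if r.matches(profile, protocol, local_port, remote_ip)]
    if any(r.action == "Allow" and r.override for r in hits):
        return "Allow"
    if any(r.action == "Block" for r in hits):
        return "Block"
    if any(r.action == "Allow" for r in hits):
        return "Allow"
    return default


# Constructed sample rule set (names and networks are made up for the example).
RULES = [
    Rule("Remote Desktop (TCP-In)", "Allow",
         profiles=frozenset({"Domain", "Private"}),
         protocol="TCP", local_ports=frozenset({3389})),
    Rule("Block RDP from guest VLAN", "Block",
         protocol="TCP", local_ports=frozenset({3389}),
         remote_addrs=(ip_network("10.50.0.0/16"),)),
    Rule("File and Printer Sharing (SMB-In)", "Allow",
         profiles=frozenset({"Domain"}),
         protocol="TCP", local_ports=frozenset({445})),
    Rule("Admin jump host may always reach RDP", "Allow", override=True,
         protocol="TCP", local_ports=frozenset({3389}),
         remote_addrs=(ip_network("10.50.9.9/32"),)),
]

if __name__ == "__main__":
    for args in [("Private", "TCP", 3389, "192.168.1.20"),
                 ("Private", "TCP", 3389, "10.50.3.7"),
                 ("Private", "TCP", 3389, "10.50.9.9"),
                 ("Public", "TCP", 3389, "192.168.1.20"),
                 ("Domain", "TCP", 445, "10.1.1.1"),
                 ("Public", "TCP", 445, "10.1.1.1")]:
        print(args, "->", evaluate(RULES, *args))
```

The third sample connection is the interesting one: the jump host address is inside the blocked guest VLAN range, so the Block rule matches, but the Allow rule with Override set still wins. Disabling that Override rule (enabled=False) makes the Block rule win again.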

Social Engineer

RESOURCES: SOCIAL ENGINEERING

These stories show some examples of how individuals can be manipulated to reveal personal and organizational information.
Articles
Videos
Amazing mind reader reveals his 'gift', Duval Guillaume, YouTube
Walmart Prank, anthony11999944, YouTube
Man Steals People's Banking Information, walkinc1, YouTube (NOTE: YouTube captions include some errors, but the action is clear.)

VERIZON DATA BREACH INVESTIGATIONS REPORT


Source: https://courses.edx.org/courses/course-v1:RITx+CYBER501x+1T2017/courseware/474124c8f0904b90849fd8558e1db0e1/c03c11193e7e476cad60c3957176a064/1?activate_block_id=block-v1%3ARITx%2BCYBER501x%2B1T2017%2Btype%40vertical%2Bblock%407e8aa5fc322449d5814be76b3246acd9

DNS SERVER

Putting it Together

To better illustrate how both of the nameservers interact with each other, let’s imagine that you are at your computer and you want to search for pictures of cats, so you type www.google.com into your Web browser to go to Google. However, your computer doesn’t know where the server for www.google.com is located, so your computer sends a query to a recursive DNS nameserver (OpenDNS) to locate the IP address of the website for you. The recursive DNS nameserver is now assigned the task of finding the IP address of the website you are searching for. If the recursive DNS nameserver does not already have the DNS record cached in its system, it will then query the authoritative DNS hierarchy to get the answer.
Each part of a domain like www.google.com has a specific DNS nameserver (or group of redundant nameservers) that is authoritative.
At the top of the tree are the root domain nameservers. Every domain has an implied/hidden “.” at the end that designates the DNS root nameservers at the top of the hierarchy. Root domain nameservers know the IP addresses of the authoritative nameservers that handle DNS queries for the Top Level Domains (TLDs) like “.com”, “.edu” or “.gov”. The recursive nameserver first asks the root domain nameservers for the IP address of the TLD server, in this case “.com” (for google.com).
Afterwards it asks the authoritative server for “.com”, where it can find the “google.com” domain’s authoritative server. Then “google.com” is asked where to find “www.google.com”. Once the IP address is known for the website the recursive DNS server responds to your computer with the appropriate IP address. The end result of which is that you are now happy because you can search pictures of cats all day long.  Below is an illustration of the process:
[Figure: illustration of the recursive resolution process described above]

Source: https://umbrella.cisco.com/blog/blog/2014/07/16/difference-authoritative-recursive-dns-nameservers/
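The walk down the tree described above (root, then the “.com” TLD server, then the “google.com” authoritative server, then caching the answer) as an added, runnable simulation. This is not code from the original page or from Cisco Umbrella; the nameserver names, the delegation table and the 203.0.113.x addresses are constructed sample data, and the real protocol (UDP packets, glue records, TTLs) is replaced by in-memory dictionaries so the referral chain itself is what you see.

```python
# Constructed toy DNS hierarchy. Each "nameserver" is authoritative for one
# zone and answers either with an A record it holds, a referral to the child
# zone's nameserver, or NXDOMAIN. Names and addresses are made up.
NAMESERVERS = {
    "root-ns": {
        "zone": ".",
        "delegations": {"com.": "com-tld-ns", "edu.": "edu-tld-ns"},
        "records": {},
    },
    "com-tld-ns": {
        "zone": "com.",
        "delegations": {"google.com.": "google-ns"},
        "records": {},
    },
    "edu-tld-ns": {
        "zone": "edu.",
        "delegations": {"rit.edu.": "rit-ns"},
        "records": {},
    },
    "google-ns": {
        "zone": "google.com.",
        "delegations": {},
        "records": {"www.google.com.": "203.0.113.10"},
    },
    "rit-ns": {
        "zone": "rit.edu.",
        "delegations": {},
        "records": {"www.rit.edu.": "203.0.113.20"},
    },
}


def fqdn(name):
    """Add the implied trailing '.' that marks the DNS root."""
    return name if name.endswith(".") else name + "."


def authoritative_answer(server, qname):
    """What one authoritative nameserver says about qname."""
    data = NAMESERVERS[server]
    if qname in data["records"]:
        return ("A", data["records"][qname])
    # Refer to the most specific delegated child zone that qname falls under.
    for zone, child_ns in sorted(data["delegations"].items(),
                                 key=lambda kv: -len(kv[0])):
        if qname == zone or qname.endswith("." + zone):
            return ("REFERRAL", child_ns)
    return ("NXDOMAIN", None)


class RecursiveResolver:
    """The OpenDNS-style resolver: follows referrals from the root and caches."""

    def __init__(self):
        self.cache = {}
        self.log = []   # one entry per query sent, for the reader to inspect

    def resolve(self, name, max_referrals=8):
        qname = fqdn(name)
        if qname in self.cache:
            self.log.append(f"cache hit for {qname}")
            return self.cache[qname]
        server = "root-ns"
        for _ in range(max_referrals):          # guards against delegation loops
            kind, value = authoritative_answer(server, qname)
            self.log.append(f"asked {server} for {qname}: {kind} {value}")
            if kind == "A":
                self.cache[qname] = value
                return value
            if kind == "REFERRAL":
                server = value
                continue
            return None                          # NXDOMAIN: no such name
        return None                              # gave up: too many referrals


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.google.com"))   # three queries: root -> com -> google.com
    print(r.resolve("www.google.com"))   # answered from cache, no queries
    print(r.resolve("www.example.org"))  # root knows no "org." here -> None
    print("\n".join(r.log))
```

The log shows the security-relevant property of the design: the client only ever talks to the recursive server, and the recursive server's cache is what later clients trust, which is why cache contents (and who may write to them) matter.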

DORA process of DHCP, Unicast or Broadcast

Dynamic Host Configuration Protocol (DHCP) provides an IP address and other configuration information, like subnet mask, default gateway, and WINS and DNS server addresses, to network clients. DHCP allocates IP addresses dynamically to the clients; an allocation is known as a lease and lasts for a period called the lease period.
DHCP lease generation is a 4-step process called DORA, which expands as below:
D – Discover
O – Offer
R – Request
A – Acknowledgement
The working process is as under:
1. The DHCP client broadcasts a DHCPDISCOVER packet in the subnet.
2. Once a DHCP server receives the DISCOVER packet, it replies with a DHCPOFFER packet. This packet is broadcast and contains a potential IP address for the client. The client might receive DHCPOFFER packets from multiple DHCP servers (if they exist in the subnet).
3. The client then broadcasts a DHCPREQUEST that contains a server identifier. Since this broadcast packet reaches all DHCP servers, they come to know which server’s DHCPOFFER the client has chosen to accept. In case the client received multiple DHCPOFFERs, it selects the server that made the fastest response to its DHCPDISCOVER, which typically is the DHCP server closest to the client.
4. Once the DHCP servers receive the DHCPREQUEST they use the server identifier to know whether their offer was accepted or not. The chosen server stores the IP address and client information in the DHCP database and broadcasts a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server sends a DHCPNAK message.
I will discuss the conditions resulting in DHCPNAK in some other blog.
Let’s discuss these steps in more detail. For the sake of clarity I am using the diagram below:
[Diagram: DHCP server with IP address A and MAC address AA, and a client with MAC address BB on the same subnet]
As per the diagram, let’s take the example of a DHCP server whose IP address is A and MAC address is AA (I am using A and AA for the sake of simplicity, to avoid writing 4 octets of IP and 12 hexadecimal digits for the MAC address). There is a client looking for an IP address, so it doesn’t have any IP yet, but its MAC address is BB. The steps of the DORA process are as under:
1. The client will broadcast the DISCOVER packet to 255.255.255.255, which is the broadcast IP. It will use 0.0.0.0 as the source IP because it doesn’t have any IP yet. In the frame it will use the broadcast MAC address FF-FF-FF-FF-FF-FF as destination and its own MAC address as source.
2. Once the DHCP server receives the DISCOVER packet, it will broadcast the OFFER packet to the IP 255.255.255.255, as the client doesn’t have any IP. Since the server has received the MAC address of the client from the DISCOVER packet, it will use it as the destination MAC. So, as per our example it will be BB. Hence, the OFFER frame is unicast.
With the OFFER packet, several other pieces of information also come, as per configuration: the DHCP server identifier, the potential IP and others.
3. Once the client receives the OFFER, it broadcasts the REQUEST packet to 255.255.255.255. It uses FF-FF-FF-FF-FF-FF as the destination MAC. In case multiple DHCP servers have sent OFFER packets, the REQUEST packet will reach all of them. This packet has the DHCP server identifier, which is used by the servers to verify whether their IP was chosen or not. However, there is a chance that the transaction for the offer selected by the client couldn’t complete successfully. The client then tries to send a REQUEST to a different Server Identifier. So, “rejected” servers will wait for a while before offering a previously-offered lease to another client.
4. Once the server receives the REQUEST packet, it will send the ACK packet to the client. As the destination address it will use the broadcast IP address but a unicast MAC address, i.e. BB as per our example. Hence, it will be received by the intended client only.
Here is the summary:
                 DISCOVER    OFFER       REQUEST     ACK
SOURCE IP        0.0.0.0     A           0.0.0.0     A
SOURCE MAC       BB          AA          BB          AA
DESTINATION IP   Broadcast   Broadcast   Broadcast   Broadcast
DESTINATION MAC  Broadcast   BB          Broadcast   BB
NETWORK LAYER    Broadcast   Broadcast   Broadcast   Broadcast
DATALINK LAYER   Broadcast   Unicast     Broadcast   Unicast

Broadcast IP – 255.255.255.255
Broadcast MAC – FF-FF-FF-FF-FF-FF
So, this is all in this blog. Have a very nice day!!

Read the comments: https://vinitpandey.wordpress.com/2015/06/17/dora-process-of-dhcp/
Source: https://vinitpandey.wordpress.com/2015/06/17/dora-process-of-dhcp/
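The four DORA messages and the addressing summary in the table above, as an added simulation that is not part of the original blog post. It goes one step beyond the post's single-server diagram: two servers on the same subnet both answer the DISCOVER, the client picks the first (fastest) OFFER, and the REQUEST's server identifier lets the rejected server return its reserved address to the pool. Server addresses, MACs, the address pools and the transaction id are constructed sample values; the real DHCP wire format (BOOTP header, option codes) is not modelled.

```python
from dataclasses import dataclass, field

BROADCAST_IP = "255.255.255.255"
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
UNASSIGNED_IP = "0.0.0.0"   # source IP of a client that has no lease yet


@dataclass
class Frame:
    """One DHCP message with its IP and Ethernet addressing (constructed model)."""
    msg: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    xid: int                      # transaction id shared by the four messages
    options: dict = field(default_factory=dict)

    def datalink_layer(self):
        return "Broadcast" if self.dst_mac == BROADCAST_MAC else "Unicast"

    def network_layer(self):
        return "Broadcast" if self.dst_ip == BROADCAST_IP else "Unicast"


class DhcpServer:
    def __init__(self, ip, mac, pool):
        self.ip, self.mac = ip, mac
        self.free = list(pool)     # addresses not yet offered or leased
        self.offered = {}          # xid -> (client MAC, offered IP)
        self.leases = {}           # client MAC -> IP

    def on_discover(self, f):
        """Reserve an address and OFFER it: broadcast IP, unicast MAC (table above)."""
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.offered[f.xid] = (f.src_mac, ip)
        return Frame("DHCPOFFER", self.mac, f.src_mac, self.ip, BROADCAST_IP, f.xid,
                     {"yiaddr": ip, "server_id": self.ip})

    def on_request(self, f):
        """ACK if our offer was chosen; otherwise release the reserved address."""
        pending = self.offered.pop(f.xid, None)
        if f.options["server_id"] != self.ip:
            if pending:                       # rejected server: address back to pool
                self.free.insert(0, pending[1])
            return None
        if pending is None or pending[1] != f.options["requested_ip"]:
            return Frame("DHCPNAK", self.mac, f.src_mac, self.ip, BROADCAST_IP, f.xid,
                         {"server_id": self.ip})
        self.leases[f.src_mac] = pending[1]
        return Frame("DHCPACK", self.mac, f.src_mac, self.ip, BROADCAST_IP, f.xid,
                     {"yiaddr": pending[1], "server_id": self.ip})


def dora(client_mac, servers, xid=0x3903F326):
    """Run one DORA exchange on a broadcast domain; the order of `servers` stands
    in for response speed. Returns (leased IP or None, all frames in order)."""
    frames = []
    discover = Frame("DHCPDISCOVER", client_mac, BROADCAST_MAC,
                     UNASSIGNED_IP, BROADCAST_IP, xid)
    frames.append(discover)
    offers = [o for o in (s.on_discover(discover) for s in servers) if o]
    frames.extend(offers)
    if not offers:
        return None, frames
    chosen = offers[0]                        # fastest OFFER wins
    request = Frame("DHCPREQUEST", client_mac, BROADCAST_MAC, UNASSIGNED_IP,
                    BROADCAST_IP, xid, {"server_id": chosen.options["server_id"],
                                        "requested_ip": chosen.options["yiaddr"]})
    frames.append(request)                    # reaches every server
    replies = [r for r in (s.on_request(request) for s in servers) if r]
    frames.extend(replies)
    acks = [r for r in replies if r.msg == "DHCPACK"]
    return (acks[0].options["yiaddr"] if acks else None), frames


# Constructed sample topology: server "A" (AA) and a second server "C" (CC).
SERVER_A = DhcpServer("10.0.0.1", "AA-AA-AA-AA-AA-AA", ["10.0.0.50", "10.0.0.51"])
SERVER_C = DhcpServer("10.0.0.2", "CC-CC-CC-CC-CC-CC", ["10.0.0.80"])
CLIENT_MAC = "BB-BB-BB-BB-BB-BB"

if __name__ == "__main__":
    ip, frames = dora(CLIENT_MAC, [SERVER_A, SERVER_C])
    print("leased:", ip)
    for f in frames:
        print(f"{f.msg:13} L3={f.network_layer():9} L2={f.datalink_layer():9} "
              f"{f.src_ip}/{f.src_mac} -> {f.dst_ip}/{f.dst_mac}")
```

Running it reproduces the table row by row: DISCOVER and REQUEST are broadcast at both layers, while OFFER and ACK are broadcast at the network layer but unicast (destination MAC BB) at the data-link layer. It also shows why the server identifier matters for the pool: after the exchange, server C's one address is free again, ready for the next client.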