May 18 2023

HACKERS HAVE A P2P NETWORK OF HACKED TP-LINK ROUTERS WORLDWIDE. IS YOUR ROUTER A PART OF IT?

Category: Hacking, Network security | DISC @ 9:42 am

Check Point Research has been monitoring sophisticated attacks on authorities in numerous European countries since January 2023. The campaign made use of a broad number of tools, one of which was an implant, a tactic that is often linked with Chinese government-backed cybercriminals. This activity has substantial infrastructure similarities with activities previously published by Avast and ESET, which links it to the “Mustang Panda” malware family. This cluster of suspicious behavior is currently being tracked by CPR as “Camaro Dragon”.

According to experts from Check Point named Itay Cohen and Radoslaw Madej, an investigation of these attacks has uncovered a bespoke firmware implant that was created specifically for TP-Link routers. “The implant features several malicious components, including a custom backdoor named ‘Horse Shell,’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the firm claimed.

“Because of the implant’s firmware-agnostic design,” its components may be incorporated into different types of software by a variety of different manufacturers. At this time, the precise mechanism used to distribute the altered firmware images to the compromised routers is unclear, and its use and role in real attacks are also unknown. It is believed that initial access may have been gained by exploiting already-known security holes or by brute-forcing devices with default or easily guessed passwords.

According to what is currently known, the C++-based Horse Shell implant gives attackers the ability to run arbitrary shell commands, upload and download files to and from the router, and relay communication between two separate clients. However, in an intriguing turn of events, it is suspected that the router backdoor targets random devices on residential and home networks. This finding lends credence to the theory that hacked routers are being co-opted into a mesh network with the intention of establishing a “chain of nodes between main infections and real command-and-control.”

The purpose of relaying communications between infected routers by utilizing a SOCKS tunnel is to establish an extra layer of anonymity and disguise the end server. This is accomplished by the fact that each node in the chain possesses information only about the nodes that came before and after it in the chain.

To put it another way, the approach obfuscates the origin and destination of the traffic in a manner comparable to how Tor works, which makes it far more difficult to discover the scope of the attack and disrupt it. The finding is one more illustration of a long-standing pattern in which Chinese threat actors target internet-facing network equipment in order to manipulate the underlying software or firmware of such devices.

InfoSec tools | InfoSec services | InfoSec books

Tags: TP-LINK ROUTERS


May 12 2023

USING NETGEAR’S NIGHTHAWK RAX30 ROUTER, HACKERS CAN SEE WHAT YOU DO ON INTERNET

Category: Hacking, Network security | disc7 @ 10:38 am

Because IoT devices often have weak security and are easily hacked, the Internet of Things (IoT) has been an increasingly attractive target for cyber assaults in recent years. This is due to the fact that IoT devices are connected to the internet. Pwn2Own was a competition held in Toronto last year that focused on hacking into Internet of Things (IoT) devices such as printers, routers, network-attached storage (NAS) devices, and smart speakers. The competition was organized by the Zero Day Initiative (ZDI), which aimed to bring attention to the vulnerabilities of IoT devices and encourage better security practices from manufacturers. This competition invited skilled hackers to showcase their expertise in locating and exploiting flaws in the devices being used. As part of their investigation and participation in the Pwn2Own Toronto hacking competition that took place in December of last year, Team82 exposed five vulnerabilities found in NETGEAR’s Nighthawk RAX30 routers.

If an exploit is successful, an attacker may be able to monitor the online activities of users, hijack users’ connections to the internet, redirect traffic to malicious websites, and insert malware into network traffic.

These vulnerabilities might potentially be used by an attacker to obtain access to and manage networked smart devices (such as security cameras, thermostats, and smart locks), modify router settings (such as passwords or DNS settings), or exploit a network that has been hacked to launch attacks against other devices or networks.

NETGEAR products come with a dedicated server known as soap_serverd that operates on port 5000 (HTTP) and port 5043 (HTTPS). This server serves as a programmatic application programming interface (SOAP) for the router.

Users are given the ability to query the device and make changes to its settings thanks to the available API. The NETGEAR Nighthawk App for iOS and Android is the primary client that connects to the server. The vulnerabilities that were targeted are listed below.

They are able to extract the device serial number by using CVE-2023-27357, known as Sensitive Information Exposed Without Authentication.

By using CVE-2023-27369, an SSL read stack overflow, the researchers are able to deliver an HTTPS payload without being constrained by size limits.

They are able to create a payload large enough to replace the socket IP, bypass authentication, and obtain the device settings by using CVE-2023-27368, an sscanf stack overflow.

They were able to change the admin password by using CVE-2023-27370 (plain-text secrets in the configuration), which gave them access to the plain-text answers to the security questions, along with the serial number obtained earlier.

Once the password was updated, they were able to send a magic packet to the device in order to activate a limited telnet server. They then obtained root access and remote code execution on the device by using CVE-2023-27367, a restricted shell escape.

It is possible to compromise vulnerable RAX30 routers by chaining together these five CVEs. The most serious of these flaws allows for pre-authentication remote code execution on the device. NETGEAR has patched all five vulnerabilities uncovered by Team82, three of which were high-severity vulnerabilities that enable pre-authentication remote code execution, command injection, or authentication bypasses.

Basic Router Security


Tags: Basic Router Security, NETGEAR’S NIGHTHAWK RAX30 ROUTER


Apr 14 2023

Building a Network Security Strategy: Complete Checklist To Protect Your Network

Category: Network security | DISC @ 7:31 am

Whether you’re a large or small business, network security is something you can’t ignore.

Threat actors can, and will, infiltrate businesses of any size, wreaking havoc on computer systems, maliciously encrypting data, and in some cases completely destroying a company’s ability to stay in business.

While the latter situation isn’t that common, there have been several recent instances where poor network security has led to significant security breaches.

Consider the Uber breach from September 2022, where an MFA fatigue attack led to a breach of Uber’s systems.

A similar attack led to a breach of CISCO’s systems, and Activision ended up being hacked after an SMS phishing attack, which reportedly led to a significant data breach of Activision’s IP and employee data.

These breaches signal the need for better network security practices, and they also show how single security measures are not enough.

All of the breaches mentioned above happened because of a weakness in each company’s MFA practices, but they could’ve been mitigated by other security measures including zero trust granular access rules.

Organizations of all sizes need a network security strategy with modern, cloud-based tools and technologies to stay secure:

Single Sign-On (SSO) with Multi-Factor Authentication (MFA)

Before we even get to network security, organizations should deploy a Single Sign-On (SSO) identity provider with Multi-Factor Authentication (MFA) support.

SSO allows users to access multiple applications using one login.

This makes it easier for users to integrate network security practices into their daily routine without much friction, while the IT team has a much easier time keeping everyone organized. 

MFA, meanwhile, adds an extra layer of security by requiring users to provide two or more pieces of evidence to prove their identity.

This is typically a username and password, followed by a one-time code, or biometric authentication such as a fingerprint or facial recognition.

Under an MFA scheme, you can require just a second authentication factor or multiple depending on the level of security you need and your threat model.

SSO with MFA also reduces the risk of password-related security incidents, such as password theft or reuse.

It also makes it harder for hackers to access your network since they have to not only steal the password but somehow obtain the second or even third factor to finally break in.

But as we mentioned at the beginning of this article there are ways to get around MFA security measures, so how do you make sure that doesn’t happen?

It starts with training and clearly defined policies that convey to employees that IT teams and outside security contractors will never ask them for their MFA security codes. 

Second, you can increase the difficulty of MFA for higher privileged accounts such as a number-based challenge that requires the user to see both sets of numbers to correctly answer the MFA challenge.

Biometric measures can also be effective as long as employees understand they should never authorize an MFA request they didn’t initiate. 

Zero Trust Network Access (ZTNA)

One of the biggest and most important strategies in modern network security is the deployment of Zero Trust Network Access. ZTNA assumes that all network traffic is untrusted, even if it originates from inside the network itself. 

ZTNA requires that users prove their identity, and then meet specific security requirements before accessing network resources.

This includes granular access rules that can be user- or group-specific. Then context-based verification allows organizations to limit access to resources based on specific criteria, such as device posture, location of the user requesting access, and time of day.

These contexts are also continually verified to ensure that a user’s security posture doesn’t suddenly change, which can be an indication of malicious activity.

Device posture is an important part of context since it demands that user devices meet certain security requirements before accessing resources.

This can be criteria such as the presence of a specific antivirus suite, a custom security certificate, and a minimum operating system version, among others. 

When you put it all together Zero Trust Network Access reduces the risk of unauthorized access to sensitive data and resources.

This is a far better approach than the legacy-based VPN and firewall. Under the old model, you would log in with a VPN, and then once you had access to company resources that was it.

There were limited access rules about who could see what and no context-based requirements with continuous verification.

That meant that once a hacker gained access to a system they had an easier time achieving lateral movement (moving from one server or resource to another).

After lateral movement, hackers would often obtain higher privileged account credentials ultimately gaining access to employee and customer data, or sensitive trade secrets.

ZTNA provides better control over network access, which enables organizations to detect and respond to security incidents more effectively.
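As an added illustration (not Perimeter 81’s code or any product’s API), the Python below evaluates an access request against a resource policy using the group, location, time-of-day and device-posture criteria described above, and re-runs the check on every request to show what continuous verification means in practice; all names, fields and threshold values are assumptions.

```python
"""Context-based ZTNA access decision, written as an illustration.

Assumed (hypothetical) model: a request carries the user's groups, the
device's posture, the country it comes from and the local hour; a resource
policy lists the permitted groups and countries, business hours and the
minimum device posture. Re-evaluating on every request is the "continuous
verification" step: a posture change on a later request revokes access.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DevicePosture:
    av_present: bool                 # required endpoint protection installed
    has_org_cert: bool               # custom organisation certificate present
    os_version: Tuple[int, int]      # e.g. (14, 2); compared as a tuple


@dataclass
class AccessRequest:
    user: str
    groups: List[str]
    country: str
    hour: int                        # 0-23, local time of the request
    posture: DevicePosture


@dataclass
class ResourcePolicy:
    name: str
    allowed_groups: List[str]
    allowed_countries: List[str]
    hours: Tuple[int, int] = (0, 24)  # [start, end) in local hours
    min_os: Tuple[int, int] = (0, 0)
    require_av: bool = True
    require_cert: bool = True


def evaluate(req: AccessRequest, policy: ResourcePolicy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is recorded so the access
    log explains a denial; a single failed check is enough to deny."""
    reasons: List[str] = []
    # Identity: granular, group-specific rule
    if not any(g in policy.allowed_groups for g in req.groups):
        reasons.append("group not permitted")
    # Context: location and time of day
    if req.country not in policy.allowed_countries:
        reasons.append(f"country {req.country} not permitted")
    start, end = policy.hours
    if not start <= req.hour < end:
        reasons.append(f"hour {req.hour} outside {start:02d}-{end:02d}")
    # Device posture
    if policy.require_av and not req.posture.av_present:
        reasons.append("antivirus not present")
    if policy.require_cert and not req.posture.has_org_cert:
        reasons.append("org certificate missing")
    if req.posture.os_version < policy.min_os:
        reasons.append(f"OS {req.posture.os_version} below minimum {policy.min_os}")
    return (not reasons, reasons)


def session_decisions(requests: List[AccessRequest], policy: ResourcePolicy):
    """Continuous verification: re-run the policy for each request in a session
    and end the session the first time a check fails."""
    decisions = []
    for req in requests:
        ok, why = evaluate(req, policy)
        decisions.append((req.user, ok, why))
        if not ok:
            break
    return decisions


if __name__ == "__main__":
    # Constructed sample: HR database, office hours, recent OS required
    hr_db = ResourcePolicy("hr-db", ["hr"], ["DE", "US"], hours=(8, 18), min_os=(13, 0))
    healthy = DevicePosture(True, True, (14, 2))
    degraded = DevicePosture(False, True, (12, 6))
    session = [
        AccessRequest("alice", ["hr"], "DE", 10, healthy),
        AccessRequest("alice", ["hr"], "DE", 10, degraded),   # AV removed mid-session
    ]
    for user, ok, why in session_decisions(session, hr_db):
        print(user, "ALLOW" if ok else "DENY", why)
```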

Malware Protection

Malware is one of the biggest and most common threats to network security.

It can infect computers and networks leading to damage to computer systems, malicious data encryption (ransomware), and data exfiltration.

Malware protection solutions are designed to detect and prevent malware from infecting your network via the most common vehicle for infiltration: the Internet.

While you can get infected through malicious USB keys and drives, the most common way is through a malicious website or downloading a malicious file from the Internet.

Malware protection guards against these threats by analyzing web traffic to identify and block malware.

This usually includes a number of techniques such as signature-based detection, behavior-based detection, and virtual code emulation, to identify and block malware.

Putting together a proper malware protection solution can prevent everything from known malware infections to zero-day exploits and advanced persistent threats (APTs).

Web Filtering

Web filtering is a security mechanism that blocks access to malicious websites and content.

This is a list-based solution that blocks known malicious websites, and it can also be used to prevent employees from venturing into problematic areas of the Internet that may violate company policies, break local laws, or simply be time-wasting distractions. 

The focus, however, is to reduce the risk of employees accessing malicious websites and content, which can lead to malware infections, data breaches, and other forms of cyber threats.

Web Filtering can also reduce the workload for IT teams if they no longer have to deal with issues related to web usage.

Compliance

Although not directly part of network security, compliance is a key consideration when looking at tools and technologies to keep your network secure.

Many companies are responsible for maintaining records for their customers including private information such as health data, credit card data, addresses, and more.

Holding onto information like this as a necessary part of your business only increases the need for solid network security as the consequences of a breach are that much greater.

That’s why Zero Trust Network Access and other modern tools are so important.

Under a traditional perimeter-based approach hackers will have an easier time obtaining sensitive information after a successful breach.

Choosing the Right Solution

Now that we understand what tools you need, how do you choose the right network security solution for your organization?

First, you need to anticipate growth and increased demand for your network security needs.

Opt for solutions that can scale with your business, as well as offer the flexibility to adapt to new threats, and regulatory requirements. Quite often cloud-based platforms are the best choice when it comes to flexibility.

Cost is another important issue; network security investment isn’t just about upfront costs.

There can be many ongoing expenses, especially for hardware-based solutions that require regular maintenance, updates, and support.

And don’t forget about potential hidden costs such as additional licensing fees for certain features or upgrades after your initial service contract expires. It pays (literally) to do your due diligence to discover any potential hidden costs.

If your team is too small to allow for a full-time security expert then consider alternatives such as managed service providers (MSPs).

These specialized organizations offer a wide range of fully managed IT services. By outsourcing some or all of your network security functions to an MSP, your organization can benefit from the expertise and resources of a dedicated security team.

MSPs typically offer 24/7 monitoring and support, threat intelligence, and access to the latest security technologies, ensuring that your organization’s network is continuously protected. 

Suppose you have pre-existing systems that cannot be replaced or are crucial for your business. In that case, you should also consider solutions that offer seamless compatibility with those systems.

Some common pre-existing hardware includes a data center firewall or possibly SD-Wan appliances. 

By considering issues such as scalability, compliance, the total cost of ownership, and legacy integration, you can make an informed decision and select the most suitable network security solution for your organization.

Perimeter 81 Checks All the Boxes

Putting together all of these essential network security features and tools is easy with Perimeter 81.

This cloud-based, converged network security solution provides comprehensive network security focusing on ease of use, lightning-fast deployment, and easy scalability.

Most importantly, however, Perimeter 81 allows you to use ZTNA, Malware Protection, and Web Filtering from a single management console for easier all-around management.

If your ZTNA needs are simpler than most you can also use Perimeter 81’s Firewall as a Service to protect on-prem and cloud-based resources.

While you can permit access to all services to everyone in the company using the firewall, that is not recommended as granular access control is simple to implement with Perimeter 81 even for those with seemingly basic requirements.

A comprehensive network security strategy is critical for all organizations that want to protect their network and data from cyber threats.

This checklist allows organizations to build a robust and effective network security strategy that meets their specific needs and requirements.

Network Security Checklist – Download Free E-Book

Network Security: Private Communication in a Public World


Tags: Network Security Checklist


Mar 27 2023

TLS Essentials 12: TLS 1.2 Wireshark analysis

Category: Network security | DISC @ 12:57 pm

This lesson on TLS – Transport Layer Security – analyzes a TLS 1.2 connection with Wireshark.


TLS 1.2 Wireshark analysis

Wireshark 101: Essential Skills for Network Analysis

midBit Technologies, LLC SharkTap Gigabit Network Sniffer




Tags: SharkTap Gigabit Network Sniffer, TLS 1.2 Wireshark analysis, Transport Layer Security


Jan 26 2023

Wireshark 4.0.3 Released – What’s New!

Category: Network security | DISC @ 9:16 am

The Wireshark Team has recently unveiled the latest iteration of their widely-utilized packet analyzer, Wireshark 4.0.3. 

This version boasts a multitude of improvements, including new features and updates, as well as the resolution of various bugs to ensure a smooth and efficient user experience.

The Wireshark packet analyzer is a free and open-source application that is available for all major platforms. In addition to troubleshooting networks, Wireshark can be used to analyze network traffic, develop software or communications protocols, and can even be used for educational purposes in the cybersecurity field.

Wireshark supports a wide range of network protocols, and with Wireshark a security professional can see the details of network packets in real time, including the:

  • Source IP addresses
  • Destination IP addresses
  • Port numbers
  • Packet sizes

Many organizations utilize this tool on a regular basis as part of their daily business operations so that they can monitor the day-to-day tasks of their businesses.
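As an added example (not Wireshark’s own code), the Python below is a minimal reader for the classic pcap file format that pulls exactly the fields listed above (source and destination IP, port numbers, packet size) from a capture; the two-packet capture it builds is constructed here, and its addresses, ports and timestamps are made up.

```python
"""Minimal pcap reader that extracts the fields Wireshark shows per packet.

Handles the classic (non-pcapng) format with Ethernet link type, IPv4, and
TCP/UDP ports. The sample capture is constructed inline so the script runs
offline; nothing in it was captured from a real network.
"""
import ipaddress
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags+frag (DF set), TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def _ethernet(payload: bytes) -> bytes:
    # constructed MAC addresses; EtherType 0x0800 = IPv4
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload


def _tcp_syn(sport: int, dport: int) -> bytes:
    # sport, dport, seq, ack, data offset (5 words), flags SYN, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_sample_pcap() -> bytes:
    """Constructed capture: a TCP SYN to port 443 and a UDP datagram to port 53."""
    frames = [
        _ethernet(_ipv4_header("192.168.1.10", "93.184.216.34", 6, 20) + _tcp_syn(51515, 443)),
        _ethernet(_ipv4_header("192.168.1.10", "192.168.1.1", 17, 8 + 17)
                  + _udp(40000, 53, b"\x00" * 17)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def summarize_pcap(data: bytes) -> List[Dict]:
    """Return one row per packet with src/dst IP, ports, protocol and size."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # file written in the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    rows, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        row = {"size": orig_len, "src": None, "dst": None,
               "sport": None, "dport": None, "proto": None}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            ip = frame[14:]
            ihl = (ip[0] & 0x0F) * 4        # header length in bytes
            row["proto"] = ip[9]
            row["src"] = str(ipaddress.IPv4Address(ip[12:16]))
            row["dst"] = str(ipaddress.IPv4Address(ip[16:20]))
            l4 = ip[ihl:]
            if row["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP
                row["sport"], row["dport"] = struct.unpack("!HH", l4[:4])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in summarize_pcap(build_sample_pcap()):
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} proto={r["proto"]} {r["size"]} bytes')
```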

Wireshark 4.0.3 Platform Support

Wireshark 4.0.3 packet analyzer is available for all major platforms and operating systems, and below we have given you a list of them in case you need them:

  • Windows
  • Linux
  • macOS
  • BSD

What’s New?

Wireshark 4.0 and later no longer provide official 32-bit Windows packages; they can’t be downloaded from the official Wireshark website or installed on your computer. Qt 5.12.2 is currently the version shipped with the Windows installers.

This version includes fixes for a number of vulnerabilities and bugs. The changes in this version fall into the following areas:

  • Vulnerability Fixes
  • Bug Fixes
  • Updated Protocol Support

Vulnerabilities Fixed

Here below we have mentioned the vulnerabilities that have been fixed in this new version:

Bugs fixed

Here below we have mentioned the bugs that have been fixed in this new version:

  • Qt: After modifying the coloring rules, the coloring rule applied to the first packet reflects the coloring rules previously in effect.
  • The help file doesn’t display for extcap interfaces.
  • For USB traffic on XHC20 interface destination is always given as Host.
  • Wireshark Expert Info – cannot deselect the limit to display the filter tick box.
  • Wrong pointer conversion in get_data_source_tvb_by_name()
  • A wrong number of bits skipped while decoding an empty UTF8String on UPER packet.
  • Crash when analyzing protobuf packets.
  • Uninitialized values in various dissectors.
  • String (GeoIP country/city) ordering doesn’t work in Endpoints.
  • Wireshark crashes with an assertion failure on stray minus in filter.
  • IO Graph: Add new graph only works until the 10th graph.
  • Fuzz job crash output: fuzz-2022-12-30-11007.pcap.
  • Q.850 – error in label for cause 0x7F.
  • Uninitialized values in CoAP and RTPS dissectors.
  • Screenshots in AppStream metainfo.xml file not available.

Updated Protocol Support

Listed below are the protocols whose dissectors were updated in this version:

  • ASTERIX
  • BEEP
  • BGP
  • BPv6
  • CoAP
  • EAP
  • GNW
  • GSM A-bis P-GSL
  • iSCSI
  • ISUP
  • LwM2M-TLV
  • MBIM
  • NBAP
  • NFS
  • OBD-II
  • OPUS
  • ProtoBuf
  • RLC
  • ROHC
  • RTPS
  • Telnet
  • TIPC
  • USB

It is absolutely crucial that users upgrade their current version of Wireshark to the newly released 4.0.3 version as soon as possible. 

The Wireshark team has put a great effort into adding new features and fixing bugs to improve the overall user experience. Failure to update will result in missing out on the many enhancements and refinements this version has to offer.

In addition, if you are interested in getting the latest version of the application, you may click this link.

Wireshark Cheat Sheet

Explore latest WireShark Titles


Tags: wireshark


Jan 16 2023

Most Important Network Penetration Testing Checklist

Category: Cheat Sheet, Network security, Pen Test | DISC @ 11:05 am

Network penetration testing determines vulnerabilities in the network posture by discovering open ports, troubleshooting live systems and services, and grabbing system banners.

The pen test helps administrators to close unused ports, remove additional services, hide or customize banners, troubleshoot services, and calibrate firewall rules. You should test in all ways to guarantee there is no security loophole.

Let’s see how we conduct a step by step Network penetration testing by using some famous network scanners.

Network Penetration Testing

1. HOST DISCOVERY

Footprinting is the first and most important phase, where one gathers information about the target system.

DNS footprinting helps to enumerate DNS records (A, MX, NS, SRV, PTR, SOA, CNAME) resolving to the target domain.

  • A – An A record points a domain name such as gbhackers.com to the IP address of its hosting server.
  • MX – Records responsible for email exchange.
  • NS – Records that identify the DNS servers responsible for the domain.
  • SRV – Records that identify the service hosted on specific servers.
  • PTR – Reverse DNS lookup; with an IP address you can get the domain names associated with it.
  • SOA – Start of Authority record; it holds the information in the DNS system about the DNS zone and other DNS records.
  • CNAME – A CNAME record maps a domain name to another domain name.

We can detect live, accessible hosts in the target network by using network scanning tools such as Advanced IP Scanner, Nmap, hping3, or Nessus.

Ping & Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128            Single host
root@kali:~# nmap -sn 192.168.169.128-20         To scan a range of IPs
root@kali:~# nmap -sn 192.168.169.*              Wildcard
root@kali:~# nmap -sn 192.168.169.128/24         Entire subnet

Whois Information 

To obtain Whois information and the name server of a website:

root@kali:~# whois testdomain.com

  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en

Traceroute

Network diagnostic tool that displays the route path and transit delay of packets:

root@kali:~# traceroute google.com

Online Tools

  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. PORT SCANNING

Perform port scanning using tools such as Nmap, Hping3, Netscan tools, Network monitor. These tools help us to probe a server or host on the target network for open ports.

Open ports are the gateway for attackers to enter and install malicious backdoor applications.

root@kali:~# nmap --open gbhackers.com           To find all open ports
root@kali:~# nmap -p 80 192.168.169.128          Specific port
root@kali:~# nmap -p 80-200 192.168.169.128      Range of ports
root@kali:~# nmap -p "*" 192.168.169.128         To scan all ports
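As an added example (not part of nmap or of the original checklist), the Python below expands the target and port notations used in the host discovery and port scanning commands above into explicit lists, so the scope of a scan can be reviewed and recorded before anything is run; the function names are my own and the addresses in the sample usage are constructed.

```python
"""Expand nmap-style target and port specifications into explicit lists.

Covers the notations used in the checklist: a single address, an octet range
(a.b.c.128-130), a wildcard octet (a.b.c.*), CIDR (a.b.c.0/24), and for ports
a single port, a range (80-200), a comma list, or "*" for every port.
"""
import ipaddress
import itertools
from typing import List


def _octet_values(part: str) -> List[int]:
    """One dotted octet: '128', '128-130' or '*' (0-255)."""
    if part == "*":
        return list(range(256))
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        return list(range(lo, hi + 1))
    value = int(part)
    if not 0 <= value <= 255:
        raise ValueError(f"bad octet {part!r}")
    return [value]


def expand_targets(spec: str) -> List[str]:
    """'192.168.169.128', '192.168.169.128-130', '192.168.169.*', '192.168.169.128/24'."""
    if "/" in spec:
        # CIDR: every address in the block, network and broadcast included,
        # which is what a /24 sweep actually touches
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    ranges = [_octet_values(o) for o in octets]
    return [".".join(str(v) for v in combo) for combo in itertools.product(*ranges)]


def expand_ports(spec: str) -> List[int]:
    """'80', '80-200', '80,443,8000-8010' or '*' (all 65535 ports)."""
    if spec == "*":
        return list(range(1, 65536))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    # Constructed sample scope, e.g. as recorded in a rules-and-scope sheet
    hosts = expand_targets("192.168.169.128-130")
    ports = expand_ports("80,443,8000-8010")
    print(f"{len(hosts)} hosts x {len(ports)} ports = {len(hosts) * len(ports)} probes")
```

A reversed octet range such as 192.168.169.128-20 raises ValueError rather than silently expanding to something else, so a typo in a scope line is caught before the scan starts.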

Online Tools

  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

3. Banner Grabbing/OS Fingerprinting

Perform banner grabbing/OS fingerprinting with tools such as Telnet, IDServe, or Nmap to determine the operating system and service versions of the target host.

Once you know the version and operating system of the target, we need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A 192.168.169.128
root@kali:~# nmap -v -A 192.168.169.128          With high verbosity level

IDServe is another good tool for banner grabbing.

Network pentesting flowchart

Online Tools

  1. https://www.netcraft.com/
  2. https://w3dt.net/tools/httprecon
  3. https://www.shodan.io/

4. Scan for Vulnerabilities

Scan the network for vulnerabilities using GFI LanGuard, Nessus, Retina CS, or SAINT.

These tools help us find vulnerabilities in the target system and operating systems. With these steps, you can find loopholes in the target network system.

GFI LanGuard

It acts as a security consultant and offers patch Management, Vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner that searches for bugs in software and finds a specific way to violate the security of a software product. Its scan consists of:

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram of the organization that helps you understand the logical connection path to the target host in the network.

The network diagram can be drawn with LANmanager, LANstate, Friendly Pinger, or Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content such as ads and much more.

Proxies such as Proxifier, SSL Proxy, Proxy Finder, etc. are used to hide yourself from being caught.

7. Document all Findings

The last and very important step is to document all the findings from the penetration test.

This document will help you in finding potential vulnerabilities in your network. Once you determine the vulnerabilities you can plan countermeasures accordingly.

You can download rules and scope Worksheet here – Rules and Scope sheet 

Thus, penetration testing helps in assessing your network before it gets into real trouble that may cause severe loss in terms of value and finance.

Important Tools used for Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaisance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP Scanner, Colasoft Ping Tool, nmap, Maltego, NetResident, LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan Tools Pro, Advanced Port Scanner

Service Fingerprinting

Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios Enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena, DumpSec, WinFingerprint, PsTools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI LanGuard, Retina, SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John the Ripper, RainbowCrack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

Metasploit, Core Impact

These are the most important checklist items you should concentrate on for network penetration testing.

You can follow us on LinkedIn, Twitter and Facebook for daily cybersecurity updates; you can also take the best cybersecurity courses online to keep yourself updated.


Tags: Penetration Testing Checklist


Dec 16 2022

Network Security Checklist

Category: Network security | DISC @ 12:49 pm

Network Security Checklist via Ethical Hackers Academy

Network Security Assessment: Know Your Network


Tags: Network Security Assessment, Network Security Checklist


Oct 27 2022

Wireshark 4.0.1 Released – What’s New!!

Category: Network security, Security Tools | DISC @ 1:33 pm

A new version of Wireshark has been released recently by the Wireshark Team, it’s Wireshark 4.0.1, which contains several enhancements, new updates, and bug fixes.

Wireshark is one of the most widely used open-source free software packet analyzers that are currently available on the market, and it is available in a variety of options for different platforms.

Wireshark is used for packet analysis not only by network administrators but also by security analysts.

Several organizations make use of this tool to manage and monitor all the activities of their business operations on a regular basis.

Wireshark recently released its Wireshark 4.0.0 and the current Wireshark 4.0.1 is a quick update from the previous one.

Platform Support

For all the major platforms or operating systems, the Wireshark 4.0.1 packet analyzer is available, and here below we have mentioned them:

  • Windows
  • Linux
  • macOS
  • BSD

What’s new in Wireshark 4.0.1?

There are several primary purposes for using Wireshark as a network protocol analyzer, including:

  • Analysis
  • Troubleshooting
  • Education
  • Development

Wireshark 4.0 and later do not have any official 32-bit Windows packages that you can install on your computer. Qt 5.12.2 is now the standard version that ships with Windows installers. The previous version of these packages was Qt 6.2.3, which was shipped by default.

This release removes the experimental display filter syntax used in Wireshark 4.0.0 that allowed literals to be written using angle brackets <…>. You can use the colon prefix instead when dealing with byte arrays.



Oct 05 2022

WireShark 4.0.0 Released – What’s New?

Category: Network security | DISC @ 9:18 am

There are several open-source packet analyzers available, but Wireshark is among the most popular. Moreover, the application has been upgraded to version 4.0.0 and comes with multiple new features and fixes.

It is not only network administrators who use Wireshark to analyze packets, but also security analysts.

Wireshark network protocol analyzer can be used for the following primary purposes:-

  • Troubleshooting
  • Analysis
  • Development
  • Education

Organizations of all sizes use the tool to monitor the network activity behind their business operations.

What’s New?

The official Windows 32-bit package of Wireshark is no longer being distributed with the release of this version. Here below we have mentioned all the new additions:-

  • With many new extensions available, the display filter syntax has become much more powerful.
  • Redesigns have been made to the Conversation and Endpoint dialogs.
  • Packet Detail and Packet Bytes are now displayed underneath the Packet List pane in the default layout for the main window.
  • A number of improvements have been made to the hex dump import from Wireshark and from text2pcap.
  • A great deal of improvement has been made in the performance of using MaxMind geolocation.

New and Updated Features

Here below we have mentioned all the new and updated features in this latest release:-

  • The macOS packages now ship with Qt 6.2.4 and require macOS 10.14. They previously shipped with Qt 5.15.3.
  • The Windows installers now ship with Npcap 1.71. They previously shipped with Npcap 1.70.
  • The Windows installers now ship with Npcap 1.70. They previously shipped with Npcap 1.60.
  • The ‘v’ (lower case) and ‘V’ (upper case) switches have been swapped for editcap and mergecap to match the other command line utilities.
  • The ip.flags field is now only the three high bits, not the full byte. Display filters and Coloring rules using the field will need to be adjusted.
  • New address type AT_NUMERIC allows simple numeric addresses for protocols which do not have a more common-style address approach, analogous to AT_STRINGZ.
  • The Conversation and Endpoint dialogs have been redesigned.
  • The Windows installers now ship with Qt 6.2.3. They previously shipped with Qt 6.2.4.
  • The Windows installers now ship with Npcap 1.60. They previously shipped with Npcap 1.55.
  • The Windows installers now ship with Qt 6.2.4. They previously shipped with Qt 5.12.2.
  • The display filter syntax has been updated and enhanced.
  • The default main window layout has been changed so that the Packet Detail and Packet Bytes are side by side underneath the Packet List pane.
  • The HTTP2 dissector now supports using fake headers to parse the DATAs of streams captured without first HEADERS frames of a long-lived stream (such as a gRPC streaming call which allows sending many request or response messages in one HTTP2 stream). Users can specify fake headers using an existing stream’s server port, stream id and direction.
  • The IEEE 802.11 dissector supports Mesh Connex (MCX).
  • The “Capture Options” dialog contains the same configuration icon as the Welcome Screen. It is now possible to configure interfaces there.
  • The “Extcap” dialog remembers password items during runtime, which makes it possible to run extcaps multiple times in a row without having to reenter the password each time. Passwords are never stored on disk.
  • It is possible to set extcap passwords in tshark and other CLI tools.
  • The extcap configuration dialog now supports and remembers empty strings. There are new buttons to reset values back to their defaults.
  • Support to display JSON mapping for Protobuf message has been added.
  • macOS debugging symbols are now shipped in separate packages, similar to Windows packages.
  • In the ZigBee ZCL Messaging dissector the zbee_zcl_se.msg.msg_ctrl.depreciated field has been renamed to zbee_zcl_se.msg.msg_ctrl.deprecated.
  • The interface list on the welcome page sorts active interfaces first and only displays sparklines for active interfaces. Additionally, the interfaces can now be hidden and shown via the context menu in the interface list.
  • The Event Tracing for Windows (ETW) file reader now supports displaying IP packets from an event trace logfile or an event trace live session.
  • ciscodump now supports IOS, IOS-XE and ASA remote capturing.
  • The PCRE2 library is now required to build Wireshark.
  • You must now have a compiler with C11 support in order to build Wireshark.
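To see what the ip.flags change in the list above means for existing filters and coloring rules, here is an added Python example (not Wireshark's own code) that parses the flags/fragment-offset word of two constructed IPv4 headers and evaluates an `ip.flags == value` test both the pre-4.0 way (the full high byte, as the release note describes) and the 4.0 way (three bits). The sample headers and the helper names are constructed for this example.

```python
"""Added example (not Wireshark code): why display filters and coloring rules on
ip.flags must be adjusted for Wireshark 4.0, which exposes only the three flag
bits instead of the whole high byte of the flags/fragment-offset word."""
import struct

# Constructed 20-byte IPv4 headers (checksum left as zero; not validated here).
# Both: src 192.0.2.1 -> dst 198.51.100.2, TTL 64, protocol 6 (TCP), total length 40.
# SAMPLE_DF: flags/fragment word 0x4000 -> DF set, fragment offset 0.
SAMPLE_DF = bytes.fromhex("45000028" "12344000" "40060000" "c0000201" "c6336402")
# SAMPLE_MF_FRAG: flags/fragment word 0x2123 -> MF set, fragment offset 0x123 (291).
SAMPLE_MF_FRAG = bytes.fromhex("45000028" "12342123" "40060000" "c0000201" "c6336402")


def parse_ipv4_flags(header: bytes) -> dict:
    """Return the flag bits and fragment offset of an IPv4 header, plus the value
    ip.flags holds in Wireshark 4.0 (three bits) and, per the release note,
    in 3.x builds (the full high byte)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack("!H", header[6:8])
    flags_4x = flags_frag >> 13          # bits 15..13: reserved, DF, MF
    flags_3x = flags_frag >> 8           # whole high byte: flags + top 5 offset bits
    return {
        "flags_4x": flags_4x,
        "flags_3x": flags_3x,
        "rb": bool(flags_4x & 0b100),
        "df": bool(flags_4x & 0b010),
        "mf": bool(flags_4x & 0b001),
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
    }


def ip_flags_matches(header: bytes, value: int, wireshark_major: int) -> bool:
    """Evaluate a display filter of the form 'ip.flags == value' the way the
    given Wireshark major version would (3 = full byte, 4 = three bits)."""
    fields = parse_ipv4_flags(header)
    field = fields["flags_4x"] if wireshark_major >= 4 else fields["flags_3x"]
    return field == value


def migrate_ip_flags_value(value_3x: int) -> tuple:
    """Convert a pre-4.0 ip.flags literal (full byte) to the 4.0 three-bit value.
    The second element is False when the old literal also encoded fragment-offset
    bits, i.e. the old rule matched only some fragments rather than testing flags."""
    if not 0 <= value_3x <= 0xFF:
        raise ValueError("legacy ip.flags value must fit in one byte")
    return value_3x >> 5, (value_3x & 0x1F) == 0


if __name__ == "__main__":
    for name, hdr in (("DF packet", SAMPLE_DF), ("MF fragment", SAMPLE_MF_FRAG)):
        f = parse_ipv4_flags(hdr)
        print(f"{name}: 3.x ip.flags=0x{f['flags_3x']:02x}  4.0 ip.flags=0x{f['flags_4x']:x}  "
              f"DF={f['df']} MF={f['mf']} offset={f['frag_offset']}")
    # The old rule 'ip.flags == 0x20' (meant to catch MF) misses this fragment in 3.x
    # because offset bits leak into the byte; the migrated rule 'ip.flags == 0x1' catches it.
    print("3.x  ip.flags == 0x20 :", ip_flags_matches(SAMPLE_MF_FRAG, 0x20, 3))
    print("4.0  ip.flags == 0x1  :", ip_flags_matches(SAMPLE_MF_FRAG, 0x1, 4))
    print("migrate 0x40 ->", migrate_ip_flags_value(0x40))
```

The second sample shows the practical risk of the old byte-wide field: a coloring rule written as `ip.flags == 0x20` never fired on fragments with a larger offset, so migrating such rules to the three-bit value also fixes a detection gap.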


Wireshark for Security Professionals

Wireshark cheat sheet

Tags: wireshark, WireShark Cheat Sheet


Mar 06 2022

Network Infrastructure Security Guidance

Category: Information Security, Network security | DISC @ 2:44 pm

Building a Future-Proof Cloud Infrastructure: A Unified Architecture for Network, Security, and Storage Services


Feb 23 2022

A comparison of NDR solutions: Deep packet inspection (DPI) vs. metadata analysis

Category: Network security | DISC @ 9:54 am

DPI has become popular since it provides very detailed traffic analysis. However, this approach requires designated hardware sensors and large amounts of processing power, while at the same time being blind to encrypted network traffic and only analysing data flowing over the mirrored infrastructure.

Metadata analysis (MA) overcomes these limitations to provide detailed and insight-enriched visibility into the entire network. In addition, MA is completely unaffected by encryption and ever-increasing network traffic. These advantages make MA-based NDR solutions a superior and future-proof alternative to NDR solutions relying on deep packet inspection.

Modern organisations are characterised by complex IT environments and expanding attack surfaces. To protect themselves, they need a robust cyber architecture with a reliable Network Detection and Response (NDR) solution. NDR is crucial to detect suspicious behaviours and malicious actors, and quickly respond to threats. NDR tools continuously analyse traffic to build models of “normal” behaviour on enterprise networks, detect suspicious traffic, and raise alerts.

Traditional NDR solutions rely on deep packet inspection (DPI). This approach supports detailed analysis and has thus become quite popular. But as data volumes increase and network traffic becomes increasingly encrypted, such solutions are becoming inadequate to protect enterprise networks moving forward. What organisations now need is a more future-proof NDR solution relying on metadata analysis.

In this article, we explore and compare two NDR approaches: deep packet inspection and metadata analysis. We will examine why metadata analysis is a superior detection technology to protect IT/OT networks from advanced cyber threats.

What is deep packet inspection and how does it work?

Deep packet inspection is the traditional approach to NDR. DPI monitors enterprise traffic by inspecting the data packets flowing across a specific connection point or core switch. It evaluates the packet’s entire payload, i.e., its header and data part to look for intrusions, viruses, spam, and other issues. If it finds such issues, it blocks the packet from going through the connection point.

DPI relies on traffic mirroring. In effect, the core switch provides a copy (“mirror”) of the network traffic to the sensor that then uses DPI to analyse the packet’s payload. Thus, DPI provides rich information and supports detailed analysis of each packet on the monitored connection points. This is one of its biggest benefits.

However, its drawbacks outnumber this benefit. As network traffic continues to increase and IT environments become increasingly complex and distributed, DPI is reaching its limits.

NDR

Why DPI can’t detect or prevent advanced cyberattacks

Threat Hunting with Elastic Stack: Solve complex security challenges with integrated prevention, detection, and response

Tags: Deep packet inspection, NDR solutions


Feb 10 2022

How Does An IPv6 Proxy Work & How Enterprises Can Get Benefit?

Category: Network security | DISC @ 9:12 am

Technological advancements have come a long way – from when internet utility was very limited, to when internet connection was achieved only through internet protocol (IP) version 4 (IPv4) addresses, to this modern age where IPv6 is the next big thing.

IPv6 stands for internet protocol version 6, as you might have figured out by now, and was first introduced in 2012.

It became imperative after developers discovered that IPv4 had a finite number of addresses. It would not take long before we ran out of possible combinations for the fourth IP version.

As such, a new version that would allow humanity to generate an infinite number of IP addresses was born: IPv6. Several technologies have since been built and designed in its wake.

The IPv6 proxy, for instance, was subsequently developed to make things easy. IPv6 had several benefits, such as more convenient routing of traffic and simpler packet headers, which attracted many organizations to start hosting their servers on it.

However, traffic and connections coming from the older IPv4 could not reach or interact with these new servers because they operated on different standards.

Therefore, it became necessary to build a tool that could translate all IPv4 traffic to reach IPv6 hosted servers, hence the IPv6 proxy.

What Is A Proxy?

A proxy is a device or computer that can serve as the middleman between different servers or networks.

It can stand anywhere between the user and the internet and transfer data and connections back and forth quickly and securely.

This traffic transfer is often done using its IP and location while concealing the user’s details. This helps to provide necessary security and anonymity for the internet user.

How Do Proxies Work?

Proxies are not the only tools used in re-routing users’ connections, but they are one of the most effective, and this is evident in the way they work:

  • The user sends out a request using a proxy
  • The proxy accepts the incoming traffic and remodels it to ensure lesser errors and better speed
  • Then it masks the user’s IP and transfers the traffic using its IP instead
  • The request reaches the final server, and the results are collected and returned to the user via the proxy network
  • The proxy again accepts this traffic and screens it for possible malware. Once it certifies that it is healthy, it sends it to the user.
  • The user receives the result quickly as a web page.
  • All these happen so quickly and seamlessly that users can’t even tell there have been interceptions at different levels and points.

What Are Proxies Used For?

Proxies are essential for several reasons, and below are some of the most common:

  1. To Boost Internal Security

The internet may be a lovely place for both individuals and brands, but it can also turn sour quickly.

There are cybercriminals monitoring traffic at every turn, waiting for data they can breach.

Proxies are used because they can hide your IP and sensitive data and filter traffic to ensure the user is protected at all times.

  2. To Reduce Server Load

Servers are just like every other type of machine – they can only handle what is within their capacity.

When a server has to deal with too much traffic every day, it doesn’t take long before it crashes.

Proxies are helpful because they are excellent at reducing the workload on servers. For instance, proxies can allocate traffic to the available server to prevent one server from taking too much load.

Proxies can also deploy caching mechanisms where they store results from past queries. This way, they can pull the data from what has been stored instead of disturbing the servers.

  3. To Bypass Restrictions

There are several limitations and restrictions that people face when surfing the internet. Some users can get banned or blocked when they use the same IP to interact with a website or server repeatedly.

Other users can get restricted from using particular services or accessing specific content because of where they live.

Proxies are used to prevent both types of limitations, as they can supply users with an extensive collection of IPs to prevent bans and with multiple locations to bypass geo-restrictions.

What Is An IPv6 Proxy?

An IPv6 proxy can be defined as a type of proxy that translates IPv4 traffic into IPv6 traffic. It could be software or hardware that stands between users and the internet and translates this older traffic into the IPv6 version.

The purpose is often to allow traffic from devices using the older IP version to reach servers hosted on the IPv6 standard.

Without this tool, it would be impossible for anyone using the older IP versions to interact with IPv6 standards.

The IPv6 proxy can also perform other essential functions of a regular proxy, including concealing the user’s networks to provide online privacy and filtering traffic to boost online security.

How Do IPv6 Proxies Work?

As the world adopts IPv6 standards and gradually moves towards it, several users, including organizations and service providers still using the IPv4 standard, need a tool to help them translate and forward their traffic.

IPv6 proxies work by intercepting traffic from the older IP standard, translating the address and header, and routing the information before forwarding them to an IPv6 server or target device.

The Main Use Cases of IPv6 Proxies

There are several ways the IPv6 proxy can be used (visit Oxylabs for more info), including the following:

  1. Maximizing Online Security and Privacy

Like all significant proxies, IPv6 proxies also play a massive role in boosting your security and that of your data. Whatever your online activity, you can hide your identity using these proxies with zero cost to your browsing speed and performance.

  2. Bypassing Censorship and Constraints

If you experience bans, blockings, and restrictions very often online, you may want to consider switching to the IPv6 proxies as they can easily bypass these challenges. You can easily choose a different IP and location to appear like a completely different user.

  3. Web Scraping

IPv6 proxies can also be used with a dedicated scraper to harvest a large amount of data from different sources at once. This capability comes from the fact that an IPv6 proxy can translate and re-route any traffic to help it reach any server. It can also provide you with multiple IP addresses and locations to help you perform these repetitive tasks without using an IP twice.

IPv6 Essentials: Integrating IPv6 into Your IPv4 Network

Tags: IPv6 Proxy


Jan 08 2022

WireShark Cheat Sheet

Category: Cheat Sheet, Network security | DISC @ 11:08 am

Learn Wireshark: Confidently navigate the Wireshark interface and solve real-world networking problems

Tags: WireShark Cheat Sheet


Dec 23 2021

WireShark Cheat sheet

Category: Cheat Sheet, Network security | DISC @ 11:13 am

Tags: wireshark


Sep 27 2021

Ways to Improve Internet Speed

Category: Network security | DISC @ 2:31 pm

A slow internet connection that makes you wait for ages before you can finally access a webpage is surely quite a pain! It tests your patience to the last limits and doesn’t allow you to complete your work on time. It is equally frustrating for gamers, who always need an active internet connection to play. Alongside this, slow internet hinders users’ efficiency a great deal.

If you are sick and tired of your slow-poke internet, here are a few ways through which you can augment the speed of your internet, easily.

  • Restart the Router

This is surely an age-old formula for repairing things, and it works quite well most of the time. If your internet connectivity is getting blocked or the connection gets interrupted quite a lot, you need to try this method for sure. All you need to do is turn off the switch giving power to the router. Once you turn it on again, it will work well and deliver the speed you always wanted.

  • Use a Cable

Going back to the old typical cable connectivity might help you with your internet speed this time. Yes, you read that right! You may need to take that dangling wire out of your storage box and put it back to work. The speed it delivers will amaze you. This happens because there is no distraction, distortion, or blockade anymore, which might affect the signal strength of the Wi-Fi.

Tags: Boost internet speed, Improve Internet Speed


Sep 07 2021

Poisoned proxy PACs! The NPM package with a network-wide security hole

Category: Network security | DISC @ 9:24 am

Not long ago, independent software developer Tim Perry, creator of the HTTP Toolkit for intercepting and debugging web traffic…

…decided to add proxy support to his product, which, like lots of software these days, is written using Node.js.

ICYMI, Node.js is the project that took the JavaScript language out of your browser and turned it into a full-blown application development system in its own right, a bit like Java (which is unrelated to JavaScript, by the way, for all that the names sound similar).

As well as the JavaScript core, which uses the V8 JavaScript engine from Google’s Chromium project, Node.js software typically also relies on NPM, the Node package manager, and the NPM registry, a truly enormous repository of open-source Node tools and programming libraries.

The NPM registry runs from basic text formatting to full-on facial recognition, and almost everything in between.

Instead of writing all of the code in your project yourself, or even most of it, you simply reference the add-on packages you want to use, and NPM will fetch them for you, along with any additional packages that your chosen package needs…

…and all the packages that those packages need, following the turtles packages all the way down until every piece of add-on code needed to complete the jigsaw has been located and installed automatically.


Tags: security hole


Aug 27 2021

Don’t Leave Security to the Network

Category: Network security | DISC @ 9:08 am

Key Strategic Criteria

The solution is, instead, to focus on building applications that are secure by design, with zero-trust security baked-in rather than bolted-on. This is one of the three key strategic criteria we see for forward-looking enterprises that are accelerating the security of their applications.

  • Make applications secure by design – zero-trust is now the recommended security model.
  • Embrace tools that enable agility and efficiency and eliminate complexity.
  • Embrace open source for future-proofing, maximum visibility and to avoid proprietary lock-in.

Integrating security and the WAN is the next wave in network architecture. That means embedding zero-trust and access management capabilities in applications.

Zero-trust, to continue with the sporting event analogy, requires ticket checks before fans reach the stadium; it determines if they are authentic fans and therefore whether they can enter, where they can go once they’re inside the venue and which events they can watch. Zero-trust uses context as well as identity to authenticate users, and it enables policies that permit access only within a certain time window, a particular network segment or to a specific application. It removes the element of implicit trust that is so easily exploited, whether deliberately by bad actors or accidentally by careless users.

Zero-Trust Network Security

Zero Trust Networks: Building Secure Systems in Untrusted Networks

Tags: Zero-Trust Network Security


Aug 10 2021

Home and small business routers under attack – how to see if you are at risk

Category: Network security | DISC @ 10:53 am

Evan Grant, a researcher at network security scanning company Tenable, recently decided to have a go at hacking a home router.

The idea, it seems, was more to learn about the general techniques, tools and procedures available to router hackers than to conduct a security assessment of any particular product.

Understandably, therefore, Grant picked a router model using two non-technical criteria: was it popular, and was it available in Canada (Grant’s home country)?

After opening up the router casing to get access to the circuit board, Grant made good progress by quickly:

  • Finding likely pins on the circuit board where a debugging device could be connected.
  • Identifying the correct wiring for the debugging circuitry to permit a serial connection.
  • Getting a root shell via a serial line and accessing the files on the device.

Grant’s first stop was to download a binary file (executable program) called httpd, which is the name under which you typically find a home or small business router’s web server, used for managing the device from a browser.

The name httpd stands for HTTP daemon, where HTTP means that the program handles web traffic, and daemon is the Unix/Linux name for what Windows users know as a service: software that runs in the background whether anyone is logged in or not. (The word daemon is properly pronounced “die-moan” or “day-moan”, but many sysadmins just call them “demons”, and you may need to follow suit to avoid causing confusion.)


Network Security Assessment: Know Your Network

Tags: routers at risk


May 07 2021

Possible attacks on the TCP/IP protocol stack and countermeasures

Category: Network security | DISC @ 8:14 am

The task of a computer security system is to safeguard the information transmitted over the network and to adequately preserve the data stored in it. 

Excluding in this discussion threats due to natural disasters, we can classify the man-made risk, to which an information system is subject, into intentional threats or unintentional threats due to negligence or inexperience.

Businesses need to protect themselves from these threats, which can put both applications and assets at serious risk.

Intentional human threats can come from individuals with an interest in acquiring information or limiting the operation of business processes, driven by the pursuit of financial or political gain, or simply for fun.

An intentional attack can come from individuals outside the organisation or from internal staff such as ex-employees, disgruntled employees or malicious actors. In fact, personnel who are familiar with the security systems and the structure of the information system and who have the authorisation to access the system itself, can get hold of information or insert malicious code more easily.

The development of the Internet and the distributed processing of information over shared lines has certainly made security a necessary duty. Therefore, the corporate network, if not adequately protected, could be subject to unauthorized access with possible network compromise and information theft.


May 04 2021

Hospital Operator Takes Network Offline After Major Cyberattack

A Californian hospital operator has made the move to take its network offline after it was hit by a major cyberattack.

Reports state that the Scripps Health computer network that operates across half a dozen hospitals and a number of outpatient facilities in the San Diego, California area was forced to move to offline procedures after hackers launched a major cyberattack. 

The Californian hospital operator says it has notified law enforcement and government agencies of the cyberattack, but did not specify which departments it has informed of the potential data breach.


Data Protection and Privacy in Healthcare

Tags: Major cyberattack

