1.

Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP) is the primary transport layer IP protocol used to
provide reliable, full-duplex connections and exchange encapsulated TCP data in an IP
datagram. TCP is typically implemented on hosts only to provide reliable end-to-end data
delivery. The unit of transfer between the TCP software on two machines is called a TCP
segment. Segments are exchanged to establish connections, transfer data, send
acknowledgements, advertise window sizes and close connections. Each TCP segment,
encapsulated in an IP datagram, has a TCP header - 20 bytes long. TCP use headers as part
of packaging message data for transfer over network connections. TCP headers contain a set
of parameters called fields defined by the protocol technical specifications.

TCP Header Format

Each TCP header has ten required fields totaling 20 bytes (160 bits) in size. They can also
optionally include an additional data section up to 40 bytes in size.

TCP headers appear in the following sequence:

1. Source TCP port number (2 bytes)

2. Destination TCP port number (2 bytes)
3. Sequence number (4 bytes)
4. Acknowledgment number (4 bytes)
5. TCP data offset (4 bits)
6. Reserved data (3 bits)
7. Control flags (up to 9 bits)
8. Window size (2 bytes)
9. TCP checksum (2 bytes)
10. Urgent pointer (2 bytes)
11. TCP optional data (0-40 bytes)

The headers supply specific information:

 Source and destination TCP port numbers are the communication endpoints for
sending and receiving devices.
 Message senders use sequence numbers to mark the ordering of a group of messages.
Both senders and receivers use the acknowledgment  numbers field to communicate
the sequence numbers of messages that are either recently received or expected to be
sent.
 The data offset field stores the total size of a TCP header in multiples of four bytes. A
header not using the optional TCP field has a data offset of 5 (representing 20 bytes),
while a header using the maximum-sized optional field has a data offset of 15
(representing 60 bytes).
  Reserved data in TCP headers always has a value of zero. This field serves the
purpose of aligning the total header size as a multiple of four bytes (important for the
efficiency of computer data processing).
 TCP uses a set of six standard and three extended control flags (each an individual bit
representing on or off) to manage data flow in specific situations. One bit flag, for
example, initiates TCP connection reset logic.

 TCP senders use a number called window size to regulate how much data they send to
a receiver before requiring an acknowledgment in return. If the window size becomes
too small, network data transfer will be unnecessarily slow, while if the window size
becomes too large, the network link can become saturated (unusable for any other
applications) or the receiver may not be able to process incoming data quickly enough
(also resulting in slow performance). Windowing algorithms built into the protocol
dynamically calculate size values and use this field of TCP headers to coordinate
changes between senders and receivers.
 The checksum value inside a TCP header is generated by the protocol sender as a
mathematical technique to help the receiver detect messages that are corrupted or
tampered with.
 The urgent pointer field is often set to zero and ignored, but in conjunction with one
of the control flags, it can be used as a data offset to mark a subset of a message as
requiring priority processing.

 Usages of optional TCP data include support for special acknowledgment and
window scaling algorithms

Layer 4 Protocol- Transport Layer

The Internet transport layer is implemented by Transport Control Protocol (TCP) and the
User Datagram Protocol (UDP). TCP provides connection-oriented data transport, whereas
UDP operation is connectionless.TCP provides full-duplex, acknowledged, and flow-
controlled service to upper-layer protocols. It moves data in a continuous, unstructured byte
stream in which bytes are identified by sequence numbers. TCP can support numerous
simultaneous upper-layer conversations.

What is penetration testing

A penetration test, also known as a pen test, is a simulated cyber-attack against your
computer system to check for exploitable vulnerabilities. In the context of web application
security, penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve the attempted breaching of any number of application systems, (e.g.,
application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities,
such as unsensitized inputs that are susceptible to code injection attacks.

Insights provided by the penetration test can be used to fine-tune your WAF security policies
and patch detected vulnerabilities.

Penetration testing methods

What is Penetration Testing?

Penetration testing is the art of finding vulnerabilities and digging deep to find out how much
a target can be compromised, in case of a legitimate attack. A penetration test will involve
exploiting the network, servers, computers, firewalls, etc., to uncover vulnerabilities and
highlight the practical risks involved with the identified vulnerabilities.

Stages of Penetration Testing

Penetration testing can be broken down into multiple phases; this will vary depending on the
organization and the type of test conducted– internal or external. Let’s discuss each phase:

1) Agreement phase:

In this phase, there is a mutual agreement between the parties; the agreement covers high-
level details- methods followed and the exploitation levels. The attacker cannot bring down
the production server even if the testing has been done at non-peak hours. What if the
attacker changes the data that has been contained in the database in production? This will
unveil the vulnerabilities but at the cost of business. A non-disclosure agreement has to be
signed between the parties before the test starts.

2) Planning and reconnaissance:

In this phase, the attacker gathers as much information about the target as possible. The
information can be IP addresses, domain details, mail servers, network topology, etc. An
expert hacker will spend most of the time in this phase, this will help with further phases of
the attack.

3) Scanning:

This is the phase where the attacker will interact with the target with an aim to identify the
vulnerabilities. An attacker will send probes to the target and records the response of the
target to various inputs. This phase includes- scanning the network with various scanning
tools, identification of open share drives, open FTP portals, services that are running, and
much more. In case of a web application, the scanning part can be either dynamic or static. In
static scanning, the application code is scanned by either a YTool or an expert application
vulnerability analyst. The aim is to identify the vulnerable functions, libraries and logic
implemented. In dynamic analysis, the tester will pass various inputs to the application and
record the responses; various vulnerabilities like injection, cross-site scripting, remote code
execution can be identified in this phase.

4) Gaining Access:

Once the vulnerabilities have been identified, the next step is to exploit the vulnerabilities
with an aim to gain access to the target. The target can be a system, firewall, secured zone or
server. Be aware that not all vulnerabilities will lead you to this stage. You need to identify
the ones that are exploitable enough to provide you with access to the target.

5) Maintaining access:

The next step is to ensure that the access is maintained; i.e., persistence. This is required to
ensure that the access is maintained even if the system is rebooted, reset or modified. This
kind of persistence is used by attackers who live in the system and gain knowledge about
them over a period of time, and when the environment is suitable, they exploit.

6) Exploitation:

This is the phase where the actual damage is done. An attacker will try to get the data,
compromise the system, launch dos attacks, etc. Usually, this phase is controlled in
penetration testing so as to ensure that the mayhem on the network is limited. This phase is
modified in this way- a dummy flag is placed in the critical zone, may be in the database; the
aim of the exploitation phase will be to get the flag. Revealing the contents of the flag will be
enough to ensure practical exploitation of the network or data theft.

7) Evidence collection and report generation:

Once the penetration test is complete, the final aim is to collect the evidence of the exploited
vulnerabilities and report it to the executive management for review and action. Now, it is the
management’s decision on how this risk has to be addressed. Whether they want to accept the
risk, transfer it or ignore it (least likely option).

Different Types and Methods of Penetration Testing

Types of penetration testing can be categorized on the basis of either, the knowledge of the
target or the position of the penetration tester. There are a few other parameters to the
categorization of penetration.

 Black Box, Gray Box, and White Box:

When the penetration tester is given the complete knowledge of the target, this is called a
white box penetration test. The attacker has complete knowledge of the IP addresses, controls
in place, code samples, etc. When the attacker has no knowledge of the target, this is referred
to as a black box penetration test. Please note that the tester can still have all the information
that is publically available about the target. When the tester is having partial information
about the target, this is referred to as gray box penetration testing. In this case, the attacker is
having some knowledge of the target like URLs, IP addresses, etc., but does not have
complete knowledge or access. This is with respect to the knowledge.

 Internal and External Penetration test:

If the penetration test is conducted from outside the network, this is referred to as external
penetration testing. If the attacker is present inside the network, simulation of this scenario is
referred to as internal penetration testing. Since the attacker is an internal person, the
knowledge about the system and the target will be abundant when compared to a test
conducted from outside.

 In-house and Third party Penetration test:

When the test is conducted by an in-house security team, it is another form of internal
penetration testing. Companies often hire third-party organizations to conduct these tests, this
is referred to as third-party penetration testing.

 Blind and Double-Blind Penetration test:

In a blind penetration test, the penetration tester is provided with no prior information but the
organization name. The penetration tester will have to do all the homework, just like a
legitimate attacker would do. This will surely take more time, but the results would be more
close to the practical attacks. A double-blind test is like a blind test but the security
professionals will not know when the testing will start. Only the senior management will
have this information. This will test the processes, controls and the awareness of the security
teams if and when a real attack occurs.

Importance of penetration testing in business

For an organization, the most important thing is business continuity. Second most important
thing is the supporting services that ensure the business runs smoothly. Thus, to ensure that
senior management is involved and pays attention, a penetration tester should highlight the
risks that a business might face due to the findings. Let’s discuss a few important pointers
that cover two things:

 What is in this for the business, in terms of capital?

 What is there for the security teams?

A penetration test will ensure that:

1) Weaknesses in the architecture are identified and fixed before a hacker can find and
exploit them; thus, causing a business loss or unavailability of services.

2) Organisations these days need to comply with various standards and compliance
procedures. A penetration test will ensure that the gaps are fixed in time to meet compliance.
One of the examples is PCI-DSS; an organization which deals with customer’s credit card
information (store, process or transmit) have to get them PCI-DSS certified. One of the
requirement is to get penetration testing done.

3) Penetration tests will be an eye-opener or a check on the organization’s internal security

team. How much time do they take to identify attacks and take responsive steps? Do they
realize that a breach has happened? If yes, what do they do? And, when they do, is it
sufficient?

4) What will be the effect if a real attack occurs? What damage can be done? We can actually
calculate the potential loss to the organization if an attack occurs.

Tools and techniques

Now that we have talked enough about what is the need of a penetration test. We need to talk
about the tools that a penetration tester can use to conduct this test.

1. Nessus

Nessus is a network and web application vulnerability scanner, it can perform different types
of scans and help a penetration tester identify vulnerabilities. The attacker can then spend
time in determining what can be exploited further. The free version of the tool is having some
interesting features disabled. The full version is powerful and has a lot of features that will
help during the scanning phase of the penetration test.

2. Dirbuster

Dirbuster is a directory busting tool, this will help the attacker to find the directories that are
present. The tool will take an input list and will help in testing their availability. This will
allow for footprinting of the directory structure and find directories that will be difficult to
find.

3. Metasploit

Metasploit is an exploitation framework that has been packed with various capabilities. A
skilled attacker can generate payloads, shellcodes, gain access, and perform privilege
escalation attacks. The knowledge of python and ruby will be helpful since the framework
uses them for most of the scripts.

4. Burp Suite
This tool is specifically used for testing web applications. Let us assume that you have
uncovered a test web application that is no longer used after production push. You can use
this tool to dig deeper into the application and hunt vulnerabilities. The high severity
vulnerabilities can be further exploited to move forward with the attack.

What is cyber attack ?

A cyber attack is any type of offensive action that targets computer information systems,
infrastructures, computer networks or personal computer devices, using various methods to
steal, alter or destroy data or information systems.

1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks

2. Man-in-the-middle (MitM) attack
3. Phishing and spear phishing attacks
4. Drive-by attack
5. Password attack
6. SQL injection attack
7. Cross-site scripting (XSS) attack
8. Eavesdropping attack
9. Birthday attack
10. Malware attack

Password Attacks
Nowadays, it seems as if you need a password for everything. I have so many passwords that I find it
hard to keep track. Although it might sound like a good idea to keep your passwords simple or to
write them down, both practices are highly discouraged. The goal is to make it harder for

someone to find or guess your password; therefore, password integrity is necessary. That being said,
an attacker might attempt a login with false credentials. It is also important to note that not all
attackers are external users. Many recorded instances of attempted and/or successful attacks have
come from internal company employees.

1. Malware Used in Cyber Attacks

Malware “Malicious Software” is developed by a cyber-attacker with the purpose of invading

the target’s computer and taking some or full control. Usually, Malware can infect the system
or network with the initial unintentional and unknowing help from a human and continue to
self-replicate automatically. Once security is breached and the Malware is in the system, it
can do serious damage. Hackers lure a user to click an email attachment, download an
executable software hidden as an e-book, or infect portable devices so that they can spread
faster.

Here are the Most common types of Malware of 2019:

1. Virus:
Spreads with user action, such as opening an infected file. They depend on a host file.
2. Worms:
They replicate themselves automatically, without the use of a host file.
3. Trojan Horse:
Malware that disguises as legitimate software. Once you install the “legitimate software”
the malware takes control of your system.
4. RootKit:
Hidden deeply within the computer files. It provides continued privilege or backdoor
access to the computer.
5. LogicBomb:
A set of instructions inserted into software that sets off a malicious action when a certain
condition is triggered.
6. ExploitKit:
Searches for software vulnerabilities. It is very effective on unpatched systems.
7. Adware:
Stands for Malicious Ads. It presents continuous unwanted ads on a computer. Some
adware monitors the user’s behavior so it can serve tailored ads.
8. Ransomware:
It blocks (kidnaps) key files or data on the computer and asks for money so they can be
liberated.
 

2. Phishing

A cyber-attack that aims to obtain sensitive information by cheating targets into believing
fake messages. Phishing attackers disguise themselves as a trustworthy source and send lures
usually through email, social media, or other electronic media.

Phishing relies on social engineering to be able to deceive its targets. It makes a user enter
their personal information, such as username, password, credit card, etc to a fake website that
looks like the legitimate site, but it is not. The fake website either keeps sensitive information
or installs Malware on the user’s computer.
 

3. Man in the Middle Attack

As the name implies, an attacker sits in the middle of the communication between two targets
and is able to eavesdrop. The Man-In-The-Middle Attack or MITM attempts to secretly
intercept and listen to the legitimate communication between two hosts.

The attacker acts as a relay who listens and sometimes even alters the conversations with the
two hosts. It intercepts the entire communication passing through the two victims and even
inserts new messages.

A MITM can happen in any sort of online or electronic communication.

Here are the Most Common of MITM attacks:

 Email Hijacking
 Wireless LAN Eavesdrop
 Session Hijacking
 

4. DoS and DDoS Denial of Service Attack

This cyber-attack floods the systems with too much traffic that it overloads resources and
bandwidth, making servers and network unavailable. With too much information a server or
system is often unable to respond to valid requests so it overloads. DoS attackers attempt to
make network resources unavailable to its legitimate users by flooding the servers with junk
and oversized requests.

In a DDoS Distributed Denial of Service attack, the source of DoS traffic comes from
multiple different places. An attacker usually crafts a DDoS with an army of bots (or botnet).
All bots (also referred to as Zombies) in a botnet are infected systems that can be controlled
to send loads of malformed traffic.

A variation of DDoS is the HTTP Flood. This attack controls the HTTP and POST unwanted
requests to attack a web server. The HTTP Flood uses a botnet to overwhelm a server with
too many HTTP requests.
 

5. Cross Site Scripting

This attack aims to insert malicious code into a website which targets a visitor’s browser.
Cross Site Scripting, also knowns as XSS targets trusted web applications. The attacker uses
the web app to inject the code such as a browser or client-side scripts that is viewed by other
users of the same application.

This attack is performed by hackers to bypass and gain access to applications. An XSS works
because some web applications use inputs from users found in the output generated without
validation. The web browser of the victim doesn’t know that the script came from somewhere
else. The web browser trusts the legitimate site, so it allows the third-party “malicious” script
to access cookies, session tokens, and other sensitive information kept on the web browser.

6. SQL Injection

An SQL injection attack interferes with the queries that a web application makes to the
database. An attacker inserts crafted SQL (Structured Query Language) code lines that allow
data to be revealed. This data is retrieved from the database which could be information about
other users. The attacker gains access because the database is unable to recognize the
“incorrect statements”  and filter out the illegal input values.

In some cases the SQL injection can also modify or remove data, harming the content of the
databases and the application’s normal behavior. To perform an SQL injection is just a matter
of submitting the malicious SQL statements into any vulnerable entry field such as a search
box.

7. Zero-day Exploits

When new software is developed, it usually contains countless bugs and vulnerabilities.
When software developers find their own vulnerability they quickly develop patches and
updates. But sometimes this process is slow.

Black-hat hackers take advantage of zero-day exploits and are able to find vulnerabilities in
new software much faster. They are able to target this vulnerability before users update their
software.
Malware attack

Malicious software can be described as unwanted software that is installed in your system
without your consent. It can attach itself to legitimate code and propagate; it can lurk in
useful applications or replicate itself across the Internet. Here are some of the most common
types of malware:

 Macro viruses — These viruses infect applications such as Microsoft Word or Excel.
Macro viruses attach to an application’s initialization sequence. When the application
is opened, the virus executes instructions before transferring control to the
application. The virus replicates itself and attaches to other code in the computer
system.
 File infectors — File infector viruses usually attach themselves to executable code,
such as .exe files. The virus is installed when the code is loaded. Another version of a
file infector associates itself with a file by creating a virus file with the same name,
but an .exe extension. Therefore, when the file is opened, the virus code will execute.
 System or boot-record infectors — A boot-record virus attaches to the master boot
record on hard disks. When the system is started, it will look at the boot sector and
load the virus into memory, where it can propagate to other disks and computers.
 Polymorphic viruses — These viruses conceal themselves through varying cycles of
encryption and decryption. The encrypted virus and an associated mutation engine are
initially decrypted by a decryption program. The virus proceeds to infect an area of
code. The mutation engine then develops a new decryption routine and the virus
encrypts the mutation engine and a copy of the virus with an algorithm corresponding
to the new decryption routine. The encrypted package of mutation engine and virus is
attached to new code, and the process repeats. Such viruses are difficult to detect but
have a high level of entropy because of the many modifications of their source code.
Anti-virus software or free tools like Process Hacker can use this feature to detect
them.
 Stealth viruses — Stealth viruses take over system functions to conceal themselves.
They do this by compromising malware detection software so that the software will
report an infected area as being uninfected. These viruses conceal any increase in the
size of an infected file or changes to the file’s date and time of last modification.
 Trojans — A Trojan or a Trojan horse is a program that hides in a useful program
and usually has a malicious function. A major difference between viruses and Trojans
is that Trojans do not self-replicate. In addition to launching attacks on a system, a
Trojan can establish a back door that can be exploited by attackers. For example, a
Trojan can be programmed to open a high-numbered port so the hacker can use it to
listen and then perform an attack.
 Logic bombs — A logic bomb is a type of malicious software that is appended to an
application and is triggered by a specific occurrence, such as a logical condition or a
specific date and time.
 Worms — Worms differ from viruses in that they do not attach to a host file, but are
self-contained programs that propagate across networks and computers. Worms are
commonly spread through email attachments; opening the attachment activates the
worm program. A typical worm exploit involves the worm sending a copy of itself to
every contact in an infected computer’s email address In addition to conducting
malicious activities, a worm spreading across the internet and overloading email
servers can result in denial-of-service attacks against nodes on the network.
 Droppers — A dropper is a program used to install viruses on computers. In many
instances, the dropper is not infected with malicious code and, therefore might not be
detected by virus-scanning software. A dropper can also connect to the internet and
download updates to virus software that is resident on a compromised system.
 Ransomware — Ransomware is a type of malware that blocks access to the victim’s
data and threatens to publish or delete it unless a ransom is paid. While some simple
computer ransomware can lock the system in a way that is not difficult for a
knowledgeable person to reverse, more advanced malware uses a technique called
crypto viral extortion, which encrypts the victim’s files in a way that makes them
nearly impossible to recover without the decryption key.

 Adware — Adware is a software application used by companies for marketing

purposes; advertising banners are displayed while any program is running. Adware
can be automatically downloaded to your system while browsing any website and can
be viewed through pop-up windows or through a bar that appears on the computer
screen automatically.
 Spyware — Spyware is a type of program that is installed to collect information
about users, their computers or their browsing habits. It tracks everything you do
without your knowledge and sends the data to a remote user. It also can download and
install other malicious programs from the internet. Spyware works like adware but is
usually a separate program that is installed unknowingly when you install another
freeware application.

Layer 3 and 4 Protocols - TCP/UDP and

ICMP, more technical details on headers,
working methods, pros-cons, etc.

Recent cyber threats

 Protection mechanism - types of
network/web security tools/technology
Different type of web and network
vulnerabilities

What is Firewall?
A firewall is typically a system used to enforce an access control policy between two
networks. The firewall sits between two networks, examines all traffic that goes through the
two networks, and only allows "authorized" traffic to pass through. The firewall enforces an
authentication system that allows only authorized individuals to gain access to the private
network.
Types of Firewall
Packet filtering firewalls 
This, the original type of firewall, operates inline at junction points where devices such as
routers and switches do their work.

However, this firewall doesn't route packets, but instead compares each packet received to a
set of established criteria -- such as the allowed IP addresses, packet type, port number, etc.
Packets that are flagged as troublesome are, generally speaking, are dropped -- that is, they
are not forwarded and, thus, cease to exist.

Circuit-level gateways 
Using another relatively quick way to identify malicious content, these devices monitor the
TCP handshakes across the network as they are established between the local and remote
hosts to determine whether the session being initiated is legitimate -- whether the remote
system is considered trusted. They don't inspect the packets themselves, however.

Stateful inspection firewalls

State-aware devices, on the other hand, not only examine each packet, but also keep track of
whether or not that packet is part of an established TCP session. This offers more security
than either packet filtering or circuit monitoring alone, but exacts a greater toll on network
performance.

A further variant of stateful inspection is the multilayer inspection firewall, which considers
the flow of transactions in process across multiple layers of the ISO Open Systems
Interconnection seven-layer model.
Application-level gateways 
This kind of device, technically a proxy, and sometimes referred to as a proxy firewall,
combines some of the attributes of packet filtering firewalls with those of circuit-level
gateways. They filter packets not only according to the service for which they are intended --
as specified by the destination port -- but also by certain other characteristics, such as the
HTTP request string.

While gateways that filter at the application layer provide considerable data security, they can
dramatically affect network performance.

Next-gen firewalls 
This looser category is the most recent -- and least-well delineated -- of the types of firewalls.
A typical next-gen product combines packet inspection with stateful inspection, but also
includes some variety of deep packet inspection.

Firewall Pros and Cons

 Pro
o Protection for vulnerable services
o Protection against routing-based attacks
o Controlling access to systems
o Centralization of security software
o Privacy
o Statistic collection
o Policy enforcement
 Cons
o complex to configure
o may block services that would be helpful as well
o back door attack may also be possible (modem access)
o cannot protect against viruses
o could cause performance problems (potential bottleneck)
o tends to concentrate security in a single spot

How Firewalls work?

Firewall examine all the data packets passing through them to see if they meet the rules
defined by the ACL (Access Control List) made by the administrator of the network. Only, If
the Data Packets are allowed as per ACL, they will be Transmitted over the Connection.

Firewalls generally also maintain a log of Important Activities in Inside the Network. A
Network Administrator can define what is important for him and configure the Firewall to
make the Logs accordingly.
 Firewall can filter contents on the basis of Address, Protocols, Packet attributes and
State.
 Firewalls generally only Screen the Packet Headers.