Sunday, 26 December 2021

OSI layer theory

 

What is the OSI layer?

As per the "geeksforgeeks" website: OSI stands for Open Systems Interconnection. It was developed by ISO, the 'International Organization for Standardization', in the year 1984. It is a 7-layer architecture with each layer having specific functionality to perform. All these 7 layers work collaboratively to transmit data from one person to another across the globe.


Layers of OSI:


1. Physical Layer

2. Data Link Layer

3. Network Layer

4. Transport Layer

5. Session Layer

6. Presentation Layer

7. Application Layer


At the receiver side the physical layer is the first layer, the data link layer the second layer, and so on.

At the sender side the application layer is the first layer and the presentation layer the second layer.

We can remember the layer names with the line below:

Please Do Not Touch Stephen's Pet Animal (PDNTSPA)

The first letter of each word is the first letter of a layer name, in order from Physical to Application:


1. Physical Layer:

This layer is the first layer at the receiver side and the last layer at the sender side. As the name indicates, it is responsible for the actual physical connection between the devices.

It converts the data into bits and sends them over the physical medium.

This layer converts the digital bits into electrical, radio or optical signals.

Responsibilities of the physical layer:

Topology management: Topologies like bus topology, star topology etc. are managed by the physical layer.

Data flow control: The physical layer also defines the transmission rate, i.e. the number of bits sent per second.

Synchronization: It is responsible for bit synchronization.

Devices used at the physical layer: cables, hubs.

Protocols used at this layer: The major protocols used by this layer include Bluetooth, PON, OTN, DSL, IEEE 802.11, IEEE 802.3, L431 and TIA 449.


Data Link Layer:

  • The main job of the data link layer is error control. It ensures that the data received is free of errors, and to do that it also handles flow control of packets. It sends data according to the receiver's acknowledgements and vice versa.

 

The data link layer has two parts:

1. Media Access Control (MAC)

2. Logical Link Control (LLC)

• The packet received by the data link layer is divided into frames.

• After framing, it adds the MAC address to the header of each frame; this is also called physical addressing.

• It encapsulates the sender's and receiver's MAC addresses in the header.

• It uses ARP (Address Resolution Protocol) to get the receiver's MAC address.

• Switches and bridges are data link layer devices.

Protocols used: ARP, CSLIP, HDLC


Network Layer:

This layer takes care of packet routing, i.e. selection of the shortest path to transmit the packet from the number of routes available.

The sender's and receiver's IP addresses are added to its header for routing.

It provides the logical addressing used for routing.

The device used at the network layer is the router.

Protocols: routing protocols, IP, ICMP


Transport layer:

The transport layer is responsible for segmentation, flow control and error control to ensure proper data transmission. Each segment has its own header, which contains the basic information that helps in reassembling the segments. It also adds source and destination port numbers to its header and forwards the segmented data to the network layer.

The transport layer is called the heart of the OSI model.

It provides connection-oriented communication, in which the following steps take place:

1. Establish a connection

2. Transfer data in segments and acknowledge them

3. Once the sender gets the acknowledgement, it disconnects the connection

Protocols: TCP (Transmission Control Protocol), IP, UDP, DCCP and SCTP

Session layer:

This layer is responsible for the establishment of connections, maintenance of sessions and authentication, and it also ensures security. It is an end-to-end layer which establishes the connection and disconnects it only when the data has been transferred and the session layer gets confirmation of that.

It also provides logical ports for data transfer.

It supports communication between two devices in half-duplex and full-duplex modes.

Protocols: PPTP, SAP, L2TP and NetBIOS


Presentation layer:

This layer is responsible for translation, encryption/decryption and compression.

We can understand this with an example.

Suppose a user sends a message through an application like Gmail, Facebook etc. That application works at the application layer, but when the message is sent it gets encrypted before it goes to the other person, and this encryption takes place at the presentation layer.

Or suppose we receive a file (for example an MP3 file): when we try to open it we get the option to open it in VLC media player, and this selection takes place at the presentation layer.

Then we open the file in an application, and this application works at the application layer.

Protocols: XDR, TLS, SSL and MIME


Application layer:

At the very top of the OSI reference model stack of layers we find the application layer, which is implemented by the network applications.

Ex: Application – Browsers, Skype Messenger, etc. 

Protocols: HTTP, SMTP, DHCP, FTP, Telnet, SNMP and SMPP.
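The sender-side encapsulation and receiver-side decapsulation described in the data link, network and transport sections above, as an added example that is not part of the original post: each layer prepends its own header (UDP ports, IPv4 addresses with checksum, Ethernet MAC addresses) and the receiver strips them in reverse order, checking each one. The MAC and IP addresses and the payload are constructed sample values.

```python
import struct

# Constructed sample addresses used by the demo (not real hosts).
SRC_MAC, DST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SRC_IP, DST_IP = "10.10.10.10", "10.0.0.1"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; evaluates to 0 for a valid header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_segment(payload: bytes, src_port: int, dst_port: int) -> bytes:
    # Transport layer: UDP header = source port, destination port, length, checksum (0 = none).
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def network_packet(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    # Network layer: 20-byte IPv4 header (version 4, IHL 5, TTL 64, protocol 17 = UDP).
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + segment


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def datalink_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    # Data link layer: Ethernet II header = destination MAC, source MAC, EtherType 0x0800 (IPv4).
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Sender side: application data goes down through transport, network and data link."""
    segment = transport_segment(payload, src_port, dst_port)
    packet = network_packet(segment, SRC_IP, DST_IP)
    return datalink_frame(packet, SRC_MAC, DST_MAC)


def decapsulate(frame: bytes) -> dict:
    """Receiver side: strip the headers in the opposite order, validating each layer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch (corrupted or tampered header)")
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:]
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": ".".join(map(str, packet[12:16])), "dst_ip": ".".join(map(str, packet[16:20])),
        "src_port": src_port, "dst_port": dst_port, "payload": segment[8:length],
    }
```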

Code Injection

 


Definition:

Code injection occurs when an attacker exploits a vulnerability in a system by injecting malicious code into a vulnerable program. This manipulation allows the attacker to alter the program’s intended execution, often resulting in severe consequences such as the spread of computer viruses or worms.

Types of Code Injection:

  1. Cross-site Scripting (XSS)
  2. SQL Injection
  3. LDAP Injection
  4. Carriage Return-Line Feed Injection (CRLF)
  5. SMTP Injection
  6. Command Injection

How to Protect Against Code Injection:

  1. Strong Coding Practices:
    Ensure secure coding techniques are followed during application development. Validate and sanitize all user inputs to prevent malicious code from being processed.

  2. Comprehensive Security Testing:
    Perform thorough security testing of applications or websites before deployment to identify and fix potential vulnerabilities.

  3. Use Trusted and Secure Applications:
    Always use authorized websites and verified secure applications to minimize risks.

  4. Implement Least Privilege Access:
    Grant users only the minimum access necessary for their roles. For instance, if an employee does not require internet access for their work, restrict their access to prevent unnecessary exposure to risks.
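To make the "validate and sanitize" advice concrete for the SQL injection case listed above, an added example (not from the original post): the same user lookup written the injectable way and the hardened way against an in-memory SQLite table with constructed rows, plus an allow-list check on the input as defence in depth.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the user's input is pasted into the SQL text, so quotes and
    # operators inside it change the meaning of the query (code injection).
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the input is bound as a parameter; the database engine treats
    # it strictly as a value and never as part of the SQL statement.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> bool:
    # Defence in depth: allow-list the characters a username may contain before
    # it reaches any query at all. Rejecting bad input early also makes the
    # attempt visible in logs instead of silently failing inside the database.
    return 1 <= len(name) <= 32 and name.isalnum()


def lookup(conn: sqlite3.Connection, name: str) -> list:
    """Reference flow: validate first, then query with bound parameters."""
    if not validate_username(name):
        raise ValueError(f"rejected username: {name!r}")
    return find_user_safe(conn, name)
```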

Class of IP Address

 


What is an IP address?

A unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.

It consists of 4 bytes.

Ex: 10.23.54.67

Note: An IP address must be unique within any network.

 

There are 5 classes of IP address.

Class A: 1-127

Used for a large number of hosts.

A Class A IP has one network byte and 3 host bytes.

Ex: N.H.H.H (here N stands for the network part and H for the host part)

We can understand this with an example:

Suppose we have the IP 10.10.10.10

Then the mask is: 255.0.0.0

And the network address is: 10.0.0.0

Note: An address mask marks which part of the address is the network (subnet) part.

The network part identifies the network; the number of network bits determines how many networks there can be.

 

Class B: 128 – 191

Used for medium-size networks.

A Class B IP has two bytes for the network address and 2 bytes for the host address.

Ex: N.N.H.H (here N stands for the network part and H for the host part)

We can understand this with an example:

IP Address:      150.150.150.15

Mask Address:    255.255.0.0

Network address: 150.150.0.0

Class C: 192 – 223


Used for local area networks.

A Class C IP has three bytes for the network address and 1 byte for the host address.

Ex: N.N.N.H (here N stands for the network part and H for the host part)

We can understand this with an example:

IP Address:      200.10.10.10

Mask Address:    255.255.255.0

Network address: 200.10.10.0

Class D: 224 – 239

Reserved for multicasting.

Class E: 240 – 255

This class is reserved for research and development purposes.

There are a few things we need to know about IP addresses:

1. Hosts located in the same network are supposed to be assigned the same network ID.

2. An IP address cannot start with 127, as 127 is used exclusively within Class A.

3. If all the bits of the network ID are set to 0, the address cannot be assigned, as it specifies a particular host on the local network.

4. If all the bits of the network ID are set to 1, the address cannot be assigned, as it is reserved for the multicast address.
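The class ranges and N/H byte layouts above, worked as an added example that is not part of the original post: a small helper that classifies a dotted-decimal address by its first octet, derives the classful mask, network and host parts, and reports the reserved cases (127, class D, class E). The addresses in the tests are the post's own examples.

```python
# (class, lowest first octet, highest first octet, number of network bytes)
CLASS_RANGES = (("A", 1, 127, 1), ("B", 128, 191, 2), ("C", 192, 223, 3),
                ("D", 224, 239, 0), ("E", 240, 255, 0))


def parse_ipv4(addr: str) -> list:
    """Split 'a.b.c.d' into four ints, rejecting malformed input early."""
    octets = addr.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    values = [int(o) for o in octets]
    if any(v > 255 for v in values):
        raise ValueError(f"octet out of range 0-255: {addr!r}")
    return values


def classify(addr: str) -> dict:
    """Classful view of an address: class, default mask, network/host parts, reservations."""
    values = parse_ipv4(addr)
    for name, low, high, net_bytes in CLASS_RANGES:
        if low <= values[0] <= high:
            break
    else:
        raise ValueError(f"first octet {values[0]} does not fall in classes A-E")
    info = {"class": name, "mask": None, "network": None, "host": None, "reasons": []}
    if net_bytes:  # classes A, B, C have a network/host split; D and E do not
        mask = [255] * net_bytes + [0] * (4 - net_bytes)
        info["mask"] = ".".join(map(str, mask))
        info["network"] = ".".join(str(v & m) for v, m in zip(values, mask))
        info["host"] = ".".join(str(v & ~m & 255) for v, m in zip(values, mask))
    if values[0] == 127:
        info["reasons"].append("127.x.x.x is reserved within class A")
    if name == "D":
        info["reasons"].append("class D is reserved for multicasting")
    if name == "E":
        info["reasons"].append("class E is reserved for research and development")
    info["assignable"] = not info["reasons"]  # usable for an ordinary host?
    return info
```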

Tailgating and Impersonation

 


 

Tailgating is a technique in which a person uses someone else's access to enter a building or campus where he is not authorized.

It can be very dangerous if an unauthorized person accesses an office or tries to get sensitive information.

It may happen by just following someone through the gate.

Even if two people work in the same office, each person has their own limits on which office areas they may access. If someone works on the first floor of a building and does not have access to the second floor, they are not supposed to access the second floor; if they do, it comes under tailgating.

Tailgating is very easy to do: someone just tries to make friends with an employee in a common area like the office smoking area, or outside the campus at a food stall, and may then ask to be allowed into the office campus.

How to Protect from Tailgating:

An organization can make a policy that I-cards must be displayed whenever people are on the office campus.

We can use scan-lock doors, so that only authorized people get access.

It is everyone's moral responsibility to ask questions if you find an unknown person or someone not using an I-card.

Make the entry door in such a way that only one person can enter at a time. We can see such doors at Metro stations, so that only one person with a ticket or Metro pass can pass at a time.

 

 

Impersonation

Impersonation means someone pretends to be someone else.

A person may make a fake social media profile to pretend to be someone else in order to get some information.

Someone may call you and say they are calling from the IT department, and they may try to get sensitive information like IP addresses, software and antivirus details.

How to protect:

Never provide sensitive information like passwords, bank details or family details.

Cross-check the authorized phone number or email before sharing any information or money.

 

Saturday, 18 December 2021

Denial of Service

 


Forces a service to fail (this happens due to overload of the service).

It causes a system or service to be unavailable.

The attacker takes advantage of a design failure or vulnerability.

It may be unintentional or intentional.

Causes:

1. If there is low bandwidth and everyone tries to download something.

2. If an attacker attacks a computer from multiple locations.

3. A loop without STP (STP stands for Spanning Tree Protocol, a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.)

DDOS amplification

In this attack the attacker sends a very small request, but by the time it reaches us it has become a much larger response. Protocols used for this are NTP, DNS and ICMP.

Ex: when we request a DNS key we get a large key in the answer.

Now the attacker uses this: he asks for a small piece of information but gets a much larger reply in return. If the attacker makes this request from multiple computers, all those computers send requests to the DNS servers, and all the DNS servers send the large replies to the web server.

 


Buffer overflows

 


A buffer is a fixed-size storage space.

Buffer space is used to store data. For example, suppose you add two numbers, 5 + 6 = 11, and then want to multiply the result by another number: you need to store the result somewhere, so 11 is stored in a buffer, and in the next step we multiply 11 by the new number.

As we know, a buffer has a fixed size, so if we try to store a value whose size is more than the buffer size it may create a big issue.

Type of buffer overflow:

1. Stack overflow attack

2. Heap overflow attack

3. Integer overflow attack

4. Unicode overflow

Buffer overflow issues are commonly seen in C and C++ programs.

There are a few functions like scanf, gets, printf, sprintf, strcat, strcpy etc. which can lead to a buffer overflow.

Let's take an example of a buffer overflow; we will assume the stack is last in, first out.

#include <string.h>

void func(char *v)
{
    char buffer[10];
    strcpy(buffer, v);   /* copies v into a 10-byte buffer with no length check */
}

int main(int argc, char *argv[])
{
    if (argc < 2)
        return 1;        /* nothing to copy */
    func(argv[1]);
    return 0;
}

The strcpy() function in the above example copies the command-line argument into the destination buffer without checking the string length.

 

We will enter the value "AAAAAAAAAAAAAAAAAAA".

Here we enter more than the buffer size of 10. Now, when the program runs, the stack looks like this (top to bottom):

func()

buffer[10]

return address

main()

local variables

The value is stored in the buffer memory, but since it is longer than 10 bytes it spills over into the saved return address, so the function returns to the wrong place.

 

 

Phishing

 


 

You may get an email or message which contains a similar-looking URL, but not the real one, and when you open it you get a similar-looking website:

For ex: https://rahulprakash156.blogsport.com

https://rahuulprakash156.blogsport.com (wrong website)

 

After logging in to the wrong website you may have shared your user name, email id, password etc.

Vishing (Voice Phishing)

In the office they may call and say they are calling from the bank or from your boss's office.

In India there is a case under investigation in which a man called a businessman's wife, said they were from the ruling party and needed a donation, and in that way took 200 cr.

Smishing (SMS Phishing) is done by text message.

Spear Phishing:

They target a very particular person, like the CEO of a company, for a particular piece of information.

 

 

 

Cross Site Scripting

 


 

XSS stands for cross-site scripting. It is a code injection attack executed on the client side of a web application.

Here the attacker injects a malicious script through the web browser.

The malicious script is executed when the victim visits the web page or web server.

The attacker tries to steal cookies, session tokens and other sensitive information.

It is a web application hacking technique.

Virus Hoax

 


A computer virus hoax is a message warning recipients of a non-existent computer virus threat.

It is a threat that doesn't actually exist but seems like it could be real.

Virus hoaxes are usually harmless and accomplish nothing more than annoying and wasting the time of the people who forward the message.

Example of few Virus hoax:

Good Times:

Warnings about a computer virus named "Good Times" began being passed around among internet users in 1994. The Good Times virus was supposedly transmitted via an email bearing the subject header "Good Times" or "Goodtimes", hence the virus name, and the warning recommended deleting any such email unread. The virus described in the warning did not exist, but the warning itself was in effect virus-like.

 

Invitation attachment:

The invitation virus hoax involved an email spam in 2006 that advised computer users to delete any email with an attachment whose name started with "invitation".

Botnet


 

A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cyber-criminal through a command and control server.

Bot is short for robot.

A botnet could be built by a network worm, a virus or a Trojan horse.

Types of attack that can be launched after a computer has been taken over as a bot include:

(i) Spam bot: a spambot is a machine that automatically distributes spam emails.

(ii) Denial of service: the attacker can launch a denial of service attack.

(iii) The attacker can install spyware or a keylogger.

Thursday, 2 December 2021

Java buzzwords

The Java programming language is a high-level language that can be characterized by all of the following buzzwords:

  1. Simple
  2. Object-oriented
  3. Distributed
  4. Interpreted
  5. Robust
  6. Secure
  7. Architecture neutral
  8. Portable
  9. High performance
  10. Multithreaded
  11. Dynamic
Now we will explain each and every term in detail.

Simple: 

Java is a simple language. Its syntax is taken from C and C++, and there is no concept of pointers, which makes it easy to understand. For anyone who knows an OOP-based language, Java is very easy to understand.

Secure: 
Java is a secure language. Its error-handling features make it easy to use in real time. Security is provided by the class loader, the bytecode verifier and the security manager.

The class loader helps to keep the packages of classes from the local file system separate.



Saturday, 27 February 2021

SolarWinds attack and rundll32.exe


Dynamic-link library (DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension DLL.

Typically, there’s no technical way to launch a DLL file directly. Hence, Windows uses a rundll32.exe process to execute the DLL files.

But these days we have seen attackers use rundll32.exe to execute malicious files. Recently attackers targeted SolarWinds, and in that attack they used the rundll32.exe process; I will share the details below. For how it happened, I used the information below from the Microsoft security blog, where they explained how the attack happened.

The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. This is a known MITRE ATT&CK technique used for persistence, but it could also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped.

The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL, using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution and also deletes the following registry keys related to HTTP proxy:

  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

So it's very important to check which file or process rundll32.exe is running and whether it is genuine or not. We get such information in EDR workflow data, where all the processes run are explained with a very clear diagram. But I am writing this blog to explain basic steps to deal with rundll32.exe: for a normal user it is difficult to use an EDR AV and to understand how it works, but they can follow a few things that help to monitor and protect their own computer.

 

rundll32.exe helps to run programs in DLL (Dynamic Link Library) files, because a DLL file cannot be launched directly.

 

We can check which files are running under rundll32.exe with the command below.

tasklist /m /fi "imagename eq rundll32.exe"

You will see the list of DLL files loaded by rundll32.exe.

 

Second check: find the location of the rundll32.exe file. If it is not running from the right location, it is not the right file.

Go to the task bar, right-click on rundll32.exe and open the file location.

The correct file path is: C:\Windows\System32\rundll32.exe.

Check the file name carefully; sometimes attackers use a similar-looking file name, like Rund1l32.exe, where in place of the letter l they use the digit 1 or something similar.
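A look-alike check that serves both the phishing post above (a hostname one character away from the real one) and this rundll32.exe post (a digit 1 standing in for the letter l, or the right name at the wrong path), as an added example that is not part of either post: names are normalised for confusable characters, then compared by edit distance; the process check also compares the image path with the genuine path given above. The confusable map and the sample paths are constructed.

```python
from urllib.parse import urlsplit

# Digits/symbols commonly swapped for the letters they resemble (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})
# Genuine location of rundll32.exe, as given in the post.
RUNDLL32_PATH = r"C:\Windows\System32\rundll32.exe"


def normalize(name: str) -> str:
    """Lower-case and map confusable characters to the letters they imitate."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, expected: str, max_distance: int = 2) -> bool:
    """True when the name is not the genuine one but is within a few edits of it."""
    if candidate.lower() == expected.lower():
        return False
    return edit_distance(normalize(candidate), normalize(expected)) <= max_distance


def check_url(url: str, trusted_host: str) -> str:
    """Classify the host of a link as genuine, a look-alike, or unrelated."""
    host = urlsplit(url).hostname or ""
    if host.lower() == trusted_host.lower():
        return "genuine"
    return "lookalike" if is_lookalike(host, trusted_host) else "unrelated"


def check_rundll32(image_name: str, image_path: str) -> str:
    """Flag a spoofed name, the genuine name at a wrong location, or neither."""
    expected_name = RUNDLL32_PATH.rsplit("\\", 1)[1]
    if is_lookalike(image_name, expected_name):
        return "suspicious name"
    if image_name.lower() != expected_name.lower():
        return "not rundll32"
    if image_path.lower() != RUNDLL32_PATH.lower():
        return "wrong location"
    return "ok"
```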

 

 

Saturday, 9 January 2021

How computer boot


In this blog, we’ll explore the boot process of a computer, from the moment you press the power button to when the operating system is fully loaded.

Over the past 25-30 years, there haven’t been significant changes in how computers boot. Surprisingly, even today, computers still use the same foundational processes and programs to load the operating system (OS).

Step-by-Step Breakdown of the Boot Process

Step 1: Powering On

When you press the power button on your computer, an electrical signal (pulse) is sent to a specific pin on the Central Processing Unit (CPU) called the "reset pin." This signal tells the CPU to begin the boot process.



Step 2: CPU Initialization
Once the CPU receives the reset signal, it initializes. All of its internal registers are set to zero, except for two crucial registers:

  1. Code Segment (CS): This register is set to the value 0xF000.
  2. Instruction Pointer (IP): This register is set to 0xFFF0.

This combination points to the first memory location 0xFFFF0, which contains the starting instruction that directs the CPU to the Basic Input/Output System (BIOS).

Step 3: Entering the BIOS
The CPU then jumps to the BIOS, which stands for Basic Input/Output System. BIOS is a small program stored in a chip on the motherboard, typically in read-only memory (Flash/EPROM/EEPROM). The term BIOS was coined by Gary Kildall and was first introduced in the CP/M operating system in 1975.

What Does the BIOS Do?

  1. Power-On Self-Test (POST): BIOS first performs a self-test to check if essential components like the monitor, keyboard, and mouse are connected and working properly.
  2. Initialize Video Card: The video card is initialized so that the display can function properly.
  3. Display BIOS Screen: Once the video card is ready, the BIOS screen (commonly showing the manufacturer’s logo) is displayed.
  4. Memory Test: BIOS conducts a brief memory test to check if the RAM is functioning correctly.
  5. Set DRAM Parameters: It configures the DRAM memory parameters.
  6. Configure Plug-and-Play Devices: Plug-and-play devices are detected and configured.
  7. Assign System Resources: BIOS allocates system resources like DMA channels and IRQs to devices.
  8. Identify the Boot Device: It identifies the device from which the OS will be booted (e.g., a hard drive, SSD, or USB).

Step 4: Loading the Boot Loader

The BIOS reads the first sector (sector 0) from the boot device (typically a hard drive or SSD) into memory location 0x7C00. Sector 0 contains the Master Boot Record (MBR), which holds essential information about the system’s partitions and the location of the operating system.

Memory Location 0x7C00:
This is a specific location in the low memory region of RAM where the BIOS loads the first 512-byte sector from the boot device. This sector contains the code necessary to load the OS.

Master Boot Record (MBR)

The Master Boot Record (MBR) is a special section at the beginning of the boot device (like a hard drive). It contains vital information required to load the OS and manage system partitions. The concept of the MBR was introduced in 1983 with IBM's PC DOS 2.0.

The MBR contains:

  1. Master Boot Loader (446 Bytes): The code that helps load the operating system.
  2. Partition Table (64 Bytes): Information about how the storage is divided (e.g., C: and D: drives).
  3. Signature (2 Bytes): A unique identifier to confirm the integrity of the MBR.

At this stage, if the computer has multiple operating systems installed, the MBR allows the user to select which OS to boot.
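The reset vector from step 2 and the MBR layout from step 4, as an added example that is not part of the original post: the first function computes the real-mode physical address from CS:IP, and the parser reads the 446-byte boot loader, the four 16-byte partition table entries and the 2-byte signature from a 512-byte sector. The sample sector is constructed in code, not read from a real disk.

```python
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # master boot loader
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries = 64 bytes
SIGNATURE = b"\x55\xAA"       # last 2 bytes of the sector


def reset_vector(cs: int, ip: int) -> int:
    """Real-mode physical address = segment * 16 + offset (CS:IP after reset)."""
    return (cs << 4) + ip


def parse_partition_entry(entry: bytes) -> Optional[dict]:
    # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    if ptype == 0:
        return None  # empty slot
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and boot partition."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR sector must be {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing MBR signature 0x55AA; sector is not a valid MBR")
    partitions = []
    for slot in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * slot
        entry = parse_partition_entry(sector[start:start + 16])
        if entry is not None:
            entry["slot"] = slot
            partitions.append(entry)
    bootable = [p["slot"] for p in partitions if p["bootable"]]
    if len(bootable) > 1:
        raise ValueError("more than one partition flagged bootable")
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions,
            "boot_partition": bootable[0] if bootable else None}


def build_sample_mbr() -> bytes:
    """Constructed sector: a bootable Linux partition (type 0x83) and an NTFS one (0x07)."""
    boot_code = b"\xEB\xFE".ljust(BOOT_CODE_SIZE, b"\x00")  # 'jmp $' then zero padding
    table = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 204800)
    table += struct.pack("<B3xB3xII", 0x00, 0x07, 206848, 409600)
    table += bytes(32)  # two empty slots
    return boot_code + table + SIGNATURE
```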

Conclusion

The computer’s boot process starts with a simple electrical signal that triggers a series of events, from initializing the CPU to loading the operating system. While modern computers are faster and more powerful, the boot process has remained fundamentally unchanged for decades, with the BIOS and MBR playing crucial roles in getting the system up and running.

By understanding these steps, you gain a deeper appreciation of how complex yet elegant the boot process is, bringing your machine to life every time you press that power button.