Sunday 26 December 2021

OSI layer theory


What is OSI layer?

As per the “geeksforgeeks” website: OSI stands for Open Systems Interconnection. It was developed by ISO (International Organization of Standardization) in the year 1984. It is a 7-layer architecture, with each layer having a specific function to perform. All 7 layers work together to transmit data from one person to another across the globe.


Layers of OSI:


1. Physical Layer

2. Data Link Layer

3. Network Layer

4. Transport Layer

5. Session Layer

6. Presentation Layer

7. Application Layer


At the receiver side the Physical layer is the first layer, the Data Link layer is the second layer, and so on.

But at the sender side the Application layer is the first layer and the Presentation layer is the second layer.

We can remember the layer names with the line below:

Please Do Not Touch Stephen's Pet Animal (PDNTSPA)

The first letter of each word is the first letter of a layer name:


1. Physical Layer:

This layer is the first layer at the receiver side and the last layer at the sender side. As the name indicates, it is responsible for the actual physical connection with the device.

It converts the signal into bits and sends them over the physical medium.

This layer converts the digital bits into electrical, radio, or optical signals.

Responsibilities of the physical layer:

Topology management: Topologies like bus topology, star topology etc. are managed by the physical layer.

Data flow control: The physical layer also defines the transmission rate, i.e. the number of bits sent per second.

Synchronization: It is responsible for bit synchronization.

Devices used at the physical layer: cables, hubs

Protocols used at this layer: The major protocols used by this layer include Bluetooth, PON, OTN, DSL, IEEE 802.11, IEEE 802.3, L431 and TIA 449.


Data Link Layer:

  • The main use of the data link layer is error control. It ensures that the data received is free of errors, and to do that it also manages flow control of packets. It sends data as per the acknowledgement of the receiver and vice versa.

The data link layer has two parts:

1. Media Access Control (MAC)

2. Logical Link Control (LLC)

  • The packet received by the data link layer is divided into frames.

  • After framing it adds the MAC address to the header of each frame; this is also called physical addressing.

  • It encapsulates the sender's and receiver's MAC addresses in the header.

  • It uses ARP (Address Resolution Protocol) to get the receiver's MAC address.

  • Switches and bridges are data link layer devices.

Protocols used: ARP, CSLIP, HDLC


Network Layer:

It also takes care of packet routing, i.e. selecting the shortest path to transmit the packet from the number of routes available.

The sender and receiver IP addresses are added to its header for routing.

It provides logical addressing for routing.

The device used in the network layer is the router.

Protocols: routing protocols, IP, ICMP


Transport layer:

The transport layer is responsible for segmentation and for flow and error control to ensure proper data transmission. Each segment has its own header, which contains basic information that helps in reassembly of the segments. It also adds source and destination port numbers to its header and forwards the segmented data to the network layer.

The transport layer is called the heart of the OSI model.

It provides connection-oriented communication, in which the steps below take place:

1. Establish a connection

2. Transfer data in segments and acknowledge them

3. Once the sender gets the acknowledgement, it disconnects the connection

Protocols: TCP (TCP stands for Transmission Control Protocol), IP, UDP, DCCP and SCTP
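As an added example (not part of the original post), the Python below builds an Ethernet/IPv4/TCP frame the way the sender encapsulates data (port numbers at layer 4, IP addresses at layer 3, MAC addresses at layer 2) and then peels the headers off again in the receiver's order. The addresses and payload are constructed sample values, and the checksums are left at zero because the point is the header layout, not a sendable packet.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Sender side: application data is wrapped by layer 4, then 3, then 2."""
    # Layer 4 (transport): 20-byte TCP header; ports first, data offset 5 words,
    # flags PSH|ACK, window 65535. Checksum stays 0 in this layout-only demo.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    # Layer 3 (network): 20-byte IPv4 header, version 4 / IHL 5, TTL 64,
    # protocol 6 = TCP, then the logical (IP) addresses of sender and receiver.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, src_ip, dst_ip) + tcp
    # Layer 2 (data link): the frame header carries the physical (MAC) addresses.
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip

def parse_frame(frame: bytes) -> dict:
    """Receiver side: strip one header per layer, data link first."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip[9]}")
    tcp = ip[ihl:total_len]           # ignore any Ethernet padding after the datagram
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # TCP header length in bytes
    return {
        "data_link": {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)},
        "network": {"src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20])},
        "transport": {"src_port": src_port, "dst_port": dst_port},
        "application": tcp[data_offset:],
    }

# Constructed sample values for the demo.
SAMPLE = build_frame(
    src_mac=bytes.fromhex("001122334455"), dst_mac=bytes.fromhex("66778899aabb"),
    src_ip=bytes([10, 10, 10, 10]), dst_ip=bytes([200, 10, 10, 10]),
    src_port=51234, dst_port=443, payload=b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE).items():
        print(layer, fields)
```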

Session layer:

This layer is responsible for the establishment of connections, maintenance of sessions, authentication, and also ensures security. It is an end-to-end layer which establishes a connection and disconnects it only when the data has been transferred and the session layer gets confirmation of the same.

It also provides logical ports for data transfer.

It supports communication between two devices in half-duplex and full-duplex mode.

Protocols: PPTP, SAP, L2TP and NetBIOS


Presentation layer:

This layer is responsible for translation, encryption/decryption and compression.

We can understand this with an example.

Suppose a user sends a message through an application like Gmail, Facebook etc. That application works at the application layer, but when we send the message it gets encrypted before it is sent to someone else; this encryption takes place at the presentation layer.

Or suppose we receive a file (for example an MP3 file). When we try to open it we get the option to open it in VLC media player; this selection takes place at the presentation layer.

And when we open the file in an application, that application works at the application layer.

Protocols: XDR, TLS, SSL and MIME


Application layer:

At the very top of the OSI reference model stack of layers we find the application layer, which is implemented by the network applications.

Ex: Applications – browsers, Skype messenger, etc.

Protocols: HTTP, SMTP, DHCP, FTP, Telnet, SNMP and SMPP.

Code Injection


As per Wikipedia: Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Types of code injection:

Cross-site scripting (follow the link below to learn): https://rahulprakash156.blogspot.com/2021/12/cross-site-scripting.html

SQL injection (follow the link below to learn):

https://rahulprakash156.blogspot.com/2020/06/sql-injection-what-is-sql-injection-sql.html

LDAP Injection

Carriage Return – line Feed Injection

SMTP Injection

Command Injection

How to protect from code injection

1. Use secure coding techniques when developing any application.

2. Do proper security testing of any application or website before using it.

3. Use authorized websites and secure applications and websites.

4. Provide the minimum strict access as per requirement; for example, if a user in the office does not need common internet access for his work, we need to block that internet access for him.


Class of IP Address


What is an IP address?

A unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.

It consists of 4 bytes.

Ex: 10.23.54.67

Note: An IP address must be unique within any network.


There are 5 classes of IP address.

Class A: 1-127

Used for a large number of hosts.

A Class A IP has one network byte and 3 host bytes.

Ex: N.H.H.H (here N stands for the network part and H stands for the host part)

We can understand this with an example:

Suppose we have IP 10.10.10.10

Then the mask address is: 255.0.0.0

And the network address is: 10.0.0.0

Note: An address mask represents a subnet used in computer networking.

The network part represents the number of networks.


Class B: 128 – 191

Used for medium-size networks.

A Class B IP has two bytes for the network address and 2 bytes for the host address.

Ex: N.N.H.H (here N stands for the network part and H stands for the host part)

We can understand this with an example:

Suppose we have IP

IP Address:           150.150.150.15

Mask Address:         255.255.0.0

Network address:      150.150.0.0

Class C: 192 – 223

Used for local area networks.

A Class C IP has three bytes for the network address and 1 byte for the host address.

Ex: N.N.N.H (here N stands for the network part and H stands for the host part)

We can understand this with an example:

Suppose we have IP

IP Address:           200.10.10.10

Mask Address:         255.255.255.0

Network address:      200.10.10.0

Class D: 224 – 239

Reserved for multicasting.

Class E: 240 – 255

This class is reserved for research and development purposes.

There are a few things we need to know about IP addresses:

1. Hosts located in the same network should be assigned the same network ID.

2. An IP address cannot start with 127, as 127 is used exclusively by Class A.

3. If all the bits of the network ID are set to 0, it cannot be assigned, as it specifies a particular host on the local network.

4. If all the bits of the network ID are set to 1, it cannot be assigned, as it is reserved for the multicast address.
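As an added example (not the post's own code), the Python below works out the class, default mask and network address for the three worked examples above from the first octet, and also reports whether an address can be assigned to a host: first octet 0 or 127 is reserved, and a host part of all zeros or all ones is the network or broadcast address, which is the standard rule the post's last two points are getting at.

```python
# Classful ranges by first octet. The post lists class A as 1-127; 0 is folded in
# here only so that every octet value maps to some class.
CLASS_RANGES = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255))
# Default masks for the classes that split into network and host bytes (N.H.H.H etc.).
DEFAULT_MASK = {"A": 0xFF000000, "B": 0xFFFF0000, "C": 0xFFFFFF00}

def to_int(address: str) -> int:
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_str(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ip_class(address: str) -> str:
    first = to_int(address) >> 24
    return next(cls for cls, low, high in CLASS_RANGES if low <= first <= high)

def classful_info(address: str) -> dict:
    """Class, default mask, network/broadcast address and assignability of one address."""
    value = to_int(address)
    cls = ip_class(address)
    info = {"address": address, "class": cls, "mask": None, "network": None,
            "broadcast": None, "hosts": 0, "assignable": False, "reason": None}
    if cls not in DEFAULT_MASK:
        info["reason"] = "class D is multicast, class E is reserved"
        return info
    mask = DEFAULT_MASK[cls]
    host_mask = ~mask & 0xFFFFFFFF
    host_bits = 32 - bin(mask).count("1")
    host_part = value & host_mask
    info.update(mask=to_str(mask), network=to_str(value & mask),
                broadcast=to_str(value | host_mask),
                hosts=2 ** host_bits - 2)   # all-zeros and all-ones host parts are not usable
    if (value >> 24) in (0, 127):
        info["reason"] = "first octet 0 or 127 is reserved (127 = loopback)"
    elif host_part == 0:
        info["reason"] = "host part all zeros names the network itself"
    elif host_part == host_mask:
        info["reason"] = "host part all ones is the broadcast address"
    else:
        info["assignable"] = True
    return info

if __name__ == "__main__":
    for sample in ("10.10.10.10", "150.150.150.15", "200.10.10.10",
                   "224.0.0.1", "192.168.1.255", "127.0.0.1"):
        print(classful_info(sample))
```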

Tailgating and Impersonation


Tailgating is a technique in which a person uses someone else's access to enter a building or campus where he is not authorized.

It can be very dangerous if an unauthorized person accesses an office or tries to get sensitive information.

It may happen by just following someone through the gate.

Even if two people work in the same office, each person has their own limits on which office areas they may access. If someone works on the first floor of a building and does not have access to the second floor, he is not supposed to access the second floor; if he does, it comes under tailgating.

It's very easy to do tailgating: someone just tries to make friends with someone else in a common area like the common smoking area in the office, or outside the campus at a food stall. They will try to make friends and may request to be allowed to enter the office campus.

How to protect from tailgating:

An organization can make a policy to display the ID card whenever people are on the office campus.

We can use scan-lock doors, so that only those people who are authorized get access.

It's everyone's moral responsibility to ask questions if you find anyone unknown or not wearing an ID card.

Make the entry door in such a way that only one person can enter at a time. We can see such doors used in metro stations, so that only one person who has a ticket or metro pass can pass at a time.

Impersonation

Impersonation means someone pretends to be someone else.

A person may make a fake social media profile to pretend to be someone else to get some information.

Someone may call you and say they are calling from the IT department, and they may try to get sensitive information like IP addresses, software and antivirus details.

How to protect:

Never provide sensitive information like passwords, bank details or family details.

Cross-check the authorized phone number or email before sharing any information or money.


Saturday 18 December 2021

Denial of Service


Forces a service to fail (it happens due to overload of the service)

It causes a system or service to be unavailable.

The attacker takes advantage of a design failure or vulnerability.

It may happen unintentionally or intentionally.

Causes:

1. If there is low bandwidth and everyone tries to download something

2. If an attacker attacks a computer from multiple locations

3. A loop without STP (STP stands for Spanning Tree Protocol, a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them.)

DDoS amplification

In this attack the attacker sends a very small request, but by the time it reaches us it has become a much larger attack. Protocols used for this are NTP, DNS and ICMP.

Ex: When we request a DNS key, we get a large key in the answer.

Now the attacker uses this: he asks for small information but gets larger information in return. If the attacker asks this information from multiple computers, all the computers will send requests to the DNS server and all the DNS servers will send this information to the web server.

 


Buffer overflows

A buffer is a fixed storage space.

Buffer space is used to store data. For example: suppose you add 2 numbers, 5+6=11. Now if you want to multiply the output of these two numbers, you need to store this number in a buffer, so 11 will be stored in the buffer and in the next step we will multiply 11 with a new number.

As we know a buffer has a fixed size, so if we try to store a value whose size is more than the buffer size, it may create a big issue.

Types of buffer overflow:

1. Stack overflow attack

2. Heap overflow attack

3. Integer overflow attack

4. Unicode overflow

Buffer overflow issues can be seen in C and C++ programming.

There are a few functions like scanf, gets, printf, sprintf, strcat, strcpy etc. which can lead to a buffer overflow.

Let's take an example of a buffer overflow; we will assume the stack is last in, first out.

#include <string.h>

/* Deliberately unsafe: copies v into a 10-byte buffer with no length check */
void func(char *v)
{
    char buffer[10];
    strcpy(buffer, v);
}

int main(int argc, char *argv[])
{
    func(argv[1]);
    return 0;
}

The strcpy() function in the above example copies the command arguments into the destination buffer variable without checking the string length

We will enter the value “AAAAAAAAAAAAAAAAAAA”

Here we enter a value longer than the size 10. Now, how does the program run?

Stack layout while func() is running (the buffer sits just below the saved return address):

func()
    buffer[10]
    return address
main()
    local variables


Here the value is stored in the buffer memory, but if the value is longer than 10 bytes it spills over into the return address, and the function will return to a wrong address.


Phishing


You may get an email or message which contains a similar-looking URL, but not the real one, and when you check it you will find a similar-looking website:

For ex: https://rahulprakash156.blogsport.com

https://rahuulprakash156.blogsport.com --- wrong website

After logging in to the wrong website you may share your user name, email id, password etc.

Vishing (Voice Phishing)

In the office they may call and say they are calling from the bank or from your boss's office.

In India there is a case under investigation in which a man called a businessman's wife and said they were from the ruling party and needed a donation; in this way he took 200 cr.

Smishing (SMS Phishing) is done by text message.

Spear Phishing:

They target a very particular person, like the CEO of a company, for particular information.


Cross Site Scripting


XSS stands for Cross-Site Scripting; it is a code injection attack executed on the client side of a web application.

Here the attacker injects a malicious script through the web browser.

The malicious script is executed when the victim visits the web page or web server.

The attacker tries to steal cookies, sessions, tokens and other sensitive information.

It is a web application hacking technique.

Virus Hoax


A computer virus hoax is a message warning recipients of a non-existent computer virus threat.

It is a threat that doesn't actually exist, but it seems like it could be real.

Virus hoaxes are usually harmless and accomplish nothing more than annoying people and wasting the time of those who forward the message.

Examples of a few virus hoaxes:

Good Times:

Warnings about a computer virus named “Good Times” began being passed around among internet users in 1994. The Good Times virus was supposedly transmitted via an email bearing the subject header “Good Times” or “Goodtimes”, hence the virus name, and the warning recommended deleting any such email unread. The virus described in the warning did not exist, but the warning itself was in effect virus-like.

Invitation attachment:

The invitation virus hoax involved an email spam in 2006 that advised computer users to delete any email with any type of attachment that started with “invitation”.

Botnet


A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cyber-criminal through a command and control server.

Bot is short for robot.

A botnet could be built by a network worm, a virus or a Trojan horse.

Types of attack that can be launched after a computer has been taken over as a bot include:

(i) Spam bot: A spambot is a machine that automatically distributes spam emails.

(ii) Denial of service: The attacker can launch a denial of service attack.

(iii) The attacker can install spyware or a keylogger.

Thursday 2 December 2021

Java buzzwords

The Java programming language is a high-level language that can be characterized by all of the following buzzwords:

  1. Simple
  2. Object-oriented
  3. Distributed
  4. Interpreted
  5. Robust
  6. Secure
  7. Architecture neutral
  8. Portable
  9. High performance
  10. Multithreaded
  11. Dynamic
Now we will explain each and every term in detail.

Simple:

Java is a simple language; its syntax is taken from C and C++, and there is no concept of pointers, which makes it easy to understand. If anyone has knowledge of an OOPs-based language, it's very easy to understand Java.

Secure:

Java is a secure language. Its error-handling features make it easy to use in real time. Its security features are the classloader, the bytecode verifier and the security manager.

The classloader helps to separate packages by classes of the local file system.



Saturday 27 February 2021

SolarWinds attack and rundll32.exe


A dynamic-link library (DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. These libraries usually have the file extension .DLL.

Typically there's no technical way to launch a DLL file directly, hence Windows uses the rundll32.exe process to execute DLL files.

But these days we have seen attackers use rundll32.exe to execute malicious files. Recently attackers targeted SolarWinds, in which the attackers used the rundll32.exe process; I will share the details below. To explain how it happened I used the information below from the Microsoft security blog, where they explained how the attack happened.

The attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe. This is a known MITRE ATT&CK technique used for persistence, but it could also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped.

The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL, using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution and also deletes the following registry keys related to HTTP proxy:

  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

So it's very important to check which file or process rundll32.exe is running, and whether it is genuine or not. We get such information in EDR workflow data, where it explains all the processes run with a very clear diagram. But I am writing this blog to explain basic steps to deal with rundll32.exe; for a normal user it's difficult to use EDR AV and understand how it works, but they can follow a few things that can help to monitor and protect their own computer.

rundll32.exe helps to run programs in DLL (Dynamic Link Library) files, because a DLL file cannot be launched directly.

We can check which DLL files are being run by rundll32.exe with the command below.

tasklist /m /fi "imagename eq rundll32.exe"

You will see the list of DLL modules loaded by each running rundll32.exe process.

Second investigation: Find the location of the rundll32.exe file. If it is not running from the right location, it is not the right file.

Go to Task Manager, right-click on rundll32.exe, and open the file location.

The correct file path is: C:\Windows\System32\rundll32.exe.

Check the filename carefully; sometimes attackers use a similar-looking file name, like Rund1l32.exe, where in place of the letter l they use the digit 1 or something similar.
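The two checks this blog recommends, a suspicious link in a phishing mail (rahuulprakash156 vs rahulprakash156 in the phishing post above) and a process name or path masquerading as rundll32.exe (Rund1l32.exe), are both lookalike-name problems. As an added example (not the post's code), the Python below normalizes common digit-for-letter swaps and measures edit distance so either case can be flagged; the trusted values and sample inputs come from the posts, and the SysWOW64 path is added because 64-bit Windows ships a second legitimate copy of rundll32.exe there.

```python
from urllib.parse import urlsplit

# Digit-for-letter substitutions often used in lookalike names (1 for l, 0 for o, 5 for s).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})

def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_verdict(observed: str, trusted: str, max_distance: int = 2) -> str:
    """exact / homoglyph / lookalike / unrelated, compared case-insensitively."""
    observed, trusted = observed.lower(), trusted.lower()
    if observed == trusted:
        return "exact"
    if normalize(observed) == normalize(trusted):
        return "homoglyph"          # e.g. rund1l32.exe vs rundll32.exe
    if levenshtein(normalize(observed), normalize(trusted)) <= max_distance:
        return "lookalike"          # e.g. rahuulprakash156 vs rahulprakash156
    return "unrelated"

def check_url(url: str, trusted_host: str) -> str:
    """Compare only the host part of a link against the host we expect."""
    host = urlsplit(url).hostname or ""
    return lookalike_verdict(host, trusted_host)

# Legitimate locations of rundll32.exe: System32 as the post says, plus the
# 32-bit copy that 64-bit Windows keeps in SysWOW64.
TRUSTED_RUNDLL32_PATHS = {r"c:\windows\system32\rundll32.exe",
                          r"c:\windows\syswow64\rundll32.exe"}

def check_process(image_name: str, image_path: str) -> list:
    """Findings for one process record; an empty list means nothing suspicious."""
    findings = []
    name = image_name.lower()
    verdict = lookalike_verdict(name, "rundll32.exe")
    if verdict in ("homoglyph", "lookalike"):
        findings.append(f"{verdict} of rundll32.exe: {name}")
    if verdict == "exact" and image_path.lower() not in TRUSTED_RUNDLL32_PATHS:
        findings.append(f"rundll32.exe running from unexpected path: {image_path}")
    return findings

if __name__ == "__main__":
    print(check_url("https://rahuulprakash156.blogsport.com", "rahulprakash156.blogsport.com"))
    print(check_process("Rund1l32.exe", r"C:\Users\Public\Rund1l32.exe"))
    print(check_process("rundll32.exe", r"C:\Windows\System32\rundll32.exe"))
```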


Saturday 9 January 2021

How computer boot


In this blog we will try to understand how a computer starts from the very beginning.

In the last 25-30 years there has been no major change in the booting process of computers; even the same program is used in the processor to load the OS.

To start a computer we press the power button, or we can say we press the reset button, on the CPU. When we press the button it generates an electric signal (pulse), and this pulse is sent to a specific pin on the CPU; this pin is called the reset pin. When the CPU gets this signal it starts booting. So we need to see what happens here.


Step 1: When we switch on the computer, a pulse is sent to the CPU reset pin.

Step 2: Every register in the CPU is initialized to 0 except two registers, Code Segment (CS) and Instruction Pointer (IP). Code Segment (CS) is set to the value 0xF000 and Instruction Pointer (IP) is set to 0xFFF0.

So the physical address of the first instruction is set as 0xfff0.

How does this happen? As we know, in the 8086 or 8088 processor the physical address is (CS << 4) + IP (the CS register shifted left 4 bits, with IP added to it).

So at the first memory location, which is 0xfff0, there are 16 bits of memory where it gets the instruction to move or jump into the BIOS.

From here it enters the BIOS (it stands for Basic Input/Output System), which is read-only memory. It is in the form of Flash/EPROM/EEPROM.

The term BIOS (Basic Input/Output System) was created by Gary Kildall and first appeared in the CP/M operating system in 1975.

The BIOS is present in a small chip connected to the processor.

What are the basic functions of the BIOS:

1. First, the power-on self test (it checks whether the computer has all its parts (monitor, keyboard, mouse etc.) and whether all parts are working fine).

2. Initialize the video card and other devices.

3. Now it displays the BIOS screen, since the video card has been initialized so the screen can work fine.

4. Perform a brief memory test.

5. Set DRAM memory parameters.

6. Configure plug & play devices.

7. Assign resources (DMA channels, IRQs).

8. It identifies the boot device.

It reads sector 0 from the boot device into memory location 0x7c00 (sector 0 holds the OS location).

0x7c00 is a memory location in the low memory region of RAM. The BIOS copies sector 0 from the boot device (which is generally a hard disk) into memory location 0x7c00. At location 0x7c00 there is a code of 512 bytes which helps in booting the OS.

MBR:

A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBRs was publicly introduced in 1983 with PC DOS 2.0.

For example, a hard disk is divided into sectors, and the first sector of the hard disk contains the boot loader; it contains information about where the OS is installed in the computer.

It also contains information about logical partitions, like where the C drive or D drive starts.

At the MBR we also get an option to select the OS, i.e. which OS we want to use if we have more than one OS in the computer.

MBR layout (512 bytes):

Master boot loader (446 bytes)

Partition table (64 bytes)

Signature (2 bytes)
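As an added example (not part of the original post), the Python below checks the two numbers this post turns on: the real-mode address formula (CS << 4) + IP from the 8086 step above, and the 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 2-byte 0x55 0xAA signature) that the BIOS copies to 0x7c00. The sector it parses is constructed in the script, not read from a disk.

```python
import struct

def real_mode_address(cs: int, ip: int) -> int:
    """8086/8088 physical address: the 16-bit segment shifted left 4 bits plus the offset."""
    return ((cs & 0xFFFF) << 4) + (ip & 0xFFFF)

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # "master boot loader" part of the MBR
PARTITION_TABLE_OFFSET = 446  # 4 entries x 16 bytes = 64 bytes
SIGNATURE_OFFSET = 510        # 2 bytes, 0x55 0xAA
LOAD_ADDRESS = 0x7C00         # where the BIOS copies sector 0

def parse_mbr(sector0: bytes) -> dict:
    """Split one MBR into boot code, partition entries and signature, with sanity checks."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector0)}")
    signature = sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2]
    if signature != b"\x55\xAA":
        raise ValueError(f"bad boot signature {signature.hex()}; BIOS would not boot this")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * index
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector0[start:start + 16])
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    bootable = [p["index"] for p in partitions if p["bootable"]]
    if len(bootable) > 1:
        raise ValueError(f"more than one active partition: {bootable}")
    return {"boot_code": sector0[:BOOT_CODE_SIZE], "partitions": partitions,
            "active": bootable[0] if bootable else None, "load_address": LOAD_ADDRESS}

def partition_entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    """Build one 16-byte table entry; CHS fields are left zero (LBA is what matters today)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed sample sector: a "jmp $" stub as boot code, a bootable Linux partition
# (type 0x83) and an NTFS partition (type 0x07), two empty slots, valid signature.
SAMPLE_MBR = (b"\xEB\xFE" + bytes(BOOT_CODE_SIZE - 2)
              + partition_entry(0x80, 0x83, 2048, 204800)
              + partition_entry(0x00, 0x07, 206848, 409600)
              + bytes(32) + b"\x55\xAA")

if __name__ == "__main__":
    print(hex(real_mode_address(0xF000, 0xFFF0)))   # reset vector, 0xffff0
    print(parse_mbr(SAMPLE_MBR)["partitions"])
```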