CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 5

  1. UDP Ports (OBJ 4.3)

UDP ports, or User Datagram Protocol ports. In this lesson we are going to talk about the UDP ports, because we just spent the last lesson talking about the TCP ports. As a cybersecurity analyst, you have to know the UDP port numbers for the registered ports that are commonly scanned, just like the TCP ones. Now, the only difference between the TCP ports and the UDP ports is what they’re used for. UDP is more of a fire-and-forget protocol: there is no windowing, and there is no send and acknowledgement. So when you deal with UDP, it’s fire and forget. Just keep that in mind. Now, the first one we’re going to have is port 53, which is DNS.

As I said in the TCP lesson, port 53 operates over both TCP and UDP. For TCP it’s used for zone transfers; for UDP it’s used for DNS queries. That’s the only difference. It depends on what DNS is being used for, and based on that it will pick one of the two protocols. Next we have port 67, which is dhcps. This is the server port for the Dynamic Host Configuration Protocol, or DHCP. The next port we have is port 68, and this is dhcpc. This is the client port for DHCP. So if you’re dealing with a server, it’s port 67; if you’re dealing with a client, it’s port 68. The next one we have is port 69. This is the Trivial File Transfer Protocol, or TFTP. This is generally used when you’re dealing with routers and switches and trying to send an IOS update or things of that nature.

Next we have port 123, NTP, the Network Time Protocol. This allows our devices to share time on the network and make sure we’re all using a centralized time source. As we talked about back in the Syslog lesson, this is very helpful in coordinating your logs. Next we have port 135, MSRPC. Now, as we talked about with TCP, this advertises what RPC services are available in a Windows environment. It operates over both TCP and UDP, doing the same function. The next port is 137, the NetBIOS Name Service. The NetBIOS Name Service supports Windows file sharing with pre-Windows 2000 hosts, so it is something that’s there for backwards compatibility. It works very much like DNS, except we’re not dealing with IP addresses and names across the Internet; instead we’re dealing with NetBIOS names. So every Windows PC has a name.

For instance, Jason’s PC. NetBIOS allows me to have Jason’s PC and use that name or my IP address when talking across the network. Port 138 is NetBIOS-DGM. This is the NetBIOS Datagram Service, and it supports Windows file sharing with pre-Windows 2000 hosts. Because we’re dealing with datagrams, we’re dealing with UDP here, right? And so this is how we can send large chunks of data across the network in a fire-and-forget format. Next we have port 139, which is NetBIOS-SSN. This is the NetBIOS Session Service, which again supports Windows file sharing with pre-Windows 2000 hosts. Now, again, port 139 was something we had on both TCP and UDP using the same functionality. The next port we have is 161, which is SNMP. We talked about this one back in the Syslog lesson as well, because we’re going to use this as the agent port for the Simple Network Management Protocol to be able to send data across our network about our different devices.

When we start dealing with port 162, we are dealing with SNMP again, but this is the management station port for receiving those SNMP trap messages. So as a client sending out the information from the agent, it’s 161; as the management station that wants to receive those messages, it’s 162. Our next port is 445, and this one was one that we had on both TCP and UDP. This is Microsoft-DS. Again, it supports Windows file sharing, or Server Message Block over TCP/IP, on current Windows networks. Our next port is port 500, or ISAKMP. Now, ISAKMP is the Internet Security Association and Key Management Protocol, and it’s used to set up IPsec tunnels. So if you’re using a VPN based on IPsec, you are going to be using port 500 as part of that setup process.

The next one we have is Syslog, port 514. This is the server port for a syslog daemon, and a syslog daemon just means a Syslog server. So this allows us to have a Syslog server there waiting and collecting information. The next port that’s important to know is port 520. This is RIP, the Routing Information Protocol. It’s an older routing protocol that is used across networks and is still heavily in use today with lots of different systems. Port 631 is IPP, the Internet Printing Protocol. If you have an Internet-connected printer, it will be using IPP. The Internet Printing Protocol is a specialized Internet protocol for communication between your client devices (your computers, your smartphones, your tablets and things like that) and the printers that you want to print to. This is heavily used inside Windows and Linux systems.

The next port is 1434. Now, 1434 is MS-SQL. Just like we talked about with MySQL servers, Microsoft has its own version of a SQL server, and the Microsoft SQL Server will receive its queries and requests over port 1434. Port 1900 is UPnP, Universal Plug and Play. This is used for auto-configuration of port forwarding by game consoles and other smart appliances. Now, this is something that has opened up in the last several years, where devices can basically self-configure, be plugged into a network and open up ports as needed. Because of this, it is an area of vulnerability and something you should be looking at, especially in a corporate network. And our last port is 4500. This is NAT-T-IKE. Now, this is Network Address Translation Traversal for the Internet Key Exchange. This is used to set up IPsec traversal through a network address translation gateway. Essentially, if you’re using IPsec over NAT, you’re going to be using port 4500 as well.

Now, just a quick exam tip. As I said in the TCP lesson, the same thing applies here. They’re not going to ask you “what is port 4500?” and have you answer “NAT-T-IKE”. Instead, you should be familiar enough that when you see these ports, you know they are common ports. These are the ports that people are scanning, the ones we covered in the last lesson and in this lesson. Those 40 ports, 20 TCP and 20 UDP, are the 20 most scanned ports of each type by Nmap across the world, meaning attackers are looking for openings on these ports. It also means these are the most important ports for you as a defender to know, because you want to look across your systems and see if those are open. If they are open, you want to figure out whether you need them to be open, and if not, you should close them. If you do need them, figure out how you can best defend them, because they are things that are on the radar of attackers looking to get into your network.

  2. Data Exfiltration (OBJ 4.3)

Data exfiltration. Now, in this lesson, we are going to talk about data exfiltration, because after all, when an attacker tries to get into your system, they’re not just trying to get in there to gain access; they’re trying to gain access for a purpose. And a lot of times that purpose is data exfiltration. Data exfiltration is the process by which an attacker takes data that’s stored inside of a private network and moves it out to an external network. Now, data exfiltration is essentially stealing your information. And this is really important, because it can be done for lots of different reasons. For example, somebody might try to steal your information to then blackmail you based on what they took.

Or they may steal your information, like your customers’ credit card numbers, to be able to use those credit card numbers to buy things and make money for themselves. There are lots of different reasons that someone might want to exfil your data. But either way, as a cyber defense analyst, you need to understand what data exfiltration is and all the different ways that someone might try to do it. Data exfiltration can be performed over many different types of channels. This can be done over HTTP or HTTPS transfers, it can be done over HTTP requests to databases, it can be done using DNS, it can be done using overt channels, or it can be done using explicit tunnels. Throughout the rest of this lesson, we’re going to cover each of these five areas.

First we have HTTP or HTTPS transfers. Now, these transfers occur when an attacker uses commercial file sharing services to upload the exfiltrated data from a victim. For example, if someone breaks into your network and they find a lot of files on your hard drive, they need to get those things out. Well, they might log into something like their Dropbox account from your machine and then upload all your files to that Dropbox account. They can do this with Dropbox, OneDrive, Google Drive, or many other cloud sharing services. All of these are valid ways to upload those files to a centralized server and exfiltrate that data. Another way this might happen is if they’re using HTTP requests to database services.

Now, when this happens, an adversary is going to use SQL injection or another similar technique to copy records from a database to which they shouldn’t have access. Now, these are a little bit easier to detect. The reason is that there’s a common IOC you’re going to notice with them: a spike in requests to PHP or other script files, or unusually large HTTP response packets. This could be an indicator that someone is using HTTP requests to the database service to get the data out of the database and over to an attacker. The third type of data exfiltration channel is DNS. Now, DNS can be used with its queries to transmit data out of a network enclave.
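As an added example (not part of the lesson), here is a Python detector for the two HTTP-to-database IOCs described above, a burst of requests to script files and unusually large responses, run over constructed access-log lines; the log lines, the thresholds and the per-path median baseline are my assumptions, not the course’s.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Parses the common/combined access-log format (client, timestamp, request, status, bytes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi")

# Constructed sample log: a few normal users plus one client (10.0.0.7) hammering a PHP
# script and finally pulling back a 4 MB response. Not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /search.php?q=books HTTP/1.1" 200 8200
10.0.0.9 - - [12/Mar/2023:10:01:03 +0000] "GET /search.php?q=pens HTTP/1.1" 200 7900
10.0.0.9 - - [12/Mar/2023:10:01:05 +0000] "GET /style.css HTTP/1.1" 200 2048
10.0.0.11 - - [12/Mar/2023:10:01:08 +0000] "GET /search.php?q=ink HTTP/1.1" 200 8050
10.0.0.7 - - [12/Mar/2023:10:02:10 +0000] "GET /search.php?q=1 HTTP/1.1" 200 8110
10.0.0.7 - - [12/Mar/2023:10:02:11 +0000] "GET /search.php?q=2 HTTP/1.1" 200 8090
10.0.0.7 - - [12/Mar/2023:10:02:12 +0000] "GET /search.php?q=3 HTTP/1.1" 200 8120
10.0.0.7 - - [12/Mar/2023:10:02:13 +0000] "GET /search.php?q=4 HTTP/1.1" 200 8080
10.0.0.7 - - [12/Mar/2023:10:02:14 +0000] "GET /search.php?q=5 HTTP/1.1" 200 8100
10.0.0.7 - - [12/Mar/2023:10:02:15 +0000] "GET /search.php?q=6 HTTP/1.1" 200 4194304
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["url"].split("?", 1)[0]   # drop the query string
    return rec

def find_db_exfil_iocs(lines, script_burst=5, size_factor=10):
    """Return (burst_clients, large_responses).

    burst_clients: {client_ip: count} for clients with >= script_burst requests to script files.
    large_responses: (ip, path, bytes, median_bytes) for responses >= size_factor times the
    median response size seen for that same path (a per-path baseline).
    """
    recs = [r for r in (parse_line(l) for l in lines) if r]
    script_hits = Counter(r["ip"] for r in recs if r["path"].lower().endswith(SCRIPT_EXT))
    burst_clients = {ip: n for ip, n in script_hits.items() if n >= script_burst}

    sizes_by_path = defaultdict(list)
    for r in recs:
        sizes_by_path[r["path"]].append(r["bytes"])
    large_responses = []
    for r in recs:
        baseline = median(sizes_by_path[r["path"]])
        if baseline > 0 and r["bytes"] >= size_factor * baseline:
            large_responses.append((r["ip"], r["path"], r["bytes"], baseline))
    return burst_clients, large_responses

if __name__ == "__main__":
    bursts, large = find_db_exfil_iocs(SAMPLE_LOG.splitlines())
    print("script-file bursts:", bursts)
    for ip, path, size, base in large:
        print(f"large response: {ip} {path} {size} bytes (path median {base})")
```

On a real server the median should be computed from a longer history than the window being inspected, otherwise a sustained dump shifts its own baseline.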

Now, there are lots of different types of records in DNS, but one of the common indicators of compromise is if you see an atypical query type being used. For instance, someone starts asking for TXT records, or MX records, or CNAME records, or NULL records. All of these are not nearly as common as a standard A record. And so if somebody has a client on a network and it starts sending out requests for TXT records with additional data in them, that can actually be a way of exfiltrating data out of your network using DNS as a covert channel. Another thing you might be seeing is just an overt channel. Now, basically, an overt channel is a channel that is meant to send data.

For instance, FTP (the File Transfer Protocol), instant messaging, peer-to-peer file sharing, email and other obvious file and data sharing tools are all considered overt channels. This is what those tools were designed to do: send information. Now, an attacker is using them to get your data out of the network, making it an overt channel. The final type we have is an explicit tunnel. Now, an explicit tunnel uses something like SSH, which is Secure Shell, or VPNs, Virtual Private Networks, to create a tunnel to transmit the data across the network. So how do you identify whether one of these explicit tunnels is actually being used as part of data exfiltration, or whether it’s just something that is useful and needed by an administrator? Well, one of the IOCs for this is if you start seeing atypical endpoints being involved in these tunnels.
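For the DNS channel discussed above, here is an added Python example (my own illustration, not the course’s code) that profiles each client in constructed BIND-style query-log lines by query type and, going one step beyond the lesson, also counts unusually long leftmost labels, since that is where smuggled data usually rides; the log lines and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the "client IP#port: query: NAME IN TYPE" part of a BIND-style query log line.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Query types the lesson calls atypical compared with ordinary A lookups.
ATYPICAL_QTYPES = {"TXT", "NULL", "MX", "CNAME"}

# Constructed query log: two ordinary clients plus 10.0.0.7 sending TXT queries whose
# first label is a long hex-looking string (data carried in the name). Not a real log.
SAMPLE_DNS_LOG = """\
12-Mar-2023 10:01:01.101 client 10.0.0.5#51001: query: www.example.com IN A + (10.0.0.1)
12-Mar-2023 10:01:02.220 client 10.0.0.5#51002: query: mail.example.com IN MX + (10.0.0.1)
12-Mar-2023 10:01:03.330 client 10.0.0.9#51003: query: updates.example.net IN A + (10.0.0.1)
12-Mar-2023 10:01:04.440 client 10.0.0.9#51004: query: updates.example.net IN AAAA + (10.0.0.1)
12-Mar-2023 10:01:05.550 client 10.0.0.7#51005: query: 5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.t.example.org IN TXT + (10.0.0.1)
12-Mar-2023 10:01:06.660 client 10.0.0.7#51006: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.example.org IN TXT + (10.0.0.1)
12-Mar-2023 10:01:07.770 client 10.0.0.7#51007: query: 0011223344556677889900aabbccddee.t.example.org IN TXT + (10.0.0.1)
12-Mar-2023 10:01:08.880 client 10.0.0.7#51008: query: ffeeddccbbaa99887766554433221100.t.example.org IN TXT + (10.0.0.1)
12-Mar-2023 10:01:09.990 client 10.0.0.7#51009: query: www.example.com IN A + (10.0.0.1)
"""

def profile_clients(lines, long_label=24):
    """Per client: total queries, Counter of atypical types, number of long first labels."""
    stats = defaultdict(lambda: {"total": 0, "atypical": Counter(), "long_labels": 0})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        s = stats[m.group("ip")]
        s["total"] += 1
        qtype = m.group("qtype").upper()
        if qtype in ATYPICAL_QTYPES:
            s["atypical"][qtype] += 1
        # A long leftmost label is where encoded data usually sits in a DNS tunnel.
        if len(m.group("qname").split(".")[0]) >= long_label:
            s["long_labels"] += 1
    return stats

def flag_dns_exfil(lines, min_queries=4, atypical_ratio=0.5, min_long_labels=3):
    """Return {client_ip: findings} for clients whose DNS behaviour deserves a closer look."""
    flagged = {}
    for ip, s in profile_clients(lines).items():
        if s["total"] < min_queries:
            continue                      # too little traffic to judge
        reasons = []
        n_atypical = sum(s["atypical"].values())
        if n_atypical / s["total"] >= atypical_ratio:
            reasons.append("atypical_qtypes")
        if s["long_labels"] >= min_long_labels:
            reasons.append("long_labels")
        if reasons:
            flagged[ip] = {"queries": s["total"], "atypical": dict(s["atypical"]),
                           "long_labels": s["long_labels"], "reasons": reasons}
    return flagged

if __name__ == "__main__":
    for ip, finding in flag_dns_exfil(SAMPLE_DNS_LOG.splitlines()).items():
        print(ip, finding)
```

A mail server will legitimately produce mostly MX queries, so in practice the two reasons should be weighted, with long labels carrying more weight than query type alone.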

Now, one of the most common ways that it could be atypical is based on geographic location. For instance, in my company, we have employees in several areas. We have employees in the Maryland and Washington, DC area. We have employees down in Florida, we have employees down in Puerto Rico, we have employees out in Asia, in the Philippines, and places like that. Now, if I start seeing traffic with an endpoint going from my servers to Russia, or my servers to Turkey, those are locations that we don’t have any employees in. So that would be atypical and something suspicious that we would look into. But if I saw an SSH connection or a VPN going from Puerto Rico into my servers, that wouldn’t be atypical, because my staff down there connect through VPNs all the time.

So now that we’ve covered the basics of data exfiltration and the five types of channels that could be used, let me give you a warning about data exfiltration. An adversary could use a different channel for data exfiltration than they use for command and control. So just because you identified something like beaconing or command and control, and you blocked that, it doesn’t mean the data is going to stop being exfilled. The reason for this is that you might stop the beaconing and the command and control, but the command was already received before you cut that off. So if I had a command and control channel over DNS, but I’m sending that data out over SSH, and you block port 53, that stops the command and control. But I may have already received the command to send the data, and so I’ll continue sending it over port 22 using SSH.

This is just something you have to think about, because you’ve got to catch both areas: whatever the command and control channel is, and the data exfiltration channel. The final thing I want to talk about here is what the best mitigation against data exfiltration is. Well, the best mitigation is to use strong encryption of data when it’s at rest or when it’s in transit. If you have a hard drive that is encrypted, the data stored on that hard drive can’t be copied off and exfiltrated without breaking that encryption first. So even if they were able to download those files and exfiltrate them, they would have these encrypted files without the key, and they wouldn’t be able to open them and read them. This makes the data they exfilled essentially useless to them. So make sure you’re using strong encryption on all of your data at rest, especially if you want to protect it from data exfiltration.

  3. Covert Channels (OBJ 4.3)

Covert channels. Now, in the last lesson on data exfiltration, I talked about overt channels, things like FTP or peer-to-peer or instant messaging that are obvious ways to send data. But data exfiltration can also happen over covert channels. We talked about this in terms of hiding data inside of DNS and other methods like this. In this lesson, we’re going to talk more about what a covert channel is. Now, a covert channel is a communications path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures. Covert channels can enable the stealthy transmission of data from node to node using means that your security controls simply don’t anticipate. For instance, if you don’t tune your IDS to start looking at those DNS records, that would be a covert channel. You might have a covert channel that is sending information over ICMP echo reply packets, which are what we send out in response to a ping.

Again, a lot of IDS aren’t looking for that type of information. So as we go through the rest of this lesson, we are going to talk about some different covert channels. First, you might find a covert channel that takes advantage of egress filtering not being applied to a firewall. This way the attacker can transmit data over a non-standard port and send information out. We talked about this in depth in our non-standard port lesson. Second, you might have data that gets encoded and sent out as part of the TCP/IP packet headers. So, as we’ve already mentioned, we may take data, encode it as part of an ICMP echo reply or part of a DNS TXT record, and send it out. By doing this, it can evade detection. The third thing we can do is start segmenting data by chunking it up into multiple packets.

These can be sent at separate times. And this can help evade signature analysis and data loss prevention, because a lot of these signature analysis and data loss prevention tools only use a short window, which might be 30 seconds or 60 seconds, when they reconstruct packets to search for signatures. If you sent out a packet right now, a packet in three minutes, and another packet three minutes after that, that may get through the sensors and not trigger any alerts. The fourth thing you might look at is obfuscating data using hex. This way you can transmit strings of data using hex code instead of using character strings. By using hex, it can get through the sensors, because the sensors may be looking for an ASCII string and not a hex string.

The fifth type of covert channel is when you start transmitting data in an encrypted format, by sending it out through an encrypted format like an SSL or TLS tunnel. This can prevent inspection as it leaves the network, unless somebody has a break-and-inspect device sitting at the edge of their network. So when you’re trying to mitigate against these different types of covert channels, what can you do? Well, the best thing to do is use advanced intrusion detection or user behavior analytics tools. These are going to be your best options to help detect those covert channels. But keep in mind, they are not foolproof and they will not detect everything. As I said before, as the defenders get better, so do the attackers. And so we’re constantly having this chess match where each side is trying different things to get something by the other one.

The attacker is trying to evade the defender, and the defender is trying to figure out what the attacker is doing or block their future attacks. Now, when we look at covert channels, these can be created using two different methods: storage or timing. A covert storage channel utilizes one process in the computer to write to a storage location, and then uses a different process to read from that location. By splitting up the reading and writing functions, it can actually be a covert channel that cannot be detected by the operating system kernel. The second type of covert channel we can have is a covert timing channel. Now, these utilize one process to alter a system resource so that changes in its response time can actually signal information to a recipient process.

Now, for the CySA+ exam, you don’t have to know these two types of channels in depth and how they operate. But just keep in mind that covert storage channels use storage as the covert method, where I write to one part of the drive and then read from that part. And covert timing channels use different timing and sequences to pass information. For instance, I might send out a ping packet and translate that into Morse code: every time I send out a ping packet on an even-numbered or an odd-numbered second, that might tell me whether it’s a dot or a dash. Now, there are lots of different methods you can use with timing channels, and you can create them as complex or as simple as you want as an attacker.

But it’s just something to be aware of as a defender: as you start seeing unusual things, think about whether this is possibly a timing channel or a storage channel that you should look into. Now, in addition to this, sometimes you’ll have a covert channel that’s actually a hybrid of the two, combining the storage ability and the timing channel ability. This way an attacker can evade detection as well. Now, before we finish up this lesson, I do want to talk about one more area that an attacker can use to hide data when they’re trying to do a data exfiltration. Now, as a penetration tester, I call myself an attacker. But you as a defender need to understand the way these attackers operate, whether they are good guys working for you or bad actors going against you.

And that way you can start looking for these types of things. This is known as steganography. Now, steganography is a hiding technique where we’re trying to hide data in plain sight. Essentially, steganography is the practice of concealing data within another file, message, image or video. Now, there are lots of modern tools out there that can help you hide digital information so that the human eye cannot tell the difference. For instance, there’s a Java tool called LSB Steganography. You can put a secret text message in the blank at the top, upload an image, which is the original image on the left side, and then you will end up saving that text into the image. Now, if you look at that image with the naked eye, you cannot tell the difference.

But what’s ended up happening here is that, in the background, those words of ASCII text have been converted into ones and zeros. And they have slightly modified one pixel here and one pixel there in that final image. And those single pixels are only being changed by a fraction of a bit. So it might have been yellow, and now it’s a slightly lighter yellow. This one might have been green, and now it’s a slightly darker green. And all those ones and zeros are put throughout that image. It does affect the image quality just a little bit, but it doesn’t really add to the file size or change the file much at all. And so it’s very easy to hide information in these files. Now, the reason we call it hiding in plain sight is because there is no encryption here.

Anybody who has this tool can actually take that steganography image, load it into the tool, and pull the data back out as text. Now, the reason I want to bring up steganography to you is not because it’s used heavily in the attacker workspace. In fact, it’s one of the least common ones that I’ve seen out in the wild. But it is important to think about, because data loss countermeasures do inspect outgoing packets for a lot of different signatures, and they’re looking at those signatures to see if they match a database of known file signatures. But if I take that file and put it inside another file, as I did here by putting this text inside the image, that will actually circumvent the countermeasure’s signature matching, because it is not going to match that text.

That text has now become this image, and we’re also not going to match the original image, because now we have the text embedded in it and that changes the file a little bit. So this is something to keep in mind as you’re looking at it. In addition to using text and images, you can use audio files, video files, pretty much whatever you want. You can hide other data inside of those types of files and then pull it out using steganography.
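To show concretely what the least-significant-bit technique described above does, here is an added Python implementation on a constructed in-memory RGB image (no image library needed); it is my own illustration, not the LSB Steganography tool’s code, and the carrier image and message are made up. The two checks at the end show why signature matching misses it: no colour channel moves by more than 1, and the message bytes never appear contiguously in the pixel data.

```python
def make_image(width, height):
    """Constructed carrier: a smooth RGB gradient as a list of (r, g, b) tuples."""
    return [((x * 7 + y * 13) % 256, (x * 3 + y * 29) % 256, (x * 17 + y * 5) % 256)
            for y in range(height) for x in range(width)]

def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels, message):
    """Hide message in the least significant bit of each colour channel, in order."""
    payload = len(message).to_bytes(2, "big") + message   # 2-byte length prefix so extract() knows where to stop
    bits = list(_bits(payload))
    flat = [c for px in pixels for c in px]                 # one int per colour channel
    if len(bits) > len(flat):
        raise ValueError("message too large for this carrier")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit                      # clear the LSB, then set it to the message bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract(pixels):
    """Read the length prefix, then that many bytes, back out of the LSBs."""
    flat = [c for px in pixels for c in px]
    def read(start_bit, n_bytes):
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (flat[start_bit + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)

def max_channel_delta(a, b):
    """Largest change in any colour channel between two images of equal size."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

def contains_plaintext(pixels, message):
    """Would a naive byte-signature scan of the pixel data find the message?"""
    return message in bytes(c for px in pixels for c in px)

if __name__ == "__main__":
    carrier = make_image(16, 8)
    stego = embed(carrier, b"secret")
    print(extract(stego))                         # b'secret'
    print(max_channel_delta(carrier, stego))      # 1
    print(contains_plaintext(stego, b"secret"))   # False
```

Because the change is confined to the LSB plane, detection has to be statistical (LSB-plane randomness, comparison against a known-good copy) rather than signature-based, which is the point the lesson makes about data loss countermeasures.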