1
00:00:01,340 --> 00:00:06,590
When an attacker gains access to the network, there are many ways to cover their tracks so they cannot

2
00:00:06,590 --> 00:00:10,730
be detected by security equipment and forensics.

3
00:00:10,730 --> 00:00:16,130
In this section we are going to cover the different methods that attackers can use to limit their exposure

4
00:00:16,220 --> 00:00:25,560
on a network. Encryption and tunneling are the most common tricks that attackers use to hide their actions.

5
00:00:25,680 --> 00:00:33,690
VPN and SSH protocols can be used to encrypt data, which can be impossible to decrypt for security devices

6
00:00:33,690 --> 00:00:36,260
like IPSes and firewalls.

7
00:00:36,660 --> 00:00:42,360
If an attacker wanted to leak stolen data outside of a network, they could simply form an encrypted tunnel

8
00:00:42,390 --> 00:00:45,770
back to their network with no one knowing it.

9
00:00:45,780 --> 00:00:47,510
There are many hacker tools out there,

10
00:00:47,610 --> 00:00:54,480
in addition to VPN and SSH clients, that can be used for secure tunneling, like the LAN Turtle.

11
00:01:00,710 --> 00:01:08,020
When security appliances like an IPS are overloaded, it may cause them to fail open and let traffic bypass

12
00:01:08,170 --> 00:01:12,990
without inspection. By executing a DoS attack,

13
00:01:13,180 --> 00:01:19,960
a system's resources could be exhausted, which could trigger a fail-open scenario.

14
00:01:19,960 --> 00:01:26,380
The best way to prevent resource exhaustion is to make sure that your security devices are set to throttle

15
00:01:26,380 --> 00:01:29,580
traffic within standby thresholds.

16
00:01:30,220 --> 00:01:37,240
Let's hop in the Kali lab and I'll show you an example of a tool that can be used to cause resource

17
00:01:37,270 --> 00:01:41,290
exhaustion on a system.

18
00:01:41,290 --> 00:01:44,790
First we need to download the Slowloris, or however you say it,

19
00:01:44,890 --> 00:01:46,590
application.

20
00:01:46,710 --> 00:01:54,960
So just Google "Slowloris download", go to GitHub, and then it gives us instructions on what we need

21
00:01:54,960 --> 00:02:02,130
to download first and then how to execute the Slowloris script.

22
00:02:02,130 --> 00:02:04,830
So first I'll run through these apt-get commands.

23
00:02:09,780 --> 00:02:17,630
Get a terminal open.

24
00:02:18,040 --> 00:02:20,800
Once that finishes we'll install Perl.

25
00:02:30,250 --> 00:02:35,950
Perl is a programming language that will be used by Slowloris.

26
00:02:36,890 --> 00:03:09,200
OK, so we've got Perl and we just need to install these next two modules.

27
00:03:10,700 --> 00:03:14,870
Now we just need to download this Perl script, and download the zip file.

28
00:03:25,450 --> 00:03:36,310
Going to extract the Perl script, and then I'll just extract it to my desktop so it's easy to find.

29
00:03:36,640 --> 00:03:43,950
All right, so now that we have the file extracted and we know the location, open up our terminal and go

30
00:03:43,950 --> 00:03:48,500
to the path where our Perl script is so we can launch it.

31
00:03:48,780 --> 00:03:59,070
Now we'll launch a terminal, navigate to my desktop directory, and then I'll paste in the string to run

32
00:03:59,070 --> 00:04:01,210
the attack.

33
00:04:01,650 --> 00:04:05,550
I'm going to put in an IP address on my lab network

34
00:04:08,870 --> 00:04:10,920
and then hit enter.

35
00:04:12,230 --> 00:04:18,860
And here you can see what it's doing: it's building as many sockets as it can to that server on port

36
00:04:18,860 --> 00:04:23,110
80 to try to exhaust the resources of that server.

37
00:04:26,040 --> 00:04:32,670
So here I've browsed to that server's web page and I can't even see any of the images that I would normally

38
00:04:32,670 --> 00:04:33,700
see for this web page.

39
00:04:33,720 --> 00:04:41,640
So clearly its resources are being exhausted from our Slowloris attack. And here I'm also logged into

40
00:04:41,640 --> 00:04:46,710
the server that's being attacked and ran the netstat command.

41
00:04:46,780 --> 00:04:54,220
So as you can see, our attacking station at IP address 10.0.11.11 has opened up a ton of port 80

42
00:04:54,220 --> 00:05:01,430
sockets to the server to try to exhaust its resources.

43
00:05:01,490 --> 00:05:07,960
Our next evasion method is traffic fragmentation. When data is sent to our networks,

44
00:05:08,000 --> 00:05:15,560
it can be sent with different byte sizes. If data is larger than what's called the maximum transmission

45
00:05:15,560 --> 00:05:24,710
unit for an interface, it needs to be fragmented. Traffic fragmentation is undesirable on networks for

46
00:05:24,920 --> 00:05:29,760
optimization reasons and it is even worse for security.

47
00:05:29,960 --> 00:05:37,460
Attackers can intentionally fragment data certain ways to trick security equipment like IPSes to

48
00:05:37,460 --> 00:05:38,840
bypass inspection.

49
00:05:41,670 --> 00:05:46,040
Network communication is not possible without using protocols.

50
00:05:46,470 --> 00:05:52,250
Protocols are used to standardize how data is exchanged between network devices.

51
00:05:53,710 --> 00:06:01,300
Security devices inspect protocol data based on industry standards, and if an attacker modifies protocol

52
00:06:01,300 --> 00:06:06,880
behavior it could trigger security devices and make it difficult to inspect data.

53
00:06:10,170 --> 00:06:18,690
Traffic substitution and insertion can also be used to evade security sensors. Traffic substitution and

54
00:06:18,690 --> 00:06:27,030
insertion is when data is sent in a different format than expected and can cause an IPS to miss malicious

55
00:06:27,150 --> 00:06:28,140
payloads.

56
00:06:30,780 --> 00:06:34,440
The last evasion method I want to cover is pivoting.

57
00:06:34,440 --> 00:06:40,980
Pivoting means to attack systems with the intention of jumping to other systems on the same network.

58
00:06:42,030 --> 00:06:48,660
To prevent pivoting, network endpoints should be segmented to only have access to required services

59
00:06:49,040 --> 00:06:52,800
for wired, wireless and VPN access.