OSI Model Deep Dive
- Physical: Bits (Cable cutting, wiretapping)<br></br>2. Data Link: Frames/MAC (ARP Spoofing, MAC Flooding, VLAN Hopping)<br></br>3. Network: Packets/IP (IP Spoofing, Route Injection)<br></br>4. Transport: Segments/TCP/UDP (SYN Floods, Port Scanning)<br></br>5. Session: Session management<br></br>6. Presentation: Encryption/Encoding<br></br>7. Application: HTTP/Data (SQLi, XSS, CSRF, API abuse)
TCP vs. UDP
TCP (Layer 4): Connection-oriented (3-way handshake), reliable (retransmits dropped packets), ordered, slower. Used for HTTP, SSH, FTP.<br></br><br></br>UDP (Layer 4): Connectionless (fire and forget), unreliable, unordered, faster/low latency. Used for DNS, DHCP, VoIP, Streaming.<br></br><br></br>Security Note: UDP is often used for log shipping (Syslog) because if the logging server goes down, you don’t want the application to hang waiting for a TCP ACK from the log server.
TCP 3-Way Handshake
- SYN: Client sends segment with SYN flag set and initial sequence number (ISN).<br></br>2. SYN-ACK: Server replies with SYN and ACK flags set. Acknowledges client’s ISN (ISN+1).<br></br>3. ACK: Client sends ACK flag. Connection is ESTABLISHED.<br></br><br></br>Attack Vector: SYN Flood (exhausting server resources by sending SYN but never sending the final ACK).
DNS Architecture & Security
Process: Client -> Resolver (ISP/8.8.8.8) -> Root (.) -> TLD (.com) -> Authoritative Nameserver (google.com).<br></br><br></br>Attacks:<br></br><ul><li>Cache Poisoning: Injecting false records into a resolver’s cache to redirect users to malicious IPs.</li><li>DNS Exfiltration (Tunneling): Encoding data in subdomains (e.g., secret-data.attacker.com). Bypasses firewalls as it looks like standard DNS queries. Logged in DNS logs, but not HTTP logs.</li><li>Sinkholing: Rerouting malicious traffic (botnets) to a controlled IP for analysis.</li></ul>
DNS Record Types
A: Maps hostname to IPv4.<br></br>AAAA: Maps hostname to IPv6.<br></br>CNAME: Alias (maps hostname to hostname).<br></br>PTR: Reverse lookup (IP to hostname). Format: 2.0.0.127.in-addr.arpa.<br></br>MX: Mail Exchange (directs email).<br></br>SOA: Start of Authority (primary zone info, serial number, timeouts).<br></br>NS: Nameserver (delegates zone authority).
SSL/TLS Handshake
- ClientHello: Supported cipher suites, TLS version, random bytes.<br></br>2. ServerHello: Chosen cipher, Server Cert, random bytes.<br></br>3. Authentication: Client verifies Server Cert against Trusted Root CA store.<br></br>4. Key Exchange: Asymmetric encryption (RSA/Diffie-Hellman) used to securely agree on a ‘Pre-Master Secret’.<br></br>5. Session Keys: Both derive symmetric keys from the secret.<br></br>6. Finished: Traffic is now encrypted with symmetric key (AES/ChaCha).
Common Web Attacks: XSS
Reflected: Malicious script injected into request (URL parameters) and immediately returned by server. (Phishing links).<br></br>Stored (Persistent): Script saved in database (comments, profiles) and served to victims later.<br></br>DOM-based: Vulnerability in client-side JavaScript code handling inputs (e.g., location.hash written to innerHTML).<br></br><br></br>Mitigation: Context-aware Output Encoding (escaping user input) and Content Security Policy (CSP).
CSRF (Cross-Site Request Forgery)
Concept: Attacker forces an authenticated user’s browser to send a state-changing request (e.g., ‘Change Password’) to a site where they are logged in. Relying on browser automatically sending cookies.<br></br><br></br>Prevention:<br></br>1. Anti-CSRF Tokens: Random, unique token validated by server on every state-changing request.<br></br>2. SameSite Cookie Attribute: (Strict or Lax) prevents cookies from being sent on cross-site requests.<br></br><br></br>Diff: XSS executes code; CSRF exploits trust in existing sessions.
CORS vs SOP
SOP (Same Origin Policy): Browser security feature. Scripts from Origin A (domain+protocol+port) cannot read resources from Origin B.<br></br><br></br>CORS (Cross-Origin Resource Sharing): Mechanism to bypass SOP. Server sends headers (Access-Control-Allow-Origin) indicating which domains are allowed to read its resources.<br></br>Pre-flight: Browser sends OPTIONS request first to check permissions before sending actual data (for complex requests).
SQL Injection (SQLi)
Mechanism: Attacker interferes with SQL queries by injecting malicious input (e.g., ' OR 1=1 --) to view/modify unauthorized data.<br></br><br></br>Prevention: Use Prepared Statements (Parameterized Queries). Never concatenate user input directly into query strings. Input validation is a secondary defense layer.
Authentication vs Authorization
Authentication (AuthN): Verifying identity (Who are you?).<br></br>Examples: Passwords, Biometrics, MFA, X.509 Certs, Kerberos, OIDC.<br></br><br></br>Authorization (AuthZ): Verifying access rights (What can you do?).<br></br>Examples: ACLs (Access Control Lists), OAuth Scopes, IAM Policies, sudoers file.
Kerberos Architecture
KDC: Key Distribution Center (The Domain Controller).<br></br>TGT: Ticket Granting Ticket (Proof of ID, encrypted with KDC key).<br></br>Service Ticket: Used to access specific resources (File share, SQL).<br></br><br></br>Attacks:<br></br>Golden Ticket: Forged TGT (requires KRBTGT hash). Gives total control over domain.<br></br>Silver Ticket: Forged Service Ticket (requires Service account hash). Gives access to specific service only.
OIDC vs OAuth 2.0
OAuth 2.0: Authorization framework. It delegates access (giving an app a ‘key’ to access your Google Drive photos without giving it your password). Uses Access Tokens.<br></br><br></br>OIDC (OpenID Connect): Authentication layer built on top of OAuth 2.0. It verifies identity. Uses ID Tokens (JWT format).
Public Key Infrastructure (PKI)
CA (Certificate Authority): Trusted entity that signs digital certificates.<br></br>Root Store: Hardcoded list of trusted CAs in OS/Browser.<br></br>Chain of Trust: Root CA -> Intermediate CA -> Leaf Certificate.<br></br>Pinning: (Deprecated) Hardcoding valid cert hashes in the app to prevent MITM using compromised CAs. Replaced by Certificate Transparency logs.
Symmetric vs Asymmetric Encryption
Symmetric (AES, ChaCha20):<br></br>+ Fast, low overhead.<br></br>- Key distribution is difficult (how do I get the key to you securely?).<br></br><br></br>Asymmetric (RSA, ECC/Ed25519):<br></br>+ Solves key distribution (Public/Private key pair).<br></br>- Slow, computationally expensive.<br></br><br></br>Hybrid Workflow (HTTPS/SSH): Use Asymmetric to securely exchange a Symmetric key, then use Symmetric for the actual data transfer.
Hashing vs Encryption vs Encoding
Encryption: Reversible (with key). Confidentiality. (AES, RSA).<br></br>Hashing: One-way (irreversible). Integrity/Verification. (SHA-256, MD5). Vulnerable to collisions if weak.<br></br>Encoding: Reversible (public format). Data usability/format. NOT security. (Base64, Hex, URL encoding).
Linux Permissions & Special Bits
RWX: Read (4), Write (2), Execute (1). chmod 755 = User(RWX), Group(RX), Other(RX).<br></br><br></br>SUID (Set User ID): Executable runs with permissions of the file owner (usually root). Major privilege escalation vector (e.g., passwd needs this).<br></br>SGID: Runs with permissions of the group.<br></br>Sticky Bit: On directories (like /tmp), prevents users from deleting files owned by others.
Buffer Overflow
Concept: Writing more data to a buffer than it can hold, overwriting adjacent memory (e.g., Return Instruction Pointer).<br></br><br></br>Mitigations:<br></br>ASLR (Address Space Layout Randomization): Randomizes memory locations of stack/heap/libraries.<br></br>DEP/NX (Data Execution Prevention): Marks memory areas (stack) as non-executable.<br></br>Stack Canaries: Secret value placed before the return address; if changed, execution stops.
Google BeyondCorp
Zero Trust Model: “Trust the host, not the network.”<br></br>Moves access controls from the network perimeter (VPN) to individual devices and users. Access depends on device context (is it a corporate laptop? is it patched?) and user identity, regardless of physical location.
Meltdown & Spectre
Side-Channel Attacks exploiting modern CPU optimization (Speculative Execution).<br></br>The CPU guesses which path code will take and executes it early to save time. If guessed wrong, it rolls back, but traces remain in the CPU Cache. Attackers can read this cache to infer secrets (kernel memory, passwords) from other processes.
Virtualization Risks
VM Escape: Code running in a Guest VM breaks out to interact with the Host Hypervisor.<br></br>Hyperjacking: Installing a malicious hypervisor (rootkit) under the OS, making the malware invisible to the OS antivirus.<br></br>Container breakout: Escaping Docker container to host (often via misconfigured capabilities like --privileged).
MITRE ATT&CK Framework
Knowledge base of adversary tactics and techniques based on real-world observations.<br></br>Structure: Tactics (Why? e.g., “Initial Access”) -> Techniques (How? e.g., “Phishing”).<br></br>Use: Mapping defenses against specific APT behaviors, identifying gaps in detection coverage.
STRIDE Model
Sspoofing (Identity)<br></br>Ttampering (Integrity)<br></br>Rrepudiation (Logging/Proof)<br></br>Iinformation Disclosure (Confidentiality)<br></br>Ddenial of Service (Availability)<br></br>Eelevation of Privilege (Authorization)
STRIDE Model
<b>S</b>poofing (Identity)<br></br><b>T</b>ampering (Integrity)<br></br><b>R</b>epudiation (Logging/Proof)<br></br><b>I</b>nformation Disclosure (Confidentiality)<br></br><b>D</b>enial of Service (Availability)<br></br><b>E</b>levation of Privilege (Authorization)
2. Identification: Detect, Triage, Declare Incident.
3. Containment: Short term (isolate host) & Long term (firewall rules).
4. Eradication: Remove malware, patch vulnerability.
5. Recovery: Restore from backup, monitor closely.
6. Lessons Learned: Post-mortem, process improvement.
2. RAM / Routing Table / Arp Cache
3. Network Traffic / Temporary Files
4. Disk / HDD / SSD
5. Archival / Backups (Least volatile)
Rule: Capture the most volatile evidence first before powering down (or don't power down at all to save RAM).
- Beaconing: Regular, heartbeat-like connections to C2 servers.
- Fast-Flux DNS: Domains rapidly changing IPs.
- DGA (Domain Generation Algorithms): High volume of NXDOMAIN (failed) DNS queries for random-looking domains (`xyz123.com`).
- Unusual Traffic: Workstation sending SMTP (Spam) or scanning internal ports.
22: SSH (Secure Shell) / SFTP
23: Telnet (Remote CLI - Cleartext)
25: SMTP (Email Sending)
53: DNS (UDP/TCP)
80: HTTP
443: HTTPS (TLS/SSL)
143: IMAP (Email Retrieval - cleartext)
3389: RDP (Remote Desktop)
445: SMB (Windows File Sharing - Attack vector for EternalBlue)
123: NTP (Network Time)
161: SNMP (Network Mgmt)
Cloud Risk: Attacker targets the Instance Metadata Service (e.g., `http://169.254.169.254/latest/meta-data/`) to steal cloud IAM credentials/keys assigned to that server, leading to full cloud account compromise.
Rootkit: Hides existence of malware/processes from OS (modifies kernel/DLLs).
RAT (Remote Access Trojan): Provides full remote control (C2) to attacker.
Worm: Self-replicating, spreads via network automatically (e.g., WannaCry).
Trojan: Disguised as legitimate software, requires user execution.
-sS (SYN Scan): Sends SYN, receives SYN-ACK, sends RST (Reset). Does not complete connection. Faster, quieter (often not logged by app, but logged by firewall), requires root/sudo.
Modern OSs (Windows 10+, macOS, iOS) refuse to load Kernel drivers if they aren't signed by a trusted CA. Prevents loading malicious drivers/rootkits.
