Master Local Area Network (LAN) Topologies In Just A Few Hours!

Local Area Network (LAN) Topologies

Over the years, there has been experimentation and implementation of various network designs.  In reference to networking, when we refer to the term "topology", we are actually referring to the design or look of the network at hand. Let's discuss the advantages and disadvantages of these topologies below. Master Local Area Network (LAN) Topologies In Just A Few Hours!

Ring Topology

The ring topology (also known as token topology) boasts some similarities. Devices such as computers are connected directly to each other to form a loop, meaning that there is little cabling required and less dependence on dedicated hardware such as within a star topology.

A ring topology works by sending data across the loop until it reaches the destined device, using other devices along the loop to forward the data. Interestingly, a device will only send received data from another device in this topology if it does not have any to send itself. If the device happens to have data to send, it will send its own data first before sending data from another device.

Because there is only one direction for data to travel across this topology, it is fairly easy to troubleshoot any faults that arise. However, this is a double-edged sword because it isn't an efficient way of data travelling across a network, as it may have to visit many multiple devices first before reaching the intended device.

Lastly, ring topologies are less prone to bottlenecks, such as within a bus topology, as large amounts of traffic are not travelling across the network at any one time. The design of this topology does, however, mean that a fault such as cut cable, or broken device will result in the entire networking breaking.

This lab will take you through the flaws in different network topologies

• In a ring topology, all devices are a connector to two others to create a full circle

• Packets of data travel from one device to the next until they have reached their destination

• One of the major flaws with a ring topology is that if a device goes down or a cable is broken, then data will no longer be passed
  

• If you hover over the middle of the network cable, you can cut it and see what happens to the packets
  

• If you hover over the middle of the network cable, you can cut it and see what happens to the packets
  

• The packets can now no longer travel around the network, and no devices can talk to each other

  

 

 

 

 
Whilst you know where to send information in real life to the correct department, networks need to know as well. Network administrators use subnetting to categorise and assign specific parts of a network to reflect this.

Subnetting is achieved by splitting up the number of hosts that can fit within the network, represented by a number called a subnet mask. Let's refer back to our diagram from the first room in this module:

 

 

Vertical and Horizontal Domain Co-Relation 

There is something also known as sub-sub domain.

To understand about subdomain enumeration so you will see how you can enumerate a subdomains what is the difference between a vertical doing co-relation and horizontal domain co-relation so that is something which is also known as sub-sub domain that we discussed about in the previous blog so let's quickly understand about vertical domain co-relation so all sub domains of a domain for example let's say google.com so one of the sub domains of google.com will be match start google.com this is example of vertical domain correlation which means any subdomain of a particular base domain or top level domain where is in horizontal domain correlation if contains the acquisitions of the top level domain of the base domain for example google.cz, youtube.com, blogger.com all of these are the products of Google which means they are some other way connected to the base domain with the top of the organisation which basically means anything that aquired by google as a entity is considered to be horizontal domain co-relation now is it really important or would that to identify security flaws into the acquisitions by any parent organisation.

Vertical Domain Co-relation

All the subdomain of a domain of google.com (maps.google.com) -> All subdomain of a particular base domain.

Horizontal Domain Co-relation

Acquisitions of, google.cz, youtube.com, blogger.com -> anything that is acquired by google as entity.

Yes there are many examples of bug bounty programs where an acquisitions are also considered to be an scope for instance Facebook is a runs about bounty program Facebook runs a bug bounty program which also includes on of it acquisitions similarly Google also includes all of it acquisitions into the bug bounty program similarly Apple also includes all the acquisitions under its bug bounty program and so on so as of now we have understood about vertical domain correlation, horizontal domain correlation so how do we actually identify these types of domains or sub-domains.


There are some of the open source tools that can be used to identify this and we are going to use most of them into the next upcoming blog so I like to use a subfinder because it is written in go language and and because of its speed and con-currency it is considered to be one of the fastest tool to identify sub domains for any given target.


There are multiple tools that can be used to identify some domains like Amass, Sublist3r, Aquatone or Knockpy but at the end the going to get the same results from all of them So, they basically want to save our time so we are going to use subfinder in the upcoming blog when we will identify multiple supplement in a lesser span of time.

Subdomains for Recon

Subfinder - https://github.com/subfinder/subfinder

Amass - https://github.com/caffix/amass

Sublister - https://github.com/aboul3la/Sublist3r

Aquatone - https://github.com/michenriksen/aquatone

Knockpy - https://github.com/guelfoweb/knock

So in addition to the finder I also like to find subdomains manually because that is the time that we may get a new subdomain for any target for that we are going to use crt.sh which basically is the certificates transparency log in which if any new certificate has been assigned to a top level domain or its subdomain you are going to know about that.

Second is censys.io which is in iot connected search engine from where we can also identify given sub domains for any target similar to censys is Shodan.io I run it is again internet-connected search engine where we can identify about multiple targets and their subdomains Google certificate transparency log is again the certificate lock from which we can identify the sub domains for any given target Facebook certificate transparency is similar like Google certificate transparency when we can identify subdomains based on the certificate blocks you can also identify sub domains using CSP Header you can also identify sub domain based on the DNS record by using view viewdns.info website, dnsdumpster.com as well as virustotal.com.

I also like to find the subs manually from -

crt.sh

censys.io

shodan.io

Google certificate transparency

Facebook certificate transparency

CSP header

viewdns.info

dnsdumpster.com

virustotal.com

Disclaimer

What bug you want to Report?

A bug report contains device logs, stack traces, and other diagnostic information to help you find and fix bugs in your app.

Authentication Bypass

Authentication Bypass is a dangerous vulnerability which is found in Web-Applications. Attackers can bypass the control mechanisms which are used by the underlying web application like OTP, Captcha, 2FA, Email verification etc.
An Attacker can perform a  complete Account takeover of Victim.


Severity :   High 

Complexity : Easy

From : Remote / External




Impact : An Adversary can carry out Auth Bypass attack and perform an Account Take Over

Affected IP's : IP Address     Port
https://www.example.com/      443



Recommendations :

The application should protect the sensitive actions and validate the verification process of the web application. Restrict the user for any malicious behaviour.
 
 
 
References :

https://hackerone.com/reports/770504
https://hackerone.com/reports/257305
https://hackerone.com/reports/219205

 

No Rate Limit 

No Rate Limit is a type of computer security vulnerability typically found in web applications. No Rate Limit  enables attackers to perform actions on the web application where the attacker can do signup creation, password reset or 2FA of other users. No Rate Limit vulnerability may be used by attackers to bypass access controls such & bruteforce tokens and passwords without any limiting of any requests. There should be protection on the web application for sensitive actions. Attackers send a high number of requests to perform desirable actions to get access to the application or accounts. 

NO RL effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.





Severity :   High 

POST Request :

Complexity : Easy

From : Remote / External



Impact :An Adversary can carry out No Rate-Limit attack and also can take over the victim Account.
Also, an adversary can manage to login through any other user's account.


Affected IP's : IP Address    Port
https://www.example.com/    443




Recommendations :

There should be a protection on the web application for limiting the users simultaneous requests.

Any user should be Rate limited if He/She sends or races high amount of requests in a significant amount of time.
 
 
 
References :

https://hackerone.com/reports/743545
https://hackerone.com/reports/385381
https://hackerone.com/reports/297359

Cross Site Scripting (XSS) :

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.




Severity :  High 

Payload : Enter the payload here

Complexity : Easy

From : Remote / External




Impact : An Adversary can carry out XSS attack and also can take the cookie of the Admin and login through Admin Account.
Also, an adversary can manage to login through any other users account with valid session cookies.

Affected IP's : IP Address    Port
https://www.example.com/    443






Recommendations :

Sanitize all the user inputs before executing them, also add XSS protection headers on server and client side.
 
 

References :

https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://portswigger.net/web-security/cross-site-scripting

 


Provided by HACKING TRUTH (CLICK HERE)

CSRF

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.



Severity :   High 

POST Request :

Complexity : Easy

From : Remote / External




Steps to Reproduce:


1. Victim login their example account first.
2. Attacker send a form/link to victim.
3. If victim click the form/link, A desirable action could happen (eg- Profile Details Update or Email Password)
4. Attacker successfully performs ATO





Impact : An Adversary can carry out CSRF attack to modify the details of a victim and also can take over the victim Account.

Affected IP's : IP Address    Port
https://www.india.gov.in/    443





Recommendations :

This CSRF protection protects the form against Cross-site Request Forgery attacks because an attacker would also need to guess the token to successfully trick a victim into sending a valid request. The token should also be invalidated after some time and after the user logs out.

 
 
 
 
References :

https://owasp.org/www-community/attacks/csrf
https://www.acunetix.com/websitesecurity/csrf-attacks/
https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/

CORS

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. However, it also provides potential for cross-domain based attacks, if a website's CORS policy is poorly configured and implemented. CORS can be exploited to trust any arbitrary domain attacker controlled domain name and send the data to it.  Attackers can make an exploit and ask the domain to send data of the victim to the attacker domain.




Severity :  High 

CURL Request : curl “https://example.com/wp-json” -I -H Origin:hackingtruth.in
As you can see when we run the above request in curl we can see these header results in the response.  

Access-Control-Allow-Origin: hackingtruth
Access-Control-Allow-Credentials : true

Complexity : Easy

From : Remote / External





Steps to Reproduce:

1. Enter the domain name example.com in the POC Code shown below and save it as exploit.html and click on exploit button :



Exploit Code :

  
  
  
<html>
<body>
<center>
<h2>CORS POC Exploit>/h2>
<h3>Extract SID</h3>

<div id="demo">
<button onclick="cors()" type="button">Exploit Click here
</button></div>

<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = alert(this.responseText);
}
};
xhttp.open("GET", "https://example.com/wp-json/", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>

</body>
</html>

  

Affected IP's :

IP Address            Port
https://www.example/    443




Recommendations :

All the REST Apis should be authenticated and the domain should not trust any other domains. Allow only selected, trusted domains in the Access-Control-Allow-Origin header.
 
 
 
References :

https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Provided by HACKING TRUTH (CLICK HERE)

SSRF

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems



Severity :   High 

POST Request :

Complexity : Easy

From : Remote / External





Steps to Reproduce:

1. Attacker finds the vulnerable injection point (parameter)
2. Attacker sends a localhost request or request to his controlled domain (eg: Burp collaborator)
3. Attacker is able to scan the internal network or connect to localhost. Also attacker can get a HTTP connection on his controlled domain.
4. Attacker successfully performs SSRF and exfiltrates data if any.




Impact : An Adversary can carry out SSRF attack to scan the internal network, perform sensitive actions, download sensitive files like meta-data etc.


Affected IP's : IP Address    Port
https://www.india.gov.in/    443




Recommendations :

There should be a proper validation and sanitization of any URL's,IP or shortlinks given by the user. More here - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
 
 
 
References :

https://portswigger.net/web-security/ssrf
https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Provided by HACKING TRUTH (CLICK HERE)

SQL Injection

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.





Severity :   High 

POST Request :

Complexity : Easy

From : Remote / External




Steps to Reproduce:

1. Attacker finds the vulnerable injection point (parameter)
2. Attacker sends a query to retreive the DB Version or DB Name or DB Tables
3. Attacker is able to perfrom successfull SQLi




Impact : An Adversary can carry out SQLi attack to download database,usernames,passwords modify the logic or  perform sensitive actions etc.


Affected IP's : IP Address    Port
https://www.india.gov.in/    443



Recommendations :

Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.


References :

https://portswigger.net/web-security/sql-injection
https://www.acunetix.com/vulnerabilities/web/sql-injection/

Provided by HACKING TRUTH (CLICK HERE)

Broken Link Hijacking

When an web application has any pages, sources, links to external 3rd party services and are broken then the attacker can claim those endpoints to successfully conduct the attack and claim those endpoints on behalf of the target website and impersonate his identity.




Severity :   Medium 

POST Request :

Complexity : Easy

From : Remote / External





Steps to Reproduce:

1. Attacker finds the vulnerable injection point (broken link)
2. Attacker is able to claim the broken link
3. Attacker is succesfully perfrom the BLH Attack





Impact : An Adversary can carry out BLH attack to trick the victim in clicking the link and visiting the resources which are linked to the website, this way attacker can perfrom identify theft and steal credentials.


Affected IP's : IP Address    Port
https://www.india.gov.in/    443




Recommendations :

Fix all the broken links in the web application to any external resources.



References :

https://medium.com/@iamtess5277/what-is-broken-link-hijacking-o-o-872d821da6fd
https://medium.com/@arbazhussain/broken-link-hijacking-burp-plugin-6918d922c3fb
https://hackerone.com/reports/266908

Click Jacking

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.



Severity :   High 

POST Request :

Complexity : Easy

From : Remote / External





Steps to Reproduce:


1. Attacker finds the web application is vulnerable to Clickjacking and loads successfully into the iframe of the attacker.
2. Attacker creates a POC with the target.com which loads in the iframe
3. Attacker creates or induces a sensitive action
4. Attacker is able to achieve sesntive action on the targt.com





Impact : Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

Affected IP's : IP Address    Port
https://www.india.gov.in/    443



Recommendations :

https://portswigger.net/web-security/clickjacking


References :

https://portswigger.net/web-security/clickjacking





Proof of Concept :


   

 <head>

              <style>

                   #target_website {

                            position:relative;

                         width:128px;

                         height:128px;

                         opacity:0.00001;

                         z-index:2;

                         }

                   #decoy_website {

                         position:absolute;

                         width:300px;

                         height:400px;

                         z-index:1;

                         }

             </style>

            </head>

               ...

            <body>

                <div id="decoy_website">

                 ...decoy web content here...

                 </div>

                 <iframe id="target_website" src="https://vulnerable-website.com">

                 </iframe>

            </body>
  
  
  

Subdomain Takeover

HTML Injection

When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.




Severity :   Medium 

POST Request :

Complexity : Easy

From : Remote / External




Steps to Reproduce:

1. Attacker finds the vulnerable injection point (parameter)
2. Attacker is able to inject the HTML Tags and it gets executed
3. Attacker is able to perfrom successfull HTML Injection




Impact : An Adversary can carry out HMTLi attack to trick the victim in clicking the link and visiting the website, this way attacker can perfrom identify theft and steal credentials.

Affected IP's : IP Address    Port
https://www.india.gov.in/    443





Recommendations :

Do not allow parsing or execution of HTML tags from the user input.


References :

https://www.acunetix.com/vulnerabilities/web/html-injection/#:~:text=HTML%20Injection%20is%20an%20attack,injection%20of%20certain%20HTML%20tags.
https://www.softwaretestinghelp.com/html-injection-tutorial/

File Inclusion

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.



Severity :   High 

Complexity : Easy

From : Remote / External



Steps to Reproduce:

1. Attacker identfies a vulnerable injection point (parameter)
2. Attacker tries to read and execute the internal file
3. Attacker is successfully able to perfrom File Inclusion Attack




Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server


Affected IP's : IP Address     Port
https://www.example.com/      443



Recommendations :

The application should have proper whitelist of files and ignore every other filename and path.

 
References :

https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/

Directory Listing

Directory Listing is a vulnerabilty in which the server has misconfiguration and exposes the internal and hidden directories from the server to the public internet.
Sometime an attacker can gain sensitive information from the server like backup files, source code , api keys , password files etc.



Severity :   Medium 

Complexity : Easy

From : Remote / External





Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server

Affected IP's : IP Address     Port
https://www.example.com/      443


Recommendations :

The application should have proper permissions on sensitive directories and content.
 
 
References :

https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/#:~:text=Directory%20listing%20is%20a%20web,it%20leads%20to%20information%20disclosure.

Disclaimer

HelpSystems Intermapper is a complete system monitoring tool that covers networks, network equipement, servers, endpoints, and other devices connected to the network. The software is available in free and paid versions. The free plan has all of the features of the paid system but it is limited to monitoring only five devices. Network Monitoring Tools HelpSystems Intermapper

As the name of this tool susggests, it is driven by a network map, which forms a menu through to device performance statistics. The systems discovers all devices connected to the network and uses this information to create the network topology map. The map is constantly updated as the monitor polls devices for live statuses. 

As well as providing live network monitoring, the intermapper service stores performance metrics and supports the analysis of historical date. The services will also help you track SLA goal achevement and send out an alert if performance deteriorates to the point where it could become noticeable by the users, or approach the limits of SLA service expectations. 

Intermapper installs on windows, macOS and Linux. HelpSystems offer the paid service of intermapper on 30 Day free trial.

Your network goes beyond your network

There's never been a more important time to ensure you have a solid network monitoring strategy. Are you getting the full view of your environment? Intermapper is flexible network monitoring and mapping software for all your physical and virtual equipment. Map and monitor everything with an IP address, giving you a look at your total environment—not just IT’s network.

Discover the full picture with Intermapper

If you’re not monitoring and mapping your entire network environment, you’re only getting half the story. Intermapper is easy to install, deploy, and use across your entire organization to see your IP-enabled devices displayed in live, customizable maps. And with auto-discovery, you can map your connected environment faster and take the burden off your IT team.

Download the latest version of Intermapper CLICK HERE

Disclaimer