
BeYoUnIqUe

Thursday, February 7, 2013


Address resolution protocol & ARP poisoning:

Address resolution protocol:

•Address Resolution Protocol (ARP) is a network layer protocol used to convert an IP address into a physical address.

•A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.

•There is also Reverse ARP (RARP) which can be used by a host to discover its IP address. In this case, the host broadcasts its physical address and a RARP server replies with the host's IP address.

•ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses.

ARP Poisoning Attack:

•When one host using IP on a LAN is trying to contact another, it needs the MAC address of the host it is trying to contact.

•It first looks in its ARP cache (to see your ARP cache in Windows, type "arp -a" at the command line) to see if it already has the MAC address. If not, it broadcasts an ARP request asking "Yo, who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address and a conversation can begin using IP.

•In common bus networks like Ethernet using a hub, all traffic can be seen by all hosts whose NICs are in promiscuous mode, but things are a bit different on switched networks.

•A switch looks at the data sent to it and tries to forward each packet only to its intended recipient, based on MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go.

•There are ways around switches, though. Using a program like Arpspoof, Ettercap or Cain, we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.

Example:

•Basically, the Cracker is telling A's box that he has the IP that corresponds to B's box, and vice versa. By doing this the Cracker receives all network traffic going between A and B. Once you have Arpspoofed your way between two machines you can sniff the connection with whatever tool you like (TCPDump, Ethereal, Ngrep, etc.). By arpspoofing between a machine and the LAN's gateway you can see all the traffic it sends out to the Internet.
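The footprint an ARP poisoning attack leaves on the LAN is an IP address that was bound to one MAC address and is suddenly claimed by another, usually with the same MAC claiming both ends of the conversation (A's address and B's, or a host's and the gateway's). The following is an added example, not code from the original post: a passive ARP-cache consistency check written in Python over a constructed list of ARP replies standing in for captured packets. The function names, the sample addresses and the optional `trusted` table are assumptions for the demonstration.

```python
# Added example (not from the original post): a passive ARP-cache consistency
# monitor. It consumes ARP replies (here a constructed sample list standing in
# for captured packets) and raises an alert whenever an IP address that was
# previously bound to one MAC address is claimed by a different one. A second
# check lists MACs that answered for more than one IP, which is what a host
# sitting between two machines (or between a machine and the gateway) must do.
# Function names and sample addresses are assumptions for the demonstration.

from collections import defaultdict

# Constructed sample of ARP replies as (sender_ip, sender_mac) pairs in arrival
# order. The gateway 192.168.1.1 is legitimately at ...:01; the last two replies
# show a third host claiming both the gateway's and host A's addresses.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # host A
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # host B
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, consistent
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway's IP claimed by another MAC
    ("192.168.1.10", "aa:bb:cc:00:00:99"),  # host A's IP claimed by the same MAC
]


def detect_arp_conflicts(replies, trusted=None):
    """Return a list of alert dicts for IP addresses whose MAC binding changed.

    replies: iterable of (ip, mac) from observed ARP replies, in arrival order.
    trusted: optional dict of ip -> mac bindings known in advance (e.g. the
             gateway); a reply contradicting one of them is flagged immediately.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first time we see this IP: learn it
        elif known != mac:
            # Keep the first-seen binding so every later contradiction is reported
            alerts.append({"ip": ip, "expected_mac": known, "seen_mac": mac})
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for MACs that answered ARP for more than one IP address."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print("ALERT: %(ip)s was %(expected_mac)s, now claimed by %(seen_mac)s" % alert)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

On a real network the `(ip, mac)` pairs would come from a packet capture filtered to ARP replies; a binding change is not always an attack (a NIC replacement or DHCP reassignment looks the same), so the `trusted` table for fixed hosts such as the gateway is what turns this from a curiosity into an alert worth paging on.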

Monday, February 4, 2013


Encoding: 

  • Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed.
  • It does not require a key as the only thing required to decode it is the algorithm that was used to encode it.
  • Encoding is for maintaining data usability and can be reversed by employing the same algorithm that encoded the content, i.e. no key is used.
  • Examples: ASCII, Unicode, URL Encoding, Base64



Encryption: 
  • Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation.
  • It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation.
  • As such, the ciphertext, algorithm, and key are all required to return to the plaintext.
  • Encryption is for maintaining data confidentiality and requires the use of a key (kept secret) in order to return to plaintext.
  • Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
  • Unencrypted data is called plaintext; encrypted data is referred to as ciphertext.
  • There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.
  • Symmetric (or secret-key) encryption: A type of encryption where the same key is used to encrypt and decrypt the message.
  • Asymmetric (or public-key) encryption: This uses one key to encrypt a message and another to decrypt the message.
  • Examples: AES, Blowfish, RSA


Hashing: 
  • Hashing is used in conjunction with authentication to produce strong evidence that a given message has not been modified.
  • This is accomplished by taking a given input, hashing it, and then encrypting the sent hash with the recipient's public key.
  • When the recipient opens the message with their private key, they hash the message themselves and compare it to the hash that the sender sent encrypted.
  • If they match, the message is unmodified.
  • Hashing is for validating the integrity of content by detecting all modification thereof via obvious changes to the hash output.
  • Examples: SHA-3, MD5 (Now obsolete), etc.
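The three sections above draw one distinction each: encoding needs no key and anyone can reverse it, encryption needs a key and only the key holder can reverse it, hashing cannot be reversed at all but changes visibly when the input changes. The block below is an added example, not code from the original post, that puts the three side by side using only the Python standard library. The keystream cipher in it derives its stream from the key with SHAKE-256 purely to make the "key required" property concrete; it is an assumption for the demonstration, not a production cipher (use AES-GCM from a vetted library for real data). Function names are also assumptions.

```python
# Added example (not from the original post): encoding, encryption and hashing
# side by side with the Python standard library.
#   encoding   - Base64: reversible by anyone, no key involved
#   encryption - keystream cipher: reversible only with the key
#   hashing    - SHA-256 / HMAC: detects modification, not reversible
# The keystream cipher derives its stream from the key with SHAKE-256 and is
# here only to illustrate the "key required" property; it is NOT a production
# cipher. Use AES-GCM from a vetted library for real data.

import base64
import hashlib
import hmac
import os


def encode(data: bytes) -> bytes:
    return base64.b64encode(data)


def decode(encoded: bytes) -> bytes:
    # No secret needed: knowing the algorithm is enough to reverse it.
    return base64.b64decode(encoded)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 is an extendable-output function: it yields as many bytes as asked.
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # A fresh random nonce per message keeps the keystream from ever repeating.
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison so the check itself does not leak via timing.
    return hmac.compare_digest(digest(data), expected_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    # A plain hash can be recomputed by whoever altered the message; an HMAC with
    # a shared secret key binds the hash to a party holding that key.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    key = os.urandom(32)
    print("encoded  :", encode(msg))
    print("decoded  :", decode(encode(msg)))
    ct = encrypt(key, msg)
    print("decrypted:", decrypt(key, ct))
    print("wrong key:", decrypt(os.urandom(32), ct))
    h = digest(msg)
    print("intact   :", verify_integrity(msg, h))
    print("modified :", verify_integrity(b"transfer 900 to account 42", h))
```

The `mac_tag`/`verify_mac` pair shows the point the hashing section is making: a bare hash proves integrity only if the hash itself cannot be replaced, which is why it is combined with a key (HMAC) or, as the post describes, protected by encryption or a signature.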




Friday, January 28, 2011

Matriux:

Matriux is a live security operating system consisting of powerful open source and free tools which can be used for various purposes like penetration testing, ethical hacking, cyber investigations, vulnerability analysis and data retrieval; it is not limited to these and can be used for other purposes as well.

It can also be used as a normal desktop system.

With Matriux we can turn a normal system into a powerful penetration testing toolkit.

The open source tools cover the following:

1. Reconnaissance -- gaining information about an enemy or potential enemy

2. Scanning

3. Debugger

4. Tracer

5. Fuzzer

It also includes general tools for multimedia and internet applications.

It can be run from a live environment (CD, DVD or USB disk), or it can be installed directly onto the hard disk in very few steps.

Finally, I can say that it is much like BackTrack.

Monday, January 10, 2011

SSL Renegotiation vulnerability:

Renegotiation is to negotiate new terms to replace old ones.

This occurs because the server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker comes from the same entity as the subsequent client data.

The vulnerability involves a flaw in renegotiation and allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session.

Renegotiation allows one part of an encrypted connection to be controlled by another.

Step by step process for renegotiation:

1. The client starts a TLS handshake with the server; the attacker in the middle does not forward these handshake packets. Let us call this session@1. Thus it resembles a MITM attack.

2. The attacker negotiates a new session with the server and performs a complete TLS exchange. Let us call this session@2.

3. The attacker sends application-level commands over the TLS session established in step 2.

4. The attacker requests a renegotiation of the handshake process. Renegotiation is to negotiate new terms to replace old ones. Renegotiation may be activated due to different cipher requirements on different resources.

5. The attacker then forwards the handshake packets of session@1 inside the encrypted session@2.

6. The TLS handshake that was started (session@1) and held back by the attacker is now let through to the server, which performs a new TLS handshake over the previously established encrypted TLS session@2.

7. The client now holds an authenticated session and sends requests containing its authentication credential (i.e. a cookie). The attacker receives this request, appends the client's request to its own previous request and forwards the result to the server.

8. Finally, the merged request consists of the attacker's request plus the authentication credential of the authenticated client.

Authentication Gap in SSL Renegotiation:

The authentication gap in SSL arises from renegotiation during the negotiation process, at which point an attacker can join two heterogeneous connections in a completely standards-compliant way. Web servers combine the data they receive prior to renegotiation with the data they receive after renegotiation.

GET attacks are essentially trivial to execute. An application that only makes changes in response to POST requests will probably not be vulnerable.

Affected Versions:

SSL version 3.0 and newer.

TLS version 1.0 and newer.

Resolution:

1. Disabling renegotiation:

This cannot be configured easily, but the majority of web sites do not use renegotiation, so disabling it won't be a problem.

2. Using a firewall:

Monitor the contents of all request headers to spot anything that looks like an embedded HTTP request. The good thing is that the embedded request line will not be obfuscated, making it easier to detect.

Example:

GET /path/resource.asp HTTP/1.0          <-- attacker's request line
Header: GET /index.asp HTTP/1.0          <-- client's request line, swallowed as a header value
Cookie: 123455678796_jjoivcdf_@Dss       <-- client's credential
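The firewall check described above amounts to parsing the header block of each request and flagging any header whose value is itself an HTTP request line (method, path, HTTP version). The block below is an added example, not code from the original post, of that inspection in Python. The two sample requests are constructed from the example above; the header name `X-Ignore` standing in for the post's generic `Header:` and the function names are assumptions.

```python
# Added example (not from the original post): the header inspection a firewall
# or reverse proxy could apply to catch the renegotiation prefix-injection.
# Given the raw header block of one request, it flags any header whose value
# looks like a second HTTP request line (METHOD SP target SP HTTP/x.y), which is
# exactly what a client request spliced onto an attacker's unterminated header
# produces. The sample requests are constructed from the post's example; the
# header name X-Ignore and the function names are assumptions.

import re

# An HTTP/1.x request line: method, request-target, HTTP/major.minor
REQUEST_LINE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH)\s+\S+\s+HTTP/\d\.\d$",
    re.IGNORECASE,
)

# Constructed sample: the attacker's prefix line, then the client's own request
# line swallowed as the value of a header the attacker deliberately left open.
SAMPLE_SPLICED_REQUEST = (
    "GET /path/resource.asp HTTP/1.0\r\n"
    "X-Ignore: GET /index.asp HTTP/1.0\r\n"
    "Cookie: 123455678796_jjoivcdf_@Dss\r\n"
    "\r\n"
)

# Constructed sample: the client's request as the server should have seen it.
SAMPLE_NORMAL_REQUEST = (
    "GET /index.asp HTTP/1.0\r\n"
    "Cookie: 123455678796_jjoivcdf_@Dss\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split raw request text into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            # Malformed header line: keep it under an empty name so it is inspected too
            headers.append(("", line.strip()))
        else:
            headers.append((name.strip(), value.strip()))
    return request_line, headers


def find_embedded_requests(raw):
    """Return the (name, value) pairs whose value is itself an HTTP request line."""
    _, headers = parse_headers(raw)
    return [(name, value) for name, value in headers if REQUEST_LINE.match(value)]


def is_suspicious(raw):
    """True when the request carries an embedded request line and should be blocked."""
    return bool(find_embedded_requests(raw))


if __name__ == "__main__":
    for label, req in (("spliced", SAMPLE_SPLICED_REQUEST), ("normal", SAMPLE_NORMAL_REQUEST)):
        verdict = "BLOCK" if is_suspicious(req) else "allow"
        print(label, "->", verdict, find_embedded_requests(req))
```

The match is anchored to the whole header value, so a Referer or User-Agent that merely contains the word "GET" is not flagged; what is flagged is a value that is, in its entirety, a request line, which is what the splice produces and what a legitimate client never sends.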

Scenario:

              sess1                                 sess2
  TLS client <--->  rogue TLS server (doing MITM)  <--->  victim MS IIS

Impacts:

This vulnerability is used to steal credentials.

It is also useful for performing CSRF attacks.


Thursday, December 9, 2010

DLL Hijacking:

DLL (Dynamic Link Library): a set of functions and small programs that are used by larger programs running on the computer. It is Microsoft's implementation of a shared library, where the code in the library can be shared by any module on the computer. These functions are what let larger programs communicate with external devices like printers, mice, etc.

They are not loaded into random access memory together with the application, so the added advantage is that RAM is saved. Whenever a DLL is needed, it is loaded and run.

For example: a user is editing a Microsoft Word document. Only if the user decides to print the document does the printer DLL get loaded into RAM and run; until then, the DLL does not need to be loaded.

All DLL files have the .dll extension. All Windows and some non-Windows applications rely on DLLs as part of their functionality.

So, along with the DLLs built into Windows, developers also create DLLs that contain functions used by their applications. All the DLLs used by an application are packaged and installed with it.

DLL hijacking:

When DLLs are packaged and installed with an application, the developer needs to specify the path from which the packaged DLLs are to be loaded, but often this is not done, i.e. the application does not have a statically defined path. It then searches the directory it was executed from, and then the system directory, and loads the first file whose name matches.

To get an idea of how this occurs, take the above scenario together with the explanation below. An attacker executes an application that must dynamically search for a required DLL when loaded; the application immediately searches the path it was executed from and finds a DLL whose name matches. The real DLLs associated with the application are located in the Windows system directory. The DLL placed in the directory with the application is one that has been modified by an attacker to allow remote command shell access to the system.

Because the planted DLL matches first, the application never loads the real DLL.
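The post's point is that the loader takes the first name match along its search path, so a file of the right name in the application directory wins over the genuine copy in the system directory. The block below is an added example, not code from the original post: a Python simulation of that two-step search order together with a check a defender can run over an install to list DLLs that shadow a system copy or are requested but present nowhere. The directory layout, the DLL names and the function names are constructed for the demonstration; the search order used is the simplified one given in the post, not the full Windows order.

```python
# Added example (not from the original post): a simulation of the search-order
# problem described above, plus a check over an application directory. The
# search order here (application directory first, then the system directory) is
# the simplified order the post gives, not the full Windows loader order. The
# directory layout, DLL names and function names are constructed for the demo.

import os
import tempfile


def resolve_dll(name, search_dirs, exists=os.path.exists):
    """Return the first path in search_dirs where name exists, or None if absent.

    exists is injectable so the search can be simulated without touching disk.
    """
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if exists(candidate):
            return candidate
    return None


def find_shadowed_dlls(app_dir, system_dir, dll_names, exists=os.path.exists):
    """Audit an install: report DLLs the application would pick up from its own
    directory even though a copy with the same name lives in the system
    directory ("shadowed"), and DLLs it asks for that exist nowhere ("missing"),
    where any file dropped into the application directory would win outright."""
    shadowed, missing = [], []
    for name in dll_names:
        in_app = exists(os.path.join(app_dir, name))
        in_sys = exists(os.path.join(system_dir, name))
        if in_app and in_sys:
            shadowed.append(name)
        elif not in_app and not in_sys:
            missing.append(name)
    return {"shadowed": shadowed, "missing": missing}


def demo():
    """Build a constructed layout in a temporary directory and run both checks.

    Returns (loaded_from_app_dir, report) so the result can be asserted on."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")
        system_dir = os.path.join(root, "system32")
        os.makedirs(app_dir)
        os.makedirs(system_dir)
        # Legitimate system copies of both libraries the application needs
        for name in ("print.dll", "ui.dll"):
            open(os.path.join(system_dir, name), "w").close()
        # A same-named print.dll sitting next to the application binary
        open(os.path.join(app_dir, "print.dll"), "w").close()

        chosen = resolve_dll("print.dll", [app_dir, system_dir])
        report = find_shadowed_dlls(app_dir, system_dir, ["print.dll", "ui.dll", "absent.dll"])
        return os.path.dirname(chosen) == app_dir, report


if __name__ == "__main__":
    from_app_dir, report = demo()
    print("print.dll resolved to the application directory:", from_app_dir)
    print("audit report:", report)
```

The "missing" list is the more interesting output for a defender: a DLL the application probes for that is not installed anywhere is a name for which there is no legitimate copy to be shadowed, so any writable directory on the search path that precedes the system directory is the thing to lock down.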