Topic 2: Exam Pool B
The network administrator at Spears Technology, Inc has configured the default gateway
Cisco router's access-list as below:
You are hired to conduct security testing on their network.
You successfully brute-force the SNMP community string using an SNMP cracking tool.
The access-list configured at the router prevents you from establishing a successful
connection.
You want to retrieve the Cisco configuration from the router. How would you proceed?
A.
Use the Cisco's TFTP default password to connect and download the configuration file
B.
Run a network sniffer and capture the returned traffic with the configuration file from the
router
C.
Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the
router masking your IP address
D.
Send a customized SNMP set request with a spoofed source IP address in the range -
192.168.1.0
Run a network sniffer and capture the returned traffic with the configuration file from the
router
Send a customized SNMP set request with a spoofed source IP address in the range -
192.168.1.0
Sam, a professional hacker, targeted an organization with the intention of compromising AWS
IAM credentials. He attempted to lure one of the employees of the organization by initiating
fake calls while posing as a legitimate employee. Moreover, he sent phishing emails to
steal the AWS IAM credentials and further compromise the employee's account. What is
the technique used by Sam to compromise the AWS IAM credentials?
A.
Social engineering
B.
Insider threat
C.
Password reuse
D.
Reverse engineering
Social engineering
Explanation:
Just like any other service that accepts usernames and passwords for logging in, AWS
users are vulnerable to social engineering attacks. Fake emails, calls, or any other
method of social engineering may put an AWS user's credentials in the hands of an
attacker.
If a user only uses API keys for accessing AWS, general phishing techniques could still be
used to gain access to other accounts or to the user's PC itself, from which the attacker may
then pull the API keys for that AWS user.
With basic open-source intelligence (OSINT), it is usually simple to collect a list of
employees of an organization who use AWS on a regular basis. This list can then be
targeted with spear phishing to gather credentials. A simple technique may include an
email that says your bill has spiked 500% within the past 24 hours, "click here for
additional information", and when they click the link, they are forwarded to a malicious copy
of the AWS login page designed to steal their credentials.
An example of such an email can be seen in the screenshot below. It looks exactly like an
email that AWS would send you if you were to exceed the free tier limits, except for a
few small changes. If you clicked on any of the highlighted regions in the screenshot,
you would not be taken to the official AWS website; you would instead be forwarded to a
fake login page set up to steal your credentials.
These emails can get even more specific by doing a little more OSINT before
sending them out. If an attacker was able to discover your AWS account ID online
somewhere, they could use methods we at Rhino have released previously to enumerate what
users and roles exist in your account without any logs being generated on your side. They
could use this list to further refine their target list, as well as their emails, to reference
services they know you often use.
For reference, the blog post on using AWS account IDs for role enumeration can be
found here, and the blog post on using AWS account IDs for user enumeration can be
found here.
During engagements at Rhino, we find that phishing is one of the fastest ways for us to
gain access to an AWS environment.
How can you determine if an LM hash you extracted contains a password that is less than
8 characters long?
A.
There is no way to tell because a hash cannot be reversed
B.
The right most portion of the hash is always the same
C.
The hash always starts with AB923D
D.
The left most portion of the hash is always the same
E.
A portion of the hash will be all 0's
The right most portion of the hash is always the same
In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range
does a Medium-severity vulnerability fall in?
A.
3.0-6.9
B.
4.0-6.0
C.
4.0-6.9
D.
3.9-6.9
4.0-6.9
Robin, an attacker, is attempting to bypass the firewalls of an organization through the DNS
tunneling method in order to exfiltrate data. He is using the NSTX tool for bypassing the
firewalls. On which of the following ports should Robin run the NSTX tool?
A.
Port 53
B.
Port 23
C.
Port 50
D.
Port 80
Port 53
Explanation:
DNS uses port 53, which is almost always open on systems, firewalls, and clients, to
transmit DNS queries. Instead of the more familiar Transmission Control Protocol (TCP),
these queries use User Datagram Protocol (UDP) because of its lower latency, bandwidth and
resource usage compared with TCP-equivalent queries. UDP has no error or flow-control
capabilities, nor does it have any integrity checking to make sure the data arrived intact. How
is internet use (browsing, apps, chat, etc.) so reliable then? If the UDP DNS query fails (it is a
best-effort protocol, after all) in the first instance, most systems will retry a number of times
and only after multiple failures potentially switch to TCP before trying again; TCP is
additionally used if the DNS query exceeds the limits of the UDP datagram size,
typically 512 bytes for DNS but dependent on system settings. Figure 1 below illustrates
the basic process of how DNS operates: the client sends a query string (for example,
mail.google[.]com in this case) with a particular type, typically A for a host
address. I have skipped the part whereby intermediate DNS systems may need to establish
where '.com' exists, before finding out where 'google[.]com' can be found, and so on.
Many worms and scanners have been created to seek out and exploit systems running telnet.
Given these facts, it is really no surprise that telnet is usually seen on the Top Ten
Target Ports list. Several of the vulnerabilities of telnet have been fixed. They require only an
upgrade to the most current version of the telnet daemon or an OS upgrade. As is usually
the case, this upgrade has not been performed on a number of devices. This may be due to
the fact that many systems administrators and users do not fully understand the risks
involved in using telnet. Unfortunately, the only solution for some of telnet's vulnerabilities is to
completely discontinue its use. The preferred method of mitigating all of telnet's
vulnerabilities is replacing it with alternate protocols such as SSH. SSH is capable of providing
many of the same functions as telnet and a number of additional services typically
handled by other protocols such as FTP and X Windows. SSH does still have several drawbacks
to overcome before it can completely replace telnet. It is typically only supported on newer
equipment. It requires processor and memory resources to perform the data encryption and
decryption. It also requires greater bandwidth than telnet due to the encryption of the data. This paper was written to help clarify how dangerous the use of telnet can
be and to supply solutions to alleviate the main known threats so as to enhance the
overall security of the Internet.
Once a name is resolved to an IP, caching also helps: the resolved name-to-IP mapping is
usually cached on the local system (and possibly on intermediate DNS servers) for a period
of time. Subsequent queries for the same name from the same client then
do not leave the local system until that cache expires. Of course, once the IP address of the
remote service is known, applications can use that information to enable other TCP-based
protocols, such as HTTP, to do their actual work, for instance ensuring internet cat
GIFs can be reliably shared with your colleagues. So, all in all, a couple of dozen
extra UDP DNS queries from an organization's network would be fairly inconspicuous and
would allow a malicious payload to beacon out to an adversary; commands could even be
received by the requesting application for processing with little difficulty.
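The explanation above describes why a tunnel over port 53 blends in; the defender's counterpart is spotting the traffic shape that tools such as NSTX produce: many unique, long, high-entropy subdomains under one domain, carried in record types (TXT, NULL) that ordinary clients rarely request. The following is an added example, not part of the original question set or of any referenced tool. It parses a constructed DNS query log (the format, hosts, client addresses and thresholds are assumptions chosen for illustration) and scores each (client, base domain) pair on those indicators.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from any real capture). Each line is
# "<timestamp> <client-ip> <query-type> <query-name>". The 10.0.0.7 client
# sends long, hex-looking labels under tunnel.example.net using TXT and NULL
# records, which is the shape of traffic a DNS tunnel produces.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 A mail.google.com
2024-05-01T10:00:03 10.0.0.7 TXT 4a6f686e2053656e6473.7468652064617461.tunnel.example.net
2024-05-01T10:00:04 10.0.0.7 TXT 9f8e7d6c5b4a39281706.0f1e2d3c4b5a6978.tunnel.example.net
2024-05-01T10:00:05 10.0.0.7 TXT 3c2b1a0f9e8d7c6b5a49.38271605f4e3d2c1.tunnel.example.net
2024-05-01T10:00:06 10.0.0.7 NULL aa55aa55aa55aa55aa55.bb66bb66bb66bb66.tunnel.example.net
2024-05-01T10:00:07 10.0.0.5 A cdn.example.com
this line is malformed and must be skipped
"""

# Record types that carry arbitrary payloads and are rarely needed by end-user clients.
PAYLOAD_QTYPES = {"TXT", "NULL"}
LONG_SUBDOMAIN = 30         # assumed threshold: characters of subdomain, dots removed
HIGH_ENTROPY = 3.0          # assumed threshold: bits per character; hostnames sit well below
MIN_SUSPICIOUS_QUERIES = 3  # assumed threshold: queries with >= 2 indicators before flagging


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain-without-dots, base-domain). The base domain is taken as
    the last two labels, an assumption a real deployment would replace with a
    public-suffix-list lookup."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname


def query_score(qtype, subdomain):
    """Count the tunnelling indicators present in a single query (0 to 3)."""
    score = 0
    if qtype in PAYLOAD_QTYPES:
        score += 1
    if len(subdomain) >= LONG_SUBDOMAIN:
        score += 1
    if shannon_entropy(subdomain) >= HIGH_ENTROPY:
        score += 1
    return score


def analyze_dns_log(log_text):
    """Return {(client, base_domain): stats}. A pair is flagged when at least
    MIN_SUSPICIOUS_QUERIES of its queries show two or more indicators."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        sub, base = split_name(qname)
        s = stats.setdefault((client, base), {"queries": 0, "suspicious": 0, "subdomains": set()})
        s["queries"] += 1
        s["subdomains"].add(sub)
        if query_score(qtype, sub) >= 2:
            s["suspicious"] += 1
    for s in stats.values():
        s["unique_subdomains"] = len(s.pop("subdomains"))
        s["flagged"] = s["suspicious"] >= MIN_SUSPICIOUS_QUERIES
    return stats


def flagged_pairs(log_text):
    """Sorted list of (client, base_domain) pairs that tripped the detector."""
    return sorted(k for k, v in analyze_dns_log(log_text).items() if v["flagged"])


if __name__ == "__main__":
    for (client, domain), s in sorted(analyze_dns_log(SAMPLE_LOG).items()):
        print(f"{client:10} {domain:14} queries={s['queries']} suspicious={s['suspicious']} "
              f"unique_subdomains={s['unique_subdomains']} flagged={s['flagged']}")
```

Run against the sample, only the pair (10.0.0.7, example.net) is flagged: all four of its queries are long and use payload record types, and three of the four also exceed the entropy threshold, while the ordinary A lookups from 10.0.0.5 score zero. Requiring several qualifying queries per pair, rather than alerting on a single odd label, is what keeps CDN and anti-spam lookups (which legitimately use long or TXT names) from flooding the alert queue.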
You need a tool that can do network intrusion prevention and intrusion detection, function
as a network sniffer, and record network activity, what tool would you most likely select?
A.
Nmap
B.
Cain & Abel
C.
Nessus
D.
Snort
Snort
In the context of password security, a simple dictionary attack involves loading a dictionary
file (a text file full of dictionary words) into a cracking application such as L0phtCrack or
John the Ripper, and running it against user accounts located by the application. The larger
the word and word fragment selection, the more effective the dictionary attack is. The brute
force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration. If you were to use both brute-force and
dictionary methods combined to produce variations of words, what would you call such
an attack?
A.
Full Blown
B.
Thorough
C.
Hybrid
D.
BruteDics
Hybrid
To invisibly maintain access to a machine, an attacker utilizes a toolkit that sits undetected
in the core components of the operating system. What is this type of rootkit an example of?
A.
Hypervisor rootkit
B.
Kernel toolkit
C.
Hardware rootkit
D.
Firmware rootkit
Kernel toolkit
Explanation: Kernel-mode rootkits run with the highest operating system privileges (Ring 0)
by adding code to or replacing parts of the core operating system, including both the
kernel and associated device drivers. Most operating systems support kernel-mode device
drivers, which execute with the same privileges as the operating system itself. As such, many
kernel-mode rootkits are developed as device drivers or loadable modules,
such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class
of rootkit has unrestricted security access, but is harder to write. The complexity
makes bugs common, and any bugs in code operating at the kernel level may seriously
impact system stability, leading to discovery of the rootkit. One of the first widely
known kernel rootkits was developed for Windows NT 4.0 and released in Phrack
magazine in 1999 by Greg Hoglund. Kernel rootkits can be especially difficult to detect and
remove because they operate at the same security level as the operating system itself,
and are therefore able to intercept or subvert the most trusted operating system
operations. Any software, such as antivirus software, running on the compromised system is
equally vulnerable. In this scenario, no part of the system can be trusted.
Which of the following commands checks for valid users on an SMTP server?
A.
RCPT
B.
CHK
C.
VRFY
D.
VRFY
VRFY
Explanation: The VRFY command enables SMTP clients to send a request to an
SMTP server to verify that mail for a specific user name resides on the server. The VRFY
command is defined in RFC 821. The server sends a response indicating whether the user
is local or not, whether mail will be forwarded, and so on. A response of 250
indicates that the user name is local; a response of 251 indicates that the user name is not
local, but the server will forward the message. The server response includes the mailbox
name.
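The reply codes described above (250 local, 251 forwarded, and the 550 a server returns for an unknown mailbox) are what make VRFY a user-enumeration channel, and the usual fix is for the server to answer every VRFY with a non-committal 252. The following is an added example, not part of the original question set or of any real MTA: a minimal SMTP state machine for a constructed mailbox table (the domain example.com, the users, the forwarding address and the greeting text are all assumptions) that produces both the disclosing RFC 821-style dialogue and the hardened one side by side.

```python
# Constructed mailbox table: user -> (display name, forwarding address or None).
# "alice" is local, "bob" is forwarded to another host, anything else is unknown.
MAILBOXES = {
    "alice": ("Alice Example", None),
    "bob": ("Bob Example", "bob@relay.example.org"),
}
LOCAL_DOMAIN = "example.com"  # assumed domain for this example


def handle_vrfy(argument, mailboxes=MAILBOXES, disclose=False):
    """Build the server reply to "VRFY <argument>".

    disclose=True reproduces the RFC 821 behaviour: 250 for a local mailbox,
    251 when the server will forward, 550 when the user is unknown.
    disclose=False is the hardened policy: a uniform 252 reply (the text RFC 5321
    gives for it) that neither confirms nor denies that the mailbox exists.
    """
    user = argument.strip().lower()
    if not user:
        return "501 Syntax: VRFY <username>"
    if not disclose:
        return "252 Cannot VRFY user, but will accept message and attempt delivery"
    entry = mailboxes.get(user)
    if entry is None:
        return "550 No such user here"
    name, forward = entry
    if forward is None:
        return f"250 {name} <{user}@{LOCAL_DOMAIN}>"
    return f"251 User not local; will forward to <{forward}>"


def run_session(commands, disclose=False):
    """Feed a scripted client dialogue to a minimal SMTP state machine and
    return a list of (command, reply) pairs. Only the commands needed to reach
    VRFY are implemented; VRFY before HELO/EHLO is rejected with 503."""
    transcript = []
    greeted = False
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            greeted = True
            reply = f"250 mail.{LOCAL_DOMAIN}"
        elif verb == "VRFY":
            reply = "503 Send HELO/EHLO first" if not greeted else handle_vrfy(arg, disclose=disclose)
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 Command not implemented"
        transcript.append((cmd, reply))
    return transcript


def vrfy_reply_leaks(reply):
    """True when a VRFY reply code reveals whether the mailbox exists, which is
    the condition a hardening review of a mail server looks for."""
    return reply[:3] in ("250", "251", "550")


if __name__ == "__main__":
    script = ["EHLO client.example.net", "VRFY alice", "VRFY bob", "VRFY nobody", "QUIT"]
    for label, policy in (("disclosing (RFC 821 style)", True), ("hardened (252)", False)):
        print(f"--- {label} ---")
        for cmd, reply in run_session(script, disclose=policy):
            print(f"C: {cmd}\nS: {reply}")
```

In the disclosing session the three VRFY replies differ (250, 251, 550), so a client can tell the valid names from the invalid one; in the hardened session all three replies are identical, and `vrfy_reply_leaks` returns False for each. Real MTAs expose the same switch as configuration; Postfix, for instance, has `disable_vrfy_command = yes`, which makes it answer VRFY with a 252 in exactly this way.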
Why are containers less secure than virtual machines?
A.
Host OS on containers has a larger attack surface.
B.
Containers may fill up the disk space of the host.
C.
A compromised container may cause CPU starvation of the host.
D.
Containers are attached to the same virtual network.
Host OS on containers has a larger attack surface.