James Williams
NET-PROTO-01: Protocol security focuses on securing network communication protocols
NET-SCAN-01: Port scanning techniques for reconnaissance and vulnerability assessment
NET-DNS-01: DNS security analysis and protection against DNS-based attacks
Impact: Service disruption, data breaches, infrastructure compromise
<!-- VULNERABLE: Weak protocols -->
SSH-1.0 # Weak encryption
SSL 2.0/3.0 # Deprecated protocols
WEP (WiFi) # Easily cracked
Telnet # Plaintext transmission
<!-- SECURE: Strong protocols -->
SSH-2.0 # Strong encryption
TLS 1.2/1.3 # Modern protocols
WPA3 (WiFi) # Strong authentication
SSH/HTTPS # Encrypted transmission
<!-- VULNERABLE: Implementation flaws -->
Heartbleed (OpenSSL) # Buffer over-read (out-of-bounds read leaks memory)
POODLE (SSL 3.0) # Padding oracle
BEAST (TLS 1.0) # Block cipher attack
CRIME (TLS) # Compression attack
<!-- SECURE: Proper implementation -->
Regular security updates
Proper input validation
Secure random number generation
Memory-safe programming
<!-- TCP Connect Scan -->
nmap -sT target.com
<!-- TCP SYN Scan (Stealth) -->
nmap -sS target.com
<!-- TCP FIN Scan -->
nmap -sF target.com
<!-- TCP NULL Scan -->
nmap -sN target.com
<!-- TCP XMAS Scan -->
nmap -sX target.com
<!-- UDP Scan -->
nmap -sU target.com
<!-- UDP Scan with Service Detection -->
nmap -sU -sV target.com
<!-- Common UDP Ports -->
53 - DNS
67 - DHCP
123 - NTP
161 - SNMP
500 - IKE
<!-- Service Version Detection -->
nmap -sV target.com
<!-- OS Detection -->
nmap -O target.com
<!-- Script Scanning -->
nmap --script vuln target.com
<!-- Aggressive Scan -->
nmap -A target.com
<!-- Timing Control -->
nmap -T0 target.com # Paranoid (slowest)
nmap -T5 target.com # Insane (fastest)
<!-- Fragmentation -->
nmap -f target.com
<!-- Decoy Scanning -->
nmap -D decoy1,decoy2,ME target.com
<!-- Source Port Spoofing -->
nmap --source-port 53 target.com
<!-- DNS Cache Poisoning Attack -->
1. Attacker queries DNS server for non-existent subdomain
2. DNS server queries authoritative server
3. Attacker floods with fake responses
4. DNS server caches fake response
<!-- Example -->
Query: nonexistent.example.com
Fake Response: example.com A 192.168.1.100
Result: All queries to example.com redirected
<!-- DNS Amplification -->
1. Attacker spoofs victim's IP address
2. Sends small DNS queries to open resolvers
3. Open resolvers send large responses to victim
4. Amplification factor: 50-100x
<!-- Mitigation -->
- Disable open DNS resolvers
- Implement rate limiting
- Use DNS response size limits
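The two attacks above come down to the same handful of header bytes. The following example, added here and not part of the original slides, builds raw DNS messages, applies the resolver-side acceptance check that cache poisoning must defeat (QR bit, transaction ID, identical question), and computes the amplification factor of a reply against the query that triggered it. Message contents and addresses are constructed; compression pointers are deliberately not handled.

```python
"""Minimal DNS message handling (example added here; not from the original slides).
Shows why a resolver only accepts a reply that matches its own query, and how much
larger an open resolver's reply can be than the query that triggered it."""
from __future__ import annotations
import struct
from typing import NamedTuple


class DnsHeader(NamedTuple):
    txid: int      # 16-bit transaction ID; a forged reply has to guess it
    flags: int     # QR, opcode, AA, TC, RD, RA, rcode
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)  # QR bit


def parse_header(msg: bytes) -> DnsHeader:
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))


def encode_name(name: str) -> bytes:
    # "example.com" -> b"\x07example\x03com\x00" (length-prefixed labels, no compression)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    # Reads an uncompressed name (the question section is always written literally);
    # returns the name and the offset just past its terminating zero byte.
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    # flags 0x0100 = standard query with RD set, one question. Bytes 2..5 of such a
    # query are 01 00 00 01, which is what a content match anchored at offset 2 sees.
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, addresses: list[str]) -> bytes:
    # One A record (TTL 300) per address; flags 0x8180 = QR, RD, RA. Addresses are constructed.
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Resolver-side acceptance check: a reply must carry the QR bit, the same transaction
    ID and the same question (name, type, class) as the outstanding query. A real resolver
    also checks the UDP source port; randomising both port and ID is what makes a blind
    flood of forged replies impractical."""
    q, r = parse_header(query), parse_header(response)
    if q.is_response or not r.is_response or q.txid != r.txid:
        return False
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    return qname.lower() == rname.lower() and query[qoff:qoff + 4] == response[roff:roff + 4]


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the sender spent on the query."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    forged = build_response(0x9999, "example.com", ["192.0.2.1"])
    big = build_response(0x1234, "example.com", ["192.0.2.%d" % i for i in range(1, 21)])
    print("forged reply accepted:", response_matches_query(q, forged))
    print("amplification for a 20-record answer: %.1fx" % amplification_factor(q, big))
```

A 29-byte query answered with twenty A records already comes back about 20x larger, which is why response-size limits and refusing recursion to outsiders are listed as mitigations.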
<!-- DNSSEC Zone Signing -->
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com # zone-signing key (ZSK)
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com # key-signing key (KSK)
dnssec-signzone -S -o example.com -f example.com.signed example.com.db # -S picks up the K*.key files in the current directory
<!-- DNSSEC Validation -->
dig +dnssec example.com # request RRSIGs; an "ad" flag in the reply means the resolver validated them
dig +cdflag example.com # CD (checking disabled): return the answer even if validation would fail, to compare
<!-- DNSSEC Chain of Trust -->
Root Zone → TLD → Domain → Subdomain
<!-- DNS Filtering -->
# Block malicious domains
*.malware.com A 0.0.0.0
*.phishing.com A 0.0.0.0
<!-- DNS Monitoring -->
# Log DNS queries (a channel only takes effect once a category is bound to it)
logging {
channel security {
file "/var/log/dns-security.log";
severity info;
};
category queries { security; };
category security { security; };
};
<!-- Snort IDS Rules -->
# flags:S counts only new connection attempts; sid/rev are mandatory on every rule
alert tcp any any -> any 22 (msg:"SSH Brute Force"; flags:S; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
# |01 00 00 01| is flags (RD set) + QDCOUNT=1 of a standard query, at bytes 2-5; without offset:2 the match would test the transaction ID
alert udp any any -> any 53 (msg:"DNS Query"; content:"|01 00 00 01|"; offset:2; depth:4; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"Web Attack"; content:"/etc/passwd"; nocase; sid:1000003; rev:1;)
<!-- Suricata Rules -->
alert http any any -> any any (msg:"Suspicious User Agent"; content:"sqlmap"; http_user_agent; nocase; sid:2000001; rev:1;)
<!-- Wireshark Filters -->
tcp.port == 22 and tcp.flags.syn == 1
dns.qry.name contains "malware"
http.request.uri contains "admin"
ip.src == 192.168.1.100
<!-- tcpdump Commands -->
tcpdump -i eth0 port 22
tcpdump -i eth0 host 192.168.1.100
tcpdump -i eth0 -w capture.pcap
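The "SSH Brute Force" rule above is a sliding-window threshold: count SYNs per source and alert once the count reaches 5 inside 60 seconds. The following example, added here and not from the slides or from Snort, implements that logic over constructed tcpdump-style lines so the threshold semantics can be seen directly. The log lines are made up; the parser assumes the `tcpdump -n` line format shown in them.

```python
"""Sliding-window threshold detection, the logic behind the Snort rule
'track by_src, count 5, seconds 60', run over constructed tcpdump-style lines
(example added here; not from the original slides or from Snort)."""
import re
from collections import defaultdict, deque

# tcpdump -n output; only the fields the detector needs are captured
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s = m["ts"].split(":")
    return {"ts": int(h) * 3600 + int(mnt) * 60 + float(s), "src": m["src"],
            "dport": int(m["dport"]), "flags": m["flags"]}


class SynThreshold:
    """Alert when one source sends `count` bare SYNs to `port` within `seconds`
    (sliding window), then stay quiet for that source until a window has passed
    (Snort 'type both' semantics), so a burst yields one alert rather than hundreds."""

    def __init__(self, port=22, count=5, seconds=60):
        self.port, self.count, self.seconds = port, count, seconds
        self.events = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.last_alert = {}               # src -> timestamp of the last alert

    def observe(self, rec) -> bool:
        if rec["dport"] != self.port or rec["flags"] != "S":   # "S." is a SYN-ACK, not an attempt
            return False
        q = self.events[rec["src"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > self.seconds:                 # expire entries outside the window
            q.popleft()
        if len(q) < self.count:
            return False
        last = self.last_alert.get(rec["src"])
        if last is not None and rec["ts"] - last <= self.seconds:
            return False
        self.last_alert[rec["src"]] = rec["ts"]
        return True


def scan(lines):
    """Return (timestamp, source) for every alert the detector raises."""
    det = SynThreshold()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if det.observe(rec):
            alerts.append((rec["ts"], rec["src"]))
    return alerts


# Constructed sample: 10.0.0.5 hammers port 22, 10.0.0.7 connects twice, unrelated packets mixed in
SAMPLE_LOG = """\
12:00:00.000000 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000000 IP 10.0.0.5.40002 > 192.168.1.10.22: Flags [S], seq 2, win 64240, length 0
12:00:01.500000 IP 10.0.0.7.50001 > 192.168.1.10.22: Flags [S], seq 3, win 64240, length 0
12:00:02.000000 IP 10.0.0.5.40003 > 192.168.1.10.22: Flags [S], seq 4, win 64240, length 0
12:00:02.500000 IP 192.168.1.10.22 > 10.0.0.5.40003: Flags [S.], seq 5, ack 5, win 65160, length 0
12:00:03.000000 IP 10.0.0.5.40004 > 192.168.1.10.22: Flags [S], seq 6, win 64240, length 0
12:00:03.500000 IP 10.0.0.5.40005 > 192.168.1.10.443: Flags [S], seq 7, win 64240, length 0
12:00:04.000000 IP 10.0.0.5.40006 > 192.168.1.10.22: Flags [S], seq 8, win 64240, length 0
12:00:05.000000 IP 10.0.0.5.40007 > 192.168.1.10.22: Flags [S], seq 9, win 64240, length 0
12:00:30.000000 IP 10.0.0.7.50002 > 192.168.1.10.22: Flags [S], seq 10, win 64240, length 0
"""

if __name__ == "__main__":
    for ts, src in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT SSH brute force from {src} at t={ts:.1f}s")
```

Only the fifth SYN from 10.0.0.5 produces an alert; the sixth falls inside the suppression window and the two from 10.0.0.7 never reach the count.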
Skills Needed: Network protocols, Security tools, Penetration testing, Risk assessment
Our OS³ Studio provides hands-on experience with:
Access: Available through university portal
Lesson: Weak network protocols and default credentials create massive attack surfaces
Use OS³ Studio to identify network protocol vulnerabilities, perform port scanning, and analyze DNS security.
Time: 45 minutes
Focus on systematic network reconnaissance and vulnerability assessment
Take a break, ask questions, or catch up on the previous task.
Next: Secure implementation and Task 2
<!-- SECURE: SSH Configuration -->
# /etc/ssh/sshd_config
Protocol 2 # SSH-2 only; OpenSSH 7.6+ supports nothing else and ignores this line, keep it for older servers
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
<!-- SECURE: TLS Configuration -->
# nginx server block
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
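The same policy can be expressed and checked from code. The example below, added here and not part of the slides, builds a server `SSLContext` with the equivalent of the nginx directives above and audits the enabled suites for forward secrecy and AEAD, the two properties that separate the secure list from the CBC and static-RSA suites behind the attacks named earlier. The certificate and key paths are hypothetical arguments supplied by the caller.

```python
"""Same hardening as the nginx directives, expressed with Python's ssl module, plus a
cipher-suite audit (example added here; not part of the original slides)."""
import ssl

# Identical to the ssl_ciphers line: ECDHE key exchange (forward secrecy) + AES-GCM (AEAD)
SECURE_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # ssl_protocols TLSv1.2 TLSv1.3
    ctx.set_ciphers(SECURE_CIPHERS)                  # ssl_ciphers (TLS 1.3 suites stay enabled)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # ssl_prefer_server_ciphers on
    if certfile:                                     # hypothetical paths supplied by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def is_weak_suite(name: str) -> bool:
    """Weak here means no forward secrecy (static RSA key exchange) or no AEAD
    (CBC + HMAC, the construction behind the padding-oracle attacks listed earlier)."""
    if name.startswith("TLS_"):          # TLS 1.3 suites: ephemeral keys and AEAD by construction
        return False
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    return not (forward_secret and aead)


def audit_cipher_names(names) -> list:
    return [n for n in names if is_weak_suite(n)]


def audit_context(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that fail the policy; an empty list means the context is clean."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("enabled:", [c["name"] for c in ctx.get_ciphers()])
    print("weak suites in hardened context:", audit_context(ctx))
    print("weak suites in a legacy list:", audit_cipher_names(["AES128-SHA", "DHE-RSA-AES256-SHA256"]))
```

The audit works on suite names so it can be pointed at a list copied out of any server configuration, not only at a Python context.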
<!-- SECURE: VLAN Configuration -->
# DMZ Network
vlan 10
name DMZ
# Internal Network
vlan 20
name Internal
# Guest Network
vlan 30
name Guest
<!-- Firewall Rules -->
# Allow DMZ to Internet (Cisco IOS ACLs take wildcard masks, not CIDR prefixes)
ip access-list extended DMZ-OUT
permit ip 192.168.10.0 0.0.0.255 any
# Block Guest to Internal (everything not permitted is dropped by the implicit deny at the end of the list)
ip access-list extended GUEST-IN
deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
<!-- SECURE: BIND Configuration -->
options {
listen-on port 53 { 127.0.0.1; 192.168.1.10; };
allow-query { localnets; };
# authoritative-only role: refuse recursion (an open recursive resolver is the amplification vector)
recursion no;
# allow-recursion only takes effect when recursion is on (internal resolver role)
allow-recursion { localnets; };
# BIND's way of hiding version and identity (hide-version/hide-identity are Unbound options)
version "Not disclosed";
hostname none;
server-id none;
};
<!-- DNSSEC Configuration -->
# validation belongs in the options block (resolver role): dnssec-validation auto;
# dnssec-enable/dnssec-validation are not zone statements, and dnssec-enable was removed in BIND 9.16
zone "example.com" {
type master;
file "example.com.signed"; # output of dnssec-signzone
};
<!-- SECURE: DNS Filtering -->
# Block malicious domains: blocked.zone answers every name under malware.com with 0.0.0.0 (sinkhole)
# for more than a handful of domains, BIND response-policy zones (RPZ) do the same from one list
zone "malware.com" {
type master;
file "blocked.zone";
};
<!-- DNS Logging -->
logging {
channel security {
file "/var/log/dns-security.log";
severity info;
};
category security { security; };
};
<!-- SECURE: Snort Configuration -->
# /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Enable rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
# Output configuration
output unified2: filename snort.log, limit 128
<!-- Custom Rules -->
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force"; flags:S; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
<!-- SECURE: Traffic Monitoring -->
# Monitor suspicious traffic
tcpdump -i eth0 -w suspicious.pcap host 192.168.1.100
# Analyze DNS queries
tcpdump -i eth0 port 53 -n
# Connection attempts and resets (SYN or RST flag set)
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'
# Real-time analysis
tshark -i eth0 -f "port 80" -T fields -e ip.src -e ip.dst
<!-- SECURE: 802.1X Configuration -->
# Switch Configuration (Cisco IOS; requires aaa new-model and dot1x system-auth-control globally)
interface GigabitEthernet0/1
switchport mode access
authentication port-control auto
authentication host-mode multi-domain
authentication violation restrict
dot1x pae authenticator
<!-- RADIUS Configuration -->
aaa new-model
radius-server host 192.168.1.100
radius-server key secretkey # placeholder shared secret
aaa authentication dot1x default group radius
dot1x system-auth-control
<!-- SECURE: iptables Rules -->
# Default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback and established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rate-limit new SSH connections: a 4th attempt within 60 s from one source is dropped
# (these must come before the ACCEPT, because iptables stops at the first matching rule)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
# Allow SSH from specific networks (everything else falls through to the DROP policy)
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
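iptables evaluates a chain top to bottom and the first match wins, which is why a rate-limit or deny rule appended after a broad ACCEPT never fires. The example below, added here and not iptables code, models that first-match semantics for the INPUT chain above, evaluates a few constructed packets against it, and flags rules that an earlier rule makes unreachable. Rule fields are a simplified subset (`-p`, `--dport`, `-s`, `--ctstate`).

```python
"""First-match packet-filter evaluator to reason about the INPUT chain above
(example added here; not iptables code). Rules are checked in order, the first
match decides, and the chain policy applies when nothing matches."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                           # "ACCEPT" or "DROP"
    proto: Optional[str] = None           # -p
    dport: Optional[int] = None           # --dport
    src: Optional[str] = None             # -s (CIDR)
    states: Optional[frozenset] = None    # --ctstate

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.states is None or pkt["state"] in self.states))


def evaluate(chain: list, policy: str, pkt: dict) -> str:
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy                          # iptables -P <chain> <policy>


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b could match is already matched by a."""
    def wider(x, y):
        return x is None or x == y
    src_ok = a.src is None or (b.src is not None and ip_network(b.src).subnet_of(ip_network(a.src)))
    states_ok = a.states is None or (b.states is not None and b.states <= a.states)
    return wider(a.proto, b.proto) and wider(a.dport, b.dport) and src_ok and states_ok


def shadowed_rules(chain: list) -> list:
    """Indexes of rules that can never fire because an earlier rule covers them;
    a non-empty result usually means a rate-limit or deny rule was appended too late."""
    return [j for j, later in enumerate(chain)
            if any(covers(earlier, later) for earlier in chain[:j])]


# The INPUT chain from the slide (policy DROP): established traffic, then SSH from the admin network
INPUT_CHAIN = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24"),
]


def packet(**fields) -> dict:
    # Constructed packet; unspecified fields default to a fresh SSH connection from outside
    base = {"proto": "tcp", "dport": 22, "src": "10.0.0.5", "state": "NEW"}
    base.update(fields)
    return base


if __name__ == "__main__":
    for p in (packet(src="192.168.1.5"), packet(), packet(dport=80, src="192.168.1.5")):
        print(p, "->", evaluate(INPUT_CHAIN, "DROP", p))
    # A broad "allow SSH from anywhere" rule inserted first makes the restricted rule unreachable
    print("shadowed:", shadowed_rules([Rule("ACCEPT", proto="tcp", dport=22)] + INPUT_CHAIN))
```

Running `shadowed_rules` over a chain before loading it is a cheap way to catch the ordering mistake the comments above warn about.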
Use OS³ Studio to implement secure network configurations and monitoring systems.
Time: 45 minutes
Focus on implementing industry-standard network security practices
For students with additional time, explore the source code to understand:
Deliverable: Code review report with network security recommendations