Wannacry ?? Hopefully not…

What was the Wannacry attack???

The Wannacry attack was the misuse of a vulnerability in the SMB protocol of the Microsoft Windows operating system that allowed hackers to install a backdoor and then run arbitrary exploit code.
Wannacry was a combination of 2 exploits, Double Pulsar and Eternal Blue.
Double Pulsar was responsible for creating the backdoor that allowed the installation of Eternal Blue.
Eternal Blue was responsible for encrypting the files on your system and running code asking for ransom.

What is an SMB protocol?

Let’s say you are working in Mumbai. You create a file and want others sitting in other locations like Lisbon, London or Manila to access the file and update it or download it. You will save the file in a shared drive allocated for this purpose.
The shared drive is actually a partition on the file server.

When other computers want to access the file, they use a communication mechanism in which those computers ask for access to the file and the server acts as the gatekeeper and grants access. The communication protocol used for this purpose is the SMB protocol.

The other computers are the SMB clients and the file server is running the SMB server.

The SMB protocol is one of the most common protocols on Windows. Samba was developed for the Unix operating system, so a file stored on a Unix server can now be accessed by a Windows operating system.

The SMB protocol is also used for inter-process communication (IPC), i.e. talking to other computers over a network. It is an application layer protocol and uses port 445.

Double Pulsar ?? Sounds like a galaxy…

To run any exploit on a system, you need a backdoor, just as any thief would need a back door to enter a house. Double Pulsar does this, i.e. it creates a backdoor.

Double Pulsar is exploit code / a malware payload, built mostly in a low-level programming language such as a variant of C, and injected into the victim’s computer when the victim uses some resource on the internet: downloading an infected file, clicking an obvious link in an email or even simply visiting an infected website.

The hacker loads the Double Pulsar code into a file and somehow gets the victim to download it (the victim uses the SMB protocol to download the file), or in other terms to access the file over a shared network (see the connection!!). The Double Pulsar payload then runs on the victim’s system, gets access to the shell environment and opens a backdoor for other exploits to run. If you dig deeper you will learn that getting access to the shell means everything: you can do anything from then on, and that is why most exploit code concentrates on getting shell access.

Now comes the Eternal Blue exploit…

Now that a backdoor is open, all the attacker has to do is send a specially crafted packet to the victim’s system. Because of the vulnerability present in the protocol, the SMB service that runs by default on Windows systems does not recognise the packet’s malicious nature and accepts it.

This specially crafted packet carries a payload that starts running shellcode, encrypts the files on your computer without you knowing it and then presents the ransom screen.

Where do these worms come from???

All this needs an extreme amount of expertise. These exploits are called zero-day exploits, meaning the vulnerabilities are unknown to the manufacturer, which is Microsoft here. The NSA (National Security Agency) developed the exploit after discovering the vulnerability, but did not release the knowledge to the outside world (this tells me that they are twisted themselves).

Anyway, a very famous dark group of hackers called ‘The Shadow Brokers’ got into their database somehow and leaked the exploit. The Shadow Brokers then sell such exploits to the highest bidders. They never reveal their customers. Currently, all fingers point to North Korea as the client.

The customers, whoever they were, started attacking networks.

Subnetting

I explained the advantages of subnetting in my previous article. Here, I would like to take you through some important calculations and subnetting in practice. Please stay with this article and review it as many times as you like, as these are the basics of the calculations and of subnetting. There is no point in going any further if you do not understand subnetting well, and again no point if you do not get this article very well.

IP Address – A Step Further

Welcome to the next step of understanding IP addresses. Now that you understand the structure of IP addresses, I want to take you through the bifurcation of an IP address and its significance.

IP addresses identify a network and the host/device in the network. The closest analogy is a zip code/post code in the US/UK, which identifies the street (network) and the house (host/device) of the addressee. Just like the picture below.

To understand this further, we need to look at something called the netmask or ‘subnet mask’. A netmask tells you the part of the IP address that denotes the network (street) and the part that depicts the host (house). Routers, or layer 3 devices as they are called, use the combination of the IP address and the subnet mask to identify and route the data packet correctly.

For a class ‘A’ IP address, the default subnet mask is 255.0.0.0. This means that the 1st octet is the network address and octets 2 to 4 are the host address.

Similarly, class ‘B’ has a default mask of 255.255.0.0, where the first 2 octets denote the network address and the next 2 octets the host address.

Class ‘C’ has 255.255.255.0, meaning the first 3 octets denote the network and the last octet denotes the host address.

What does this bifurcation mean?

Let’s look at an example:-

An IP address 10.168.10.10 with a default mask of 255.0.0.0 denotes that this host/device belongs to the network 10.0.0.0 and the address of the device is 10.168.10.10. Here, the 1st octet is the network and the next 3 octets denote the address of a particular host. Stick with the analogy of streets and houses and you will understand better.

However, there is one more important thing this netmask tells you, and that is that there is only one network, i.e. all hosts/devices in this setup belong to one large pool. Nice, isn’t it? Noooooo!!!! Read on..
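To make the netmask arithmetic concrete, here is an added example (my own code, not part of the original article) that applies a mask to an IPv4 address with a bitwise AND, returns the network and host parts, and checks whether two hosts share a network. It uses the article’s own 10.168.10.10 / 255.0.0.0 case and only the Python standard library; the function names are mine.

```python
# Added example, not part of the original article: apply a subnet mask to an
# IPv4 address to separate the network (street) from the host (house) part.
import ipaddress

IPV4_ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Pack a dotted-decimal IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_contiguous_mask(mask: str) -> bool:
    """A valid mask is a run of 1-bits followed by 0-bits (255.255.0.0 yes, 255.0.255.0 no)."""
    mask_int = to_int(mask)
    prefix = bin(mask_int).count("1")
    return mask_int == (IPV4_ALL_ONES << (32 - prefix)) & IPV4_ALL_ONES


def prefix_length(mask: str) -> int:
    """Number of network bits in the mask (the /N of CIDR notation)."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return bin(to_int(mask)).count("1")


def split_address(ip: str, mask: str) -> dict:
    """Return network part, host part, broadcast address and usable host count.

    Bits that are 1 in the mask are network bits: network = ip AND mask.
    Bits that are 0 in the mask are host bits:    host    = ip AND NOT mask.
    """
    ip_int, mask_int = to_int(ip), to_int(mask)
    prefix = prefix_length(mask)
    host_mask = ~mask_int & IPV4_ALL_ONES
    network = ip_int & mask_int
    host_bits = 32 - prefix
    return {
        "network": to_dotted(network),
        "host_part": to_dotted(ip_int & host_mask),
        "broadcast": to_dotted(network | host_mask),
        "prefix": prefix,
        # the all-zeros (network) and all-ones (broadcast) host patterns are reserved
        "usable_hosts": max(2 ** host_bits - 2, 0),
    }


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts fall on the same network under the given mask.

    This is the test a host makes to decide whether a destination is local
    or must be handed to a router.
    """
    mask_int = to_int(mask)
    return (to_int(ip_a) & mask_int) == (to_int(ip_b) & mask_int)


def cidr_form(ip: str, mask: str) -> str:
    """Cross-check with the standard library: the same network in prefix notation."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


if __name__ == "__main__":
    print(split_address("10.168.10.10", "255.0.0.0"))
    print(cidr_form("10.168.10.10", "255.0.0.0"))                   # 10.0.0.0/8
    print(same_network("10.168.10.10", "10.1.2.3", "255.0.0.0"))     # True: one big pool
    print(same_network("10.168.10.10", "10.1.2.3", "255.255.0.0"))   # False: two networks
```

The last two calls show the point of the paragraph above: with the default class A mask every 10.x.x.x host is in one pool, while a longer mask such as 255.255.0.0 splits the same addresses into separate networks.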

The concept of Many networks.

For starters, you can have all your devices (users, servers, routers) in one single network, or separate them by allocating a different network to each set of users as per department, keeping database and application servers in different networks for instance, and routers in different networks again. Now what does this achieve?

Go back to the analogy of streets and houses. How would a city’s addressing look if it were just one large city with no bifurcation into streets, lanes, houses, offices etc.? I reckon the town planning authorities would have a tough time. A better analogy to me is a phone directory without any ordering. It’s then just a large book with lots and lots of data. How do you segregate it and make your job of finding a number easier? Well, you order the data alphabetically. That’s exactly what you do in the case of networks: you order the hosts/devices as per departments/buildings/locations. This makes administration a hell of a lot easier.

Bifurcating networks & hosts by resources or other relevant categorisations helps in:-

  • Restricting privileges.
  • Letting administrators deal with separate networks in separate ways depending on their criticality.
  • Saving IP address space.
  • Improving performance of the network by saving memory space and processing power.

We will go into the above reasons in detail as we proceed through our topics.

How do you identify if there is one network or many networks?

Now, this is simple. If an IP address has the default netmask, then there is 1 network.

All of my career in IT security, I have never had any client on a single network. I am sure most of the IT security professionals will agree with me.

Next we will look into subnetting (creating multiple networks), and I promise you that this is going to be challenging and interesting. The article on subnetting applies the above theory in practice.

IP Address Basics

Ever wondered how a computer manages to find another computer in a network? Well, there are many ways, but at the core of finding each other are unique addresses. Just like we humans find each other by name, computers too have a name. This name is called an ‘IP address’. Another name that is very important is the ‘MAC address’, which we will speak about later.

IP addresses are numbers that give a computing device (laptop, PC, server, mobile etc.) a presence in a network. Computers in a network identify each other by their IP addresses.

To start off, IP addressing follows standards, and the standards have versions. The most used version is IPv4. Currently the world is headed towards IPv6, but let’s keep ourselves around IPv4 at the moment, as IPv4 is here to stay almost forever. I don’t think IPv4 will be completely replaced, due to the sheer volume of devices on IPv4. There is just too much replacement to do.

IP addressing is like playing guitar: not very difficult to understand but difficult to master, or even to be good at. Needless to say, it requires practice to use IP addressing and its concepts in the practical world. However, that’s for another discussion.

Some properties of an IP address:-

  • IP stands for Internet Protocol and represents the protocol that the internet/networked devices use to find each other.
  • It is a 32-bit address (128-bit in IPv6) and is made up of 4 octets (32 bits divided into 4 octets of 8 bits each). This is best visualised in binary notation:
    11000000:10101000:00001010:00001010
    Octet1 : Octet2 : Octet3 : Octet4

8 bits (an octet) make up a byte. In other words, an IP address is 4 bytes.

Well, calm down champ.. getting to that in a moment.

Bits, or binary digits, are the smallest fraction of a message. Well, let’s face it, computers do not understand English or vocabulary in the general sense. Computers understand only binary, i.e. ‘0’ and ‘1’. Hence everything you type in English is converted to binary by the computer.

A bit is either a ‘0’ or a ‘1’, hence the name binary digit, or bit for short. 8 bits make a byte. 1024 bytes make a kilobyte, 1024*1024 bytes make a megabyte, and so on..

  • An IP address can be denoted in 3 forms:-
    Dotted decimal:-  192.168.10.10
    Binary:-          11000000:10101000:00001010:00001010
    Hexadecimal:-     0xC0:A8:0A:0A

  • IP addresses are divided into class ranges A, B, C, D & E. The first octet denotes the class.
    Class   Range
    A       1-126 (127 is a loopback address. Should not be used)
    B       128-191
    C       192-223
    D       224-239 (Used for multicast communication)
    E       240-255 (Used for experiment/research)

Hence, IP address 192.168.10.10 belongs to class C. 172.168.10.1 belongs to class B and so on.

As mentioned, a byte or octet is made up of 8 bits (bit is short for binary digit). Every bit in this byte has a ‘place value’ or ‘block size’. A bit can be turned ‘on’ or ‘off’, represented as ‘1’ and ‘0’ respectively.

Considering every bit to be on, the values are as under:

1 1 1 1 1 1 1 1
128 64 32 16 8 4 2 1

If all the bits are ‘on’, the total value is 255 (128+64+32+16+8+4+2+1).

If all the bits are ‘off’, the total value is 0.

Simply put, 0-255 is the range of values each octet can take. In other words, an IP address can have in every octet a minimum of 0 and a maximum of 255, represented as 0-255:0-255:0-255:0-255.

To make this sink in further, an IP address can be anywhere in the range 0.0.0.0 to 255.255.255.255. However, before you jump the gun, let me tell you that 0.0.0.0 represents all IPs on the local machine and 255.255.255.255 is the broadcast address. Neither of these addresses is used to address devices. More on these 2 addresses in a different blog post.

It would be a big mistake to think that everything can be explained in one article. I will not make that mistake, though I will tell you that this is it for starters. You will dig deeper into IP addresses in subnets, masks, CIDR etc., because that’s where the practical side of IP addressing starts. See you soon with more on IP addressing…

Try the following to get a good grip:-

  • Convert the following into dotted decimal notation:-

11110000:11001000:11111111:00001000
10101000:00001111:1110000:00011100
11000000:10100000:00110001:11111111

  • Convert the following to binary:-

192.168.10.1
12.132.112.10
172.168.10.32
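An added example (my own code, not from the original article) that does the conversions in the exercises above mechanically, using the place values 128, 64, 32, 16, 8, 4, 2, 1 from the bit table and the article’s colon-separated binary notation. It also covers the class table earlier on the page by looking up the class from the first octet. The binary-to-decimal side deliberately rejects any octet that is not exactly 8 bits, so a dropped or extra digit is caught rather than silently producing a wrong address; the function names are mine.

```python
# Added example, not part of the original article: octet place values,
# dotted-decimal <-> binary <-> hexadecimal conversion, and class lookup.
PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)  # weight of each bit, left to right


def octet_to_binary(value: int) -> str:
    """Turn 0..255 into an 8-character bit string by subtracting place values."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = []
    for weight in PLACE_VALUES:
        if value >= weight:      # this bit is 'on'
            bits.append("1")
            value -= weight
        else:                    # this bit is 'off'
            bits.append("0")
    return "".join(bits)


def is_valid_octet(bits: str) -> bool:
    """Exactly eight characters, each a 0 or a 1."""
    return len(bits) == 8 and set(bits) <= {"0", "1"}


def binary_to_octet(bits: str) -> int:
    """Reverse of octet_to_binary: add the place value of every 'on' bit."""
    if not is_valid_octet(bits):
        raise ValueError(f"not an 8-bit octet: {bits!r}")
    return sum(weight for weight, b in zip(PLACE_VALUES, bits) if b == "1")


def dotted_to_binary(ip: str) -> str:
    """192.168.10.10 -> 11000000:10101000:00001010:00001010 (article notation)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {ip}")
    return ":".join(octet_to_binary(int(o)) for o in octets)


def binary_to_dotted(binary: str) -> str:
    """11000000:10101000:00001010:00001010 -> 192.168.10.10."""
    octets = binary.split(":")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {binary}")
    return ".".join(str(binary_to_octet(o)) for o in octets)


def dotted_to_hex(ip: str) -> str:
    """192.168.10.10 -> 0xC0:A8:0A:0A, matching the article's hex form."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {ip}")
    return "0x" + ":".join(f"{int(o):02X}" for o in octets)


def address_class(ip: str) -> str:
    """Class letter from the first octet, using the ranges in the article's table."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    for letter, low, high in (("A", 1, 126), ("B", 128, 191), ("C", 192, 223),
                              ("D", 224, 239), ("E", 240, 255)):
        if low <= first <= high:
            return letter
    raise ValueError(f"first octet {first} is not in any class range")


if __name__ == "__main__":
    # constructed inputs: the exercise values from the article
    for b in ("11110000:11001000:11111111:00001000",
              "11000000:10100000:00110001:11111111"):
        print(b, "->", binary_to_dotted(b))
    for ip in ("192.168.10.1", "12.132.112.10", "172.168.10.32"):
        print(ip, "->", dotted_to_binary(ip), dotted_to_hex(ip), "class", address_class(ip))
```

Run it and compare against your own worked answers; if one of the binary inputs has an octet that is not eight digits long, binary_to_dotted raises a ValueError instead of guessing, which is the behaviour you want whenever addresses come from a config file rather than a textbook.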