Philiphine Cheptanui

I am a dedicated computer network specialist

A dedicated Network, Cybersecurity and Digital Forensics Specialist focused on designing secure, resilient infrastructures through advanced threat detection, zero-trust frameworks, and cloud security best practices. Passionate about safeguarding networks with firewalls, SIEM tools, and penetration testing while automating defenses for efficiency. Committed to staying ahead of evolving cyber threats and driving secure digital transformation in enterprise environments by leveraging technology to build secure systems and investigate digital threats.

  • 00100, Nairobi, Kenya.
  • +254 909-40575
  • koimaphilipine@gmail.com
  • https://compnetworksecurity.blogspot.com/

My Professional Skills

Building resilient networks and cloud defenses for the digital age.


Switching and Routing, VLANS, WPA3, VPN and Firewall 95%
IDPS, NAT, Vulnerability Assessment, SIEM and EDR 80%
Secure DevOps 65%
Wordpress 85%

Secure Network Infrastructure Solutions

Future-proof your connectivity with battle-tested architectures!
Design, configure, optimize, and deploy secure LAN/WAN/VPN networks. Secure your existing network infrastructure by troubleshooting your routers, switches and firewalls and hardening your wireless network infrastructure.

Cybersecurity Protection

Stay three steps ahead of threats!
Configure IDS/IPS and firewalls, perform vulnerability assessments and penetration tests, audit security compliance for risk mitigation, and plan incident response.

Cloud Network Security

Migrate fearlessly. Operate securely!
Secure cloud migration, implement zero-trust architecture, and deploy SIEM for real time threat monitoring.

Wordpress and System Security

Shield your digital presence.
Harden Wordpress sites and secure ERP deployments.

IoT and Smart Device Security Hardening

Securing the connected world – one device at a time!
Segment vulnerable devices, assess vulnerabilities, implement IoT-specific firewalls, secure wireless protocols and ensure compliance with IoT security frameworks.

Security Training and Consultation

Knowledge is the strongest firewall!
Offer training on cybersecurity best practices for teams, audit network security and provide actionable recommendations.

  • Security Vulnerabilities at the Network Layer (Layer 3) of the OSI Model

     

    Threats and Remediation Strategies

    Modern digital infrastructure depends heavily on reliable and secure communication between networks. At the center of this communication lies the network layer (Layer 3) of the OSI model, which is responsible for logical addressing, routing, and packet forwarding across interconnected systems. Despite its central role in enabling global connectivity, Layer 3 also introduces several security vulnerabilities that can be exploited by malicious actors. These vulnerabilities arise from weaknesses in routing protocols, inadequate authentication mechanisms, and the inherent trust-based design of many foundational networking technologies. This article critically examines the major security issues affecting the network layer, including IP spoofing, routing protocol manipulation, ICMP-based attacks, and route hijacking. It further explores practical remediation strategies that organizations can implement to enhance the resilience and security of Layer 3 network infrastructure.


    Introduction

    The Open Systems Interconnection Model provides a conceptual framework for understanding how different networking functions operate within layered architectures. Within this model, the network layer serves as the intermediary between local network communication and global network routing.

    At this layer, devices determine the most efficient path for data packets to travel across networks. The primary protocol governing this process is the Internet Protocol, which assigns logical addresses and enables packet routing across the internet and private networks.

    While these mechanisms make global communication possible, they were largely designed during a period when network security threats were minimal. As a result, many Layer 3 protocols rely heavily on implicit trust, creating vulnerabilities that modern attackers can exploit.

    Consequently, protecting the network layer has become a fundamental requirement for maintaining the confidentiality, integrity, and availability of organizational information systems.


    The Functional Role of Layer 3 in Network Architecture

    Layer 3 performs several critical functions within network infrastructure. These include:

    • Logical addressing and identification of devices

    • Packet routing between networks

    • Path selection and route determination

    • Packet fragmentation and reassembly

    • Traffic control between subnets and external networks

    The network layer relies on several supporting protocols. Among the most significant are Internet Control Message Protocol, which provides diagnostic and error reporting capabilities, and routing protocols such as Open Shortest Path First and Border Gateway Protocol, which allow routers to exchange information about network topology.

    Because these protocols govern the flow of traffic across networks, any compromise at this layer can have widespread implications for network performance and security.


    Major Security Vulnerabilities at the Network Layer

    1. IP Spoofing

    One of the most prevalent threats at Layer 3 is IP spoofing. This attack involves the falsification of packet source addresses in order to disguise the identity of the sender.

    In a typical spoofing attack, an adversary crafts packets that appear to originate from a trusted host. This manipulation enables attackers to bypass security controls, obscure the origin of malicious traffic, and conduct large-scale denial-of-service campaigns.

    The vulnerability exists because the Internet Protocol does not inherently verify the authenticity of the source address contained within packet headers. Routers generally forward packets based solely on destination information, allowing spoofed packets to propagate through networks without immediate detection.

    The consequences of IP spoofing may include unauthorized access to network resources, disruption of communication services, and the facilitation of distributed denial-of-service attacks.

    Remediation Strategies

    Mitigating IP spoofing requires strict traffic validation mechanisms. Organizations should implement ingress and egress filtering to ensure that packets entering or leaving the network contain legitimate source addresses. Additionally, access control lists configured on routers can prevent traffic originating from suspicious or invalid address ranges.

    Network monitoring tools should also be deployed to identify unusual traffic patterns indicative of spoofing activity.
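    The ingress/egress filtering described above can be expressed as a small decision procedure. The following is an added example written for this page, not code from the author's site: it models a site edge with a constructed assigned prefix (203.0.113.0/24) and a bogon list, and applies the two rules in turn: packets arriving from the internet may not carry an internal or bogon source address, and packets leaving the site must carry a source address the site actually owns. The packet records and interface names ("wan", "lan") are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes assigned to this site (constructed sample value for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never arrive on the internet-facing interface
# (unspecified, private, loopback, link-local, multicast): "bogon"/martian space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "wan" (internet-facing) or "lan"
    src: str
    dst: str

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(pkt):
    """Return (verdict, reason) for one packet under ingress/egress source validation."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress rule: nothing from outside may claim to be one of our own hosts.
        if _in_any(src, INTERNAL_PREFIXES):
            return ("drop", "ingress: external packet spoofing an internal source")
        if _in_any(src, BOGON_PREFIXES):
            return ("drop", "ingress: bogon source address")
        return ("permit", "ingress: plausible external source")
    if pkt.iface == "lan":
        # Egress rule: only our assigned addresses may leave the site as sources.
        if not _in_any(src, INTERNAL_PREFIXES):
            return ("drop", "egress: source not assigned to this site (spoofing from inside)")
        return ("permit", "egress: source belongs to this site")
    return ("drop", "unknown interface")

# Constructed sample traffic covering the normal and spoofed cases.
SAMPLE = [
    Packet("wan", "198.51.100.7", "203.0.113.10"),   # ordinary inbound packet
    Packet("wan", "203.0.113.5", "203.0.113.10"),    # outside packet claiming an inside source
    Packet("wan", "10.1.2.3", "203.0.113.10"),       # bogon source from the internet
    Packet("lan", "203.0.113.20", "198.51.100.7"),   # ordinary outbound packet
    Packet("lan", "192.0.2.99", "198.51.100.7"),     # inside host using a foreign source
]

def run(packets=SAMPLE):
    """Verdicts for a list of packets, in order."""
    return [filter_packet(p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.iface:3} {p.src:>14} -> {p.dst:<14}", *filter_packet(p))
```

    On a real router the same two rules are written as interface ACLs or, more conveniently, as unicast reverse-path forwarding checks; the logic above is what those features enforce.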


    2. Routing Protocol Manipulation

    Routing protocols are essential for determining how data packets traverse complex networks. However, these protocols can be exploited when authentication mechanisms are weak or absent.

    For instance, routing protocols such as Open Shortest Path First (OSPF) rely on the exchange of routing updates between neighboring routers. If an attacker gains access to the network, they may inject fraudulent routing information, thereby altering the topology perceived by other routers.

    Such manipulation may allow attackers to reroute traffic through malicious systems, conduct surveillance on sensitive communications, or disrupt connectivity across entire networks.

    Remediation Strategies

    To address this vulnerability, organizations should enable authentication mechanisms within routing protocols. Many modern implementations support cryptographic authentication to verify the legitimacy of routing updates.

    Restricting routing communications to trusted interfaces and implementing route filtering policies further reduces the risk of unauthorized route advertisements.

    Continuous monitoring of routing tables is also essential to detect anomalous changes that may signal an ongoing attack.
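    To make the "cryptographic authentication of routing updates" concrete, here is an added example (not the page's own code, and not the OSPF or BGP wire format) in which a router accepts a routing update only if it carries a valid HMAC-SHA256 tag under a key shared with that neighbour and a sequence number it has not seen before. The neighbour names, key material and route contents are constructed placeholders; real routers take the key from a configured key chain rather than from source code.

```python
import hmac
import hashlib
import json
import copy

# Per-neighbour shared secrets (constructed placeholders for this example).
NEIGHBOR_KEYS = {"router-b": b"placeholder-key-chain-secret"}

def _canonical(body):
    # Deterministic encoding so sender and receiver hash exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_update(sender, seq, routes, key):
    """Build a routing update whose body is covered by HMAC-SHA256 under the shared key."""
    body = {"sender": sender, "seq": seq, "routes": routes}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    """Accepts updates only from known neighbours with a valid tag and a fresh sequence number."""
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}     # neighbour -> highest sequence number accepted
        self.table = {}        # prefix -> next hop (the routing table being protected)

    def accept(self, update):
        body = update.get("body", {})
        key = self.keys.get(body.get("sender"))
        if key is None:
            return False, "unknown neighbour"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update.get("tag", "")):
            return False, "authentication failed (tampered or wrong key)"
        if body["seq"] <= self.last_seq.get(body["sender"], -1):
            return False, "replayed update"
        self.last_seq[body["sender"]] = body["seq"]
        for r in body["routes"]:
            self.table[r["prefix"]] = r["next_hop"]
        return True, "accepted"

def scenario():
    """Constructed exchange: a genuine update, a tampered copy, a replay, and an unknown sender."""
    key = NEIGHBOR_KEYS["router-b"]
    rx = Receiver(NEIGHBOR_KEYS)
    genuine = sign_update("router-b", 1, [{"prefix": "10.20.0.0/16", "next_hop": "10.0.0.2"}], key)
    tampered = copy.deepcopy(genuine)
    tampered["body"]["routes"][0]["next_hop"] = "10.0.0.66"   # next hop altered in transit
    unknown = sign_update("router-x", 1, [{"prefix": "0.0.0.0/0", "next_hop": "10.0.0.66"}],
                          b"some-other-key")                  # no adjacency configured
    results = [rx.accept(genuine), rx.accept(tampered), rx.accept(genuine), rx.accept(unknown)]
    return [ok for ok, _ in results], rx.table

if __name__ == "__main__":
    print(scenario())
```

    The sequence-number check matters as much as the tag: without it an attacker who captures a genuine, correctly signed update could replay it later to reinstate a stale route.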


    3. ICMP Exploitation

    The Internet Control Message Protocol plays a crucial role in network diagnostics. It enables devices to report errors, test connectivity, and provide information about network conditions.

    Despite its legitimate uses, ICMP can also be exploited for malicious purposes.

    Attackers frequently employ ICMP to perform network reconnaissance by conducting ping sweeps across IP address ranges. Such scanning allows adversaries to identify active hosts and map network structures prior to launching more targeted attacks.

    Additionally, ICMP flood attacks can overwhelm network devices by generating large volumes of diagnostic traffic, leading to service degradation or denial of service.

    Remediation Strategies

    Mitigation requires careful control of ICMP traffic. Network administrators should implement filtering policies that restrict unnecessary ICMP messages at network boundaries. Rate limiting mechanisms can also be used to prevent excessive diagnostic traffic from overwhelming routers and firewalls.

    Where appropriate, ICMP redirect messages should be disabled to prevent unauthorized modification of routing paths.
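    The two controls just named, rate limiting diagnostic traffic and refusing ICMP redirects, can be modelled with a token bucket. The following is an added example written for this page (not the author's code and not any vendor's implementation): it polices a constructed stream of ICMP messages, dropping redirects (type 5) outright, rate-limiting echo requests (type 8) to a configurable rate and burst, and letting other diagnostics such as destination unreachable (type 3) through. Timestamps and message types are constructed sample data.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens per second are added, at most `burst` are stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

ECHO_REQUEST, REDIRECT, DEST_UNREACHABLE = 8, 5, 3

def police_icmp(events, rate=10, burst=5):
    """events: iterable of (timestamp_seconds, icmp_type). Returns a count of each outcome."""
    bucket = TokenBucket(rate, burst)
    counts = {"echo_permitted": 0, "echo_dropped": 0,
              "redirect_dropped": 0, "other_permitted": 0}
    for ts, icmp_type in events:
        if icmp_type == REDIRECT:
            counts["redirect_dropped"] += 1          # never accept path changes from ICMP
        elif icmp_type == ECHO_REQUEST:
            counts["echo_permitted" if bucket.allow(ts) else "echo_dropped"] += 1
        else:
            counts["other_permitted"] += 1           # unreachable / time exceeded stay useful
    return counts

# Constructed sample: 50 echo requests 1 ms apart (flood-like), then one redirect and one unreachable.
SAMPLE = ([(i * 0.001, ECHO_REQUEST) for i in range(50)]
          + [(0.051, REDIRECT), (0.052, DEST_UNREACHABLE)])

if __name__ == "__main__":
    print(police_icmp(SAMPLE))
```

    With a burst of 5 and a refill rate of 10 per second, only the first five echo requests of the 50 ms burst get through; the counts returned by police_icmp make that visible and are what a monitoring system would export.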


    4. Route Hijacking

    Route hijacking represents one of the most significant global threats to internet stability. This attack occurs when a malicious actor advertises false routing information to redirect traffic through unauthorized networks.

    The vulnerability is closely associated with Border Gateway Protocol (BGP), which is responsible for exchanging routing information between autonomous systems on the internet.

    Because BGP was originally designed with limited security mechanisms, attackers can exploit it to announce fraudulent routes that divert traffic away from its intended destination.

    The consequences of such attacks may include large-scale traffic interception, data surveillance, and widespread service disruption.

    Remediation Strategies

    Preventing route hijacking requires cooperation among network operators and internet service providers. Techniques such as route filtering, prefix validation, and cryptographic route origin verification can significantly reduce the risk of fraudulent route advertisements.

    Monitoring systems should also be implemented to detect unusual routing announcements that deviate from expected network behavior.
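    "Prefix validation and cryptographic route origin verification" in practice means Route Origin Validation: comparing each BGP announcement against Route Origin Authorizations (ROAs) and classifying it as valid, invalid or not-found, as RFC 6811 defines those states. The block below is an added example written for this page, not the author's code: the ROAs, AS numbers (from the documentation range) and announcements are constructed, and the policy of dropping invalid announcements while alerting on them is one common choice, not the only one.

```python
import ipaddress

# Constructed Route Origin Authorizations: (prefix, max length, authorised origin AS).
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Route Origin Validation state per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True                       # at least one ROA covers this prefix
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def apply_policy(announcements, roas=ROAS):
    """Reject invalid announcements and raise an alert; accept valid and not-found
    (not-found is accepted because ROA coverage is still incomplete on the real internet)."""
    accepted, alerts = [], []
    for prefix, origin_as, peer in announcements:
        state = validate_origin(prefix, origin_as, roas)
        if state == "invalid":
            alerts.append(f"ROV invalid: {prefix} originated by AS{origin_as} via {peer}")
        else:
            accepted.append((prefix, origin_as, state))
    return accepted, alerts

# Constructed announcements as received from two peers.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500, "peer-1"),   # legitimate origin
    ("203.0.113.0/24", 64666, "peer-2"),   # same prefix, wrong origin AS
    ("203.0.113.0/25", 64500, "peer-2"),   # more specific than the ROA's max length allows
    ("198.51.100.0/23", 64501, "peer-1"),  # within max length of the covering ROA
    ("192.0.2.0/24", 64500, "peer-1"),     # no ROA covers it at all
]

if __name__ == "__main__":
    accepted, alerts = apply_policy(ANNOUNCEMENTS)
    print(accepted)
    print("\n".join(alerts))
```

    The max-length check is the part people forget: an announcement from the right origin AS is still invalid if it is more specific than the ROA permits, which is exactly how a more-specific hijack would otherwise win the best-path selection.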


    5. Fragmentation-Based Attacks

    The network layer supports packet fragmentation to ensure that large packets can traverse networks with smaller maximum transmission units. However, attackers may exploit this feature to evade detection mechanisms.

    By fragmenting malicious packets into smaller segments, adversaries may bypass firewalls or intrusion detection systems that inspect packets individually rather than reconstructing the complete message.

    Remediation Strategies

    Security devices should be configured to reassemble fragmented packets before performing deep packet inspection. Intrusion detection systems capable of identifying abnormal fragmentation patterns can further enhance protection against such attacks.
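    The difference between inspecting fragments one at a time and inspecting the reassembled datagram is easy to show. The block below is an added example written for this page, not the author's code and not any IDS engine's implementation: it uses a constructed, harmless signature string and a constructed payload split into three out-of-order fragments so that the signature never falls inside a single fragment, then reassembles by offset (byte offsets here; real IP fragment offsets count 8-byte units) and flags gaps and overlaps as abnormal fragmentation rather than silently inspecting them.

```python
import re

# Signature an inspection engine looks for (constructed, harmless stand-in for a real rule).
SIGNATURE = re.compile(rb"GET /admin/secret")

# Constructed fragments of one datagram payload as (byte offset, data), arriving out of order.
FRAGMENTS = [
    (15, b"et HTTP/1.1\r\n"),
    (0, b"GET /adm"),
    (8, b"in/secr"),
]

# The same payload with a second fragment overlapping the first: an abnormal pattern.
OVERLAPPING = [
    (0, b"GET /adm"),
    (4, b"/admin/secr"),
    (15, b"et HTTP/1.1\r\n"),
]

def inspect_each_fragment(frags):
    """Per-fragment inspection: the signature never fits inside any single fragment."""
    return any(SIGNATURE.search(data) for _, data in frags)

def reassemble(frags):
    """Order fragments by offset and rebuild the payload; refuse gaps and overlaps."""
    buf = bytearray()
    for off, data in sorted(frags):
        if off < len(buf):
            raise ValueError(f"overlapping fragment at offset {off}")
        if off > len(buf):
            raise ValueError(f"gap before offset {off}")
        buf += data
    return bytes(buf)

def inspect_reassembled(frags):
    """Reassemble first, then inspect: returns 'alert', 'clean' or 'anomalous'."""
    try:
        payload = reassemble(frags)
    except ValueError:
        return "anomalous"       # abnormal fragmentation is itself worth an alert
    return "alert" if SIGNATURE.search(payload) else "clean"

if __name__ == "__main__":
    print("per-fragment:", inspect_each_fragment(FRAGMENTS))
    print("reassembled: ", inspect_reassembled(FRAGMENTS))
    print("overlapping: ", inspect_reassembled(OVERLAPPING))
```

    A production engine also has to bound how long it buffers incomplete datagrams and how much memory it spends on them, since an unbounded reassembly buffer is its own denial-of-service target.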


    Strengthening Security at Layer 3

    Addressing network layer vulnerabilities requires a comprehensive security architecture that integrates multiple defensive mechanisms.

    Network segmentation using Virtual Local Area Network (VLAN) configurations can isolate sensitive systems and limit the lateral movement of attackers. This approach reduces the potential impact of compromised devices within the network.

    Additionally, strict access control policies should be implemented on routers and Layer 3 switches to regulate traffic between network segments.

    Secure routing practices, including cryptographic authentication and route validation, provide further protection against routing manipulation.

    Continuous network monitoring, supported by logging and anomaly detection systems, enables organizations to identify suspicious activity before it escalates into a significant security incident.

    Finally, regular security audits and configuration reviews ensure that network infrastructure remains aligned with evolving cybersecurity standards and threat landscapes.


    In summary...

    The network layer occupies a central position within the architecture of modern communication systems. It enables the seamless exchange of data across networks while supporting the scalability and interoperability that characterize the internet.

    However, the same mechanisms that facilitate connectivity also introduce significant security challenges. Protocols such as Internet Protocol, Internet Control Message Protocol, Open Shortest Path First, and Border Gateway Protocol remain vulnerable to exploitation when adequate safeguards are not implemented.

    Organizations that neglect Layer 3 security risk exposing their networks to traffic interception, routing manipulation, and large-scale service disruptions.

    By adopting robust security practices—including traffic filtering, routing authentication, network segmentation, and continuous monitoring—organizations can significantly enhance the resilience of their network infrastructure and safeguard the integrity of digital communication systems.

    Ultimately, securing the network layer is not merely a technical requirement; it is a strategic necessity in an increasingly interconnected and threat-prone digital environment.

  • Layer 2 Switch Hardening

     

    Why It Matters for Network Security

    Most organizations invest heavily in firewalls, endpoint protection, and perimeter security. However, a large number of network breaches originate inside the network itself, particularly at Layer 2.

    Access switches form the foundation of enterprise connectivity. If they are not properly hardened, attackers can exploit multiple Layer 2 vulnerabilities to intercept traffic, disrupt operations, or gain unauthorized access to sensitive systems.

    Understanding how to secure these devices is therefore a critical responsibility for network engineers and IT administrators.


    Why Layer 2 Security Is Often Overlooked

    Layer 2 networks are typically considered part of the “trusted internal environment.” This assumption can be dangerous.

    Technologies such as Address Resolution Protocol and Dynamic Host Configuration Protocol were originally designed for functionality rather than security. As a result, they can be manipulated by attackers when proper protections are not in place.

    If switches are deployed with default configurations, they often lack the controls required to detect or prevent malicious activity within the network.


    Major Risks of Unhardened Layer 2 Switches

    Failing to harden switches exposes networks to several high-impact threats.

    1. DHCP Spoofing Attacks

    Attackers can deploy a rogue DHCP server to distribute malicious network configurations to users.

    Once successful, the attacker can:

    • Redirect traffic through a malicious gateway

    • Launch man-in-the-middle attacks

    • Capture login credentials and sensitive data

    Without proper safeguards, devices may accept responses from unauthorized DHCP servers.


    2. ARP Spoofing and Traffic Interception

    Because Address Resolution Protocol does not authenticate responses, attackers can manipulate ARP tables and redirect traffic.

    This technique enables attackers to:

    • Intercept network traffic

    • Capture credentials

    • Modify data in transit

    In many internal networks, ARP spoofing remains one of the easiest attacks to execute.


    3. MAC Flooding Attacks

    Switches maintain a MAC address table to forward frames correctly.

    Attackers can overload this table by sending thousands of spoofed MAC addresses, forcing the switch to behave like a hub.

    This allows the attacker to capture network traffic from multiple devices.


    4. Unauthorized Network Access

    If switch ports are left open and unrestricted, unauthorized devices can easily connect to the network.

    This may allow attackers to introduce:

    • Rogue access points

    • Unauthorized servers

    • Network monitoring tools

    Once connected, attackers can begin reconnaissance and lateral movement.


    Essential Layer 2 Switch Hardening Techniques

    Proper switch hardening significantly reduces the attack surface of enterprise networks.

    Below are the most effective security controls.


    1. Enable DHCP Snooping

    DHCP Snooping is a critical protection against DHCP spoofing.

    It works by:

    • Identifying trusted DHCP server ports

    • Blocking DHCP responses from unauthorized ports

    • Maintaining a binding table of legitimate IP-MAC relationships

    Only designated ports are allowed to provide DHCP responses.


    2. Enable Dynamic ARP Inspection

    Dynamic ARP Inspection protects against ARP spoofing by validating ARP packets against trusted DHCP snooping data.

    Invalid ARP responses are dropped automatically.

    This prevents attackers from manipulating ARP tables to intercept traffic.


    3. Implement Port Security

    Port security restricts which devices can connect to switch interfaces.

    Best practices include:

    • Limiting the number of MAC addresses per port

    • Binding specific MAC addresses to trusted devices

    • Automatically shutting down ports when violations occur

    This control prevents unauthorized devices from joining the network.


    4. Disable Unused Ports

    Unused switch ports should always be disabled.

    Leaving ports active increases the risk that an attacker can simply plug into the network.

    Unused ports should be:

    • administratively shut down

    • assigned to an unused VLAN


    5. Implement Network Segmentation

    Using Virtual Local Area Network segmentation helps isolate sensitive systems and reduce lateral movement.

    Critical infrastructure such as servers, management systems, and user networks should be separated.

    Segmentation limits the damage caused by a compromised device.


    6. Use Secure Management Protocols

    Switch management should never rely on insecure protocols.

    Administrators should avoid:

    • Telnet

    • HTTP management

    Instead, use secure alternatives such as:

    • Secure Shell

    • Simple Network Management Protocol

    These protocols protect management traffic from interception.


    7. Implement Access Control Lists

    Access control lists help control which systems can communicate with network infrastructure.

    Management interfaces should only be accessible from trusted administrative networks.


    The Cost of Ignoring Switch Hardening

    Organizations that neglect Layer 2 security often face consequences such as:

    • Internal network breaches

    • Credential theft

    • Business disruption

    • Regulatory compliance violations

    In many cases, attackers exploit simple misconfigurations rather than advanced vulnerabilities.


    Building a Secure Layer 2 Infrastructure

    Switch hardening is not a one-time configuration task. It requires ongoing monitoring, auditing, and updates to address emerging threats.

    A strong Layer 2 security strategy should include:

    • hardened switch configurations

    • network segmentation

    • monitoring and intrusion detection

    • regular security assessments

    By securing the foundation of the network, organizations can significantly reduce their exposure to internal attacks.


    ✔ Secure internal network traffic
    ✔ Prevent rogue devices and spoofing attacks
    ✔ Protect sensitive business data

    Layer 2 security may not always receive the same attention as perimeter defenses, but it remains one of the most critical components of a resilient network infrastructure. 

    For Switch Hardening services, comment "Secure". 



  • DHCP Spoofing: A Hidden Network Security Threat and How to Stop It

     Modern organizations rely heavily on automated network services to simplify connectivity. One of the most essential services is Dynamic Host Configuration Protocol (DHCP), which automatically assigns IP addresses and network configurations to devices.

    While DHCP improves efficiency and reduces manual configuration, it also introduces a serious security risk known as DHCP spoofing.

    For organizations that depend on secure networks, understanding and mitigating this threat is critical.


    What Is DHCP Spoofing?

    DHCP spoofing occurs when a malicious device impersonates a legitimate DHCP server within a network.

    Instead of receiving IP configuration from the real server, devices unknowingly accept network settings from the attacker’s rogue server.

    Once this happens, the attacker can manipulate network traffic and gain unauthorized visibility into communications.


    How DHCP Spoofing Attacks Work

    A typical attack follows these steps:

    1. A rogue device connects to the internal network.

    2. The attacker runs a fake DHCP service.

    3. When users connect, their devices send DHCP requests.

    4. The rogue server responds faster than the legitimate server.

    5. Victims receive malicious network configuration.

    This allows the attacker to:

    • Redirect traffic through a malicious gateway

    • Launch man-in-the-middle attacks

    • Capture login credentials and sensitive data

    • Disrupt network connectivity

    In many environments, this attack can occur silently without immediate detection.


    Signs Your Network May Be Under DHCP Spoofing Attack

    Network administrators should watch for several warning signs:

    • Users experiencing unexpected network outages

    • Multiple devices receiving incorrect IP address ranges

    • Suspicious gateway or DNS server addresses

    • Unrecognized DHCP servers appearing in network logs

    If these symptoms appear, a rogue DHCP server may already be active.


    How to Prevent DHCP Spoofing

    Effective protection requires a combination of network configuration, monitoring, and security policies.

    1. Enable DHCP Snooping

    One of the most effective defenses is DHCP Snooping.

    This security feature, available on managed switches:

    • Identifies trusted DHCP servers

    • Blocks DHCP responses from unauthorized devices

    • Maintains a database of valid IP–MAC bindings

    Only designated ports are allowed to send DHCP server responses.
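    The DHCP snooping behaviour described here, and the Dynamic ARP Inspection built on top of its binding table in the Layer 2 hardening post above, can be modelled together. The following is an added example written for this page, not the author's code and not a vendor implementation: a simplified switch that forwards DHCP server messages (OFFER/ACK) only from trusted ports, records an IP-to-MAC-to-port binding from each ACK it relays, and then drops ARP replies on untrusted ports whose sender IP, MAC and port do not match a binding. Port names, MAC addresses and the 10.0.0.0/24 addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    """Access switch with DHCP snooping and Dynamic ARP Inspection enabled (simplified model)."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # ip -> (mac, port), learned from relayed ACKs
    pending: dict = field(default_factory=dict)    # client mac -> port, from DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def on_dhcp(self, port, msg_type, client_mac, yiaddr=None):
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port            # remember which port the client is on
            return True
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted_ports:         # server messages only from trusted ports
                self.log.append(f"DHCP snooping: dropped {msg_type} from untrusted {port}")
                return False
            if msg_type == "ACK" and client_mac in self.pending:
                self.bindings[yiaddr] = (client_mac, self.pending[client_mac])
            return True
        return False

    def on_arp(self, port, sender_ip, sender_mac):
        """DAI: on untrusted ports the (IP, MAC, port) triple must match a snooping binding."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"DAI: dropped ARP '{sender_ip} is-at {sender_mac}' on {port}")
            return False
        return True

def scenario():
    """Constructed sequence: a client obtains a lease while a rogue server and rogue ARP are dropped."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})    # uplink towards the real DHCP server
    client, rogue = "aa:bb:cc:00:00:05", "de:ad:be:ef:00:09"
    results = [
        sw.on_dhcp("Gi1/0/5", "DISCOVER", client),
        sw.on_dhcp("Gi1/0/9", "OFFER", client, "10.0.0.50"),   # rogue server answers first: dropped
        sw.on_dhcp("Gi1/0/1", "OFFER", client, "10.0.0.50"),   # real server's offer: forwarded
        sw.on_dhcp("Gi1/0/5", "REQUEST", client),
        sw.on_dhcp("Gi1/0/1", "ACK", client, "10.0.0.50"),     # binding 10.0.0.50 -> client on Gi1/0/5
        sw.on_arp("Gi1/0/5", "10.0.0.50", client),             # genuine ARP reply: allowed
        sw.on_arp("Gi1/0/9", "10.0.0.1", rogue),               # rogue claims the gateway address
        sw.on_arp("Gi1/0/9", "10.0.0.50", rogue),              # rogue claims the client's address
    ]
    return results, sw.bindings, sw.log

if __name__ == "__main__":
    results, bindings, log = scenario()
    print(results, bindings, *log, sep="\n")
```

    Note the dependency order: DAI only works for hosts whose lease the switch has seen, so statically addressed hosts (printers, servers) need static entries in the binding table or a trusted port, otherwise their legitimate ARP traffic is dropped too.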


    2. Use Network Segmentation

    Segmenting networks using VLANs limits the ability of attackers to spread rogue services across the entire infrastructure.

    This also helps isolate compromised devices.


    3. Implement Port Security

    Port security restricts which devices can connect to switch ports.

    Common strategies include:

    • Limiting the number of MAC addresses per port

    • Binding known MAC addresses to specific ports

    This prevents unauthorized devices from introducing rogue services.
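    Port security as described here and in the Layer 2 hardening post above (MAC limit per port, sticky binding, violation action) is straightforward to model, and the model also shows why it defeats the MAC flooding attack from that post. The block below is an added example written for this page, not the author's code and not any switch vendor's implementation; the port names and MAC addresses are constructed, and the two violation modes follow the common "shutdown" (err-disable the port) and "restrict" (drop and count) semantics.

```python
class PortSecurity:
    """Per-port MAC limit with sticky learning and a configurable violation action."""
    def __init__(self, max_macs=1, violation="shutdown"):
        self.max_macs = max_macs
        self.violation = violation        # "shutdown" (err-disable) or "restrict" (drop + count)
        self.learned = {}                 # port -> set of sticky MAC addresses
        self.err_disabled = set()
        self.violations = {}              # port -> violation count

    def frame_from(self, port, mac):
        """Decide what happens to a frame with source `mac` arriving on `port`."""
        if port in self.err_disabled:
            return "drop(err-disabled)"
        macs = self.learned.setdefault(port, set())
        if mac in macs:
            return "forward"
        if len(macs) < self.max_macs:
            macs.add(mac)                 # sticky: this MAC is now bound to the port
            return "forward(learned)"
        self.violations[port] = self.violations.get(port, 0) + 1
        if self.violation == "shutdown":
            self.err_disabled.add(port)
            return "err-disable"
        return "drop(restrict)"

    def admin_recover(self, port):
        """Operator re-enables an err-disabled port after investigating."""
        self.err_disabled.discard(port)

def scenario():
    """Constructed cases: a second device on a desk port, and a MAC flood against a restrict-mode port."""
    desk = PortSecurity(max_macs=1, violation="shutdown")
    desk_out = [
        desk.frame_from("Gi1/0/5", "aa:bb:cc:00:00:05"),   # legitimate desktop is learned
        desk.frame_from("Gi1/0/5", "aa:bb:cc:00:00:05"),
        desk.frame_from("Gi1/0/5", "de:ad:be:ef:00:99"),   # second device on the same port
        desk.frame_from("Gi1/0/5", "aa:bb:cc:00:00:05"),   # port is down until an admin recovers it
    ]
    # Flood of 1000 distinct source MACs: the CAM table never sees more than max_macs of them.
    flood = PortSecurity(max_macs=2, violation="restrict")
    for i in range(1000):
        flood.frame_from("Gi1/0/6", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    return desk_out, len(flood.learned["Gi1/0/6"]), flood.violations["Gi1/0/6"]

if __name__ == "__main__":
    print(scenario())
```

    The violation counter is the detection hook: a port that accumulates hundreds of violations in seconds is either a flood or a badly placed unmanaged switch, and either way deserves a look.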


    4. Deploy Network Access Control

    Using Network Access Control (NAC) ensures that only authenticated devices can join the network and receive IP configuration.

    Unauthorized devices are automatically blocked.


    5. Continuous Network Monitoring

    Security monitoring tools and intrusion detection systems can identify abnormal DHCP behavior early.

    Early detection significantly reduces the risk of data interception.


    Why Businesses Should Take DHCP Security Seriously

    Many cybersecurity strategies focus on perimeter defense, but internal network threats are often overlooked.

    A successful DHCP spoofing attack can lead to:

    • Credential theft

    • Data interception

    • Network disruption

    • Regulatory compliance violations

    For organizations that rely on digital operations, these risks can translate into financial and reputational damage.


    Strengthening Your Network Security

    Protecting your network requires more than installing security tools. It demands proper configuration, monitoring, and ongoing security assessment.

    Organizations that proactively secure their DHCP infrastructure significantly reduce their exposure to internal attacks.

    If your organization wants to strengthen its network security posture, conducting a professional network security assessment is the first step.


    ✔ Secure your infrastructure
    ✔ Detect hidden vulnerabilities
    ✔ Protect critical business data


    Need help securing your network?
    Professional network security assessments and infrastructure hardening services can help identify risks such as DHCP spoofing before attackers exploit them.


  • When Security Tools Return “Nothing”: Understanding DIRB Scan Results

     A Cybersecurity Learning Moment

    While learning web security assessment techniques, I performed a directory enumeration scan using DIRB, a commonly used tool for discovering hidden web content. At first glance, the scan appeared uneventful—no directories or files were found.

    However, the real learning moment came from understanding why.


    The Test Scenario

    The scan was executed against a fictional domain for learning purposes:

    dirb http://example-corp.test

    DIRB uses a predefined wordlist to request thousands of common directory and file names from a web server and then analyzes the server’s HTTP responses to determine whether those resources exist.


    Scan Output (Visual Representation)


    -----------------
    DIRB v2.22
    By The Dark Raver
    -----------------

    START_TIME: Thu Jan 29 13:41:39 2026
    URL_BASE: http://example-corp.test/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

    -----------------

    GENERATED WORDS: 4612

    ---- Scanning URL: http://example-corp.test/ ----
    (!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
        (Try using FineTunning: '-f')

    -----------------
    END_TIME: Thu Jan 29 13:41:40 2026
    DOWNLOADED: 0 - FOUND: 0

    What Does This Actually Mean?

    At the core of this output is the warning:

    “NOT_FOUND[] not stable, unable to determine correct URLs {30X}”

    DIRB expects a consistent “Not Found” response (usually HTTP 404) when it requests a non-existent page. This helps the tool distinguish between real and fake paths.

    In this case, the server responded with 30X redirect codes (such as 301 or 302) for both valid and invalid URLs.

    As a result:

    • DIRB could not reliably identify which paths truly existed

    • Any potential findings risked being false positives

    • The tool correctly reported zero confirmed results

    This is not a failure of the tool—it’s a limitation imposed by server-side behavior.
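    The check DIRB performs before it trusts any result can be reproduced in a few lines, which makes the warning easier to reason about. The following is an added example written for this page, not DIRB's code: it requests a handful of random, almost certainly non-existent paths and classifies the baseline as stable (consistent 404) or unstable (redirects or mixed codes for everything). No network traffic is sent; the two `fetch` functions are constructed stand-ins for a redirect-everything server and a plain static server, and a real `fetch` would wrap an HTTP client with redirects disabled.

```python
import random
from collections import Counter

def baseline_stability(fetch, base_url, probes=5, seed=1):
    """Probe random absent paths and classify the server's 'not found' baseline.
    fetch(url) -> HTTP status code for that URL, without following redirects."""
    rng = random.Random(seed)
    codes = []
    for _ in range(probes):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12))
        codes.append(fetch(f"{base_url.rstrip('/')}/{name}"))
    counts = dict(Counter(codes))
    if len(counts) > 1:
        return {"stable": False, "reason": "inconsistent codes for absent paths", "codes": counts}
    code = codes[0]
    if code == 404:
        return {"stable": True, "reason": "consistent 404 for absent paths", "codes": counts}
    if 300 <= code < 400:
        return {"stable": False, "codes": counts,
                "reason": f"redirect ({code}) for every path: hits and misses are indistinguishable"}
    return {"stable": False, "reason": f"non-404 baseline ({code})", "codes": counts}

def interpret(result, found):
    """Put a scanner's FOUND count in the context of its baseline."""
    if result["stable"]:
        return f"FOUND: {found} is meaningful"
    return f"FOUND: {found} is inconclusive: {result['reason']}"

# Constructed responders standing in for two server configurations (offline, no requests are made).
def redirect_everything(url):
    return 302                      # every path, existing or not, redirects to a landing page

def plain_static_server(url):
    return 200 if url.endswith("/index.html") else 404

if __name__ == "__main__":
    for name, fetch in (("redirect-everything", redirect_everything), ("static", plain_static_server)):
        result = baseline_stability(fetch, "http://example-corp.test/")
        print(name, result, interpret(result, 0), sep="\n  ")
```

    On the defending side the same logic is a useful self-check: if your own site answers every unknown path with a redirect, enumeration tools will report nothing, but that is not the same as nothing being there, and a reviewer should still inspect what the redirect target and its assets expose.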


    Why Servers Behave This Way

    Redirect-heavy configurations are often used to:

    • Force traffic to a single landing page

    • Enforce HTTPS or canonical domains

    • Reduce information leakage

    • Improve security posture against reconnaissance

    From a defensive security perspective, this behavior can intentionally or unintentionally hinder automated enumeration tools.


    Key Cybersecurity Takeaways

    • 🛠️ Security tools rely heavily on predictable system behavior

    • 🔍 “No results” does not always mean “no risk”

    • 🧠 Interpretation matters more than raw output

    • 🛡️ Server configuration plays a major role in exposure and visibility

      




    Final Thought

    In cybersecurity, understanding tool limitations is just as important as knowing how to run them. Effective security analysis comes from combining technical results with context, reasoning, and awareness of how systems are designed to respond.

    Sometimes, the most valuable insight is hidden in a warning message.

  • Five Types of HTTP Headers

     

    Figure 1: HTTP Headers

    HTTP Headers

    Problem Statement - Understand how HTTP headers pass information between the client and the server.

    Approach: Discussion

    Tools - Basic understanding of HTTP communication and cURL

    Introduction

    HTTP headers pass information between client and server. While some headers are used by both requests and responses, some are only used by either requests or responses. These headers can have one or more values appended after the header name and separated by a colon. There are five types of headers. 

    Discussion

    General headers are used by both HTTP requests and responses. They describe the message itself rather than its contents. One example is the date header (date: Wed, 16 Feb 2025 10:30:44 GMT), which gives the date and time, with its time zone, at which the message originated. Another is the connection header (Connection: close), which dictates whether the current network connection should stay open after the request finishes; its usual values are close and keep-alive.

    Entity headers are common to requests and responses and describe the content transferred by the message. They include content-type (text/html), media-type (e.g. application/pdf), a boundary that acts as a marker separating parts of the content, content-length (385), and content-encoding (gzip).

    Request headers are used exclusively in requests and do not relate to the content of the message. They include host (www.nnnn.co.ke), which specifies the host being queried; user-agent (curl/7.77.0), which describes the client requesting resources; referer (https://www.nnnn.co.ke), which points to where the current request is coming from; accept (*/*), which describes the media types the client can understand; and cookie, which carries cookie pairs in name=value form. A request may also carry an authorization header (basic ...) that the server uses to identify the client.

    Response headers are used in HTTP responses and do not relate to the content of the message. Common response headers include location, age, server, set-cookie (cookies needed for client identification), and www-authenticate, which tells the client which type of authentication is required to access the requested resource.

    Security headers are a type of response header used to specify the rules and policies the browser must follow while accessing the website. They include content-security-policy, strict-transport-security and referrer-policy.



    Philiphine Cheptanui, CyberSec


  • HTTP Requests and Responses

      

    HTTP Requests and Responses

    Problem Statement - Explore HTTP Communication to decipher the structure and the meaning of HTTP communication.

    Approach - Explanation of HTTP 

    Tools used - cURL, Basic understanding of web communication

    Introduction

    An HTTP request is made by a client such as cURL or a browser and processed by the server, which then sends an HTTP response containing the response code and, usually, the requested resource. An HTTP request starts with three main parts: the HTTP method (e.g. GET), which specifies the type of action to perform; the path to the resource being accessed; and the version of HTTP in use. See Figure 1.

    Figure 1: HTTP Request
    An HTTP response has two main fields plus further details. The two main fields are the HTTP version and the response code, e.g. 200 OK. The response code indicates the status of the request. See Figure 2.
    Figure 2: HTTP Response
    To preview the full HTTP request and response, use cURL. This is useful for writing exploits and penetration tests. To do this, issue curl www.naconek.ke -v, where the -v flag prints both the request and the response. The output can be made more detailed with -vvv. See Figure 3 below.
    Figure 3: Full HTTP Request and Response in cURL
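    As an added example (not code from the original post), this Python script builds a raw request with the three parts described above (method, path, HTTP version) plus request headers, sends it over a socket to a tiny stand-in server started on the loopback interface, and prints the exchange with the same > and < markers cURL uses in -v output. The stand-in server and its reply are constructed for this example; it assumes loopback networking is available.

```python
# Added example: send a raw HTTP request to a constructed stand-in server and show the exchange as curl -v does.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StandInHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"<html>hello</html>"
        self.send_response(200)  # status line: HTTP/1.1 200 OK
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def start_server():
    """Start the stand-in server on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def build_request(host, path="/", method="GET"):
    """Request line (method, path, version) followed by request headers."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}",
             "User-Agent: curl/7.77.0", "Accept: */*", "Connection: close"]
    return "\r\n".join(lines) + "\r\n\r\n"

def exchange(host, port, path="/"):
    """Send the raw request over a socket; return the raw reply and its parsed status line."""
    raw_request = build_request(f"{host}:{port}", path)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(raw_request.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):  # Connection: close makes the server end the stream
            chunks.append(data)
    raw_response = b"".join(chunks).decode("iso-8859-1")
    version, code, reason = raw_response.split("\r\n", 1)[0].split(" ", 2)
    return {"request": raw_request, "response": raw_response,
            "version": version, "status": int(code), "reason": reason}

if __name__ == "__main__":
    srv = start_server()
    result = exchange("127.0.0.1", srv.server_port)
    print("> " + result["request"].replace("\r\n", "\n> "))  # '>' marks sent lines, as in curl -v
    print("< " + result["response"].replace("\r\n", "\n< "))  # '<' marks received lines
    srv.shutdown()
```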

    Using DevTools to Monitor HTTP Communication
    Browser developer tools are mainly used by developers to test web applications, and they are critical tools for penetration testers. In this section, I explored how DevTools can be used to assess and monitor different types of web requests. When one visits a web application, the browser sends several requests and receives several HTTP responses in order to render the final output for the user. DevTools shows the status of each request and response at a glance. In Firefox, press CTRL+SHIFT+I or F12 to display DevTools. See Figure 4.
    Figure 4: DevTools and HTTP Communication

    This activity demonstrates the usefulness of DevTools in monitoring HTTP communication. Using the Network tab, DevTools gives more insight into the processes happening behind the scenes when a client requests a resource from the server.

    Philiphine Cheptanui, CyberSec.

  • Understanding Web Requests (HTTP and HTTPs Fundamentals)

    Problem Statement - Understand the underlying mechanism of web communication

    Approach - Explanation of URL components, HTTP vs. HTTPS, client-server model, and DNS resolution flow.

    Tools Used - Web browser, cURL and conceptual understanding of DNS servers.

    Introduction

    Understanding web requests is critical for any cybersecurity enthusiast, because it explains how web applications work. The first focus is on the HyperText Transfer Protocol (HTTP). HTTP is an application layer protocol used to access World Wide Web resources. Hypertext refers to text that contains links to other resources and that a reader can understand. Since HTTP communication is client-server, the client requests resources from the server, which processes the request and returns the requested resources. The default port for HTTP is port 80 and that of HTTPS is port 443. To access a web resource, the user enters a fully qualified domain name as part of a Uniform Resource Locator (URL) to reach the desired website. A URL has several components: the scheme, which names the protocol being used; user information, which contains the client's credentials; the host, which holds the requested resources; a port, which defines how to reach the server; a path, which points to the location of the requested resource; a query string, which consists of parameters and values; and the fragment (See Figure 1). Not all of these components are required to access web resources; however, the scheme and host are essential.



    Figure 1: Components of a URL
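    As an added example (not code from the original post), the following Python script breaks a URL into the components listed above, fills in the scheme's default port and root path when they are omitted, rejects a URL that lacks the two essential components (scheme and host), and reduces a URL to a form safe to write to logs, since user information and query values often carry credentials. The sample URLs and the safe_for_logging helper are constructed for this example.

```python
# Added example: split a URL into the components named in the post and show
# which of them are required. Sample URLs are constructed for this example.
from urllib.parse import parse_qsl, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_components(url):
    """Return the scheme, user info, host, port, path, query and fragment of a URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("scheme and host are required to reach a resource")
    user_info = None
    if parts.username is not None:
        user_info = parts.username + (":" + parts.password if parts.password else "")
    return {
        "scheme": parts.scheme,
        "user_info": user_info,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),  # fall back to the scheme's default
        "path": parts.path or "/",                                # an empty path means the root
        "query": dict(parse_qsl(parts.query)),                    # name=value parameters
        "fragment": parts.fragment or None,
    }


def safe_for_logging(url):
    """Keep only scheme, host, port and path so credentials and query values never reach a log."""
    c = url_components(url)
    port = "" if c["port"] == DEFAULT_PORTS.get(c["scheme"]) else f":{c['port']}"
    return f"{c['scheme']}://{c['host']}{port}{c['path']}"


if __name__ == "__main__":
    full = "https://admin:s3cret@www.example.com:8443/login.php?user=test&lang=en#top"
    for name, value in url_components(full).items():
        print(f"{name:>10}: {value}")
    print(safe_for_logging(full))
    print(url_components("http://www.example.com"))  # only scheme and host given
```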

    Activity and Lessons Learned

    I explored a typical HTTP flow and learned that it involves two main processes. The first process happens when the client enters the domain name in the browser. The browser contacts its preferred DNS server to resolve the domain name to an IP address. In this process, the browser first checks its local cache to see whether it has looked up the address recently. If not, the browser forwards the request to the recursive DNS server, which also checks its local cache. If it has the address, the recursive DNS server relays the IP address to the client and the request ends. If not, the recursive DNS server forwards the request to the Internet's root DNS servers, which determine the correct Top-Level Domain (TLD) server to process the address. The TLD server then forwards the request to the authoritative server, which processes the address and returns the IP address. The TLD and recursive DNS servers save the address in their local caches and relay it to the browser.

    The second process happens once the browser has received the IP address of the desired domain name. The client sends an HTTP GET request to port 80 asking for the root path. The server receives the request, processes it and returns the resource with a 200 OK response. The web browser then renders it and outputs it to the user (See Figure 2).

    Figure 2: HTTP Flow

    Client URL (cURL)

    Client URL (cURL) is a command-line tool used to send various types of web requests from the command line. When returning responses, cURL does not render them but presents them in raw format. cURL uses various flags for various purposes, as seen in Figure 3.

    Figure 3: cURL Flags
    To demonstrate that cURL can be used to send requests to a server and receive responses, I issued the command $curl 94.237.54.54:42524/download.php on the command line. The server responded with the resource, i.e. the requested flag. See Figure 4.
    Figure 4: Requested Flag

    Note: In HTTP, data is transferred in clear-text, giving room for Man-in-the-middle (MiTM) Attacks.

    HyperText Transfer Protocol Secure (HTTPS)

    HTTPS is a more secure protocol, used to counter the risks associated with transferring data in clear text in HTTP. In this protocol, all communication is transmitted in encrypted form, making it difficult for a third party to extract and read the data. When HTTP transfers data, the data is in plain text and anyone can easily read it. With HTTPS, the data is encrypted and transferred as Application Data, a single encrypted stream, making it difficult for a malicious actor to capture information such as credentials (See Figure 5). HTTPS websites are identified by the https:// scheme.

    Figure 5: HTTPS Overview

    Note: While HTTPS transfers data in an encrypted form, the request may still reveal the visited URL if it contacts a clear-text DNS server. Thus, it is safer to use encrypted DNS servers such as 8.8.8.8 or 1.1.1.1, or to use a VPN service to ensure all traffic is encrypted.

    HTTPS Flow

    When a client types http:// to visit an https:// site, the browser first resolves the domain. The request is then sent to the web server hosting the target website through port 80, i.e. as unencrypted HTTP. The server detects this and redirects the client to the secure port 443; this redirect is achieved with the 301 Moved Permanently response code. Upon receipt of the server response, the client sends a client hello packet to introduce itself, and the server responds with a server hello message. This is followed by a key exchange in which the server sends its SSL certificate; the client verifies the certificate and sends its own certificate. The client then initiates an encrypted handshake to confirm that encryption and transfer are working correctly. After the handshake completes successfully, normal HTTPS communication begins. See Figure 6 for details.


    Figure 6: HTTPS Flow
    Just like HTTP, cURL handles HTTPS communication: it performs the secure handshake and encrypts and decrypts data automatically. However, if the website has an invalid or outdated SSL certificate, cURL will not proceed with the communication, to protect against MiTM attacks. The certificate check can be bypassed with the -k flag. See Figure 7.
    Figure 7: cURL for HTTPS

    This activity is a comprehensive exploration of web requests, fundamental for cybersecurity. It elucidates the client-server communication model of HTTP and HTTPS, detailing URL components and the crucial DNS resolution process. The security implications of clear-text HTTP versus encrypted HTTPS are highlighted, along with the functionality of cURL for command-line interactions.