Author Archives: Felix

Conference Talk London 2018 | How to attack computers at cafes

Earlier this year, I was honoured to speak at the Security B-Sides London 2018 conference on the Rookie track. I presented the research I completed for my Master’s degree in the use of unencrypted WiFi networks by business users. They recorded all the sessions and the recording is now available on YouTube.

My work builds on top of known attacks and existing software. It attempts to establish whether or not it is possible to extract NetNTLM hashes from computers connected to unencrypted WiFi networks.

If you want the full presentation document click on the link: Slide Deck “How to: Actually attack computers at cafes”


Transcript of my presentation | How to attack computers at cafes

This transcript has been tidied up a bit from the original speech because it doesn’t read brilliantly, but the message is the same.

Who am I?

Hi Everyone, I’m Felix and I’m a pen tester. I’ve been doing this for a while now and breaking into stuff for longer.

Why this research?

Today I am here to talk to you about some work that I did for my Masters dissertation. I was told to go away, find a project and do some research. At the same time I had a client that basically refused to take my word for it. They told me that they had lots of staff that spent a lot of time in airports and hotels and used free WiFi without a VPN or other protection. Essentially they had all their traffic going across the Internet without extra protection and this worried me.

The client turned round to me when I was telling him about the problem and stopped me saying “Can you prove it? Can you show me this? Because if you can’t I’m probably not going to do anything about it.” I had a look around but I couldn’t find a tool where the output would be something the business would care about. So I started out writing one myself.

Open WiFi MitM Condition

The work I am about to show you is based on a Man-in-the-Middle (MitM) attack. As a recap for those who may or may not know it: MitM conditions are essentially where you have some attacker controlled infrastructure where the attacker can do something to the communication between legitimate users and servers.

What can you do with MitM conditions?

These include reading the communication, modifying the communication and blocking the communication.

What I set out to do

I decided I was going to make my own Wi-Fi access point and make it steal user creds by being a MitM. I was hoping to then turn round to my client and give that demonstration so they would do something about their issue. At the time, I thought it would be easy, you know, why would it be hard, it’s open WiFi right?

Turns out encryption is a thing…

It turns out encryption is a thing… Obviously I already knew this, but it can be done at lots of different places in a communication. These days there’s not that much in terms of plain text creds going around the world. It’s usually encrypted somewhere and so that proved very quickly to me that I needed to do something a bit different.

The idea

The idea was to go from a normal transaction to a little bit more like this diagram. I already had a bit of a plan based on some other work that I’ve seen and I know is quite prevalent. Essentially the attacker does stuff down at the bottom of this diagram. The section in pink is the bit where the attacker can take action.

What I actually did

I took a WiFi Pineapple and I set up a wireless network. I thought I was pretty obvious with the name that I used – “DANGER ZONE – DO NOT USE” – so that no one would connect to it. But people did anyway. I had a 4G modem, my WiFi Pineapple, and a battery. I wanted to prove to my clients that it was portable and you could do the attack anywhere.

Developed a tool

I took someone else’s code, frankly because it was easy and it already worked, and then I added stuff to it. My development process, over quite a long time, was where I would build a bit and it would work a bit and then I would find a bug. This quickly made me want to tear my hair out. I’d regularly leave the project and come back to it later – the hallmark of a good software development lifecycle obviously…

Fundamentally the tool is a transparent HTTP proxy which is sat on top of the SMB capture stack from Responder. Importantly, the proxy injects an HTML image tag. Because I knew I couldn’t get plaintext creds I aimed at getting a NetNTLM hash instead for later cracking. I called the tool ETAC: Evil Twin Authentication Capture.

Windows auth

One of the things you can do with Windows Auth is use programs like Internet Explorer to perform authentication. I was convinced that it was really important for me to make sure that my research worked against as stock a Windows as possible. I’ve seen lots of presentations of a similar nature that require the Operating System to be tweaked and the security weakened. I wanted this demonstration to be as real as possible so I didn’t install anything, no Firefox or anything along those lines. The only change I made, which you will see in a bit is I added them to an Active Directory domain.

Windows auth – the dot rule

So to clarify, I am trying to get Internet Explorer to authenticate against something. In the default configuration the security settings restrict this automatic login to the Intranet zone. If the machine thinks it is in an Intranet it will do what I need it to. The Intranet is defined by the settings in Internet Explorer. By default this means anything you explicitly list as part of the Intranet, any sites that don’t go through a configured proxy server, and those that are accessed via a UNC path. This last one is better understood as “the dot rule” and means that you can’t do it against IP addresses or Fully Qualified Domain Names (FQDNs). This is because both IPs and FQDNs have dots in them. All this meant the attack needed a DNS server.

The final attack flow

The diagram is what my attack flow ended up looking like:

  • The victim joins the evil twin wireless network and asks for a DHCP lease
  • The DHCP lease is supplied by the attacker’s DHCP server
  • Then an HTTP request goes through the evil web proxy
  • The web proxy downgrades the request as much as possible to enable easy injection on the response. This includes removing or altering HTTP headers and so on but not things like SSL stripping.
  • The HTTP response then gets an image tag injected into it
  • Which then creates a DNS resolution request
  • And then the SMB stack from Responder kicks in and helpfully provides authentication capabilities
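The dot rule and the image-tag step in the flow above are the two places a defender can look for this technique on the wire. The Python below is an added example, not code from the talk or from the ETAC tool: it scans an HTML response body for `<img>` references and flags any whose host is a single label (no dots and not an IP address), which is a host that Internet Explorer’s default zone mapping would place in the Intranet zone and so could trigger automatic Windows authentication if the server answered with an NTLM challenge. The sample HTML, the hostnames in it and the function names are all constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample response body. Two references are ordinary (dotted host,
# literal IP); two use single-label hosts that the dot rule maps to the
# Intranet zone (a plain hostname and a UNC path).
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.com/logo.png">
<img src="http://192.0.2.10/pixel.gif">
<img src="http://fileserver/a.png">
<img src="file://\\\\share01\\pub\\x.png">
</body></html>"""

# src attribute of <img> tags, quoted with " or ' (attribute order independent)
IMG_SRC = re.compile(r'<img\b[^>]*?(?<![\w-])src\s*=\s*["\']([^"\']+)["\']',
                     re.IGNORECASE)


def host_of(src):
    """Return the host named by an img src, or None for relative references.

    Accepts http(s):// and file:// URLs, protocol-relative //host/... and
    bare UNC paths (\\\\host\\share\\file). Backslashes are normalised first.
    """
    s = src.strip().replace('\\', '/')
    m = re.match(r'^(?:(?:https?|file):)?//+([^/?#]+)', s, re.IGNORECASE)
    if not m:
        return None
    host = m.group(1).rsplit('@', 1)[-1]      # drop user:pass@
    return host.split(':', 1)[0] or None       # drop :port


def intranet_zone_by_dot_rule(host):
    """True if IE's default zone mapping would put this host in the Intranet
    zone under the dot rule: a single-label name, i.e. no dots and not an
    IP address. Explicit site lists and proxy-bypass rules can widen the
    zone further; this function covers the dot rule only."""
    if not host:
        return False
    try:
        ip_address(host)
        return False          # literal IPs are never Intranet by the dot rule
    except ValueError:
        pass
    return '.' not in host


def find_auto_auth_candidates(html):
    """Scan an HTML body and return [(src, host), ...] for every <img> whose
    host the dot rule would load from the Intranet zone, so that a server
    answering with an NTLM challenge could obtain automatic Windows
    authentication from a default Internet Explorer."""
    findings = []
    for src in IMG_SRC.findall(html):
        host = host_of(src)
        if intranet_zone_by_dot_rule(host):
            findings.append((src, host.lower()))
    return findings


if __name__ == '__main__':
    for src, host in find_auto_auth_candidates(SAMPLE_HTML):
        print(f'single-label host {host!r} referenced by <img src="{src}">')
```

Run it over response bodies captured at a corporate proxy or in a packet capture; a single-label host in an image reference that the page’s own origin never uses is worth a look. The check is a heuristic for the dot rule only: sites explicitly added to the Intranet zone and proxy-bypass rules also affect zone assignment, and a dotted host can still be trusted by policy.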

The challenges / HTTP is a pain

That all sounds like it should be amazing and work nicely and it kinda works… I had lots of problems:

  • First of all HTTP is a pain, there are a lot of variants in it.
  • The WiFi Pineapple doesn’t have a lot of power so I couldn’t just use other people’s libraries. This meant that I had to write a lot of this myself.
  • I found that there were status codes coming up with problems that I had no idea about and not seen before like an HTTP 416 error. This is “Range not satisfiable” – what on Earth does that mean?
  • Lots of HTTP headers were causing me problems.
  • Normal error handling was also tricky because sometimes connections are just not completed properly.
  • I discovered that there are behavioural differences between the use of transparent proxies and declared proxies. One of the things that is different is that transparent proxies don’t get explicitly told what port to actually go and make the request on. This is because it’s part of the original TCP connection. If you are doing iptables manipulations you lose some of that information. It’s often easy to guess but that isn’t great and it still needs coding up.

Transaction size and chunking

My favourite challenge was HTTP chunking and the differences between HTTP 1.0 and 1.1. Although they are a bit interchangeable, one of the biggest headaches I had was dealing with Chunked Transfer Encoding (CTE). In CTE you get a chunk of information and then the next chunk and so on. This is fine but there seem to be two different types of CTE: marked and unmarked.

When you think about it, I am trying to inject an HTML tag so I had to be quite careful with where that tag goes. Otherwise you end up with half of the injected tag in one chunk and half in the next chunk. Alternatively, you can save the whole response in the transparent proxy, manipulate it and then spit it out at the end. But this introduces delays which might make users suspicious of the gateway.
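The chunk-boundary problem cuts both ways: a content filter or an intrusion-detection rule that looks for a suspicious tag in a response has the same blind spot if it matches chunk by chunk. As an added example (not code from the talk or from ETAC), the Python below decodes a chunked HTTP/1.1 body per RFC 7230, records where each chunk ended, rejects truncated or malformed input, and shows that a tag straddling two chunks is missed by a per-chunk search but found once the body is reassembled. The sample body, its chunk sizes, the chunk extension and the trailer header are constructed.

```python
# Constructed sample: two chunks (the first with a chunk extension), a zero
# chunk and one trailer header. The string "<body>" is split across the
# chunk boundary: "<bo" ends chunk 1 and "dy>" begins chunk 2.
SAMPLE_RAW = (b'9;name=val\r\n<html><bo\r\n'
              b'1A\r\ndy><p>hi</p></body></html>\r\n'
              b'0\r\nX-Check: done\r\n\r\n')


def decode_chunked(raw):
    """Decode a chunked body (RFC 7230 section 4.1).

    Returns (body, boundaries, trailers): the reassembled bytes, the offsets
    in body at which each chunk ended, and the trailer headers as a dict with
    lower-cased names. Raises ValueError on truncated or malformed input,
    which is the case a proxy or inspector must handle rather than ignore.
    """
    body = bytearray()
    boundaries = []
    pos = 0
    while True:
        eol = raw.find(b'\r\n', pos)
        if eol < 0:
            raise ValueError('truncated chunk-size line')
        size_field = raw[pos:eol].split(b';', 1)[0].strip()  # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError('bad chunk size %r' % size_field) from None
        pos = eol + 2
        if size == 0:
            break                       # last-chunk; trailers follow
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ValueError('truncated chunk data')
        body += chunk
        pos += size
        if raw[pos:pos + 2] != b'\r\n':
            raise ValueError('missing CRLF after chunk data')
        pos += 2
        boundaries.append(len(body))
    trailers = {}
    while True:
        eol = raw.find(b'\r\n', pos)
        if eol < 0:
            raise ValueError('truncated trailer section')
        line = raw[pos:eol]
        pos = eol + 2
        if not line:
            break                       # empty line ends the message
        name, _, value = line.partition(b':')
        trailers[name.strip().decode('latin-1').lower()] = value.strip().decode('latin-1')
    return bytes(body), boundaries, trailers


def is_well_formed_chunked(raw):
    """True if raw decodes cleanly, False if it is truncated or malformed."""
    try:
        decode_chunked(raw)
        return True
    except ValueError:
        return False


def per_chunk_match(raw, needle):
    """Search each chunk's payload separately, as a naive inspector that
    pattern-matches the wire bytes chunk by chunk would."""
    body, boundaries, _ = decode_chunked(raw)
    start = 0
    for end in boundaries:
        if needle in body[start:end]:
            return True
        start = end
    return False


def decoded_match(raw, needle):
    """Search the reassembled body: the only reliable way to inspect it."""
    body, _, _ = decode_chunked(raw)
    return needle in body


if __name__ == '__main__':
    body, boundaries, trailers = decode_chunked(SAMPLE_RAW)
    print(body, boundaries, trailers)
    print('per-chunk search finds <body>:', per_chunk_match(SAMPLE_RAW, b'<body>'))
    print('decoded search finds <body>:', decoded_match(SAMPLE_RAW, b'<body>'))
```

Chunked encoding only exists in HTTP/1.1; an HTTP/1.0 response delimits the body with Content-Length or by closing the connection, so an inspector has to branch on the Transfer-Encoding header before choosing how to reassemble. The decoder also keeps the trailer headers, which some detection tooling drops even though they are part of the message.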

Successes and failures

The success I had was the fact that a standalone Windows 7 machine gave me NetNTLM creds no problem whatsoever, every single time it was happy. Unfortunately the moment I joined the machine to an Active Directory domain, things started going a bit pear shaped. Unfortunately, what happens is that the SMB connection starts and almost straight away the targeted machine tries to work out where its Kerberos KDC is. It performs DNS resolution for the FQDN of the Active Directory Domain that it knows about. When it doesn’t get a response, or a “no such name” response, it literally just sends an RST packet ending the connection to my attacking infrastructure. Game Over….

There are lots of ways I think I could develop this further. I ran out of time for my Master’s thesis so I had to submit and it was fine. I think you might well be able to develop it to impersonate the KDC. Perhaps, depending on what it is looking for to prove that it is within the correct network it might be possible to trick it and get the authentication desired.

Summary

The tool is on GitHub, I definitely could develop it further. Machines joined to a domain are not vulnerable to this attack (yet), but those that are not domain joined are vulnerable.

Thank you very much, are there any questions?

Creating a new child domain – Microsoft Windows 2016 Server

Well, that was several hours of my life I won’t get back. Creating a new child domain is not an easy task, but we like challenges. This article will help you save many hours from finding how to create a new child domain.

TL;DR;

– Microsoft error messages still suck in Windows Server 2016
– Add the member server that will become the child-domain domain-controller to the parent domain before promoting it to a DC.

I was recently on a non-standard job. My client was interested in having a brand new Active Directory domain built to the best possible standards of information / “cyber” security.

I haven’t done much blue-team work for a little while, but I am always up for a challenge and this felt like a good opportunity to get my head around some of the challenges of setting up Windows 2016.

First of all, a side note: I hate Windows 2016 Core (aka non-GUI), I’m going to leave that there.

Moving on…

For reasons that are not best-described here, my client wants a silo’d active directory domain architecture.

Essentially, the ability to have different parts of the wider business belong to different container shells, whilst still having overarching control over the whole lot. This means a parent-domain (or root in *nix parlance), this parent domain sits at the top of the Active Directory forest hierarchy.

Each child-domain then inherits “stuff” (technical term) from the parent domain and can set its own controls. As a red-teamer, one goal in this scenario would be to become Enterprise admin, as this is the group that by default is truly in charge.

Long story short, I battled for hours trying to work out how to get this Windows 2016 vanilla-build server to become a domain controller for a child domain within the forest. No joy.

I kept getting a message “auth problem XXX”. Some research indicates that authentication is nothing to do with the problem, and in fact, DNS is the problem.

Go Microsoft with the useful error messages!

Having spent loads of time on the DNS configuration I got nowhere. I tried everything from the obvious pointing the child at the parent for DNS. Manually making DNS zones on the parent and child, and everything in between.

Literally hours of different combinations and I was still not getting anywhere.

I wish I could claim that this was my idea. However, in a state of despair, I called a friend and explained the situation.

His response was:

“Well you have tried everything I would have thought of and I’ll be honest, I’ve never done it before so I am not sure….”

He trailed off and as I was responding he suddenly interrupted me saying:

“Have you joined the server that will become the child domain controller to the parent domain and then tried promoting it?”

The answer was no.

At first glance, this doesn’t make much sense as you are trying to add the machine to a sub-domain.

However, when you think a little deeper it does make sense.

The child would then appear in DNS correctly on the parent DNS service. Then they would have a basic trust relationship in place already making authentication “easier”.

So the very short version, to create a new child-domain domain-controller, add the member server that will be promoted to the parent domain first.


95 rules of cyber warfare – Tallinn Manual 1.0 | A complete list

Please note: the list below references the original Tallinn Manual. Tallinn 2.0 was released in February 2017 and should be used in preference.

  1. A State may exercise control over cyber-infrastructure and activities within its sovereign territory.
  2. Without prejudice to applicable international obligations, a State may exercise its jurisdiction: Over persons engaged in cyber activities on its territory; over cyber infrastructure located on its territory; and extraterritorially, in accordance with international law.
  3. Cyber-infrastructure located on aircraft, ships, or other platforms in international airspace, on the high seas, or in outer space is subject to the jurisdiction of the flag State or State of registration.
  4. Any interference by a State with cyber-infrastructure aboard a platform, wherever located, that enjoys sovereign immunity constitutes a violation of sovereignty.
  5. A State shall not knowingly allow the cyber-infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.
  6. A State bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation.
  7. The mere fact that a cyber operation has been launched or otherwise originates from governmental cyber-infrastructure is not sufficient evidence for attributing the operation to that State but is an indication that the State in question is associated with the operation.
  8. The fact that a cyber operation has been routed via the cyber-infrastructure located in a State is not sufficient evidence for attributing the operation to that State.
  9. A State injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures against the responsible State.

    A cyber operation…
  10. …that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful.
  11. …constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.
  12. …or threatened cyber operation, constitutes an unlawful threat of force when the threatened action if carried out, would be an unlawful use of force.
  13. A State that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence.  Whether a cyber operation constitutes an armed attack depends on its scale and effects.
  14. Use of force involving cyber operations undertaken by a State in the exercise of its right of self-defence must be necessary and proportionate.
  15. The right to use force in self-defence arises if a cyber armed attack occurs or is imminent.  It is further subject to a requirement of immediacy.
  16. The right of self-defence may be exercised collectively.  Collective self-defence against a cyber operation amounting to an armed attack may only be exercised at the request of the victim State and within the scope of the request.
  17. Measures involving cyber operations undertaken by States in the exercise of the right of self-defence pursuant to Article 51 of the United Nations Charter shall be immediately reported to the United Nations Security Council.
  18. Should the United Nations Security Council determine that an act constitutes a threat to the peace, breach of the peace, or act of aggression it may authorize non-forceful measures, including cyber operations.  If the Security Council considers such measures to be inadequate, it may decide upon forceful measures, including cyber measures.
  19. International organizations, arrangements, or agencies of a regional character may conduct enforcement actions, involving or in response to cyber operations, pursuant to a mandate from, or authorization by, the United Nations Security Council.
  20. Cyber operations executed in the context of armed conflict are subject to the law of armed conflict.
  21. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.
  22. An international armed conflict exists whenever there are hostilities, which may include or be limited to cyber operations, occurring between two or more States.
  23. A non-international armed conflict exists whenever there is protracted armed violence, which may include or be limited to cyber operations, occurring between governmental armed forces and the forces of one or more armed groups, or between such groups.  The confrontation must reach a minimum level of intensity and the parties involved in the conflict must show a minimum degree of organisation.
  24. a) Commanders and other superiors are criminally responsible for ordering cyber operations that constitute war crimes
    b) Commanders are also criminally responsible if they knew or, owing to the circumstances at the time, should have known their subordinates were committing, were about to commit, or had committed war crimes and failed to take all reasonable and available measures to prevent their commission or to punish those responsible.
  25. The law of armed conflict does not bar any category of person from participating in cyber operations.  However, the legal consequences of participation differ, based on the nature of the armed conflict and the category to which an individual belongs.
  26. In an international armed conflict, members of the armed forces of a party to the conflict who, in the course of cyber operations, fail to comply with the requirements of combatant status lose their entitlement to combatant immunity and prisoner of war status.
  27. In an international armed conflict, inhabitants of an unoccupied territory who engage in cyber operations as part of a levée en masse enjoy combatant immunity and prisoner of war status.
  28. Mercenaries involved in cyber operations do not enjoy combatant immunity or prisoner of war status.
  29. Civilians are not prohibited from directly participating in cyber operations amounting to hostilities, but forfeit their protection from attacks for such time as they so participate.
  30. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
  31. The principle of distinction applies to cyber attacks.
  32. The civilian population as such, as well as individual civilians, shall not be the object of a cyber attack.
  33. In case of doubt as to whether a person is a civilian, that person shall be considered to be a civilian.
  34. The following persons may be made the object of cyber attacks:
    a) members of the armed forces;
    b) members of organised armed groups;
    c) civilians taking a direct part in hostilities; and
    d) in an international armed conflict, participants in a levée en masse.
  35. Civilians enjoy protection against attack unless and for such time as they directly participate in hostilities.
  36. Cyber attacks, or the threat thereof, the primary purpose of which is to spread terror among the civilian population, are prohibited.
  37. Civilian objects shall not be made the object of cyberattacks.  Computers, computer networks, and cyber-infrastructure may be made the object of attack if they are military objectives.
  38. Civilian objects are all objects that are not military objectives.  Military objectives are those objects which by their nature, location, purpose, or use, make an effective contribution to military action and whose total or partial destruction, capture or neutralisation, in the circumstances ruling at the time, offers a definite military advantage.  Military objectives may include computers, computer networks, and cyber-infrastructure.
  39. An object used for both civilian and military purposes – including computers, computer networks, and cyber-infrastructure – is a military objective.
  40. In case of doubt as to whether an object that is normally dedicated to civilian purposes is being used to make an effective contribution to military action, a determination that it is so being used may only be made following a careful assessment.
  41. For the purposes of this Manual:
    a) ‘means of cyber warfare’ are cyber weapons and their associated cyber systems and
    b) ‘methods of cyber warfare’ are the cyber tactics, techniques, and procedures by which hostilities are conducted.
  42. It is prohibited to employ means or methods of cyber warfare that are of a nature to cause superfluous injury or unnecessary suffering.
  43. It is prohibited to employ means or methods of cyber warfare that are indiscriminate by nature.  Means or methods cyber warfare are indiscriminate by nature when they cannot be:
    a) directed at a specific military objective, or
    b) limited in their effects as required by the law of armed conflict
    and consequently are of a nature to strike military objectives and civilians or civilian objects without distinction.
  44. It is forbidden to employ cyber booby traps associated with certain objects specified in the law of armed conflict.
  45. Starvation of civilians as a method of cyber warfare is prohibited.
  46. Belligerent reprisals by way of cyber operations against:
    a) prisoners of war;
    b) interned civilians, civilians in occupied territory or otherwise in the hands of an adverse party to the conflict, and their property;
    c) those hors de combat; and
    d) medical personnel, facilities, vehicles and equipment are prohibited.
    Where not prohibited by international law, belligerent reprisals are subject to stringent conditions.
  47. Additional Protocol I prohibits States Parties from making the civilian population, individual civilians, civilian objects, cultural objects and places of worship, objects indispensable to the survival of the civilian population, the natural environment, and dams, dykes, and nuclear electrical generating stations the object of a cyberattack by way of reprisal.
  48. a) All States are required to ensure that the cyber means of warfare that they acquire or use comply with the rules of the law of armed conflict that bind the State.
    b) States that are Party to Additional Protocol I are required in the study, development, acquisition, or adoption of a new means or method of cyber warfare to determine whether its employment would, in some or all circumstances, be prohibited by that Protocol or by any other rule of international law applicable to that State.
  49. Cyber attacks that are not directed at a lawful target, and consequently are of a nature to strike lawful targets and civilians or civilian objects without distinction, are prohibited.
  50. A cyber attack that treats as a single target a number of clearly discrete cyber military objectives in cyber-infrastructure primarily used for civilian purposes is prohibited if to do so would harm protected persons or objects.
  51. A cyberattack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated is prohibited.
  52. During hostilities involving cyber operations, constant care shall be taken to spare the civilian population, individual civilians, and civilian objects.

    Those who plan or decide upon…
  53. … a cyber attack shall do everything feasible to verify that the objectives to be attacked are neither civilians nor civilian objects and are not subject to special protection.
  54. … a cyber attack shall take all feasible precautions in the choice of means or methods of warfare employed in such an attack, with a view to avoiding, and in any event to minimising, incidental injury to civilians, loss of civilian life, and damage to or destruction of civilian objects.
  55. …. attacks shall refrain from deciding to launch any cyberattack that may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.
  56. For States Party to Additional Protocol I, when a choice is possible between several military objectives for obtaining a similar military advantage, the objective to be selected for cyber attack shall be that the attack on which may be expected to cause the least danger to civilian lives and to civilian objects.
  57. Those who plan, approve, or execute a cyber attack shall cancel or suspend the attack if it becomes apparent that:
    a) the objective is not a military one or is subject to special protection; or
    b) the attack may be expected to cause, directly or indirectly, incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof that would be excessive in relation to the concrete and direct military advantage anticipated.
  58. An effective advance warning shall be given of cyberattacks that may affect the civilian population unless circumstances do not permit.
  59. The parties to an armed conflict shall, to the maximum extent feasible, take necessary precautions to protect the civilian population, individual civilians, and civilian objects under their control against the dangers resulting from cyber attacks.
  60. In the conduct of hostilities involving cyber operations, it is prohibited to kill or injure an adversary by resort to perfidy.  Acts that invite the confidence of an adversary to lead him to believe he or she is entitled to receive or is obliged to accord, protection under the law of armed conflict with the intent to betray that confidence constitutes perfidy.
  61. Cyber operations that qualify as ruses of war are permitted.

    It is prohibited to make …
  62. … improper use of the protective emblems, signs, or signals that are set forth in the law of armed conflict.
  63. … use of the distinctive emblem of the United Nations in cyber operations, except as authorised by that organisation.
  64. … use of the flags, military emblems, insignia, or uniforms of the enemy while visible to the enemy during an attack including a cyber attack.
  65. In cyber operations, it is prohibited to make use of flags, military emblems, insignia, or uniforms of neutral or other States not a party to the conflict.
  66. a) Cyber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict.
    b) A member of the armed forces who has engaged in cyber espionage in enemy-controlled territory loses the right to be a prisoner of war and may be treated as a spy if captured before re-joining the armed forces to which he or she belongs.
  67. Cyber methods and means of warfare may be used to maintain and enforce a naval or aerial blockade provided that they do not, alone or in combination with other methods, result in acts inconsistent with the law of international armed conflict.
  68. The use of cyber operations to enforce a naval or aerial blockade must not have the effect of barring, or otherwise seriously affecting, access to neutral territory.
  69. To the extent that States establish zones, whether in peacetime or during armed conflict, lawful cyber operations may be used to exercise their rights in such zones.
  70. Medical and religious personnel, medical units, and medical transports must be respected and protected and, in particular, may not be made the object of a cyberattack.
  71. Computers, computer networks, and data that form an integral part of the operations or administration of medical units and transports must be respected and protected, and in particular, may not be made the object of attack.
  72. All feasible measures shall be taken to ensure that computers, computer networks, and data that form an integral part of the operations or administration of medical units and transports are clearly identified through appropriate means, including electronic markings.  Failure to so identify them does not deprive them of their protected status.
  73. The protection to which medical units and transports, including computers computer networks, and data that form an integral part of their operations or administration, are entitled by virtue of this section does not cease unless they are used to commit, outside their humanitarian function, acts harmful to the enemy.  In such situations, protection may cease only after a warning setting a reasonable time limit for compliance, when appropriate, remains unheeded.
  74. a) As long as they are entitled to the protection given to civilians and civilian objects under the law of armed conflict, United Nations personnel, installations, material, units and vehicles, including computers and computer networks that support United Nations operations, must be respected and protected and are not subject to a cyberattack.
    b) Other personnel, installations, material, units, or vehicles, including computers and computer networks, involved in a humanitarian assistance or peacekeeping mission in accordance with the United Nations Charter are protected against cyberattack under the same conditions.
  75. Prisoners of war, interned protected persons, and other detained persons must be protected from the harmful effects of cyber operations.
  76. The right of prisoners of war, interned protected persons, and other detained persons to certain correspondence must not be interfered with by cyber operations.
  77. Prisoners of war and interned protected persons shall not be compelled to participate in or support cyber operations directed against their own country.
  78. It is prohibited to conscript or enlist children into the armed forces or to allow them to take part in cyber hostilities.
  79. Civilian journalists engaged in dangerous professional missions in areas of armed conflict are civilians and shall be respected as such, in particular with regard to cyber attacks, as long as they are not taking a direct part in hostilities.
  80. In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyberattacks against works and installations containing dangerous forces, namely dams, dykes, and nuclear electrical generating stations, as well as installations located in their vicinity.
  81. Attacking, destroying, removing, or rendering useless objects indispensable to the survival of the civilian population by means of cyber operations is prohibited.
  82. The parties to an armed conflict must respect and protect cultural property that may be affected by cyber operations or that is located in cyberspace.  In particular, they are prohibited from using a digital cultural property for military purposes.
  83. a) The natural environment is a civilian object and as such enjoys general protection from cyberattacks and their effects.
    b) States Party to Additional Protocol I are prohibited from employing cyber methods or means of warfare which are intended or may be expected, to cause widespread, long-term, and severe damage to the natural environment.
  84. Diplomatic archives and communications are protected from cyber operations at all times.
  85. Collective punishment by cyber means is prohibited.
  86. Cyber operations shall not be designed or conducted to interfere unduly with impartial efforts to provide humanitarian assistance.
  87. Protected persons in occupied territory must be respected and protected from the harmful effects of cyber operations.
  88. The Occupying Power shall take all the measures in its power to restore and ensure, as far as possible, public order and safety, while respecting, unless absolutely prevented, the laws in force in the country, including the laws applicable to cyber activities.
  89. The Occupying Power may take measures necessary to ensure its general security, including the integrity and reliability of its own cyber systems.
  90. To the extent the law of occupation permits the confiscation or requisition of property, taking control of cyber-infrastructure or systems is likewise permitted.
  91. The exercise of belligerent rights by cyber means directed against neutral cyber-infrastructure is prohibited.
  92. The exercise of belligerent rights by cyber means in neutral territory is prohibited.
  93. A neutral State may not knowingly allow the exercise of belligerent rights by the parties to the conflict from cyber-infrastructure located in its territory or under its exclusive control.
  94. If a neutral State fails to terminate the exercise of belligerent rights on its territory, the aggrieved party to the conflict may take such steps, including by cyber operations, as are necessary to counter that conduct.
  95. A State may not rely upon the law of neutrality to justify conduct, including cyber operations, that would be incompatible with preventive or enforcement measures decided upon by the Security Council under Chapter VII of the Charter of the United Nations.

The rules above are taken from the Tallinn Manual on the International Law Applicable to Cyber Warfare. The Manual is not legally binding; it reflects only the opinions of its individual authors, each of whom has attempted to apply existing international law logically to the cyber realm, resulting in the 95 rules listed above.
