SEC542 - 1
When is metasploit useful for DNS recon?
-For using DNSrecon plugins
-Integrated with rest of pen testing stack
What are some of OWASP's flagship products?
-OWASP Zed Attack Proxy
-OWASP Web Testing Environment Project
-OWASP OWTF
-OWASP Dependency Check
-OWASP ModSecurity Core Rule Set Project
-OWASP CSRFGuard Project
-OWASP AppSensor Project
-OWASP Application Security Verification Standard Project
-OWASP Software Assurance Maturity Model (SAMM)
-OWASP Top Ten Project (largest contribution)
-OWASP Testing Guide Project
What considerations should be made when deciding a web app pen testing toolkit?
-attack platform
-dynamic web app security scanners
-browser(s)
-interception proxies
What modules does recon-ng have?
-finding contacts
-seeing if an account is compromised
-finding credentials
-resolving hosts
-geolocation
When is nslookup useful?
-limited functionality compared to dig
-functionality removed from newer versions
+universally available
+usually installed on compromised systems
+useful for confirmation of blind command injections
What viewpoints do pen testers have that are different from normal users?
-must think maliciously, but professionally
-how can I bypass restrictions?
-what mistakes did developers, admins, and operators of the target system make?
What information can WHOIS return?
-names
-phone numbers
-addresses
-DNS servers
Name the DNS reconnaissance tools
-nslookup
-dig
-nmap
-DNSRecon
-Metasploit
What information is commonly found on social networks?
-search by company
-person data for social engineering
-answers to password-reset questions
-info on technologies used by the target
-check out Facebook, LinkedIn, and Twitter
What should we check with transport encryption on servers?
-supports HTTPS?
-which version? SSL v2/3, TLS 1
-which ciphers/key lengths
-expired certs
-HTTP access to HTTPS resources
-weak hashing algorithms (MD5, SHA-1)
-less than 128-bit encryption
WHOIS registrars
-whois.afrinic.net (Africa)
-whois.apnic.net (Asia Pacific, India, China, and Australia)
-whois.arin.net (US and Canada)
-whois.lacnic.net (Mexico and Latin America)
-whois.ripe.net (Europe, Greenland, Russia, and the Middle East)
What are the HTTP status code categories?
1xx - information
2xx - success
3xx - redirection
4xx - client error
5xx - server error
What is an HTTP user-agent?
A header field identifying the client making the request, usually a browser, but not always. Be sure to change it from "pen test tool".
What is a Web Application Security Scanner?
A highly automated scanner that looks for vulnerabilities. It compromises depth of vulnerability testing for speed.
-Burp
-ZAP
-HP WebInspect
-IBM AppScan
What is Trident/7.0?
A rendering engine for Internet Explorer 11.0
What are the OWASP Top 10 in 2017?
A1 - Injection
A2 - Broken Authentication
A3 - Sensitive Data Exposure
A4 - XML External Entities (XXE) (NEW)
A5 - Broken Access Control (MERGED A4 and A6)
A6 - Security Misconfiguration
A7 - Cross-Site Scripting (XSS)
A8 - Insecure Deserialization (NEW)
A9 - Using Components with Known Vulnerabilities
A10 - Insufficient Logging & Monitoring (NEW)
What were the OWASP Top 10 in 2013?
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
What can ZAP do?
Actively scan a site searching for vulnerabilities, forced browsing (DirBuster), Spider & AJAX Spider, and fuzzing.
What came with HTTP/1.1?
Added virtual host support, persistent connections, the OPTIONS method, and support for caching, proxies, and compression.
What is a DNS Zone Transfer?
Allows a secondary DNS server to mirror the primary. Downloads the entire contents of another DNS server for a domain. AXFR - full transfer (useful for pen testers) or IXFR - incremental transfer.
What is SPUD?
Automates Google searches via the SOAP API.
When is dig useful?
Best dedicated DNS client for power use. You can use it to:
+look up all the DNS records from a DNS name server for a provided domain
+attempt a zone transfer from a DNS name server for a provided domain
+PTR (reverse) lookup
+query the name server's version of BIND
When should sensitive data be protected?
Both when stored and in transmission.
What is Maltego?
Builds a visual hierarchy of domains to people, emails, etc.
What is a CNAME?
Canonical Name Record: a type of DNS record that is aliased to another name record, NOT an IP. It's a DNS alias.
What are search engine directives?
Directives that limit search results, letting you focus your search. EX: "site:www.sans.org". Other useful directives:
+inurl
+intitle
+link
+filetype
What is DNS?
Domain Name System. A hierarchical database of domain names, which lists all the servers. Uses UDP port 53 for regular requests, TCP port 53 for large payloads, notably zone transfers.
How often is OWASP Top 10 normally updated?
Every 3 years
What is FOCA/FAAST?
Filecat's your site's public documents and analyzes them. Produces lists of metadata like usernames, software versions, email addresses, operating systems, and passwords.
What is "google hacking"?
Finding vulnerabilities or sensitive information from search engines.
When would a pen tester use DELETE?
For denial of service or deleting config files to gain access.
What are reverse DNS (PTR) scans?
For finding non-obvious domains, lookup by IP. Use WHOIS to find the organization's IP addresses and perform a reverse lookup for every IP.
What HTTP methods were available for HTTP/1.0?
GET, HEAD, POST, PUT, and DELETE. Each GET is still one TCP connection. No support for virtual hosts.
What are the HTTP request methods?
GET, POST, PUT, HEAD, TRACE, OPTIONS, CONNECT, DELETE
What is the first thing you should do before testing?
Get written permission from the highest ranking person you can.
What is GHDB?
Google Hacking Database. Source of queries to find interesting information (Google Dorks).
When is DNSRecon useful?
Has modules usable from Metasploit that perform common DNS resolution tasks. Higher-order tool than dig and nslookup. Includes a number of useful wordlists for DNS brute force scans.
What are the OTG testing categories?
INFO - Information Gathering
CONFIG - Configuration and Deployment Management
IDENT - Identity Management
AUTHN - Authentication
AUTHZ - Authorization
SESS - Session Management
INPVAL - Input Validation
ERR - Error Handling
CRYPST - Cryptography
BUSLOGIC - Business Logic
CLIENT - Client Side
What is Shodan?
IoT search engine. Can search the Internet of Things, including cameras and power plants.
What does HTTPS mean to pen testers?
Interception is difficult; control either side and you are OK. HTTPS hides attacks from network sensors.
What kind of connections do websockets allow?
Long-term bi-directional communication over a single TCP socket. Harder to intercept. ZAP currently has the best support for interception.
When is Nmap useful?
NSE (Nmap Security Engine) contains useful scripts that help discover CNAME records from the DNS:
-dns-zone-transfer
-dns-brute (useful for discovering CNAMEs)
-cipher evaluation
What is NIST?
National Institute of Standards and Technology. It is an agency in the Technology Administration that makes measurements and sets standards for industries to use.
When was the last OWASP Top 10 update? And the one before that?
November 2017; before that was 2013.
What does OTG stand for?
OWASP Testing Guide. Serves as a sanity test; good for exploring, documenting, and guiding organizations in appropriate remediation.
What does OWASP stand for?
Open Web Application Security Project
What tools can you use to test SSL support?
OpenSSL, Nmap, Qualys SSL Labs
What attack platforms can you use?
Prebuilt Linux Virtual Machines:
-SamuraiWTF
-Kali
-Security542
What are the major components of the Burp suite?
Proxy - integrated with the rest of the test suite, can automatically rewrite HTML, can repeat requests
Spider - crawls a web app, can authenticate or use predetermined form field values
Intruder - customizable attack tool
Repeater - allows repeatable manipulation
Sequencer - analyzes tokens for predictability
Decoder - decodes and encodes various encoding schemes
Comparer - "diffs" between two items of text
What are Interception proxies?
Proxy between the requesting web app and server to view and modify payloads.
-ZAP
-Burp
For pen testing what is "open source information"?
Publicly available information, such as that available through search engines, WHOIS, DNS, and caching sites.
What is recon-ng?
Python tool for automating many common recon tasks; has many modules for recon, mapping, discovery, and exploitation. Can be used for gathering contact info, credentials, hosts, and geolocation.
What is QUIC?
Quick UDP Internet Conditions.
What is the Heartbleed vulnerability?
Remotely reads 64KB memory chunks from vulnerable OpenSSL. OpenSSL 1.0 - 1.0.1f, 1.0.2-beta1.
What is the difference between TLS and SSL?
SSL is deprecated. TLS is the current standard. SSL 2 and 3 are older. TLS adds more options for encryption and hashing.
What are WHOIS lookups good for?
Stealthy recon. Hits central WHOIS servers and not the target servers.
When would a pen tester use CONNECT?
To attack through a proxy or SSL connection; often used with WebSocket.
When would a pen tester use TRACE?
To echo requests, as seen by the server, back so the tester can see any changes made by a proxy.
When would a pen tester use HEAD?
To speed up testing by only returning header data.
What is a URI?
Uniform Resource Identifier. The address of a resource, including how to retrieve it: {protocol}://{user:password}{domain name}{:port}/{resource}
What are DNS "brute force" (dictionary) scans?
Use a dictionary of potential DNS names (prefixes) to find DNS names by looking them up: <$dictionaryEntry>.targetdomain.com
What is theHarvester?
Uses public sources to collect:
-email addresses
-IP addresses and domain names
-ports and banners
What are Burp scopes?
Uses regular expressions to automate other Burp features.
What is WHOIS?
WHOIS provides client/server access to information on internet domains and IPv4/IPv6 netblocks. Uses TCP port 43.
Do web app pen testers take a more fluid or rigid approach than broader pen testers?
Web app pen testing tends to be more fluid, jumping between steps as opportunities arise. Rather than following the typical order:
-reconnaissance
-scanning
-vulnerability assessment
-exploitation
-post exploitation
-reporting
...web app pen testers might find a SQL injection vulnerability and exploit it before the vulnerability assessment phase is complete.
What are the two major interception proxies used in the class?
ZAP and Burp
What does ZAP stand for?
Zed Attack Proxy
What is the primary focus of HTTP/2?
Achieving faster performance by updating HTTP to use a binary protocol (efficiency), push promises, multiplexing instead of pipelining (one TCP connection per origin for multiple requests), and HPACK (more efficient headers using binary encoding).
What do attackers look at as far as HTTP?
Methods that weren't intended to be supported by the developers: PUT, DELETE, CONNECT, TRACE.
What was the first HTTP method to be supported in HTTP/0.9?
The GET method. Returns HTML only, one call is one TCP connection, no support for virtual hosts.
What can you obtain from NIST NVD (National Institute of Standards and Technology, National Vulnerability Database), xssed, and EDB (Exploit Database)?
Various web application vulnerabilities/flaws.
When would a pen tester use the OPTIONS call?
When they want to learn what requests the server they are calling supports.