CEH 9/10
ALE (Annual Loss Expectancy)
Expected amount to lose annually from resources failing. Monetary measure of how much loss you can expect in a year. ALE = SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence); SLE = AV (Asset Value) * EF (Exposure Factor).
First step with infected machine
Isolation
AMAP
It attempts to identify applications even if they are running on a different port than normal. It also identifies non-ASCII based applications. This is achieved by sending trigger packets and looking up the responses in a list of response strings.
LEAP
It is a proprietary WLAN authentication protocol developed by Cisco
802.11i
It is an IEEE amendment that specifies security mechanism for 802.11 wireless networks. TKIP / AES. Adds key caching as well. Facilitates fast roaming.
CEWL
- Web-crawling password wordlist generator. - Used for building a password list for cracking.
BTCrack
- Bluetooth Cracker reconstructs the PIN and LINKEY with data sniffed during a pairing exchange.
Kerckhoff's Principle
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
MD (Message Digest) 2,4,5
- 128 bit output
Sc windows command line utility
- sc query : shows all running services
- sc config "Schedule" start= disabled
- sc start schedule
- sc \\computer64 start remoteregistry
Trojan Detection
- Scan the system for open ports - Look for running processes you don't normally see and for odd protocols - Check what starts up at boot - Look in the registry
PING
- ping www.cnn.com -f -l 1500 : -f (don't fragment), -l (size in bytes). Used to determine the maximum packet size in bytes; the ping is rejected if the packet is too big. - -i : sets the TTL
Network Assessment Vulnerability Methodology
1. Acquisition - collect all background information
2. Identification - interviews; validate stage one
3. Analyze - look at what the information means; make it understandable
4. Evaluation - gather and make sure it's all good information
5. Generate reports
Nikto
Nikto is a Perl-based web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. Options: -h : hostname - -port : port number - -Format : output file format - -config : specify config file - -H : full help
Well know ports
0 - 1023
Hash function must haves (RSA)
1. Input of any length 2. Output of fixed length 3. Easy to compute 4. One-way 5. Collision free
Cloud Computing NIST 800-145
1. On-demand self-service 2. Broad network access: phones, tablets, PCs, ... 3. Resource pooling 4. Rapid elasticity 5. Measured service
Reserved Ports
1024 - 49151 (If you're not 50 you can drink 151)
MD5
128 Bits / Broken / Hashing Function - block
IPV4 vs IPV6
- Address size: 32 bits / 128 bits
- ARP / no ARP (ICMPv6 instead)
- Broadcast (one to many) / anycast (route to nearest node able to process)
- NAT / not needed
Piconet
A Bluetooth network.
Paros Proxy
A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting
Broadcast MAC Address
A MAC address in which all bits are set to 1 (FF:FF:FF:FF:FF:FF).
Sybil Attack
A malicious node assigns itself many secure routing channel identifiers. - Manipulate torrent into believing you are the number one feed, to infect others.
IANA (Internet Assigned Numbers Authority)
A nonprofit, United States government-funded group that was established at the University of Southern California and charged with managing IP address allocation and the Domain Name System (top-level domains). The oversight for many of IANA's functions was given to ICANN in 1998; however, IANA continues to perform Internet addressing and Domain Name System administration.
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits.
Canonical Name (CNAME)
A record that is used to map duplicate host names to a single IP address.
Spread Spectrum Transmission
A technique that takes a narrow signal and spreads it over a broader portion of the radio frequency band.
Tunneling Virus
A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection.
XArp
ARP spoof detection - Sniffing
Common Vulnerability Scoring System V2 Descriptions
AV: Attack Vector AC: Access Complexity Au: Authentication C: Confidentiality Impact I: Integrity Impact A: Availability Impact
Hyena
Active directory tool. Managing, enumeration
RIR (Regional Internet Registry)
AfriNIC - Africa, ARIN - North America, APNIC - Asia Pacific, LACNIC - Southern & Central America, RIPE NCC - Europe, the Middle East and Central Asia.
IV (Initialization Vector)
An initialization vector (IV) is an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session. The use of an IV prevents repetition in data encryption.
SNORT
An open source network intrusion detection system, capable of performing real time traffic analysis and packet logging on IP networks. - Can be configured to run as Sniffer, Packet Logger, or Network Intrusion Detection System
DataThief
Analyzes a graph to get the underlying calculations
Multipart virus
Boot and file virus together
Root Kits
Can operate at several levels - Kernel - Firmware - Application - Memory
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart. A type of challenge-response test used in computing to determine whether or not the user is human.
Metamorphic Virus
Completely rewrites itself every time it infects a new file.
CSIRT (Computer Security Incident Response Team)
Computer Security Incident Response Team is an organization that receives reports of security breaches, conducts analyses of the reports and responds to the senders. It's a single point of contact in the US to report computer security breaches and security incidents. Homeland security affiliation.
PTK (pairwise transient key)
Concatenation of: PMK + ANonce + SNonce + AP MAC + Client MAC
Connection Stream Parameter Pollution
Concatenating unvalidated input into a database connection may allow an attacker to override the value of a request parameter. An attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach. - Connection string with parameters: "Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"
USB Grabber
Copies files from USB automatically when plugged in.
USB Dumper
Copies files from USB devices silently
Block Cipher
DES - IDEA - Blowfish - Skipjack - AES - Twofish - RC2 - RC5 - RC6
DHCP Stages IPv4
DORA (IPV4) - Discover / Offer / Request / Acknowledge
DHCP Stages DORA IPV4
Discover / Offer / Request / Acknowledge
Authentication flood
DoS attack on AP that floods the AP with authentication requests
Bluesmacking
DoS attack which overflows a Bluetooth-enabled device with random packets, causing the device to crash
Smurf attack
DoS that sends pings to broadcast address
ECE TCP flag (64) / CWR TCP Flag (128)
During the synchronization phase of a connection between client and server, the TCP CWR and ECE flags work in conjunction to establish whether the connection is capable of leveraging congestion notification. In order to work, both client and server need to support ECN. To accomplish this, the sender sends a SYN packet with the ECE and CWR flags set, and the receiver sends back the SYN-ACK with only the ECE flag set. Any other configuration indicates a non-ECN setup.
Service-oriented architecture (SOA)
Essentially a collection of services. - Web services
Sam Spade
Footprinting. A free network query tool. Whois, DNS Query and ZT, traceroute, email header analysis, ping, website download, abuse address query, finger. Runs on Windows.
Multi-Ping
Fully featured graph, alert, and report pinging multiple targets.
Cavity Virus
Hiding a virus inside the empty space of a file.
RFC 792
ICMP
RFC 791
IP
Distortion Technique Steganography
Requires the original cover image during the decoding process; the decoder checks for differences between the original cover image and the distorted cover image in order to restore the secret message.
Ports
Know some ports
Cain and Abel
Network sniffer, password cracker, arp poison
Unquoted Service Path
Not putting quotes around a path that contains spaces.
Unicast traffic
One to one communication both sides know IP
OCSP
Online Certificate Status Protocol
SAMBA
Open source version of SMB used in Linux
John The Ripper
Password cracking tool. LM Hash, Brute Force, and Dictionary attacks
SPAN Port
Port Mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.
Hexadecimal indicator
Preceded by 0x to indicate a hex number is to follow.
Stream Cipher
RC4
Hacking phases
RSGMC (Really Should Get Me Cred)
1. Reconnaissance (footprinting) - whois, nslookup, google the company
2. Scanning - port scanning, IP scanner, looking for entry points; touching, not attacking
3. Gaining Access - rootkits, malware, RAT
4. Maintaining Access
5. Clearing Tracks - cover up; delete logs, remove malware
Bluebugging
Remotely accessing the Bluetooth-enabled device and using its features - Make and receive calls. - Look at calendar - More control than Bluesnarfing
Tethered jailbreak
Root the phone, but every time you reboot the phone you have to connect to a PC to aid the jailbreak using an application
Rubber hose attack
Rough the victim up until he gives you the credentials (or whatever info you're looking for)
uRPF / RFC 3704
Rules for ingress filtering using dynamic ACLs to help prevent DDoS
RFC 3207
SMTP Service Extension for Secure SMTP over Transport Layer Security
Stack vs Heap
STACK is used for static memory allocation and HEAP for dynamic memory allocation. Stack is faster and follows a Last In, First Out pattern, while HEAP is slower and contains within it the String Pool (an allocation of memory that stores Strings).
SYN TCP Flag (2)
SYN flag is initially sent when establishing the classic three-way handshake between two hosts
pairwise master key (PMK)
Same for everyone in a pre-shared key environment. Not the same when using 802.1X authentication, where a session master key is used. PSK + SSID hashed. The TKIP key used to generate data encryption keys, data integrity keys, and session group keys, among others. This key is used only once at the start of a session.
Tree Based Assessment Tool
Scan is tailored to what is being scanned. OS, Web App..etc.
Pepper
Second "Salt" that isn't stored in the database
Traceroute
Send ICMP packets with TTL starting at 1 then incrementing by 1. Each hop sends back a Time Exceeded Message.
Black Hole Filtering
Send bad traffic to nowhere
TripWire
Signature Integrity verifier, can help with intrusion detection, software integrity
Active Sniffing
Sniffing a switch. Need to break the normal function to sniff the traffic. ARP poisoning maybe. Can be discovered.
DHCP IPV6 SARR
Solicit / Advertise / request-renew-remind-rebind-confirm / Reply
DHCP Stages IPv6
Solicit / Advertise / request-renew-remind-rebind-confirm / Reply
WiFi Standards
Standard / Freq. (GHz) / Modulation / Speed (Mbps) / Range (ft.)
1. 802.11a / 5 / OFDM / 54 / 20 - 100
2. 802.11b / 2.4 / DSSS / 11 / 35 - 140
3. 802.11g / 2.4 / OFDM, DSSS / 54 / 35 - 140
4. 802.11n / 2.4 and 5 / OFDM / 600 / 70 - 250
- 802.11ac / 2.4 and 5 / OFDM / 1300 / 230
- 802.16 / 10-66 / no mod listed / 70-1000 / 30 miles
- Bluetooth / 2.4 / no mod listed / 1-3 / 25
- 802.11i is the WPA2 standard
DHCP Attacks
- Starvation attack: use up all the addresses - Rogue server: answer DHCP requests to isolate the client or MITM - DHCP Snooping: switch analyzes traffic to prevent rogue DHCP servers. Prevents MITM. Maintains a DHCP binding database.
Stateful Firewall
Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption.
stateless firewall
Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They're not 'aware' of traffic patterns or data flows.
SNOW
Steganography program used to hide info in white space
Wireless Standards at a glance
Standard / Encryption Alg. / IV Size / Key Length / Integrity Check
WEP / RC4 / 24-bit / 40-104-bit / CRC-32
WPA / RC4, TKIP / 48-bit / 128-bit / Michael algorithm and CRC-32
WPA2 / AES-CCMP / 48-bit / 128-bit / CBC-MAC
Bollard
Strong post designed to stop a car
UDP Scan
The scanner usually sends 0 byte UDP packets to each port on the target host. If the scanner receives an "ICMP port unreachable" message, then the port is closed. Otherwise, the port must be open.
Symmetric Algorithms / Asymmetric Algorithms
Symmetric: DES - 3DES - Blowfish - IDEA - RC4-RC6 - AES - Skipjack - Twofish / Asymmetric: RSA - Diffie-Hellman key exchange - DSA - ECDSA
Synonymous ip attack
TCP-SYN packets with a header that specifies one and the same source and destination address - the address of the victim's server. The host server starts using additional system resources (RAM, CPU, etc.) to process each of the packets.
RFC 793
TCP/IP protocol suite. Developed as a flexible, fault-tolerant set of protocols robust enough to avoid failure if one or more nodes went down. Focus was on solving technical challenges of moving information quickly and reliably, not securing it.
Rainbow Table
Table for cracking hashes - Pre-computed hashes - Salts completely thwart precomputed tables, including rainbow tables.
ACK TCP Flag (16)
The acknowledgement flag is used to acknowledge the successful receipt of packets. If you run a packet sniffer while transferring data using TCP, you will notice every packet you send or receive is followed by an Acknowledgement.
Fair and Accurate Credit Transactions Act (FACTA)
The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies
Blueprinting
The art of collecting information about Bluetooth-enabled devices such as manufacturer, model and firmware version
hash spray attack
The attacker then uses PtH to log in to all other workstations using the extracted local administrator hash and repeats the process
Heap-based buffer overflow
The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer.
Gap Analysis
The gap analysis process involves determining, documenting and obtaining management's recognition of the variance between the requirements set forth in the regulation, guideline and/or best practice standard and the organization's current information security program.
Dictionary Attack
The program uses every word present in the dictionary to find the password. Dictionary attacks can be considered more useful than brute force attacks, although they do not work against systems that use passphrases.
PSH TCP Flag (8)
The push flag (like the urgent flag) exists to ensure that the data is given the priority it deserves and is processed at the sending or receiving end. This flag is used quite frequently at the beginning and end of a data transfer, affecting the way it is handled at both ends. A critical point to mention about the push flag is that it is usually set on the last segment of a file to prevent buffer deadlocks. It is also seen when used to send HTTP or other types of requests through a proxy, ensuring the request is handled appropriately. - The purpose of the PSH bit is to tell TCP not to wait for the buffer to become full but to send the data immediately.
RST TCP Flag (4)
The reset flag is used when a segment arrives that is not intended for the current connection. If you were to send a packet to a host in order to establish a connection, and there was no such service waiting to answer at the remote host, the host would automatically reject the request and then send you a reply with the RST flag set. This indicates that the remote host has reset the connection. Another point about the reset flag is that most hackers use this feature to scan hosts for open ports.
URG TCP Flag (32)
The urgent pointer flag is used to identify incoming data as urgent. The incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately. An urgent pointer could be used during a stream of data transfer to stop the data processing on the other end. - The URG pointer tells how many bytes of the data in the segment that has arrived are urgent.
GRC Governance Risk Compliance
Think of GRC as a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.
Key Escrow
Third party storage
Active Stack Fingerprinting
is based on the principle that an operating system's IP stack has its own unique way of responding to specially crafted TCP packets.
FTP Bounce Scan
This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. One of the abuses this feature allows is causing the FTP server to port scan other hosts. The error message will describe whether the port is open or not.
Rule Based Attack
This technique combines brute force, dictionary, and syllable attacks. Based on rules known about the passwords
Hybrid Attack
This type of attack is based on the dictionary and brute force attacks. Often, people change their passwords by just adding numbers to their old passwords. The attack starts from a dictionary word, and the program then adds numbers and symbols to the words from the dictionary.
Mutated Buffer Overflow attack
To bypass the IDS, the hacker can randomly replace some of the NOP instructions with equivalent pieces of code (e.g. x++; x--; is equivalent to NOP NOP).
Inference Based Assessment Tool
Tool decides what to scan based on what it discovers.
HTTrack
Tool used to suck down an entire site to probe for weaknesses or put up duplicate fake site.
ICMP Types (Each Type has several codes)
Types:
- 0: Echo Reply
- 3: Destination Unreachable
- 4: Source Quench
- 5: Redirect
- 8: Echo
- 9: Router Advertisement
- 10: Router Selection
- 11: Time Exceeded
- 12: Parameter Problem
- 13: Timestamp
- 14: Timestamp Reply
- 15: Information Request
- 16: Information Reply
- 17: Address Mask Request
- 18: Address Mask Reply
- 30: Traceroute
Destination Unreachable (type 3) codes:
- 0: Net is unreachable
- 1: Host is unreachable
- 2: Protocol is unreachable
- 3: Port is unreachable
- 4: Fragmentation is needed and Don't Fragment was set
- 5: Source route failed
- 6: Destination network is unknown
- 7: Destination host is unknown
- 8: Source host is isolated
- 9: Communication with destination network is administratively prohibited
- 10: Communication with destination host is administratively prohibited
- 11: Destination network is unreachable for type of service
- 12: Destination host is unreachable for type of service
- 13: Communication is administratively prohibited
- 14: Host precedence violation
- 15: Precedence cutoff is in effect
USB Snoopy
USB Sniffer software. Sniffs data between a PC and a USB device.
IIS information leakage protect
Use URLScan via the IIS lockdown tool
Blue Jacking
Usually harmless. Sending unsolicited messages to a Bluetooth-enabled device.
802.11
WLAN Implementation standard - is part of the IEEE 802 set of LAN protocols, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer communication in various frequencies, including but not limited to 2.4, 5, and 60 GHz frequency bands.
WMIC - Command line utility interfaces with WMI
WMI provides a huge amount of functionality for the administration of Windows-based networks allowing users with the right credentials to do anything from launch processes to modify the security settings on the remote machine.
Query string manipulation
When you mess with a URL string to try to gain access.
Boot Sector Virus
Will move the MBR and copy itself in its place
XKMS
XML Key Management Specification
Message Digest (aka)
a. hashes b. hash values c. hash total d. CRC e. fingerprint f. checksum g. digital ID
Root kits
a set of software tools that enable an unauthorized user to gain control of a computer system without being detected
Worms
a standalone malware computer program that replicates itself in order to spread to other computers.
IoT definition
a system of interrelated, internet-connected objects able to collect (sensors) and transfer data without human interaction.
Havij
an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
Logical Access Control
are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems. Logical access is often needed for remote access of hardware and is often contrasted with the term "physical access", which refers to interactions (such as a lock and key) with hardware in the physical environment, where equipment is stored and used.
ICMP Tunneling
can be used to bypass firewall rules through obfuscation of the actual traffic. Depending on the implementation of the ICMP tunneling software, this type of connection can also be categorized as an encrypted communication channel between two computers
URL Fuzzer
can be used to find hidden files and directories on a web server by fuzzing. This is a discovery activity which allows you to discover resources that were not meant to be publicly accessible (ex. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc).
tcp-over-dns tool
contains a special dns server and a special dns client. The client and server work in tandem to provide a TCP (and now UDP too!) tunnel through the standard DNS protocol.
Kerbcrack
crack kerberos passwords
ANSI X9.17
developed to address the need of financial institutions to transmit securities and funds securely using an electronic medium. Specifically, it describes the means to ensure the secrecy of keys.
Time Memory Trade Off attack
generic terminology for an algorithm which improves (shortens) running time by using more space (memory); or, similarly, that improves memory usage (i.e. using less RAM or disk, or using it "better", e.g. with sequential access instead of random access) at the expense of more computing time - Rainbow tables
OWASP Introduction Testing Link
https://www.owasp.org/index.php/Testing_Guide_Introduction
Passive sniffing
involves listening and capturing traffic, and is useful in a network connected by hubs - Data link layer
Data Recovery Agent
is a Microsoft Windows user who has been granted the right to decrypt data that was encrypted by other users. The assignment of DRA rights to an approved individual provides an IT department with a way to unlock encrypted data in case of an emergency.
ciphertext-only attack
is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts
kismet
is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. - Can detect devices not connected to networks - Is passive / NetStumbler is active - Wireless card used can't be associated with any AP - Displays "hidden" networks - Config file is kismet.conf - Two parts: server (sniffer) / client (GUI) - Appends "mon" to the end of the wireless interface name when monitoring
XML Denial of Service Attack
is a content-borne denial-of-service attack whose purpose is to shut down a web service or system running that service. A common XDoS attack occurs when an XML message is sent with a multitude of digital signatures and a naive parser would look at each signature and use all the CPU cycles, eating up all resources. These are less common than inadvertent XDoS attacks which occur when a programming error by a trusted customer causes a handshake to go into an infinite loop.
Fraggle Attack
is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal - Mitigate: block the echo port (port 7)
Security Token
is a physical device used to gain access to an electronically restricted resource.
TCP SYN Scan (Stealth)
is referred to as "half-open" scanning, because the scanner doesn't establish a full TCP connection. The scanner sends a SYN packet, as if trying to open a real connection. A returned SYN|ACK packet indicates the port's listening. A RST packet means the port is closed. However, if a SYN|ACK is received, a RST is immediately sent back to prevent the host from opening a connection
Residual risk
is the amount of risk that remains after controls are accounted for.
Protect Wireless
- Long passwords - Client settings (WPA2, not WEP) - Use a VPN
Linux process in background
program & - tack on the ampersand
Confusion (Cryptography)
provided by mixing (changing) the key values used during the repeated rounds of encryption
Diffusion (Cryptography)
provided by mixing up the location of the plaintext throughout the ciphertext
Network Admission Control (NAC)
refers to Cisco's version of Network Access Control, which restricts access to the network based on identity or security posture. When a network device (switch, router, wireless access point, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network.
Gramm-Leach-Bliley Act (GLBA)
removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.
Inherent Risk
represents the amount of risk that exists in the absence of controls.
ike-scan
is a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers
802.1x
is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. In order for authentication with a server to take place, the client first must go through the open authentication process: a 4-way packet exchange with no passwords.
Password Crack Defense
- Salting - Don't reuse passwords - Don't use simple passwords - Don't use clear text - Don't use default passwords - Encrypt communications - Pepper
Fair Cryptosystems
secret keys are divided into 2 or more pieces, and given to a 3rd party.
Man in the Browser
security attack where the perpetrator installs a Trojan horse on a victim's computer that's capable of modifying that user's Web transactions as they occur in real time.
NetStumbler
short for Network Stumbler will let you easily detect Wireless LAN networks around you, using the 802.11b, 802.11a, and 802.11g WLAN standards. Other than simply detecting the networks, it also reveals some physical details like Signal, Noise, SNR.
Key Size
the notion of "key size" for a cryptographic algorithm does not necessarily correspond to the actual encoded size of either the public or the private key, and it is always delicate to compare key sizes between different algorithms.
Asymmetric Cryptography
two different but mathematically related keys are used where one key is used to encrypt and another is used to decrypt Public / Private key
digital certificate
used to identify the certificate holder when conducting electronic transactions (X.509v3)
1. User generates key pair (public and private)
2. User requests certificate from the CA server
3. CA responds with its public key and digital signature signed with its private key
4. User gathers personal info to send to the CA to get the certificate
5. User sends her public key and additional information encrypted with the CA's public key
6. CA receives the request, then binds the user's identity to the public key
CAM Table (content addressable memory table)
used to record a station's MAC address and its corresponding switch port location and VLAN parameters
.net common runtime
Managed code makes buffer overflows very difficult, but it can still call native APIs (C, C++) that ARE vulnerable.
Key Escrow
(also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
ACK DDoS
- (or ACK-PUSH Flood), attackers send spoofed ACK (or ACK-PUSH) packets at very high packet rates that fail to belong to any current session within the firewall's state-table and/or server's connection list. - Typically, a smaller botnet sends spoofed SYN packets to large numbers of servers and proxies on the Internet that generate large numbers of SYN-ACK packets in response to incoming SYN requests from the spoofed attackers. This SYN-ACK flood is not directed back to the botnet, but instead, is directed back to victim's network and often exhausts the victim's firewalls by forcing state-table lookups for every incoming SYN-ACK packet.
LAN Manager passwords
- 14 bytes - Split in half then hashed separately - If 7 or fewer characters, the second hash is always 0xAAD3B435B51404EE
LM Hashes
- 14 character max - Password is converted to uppercase - Null padded if less than 14 characters - Password is broken into two 7 character halves, each hashed - Based on DES - Broken
SHA1
- 160-bit hashing function similar to MD5 / has been broken - 512-bit block
Blue Tooth
- 2.45 GHz - Uses PSK (Phase shift keying) for connections
ASCII Table
- 48 starts 0 (zero) - 65 Starts Uppercase A - 97 Starts lower case a
DES
- 64-bit block size - Key is 56 bits plus 8 parity bits (64) - Double DES 56x2=112 - Triple DES 56x3=168 - Block cipher - Has been broken - Meet-in-the-middle attack - 112 bits of security - Symmetric - 2TDES is still in use in chipped credit cards; used to compute the 3-digit code.
Subnetting
- 8-bit binary to decimal conversion: map the eight bits (on is 1, off is 0) to the 8-bit number line (128 / 64 / 32 / 16 / 8 / 4 / 2 / 1).
- IPv4 addresses are four 8-bit binary numbers separated by dots.
- /X means the first X bits are the network address. The first X bits are turned on (1).
- The magic number is the number-line value of the last bit that is on in the octet where the slash number ends, minus 1. For /20 the 20th bit is in the third octet; the fourth bit is the last bit on in the third octet; the fourth bit on the number line is 16.
- EX: 192.168.60.55 /20
- To get the first (network) address, first find the octet that has both bits on (1) and off (0) when the first 20 bits are turned on. That is the third octet (60). The first two octets are all on (16 ones).
- The third octet of the mask has 4 ones and 4 zeros: 11110000 (the 20th bit is in the third octet).
- 00111100 is the third octet (60) in binary (32+16+8+4).
- Do the binary-to-decimal conversion on the places where the octet number and the network bits are both on (the first 4 places). Of the first four, the third octet has 32 and 16 on. That means the network address's third octet is 48.
- The broadcast (last) address is figured by adding the magic number (16-1=15) to the network address octet: 48+15=63.
- Broadcast address: any octets after that become 255.
- Network address: left-over octets are 0.
- 192.168.60.55 /20 : notation
- 192.168.48.0 : network address (first address)
- 192.168.63.255 : broadcast address
- https://www.lammle.com/ip-subnet-practice-page/
NOP Sled technique
- A buffer overflow can be used against a variable of fixed length. At the end of the reserved space in memory is a pointer (the return address) to the next area of memory to go to. - The challenge is to point to the shellcode in memory without knowing exactly where it is. - The NOP sled technique is used to land close and keep moving forward in memory until execution hits the code. - 0x90 is the hexadecimal value of the x86 NOP instruction. It does nothing at all.
Cookie Replay Attack
- A cookie replay attack occurs when an attacker steals a valid cookie of a user and reuses it to impersonate that user to perform fraudulent or unauthorized transactions/activities - Mitigation: - Don't expose cookie specifics to the browser - Add a timestamp - Encryption - Use a counter in an encrypted cookie
Secure Cookie
- A flag set in the cookie that says it can only be transported over a secure connection. What counts as a secure connection is defined by the client (browser), usually HTTPS / TLS.
Fuzzer
- A fuzzer is a program which automatically injects semi-random data into a program/stack to detect bugs. - The data-generation part is made of generators, and vulnerability identification relies on debugging tools. Generators usually use combinations of static fuzzing vectors (known-to-be-dangerous values) or totally random data.
RIPEMD-160
- A message digest algorithm that produces a 160-bit hash value after performing 160 rounds of computations on 512-bit blocks.
Software Interrupt
- A software interrupt is a type of interrupt that is caused either by a special instruction in the instruction set or by an exceptional condition in the processor itself. A software interrupt is invoked by software, unlike a hardware interrupt, and is considered one of the ways to communicate with the kernel or to invoke system calls, especially during error or exception handling.
WPA2
- AES and CCMP
Block Cipher - Block size / Key Size
- AES: 128 / 128, 192, 256 - Rijndael: variable block size 128, 192, 256 / key 128, 192, 256 - Twofish: 128 / 1-256 - Blowfish: 64 / 32-448 - DES: 64 / 56 (+8 parity bits) - IDEA: 64 / 128 - RC2: 64 / 128 - Skipjack: 64 / 80 - RC5: 32, 64, 128 / 0-2048
Cookies
- Add stateful information to the stateless HTTP protocol
User Behavior Analytics
- Advanced threat detection by analyzing user behavior patterns and alerting on anomalies.
GFI LanGuard (Vulnerability Assessment Tool)
- Agent Client Based - Paid - Does some remediation (Windows update..)
State-exhaustion attacks
- Also known as protocol attacks, state-exhaustion attacks target the connection state tables in firewalls, web application servers, and other infrastructure components. - Ping of Death: a 65,536-byte ping packet is sent in fragments to a target server as fast as possible.
SaaS (Software as a Service)
- App and data managed by the provider. - The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
PaaS (Platform as a Service)
- Applications and data are yours to manage - The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
Security Audit vs Risk Assessment
- Audit is completed by third party / Assessment can be internal or external - Audit is more detailed / Assessment is high level - Audit uses official documentation as the guide / Assessment uses benchmarks or industry standards.
System Boot Notes
- BIOS loads - Makes sure there is CPU, memory and video - CMOS is BIOS memory: contains settings for memory and CPU - BIOS performs POST tests on hardware - Picks boot device - Old way: reads the first part of the disk, the MBR - New way: UEFI: bigger boot devices, backup copy of boot instructions, larger space for boot instructions. - Bootloader loads kernel and ramdisk (minimal drivers to read from the file system) - Kernel loads other device drivers and the OS - During system boot, the OS loader loads the boot file system, the RAW file system, and all drivers of type SERVICE_BOOT_START before the loader transfers control to the kernel. These drivers are in memory when the kernel gets control.
Hex
- Base 16 - the number line starts at 1 and each next place is multiplied by 16 (1, 16, 256, 4096 ...). - Each place can be one of 16 digits (0 to 9 then a - f); a is 10 and f is 15. - Multiply each digit by its place value, then add. - One hex digit is equal to one nibble - One nibble is half an octet (byte), i.e. 4 bits. - Hex to binary to decimal --- EX: 5F --- 5 × 16 + 15 × 1 = 95 --- use the binary table 8|4|2|1 --- 5 is 0 eights, 1 four, 0 twos, 1 one (0101) --- F (which is 15) is 1111 in binary --- put them together (01011111) --- use the base-two table 128|64|32|16|8|4|2|1 --- 0 128s, 1 64, 0 32s ... --- 95 in decimal is 5F in hex and 01011111 in binary --- EX: 1A5F --- needs four nibble tables combined --- 0001101001011111 --- just keep doubling the binary table --- 4096|2048|1024|512|256|128|64|32|16|8|4|2|1 --- 6751 in decimal is 1A5F in hex - Can also create a base-16 table where each place is a multiple of 16, right to left starting with 1 --- 4096 | 256 | 16 | 1 --- E7A9 (hex) = 14×4096 + 7×256 + 10×16 + 9×1 = 59305
Binary
- Base 2 - the number line starts at 1 and each next place is multiplied by 2. - Each place can be one of two digits (0 or 1). - Multiply each digit by its place value, then add to get decimal. - For conversion to decimal and hex see the HEX entry.
IoT / Edge and Fog Computing
- Both edge computing and fog computing focus on pushing intelligence and processing capabilities to the network edge, closer to where the data originates and away from the cloud. - Edge: things are hardwired into a controller and the controller scrubs the data. - Fog: things are hardwired to a controller, but the data is sent to a gateway for scrubbing.
Beacon Flood Attack
- Broadcasts countless (fake) wireless network beacons
TCP Conversation
- C is client / S is server 1. C: SYN 2. S: SYN/ACK 3. C: ACK - Connection open - C/S: ACK, data - C/S: ACK, data - Close: if C initiates, C: FIN/ACK - S: ACK - S: FIN/ACK - C: ACK - Closed
SHA3
- Can be implemented in place of SHA2. - 224, 256, 384, or 512-bit output - Result of a NIST competition - AKA Keccak - Has nothing to do with SHA1 or SHA2 - 64-bit word size, 24 rounds - block
C++
- Can do anything - Easier than C - Nmap is written in C++ - Susceptible to buffer overflows
C
- Can do anything - Hard to learn - Susceptible to buffer overflows
Cookie Poisoning
- Change a cookie's contents to get personal info or access to things. - Mitigation: encryption
Circuit Level Gateway
- Circuit-level gateways work at the session layer of the OSI model, or as a "shim layer" between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. - Does not look at individual packets; it is only concerned with the TCP connection handshake - No UDP
SMURF attack
- DDoS that sends ICMP echo requests to a broadcast address with a spoofed (victim) source address - Windows will not respond to a ping to the broadcast address.
Blue Team
- Defense
TKIP
- Different key for every packet - Incorporates the sequence number in the key - Uses RC4 - Deprecated - MIC attack
Diffie-Hellman
- Diffie-Hellman is a way of generating a shared secret between two parties such that the secret can't be derived by observing the communication. That's an important distinction: you're not sharing a secret during the key exchange, you're creating a key together. - (g^b)^a mod p = (g^a)^b mod p, so both sides arrive at the same key
Hashing Functions general
- Digest length: divide the bit length by 4 to get the length of the hash in hex characters - Hex characters are 4 bits each - Provides integrity and authenticity (proof of origin and non-repudiation)
HEX Dump
- Each hex place is 4 bits. Two places are taken together as one byte. - First 14 bytes (row 0000) are the Ethernet header: -- First 6 bytes: dest. MAC (no conversion) -- Next 6 bytes: src. MAC -- Last 2: EtherType --- 08 00 : IP --- 08 06 : ARP - The last 2 bytes of row 0000, all of the second row (0010) and the first two bytes of the third row (0020) are the IP header. -- 10th byte is the protocol (hex) --- 06 is TCP --- 01 is ICMP --- 11 is UDP -- Bytes 13-16: source IP -- Bytes 17-20: destination IP - The next 20 bytes are the TCP header (if a TCP packet) -- First 2 bytes (4 hex places, convert to decimal): source port -- Next 2: dest. port -- 14th byte is the flags field: convert each hex place individually to binary, then combine and read off the binary line (1 to 128). 11 would be 0001 and 0001, or 00010001: ACK and FIN --- FIN=1 (first bit is 1) --- SYN=2 (second bit is 1) --- RST=4 --- PSH=8 --- ACK=16 --- URG=32 -- Bytes 5-8: sequence number -- Bytes 9-12: acknowledgement number
Physical Security Threats
- Environmental - Man-made
Application Flood Attack
- Exploits a networked application to execute a DoS attack. - A bug is not necessarily needed.
FIN TCP Flag (1) : Flag order (FSRPAU)
- FIN (1) The FIN flag always appears when the last packets are exchanged between hosts or connections. It is important to note that when a host sends a FIN flag to close a connection, it may continue to receive data until the remote host has also closed the connection.
FIN Scan
- FIN packets can bypass firewalls without modification. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet. This is typical behavior due to the nature of TCP and is in some ways an inescapable downfall.
Screened Host
- Firewall (or computer) that sits between your perimeter router and the internal LAN - Packet filtering
Nessus
- Free version for home use - Vulnerability scanner. It has its own scripting engine, called NASL. Finds vulnerabilities in Unix, Windows, and common web scripts. - Port scan, weak passwords, denial of service, and more
Boot Process Security
- From Vista forward, drivers that aren't signed can't be loaded into kernel mode. - To bypass this, a rootkit attacker needs to modify the boot process before the kernel is loaded, telling the kernel that the attacker's process can load unsigned code.
Attify Zigbee Framework
- GUI wrapper for KillerBee - Hacking Zigbee IoT devices
EAP (Extensible Authentication Protocol)
- Generally used in wireless networks. - WPA/WPA2 (Enterprise) use it - LEAP: Cisco Lightweight EAP -- Passwords only -- No encryption, just hashed - PEAP: Protected EAP; encrypted tunnel; supports multiple authentication methods, such as token card, Kerberos, certificates, etc.
Python
- Good for scripting
ike protocol
- IKE is the key exchange; IPsec encrypts the traffic. - An IPsec (Internet Protocol Security) standard protocol used to ensure security for virtual private network (VPN) negotiation and remote host or network access.
ISO 27001
- ISMS is the key here - A specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. 1. Define a security policy. 2. Define the scope of the ISMS. 3. Conduct a risk assessment. 4. Manage identified risks. 5. Select control objectives and controls to be implemented. 6. Prepare a statement of applicability.
SHA2
- Improvement on SHA1. Can output a 224, 256, 384, or 512-bit hash (digest length). Still viable. - SHA-256: 512-bit blocks / 32-bit word size / 64 rounds (SHA-224 is a truncated version) - Performs better on 32-bit CPUs - SHA-512: 1024-bit blocks / 64-bit word size / 80 rounds (SHA-384 is a truncated version) - Performs better on 64-bit CPUs - block
ISO 27002
- In short it is implementation guidance for ISO 27001.
XMAS Scan
- In this type of scan, the FIN, PSH, and URG flags are set. Closed ports respond to this type of packet with an RST packet. This scan can be used to determine which ports are open. For example, an attacker could send this packet to port 53 on a system and see whether an RST packet is returned. If not, the DNS port might be open.
IDS Evasion Techniques
- Insertion (e.g. via TTL): the IDS processes the packet but the endpoint does not. - Evasion: the IDS does not process the packet but the end host does.
Evade an IDS (Intrusion detection system)
- Insertion: IDS accepts a packet the end system rejects. - Evasion: get the end system to accept a packet the IDS rejects. - Fragmentation attack: split the attack into multiple small packets so the IDS has problems reassembling them properly - Low-bandwidth attack: slow the attack down to evade detection - DoS: IDSs normally fail open instead of closed; overwhelm their resources. - Encrypted streams - Session splicing: put two streams together - TTL attacks: when the timeout is not the same for the IDS and the client.
Chosen-Key Attack
- Intent is to break the cryptosystem - Attacker knows the system and may even know the key. - Find outputs of two keys that are predictably similar.
Shodan / Censys / Thingful
- IoT search engines.
RIoT / Foren6
- IoT vulnerability scanners
DMCA (Digital Millennium Copyright Act)
- It criminalizes circumventing access-control measures (commonly known as digital rights management or DRM) - The legislation implements two 1996 World Intellectual Property Organization (WIPO) treaties: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty.
Cryptography Notes
- Key size / key length: number of bits in a key - Bit strength n means 2^n possibilities to try when breaking the cipher by brute force. - Most ciphers are designed so that the key size and bit strength are the same, but that is not always the case. - Symmetric ciphers are stronger per bit than asymmetric ones: a symmetric key and an asymmetric key of the same bit length are not equally hard to brute force.
Bash
- Linux scripting
Volumetric Attacks
- Many sources overwhelm bandwidth with UDP or ICMP traffic
Buffer Overflow
- Mitigations: - Bounds checking - Randomizing memory layout (ASLR) - Leave space between buffers and watch for things written there (canaries) - Use safe libraries - Pointer protection: PointGuard uses XOR of pointers. - Make heap and stack non-executable (CPU flag NX or XD) - Deep packet inspection - It is possible to write into areas known to hold executable code and replace it with malicious code.
ADS (Alternative data streams)
- NTFS only - Hide a file inside another file; the command below creates the stream: - type C:\mysecrets.txt > C:\legal.txt:mysecrets.txt - View: - notepad legal.txt:mysecrets.txt - Detect: - dir /R
NTLM
- NTLMv1 is broken; uses DES - NTLMv2 uses HMAC-MD5 (not brute-forceable) - To set AD to only use NTLMv2, set the LAN Manager authentication level to 5.
Shodan
- Needs basic search criteria, e.g. country:"IT"
nbtstat
- NetBIOS names and cache on the machine it is run on. - nbtstat -c shows the NetBIOS cache
Angry IP Scanner
- Network / port scanner - Uses ping
802.11 Packet Types
- Not all network cards and OSs will capture management and control packets when sniffing. - Management - These packets are used to establish connectivity between hosts at layer two. Some important subtypes of management packets include authentication, association, and beacon packets. - Control - Control packets allow for delivery of management and data packets and are concerned with congestion management. Common subtypes include Request-to-Send and Clear-to-Send packets. - Data - These packets contain actual data and are the only packet type that can be forwarded from the wireless network to the wired network.
Red Team
- Offense / Penetration testing
Perl
- Old - Legacy web systems
Stack-based buffer overflow
- Overwriting variables or pointers of the program to change its behavior - Trampolining: the attacker finds a pointer to the vulnerable stack buffer and computes the location of their shellcode relative to that pointer
Kerberos Hacks
- Pass-the-ticket: forging a session key and presenting that forgery to the resource as credentials * https://blog.stealthbits.com/detect-pass-the-ticket-attacks - Golden Ticket: a forged Kerberos ticket that grants a user domain admin access --- Requires compromising the KRBTGT account (which generates and validates tickets) --- Need domain / domain SID / KRBTGT password hash (need to be domain admin) - Silver Ticket: a forged ticket that grants access to a service - Credential stuffing / brute force: automated continued attempts to guess a password - Encryption downgrade with Skeleton Key malware: malware that can bypass Kerberos, but the attacker must have admin access - DCShadow attack: attackers gain enough access inside a network to set up their own DC to use in further infiltration
Vulnerability scanning vs penetration testing
- Penetration testing requires a human to tweak and conduct the test / Vulnerability scanning does not. - Vulnerability scanning is generally wider in scope - Vulnerability scanning is cheaper - Penetration testing could turn up vulnerabilities that aren't known / Vulnerability scanning deals only with known ones.
Back Orifice
- Port 31337 - Program designed for remote system administration - Trojan - Allows a user to control a computer running Microsoft Windows XP and earlier - Can take screenshots of the computer screen and send them back to the hacker
OpenVAS
- Port scanning and vulnerability tool - Web based - Suggests mitigations - Marks findings with CVE numbers - Only have to give it an IP
Honeypots Misc
- Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot
SSTP (Secure Socket Tunneling Protocol)
- Pros 1. Decent security 2. Microsoft supported 3. Uses port 443 - firewall friendly 4. It is secure - Cons 1. Owned by Microsoft (not open source) 2. Susceptible to SSL 3.0-type attacks - but can use AES
Open VPN
- Pros 1. Open source 2. Versatile 3. Windows compatible 4. Can run on port 443 or any port
PPTP (Point to Point Tunneling Protocol)
- Pros 1. Wide support 2. Easy to set up 3. Fast - Cons 1. Insecure / broken 2. Can be blocked with ease (has to use port 1723)
PGP
- Public/private key (symmetric and asymmetric) - Encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address.
Recon-ng
- Recon-ng is a full-featured web reconnaissance framework written in Python (CLI - Linux) - Used to get social media reports
RSA
- Rivest / Shamir / Adleman - One of the first public-key cryptosystems and widely used. The encryption key is public and is different from the decryption key, which is kept secret (private). In RSA, this asymmetry is based on the difficulty of factoring the product of two large prime numbers - Uses variable-length keys between 1024 and 4096 bits - RSA claims that 1024-bit keys are still viable but should be replaced. 2048-bit keys are sufficient until 2030 - Really neither block nor stream, but encryption/decryption works on blocks.
Grid Computer
- SETI is an example
SHA-384 / 512
- SHA2 - All output their respective number of bits - All use a 1024-bit block size for processing
SHA-160 / 224 / 256
- SHA2 - All output their respective number of bits - All use a 512-bit block size for processing
SSL / TLS notes
- SSL 3.0 is subject to the POODLE vulnerability. - TLS replaced SSL - TLS 1.0 and 1.1 are vulnerable - TLS 1.2 and 1.3 are viable
SYN Flood Mitigation
- Essentially, in a SYN flood DDoS the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation. A. SYN cookies: instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first. B. RST cookies: the server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point the server knows the client is valid and will now accept incoming connections from that client normally. D. Stack tweaking: TCP stacks can be tweaked in order to reduce the effect of SYN floods; reduce the timeout before a stack frees up the memory allocated for a connection. E. Micro blocks: instead of allocating a complete connection, simply allocate a micro record of 16 bytes for the incoming SYN object.
WPScan
- Scans WordPress sites - Hacks and recon
Zwave / Zigbee
- Short range (30 to 100 feet) - Used in smart home IoT.
HMAC (Hash-Based Message Authentication Code)
- Similar to a digital signature but uses symmetric keys. - Does not supply non-repudiation because it uses a shared key. - Variable length
RFCrack / HackRF
- Software-defined radio attack tool - Key fobs - IoT stuff - HackRF is a device
SQL Injection basics
- Start with a single quote because this will escape (break out of) the quoted text input.
Bit Flip Attack
- Stream ciphers only - Doesn't actually decrypt, just interferes with the message, but can affect the output predictably if you know which bits to flip. - Protect: use the shared key to derive two sub-keys (k1 and k2), hash the message with k1, append the hash to k2 and hash again.
Email tracking
- Such email tracking is usually accomplished using standard web tracking devices known as cookies and web beacons. When an email message is sent, if it is a graphical HTML message (not a plain text message) the email marketing system may embed a tiny, invisible tracking image (a single-pixel gif, sometimes called a web beacon) within the content of the message. When the recipient opens the message, the tracking image is referenced. When they click a link or open an attachment, another tracking code is activated.
Blowfish Cipher
- Symmetric-key block cipher similar to AES but uses a 64-bit block size instead of AES's 128-bit - Is susceptible to birthday attacks
AES (Rijndael)
- Symmetric block cipher - 128-bit block, 128/192/256-bit keys - Stronger and faster than Triple-DES - Interestingly, AES performs all its computations on bytes rather than bits - Used in FTPS, HTTPS, SFTP, AS2, WebDAVS, OFTP, WPA2 - Four major operations 1. Substitute bytes 2. Shift rows 3. Mix columns 4. Add round key (XOR)
SOCKS protocol
- TCP proxy protocol - SOCKS5 supports UDP, DNS, and authentication / SOCKS4 does not. - SOCKS4 and SOCKS5 don't mean you're protected. SOCKS is just a proxy type. A proxy just passes your connection to someone else, who then passes it to your destination. However, your traffic is still completely visible.
IDS Evasion
- TTL: insertion. The IDS processes the packet but the host does not; desync of IDS and endpoint. - MAC address attack: packet has the MAC of the IDS and the IP of the endpoint. The IDS receives it but the endpoint won't; desynchronization. - Encryption between malware and C&C - IP fragmentation attack: overlap the reassembly data / set Do Not Fragment with a large packet when the IDS sits between two routers with different MTUs --- Both result in desynchronization. - Polymorphic blending attack: evade signature detection through code obfuscation, encryption, byte substitution. Key here is signature evasion. - Mix NOP instructions with real code in a way that does not affect the running of the malicious code.
Application Firewall
- The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which (without additional software) is unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls. - A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack, and is also known as a proxy-based or reverse-proxy firewall. - WAF - A host-based application firewall can monitor any application input, output, and/or system service calls made from, to, or by an application. This is done by examining information passed through system calls instead of or in addition to a network stack. A host-based application firewall can only provide protection to the applications running on the same host.
Session fixation attack
- The attacker has to provide a legitimate web application session ID and try to make the victim's browser use it. The session ID is shared with the attacker - Session hijack happens before the user logs in.
Cover Generation Technique Steganography
- The cover (image) is generated for the sole purpose of hiding something. - Not taking an existing image or file; creating a new one.
Idle Scan (IPID)
- The key to an idle scan is to find a zombie that is idle and increments its IP ID globally. Low latency is important. - IPID is a counter in the IP header. - Attacker sends a SYN/ACK to the zombie - Zombie, not expecting it, sends a RST with its IPID - Attacker sends a SYN packet spoofed to look like it is coming from the zombie - Target sends a SYN/ACK (open port) or a RST (closed port) to the zombie. -- Target sends SYN/ACK (open port): zombie, not expecting it, sends a RST and increments its IPID. -- Target sends RST (closed port): zombie ignores it, leaving its IPID unchanged. - By seeing whether the IPID was incremented, you can determine if the port is open. - Many ISPs don't allow packets out that are from a spoofed IP.
Shellcode
- The term shellcode literally refers to code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh or cmd.exe. The only possible reason for launching such commands is to take control of or exploit a compromised machine. - A piece of machine code (commonly) used as the payload for an exploit - Null bytes (0x00) will disturb the functionality of overflows that use string handling, since they mean end of string.
SNORT Rules EX: alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
- The text up to the first parenthesis is the rule header and the section enclosed in parentheses is the rule options. The words before the colons in the rule options section are called option keywords. - This one says: if you find "00 01 86 a5" in any TCP packet from any source IP and port going to any IP on the 192.168.1.0/24 network on port 111, send the message "mountd access". - Snort flags: -W : list available interfaces -v : verbose -V : Snort version -c : location of configuration file -T : test config file -i : interface -L : logging mode -l : log directory
xp_cmdshell
- xp_cmdshell is a very powerful extended stored procedure used to run the command line (cmd). This is very useful for running tasks in the operating system like copying files, creating folders, sharing folders, etc. using T-SQL.
Spatial Domain Steganography
- These techniques use the pixel gray levels and their color values directly for encoding the message bits. - Adds a lot of noise.
OSSTMM (Open Source Security Testing Methodology Manual)
- This is a methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital. - Defines three types of compliance 1. Legislative - deals with governmental regulations 2. Contractual - deals with requirements that are enforced by an industry or group. PCI DSS is an example. 3. Standards-based - deals with practices that are recommended and must be certified by an organization or group - Interactive Controls (Class A): directly influence visibility, access, or trust interactions 1. Authentication is a control through the challenge of credentials based on identification and authorization. 2. Indemnification is a control through a contract between the asset owner and the interacting party. This contract may be in the form of a visible warning as a precursor to legal action if posted rules are not followed, specific public legislative protection, or a third-party assurance provider in case of damages, like an insurance company. 3. Resilience is a control over all interactions to maintain the protection of assets in the event of corruption or failure. 4. Subjugation is a control assuring that interactions occur only according to defined processes. The asset owner defines how the interaction occurs, which removes the freedom of choice but also the liability of loss from the interacting party. 5. Continuity is a control over all interactions to maintain interactivity with assets in the event of corruption or failure. - Process Controls (Class B): controls which are used to create defensive processes 6. Non-repudiation is a control which prevents the interacting party from denying its role in any interactivity. 7. Confidentiality is a control for assuring an asset displayed or exchanged between interacting parties cannot be known outside of those parties. 8. Privacy is a control for assuring the means of how an asset is accessed, displayed, or exchanged between parties cannot be known outside of those parties. 9. Integrity is a control to assure that interacting parties know when assets and processes have changed. 10. Alarm is a control to notify that an interaction is occurring or has occurred.
Sub7
- Trojan - Server/client - Key logging - Can be controlled via IRC - Remote control
showmount
- Unix shares from the NFS daemon - Displays a target host's NFS exported file systems and the clients attached
Phlashing Attack
- Upload or "flash" a device's firmware. - Permanent DoS - Backdoor
Evil Twin AP
- Use a device (Pineapple) to broadcast the same SSID as the one the target legitimately attaches to. - MitM attack - Protections: VPN, WIPS (wireless intrusion prevention system)
Apache Protect against info leak
- Use mod_negotiation (hides file extensions in the URL) - ServerTokens Prod (changes the Server header to product only, i.e. Apache) - ServerSignature Off (removes the version information from pages generated by the Apache web server) - Generic error messages
QAM (quadrature amplitude modulation)
- Used in 802.11 - A combination of AM and PM; it converts a digital signal to analog form by varying the amplitude and the phase of the carrier signal, enabling encoding of up to four data bits. It is similar to QPSK.
Java
- Used in Android - Portable to desktops / phones - No buffer overflows (only in very rare cases)
Rolling Code Attack
- Used to steal cars - Keyless entry/start - Two-person (device) attack - One person jams the signal near the car - Second person clones the key fob by capturing the traffic.
screened subnet
- Using two firewalls or one multi-homed firewall to screen off network segments (DMZ, intranet, internet)
Common Vulnerability Scoring System V3 Descriptions
- V2 is different - AV:N - Attack Vector (Network/Adjacent/Local/Physical) - AC:H / AC:L - Attack Complexity (High/Low) - PR:N - Privileges Required (None/Low/High) - S:U - Scope (Unchanged/Changed) - C:N - Confidentiality Impact (None/Low/High) - I:N - Integrity Impact (None/Low/High) - A:N - Availability Impact (None/Low/High)
HAVAL hash function
- Variable-length output - 128 / 160 / 192 / 224 / 256 bits
Blueborne attack
- Vulnerability in unpatched Bluetooth stacks that allows complete access to a device via Bluetooth in any device state.
Javascript
- Used by web sites / web servers - Pretty easy to use
nikto
- Web vulnerability scanner - nikto -h http://whatever.com -root /blweb - The above does a quick scan and says the web root is /blweb. You don't have to use the -root flag if the default root is used.
ICMP Misc
- Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.
TCP Spoof Note
- You can't spoof your IP and successfully use TCP: the return packets won't go to you.
IaaS (Infrastructure as a Service)
- You manage the OS and up. - The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
Chosen Ciphertext attack
- A cryptanalyst can choose arbitrary ciphertexts and obtain their corresponding plaintexts, then analyse the pairs. The goal is to recover the secret key or to learn as much information about the attacked system as possible. - In a chosen plaintext attack you can only turn plaintext into ciphertext, not ciphertext into plaintext.
LoRa
- a long range, low power wireless platform - 10 km / 6 miles
Jump To Register Buffer Overflow
- allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. - overwrite the return pointer with something that will cause the program to jump to a known pointer
nmap
- displays exposed services on a target machine along with other useful information such as the version and OS detection. - nmap -sP 10.0.0.0/24 ping scans the network, listing machines that respond to ping. MAC, Hardware Vendor, IP - Has a scripting engine that expands its capabilities as a vulnerability scanner
Digital Signature Standard (DSS)
- document that NIST puts out to specify the digital signature algorithms & the encryption algorithms approved for use by the U.S. Federal Government: - Hashing must be SHA-3 - Three NIST approved algorithms: DSA / RSA / ECDSA
SMB (Server Message Block Protocol)
- enables an application -- or the user of an application -- to access files on a remote server, as well as other resources, including printers, mail slots and named pipes. - Port 445 - Layer 7 (Application) - WannaCry and Petya (ransomware) used SMB version 1.0 - Now at version 3.1.1 (2015)
Transform Domain Steganography
- encode message bits in the transform domain coefficients of the image. - Watermarking - Large file hiding (need large image)
PCI DSS (Payment Card Industry Data Security Standard)
- industry regulated
SMB Signing
- is a Windows feature that allows you to digitally sign at the packet level. - Protects against MiTM attacks
netstat
- is a command line tool for monitoring network connections both incoming and outgoing as well as viewing routing tables, interface statistics etc
Netcat
- is a computer networking utility for reading from and writing to network connections using TCP or UDP. - it can produce almost any kind of connection -u : UDP mode -p : listen port -e : program to execute after connection -l : listen mode -L : listen even after connection -v or -w : run verbosely -n : don't resolve names -z : don't send data -w1 : wait not more than 1 second for connection -r : randomly choose ports in range - Ncat is better and available with Nmap.
WebGoat
- is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
PSK (Phase shift keying)
- is a digital modulation process which conveys data by changing (modulating) the phase of a constant frequency reference signal (the carrier wave). The modulation is accomplished by varying the sine and cosine inputs at a precise time. It is widely used for wireless LANs, RFID and Bluetooth communication
Burp Suite
- is a graphical tool for testing Web application security - proxy intercepts traffic and manipulates it - Eliminates security warnings - Can generate clickjacking attacks - Session hijacking
Metasploit's Meterpreter
- is a post-exploitation tool based on the principle of 'In memory DLL injection'. - makes the target run the injected DLL by creating a new process in the target that calls the injected DLL.
Null Scan
- is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn't contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags - The expected result of a Null Scan on an open port is no response. Since there are no flags set, the target will not know how to handle the request. It will discard the packet and no reply will be sent. If the port is closed, the target will send an RST packet in response.
PKI (Public Key Infrastructure)
- is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. - certificate authority (CA) that stores, issues and signs the digital certificates - registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA - central directory—i.e., a secure location in which to store and index keys
Common Criteria
- is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria is more formally called "Common Criteria for Information Technology Security Evaluation." - Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product, such as a firewall. The Evaluation Assurance Level (EAL) defines how thoroughly the product is tested. Evaluation Assurance Levels are scaled from 1-7, with one being the lowest-level evaluation and seven being the highest-level of evaluation. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more tests.
Diffie-Hellman key exchange
- key exchange method that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. - Group 1 : 768 BIT (not secure) - 2 : 1024 (secure and fast) - groups from here on are more secure and slower - 5 : 1536 - 14 : 2048 - 15 : 3072 - 19 : 256 elliptic curve - 20 : 384 elliptic curve
RPC
- rpcinfo: available for Linux and Windows server. Shows RPC information. - RPC: It enables remote users or RPC clients to execute commands and transfer data using RPC calls or over the RPC protocol. - RPC spans the transport layer and the application layer. - Exchange uses RPC - Windows: MMC, AD, WMI - Client : Server
N-Tier/Multi-Tier Architecture
- is a client-server architecture in which presentation, application processing, and data management functions are physically separated. The most widespread use of multi-tier architecture is the three-tier architecture - 1: Presentation 2: Logic 3: Data - tiers only communicate with adjacent tiers - Must be independent of each other
Google Searches
- sailing OR boating : either the word sailing or the word boating - printer -cartridge : the word printer but NOT the word cartridge - Toy Story +2 : movie title including the number 2 - define:serendipity : definitions of the word serendipity - how now * cow : the words how now cow separated by one or more words - addition; 978+456 - percentage; 50% of 100 - raise to a power; 4^18 (4 to the eighteenth power) - old in new (conversion) : 45 celsius in Fahrenheit - site:(search only one website) : site:lifewire.com "torrent sites" - link:(find linked pages) - #...#(search within a number range) : nokia phone $200...$300 - safesearch: (exclude adult content) - --- - safesearch:breast cancer - info: (find info about a page) : info:www.lifewire.com - related: (related pages) : related:www.lifewire.com - cache: (view cached page) : cache:google.com - filetype:(restrict search to specific filetype) : zoology filetype:ppt - allintitle: (search for keywords in page title) : allintitle:"nike" running - inurl:(restrict search to page URLs) inurl:chewbacca - site:.edu (specific domain search) site:.edu, site:.gov, site:.org, etc. - site:country code (restrict search to country) site:.br "rio de Janeiro" - intext:(search for keyword in body text) intext:parlor - allintext: (return pages with all words specified in body text) allintext:north pole - phonebook:(find a phone number) phonebook:Google CA - bphonebook: (find business phone numbers)
HTTPOnly Flag
- the cookie cannot be accessed through client side script - is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (all major browsers support it).
Google Search URL/Title/Text
- website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. - intitle:intranet inurl:intranet+intext:"human resources"
Stealth Virus
- while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results - Stealth viruses hide in files, partitions and boot sectors and are adept at deliberately avoiding detection
hping3
-T : Traceroute mode -a : hostname (Spoof) -s : source port -p : dest port -c : count - Can use TCP instead of ICMP - Can use ICMP - Firewall testing - Advanced port scanning - Network testing, using different protocols, TOS, fragmentation - Manual path MTU discovery - Advanced traceroute, under all the supported protocols - Remote OS fingerprinting - Remote uptime guessing - TCP/IP stacks auditing - help predict sequence numbers
Pass the Hash Attack
1. An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network. 2. PtH is not necessarily an exploitation technique, it is a feature provided by Microsoft Windows. Therefore there is no fix. It is possible to manage the risk of PtH style attacks but it requires horizontal segregation of authentication privileges. 3. Protections a. Different passwords for all users b. Strong passwords c. Disable LM hashes
Vulnerability Management Life-Cycle (BVRRVM)
1. Baseline (Pre-Engagement) - Pre-Planning/Assessment/Engagement phase - Need to understand the business / procedures / processes day to day - what security controls do they already have in place - define the scope - Official paperwork - Scheduling 2. Vulnerability Assessment (Pre-Engagement) - Scan for known vulnerabilities - Patches / Misconfigurations / physical site security maybe / ..... 3. Risk Assessment - Take those vulnerabilities and figure out how they are a threat - What is the risk they will happen - What is the bad stuff that could happen 4. Remediation - Fix it - Figure out who is going to fix it etc. - Develop new processes and controls - Keep it from happening again 5. Verify - Is the remediation working? - Try to break it. 6. Monitor - Watch and make sure protections stay in place - New procedures are being followed.
Digital Signature process
1. Bob generates a message digest of original plain text message using hash algorithm 2. Bob encrypts ONLY the digest with his private key. (This is the digital signature) 3. Bob appends the signature with the plain text message. 4. Receiver uses Bob's public key to decrypt and then hashes the plain text message to verify the two hashes match.
WPA2 crack
1. Capture the four-way handshake with a program like airmon-ng 2. Crack the password with a program like hashcat or aircrack-ng 3. NOTE: if you are impatient you can deauth a client to force the handshake. Can use a program like airodump-ng and aireplay-ng.
Kerberos Authentication
1. Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC) - Client uses its password as an encryption key to encrypt part of the request. 2. The KDC verifies the credentials and sends back an encrypted TGT and session key. 3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key 4. The client stores the TGT in non-persistent memory and when it expires the local session manager will request another TGT (this process is transparent to the user) -- If the client is requesting access to a service or other resource on the network, this is the process: 5. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access 6. The KDC verifies the TGT of the user and that the user has access to the service 7. TGS sends a valid session key for the service to the client - Part of that key is encrypted with the key of the server granting access (file server maybe) 8. Client forwards the session key to the service to prove their identity. The server now knows you are who you say you are and can use your username to grant access to the resources it has a record of you being able to access. The file server does not store the ticket.
IoT Communication models
1. Device to Device 2. Device to cloud 3. Device to Gateway 4. Back-End-Data Sharing - used to scale the device to cloud model to allow for multiple devices to interact with one or more application servers
HIPAA - Health Insurance Portability and Accountability Act (1996)
1. Electronic transaction code sets: Adopting a uniform set of medical codes is intended to simplify the process of submitting claims electronically and reduce administrative burdens on health care providers --- 1. International Classification of Diseases --- 2. Current Procedural Terminology --- 3. HCFA Common Procedure Coding System --- 4. Code on Dental Procedures and Names --- 5. National Drug Codes 2. Security Rule: requires appropriate administrative, transmission, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information 3. Compliance and enforcement: HHS' Office for Civil Rights is responsible for enforcing the Privacy and Security Rules 4. National identifier requirements. --- 1. Employer (EIN) --- 2. Provider (NPI) ------ a. Type 1 is a person ------ b. Type 2 is a health care provider (hospital..) --- 3. Health Plan (HPID) - may be going away --- 4. Patient: No standard yet
System Hacking Cycle
1. Enumeration 2. Cracking Passwords 3. Escalating Privileges 4. Executing Applications 5. Hiding Files 6. Covering Tracks
Risk Management Phases (IATTR)
1. Identification -- Internal and External 2. Assessment 3. Treatment -- Implement proper controls to mitigate 4. Tracking -- make sure controls are being implemented -- make sure controls aren't creating new risk 5. Review -- Check effectiveness of mitigating controls
Threat Modeling (IADII) - Risk assessment for applications
1. Identify Objectives -- What are you trying to achieve -- How much time and effort will it take 2. Application Overview -- Laying out all the aspects of a system ---- Elements / Components ---- Data / Data flows ---- Security mechanisms ---- Trust boundaries 3. Decompose Application -- Deep dive into the system -- Can uncover more threats 4. Identify Threats 5. Identify Vulnerabilities
IOT Hacking methodology
1. Information Gathering - Shodan, Censys, Thingful 2. Vulnerability Scanning - Multi-Ping, NMAP, RIoT, Foren6 3. Launch Attack - RFCrack, Attify Zigbee Framework, HackRF 4. Gain Access 5. Maintain Access
OWASP Top 10
1. Injection - Injection attacks occur when the user is able to input untrusted data, tricking the application/system into executing unintended commands 2. Broken Authentication - Broken authentication occurs when the application mismanages session related information such that the user's identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc 3. Sensitive Data Exposure - Attackers can sniff or modify the sensitive data if not handled securely by the application. A few examples include use of weak encryption keys, use of weak TLS 4. XML External Entities (XXE) - An application is vulnerable to XXE attacks if it enables users to upload a malicious XML which further exploits the vulnerable code and/or dependencies 5. Broken Access Control - Broken access control occurs if a user is able to access unauthorized resources; this can be access to restricted pages, databases, directories etc 6. Security Misconfigurations - Examples of these security misconfigurations are weak passwords, default passwords, default scripts stored on the servers, default directories, default error messages etc 7. Cross Site Scripting - Cross-site scripting occurs when an attacker is able to insert untrusted data/scripts into a web page. 8. Insecure Deserialization - Some applications save data on the client side and they may be using object serialization. Applications which rely on the client to maintain state may allow tampering of serialized data. This is a new entry in the list and is difficult to exploit. 9. Using Components with Known Vulnerabilities - The components can be coding frameworks, libraries, vulnerable functions, network frameworks etc. 10. Insufficient Logging and Monitoring - To ensure the malicious intent of the attackers gets noticed beforehand, it is essential to log all the activity and monitor it for any suspicious behavior.
--- https://www.greycampus.com/blog/information-security/owasp-top-vulnerabilities-in-web-applications
Physical Security Control Types
1. Preventive -- Gates, doors, locks, guards 2. Detective -- Sensors, Video 3. Deterrent -- Warning signs 4. Recovery -- BDCR plans, Backups 5. Compensating -- Hot-site backup, redundant power, hot spare
IRT (Incident Response Team)
1. Proactively assessing and mitigating 2. Quick response to incidents 3. Manage IR procedures -- Legalities, Requirements 4. Follow procedures (stay on book) -- minimize damage 5. Analyze -- what occurred -- impact 6. Single point of contact 7. Recommend new controls 8. Build relationships
Security Policy Types
1. Promiscuous -- No security policy 2. Permissive -- Block bad stuff everything else ok 3. Prudent -- Allow good stuff block everything else 4. Paranoid -- Everything or almost everything is disallowed.
Botnet Scanning Methods - How bots scan to infect other bots
1. Random: Randomly look 2. Hit-List: Use a list 3. Topological: Scans hosts discovered by the currently exploited device 4. Permutation: Scans a list of devices created through a random algorithm
Session Hijacking Process
1. Sniff the active session packets 2. Monitor for vulnerable protocols (non-encrypted) 3. Session ID Retrieval: Predict the session ID 4. Stealing: In application-level hijacking, active attacks are pursued to steal the session ID. While sequence number guessing can be done manually by skilled attackers, software tools are available to automate the process. 5. Take one of the parties offline: Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial of service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network, causing the workstation and the server to repeatedly attempt to synchronize their connections, resulting in a condition known as an ACK storm 6. Take over session and maintain connection: The attacker will spoof their client IP address, to avoid detection, and include a sequence number that was predicted earlier.
Risk Assessment
1. Technical Safeguards - Those that protect how you are storing your data 2. Organizational Safeguards - "minimum necessity rule." This Rule is designed to ensure and determine who has access to specific data and to consider whether it is required or necessary to perform their duties. 3. Physical Safeguards - door locks, key cards.. 4. Administrative Safeguards - are the protection of information from a legal perspective and include such things as business associate agreements, employee confidentiality agreements, background checks, termination checklists
IoT Owasp Top 10 2018
1. Weak / Hard Coded passwords 2. Insecure network protocols 3. Insecure Access interfaces 4. Use of insecure components - old software libraries 5. Lack of Secure Update Mechanism 6. Insufficient privacy protection 7. Insecure Data Transfer and Storage 8. Lack of Physical Hardening 9. Insufficient Security Configurability 10. Lack of device management
Kerberos Notes
1. a protocol for authentication 2. uses tickets to authenticate 3. avoids storing passwords locally or sending them over the internet 4. involves a trusted 3rd-party (key distribution center) 5. built on symmetric-key cryptography
Dynamic Ports
49152 - 65535
IoT Connectivity
4G LTE, Bluetooth, GPS, LoRa, mesh networking, RFID, WiDi, Zigbee, Z-wave
RC4, RC5, RC6
A series of symmetric encryption algorithms by Ron Rivest. Sometimes called "Ron's Cipher" or "Rivest's Cipher" - The RC4 implementation (not the cipher itself) in WEP is broken -- RC4 -- a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. -- RC5 -- Block cipher - a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. 2-bit registers -- RC6 -- adds two features to RC5: the inclusion of integer multiplication and the use of four 4-bit working registers.
Syllable Attack
A syllable attack is the combination of both a brute force attack and a dictionary attack. This is often used when the password is a nonexistent word. The attacker takes syllables from dictionary words and combines them in every possible way to try to crack the password.
Bluesnarfing
Bluesnarfing is a device hack performed when a wireless, Bluetooth-enabled device is in discoverable mode. Bluesnarfing allows hackers to remotely access Bluetooth device data, such as a user's calendar, contact list, emails and text messages. This attack is perpetrated without the victim's knowledge - Not as much control as bluebugging.
Tiny Fragment Attack
Break a datagram into small enough pieces that the fragments evade detection but are reassembled on the target to deliver the payload.
Birthday Attack
Brute force / can be used to find collisions in a cryptographic hash function. Vary two inputs until their hashes are equal, then substitute the fraudulent variation for the legitimate one. Like varying a good and a bad contract by adding things like spaces or commas that don't alter the meaning of the contract, then finding a collision in the hashes of these altered contracts.
CCMP
CCMP, based on the AES block cipher (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection
CRL
Certificate Revocation List
Polymorphic Virus
Changes every time it executes but keeps the same core
Least Significant Bits Steganography
Changing the least significant bit (the last bit or two of each 8 bits). Then pick out the last bit or two of each byte and put them together to recreate the hidden digital file.
Blackjacking
Exploiting a blackberry device or BES to attack the LAN - Blooover tool to exploit
Stingray
Fake cell tower - DoS, MITM, location tracking - Expensive hardware phones can detect it - Software exists but is not great - Put your phone in a box that won't allow signals out (can't track)
Pineapple
Fake WiFi - MITM - Mitigate: VPN, turn WiFi off when not using
IPSEC Notes
Five steps in an IPSec tunnel 1. Initiation: Manually or when a router receives traffic that is defined as needing IPSec 2. IKE phase 1: ISAKMP Security Association (SA) tunnel. - Tunnel management stuff - Management channel - UDP 500 - Auth - DH - Hash - Key (How do we do crypto) - Bi-directional tunnel. (Only one) 3. IKE phase 2: build IKE phase 2 tunnel inside phase 1 tunnel - Moves end user data - Uni-directional tunnel (there are two) 4. Data transfer through phase 2 tunnel 5. Termination - IP at layer 3, ESP at layer 4 - ESP doesn't have port numbers. It has an SPI (Security Parameter Index), different for each of the two data tunnels.
Neotrace
Footprinting/Route Determination. Enhanced GUI-based Traceroute tool that provides more feedback regarding failed connections than typical traceroute programs. Features include printer and HTML output, a detailed whois display, continuous ping, instant browser access to nodes.
Botnet
Group of malware that "calls home" to a command and control center for further instructions after it infects a computer. 1. Telnet, IRC (Internet Relay Chat) is a popular way to communicate for C&C, disguised HTTP traffic, encoded TCP. P2P (peer to peer) networks are used too. 2. Used for DDoS, click fraud (sending fake clicks to sites), keylogging. 3. Protect - Patch, block C&C server, sinkholing, reverse engineer a kill switch, reset device, passwords
NIST SP 800-37
Guide for applying is the key here. The risk management framework is the rules. The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. - I am going to call you and tell you how to do it.
Startup Registry Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Get vs Post
HTTP POST requests supply additional data from the client (browser) to the server in the message body. In contrast, GET requests include all required data in the URL.
Fingerprint
Hash of a public key
IoT Owasp Top 10 2014
I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability - Everyone is admin (bad) I9 Insecure Software/Firmware I10 Poor Physical Security
IA (Information Assurance)
ICAAN 1. Integrity 2. Confidentiality 3. Availability 4. Authentication - is about one party (say, Alice) interacting with another (Bob) to convince Bob that some data really comes from Alice 5. Non-Repudiation: Can't deny ownership; can prove it to a third party. IA Standards a. NIST b. PCI DSS c. Sarbanes-Oxley d. HIPAA e. CSA (Cloud Security Alliance)
Brute Force Attack
In a brute force attack, the attacker tries every possible combination of characters until the correct password is found
MIMO
In radio, multiple-input and multiple-output, or MIMO (/ˈmaɪmoʊ, ˈmiːmoʊ/), is a method for multiplying the capacity of a radio link using multiple transmission and receiving antennas to exploit multipath propagation.[1] MIMO has become an essential element of wireless communication standards including IEEE 802.11n (Wi-Fi), IEEE 802.11ac (Wi-Fi), HSPA+ (3G), WiMAX (4G), and Long Term Evolution (LTE 4G). More recently, MIMO has been applied to power-line communication for 3-wire installations as part of ITU G.hn standard and HomePlug AV2 specification.[2][3]
Untethered Jailbreaking
Initial jailbreak requires PC, but not after
TCP Sequence Numbers
Initial sequence number is a random 32-bit number. Explained in relative numbers. - Each side keeps track of their Sequence and Acknowledgement numbers. - SYN or FIN flag in a received packet triggers an ACK increase by 1. And sequence numbers increase. - Sequence is increased by the packet size of the previous packet. ----- It keeps track on the sending side so you can resend unacked packets. - The ACK is increased by the packet size of the received packet. ---- Says I am good up to that many data bytes ---- ACK bit is set when sending payload back normally. So the packet doesn't have to be just an ACK to acknowledge. ----- If delayed ACK is set the acknowledging side will ACK two packets at a time.
IV (Initialization vector)
Initialization Vector. Initialization Vector is a fixed-size input to a cryptographic primitive. It is typically required to be random or pseudorandom. The point of an IV is to tolerate the use of the same key to encrypt several distinct messages.
Sinkholing
Intercepting Botnet C&C communication and redirecting to your server
IETF
Internet Engineering Task Force - develops and promotes voluntary Internet standards and protocols, in particular the standards that comprise the Internet protocol suite (TCP/IP).
Radius
It is a centralized authentication and authorization management system, often referred to as AAA. RADIUS stands for Remote Authentication Dial In User Service. RADIUS is an AAA protocol for applications such as Network Access or IP Mobility. It works in both situations, local and mobile. It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) to authenticate users.
tcpdump
Linux tool is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached
Depth Assessment Tool
Looking for zero day
Common Vulnerability Scoring System V3 Ratings
Low: 0.1 - 3.9 Medium: 4.0 - 6.9 High: 7.0 - 8.9 Critical: 9.0 - 10.0
Common Vulnerability Scoring System V2 Ratings
Low: 0 - 3.9 Medium: 4.0 - 6.9 High: 7.0 - 10.0
Amplification Factor (DDoS)
Measures the ratio of the number of bytes the attacker sends to the number of bytes delivered to the victim
Sigverif
Microsoft tool used to verify system and other critical files to determine if they have a signature.
Cluster Virus
Modifies pointers - cluster virus modifies directory table entries so that directory entries point to the virus code instead of the actual program. There is only one copy of the virus on the disk infecting all the programs in the computer system. It will launch itself first when any program on the computer system is started and then the control is passed to the actual program
RFC 2048
Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures - MIME email protocol to exchange different kinds of data files on the Internet: audio, video, images, application programs, and other kinds
IKEv2
Needs to be paired with IPSec. It is only a tunneling protocol - Pros 1. Internet Key Exchange version 2 2. Uses AES (so does v1) 3. Stable (so is v1) 4. Supports MOBIKE - allows you to bounce between internet connections. 5. Simplified message exchange 6. Support for mobile - Cons 1. Not available on all platforms 2. Only the open source version can be trusted
L2TP (Layer 2 Tunneling Protocol)
Needs to be paired with IPSec. It is only a tunneling protocol - Pros 1. Uses AES ciphers 2. All platforms 3. Easy to set up - Cons 1. Not firewall friendly (when behind one) 2. Rumored to be broken by NSA 3. Uses PSK (could be stolen if not protected) 4. UDP port 500 - can be blocked
NMAP
Network scanner: ports, host details, OS -n : Never do DNS resolution -sS : TCP SYN (Half Open / Stealth) -p : port - 192.168.1-5 will scan class C .1.X through .5.X -S : spoof source IP -O : OS detection -g : source port -sU : UDP scan -sO : IP protocol scan -sn : host discovery only (no port scan) -sT : TCP Connect port scan -T : set timing template, higher is faster -A : enable OS detection, version, and script scanning, and traceroute -v : increase verbosity, -vv more -V : version - -sO allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the eight-bit IP protocol field
Connect Scan
Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. - It completes the connection. Unlike SYN scan - This is the case when a user does not have raw packet privileges or is scanning IPv6 networks
Bastion Host
Placed before the firewall, or could be the firewall. Filters traffic. is the only host computer that a company allows to be addressed directly from the public network and that is designed to screen the rest of its network from security exposure. - Can operate at Application (layer 7) or Session (layer 5)
ACK Tunneling
Similar to ICMP tunneling. Used by trojans to communicate out. Ordinary packet filtering firewalls rely on the fact that a session always starts with a SYN segment from the client. Thus, they apply their rule sets to all SYN segments, and simply assume that any ACK segments are part of an established session.
WEP How did we fix it
Some of the significant changes implemented with WPA included message integrity checks (to determine if an attacker had captured or altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than the fixed key system used by WEP. The TKIP encryption standard was later superseded by Advanced Encryption Standard (AES)
DNS Basic Query Flood
Using multiple sources of compromised computers (botnets), the attacker generates a distributed volumetric denial-of-service attack that floods the DNS server. According to the DNS standard, a DNS server processes every request.
802.1q
VLANs. Often referred to as Dot1q, it is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network.
Computer Fraud and Abuse Act (CFAA)
Is a United States cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law (18 U.S.C. 1030), which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization.
Superscan
Is a free connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and hostname lookups.
FSK (Frequency Shift Keying)
Is a frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier signal. The technology is used for communication systems such as telemetry, weather balloon radiosondes, caller ID, garage door openers,
Control Objectives for Information and Related Technology (COBIT)
Is a good-practice framework used globally by those who have the primary responsibility for business processes and technology, depend on technology for relevant and reliable information, and provide quality, reliability and control of information and related technology.
Chosen Plain Text Attack
Is a model for cryptanalysis which assumes that the attacker can choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme.
Air Crack NG
Is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.
whois
Is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system,
BBProxy
Is a security assessment tool that is written in Java and runs on BlackBerry devices. It allows the device to be used as a proxy between the Internet and an internal network.
Timing Attack
Is a side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms.
- RSA can be attacked like this
- A proxy can mitigate it. The downside of this approach is that the time used for all executions becomes that of the worst-case performance of the function
Covert Channel
Is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. A channel "not intended for information transfer at all,
sqlmap
Is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Spyware
Software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
Netsh
A command-line scripting utility that allows you to display or modify, either locally or remotely, the network configuration of a computer that is currently running.
finger
Unix command that shows user information.
Firesheep
Was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies.
DNSSEC
- Does not encrypt, only signs
- Servers up the chain vouch for the public keys given out by the servers below
- Prevents BIND redirection
- Effective against cache poisoning
- Susceptible to DNS zone dictionary attack, because it needs to prove non-existence
- Starting with the root server, the responses contain the hash of the public key (DS record) of the next step (.com, then google.com). The responses from the next steps down are signed with the private key of the responding server and can be validated by the public key sent from the server above it.
1. RRSet - Resource Record Set: a set of records with the same type and same domain/zone
2. RRSig - Resource Record Signature: a record containing an RRSet's digital signature
3. DS Record - Delegation of Signing: a record containing the hash/digest of a child domain's/zone's public KSK
4. Attackers answer at the recursive part of the query quicker than the real server. The client will take the first answer.
4b. The attacker would set the TTL to 24 hours to keep the record cached for that long.
Session Hijack mitigations
- Encryption
- Expiring sessions
- Strong passwords
- Good antivirus on clients
- Set cookie to HttpOnly: this prevents JavaScript from accessing it, which helps prevent XSS
- Strong algorithm for session IDs
- Single session IDs
- Don't use HTTP
- Have the framework control sessions (PHP, ...)
- Patch
- Good logging
- Secure serialization. Serialization is the process of turning an object in memory into a stream of bytes so you can do things like store it on disk or send it over the network.
Enumeration Counter Measures
- Encryption is the most effective (works in some places)
- Don't use old services
- Stop unnecessary services
- Disable unnecessary ports
- Restrict anonymous access: restrict null sessions in the Microsoft Windows registry
- Disable old accounts
IPSEC Tunnel Mode
- Entire IP packet encrypted, with a new IP header added
DLL Hijacking
- Escalation through software manipulation
- Don't allow DLLs to load from the current directory
- Can hack a registry setting to point to a malicious directory of DLLs
- Side loading: DLLs in the WinSxS directory are validated on metadata only. Easy to spoof
- Name a bad DLL as an old-school DLL that is still approved but not necessarily present, and put it in an approved folder
IPSEC Transport Mode
- IP header is not encrypted
- Client/server traffic: RDP, Telnet
DNS General
- Iterative DNS query: send me what you can, but don't ask anyone else
- Recursive DNS query: give me what I need and ask everyone you need to
- TCP for zone transfers
- UDP for name queries
4 Way handshake WPA and WPA2 EAPOL Extensible Authentication Protocol over LAN
- The key is created using the PMK / ANonce / SNonce / MAC of both. The PMK (password) is never transmitted over the air.
1. (ANonce and Key Replay Counter) The authenticator (AP) sends the ANonce and Key Replay Counter to the supplicant (client). No encryption, and the MIC bit is not set. Any change to the ANonce value will be recognized in the response from the supplicant. The supplicant now has all the attributes to construct the (unique) PTK.
2. (SNonce and MIC, same Replay Counter as it received) The supplicant generates the SNonce and sends it with a MIC value (using HMAC-MD5 [hash]: 16 byte MIC value) that protects the message. The MIC value proves that the supplicant knows the PMK (the hash includes all the data, including the key value). Verifies integrity and authentication.
3. The AP verifies Message 2 by checking the MIC, RSN, ANonce and Key Replay Counter field, and if valid constructs and sends the GTK with another MIC. Tells the supplicant it is ready.
4. The STA verifies Message 3 by checking the MIC and Key Replay Counter field, and if valid sends a confirmation to the AP.
Cain and Abel
- MITM attacks
- ARP poisoning, which enables sniffing
- This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, crack encrypted passwords using dictionary, brute-force and cryptanalysis attacks, record VoIP conversations, decode scrambled passwords, reveal password boxes, uncover cached passwords and analyze routing protocols.
WEP
- Not secure: the IV (initialization vector) was too small
- Uses the insecure RC4 stream cipher
Drive By Attack
- Once you're on the page, the malicious code embedded into the website (usually an exploit kit) starts scanning your computer for security vulnerabilities. The security holes on your PC are usually created by outdated apps of all kinds, from plugins to browsers, chat apps and beyond. Once the appropriate weakness has been spotted, malware goes on to infiltrate the system and take control of it. Just like in the graphic below.
- Protection: remove unneeded or old plug-ins / don't use a privileged account to surf the web / firewall / disable JavaScript / web filtering software / ad blockers
XSS mitigations
- Positive XSS prevention model: treat the HTML page like a parameterized database query
- Good code: escape, input filtering
- Confirmation should always be required for sensitive data
- Cookies should have short lives
- Same origin (protocol, domain, port) policy. If defeated, an attacker can access everything on the page.
- Use XSS browser protections
- Content Security Policy in the browser
- Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. Escape untrusted data: characters are escaped by being replaced with a three-character string of the form %xx, where xx is the ASCII hexadecimal representation of the reserved character
XSS (Cross Site Scripting)
- Really just HTML injection attack.
Cross Site Scripting
- Reflected attack: when a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.
- Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
Amplified Reflection DoS
1. Send out packets with a fake (spoofed) source IP all at one time; all the responses come back to the spoofed IP
2. Protections
- Rate limiting: limit bandwidth to or from. Is indiscriminate and not the best
- REGEX filter on traffic: effective, but needs a ton of processing power
- Port blocking
- Block IPs based on threat intelligence
SOX (Sarbanes-Oxley) Law - Publicly Traded
- Senior execs take full responsibility for financial reports
- Disclosure of conflicts of interest
- Protections for whistleblowers
- Act of 2002. Long title: An Act To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes
HEX
- Shorthand for binary
- DEC 0-15 maps to HEX 0-9 then A-F
ARP poisoning Mitigation
- Static ARP / VPN / enable DAI (Dynamic ARP Inspection) on your switch: if an ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped
- Enable the DHCP snooping binding table
Session Hijacking
- Steal or predict session tokens
- Predict session IDs
- Happens at the transport layer
Types of SQL Injection
- Union SQL injection
- System stored procedure
- End of line comment: after injecting code into a particular field, legitimate code that follows is nullified through usage of end of line comments
- Illegal / bad logic: crashes the database
- Blind SQL injection: when the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.
WPA TKIP
- Upgrade to WEP
- Increased the size of the IV and used mixing functions
- Still uses the insecure RC4 stream cipher
Injection
- An attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.
Stateless Protocol
- Is a communications protocol in which no information is retained by either sender or receiver, meaning that each is unaware of the state of the other
- IP / HTTP
- Side note: FTP / TCP are STATEFUL because they maintain connection/state information.
CSRF (Cross Site Request Forgery)
- Someone includes an image that isn't really an image (for example in an unfiltered chat or forum); instead it really is a request to your bank's server to withdraw money:
- <img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">
- Now, if you are logged into your bank account and your cookies are still valid (and there is no other validation), you will transfer money as soon as you load the HTML that contains this image.
DNS Cache Poisoning
1. DNS cache poisoning tries to forge the response from an authoritative name server to force a recursive server to store forged information in its internal cache. For this reason, the attack is called cache poisoning.
2. Mitigate: use a random source port (not 53) - random query ID - randomize the case of letters in the query and check responses for the same random upper and lower case - IP randomization
3. RFC 5452 defines measures for making DNS more resilient to cache poisoning. All measures aim at increasing the entropy of queries that recursive servers issue to authoritative servers.
Incident management processes (PACNCIRP)
1. Preparation -- have a plan
2. Detection and Analysis -- a problem has been reported or discovered -- alert -- look at interesting log files
3. Classification and Prioritization -- what happened, how important
4. Notification
5. Containment -- complex: pull the plug / keep evidence
6. Forensic Investigation -- who was behind it / how
7. Eradication and Recovery
8. Post-incident Activities -- deep dive / reports / changes
MAC Flooding
1. Send a huge number of frames with different source addresses to the switch. The MAC address table fills up and the switch is unable to save new MAC addresses. This leads the switch to enter a fail-open mode, and it now behaves the same as a network hub: it forwards the incoming data to all ports like a broadcast.
2. Prevent
- Port security
- Authenticate with an AAA server
- Prevent ARP spoofing / IP spoofing
- IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
Fragmentation Attack
1. Sending packets bigger than the receiver's MTU to overwhelm the receiver's resources. DoS.
2. HTTP fragmentation can be used to hold open multiple connections by splitting data into tiny fragments and sending them in slowly, holding the session open. Repeating this with many sources can consume resources.
3. Teardrop attack: overwhelms reassembly mechanisms.
Replay Attack
1. Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts, thus granting Eve access.
2. Protect against: use single-use sessions, one-time passwords, timestamps. This works because a unique, random session ID is created for each run of the program, thus a previous run becomes more difficult to replicate.
Golden Ticket Attack
1. The Golden Ticket is the Kerberos authentication token for the KRBTGT account, a special hidden account with the job of encrypting all the authentication tokens for the DC. That Golden Ticket can then use a pass-the-hash technique to log into any account.
2. Attacker needs elevated privileges.
3. Mitigate: limit user access, limit Domain Admin user access, use admin accounts sparingly, create a terminal server as an in-between for connections to the domain controllers.
Privilege escalation attacks
1. Windows service runs as the local system account. A buffer overflow causes compromise of the service.
2. Screensaver runs under local system. Can get a user to install a bad screen saver.
3. Cross zone scripting is a type of privilege escalation attack in which a website subverts the security model of web browsers, thus allowing it to run malicious code on client computers.
4. Jailbreaking is the act, or the tool used to perform the act, of breaking out of a chroot or jail in UNIX-like operating systems, or of bypassing digital rights management.
5. Mitigation: address space layout randomization to help prevent buffer overruns that allow instructions to be executed from privileged areas in memory / patching / encryption / Data Execution Prevention: marking parts of memory as non-executable
NTLM (NT LAN Manager)
1. Is Microsoft's old authentication protocol that was replaced with Kerberos starting with Windows 2000
2. LM and NTLMv1 are obsolete. NTLMv2 is safer but not great
3. NTLMv2 is based on MD4. The user can't authenticate the server (one way). MITM; 8 character passwords can be cracked in a day.
DoS SYN Flood aka half open
A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
Memorandum of Understanding or Agreement
A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.
RAT
A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet.
DNS Amplification Reflective Attack
A standard DNS request is smaller than the DNS reply. In a DNS amplification attack, the attacker carefully selects a DNS query that results in a lengthy reply that's up to 80 times longer than the request (e.g., "ANY"). The attacker sends this query using a botnet to third-party DNS servers to spoof the source IP address with the victim's IP address (see Figure 3). The third-party DNS servers send their responses to the victim's IP address. With this attack technique, a relatively small botnet can carry out a volumetric flood of large responses toward the victim to saturate its Internet pipe.
DNS Brute Force Attacks
Brute force attacks use scripts or other tools to find all subdomains for a certain domain and expose the organization's public (and possibly private) network.
SYN Cookie protection against SYN Flood
By calculating the initial TCP sequence number (the SYN cookie) with a specific, secret math function in the SYN-ACK response, the server does not need to maintain a state table. On receipt of the ACK from the client, the TCP sequence number is checked against the function to determine if this is a legitimate reply. If the check is successful, then the server will create the TCP session and the user connection will proceed as normal.
DNS Attack Protection
- Firewall: block outbound DNS queries
- Use a different port for DNS
- DNSSEC
- Use secure protocols: HTTPS / SFTP / SSH
- Read-only hosts file
- Do not allow unsolicited DNS responses. A response message is never unsolicited
- Drop quick retransmissions. A legitimate DNS client does not send the same queries too soon, even when there is packet loss
- Do not allow the same queries too soon if you have already sent the response
- Enforce TTL
- Drop DNS queries and responses that are anomalous
- Drop unexpected or unsolicited DNS queries that you have not seen earlier
- Force the DNS client to prove that it is not spoofed: force TCP transmission or force retransmission
- Cache responses and save the DNS server from getting overloaded
- Use ACLs
- Use the power of geo-location ACLs, BCP38 and IP reputation
- TSIG: authenticate database updates
Metasploit
Hacking toolset (exploitation framework).
Cisco IP Source Guard
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Source Routing (used to session hijack)
IP has the ability to specify a route: the to and from path for packets can be given in the packet itself. Rarely used for legitimate purposes anymore.
LM Hash
LM hash (also known as LanMan hash or LAN Manager hash) is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords.
- No password would have this hash: aad3b435b51404eeaad3b435b51404ee
- Last 7 characters blank: ends with AA-D3-B4-35-B5-14-04-EE
- All passwords converted to uppercase
- Only 14 characters
- Divided into two 7-character halves, each hashed separately
UPnP / SSDP protocol - Amplification DDoS
Many devices, including some residential routers, have a vulnerability in the UPnP software that allows an attacker to get replies from port number 1900 to a destination address of their choice. With a botnet of thousands of devices the attackers can generate sufficient packet rates and occupy enough bandwidth to saturate links.
- SSDP is the protocol that UPnP uses
- UPnP is a zero-config network protocol that is unauthenticated
- UPnP = automatic, unauthenticated port-forwarding of any external port to any internal machine port
SQL Injection protection
Option 1: Use of prepared statements (with parameterized queries)
Option 2: Use of stored procedures
Option 3: White list input validation
Option 4: Escaping all user supplied input
Also: Enforcing least privilege
Also: Performing white list input validation as a secondary defense
OSI Model
P D N T S P A: Physical - Data Link - Network - Transport - Session - Presentation - Application (People Do Not Think Santa Provides Anything)
- Layer 1 (Physical): Ethernet physical, 10BASE-T...
- Layer 2 (Data Link): Ethernet, CHAP, Frame Relay, VLAN, MAC, ARP. Switching layer
- Layer 3 (Network): IP (ARP some too), IP address. Routing layer. Packets are fragmented
- Layer 4 (Transport): TCP, UDP. Post office layer: sending to a specific IP/port
- Layer 5 (Session): NetBIOS, SMB. Sets up communications. Tunneling protocols
- Layer 6 (Presentation): TLS, SSL
- Layer 7 (Application): HTTP, POP, SMTP, FTP
DNS Recursive Flood
This is a sophisticated DNS-flood attack in which the attacker generates a distributed, volumetric flood toward the DNS servers (see Figure 2). The flood is made of random subdomains of single or multiple target domains. The attacker sends a pre-crafted DNS query to the DNS recursive server that contains a random string prepended to the victim's domain (for example, xxxyyyy.www.VictimDomain.com). The DNS recursive server will repeatedly attempt to get an answer from the authoritative name server with no success. Sending different false subdomains with the victim's domain name will eventually increase the DNS recursive server's CPU utilization until it is no longer available.
DNS Tunnels - Hiding Information
This technique is not an attack per se; rather it is a way to use DNS's infrastructure and protocol to pass data under the radar. The technique uses the DNS protocol as a tunnel, sending the data inside the DNS requests and responses. This technique is used to bypass corporate firewalls, Wi-Fi monetization mechanisms, Data Loss Prevention systems and any other technology used to inspect or limit data over the wire. Malware often uses this technique to pass data and communicate with the outside world, in order to avoid the organization's security infrastructure.
FISMA (Federal Information Security Management Act)
United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. 9 steps:
1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.
Virus
A piece of code that is capable of copying itself, needs help to spread, and typically has a detrimental effect, such as corrupting the system or destroying data.
Fuzzing
Is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data, called fuzz, to the test subject in an attempt to make it crash.
WPA to WPA2
Is the mandatory use of AES algorithms and the introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP. However, TKIP is still preserved in WPA2 as a fallback system and for interoperability with WPA.