CS 454 Final
Web browsers
Browsers provide sandboxing capabilities to isolate extensions and plugins.
tools for forensics
CAINE
XSS Mitigations
Convert untrusted input into a safe form, where the input is displayed as data to the user
CONNECT
Converts the request connection to a transparent TCP/IP tunnel
XSS
Cross-Site Scripting
tools for forensics
DEFT
XSS attack type
DOM-based xss
Tools to practice security testing on iOS
Dang vulnerable iOS
DELETE
Deletes the specified resource
XSS Request Forgery Attacks
Different from XSS because they exploit the trust that an application has in a user's browser
DOM
Document Object Model
TRACE
Does a message loopback test along the path to the target resource
Injection-Based Vulnerabilities
Dynamic code injection
rainbow tables
Tables used to derive a password by looking at the hashed value. These precomputed tables are used for reversing cryptographic hash functions. A tool called RainbowCrack can be used to automate the cracking of passwords using rainbow tables.
Static and dynamic binary analysis
This is done using disassemblers and decompilers to translate an app's binary code or bytecode back into a more understandable format. By using these techniques on native binaries, you can obtain assembler code that matches the architecture for which the app was compiled.
port
This optional portion of the URL designates the port number to which the target web server listens. (The default port number for HTTP servers is 80, but some configurations are set up to use an alternate port number.) In this case, the server is configured to use port 8123.
host
This is the IP address (numeric or DNS-based) for the web server being accessed; it usually follows the colon and two forward slashes. In this case, the host is theartofhacking.org.
path
This is the path from the "root" directory of the server to the desired resource. In this case, you can see that there is a directory called dir. (Keep in mind that, in reality, web servers may use aliasing to point to documents, gateways, and services that are not explicitly accessible from the server's root directory.)
scheme
This is the portion of the URL that designates the underlying protocol to be used (for example, HTTP, FTP); it is followed by a colon and two forward slashes (//). In this example, the scheme is http.
path-segment-params
This is the portion of the URL that includes optional name/value pairs (that is, path segment parameters). A path segment parameter is typically preceded by a semicolon (depending on the programming language used), and it comes immediately after the path information. In this example, the path segment parameter is id=89. Path segment parameters are not commonly used. In addition, it is worth mentioning that these parameters are different from query-string parameters (often referred to as URL parameters).
query-string
This optional portion of the URL contains name/value pairs that represent dynamic parameters associated with the request. These parameters are commonly included in links for tracking and context-setting purposes. They may also be produced from variables in HTML forms. Typically, the query string is preceded by a question mark. Equals signs (=) separate names and values, and ampersands (&) mark the boundaries between name/value pairs. In this example, the query string is name=omar&x=true.
OWASP SeraphimDroid
This privacy and device protection application for Android devices helps users learn about risks and threats coming from other Android applications.
HTTP Protocol
This protocol transaction consists of a single request and response
docker-bench-security
This script, created by Docker, checks for common security best practices when deploying Docker containers in production.
Dev-Sec.io
This tool allows you to automatically apply hardening best practices to different types of servers
CIS Docker Benchmark
This tool provides an automated way to test containers against well-known security best practices.
docker-explorer
This tool was created by Google to help analyze offline Docker file systems. It can be useful when performing forensic analysis of Docker containers.
Hypervisor-based keylogger
This type of keylogger is effective in virtual environments, where the hypervisor could be compromised to capture sensitive information.
Memory-injection-based keylogger
This type of keylogger tampers with the memory tables associated with the browser and other system functions.
XSS Request Forgery Attacks
Typically affect applications or sites that rely on a user's identity
Injection-Based Vulnerabilities
Uncontrollable format string
PUT
Uploads a representation of the specified URI
XSS Mitigations
Use CSS escape and strictly validate before inserting untrusted data into HTML style property values
XSS Mitigations
Use X-XSS-Protection response header
Clickjacking Mitigation
Use defensive code in the application to make sure the current frame is the top-level window
XSS Mitigations
Use the HTTPOnly cookie flag
XSS Mitigations
Use URL escape before inserting untrusted data into HTML URL parameter values
Authenticated Session
Uses a session ID (token), a name/value pair
clickjacking
Using multiple transparent or opaque layers to induce a user into clicking on a web button or link on a page that he or she was not intending to navigate or click. Clickjacking attacks are often referred to as UI redress attacks. User keystrokes can also be hijacked by using clickjacking techniques. It is possible to launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool a user into entering information or clicking on links in an invisible frame that could be rendered from a site the attacker created.
common tools for persistence
VNC
Virtual machines
Virtual machines can be used to restrict a guest operating system to run sandboxed so that the applications do not run natively on the host system and can only access host resources through the hypervisor.
lock bypass
a technique used in lock picking to get past a lock. locks may be bypassed in many ways, including by using simple loiding attempts (using a "credit card" or similar items against self-closing "latch" locks) and bypassing padlocks by shimming
PsExec
a utility used for executing processes on a windows system
reverse shell
a vulnerability in which an attacking system has a listener (port open), and the victim initiates a connection back to the attacking system
Clickjacking
also called UI redress attacks
Web Application Description Language (WADL) documents
an XML-based language for describing web applications
Web Services Description Language (WSDL) documents
an XML-based language that is used to document the functionality of a web service
false positive
an alert that incorrectly indicates that a vulnerability is present
false negative
an instance in which a security tool intended to detect a particular threat fails to do so
group policy object (gpo)
an item inside active directory that contains settings for user accounts, client computer settings, or settings for configuring policies on servers. typically, the goal is to configure gpos in such a way that they cannot be overridden by users
tools and frameworks to test android-based systems and apps
androick
HPP
attacker can append the same parameter to the GET or POST data but with a different value
Exploiting insecure direct object vulnerabilities
attacker can bypass authorization and access
bind shell
attacker connects to victim on listening port
Cookie Manipulation
attacker writes controllable data into the value of a cookie
Metasploit
auxiliary
CVSS environmental metric group
availability requirement
bash shell
available for linux, MacOS X, and even windows
common physical security attack
badge cloning
tampering techniques for mobile apps
binary patching ("modding")
Types of SQL Injection Attacks
blind (or inferential) sql injection
tools for vulnerability scanning
burp suite
tools for software assurance
fuzzers and fuzz testing
tools for credential attacks
cain and abel
python
can be used to automate repetitive tasks and create applications
HPP
can happen if multiple http parameters have the same name
Exploiting insecure direct object vulnerabilities
can happen when web apps allow direct access to objects based on user input
tools for passive reconnaissance
censys
tools for credential attacks
cewl
post-engagement activities
clean any information added to databases
post-engagement activities
clean up any files left from successful or unsuccessful exploitation attempts
OWASP top mobile security risk
client code quality
HTTP status code 400-499
client errors
tampering techniques for mobile apps
code injection
iOS security core feature
code signing
OWASP top mobile security risk
code tampering
physical device security attack
cold boot attack
bash shell
command shell and language interpreter
Sysinternals and PSExec
command-line suite of tools to control windows-based computers from a remote terminal (run, kill, and stop services)
actions you can take on a compromised system
conducting dns and directory services enumeration
CVSS environmental metric group
confidentiality requirement
use cases for penetration testing tools
configuration compliance
actions you can take on a compromised system
configuring port forwarding
do not require their own OS
containers
META-INF
contains the metadata of manifest.mf, cert.rsa, and cert.sf
Local file inclusion
could allow an attacker to read and execute files on the victim's system
way to maintain persistence of a compromised system
creating additional back doors
way to maintain persistence of a compromised system
creating and manipulating scheduled jobs and tasks
way to maintain persistence of a compromised system
creating custom daemons and processes
way to maintain persistence of a compromised system
creating new users
way to maintain persistence of a compromised system
creating reverse and bind shells
actions you can take on a compromised system
creating ssh tunnels or proxies to communicate to the internal network
use cases for penetration testing tools
credential attacks
Exploiting Application Vulnerabilities
credential brute forcing
container example
cri-o
Local file inclusion
critical if a web app is running with high privileges or as root
use cases for penetration testing tools
debugging
tampering techniques for mobile apps
debugging and tracing
use cases for penetration testing tools
decompilation
covering your tracks and cleaning up
delete all files, executable binaries, scripts, and temp files from compromised systems
covering your tracks and cleaning up
delete all user accounts used during the test
tools for passive reconnaissance
dig
covering your tracks and cleaning up
do this after creating and delivering the report to the client
container example
docker
common physical security attack
dumpster diving
software assurance
dynamic application security testing (DAST)
decompilation, disassembling, and debugging tools
edb debugger
common physical security attack
egress sensors
bash shell
enables you to create scripts, parse data, and automate tasks
common tools for evasion
encapsulation and tunneling using DNS and protocols such as NTP
Metasploit
encoders
common tools for evasion
encryption
iOS security core feature
encryption and data protection
tools for active reconnaissance
enum4linux
use cases for penetration testing tools
enumeration
use cases for penetration testing tools
evasion
EXIF
exchangeable image file format information from graphic files, as well as the information discovered through the URL of a scanned website
actions you can take on a compromised system
executing additional exploits
tools for passive reconnaissance
exiftool
CVSS temporal metric group
exploit code maturity
CVSS base metric group
exploitability metrics
Exploiting Application Vulnerabilities
exploiting kerberos vulnerabilities
Metasploit
exploits
OWASP top mobile security risk
extraneous functionality
common physical security attack
fence jumping
tools for software assurance
findbugs, findsecbugs, and sonarqube
tools for passive reconnaissance
foca
use cases for penetration testing tools
forensics
Software assurance
fuzzing
iOS security core feature
general exploit mitigations
remote access protocols
gives you a full, interactive GUI of the compromised computer
lateral movement (pivoting)
goal is to move from one device to another to avoid detection, steal sensitive data, and maintain access
iOS security core feature
hardware security
tools for credential attacks
hashcat
post-engagement activities
have the client or system owner validate that your clean up is sufficient
Simple Object Access Protocol (SOAP)
This standards-based web services access protocol was originally developed by Microsoft and has been used by numerous legacy applications for many years. SOAP exclusively uses XML to provide API services. XML-based specifications are governed by XML Schema Definition (XSD) documents. SOAP was originally created to replace older solutions such as the Distributed Component Object Model (DCOM) and Common Object Request Broker Architecture (CORBA).
tools for passive reconnaissance
host
tools for credential attacks
hydra
Tools to practice security testing on iOS
iGoat
Tools to practice security testing on iOS
iMAS
decompilation, disassembling, and debugging tools
ida
decompilation, disassembling, and debugging tools
immunity debugger
CVSS base metric group
impact metrics
OWASP top mobile security risk
improper platform usage
Online brute-force attacks
in this type of attack, the attacker actively tries to log in to the application directly by using many different combinations of credentials
offline brute-force attack
in this type of attack, the attacker can gain access to encrypted data or hashed passwords
HTTP Status code 100-199
informational
OWASP top mobile security risk
insecure authentication
OWASP top mobile security risk
insecure authorization
OWASP top mobile security risk
insecure communication
OWASP top mobile security risk
insecure data storage
OWASP top mobile security risk
insufficient cryptography
CVSS environmental metric group
integrity requirement
Clickjacking
involves using multiple transparent or opaque layers to induce a user into clicking a button or link that was not intended
time delay
it is possible to use database commands to delay answers. an attacker may use this technique when he or she doesn't get any output or error messages from the application
Clickjacking
keystrokes can also be hijacked using clickjacking techniques
actions you can take on a compromised system
launching brute-force attacks
container example
linux containers (lxc)
common physical security attack
lock picking
Stored (persistent) XSS Attack
malicious code or script is permanently stored on a vulnerable or malicious server using a database
Reflected XSS Attack
malicious code or scripts are injected using any method that yields a response as part of a valid HTTP request
tools for passive reconnaissance
maltego
Directory traversal vulnerabilities
manipulate variables that reference files with dot-dot-slash (../) sequences and its variations
tools for credential attacks
medusa
exploitation frameworks
metasploit
creating reverse and bind shells
meterpreter module in metasploit
tools for credential attacks
mimikatz
Tools to practice security testing on iOS
mobisec live environment mobile testing framework
Command Injection
modern app frameworks have better defenses against these attacks
CVSS environmental metric group
modified base metrics
tools for software assurance
mutiny fuzzing framework
tools for credential attacks
ncrack
creating reverse and bind shells
netcat
XSS Mitigations
never insert untrusted data except in allowed locations
tools for vulnerability scanning
nexpose
tools for vulnerability scanning
nikto
tools for active reconnaissance
nmap
Metasploit
nops
tools and frameworks to test android-based systems and apps
nowsecure app testing
tools for passive reconnaissance
nslookup
decompilation, disassembling, and debugging tools
objdump
Local file inclusion
occurs when a web app allows a user to submit input into files or upload files to the server
metasploit
one of the most popular exploitation frameworks
tools for vulnerability scanning
openVAS
container example
openVz
Types of SQL Injection Attacks
out-of-band sql injection
tools for vulnerability scanning
owasp zed attack proxy (ZAP)
tools for credential attacks
patator
Metasploit
payloads
tools for software assurance
peach
actions you can take on a compromised system
performing arp scans and ping sweeps
use cases for penetration testing tools
persistence
common physical security attack
piggybacking/tailgating
Metasploit
post (for post-exploitation)
windows legitimate utilities
powershell
common tools for persistence
powershell/powersploit
ruby
programming language used in many web and other types of applications
Dang Vulnerable iOS
provides an iOS application to practice mobile attacks and security defenses
PCI Data Security Standard
provides reporting guidelines that are useful for structuring your report
HTTP proxies
proxies that make requests to web servers on behalf of other clients. they enable HTTP transfers across firewalls and can also provide support for caching of HTTP messages. proxies can also perform other roles in complex environments, including network address translation (NAT) and filtering of HTTP requests
common tools for evasion
proxy chains
session fixation attack
the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim's web browser
executive summary
the section of a penetration testing report that provides enough information for anyone reading the report to get a clear idea of the results
tools for passive reconnaissance
theharvester
cat, cd, pwd, ls
these are the same as the commands found in linux or unix-based systems
Code injection
this allows you to explore and modify processes at runtime
CERT.SF
this file lists resources and the hash of the corresponding lines in the MANIFEST.MF file
MANIFEST.MF
this file stores hashes of the app resources
CERT.RSA
this file stores the app's certificate(s)
clair
this is an open source static analysis tool for Docker containers from CoreOS
out-of-band technique
this is typically used to obtain records from the database by using a different channel. for example, it is possible to make an HTTP connection to send the results to a different web server or a local machine running a web service
union operator
this is typically used when a sql injection vulnerability allows a select statement to combine two queries into a single result or a set of results
error-based technique
this is used to force the database to generate an error in order to enhance and refine an attack (injection)
boolean
this is used to verify whether certain conditions are true or false
notary
this open source project includes a server and a client for running and interacting with trusted containers
common tools for evasion
tor
actions you can take on a compromised system
uploading additional tools
XSS Mitigations
use HTML escape before inserting untrusted data into HTML element content or HTML common attributes
XSS Mitigations
use JavaScript escape before inserting untrusted data into JavaScript data values
Directory traversal vulnerabilities
use absolute file paths to access files on the vulnerable system
XSS Mitigations
use an auto-escaping template system
clearev
used to clear the application, system, and security logs on a windows-based system
remote access protocols
used to communicate with a compromised system
SQL: CREATE DATABASE
used to create a new database
SQL: CREATE TABLE
used to create a new table
SQL: CREATE INDEX
used to create an index or a search key element
SQL: DROP TABLE
used to delete a table
SQL: DROP INDEX
used to delete an index
SQL: DELETE
used to delete data from a database
ps
used to display a list of running processes on the victim system
webcam_list
used to display all webcams on the victim system
lpwd and lcd
used to display and change the local directory (on the attacking system)
ipconfig
used to display the network interface configuration and IP addresses of the victim system
idletime
used to display the number of seconds that the user at the victim system has been idle
getuid
used to display the user logged in on the compromised system
download
used to download a file from a victim system
hashdump
used to dump the contents of the SAM database in a windows system
resource
used to execute Meterpreter commands listed inside a text file, which can help accelerate the actions taken on the victim system
shell
used to go into a standard shell on the victim system
SQL: INSERT INTO
used to insert new data into a database
search
used to locate files on the victim system
migrate
used to migrate to a different process on the victim system
SQL: ALTER DATABASE
used to modify a database
SQL: SELECT
used to obtain data from a database
edit
used to open and edit a file on a victim system using the vim linux environment
execute
used to run commands on the victim system
webcam_snap
used to take a snapshot using a webcam of the victim system
SQL: UPDATE
used to update data in a database
upload
used to upload a file to the victim system
Clickjacking
uses a combination of CSS stylesheets, frames, and text boxes
actions you can take on a compromised system
using local system tools
actions you can take on a compromised system
using management profiles and compromised credentials to perform additional enumeration and system manipulation
actions you can take on a compromised system
using vpn to access the internal network
common tools for evasion
veil
DOM-based XSS Attack
victim clicks on a malicious URL link, loading a site that has a vulnerable DOM route handler; payload executes the attack in the user's context on that site
reverse shell
victim connects to attacker on listening port
remote access protocol example
vnc
use cases for penetration testing tools
vulnerability scanning
Cookie Manipulation
vulnerable applications store user input and then embed that input in a response within a part of the DOM
tools for credential attacks
w3af
tools for vulnerability scanning
w3af
tools for passive reconnaissance
whois
decompilation, disassembling, and debugging tools
windows debugger
windows legitimate utilities
windows management instrumentation (WMI)
common tools for persistence
x server forwarding
remote access protocol example
x server forwarding
tools for active reconnaissance
zenmap
Cookie Manipulation
This input is later processed in an unsafe manner by a client-side script
Binary patching ("modding")
This involves changing the compiled app in binary executables or tampering with resources. Modern mobile operating systems such as iOS and Android enforce code signing to mitigate binary tampering.
aqua security
This is a commercial tool for securing container-based applications.
NowSecure App Testing
This is a mobile app security testing suite for Android and iOS mobile devices.
bane
This is an AppArmor profile generator for Docker containers.
dagda
This is another tool for performing static analysis of known vulnerabilities.
Exploiting Application Vulnerabilities
taking advantage of default credentials in use
decompilation, disassembling, and debugging tools
the GNU project debugger (GDB)
Ret2libc
A "return-to-libc" attack, which is an attack that typically starts with a buffer overflow. In this type of attack, a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the executable memory of the process. This is done to potentially bypass the no-execute (NX) bit Linux feature and allow the attacker to inject his or her own code.
CPassword
A component of Active Directory's Group Policy Preferences that was used to allow administrators to set passwords via Group Policy. If administrators used CPassword to perform common tasks (such as changing the local administrator account), any user with basic read rights to the SYSVOL directory could obtain the authentication key and crack it by using tools such as John the Ripper and Hashcat.
need-to-know
A determination that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized function. This determination helps manage the dissemination of information.
PCI DSS Penetration Testing Guide
A great reference for all aspects of the penetration testing process. This document covers topics such as penetration testing components, qualifications of a penetration tester, penetration testing methodologies, and penetration testing reporting guidelines.
Dradis framework
A handy tool that can ingest the results from many penetration testing tools and allows a penetration tester to compile and output reports in formats such as CSV, HTML, and PDF. It is very flexible because it allows a tester to use existing add-ons or create new ones.
Kernel-based keylogger
A program on the machine obtains root access to hide itself in the operating system and intercepts keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the kernel level, which makes them difficult to detect, especially for user-mode applications that don't have root access. They are frequently implemented as rootkits that subvert the operating system kernel to gain unauthorized access to the hardware. This makes them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
penetration testing report
A report that follows a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.
Shodan
A search engine for devices connected to the Internet that continuously scans the Internet and exposes its results to users via the website Shodan and also via an API. Attackers can use this tool to identify vulnerable and exposed systems on the Internet (such as misconfigured IoT devices, infrastructure devices, and so on). Penetration testers can use this tool to gather information about potentially vulnerable systems exposed to the Internet without actively scanning the victim.
web session
A sequence of HTTP request and response transactions between a web client and a server, including pre-authentication tasks, the authentication process, session management, access control, and session finalization. Numerous web applications keep track of information about each user for the duration of the web transactions. Several web applications have the ability to establish variables such as access rights and localization settings; these variables apply to each and every interaction a user has with the web application for the duration of the session.
Session
A sequence of HTTP requests and response transactions between a web client and a server
tailgating
A situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility.
CVSS
A standard created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) that is used to identify the principal characteristics of a vulnerability and rate the vulnerability using a numeric score that reflects its severity.
sysinternals
A suite of tools that allows administrators to control Windows-based computers from a remote terminal. It is possible to use Sysinternals to upload, execute, and interact with executables on compromised hosts. The entire suite works from a command-line interface and can be scripted to run commands that can reveal information about running processes and to kill or stop services.
keylogger
A tool that an attacker uses to capture keystrokes of users in a system in order to steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user's keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.
blind (or inferential) SQL injection
A type of attack in which the attacker does not make the application display or transfer any data but instead reconstructs the information by sending specific statements and discerning the behavior of the application and database.
in-band sql injection
A type of attack in which the attacker obtains data by using the same channel that is used to inject SQL code. This is the most basic form of an SQL injection attack, in which the data is dumped directly in a web application (web page).
out-of-band sql injection
A type of attack in which the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query, or the attacker might be able to send the compromised data to another system.
cross-site request forgery (CSRF or XSRF)
A type of attack that involves unauthorized commands being transmitted from a user who is trusted by the application. CSRF is different from XSS in that it exploits the trust that an application has in a user's browser. CSRF vulnerabilities are also referred to as "one-click attacks" or "session riding." CSRF attacks typically affect applications (or websites) that rely on a user's identity. An attacker may trick a user's browser into sending HTTP requests to a target website. For example, a user who is authenticated by an application based on a cookie saved in the browser might unwittingly send an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.
command and control (c2)
A type of system that attackers use to send commands and instructions to compromised systems. A C2 can be an attacker's system (desktop, laptop, and so on) or a dedicated virtual or physical server. Attackers often use virtual machines in a cloud service or even other compromised systems. Even services such as Twitter, Dropbox, and Photobucket have been used for C2 tasks. C2 communication can be as simple as maintaining a timed beacon, or "heartbeat," to launch additional attacks or for data exfiltration.
Reflected XSS Attack example
A user being persuaded to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user's browser, causing it to execute the code or script
shell
A utility (software) that acts as an interface between a user and the operating system (the kernel and its services). For example, in Linux there are several shell environments, such as bash, ksh, and tcsh. In Windows, the shell is the command prompt (command-line interface), which is invoked by cmd.exe as well as PowerShell.
cross-site scripting (XSS)
A very common web application vulnerability that can lead to installation or execution of malicious code, account compromise, session cookie hijacking, revelation or modification of local files, or site redirection. There are three major types of XSS: reflected XSS, stored (persistent), and DOM-based XSS.
XSS Mitigations
Prevent DOM-based XSS by following OWASP's recommendations
race condition
A vulnerability in which a system or an application attempts to perform two or more operations at the same time but, due to the nature of such system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. Race condition attacks are very difficult to perform. Race conditions are also referred to as time of check to time of use (TOCTOU) attacks. An example of a race condition is a security management system pushing a configuration to a security device (such as a firewall or an intrusion prevention system) and then rebuilding access control lists and rules from the system.
html injection
A vulnerability that occurs when an unauthorized user is able to control an input point and inject arbitrary HTML code into a web application. Successful exploitation could lead to disclosure of a user's session cookies, which could be used to impersonate a victim or to allow the attacker to modify the web page or the application content seen by victims.
tools for forensics
AIDA
Writable services
Administrators often configure Windows services that run with SYSTEM privileges. This could lead to a security problem because an attacker may obtain permissions over the service or over the folder where the binary of the service is stored (or both). Services configured this way are also often found in third-party software (TPS) and may be used for privilege escalation.
tools for software assurance
American fuzzy lop
credentials brute-force attack
An attack in which the attacker attempts to log in to an application or a system by trying different usernames and passwords.
command injection
An attack in which the attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell. This type of attack involves trying to send operating system commands so that the application can execute them with the privileges of the vulnerable application.
Nikto
An open source, freely available web server scanner that can test for various issues, such as outdated server software, dangerous methods, and many other vulnerabilities typically found in web servers.
anchore
Anchore is used to analyze container images for the presence of known security vulnerabilities and against custom security policies. It has both open source and commercial versions.
common tools for persistence
Apple Remote Desktop
remote access protocol example
Apple Remote Desktop
Command Injection
Attacker tries to execute operating system commands via a vulnerable application
HEAD
Basically the same as GET but returns only HTTP headers and no document body
exploitation frameworks
BeEF
tools for vulnerability scanning
Qualys
GraphQL
GraphQL is a query language for APIs that provides many developer tools. GraphQL is now used for many mobile applications and online dashboards. Many different languages support GraphQL. You can learn more about GraphQL at link.
Injection-Based Vulnerabilities
HTML script injection
HTML5
HTML5 has a sandbox attribute for use with iframes.
HPP
HTTP parameter pollution
HTTP status code 300-399
HTTP redirects
Unquoted service paths
If an executable (application binary) is enclosed in quotation marks (""), Windows knows where to find it. On the contrary, if the path where the application binary is located doesn't contain any quotation marks, Windows will try to locate it and execute it inside every folder of this path until it finds the executable file. An attacker can abuse this functionality to try to elevate privileges if the service is running under SYSTEM privileges. A service is vulnerable if the path to the executable has a space in the filename and the filename is not wrapped in quotation marks; exploitation requires write permissions to the path before the quotation mark.
XSS Mitigations
Implement a content security policy
sandbox
In cybersecurity, a means of isolating running applications to minimize the risk of software vulnerabilities spreading from one application to another. Sandboxes are also used to run untested or untrusted software from unverified or untrusted third parties, suppliers, users, or websites. For example, sandboxes are used in order to test malware without allowing the software to compromise the host system. In web development, a sandbox is a mirrored production environment that developers use to create an application before migrating it to a production environment. Companies like Amazon, Google, and Microsoft, among others, provide sandboxing services.
Types of SQL Injection Attacks
In-band sql injection
Debugging and tracing
It is possible to identify and isolate problems in a program as part of the software development life cycle. The same tools used for debugging are valuable to reverse engineers even when identifying bugs is not their primary goal. Debuggers enable program suspension at any point during runtime, inspection of the process's internal state, and even register and memory modification.
physical device security attack
JTAG debugging, reconnaissance, and tampering
tools for credential attacks
John the ripper
Web form-grabbing keylogger
Keyloggers can steal data from web form submissions by recording the web browsing on submit events.
LFI
Local file inclusion
JavaScript-based keylogger
Malicious JavaScript tags can be injected into a web application and then capture key events (for example, the onKeyUp() JavaScript function).
common tools for persistence
Microsoft's Remote Desktop protocol (RDP)
remote access protocol example
Microsoft's Remote Desktop protocol (RDP)
tools for vulnerability scanning
Nessus
tools and frameworks to test android-based systems and apps
OWASP seraphimdroid
Injection-Based Vulnerabilities
Object injection
XSS Request Forgery Attacks
Occur when unauthorized commands are transmitted from a user that the application trusts
HTML Injection
Occurs when an unauthorized user controls an input point and injects arbitrary HTML code into a web application
Microsoft Office
Office has a sandbox mode to prevent unsafe macros from harming the system.
decompilation, disassembling, and debugging tools
OllyDbg
Oscap-docker
OpenSCAP (created by RedHat) includes the oscap-docker tool, which is used to scan Docker containers and images
tools for forensics
PALADIN
Command Injection
Possible when an app does not validate data supplied by the user
Injection-Based Vulnerabilities
Remote file inclusion
RFI
Remote file inclusion
HTTP Protocol
Request/response model
GET
Retrieves information from the server
OPTIONS
Returns the HTTP methods that the server supports
tools for forensics
SIFT Workstation
Injection-Based Vulnerabilities
SQL Injection
XSS Mitigations
Sanitize HTML markup with a library such as ESAPI
tools for forensics
Security Onion
Sandboxing on native hosts
Security researchers may use sandboxing to analyze malware behavior. Even commercial solutions such as Cisco's ThreatGrid use sandbox environments that mimic or replicate the victim system to evaluate how malware infects and compromises such a system.
POST
Sends data to the server (typically using HTML forms, API requests, and so on)
HTTP Protocol
Server maintains the state of the interaction throughout the session
Injection-Based Vulnerabilities
Shell injection
HTTP Protocol
Simple, stateless application-level protocol in the TCP/IP protocol suite
tools for forensics
Skadi
Windows Management Instrumentation (WMI)
The infrastructure used to manage data and operations on Windows operating systems. It is possible to write WMI scripts or applications to automate administrative tasks on remote computers. WMI also provides functionality for data management to other parts of the operating system, including the System Center Operations Manager and the Windows Remote Management (WinRM). Threat actors use WMI to perform different activities in a compromised system.
Java virtual machines
These VMs include a sandbox to restrict the actions of untrusted code, such as a Java applet.
Secure Computing Mode (seccomp) and seccomp-bpf (seccomp extension)
These are sandboxes built in the Linux kernel to only allow the write(), read(), exit(), and sigreturn() system calls.
Representational State Transfer (REST)
This API standard is easier to use than SOAP. It uses JSON instead of XML, and it uses standards such as Swagger and the OpenAPI Specification for ease of documentation and to encourage adoption.
androick
This collaborative research project allows any user to analyze an Android application.
assets
This directory contains app assets (files used within the Android app, such as XML files, JavaScript files, and pictures), which the AssetManager can retrieve.
classes.dex
This directory contains classes compiled in the DEX file format that the Dalvik virtual machine/Android runtime can process. DEX is Java bytecode for the Dalvik virtual machine, and it is optimized for small devices.
lib
This directory contains native compiled libraries that are part of the APK, such as the third-party libraries that are not part of the Android SDK.
res
This directory contains resources that haven't been compiled into resources.arsc.
resources.arsc
This file contains precompiled resources, such as XML files for layout.
AndroidManifest.xml
This file contains the definition of the app's package name, target, and minimum API version, app configuration, components, and user-granted permissions.
.NET Common Language Runtime
This implementation enforces restrictions on untrusted code.
A jail
This implementation is commonly used in mobile devices where there is a restricted filesystem namespace and rule-based execution to not allow untrusted applications to run in the system. This is where the term jail-breaking comes in. Users may "jail-break" their phones to be able to install games and other applications. With a jail-broken phone, an attacker can more easily impersonate applications and deliver malware to the user because a jail-broken device does not have the security controls in place to prevent malware from running on the system.
Rule-based execution in SELinux and AppArmor security frameworks
This implementation restricts control over what processes are started, spawned by other applications, or allowed to inject code into the system. These implementations can control what programs can read and write to the file system.
Adobe Reader
This implementation runs PDF files in a sandbox to prevent them from escaping the PDF viewer and tampering with the rest of the computer.
Software fault isolation (SFI)
This implementation uses sandboxing methods in all store, read, and jump assembly instructions to isolated segments of memory.
Insecure Direct Object Reference
Vulnerabilities that are exploited when web applications allow direct access to objects based on user input. Successful exploitation could allow attackers to bypass authorization and access resources that should be protected by the system (for example, database records, system files). This type of vulnerability occurs when an application does not sanitize user input and does not perform appropriate authorization checks.
HTTP parameter pollution (HPP)
Vulnerabilities that are introduced when multiple HTTP parameters have the same name. HPP may cause an application to interpret values incorrectly. It is possible to take advantage of HPP vulnerabilities to bypass input validation, trigger application errors, or modify internal variable values.
sql injection (sqli)
Vulnerabilities that can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts, or "injects," partial or complete SQL queries via a web application. SQL commands are injected into data-plane input in order to execute predefined SQL commands.
API-based keylogger
With this type of keylogger, compromising APIs reside inside a running application. Different types of malware have taken advantage of Windows APIs, such as GetAsyncKeyState() and GetForegroundWindow(), to perform keylogging activities.
socat
a C2 utility that can be used to create multiple reverse shells
dropbox c2
a c2 utility that uses dropbox
twittor
a c2 utility that uses twitter direct messages for command and control
powersploit
a collection of powershell modules that can be used for post exploitation and other phases of an assessment
PowerSploit
a collection of powershell modules that can be used for post-exploitation
dnscat2
a dns-based c2 utility that supports encryption and that has been used by malware, threat actors, and pen testers
JTAG
a hardware access interface that allows a penetration tester to perform debugging of hardware implementations. debuggers can use JTAG to access registers, memory contents, and interrupts, and they can even pause or redirect software instruction flows
Swagger (OpenAPI)
a modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS)
meterpreter
a post-exploitation module that is part of the Metasploit framework
wmimplant
a powershell based tool that leverages wmi to create a c2 channel
rainbow table
a precomputed table for reversing cryptographic hash functions and for cracking password hashes
dumpster diving
a process in which an unauthorized individual searches for and attempts to collect sensitive information from the trash
trevorc2
a python-based c2 utility created by Dave Kennedy of trustedsec
wsc2
a python-based c2 utility that uses web sockets
methodology
a section of a penetration testing report that provides details about the process followed. this section provides the details of the methodology that the tester followed and any modification made throughout the process
Subresource Integrity (SRI)
a security feature that allows you to provide a hash of a file fetched by a web browser (client)
Kerberoast
a set of tools for attacking Microsoft kerberos implementations
bind shell
a situation in which an attacker opens a port or a listener on a compromised system and waits for a connection. this is done in order to connect to the victim from any system and execute commands and further manipulate the victim
piggybacking
a situation in which an unauthorized individual follows an authorized individual to enter a restricted building or facility
fence jumping
a situation in which an unauthorized individual jumps a fence or a gate to enter a restricted building or facility
lock picking
the act of manipulating or tampering with a lock to enter a building or obtain access to something else that is protected by a lock
tools for passive reconnaissance
recon-ng
use cases for penetration testing tools
reconnaissance
Exploiting Application Vulnerabilities
redirect attacks
XSS attack type
reflected xss
CVSS temporal metric group
remediation level
covering your tracks and cleaning up
remove all backdoors, daemons, services, and rootkits
covering your tracks and cleaning up
remove all custom data from your systems, including attacking systems and support systems
post-engagement activities
remove any malicious scripts
post-engagement activities
remove any user accounts created
CVSS temporal metric group
report confidence
covering your tracks and cleaning up
return any modified systems and their configurations to the original values
OWASP top mobile security risk
reverse engineering
container example
rocket (rkt)
iOS security core feature
sandbox
iOS security core feature
secure boot
Clickjacking Mitigation
send the proper content security policy (CSP) frame-ancestors directive response headers to instruct the browser not to allow framing from other domains
physical device security attack
serial console debugging, reconnaissance, and tampering
HTTP status code 500-599
server errors
Exploiting Application Vulnerabilities
session hijacking
tools for passive reconnaissance
shodan
Stored (persistent) XSS Attack
signing an online guestbook with malicious code
containers
similar in some ways to virtual machines
Remote file inclusion
similar to LFI but instead of accessing a file on the victim, the attacker executes code hosted on the attacking system
use cases for penetration testing tools
software assurance
SFI
software fault isolation
tools for vulnerability scanning
sparta
tools for vulnerability scanning
sqlmap
tampering techniques for mobile apps
static and dynamic binary analysis
software assurance
static application security testing (SAST)
XSS attack type
stored (persistent) xss
HTTP status code 200-299
successful transactions
windows legitimate utilities
sysinternals and psexec