CHFI - Chapter 8 (Investigating Web Attacks)

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

SmartWhoIs and ActiveWhoIs are examples of..?

IP Address locating tools

Arises when a web application is unable to handle technical issues properly and the website returns info, such as database dumps, stack traces, and codes

Improper Error Handling

In Whitespace manipulation, when attackers replace the keywords, some WAFs may replace the keywords with white space. In such case, the attackers use which characters to eliminate the space and bypass the firewalls.

%0b

what is / in hex

%2F

What is < in hex

%3C

What is > in hex

%3E

On Windows Server 2012, the IIS log files are stored by default in this location

%SystemDrive%\inetpub\logs\LogFiles

With the implementation of proper firewalls, IDS, IPS, antivirus, etc., it becomes difficult for the attackers to perform attacks like XSS and SQL injection and bypass the security mechanisms. To avoid this, the attackers perform these obfuscation techniques mentioned below to bypass them and perform malicious activities.

1. Hex encoding (%3c/script%3e>) 2. In-line comment (+/*!select*/+) 3. Char encoding/ double encoding (/union%252f%252a /select%252f%252a*/) 4. Toggle Case (SeLecT/) 5. Replaced Keywords (UNunionION+SEselectLECT+) 6. White space manipulation (use "%0b")

IN this apache log entry what is the what is the size of the object? 10.10.10.10 - jason [17/Aug/2016:00:12:34 +0300] "GET /images/content/bg_body_1.jpg HTTP/1.0" 676 1458

1458

Telnet runs on which port?

23

IN this log entry what is the size of the returned object? 10.10.10.10 - mina [17/Aug/2017:00:12:34 +0300] "GET /images/hello.jpg HTTP/1.0" 500 600

600

Name a network information utility that allows you to look up all the available information about an IP address, hostname or domain, name of the network provider, administrator and technical support contact information.

SmartWhois, ActiveWhois

Which parameter would you use with netstat to check the executable used for a connection

-b

Which parameter would you use with netstat to display per protocol stats

-s

Which parameter would you use with netstat to display the current connection offload state

-t

This is an example of an error log from what type of webserver? [Mon Sep 16 14:25:33.812856 2016] [core:error] [pid 12485:tid 8589745621] [client 10.10.255.14] File does not exist: /images/content/bg_body_1.jpg

Apache

This is an example of the log from what type of web server? 10.10.10.10 - mina [17/Aug/2017:00:12:34 +0300] "GET /images/hello.jpg HTTP/1.0" 500 1458

Apache

This is a method in which an attacker identifies a flaw related to access control and bypasses the authentication, and then compromises the network.

Broken Access Control:

Refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords

Broken Account Management

Attack Occurs when the application fails to guard memory properly and allows writing beyond maximum size

Buffer Overflow

The attackers attempting to compromise the e-commerce websites mostly use these types of attacks. They manipulate the hidden fields and change the data stored in them. They can substitute the original prices with the price of their choice and conclude the transactions. This sort of attack is faced by many online stores

Hidden Manipulation

What is CAPTCHA?

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAs)

Attack causes Modification of a website's remnant data for bypassing security measures or gaining unauthorized information

Cookie poisoning

In this attacking method, an authenticated user in made to perform certain tasks on the web application that is chosen by an attacker. Example: A user clicking on a particular link sent through an email or chat.

Cross Site Request Forgery:

The SQL injection attacks incidents can be found at three locations

IDS logs, Database logs, web server logs

Name the three main IIS components

HTTP.sys, WWW service, WAS service

Which Apache core component handles the server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them.

HTTP_MAIN

Which Apache core component interacts with the client?

HTTP_PROTOCOL

Which Apache core component controls the step by step procedure involved between the modules to complete a client request and is also responsible for error handling.

HTTP_REQUEST

:Theattackers attempting to compromise the e-commerce websites mostly use these types of attacks. They manipulate the hidden fields and change the data stored in them. They can substitute the original prices with the price of their choice and conclude the transactions.

Hidden Manipulation

Refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user

Information Leakage

This threat refers to a drawback in a web application where it unintentionally reveals the sensitive information to an unauthorized user.

Information leakage

The attackers inject malicious code, commands or scripts into the input gates of flawed web applications in such a way that the applications interpret and run with the newly supplied malicious input, which in turn allows them to extract sensitive information.

Injection Flaws

When developers expose various internal implementation objects such as files, directories, database records, or key-through references, it results in an insecure direct object reference. For example, if a bank account number is a primary key, there is a chance of attackers compromising the application and taking advantage of such references.

Insecure Direct Object References:

If the developers make any mistakes while enforcing the encryption techniques on a web application or ignore the security aspects of some parts of the application, this sensitive information might be at risk due to type of threat

Insecure Storage

Attack Occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information

Insecure storage

This kind of attack can simulate failure conditions and force all browsers to downgrade from attempting to negotiate TLS 1.2, making them fall back to SSL 3. At that point, a cryptographic attack can occur

MITM

This is a technique used by the attackers to create a number of variants of malicious code, thereby making it difficult for security mechanisms, such as web application firewalls, intrusion detection systems, etc., to detect it.

Obfuscation

Man in the middle is one of the examples of this type of attack. Hackers use tools like Webscarab and Paros proxy for the attacks.

Parameter/Form Tampering

Occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data

Parameter/Form Tampering

This is an example of what kind of XSS bypassing? +UNunionION+SEselectLECT+

Replaced Keywords

What is this an example of? http://www.bank.com/accounts.php?id=1+UNunionION+SEselectLECT+1, 2,3--

Replaced Keywords:

Occurs when attackers insert commands via input data nd are able to tamper with the data

SQL Injection

Failing to implement this can allow attackers to access session cookies

SSL/TLS

What does SIEM stand for?

Security Information and Event Management

. In this attack-type, the attacker tricks the user to access a genuine web server using an explicit session ID value. The attacker assumes the identity of the victim and exploits those credentials at the server.

Session Fixation Attack

What is this an example of? http://www.bank.com/accounts.php?id=1+UnIoN/**/SeLecT/**/1,2,3--

Toggle Case:

What does IIS WAS service stand for?

Windows Process Activation Service

This Apache component handles allocation of resource pools.

alloc.c

When attackers exploit HTTP by using this threat,they gain access to the unauthorized directories. Then, the attackers may execute commands outside the web server's root directory.

directory traversal

Within an IIS log record, where is the browser type listed?

fourth from extreme right

This apache element is responsible for reading and handling of the configuration files. One of the main tasks of http_config is that it arranges all the modules, which the server will call during various phases of the request handling.

http_config

What is IIS' main process exe

inetinfo.exe

Check for creation of new accounts in administrator group

lusrmgr.msc

Analyze at NetBIOS over TCP/IP activity

nbtstat -S

Analyze at NetBIOS over TCP/IP activity with destination IP to Netbios mapping

nbtstat -s

which net command will you use to check lockout duration in minutes

net accounts

which net command will you use to check on open sessions

net session

Look for unusual network services

net start

which net command will you use to check which services are started

net start

Which net command will provide the following output: Status Local Remote Network ---------------------------------- Unavailable H: \\xxx\yy\zz Microsoft Windows

net use

which net command will you use to create a share or check on file and printer shares and if sessions have been opened up with other systems

net use

which net command will you use to create a new account

net user

which net command will you use to check file and printer shares and their purpose

net view

Find if TCP and UDP ports have unusual listening

netstat -na

Find scheduled and unscheduled tasks on the local host

schtasks

The detection of a cookie poisoning attack includes intrusion prevention products. These products trace the cookie's "???" command given by the web server.

set

What is an good example of an IIS log name

u_eYYMMDD.log


Ensembles d'études connexes

Nursing Concepts - Cardiovascular

View Set

Chapter 4: Loops: Participation Activities

View Set

Managerial Accounting, 4e (Whitecotton) Chapter 6 testbank

View Set