IN5290


What is CIDR?

Classless interdomain routing (CIDR) is an addressing scheme for the Internet that allows more efficient use of IP addresses than the old Class A, B, and C scheme. It is more flexible and offers route aggregation (supernetting). A CIDR address is a network address that does not use original Class A, B, and C rules. For example, a CIDR address can look like this: 192.168.2.0/29.

What is JavaScript?

Client-side Programming Language

What are rainbow tables?

• The problem with brute-forcing is that it is very slow
• The problem with pre-calculation is that there is not enough space to store the hashes
• One idea that mixes the two is the rainbow table: tables that hold the translations of stored password hashes. Precomputed hash databases can also be used. See the John the Ripper or Hashcat hash modes.

How can you attack ftp and ssh services?

-brute-forcing with Hydra
-using exploits

What is needed for the tcp/ip communication?

• Valid IP
• Netmask
• Gateway
• DNS server(s)
Can we do something without a valid IP? Yes, we can listen to the traffic. The network topology can differ from network to network (ring, star, line). Packets addressed to a different device can pass through our computer, and so can the broadcast messages. The network card works at layer 2 and the addressing is done by the MAC. Normally all network cards process only the packets that have their own MAC in the destination field. On the other hand, network cards can work in promiscuous mode too.

What is a list scan?

• With the -sL switch
• Has no connection with the hosts
• The DNS server is asked if a specific domain is registered in its database

What is a ping scan?

• With the -sP switch
• Nmap pings all the specified hosts
• The available hosts are listed with their MAC address
• ICMP messages are not always allowed in a network

What is DNS poisoning?

A general expression for different attacks that manipulate the DNS database to divert Internet traffic away from legitimate servers and towards fake ones. In the case of internal networks one option is to do a man-in-the-middle attack with ARP poisoning.

What is a hash?

A hash function is any function that can be used to map data of arbitrary size to fixed-size values. It is a one-way function: it is practically infeasible to invert or reverse the computation. Hashing is also deterministic: the same input always provides the same output, the hash.

How to do hybrid password cracking?

The attacker tries all cleartexts in the dictionary file and their permutations:
• Calculate the hash of the first cleartext
• Compare the result with the hash that has to be cracked
• If it is identical then the cleartext was found
• If it is not identical then the next version of the current cleartext has to be considered
• If there is no more hybrid version then the next cleartext has to be taken from the dictionary
• Hybrid words:
- Double (TrondheimTrondheim)
- Reverse (miehdnorT)
- Substitute (Tr0ndh41m)
- Numbers added (Trondheim0 - Trondheim99)

How to do dictionary based password cracking?

The attacker tries all cleartexts in the dictionary file:
• Calculate the hash of the first cleartext
• Compare the result with the hash that has to be cracked
• If it is identical then the cleartext was found
• If it is not identical then the next cleartext has to be taken from the dictionary
• The number of combinations depends on the cleartexts in the dictionary file:
- Normal words
- Slang
- Geographical names
- Famous people

How to do brute-force password cracking?

The attacker tries all combinations:
• Calculate the hash of the first cleartext
• Compare the result with the hash that has to be cracked
• If it is identical then the cleartext was found
• If it is not identical then the next cleartext has to be checked
• The number of combinations depends on two parameters:
- The alphabet (which characters can be used)
- The length of the password

What are the steps for internal network hacking?

Internal network hacking steps:
-identifying available hosts in the target network
-identifying available services in the target network
-manual mapping of the services
-automatic vulnerability scanning
-manual verification of the findings
-exploitation
-lateral movements
-ensure access
-collect info
-remove clues

What is Mimikatz?

Mimikatz is an open-source application that allows users to view and save authentication credentials.
• Pass the hash (pass that exact NTLM hash string to the target computer to log in without cracking the hash)
• Pass the ticket (Mimikatz provides functionality for a user to pass a Kerberos ticket to another computer and log in with that user's ticket)
• Kerberos Golden Ticket (a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket gives you domain admin credentials to any computer on the network that doesn't expire)

What is monitor mode?

Monitor mode is for wireless adapters (WNIC). It allows monitoring of all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first.

What is salting?

Salting is simply the addition of a unique, random string of characters, known only to the site, to each password before it is hashed. Typically this "salt" is placed in front of each password.

What is a server-side script?

Script that is executed by the web server before the web page is sent to the user's computer. E.g.: php, perl, ruby, java

What is ARP (Address Resolution Protocol)?

Since both the MAC address and the IP address are needed for a communication (levels 2 + 3), a special protocol is used to discover and maintain the IP-MAC pairs. ARP is a network protocol used to find out the hardware (MAC) address of a device from an IP address. It is used when a device wants to communicate with some other device on a local network. The sending device uses ARP to translate IP addresses to MAC addresses. The device sends an ARP request message containing the IP address of the receiving device. All devices on a local network segment see the message, but only the device that has that IP address responds with the ARP reply message containing its MAC address. The sending device now has enough information to send the packet to the receiving device.

What is HTTP (Hypertext Transfer Protocol)?

The protocol used to communicate between web browsers and servers.
-used in the client-server model
-sends a request and receives an answer from the server
-consists of a header & a body
-request: protocol version, requested file, web method, hostname
-response: web answer, date, content type

How to compromise a website?

-First use it in a normal way
-Check for static and dynamic content
-Look for unintended content
-Try to find hidden content without a link (e.g.: conf files)
-Obtain as much info as possible
-Force the site to error with invalid inputs and check the response
-Use robots.txt
-Directory brute-force with dirb (has a collection of typical webserver related folder names)
-Input filtering
-Web developer extensions
-Tamper Data: modify outgoing traffic
-Postman: set custom headers and view cookies already set on the domain
-Burp Suite
-Hydra

What are the main methods of HTTP?

-GET: download data
-POST: send data
-HEAD: obtain the HTTP header
-PUT: place content on the server (e.g. RESTful services) (was used to upload content before FTP; potential vulnerability where an attacker could access the folder and upload arbitrary files)
-DELETE: remove content
-TRACE, DEBUG, OPTIONS
-E.g.: /index.php?first=a&second=b

What is virtual address space?

-an executable is launched and the OS generates a virtual address space for the process
-each process has its own virtual address space
-in order to use the real physical memory the OS provides a runtime memory translation between the virtual and physical memory
-separated into kernel space (drivers) and user space (segments/stacks - code and data)
-files are accessed from user space through the drivers
-segments: code, data, stack, heap, dynamically loaded libraries

How can you compile files to binary files?

-debug mode: variable and function names are saved and inserted into the binary
-release mode: only the necessary details are compiled
-static linking: a copy of all the used external
-dynamic linking: the external methods are not inside the binary; they will be placed in the virtual address space of the process when the binary is launched by the OS

How to avoid infinite loops in packet switched networks?

-no planned route -> a packet can get stuck in an infinite loop
-every packet should contain a TTL value (time to live) that is decreased when arriving at the next network device (network hop)
-when the TTL is 1 the packet has to be dropped

What are the steps of hacking?

1. General information gathering: collecting all available information from the target and systemizing the information
2. Technical information gathering: collecting network and system specific information like target IP ranges
3. Identifying available hosts in the target network (which computer can be attacked)
4. Identifying available services in the target network (which service can be attacked)
5. Manual mapping of the services (to check how it looks, the impressions, system reactions, mitigations, etc.)
6. Automatic vulnerability scanning (intelligent tools with a huge vulnerability database)
7. Manual verification of the findings (to check if the previous findings are real - true positives)
8. Exploitation
9. Lateral movements (to move through the network)
10. Ensure access until the end of the project
11. Collect info - achieve primary and secondary goals
12. Remove clues
13. Reporting and presentation
14. Removing the attacking files!!! (tools, data, scripts created temporarily during the pentest)

What is the stack frame?

A contiguous block inside the stack which stores the data of a method that was called (callee) by the caller. When a method is called, the caller or callee prepares the stack for the method execution. The stack frame contains the following data:
-Method parameters: parameters to pass to the method
-The return address of the method: address where the method was called from
-The local variables: they die after the method is executed
-The saved base pointer: reference to the local variables

What is return oriented programming (ROP)?

A software vulnerability exploitation method that is able to bypass non-executable memory protections. The payload is divided into code parts, and each code part is executed by a gadget (a small code block with one or more simple instructions and a ret type of instruction at the end).

What are session related attacks?

A user's session with a web application begins when the user first launches the application in a web browser. Users are assigned a unique session ID that identifies them to your application. The session should be ended when the browser window is closed, or when the user has not requested a page in a "very long" time.
•Predictable session token: The attacker finds out what the next session id is and sets his own session according to this.
•Session sniffing: The attacker uses a sniffer to capture a valid session id
•Client-side attacks (e.g. XSS): The attacker redirects the client browser to his own website and steals the cookie (JavaScript: document.cookie) containing the session id
•Man-in-the-middle attack: The attacker intercepts the communication between two computers
•Man-in-the-browser attack

What is Use-After-Free (UAF) exploit?

A vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. Pointers in a program refer to data sets in dynamic memory. If a data set is deleted or moved to another block but the pointer, instead of being cleared (set to null), continues to refer to the now-freed memory, the result is a dangling pointer. If the program then allocates this same chunk of memory to another object (for example, data entered by an attacker), the dangling pointer will now reference this new data set.

What is an ACK scan?

An ACK scan is used to determine if a firewall is stateful or stateless.
• The stateless firewall examines a packet independently of the previous packets.
• The stateful firewall can follow packet streams, considering previous packets.
For a stateless firewall an ACK packet seems like the third step of the handshake. For the stateful firewall it is pointless. nmap -sA

How is data transmission carried out in layer 4?

Apart from sending short simple messages, bigger data blocks can be transmitted between the hosts. The data transfer is carried out in the 4th layer by using 2 different approaches:
•UDP: streaming the data (no guarantee that all data will arrive, but fast)
•TCP: the arrival of all data is guaranteed in the right order (trustworthy transmission, slower than UDP)
In addition, the data transmission is carried out using port numbers. One host can send and receive data in multiple channels using different port numbers for different services.

What is Burp Suite?

Burp is a graphical tool for testing websites. It provides a proxy to intercept the browser's traffic. It has several modules for manipulating the web traffic.
• Spider: Automatic crawl of web applications
• Intruder: Automated attack on web applications:
-Sniper: one parameter, one iteration
-Battering ram: multiple parameters, one iteration
-Pitchfork: multiple parameters, multiple iterations
-Cluster bomb: multiple parameters, multiple iterations, all combinations considered
• Sequencer: Quality analysis of the randomness in a sample of data items
• Decoder: Transform encoded data
• Comparer: Perform comparison of packets
• Scanner: Automatic security test (not free)

Why is ethical hacking necessary?

Checking the system from the attacker's perspective can reveal serious security deficiencies. System security cannot be guaranteed without deep and regular penetration testing (and even then it is never perfect).

What is general information gathering?

Collecting all available information from the target and systemizing the information
• Usually the first step of every attack
• Before making contact with the target we need to prepare for the attack
• General information gathering covers all the efforts that are made to collect all the information from the target
• The collected information should be analyzed as well in order to filter out the important information
• Sometimes it is not obvious which information will be useful later, so all information should be systemized
• The result of the information gathering is a huge dataset with dedicated information (e.g. user lists, etc.)
• Google and social media are good methods to use (news, key persons, cache, accounts, building a personal profile)
• Tools: download static information using wget or HTTrack, FOCA, filtering via Google hacking (site:uio.no -www)

What is technical information gathering?

Collecting network and system specific information like target IP ranges. All data has to be published and accessible with the whois protocol.
• Domain names of the target (a hostname is a domain name that has at least one associated IP address)
• Domain owner(s) of the target
• Domain registrants
• IP addresses associated with the target websites
• IP ranges of the target
• IP range owner(s)
• List of hosted websites
• Hosting companies

What kind of errors (vulnerabilities) can we expect when compromising a service?

Configuration related errors:
- Default credentials
- Easy to guess credentials (we had information gathering before)
- No or inappropriate protection against guessing (brute-force)
- Unnecessary functions
- Privilege misconfigurations
- Other configuration errors
Software vulnerability related errors:
- No input validation
- Memory handling errors
- Several others (see later)

What is Cross Site Scripting (XSS)?

Cross Site Scripting (XSS) is a frequently appearing web related vulnerability. If the website accepts input from the user without proper validation or encoding then the attacker can inject client side code to be executed in the browser. Without validation the attacker can provide
• HTML elements
• JavaScript: JavaScript can overwrite the website content, redirect the page or access browser data, e.g. the cookies. You can:
-rewrite: the document content (defacing the site) to mislead the user
-redirect: to another site to mislead the user
-get cookie variables
-keylogging: register a keyboard event listener using "addEventListener"
-phishing: insert a fake login form into the page to obtain the user's credentials
Local files of the client are not accessible.

What is Cross Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Example: The attacker sends a tricky link to the user that executes a malicious action (transfer money to Maria) without the user realizing it. If the user is already logged in to the bank he has a valid session and the malicious action will be executed. Without the session the action will not be carried out.

How can you exploit an LFI vulnerability?

Depending on the server and the PHP settings, executing PHP scripts can be possible if the local file is php://input and the PHP script is the posted data. In other cases providing expect as the file will execute the desired OS command. Using encoding and php://filter as input, the server side scripts can be obtained: encode the PHP file with base64 and the PHP script source is revealed. If the attacker places the attacking script inside the user agent of the HTTP header and the webserver has the right to access the /proc/self/environ file, then he can execute any OS command in the name of the webserver application. If the environ file is not accessible by the webserver then the attacker can try to find the webserver process id and access the environ file through the process id. If the logs are accessible through the web server then the attacker can place the attacking PHP script in the logs to be executed in the same way as in the case of the /proc/self folder. The logs can be in various places; one option is to check the /var/log/apache2 folder.

What are content management systems (CMS)?

E.g.: WordPress. If a vulnerability appears in the CMS, millions of webpages can suddenly be vulnerable.

What are the differences between ethical and non-ethical hacking?

Ethical hacking
• Legal (contract)
• Promote the security by showing the vulnerabilities
• Find all vulnerabilities
• Without causing harm
• Document all activities
Non-ethical hacking
• Illegal
• Steal information, modify data, make service unavailable for own purpose
• Find the easiest way to reach the goal (weakest link)
• Do not care if the attack destroys the system (but not too early)
• Without documentation
• Without report, delete all clues

What are binary files?

Files that can be executed by the OS. They contain machine code instructions that the CPU understands. The binary file format depends on the CPU architecture and the OS. To make a binary executable file, source code has to be compiled. There's a direct connection between the machine code and the assembly code. If the source is written in assembly then the compilation is unambiguous.

What are different types of ethical hacking?

From the attacker's location point of view:
• External penetration testing
• Web hacking
• Internal penetration testing
• Wireless penetration testing
• Social Engineering
From the attacker's access (rights) point of view:
• Black box testing
• Grey box testing
• White box testing

What is fuzzing (in detail)?

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for any sign of error (exceptions such as crashes, failing built-in code assertions, or memory leaks).
How does the program accept the input?
• File format fuzzing: invalid files are created and opened by the application (e.g. an invalid PDF file is opened by a PDF reader)
• Protocol fuzzing or network based fuzzing: the input is provided through network protocols (e.g. an HTTP request is sent with a wrong format)
How to create invalid input?
• Mutation based input generation: using existing input to create slightly different versions
• Format description based input generation: the format is described, and the input is created using this
• Response based input generation: the input is based on the received response (interactive generation)

What is heap spraying?

Heap spraying is a payload delivery technique for heap related vulnerability exploitation. If we allocate an array with a specific member size then the heap will be full of our data. The heap allocation addresses are random, but since we use multiple copies of the same object it is likely to have our data at 0x0c0c0c0c too.

What is HTML?

HyperText Markup Language: language used to tell a web browser how to make a page look. The HTML file can contain:
-Pictures (png, jpg, gif)
-Stylesheets (css)
-JavaScript code
-Flash objects (swf)
E.g.: UiO's index.html

What are IP-addresses?

IP addresses are for the identification of computers during the communication (OSI 3rd layer, see later).
• In order to be easy to memorize, 8-bit (byte) blocks are used for IPv4 (32 bit), e.g. 129.240.171.52
• IPv6 (128 bit) addresses are represented as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0042:0000:8a2e:0370:7334

What is a decoy scan?

If a TCP connection is established it will be logged by the firewalls - this is noisy (in a network with huge internet traffic there are several port scans by robots). A decoy scan uses the «needle in the haystack» theory: it sends out each request in multiple copies with different source IPs.

What is a reverse scan?

In the case of reverse scanning, Nmap looks for closed ports. The result of a reverse scan can be either open/filtered or closed. It cannot be determined if a port is filtered or open.

What are the differences between circuit switched and packet switched networks?

In circuit switched networks, a virtual line is allocated between the communicating parties. The line is busy until the communication ends. In packet switched networks, the caller sends packets in the direction of the receiver. There's no planned route; each network device chooses the most appropriate device as the next hop, considering routing tables and traffic.

What is XPath injection?

Instead of storing datasets in databases, data can be stored in XML format. XPath can be used to make a query, e.g. finding the full name of the user whose username is john and the password is imagine:
$xml->xpath("/users/user[name='john' and password='imagine']/fullname")
Finding the first user in the database:
$xml->xpath("/users/user[position()=1]/fullname")
Finding the penultimate user:
$xml->xpath("/users/user[last()-1]/fullname")
Other XPath functions can be used as well: last(), count(node-set), string(), contains(), etc.

What is Internet Control Message Protocol (ICMP)?

Layer 3 - Internet Control Message Protocol (ICMP)
-to check if a host is responding
-echo request
-echo reply
-to make sure a host is turned on
-default TTLs
-traceroutes: hops
Since ICMP contains the TTL value, it is possible to guess the receiver host's operating system by its TTL -> PING + traceroute (since all devices have to drop packets with TTL=1, it is possible to map the route of a packet by repeating the ping with increasing TTL values).

What is Local file inclusion (LFI)?

Local file inclusion (LFI) is a vulnerability where the attacker can include a local file of the webserver using the webpage. If the server side script uses an include-file type of method and the input for the method is not validated, then the attacker can provide a filename that points to a local file. Adding a null character at the end of the path sometimes works when the normal exploitation fails.
E.g.: .../.../etc/passwd
E.g.: .../.../etc/passwd%00

What are the different network scanning positions?

Mapping the network...
-from the outside
-from a compromised server
-from the inside
Typical services outside: Web, FTP, SSH, DNS, mail (SMTP, POP3, IMAP, Exchange), VPN and many others.
Typical services inside: NetBIOS, SMB, printers, RDP, DB services, LDAP, etc.

What is Medusa?

Medusa is a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, VNC, etc.

What is the Metasploit Framework?

Metasploit Framework is a software platform for developing, testing, and executing exploits.
• Its database contains ready exploits in a standardized format
• Users can choose from the exploit lists to attack
• Exploits can be customized with different payloads (one of the best payloads is the Meterpreter shell)
• Exploits can be used by setting a few parameters (a loaded gun in the hands of script kiddies?)

What is Ncrack?

Ncrack is a high-speed network authentication cracking tool. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack's features include full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and many more. Protocols supported include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM and OWA.

What is SYN scan (half open scan)?

Nmap carries out a SYN scan with the -sS switch. Port numbers can be specified optionally. Example: nmap -sS -p80,43 host. Why use a SYN scan instead of a TCP scan? Does it give a different result? The main difference is that in the case of a TCP scan the TCP connection is established for every open port. Firewalls usually log only the established connections.

What is TCP full scan?

Nmap carries out a TCP scan with the -sT switch. Port numbers can be specified optionally. Example: nmap -sT -p80,43 host. Scanning all ports requires too much time (and is too noisy). We can reduce the port numbers by specifying them with the -p switch. Without -p nmap will scan the 1024 most popular ports.

What is operating system detection?

Nmap's remote OS detection uses TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.

What is Nmap?

Nmap is a universal port scanner. It is able to carry out ordinary and specific host and service discoveries. Nmap has a scripting engine which makes it capable of carrying out complex scanning as well as vulnerability discovery, fuzzing, etc. The main parameter is the scanning type that can be set with the -s switch, e.g. -sP: ping scan

What is a stack buffer overflow?

Occurs when a local variable on the stack is overwritten. This can happen when the size of the local variable is not considered.

How can you protect against stack exploitation?

Return to libc: No-execute protection (DEP in Windows) assigns permissions to memory segments (code and data), and the payload cannot be executed anymore. The idea is to use code reuse -> open a shell by redirecting the execution there.
Return oriented programming: Is able to bypass the non-executable memory protections and uses already existing code parts in the virtual address space to execute the payload. Can be used for both heap and redirection related vulnerabilities.

How can you do XSS rewriting?

Rewriting the page is possible with e.g. the JavaScript document.body.innerHTML syntax

How can you attack SMTP (Simple Message Transfer Protocol)?

SMTP (Simple Message Transfer Protocol) is a standard for email transmission in widespread use today. In the case of open-relay settings, the user doesn't need to provide credentials. Anyone can send a mail with arbitrary fields.
How to find open-relay SMTP?
•If one of the client's SMTP servers allows open-relay access then any email can be written unseen
•Spam boxes will probably contain some open-relay SMTP servers
How can the users make sure that an email arrived from the right person?
•Check the email header
•There's no 100% guarantee; use PGP (mail encryption)

What is XSS filter evasion?

Server side scripts can filter out XSS attacks with proper input validation. If the vulnerable input parameter is passed in the URL then the XSS payload is placed in the URL. It is a perfect way to send misleading links. Hackers try to discover ways of injecting code in areas commonly overlooked by developers and totally transparent to the client user. The Cross Site Scripting payload can be sent in the HTTP header too.

What is a TCP handshake?

The TCP handshake is the process by which a connection is established on a specific port. SYN, SYN + ACK, ACK

What is Server Side Template Injection (SSTI)?

Template engines are widely used by web applications to present dynamic data via web pages. Unsafely embedding user input in templates enables Server-Side Template Injection. If user input is substituted as a template parameter without proper validation then the vulnerability appears. After detecting the vulnerability the next step is to identify the template engine that was used (e.g. Smarty, Twig, Jade). Each template engine has its specific exploitation. In the case of a successful exploitation the attacker can even execute arbitrary shell commands.

What is the OSI model?

The OSI model is a theoretical representation of what happens between two nodes communicating on a network.
data - application
data - presentation
data - session
segments - transport
packets - network
frames - data link
bits - physical
All People Seem To Need Data Processing

What is heap overflow?

The basic example of the heap overflow is related to the free and the reallocation of a chunk. Each chunk contains a pointer pointing to the previous and to the next chunk. If the attacker controls the header of an entry (e.g. overwriting the datablock of a chunk next to the entry) then he can force the next heap allocation to be placed to a specific place.

How can you do XSS cookie stealing?

The cookies contain the session variables. If the attacker manages to steal the cookie with the session variable then he can carry out session fixation to obtain the victim's data. Syntax: alert(document.cookie)

What is SQL injection?

The easiest case of SQL injection is when we have a direct influence on an action. The user enters an SQL statement into a form instead of a name or other data. The accepted code becomes part of the database commands issued. Improper data disclosure, data damage and loss are possible. Well-designed applications make injections ineffective.

How are heaps managed?

The heap consists of chunks. Free chunks with the same size (rounded to 8 bytes) are organized in doubly linked lists. When heap memory is freed it goes to a free list according to its size. When the code requests a dynamic buffer, first the free lists are checked according to the requested size. If there is no free chunk for the size, a chunk is created.

What is the heap?

The heap is a storage place where the processes allocate data blocks dynamically at runtime (unlike the stack). There are several types of heap implementation. Each OS provides one or more of its own heap implementations (e.g. Windows 7: Low Fragmentation Heap), but programs can create their own heap implementations (e.g. Chrome) that are independent of the default OS solution. Because of the different solutions many custom heap allocators are available to tune heap performance for different usage patterns. The aims of the heap implementations are:
• allocation and free should be fast
• allocation should be the least wasteful
• allocation and free should be secure

What is peach fuzzing?

The random strategy will run forever. This strategy selects up to MaxFieldsToMutate elements to mutate at a time. For each selected element, one of its corresponding mutators is selected at random. Peach derives the randomness of these selections from a randomly generated seed number.

How can you prevent against session related attacks?

The session variable should be stored in the cookies. Since only the session id identifies the user, additional protection such as geoip significantly decreases the chance of the session id being stolen. For protecting the session id there are several options:
• Using SSL/TLS: if the packet is encrypted, the attacker cannot obtain the session id
• Using the HttpOnly flag: an additional flag in the response header that prevents the cookie from being accessed by client-side scripts
• Using geolocation: binding the session id to the IP address is a bad idea, because the IP of a user can change during browsing (dynamic IP addresses, especially for mobile clients). Checking the geolocation, however, is a good mitigation.
The session should expire when there is no user interaction. If the session expires after a long time or never, the attacker has time to brute-force the session variables. The optimal session expiry time depends on the type of the website. 30 minutes is generally a good value; it shouldn't be more than 6 hours.

When can you write local files with sql injection?

This is only possible if the following conditions are fulfilled:
• Union select or stacked queries are enabled
• With union select, the attacker has to know or guess the number of columns and the types of the chained query
• A writable folder is needed in the webroot that is later accessible by the attacker
• The attacker has to know or guess the webroot folder on the server

What is fuzzing?

This is the first step in identifying a vulnerability. It is the process of providing various data (invalid data too) to the application. A segmentation fault (access violation in Windows) indicates some error. A value can be invalid if:
- the format is incorrect
- it contains unexpected values (e.g. %)
- it is too long

What is service version detection?

Version detection interrogates the ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse the responses.

What is fastbin into stack exploitation?

When the program allocates a memory region, the allocated chunk is busy. After the allocation is freed, the chunk goes to one of the free lists. Free lists are linked lists that make the reallocation of memory easy and fast.
• there is no size checking when filling a memory region (it can be overwritten)
• one region can be freed twice (double free vulnerability)
The following bin types exist:
• Fast: small chunks are stored in size-specific bins
• Unsorted: when chunks are freed they are initially stored in a single bin and sorted later
• Small: the normal bins are divided into "small" bins, where each chunk has the same size, and "large" bins, where chunks have a range of sizes
• Large: for small bins, you can pick the first chunk and just use it; for large bins, you have to find the "best" chunk and possibly split it into two chunks
Fastbins are stored in simple linked lists. All chunks in a fastbin have the same size. The pointer to the first fastbin chunk is not visible to us, but the pointer to the second fastbin chunk is stored in the first one, the pointer to the third element is stored in the second one, and so on. If we manage to overwrite the content of the first fastbin chunk, we can overwrite the address of the next one. This is useful for forcing the allocator to place the second allocation where we would like it (e.g. on the stack).

How can you do a stack overflow exploit?

You should overwrite the local variable and reach the return pointer. The size of this padding depends on the size of the local variable and the stack layout. It can be determined by using a string like "aaaaaaaabbbbbcccccdd" and then reading the address from the error message. The new return address can point to the beginning of the payload. You can use debuggers like gdb on Linux to get to the part where the vulnerability occurs (start, s (step), until [address], finish).

How can you attack DNS?

Zone transfer: Since DNS data is stored redundantly, the slave DNS server can ask the master DNS server to send a copy of a part of its database (zone) to the slave.
Domain enumeration:
• We can check if reverse lookup is enabled
• We can also brute-force the domain names in the DNS database

How to find software vulnerabilities?

• Accidentally: e.g. my PDF reader keeps crashing on the same input. (Note: one crash is not a crash! If it cannot be repeated, anything could have happened)
• AV tools can report suspicious activity, such as a port being opened or a new suspicious registry entry being created. Analyzing it in a sandboxed environment can reveal unknown vulnerabilities. (Note that in this case the vulnerability was known in advance by whoever created the malware)
• Source code analysis (looking for patterns that can indicate vulnerabilities)
• Binary code static analysis: reverse engineering or advanced specific solutions (code property graphs)
• Binary code dynamic analysis (e.g. the angr framework)
• Fuzzing

How to do fastbin into stack exploitation?

• Allocate 3 buffers with the same size (id=0,1,2)
• Free the first, the second and the first again (id=0,1,0); one chunk is on the free list twice
• Allocate a new buffer (id=3); id3 (busy) is at the same place as id0 (free)
• Allocate another one (id=4); now the top of the free list is the id0 chunk
• Fill the content of id3 (it is at the same place as id0) and modify the fwd pointer of id0 to point to the stack location where the next return address is
• Allocate one more (id=5) to consume the id0 free list chunk
• Allocate one more (id=6); this chunk will be on the stack
• Fill chunk id6 with the payload (jmp esp + payload or ROP payload)

What are the different type of hackers?

• Black hat hackers: Hacking with malicious intent • White hat hackers: Perform penetration testing to promote the security • Script kiddies: amateurs (Usually young kids) using publicly available software tools to attack • Protest hackers (Protest against something e.g. anonymous) • Grey hat hackers: Usually white hat, but can be black hat • Red hat hackers: Stopping black hat hackers by attacking them • Blue hat hackers: Hacking in order to take revenge • Green hat hackers: Beginners to hacking

How can you prevent against CSRF attacks?

• Checking the referrer header in the client's HTTP request can prevent CSRF attacks
• Adding a per-request nonce ("form key") to the URL and all forms in addition to the standard session
• Adding a hash (session id, function name, server-side secret) to all forms
• Logging off before visiting another site
• Clearing the browser's cookies at the end of each browser session
CSRF real example: Samy worm in 2005

What are DNS-servers?

• DNS servers are all around the world
• Organized in a tree structure (13 root servers)
• The top level domains (.com, .net, .edu, .no, .de, etc.) are directly under the root servers
• DNS data are stored redundantly (master and slave server)
Tool: IP lookup with DNS - reverse IP lookup

What are the steps of exploit development?

• Finding the vulnerability (e.g. with fuzzing): the application crashes
• Find the reason for the crash (reverse engineering the code)
• Decide whether the control flow can be redirected or not
• Decide how and where to place the payload (e.g. on the stack, in the heap with spraying)
• Bypass all the mitigations (DEP, ASLR, sandboxing, etc.)
• Create a working version of the exploit (proof of concept)

How to start compromising a service?

• First use it in the normal way
 - Is there any information disclosure?
 - Error messages, etc.
 - Restrictions
• Force it to error and obtain information
 - Provide invalid data
 - Use it in an invalid way
• Try factory defaults
• Brute-forcing
• Search for known exploits
• Service-specific exploitations
• Unique ways

How can you write local files with sql injection?

• First, guess the webroot and the writable folder
• Guess the number of columns of the original query and also guess the column types
• Test whether the union select is executed with different column counts
• Upload a simple string
• Find an attacking script and upload it

What are the main steps of hacking?

• Information gathering • Identifying the target domain • Finding vulnerabilities • Exploiting the vulnerabilities • Lateral movements • Carry out the goal

Which SQL queries can be used for blind boolean based SQLi exploitation?

• MySQL version: SELECT @@version;
• MySQL user, password: SELECT host, user, password FROM mysql.user;
• MySQL databases: SELECT schema_name FROM information_schema.schemata;
• MySQL tables: SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

What are some protections and mitigations for heap exploitation?

• No execute protection (Data Execution Prevention in Windows) • Address Space Layout Randomization (ASLR) • Canary (Stack cookie) • Position Independent Executables • Fortify (buffer overflow checks) • Relro (the Global Offset Table is readonly)

How do you find network ranges?

• Search for all domains, including second and third level
• Look for the corresponding IPs
• Check which database contains the IP owner (whois)
• Check the IP ranges (RIPE, ARIN, etc.)
Tool: With the reverse whois service we can search for domains by providing an email or a name. Robtex is used for various kinds of research on IP numbers, domain names, etc.

What is format description (generation) based fuzzing?

• The file format or protocol is described (what kind of variables are stored in the file, in which place, relations, etc.)
• Very time consuming to describe the input format (e.g. the PDF reference 1.7 (file description from 2006) is 1310 pages)
• All combinations can theoretically be created

What is mutation based fuzzing?

• The input is created based on existing valid input
• Mutations of the input are made without knowledge of the structure of the input (e.g. random)
• Requires little setup time
• The success depends on the mutation algorithm
• Mutation can mess up the file format and prevent it from being processed (e.g. file checksums)

What is brute forcing?

• Trying out multiple combinations
• How to generate the options?
 - Random
 - Trying out all combinations
 - Using a list or dictionary
• Brute-forcing tools
 - THC Hydra (ssh, ftp, http). Hydra was created by the hacker group The Hacker's Choice. It is a universal brute-force tool that can be used for several protocols.
 - Ncrack
 - Medusa

What can you set in nmap?

• Type of scan (see detailed list later)
• Additional tests (e.g. version detection)
• Timing options (how many tries, how many parallel requests, max retries, scan delay, etc.)
• Hosts / host input
• Output result format (flat file, XML, etc.)
• Filtering (e.g. show only open ports)
• Scripts to run

How to exploit a Use-After-Free (UAF) vulnerability?

• Use an HTML file with a value "test" and make sure it is destroyed (its place is freed)
• After "test" is destroyed, a fake object with the size of "test" should be reallocated in the heap to avoid use after free
• The fake object has to be the same size as "test" to be allocated to the same place in virtual memory
• Determine where "test" was before the free (using pageheap)
• Search for the corresponding memory allocation (allocation in the same place)

What is Google hacking?

• Using specific Google queries we can use smart filtering or get «hidden» data • Filter to domain: use the site keyword • Filter to file type with extension: use the type keyword • Interesting file extensions: doc, xls, txt, conf, inc, sql, ... • Expressions can be combined

What are the motivations behind hacking?

• What a cool thing to be a hacker • Because I can • Money • Revenge • Annoyance • Protesting against something • Organized and well-paid professional groups (mafia and state sponsored groups)

What are the types of sql injection exploitations?

• Boolean based blind: The attacker provides an input and observes the website's answer. The answer is either page 1 or page 2 (only two options). There's no direct response to the attacker's query, but it is possible to play a true/false game using the two different responses. The difference between the two responses can be a single byte or the responses can be totally different.
• Error based: The attacker forces syntactically wrong queries and tries to map the database using the data provided by the error messages.
• Union query: The attacker takes advantage of SQL's union select statement. If the attacker can intervene in the SQL query, he can append a union select and form the second query almost freely.
• Stacked query: If the SQL engine supports stacked queries (first query; second query; etc.), then in case of a vulnerable parameter the attacker closes the original query with a semicolon and writes additional queries to obtain the data.
• Time based blind: The same as the boolean based, but instead of two different web responses the difference is in the response time (less trustworthy).
• Reading local files: The attacker can obtain data other than the database content
• Writing local files: With the select into outfile command the attacker can write local files
• Executing OS commands: In some cases the DB engine has the right to execute OS-level commands

What are the different XSS types?

• DOM based XSS: The data flow never leaves the browser; classical example: the source is an HTML element, the result is a sensitive method call.
• Stored XSS: The user input is stored on the target server, such as in a database, in a message forum or a visitor log. The victims retrieve the XSS through the web site.
• Reflected XSS: The user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
• Client Side XSS: The malicious data is used to fire a JavaScript call
• Server Side XSS: The malicious data is sent to the server and the server sends it back without proper validation

How can you prevent against XSS attacks?

• Escaping user input: User input and key characters received by a web page have to be escaped so that they cannot be interpreted in any malicious way. Disallow specific characters (especially the < and > characters) from being rendered. E.g. < is converted into &lt;
• Filtering: Like escaping, but instead of replacing the control character, it is simply removed.
• Input validation: Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. The input is compared against a whitelist or a regexp.
• Sanitizing input: Changing unacceptable user input to an acceptable format (all previous 3)

How can you attack using Object Oriented Programming (OOP) and the vtable?

A basic principle of OOP is polymorphism. Methods can be redefined for derived classes. Since the real type of an object is only decided at runtime, each object needs to have a virtual method table (vtable) that contains the object-specific method addresses. The attacker can overwrite the vtable pointer with a value pointing to an attacker-controlled memory region.

What is the stack?

A data segment that stores data in LIFO (last in, first out) order. Instructions place data (push) and pick and remove data (pop).

What is an exploit?

An exploit (from the English verb to exploit, meaning "to use something to one's own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

What is the goal of hacking?

Break the information security triple (confidentiality, integrity, availability)
- Steal confidential information
- Modify data
- Make services unavailable (Denial of Service)
- To promote security (ethical hacking)

What are the types of ethical hacking projects?

From the attacker's location point of view:
• External penetration testing
• Web hacking
• Internal penetration testing
• Wireless penetration testing
• Social engineering
From the attacker's access (rights) point of view:
• Black box testing
• Grey box testing
• White box testing

How can you do XSS redirection?

Redirection is possible with e.g. the JavaScript document.location syntax.

What are vulnerability databases?

Vulnerabilities are registered in a database, each vulnerability has a unique identification number.

What is ARP poisoning?

ARP poison routing is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

What is Active Directory (AD)?

Active Directory provides the methods for storing directory data and making this data available to network users and administrators. It stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information. It provides a broad range of directory-based identity-related services. A server running the Active Directory Domain Services (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers, and installing or updating software.
Protocols:
• Lightweight Directory Access Protocol (LDAP)
• Kerberos
• DNS
Services: Domain, Lightweight Directory Services, Certificate Services, Rights Management
Active Directory attacks:
• LDAP reconnaissance
• Local admin mapping
• Local privilege escalation
• Domain privilege escalation
• Impersonating an AD domain controller (Directory Replication Service)

What are automatic vulnerability scanners?

Automatic tools can carry out fast vulnerability identification. They have huge vulnerability databases that contain the requests that have to be sent to check for a vulnerability. Based on the answer, the scanner decides whether the vulnerability exists or not. The main characteristics of the scanners are:
• working with predefined web requests
• since their complexity is not too high (they cannot really find connections between actions), they usually have several false positives
• the identified vulnerabilities are categorized according to severity (critical, high, medium, low, information disclosure)
• scans can usually be customized (which scripts to run)
• tools can be trained how to log in to a password-protected web area
E.g.: VEGA

How to avoid ARP poisoning?

Dynamic ARP Inspection (DAI) is a security feature that helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP (Address Resolution Protocol) requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations. The DAI verification consists primarily of intercepting each ARP packet and comparing its MAC address and IP address information against the MAC-IP bindings contained in a trusted binding table. The trusted binding table is dynamically populated by DHCP snooping. DAI allows the configuration of static ARP ACLs to support systems that use statically configured IP addresses.

How to do port scanning on internal networks?

For host and service identification, port scanning can be used here as well. There is one significant difference: the internal network range is much larger.
• Identifying the network sub-ranges in use. This can be done using the packet sniffing data (if a specific IP is in use, scan the whole /24 subnet there)
• Identifying special network sub-range domains (e.g. server domains, printer domains) using the captured data
• Carrying out limited port scans, e.g. 10.0-255.0-255.1 (checking only the IPs ending with 1)
The service identification can be done in the same way as in the case of external network hacking (TCP scan, UDP scan, SYN scan, etc.). Making an inventory of the discovered hosts and services is even more important than in the case of external hacking.

How are passwords stored?

Having a login function for websites requires storing the usernames and passwords:
• When the user registers an account, a new record is created in the database with the username and the provided password
• When the user logs in, the provided password is compared with the one stored for the user; if they match, the user gets the appropriate session
• The easiest (but very insecure) way of storing the password is to store the username and the password as cleartext
• Storing the password as cleartext has the danger that anyone who has access to the database (even an attacker who dumps the database, e.g. with SQL injection) has all usernames and passwords, therefore the passwords have to be stored in a much more secure way

What are IP-ranges?

IP ranges contain several consecutive IP addresses, e.g. 129.240.171.56-129.240.171.63 (8 addresses)

What is promiscuous mode?

In promiscuous mode the NIC passes all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive (MAC). This mode is normally used for packet sniffing.

What is Netbios?

Network Basic Input/Output System (NetBIOS) provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network.
• NetBIOS Name Service is a service providing name lookup, registration, etc. (tcp 137)
• NetBIOS Datagram Service is a connectionless service to send data (udp 138)
• NetBIOS Session Service lets two computers establish a connection for a "conversation", allows larger messages to be handled, and provides error detection and recovery (tcp 139)
For NetBIOS troubleshooting, nbtstat is used.

How to get access to the internal network?

Physical access:
• Simply walk inside the building and find an endpoint
• How to get inside if there is access restriction:
 - Tailgating: An attacker seeking entry to a restricted area secured by unattended electronic access control (e.g. by RFID card) simply walks in behind a person who has legitimate access
 - Standing in front of the restricted area with a big package and asking somebody to help (hold the door)
 - Going inside in a normal way with a fake reason (have a real meeting inside the building, going in for a job interview)
 - Taking a real job inside (insider attack)
Logical access:
• Do we have link? (Is the endpoint patched?)
• Do we get an IP with DHCP? The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.
• Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses connecting to the port.

What is PowerSploit?

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

What is Server Message Block (SMB)?

SMB is mainly used for providing shared access to files, printers, and serial ports, and miscellaneous communications between nodes on a network. It can run:
• Directly over TCP (tcp/445)
• On NetBIOS (tcp 137/139, udp 138)
SMB has different versions:
- 2.1 was introduced with Windows 7
- 3.1 was introduced with Windows 10

What is a web server?

The web server is an application running under an OS. The user that runs the web server should have the least privileges. The web server configuration file contains almost all server settings.

How to bypass port security?

We need a valid MAC address for the port:
• Sniff the traffic to obtain a valid MAC
• Unplug a device from the network (e.g. a printer) and fake our MAC

What is wireshark?

Wireshark is a packet sniffer. It sets the NIC to promiscuous mode and displays all the traffic crossing the NIC. Each frame that crossed the NIC can be analyzed in more detail; all the data appears with its name when opening the frame data. In case there is no access to the network (no IP), relevant information can be revealed by only sniffing the traffic of other devices. What can we see from the Wireshark traffic?
• MAC addresses in use
• IPs in use
• Traffic directions
• Possible subnets
• Proxy servers
• Server zone
• Clear text data
Wireshark has advanced traffic filtering capabilities. It is also capable of following a chain of a specific communication, as well as presenting statistical data from the traffic.

Where to use crypto in ethical hacking?

• Ethical hackers usually have a non-disclosure agreement; all data used/revealed during the project should be well protected
• All communication to the client or inside the ethical hacking team must be secured

What is Pretty Good Privacy (PGP)?

• Everyone has a key pair: public key + private key • The public key is shared with others • The private key should be secured

How to protect the files/ data that we use during the penetration testing?

• Full disk encryption • Encrypted containers - E.g. Veracrypt

What are the types of encryptions?

• In symmetric cryptography we use one key to create the cipher text and the same key to get back the clear text
• In asymmetric cryptography we have a key pair: one key is used for encryption and the other for decryption
• In the case of hashing we produce a hash that cannot be reverted to cleartext
E.g.: Caesar cipher / Vigenère cipher / Morse / Brainf*ck

What is domain user privilege escalation?

• Passwords in SYSVOL & Group Policy Preferences (\\domain\SYSVOL\domain\Policies)
• MS14-068 Kerberos vulnerability
• Kerberos TGS service ticket offline cracking (Kerberoast)
• Credential theft: local privilege escalation -> local admin, log in to other workstations, find domain admin credentials on other workstations
• Gain access to the Active Directory database file (ntds.dit)

What are the different types of hash cracking?

• Brute-force based: The attacker tries out all combinations; time consuming
• Dictionary based: The attacker has a list of possible clear texts; only those hashes are cracked whose clear text is in the list
• Hybrid: Combines dictionary attacks with brute-forcing. Not only the dictionary words but slight modifications of them are tried, e.g. Trondheim -> Tr0ndhe1m, miehdnorT, TRONDHEIM, etc.
• Rainbow tables: Uses precalculated hashes that are ordered in chains and are very efficient to store and search
