Intrusion detection (chapters 10-13)

1) Defacing the Web site. 2) Attempting to destroy the application's database or selling its contents. 3) Attempting to gain control of user accounts. 4) Launching secondary attacks. 5) Attempting to gain access to other servers that are part of the network infrastructure.

After attackers gain control of a Web server, what are some of the post-exploitation actions they can take?

Apache can run more than twice as many web servers as IIS. Apache works on just about any *nix platform as well as on Windows, and it is free.

Apache and IIS: why use one over the other?

CGI is the interface that determines how a web server passes data to a web browser. It relies on Perl or other scripting or programming languages to create dynamic web pages, which is different from ASP. CGI programs can be written in Perl, C/C++, Unix shells, Visual Basic and FORTRAN. CGI example (Perl):
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello Security Testers!";

CGI (Common Gateway Interface) and how it operates:

Yes (wireless hackers can still attempt to guess the SSID, so verify that clients are not using a default SSID).

Can an AP be configured not to provide the SSID until after authentication?

Static web pages are created using HTML and display the same information regardless of time or user, whereas the information displayed by dynamic web pages varies according to time, date, username and purchasing history. Dynamic web pages need special components such as the <form> element, AJAX, Common Gateway Interface (CGI), Active Server Pages (ASP), PHP, ColdFusion, JavaScript, and database connectors.

Comparison between Static and Dynamic Web pages.

It depends on the embedded OS. Most devices allow access through a web browser. (Note: APs have 2 antennas.)

Configuration of an AP varies depending on what?

FALSE (creating an ADO connection to the database is the first step).

Creating the ADO recordset is the first step to accessing a database. TRUE or FALSE?

NO! Most systems allow HTTP traffic and its content through, so network-layer protection doesn't always prevent application-layer attacks from occurring.

Does the effectiveness of a company's firewalls or intrusion detection systems prevent HTTP traffic from entering?

FALSE (drones with an antenna and the same software used in wardriving are used). Note: testers used the software Kismet.

During warflying, software that is different from wardriving is used. TRUE or FALSE?

A WNIC (converts radio waves into digital signals).

For wireless technology to work, what must each node or computer have?

An ad-hoc network.

Give an example of an independent WLAN without an AP.

Baby monitors, cell phones and smartphones, GPS devices, keyless entry, remote controls, garage door openers, two-way radios, Bluetooth speakers, etc.

Give some examples of devices that use wireless technology.

Different technologies use different frequencies, referred to as bands, to transmit sound. For example, AM radio stations use medium frequency (MF band) and FM radio stations use very high frequency (VHF band). (Note: the frequency band is determined by the distance sound waves need to travel.)

How are bands used?

It analyzes an application's source code for vulnerabilities and is therefore only possible when the source code of the application is available. (Note: it is a reliable way to enumerate most application vulnerabilities that result from coding errors.)

How does SAST (static application security testing) work?

By using TKIP (Temporal Key Integrity Protocol).

How does WPA (802.11i standard) improve encryption?

Interoperability between back-end DBMSs is a key feature of the ODBC interface, allowing developers to focus on the application without worrying about a specific DBMS.

How do back-end DBMSs work with the ODBC (Open Database Connectivity) interface?

Most web pages that display company information to users are stored on a database server. Web pages that prompt a user for information, such as name, phone number, address and so on, store the information users enter in a database.

How does connecting to databases from a Web application work?

In FHSS, data hops to other frequencies to avoid interference that might occur over a frequency band, whereas in DSSS, data is spread simultaneously over multiple frequencies instead of hopping to other frequencies. In OFDM, the bandwidth is divided into a series of frequencies called tones, which allows higher throughput (data transfer rate) than FHSS and DSSS.

How is FHSS (Frequency Hopping Spread Spectrum) different from DSSS (Direct Sequence Spread Spectrum)? What is OFDM (Orthogonal Frequency Division Multiplexing)?

Both are server-side scripting languages used for developing dynamic Web pages.

How is the PHP scripting language similar to ColdFusion?

Rename the default SSID.

If you can't disable SSID broadcasts, what is the alternative for preventing wireless attacks?

It filters unauthorized MAC and IP addresses and prevents access.

In regard to countermeasures for wireless attacks, what happens if we use a router?

The same key being used repeatedly was the problem in WEP. The enhancement made by WPA provides fresh keys that help prevent attacks that relied on reusing the old keys, i.e. someone running a program to decipher the key could likely do so after collecting a large number of packets.

In regard to keys, what was the big problem in WEP that was addressed by the rekeying mechanism in WPA?

Yes (the components are the supplicant, the authenticator and the authentication server).

Is "Authentication server" one of the components of 802.1X?

NO.

Is it a good idea to broadcast SSIDs?

Yes (but using the network's resources is illegal).

Is wardriving legal?

OLE DB.

Oracle, MS SQL Server and MySQL work with what kind of database connectivity technology?

validate.asp.

The contents of the username and password parameters are passed to the ASP page called what?

A programming interface for connecting a Web application to a database. It defines technologies that allow applications, such as Word or Excel, to interact with the Web.

What are ActiveX Data Objects (ADO)?

PHP Hypertext Processor is similar to ASP and ColdFusion and enables web developers to create dynamic web pages.

What is the PHP Hypertext Processor scripting language?

The bigger a program is and the more people access it, the more bugs and defects are possible. Some defects create security vulnerabilities.

What are programming bugs?

The name used to identify a WLAN. It is configured on the AP as a unique, 1 to 32 character, case-sensitive alphanumeric name. (Note: on wireless computers the SSID must be configured before connecting; the SSID is transmitted with each packet; the AP usually broadcasts the SSID.)

What are SSIDs (Service Set Identifiers)?

1) WNICs (transmit and receive wireless signals; access points are the bridge between wired and wireless networks). 2) WPA (wireless networking protocol). 3) A portion of the RF spectrum, which replaces wire as the connection medium. 4) APs.

What are the parts of a wireless network?

Tcpdump or Wireshark.

What are some of the examples of sniffers?

1) Create an ADO connection to the database that needs to be accessed. 2) Open the database connection created in step 1. 3) Create an ADO recordset, which contains rows from the table that is accessed. 4) Open the recordset. 5) Select the data that's needed from the recordset, based on particular criteria. 6) Close the recordset. 7) Close the database connection.

What are the ActiveX steps to accessing a database?

- Using anti-wardriving software like honeypots or Black Alchemy Fake AP could make it more difficult for hackers to discover our WLAN.
- Using a router that filters unauthorized MAC and IP addresses could prevent hackers from easily accessing our network.
- Using special paint on the walls to prevent radio waves from leaving or entering the building where the network is located could be quite effective.
- Using an authentication server instead of relying on a wireless device is considered an effective way of protecting the network from wireless attacks.
- Upgrading to WPA2 means better security, since it uses AES encryption instead of TKIP, which is the encryption method used by WPA.
- Placing the AP in a DMZ and using a firewall, because it filters out traffic.
- Using EAP allows different protocols that enhance security.
- The default SSID should be changed.

What are the countermeasures for wireless attacks?

1) Using bad random number generators. 2) Using a known weak method of encryption. 3) An application that doesn't actually enforce the use of secure channels. 4) Using a self-signed certificate instead of a purchased certificate.

What are the main reasons for problems in cryptography?

EAP-TLS, Protected EAP (PEAP), and Microsoft PEAP.

What are the methods to improve wireless network security?

Written for Windows. Detects WLANs using 802.11 (b, g, n and ac) APs. Has the capability to interface with GPS.

What are the qualities of the Vistumbler freeware tool used for wardriving/warflying?

2.4 and 5 GHz.

What are the two frequencies used by wireless networks?

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

What are the two techniques used to test web applications?

A1: Injection vulnerabilities
A2: Authentication flaws and weaknesses
A3: Cross-site scripting (XSS)
A4: Insecure direct object reference
A5: Security misconfigurations
A6: Sensitive data exposure
A7: Missing function level access control
A8: Cross-site request forgery
A9: Using components with known vulnerabilities
A10: Unvalidated redirects and requests

What is the OWASP Top 10 list?

Web applications have bugs and a larger user base than standalone applications.

What are web applications?

They process information from a web form using a web application, and this is an easy way for attackers to intercept the data users submit (HTML documents). Security testers should recognize when forms are used.

What are web servers?

It defined the specification for wireless connectivity. (Note: 802.11 operates at the physical layer of the OSI model.)

What did the first wireless technology standard, 802.11, define?

Hidden fields.

What do application developers commonly use in tables and obscured URLs to enforce their access control instead of checking users' privileges before processing a request?

Unsecured APs.

What do hackers try to detect while driving around with inexpensive hardware and software?

A distribution system (DS).

What does 802.11 require to connect two BSSs?

It defines the process of authenticating and authorizing users on a network. It is useful for WLAN security.

What does the 802.1X standard define?

WPA and WPA2 (WPA2 uses AES (Advanced Encryption Standard) encryption).

What does a VPN use?

Approved projects.

What do the letters after 802.11 denote?

SSIDs (note: not all WNICs are compatible with scanning software).

What does most scanning software detect?

Attackers insert ("inject") their own SQL statements within the application's SQL statement.

What happens during SQL injection?

An attacker can cause a server to run code, overfill a buffer, perform database queries, reflect malicious content back to users, and perform many other malicious actions.

What can happen through injection vulnerabilities?

A sequence number is applied to the WEP IV field (i.e. if a packet is received with an IV equal to or less than the sequence number received earlier, the packet is discarded).

What happens in WPA that prevents a replay from occurring?

WPA2 (WPA2 uses AES encryption instead of TKIP).

What has officially replaced WPA in the official Wi-Fi standard?

When the application gives a tester no indication that a SQL statement was run. It has its own set of tests that are required for detection.

What is "Blind SQL injection"?

A BSS is a collection of devices (AP and stations, or just stations) that make up a WLAN. The BSS is the building block of 802.11. A BSA is the coverage area an AP provides. (Note: as long as a station is within its BSA, it can communicate with other stations in the BSS.)

What are BSS (Basic Service Set) and BSA (Basic Service Area) used for?

DAST (Dynamic Application Security Testing) is the analysis of a running application for vulnerabilities. It can also be used alongside SAST to prioritize SAST findings. (In the absence of source code, DAST is all testers can perform.)

What is DAST?

Institute of Electrical and Electronics Engineers (it defines several standards for wireless networks; IEEE Project 802 covers LAN and WAN standards).

What is IEEE?

A standard database access method developed by the SQL Access Group. Its interface allows an application to access data stored in a DBMS, such as Microsoft SQL, Oracle, or any system that can recognize and issue ODBC commands.

What is ODBC (Open Database Connectivity)?

A set of interfaces that enable applications to access data stored in a DBMS. Microsoft designed it to be faster, more efficient and more stable than its predecessor, ODBC. It uses connection strings.

What is OLE DB (Object Linking and Embedding Database)?

Sound wave height (note: a sound wave's amplitude and frequency determine its volume and pitch).

What is amplitude?

It involves using creative ways to bypass the flow a user is expected to follow. (For example: if the user doesn't have adequate funds, the transfer of money is halted. Business logic testing involves tricking the application into thinking we have $1,000,000 in our account when there is only $100.) This vulnerability is crucial during application testing.

What is business logic testing?

The rate at which sound waves repeat.

What is frequency?

Basic Service Set (BSS); Basic Service Area (BSA); a WLAN running in infrastructure mode; ad-hoc network (an independent WLAN without an AP).

What is in the basic architecture of 802.11?

It is the act of filtering, rejecting, or sanitizing a user's untrusted input before the application processes it. Input validation problems can lead to data disclosure, alteration and destruction. (Note: an example of input validation gone wrong is SQL injection.)

What is input validation and what is the result of input validation problems?

It defines how data is placed on a carrier signal. (Note: the data spreads across a large frequency bandwidth instead of traveling across just one frequency band.)

What is modulation in regards to spread spectrum?

A set of rules formulated by an organization.

What is a standard in terms of wireless networks?

The RSA algorithm.

What is the first algorithm used for both encryption and digital signing, and still widely used, particularly in e-commerce?

It removes the known WPS attack vectors.

What is the benefit of removing WPS?

Home-XXX-2.4, Home-XXXX-5, tsunami. The default SSID for Apple is Apple Network XXXXXX. (Note: change these default SSIDs for extra security.)

What is the default SSID for Cisco? What is the default SSID for Apple?

100 m.

What is the maximum distance for wireless APs?

1 or 2 Mbps for 802.11 and 2 Mbps for 802.15. The frequency for both is 2.4 GHz. The modulation method for 802.11 is FHSS/DSSS, and for 802.15 it is FHSS.

What is the maximum speed rate of 802.11 and 802.15? What is their frequency and modulation method?

54 Mbps. The frequency of 802.11a and HiperLAN/2 is 5 GHz; the frequency of 802.11g is 2.4 GHz. The modulation method for all of them is OFDM (orthogonal frequency division multiplexing).

What is the maximum speed rate of 802.11a, 802.11g and HiperLAN/2? What is their frequency and modulation method?

WiMAX (802.16, with a frequency of 10-66 GHz and a maximum speed rate of 120 Mbps; uses OFDM). (Page: 311)

What is the most widely used implementation of wireless MAN technology?

Cryptography. It can be used on data that people want to keep private. (Note: ciphertext is encrypted text.)

What is the process of converting plaintext into ciphertext?

30-300 MHz (the wavelength is 10 m to 1 m).

What is the range of VHF (very high frequency)?

It reveals insecure direct object references and can also reveal other major areas of concern. (Note: authorization testing is an important part of any application test.)

What is the result of authorization testing?

Cryptanalysis.

What is the study of breaking encryption algorithms?

A laptop computer; a WNIC (not all are compatible); an antenna; and software that identifies the company's SSID, signal strength, and the security type enabled.

What kind of equipment is used during wardriving?

Whether we can enter text with punctuation marks, such as a single quotation mark followed by any SQL keyword, and whether we get any sort of database error when attempting to inject SQL statements.

What should basic SQL injection testing look for?

Developers can enable debugging, which provides rich logging information helpful for diagnosing issues. (Note: if debugging mode is left on after troubleshooting, it could be a rich source of information for attackers. Only a generic message should be displayed to users in these error cases.)

When an application needs to undergo troubleshooting, what can developers do? (In what ways can a web application be configured or written to handle errors?)

Find a way to subvert it.

When developers decide to create their own cryptographic schemes instead of using the common crypto framework, what do experienced testers do?

Access Points (APs) (an AP is the radio transceiver that connects to the network via an Ethernet cable and enables users to connect to a LAN).

Where are RF channels configured?

Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS is a requirement for all businesses that sell products online.

What is the Ten Most Critical Web Application Security Risks paper published by OWASP (Open Web Application Security Project) built into?

802.1X and EAP (Extensible Authentication Protocol).

Which authentication mechanism wasn't available in WEP but is widely used in WPA?

EAP (Extensible Authentication Protocol), an enhancement to PPP. It allows a company to select the authentication method. The X.509 certificate identifies the owner, the CA (certificate authority) and the owner's public key.

Which basic concept of 802.1X contains X.509 information?

PPP (it handles authentication by requiring a user to enter a valid username and password).

Which protocol is used to connect dial-up or DSL users?

VBScript (Visual Basic Script). VBScript can be inserted into HTML Web pages to convert static Web pages into dynamic Web pages. The Microsoft security bulletin search page is an excellent starting point for investigating VBScript vulnerabilities. (BLT applied here)

Which scripting language is the Microsoft version of JavaScript?

Kismet.
- A passive scanner, so it can detect even hidden network SSIDs.
- Can be used to detect rogue APs on a company's network.
- GPS tools like GPSD and GISKismet work with Kismet.

Which tool is also a sniffer and an intrusion detection system?

Aircrack-ng (note: Aircrack-ng replaced AirSnort). It has Fern WiFi Cracker as a GUI front-end.

Which tool is used by most hackers to access WEP-enabled WLANs?

Kismet.

Which wardriving tool runs on Linux, BSD Unix, Mac OS X and even Linux PDAs?

802.20 (frequency below 3.5 GHz and a maximum speed rate of 1 Mbps; the modulation method used is OFDM).

Which wireless MAN (metropolitan area network) standard addresses wireless MANs for mobile users?

802.15.

Which wireless standard is called wireless personal area network (WPAN)?

The use of third-party libraries saves developer time and means less documentation is required than for complex routines of custom code. Keeping them current and secure is important.

Why are third-party libraries used?

Because IR light can't penetrate walls, ceilings, or floors.

Why is IR (infrared) technology restricted to a single room or line of sight?

To recognize vulnerabilities when they exist.

Why is it necessary to understand the technology of connecting to databases?

For enhancing security.

Why use encryption?

Macro viruses and worms, and all worms that take advantage of cross-site scripting vulnerabilities, are based on scripting languages.

Why use one language over another?

Because it is a very specialized practice. (Note: many security professionals have experience in networking but little or no experience in programming.)

Why was application security, often referred to as AppSec, once overlooked by professionals?

