CHFI - Chapter 8 (Investigating Web Attacks)
SmartWhoIs and ActiveWhoIs are examples of..?
IP Address locating tools
Arises when a web application is unable to handle technical issues properly and the website returns info, such as database dumps, stack traces, and codes
Improper Error Handling
In Whitespace manipulation, when attackers replace the keywords, some WAFs may replace the keywords with white space. In such case, the attackers use which characters to eliminate the space and bypass the firewalls.
%0b
what is / in hex
%2F
What is < in hex
%3C
What is > in hex
%3E
On Windows Server 2012, the IIS log files are stored by default in this location
%SystemDrive%\inetpub\logs\LogFiles
With the implementation of proper firewalls, IDS, IPS, antivirus, etc., it becomes difficult for the attackers to perform attacks like XSS and SQL injection and bypass the security mechanisms. To avoid this, the attackers perform these obfuscation techniques mentioned below to bypass them and perform malicious activities.
1. Hex encoding (%3c/script%3e>) 2. In-line comment (+/*!select*/+) 3. Char encoding/ double encoding (/union%252f%252a /select%252f%252a*/) 4. Toggle Case (SeLecT/) 5. Replaced Keywords (UNunionION+SEselectLECT+) 6. White space manipulation (use "%0b")
IN this apache log entry what is the what is the size of the object? 10.10.10.10 - jason [17/Aug/2016:00:12:34 +0300] "GET /images/content/bg_body_1.jpg HTTP/1.0" 676 1458
1458
Telnet runs on which port?
23
IN this log entry what is the size of the returned object? 10.10.10.10 - mina [17/Aug/2017:00:12:34 +0300] "GET /images/hello.jpg HTTP/1.0" 500 600
600
Name a network information utility that allows you to look up all the available information about an IP address, hostname or domain, name of the network provider, administrator and technical support contact information.
SmartWhois, ActiveWhois
Which parameter would you use with netstat to check the executable used for a connection
-b
Which parameter would you use with netstat to display per protocol stats
-s
Which parameter would you use with netstat to display the current connection offload state
-t
This is an example of an error log from what type of webserver? [Mon Sep 16 14:25:33.812856 2016] [core:error] [pid 12485:tid 8589745621] [client 10.10.255.14] File does not exist: /images/content/bg_body_1.jpg
Apache
This is an example of the log from what type of web server? 10.10.10.10 - mina [17/Aug/2017:00:12:34 +0300] "GET /images/hello.jpg HTTP/1.0" 500 1458
Apache
This is a method in which an attacker identifies a flaw related to access control and bypasses the authentication, and then compromises the network.
Broken Access Control:
Refers to vulnerable management functions, including user updates, recovery of passwords, or resetting passwords
Broken Account Management
Attack Occurs when the application fails to guard memory properly and allows writing beyond maximum size
Buffer Overflow
The attackers attempting to compromise the e-commerce websites mostly use these types of attacks. They manipulate the hidden fields and change the data stored in them. They can substitute the original prices with the price of their choice and conclude the transactions. This sort of attack is faced by many online stores
Hidden Manipulation
What is CAPTCHA?
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAs)
Attack causes Modification of a website's remnant data for bypassing security measures or gaining unauthorized information
Cookie poisoning
In this attacking method, an authenticated user in made to perform certain tasks on the web application that is chosen by an attacker. Example: A user clicking on a particular link sent through an email or chat.
Cross Site Request Forgery:
The SQL injection attacks incidents can be found at three locations
IDS logs, Database logs, web server logs
Name the three main IIS components
HTTP.sys, WWW service, WAS service
Which Apache core component handles the server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them.
HTTP_MAIN
Which Apache core component interacts with the client?
HTTP_PROTOCOL
Which Apache core component controls the step by step procedure involved between the modules to complete a client request and is also responsible for error handling.
HTTP_REQUEST
:Theattackers attempting to compromise the e-commerce websites mostly use these types of attacks. They manipulate the hidden fields and change the data stored in them. They can substitute the original prices with the price of their choice and conclude the transactions.
Hidden Manipulation
Refers to a drawback in a web application where it unintentionally reveals sensitive data to an unauthorized user
Information Leakage
This threat refers to a drawback in a web application where it unintentionally reveals the sensitive information to an unauthorized user.
Information leakage
The attackers inject malicious code, commands or scripts into the input gates of flawed web applications in such a way that the applications interpret and run with the newly supplied malicious input, which in turn allows them to extract sensitive information.
Injection Flaws
When developers expose various internal implementation objects such as files, directories, database records, or key-through references, it results in an insecure direct object reference. For example, if a bank account number is a primary key, there is a chance of attackers compromising the application and taking advantage of such references.
Insecure Direct Object References:
If the developers make any mistakes while enforcing the encryption techniques on a web application or ignore the security aspects of some parts of the application, this sensitive information might be at risk due to type of threat
Insecure Storage
Attack Occurs when an attacker is allowed to gain access as a legitimate user to a web application or data such as account records, credit card numbers, passwords, or other authenticated information
Insecure storage
This kind of attack can simulate failure conditions and force all browsers to downgrade from attempting to negotiate TLS 1.2, making them fall back to SSL 3. At that point, a cryptographic attack can occur
MITM
This is a technique used by the attackers to create a number of variants of malicious code, thereby making it difficult for security mechanisms, such as web application firewalls, intrusion detection systems, etc., to detect it.
Obfuscation
Man in the middle is one of the examples of this type of attack. Hackers use tools like Webscarab and Paros proxy for the attacks.
Parameter/Form Tampering
Occurs when attackers intend to manipulate the communication exchanged between the client and server to make changes in application data
Parameter/Form Tampering
This is an example of what kind of XSS bypassing? +UNunionION+SEselectLECT+
Replaced Keywords
What is this an example of? http://www.bank.com/accounts.php?id=1+UNunionION+SEselectLECT+1, 2,3--
Replaced Keywords:
Occurs when attackers insert commands via input data nd are able to tamper with the data
SQL Injection
Failing to implement this can allow attackers to access session cookies
SSL/TLS
What does SIEM stand for?
Security Information and Event Management
. In this attack-type, the attacker tricks the user to access a genuine web server using an explicit session ID value. The attacker assumes the identity of the victim and exploits those credentials at the server.
Session Fixation Attack
What is this an example of? http://www.bank.com/accounts.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
Toggle Case:
What does IIS WAS service stand for?
Windows Process Activation Service
This Apache component handles allocation of resource pools.
alloc.c
When attackers exploit HTTP by using this threat,they gain access to the unauthorized directories. Then, the attackers may execute commands outside the web server's root directory.
directory traversal
Within an IIS log record, where is the browser type listed?
fourth from extreme right
This apache element is responsible for reading and handling of the configuration files. One of the main tasks of http_config is that it arranges all the modules, which the server will call during various phases of the request handling.
http_config
What is IIS' main process exe
inetinfo.exe
Check for creation of new accounts in administrator group
lusrmgr.msc
Analyze at NetBIOS over TCP/IP activity
nbtstat -S
Analyze at NetBIOS over TCP/IP activity with destination IP to Netbios mapping
nbtstat -s
which net command will you use to check lockout duration in minutes
net accounts
which net command will you use to check on open sessions
net session
Look for unusual network services
net start
which net command will you use to check which services are started
net start
Which net command will provide the following output: Status Local Remote Network ---------------------------------- Unavailable H: \\xxx\yy\zz Microsoft Windows
net use
which net command will you use to create a share or check on file and printer shares and if sessions have been opened up with other systems
net use
which net command will you use to create a new account
net user
which net command will you use to check file and printer shares and their purpose
net view
Find if TCP and UDP ports have unusual listening
netstat -na
Find scheduled and unscheduled tasks on the local host
schtasks
The detection of a cookie poisoning attack includes intrusion prevention products. These products trace the cookie's "???" command given by the web server.
set
What is an good example of an IIS log name
u_eYYMMDD.log
