IN5290


What is nmap?

Nmap is a universal port scanner. It is able to carry out ordinary and specific host and service discoveries. Nmap has a scripting engine which makes it capable of carrying out complex scanning as well as vulnerability discovery, fuzzing and similar tasks. The main parameter is the scan type, which is set with the -s switch, e.g. -sP: ping scan.

What is operating system detection?

Nmap's remote OS detection uses TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.

What is a stack buffer overflow?

It occurs when a local variable on the stack is overflowed and the data next to it is overwritten. This can happen when the size of the local variable is not considered when writing into it.

How can you do XSS redirection?

Redirection is possible with e.g. the JavaScript document.location syntax.

How can you protect against stack exploitation?

Return to libc: No-execute protection (DEP in Windows) assigns permissions to memory segments (code and data), so the injected payload cannot be executed anymore. The idea is code reuse: redirect execution into already existing code, e.g. a library function that opens a shell. Return oriented programming: able to bypass the non-executable memory protections by using already existing code parts in the virtual address space to execute the payload. It can be used for heap related vulnerabilities as well as other vulnerabilities that redirect execution.

How can you do XSS rewriting?

Rewriting the page is possible with e.g. the JavaScript document.body.innerHTML syntax.

How can you attack with SMTP (Simple Message Transfer Protocol)?

SMTP (Simple Message Transfer Protocol) is a standard for email transmission in widespread use today. With open-relay settings the user does not need to provide credentials: anyone can send a mail with arbitrary fields.
How to find open-relay SMTP servers?
• If one of the client's SMTP servers allows open-relay access, then anyone can send arbitrary emails through it unnoticed
• Spam boxes will probably contain mail from some open-relay SMTP servers
How can users make sure that an email arrived from the right person?
• Check the email header
• There is no 100% guarantee; use PGP (mail encryption)

What is a server-side script?

A script that is executed by the web server before the web page is sent to the user's computer. E.g. PHP, Perl, Ruby, Java.

What is XSS filter evasion?

Server side scripts can filter out XSS attacks with proper input validation. An attacker can write characters in a special format to avoid the filtering:
- Decimal HTML character entities
- Hexadecimal HTML character entities
- Base64 encoding
- iFrame

What is a TCP handshake?

The TCP handshake is the process by which a connection is established on a specific port: SYN, SYN + ACK, ACK.

What is Server Side Template Injection (SSTI)?

Template engines are widely used by web applications to present dynamic data via web pages. Unsafely embedding user input in templates enables Server-Side Template Injection. If user input is substituted as a template parameter without proper validation, the vulnerability appears. After detecting the vulnerability the next step is to identify the template engine that is used (e.g. Smarty, Twig, Jade). Each template engine has its own specific exploitation. In case of a successful exploitation the attacker can even execute arbitrary shell commands.

What is the OSI model?

The OSI model is a theoretical representation of what happens between two nodes communicating on a network. Layers and their data units (top to bottom):
- application: data
- presentation: data
- session: data
- transport: segments
- network: packets
- data link: frames
- physical: bits
Mnemonic: All People Seem To Need Data Processing

What is heap overflow?

The basic example of a heap overflow is related to freeing and reallocating a chunk. Each chunk contains a pointer to the previous and to the next chunk. If the attacker controls the header of an entry (e.g. by overwriting the data block of the chunk next to the entry), then he can force the next heap allocation to be placed at a specific location.

How can you do XSS cookie stealing?

The cookies contain the session variables. If the attacker manages to steal the cookie with the session variable, then he can carry out session fixation to obtain the victim's data. Syntax: alert(document.cookie)

What is SQL injection?

The easiest case of SQL injection is when we have a direct influence on an action. The user enters an SQL statement into a form instead of a name or other data. The accepted code becomes part of the database commands issued. Improper data disclosure, data damage and data loss are possible. Well-designed applications make injections ineffective.

How are heaps managed?

The heap consists of chunks. Free chunks with the same size (rounded to 8 bytes) are organized in doubly linked lists. When heap memory is freed it goes to a free list according to its size. When the code requests a dynamic buffer, the free lists are checked first according to the requested size. If there is no free chunk of that size, a new chunk is created.

What is the heap?

The heap is a storage place where processes allocate data blocks dynamically at runtime (unlike the stack). There are several types of heap implementation. Each OS provides one or more heap implementations of its own (e.g. Windows 7: Low Fragmentation Heap), but programs can create their own heap implementations (e.g. Chrome) that are independent of the default OS solution. Because of the different solutions, many custom heap allocators are available to tune heap performance for different usage patterns. The aims of heap implementations are:
• allocation and free should be fast
• allocation should be the least wasteful
• allocation and free should be secure

What is HTTP (Hypertext Transfer Protocol)?

The protocol used to communicate between web browsers and servers.
- used in a client-server model
- the client sends a request and receives an answer from the server
- consists of a header & a body
- request: protocol version, requested file, web method, hostname
- response: web answer, date, content type

How can you prevent against session related attacks?

The session variable should be stored in the cookies. Since only the session id identifies the user, additional protection such as GeoIP significantly decreases the chance of the session id being stolen. For protecting the session id there are several options:
• Using SSL/TLS: if the packet is encrypted then the attacker cannot obtain the session id
• Using the HttpOnly flag: an additional flag in the response header that prevents the cookie from being accessed by client side scripts
• Using geolocation: binding the session id to the IP address is a bad idea, because the IP of a user can change during browsing (dynamic IP addresses, especially for mobile clients). But checking the geolocation is a good mitigation.
The session should expire when there is no user interaction. If the session expires after a long time or never, then the attacker has time to brute force the session variables. The optimal session expiry time depends on the type of the website. 30 minutes is generally a good value; it should not be more than 6 hours.

What is a web server?

The web server is an application running under an OS. The user that runs the web server should have the least privileges. The web server configuration file contains almost all server settings.

When can you write local files with sql injection?

This is only possible if the following conditions are fulfilled:
• Union select or stacked queries are enabled
• With union select the attacker has to know or guess the row number and the types of the chained query
• A writable folder is needed in the webroot that is later accessible by the attacker
• The attacker has to know or guess the webroot folder on the server computer

What is fuzzing?

This is the first step in identifying a vulnerability. It is the process of providing various data (invalid data too) to the application. A segmentation fault (access violation in Windows) indicates some error. A value can be invalid if:
- its format is incorrect
- it contains unexpected values (e.g. %)
- it is too long

What is service version detection?

Version detection interrogates the ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.

What are vulnerability databases?

Vulnerabilities are registered in a database; each vulnerability has a unique identification number.

What is fastbin into stack exploitation?

When the program allocates a memory region, the allocated chunk is busy. After the allocation is freed, the chunk goes to one of the free lists. Free lists are linked lists which make the reallocation of memory easy and fast.
• there is no size checking when filling a memory region (it can be overwritten)
• one region can be freed twice (double free vulnerability)
The following bin types exist:
• Fast: small chunks are stored in size specific bins
• Unsorted: when the chunks are freed they are initially stored in a single bin; they are sorted later
• Small: the normal bins are divided into "small" bins, where each chunk has the same size, and "large" bins, where chunks have a range of sizes
• Large: for small bins, you can pick the first chunk and just use it. For large bins, you have to find the "best" chunk, and possibly split it into two chunks
Fastbins are stored in simple linked lists. All chunks in one fastbin have the same size. The pointer to the first fastbin chunk is not visible to us, but the pointer to the second fastbin chunk is stored in the first one, the pointer to the third element is stored in the second one, and so on. If we manage to overwrite the content of the first fastbin chunk, we can overwrite the address of the next one. This is useful for forcing the allocator to place the second allocation where we would like it (e.g. onto the stack).

How can you do a stack overflow exploit?

You should overwrite the local variable and reach the return pointer. The size of this padding depends on the size of the local variable and the stack layout. It can be determined by using a string like "aaaaaaaabbbbbcccccdd" and then reading the address from the error message. The new return address can point to the beginning of the payload. You can use debuggers like gdb on Linux to get to the point where the vulnerability occurs (start, s (step), until [address], finish).

How can you attack DNS?

Zone transfer: since DNS data is stored redundantly, the slave DNS server can ask the master DNS server to send a copy of a part of its database (zone) to the slave.
Domain enumeration:
• We can check if reverse lookup is enabled.
• Also brute-force the domain names in the DNS database

How to find software vulnerabilities?

• Accidentally: e.g. my PDF reader keeps crashing for the same input. (Note: one crash is not a crash! If it is not possible to repeat, then anything could have happened)
• AV tools can report suspicious activity such as a port being opened or a new suspicious registry entry being created. Analyzing it in a sandboxed environment can reveal unknown vulnerabilities. (Note that in this case the vulnerability was already known by someone who created the malware)
• Source code analysis (looking for patterns that can reflect vulnerabilities)
• Binary code static analysis: reverse engineering or advanced specific solutions (code property graphs)
• Binary code dynamic analysis (e.g. angr framework)
• Fuzzing

How to do fastbin into stack exploitation?

• Allocate 3 buffers with the same size (id=0,1,2)
• Free the first, the second and the first again (id=0,1,0); one chunk is on the freelist twice
• Allocate a new buffer (id=3); id3 (busy) is the same as id0 (free)
• Allocate another one (id=4); now the top of the freelist is the id0 chunk
• Fill the content of id3 (it is in the same place as id0) and modify the id0 fwd pointer to point to the stack location where the next return address is stored
• Allocate one more (id=5) to consume the id0 freelist chunk
• Allocate one more (id=6). This chunk will be on the stack
• Fill chunk id6 with the payload (jmp esp + payload or ROP payload)

What are the different type of hackers?

• Black hat hackers: hacking with malicious intent
• White hat hackers: perform penetration testing to promote security
• Script kiddies: amateurs (usually young kids) using publicly available software tools to attack
• Protest hackers: protest against something (e.g. Anonymous)
• Grey hat hackers: usually white hat, but can be black hat
• Red hat hackers: stopping black hat hackers by attacking them
• Blue hat hackers: hacking in order to take revenge
• Green hat hackers: beginners to hacking

How can you prevent against CSRF attacks?

• Checking the referrer header in the client's HTTP request can prevent CSRF attacks
• Adding a per-request nonce "form key" to the URL and all forms in addition to the standard session
• Adding a hash (session id, function name, server-side secret) to all forms
• Logging off before visiting another site
• Clearing the browser's cookies at the end of each browser session
CSRF real example: Samy worm in 2005

What are DNS-servers?

• DNS servers are all around the world
• Organized in a tree structure (13 root servers)
• The top level domains (.com, .net, .edu, .no, .de, etc.) are directly under the root servers
• DNS data are stored redundantly (master and slave server)
Tool: IP lookup with DNS - reverse IP lookup

What are the steps of exploit development?

• Finding the vulnerability (e.g. with fuzzing): the application crashes
• Find the reason for the crash (reverse engineering the code)
• Decide whether the control flow can be redirected or not
• Decide how and where to place the payload (e.g. on the stack, or in the heap with spraying)
• Bypass all the mitigations (DEP, ASLR, sandboxing, etc.)
• Create a working version of the exploit (proof of concept)

How to start compromising a service?

• First use it in the normal way
  - Is there any information disclosure?
  - Error messages, etc.
  - Restrictions
• Force it to error and obtain information
  - Provide invalid data
  - Use it in an invalid way
• Try factory defaults
• Brute-forcing
• Search for known exploits
• Service specific exploitations
• Unique ways

How can you write local files with sql injection?

• First, guess the webroot and the writable folder
• Guess the number of columns in the original query and also the types of the columns
• Test whether the union select is executed with different column numbers
• Upload a simple string
• Find an attacking script and upload it

What are the main steps of hacking?

• Information gathering
• Identifying the target domain
• Finding vulnerabilities
• Exploiting the vulnerabilities
• Lateral movements
• Carrying out the goal

Which SQL queries can be used for blind boolean based sqli explotation?

• MySQL version: SELECT @@version;
• MySQL user, password: SELECT host, user, password FROM mysql.user;
• MySQL databases: SELECT schema_name FROM information_schema.schemata;
• MySQL tables: SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

What are some protections and mitigations for heap exploitation?

• No execute protection (Data Execution Prevention in Windows)
• Address Space Layout Randomization (ASLR)
• Canary (stack cookie)
• Position Independent Executables
• Fortify (buffer overflow checks)
• RELRO (the Global Offset Table is read-only)

How do you find network ranges?

• Search for all domains, including second and third level
• Look for the corresponding IPs
• Check which database contains the IP owner (whois)
• Check the IP ranges (RIPE, ARIN, etc.)
Tools: with a reverse whois service, we can search for domains by providing an email or name. Robtex is used for various kinds of research on IP numbers, domain names, etc.

What is format description (generation) based fuzzing?

• The file format or protocol is described (what kind of variables are stored in the file in which place, relations, etc.)
• Very time consuming to describe the input format (e.g. the PDF reference 1.7 (file description from 2006) is 1310 pages)
• All combinations can theoretically be created

What is mutation based fuzzing?

• The input is created based on existing valid input
• Mutations of the input are made without knowledge of the structure of the input (e.g. random)
• Requires little setup time
• The success depends on the mutation algorithm
• Mutation can mess up the file format and prevent it from being processed (e.g. file checksums)

What is brute forcing?

• Trying out multiple combinations
• How to generate the options?
  - Random
  - Trying out all combinations
  - Using a list or dictionary
• Brute forcing tools
  - THC Hydra (ssh, ftp, http). Hydra was created by the hacker group The Hacker's Choice. It is a universal brute-force tool that can be used for several protocols.
  - Ncrack
  - Medusa

What can you set in nmap?

• Type of scan (see detailed list later)
• Additional tests (e.g. version detection)
• Timing options (how many tries, how many parallel requests, max retries, scan delay, etc.)
• Hosts / host input
• Output result format (flat file, XML, etc.)
• Filtering (e.g. show only open ports)
• Scripts to run

How to exploit a Use-After-Free (UAF) vulnerability?

• Use an HTML file with a value "test" and make sure it is destroyed (its place is freed)
• After "test" is destroyed, a fake object with the size of "test" should be reallocated in the heap to avoid use after free
• The fake object has to be the same size as "test" to be allocated to the same place in the virtual memory
• Determine where "test" was before the free (using PageHeap)
• Search for the corresponding memory allocation (allocation in the same place)

What is Google hacking?

• Using specific Google queries we can use smart filtering or get "hidden" data
• Filter to a domain: use the site keyword
• Filter to a file type with extension: use the type keyword
• Interesting file extensions: doc, xls, txt, conf, inc, sql, ...
• Expressions can be combined

What are the motivations behind hacking?

• What a cool thing to be a hacker
• Because I can
• Money
• Revenge
• Annoyance
• Protesting against something
• Organized and well-paid professional groups (mafia and state sponsored groups)

What is a list scan?

• With the -sL switch
• Makes no connection with the hosts
• The DNS server is asked whether a specific domain is registered in its database

What is a ping scan?

• With the -sP switch
• Nmap pings all the specified hosts
• The available hosts are listed with their MAC address
• ICMP messages are not always allowed in a network

What are the types of SQL injection exploitation?

• Boolean based blind: the attacker provides an input and observes the website's answer. The answer is either page 1 or page 2 (only two options). There is no direct response to the attacker's query, but it is possible to play a true and false game using the two different responses. The difference between the two responses can be only one byte or the pages can be totally different.
• Error based: the attacker forces syntactically wrong queries and tries to map the database using the data provided by the error messages.
• Union query: the attacker takes advantage of SQL's union select statement. If the attacker can intervene in the SQL query, then he can append a union select to it and form the second query almost freely.
• Stacked query: if the SQL engine supports stacked queries (first query; second query; etc.), then in case of a vulnerable parameter the attacker closes the original query with a semicolon and writes additional queries to obtain the data.
• Time based blind: the same as boolean based, but instead of two different web responses the difference is the response time (less trustworthy).
• Reading local files: the attacker can obtain data other than the database contents.
• Writing local files: with the SELECT ... INTO OUTFILE command the attacker can write local files.
• Executing OS commands: in some cases the DB engine has the right to execute OS level commands.

What are the different XSS types?

• DOM based XSS: the data flow never leaves the browser. Classical example: the source is an HTML element, the result is a sensitive method call.
• Stored XSS: the user input is stored on the target server, such as in a database, in a message forum or a visitor log. The victims retrieve the XSS through the web site.
• Reflected XSS: the user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request.
• Client Side XSS: the malicious data is used to fire a JavaScript call.
• Server Side XSS: the malicious data is sent to the server and the server sends it back without proper validation.

How can you prevent XSS attacks?

• Escaping user input: user input and key characters received by a web page have to be escaped so that they cannot be interpreted in any malicious way. Disallow specific characters, especially the < and > characters, from being rendered. E.g. < is converted into &lt;
• Filtering: like escaping, but instead of replacing the control character, it is simply removed.
• Input validation: validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database and users. The input is compared against a whitelist or a regexp.
• Sanitizing input: changing unacceptable user input to an acceptable format (all previous 3)

How to compromise a website?

- First use it in a normal way
- Check for static and dynamic content
- Look for unintended content
- Try to find hidden content without a link (e.g. conf files)
- Obtain as much info as possible
- Force the site to error with invalid inputs and check the response
- Use robots.txt
- Directory brute-force with dirb (has a collection of typical webserver related folder names)
- Input filtering
- Web developer extensions
- Tamper Data: modify outgoing traffic
- Postman: set custom headers and view cookies already set on the domain
- Burp Suite
- Hydra

What are the main methods of HTTP?

- GET: download data
- POST: send data
- HEAD: obtain the HTTP header
- PUT: place content on the server (e.g. RESTful services) (was used to upload content before FTP; a potential vulnerability where an attacker could access the folder and upload arbitrary files)
- DELETE: remove content
- TRACE, DEBUG, OPTIONS
- E.g. /index.php?first=a&second=b

What is virtual address space?

- an executable is launched and the OS generates a virtual address space for the process
- each process has its own virtual address space
- in order to use the real physical memory the OS provides a runtime memory translation between the virtual and physical memory
- separated into kernel space (drivers) and user space (segments/stacks - code and data)
- files are accessed from user space through the drivers
- segments: code, data, stack, heap, dynamically loaded libraries

How can you attack ftp and ssh services?

- brute-forcing with Hydra
- using exploits

How can you compile files to binary files?

- debug mode: variable and function names are saved and inserted into the binary
- release mode: only the necessary details are compiled
- static linking: a copy of all the used external methods is placed inside the binary
- dynamic linking: the external methods are not inside the binary; they are placed in the virtual address space of the process when the binary is launched by the OS

How to avoid infinite loops in packet switched networks?

- no planned route -> a packet can get stuck in an infinite loop
- every packet should contain a TTL value (time to live) that is decreased when arriving at the next network device (network hop)
- when the TTL is 1 the packet has to be dropped

What are some sql injection filter evasion techniques?

- white space
- null bytes
- SQL comments
- URL encoding
- character encoding
- string concatenation
- hex encoding

What are the steps of hacking?

1. General information gathering: collecting all available information about the target and systemizing the information
2. Technical information gathering: collecting network and system specific information like target IP ranges
3. Identifying available hosts in the target network (which computers can be attacked)
4. Identifying available services in the target network (which services can be attacked)
5. Manual mapping of the services (to check what it looks like, the impressions, system reactions, mitigations, etc.)
6. Automatic vulnerability scanning (intelligent tools with a huge vulnerability database)
7. Manual verification of the findings (to check if the previous findings are real - true positives)
8. Exploitation
9. Lateral movements (to move through the network)
10. Ensure access until the end of the project
11. Collect info - achieve primary and secondary goals
12. Remove clues
13. Reporting and presentation
14. Removing the attacking files!!! (tools, data, scripts created temporarily during the pentest)

How can you attack using Object Oriented Programming (OOP) and the vtable?

A basic principle of OOP is polymorphism: methods can be redefined in derived classes. Since the real type of an object is only decided at runtime, each object needs to have a virtual method table (vtable) that contains the object specific method addresses. The attacker can overwrite the vtable pointer with a value pointing to an attacker controlled memory region.

What is the stack frame?

A contiguous block inside the stack which stores the data of a method (callee) that was called by the caller. When a method is called, the caller or callee prepares the stack for the method execution. The stack frame contains the following data:
- Method parameters: parameters to pass to the method
- The return address of the method: the address where the method was called from
- The local variables: they die after the method has executed
- The saved base pointer: reference to the local variables

What is the stack?

A data segment that stores data in a LIFO (last in, first out) manner. Instructions place data (push) and read + remove data (pop).

What is return oriented programming (ROP)?

A software vulnerability exploitation method that is able to bypass the non-executable memory protections. The payload is divided into code parts, and each code part is executed by a gadget (a small code block with one or more simple instructions and a ret type of instruction at the end).

What are session related attacks?

A user's session with a web application begins when the user first launches the application in a web browser. Users are assigned a unique session ID that identifies them to the application. The session should be ended when the browser window is closed, or when the user has not requested a page in a "very long" time.
• Predictable session token: the attacker finds out what the next session id is and sets his own session according to this.
• Session sniffing: the attacker uses a sniffer to capture a valid session id
• Client-side attacks (e.g. XSS): the attacker redirects the client browser to his own website and steals the cookie (JavaScript: document.cookie) containing the session id
• Man-in-the-middle attack: the attacker intercepts the communication between two computers
• Man-in-the-browser attack

What is a Use-After-Free (UAF) exploit?

A vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. Pointers in a program refer to data sets in dynamic memory. If a data set is deleted or moved to another block but the pointer, instead of being cleared (set to null), continues to refer to the now-freed memory, the result is a dangling pointer. If the program then allocates this same chunk of memory to another object (for example, data entered by an attacker), the dangling pointer will now reference this new data set.

What is an ACK scan?

An ACK scan is used to determine whether a firewall is stateful or stateless.
• A stateless firewall examines a packet as if it were independent of the previous packets.
• A stateful firewall can follow packet streams, considering previous packets.
For a stateless firewall an ACK packet looks like the third step of the handshake. For a stateful firewall it is pointless. nmap -sA

What is an exploit?

An exploit (from the English verb to exploit, meaning "to use something to one's own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

How is data transmission carried out in layer 4?

Apart from sending short simple messages, bigger data blocks can be transmitted between the hosts. The data transfer is carried out in the 4th layer using 2 different approaches:
• UDP: streaming the data (no guarantee that all data will arrive, but fast)
• TCP: the arrival of all data is guaranteed in the right order (trustworthy transmission, slower than UDP)
In addition, the data transmission is carried out using port numbers. One host can send and receive data in multiple channels using different port numbers for different services.

What is the goal of hacking?

Break the information security triple (confidentiality, integrity, availability):
- Steal confidential information
- Modify data
- Make services unavailable (Denial of Service)
- To promote security (ethical hacking)

What is Burp Suite?

Burp is a graphical tool for testing websites. It provides a proxy to intercept the browser's traffic. It has several modules for manipulating the web traffic.
• Spider: automatic crawl of web applications
• Intruder: automated attack on web applications
  - Sniper: one parameter, one iteration
  - Battering ram: multiple parameters, one iteration
  - Pitchfork: multiple parameters, multiple iterations
  - Cluster bomb: multiple parameters, multiple iterations, all combinations considered
• Sequencer: quality analysis of the randomness in a sample of data items
• Decoder: transform encoded data
• Comparer: perform comparison of packets
• Scanner: automatic security test (not free)

Why is ethical hacking necessary?

Checking the system from the attacker's perspective can reveal serious security deficiencies. System security cannot be guaranteed without deep and regular penetration testing (and even then it is never perfect).

What is CIDR?

Classless interdomain routing (CIDR) is an addressing scheme for the Internet that allows more efficient use of IP addresses than the old Class A, B, and C scheme. It is more flexible and offers route aggregation (supernetting). A CIDR address is a network address that does not use original Class A, B, and C rules. For example, a CIDR address can look like this: 192.168.2.0/29.

What is JavaScript?

A client-side programming language executed in the browser.

What is general information gathering?

Collecting all available information about the target and systemizing the information.
• Usually the first step of every attack
• Before making contact with the target we need to prepare for the attack
• General information gathering covers all the efforts made to collect all the information about the target
• The collected information should be analyzed as well in order to filter out the important information
• Sometimes it is not obvious which information will be useful later, so all information should be systemized
• The result of the information gathering is a huge dataset with dedicated information (e.g. user lists, etc.)
• Google and social media are good methods to use (news, key persons, cache, accounts, building personal profiles)
• Tools: download static information using wget or HTTrack, FOCA, filtering via Google hacking (site:uio.no -www)

What is technical information gathering?

Collecting network and system specific information such as the target's IP ranges. Registration data of domains and IP ranges is public and can be queried with the whois protocol. • Domain names of the target (a hostname is a domain name that has at least one associated IP address) • Domain owner(s) of the target • Domain registrants • IP addresses associated with the target's websites • IP ranges of the target • IP range owner(s) • List of hosted websites • Hosting companies

What kind of errors (vulnerabilities) can we expect when compromising a service?

Configuration-related errors: - Default credentials - Easy-to-guess credentials (we did information gathering before) - No or inappropriate protection against guessing (brute force) - Unnecessary functions enabled - Privilege misconfigurations - Other configuration errors Software-vulnerability-related errors: - No input validation - Memory handling errors - Several others (see later)

What is Cross Site Scripting (XSS)?

Cross Site Scripting (XSS) is a frequently occurring web vulnerability. If the website accepts input from the user without proper validation or output encoding, the attacker can inject client-side code that is executed in the victim's browser. Without validation the attacker can provide • HTML elements • JavaScript: JavaScript can overwrite the website content, redirect the page or access browser data, e.g. the cookies. You can: - rewrite the document content (defacing the site) to mislead the user - redirect to another site to mislead the user - get cookie variables (unless the cookie is marked HttpOnly) - keylog: register a keyboard event listener using addEventListener - phish: insert a fake login form into the page to obtain the user's credentials. Local files of the client are not accessible.

What is Cross Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Example: the attacker sends the user a tricky link (or embeds the request in a page the user visits) that performs a malicious action (transfer money to Maria) without the user realizing it. If the user is already logged in to the bank, the browser attaches the valid session cookie to the forged request and the malicious action is executed. Without the session the action is not carried out.

How can you exploit LFI vulnerability?

Depending on the server and the PHP settings, executing attacker-supplied PHP can be possible: if the included file is php://input, the posted request body is executed as PHP. In other cases the expect:// wrapper (if enabled) executes the given OS command. With the php://filter wrapper the server-side source can be read instead of executed: php://filter/convert.base64-encode/resource=index.php returns the script base64-encoded, and decoding it reveals the PHP source. If the attacker places the attack script in the User-Agent header of the HTTP request and the web server is allowed to read /proc/self/environ, including the environ file executes it and any OS command can be run in the name of the web server user. If /proc/self/environ is not accessible, the attacker can try to find the web server's process id and reach the environ file through that process's /proc entry. If the logs are readable through the web server, the attacker can plant the PHP script in the logs (e.g. via the User-Agent or the requested URL) and include the log file the same way as /proc/self/environ. Logs can be in various places; one option is to check the /var/log/apache2 folder.

What are content management systems (CMS)?

E.g. WordPress. If a vulnerability appears in the CMS, millions of web pages can suddenly become vulnerable.

What are the differences between ethical and non-ethical hacking?

Ethical hacking • Legal (contract) • Promotes security by showing the vulnerabilities • Finds all vulnerabilities • Without causing harm • Documents all activities Non-ethical hacking • Illegal • Steals information, modifies data, makes the service unavailable for the attacker's own purposes • Finds the easiest way to reach the goal (weakest link) • Does not care if the attack destroys the system (but not too early) • Without documentation • Without a report, deletes all traces

What are binary files?

Files that can be executed by the OS. They contain machine code instructions that the CPU understands. The binary file format depends on the CPU architecture and the OS. To make an executable binary, source code has to be compiled. There is a direct correspondence between machine code and assembly code: if the source is written in assembly then the translation is unambiguous.

What are different types of ethical hacking?

From the attacker's location point of view: • External penetration testing • Web hacking • Internal penetration testing • Wireless penetration testing • Social Engineering From the attacker's access (right) point of view: • Black box testing • Grey box testing • White box testing

What is fuzzing (in detail)?

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as input to a computer program. The program is then monitored for any sign of error (exceptions such as crashes, failing built-in code assertions, or memory leaks). How does the program accept the input? • File format fuzzing: invalid files are created and opened by the application (e.g. an invalid PDF file is opened by a PDF reader) • Protocol fuzzing or network-based fuzzing: the input is provided through network protocols (e.g. an HTTP request is sent with a wrong format) How is the invalid input created? • Mutation-based input generation: existing valid inputs are used to create slightly different versions • Format-description-based (generation-based) input generation: the format is described and inputs are created from that description • Response-based input generation: the next input is based on the received response (interactive generation)
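
Added example (not from the original card): a minimal mutation-based fuzzer in the sense described above. The target is an invented length-prefixed record parser with a deliberate trust-the-length bug; the fuzzer mutates a valid seed record (bit flip, byte overwrite, byte insertion, truncation), runs the target, and records every input that raises an unhandled exception, keyed by exception type. The random seed is fixed so the run is reproducible.

```python
import random


def parse_record(data):
    """Toy target (constructed): one length byte followed by that many payload
    bytes, returning (payload, xor checksum). Deliberate bug: the length field
    is trusted, so a length larger than the remaining data reads past the end,
    which in this Python model surfaces as an IndexError."""
    if not data:
        return b"", 0
    length = data[0]
    payload = data[1:1 + length]
    checksum = 0
    for i in range(length):            # mimics a C loop copying `length` bytes
        checksum ^= data[1 + i]        # IndexError when length > len(data) - 1
    return payload, checksum


def mutate(seed, rng):
    """Mutation-based generation: copy a valid input and change it a little."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:                                   # flip one random bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:                                 # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 2:                                 # insert a random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:                                             # truncate the tail
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seeds, iterations, rng_seed=0):
    """Feed mutated inputs to the target and monitor it: any unhandled exception
    counts as a crash. Returns {exception name: [crashing inputs]}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, [b"\x03abc"], 300, rng_seed=1)
    for name, cases in found.items():
        print(name, len(cases), "crashing inputs, e.g.", cases[0])
```

The seed here is a single valid record; a real corpus would be many files or captured protocol messages, and the monitor would watch for signals, sanitizer reports or hangs instead of Python exceptions, but the loop is the same.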

What is heap spraying?

Heap spraying is a payload delivery technique for exploiting heap-related vulnerabilities. By allocating many copies of the same block (typically a long NOP sled followed by the shellcode) the heap gets filled with our data. Heap allocation addresses are not predictable, but since many copies of the same object are allocated it is likely that a chosen address such as 0x0c0c0c0c also lands inside our data, so redirecting execution there hits the sled.

What is HTML?

HyperText Markup Language: the language used to tell a web browser how to render a page. An HTML file can contain or reference: - pictures (png, jpg, gif) - stylesheets (css) - JavaScript code - Flash objects (swf) E.g. UiO's index.html

What are IP-addresses?

IP addresses identify computers during communication (OSI layer 3). • For readability, IPv4 addresses (32 bit) are written as four decimal 8-bit (byte) blocks, e.g. 129.240.171.52 • IPv6 addresses (128 bit) are represented as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0042:0000:8a2e:0370:7334

What are IP-ranges?

IP ranges contain several consecutive IP addresses, e.g. 129.240.171.56 to 129.240.171.63 (8 addresses, the same as the CIDR block 129.240.171.56/29)
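
Added example (not from the original cards) covering both the CIDR card and this one: with the standard library ipaddress module it expands a CIDR block such as 192.168.2.0/29 into its network, broadcast and usable host addresses, summarizes an inclusive range such as 129.240.171.56 to 129.240.171.63 back into the minimal set of CIDR blocks (a range that is not aligned to a power of two needs several), and checks whether an address is inside an agreed scope. The scope list is a constructed sample.

```python
import ipaddress


def describe_cidr(cidr):
    """Return (network, broadcast, first host, last host, usable host count)
    for a block such as 192.168.2.0/29. strict=False tolerates host bits set."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(net.broadcast_address),
            str(hosts[0]), str(hosts[-1]), len(hosts))


def range_size(first, last):
    """Number of addresses in the inclusive range first..last."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def range_to_cidrs(first, last):
    """Summarize an inclusive address range into the fewest CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def in_scope(addr, scope_cidrs):
    """True if addr falls inside any of the agreed target ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in scope_cidrs)


if __name__ == "__main__":
    print(describe_cidr("192.168.2.0/29"))
    print(range_size("129.240.171.56", "129.240.171.63"),
          range_to_cidrs("129.240.171.56", "129.240.171.63"))
    # An unaligned range needs several blocks.
    print(range_to_cidrs("129.240.171.56", "129.240.171.70"))
    scope = ["129.240.171.56/29"]            # constructed engagement scope
    print(in_scope("129.240.171.60", scope), in_scope("129.240.171.64", scope))
```

A scope check like in_scope is worth running before every scan in an engagement: a range given as "56 to 70" is not one /29, and the addresses past .63 belong to a different block that may not be in the contract.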

What is a decoy scan?

Every established TCP connection is logged by firewalls and servers, so port scanning is noisy (although in a network with heavy internet traffic there are several port scans by bots anyway). A decoy scan uses the «needle in the haystack» idea: nmap sends each probe in multiple copies with different, spoofed source IP addresses (the -D option), so the real scanner's address is hidden among the decoys in the target's logs.

What is reversed scan?

In reverse scanning (FIN, NULL and Xmas scans: -sF, -sN, -sX) nmap looks for closed ports: a closed port answers with RST, while an open or filtered port sends nothing back. The result of a reverse scan is therefore either open|filtered or closed; it cannot be determined whether a silent port is open or filtered.

What are the differences between circuit switched and packet switched networks?

In circuit switched networks a (virtual) line is allocated between the communicating parties; the line is busy until the communication ends. In packet switched networks the sender sends packets in the direction of the receiver. There is no pre-planned route: each network device chooses the most appropriate next device based on its routing table and the current traffic.

What is xpath injection?

Instead of storing datasets in databases, data can be stored in XML format, and XPath can be used to query it, e.g. finding the full name of the user whose username is john and whose password is imagine: $xml->xpath("/users/user[name='john' and password='imagine']/fullname") Finding the first user in the document: $xml->xpath("/users/user[position()=1]/fullname") Finding the penultimate user: $xml->xpath("/users/user[last()-1]/fullname") Other XPath functions can be used as well: last(), count(node-set), string(), contains(), etc. XPath injection happens when user input is concatenated into such a query without escaping: a username of john' or '1'='1 turns the predicate into name='john' or '1'='1' and password='imagine', which is true for john whatever the password is.

What is internet control message protocol (ICMP)?

Layer 3: the internet control message protocol (ICMP) is used to check if a host is responding: an echo request answered by an echo reply (ping) shows that the host is up. The TTL value in the reply's IP header is decremented by every router on the way, so from the observed TTL and the well-known default initial TTLs (e.g. 64, 128, 255) it is possible to guess the replying host's operating system and the number of hops. Traceroute uses the same mechanism: every device has to drop a packet whose TTL runs out and answers with an ICMP time exceeded message, so by repeating the ping with increasing TTL values the route of a packet can be mapped hop by hop.
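
Added example (not from the original card): the TTL reasoning above as code. It parses constructed ping output lines (Linux and Windows formats), picks the smallest well-known initial TTL at or above the observed value, and reports the guessed OS family and hop count. The initial-TTL table is an assumption about common defaults, not a guarantee; a host behind NAT, a tunnel or a custom TTL setting will mislead it.

```python
import re

# Assumed typical initial TTLs (defaults vary by version and configuration,
# so treat the guess as a hint to confirm with nmap -O).
DEFAULT_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "network device / Solaris"}


def guess_from_ttl(observed):
    """Choose the smallest well-known initial TTL >= observed; the difference
    is the number of routers the reply crossed."""
    for initial in sorted(DEFAULT_TTLS):
        if observed <= initial:
            return DEFAULT_TTLS[initial], initial - observed
    raise ValueError("TTL above 255 is not valid")


# Matches both "64 bytes from 10.0.0.1: icmp_seq=1 ttl=54 ..." (Linux ping)
# and "Reply from 10.0.0.5: bytes=32 time=3ms TTL=117" (Windows ping).
LINE_RE = re.compile(r"from (\S+?):?\s.*?\bttl=(\d+)", re.IGNORECASE)


def analyze_ping(lines):
    """Map each replying host to (OS guess, hop count)."""
    guesses = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host, ttl = m.group(1), int(m.group(2))
        guesses[host] = guess_from_ttl(ttl)
    return guesses


# Constructed sample output, not a real capture.
SAMPLE_PING = [
    "PING 129.240.171.52 (129.240.171.52) 56(84) bytes of data.",
    "64 bytes from 129.240.171.52: icmp_seq=1 ttl=54 time=12.3 ms",
    "Reply from 10.0.0.5: bytes=32 time=3ms TTL=117",
    "64 bytes from 10.0.0.1: icmp_seq=1 ttl=252 time=1.0 ms",
]

if __name__ == "__main__":
    for host, (os_guess, hops) in analyze_ping(SAMPLE_PING).items():
        print(f"{host:16} {os_guess:24} ~{hops} hops away")
```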

What is Local file inclusion (LFI)?

Local file inclusion (LFI) is a vulnerability where the attacker can make the web server include one of its own local files through the web page. If the server-side script uses an include-type function and its input is not validated, the attacker can provide a filename that points to a local file, typically using directory traversal. Appending a null character to the end of the path sometimes works when the normal exploitation fails, because it cuts off a suffix (e.g. .php) that the script appends to the user input. E.g.: ../../etc/passwd E.g.: ../../etc/passwd%00
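
Added example (not from the original cards) serving both this card and the LFI exploitation card above: a Python model of include($base . $_GET['page'] . '.php') beside a hardened version. The legacy function emulates the C-string truncation that makes the %00 trick work (Python itself refuses NUL bytes in paths, so the cut is done explicitly); the safe version rejects NUL, resolves the path with realpath and requires it to stay under the include directory. The sandbox directory and its files are constructed for the demonstration.

```python
import os
import tempfile


def include_legacy(base_dir, page):
    """Vulnerable model of include($base . $page . '.php') on an old PHP build:
    the C library stops reading the path at the first NUL byte, so a page of
    '../etc/passwd\\x00' drops the appended '.php' suffix."""
    path = (base_dir + "/" + page + ".php").split("\x00", 1)[0]
    with open(path, "rb") as f:
        return f.read()


def include_safe(base_dir, page):
    """Hardened version: refuse NUL bytes, resolve '..' and symlinks, and only
    open the file if it still lies inside base_dir with the .php suffix intact."""
    if not page or "\x00" in page:
        raise ValueError("invalid page name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes include directory")
    with open(target, "rb") as f:
        return f.read()


def build_sandbox():
    """Constructed layout: <root>/pages/home.php (legitimate include) and
    <root>/etc/passwd (the file an attacker wants). Returns root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pages"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "pages", "home.php"), "wb") as f:
        f.write(b"<?php echo 'home'; ?>")
    with open(os.path.join(root, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")
    return root


if __name__ == "__main__":
    root = build_sandbox()
    pages = os.path.join(root, "pages")
    print(include_safe(pages, "home"))
    for fn, page in ((include_legacy, "../etc/passwd"),
                     (include_legacy, "../etc/passwd\x00"),
                     (include_safe, "../etc/passwd"),
                     (include_safe, "../etc/passwd\x00")):
        try:
            print(fn.__name__, repr(page), "->", fn(pages, page)[:20])
        except Exception as exc:
            print(fn.__name__, repr(page), "->", type(exc).__name__)
```

The traversal without the NUL byte fails in the legacy version only because "passwd.php" does not exist, which is exactly the situation where the card says to try %00; the safe version refuses both attempts before touching the file system.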

What are the different network scanning positons?

Mapping the network... -from the outside -from a compromised server -from the inside Typical services outside: Web, Ftp, ssh, dns, mail (SMTP, POP3, IMAP, Exchange), VPN and many others. Typical services inside: Netbios, SMB, Printer, RDP, DB services, LDAP, etc.

What is medusa?

Medusa is a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, VNC, etc.

What is the Metasploit Framework?

Metasploit Framework is a software platform for developing, testing, and executing exploits. • Its database contains ready exploits in a standardized format • Users can choose from the exploit lists to attack • Exploits can be customized with different payloads (one of the best payloads is the meterpreter shell) • Exploits can be used by setting a few parameters (loaded gun in the hand of script kiddies?)

What is Ncrack?

Ncrack is a high-speed network authentication cracking tool. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts. Ncrack's features include full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and many more. Protocols supported include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM and OWA.

What is SYN scan (half open scan)?

Nmap carries out a SYN scan with the -sS switch (it needs raw socket privileges, i.e. root). Port numbers can be specified optionally. Example: nmap -sS -p80,43 host. Why use a SYN scan instead of a TCP connect scan? Does it give a different result? The reported port states are the same; the main difference is that a TCP connect scan completes the three-way handshake for every open port, while a SYN scan answers the SYN/ACK with a RST and never establishes the connection. Firewalls and applications usually log only established connections, so the SYN scan is quieter.

What is TCP full scan?

Nmap carries out a TCP connect scan with the -sT switch. Port numbers can be specified optionally. Example: nmap -sT -p80,43 host. Scanning all 65535 ports takes too much time (and is too noisy). We can reduce the number of ports by specifying them with the -p switch. Without -p nmap scans the 1000 most common ports (all ports with -p-).
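
Added example (not from the original cards) for this card and the SYN scan card above: a TCP connect scan in plain sockets, the equivalent of -sT, run against a constructed local listener that records every completed handshake. The listener's log is what a server or firewall would see, which is the noise the SYN scan avoids; a SYN scan itself is not shown because it needs raw sockets (root), which is why nmap -sS asks for them.

```python
import socket
import threading
import time


def start_listener():
    """Constructed target service on 127.0.0.1 (port chosen by the OS). Every
    accepted connection is appended to `log`, standing in for a server log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(2.0)                     # give up after 2 s of silence
    port = srv.getsockname()[1]
    log = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()   # only a completed handshake lands here
            except (socket.timeout, OSError):
                break
            log.append(peer)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, log


def free_closed_port():
    """Pick a port number that nothing listens on: bind to 0, read it, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Equivalent of nmap -sT: a full three-way handshake per port.
    open = handshake completed, closed = RST (connection refused),
    filtered = no answer within the timeout."""
    results = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
            results[p] = "open"
        except ConnectionRefusedError:
            results[p] = "closed"
        except (socket.timeout, OSError):
            results[p] = "filtered"
        finally:
            s.close()
    return results


def wait_for_log(log, expected, timeout=2.0):
    """Poll until the listener has logged `expected` connections; returns the count."""
    deadline = time.time() + timeout
    while len(log) < expected and time.time() < deadline:
        time.sleep(0.02)
    return len(log)


if __name__ == "__main__":
    port, log = start_listener()
    closed = free_closed_port()
    print(connect_scan("127.0.0.1", [port, closed]))
    print("connections the target saw:", wait_for_log(log, 1), log)
```

Every "open" result here corresponds to one accepted connection in the target's log; with -sS the port state would be identical but the log would stay empty, because the scanner tears the half-open connection down with a RST before accept() ever returns.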

