ReliaQuest
Reflected XSS
Injected script is reflected off the web server, such as in an error message, search result, or any other response. Attacks are delivered via another route such as email or other website. Code travels to vulnerable site and reflects attack back to user's browser; also called Non-Persistent or Type-II
MITM Attack
Intercepts communication between two systems
Burp Suite
Java-based web pentesting framework. Your browser can be configured to route traffic through the Burp Suite proxy server, and Burp Suite captures each request to and from the target app so you can analyze it
What is UDP?
Layer 4 protocol that doesn't provide acknowledgement of sent packets; tends to be used in voice and video streaming; no session multiplexing; connectionless; no flow control and relies on higher layer protocols
IDS vs IPS
IDS (intrusion detection system) sits on a switch on the network; detects threats that are already in the network and attacks in progress
IPS (intrusion prevention system) sits before a switch; monitors internal traffic to block attacks
Host firewall
iptables on a Linux box
Stored XSS
Injected script is permanently stored on the target servers (i.e., database, message forum, comment field, etc.); also called Persistent or Type-I
How to browse directories, list users, processes, etc. in Linux
cd (change directory), pwd (print working directory), top (see user usage), ps (list all running processes), uname -a (Linux version), systemctl (all services)
How to copy files in Linux
cp
Where is local user info stored
/etc/passwd file; can be opened using cat or less
Stateless firewall
Designed to protect network based on static info such as source and destination; use packet filtering rules that specify conditions
DDoS
DDoS employs multiple attacking systems to deny the users access to a particular service or system
Hub
Essentially a repeater; sends incoming traffic to its port to all other ports
Where would you find a log if you're investigating an incident?
Event Viewer - tool to search and view logs generated by Windows hosts; is a log aggregator. /var/log on Linux
DoS
Exploit a known vulnerability in a specific application, OS, protocol, or service in order to deny authorized users access
Pfsense Firewall
Firewall/router software distribution based on FreeBSD. Installed on a physical computer or virtual machine to make a dedicated firewall/router for a network
Suricata
Gets one packet at a time from the system; the packet is pre-processed, then passed to the detection engine; can use pcap in IDS mode, but can also connect to nfnetlink_queue
What role does SIEM play in security operations?
Goal is to keep networks, computer systems, applications, and environments up and running in a secure and protected manner
Offensive Security: ARP Poisoning
When an attacker sends falsified ARP messages over the LAN to link an attacker's MAC address with the IP address of a legitimate computer or server on the network
Other ports
110 - default POP3 non-encrypted port
995 - used for secure POP3 connection
143 - default IMAP non-encrypted port
993 - used for secure IMAP connection
25 - default SMTP non-encrypted port
2525 - opened on all SiteGround servers in case 25 is filtered; non-encrypted SMTP
465 - used for secure SMTP connection
SIEM (Security Information and Event Management)
- Log consolidation: centralized logging to a server
- Threat correlation: the intel used to sort through multiple logs to identify attacks
- Incident management: workflow that executes once threat is identified
- Reporting
Linux logs
/var/log
RSA Encryption
1. Client Hello - client sends hello message to server; includes TLS version, cipher suites, and the client random (string of random bytes)
2. Server Hello - server replies with message containing SSL cert, cipher suite, and server random
3. Authentication - client verifies server's SSL certificate with the cert authority; confirms the server's identity
4. Premaster Secret - client sends another client random; encrypted with public key and can only be decrypted with server's public key
5. Private Key - server decrypts premaster secret
6. Session Keys - client and server generate session keys from the client random, server random, and premaster secret; should arrive at same results
7. Client and Server Ready - client and server send a finished message to each other that is encrypted with session key
8. Secure Symmetric Encryption Achieved - handshake is completed; communication continues using session keys
TCP/IP Model
1. Network Interface Layer - encompasses physical and data link layers
2. Internet - encompasses network layer
3. Transport - encompasses transport layer; also connects systems, TCP/UDP
4. Application - encompasses session, presentation, and application layers; TCP looks at apps as apps
OSI Model
1. Physical - cables
2. Data Link - anything with a MAC address; network cards, switches
3. Network - anything with a logical address; IP addresses, routers
4. Transport - responsible for assembly/disassembly of packets
5. Session - responsible for the connection between two systems; TCP between server and client, shared folder between two computers
6. Presentation - responsible for converting data into a format that applications can read
7. Application - API inside of applications that allows for apps to connect
Most common ports leveraged in cyber attacks
22 - SSH: meterpreter (interactive shell that attacker can use to explore target machine and execute code), banner grabbing (attacker sends request to system to gain more information), brute force, stealing PGP keys
80 - HTTP: websites, Apache exploits
443 - HTTPS: secure websites, Heartbleed (bug that can make memory readable)
20-21 - FTP: file transfer protocol, anonymous login through WinSCP, disable anonymous login, banner grabbing, sniffing
3389 - RDP: brute force, DoS attack
53 - DNS: enumeration (check if a name exists in a database; iterative attack), can reveal the size of an organization
25 - SMTP
Nmap
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
Metasploit
A penetration-testing tool that combines known scanning techniques and exploits to explore potentially new types of exploits
Directory traversal
Aims to access files or directories outside of the web root folder by manipulating variables that reference files with the (../) sequence or by using absolute file paths
SQL Injection
An attack that targets SQL servers by injecting commands to be executed by the database; prevent by using input sanitization (prepared statements, stored procedures, whitelist input validation, escaping user-supplied input)
Wireshark
Application that captures and analyzes network packets
DMZ (demilitarized zone)
Area of a network that sits outside of the main company network; external facing services (web servers, guest networks, mail servers, DNS servers) are here; usually right after the firewall; traffic gets redirected here by firewall based on requested services
Router
Connect networks together and tend to be grouped with switches in a home setting
Switch
Connects computers within a network; send traffic from one port to another but keep a list of MAC addresses that are plugged into each port so that traffic is only sent to those devices
File permissions
Defined by owner, group, and everyone else
What is TCP?
Layer 4 protocol that provides acknowledgements of received packets; reliable because it resends lost packets; one drawback is that it has additional overhead (additional data that needs to be sent); used by application protocols like HTTP and FTP; provides session multiplexing - connection must be established first and is closed afterwards; provides end-to-end flow control which is realized using a sliding window - sends acknowledgement from receiver's end regarding the data that the receiver can receive at a time
Kali Linux
Linux distribution designed for digital forensics and pentesting
XSS (Cross Site Scripting)
Malicious script is injected into a website so that it executes when a user enters the site; can be used to steal cookies, session tokens, or rewrite the content of an HTML page
Polymorphic malware
Malware that can change its code after each use; changes are designed to not affect the functionality of the code
Systemd & SystemV
Method used to manage and launch services/applications on Linux hosts; similar to task manager on Windows
Stateful firewall
Monitors the entire state of any network connections; constantly analyzes the entire data packet; once it approves traffic the first time, the connection is added to a state table and can travel more freely into the network; very resource intensive and vulnerable to DDoS attacks; Windows Firewall is stateful but can be configured to be stateless
Bro/Zeek
NIDS features, incident response, forensics, file extraction, and hashing
Snort
Open source NIDS; packet sniffer that monitors network traffic in real time, analyzing each packet closely to detect a dangerous payload or suspicious anomaly; can be run in logging mode, packet capture mode, or IDS mode with the available rulesets
Ransomware
Performs some action and extracts ransom from a user; ransom is used to remove malware from machine
Worm
Piece of code that attempts to penetrate networks and computer systems by copying itself and propagating through networks and the Internet; does not rely on itself attaching to another piece of code
Virus
Piece of malicious code that replicates by attaching itself to another piece of executable code
Trojan
Piece of software that appears to do one thing but hides other functionality
RedHat vs Ubuntu
RedHat is more geared towards enterprise systems, whereas Ubuntu is more of a home desktop environment; Ubuntu is known to be more newbie-friendly
su -
Run command as root
TCP 3-Way Handshake
SYN - client sends SYN segment to server requesting a connection; will let the server know what sequence number its segments will start with
SYN/ACK - server responds with SYN + ACK signal bits, acknowledging the connection to be made; lets the client know what sequence number its segments will start with
ACK - client acknowledges the server response
Steps 1-2 establish the connection one way while steps 2-3 establish the connection the other way
Vulnerability Scanning vs. Vulnerability Sweeping
Scanning - scans any port on one or more hosts
Sweeping - looks for a specific port across multiple hosts
Cron
Scheduler used by Linux systems; can use to have a box communicate to you at only certain times
find
Search a file system
grep
Search content of a file
Malware
Software that can be designed to cause damage or enable unauthorized access to a system
Bots
Software that performs some task under the control of another program; can create botnets
Keylogger
Software that records keystrokes
Examples of SIEMs
Splunk, SolarWinds, IBM QRadar, RSA NetWitness, AlienVault, LogRhythm
SSL/TLS Handshake
Takes place whenever a connection via HTTPS is used; occurs AFTER a TCP connection has already been made
1. Specify which version of TLS will be used (1.0, 1.2, 1.3)
2. Decide which cipher suites will be used
3. Authenticate the server using the public key and the SSL cert authority's digital signature
4. Generate session keys in order to use symmetric encryption after handshake is complete
Man In The Browser Attack
Trojan horse is used to intercept and manipulate calls between the main application's executable and its security mechanisms or libraries; used to cause financial fraud by manipulating transactions
Phishing
Type of social engineering in which the attacker attempts to obtain sensitive information from users by acting as a trusted entity
Windows 10 commands
netstat -aos: display stats of all active ports
netstat -aon: display all network data on running ports
netstat -a: display all active ports
netstat -aon | find /i "LISTENING" | find "port#": list specific info about a port
How to update Linux system
yum or apt-get; varies depending on the version of Linux