├── 01-essential_knowledge.md
├── 02-reconnaissance_and_footprinting.md
├── 03-scanning_and_enumeration.md
├── 04-sniffing_and_evasion.md
├── 05-system_hacking.md
├── 06-web_server_and_web_application_hacking.md
├── 07-wireless_network_hacking.md
├── 08-mobile_and_iot_hacking.md
├── 09-security_in_cloud_computing.md
├── 10-malware_and_other_attacks.md
├── 11-cryptography.md
├── 12-social_engineering.md
├── 13-pen_testing.md
├── LICENSE
├── README.md
└── SUMMARY.md
/01-essential_knowledge.md:
--------------------------------------------------------------------------------
1 | # 01-Essential Knowledge
2 |
3 | ## Table of Contents
4 |
5 | - [Essential Knowledge](01-essential_knowledge.md#essential-knowledge)
6 | - [OSI Model \(Open System Interconnection\)](01-essential_knowledge.md#osi-model-open-system-interconnection)
7 | - [TCP/IP Model](01-essential_knowledge.md#tcpip-model)
8 | - [CIA Triad](01-essential_knowledge.md#cia-triad)
9 | - [Vulnerability](01-essential_knowledge.md#vulnerability)
10 | - [Vulnerability Categories](01-essential_knowledge.md#vulnerability-categories)
11 | - [Vulnerability Management Tools](01-essential_knowledge.md#vulnerability-management-tools)
12 | - [Security Controls](01-essential_knowledge.md#security-controls)
13 | - [Types of physical security controls](01-essential_knowledge.md#types-of-physical-security-controls)
14 | - [Security Incident and Event Management \(SIEM\)](01-essential_knowledge.md#security-incident-and-event-management-siem)
15 | - [Network Security Zones](01-essential_knowledge.md#network-security-zones)
16 | - [Security Policies](01-essential_knowledge.md#security-policies)
17 | - [Policy Categorizations](01-essential_knowledge.md#policy-categorizations)
18 | - [Types of Policy](01-essential_knowledge.md#types-of-policy)
19 | - [Risk Management](01-essential_knowledge.md#risk-management)
20 | - [5 Ways To Manage Risk](01-essential_knowledge.md#5-ways-to-manage-risk)
21 | - [Threat Modeling](01-essential_knowledge.md#threat-modeling)
22 | - [Business Analysis](01-essential_knowledge.md#business-analysis)
23 | - [Hacking](01-essential_knowledge.md#hacking)
24 | - [Types of Hacker](01-essential_knowledge.md#types-of-hacker)
25 | - [Types of Attack](01-essential_knowledge.md#types-of-attack)
26 | - [Hacking Phases](01-essential_knowledge.md#hacking-phases)
27 | - [Laws and Standards](01-essential_knowledge.md#laws-and-standards)
28 | - [Categories](01-essential_knowledge.md#categories)
29 | - [Standards](01-essential_knowledge.md#standards)
30 | - [ISO/IEC 27001:2013](01-essential_knowledge.md#isoiec-270012013)
31 | - [PCI DSS \(Payment Card Industry Data Security Standard\)](01-essential_knowledge.md#pci-dss-payment-card-industry-data-security-standard)
32 | - [Laws](01-essential_knowledge.md#laws)
33 | - [HIPAA \(Health Insurance Portability and Accountability Act\)](01-essential_knowledge.md#hipaa-health-insurance-portability-and-accountability-act)
34 | - [SOX \(Sarbanes Oxley Act\)](01-essential_knowledge.md#sox-sarbanes-oxley-act)
35 | - [DMCA \(The Digital Millennium Copyright ACT\)](01-essential_knowledge.md#dmca-the-digital-millennium-copyright-act)
36 | - [FISMA \(Federal Information Security Modernization Act Of 2002\)](01-essential_knowledge.md#fisma-federal-information-security-modernization-act-of-2002)
37 | - [NIST-800-53](01-essential_knowledge.md#nist-800-53)
38 | - [Terms to Know](01-essential_knowledge.md#terms-to-know)
39 |
40 | ## Essential Knowledge
41 |
42 | ### OSI Model \(Open System Interconnection\)
43 |
44 | | Layer | Description | Technologies | Data Unit |
45 | | :---- | :----------- | :-------------------- | :-------- |
46 | | 1 | Physical | USB, Bluetooth | Bit |
47 | | 2 | Data Link | ARP, PPP, MAC, STP | Frame |
48 | | 3 | Network | IP, IPsec, ICMP | Packet |
49 | | 4 | Transport | TCP, UDP | Segment |
50 | | 5 | Session | SCP, SOCKS, NetBIOS | Data |
51 | | 6 | Presentation | AFP, MIME, SSL | Data |
52 | | 7 | Application | FTP, HTTP, SMTP, SNMP | Data |
53 |
54 | ### TCP/IP Model
55 |
56 | | Layer | Description | OSI Layer Equivalent |
57 | | :---- | :------------- | :------------------- |
58 | | 1 | Network Access | 1, 2 |
59 | | 2 | Internet | 3 |
60 | | 3 | Transport | 4 |
61 | | 4 | Application | 5-7 |
62 |
63 | ### CIA Triad
64 |
65 | - **Confidentiality**: passwords, encryption
66 | - **Integrity**: hashing, digital signatures
67 | - **Availability**: anti-DoS solutions
68 |
69 |
Confidentiality != Authentication
70 |
71 | ### Vulnerability
72 |
73 | - **Common Vulnerability Scoring System** \(CVSS\): placing numerical score based on severity
74 | - **National Vulnerability Database** \(NVD\): US government repository of vulnerabilities
75 |
76 | #### Vulnerability Categories
77 |
78 | - **Default installation**: failure to change settings in an application that come by default
79 | - **Default passwords**: leaving default passwords that come with system/application
80 | - **Misconfiguration**: improperly configuring a service or application
81 | - **Missing patches**: systems that have not been patched
82 | - **Design flaws**: flaws inherent to system design such as encryption and data validation
83 | - **Operating System Flaws**: flaws specific to each OS
84 | - **Buffer overflow**: code execution flaw, eg: EIP \(Extended Instruction Pointer\) register
85 |
86 | #### Vulnerability Management Tools
87 |
88 | - Nessus
89 | - Qualys
90 | - GFI Languard
91 | - Nikto
92 | - OpenVAS
93 | - Retina CS
94 |
95 | ### Security Controls
96 |
97 | | Description | Examples |
98 | | :------------------------- | :-------------------------------------------- |
99 | | Physical | Guards, lights, cameras |
100 | | Technical | Encryption, smart cards, access control lists |
101 | | Administrative/Operational | Training awareness, policies, procedures |
102 |
103 | #### Types of physical security controls
104 |
105 | - **Preventive**: controls used to **stop potential attacks** by preventing users from performing specific actions, such as encryption and authentication
106 | - **Detective**: controls used to **monitor and alert** on malicious or unauthorized activity, such as IDS's and CCTV feeds monitored in real life, record any intrusion attempts
107 | - **Deterrent**: controls used to **discourage potential attackers and send warning messages to the attackers**, such as signs that warn possible attackers about the alarm system and monitoring in place
108 | - **Compensating**: controls used to **supplement directive controls** when the intended control is failed, such as administrator reviewing logs files for violations of company policy
109 | - **Corrective**: controls designed to **fix things after an attack** has been discovered and stopped
110 | - **Recovery**: controls used to **recover from security violations** and restore information and systems to a persistent state
111 |
112 | #### Security Incident and Event Management \(SIEM\)
113 |
114 | - Aggregating and providing search for log data
115 | - Functions related to a security operations center \(SOC\)
116 | - Identifying
117 | - Monitoring
118 | - Recording
119 | - Auditing
120 | - Analyzing
121 |
122 | #### Network Security Zones
123 |
124 | - **Internet**: uncontrollable
125 | - **Internet DMZ**: controlled buffer network
126 | - **Production Network Zone**: very restricted; controls direct access from uncontrolled zones; no users
127 | - **Intranet Zone**: controlled; has little to no heavy restrictions
128 | - **Management Network Zone**: might find VLANs and IPsec; highly secured; strict policies
129 |
130 | ### Security Policies
131 |
132 | - **Access Control**: what resources are protected and who can access them
133 | - **MAC** \(Mandatory Access Control\): access set by an administrator
134 | - **DAC** \(Discretionary Access Control\): allowing users to give access to resources that they own and control
135 | - **Information Security**: what can systems be used for
136 | - **Information Protection**: defining data sensitivity levels
137 | - **Password**: how long, characters required, etc.
138 | - **E-Mail**: proper and allowable use of email systems
139 | - **Information Audit**: defining the framework used for auditing
140 |
141 | #### Policy Categorizations
142 |
143 | - **Standard**: mandatory rules to achieve consistency
144 | - **Baseline**: providing the minimum security necessary, can compare to future states monitored over time to see what security and configuration changes have been made
145 | - **Procedure**: step-by-step instructions
146 | - **Guideline**: flexible or recommended actions
147 |
148 | #### Types of Policy
149 |
150 | - **Promiscuous**: wide open
151 | - **Permissive**: blocking only known dangerous things
152 | - **Prudent**: blocking most and only allows things for business purposes
153 | - **Paranoid**: locking everything down
154 |
155 | ### Risk Management
156 |
157 | - Risk identification
158 | - Risk assessment
159 | - Assessing the organization's risks and estimates the likelihood and impact of those risks
160 | - Assigning priorities for risk mitigation and implementation plans, which help to determine the quantitative and qualitative value of risk
161 | - Risk treatment
162 | - Risk tracking
163 | - Risk review
164 |
165 | #### 5 Ways To Manage Risk
166 |
167 | - Accept
168 | - Avoid
169 | - Transfer
170 | - Mitigate
171 | - Exploit
172 |
173 |
Transfer != Delegate
174 |
175 | #### Threat Modeling
176 |
177 | - Identify security objectives
178 | - Application Overview
179 | - Decompose application
180 | - Identify threats
181 | - Identify vulnerabilities
182 |
183 | #### Business Analysis
184 |
185 | - Business Impact Analysis \(BIA\): process that identifies and evaluates the potential effects that man-made or natural events will have on business operations, identifies the critical systems that would be affected by them
186 | - Maximum Tolerable Downtime \(MTD\)
187 | - Business Continuity Plan \(BCP\): procedure for maintaining businesses during any event
188 | - Disaster Recovery Plan \(DRP\)
189 | - Annualized Loss Expectancy \(ALE\)
190 | - Annual Rate of Occurrence \(ARO\)
191 | - Single Loss Expectancy \(SLE\)
192 | - `ALE = SLE * ARO`
193 | - User Behavior Analysis \(UBA\): tracking users and extrapolating data in light of malicious activity
194 |
195 | ### Hacking
196 |
197 | #### Types of Hacker
198 |
199 | - **White Hat**: ethical hacker
200 | - **Black Hat**: hacker that seeks to perform malicious activities
201 | - **Gray Hat**: hacker that performs good or bad activities but do not have the permission of the organization they are hacking against
202 | - **Hacktivist**: someone who hacks for a cause
203 | - **Suicide Hacker**: not caring about any impunity to themselves
204 | - **Cyberterrorist**: motivated by religious or political beliefs to create fear or disruption
205 | - **State-Sponsored Hacker**: hacker that is hired by a government
206 | - **Script Kiddie**: uneducated in security methods, but uses tools that are freely available to perform malicious activities
207 | - **Cracker**: using tools for personal gain or destructive purposes
208 | - **Ethical Hacker**
209 | - Employing tools that hackers use with a customer's permission
210 | - Always obtaining an agreement from the client with specific objectives **before** any testing is done
211 |
212 | #### Types of Attack
213 |
214 | - **Operating System**: targeting OS flaws or security issues inside such as guest accounts or default passwords
215 | - **Application Level**: targeting on programming code and software logic
216 | - **Shrink-Wrap Code**: taking advantage of built-in code or scripts
217 | - **Misconfiguration**: taking advantage of systems that are misconfigured due to improper configuration or default configuration
218 | - **Infowar**: using of information and communication techniques to take competitive advantages over an opponent
219 |
220 | #### Hacking Phases
221 |
222 | 1. **Reconnaissance**: gathering evidence about targets
223 | 2. **Scanning & Enumeration**: obtaining more in-depth information about targets
224 | 3. **Gaining Access**: leveled attacks in order to gain access to a system
225 | 4. **Maintaining Access**: items in place to ensure future access
226 | 5. **Covering Tracks**: steps taken to conceal success and intrusion
227 |
228 | ### Laws and Standards
229 |
230 | #### Categories
231 |
232 | - **Criminal**: laws that protect public safety and usually have jail time attached
233 | - **Civil**: private rights and remedies
234 | - **Common**: laws that are based on societal customs
235 |
236 | #### Standards
237 |
238 | ##### ISO/IEC 27001:2013
239 |
240 | - Based on the British BS7799 standard, focuses on security governance
241 | - PDCA cycle is Plan, Do, Check and Act
242 |
243 | ##### PCI DSS \(Payment Card Industry Data Security Standard\)
244 |
245 | - Standard for organizations handling Credit Cards, ATM cards and other POS cards
246 | - 6 major objectives:
247 | 1. Build and Maintain a Secure Network and Systems
248 | 2. Protect card holder Data
249 | 3. Maintain a Vulnerability Management Program
250 | 4. Implement Strong Access Control Measures
251 | 5. Regularly Monitor and Test Networks
252 | 6. Maintain an Information Security Policy
253 |
254 | #### Laws
255 |
256 | ##### HIPAA \(Health Insurance Portability and Accountability Act\)
257 |
258 | - A law that sets privacy standards to protect patient medical records and health information shared between doctors, hospitals and insurance providers, requires employers standard national numbers to identify them on standard transactions
259 |
260 | ##### SOX \(Sarbanes Oxley Act\)
261 |
262 | - A law that requires publicly traded companies to submit to independent audits and to properly disclose financial information, contains 11 titles
263 |
264 | ##### DMCA \(The Digital Millennium Copyright ACT\)
265 |
266 | - A United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization \(WIPO\)
267 |
268 | ##### FISMA \(Federal Information Security Modernization Act Of 2002\)
269 |
270 | - A law to codify the authority of the Department of Homeland Security with regard to implementation of information security policies
271 |
272 | ##### NIST-800-53
273 |
274 | - Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA
275 | - 5 functions are Identify, Protect, Detect, Response and Recover
276 |
277 | ### Terms to Know
278 |
279 | - **Hack value**: perceived value or worth of a target as seen by the attacker
280 | - **Zero-day attack**: attack that occurs before a vendor knows or is able to patch a flaw
281 | - **Daisy Chaining**: gaining access to one network and/or computer then using the same information to gain access to multiple networks and computers that contain desirable information
282 | - **Doxing**: searching for and publishing information about an individual usually with a malicious intent
283 | - **Enterprise Information Security Architecture** \(EISA\): a set of requirements, processes, principles and models that determines how systems work within an organization
284 | - **Incident management**: dealing with specific incidents to mitigate the attack, resolving and preventing the future recurrence of a security incident
285 | - **Fingerprinting**: another word for port sweeping and enumeration
286 | - **Defense-in-Depth**: a security strategy in which security professionals use several protection layers throughout an information system
287 | - **Competitive Intelligence**: information gathered by businesses about competitors
288 |
--------------------------------------------------------------------------------
/02-reconnaissance_and_footprinting.md:
--------------------------------------------------------------------------------
1 | # 02-Reconnaissance and Footprinting
2 |
3 | ## Table of Contents
4 |
5 | - [Reconnaissance and Footprinting](02-reconnaissance_and_footprinting.md#reconnaissance-and-footprinting)
6 | - [Types of Footprinting](02-reconnaissance_and_footprinting.md#types-of-footprinting)
7 | - [Search Engines](02-reconnaissance_and_footprinting.md#search-engines)
8 | - [Website Footprinting](02-reconnaissance_and_footprinting.md#website-footprinting)
9 | - [Email Footprinting](02-reconnaissance_and_footprinting.md#email-footprinting)
10 | - [DNS Footprinting](02-reconnaissance_and_footprinting.md#dns-footprinting)
11 | - [Types of DNS Record](02-reconnaissance_and_footprinting.md#types-of-dns-record)
12 | - [SOA Record Fields](02-reconnaissance_and_footprinting.md#soa-record-fields)
13 | - [Regional Internet registtry \(RIR\)](02-reconnaissance_and_footprinting.md#regional-internet-registtry-rir)
14 | - [nslookup](02-reconnaissance_and_footprinting.md#nslookup)
15 | - [dig](02-reconnaissance_and_footprinting.md#dig)
16 | - [Network Footprinting](02-reconnaissance_and_footprinting.md#network-footprinting)
17 | - [OS Fingerprinting](02-reconnaissance_and_footprinting.md#os-fingerprinting)
18 | - [Banner Grabbing](02-reconnaissance_and_footprinting.md#banner-grabbing)
19 | - [Telnet](02-reconnaissance_and_footprinting.md#telnet)
20 | - [Netcat](02-reconnaissance_and_footprinting.md#netcat)
21 | - [Other Tools](02-reconnaissance_and_footprinting.md#other-tools)
22 |
23 | ## Reconnaissance and Footprinting
24 |
25 | - Looking for high-level information on a target
26 |
27 | ### Types of Footprinting
28 |
29 | - **Active**: requiring attacker to touch the device or network
30 | - Social engineering and other communications that require interaction with target
31 | - **Passive**: collecting information from publicly available sources
32 | - Websites, DNS records, business information databases
33 | - **Anonymous**: information gathering without revealing anything about yourself
34 | - **Pseudonymous**: making someone else take the blame for your actions
35 |
36 | ### Search Engines
37 |
38 | - **Alexa.com**: resource for statistics about websites
39 | - **NetCraft**: information about website and possibly OS info, used to discover restricted URLs
40 | - **Job Search Sites**: information about technologies can be gleaned from job postings
41 | - **Google**
42 | - filetype: look for file types
43 | - index of directory listings
44 | - info: contain Google's information about the page
45 | - intitle: string in title
46 | - inurl: string in url
47 | - link: find linked pages
48 | - related: find similar pages
49 | - site: find pages specific to that site
50 | - **EDGAR**: database maintained by SEC and includes filing information from public companies
51 | - **Shodan**: search engine that shows devices connected to the Internet
52 | - **Whois**: obtain registration information for the domain
53 |
54 | ### Website Footprinting
55 |
56 | - **Web mirroring**: allowing for discrete testing offline
57 | - HTTrack
58 | - Wget
59 | - WebRipper
60 | - Teleport Pro
61 | - Backstreet Browser
62 | - **Archive.org**: providing cached websites from various dates which possibly have sensitive information that has been now removed
63 | - **Web Spiders**: obtaining information from the website such as pages, etc.
64 |
65 | ### Email Footprinting
66 |
67 | - **Email header**: may show servers and where the location of those servers are
68 | - **Email tracking**: services can track various bits of information including the IP address of where it was opened, where it went, etc.
69 |
70 | ### DNS Footprinting
71 |
72 | - Zone transfer replicates all records, happening when a primary server's serial number higher than the secondary's serial number
73 | - **Name resolvers**: answering requests
74 | - **Authoritative Servers**: holding all records for a namespace, where all records for a domain belonging to an organization or enterprise reside
75 |
76 | #### Types of DNS Record
77 |
78 | | Name | Description | Purpose |
79 | | :---- | :----------------- | :--------------------------------------------- |
80 | | SRV | Service | Points to a specific service |
81 | | SOA | Start of Authority | Indicates the authoritative NS for a namespace |
82 | | PTR | Pointer | Maps an IP to a hostname |
83 | | NS | Nameserver | Lists the nameservers for a namespace |
84 | | MX | Mail Exchange | Lists email servers, low number high priority |
85 | | CNAME | Canonical Name | Maps a name to an A reccord |
86 | | A | Address | Maps an hostname to an IP address |
87 | | AAAA | IPv6 address | Maps an hostname to an IPv6 address |
88 |
89 | ##### SOA Record Fields
90 |
91 | - **Source Host**: hostname of the primary DNS
92 | - **Contact Email**: email for the person responsible for the zone file
93 | - **Serial Number**: revision number that increments with each change
94 | - **Refresh Time**: time in which an update should occur
95 | - **Retry Time**: time that a NS should wait on a failure
96 | - **Expire Time**: time in which a zone transfer is allowed to complete
97 | - **TTL** \(Time to Live\): minimum TTL for records within the zone
98 |
99 | #### Regional Internet registtry \(RIR\)
100 |
101 | - **AfriNIC**: Africa
102 | - **APNIC**: Asia Pacific
103 | - **ARIN**: North America
104 | - **LACNIC**: Latin America
105 | - **RIPE**: Europe, Middle East
106 |
107 | #### nslookup
108 |
109 | - Perform DNS queries: `nslookup [-options] [hostname]`
110 | - Determine if the entry is present in DNS cache with option: `-norecursive`
111 | - Provide the type of computer and OS a host: `set type=HINFO`
112 | - Interactive zone transfer
113 |
114 | ```text
115 | nslookup
116 | server
117 | set type = any
118 | ls -d domainname.com
119 | ```
120 |
121 | #### dig
122 |
123 | - Unix-based command like nslookup
124 | - `dig @server name type`
125 |
126 | ### Network Footprinting
127 |
128 | - IP address range can be obtained from regional registrar
129 | - Use traceroute to find intermediary servers
130 | - traceroute uses ICMP ECHO in Windows, hop count of 1
131 | - traceroute maps the route of a packet travel: manipulates the value of time to live \(TTL\) within packet to elicit a time exceeded in transit message
132 | - TTL is incremented by 1 for each hop discovered
133 | - Windows command: `tracert`
134 | - Linux command: `traceroute`
135 |
136 | ### OS Fingerprinting
137 |
138 | - **Active**: sending crafted packets to the target
139 | - **Passive**: sniffing network traffic for things such as TTL windows, DF \(Don't Fragment\) flags and ToS \(Type of Service\) fields
140 |
141 | ### Banner Grabbing
142 |
143 | - Getting information about OS or specific server info \(such as web server, mail server, etc.\)
144 | - **Active**: sending specially crafted packets and comparing responses to determine OS
145 | - **Passive**: reading error messages, sniffing traffic or looking at page extensions
146 |
147 | #### Telnet
148 |
149 | - Easy way to banner grabbing, connects via telnet on port:
150 |
151 | ```text
152 | telnet webserveraddress 80
153 | HEAD / HTTP/1.0
154 | ```
155 |
156 | #### Netcat
157 |
158 | - `nc `
159 |
160 | | Flag | Function |
161 | | :--- | :------------------------ |
162 | | -4 | IPv4 |
163 | | -6 | IPv6 |
164 | | -z | Report only open ports |
165 | | -u | Scan for UDP ports |
166 | | -l | Listen on a specific port |
167 | | -w | Timeout seconds |
168 | | -p | Specify source port |
169 |
170 | ### Other Tools
171 |
172 | - **OSRFramework**: uses open source intelligence to get information about target
173 | - **Metagoofil**: uses Google hacks to find information in meta tags
174 | - **Maltego**: social Engineering Tools
175 |
--------------------------------------------------------------------------------
/03-scanning_and_enumeration.md:
--------------------------------------------------------------------------------
1 | # 03-Scanning and Enumeration
2 |
3 | ## Table of Contents
4 |
5 | - [Scanning and Enumeration](03-scanning_and_enumeration.md#scanning-and-enumeration)
6 | - [Scanning](03-scanning_and_enumeration.md#scanning)
7 | - [Data transition methods](03-scanning_and_enumeration.md#data-transition-methods)
8 | - [Scanning Methodology](03-scanning_and_enumeration.md#scanning-methodology)
9 | - [TCP/IP \(Transmission Control Protocol/Internet Protocol\)](03-scanning_and_enumeration.md#tcpip-transmission-control-protocolinternet-protocol)
10 | - [TCP Flags](03-scanning_and_enumeration.md#tcp-flags)
11 | - [TCP Handshake](03-scanning_and_enumeration.md#tcp-handshake)
12 | - [Port Numbers](03-scanning_and_enumeration.md#port-numbers)
13 | - [Subnetting](03-scanning_and_enumeration.md#subnetting)
14 | - [ICMP \(Internet Control Message Protocol\)](03-scanning_and_enumeration.md#icmp-internet-control-message-protocol)
15 | - [Message Types](03-scanning_and_enumeration.md#message-types)
16 | - [Ping scanning tools](03-scanning_and_enumeration.md#ping-scanning-tools)
17 | - [Vulnerability Scanning](03-scanning_and_enumeration.md#vulnerability-scanning)
18 | - [Enumeration](03-scanning_and_enumeration.md#enumeration)
19 | - [NetBIOS \(Network Basic Input/Output System\) Enumeration](03-scanning_and_enumeration.md#netbios-network-basic-inputoutput-system-enumeration)
20 | - [NetBIOS code and meaning](03-scanning_and_enumeration.md#netbios-code-and-meaning)
21 | - [SNMP \(Simple Network Management Protocol\) Enumeration](03-scanning_and_enumeration.md#snmp-simple-network-management-protocol-enumeration)
22 | - [SMTP \(Simple Mail Transfer Protocol\) Enumeration](03-scanning_and_enumeration.md#smtp-simple-mail-transfer-protocol-enumeration)
23 | - [NTP \(Network Time Protocol\) Enumeration](03-scanning_and_enumeration.md#ntp-network-time-protocol-enumeration)
24 | - [LDAP \(Lightweight Directory Access Protocol\) Enumeration](03-scanning_and_enumeration.md#ldap-lightweight-directory-access-protocol-enumeration)
25 | - [Nmap](03-scanning_and_enumeration.md#nmap)
26 | - [Full connect scan](03-scanning_and_enumeration.md#full-connect-scan)
27 | - [TCP SYN scan \(Stealth scan\)](03-scanning_and_enumeration.md#tcp-syn-scan-stealth-scan)
28 | - [Responses to Full and SYN scan probe](03-scanning_and_enumeration.md#responses-to-full-and-syn-scan-probe)
29 | - [Inverse TCP flag scan \(FIN, URG and PSH scanning\)](03-scanning_and_enumeration.md#inverse-tcp-flag-scan-fin-urg-and-psh-scanning)
30 | - [NULL scan](03-scanning_and_enumeration.md#null-scan)
31 | - [Xmas scan](03-scanning_and_enumeration.md#xmas-scan)
32 | - [Responses to NULL, FIN, or Xmas scan](03-scanning_and_enumeration.md#responses-to-null-fin-or-xmas-scan)
33 | - [TCP ACK scan](03-scanning_and_enumeration.md#tcp-ack-scan)
34 | - [IDLE Scan](03-scanning_and_enumeration.md#idle-scan)
35 | - [Nmap Switches](03-scanning_and_enumeration.md#nmap-switches)
36 | - [hping](03-scanning_and_enumeration.md#hping)
37 | - [hping switch and description](03-scanning_and_enumeration.md#hping-switch-and-description)
38 |
39 | ## Scanning and Enumeration
40 |
41 | ### Scanning
42 |
43 | - Discovering systems on the network and looking at what ports are open as well as applications that may be running
44 |
45 | #### Data transition methods
46 |
47 | - **Connectionless Communication**: UDP \(User Datagram Protocol\) packets are sent without creating a connection. Examples are TFTP, DNS \(lookups only\) and DHCP
48 | - **Connection-Oriented Communication**: TCP packets require a connection due to the size of the data being transmitted and to ensure deliverability
49 |
50 | #### Scanning Methodology
51 |
52 | 1. **Check for live systems**: ping or other type of way to determine live hosts
53 | 2. **Check for open ports**: once you know live host IPs, scan them for listening ports
54 | 3. **Scan beyond IDS**: if needed, use methods to scan beyond the detection systems
55 | 4. **Perform banner grabbing**: grabbing from servers as well as perform OS fingerprinting
56 | 5. **Scan for vulnerabilities**: using tools to look at the vulnerabilities of open systems
57 | 6. **Draw network diagrams**: showing logical and physical pathways into networks
58 | 7. **Prepare proxies**: obscuring efforts to keep you hidden
59 |
60 | #### TCP/IP \(Transmission Control Protocol/Internet Protocol\)
61 |
62 | ##### TCP Flags
63 |
64 | | Flag | Name | Decimal number | Function |
65 | | :--- | :------------- | :------------- | :------------------------------------------------------------------------------- |
66 | | SYN | Synchronize | 2 | Set during initial communication. Negotiating of parameters and sequence numbers |
67 | | ACK | Acknowledgment | 16 | Set as an acknowledgment to the SYN flag. Always set after initial SYN |
68 | | RST | Reset | 4 | Forces the termination of a connection \(in both directions\) |
69 | | FIN | Finish | 1 | Ordered close to communications |
70 | | PSH | Push | 8 | Forces the delivery of data without concern for buffering |
71 | | URG | Urgent | 32 | Data inside is being sent out of band. Example is canceling a message |
72 |
73 | - How to remember TCP Flag's number
74 |
75 | ```text
76 | UAPRSF
77 | 000001 FIN
78 | 000010 SYN
79 | 000100 RST
80 | 001000 PSH
81 | 010000 ACK
82 | 100000 URG
83 | ```
84 |
85 | ##### TCP Handshake
86 |
87 | - Connection establishment: SYN -> SYN-ACK -> ACK
88 | - Connection termination: FIN -> ACK-FIN -> ACK
89 | - Sequence and Acknowledgment numbers calculation:
90 |
91 | ```text
92 | A.Seq = B.Ack
93 | A.Ack = B.Seq + B.Len + phantom byte
94 |
95 | - Connection establishment:
96 |
97 | -------- --------
98 | |Client| |Server|
99 | -------- --------
100 | │ │
101 | │ SYN [Seq#=0, Ack#=0] │
102 | │------------------------>│
103 | │ │
104 | │SYN, ACK [Seq#=0, Ack#=1]│
105 | │<------------------------│
106 | │ │
107 | │ ACK [Seq#=1, Ack#=1] │
108 | │------------------------>│
109 | -------- --------
110 | |Client| |Server|
111 | -------- --------
112 |
113 | (SYN as 1 phantom byte)
114 |
115 | - Data transfer:
116 |
117 | -------- --------
118 | |Client| |Server|
119 | -------- --------
120 | │ │
121 | │ PSH, ACK [Seq#=1, Ack#=1, Len=376] │
122 | │----------------------------------->│
123 | │ │
124 | │ ACK [Seq#=1, Ack#=377] │
125 | │<-----------------------------------│
126 | │ │
127 | │PSH, ACK [Seq#=1, Ack#=377, Len=270]│
128 | │<-----------------------------------│
129 | │ │
130 | │ ACK [Seq#=377, Ack#=271] │
131 | │----------------------------------->│
132 | -------- --------
133 | |Client| |Server|
134 | -------- --------
135 |
136 | - Connection termination (4-way TCP termination):
137 |
138 | - Server ends TCP session
139 |
140 | -------- --------
141 | |Client| |Server|
142 | -------- --------
143 | │ │
144 | │FIN, ACK [Seq#=271, Ack#=377]│
145 | │<----------------------------│
146 | │ │
147 | │ ACK [Seq#=377, Ack#=272] │
148 | │---------------------------->│
149 | -------- --------
150 | |Client| |Server|
151 | -------- --------
152 |
153 | - Client ends TCP session
154 |
155 | -------- --------
156 | |Client| |Server|
157 | -------- --------
158 | │ │
159 | │FIN, ACK [Seq#=377, Ack#=272]│
160 | │---------------------------->│
161 | │ │
162 | │ ACK [Seq#=272, Ack#=378] │
163 | │<----------------------------│
164 | -------- --------
165 | |Client| |Server|
166 | -------- --------
167 |
168 | (FIN as 1 phantom byte)
169 | ```
170 |
171 | ##### Port Numbers
172 |
173 | - **Internet Assigned Numbers Authority** \(IANA\): maintaining Service Name and Transport Protocol Port Number Registry which lists all port number reservations
174 | - Ranges
175 | - **Well-known ports**: 0-1023 \(2^10\)
176 | - **Registered ports**: 1024-49,151
177 | - **Dynamic ports**: 49,152-65,535 \(2^16\)
178 | - A service is said to be **listening** for a port when it has that specific port open
179 | - Once a service has made a connection, the port is in an **established** state
180 | - Netstat: showing open ports on computer
181 | - Display connections in numerical form: `netstat -an`
182 | - Display executables tied to the open port \(admin only\): `netstat -b`
183 | - Some important port numbers
184 |
185 | | Port Number | Protocol | Transport Protocol |
186 | | :---------- | :---------------- | :----------------- |
187 | | 20/21 | FTP | TCP |
188 | | 22 | SSH | TCP |
189 | | 23 | Telnet | TCP |
190 | | 25 | SMTP | TCP |
191 | | 53 | DNS name lookup | UDP |
192 | | 53 | DNS zone transfer | TCP |
193 | | 67 | DHCP | UDP |
194 | | 69 | TFTP | UDP |
195 | | 80 | HTTP | TCP |
196 | | 88 | Kerberos | TCP/UDP |
197 | | 110 | POP3 | TCP |
198 | | 123 | NTP | TCP/UDP |
199 | | 135 | RPC | TCP |
200 | | 137-139 | NetBIOS \(SMB\) | TCP/UDP |
201 | | 143 | IMAP | TCP |
202 | | 161/162 | SNMP | UDP |
203 | | 389 | LDAP | TCP/UDP |
204 | | 443 | HTTPS | TCP |
205 | | 445 | SMB | TCP/UDP |
206 | | 514 | SYSLOG | UDP |
207 | | 546 | dhcpv6 | TCP/UDP |
208 | | 631 | IPP \(Printing \) | TCP/UDP |
209 | | 3268 | Global Catalog | TCP/UDP |
210 | | 5355 | LLMNR | UDP |
211 |
212 | ##### Subnetting
213 |
214 | - **IPv4 Main Address Types**
215 | - **Unicast**: acted on by a single recipient
216 | - **Multicast**: acted on by members of a specific group
217 | - **Broadcast**: acted on by everyone on the network
218 | - **Limited**: delivered to every system in the domain \(255.255.255.255\)
219 | - **Directed**: delivered to all devices on a subnet and use that broadcast address
220 | - **Private addresses**: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
221 | - **Subnet mask**: determining how many address available on a specific subnet, also determining whether a destination system is on the same network as the source, represented by three methods:
222 | - **Decimal**: 255.240.0.0
223 | - **Binary**: 11111111.11110000.00000000.00000000
224 | - **CIDR** \(Classless Inter-Domain Routing\): x.x.x.x/12 \(where x.x.x.x is an ip address on that range\)
225 | - Network address: 1st address in the range, subnet mask bits + all 0s
226 | - Broadcast address: last address in the range, subnet mask bits + all 1s
227 | - Any other combination indicates an address in the range
228 | - Subnet calculation:
229 |
230 | ```text
231 | IP address: 130.192.202.202
232 | Subnet mask: 255.255.248.0
233 |
234 | - Step 1:
235 | IP | 10000010 11000000 11001010 11001010
236 | Subnet mask | 11111111 11111111 11111000 00000000
237 |
238 | - Step 2:
239 | Network Address | 10000010 11000000 11001
240 | Broadcast Address | 10000010 11000000 11001
241 |
242 | - Step 3:
243 | Network Address | 10000010 11000000 11001000 00000000
244 | Broadcast Address | 10000010 11000000 11001111 11111111
245 |
246 | - Step 4:
247 | Network Address: 130.192.200.0
248 | Broadcast Address: 130.192.200.255
249 | ```
250 |
251 | - Decimal to Binary:
252 |
253 | ```text
254 | 0 0 0 0 0 0 0 0
255 | 128 64 32 16 8 4 2 1
256 | ```
257 |
258 | #### ICMP \(Internet Control Message Protocol\)
259 |
260 | - ICMP is the easiest way to scan for live systems is through ICMP, but sometimes blocked on hosts that are actually live
261 | - Payload of an ICMP message can be anything \(RFC never set what it was supposed to be\); allows for covert channels
262 | - **Ping sweep**: easiest method to identify hosts
263 | - **ICMP ECHO scanning**: sending an ICMP ECHO Request to the network IP address, ping sweeping
264 | - ICMP Type 3 Code 13 indicates that traffic is being blocked by router or firewall
265 | - ICMP Type 3 Code 3 indicates that the client itself has the port closed
266 |
267 | ##### Message Types
268 |
269 | | ICMP Message Type | Description and Codes |
270 | | :------------------------- | :----------------------------------------------------------------------- |
271 | | 0: Echo Reply | Answer to a Type 8 Echo Request |
272 | | 3: Destination Unreachable | Error message followed by these codes: |
273 | | | 0 - Destination network unreachable |
274 | | | 1 - Destination host unreachable |
275 | | | 2 - protocol unreachable |
276 | | | 3 - port unreachable |
277 | | | 6 - Network unknown |
278 | | | 7 - Host unknown |
279 | | | 9 - Network administratively prohibited |
280 | | | 10 - Host administratively prohibited |
281 | | | 13 - Communication administratively prohibited |
282 | | 4: Source Quench | A congestion control message |
283 | | 5: Redirect | Sent when there are two or more gateways available for the sender to use |
284 | | | 0 - Redirect datagram for the network |
285 | | | 1 - Redirect datagram for the host |
286 | | 8: Echo Request | A ping message, requesting an echo reply |
287 | | 11: Time Exceeded | Packet took too long to be routed \(code 0 is TTL expired\) |
288 |
289 | ##### Ping scanning tools
290 |
291 | - Nmap: virtually always does a ping sweep with scans unless you turn it off
292 | - Angry IP Scanner
293 | - SolarWinds Engineer Toolkit
294 | - Advanced IP Scanner
295 | - Pinkie
296 |
297 | #### Vulnerability Scanning
298 |
299 | - Using complex or simple tools runs against a target to determine vulnerabilities
300 | - Tools
301 | - Nessus: industry standard
302 | - GFI LanGuard
303 | - Qualys
304 | - FreeScan - best known for testing websites and applications
305 | - OpenVAS - best competitor to Nessus and is free
306 |
307 | ### Enumeration
308 |
309 | - Listing the items that are found within a specific target
310 | - Always active by nature
311 |
312 | #### NetBIOS \(Network Basic Input/Output System\) Enumeration
313 |
314 | - NetBIOS provides name servicing, connectionless communication and some Session layer stuff
315 | - NetBIOS is the browser service in Windows designed to host information about all machines within domain or TCP/IP network segment
316 | - NetBIOS name is a **16-character ASCII string** used to identify devices Of those 16 characters, 15 are used for the device name, and the remaining character is reserved for the service name or name record type
317 | - NetBIOS name resolution doesn't work on IPv6
318 | - nbtstat \(on Windows\)
319 | - Local table: `nbtstat -n`
320 | - Remote information: `nbtstat -A `
321 | - Cache information: `netstat -c`
322 | - Other Tools
323 | - SuperScan
324 | - Hyena
325 | - NetBIOS Enumerator
326 | - NSAuditor
327 |
328 | ##### NetBIOS code and meaning
329 |
330 | | Code | Type | Meaning |
331 | | :--- | :----- | :------------------------ |
332 | | | UNIQUE | Hostname |
333 | | | GROUP | Domain name |
334 | | | UNIQUE | Windows Messenger service |
335 | | | UNIQUE | Domain master browser |
336 | | | GROUP | Domain controller |
337 | | | UNIQUE | Master browser for subnet |
338 | | | UNIQUE | File Service |
339 |
340 | #### SNMP \(Simple Network Management Protocol\) Enumeration
341 |
342 | - Used for network device management and uses both an agent and a manager to ensure logging and control
343 | - Agents are embedded in every network device
344 | - Manager is installed on a separate computer
345 | - There is a read-only and a read-write version
346 | - Default read-only string is **public**
347 | - Default read-write string is **private**
348 | - SNMP uses **community strings** which function as passwords, sent in cleartext unless using SNMP v3
349 | - **Management Information Base** \(MIB\): database that stores information, it uses ASN.1 \(Abstract Syntax Notation One\)
350 | - **Object Identifiers** \(OID\): identifiers for information stored in MIB
351 | - **SNMP GET**: getting information about the system
352 | - **SNMP SET**: setting information about the system
353 | - **Types of objects**
354 | - **Scalar**: single object
355 | - **Tabular**: multiple related objects that can be grouped together
356 | - Tools
357 | - Engineer's Toolset
358 | - SNMPScanner
359 | - OpUtils 5: includes SNMP tools
360 | - SNScan
361 |
362 | #### SMTP \(Simple Mail Transfer Protocol\) Enumeration
363 |
364 | - VRFY: verifying email addresses; code 200 success, code 550 failure
365 | - EXPN: providing actual delivery address of mailing list and aliases
366 | - RCPT TO: defining recipients
367 |
368 | #### NTP \(Network Time Protocol\) Enumeration
369 |
370 | - Querying can give you list of systems connected to the server name and IP
371 | - Tools
372 | - NTP Server Scanner
373 | - AtomSync
374 | - Commands
375 | - ntptrace
376 | - ntpdc
377 | - ntpq
378 |
379 | #### LDAP \(Lightweight Directory Access Protocol\) Enumeration
380 |
381 | - Connecting on 389 to a Directory System Agent \(DSA\)
382 | - Returning information such as valid user names, domain information, addresses, telephone numbers, system data, organization structure and other items, interface with Active Directory \(AD\)
383 | - Tools
384 | - Softerra
385 | - JXplorer
386 | - Lex \(The LDAP Explorer\)
387 | - LDAP Admin Tool
388 |
389 | ### Nmap
390 |
391 | #### Full connect scan
392 |
393 | - `nmap -sT`
394 | - TCP connect or full open scan
395 | - Full connection and then tears down with RST
396 | - Easiest to detect, but most reliable
397 |
398 | #### TCP SYN scan \(Stealth scan\)
399 |
400 | - `nmap -sS`
401 | - Half-open scan or stealth scan
402 | - Only sending SYN packets
403 | - Using abruptly ended connection before the three-way handshake
404 | - Hiding efforts and evading firewalls
405 |
406 | ##### Responses to Full and SYN scan probe
407 |
408 | | Probe Response | Assigned State |
409 | | :----------------- | :------------- |
410 | | TCP SYN/ACK packet | open |
411 | | TCP RST packet | closed |
412 |
413 | #### Inverse TCP flag scan \(FIN, URG and PSH scanning\)
414 |
415 | - Using FIN, URG or PSH flag
416 | - Setting just TCP FIN bit, do FIN scan: `nmap -sF`
417 |
418 | #### NULL scan
419 |
420 | - `nmap -sN`
421 | - TCP flag header is 0, no flag set
422 | - Not working against systems where RFC 793 is not implemented
423 |
424 | #### Xmas scan
425 |
426 | - `nmap -sX`
427 | - All flags \(FIN, PSH and URG\) are turned on so it's "lit up" like a Christmas tree
428 | - Not working against Windows machines
429 |
430 | ##### Responses to NULL, FIN, or Xmas scan
431 |
432 | | Probe Response | Assigned State |
433 | | :------------------------------------------------------------ | :--------------- |
434 | | No response received \(even after retransmissions\) | open or filtered |
435 | | TCP RST packet | closed |
436 | | ICMP unreachable error \(type 3, code 1, 2, 3, 9, 10, or 13\) | filtered |
437 |
438 | #### TCP ACK scan
439 |
440 | - ACK scan: `nmap -sA`
441 | - Window scan: `nmap -sW`
442 | - Probe packets with ACK flag set and a random sequence number to a recipient host
443 | - Multiple methods
444 | - TTL version: If TTL of RST packet < 64, port is open
445 | - Window version: If the Window on RST packet is anything other than 0, port is open
446 | - Can be used to check filtering: If ACK is sent and no response, stateful firewall present
447 |
448 | #### IDLE Scan
449 |
450 | - `nmap -sI `
451 | - Using a third party \(zombie\) to check if a port is open, exploits a side-channel
452 | - Only working if third party isn't transmitting data, in IDLE state
453 | - IPID gives the information about port open/closed:
454 | - Port closed: IPID increase of 1
455 | - Port open: IPID increase of 2
456 | - IPID increase of anything greater indicates zombie was not idle
457 |
458 | ```text
459 | - Step 1: Sending request to Zombie, getting IPID
460 | SYN/ACK
461 | Attacker -------> Zombie
462 | <-------
463 | RST IPID=x
464 |
465 | - Step 2: Sending a spoofed packet to target, target is responding to Zombie
466 | SYN IP=Zombie
467 | Attacker -------> Target
468 | Zombie <------- Target
469 | SYN/ACK
470 | Zombie -------> Target
471 | RST IPID=x+1
472 |
473 | - Step 3: Sending request to Zombie again, getting IPID
474 | SYN/ACK
475 | Attacker -------> Zombie
476 | <-------
477 | RST IPID=x+2
478 | ```
479 |
480 | #### Nmap Switches
481 |
482 | | Switch | Description |
483 | | :-------------- | :-------------------------------------------------------------- |
484 | | -sA | ACK scan |
485 | | -sF | FIN scan |
486 | | -sI | IDLE scan |
487 | | -sL | DNS scan \(list scan\) |
488 | | -sN | NULL scan |
489 | | -sO | Protocol scan \(tests which IP protocols respond\) |
490 | | -sP/sn | Ping scan |
491 | | -sS | TCP SYN scan |
492 | | -sT | TCP connect scan, full scan |
493 | | -sW | Window scan |
494 | | -sX | XMAS scan |
495 | | -PE/PP/PM | ICMP ECHO, timestamp, and netmask request discovery probes |
496 | | -P0/PN/Pn | No ping |
497 | | -PS | TCP SYN/ACK to given ports |
498 | | -oN | Normal output |
499 | | -oX | XML output |
500 | | -A | OS detection, version detection, script scanning and traceroute |
501 | | -F | Fast mode - Scan fewer ports than the default scan |
502 | | -f | Fragment packets |
503 | | -S | Spoof source address |
504 | | -O | Enable OS detection |
505 | | -T0 through -T2 | Serial scans. T0 is slowest |
506 | | -T3 through -T5 | Parallel scans. T3 is slowest. T3 is default level |
507 |
508 | ### hping
509 |
510 | - `hping3 -1 `
511 | - Powerful ping sweep and port scanning tool
512 | - Can craft packets
513 |
514 | #### hping switch and description
515 |
516 | | Switch | Description |
517 | | :------ | :--------------------------------------------------------------------- |
518 | | -1 | Sets ICMP mode |
519 | | -2 | Sets UDP mode |
520 | | -8 | Sets scan mode. Expects port range without -p flag |
521 | | -9 | Listen mode. Expects signature \(e.g. HTTP\) and interface \(-I eth0\) |
522 | | --flood | Sends packets as fast as possible without showing incoming replies |
523 | | -Q | Collects sequence numbers generated by the host |
524 | | -p | Sets port number |
525 | | -F | Sets the FIN flag |
526 | | -S | Sets the SYN flag |
527 | | -R | Sets the RST flag |
528 | | -P | Sets the PSH flag |
529 | | -A | Sets the ACK flag |
530 | | -U | Sets the URG flag |
531 | | -X | Sets the XMAS scan flags |
532 |
--------------------------------------------------------------------------------
/04-sniffing_and_evasion.md:
--------------------------------------------------------------------------------
1 | # 04-Sniffing and Evasion
2 |
3 | ## Table of Contents
4 |
5 | - [Sniffing and Evasion](04-sniffing_and_evasion.md#sniffing-and-evasion)
6 | - [Sniffing](04-sniffing_and_evasion.md#sniffing)
7 | - [Basic Knowledge](04-sniffing_and_evasion.md#basic-knowledge)
8 | - [NIC \(Network Interface Card\)](04-sniffing_and_evasion.md#nic-network-interface-card)
9 | - [MAC \(Media Access Control\)](04-sniffing_and_evasion.md#mac-media-access-control)
10 | - [ARP \(Address Resolution Protocol\)](04-sniffing_and_evasion.md#arp-address-resolution-protocol)
11 | - [IPv6](04-sniffing_and_evasion.md#ipv6)
12 | - [Protocols Susceptible](04-sniffing_and_evasion.md#protocols-susceptible)
13 | - [SPAN port \(Switched Port Analyzer\)](04-sniffing_and_evasion.md#span-port-switched-port-analyzer)
14 | - [Wiretapping/Telephone tapping](04-sniffing_and_evasion.md#wiretappingtelephone-tapping)
15 | - [MAC Flooding](04-sniffing_and_evasion.md#mac-flooding)
16 | - [Switch port stealing](04-sniffing_and_evasion.md#switch-port-stealing)
17 | - [DHCP Starvation \(Dynamic Host Configuration Protocol\)](04-sniffing_and_evasion.md#dhcp-starvation-dynamic-host-configuration-protocol)
18 | - [ARP Poisoning](04-sniffing_and_evasion.md#arp-poisoning)
19 | - [STP \(Spanning Tree Protocol\) attack](04-sniffing_and_evasion.md#stp-spanning-tree-protocol-attack)
20 | - [Spoofing](04-sniffing_and_evasion.md#spoofing)
21 | - [IP Spoofing Detection Techniques](04-sniffing_and_evasion.md#ip-spoofing-detection-techniques)
22 | - [Wireshark](04-sniffing_and_evasion.md#wireshark)
23 | - [tcpdump](04-sniffing_and_evasion.md#tcpdump)
24 | - [Other Sniffing Tools](04-sniffing_and_evasion.md#other-sniffing-tools)
25 | - [Evasion](04-sniffing_and_evasion.md#evasion)
26 | - [IDS \(Intrusion Detection System\)](04-sniffing_and_evasion.md#ids-intrusion-detection-system)
27 | - [Types of IDS](04-sniffing_and_evasion.md#types-of-ids)
28 | - [Types of Alerts](04-sniffing_and_evasion.md#types-of-alerts)
29 | - [IPS \(Intrusion Prevention System\)](04-sniffing_and_evasion.md#ips-intrusion-prevention-system)
30 | - [Types of IPS](04-sniffing_and_evasion.md#types-of-ips)
31 | - [Firewall](04-sniffing_and_evasion.md#firewall)
32 | - [Firewall Technologies](04-sniffing_and_evasion.md#firewall-technologies)
33 | - [Types of Firewall](04-sniffing_and_evasion.md#types-of-firewall)
34 | - [Honeypot](04-sniffing_and_evasion.md#honeypot)
35 | - [Evasion Techniques](04-sniffing_and_evasion.md#evasion-techniques)
36 | - [Firewall Evasion](04-sniffing_and_evasion.md#firewall-evasion)
37 |
38 | ## Sniffing and Evasion
39 |
40 | ### Sniffing
41 |
42 | - Capturing packets as they pass on the wire to review for interesting information
43 | - Sniffers operate at OSI Layer 2, upper layers won't be aware of sniffing because OSI layers are designed independently of each other,
44 | - **Passive sniffing**: watching network traffic without interaction; only works for same collision domain, like sniffing through a hub
45 | - **Active sniffing**: using methods to make a switch send traffic to you even though it isn't destined for your machine, like sniffing through a switch-based network
46 |
47 | #### Basic Knowledge
48 |
49 | ##### NIC \(Network Interface Card\)
50 |
51 | - Many wireless NICs have bad support for monitor mode in Windows. Catching general traffic is ok but not controlling packets
52 | - **Promiscuous mode**: NIC must be in this setting to look at all frames passing on the wire
53 | - **Collision Domains**
54 | - Traffic from your NIC, regardless of mode, can only be seen within the same collision domain
55 | - Switch has a collision domain for each port
56 | - Hub has one collision domain by default
57 |
58 | ##### MAC \(Media Access Control\)
59 |
60 | - Physical or burned-in address
61 | - Assigned to NIC for communications at the Data Link layer
62 | - 48 bits long, displayed as 12 hex characters separated by colons
63 | - First half of address is the **organizationally unique identifier**, identifying manufacturer
64 | - Second half ensures no two cards on a subnet will have the same address
65 |
66 | ##### ARP \(Address Resolution Protocol\)
67 |
68 | - Resolves IP address to a MAC address
69 | - Sending a request packet to all the network elements, asking for the MAC address from a specific IP
70 | - Working on a broadcast basis, both requests and replies are broadcast to everyone
71 | - Broadcast destination MAC address: `FF:FF:FF:FF:FF:FF`
72 | - Packets are `ARP_REQUEST` and `ARP_REPLY`
73 | - Stateless, each computer maintains its own ARP cache, which can be poisoned
74 | - ARP command
75 | - Display current ARP cache: `arp -a`
76 | - Clear ARP cache: `arp -d *`
77 |
78 | ##### IPv6
79 |
80 | - 128-bit address \(0000:0000:0000:0000:0000:0000:0000:0000 4x8+7=39 digits\), 8 groups of 4 hexadecimal digits
81 | - Sections with all 0s are shorted to nothing, just having start and end colons
82 | - Double colon can be used only once
83 | - Loopback address is `::1`
84 |
85 | | IPv6 Address Type | Description |
86 | | :---------------- | :---------------------------------------------------- |
87 | | Unicast | Addressed and intended for one host interface |
88 | | Multicast | Addressed for multiple host interfaces |
89 | | Anycast | Large number of hosts can receive; nearest host opens |
90 |
91 | | IPv6 Scopes | Description |
92 | | :---------- | :------------------------------------------------------------------------ |
93 | | Link local | Applies only to hosts on the same subnet \(Address block fe80::/10\) |
94 | | Site local | Applies to hosts within the same organization \(Address block fec0::/10\) |
95 | | Global | Includes everything |
96 |
97 | - Scope applies for multicast and anycast
98 | - Traditional network scanning is **computationally less feasible**
99 |
100 | ##### Protocols Susceptible
101 |
102 | - SMTP is sent in plain text and is viewable over the wire, until SMTPv3 which limits the information you can get, but you can still see it
103 | - SNMP community string, like user id or password
104 | - FTP, TFTP, IMAP, POP3, NNTP \(Network News Transfer Protocol\) and HTTP all send over clear text data
105 | - TCP shows sequence numbers, usable in session hijacking
106 | - TCP and UDP show open ports
107 | - IP shows source and destination addresses
108 | - Telnet and Rlogin show keystrokes including user names and passwords sent in cleartext
109 |
110 | #### SPAN port \(Switched Port Analyzer\)
111 |
112 | - Also known as **Port Mirroring**
113 | - A Cisco switch feature, switch configuration that makes the switch send a copy of all frames from other ports to a specific port
114 | - Not all switches have the ability to do this
115 | - Only listen
116 | - Modern switches sometimes don't allow SPAN ports to send data
117 |
118 | #### Wiretapping/Telephone tapping
119 |
120 | - **Active**: alerting or affecting the communication
121 | - **Passive**: only monitoring or recording the traffic
122 | - **Lawful interception**: legally intercepting communications between two parties for surveillance
123 |
124 | #### MAC Flooding
125 |
126 | - Switches either flood or forward data
127 | - If a switch doesn't know what MAC address is on a port, it will flood the data until it finds out
128 | - MAC Flooding by sending so many MAC addresses to the CAM table that it can't keep up
129 | - MAC Flooding will often destroy the switch before you get anything useful, doesn't last long to get noticed
130 | - Most modern switches protect against this
131 | - **CAM Table**
132 | - The table on a switch that stores which MAC address is on which port
133 | - If table is empty or full, everything is sent to all ports
134 | - Tool: Macof
135 |
136 | #### Switch port stealing
137 |
138 | - Using MAC flooding to sniff packets
139 | - Flooding switch with forged gratuitous ARP packets with target MAC as source, and attacker's MAC as destination
140 | - A race condition of attacker's flooded packets and target host packets will occur, switch has to change MAC address binding constantly
141 |
142 | #### DHCP Starvation \(Dynamic Host Configuration Protocol\)
143 |
144 | - Attempting to exhaust all available addresses from the server, denial-of-service attack
145 | - Attacker sends so many requests that the address space allocated is exhausted
146 | - DHCPv4 packets: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK
147 | - DHCPv6 packets: Solicit, Advertise, Request \(Confirm, Renew, Rebind\), Reply
148 | - **DHCP Steps**
149 | 1. Client sends DHCPDISCOVER
150 | 2. Server responds with DHCPOFFER
151 | 3. Client sends request for IP with DHCPREQUEST
152 | 4. Server sends address and config via DHCPACK
153 | - Tool: Yersinia
154 | - **Rogue DHCP Server Attack**: setup to offer addresses instead of real server. Can be combined with starvation to real server
155 | - Countermeasures
156 | - To counter DHCP starvation, ussing port security to limit max. number of MAC addresses on switch
157 | - To counter rogue DHCP server attack, configuring DHCP snooping: `ip dhcp snooping`
158 |
159 | #### ARP Poisoning
160 |
161 | - Also called **ARP spoofing** or **gratuitous ARP responses**
162 | - Using special packet to update ARP cache even without a request, used to poison cache on other machines
163 | - Changing the cache of machines so that packets are sent to the attacker instead of the intended target
164 | - Can trigger alerts because of the constant need to keep updating the ARP cache of machines
165 | - **Countermeasures**
166 | - Permanently adding Default gateway MAC into each machine's cache
167 | - Using Dynamic ARP Inspection \(DAI\), DHCP snooping database to prevent MITM
168 | - Using XArp to detect ARP attacks
169 | - Tools
170 | - Cain and Abel
171 | - Ufasoft Snif
172 | - dsniff
173 |
174 | #### STP \(Spanning Tree Protocol\) attack
175 |
176 | - Attacker has access to switch ports that are able to become trunk ports, then introduce a rogue switch spanning tree priority into the network
177 | - Countermeasure: loop protection
178 |
179 | #### Spoofing
180 |
181 | - **MAC Spoofing**
182 | - An address-based authentication attack, changes your MAC address. Benefit is CAM table uses most recent address
183 | - Making switch send all packets to your address instead of the intended one until the CAM table is updated with the real address again
184 | - Port security allows traffic from a specific MAC address to enter to a port
185 | - Port security can slow this down, but doesn't always stop it
186 | - A security feature on switches that allows an administrator to manually assign MAC addresses to a specific port
187 | - Spoofing Tool: Technitium MAC Address Changer
188 | - **Countermeasures**
189 | - DHCP Snooping Binding Table: filters untrusted DHCP messages
190 | - Dynamic ARP Inspection
191 | - IP Source Guard: security feature in switch that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on DHCP snooping binding database
192 | - Encryption: encrypting communication between AP and computer
193 | - Retrieval of MAC Address: retrieving MAC address from NIC directly instead of from OS
194 | - Implementation of IEEE 802.1X suites: Port-based Network Access Control \(PNAC\), enforces access control when user joins the network
195 | - AAA \(Authentication, Authorization, Accounting\): using AAA server mechanism in order to filter MAC addresses subsequently
196 | - **IRDP \(Internet Router Discovery Protocol\) Spoofing**
197 | - Attacker sends ICMP Router Discovery Protocol messages advertising a malicious gateway
198 | - Passive sniffing, MITM, DoS
199 | - **Countermeasure**: disables IRDP on hosts
200 | - **DNS Poisoning/Spoofing**
201 | - Changing where machines get their DNS information from, allowing attacker to redirect to malicious websites
202 | - **DNS Cache Poisoning**: allowing attacker to replace IP address entries for a target site on a given DNS server with IP address of the server he/she controls
203 | - **DNSSEC**: helping prevent DNS poisoning by encrypting records
204 |
205 | #### IP Spoofing Detection Techniques
206 |
207 | - **Direct TTL Probes**
208 | - Sending packet to host of suspect spoofed packet that triggers reply and compare TTL with suspect packet
209 | - TTL in the reply is not as the same as the packet being checked, it's a spoofed packet
210 | - This technique is successful when the attacker is in a different subnet from that of the victim
211 | - **IP Identification Number**
212 | - Sending probe to host of suspect spoofed traffic that triggers reply and compare the IP ID with suspect traffic
213 | - IP IDs are not close in value to the packet being checked, suspect traffic is spoofed
214 | - This technique is deemed successful even if the attacker is in the same subnet
215 | - **TCP Flow Control Method**
216 | - Attackers sends spoofed TCP packets, will not receive the target's SYN-ACK packets
217 | - Attackers cannot therefore be responsive to change in the congestion window size
218 | - When received traffic continues after a window size is exhausted, most probably the packets are spoofed
219 |
220 | #### Wireshark
221 |
222 | - Previously known as Ethereal
223 | - Can be used to follow streams of data
224 | - Can also filter the packets by specific packet type or specific source address, for example:
225 | - Filter out the noise from ARP, DNS and ICMP requests: `! (arp or icmp or dns)`
226 | - Display HTTP GET requests: `http.request`
227 | - Display TCP segments that contain the word _string_: `tcp contains string`
228 | - Display telnet packets containing that IP: `ip.addr==172.17.15.12 && tcp.port==23`
229 | - Display TCP requests with ACK flag set: `tcp.flags==0x16`
230 | - Display all TCP connections with SYN packets: `tcp.flags.syn==1`
231 |
232 | #### tcpdump
233 |
234 | - Recent version is WinDump \(for Windows\)
235 | - `tcpdump [flag] [interface]`
236 | - Put the interface in listening mode: `tcpdump -i eth1 `
237 | - `-n` flag to not perform DNS resolution on IP addresses
238 | - `tcptrace` can be used to analyze tcpdump file
239 |
240 | #### Other Sniffing Tools
241 |
242 | - Ettercap: also can be used for MITM attacks, ARP poisoning. Has active and passive sniffing
243 | - Snort: usually discussed as an Intrusion Detection application
244 | - SteelCentral Packet Analyzer
245 | - Capsa Network Analyzer
246 | - OmniPeek
247 | - Observer Analyzer
248 | - Wi.cap. Network Sniffer Pro: mobile network packet sniffer for ROOT ARM droids
249 | - Packet Capture: network traffic sniffer app with SSL decryption
250 |
251 | ### Evasion
252 |
253 | #### IDS \(Intrusion Detection System\)
254 |
255 | - Hardware or software devices that examine streams of packets for malicious behavior
256 |
257 | ##### Types of IDS
258 |
259 | - **Signature based**: comparing packets against a list of known traffic patterns
260 | - **Anomaly based**: making decisions on alerts based on learned behavior and "normal" patterns
261 | - **HIDS** \(Host-based intrusion detection system\): examining specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs
262 | - **NIDS** \(Network-based intrusion detection system\): scanning network traffic, do not use host system resources
263 | - **NBA** \(Network behavior analysis\): examining network traffic to identify threats that generate unusual traffic flows
264 | - **Snort**: a widely deployed IDS that is open source
265 |
266 | - Runs in three different modes
267 | - **Sniffer Mode**: watching packets in real time
268 | - **Packet Logger Mode**: saving packets to disk for review at a later time
269 | - **NIDS Mode**: analyzing network traffic against various rule sets
270 | - Syntax
271 |
272 | - Alert about traffic coming not from an external network to the internal one on port 31337:
273 |
274 | ```text
275 | alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : "BACKDOOR ATTEMPT-Backorifice")
276 | ```
277 |
278 | - Example output:
279 |
280 | ```text
281 | 10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
282 | **xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF**
283 | ```
284 |
285 | ##### Types of Alerts
286 |
287 | - **True Positive** \(Attack - Alert\): activity was an attack, IDS identifies as an attack
288 | - **False Positive** \(No Attack - Alert\): activity was acceptable, but IDS identifies as an attack
289 | - **False Negative** \(Attack - No Alert\): activity was an attack, but IDS identifies as an acceptable behavior
290 | - **True Negative** \(No Attack - No Alert\): activity was acceptable, IDS identifies as an acceptable behavior
291 |
292 | #### IPS \(Intrusion Prevention System\)
293 |
294 | - Identifying malicious activity, logs information about this activity, reports it and attempts to block or stops it
295 |
296 | ##### Types of IPS
297 |
298 | - **NIPS** \(Network-based intrusion prevention system\): monitoring the entire network for suspicious traffic by analyzing protocol activity
299 | - **HIPS** \(Host-based intrusion prevention system\): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host
300 | - **WIPS** \(Wireless intrusion prevention system\): monitoring a wireless network for suspicious traffic by analyzing wireless networking protocols
301 |
302 | #### Firewall
303 |
304 | - An appliance within a network protects internal resources from unauthorized access
305 | - Only uses rules that **implicitly denies** traffic unless it is allowed
306 | - Often uses **network address translation** \(NAT\) which can apply a one-to-one or one-to-many relationship between external and internal IP addresses
307 | - **Bastion Host**: hosts on the screened subnet designed to protect internal resources, using the concept "separation of duties"
308 | - **Screened Subnet**: DMZ, hosts all public-facing servers and services
309 | - **Private zone**: hosts internal hosts that only respond to requests from within that zone
310 | - **Multi-homed**: firewall that has 2 or more interfaces
311 |
312 | ```text
313 | - Single Homed Network:
314 |
315 | Enterprice ---------- ISP
316 |
317 | - Dual Homed Network:
318 |
319 | Enterprice ========== ISP
320 |
321 | - Single Multi-homed Network
322 |
323 | ---------- ISP1
324 | Enterprice
325 | ---------- ISP2
326 |
327 | - Dual Multi-homed Network
328 |
329 | ========== ISP1
330 | Enterprice
331 | ========== ISP2
332 | ```
333 |
334 | ##### Firewall Technologies
335 |
336 | | OSI | Firewall Technology |
337 | | :-- | :--------------------------------------------------------- |
338 | | 7 | VPN, Application Proxies |
339 | | 6 | VPN |
340 | | 5 | VPN, Circuit-level Gateway |
341 | | 4 | VPN, Packet Filtering |
342 | | 3 | VPN, NAT, Packet Filtering, Stateful Multilayer Inspection |
343 | | 2 | VPN, Packet Filtering |
344 | | 1 | Not Applicable |
345 |
346 | ##### Types of Firewall
347 |
348 | - **Packet-filtering**: only looking at packet headers \(IP address, packet type and port number\), layer 3 Network
349 | - **Circuit-level gateway**: checking TCP handshake, does not filer individual packets, firewall that works on layer 5 Session
350 | - **Application-level gateway**: working like a proxy, allowing specific services in and out, WAF, layer 7 Application
351 | - **Stateful inspection**: combining above 3 types of firewalls, dynamic packet filtering, firewalls that track the entire status of a connection
352 |
353 | #### Honeypot
354 |
355 | - A system setup as a decoy to entice attackers, to research attack methodologies
356 | - Should not include too many open services or look too easy to attack
357 | - **High interaction**: actually running all services and applications and is designed to be completely compromised
358 | - **Medium interaction**: simulating a real OS, applications and its services
359 | - **Low interaction**: simulating a number of services and cannot be completely compromised
360 | - Examples
361 | - Specter
362 | - Honeyd
363 | - KFSensor
364 |
365 | #### Evasion Techniques
366 |
367 | - **Fragmentation**: splitting up packets so that the IDS can't detect the real intent, `nmap -f`
368 | - **Time-To-Live Attack** \(TTL\)
369 |
370 | - Each router along a data path decrements TTL by 1
371 | - TTL reaches 0, package is dropped
372 | - Attacker has a prior knowledge of topology of target network, in order to calculate TTL
373 | - Breaking traffic to fragments, eg: Frag 1, Frag 2, Frag 3
374 | - Sending fragments as below as an exmaple:
375 |
376 | ```text
377 | Attacker NIDS Router Victim
378 | Frag 1 -> Frag 1 -> Frag 1
379 | Frag 2, TTL=1 -> Frag 1, 2 Dropped Frag 1, Waiting 2
380 | Frag 3 -> Frag 1, 2, 3 -> Frag 1, 3 Waiting 2
381 | False Reassembly
382 | Real Frag 2 -> Frag 2 -> Frag 1, 2, 3, Correct Reassembly
383 | ```
384 |
385 | - **Slow down**: faster scanning such as using nmap's -T5 switch will get you caught. Pros use -T1 switch to get better results
386 | - **Unicode encoding**: working with web requests - using Unicode characters instead of ascii can sometimes get past
387 | - **Network flooding**: triggering alerts that aren't your intended attack so that confuses firewalls/IDS and network admins
388 | - **Insertion Attack**: confusing IDS by forcing it to read invalid packets
389 | - **Spoofing**: can only be used when you don't expect a response back to your machine
390 | - **Source routing**: specifying the path a packet should take on the network; most systems don't allow this anymore
391 | - **IP Address Decoy**: sending packets from your IP as well as multiple other decoys to confuse the IDS/Firewall as to where the attack is really coming from
392 | - `nmap -D RND:10 x.x.x.x`
393 | - `nmap -D decoyIP1,decoyIP2....,sourceIP,.... [target]`
394 | - **Proxy**
395 | - Hiding true identity by filtering through another computer
396 | - Also can be used for other purposes such as content blocking evasion, etc
397 | - **Proxy chains**: chains multiple proxies together
398 | - Proxy Switcher
399 | - Proxy Workbench
400 | - ProxyChains
401 | - **Tor**
402 | - A specific type of proxy that uses multiple hops to a destination
403 | - Endpoints are peer computers
404 | - **Anonymizers**: hiding identity on HTTP traffic \(port 80\)
405 | - Tools
406 | - Nessus: also a vulnerability scanner
407 | - ADMutate: creating scripts not recognizable by signature files
408 | - Whisker: session Splicing
409 |
410 | ##### Firewall Evasion
411 |
412 | - **Firewalking**: going through every port on a firewall to determine what is open
413 | - Firewall type can be discerned by banner grabbing
414 | - The best way around a firewall will always be a compromised internal machine
415 | - **HTTP tunneling**: crafting port 80 segments to carry a payload for protocols the firewall may have, then on other end \(internal machine\) to pull the payload out of all those 80 packets
416 |
--------------------------------------------------------------------------------
/05-system_hacking.md:
--------------------------------------------------------------------------------
1 | # 05-System Hacking
2 |
3 | ## Table of Contents
4 |
5 | - [System Hacking](05-system_hacking.md#system-hacking)
6 | - [Windows Security Architecture](05-system_hacking.md#windows-security-architecture)
7 | - [LM Hashing](05-system_hacking.md#lm-hashing)
8 | - [Ntds.dit](05-system_hacking.md#ntdsdit)
9 | - [Kerberos](05-system_hacking.md#kerberos)
10 | - [Registry](05-system_hacking.md#registry)
11 | - [Root Level Keys](05-system_hacking.md#root-level-keys)
12 | - [Types of Registry Values](05-system_hacking.md#types-of-registry-values)
13 | - [Important Locations](05-system_hacking.md#important-locations)
14 | - [Executables](05-system_hacking.md#executables)
15 | - [MMC \(Microsoft Management Console\)](05-system_hacking.md#mmc-microsoft-management-console)
16 | - [Null session](05-system_hacking.md#null-session)
17 | - [Linux Security Architecture](05-system_hacking.md#linux-security-architecture)
18 | - [Important Directories](05-system_hacking.md#important-directories)
19 | - [Important Linux Commands](05-system_hacking.md#important-linux-commands)
20 | - [System Hacking Goals](05-system_hacking.md#system-hacking-goals)
21 | - [Authentication and Password](05-system_hacking.md#authentication-and-password)
22 | - [Three Types of Authentication](05-system_hacking.md#three-types-of-authentication)
23 | - [Types of Password Attacks](05-system_hacking.md#types-of-password-attacks)
24 | - [Non-electronic](05-system_hacking.md#non-electronic)
25 | - [Active online](05-system_hacking.md#active-online)
26 | - [Passive online](05-system_hacking.md#passive-online)
27 | - [Offline](05-system_hacking.md#offline)
28 | - [Privilege Escalation](05-system_hacking.md#privilege-escalation)
29 | - [Types of Privilege Escalation](05-system_hacking.md#types-of-privilege-escalation)
30 | - [Four Methods](05-system_hacking.md#four-methods)
31 | - [Executing Applications](05-system_hacking.md#executing-applications)
32 | - [Hiding Files](05-system_hacking.md#hiding-files)
33 | - [ADS \(Alternate Data Stream\)](05-system_hacking.md#ads-alternate-data-stream)
34 | - [Attribute](05-system_hacking.md#attribute)
35 | - [Steganography](05-system_hacking.md#steganography)
36 | - [Rootkit](05-system_hacking.md#rootkit)
37 | - [Types of Rootkits](05-system_hacking.md#types-of-rootkits)
38 | - [Covering Tracks](05-system_hacking.md#covering-tracks)
39 |
40 | ## System Hacking
41 |
42 | ### Windows Security Architecture
43 |
44 | - Authentication credentials stored in SAM file
45 | - Older systems use LM hashing. Current uses NTLM v2 \(MD5\)
46 | - Windows network authentication uses Kerberos
47 | - **Security Context**: user identity and authentication information
48 | - **Security Identifier** \(SID\) - identifies a user, group or computer account
49 | - **Resource Identifier** \(RID\) - portion of the SID identifies a specific user, group or computer
50 | - The end of the SID indicates the user number
51 | - Example SID: S-1-5-21-3874928736-367528774-1298337465-**500**
52 | - **Administrator Account**: SID of 500
53 | - **Regular Accounts**: start with a SID of 1000
54 | - **SAM Database** \(Security Account Manager\)
55 | - File stores encrypted local passwords
56 | - Location: C:\Windows\System32\Config
57 |
58 | #### LM Hashing
59 |
60 | - Password is restricted to a maximum of 14 characters, converted to uppercase
61 | - The “fixed-length” password is split into two 7-byte halves
62 | - These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a null bit after every seven bits \(so 1010100 becomes 10101000\). This generates the 64 bits needed for a DES key
63 | - Each of the two keys is used to DES-encrypt the constant ASCII string `KGS!@#$%`, resulting in two 8-byte ciphertext values
64 | - Blank section hash: `AAD3B435B51404EE`
65 | - SAM file presents as `UserName:SID:LM_Hash:NTLM_Hash:::`
66 |
67 | #### Ntds.dit
68 |
69 | - Database file on a domain controller that stores passwords
70 | - Including the entire Active Directory
71 | - Location: `%SystemRoot%\NTDS\Ntds.dit` or `%SystemRoot%System32\Ntds.dit`
72 |
73 | #### Kerberos
74 |
75 | - Using both symmetric and asymmetric encryption
76 | - Steps of exchange:
77 | 1. Client asks **Key Distribution Center** \(KDC\) for a ticket. Sent in cleartext of user ID to **Authentication Server** \(AS\) \(Neither the secret key nor the password is sent to the AS\)
78 | 2. Server responds with **Ticket Granting Ticket** \(TGT\). This is a secret key which is hashed by the password copy stored on the server
79 | 3. If client can decrypt it, the TGT is sent back to the server requesting a **Ticket Granting Service** \(TGS\) service ticket
80 | 4. Server sends TGS service ticket which client uses to access resources
81 | - Tools: both take a long time to crack
82 | - KerbSniff
83 | - KerbCrack
84 |
85 | #### Registry
86 |
87 | - Collection of all settings and configurations make the system run
88 | - Made up of keys and values
89 |
90 | ##### Root Level Keys
91 |
92 | - **HKEY_LOCAL_MACHINE** \(HKLM\): information on hardware and software
93 | - **HKEY_CLASSES_ROOT** \(HKCR\): information on file associates and OLE classes
94 | - **HKEY_CURRENT_USER** \(HKCU\): profile information for the current user including preferences
95 | - **HKEY_USERS** \(HKU\): specific user configuration information for all currently active users
96 | - **HKEY_CURRENT_CONFIG** \(HKCC\): pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
97 |
98 | ##### Types of Registry Values
99 |
100 | - **REG_SZ**: character string
101 | - **REG_EXPAND_SZ**: expandable string value
102 | - **REG_BINARY**: a binary value
103 | - **REG_DWORD**: 32-bit unsigned integer
104 | - **REG_LINK**: symbolic link to another key
105 |
106 | ##### Important Locations
107 |
108 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
109 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
110 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
111 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run \(run app as soon as user logs in\)
112 |
113 | ##### Executables
114 |
115 | - regedit.exe
116 | - regedt32.exe \(preferred by Microsoft\)
117 |
118 | #### MMC \(Microsoft Management Console\)
119 |
120 | - Used by Windows to administer system
121 | - "snap-ins" that allow you to modify sets, such as Group Policy Editor
122 |
123 | #### Null session
124 |
125 | - Anonymous connection to an inter-process communication \(IPC\) network service
126 | - NetBIOS is vulnerable to it
127 | - **Countermeasure**: create restrict anonymous registry key
128 |
129 | ### Linux Security Architecture
130 |
131 | - Linux Systems use User IDs \(UID\) and Group IDs \(GID\), found in `/etc/passwd`
132 | - Root has UID and GID of 0
133 | - First user has UID and GID of 500
134 | - Password are stored in `/etc/shadow` for most current systems
135 | - `/etc/password` stores passwords in hashes
136 | - `/etc/shadow` stores passwords encrypted \(hashed and salted\) and is only accessible by root
137 |
138 | #### Important Directories
139 |
140 | | Directory | Description |
141 | | :-------- | :------------------------------------------------------------------------------ |
142 | | / | Root directory |
143 | | /home | Holds the user home directories |
144 | | /etc | All administration files and passwords. Both password and shadow files are here |
145 | | /usr | Holds almost all the information, commands and files unique to the users |
146 | | /mnt | Holds the access locations you've mounted |
147 | | /bin | Basic Linux commands |
148 | | /sbin | Yystem binaries folder which holds more administrative commands |
149 | | /dev | Contains pointer locations to various storage and input/output systems |
150 |
151 | #### Important Linux Commands
152 |
153 | | Command | Description |
154 | | :------- | :-------------------------------------------------------------------------------------- |
155 | | adduser | Add a user to the system |
156 | | cat | Display contents of file |
157 | | cp | Copy |
158 | | ifconfig | Display network configuration information |
159 | | kill | Kill a running process |
160 | | ls | Display the contents of a folder. -l option provides most information. |
161 | | man | Display the manual page for a command |
162 | | passwd | Used to change password |
163 | | ps | Process status. -ef option shows all processes |
164 | | rm | Remove files. -r option recursively removes all subdirectories |
165 | | su | Allow you to perform functions as another user \(super user\) |
166 | | pwd | Display current directory |
167 | | chmod | Change permissions of a folder or file |
168 | | | `Read` 4 \(100\), `Write` 2 \(010\), `Execute` 1 \(001\) |
169 | | | `777`: Three 7s in order stand for `user`, `group`, and `others`, result is `rwxrwxrwx` |
170 |
171 | - Adding an ampersand `&` after a process name indicates it should run in the background
172 | - Linux Enumeration Commands
173 | - **finger**: info on user and host machine
174 | - **rpcinfo and rpcclient**: info on RPC in the environment
175 | - **showmount**: displays all shared directories on the machine
176 |
177 | ### System Hacking Goals
178 |
179 | - **Gaining Access**: using information gathered to exploit the system
180 | - **Escalating Privileges**: granting hacked account as admin or pivots to an admin account
181 | - **Executing Applications**: putting back doors into the system to maintain access
182 | - **Hiding Files**: making sure the files left behind are not discoverable
183 | - **Covering Tracks**: cleaning up everything else \(log files, etc.\)
184 |
185 | ### Authentication and Password
186 |
187 | - **Strength of passwords**
188 | - Determined by length and complexity
189 | - Complexity is defined by number of character sets used \(lower case, upper case, numbers, symbols, etc.\)
190 | - **Default passwords**
191 | - Always should be changed and never leave what they came with
192 | - Databases such as cirt.net, default-password.info and open-sez.me all have databases of these
193 |
194 | #### Three Types of Authentication
195 |
196 | - **Something You Are**
197 | - **Active**: interaction required \(retina scan or fingerprint scanner\)
198 | - **Passive**: no interaction required \(iris scan\)
199 | - uses biometrics to validate identity \(retina, fingerprint, etc.\), downside: a lot of false negatives
200 | - **False acceptance rate** \(FAR\) - rate that a system accepts access for people that shouldn't have it
201 | - **False rejection rate** \(FRR\) - rate that a system rejects access for someone who should have it
202 | - **Crossover error rate** \(CER\) - combination of the two; the lower the CER, the better the system
203 | - **Something You Have**
204 | - Usually consists of a token of some kind \(swipe badge, ATM card, etc.\)
205 | - This type usually requires something alongside it \(such as a PIN for an ATM card\)
206 | - Some tokens are single-factor \(such as a plug-and-play authentication\)
207 | - **Something You Know**: better known as a password
208 | - **2FA** \(Two-Factor Authentication\): when you have two types of authentication such as something you know \(password\) and something you have \(access card\)
209 |
210 | #### Types of Password Attacks
211 |
212 | ##### Non-electronic
213 |
214 | - Social engineering attacks, most effective
215 |
216 | ##### Active online
217 |
218 | - Done by directly communicating with the victim's machine
219 | - Active online attacks are easier to detect and take a longer time
220 | - Including dictionary and brute-force attacks, hash injections, phishing, Trojans, spyware, keyloggers and password guessing
221 | - **Keylogging**: process of using a hardware device or software application to capture keystrokes of a user
222 | - **LLMNR/NBT-NS**
223 | - Attack based off Windows technologies that caches DNS locally
224 | - Responding to these poisoned local cache, sends over an NTLM v2 hash, it can be sniffed out and then cracked
225 | - Tools
226 | - NBNSpoof
227 | - Metasploit
228 | - Responder
229 | - Can combine `net` commands with a tool such as **NetBIOS Auditing tool** or **Legion** to automate the testing of user IDs and passwords
230 | - Tools
231 | - Hydra
232 | - Metasploit
233 |
234 | ##### Passive online
235 |
236 | - Sniffing the wire in hopes of intercepting a password in clear text or attempting a replay attack or man-in-the-middle attack
237 | - Tools
238 | - Cain and Abel: can poison ARP and then monitor the victim's traffic
239 | - Ettercap: works very similar to Cain and Abel. However, can also help against SSL encryption
240 |
241 | ##### Offline
242 |
243 | - When the hacker steals a copy of the password file and does the cracking on a separate system
244 | - **Dictionary Attack**: using a word list to attack the password, the fastest method of attacking
245 | - **Brute force Attack**
246 | - Tries every combination of characters to crack a password
247 | - Can be faster if you know parameters \(such as at least 7 characters, should have a special character, etc.\)
248 | - **Rule-based Attack**: attacker obtains some information about the password
249 | - **Hybrid Attack**: taking a dictionary attack and replaces characters \(such as a 0 for an o\) or adds numbers to the end
250 | - **Syllable Attack**: when passwords are not known words, attackers use the dictionary and other methods to crash them, as well as all possible dominations of them
251 | - **Rainbow tables**: using pre-hashed passwords to compare against a password hash. Is faster because the hashes are already computed
252 | - **Distributed Network Attack** \(DNA\): recovering password protected files that uses unused processing power of machines across the network to decrypt passwords
253 | - Tools
254 | - Cain
255 | - John the Ripper
256 |
257 | ### Privilege Escalation
258 |
259 | #### Types of Privilege Escalation
260 |
261 | - **Vertical**: lower-level user executes code at a higher privilege level
262 | - **Horizontal**: executing code at the same user level but from a location that would be protected from that access
263 |
264 | #### Four Methods
265 |
266 | 1. Crack the password of an admin, primary aim
267 | 2. Take advantage of an OS vulnerability
268 | - **DLL Hijacking**: replacing a DLL in the application directory with your own version which gives you the access you need
269 | 3. Use a tool that will provide you the access such as Metasploit
270 | 4. Social engineering a user to run an application
271 |
272 | ### Executing Applications
273 |
274 | - Executing things such as keyloggers, spyware, back doors and crackers
275 | - ECC refers executing applications as owning a system
276 |
277 | ### Hiding Files
278 |
279 | #### ADS \(Alternate Data Stream\)
280 |
281 | - Works only on Windows
282 | - Hides a file from directory listing on an NTFS file system
283 | - Can be run by `start readme.txt:badfile.exe`
284 | - Can also create a link to this and make it look real: `mklink innocent.exe readme.txt:badfile.exe`
285 | - **Countermeasures**
286 | - Show ADS: `dir /r`
287 | - Blow away all ADS by copying files to a FAT partition
288 | - Every forensic kit looks for this
289 |
290 | #### Attribute
291 |
292 | - In Windows: `attrib +h filename`
293 | - In Linux: simply add a dot `.` to the beginning of the filename
294 |
295 | #### Steganography
296 |
297 | - Steganography can hide data and files, more details in `./11-Cryptography.md`
298 |
299 | #### Rootkit
300 |
301 | - Software puts in place by attacker to obscure system compromise
302 | - Hiding processes and files
303 | - Also allowing for future access
304 | - Examples:
305 | - Horsepill: Linus kernel rootkit inside initrd
306 | - Grayfish: Windows rootkit that injects in boot record
307 | - Azazel
308 | - Avatar
309 | - Necurs
310 | - ZeroAccess
311 | - One way to detect rootkits is to map all the files on a system and then boot a system from a clean CD version and compare the two file systems
312 |
313 | ##### Types of Rootkits
314 |
315 | - **Hypervisor level**: rootkits that modify the boot sequence of a host system to load a VM as the host OS
316 | - **Hardware level**: hiding malware in devices or firmware
317 | - **Boot loader level**: replacing boot loader with one controlled by hacker
318 | - **Application level**: directed to replace valid application files with Trojans
319 | - **Kernel level**: attacking boot sectors \(MBR: Master Boot Record\) and kernel level replacing kernel code with back-door code; most dangerous
320 | - **Library level**: using system-level calls to hide themselves
321 |
322 | ### Covering Tracks
323 |
324 | - Don't just delete, key sign that an attack has happened. Option is to corrupt a log file, because this can happen all the time.
325 | - Best option is to be selective and delete the entries pertaining to your actions
326 | - Also disabling auditing ahead of time to prevent logs from being captured
327 | - In Windows: need to clear application, system and security logs; Tool Elsave can clear Windows logs
328 | - In Windows: clear MRU \(Most Recent Used\) list
329 | - **clearev**: meterpreter shell command to clear log files
330 | - **Time stomping**: manipulating time stamps on files, used to set file times which to throw off investigations or identify intrusions
331 |
--------------------------------------------------------------------------------
/06-web_server_and_web_application_hacking.md:
--------------------------------------------------------------------------------
1 | # 06-Web Server and Web Application Hacking
2 |
3 | ## Table of Contents
4 |
5 | - [Web Server and Web Application Hacking](06-web_server_and_web_application_hacking.md#web-server-and-web-application-hacking)
6 | - [Web Organizations](06-web_server_and_web_application_hacking.md#web-organizations)
7 | - [OWASP Web Top 10 Application Security Risks 2017](06-web_server_and_web_application_hacking.md#owasp-web-top-10-application-security-risks-2017)
8 | - [Web Server Architecture](06-web_server_and_web_application_hacking.md#web-server-architecture)
9 | - [Technology Stacks](06-web_server_and_web_application_hacking.md#technology-stacks)
10 | - [Web Server Attack Methodology](06-web_server_and_web_application_hacking.md#web-server-attack-methodology)
11 | - [Web Server and Application Attacks](06-web_server_and_web_application_hacking.md#web-server-and-application-attacks)
12 | - [Injections](06-web_server_and_web_application_hacking.md#injections)
13 | - [File Injection](06-web_server_and_web_application_hacking.md#file-injection)
14 | - [Command Injection](06-web_server_and_web_application_hacking.md#command-injection)
15 | - [LDAP Injection](06-web_server_and_web_application_hacking.md#ldap-injection)
16 | - [SOAP Injection](06-web_server_and_web_application_hacking.md#soap-injection)
17 | - [SQL Injection](06-web_server_and_web_application_hacking.md#sql-injection)
18 | - [XSS \(Cross-site scripting\)](06-web_server_and_web_application_hacking.md#xss-cross-site-scripting)
19 | - [CSRF \(Cross-Site Request Forgery\)](06-web_server_and_web_application_hacking.md#csrf-cross-site-request-forgery)
20 | - [Clickjacking](06-web_server_and_web_application_hacking.md#clickjacking)
21 | - [Buffer Overflow \(Smashing the stack\)](06-web_server_and_web_application_hacking.md#buffer-overflow-smashing-the-stack)
22 | - [Other attacks](06-web_server_and_web_application_hacking.md#other-attacks)
23 |
24 | ## Web Server and Web Application Hacking
25 |
26 | ### Web Organizations
27 |
28 | - **Web 2.0**: dynamic applications; have a larger attack surface due to simultaneous communication
29 | - **Internet Engineering Task Force** \(IETF\): creating engineering documents to help make the Internet work better
30 | - **World Wide Web Consortium** \(W3C\): a standards-developing community
31 | - **Open Web Application Security Project** \(OWASP\): an organization focused on improving the security of software
32 | - **WebGoat**: project maintained by OWASP which is an insecure web application meant to be tested
33 |
34 | ### OWASP Web Top 10 Application Security Risks 2017
35 |
36 | - **A1 Injection Flaws**: SQL, OS and LDAP injection
37 | - **A2 Broken Authentication and Session Management**: functions related to authentication and session management that aren't implemented correctly
38 | - **A3 Sensitive Data Exposure**: not properly protecting sensitive data \(SSN, CC numbers, etc.\)
39 | - **A4 XML External Entities \(XXE\)**: exploiting XML processors by uploading hostile content in an XML document
40 | - **A5 Broken Access Control**: having improper controls on areas that should be protected
41 | - **A6 Security Misconfiguration**: across all parts of the server and application
42 | - **A7 Cross-Site Scripting \(XSS\)**: taking untrusted data and sending it without input validation
43 | - **A8 Insecure Deserialization**: improperly de-serializing data
44 | - **A9 Using Components with Known Vulnerabilities**: libraries and frameworks that have known security holes
45 | - **A10 Insufficient Logging and Monitoring**: not having enough logging to detect attacks
46 |
47 | ### Web Server Architecture
48 |
49 | - **Most Popular Servers**: Apache, IIS and Nginx
50 | - Apache runs configurations as a part of a module within special files \(http.conf, etc.\)
51 | - IIS runs all applications in the context of LOCAL_SYSTEM
52 | - IIS 5 had a ton of bugs - easy to get into
53 | - **N-Tier Architecture**: distributing processes across multiple servers; normally as three-tier: Presentation \(web\), logic \(application\) and data \(database\)
54 | - **Error Reporting**: should not be showing errors in production; easy to glean information
55 | - **HTML**: markup language used to display web pages
56 | - **HTTP Request Methods**
57 | - **GET**: retrieving whatever information is in the URL; sending data is done in URL
58 | - **HEAD**: identical to get except for no body return
59 | - **POST**: sending data via body - data not shown in URL or in history
60 | - **PUT**: requesting data be stored at the URL
61 | - **DELETE**: requesting origin server delete resource
62 | - **TRACE**: requesting application layer loopback of message
63 | - **CONNECT**: reserved for use with proxy
64 | - **HTTP Error Messages**
65 | - **1xx: Informational**: request received, continuing
66 | - **2xx: Success**: action received, understood and accepted
67 | - **3xx: Redirection**: further action must be taken
68 | - **4xx: Client Error**: request contains bad syntax or cannot be fulfilled
69 | - **5xx: Server Error**: server failed to fulfill an apparently valid request
70 |
71 | #### Technology Stacks
72 |
73 | | Stack Layer | Service | Technic |
74 | | :---------- | :---------------------- | :--------------------- |
75 | | 7 | Custom Web Applications | Business Logic |
76 | | 6 | Third Party Components | Open Source/Commercial |
77 | | 5 | Web Server | Apache/MS IIS |
78 | | 4 | Database | Oracle/MySQL/MS SQL |
79 | | 3 | Operating System | Windows/Linux/OS X |
80 | | 2 | Network | Router/Switch |
81 | | 1 | Security | IPS/IDS |
82 |
83 | ### Web Server Attack Methodology
84 |
85 | - **Information Gathering**: Internet searches, whois, reviewing robots.txt
86 | - **Web Server Footprinting**: banner grabbing
87 | - nmap
88 | - Detect vulnerable TRACE method: `nmap --script http-trace -p80 localhost`
89 | - List email addresses: `nmap --script http-google-email `
90 | - Discover virtual hosts on same IP address you're footprinting, `*` is online db such as IP2Hosts: `nmap --script hostmap-_* `
91 | - Enumerate common web apps: `nmap --script http-enum -p80 `
92 | - Grab robots.txt: `nmap -p80 --script http-robots.txt `
93 | - Find out what options are supported by an HTTP server: `nmap --script http-methods `
94 | - Other tools
95 | - Netcraft
96 | - HTTPRecon
97 | - ID Serve
98 | - HTTPrint
99 | - **Website Mirroring**
100 | - Bringing the site to your own machine to examine structure, etc.
101 | - Tools
102 | - Wget
103 | - BlackWidow
104 | - HTTrack
105 | - WebCopier
106 | - SurfOffline
107 | - **Vulnerability Scanning**
108 | - Scanning web server for vulnerabilities
109 | - Tools
110 | - Nessus
111 | - Nikto: specifically suited for web servers; still very noisy like Nessus; scan files and vulnerable CGIs
112 | - **Session Hijacking**
113 | - **Web Server Password Cracking**
114 |
115 | ### Web Server and Application Attacks
116 |
117 | - Most often hacked before of inherent weaknesses built into the program
118 | - First step is to identify entry points \(POST data, URL parameters, cookies, headers, etc.\)
119 | - Tools
120 | - WebScarab: provided by OWASP
121 | - Burp Suite
122 | - httprint
123 | - **Cookies**:
124 | - Small text-based files stored that contains information like preferences, session details or shopping cart contents
125 | - Can be manipulated to change functionality \(e.g. changing a cooking that says "ADMIN=no" to "yes"\)
126 | - Sometimes, but rarely, can also contain passwords
127 | - **DNS Amplification**: uses recursive DNS to DoS a target; amplifies DNS answers to target until it can't do anything
128 | - **Directory Transversal** \(../ or dot-dot-slash\)
129 | - Example: `http://www.example.com/../../../../etc/password`
130 | - File requested that should not be accessible from web server
131 | - Using Unicode to possibly evade IDS: `%2e` for dot and `%sf` for slash
132 | - **Parameter Tampering** \(URL Tampering\): manipulating parameters within URL to achieve escalation or other changes
133 | - **Hidden Field Tampering**: modifying hidden form fields producing unintended results
134 | - **Web Cache Poisoning**: replacing the cache on a box with a malicious version of it
135 | - **Wfetch**: Microsoft tool that allows you to craft HTTP requests to see response data
136 | - **Misconfiguration Attack**: improper configuration of a web server
137 | - **Password Attack**: attempting to crack passwords related to web resources
138 | - **Connection String Parameter Pollution**: injection attack that uses semicolons to take advantage of databases that use this separation method
139 | - **Web Defacement**: simply modifying a web page to say something else
140 | - **Shellshock**
141 | - Causes Bash to unintentionally executing commands when commands are concatenated on the end of function definitions
142 | - RCE via Apache CGI Script
143 | - Tools
144 | - Brutus: brute force web passwords of HTTP
145 | - Hydra: network login cracker
146 | - Metasploit
147 | - Exploits hold the actual exploit
148 | - Payload contains the arbitrary code if exploit is successful
149 | - Auxiliary used for one-off actions \(like a scan\)
150 | - NOPS used for buffer-overflow type operations
151 |
152 | #### Injections
153 |
154 | ##### File Injection
155 |
156 | - Attacker injects a pointer in a web form to an exploit hosted elsewhere
157 |
158 | ##### Command Injection
159 |
160 | - Attacker gains shell access using Java or similar
161 |
162 | ##### LDAP Injection
163 |
164 | - Attacker exploits applications that construct LDAP statements
165 | - Format for LDAP injection including `)(&)`
166 |
167 | ##### SOAP Injection
168 |
169 | - Injecting query strings in order to bypass authentication
170 | - Using XML to format information
171 | - Messages are one way in nature
172 |
173 | ##### SQL Injection
174 |
175 | - Injecting SQL commands into input fields to produce output
176 | - Double dash \(--\) tells the server to ignore the rest of the query: `' OR 1 = 1 --`, basically tells the server if 1 = 1 \(always true\)
177 | - Basic test to see if SQL injection is possible is just inserting a single quote `'`
178 | - **In-band SQL injection**: using same communication channel to perform attack
179 |
180 | - **Error-based SQL Injection**: most common used, inserting bad input to get database-level error message
181 | - System stored procedure
182 | - Illegal/Logically incorrect query: `SELECT * FROM users WHERE name='bob"' AND password =`, gets `'Unclosed quotation mark after sting " AND password='xxx"."`
183 | - **UNION SQL Injection**: most common used, using `UNION` clause to append a malicious query
184 | - **Tautology**: using always true statements to test SQL \(e.g. 1=1\)
185 |
186 | A **End of Line Comment**: writing a line of code that ends in comment `--`
187 |
188 | `SELECT * FROM users WHERE name='admin'--' AND password = 'password'`
189 |
190 | - **Inline Comment**: using in-line comment `/* */`
191 | - **Piggybacked Query**: using semicolon `;` to add malicious query after original query
192 |
193 | - **Out-of-band SQL injection**: using different communication channels \(e.g. export results to file on web server\)
194 | - **Blind/inferential SQL injection**: error messages and screen returns don't occur, usually have to guess whether command work or use timing to know
195 | - Time delay: inserting wait function for delay
196 | - Boolean exploitation: manipulating valid statements that evaluate to true and false in HTTP request parameter
197 | - `https://example.com/item.aspx?id=67 and 1=2` gets SQL query `SELECT * FROM items WHERE ID=67 AND 1=2`, if vulnerable to SQL injection, no item will show
198 | - `https://example.com/item.aspx?id=67 and 1=1` gets SQL query `SELECT * FROM items WHERE ID=67 AND 1=1`, if vulnerable to SQL injection, item 67 will show
199 | - Heavy query: in case it's impossible to use time delay function in query, generates heavy queries instead
200 | - **MS SQL Server injection**: running commands from SQL shell by using `xp_cmdshell`
201 | - **Countermeasures**
202 | - To counter **Database server runs OS commands**
203 | - Running database service account with minimal rights
204 | - Disabling commands like xp_cmdshell
205 | - To counter **Using privileged account to connect to database**
206 | - Monitoring DB traffic using an IDS, WAP
207 | - Using low privileged account for DB connection
208 | - To counter **Error message revealing important information**
209 | - Suppressing all error messages
210 | - Using custom error messages
211 | - To counter **No Data validation at the server**
212 | - Filtering all client Data
213 | - Sanitizing Data
214 | - Tools
215 | - Sqlmap
216 | - sqlninja
217 |
218 | #### XSS \(Cross-site scripting\)
219 |
220 | - Inputting JavaScript into a web form alters what the page does
221 | - Can also be passed via URL `http://IPADDRESS/";!--"=&{()}`
222 | - Can be malicious by accessing cookies and sending them to a remote host
223 | - Can be mitigated by setting **HttpOnly** flag for cookies
224 | - **DOM Based XSS** (Type 0): a form of XSS where the entire tainted data flow from source to sink takes place in the browser, and the data flow never leaves the browser. e.g.: the URL of the page or an element of HTML...
225 | - **Stored XSS** (Persistent or Type I): stores the XSS in a forum or like on the target server, for multiple people to access
226 | - **Reflected XSS** (Non-persistent or Type II): occurs when user input is immediately returned by a web application, without permanently storing the user provided data
227 |
228 | #### CSRF \(Cross-Site Request Forgery\)
229 |
230 | - Forcing an end user to execute unwanted actions on an app they're already authenticated on
231 | - Inheriting identity and privileges of victim to perform an undesired function on victim's behalf
232 | - Capturing the session and sends a request based off the logged in user's credentials
233 | - Can be mitigated by sending **random challenge tokens**
234 |
235 | #### Clickjacking
236 |
237 | - Also known as a user interface redress attack
238 | - Used to trick web users to click something different from what they think they are clinking
239 |
240 | #### Buffer Overflow \(Smashing the stack\)
241 |
242 | - Attempting to write data into application's buffer area to overwrite adjacent memory, execute code or crash a system
243 | - Inputting more data than the buffer is allowed
244 | - Including stack, heap, NOP sleds \(hex value 0x09\) and more
245 |
246 | #### Other attacks
247 |
248 | - **Session Fixation**: attacker logs into a legitimate site and pulls a session ID, then sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user's credentials
249 | - **Fuzzing**: inputting random data into a target to see what will happen
250 | - **HTTP Response Splitting**
251 | - Adding header response data to an input field so server splits the response
252 | - It's not an attack by itself, so it must be combined with another attack
253 | - Can be used to redirect a user to a malicious site
254 | - **CSPP** \(Connection Stream Parameter Pollution\): polluting connection strings between the Web application authenticating a user to the database, for example, by injecting phony parameters into the connection strings using semicolons as separators
255 |
--------------------------------------------------------------------------------
/07-wireless_network_hacking.md:
--------------------------------------------------------------------------------
1 | # 07-Wireless Network Hacking
2 |
3 | ## Table of Contents
4 |
5 | - [Wireless Network Hacking](07-wireless_network_hacking.md#wireless-network-hacking)
6 | - [Wireless Terminologies](07-wireless_network_hacking.md#wireless-terminologies)
7 | - [Types of Wireless Authentication Model](07-wireless_network_hacking.md#types-of-wireless-authentication-model)
8 | - [Types of Wireless Antennas](07-wireless_network_hacking.md#types-of-wireless-antennas)
9 | - [Wireless Standards](07-wireless_network_hacking.md#wireless-standards)
10 | - [How to remember all 802.11x standards](07-wireless_network_hacking.md#how-to-remember-all-80211x-standards)
11 | - [Wireless Encryption](07-wireless_network_hacking.md#wireless-encryption)
12 | - [WEP \(Wired Equivalent Privacy\)](07-wireless_network_hacking.md#wep-wired-equivalent-privacy)
13 | - [IV \(Initialization Vector\)](07-wireless_network_hacking.md#iv-initialization-vector)
14 | - [WPA/WPA2 \(Wi-Fi Protected Access\)](07-wireless_network_hacking.md#wpawpa2-wi-fi-protected-access)
15 | - [Wireless Hacking Threats](07-wireless_network_hacking.md#wireless-hacking-threats)
16 | - [Wireless Attacks](07-wireless_network_hacking.md#wireless-attacks)
17 | - [Rogue Access Point](07-wireless_network_hacking.md#rogue-access-point)
18 | - [Evil Twin](07-wireless_network_hacking.md#evil-twin)
19 | - [Honeypot AP Attack](07-wireless_network_hacking.md#honeypot-ap-attack)
20 | - [Ad Hoc Connection Attack](07-wireless_network_hacking.md#ad-hoc-connection-attack)
21 | - [DoS Attack](07-wireless_network_hacking.md#dos-attack)
22 | - [MAC Filter](07-wireless_network_hacking.md#mac-filter)
23 | - [Wireless Hacking Methodology](07-wireless_network_hacking.md#wireless-hacking-methodology)
24 | - [Network Discovery](07-wireless_network_hacking.md#network-discovery)
25 | - [GPS Mapping](07-wireless_network_hacking.md#gps-mapping)
26 | - [Wireless Traffic Analysis](07-wireless_network_hacking.md#wireless-traffic-analysis)
27 | - [Tools](07-wireless_network_hacking.md#tools)
28 | - [Wireless Encryption Cracking](07-wireless_network_hacking.md#wireless-encryption-cracking)
29 | - [WEP Cracking](07-wireless_network_hacking.md#wep-cracking)
30 | - [WPA Cracking](07-wireless_network_hacking.md#wpa-cracking)
31 | - [Bluetooth Hacking](07-wireless_network_hacking.md#bluetooth-hacking)
32 | - [Bluetooth Modes](07-wireless_network_hacking.md#bluetooth-modes)
33 | - [Bluetooth Attacks](07-wireless_network_hacking.md#bluetooth-attacks)
34 |
35 | ## Wireless Network Hacking
36 |
37 | ### Wireless Terminologies
38 |
39 | - **Access Point** \(AP\): used to connect wireless devices to a wireless/wired network
40 | - **Association**: process of connecting a wireless device to an AP
41 | - **Service Set Identifier** \(SSID\)
42 | - 32 char unique wireless identifier given to WLAN
43 | - Can be hidden, but provides no security
44 | - **Orthogonal Frequency-Division Multiplexing** \(OFDM\): carrying waves in various channels
45 | - **Multiple input, Multiple output OFDM** \(MIMO-OFDM\): influencing spectral efficiency of 4G and 5G services
46 | - **Direct-Sequence Spread Spectrum** \(DSSS\): combining all available waveforms into a single purpose
47 | - **Frequency-hopping Spread Spectrum** \(FHSS\): also known as FH-CDMA, transmitting radio signals by rapidly switching a carrier among many frequency channels
48 | - **Basic Service Set** \(BSS\): communication between a single AP and its clients
49 | - **Basic Service Set Identifier** \(BSSID\): MAC address of the wireless access point
50 | - **ISM Band**: a set of frequencies for international industrial, scientific, and medical communities
51 | - **Spectrum Analyzer**: verifying wireless quality, detecting rogue access points and detects attacks, Wireless Intrusion Prevention System \(WIPS\) is also capable of searching for and locating rogue access points
52 | - **2 types of wireless networks**: Ad hoc \(no access point\) and Infrastructure
53 | - **LEAP**: proprietary version of EAP developed by Cisco
54 | - **PEAP**: protocol that encapsulates EAP within TLS tunnel
55 |
56 | #### Types of Wireless Authentication Model
57 |
58 | - **Open System**: no authentication
59 | - **Shared Key Authentication**: authentication through a shared key/password
60 | - **Centralized Authentication**: authentication through something like RADIUS \(Remote Authentication Dial-In User Service\)
61 |
62 | #### Types of Wireless Antennas
63 |
64 | - **Directional Antenna**: **uni**directional antenna, signals in one direction, eg: Yagi Uda antenna
65 | - **Omnidirectional Antenna**: signals in all directions
66 | - **Parabolic Grid Antenna**: a semi-dish in form of grid, long-distance Wi-Fi transmissions by making highly focused radio beams
67 | - **Dipole Antenna**: also called doublet, is bilaterally symmetrical balanced antenna, feeds on a balanced parallel-wire RF transmission line
68 | - **Reflector Antenna**: used to concentrate EM energy that radiated or received at a focal point
69 |
70 | ### Wireless Standards
71 |
72 | | Standard | Speed \(Mbps\) | Freq. \(GHz\) | Modulation Type | Range \(Meters\) |
73 | | :----------------- | :------------- | :------------ | :-------------------- | :--------------- |
74 | | 802.11 | 1, 2 | 2.4 | DSSS, FHSS | 20-100 |
75 | | 802.11a | 54 | 5 | OFDM | 35-100 |
76 | | 802.11b | 11 | 2.4 | DSSS | 35-140 |
77 | | 802.11g | 54 | 2.4 | OFDM | 38-140 |
78 | | 802.11n | 54-600 | 2.4, 5 | MIMO-OFDM | 70-250 |
79 | | 802.15.1 Bluetooth | 25-50 | 2.4 | GFSK, π/4-DPSK, 8DPSK | 10-240 |
80 | | 802.15.4 Zigbee | 0.25 | 2.4 | O-QPSK, GFSK, BPSK | 1-100 |
81 | | 802.16 WiMax | 34-1000 | 2-11 | SOFDMA | 1600-9650 |
82 |
83 | - **802.11d**: enhancement to 802.11a and 802.11b, global portability, allow variation in freq, power levers, and bandwidth
84 | - **802.11e**: guidance for prioritization of data, voice and voice transmission enabling QoS
85 | - **802.11i**: standard for WLANs \(Wireless Local Area Networks\) that provides improved encryption for networks using 802.11a, 802.11b, and 802.11g standards; denfines WPA2-Enterprise/WPA2-Personal for Wi-Fi
86 | - **802.11ac**: high throughput network at 5GHz, faster and more reliable than 802.11n, Gigabit networking
87 | - **Z-Wave**: primarily for home automation, 800-900 MHz radio, 100 meters range
88 |
89 | #### How to remember all 802.11x standards
90 |
91 | - **Speed 54 OFDM**: ang
92 | - **Frequency 5**: an
93 | - **Range**: a\<b=g\<n
94 | - **n**: s600, f2.4/5, MIMO-OFDM, 250
95 | - **d/e/i/ac**: **d**iversity global, **e**nsure QoS, **i**mplement encryption, **ac**celeration
96 |
97 | ### Wireless Encryption
98 |
99 | #### WEP \(Wired Equivalent Privacy\)
100 |
101 | - WEP doesn't effectively encrypt anything
102 |
103 | ##### IV \(Initialization Vector\)
104 |
105 | - Used to calculate a 32-bit integrity check value \(ICV\)
106 | - IVs are generally small and are frequently reused
107 | - Sent in clear text as a part of the header, combined with RC4 makes it easy to decrypt the WEP key
108 | - An attacker can send disassociate requests to the AP to generate a lot of these
109 |
110 | #### WPA/WPA2 \(Wi-Fi Protected Access\)
111 |
112 | - WPA uses TKIP \(Temporal Key Integrity Protocol\) with a 128-bit key
113 | - WPA changes the key every 10,000 packets
114 | - WPA transfers keys back and forth during an **Extensible Authentication Protocol** \(EAP\)
115 | - WPA uses four-way handshake to derive keys
116 | - **WPA2 Personal**: using a Pre-shared key \(PSK\) to authenticate, preconfigured password
117 | - **WPA2 Enterprise**: can tie an EAP or RADIUS server into the authentication
118 | - WPA2 ensures FIPS 140-2 compliance
119 | - **Message Integrity Codes** \(MIC\): named MICHEAL, hashes for CCMP to protect integrity
120 | - **Cipher Block Chaining Message Authentication Code** \(CBC-MAC\): integrity process of WPA2
121 |
122 | | Wireless Standard | Encryption | IV Size \(Bits\) | Key Length \(Bits\) | Integrity Check \(ICV\) |
123 | | :---------------- | :--------- | :--------------- | :------------------ | :---------------------- |
124 | | WEP | RC4 | 24 | 40/104 | CRC-32 |
125 | | WPA | RC4 + TKIP | 48 | 128 | MIC/CRC-32 |
126 | | WPA2 | AES-CCMP | 48 | 128 | CBC-MAC \(CCMP\) |
127 |
128 | ### Wireless Hacking Threats
129 |
130 | - Access Control Attacks: War Driving, Rogue AP, MAC Spoofing, AP Misconfiguration, Ad Hoc Association, Promiscuous Client, Client Mis-association, Unauthorized Association
131 | - Integrity Attacks: Data Frame Injection, WEP Injection, Bit-Flipping Attack, Replay Attacks
132 | - Confidentiality Attacks: Eavesdropping, Traffic Analysis, Cracking WEP Key, Evil Twin AP, Honeypot AP, Session Hijacking, Masquerading, MITM
133 | - Availability Attacks: AP Theft, Disassociation Attack, EAP Failure, Beacon Flood, DoS, Auth/De-auth Flood, Routing Attack, ARP Cache Poisoning Attack
134 | - Authentication Attacks: Cracking, Identity Theft, Shared Key Gusseing, Password Speculation, Application Login Theft, Key Reinstallation Attack
135 |
136 | ### Wireless Attacks
137 |
138 | #### Rogue Access Point
139 |
140 | - Placing an access point controlled by an attacker
141 |
142 | #### Evil Twin
143 |
144 | - Also known as a mis-association attack
145 | - A rogue AP with a SSID similar to the name of a popular network
146 |
147 | #### Honeypot AP Attack
148 |
149 | - Faking a well-known hotspot with a rogue AP
150 |
151 | #### Ad Hoc Connection Attack
152 |
153 | - Directly connecting to another phone via ad-hoc network
154 | - Not very successful as the other user has to accept connection
155 |
156 | #### DoS Attack
157 |
158 | - Either sends de-auth packets to the AP or jam the wireless signal
159 | - With a de-auth, attacker can have the users connect to attacker's AP instead if it has the same name
160 |
161 | #### MAC Filter
162 |
163 | - Only allowing certain MAC addresses on a network
164 | - Easily broken because you can sniff out MAC addresses already connected and spoof it
165 | - Tools for spoofing including **SMAC** and **TMAC**
166 |
167 | ### Wireless Hacking Methodology
168 |
169 | #### Network Discovery
170 |
171 | - WarWalking: walks around with Wi-Fi to detect open wireless networks
172 | - WarDriving: driving around with Wi-Fi to detect open wireless networks
173 | - WarFlying: using drones to detect wireless networks
174 | - WarChalking: drawing symbols in public places to advertise open Wi-Fi networks
175 | - Tools
176 | - inSSIDer Office: Wi-Fi optimization and troubleshooting tool
177 | - WifiExplorer: known as Wi-Fi scanner, mobile platform to discover Wi-Fi networks
178 |
179 | #### GPS Mapping
180 |
181 | - Discovers a target wireless network then draws a map of the network
182 | - Tool
183 | - WiGLE: map for wireless networks
184 | - NetStumbler: tool to find networks, a Windows tool
185 | - Skyhook: Wi-Fi AP database
186 | - Wi-Fi Finder: hotspot finder
187 |
188 | #### Wireless Traffic Analysis
189 |
190 | - Determine Wi-Fi requirements
191 | - Learn capabilities of a wireless card
192 | - Determine chipset of Wi-Fi card
193 | - Verify chipset capabilities
194 | - Determine drivers and patches required
195 | - Tools
196 | - AirPcap: Wi-Fi USB dongle
197 | - Wireshark with AirPcap: Wi-Fi packet sniffer
198 | - SteelCentral Packet Analyzer
199 | - OmniPeek Enterprise
200 | - Ekahau Spectrum Analyzer
201 | - Airodump-np: reveal hidden SSID
202 | - AirMagnet WiFi Analyzer
203 | - **Kismet**
204 | - Wireless packet analyzer/sniffer used for discovery
205 | - Working on Linux and OSX, Win 10 under WSL
206 | - Working without sending any packets \(passively\)
207 | - Working by channel hopping
208 | - Can detect access points that have not been configured
209 | - Can discover wireless networks that not sending beacon frames
210 | - Ability to sniff packets and save them to a log file \(readable by Wireshark/tcpdump\)
211 |
212 | #### Tools
213 |
214 | - **NetSurveyor**
215 | - Tool for Windows that does similar features to NetStumbler and Kismet
216 | - Doesn't require special drivers
217 | - **WiFi Adapter**
218 |
219 | - AirPcap is mentioned for Windows, but isn't made anymore
220 | - **pcap**: driver library for Windows
221 |
222 | ```text
223 | port and host
224 | ```
225 |
226 | - **libpcap**: driver library for Linux
227 |
228 | - Cisco Adaptive Wireless IPS: security auditing tool
229 | - WatchGuard WIPS: IPS
230 | - AirMagnet Planner: wireless network planning tool
231 | - Zenmap: vulnerability scanning tool
232 | - Wi-Fi Protector: protects phone from ARP attack, such as DoS or MITM
233 | - WiFiGuard
234 |
235 | #### Wireless Encryption Cracking
236 |
237 | ##### WEP Cracking
238 |
239 | - Easy because of weak IVs
240 | - Process
241 | 1. Start a compatible adapter with injection and sniffing capabilities
242 | 2. Start a sniffer to capture packets
243 | 3. Force the creation of thousands of packets \(generally with de-auth\)
244 | 4. Analyze captured packets
245 | - Methods to crack WEP including **PTW**, **FMS**, **Korek** technique
246 | - Tools
247 | - **Aircrack-ng**
248 | - sniffer, detector, traffic analysis tool and a password cracker
249 | - Using **dictionary list** attacks for WPA and WPA2
250 | - Other attacks **PTW**, **FMS**, and **Korek** are for WEP only
251 | - Cain and Abel
252 | - Sniffing packets and cracks passwords \(may take longer\)
253 | - Relying on statistical measures and PTW technique to break WEP
254 | - KisMAC: MacOS tool to brute force WEP or WPA passwords
255 | - WEPAttack
256 | - WEPCrack
257 | - Portable Penetrator
258 |
259 | ##### WPA Cracking
260 |
261 | - Much more difficult than WEP cracking
262 | - Using a constantly changing temporal key and user-defined password
263 | - **Key Reinstallation Attack** \(KRACK\): replaying attack that uses third handshake of another device's session
264 | - Most other attacks are simply brute-forcing password
265 | - Tools
266 | - Elcomsoft Wireless Security Auditor
267 | - WIBR: WiFi Bruteforce Hack
268 |
269 | ### Bluetooth Hacking
270 |
271 | #### Bluetooth Modes
272 |
273 | - **Discovery mode**: how the device reacts to inquiries from other devices
274 | - **Discoverable**: answering all inquiries
275 | - **Limited Discoverable**: restricting the action
276 | - **Nondiscoverable**: ignoring all inquiries
277 | - **Pairing mode**: how the device deals with pairing requests
278 | - **Pairable**: accepting all requests
279 | - **Non-pairable**: rejecting all connection requests
280 |
281 | #### Bluetooth Attacks
282 |
283 | - **Bluesmacking**: sending oversized ping to victim's device, DoS attack
284 | - **Bluejacking**: sending unsolicited messages
285 | - **Bluesnarfing**: stealing information via Bluetooth
286 | - **Bluesniffing**: finding hidden and discoverable Bluetooth devices
287 | - **Bluebugging**: remotely taking over a device via Bluetooth, sniffs data
288 | - **Blueprinting**: collecting device information over Bluetooth to create info graphics
289 | - Other attacks: MAC Spoofing Attack, MITM/Impersonation Attack
290 | - Tools
291 | - BluetoothView: monitoring activity of Bluetooth devices around you
292 | - Super Bluetooth Hack: all-in-one package
293 | - Bluetooth Firewall
294 |
--------------------------------------------------------------------------------
/08-mobile_and_iot_hacking.md:
--------------------------------------------------------------------------------
1 | # 08-Mobile and IoT Hacking
2 |
3 | ## Table of Contents
4 |
5 | - [Mobile and IoT Hacking](08-mobile_and_iot_hacking.md#mobile-and-iot-hacking)
6 | - [Mobile Platform Hacking](08-mobile_and_iot_hacking.md#mobile-platform-hacking)
7 | - [Three Main Avenues of Attack](08-mobile_and_iot_hacking.md#three-main-avenues-of-attack)
8 | - [Device Attacks](08-mobile_and_iot_hacking.md#device-attacks)
9 | - [Network Attacks](08-mobile_and_iot_hacking.md#network-attacks)
10 | - [Data Center/Cloud Attacks](08-mobile_and_iot_hacking.md#data-centercloud-attacks)
11 | - [OWASP Top 10 Mobile Risks 2016](08-mobile_and_iot_hacking.md#owasp-top-10-mobile-risks-2016)
12 | - [Mobile Platforms](08-mobile_and_iot_hacking.md#mobile-platforms)
13 | - [Android Rooting](08-mobile_and_iot_hacking.md#android-rooting)
14 | - [iOS Jailbreaking](08-mobile_and_iot_hacking.md#ios-jailbreaking)
15 | - [Mobile Attacks](08-mobile_and_iot_hacking.md#mobile-attacks)
16 | - [IoT Hacking](08-mobile_and_iot_hacking.md#iot-hacking)
17 | - [Basic Components](08-mobile_and_iot_hacking.md#basic-components)
18 | - [Architecture Levels](08-mobile_and_iot_hacking.md#architecture-levels)
19 | - [IoT Technologies and Protocols](08-mobile_and_iot_hacking.md#iot-technologies-and-protocols)
20 | - [IoT Operating Systems](08-mobile_and_iot_hacking.md#iot-operating-systems)
21 | - [IoT Communicating Models](08-mobile_and_iot_hacking.md#iot-communicating-models)
22 | - [Threat vs Opportunity](08-mobile_and_iot_hacking.md#threat-vs-opportunity)
23 | - [OWASP Top 10 IoT Risks 2014](08-mobile_and_iot_hacking.md#owasp-top-10-iot-risks-2014)
24 | - [IoT Attacks](08-mobile_and_iot_hacking.md#iot-attacks)
25 |
26 | ## Mobile and IoT Hacking
27 |
28 | ### Mobile Platform Hacking
29 |
30 | #### Three Main Avenues of Attack
31 |
32 | ##### Device Attacks
33 |
34 | - Browser based: Phishing, Framing \(using iFrame\), Clickjacking, Man-in-the-Mobile, Buffer Overflow, Data Caching
35 | - Phone/SMS based: Baseband Attack \(GSM/3GPP vulnerability\), SMiShing
36 | - Application based: Sensitive Data Storage, No/Weak Encryption, Improper SSL Validation, Configuration Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges
37 | - OS based: No/Weak Passcode, iOS Jailbreaking, Android Rotting, OS Data Caching, Passwords and Data Accessible, Carrier-loaded Software, User-initiated Code
38 |
39 | ##### Network Attacks
40 |
41 | - Wi-Fi, Rogue AP, Packet Sniffing, MITM, Session Hijacking, DNS Poisoning, SSLStripk \(MITM, SSL/TLS vulnerability\), Fake SSL Certificates
42 |
43 | ##### Data Center/Cloud Attacks
44 |
45 | - Web server based: Platform Vulnerabilities, Server Misconfiguration, XSS, CSRF, Weak Input Validation, Brute-Force
46 | - Database based: SQL Injection, Privilege Escalation, Data Dumping, OS Command Execution
47 |
48 | #### OWASP Top 10 Mobile Risks 2016
49 |
50 | - **M1 Improper Platform Usage**: misuse of features or security controls \(Android intents, TouchID, Keychain\)
51 | - **M2 Insecure Data Storage**: improperly stored data and data leakage
52 | - **M3 Insecure Communication**: poor handshaking, incorrect SSL, clear-text communication
53 | - **M4 Insecure Authentication**: authenticating end user or bad session management
54 | - **M5 Insufficient Cryptography**: code that applies cryptography to an asset, but is insufficient \(does NOT include SSL/TLS\)
55 | - **M6 Insecure Authorization**: failures in authorization \(access rights\)
56 | - **M7 Client Code Quality**: catchall for code-level implementation problems
57 | - **M8 Code Tampering**: binary patching, resource modification, dynamic memory modification
58 | - **M9 Reverse Engineering**: reversing core binaries to find problems and exploits
59 | - **M10 Extraneous Functionality**: catchall for backdoors that were inadvertently placed by coders
60 |
61 | #### Mobile Platforms
62 |
63 | - **Mobile Device Management** \(MDM\)
64 | - Helping enforce security and deploy apps from enterprise
65 | - MDM solutions including IBM MaaS360, XenMobile
66 | - **Bring Your Own Device** \(BYOD\): dangerous for organizations because not all phones can be locked down by default
67 |
68 | ##### Android Rooting
69 |
70 | - Ability to have root access on an Android device
71 | - Tools: KingoRoot, TunesGo Root Android Tool
72 |
73 | ##### iOS Jailbreaking
74 |
75 | - Installing a modified set of kernel patches that allows users to run not signed applications, bypassing user limitations as set by Apple
76 | - **Userland Exploit**
77 | - Using loophole in system app
78 | - Allowing user-level access but not allows iboot-level access
79 | - Firmware updates can patch it
80 | - **iBoot Exploit**
81 | - Using loophole in iBoot \(iDevice's thrid bootloader\)
82 | - Can be Semi-tethered
83 | - Allowing user-level access and iboot-level access
84 | - Firmware updates can patch it
85 | - **BootROM Exploit**
86 | - Using loophole in SecureROM \(iDevice's first bootloader\)
87 | - Allowing user-level access and iboot-level access
88 | - Firmware updates can **NOT** patch it
89 | - Only hardware update of bootrom by Apple can patch it
90 | - **Untethered**: kernel remaining patched after reboot, with or without a system connection
91 | - **Semi-Tethered**: no longer retaining patches after reboot, device is still usable as normal
92 | - **Tethered**: removing all patches after reboot, device may get in boot loop, must be re-jailbreak with a computer
93 | - Tools
94 | - Cydia: app for iOS to find and install software on a jailbroken iOS device
95 | - Pangu Anzhuang: app, no PC required jailbreak method
96 | - Keen Jailbreak: an unofficial semi-tethered tool
97 |
98 | #### Mobile Attacks
99 |
100 | - **App Store attacks**: malicious apps placed in app store, no vetting
101 | - **Android Device Administration API**: allowing for security-aware apps that may help
102 | - **SMS Phishing** \(SMiShing\)
103 | - Sending text message with malicious links
104 | - People tend to trust these more because they happen less
105 | - Apps
106 | - NetCut: blocks Wi-Fi access, works only on rooted devices
107 | - zANTI: hacking app
108 | - Network Spoofer: changing websites from Android phone
109 | - Low Orbit Ion Cannon \(LOIC\): performing Dos/DDos attacks
110 | - DroidSheep: performing session hijacking/sidejacking, using libpcap and arpspoof
111 | - Orbit Proxy: Tor
112 | - FaceNiff: sniffer
113 | - Trojans
114 | - BankBot/Spy.Banker.LA: Android Trojan, banking Trojan
115 | - SpyDealer: Android Trojan, spying Trojan
116 | - AceDeceiver Trojan: iOS Trojan, MITM
117 | - Spy/MobileSpy!iPhoneOS: iOS Trojan
118 | - ZitMo: Zeus-in-the-mobile, banking Trojan
119 | - Mobile Spyware
120 | - mSpy
121 | - FlexiSPY
122 | - Security Tools
123 | - Find My Device/Phone: tracking tool
124 | - Kaspersky Mobile Antivirus
125 | - X-Ray: vulnerability scanner
126 | - Avira Mobile Security
127 | - Lookout Personal: identifying protection, theft prevention
128 | - Zimperium's zIPS: mobile intrusion prevention system app
129 | - BullGuard Mobile Security: complete mobile phone antivirus
130 | - Malwarebytes for Android: anti-spyware
131 | - Pen Testing Tool: Hackode
132 |
133 | ### IoT Hacking
134 |
135 | - IoT is a collection of devices using sensors, software, storage and electronics to collect, analyze, store and share data
136 | - Application + Network + Mobile + Cloud = IoT
137 |
138 | #### Basic Components
139 |
140 | - Sensing Technology: sensors
141 | - IoT gateways: used to bridge the gap between the IoT device and end user
142 | - cloud Server/Data Storage
143 | - Remote Control using Mobile App
144 |
145 | #### Architecture Levels
146 |
147 | - **Edge Technology Layer**: consisting of sensors, RFID tags, readers and the devices
148 | - **Access Gateway Layer**: first data handling, message identification and routing
149 | - **Internet Layer**: crucial layer which serves as main component to allow communication
150 | - **Middleware Layer**: two-way mode, between application and hardware, handles data and device management, data analysis and aggregation
151 | - **Application Layer**: responsible for delivery of services and data to users
152 |
153 | #### IoT Technologies and Protocols
154 |
155 | - **Short range Wireless Communication**: Bluetooth Low Energy \(BLE\), Light-Fidelity \(Li-Fi\), Near-field Communication \(NFC\), QR Codes and Barcodes, Radio Frequency Identification \(RFID\), Thread, Wi-Fi, Wi-Fi Direct, Z-Wave, Zig-Bee
156 | - **Medium Range Wireless Communication**: HaLow, LTE-Advanced
157 | - **Long Range Wireless Communication**: LPWAN, Very Small Aperture Terminal \(VSAT\), Cellular
158 | - **Wired Communication**: Ethernet, Multimedia over Coax Alliance \(MoCA\), Power-line Communication \(PLC\)
159 |
160 | #### IoT Operating Systems
161 |
162 | - **RIOT OS**: embedded systems, actuator boards, sensors; is energy efficient
163 | - **ARM mbed OS**: mostly used on wearables and other low-powered devices
164 | - **RealSense OS X**: Intel's depth sensing version; mostly found in cameras and other sensors
165 | - **Nucleus RTOS**: used in aerospace, medical and industrial applications
166 | - **Brillo**: Android-based OS; generally found in thermostats
167 | - **Contiki**: OS made for low-power devices; found mostly in street lighting and sound monitoring
168 | - **Zephyr**: option for low-power devices and devices without many resources
169 | - **Ubuntu Core**: used in robots and drones; known as "snappy"
170 | - **Integrity RTOS**: found in aerospace, medical, defense, industrial and automotive sensors
171 | - **Apache Mynewt**: used in devices using Bluetooth Low Energy Protocol
172 |
173 | #### IoT Communicating Models
174 |
175 | - **Device to Device**: communicates directly with other IoT devices
176 | - **Device to Cloud**: communicates directly to a cloud service
177 | - **Device to Gateway**: communicates with a gateway before sending to the cloud
178 | - **Back-End Data Sharing**: like device to cloud but adding abilities for parties to collect and use the data
179 |
180 | #### Threat vs Opportunity
181 |
182 | - **Misconfigured** and **Misapprehended**: posing unprecedented risk to personal data, privacy and safety
183 | - **Apprehended** and **Protected**: boosting transmissions, communications, delivery of services and standard of living
184 |
185 | #### OWASP Top 10 IoT Risks 2014
186 |
187 | - I1 Insecure Web Interface
188 | - I2 Insufficient Authentication/Authorization
189 | - I3 Insecure Network Services
190 | - I4 Lack of Transport Encryption/Integrity Verification
191 | - I5 Privacy Concerns
192 | - I6 Insecure Cloud Interface
193 | - I7 Insecure Mobile Interface
194 | - I8 Insufficient Security Configurability
195 | - I9 Insecure Software/Firmware
196 | - I10 Poor Physical Security
197 |
198 | #### IoT Attacks
199 |
200 | - **Exploiting HVAC Attack**: attacking on HVAC systems, Heating, Ventilation and Air Conditioning
201 | - **Rolling Code**: jamming a key fob's communications, steals the code and then creates a subsequent code
202 | - **BlueBorne Attack**: attacking against Bluetooth devices by exploiting vulnerabilities of Bluetooth protocol
203 | - **Jamming Attack**: jamming signal between sender and receiver with malicious traffic, makes two endpoints unable to communicate with each other
204 | - **Remote Access using Backdoor**: exploiting vulnerabilities in IoT device to turn it into a backdoor and gain access to target network
205 | - **Remote Access using Telnet**: exploiting an open telnet port to obtain information
206 | - **Sybil Attack**: using multiple forged identities to create the illusion of traffic
207 | - **Replay Attack**: intercepting legitimate messages from a valid communication and continuously send the intercepted message to target device to perform a DoS attack or crash the target device
208 | - **Forged Malicious Device**: replacing authentic IoT devices with malicious ones, if they have physical access to the network
209 | - Other attacks: Exploit Kits, DDoS Attack, MITM Attack, Side Channel Attack, Ransomware Attack
210 | - Case Study: **Dyn Attack**
211 | - **Mirai** malware: finding IoT devices to infect and adds them to botnet
212 | - Triggers DDoS 1+ Tbps attack on OVH and DYN in October 2016
213 | - Hacking Tools
214 | - Search engine: Shodan, Censys, Tingful
215 | - MultiPing: information gathering tool to find IP addres of any IoT devices
216 | - Foren6: IoT traffic sniffer
217 | - Z-Wave Sniffer
218 | - beSTORM: vulnerability scanning tool, smart fuzzer to find butter overflow
219 | - RFCrack: obtaining rolling code
220 | - Attify: attacking Zigbee networks
221 | - HackRF One: an advanced hardware and software, performs BlueBorne or AirBorne attacks, such as replay, fuzzing, jamming etc
222 | - Firmware Mod Kit: reconstructing firmware images for embedded devices
223 | - Firmalyzer Enterprise: performing automated security assessment on software that powers IoT device firmware
224 | - Security Tools
225 | - SeaCat.io: SaaS to operate IoT products
226 | - DigiCert IoT Security Solution
227 |
--------------------------------------------------------------------------------
/09-security_in_cloud_computing.md:
--------------------------------------------------------------------------------
1 | # 09-Security in Cloud Computing
2 |
3 | ## Table of Contents
4 |
5 | - [Security in Cloud Computing](09-security_in_cloud_computing.md#security-in-cloud-computing)
6 | - [Cloud Computing Basics](09-security_in_cloud_computing.md#cloud-computing-basics)
7 | - [Characteristics](09-security_in_cloud_computing.md#characteristics)
8 | - [Limitations](09-security_in_cloud_computing.md#limitations)
9 | - [Three Types of Cloud Computing Services](09-security_in_cloud_computing.md#three-types-of-cloud-computing-services)
10 | - [IaaS \(Infrastructure as a Service\)](09-security_in_cloud_computing.md#iaas-infrastructure-as-a-service)
11 | - [PaaS \(Platform as a Service\)](09-security_in_cloud_computing.md#paas-platform-as-a-service)
12 | - [SaaS \(Software as a Service\)](09-security_in_cloud_computing.md#saas-software-as-a-service)
13 | - [Deployment Models](09-security_in_cloud_computing.md#deployment-models)
14 | - [NIST Cloud Architecture](09-security_in_cloud_computing.md#nist-cloud-architecture)
15 | - [Cloud Security](09-security_in_cloud_computing.md#cloud-security)
16 | - [Main Threats](09-security_in_cloud_computing.md#main-threats)
17 | - [Attacks](09-security_in_cloud_computing.md#attacks)
18 |
19 | ## Security in Cloud Computing
20 |
21 | ### Cloud Computing Basics
22 |
23 | #### Characteristics
24 |
25 | - On-demand self service
26 | - Distributed storage
27 | - Rapid elasticity
28 | - Automated management
29 | - Broad network access
30 | - Resource pooling
31 | - Measure service: pay-per-use
32 | - Virtualization technology
33 |
34 | #### Limitations
35 |
36 | - Organizations have limited control and flexibility
37 | - Prone to outages and other technical issues
38 | - Security, privacy, and compliance issues
39 | - Contracts and lock-ins
40 | - Depending on network connections
41 |
42 | #### Three Types of Cloud Computing Services
43 |
44 | | On-Premises | IasS | PasS | SaaS |
45 | | :------------- | :--- | :--- | :--- |
46 | | App | | | x |
47 | | Data | | | x |
48 | | Runtime | | x | x |
49 | | Middleware | | x | x |
50 | | O/S | | x | x |
51 | | Virtualization | x | x | x |
52 | | Servers | x | x | x |
53 | | Storage | x | x | x |
54 | | Networking | x | x | x |
55 |
56 | ##### IaaS \(Infrastructure as a Service\)
57 |
58 | - Providing virtualized computing resources
59 | - Third party hosts the servers with hypervisor running the VMs as guests
60 | - Subscribers usually pay on a per-use basis
61 |
62 | ##### PaaS \(Platform as a Service\)
63 |
64 | - Geared towards software development
65 | - Hardware and software hosted by provider
66 | - Providing ability to develop without having to worry about hardware or software
67 |
68 | ##### SaaS \(Software as a Service\)
69 |
70 | - Provider supplies on-demand applications to subscribers
71 | - Offloading the need for patch management, compatibility and version control
72 |
73 | #### Deployment Models
74 |
75 | - **Public Cloud**: services provided over a network that is open for public to use
76 | - **Private Cloud**: cloud solely for use by one single tenant; usually done in larger organizations
77 | - **Community Cloud**: cloud shared by several organizations, but not open to public
78 | - **Hybrid Cloud**: a composition of two or more cloud deployment models
79 |
80 | #### NIST Cloud Architecture
81 |
82 | - **Cloud Consumer**: acquiring and uses cloud products and services
83 | - **Cloud Provider**: purveyor of products and services
84 | - **Cloud Carrier**: organization with responsibility of transferring data; akin to power distributor for electric grid
85 | - **Cloud Auditor**: performing independent examination of cloud service control
86 | - **Cloud Broker**: managing use, performance and delivery of services as well as relationships between providers and subscribers
87 |
88 | ```text
89 | Provider <-----------------------
90 | ^ | IasS, PasS, SasS
91 | | IasS, PasS, SasS | and other services
92 | | |
93 | | |
94 | Auditing Service v Brokered Service v
95 | Auditor <------------------> Broker <------------------> Customer
96 | ^
97 | |
98 | | Physical
99 | | Infrastructure
100 | |
101 | v
102 | Carrier
103 | ```
104 |
105 | ### Cloud Security
106 |
107 | - Problem with cloud security is what you are allowed to test and what should you test
108 | - Another concern is if the hypervisor is compromised, all hosts on that hypervisor are as well
109 | - Tools
110 | - Qualys Cloud Platform: end-to-end IT security solution
111 | - CloudPassage Halo: instant visibility and continuous protection for servers in any cloud
112 | - Core CloudInspect: pen-testing application for AWS EC2 users
113 |
114 | #### Main Threats
115 |
116 | - **Data Breach or Loss**: biggest thraet
117 | - Abuse of Cloud Resources
118 | - Insecure Interfaces and APIs
119 | - Insufficient due diligence: moving an application without knowing the security differences
120 | - Shared technology issues: multi-tenant environments that don't provide proper isolation
121 | - Unknown risk profiles: subscribers simply don't know what security provisions are made in the background
122 | - Others including malicious insiders, inadequate design and DDoS
123 |
124 | #### Attacks
125 |
126 | - **Service Hijacking**
127 | - Using Social Engineering Attacks
128 | - - Using Networking Sniffing
129 | - **Session Hijacking**
130 | - Using XSS Attack
131 | - Using Session Riding: basically CSRF
132 | - **DNS Attacks**
133 | - DNS Poisoning
134 | - **Cybersquatting**: conducting phishing scams by registering a domain name that is similar to a cloud service provider
135 | - **Domain Hijacking**: stealing a cloud service provider's domain name
136 | - **Domain Snipping**: registering an elapsed/past domain name
137 | - **Side Channel Attack** or **Cross-guest VM Breach**
138 | - Using an existing VM on the same physical host to attack another
139 | - This is more broadly defined as using something other than the direct interface to attack a system
140 | - **SQL Injection Attack**: targeting SQL servers running vulnerable database applications
141 | - **Cryptanalysis Attack**: weak or broken encryption, weak random number generation
142 | - **Wrapping Attack**: SOAP message intercepted and data in envelope is changed and sent/replayed
143 | - **DoS** and **DDoS Attack**
144 | - **Man-in-the-Cloud \(MITC\) Attack**: carried out by abusing cloud file synchronization services, plants attacker's synchronization token on victim's drive to gain access of victim's files
145 |
--------------------------------------------------------------------------------
/10-malware_and_other_attacks.md:
--------------------------------------------------------------------------------
1 | # 10-Malware and Other Attacks
2 |
3 | ## Table of Contents
4 |
5 | - [Malware and Other Attacks](10-malware_and_other_attacks.md#malware-and-other-attacks)
6 | - [Malware](10-malware_and_other_attacks.md#malware)
7 | - [Malware Basics](10-malware_and_other_attacks.md#malware-basics)
8 | - [Trojan](10-malware_and_other_attacks.md#trojan)
9 | - [Types of Trojans](10-malware_and_other_attacks.md#types-of-trojans)
10 | - [Some Trojan Port Numbers](10-malware_and_other_attacks.md#some-trojan-port-numbers)
11 | - [Tools](10-malware_and_other_attacks.md#tools)
12 | - [Virus](10-malware_and_other_attacks.md#virus)
13 | - [Types of Viruses](10-malware_and_other_attacks.md#types-of-viruses)
14 | - [Worm](10-malware_and_other_attacks.md#worm)
15 | - [Analyzing Malware](10-malware_and_other_attacks.md#analyzing-malware)
16 | - [Static Analysis](10-malware_and_other_attacks.md#static-analysis)
17 | - [Dynamic Analysis](10-malware_and_other_attacks.md#dynamic-analysis)
18 | - [Heuristic Analysis](10-malware_and_other_attacks.md#heuristic-analysis)
19 | - [Tools](10-malware_and_other_attacks.md#tools)
20 | - [Preventing Malware](10-malware_and_other_attacks.md#preventing-malware)
21 | - [DoS \(Denial of Service\) Attacks](10-malware_and_other_attacks.md#dos-denial-of-service-attacks)
22 | - [Basic Categories](10-malware_and_other_attacks.md#basic-categories)
23 | - [Tools](10-malware_and_other_attacks.md#tools)
24 | - [Session Hijacking](10-malware_and_other_attacks.md#session-hijacking)
25 | - [Steps](10-malware_and_other_attacks.md#steps)
26 | - [Countermeasures](10-malware_and_other_attacks.md#countermeasures)
27 | - [IPsec \(Internet Protocol Security\)](10-malware_and_other_attacks.md#ipsec-internet-protocol-security)
28 | - [Tools](10-malware_and_other_attacks.md#tools)
29 |
30 | ## Malware and Other Attacks
31 |
32 | ### Malware
33 |
34 | #### Malware Basics
35 |
36 | - Software designed to harm or secretly access a computer system without informed consent
37 | - Most is downloaded from the Internet with or without the user's knowledge
38 | - **Overt Channels**: legitimate communication channels used by programs
39 | - **Covert Channels**: used to transport data in unintended ways
40 | - **Wrappers**: programs that allow you to bind an executable to an innocent file
41 | - Example: IExpress Wizard
42 | - **Crypters**
43 | - Using a combination of encryption and code manipulation to render malware undetectable to security programs
44 | - Example: BitCrypter
45 | - **Packers**
46 | - Compressing the executable into a smaller size, and obscure the actual program, which helps evade signature based detection
47 | - **Entry point** of an executable may refer to a named section of code where the label is the name of a packer
48 | - **Droppers**: installing other malware files on to system either from malware package or Internet
49 | - **Downloader**: downloading other malware from Internet on to PC
50 | - **Injector**: injecting its code into other vulnerable running process and changes the way of execution in order to hide or prevent removal
51 | - **Obfuscator**: concealing its code, makes it hard for security mechanisms detect or remove it
52 | - **Exploit Kit**: helping to deliver exploits and payloads, like Crimepack
53 |
54 | #### Trojan
55 |
56 | - Software that appears to perform a desirable function but instead performs malicious activity
57 | - To hackers, it is a method to gain and maintain access to a system
58 | - Trojans are means of delivery whereas a backdoor provides the open access
59 |
60 | ##### Types of Trojans
61 |
62 | - **Remote Access Trojan** \(RAT\): providing attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and others
63 | - PoisonIvy
64 | - MoSucker
65 | - Blackhole
66 | - **Backdoor Trojan**: RAT has UI, the client component, whereas a backdoor does not
67 | - **Botnet Trojan**: infecting numerous of computers across a large geographical area to create a network of bots that is controlled through a Command and Control \(C&C\) center
68 | - Necurs
69 | - Mirai
70 | - **E-banking Trojans**: intercepting victim's account informed before the system can encrypt it, and send it to the attacker's C&C center
71 | - Zeus
72 | - **Proxy Server Trojan**: usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet
73 | - **Covert Channel Tunneling Trojan** \(CCTT\): a RAT, creating arbitrary data transfer channels in previously authorized data streams
74 | - **Defacement Trojan**: once spreading over the system, can destroy or change the entire content present in a database
75 | - **Command Shell Trojan**: providing a backdoor to connect to through command-line access
76 | - **Netcat**
77 | - "Swiss army knife" of tcp/ip hacking
78 | - Providing all sorts of control over a remote shell on a target
79 | - Can connect over TCP or UDP, from any port
80 | - Offering DNS forwarding, port mapping and forwarding and proxying
81 | - Connect: `nc -e IPaddress Port#`
82 | - Open a listening port on 55555 from target machine: `nc -l -p 5555 -e /bin/bash`
83 | - **CryptCat**: encrypted version of netcat
84 |
85 | ##### Some Trojan Port Numbers
86 |
87 | | Trojan Name | Port |
88 | | :---------------- | :------ |
89 | | Death | 2 |
90 | | Senna Spy | 20 |
91 | | Hackers Paradise | 31,456 |
92 | | TCP Wrappers | 421 |
93 | | Doom, Santaz Back | 666 |
94 | | Silencer, WebEx | 1001 |
95 | | RAT | 1095-98 |
96 | | SubSeven | 1243 |
97 | | Shiva-Burka | 1600 |
98 | | Trojan Cow | 2001 |
99 | | Deep Throat | 6670-71 |
100 | | NetBus | 12345-6 |
101 | | Whack a Mole | 12361-3 |
102 | | Back Orifice | 31337,8 |
103 |
104 | ##### Tools
105 |
106 | - **Process Explorer** \(PE\): Microsoft tool that shows you everything about running processes
107 | - **Registry Monitoring Tools**
108 | - SysAnalyzer
109 | - Active Registry Monitor
110 | - Regshot
111 | - **Tripwire**: integrity verifier that can act as a HIDS in protection against Trojans
112 | - **SIGVERIF**: building into Windows to verify the integrity of the system
113 | - Log file can be found at c:\windows\system32\sigverif.txt
114 | - Looking for drivers that are not signed
115 |
116 | #### Virus
117 |
118 | - Self-replicating program that reproduces by attaching copies of itself into other executable code
119 | - Usually installed by user clicking on malicious file attachments or downloads
120 |
121 | ##### Types of Viruses
122 |
123 | - **Virus Hoax**: a kind of bluff and false alarm claiming reports about nonexistent viruses to cause fear
124 | - **Fake Antivirus**: trying to convince a user has a virus and have them download an AV that is a virus itself
125 | - **Ransomware**: malicious software designed to deny access to a computer until a price is paid; usually spread through email
126 | - **Locky**: Using RSA-2048 and AES-128 to lock files
127 | - **WannaCry**: famous ransomware, within 24 hours had 230,000 victims, exploited unpatched SMB vulnerability
128 | - **Petya-NotPetya**: spreading over network using WMIC \(Windows Management Instrumentation Command-line\) by capturing all credentials from local machine using Mimikatz
129 | - **Boot Sector Virus**: known as system virus, moving boot sector to another location and then inserts its code in the original location
130 | - **Shell Virus**: wrapping around an application's code, inserting itself before the application's
131 | - **Cluster Virus**: modifying directory table entries so every time a file or folder is opened, the virus runs
132 | - **Multipartite Virus**
133 | - Attempting to infect both boot sector and files
134 | - Generally referring to viruses with multiple infection methods, or executing different in different places on target at the same time
135 | - **Macro Virus**: written in VBA, infects template files, mostly MS Word and MS Excel
136 | - **Polymorphic Code Virus**: mutating its code by using a polymorphic engine; difficult to find because code is always changing
137 | - **Encryption Virus**: using encryption to hide the code from antivirus
138 | - **Metamorphic Virus**: rewriting itself every time it infects a new file
139 | - Win32/ Simile
140 | - Zmist: Mistfall is the first virus uses technique called code integration. This code inserts itself into other code and regenerates code and rebuilds the executable
141 | - **Stealth Virus**: known as tunneling virus, attempts to evade AVs by actively altering and corrupting the service call interrupts while running
142 | - **Cavity Virus**: overwriting portions of host files as to not increase the actual size of the file; uses null content sections
143 | - **Armored Virus**: containing a variety of mechanisms specifically coded to make its detection and decryption very difficult
144 | - **Companion/Camouflage Virus**: spoofing a scanner by camouflaging itself to the identical file name as targeted program file
145 | - **Cluster Virus**: modifying directory table entries so that it points users or system processes to the virus code instead of the actual program
146 | - **Sparse Infector Virus**
147 | - Only infecting occasionally, like every tenth program executed
148 | - Deciding which file to infect based on certain conditions, like target file with max. size of 128kb
149 | - **File Extension Virus**: changing the file extensions of files to take advantage of most people having them turned off \(readme.txt.vbs shows as readme.txt\)
150 | - **Logic Bomb Virus**: triggered by a response to an event, such as launching an application or when a specific date/time is reached
151 |
152 | #### Worm
153 |
154 | - Self-replicating malware that sends itself to other computers without human intervention
155 | - Usually doesn't infect files, just resides in active memory
156 | - Often used in botnets
157 |
158 | ### Analyzing Malware
159 |
160 | - **Sheep Dip**: referring to analysis of suspect files
161 | - **Sheep Dip Computer**: installed with port monitors, file monitors, network monitors and antivirus software, connects to a network only under strictly controlled conditions
162 |
163 | #### Static Analysis
164 |
165 | - Dismantling of a given executable into binary format to study its functionalities and features
166 | - Tools
167 | - HashMyFiles: file fingerprinting
168 | - VirusTotal: online malware scanning
169 | - PEiD: identifying packing/obfuscation methods
170 | - Dependency Walker: listing all dependent modules of an executable file
171 | - IDA Pro: disassembler and debugger
172 |
173 | #### Dynamic Analysis
174 |
175 | - Running malware and identifying changes to the system, usually in a sandbox environment
176 | 1. Make sure you have a good test bed
177 | - Use a VM with NIC in host-only mode and no open shares
178 | 2. Analyze the malware on the isolated VM in a static state
179 | - Tools - binText and UPX help with looking at binary
180 | 3. Run the malware and check out processes
181 | - Use Process Monitor, etc. to look at processes
182 | - Use NetResident, TCPview or even Wireshark to look at network activity
183 | 4. Check and see what files were added, changed, or deleted
184 |
185 | #### Heuristic Analysis
186 |
187 | - Detecting new or unknown viruses that are usually variants of an already existing virus family
188 | - Drawback: too many false positives
189 | - Can be static or dynamic
190 | - **Static Heuristic Analysis**: The anti-virus analyzes the file format and code structure to determine if the code is viral
191 | - **Dynamic Heuristic Analysis**: The anti-virus performs a code emulation of the suspicious code to determine if the code is viral
192 |
193 | #### Tools
194 |
195 | - IDA Pro
196 | - Anubis
197 | - Threat Analyzer
198 |
199 | ### Preventing Malware
200 |
201 | - Make sure you know what is going on in your system
202 | - Have a good antivirus that is up to date
203 | - **DEP** \(Data Execution Prevention\): prevents from accidentally executing a potentially malicious batch or PowerShell script in Windows
204 | - **DLP** \(Data Loss Prevention\): a strategy for preventing end users from sending sensitive or critical information outside of the corporate network
205 |
206 | ### DoS \(Denial of Service\) Attacks
207 |
208 | - Seeking to take down a system or deny access to it by authorized users
209 | - **Botnet**: network of zombie computers a hacker uses to start a distributed attack
210 | - Can be controlled over HTTP, HTTPS, IRC, or ICQ
211 |
212 | #### Basic Categories
213 |
214 | - **Fragmentation Attack**: taking advantage of the system's ability to reconstruct fragmented packets
215 | - **Volumetric Attack**: bandwidth attack, consuming all bandwidth for the system or service
216 | - **Application Attack**
217 | - Consuming the resources necessary for the application to run
218 | - Application level attack is against weak code
219 | - Application attack is just the general term
220 | - **TCP state-exhaustion Attack**: going after load balancers, firewalls and application servers by attacking connection state tables
221 | - **SYN Flood**: sending thousands of SYN packets with fake source IP address and not responding to the SYN/ACK packets; lots of half connections where the 3-way hanndshake is never completed; eventually target runs out of resources
222 | - **ICMP flood**: sending ICMP ECHO packets with a spoofed address; eventually reaches limit of packets per second sent
223 | - **Smurf**: sending large number of pings to the broadcast address of the subnet with source IP spoofed as the target, entire subnet responds exhausting the target; using ICMP ECHO requests
224 | - **Fraggle**: same as Smurf but with UDP packets
225 | - **Ping of Death**: fragmenting ICMP messages, after reassembled, ICMP packet is larger than the maximum size and crashes the system
226 | - **Teardrop**: overlapping numerous garbled TCP/IP fragments with oversized payloads, causes older systems to crash due to fragment reassembly
227 | - **Phlashing**: also known as bricking a system, causing permanent damage to a system
228 | - **LAND Attack** \(Local Area Network Denial\): sending a TCP SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes
229 | - **DDoS** \(Distributied Denial of Service\): incoming traffic flooding the victim originates from many different sources
230 | - **DRDoS** \(Distributied Reflexion Denial of Service\): using IP spoofing, the source address is set to targeted victim, which means all the replies will go to the target and flood the target
231 | - **Slowloris**: trying to keep many connections to the target web server open and hold them open as long as possible
232 |
233 | #### Tools
234 |
235 | - Low Orbit Ion Cannon \(LOIC\): DDoS tool that floods a target with TCP, UDP or HTTP requests
236 | - Trinity: Linux based DDoS tool
237 |
238 | ### Session Hijacking
239 |
240 | - Attacker waits for a session to begin and after the victim authenticates, steals the session for himself
241 | - Predicting can be done by knowing the window size and the packet sequence number
242 | - Also can be done via brute force, calculation or stealing
243 |
244 | #### Steps
245 |
246 | 1. Sniff the traffic between the client and server
247 | 2. Monitor the traffic and predict the sequence numbering
248 | 3. Desynchronize the session with the client
249 | 4. Predict the session token and take over the session
250 | 5. Inject packets to the target server
251 |
252 | #### Countermeasures
253 |
254 | - Using unpredictable session IDs
255 | - Limiting incoming connections
256 | - Minimizing remote access
257 | - Regenerating the session key after authentication
258 | - Using **IPsec** to encrypt
259 |
260 | #### IPsec \(Internet Protocol Security\)
261 |
262 | - **Transport Mode**
263 | - Payload and ESP trailer are encrypted, not IP header
264 | - Can be used in NAT because the original packet is still routed in exactly the same manner as it would have been without IPsec
265 | - **Tunnel mode**
266 | - Everything is encrypted
267 | - Cannot be used with NAT
268 | - **Architecture Protocols**
269 | - **Authentication Header**: guarantying the integrity and authentication of IP packet sender
270 | - **Encapsulating Security Payload** \(ESP\): providing origin authenticity and integrity as well as confidentiality
271 | - **Internet Key Exchange** \(IKE\): producing the keys for the encryption/decryption process, port 500
272 | - **Oakley**: using Diffie-Hellman to create master and session keys
273 | - **Internet Security Association Key Management Protocol** \(ISAKMP\): software that facilitates encrypted communication between two endpoints
274 |
275 | #### Tools
276 |
277 | - **Ettercap**: man-in-the-middle tool and packet sniffer on steroids
278 | - **Zaproxy**
279 | - **Paros proxy**
280 | - **Burp Suite**
281 | - **Hamster**
282 | - **IKE-scan**: IPsec VPN scanning and fingerprinting tool
283 |
--------------------------------------------------------------------------------
/11-cryptography.md:
--------------------------------------------------------------------------------
1 | # 11-Cryptography
2 |
3 | ## Table of Contents
4 |
5 | - [Cryptography](11-cryptography.md#cryptography)
6 | - [Cryptography Basics](11-cryptography.md#cryptography-basics)
7 | - [Classical Ciphers](11-cryptography.md#classical-ciphers)
8 | - [Modern Ciphers](11-cryptography.md#modern-ciphers)
9 | - [Based on type of key used](11-cryptography.md#based-on-type-of-key-used)
10 | - [Based on type of input data](11-cryptography.md#based-on-type-of-input-data)
11 | - [Cryptanalysis Methods](11-cryptography.md#cryptanalysis-methods)
12 | - [Code Breaking Methodologies](11-cryptography.md#code-breaking-methodologies)
13 | - [Encryption Algorithms and Techniques](11-cryptography.md#encryption-algorithms-and-techniques)
14 | - [Encryption types in OSI](11-cryptography.md#encryption-types-in-osi)
15 | - [Symmetric Encryption](11-cryptography.md#symmetric-encryption)
16 | - [DES \(Data Encryption Standard\)](11-cryptography.md#des-data-encryption-standard)
17 | - [3DES \(Triple Data Encryption Standard\)](11-cryptography.md#3des-triple-data-encryption-standard)
18 | - [AES \(Advanced Encryption Standard\)](11-cryptography.md#aes-advanced-encryption-standard)
19 | - [RC \(Rivest Cipher\)](11-cryptography.md#rc-rivest-cipher)
20 | - [Blowfish](11-cryptography.md#blowfish)
21 | - [Twofish](11-cryptography.md#twofish)
22 | - [Asymmetric Encryption](11-cryptography.md#asymmetric-encryption)
23 | - [RSA \(Rivest–Shamir–Adleman\)](11-cryptography.md#rsa-rivestshamiradleman)
24 | - [Diffie-Hellman](11-cryptography.md#diffie-hellman)
25 | - [ECC \(Elliptic Curve Cryptosystem\)](11-cryptography.md#ecc-elliptic-curve-cryptosystem)
26 | - [Public Key Infrastructure \(PKI\)](11-cryptography.md#public-key-infrastructure-pki)
27 | - [Components of PKI](11-cryptography.md#components-of-pki)
28 | - [PKI Process Flow](11-cryptography.md#pki-process-flow)
29 | - [Digital Certificates](11-cryptography.md#digital-certificates)
30 | - [Digital Signatures](11-cryptography.md#digital-signatures)
31 | - [Digital Signature workflow](11-cryptography.md#digital-signature-workflow)
32 | - [Full Disk Encryption \(FDE\)](11-cryptography.md#full-disk-encryption-fde)
33 | - [Encrypted Communication](11-cryptography.md#encrypted-communication)
34 | - [Secure Sockets Layer \(SSL\)](11-cryptography.md#secure-sockets-layer-ssl)
35 | - [Channelsecurity](11-cryptography.md#channelsecurity)
36 | - [SSL/TLS handshake process](11-cryptography.md#ssltls-handshake-process)
37 | - [Transport Layer Security \(TLS\)](11-cryptography.md#transport-layer-security-tls)
38 | - [Two Layers](11-cryptography.md#two-layers)
39 | - [PGP \(Pretty Good Privacy\)](11-cryptography.md#pgp-pretty-good-privacy)
40 | - [PGP Encryption and Decryption Workflow](11-cryptography.md#pgp-encryption-and-decryption-workflow)
41 | - [Cryptography Attacks](11-cryptography.md#cryptography-attacks)
42 | - [Hash Algorithms](11-cryptography.md#hash-algorithms)
43 | - [MD5 \(Message Digest algorithm\)](11-cryptography.md#md5-message-digest-algorithm)
44 | - [SHA \(Secure Hash Algorithms\)](11-cryptography.md#sha-secure-hash-algorithms)
45 | - [RIPEMD \(RACE Integrity Primitives Evaluation Message Digest\)](11-cryptography.md#ripemd-race-integrity-primitives-evaluation-message-digest)
46 | - [Attacks](11-cryptography.md#attacks)
47 | - [Steganography](11-cryptography.md#steganography)
48 | - [Methods](11-cryptography.md#methods)
49 | - [Ways to Identify](11-cryptography.md#ways-to-identify)
50 | - [Tools](11-cryptography.md#tools)
51 |
52 | ## Cryptography
53 |
54 | ### Cryptography Basics
55 |
56 | - Science or study of protecting information whether in transit or at rest
57 | - Rendering the information unusable to anyone who can't decrypt it
58 | - Taking plain text, applies cryptographic method, turn it into cipher text
59 | - **Cipher**: an algorithm performing encryption and decryption
60 |
61 | #### Classical Ciphers
62 |
63 | - **Substitution**: bits are replaced by other bits
64 | - **Transposition**: not replacing, simply changes order
65 |
66 | #### Modern Ciphers
67 |
68 | ##### Based on type of key used
69 |
70 | - **Private Key**: same key used for encryption and decryption
71 | - **Public Key**: 2 different keys used for encryption and decryption
72 |
73 | ##### Based on type of input data
74 |
75 | - **Block Cipher**
76 | - Data bits are split up into blocks and fed into the cipher
77 | - Each block of data \(usually 64 bits\) is encrypted with key and algorithm
78 | - Simpler and slower than stream ciphers
79 | - Key chosen for cipher must have a length larger than the data, if not, it is vulnerable to frequency attacks
80 | - **Stream Cipher**
81 |
82 | - Readable bits are encrypted one at a time in a continuous stream
83 | - Working at a high rate of speed
84 | - Usually done by an XOR operation \(exclusive or\)
85 |
86 | ```text
87 | 0 XOR 0 = 0
88 | 1 XOR 1 = 0
89 | 0 XOR 1 = 1
90 | 1 XOR 0 = 1
91 | ```
92 |
93 | #### Cryptanalysis Methods
94 |
95 | - Study and methods used to crack cipher text
96 | - **Linear Cryptanalysis**
97 | - Working best on block ciphers
98 | - Given enough pairs of plaintext and corresponding ciphertext, key can be obtained
99 | - **Differential Cryptanalysis**
100 | - Applying to symmetric key algorithms
101 | - Comparing differences in the inputs to how each one affects the outcome
102 | - Working with **chosen plaintext** originally, also works with **known plaintext and ciphertext**
103 | - **Integral Cryptanalysis**
104 | - Useful against block ciphers
105 | - Input vs Output comparison same as differential, however, runs multiple computations of the same block size input
106 |
107 | #### Code Breaking Methodologies
108 |
109 | - **Brute Force**: exhaustive search, keys are determined by trying every possible combination of characters
110 | - **Frequency Analysis**: study of the frequency of letters or groups of letters in a ciphertext, can be used to crack a substitution cipher, like rotation cipher ROT13
111 | - **Trickery and Deceit**
112 | - Requiring a high level of mathematical and cryptographic skills
113 | - Using social engineering techniques to trick someone to encrypt and send a known message
114 | - **One-time Pad**
115 | - Assuming to be unbreakable
116 | - A shared random key that has to be the same length or longer than the cipher text
117 | - Each individual bit or character of plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition
118 | - **Drawback**: key length is same as that of message, impossible to encrypt and send large messages
119 |
120 | ### Encryption Algorithms and Techniques
121 |
122 | - **Algorithm**: step-by-step method of solving a problem
123 | - **Encryption Algorithms**: mathematical formulas used to encrypt and decrypt data
124 | - Keys should still change on a regular basis even though they may be "unhackable"
125 | - Per U.S. Government, an algorithm using at least a 256-bit key cannot be cracked
126 |
127 | #### Encryption types in OSI
128 |
129 | | Encryption type | OSI layer |
130 | | :--------------------------------------- | :---------------------------------------------------- |
131 | | Link encryption | 2, everything including original headers is encrypted |
132 | | Network encryption | 3, everything in the packet is encrypted |
133 | | Protocol encryption | 4, specific protocols are entirely encrypted eg. SSL |
134 | | Service based encryption | 5, encryption for specific services on specific hosts |
135 | | Data encryption | 6 |
136 | | Application based information encryption | 7 |
137 |
138 | ### Symmetric Encryption
139 |
140 | - One key is used to encrypt and decrypt the data, known as single key or shared key
141 | - Problems include key distribution and management
142 | - Suitable for large amounts of data
143 | - Harder for groups of people because more keys are needed as group increases
144 | - Doing nothing for non-repudiation, only performs confidentiality
145 |
146 | #### DES \(Data Encryption Standard\)
147 |
148 | - Block cipher, 56-bit key, 64-bit block size
149 | - Quickly outdated and now considered not very secure
150 | - Kerberos 1-4 used DES
151 |
152 | #### 3DES \(Triple Data Encryption Standard\)
153 |
154 | - Block cipher, 168-bit key
155 | - More effective than DES but much slower
156 | - 3 keys are used:
157 | - 1st key is used to encrypt the plain text
158 | - 2nd key is used to decrypt ciphertext resulting from the first round of encryption
159 | - 3rd key is used to encrypt the ciphertext that resulted from the decryption with the 2nd key
160 |
161 | #### AES \(Advanced Encryption Standard\)
162 |
163 | - Iterated block cipher, 128, 192 or 256 bit key, 128-bit block size
164 | - Symmetric key algorithm
165 | - Working by repeating same operation multiple times
166 | - Replacing DES, much faster than DES and 3DES
167 | - Original name is Rijndael
168 |
169 | #### RC \(Rivest Cipher\)
170 |
171 | - RC4 is a symmetric key **stream** cipher
172 | - RC5 is a parameterized algorithm with variable block size, 128-bit key, 2-bit working registers
173 | - RC6 is a symmetric key block cipher, uses integer multiplication and 4-bit working registers
174 |
175 | #### Blowfish
176 |
177 | - Fast symmetric block cipher, 64-bit block size, 32 to 448 bits key
178 | - Replaced by AES
179 | - Considered public domain
180 |
181 | #### Twofish
182 |
183 | - Block cipher, 128-bit block, up to 256 bit key
184 |
185 | ### Asymmetric Encryption
186 |
187 | - Using two types of keys for encryption and decryption
188 | - One key encrypts, the other decrypts
189 | - The private key is used to digitally sign a message
190 |
191 | #### RSA \(Rivest–Shamir–Adleman\)
192 |
193 | - Achieving strong encryption through the use of two large prime numbers
194 | - Factoring two prime numbers to create key sizes up to 4096 bits
195 | - Modern de-facto encryption standard
196 | - **Downside**: slower than symmetric especially on bulk encryption and processing power
197 |
198 | #### Diffie-Hellman
199 |
200 | - Developed as a key exchange protocol
201 | - Used in SSL and IPsec
202 | - If digital signatures are waived, vulnerable to MITM attacks
203 |
204 | #### ECC \(Elliptic Curve Cryptosystem\)
205 |
206 | - Using points on elliptical curve along with logarithmic problems
207 | - Using less processing power, smaller keys, good for mobile devices
208 |
209 | ### Public Key Infrastructure \(PKI\)
210 |
211 | - Structure designed to verify and authenticate the identity of individuals
212 | - **Cross-Certification**
213 | - Allowing a CA to trust another CS in a completely different PKI
214 | - Allowing both CAs to validate certificates from either side
215 | - **Single-authority system**: CA at the top that creates and issues certificates
216 | - **Hierarchical trust system**
217 | - CA at the top \(root CA\)
218 | - Making use of one or more RAs \(subordinate CAs\) underneath it to issue and manage certificates
219 |
220 | #### Components of PKI
221 |
222 | - **Certificate Management System**: generates, distributes, stores, and verifies certificates
223 | - **Validation Authority**: \(VA\) used to validate certificates, stores certificates with their public keys
224 | - **Certificate Authority**: \(CA\) third party to issue and verify digital certificates
225 | - Comodo
226 | - IdentTrust
227 | - Symantec
228 | - GoDaddy
229 | - **End user**: requests, manages, and uses certificates
230 | - **Registration Authority**: \(RA\) acts as verifier for the certificate authority
231 |
232 | #### PKI Process Flow
233 |
234 | A user applies for a certificate with his public key at a RA. RA confirms the user's identity to CA which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. His identity is then checked by the contracting party with a VA which again receives information about issued certificates by the CA.
235 |
236 | ```text
237 | Cert. info
238 | --------> CA --------------------------> VA
239 | | | |^
240 | |OK | ||
241 | | | ||
242 | RA |Cert. OK || Cert.
243 | ^ | ||
244 | |Pub. K | ||
245 | | v Sign with Cert. v|
246 | --------- User ---------------> Contracing Party
247 | ```
248 |
249 | ### Digital Certificates
250 |
251 | - **Certificate**: electronic file that is used to verify a user's identity, provides non-repudiation
252 | - **Non-repudiation**: a recipient can ensure the identity of the sender and neither party can deny sending
253 | - **X.509**: standard used for digital certificates, public key encryption
254 | - **Self-Signed Certificates**
255 | - Not signed by a CA
256 | - Signed by the same entity it certifies
257 | - Generally not used for public, used for development purposes
258 | - The certificate verification rarely occurs due to necessity of disclosing the private key
259 |
260 | ### Digital Signatures
261 |
262 | - Unforgeable and authentic
263 | - When signing a message, you sign it with your **private** key and the recipient decrypts the hash with your **public** key
264 | - **Digital Signature Algorithm** \(DSA\): used in generation and verification of digital signatures per FIPS 186-2
265 |
266 | #### Digital Signature workflow
267 |
268 | ```text
269 | - Sign
270 | Hashing Algo. Digital Sign
271 | Message --------------> Message -------------------------> Message
272 | + hash value using sender's PRIVATE key + singed hash
273 |
274 | - Seal
275 | Encrypt Seal
276 | ----------------> Encrypted message --------------------------> Sealed message
277 | using one-time + sysmmetric key Encrypt sysmmetric key
278 | sysmmetric key using recipient's PUBLIC key
279 |
280 | - Open
281 | Decrypt Decrypt
282 | Sealed message ---------------------------> Encrypted message --------------------> Message
283 | with recipient's PRIVATE key + sysmmetric key with sysmmetric key + signed hash
284 |
285 | - Verify
286 | Unlock signed hash Rehash message & Compare
287 | -----------------------> Message -------------------------> Verified message
288 | with sender's PUBLIC key + Hash value
289 | ```
290 |
291 | ### Full Disk Encryption \(FDE\)
292 |
293 | - Encrypting every bit of data stored on a disk or a disk volume
294 | - Working similar to text-message encryption and protects data even OS is not active
295 | - Preventing real-time exchange of information from compromising threats
296 | - Ensuring security of the system
297 | - Tools
298 | - VeraCrypt
299 | - Symantec Drive Encryption
300 | - BitLocker Drive Encryption
301 |
302 | ### Encrypted Communication
303 |
304 | #### Secure Sockets Layer \(SSL\)
305 |
306 | - Using both asymmetric and symmetric authentication mechanisms
307 | - Encrypting data at Transport Layer and above
308 | - Using RSA asymmetric encryption and digital certificates
309 | - Having largely been replaced by TLS
310 |
311 | ##### Channelsecurity
312 |
313 | - **Private channel**:: encrypted messages, a simple handshake defines secret key
314 | - **Authenticated channel**: encrypted server endpoint, client endpoint is optionally authenticated
315 | - **Reliable channel**: message transfer has an integrity check
316 |
317 | ##### SSL/TLS handshake process
318 |
319 | ```text
320 | -------- --------
321 | │Client│ │Server│
322 | -------- --------
323 | │ │
324 | │ Cipher Suite │
325 | │--------------------------------------------->│
326 | │ │
327 | │ SSL Cert. (Public Key) │
328 | │<---------------------------------------------│
329 | │ │
330 | Public Key │
331 | Verified │
332 | │ Encrypted Session Key │
333 | │ (generated using server Public Key) │
334 | │--------------------------------------------->│
335 | │ Session Key
336 | │ decrypted
337 | │ Session Key is in place │
338 | │<-------------------------------------------->│
339 | │ │
340 | │ Session Key used for encryption & decryption │
341 | │<-------------------------------------------->│
342 | -------- --------
343 | │Client│ │Server│
344 | -------- --------
345 | ```
346 |
347 | #### Transport Layer Security \(TLS\)
348 |
349 | - Using RSA 1024 and 2048 bits, successor to SSL
350 | - Allowing both client and server to authenticate to each other
351 | - TLS Record Protocol provides secured communication channel
352 |
353 | ##### Two Layers
354 |
355 | - **TLS Record Protocol**
356 | - Connection is private: using symmetric cryptography for data encryption
357 | - Connection is reliable: providing message integrity check
358 | - **TLS Handshake Protocol**
359 | - Providing connection security that has three basic properties:
360 | - The peer's identity can be authenticated using asymmetric cryptography
361 | - The negotiation of a shared secret is secure
362 | - The negotiation is reliable
363 | - TLS Handshake Protocol operates on top of TLS record layer
364 |
365 | #### PGP \(Pretty Good Privacy\)
366 |
367 | - Features conventional and public key cryptography
368 | - The file format uses asymmetric encryption to encrypt a symmetric encryption key
369 | - The symmetric encryption key encrypts the data
370 | - Both symmetric and asymmetric keys are used, known as hybrid cryptosystem
371 | - Used for signing, compress and encryption of emails, files and directories
372 | - Using a decentralized model, called web of trust, where individual users sign keys that belong to other people to validate that key are who they say they are
373 |
374 | ##### PGP Encryption and Decryption Workflow
375 |
376 | ```text
377 | - Encryption
378 | Compress Encrypt
379 | Data ----------------> -----------------------------> Cipher text
380 | reduce patterns with Random key as secret key
381 |
382 | Encrypt
383 | Random key --------------------------> Encrypted Random key
384 | with recipient's PUBLIC key
385 |
386 | - Decryption
387 | Decrypt
388 | Encrypted Random key ---------------------------> Random key
389 | with recipient's PRIVATE key
390 |
391 | Decrypt
392 | Cipher text ---------------> Data
393 | with Random key
394 | ```
395 |
396 | ### Cryptography Attacks
397 |
398 | - **Known-plaintext Attack** \(KPA\)
399 | - Obtaining some plaintext blocks along with corresponding ciphertext and cipher
400 | - Working on block ciphers, linear cryptanalysis
401 | - **Ciphertext-only Attack**: \(COA\)
402 | - Gaining copies of several ciphertexts with the same algorithm
403 | - Recovering encryption key from ciphertext
404 | - **Chosen-plaintext Attack** \(CPA\)
405 | - Obtaining ciphertexts corresponding to a set of plaintexts of attacker's own choosing
406 | - Attempting to derive the key used
407 | - **Adaptive Chosen-plaintext Attack**
408 | - Modifying content of message by making a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions
409 | - **Chosen-Ciphertext Attack** \(CCA\)
410 | - Obtaining plaintexts corresponding to a set of ciphertexts of attacker's own choosing
411 | - Must have access to communication channel between sender and receiver
412 | - **Lunchtime Attack** or **Midnight Attack**: attacker can have access to system for only a limited amount of time, can access only few plaintext-ciphertext pairs
413 | - **Adaptive Chosen-ciphertext** \(CCA2\): selecting a series of ciphertexts and then observes the resulting plaintext blocks
414 | - **Related-key Attack**: obtaining ciphertexts encrypted under two different keys, useful if attacker can obtain plaintext and matching ciphertext
415 | - **Dictionary Attack**: constructing a dictionary of plaintext along with its corresponding ciphertext
416 | - **Chosen-key Attack**: breaking an n bit key cipher into 2^n/2 numbers of operations
417 | - **Timing Attack**: repeatedly measuring exact execution times of modular exponentiation operations
418 | - **Meet-in-the-middle Attack**
419 | - Using some sort of time-space trade-off to drastically reduce the effort to perform a brute-force attack \(e.g., transforming an attack that requires 2exp128 time into one that takes 2exp64 time and 2exp64 space\)
420 | - May also refer to a type of attack over certain block ciphers, where the attacker decompose the problem in two halves and proceeds on each part separately
421 | - **Side-Channel Attack**: monitoring environmental factors such as power consumption, timing and delay
422 | - **DUHK Attack** \(Don't Use Hard-Coded Keys\)
423 | - Allowing attackers to access keys in certain VPN implementations
424 | - Affecting devices using ANSI X9.31 with a hard-coded seed key
425 | - **Escrow key**
426 | - Stored in a safe place by a trusted third party
427 | - Enabling companies to remain compliant with government mandates regarding its ability to gain access when necessary
428 | - Government Access to Keys \(GAK\) allowing the government to gain access to encrypted communications without interference from the company being investigated
429 | - Tools
430 | - L0phtcrack: used mainly against Windows SAM files
431 | - John the Ripper: UNIX/Linux tool for the same purpose
432 | - CrypTool
433 | - Cryptobench
434 |
435 | ### Hash Algorithms
436 |
437 | - One-way mathematical function that produces a fix-length string \(hash\) based on the arrangement of data bits in the input
438 | - Used for integrity
439 | - **Salt**: used with a hash to obscure the hash, collection of random bits
440 |
441 | #### MD5 \(Message Digest algorithm\)
442 |
443 | - Produces 128 bit hash expressed as 32 digit hexadecimal number
444 | - Having serious flaws
445 | - Still used for file download verification
446 |
447 | #### SHA \(Secure Hash Algorithms\)
448 |
449 | - **SHA-1**: 160 bits, developed by NSA
450 | - **SHA-2**
451 | - Four separate hash functions
452 | - Outputs of 224, 256, 384 and 512 bits
453 | - SHA-256 uses 32-bit block words
454 | - SHA-512 uses 64-bit block words
455 | - **SHA-3**: using sponge construction
456 |
457 | #### RIPEMD \(RACE Integrity Primitives Evaluation Message Digest\)
458 |
459 | - 160-bit hash algorithm
460 | - Working through 80 stages made up of 6 blocks that executes 16 times each
461 | - Using modulo 32 addition
462 |
463 | #### Attacks
464 |
465 | - **Collision**
466 | - Occurring when two or more files create the same hash output
467 | - Rare but can happen and can be used an attack
468 | - **Birthday attack**: attack that depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations
469 | - **Rainbow Tables**: containing precomputed hashes to try and find out passwords
470 | - Tools
471 | - HashCalc
472 | - MD5 Calculator
473 |
474 | ### Steganography
475 |
476 | - Practicing of concealing a message inside another medium so that only the sender and recipient know of its existence
477 | - **Steganalysis**: the process of discovering the existence of the hidden information in a medium, the reverse process of steganography
478 |
479 | #### Methods
480 |
481 | - Least significant bit insertion: changes least meaningful bit
482 | - Makes and filters \(grayscale images\): like watermarking
483 | - Algorithmic transformation: hides in mathematical functions used in image compression
484 | - **Noisy areas**: noisy areas are those that draw less attention, like areas with a great deal of natural color variation in the image
485 | - **Transform domain technique**: Steganography hides the information in significant parts of the cover image such as cropping, compression, and some other image processing areas
486 |
487 | #### Ways to Identify
488 |
489 | - Text: character positions are key; blank spaces, text patterns
490 | - Image: file larger in size; some may have color palette faults
491 | - Audio & Video: require statistical analysis
492 |
493 | #### Tools
494 |
495 | - QuickStego
496 | - gifshuffle
497 | - MP3Stego
498 | - SNOW
499 | - OpenStego
500 |
--------------------------------------------------------------------------------
/12-social_engineering.md:
--------------------------------------------------------------------------------
1 | # 12-Social Engineering
2 |
3 | ## Table of Contents
4 |
5 | - [Social Engineering](12-social_engineering.md#social-engineering)
6 | - [Social Engineering Phases](12-social_engineering.md#social-engineering-phases)
7 | - [Reasons This Works](12-social_engineering.md#reasons-this-works)
8 | - [Human-Based Attacks](12-social_engineering.md#human-based-attacks)
9 | - [Impersonation](12-social_engineering.md#impersonation)
10 | - [Eavesdropping](12-social_engineering.md#eavesdropping)
11 | - [Shoulder Surfing](12-social_engineering.md#shoulder-surfing)
12 | - [Dumpster Diving](12-social_engineering.md#dumpster-diving)
13 | - [Reverse Social Engineering](12-social_engineering.md#reverse-social-engineering)
14 | - [Piggybacking](12-social_engineering.md#piggybacking)
15 | - [Tailgating](12-social_engineering.md#tailgating)
16 | - [Rubber-hose Attack](12-social_engineering.md#rubber-hose-attack)
17 | - [Computer-Based Attacks](12-social_engineering.md#computer-based-attacks)
18 | - [Pop-Up Windows](12-social_engineering.md#pop-up-windows)
19 | - [Phishing](12-social_engineering.md#phishing)
20 | - [Spear Phishing](12-social_engineering.md#spear-phishing)
21 | - [Whaling](12-social_engineering.md#whaling)
22 | - [Pharming](12-social_engineering.md#pharming)
23 | - [Spimming \(Spam over Instant Messaging\)](12-social_engineering.md#spimming-spam-over-instant-messaging)
24 | - [Fake Antivirus](12-social_engineering.md#fake-antivirus)
25 | - [Mail Relaying](12-social_engineering.md#mail-relaying)
26 | - [Watering hole](12-social_engineering.md#watering-hole)
27 | - [Baitting attack](12-social_engineering.md#baitting-attack)
28 | - [Mobile-Based Attacks](12-social_engineering.md#mobile-based-attacks)
29 | - [Insider Threats](12-social_engineering.md#insider-threats)
30 | - [Insiders](12-social_engineering.md#insiders)
31 | - [Types of Threats](12-social_engineering.md#types-of-threats)
32 |
33 | ## Social Engineering
34 |
35 | - The art of manipulating a person or group into providing information or a service they would otherwise not have given
36 |
37 | ### Social Engineering Phases
38 |
39 | 1. Research \(dumpster dive, visit websites, tour the company, etc.\)
40 | 2. Select the victim \(identify frustrated employee or other target\)
41 | 3. Develop a relationship
42 | 4. Exploit the relationship \(collect sensitive information\)
43 |
44 | ### Reasons This Works
45 |
46 | - Human nature \(trusting others\)
47 | - Ignorance of social engineering efforts
48 | - Fear \(of consequences of not providing the information\)
49 | - Greed \(promised gain for providing requested information\)
50 | - A sense of moral obligation
51 |
52 | ### Human-Based Attacks
53 |
54 | - Always be pleasant because it gets more information
55 |
56 | #### Impersonation
57 |
58 | - Pretending to be someone you're not
59 | - Can be anything from a help desk person up to an authoritative figure \(FBI agent\)
60 | - Posing as a tech support professional can really quickly gain trust with a person
61 | - **Vishing** Voice or VoIP phishing: an impersonation technique in which attacker uses Voice over IP \(VoIP\) technology to trick individuals into revealing their personal information
62 |
63 | #### Eavesdropping
64 |
65 | - Listening in on conversations about sensitive information
66 |
67 | #### Shoulder Surfing
68 |
69 | - Looking over someone's shoulder to get info
70 | - Can be done long distance with binoculars, etc.
71 |
72 | #### Dumpster Diving
73 |
74 | - Looking for sensitive information in the trash
75 | - Shredded papers can sometimes indicate sensitive info
76 | - Passive activity
77 |
78 | #### Reverse Social Engineering
79 |
80 | - Getting someone to call you and give information
81 | - Often happening with tech support, eg: an email is sent to user stating they need them to call back due to technical issue
82 | - Involved techniques: **Sabotage**, **Marketing**, and **Support**
83 |
84 | #### Piggybacking
85 |
86 | - Attacker pretends that badge is lost and attacker asks someone to hold/open the door, **with consent** of the authorized person
87 |
88 | #### Tailgating
89 |
90 | - Attacker has a fake badge and walks in behind someone who has a valid one, **without consent** of the authorized person
91 |
92 | #### Rubber-hose Attack
93 |
94 | - Extracting secrets from people by use of torture or coercion
95 |
96 | ### Computer-Based Attacks
97 |
98 | - Can begin with sites like Facebook where information about a person is available
99 |
100 | #### Pop-Up Windows
101 |
102 | - Hoax letters: warns the recipients of a non-existent computer virus threat
103 | - Chain letters: offers free gifts
104 | - Instant Chat Messenger: chats via instant chat messages to gather personal information
105 | - Spam Emails
106 |
107 | #### Phishing
108 |
109 | - Crafting an email that appears legitimate but contains links to fake websites or to download malicious content
110 | - **Ways to Avoid Phishing**
111 | - Beware unknown, unexpected or suspicious originators
112 | - Beware of who the email is addressed to
113 | - Verify phone numbers
114 | - Beware bad spelling or grammar
115 | - Always check links
116 |
117 | ##### Spear Phishing
118 |
119 | - Targeting a person or a group with a phishing attack
120 | - Can be more useful because attack can be targeted
121 |
122 | ##### Whaling
123 |
124 | - Going after CEOs or other C-level executives
125 |
126 | ##### Pharming
127 |
128 | - Use of malicious code that redirects a user's traffic
129 | - 2 ways to perform:
130 | - DNS Cache Poisoning
131 | - Host File Modification
132 |
133 | ##### Spimming \(Spam over Instant Messaging\)
134 |
135 | - Using IM as a tool to spread spam
136 |
137 | #### Fake Antivirus
138 |
139 | - Pretending to be an anti-virus but is a malicious tool
140 | - Very prevalent attack
141 |
142 | #### Mail Relaying
143 |
144 | - Bouncing e-mail from internal to external mails servers continuously
145 | - Ensuring that no one knows they sent the spam out to thousands of users at a time
146 |
147 | #### Watering hole
148 |
149 | - The victim is of a particular group \(organization, industry, or region\)
150 | - Attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected
151 | - Looking for specific information may only attack users coming from a specific IP address
152 |
153 | #### Baitting attack
154 |
155 | - Attacker leaves malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them, give them legitimate and curiosity-piquing labels, and waits for victims
156 |
157 | ### Mobile-Based Attacks
158 |
159 | - Publishing malicious apps
160 | - Repackaging legitimate apps
161 | - Fake security applications
162 | - **SMiShing**: SMS Phishing
163 |
164 | ### Insider Threats
165 |
166 | #### Insiders
167 |
168 | - Privileged Users: most trusted employees of the company
169 | - Disgruntled Employees: unhappy employees or contract workers
170 | - Terminated Employees
171 | - Accident-Prone Employees: accidentally losing device or sending email to incorrect recipients... which leads to unintentional data disclosure
172 | - Third Parties
173 | - Undertrained Staff: trusted employee becomes an unintentional insider due to lack of cybersecurity training
174 |
175 | #### Types of Threats
176 |
177 | - Malicious insider: disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware to corporate network
178 | - Negligent Insider: uneducated on potential security threats, more vulnerable to social engineering attacks
179 | - Professional Insider: most harmful insider, using technical knowledge to identify weakness and vulnerability of company's network and sell confidential information
180 | - Compromised Insider: outsider compromises insider having access to critical assets of an organization
181 |
--------------------------------------------------------------------------------
/13-pen_testing.md:
--------------------------------------------------------------------------------
1 | # 13-Pen Testing
2 |
3 | ## Table of Contents
4 |
5 | - [Pen Testing](13-pen_testing.md#pen-testing)
6 | - [Security Audit](13-pen_testing.md#security-audit)
7 | - [Vulnerability Assessment](13-pen_testing.md#vulnerability-assessment)
8 | - [Product-Based Solutions](13-pen_testing.md#product-based-solutions)
9 | - [Service-Based Solutions](13-pen_testing.md#service-based-solutions)
10 | - [Tree-Based Assessment](13-pen_testing.md#tree-based-assessment)
11 | - [Inference-Based Assessment](13-pen_testing.md#inference-based-assessment)
12 | - [Penetration Testing](13-pen_testing.md#penetration-testing)
13 | - [Phases of Pen Testing](13-pen_testing.md#phases-of-pen-testing)
14 | - [Types of Pen Testing](13-pen_testing.md#types-of-pen-testing)
15 | - [Teams](13-pen_testing.md#teams)
16 | - [Automated Testing Tools](13-pen_testing.md#automated-testing-tools)
17 | - [Security Testing Methodology](13-pen_testing.md#security-testing-methodology)
18 | - [Proprietary Methodologies](13-pen_testing.md#proprietary-methodologies)
19 | - [Open-Source and Public Methodologies](13-pen_testing.md#open-source-and-public-methodologies)
20 |
21 | ## Pen Testing
22 |
23 | ### Security Audit
24 |
25 | - Policy and procedure focused
26 | - Tests whether organization is following specific standards and policies
27 |
28 | ### Vulnerability Assessment
29 |
30 | - Scans and tests for vulnerabilities but does **not intentionally exploit them**
31 |
32 | #### Product-Based Solutions
33 |
34 | Product-based solutions are installed in the organization's internal network. They are installed in a private or non-routable space, or the Internet-addressable portion of an organization's network. If they are installed in the private network or, in other words, behind the firewall, they cannot always detect outside attacks.
35 |
36 | #### Service-Based Solutions
37 |
38 | Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network; others are hosted outside the network. A drawback of this solution is that attackers can audit the network from outside.
39 |
40 | #### Tree-Based Assessment
41 |
42 | In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. This approach relies on the administrator to provide a starting shot of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning.
43 |
44 | #### Inference-Based Assessment
45 |
46 | In an inference-based assessment, scanning starts by building an inventory of protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
47 |
48 | ### Penetration Testing
49 |
50 | - Looking for vulnerabilities and **actively seeking to exploit them**
51 | - Need to make sure you have a great contract in place to protect you from liability
52 | - Clearly defined, full scale test of security controls
53 |
54 | #### Phases of Pen Testing
55 |
56 | - **Pre-Attack Phase**: reconnaissance and data-gathering
57 | - Planning and preparation: Rule of Engagement \(RoE\)
58 | - Methodology design
59 | - Network information gathering
60 | - **Attack Phase**: attempts to penetrate the network and execute attacks
61 | - Penetrating perimeter
62 | - Acquiring target
63 | - Escalating privileges
64 | - Execution, implantation, retracting
65 | - **Post-Attack Phase**: cleanup to return a system to the pre-attack condition and deliver reports
66 | - Reporting
67 | - Clean-up
68 | - Artifact destruction
69 |
70 | #### Types of Pen Testing
71 |
72 | - **Black Box**: without any knowledge of the system or network
73 | - **White Box**: complete knowledge of the system
74 | - **Gray Box**: some knowledge of the system and/or network
75 | - **External Assessment**: analyzing publicly available information; conducting network scanning, enumeration and testing from the network perimeter
76 | - **Internal Assessment**: performed from within the organization, from various network access points
77 |
78 | #### Teams
79 |
80 | - **Red Team**: attacking
81 | - **Blue Team**: defending
82 | - **Purple Team**: doing both attacking and defending
83 |
84 | #### Automated Testing Tools
85 |
86 | - **Metasploit**: framework for developing and executing code against a remote target machine
87 | - **Core Impact Pro**: best known, all-inclusive automated testing framework, tests everything from web applications and individual systems to network devices and wireless
88 | - **CANVAS**: hundreds of exploits, automated exploitation system and extensive exploit development framework
89 |
90 | ### Security Testing Methodology
91 |
92 | #### Proprietary Methodologies
93 |
94 | - IBM
95 | - McAfee Foundstone
96 | - EC-Council LPT: Licensed Penetration Tester
97 |
98 | #### Open-Source and Public Methodologies
99 |
100 | - OWASP: Open Web Application Security Project
101 | - OSSTMM: Open-Source Security Testing Methodology Manual
102 | - ISSAF: Information System Security Assessment Framework
103 | - NIST: National Institute of Standards and Technology
104 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright 2020 Scott Craig
190 | Modifications Copyright 2020 Kevin Cui
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CEHv10 Study Guide++
2 |
3 |
Forked [CEHv10StudyGuide](https://github.com/scottymcraig/CEHv10StudyGuide)
4 |
5 |
Many updates corresponding to CEHv10 courseware
6 |
7 |
My personal study notes
8 |
9 | = CEHv10 Study Guide 
10 |
11 | | CHAPTER | NAME | LINK |
12 | | :------ | :------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------- |
13 | | 01 | Essential Knowledge | [
](01-essential_knowledge.md) |
14 | | 02 | Reconnaissance and footprinting | [
](02-reconnaissance_and_footprinting.md) |
15 | | 03 | Scanning and Enumeration | [
](03-scanning_and_enumeration.md) |
16 | | 04 | Sniffing and Evasion | [
](04-sniffing_and_evasion.md) |
17 | | 05 | System Hacking | [
](05-system_hacking.md) |
18 | | 06 | Web Server and Web Application Hacking | [
](06-web_server_and_web_application_hacking.md) |
19 | | 07 | Wireless Network Hacking | [
](07-wireless_network_hacking.md) |
20 | | 08 | Mobile and IoT Hacking | [
](08-mobile_and_iot_hacking.md) |
21 | | 09 | Security in Cloud Computing | [
](09-security_in_cloud_computing.md) |
22 | | 10 | Malware and Other Attacks | [
](10-malware_and_other_attacks.md) |
23 | | 11 | Cryptography | [
](11-cryptography.md) |
24 | | 12 | Social Engineering | [
](12-social_engineering.md) |
25 | | 13 | Pen Testing | [
](13-pen_testing.md) |
26 |
27 | Read it on GitBook: [https://kevcui.gitbook.io/cehv10studyguideplusplus](https://kevcui.gitbook.io/cehv10studyguideplusplus)
28 |
29 | ---
30 |
31 | Enjoy your studies!
32 |
33 | ---
34 |
35 |
36 |
--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
1 | # Table of contents
2 |
3 | * [CEHv10 Study Guide++](README.md)
4 | * [01-Essential Knowledge](01-essential_knowledge.md)
5 | * [02-Reconnaissance and Footprinting](02-reconnaissance_and_footprinting.md)
6 | * [03-Scanning and Enumeration](03-scanning_and_enumeration.md)
7 | * [04-Sniffing and Evasion](04-sniffing_and_evasion.md)
8 | * [05-System Hacking](05-system_hacking.md)
9 | * [06-Web Server and Web Application Hacking](06-web_server_and_web_application_hacking.md)
10 | * [07-Wireless Network Hacking](07-wireless_network_hacking.md)
11 | * [08-Mobile and IoT Hacking](08-mobile_and_iot_hacking.md)
12 | * [09-Security in Cloud Computing](09-security_in_cloud_computing.md)
13 | * [10-Malware and Other Attacks](10-malware_and_other_attacks.md)
14 | * [11-Cryptography](11-cryptography.md)
15 | * [12-Social Engineering](12-social_engineering.md)
16 | * [13-Pen Testing](13-pen_testing.md)
17 |
18 |
--------------------------------------------------------------------------------