├── .obsidian ├── hotkeys.json ├── appearance.json ├── app.json ├── core-plugins.json ├── graph.json ├── core-plugins-migration.json ├── workspace ├── workspace-mobile.json └── workspace.json ├── README.md ├── ports.md ├── hash_crypto.md ├── summary.md ├── nmap.md ├── others.md ├── tools.md └── attacks.md /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "accentColor": "" 3 | } -------------------------------------------------------------------------------- /.obsidian/app.json: -------------------------------------------------------------------------------- 1 | { 2 | "promptDelete": false, 3 | "livePreview": false, 4 | "vimMode": true, 5 | "spellcheck": true 6 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | These are my notes for the CEH v11 exam. The information is based on Viktor Afimov's exam preparation course on [Udemy](https://www.udemy.com/share/104Cs43@K8VC7T_QYkuy5oSZbjj9V6fixUFm7J0lpnWpmJ4ewFBVy0TN63fgt-UNdIxwH3Hx/). Not everything is covered here, only the topics that were not clear to me. Feel free to extend these notes. 
-------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "canvas", 8 | "outgoing-link", 9 | "tag-pane", 10 | "page-preview", 11 | "daily-notes", 12 | "templates", 13 | "note-composer", 14 | "command-palette", 15 | "editor-status", 16 | "bookmarks", 17 | "outline", 18 | "word-count", 19 | "file-recovery" 20 | ] -------------------------------------------------------------------------------- /ports.md: -------------------------------------------------------------------------------- 1 | ### TCP 2 | port|service| 3 | ---|---| 4 | 21|FTP| 5 | 22|SSH| 6 | 23|Telnet| 7 | 25|SMTP| 8 | 53|DNS| 9 | 80|HTTP| 10 | 110|POP3| 11 | 139|NetBIOS| 12 | 143|IMAP| 13 | 389|LDAP| 14 | 443|HTTPS| 15 | 445|SMB| 16 | 636|LDAPS| 17 | 995|POP3| 18 | 19 | --- 20 | ### UDP 21 | port|service| 22 | ---|---| 23 | 53|DNS| 24 | 67,68|DHCP| 25 | 69|TFTP| 26 | 123|NTP| 27 | 161|SNMP| 28 | 29 | 30 | If you see port 515 is open, the target is probably a printer. 
31 | -------------------------------------------------------------------------------- /.obsidian/graph.json: -------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": true, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | "showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": true, 16 | "centerStrength": 0.518713248970312, 17 | "repelStrength": 10, 18 | "linkStrength": 1, 19 | "linkDistance": 250, 20 | "scale": 1, 21 | "close": false 22 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins-migration.json: -------------------------------------------------------------------------------- 1 | { 2 | "file-explorer": true, 3 | "global-search": true, 4 | "switcher": true, 5 | "graph": true, 6 | "backlink": true, 7 | "outgoing-link": true, 8 | "tag-pane": true, 9 | "page-preview": true, 10 | "daily-notes": true, 11 | "templates": true, 12 | "note-composer": true, 13 | "command-palette": true, 14 | "slash-command": false, 15 | "editor-status": true, 16 | "starred": true, 17 | "markdown-importer": false, 18 | "zk-prefixer": false, 19 | "random-note": false, 20 | "outline": true, 21 | "word-count": true, 22 | "slides": false, 23 | "audio-recorder": false, 24 | "workspaces": false, 25 | "file-recovery": true, 26 | "publish": false, 27 | "sync": false, 28 | "canvas": true, 29 | "bookmarks": true 30 | } -------------------------------------------------------------------------------- /hash_crypto.md: -------------------------------------------------------------------------------- 1 | # SHA-1 2 | Produces a 160 bit digest from a message on principles similar to those used in MD4 and MD5. 
3 | 4 | --- 5 | # SHA-2 6 | Consists of six hash functions with hash values that are 224, 256, 384 or 512 bits. 7 | 8 | --- 9 | # RSA 10 | Based on factoring the product of two large prime numbers. Uses a public/private key pair. 11 | 12 | --- 13 | # MD5 14 | Hash function producing a 128 bit hash value. 15 | 16 | --- 17 | # RC5 18 | Simple symmetric key block cipher. 19 | 20 | --- 21 | # Twofish 22 | Symmetric key block cipher with 128 bit block size, and key size up to 256 bits. 23 | 24 | --- 25 | # Triple DES 26 | Uses a 64 bit block size; the data is encrypted three times. 27 | 28 | --- 29 | # AES 30 | Symmetric, fixed block size of 128 bits and a key size of 128, 192, 256 bits. 31 | 32 | --- 33 | # DES 34 | Symmetric key encryption algorithm with 64 bits of block size and 56 bits of key size. 35 | 36 | --- 37 | # CAST-128 38 | 12 or 16 round Feistel network with a 64 bit block size and a key size between 40 and 128 bits. 39 | 40 | --- 41 | # Serpent 42 | Symmetric key block cipher with 128 bit blocks; a 32 round SP-network operating on a block of four 32 bit words. -------------------------------------------------------------------------------- /summary.md: -------------------------------------------------------------------------------- 1 | # [Basic Ports And Services](ports.md) 2 | # [Basic Tools And Use-cases](tools.md) 3 | # [Basic Attack Types And Descriptions](attacks.md) 4 | # [Basic Nmap Flags](nmap.md) 5 | # [Hashing/encryption algorithms](hash_crypto.md) 6 | # [Others](others.md) 7 | 8 | --- 9 | ## OSI 10 | #|Layer| 11 | ---|---| 12 | 7|Application| 13 | 6|Presentation| 14 | 5|Session| 15 | 4|Transport| 16 | 3|Network| 17 | 2|Data Link| 18 | 1|Physical| 19 | 20 | Layer 2: 21 | - Sniffers operate here. 22 | Layer 6: 23 | - PKI encrypts and decrypts the data here. 
24 | 25 | ---- 26 | ## CVSS 27 | Rating|CVSS Score| 28 | ---|---| 29 | None|0.0| 30 | Low|0.1-3.9| 31 | Medium|4.0-6.9| 32 | High|7.0-8.9| 33 | Critical|9.0-10.0| 34 | 35 | 36 | --- 37 | ## Risk 38 | Potential that a threat will exploit vulnerabilities of an asset or group of assets. 39 | 40 | --- 41 | ## Threat 42 | Anything that can potentially adversely impact a system through unauthorized access, destruction, disclosure, DDoS or modification of data. 43 | 44 | --- 45 | ## Wi-Fi types 46 | Amendments|Range, meters| 47 | ---|---| 48 | 802.11|20-100| 49 | 802.11a|35-100| 50 | 802.11b|35-140| 51 | 802.11g|38-140| 52 | 802.11n|70-250| 53 | 802.16 (WiMAX)| 1609.34-9656.06| 54 | 55 | --- 56 | ## Vulnerability management lifecycle 57 | 1. Identify assets and create a baseline 58 | 2. Vulnerability scan 59 | 3. Risk assessment 60 | 4. Remediation 61 | 5. Verification 62 | 6. Monitor 63 | 64 | --- 65 | ## Assessment types 66 | 67 | ##### Passive assessment 68 | Traffic sniffing on the network to identify the active systems, network services, applications and vulnerabilities. 69 | 70 | ##### Active assessment 71 | A type of vulnerability assessment that uses network scanners to identify the hosts, services and vulnerabilities present in a network. 72 | 73 | ##### External assessment 74 | Examines the network from a hacker's point of view to identify exploits and vulnerabilities accessible to the outside world. These cover firewalls, routers and servers. 75 | 76 | ##### Internal assessment 77 | Involves scrutinizing the internal network to find exploits and vulnerabilities. -------------------------------------------------------------------------------- /nmap.md: -------------------------------------------------------------------------------- 1 | # nmap 2 | flag|name|details| 3 | ---|---|---| 4 | -sX|Xmas scan|Sets the FIN, PSH, URG flags. 
If the port is closed then an RST will be sent back to us.| 5 | -sY|SCTP init scan|Stealthy, never completes SCTP associations.| 6 | -sN|NULL scan|Doesn't set any bits (TCP header is 0)| 7 | -sF|FIN scan|Sets only the TCP FIN bit| 8 | -sP|Skip port scan|Doesn't do port scan after host discovery, and only prints available hosts that responded to the scan.| 9 | -sA|TCP ACK scan|Used for mapping out firewall rulesets, determining if they're stateful or not, and which ports are filtered.| 10 | -sV|Version detection|Enables version detection. Alternative: -A| 11 | -T[0/1/2/3/4/5]|Time|lower number: slower, but reduced possibility of IDS detection; greater number: faster, but makes more noise| 12 | -sS|TCP Stealth scan|Fast, never completes a TCP connection.| 13 | -sU|UDP scan|Sends UDP packets and finds services running on UDP ports.| 14 | -sM|TCP Maimon scan|Same as NULL, FIN and Xmas scans except the probe is FIN/ACK. An RST packet is generated in response indicating whether the port is open or not (Stateful firewalls return no RST packet).| 15 | -sT|TCP Connect scan|Completes the full TCP three-way handshake with each port and finds services running on TCP ports.| 16 | -F|Fast scan|Scans 100 ports instead of 1000.| 17 | -oX|XML output|XML output| 18 | -oG|Grep searchable output|Grep searchable output.| 19 | -O|OS scan|Requires root privilege.| 20 | -R|DNS resolution for all targets|Always reverses DNS resolution on the target IP addresses.| 21 | -r|Sequential ports|Scan ports sequentially instead of in random order.| 22 | -PP|ICMP timestamp ping|ICMP timestamp ping| 23 | -PU|UDP ping|UDP ping| 24 | -PN|Don't ping|Don't ping| 25 | -PY|SCTP init ping|SCTP init ping| 26 | -D|Decoy|It appears to the remote host that the hosts you specify as decoys are scanning too.| 27 | -f|fragment packets|Uses tiny fragmented IP packets.| 28 | -S|Spoof source address|Spoof source address.| 29 | -A|Aggressive|Enables advanced and aggressive options.| 30 | 31 | --- 32 | # Other scans 33 | ## Banner Grabbing 34 | Technique used to gain information about a computer's 
operating system on the network. 35 | 36 | --- 37 | ## IDLE/IPID Scanning 38 | Consists of sending spoofed packets to a computer to find out what services are available. Accomplished by impersonating another computer (zombie) whose network traffic is very slow or nonexistent. 39 | 40 | --- 41 | ## UDP Scanning 42 | Sends UDP packets to various ports on the target host and evaluates the response packets to determine the availability of the service on the host. -------------------------------------------------------------------------------- /others.md: -------------------------------------------------------------------------------- 1 | # Macvlan networking 2 | Network connection between Docker container interfaces and parent host interface. 3 | 4 | --- 5 | # Overlay networking 6 | Creates a distributed network among multiple Docker daemon hosts. 7 | 8 | --- 9 | # Host networking 10 | The container's network stack is not isolated from the Docker host, the container shares the host's networking namespace and the container does not get its own IP-address allocated. 11 | 12 | --- 13 | # Bridge networking 14 | Uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network. 15 | 16 | --- 17 | # Static application security testing (SAST) 18 | Used to secure software by reviewing the source code of the software to identify vulnerabilities. 19 | 20 | --- 21 | # Dynamic application security testing (DAST) 22 | Used to identify vulnerabilities in web applications by testing the running application through its front end. 23 | 24 | --- 25 | # Mobile application security testing (MAST) 26 | Blend of SAST and DAST. Tests mobile applications for mobile-specific issues such as jailbreaking, rooting, spoofed Wi-Fi connections etc. 27 | 28 | --- 29 | # Interactive application security testing (IAST) 30 | Blend of SAST and DAST. 
Checks whether a known vulnerability can be exploited in a running application. 31 | 32 | --- 33 | # DNSSEC 34 | A suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by DNS for use on IP networks. 35 | 36 | --- 37 | # SOAP 38 | Exchanges data between web services. Allows for any programming model. Uses Extensible Markup Language (XML). Compatible with application level protocols like SMTP, FTP, HTTP, HTTPS etc. 39 | Has three major characteristics: 40 | - extensibility 41 | - neutrality 42 | - independence 43 | 44 | --- 45 | # Heartbleed bug 46 | Vulnerability in the OpenSSL cryptography library. 47 | 48 | --- 49 | # Shellshock 50 | A family of security bugs in the bash shell. Could enable an attacker to cause bash to execute arbitrary commands and gain unauthorized access to servers. 51 | 52 | --- 53 | # Poodle 54 | MiTM exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. 55 | 56 | --- 57 | # Fuzz testing 58 | Automated software testing technique that involves providing invalid, random data as inputs to a computer program. 59 | 60 | --- 61 | # Concolic testing 62 | Hybrid software verification technique that performs symbolic execution. 63 | 64 | --- 65 | # ZigBee 66 | Short range (10-100m) communication protocol. 67 | 68 | --- 69 | # Dragonblood 70 | WPA3 vulnerability. 71 | 72 | --- 73 | # Public Key Infrastructure (PKI) 74 | A structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange. 75 | 76 | --- 77 | # Yagi antenna 78 | 10 MHz to VHF UHF 79 | 80 | --- 81 | # Unspecified proxy activities 82 | The attacker created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection. 
-------------------------------------------------------------------------------- /.obsidian/workspace: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "84c10b1924de685d", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "4626265f74eb6a39", 8 | "type": "leaf", 9 | "state": { 10 | "type": "markdown", 11 | "state": { 12 | "file": "ports.md", 13 | "mode": "preview", 14 | "source": true 15 | } 16 | } 17 | } 18 | ], 19 | "direction": "vertical" 20 | }, 21 | "left": { 22 | "id": "7a7a42064fffe76d", 23 | "type": "mobile-drawer", 24 | "children": [ 25 | { 26 | "id": "5f8142d1b5c0c628", 27 | "type": "leaf", 28 | "state": { 29 | "type": "file-explorer", 30 | "state": {} 31 | } 32 | }, 33 | { 34 | "id": "2c842bb5f74aca0a", 35 | "type": "leaf", 36 | "state": { 37 | "type": "search", 38 | "state": { 39 | "query": "", 40 | "matchingCase": false, 41 | "explainSearch": false, 42 | "collapseAll": false, 43 | "extraContext": false, 44 | "sortOrder": "alphabetical" 45 | } 46 | } 47 | }, 48 | { 49 | "id": "01bd4a782782dd4e", 50 | "type": "leaf", 51 | "state": { 52 | "type": "tag", 53 | "state": { 54 | "sortOrder": "frequency", 55 | "useHierarchy": true 56 | } 57 | } 58 | }, 59 | { 60 | "id": "2f9abedf8a8c9244", 61 | "type": "leaf", 62 | "state": { 63 | "type": "starred", 64 | "state": {} 65 | } 66 | } 67 | ], 68 | "currentTab": 0 69 | }, 70 | "right": { 71 | "id": "7ed76ae3b9f9d782", 72 | "type": "mobile-drawer", 73 | "children": [ 74 | { 75 | "id": "ef65ec335a7d9ee8", 76 | "type": "leaf", 77 | "state": { 78 | "type": "backlink", 79 | "state": { 80 | "file": "ports.md", 81 | "collapseAll": false, 82 | "extraContext": false, 83 | "sortOrder": "alphabetical", 84 | "showSearch": false, 85 | "searchQuery": "", 86 | "backlinkCollapsed": false, 87 | "unlinkedCollapsed": true 88 | } 89 | } 90 | }, 91 | { 92 | "id": "aa8dca7a1484e497", 93 | "type": "leaf", 94 | "state": { 95 | "type": "outgoing-link", 96 | "state": { 97 | 
"file": "ports.md", 98 | "linksCollapsed": false, 99 | "unlinkedCollapsed": true 100 | } 101 | } 102 | }, 103 | { 104 | "id": "7d2899beb5be14fa", 105 | "type": "leaf", 106 | "state": { 107 | "type": "outline", 108 | "state": { 109 | "file": "ports.md" 110 | } 111 | } 112 | } 113 | ], 114 | "currentTab": 0 115 | }, 116 | "active": "4626265f74eb6a39", 117 | "lastOpenFiles": [ 118 | "summary.md", 119 | "others.md", 120 | "README.md", 121 | "hash_crypto.md", 122 | "attacks.md", 123 | "nmap.md", 124 | "ports.md", 125 | "tools.md", 126 | "Basic.md" 127 | ] 128 | } -------------------------------------------------------------------------------- /.obsidian/workspace-mobile.json: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "84c10b1924de685d", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "76ab34c4a70373f3", 8 | "type": "tabs", 9 | "children": [ 10 | { 11 | "id": "a02e8c5610251511", 12 | "type": "leaf", 13 | "state": { 14 | "type": "empty", 15 | "state": {} 16 | } 17 | } 18 | ] 19 | } 20 | ], 21 | "direction": "vertical" 22 | }, 23 | "left": { 24 | "id": "7a7a42064fffe76d", 25 | "type": "mobile-drawer", 26 | "children": [ 27 | { 28 | "id": "5f8142d1b5c0c628", 29 | "type": "leaf", 30 | "state": { 31 | "type": "file-explorer", 32 | "state": { 33 | "sortOrder": "alphabetical" 34 | } 35 | } 36 | }, 37 | { 38 | "id": "2c842bb5f74aca0a", 39 | "type": "leaf", 40 | "state": { 41 | "type": "search", 42 | "state": { 43 | "query": "", 44 | "matchingCase": false, 45 | "explainSearch": false, 46 | "collapseAll": false, 47 | "extraContext": false, 48 | "sortOrder": "alphabetical" 49 | } 50 | } 51 | }, 52 | { 53 | "id": "01bd4a782782dd4e", 54 | "type": "leaf", 55 | "state": { 56 | "type": "tag", 57 | "state": { 58 | "sortOrder": "frequency", 59 | "useHierarchy": true 60 | } 61 | } 62 | }, 63 | { 64 | "id": "2f9abedf8a8c9244", 65 | "type": "leaf", 66 | "state": { 67 | "type": "starred", 68 | "state": {} 69 | } 70 | 
} 71 | ], 72 | "currentTab": 0 73 | }, 74 | "right": { 75 | "id": "7ed76ae3b9f9d782", 76 | "type": "mobile-drawer", 77 | "children": [ 78 | { 79 | "id": "ef65ec335a7d9ee8", 80 | "type": "leaf", 81 | "state": { 82 | "type": "backlink", 83 | "state": { 84 | "collapseAll": false, 85 | "extraContext": false, 86 | "sortOrder": "alphabetical", 87 | "showSearch": false, 88 | "searchQuery": "", 89 | "backlinkCollapsed": false, 90 | "unlinkedCollapsed": true 91 | } 92 | } 93 | }, 94 | { 95 | "id": "aa8dca7a1484e497", 96 | "type": "leaf", 97 | "state": { 98 | "type": "outgoing-link", 99 | "state": { 100 | "linksCollapsed": false, 101 | "unlinkedCollapsed": true 102 | } 103 | } 104 | }, 105 | { 106 | "id": "7d2899beb5be14fa", 107 | "type": "leaf", 108 | "state": { 109 | "type": "outline", 110 | "state": {} 111 | } 112 | } 113 | ], 114 | "currentTab": 0 115 | }, 116 | "left-ribbon": { 117 | "hiddenItems": { 118 | "switcher:Open quick switcher": false, 119 | "graph:Open graph view": false, 120 | "canvas:Create new canvas": false, 121 | "daily-notes:Open today's daily note": false, 122 | "templates:Insert template": false, 123 | "command-palette:Open command palette": false 124 | } 125 | }, 126 | "active": "5f8142d1b5c0c628", 127 | "lastOpenFiles": [ 128 | "others.md", 129 | "README.md", 130 | "attacks.md", 131 | "tools.md", 132 | "hash_crypto.md", 133 | "nmap.md", 134 | "ports.md", 135 | "summary.md", 136 | "Basic.md" 137 | ] 138 | } -------------------------------------------------------------------------------- /.obsidian/workspace.json: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "84c10b1924de685d", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "a911d9a3766654b5", 8 | "type": "tabs", 9 | "children": [ 10 | { 11 | "id": "4626265f74eb6a39", 12 | "type": "leaf", 13 | "state": { 14 | "type": "markdown", 15 | "state": { 16 | "file": "ports.md", 17 | "mode": "preview", 18 | "source": true 19 | } 20 | } 21 
| } 22 | ] 23 | } 24 | ], 25 | "direction": "vertical" 26 | }, 27 | "left": { 28 | "id": "28fe3559b5499dc6", 29 | "type": "split", 30 | "children": [ 31 | { 32 | "id": "017df43bf9c11a96", 33 | "type": "tabs", 34 | "children": [ 35 | { 36 | "id": "c0aec4cd98bfbc68", 37 | "type": "leaf", 38 | "state": { 39 | "type": "file-explorer", 40 | "state": { 41 | "sortOrder": "alphabetical" 42 | } 43 | } 44 | }, 45 | { 46 | "id": "33624e23ef68357c", 47 | "type": "leaf", 48 | "state": { 49 | "type": "search", 50 | "state": { 51 | "query": "", 52 | "matchingCase": false, 53 | "explainSearch": false, 54 | "collapseAll": false, 55 | "extraContext": false, 56 | "sortOrder": "alphabetical" 57 | } 58 | } 59 | }, 60 | { 61 | "id": "e7ee4c210da07618", 62 | "type": "leaf", 63 | "state": { 64 | "type": "bookmarks", 65 | "state": {} 66 | } 67 | } 68 | ] 69 | } 70 | ], 71 | "direction": "horizontal", 72 | "width": 300 73 | }, 74 | "right": { 75 | "id": "2355c81eac3bd24b", 76 | "type": "split", 77 | "children": [ 78 | { 79 | "id": "b02293d1526df7e4", 80 | "type": "tabs", 81 | "children": [ 82 | { 83 | "id": "b1f5052c22dfcf42", 84 | "type": "leaf", 85 | "state": { 86 | "type": "backlink", 87 | "state": { 88 | "file": "ports.md", 89 | "collapseAll": false, 90 | "extraContext": false, 91 | "sortOrder": "alphabetical", 92 | "showSearch": false, 93 | "searchQuery": "", 94 | "backlinkCollapsed": false, 95 | "unlinkedCollapsed": true 96 | } 97 | } 98 | }, 99 | { 100 | "id": "296523b626451890", 101 | "type": "leaf", 102 | "state": { 103 | "type": "outgoing-link", 104 | "state": { 105 | "file": "ports.md", 106 | "linksCollapsed": false, 107 | "unlinkedCollapsed": true 108 | } 109 | } 110 | }, 111 | { 112 | "id": "cd6f3e6347831b74", 113 | "type": "leaf", 114 | "state": { 115 | "type": "tag", 116 | "state": { 117 | "sortOrder": "frequency", 118 | "useHierarchy": true 119 | } 120 | } 121 | }, 122 | { 123 | "id": "5254d3ca6048eec3", 124 | "type": "leaf", 125 | "state": { 126 | "type": "outline", 127 | 
"state": { 128 | "file": "ports.md" 129 | } 130 | } 131 | } 132 | ] 133 | } 134 | ], 135 | "direction": "horizontal", 136 | "width": 300, 137 | "collapsed": true 138 | }, 139 | "left-ribbon": { 140 | "hiddenItems": { 141 | "switcher:Open quick switcher": false, 142 | "graph:Open graph view": false, 143 | "canvas:Create new canvas": false, 144 | "daily-notes:Open today's daily note": false, 145 | "templates:Insert template": false, 146 | "command-palette:Open command palette": false 147 | } 148 | }, 149 | "active": "4626265f74eb6a39", 150 | "lastOpenFiles": [ 151 | "summary.md", 152 | "others.md", 153 | "README.md", 154 | "hash_crypto.md", 155 | "attacks.md", 156 | "nmap.md", 157 | "ports.md", 158 | "tools.md", 159 | "Basic.md" 160 | ] 161 | } -------------------------------------------------------------------------------- /tools.md: -------------------------------------------------------------------------------- 1 | # Maltego 2 | Used in OSINT and forensics. Used for examining links between data with graphs and link analysis. 3 | 4 | --- 5 | # Analyst's Notebook 6 | Reveals relationships between data entities to discover patterns and provide insight into data. 7 | 8 | --- 9 | # Metasploit 10 | Provides information about security vulnerabilities and aids penetration testing and IDS signature development. Metasploit Framework is a tool for developing and executing exploit code against remote target machine. 11 | 12 | --- 13 | # Whisker 14 | Used for session splicing attacks. 15 | 16 | --- 17 | # tcpdump 18 | Wirechark for CLI. Packet analyzer. Can be used for passive OS fingerprinting. 19 | 20 | --- 21 | # tcpsplice 22 | A tool for extracting portions of packet trace files generated using tcpdump's -w flag. 23 | 24 | --- 25 | # Burp Suite 26 | Set of tools used for penetration testing of web applications. Developed in Java. 27 | 28 | --- 29 | # Hydra 30 | Network logon cracker. 
Uses different approaches to perform brute-force attacks in order to guess the right username and password combination. 31 | 32 | --- 33 | # Kismet 34 | Packet sniffer, network detector, and IDS for 802.11(a, b, g, n) wireless LANs. 35 | 36 | --- 37 | # Nessus 38 | Vulnerability scanner. Remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer connected to a network. 39 | 40 | --- 41 | # Cain and Abel 42 | Password recovery tool for Windows NT. 43 | 44 | --- 45 | # Nikto 46 | Command line vulnerability scanner that scans web servers for dangerous files/CGIs. 47 | 48 | --- 49 | # Armitage 50 | Graphical cyber attack management tool for the Metasploit project that visualizes targets and recommends exploits. 51 | 52 | --- 53 | # Snort 54 | Open source NIDS and IPS. 55 | 56 | --- 57 | # John the Ripper 58 | Open source password security auditing and password recovery tool. 59 | 60 | --- 61 | # Kon-Boot 62 | Software utility that allows users to bypass Windows NT and macOS passwords. 63 | 64 | --- 65 | # Aircrack-ng 66 | Network software suite designed for 802.11 WEP and WPA-PSK keys cracking and can recover keys once enough data packets have been captured. 67 | 68 | --- 69 | # IPsec 70 | - Uses key exchange 71 | - Provides authentication 72 | - Encrypts payloads 73 | - Works at network layer (3) 74 | - End-to-End encryption 75 | - Encapsulating Security Payload (ESP) provides confidentiality for the contents of packets. 76 | - IPsec driver performs protocol level functions required to encrypt and decrypt packets. 77 | 78 | --- 79 | # Snort 80 | Network sniffer, can record network activity, can detect and prevent network intrusion. 81 | 82 | --- 83 | # Bluto 84 | Python-based tool for DNS recon, DNS zone transfer testing, DNS wild card checks, DNS brute-forcing, email enumeration etc. 
85 | 86 | --- 87 | # Kernel rootkit 88 | Sits undetected in the core components of the OS. 89 | 90 | --- 91 | # Hypervisor rootkit 92 | Exploits hardware virtualization features. 93 | 94 | --- 95 | # Firmware rootkit 96 | Gains access to the software that runs devices, like routers, network cards, hard drives or system BIOS. 97 | 98 | --- 99 | # Infoga 100 | Tool for gathering information from different public sources and checks if emails were leaked. 101 | 102 | --- 103 | # JXplorer 104 | Can be used to gather information from an LDAP service. 105 | 106 | --- 107 | # ARIN 108 | American Registry for Internet Numbers. Tells you who an IP address is registered to. 109 | 110 | --- 111 | # RADIUS 112 | Authenticates users via analog modems, Digital Subscriber Lines (DSL), wireless data services and VPNs over a Frame Relay network. 113 | 114 | --- 115 | # Ettercap 116 | Used for HTML injection. MiTM 117 | 118 | --- 119 | # CHNTPW 120 | Utility for resetting or blanking local passwords used by Windows NT. 121 | 122 | --- 123 | # Syhunt Hybrid 124 | Vulnerability scanner that combines comprehensive static and dynamic security checks to detect XSS, File Inclusion, SQLi, command execution etc. 125 | 126 | --- 127 | # Evilginx 128 | MiTM attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server. 129 | 130 | --- 131 | # XOIC 132 | DDoS attacking tool. 133 | 134 | --- 135 | # PyLoris 136 | A slow HTTP DDoS tool. 137 | 138 | --- 139 | # sixnet-tools 140 | Tool for exploiting sixnet RTUs. 141 | 142 | --- 143 | # CxSAST 144 | Application performance management software, includes features such as diagnostic tools. 145 | 146 | --- 147 | # CeWL 148 | Ruby app which spiders a given url to a specified depth, optionally following external links and returns a list of words which can be used by password crackers. 149 | 150 | --- 151 | # Orbot 152 | Free software to be anonymous on the Internet for Android users. 
153 | 154 | --- 155 | # Shadowsocks 156 | Free encryption protocol project to circumvent Internet censorship. 157 | 158 | --- 159 | # Psiphon 160 | Free Internet censorship circumvention tool that uses a combination of VPN, SSH and HTTP Proxy. 161 | 162 | --- 163 | # Netsparker 164 | Automated and fully configurable web application scanner. 165 | 166 | --- 167 | # Hootsuite 168 | Social media management platform. Available to search for both geotagged and non-geotagged information on social media sites. 169 | 170 | --- 171 | # BetterCAP 172 | Toolset for performing reconnaissance and attacking Wi-Fi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. 173 | 174 | --- 175 | # Gobbler 176 | OS detection tool. 177 | 178 | --- 179 | # wash 180 | Utility to identify WPS enabled access points. 181 | 182 | --- 183 | # Censys 184 | Automated monitoring solution, to scan employees' home networks for vulnerabilities. 185 | 186 | --- 187 | # Wapiti 188 | Website and web application audit software. -------------------------------------------------------------------------------- /attacks.md: -------------------------------------------------------------------------------- 1 | # aLTEr 2 | Virtual communication tower (4G cell tower) between 2 authentic endpoints. MiTM 3 | 4 | --- 5 | # KRACK attack 6 | Key Reinstallation Attack is a replay attack on the Wi-Fi protected access protocol that secures Wi-Fi connections. 7 | 8 | --- 9 | # Cross-Site Request Forgery (CSRF) 10 | An innocent end-user is tricked by an attacker into submitting a web request without their consent. 11 | 12 | --- 13 | # Server-side request forgery 14 | The attacker abuses functionality on the server to read or update internal resources. 15 | 16 | --- 17 | # Command Injection Attacks 18 | Execution of arbitrary commands on the host operating system via a vulnerable application. 
19 | 20 | --- 21 | # File Inclusion Attack 22 | An application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. 23 | 24 | --- 25 | # Hidden Field Manipulation Attack 26 | Exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. 27 | 28 | --- 29 | # Web Parameter Tampering 30 | Manipulating parameters exchanged between client and server to modify application data, such as user credentials and permissions. 31 | 32 | --- 33 | # Cookie Tampering 34 | Used for attacks such as session hijacking, where cookies with session identification information are stolen or modified by an attacker. 35 | 36 | --- 37 | # XSS Reflection 38 | XSS (Cross Site Scripting) is a web application vulnerability that permits an attacker to inject code into an outside website's contents. 39 | 40 | --- 41 | # SQLi 42 | Code injection technique, used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution. 43 | 44 | ## Blind SQLi 45 | Attacker sends payloads to the server and observes the response and behavior of the server to learn more about its structure. Attacker cannot see information about the attack in-band. 46 | #### Boolean blind SQLi 47 | The result will vary depending on whether the query is true or false. 48 | #### Time based blind SQLi 49 | The attacker can see from the time the database takes to respond whether the query is true or false. 50 | 51 | ## Error based SQLi 52 | Attacker gets information about the database from the error message. 53 | 54 | ## UNION SQLi 55 | The UNION keyword can be used to retrieve data from other tables within the database. 
56 | 57 | ## Out-of-band SQLi 58 | Used when the attacker cannot use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions. These techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker. 59 | 60 | # Compound SQLi 61 | Using SQLi alongside cross-site scripting, DDoS, DNS hijacking. 62 | 63 | # Tautology 64 | Extract data using an OR clause so that the WHERE condition is always true. 65 | 66 | # End-of-Line comment 67 | SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; 68 | 69 | --- 70 | # Sybil attack 71 | A reputation system is subverted by creating multiple identities. 72 | 73 | --- 74 | # Exploit kits 75 | Collection of exploits, one-in-all tool for managing a variety of exploits altogether. 76 | 77 | --- 78 | # Wrapping 79 | Injecting a faked element into a message structure so that a valid signature covers the unmodified element while the faked one is processed by the application logic. Attacker can perform an arbitrary Web Service request while authenticating as a legitimate user. 80 | 81 | --- 82 | # Cloudborne 83 | Allows an attacker to implant persistent backdoors for data theft into bare-metal cloud servers, which would be able to remain intact as the cloud infrastructure moves from customer to customer. 84 | 85 | --- 86 | 87 | # Side channel attack 88 | Based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself. 89 | 90 | --- 91 | # Adaptive chosen-plaintext attack 92 | Choosing subsequent plaintexts based on the information from the previous encryption. 93 | 94 | --- 95 | # Known plaintext attack 96 | Attacker has access to both the plaintext and its encrypted version. 97 | 98 | --- 99 | # Bluejacking 100 | Used to send messages to users without the recipient's consent. 
101 | 102 | --- 103 | # Bluesmacking 104 | Bluetooth denial of service (DoS): the attacker floods the target with oversized L2CAP echo (ping) requests, freezing or crashing the device. A Bluetooth variant of the common DoS attack against networks, devices, and applications. 105 | 106 | --- 107 | # Bluesnarfing 108 | Unauthorized access of information (contacts, calendar, messages) from a wireless device through a Bluetooth connection. 109 | 110 | --- 111 | # Bluebugging 112 | Attacker takes control of the target's Bluetooth device (placing calls, sending messages, eavesdropping), going further than Bluesnarfing, which only reads data. Enabled by devices left discoverable and unpatched, i.e. a lack of awareness. 113 | 114 | --- 115 | # Footprinting 116 | Part of the (largely passive) reconnaissance process used to gather information about a target computer system or network. 117 | Used for obtaining: 118 | - Domain names 119 | - IP Addresses 120 | - Namespaces 121 | - Employee information 122 | - Phone numbers 123 | - E-mails 124 | - Job information 125 | 126 | --- 127 | # Enumeration 128 | Process that establishes an active connection to the target hosts to discover potential attack vectors in the system. 129 | Used for obtaining: 130 | - Usernames, group names 131 | - Hostnames 132 | - Network shares and services 133 | - IP tables and routing tables 134 | - Service settings and Audit configurations 135 | - Application and banners 136 | - SNMP and DNS Details 137 | 138 | --- 139 | # Scanning 140 | Scanning a website's security, web-based program, network or filesystem for either vulnerabilities or unwanted file changes. Active collection of information associated with a direct impact on the target. 141 | 142 | --- 143 | # Firewalking 144 | Method of determining which packets a firewall lets through from an untrusted external host to a protected internal host: traceroute-style probes are sent with the TTL set to expire one hop past the firewall, so an ICMP "TTL exceeded" reply reveals that the port is allowed. 145 | 146 | --- 147 | # Trickery and deceit 148 | It involves the use of social engineering techniques to extract cryptographic keys. 149 | 150 | --- 151 | # One-Time Pad 152 | Contains many non-repeating groups of letters or number keys, which are chosen randomly. The key must be truly random, at least as long as the message, and never reused; under those conditions the cipher is provably unbreakable. 153 | 154 | --- 155 | # Frequency Analysis 156 | The study of the frequency of letters or groups of letters in a cipher text, used against simple substitution ciphers. 
157 | 158 | --- 159 | # Meet-in-the-middle attack 160 | Generic space-time tradeoff cryptographic attack against encryption schemes that rely on performing multiple encryption operations in a sequence (the reason double DES gives little more security than single DES). 161 | 162 | --- 163 | # Man-in-the-middle attack 164 | Attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. 165 | 166 | --- 167 | # Stealth virus 168 | Hides its presence by intercepting the system's read requests for infected files or sectors and returning the clean original, so the code that would be used to detect it sees nothing. 169 | 170 | --- 171 | # Tunneling virus 172 | Attempts to bypass detection by antivirus scanner by installing itself in the interrupt handler chain, underneath the scanner's own hooks. 173 | 174 | --- 175 | # Cavity virus 176 | Infects files without changing the size or damaging the file by overwriting the unused areas of executable files. 177 | 178 | --- 179 | # Polymorphic virus 180 | Infects files with an encrypted copy of itself, which is decoded by a decryption module; the module is rewritten on each infection so there is no fixed signature to match. 181 | 182 | --- 183 | # Multipartite virus 184 | Can attack both the boot sector and executable files. 185 | 186 | --- 187 | # Insertion attack 188 | IDS evasion technique: the attacker sends packets the IDS accepts but the end host rejects, so the IDS reassembles a different stream than the target sees. A common way is using the TTL field of the IP header, set large enough to reach the IDS but too small to reach the host. 189 | 190 | --- 191 | # Obfuscation 192 | The process of concealing something important, valuable, or critical. An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. 193 | 194 | --- 195 | # Unicode evasion 196 | Using Unicode representation, where each character has a unique value regardless of the platform, to encode the payload so that the IDS fails to match its signatures while the target still decodes it. 197 | 198 | --- 199 | # Collision attack 200 | Tries to find two inputs that generate the same hash value, so that a signature or checksum made for one input also validates the other. 201 | 202 | --- 203 | # Baiting 204 | Exploits human curiosity, like leaving an infected pendrive in a parking lot waiting for someone to plug it in their computer. 205 | 206 | --- 207 | # Quid Pro Quo 208 | "Something for something" attack. Hacker impersonates IT staff. Contacts the target and offers to upgrade or install software. 
209 | 210 | --- 211 | # Reverse social engineering 212 | Attacker convinces the target that they have a problem that the attacker can solve, so the target initiates contact and trusts the attacker. 213 | 214 | --- 215 | # CRLF injection 216 | Web app attack injecting Carriage Return and Line Feed (`%0d%0a`) into user input that is reflected into a response header or a log, tricking the server into treating the current object as terminated and a new one as started (e.g. adding arbitrary HTTP headers — response splitting — or forging log entries). 217 | 218 | --- 219 | # Slowloris 220 | DoS attack which allows a single machine to take down another machine's web server with minimal bandwidth: it opens many HTTP connections and keeps each alive by sending partial request headers at intervals, exhausting the server's connection pool. Layer 7. 221 | 222 | --- 223 | # Untethered jailbreaking 224 | Device stays fully jailbroken after a reboot, with no computer needed. 225 | 226 | --- 227 | # Tethered jailbreaking 228 | Requires a computer on every reboot to keep the device jailbroken. 229 | 230 | --- 231 | # Semi-tethered jailbreaking 232 | After reboot the device boots normally but needs a computer to enable the jailbreak features. 233 | 234 | --- 235 | # Semi-untethered jailbreaking 236 | After reboot the device boots with the jailbreak features off, but they can be re-enabled from an app on the device without a computer. 237 | 238 | --- 239 | # Session donation 240 | Attacker logs in to an account they created and sends the victim a link carrying that authenticated session. The victim, believing it is their own account, enters personal data (e.g. payment details) into the attacker's session, which the attacker can then read. 241 | 242 | --- 243 | # Cryptanalysis attack 244 | Study of ciphers and ciphertext to understand how they work, and finding and improving techniques for defeating or weakening them. 245 | 246 | --- 247 | # Replay attack 248 | Attacker eavesdrops on a secure network communication, intercepts it, and fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants. Defended against with nonces, timestamps or sequence numbers that make each message single-use. 249 | 250 | --- 251 | # STP attack 252 | Attack on the Spanning Tree Protocol, the loop-prevention protocol between LAN switches: the attacker sends crafted BPDUs claiming a superior bridge priority to become the root bridge, forcing a topology change that routes traffic through the attacker (MITM) or disrupts the network (DoS). Mitigated with BPDU Guard / Root Guard on access ports. 253 | 254 | --- 255 | # Diversion theft 256 | Attacker persuades delivery and transport companies that their deliveries and services are requested elsewhere. 
257 | 258 | --- 259 | # DROWN attack 260 | Attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. A server is also exposed if it merely shares its RSA key/certificate with any other service that still speaks SSLv2, so SSLv2 must be disabled everywhere the key is used. 261 | 262 | --- 263 | # Agent Smith attack 264 | Android malware delivered as a malicious application from a third party app store; once installed it silently replaces legitimate installed apps with trojanized copies. 265 | 266 | --- 267 | # Fileless malware 268 | Malicious software that uses legitimate programs already on the system (e.g. PowerShell, WMI, office macros) to infect the computer. It does not rely on dropping its own executable to disk and runs in memory, so it leaves little footprint for file-based antivirus; memory forensics and logging can still catch it. 269 | 270 | --- 271 | # Skimming 272 | Capturing and stealing cardholder's personal payment information, e.g. with a reader attached to an ATM or point-of-sale terminal. 273 | 274 | --- 275 | # Rainbow table attack 276 | A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Defeated by salting each password with a unique random value, which makes precomputation useless. 277 | 278 | --- 279 | # Brute force attack 280 | Consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. 281 | 282 | --- 283 | # Dictionary attack 284 | A form of brute force attack technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches. 285 | 286 | --- 287 | # Hybrid attack 288 | Attacker blends two or more kinds of tools to carry out the assault. In password cracking: a dictionary attack whose words are mutated with brute-force style rules (appended digits, character substitutions, case changes). 289 | 290 | --- 291 | # Daisy chaining 292 | Gaining access to a network or a computer and using the same information to gain access to multiple networks and computers that contain desirable information. 293 | 294 | --- 295 | # Netbios enumeration 296 | Used (over TCP 139/445, e.g. with `nbtstat` or `net view`) to get shared resources on individual hosts on the network and the list of computers belonging to the domain. 297 | 298 | --- 299 | # Corporate espionage 300 | A practice of using espionage techniques for commercial or financial purposes. 
301 | e.g.: 302 | - Trespassing onto a competitor's property or accessing their files without permission 303 | - Posing as a competitor's employee in order to learn company trade secrets or other confidential information 304 | - Wiretapping a competitor 305 | - Hacking into a competitor's computer 306 | - Attacking a competitor's website with malware 307 | 308 | --- 309 | # Markov Chain 310 | Uses a statistical analysis of real leaked passwords to calculate the probability of each character following the previous ones, generating candidates in order of likelihood in a quasi-brute force attack. 311 | 312 | --- 313 | # Toggle Case 314 | Creates every possible case combination for each word in a dictionary. The password candidate 'do' would also generate 'Do', 'dO' and 'DO'. 315 | 316 | --- 317 | # MAC flooding 318 | Floods a switch with frames from random source MAC addresses to overflow its CAM (MAC address) table; once full, the switch fails open and floods unknown-destination traffic out of every port like a hub, letting the attacker sniff it. Mitigated with port security. 319 | 320 | --- 321 | # Internal monologue attack 322 | Allows NTLMv1 challenge-response hashes to be obtained from the victim's system, without injecting code in the memory or interacting with protected services such as the LSASS. It typically needs local admin to downgrade the NTLM settings, then uses the local SSPI to get NetNTLMv1 responses that can be cracked offline. 323 | 324 | --- 325 | # WS-Address spoofing 326 | Scenario: 327 | _An attacker sends a SOAP message containing WS-Addressing information to a web service server. The address-bearing element (likely the WS-Addressing `ReplyTo`; the element name is missing in the original note) doesn't contain the address of the attacker but instead that of a third-party server which the attacker chose to receive the message, so the web service is made to deliver its response wherever the attacker points it._ 328 | 329 | --- 330 | --------------------------------------------------------------------------------