/LICENSE:
--------------------------------------------------------------------------------
                    GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The GNU General Public License is a free, copyleft license for
software and other kinds of works.

  The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

  To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.

  Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.

  For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

  Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

  Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.

  The precise terms and conditions for copying, distribution and
modification follow.

                       TERMS AND CONDITIONS

  0. Definitions.

  "This License" refers to version 3 of the GNU General Public License.

  "Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.

  "The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.

  To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.

  A "covered work" means either the unmodified Program or a work based
on the Program.

  To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.

  To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.

  An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.

  1. Source Code.

  The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.

  A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.

  The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.

  The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.

  The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.

  The Corresponding Source for a work in source code form is that
same work.

  2. Basic Permissions.

  All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.

  You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.

  Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.

  3. Protecting Users' Legal Rights From Anti-Circumvention Law.

  No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.

  When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.

  4. Conveying Verbatim Copies.

  You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.

  You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.

  5. Conveying Modified Source Versions.

  You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:

    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.

    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7. This requirement modifies the requirement in section 4 to
    "keep intact all notices".

    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy. This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged. This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.

    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.

  A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.

  6. Conveying Non-Source Forms.

  You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:

    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.

    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.

    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source. This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.

    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge. You need not require recipients to copy the
    Corresponding Source along with the object code. If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source. Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.

    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.

  A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.

  A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.

  "Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.

  If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).

  The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.

  Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.

  7. Additional Terms.

  "Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.

  When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.

  Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:

    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or

    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or

    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or

    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or

    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or

    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.

  All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.

  If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.

  Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.

  8. Termination.

  You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).

  However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.

  Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.

  Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.

  9. Acceptance Not Required for Having Copies.

  You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.

  10. Automatic Licensing of Downstream Recipients.

  Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.

  An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.

  You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.

  11. Patents.

  A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".

  A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.

  Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.

  In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.

  If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.

  If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.

  A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.

  Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.

  12. No Surrender of Others' Freedom.

  If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.

  13. Use with the GNU Affero General Public License.

  Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.

  14. Revised Versions of this License.

  The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

  Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.

  If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.

  Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.

  15. Disclaimer of Warranty.

  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  16. Limitation of Liability.

  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

  17. Interpretation of Sections 15 and 16.

  If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.

                     END OF TERMS AND CONDITIONS

            How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

  To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <https://www.gnu.org/licenses/>.

Also add information on how to contact you by electronic and paper mail.
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# OSSA Notes

Notes for the ThinkSECURE Organizational Systems Security Analyst (OSSA) Certification. Information here was sourced from both study guides provided by ThinkSECURE and personal anecdotes from the March 2018 run of the certification examination.
NOTE: *Information listed here may not accurately reflect content that is involved in any particular future runs of the examination*

## Table of Contents

- [Table of Contents](#table-of-contents)
- [Introduction](#introduction)
- [Course Content](#course-content)
  - [1. What Is Information Security](#1-what-is-information-security)
    - [Origins of Cyberattacks](#origins-of-cyberattacks)
    - [Basic Security Concepts](#basic-security-concepts)
    - [8-Step Security Gameplan](#8-step-security-gameplan)
  - [2. Defending Your Turf & Security Policy Formulation](#2-defending-your-turf--security-policy-formulation)
    - [4Ps of Defence](#4ps-of-defence)
    - [4 Steps of Defending Networks & Systems](#4-steps-of-defending-networks--systems)
  - [3. Network 101](#3-network-101)
    - [Sniffing](#sniffing)
    - [OSI Model](#osi-model)
    - [Layer 2 Frames](#layer-2-frames)
    - [Layer 3 IP](#layer-3-ip)
    - [Address Resolution Protocol (ARP)](#address-resolution-protocol-arp)
    - [Layer 4 TCP & UDP](#layer-4-tcp--udp)
    - [Domain Name System (DNS)](#domain-name-system-dns)
  - [4. Defensive Tools & Lockdown](#4-defensive-tools--lockdown)
    - [Firewall](#firewall)
    - [Network Intrusion Detection System (NIDS)](#network-intrusion-detection-system-nids)
    - [Host-based Intrusion Detection System (HIDS)](#host-based-intrusion-detection-system-hids)
    - [Honeypots](#honeypots)
    - [Cryptography](#cryptography)
  - [5. The 5E Attacker Methodology](#5-the-5e-attacker-methodology)
    - [Preparation](#preparation)
    - [Exploration](#exploration)
    - [Enumeration](#enumeration)
    - [Exploitation](#exploitation)
    - [Embedding](#embedding)
    - [Egress](#egress)
    - [Reporting](#reporting)
  - [6. Wireless Insecurity](#6-wireless-insecurity)
    - [802.11 Basics](#80211-basics)
    - [Attacks](#attacks)
    - [Typical WLAN Deficiencies](#typical-wlan-deficiencies)
  - [7. Incident Response & Computer Forensics](#7-incident-response--computer-forensics)
    - [Incident Response Framework](#incident-response-framework)
    - [Computer Forensics](#computer-forensics)
    - [Information Gathering](#information-gathering)
  - [8. The Impact of Law](#8-the-impact-of-law)
    - [The Need To Know](#the-need-to-know)
    - [State of Cybercrime Law](#state-of-cybercrime-law)
    - [Issues With Enforcement](#issues-with-enforcement)
    - [When to Enforce](#when-to-enforce)
- [Useful Commands](#useful-commands)

## Introduction

The examination is 4 hours long and consists of 45 multiple-choice questions with five options each. A question may have more than one correct option, no correct options, or all five correct. For every option that is correctly selected, one mark is awarded, and for every incorrect option that is selected, one mark is deducted. To actually answer a question, you must ensure that the `Answer?` checkbox is checked; if it is not, you will be awarded 0 marks for that question, since you are considered not to have answered it.

Since this examination involves negative marking, I highly suggest that you do not answer questions that you are completely uncertain of: guessing carries a higher chance of selecting wrong options and hence of losing more marks.

The bulk of the examination focuses on two topics: analyzing network traffic and network scanning. Hence, I would suggest placing more focus on getting comfortable with Wireshark and nmap. Additionally, I would also advise that you read up on concepts that are related to these two tools.
Some of the aforementioned concepts may include but are not limited to:

- TCP three-way handshakes
- TCP flags
- common TCP-based protocols

During the examination, I highly suggest that you begin by performing nmap scans of all the hosts specified in the question paper and recording all the information you can retrieve. While the scans run, focus on answering questions from other sections and topics. In a class of 20 students the limited bandwidth results in very long scan times, so having to repeat the nmap scans to get information you missed is a huge waste of time.

## Course Content

This section contains the information included in the training programme for the certification.

### 1. What Is Information Security

#### Origins of Cyberattacks

- The Curious: people who find tools on the internet and pick random IP addresses to test them on
- The Malicious: dislike of other persons or organizations
- The Criminal: attacks with intent to commit crime
- The Competitor: attacks against competing businesses in the same industry
- The Natural: natural causes such as disasters resulting in denial of service
- The Politically-charged: politically or bureaucratically motivated attacks

#### Basic Security Concepts

##### CIA Triad

- Confidentiality: preventing others from finding out about things (encryption)
- Integrity: keeping data and platforms in a state of "wholeness" (hashing)
- Availability: maintaining on-demand accessibility (redundancy)

##### SOB Troika

The CIA triad answers many IT security concerns. In the real world, however, IT security is a cost centre and does not exist for its own sake; it has to be weighed against other factors within an organization:

- Security
- Operations
- Business

##### Trust & Verify

Do not take anything at face value. For instance, if a vendor says their product can perform a job, test the vendor's assertion and find out for yourself.

##### Ask The Oracle

Another good habit is looking for information whenever you are unsure of something, want to find out more about a topic, encounter an error message or face a problem that needs to be resolved. The oracle in question is any source of information, a good example being Google due to its comprehensiveness.

If your tool of choice is a search engine such as Google, it is also worth developing your skill in phrasing queries and in validating and narrowing search results.

#### 8-Step Security Gameplan

The Security Gameplan is a summary framework which shows the general execution of a security implementation. Security implementations are not full-featured products that can be bought from vendors; they must be approached holistically, taking into account policies, people and other non-technical factors.

1. Identify Centers of Gravity
   - What are considered important assets
   - Where are they located
   - Is the danger real or imagined
   - Establish a valuation baseline
   - Determine the consequences of a threat materializing
2. Understand the Threats
   - Identify what constitutes a threat to your assets
   - Segregate into categories such as internal/external, natural/man-made
   - Take the perspective of attackers
   - Understand the environment you operate in
3. Gather Information from Stakeholders
   - Establish the roles of stakeholders in the assets to be protected
   - Get feedback from parties affected by changes to reduce resistance
   - Maintain dialogue with concerned parties to refine the plan
4. Develop Baselines
   - Take stock of equipment, configurations, applications
   - Put in place policies, procedures and platforms to identify deviations from baselines
   - Develop baselines based on normal operating periods
5. User and Corporate Education
   - People are the weakest link, as technical defences can be circumvented through human exploitation
   - Explain the rationale for proposals and convince management by equating security benefit to bottom-line results
   - Emphasize the impact on the bottom line
6. Establish Platform Defense
   - Set up defensive procedures and emplace defensive platforms
   - Research applicable defensive mechanisms and their optimum employment
   - Understand how attackers may try to circumvent the defensive mechanisms
7. Establish Business Continuity & Disaster Recovery
   - Conduct regular drills
8. Maintain Balance
   - Ensure initiatives are followed up on
   - Continue to highlight evolving challenges and threats
   - Undertake applicability reviews
   - Patching
   - Check for compliance with law

---

### 2. Defending Your Turf & Security Policy Formulation

#### 4Ps of Defence

- Policies: the direction a company is going to take in order to achieve the goals it states in the policy
- Procedures: the detailed steps, standards and workflow necessary to achieve the milestones needed to ensure the policy is complied with
- Platforms: deployed to support the delivery and fulfillment of the procedures
- People: operate the platforms in the manner dictated by the procedures in order to attain and remain compliant with the policies

#### 4 Steps of Defending Networks & Systems

1. Vulnerability Identification
   - Keep track of both technical and non-technical issues in order to identify areas which need attention
2. Platform Lockdown
   - The principle of least privilege applies
   - Deploy Triple-A (authentication, authorization, accounting)
   - Implement logging mechanisms to record actions on critical servers and send the logs to a secured log server or write-once media, so that an intruder cannot tamper with the record
3. Monitor The Setup
   - Implement a management overlay to keep track of traffic, access, user numbers, etc., and ensure it is itself protected
   - Automate the alerting mechanism
4. Damage Control
   - If a breach is detected, implement containment procedures
   - Conduct triage to limit fallout and contain damage
   - Involve the forensics team to assess impact

---

### 3. Network 101

#### Sniffing

Sniffing is the capture and identification of network traffic, to give a better idea of the true nature of the traffic within your network.

The sniffer of choice for most IT security practitioners is Wireshark. **For the purpose of this certification, it is important for you to be proficient in the usage of Wireshark, as a significant portion of the examination involves analysis of network traffic.**

#### OSI Model

|Number|Name|
|---|---|
|Layer 7|Application|
|Layer 6|Presentation|
|Layer 5|Session|
|Layer 4|Transport|
|Layer 3|Network|
|Layer 2|Data Link|
|Layer 1|Physical|

#### Layer 2 Frames

A frame is like an envelope containing a letter: it has an address directed towards a recipient and some content inside.
##### Components of a frame

- Frame headers and trailers perform synchronization
- The header of a frame contains the MAC addresses of the origin and destination network adapters, in the format xx:xx:xx:yy:yy:yy (6 bytes)
- The first three bytes of a MAC address (the OUI) identify the adapter's manufacturer, which often hints at the type of device

##### Attacking Switches

Attackers can flood the Content Addressable Memory (CAM) table with bogus entries, using tools such as macof (from the dsniff suite), to use up CAM table space. Legitimate entries are crowded out and the switch can no longer tell which port a destination MAC address is on, so it falls back to forwarding frames out of every port (behaving like a hub) in an attempt to reach the destination, enabling attackers to sniff traffic within the network. Port security (limiting the number of MAC addresses learnt per port) is the usual countermeasure.

#### Layer 3 IP

The Internet Protocol is used to deliver packets from source to destination. As with frames, the source and destination addresses are stored in the IP header.

IP is connectionless, meaning there is no pre-established connection between sender and recipient; it relies on upper-layer protocols to ensure delivery and to reassemble the data in the right order at the destination.

IPv4 addresses are 32-bit, written as aa.bb.xx.yy. The last blocks of IPv4 address space were allocated in 2011, and IPv6 was developed to deal with the address shortage, using 128-bit addresses written in hexadecimal.

Routers are used to route packets: they receive a packet on one interface and forward it out another. A packet with no matching route is dropped.

##### Time To Live (TTL) Values

TTL values can be used to guess the operating system of a host, as the initial TTL is usually consistent across machines running the same operating system.
|OS|TTL|
|--|---|
|Windows 95|32|
|Linux|64|
|Windows XP/Vista/7/Server|128|

NOTE: *Each router hop decrements the TTL by one, so the value observed in a capture is lower than the initial value; rounding up to the closest of the values above (32, 64, 128) is generally sufficient to estimate the operating system*

##### Private IP Ranges

Due to the shortage of IPv4 addresses, certain ranges of IP addresses were reserved for use on private networks (RFC 1918):

- Class A: 10.0.0.0 through 10.255.255.255
- Class B: 172.16.0.0 through 172.31.255.255
- Class C: 192.168.0.0 through 192.168.255.255

These addresses are not routable over the internet, so anyone can use them as long as Network Address Translation (NAT) is performed at the border. Note that routing decisions are based on the destination address only: a packet whose source address is spoofed to fall within a private range is still forwarded, which attackers rely on in Distributed Denial of Service (DDoS) attacks. Border routers should therefore drop inbound packets with private source addresses.

##### Amplification Attacks Through IP Broadcast

Each network has a broadcast address; packets sent to it are delivered to all hosts within the network.

Attackers spoof the source IP address so that the replies are reflected onto a third party.

Smurf Attack:

1. The attacker sends a large (23KB) ICMP echo request with destination address 3.3.3.255 to the network 3.3.3.0/24, with source address 2.2.2.2
2. The gateway router of 3.3.3.0/24 receives the echo request, sees that the destination address is the broadcast address, and forwards the echo request to all hosts within the 3.3.3.0/24 network
3. All live hosts receive the echo request and respond with an ICMP echo reply, flooding the host at 2.2.2.2 with responses and possibly overwhelming it

Modern routers drop such directed broadcasts by default (RFC 2644), so this particular attack is mostly of historical interest; the same reflection idea lives on in DNS and NTP amplification.

#### Address Resolution Protocol (ARP)

ARP is used by a host to find out which network adapter address (MAC address) holds a given IPv4 address on the local network.
This system can result in some problems:

- ARP has no way of telling whether the information contained in an ARP reply is legitimate
- An attacker can send unsolicited ARP replies to hosts informing them that the IP address of a particular host is held by the attacker's MAC address
- The host accepts this ARP reply, poisoning its cache
- Any packets sent to that IP address are instead delivered to the attacker
- The attacker can "insert" himself between poisoned hosts, called a Man-In-The-Middle attack

##### Routing

Routing is the process of getting a packet from source host A to destination host B.

To send a packet to the internet, the gateway first has to be determined, which involves an ARP request to determine the MAC address of the gateway. Data is thus sent host-to-host, host-to-router, router-to-router.

#### Layer 4 TCP & UDP

##### Transmission Control Protocol (TCP)

TCP provides reliable, ordered and error-checked delivery of a stream of data between applications running on hosts communicating over an IP network.

##### Three-way Handshake

A three-way handshake must be completed between two hosts before data can be transferred between them over TCP.

Establishing a connection between Host A and Host B:

|Packet|Type|Direction|
|---|---|---|
|Packet 1|SYN|Host A --> Host B|
|Packet 2|SYN/ACK|Host A <-- Host B|
|Packet 3|ACK|Host A --> Host B|

Attackers can exploit this by sending a stream of SYN packets (usually with spoofed source addresses) and never sending the final ACK, so the target keeps assigning memory to half-open connections until its backlog is exhausted (a SYN flood). SYN cookies are the common mitigation: the server encodes the connection state in its initial sequence number instead of storing it.
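As an added example (not part of the original notes or the course material), the following Python code parses the 20-byte TCP header, names the flags the way Wireshark displays them, and tracks every connection through the three-way handshake so that a pile-up of half-open connections towards one server, the SYN-flood symptom described above, can be flagged. All packets are constructed in memory; the addresses, ports and the threshold of 100 half-open connections are arbitrary test values.

```python
"""TCP flag parsing and three-way-handshake tracking over a constructed packet stream.

Added example for these notes, not code from the OSSA course. The packets
below are built in memory; the addresses and ports are arbitrary test values.
"""
import struct
from collections import defaultdict

# Flag bits in the 13th byte of the TCP header (RFC 793 plus the ECN bits from RFC 3168).
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_HEADER_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset, flags, window, checksum, urgent


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header without options (checksum left as zero)."""
    data_offset = 5 << 4            # 5 x 32-bit words, stored in the upper nibble of byte 13
    return struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header; flags come back as sorted names."""
    sport, dport, seq, ack, offset_byte, flag_bits, window, _csum, _urg = struct.unpack(
        TCP_HEADER_FMT, raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "header_len": (offset_byte >> 4) * 4,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if flag_bits & bit),
    }


class HandshakeTracker:
    """Follow each client->server connection through SYN, SYN/ACK and ACK."""

    def __init__(self):
        # key: (client_ip, client_port, server_ip, server_port) -> state
        self.state = {}

    def feed(self, src_ip, dst_ip, raw_tcp):
        hdr = parse_tcp_header(raw_tcp)
        flags = set(hdr["flags"])
        fwd = (src_ip, hdr["sport"], dst_ip, hdr["dport"])   # key if this packet is from the client
        rev = (dst_ip, hdr["dport"], src_ip, hdr["sport"])   # key if this packet is from the server
        if "RST" in flags:
            # Either side tearing the connection down: forget it.
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif flags == {"SYN"}:
            self.state[fwd] = "SYN_SEEN"                     # half-open from here on
        elif flags == {"ACK", "SYN"}:
            if self.state.get(rev) == "SYN_SEEN":
                self.state[rev] = "SYNACK_SEEN"
        elif "ACK" in flags and self.state.get(fwd) == "SYNACK_SEEN":
            self.state[fwd] = "ESTABLISHED"                  # handshake complete
        return hdr

    def count(self, state):
        return sum(1 for s in self.state.values() if s == state)

    def half_open_by_server(self):
        """Number of connections per (server_ip, server_port) that never completed."""
        counts = defaultdict(int)
        for (_cip, _cport, sip, sport), st in self.state.items():
            if st != "ESTABLISHED":
                counts[(sip, sport)] += 1
        return dict(counts)

    def syn_flood_suspects(self, threshold=100):
        return [srv for srv, n in self.half_open_by_server().items() if n >= threshold]


def demo():
    """One legitimate handshake followed by 200 spoofed SYNs that are never completed."""
    t = HandshakeTracker()
    syn, synack, ack = TCP_FLAGS["SYN"], TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"], TCP_FLAGS["ACK"]
    t.feed("10.0.0.5", "10.0.0.80", build_tcp_header(40000, 80, 1000, 0, syn))
    t.feed("10.0.0.80", "10.0.0.5", build_tcp_header(80, 40000, 5000, 1001, synack))
    t.feed("10.0.0.5", "10.0.0.80", build_tcp_header(40000, 80, 1001, 5001, ack))
    for i in range(200):   # constructed flood: distinct spoofed sources, no final ACK
        t.feed(f"198.51.100.{i % 250 + 1}", "10.0.0.80", build_tcp_header(1024 + i, 80, i, 0, syn))
    return t


if __name__ == "__main__":
    tracker = demo()
    print("established:", tracker.count("ESTABLISHED"))
    print("half-open per server:", tracker.half_open_by_server())
    print("SYN flood suspects:", tracker.syn_flood_suspects())
```

The tracker keys connections by the client-side 4-tuple, so the server's SYN/ACK has to be matched with the tuple reversed; that is the same bookkeeping Wireshark does when it pairs packets into a conversation. A real sensor would also expire half-open entries after a timeout, otherwise one old scan inflates the count forever.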
##### Four-way Termination

A four-way termination is used to indicate that two hosts want to stop communicating.

Terminating a connection between Host A and Host B:

|Packet|Type|Direction|
|---|---|---|
|Packet 1|FIN/ACK|Host A --> Host B|
|Packet 2|ACK|Host A <-- Host B|
|Packet 3|FIN/ACK|Host A <-- Host B|
|Packet 4|ACK|Host A --> Host B|

Attackers can use FIN-flagged packets to conduct reconnaissance when a firewall stops SYN-flagged packets from getting through. A FIN normally belongs to an existing connection and triggers the four-way termination. If there is no existing connection, an RFC-compliant host replies with a RST when the port is closed and silently ignores the FIN when the port is open (this is what nmap's `-sF` scan relies on). Receipt of a RST shows that there is a live host behind the firewall. Note that Windows replies with a RST in both cases, so a FIN scan cannot distinguish open from closed ports there.

##### User Datagram Protocol (UDP)

UDP is a connectionless protocol that transfers datagrams between hosts on a best-effort basis. It is used for applications such as SNMP or DNS where speed is the priority.

UDP poses challenges to identifying services, as a response is only obtained under the following conditions:

- A target with an open service behind a UDP port receives a UDP packet with a payload matching that service's protocol (e.g., a DNS query payload sent to UDP port 53 receives a DNS response)
- A target with no service behind a UDP port returns an ICMP port unreachable message
- All other scenarios (a filtered port, or an open service that does not recognise the payload) result in no reply from the host, which is why scanners report such ports as `open|filtered`

#### Domain Name System (DNS)

DNS maps memorable domain names to IP addresses, allowing users to reach services without remembering addresses.
DNS Query:

- The client sends a DNS query (who is example.com?) to its resolver
- The resolver checks its cache for the record; if absent, it asks a root server, which refers it to the **.com** TLD servers, which in turn refer it to the authoritative name server for example.com
- The resolver receives the reply from the authoritative name server (example.com is 8.8.8.8)
- The resolver sends the response to the requester (example.com is at 8.8.8.8) and caches it

##### DNS Poisoning

A classic case of DNS poisoning starts with an attacker sending an email to the target containing a link to a domain controlled by the attacker. The client asks the ISP's DNS server to resolve it, and the ISP's resolver ends up querying the attacker's authoritative DNS server. The attacker's server can include bogus records in its replies; if the resolver accepts and caches them, that client and every other client of the resolver is redirected to malicious websites for the affected names. (Modern resolvers reject records outside the bailiwick of the queried domain for exactly this reason.)

DNS poisoning can also occur when an attacker positions himself along the path of a DNS response from the ISP DNS server to the client making the request. He can then rewrite the contents of the response with an arbitrary value, as plain DNS has no integrity protection.

---

### 4. Defensive Tools & Lockdown

#### Firewall

Firewalls act as barriers between network segments, deciding which traffic may cross from one to the other.

Firewalls come in multiple forms, which include but are not limited to:

- Appliance - firmware residing on a dedicated hardware platform
- Software - installed on a server as point defence
- Personal - for workstations and individuals

There are also different types of firewalls:

- Packet Filter

Sits between the internal network and the rest of the world, allowing packets to pass through it when travelling to and from the internal network and the internet. The packet filter compares each packet to a set of rules which decides whether the packet should be forwarded on to the next hop or discarded.
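As an added example (not from the course material and not any real firewall's code), here is a Python model of the two designs: a stateless packet filter with first-match rules and an implicit deny-all, and the stateful variant described under Stateful Packet Inspection below, which only admits inbound packets that open a connection or belong to a flow the inside already initiated. The rule set, addresses and probe packets are constructed for illustration.

```python
"""Stateless packet filter vs stateful inspection, modelled in a few dozen lines.

Added example for these notes, not part of any real firewall. Rule set,
addresses and packets are constructed test data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the internet, "out" = leaving the LAN
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flag names, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str            # "in", "out" or "any"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dport: str                # port number as a string, or "any"


def rule_matches(rule, pkt):
    """Match on the classic packet-filter fields only: direction, protocol, addresses, port."""
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and (rule.src == "any" or ip_address(pkt.src) in ip_network(rule.src))
            and (rule.dst == "any" or ip_address(pkt.dst) in ip_network(rule.dst))
            and (rule.dport == "any" or int(rule.dport) == pkt.dport))


def stateless_filter(rules, pkt):
    """First matching rule wins; a packet that matches no rule is implicitly denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same rules, plus a flow table so only replies to known connections get back in."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()    # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if pkt.direction == "out":
            verdict = stateless_filter(self.rules, pkt)
            if verdict == "allow":
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: a reply to a flow the inside opened is always fine.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        # Inbound TCP that is not a connection opener and belongs to no flow is bogus,
        # however well its ports happen to match an allow rule.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "deny"
        return stateless_filter(self.rules, pkt)


# Constructed policy: one exposed web server, internal hosts may initiate anything.
RULES = [
    Rule("allow", "in", "tcp", "any", "10.0.1.80/32", "80"),
    Rule("allow", "out", "any", "10.0.0.0/8", "any", "any"),
    # nothing else: implicit deny-all
]


def demo():
    """Verdicts of (stateless, stateful) for four constructed packets."""
    sf = StatefulFilter(RULES)
    probes = {
        # Normal connection attempt to the web server: both admit it.
        "syn_to_web": Packet("in", "tcp", "198.51.100.7", 51000, "10.0.1.80", 80, frozenset({"SYN"})),
        # ACK-only probe to port 80 with no prior SYN (nmap -sA style): ports alone satisfy
        # the stateless filter; stateful inspection rejects it.
        "ack_probe_to_web": Packet("in", "tcp", "198.51.100.7", 51001, "10.0.1.80", 80, frozenset({"ACK"})),
        # Unsolicited inbound packet to a workstation: no rule, both deny.
        "inbound_to_ssh": Packet("in", "tcp", "198.51.100.7", 51002, "10.0.0.5", 22, frozenset({"SYN"})),
    }
    results = {name: (stateless_filter(RULES, pkt), sf.decide(pkt)) for name, pkt in probes.items()}
    # A DNS reply is only legitimate because the workstation sent the query first.
    query = Packet("out", "udp", "10.0.0.5", 33333, "192.0.2.53", 53)
    reply = Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 33333)
    sf.decide(query)
    results["dns_reply"] = (stateless_filter(RULES, reply), sf.decide(reply))
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:18s} stateless={verdicts[0]:5s} stateful={verdicts[1]}")
```

The last probe shows why stateless filters end up with permissive "allow UDP from port 53" rules: without a flow table the only way to let DNS replies back in is to trust the source port, which an attacker can choose freely.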
Some firewalls reply (for example with an ICMP unreachable or a TCP RST) when they drop a packet. This is discouraged, because the reply confirms to a scanner that a filtering device is present; the firewall should instead silently drop packets which do not match any rule.

Packet filters compare packets to rules based on factors such as source address and port, destination address and port, and protocol.

As a result, packet filters are fast (they do not inspect payload data), easy to set up and compatible with almost all applications. Additionally, Network Address Translation (NAT) and Network Address Port Translation (NAPT) hide the internal addressing, which adds to the security packet filters provide.

- Stateful Packet Inspection (SPI)

SPI firewalls are similar to packet filters, but maintain state about each connection passing through them. They have built-in knowledge of the TCP/IP rules for data flow between two hosts and can therefore detect incorrectly sequenced packets and inconsistent IP protocol options.

Attackers cannot slip in packets that merely appear to be part of an existing connection: an ACK-only packet sent to port 80 without a preceding handshake is rejected, even if port 80 is open.

SPI helps to mitigate DoS attacks such as SYN floods, tracks established connections, allows inbound packets based on connection state, and is still relatively fast.

- Application Proxy

Proxies break the connection between server and client into two, acting as a middleman that handles a separate connection with each side. The proxy masks the IP stack and characteristics of the server it is protecting, so any fingerprinting attempt against the network stack hits the proxy and not the server. Additionally, if an attacker tries to make use of fragmented packets or malformed IP header fields, the internal server never receives those packets.

Certain proxies have knowledge of application-specific data and can therefore check the legality of traffic between the server and client.
(A web application proxy, for example, can check the legality of an HTTP GET request before forwarding it to the web server.)

One major disadvantage is that, being application specific, a proxy has to be written to handle each application protocol. A web application proxy cannot understand traffic meant for an FTP server.

- Proxy Firewall

Building on application proxies, a proxy firewall is able to perform payload-level inspection. It combines stateful packet inspection, proxy technology and application-protocol awareness.

Proxy firewalls still act like proxies: the firewall is a middleman that receives packets from clients and servers and examines the packets on both connections. It interrogates the behaviour and logic of what is being requested and returned, protecting against application-specific attacks. (For example, a web application firewall protects against attacks such as SQL injection and XSS, parameter or URL tampering and buffer overflows by analysing the contents of each incoming request and outgoing response.)

##### Firewall Rules of Thumb

- Block inbound packets (ingress) by default, allowing only the services you intend to expose
- Block outbound packets (egress) by default as well: compromised hosts and malware need to connect out
- Finish with an implicit deny-all, so anything not explicitly allowed is dropped

##### Firewall Deployment

- Internet -> External DMZ -> External FW -> Internal DMZ -> Internal FW -> Network (expensive, as it requires two sets of equipment)
- Internet -> FW -> DMZ / Network (a single firewall with multiple interfaces; risk of rule confusion)

#### Network Intrusion Detection System (NIDS)

A NIDS uses the traffic on its network segment as its data source, accomplished by placing the network interface card in promiscuous mode to capture all traffic that crosses it. Network-based detection involves looking at packets, which are considered to be of interest if they match a signature.
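As an added example (not part of the course notes, and not Snort rule syntax), here is a small Python matcher that implements the three signature types listed next, string, port and header-condition, and runs them over constructed packets. It includes a compound string signature that only fires when all of its parts are present, which is the technique the notes mention for cutting false positives.

```python
"""Minimal signature-based NIDS with string, port and header-condition signatures.

Added example for these notes; the signatures and packets are constructed for
illustration and are not Snort rules or real attack traffic.
"""
import re


def string_sig(name, dport, *patterns):
    """String signature: every regex must appear in the payload (compound if more than one)."""
    return {"name": name, "type": "string", "proto": "tcp", "dport": dport,
            "patterns": [re.compile(p) for p in patterns]}


def port_sig(name, dport):
    """Port signature: a connection attempt (SYN) to a port that should be unused."""
    return {"name": name, "type": "port", "proto": "tcp", "dport": dport}


def header_sig(name, predicate):
    """Header-condition signature: an illogical or dangerous header combination."""
    return {"name": name, "type": "header", "check": predicate}


SIGNATURES = [
    string_sig("cmd.exe requested over HTTP", 80, rb"(?i)cmd\.exe"),
    # Compound signature: "../" alone is noisy; "../" together with /etc/passwd is not.
    string_sig("directory traversal to /etc/passwd", 80, rb"\.\./", rb"/etc/passwd"),
    port_sig("connection attempt to telnet (unused here)", 23),
    header_sig("SYN and FIN set together", lambda p: {"SYN", "FIN"} <= p["flags"]),
    header_sig("source address equals destination (Land attack)", lambda p: p["src"] == p["dst"]),
]


def matches(sig, pkt):
    if sig["type"] == "string":
        return (pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"]
                and all(rx.search(pkt["payload"]) for rx in sig["patterns"]))
    if sig["type"] == "port":
        return pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"] and "SYN" in pkt["flags"]
    return sig["check"](pkt)


def inspect(pkt):
    """Return the names of all signatures the packet triggers (empty list if none)."""
    return [sig["name"] for sig in SIGNATURES if matches(sig, pkt)]


def packet(src, dst, dport, flags=("ACK", "PSH"), payload=b"", proto="tcp"):
    """Constructed packet record: only the fields the signatures look at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": set(flags), "payload": payload}


# Constructed sample traffic; addresses are arbitrary.
SAMPLE = {
    "normal_get": packet("10.0.0.5", "10.0.1.80", 80, payload=b"GET /index.html HTTP/1.1\r\n"),
    "traversal": packet("10.0.0.9", "10.0.1.80", 80,
                        payload=b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n"),
    "iis_unicode": packet("10.0.0.9", "10.0.1.80", 80,
                          payload=b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    "telnet_probe": packet("10.0.0.9", "10.0.1.80", 23, flags=("SYN",)),
    "syn_fin_scan": packet("10.0.0.9", "10.0.1.80", 80, flags=("SYN", "FIN")),
    "land": packet("10.0.1.80", "10.0.1.80", 139, flags=("SYN",)),
}


def run_all():
    return {name: inspect(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(f"{name:14s} -> {alerts or 'no alert'}")
```

The `iis_unicode` packet contains `../` but not `/etc/passwd`, so only the `cmd.exe` signature fires; a single-string `../` rule would have alerted on both it and plenty of legitimate traffic, which is the false-positive problem compound signatures address.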
There are three primary types of signatures:

- String Signatures: look for text strings that indicate a possible attack; false positives can be reduced by using compound string signatures that require several strings to be present together
- Port Signatures: watch for connection attempts to well-known ports; attempts directed at ports that are not in use are an indication of suspicious activity
- Header Condition Signatures: watch for dangerous or illogical combinations in packet headers (for example SYN and FIN set in the same packet)

A NIDS requires a connection to the network segment it monitors, which can be via a hub, switch port mirroring (SPAN) or a network tap.

An example of a NIDS is [Snort](http://www.snort.org)

#### Host-based Intrusion Detection System (HIDS)

A HIDS focuses on monitoring and analyzing the internals of a system rather than its external interfaces. It usually uses a database of system objects it should monitor and can also check that appropriate regions of memory have not been modified.

Some problems with HIDS include:

- Many HIDS can only monitor certain types of systems
- HIDS do not have access to the core communication functionality of the system and are incapable of fending off attacks against the protocol stack
- They cannot warn before something happens, only detect the change afterwards
- Expensive

An example of a HIDS is [Tripwire](http://sourceforge.net/projects/tripwire)

#### Honeypots

A honeypot is a trap set to detect, deflect or counteract attempts at unauthorized use of information systems. It generally consists of a computer system, data or a network that appears to be part of the production network but is actually isolated, protected and monitored, and which seems to contain information or resources of value to attackers.

##### Low-Interaction Honeypots

Low-interaction honeypots allow attackers only limited interaction; they normally work by emulating services and operating systems.
Advantages:

- Easy to deploy and maintain, with minimal risk
- Requires only the installation of software: the OS and services to be emulated and monitored
- Emulated services contain the attacker's activity; the attacker never has access to a real OS

Disadvantages:

- Logs only limited information and is designed to capture known activity
- Easy for an attacker to detect a low-interaction honeypot

##### High-Interaction Honeypots

High-interaction honeypots are more complex solutions which involve real operating systems and applications. Nothing is simulated; attackers access real services.

Advantages:

- Can capture extensive amounts of information. Giving attackers real systems to interact with means their full behaviour can be learnt
- Provides an open environment that captures all activity, allowing high-interaction solutions to reveal unexpected behaviour

Disadvantages:

- Risk is increased, as attackers can use the real OS to attack non-honeypot systems; outbound traffic from the honeypot must be tightly controlled
- More complex to deploy and maintain

##### Common Errors In Deploying Honeypots

- Creating a contiguous range of fake hosts which all have exactly the same characteristics
  - An attacker only has to scan the entire target range to identify hosts which appear to have the same configuration
  - In normal enterprise environments, real servers are deployed according to business requirements and are rarely exactly identical
  - Make each honeypot host as unique as possible and spread them across the IP subnet

An example of a honeypot is [Honeyd](http://honeyd.org)

#### Cryptography

Cryptography is the field of mathematics and computer science concerned with protecting information: encryption for confidentiality, and hashing and signatures for integrity and authentication.
##### Transposition Cipher

A transposition cipher changes the position of characters: a character from the plaintext is moved to a different position in the ciphertext. An example of a transposition cipher is the Railfence Cipher.

```raw
WE ARE DISCOVERED FLEE AT ONCE

W R I O R F E O E
E E S V E L A N R
A D C E D E T C X
```

##### Substitution Cipher

A substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext according to a regular system.

```raw
Plaintext alphabet:  abcdefghijklmnopqrstuvwxyz
Ciphertext alphabet: ZEBRASCDFGHIJKLMNOPQTUVWXY

Message: Flee at once, we are discovered
Cipher:  SIAA ZQ LKBA, VA ZOA RFPBLUAOAR
```

##### Block Cipher

Block ciphers are symmetric-key ciphers which operate on fixed-length groups of bits as plaintext and ciphertext. Examples include Data Encryption Standard (DES), Triple DES (3DES) and Advanced Encryption Standard (AES).

##### Stream Cipher

Stream ciphers are symmetric ciphers in which plaintext digits are encrypted one at a time and the transformation applied to successive digits varies during encryption. Examples include Rivest Cipher 4 (RC4), HC-256 and CryptMT.

Stream ciphers are preferred over block ciphers where lower-latency encrypted communication is desired. For example, RC4 is used as the cipher for WEP and WPA encryption in the 802.11 wireless networking implementation.

##### Uses of Cryptography

1. Proving Integrity by Hashing

A hash function examines the input data and produces an output of a fixed length, called a hash value. Even if two inputs differ by only one bit, the outputs will differ significantly. If two hashes from the same function are different, the inputs are definitely different. Examples of hash algorithms include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).

2. Sending Data Using Symmetric Key Encryption

Symmetric-key algorithms are a class of cryptographic algorithms that use the same key for encryption and decryption. In practice, the key represents a shared secret between two or more parties that can be used to maintain a private information link. It is not feasible for cases involving large numbers of people: the compromise of one key requires changing keys for all parties involved, while having a different key for everyone means maintaining a whole array of keys per person.

3. Remote Networking Using Virtual Private Networking

VPNs use symmetric key encryption to encrypt communications between two end points.

a. Transport Mode with Authentication Header (AH):

```raw
<-----Original IP Packet----->
--------------------------------------------------------
| Data | TCP/UDP | IP Header | AH | Original IP Header |
--------------------------------------------------------
<---------------------Signed by AH--------------------->
```

AH used in transport mode creates a checksum of the original IP packet and stores the hash within the AH. The IP header is added as the new header of the packet. At the destination, the hash of the payload is calculated again and checked against the AH to ensure that it has not been modified. AH in transport mode helps to ensure the integrity of the packet.

b. Transport Mode with Encapsulating Security Payload (ESP):

```raw
<-----Original IP Packet----->
------------------------------------------------------------------------------------------------
|ESP Auth Trailer | ESP Trailer | Data | TCP/UDP | IP Header | ESP Header | Original IP Header |
------------------------------------------------------------------------------------------------
<---------Encrypted with ESP Header-------->
<---------------Signed by ESP Auth Trailer-------------->
```

ESP used in transport mode encrypts the original IP packet together with the ESP header. The data within this portion of the packet is now unreadable to anyone without the decryption key. The ESP Auth Trailer is then used to create a checksum of the now-encrypted packet. The original IP header is then inserted at the head of the packet. At the destination, a hash of the encrypted portion of the packet is generated and compared to the ESP Auth Trailer to ensure it has not been modified; the packet is then decrypted using the ESP header. ESP in transport mode ensures both the confidentiality and the integrity of the packet.

c. Tunnel Mode with AH

```raw
<-----Original IP Packet----->
---------------------------------------------------
| Data | TCP/UDP | IP Header | AH | New IP Header |
---------------------------------------------------
<---------------------Signed by AH---------------->
```

AH in tunnel mode works the same way as AH in transport mode, with the exception that a new IP header is added to the head of the packet instead of re-using the original IP header.

d. Tunnel Mode with ESP

```raw
<-----Original IP Packet----->
-------------------------------------------------------------------------------------------
|ESP Auth Trailer | ESP Trailer | Data | TCP/UDP | IP Header | ESP Header | New IP Header |
-------------------------------------------------------------------------------------------
<---------Encrypted with ESP Header-------->
<---------------Signed by ESP Auth Trailer-------------->
```

ESP in tunnel mode works the same way as ESP in transport mode, with the exception that a new IP header is added to the head of the packet instead of re-using the original IP header.

In transport mode, the original IP header remains unmodified while only the payload is authenticated and/or encrypted. Transport mode is incompatible with networks where communication must pass through NAT.

In tunnel mode, the entire IP packet is authenticated and/or encrypted, and a new IP header is added to the packet. It is generally used for end-to-end communications (gateway-to-gateway).

4. Sending Data Using Public-Key Cryptography

Public key cryptography is a form of cryptography which allows users to communicate without having prior access to a shared key. This is done by using key pairs, designated public and private keys. It should not be possible to deduce the private key given the public key. Public-key cryptography can be used to perform encryption (keeping a message secret from anyone who does not possess a specific private key) as well as digital signatures (allowing anyone to verify that a message was created using a specific private key).

```raw
recipient's public key + plaintext = ciphertext
ciphertext + recipient's private key = plaintext
```

5. Proving Identity Using Digital Signatures

Digital signatures are encryption schemes for authenticating digital information.
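The hashing-for-integrity use above, as an added Python example that is not part of the original notes: it shows the avalanche effect (a one-bit input change flips roughly half the digest bits) and then the baseline-and-compare check that Tripwire-style HIDS and the checksum defence against traditional rootkits rely on. SHA-256 stands in for the MD5/SHA family named above; all paths and file contents are constructed and nothing is read from disk.

```python
"""Hashes as integrity evidence: avalanche effect and a baseline comparison.

Added example, not part of the original notes. A one-bit change in the input
flips roughly half of the hash bits, and a baseline of hashes taken from a
clean system later reveals replaced executables, which is the check that
Tripwire-style HIDS and the "checksums" defence against rootkits rely on.
SHA-256 stands in for MD5/SHA; paths and file contents are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest of arbitrary-length input, as hex."""
    return hashlib.sha256(data).hexdigest()


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit flipped (bit 0 is the LSB of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def build_baseline(files: dict) -> dict:
    """Snapshot a clean system: path -> digest of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify the current file set against the baseline.

    Returns sorted path lists under 'modified', 'unchanged', 'added', 'removed'.
    A 'modified' system binary is the signature of a traditional rootkit.
    """
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "unchanged": sorted(p for p in baseline if p in now and now[p] == baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }


# Constructed "clean" snapshot taken while the system was still trusted.
CLEAN_SYSTEM = {
    "/bin/ls": b"ELF ls v1: list directory entries",
    "/bin/ps": b"ELF ps v1: list running processes",
    "/sbin/sshd": b"ELF sshd v1: secure shell daemon",
}

# Constructed later snapshot: ps has been replaced (hides selected processes),
# an unknown library has appeared, ls and sshd are untouched.
LATER_SYSTEM = {
    "/bin/ls": CLEAN_SYSTEM["/bin/ls"],
    "/bin/ps": b"ELF ps v1: list running processes, except a chosen few",
    "/sbin/sshd": CLEAN_SYSTEM["/sbin/sshd"],
    "/usr/local/lib/libunknown.so": b"ELF shared object of unknown origin",
}


def avalanche_demo(sample: bytes = b"WE ARE DISCOVERED FLEE AT ONCE", bit: int = 3) -> int:
    """Bits differing between the digests of `sample` and `sample` with one bit flipped."""
    return hamming_bits(sha256_hex(sample), sha256_hex(flip_one_bit(sample, bit)))


if __name__ == "__main__":
    print("bits changed by a 1-bit input change:", avalanche_demo(), "of 256")
    report = compare_to_baseline(build_baseline(CLEAN_SYSTEM), LATER_SYSTEM)
    for status, paths in report.items():
        print(f"{status:>9}: {paths}")
```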
6. Ransomware

Ransomware is malicious software which uses asymmetric encryption to encrypt files in order to extort money from victims in exchange for the private key needed to decrypt their files.

##### Trust Standards: Public Key Infrastructure (PKI)

PKI is an arrangement which provides for third-party vetting of, and vouching for, user identities. Public keys are typically contained in certificates. PKI arrangements enable users to authenticate to each other and to use the information in identity certificates to encrypt and decrypt messages travelling back and forth. A PKI usually consists of client software, server software, hardware and operational procedures. A user may digitally sign messages using his private key, and another user can check the signature using the public key contained in the signer's digital certificate. An example of such software is [GNU Privacy Guard (GPG)](http://www.gnupg.org)

---

### 5. The 5E Attacker Methodology

#### Preparation

- Sandboxing

Consider tools untested and suspicious until proven otherwise. Do not test production or live systems with unproven tools; instead, use sandboxing: a controlled environment where tools can be tested without fear of impact on production networks. Some tools that can be used include VMware and VirtualBox.

Characteristics:

- Must not be connected to production systems or networks
- Must not be used for production purposes
- Must be tightly controlled for effects or changes made to the system and/or network
- Preferably something which does not save the state of the machine, or which allows snapshots so that it can be rolled back to a known untainted state

- Tool Repositories

Examples of resources which house zero-day vulnerabilities include the [Full Disclosure Mailing List](http://nmap.org/mailman/listinfo/fulldisclosure), [Exploit-DB](http://exploit-db.com) and [Packet Storm](http://packetstormsecurity.com)

- Checking Tool Authenticity

#### Exploration

Exploration is usually the first phase in an attacker's attempt to understand more about the target. It is usually the longest phase: even though it is simple in concept and execution, it must be repeated multiple times for multiple leads.

##### Human-Driven Approach

This approach utilises physical human effort and geographic placement to initiate the hunt for and recovery of information.

- Human Engineering: The process of exploiting the weaknesses in human beings; plays on the natural tendency to trust
- Dumpster Diving: Refers to collecting trash in the hope of obtaining information, as many people tend to throw away valuable information
- Physical Intimidation: Intrusion, impersonation

##### Computer Aided Approach

This approach uses the internet and public technical resources to obtain the desired information.
- Scoping Out Forums: People who ask questions when trying to solve a problem often leave tell-tale clues as to who they work for and what platforms they use
- Domain Registrars & WHOIS: ICANN requires domain registrants to enter valid contact information; the administrative and technical contacts are prime candidates for information harvesting
- DNS Servers: Zone transfers, reverse lookups and other queries can be run against the nameservers for a given domain, yielding vital clues about the setup of a target's internal network

#### Enumeration

Armed with the information gathered during exploration, this is the next step in an attacker's attempt to determine as many weaknesses as possible in the target. Techniques include, but are not limited to: wardriving, wardialing, port scanning, OS discovery, tracerouting, vulnerability assessment and web-based vulnerability testing.

The procedure usually is to:

1. Port scan the target for a list of open, closed or filtered ports
2. Attempt to identify the type of service behind each open port via default content, error displays or fonts
3. Attempt to determine whether the application is vulnerable
4. Identify the OS via TTL values and services
5. Try to identify the routes into and out of the network and its topology

##### Enumeration Tools

- NMAP: Classic port scanning tool with ping sweeping, port scanning and OS discovery
- Unicornscan: Scans UDP ports much faster than NMAP
- Nessus: Classic vulnerability assessment tool; it is recommended to check for application vulnerabilities on [CVEDetails](http://cvedetails.com) / [National Vulnerability Database](http://web.nvd.nist.gov/view/vuln/search) / [Common Vulnerabilities & Exposures](https://cve.mitre.org/cve/cve.html)
- HTTPrint: Tool used to determine a web application's type and version
- AMAP: Port scanning tool for applications
- Online Services
- Brain, Logic & Common Sense

#### Exploitation

Once a target has been enumerated, the attacker moves on to attempt to gain control over the target via any weaknesses found during enumeration. Exploitation can be performed using any of the following (in increasing order of difficulty): ready-made tools from repositories, exploit-code compilation, techniques & methods, self-crafted tools.

##### Spoofing & Man-in-the-Middle Attacks

Spoofing is the act of assuming somebody or something's identity in order to hide one's true identity, especially when sending malicious traffic, to confuse incident handlers and investigators, or to insert oneself into an established connection or data flow.

An example of such an exploit is ARP poisoning. An overview of how ARP poisoning works is as follows:

- Target requests a remote SSL connection to the server and gets the attacker's IP
- Target establishes an SSL connection with the attacker
- Attacker establishes an SSL connection with the actual server and forwards traffic between both
- Target now sends data to the server which the attacker can see

##### Denial of Service

Denial of Service is an attempt to disrupt the availability component of the CIA triad. The most common usage is sending specially crafted packets to vulnerable applications, or sending large amounts of traffic that consume CPU cycles, network bandwidth, memory and storage. DoS has evolved into a volumetric-traffic-based attack called distributed DoS (DDoS).

DDoS attacks are launched from legions of compromised and controlled hosts that can be marshalled into a concerted strike against a single target or group of targets. For instance, a 16KB ICMP request packet sent from 10000 hosts amounts to 1.2GB of packets. These hosts are tasked with various methods to bring down the target's services, mainly through exhaustion of the target's network bandwidth as opposed to hardware resources.

A bot or zombie client is a program capable of performing functions issued from a controller. A botnet is a collection of infected hosts. Bots are usually installed on unsuspecting users' systems through exploits of OS vulnerabilities, trojans or the payloads of worms. On activation, bots typically join channels on IRC servers and listen for commands from controllers. An example is PhatBot.

##### Exploit Fundamentals

- Buffer/Heap Overflows: The most commonly seen exploit type, considered the most easily exploitable condition. Caused by a lack of programmatic checks in the handling of user-supplied variables, which leads to execution of arbitrary code. The exploit is based on how data can be overflowed outside of its assigned space into the memory space of other data, changing the way the program runs.
- Shell Code: A small piece of assembly language used to launch programs; can be found on [Shell Storm](http://www.shell-storm.org/shellcode) and [Packet Storm](https://packetstormsecurity.com/files/tags/shellcode/). There are two types of shell: BIND shells, which listen on previously closed ports allowing attackers to connect to the shell, and REVERSE shells, used when firewalls block all access to closed ports; a reverse shell instead initiates an outbound connection.
- Format String Vulnerability: Incorrectly used format specifiers in C functions, allowing attackers to overwrite or insert data into memory locations so as to run arbitrary code.
- Metasploit Framework: Provides useful information for performing penetration testing, IDS signature development and exploit research

##### Web Applications

- Web-recon tools: Netcat, Stunnel, HTTPrint
- Web-fuzzing tools: Spike Proxy, WebScarab, Crowbar, JBroFuzz
- Web-interception tools: Achilles, Paros, Burp Proxy, SSLstrip
- Web-session management: CookieDigger

Web Servers vs Web Applications:

- Web Server: A network service that serves up content residing on the web server or behind it (e.g. Apache, IIS).
- Web Application: Customized content, modules or functionality served up by a web server and requiring a web server to run (e.g. internet login portals, search forms).

Weaknesses in a web server do not equate to weaknesses in web applications. Web apps often require manual testing effort because they are customized, as opposed to web servers, which are tested using standardized tools. It is also important to look at web applications because they are constantly targeted by attackers, since network-layer protection cannot be used to stop or detect application-layer attacks.
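The defender's counterpart to the ARP poisoning walk-through above, as an added Python example that is not part of the original notes: a passive watcher that learns IP-to-MAC bindings from observed ARP replies and alerts when an IP suddenly claims a new MAC or one MAC claims more IPs than a host legitimately should. The reply records, addresses and timestamps are constructed; in practice they would come from a sniffer on the segment, the way a NIDS sees them.

```python
"""Passive ARP-poisoning detection over ARP reply records.

Added example, not part of the original notes. Learn IP -> MAC bindings from
observed ARP replies and alert when an IP suddenly claims a new MAC, or when
one MAC claims more IPs than a host legitimately should. The reply log below,
its addresses and timestamps are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed ARP replies: (timestamp, sender IP, sender MAC).
# 10.0.0.1 is the gateway; aa:bb:cc:dd:ee:99 is a host that later claims to be it.
SAMPLE_REPLIES = [
    ("10:00:01", "10.0.0.1",  "00:11:22:33:44:01"),
    ("10:00:02", "10.0.0.20", "00:11:22:33:44:20"),
    ("10:00:03", "10.0.0.21", "00:11:22:33:44:21"),
    ("10:00:10", "10.0.0.1",  "AA:BB:CC:DD:EE:99"),  # gateway IP now maps to a new MAC
    ("10:00:11", "10.0.0.20", "aa:bb:cc:dd:ee:99"),  # same MAC also takes over a client
    ("10:00:12", "10.0.0.21", "00:11:22:33:44:21"),  # benign refresh of a known binding
]


@dataclass
class ArpWatcher:
    """Keeps the learnt bindings; `max_ips_per_mac` allows legitimate multi-homed hosts."""
    max_ips_per_mac: int = 1
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: defaultdict = field(default_factory=lambda: defaultdict(set))

    def observe(self, ts: str, ip: str, mac: str) -> list:
        """Record one ARP reply and return the alerts it raises (empty when benign)."""
        alerts = []
        mac = mac.lower()  # normalise so case differences do not hide a change
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ts} IP {ip} changed from {known} to {mac} (possible ARP poisoning)")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            alerts.append(f"{ts} MAC {mac} now claims {sorted(self.mac_to_ips[mac])} (possible MitM)")
        return alerts


def scan(replies, max_ips_per_mac: int = 1) -> list:
    """Run the watcher over a sequence of replies and collect every alert."""
    watcher = ArpWatcher(max_ips_per_mac=max_ips_per_mac)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(watcher.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```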
Netcat: a web-server reconnaissance tool which can be used to send crafted HTTP requests

##### OWASP Top 10

It is a list compiled by the Open Web Application Security Project which outlines the 10 most common and major web application flaws.

1. Unvalidated input
2. Broken access controls
3. Broken authentication and session management
4. Cross site scripting flaws
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application DoS
10. Insecure configuration management

##### Password Cracking

- Windows Passwords: SAM Database

The SAM database is the part of Windows which stores two cryptographic hashes of the passwords of all user accounts located on it: LAN Manager (case insensitive, LM hash built with DES, maximum of 14 characters) and Windows NTLM (case sensitive, uses MD4).

- Rainbow Tables: A database of all possible plaintext-ciphertext pairs, meaning that each hash does not need to be recalculated; since the pre-computation is already done, ciphertext can be cracked in a shorter time.

An example of a password-cracking program is OPHCrack.

#### Embedding

Embedding is the action undertaken by attackers to retain access in case of a future need. The access established usually does not use the same exploit as was used in gaining initial access.

1. Backdoors

A means of accessing a computer system or application that its maintainers or users are usually not aware of. Regular protocols used to evade detection include ICMP, P2P and HTTP; commands are tunnelled inside the protocol payload field. An example is id Software's backdoor in Quake2, allowing unlogged remote RCON access to any Quake2 server.

2. Trojans

A tool which grants administrator-level control to an attacker; most require end-user interaction in order to be planted. Examples include Assassin and LANfiltrator.

3. Rootkits

A program which buries itself into a host's OS and hides its presence by feeding false information to programs attempting to access selected processes, other parts of the OS or other programs.

- Traditional Rootkits: Replace critical OS executables to give the attacker back-door access and hide on the system. Often requires the attacker to already have root access; allows the attacker to maintain root-level access by implementing a backdoor and hiding evidence of the system compromise.
- Kernel Rootkits: The kernel controls applications and system executables, which make calls to it called syscalls. Kernel rootkits modify these syscalls and can hide files, directories, processes and network connections without modifying any system binaries. They work by intercepting syscalls, performing a modified action and delivering the results back to the application or system executable which called it.

##### Defence Against Embedding Tools

- Checksums: Take a baseline checksum for later comparison, since traditional rootkits replace system executables
- System.map: Kernel rootkits modify the table holding syscall addresses, replacing kernel syscalls with pointers to the module's replacement functions. This table is described by System.map, and comparing the map against the actual addresses of all syscalls can reveal differences.
- kern_check.c: Compares System.map against the kernel syscall table
- CheckIDT
- check-ps: Detects hidden processes
- Kstat
- samhain

#### Egress

Egress is defined as the act of an attacker removing evidence that may indicate his or her actions.

1. File Hiding

- Linux
  - Prefix with a `.` to hide files or directories
  - Can be shown using `ls -a`
- Windows - File Attributes
  - Set the attributes of files to hidden to avoid casual detection
  - In NTFS filesystems, specific permissions can be set to prevent files being deleted
- Windows - Alternate Data Streams (ADS): used to hide files behind visible files
- Windows - Advanced & Persistent ADS
  - Can be performed by a 2-stage process using `\\?\` and protected device names
  - Create or access persistent files using immutable protected device name strings: `type 'path&filename'\CON:'filename'`

2. Log Modification/Removal

- Linux
  - Uses the `syslog` service to keep a record of events that occur in the OS; the configuration file is found at `/etc/syslog.conf`
  - Most logs are stored in `/var/log`
  - Current logins: `/var/run/utmp`
  - Past logins: `/var/log/wtmp`
  - Previous login records: `/var/log/lastlog`
- Windows
  - Default log path is `%SystemRoot%\System32\Config`
  - Event Viewer is the program used to view log entries
  - To delete logs, the EventLog service has to be stopped, which violates the Windows NT security model, triggering an automatic reboot in 60 seconds. The attacker would need to navigate to the directory and remove the logs or replace them with altered copies within those 60 seconds. This can be negated with a rootkit.

3. Executable Removal

Binaries that cannot be hidden would have to be removed securely, through tools such as Eraser

#### Reporting

Reporting of a penetration test or audit should be done face-to-face to ensure the right perception of the results; avoid sending large teams, and ensure reports are delivered to the client in person.

---

### 6. Wireless Insecurity

#### 802.11 Basics

Security/encryption implementations for WLAN include:

1. Open

Anyone can connect; typically used in hotspots and can be used as a jump-off point for attacks

2. Wired Equivalent Privacy (WEP)

Characteristics: Uses 40/64 or 104/128 bit keys as standard; was part of the 802.11i standard

WEP revolves around a stream cipher, the RC4 encryption algorithm. Data is encrypted as it is fed into the cipher to produce a stream of ciphertext via an XOR operation based on a random initialization vector and a pre-shared key. WEP also uses a CRC algorithm to test the integrity of a transmitted packet. A weakness of this implementation is the possibility of IV collisions.

3. WiFi Protected Access - Pre-Shared Key (WPA-PSK)/WPA2-PSK

Characteristics: Uses TKIP in place of WEP; uses an ASCII passphrase up to 64 characters long to derive the key hierarchy used by TKIP, aka Simple Secure Network (SSN) for WPA-PSK and Robust Secure Network (RSN) for WPA2-PSK

Problems: Can be broken in under 5 minutes at 150mbps with a steady flow of traffic if ARP-replay injection is used. Also breakable if the passphrase is dictionary-guessable or if the first two frames of the 4-way handshake are captured. These problems demonstrate the need for more robust forms of 802.11 frame encryption

4. WPA/WPA2

Characteristics: Similar to WPA/WPA2-PSK but uses 802.1X together with an authentication server to generate the key hierarchy in place of the pre-shared key element. The master key is now considered truly random and is not known to be crackable using the current generation of WPA-cracking tools.

5. VPNoL

Characteristics: Uses a VPN architecture riding at layer 3 over the WLAN, independent of frame-layer payload encryption; effective even if 802.11-level security is breached by current or future attacks.

#### Attacks

- Warchalking: Tool to search for free 802.11 services in the area
- Wardriving: Active search for free WLAN access; considered a crime in many countries.
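The WEP weakness named under 802.11 Basics above (RC4 keyed with IV and pre-shared key, IV collisions), as an added Python example that is not part of the original notes: textbook RC4 checked against the public "Key"/"Plaintext" test vector, WEP-style framing with a 24-bit IV, the observation that two frames under one IV leak the XOR of their plaintexts to a passive listener, and the birthday bound that makes such a repeat likely after only a few thousand frames. The PSK and frames are constructed; the CRC-32 ICV that real WEP appends is omitted.

```python
"""WEP keystream reuse under RC4: why the 24-bit IV is a weakness.

Added example, not part of the original notes. WEP keys RC4 with IV || PSK and
XORs the keystream over each frame. This implements textbook RC4 (KSA + PRGA),
checks it against the public "Key"/"Plaintext" test vector, and then shows the
consequence of an IV collision: two frames sent under the same IV leak the XOR
of their plaintexts to anyone sniffing. The PSK and frames are constructed;
the CRC-32 ICV that real WEP appends is omitted. Standard library only.
"""
import math
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same operation (XOR with keystream)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


IV_BYTES = 3  # WEP's per-frame IV is 24 bits and is transmitted in the clear


def wep_encrypt(psk: bytes, iv: bytes, frame: bytes) -> bytes:
    """WEP-style frame encryption: RC4 keyed with IV || PSK."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 24 bits")
    return rc4(iv + psk, frame)


def iv_collision_leak(psk: bytes, iv: bytes, frame_a: bytes, frame_b: bytes) -> bytes:
    """What a passive observer learns from two frames sharing one IV: P_a XOR P_b.

    The observer never needs the PSK: C_a XOR C_b = (P_a XOR K) XOR (P_b XOR K) = P_a XOR P_b.
    """
    return xor_bytes(wep_encrypt(psk, iv, frame_a), wep_encrypt(psk, iv, frame_b))


def frames_until_collision_likely(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Smallest n for which n random IVs contain a repeat with the given probability."""
    space = 2 ** iv_bits
    n = 1
    while 1.0 - math.exp(-n * (n - 1) / (2.0 * space)) < probability:
        n += 1
    return n


# Constructed demonstration data
PSK = b"\x13\x37\xca\xfe\xf0"            # 40-bit WEP key (constructed)
FRAME_A = b"GET /index.html HTTP/1.0"    # two same-length frames
FRAME_B = b"GET /admin.html HTTP/1.0"

if __name__ == "__main__":
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"  # public RC4 test vector
    iv = os.urandom(IV_BYTES)
    leak = iv_collision_leak(PSK, iv, FRAME_A, FRAME_B)
    print("P_a XOR P_b recovered without the key:", leak == xor_bytes(FRAME_A, FRAME_B))
    print("frames before a repeated IV becomes likely:", frames_until_collision_likely())
```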
#### Typical WLAN Deficiencies

- Not enabling frame-level encryption (WPA/WPA2)
- Using dictionary-based WPA-PSK passphrases
- Not turning off SSID broadcasts in beacon frames
- Not using MAC or IP address filtering
- Not segmenting the WLAN as a DMZ
- Not turning off unneeded AP services (telnet, SNMP)
- Leaving AP settings at their defaults (logins, passwords)
- SSID defaulted/revealing
- Not minimizing RF emanations

---

### 7. Incident Response & Computer Forensics

#### Incident Response Framework

Reasons for Incident Response capabilities:

- Ability to respond to incidents in a consistent, systematic manner
- Minimize impact to the business due to damage, theft or denial of service
- Better prepare for handling future incidents and provide feedback for enhancing current security practices
- Proper handling of legal issues that might stem from an incident

NOTE: **Refer to the Threat-Liability Disruption Potential Matrix in the coursebook for a tool to identify the risks of scenarios**

Incident policies dictate management's commitment to the scope and definition of security incidents, and spell out the response structure, prioritization, performance measures and reporting of such incidents within the organization.

IR teams are usually structured according to the following models:

- Team Model: Centralized incident response team for single-campus deployments; distributed incident response team for multi-location deployments
- Staffing Model: In-house, fully-outsourced or partially-outsourced teams depending on different factors

Factors to consider for in-house or outsourced IR teams: need for 24/7 availability, cost of hiring, development, maintenance, time commitment

##### Incident Response Phases

Phase 1: Preparation

- Policies & Procedures
  - Develop incident scenarios, DRP and BCP plans
  - Establish chain of command and hot-button list
  - Determine escalation thresholds and procedures
  - Determine PR and legal involvement
- Communications & Facilities
  - Encryption software
  - Incident reporting mechanism
  - Secure storage facility
  - Pagers, mobile phones
  - War room
  - Offsite recovery centers
- IR Kit (Hardware & Software)
- Technical & Documentary Resources

Phase 2: Detection & Analysis

- Likely precursor (sign that an incident may occur in the future) or indication (sign that an incident may be occurring or has occurred) sources
  - NIDS/HIDS
  - Antivirus software
  - File integrity checks
  - Third party monitoring services
  - Logs from OS, services or applications
  - Network device logs
  - Honeypot logs
  - Information on new vulnerabilities, exploits or incidents at other sites
  - People from within or outside of the organization
- Effective Analysis
  - Profile network & systems before incidents occur
  - Understand normal behaviors
  - Use centralized logging and log retention policies together with NTP to keep system times synchronized
  - Perform event correlation between different defences
  - Share knowledge through knowledge portals
  - Research
  - Run packet sniffers to collect additional information
  - Create a diagnosis matrix for less experienced staff
- Incident Documentation
  - Record all facts
  - Documents and recordings need to be timestamped, dated and signed
  - 2-man teams: one documents, the other performs technical tasks
  - Maintain the status of the incident
- Incident Prioritization
  - Business impact of the incident
  - Criticality of the resource involved in the incident
- Incident Notification
  - Execute & follow notification and escalation procedures
  - Periodic updates
  - If the incident affects external parties, ensure PR and legal departments are updated

Phase 3: Containment, Eradication & Recovery

- Containment: Execute damage control actions
- Eradication: Eliminate undesirables from the target
- Recovery: Rebuild from scratch, retrieve from backup, reset accounts, tighten the network perimeter

Phase 4: Post-Incident Activity

- Share experiences
- Deficiencies in the current environment
- What should be done differently in the future
- What preventative or corrective actions are required to deter future incidents
- Request additional budget or resources

#### Computer Forensics

Computer forensics refers to the processes by which computer or digital evidence is identified, preserved, analyzed, interpreted and presented.

The roles of a computer forensics investigator include:

- Protect seized evidence; verified replication
- Recover deleted files
- Discover files contained in seized materials
- Discover swap, temp, file slack metadata and artifacts
- Explore all unallocated space
- Conduct searches for key terms and special data
- Note any observed versus expected files, folders, binaries, www data, emails and file conditions
- Prepare a written report
- Provide expert consultation and testimony

Chain of Custody: Refers to the handling of evidence in a manner by which the whereabouts of the evidence are always known and it can be proven to have been at a given place, in given hands, at a given time. A complete chain of custody record needs to be kept for each piece of evidence obtained, from the time the evidence is collected to the time the case is tried in court.

##### Non-Volatile Data Acquisition

Non-volatile data is data which will not be lost when power is lost; it frequently refers to data stored in locations such as hard-disk drives, PDAs and removable storage devices. Actions to be taken to retrieve data from non-volatile sources include: physical bit-by-bit copy, use of write-blockers to prevent changes, and sanitization of the target storage device that will receive the evidence.

- **Physical vs Logical Copy**: Physical copies are bit-by-bit copies of an entire medium, while logical copies are copies of the files within a filesystem. Physical copies contain more data than logical copies, including deleted files, unallocated space and file slack. Physical copies are preferred over logical copies, as only physical copies may be accepted in court.
- **File Slack & Unallocated Space**: Files that are deleted or erased in MS-DOS or Windows based OS are not actually erased and may still be present in unallocated space and file slack.
- **Hashing**: Proves that the forensic duplicate is a one-to-one exact match and verifies the integrity of the duplication
  - `dd` can be used to perform duplication of storage devices; `dcfldd` can be used to generate hashes of the acquired data

##### Volatile Data Acquisition

Volatile data is data which will be lost when power is lost, frequently referring to data stored in RAM, swap files or caches; it is usually involved when traditional methods cannot be applied. Examples of such data include date-time stamps, current network connections, open network ports, running services and processes.
- [Windows Forensic Toolchest](http://www.foolmoon.net/security/sft): Provides automated incident response on Windows systems.
- Forensic Server Project: Client application created to collect volatile Windows information; the server is controlled by the investigator and placed on the network.

##### Disk & File Analysis Tools

- File types can be determined by looking at file headers using hexadecimal viewers or editors against [lists](http://www.digitalintelligence.com/software/disoftware/drivespy/filetype.ini) of file types and their respective headers
- Sleuth Kit & Autopsy: Collection of Unix-based CLI file-system and volume-system forensic analysis tools
- Filedisk: Allows for mounting of dd-created images
- Disk Investigator: Helps to uncover hidden files in storage

#### Information Gathering

1. Web Browsing Information

- Internet Explorer stores browsing traces in data files which do not get deleted by clearing the internet cache; tools such as Pasco can be used to recover entries.
- Cookies can also give an idea of what sites the user has visited; tools such as Galleta crawl through cookies to determine creation time and identify when the user visited the site.

2. Email Header Analysis

Email headers often provide useful information regarding the sender, from where and at what time they sent the information. Spammers will attempt to hide or obfuscate headers by placing false headers or using UTF-8 to encode subject or body text to overcome spam-filtering rules. When dealing with spam mail, often the only reliable MX header is the last one which directly exchanges with your own mail relay.

3. Malicious Code & Infection Analysis: Locate & Identify

You may encounter 0-day malware which antivirus software cannot contain as its virus definitions do not contain the malware signature. In such cases, the malware has to be manually removed.

Step 1: Identify strange connections with `netstat -an` and take note of suspicious files or directories.

Step 2: Check superfetch or prefetch data files in `%SYSTEMROOT%\Prefetch` to get an idea of what applications are being executed.

Step 3: Check for places where files are hidden in `%SYSTEMROOT%` or `%SYSTEMDIRECTORY` using `dir /o:d /t:c` to check file creation time, `dir /o:d /t:a` to check when files were last accessed and `dir /o:d /t:w` to check when files were last written to.

Step 4: Check for places where malware starts from; the two most common locations in the registry are `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce`. A more comprehensive list can be found [here](http://securitystartshere.org/downloads/ossa/forensics/silentrunners.htm).

Step 5: Use signature checking to verify the authenticity of code; compare hashes to ensure that the publisher's software executable is not compromised or infected with malware.

Step 6: Use a hex editor or the strings command to see what text, boasts or ego-trips attackers have hidden in their executables.

Step 7: Check online for similar observations to find possible countermeasures.

Step 8: Check what resources (files, network connections) are being accessed by any processes through Autoruns, Process Monitor and Process Explorer, and what registry entries are being accessed.

Step 9: Understand how the malware works by decompiling binaries using tools such as OllyDbg, IDA Pro, WinDbg or Decompiler after the damage has been contained.

---

### 8. The Impact of Law

#### The Need To Know

- Individual: Know that your actions are not violating a law
- Corporate: Understand the liability of companies
- Permissible Actions: Retaliatory actions are not exempt from law; follow proper legal procedures to prosecute attackers
- Harmonization: Keep in touch with the evolution of cybercrime law throughout the world

#### State of Cybercrime Law

Full list of individual countries' reports [here](https://www.privacyinternational.org/reports/research-reports)

#### Issues With Enforcement

Key issues when it comes to prosecuting cyber-criminals include:

- Insufficient Evidence: Lack of or insufficient logging
- Corrupt or Non-probative Evidence: Data destroyed through improper methods of gathering and collection, improper handling or chain of custody
- Best Evidence Rule: An original piece of evidence is superior to a copy
- Circumstantial or Indirect Evidence: Evidence that implies something but does not directly prove it
- Jurisdictional Boundaries: Location of attacker, victim and crime committed
- Extradition Treaties
- Prosecution Cost vs Asset Value

Points of consideration for security practitioners:

- Collection Method: Gather and collect evidence in a non-destructive manner
- Tag & Bag: Ensure everything collected is accounted for, sealed and labelled
- Involve legal entities once the incident is determined to have an impact on the business' main activity

#### When to Enforce

Refer to the Computer Misuse and Cybersecurity Act of Singapore (Cap 50A) for relevant legislation within Singapore

---

## Useful Commands

##### Snort (NIDS)

- Start Snort: `snort -c /etc/snort/snort.conf &`
- View Snort alerts: `tail -f /var/log/snort/alert`

##### Tripwire (HIDS)

- Take snapshot: `tripwire --init`
- Check system: `tripwire --check`
- View report: `twprint -m r --twrfile /var/lib/tripwire/report/-.twr`

##### GPG

- Generate keypair: `gpg --gen-key`
- Import public keys: `gpg --import `
- View imported keys: `gpg --fingerprint`
- Verify signature of file: `gpg --verify `

##### Dig

- Find IP address of server: `dig securitystartshere.org`
- Find MX records: `dig securitystartshere.org mx`
- Find NS records: `dig securitystartshere.org ns`
- Find SOA records: `dig securitystartshere.org soa`
- Query DNS server: `dig @ns4191.dns.dyn.com securitystartshere.org`
- Zone transfer: `dig @ns4191.dns.dyn.com securitystartshere.org axfr`

##### Nmap

- Ping Sweep: `nmap -sP -n 10.50.1.0/24`
- SYN Stealth Scan: `nmap -sS `
- Recommended SYN Scan Flags: `nmap -sS -n -Pn -vv -p -g --max-retries= --min-parallelism= --max-rtt-timeout= ms`
- ACK Scan: `nmap -sA `
- Version Detection: `nmap -sV -Pn -n -p -vv `

##### Nmap Results

- Open: Port is open and accepting requests
- Closed: Port is accessible but no service is listening on it (RST packet received)
- Filtered: Port cannot be determined to be open as packets are not reaching the host. This usually denotes a firewall on the port which drops packets.
##### ADS

- Hide files: `type c:\6\nc.exe > c:\6\hobbit.txt:hidenc.exe`
- Stream text files: `notepad c:\\:hidden.txt`
- Run streamed files (Windows XP & earlier): `start c:\\:hidenc.exe`
- Run streamed files (Windows Vista & later): `wmic process call create c:\\:hidenc.exe`

##### Forensics

- Mount images: `filedisk /mount 0 c:\9b\usb.dd /ro G:`
- Extract file from images: `foremost -T -i usb.dd`
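Two of the tasks these notes refer to, as an added example that is not code from the repository: re-hashing a `dd` image against the hash recorded at acquisition (the `dcfldd` point under Non-Volatile Data Acquisition) and locating files inside the image by their header signatures, the way a hex viewer or `foremost` would (the Disk & File Analysis Tools and Forensics points). The signature table, the 512-byte sector size and the constructed sample image are this example's own assumptions.

```python
import hashlib
SECTOR = 512  # allocation units on FAT/NTFS volumes are multiples of the sector size

# Public, widely documented header signatures at offset 0 of a file. This table is
# constructed for the example; it is not the filetype.ini list linked in the notes.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar containers
    (b"MZ", "exe"),           # DOS/PE executable: two bytes only, confirm by hand
]

def sha256_file(path):
    """Stream the image through SHA-256 so multi-GB images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(path, acquisition_hash):
    """True if the working copy still matches the hash recorded at acquisition time."""
    return sha256_file(path).lower() == acquisition_hash.strip().lower()

def scan_image(path, sector=SECTOR):
    """Return (offset, type) for every sector that begins with a known header. Deleted
    files keep their content after the directory entry is gone, so this finds them where
    a filesystem listing would not; a carver then uses footer or length to find the end."""
    hits = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            block = f.read(sector)
            if not block:
                break
            kind = next((k for magic, k in SIGNATURES if block.startswith(magic)), None)
            if kind:
                hits.append((offset, kind))
            offset += len(block)
    return hits

def build_constructed_image(path):
    """Constructed 8-sector image: a PNG header in sector 2 and a PE header in sector 5."""
    img = bytearray(8 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + 8] = b"\x89PNG\r\n\x1a\n"
    img[5 * SECTOR:5 * SECTOR + 2] = b"MZ"
    with open(path, "wb") as f:
        f.write(img)
    return hashlib.sha256(img).hexdigest()  # the "acquisition hash" for the test
```

Scanning with a block size larger than the real allocation unit silently misses headers that do not fall on the chosen boundary, so take the sector size from the volume rather than guessing.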