Created by Cristian Osvaldo Gómez
about 2 years ago
Question | Answer |
--- | --- |
5 phases to a penetration test | Reconnaissance; Scanning & Enumeration; Gaining Access; Maintaining Access; Covering Tracks |
Attack Types | OS: attacks targeting default OS settings; App level: application code attacks; Shrink wrap: off-the-shelf scripts and code; Misconfiguration: not configured well |
RFC 1918 | Private IP Standard |
RFC 3227 | Collecting and storing data |
ISO 27002 | InfoSec Guidelines |
CAN-SPAM | email marketing |
DMCA | Intellectual Property |
GLBA | Personal Finance Data |
FISMA | Gov Networks Security Std |
CVSS | Common Vulnerability Scoring System |
CVE | Common Vulnerabilities and Exposures |
Symmetric Encryption | Key pairs required = |
Symmetric Algorithms | DES: 56-bit key (8 bits of parity), fixed block; 3DES: 168-bit key, up to 3 keys; AES: 128, 192 or 256-bit key, replaced DES; IDEA: 128-bit key; Twofish: block cipher, key size ≤ 256 bits; Blowfish: replaced by AES, 64-bit block; RC: includes RC2 through RC6, keys up to 2,040 bits, RC6 uses a 128-bit block |
Asymmetric Encryption | Public key = encrypt, private key = decrypt |
Asymmetric Algorithms | Diffie-Hellman: key exchange, used in SSL/IPsec; ECC: elliptic curve, low processing power/mobile; ElGamal: not prime-based, uses the log problem to encrypt/sign; RSA: product of 2 primes, 4,096-bit, modern standard |
Hash Algorithms | MD5: 128-bit hash, expressed as 32 hex digits; SHA1: 160-bit hash, required for use in US apps; SHA2: 4 separate hashes of 224, 256, 384 and 512 bits |
Trust Models | Web of trust: entities sign certs for each other; Single authority: CA at top, trust based on the CA itself; Hierarchical: CA at top, RAs under it manage certs; XKMS: XML PKI system |
Cryptography Attacks: Known Plaintext | Search the plaintext for repeatable sequences and compare them to the ciphertext versions. |
Cryptography Attacks: Ciphertext-only | Obtain several messages encrypted with the same algorithm and analyse them to reveal repeating code. |
Cryptography Attacks: Replay | Performed as part of a MITM; repeat an exchange to fool the system into setting up a comms channel. |
Digital Certificate | Used to verify user identity (nonrepudiation). Fields: Version: identifies the format, common = V1; Serial: uniquely identifies the certificate; Subject: whoever/whatever is being identified by the cert; Algorithm ID: algorithm used; Issuer: entity that verifies the authenticity of the certificate; Valid from/to: dates the certificate is good through; Key usage: shows what purpose the cert was made for; Subject's public key: self-explanatory; Optional fields: e.g., Issuer ID, Subject Alt Name... |
Reconnaissance | Gathering information on targets, whereas footprinting is mapping them out at a high level. |
Reconnaissance: Google Hacking | operator:keyword adds additional search items; site: search only within a domain; ext: file extension; loc: map location; intitle: keywords in the title tag of a page; allintitle: any of the keywords can be in the title; inurl: keywords anywhere in the URL; allinurl: any of the keywords can be in the URL; incache: search the Google cache only |
Reconnaissance: DNS | Port 53; nslookup (UDP), zone transfer (TCP) |
Reconnaissance: DNS Record Types | Service (SRV): hostname and port number of servers; Start of Authority (SOA): primary name server; Pointer (PTR): IP to hostname, for reverse DNS; Name Server (NS): name servers within the namespace; Mail Exchange (MX): e-mail servers; CNAME: aliases in the zone, lists multiple services in DNS; Address (A): IP to hostname, for DNS lookup; DNS footprinting tools: whois, nslookup, dig |
Reconnaissance: TCP Header Flags | URG: indicates data being sent out of band; ACK: acknowledgement to, and after, SYN; PSH: forces delivery without concern for buffering; RST: forces communications termination in both directions; SYN: initial communication, parameters and sequence numbers; FIN: ordered close to communications |
Reconnaissance: DHCP | Client ―Discover→ Server; Client ←Offer― Server; Client ―Request→ Server; Client ←ACK― Server; IP is removed from the pool |
Scanning & Enumeration: ICMP Message Types | 0: Echo Reply, answer to a type 8 Echo Request; 3: Destination Unreachable, no host/network (codes: 0 destination network unreachable, 1 destination host unreachable, 6 network unknown, 7 host unknown, 9 network administratively prohibited, 10 host administratively prohibited, 13 communication administratively prohibited); 4: Source Quench, congestion control message; 5: Redirect, sent when 2+ gateways are available to the sender or the best route is not the configured default gateway (codes: 0 redirect datagram for the network, 1 redirect datagram for the host); 8: Echo Request, ping message requesting an echo; 11: Time Exceeded, packet took too long to be routed |
Scanning & Enumeration: CIDR | Method of representing IP addresses. IPv4 notation: /30 = 4 addresses (mask .255.252); /28 = 16 (.255.240); /26 = 64 (.255.192); /24 = 256 (.255.0); /22 = 1024 (.248.0); /20 = 4096 (.240.0) |
Scanning & Enumeration: Port Numbers | 0 – 1023: well-known; 1024 – 49151: registered; 49152 – 65535: dynamic |
Scanning & Enumeration: Important Port Numbers | FTP: 20/21; SSH: 22; Telnet: 23; SMTP: 25; WINS: 42; TACACS: 49; DNS: 53; HTTP: 80/8080; Kerberos: 88; POP3: 110; Portmapper (Linux): 111; NNTP: 119; NTP: 123; RPC-DCOM: 135; NetBIOS/SMB: 137-139; IMAP: 143; SNMP: 161/162; LDAP: 389; HTTPS: 443; CIFS: 445; RADIUS: 1812; RDP: 3389; IRC: 6667; Printer: 515, 631, 9100; Tini: 7777; NetBus: 12345; Back Orifice: 27374; Sub7: 31337 |
Scanning & Enumeration: HTTP Error Codes | 200 series: OK; 400 series: could not provide the request; 500 series: could not process the request |
Scanning & Enumeration: nmap | -sA: ACK scan; -sF: FIN scan; -sS: SYN (stealth) scan; -sT: TCP scan; -sI: idle scan; -sn: ping sweep; -sN: NULL scan; -sR: RPC scan; -P0: no ping; -sW: window scan; -sX: XMAS tree scan; -PI: ICMP ping; -PS: SYN ping; -PT: TCP ping; -oN: normal output; -oX: XML output; -A: OS/version/script detection; -T<0-4>: timing, slow to fast |
Scanning & Enumeration: Scan Types | TCP: 3-way handshake on all ports, Open = SYN/ACK, Closed = RST/ACK; SYN: SYN packets to ports (incomplete handshake), Open = SYN/ACK, Closed = RST/ACK; FIN: packet with the FIN flag set, Open = no response, Closed = RST; XMAS: multiple flags set (FIN, URG and PSH), binary header 00101001, Open = no response, Closed = RST; ACK: used for Linux/Unix systems, Open = RST, Closed = no response; IDLE: spoofed IP and SYN flag, designed for stealth, Open = SYN/ACK, Closed = RST/ACK; NULL: no flags set, responses vary by OS, designed for Linux/Unix machines |
Scanning & Enumeration: NetBIOS | nbtstat; nbtstat -a COMPUTER: remote name table by computer name; nbtstat -A 192.168.10.12: remote name table by IP; nbtstat -n: local name table; nbtstat -c: local name cache; nbtstat -R: purge the name cache; nbtstat -S 10: display session stats every 10 seconds; NetBIOS suffixes: 1B = master browser for the subnet, 1C = domain controller, 1D = domain master browser |
Scanning & Enumeration: SNMP | Uses a community string as the password; SNMPv3 encrypts the community strings |
Sniffing and Evasion: IPv4 and IPv6 | IPv4: unicast, multicast and broadcast; IPv6: unicast, multicast and anycast; IPv6 unicast and multicast scope includes link-local, site-local and global |
Sniffing and Evasion: MAC Address | First half = 3 bytes (24 bits) = OUI (organisationally unique identifier); second half = unique number |
Sniffing and Evasion: NAT (Network Address Translation) | Basic NAT is a one-to-one mapping where each internal IP maps to a unique public IP; NAT overload (PAT) is port address translation, typically used as it is the cheaper option. |
Sniffing and Evasion: Stateful Inspection | Concerned with connections; doesn't sniff every packet, it just verifies that the packet belongs to a known connection, then passes it along. |
Sniffing and Evasion: HTTP Tunnelling | Crafting wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked. |
Sniffing and Evasion: Snort IDS | It has 3 modes: sniffer, packet logger and network IDS. Config file: /etc/snort or C:\snort\etc. Example rule: `alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice.";)` means any packet from any address not in the home network, using any source port, intended for an address in the home network on port 31337, triggers the message. SPAN port: port mirroring. False negative: IDS incorrectly reports a stream as clean. |
Sniffing and Evasion: IDS Evasion Tactics | Slow down or flood the network (and sneak through in the mix), or use fragmentation |
Sniffing and Evasion: tcpdump syntax | tcpdump flag(s) interface |
Attacking a System LM Hashing | 7 spaces hashed: AAD3B435B51404EE |
Attack Types: Passive Online | Sniffing the wire, intercepting cleartext passwords / replay / MITM |
Attack Types: Active Online | Password guessing |
Attack Types: Active Offline | Steal a copy of the passwords, i.e., the SAM file; cracking efforts run on a separate system |
Attack Types: Sidejacking | Steal cookies exchanged between systems and use them to perform a replay-style attack. |
Authentication Types | Type 1: Something you know Type 2: Something you have Type 3: Something you are |
Session Hijacking | Refers to the active attempt to steal an entire established session from a target. 1. Sniff traffic between client and server; 2. Monitor traffic and predict the sequence; 3. Desynchronise the session with the client; 4. Predict the session token and take over the session; 5. Inject packets to the target server |
Kerberos | Kerberos makes use of symmetric and asymmetric encryption technologies and involves: KDC: Key Distribution Centre; AS: Authentication Service; TGS: Ticket Granting Service; TGT: Ticket Granting Ticket. Process: 1. Client asks the KDC (which holds the AS and TGS) for a ticket to authenticate throughout the network; this request is in clear text. 2. Server responds with a secret key, hashed by the password copy kept on the AD server (TGT). 3. If the user decrypts it, the TGT is sent back to the server requesting the TGS. 4. Server responds with a ticket, and the client can log on and access network resources. |
SAM file Security Account Manager | C:\Windows\system32\config |
Registry | 2 elements make a registry setting: a key (location pointer) and a value (defines the key setting). Root-level keys are as follows: HKEY_LOCAL_MACHINE: info on hardware/software; HKEY_CLASSES_ROOT: info on file associations and Object Linking and Embedding (OLE) classes; HKEY_CURRENT_USER: profile info on the current user; HKEY_USERS: user config info for all active users; HKEY_CURRENT_CONFIG: pointer to \Hardware Profiles\. Also: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion |
Social Engineering: Human-based Attacks | Dumpster diving; Impersonation; Technical support; Shoulder surfing; Tailgating/piggybacking |
Social Engineering: Computer-based Attacks | Phishing: email scam; Whaling: targeting CEOs; Pharming: evil twin website |
Social Engineering: Types of Social Engineers | Insider associates: limited authorised access; Insider affiliates: insiders by virtue of affiliation that spoof the identity of the insider; Outsider affiliates: non-trusted outsiders that use an access point that was left open |
Web-based Hacking | CSRF: Cross-Site Request Forgery; Dot-dot-slash attack: variant of the Unicode or unvalidated-input attack; SQL injection attack types: Union query: uses the UNION command to return the union of the target DB with a crafted DB; Tautology: term used to describe the behaviour of a DB when deciding if a statement is true; Blind SQL injection: trial and error with no responses or prompts; Error-based SQL injection: enumeration technique, inject poorly constructed commands to have the DB respond with table names and other information |
Web-based Hacking: Buffer Overflow | A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code. Stack: premise is that all program calls are kept in a stack and performed in order; try to change a function pointer or variable to allow code execution. Heap: takes advantage of memory "on top of" the application (dynamically allocated); use the program to overwrite function pointers. NOP sled: takes advantage of the "no-op" instruction; sends a large number of NOP instructions into the buffer; most IDSs protect against this attack. Dangerous SQL functions (the following do not check the size of destination buffers): gets(), strcpy(), strcat(), printf() |
Wireless Network Hacking: Wireless Sniffing | A compatible wireless adapter with promiscuous mode is required, but otherwise it is pretty much the same as sniffing a wired network |
Wireless Network Hacking: 802.11 Specifications | WEP: RC4 with a 24-bit IV, keys are 40 or 104 bits; WPA: RC4, supports longer keys, 48-bit IV; WPA/TKIP: changes the IV each frame and uses key mixing; WPA2: AES + TKIP features, 48-bit IV |
Wireless Network Hacking: Bluetooth Attacks | Bluesmacking: DoS against a device; Bluejacking: sending messages to/from devices; Bluesniffing: sniffs for Bluetooth devices; Bluesnarfing: actual theft of data from a device |