- The Curious
- The Malicious
- The Criminal
- The Competitor
- The Natural
- The Politically-charged
- Confidentiality
- Integrity
- Availability
- Security
- Operations
- Business
- site:
- filetype:
- intitle:
- allintext:
- loc:
- ip:
- Identify Centers of Gravity
- Understand the Threats
- Gather Information from Stakeholders
- Develop Baselines
- User and Corporate Education
- Establish Platform Defense
- Establish Business Continuity and Disaster Recovery
- Maintain Balance
- Policies
- Procedures
- Platform
- People
- Vulnerability Identification
- Platform Lockdown
- Monitor The Setup
- Damage Control
- Hub will send packets to all ports
- Switch will only send to the intended recipient
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
- `lsof -Pn -i4`
- Max size = 1582 bytes
- Frame header/trailer does synchronization
- MAC address is 6 bytes
- Mixture of hub and bridge
- CAM table stores MAC addresses
- Connectionless
- IPv4 Addressing is 32-bits
- IPv6 addressing is 128-bits hexadecimal
- Refer to page 56 for TTL values
- Private ranges allow spoofed DoS attacks
- Broadcast allows amplification attacks
- Routes traffic using static or dynamic routes and segments broadcast domains
- No route to known destination = dropped packet
- Find the IPv4 address held by a MAC address
- IPv6 uses router advertisement frames instead
- Internet Control Message Protocol
- Protocol at the network layer, on par with IP
- Packet Internet Groper (PING) is a type of ICMP message (echo-request)
- SYN
- SYN-ACK
- ACK
- FIN/ACK from A to B
- ACK from B
- FIN/ACK from B to A
- ACK from A
- User Datagram Protocol
- Connectionless
- ‘Best effort’ delivery
- Useful for applications like SNMP or DNS where speed is required
- Important to read pg 73
- Domain Name System
- 13 root servers
- Every computer has a DNS cache
- Appliance
- Software
- Personal
- Packet Filter
- Stateful Packet Inspection (SPI)
- Application Proxy
- Proxy Firewall (aka Application Firewall / NG firewall)
- Inbound (Ingress) blocking
- Outbound (Egress) blocking
- Implicit Deny-All
- In some cases, the blocking may be done by application or both IP/Port and application
- Classic/Old-style DMZ Deployment
- Collapsed DMZ Deployment
- Smoothwall
- Firestarter
- M0n0wall
- FREESCO
- Windows XP/VISTA/7 Built-in Firewall
- FilSecLab Personal Firewall Pro/Standard
- NetDefender
- Zonelabs’ ZoneAlarm (GUI)
- Network-based Intrusion Detection System
- Place the NIC in promiscuous mode to capture all network traffic
- String Signature
- Port Signature
- Header Signature
- hubs
- switch-port mirroring
- active taps
- SNORT (pg 105)
- Focuses on monitoring and analysis on the internals of a computing system
- Uses a database of system objects it should monitor
- System Integrity Verifiers (SIV)
- Log file monitors (LFM)
- Operating System Patches
- Tripwire
- OSSEC HIDS
- AIDE
- File Checksum Integrity Verifier (FCIV)
- A Trap set to detect, deflect or in some manner counteract
- Sugarcane: honeypot set up as an open proxy (not very common nowadays)
- Entraps attackers, buying time for the SysAdmin to respond
- Low-Interaction and High-Interaction Honeypots (pg 115)
- Honeyd
- Anti-Virus Software
- Transposition Cipher
- Substitution Cipher
- Block Cipher
- Stream Cipher
- Providing Integrity by Hashing
- Sending Data using Symmetric Key Encryption
- Remote Networking Using Virtual Private Networking
- Sending Data Using Public-Key Cryptography
- Proving Identity using Digital Signature
- Ransomware
- Tools are considered untested and suspicious until proven otherwise
- Do not test live / production systems with untested tools
- Use sandboxing
- Check tool authenticity (pg 151)
- Exploration
- Enumeration
- Exploitation
- Embedding
- Egress
- Social Engineering
- Dumpster Diving
- Physical Violation
- Scoping out PHPBB, Forums, Technical Help postings, Electronic Bulletin Boards
- Domain Registrars and WHOIS
- DNS Servers
- WHOIS
- centralops.net
- intodns.com
- robtex.com
- network-tools.com
- serversniff.net
- dnsbench.com
- domainsbyip.com
- tools-on.net/net.shtml
- War Driving
- Wardialling
- Portscanning
- OS Discovery
- Tracerouting
- Vulnerability assessment
- Web-based Vulnerabilities
- Nmap
- Unicornscan
- Nessus
- HTTPrint
- AMAP
- CVEDetails (http://cvedetails.com)
- National Vulnerability Database (https://web.nvd.nist.gov/view/vuln/search)
- Common Vulnerabilities & Exposures (https://cve.mitre.org/cve/cve.html)
- Shodan Vulnerability Search (http://www.shodan.io)
- SecurityFocus Archives (http://www.securityfocus.com)
- alpha.hackerwhacker.com/freetools.php (traceroute, check for open port)
- t1shopper.com/tools/port-scan (allows a list of ports to be scanned)
- serversniff.net (webserver, nameserver section, etc.)
- mxtoolbox.com (mail server checks)
- subnetonline.com (lots of stuff)
- Wayback Machine (https://archive.org/web/)
- Ready-made tools from tool repositories
- Exploit-code compilation (.c files)
- Techniques & Methods
- Self-Crafted tools or ‘sploits’ (“roll your own”)
- The act of assuming somebody’s or some thing’s identity
- Reasons to Spoof:
- To hide true identity, especially if sending malicious traffic
- Confuse incident handlers & investigators (e.g. via log file manipulation)
- Insertion between an established connection or data flow (i.e. session-hijacking/MITM)
- Done successfully using ARP poisoning
- Attempts to disrupt the Availability component of the CIA Triad
- Sending of specially crafted packets to vulnerable applications listening on TCP or UDP ports
- Evolved into Distributed DOS (DDOS)
- Made possible with the usage of Botnets & Zombies (PhatBot) (pg 188)
- Buffer/Heap Overflows
- Shell Code (www.shell-storm.org/shellcode , packetstormsecurity) (pg 197)
- 2 Types of Shell
- BIND (listening) Shell
- Reverse Shell
- Format String Vulnerability
- The Metasploit Framework
- Netcat
- Stunnel (SSL)
- HTTPrint
- Spike Proxy
- Webscarab
- Crowbar
- JBroFuzz
- Achilles
- Paros
- Burp Proxy
- SSLstrip
- CookieDigger
- Web Server is a network service that serves up content residing either on the web server or behind it (Apache web server, IIS web server)
- Web application is customized content, modules and/or functionality that is served up by a web server and requires a web server to run (search forms, intranet login portal)
- Unvalidated Input
- Broken Access Controls
- Broken Authentication & Session Management
- Cross Site Scripting Flaws
- Buffer Overflows
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Application Denial of Service
- Insecure Configuration Management
SAM Database stores 2 Cryptographic hashes of all user passwords (Windows)
- Win95/Win98 implements LanMan Authentication
- Not case-sensitive
- LM Hash, with intermediate DES algorithm used
- Maximum 14 characters for LM Hash to be stored and used for authentication to AD. If >14, LM Hash is not used. NTLM is used instead
- Case-sensitive
- Uses MD4 algorithm
- OPHCrack (pg 214)
- md5decrypter.co.uk
- http://crackstation.net
- md5.my-addr.com
- Backdoors
- Trojans (RATs)
- Rootkits
- Traditional Rootkit
- Kernel Rootkit
- Checksumming
- System.map
- kern_check.c (program)
- CheckIDT
- check-ps
- Kstat
- samhain
- File Hiding
- Log Modification/Removal
- Executable Removal
- Prefix the file or directory with a “.”; use `ls -a` to show hidden files
- The file attribute can be set to “hidden”
- NTFS system can set specific permissions to prevent files from being deleted
- Alternate Data Stream (ADS) (pg 234)
- Store up to 252 hidden files
- Applies only to NTFS filesystem
- Executables can be stored, but the entire file path of the file to be hidden must be specified, as well as when executing the hidden executable file
- `notepad message.txt:secret.txt` to hide and show secret.txt behind message.txt
- `type c:\6\nc.exe > c:\6\hobbit.txt:hidenc.exe` to hide hidenc.exe behind hobbit.txt
- `start c:\6\hobbit.txt:hidenc.exe` to run the hidden executable
- `LADS.exe` will display hidden files in the directory from which LADS is run
- For Windows Vista and up, `dir /r` can be run to reveal streamed files
- Advanced ADS (pg 236)
- can be performed by using `\\?\` and a protected device name
- can be performed by using
- Steganography
- outguess (hide or transfer information)
- steg-objects (detect presence of steg-objects)
- stegdetect (detect presence of steg-objects)
- uses the `syslog` service to keep a record of events that occur in the OS
- syslog does most of its logging to `/var/log`
- Current login log: `/var/run/utmp`
- Past login log: `/var/log/wtmp`
- Previous logins log: `/var/log/lastlog`
- Windows NT-based system logging is controlled by EventLog service
- Stopping EventLog service will violate Windows NT security model, triggering an automatic reboot in 60 seconds
- The 60-second reboot can be negated with a rootkit
- For binaries that cannot be hidden
- Removal in a secure manner
- A useful tool is `Eraser`
- should be done in a face to face manner as far as possible
- Avoid sending an army when meeting external customer
- Should deliver report document to client prior to the meeting in a secure manner. (By hand or GPG/PGP encrypted email)
- Personal /SOHO
- Open
- Web
- WPA-PSK / WPA2-PSK
- Enterprise-Level
- WPA / WPA2
- VPNoL
- Developed from the hobo language
- Warchalks tell you whether there is free 802.11 service in the area
- Mainly found in the west
- Looking for free WLAN access
- A crime in many countries
- Can augment WLAN NICs with “cantennas”
- Not enabling frame-level encryption such as WPA / WPA2
- Using dictionary based WPA-PSK passphrases
- Not turning off SSID broadcasts in Beacon Frames
- Not using MAC or IP address filtering
- Not segmenting the WLAN as a DMZ
- Not turning off unneeded AP services (e.g. telnet, snmp)
- Leaving AP settings defaulted (e.g. logins & passwords)
- SSID defaulted/revealing
- Not minimizing the RF emanations
Incident Response Capabilities are needed for:
- Ability to respond to incidents in a consistent, systematic manner
- Minimize impact to business due to damage, theft or DoS
- To better prepare for handling future incidents and to provide feedback for enhancing current security practices
- Proper handling of legal issues that might stem from an incident
ThinkSECURE Threat-Liability-Disruption Potential (TLDP) Matrix (TLDP Matrix) (pg 270)
- Team Model
- Staffing Model
https://resources.infosecinstitute.com/advantages-disadvantages-outsourcing-incident-response/#gref
- Preparation (pg 275)
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-Incident Activity
Computer Forensics
- process by which computer or digital evidence is Identified, Preserved, Analyzed, Interpreted and Presented
- CF and IR are directly interconnected and related (pg 291)
- Role of a Computer Forensics Investigator “CFI” (pg 293)
- Chain of Custody (pg 295)
- Non volatile information
- Volatile information (pg 306)
- Root cause analysis
- Determine level of destruction
- Find evidence to support prosecution
- Motive establishment
- What is the “suspect” software/malware doing
- File Header (pg 313)
- more…
- Web Browsing Investigation
- Pasco (internet cache)
- Galleta (cookies)
- Web Historian
- Email Header Analysis (pg 323)
- The last hop that directly exchanged with your own mail relay is often the most reliable one
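The header-walking rule above (trust the hop your own relay stamped, treat everything beneath it as the sender's claim), as an added example that is not from the notes or the textbook. The message and the relay names `mx.example.org` / `mailbox.example.org` are constructed for the demo:

```python
"""
Added example: walk the Received: headers of an e-mail from the top (newest
hop) downwards and pick the boundary hop, i.e. the one written by our own
relay when an outside host connected to it. Hops below that were stamped by
machines we do not control and may be forged.
"""
import re
from email import message_from_string
from typing import Dict, List, Optional, Set

# Constructed sample: a message that claims to come from a bank, delivered via
# an ISP relay to our MX, then handed to our internal mailbox server.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mailbox.example.org (Postfix) with ESMTP id 1AB2C
\tfor <alice@example.org>; Mon, 02 Jan 2023 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTPS id 7F3E9
\tfor <alice@example.org>; Mon, 02 Jan 2023 10:00:01 +0000
Received: from friendly.bank.example (unknown [203.0.113.42])
\tby relay.isp.example with SMTP; Mon, 02 Jan 2023 09:59:58 +0000
From: "Your Bank" <alerts@friendly.bank.example>
To: alice@example.org
Subject: Constructed sample

body
"""

# "from HELO (rDNS [ip]) ... by RELAY" -- the common Postfix/Sendmail layout.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_hops(raw_message: str) -> List[Dict[str, str]]:
    """Return hops newest-first; each has helo, rdns, ip and by fields."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # undo header folding
        m = HOP_RE.search(flat)
        if m:
            hops.append({k: (m.group(k) or "") for k in ("helo", "rdns", "ip", "by")})
    return hops


def boundary_hop(raw_message: str, own_relays: Set[str]) -> Optional[Dict[str, str]]:
    """The first hop (from the top) stamped by one of our relays whose peer is
    not one of ours: the real connecting IP is the ip field of this hop."""
    for hop in parse_hops(raw_message):
        if hop["by"].lower() in own_relays and hop["rdns"].lower() not in own_relays:
            return hop
    return None


def claimed_origin(raw_message: str) -> Optional[Dict[str, str]]:
    """Bottom-most hop: what the message *claims* about its origin (untrusted)."""
    hops = parse_hops(raw_message)
    return hops[-1] if hops else None


if __name__ == "__main__":
    ours = {"mx.example.org", "mailbox.example.org"}
    print("trusted peer:", boundary_hop(SAMPLE, ours))
    print("claimed origin:", claimed_origin(SAMPLE))
```

The boundary hop gives the IP that actually connected to our MX (the ISP relay); the bottom hop's `203.0.113.42` and the `friendly.bank.example` HELO are only assertions made by hosts outside our control.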
- Malicious Code & Infection Analysis (pg 328)
- They need to talk
- They need to run
- They need to reside somewhere
- They need to start somewhere
- Legitimate code may be signed by their publishers
- They typically hide stuff in binaries
- I’m unlikely to be the first to get hit
- They need to access something on my system
- See what they do inside
- Individual
- Corporate
- Permissible Actions
- Harmonization
- USA (pg 350)
- Malaysia (pg 352)
- Singapore (pg 352)
- Thailand (pg 352)
- Laws are only as good as their enforcement (pg 356)
- Key issues when it comes to prosecuting cyber criminals:
- Insufficient evidence
- Corrupted/Non-probative evidence
- The Best Evidence Rule
- Circumstantial / Indirect Evidence
- Jurisdictional boundaries
- Extradition Treaties
- Prosecution Cost vs Asset Value
- Key issues when it comes to prosecuting cyber criminals:
- What you as a Security Practitioner need to consider if you assess potential prosecution likely (pg 358)
- Singapore Computer Misuse & Cybersecurity Act
- CMA Law Enforcement Rights (pg 362)
- What is an offence (pg 364) (cmca)
- Enhanced Punishment For Damaging Protected Computers (pg 368)
- run using `snort -c /etc/snort/snort.conf &` or `snort -A console -c /etc/snort/snort.conf &`, which will display the alerts on the console instead of logging them to the file `/var/log/snort/alert`
- `tripwire --init` to take a snapshot of the filesystem specified in the Tripwire policy file
- `tripwire --check` to check for any changes in the filesystem
- `twprint -m r --twrfile /var/lib/tripwire/report/<filename>-<timestamp>.twr` to view a Tripwire report
- `tripwire --update-policy -Z low /etc/tripwire/twpol.txt` to update the Tripwire database
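What a System Integrity Verifier such as Tripwire, AIDE or FCIV does under the hood (the SIV/HIDS items earlier and the `tripwire --init` / `tripwire --check` pair here), as an added example that is not from the notes, the textbook or any of those tools. The baseline file name, the directory tree and the tampering scenario are all constructed here:

```python
"""
Added example: a minimal system-integrity verifier. `init_baseline` records a
SHA-256 digest, size and permission bits for every regular file under a root
(like `tripwire --init`); `check` re-walks the tree and reports files added,
removed or changed (like `tripwire --check`).
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, dict]:
    """Map relative path -> {sha256, size, mode} for regular files under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return entries


def init_baseline(root: Path, db: Path) -> int:
    """Write the baseline database; returns the number of files recorded."""
    snap = snapshot(root)
    db.write_text(json.dumps(snap, indent=1, sort_keys=True))
    return len(snap)


def check(root: Path, db: Path) -> Dict[str, List[str]]:
    """Compare the live tree with the baseline and classify every difference."""
    old = json.loads(db.read_text())
    new = snapshot(root)
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(
            f for f in both
            if any(old[f][k] != new[f][k] for k in ("sha256", "size", "mode"))
        ),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small /etc-like tree, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "cron.d" / "job").write_text("0 * * * * root /usr/bin/true\n")
        db = Path(tmp) / "baseline.json"  # assumed baseline location
        init_baseline(root, db)
        # Simulated tampering after the baseline was taken:
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "cron.d" / "job").unlink()
        (root / "rc.local").write_text("#!/bin/sh\n")
        return check(root, db)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored where an attacker who has altered the tree cannot also rewrite it (read-only media or a remote host), which is why Tripwire signs its database; a digest list kept next to the files it protects only detects accidents, not intrusions.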
- `chown -R nobody *` to change ownership of all files in the Honeyd kit directory to nobody
- `./start-arpd.sh`
- `./start-honeyd.sh`
- `dig securitystartshere.org` to find the IP address, from the DNS server your workstation is configured to use, for the record securitystartshere.org
- `dig securitystartshere.org mx` to find MX (Mail Exchanger) records, from the DNS server your workstation is configured to use, for the record securitystartshere.org. This tells us which servers are responsible for sending and/or receiving email for the domain securitystartshere.org
- `dig securitystartshere.org ns` to find NS (name server) records, from the DNS server your workstation is configured to use, for the record securitystartshere.org. This tells us which servers are responsible for answering queries for the domain securitystartshere.org
- `dig securitystartshere.org soa` to find SOA (start of authority) records of the domain securitystartshere.org
- `dig @<authoritative nameserver, e.g. ns4191.dns.dyn.com> securitystartshere.org` is used when you know the IP or name of the DNS server for a particular domain. It will yield additional information about the name servers that are responsible for the domain
- `dig @10.50.1.1 pod1.com axfr` will do a zone transfer of the domain pod1.com and dump out all the records pertaining to the pod1.com domain which it is authoritative for
- 2 ways to block DNS zone transfer
- Block TCP port 53
- Set up the DNS server to only allow certain IP addresses to perform zone transfer
- `whois securitystartshere.org`
- `whois 202.120.30.50`
- `nmap -sS -n -Pn -vv -p <target port range> --reason <target IP address>`
- `-sV` to show the version of the service running
- `xprobe2 10.50.1.1`
- specify an open port for more reliable results, e.g. `tcp:22:open`
- `cheops-agent -n` to start the server
- `cheops-ng` to start the client
- click Viewspace, then Add Network, to indicate which network range to scan
- `nessusd -D` to start the server
- `nessus` to start the client
- `./httprint -h http://10.50.1.1 -s <full path to the signatures.txt file>` to find the webserver version
- `./nikto.pl -host 10.50.1.3` to scan for vulnerabilities in the web server code
- enter a non-existent URL and look at the returned error page, which will show the webserver version
- `ettercap -G` to start ettercap
- Start “unified sniffing” mode and, under Hosts, choose “Scan for hosts”
- Click on “Hosts list” to view all the hosts scanned
- Click on
- Victim is target 1
- Gateway is target 2
- Burp Proxy
- Burp Suite
- Packetstormsecurity.org
- msfconsole
- msfweb
- Error message can reveal important info
- OPHCrack (3)
- run `fgdump` to dump out the SAM database; the password hashes are stored in a file with a .pwdump extension
- Load password file
- Start
- `nc -l -p 48800 -e c:\windows\system32\cmd.exe` (victim)
- `nc <ip addr> 4800` (attacker)
- `type c:\6\nc.exe > c:\6\hobbit.txt:hidenc.exe` to hide/stream nc.exe behind hobbit.txt
- `notepad c:\6\message.txt:hidden.txt` to hide/stream hidden.txt behind message.txt
- LADS.exe can detect ADS
- S-tools
- PLAY AROUND WITH THE ENCRYPTION TYPE
- InSSIDer
- `foremost -T -i usb.dd` (pg 146) (better)
- PASCO
- GALLETA
- `curl <url> 80`
- `nc <url> 80`
- Pg 118 of textbook
- A deny firewall rule will result in nmap showing the port as filtered (no response)
- A reject firewall rule will result in nmap showing the port as filtered (port unreachable)