Network Security Fundamentals: Protocols, Scanning, and Vulnerabilities, Exams of Nursing

An in-depth exploration of network protocols, their functions, and vulnerabilities. Topics include layers, TCP vs UDP, ICMP, PPTP, 802.11 standards, Nmap scan types, UDP scanning, application fingerprinting, banner analysis, ping, traceroute, password hashes, SSL, file protection, privilege escalation, netstat flags, forensics plan, TLD, DHCP features, VRRP vulnerabilities, STP vulnerabilities, DNS, H.323 vs SIP, SIP servers, SIP enumeration, IEEE 802.11 standards, Wi-Fi Protected Access, EAP, NetBIOS, Remote Desktop, finger vulnerabilities, post-exploitation activities, Solaris vulnerabilities, X Window System, SSH security, Unicode vulnerabilities, information disclosure, WebSphere, WSDL, JSP, ISAPI, ASP, web app authentication issues, source code review, web site structure discovery, SQL query statements, SQL comments, MS SQL tools.

Typology: Exams

2023/2024

Available from 05/09/2024

Academicgenius

Download Network Security Fundamentals: Protocols, Scanning, and Vulnerabilities and more Exams Nursing in PDF only on Docsity! CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS A1) Benefits of pentesting - ✔M️anage risk. Increase business continuity. Minimise client-side attacks. Protect clients, partners and third-parties. Comply with regulation. A1) Pentest structure - ✔R️econnaissance (i.e. find live hosts, sweeping, find services, scanning, banner matching, find vulnerabilities). Target prioritisation (e.g. assess servers rather than printers). Testing of services and exploitation if applicable. Consult/Confirm with customer if ok to exploit. Inform customer of any high risk issues that need addressing immediately. A1) Project Lifecycle - ✔D️ata Gathering / Scoping / Briefing. Testing. Report Writing. Debriefing A2) Computer Misuse Act 1990 - ✔T️he Act defines 3 specific offences: 1. Unauthorised access to computer material (that is, a program or data). 6 months or Level 5 fine (£5000 currently). 2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime. 5 years, max fine. 3. Unauthorised modification of computer material. 5 years, max fine. In general: You must not test a system without prior authorisation (e.g. as agreed in written scope/contract). You should never test without informing the client beforehand. Amended by Part 5 of Police and Justice Act 2006. A2) Police and Justice Act 2006 - ✔A️n amendment and update to the Computer Misuse Act 1990 in Part 5 of the Police and Justice Act 2006 are: Section 35. Unauthorised access to computer material. Section 36. Unauthorised acts with intent to impair operation of computer, etc. Section 37. Making, supplying or obtaining articles for use in computer misuse offences. Section 38. Transitional and saving provision. In general: Part V includes a few sections on Computer Misuse Act 1990. 
Provision for DoS as an offence. Increased penalties. Making available tools to the Internet. Dual-use tools liable. A2) Human Rights Act 1998 - ✔L️ots of general human rights involved such as right to marry, discrimination, privacy, slavery, guilty etc. Human Rights Act 1998 is relevant to Computer usage as: "Protects the right of individuals against unreasonable disruption of and intrusion into their lives, while balancing this individual right with those of others." In general: Article 8: Right to respect for private and family life. Right to privacy. With Acceptable Usage Policy (AUP), you waive the right to privacy on network. A2) Data Protection Act 1998 - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔I️n general: Deals with PII (Personal Information ID). Data about identifiable users should only be used for the purpose intended. Should not make a local copy (e.g. HR Database) A2) Handling Data (6 catergories) - ✔D️ata classification set by uk.gov. Important for CHECK member to know the protective marking of test/report. 1. NPM — Non Protective Marking. 2. PROTECT — Not sensitive enough to make classification. Sensitive but not high risk. 3. RESTRICTED — Pentests are usually RESTRICTED as a minimum 4. CONFIDENTIAL — (Prejudical). 5. SECRET — (Serious Injuries). 6. TOP SECRET (EGD). A4) 5 Principles of Risk Management - ✔A️ssess risk and determine needs. Establish a central management focus. Implement appropriate policies and related controls. Promote awareness. Monitor and evaluate policy and control effectiveness. A3) Sensible scoping questions (7) - ✔1️. What technologies are being used? 2. Can we get access to the application (Web Application)? 3. How many users are there? 4. How many pages are there? Are they dynamic or static? 5. What are you expecting us to find? 6. Will this be a white box or black box test? 7. Will the testing be onsite or remote? 
B1) OSI - ✔O️pen Standards Interconnection (OSI) developped by International Standards Organisation (ISO) B1) OSI Model. What and stages? - ✔M️odel is set of 7 layers that define the different stages that data must go through to travel from one device to another over a network. {7} Application, {6} Presentation, {5} Session, {4} Transport, {3} Network, {2} Data Link, {1} Physical. Higher layers more specific, lower layers more generic. Please Do Not Tell Sales People Anything. B1) Physical Layer - ✔P️hysical layer defines electrical and physical specifications for devices, i.e. relationship between a device and a transmission medium (e.g. copper or fibre optical cable, Shielded/unshielded twisted pair, 10Base-2, 10Base-T, 100Base-TX, 1000B-T, RJ45, Coaxial, Fibre-optical cables, Copper cables) B1) Data Link Layer - ✔D️ata Link layer provides means to transfer data between network entities using a common addressing format. Data Link layer has Logical Link Control (LLC) sublayer for multiplexing several network protocols (e.g. IP, IPX, Decnet and Appletalk) to coexist in multipoint network. Data Link layer has Media Access Control (MAC) sublayer for addressing and terminal/network nodes to communicate within a multiple access network. MAC address, PPP, HDLC, ADCCP. B1) Network Layer - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS used, intended to support self-configuring systems to allow then to discover their network addresses. Type 17 (subnet address mask request) = Reveals the subnet mask used by the target host, used when mapping networks B1) ICMP Probing tools - ✔S️ing (works like Ping but with enhancements as you can send diff types of ICMP). Works like "sing -echo" "sing -tstamp" "sing -mask". 
nmap -sP.ICMPscan, can do all of the ICMP types with flags -T (timestamp) -N (Netmask) -I (info) -E (echo) B1) ICMP OS Fingerprinting - ✔O️fir Arkin's Xprobe2 utility performs OS fingerprinting by primarily analyzing responses to ICMP probes B1) Microsoft PPTP - ✔1️. The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. A PPTP tunnel is started by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a GRE tunnel to the same peer. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. Microsoft PPTP uses TCP port 1723 to negotiate and establish connection and IP protocol 47 (GRE) for data communication. 2. Uses MS- CHAP for authentication which PPTPv1 and PPTPv2 and vulnerable to bruteforce attacks. B2) Cat 5/Fibre - ✔C️oaxial/Cat 5/Fiber Optics is pyhsical part of the physical layer. Coax cable is an older technology used in connecting networks. Cat 5 is made from copper and is twister pairs. B2) Cat 5 Characteristics - ✔1️) Performance up to 100MHz 2) Suitable for 10BASE-T, 100BASE-TX (Fast Ethernet), 1000BASE-T (Gigabit Ethernet). 3) Category 5 enhanced (Cat 5e) supersedes Cat 5. Category 6 cable (Cat 6) is a cable standard for Gigabit Ethernet. 4) Normally use RJ45 connectors. B2) What are 10/100/1000baseT (Ethernet) - ✔1️) They are standards that carry traffic on physical layers. B2) 10base - ✔T️ characteristics - 1) Also known as ethernet over twisted pair or IEEE 802.3i 2)10base-T transmits at speed of 10Mbit/s using baseband transmission using twisted pair cables B2) 100base - ✔T️X characteristics - 1) 100base-TX (IEEE 802.3u) is most common of the Fast Ethernet standard. 
Fast Ethernet covers copper (100base-TX, 100base-T4, 100base-T2) and fibre-optic (100base-FX, CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS 100base - ✔S️X, 100base-BX, 100base-LX10) technologies. B2) 1000base - ✔T️ characteristics - 1000base-T (IEEE 802.3ab) is a standard for gigabit Ethernet over copper wiring. B2) Token Ring. Where? How fast? Describe? Cabling? - ✔1️) LAN technology which resides in the Data Link Layer (DLL) of the OSI, similar to ethernet. 2) Token Ring Network operates at 4mbps and 16mbps. 16mbps Token Ring a.k.a. Fast Token Ring. 3) Token is passed along the cyclic network. No collision. Each node has timeslice to perform processing. Special token frame circles the network when no station transmitting. Station converts token into data frame for transmission. Token Priority has 8 levels to assign to stations. Token Ring standardised with IEEE 802.5. 4) Token Ring cabling uses IBM "Type-1" shielded twisted pair with unique genderless connector (a.k.a. Boy George connector) B2) What is a WLAN? What OSI layer? - ✔1️) A wireless local area network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio). WLAN usually provides a connection through an access point to the wider Internet. 2) WLAN is a data link layer protocol. WIFI Data Link similar to ethernet. Uses radio spectrum (shared like a hub). Usually has link layer Encryption with Authentication protocol. B2) 802.11 standards (4) - ✔1️) 802.11a = 50mb/s 5GHz 2) 802.11b = 11mb/s 2.4GHz 3) 802.11g = 50mb/s 2.4GHz 4) 802.11n = MIMO (multiple in multiple out) B2) Other data link technologies? (5) - ✔D️irect connection (invisible), Serial Protocol (RS-232), Point-to-point (PPP), Asymmetric Digital Subscriber Line (ASDL), High-Level Data Link Control (HDLC) B2) Bridges - ✔B️ridge connects two networks together. Operates on Data Link Layer (over ethernet). Bridge learns who is on what segment. Stores MAC addresses. 
Repeater sends data on without interpreting it B2) Hubs (3) - ✔1️) Hubs are a form of repeater for an Ethernet LAN, which has multiple ports. (Sometimes known as "multi-port repeaters" or "active star networks"). 2) A hub is a shared network device. When sniffing a hub, can see all traffic. 4) A hub duplicates data packets received on one port, making it available to all other ports. Allows data sharing between all devices connected to the hub. B2) Switches (6) - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔1️) Switch is like a device with multiple bridges. 2) Unlike a standard hub, a switch keeps a record of the MAC addresses of the devices attached to it. 3) When a switch receives a data packet, it forwards the packet directly to the recipient device by looking up the MAC address. 4) Switch is a network device does packet inspection and identifies where to send data. 5) Switch ports are segmented from each other. Switch ports can run at different speeds. 6) When sniffing a switch, can only see broadcast traffic. B2) MAC Flooding Switches - ✔1️) Different forged source MAC addresses can be set on devices connecting to a switch. 2) The Content Addressable Memory Table (CAM) stores the MAC address to Physical Port translations. When CAM fills up, it causes a memory overflow / timeout. Overflow forces switch to fallback into broadcast/hub mode. 3) Early switches with limited memory had this issue. Restarting switch is a temporal measure to reset the state. 4) Fixes include: Limit MAC addresses on each port; Rate Limit to 10 requests/second; More memory in switch. B2) VLAN (7) - ✔1️) Virtual Local Area Network (VLAN) is a concept of partitioning aphysical network so that distinct broadcast domains are created. 2) Achieved on switches and routers. 3) VLANs splits ethernet up. Can assign different ports to different networks. 
4) Using a switch for different segments on network and handling firewalls and segregation of routers and protected systems is not a certified solution. 5) For traffic to be sent to specific VLANs, packets are tagged with 802.1Q tag. 6) VLANs are local to switch's database and VLAN information not passed between switches. 7) Do not use VLANs with Wireless B2) VLAN Trunking (4) - ✔1️) Trunking provides VLAN identification for frames travelling between switches. 2) Trunk port allows traffic from any VLAN to through the switch. 3) Trunk port uses 802.1Q tagging. Tagged for backward compatbility. 4) Trunking must be configured on both ends of the link. B2) VLAN Security Implications - ✔A️s an example of a double tagging attack, consider a secure web server on a VLAN called VLAN1. Hosts on VLAN1 are allowed access to the web server; hosts from outside the VLAN are blocked by layer 3 filters. An attacking host on a separate VLAN, called VLAN2, creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 on top of another header tagging the packet as belonging to VLAN1. When the packet is sent, the switch on VLAN2 sees the VLAN2 header and removes it, and forwards the packet. The VLAN2 switch expects that the packet will be treated as a standard TCP packet by the switch on VLAN1. However, when the packet reaches VLAN1, the switch sees a tag indicating that the packet is part of VLAN1, and so bypasses the layer 3 handling, treating it as a layer 2 packet on the same logical VLAN. The packet thus arrives at the target server as though it was sent from another host on VLAN1, ignoring any layer 3 filtering that might be in place. CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔1️) Spoofing is where the source address is forged. 2) can occur on most OSI layers. 3) Spoofing attacks are blind. If source address is forged, the attacker will not receive any data back. B6) Spoofing on each layer (2,3,4 and 7)? 
- ✔E️thernet (Layer 2: DL). Able to set any source address, e.g. MAC address. Not a bug. IP (Layer 3: Network). Able to set any destination address. UDP/ICMP (Layer 4: Transport). Able to set source address. Cannot trust source address as transport is connectionless. TCP (Layer 4: Transport). If the TCP sequence numbering is predictable, then it is spoofable. SMTP (Layer 7: App). B6) How to prevent spoofing? (3) - ✔1️) Not trusting the source address. 2) Sign with PGP. For example, with SMTP, anyobdy can send on someone's behalf and forge an email address. With PGP, the message is signed with a signature. 3). Fix TCP sequence number such that it is random. Do not allow to trace. B6) How can you bypass a firewall with Filtering? - ✔F️or example, Firewalls set for internal network, allow DNS/NTP to go outbound. WWW server may have some data, e.g. NTP to synchronise the time or SMTP to handle mail. Attacker can set a reverse shell, cmd.exe B6) What is content filtering? (1 + 4 examples) - ✔L️imit traffic by applications. Based on application level details. 1) SMTP Mail Addresses (MAIL TO / RCPT FROM) 2) Web URLs (Blacklist of disallowed URLs/whitelist of allowed URLs) 3) FTP Filenames 4) Stateful Inspection at firewall B6) How do you achieve content filtering and what are the protocols used? (2) - ✔1️) Content filtering using a proxy with an application level gateway 2) On PIX Firewall, PIX defines the content filtering protocol as FIXUP. On Checkpoint Firewalll, Checkpoint defines the content filtering protocol as RESOURCE. Some fixup/resource are on by default (e.g. DNS/SMTP) B8) NTP OS Fingerprint (How and what port) - ✔N️TP (Network Time Protocol) services listen on UDP port 123 and can be queried to obtain remote hostname, NTP daemon version and OS platform details B8) OS Fingerprinting Options (4) - ✔1️) ARP fingerprinting' is restrictive to local LANs. Tool: arp-fingerprinting (arp- scan). 2) Assess 'Ping TTL'. 
When doing a ping sweep TTL will return different values. TTL=255 for Cisco and Linux. TTL=128 for most identifible OS. Usually Windows. e.g. TTL of 123 is also Windows. TTL=64 for Linux. 3) Assess available 'Network Services'. If ports 135, 137, 139 and 445 are open, it is a Windows system. If port 111 is open, it is probably a Solaris/Unix system. 4) TCP/IP Stack Fingerprinting. If TCP/21 is closed and TCP/22 is open, then it is possible to find out operating system.Tool: nmap -O -P0 -n -v -P 21,22 host B8) TTL for OS's? (3) - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔A️ssess 'Ping TTL'. When doing a ping sweep TTL will return different values. TTL=255 for Cisco and Linux. TTL=128 for most identifible OS. Usually Windows. e.g. TTL of 123 is also Windows. TTL=64 for Linux. Solaris TTL=256 B8) Application Fingerprinting Techniques (5) - ✔1️) Banner Analysis 2) Probing ports 3) Manual. e.g. telnet and "GET / HTTP/1.0" 4) Automated. e.g. amap45)HTML Data Inspection (distinct links, files/folder presence) B8) Passive fingerprinting techniques (definition + 2) - ✔N️o traffic generation. Send, receive or sniff data.Tool: p0f B9) Application Fingerprinting Options (3) - ✔S️MTP, Finger, Telnet B9) Evaluation of responsive but unknown network applications (3) - ✔T️ime protocol, ping or fping if there are lots to test. traceroute (tracert and similar with ping -r) B9) SMTP for application fingerprinting? - ✔T️CP/25. RFC 821 (b.1982). Plain Text Protocol. No authentication. Information Leakage (Vulnerability): 1)Different responses to particular commands. RCPT TO: if recipient is OK, it responds with a status of 250 2.1.5. If not found, it responds with error/blank. 2) VRFY verifies address. If it works, it is a bug. 3) EXPN expands address. If it works, it is a bug. Implementation: Mail server used to run under root/administrator. Hence possible to bring up root shell (untrusted). Sendmail has no authentication. 
B9) Finger for application fingerprinting (Description and Vulnerabilities) - ✔1️) TCP/79. RFC 742 (1979). Plain Text Protocol. No authentication. Used to find out user status and information. AKA Name/Finger protocol. Name and finger programs that provide status reports on a particular computer system or a particular person at network sites. Default on Solaris installation. (Finger Protocol, Finger Client program, Finger Server program.) Daemon is fingerd or in.fingerd (for Internet). 2) Vulnerabilities Information Leakage, Daemon implementation issues. B9) Telnet for application fingerprinting (5) - ✔T️CP/23. RFC 854. Plain Text Protocol. Used for remote login. Used to connect to Linux/Unix systems or Network devices (e.g. Cisco Routers), still seen in the latter. SSH is the secure replacement. B9) Time protocol for unknown host - ✔T️CP/37, UDP/37. RFC 868. Binary protocol. Returns a 32-bit value. In seconds since 1st January 1970. Network Byte Order — big endian. B9) Ping - ✔r️ vs Traceroute (6) - 1) Ping limitation is that is only 9 slots for the IP header and only records up 9 entries at a time vs 30 in traceroute. 2) traceourite is one-way directional, ping is not as it will reply. 3) Ping can completely map a network (so CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS better to use on an internal network). 4) Traceroute not a protocol but a tool 5) Traceroute is more flexible and can work even if the host is unreachable 6) with traceroute, if a host is listening on a port it will not get back ICMP, it will keep listening and return *** B9) What is RPC? - ✔R️emote Procedure Call is a technique for building distributed systems. Basically, it allows a program on one machine to call a subroutine on another machine without knowing that it is remote. RPC is not a transport protocol: rather, it is a method of using existing communications features in a transparent way. 
B9) Linux vs Windows RPC - ✔1️) ONC/RPC (Open Network Computing RPC) is primarily used in Linux/Unix. vs DCE/RPC (Distributed Computing Environment RPC) is primarily used in Windows. 2) Unix Portmapper is on TCP/111 and UDP/111 vs Windows Portmapper is on TCP/135. (Also uses 136 — 139) B10) What is the point of filtering and firewalling? - ✔W️ithout it you could conenct to any address on any port. Filtering limits IP traffic (usually on Layer 3 and 4) B10) How does IP filtering work? - ✔F️iltering limits IP traffic (usually on layer 3 and 4). Filtering by source and destination IP address (Network Layer). Filtering by destination port (Transport Layer). Filtering by protocol (Network Layer). B10) Host based firewall? (3) - ✔1️) Host-based firewall is where the host protects itself only. Host-based firewall is useful for second-line defense. Windows Firewall is an example of a host-based system. 2) Most have static filtering. 3) Windows Firewall has IP Filtering (which is static). Linux Firewall uses IP tables (which is dynamic). B10) IPsec? (3) - ✔1️) Internet Protocol Security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks. 2) IPSec contains IP filtering. It can drop, allow in the clear, allow encrypted traffic. 3) IPSec uses a policy database. It has better control than Windows. B10) Stateful packet inspection? - ✔A️lso known as Dynamic Packet Filtering, it aims to monitor active connections on a network. They keep track of each connection and constantly check if they are valid, which is why it offers a better protection than static packet filtering. Static only checks the headers of the packet in order to determine whether they should be allowed through a firewall. 
Can open up a dynamic rule for 60 seconds etc B10) Static filtering syntax (2) - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications. B12) Wireless Encryption Importance - ✔W️ireless should have encryption. Very easy to sniff over the air. The wireless signal has a range. Wireless standard is 802.11. B12) WEP - ✔W️ireless Equivalent Privacy (WEP) WEP (Wireless Equivalent Privacy) introduced in 1997. For encryption used RC4 (Stream Cipher). RC4 encryption should not reuse the key as XOR the key itself gives the cipher text. WEP has two methods of authentication: 'Shared' and 'Open System': 'Open System' does not require authentication per se. The keys must be right to encrypt data frames. 'Shared' uses a configure WEP key to encrypt a challenge back to the server. At least WEP is better than no encryption B12) TKIP - ✔T️emporal Key Integrity Protection (TKIP) . TKIP uses RC4 (128-bit) and this is used in most wireless hardware B12) WPA - ✔W️i-Fi Protected Access (WPA). WPA-TKIP has weakness that allows attackers to decrypt data packets for a keystream B13) What is the Unix security model? - ✔E️verything is a file. e.g. files, devices, etc. File protection is the key security point. /dev is a device. /proc is a file with system config/process. 2 classes of users: 'users' and superuser'. All users have an ID, 'uid'. 'Users' have uid!=0. Superuser have uid=0. 'root' is default superuser and convention. 'root' can be renamed but causes problems. 'root' has control of most of the OS. Look to root' a system B13) Unix File Protection - ✔E️very file has meta-data associated. Meta data is admin-useful data. A file has an 'OWNER', a 'GROUP' and a 'MODE'. The 3 bits represents permissions. For normal files, bit 0 represents execute', bit 1 represents 'write' and bit 2 reprsents 'read'. 
For special permissions, bit 0 represents the 'sticky bit', bit 1 represents 'SGID' and bit 2 represents 'SUID'. SUID can set UID/GUID. B13) File vs Directory UNIX perms - ✔F️ile = R | Read Data, W | Write Data, X | Execute Program. Directory = R | List Contents (ls), W | Add, Delete, Rename Files in directory, X | Traverse Directory B13) Normal UNIX permissions for files, programs and directories? - ✔T️ext Files usually have permissions of 640. Programs usually have permissions of 750. Directories usually have permissions of 755 B13) CRON - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔C️RON runs scheduled tasks. CRON is a program that runs every minute. Configuration files are stored in a CRONTAB. B13) Linux Priv Esc (3) - ✔1️. Writable SUID executable files. (e.g. root 4777). Note: Writing to the file drops the setuid bit in most OS. 2. Writable files that are executed/processed by root. (e.g. crontab) 3. Files in a writable directory executed by root. (e.g. can change files in a writable directory). B13) Privileges when creating files - ✔1️) Programs can control permissions set when files are created while running program. e.g. 0666 and 0777. 2) umask can be set at the system login and in the user profile. Unix uses umask as a template on what default permissions a file should have. Windows uses inheritance. umask set to 0002 prevents world-write access to the file.3) 000 => No restriction 777 => No access B14) Listing processes on Unix (4) - ✔1️)ps, PID, process ID is a number. PPID, parent PID. 'Terminal' column can be any device. 2) "pstree" lists process as a tree. 3) "top" — gives the memory dump in memory. 4) "lsof" — lists open files B14) What does netstat do? - ✔D️isplays network sockets (listener/active). netstat works on Linux, Solaris and Windows. Interested in TCP Sockets and UDP Sockets. UNIX domain sockets are also displayed. B14) netstat flags (6) - ✔>️ netstat # works in Windows as well as Unix/Linux. 
> netstat -a # displays all sockets. > netstat -n # do not resolve ports to names. $ netstat -t # TCP only (Linux). $ netstat -u # UDP only (Linux). $ netstat -p # Shows owner of process (Must be root in Linux) B14) Listing processes in Windows (4) - ✔1️) Process tab in task manager — This is GUI-based and not good for getting process list. 2) tlist.exe — part of the resource tool kit (on older Windows OS) 3) tasklist.exe — works on XP (not XP Home) and onwards and onboard most operating systems. 4 Sysinternals tools, e.g. procmon, sysmon and pstat B14) Windows, Solaris and Linux patches? - ✔S️olaris/Windows use patch updates. Linux use updated packages B14) How to assess patches on Unix? (5) - ✔F️or a good patch assessment, check the following: 1) Installed patches (e.g. showrev). 2) Full list of (manufacturer released) available patches. 3) Installed components. 4) OS Version (e.g. uname). 5) Architecture (e.g. uname). B14) How to assess patches on Solaris? (3) - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔1️) Installed patches (showrev), 2) Check pathdiag.xref for all available patches for all systems back to 1990 (found and stored in /var/tmp). 3) Can use Patch Check Advanced (pca) to assess. This will show 2 numbers. First number is the number of patches missing. Second number is the total number of days out of date. B14) How to assess patches on Windows? (3) - ✔1️) wmic qfe (works on windows XP and above) 2) Released patches can be found in Security Patch Bulletin Catalog (mssecure.xml/mssecure 1.cab) or in Microsoft Security Bulletins page. 3) Tools like: hfnetchk, hfnetchkpro, MBSA, Nessus, Languard B14) Forensics plan for finding interesting files - ✔F️or forsenics, create a copy. However must ensure nothing is changed on master (primarily anything effects last action date). Mount drive as read-only. You may need to generate hash of drive. Having a write-blocker device can be used to make a copy. 
Police and Criminial Evidence (PACE) act guidelines recommend that volatile data is captured before system is powered down (as shutdown processes saves data and closes files) B14) Find interesting files on Linux? - ✔f️ind command will locate diles on a Linux/Unix system by their date, size, name, owner/group, mode. filetype. find B14) Find command syntax - ✔$️ find / -name x.txt # Look for x.txt on the system. $ find / -name *.txt # WRONG! * expands out and find doesn't work as expected. $ find / -name '*.txt' # CORRECT! This finds all text files. $ find / -name "*.txt" # CORRECT! $ find / -name \*.txt # CORRECT! B14) Find command for files with special permissions in Unix/Solaris vs Linux - ✔1️) Unix/Solaris = $ find / -perm -4000 # finds all setuid files (directory/links). $ find / -perm -0002 # finds all world writable files (usually tempfiles). $ find / -perm -002 - type f # finds all world writable files only. $ find / -perm -002 -type d # finds all world writable directories only. $ find / -mode -4000 # finds all SUID files $ find / -mode - 2000 # finds all GID files. 2) Linux = $ find / -perm +4000 # finds all setuid files (directory/links). $ find / -perm /4000 # finds all setuid files (directory/links). This is a new format. $ find / -mode +4000 # finds all SUID files. $ find / -mode +2000 # finds all GID files B14) Interesting directories on unix - ✔/️tmp # Store temporary files like SSH Key files. Cleared out regularly. /var/tmp # Not cleared out so often. B14) Linux/Unix commands for finding info about a file (7) - ✔c️d, ls, stat (Only in Linux, tells information about the file and metadata), lsof (list of open files), less/more/cat/tail/head show the file contents, df (shows partitions mounted), od (takes a binary file and looks at the contents) CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS C2) DNS Record Types AAAA - ✔I️Pv6 Address Record. IPv6 address of a particular host (128-bit) C2) DNS Record Types CNAME - ✔C️anonical Name Record. 
An alias for the real name of the host. C2) DNS Record Types MX - ✔M️ail Exchange Record. Maps a domain name to a list of message transfer agents (MTA). C2) DNS Record Types NS - ✔N️ame Server Record. Delegates a DNS zone/subtree to given authoritative name server C2) DNS Record Types PTR - ✔P️ointer Record. Pointer to a CNAME. Used for Reverse DNS lookup as maps IP address to hostname. PTR record uses .arpa format for IP address. C2) DNS Record Types SOA - ✔S️tart of Authority Record. Admin record. Specifies authoritative information about DNS and denotes the start of a DNS zone/sub-tree. SOA information includes primary name server, email address of domain administrator, domain serial number, timers relating to refresh. C2) DNS Record Types TXT - ✔T️ext Record. Originally arbitrary human-readable text but record carries machine- readable data, such as RFC1464. TXT record can relate to: Opportunistic Encryption (OE), Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), DNS based Service Discovery (DNS-SD) C2) DNS Record Types AXFR - ✔A️uthoritative Zone Transfer. Transfer entire zone file from the master name server to secondary name servers. IXFR = Incremental Zone Transfer. Requests a zone transfer of the given zone but only differences from a previous serial number. C2) DNS Record Types HINFO - ✔H️info Record. Host type and operating system information. C2) DNS Vulnerabilities - ✔1️) Incorrect Admin Information. 2) Zone transfer. 3) Version information (Information leakage on finding out version of BIND. Query the Version.bin TXT record for the CHAOS class. CHAOS TXT Version.bind). 4) Cache poisioning, problem is DNS does not have authentication or encryption. Solution is to use DNSSEC. DNSSEC is the standard but not seen in infrastructure. 5. BIND vulnerabilities, should know the major ones for V4 & V8. 
A vulnerable BIND is a particular problem if it is reachable from the Internet.
C3) How to get webapp info from HTML content etc (5) - ✔ 1) Look for known files on the target site (e.g. /robots.txt). 2) Look for server information leaked in the HTTP response headers (Server:, X-Powered-By:) and for application version strings in displayed content. 3) Look for names, phone numbers, email addresses and internal IP addresses in displayed content and in the HTML source. 4) Look for comments and metadata in the HTML source. 5) Look for error pages (stack traces, framework and database names).
C4) Google hacking operators - ✔ 1) filetype:doc (or ext:doc) restricts results to a file type. 2) site:domain.com restricts results to a site or domain. 3) cache:domain.com shows Google's cached copy of a page. 4) intext:word finds pages whose body text contains the term. 5) allintext:word finds pages whose body text contains all the terms. 6) inanchor:/allinanchor:, intitle:/allintitle: and inurl:/allinurl: restrict matching to link anchor text, the page title or the URL respectively.
C5) NNTP Newsgroups Recon - ✔ 1) "<search term> site:groups.google.com" finds Usenet/newsgroup posts containing that term. 2) Other search engines index news articles from different sites (e.g. newslookup.com). 3) Search for mailing lists (e.g. lsoft.com). 4) Search engines designed for forum posts (e.g. omgili.com).
C6) Email analysis - ✔ 1) The Sender: header need not match From: (for example when an administrative assistant sends on someone's behalf), and both can be forged. 2) Received: and Return-Path: headers contain trace fields that leak internal hostnames, IP addresses and mail software versions along the delivery path.
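The find commands in the B14 cards above test permission bits that are easy to get wrong (-perm -4000 versus /4000). As an added example that is not part of the CPSA notes, this Python script performs the same setuid/setgid/world-writable sweep in code, so the bit tests can be read and unit-tested; it uses lstat, like find, so symlinks are judged on their own mode.

```python
# Added example (not from the CPSA notes): a Python equivalent of the
# "find / -perm" checks, so the bit tests can be read and unit-tested.
import os
import stat


def classify_mode(mode):
    """Return the set of interesting flags for an st_mode value."""
    flags = set()
    if mode & stat.S_ISUID:
        flags.add("setuid")
    if mode & stat.S_ISGID:
        flags.add("setgid")
    if mode & stat.S_IWOTH:
        # World-writable; the sticky bit (as on /tmp) limits deletion, not writes.
        flags.add("world-writable")
    return flags


def find_special(root, follow_links=False):
    """Walk root and return (path, kind, flags) for every entry with a flag set.

    lstat is used so symlinks are reported on their own mode rather than on
    the target's, matching find's default behaviour.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                # Unreadable entry: the equivalent of find's "Permission denied" noise.
                continue
            flags = classify_mode(st.st_mode)
            if flags:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                hits.append((path, kind, sorted(flags)))
    return hits


if __name__ == "__main__":
    import sys
    for path, kind, flags in find_special(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{','.join(flags):24s} {kind:4s} {path}")
```

Run it against / as root to mirror find; run it against a single export or web root to review what an application user could plant there.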
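The version.bind check in the C2 DNS vulnerabilities card is a plain DNS query with an unusual class (CHAOS, class 3). As an added example that is not part of the CPSA notes, the following code builds that query in wire format and parses the TXT answer; the response bytes below are constructed by hand so the parser can be exercised offline, and the optional live mode takes a nameserver hostname you supply.

```python
# Added example (not from the CPSA notes): build the DNS query that asks a
# BIND server for version.bind in the CHAOS class, and parse the TXT answer.
# SAMPLE_RESPONSE is constructed by hand; no network is needed to run it.
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(name):
    """'version.bind' -> b'\\x07version\\x04bind\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Standard query, recursion desired, one question: version.bind TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_txt_answers(msg):
    """Return the TXT strings found in the answer section (CHAOS class only)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = decode_name(msg, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):                      # rdata = <len><bytes>...
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return strings


# Constructed reply: the question echoed, then one TXT CH answer "9.11.4".
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    + b"\xc0\x0c"                                      # pointer to the name at offset 12
    + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 7)
    + b"\x069.11.4"
)

if __name__ == "__main__":
    import socket
    import sys
    if len(sys.argv) > 1:                              # live: python3 dnsver.py <nameserver>
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(3)
        s.sendto(build_version_query(), (sys.argv[1], 53))
        print(parse_txt_answers(s.recv(512)))
    else:
        print(parse_txt_answers(SAMPLE_RESPONSE))
```

A hardened BIND answers this query with a string such as "not disclosed" (the version "..." option) or refuses it; an unpatched one returns the exact release, which maps straight onto public advisories.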
D1) Weaknesses in Telnet - ✔ Passes credentials in the clear (on Cisco devices look for the 'User Access Verification' / 'Password:' prompt). Password brute-forcing and default passwords. Once authenticated, 'show ver' and 'show run' display the software version and the running configuration.
D1) Weaknesses in web-based management protocols - ✔ Connect to the management interface. HTTP is in the clear. Username and password guessing, web application vulnerabilities, default credentials. Old Cisco IOS HTTP server bug (authorisation bypass through privilege-level URLs) that shows the configuration without valid credentials: http://router/level/99/exec/show/config.
D1) SSH weaknesses - ✔ Identify the version from the banner. Password brute-forcing and default passwords (credentials are encrypted in transit, unlike Telnet, so guessing is the main attack). Once authenticated, 'show ver' and 'show run' display the version and running configuration.
D1) SNMPv1 and 2c weaknesses - ✔ Runs on UDP/161 and is still widely used. v1 and v2c have no encryption, and the only authentication is the community string (no username). With the correct read community the whole Management Information Base (MIB) can be walked. Enumerate usernames of active accounts on Windows via the LanManager MIB: snmpwalk -v1 -c public 192.168.51.29 .1.3.6.1.4.1.77.1.2.25
D1) SNMPv3 weaknesses/features - ✔ SNMPv3 adds per-user authentication (HMAC-MD5/HMAC-SHA) and privacy (DES/AES encryption) and uses a username plus authentication and privacy passphrases instead of a community string; it is still deployed less often than v2c. Recommend SNMPv3, or at least strong, non-default community strings with v2c.
D1) SNMP communication structure - ✔ The manager (client) sends a request to the agent (server), which responds. Requests include GET, GETNEXT and SET; GETNEXT returns the next object in the tree, which is how a walk is performed. The Management Information Base (MIB) defines the structure being queried.
D1) SNMP, OID vs MIB? - ✔ OID is an Object Identifier. Anything that can be monitored by SNMP has an OID: the temperature of a server, say, is an OID written as a sequence of numbers separated by dots. A MIB (Management Information Base) is a text file that lets tools translate numeric OIDs into named ones.
Some OIDs are standard on every agent and worth querying first, such as sysUpTime.0 and sysDescr.0. The monitoring station sends its request to UDP/161 on the device and asks for the value of a particular OID.
D1) How do you use SNMP maliciously? - ✔ SNMP can change device configuration by design, so an attacker who sniffs the community string (v1/v2c send it in the clear) can take control of the device. SNMP can also be used to enumerate user accounts, groups, system names, running processes, installed software, routing tables and interfaces.
D1) Types of SNMP community string? - ✔ 1) Read-only: permits querying and reading information but no configuration changes. Default community string: "public". 2) Read-write: permits changes to the device, so with this string the remote device's configuration can be modified. Default community string: "private".
D1) SNMP tools/commands - ✔ Net-SNMP command-line tools: snmpget (GET request), snmpset (SET request), snmpwalk (repeated GETNEXT), snmptable (fetch a table into formatted columns) and snmpnetstat (netstat-style output). snmpwalk is the one used most.
D1) Cisco SNMP vulns - ✔ With a read-write community string, a Cisco device can be instructed over SNMP (CISCO-CONFIG-COPY-MIB) to upload its configuration to a TFTP server you control. Metasploit automates this: auxiliary/scanner/snmp/cisco_config_tftp.
D1) TFTP functionality? - ✔ Runs on UDP/69. No authentication. No directory listing, cd or pwd. Supports only GET and PUT. Used by switches, routers and embedded devices, and by routers together with SNMP to transfer configuration files. Any file under the TFTP root directory can be read, and on misconfigured servers written, if you can guess its name.
Hot Standby Router Protocol (HSRP) hellos go to multicast address 224.0.0.2 (v1) or 224.0.0.102 (v2) on UDP/1985. HSRP is not a routing protocol: it does not advertise IP routes or alter the routing table.
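The SNMP cards above say that v1/v2c authenticate with nothing but a community string and that a walk is a series of GETNEXT requests. As an added example that is not part of the CPSA notes, the code below hand-encodes one SNMPv1 GetNextRequest in BER (the unit snmpwalk repeats) and decodes a constructed agent reply; it shows the community string sitting in the packet as a plain OCTET STRING. The reply bytes and the sysDescr value are made up.

```python
# Added example (not from the CPSA notes): BER-encode an SNMPv1 GetNextRequest
# and decode a constructed GetResponse. The community string is visible in
# the packet as an unprotected OCTET STRING, which is the v1/v2c weakness.
import struct


def ber_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + struct.pack("!H", n)


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    # Small non-negative integers only (enough for version, ids, error fields).
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                      # base-128, high bit = more
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def getnext_request(community, oid, request_id=1):
    """SNMPv1 Message { version 0, community, GetNextRequest-PDU }, for UDP/161."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")            # name, NULL value
    pdu = tlv(0xA1, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_parse(data):
    """Decode a BER blob into (tag, value) pairs; constructed tags recurse."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                               # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        body = data[i:i + length]
        i += length
        items.append((tag, ber_parse(body) if tag & 0x20 else body))
    return items


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def response_varbinds(packet):
    """Return [(oid, value_bytes)] from a GetResponse; error fields are ignored."""
    msg = ber_parse(packet)[0][1]                      # Message SEQUENCE
    pdu = msg[2][1]                                    # version, community, PDU
    return [(decode_oid(vb[1][0][1]), vb[1][1][1]) for vb in pdu[3][1]]


# Constructed GetResponse (tag 0xA2) answering sysDescr.0 with "Linux box".
SAMPLE_RESPONSE = tlv(0x30, ber_int(0) + tlv(0x04, b"public") + tlv(
    0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, tlv(
        0x30, ber_oid("1.3.6.1.2.1.1.1.0") + tlv(0x04, b"Linux box")))))

if __name__ == "__main__":
    pkt = getnext_request("public", "1.3.6.1.2.1.1")
    print(pkt.hex(), "community in clear:", b"public" in pkt)
    print(response_varbinds(SAMPLE_RESPONSE))
```

Sending getnext_request() to UDP/161 and feeding the reply to response_varbinds() gives one step of a walk; the returned OID is the name to put in the next request. Anyone on the path can read the community string out of the same bytes, which is why v1/v2c need a strong string and an ACL, or SNMPv3.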
D3) HSRP Vulnerabilities - ✔ If authentication is absent or the plaintext/default password is known, send crafted HSRP hello packets with a higher priority so the routers elect you as the Active router and forward traffic through you, giving man-in-the-middle or denial of service.
D3) What is VRRP? - ✔ Open-standard redundancy protocol that increases router availability. Like HSRP it operates with a master/backup or load-sharing model. VRRP uses the virtual MAC address 00-00-5E-00-01-XX, where XX is the Virtual Router Identifier (VRID). VRRP sends advertisements to multicast address 224.0.0.18 using IP protocol 112. VRRP is not a routing protocol and does not advertise IP routes or alter the routing table.
D3) VRRP Vulnerabilities - ✔ Loki is a tool for attacking VRRP. The same weaknesses exist as in HSRP, with minor differences: denial of service (DoS), man-in-the-middle (MITM) by rerouting traffic through the attacker's machine, and some information leakage.
D3) What is VTP? - ✔ VLAN Trunking Protocol. Cisco proprietary protocol that switches use to exchange VLAN information; it propagates VLAN details (VLAN ID, VLAN name) across the whole LAN. Authentication is optional.
D3) VTP Vulnerabilities - ✔ If used without authentication, inject spoofed VTP packets to change the VLAN configuration, corrupt the VTP database (an advertisement with a higher revision number overwrites every switch's VLAN table) or trigger errors that cause a DoS.
D3) What is STP? - ✔ Spanning Tree Protocol, used by bridges and switches to detect and prevent loops. STP was introduced to stop layer-2 network loops (broadcast storms) from disrupting a LAN. It elects a root bridge and virtually disconnects redundant links.
D3) STP Vulnerabilities - ✔ No authentication. Inject spoofed STP BPDUs to disrupt network operation: destabilise the switches' spanning trees and MAC address tables and keep the network in a constant state of re-electing the root bridge.
This works because STP has no authentication mechanism at all.
D3) What are TACACS+ and RADIUS? - ✔ Both are protocols that provide authentication, authorisation and accounting (AAA) and access control in a network. Terminal Access Controller Access-Control System Plus (TACACS+) is a Cisco proprietary protocol on TCP/49. Remote Authentication Dial In User Service (RADIUS) is an open standard, so it works with non-Cisco hosts, and uses UDP 1812 (authentication) and 1813 (accounting). TACACS+ encrypts the entire packet body (the header stays in the clear); RADIUS obfuscates only the password attribute.
D3) TACACS+ Vulnerabilities - ✔ No integrity checking to ensure packets have not been tampered with. No protection against replay attacks (a packet with the correct TACACS+ sequence number is accepted). Session ID collision (the encryption keystream depends heavily on the session ID). Session ID randomness (session IDs are eventually reused, which allows decryption of packets). Lack of padding (can reveal the length of a user's password). MD5 context leak (a theoretical weakness where part of a packet may be decrypted because certain bytes are present).
D4) What is IPsec? - ✔ IPsec is a group of protocols used together to set up encrypted, authenticated connections between devices and keep data sent over public networks secure. It is commonly used to build VPNs; it encrypts IP packets and authenticates their source. "IP" stands for Internet Protocol, the main routing protocol of the Internet, which uses IP addresses to say where data should go; "sec" stands for secure. IPsec is secure because it adds encryption and authentication to that process.
D4) What problem does IPsec solve? - ✔ IP is inherently insecure.
It is possible to intercept and manipulate traffic between sender and receiver: sniff network traffic, spoof IP addresses, modify packets in transit and replay them. IPsec provides security for the Internet Protocol itself by allowing secure, encrypted communication between endpoints.
D4) IPsec vs SSL/TLS? - ✔ SSL/TLS is the other common VPN technology; it operates at a different layer of the OSI model (above TCP) than IPsec (at the IP layer).
D4) How do you connect to an IPsec VPN? - ✔ Users access an IPsec VPN through a VPN application, or "client", which usually has to be installed on the device. VPN logins are usually password-based. Data sent over the VPN is encrypted, but if a user's password is compromised an attacker can log in to the VPN and access that data.
D4) What are the components of IPsec? (3) - ✔ Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH).
D4) What happens in IKE? - ✔ Internet Key Exchange provides authentication and key exchange for establishing and maintaining IPsec communications. It supports three forms of peer authentication: pre-shared keys (PSK), public key encryption and digital signatures (RSA certificates). These authenticate the two parties and negotiate the tunnel parameters: hash algorithm (MD5/SHA-1), authentication method (e.g. RSA), Diffie-Hellman group (asymmetric key agreement), lifetime and encryption algorithm (DES/3DES/AES). The negotiated set is called a Security Association (SA).
D4) IKE vs ISAKMP? - ✔ Internet Security Association and Key Management Protocol (ISAKMP) is part of IKE (IKE combines ISAKMP, SKEME and OAKLEY). IKE establishes the shared security policy and authenticated keys; ISAKMP specifies the mechanics and message formats of the exchange.
D4) How would you identify a device running an IPsec service? Attack it? (2 + 1) - ✔ Exposed UDP port 500 (and UDP/4500 for NAT-Traversal).
The ike-scan utility scans ranges for IKE VPN services and can fingerprint the vendor/implementation from its retransmission backoff pattern (ike-scan -M -o <target>; -q suppresses decoding of the handshake). Attack: if the gateway accepts aggressive mode with a pre-shared key, ike-scan -A -P captures the PSK hash (an ID/group name may be needed with --id) and psk-crack runs a dictionary or brute-force attack on it offline; otherwise review the transforms the gateway agreed to (weak hashes, single DES, weak DH groups) for downgrade opportunities.
D4) IKE Phase 1 modes? - ✔ Main mode or Aggressive mode. Main mode has more message exchanges and protects the peers' identities; aggressive mode is faster, skips steps and sends the identity and the PSK-derived hash before the channel is encrypted, which is why it can be attacked offline.
D4) What happens in Authentication Header (AH)? - ✔ AH provides integrity and origin authentication for the whole packet, including the IP header, plus replay protection. Because the outer header is covered, AH breaks if a NAT rewrites the source or destination address. It provides no confidentiality.
D4) What happens in ESP? - ✔ Encapsulating Security Payload encrypts (and optionally authenticates) the IP payload; in tunnel mode it encapsulates and encrypts the whole original IP datagram.
D4) How does IPsec work? - ✔ IPsec connections include these steps: 1) Key exchange: keys are strings of random characters used to lock (encrypt) and unlock (decrypt) messages. IPsec sets them up through a key exchange between the devices, so that each can decrypt the other's messages. 2) Packet headers and trailers: data sent over a network is broken into packets, each with a payload (the data) and headers (information about the data telling the receiver what to do with it). IPsec adds headers containing authentication and encryption information, and trailers that follow the payload. 3) Authentication: IPsec authenticates each packet, like a stamp of authenticity, so the receiver knows it came from a trusted source and not from an attacker. 4) Encryption: IPsec encrypts each packet's payload (and in tunnel mode the original IP header), keeping data sent over IPsec private.
5) Transmission: the encrypted IPsec packets travel across one or more networks to their destination. ESP and AH are their own IP protocols (50 and 51); when a NAT is in the path, NAT-Traversal wraps them in UDP/4500, which is why IPsec traffic usually shows up as UDP rather than TCP.
D6) WEP? - ✔ Wired Equivalent Privacy. The first attempt to secure Wi-Fi, now completely ineffective because of design flaws. It uses the RC4 stream cipher with a 40- or 104-bit key (marketed as 64/128-bit once the 24-bit IV is counted).
D6) Wireless IV? - ✔ Initialisation Vector. RC4's internal state is reset for every frame, so with a fixed key every frame would be encrypted with the same keystream. To avoid that, a 24-bit IV is prepended to the key for each frame. The IV is sent unencrypted alongside the ciphertext so the receiver can decrypt.
D6) What is wrong with the IV? - ✔ RC4 needs a unique IV per frame to avoid keystream reuse, but 24 bits gives only about 16.7 million values. By the birthday bound there is a 50% probability of a repeated IV after roughly 5000 frames, so on a busy network repeats happen constantly, and statistical attacks on weak IVs (FMS/KoreK) recover the key.
D6) TKIP? - ✔ Temporal Key Integrity Protocol. The interim encryption scheme introduced with WPA to replace WEP on existing hardware. It still uses RC4, but with a 128-bit key, per-packet key mixing, a 48-bit IV/sequence counter and a message integrity check (Michael).
D6) WPA? - ✔ Wi-Fi Protected Access. Intermediate security protocol that replaced WEP pending 802.11i. Implements TKIP and a Message Integrity Check that prevents packet tampering.
D6) WPA2? - ✔ Replaced WPA and implements the mandatory elements of the 802.11i standard, including CCMP, an AES-based encryption and integrity mode.
D6) Wireless authentication modes (4) - ✔ Open authentication, MAC-address-based access control, pre-shared keys (PSK) and WPA2 Enterprise with 802.1X authentication.
D6) Wireless authentication protocols (3) - ✔ Additional authentication protocols were needed to bolster WEP; several competing methods emerged that provide stronger authentication and a way to derive and distribute keys to clients: EAP, LEAP and PEAP.
D6) EAP - ✔ Extensible Authentication Protocol provides authentication for point-to-point and wireless connections.
It is the primary authentication framework for WPA/WPA2 Enterprise (802.1X) and defines a message format rather than a single method; specific methods such as EAP-TLS, PEAP and LEAP plug into it.
D6) LEAP - ✔ Lightweight EAP. Created by Cisco, not supported natively by Windows, uses a modified version of MS-CHAP. The challenge/response can be captured and the password cracked with the asleap tool.
D6) PEAP - ✔ Protected EAP. An inner EAP exchange encapsulated in a TLS tunnel. A joint project (Cisco, Microsoft, RSA).
D6) Wireless enumeration tools - ✔ aircrack-ng suite: tools for enumeration and exploitation. airmon-ng places wireless interfaces in monitor mode. airodump-ng is the sniffer (automatic channel hopping, filtering of captured traffic by cipher suite, lists the clients connected to an AP and their MAC addresses). aircrack-ng is the key-cracking tool. airdecap-ng decrypts capture files once the key is known. Wireshark for protocol analysis.
D7) Hubs vs switches - ✔ Hubs are unmanaged devices with no IP address; they repeat traffic to every port, so any attached host can sniff all traffic. Switches can be managed or unmanaged (Cisco switches are managed). Managed switches are administered over SNMP, Telnet, SSH or HTTP and have an IP address.
D7) Routers - ✔ Routers have one IP address per interface and are layer-3 devices. They expose management services including HTTP, HTTPS, SNMP, SSH and Telnet.
D7) IDS - ✔ Intrusion Detection System (IPS if it blocks). An IPS that drops scans, or an IDS that floods the client with alerts, distracts from the test itself. Solution: agree with the client to put the IDS into monitor-only mode for the test or to whitelist the tester's IP address.
D7) Cisco routers - ✔ Cisco is the most popular router vendor. Its devices run IOS (Internetwork Operating System), Cisco's own operating system, which comes in major versions ("trains") with point releases and patches.
D7) Find the version of a Cisco router? - ✔ HTTP: the management page or configuration file. SNMP: sysDescr.0 (.1.3.6.1.2.1.1.1.0) reports the IOS version. Telnet/SSH once authenticated: router> show ver. Telnet/SSH unauthenticated: the 'User Access Verification' / 'Password:' banner only tells you it is a Cisco device.
D7) Firewalls vs routers - ✔ Firewalls can rewrite packets (routers forward them unchanged): they use Network Address Translation (NAT) to map IP addresses and Port Address Translation (PAT) to map ports. Many firewalls do not decrement the TTL, so they do not show up in traceroute.
Firewalls keep a state table; routers do not. A firewall exists to control access.
D7) How do firewalls control traffic? (3) - ✔ Network level (IP address): which addresses may talk to each protected system. Transport level: which ports/services. Application level: which mail or web commands may be used. They do not filter at the link level (MAC address).
D7) Firewall rules - ✔ DEFAULT PERMIT allows everything and blocks known-bad traffic; this does not work because not ALL bad traffic can be identified. DEFAULT DENY allows only known-good traffic and denies everything else. Cisco and Check Point use different jargon for the same concepts. Rules are evaluated top-down and the first match wins; most firewalls drop a packet that matches no rule.
D7) ANY firewall rule - ✔ ANY should raise alarms. As a source it should only appear in a rule whose destination is a public server. As a service it should never be used. As a destination, ask whether the source really needs to reach everything. Never allow ANY outbound traffic.
D7) STEALTH RULE - ✔ A rule at the top of the rule base that drops all traffic addressed to the firewall's own IP addresses, so the firewall itself cannot be probed.
E1) What is NetBIOS? - ✔ 1) NetBIOS provides communication services on local networks. It uses NetBIOS Frames (NBF) to let applications and computers on a LAN talk to network hardware and transmit data across the network. 2) It is a session-layer API sitting between the transport and application levels. 3) It can run over three different lower-layer protocols: IPX, NetBEUI (NetBIOS Frames) and IP (NBT).
E1) What services does NetBIOS provide? (3) - ✔ 1) Name Service: name registration and name resolution. 2) Session Service: connection-oriented sessions between two systems. 3) Datagram Service: connectionless delivery between any systems.
E1) NetBIOS names? (4) - ✔ 1) NetBIOS names are ALWAYS 16 bytes long: a 15-character name (space padded) and a 1-byte suffix, displayed in hex. 2) The two name types are 'Unique' and 'Group'.
3) Names are hard to manage because the namespace is flat. 4) Problems arise, for example, when merging companies/domains: names collide because there is no hierarchy.
E1) nbtstat? (3) - ✔ nbtstat is a standard Windows command for NetBIOS over TCP. It displays the NetBIOS name table of the local or a remote machine: nbtstat -a <name> queries by NetBIOS name, nbtstat -A <ip> queries by IP address, nbtstat -n shows the local table. (The Unix equivalent is nmblookup -A <ip> from Samba.)
E1) NetBIOS over TCP? (1 + ports) - ✔ NBT or NetBT is NetBIOS over TCP/IP, described in RFC 1001 and RFC 1002. Name Service: UDP/137. Datagram Service: UDP/138 (connectionless). Session Service: TCP/139 (connection-oriented). Modern SMB also runs directly on TCP/445 without NetBIOS.
E1) Domain/workgroup identification? - ✔ 1) Verify that NetBIOS/SMB services are running: nmap -sS -p139,445 192.168.147.0/24. 2) Query the name table of each host and read the suffixes (next two cards).
E1) NetBIOS suffix? - ✔ 1) The suffix is the 16th byte after the name and indicates the service offered or the server role. 2) Examples: <00> UNIQUE = workstation service (hostname), <00> GROUP = domain/workgroup name, <03> = messenger service, <20> = file server service, <1B> = domain master browser, <1C> GROUP = domain controllers, <1D> = master browser, <01> GROUP (__MSBROWSE__) = master browser announcement. UNIQUE (U) names belong to a single host; GROUP (G) names may resolve to multiple IP addresses.
E1) NetBIOS domain/workgroup assumptions from the name table/suffixes? (3) - ✔ 1) The computer is a domain controller (DC) if it registers the Domain Controllers group name (<1C> / G). 2) The computer is in a workgroup, not a domain, if it registers __MSBROWSE__ (<01> / G) but no Domain Controllers (<1C> / G) name. 3) The computer is a domain member if it registers neither __MSBROWSE__ nor Domain Controllers.
E3) NTDS.dit - ✔ The NTDS.dit file is the Active Directory database, storing user objects, groups and group membership. It includes the password hashes for every user in the domain (readable offline, e.g. from a shadow copy, together with the boot key from the SYSTEM hive).
E4) Admin account brute-force - ✔ The built-in Administrator account (RID 500) is not locked out by default, so it can be brute-forced without triggering the lockout policy.
E4) Windows authentication methods (3) - ✔ 1) The oldest is LAN Manager (LM): the password is upper-cased, limited to 14 characters and split into two 7-character halves, each used as a DES key, so it is very weak and not supported by every OS. 2) NTLM: the NT hash is MD4 of the UTF-16LE password, is case-sensitive and is not limited to 14 characters, so it is stronger than LM. NTLMv1 challenge/response uses DES with the NT hash; NTLMv2 uses HMAC-MD5 over a server challenge, a client challenge and a timestamp, the shared secret being the password hash.
3) Kerberos v5, used by Windows 2000, 2003 and XP (and later) when the machine is joined to a domain.
E4) Local vs domain authentication - ✔ 1) Local account details are stored in the SAM (Security Accounts Manager), a protected registry hive that even Administrator cannot read directly while the system is running. The SAM stores LM and NTLM hashes. 2) Domain account details are stored in Active Directory (NTDS.dit), which likewise holds LM and NTLM hashes. The Local Security Authority (LSA) handles logon and keeps a database of secret information: LSA secrets hold credentials for services that run as specific accounts. With SeDebugPrivilege an administrator can dump the LSA secrets from memory.
E4) Offline password-cracking tools (5) - ✔ LCP (LC5), L0phtCrack (licensed), ophcrack, John the Ripper and Cain & Abel. Rainbow tables are precomputed tables for reversing hash functions, used to crack LM/NTLM hashes quickly. Once hashes are extracted, tools such as Mimikatz can perform pass-the-hash attacks and Hashcat can crack them.
E3) AD trust model - ✔ Trusts within a forest are two-way and transitive, so there is no real separation between domains in a forest; the separation is between forests. In Windows 2003 forest trusts connect forest roots. Tool: nltest. A trust does not grant access by itself; it only makes it possible to grant access. An ACL entry is still required, and there is no access by default.
E3) Group Policy - ✔ A way to manage computer and user settings, managed centrally in Active Directory (AD). An alternative to local policy and registry changes that is easier to manage and scales. Computer policies are processed at boot and user policies at logon. The net command can be used to add accounts and groups.
E3) Windows registry - ✔ The registry is a hierarchical configuration database of keys and values, similar to folders and files in a directory tree. Keys are container objects. Values have a name, a type and data; common types are REG_DWORD and REG_SZ.
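Returning to the E1 NetBIOS cards above: the suffix table and the domain/workgroup heuristic are mechanical enough to code. As an added example that is not part of the CPSA notes, this script parses an nbtstat -A style name table (the sample output is constructed), labels each suffix, applies the three-rule heuristic from the notes, and shows the first-level encoding that NBT name queries use for the 16-byte names, including the wildcard name that nbtstat -A and nmblookup -A send.

```python
# Added example (not from the CPSA notes): parse an nbtstat -A style name
# table, decode suffixes, apply the notes' domain/workgroup heuristic, and
# show the first-level encoding of 16-byte NetBIOS names. SAMPLE is invented.
import re

SUFFIX = {
    ("00", "UNIQUE"): "workstation service (hostname)",
    ("00", "GROUP"): "domain or workgroup name",
    ("01", "GROUP"): "__MSBROWSE__ master browser",
    ("03", "UNIQUE"): "messenger service (user or host)",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "local master browser",
    ("1E", "GROUP"): "browser service elections",
    ("20", "UNIQUE"): "file server service",
}

LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")


def parse_name_table(text):
    """Return [(name, suffix, UNIQUE|GROUP, status)] from nbtstat-style output."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append((name, suffix.upper(), kind, status))
    return entries


def describe(entries):
    return [(n, s, k, SUFFIX.get((s, k), "unknown")) for n, s, k, _ in entries]


def infer_role(entries):
    """Notes' heuristic: <1C>/G => DC; MSBROWSE without <1C>/G => workgroup; else domain member."""
    has_dc = any(s == "1C" and k == "GROUP" for _, s, k, _ in entries)
    has_msbrowse = any("MSBROWSE" in n for n, _, _, _ in entries)
    if has_dc:
        return "domain controller"
    if has_msbrowse:
        return "workgroup member"
    return "domain member"


def nbt_encode(name, suffix=0x00):
    """First-level encoding: 15-char space-padded name + 1-byte suffix, each
    byte split into two nibbles and added to 'A', giving 32 characters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV01      <00>  UNIQUE      Registered
CORP           <00>  GROUP       Registered
FILESRV01      <20>  UNIQUE      Registered
CORP           <1C>  GROUP       Registered
CORP           <1B>  UNIQUE      Registered

MAC Address = 00-0C-29-AA-BB-CC
"""

if __name__ == "__main__":
    table = parse_name_table(SAMPLE)
    for row in describe(table):
        print(row)
    print("role:", infer_role(table))
    print("wildcard query name:", nbt_encode("*".ljust(15, "\x00")))
```

The encoded wildcard ("CK" followed by thirty "A"s) is the string to look for in a packet capture when something is enumerating NetBIOS names on the wire.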
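The D6 WEP cards above assert a 50% chance of a repeated 24-bit IV after about 5000 frames. As an added example that is not part of the CPSA notes, the code below checks that figure both exactly and with the closed-form birthday estimate, and counts IV reuse in a capture; the IV stream it tests on is generated at random, not taken from a real trace.

```python
# Added example (not from the CPSA notes): verify the "50% IV repeat after
# ~5000 frames" claim for WEP's 24-bit IV and count reuse in an IV stream.
import math
import random

IV_SPACE = 2 ** 24          # WEP prepends a 24-bit IV to the RC4 key


def collision_probability(frames, space=IV_SPACE):
    """Exact P(at least one repeated IV) when each frame draws an IV uniformly."""
    p_unique = 1.0
    for i in range(frames):
        p_unique *= (space - i) / space
    return 1.0 - p_unique


def frames_for_probability(target=0.5, space=IV_SPACE):
    """Smallest frame count whose collision probability reaches target."""
    p_unique, n = 1.0, 0
    while 1.0 - p_unique < target:
        p_unique *= (space - n) / space
        n += 1
    return n


def birthday_estimate(target=0.5, space=IV_SPACE):
    """Closed-form approximation sqrt(2 * space * ln(1 / (1 - target)))."""
    return math.sqrt(2 * space * math.log(1 / (1 - target)))


def count_iv_reuse(ivs):
    """Return {iv: count} for every IV seen more than once in a capture."""
    seen = {}
    for iv in ivs:
        seen[iv] = seen.get(iv, 0) + 1
    return {iv: c for iv, c in seen.items() if c > 1}


if __name__ == "__main__":
    print("exact frames for 50%:", frames_for_probability())
    print("birthday estimate   :", round(birthday_estimate()))
    rng = random.Random(1)
    capture = [rng.randrange(IV_SPACE) for _ in range(20000)]   # constructed IVs
    print("reused IVs in 20000 random frames:", len(count_iv_reuse(capture)))
```

Random IV selection is the best case; real WEP drivers often count IVs up from zero or reuse small values, so reuse arrives far sooner than the birthday bound predicts.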
Attackers try to announce vulnerability or attack on "exploit wednesday". Every patch requires a reboot. Critical servers are not necessarily patched as soon as patch is released. E6) List patches on machines? (various OS) - ✔T️o list what patches are installed in XP, 2003 use 'wmic qfe'. To list what patches are installed in NT, 2000 use 'HKLM\Software\Microsoft\Updates\' and 'Microsoft\ Windows\NT\Current Version\Hotfix' CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS E6) What is SMS - ✔S️ystems Management Server. SMS now called System Center Configuration Manager. Provides remote control, patch management, software distribution, operating system deployment, network access protection and hardware/software inventory. E6) What is WSUS? (5) - ✔W️indows Server Update Services (WSUS). Earlier version called Software Update Services (SUS). Enables administration and distribution of updates and hotfixes released for Microsoft products in corporate environment. WSUS downloads updates from Microsoft Update website and then distribution them to computer on local network. WSUS allows administrators to check updates against their systems. WSUS gives no control to user. E6) What is MBSA? (3) - ✔M️icrosoft Baseline Security Analyzer (MBSA). Software tool to determine security state by assessing missing security updates and less secure security settings. Can use offline scan file, wsusscn2.cab (30MB) to compare against E7) Windows Desktop Breakout Physical - ✔P️hysical Access is unconstrained. Real locks required to stop people opening systems up. Boot from CD or USB should be disabled. OS can be mounted from these systems. Install new primary Disk. Boot off same primary disk. Reset BIOS password (Remove NVRAM battery or reset password jumper). BIOS should be blocked with a password set. Problem if BIOS allows the order to be changed. E7) Linux Boot Loader - ✔L️ILO/GRUB used in Linux. Left-shift (F8). Kernel is loaded and parameters is added. e.g. 
init = /bin/bash/ E7) Application breakout - ✔P️assword Guessing. Writable system files. Vulnerable Services. Credentials in scripts or text files. Missing OS or application patch E8) What is Microsoft Exchange - ✔M️icrosoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. In layman's terms, it's a piece of software that runs on a server and manages all your emails. Incoming, outgoing, saved, drafts, calendars-everything is done through Microsoft Exchange and stored on the server. E8) Outlook and Microsoft Exchange - ✔E️xchange is the software that provides the back end to an integrated system for email, calendaring, messaging, and tasks. Outlook is an application installed on your computer to communicate with it. Outlook is the client used to provide access to POP3/IMAP, calendar, contacts. Protocol used is MAPI/RPC (exchange RPC). Very messy to lockdown. Messaging Application Programming Interface (MAPI). Outlook Web Access (OWA) is the web interface. CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS F2) Linux common post-exploitation activities - ✔e️xfiltrate password hashes. crack password hashes. check patch levels. derive list of missing security patches.reversion to previous state F2) Solaris Vulns (4) - ✔1️) Calendar Management Service Daemon (CMSD) is run on port 32779. rpc.cmsd is owned by bin BUT run as root. CMSD Buffer Overflow Vulnerability, CA-1999- 08.html, CVE-1999-0696. Solaris 8 and earlier are vulnerable. CMSD Buffer Overflow Vulnerability, CVE-2010-3509. Solaris 10 and earlier are vulnerable. 2) Telnet ttyprompt vulnerability causes privilege escalation, CA-2001-34.html, CVE- 2001-0797. Solaris 8 and earlier are vulnerable. 3) Kodak Color Management Server (KCMS) Vulnerability permits any file to be read as root, CVE-2003-0027. Solaris 9 and earlier are vulnerable. 
4) sadmind root command execution vulnerability affects Solaris 9 and earlier, CVE-2003-0722. sadmindadm build path() Buffer Overflow affects Solaris 9 and earlier, CVE-2008-4556. METASPLOIT CAN BE USED FOR THESE F2) Linux vulns - ✔1️. General lack of patch management for the OS. 2. Outdated third-party applications. 3. Lack of password enforcement 4. General lack of system hardening 5. Lack of backups F2) Unix Post exploitation (Password and shadow) - ✔S️hadow file is /etc/shadow in Linux/Solaris. Shadow file is /etc/master.passwd in BSD. F2) Unix Post Exploitation (Password Cracking) - ✔J️ohn the Ripper, John merges password and shadow file but is CPU-intensive. John has 3 different modes.1. Single-crack mode, which is based on username/gcos. 2. Word-list, which uses a permutated dictionary attack and additional numbers. 3. Incremental, which uses a brute-force attack. Can tune each of these modes. If you get a number of passwords, could apply password policy. F2) Unix Package and Patch Management - ✔P️ackage is an installed software. Patch is a security update/bugfix. Different distributions have different programs to update. Redhat (fedora, redhatentrprise, centos...), debian (debian, ubuntu), solaris. Redhat and Debian do not have separate command for patches. Tarball is source code to compile. Debian backports the version, so may look like a vulnerable version. F2) Patch management programs Unix - ✔R️edhat uses redhat package management (RPM). "rpm -qa" # q=query; a=all. Debian uses dpkg. "dpkg -l". Solaris uses pkginfo, showrev, patchadd. "pkginfo" ."showrev -a". "showrev -p" # shows installed patches. "patchadd -p" # requires root, very slow F3) FTP Active vs Passive Mode - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔T️here are 2 modes. Active mode and Passive mode. Passive Mode is newer. FTP clients have active mode on by default. (Command Line). Web broswer uses passive mode. 
Active Mode = Client tells server what port data will be sent from, can cancel transfer. Passive = Server tells client what port to use. Remember, TCP 21 is control channel, TCP 20 is the data channel. F3) Issues with FTP - ✔E️verything passed in the clear including username/password. Anonymous FTP used for public FTP sites. Write access can allow storage of rubbish files. USER: ftp, anonymous. PASSWORD: , (e.g. x@y> F3) FTP Bounce attack - ✔T️his is only on passive mode where the client tells the server what to do. You initiate a connection with the FTP server but instead of putting your own IP for the server to connect to you put a 3rd machines IP and the FTP server will make a connection to that machine. You will then effectively have FTP access to that machine and can 'ls' or send files. F4) Sendmail? - ✔S️endmail is a Message Transfer Agent (MTA). F4) What is MTA? - ✔A️ mail server can have many names: mail relay, mail router, Internet mailer. But the most common alias is an MTA. This may refer to a mail transfer agent, a message transfer agent, or a mail transport agent. No matter which name you use, MTAs play an essential role in the Internet message handling system. They transfer electronic mail messages between users. In this article, we'll explore how MTAs work, what effect they have on email deliverability, and many other related questions. F4) Open mail relay? - ✔O️pen mail relay is a SMTP server configured such that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. F4) POP-3 - ✔1️. POP3 listens on TCP port 110 and TCP port 995 (SSL/TLS). It provides email services F4) IMAP - ✔I️MAP services run on TCP port 143. It is much the same as POP3; user authenticates with plaintext network service and then manage and collect email F5) What is NFS? - ✔N️FS (Network File System) is used for diskless workstation solution to a network server. Many versions from 1984 - 2000. 
It allows file sharing between multiple servers. Very easy to use, servers already have a kernel and so can mount stuff CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS easily in most cases. Servers controls what can be exported and to who. NFS supports up to 10-20 clients. Tool: showmount. Option 'e' shows exports. F5) Root squashing, nosuid and noexec - ✔r️oot squashing is when you upload someting to an NFS mount as root and instead of it being uploaded and owned by 'root', as would be expected, it uploads it as 'nobody' which means it has reduced privileges. nosuid, Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program. noexec, Prevents execution of binaries on mounted file systems. F6) What are R* services - ✔R️efer to a class of remote tools in UNIX systems. The most popular are "rsh" for a remote shell, "rlogin" for a remote login, and "rexec" for remote execution. Propreitary protocols used in BSD/Unix. rlogin (TCP/513) is used for remote login (similar to telnet). rsh (TCP/514) is used for remote command execution. Authentication based on source IP address. rlogin and rsh are cleartext protocols. rwho, rusers, rstatd, rexec. F6) what is rhosts? - ✔T️he .rhosts file is the user equivalent of the /etc/hosts. equiv file. It contains a list of host-user combinations, rather than hosts in general. If a host-user combination is listed in this file, the specified user is granted permission to log in remotely from the specified host without having to supply a password. Entries have one or two variables. "host" allows specified host with same user. "host user" allows specified host and user. "+" character is wildcard. F6) rhosts/hosts.equiv files - ✔I️f hackers can capture a user ID and password by using a network analyzer or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. 
That's why it's critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information. The $home/.rhosts files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. The /etc/hosts.equiv file won't give away root access information, but it does specify which accounts on the system can access services on the local host. For example, if tribe were listed in this file, all users on the tribe system would be allowed access. As with the .rhosts file, external hackers can read this file and then spoof their IP address and hostname to gain unauthorized access to the local system. Hackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to attack. F6) Securing rcommands - ✔B️adly configured trusts allow attacker access. "+ +" allows any host and any user to connect. VERY BAD. Trust host concept is obsolete. R services should not be used in a modern environment. F6) rwho - CPSA FINAL Exam 460 Questions and Answers Graded A+ PASS ✔0️.9 is depreciated. (1991). 1.0 still supported. (1996). 1.1 (RFC-2016) is most common. (1997-1999) G1) Attributes of GET request? (4) - ✔1️) GET method encodes submission in URL e.g. http://host/script? var1=value1&var2=value2. 2) Above URL can be logged by proxy and stored in local browser cache. 3) GET method NOT SUITABLE for sensitive data. 4) GET is a safe method. It is read-only and used for retrieval. G1) Cookie Flag Attributes - ✔"️Domain" in cookies determine which web servers, the client will return information from. e.g. .microsoft.com applies to any website subdomain in this domain. However cannot set to suffixes only such as .com, .co.uk 2) "Path" is optional and determines under which particular resource tree, the cookie has access to. 3) "Secure" is optional and returns a cookie if over SSL only. 
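An added example, not from the original notes, showing how the Domain, Path and Secure attributes in the card above are checked in practice: it parses the Set-Cookie headers of a constructed server response and flags a cookie sent over TLS without the Secure flag or scoped to a public suffix such as .co.uk. The response headers and the public-suffix list are constructed stand-ins, not captured data.

```python
"""Audit Set-Cookie headers for Domain/Path/Secure weaknesses.

Added example, not from the original notes. The response headers and the
public-suffix list below are constructed for illustration.
"""
from typing import Dict, List

# Constructed, deliberately tiny stand-in for the public suffix list
# (https://publicsuffix.org/). A real audit would load the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "org.uk"}


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into name/value plus lowercased attributes.

    Flag attributes such as Secure carry an empty string, so the check is
    simply `"secure" in cookie`.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie


def is_public_suffix(domain: str) -> bool:
    """True when a Domain attribute names only a public suffix (e.g. .co.uk)."""
    return domain.lstrip(".").lower() in PUBLIC_SUFFIXES


def audit_cookie(cookie: Dict[str, str], over_tls: bool) -> List[str]:
    """Return findings for one parsed cookie."""
    name = cookie["name"]
    findings = []
    if over_tls and "secure" not in cookie:
        findings.append(f"{name}: set over TLS without the Secure flag; "
                        "it will also be sent over plain HTTP")
    domain = cookie.get("domain")
    if domain:
        if is_public_suffix(domain):
            findings.append(f"{name}: Domain={domain} is a public suffix; "
                            "browsers reject it")
        else:
            # Any explicit Domain (with or without a leading dot) is sent
            # to every host under that domain, not just the issuing server.
            findings.append(f"{name}: Domain={domain} is shared with every "
                            f"host under {domain.lstrip('.')}")
    return findings


def audit_response(header_lines: List[str], over_tls: bool = True) -> List[str]:
    """Audit every Set-Cookie header in a list of raw response header lines."""
    findings = []
    for line in header_lines:
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            findings.extend(audit_cookie(parse_set_cookie(value), over_tls))
    return findings


# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=AB12CD34; Path=/app; Secure",
    "Set-Cookie: prefs=dark; Domain=.example.com; Path=/",
    "Set-Cookie: tracker=1; Domain=.co.uk; Path=/",
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample, the JSESSIONID cookie produces no findings (Secure set, no Domain, Path limited to /app), while the two cookies that omit Secure and widen their Domain produce two findings each.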
G1) Entity Tags - ✔An Entity Tag (ETag) is a response header identifying the current version of a resource; the client sends it back (If-None-Match) so the server can tell whether the content has changed. If the ETags match, the server answers 304 Not Modified and the body is not downloaded again. ETags are used in browser caching.

G1) Purpose of proxies? (5) - ✔1) Allows access to websites the client cannot reach directly, e.g. a client with no DNS access. 2) Caches responses from the server for later reuse. 3) Filters using whitelists/blacklists. 4) Enforces authentication so that random users cannot hop through the proxy. 5) A transparent proxy intercepts and filters traffic without client configuration, typically at an ISP; an anonymizing proxy hides the user's IP address.

G1) Caching: why, techniques and limitations - ✔Why? Stores copies of web documents, reducing bandwidth use, response time and server load (e.g. cached patches and Unix distribution files). Techniques: 1. Client cache: every browser has a private cache on disk or in memory. 2. Proxy cache: an outbound proxy shared by a related group of users. 3. Reverse proxy cache: an inbound proxy in front of the web server, also called a web accelerator. Limitations: only static content (html, jpg, gif) can be cached; dynamic output (CGI, script pages) cannot; HTTPS cannot be cached by an intermediary because it cannot read the encrypted body. Caches can retain sensitive data, so caching of such responses should be disabled via the Pragma and Cache-Control headers.

G1) Reason for Host header? - ✔e.g. "Host: www.yahoo.com" or "Host: www.yahoo.co.uk". A web server hosts many virtual hosts on one IP address, so the destination IP alone does not identify which site the request is for.

G1) Content-Length Header - ✔Indicates the length of the request or response body. Interesting if two Content-Length headers are sent, e.g. "Content-Length: 12" and "Content-Length: 24": some servers honour the first, others the second, so a front-end and a back-end can disagree about where one request ends and the next begins. An attacker can exploit this with HTTP Request Smuggling.

G1) HTTP TRACE method? - ✔TRACE asks the server to echo back the received request so a client can see what changes or additions intermediate servers have made; it is used for debugging. Cross-Site Tracing (XST) abuses TRACE: a page carrying malicious script can trace a request to the site and read the echoed headers, including cookies and authorisation headers that the script could not otherwise read. Recommendation: disable the TRACE method.

G2) Apache Web Server Characteristics - ✔Open-source web server, most often used on Linux/Unix; Windows is supported. Two major versions: 1.x and 2.x (current).

G2) Chunked Encoding Vulnerability - ✔Buffer overflow in Apache: a chunk-encoded HTTP request with a crafted chunk size caused Apache to use an incorrect buffer size.

G2) Double Decode Vuln - ✔IIS vulnerability that bypasses path-traversal controls. IIS checked the URL for ".." after one round of URL decoding and then decoded it a second time. %2F decodes to "/", so %252F decodes to %2F on the first pass (passing the check) and to "/" on the second, after the check. Same impact as the Unicode bug: directory traversal leading to arbitrary command execution, e.g. http://sitename/script/..%252F..%252F/winnt/system32

G2) Unicode Vulnerabilities - ✔Making IIS decode overlong UTF-8 encodings of "/" and "\" (e.g. %c0%af) that its path-traversal check did not recognise, so ".." sequences escaped the web root and gave directory traversal.

G2) mod_userdir Info Disclosure - ✔Apache mod_userdir information disclosure (CVE-2001-1013): requests to http://site/~user return a different response for existing and non-existent users, allowing user enumeration.

G2) Win32 Batch file remote command execution - ✔Apache for Win32 (CVE-2002-0061) does not filter the pipe character when passing parameters to .bat/.cmd scripts; "|" lets an attacker chain a second command. Affected the Windows build only, not the Linux version.

G2) Other web servers to know besides Apache and IIS? - ✔IBM WebSphere: the main component is WAS (WebSphere Application Server); it uses open standards: Java, XML, web services. Sun web server lineage: Netscape Enterprise Server (bought by Sun, 2000), renamed iPlanet (2000-2002), Sun ONE (2002-2003), Sun Java System Web Server (2003-2011), Oracle iPlanet Web Server (2011-current).

G3) What is the 3-tier architecture? - ✔A scalable, standard architecture for web services. 1. Presentation tier: the web server. 2. Application tier: the logic (the programs that run). 3. Data tier: the database.

G4) What is SOAP? - ✔Simple Object Access Protocol: essentially a standard RPC call carried across the Internet. SOAP uses XML and couples data and structure in a flat message; structures are flexible. SOAP runs over HTTP, HTTPS, SMTP (any TCP/IP transport) and is firewall-friendly because it rides on already-open ports. It adopts HTTP's stateless model.

G4) XML message format? - ✔A SOAP message contains an Envelope, Header, Body and Fault. The Envelope declares that a SOAP message follows. The Header carries application-specific information. The Body is the data itself. The Fault is optional and carries error information.

G4) WSDL? - ✔Web Services Description Language: an XML document describing a web service: its location (usually host/IP address and port), its operations (available functions), and its message structures and types.

G4) UDDI? - ✔Universal Description, Discovery and Integration: an XML-based registry that acts as a directory or yellow pages for WSDL documents (used by SAP, Oracle, Microsoft).

G4) HTTP HEAD, PUT, TRACE and CONNECT definitions - ✔HEAD retrieves the response headers only. PUT requests that the enclosed entity be stored under the supplied URL. TRACE echoes back the received request so that a client can see what (if any) changes or additions intermediate servers have made. CONNECT converts the request connection into a transparent TCP/IP tunnel (used for HTTPS through proxies).

G4) HTTP 100 Response codes - ✔Informational: 100 Continue; 101 Switching Protocols; 102 Processing.

G4) HTTP 200 Response codes - ✔Successful: 200 OK; 201 Created; 202 Accepted; 203 Non-Authoritative Information; 204 No Content; 205 Reset Content; 206 Partial Content; 207 Multi-Status; 208 Already Reported.

G4) HTTP 300 Response codes - ✔Redirection: 300 Multiple Choices; 301 Moved Permanently; 302 Found (Moved Temporarily in HTTP/1.0); 303 See Other; 304 Not Modified; 305 Use Proxy; 307 Temporary Redirect.

G4) HTTP 400 Response codes - ✔Client error: 400 Bad Request; 401 Unauthorized; 402 Payment Required; 403 Forbidden; 404 Not Found; 405 Method Not Allowed; 406 Not Acceptable; 407 Proxy Authentication Required; 408 Request Timeout; 409 Conflict; 410 Gone; 411 Length Required; 412 Precondition Failed.

G4) HTTP 500 Response codes - ✔Server error: 500 Internal Server Error; 501 Not Implemented; 502 Bad Gateway; 503 Service Unavailable; 504 Gateway Timeout; 505 HTTP Version Not Supported.

G8) .NET Framework? - ✔Microsoft's software framework: a large class library plus support for several programming languages. Programs written for the .NET Framework execute in the Common Language Runtime (CLR), an application virtual machine that provides services such as security, memory management and exception handling. The class library and the CLR together constitute the .NET Framework.

G8) ISAPI? - ✔Internet Server Application Programming Interface: lets developers extend IIS with DLLs written in C or C++, which can introduce buffer overflows if extra care is not taken. Used heavily in IIS 4 and 5. Two types: (i) filters, which see every request and response; (ii) extensions, which are complete applications that generate responses on the fly. For IIS 4 and 5, recommend disabling any ISAPI extension that is not needed.

G8) ISAPI Vulns? - ✔1) ISAPI IDA and IDQ data leakage (IIS 4.0): requests for http://sitename/x.idq or http://sitename/x.ida return an error revealing the local path, e.g. that it cannot find C:\inetpub\x.idq. 2) ISAPI IDQ buffer overflow (CVE-2001-0500): a long argument to .ida/.idq files overflows the indexing service extension and gives remote code execution as SYSTEM; exploited by the Code Red worm. The biggest historical IIS issue.

G8) What are Apache modules? - ✔Apache ships with basic functionality; modules add, remove or change features. They are pieces of software loaded into the web server to provide a particular function. To list the compiled-in modules run httpd -l.

G8) General purpose Apache modules - ✔mod_deflate, mod_gzip, mod_proxy, mod_rewrite.

G8) Security Apache modules - ✔mod_security, mod_ssl.

G8) Apache module vulns - ✔mod_userdir allows user enumeration (CVE-2001-1013). mod_jk versions <= 1.2.20 have a buffer overflow (CVE-2007-0774), Win32 build only.

G9) WebDAV? - ✔Web-based Distributed Authoring and Versioning: HTTP extensions (RFC 2518) that allow creating, modifying and deleting documents and web content over HTTP. First seen in 1996. "Web Folders" in Windows 98/NT/2000 used WebDAV. Rarely used nowadays; legacy. Where it is still enabled, check whether PUT and MOVE are permitted against the web root.

G9) Java - ✔Java is a programming language developed by Sun Microsystems, now owned by Oracle. It is portable: source is compiled to bytecode that runs on a Java Virtual Machine. In web browsers the code is an applet (the browser contains a JVM); on web servers it is a servlet. In the browser, untrusted code runs in a sandbox for security, which is better than ActiveX. Automatic array bounds checking removes classic buffer overflows. Pure Java applications tend to be more secure than PHP. JSP (JavaServer Pages) are pages compiled into servlets.

G9) ActiveX - ✔Microsoft framework for defining reusable software components in a programming-language-independent way. Internet Explorer allows ActiveX controls to be embedded in web pages, where they run as native code with the user's privileges rather than in a sandbox. ActiveX does not work on all Internet platforms.
HX) Types of information available in web page source that may prove useful - ✔Hidden form fields. Database connection strings. Credentials. Developer comments. Other included files. Authenticated-only URLs. Client-side scripts.

HX) Web app recon techniques - ✔HTML source review (use wget -r -m -nv to mirror the site locally, then grep for script, @, TYPE=HIDDEN and comments). Analysis of server-side file extensions (they reveal the server platform). Session ID fingerprinting (reveals the back-end technology). Active back-end database assessment. Tools such as Nikto/Wikto.

HX) File Extensions to Web Server Tech? - ✔ASP = IIS; ASPX/ASMX = IIS 5.0 or later with the .NET Framework; CFM = ColdFusion; DO = IBM WebSphere; JSP = Java Server Pages (likely Unix); PHP = generic, probably Apache; PL/PHTML = generic, probably Unix.

HX) Session ID to Web Server Tech - ✔ASPSESSIONID = IIS with classic ASP. ASP.NET_SessionId = IIS with .NET Framework ASP scripting. CFID/CFTOKEN = Adobe ColdFusion. JROUTE = Sun Java System Application Server. JSESSIONID = various JSP engines, including Apache Tomcat, IBM WebSphere Application Server and Caucho Resin; the format of the session ID value itself can fingerprint the exact engine. PHPSESSID = PHP.

HX) Enumerating back-end database techniques? - ✔Pass erroneous data in application parameters to provoke database error messages that reveal the back-end database technology (driver names, syntax error text). Basically SQL injection probing, followed by extracting the version string.

HX) Request smuggling? - ✔Sending one HTTP message that the front-end and back-end parse as a different number of requests (e.g. via conflicting Content-Length or Transfer-Encoding headers), so that requests hidden inside the first one reach the back-end without passing the filtering applied to the first.

HX) Web app auth issues - ✔Default or guessable user accounts. HTTP form brute-force. Session management weaknesses: weak session ID generation through obfuscation of known variables such as the username, or lack of a salt when hashing; session fixation, where a new session ID is not reissued upon login; insufficient timeout and expiration mechanisms, leading to brute-force and replay attacks.

HX) Types of command injection? - ✔OS, SQL, LDAP and XML.

HX) LDAP Injection? - ✔An attacker modifies a string that they know will be processed by a back-end LDAP server to form an LDAP filter. Just as SQL metacharacters let attackers execute arbitrary SQL statements server-side, the LDAP filter metacharacters ( ) | & * let them modify or create LDAP statements.

HX) LDAP injection vulns? - ✔Web applications using back-end LDAP servers can be exploited in three main ways: bypassing LDAP-based authentication (try adding pipes and wildcards to the uid); reading data from the directory (try appending )(|(cn=*), )(|(objectclass=*), )(|(homedirectory=*)); modifying data within the directory.

HX) Web app security checklist (7) - ✔1. Keep the platform updated. 2. Validate input. 3. Use secure, random session IDs. 4. Disable associated components such as mod_jk and PHP if you are not using them. 5. Remove default files. 6. Do not expose debugging information. 7. Apply the rule of least access.

HX) Encryption vs Encoding? - ✔Encoding is an algorithm that changes data from one representation to another and is reversible without a key; its purpose is to let another system consume the data safely (think binary in a text protocol), not secrecy. Encryption aims to keep data secret and requires a key to recover the plaintext.

HX) Recognise Encoded Value (Base64, UTF-8)? - ✔A file beginning with the bytes 0xEF 0xBB 0xBF (a byte-order mark) is probably UTF-8 encoded. Base64: the length of a Base64 string is always a multiple of 4; only the characters A-Z, a-z, 0-9, "+" and "/" are used by the encoding, and the end may be padded with up to two "=" characters. Example: dGVzdGVlZmVlZg== (decodes to "testeefeef").

HX) Encryption for data in transit vs at rest? - ✔Data is exposed to risk both in transit and at rest and needs protection in both states, so there are different approaches for each. Encryption plays the major role in both. For data in transit, encrypt sensitive data before moving it and/or use encrypted connections (HTTPS, SSL/TLS, FTPS, etc.). For data at rest, encrypt sensitive files before storing them and/or encrypt the storage volume itself. Google uses the Advanced Encryption Standard (AES) to encrypt data at rest: all data at the storage level is encrypted with AES-256 by default, except a small number of Persistent Disks created before 2015 that use AES-128. AES is

J1) What is MSDE? - ✔MSDE (Microsoft SQL Server Desktop Engine, based on SQL Server 2000) is a cut-down version of SQL Server bundled with other software products. It installed with no configuration step and the sa password was blank by default. Obsolete, replaced by SQL Server Express.

J2) RDBMS? - ✔Relational Database Management System; Oracle Database is the RDBMS covered here.

J2) TNS Listener - ✔The TNS Listener runs on tcp/1521 and routes client connections to database instances. Older versions accept listener commands without a password, leaking the version and configuration. Tools: tnscmd; Metasploit auxiliary/scanner/oracle/tnslsnr_version and auxiliary/scanner/oracle/sid_enum.

J2) Oracle Default Accounts - ✔1) SYS:CHANGE_ON_INSTALL. 2) SYSTEM:MANAGER. 3) DBSNMP:DBSNMP. 4) SYSADM:SYSADM. 5) SCOTT:TIGER. 6) OUTLN:OUTLN. 7) MDSYS:MDSYS.

J2) Oracle Queries (10) - ✔1) SELECT * FROM v$version; (version). 2) SELECT * FROM product_component_version; (version). 3) SELECT username, password FROM dba_users; (users and DES hashes; the password column is empty from 11g). 4) SELECT name, password FROM SYS.USER$ WHERE password IS NOT NULL; (DES hashes, up to 10g) and SELECT name, spare4 FROM SYS.USER$ WHERE spare4 IS NOT NULL; (SHA-1 hashes, 11g onwards). 5) SELECT * FROM all_users; 6) SELECT * FROM v$database; 7) SELECT * FROM v$instance; 8) SELECT owner, table_name FROM all_tables; 9) SELECT owner, table_name FROM dba_tables; 10) SELECT table_name FROM user_tables;

J2) Where are passwords stored in Oracle? - ✔Hashes are stored in the table SYS.USER$, exposed through the DBA_USERS view: SELECT username, password, account_status FROM dba_users; Try the DBSNMP account first, as it is likely to be present with its default password.

J2) Oracle database instances - ✔Oracle identifies database instances by SID. Different groups of users have different access rights to different instances, giving good user/database segregation; a client must name a valid SID to connect.

J2) Tools - ✔Oracle SQL Developer. Oscanner. SQL Tools. tnscmd.

J3) MySQL - ✔Most installations are on Unix/Linux; there is a Windows version. By default it listens on TCP/3306.

J3) MySQL accounts - ✔The default account is 'root' with no password. In current versions root can connect only from localhost, even though root with a blank password is still the default.

J3) % in SQL - ✔% is the SQL LIKE wildcard (any sequence of characters); in MySQL's grant tables a host of '%' means any host.

J3) MySQL tools - ✔MySQL client. To find the version of the client installed locally: mysql --help or mysql -?. To find the version of the server installed locally: mysqld --version.

J3) MySQL useful queries - ✔In MySQL there is no need to type "go", but every query must end with a semicolon. Against a remote server through the client: select version(); select user(); show databases; show tables from <database>; select host, user, password from mysql.user; The last query shows only the hashes, not the plaintext passwords; a password hash cracker is required.

J3) PostgreSQL - ✔Another open-source database, on TCP/5432 (UDP/5432). An object-relational database management system (ORDBMS). PostgreSQL has always supported transactional integrity, whereas MySQL's older default storage engine (MyISAM) did not; PostgreSQL supports views, stored procedures, triggers, etc.

J3) ODBC - ✔A software API for database access: an independent layer between application and database. Main advantage: the application is independent of the database server, the operating system (Windows, Linux, Mac) and the programming language (Ruby, VB, PHP, etc.). The Java equivalent is JDBC.

J3) DB2 - ✔IBM WebSphere deployments are likely to use DB2. It may use TCP/523, UDP/523, TCP/6789, TCP/6790.

J3) Teradata - ✔Teradata RDBMS is a massively parallel processing system, ideal for huge data warehouses (e.g. billing data, supplier data and combinations). It uses TCP/8002 (UDP/8002).

J3) SQLi tools - ✔SQLMap. SQLNinj
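An added example, not from the original notes, for the HX LDAP injection cards above: a login filter built by concatenating raw input beside one that escapes the filter metacharacters per RFC 4515 (backslash, asterisk, parentheses, NUL), plus a small assertion counter and parenthesis check so the structural effect of an injected value is visible without a directory server. The filter shape and the inputs are constructed.

```python
"""LDAP filter injection: vulnerable vs escaped filter construction.

Added example, not from the original notes. The filters and inputs are
constructed; no LDAP server is contacted.
"""
import re
from typing import List, Tuple

# RFC 4515 filter escaping: these characters must be hex-escaped inside an
# assertion value so that they cannot change the structure of the filter.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(username: str) -> str:
    """Concatenate raw input: metacharacters are interpreted as filter syntax."""
    return f"(&(uid={username})(objectClass=person))"


def hardened_login_filter(username: str) -> str:
    """Escape the value first, so the filter always keeps the intended shape."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def assertions(ldap_filter: str) -> List[Tuple[str, str]]:
    """List the (attribute, value) assertions present in a filter string.

    Escaped parentheses (\\28, \\29) are ordinary characters, so a correctly
    escaped filter yields exactly the assertions the developer wrote.
    """
    return _ASSERTION.findall(ldap_filter)


def balanced(ldap_filter: str) -> bool:
    """Cheap syntax check: parentheses must balance for a filter to parse."""
    depth = 0
    for ch in ldap_filter:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


# Constructed inputs: a normal username and a classic auth-bypass payload.
NORMAL_USER = "alice"
BYPASS_PAYLOAD = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_login_filter),
                         ("hardened", hardened_login_filter)):
        f = build(BYPASS_PAYLOAD)
        print(f"{label}: {f}")
        print(f"  assertions={len(assertions(f))} balanced={balanced(f)}")
```

With the bypass payload the vulnerable filter grows from two assertions to four and its first top-level term matches every entry, which is how the login check is defeated; the hardened filter still contains exactly the two assertions the developer wrote, with the payload reduced to a literal uid value.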
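An added example, not from the original notes, for the J3 MySQL queries card above: the "select host, user, password from mysql.user" query returns hashes in one of two formats, the pre-4.1 16-hex-digit hash or the 4.1+ form "*" followed by 40 hex digits, which is the uppercase hex of SHA1(SHA1(password)). This code classifies each row, flags root reachable from any host ('%') and empty passwords, and runs a small wordlist against the 4.1+ hashes, which is the cracking step the card says is needed. The rows and the wordlist are constructed.

```python
"""Recognise and dictionary-check MySQL password hashes from mysql.user.

Added example, not from the original notes. The rows and the wordlist are
constructed; the hashing scheme (SHA1(SHA1(pw)) for MySQL 4.1+) is real.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

OLD_HASH = re.compile(r"^[0-9a-fA-F]{16}$")      # pre-4.1 PASSWORD()
NEW_HASH = re.compile(r"^\*[0-9A-Fa-f]{40}$")     # 4.1+ PASSWORD()


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(hash_value: str) -> str:
    """Name the hash format so the right cracking mode can be chosen."""
    if hash_value == "":
        return "empty (no password)"
    if NEW_HASH.match(hash_value):
        return "mysql-sha1 (4.1+)"
    if OLD_HASH.match(hash_value):
        return "mysql-old (pre-4.1)"
    return "unknown"


def crack_row(hash_value: str, wordlist: List[str]) -> Optional[str]:
    """Return the wordlist entry matching a 4.1+ hash, or None."""
    if not NEW_HASH.match(hash_value):
        return None
    target = hash_value.upper()
    for candidate in wordlist:
        if mysql41_hash(candidate) == target:
            return candidate
    return None


def audit_users(rows: List[Tuple[str, str, str]],
                wordlist: List[str]) -> Dict[str, str]:
    """Summarise each (host, user, password) row from mysql.user.

    Flags root accessible from any host ('%'), empty passwords, and hashes
    that fall to the wordlist.
    """
    report = {}
    for host, user, hash_value in rows:
        notes = [classify(hash_value)]
        cracked = crack_row(hash_value, wordlist)
        if cracked is not None:
            notes.append(f"cracked: {cracked}")
        if user == "root" and host == "%":
            notes.append("root reachable from any host")
        report[f"{user}@{host}"] = "; ".join(notes)
    return report


# Constructed sample rows as returned by
# "select host, user, password from mysql.user;" (not real data).
SAMPLE_ROWS = [
    ("localhost", "root", ""),
    ("%", "root", mysql41_hash("root123")),
    ("10.0.0.%", "app", mysql41_hash("Sup3r!Secret")),
    ("localhost", "legacy", "0123456789abcdef"),
]
SAMPLE_WORDLIST = ["password", "root123", "admin"]

if __name__ == "__main__":
    for account, verdict in audit_users(SAMPLE_ROWS, SAMPLE_WORDLIST).items():
        print(f"{account}: {verdict}")
```

The pre-4.1 hash is only classified here, since that scheme is a different algorithm; in practice both formats would be handed to John or hashcat, and a mixed table is itself a finding because the old format is far weaker.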