Chapter 6 - Web-Based Hacking: Servers & Apps Flashcards
IETF
Internet Engineering Task Force - Creates engineering documents to help make the internet work better
W3C
World Wide Web Consortium - A standards-developing community
OWASP
Open Web Application Security Project - Organization focused on improving the security of software.
Web Server attack Methodology
Information Gathering (Whois), Footprinting (banner grab), Website mirroring, Vulnerability Scanning, Session Hijacking, Password Cracking
Banner Grab
Method for web server footprinting
Netcraft
Web server footprinting tool
HTTPRecon
Web server footprinting tool
ID Serve
Web server footprinting tool
nmap
Powerful footprinting tool
nmap -script http-trace -p80 localhost
Detects vulnerable TRACE method
nmap -script http-google-email
Lists email addresses
nmap -script hostmap-*
Discovers virtual hosts on the IP address you are trying to footprint; * is replaced by online database
nmap -script http-enum -p80
enumerates common web apps
nmap -p80 -script http-robots.txt
Grabs the robots.txt file
Nikto
Vulnerability scanner specifically suited for web servers
Wget
Website mirroring tool
Black Widow
Website mirroring tool
HTTrack
Website mirroring tool
WebCopier Pro
Website mirroring tool
Web Ripper
Website mirroring tool
SurfOffline
Website mirroring tool
HTTPrint
Website mirroring tool
What is N-Tier Architecture?
Distributes processes across multiple servers; normally as three tier: Presentation (web), logic (application), and data (database)
What is WebGoat
Project maintained by OWASP which is an insecure web app meant to be tested.
Http request: GET
retrieves whatever information is in the URL; sending data is done in URL
Http Request: HEAD
Identical to GET except that no body is returned
Http Request: POST
Sends data via body - data not shown in URL or in history
Http Request: PUT
Requests data be stored at the URL
Http Request: DELETE
Requests origin server delete resource
Http Request: TRACE
Requests application layer loopback of message
Http Request: CONNECT
Reserved for use with proxy (Post and Get can be manipulated by proxy)
HTTP Error: 1xx
Informational - request received, continuing
HTTP Error: 2xx
Success - Action received, understood and accepted
HTTP Error: 3xx
Redirection - Further action must be taken
HTTP Error 4xx
Client Error - Request contains bad syntax or cannot be fulfilled
HTTP Error 5xx
Server Error - server failed to fulfill an apparently valid request
Web Server Attack: DNS Amplification
Uses recursive DNS to DoS a target; Amplifies DNS answers to target until it can’t do anything.
Web Server Attack: Directory Traversal
Requests a file that should not be accessible from the web server. Example: http://www.example.com/etc/passwd
Web Server Attack: Parameter Tampering (URL Tampering)
Manipulating parameters within URL to achieve escalation or other changes.
Web Server Attack: Hidden Field Tampering
Modifying hidden form fields, producing unintended results (Example: look at the source code and change the price of an item to $0.00)
Web Server Attack: Web Cache Poisoning
Replacing the cache on a box with a malicious version of it
Web Server Attack: Misconfiguration Attack
Same as before - improper configuration of a web server
Web Server Attack: Password Attack
Attempting to crack passwords related to web resources
Web Server Attack: Connection String Parameter Pollution
Injection attack that uses semicolons to take advantage of databases that use this separation method.
Web Server Attack: Web Defacement
Simply modifying a web page to say something else
Brutus
Tool for attacking web server. Brute force passwords of HTTP
Hydra
Network login cracker
WFETCH
Microsoft tool that allows you to craft HTTP requests to see response data (Burp does this too)
Shellshock
Causes Bash to unintentionally execute commands when commands are concatenated on the end of function definitions.
Web App Attacks - Tools for identifying entry points
WebScarab, HTTPPrint, BurpSuite
What is “Web 2.0”
Dynamic web application; have a larger attack surface due to simultaneous communication
Web App Attack: File Injection
Attacker injects a pointer in a web form to an exploit hosted elsewhere
Web App Attack: Command Injection
Attacker gains shell access using Java or similar
Web App Attack: LDAP Injection
Exploits applications that construct LDAP statements. Format is )(&)
Web App Attack: SOAP Injection
Simple Object Access Protocol - Can inject query strings in order to bypass authentication. Uses XML to format info. Compatible with HTTP and SMTP. Messages are typically “one way” in nature.
Buffer Overflow (Smashing the Stack)
Attempts to write data into an application’s buffer area to overwrite adjacent memory, execute code or crash a system
What is a canary?
Used to monitor for buffer overflow attacks. Placed between buffer and control data.
Ways to prevent buffer overflow
Secure coding techniques, Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP)
Cross-Site Scripting (XSS)
Inputting JavaScript into a web form that alters what the page does. Can be passed via URL: www.google.com/. Can access cookies and send to remote host.
Stored XSS (Persistent)
Stores the XSS in a forum or comment field of some sort for multiple people to access.
Cross-Site Request Forgery (CSRF)
Forces an end user to execute unwanted actions on an app they’re already authenticated on. Inherits identity and privileges of victim to perform an undesired function on victim’s behalf. Captures session and sends a request based off logged in user’s credentials.
Session Fixation
Attacker logs into a legitimate site and pulls a session ID; sends link with session ID to victim. Once victim logs in, attacker can now log in and run with user’s credentials.
What does the following expression accomplish: ' OR 1=1 --
Tells the server if 1=1 (always true) to allow login. The double-dash (--) tells the server to ignore the rest of the query (usually the password)
Fuzzing
Inputting random data into a target in order to see what will happen.
Tautology
using always true statements to test SQL
In-band SQL injection
Uses same communication channel to perform attack. Most common, used with UNION statements.
Out-of-Band SQL Injection
Contrary to in-band, this type of SQL injection uses different communication channels for the attack and results. It’s also more difficult to do.
Blind SQL Injection (inferential)
Occurs when attacker knows the database is susceptible to injection, but error messages and screen returns don’t come back to attacker.
SQL Injection Tools
Sqlmap, sqlninja, Havij, SQLBrute, Pangolin, SQLExec, Absinthe, BobCat
HTTP Response Splitting
adds header response data to an input field so server splits the response.
Countermeasure for web app attacks
Input scrubbing for injection, SQL parameterized queries, patching servers, turning off unnecessary services, ports, and protocols.
Modulation type: OFDM
Orthogonal Frequency-Division Multiplexing (OFDM) - carries waves in various channels (think cable tv)
Modulation type: DSSS
Direct-Sequence Spread Spectrum (DSSS) - Combines all available waveforms into a single purpose.
802.11 Series
Defines the standards for wireless networks
DNS Record Type: SRV
Service - this record defines the hostname and port number of servers providing specific services, such as a Directory Services server.
DNS Record Type: SOA
Start of Authority - This record identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
DNS Record Type: PTR
Pointer - This maps an IP address to a hostname (providing for reverse DNS lookups). Usually associated with e-mail server records.
DNS Record Type: NS
Name Server - This record defines the name servers within your namespace. These servers are the ones that respond to your clients’ request for name resolution
DNS Record Type: MX
Mail Exchange - This record identifies your email servers within your domain.
DNS Record Type: CNAME
Canonical Name - This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.
DNS Record Type: A
Address - This record maps an IP address to a hostname and is used most often for DNS lookups.
802.15.1
Bluetooth Standards
802.15.4
Zigbee - Low power, low data rate, close proximity ad-hoc networks
802.16
WiMAX - broadband wireless metropolitan area networks. 40 Mbps
Wireless Standard - 802.11a
Mbps - 54; Frequency - 5 GHz; Modulation Type - OFDM
Wireless Standard - 802.11b
Mbps - 11; Frequency - 2.4 GHz; Modulation Type - DSSS
Wireless Standard - 802.11d
Mbps - Variation of a & b. Frequency - Global Use
Wireless Standard - 802.11e
Mbps - QoS Initiative Frequency - Data and Voice
Wireless Standard - 802.11g
Mbps - 54; Frequency - 2.4 GHz; Modulation Type - OFDM and DSSS
Wireless Standard - 802.11i
Mbps - WPA/WPA2 Encryption
Wireless Standard - 802.11n
Mbps - 100+; Frequency - 2.4 - 5; Modulation Type - OFDM
Wireless Standard - 802.11ac
Mbps - 1000; Frequency - 5 GHz; Modulation Type - QAM
Orthogonal Frequency - Division Multiplexing (OFDM)
Carries waves in various channels
Direct-Sequence Spread Spectrum (DSSS)
Combines all available waveforms into a single purpose.
Basic Service Set Identifier (BSSID)
MAC address of wireless access point.
Three types of Authentication are:
Open System - No authentication; Shared Key Authentication - authentication through shared key (pw); Centralized Authentication - authentication through something like RADIUS
Association vs Authentication
Association is the act of connecting; Authentication is the act of identifying the client.
Spectrum Analyzer
Verifies wireless quality, detects rogue access points and detects attacks
Directional Antenna
Signals in one direction; Yagi antenna is a type
Omnidirectional Antenna
Signals in all directions
WEP
Wired Equivalent Privacy - Encryption: RC4. IV Size: 24 bits. Key Length: 40/104. Integrity Check: CRC-32
WPA
Wi-Fi Protected Access - Encryption: RC4 + TKIP. IV Size: 48 bits. Key Length: 128 bits. Integrity Check: Michael/CRC-32
WPA2
Encryption: AES-CCMP. IV Size: 48 bits. Key Length: 128 bits. Integrity Check: CBC-MAC (CCMP)
WPA2 Enterprise vs WPA2 Personal
Enterprise: Can tie an EAP or RADIUS server into authentication. Personal: Uses a pre-shared key to authenticate.
Message Integrity Code (MIC)
Hashes for CCMP to protect integrity.
Cipher Block Chaining Message Authentication Code (CBC-MAC)
Integrity process of WPA2
WIGLE
Tool for network discovery that can map for wireless networks
NetStumbler
Tool for network discovery
Kismet
Wireless packet analyzer/sniffer that can be used for discovery. Works passively and can detect access points.
NetSurveyor
Tool for Windows that does network discovery
pcap vs libcap
pcap - driver library for Windows; libcap - driver library for Linux
Rogue Access point
Places an access point controlled by an attacker
Evil Twin
Rogue AP with an SSID similar to the name of a popular network
Honeyspot
Faking a well-known hotspot with a rogue AP
Ad Hoc Connection Attack
Connecting directly to another phone via ad-hoc network. User must accept connection
Aircrack-ng
Sniffer, detector, traffic analysis tool and password cracker. Uses Dictionary attacks for WPA and WPA2.
Cain & Abel
Sniffs packets and cracks passwords. Relies on Statistical measures and the PTW technique to break WEP
KisMAC
MacOS tool to brute force WEP or WPA passwords
KRACK
Key Installation Attack (KRACK) - Method for cracking WPA. Replay attack that uses third handshake of another device’s session.
OmniPeek
Provides data like Wireshark in addition to network activity and monitoring.
AirMagnet WiFi Analyzer Pro
Sniffer, traffic analyzer and network-auditing suite
WiFi Pilot
Wireless sniffer