Random Flashcards
C:\>type c:\badfile.exe > c:\readme.txt:badfile.exe
Command to embed for NTFS streaming
start readme.txt:badfile.exe
Command to use hidden ADS file
httpd.conf
Configuration file that sets Apache web server settings
Six stages of web server attack methodology
Information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, password cracking
HTTP status codes: 1XX
Informational: request received, processing continues
HTTP status codes: 2XX
Success: request received, understood and accepted
HTTP status codes: 3XX
Redirection: further action must be taken to complete the request
HTTP status codes: 4XX
Client error: request contains bad syntax or cannot be fulfilled
HTTP status codes: 5XX
Server error: server failed to fulfill an apparently valid request
DNS amplification attack
Manipulating recursive DNS resolvers to DoS a target; a botnet is used to amplify DNS answers directed at the target
CSPP
Connection String Parameter Pollution: an injection attack that takes advantage of web applications that use semicolons (;) to separate parameters in the connection string used to communicate with databases
Web attack tools
Burp Suite, WebScarab, HTTPrint
VPN protocol: authentication only, of the whole packet. Provides data integrity, data origin authentication, and an optional replay protection service. Data integrity is ensured by a message digest generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest. Replay protection is provided by a sequence number field in the header. It authenticates IP headers and their payloads, with the exception of certain header fields that can legitimately change in transit, such as the Time To Live (TTL) field.
AH (Authentication Header)
Protocol that provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). Its authentication mechanism authenticates only the IP datagram portion of the IP packet, not the outer IP header.
ESP Encapsulating Security Payload
Tunnel Mode
ESP tunnel mode encrypts the entire packet, including the original packet headers
Transport Mode
ESP transport mode only encrypts the data, not the original headers; this is commonly used when the sending and receiving system can “speak” IPsec natively.
Promiscuous Policy
This policy does not impose any restrictions on the usage of system resources. For example, with a promiscuous Internet policy, there is no restriction on Internet access: a user may access any website, download any application, and access a computer or a network from a remote location. While this may be helpful in businesses where people who travel or work in branch offices need to access the corporate network, many malware, virus, and Trojan threats are present on the Internet, and because of unrestricted Internet access, this malware can arrive as attachments without the user's knowledge. Network administrators should be very alert when choosing this kind of policy.
Permissive Policy
The policy begins wide open and only the known dangerous services, attacks or behaviors are blocked. For instance, in a permissive Internet policy, the bulk of Internet traffic is accepted, but several known dangerous services and attacks are blocked. Because only known attacks and exploits are blocked, it is impossible for administrators to keep up with current exploits; administrators are perpetually playing catch-up with new attacks and exploits. This policy must be updated often to be effective.
Prudent Policy
A prudent policy starts with all services blocked. The administrator enables safe and necessary services individually. It logs everything, such as system and network activities. It provides maximum security while permitting only known but necessary risks.
Paranoid Policy
A paranoid policy forbids everything. There is a strict restriction on all use of company computers, whether system usage or network usage. There is either no Internet connection or severely restricted Internet usage. Because of these overly severe restrictions, users typically try to find ways around them.
Hyena
Windows enumeration tool with GUI
CRIME attack
Compression Ratio Info-Leak Made Easy (CRIME) is a client-side attack that exploits vulnerabilities in the data compression features of protocols such as SSL/TLS, SPDY, and HTTPS. By obtaining and decrypting the secret session cookies, an attacker can gain access and hijack the session. The information obtained from the decrypted cookie provides the authentication information required to open a new session with the web application.
According to the EC-Council, the typical Internet of Things (IoT) architecture consists of how many layers?
Application Layer: Delivery of various applications to different IoT users
Middleware Layer: Device management and information management
Internet Layer: Connection between the endpoints
Access Gateway Layer: Protocol translation and messaging
Edge Technology Layer: Sensors, devices, machines, intelligent edge nodes of all types.
IoT ecosystem access control
Ecosystem access control governs how the IoT device environment is managed and how devices are given access to the rest of the network. Because the devices interface constantly and mesh together, there is an implicit trust between them which can be attacked. There is also the potential to abuse the enrollment functionality for a new device if it is automated, which is likely for large IoT deployments. Decommissioning a device also presents an attack surface if it is not properly wiped and deprovisioned from the system. Finally, the lost-access procedures cover how a user can regain access to the device, which can potentially be abused by an attacker to obtain access.
Vulnerability Assessment Life-Cycle
Creating baseline, Vulnerability Assessment, Risk Assessment, Remediation, Verification, Monitor
IoT architecture layers
Application Layer: Delivery of various applications to different IoT users
Middleware Layer: Device management and information management
Internet Layer: Connection between the endpoints
Access Gateway Layer: Protocol translation and messaging
Edge Technology Layer: Sensors, devices, machines, intelligent edge nodes of all types.
4 typical IoT Communication Models
Device-to-Device Model: An example would be a light switch being wirelessly connected with a WiFi light bulb
Device-to-Cloud Model: An example could be a temperature sensor connected to an Application Service Provider’s cloud.
Device-to-Gateway Model: An example would be where an IoT device transfers the data to a gateway which may or may not communicate that data with a cloud for additional access
Back-end Data-Sharing Model: An example of this model would be where an IoT light sensor is connected to a readily available Application Service provider #1 who enables other service providers to access and utilize App. Service provider #1’s data.
Product-based vulnerability assessment solutions
Deployed within the network; usually dedicated to the internal network
Service-based vulnerability assessment solutions
Third-party solutions that offer security and auditing. These can be hosted either inside or outside the network, and carry the risk of the solution itself being compromised.
Tree-based Assessment
The approach in which the auditor follows different strategies for each component of an environment
Inference-based Assessment
The approach in which the assessment is driven by the inventory of protocols found in an environment
CVSS severity ratings
None: 0.0; Low: 0.1 - 3.9; Medium: 4.0 - 6.9; High: 7.0 - 8.9; Critical: 9.0 - 10.0
CVSS access/attack vectors
Physical (P): The attacker must have physical access to the vulnerable system (e.g. FireWire attacks).
Local (L): The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either:
the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console) or remotely (e.g., SSH); or
the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Adjacent (A): The attacker must have access to the broadcast or collision domain of the vulnerable system (e.g. ARP spoofing, Bluetooth attacks).
Network (N = 1): The vulnerable interface is working at layer 3 or above of the OSI network stack. These types of vulnerabilities are often described as remotely exploitable (e.g. a remote buffer overflow in a network service).
Impact metrics (CVSS)
Confidentiality, Integrity and Availability are each measured as H = High (0.660), L = Low (0.275), N = None (0.0)
Unicast
Address used to refer to a single host
multicast address
Used to deliver a packet to a group of destinations. Any packet sent to a multicast address is delivered to every host that has joined that particular group
anycast address
Very similar to a multicast address, but packets are delivered to only one host of the group (typically the nearest), instead of the entire group
Broadcast
IP address used to target all systems on a specific subnet instead of a single host. In other words, the broadcast address allows information to be sent to all machines on a given subnet rather than to a specific machine.
Address used to refer to a single host
Unicast
Used to deliver a packet to a group of destinations. Any packet sent to a multicast address is delivered to every host that has joined that particular group
Multicast
Very similar to a multicast address, but packets are delivered to only one host of the group (typically the nearest), instead of the entire group
Anycast
IP address used to target all systems on a specific subnet instead of a single host. In other words, the broadcast address allows information to be sent to all machines on a given subnet rather than to a specific machine.
Broadcast
Ping of death
Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.
POODLE Attack
Stands for “Padding Oracle On Downgraded Legacy Encryption”; a man-in-the-middle exploit that takes advantage of Internet and security software clients’ fallback to SSL 3.0.
DUHK Attack
Don’t Use Hard-coded Keys (DUHK) is a cryptographic vulnerability that enables an attacker to recover the encryption keys used to secure virtual private network (VPN) communications or web sessions. It affects implementations of the ANSI X9.31 Random Number Generator (RNG), a pseudorandom number generator (PRNG).
Chosen ciphertext attack
In a chosen ciphertext attack, the attacker can additionally (a chosen ciphertext attack is usually understood to subsume a chosen plaintext attack) choose some ciphertext and is handed the corresponding plaintext. In other words, the attacker may encrypt and decrypt arbitrary messages.
Chosen plaintext attack
In a chosen plaintext attack, the attacker chooses some plaintext and is handed the corresponding ciphertext. In other words, the attacker may encrypt arbitrary messages.
Known plaintext attack
During known-plaintext attacks, the attacker has access to the ciphertext and its corresponding plaintext. The goal is to recover the secret key (or a number of secret keys) or to develop an algorithm that would allow the attacker to decrypt any further messages.
In a known-plaintext attack, the attacker has access to at least one example of plaintext and its corresponding ciphertext. This means the attacker is able to observe the plaintext prior to encryption and also see the corresponding encryption result.
Bluetooth uses which digital modulation technique
PSK (phase-shift keying)
data-gathering activities associated with a risk assessment
Threat identification, vulnerability identification, control analysis
At what layer of the OSI model does the encryption and decryption of the message take place?
Presentation
Which tool can be used to perform session splicing attacks
Whisker
Cyber kill chain
Step 1 – Reconnaissance
In this stage, attackers are selecting their victim and researching their security vulnerabilities. They may be locating what sensitive data you have, where it’s stored, who has access to it and what the best routes are into the network.
Step 2 – Weaponization
The attackers have finished their research into your organization’s vulnerabilities and have selected their targets. In this step, they are working out how best to get inside the network. This might be through a virus or malware tailored to exploit known vulnerabilities.
Step 3 – Delivery
The attack method is delivered into the target environment. The actual method used may vary but it most commonly comes through malicious email attachments, websites, or USB devices.
Step 4 – Exploitation
In this step, the malicious code has been inserted or the vulnerability has been exploited, and the attackers are setting themselves up to execute on their mission.
Step 5 – Installation
The malware installs an access point that enables the attackers to get access to the target environment.
Step 6 – Command and Control
The attackers now have uninterrupted access to the target environment and can manipulate it at will.
Step 7 – Actions on Objective
The original goals of the attack can now be executed on command. The outcome of this could be anything from data theft to Ransomware. Whatever the objective is, if this step is completed successfully, you have been the victim of a data breach and are likely going to face severe costs to reputation and the bottom line.
Server-side request forgery
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.