Study Deck Flashcards
Human Rights 1998
Act to give effect to the rights and freedoms guaranteed under the European Convention on Human Rights
Data Protection 1998
Act to regulate the processing of information relating to individuals.
Police and Justice Act 2006
Act to establish a national policing improvement agency
Computer Misuse Act 1990
Act to secure computer material against unauthorised access or modification. Criminalises the act of accessing or modifying data stored on a computer system without permission
Well-known ports
0-1023
Registered ports
1024-49,151
Dynamic and private ports
49,152-65,535
ICMP
Internet Control Message Protocol
ICMP type 0
Echo Reply
ICMP type 3 (code 0-3)
Destination Unreachable
Code 0 - Network Unreachable
Code 1 - Host Unreachable
Code 2 - Protocol Unreachable
Code 3 - Port Unreachable
ICMP type 5
Redirect
ICMP type 8
Echo Request
ICMP type 11
Time Exceeded
ICMP type 12
Parameter Problem
Traceroute
Utility that tracks the route that packets take from a network on their way to a host
OSI
Open System Interconnection
OSI Layer 7
Application - Human computer interactions - HTTP, FTP, SMTP, IMAP
OSI Layer 6
Presentation - ensures data is in a usable format and is where data encryption occurs - Proxies, firewalls, encryption, compression and character sets.
OSI Layer 5
Session - Maintains connections and is responsible for controlling ports and sessions - Firewalls
OSI Layer 4
Transport - transmits data using transmission protocols such as TCP and UDP
OSI Layer 3
Network - decides which physical path the data will take
OSI Layer 2
Data Link - defines the format of data on the network - WAN, LAN protocols
OSI Layer 1
Physical - transmits raw bit stream over physical medium
Ingress Filtering
Concept of fire-walling traffic that enters the network from external sources such as the internet
Encryption
Process whereby data is transformed in a way to guarantee confidentiality - requires secret to be used (key)
MD5
Message Digest Algorithm - designed by Ron Rivest and uses a 128-bit key - Vulnerable to rainbow tables
SHA
Secure Hash Algorithm
Hash function designed by NSA
SHA-1 160-bits
SHA-2 256/512 bits block sizes
HMAC
Hash-based Message Authentication Code - MAC is used to authenticate a message and provide integrity and authenticity assurance on messages
Works with other hash functions, e.g. HMAC-SHA1
RSA
Rivest Shamir Adleman - Public key cryptography algorithm.
Slower than symmetric key algorithms but suitable for encryption (keys are much longer)
Uses two distinct prime numbers whose product can't be easily factored
DES
Data Encryption Standard - old type of block cipher used in the 1970s as an encryption standard - 64-bit block cipher using a 54-bit key (Replaced by AES)
Triple DES (3DES)
Triple Data Encryption Standard - applies the cipher algorithm three times to each cipher block. Block size is 64 bits but the key can be up to 168 bits (Replaced by AES)
AES
Advanced Encryption Standard - Symmetric key encryption standard with three variants - AES-128, AES-192, AES-256. Block size is 128 bits; keys are 128, 192 and 256 bits respectively
Used in WPA2, remote-control applications and Windows encryption features such as the Encrypting File System and BitLocker
RC4
Stream Cipher used in protocols such as SSL, WEP, RDP
PGP
Pretty Good Privacy - Used for signing, encrypting and decrypting emails in order to increase the security of communication - PGP uses symmetric session keys (pre-shared keys)
IPSEC
Internet Protocol Security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).
AH
Authentication Header - Provides a mechanism for authentication only (Integrity)
ESP
Encapsulating Security Payload - Provides data confidentiality (encryption) and authentication (data integrity, data origin auth and replay protection).
SA
Security Association - The IPsec protocols use a security association, where the communicating parties establish shared security attributes such as algorithms and keys. As such IPsec provides a range of options once it has been determined whether AH or ESP is used.
ISAKMP
Internet Security Association and Key Management Protocol
SSL
Secure Sockets Layer - Protocol used to secure websites
TLS
Transport Layer Security - Protocol used to secure websites - TLS 1.3 is the latest version
WEP
Wireless Equivalent Privacy - defined in 802.11 as a method to make a wireless link equivalent to a wired connection - uses RC4 (on data frames) - Shared key security method
TKIP
Temporary Key Integrity Protocol - used to make WEP more secure - 802.11i - Per-packet key mixing function - Message Integrity Code (MIC function) - enhanced IV
WPA
WPA improves on WEP in that it provides the TKIP encryption scheme to scramble the encryption key and verify that it hasn’t been altered during the data transfer.
PSK
Pre-shared key - used in WPA; users enter the shared secret on the AP and on the client
SUID
u+s - File executes as the owner of the file
SGID
g+s - File executes as the group owner
Sticky Bit
Sets a special restriction on deleting files. Only the owner of a file (and root) can delete that file within the directory
Umask
A command that determines the settings of a mask that controls how file permissions are set for newly created files.
netstat -noa
List processes and their associated network sockets in Windows
netstat -lptu
List processes and their associated network sockets in Linux
lsof -i
List processes that own a file or directory (linux)
‘wmic qfe list’ or ‘wmic qfe list full’
(Quick Fix Engineering) Windows command that lists all patches
uname -a
Check which kernel version the Linux OS is running
WHOIS
Queries Top Level Domain (TLD) port 43
RIR
Regional Internet Registry
ARIN - American Registry of Internet Numbers
APNIC - Asian Pacific Network Information Centre
LACNIC - Latin America and Caribbean Network Information Centre
AfriNIC - African Network Information Centre
RIPE NCC - Europe, West Asia and former USSR
DNS
Domain Name Server - Port 53 TCP and UDP
A Record
Maps host name to IPv4 Address
CNAME
Canonical Name
Maps multiple names (aliases) to an A record
MX
Mail Exchange - Maps a domain to a mail server
NS
Name Server - Assigns a DNS zone to the given authoritative name servers
PTR
Pointer - Maps IP addresses to the host names for reverse look ups
SOA
Start of Authority - Specifies authoritative info for a DNS zone.
HINFO
Host Information Resource Record - Provides OS and platform info
SRV
Service Locator - Specifies a generic service location record for newer protocols
AAAA
Maps host name to IPv6 Address
Dig
Can be used to perform a DNS Zone Transfer - dD
Telnet
Port 23 - Provides remote access to servers and network equipment - Can be used to get banner from hosts to
SSH
Secure Shell Protocol - Port 22 - Replaced Telnet (SSH is more secure)
TFTP
Trivial File Transfer Protocol - UDP port 69 - Used for unauthenticated file transfers - Need file name and exact location
SNMP
Simple Network Management Protocol - UDP port 161 - Designed to provide information about network devices, software and systems
SNMP MIB
Simple Network Management Protocol Management Information Base - implemented by some vendors and contains vendor-specific information
NTP
Network Time Protocol - UDP port 123 - Can be queried for host name, OS and NTP version
PCAP
Packet Capture - API that captures live network packet data.
Types of files: .pcap, libpcap, WinPcap, PCAPng, Npcap
ARP
Address Resolution Protocol - Used by the internet protocol (IPv4) to map IP network addresses to hardware addresses (MAC Addresses) used by the data link protocol.
ARP request / reply
RARP request / reply
DHCP
Dynamic Host Configuration Protocol - UDP - used to provide local systems' network settings such as IP address, subnet, default gateway and DNS.
UDP ports 67 and 68
Cisco Discovery Protocol (CDP)
Runs on all media that support the Subnetwork Access Protocol: LAN, Frame Relay and ATM media - Data Link layer only
Hot Standby Router Protocol
Provides redundancy for IP Networks, ensuring that traffic can transparently recover from first hop failures.
Virtual Router Redundancy Protocol
VRRP - Computer networking protocol that provides for automatic assignment of available Internet Protocol routers to participating hosts
VLAN Trunking Protocol
Provides a way for engineers to distribute VLAN configuration information among switches
Spanning Tree Protocol
Spanning Tree Protocol (STP) was introduced into the networking world as a means to prevent layer 2 network loops (frame broadcast storms) from disrupting the service of a local area network.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco and released as an open standard beginning in 1993. Although derived from TACACS, TACACS+ is a separate protocol that handles authentication, authorization, and accounting (AAA) services
VOIP
Voice Over Internet Protocol
PBX
Private branch exchange - Cost-effective solution for telephony services in small and medium-sized companies because it provides flexibility and intercommunication throughout the company.
SCCP
Skinny Call Control Protocol - lightweight protocol used in IP telephony and call management - developed by Cisco
SIP
Session Initiation Protocol - Session management protocol - UDP and TCP and supports TLS
SIP Methods
INVITE, ACK, BYE, CANCEL, REGISTER, OPTIONS
WPA2
Device supports TKIP and AES
LEAP
Lightweight Extensible Authentication Protocol - LEAP takes an MS-CHAPv2 challenge and response and transmits them in the clear over the wireless network - Password based - Developed by Cisco
PPTP
Point-to-Point Tunnelling Protocol - TCP 1723 to negotiate and establish the connection, and IP protocol 47 (GRE) for data communication (legacy protocol)
MySQL
Port 3306 (MariaDB is the free version) - netstat or telnet to identify the version
MS-SQL
Microsoft SQL Server
TCP 1433
1434 (SSRS) - provides a referral service for multiple SQL Server instances
TCP 2433 - Hidden Mode
Oracle
Uses the Transparent Network Substrate (TNS) protocol to connect to the database - port 1521 (or 1526, 1541)
Oracle DBSNMP User
Used by the OEM (Oracle Enterprise Manager) intelligent agent to log on automatically to remote servers and provide information to Oracle Enterprise Manager - SELECT ANY DICTIONARY privilege needed
Default password needs to be changed to prevent access to sys.user$
MS-SQL Server stored procedures
No output from a stored procedure because it is not run on the front-end presentation tier
xp_cmdshell - query and execute OS calls directly
sp_makewebtask - dump results of SQL SELECT to HTML file
xp_regread - dump registry keys from database server and can obtain password
Threat modelling
Identifying security flaws or vulnerabilities of an application by reasoning about its specific functionality:
User Functionality
Business Logic
Software Package version installed on the system
XSS
Cross Site Scripting is a common attack vector that injects malicious code into a vulnerable web application.
SQL Injection
Attacker modifies a string that he/she knows will be processed by an SQL server running in the backend so that it forms an SQL query.
NetBIOS Name Server
UDP port 137 - Provides NetBIOS Name Table - nbtstat -n or nbtstat -A IP
net user /domain
Lists the local and global groups a user belongs to
NetBIOS name server, NetBIOS Datagram Service and NetBIOS session Service
UDP 138 - gets info from the datagram header and stores it in the NetBIOS name cache and
TCP 139 - Authentication across windows workgroups or domain and provides access to resources such as printers
net view
Used to show all computers within a network
net share
Shows accessible SMB shares
SYSVOL
Important part of AD - the SYSVOL folder is shared on an NTFS volume on all domain controllers in a domain and is used to deliver policy and logon scripts to domain members
SNMP
Simple Network Management Protocol - UDP 161 - found on infrastructure devices such as switches and routers
LDAP
Lightweight Directory Access Protocol - Provides directory information to clients
LDAP Global Catalogue (GC) TCP 3268 - ldapsearch is a tool used for enumeration
FSMO
Flexible Single Master Operations - Five roles used in AD
Schema Operation master
Primary Domain Controller - Emulator operation master - Only one allowed in the forest - Only DC that can update AD schema
Domain naming operation master
The Relative Identifier (RID) operation master - Responsible for adding and removing DCs to and from the AD forest
Primary Domain Controller Emulator Operation Master (PDC)
PDC operation master role is a domain-wide setting (each domain in the forest has one) - responsible for synchronisation - PDCs sync time with the forest root domain PDC role-holder and sync time with external time sources - ALSO responsible for password change replication
Relative ID Operation Master Role (RID)
Domain-wide setting (each domain has one) - responsible for maintaining a pool of relative identifiers that will be used when creating objects in the domain - the RID is used in the process of creating a Security Identifier (SID) - Once a RID has been used to generate a SID, it is not used again.
Infrastructure Operation Master
Role responsible for replicating SID and Distinguished Name (DN) value changes across domains - Checks its database at regular intervals for foreign group members from other domains; once it finds such objects it checks their SID and DN values against the global catalogue servers. If there is a mismatch it replaces its values with those from the global catalogue
FSMO Role Placement
The first DC in an AD forest will hold all five FSMO roles
Domain Controller
Component that runs the Windows Server OS and holds the AD Domain Services role.
Global Catalogue Server
Global catalogue server holds the full writable copy of objects in its host domain and a partial copy of objects in other domains in the same forest
AD DNS
Without DNS an AD domain infrastructure cannot work because it wouldn’t be able to locate Domain Controllers and maintain a hierarchical infrastructure design.
Active Directory Database
Maintains a database to store schema information, configuration information and domain information.
ntds.dit file is the AD database file - contains classes, attributes and relationships between the two.
C:\Windows\System32\ntds.dit
C:\Windows\NTDS\ntds.dit
Group Policy
Rules applied to manage the application settings, security settings and system settings of AD objects
A set of Group Policy configurations is called a Group Policy Object (GPO)
Local Security Policy
Set of information about the security of a local computer:
1. domains trusted to authenticate logon attempts
2. which users can access the system
3. privileges assigned to accounts
4. security auditing policy
Local Security Authority stores the local policy info in a set of LSA policy Objects
Password Policies
Password Rules and Lock out policies, lifetime and password complexities
Account Lockout Policy
This setting controls the threshold for this response and the actions to be taken after that threshold has been reached
LM Hash (Hash Storage)
LAN Manager - old technique that Microsoft used back in the 1980s to hash passwords. 14 characters max; found in the SAM or NTDS database on a DC - encrypted with DES - disabled in later systems such as Vista or Server 2008
NT (NTLM) Hash (Hash Storage)
New Technology LAN Manager is the newer way that Microsoft hashes passwords. Stored in the SAM db or NTDS.dit database - RC4 cipher (an old cryptographic method compared with AES or SHA-512)
Version 2 uses an MD5 hash
Both unsalted hashes
Patch Management
A field of system management that involves acquiring, testing and installing patches on a computer
Software Update Services (SUS)
Free patch management tool from Microsoft to help system admins deploy security patches - Each workstation connects to the SUS server and gets updates from there
System Management Server (SMS)
2003 - Provides a rich management and servicing solution. Can be used to manage networked Windows Embedded Standard-based devices alongside Windows desktops and servers.
Windows Server Update Services (WSUS)
WSUS enables system administrators to deploy the latest Microsoft product updates - a WSUS server can be the update source for other WSUS servers within the organisation (upstream server)
Microsoft Baseline Security Analyser (MBSA)
MBSA helps to stay on top of regular network auditing tasks by scanning both local and remote Microsoft systems for security misconfigurations. It can also identify any missing security updates and service packs available through the Microsoft update technologies
Snowball effect
A small issue leads to another increasing severity and risk.
Microsoft Exchange Servers
Extended SMTP feature - Once connected to the server, the EHLO command will enumerate authentication types
EternalBlue
SMBv1 vulnerability - 2017 - Mishandles specially crafted packets from remote attackers, allowing arbitrary code to be executed on the target. WannaCry ransomware used EternalBlue to spread itself
Finger user enum
The Finger protocol is an application-level protocol that provides an interface between the finger command and the fingerd daemon - returns information about the users currently logged in to a specified host
TCP port 79 - ‘finger @IP’ or ‘finger oracle@IP’ or ‘finger user@IP’ lists users whose names contain the string "user"
rusers
RPC service endpoint which listens on a dynamic port - First connect to the RPC port mapper, which returns the whereabouts of the rusersd service. If rusersd is running you can use ‘r -l 192.168.1.5’ to see users logged in.
rwho
The rwhod service listens on port 513 - if it is accessible, use the rwho command to query the service and get a list of current users logged in to the remote host
Solaris
Allows a malicious user to bypass authentication due to improper sanitisation of input (crafting a special telnet string)
FTP
TCP 20 - used to send data from server to client
TCP 21 - used to accept and process FTP commands from the client.
Identify the banner by using the ‘quote help’ or ‘syst’ command
rwt in tmp directory with anonymous access
SMTP
Protocol for sending emails, implemented by several software packages such as sendmail, Microsoft Exchange etc.
Commands: HELP, VRFY, EXPN, RCPT TO, MAIL FROM
POP-3
Post Office Protocol is a standard mail protocol used to receive emails from a remote server to a local email client.
Common to not have a lockout policy, so susceptible to brute forcing
IMAP
Internet Message Access Protocol - an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection.
Plain text and also susceptible to brute forcing
NFS
Network File System is a distributed file system protocol that allows a user on a client computer to access files over a computer network much like local storage is accessed.
Port 2049 - UDP and TCP - NFSv4 is the latest version
ro
Read only on NFS
rw
Read write on NFS
no_root_squash
Root on an NFS client is treated as nfsnobody by the NFS server (security measure) - to disable this protection use no_root_squash
mount options
nosuid - disables the set-user-identifier and set-group-identifier bits to prevent remote users from gaining higher privileges
noexec - prevents execution of binaries on the mounted file system
R-services
The most popular are “rsh” for a remote shell, “rlogin” for a remote login, and “rexec” for remote execution.
exec 512/tcp
login 513/tcp
shell 514/tcp
Uses Pluggable Authentication Modules (PAM) username and password for auth, which can be overridden by ~/.rhosts and /etc/hosts.equiv
X Windows System (X11 or X)
X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard.
X server ports 6000 to 6063
xhost + or - is used to grant or remove host access
.xauthority
Magic cookie saved when user logs into X windows under the users home directory
xwininfo
Get information about X windows using a built-in utility in Kali
xwininfo -tree -root -display IP
RPC
A number of Linux daemons run as remote procedure call services using dynamic ports.
rpcinfo can be used to query the RPC port mapper and list the accessible RPC service endpoints
Portmapper
TCP and UDP port 111 or 32771
SSH
Secure Shell Protocol - encrypted access to Linux, Unix and Windows OS; allows file access using secure copy (SCP), secure FTP (SFTP) and SSH port forwarding.
Presentation Tier
Web browsers and mobile clients support rich functionality using JavaScript and other client-side technologies which interact with server APIs and endpoints
Application Tier
Application server supports execution of code written in languages like Java, Ruby, Python and Microsoft ASP.NET. Connectors and adaptors are used to negotiate the communication between the clients and applications.
Data Tier
The data stores used with web applications are databases, key-values stores and distributed file systems.
HTTP
Hypertext Transfer Protocol - Application level protocol for hypermedia information systems.
Connectionless, media independent and stateless
URI
Uniform Resource Identifiers - formatted, case-insensitive strings containing a name, location and more, used to identify a resource such as a website
HTTPS
TLS (Transport Layer Security) and SSL (Secure Socket Layer) are cryptographic protocols which provide secure communication over the HTTP protocol
GET
Passes parameters to the web app through URL
POST
Passes data to the server through the body of the request
HEAD
Gets the HTTP header without sending any payload
TRACE
When this method is used, the server bounces back the TRACE response with the original request message in the body of the response - used to identify alterations to the request by intermediate devices such as firewalls and proxies
PUT AND DELETE
PUT is used to upload and DELETE is used to remove data
OPTIONS
Used to query the server for the methods that it supports
CONNECT
Used to establish a tunnel to the server identified by a given URI
1xx
Informational - Request received and the process continues
2xx
Success - Action successfully received, understood and accepted
3xx
Redirection - Further action must be taken in order to complete the request
4xx
Client Error - The request contains incorrect syntax or cannot be fulfilled
5xx
Server Error - The server failed to fulfil an apparently valid request
SOAP Protocol
Simple Object Access Protocol - XML message protocol that allows computers to exchange information.
- Communication protocol for the internet
- Can extend HTTP for XML messaging
- Can exchange complete documents or call a remote procedure
- Can be used to broadcast a message
- Is platform- and language-independent
- Enables client applications to easily connect to remote services and invoke remote methods
- Is an XML way to define what information is sent and how
X-Frame Option
Gives instructions to the browser on if and when a page should be displayed as part of another page
Strict-Transport-Security
HSTS - HTTP Strict Transport Security - instructs the browser to enforce an HTTPS connection
X-XSS-Protection
Instructs the website to use Cross-Site Scripting protection
Content-Security-Policy
Sent from the server to specify the locations from which scripts can be loaded
Set-Cookie
Header may contain different flags. Expires sets the date until which the cookie is valid
Persistent Cookie
Has a Max-Age or Expires attribute and is stored on disk by the web browser until the expiration date.
Non persistent cookie
Stored in RAM on the client computer and deleted when the browser is closed
Secure Flag
Forces the web browser to send cookies only through an encrypted connection such as HTTPS, which prevents eavesdropping.
HTTPOnly
Instructs the web browser not to expose the cookie to client-side scripts, thus disallowing access to the cookie from any script
XML
Extensible Markup Language
XML Document Type Definition (DTD) is a document used to validate an XML document against certain criteria. Acts as a validation template containing a definition of the valid structure, attributes and elements for an XML document.
PHP
Scripting language; an interpreter is used on the server side (on IIS and Apache) to support PHP functionality.
AJAX
Asynchronous JavaScript and XML is a combination of technologies used to create fast and dynamic pages. Uses an asynchronous request-response method which makes the application more interactive. Allows the content of a web page to be updated without submitting the entire page to the server.
DOM
Dynamic Object Model - a framework to organise elements in an HTML or XML document; a convention for representing and interacting with HTML objects.
.NET Framework
Set of APIs that support an advanced type system, data, graphics, networking and whatever else is needed to write enterprise apps in a Microsoft ecosystem.
ISAPI
Internet Server Application Programming Interface provides application support within IIS through DLLs that are mapped to specific file extensions
CGI
Common Gateway Interface is a way for a web server to pass a user request to an application program and to receive data to forward back to the user. (Part of the HTTP protocol)
IIS Versions
- 5.0 Windows 2000
- 5.1 Windows XP
- 6.0 Windows Server 2003
- 7.0 Windows Server 2008 and Vista
- 7.5 Windows 7
- 8.0 Windows Server 2012 and Windows 8
- 8.5 Windows Server 2012 R2 and Windows 8.1
- 10.0 Windows Server 2016
EAP
Extensible Authentication Protocol - Used to authenticate people to wireless networks (WPA and WPA2 use it)
PEAP
Protected Extensible Authentication Protocol - TLS (SSL) tunnel; the authentication communication is encrypted inside the tunnel