1.0 Threats, Attacks, Vulnerabilities PDF
first need to classify them. Then we need to define how these threats can be delivered to the target computer.
Afterward we can discuss how to prevent security threats from happening and troubleshoot them if they do occur.
- Virus
A computer virus is ... One well-known example of a virus is the ... or one of several other permutations of this fictitious love.
Boot sector: Initially loads into the first sector of the hard drive; when the computer boots, the virus then loads into
memory.
Macro: Usually placed in documents and e-mailed to users in the hopes that the users will open the document, thus
executing the virus.
Program: Infects executable files.
Encrypted: Uses a simple cipher to encrypt itself. The virus consists of an encrypted copy of the virus code (to help avoid
detection) and a small decryption module. A different encryption key can be used for each file that is infected, but usually
there is only one decryption routine, and that constant routine is what a scanner can still match on.
Polymorphic: Builds on the concept of an encrypted virus, but the decrypting module is modified with each infection. So,
it can change every time it is executed in an attempt to avoid antivirus detection.
Metamorphic: Similar to polymorphic but rewrites itself completely each time it is going to infect a new file in a further
attempt to avoid detection.
Stealth: Uses various techniques to go unnoticed by antivirus programs.
Armored: Protects itself from antivirus programs by tricking the program into thinking that it is located in a different
place from where it actually resides. Essentially, it has a layer of protection that it can use against the person who tries
to analyze it; it will thwart attempts by analysts to examine its code.
Retro virus: a virus that attacks or bypasses the antivirus software installed on a computer.
Stealth virus: a virus that attempts to avoid detection by antivirus software and by the operating system, for example by
remaining resident in memory and hiding the changes it has made to infected files.
Phage virus: a virus that modifies and alters other programs and databases.
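As an added illustration (not from the course notes, and not real malware), the toy scanner below models an infected file as a decryptor stub, a one-byte key and an XOR-encrypted body, with a harmless text string standing in for the virus body and made-up bytes standing in for the stub's machine code. It shows why a signature taken from the virus body stops matching once the body is encrypted with a per-file key, why a signature on the constant decryptor still catches an encrypted virus but not a polymorphic one, and why scanners fall back to emulating the decryptor and scanning what appears in memory:

```python
"""Why encrypted and polymorphic viruses beat byte-signature scanning.

Added example for these notes (not from the course material and not real
malware). An "infected file" is modelled as
    [decryptor stub][1-byte key][body XOR key]
where the body is a harmless text string and the stub bytes are made up.
"""

# Constructed stand-in for the virus body a scanner has a signature for.
BODY = b"BENIGN-DEMO-BODY: replicate(); run_payload();"
BODY_SIG = BODY[:16]          # the byte pattern an AV vendor would extract

# Constructed "machine code" for the decryption loop. An encrypted virus carries
# this in the clear; a polymorphic engine emits several equivalent encodings.
STUB = b"\x8b\x1e\x31\xd8\x43\xe2\xfa"
STUB_VARIANTS = [
    STUB,
    b"\x8b\x1e\x90\x31\xd8\x43\xe2\xf9",      # made-up variant: same loop, extra no-op
    b"\x87\xdb\x8b\x1e\x31\xd8\x43\xe2\xf9",  # made-up variant: different prologue/ending
]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def infect(stub: bytes, key: int) -> bytes:
    """One infection: the stub, then the per-file key, then the encrypted body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte (0 would leave the body in plaintext)")
    return stub + bytes([key]) + xor(BODY, key)


def static_scan(sample: bytes, signatures: list[bytes]) -> bool:
    """Classic on-access check: is any known signature present verbatim?"""
    return any(sig in sample for sig in signatures)


def emulate_and_scan(sample: bytes, stubs: list[bytes], signatures: list[bytes]) -> bool:
    """What a scanner does about encryption: recognise a decryptor, let it run
    (here: apply the XOR ourselves), then scan the plaintext that appears."""
    for stub in stubs:
        if sample.startswith(stub) and len(sample) > len(stub):
            key = sample[len(stub)]
            plain = xor(sample[len(stub) + 1:], key)
            return static_scan(plain, signatures)
    return False


def compare(keys=(0x5A, 0xA7)) -> dict:
    """Which detection approach catches which virus class."""
    encrypted = [infect(STUB, k) for k in keys]                            # constant stub, new key per file
    polymorphic = [infect(s, k) for s, k in zip(STUB_VARIANTS[1:], keys)]  # the stub changes as well
    return {
        "body_sig_on_plain": static_scan(BODY, [BODY_SIG]),
        "body_sig_on_encrypted": all(static_scan(e, [BODY_SIG]) for e in encrypted),
        "stub_sig_on_encrypted": all(static_scan(e, [STUB]) for e in encrypted),
        "stub_sig_on_polymorphic": all(static_scan(p, [STUB]) for p in polymorphic),
        "emulation_on_polymorphic": all(emulate_and_scan(p, STUB_VARIANTS, [BODY_SIG]) for p in polymorphic),
    }


if __name__ == "__main__":
    for name, caught in compare().items():
        print(f"{name:28s} {caught}")
```

The per-file key also means two infections of the same virus have different file hashes, so a hash is a poor indicator for anything encrypted or polymorphic; a metamorphic virus goes one step further and rewrites the decryptor logic itself, so even the emulation step has to match behaviour rather than bytes.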
Advanced Persistent Threat (APT): a set of stealthy and continuous computer hacking processes, often orchestrated by a
person or group targeting a specific entity.
Usually targets private organizations, states, or both, for business or political motives.
APT processes require a high degree of covertness over a long period of time.
"Advanced" signifies sophisticated techniques, using malware to exploit vulnerabilities in systems.
"Persistent" suggests that an external command-and-control system is continuously monitoring and
extracting data from the specific target.
"Threat" indicates human involvement in orchestrating the attack.
Malware Delivery
The method that a threat uses to access a target is known as a threat vector. Collectively, the means by which an
attacker gains access to a computer in order to deliver malicious software is known as an attack vector. Probably the
most common attack vector is via software.
Examples: email, FTP, P2P file sharing, websites, advertisements (malvertising), portable media storage devices, connected smartphones.
Indicators of Compromise (IoC): an artifact observed on a network or in an operating system that, with high confidence, indicates a computer
intrusion. Examples: virus signatures, file hashes (e.g. MD5 or SHA-256), IP addresses, URLs and domain names.
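An added example of how those indicator types get used, not taken from the notes: a small sweep that checks a proxy log against URL, domain and IP indicators and checks a file against a hash indicator. The indicator values, the log lines and the "dropper" bytes are constructed for the demo (the address is from the TEST-NET-3 documentation range and the domains are reserved .example names), so none of them is a real indicator.

```python
"""Checking local evidence against a set of Indicators of Compromise.

Added example for these notes, not from the course. All indicator values,
the proxy log and the "dropper" bytes are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlparse

DROPPER = b"MZ\x90\x00 constructed dropper bytes for the hash demo"

IOCS = {
    "sha256": {hashlib.sha256(DROPPER).hexdigest()},   # in practice this comes from a feed or advisory
    "ipv4": {"203.0.113.45"},
    "domains": {"update-check.example"},
    "urls": {"http://update-check.example/dl/stage2.bin"},
}

# Constructed proxy log: timestamp, client, method, target, status
PROXY_LOG = """\
2019-07-15T04:51:02Z 10.0.0.12 GET http://www.example.org/index.html 200
2019-07-15T04:51:09Z 10.0.0.12 GET http://update-check.example/dl/stage2.bin 200
2019-07-15T04:52:11Z 10.0.0.31 CONNECT 203.0.113.45:443 200
2019-07-15T04:53:00Z 10.0.0.12 GET http://cdn.update-check.example/favicon.ico 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def host_of(target: str) -> str:
    """Hostname from a URL, or from a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target
    return (urlparse(target).hostname or "").lower()


def match_log(log: str, iocs: dict) -> list[tuple[int, str, str]]:
    """Return (line_no, indicator_type, value) for each indicator hit in the log."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                          # unparseable line: skip it, do not abort the sweep
        _ts, _client, _method, target, _status = m.groups()
        if target in iocs["urls"]:
            hits.append((n, "url", target))
        host = host_of(target)
        for d in iocs["domains"]:             # the domain itself and any subdomain of it
            if host == d or host.endswith("." + d):
                hits.append((n, "domain", host))
        for ip in IPV4_RE.findall(target):    # destination column only, not the client address
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
    return hits


def match_file(content: bytes, iocs: dict) -> bool:
    """Hash indicators are exact: a single changed byte produces no match."""
    return hashlib.sha256(content).hexdigest() in iocs["sha256"]


if __name__ == "__main__":
    for hit in match_log(PROXY_LOG, IOCS):
        print("log line %d: %s indicator %s" % hit)
    print("dropper hash matches:", match_file(DROPPER, IOCS))
```

The hash check is the most precise indicator and the most brittle: a recompiled or repacked sample has a new hash, which is why domain and IP indicators are matched on subdomains and why hashes are paired with behavioural indicators in practice.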
"Applications that can help to secure your computers against malware threats include antivirus programs, anti-spyware applications, or
combination anti-malware programs"
CIA
Confidentiality, integrity, and availability are the cornerstones of information security.
Confidentiality is the principle that only authorized people, processes, or systems have access to
information and that information must be protected from unauthorized disclosure.
Integrity is the principle that information or systems should be protected from unintentional,
unauthorized, or accidental changes.
Availability is the principle that information systems are operating and accessible when needed.
Social Engineering (psychology): describes a class of techniques used to manipulate people, by deception, into divulging information or performing an action (e.g. unwittingly distributing malware).
- The information obtained may be useful in itself or a stepping stone in carrying out an attack
Using perception, persuasion, and influence, social engineers take advantage of basic human instincts and responses including:
- The instinct to respond to authority
- The tendency to trust people
- The desire to be responsive
- The fear of getting into trouble
- The threat of harm
- The promise of a reward
- The process by which intruders gain access to facilities, networks, systems, data, and even employees by exploiting the generally trusting nature of people.
- The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Phishing: sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
• Spear Phishing: sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
• Vishing: making phone calls or leaving voice messages purporting to be from reputable companies.
• Pharming: redirecting traffic to a spoofed website (typically by tampering with DNS or the hosts file), so that even a correctly typed URL lands on the attacker's page.
• Variants: SMiShing, sending fraudulent text (SMS) messages.
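Phishing and pharming both depend on a link or host that looks legitimate, so an added example of the checks a mail gateway or browser extension applies to a link before the user follows it (this is illustrative code for these notes, not Netcraft's or anyone else's product): an exact allow-list match, a homograph check that folds look-alike Cyrillic letters, an edit-distance check for typosquats, and a check for a trusted brand used as a subdomain of an unrelated site. The brand allow-list and the sample URLs are constructed.

```python
"""Flagging look-alike links before a user follows them.

Added example for these notes; not from the course and not a vendor's code.
The trusted-brand allow-list and the sample URLs are constructed.
"""
import unicodedata
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "example-bank.com"}      # constructed allow-list

# A few Cyrillic letters that render like Latin ones (homograph attacks).
# Real deployments use the full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u04cf": "l"}


def displayed_host(host: str) -> str:
    """Punycode (xn--) labels rendered as the user would see them."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host                    # already Unicode, or malformed: compare it as-is


def registrable(host: str) -> str:
    """Last two labels: 'login.paypal.com' -> 'paypal.com'. Simplification: a real
    check uses the Public Suffix List so that names like 'bank.co.uk' are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(s: str) -> str:
    """Fold confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", s.lower()))


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """'trusted' (exactly a listed brand), 'lookalike' (an impersonation heuristic hit)
    or 'unknown' (no opinion; a reputation service would be consulted next)."""
    host = displayed_host(urlparse(url).hostname or "")
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    subdomain_labels = host.lower().split(".")[:-2]
    for brand in TRUSTED:
        if skeleton(reg) == brand:                   # homograph: identical once folded
            return "lookalike"
        if edit_distance(reg, brand) <= 2:           # typosquat: paypa1.com, paypal.cm
            return "lookalike"
        if brand.split(".")[0] in subdomain_labels:  # brand name as a subdomain of an unrelated site
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("http://www.paypal.com/signin", "http://p\u0430ypal.com/login",
              "http://paypa1.com/", "http://paypal.com.login-verify.example/"):
        print(f"{classify_url(u):10s} {u}")
```

These heuristics only cover impersonation of the hosts you list; they say nothing about a phishing page hosted on a freshly registered, unrelated domain, which is what a reputation feed (the PhishTank data used later in these notes, for instance) exists for.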
Physical
- Tailgating
- Dumpster Diving
- Shoulder Surfing
Communications Spoofing
IP spoofing: a technique used to gain unauthorized access to machines, whereby an attacker illicitly
impersonates another machine by manipulating IP packets. It involves rewriting the packet header with a
forged (spoofed) source IP address and recomputing the fields that depend on it (the header checksum and,
for TCP, the sequence numbers). Because replies go to the spoofed address rather than to the attacker,
blind spoofing is mostly useful for one-way attacks such as SYN floods (see the hping3 --rand-source
exercise below) and for abusing trust relationships that are based on source address alone.
ARP spoofing: an attacker sends forged ARP (Address Resolution Protocol) messages over a local area
network, linking the attacker's MAC address with the IP address of a legitimate computer or server
(commonly the default gateway), so that traffic intended for that IP is delivered to the attacker instead.
Man-in-the-Middle Attacks
An attack where the attacker secretly relays and possibly alters the communication between two parties
who believe they are directly communicating with each other.
The attacker may either observe the traffic (confidentiality attack) or alter it (integrity attack).
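ARP spoofing is the usual way to get into the man-in-the-middle position on a LAN, and it leaves a visible trace in the ARP replies themselves. The detector below is an added example for these notes (not from the course or the later lab). The replies are constructed: the gateway 192.168.0.1 normally answers from aa:aa:aa:aa:aa:01, then at t=5s a host with MAC cc:cc:cc:cc:cc:99 starts claiming both the gateway's and a client's IP, which is exactly the two-sided poisoning a MitM needs.

```python
"""Detecting ARP spoofing from the ARP replies seen on a segment.

Added example for these notes. The reply list is constructed for the demo.
"""
from collections import defaultdict

# (time_s, opcode, sender_ip, sender_mac) as decoded from the ARP frames
ARP_REPLIES = [
    (0.0, "reply", "192.168.0.1",  "aa:aa:aa:aa:aa:01"),
    (0.1, "reply", "192.168.0.10", "bb:bb:bb:bb:bb:10"),
    (5.0, "reply", "192.168.0.1",  "cc:cc:cc:cc:cc:99"),   # spoofed: attacker claims the gateway
    (5.0, "reply", "192.168.0.10", "cc:cc:cc:cc:cc:99"),   # spoofed: attacker claims the victim
    (6.0, "reply", "192.168.0.1",  "cc:cc:cc:cc:cc:99"),   # attacker re-poisons periodically
]


def detect_arp_spoof(replies, known=None):
    """Return alert strings for two signals:
      * an IP whose sender MAC changes (a cache is being poisoned), and
      * one MAC that now answers for more than one IP (the classic MitM position).
    `known` seeds the table with trusted static bindings (e.g. the gateway) so the
    first spoofed reply is caught even if the genuine one was never observed.
    """
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for t, op, ip, mac in replies:
        if op != "reply":
            continue
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={t:.1f}s {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"t={t:.1f}s {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoof(ARP_REPLIES, known={"192.168.0.1": "aa:aa:aa:aa:aa:01"}):
        print(a)
```

A MAC change is not proof on its own (a DHCP lease handed to a new device, a replaced NIC, or a router failover pair will also produce one), so treat the first signal as something to investigate and the second, one MAC answering for the gateway and a client at once, as the strong one. The preventive controls are static ARP entries for critical hosts and Dynamic ARP Inspection on managed switches.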
Types of Actors
http://professormesser.link/800115
Passive Reconnaissance: the attacker wants to learn more about your organization from public sources, without touching
your systems (IP addresses, OS versions, locations, cloud presence).
Active Reconnaissance: trying to extract information directly from your organization's systems: port scans, vulnerability
scans (applications, patch versions, systems, firewall rules).
Exploitation
Additional Research
Continued Exploitation
Reporting
Netcraft.com
Nikto: a tool used to scan web servers for vulnerabilities and to identify what software is running on them.
Angry IP Scanner
Introduction
The Network Vulnerabilities Part 1 module provides you with the instructions and
server hardware to develop your hands-on skills in the defined topics. This module
includes the following exercises:
• Network Footprinting
• Packet Sniffing
Lab time: It will take approximately 1 hour to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.2: Compare and contrast types of attacks
• SY0-501 2.2: Given a scenario, use appropriate software tools to assess the
security posture of an organization
• SY0-501 2.4: Given a scenario, analyse and interpret output from security
technologies
Lab Diagram
During your session you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.
Figure 1.23 Screenshot of PLABWIN10: Kali on Zenmap entering the scan address.
Step 12
This scans for live hosts on the 192.168.27.0 network.
It will take about 3 minutes to complete.
Figure 1.25 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 14
Click the Topology tab and then click Fisheye.
The Topology tab shows the network hosts discovered by the scan.
Figure 1.27 Screenshot of PLABWIN10: Kali on Zenmap reviewing the scan results.
Step 16
Click the Ports/Hosts tab to see a summary of the open ports detected on 192.168.27.18.
Close the Zenmap application, discarding any changes.
Minimize the root's X desktop (kali:1) - TigerVNC window.
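Zenmap is a front end for Nmap and stores its scans in Nmap's XML format (the same output as `nmap -oX`), so the Ports/Hosts summary above can be reproduced without the GUI. The parser below is an added example for these notes, not part of the lab; the XML is a constructed, shortened file in that format for the lab network, and the ports and products it shows for 192.168.27.18 are illustrative rather than the lab's actual results.

```python
"""Summarising an Nmap/Zenmap scan without the GUI.

Added example for these notes (not from the lab). The XML is a constructed,
shortened document in Nmap's -oX output format.
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.168.27.0/24" start="1563162660">
  <host><status state="up"/>
    <address addr="192.168.27.18" addrtype="ipv4"/>
    <address addr="00:15:5D:01:02:03" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="10.0"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.27.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port></ports>
  </host>
  <host><status state="down"/><address addr="192.168.27.2" addrtype="ipv4"/></host>
</nmaprun>
"""

# Ports a footprinting write-up should single out for follow-up (illustrative list).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 135: "MSRPC", 445: "SMB", 3389: "RDP"}


def parse_nmap(xml_text: str) -> dict:
    """{ip: {"state": "up"/"down", "ports": [(port, proto, service, product)]}}, open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":     # closed/filtered are not exposure
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name, product))
        hosts[ip] = {"state": host.find("status").get("state"), "ports": sorted(ports)}
    return hosts


def live_hosts(hosts: dict) -> list:
    return sorted(ip for ip, h in hosts.items() if h["state"] == "up")


def flag_exposures(hosts: dict) -> dict:
    """Hosts with at least one risky open port -> [(port, label)]."""
    out = {}
    for ip, h in hosts.items():
        hits = [(p, RISKY_PORTS[p]) for p, _proto, _name, _prod in h["ports"] if p in RISKY_PORTS]
        if hits:
            out[ip] = hits
    return out


if __name__ == "__main__":
    scan = parse_nmap(NMAP_XML)
    for ip in live_hosts(scan):
        print(ip, [f"{p}/{proto} {name} {prod}".strip() for p, proto, name, prod in scan[ip]["ports"]])
    print("follow up:", flag_exposures(scan))
```

Service and version fields come from Nmap's probes and are educated guesses, and "filtered" means a firewall dropped the probe rather than that the port is safe, so the summary is a starting point for the vulnerability-scanning step, not a finding in itself.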
Figure 2.3 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 4
Click on Statistics and then select Conversations.
Figure 2.5 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Step 6
The Conversations window lists the pairs of endpoints communicating on the network; we can
see that 192.168.27.18 is having quite a few conversations with various addresses on
the network.
Figure 2.7 Screenshot of PLABWIN10: Wireshark viewing the network capture information.
Shut down all virtual machines used in this lab before proceeding to the next module.
Alternatively you can log out of the lab platform.
Summary
In this lab you completed the following practical tasks:
• Network Footprinting
• Packet Sniffing
The Network Vulnerabilities Part 2 module provides you with the instructions and
server hardware to develop your hands-on skills in the defined topics. This module
includes the following exercises:
• Denial of Service
• Anti-Phishing Toolbar
Lab time: It will take approximately 1 hour to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.2: Compare and contrast types of attacks
• SY0-501 3.2: Given a scenario, implement secure network architecture concepts
Lab Diagram
During your session, you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.
Figure 1.1 Screenshot of the PLABWIN10 desktop: Wireshark icon on taskbar is highlighted on the
PLABWIN10 Windows desktop.
Step 2
On the User Account Control dialog box, click Yes.
Figure 1.3 Screenshot of the PLABWIN10 desktop: Capture > Options menu-options are highlighted on
The Wireshark Network Analyzer window.
Step 4
On the Input tab of the Wireshark: Capture Interfaces dialog box, click the textbox
next to Capture filter for selected interfaces and type:
tcp port 80
This is a BPF capture filter: only packets with TCP source or destination port 80 are recorded.
Note: Please ensure the Ethernet interface is selected.
Then, click Start the capture.
Step 5
Switch to PLABDM01, open Internet Explorer and type the following URL into the address bar:
Figure 1.5 Screenshot of the PLABDM01 desktop: The default page of the IIS is displayed in the Internet
Explorer.
Step 6
Minimize all open windows. Right-click the Start charm and select Control Panel.
Figure 1.6 Screenshot of the PLABDM01 desktop: Right-clicking on the Start charm to select Control
Panel.
Step 7
From the View by drop-down, select Large icons.
Figure 1.7 Screenshot of the PLABDM01 desktop: The default view of the Control Panel is displayed.
Step 8
Click the Internet Options applet.
Step 9
On Internet Properties dialogue box, under Browsing history section, click Delete.
Figure 1.9 Screenshot of the PLABDM01 desktop: General tab on the Internet Properties dialog box is
displayed showing the required Delete button available.
Step 10
All checkboxes will be selected by default. Click Delete.
Figure 1.10 Screenshot of the PLABDM01 desktop: Closing of the Internet Options dialog box.
Step 12
Switch to PLABWIN10 and review the details in Wireshark. Note the SYN >
SYN/ACK > ACK sequence in the first three packets (hint: scroll up to the
beginning of the capture); this is the TCP three-way handshake.
The remainder of the capture shows the PLABDM01 workstation retrieving the page
using HTTP.
Minimize the Wireshark application.
Figure 1.13 Screenshot of the PLABWIN10 desktop: Select TigerVNC Viewer from the Start menu.
Step 14
In the VNC Viewer: Connection Details dialog box, type the following in the VNC
server textbox:
192.168.0.3:1
Click Connect.
Figure 1.15 Screenshot of the PLABWIN10 desktop: Providing the password in the Password textbox of
the VNC authentication dialog box.
Step 16
After successful authentication, you should see the Kali window. If prompted with an
error, click OK.
Figure 1.17 Screenshot of the PLABWIN10 desktop: Starting the terminal by double-clicking the Root
Terminal icon.
Step 18
Run the following command (remember that it is case sensitive, and ignore any line
break - type the whole command on one line):
hping3 192.168.0.1 -p 80 -i u1000 -S -q --rand-source
Press Enter.
The options: -p 80 sets the destination port, -S sets the SYN flag, -i u1000 sends one packet
every 1000 microseconds, -q suppresses per-packet output, and --rand-source gives every packet a
random (spoofed) source address.
Figure 1.23 Screenshot of the PLABWIN10 desktop: Clicking Start on the Capture menu on the
Wireshark - Capture Interfaces dialog box.
Alert: If Start is greyed out, please select options and make sure Ethernet is selected.
Figure 1.24 Screenshot of the PLABWIN10 desktop: Discarding the current capture by clicking on the
Continue without Saving button.
Step 25
hping3 crafts TCP SYN (synchronize) packets from random spoofed IP addresses and
sends them out at very short intervals.
Note the flood of packets captured by Wireshark on PLABWIN10. The target answers each SYN with a
SYN/ACK to an address that never sent anything, so none of these connections completes and each
one holds a half-open entry until it times out.
Note: You may lose connectivity to PLABWIN10 while working on this lab, as a result of
the flood of SYN packets being sent to its interface. If this happens, reconnect to
PLABWIN10 through the Practice Labs web application.
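An added example that ties the two Wireshark observations together (the SYN > SYN/ACK > ACK sequence from Step 12 and the flood from Step 25); it is not part of the lab text. The packets are constructed the way Wireshark displays them (addresses, ports, flags). The flood mimics the hping3 command above: SYNs to port 80 from random source addresses, so the victim's SYN/ACKs go to hosts that never sent anything and no handshake completes.

```python
"""Following TCP handshakes in a capture and recognising a SYN flood.

Added example for these notes, not part of the lab. The packet list is
constructed; the flood mimics hping3 -S --rand-source against port 80.
"""
import random
from dataclasses import dataclass

SERVER, PORT = "192.168.0.1", 80


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def handshake(client: str, cport: int) -> list:
    """The SYN > SYN/ACK > ACK sequence at the start of a normal connection."""
    return [Pkt(client, cport, SERVER, PORT, "S"),
            Pkt(SERVER, PORT, client, cport, "SA"),
            Pkt(client, cport, SERVER, PORT, "A")]


def syn_flood(n: int, seed: int = 7) -> list:
    """n SYNs from random spoofed sources, plus the victim's unanswered SYN/ACKs."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        sport = rng.randrange(1024, 65536)
        pkts.append(Pkt(src, sport, SERVER, PORT, "S"))
        pkts.append(Pkt(SERVER, PORT, src, sport, "SA"))   # reply goes to the spoofed address
    return pkts


# Constructed capture: one real page load, the flood, then another real page load.
CAPTURE = handshake("192.168.0.5", 49152) + syn_flood(500) + handshake("192.168.0.5", 49153)


def analyse(packets: list, server: str = SERVER, port: int = PORT, half_open_limit: int = 100) -> dict:
    """Correlate each SYN with its SYN/ACK and ACK by (client ip, client port)."""
    state = {}                      # (client, cport) -> "S" | "SA" | "done"
    for p in packets:
        if p.dst == server and p.dport == port:
            key = (p.src, p.sport)
            if p.flags == "S":
                state[key] = "S"
            elif p.flags == "A" and state.get(key) == "SA":
                state[key] = "done"
        elif p.src == server and p.sport == port and p.flags == "SA":
            key = (p.dst, p.dport)
            if state.get(key) == "S":
                state[key] = "SA"
    completed = sum(1 for s in state.values() if s == "done")
    half_open = len(state) - completed
    sources = {client for (client, _), s in state.items() if s != "done"}
    return {
        "completed": completed,
        "half_open": half_open,
        "half_open_sources": len(sources),
        # Many half-open connections from about as many distinct sources is the
        # random-source SYN flood signature; one busy client looks different.
        "syn_flood": half_open >= half_open_limit and len(sources) >= half_open // 2,
    }


if __name__ == "__main__":
    print(analyse(CAPTURE))
```

The same correlation is what a SYN-cookie or a rate limit on embryonic connections acts on: the defence is to stop reserving state for a SYN until the ACK proves the client address is real.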
Figure 1.25 Screenshot of the PLABDC01 desktop: Wireshark capture window is displayed listing the
captured data packets.
Step 26
Switch to the PLABDM01 workstation, restore Internet Explorer and refresh the same web page you loaded
previously:
http://PLABWIN10/
You will notice that it takes noticeably longer to load, or does not load at all, while the flood is running.
Stop Wireshark without saving the capture and close all open windows
on PLABWIN10 and PLABDM01.
Figure 1.26 Screenshot of the PLABDM01 desktop: Browser window trying to access the specified
website is displayed.
Keep all devices powered on in their current state and proceed to the next exercise.
Figure 2.1 Screenshot of the PLABWIN10 desktop: Internet Explorer icon on taskbar is
highlighted on the PLABWIN10 Windows desktop.
Step 2
From Practice-labs intranet, you will be directed to Tools and resources page.
Click Installation_Files.
Figure 2.4 Screenshot of the PLABWIN10 desktop: Tools and resources > Tools
webpage is displayed on the PLABWIN10 Windows desktop.
Step 4
You can see Firefox Setup 67.0.exe under this location, click this file.
On the notification toolbar, click Save.
Keep all devices powered on in their current state and proceed to the next task.
Task 2 - Download and Install Anti-Phishing Toolbar: Netcraft
Netcraft offers a toolbar (browser extension) for Mozilla Firefox, Google Chrome and Opera web browsers.
This toolbar helps you detect phishing websites and provides a detailed report on a
website, including its rank.
In this task, you will learn to use the Netcraft anti-phishing toolbar.
To use the Netcraft anti-phishing toolbar, perform the following steps:
Figure 2.21 Screenshot of the PLABWIN10 desktop: Required URL typed in the
address bar at the top is displayed on the Welcome to Firefox webpage.
Step 2
The Netcraft Extension page is displayed.
Figure 2.23 Screenshot of the PLABWIN10 desktop: Download the Netcraft Extension
button is displayed on the web browser window.
Step 4
The Download Now page is displayed. Click Firefox.
Figure 2.24 Screenshot of the PLABWIN10 desktop: Download Now webpage showing
the Firefox option available is displayed on the web browser window.
Step 5
Click Add to Firefox.
Figure 2.29 Screenshot of the PLABWIN10 desktop: Specified toolbar integrated into
the web browser is displayed on the web browser window.
Step 2
Select and right-click a URL and select Copy.
Note: You may have to try several URLs before you encounter the warning. If you have tried
all of the links on the page, select See more suspected phishes... and this will
provide more links.
Figure 2.30 Screenshot of the PLABWIN10 desktop: Context menu (that appears on
Figure 2.30 Screenshot of the PLABWIN10 desktop: Context menu (that appears on
right-clicking a listed phishing website) > Copy menu-options are displayed PhishTank
website.
Step 3
Paste the Website name in the address bar on a new tab and press Enter.
Figure 2.31 Screenshot of the PLABWIN10 desktop: Pasting the Website name in the
address bar.
Step 4
The phishing Website warning page is displayed.
A Firefox red screen alert of “Deceptive site ahead” might be shown instead of the
Netcraft site blocked page. If this occurs, select see details and then “ignore the risk” or
try another link from http://www.phishtank.com
Figure 2.33 Screenshot of the PLABWIN10 desktop: Phishing Site Blocked webpage is
Summary
In this lab you completed the following practical tasks:
• MitM with ARP Spoofing
• Denial of Service
• Anti-Phishing Toolbar
Introduction
The module Scanning and Remediating Vulnerabilities with OpenVAS provides you
with the instructions and devices to develop your hands-on skills in the following topics.
• Connecting to Win10 and Kali
• OpenVAS Scanning
• Security Active Directory Access LDAP
• Validating Security Changes with OpenVAS
Lab time: It will take approximately 1.5 hours to complete this lab.
Exam Objectives
The following exam objectives are covered in this lab:
• SY0-501 1.5: Explain vulnerability scanning concepts
Lab Diagram
During your session, you will have access to the following lab configuration. Depending
on the exercises you may or may not use all of the devices, but they are shown here in
the layout to get an overall understanding of the topology of the lab.
Figure 2.6 Screenshot of PLABKALI01: Greenbone showing the Port lists for scanning.
Step 3
A brief review of this list shows all the ports the Nmap scanner will check. The list is
based on Nmap version 5.51.
This is a very thorough and noisy scan: it covers all TCP ports from 1 to 65535 and then a more
selectively chosen set of 999 well-known UDP ports. UDP port scanning takes considerably longer,
because open or filtered UDP ports typically send no response and the scanner must wait for a timeout
and retry, so knowing which ports matter can be a great time saver.
Reviewing this on your favorite search engine or theory support materials would be
Figure 2.7 Screenshot of PLABKALI01: Greenbone showing the exact Port range used
for a NMAP 5.51 scan type.
Step 4
Again hover over the Configuration tab and then move down to Scan Configs.
Figure 2.11 Screenshot of PLABKALI01: Greenbone showing further settings for the
Full and Fast option.
Step 7
Scroll down the page to view the Network Vulnerability Test Preferences.
Within this area we can see multiple tests used against SSL, LDAP, Services, etc.
Review these to have a better understanding of what exactly the test is going to
perform.
Figure 3.1 Screenshot of PLABDC01: Accessing Command Prompt from the Start Icon.
Step 2
As long as no devices or users depend on the 'Pre-Windows 2000 Compatible Access' group, the entry
can safely be removed. The group's main function is backwards compatibility with older hardware and
applications (for example Windows NT 4.0 RAS servers), which it achieves by granting its members broad
read access to the directory; check for such dependencies before removing anything.
Click Start, then Run.
Enter:
dsa.msc
Click Remove.
Figure 3.6 Screenshot of PLABDC01: Active Directory Users and Computers Windows
Security Notice.
The notice tells us there is an inheritance problem.
Click OK.
Click Advanced.
Click the Permissions tab and click the Principal header to sort the entries by
name.
Figure 3.11 Screenshot of PLABDC01: Group Policy Management editing the policy.
Step 2
Then follow this path.
Computer Configuration \ Policies\ Windows Settings\ Security Settings\Local Policies\ Security Options
Figure 3.20 Screenshot of PLABDC01: Registry Editor changing the registry value.
Step 3
Exit Registry Editor.
Figure 3.22 Screenshot of PLABDC01: Desktop selecting Network and Sharing Center.
Step 2
Click Ethernet.
Figure 4.7 Screenshot of PLABKALI01: PDF format being viewed of the Delta Report.
Scrolling down we find the vulnerability we worked on.
Figure 4.8 Screenshot of PLABKALI01: PDF format being viewed of the Delta Report.
Summary
You covered the following activities in this module:
• Connecting to Win10 and Kali
• OpenVAS Scanning
• Security Active Directory Access LDAP
• Validating Security Changes with OpenVAS