Data Gathering
-----------------
- Whois -> Get registration info about a domain from a whois server.
  $ whois -h whois.educase.net [domain]
- TheHarvester -> Get e-mails, subdomains and hosts from different public sources.
  $ theharvester -d [domain] -b [search engine]
- DNS Enumeration -> Get info about the DNS.
  > IP, e-mail handling -> $ host [domain]
  > Server info -> $ host -t [record type] [domain]
  > $ [...]
  > Other DNS enumeration tools -> dnsenum, dnsdict6, dnsmap.
- Traceroute -> Trace the route that packets take to reach the server.
  $ traceroute [domain]
- Fingerprinting -> Generate HTTP errors to get information about the server. Force 404, 500...
- Port Scanning -> Obtain information about the server's open ports.
  $ nc -nvv -w 1 -z [server IP] [portMin-portMax]
  $ nmap -A [server IP]
  Ping sweep with grepable output -> $ nmap -sn -oG ping-sweep-nmap [server IP]
  $ grep Up ping-sweep-nmap | cut -d " " -f2
  Open ports and service versions -> $ nmap -sV 192.168.0.9
  Operating System -> $ nmap -O 192.168.0.9
- Google Hacking:
  > intitle:index.of phpmyadmin
  > intitle:index.of phpmyadmin site:upc.edu
  > inurl:indexFrame.shtml Axis
  > Squirrelmail inurl:login.php "SquirrelMail version"
  > Zixmail inurl:/s/login?
  > filetype:txt "gmail" | "hotmail" -robots site:gov | site:us
- Bing Hacking:
  > ext:log ws_ftp ("C:\users" OR "documents and settings")
  > e-mail near:4 "microsoft.com"
  > "warning pg" near:10 select
  > ip:147.83.2.126
- Shodanhq -> Find machines connected to the internet.
  > shodanhq.com
- Robtex -> More info / less user-friendly.
  > robtex.com
- Google Hacking Database -> www.exploit-db.com/google-hacking-database
- Social Networks -> Facebook, Twitter, LinkedIn, Google+
- Maltego (Kali Application)
- Archive.org
Social Engineering
------------------
- SET (Social-Engineer Toolkit) -> setoolkit (Kali App)
- Metadata -> Foca
           -> exiftool (Kali App)
Web Application Security
------------------------
- Tampering -> Intercept web communications and modify them.
  > We modify the HTTP data packets.
  > Burp Suite (Kali Application) -> We need to configure Burp Suite's proxy and point Iceweasel at it.
- Cross-Site Scripting (XSS) -> Inject HTML, CSS, JS, etc. so that the page renders it.
  > Generate a request that produces a different rendered page:
    * Reflected: only lives in the current request/session, not stored.
    * Stored: stored permanently on the server.
- Cross-Site Request Forgery (CSRF) -> Make another user (e.g. the admin) perform a request without being aware of it.
  > Used when you do not have permission to make the request yourself.
- SQL Injection -> Inject SQL code into the queries sent to the server's DB to manipulate it: read all the data, delete it...
  > 'OR '1'='1
  > 'OR 1=1 #
  > 'OR 1=1 --
  > Blind SQL Injection: no direct output; try query combinations and infer info about the database from the responses.
- Open Redirect -> Lets users be redirected to other sites that are not the one they meant to visit (useful in phishing).
  > http://apple.com?go=http://malware.com
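Server-side check that closes the `?go=` open redirect shown above: an added example, not code from the original notes. The allow-list of hosts and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this site may redirect to.
ALLOWED_HOSTS = {"apple.com", "www.apple.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` stays on this site or an allowed host.

    Rejects the usual open-redirect shapes: absolute URLs to foreign hosts,
    scheme-relative '//evil.example', backslashes that browsers treat as
    slashes, userinfo tricks ('https://apple.com@evil.example') and
    non-http(s) schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers normalise '\' to '/', so validate the same string they will see.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.scheme and not parts.netloc:
        # Relative path on the same site: must start with a single '/'.
        return target.startswith("/") and not target.startswith("//")
    # urlsplit().hostname strips userinfo and port and lower-cases the host.
    host = parts.hostname or ""
    return host in allowed_hosts


def resolve_redirect(go_param, default="/"):
    """Destination for a ?go= parameter: the requested one if trusted,
    otherwise a fixed default on the same site."""
    return go_param if is_safe_redirect(go_param) else default
```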
- Path Traversal -> Walk across the file system outside the intended directory.
  > Remote File Include (RFI) and Local File Include (LFI)
- Code injection -> Inject code that the remote server executes.
- Command injection -> Inject a command that the remote server executes.
- File Upload -> Execute code through an uploaded file, for example a .php file.
- Robots.txt -> Tells search engines which directories they may or may not list.
- OWASP -> Open-source organization that documents the errors and exploits that can be found on the internet.
- Tips -> Client-side verification:
  > Never trust the user.
  > Always check on the server side.
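What "always check on the server side" means for the SQL injection payloads listed above: an added example, not from the original notes, with a constructed in-memory SQLite users table and hypothetical login functions, one built by concatenation and one with bound parameters.

```python
import sqlite3


def make_db():
    """Constructed sample database: a users table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user, password):
    """Builds the query by string concatenation. A password such as
    ' OR '1'='1 closes the quoted literal and appends its own condition,
    so the WHERE clause matches every row instead of one account."""
    query = ("SELECT name FROM users WHERE name = '" + user
             + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(query)]


def login_parameterized(db, user, password):
    """Same query with bound parameters. The driver sends the SQL and the
    values separately, so quotes, OR and -- inside the input stay data and
    cannot change the structure of the statement."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (user, password))]
```

SQLite accepts the `--` comment form from the notes but not `#`, which is MySQL syntax.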
- Most important tools -> Burp Suite, Zaproxy, Sqlmap, W3af, Nikto, WebScarab
- CMS (Content Management System) identification ->
  > BlindElephant
  > WPScan
  > Plecost
  > Joomscan
Mobile Application Security
---------------------------
- Static Analysis -> Binary analysis.
  > File analysis.
  > Configuration.
  > API and library information.
- Dynamic Analysis -> Network analysis:
  > Weak controls (server side).
  > Unencrypted transit.
  > Runtime analysis.
  > Session controls, cryptographic controls...
- Android:
  > Extract an APK from the store -> apkpure.com
    * ES File Explorer backup.
    * From the apps directory on a rooted phone.
    * Some other extensions and websites.
  > Reversing the APK -> baksmali
    * androguard
    * dex2jar/jd-gui
    * jadx
    * IDA Pro
    * JEB
  > Code obfuscators:
    * ProGuard (the most used).
    * yGuard (easier to configure).
    * DexGuard (commercial alternative).
- iOS:
  > Reversing an IPA application -> All the applications from the App Store are encrypted.
    * Load the binary into memory to extract the decrypted code.
    * Clutch2: dumps the application loaded in memory.
    * Can generate new IPAs without signatures.
    * class-dump-z to extract the class declarations (headers).
  > Keychain -> iOS provides a secure way to store passwords and sensitive info.
    * KeychainDumper: dumps all the keychain items of a device.
  > Encryption on iOS:
    * Device encryption: the system fully encrypts the iOS file system with the AES key of the chip. Jailbreaking the device gives an attacker full access to the file system.
    * Data Protection: protects files with the passcode/fingerprint.
- Modify the application at runtime:
  > Android: Xposed.
  > iOS: Cycript.
  > Both: Mobile Substrate, Frida, etc.
Bugs and Exploits
-----------------
- Bug: computing error, whether in software or hardware.
- Vulnerability: bug that produces a security failure.
- Exploit: code that takes advantage of a vulnerability.
- Payload: the way a vulnerability is exploited (what the exploit delivers).
- 0-day: new bug that hasn't been reported yet.
  > Full disclosure =
  > Non-disclosure =
  > Debate =
- Metasploit Framework
- CVE Details: site with a vulnerability list in the format CVE-YYYY-XXXX
Reverse Engineering basics
--------------------------
- Analyze a compiled executable to obtain information about its behavior.
- Used to search for vulnerabilities, risks...
Buffer Overflow
---------------
- Overfill a buffer on the memory stack to crash the service (buffer overflow).
- Can be found by reading the source code, reverse engineering, or fuzzing.
Buffer Overflows
----------------
- Preventions and protections
  > DEP (Data Execution Prevention)
  > ASLR (Address Space Layout Randomization)
  > Canary
- Metasploit
  > Msfconsole: the Metasploit framework's own shell
  > Msfcli: Metasploit's interactive command-line shell
  > Msfpayload: payload shell
  > Msfencode: payload encoding shell
  > Msfvenom: shell for encoded payloads (deprecates the two previous ones)
Passwords
---------
- Hash -> MD5, SHA-1, SHA-256, SHA-512
- Encryption
  > Symmetric: Caesar, AES, RC4, etc.
  > Asymmetric: RSA, ElGamal, etc.
- Encoding:
  > URL encoding, Base64, etc.
- Cracking passwords:
  > John the Ripper.
  > Hydra/Xhydra -> Try user/password combinations online (against a live service).
  > Medusa.
- Forensics
  > Tools: Autopsy, Foremost -> dftt.sourceforge.net/test8/
  > Anti-forensics tools.
Anonymity
---------
- Proxy -> Intermediate server.
  > Transparent -> Just an intermediary.
  > Anonymous -> Hides your IP.
  > Distorting -> Presents a random IP.
  > High anonymity -> Removes logs.
- VPNs -> Free VPNs and paid VPNs.
- IRC -> Internet Relay Chat.
- TrueCrypt.
  > VeraCrypt.
  > CipherShed.
- BitLocker.
- FileVault.
Wireless Security
-----------------
- Bluetooth Security
  > BlueMaho (GUI for testing)
  > Spooftooph (spoofing the MAC address)
  > Crackle (exploits pa
- WiFi Security
  > Monitor mode.
    $ airmon-ng start wlan0
  > Scan the air for wireless access points.
    $ airodump-ng mon0
  > Scanning for a specific access point.
    * bssid ->
    * essid ->
    $ airodump-ng --channel X --bssid XX:XX:XX:XX:XX:XX --write output-file mon0
  > Deauthentication attack
    $ aireplay-ng --deauth 10000 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY mon0
- WiFi encryption
  > WEP encryption (RC4)
    $ airodump-ng --channel X --bssid 00:00:00:00:00:00 --write output-file mon0
    $ aircrack-ng output-file.cap
    $ aireplay-ng --fake-auth 0 -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0   # Fake authentication
    $ aireplay-ng --arpreplay -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0     # Generate traffic
  > WPA encryption (TKIP)
    $ wash -i mon0
    $ reaver -b XX:XX:XX:XX:XX:XX -c C -i mon0
    * WPS PIN.
    * Probably the WPA PSK key.
    * Stronger than WEP.
  > WPA2 encryption (AES-CCMP)
    * Strongest at the moment.
    * Disconnect the user to get the handshake.