JosepRivaille

Security Informatics

Jul 6th, 2016
Data Gathering
-----------------
- Whois -> We get info from a server.
$ whois -h whois.educase.net [domain]

- TheHarvester -> We get e-mails, subdomains and hosts from different public sources.
$ theharvester -d [domain] -b [search engine]

- DNS Enumeration -> We get info about the DNS.
> IP, e-mail handling -> $ host [domain]
> Server info -> $ host -t [record type] [domain]
> $ [...]
> Other DNS enumeration tools -> dnsenum, dnsdict6, dnsmap.

- Traceroute -> Trace the route packets take to the server.
$ traceroute [domain]

- Fingerprinting -> Generate HTTP errors to get information about the server. Force 404, 500...

- Port Scanning -> Obtain server port information.
$ nc -nvv -w 1 -z [server IP] [portMin-portMax]
$ nmap -A [server IP]
Sweep the network, output in grepable format -> $ nmap -sn -oG ping-sweep-nmap [server IP]
$ grep Up ping-sweep-nmap | cut -d " " -f2
Open ports -> $ nmap -sV 192.168.0.9
Operating system -> $ nmap -O 192.168.0.9

- Google Hacking:
> intitle:index.of phpmyadmin
> intitle:index.of phpmyadmin site:upc.edu
> inurl:indexFrame.shtml Axis
> Squirrelmail inurl:login.php "SquirrelMail version"
> Zixmail inurl:/s/login?
> filetype:txt "gmail" | "hotmail" -robots site:gov | site:us

- Bing Hacking:
> ext:log ws_ftp("C:\users" OR "documents and settings")
> e-mail near:4 "microsoft.com"
> "warning pg" near:10 select
> ip:147.83.2.126

- Shodanhq -> Find machines connected to the internet.
> shodanhq.com

- Robtex -> More info / less user-friendly.
> robtex.com

Google Hacking Database -> www.exploit-db.com/google-hacking-database

Social Networks -> Facebook, Twitter, LinkedIn, Google+

Maltego (Kali application)

Archive.org

Social Engineering
------------------
- SET -> setoolkit (Kali app)

- Metadata -> FOCA
-> exiftool (Kali app)

Web Application Security
------------------------
- Tampering -> Intercept web communications and modify them.
> We modify HTTP data packets.
> Burp Suite (Kali application) -> We need to configure the proxy in Burp Suite and in Iceweasel.

- Cross-Site Scripting (XSS) -> Inject HTML, CSS, JS, etc. code to get it rendered.
> Generate a request to get a different rendered page:
* Reflected: only present in the current session, not stored.
* Stored: stored permanently on the server.

- Cross-Site Request Forgery (CSRF) -> Make another user (e.g. the admin) issue a request without being aware of it.
> Used when you don't have permissions to do the request yourself.

- SQL Injection -> Inject SQL code into the server's DB to manipulate it: dumping all the data, deleting it...
> 'OR '1'='1
> 'OR 1=1 #
> 'OR 1=1 --
> Blind SQL Injection: no direct output, so you try query combinations to infer info about the database.
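Added example (not part of the original notes): the string-concatenated login query that the 'OR '1'='1 and 'OR 1=1 -- payloads above defeat, next to the parameterised version that neutralises them. It runs on a constructed in-memory SQLite table; the user names and passwords are made up for the demo.

```python
import sqlite3


def make_db():
    """Build a small constructed users table in memory (demo data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return con


def login_vulnerable(con, name, password):
    """Untrusted input is pasted straight into the SQL text.

    The closing quote in the payload ends the string literal early, so
    '' OR '1'='1' makes the WHERE clause true for every row, and
    '' OR 1=1 -- comments out the rest of the statement.
    """
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in con.execute(sql)]


def login_safe(con, name, password):
    """Parameterised query: values travel separately from the SQL text,
    so a quote in the input can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", payload))  # every user
    print("safe      :", login_safe(db, "x", payload))        # nobody
```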

- Open Redirect -> Lets users be redirected to other sites that are not really what they wanted to visit (useful in phishing).
> http://apple.com?go=http://malware.com
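Added example (not from the original notes): a server-side check for the go= parameter shown above, which only follows site-relative paths or URLs whose host is on an allowlist. The allowlist and the fallback path are assumptions for the demo; it also covers scheme-relative and userinfo tricks that a plain prefix check would miss.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"apple.com", "www.apple.com"}


def safe_redirect_target(go, fallback="/"):
    """Return `go` if it is safe to redirect to, otherwise `fallback`.

    Safe means: a site-relative path ("/account"), or an absolute
    http(s) URL whose host is in ALLOWED_HOSTS. Everything else
    (foreign hosts, javascript:, "//evil.com", "user@host" forms)
    falls back to the local default page.
    """
    if not go:
        return fallback
    parts = urlsplit(go)

    # Absolute URL, or scheme-relative "//host" (netloc set, scheme empty).
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return fallback
        # hostname strips userinfo/port, so "apple.com@malware.com"
        # resolves to malware.com and is rejected.
        if parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return go

    # No scheme, no netloc: accept only a plain local path. Reject "//"
    # (scheme-relative) and backslashes, which some browsers normalise to "/".
    if go.startswith("/") and not go.startswith("//") and "\\" not in go:
        return go
    return fallback


if __name__ == "__main__":
    for candidate in ("http://malware.com", "/account", "//malware.com",
                      "https://www.apple.com/support"):
        print(candidate, "->", safe_redirect_target(candidate))
```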

- Path Traversal -> Travel across the file system.
> Remote File Include (RFI) and Local File Include (LFI)

- Code injection -> Inject code into a remote server.

- Command injection -> Inject commands into a remote server.

- File Upload -> Execute code through an uploaded file, e.g. a .php file.

- Robots.txt -> Tells search engines which directories they may list or not.

- OWASP -> Open-source organization that tracks all the errors and exploits that can be found on the internet.

- Tips -> Client-side verification:
> Never trust the user.
> Always check on the server side.

- Most important tools -> Burp Suite, Zaproxy, Sqlmap, W3af, Nikto, WebScarab

- CMS (Content Management System) identification ->
> BlindElephant
> WPScan
> Plecost
> Joomscan

Mobile Application Security
---------------------------
- Static Analysis -> Binary analysis.
> File analysis.
> Configuration.
> API and library information.

- Dynamic Analysis -> Network analysis:
> Weak controls (server side).
> Unencrypted transit.
> Runtime analysis.
> Session controls, cryptographic controls...

- Android:
> Extract an APK from the store -> apkpure.com
* ES File Explorer backup.
* From the apps directory on a rooted phone.
* Some other extensions and websites.

> Reversing the APK -> baksmali
* androguard
* dex2jar/jd-gui
* jadx
* IDA Pro
* JEB

> Code obfuscators:
* ProGuard (the most used).
* yGuard (easier to configure).
* DexGuard (commercial alternative).

- iOS:
> Reversing an IPA application -> All the applications from the App Store are encrypted.
* Load the binary into memory to extract the code.
* Clutch2: extracts the application loaded into memory.
* Can generate new IPAs without signatures.
* class-dump-z to extract the source code.

> Keychain -> iOS provides a secure way to store passwords and sensitive info.
* KeychainDumper: dumps all the keychain items of a device.

> Encryption on iOS:
* Device encryption: the system fully encrypts the iOS file system using the chip's AES key. Jailbreaking the device gives an attacker full access to the file system.
* Data Protection: protects files with the passcode/fingerprint.

- Modify the application at runtime:
> Android: Xposed.
> iOS: Cycript.
> Both: Mobile Substrate, Frida, etc.

Bugs and Exploits
-----------------
- Bug: a computing error, whether in software or hardware.

- Vulnerability: a bug that produces a security failure.

- Exploit: code that takes advantage of a vulnerability.

- Payload: the way a vulnerability is exploited.

- 0-day: a new bug that hasn't been reported yet.
> Full disclosure =
> Non-disclosure =
> Debate =

- Metasploit Framework

- CVE Details: page with a vulnerability list in the format CVE-YYYY-XXXX

Reverse Engineering basics
--------------------------
- Analyze a compiled executable to extract information about its behavior.

- Used to search for vulnerabilities, risks...

Buffer Overflow
---------------
- Fill the memory stack to crash the service (buffer overflow).

- Can be found by looking at the source code, by reverse engineering, or by fuzzing.

Buffer Overflows
----------------
- Preventions and protections
> DEP (Data Execution Prevention)
> ASLR (Address Space Layout Randomization)
> Canary

- Metasploit
> Msfconsole: the Metasploit framework's own shell
> Msfcli: Metasploit's interactive shell
> Msfpayload: payload shell
> Msfencode: shell for encryption
> Msfvenom: shell for encrypted payloads (makes the two previous ones deprecated)

Passwords
---------
- Hash -> MD5, SHA-1, SHA-256, SHA-512

- Encryption
> Symmetric: Caesar, AES, RC4, etc.
> Asymmetric: RSA, ElGamal, etc.

- Encoding:
> URL encoding, Base64, etc.

- Cracking passwords:
> John the Ripper.
> Hydra/Xhydra -> Try user/password combinations online.
> Medusa.

- Forensics
> Tools: Autopsy, Foremost -> dftt.sourceforge.net/test8/
> Anti-forensics tools.

Anonymity
---------
- Proxy -> Intermediate server.
> Transparent -> Just an intermediary.
> Anonymous -> Hides your IP.
> Distorting -> Random IP.
> High anonymity -> Removes logs.

- VPNs -> Free VPNs and paid VPNs.

- IRC -> Internet Relay Chat.

- TrueCrypt.
> VeraCrypt.
> CipherShed.

- BitLocker.

- FileVault.

Wireless Security
-----------------
- Bluetooth Security
> BlueMaho (GUI for testing)
> Spooftooph (spoofing the MAC address)
> Crackle (exploits pa)

- WiFi Security
> Monitor mode.
$ airmon-ng start wlan0
> Scan the air for wireless access points.
$ airodump-ng mon0
> Scanning for a specific access point.
* bssid ->
* essid ->
$ airodump-ng --channel X --bssid XX:XX:XX:XX:XX:XX --write output-file mon0
> Deauthentication attack
$ aireplay-ng --deauth 10000 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY mon0

- WiFi encryption
> WEP encryption (RC4)
$ airodump-ng --channel X --bssid 00:00:00:00:00:00 --write output-file mon0
$ aircrack-ng output-file.cap
$ aireplay-ng --fake-auth 0 -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0  # Fake authentication
$ aireplay-ng --arpreplay -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0  # Generate traffic
> WPA encryption (TKIP)
$ wash -i mon0
$ reaver -b XX:XX:XX:XX:XX:XX -c C -i mon0
* WPS PIN.
* Probably the WPA PSK key.
* Stronger than WEP.
> WPA2 encryption (AES-CCMP)
* Strongest at the moment.
* Disconnect the user to get the handshake.