From 53bad03de9c4937248d62419e468bdcb0f135720 Mon Sep 17 00:00:00 2001 
From: undergroundwires
Date: Mon, 7 Jun 2021 23:39:09 +0200
Subject: [PATCH] Fix typos
---
 README.md | 6 ++---
 .../data-leakage-backup-and-recovery.md | 6 ++---
 chapters/01-introduction/hacker-types.md | 2 +-
 chapters/01-introduction/hacking-stages.md | 6 ++---
 .../identity-access-management-(iam).md | 2 +-
 .../01-introduction/incident-management.md | 8 ++++++-
 .../information-security-controls.md | 2 +-
 .../information-security-overview.md | 6 ++---
 .../laws-standards-and-regulations.md | 4 +++-
 .../01-introduction/penetration-testing.md | 4 ++--
 chapters/01-introduction/security-policies.md | 4 ++--
 .../02-footprinting/email-footprinting.md | 4 ++--
 .../02-footprinting/footprinting-overview.md | 18 +++++++-------
 .../search-engines-and-online-resources.md | 6 ++---
 .../02-footprinting/website-footprinting.md | 6 ++---
 ...is-geoiplocation-and-dns-interrogation.md} | 8 +++----
 .../bypassing-ids-and-firewall.md | 6 ++---
 .../scanning-networks-overview.md | 10 ++++----
 .../03-scanning-networks/scanning-tools.md | 2 +-
 chapters/03-scanning-networks/tcpip-basics.md | 10 ++++----
 .../dns-enumeration.md | 8 +++----
 .../enumeration-overview.md | 8 +++----
 .../img/smtp-user-enum.png | Bin
 .../escalating-privileges.md | 2 +-
 .../executing-applications.md | 11 +++++----
 chapters/06-system-hacking/hiding-files.md | 8 +++----
 chapters/06-system-hacking/linux-basics.md | 6 ++---
 chapters/07-malware/malware-analysis.md | 22 +++++++++---------
 chapters/07-malware/malware-overview.md | 8 +++----
 chapters/07-malware/trojans.md | 4 ++--
 chapters/07-malware/viruses.md | 2 +-
 chapters/08-sniffing/sniffing-overview.md | 4 ++--
 chapters/08-sniffing/sniffing-tools.md | 4 ++--
 chapters/08-sniffing/spoofing-attacks.md | 4 ++--
 .../09-wireless-networks/aaa-protocols.md | 2 +-
 .../wireless-networks-overview.md | 2 +-
 .../wireless-security-tools.md | 2 +-
 .../wireless-threats-and-attacks.md | 2 +-
 .../social-engineering-overview.md | 6 ++---
 .../social-engineering-types.md | 4 ++--
 .../evading-ids.md | 6 ++---
 .../firewall-overview.md | 4 ++--
 ...trusion-detection-system-(ids)-overview.md | 2 +-
 .../12-web-servers/hacking-web-servers.md | 2 +-
 .../web-server-threats-and-attacks.md | 8 +++----
 .../13-web-applications/denial-of-service.md | 8 +++----
 .../owasp-top-10-threats.md | 13 +++++------
 .../13-web-applications/session-hijacking.md | 20 +++++++++-------
 .../sql-injection-overview.md | 4 ++--
 .../14-sql-injection/sql-injection-types.md | 2 +-
 chapters/15-cryptography/cryptanalysis.md | 2 +-
 .../encrypting-communication.md | 2 +-
 chapters/15-cryptography/encrypting-disk.md | 4 ++--
 .../15-cryptography/hashing-algorithms.md | 4 ++--
 .../15-cryptography/tunneling-protocols.md | 10 ++++----
 .../16-cloud-computing/cloud-computing.md | 6 ++---
 .../16-cloud-computing/container-security.md | 10 ++++----
 .../17-mobile-platforms/mobile-attacks.md | 4 ++--
 .../17-mobile-platforms/mobile-hacking.md | 6 ++---
 chapters/18-iot-and-ot/iot-hacking.md | 22 +++++++++---------
 chapters/18-iot-and-ot/iot-security.md | 2 +-
 61 files changed, 192 insertions(+), 178 deletions(-)
 rename chapters/02-footprinting/{whois-geoiplocation-and-dns-interogation.md => whois-geoiplocation-and-dns-interrogation.md} (92%)
 rename chapters/{04-enumaration => 04-enumeration}/dns-enumeration.md (95%)
 rename chapters/{04-enumaration => 04-enumeration}/enumeration-overview.md (98%)
 rename chapters/{04-enumaration => 04-enumeration}/img/smtp-user-enum.png (100%)
diff --git a/README.md b/README.md
index 751ce0f..89fd7ab 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,7 @@
 2. Footprinting
 1. [Footprinting overview](./chapters/02-footprinting/footprinting-overview.md)
 2. [Search engines and online resources](./chapters/02-footprinting/search-engines-and-online-resources.md)
- 3. [WHOIS, GeoIpLocation and DNS interrogation](./chapters/02-footprinting/whois-geoiplocation-and-dns-interogation.md)
+ 3. [WHOIS, GeoIpLocation and DNS interrogation](./chapters/02-footprinting/whois-geoiplocation-and-dns-interrogation.md)
 4. [Email footprinting](./chapters/02-footprinting/email-footprinting.md)
 5. [Website footprinting](./chapters/02-footprinting/website-footprinting.md)
 6. [Network footprinting](./chapters/02-footprinting/network-footprinting.md)
@@ -61,8 +61,8 @@
 5. [Bypassing IDS and firewall](./chapters/03-scanning-networks/bypassing-ids-and-firewall.md)
 6. [Banner grabbing](./chapters/03-scanning-networks/banner-grabbing.md)
 4. Enumeration
- 1. [Enumeration Overview](./chapters/04-enumaration/enumeration-overview.md)
- 2. [DNS enumeration](./chapters/04-enumaration/dns-enumeration.md)
+ 1. [Enumeration Overview](./chapters/04-enumeration/enumeration-overview.md)
+ 2. [DNS enumeration](./chapters/04-enumeration/dns-enumeration.md)
 5. Vulnerabilities
 1. [Vulnerability analysis](./chapters/05-vulnerabilities/vulnerability-analysis.md)
 2. [Common vulnerabilities](./chapters/05-vulnerabilities/common-vulnerabilities.md)
diff --git a/chapters/01-introduction/data-leakage-backup-and-recovery.md b/chapters/01-introduction/data-leakage-backup-and-recovery.md
index 950f829..9b8dc0f 100644
--- a/chapters/01-introduction/data-leakage-backup-and-recovery.md
+++ b/chapters/01-introduction/data-leakage-backup-and-recovery.md
@@ -14,7 +14,7 @@
 - Corporate espionage, phishing, malware - Business partners, consultants when company outsources
- - Less surveilance than own employees.
+ - Less surveillance than own employees.
 #### Internal threats
@@ -83,7 +83,7 @@
 - because backing-up everything is too costly and takes up much storage.
 2. **Choose appropriate backup media**
 - Reliable, solid, preferably cheap
- - E.g. USBs or portable media for personal users, and HDD/SDDs for companies with PCIs for more speed.
+ - E.g. USBs or portable media for personal users, and HDD/SDDs for companies for more speed.
 3. **Choose the appropriate backup strategy**
 - Check features such as scheduling, monitoring file changes to update back-ups, protocols, integrations...
 - Paid vs Free
@@ -99,7 +99,7 @@
 - If A fails you can reconstruct based on data in B and C - RAIDing is not only for backups, can also use for faster read and writes - E.g. BIG = Everything is seen as one drive. File is written two all of them. Crazy write & read speeds. If single disk dies all data is gone.
-5. **Choose the appropiate backup method**
+5. **Choose the appropriate backup method**
 - **Cold backup**
 - Performed while system is not in use.
 - E.g. at nights, during weekends.
diff --git a/chapters/01-introduction/hacker-types.md b/chapters/01-introduction/hacker-types.md
index 6b7a726..f062ba2 100644
--- a/chapters/01-introduction/hacker-types.md
+++ b/chapters/01-introduction/hacker-types.md
@@ -54,7 +54,7 @@ ## Grey hat hackers
-- Also known as ***grayhat***, ***gray hat***, ***gray-hat***, ***grey hat***, ***grayhat*** or ***grey-hat*** hackers.
+- Also known as ***grayhat***, ***gray hat***, ***gray-hat***, ***grey hat***, ***greyhat*** or ***grey-hat*** hackers.
 - 📝 Might break laws, regulations and ethical standards but do not have explicitly malicious indent.
 - Middleground; Not as bad as black, not as ethical as white hackers.
diff --git a/chapters/01-introduction/hacking-stages.md b/chapters/01-introduction/hacking-stages.md
index 8885b20..220fbec 100644
--- a/chapters/01-introduction/hacking-stages.md
+++ b/chapters/01-introduction/hacking-stages.md
@@ -17,7 +17,7 @@
 - In scanning you're acting on gathered information to gather information - Examples
-| Reconnaissance | Scanning |
+| [Reconnaissance](#1-reconnaissance) | [Scanning](#2-scanning) |
 | ------ | ----- |
 | Scan the perimeter network you need the IP addresses | Use e.g. `nmap` to figure out what the configuration is. |
 | Get e-mails. | Use phishing to gather personal data |
@@ -41,7 +41,7 @@
 - Keeping admin/root privileges so hacker can continue using the system.
 - After breaking into a system, you attempt to elevate privileges to do more.
 - Maintain persistent access, because your connection might break, then you start again
-- Can prevent other hackers from accessing the system by installing backdoors, rootkits, or Trojans.
+- Can prevent other hackers from accessing the system by installing backdoors, rootkits, or trojans.
 - 💡 You can install tools to give you persistance access and gathers data to use compromise more such as keylogger.
 - 💡 You can use the machine as proxy so all traces are lead back to the proxy.
 - You can minimize the risks being discovered this way.
@@ -56,5 +56,5 @@
 - Activities:
 - Clear certain entries in log files: Not all, or it'll be suspicious - Masquerade your activities: Make them as similar as possible as legitimate activities
- - E.g. good keyloggers masquerades itself behind legitimate activities
+ - E.g. a good keylogger masquerade itself behind legitimate activities
 - Mimics other programs behavior by adding more behavior.
diff --git a/chapters/01-introduction/identity-access-management-(iam).md b/chapters/01-introduction/identity-access-management-(iam).md
index 789c401..28e0adb 100644
--- a/chapters/01-introduction/identity-access-management-(iam).md
+++ b/chapters/01-introduction/identity-access-management-(iam).md
@@ -115,4 +115,4 @@
 - Directory service - Data synchronization - Metadirectory
- - Virtual Directory
+ - Virtual directory
diff --git a/chapters/01-introduction/incident-management.md b/chapters/01-introduction/incident-management.md
index a170627..2ffdcec 100644
--- a/chapters/01-introduction/incident-management.md
+++ b/chapters/01-introduction/incident-management.md
@@ -23,7 +23,13 @@
 9. **Post-incident activities** (lessons learnt)
 - Record what happened with final review.
 - Have discussion about how to avoid it in future.
-- 🤗 E.g. a developer in [Dropbox miscoded](https://www.cnet.com/news/dropbox-confirms-security-glitch-no-password-required/) authentication function to always return true. Anyone could login as whichever you user you want by just typing their e-mail. They had review policy but no one paid attention. They had protocols against major breach. Realized that it was critical and then they brought down the service to prevent huge damage (containment), and conducted investigation to see what has happened and started recovery process. It was recorded and documented for current and future employees.
+- 🤗 E.g. a developer in [Dropbox miscoded](https://www.cnet.com/news/dropbox-confirms-security-glitch-no-password-required/) authentication function to always return true.
+ - Anyone could login as whichever you user you want by just typing their e-mail.
+ - They had review policy but no one paid attention.
+ - They had protocols against major breach.
+ - Realized that it was critical and then they brought down the service to prevent huge damage (containment)
+ - Conducted investigation to see what has happened and started recovery process
+ - It was recorded and documented for current and future employees
 ## Emergency response plan
diff --git a/chapters/01-introduction/information-security-controls.md b/chapters/01-introduction/information-security-controls.md
index 35a5889..a9bc97b 100644
--- a/chapters/01-introduction/information-security-controls.md
+++ b/chapters/01-introduction/information-security-controls.md
@@ -7,7 +7,7 @@
 - **Availability**: At all times data needs to be available to those who need it, e.g. stock market - **Confidentiality**: No leaks, e.g. ensuring policies are in-place - **Authenticity**: Only those who are authorized can access something
- - **Non-repudition**: If you do something, you cannot say I did not do it, e.g. signatures, log files, camera videos.
+ - **Non-repudiation**: If you do something, you cannot say I did not do it, e.g. signatures, log files, camera videos.
 - Processes to achieve information assurance are:
 - Security policies - Network and user authentication strategy
diff --git a/chapters/01-introduction/information-security-overview.md b/chapters/01-introduction/information-security-overview.md
index 7bb14fc..c7423e1 100644
--- a/chapters/01-introduction/information-security-overview.md
+++ b/chapters/01-introduction/information-security-overview.md
@@ -61,7 +61,7 @@
 5. Patch is created - Sometimes vendor may not patch it e.g. if software is outdated or has no support.
 6. Patch is applied
- - Sometimes they're not! E.g. home routers has vulnerabilities that has been known for years as ISPs do not usually configure routers after setup.
+ - Sometimes they're not! E.g. home routers has vulnerabilities that has been known for years as ISPs do not usually configure routers after setup
 - Timeframe between patch is created and applied is used by malicious hackers to maximum extend.
 - Many times corporations are slower to react which causes harm.
@@ -91,14 +91,14 @@
 - Get access to one of the systems - E.g. an Android phone. They have many vulnerabilities.
 - They don't get updates after a while.
- - If they exceed design limits e.g. when operating when it's hot outside, then the hardware flaws occuring causes exploaitable software attacks such as [Bitsquatting](https://en.wikipedia.org/wiki/Bitsquatting)
+ - If they exceed design limits e.g. when operating when it's hot outside, then the hardware flaws occurring causes exploitable software attacks such as [Bitsquatting](https://en.wikipedia.org/wiki/Bitsquatting)
 5. Get access to - Information such as bank accounts, credit card details - After infecting one device, jump other devices in bank network if e.g. the mobile phone is also used in bank network.
 ### Doxing
-- Finding and publishing someone's personally identifial information for malicious reasons.
+- Finding and publishing someone's personally identifiable information (PII) for malicious reasons.
 - E.g. an individuals name, e-mail address or sensitive data of an organization.
 - E.g. confidential government files get leaked to the public.
 - Steps
diff --git a/chapters/01-introduction/laws-standards-and-regulations.md b/chapters/01-introduction/laws-standards-and-regulations.md
index 6bdb348..266cbff 100644
--- a/chapters/01-introduction/laws-standards-and-regulations.md
+++ b/chapters/01-introduction/laws-standards-and-regulations.md
@@ -59,7 +59,9 @@
 - Set of worldwide information security standards - Also known as ***ISMS Family of Standards*** or ***ISO27K***
-- **ISO/IEC** = The International Standard for Standardization (ISO) and the International Electrotechnical Commission (IEC)
+- ISO/IEC stands for
+ - "The International Standard for Standardization (ISO)"
+ - and "The International Electrotechnical Commission (IEC)"
 ### ISO/IEC 27001:2013
diff --git a/chapters/01-introduction/penetration-testing.md b/chapters/01-introduction/penetration-testing.md
index 77a55d1..cb2a9c6 100644
--- a/chapters/01-introduction/penetration-testing.md
+++ b/chapters/01-introduction/penetration-testing.md
@@ -4,7 +4,7 @@
 - discover vulnerabilities (and document)
 - evaluate the security - Detailed analysis of weaknesses in design, technical flaws, and vulnerabilities in organizations information security.
-- E.g. • [phishing](./../10-social-engineering/social-engineering-types.md#phishing) • [testing authentication](./../13-web-applications/hacking-web-applications.md#authentication-attacks) using [dictionaries](./../06-system-hacking/cracking-passwords-overview.md#dictionary-attack) • test if router is using an [obselete OS](./security-threats-and-attacks.md#operating-system-attacks)
+- E.g. • [phishing](./../10-social-engineering/social-engineering-types.md#phishing) • [testing authentication](./../13-web-applications/hacking-web-applications.md#authentication-attacks) using [dictionaries](./../06-system-hacking/cracking-passwords-overview.md#dictionary-attack) • test if router is using an [obsolete OS](./security-threats-and-attacks.md#operating-system-attacks)
 ## Purpose
@@ -130,7 +130,7 @@ ## Security testing methodology
 - Approach to attempt to find vulnerabilities in the system's security mechanisms.
-- Used during e.g. [security audit](#security-audit), [vulnerability assesment](#vulnerability-assessment) and [penetration test](#penetration-test).
+- Used during e.g. [security audit](#security-audit), [vulnerability assessment](#vulnerability-assessment) and [penetration test](#penetration-test).
 - 💡 Using a good security testing methodology provides a repeatable framework
 ### Proprietary methodologies
diff --git a/chapters/01-introduction/security-policies.md b/chapters/01-introduction/security-policies.md
index 5c1c05f..6b00480 100644
--- a/chapters/01-introduction/security-policies.md
+++ b/chapters/01-introduction/security-policies.md
@@ -90,11 +90,11 @@
 - Same as **Terms of Service** or **Terms of Use**
 - 📝 Description of what constitutes acceptable and unacceptable use of the Internet
-- Code of conduct governing the behaviour of a user whilst connected to the network/Internet.
+- Code of conduct governing the behavior of a user whilst connected to the network/Internet.
 - E.g.
 - ISP providers allows you to use unlimited bandwidth - In contract you see it says it's about "fair use"
- - Fair use can be e.g. to not exceed 50% maximum potential bandwith that could be used with that bandwidth - Prohibiting port scanning or security scanning - Never revealing a password
diff --git a/chapters/02-footprinting/email-footprinting.md b/chapters/02-footprinting/email-footprinting.md
index 09dfcc6..e1369cf 100644
--- a/chapters/02-footprinting/email-footprinting.md
+++ b/chapters/02-footprinting/email-footprinting.md
@@ -47,9 +47,9 @@
 - Combination of two protocols SPF + DKIM - It builds on them and adds more policy
-## Verifying email legitimity
+## Verifying email legitimacy
-- Double check FROM
+- Double check `FROM`
 - Check the spelling in domain name so it's coming from the domain of the company - If it's random e-mail check if it's from one of the biggest domain providers or if something legit.
 - Check IP of the domain
diff --git a/chapters/02-footprinting/footprinting-overview.md b/chapters/02-footprinting/footprinting-overview.md
index d292df0..b626784 100644
--- a/chapters/02-footprinting/footprinting-overview.md
+++ b/chapters/02-footprinting/footprinting-overview.md
@@ -15,14 +15,14 @@
 - 📝 No direct contact with target - Rely on information that is publicly available.
 - Most difficult to detect
-- E.g. • News • job postings • [WHOIS](./whois-geoiplocation-and-dns-interogation.md#whois) databases • government records • document sifting • [dumpster diving | Social engineering](./../10-social-engineering/social-engineering-types.md#dumpster-diving) • [competitive analysis](#competitive-intelligence) • browser search • map lookup • DNS lookup • Facebook/Twitter search
+- E.g. • News • job postings • [WHOIS](./whois-geoiplocation-and-dns-interrogation.md#whois) databases • government records • document sifting • [dumpster diving | Social engineering](./../10-social-engineering/social-engineering-types.md#dumpster-diving) • [competitive analysis](#competitive-intelligence) • browser search • map lookup • DNS lookup • Facebook/Twitter search
 #### Open-source intelligence (OSINT)
 - 📝 Collection and analysis of information that is gathered from public, or open, sources - ❗ "Open-source" is unrelated to open-source software or collective intelligence - Categories: • media • internet • public government data • professional and academic publications • commercial data • grey literature
-- [awesome-osint | list of tools](https://github.com/jivoi/awesome-osint), [osintframework | graph of tools](https://osintframework.com/)
+- [awesome-osint | list of tools](https://github.com/jivoi/awesome-osint), [OsintFramework | graph of tools](https://osintframework.com/)
 #### Competitive intelligence
@@ -31,7 +31,7 @@
 - Tools include - Traffic statistics: [Alexa](https://alexa.com)
 - News: [Google finance](https://finance.google.com)
- - Company plans/financials: • [SEC Info](https://www.secinfo.com) • [Experian](https://experian.com) • [Market Watch](https://marketwatch.com) • [Wall Street Monitor](https://twst.com) • [Euromonitor](https://euromonitor.com)
+ - Company plans/finances: • [SEC Info](https://www.secinfo.com) • [experian](https://experian.com) • [Market Watch](https://marketwatch.com) • [Wall Street Monitor](https://twst.com) • [EuroMonitor](https://euromonitor.com)
 - Company origins and development: • [EDGAR Database](https://sec.gov/edgar.shtml) • [Hoovers](https://hoovers.com) • [LexisNexis](https://lexisnexis.com) • [Business Wire](https://businesswire.com)
 ### Active footprinting
@@ -42,21 +42,21 @@
 - Examples - Buying beers for company employees to see what you can extract.
 - Network mapping with `nmap`, perimeter mapping, port scanning, web profiling...
- - • E-mail tracking • Phishing scheme with an email • Querying name servers • File metadata • Social engineering • Extracting DNS information • Ttraceroute analysis
+ - • E-mail tracking • Phishing scheme with an email • Querying name servers • File metadata • Social engineering • Extracting DNS information • [Traceroute](./network-footprinting.md#traceroute) analysis
 - 💡 Easier idea to start with passive footprinting by gathering all publicly available data - Then organizing it, and putting in one place.
 - Then use active footprinting with starting probing for ports, networks, possible vulnerabilities etc.
 - 💡Good to learn more about stuff (employees) of a company - through them you can learn a lot more and gain a lot more access - e.g. contact them through social media and start a conversation
- - e.g. join a conference that you see the person is attending on Linkedin and meet him.
+ - e.g. join a conference that you see the person is attending on LinkedIn and meet him.
 ## Footprinting information
 - **Network information**
 - Domains, subdomains - IP addresses
- - [Whois](./whois-geoiplocation-and-dns-interogation.md#whois) and DNS records
+ - [Whois](./whois-geoiplocation-and-dns-interrogation.md#whois) and DNS records
 - VPN firewalls using e.g. [ike-scan](https://github.com/royhills/ike-scan)
 - **System information**
 - Web server operating systems
@@ -98,10 +98,10 @@
 - **[Recon-dog](https://github.com/s0md3v/ReconDog)**
 - Open-source CLI tool self-claimed as Reconnaissance Swiss Army Knife - Can extracts targets from STDIN (piped input) and act upon them
- - Passive reconnaissance tool extracting all information with APIs without any contact witht target
-- **[Dmitry](https://github.com/jaygreig86/dmitry)** (Deepmagic Information Gathering Tool)
+ - Passive reconnaissance tool extracting all information with APIs without any contact with target
+- **[Dmitry](https://github.com/jaygreig86/dmitry)** (DeepMagic Information Gathering Tool)
 - CLI tool to analyze a website e.g. `dmitry https://cloudarchitecture.io`
- - • Performs [WHOIS](./whois-geoiplocation-and-dns-interogation.md#whois) lookup on IP and domain • Retrieves [Netcraft](./search-engines-and-online-resources.md#netcraft) information • Search for subdomains/email addresses • Performs TCP scanning • Grabs banner for each port
+ - • Performs [WHOIS](./whois-geoiplocation-and-dns-interrogation.md#whois) lookup on IP and domain • Retrieves [Netcraft](./search-engines-and-online-resources.md#netcraft) information • Search for subdomains/email addresses • Performs TCP scanning • Grabs banner for each port
 ## Footprinting reports
diff --git a/chapters/02-footprinting/search-engines-and-online-resources.md b/chapters/02-footprinting/search-engines-and-online-resources.md
index 2bd4374..c09ce8e 100644
--- a/chapters/02-footprinting/search-engines-and-online-resources.md
+++ b/chapters/02-footprinting/search-engines-and-online-resources.md
@@ -27,7 +27,7 @@
 | **`AND`** | Results related to both X and Y, google default. | `jobs AND gates` |
 | **`-`** | Exclude a term or phrase | `jobs ‑apple` |
 | **`*`** | Wildcard that will match any word or phrase. | `"Google * my life"` > google changed my life, google runs my life... |
- | **`(`**, **`)`** | Group multiple terms | `(ipad OR iphone) apple` |
+ | **`(`**, **`)`** | Group multiple terms | `(iPad OR iPhone) apple` |
 - E.g. finding passwords: `intext:"please change your" password | code | login file:pdf | doc | txt | docx -github`
 - **`intext`**: in the text of the website
@@ -58,7 +58,7 @@
 1. Queries Google for different filetypes that may have metadata - Combining `site:` and `filetype` dorks
 2. Downloads the documents to disk and extracts the metadata of the file
- 3. Parses files using different libraries for metadata (e.g. Hachoir, Pdfminer)
+ 3. Parses files using different libraries for metadata (e.g. Hachoir, pdfminer)
 ## Online services
@@ -76,7 +76,7 @@ ### Video search engines
 - Search video related to target and extract video information
-- E.g. • Youtube • Google Videos
+- E.g. • YouTube • Google Videos
 - Video analysis tools include • YouTube DataViewer • EZGif • VideoReverser.com,
 ### Meta data engines
diff --git a/chapters/02-footprinting/website-footprinting.md b/chapters/02-footprinting/website-footprinting.md
index 16573d2..cb2ae1d 100644
--- a/chapters/02-footprinting/website-footprinting.md
+++ b/chapters/02-footprinting/website-footprinting.md
@@ -43,9 +43,9 @@
 - In most of browsers you can right click and how source - Walkthrough - In almost any browser: Right click => Show source
- - Check for HTML `` or JavaScript `// comment` comments.
- - They are kipped by interpretors and compilers, only for human eyes
- - They can be instructions for other devs, notes for themselves.
+ - Check for HTML `` or JavaScript `// comment` comments
+ - They are skipped by interpreters and compilers, only for human eyes
+ - They can be instructions for other developers, notes for themselves
 - E.g. this library won't work as this element is not supported - Gives you clues about what technology (frameworks, languages) they use in the background
diff --git a/chapters/02-footprinting/whois-geoiplocation-and-dns-interogation.md b/chapters/02-footprinting/whois-geoiplocation-and-dns-interrogation.md
similarity index 92%
rename from chapters/02-footprinting/whois-geoiplocation-and-dns-interogation.md
rename to chapters/02-footprinting/whois-geoiplocation-and-dns-interrogation.md
index 00ea3b7..ee84f7b 100644
--- a/chapters/02-footprinting/whois-geoiplocation-and-dns-interogation.md
+++ b/chapters/02-footprinting/whois-geoiplocation-and-dns-interrogation.md
@@ -23,7 +23,7 @@
 - Emails are usually still redirected to the owner.
 - 💡 Allows for e-mail phishing to learn who the actual owner is.
 - Domain server
- - Who it's registered with e.g. [namecheap](https://www.namecheap.com), [gandi](https://www.gandi.net)
+ - Who it's registered with e.g. [NameCheap.com](https://www.namecheap.com), [Gandi.net](https://www.gandi.net)
 - 💡 Site owner might have account in the server, and you can test passwords there.
 - Net range - Domain expiration
@@ -36,7 +36,7 @@
 - **ARIN**: American Registry for Internet Numbers - **AFRINIC**: African Network Information Center - **APNIC**: Asia Pacific Network Information Center
- - **RIPE**: Reseaux IP Europeens Network Coordination Centre
+ - **RIPE**: Réseaux IP Européens Network Coordination Centre
 - **LACNIC**: Latin American and Caribbean Network Information Center - 🤗 Every ISP, hosting company etc. must be member of one of the registries to get IP addresses.
@@ -46,7 +46,7 @@
 - Includes country, city, postal code, ISP, and so on - Country is mostly accurate but city, coordinates are not but approximated - Helps with social engineering attacks
-- E.g. [geoiptool.com](https://geoiptool.com)
+- E.g. [GeoIpTool.com](https://geoiptool.com)
 ### DNS interrogation
@@ -63,7 +63,7 @@
 ```
 - A records returns multiple IP addresses to increase speed and availability e.g. when hosting same content in multiple continents.
-- See also [DNS enumeration](./../04-enumaration/dns-enumeration.md#dns-records)
+- See also [DNS enumeration](./../04-enumeration/dns-enumeration.md#dns-records)
 #### Reverse DNS lookup
diff --git a/chapters/03-scanning-networks/bypassing-ids-and-firewall.md b/chapters/03-scanning-networks/bypassing-ids-and-firewall.md
index 6b4a78c..628a164 100644
--- a/chapters/03-scanning-networks/bypassing-ids-and-firewall.md
+++ b/chapters/03-scanning-networks/bypassing-ids-and-firewall.md
@@ -8,7 +8,7 @@
 - Also known as ***IP fragment scanning*** or ***IP fragmentation***
 - 📝 Splitting up TCP header to several smaller (fragmented) packets when sending - Server then reassembles them once all packets are received.
-- Usually ignored by IDSs as processing them requires a lot of computer resources
+- Usually ignored by IDSes as processing them requires a lot of computer resources
 - Any IP datagram can be fragmented: including UDP, TCP, ICMP, etc.
 - See also [session splicing](./../11-firewalls-ids-and-honeypots/evading-ids.md#session-splicing) for HTTP header variant.
 - Tools
@@ -75,7 +75,7 @@
 - Allows packets to arrive out of order - Window size field in TCP header - Tells maximum amount of data sender can transmit without waiting for `ACK`
- - **Windows update packet** is used to negotatiate a different window size.
+ - **Windows update packet** is used to negotiate a different window size.
 - Attacker that uses spoof IPs do not receive window size information - If victims receives data packets beyond the window size, they are spoofed packets
@@ -98,7 +98,7 @@
 - Egress filtering against insider attacks - Blocking outcoming traffic - Good against insider attacks where e.g. malware can send information
-- [SYN flooding countermasures](./../13-web-applications/denial-of-service.md#syn-flood-countermeasures)
+- [SYN flooding countermeasures](./../13-web-applications/denial-of-service.md#syn-flood-countermeasures)
 ## Encryption
diff --git a/chapters/03-scanning-networks/scanning-networks-overview.md b/chapters/03-scanning-networks/scanning-networks-overview.md
index b73dd89..4cdd013 100644
--- a/chapters/03-scanning-networks/scanning-networks-overview.md
+++ b/chapters/03-scanning-networks/scanning-networks-overview.md
@@ -33,10 +33,10 @@
 | 21 | TCP | [FTP (File Transfer Protocol)](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) |
 | 22 | TCP | [SSH (Secure Shell)](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell) |
 | 23 | TCP | [Telnet](banner-grabbing.md#telnet) |
- | 25 | TCP | [SMTP (Simple Mail Transfer Protocol)](./../04-enumaration/enumeration-overview.md#smtp) |
- | 53 | TCP/UDP | [DNS (Domain Name Server)](./../04-enumaration/dns-enumeration.md#dns) |
+ | 25 | TCP | [SMTP (Simple Mail Transfer Protocol)](./../04-enumeration/enumeration-overview.md#smtp) |
+ | 53 | TCP/UDP | [DNS (Domain Name Server)](./../04-enumeration/dns-enumeration.md#dns) |
 | 80 | TCP | HTTP (Hypertext Transfer Protocol) ❗ HTTP/3 will run over UDP |
- | 123 | TCP | [NTP (Network Time Protocol)](./../04-enumaration/enumeration-overview.md#ntp) |
+ | 123 | TCP | [NTP (Network Time Protocol)](./../04-enumeration/enumeration-overview.md#ntp) |
 | 443 | TCP/UDP | HTTPS | Hypertext Transfer Protocol Secure (HTTPS) |
 | 500 | TCP/UDP | [IKE/IPSec (Internet Key Exchange / IPSec)](./../15-cryptography/tunneling-protocols.md#ipsec) |
 | 631 | TCP/UDP | IPP (Internet Printing Protocol) |
@@ -44,12 +44,12 @@
 | 9100 | TCP/UDP | AppSocket/JetDirect (HP JetDirect, Printer PDL Data Stream) |
 - Read more on [IANA ports list](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt)
-- See also • [Port monitoring | Malware analysis](./../07-malware/malware-analysis.md#port-monitoring) • [Common ports and services to enumerate | Enumeration](./../04-enumaration/enumeration-overview.md#common-ports-and-services-to-enumerate)
+- See also • [Port monitoring | Malware analysis](./../07-malware/malware-analysis.md#port-monitoring) • [Common ports and services to enumerate | Enumeration](./../04-enumeration/enumeration-overview.md#common-ports-and-services-to-enumerate)
 ## Drawing and mapping out network topologies
 - Useful for identifying and understanding the topology of the target network.
- - The diagram can tell the attacker how firewalls, IDSs, routers, and other devices are arranged in the network
+ - The diagram can tell the attacker how firewalls, IDSes, routers, and other devices are arranged in the network
 - Information can be used for vulnerability discovery and exploit.
 - A popular tool is *`zenmap`*: A GUI for [`nmap`](./scanning-tools.md#nmap)
 - ![zenmap screenshot](img/zenmap.png)
diff --git a/chapters/03-scanning-networks/scanning-tools.md b/chapters/03-scanning-networks/scanning-tools.md
index 45d48ff..838b1b9 100644
--- a/chapters/03-scanning-networks/scanning-tools.md
+++ b/chapters/03-scanning-networks/scanning-tools.md
@@ -74,7 +74,7 @@
 #### `-o*`: output options
 - `-oX` for XML output.
-- `-oG` for grepable output to be able to use linux `grep` command to search in text.
+- `-oG` for `grep`able output to be able to use linux [`grep` command](../06-system-hacking/linux-basics.md) to search in text
 - ❗ Not to be confused with `-O` (OS fingerprinting)
 #### Faster scans
diff --git a/chapters/03-scanning-networks/tcpip-basics.md b/chapters/03-scanning-networks/tcpip-basics.md
index f466634..783276e 100644
--- a/chapters/03-scanning-networks/tcpip-basics.md
+++ b/chapters/03-scanning-networks/tcpip-basics.md
@@ -119,7 +119,7 @@
 ## OSI model
-- Conceptual model that characterises and standardises the communication functions
+- Conceptual model that characterizes and standardizes the communication functions
 - 📝 Uses seven abstraction layers:
 1. **Physical** (bits) - Media, signal & binary transmission
@@ -142,7 +142,7 @@
 - E.g. • [SSL/TLS](./../15-cryptography/encrypting-communication.md#ssltls) (not entirely) • [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell) • IMAP • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • MPEG • JPEG
 7. **Application** (data) - End User Layer: network process to application
- - E.g. • HTTP • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • IRC • [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell) • [DNS](./../04-enumaration/dns-enumeration.md#dns) • [SMTP](./../04-enumaration/enumeration-overview.md#smtp)
+ - E.g. • HTTP • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • IRC • [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell) • [DNS](./../04-enumeration/dns-enumeration.md#dns) • [SMTP](./../04-enumeration/enumeration-overview.md#smtp)
 - See also • [Firewall types per OSI Layer | Firewall](./../11-firewalls-ids-and-honeypots/firewall-overview.md#firewall-types-per-osi-layer) • [Vulnerability stack | Hacking web applications](./../13-web-applications/hacking-web-applications.md#vulnerability-stack) • [Encryption types per OSI layer | Encryption algorithms](./../15-cryptography/encryption-algorithms.md#encryption-types-per-osi-layer)
 ## TCP/IP model
@@ -151,7 +151,7 @@
 1. **Link layer**: • [ARP](./../08-sniffing/arp-poisoning.md#arp) • [PPP](./../15-cryptography/tunneling-protocols.md#ppp-point-to-point-protocol) • [MAC](./../08-sniffing/sniffing-attacks-overview.md#mac)
 2. **Internet layer**: • TCP • UDP • DCCP • SCTP ...
 3. **Transport layer**: • IP • ICMP • ECN • [IPSec](./../15-cryptography/tunneling-protocols.md#ipsec) ...
- 4. **Application layer**: • [DNS](./../04-enumaration/dns-enumeration.md#dns) • HTTP • HTTPS • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell)) • SMTP ...
+ 4. **Application layer**: • [DNS](./../04-enumeration/dns-enumeration.md#dns) • HTTP • HTTPS • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell)) • SMTP ...
 - ❗ OSI model does not match well TCP/IP
 - [RFC 3439](https://tools.ietf.org/html/rfc3439) considers layering "harmful"
 - ❗ E.g. SSL/TLS does not fit in any of OSI or TCP/IP layers
@@ -160,9 +160,9 @@
 ## TCP/IP vs OSI model
-| TCP/IP | Procotols and services | OSI model |
+| TCP/IP | Protocols and services | OSI model |
 | ------ |:----------------------:| --------- |
-| Application | • HTTP • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • Telnet • [NTP](./../04-enumaration/enumeration-overview.md#ntp) • DHCP • PING | • Application • Presentation • Session |
+| Application | • HTTP • [FTP](./../15-cryptography/encrypting-communication.md#ftp-file-transfer-protocol) • Telnet • [NTP](./../04-enumeration/enumeration-overview.md#ntp) • DHCP • PING | • Application • Presentation • Session |
 | Transport | • TCP • UDP | Transport |
 | Network | • IP • [ARP](./../08-sniffing/arp-poisoning.md#arp) • [ICMP](./scanning-techniques.md#scanning-icmp) • IGMP | Network |
 | Network interface | • Ethernet • PPTP | • Data Link • Physical |
diff --git a/chapters/04-enumaration/dns-enumeration.md b/chapters/04-enumeration/dns-enumeration.md
similarity index 95%
rename from chapters/04-enumaration/dns-enumeration.md
rename to chapters/04-enumeration/dns-enumeration.md
index ff06989..f6b951a 100644
--- a/chapters/04-enumaration/dns-enumeration.md
+++ b/chapters/04-enumeration/dns-enumeration.md
@@ -21,7 +21,7 @@
 - Points a domain to an IPv6 address, such as `FE80::0202:B3FF:FE1E:8329`.
 - **`MX`**
 - Mail eXchange records are used to direct emails sent to domain
- - See also [MX records | Whois, GeoIpLocation and DNS interrogation](./../02-footprinting/whois-geoiplocation-and-dns-interogation.md#mx-records)
+ - See also [MX records | Whois, GeoIpLocation and DNS interrogation](./../02-footprinting/whois-geoiplocation-and-dns-interrogation.md#mx-records)
 - **`NS`**
 - Used to delegate a domain or subdomain to a set of name servers
 - **`SOA`**
@@ -53,16 +53,16 @@
 ## DNS enumeration techniques
-- Check all NS Records for [zone Ttransfers](#zone-transfers).
+- Check all NS Records for [zone transfers](#zone-transfers).
 - Enumerate general [DNS records](#dns-records) for a given domain.
 - Perform common SRV Record Enumeration.
 - Service records contain the hostname, port and priority of servers for a given service.
- - Enumerates e.g. • LDAP • Exchange Autodiscovery • Kerberos...
+ - Enumerates e.g. • LDAP • Autodiscover for Exchange • Kerberos...
 - E.g. by `nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='google.com'"`
 - Brute force subdomain and host A and AAAA records discovery with given top domain and wordlist.
 - DNS PTR lookup given a IP range CIDR range
 - Querying dns for PTR record of each IP in subnet
-- See also [DNS interrogation](./../02-footprinting/whois-geoiplocation-and-dns-interogation.md#dns-interrogation)
+- See also [DNS interrogation](./../02-footprinting/whois-geoiplocation-and-dns-interrogation.md#dns-interrogation)
 ### DNS cache snooping
diff --git a/chapters/04-enumaration/enumeration-overview.md b/chapters/04-enumeration/enumeration-overview.md
similarity index 98%
rename from chapters/04-enumaration/enumeration-overview.md
rename to chapters/04-enumeration/enumeration-overview.md
index 1c0608d..2040973 100644
--- a/chapters/04-enumaration/enumeration-overview.md
+++ b/chapters/04-enumeration/enumeration-overview.md
@@ -42,7 +42,7 @@
 ### Windows enumeration
 - **Enumerating all shares**
- - `net share` or `net view \\servername /all`
+ - `net share` or `net view \\serverName /all`
 - **Enumerating machine configuration through null sessions**
 - Null sessions allow for enumeration of Windows machines to access information about the machine configuration.
 - E.g. `net use \\target\ipc$ "" /user: "`
@@ -147,7 +147,7 @@
 - Text-file that translates numerical OIDs to word-based OIDs.
 - E.g. `SYNOLOGY-SYSTEM-MIB::temperature.0`
 - You can collect information CPU usage level, disk usage level, network settings using vendor-specific OIDs.
-- Version 1, 2: (unsecure) No encryption, only "community string" and no encryption
+- Version 1, 2: (❗️ insecure) No encryption, only "community string" and no encryption
 - Version 3: Username + password and encryption
 #### SNMP enumeration tools
@@ -217,7 +217,7 @@
 #### NTP enumeration tools
 - [`ntptrace`](https://www.eecis.udel.edu/~mills/ntp/html/ntptrace.html): traces NTP servers back to the primary source.
-- [`ntpdc`](http://doc.ntp.org/4.1.2/ntpdc.htm): monitors operation of the NTP deamon, ntpd
+- [`ntpdc`](http://doc.ntp.org/4.1.2/ntpdc.htm): monitors operation of the NTP daemon, ntpd
 - [`ntpq`](http://doc.ntp.org/4.1.0/ntpq.htm): monitors NTP daemon ntpd operations and determines performance.
 - Other tools include: • NTP Time Server Monitor • NTP server Scanner • Nmap • Wireshark • AtomSync • NTPQuery, • PresenTense NTP Auditor • PresenTense Time Server • PresenTense Time Client • Lan Time Analyser...
@@ -247,7 +247,7 @@
 - `VRFY`: validates e-mail address that actually exists
 - `EXPN`: tells the actual delivery address of aliases and mailing lists
 - `RCPT TO`: Defines recipients of the messages
-- ❗ Some admins may turn off `VRFY` and `EXPN`, but not `RCPT TO` (or no one can recieve e-mail)
+- ❗ Some admins may turn off `VRFY` and `EXPN`, but not `RCPT TO` (or no one can receive e-mail)
 #### SMTP enumeration through tools
diff --git a/chapters/04-enumaration/img/smtp-user-enum.png b/chapters/04-enumeration/img/smtp-user-enum.png
similarity index 100%
rename from chapters/04-enumaration/img/smtp-user-enum.png
rename to chapters/04-enumeration/img/smtp-user-enum.png
diff --git a/chapters/06-system-hacking/escalating-privileges.md b/chapters/06-system-hacking/escalating-privileges.md
index 2b3c980..429d13e 100644
--- a/chapters/06-system-hacking/escalating-privileges.md
+++ b/chapters/06-system-hacking/escalating-privileges.md
@@ -68,7 +68,7 @@
 #### OS X applications dynamic library vulnerability
 - **Behavior**: OS X looks for dynamic libraries (`dylib`) in multiple directories when loading them.
-- **Vulnerability**: Injecting malicious `dylibs` into one of the primary directories, which will then be loaded instead of the original one.
+- **Vulnerability**: Injecting malicious `dylib`s into one of the primary directories, which will then be loaded instead of the original one.
 #### Launch Daemon
diff --git a/chapters/06-system-hacking/executing-applications.md b/chapters/06-system-hacking/executing-applications.md
index e9efc25..6cb9f7f 100644
--- a/chapters/06-system-hacking/executing-applications.md
+++ b/chapters/06-system-hacking/executing-applications.md
@@ -23,7 +23,7 @@
 - ![Hardware keylogger](img/hardware-keylogger.jpg)
 - Look like USB drives and are designed to record keystrokes, which are stored on the device.
 - Placed between a keyboard plug and USB socket
-- Cannot be detected by antispyware or antivirus programs.
+- Cannot be detected by anti-spyware or antivirus programs.
 - Discoverable as they have to be physically placed onto a target's machine
 #### Hardware keylogger types
@@ -51,12 +51,15 @@
 - **Kernel keylogger**
 - Designed to exist on a kernel level and act as a keyboard device driver
 - Allows it to record everything that is typed on the keyboard
-- **Rootkit keylogger**: forged Windows device driver which records keystrokes
+- **Rootkit keylogger**
+ - Forged Windows device driver which records keystrokes
 - **Device driver keylogger**
 - Designed to replace the driver that has the keylogging functionality
 - Logs the keystrokes, and send the file to a remote location
-- **Hypervisor-based keylogger**: designed to work within a malware hypervisor that is operating on the OS
-- **Form grabbing based keylogger**: designed to record web browsing when the Submit event is triggered.
+- **Hypervisor-based keylogger**
+ - Designed to work within a malware hypervisor that is operating on the OS
+- **Form grabbing based keylogger**
+ - Designed to record web browsing when the Submit event is triggered
 ## Spyware
diff --git a/chapters/06-system-hacking/hiding-files.md b/chapters/06-system-hacking/hiding-files.md
index fe13ecd..a07bace 100644
--- a/chapters/06-system-hacking/hiding-files.md
+++ b/chapters/06-system-hacking/hiding-files.md
@@ -43,7 +43,7 @@
 - **Horse Pill**, [slides](https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf), [code](https://github.com/r00tkillah/HORSEPILL)
 - Linux rootkit that:
- 1. Infects systems via the initial ramdisk
+ 1. Infects systems via the initial RAM disk (drive)
 2. Deceives system owners using container primitives.
 - **GrayFish**
 - Rootkit suspectedly used by NSA in USA in attacks against e.g. Iran.
@@ -55,14 +55,14 @@
 - Downloads other malware on an infected machine from a P2P botnet.
 - **Necurs**
 - Infector and rootkit with worlds largest P2P botnet
- - Distributes many malwares, including [Locky](https://en.wikipedia.org/wiki/Locky) ransomware.
+ - Distributes many malware, including [Locky](https://en.wikipedia.org/wiki/Locky) ransomware.
 - [Taken down](https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/) by Microsoft and its partners in 2019
 - **Grayfish**
 - Developed by Equation Group that's considered to be part of the NSA.
 ### Bootkit
-- Kernel-mode rootkit that runs everytime computer runs
+- Kernel-mode rootkit that runs every time computer runs
 - Can bypass code signing (kernel-level) in Windows by attaching itself to the master boot record (MBR) of a hard drive
 - Then the rootkit is able to modify boot sequences and other options
 - Allows rootkit to be loaded before the Windows kernel is loaded
@@ -135,7 +135,7 @@
 #### `steghide`
 - [Tool](http://steghide.sourceforge.net/index.php) to embed and extract data from JPEG, BMP, WAV and AU.
-- `steghide embed -cf test.jpg -ef hideme.txt`
+- `steghide embed -cf test.jpg -ef hide-me.txt`
 - `-cf`: target file where the data will be hid
 - `-ef`: file to be embedded
 - Asks you for passphrase to encrypt the data
diff --git a/chapters/06-system-hacking/linux-basics.md b/chapters/06-system-hacking/linux-basics.md
index 10fb669..eba4fc4 100644
--- a/chapters/06-system-hacking/linux-basics.md
+++ b/chapters/06-system-hacking/linux-basics.md
@@ -43,7 +43,7 @@
 - Using `&` will cause the program to run in the background.
 - Makes it only useful for programs that do not need input.
 - The program will terminate if you log out
-- Program can be brought to foreground using `fg `
+- Program can be brought to foreground using `fg `
 ## 📝 Common linux commands
@@ -130,7 +130,7 @@
 - `passwd`: used for changing passwords for user accounts.
 - `paste`: merges lines of files
 - `pidof`: gives the process ID of a running program/process.
-- `ping`: check swhether or not a system is up and responding.
+- `ping`: checks whether or not a system is up and responding.
 - `ps`: displays information (in the form of a snapshot) about the currently active processes.
 - `pstree`: produces information about running processes in the form of a tree.
 - `pwd`: displays the name of current/working directory.
@@ -182,7 +182,7 @@
 - `which`: locates a command - the file and the path of the file that gets executed.
 - `who`: shows who is logged on.
 - `whereis`: shows in output locations of the binary, source, and manual page files for a command.
-- `whoami`: prints effective userid of the current user.
+- `whoami`: prints effective `userid` of the current user.
 - `xargs`: builds and executes command lines from standard input.
 - `yes`: outputs a string repeatedly until killed.
 - `zcat`: displays the content of gzip compressed files.
diff --git a/chapters/07-malware/malware-analysis.md b/chapters/07-malware/malware-analysis.md
index 1954bf9..cd19dc9 100644
--- a/chapters/07-malware/malware-analysis.md
+++ b/chapters/07-malware/malware-analysis.md
@@ -36,7 +36,7 @@
 - Refreshes automatically
 - [CurrPorts](https://www.nirsoft.net/utils/cports.html) (GUI)
 - View open ports and connections per process on Windows
-- See also • [Common ports to scan | Scanning networks](./03-scanning-networks/../../03-scanning-networks/scanning-networks-overview.md#common-ports-to-scan) • [Common ports and services to enumerate](./../04-enumaration/enumeration-overview.md#common-ports-and-services-to-enumerate)
+- See also • [Common ports to scan | Scanning networks](./03-scanning-networks/../../03-scanning-networks/scanning-networks-overview.md#common-ports-to-scan) • [Common ports and services to enumerate](./../04-enumeration/enumeration-overview.md#common-ports-and-services-to-enumerate)
 ##### Process monitoring
@@ -48,20 +48,20 @@
 - Registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems.
 - Malware modifies registry including keys such as `Run`, `RunServices`, `RunOnce`, `RunServicesOnce`, `HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*.`
-- Use native regedit or e.g. [RegScanner](https://www.nirsoft.net/utils/regscanner.html), [Registry Viewer](https://accessdata.com/product-download/registry-viewer-2-0-0), [Active Registry Monitor](https://www.devicelock.com/arm/) to monitor registry changes.
+- Use native `regedit` or e.g. [RegScanner](https://www.nirsoft.net/utils/regscanner.html), [Registry Viewer](https://accessdata.com/product-download/registry-viewer-2-0-0), [Active Registry Monitor](https://www.devicelock.com/arm/) to monitor registry changes.
 ##### Windows services monitoring
-- Malwares usually install and run themselves as services.
+- Malware usually install and run themselves as services.
 - Use e.g. [Windows Service Manager (SrvMan)](https://sysprogs.com/legacy/tools/srvman/), [Process Hacker](https://processhacker.sourceforge.io/), [AnVir Task manager](https://www.anvir.com/) to monitor services
 ##### Startup programs monitoring
-- Malwares modify startup settings to execute themselves when system starts
+- Malware modify startup settings to execute themselves when system starts
 - Check:
 - Startup registry keys
 - Automatically loaded drivers
- - `boot.ini` or `bcd` (bootmgr) entries
+ - `boot.ini` or `bcd` (`bootmgr`) entries
 - Services that starts automatically in `services.msc`
 - Startup folder
 - Tools include [Autoruns for Windows](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns), [Autorun Organizer](https://www.chemtable.com/autorun-organizer.htm), [WinTools.net: Startup Manager](http://wintools.net/startup/index.html)
@@ -81,7 +81,7 @@
 - Scan system files for suspicious files and folders
 - Tools include:
- - Sigverif
+ - `Sigverif`
 - Built-in Windows tool
 - Identifies unsigned drivers
 - [Tripwire File Integrity Manager](https://www.tripwire.com/products/tripwire-file-integrity-manager)
@@ -105,7 +105,7 @@
 ##### API calls monitoring
-- Malwares use Windows APIs to perform malicious task
+- Malware use Windows APIs to perform malicious task
 - API call monitoring tools include [API Monitor](http://www.rohitab.com/apimonitor), [Runscope](https://www.runscope.com/)
 ##### System baselining
@@ -133,7 +133,7 @@
 - One or more processes are assigned to run scripts of each site.
 - Each Chrome extension and app runs in its own process
 - **Virtual machines**
- - Good for testing / reverse engineering malwares
+ - Good for testing / reverse engineering malware
 - E.g. YouTubers messing with scammers utilizes virtual machines, [video](https://www.youtube.com/watch?v=BQ3FD26Bv8c), [video](https://www.youtube.com/watch?v=vgYeDMwteZo)
 - 💡 Good hypervisor is important to ensure nothing goes out of the environment.
 - E.g. KVM (used by AWS) is good on AWS, and Hyper-V in Windows
@@ -146,8 +146,8 @@
 ## Anti-malware software
-- Includes e.g. antiviruses, anti-spyware, anti-trojans, anti-spamware, anti-phishing, and email scanners.
-- Helps detecting, mitigating, preventing and repearing any damage by malware.
+- Includes e.g. antivirus, anti-spyware, anti-trojans, anti-spamware, anti-phishing, and email scanners.
+- Helps detecting, mitigating, preventing and repairing any damage by malware.
 - Looks for behavior typical to viruses and give warnings.
 - Looks for already known virus signatures and warns the user if a threat is found.
 - E.g. Kaspersky, McAffee, AVG, Norton, Avira, Bitdefender
@@ -177,7 +177,7 @@
 - Intercepts the virus if it detect suspicious behavior (e.g. network access) and asks user if the user wants to continue.
 - Useful for logic bombs (only executed if certain conditions are met) or trojans
 - **Code emulation**
- - Executes a virtual machine mimicing CPU and memory
+ - Executes a virtual machine mimicking CPU and memory
 - Useful against encrypted, polymorphic or metamorphic viruses
 - **Heuristic analysis**
 - Helps in detecting new or unknown viruses
diff --git a/chapters/07-malware/malware-overview.md b/chapters/07-malware/malware-overview.md
index 5abacc9..86d74a0 100644
--- a/chapters/07-malware/malware-overview.md
+++ b/chapters/07-malware/malware-overview.md
@@ -8,10 +8,10 @@
 ## Malware sources
 - **Instant messenger applications**
- - E.g. WhatsApp, Linkedin, Google Hangout etc.
+ - E.g. WhatsApp, LinkedIn, Google Hangout etc.
 - **Portable hardware media / removable devices**
 - E.g. flash drives, CDs/DVDs etc.
- - Autorun (Autostart)
+ - AutoRun (Autostart)
 - Windows Windows to run executable when a device is plugged in
 - Exploited by malware to run malicious code
 - 💡 Best practice to disable
@@ -40,7 +40,7 @@
 - Turn off file and printer sharing
 - **Installation by other malware**
 - **Bluetooth and wireless networks**
- - Attackers set-up open Blueetooth and Wi-Fi networks to attract users
+ - Attackers set-up open Bluetooth and Wi-Fi networks to attract users
 - Allows attackers to inspect network traffic and find e.g. username and passwords
 ## Malware distribution techniques
@@ -144,7 +144,7 @@
 - Hackers restrict access to files and folders on the target system until a payment is made.
 - Victims are usually required to pay money to access their files.
 - Often encrypts own files and sells decryption key.
-- An indicator is that your CPU runs on higher frequences.
+- An indicator is that your CPU runs on higher frequencies.
 - 💡 Best practices
 - Do not pay as there's no guarantee that you'll get the key
 - Keep back-ups somewhere offsite e.g. in cloud
diff --git a/chapters/07-malware/trojans.md b/chapters/07-malware/trojans.md
index 4203271..fad4c33 100644
--- a/chapters/07-malware/trojans.md
+++ b/chapters/07-malware/trojans.md
@@ -60,9 +60,9 @@
 3. Create a wrapper to bind trojan into legitimate files
 4. Propagate the trojan
-## Techniques for evading antiviruses
+## Techniques for evading antivirus
-- Do not use a known trojan, it'll be known by antiviruses
+- Do not use a known trojan, it'll be known by antivirus
 - Write your own trojan instead
 - 📝 Distribute trojan as e.g. `.doc.exe` or `.pdf.exe`
 - Because Windows hides "known extensions" by default so they appear as `.doc` or `.pdf`
diff --git a/chapters/07-malware/viruses.md b/chapters/07-malware/viruses.md
index 6e8dc5e..74ff46c 100644
--- a/chapters/07-malware/viruses.md
+++ b/chapters/07-malware/viruses.md
@@ -4,7 +4,7 @@
 ### Stealth virus
-- Virus takes active steps to conceal infection from antiviruses
+- Virus takes active steps to conceal infection from antivirus
 - 📝 Characteristic behaviors
 - Restores original file timestamp
 - Intercepts system calls to play back original information of file to e.g.
diff --git a/chapters/08-sniffing/sniffing-overview.md b/chapters/08-sniffing/sniffing-overview.md
index 08654d7..5f4490d 100644
--- a/chapters/08-sniffing/sniffing-overview.md
+++ b/chapters/08-sniffing/sniffing-overview.md
@@ -52,8 +52,8 @@
 - Sends copy of network packets seen on one switch port (or an entire VLAN) to another port
 - Often used in [Intrusion Detection System](./../11-firewalls-ids-and-honeypots/intrusion-detection-system-(ids)-overview.md)s.
 - Also known as **span port**
- - In Cisco system, it's commonly refered as Switched Port Analyzer (SPAN)
-- See also [STP attack](./spoofing-attacks.md#stp-spoofing-attack) for an exploatition
+ - In Cisco system, it's commonly referred as Switched Port Analyzer (SPAN)
+- See also [STP attack](./spoofing-attacks.md#stp-spoofing-attack) for an exploitation
 ## Sniffer
diff --git a/chapters/08-sniffing/sniffing-tools.md b/chapters/08-sniffing/sniffing-tools.md
index 314280c..092c795 100644
--- a/chapters/08-sniffing/sniffing-tools.md
+++ b/chapters/08-sniffing/sniffing-tools.md
@@ -49,7 +49,7 @@
 - 📝 On Windows a driver is required:
 - `npcap`: Driver from Nmap developers
 - `WinPcap`: Discontinued driver
- - [AirPcap](https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html): Obselete, propriety USB dongle used when there was no open-source Windows driver
+ - [AirPcap](https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html): Obsolete, propriety USB dongle used when there was no open-source Windows driver
 ### Wireshark non-root installation
@@ -97,7 +97,7 @@
 - Control which packets are displayed
 - Uses search and match operators such as `contains` and `matches`
 - E.g. `http contains hello`: TCP packets containing string "hello"
-- Uses search comparisions
+- Uses search comparisons
 - Such as
 - Equal: `eq` | `==`
 - Not equal: `ne` | `!=`
diff --git a/chapters/08-sniffing/spoofing-attacks.md b/chapters/08-sniffing/spoofing-attacks.md
index a7a6fdd..d20e403 100644
--- a/chapters/08-sniffing/spoofing-attacks.md
+++ b/chapters/08-sniffing/spoofing-attacks.md
@@ -32,7 +32,7 @@
 - New hardware for existing Internet Service Providers (ISP) where ISP charges per device.
 - Fulfilling software requirements where one software can only be installed on a single device.
-- Identity masking for pushing responsiblity for other users.
+- Identity masking for pushing responsibility for other users.
 - **MAC address randomization**: Implemented in Android, Linux, iOS, and Windows to prevent third parties from using the MAC address to track devices
 ### MAC spoofing attack
@@ -81,7 +81,7 @@
 - Enable **Root Guard** to not forward traffic to port with superior BPDUs
 - Enable **BPDU Guard** to enforce the STP domain borders
-## IRDP Spoofing
+## IRDP spoofing
 - **IRDP**: ICMP Router Discovery Protocol
 - Protocol for computer hosts to discover routers on their IPv4 local area network.
diff --git a/chapters/09-wireless-networks/aaa-protocols.md b/chapters/09-wireless-networks/aaa-protocols.md
index 8b4111b..551ef21 100644
--- a/chapters/09-wireless-networks/aaa-protocols.md
+++ b/chapters/09-wireless-networks/aaa-protocols.md
@@ -6,7 +6,7 @@
 - [Point-to-Point Protocol (PPP)](./../15-cryptography/tunneling-protocols.md#ppp-point-to-point-protocol)
 - [Extensible Authentication Protocol (EAP)](#extensible-authentication-protocol-eap)
 - Protected Extensible Authentication Protocol (PEAP)
- - [Lightweight Directory Access Protocol (LDAP)](./../04-enumaration/enumeration-overview.md#ldap)
+ - [Lightweight Directory Access Protocol (LDAP)](./../04-enumeration/enumeration-overview.md#ldap)
 - Most commonly used protocol is [RADIUS](#radius) and then [Diameter](#diameter), meanwhile older systems use [TACACS](#tacacs) and [TACACS+](#tacacs-tacacs-plus)
 ## RADIUS
diff --git a/chapters/09-wireless-networks/wireless-networks-overview.md b/chapters/09-wireless-networks/wireless-networks-overview.md
index b626ffa..be04d64 100644
--- a/chapters/09-wireless-networks/wireless-networks-overview.md
+++ b/chapters/09-wireless-networks/wireless-networks-overview.md
@@ -131,7 +131,7 @@
 - Low-power, low-data-rate, and close-proximity wireless ad hoc networks.
 - Popular IoT connection protocol
 - **802.16 - WiMAX**
- - Wireless on "stereoids"
+ - Wireless on "steroids"
 - Written for global development of broadband wireless metropolitan area networks.
 - Big range and fast.
 - **Comparing wireless standards**
diff --git a/chapters/09-wireless-networks/wireless-security-tools.md b/chapters/09-wireless-networks/wireless-security-tools.md
index 6f734a4..e2b83da 100644
--- a/chapters/09-wireless-networks/wireless-security-tools.md
+++ b/chapters/09-wireless-networks/wireless-security-tools.md
@@ -20,7 +20,7 @@
 - Real-time analysis of 802.11a/b/g/n/ac wireless networks
 - [RFProtect Wireless Intrusion Protection](https://www.arubanetworks.com/products/security/wireless-intrusion-protection/)
 - Prevents denial-of-service and man-in-the-middle attacks and mitigates over-the-air security threats.
-- [FruityWifi](http://www.fruitywifi.com)
+- [FruityWiFi](http://www.fruitywifi.com)
 - Open source tool to audit wireless networks
 - Allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.
 - [Fern Wifi Cracker](https://github.com/savio-code/fern-wifi-cracker)
diff --git a/chapters/09-wireless-networks/wireless-threats-and-attacks.md b/chapters/09-wireless-networks/wireless-threats-and-attacks.md
index a56648a..0d45a03 100644
--- a/chapters/09-wireless-networks/wireless-threats-and-attacks.md
+++ b/chapters/09-wireless-networks/wireless-threats-and-attacks.md
@@ -133,7 +133,7 @@
 #### Sniffing 4-way handshake
-- 4-way handshake is the ceronomy between AP and the device
+- 4-way handshake is the ceremony between AP and the device
 - Vulnerability in WPA and WPA-Personal (WPA-PSK, pre-shared key)
 - During WPA handshake, password is shared in encrypted form (called **PMK (pairwise master key)**)
 - Flow:
diff --git a/chapters/10-social-engineering/social-engineering-overview.md b/chapters/10-social-engineering/social-engineering-overview.md
index f672fda..b10d37e 100644
--- a/chapters/10-social-engineering/social-engineering-overview.md
+++ b/chapters/10-social-engineering/social-engineering-overview.md
@@ -23,7 +23,7 @@
 2. **Select target**
 - Choose a target employee
 - Some employees are more vulnerable than others
- - Easy targets also known as **Rebecca** and **Jessica** mean a person who is an easy target for social engineering such as the receptionist of a companyengineering, such as
+ - Easy targets also known as **Rebecca** and **Jessica** mean a person who is an easy target for social engineering such as the receptionist of a company
 - E.g. receptionists, help-desk personnel, tech support, system administrators, clients.
 - A frustrated target is more willing to reveal information
 3. **Relationship**
@@ -62,7 +62,7 @@
 - Information is used for spear phishing, impersonation, and identity theft.
 - Can e.g. create a fake user group "Employees of the company" in **Facebook**
 - Invite people to group and collect credentials such as birth date, employment/education backgrounds.
-- Can scan profile pages in **Linkedin** and **Twitter**.
+- Can scan profile pages in **LinkedIn** and **Twitter**.
 ### Steps of social media impersonation
@@ -83,7 +83,7 @@
 - **Physical measures**
 - E.g. air quality, power concerns, humidity-control systems
 - **Technical measures**
- - E.g. smartcards and biometrics
+ - E.g. smart cards and biometrics
 - **Operational measures**
 - E.g. policies and procedures to enforce a security-minded operation.
 - **Access control**
diff --git a/chapters/10-social-engineering/social-engineering-types.md b/chapters/10-social-engineering/social-engineering-types.md
index ad7f9f4..269af6c 100644
--- a/chapters/10-social-engineering/social-engineering-types.md
+++ b/chapters/10-social-engineering/social-engineering-types.md
@@ -91,7 +91,7 @@ - 📝 Redirect a website's traffic to a malicious one - Can be done through - - Exploiting DNS vulnerabilities such as [DNS posioning](./../08-sniffing/sniffing-attacks-overview.md#dns-poisoning) + - Exploiting DNS vulnerabilities such as [DNS poisoning](./../08-sniffing/sniffing-attacks-overview.md#dns-poisoning) - Host file modification - Windows location: `C:\Windows\System32\drivers\etc\hosts` - Linux location: `/etc/hosts` @@ -179,7 +179,7 @@ - **Malicious insiders** - Privileged users to inflict harm - E.g. dissatisfied or former employees that wants to take revenge -- **Careless and gegligent insiders** +- **Careless and negligent insiders** - Make errors and disregard policies - E.g. uneducated employees - **Infiltrators** diff --git a/chapters/11-firewalls-ids-and-honeypots/evading-ids.md b/chapters/11-firewalls-ids-and-honeypots/evading-ids.md index 32316ad..1ffe285 100644 --- a/chapters/11-firewalls-ids-and-honeypots/evading-ids.md +++ b/chapters/11-firewalls-ids-and-honeypots/evading-ids.md @@ -36,7 +36,7 @@ #### Unicode encoding attack - Also known as **UTF-8 encoding** -- Presenting information in an unusal way to confuse the signature-based IDS +- Presenting information in an unusual way to confuse the signature-based IDS - 📝 A very common way to evade IDS - E.g. instead of `http://vulneapplication/../../appusers.txt` using `http://vulneapplication/%C0AE%C0AE%C0AF%C0AE%C0AE%C0AFappusers.txt` 
@@ -49,8 +49,8 @@ ### Polymorphism - Using polymorphic shellcode to create unique network patterns to evade signature detection -- E.g. by encoding payload by XORing and putting the decoder in the start of the payload where the target runs the decoder when it executes the code. -- Tools include [ADMMutate](https://github.com/K2/ADMMutate): A shellcode mutation engine, can evade NIDS. +- E.g. by encoding payload by XORing and putting the decoder in the start of the payload where the target runs the decoder when it executes the code +- Tools include [ADMMutate](https://github.com/K2/ADMMutate): A shellcode mutation engine, can evade NIDS ## Denial of service diff --git a/chapters/11-firewalls-ids-and-honeypots/firewall-overview.md b/chapters/11-firewalls-ids-and-honeypots/firewall-overview.md index b0bfe41..07a43dd 100644 --- a/chapters/11-firewalls-ids-and-honeypots/firewall-overview.md +++ b/chapters/11-firewalls-ids-and-honeypots/firewall-overview.md @@ -108,7 +108,7 @@ - E.g. on [Cisco routers](https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html) using `access-list 101 deny tcp any host 100.100.100.1 eq 22` - where `101` is sequence number that helps with ordering of the rules - the lower the number is the higher priority it gets in the ordering - - ACL are prossesed in top down meaning if a condition is met all processing is stopped. + - ACL are processed in top down meaning if a condition is met all processing is stopped. #### Packet inspection 
@@ -263,4 +263,4 @@ - A network which enables a secure connection to a private network through the Internet. - Information is protected by encryption and integrity checks. -- Can use e.g. [IPSec](./../15-cryptography/tunneling-protocols.md#ipsec) or [OpenVPN](./../15-cryptography/tunneling-protocols.md#openvpn) tunelling protocol. +- Can use e.g. [IPSec](./../15-cryptography/tunneling-protocols.md#ipsec) or [OpenVPN](./../15-cryptography/tunneling-protocols.md#openvpn) tunnelling protocol. diff --git a/chapters/11-firewalls-ids-and-honeypots/intrusion-detection-system-(ids)-overview.md b/chapters/11-firewalls-ids-and-honeypots/intrusion-detection-system-(ids)-overview.md index f81397e..cf1455d 100644 --- a/chapters/11-firewalls-ids-and-honeypots/intrusion-detection-system-(ids)-overview.md +++ b/chapters/11-firewalls-ids-and-honeypots/intrusion-detection-system-(ids)-overview.md @@ -33,7 +33,7 @@ | Strength | Sensing attacks from outside | Sensing attacks from inside that NIDS cannot examine | | Packet headers | Examines | Does not understand | | Host | Independent | Dependent | - | Bandwith | In need of | Does not require | + | Bandwidth | In need of | Does not require | | Performance | Slows down networks where it's installed | Slow down hosts where it's installed | | Attack types | Senses network attacks as payload is analyzed | Senses local attacks before they hit the network | | False positive rate | High | Low | diff --git a/chapters/12-web-servers/hacking-web-servers.md b/chapters/12-web-servers/hacking-web-servers.md index 2769838..adaf103 100644 --- a/chapters/12-web-servers/hacking-web-servers.md +++ b/chapters/12-web-servers/hacking-web-servers.md 
@@ -72,7 +72,7 @@ - See also [Encrypting communication | Cryptography](./../15-cryptography/encrypting-communication.md) - Enforce code access security policy - Monitor logs -- Use weebsite change detection System +- Use website change detection system - Check server files with hash comparison and alert if any modifications has happened. - Filter traffic to [SSH](./../15-cryptography/tunneling-protocols.md#ssh-secure-shell) server - Default passwords and unused default accounts should be changed and disabled respectively. diff --git a/chapters/12-web-servers/web-server-threats-and-attacks.md b/chapters/12-web-servers/web-server-threats-and-attacks.md index 53fd86c..5969118 100644 --- a/chapters/12-web-servers/web-server-threats-and-attacks.md +++ b/chapters/12-web-servers/web-server-threats-and-attacks.md @@ -15,7 +15,7 @@ - DNS (Domain Name System) - Resolves a domain name to its corresponding IP address when queried. - - See also [DNS | DNS enumeration](./../04-enumaration/dns-enumeration.md#dns) + - See also [DNS | DNS enumeration](./../04-enumeration/dns-enumeration.md#dns) - Attacker compromises a DNS server and change its DNS server to redirect clients to a malicious website. - E.g. by configuring DNS server to redirect requests to a rogue DNS server. - E.g. user types in legitimate URL in a browser but browser redirects to a fake banking site. @@ -79,7 +79,7 @@ - [SQL injection](./../14-sql-injection/sql-injection-overview.md) - [Cross-site scripting (XSS)](./../13-web-applications/owasp-top-10-threats.md#cross-site-scripting-xss) - [Malware infection](./../07-malware/malware-overview.md) - - [DNS cache posioning](./../08-sniffing/sniffing-attacks-overview.md#dns-poisoning) + - [DNS cache poisoning](./../08-sniffing/sniffing-attacks-overview.md#dns-poisoning) - ... ## Web server misconfiguration 
@@ -144,12 +144,12 @@ - E.g. GET request where encoded URI does the splitting ```txt - GET http://testsite.com/redir.php?site=%0d%0aContent- + GET http://cloudarchitecture.io/redir.php?site=%0d%0aContent- Length: %200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast- Modified: %20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aConte nt-Length: %2020%0d%0aContent- Type: %20text/html%0d%0a%0d%0adeface! HTTP/1.1 - Host: testsite.com + Host: cloudarchitecture.io ... ``` diff --git a/chapters/13-web-applications/denial-of-service.md b/chapters/13-web-applications/denial-of-service.md index fb60229..6223a73 100644 --- a/chapters/13-web-applications/denial-of-service.md +++ b/chapters/13-web-applications/denial-of-service.md @@ -101,7 +101,7 @@ - Overloading a server with TCP ACK packets - TCP ACK packet is any TCP packet with the ACK flag set in the header. -- ACK is short for "acknowledgement." +- ACK is short for "acknowledgement" - TCP protocol requires that connected devices acknowledge they have received all packets in order - E.g. when all packets for an image is sent, ACK packet is required otherwise image is sent again. @@ -186,7 +186,7 @@ - **Slowloris** - Floods HTTP with headers for each request without actually completing them. - - 🤗 [Slowlaris presentation](https://samsclass.info/seminars/slowloris.pdf) + - 🤗 [Slowloris presentation](https://samsclass.info/seminars/slowloris.pdf) - 📝 **[R-U-Dead-Yet](https://sourceforge.net/projects/r-u-dead-yet/)** - Also known as ***RUDY***, ***R.U.D.Y.*** or ***R U Dead yet*** - Submits long form fields using HTTP posts to the target server. 
@@ -222,9 +222,9 @@ - **Activity Profiling**: Detect Increases in activity levels, distinct clusters, average packet rate etc. - **Changepoint detection**: Stores and presents graph of traffic flow rate vs time for each IP/port. -- **Wavelet-based signal analysis**: Devides incoming signal into various frequences as spectral components. +- **Wavelet-based signal analysis**: Divides incoming signal into various frequencies as spectral components. -### DoS prevention Strategies +### DoS prevention strategies - Absorb the attack with additional resources e.g. through using a CDN. - Degrade or shut down services (start with non-critical services) diff --git a/chapters/13-web-applications/owasp-top-10-threats.md b/chapters/13-web-applications/owasp-top-10-threats.md index 7fa287f..a212948 100644 --- a/chapters/13-web-applications/owasp-top-10-threats.md +++ b/chapters/13-web-applications/owasp-top-10-threats.md @@ -60,7 +60,7 @@ - E.g. using **`&`** to end to query - Application code: `String filter = "(&(USER = " + user_name + ") (PASSWORD = " + user_password + "))";` - Attacker enters appends `)(&)` after user name like: `johnDoe)(&)` - - Attacker gets access as `&` ends the query and always evulates to true. + - Attacker gets access as `&` ends the query and always evaluates to `true`. #### SOAP injection @@ -72,7 +72,7 @@ #### Command injection - **Shell injection** - - Applies to web applications that programetically execute a command line + - Applies to web applications that programmatically execute a command line - **File injection** - E.g. exploiting by causing an application to run/show a malicious remote file - **HTML embedding** 
@@ -171,12 +171,12 @@ ### Insecure direct object references (IDOR) - 📝 Direct access to internal objects through URL without authorization checks -- E.g. `cloudarchitecture.io/change_password.php?userid=victimusername` to reset victims password +- E.g. `cloudarchitecture.io/change_password.php?userId=victimUsername` to reset victims password #### Missing Function Level Access Control - Bypassing access control checks by modifying the URL -- E.g. reaching admin panel by modifying `cloudarchitecture.io/appinfo` to `cloudarchitecture.io/adminAppInfo`s +- E.g. reaching admin panel by modifying `cloudarchitecture.io/appInfo` to `cloudarchitecture.io/adminAppInfo`s ### Countermeasures for broken access control @@ -232,7 +232,7 @@ ## Cross-Site Scripting (XSS) - Also known as **cross site scripting** -- 📝 Taking untrusted data and sending it without input validation or escaping. +- 📝 Taking untrusted data and sending it without input validation or escaping - 📝 Type of client-side [code injection](#code-injection) - Used to - hijack user sessions @@ -266,7 +266,7 @@ - Application sets value of an HTML parameter to an input without proper validation/sanitization ```html - page += ""; ``` @@ -283,7 +283,6 @@ foo='+document.cookie'.` - Only allows executing scripts from permitted domains. - Filter input on arrival - Set `HttpOnly` flag set for session cookies so they cannot be reached through JavaScript. - - 📝 Escape HTML code - Escape untrusted HTTP request data based on the context in the HTML output - Use frameworks that automatically escape XSS by design diff --git a/chapters/13-web-applications/session-hijacking.md b/chapters/13-web-applications/session-hijacking.md index 2bf3f4e..3620871 100644 --- a/chapters/13-web-applications/session-hijacking.md +++ b/chapters/13-web-applications/session-hijacking.md 
@@ -86,14 +86,17 @@ - **Similarities** - Both are client-side attacks - - Both require need some action of the end user, such as clicking on a link or visiting a website. + - Both require need some action of the end user + - E.g. clicking on a link or visiting a website - **Examples** - - CSRF: `https://cloudarchitecture.io/account?new_password=abc123` to involuntarily change password using victim's already logged cookie/session - - XSS: `https://cloudarchitecture.io/search?q=">` to involuntarily execute client-side code + - CSRF: Involuntarily change password using victim's already logged cookie/session + - Through `https://cloudarchitecture.io/account?new_password=abc123` + - XSS: Involuntarily execute client-side code + - `https://cloudarchitecture.io/search?q=">` - **Differences** - XSS executes a malicious script in victims browser - - CSRF sends a malicious request on victims behalf. - - XSS is generally more serious vulenrability than CSRF + - CSRF sends a malicious request on victims behalf + - XSS is generally more serious vulnerability than CSRF - CSRF often only applies to a subset of actions that a user is able to perform - XSS exploit can normally induce a user to perform any action that the user is able to perform - CSRF is "one-way" while an attacker can induce the victim to issue an HTTP request without retrieving response 
@@ -149,15 +152,16 @@ - Prevents client to proceed its communication with the server. - Easier than TCP/HTTP as no need to worry about sequence numbers or session cookies. - Example use-cases - - **UDP**: Control victims clock (using [NTP](./../04-enumaration/enumeration-overview.md#ntp) UDP packet) to make a certificate/session invalid + - **UDP**: Control victims clock (using [NTP](./../04-enumeration/enumeration-overview.md#ntp) UDP packet) to make a certificate/session invalid - **DNS**: Send a false response to DNS lookup to fool the victim into resolving a domain into a malicious IP address (does not work with HTTPs) #### Network level MITM attack - Changes the clients default gateway to reroute the sent packets to go through the attacker. - Done by either - - **ARP spoofing**: where IP address to MAC mapping table (ARP) is altered. - - Using **Forged Internet Control Message Protocol (ICMP)** + - **ARP spoofing** + - Through altering IP address to MAC mapping table (ARP) + - **Forged Internet Control Message Protocol (ICMP)** - ICMP is an extension of IP to send error messages - Attacker sends error messages indicating indicate problems in processing packets through the original connection. - Fools the server and client into routing through its path instead. diff --git a/chapters/14-sql-injection/sql-injection-overview.md b/chapters/14-sql-injection/sql-injection-overview.md index de3eb49..2a2bd63 100644 --- a/chapters/14-sql-injection/sql-injection-overview.md +++ b/chapters/14-sql-injection/sql-injection-overview.md 
@@ -135,7 +135,7 @@ - `GET parameter id is 'Generic UNION query (NULL) - 1 to 20 columns' injectable` - `--dbs` parameter gets database names e.g. `mysql, phpmyadmin...` - `-D --tables` parameters lists tables from given tabase name.. - - `-T --columns` gives colums names + - `-T --columns` gives column names - `-C --dump` to get columns - Can also crack hashes (not as fast as `hashcat`) - [jSQL Injection](https://github.com/ron190/jsql-injection) @@ -153,7 +153,7 @@ - **Weakness**: The database server runs OS commands - Run database with minimal rights - Disable OS commands like `xp_cmdshell` (for shell access) - - Invoking `xp_cmdshell` spwans a Windows command shell with input string passed to it for execution + - Invoking `xp_cmdshell` spawns a Windows command shell with input string passed to it for execution - Providing local system level access to the server. - **Weakness**: Using privileged account to connect to the database - Monitor DB traffic using an IDS diff --git a/chapters/14-sql-injection/sql-injection-types.md b/chapters/14-sql-injection/sql-injection-types.md index 3c13449..4f22b85 100644 --- a/chapters/14-sql-injection/sql-injection-types.md +++ b/chapters/14-sql-injection/sql-injection-types.md @@ -8,7 +8,7 @@ - **Database management system-specific SQL injection** - Using specific SQL statements to certain database engine. - **Compounded SQL injection** - - Combining SQL injection with other web applciation attacks such as • insufficient authentication • DDoS attacks • DNS hijacking • XSS. + - Combining SQL injection with other web application attacks such as • insufficient authentication • DDoS attacks • DNS hijacking • XSS. - E.g. DDoSing through `http://cloudarchitecture.io/azure?id=2 and WAITFOR DELAY '0:0:50'` - **Second-order SQL injection** - When user-supplied data is stored by the application and later incorporated into SQL queries in an unsafe way. 
diff --git a/chapters/15-cryptography/cryptanalysis.md b/chapters/15-cryptography/cryptanalysis.md index 3ff3f52..b2ec9e5 100644 --- a/chapters/15-cryptography/cryptanalysis.md +++ b/chapters/15-cryptography/cryptanalysis.md @@ -11,7 +11,7 @@ - Applicable to block ciphers and stream ciphers. - Given enough pairs of plaintext and corresponding ciphertext, key can be obtained - Discovered by By Matsui and Yamagishi in 1992 -- Attacker indentifies the linear relation between some bits of the plaintext, some bits of the ciphertext and some bits of the unknown key. +- Attacker identifies the linear relation between some bits of the plaintext, some bits of the ciphertext and some bits of the unknown key. ### Differential cryptanalysis diff --git a/chapters/15-cryptography/encrypting-communication.md b/chapters/15-cryptography/encrypting-communication.md index 91c2e73..84a0783 100644 --- a/chapters/15-cryptography/encrypting-communication.md +++ b/chapters/15-cryptography/encrypting-communication.md @@ -65,7 +65,7 @@ ### Secure options - **Encrypting files before using FTP** - - Does not protect user password, or prevent man in the middle from downloanding encrypted files. + - Does not protect user password, or prevent man in the middle from downloading encrypted files - **SFTP (SSH File Transfer Program)** | port: 22 - Uses [SSH](/tunneling-protocols.md#ssh-secure-shell) for authentication and data transport mechanism - **FTP over SSH** diff --git a/chapters/15-cryptography/encrypting-disk.md b/chapters/15-cryptography/encrypting-disk.md index ca55718..7349f41 100644 --- a/chapters/15-cryptography/encrypting-disk.md +++ b/chapters/15-cryptography/encrypting-disk.md 
@@ -2,9 +2,9 @@ - Encryption of all data stored on a disk. - Data-at-rest protection -- Protect the data stored in the disk and ensure its confidentiality. +- Protect the data stored in the disk and ensure its confidentiality - 📝 Protects against someone who gains physical access to your device - - ❗ But does not protect from malwares or from being attacked by hackers over the internet + - ❗ But does not protect from malware or from being attacked by hackers over the internet ## Full Disk Encryption (FDE) diff --git a/chapters/15-cryptography/hashing-algorithms.md b/chapters/15-cryptography/hashing-algorithms.md index c000442..94969d8 100644 --- a/chapters/15-cryptography/hashing-algorithms.md +++ b/chapters/15-cryptography/hashing-algorithms.md @@ -58,7 +58,7 @@ - Uses a combination of a cryptographic key and hash function such as SHA-1 or MD5. - Used for authentication and integrity checks. - E.g. `HMAC_SHA256("key", "The quick brown fox jumps over the lazy dog") = f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8` -- Uses **keyed hashing** to genarate hashed-based MACs (HMAC). +- Uses **keyed hashing** to generate hashed-based MACs (HMAC). - Involves hashing a message with a • hash function and • a secret key. - Message authentication codes (MACs) - Cryptographic checksums @@ -90,5 +90,5 @@ - Converting a key (e.g. password) to a longer and more random key to e.g. use as encryption. - Makes encryption stronger as it increases the time and resources for brute-force attacks. -- Usely done by re-hashing multiple (e.g. a few million) times +- Usually done by re-hashing multiple (e.g. a few million) times - E.g. using slow key derivation functions such as PBKDF2 diff --git a/chapters/15-cryptography/tunneling-protocols.md b/chapters/15-cryptography/tunneling-protocols.md index 9fce806..7b91be3 100644 --- a/chapters/15-cryptography/tunneling-protocols.md +++ b/chapters/15-cryptography/tunneling-protocols.md 
@@ -1,4 +1,4 @@ -# Tunelling protocols +# Tunneling protocols - Allows for the movement of data from one network to another - Involves repackaging the traffic data into a different form, usually using encryption @@ -17,7 +17,7 @@ - Cryptographic network protocol for operating network services securely over an unsecured network. - Usually used for remote command-line, login, and remote command execution. -- Replaces unsecure [Telnet](./../03-scanning-networks/banner-grabbing.md#telnet) +- Replaces insecure [Telnet](./../03-scanning-networks/banner-grabbing.md#telnet) - Introduces **SSH file transfer (SFTP)** or **secure copy (SCP)** protocols for secure file access,transfer and management. - **SSH handshake** 1. [TCP three-way handshake](./../03-scanning-networks/tcpip-basics.md#three-way-handshake) @@ -31,8 +31,8 @@ - 📝 Part of IPv4 suite so it runs on layer 3 (internet layer) in [TCP/IP model](./../03-scanning-networks/tcpip-basics.md#tcpip-model) or layer 3 (transport) in [OSI model](./../03-scanning-networks/tcpip-basics.md#osi-model) - 📝 Provides security through - **Authentication** through authenticating both parts - - **Integrity** through using ahash algorithm to ensure that data is not tampered with. - - **Nonrepudiation** through using public key digital signatures to prove message origin. + - **Integrity** through using a hash algorithm to ensure that data is not tampered with. + - **Non-repudiation** through using public key digital signatures to prove message origin. - **Confidentiality** through encryption ### IKE (Internet Key Exchange) @@ -87,5 +87,5 @@ ### Point-to-Point Tunneling Protocol (PPTP) -- Insecure/obselete method for implementing virtual private networks +- Insecure/obsolete method for implementing virtual private networks - Uses a TCP control channel and a Generic Routing Encapsulation tunnel to encapsulate PPP packets. 
diff --git a/chapters/16-cloud-computing/cloud-computing.md b/chapters/16-cloud-computing/cloud-computing.md index 2b1d714..496a0ef 100644 --- a/chapters/16-cloud-computing/cloud-computing.md +++ b/chapters/16-cloud-computing/cloud-computing.md @@ -141,7 +141,7 @@ ## Pros and cons of cloud computing -### Advantages of Cloud Computing +### Advantages of cloud computing - **Economical**: Less infrastructure cost, less cost of ownership, fewer capital expenses - **Operational**: cost efficient, elastic, quick provisioning, automatic updates, backup and recovery... @@ -149,14 +149,14 @@ - **Security**: Patch application and updates, less cost on security configurations, better disaster recovery, audit and monitoring on providers side, better management of security systems. - **Innovation**: Quick access to innovation -### Disadvantages of Cloud Computing +### Disadvantages of cloud computing - Organizations have limited control and flexibility - Prone to outages and other technical issues - Security, privacy, and compliance issues - Contracts and lock-ins - Depends on network connections -- Can be hard to migrae from one to another +- Can be hard to migrate from one to another ## Cloud regulations diff --git a/chapters/16-cloud-computing/container-security.md b/chapters/16-cloud-computing/container-security.md index 7b8c9d4..b3849d3 100644 --- a/chapters/16-cloud-computing/container-security.md +++ b/chapters/16-cloud-computing/container-security.md @@ -49,7 +49,7 @@ 2. **Patch management strategy** - Bugs on container/orchestration tools or OS images needs to be patched. 3. **Network segmentation and firewalling** - - Design your network upfront providing netowkr level protection for + - Design your network upfront providing network level protection for - management interfaces from the orchestration too - network services from the host - Expose microservices to only legitimate consumers 
@@ -70,7 +70,7 @@ 9. **Follow immutable paradigm** - Start containers on read-only mode if no file access is needed 10. **Logging** - - Log on application, container image and orchestraction tool + - Log on application, container image and orchestration tool - Both related events and API level - Ensure logs are stored on remote with timestamps and are tamper proof @@ -92,7 +92,7 @@ ## Container advantages over VM -- **Often no SSHs enabled into containers** +- **Often no SSH enabled into containers** - No SSH attacks - **Often no user access expected** - No need for credentials or tools to support users @@ -103,7 +103,7 @@ - **Immutable designs make it difficult to inject malware** - As persistance is usually separated away from the container - **Automatic generation makes it faster to pick up and promote security patches** - - Automated CI/CD pipelines make updaying libraries/OS much quicker than manual. + - Automated CI/CD pipelines make updating libraries/OS much quicker than manual - **Well-defined APIs enables easier anomaly detection** - Developers often create APIs to communicate with containers - Makes it easy to create a reference model for what is normal inside an application, so anything outside of that is an anomaly. We can automatically detect any anomalies @@ -117,7 +117,7 @@ - Limit capabilities (Grant only specific capabilities, needed by a container)¶ - Add –no-new-privileges flag - Disable inter-container communication (--icc=false) - - Use Linux Security Module (seccomp, AppArmor, or SELinux)¶ + - Use Linux Security Module (seccomp, AppArmor, or SELinux) - Limit resources (memory, CPU, file descriptors, processes, restarts) - Set filesystem and volumes to read-only - Use static analysis tools diff --git a/chapters/17-mobile-platforms/mobile-attacks.md b/chapters/17-mobile-platforms/mobile-attacks.md index 94adb5b..afc4918 100644 --- a/chapters/17-mobile-platforms/mobile-attacks.md +++ b/chapters/17-mobile-platforms/mobile-attacks.md 
@@ -56,8 +56,8 @@ - E.g. through external configuration files - Dynamic runtime injection - E.g. stealing data in memory -- Unintented permissions -- Escalated priviliges +- Unintended permissions +- Escalated privileges - Access to device and User info - Third-party code - Intent hijacking diff --git a/chapters/17-mobile-platforms/mobile-hacking.md b/chapters/17-mobile-platforms/mobile-hacking.md index 074a144..a087991 100644 --- a/chapters/17-mobile-platforms/mobile-hacking.md +++ b/chapters/17-mobile-platforms/mobile-hacking.md @@ -4,7 +4,7 @@ - **Surveillance**: • Audio • Camera • Call logs • Location • SMS messages - **Financial**: • sending high rate SMS • stealing transaction authentication numbers (TANs) • extortion via ransomware • fake antivirus • making expensive calls -- **Data theft**: • Account details • Contacts • Call logs • hone number • stealing IMEI +- **Data theft**: • Account details • Contacts • Call logs • phone number • stealing IMEI - **Botnet activity**: • launching DDoS attacks • click fraud • sending SMS - **Impersonation**: • SMS redirection, sending e-mail messages, posting to social media @@ -67,8 +67,8 @@ - Easy through e.g. using prepaid SMS card using fake identity - Usually not checked by antiviruses - Users are not familiar -- E.g. "Paypal - your account has been locked" +- E.g. "PayPal - your account has been locked" ## Pairing -- Pairing with malicious devices may enable e.g. [Bluesnarfing](./../09-wireless-networks/bluetooth.md#bluesnarfing) and [BlueBugging](./../09-wireless-networks/bluetooth.md#bluebugging) +- Pairing with malicious devices may enable e.g. [BlueSnarfing](./../09-wireless-networks/bluetooth.md#bluesnarfing) and [BlueBugging](./../09-wireless-networks/bluetooth.md#bluebugging) diff --git a/chapters/18-iot-and-ot/iot-hacking.md b/chapters/18-iot-and-ot/iot-hacking.md index 5d04e86..1dd4416 100644 --- a/chapters/18-iot-and-ot/iot-hacking.md +++ b/chapters/18-iot-and-ot/iot-hacking.md 
@@ -94,7 +94,7 @@ - **Key security components**: key security layer, secure cloud computing, antivirus - **Vulnerabilities** - Exhaustion: Can disturb memory, battery e.g. after effect of a DoS - - Malwares + - Malware ### Network (transport) layer @@ -125,17 +125,17 @@ | Approx. range up to | Connectivity | Speed | |:-------------------:| ------------ | ----- | -| 10 cm | NFC | 424 Kbit/s | +| 10 cm | NFC | 424 kbit/s | | 1 m | RFID | 300 tags per second | -| 10 m | Li-Fi | 100 Gbit/s | -| 60 m | Bluetooth low energi (BLE) | 1 or 2 Mbit/s | -| 100 m | WiFi | 1300 Mbit/s | -| 1 km | Wi-Fi HaLow | 78 Mbit/s | -| 2 km | 5G | 20 Gbit/s | -| 30 km | LTE-Advanced | 300 Mbit/s | +| 10 m | Li-Fi | 100 gbit/s | +| 60 m | Bluetooth low energi (BLE) | 1 or 2 mbit/s | +| 100 m | WiFi | 1300 mbit/s | +| 1 km | Wi-Fi HaLow | 78 mbit/s | +| 2 km | 5G | 20 gbit/s | +| 30 km | LTE-Advanced | 300 mbit/s | | 70 km | Celullar | - (depends on 4g etc.) | -| 1000 km | LPWAN | 200 Kbit/s | -| World-wide | VSAT | 16 Mbit/s | +| 1000 km | LPWAN | 200 kbit/s | +| World-wide | VSAT | 16 mbit/s | #### Short-range wireless communication @@ -160,7 +160,7 @@ - **LTE-Advanced**: Formally submitted as a candidate 4G, often being described as 3.9G. - **Wi-Fi HaLow**: low power, long-range, also known as "WiFi for Internet of Things" -- **5G**: Introduced in 2019, highest with minimum of 10 GBPS +- **5G**: Introduced in 2019, highest with minimum of 10 Gbps #### Long Range Wireless Communication diff --git a/chapters/18-iot-and-ot/iot-security.md b/chapters/18-iot-and-ot/iot-security.md index 463fdb4..717d7e9 100644 --- a/chapters/18-iot-and-ot/iot-security.md +++ b/chapters/18-iot-and-ot/iot-security.md 
@@ -25,7 +25,7 @@ - OWASP Internet of Things Top Ten was introduced in 2004 and updated in [2018](https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf) 1. **Weak, guessable, or hardcoded passwords** - - Use of easily bruteforced, publicly available, or unchangeable credentials + - Use of easily brute forced, publicly available, or unchangeable credentials - Including [backdoor](./../07-malware/malware-overview.md#backdoor)s in firmware or client software that grants unauthorized access to deployed systems 2. **Insecure network services** - Unneeded or insecure network services running on the device itself