https://nets.ec/api.php?action=feedcontributions&user=MargeryLeddy&feedformat=atom
NetSec - User contributions [en] 2024-03-29T11:28:49Z User contributions MediaWiki 1.25.1
https://nets.ec/index.php?title=Spanish/Pagina_Principal&diff=9614 Spanish/Pagina Principal 2012-11-07T04:10:17Z<p>MargeryLeddy: Changed "Main Page" to "Pagina Principal"</p>
<hr />
<div>{{social}}<br />
<br />
<table width="100%"><br />
<tr style="vertical-align:top"><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Article'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Article}}</td></tr></table><br />
</td><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Tool'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Tool}}</td></tr></table><br />
</td><br />
</tr><br />
</table><br />
<br />
<br />
<br />
<center><table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<center><big>'''Articles'''</big><br />
<br />
----<br />
''[[Shellcode]] &bull; [[countermeasures|Countermeasures]] &bull; [[administration|Administration]] &bull; [[exploitation|Exploitation]] &bull; [[programming|Programming]]''<br />
<br />
<br />
'''[[Lenguajes Compilados|Compiled Languages]]'''<br />
<br />
[[assembly|Assembly]] &bull; [[linux assembly|Linux Assembly]] &bull; [[C]] &bull; [[CPP|C++]] <br />
<br />
<br />
'''[[exploit|Software Exploitation]]'''<br />
<br />
[[Buffer overflow|Stack overflows]] &bull; [[null-free shellcode|Null-free Shellcode]] &bull; 32-bit [[ascii shellcode|ASCII Shellcode]] &bull; 64-bit [[alphanumeric shellcode|Alphanumeric Shellcode]] &bull; [[unsafe string replacement|Unsafe String Replacement]]<br />
<br />
<br />
'''[[Interpreted languages|Interpreted Languages]]'''<br />
<br />
[[Perl]] &bull; [[Python]] &bull; [[PHP]] &bull; [[Ruby]] &bull; [[LUA]] &bull; [[Bash book|The Bash Book]] &bull; [[SQL Orientation]] &bull; [[Polymorphic|Polymorphism Examples]]<br />
<br />
<br />
'''[[Explotación de la Web|Web Exploitation]]'''<br />
<br />
[[SQL injection|SQL Injection]] &bull; [[XSS]] &bull; [[Cookies]] &bull; [[File inclusion|File Inclusion]] &bull; [[Command Injection]] &bull; [[CSRF]] &bull; [[XSRF]] &bull; [[XSCF]] &bull; [[Cold Fusion Hacking|ColdFusion Hacking]] &bull; [[SQL Backdoors]]<br />
<br />
<br />
<small>([[:Category:Indexing|Index]]) ([[:Category:Requested_maintenance|Contribute]])</small></center></td></tr></table></center><br />
<br />
<br />
<br />
{|style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"<br />
!colspan="6" align="center"|<big>'''Tools'''</big><br />
----<br />
|-<br />
|valign="top"|'''[[Vanguard|Vanguard]]'''<br />
|valign="top"|''[[Web Exploitation|Web application vulnerability]] testing engine written in [[perl]] with LibWhisker2 support''<br />
|<br />
|valign="top"|'''[[Jynx2]]'''<br />
|valign="top"|''Version 2.0 of the classic [[LD_Preload]] userland rootkit, written in [[C]]''<br />
|-<br />
|valign="top"|'''[[Bleeding Life]]'''<br />
|valign="top"|''Browser [[buffer overflow]] exploit pack, in [[PHP]] and [[MySQL]]''<br />
|<br />
|valign="top"|'''[[Kolkata]]'''<br />
|valign="top"|''Configurable scanner, written in [[perl]], that compares [[cryptography|checksums]] to fingerprint web applications through static file analysis''<br />
|-<br />
|valign="top"|'''[[GScrape]]'''<br />
|valign="top"|''Google scraper written in [[perl]] for quickly identifying vulnerable sites and generating statistics''<br />
|<br />
|valign="top"|'''[[Lfi_autopwn.pl]]'''<br />
|valign="top"|''Given a [[File inclusion|file inclusion]] vulnerability, this [[Perl]] script will spawn a shell''<br />
|-<br />
|valign="top"|'''[[MySql 5 Enumeration|MySQL 5 Enumerator]]'''<br />
|valign="top"|''Automatically map content or query a remote database given a URL vulnerable to [[SQL injection|SQL injection]], using this [[perl]] script''<br />
|<br />
|valign="top"|'''[http://chokepoint.net/?id=5 Social Network Redirection Utility]'''<br />
|valign="top"|''Rickroll your friends through redirected images with [[XSCF|content manipulation]]''<br />
<br />
|}</div>MargeryLeddyhttps://nets.ec/index.php?title=Spanish&diff=9613Spanish2012-11-07T04:08:47Z<p>MargeryLeddy: </p>
<hr />
<div>[[Pagina Principal]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Main_page&diff=9612Main page2012-11-07T04:07:36Z<p>MargeryLeddy: Translation of the main page</p>
<hr />
<div></div>MargeryLeddyhttps://nets.ec/index.php?title=Spanish&diff=9611Spanish2012-11-07T03:36:11Z<p>MargeryLeddy: Testing on creating a spanish site</p>
<hr />
<div>[[Main page]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Shellcode&diff=3634Shellcode2012-03-23T02:49:05Z<p>MargeryLeddy: adding link for shellcode obfuscation</p>
<hr />
<div>Shellcode, bytecode, or [[machine code]] is represented in [http://www.blackhatacademy.org/security101/index.php?title=Assembly_Basics#Binary_.26_Hexadecimal hexadecimal]. Every [[programming language]] eventually becomes [[binary]]. [[Assembly Basics|Assembly]] translates to [[binary]] [[machine code]]. When writing a [[Buffer Overflows|buffer overflow]] there are many obstructions from [[Network Security|network security]], such as [[DEP]], [[ASLR]], [[firewall|firewalls]], or [[SIM|SIMS]].<br />
<br />
{{info|This is just one of many shellcoding concepts. Ultimately, the most important concepts are [[anti-heuristics]], [[shellcode obfuscation]], and [[IDS]]/[[IPS]]/[[Firewall]] evasion.}}<br />
<br />
'''[[Anti-heuristics]]''':<br />
* Evading heuristics - evading debuggers, tricking the [[Programmer|programmers]], attacking debuggers, and evading/attacking virtual machines are all part of this technique. [[Anti-heuristics]] rely on the code's ability to protect itself from user, administrator, or even [[programmer]] and debugger intervention.<br />
<br />
'''[[Shellcode obfuscation |Obfuscation]]''':<br />
* "Uglifying" one's code - obfuscation includes utilization of polymorphism and metamorphism, and describes anything that makes the code appear to do one thing or hold certain data when in fact the code does something else or holds different data.<br />
<br />
'''[[IDS]]/[[IPS]]/[[Firewall]] Evasion''':<br />
* Evading detection engines is currently best done by using alphanumeric shellcode. Alphanumeric and [[ascii shellcode]] appear within standard user-printable data, making your arbitrary code appear as standard user-entered data instead of malicious [[machine code]]. Generally it is hard for an admin to detect that this is actually a payload to begin with.<br />
<br />
{{info|[[Machine code]] can be used by a [[programmer]] to write any application with an [[Assembly Basics|assembly]] approach because it is just as powerful as any other [[programming language]]. }}<br />
{{cleanup}}<br />
{{expand}}</div>MargeryLeddyhttps://nets.ec/index.php?title=Forensic_chain_of_custody&diff=1970Forensic chain of custody2011-11-11T14:42:05Z<p>MargeryLeddy: creating wiki page for this log ---> http://pastebin.com/aqerakvm</p>
<hr />
<div>Document everything you take: date and time, condition, who or where you got it from, and whether it was packaged or not. <br />
<br />
In rare cases where a crime is actually going down (an actual DDoS or a real-time malicious attack), chain of custody is second to preventing the crime from occurring, and depending on your legal standing (warrant, court orders, etc.), you may even legally be able to actively fight the attacks. That's pretty much the only legal way you're going to be able to compromise a remote system: if it is being used as an attack machine or is a victim machine and you have a court order to do so. <br />
<br />
Many times you'll receive a computer from an end user; other times you'll be receiving a package. Usually packages arrive via a courier service; in fact, federal mail is not used and should not be used because it can damage the disks. Packages that arrive via couriers are usually sealed in some special fashion, depending on the country you are in. Typically it is a tamper-evident seal of some sort. You'll also want a receipt from the courier service to ensure your item ID/shipment ID matches the outbound one (to ensure packages aren't switched mid-transit). <br />
<br />
The sender will have taken pictures of the sealed evidence to preserve chain of custody; you'll want to take pictures of it from every angle before opening it, as well as after opening it. <br />
<br />
When you receive a machine, you'll want to document how long it has been since the machine was shut down. If that information is unknown, simply putting "unknown" is acceptable.<br />
<br />
There should be a security camera in place everywhere the evidence goes, from the moment it enters your custody until it leaves it. Witnesses are very important, and cameras can be a huge help with that. At any rate, you'll want to document each change of hands of the evidence.<br />
<br />
Any time you are not examining or acquiring evidence, the evidence should be locked in an evidence room. Requirements for the room are obviously a lock, security cameras, and a sign-in/sign-out form.<br />
<br />
Any time you hand evidence to another examiner, even in your own facility, you will want to fill out an evidence custodial transfer form of some type. Additionally, the evidence room, or the box the evidence is kept in inside the room, will need to be fireproof.<br />
Different countries and states have different standards for fireproofing. Typically evidence rooms are locked and usually have biometrics of some form or fashion, plus security cameras, and on top of that the evidence goes in a lock box. The lock box will need to be both fireproof and waterproof, so that in the case of a fire the contents survive if a sprinkler or gas flame-retardant system is activated. <br />
<br />
With forensic evidence, backups of the HDDs will also be stored in off-site datacentres due to the volatile nature of computers.<br />
<br />
<br />
Once evidence has been acquired or imaged, it should never be touched again. The reason for not touching evidence once it has been acquired or imaged is that this way you can ensure you can re-image it later. Additionally, because you'll probably wind up giving expert witness testimony at some point, you'll need it when you show the chain of the evidence examination (checksums, etc.).<br />
<br />
In the United States, some precedents were recently set that require multiple forms of hashing/digest algorithms for checksums. The reasoning is that you can cause a hash collision against only one algorithm, but doing so will change the other algorithm's hash. You can't defeat both algorithms simultaneously (essentially, checksumming a checksum).<br />
<br />
Any examination, imaging or acquisition needs to have a log. Even if all you're doing is a dd image, you need to include the start and stop time, the exact commands used, and even write the checksums down. All of this will be considered part of your expert witness testimony. If you break any of this at all, an offender/attacker can easily slip through the cracks.<br />
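A log record of the kind described above, with several digests stored side by side and a re-verification step that flags any algorithm whose digest no longer matches. This is an added example, not part of the original page; `acquisition_record` and `verify_image` are names of my own, and the image bytes, paths and `dd` command line are constructed samples.

```python
"""Added example (not from the wiki page): an acquisition log entry recording
start/stop time, the exact command and several digests, plus re-verification."""
import hashlib
import json
from datetime import datetime, timezone

# Digests recorded side by side: a collision crafted against one algorithm
# (the page's point) changes the others, so all three must still match.
DIGEST_ALGOS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for every algorithm in DIGEST_ALGOS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_ALGOS}


def acquisition_record(evidence_id, command, image, started, finished, examiner):
    """Build one log entry for an imaging step: who, what command, when it
    started and stopped, how many bytes, and every checksum."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "command": command,
        "started": started.isoformat(),
        "finished": finished.isoformat(),
        "size_bytes": len(image),
        "digests": digests(image),
    }


def verify_image(record, image):
    """Re-hash a stored image and compare it against every recorded digest.
    Returns (all_match, [algorithms that did not match])."""
    current = digests(image)
    mismatched = [a for a in DIGEST_ALGOS if current[a] != record["digests"][a]]
    return (not mismatched, mismatched)


# Constructed sample "disk image": a few bytes standing in for dd output.
SAMPLE_IMAGE = b"EVIDENCE-0042 constructed sample image " + bytes(range(64))
SAMPLE_RECORD = acquisition_record(
    "EVIDENCE-0042",
    # Hypothetical device and case paths, not taken from any real case.
    "dd if=/dev/sdb of=/cases/0042/sdb.dd bs=4M conv=noerror,sync",
    SAMPLE_IMAGE,
    datetime(2011, 11, 11, 14, 0, tzinfo=timezone.utc),
    datetime(2011, 11, 11, 14, 42, tzinfo=timezone.utc),
    "examiner placeholder",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_RECORD, indent=2))
    print(verify_image(SAMPLE_RECORD, SAMPLE_IMAGE))              # (True, [])
    print(verify_image(SAMPLE_RECORD, SAMPLE_IMAGE[:-1] + b"\x00"))  # one flipped byte
```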
<br />
If you receive frozen RAM, you'll want to document how long it's been on ice, how long it was between it being shut down and going on ice, etc.<br />
<br />
<br />
''' Active Memory Snapshots''' <br />
<br />
There is a question of admissibility in court for active volatile forensics, e.g. I walk up to your machine while it's turned on and dump its RAM. Admissibility in court is completely questionable, because there's no proof you didn't tamper with it.<br />
When imaging a hard drive, you use physical and hardware write blockers. But volatile RAM memory you could write to all day, so its admissibility is questionable.<br />
However, anything from a RAM dump that can be validated via hard drive evidence is fair game, e.g.:<br />
<br />
* Passwords in plaintext found in the keyboard buffer, encryption keys. If you can use the drive image to validate the volatile evidence, those parts of the volatile evidence become admissible. <br />
* 100 GB of encrypted home drive on the HDD: you get the encryption key from RAM, and it's all admissible.<br />
* If you get a password for, say, a Windows account, you can pull the SAM file later and show that it hashes out to the same NTLM hash.<br />
<br />
This is because it's not the RAM's admissibility that holds up, it's that of the data on the hard drive.</div>MargeryLeddyhttps://nets.ec/index.php?title=HIDS&diff=1435HIDS2011-09-19T06:18:10Z<p>MargeryLeddy: </p>
<hr />
<div>A <b>H</b>ost-based <b>I</b>ntrusion <b>D</b>etection <b>S</b>ystem (HIDS) performs several intrusion detection mechanisms on a single [[host]] or computer, ensuring its integrity by searching for malicious or anomalous activity. It's an agent that monitors and reports on the system status, its stored information, and application activity. Common features of a HIDS include log analysis, real-time alerting, event correlation, integrity checking, policy enforcement, and rootkit detection.<br />
<br />
<br />
== External Links ==<br />
* http://www.sans.org/security-resources/idfaq/what_is_hips.php<br />
* http://www.ossec.net/<br />
* http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system<br />
<br />
[[Category:Countermeasures]]</div>MargeryLeddyhttps://nets.ec/index.php?title=IDS&diff=1434IDS2011-09-19T04:50:07Z<p>MargeryLeddy: Reverted edits by Zekiel (talk) to last revision by vorst</p>
<hr />
<div><b>I</b>ntrusion <b>D</b>etection <b>S</b>ystems <br />
<br />
IDS are used to detect attacks aimed at a network or host. See Also: [[IPS]], [[NIDS]], and [[HIDS]].<br />
<br />
Tools:<br />
<br />
[http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml Cisco IDS] [[NIDS]]<br />
[[Cisco IDS]] - A network layer intrusion detection system based off of tcpdump with signature support.<br />
<br />
[http://www.snort.org Snort] [[NIDS]]<br />
[[Snort]] - A network layer intrusion detection system based off of libpcap with signature support and preprocessor support.<br />
<br />
[http://www.ossec.net OSSEC] [[HIDS]]<br />
OSSEC - A host-based intrusion detection system that utilizes log analysis combined with integrity checksums and rootkit detection engines.<br />
<br />
[http://www.la-samhna.de/samhain/ Samhain] [[HIDS]]<br />
Samhain - A file integrity checking application similar to OSSEC<br />
<br />
[http://nepenthes.carnivore.it/Nepenthes Nepenthes] [[HIDS]] <br />
Nepenthes - A malware connection utility similar to HoneyD<br />
<br />
[http://www.honeyd.org/ HoneyD] [[HIDS]]<br />
HoneyD - A tool for collecting malware and tricking attackers into thinking they've performed a successful attack.<br />
<br />
[[Category:Countermeasures]]</div>MargeryLeddyhttps://nets.ec/index.php?title=IDS&diff=1433IDS2011-09-19T04:49:17Z<p>MargeryLeddy: </p>
<hr />
<div><b>I</b>ntrusion <b>D</b>etection <b>S</b>ystems, or IDS, are defense mechanisms focused on analyzing the network traffic to detect anomalies or suspicious behavior, generating alerts when any of these situations occurs.<br />
<br />
IDS are used to detect attacks aimed either to a network or to a specific host. See Also: [[IPS]], [[NIDS]], and [[HIDS]].<br />
<br />
Tools:<br />
<br />
[http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml Cisco IDS] [[NIDS]]<br />
[[Cisco IDS]] - A network layer intrusion detection system based off of tcpdump with signature support.<br />
<br />
[http://www.snort.org Snort] [[NIDS]]<br />
[[Snort]] - A network layer intrusion detection system based off of libpcap with signature support and preprocessor support.<br />
<br />
[http://www.ossec.net OSSEC] [[HIDS]]<br />
OSSEC - A host-based intrusion detection system that utilizes log analysis combined with integrity checksums and rootkit detection engines.<br />
<br />
[http://www.la-samhna.de/samhain/ Samhain] [[HIDS]]<br />
Samhain - A file integrity checking [[applications|application]] similar to OSSEC<br />
<br />
[http://nepenthes.carnivore.it/Nepenthes Nepenthes] [[HIDS]] <br />
Nepenthes - A malware connection utility similar to HoneyD<br />
<br />
[http://www.honeyd.org/ HoneyD] [[HIDS]]<br />
HoneyD - A tool for collecting malware and tricking attackers into thinking they've performed a successful attack.<br />
<br />
[[Category:Countermeasures]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Bash&diff=1431Bash2011-09-13T04:55:05Z<p>MargeryLeddy: </p>
<hr />
<div>=Getting Started=<br />
Bash (the Bourne-again shell) is the [[linux]] command-line shell, roughly the counterpart of the [[MS-DOS]] prompt. <br />
<br />
You will need some version of [[Linux]] to run this.<br />
<br />
Usually the [[applications|application]] you are looking for is `xterm' or `terminal' in the desktop, or you can access this via [[Protocols|ssh]]. It will be easier to learn all of this if you have the root [[password]], or if you are listed in the sudoers file. The two most important commands are `info' and `man'. Many tutorials will teach you about the `man' pages. You can access any command's manual by typing `man commandname'. <br />
What many tutorials do not tell you about is `info coreutils'. Here's a small snippet of `info coreutils' listing:<br />
<br />
* Introduction:: Caveats, overview, and authors<br />
* Common options:: Common options<br />
* Output of entire files:: cat tac nl od base64<br />
* Formatting file contents:: fmt pr fold<br />
* Output of parts of files:: head tail split csplit<br />
* Summarizing files:: wc sum cksum md5sum sha1sum sha2<br />
<br />
The info command lets you move with Page Up and Page Down, as well as use the arrow keys to select words and hit Enter to follow the link, somewhat like a wiki.<br />
<br />
=File System=<br />
You will also have to understand that the basic file system layout on Linux is different from that of Windows. To see the mounted filesystems and how full they are, run:<br />
<br />
df -h<br />
<br />
Your partitions are not formatted into drive letters. Instead they can be found in:<br />
*/proc/mounts<br />
*/etc/fstab<br />
*/etc/mtab<br />
<br />
You can also view these with the following commands:<br />
* mount<br />
* fdisk<br />
* cfdisk<br />
<br />
==Directories==<br />
You can change directory the same way you can in [[MS-DOS]], with the cd command. Listing directories is done with the `ls' command rather than the `dir' command. On certain systems, the `dir' command has been set up as a shortcut to `ls' to help new Linux users. Example:<br />
<br />
cd /etc/<br />
<br />
xplicit@ubuntu:~$ ls -at [Enter]<br />
.gconfd .sudo_as_admin_successful Pictures<br />
.xsession-errors .cache Public<br />
.gconf .pulse Templates<br />
.config .nautilus Videos<br />
.gnome2 .gtk-bookmarks Desktop<br />
.thumbnails .esd_auth Downloads<br />
<br />
Another way of displaying files is using the `-lash' flags with `ls'. As an example:<br />
<br />
xplicit@ubuntu:/proc$ ls -lash<br />
total 4.0K<br />
0 dr-xr-xr-x 207 root root 0 2010-12-01 20:35 .<br />
0 drwxr-xr-x 22 root root 4.0K 2010-12-02 20:03 ..<br />
0 dr-xr-xr-x 10 root root 0 2010-12-01 20:35 acpi<br />
0 dr-xr-xr-x 4 root root 0 2010-12-02 20:50 asound<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 buddyinfo<br />
0 dr-xr-xr-x 4 root root 0 2010-12-02 20:50 bus<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 cgroups<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 cmdline<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 cpuinfo<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 crypto<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 devices<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 diskstats<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 dma<br />
0 dr-xr-xr-x 3 root root 0 2010-12-02 20:50 driver<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 execdomains<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 fb<br />
0 -r--r--r-- 1 root root 0 2010-12-02 20:50 filesystems<br />
0 dr-xr-xr-x 8 root root 0 2010-12-01 20:38 fs<br />
<br />
Using the `-lash' flags displays all files, including hidden ones, along with their sizes and permissions, which we'll discuss later on. <br />
<br />
You can also list only directories by using '''grep''':<br />
<br />
21:54:40-zach@ninja:~/Downloads$ ls -la | grep ^d<br />
drwxr-xr-x 2 zach zach 4096 2010-10-29 01:24 .<br />
drwx------ 102 zach zach 425984 2010-12-02 21:14 ..<br />
<br />
<div style="text-align:center;">'''For the purpose of this wiki, files have been omitted to make the above shorter and readable.'''</div> <br />
<br />
===/proc===<br />
Properties:<toggledisplay><br />
* Filesystem Type: '''procfs'''<br />
* Does not support ext3 attributes ([[chattr]])<br />
* Recommended additional mount flags: '''nosuid'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0555''' (dr-xr-xr-x)<br />
</toggledisplay><br />
Using this virtual filesystem you can obtain active statistics about the local host.<br />
The following files contain a bit of hardware specs:<br />
*/proc/cpuinfo<br />
*/proc/meminfo<br />
<br />
/proc/mounts contains everything you see when you invoke the `mount' command.<br />
<br />
/proc/PID/environ contains all of the environment variables of the process with the associated PID.<br />
<br />
/proc/PID/maps contains the memory mappings of the process with the associated PID, including every file it has loaded into memory.<br />
<br />
===/etc===<br />
Properties: <toggledisplay><br />
* Filesystem Type: '''ext2/ext3'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0711''' (drwx--x--x)<br />
</toggledisplay><br />
This partition is usually used to store configuration files.<br />
<br />
===/bin===<br />
Properties:<toggledisplay><br />
* Filesystem Type: '''ext2/ext3'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0755''' (drwxr-xr-x)<br />
</toggledisplay><br />
This directory contains commands accessible to all bash users.<br />
<br />
===/sbin===<br />
<toggledisplay><br />
* Filesystem Type: '''ext2/ext3'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0711''' (drwx--x--x)<br />
</toggledisplay><br />
===/var===<br />
<toggledisplay><br />
* Filesystem Type: '''ext2/ext3'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0711''' (drwx--x--x)<br />
</toggledisplay><br />
===/home===<br />
<toggledisplay><br />
* Filesystem Type: '''ext2/ext3'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''0711''' (drwx--x--x)<br />
</toggledisplay><br />
===/tmp===<br />
<toggledisplay><br />
* Filesystem Type: '''tmpfs'''<br />
* Recommended additional mount flags: '''nosuid,noexec,nodev'''<br />
<br />
Should be owned by '''root''' for user and group<br />
Should have permissions: '''1777''' (drwxrwxrwt)<br />
</toggledisplay><br />
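The mount flags and ownership/permissions recommended above can be checked with a small script. The following is an added example, not from the wiki; the /proc/mounts lines in it are constructed, and `mount_opts`, `missing_opts`, `check_mount` and `check_owner_mode` are names of my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): check mount options and directory
# ownership/permissions against the values recommended in the sections above.
# SAMPLE_MOUNTS is constructed text in /proc/mounts format, not a real capture.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field (field 4 of
# /proc/mounts) for that mountpoint, or nothing if it is not mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# missing_opts OPTS_CSV REQUIRED_CSV: print each required option absent from the
# comma-separated option list, one per line; prints nothing when compliant.
missing_opts() {
    _have=",$1,"
    _old_ifs=$IFS
    IFS=,
    for _need in $2; do
        case "$_have" in
            *",$_need,"*) ;;
            *) printf '%s\n' "$_need" ;;
        esac
    done
    IFS=$_old_ifs
}

# check_mount MOUNTS_TEXT MOUNTPOINT REQUIRED_CSV: succeed only if the
# mountpoint is present and carries every required option.
check_mount() {
    _opts=$(mount_opts "$1" "$2")
    [ -n "$_opts" ] || return 1
    [ -z "$(missing_opts "$_opts" "$3")" ]
}

# check_owner_mode ACTUAL EXPECTED: both in the form "MODE USER GROUP", as
# printed by GNU `stat -c '%a %U %G' DIR`; succeeds only on an exact match.
check_owner_mode() {
    [ "$1" = "$2" ]
}

# Walk the page's recommendations over the constructed sample.
for entry in "/proc nosuid" "/tmp nosuid,noexec,nodev"; do
    set -- $entry
    if check_mount "$SAMPLE_MOUNTS" "$1" "$2"; then
        echo "OK   $1 has $2"
    else
        echo "FAIL $1 is missing: $(missing_opts "$(mount_opts "$SAMPLE_MOUNTS" "$1")" "$2" | tr '\n' ' ')"
    fi
done
# On a live host the same functions take real data, e.g.:
#   check_mount "$(cat /proc/mounts)" /tmp nosuid,noexec,nodev
#   check_owner_mode "$(stat -c '%a %U %G' /tmp)" "1777 root root"
```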
<br />
==Files==<br />
<br />
You can view files for now using the commands:<br />
<br />
* cat<br />
* less<br />
* more<br />
<br />
You can exit `more' or `less' by typing `q'. You can search for text by pressing `/' and go to a specific line number by typing `:'.<br />
<br />
The syntax is simply [command] [filename]. You can edit files with:<br />
<br />
* nano<br />
* pico<br />
* vi<br />
* vim<br />
* emacs<br />
<br />
Nano and pico are the easiest to use. To learn vim, use the `vimtutor' command.<br />
<br />
You can search for things inside of files using the '''grep''' command. <br />
<br />
You can delete files using the '''rm''' command.<br />
<br />
===.bashrc===<br />
<br />
===.ssh/known_hosts===<br />
<br />
===/etc/motd===<br />
<br />
==Partitioning & Formatting==<br />
<br />
'''fdisk'''<br />
<br />
*fdisk is the command-line utility that provides disk partitioning functions on almost all operating systems.<br />
<br />
fdisk is a very powerful tool: it can do something as small as listing the drives and all the information gathered about them, or it can be used to repartition seemingly broken hard drives so that they work again. fdisk has been around for many years and will not be going anywhere anytime soon. <br />
<br />
The fdisk commands can be found by going into your command-line interface (CLI) and typing fdisk. It will print the following to your screen.<br />
<br />
Example:<br />
<br />
livecd ~ # fdisk<br />
<br />
Usage:<br />
fdisk [options] <disk> change partition table<br />
fdisk [options] -l <disk> list partition table(s)<br />
fdisk -s <partition> give partition size(s) in blocks<br />
<br />
Options:<br />
-b <size> sector size (512, 1024, 2048 or 4096)<br />
-c switch off DOS-compatible mode<br />
-h print help<br />
-u <size> give sizes in sectors instead of cylinders<br />
-v print version<br />
-C <number> specify the number of cylinders<br />
-H <number> specify the number of heads<br />
-S <number> specify the number of sectors per track<br />
<br />
cfdisk,mkfs<br />
<br />
=Commands=<br />
<br />
==Text Manipulation==<br />
`cat',`tac',`head',`tail',`sed',`awk',`grep'<br />
<br />
==File Manipulation==<br />
>, >> , &>, touch, rm<br />
<br />
==Process Manipulation==<br />
ps, top, kill, skill, pkill, killall<br />
<br />
==Debugging==<br />
strace ptrace gdb kgdb <br />
<br />
==Network Manipulation==<br />
ifconfig, dhcp clients, packet injectors, sniffers<br />
<br />
==Firewall Manipulation==<br />
iptables nufw<br />
<br />
==FileSystem Manipulation==<br />
mount, umount, losetup<br />
<br />
==Pipes & Golfing in Bash==<br />
piping to sh</div>MargeryLeddyhttps://nets.ec/index.php?title=IDS&diff=1430IDS2011-09-13T04:48:41Z<p>MargeryLeddy: </p>
<hr />
<div><b>I</b>ntrusion <b>D</b>etection <b>S</b>ystems <br />
<br />
IDS are used to detect attacks aimed at a network or host. See Also: [[IPS]], [[NIDS]], and [[HIDS]].<br />
<br />
Tools:<br />
<br />
[http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml Cisco IDS] [[NIDS]]<br />
[[Cisco IDS]] - A network layer intrusion detection system based off of tcpdump with signature support.<br />
<br />
[http://www.snort.org Snort] [[NIDS]]<br />
[[Snort]] - A network layer intrusion detection system based on libpcap with signature support and preprocessor support.<br />
<br />
[http://www.ossec.net OSSEC] [[HIDS]]<br />
OSSEC - A host-based intrusion detection system that utilizes log analysis combined with integrity checksums and rootkit detection engines.<br />
<br />
[http://www.la-samhna.de/samhain/ Samhain] [[HIDS]]<br />
Samhain - A file integrity checking [[applications|application]] similar to OSSEC.<br />
<br />
[http://nepenthes.carnivore.it/Nepenthes Nepenthes] [[HIDS]] <br />
Nepenthes - A malware connection utility similar to HoneyD.<br />
<br />
[http://www.honeyd.org/ HoneyD] [[HIDS]]<br />
HoneyD - A tool for collecting malware and tricking attackers into thinking they've performed a successful attack.<br />
<br />
[[Category:Countermeasures]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Input&diff=1429Input2011-09-13T04:47:57Z<p>MargeryLeddy: </p>
<hr />
<div>Inputs are anything read by the [[applications|application]] that is [[parse|parsed]] or used as a [[variable]], including but not limited to:<br />
<br />
*Command-line options<br />
*User input<br />
*Files<br />
*[[Database]]<br />
*Socket Data<br />
<br />
[[Category:Information]]</div>MargeryLeddyhttps://nets.ec/index.php?title=RoR_Patching&diff=1428RoR Patching2011-09-13T04:45:40Z<p>MargeryLeddy: /* RoR Patching */</p>
<hr />
<div>=RoR Patching=<br />
==Vulnerabilities==<br />
<br />
The standard [[web applications|web-application]] [[vulnerability|vulnerabilities]], [[XSS]], [[SQL injection]], [[session hijacking]], and [[data tampering]], afflict [[Ruby on Rails]] as well. A less commonly known [[vulnerability]] is called Mass Assignment Abuse.<br />
<br />
<br />
== XSS ==<br />
<br />
<br />
Standard [[XSS]] is possible. [[session hijacking]] via [[cookies]] is possible. Be sure to [[sanitize]] your [[database]] [[Input|inputs]] as well as your [[cookies]] for [[XSS]].<br />
<br />
[[vulnerability|vulnerable]] code :<br />
<br />
<syntaxhighlight lang="ruby"><br />
<%= comment.content %><br />
<%= sanitize(comment.content) %> <br />
</syntaxhighlight><br />
<br />
[[patched]] code :<br />
<br />
<syntaxhighlight lang="ruby"><br />
<%= h(comment.content) %> <br />
</syntaxhighlight><br />
<br />
on [[output]], OR<br />
<br />
<syntaxhighlight lang="ruby"><br />
CGI::escapeHTML(user_input) <br />
</syntaxhighlight><br />
<br />
on [[input]].<br />
<br />
The code below :<br />
<syntaxhighlight lang="ruby"><br />
<%= comment.content %><br />
<%= sanitize(comment.content) %> <br />
</syntaxhighlight><br />
<br />
is [[vulnerability|vulnerable]] because sanitize() only strips [[HTML]] tags; it does not protect your program from [[XSS#XSS_Exploitation|javascript injection]]. The h() function does.<br />
<br />
== Params Injection & Mass Assignment Abuse ==<br />
<br />
<br />
Params can't be trusted. [[SQL injection]] can still take place, though it is rare in [[Ruby on Rails]]; it can be [[Fuzzing|fuzzed]] for just like any other [[SQL injection]] [[vulnerability]]. <br />
<br />
Params injection: curl can be used for POSTing and can specify params.<br />
Example hash manipulation:<br />
<br />
curl -d "user[name]=hacker&user[admin]=1" server:port/users<br />
<br />
[[vulnerability|vulnerable]] code : <br />
<br />
<syntaxhighlight lang="ruby"><br />
@user=User.new(params[:user])<br />
</syntaxhighlight><br />
<br />
<br />
[[patched]] code :<br />
<br />
<syntaxhighlight lang="ruby"><br />
attr_protected :admin<br />
</syntaxhighlight><br />
<br />
<br />
<br />
Best [[patch]] :<br />
<br />
<syntaxhighlight lang="ruby"><br />
attr_accessible :name  # whitelist: only :name may be mass-assigned<br />
</syntaxhighlight><br />
<br />
<br />
<br />
More [[vulnerability|vulnerable]] code:<br />
<br />
<syntaxhighlight lang="ruby"><br />
has_many :comments<br />
</syntaxhighlight><br />
<br />
<br />
<br />
curl can be used to take possession of existing comments or posts. Example:<br />
curl -d "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2" server:port/users<br />
<br />
The best fix is white-listed [[input]]. To make it so that only the user[name] param is read by ActiveRecord, change:<br />
<br />
<syntaxhighlight lang="ruby"><br />
attr_protected :admin <br />
</syntaxhighlight><br />
<br />
<br />
<br />
To:<br />
<br />
<syntaxhighlight lang="ruby"><br />
attr_accessible :name<br />
</syntaxhighlight><br />
<br />
<br />
<br />
This makes it so that only the name attribute matters to ActiveRecord when params is passed to the SQL query; ActiveRecord will ignore any other values set inside the params[] hash.<br />
<br />
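The difference between the attr_protected blacklist and the attr_accessible whitelist described above, as an added example that is not part of this wiki page or of Rails itself: a simplified stand-in for Rack's nested-parameter parsing and ActiveRecord's mass-assignment protection (parse_nested_params, MassAssignment, BlacklistedUser and WhitelistedUser are constructed for illustration), run over the request body from the second curl command above.<br />

```ruby
require "uri"

# Parse a Rails-style form body such as the article's
#   user[name]=hacker&user[admin]=1&user[comment_ids][]=1
# into a nested Hash, the way Rack's parameter parser does.
# Simplified re-implementation written for this example, not Rails code.
def parse_nested_params(body)
  params = {}
  URI.decode_www_form(body).each do |key, value|
    head, rest = key.split("[", 2)
    # "comment_ids][]" -> ["comment_ids", ""]; "" marks a trailing "[]"
    segments = rest ? rest.scan(/([^\[\]]*)\]/).flatten : []
    assign_nested(params, [head] + segments, value)
  end
  params
end

def assign_nested(node, keys, value)
  key, *remaining = keys
  if remaining.empty?
    node[key] = value
  elsif remaining == [""]
    (node[key] ||= []) << value           # "key[]=v" appends to an array
  else
    assign_nested(node[key] ||= {}, remaining, value)
  end
end

# Stand-in for ActiveRecord's mass-assignment protection (constructed):
# attr_protected is a blacklist (everything not listed is assignable),
# attr_accessible is a whitelist (only the listed attributes are assignable).
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Decide which of the submitted keys mass assignment may touch.
    def assignable(params)
      if @accessible                                   # whitelist configured
        params.select { |k, _| @accessible.include?(k) }
      else                                             # blacklist only
        params.reject { |k, _| (@protected || []).include?(k) }
      end
    end
  end

  def assign_attributes(params)
    self.class.assignable(params).each do |name, value|
      instance_variable_set("@#{name}", value)
    end
    self
  end
end

# The article's vulnerable model: only :admin is blocked, so comment_ids
# (exposed by has_many :comments) can still be set from the request.
class BlacklistedUser
  include MassAssignment
  attr_reader :name, :admin, :comment_ids
  attr_protected :admin
end

# The article's fix: only :name is ever read from params.
class WhitelistedUser
  include MassAssignment
  attr_reader :name, :admin, :comment_ids
  attr_accessible :name
end

# Request body taken from the article's second curl command.
REQUEST_BODY =
  "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2".freeze

# Build a user from the request the way User.new(params[:user]) would and
# report which attributes actually got set.
def assigned_attributes(klass, body = REQUEST_BODY)
  user = klass.new.assign_attributes(parse_nested_params(body)["user"])
  { name: user.name, admin: user.admin, comment_ids: user.comment_ids }
end

if $PROGRAM_NAME == __FILE__
  p parse_nested_params(REQUEST_BODY)
  p assigned_attributes(BlacklistedUser)   # admin blocked, comment_ids taken over
  p assigned_attributes(WhitelistedUser)   # only name survives
end
```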
[[Category:Patching]]</div>MargeryLeddyhttps://nets.ec/index.php?title=HTTP&diff=1427HTTP2011-09-13T04:44:59Z<p>MargeryLeddy: </p>
<hr />
<div><b>H</b>yper<b>t</b>ext <b>T</b>ransfer <b>P</b>rotocol<br />
<br />
HTTP is a [[Plaintext]] [[applications|application]]-level [[Protocols|protocol]]. It is used for distributed, collaborative, hypermedia information. More information about HTTP can be found in [[Protocols]].<br />
<br />
[[Category:Protocols]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Fuzzing&diff=1426Fuzzing2011-09-13T04:34:28Z<p>MargeryLeddy: </p>
<hr />
<div>{{cleanup}}<br />
<br />
Fuzzing is the process of [[testing]] an application for [[security]] related [[bug|bugs]]. Two types of fuzzing currently exist:<br />
<br />
[[Automated Fuzzing]]<br />
<br />
[[Manual Fuzzing]]<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=MS-DOS&diff=1425MS-DOS2011-09-13T04:32:58Z<p>MargeryLeddy: </p>
<hr />
<div><b>M</b>icro<b>S</b>oft <b>D</b>isk <b>O</b>perating <b>S</b>ystem<br />
<br />
This is just a brief overview of a few commands that can be used in MS-DOS. It is good to be familiar with all of these. In any case, further information on any command can be found by typing [command] /? or [command] --help from the command line, which can be accessed by clicking on the start menu, going to the “Run” dialogue, and typing cmd.exe or command.com and hitting enter.<br />
<br />
<br />
<tab class=wikitable sep=comma head=top><br />
Command, Explanation<br />
net, This command allows a user to perform any networking function that the Windows user interface is capable of. It has a variety of options and should be inspected more thoroughly.<br />
shutdown, This system-level process enables a user or administrator to shut down a computer remotely or locally with different options and different notification settings. When the host shuts down the shutdown is initiated by “NT AUTHORITY\SYSTEM”.<br />
attrib, This command line utility is used to set file attributes and permissions settings.<br />
at, This command is used to schedule tasks for the computer to perform automatically. When this utility is used to execute an [[applications|application]] the application is owned by “NT AUTHORITY\SYSTEM”.<br />
ipconfig, This command is used to configure networking. Using ipconfig /release will release the current [[IP address]] while using ipconfig /renew will renew the current [[IP address]]. ipconfig /all can be used to view full network configuration settings including DHCP servers and [[DNS]] servers.<br />
netstat, This command is used to view all network connections and has a variety of options.<br />
ping, This is a network connectivity and troubleshooting utility. This utility is used to verify connectivity between two machines and rates connectivity speed by latency or the amount of time it takes to send a signal to the remote machine and for the same signal to return to the local machine.<br />
nslookup, This command is used to look up the [[IP address]] of a remote host.<br />
tracert, This command will trace the network route from the local machine to the remote host specifying latency for each hop between the local host and the remote host. This command has a variety of options.<br />
finger, This command will show all users logged into a local or remote host assuming the finger service is running on the target machine.<br />
nbtstat, This command can be used to access the [[NetBIOS]] table on a remote or local machine. The output will contain the [[NetBIOS]] name and all available shares.<br />
telnet, This command can be used to manually craft a TCP/IP connection from the local machine to a remote machine. This command does not come in Windows Vista’s MS-DOS version.<br />
copy, Copies a file<br />
xcopy, Moves a file<br />
del, Deletes a file<br />
deltree, Deletes a directory<br />
cd, Changes working directories<br />
[[FTP|ftp]], An [[FTP]] client<br />
dir, Displays directory listings<br />
prompt, Sets a new prompt reverts to old prompt or toggles prompt on or off<br />
echo, Prints the text in the command line<br />
edit, Edits a file<br />
[[ARP|arp]], Controls the [[ARP|Address Resolution Protocol]] table and cache<br />
cacls, Sets permissions settings per user to the registry and alters group policy<br />
</tab><br />
[[Category:Information]]</div>MargeryLeddyhttps://nets.ec/index.php?title=MS-DOS&diff=1424MS-DOS2011-09-13T04:32:41Z<p>MargeryLeddy: </p>
<hr />
<div><b>M</b>icro<b>S</b>oft <b>D</b>isk <b>O</b>perating <b>S</b>ystem<br />
<br />
This is just a brief overview of a few commands that can be used in MS-DOS. It is good to be familiar with all of these. In any case, further information on any command can be found by typing [command] /? or [command] --help from the command line, which can be accessed by clicking on the start menu, going to the “Run” dialogue, and typing cmd.exe or command.com and hitting enter.<br />
<br />
<br />
<tab class=wikitable sep=comma head=top><br />
Command, Explanation<br />
net, This command allows a user to perform any networking function that the Windows user interface is capable of. It has a variety of options and should be inspected more thoroughly.<br />
shutdown, This system-level process enables a user or administrator to shut down a computer remotely or locally with different options and different notification settings. When the host shuts down the shutdown is initiated by “NT AUTHORITY\SYSTEM”.<br />
attrib, This command line utility is used to set file attributes and permissions settings.<br />
at, This command is used to schedule tasks for the computer to perform automatically. When this utility is used to execute an [[application|application]] the application is owned by “NT AUTHORITY\SYSTEM”.<br />
ipconfig, This command is used to configure networking. Using ipconfig /release will release the current [[IP address]] while using ipconfig /renew will renew the current [[IP address]]. ipconfig /all can be used to view full network configuration settings including DHCP servers and [[DNS]] servers.<br />
netstat, This command is used to view all network connections and has a variety of options.<br />
ping, This is a network connectivity and troubleshooting utility. This utility is used to verify connectivity between two machines and rates connectivity speed by latency or the amount of time it takes to send a signal to the remote machine and for the same signal to return to the local machine.<br />
nslookup, This command is used to look up the [[IP address]] of a remote host.<br />
tracert, This command will trace the network route from the local machine to the remote host specifying latency for each hop between the local host and the remote host. This command has a variety of options.<br />
finger, This command will show all users logged into a local or remote host assuming the finger service is running on the target machine.<br />
nbtstat, This command can be used to access the [[NetBIOS]] table on a remote or local machine. The output will contain the [[NetBIOS]] name and all available shares.<br />
telnet, This command can be used to manually craft a TCP/IP connection from the local machine to a remote machine. This command does not come in Windows Vista’s MS-DOS version.<br />
copy, Copies a file<br />
xcopy, Moves a file<br />
del, Deletes a file<br />
deltree, Deletes a directory<br />
cd, Changes working directories<br />
[[FTP|ftp]], An [[FTP]] client<br />
dir, Displays directory listings<br />
prompt, Sets a new prompt reverts to old prompt or toggles prompt on or off<br />
echo, Prints the text in the command line<br />
edit, Edits a file<br />
[[ARP|arp]], Controls the [[ARP|Address Resolution Protocol]] table and cache<br />
cacls, Sets permissions settings per user to the registry and alters group policy<br />
</tab><br />
[[Category:Information]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Network_Recon&diff=1423Network Recon2011-09-13T04:31:27Z<p>MargeryLeddy: /* Tools */</p>
<hr />
<div>=Intro=<br />
One of the first phases of an attack is network surveillance. Tools for this are publicly available, although many auditors and penetration testers choose to hand-roll their own. First we'll step back a little into network topography in general and explain the basic concepts of [[IP address|ip addressing]], [[subnetting]], and some fundamentals of how the internet works. This is a lot of information; do not become upset if you become frustrated.<br />
You may want to start with a little bit of hex. Hex being short for [[Assembly_Basics#Counting|hexadecimal]].<br />
==IP Addressing==<br />
An [[IP address]] is 32 bits, or four bytes. Because the highest value a [[byte|Byte]] can be is 255 and the lowest is 0, this is the range of any [[Octet]]. Because an [[IP address]] contains four bytes, there are four octets in an [[IP address]]. The '0' value is reserved for the network, and the '255' value is reserved for what is called a broadcast. That means that [[IP address|IP addresses]] will typically not end in 0 or 255, because those numbers are reserved for other things. There are also certain "reserved" addressing ranges :<br />
<br />
<br />
127.*.*.* - This is reserved in RFC 1918 for the local host. If you ever do anything to an IP address starting in 127, you will be performing these actions to your local machine.<br />
<br />
192.168.*.* - This is reserved in RFC 1918 for the local network. If you come across this type of IP address, it is not a machine out there on the internet, but one likely in your own house or another computer at the coffee shop you're hanging out in.<br />
<br />
172.*.*.* - This is reserved in RFC 1918 for the same as above<br />
<br />
169.254.*.* - Same as above<br />
<br />
10.*.*.* - Same as above<br />
<br />
==Ports==<br />
Any computer with an IP address has up to 65355 ports. A port is kind of like a phone line, and an IP address is kind of like a street address. The [[HTTP]] protocol, for example, runs on port 80 on the [[server]]. So, when you go to a site, e.g. google.com, first your web browser looks up google.com's [[IP address]] using a service called [[DNS]] (dynamic name server) and then connects to that [[IP address]] on port 80. The reason for the [[DNS]] service is that computers talk to each other through [[IP address|IP addresses]], and domain names such as google.com are an easier way for us humans to remember how to get from place to place.<br />
<br />
==Routing==<br />
Any computer on the internet has something called a '[[gateway]]' or 'border [[router]]'. This [[router]] is the upstream [[router]] that connects it and its peers to the rest of the internet. By compromising this [[router]], attackers are able to monitor traffic between the target host and the rest of the internet, kind of like a phone bug. The act of monitoring traffic in such a way is called [[sniffing]].<br />
<br />
==Theory==<br />
From a technical standpoint, the important things to an attacker when first running surveillance are the open ports, the network information, and the upstream router. [[Password]] wordlists can be made from content within the target site, assuming there is one, as well as from any information that can be gleaned about employees. <br />
<br />
In order to determine the border router, we'll use a utility called [[traceroute]]. On Windows the command is `tracert' and on [[linux]] the command is `[[traceroute]]'. This command-line tool allows you to follow your traffic from your own machine to another host. Sometimes the remote host has network-layer attempts to prevent the [[traceroute]] from completing. There are methods to evade this as well.<br />
<br />
Alternatively, you can use the [[traceroute]] engine here on our free services page. I recommend using tracert with the -d flag on Windows since it will avoid hostname lookups (making it run faster). If [[Protocols|ICMP]]/[[Protocols|UDP]] [[traceroute]] seems to be ineffective, you can use a [[TCP traceroute]]. When tracerouting a web [[server]], you can trace to [[Protocols|TCP]] port 80; and when tracerouting a [[DNS]] server, you can trace to [[Protocols|UDP]] port 53. Many times methods like this are used when there is no other choice. You will always be able to identify the border [[router]] (and potentially a [[firewall]]) because it will be the next-to-last hop before the target host. <br />
<br />
For port scanning, which scans for open ports on a system, the [[nmap]] utility is virtually unparalleled. While you can write your own port scanner, nmap already has every option anyone could think of. There is no point in re-inventing the wheel. Nmap is available from nmap.org, or you can use the port scan on our free services page.<br />
<br />
Lastly, we'll go over obtaining additional network information. Additional network information, such as mailserver information and [[DNS]] information can be utilized in an attack as well. By running a `[[whois]]' on the target domain, you can obtain the [[DNS]] server addresses as well as the domain's registrar. Using the [[linux]] command line utility called `[[dig]]', you can obtain [[MX records]] (dig -t MX domain.tld), which will point you in the direction of the mailserver. <br />
<br />
You can type any of the commands in this tutorial by themselves on the correct operating system and they should appropriately greet you with some sort of help screen indicating the different options and their uses.<br />
<br />
==Tools==<br />
<br />
[http://blackhatacademy.org/free-services.php Free Services]<br />
<br />
As far as what tools to use, [[nikto]] and [[nmap]] are good for [[web applications|web application]] and [[server]] scanning, respectively. Some common strings (with the example : target.net) are as follows :<br />
<br />
user@host# nmap -sS -A -sV -O -P0 --defeat-rst-ratelimit target.net<br />
user@host# ./nikto.pl -evasion 9 -host target.net<br />
<br />
<br />
Nmap is a good tool for mapping out what [[daemons]] are running on the server. This is important, because each daemon could be a chink in the armor of the site. [[Command Injection]], [[Buffer Overflows]], and null-byte/escape string vulnerabilities may plague any of these daemons and so generally after scanning a machine and getting a decent version print I try to google for vulnerabilities in any/all of the running daemons unless I know one off of the top of my head. Keep in mind that if target.net is running an application called "Port Sentry", nmap may come back thinking that every port is open. If this is the case, you may want to try running:<br />
<br />
user@host# nmap -sS -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net<br />
<br />
or even<br />
<br />
user@host# nmap -sX -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net<br />
<br />
As it stands, nikto does a great job mentioning CVE references for any vulnerabilities it discovers. Just remember that sometimes you can get a lot of false positives. If nikto doesn't mention a URL for a reference but lists a CVE reference, just [http://lmgtfy.com/?q=CVE+References&l=1 ask google about it]! :)<br />
<br />
[[Category:Network Security]]</div>MargeryLeddyhttps://nets.ec/index.php?title=DEP&diff=1422DEP2011-09-13T04:24:40Z<p>MargeryLeddy: /* Magic Numbers and ASLR */</p>
<hr />
<div><b>D</b>ata <b>E</b>xecution <b>P</b>revention.<br />
<br />
Windows XP SP2 was Microsoft's first real attempt at data execution prevention. While the attempt was in fact a feeble one, it laid the groundwork for later innovations, for example [[ASLR]], or [[ASLR|Address Space Layout Randomization]], employed by Microsoft's Windows Vista operating system.<br />
<br />
<br />
==Ret-2-Libc/Ret-2-Shared-Lib==<br />
Windows XP Service Pack 2 will not allow a ret instruction to return to a location inside of a data or bss segment. Needless to say, this is an improvement; however, it is not a sure-fire fix. For example, say we have found a stack overflow that allows us not only to overwrite the return address for the function, but also to overwrite the value of the eax register. While the return pointer cannot be set to a location within the buffer, the return pointer CAN be set to the location of a jmp eax instruction. So if we put the location of our code in the overwritten eax register and the location of jmp eax into the return pointer, we have successfully bypassed Windows XP Service Pack 2's data execution prevention system. Some good [[memory addresses]] from research can be found as follows :<br />
<br />
Windows XP Service Pack 2 Professional English Edition<br />
<br />
'''ntdll.dll''':<br />
Mem Address Instruction<br />
'''0x7c9556d8''' jmp eax<br />
'''0x7c901231''' ret<br />
'''0x7c90eac5''' call eax<br />
'''0x7c93ee57''' call ebx<br />
'''0x7c9037bd''' call ecx<br />
'''0x7c961819''' call edi<br />
<br />
'''kernel32.dll''':<br />
Mem Address Instruction<br />
'''0x7c8106f8''' jmp ecx<br />
<br />
==Magic Numbers and ASLR==<br />
I'm sure that this list will be constantly updated and/or rewritten as versions and the years go by. This is the simple DEP bypass for Windows XP SP2. As mentioned before, Windows Vista employs something called [[ASLR|Address Space Layout Randomization]]. To bypass this runtime data execution prevention, one must overwrite what is called the SEH frame, or the Structured Exception Handler frame. This frame is located near the bottom of the stack and is used to define whether the [[applications|application]] uses Windows' exception handler or its own exception handler. Generally speaking, exploitation is much more successful when the attacker writes his or her own exception handler for the vulnerable application. An overwritten exception handler allows for what is called a "magic number attack", an attack where the attacker no longer needs to know the location of his [[shellcode]]; instead the attacker uses the exception handler to find out the location and jump to it during the exception handling execution cycle, not only bypassing data execution prevention but also making his or her exploitation cross-version compatible, as no absolute pointers are needed for this type of exploitation.<br />
<br />
[[Category:Buffer Overflows]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Web_Exploitation&diff=1421Web Exploitation2011-09-13T04:23:21Z<p>MargeryLeddy: </p>
<hr />
<div>Web exploitation is attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web applications|web application]]. There are numerous ways to exploit [[vulnerability|vulnerabilities]], so only some of the basics will be covered here. Any of the topics covered below can by itself be dangerous enough to cripple an entire server or website, gaining enough access to remotely take over daemons and services, "spawn a shell," or obtain system- or root-level access.<br />
<br />
<br />
<br />
====Escape Strings====<br />
Null [[Byte|bytes]], escape strings, and [[SQL injection]] all work the same way. When a computer sees a combination of characters as user [[input]], it is called a string. In many languages strings are terminated by null [[Byte|bytes]], or by other escape sequences. In other words, if the computer sees a null [[byte|Byte]] in a combination of user [[input]], the computer assumes that the null [[byte|Byte]] is the end of the [[input]], allowing an attacker to inject malicious code into the space between the real end of the [[input]] and what the computer believes to be the end of the [[input]]. So for example, sometimes null [[Byte|bytes]] are used to perform directory traversal. IIS web servers hold all of the information they serve in C:\InetPub; however, the attacker wants to see the C drive itself. As a result, the attacker requests: <br />
/%00../<br />
<br />
<br />
====Directory Traversal & Null Bytes====<br />
The “%00” is a null [[byte|Byte]]. The string of characters "../" is a request for a higher level directory. Ordinarily, the [[HTTP]] server would never show you the higher level directory; however, because it doesn't realize that the higher level directory was asked for, the attacker is able to look at a higher level directory. The web server only sees the domain, because the %00 blinds it to the %00 and everything after it; however, when it processes the request to retrieve the file, the request is to view “../”, which is the higher level directory.<br />
<br />
<br />
====Other Escape Strings====<br />
A null [[byte|Byte]] is a small example of an "escape string". An escape string is any character or combination thereof that a program will recognize as the end of user [[input]]. For example, the escape string used in [[SQL injection]] is usually an apostrophe ('), or %27, which is the bytecode representation of an apostrophe. Remote [[SQL injection]] vulnerabilities affect [[Database|databases]]. [[SQL]] is widely used by things like shopping carts, forums, dynamic web sites like MySpace, deviantart, facebook, and the like, as well as banks, credit unions, and other financial institutions. When [[SQL injection]] can be successfully exploited it is a critical [[vulnerability]] in the affected site and should be [[patched]] immediately, because it may lead to compromise or loss of customer data, employee data, financial data, or anything else stored in the [[SQL]] [[database]]. [[SQL injection]] has two attack vectors, one in a URL, the other in a web based form.<br />
<br />
Penetration testing a site is different from penetration testing a network, and different from penetration testing a server. However, it is good to point out that by compromising the [[web applications|web application]] layer the server can sometimes be compromised, and by compromising the server, the web application layer can sometimes be compromised. <br />
<br />
<br />
====Web Applications====<br />
Another few steps back. Many web sites run [[web applications]] for the purpose of dynamic content. Usually this would include an [[SQL]] [[database]] backend of some sort, and web [[applications]] (like forums, talkboards, content management systems, and blogs) are generally written in (but not limited to) [[PHP]], [[python]], [[perl]], [[ASP]], [[ASPX (.NET 2.0+)]], [[ruby]], or other form of [[CGI]]. Other web exploitation includes [[XSS]], [[CSRF]], and [[file inclusion]].<br />
<br />
<br />
====Tools====<br />
*Nikto<br />
*Wikto<br />
*Absinthe<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Web_Exploitation&diff=1420Web Exploitation2011-09-13T04:22:59Z<p>MargeryLeddy: </p>
<hr />
<div>Web exploitation is attacking and taking advantage of a [[vulnerability]] in a computer system through a [[web application]]. There are numerous ways to exploit [[vulnerability|vulnerabilities]], so only some of the basics will be covered here. Any of the topics covered below can by itself be dangerous enough to cripple an entire server or website, gaining enough access to remotely take over daemons and services, "spawn a shell," or obtain system- or root-level access.<br />
<br />
<br />
<br />
====Escape Strings====<br />
Null [[Byte|bytes]], escape strings, and [[SQL injection]] all work the same way. When a computer sees a combination of characters as user [[input]], it is called a string. In many languages strings are terminated by null [[Byte|bytes]], or by other escape sequences. In other words, if the computer sees a null [[byte|Byte]] in a combination of user [[input]], the computer assumes that the null [[byte|Byte]] is the end of the [[input]], allowing an attacker to inject malicious code into the space between the real end of the [[input]] and what the computer believes to be the end of the [[input]]. So for example, sometimes null [[Byte|bytes]] are used to perform directory traversal. IIS web servers hold all of the information they serve in C:\InetPub; however, the attacker wants to see the C drive itself. As a result, the attacker requests: <br />
/%00../<br />
<br />
<br />
====Directory Traversal & Null Bytes====<br />
The “%00” is a null [[byte|Byte]]. The string of characters "../" is a request for a higher level directory. Ordinarily, the [[HTTP]] server would never show you the higher level directory; however, because it doesn't realize that the higher level directory was asked for, the attacker is able to look at a higher level directory. The web server only sees the domain, because the %00 blinds it to the %00 and everything after it; however, when it processes the request to retrieve the file, the request is to view “../”, which is the higher level directory.<br />
<br />
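How a web server can refuse the "/%00../" request described in the Escape Strings and Directory Traversal sections above instead of being blinded by it, as an added example that is not part of this wiki page (WEB_ROOT and the sample request paths are constructed; File.expand_path is purely lexical, so nothing here touches the filesystem):<br />

```ruby
# Constructed document root standing in for the article's C:\InetPub.
WEB_ROOT = "/var/www/inetpub".freeze

# Decode %XX escapes exactly once ("%00" -> "\0", "%2e" -> ".").
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Map a request path onto a file under web_root, or say why it was refused.
# Returns [:ok, absolute_path] or [:rejected, reason].
def resolve_request_path(raw_path, web_root = WEB_ROOT)
  decoded = percent_decode(raw_path)

  # A NUL byte has no business in a URL path. Left in, C-string based code
  # sees the request end here while the later file open sees the "../";
  # File.expand_path itself raises ArgumentError on a string containing "\0".
  return [:rejected, :null_byte] if decoded.include?("\0")

  # Resolve "." and ".." lexically against the web root ...
  relative = decoded.sub(%r{\A/+}, "")
  absolute = File.expand_path(relative, web_root)

  # ... then refuse anything that escaped the root, whatever encoding it used.
  unless absolute == web_root || absolute.start_with?(web_root + "/")
    return [:rejected, :traversal]
  end
  [:ok, absolute]
end

# Constructed request paths, including the article's "/%00../".
SAMPLE_REQUESTS = [
  "/index.html",
  "/%00../",
  "/../../boot.ini",
  "/%2e%2e/%2e%2e/boot.ini",
  "/images/../index.html",
].freeze

def classify_requests(paths = SAMPLE_REQUESTS, web_root = WEB_ROOT)
  paths.to_h { |p| [p, resolve_request_path(p, web_root)] }
end

if $PROGRAM_NAME == __FILE__
  classify_requests.each do |path, result|
    puts "#{path.ljust(26)} => #{result.inspect}"
  end
end
```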
<br />
====Other Escape Strings====<br />
A null [[byte|Byte]] is a small example of an "escape string". An escape string is any character or combination thereof that a program will recognize as the end of user [[input]]. For example, the escape string used in [[SQL injection]] is usually an apostrophe ('), or %27, which is the bytecode representation of an apostrophe. Remote [[SQL injection]] vulnerabilities affect [[Database|databases]]. [[SQL]] is widely used by things like shopping carts, forums, dynamic web sites like MySpace, deviantart, facebook, and the like, as well as banks, credit unions, and other financial institutions. When [[SQL injection]] can be successfully exploited it is a critical [[vulnerability]] in the affected site and should be [[patched]] immediately, because it may lead to compromise or loss of customer data, employee data, financial data, or anything else stored in the [[SQL]] [[database]]. [[SQL injection]] has two attack vectors, one in a URL, the other in a web based form.<br />
<br />
Penetration testing a site is different from penetration testing a network, and different from penetration testing a server. However, it is good to point out that by compromising the [[web applications|web application]] layer the server can sometimes be compromised, and by compromising the server, the web application layer can sometimes be compromised. <br />
<br />
<br />
====Web Applications====<br />
Another few steps back. Many web sites run [[web applications]] for the purpose of dynamic content. Usually this would include an [[SQL]] [[database]] backend of some sort, and web [[applications]] (like forums, talkboards, content management systems, and blogs) are generally written in (but not limited to) [[PHP]], [[python]], [[perl]], [[ASP]], [[ASPX (.NET 2.0+)]], [[ruby]], or other form of [[CGI]]. Other web exploitation includes [[XSS]], [[CSRF]], and [[file inclusion]].<br />
<br />
<br />
====Tools====<br />
*Nikto<br />
*Wikto<br />
*Absinthe<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Buffer_overflow&diff=1419Buffer overflow2011-09-13T04:18:50Z<p>MargeryLeddy: /* Defenses */</p>
<hr />
<div>'''Buffer overflow''', or '''Buffer Overrun''', is a software error triggered when a program doesn't adequately control the amount of data that is copied into the [[buffer]]: if this amount exceeds the preassigned capacity, the remaining bytes are stored in adjacent memory areas, overwriting their original contents. This may lead to arbitrary code execution and allow access to a vulnerable system. <br />
<br />
{{cleanup}}<br />
<br />
==Description==<br />
For example, when an Alzheimer's patient is confronted with a particular set of circumstances, s/he may try to remember what s/he should do in that situation. When the patient tries to remember what to do, the patient may remember the wrong thing - and therefore do something different. If a psychologist had inserted false memories, so that the patient remembered what the psychologist wanted them to and acted according to the psychologist's instructions, the psychologist has then controlled the Alzheimer’s patient. The same follows for a computer. A computer receives [[input]], remembers what to do with the [[input]], and then does it. If an attacker on the internet could control the memory of a computer, the computer would remember the wrong thing to do, and do it because it doesn't know any better. This is what happens during a buffer overflow attack.<br />
<br />
The memory of a computer is much like a post office. Each piece of mail goes to a mailbox or a P.O. box, and each P.O. box can only hold one piece of mail at a time. Suppose for a moment that the post office that represents the computer's memory has 500 P.O. boxes. Boxes 1-200 are for data that the user sends into the computer, and boxes 201-500 hold instructions for what to do with that data. Now what happens if a user sends in 300 pieces of data or mail? Well, a secure program would tell the user "I can only hold 200 pieces, I'm not taking any more mail", but an insecure program would simply take all the data into boxes 1-300. So now, when the computer remembers what to do, it lands on P.O. box 201. If the user were an attacker, couldn't s/he put malicious instructions inside of P.O. box 201? Of course! This is why the buffer overflow is such a dangerous [[vulnerability]]. Though it is a dying attack vector, the buffer overflow is still very prominent today.<br />
<br />
In actuality, there is a [[return address]] that the computer uses to remember where its instructions are. So if an attacker filled up P.O. boxes 1-201, and box 201 contained the return address, and the attacker changed the return address to P.O. box 1, the computer would execute the data instead of just keeping it in memory. This means that the attacker has to know enough about the system to know what address the malicious instructions are going to, because otherwise the attacker will not know the correct return address to put into P.O. box 201. In short, the attacker has to aim precisely, or the attack will be unsuccessful.<br />
<br />
==Defenses==<br />
There are multiple defenses that have been incorporated into runtime environments in an attempt to fight buffer overflows and prevent them from taking place. One of the most recent defense mechanisms is called [[ASLR]], which stands for [[ASLR|Address Space Layout Randomization]]. It ensures that every time the computer reboots and every time a program runs, the address space the program lives in changes. In other words, following our mailbox analogy, the return address will never be in the same mailbox. The point of this is to prevent an attacker from performing a buffer overflow exploit, because the attacker can never aim properly. Unfortunately, attackers have discovered something called "Magic Numbers", which tricks the error handler for programs and allows an attacker to aim his attack correctly without having to know a return address.<br />
<br />
Another defense mechanism that has been implemented is called [[DEP]], which stands for [[DEP|Data Execution Prevention]]. This is an attempt to prevent the return address from being changed into something in the same memory space as the data, and also to prevent [[machine code]] (the code that buffer overflows are crafted in) from being placed into data segments. To combat this defense mechanism, attackers have developed ASCII and [[ascii shellcode|polymorphic ASCII]] [[machine code]]. ASCII and polymorphic ASCII code looks like normal user [[input]] instead of [[machine code]].<br />
<br />
An even further defense mechanism is called StackGuard, which is another layer of [[DEP|Data Execution Prevention]]. StackGuard attempts to identify all possible results of code from data within the buffer (or the data segment) and then prevents the [[applications|application]] from calling external functions in shared objects from inside the buffer. A version of this has been implemented in Cisco Security Agent, or [[CSA]].<br />
<br />
So with [[CSA]], [[ASLR]], and operating-system supplied [[DEP]], successfully performing a buffer overflow exploit against a system running with [[CSA]] is extremely difficult. Any attacker who makes it to the point where [[CSA]] catches it is already very advanced. To successfully subvert [[ASLR]], [[DEP]] and StackGuard one must use [[polymorphic]] [[ascii shellcode|ASCII shellcode]], in other words, [[machine code]] that self-modifies, looks like standard user [[input]], and has all of its own functions built into its own code. The return address must always be specified in normal hexadecimal format, so it will usually look like some really funny characters, like squares or strange symbols. The [[IDS]] or [[HIDS]] context buffer will show four squares or symbols on the end in a real buffer overflow exploit attempt on 32-bit systems, and eight squares or symbols on the end on a 64-bit system.<br />
<br />
==Maximum Effectiveness==<br />
Sometimes attackers and pen-testers alike use what is called [[Second Stage Shellcode]]. Many times [[firewall]] rules will prevent any connections outgoing from a server machine and prevent all incoming connections except for connections on the specified server port. Because of this, attackers use what is called [[Second Stage Shellcode]] to first find the connection that the exploit originated from, and then send the output of the arbitrary functions back along the first connection. This is done to circumvent [[Firewall|firewalls]] and prevent a [[firewall]] from blocking a connection.<br />
<br />
Buffer overflows can be used remotely to gain partial or total system access, or they can be used locally to escalate privileges and permissions inside the operating system in order to gain system or root level access. The real threat that a buffer overflow poses is what is called the "[[Zero-Day attack]]", that is, a buffer overflow that the [[security]] world has never seen before. [[Zero-Day attack|Zero-Day]] or [[Zero-Day attack|0day]] attacks are the most devastating to the [[security industry]], causing [[worms]], [[viruses]], and sometimes even hundreds of thousands of systems to be compromised in a single day.<br />
<br />
==Causes==<br />
Buffer overflows exist because of a combination of insecure language [[Compiler|compilers]], insecure [[Programmer|programmers]], and CPU architectures that keep the [[return address]] of a function call on the stack. A [[programmer]] should be able to check [[input]] to the data segment with relative ease; however, coders are often either ignorant of the problem or overlook the flaw, and sometimes a disgruntled employee might even code the [[vulnerability]] into an application himself for his own personal gain after the application goes into [[production]].<br />
<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Network_Recon&diff=1418Network Recon2011-09-13T04:13:17Z<p>MargeryLeddy: /* Intro */</p>
<hr />
<div>=Intro=<br />
One of the first phases of an attack is network surveillance. Tools for this are publicly available, although many auditors and penetration testers choose to hand-roll their own. First we'll step back a little into network topology in general and explain the basic concepts of [[IP address|IP addressing]], [[subnetting]], and some fundamentals about how the internet works. This is a lot of information, so do not be upset if you become frustrated.<br />
You may want to start with a little bit of hex, hex being short for [[Assembly_Basics#Counting|hexadecimal]].<br />
==IP Addressing==<br />
An [[IP address]] is 32 bits, or four bytes. Because the highest value a [[byte|Byte]] can hold is 255 and the lowest is 0, this is the range of any [[Octet]]. Because an [[IP address]] contains four bytes, there are four octets in an [[IP address]]. The '0' value is reserved for the network, and the '255' value is reserved for what is called a broadcast. That means that [[IP address|IP addresses]] will typically not end in 0 or 255, because those numbers are reserved for other things. There are also certain "reserved" addressing ranges:<br />
<br />
<br />
127.*.*.* - This is reserved in RFC 1918 for the local host. If you ever do anything to an IP address starting in 127, you will be performing these actions to your local machine.<br />
<br />
192.168.*.* - This is reserved in RFC 1918 for the local network. If you come across this type of IP address, it is not a machine out there on the internet, but one likely in your own house or another computer at the coffee shop you're hanging out in.<br />
<br />
172.*.*.* - This is reserved in RFC 1918 for the same purpose as above.<br />
<br />
169.254.*.* - Same as above<br />
<br />
10.*.*.* - Same as above<br />
<br />
==Ports==<br />
Any computer with an IP address has up to 65535 ports. A port is kind of like a phone line, and an IP address is kind of like a street address. The [[HTTP]] protocol, for example, runs on port 80 on the [[server]]. So, when you go to a site (e.g. google.com), first your web browser looks up google.com's [[IP address]] using a service called [[DNS]] (Domain Name System) and then connects to that [[IP address]] on port 80. The reason for the [[DNS]] service is that computers talk to each other through [[IP address|IP addresses]], and domain names (e.g. google.com) are an easier way for us humans to remember how to get from place to place.<br />
<br />
==Routing==<br />
Any computer on the internet has something called a '[[gateway]]' or 'border [[router]]'. This [[router]] is the upstream [[router]] that connects it and its peers to the rest of the internet. By compromising this [[router]], attackers are able to monitor traffic between the target host and the rest of the internet, kind of like a phone bug. The act of monitoring traffic in such a way is called [[sniffing]].<br />
<br />
==Theory==<br />
From a technical standpoint, the important things to an attacker when first running surveillance are the open ports, the network information, and the upstream router. [[Password]] wordlists can be made from content within the target site, assuming there is one, as well as from any information that can be gleaned about employees. <br />
<br />
In order to determine the border router, we'll use a utility called [[traceroute]]. On Windows the command is `tracert' and on [[linux]] the command is `[[traceroute]]'. This command-line tool allows you to follow your traffic from your own machine to another host. Sometimes the remote host has network-layer measures in place to prevent the [[traceroute]] from completing. There are methods to evade this as well.<br />
<br />
Alternatively, you can use the [[traceroute]] engine on our free services page. I recommend using tracert with the -d flag on Windows, since it avoids hostname lookups (making it run faster). If [[Protocols|ICMP]]/[[Protocols|UDP]] [[traceroute]] seems to be ineffective, you can use a [[TCP traceroute]]. When tracerouting a web [[server]], you can trace to [[Protocols|TCP]] port 80; when tracerouting a [[DNS]] server, you can trace to [[Protocols|UDP]] port 53. Methods like this are often used when there is no other choice. You will always be able to identify the border [[router]] (and potentially a [[firewall]]) because it will be the next-to-last hop before the target host. <br />
<br />
For port scanning, which scans for open ports on a system, the [[nmap]] utility is virtually unparalleled. While you can write your own port scanner, nmap already has every option anyone could think of; there is no point in re-inventing the wheel. Nmap is available from nmap.org, or you can use the port scan on our free services page.<br />
<br />
Lastly, we'll go over obtaining additional network information. Additional network information, such as mail server and [[DNS]] information, can be utilized in an attack as well. By running `[[whois]]' on the target domain, you can obtain the [[DNS]] server addresses as well as the domain's registrar. Using the [[linux]] command line utility `[[dig]]', you can obtain [[MX records]] (dig -t MX domain.tld), which will point you in the direction of the mail server. <br />
<br />
You can type any of the commands in this tutorial by themselves on the correct operating system and they should appropriately greet you with some sort of help screen indicating the different options and their uses.<br />
<br />
==Tools==<br />
<br />
[http://blackhatacademy.org/free-services.php Free Services]<br />
<br />
As far as what tools to use, nikto and nmap are good for web application and server scanning, respectively. Some common command lines (with the example target: target.net) are as follows:<br />
<br />
user@host# nmap -sS -A -sV -O -P0 --defeat-rst-ratelimit target.net<br />
user@host# ./nikto.pl -evasion 9 -host target.net<br />
<br />
<br />
Nmap is a good tool for mapping out what daemons are running on the server. This is important, because each daemon could be a chink in the armor of the site. [[Command Injection]], [[Buffer Overflows]], and null-byte/escape string vulnerabilities may plague any of these daemons, so generally after scanning a machine and getting a decent version print I try to google for vulnerabilities in any/all of the running daemons unless I know one off the top of my head. Keep in mind that if target.net is running an application called "Port Sentry", nmap may come back thinking that every port is open. If this is the case, you may want to try running:<br />
<br />
user@host# nmap -sS -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net<br />
<br />
or even<br />
<br />
user@host# nmap -sX -A -sV -O -P0 -T paranoid --defeat-rst-ratelimit target.net<br />
<br />
As it stands, nikto does a great job of mentioning CVE references for any vulnerabilities it discovers. Just remember that you can sometimes get a lot of false positives. If nikto doesn't mention a URL for a reference but lists a CVE reference, just [http://lmgtfy.com/?q=CVE+References&l=1 ask google about it]! :)<br />
<br />
[[Category:Network Security]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Segmentation_fault&diff=1370Segmentation fault2011-09-06T10:25:02Z<p>MargeryLeddy: Created page with "'''Segmentation fault''' (segfault) or '''access violation''' is when an application tries to access a wrong or unauthorized memory location, and its stopped by the [[operative s..."</p>
<hr />
<div>'''Segmentation fault''' (segfault) or '''access violation''' is when an application tries to access a wrong or unauthorized memory location and is stopped by the [[operative system|operating system]], generating an error.<br />
<br />
<br />
== Overview ==<br />
<br />
With current operating systems, each process has one or more segments of the system memory in which it can store and retrieve information. Each process can request more or less memory (as needed), and the request will be recognized by the operating system and compared with the memory section given to the process. Generally, the process that requested the memory is the only one that can read or modify it.<br />
<br />
A segmentation fault occurs when a process attempts to access a portion of memory allocated to another application, or an unused area of memory, without permission. It usually occurs as a result of a programming error, for example a stray pointer. Another way to get a segmentation fault is physically faulty memory: a program that has written data to memory will later try to read it back, but because of the memory failure the data may have been lost, so the program treats that memory address as empty or unused and triggers the error.</div>MargeryLeddyhttps://nets.ec/index.php?title=Lisp&diff=1356Lisp2011-09-05T08:25:46Z<p>MargeryLeddy: </p>
<hr />
<div>'''Lisp''' or '''LISP''' (''LISt Processing'') is one of the oldest families of programming languages, characterized by its strength, dynamism, and parenthesized syntax.<br />
<br />
<br />
== Lesson ==<br />
<br />
In the information security business, one tends to hear more about the low-level aspects of programming than the elegant, academic ones. Lisp is an example of something that has fallen by the wayside. Lisp is a computer programming language, but it is vastly different from most languages you are likely familiar with. Instead of using 2 + 2 for addition, it would be written as (+ 2 2). While this can seem complicated at the small scale, this syntax allows for elegance at a larger scale. For example, it is easier to write (+ 1 2 3 4 5 6 7 8 9 10) than to write each number with an operator between it and the next one. It also makes the order-of-operations confusion that is common in C hard to come by: you know for a fact that each parenthesized grouping evaluates before the enclosing one. (* (+ 1 2) (- 5 2)) is much clearer than the alternative. <br />
<br />
Learning about Lisp isn't going to make you a better exploit researcher, but it can make you a better tool-writer to leverage the exploits that you find. Lisp's syntactic power comes from macros. Imagine that you have a program which involves repetitive code, such as database probing, XML parsing, or something similar. Macros allow you to say "Every time I say something like this, interpret it like this." It is the C preprocessor on steroids. For example, suppose you code up a script which connects to a server on a port, executes a piece of code, and transmits the return value to the server. With a macro, you could just wrap that up in a (send function operand1 operand2) notation. Lisp also allows for functional programming, lazy evaluation, and object-oriented programming with the Common Lisp Object System. Lisp is truly a gentleman's language. Grasping Lisp will make you a better programmer, even if you primarily code in another language.<br />
<br />
A wiki page can only scratch the surface of Lisp's elegance. Anyone interested should read Paul Graham's (now free) book, which is available [http://lib.store.yahoo.net/lib/paulgraham/onlisp.pdf/ here].</div>MargeryLeddyhttps://nets.ec/index.php?title=JQuery&diff=1354JQuery2011-09-05T08:10:12Z<p>MargeryLeddy: </p>
<hr />
<div>'''jQuery''' is a [[JavaScript]] library that simplifies [[HTML]] document traversing, event handling, animating, and [[Ajax]] interactions.<br />
<br />
==Example==<br />
Here is an example piece of code written in jQuery:<br />
<br />
<nowiki>$('div.container').html('hello world');</nowiki><br />
<br />
<b>$('div.container')</b><br />
<br />
This is a selector which selects all <b>div</b>s with the class name <b>container</b>. The period (<b>.</b>) that precedes the name means that you want to select elements with the class name <b>container</b>. You can use a hash mark (<b>#</b>) to select the div with the <b>id</b> container instead.<br />
<br />
<b>.html('hello world')</b><br />
<br />
Now that you have selected your element, you have to do something with it. In this case, you would be using the html function. Every function takes different parameters to provide different functionality; in this case, if you specify a first argument to the html function ('hello world'), you will <b>change the contents of the inner HTML</b> of the selected element. If you just wanted to get the contents of the inner HTML (the data between the &lt;div&gt; tags), you would simply call the html function without any arguments.<br />
<br />
<br />
== External Links ==<br />
<br />
* [http://jquery.com/ jQuery Homepage]</div>MargeryLeddyhttps://nets.ec/index.php?title=ARP&diff=1329ARP2011-09-04T20:57:57Z<p>MargeryLeddy: </p>
<hr />
<div><b>A</b>ddress <b>R</b>esolution <b>P</b>rotocol<br />
<br />
{{cleanup}}<br />
<br />
ARP is used to map [[MAC addresses]] to [[IP address|IP addresses]] on a [[LAN]]. For information on protecting this protocol, see [[static ARP configuration]] for your appropriate [[Operating System|OS]]. For information regarding the auditing or attacking of this protocol, please see [[arp poisoning|ARP poisoning]]. <br />
<br />
In Linux your ARP table is available by typing:<br />
arp -a<br />
<br />
in the console. Example output:<br />
<br />
root@example:~# arp -a<br />
? (192.168.1.1) at c0:c1:c0:f7:34:a6 [ether] on wlan0<br />
<br />
You can delete an entry with '''arp -d IP_ADDRESS''' or add a static entry with '''arp -s IP_ADDRESS MAC'''.<br />
<br />
More information available in the [[protocols]] section.<br />
<br />
[[Category:Protocols]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Buffer_overflow&diff=1327Buffer overflow2011-09-04T20:50:53Z<p>MargeryLeddy: /* Causes */</p>
<hr />
<div>'''Buffer overflow''', or '''buffer overrun''', is a software error triggered when a program doesn't adequately control the amount of data that is copied into a [[buffer]]: if that amount exceeds the buffer's preassigned capacity, the remaining bytes are stored in adjacent memory areas, overwriting their original content. This may lead to arbitrary code execution and allow access to a vulnerable system. <br />
<br />
{{cleanup}}<br />
<br />
==Description==<br />
For example, when an Alzheimer's patient is confronted with a particular set of circumstances, s/he may try to remember what s/he should do in that situation. When the patient tries to remember what to do, the patient may remember the wrong thing - and therefore do something different. If a psychologist had inserted false memories, so that the patient remembered what the psychologist wanted them to and acted according to the psychologist's instructions, the psychologist has then controlled the Alzheimer’s patient. The same follows for a computer. A computer receives [[input]], remembers what to do with the [[input]], and then does it. If an attacker on the internet could control the memory of a computer, the computer would remember the wrong thing to do, and do it because it doesn't know any better. This is what happens during a buffer overflow attack.<br />
<br />
The memory of a computer is much like a post office. Each piece of mail goes to a mailbox or a P.O. box, and each P.O. box can only hold one piece of mail at a time. Suppose for a moment that the post office that represents the computer's memory has 500 P.O. boxes. Boxes 1-200 are for data that the user sends into the computer, and boxes 201-500 hold instructions for what to do with that data. Now what happens if a user sends in 300 pieces of data or mail? Well, a secure program would tell the user "I can only hold 200 pieces, I'm not taking any more mail", but an insecure program would simply take all the data into boxes 1-300. So now, when the computer remembers what to do, it lands on P.O. box 201. If the user were an attacker, couldn't s/he put malicious instructions inside of P.O. box 201? Of course! This is why the buffer overflow is such a dangerous [[vulnerability]]. Though it is a dying attack vector, the buffer overflow is still very prominent today.<br />
<br />
In actuality, there is a [[return address]] that the computer uses to remember where its instructions are. So if an attacker filled up P.O. boxes 1-201, and box 201 contained the return address, and the attacker changed the return address to P.O. box 1, the computer would execute the data instead of just keeping it in memory. This means that the attacker has to know enough about the system to know what address the malicious instructions are going to, because otherwise the attacker will not know the correct return address to put into P.O. box 201. In short, the attacker has to aim precisely, or the attack will be unsuccessful.<br />
<br />
==Defenses==<br />
There are multiple defenses that have been incorporated into runtime environments in an attempt to fight buffer overflows and prevent them from taking place. One of the most recent defense mechanisms is called [[ASLR]], which stands for [[ASLR|Address Space Layout Randomization]]. It ensures that every time the computer reboots and every time a program runs, the address space the program lives in changes. In other words, following our mailbox analogy, the return address will never be in the same mailbox. The point of this is to prevent an attacker from performing a buffer overflow exploit, because the attacker can never aim properly. Unfortunately, attackers have discovered something called "Magic Numbers", which tricks the error handler for programs and allows an attacker to aim his attack correctly without having to know a return address.<br />
<br />
Another defense mechanism that has been implemented is called [[DEP]], which stands for [[DEP|Data Execution Prevention]]. This is an attempt to prevent the return address from being changed into something in the same memory space as the data, and also to prevent [[machine code]] (the code that buffer overflows are crafted in) from being placed into data segments. To combat this defense mechanism, attackers have developed ASCII and [[ascii shellcode|polymorphic ASCII]] [[machine code]]. ASCII and polymorphic ASCII code looks like normal user [[input]] instead of [[machine code]].<br />
<br />
An even further defense mechanism is called StackGuard, which is another layer of [[DEP|Data Execution Prevention]]. StackGuard attempts to identify all possible results of code from data within the buffer (or the data segment) and then prevents the application from calling external functions in shared objects from inside the buffer. A version of this has been implemented in Cisco Security Agent, or [[CSA]].<br />
<br />
So with [[CSA]], [[ASLR]], and operating-system supplied [[DEP]], successfully performing a buffer overflow exploit against a system running with [[CSA]] is extremely difficult. Any attacker who makes it to the point where [[CSA]] catches it is already very advanced. To successfully subvert [[ASLR]], [[DEP]] and StackGuard one must use [[polymorphic]] [[ascii shellcode|ASCII shellcode]], in other words, [[machine code]] that self-modifies, looks like standard user [[input]], and has all of its own functions built into its own code. The return address must always be specified in normal hexadecimal format, so it will usually look like some really funny characters, like squares or strange symbols. The [[IDS]] or [[HIDS]] context buffer will show four squares or symbols on the end in a real buffer overflow exploit attempt on 32-bit systems, and eight squares or symbols on the end on a 64-bit system.<br />
<br />
==Maximum Effectiveness==<br />
Sometimes attackers and pen-testers alike use what is called [[Second Stage Shellcode]]. Many times [[firewall]] rules will prevent any connections outgoing from a server machine and prevent all incoming connections except for connections on the specified server port. Because of this, attackers use what is called [[Second Stage Shellcode]] to first find the connection that the exploit originated from, and then send the output of the arbitrary functions back along the first connection. This is done to circumvent [[Firewall|firewalls]] and prevent a [[firewall]] from blocking a connection.<br />
<br />
Buffer overflows can be used remotely to gain partial or total system access, or they can be used locally to escalate privileges and permissions inside the operating system in order to gain system or root level access. The real threat that a buffer overflow poses is what is called the "[[Zero-Day attack]]", that is, a buffer overflow that the [[security]] world has never seen before. [[Zero-Day attack|Zero-Day]] or [[Zero-Day attack|0day]] attacks are the most devastating to the [[security industry]], causing [[worms]], [[viruses]], and sometimes even hundreds of thousands of systems to be compromised in a single day.<br />
<br />
==Causes==<br />
Buffer overflows exist because of a combination of insecure language [[Compiler|compilers]], insecure [[Programmer|programmers]], and CPU architectures that keep the [[return address]] of a function call on the stack. A [[programmer]] should be able to check [[input]] to the data segment with relative ease; however, coders are often either ignorant of the problem or overlook the flaw, and sometimes a disgruntled employee might even code the [[vulnerability]] into an application himself for his own personal gain after the application goes into [[production]].<br />
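As an added illustration (this code is not from the wiki page, and it serves both copies of this article in the feed), here is the post-office analogy from the Description section and the input check from the Causes section in C: a 200-byte buffer standing in for boxes 1-200, a copy routine that never checks its capacity, and one that refuses input that does not fit. All function names and the 'A'-filled inputs are constructed for this example.<br />

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the wiki page. The 200-byte buffer plays the role
 * of "P.O. boxes 1-200" in the analogy; anything written past it lands on
 * whatever the compiler placed next (other data, the saved return address). */
#define BOX_COUNT 200

/* Insecure version: strcpy copies until it finds the input's terminating NUL
 * and never consults the destination's size. Input longer than BOX_COUNT - 1
 * characters is written past the end of `boxes`, which is exactly the
 * overflow the article describes. Kept only for contrast; this example never
 * calls it with oversized input. */
static void store_unchecked(char *boxes, const char *input)
{
    strcpy(boxes, input);
}

/* Hardened version: measures the input without ever reading past `capacity`,
 * and refuses it when it does not fit together with its terminating NUL.
 * Returns 0 when stored, -1 when rejected ("I can only hold 200 pieces,
 * I'm not taking any more mail"). */
static int store_checked(char *boxes, size_t capacity, const char *input)
{
    size_t len = 0;

    /* bounded scan: stop at the NUL or at the capacity limit */
    while (len < capacity && input[len] != '\0') {
        len++;
    }
    if (len >= capacity) {
        return -1;                      /* no room for len bytes plus the NUL */
    }
    memcpy(boxes, input, len + 1);      /* len + 1 copies the NUL as well */
    return 0;
}

/* Constructed input for the demonstration: n copies of 'A', NUL-terminated.
 * dst must hold at least n + 1 bytes. */
static void fill_input(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

/* Demonstration wrapper: builds an n-byte input and reports whether
 * store_checked accepts it (0) or rejects it (-1). */
static int demo_store(size_t n)
{
    char boxes[BOX_COUNT];
    char input[400];

    if (n >= sizeof input) {
        return -1;                      /* the scratch input buffer is too small */
    }
    fill_input(input, n);
    return store_checked(boxes, sizeof boxes, input);
}

int main(void)
{
    size_t sizes[] = { 150, 199, 200, 300 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%3zu pieces of mail: %s\n", sizes[i],
               demo_store(sizes[i]) == 0 ? "stored" : "rejected");
    }
    /* store_unchecked with the 300-byte input would write 101 bytes beyond
     * `boxes`; referenced here only so the compiler does not warn about an
     * unused function. */
    (void)store_unchecked;
    return 0;
}
```

Running it prints "stored" for 150 and 199 bytes (199 characters plus the NUL exactly fill the buffer) and "rejected" for 200 and 300 bytes.<br />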
<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Social_Engineering&diff=1322Social Engineering2011-09-04T20:15:44Z<p>MargeryLeddy: </p>
<hr />
<div>Social engineering is a term applied to the art of human manipulation as a means of getting a person to divulge information or perform an action of the manipulator's choosing.<br />
<br />
<br />
=Methods=<br />
==Email==<br />
Until the release of StormWorm, social engineering by means of email was a less commonly used method. The process involves an email crafted with the intent to trick the recipient into downloading something, executing something, or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten, and/or simply full of lies; anything to get the sender's desired reaction.<br />
<br />
See [[E-mail_Spoofing|email spoofing]] for more information on this topic.<br />
<br />
==Telephone==<br />
There are a variety of approaches a social engineer can use over the telephone. Impersonating figures of authority or people closely associated with loved ones are common roles assumed. Excessive flattery is usually one of the more successful approaches when interacting with the target, as a person is more open with people they do not perceive as a threat. If niceness is not successful, the manipulator will then resort to intimidation or fear-based attacks, which can involve anything from [[security]] threats on a network to harm of the target, though the latter is much less common as the social engineer often prefers to keep their intentions less obvious.<br />
<br />
==Examples==<br />
An example of using both email and telephone would be an email sent to create a weakness in a network, followed by a call informing an administrator of a [[security]] hole to which his configuration is [[Vulnerability|vulnerable]] and providing a website or link offering a malicious piece of software that the engineer will call the "[[Patch|patch]]" for the [[vulnerability]].<br />
<br />
Average employees are often vulnerable to social engineering attacks. For example, if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on), they may call the employee during off hours impersonating the employee's workplace and ask for the last four social security digits and the current [[password]] to "verify identity". This is followed by a story about a problem and that the employee's [[password]] is being reset, followed by giving the employee a new [[password]]. At the same time the attacker may have called the employer requesting a [[password]] reset to begin with, making both sides of the corporation believe there was an issue. The advantage of this is not only that the [[password]] was reset, but that eventual discovery of the compromised account by the corporation has been delayed.<br />
<br />
Other easily phoned social engineering attacks include knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themselves off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as the employee and "prove" the employee's identity in order to gain the routing and account information from the employee's paycheck or direct deposit. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask the accounting department for the Federal Tax ID or Employer Identification Number for the targeted individual. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets. <br />
<br />
The examples listed are only small illustrations of social engineering over electronic communication media. Organized crime, on the other hand, will not always rely on such techniques. In a targeted social engineering attack the target corporation may also fall prey to other variables such as malicious employees or sales agents of other corporations, and may furthermore fall victim to malicious clientele.<br />
<br />
<br />
==Lesson 1==<br />
Social Engineering - By Impact<br />
<br />
<br />
=== - Preface by Wikipedia ===<br />
<br />
<br />
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.<br />
<br />
<br />
<br />
=== - Outline of Social Engineering===<br />
<br />
<br />
This idea is more of a lifetime perspective, or a lifestyle. Creating milestones and reaching your targets allows you to start living a planned and directed life, a more efficient one. In order to achieve your goals, you should identify them and start implementing them immediately.<br />
<br />
Questions you should ask yourself include:<br />
# ''Where do you want to go?''<br />
# ''What are the milestones in between?''<br />
# ''How do you reach them?''<br />
# ''What do you look like when you have finished the milestone/target?''<br />
<br />
If you are planning a hack, define a finish line for yourself. Imagine yourself crossing this line; this is also known as self-actualisation. Also think about the milestones you must reach on the way to your final goal. An example of a social engineering target is a free pizza.<br />
<br />
<br />
<br />
=== - Analysing and Creating Milestones===<br />
<br />
<br />
Questions to aid in the creation of milestones:<br />
# ''What do you have to do?''<br />
# ''Who is going to help you?''<br />
# ''Who are you going to exploit?''<br />
# ''Who are you pretending to be?''<br />
<br />
<br />
<br />
=== - Mantras for Social Engineering===<br />
<br />
<br />
- Define short, middle and long range targets for your life planning; even if you don't have any yet, keep thinking until you work them out<br />
- Partition them into milestones<br />
- Recruit people who will help you reach these targets<br />
- Motivate yourself daily<br />
- Visualize yourself running over the finish line; that's the theory<br />
<br />
<br />
<br />
=== - Example===<br />
<br />
<br />
Employee 1, Andrew, does not get along with employee 2, Bob. Bob knows this and feels he must take action in order to stop having to deal with Andrew. This can be done by becoming Andrew's boss and then firing him. To attain this position of power, he identifies that he needs to become friendly with the big boss, Christian. Now Christian is not the target, but he is the milestone required in order to remove Andrew. Bob would then try to establish trust and a relationship in order to recruit Christian, and exploit this to achieve the target: the removal of Andrew.<br />
<br />
<br />
<br />
=== - Other Uses===<br />
<br />
<br />
When dealing with people on a professional basis in business, always try to leave an empathetic, pleased impression on them, a sense of mutual happiness. They will then associate happiness with you and therefore remember their relationship with you as positive. Non-verbal communication can also aid in this positive relationship: by lowering your head, opening your eyes wide, smiling and making physical contact, you can create an open and strong relationship.<br />
<br />
<br />
<br />
==Lesson 2 - Politeness==<br />
<br />
Social Engineering - The Power of Politeness - By Laurelai<br />
<br />
<br />
=== - Introduction===<br />
<br />
<br />
This lesson is about politeness and its use in social engineering. In most social engineering attempts you want a one-time goal, such as someone's password or access to a system, and after that you are done with the person.<br />
<br />
To make this one-time goal succeed, you need to emulate the same kinds of behaviour you would usually engage in when making someone your friend. Unfortunately, most people on the internet show a severe lack of social graces, which makes it difficult to engage in social engineering.<br />
<br />
The solution to this is forcing yourself to be polite all the time. At first this takes a lot of effort, but once it becomes a habit you will find that social engineering comes more easily. You can practice the basics by trying to make friends, as it uses the same skills.<br />
<br />
<br />
=== - Things To Keep in Mind===<br />
<br />
<br />
With this, you have to be really careful not to see your friends as targets. This requires mental discipline: if you start socialing (social engineering) your friends, they will notice, they will start to feel used, and you will lose them. So remember to keep socialing separate from your real friends.<br />
<br />
<br />
=== - Putting Social Engineering to Work===<br />
<br />
<br />
Once you have learned to be consistently polite, you will also notice an ease in your normal interactions with strangers. This is a good tool to have even if you aren't going to social engineer; you don't have to be overly formal, just polite, as it carries a long way. For some people, however, this does not work, as they will mistake it for a sign of weakness. For this reason, you are being taught other skills. :)<br />
<br />
Another thing to avoid is being too polite. Being too polite puts people off, and they see it as false.<br />
<br />
A more advanced technique is to first observe a group and see what its social norm is: are they friendly or somewhat hostile? Whatever it is, try to match it, not exactly but closely enough to look like "one of them".<br />
<br />
Any real con man will tell you that their scams are 90% truth and 10% lies; that helps with not contradicting yourself. Therefore, the best way to lie is to tell the truth. The feeling you want your target to have when you are done is that they feel good about having helped you; then they won't think about it too hard.<br />
<br />
<br />
=== - Protecting Yourself From Social Engineering===<br />
<br />
<br />
Now the reverse of this is defending yourself from being socialed. This part is harder, a lot harder, as the same pathways you use to make friends are the ones others might exploit. A proposed workaround is not to give anything until you have known the person for at least a month, since by then most social engineers will have moved on to easier prey.<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Social_Engineering&diff=1321Social Engineering2011-09-04T20:13:59Z<p>MargeryLeddy: /* Lesson 1 */</p>
<hr />
<div>Social engineering is a term applied to the art of manipulating humans as a means of having a person divulge information or perform an action of the manipulator's choosing.<br />
<br />
<br />
=Methods=<br />
==Email==<br />
Until the release of the Storm Worm, social engineering by means of email was a less commonly used method. The process involves an email crafted with the intent of tricking the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies; anything to get the sender's desired reaction.<br />
<br />
See [[E-mail_Spoofing|email spoofing]] for more information on this topic.<br />
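The header check below is an added example and is not code from this article or from any project it mentions. It applies a DMARC-style alignment test (RFC 7489) to a raw message: the visible From: domain is trusted only if SPF or DKIM passed for a domain that aligns with it, which is exactly the property a forged From: header lacks. The three sample messages, the corp.example and mail-campaign.example.net domains, and the two-label shortcut for the organisational domain are constructed assumptions for the example.<br />

```python
"""DMARC-style sender alignment check on a raw email message.

Added example (not from the nets.ec article). The sample messages,
domains and the organisational-domain shortcut are constructed for
illustration only.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: visible From: claims the victim's own company,
# but the envelope sender and DKIM signature belong to another domain.
SAMPLE_FORGED = """\
Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-campaign.example.net; dkim=pass header.d=mail-campaign.example.net
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Subject: Mandatory patch for your workstation
Content-Type: text/plain

Please install the attached patch before Friday.
"""

# Constructed sample 2: SPF and DKIM both pass for the From: domain.
SAMPLE_LEGIT = """\
Return-Path: <helpdesk@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Subject: Planned maintenance
Content-Type: text/plain

Maintenance window Saturday 02:00-04:00.
"""

# Constructed sample 3: a subdomain sends on behalf of the parent;
# aligned under relaxed mode, not under strict mode.
SAMPLE_SUBDOMAIN = """\
Return-Path: <bounce@mail.corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail.corp.example; dkim=none
From: IT Helpdesk <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expiry notice
Content-Type: text/plain

Your password expires in 3 days.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    _, addr = parseaddr(addr or "")
    return addr.rpartition("@")[2].lower()


def _org_domain(domain):
    """Organisational domain, approximated as the last two labels.
    Real DMARC consults the Public Suffix List; this shortcut is an
    assumption of the example and is wrong for suffixes like co.uk."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def _auth_results(msg):
    """Parse the receiving MX's Authentication-Results header into
    {'spf': (result, domain), 'dkim': (result, domain)}."""
    out = {}
    header = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bspf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", header)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"\bdkim=(\w+)\s+header\.d=([\w.-]+)", header)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return out


def check_alignment(raw, relaxed=True):
    """Return (aligned, reason). Aligned means at least one of SPF or
    DKIM passed AND its authenticated domain matches the From: domain
    (relaxed: same organisational domain; strict: identical)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(str(msg.get("From", "")))
    if not from_dom:
        return False, "no From: domain"
    cmp = _org_domain if relaxed else (lambda d: d)
    for mech, (result, auth_dom) in _auth_results(msg).items():
        if result == "pass" and cmp(auth_dom) == cmp(from_dom):
            return True, f"{mech} pass aligned with {from_dom}"
    return False, f"From: {from_dom} not aligned with any passing mechanism"


if __name__ == "__main__":
    for name, raw in (("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT),
                      ("subdomain", SAMPLE_SUBDOMAIN)):
        print(name, check_alignment(raw), check_alignment(raw, relaxed=False))
```

Relaxed alignment (the DMARC default) lets a subdomain such as mail.corp.example vouch for corp.example; strict alignment does not, which is why the third sample passes in one mode and fails in the other. The forged sample fails in both modes even though SPF and DKIM "pass", because they pass for the attacker's own domain, not the one shown to the recipient.<br />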
<br />
==Telephone==<br />
There are a variety of approaches a social engineer can use over the telephone. Impersonating figures of authority, or people closely associated with the target's loved ones, are common roles to assume. Excessive flattery is usually one of the more successful approaches when interacting with the target, as a person is more open with people they do not perceive as a threat. If niceness is not successful, the manipulator will then resort to intimidation or fear-based attacks, which can involve anything from [[security]] threats against a network to threats of harm to the target, though the latter is much less common, as the social engineer usually prefers to keep their intentions less obvious.<br />
<br />
==Examples==<br />
An example combining email and telephone would be an email sent to create a weakness in a network, followed by a call informing an administrator of a [[security]] hole to which his configuration is [[Vulnerability|vulnerable]] and pointing him to a website or link hosting a malicious piece of software that the engineer calls the "[[Patch|patch]]" for the [[vulnerability]]. The tell here is the delivery channel: a genuine fix comes through the vendor's own update mechanism or a verified support contact, not a link supplied by whoever happens to phone in.<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Social_Engineering&diff=1319Social Engineering2011-09-04T20:13:09Z<p>MargeryLeddy: /* - Analysing and Creating Milestones */</p>
<hr />
<div></div>MargeryLeddyhttps://nets.ec/index.php?title=Social_Engineering&diff=1317Social Engineering2011-09-04T20:10:27Z<p>MargeryLeddy: /* - Outline of Social Engineering */</p>
<hr />
<div>Social engineering is a term applied to the art of humans manipulation as a means to have a person divulge information or perform an action of the manipulator's choosing.<br />
<br />
<br />
=Methods=<br />
==Email==<br />
Until the release of StormWorm social engineering by means of email was a less commonly used method. The process involved an email being crafted with the intent to trick the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies, anything to get the sender's desired reaction.<br />
<br />
See [[E-mail_Spoofing|email spoofing]] for more information on this topic.<br />
<br />
==Telephone==<br />
There are a variety of approaches a social engineer can use over the telephone. Impersonations of figures of authority or people closely associated with loved ones are common roles assumed. Usually excessive flattery is one of the more successful approaches used when interacting with the target as a person is more open with people they do not perceive as a threat. If niceness is not successful the manipulator will then resort to an intimidation or fear-based attacks which can involve anything from [[security]] threats on a network to harm of the target. Though the latter is much less common as the social engineer often prefers to keep their intentions less obvious.<br />
<br />
==Examples==<br />
An example of using both email and telephone would be an email sent creating a weakness in a network. Then followed by informing an administrator of a [[security]] hole in which his configuration is [[Vulnerability|vulnerable]] and providing a website or link providing a malicious piece of software that the engineer will call the "[[Patch|patch]]" to the [[vulnerability]].<br />
<br />
Average employees are often vulnerable to social engineering attacking. For example if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on) they may call the employee during off hours impersonating the employee's workplace, verify the last four social security digits and current [[password]] to "verify identity". This is followed by a story of a problem and that the employee's [[password]] is being reset, followed by giving the employee a new [[password]]. At the same time the attacker may have called in to the employer requesting a [[password]] reset to begin with- making both sides of the corporation believe there was an issue. The advantage of this is not only the [[password]] was reset but eventual discovery of the compromised account by the corporation has been delayed.<br />
<br />
Other social engineering attacks that are easily carried out by phone rely on knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themselves off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as the employee and "prove" the employee's identity in order to gain the routing and account information from the employee's paycheck or direct deposit. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask the accounting department for the Federal Tax ID or Employer Identification Number for the targeted individual. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets.<br />
<br />
The examples listed are but minor ideas of social engineering over the mediums of electronic communication. Organized crime on the other hand won't always rely on such techniques. In a targeted social engineering attack the target corporation may fall prey to other variables such as malicious employees, sales agents of other corporations and furthermore may fall victim to malicious clientele.<br />
<br />
==Lesson 1==<br />
Social Engineering - By Impact<br />
<br />
<br />
<br />
=== - Preface by Wikipedia ===<br />
<br />
<br />
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.<br />
<br />
<br />
=== - Outline of Social Engineering===<br />
<br />
<br />
This idea is more of a lifetime perspective or lifestyle. This means that creating milestones and reaching your targets allows you to start living a planned and directed life, a more efficient one. In order to achieve your goals, you should identify and implement them immediately.<br />
<br />
Questions you should ask yourself include:<br />
# ''Where do you want to go?''<br />
# ''What are the milestones in between?''<br />
# ''How do you reach them?''<br />
# ''How do you look when you have finished the milestone/target?''<br />
<br />
If you are planning a hack, define a finish line for yourself. Imagine yourself crossing this line, also known as self-actualisation. Also, think about the milestones you must reach in order to reach your final goal. An example of a social engineering target is a free pizza.<br />
<br />
=== - Analysing and Creating Milestones===<br />
<br />
<br />
Questions to aid in the creation of milestones:<br />
# What do you have to do?<br />
# Who is going to help you?<br />
# Who are you going to exploit?<br />
# Who are you pretending to be?<br />
<br />
<br />
=== - Mantras for Social Engineering===<br />
<br />
<br />
* Define short, middle and long range targets for your life planning; even if you don't have one yet, keep thinking until you work them out<br />
* Partition them into milestones<br />
* Recruit people who will help you reach these targets<br />
* Motivate yourself daily<br />
* Visualize yourself running over the finish line; that's the theory<br />
<br />
<br />
=== - Example===<br />
<br />
<br />
Employee 1, Andrew, does not get along with employee 2, Bob. Bob knows this and feels he must take action in order to stop having to deal with Andrew. This can be done by becoming Andrew's boss and then firing him. To attain this position of power, he identifies that he needs to become friendly with the big boss, Christian. Now Christian is not the target, but he is the milestone required in order to remove Andrew. Bob would then try to establish trust and a relationship to recruit Christian, and exploit this to achieve the target, the removal of Andrew.<br />
<br />
<br />
=== - Other Uses===<br />
<br />
<br />
When appearing to people on a professional basis in business, always try to leave an empathetic, pleased impression on them: mutual happiness. They would then associate happiness with you and therefore remember their relationship with you as positive. Non-verbal communication can also aid in this positive relationship. By lowering your head, opening your eyes wide, smiling and physical contact, you can create an open and strong relationship.<br />
<br />
==Lesson 2 - Politeness==<br />
<br />
Social Engineering - The Power of Politeness - By Laurelai<br />
<br />
<br />
=== - Introduction===<br />
<br />
<br />
This lesson is about politeness and its use in social engineering. For most social engineering attempts, you want a one-time goal such as someone's password, access to a system, etc., and after that you are done with them.<br />
<br />
To get this one-time goal to succeed, you need to emulate the same types of activity you would usually partake in when making someone your friend. Unfortunately, most people on the internet show a severe lack of social graces, making it difficult to engage in social engineering.<br />
<br />
The solution to this is forcing yourself to be polite all the time. This at first takes a lot of effort, but once it becomes a habit, you find your ability to social engineer comes more easily. You can practice the basics by trying to make friends, as it uses the same skills.<br />
<br />
<br />
=== - Things To Keep in Mind===<br />
<br />
<br />
With this, you have to be really careful not to see your friends as targets. This requires mental discipline: if you start socialing your friends, they will notice, they will start to feel used and you will lose them. So remember, keep socialing separate from your real friends.<br />
<br />
<br />
=== - Putting Social Engineering to Work===<br />
<br />
<br />
Once you have learned to be consistently polite, you will also notice an ease in your normal interactions with strangers. This is a good tool to have even if you aren't going to social engineer. You don't have to be overly formal, just polite, as that goes a long way. For some people however, this does not work, as they will mistake it for a sign of weakness. For this reason, you are being taught other skills. :)<br />
<br />
Another thing to avoid is being too polite. Being too polite puts people off and they see it as false.<br />
<br />
An advanced technique is to first observe a group and see what the social norm is: are they friendly or somewhat hostile? Whatever it is, try to match it, not exactly but close enough to look like "one of them".<br />
<br />
Any real con man will tell you that their scams are 90% truth, 10% lies. That helps with not being contradictory. Therefore, the best way to lie is to tell the truth. The feeling you want your target to have when you are done is to feel good about helping you, so that they won't think about it too hard.<br />
<br />
<br />
=== - Protecting Yourself From Social Engineering===<br />
<br />
<br />
Now the reverse of this is to defend yourself from being socialed. This part is harder, a lot harder, as the same pathways you use to make friends, others might exploit. A proposed workaround is to not give anything until you have known them for at least a month. By then most social engineers will have moved on to easier prey.<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Social_Engineering&diff=1316Social Engineering2011-09-04T20:07:00Z<p>MargeryLeddy: </p>
<hr />
<div>Social engineering is a term applied to the art of human manipulation as a means to have a person divulge information or perform an action of the manipulator's choosing.<br />
<br />
<br />
=Methods=<br />
==Email==<br />
Until the release of StormWorm, social engineering by means of email was a less commonly used method. The process involves an email crafted with the intent to trick the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies, anything to get the sender's desired reaction.<br />
<br />
See [[E-mail_Spoofing|email spoofing]] for more information on this topic.<br />
<br />
==Telephone==<br />
There are a variety of approaches a social engineer can use over the telephone. Impersonations of figures of authority or of people closely associated with loved ones are common roles assumed. Usually excessive flattery is one of the more successful approaches used when interacting with the target, as a person is more open with people they do not perceive as a threat. If niceness is not successful, the manipulator will then resort to intimidation or fear-based attacks, which can involve anything from [[security]] threats on a network to harm to the target. The latter is much less common, though, as the social engineer often prefers to keep their intentions less obvious.<br />
<br />
==Examples==<br />
An example of using both email and telephone would be an email sent to create a weakness in a network, followed by a call informing an administrator of a [[security]] hole to which his configuration is [[Vulnerability|vulnerable]] and providing a website or link to a malicious piece of software that the engineer will call the "[[Patch|patch]]" for the [[vulnerability]].<br />
<br />
Average employees are often vulnerable to social engineering attacks. For example, if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on) they may call the employee during off hours impersonating the employee's workplace and verify the last four social security digits and current [[password]] to "verify identity". This is followed by a story of a problem and that the employee's [[password]] is being reset, followed by giving the employee a new [[password]]. At the same time the attacker may have called the employer requesting a [[password]] reset to begin with, making both sides of the corporation believe there was an issue. The advantage of this is that not only was the [[password]] reset, but the corporation's eventual discovery of the compromised account has been delayed.<br />
<br />
Other social engineering attacks that are easily carried out by phone rely on knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themselves off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as the employee and "prove" the employee's identity in order to gain the routing and account information from the employee's paycheck or direct deposit. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask the accounting department for the Federal Tax ID or Employer Identification Number for the targeted individual. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets.<br />
<br />
The examples listed are but minor ideas of social engineering over the mediums of electronic communication. Organized crime on the other hand won't always rely on such techniques. In a targeted social engineering attack the target corporation may fall prey to other variables such as malicious employees, sales agents of other corporations and furthermore may fall victim to malicious clientele.<br />
<br />
==Lesson 1==<br />
Social Engineering - By Impact<br />
<br />
<br />
<br />
=== - Preface by Wikipedia ===<br />
<br />
<br />
Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.<br />
<br />
<br />
=== - Outline of Social Engineering===<br />
<br />
<br />
This idea is more of a lifetime perspective or lifestyle. This means that creating milestones and reaching your targets allows you to start living a planned and directed life, a more efficient one. In order to achieve your goals, you should identify and implement them immediately.<br />
<br />
Questions you should ask yourself include:<br />
# Where do you want to go?<br />
# What are the milestones in between?<br />
# How do you reach them?<br />
# How do you look when you have finished the milestone/target?<br />
<br />
If you are planning a hack, define a finish line for yourself. Imagine yourself crossing this line, also known as self-actualisation. Also, think about the milestones you must reach in order to reach your final goal. An example of a social engineering target is a free pizza.<br />
<br />
<br />
=== - Analysing and Creating Milestones===<br />
<br />
<br />
Questions to aid in the creation of milestones:<br />
# What do you have to do?<br />
# Who is going to help you?<br />
# Who are you going to exploit?<br />
# Who are you pretending to be?<br />
<br />
<br />
=== - Mantras for Social Engineering===<br />
<br />
<br />
* Define short, middle and long range targets for your life planning; even if you don't have one yet, keep thinking until you work them out<br />
* Partition them into milestones<br />
* Recruit people who will help you reach these targets<br />
* Motivate yourself daily<br />
* Visualize yourself running over the finish line; that's the theory<br />
<br />
<br />
=== - Example===<br />
<br />
<br />
Employee 1, Andrew, does not get along with employee 2, Bob. Bob knows this and feels he must take action in order to stop having to deal with Andrew. This can be done by becoming Andrew's boss and then firing him. To attain this position of power, he identifies that he needs to become friendly with the big boss, Christian. Now Christian is not the target, but he is the milestone required in order to remove Andrew. Bob would then try to establish trust and a relationship to recruit Christian, and exploit this to achieve the target, the removal of Andrew.<br />
<br />
<br />
=== - Other Uses===<br />
<br />
<br />
When appearing to people on a professional basis in business, always try to leave an empathetic, pleased impression on them: mutual happiness. They would then associate happiness with you and therefore remember their relationship with you as positive. Non-verbal communication can also aid in this positive relationship. By lowering your head, opening your eyes wide, smiling and physical contact, you can create an open and strong relationship.<br />
<br />
==Lesson 2 - Politeness==<br />
<br />
Social Engineering - The Power of Politeness - By Laurelai<br />
<br />
<br />
=== - Introduction===<br />
<br />
<br />
This lesson is about politeness and its use in social engineering. For most social engineering attempts, you want a one-time goal such as someone's password, access to a system, etc., and after that you are done with them.<br />
<br />
To get this one-time goal to succeed, you need to emulate the same types of activity you would usually partake in when making someone your friend. Unfortunately, most people on the internet show a severe lack of social graces, making it difficult to engage in social engineering.<br />
<br />
The solution to this is forcing yourself to be polite all the time. This at first takes a lot of effort, but once it becomes a habit, you find your ability to social engineer comes more easily. You can practice the basics by trying to make friends, as it uses the same skills.<br />
<br />
<br />
=== - Things To Keep in Mind===<br />
<br />
<br />
With this, you have to be really careful not to see your friends as targets. This requires mental discipline: if you start socialing your friends, they will notice, they will start to feel used and you will lose them. So remember, keep socialing separate from your real friends.<br />
<br />
<br />
=== - Putting Social Engineering to Work===<br />
<br />
<br />
Once you have learned to be consistently polite, you will also notice an ease in your normal interactions with strangers. This is a good tool to have even if you aren't going to social engineer. You don't have to be overly formal, just polite, as that goes a long way. For some people however, this does not work, as they will mistake it for a sign of weakness. For this reason, you are being taught other skills. :)<br />
<br />
Another thing to avoid is being too polite. Being too polite puts people off and they see it as false.<br />
<br />
An advanced technique is to first observe a group and see what the social norm is: are they friendly or somewhat hostile? Whatever it is, try to match it, not exactly but close enough to look like "one of them".<br />
<br />
Any real con man will tell you that their scams are 90% truth, 10% lies. That helps with not being contradictory. Therefore, the best way to lie is to tell the truth. The feeling you want your target to have when you are done is to feel good about helping you, so that they won't think about it too hard.<br />
<br />
<br />
=== - Protecting Yourself From Social Engineering===<br />
<br />
<br />
Now the reverse of this is to defend yourself from being socialed. This part is harder, a lot harder, as the same pathways you use to make friends, others might exploit. A proposed workaround is to not give anything until you have known them for at least a month. By then most social engineers will have moved on to easier prey.<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Buffer_overflow&diff=1314Buffer overflow2011-09-04T20:00:10Z<p>MargeryLeddy: </p>
<hr />
<div>'''Buffer overflow''', or '''Buffer Overrun''', is a software error triggered when a program doesn't adequately control the amount of data that is copied into the [[buffer]]: if this amount exceeds the preassigned capacity, the remaining bytes are stored in adjacent memory areas, overwriting their original content. This may lead to arbitrary code execution and allow access to a vulnerable system.<br />
<br />
==Description==<br />
For example, when an Alzheimer's patient is confronted with a particular set of circumstances, s/he may try to remember what s/he should do in that situation. When the patient tries to remember what to do, the patient may remember the wrong thing, and therefore do something different. If a psychologist had inserted false memories, so that the patient remembered what the psychologist wanted them to and acted according to the psychologist's instructions, the psychologist has then controlled the Alzheimer's patient. The same follows for a computer. A computer receives [[input]], remembers what to do with the [[input]], and then does it. If an attacker on the internet could control the memory of a computer, the computer would remember the wrong thing to do, and do it because it doesn't know any better. This is what happens during a buffer overflow attack.<br />
<br />
The memory of a computer is much like a post office. Each piece of mail goes to a mailbox or a P.O. box, and each P.O. box can only hold one piece of mail at a time. Suppose for a moment that the post office that represents the computer's memory has 500 P.O. boxes. Boxes 1-200 are for data that the user sends into the computer, and boxes 201-500 hold instructions for what to do with that data. Now what happens if a user sends in 300 pieces of data or mail? Well, a secure program would tell the user "I can only hold 200 pieces, I'm not taking any more mail", but an insecure program would simply take all the data into boxes 1-300. So now, when the computer remembers what to do, it lands on P.O. box 201. If the user was an attacker, couldn't s/he put malicious instructions inside of P.O. box 201? Of course! This is why the buffer overflow is such a dangerous [[vulnerability]]. Though it is a dying attack vector, the buffer overflow is still very prominent today.<br />
<br />
In actuality, there is a [[return address]] that the computer uses to remember where its instructions are. So if an attacker filled up P.O. boxes 1-201, and 201 contained the return address, and the attacker changed the return address to P.O. box 1, the computer would execute the data instead of just keeping it in memory. This means that the attacker has to know enough about the system to know what address the malicious instructions are going to, because otherwise the attacker will not know the correct return address to put into P.O. box 201. This means that the attacker has to have precise aim, or the attack will be unsuccessful.<br />
<br />
==Defenses==<br />
There are multiple defenses that have been incorporated into runtimes in an attempt to fight buffer overflows and prevent them from taking place. One of the most recent defense mechanisms is called [[ASLR]], which stands for [[ASLR|Address Space Layout Randomization]]. It makes it so that every time the computer reboots and every time a program runs, the address space that it lives in changes. In other words, following our mailbox analogy, the return address will never be in the same mailbox. The point of this is to prevent an attacker from performing a buffer overflow exploit, because the attacker can never aim properly. Unfortunately, attackers have discovered something called "Magic Numbers", which tricks the error handler for programs and allows an attacker to aim his attack correctly without having to know a return address.<br />
<br />
Another defense mechanism that has been implemented is called [[DEP]], which stands for [[DEP|Data Execution Prevention]]. This is an attempt to prevent the return address from being changed into something in the same memory space as the data, and also to prevent [[machine code]] (the code that buffer overflows are crafted in) from being placed into data segments. To combat this defense mechanism, attackers have developed ASCII and [[ascii shellcode|polymorphic ASCII]] [[machine code]]. ASCII and polymorphic ASCII code looks like normal user [[input]] instead of [[machine code]].<br />
<br />
A further defense mechanism is called StackGuard, which is another layer of [[DEP|Data Execution Prevention]]. StackGuard attempts to identify all possible results of code from data within the buffer (or the data segment) and then prevent the application from calling external functions in shared objects from inside the buffer. A version of this has been implemented in Cisco Security Agent, or [[CSA]].<br />
<br />
So with [[CSA]], [[ASLR]], and operating-system-supplied [[DEP]], successfully performing a buffer overflow exploit against a system running with [[CSA]] is extremely difficult. Any attacker who makes it to the point where [[CSA]] catches it is already very advanced. To successfully subvert [[ASLR]], [[DEP]] and StackGuard one must use [[polymorphic]] [[ascii shellcode|ASCII shellcode]], in other words, [[machine code]] that self-modifies, looks like standard user [[input]] and has all of its own functions built into its own code. The return address must always be specified in normal hexadecimal format, so it will usually look like some really funny characters, like squares or strange symbols. The [[IDS]] or [[HIDS]] Context Buffer will show four squares or symbols on the end in a real buffer overflow exploit attempt on 32-bit systems, and eight squares or symbols on the end on a 64-bit system.<br />
<br />
==Maximum Effectiveness==<br />
Sometimes attackers and pen-testers alike use what is called [[Second Stage Shellcode]]. Many times [[firewall]] rules will prevent any connections outgoing from a server machine and prevent all incoming connections except for connections on the specified server port. Because of this, attackers use what is called [[Second Stage Shellcode]] to first find the connection that the exploit originated from, and then send the output of the arbitrary functions back along the first connection. This is done to circumvent [[Firewall|firewalls]] and prevent a [[firewall]] from blocking a connection.<br />
<br />
Buffer overflows can be used remotely to gain partial or total system access, or they can be used locally to escalate privileges and permissions inside the operating system in order to gain system or root level access. The real threat that a buffer overflow poses is what is called the "[[Zero-Day attack]]", also known as a buffer overflow that the [[security]] world has never seen before. [[Zero-Day attack|Zero-Day]] or [[Zero-Day attack|0day]] attacks are the most devastating to the [[security industry]], causing [[worms]], [[viruses]], and sometimes even hundreds of thousands of systems to be compromised in a single day.<br />
<br />
==Causes==<br />
Buffer overflows exist because of insecure [[Programmer|programmers]]. A [[programmer]] should be able to check [[input]] to the data segment with relative ease; however, oftentimes coders are either ignorant of the problem or overlook the flaw, and sometimes a disgruntled employee might even code the [[vulnerability]] into an application himself for his own personal gain after the application reaches [[production]] level.<br />
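The box-201 mechanism from the Description above and the input check the Causes section asks for, as an added C example that is not from the original article: the frame layout, the guard value and the return-address value are constructed placeholders, and the unchecked copy is deliberately capped at the struct so the demonstration stays well defined while still landing on the return slot.<br />
<br />
```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original article. It models the article's
 * "P.O. box" picture: a fixed input area followed directly by a guard slot
 * and the return-address slot. Every value here is constructed. */

#define INPUT_SLOTS 8                       /* boxes 1..8: user data      */
#define CANARY      ((uintptr_t)0xC0FFEEu)  /* guard value, constructed   */
#define GOOD_RET    ((uintptr_t)0x4000u)    /* placeholder return address */

struct frame {
    char      input[INPUT_SLOTS];
    uintptr_t canary;   /* sits between the data and the return slot */
    uintptr_t ret;      /* "box 201": where execution continues       */
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->ret = GOOD_RET;
}

/* VULNERABLE: copies as many bytes as the sender asked for. The write is
 * capped at the struct so this demo stays well defined, but it still runs
 * over the canary and return slots, just like the article's box 201 story. */
static void copy_unchecked(struct frame *f, const unsigned char *data, size_t len) {
    if (len > sizeof *f) len = sizeof *f;   /* demo cap only; real bugs have none */
    memcpy(f, data, len);                   /* BUG: never compared with INPUT_SLOTS */
}

/* HARDENED: refuse anything that does not fit the input area.
 * Returns 0 on success, -1 when the input is rejected. */
static int copy_checked(struct frame *f, const unsigned char *data, size_t len) {
    if (len > sizeof f->input) {
        return -1;                          /* "I can only hold 8 pieces" */
    }
    memcpy(f->input, data, len);
    return 0;
}

/* The check a stack protector makes before trusting ret: 1 if intact. */
static int frame_intact(const struct frame *f) {
    return f->canary == CANARY && f->ret == GOOD_RET;
}

/* Feed len bytes of 'A' through the vulnerable copy; 1 if the guard and
 * return slots survived, 0 if the overflow reached them. */
int unchecked_leaves_frame_intact(size_t len) {
    unsigned char data[sizeof(struct frame)];
    struct frame f;
    memset(data, 'A', sizeof data);
    if (len > sizeof data) len = sizeof data;
    frame_init(&f);
    copy_unchecked(&f, data, len);
    return frame_intact(&f);
}

/* Same input through the bounded copy; 1 if accepted, 0 if rejected.
 * Whatever the outcome, nothing beyond the input area is touched. */
int checked_accepts(size_t len) {
    unsigned char data[sizeof(struct frame)];
    struct frame f;
    memset(data, 'A', sizeof data);
    if (len > sizeof data) len = sizeof data;
    frame_init(&f);
    int ok = copy_checked(&f, data, len) == 0;
    return ok && frame_intact(&f);
}

int main(void) {
    const size_t lens[] = { 4, INPUT_SLOTS, INPUT_SLOTS + 4, sizeof(struct frame) };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%2zu  unchecked_intact=%d  checked_accepts=%d\n",
               lens[i], unchecked_leaves_frame_intact(lens[i]), checked_accepts(lens[i]));
    }
    return 0;
}
```
<br />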
<br />
<br />
[[Category:Attacks]]</div>MargeryLeddyhttps://nets.ec/index.php?title=Bcrypt&diff=1303Bcrypt2011-09-04T12:13:57Z<p>MargeryLeddy: </p>
<hr />
<div>== Lesson ==<br />
<br />
<br />
<br />
== 1.0 - Introduction ==<br />
<br />
Bcrypt is a hash function derived from Blowfish. It is designed to be computationally hard to compute (instead of easy, like SHA or MD5).<br />
<br />
It allows a parameter that specifies the hardness of the output hash, so it can scale when newer hardware arrives. Hashes should only be breakable via brute force; they shouldn't be reversible (that is the definition of a hashing function). With SHA and MD5, brute forcing is relatively easy, because today's hardware is _fast_.<br />
<br />
You can accelerate the process with rainbow tables, but you still have to generate a fuckton of hashes. When MD5 was first made, everybody said "oh shit a super fast hash function, lushhh". With security, you want the opposite. If it takes longer to generate the hash, it takes longer to brute force it. bcrypt is also immune to collision attacks, which are effective on MD5 and SHA.<br />
<br />
Sidenote: A collision is when different pieces of data create the same hash mathematically, which causes major issues.<br />
<br />
<br />
== 2.0 - Running bcrypt ==<br />
<br />
bcrypt can be set up to run through an arbitrary number of "rounds", think of them like "hash loops" (not quite the same, but a good metaphor), which you can use to make it take arbitrarily longer. We're talking about very small scales: it may take 30ms to convert a password to an MD5 hash.<br />
<br />
With bcrypt, say a factor of four longer, 200ms. That is huge when you are brute forcing something, and you can make it arbitrarily longer as well: put it through a couple hundred rounds and get the count even higher.<br />
<br />
This is a problem if you are using hashes for something that requires checksumming large data sets, but with passwords, the slower the better. Users will never notice the difference, and it requires very little effort on the CPU's part, but it becomes much more difficult to break.<br />
<br />
A student asked about the definition of breaking a hash. Hashes, by nature, should not be reversible. Given a hash, there is no way to apply fancy maths to it and get the original plaintext. The two practical attacks on hashes are brute forcing and collisions.<br />
<br />
Brute forcing involves taking a wordlist or generating words, and then converting them through the same hashing function. You then compare the hash you have to your list of plaintext:hash combinations. This is one of the reasons you always salt sensitive hashes: rather than storing the hash of "password1", you store the hash of "password1" + "blahblahrandomstuff". So I may have a huge collection of MD5 plaintext:hash tables, but I don't have a set with that particular salt, so we're starting all over again.<br />
<br />
Collisions work by understanding that if the information being hashed is longer than the length of the hash, there is a possibility for a "collision" to occur (it can happen even if it's shorter, but the proof uses that as an example). Say your password is "abc", which generates hash "123". Maybe we don't get around to brute forcing abc, but it turns out "xyz" ALSO has the same hash of "123"; that knocks down the time it takes to break the hash considerably.<br />
<br />
So, when you are storing passwords or other small bits of sensitive data, a slower hash that is computationally inefficient is actually better.<br />
<br />
<br />
== 3.0 - General Talk ==<br />
<br />
If you have the MD5 and the salt you can reverse the salted hash back to MD5 by brute forcing. You would need to find the plaintext, then put that through MD5. You would then need to find the plaintext+salt, then strip the salt.<br />
<br />
The idea of a salt is to fight pregenerated tables of hashes. If every account has a unique salt, cool beans, but most folks just use a constant salt for everything.<br />
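The salt and work-factor ideas from sections 2.0 and 3.0 above, as an added example that is not part of the original lesson and is not bcrypt: the Blowfish core is replaced by an iterated FNV-1a mix (a stand-in, never for real passwords), the salt source is a constructed placeholder rather than an OS random source, and the passwords and record layout are hypothetical.<br />
<br />
```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the lesson and not bcrypt: the Blowfish core is
 * replaced by an iterated FNV-1a mix so that the two ideas the lesson
 * explains, a per-user salt and a tunable work factor, fit in a few lines.
 * Never use this stand-in for real passwords. */
#define SALT_LEN 16

/* Stored record: cost and salt live next to the digest, much as a bcrypt
 * string carries its cost and salt in front of the hash. */
struct pw_record {
    unsigned      cost;             /* rounds = 2^cost */
    unsigned char salt[SALT_LEN];
    uint64_t      digest;
};

static uint64_t fnv1a_mix(uint64_t h, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Work factor: 2^cost rounds, each folding the previous state, the salt and
 * the password back in. Raising cost by one doubles the work per guess for
 * an attacker exactly as it does for the server. */
static uint64_t slow_hash(const char *pw, const unsigned char *salt, unsigned cost) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uint64_t rounds = (uint64_t)1 << cost;
    for (uint64_t r = 0; r < rounds; r++) {
        uint64_t prev = h;
        h = fnv1a_mix(h, (const unsigned char *)&prev, sizeof prev);
        h = fnv1a_mix(h, salt, SALT_LEN);
        h = fnv1a_mix(h, (const unsigned char *)pw, strlen(pw));
    }
    return h;
}

/* Placeholder for the OS random source: a fixed pattern derived from seed.
 * Production code takes the salt from /dev/urandom or getrandom(). */
static void demo_salt(unsigned char *out, unsigned seed) {
    uint32_t x = 0x9E3779B9u * (seed + 1);      /* constructed, NOT random */
    for (size_t i = 0; i < SALT_LEN; i++) {
        x = x * 1664525u + 1013904223u;
        out[i] = (unsigned char)(x >> 24);
    }
}

struct pw_record make_record(const char *pw, unsigned salt_seed, unsigned cost) {
    struct pw_record r;
    r.cost = cost;
    demo_salt(r.salt, salt_seed);
    r.digest = slow_hash(pw, r.salt, cost);
    return r;
}

/* Constant-time equality so timing does not leak how much of the digest matched. */
static int ct_equal(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)((d & 1) ^ 1);
}

/* Verify by recomputing with the stored salt and cost. Returns 1 on match. */
int verify_password(const struct pw_record *r, const char *attempt) {
    return ct_equal(r->digest, slow_hash(attempt, r->salt, r->cost));
}

/* Hypothetical login path: enrol stored_pw under salt seed 1, then check attempt. */
int check_login(const char *stored_pw, const char *attempt, unsigned cost) {
    struct pw_record r = make_record(stored_pw, 1, cost);
    return verify_password(&r, attempt);
}

/* The lesson's point about constant salts: with the same seed, two users who
 * share a password get the same digest, so one precomputed table covers both.
 * Returns 1 when the two records share a digest. */
int digests_match(const char *pw, unsigned seed_a, unsigned seed_b, unsigned cost) {
    struct pw_record a = make_record(pw, seed_a, cost);
    struct pw_record b = make_record(pw, seed_b, cost);
    return a.digest == b.digest;
}

int main(void) {
    /* "hunter2" is a constructed password, not a real credential. */
    printf("correct password accepted: %d\n", check_login("hunter2", "hunter2", 12));
    printf("wrong password accepted:   %d\n", check_login("hunter2", "Hunter2", 12));
    printf("constant salt, same digest: %d\n", digests_match("hunter2", 7, 7, 10));
    printf("unique salts, same digest:  %d\n", digests_match("hunter2", 7, 8, 10));
    return 0;
}
```
<br />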
<br />
<br />
== 4.0 - Further Reading ==<br />
<br />
* http://bcrypt.sourceforge.net/<br />
* http://codahale.com/how-to-safely-store-a-password/<br />
* http://en.wikipedia.org/wiki/Hash_function<br />
* http://en.wikipedia.org/wiki/Bcrypt</div>MargeryLeddyhttps://nets.ec/index.php?title=Buffer&diff=1302Buffer2011-09-04T11:36:21Z<p>MargeryLeddy: </p>
<hr />
<div>{{cleanup}}<br />
<br />
A '''Data Buffer''' is a space in computer memory where data is stored so that the program or resource that requires it, whether hardware or software, does not run out of data during a transfer. Without proper management, it could be misused to trigger the exploit known as [[Buffer Overflows | Buffer Overflow]].</div>MargeryLeddyhttps://nets.ec/index.php?title=Buffer_overflow&diff=1297Buffer overflow2011-09-04T11:18:43Z<p>MargeryLeddy: </p>
<hr />
<div>{{cleanup}}<br />
<br />
'''Buffer overflow''', or '''Buffer Overrun''', is a software error triggered when a program doesn't adequately control the amount of data that is copied into the [[buffer]]: if this amount exceeds the preassigned capacity, the remaining bytes are stored in adjacent memory areas, overwriting their original content. This may lead to arbitrary code execution and allow access to a vulnerable system.<br />
<br />
==Description==<br />
For example, when an Alzheimer's patient is confronted with a particular set of circumstances, s/he may try to remember what s/he should do in that situation. When the patient tries to remember what to do, the patient may remember the wrong thing - and therefore do something different. If a psychologist had inserted false memories, so that the patient remembered what the psychologist wanted them to and acted according to the psychologist's instructions, the psychologist has then controlled the Alzheimer’s patient. The same follows for a computer. A computer receives [[input]], remembers what to do with the [[input]], and then does it. If an attacker on the internet could control the memory of a computer, the computer would remember the wrong thing to do, and do it because it doesn't know any better. This is what happens during a buffer overflow attack.<br />
<br />
The memory of a computer is much like a post office. Each piece of mail goes to a mailbox or a P.O. box, and each P.O. box can only hold one piece of mail at a time. Suppose for a moment that the post office that represents the computer's memory has 500 P.O. boxes. Boxes 1-200 are for data that the user sends into the computer, and boxes 201-500 hold instructions for what to do with that data. Now what happens if a user sends in 300 pieces of data or mail? A secure program would tell the user "I can only hold 200 pieces, I'm not taking any more mail", but an insecure program would simply take all the data into boxes 1-300. So now, when the computer goes to remember what to do, it lands on P.O. box 201. If the user was an attacker, couldn't s/he put malicious instructions inside of P.O. box 201? Of course! This is why the buffer overflow is such a dangerous [[vulnerability]]. Though the defenses described below have made it harder to exploit, the buffer overflow is still very much in use today.<br />
<br />
In all actuality, the computer keeps a [[return address]] to remember where to resume its instructions. So if an attacker filled P.O. boxes 1-201, where box 201 holds the return address, and set that return address to P.O. box 1, the computer would execute the attacker's data as instructions instead of just keeping it in memory. For this to work the attacker has to know enough about the system to know the address at which the malicious instructions will sit, because otherwise s/he cannot know the correct return address to put into P.O. box 201. The attacker has to have precise aim, or the attack fails.<br />
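<br />
The overwrite described above, as an added example that is not part of the original article: an unchecked copy into a fixed-size buffer runs past the end of the buffer onto the saved return address that sits after it, while a length-checked copy refuses the same input. The stack frame is modelled as a struct so the demonstration is deterministic and stays within defined behaviour; the buffer size, the placeholder addresses and the payload are constructed for the example.<br />

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Model of one stack frame: a fixed-size input buffer with the saved return
 * address ("P.O. box 201" in the analogy above) sitting right after it.
 * On a real stack the compiler chooses the layout, but the relative order
 * buffer-then-saved-return is what the attack relies on. */
struct frame {
    char buf[BUF_SIZE];
    uintptr_t saved_ret;
};

/* Insecure pattern: copies len caller-controlled bytes starting at the buffer
 * with no check against BUF_SIZE, like strcpy() or an unbounded read().
 * Byte 16 onward lands on saved_ret. (The clamp only keeps the write inside
 * this model object so the demo itself stays well defined.) */
size_t copy_unchecked(struct frame *f, const unsigned char *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, input, len);
    return len;
}

/* Secure pattern: the program says "I can only hold 15 pieces of mail" and
 * refuses anything larger, so saved_ret can never be touched. */
int copy_checked(struct frame *f, const unsigned char *input, size_t len) {
    if (len >= BUF_SIZE) return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

/* Constructed attacker payload: BUF_SIZE bytes of filler followed by the
 * value the attacker wants in the saved return address, in host byte order
 * so it lands in saved_ret exactly as a real overwrite would. */
size_t build_payload(unsigned char *out, size_t out_len, uintptr_t fake_ret) {
    size_t n = BUF_SIZE + sizeof fake_ret;
    if (out_len < n) return 0;
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &fake_ret, sizeof fake_ret);
    return n;
}

/* Runs the same payload through both copies. Returns 1 when the unchecked
 * copy has replaced saved_ret with the attacker's value while the checked
 * copy rejected the input and left saved_ret intact. */
int demo(uintptr_t *unchecked_ret, int *checked_rc) {
    const uintptr_t legit_ret = (uintptr_t)0x08048abc;  /* placeholder address */
    const uintptr_t fake_ret  = (uintptr_t)0x41414141;  /* "AAAA", the classic tell */
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, fake_ret);

    struct frame a = { {0}, legit_ret };
    copy_unchecked(&a, payload, n);

    struct frame b = { {0}, legit_ret };
    int rc = copy_checked(&b, payload, n);

    if (unchecked_ret) *unchecked_ret = a.saved_ret;
    if (checked_rc) *checked_rc = rc;
    return a.saved_ret == fake_ret && rc == -1 && b.saved_ret == legit_ret;
}

int main(void) {
    uintptr_t r;
    int rc;
    int ok = demo(&r, &rc);
    printf("unchecked copy: saved return address is now 0x%lx\n", (unsigned long)r);
    printf("checked copy:   rc=%d, input rejected\n", rc);
    return ok ? 0 : 1;
}
```

The value that ends up in the saved return address is whatever the attacker placed at offset 16 of the input, which is exactly the "precise aim" requirement: the attacker chooses that value, but it only helps if it points at memory the attacker controls.<br />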
<br />
==Defenses==<br />
There are multiple defenses that have been built into compilers and runtimes to make buffer overflows harder to exploit. One of the most recent is [[ASLR]], which stands for [[ASLR|Address Space Layout Randomization]]. Each time a program runs, the addresses of its stack, heap and shared libraries are chosen at random. In our mailbox analogy, the box that holds the malicious instructions is in a different place on every run, so an attacker who learned an address from one run cannot aim with it on the next. Its weak points are the same in every implementation: if some module is loaded at a fixed address, or if the program can be made to leak a pointer back to the attacker, the aim is restored.<br />
<br />
Another defense mechanism that has been implemented is called [[DEP]], which stands for [[DEP|Data Execution Prevention]]. Memory that holds data, such as the stack and heap, is marked non-executable, so even when the return address is redirected into the attacker's input, the processor refuses to run it as [[machine code]]. DEP does not stop the overwrite itself; it stops the injected code from executing, which is why attackers answer it by reusing code that is already executable in the process (return-to-libc and return-oriented programming) rather than injecting new code. ASCII and [[ascii shellcode|polymorphic ASCII]] [[machine code]], which looks like normal user [[input]] instead of binary, solves a different problem: it gets a payload past input filters and signature checks, not past DEP.<br />
<br />
An even further defense mechanism is called StackGuard, a compiler feature that is separate from [[DEP|Data Execution Prevention]]. The compiler places a "canary" value between local buffers and the saved return address and checks it before the function returns; an overflow that reaches the return address must first overwrite the canary, so the program aborts instead of returning to the attacker's address. The stack-protector options in modern compilers implement the same idea. A version of this has been implemented in Cisco Security Agent, or [[CSA]].<br />
<br />
So with [[CSA]], [[ASLR]], and Operating-System supplied [[DEP]], successfully performing a buffer overflow exploit against a system running with [[CSA]] is extremely difficult, and any attacker who makes it to the point where [[CSA]] catches it is already very advanced. To subvert [[ASLR]], [[DEP]] and StackGuard together one must chain a bypass for each layer: typically an address leak to defeat [[ASLR]], a leak or brute force of the canary to defeat StackGuard, and code reuse to defeat [[DEP]]. [[polymorphic|Polymorphic]] [[ascii shellcode|ASCII shellcode]], in other words [[machine code]] that self-modifies, looks like standard user [[input]] and has all of its own functions built into its own code, helps only against filtering and signature-based detection. One thing that never changes is the overwritten return address itself: it is a raw pointer, so in the captured payload it appears as non-printable bytes, usually right after a long run of filler. The [[IDS]] or [[HIDS]] Context Buffer will therefore show four squares or strange symbols on the end in a real buffer overflow exploit attempt on 32-bit systems, and eight on a 64-bit system.<br />
<br />
==Maximum Effectiveness==<br />
Sometimes attackers and pen-testers alike use what is called [[Second Stage Shellcode]]. Many [[firewall]] rule sets block every outgoing connection from a server and every incoming connection except those to the published service port, so a payload that tries to open a new connection in either direction is cut off. [[Second Stage Shellcode]] therefore first locates the connection the exploit arrived on (for example by walking the open socket descriptors until it finds the one whose peer is the attacker's address and port) and then sends the output of its commands back over that already-established connection. Because the [[Firewall|firewall]] has already allowed that connection, there is nothing new for it to block.<br />
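<br />
The descriptor search described above, as an added example that is not part of the original article: the second stage walks every open file descriptor, asks the kernel for its peer address, and keeps the one whose peer port is the attacker's own source port, then answers over it. The "vulnerable server" and "attacker" below are a constructed pair of loopback sockets in the same process so the block runs offline; the command output string is likewise constructed.<br />

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The second-stage trick in C: walk every open descriptor and return the one
 * whose peer is the attacker's source port. That descriptor is the connection
 * the exploit arrived on, which the firewall has already allowed. */
int find_socket_by_peer_port(uint16_t peer_port) {
    for (int fd = 0; fd < 1024; fd++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0)
            continue;                     /* closed, or not a connected socket */
        if (peer.sin_family == AF_INET && ntohs(peer.sin_port) == peer_port)
            return fd;
    }
    return -1;
}

/* Constructed stand-in for the vulnerable server and the attacker's client,
 * both on loopback so it runs offline. Returns 1 when the scan picks out the
 * server-side descriptor of the attacker's connection and a reply written to
 * it comes back on the client side. */
int demo_reuse_connection(void) {
    int lst = -1, cli = -1, srv = -1, found = -1, ok = 0;
    struct sockaddr_in addr, self;
    socklen_t alen = sizeof addr, slen = sizeof self;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                    /* kernel picks a free port */

    if ((lst = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lst, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if (listen(lst, 1) < 0) goto out;
    if (getsockname(lst, (struct sockaddr *)&addr, &alen) < 0) goto out;

    if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cli, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if ((srv = accept(lst, NULL, NULL)) < 0) goto out;

    /* The attacker knows the source port of its own connection; the shellcode
     * scans for it instead of opening a new, firewalled connection. */
    if (getsockname(cli, (struct sockaddr *)&self, &slen) < 0) goto out;
    found = find_socket_by_peer_port(ntohs(self.sin_port));

    if (found == srv) {
        const char msg[] = "uid=0(root) gid=0(root)\n";   /* constructed output */
        char buf[64];
        if (write(found, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1)) {
            ssize_t n = read(cli, buf, sizeof buf);
            ok = n == (ssize_t)(sizeof msg - 1) && memcmp(buf, msg, (size_t)n) == 0;
        }
    }
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    if (lst >= 0) close(lst);
    return ok;
}

int main(void) {
    printf("reply delivered over the original connection: %s\n",
           demo_reuse_connection() ? "yes" : "no");
    return 0;
}
```

Real shellcode does the same getpeername() loop in a handful of instructions and usually dup2()s the descriptor it finds onto stdin/stdout before spawning a shell; the loop here is the part that matters, and the port it matches against is the one the attacker already knows from its own side of the connection.<br />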
<br />
Buffer overflows can be used remotely to gain partial or total system access, or locally to escalate privileges and permissions inside of the operating system in order to gain system or root level access. The real threat that a buffer overflow poses is what is called the "[[Zero-Day attack]]": exploitation of a vulnerability, such as an overflow, that the vendor and the [[security]] world have never seen before, so that no patch or signature exists for it. [[Zero-Day attack|Zero-Day]] or [[Zero-Day attack|0day]] attacks are the most devastating to the [[security industry]], powering [[worms]] and [[viruses]] and sometimes compromising hundreds of thousands of systems in a single day.<br />
<br />
==Causes==<br />
Buffer overflows exist because code that copies [[input]] into a fixed-size buffer does not check the input's length against the buffer's size. A [[programmer]] can add that check with relative ease; in practice, coders are often unaware of the problem or overlook the flaw, and occasionally a disgruntled employee deliberately codes the [[vulnerability]] into an application for his own personal gain once it reaches [[production]].<br />
<br />
<br />
[[Category:Attacks]]</div>MargeryLeddy