Hacking stuff

Nmap

Nmap's SYN scan sends the SYN packet of the TCP 3-way handshake and waits for the SYN-ACK reply, but never completes the handshake afterwards. Nmap is used for network reconnaissance, vulnerability assessment, and security auditing. nmap -6   ## tells Nmap to use IPv6

Scan types:

sudo nmap [ ...] [ ] { }
Scan Type   Description
-sS         Syn Scan: Default when sudo is not used. It sends raw TCP SYN packets and expects SYN/ACK or RST responses. It's stealthy but slower than other scan types.
-sT         Connect Scan: Works for systems that follow RFC rules (mostly UNIX). It establishes full TCP connections, which makes it more detectable but provides accurate results.
-sN         Null Scan: Sends TCP packets with no flags set. It relies on the behavior of the target system to determine port status. Effective against some systems but not all.
-sF         FIN Scan: Sends TCP packets with only the FIN flag set. It relies on the behavior of the target system to determine port status. Effective against some systems but not all.
-sX         XMAS Scan: Sends TCP packets with the FIN, PSH, and URG flags set. It relies on the behavior of the target system to determine port status. Effective against some systems but not all.
-sU         UDP Scan: Used to scan UDP ports. It sends UDP packets to target ports and waits for responses. Slower than TCP scans and less reliable due to the connectionless nature of UDP.
-sn         No Port Scan: Tells Nmap not to scan any ports. It only performs host discovery using ICMP echo packets or ARP requests on a local network.
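The half-open behaviour described above (SYN sent, handshake never completed) is also what a defender looks for in connection logs. The following is an added example, not from these notes or from Nmap: a small Python detector over constructed connection-log lines in a hypothetical format (timestamp, TCP flag, source, destination:port) that flags any source which sent SYNs to many distinct ports without ever completing the handshake.

```python
from collections import defaultdict

# Constructed sample of connection-log lines (not real traffic), one per packet:
# "<timestamp> <tcp-flag> <src_ip> -> <dst_ip>:<dst_port>"
# "ACK" here means the client's final handshake ACK, i.e. the connection completed.
SAMPLE_LOG = """\
2024-01-01T10:00:00 SYN 10.0.0.5 -> 10.0.0.9:22
2024-01-01T10:00:00 SYN 10.0.0.5 -> 10.0.0.9:80
2024-01-01T10:00:00 SYN 10.0.0.5 -> 10.0.0.9:443
2024-01-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.9:8080
2024-01-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.9:3306
2024-01-01T10:00:01 SYN 10.0.0.5 -> 10.0.0.9:5432
2024-01-01T10:00:02 SYN 10.0.0.7 -> 10.0.0.9:443
2024-01-01T10:00:02 ACK 10.0.0.7 -> 10.0.0.9:443
2024-01-01T10:00:03 SYN 10.0.0.7 -> 10.0.0.9:443
2024-01-01T10:00:03 ACK 10.0.0.7 -> 10.0.0.9:443
"""


def parse_line(line):
    """Splits one log line into (timestamp, flag, src_ip, dst_ip, dst_port)."""
    timestamp, flag, src_ip, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return timestamp, flag, src_ip, dst_ip, int(dst_port)


def find_half_open_scanners(log_text, port_threshold=5):
    """Returns {src_ip: [ports]} for sources that sent SYNs to at least
    port_threshold distinct ports without ever completing the handshake."""
    syn_targets = defaultdict(set)   # src_ip -> {(dst_ip, port)} that received a SYN
    completed = defaultdict(set)     # src_ip -> {(dst_ip, port)} where the handshake finished
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, flag, src_ip, dst_ip, port = parse_line(line)
        if flag == "SYN":
            syn_targets[src_ip].add((dst_ip, port))
        elif flag == "ACK":
            completed[src_ip].add((dst_ip, port))

    suspects = {}
    for src_ip, targets in syn_targets.items():
        half_open = targets - completed[src_ip]
        if len(half_open) >= port_threshold:
            suspects[src_ip] = sorted(port for _dst, port in half_open)
    return suspects


if __name__ == "__main__":
    for src_ip, ports in find_half_open_scanners(SAMPLE_LOG).items():
        print(f"{src_ip}: half-open SYNs to {len(ports)} ports {ports}")
```

In the sample, 10.0.0.5 touches six ports and never sends the final ACK, so it is reported; 10.0.0.7 completes both of its connections to one port and is not. The threshold and time window are the knobs a real detector would tune per network.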

Metasploit

Exploit: piece of code that uses a vulnerability present on the target system

Vulnerability: flaw of the system in code design or logic flow

Payload: the specific code that you want to execute on the target software once the exploit has succeeded

Basic info:

Denial of Service Attack

There are 5 main tools to conduct DoS attacks:

  1. LOIC (Low Orbit Ion Cannon)
  2. HOIC (High Orbit Ion Cannon)
  3. HULK denial-of-service engine
  4. ByteDOS, a newer tool developed in 2021
  5. PyLoris, an HTTP DoS tool

2 techniques for DoS attacks:

  1. Slowloris
  2. R.U.D.Y. (R-U-Dead-Yet)

Wireless Security
Term       Explanation
SSID       Network name
ESSID      Network name for multiple routers
BSSID      Access point's (router's) MAC address
WPA2-PSK   Normal Wi-Fi where you provide a password
WPA-EAP    Needs a username and password that are sent to a RADIUS server. A RADIUS server authenticates clients, and not just for Wi-Fi (like in a hotel).

Wi-Fi Configuration

Just checking the Wi-Fi config: iwconfig

Aircrack-ng: the suite used for cracking

To start monitoring, you have to kill the following processes:

Vulnerabilities

OWASP Top 10 Explanations

The OWASP Top 10 represents the ten most critical web application security risks, providing insights into common vulnerabilities and threats that developers and security professionals need to address.

  1. Broken Access Control:

    Gaining access to something that you should not have access to.

  2. Insecure Direct Object Reference (IDOR):

    When you can change the ID of a web page link and thereby move to different user profiles. The problem arises when the object ID is directly linked to the user, and the system allows access to different users by changing the ID.
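An added Python example, not from these notes, that shows the IDOR pattern beside the fix: a lookup that trusts the id from the link, the same lookup gated by an ownership check, and (going one step beyond the text) an indirect reference map that replaces internal ids in links with per-session random tokens. PROFILES and the user names are constructed.

```python
import secrets

# Constructed sample records, keyed by the internal numeric id that appears in URLs.
PROFILES = {
    1: {"owner": "alice", "email": "alice@example.com"},
    2: {"owner": "bob", "email": "bob@example.com"},
}


def get_profile_vulnerable(session_user, profile_id):
    """IDOR: the id taken from the link is looked up directly, with no check
    that the logged-in user owns that record."""
    return PROFILES[profile_id]


def is_authorised(session_user, profile_id):
    """Ownership check: the record exists and belongs to the logged-in user."""
    record = PROFILES.get(profile_id)
    return record is not None and record["owner"] == session_user


def get_profile_checked(session_user, profile_id):
    """Fixed handler: every lookup goes through the authorisation check.
    Missing and foreign records get the same response, so ids cannot be enumerated."""
    if not is_authorised(session_user, profile_id):
        raise PermissionError("profile not found or not yours")
    return PROFILES[profile_id]


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to internal ids, so the
    internal id never appears in a URL at all."""

    def __init__(self):
        self._token_to_id = {}

    def reference(self, internal_id):
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, not guessable
        self._token_to_id[token] = internal_id
        return token

    def resolve(self, token):
        return self._token_to_id.get(token)  # unknown token -> None


if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable("alice", 2))   # alice reads bob's profile
    print("checked   :", is_authorised("alice", 2))            # False
    refs = IndirectReferenceMap()
    token = refs.reference(1)
    print("token for alice's own profile:", token, "->", refs.resolve(token))
```

The ownership check is the essential fix; the indirect map is an extra layer that also removes the sequential ids an attacker would otherwise iterate through.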

  3. Cryptographic Failures:

    Not encrypting data in transit (plain HTTP instead of HTTPS), which enables man-in-the-middle attacks. Also, sensitive stored data such as emails should be encrypted so that only the mail owner can read it.

    To process database files to acquire useful information, you can use SQLite3:

    • sqlite3 <databasename.db> - This opens the database in the SQLite shell.
    • .tables - This displays all the tables available in the database.
    • PRAGMA table_info(tablename); - Here, we input the table name obtained from step 2 to acquire more info on that table's columns.
    • SELECT * FROM tablename; - Again, we enter the table name from step 2 to get all the data/rows inside the table.

    You can use crackstation.net to crack hashes acquired from tables.
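The four sqlite3 shell steps above, plus the hash point, as an added Python example (not from these notes). It builds a constructed in-memory users table that stores unsalted MD5 hashes, walks the same steps (list tables, column info, dump rows) through Python's sqlite3 module, audits the stored hashes against a short constructed list of common passwords to show why a fast unsalted hash is a cryptographic failure, and contrasts it with salted PBKDF2 storage. COMMON_PASSWORDS and the user rows are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (not from any real system).
COMMON_PASSWORDS = ["password123", "letmein", "qwerty"]


def build_sample_db():
    """In-memory users table that stores passwords as unsalted MD5 (the failure)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_md5 TEXT)")
    rows = [("alice", hashlib.md5(b"password123").hexdigest()),
            ("bob", hashlib.md5(b"Tr0ub4dor&3-unique-phrase").hexdigest())]
    conn.executemany("INSERT INTO users (username, password_md5) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def list_tables(conn):
    """Same information as the .tables shell command."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def _checked_table(conn, table):
    # Table names cannot be bound as ? parameters, so allow-list them against sqlite_master.
    if table not in list_tables(conn):
        raise ValueError(f"unknown table {table!r}")
    return table


def table_columns(conn, table):
    """Same as PRAGMA table_info(tablename); returns the column names."""
    table = _checked_table(conn, table)
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def dump_table(conn, table):
    """Same as SELECT * FROM tablename;"""
    table = _checked_table(conn, table)
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def audit_unsalted_md5(conn):
    """Password audit: an unsalted fast hash can be matched against a precomputed
    table, which is exactly what a hash-lookup site does. Returns {username: password}."""
    lookup = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    return {user: lookup[digest]
            for _id, user, digest in dump_table(conn, "users") if digest in lookup}


def hash_password(password, salt=None, iterations=200_000):
    """What should be stored instead: a per-user random salt and a slow PBKDF2 digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, stored_digest, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    conn = build_sample_db()
    print("tables :", list_tables(conn))
    print("columns:", table_columns(conn, "users"))
    print("rows   :", dump_table(conn, "users"))
    print("weak   :", audit_unsalted_md5(conn))
```

The audit finds alice immediately because her MD5 equals the MD5 of a common password; bob's hash is not in the list, but an unsalted MD5 is still exposed to any larger precomputed table. With a per-user salt and a slow KDF, each stored digest has to be attacked on its own and every guess costs 200,000 iterations.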

  4. Injection:

    Injection happens when an application interprets user input as commands or parameters. There are two main types:

    • SQL Injection: When an attacker can manipulate queries to the database, allowing access, modification, or deletion of information.
    • Command Injection: When user/attacker input is seen as system commands, typically interacting with the server's console (server CLI) directly.

    In very basic cases, input such as $(whoami) is interpreted as a console command because the input is placed inline into the command string.

    Defense against injection involves ensuring user input is not interpreted as queries or commands by:

    • Using allow lists: When input is sent to the server, it is compared against a list of safe inputs and characters. If the input is marked safe, it is processed; otherwise, it is rejected.
    • Stripping input: If the input contains dangerous characters, they are removed before processing.
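Both injection types beside their hardened forms, as an added Python example (not from these notes): a query built by string formatting next to a parameterised one, and an allow-list check for a hostname that is then passed as an argv list rather than through a shell. The users table and the ping command are constructed.

```python
import re
import sqlite3


def build_sample_db():
    """Constructed in-memory table, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so quotes and
    operators in it become part of the query instead of part of the value."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Fixed: a parameterised query. The driver passes the value separately,
    so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow list for a hostname argument: letters, digits, dots and hyphens only.
HOSTNAME_ALLOWED = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_command(host):
    """Fixed pattern for a command that embeds user input: validate against an
    allow list and return an argv list for subprocess.run(..., shell=False), so
    $(...), ;, | and similar are never interpreted by a shell."""
    if not HOSTNAME_ALLOWED.fullmatch(host):
        raise ValueError("hostname contains characters outside the allow list")
    return ["ping", "-c", "1", host]


def host_is_accepted(host):
    try:
        build_ping_command(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = build_sample_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, tautology))   # every row comes back
    print("safe      :", find_user_safe(conn, tautology))         # no such username: []
    print("argv      :", build_ping_command("example.com"))
    print("$(whoami) accepted:", host_is_accepted("$(whoami)"))   # False
```

The allow list rejects rather than strips: removing "bad" characters can leave an input that still reaches the interpreter, whereas a rejected input never does. Parameterisation and argv lists keep the data channel separate from the command channel, which is the whole defence.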

  5. Insecure Design:

    Occurs, for example, when unlimited password reset attempts are possible, or when a secure software development lifecycle is not used and risks are not properly assessed from the start.

  6. Security Misconfigurations:

    These include:

    • Poorly configured permissions on cloud services, like S3 buckets.
    • Having unnecessary features enabled, like services, pages, accounts, or privileges.
    • Default accounts with unchanged passwords.
    • Error messages that are overly detailed and allow attackers to find out more about the system.
    • Not using HTTP security headers.
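Two of the bullets above (overly detailed server information and missing HTTP security headers) can be checked mechanically on every response. Added Python example, not from these notes; the required-header policy and the two sample responses are constructed.

```python
# Headers a hardened response is expected to carry; a set lists the accepted values,
# None means any non-empty value is accepted. (Assumed policy for this example.)
REQUIRED_HEADERS = {
    "Strict-Transport-Security": None,
    "Content-Security-Policy": None,
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "Referrer-Policy": None,
}
# Headers that commonly leak software names and versions to a visitor.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By")


def audit_response_headers(headers):
    """Checks one response's header dict (names case-insensitive) and returns findings."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if not value:
            findings.append(f"missing {name}")
        elif accepted is not None and value.strip().upper() not in {a.upper() for a in accepted}:
            findings.append(f"unexpected value for {name}: {value}")
    for name in DISCLOSURE_HEADERS:
        value = lowered.get(name.lower(), "")
        if any(ch.isdigit() for ch in value):   # a digit almost always means a version string
            findings.append(f"{name} discloses a version: {value}")
    return findings


# Constructed sample responses, not captured from any real server.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "webserver",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_response_headers(response) or "no findings")
```

Run the same function over the headers returned by each page of a site (for example from a crawl) and the output is the misconfiguration list for that site.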

  7. Vulnerable and Outdated Components:

    Occurs when old versions of apps with known security vulnerabilities are used.

  8. Identification and Authentication Failures:

    The main ways of attack:

    • Weak authentication: When it is possible to register on a website with a space in front of an existing username and thereby gain access to that other account.
    • Brute force attacks: When a website allows unlimited authentication attempts with different usernames and passwords.
    • Websites allowing the use of weak passwords.
    • Weak session cookies: When session cookies contain predictable values, attackers can guess them and take over the sessions of other users.

    The best solution to these issues is for websites to enforce strong passwords, use MFA, and lock out accounts with multiple login attempts.

  9. Software and Data Integrity Failures:

    File integrity failures occur when what you download is modified, and you get a forged version on your PC. To verify the integrity of downloaded files, DSA signature verification is used.

    How to verify data integrity:

    • Make sure that the file was not tampered with during download. The website should publish hashes to compare against, so compute the hash of the downloaded file with:
      • MD5: md5sum path/to/file
      • SHA1: sha1sum path/to/file
      • SHA256: sha256sum path/to/file

    Software integrity failures occur when websites load third-party libraries without checking them. Instead of linking to these libraries directly, pin the script tag to a hash of the library's contents with Subresource Integrity (SRI), generated with a tool such as SRI Hash.

    Wrong method:

    <script src="https://code.jquery.com/jquery-3.6.1.min.js"></script>

    Right method:

    <script src="https://code.jquery.com/jquery-3.6.1.min.js" integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ=" crossorigin="anonymous"></script>
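Both checks above as an added Python example (not from these notes or from jQuery): hex digests equivalent to what md5sum/sha1sum/sha256sum print, a constant-time comparison against a published value, and the SRI integrity value for a script, which is the algorithm name joined to the base64 of the raw digest. The file contents and script URL used are constructed.

```python
import base64
import hashlib
import hmac


def file_digest(data, algorithm):
    """Hex digest, the same value md5sum / sha1sum / sha256sum print for a file."""
    return hashlib.new(algorithm, data).hexdigest()


def download_matches(data, published_hex, algorithm="sha256"):
    """Compares the downloaded bytes with the hash the site published, in constant time."""
    return hmac.compare_digest(file_digest(data, algorithm), published_hex.strip().lower())


def sri_hash(data, algorithm="sha256"):
    """SRI integrity value: '<algorithm>-' + base64 of the raw (binary) digest."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 and sha512")
    raw = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def script_tag(src, data):
    """Script tag pinned to the library's contents, in the same form as the 'right method' above."""
    return f'<script src="{src}" integrity="{sri_hash(data)}" crossorigin="anonymous"></script>'


def sri_matches(data, integrity_value):
    """What the browser does: recompute the digest of the fetched bytes and compare."""
    algorithm = integrity_value.split("-", 1)[0]
    try:
        expected = sri_hash(data, algorithm)
    except ValueError:
        return False
    return hmac.compare_digest(expected, integrity_value)


if __name__ == "__main__":
    library = b"console.log('constructed sample library');"   # constructed, not a real library
    print(file_digest(library, "sha256"))
    print(script_tag("https://cdn.example.com/lib.js", library))
    print("tampered copy accepted:", sri_matches(library + b"//x", sri_hash(library)))
```

Note that SRI takes the base64 of the binary digest, not of the hex string the *sum tools print; pasting a hex digest into the integrity attribute will make the browser reject the (correct) file.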

  10. Server-Side Request Forgery (SSRF):

    Occurs when an attacker makes the server forward the data it receives to a destination they control, thereby gaining confidential information.

    Bullying a server in the middle into sending you information.

    Using the Burp Suite proxy, we can intercept outgoing requests and modify them so that, instead of sending the data to another server, it is sent to our own IP address.
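The defence against the request modification described above is to validate every URL the server is asked to fetch before it makes the outbound request. Added Python example, not from these notes or from Burp Suite; ALLOWED_HOSTS, ALLOWED_SCHEMES and the sample URLs are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the application only ever needs to fetch
# from these hosts (hypothetical names), and only over HTTPS.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def classify_outbound_url(url):
    """Returns "ok" if the server may fetch the URL, otherwise the reason for refusing it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # Text before "@" is userinfo, not the host, so an allowed name placed there
        # would make the URL look safe while it points somewhere else. Refuse outright.
        return "userinfo not allowed"
    host = parts.hostname          # already lower-cased, brackets stripped for IPv6
    if not host:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                  # a hostname, not an IP literal
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return "private or local address"
        return "host not on allow list"   # literal public IPs are not on the hostname allow list
    if host not in ALLOWED_HOSTS:
        return "host not on allow list"
    return "ok"


def fetch_target_or_raise(url):
    """Gate to call immediately before the server performs the outbound request."""
    verdict = classify_outbound_url(url)
    if verdict != "ok":
        raise ValueError(f"refusing outbound request to {url!r}: {verdict}")
    return url


if __name__ == "__main__":
    for sample in ("https://images.example.com/logo.png",
                   "http://images.example.com/logo.png",
                   "https://127.0.0.1/",
                   "https://other.example.net/"):
        print(f"{sample:45} -> {classify_outbound_url(sample)}")
```

This check inspects only the URL text. A production version must also resolve the hostname and apply the same private-address test to the resolved IP (and re-check on redirects), because a public name can resolve to an internal address.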