EJPTv1
Some notes while studying EJPTv1 with AhmedSultan

root: the account with maximum privileges (Linux)
DoS attack: make a system or service unavailable
vulnerability + exploit (with a payload such as shellcode) = attack
VPN (tunnel): virtual private network
Wireshark: packet sniffer
A packet contains a header (source IP, destination IP, protocol type) and a payload (the actual data)
OSI model: the 7-layer reference model; in practice the TCP/IP model (from DoD work) is what is used
IP/mask: 192.168.5.100/24 (the number after "/" is the count of network bits). IPv4: 32 bits, 4 decimal octets separated by ".", subnet mask 255.255.255.0 for /24. IPv6: 128 bits, 8 hexadecimal groups separated by ":"
With a /24 mask the first 3 octets must be the same for hosts on the same network (192.168.10.x)
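Worked example added to these notes (not part of the course material): the mask arithmetic behind "/24". It builds the dotted mask from the prefix length, ANDs it with the address to get the network, and generalises the "first 3 octets" rule to any prefix, cross-checking against the standard library. The addresses used are made up.

```python
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length (number of network bits) -> dotted-decimal mask.

    /24 -> 24 one-bits followed by 8 zero-bits -> 255.255.255.0
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(ip: str, prefix: int) -> str:
    """Network address = IP AND mask, done on the 32-bit integers."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Two hosts are on the same network when the masked addresses match.

    For /24 this is exactly the "first 3 octets are equal" rule; for /16 it
    is the first 2 octets, and for /20 only the top 4 bits of the 3rd octet.
    """
    return network_of(ip_a, prefix) == network_of(ip_b, prefix)


def matches_stdlib(ip: str, prefix: int) -> bool:
    """Sanity check: our arithmetic agrees with ipaddress.ip_network."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address) == network_of(ip, prefix) and str(net.netmask) == prefix_to_mask(prefix)


if __name__ == "__main__":
    for ip, prefix in (("192.168.5.100", 24), ("192.168.5.100", 16), ("10.20.33.7", 20)):
        print(f"{ip}/{prefix}: mask {prefix_to_mask(prefix)} network {network_of(ip, prefix)}")
```

Note that 192.168.10.5 and 192.168.11.5 are different networks under /24 but the same network under /16, which is why "first 3 octets" is only a rule for /24.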
Router: connects different networks (has a routing table), works with IP addresses, sees the whole network (links networks). Metric: cost of a route; the route with the lowest metric is chosen
Switch: works with MAC addresses, does not see beyond its own network (links devices)
MAC addresses must be unique on a segment, but the same private IP can appear in different networks
A router can segment a network into two networks
ARP: protocol to resolve an IP address to a MAC address; view the cache with arp -a
Transport layer protocols [ TCP , UDP ]
TCP: guarantees packet delivery (reliable, most used), connection-oriented [3-way handshake: SYN, SYN/ACK, ACK]. UDP is connectionless and faster than TCP [better throughput (packets per second)] but does not guarantee delivery
Port: the IP is the street name and the port number is the house number: 192.168.1.1:80
Ports 0-1023 are the well-known ports (servers) out of 65536 (0-65535). A daemon can be configured to listen on a non-standard port to mislead an attacker, so do not trust the port number alone
netstat -ano (TCP and UDP, with the owning PID on Windows) or TCPView [Sysinternals GUI tool]
Firewalls: filter packets (work at different layers), unlike an antivirus. Actions: [Allow, Drop, Deny/Reject "like drop but the sender is told the packet was rejected"]. DSL routers also offer packet filtering as an option. Packet-filtering firewalls only look at packet headers; application firewalls are more advanced as they inspect the whole packet [header and payload]
IDS: detects ongoing intrusions (uses attack signatures supplied by vendors) [NIDS: network-based, HIDS: host-based, sees what happens on the host itself]
IPS: sits inline and takes action (blocks) once an intrusion is detected
NAT / IP masquerading: maps your private IP to a public IP so you can reach the public network
Add a route manually: 1- sudo -s 2- route -n or ip route [show the routing table and the default gateway of the network] 3- ip route add <network>/24 via <gateway> (the first argument is the destination network, e.g. 192.168.5.0/24, not a single host)
DNS: if the [resolver] does not have the answer cached it asks the [root] servers, then the TLD servers, then the authoritative server for the domain (this happens when the record has not been looked up before or the cached entry expired)
nslookup: get the IP address of a domain name (e.g. facebook.com)
Exfiltration method:
1- rdesktop <ip> 2- search for any interesting .txt files [dir /s /b "<file name>"] 3- is Python or PowerShell available? [python --version, powershell ls] 4- (Kali): launch a web server [python -m SimpleHTTPServer 8080 (py2), python -m http.server 8080 (py3)] 5- from the target open http://<kali IP>:8080 (if the page loads, that egress port is open)
DNS (53/UDP): change the DNS server of the target's Ethernet adapter to the Kali IP, then open a site (e.g. google) so the target sends its DNS query to Kali; in Wireshark on Kali check whether the query arrives [Info column]. If it does, UDP/53 is an open egress path
PacketWhisper {manual DNS exfiltration}: git clone http://github.com/TryCatchHCF/PacketWhisper.git or wget http://github.com/TryCatchHCF/PacketWhisper/archive/master.zip
Egresscheck {automated}: git clone https://github.com/stufus/egresscheck-framework.git [launch: cd egresscheck-framework/ ; ./ecf.py] 1- set port 8500-9500 2- set TARGETIP [Kali IP] 3- set SOURCEIP [target machine IP] 4- set PROTOCOL [TCP]. It generates a script (a .bat file); copy it to the directory served by http.server so the target can download and run it. Tip: in Wireshark, Statistics [menu bar] -> Conversations shows which ports reached Kali
Exfiltration method (updated):
Webshell: RCE [remote code execution] lets you execute commands on the server through the web page // ... 8000?cmd=<command> (the command arrives as a query parameter)
Web application: dynamic website; a static site is served by a web server program [MS IIS, Apache HTTP Server]. One server can host many sites [the server picks the site by hostname]. Requests: [GET, POST]
Cookies: textual information (introduced by Netscape) that makes HTTP stateful so the site remembers you; stored in the web browser; a cookie is scoped by domain + path
Session: state kept on the web server and referenced by a session ID (usually carried in a cookie), so the browser sends only the ID and bandwidth stays low [pages load fast afterwards]
SOP (same-origin policy): one web app may access another's content only if [protocol, hostname, port] are all the same
Burp Suite: 1- web analysis -> Proxy -> point the browser at the proxy listener (host and port) manually 2- check that Intercept is ON to start capturing requests
Burp Repeater: manually resend a request, editing the request content to exploit the application
Intruder: automated attacks with payload lists. Site map (Target tab): shows the content of the web app. Scope (Target tab): filters the proxy history to a specific domain
Information gathering
Widen the attack surface [the human is the weakest link]: crunchbase.com, OSINT resources, shodan.io, whois
Subdomains: most companies focus on [the main domain] and ignore subdomains. Dork: (site:google.com) to find subdomains [dnsdumpster, Sublist3r]
Footprinting and scanning
Ping sweep: find which hosts are up [ICMP echo request, echo reply] (fping -a -g IP/RANGE 2>/dev/null: do not show unreachable hosts). nmap gives more detail [nmap cheat sheet.pdf]; [nmap -sn IP/24] works as a ping sweep. OS detection: [nmap -O IP]
Port scan: nmap -sT IP, nmap -p 200-2000 IP (SYN/ACK reply: open, RST reply: closed, no reply: filtered). TCP SYN scan: does not complete the handshake, so it is not logged as a full connection [nmap -sS IP]. Version detection: -sV
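Added example, not part of the course: a TCP connect scanner (the client side of nmap -sT) that maps the three outcomes of a connect() to the port states above. The same function serves the Egresscheck procedure in the exfiltration section: run from the inside host against the Kali IP over the 8500-9500 range, a result of "closed" still means the SYN got out and Kali's kernel answered with RST, while "filtered" means the egress firewall dropped it. Host names and port ranges are placeholders.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port with a full three-way handshake.

    open:     connect() succeeded, i.e. the target answered our SYN with SYN/ACK
    closed:   the target answered with RST (connection refused)
    filtered: nothing came back before the timeout (a firewall dropped the SYN)
              or there is no route to the host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        sock.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0, workers: int = 32) -> Dict[int, str]:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[int]:
    """Just the ports that completed a handshake."""
    return sorted(p for p, state in scan(host, ports, timeout).items() if state == "open")


if __name__ == "__main__":
    # usage: python3 tcp_connect_scan.py <host> <first_port> <last_port>
    # e.g. python3 tcp_connect_scan.py <kali IP> 8500 9500   (egress check)
    target, first, last = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for port, state in sorted(scan(target, range(first, last + 1)).items()):
        if state != "filtered":
            print(f"{port}/tcp {state}")
```

Because every probe completes the handshake, the target's service logs a full connection; that is the difference from nmap -sS, which sends RST after the SYN/ACK and needs raw sockets (root).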
Vulnerability assessment
It can be enough instead of a full pentest [for a fresh business / first assessment]
Vulnerability scanner: uses a database of vulnerability signatures [Nessus]
Web application attacks
dirbuster: enumeration of hidden files and directories on the web server; e.g. signup.php -> credentials of the MySQL database -> [SHOW TABLES;] in mysql -> read the admin account from the users table
Google dorks: targeted search results. Google hacking: ready-made databases of dorks and exploits [pastebin: leaked hacked info]
XSS: vulnerable web application [input not validated, so it is rendered as script code] ... look for it in a comment field / search bar ... if the injected code executes then it is vulnerable to XSS [valid]. 1) reflected: delivered through a malicious link [only when the search term appears in the browser URL bar, e.g. search.php] 2) persistent (stored): the malicious script is stored in the vulnerable web application and served to every visitor 3) DOM-based [complex]
SQL injection: SELECT name,description FROM products WHERE id=9; [UNION: joins the results of two statements, so a second SELECT with the same number of columns can pull data from another table]
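Added example (not from the course) of the UNION injection against the products query above, using an in-memory SQLite database with made-up rows: the vulnerable version pastes the id into the SQL text, so "9 UNION SELECT username, password_hash FROM users" returns the admin row alongside the product; the safe version binds the value as a parameter and the same input matches nothing. The table and column names beyond products/name/description are assumptions.

```python
import sqlite3

# Constructed sample data: the products table the note's query reads from,
# plus a users table the attacker wants to reach through the UNION.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (9, 'Widget', 'A small widget');
INSERT INTO products VALUES (10, 'Gadget', 'A bigger gadget');
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_vulnerable(conn: sqlite3.Connection, product_id: str):
    """The id taken from the request is concatenated into the SQL text,
    so anything after the number is parsed as SQL."""
    query = "SELECT name, description FROM products WHERE id=" + product_id
    return conn.execute(query).fetchall()


def product_safe(conn: sqlite3.Connection, product_id: str):
    """Parameter binding: the value travels separately from the statement
    and is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, description FROM products WHERE id=?", (product_id,)
    ).fetchall()


# The second SELECT must return the same number of columns as the first (2),
# which is why the attacker picks two columns from users.
UNION_PAYLOAD = "9 UNION SELECT username, password_hash FROM users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=9     :", product_vulnerable(db, "9"))
    print("vulnerable, payload  :", product_vulnerable(db, UNION_PAYLOAD))
    print("parameterised, payload:", product_safe(db, UNION_PAYLOAD))
```

In the injected result the admin's username lands in the "name" column and the hash in "description", which is how the data shows up on the product page.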
System attacks
Malware (malicious software):
1.1 Virus: runs every time the infected program runs
1.2 Trojan horse: seemingly harmless file [pdf, doc] that carries an executable malicious payload [backdoors]
1.3 Rootkit: post-exploitation, hides the attacker's presence on the machine
1.4 Bootkit: infects the boot process for complete control over the machine
1.5 Adware: advertisements
1.6 Spyware: visited websites, passwords, camera
1.7 Greyware: adware and spyware
1.8 Dialer: free calls for the hacker (the victim pays)
1.9 Keylogger: records every keystroke [needs access to the machine]
1.10 Bots: botnet
1.11 Ransomware: encrypts files with a key and demands a ransom
1.12 Worm: spreads over the network on its own
Password attacks: passwords are not stored in clear text but as a [hash {one-way function}]
2.1 Brute force: try ALL combinations {a, 1, !}; John the Ripper
2.2 Dictionary: list of common passwords
3) Buffer overflow: sending more data than a buffer in RAM can hold, crashing the application or letting the attacker run code