Lecture 4-2.txt
Vulnerabilities based on location:

Remote: the attacker has no prior access to the system but can trigger the execution of code over the network (the internet). This lets the attacker gain remote access to the system without any physical or local contact with it. Related to outsider attacks.

Local: a vulnerability that needs local access to be exploited. The attacker can already execute code with limited permissions and wants to extend those privileges to gain unrestricted access (privilege escalation). Related to insider attacks.

"Code" in this context refers to the payload.

Vulnerabilities based on the software lifecycle:

Design vulnerabilities: from the defender's point of view, the worst type. Fixing them means changing the security requirements, and therefore the design and the implementation, which can take a lot of time and effort.

Implementation vulnerabilities: technical security flaws found in the code of a system.

Operational vulnerabilities: improper settings and options chosen for software, hardware or systems during setup or deployment.
- Software settings: user permissions, network settings and security policies.
- Hardware settings: device configurations of firewalls, routers and servers.
- System settings: environment variables, logging options and access controls.

Common Vulnerabilities and Exposures (CVE) is a system that provides a reference catalog of publicly known cybersecurity vulnerabilities and exposures. Each entry in the CVE list, identified by a "CVE ID", represents a specific security vulnerability or exposure, such as a flaw in software or a misconfiguration that an attacker could exploit. The CVE system standardizes the identification and naming of vulnerabilities, making it easier for organizations and security professionals to share and access information about security risks.
Each entry in the CVE database consists of:
- CVE ID: the general syntax is CVE + year + sequence number, for example CVE-2012-2234. Since the 2014 syntax change the sequence number has at least four digits and no upper bound (five- and six-digit sequence numbers exist), so anything that parses CVE IDs must not assume exactly four digits.
- Description: a text description of the issue (or a placeholder while the issue is under temporary restriction from the public).
- References: URLs and other information about the issue.
- Date the entry was created.
- Phase: the state of the CVE entry, from "Reserved" (reserved for future use) to "Public" (fully published with details).
- Votes: CVE entries may be reviewed by a group of experts and organizations (the CVE Editorial Board); "votes" refers to their approval or disapproval of the information's accuracy and completeness.
- Comments: additional information or feedback provided by the CVE Editorial Board or other contributors.
- Proposed: a label for entries that have been suggested but not yet finalized. It indicates that the details of the vulnerability are still being reviewed or validated before it becomes a formal CVE entry.

The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security.

Getting the IP address is tricky if the target is a personal computer. Even when an address is obtained it may be useless, because the target usually reaches the internet through a router that assigns local (private) IP addresses to the connected devices (NAT): the address visible from outside is the router's, not the target's, and the attacker cannot connect inbound to the private address.

Client-side attacks are therefore more effective if a reverse connection can be used.

Reverse connection: the client (the target) initiates the connection to the attacker's server. Why? Because bypassing security is hard when firewalls block incoming connections but allow outgoing ones; having the target connect out to the attacker's server is much easier than connecting in, and it also sidesteps the NAT problem above. It is also harder to trace the attacker, and once the connection is up the attacker controls the victim's machine and can execute commands or transfer data.
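The CVE ID syntax above is the one thing in this catalog a tool has to get right, and the common mistake is hard-coding four digits. The following is an added example (not part of the lecture) of a parser and extractor for CVE IDs; the advisory text it runs over is constructed for the example, and the year sanity check (CVE numbering began with 1999) is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number.
# Since the 2014 syntax change the sequence number is at least four
# digits with no upper bound, so the pattern must use \d{4,}, not \d{4}.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

FIRST_CVE_YEAR = 1999  # sanity bound chosen for this example


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper case, sequence zero-padded to four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one CVE ID; raise ValueError on bad syntax."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year in {text!r}")
    return CveId(year, seq)


def extract_cve_ids(text: str) -> List[str]:
    """Return the distinct CVE IDs mentioned in free text, normalised to
    upper case and in order of first appearance (advisories often repeat
    an ID and mix cases)."""
    found: List[str] = []
    for m in CVE_ID_RE.finditer(text):
        canonical = f"CVE-{m.group(1)}-{m.group(2)}"
        if canonical not in found:
            found.append(canonical)
    return found


# Constructed advisory text (not from the lecture); the IDs are shaped like
# real ones but serve only as parser input here.
ADVISORY = """Fixed in 2.4.1: cve-2012-2234 (auth bypass), CVE-2014-123456
(heap overflow; note the six-digit sequence number) and CVE-2012-2234
again. The string CVE-2012-22 is not a valid ID and is ignored."""

if __name__ == "__main__":
    print(extract_cve_ids(ADVISORY))
    print(parse_cve_id("cve-2014-123456"))
```

`extract_cve_ids` is the function you would point at a vendor advisory or a ticket; `parse_cve_id` is the strict check for a single value coming from a form or an API.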
Server-side attack: requires no user interaction (it is an attack on machines rather than on people). Targets include web, application and computing servers, which are configured once and then run automatically. The basic information the attacker needs is the IP address of the target server, followed by the operating system it runs and the applications installed on it. Well-known server-side attacks include SQL injection, buffer overflow and denial-of-service attacks.

Server attacking the target: the server itself is compromised or malicious and attacks other systems or clients. For example, a compromised web server may use its position to attack the users who visit it.

Information gathering and scanning are crucial because they provide:
- the operating system of the target,
- the installed programs,
- the running services on the target, and
- the ports associated with those services.

nmap -O: OS detection, to gather information about the target server's operating system.
nmap -sV: service/version detection, to gather the version numbers of the programs the target server is running on its open ports.

A shell is software that acts as an intermediary between the user and the kernel. The hacker's version: a shell is a console-like interface that gives you access to a remote target.

A bind shell: the compromised target opens a network port and listens for the attacker, who connects in to it. Associated here with server-side attacks, because servers are reachable on open ports.
A reverse shell: the victim's machine initiates a connection out to the attacker's machine, giving the attacker a shell (command-line interface) on the victim's system. Associated here with client-side attacks, because it works from behind NAT and firewalls that block inbound connections. The difference is only who connects to whom; in both cases the attacker ends up running commands on the target.

A Trojan can:
- log keystrokes,
- add the user's system to a botnet,
- give the attacker full access to the victim's computer (backdoor).
Trojans cannot spread themselves; they rely on social engineering tactics.
- They spread through various media such as email, websites, event-driven downloads and physical access (CD, USB, etc.).
It is difficult to hide Trojans because of user awareness and effective anti-virus software. Attackers therefore use multiple layers of techniques to obfuscate code (make it confusing to read), make hostile code undetectable by antivirus software and prevent others from examining it. The techniques include packers and crypters.

Three types of (Metasploit) payload:
- Singles: self-contained, standalone payloads that do not depend on other programs to run.
- Stagers: small programs that establish and maintain communication between the attacker and the victim.
- Stages: payload components downloaded by the stagers (larger than the stagers themselves).

Client-side attack using Metasploit:
- Infect the victim's machine so that it connects back to the attacker's machine without the user being aware of it, creating a reverse shell.
- To infect the target machine, the attacker delivers a piece of malware called a "Trojan" to it.
- The Trojan acts as a backdoor that establishes the connection to the attacker's machine.
- Once the victim activates the Trojan, the victim's machine can be accessed and exploited from the attacker's machine using the Meterpreter payload provided by Metasploit (the reverse shell is established).
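The information-gathering step above (nmap -O and -sV) produces a list of ports, services, versions and an OS guess; what a practitioner actually does next is turn that output into data and look for the open ports whose version nmap could not identify. The following is an added example (not part of the lecture) that parses nmap's grepable format (`-oG`). The scan text is constructed for the example and laid out the way I understand `-oG` prints it: tab-separated fields, and each Ports entry as port/state/protocol/owner/service/rpc-info/version/; verify against your own nmap version's output before relying on it.

```python
from typing import Dict, List, Tuple

# Constructed nmap -oG output for one host, shaped like what
# `nmap -O -sV -oG - TARGET` prints. Sample input only, not a real scan.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -O -sV -oG - 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "3306/filtered/tcp//mysql///, 8080/open/tcp//http-proxy///"
    "\tIgnored State: closed (996)\tOS: Linux 4.15 - 5.6\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)


def parse_grepable(text: str) -> Dict[str, dict]:
    """Parse nmap -oG output into {ip: {"os": ..., "ports": [...]}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # skip comment and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        host = hosts.setdefault(ip, {"os": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc-info/version/
                    port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                    host["ports"].append({"port": int(port), "state": state,
                                          "proto": proto, "service": service,
                                          "version": version})
            elif key == "OS":
                host["os"] = value
    return hosts


def open_services(host: dict) -> List[Tuple[int, str, str]]:
    """(port, service, version) for every open port, in scan order."""
    return [(p["port"], p["service"], p["version"])
            for p in host["ports"] if p["state"] == "open"]


def unversioned_open_ports(host: dict) -> List[int]:
    """Open ports where -sV returned no version string. These need manual
    probing (banner grab, nmap --version-all) before a vulnerability or
    exploit can sensibly be matched to them."""
    return [p["port"] for p in host["ports"]
            if p["state"] == "open" and not p["version"]]


if __name__ == "__main__":
    for ip, host in parse_grepable(SAMPLE_OG).items():
        print(ip, "OS guess:", host["os"])
        for port, service, version in open_services(host):
            print(f"  {port:>5}/{service:<12} {version or '(no version)'}")
        print("  needs manual version check:", unversioned_open_ports(host))
```

The filtered 3306/mysql port is kept in the data but left out of `open_services`, which is the set you would match against the CVE catalog; 8080 shows up in `unversioned_open_ports` because the version field is empty.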
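The reverse-connection discussion, the bind shell / reverse shell definitions and the Metasploit client-side procedure above all come down to one question: which side listens and which side connects. The following is an added example (not lecture code, and not Metasploit's or Meterpreter's implementation) that runs both patterns on the loopback interface with Python sockets. The "target" side is a deliberately toy command handler that understands only `echo` and `cwd` and never hands anything to a real shell; the point is that the transcript the attacker gets back is identical in both cases, while in the reverse case the target never opens a listening port, which is exactly what an inbound-blocking firewall or NAT has nothing to stop.

```python
import os
import socket
import threading
from typing import List, Tuple

HOST = "127.0.0.1"  # both "machines" live on loopback for this demonstration


def recv_line(sock: socket.socket) -> str:
    """Read one newline-terminated line; '' means the peer closed."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def target_handle(conn: socket.socket) -> None:
    """TARGET side: toy 'shell' loop. Only two built-ins, no subprocess."""
    with conn:
        while True:
            cmd = recv_line(conn)
            if cmd in ("", "exit"):
                break
            if cmd == "cwd":
                reply = os.getcwd()
            elif cmd.startswith("echo "):
                reply = cmd[5:]
            else:
                reply = f"unknown command: {cmd}"
            conn.sendall((reply + "\n").encode())


def attacker_drive(conn: socket.socket, commands: List[str]) -> List[Tuple[str, str]]:
    """ATTACKER side: send each command, record the reply, then hang up."""
    transcript = []
    with conn:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
            transcript.append((cmd, recv_line(conn)))
        conn.sendall(b"exit\n")
    return transcript


def _listener() -> Tuple[socket.socket, int]:
    s = socket.socket()
    s.bind((HOST, 0))            # port 0: let the OS pick a free port
    s.listen(1)
    return s, s.getsockname()[1]


def bind_shell_session(commands: List[str]) -> List[Tuple[str, str]]:
    """Bind shell: the TARGET listens on a port, the ATTACKER connects in.
    Any firewall dropping inbound connections to the target breaks this."""
    listener, port = _listener()           # opened on the target

    def target() -> None:
        conn, _ = listener.accept()
        listener.close()
        target_handle(conn)

    t = threading.Thread(target=target)
    t.start()
    transcript = attacker_drive(socket.create_connection((HOST, port)), commands)
    t.join()
    return transcript


def reverse_shell_session(commands: List[str]) -> List[Tuple[str, str]]:
    """Reverse shell: the ATTACKER listens, the TARGET connects out.
    The target never listens, so inbound filtering and NAT are irrelevant;
    only an egress rule could stop it."""
    listener, port = _listener()           # opened on the attacker

    def target() -> None:
        target_handle(socket.create_connection((HOST, port)))  # outbound

    t = threading.Thread(target=target)
    t.start()
    conn, _ = listener.accept()
    listener.close()
    transcript = attacker_drive(conn, commands)
    t.join()
    return transcript


if __name__ == "__main__":
    cmds = ["echo hi", "cwd", "whoami"]
    print("bind   :", bind_shell_session(cmds))
    print("reverse:", reverse_shell_session(cmds))
```

In Metasploit terms the reverse case is what a `reverse_tcp` payload does: the attacker's handler is the listener and the Trojan on the victim is the side calling `create_connection`. A detection engineer reads the same code the other way round: a bind shell shows up as an unexpected new listening socket on the host, a reverse shell as an unexpected outbound connection from a process that has no business talking to the network.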