Free ECCouncil 312-50v12 Practice Exam with Questions & Answers | Set: 7

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

This is done by making a logged in user in the victim platform access an attacker controlled website and from there execute malicious JS code, send forms or retrieve "images" to the victims account.

In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or HTTP Basic Authentication header, any other header can't be used to handle the session. An finally, there shouldn't be unpredictable parameters on the request.

Several counter-measures could be in place to avoid this vulnerability. Common defenses:

- SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.

- Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the CORS policy of the victim site. Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response.

- Ask for the password user to authorise the action.

- Resolve a captcha

- Read the Referrer or Origin headers. If a regex is used it could be bypassed form example with:

http://mal.net?orig=http://example.com (ends with the url)

http://example.com.mal.net (starts with the url)

- Modify the name of the parameters of the Post or Get request

- Use a CSRF token in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.

Diagram Description automatically generated

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

References:

• bettercap: the Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks
• How the WPA2 Enterprise Wireless Security Protocol Works
• Cracking WPA/WPA2 Passwords with Bettercap and Hashcat

Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

• Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist1.
• By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization’s website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization12.

The other options are not as effective as option A for the following reasons:

• B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles, which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario3.
• C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization’s website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines4.
• D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario56.

References:

• 1: GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers
• 2: Subdomain Discovery in Cybersecurity with Kali Linux | Medium
• 3: LinkedIn - Wikipedia
• 4: The Harvester - Kali Linux Tools
• 5: Spokeo - Wikipedia
• 6: Intelius - Wikipedia

Triple DES is another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Stealth, you merely type within the entire 192-bit (24 character) key instead of entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary in order that they are each 64 bits long. The procedure for encryption is strictly an equivalent as regular DES, but it’s repeated 3 times , hence the name Triple DES. the info is encrypted with the primary key, decrypted with the second key, and eventually encrypted again with the third key.Triple DES runs 3 times slower than DES, but is far safer if used properly. The procedure for decrypting something is that the same because the procedure for encryption, except it’s executed in reverse. Like DES, data is encrypted and decrypted in 64-bit chunks. Although the input key for DES is 64 bits long, the particular key employed by DES is merely 56 bits long . the smallest amount significant (right-most) bit in each byte may be a parity , and will be set in order that there are always an odd number of 1s in every byte. These parity bits are ignored, so only the seven most vital bits of every byte are used, leading to a key length of 56 bits. this suggests that the effective key strength for Triple DES is really 168 bits because each of the three keys contains 8 parity bits that aren’t used during the encryption process.Triple DES ModesTriple ECB (Electronic Code Book)• This variant of Triple DES works precisely the same way because the ECB mode of DES.• this is often the foremost commonly used mode of operation.Triple CBC (Cipher Block Chaining)• This method is extremely almost like the quality DES CBC mode.• like Triple ECB, the effective key length is 168 bits and keys are utilized in an equivalent manner, as described above, but the chaining features of CBC mode also are employed.• the primary 64-bit key acts because the Initialization Vector to DES.• Triple ECB is then executed for one 64-bit block of plaintext.• The resulting ciphertext is then XORed with subsequent plaintext block to be encrypted, and therefore the procedure is repeated.• This method adds an additional layer of security to Triple DES and is therefore safer than Triple ECB, although it’s not used as widely as Triple ECB.

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company’s website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

References:

• Web Server Security- Beginner’s Guide - Astra Security Blog
• Top 10 Web Server Security Best Practices | Liquid Web
• 21 Server Security Tips & Best Practices To Secure Your Server - phoenixNAP

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

https://nmap.org/book/scan-methods-maimon-scan.html

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered

related:This operator displays websites that are similar or related to the URL specified.

Regional Internet Registries (RIRs):

ARIN (American Registry for Internet Numbers)

AFRINIC (African Network Information Center)

APNIC (Asia Pacific Network Information Center)

RIPE (Réseaux IP Européens Network Coordination Centre)

LACNIC (Latin American and Caribbean Network Information Center)

https://ieeexplore.ieee.org/document/5567385

https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives-and-false-negatives/

False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.

flags –source-port and -g are equivalent and instruct nmap to send packets through a selected port. this option is used to try to cheat firewalls whitelisting traffic from specific ports. the following example can scan the target from the port twenty to ports eighty, 22, 21,23 and 25 sending fragmented packets to LinuxHint.

Implementing regular firmware updates for all IoT devices is the primary recommendation to prevent DDoS attacks on the smart city project. Firmware updates can fix security vulnerabilities, patch bugs, and improve performance of the IoT devices, making them less susceptible to malware infections and botnet recruitment12. Firmware updates can also enable new security features, such as encryption, authentication, and firewall, that can protect the IoT devices from unauthorized access and data theft3. Firmware updates should be done automatically or remotely, without requiring user intervention, to ensure timely and consistent security across the IoT network4.

The other options are not as effective or feasible as firmware updates for the following reasons:

• B. Deploying network intrusion detection systems (IDS) across the IoT network can help detect and alert DDoS attacks, but not prevent them. IDS can monitor network traffic and identify malicious patterns, such as high volume, spoofed IP addresses, or unusual protocols, that indicate a DDoS attack5. However, IDS cannot block or mitigate the attack, and may even be overwhelmed by the flood of traffic, resulting in false positives or missed alerts. Moreover, deploying IDS across a vast network of IoT devices can be costly, complex, and resource-intensive, as it requires dedicated hardware, software, and personnel.
• C. Establishing strong, unique passwords for each IoT device can prevent unauthorized access and brute-force attacks, but not DDoS attacks. Passwords can protect the IoT devices from being compromised by hackers who try to guess or crack the default or weak credentials. However, passwords cannot prevent DDoS attacks that exploit known or unknown vulnerabilities in the IoT devices, such as buffer overflows, command injections, or protocol flaws. Moreover, establishing and managing strong, unique passwords for each IoT device can be challenging and impractical, as it requires user awareness, memory, and effort.
• D. Implementing IP address whitelisting for all IoT devices can restrict network access and communication to trusted sources, but not DDoS attacks. IP address whitelisting can filter out unwanted or malicious traffic by allowing only the predefined IP addresses to connect to the IoT devices. However, IP address whitelisting cannot prevent DDoS attacks that use spoofed or legitimate IP addresses, such as reflection or amplification attacks, that bypass the whitelisting rules. Moreover, implementing IP address whitelisting for all IoT devices can be difficult and risky, as it requires constant updating, testing, and monitoring of the whitelist, and may block legitimate or emergency traffic by mistake.

References:

• 1: How to proactively protect IoT devices from DDoS attacks - Synopsys
• 2: IoT and DDoS: Cyberattacks on the Rise | A10 Networks
• 3: Detection and Prevention of DDoS Attacks on the IoT - MDPI
• 4: How to Secure IoT Devices: 5 Best Practices | IoT For All
• 5: Intrusion Detection Systems (IDS) Part 1 - Network Security | Coursera
• : DDoS Attacks: Detection and Mitigation - Cisco
• : The Challenges of IoT Security - Infosec Resources
• : IoT Security: How to Protect Connected Devices and the IoT Ecosystem | Kaspersky
• : IoT Security: Common Vulnerabilities and Attacks | IoT For All
• : The Password Problem: How to Use Passwords Effectively in 2021 | Dashlane Blog
• : What is IP Whitelisting? | Cloudflare
• : DDoS Attacks: Types, Techniques, and Protection | Cloudflare
• : IP Whitelisting: Pros and Cons | Imperva