diff --git a/Cryptography/glossary.md b/Cryptography/glossary.md new file mode 100644 index 0000000..c72b129 --- /dev/null +++ b/Cryptography/glossary.md @@ -0,0 +1,26 @@ + +# Cryptography Glossary + +* Block Chaining (CBC): the only appropriate fixed-block cipher in use. If performs an XOR operation with the previous block of data. + +* Stream Ciphers: block ciphers can run in modes that allow them to operate arbitrary size chunks of data. The counter CTR mode cipher is the best choice for a stream cipher. + +* Initialization Vector: is a dummy block used to start a block cipher. It's necessary to force the cipher to produce a unique stream of output. It doesn't need to be kept private but it must be different for every new cipher initialization with the same key. + +* Standard key exchange protocol: RSA, Diffie-Hellman, El Gamal. + +* Symmetric encryption (shared key encryption): all authorized parties have the same key. It has no means for verifying the sender of a message among any group of shared key users. + +* Asymmetric encryption (public key encryption): each party has a different set of keys for accessing the same encrypted data. + +* Hash functions: accepts a variable-length input and generates a fixed-sized output. It must be non-reversible and should have no collisions. The simplest forms are the cyclic redundancy check (CRC) and the cryptographic hash functions (SHA-1, SHA-256, MD5). + +* Salt: random value added to a message so that two messages don't generate the same hash value. It must not be duplicated between messages. It must be stored in addition to the hash so that the digest can be reconstructed. It must be protected. A salt of 23 buts increase of the password pre-computation dictionary by 4bi times (2^32). + +* Rainbow tables: example of how a lack of salt value leaves password hashes vulnerable to pre-computation attacks. + +* Hash-based message authentication code (HMAC): It's an originator validation, it validates the source of a message by incorporating some form of private key into the hash operation. Same weakness of any shared key system. + +* Cryptographic signature: associating a message digest with a specific public key by encrypting the message digest with the sender's public and private key. + +* Bait-and-switch attack: weakness found in an aging hash function. The attacker takes advantage of a weak hash function's tendency to generate collisions over certain ranges of input. By doing this, an attacker can create two inputs that generate the same value. diff --git a/Linux_Hacking/unix_exploits.md b/Linux_Hacking/unix_exploits.md new file mode 100644 index 0000000..66240ea --- /dev/null +++ b/Linux_Hacking/unix_exploits.md @@ -0,0 +1,10 @@ +# UNIX + +### RPC Daemons + +* rexd (remote execution): remote user runs a program on the system as a local user. + +* rshd, rlogind, sshd: honor trust relationship established with the source's IP address. + + + diff --git a/PenTesting/threat_modeling.md b/PenTesting/threat_modeling.md new file mode 100644 index 0000000..d3b84ad --- /dev/null +++ b/PenTesting/threat_modeling.md @@ -0,0 +1,39 @@ +# Threat Modeling (Design Review) + +1. Information Collection: + * Assets + * Entry points + * External entities + * External trust levels + * Major components + * User Scenarios + + - Developer interviews + - Developer documentation + - Standards documentation + - Sources profiling + - System profiling: File system layout, code reuse, import/exports, sandboxing, scanning. + +2. Application architecture modeling: + - UML + - Data flow diagrams (DFD) + +3. Threat identification: + - Attack trees: each subnode states an attack methodology that could be used to achieve the goal in the root node. Arc between nodes are AND connectors. Circular nodes are mitigation. Dashed lines indicated unlikely attack vector. + - Textual representation. + +4. Documentation of findings: + - Thread, Affected Component, Description, Result, Mitigation strategy. + - DREAD Risk Ratings (damage potential, reproducibility, exploitability, affected users, discoverability), with scores from 1 to 10. + + +5. Prioritizing the implementation review + + +### Application access: +* Source only (static analysis) +* Binary only (live analysis and reverse engineering) +* Both source and binary access +* Checked build: an binary with no source code but with debugging information. +* Source black box: black box and fuzz testing (example: web applications). Example: auditing a web server with entry point at TCP port 80, you use a HTTP protocol fuzzer. + diff --git a/Vulnerabilities_and_Exploits/exploits_and_attacks_gloassary.md b/Vulnerabilities_and_Exploits/exploits_and_attacks_gloassary.md new file mode 100644 index 0000000..d78f1ee --- /dev/null +++ b/Vulnerabilities_and_Exploits/exploits_and_attacks_gloassary.md @@ -0,0 +1,5 @@ +# Exploits and Attacks Glossary + +* Denial of Service (DoS): occurs when an attacker can make a system unavailable by performing some unanticipated action. + +* Attack surface: the collection of all entry points that provide access to an asset. Operational vulnerabilities occur when the attack surface is exposed unnecessarily. Minimizing the attack surface is referred to *host hardening*. diff --git a/Vulnerabilities_and_Exploits/overall_protective_measures.md b/Vulnerabilities_and_Exploits/overall_protective_measures.md new file mode 100644 index 0000000..a0aca44 --- /dev/null +++ b/Vulnerabilities_and_Exploits/overall_protective_measures.md @@ -0,0 +1,66 @@ +# Overall Protective Measures: + +### Development Measures + +* Nonexecutable Stack: nonexecutable protection on memory pages (does not protect against patching a stack variable or return to libc). + +* Stack protection: prevents the exploit to overwrite the instruction pointer by placing a random value, the *canary*, between stack variables and instruction pointers. When the function returns, the canary is checked. It doesn't protect against stack variable patching. It might presents some issues with code that perform some dynamic stack manipulation. + +* Heap protection: heap are doubly linked lists of memory chunks. A generic heap exploit attempts to overwrite the list pointers so that arbitrary data can be written somewhere in the memory space. The simplest form of protection involves checking that list pointers reference valid cheap chunks before performing any list management. + +* Address Space Layout Randomization (ASLR): randomizes where different program components are loaded at in memory each times the application runs. It is limited by a range of valid address, so it is possible for an attacker to perform a repeated sequence of exploit attempts. + +* Registered Function Pointers: Applications might have long-lived functions pointers at consistent locations in a process's address space. Sometimes these pointers are defined at compile time and never change for a given binary, for example, exception handlers. These proprieties make long-lived function pointers an ideal target for exploiting certain classes of vulnerabilities. Function pointer registration is one attempt at preventing this kind of exploits. + +* Virtual Machines: Java and .NET Common Language Runtime (CLR) are two popular VM environments. Scripting languages such as Perl, Python, and PHP compile first to bytecode that is interpreted by a VM. VMs in general provide sized buffers and strings, preventing most memory management attacks. They might also provide code access security (CAS). VM usually have no additional protections against exploiting vulnerabilities such as race conditions, formatted data manipulation, and script injection. + +### Host-based Measures + +* Object and File system permissions. + +* Restricted accounts. + +* Chroot jails: UNIX systems use *chroot* to change the root directory of a newly executed commands. This command has a useful security application: a nonroot process can be ailed to a selected portion of the file system. However, any process running under root privileges can escape the jail by using another system mechanisms such as PTRACE debugging API, setting system variables with *sysctl*, or other means to allow the system to run a new arbitrary process that is not jailled. Also, chroot jail does not restrict network access beyond normal account permissions, which could still allow enough attack surface for a follow-on attack targeted at daemons listening on the localhost address. + +* System virtualization: it allows multiple isolated operational systems to share a single host computer. + +* Enhanced Kernel protections: applications talk to the OS Kernel via system call gateway. SELinux is a popular module for Linux and BSD, and Core Force, for Windows. + +* Host-based firewalls: allow fine-grained control of network traffic, including per-process and per-user configuration. + +* Antimalware applications: antivirus and antispyware software. + +* File and Object change monitoring: such as configuration files, system binaries, and sensitive registry keys. + +* Host-based IDSs/IPSs: intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) might include features such as firewalls and antimalwares. + + +### Network-based Measures + +Network segmentation is a method of enforcing trust boundaries. + +* The OSI Model: + +1 - Physical: keep door locks, run cables through conduits. Problems with the advent of wireless. + +2 - Data Link: preventing spoofing (impersonating) hosts and sniffing traffic (captured transmitted data). Systems at this layer are identified via MAC (Media Address Control) addresses. The ARP (Address Resolution Protocol) is used to identify MAC addresses associated to their hosts. Switching is used to route traffic to the appropriate host. This can be vulnerable to ARP spoofing attacks. Address filtering can be used to improve security at this layer. Wireless media is a concert of this layer too. WEP is vulnerable to cryptoanalytic attacks. WPA (Wifi protected access) is more robust, however WAP2 retains the essential key-handling improvements with a stronger encryption and digest capabilities. + +3 - Network: security and segmentation are handled via IP filtering (IPSec) protocol. It's a component of IPv6 specifications that has been back-ported to IPv4. It provides automatic encryption and authentication for TCP/IP connections. IP filtering is a method of allowing or denying packets based only on the protocols, addresses, and ports: the traffic is segmented by function, not only source/destination. Disadvantage is that IP Filtering maintains no connection state: it can't discriminate based on which side is establishing the connection, or whether the communication is associated with an active connection. + +4. Transport: this layer is low enough to be common to all TCP/IP applications but high enough that you can determine connection state. The addition of state allows a firewall to determine which side is initiating the connection and to define internal and external network. Firewalls are devices that filter traffic at the network and transport layers. The simplest rule is deny all inbound traffic and allow all outbound traffic. + +Demilitarized Zone (DMZ): uses a third interface from the firewall containing its own set or rules. + +5, 6 - Session and Presentation: platform-specific features such as RPC interfaces and named pipes are generally accepted as session and presentation layers. Security is addressed by the platform's access control. Secure Socket Layer/Transport Layer Security is the protocol in these layers. + +7 - Application: application layer gateways add extra network diversity, such as HTTP reverse proxies. Web application gateway have capabilities such as sitewide authentication, exploit detection, and fine-grained rule sets. + + +* Network Address Translation (NAT): provides a method of mapping set of internal addresses against a different set of external addresses. A NAT is configured with implicit rules to forward inbound connections, this configuration causes inbound connectivity to be implicitly denied. NAT conceals the internal address space from the external network, ensuring some security against internal network mapping. + +* VPN (Virtual Private Networks): provides a virtual network interface connected to a remote network over an encrypted tunnel. The disavantage is that the client side is outside the network's administraor. VPN must to be monitored closely. Precautions can include: denying VPN clients to access to their local network (split tunneling) and restricting access to certain internal resources. + +* Network IDSs/IPSs: identify malicious network traffice and terminate or deny connectivity based on detected hostile activity. + + + diff --git a/Vulnerabilities_and_Exploits/vulnerability_glossary.md b/Vulnerabilities_and_Exploits/vulnerability_glossary.md new file mode 100644 index 0000000..fd5082e --- /dev/null +++ b/Vulnerabilities_and_Exploits/vulnerability_glossary.md @@ -0,0 +1,22 @@ +## Vulnerabilities Glossary + +* LD_PRELOAD: hijacking functions to a shared library: you can set this enviroment variable direct to the linker to load a library of your choice. + +### Common Vulnerabilities: + +* Authentication: to not require authentication in a situation that warrants it; information isn't trustworthy (authentication in the client side). + +* Authorization: there are several formal designs for access control: discretionary access control, mandatory access control, role-based access control. Vulnerabilities: missing authorization (webpages). + +* Accountability: expectation that a system can identify and log users' activities. Vulnerabilities: system's failure to log operations in sensitive data; system doesn't protect its data. + +* Confidentiality: expectation that only authorized parties can view data. Vulnerabilities: failure/lack in encryption, homemade encryption, storing sensitive data unnecessarily. + +* Integrity: the expectation that only authorized parties are able to modify the data. Vulnerabilities: failure in access control, failure in confidentiality, bail-and-switch attack. + +* Availability: capability to use a resource when expected. Vulnerability: DoS. + + + + +