Cybersecurity is the collected methods, technologies and processes to protect information, computer networks, and devices from damage, loss or unauthorized access.
Critical Infrastructure
Application Security
Network Security
Internet of Things Security
Cloud Security
CIA Triad
Confidentiality: Only authorized users should be able to access data
Integrity: Data should not be tampered with (modified) by unauthorized users
Availability: The network/systems should be operational and accessible to authorized users
AAA
It's a framework for controlling and monitoring the users of a computer system (i.e. a network).
Authentication - The process of verifying a user's identity
Authorization - The process of granting the user the appropriate access and permissions
Accounting - The process of recording the user's activities on the system
Enterprises typically use an AAA server: Identity Services Engine (ISE) is Cisco's AAA server
AAA servers support the following two protocols:
1. TACACS+: A Cisco proprietary protocol
2. RADIUS: An open standard protocol
The Threat Landscape
Bad Actors
Explorers, Hacktivists, Cyberterrorists, Cybercriminals, Cyberwarriors
Categories of Hackers
White Hat: Ethical authorized test of vulnerabilities
Black Hat: Malicious; attacks the network for profit or harm
White Hat: Not malicious, but not always ethical
Blue Hat: Ethical, hired third party
Vulnerability, Exploit, Threat, Mitigation
A vulnerability is any potential weakness that can compromise the CIA of a system. A potential weakness isn't a problem on its own.
An exploit is something that can potentially be used to take advantage of the vulnerability. Something that can potentially be used as an exploit isn't a problem on its own.
A threat is the potential of a vulnerability to be exploited. A hacker exploiting a vulnerability in your system is a threat.
A mitigation technique is something that can protect against threats. It should be implemented everywhere a vulnerability can be exploited: client devices, servers, switches, routers, firewalls, etc.
First Line of Defense

Internal Security Program (People)

User awareness - Designed to make employees aware of potential security threats and risks
For example, a company might send out false phishing emails to make employees click a link and sign in with their credentials.
User training - More formal than user awareness programs
For example, dedicated training sessions which educate users on the corporate security policies, how to manage strong passwords, and how to avoid potential threats
Physical access control - Protecting the equipment by only allowing authorized users into network closets or data center floors
Locks can protect access to restricted areas
Zero Trust
Security policies + Security tools
ISO 27001
International standard for information security management systems (ISMS).
It provides a framework for organizations to identify and assess potential security risks, implement appropriate security controls, and establish processes for monitoring and managing information security on an ongoing basis. By achieving certification to ISO 27001, organizations can demonstrate to customers, partners, and other stakeholders that they have implemented effective information security practices and are committed to protecting their information assets.
OWASP Top 10 - 2021
Open Web Application Security Project
The OWASP Top 10 provides rankings of—and remediation guidance for—the top 10 most critical web application security risks:
A01:2021-Broken Access Control Access control enforces a policy such that users cannot act outside of their intended permissions.
A02:2021-Cryptographic Failures Many web applications and APIs do not properly protect sensitive data with strong encryption.
A03:2021-Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
A04:2021-Insecure Design Pre-coding activities are critical for the design of secure software.
A05:2021-Security Misconfiguration Your software is only as secure as you configure it to be.
A06:2021-Vulnerable and Outdated Components Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application.
A07:2021-Identification and Authentication Failures Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.
A08:2021-Software and Data Integrity Failures Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations.
A09:2021-Security Logging and Monitoring Failures Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
A10:2021-Server-Side Request Forgery Server-Side Request Forgery (SSRF) flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.
Open Source Intelligence (OSINT)
The process of gathering publicly available information about a person, company or organization, from a variety of sources that are accessible for anyone to see.

OSINT Tools

Google Dorking - “Search target” filetype:pdf OR filetype:xlsx OR filetype:docx
IntelTechniques - Multi-tool for OSINT
Shodan - Search engine for Internet-connected devices (IoT)
URL Scan - Behavioural analysis
Spiderfoot - Data collection
Maltego - OSINT Framework (Entity link analysis)
Recon-ng - Automate collections
HaveIBeenPwned - Breached passwords and emails
images.google.com - Search by image (Reverse search)
PimEyes - Face recognition search engine
Epieos - Email and phone reverse search
Thatsthem - Email and phone reverse search
The Harvester - email address, usernames, subdomains, IPs and URLs
Social-Searcher - Search person on multiple social media platforms
Checkusername - Quick search of username in social networks
Tineye - Reverse image search
PicTriev - Age guesser
WayBack Machine - Archives
ZoomEye - Chinese version of Shodan
Backup Protection and Disaster Recovery Plan
Protection against loss of service due to hardware failure or natural disaster
Short-term protection against user and admin error (Recycle Bin, soft delete)
Hackers, ransomware, and other malware
Malicious insiders, departing employees
3-2-1 Backup Rule: keep three copies of your data, on two different types of media, with one copy stored off-site.
Disaster Recovery Plan
It provides a structured approach for responding to unplanned incidents that threaten the IT infrastructure, including hardware, software, networks, processes and people.
1. Assemble Plan
2. Identify Scope
3. Appoint Emergency Contacts
4. Designate Disaster Recovery Team
5. Assign Roles & Responsibilities
6. Data & Backups Location
7. Restore Technology Functionality
8. Testing & Maintenance
Backup Software
OS image backups (use a dedicated drive for the images):
macOS Time Machine
Windows Built-in Solution
Acronis Cloud Backup
On-Premise:
NAS (TrueNAS)
Veeam Agent for Windows
Acronis Cyber Protect
The Five Stages of Hacking (Web Application)
1. Reconnaissance (Information gathering)
Passive Reconnaissance: Gather the public information available using OSINT
Target Validation: WHOIS, nslookup, dnsrecon
Finding Subdomains: Google, dig, Sublist3r, Bluto, crt.sh
Active Reconnaissance: Gather privately accessible information
Fingerprinting: Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
Data Breaches: HaveIBeenPwned and similar lists
2. Scanning and Enumeration
Look for vulnerabilities and enumerate them. Gather as much information as possible (Burp Suite, Nmap, Nikto, etc.)
3. Gaining Access (Exploitation)
4. Maintaining Access
5. Covering Tracks (Deleting log files)
The 11-Step Pen Test Plan
1. Define Objectives and Scope
2. Assemble the Testing Team
3. Choose a Testing Methodology
4. Design the Test
5. Obtain Authorization
6. Conduct Reconnaissance
7. Perform an Initial Vulnerability Assessment
8. Execute the Pen Test
9. Document and Analyze Findings
10. Report and Remediate
11. Retest and Validate

Pentesting Methodologies

Black box penetration tests are the closest thing to simulating a real-life attack on a digital asset, as the ethical hacker is given absolutely no information or credentials to access any part of the asset being tested.
White box testing helps identify vulnerabilities from an insider's view.
In a gray box penetration test, a limited amount of information is given to the pentesters conducting the test. A gray box test strikes a balance between a white box and a black box test.
Pentesting Execution Plan for WordPress
1. Outdated Software:
Use automated scanning tools like WPScan to identify the version of WordPress, themes, and plugins. WPScan can check for known vulnerabilities associated with specific versions.
Manually review the website's HTML source code and HTTP headers to find any indications of the WordPress version.
2. Weak Passwords:
Perform password guessing or brute force attacks using tools like Hydra or Burp Suite Intruder to attempt multiple login combinations. This can be automated with a wordlist or dictionary attack.
Analyze login error messages for clues about the existence of weak usernames or passwords.
3. Brute Force Attacks:
Use tools like Hydra, Medusa, or Burp Suite Intruder to launch brute force attacks on login forms, trying various combinations of usernames and passwords.
Monitor server logs for an unusual number of failed login attempts.
4. Insecure Themes and Plugins:
Identify installed themes and plugins using tools or by inspecting the website's HTML and JavaScript files.
Use vulnerability scanners like OWASP ZAP or Nessus to check for known vulnerabilities associated with detected themes and plugins.
5. File Upload Vulnerabilities:
Attempt to upload files containing malicious scripts using file upload forms.
Use tools like Burp Suite to intercept and modify file upload requests to include malicious content.
Test if uploaded files are executed or processed on the server.
6. Cross-Site Scripting (XSS):
Input malicious scripts into various input fields and observe if the scripts are executed on the site.
Use tools like OWASP ZAP or Burp Suite to automate the process of injecting and detecting XSS vulnerabilities.
7. SQL Injection (SQLi):
Input SQL injection payloads into user input fields to see if the application responds with unexpected behavior.
Utilize tools like SQLMap to automate SQL injection testing and identify potential vulnerabilities.
8. Cross-Site Request Forgery (CSRF):
Create a malicious website with crafted requests and lure the victim into visiting it to perform unwanted actions on the target site.
Use tools like Burp Suite to capture and modify requests to test for CSRF vulnerabilities.
9. Security Misconfigurations:
Manually inspect the application and server configurations for default settings, unnecessary services, or exposed sensitive information.
Use tools like Nikto or Nessus to automatically scan for common misconfigurations.
10. Lack of HTTPS:
Manually check the website's URL to see if it uses "http://" or "https://".
Inspect the browser's address bar for the padlock symbol, indicating a secure connection.
Use a tool like Qualys SSL Labs to perform a detailed analysis of the SSL/TLS implementation.
11. User Permissions:
Attempt to escalate privileges by exploiting vulnerabilities or manipulating user roles.
Test if regular users can access administrative functionality or sensitive information.
12. XML-RPC Exploits:
Test for vulnerabilities in the XML-RPC functionality by sending crafted requests.
Use tools like Metasploit or custom scripts to automate testing for XML-RPC vulnerabilities.
Pentesting Tools
* Disclaimer: Some of the tools require the explicit consent of the network/application owner before analyzing the data. Please investigate further.

Wireshark

Wireshark is the de facto open-source application to capture and investigate network traffic. It is widely used for network troubleshooting, analysis, software development, and education.
Wireshark Common Capture Filters
host IP-address # Limit the capture to traffic to and from the IP address
net 192.168.0.0/24 # Capture all traffic on the subnet
dst host IP-address # Capture packets sent to the specified host
port 53 # Capture traffic on port 53 only
port not 53 and not arp # Capture all traffic except DNS and ARP traffic
Wireshark Common Display Filters
ip.addr == 192.168.1.1 # IP address filter
tcp.port == 80 # Port filter
http # Protocol filter
ip.host == "www.example.com" # Host filter (requires name resolution to be enabled)
ip.src == 192.168.1.1 # Filter by source
ip.dst == 192.168.1.2 # Filter by destination
ip.addr == 192.168.1.0/24 # Filter by subnet
eth.addr == 00:11:22:33:44:55 # Filter by MAC address
tcp.port == 443 && tls # Filter by protocol and port (older Wireshark releases name the protocol ssl)
http.request.method == "GET" # Filter by HTTP method
http.response.code == 200 # Filter by response code
dns # Filter by DNS queries
icmp # Filter by ICMP (ping) traffic
tcp.flags.syn == 1 && tcp.flags.ack == 0 # Filter by TCP flags (SYN without ACK)
frame.len == 100 # Filter by packet length
dns.qry.name == "example.com" # Filter by specific domain

Nmap

Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It is used by network administrators, security professionals, and ethical hackers to assess the security of computer networks.
Usage: nmap [Scan type(s)/Flags] [Options] {hostname/IP addresses/networks}
$ sudo apt install nmap # Install Nmap on Ubuntu/Debian Linux
% ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" # Install Homebrew on macOS
% brew install nmap # Install Nmap on macOS
$ nmap --version # Check the installed version of Nmap
Common Scan Types (Flags) and Examples:
Port Scanning
$ nmap target_ip # Default quick scan to map ports, state and protocol.
$ nmap -sS target_ip # TCP SYN Scan sends TCP SYN packets to the target; open ports respond with a SYN/ACK, while closed ports respond with a RST (reset) packet.
$ nmap -sU target_ip # UDP Scan is used to identify open UDP ports on the target.
$ nmap -sT target_ip # TCP Connect Scan completes a full TCP connection to each port and determines if it is open, closed, or filtered.
$ nmap -p 22 target_ip # Scan a specific port (22) on the target IP.
$ nmap -p ssh target_ip # Scan a port by service name (ssh).
$ nmap -p 1-100 target_ip # Custom Port Range lets you specify a range of ports to scan. For example, '-p 1-100' scans ports 1 through 100.
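The SYN scan above is what the Wireshark display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 from the previous section picks out on the wire. The block below is an added example (not from the notes, Nmap or Wireshark) that applies the same predicate to a list of packet records and reports sources fanning out across many ports; the packet records and the threshold of 20 ports are constructed assumptions.

```python
# Added example: detect a SYN scan by applying the Wireshark filter predicate
# "tcp.flags.syn == 1 && tcp.flags.ack == 0" to packet records and counting
# distinct destination ports per (source, destination) pair.
from collections import defaultdict

# TCP flag bits as laid out in the header flags byte.
SYN = 0x02
RST = 0x04
ACK = 0x10

# Constructed records: (src_ip, dst_ip, dst_port, flags). Documentation IPs only.
SAMPLE_PACKETS = [
    ("10.0.0.8", "192.0.2.10", 22, SYN),
    ("192.0.2.10", "10.0.0.8", 22, SYN | ACK),  # handshake reply from the server
    ("10.0.0.8", "192.0.2.10", 22, ACK),
    ("10.0.0.8", "192.0.2.10", 443, SYN),       # a second legitimate connection
]
# A scanner probing 40 ports on one host; the host answers closed ports with RST/ACK.
SAMPLE_PACKETS += [("203.0.113.9", "192.0.2.10", p, SYN) for p in range(1, 41)]
SAMPLE_PACKETS += [("192.0.2.10", "203.0.113.9", p, RST | ACK) for p in range(1, 41)]


def is_syn_only(flags):
    """Same condition as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return bool(flags & SYN) and not (flags & ACK)


def syn_scan_sources(packets, min_ports=20):
    """Return {src_ip: distinct_port_count} for sources whose SYN-only packets
    touch at least `min_ports` distinct destination ports on a single host."""
    probes = defaultdict(set)
    for src, dst, dport, flags in packets:
        if is_syn_only(flags):
            probes[(src, dst)].add(dport)
    return {src: len(ports) for (src, _dst), ports in probes.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, n in syn_scan_sources(SAMPLE_PACKETS).items():
        print(f"possible SYN scan from {src}: {n} distinct ports probed")
```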
Host Discovery
$ nmap -sP 192.168.1.0/24 # Ping Scan is used for host discovery, sending ICMP echo requests to determine which hosts are alive on the network (-sP is the deprecated spelling of -sn).
$ nmap -sn 192.168.1.1-254 # Same function as -sP: host discovery without a port scan.
OS Fingerprinting
$ nmap -O -sV target_ip # To perform OS detection along with version detection
Acknowledge Filtering
$ nmap -sA target_ip # ACK Scan sends TCP ACK packets to determine how a firewall or intrusion detection system (IDS) is filtering ports. It doesn't reveal open or closed ports but helps understand the filtering policy.
Service Version Detection
$ nmap -sV target_ip # Service Version Detection probes open ports to determine the version of the services (applications) running on them. It can provide information about specific software and versions.
$ nmap -sV --version-intensity 0 target_ip # Perform a "stealthy" version detection scan with only the lightest probes.
Aggressive Scan
$ nmap -A target_ip # Aggressive Scan combines OS detection, version detection, default script scanning and traceroute. It is a comprehensive scan for detailed information but is CPU intensive on the machine performing the scan.
Scriptable Interaction
$ nmap --script vuln target_ip # The Nmap Scripting Engine (NSE) runs scripts that automate tasks such as vulnerability detection; this runs every script in the "vuln" category.
$ nmap -sC target_ip # Run the default set of NSE scripts (equivalent to --script=default).
$ nmap --script=<script-name> target_ip # Execute a specific NSE script by name.
$ nmap --script-help vuln # Show the help text of every script in the "vuln" category.
Output Formats
$ nmap -oX output.xml target_ip # Save the scan results in XML format
$ nmap -oN output.txt target_ip # Save the results in a human-readable format

WPscan

WPScan is an enterprise vulnerability database for WordPress. It provides a comprehensive set of features to assess the security posture of WordPress installations.
$ sudo apt install ruby-full # Install Ruby on Ubuntu/Debian
$ sudo dnf install ruby # Install Ruby on Fedora
$ sudo gem install wpscan # Install WPScan
$ wpscan --version
$ wpscan --url your-website.com
By default, WPScan will not report vulnerabilities in its results; to get them you have to generate an API key. Go to the official website and select the free plan to register.
$ wpscan --url your-website.com --api-token your-api-key
$ wpscan --url your-website.com --detection-mode aggressive --api-token your-api-key
Detection Modes (Passive, Aggressive, Mixed)
Passive mode sends only a few requests to the server and checks the homepage of the website for common security issues. Use it if you think the server won't be able to handle a large number of requests.
Aggressive mode runs a more intrusive scan, sending hundreds of requests to the server to find vulnerabilities, if any, in all WordPress plugins.
Mixed mode, the default in WPScan, combines aggressive and passive mode to provide a balanced scan.
List all installed Plugins & Themes and scan for vulnerabilities
Enumeration options (-e):
-e vp # Vulnerable plugins
-e ap # All plugins
-e p # Popular plugins
-e vt # Vulnerable themes
-e at # All themes
-e t # Popular themes
-e tt # Timthumbs
-e cb # Config backups
-e dbe # DB exports
-e u # User IDs range, e.g. u1-5
-e m # Media IDs range, e.g. m1-15
$ wpscan --url your-website.com -e vp --detection-mode mixed --api-token your-api-key
## Examples ##
$ wpscan --url your-website.com -e u # Enumerate users
$ wpscan --url your-website.com -e vp --api-token my-token # Scan for vulnerable plugins
Run WPscan to bypass the Web Application Firewall
$ wpscan --url your-website.com --random-user-agent --stealthy

Burp Suite

Burp Suite is a leading set of security testing tools developed by PortSwigger; it is widely used for web application security testing.
Key features:
1. Proxy: Burp Proxy acts as an intermediary between the user's browser and the target web application. It allows users to intercept and modify HTTP requests and responses, providing the ability to inspect and manipulate web traffic.
2. Scanner: Burp Scanner automates the process of identifying security vulnerabilities in web applications. It can automatically scan for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and more. The results help security professionals prioritize and address potential issues.
3. Spider: Burp Spider is a web crawler that explores the target application, discovering and mapping its content and functionality. This helps in creating a comprehensive list of pages and endpoints for further analysis.
4. Intruder: Burp Intruder is a powerful tool for automating customized attacks against web applications. Users can define attack payloads and positions within the request to test for various vulnerabilities, including brute force attacks, parameter manipulation, and more.
5. Repeater: Burp Repeater allows users to repeat and modify individual requests to the server. It is useful for testing and understanding how the application responds to different inputs or variations in requests.
6. Sequencer: Burp Sequencer analyzes the quality of randomness in tokens or session identifiers generated by the web application. This is particularly useful for assessing the security of authentication mechanisms.
7. Decoder: Burp Decoder helps in decoding and encoding various data formats, such as URL encoding, base64 encoding, and others. This is useful for analyzing and manipulating data within requests and responses.
8. Comparer: Burp Comparer assists in identifying differences between two pieces of data, such as two HTTP responses. This can be helpful in detecting changes or inconsistencies that may indicate security issues.
9. Collaborator: Burp Collaborator is a service that helps identify interactions between the target application and external systems. This is useful for detecting potential blind vulnerabilities, such as blind SQL injection or server-side request forgery.

Nessus

Nessus is a widely used vulnerability scanner and security assessment tool developed by Tenable, Inc. It is designed to identify and assess vulnerabilities in computer systems, networks, and applications.
Key features:
1. Vulnerability Scanning: Nessus performs automated scans to identify security vulnerabilities in systems, networks, and applications. It can detect a wide range of issues, including software misconfigurations, missing patches, weak passwords, and known security vulnerabilities.
2. Comprehensive Vulnerability Database: Nessus relies on a constantly updated vulnerability database that includes information on the latest security threats and vulnerabilities. This database helps Nessus accurately identify and assess the security posture of the target environment.
3. Policy Compliance Checks: Nessus can assess systems against predefined security policies and compliance standards (such as CIS benchmarks, PCI DSS, and others). This feature helps organizations ensure that their systems adhere to specific security and regulatory requirements.
4. Configuration Auditing: Nessus checks the configuration settings of various network devices, servers, and applications to identify potential security weaknesses resulting from misconfigurations.
5. Credential-based Scanning: Nessus supports credential-based scanning, allowing it to log in to target systems and perform a more in-depth analysis. This is particularly useful for identifying vulnerabilities that may not be visible from an external perspective.
6. Results Analysis and Reporting: After a scan is completed, Nessus provides detailed reports on identified vulnerabilities, including severity levels, recommendations for remediation, and other relevant information. Reports can be customized based on organizational requirements.
7. Scalability: Nessus is scalable and can be used to scan both small and large networks. It supports distributed scanning, enabling the deployment of multiple Nessus scanners to cover large and complex environments.
8. Integration with Other Tools: Nessus can be integrated into broader security workflows and toolchains. It supports integration with security information and event management (SIEM) systems, as well as ticketing and remediation platforms.

Dirbuster

DirBuster is a security tool used for performing directory brute-force attacks on web servers. The primary purpose of DirBuster is to discover hidden directories and files on a web server by systematically attempting to access different paths and analyzing the server's responses.

Other Tools

Sublist3r (Subdomain enumeration)
Wappalyzer (Web Technologies)
WHOIS
NSLookup
DNSrecon
Bluto
crt.sh
dig
WhatWeb
BuiltWith
Netcat
HaveIBeenPwned
Metasploit
Nikto
Domains (Whois lookup)
IPs (NSLookup)
SSL Certificate
Pentesting with Python or JavaScript
WordPress common vulnerabilities (wp-admin)
Check for open ports in the server (Firewall)
Network Exploitation (Protocols)
CTFs Cyber Security
Cybersecurity Reports