Directory Traversal Attack

 Directory Traversal Attack Examples

http://www.sample.com/../../../etc/passwd

http://www.sample.com%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

http://www.sample.com%2f..%2f..%2f..%2fetc%2fpasswd

http://www.sample.com2f..2f..2f..2fetc2fpasswd

C:\Users\JohnDoe\AppData\Local\Microsoft\Office

Some of these examples used percent encoding. 

%2E is a period "."

%2F is a "/."

 METADATA

Metadata is data about data, such as information about things you used on your mobile device, like taking a picture, the date and time, and the GPS location.

• GPS Tagging
• Photographs
• Video 

Files on your PC, smartphone, laptop, tablet, etc. Multiple attributes are recorded and attached to these files. If the person creating the document backdates the date on the document, you can see the date it was made.

• Date and time created.
• When it was modified
• When it was accessed

Metadata is recorded when you make a phone call or send a text.

• Incoming and outgoing phone numbers are involved.
• The date and time of the class.
• The duration of the calls.
• SMS text time

Protecting Passwords Against Offline Attacks

 Offline Password Attacks & Preventive Measures

Rainbow table attack

The best protection against this attack type is adding salt (random data) to the password before hashing.

Brute Force & Dictionary

The best method for slowing down the attacker from discovering the password is to use key stretching. This method uses thousands of rounds of hashing. This does not make the key stronger, but the attacker has to do a lot of processing to check each possible key to find the correct one. There are 2 methods on the exam:

PBKDF2 & bcrypt

Port Numbers to know for the exam

 Port Numbers - Associated Protocol

Port Number                      Protocol

21        TCP                 FTP (File Transfer Protocol)

22        TCP                 SSH (Secure Shell)

22        TCP                 SCP  (Secure Copy Protocol)

22        TCP                 SFTP (Secure File Transfer Protocol) 

23        TCP                 Telnet

25        TCP                 SMTP (Simple Mail Transfer Protocol)

53        TCP / UDP      DNS (Domain Name System)

67        UDP                DHCP (Dynamic Host Configuration Protocol - server) 

68        UDP                DHCP (Dynamic Host Configuration Protocol - client)    

69        UDP / TCP      TFTP (Trivial File Transfer Protocol)

80        TCP                 HTTP (Hypertext Transfer Protocol)

110      TCP                 POP (Post Office Protocol)

135      TCP /UDP       RPC (Remote Procedure Call)

139      TCP                 NetBIOS (MS file sharing port - legacy)

143      TCP                 IMAP (Internet Message Access Protocol)

161      UDP                SNMP (Simple Network Management Protocol)

443      TCP                 HTTPS (Hypertext Transfer Protocol Secure)

445      TCP                 SMB (Server Message Block)

587      TCP                 SMTPS (Simple Mail Transfer Protocol Secure)

1812    UDP                RADIUS (Remote Authentication Dial-in User Service)

3389    TCP                 RDP (Remote Desktop Protocol)

Brute Force, Dictionary, Spraying Attacks

 Password Discovery Methods

All of these attacks covered in the section are online attacks. 

BRUTE-FORCE:

• Uses an exhaustive list trying to guess the passwords.
• Password guessing programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. 
• Brute force attacks are run against a single username with multiple password guesses.

EXAMPLE:
cbgto1gpy

cbgto2gpy

cbgto3gpy

cbgto4gpy

cbgto5gpy

cbgto6gpy

In this example, the sixth character changes when the program has completed all possible combinations with the sixth character and has not discovered the password. Then, the fifth character changes to the letter "p" and continues the process. 

DICTIONARY:

• A dictionary attack will go through common words out of the dictionary and does not use complexity.
• Dictionary attacks are run against a single username with multiple password guesses. This is also an automated program.

SPRAYING ATTACK:

• A spraying attack is one password, normally simple or commonly used against multiple accounts (2 or more usernames). 
• The attacker waits a period such as 30 minutes or longer. 
• This is done to bypass account lockout. 
• Most account lockouts reset the failed login counter back to "0" at that point.

There are two primary ways to prevent brute-force or dictionary attacks:

• Account lockout after 3 to 5 failed login attempts
• The other is to use MFA (Multi-Factor Authentication)

Access Protocol by Network Type

 Kerberos, RADIUS, & SAML

Kerberos

• Inside a network such as an office
• Domain environment

RADIUS (AAA)

• VPNs
• Wireless (Enterprise mode)
• Keywords: AAA, PKI, 802.1x

SAML (Security Assertion Markup Language)

• Accessing a third-party website, web domain, webpage, CSP
• Uses federation for authentication
• Provides SSO (Single Sign-on)
• Uses username & password from a popular website such as Google as the identity provider

Pass the Hash Attack

 PtH (Pass the Hash Attack)

Attackers and penetration testers use the pass-the-hash attack. This allows them to achieve lateral movement or pivot to other systems in the network.

You do not have to crack the password, as the hash is the password.

One way to prevent this attack is to use group policy to prevent the caching of administrator passwords.

The other is to use the password-salting method. That way, the hashes will be completely different even if the admin uses the same local password for each system.