
AIA Final exam notes

Five characteristics of high quality information are accuracy, completeness, consistency, uniqueness,
and timeliness.

Pentest is the practice of testing a computer system, network or web application to find vulnerabilities that
an attacker could exploit

Pentest strategies (targeted, internal, external, blind, double blind testing)

Data spoliation - intentional or negligent withholding, hiding, alteration or destruction of data

Reconnaissance is the process of gathering personal or sensitive information about the target

Types of reconnaissance – (footprinting, scanning, enumeration)

Scanning is the process of gathering more information about the target, such as open ports, vulnerable or active
users and the various services running on the ports, using various information gathering tools

Enumeration – use the information gathered from scanning and footprinting to gain access to the
target

Google hacking queries

Password list – inurl:"standalone.xml" intext:"password>"

Unprotected directories in courseweb – -inurl:(html|htm|php) intitle:"index of/courseweb" +"last modified" +"parent directory" +description +size

Video results of Stephen Hawking in unprotected directories in courseweb – -inurl:(html|htm|php) intitle:(index of|Stephen Hawking) +"last modified" +"parent directory" +description +size +(wmv|avi|mp4)

Login portals – intitle:Login inurl:login.php intext:admin/admin

Search free pdf books with "Game of thrones" in the title – -inurl:(htm|html) intitle:"index of" +("/ebooks"|"/book") +(pdf) +"game of thrones"

Display web pages of the sliit domain – site:sliit.lk

Search the Google cache for information on sliit – cache:https://www.sliit.lk/

Proxy – acts as a gateway between the user and the internet. Can act as a firewall and a web filter. Hides the user's
IP address and encrypts the transmitted data. Can block web pages based on IP

Phishing – acquiring sensitive information (username, password) by pretending to be a trustworthy entity
through an electronic medium, for malicious reasons.

Spear phishing – specifically targets an organization or a user. Tailored to the victim by presenting
information unique to the victim

Information needed before choosing an exploit – IP address, running services and possibly vulnerable services

Bypass an anomaly-based IDPS – If I can place the attack before the traffic training process gets completed
in the IPS, I will be able to bypass the IDS. But it would be hard, since getting to know the
training process of the IDS is hard. As the second approach I need to try to use this training mechanism
to my advantage to bypass the IDS by using a polymorphic blending attack. I can encode the data using a
tool and pass it in a way that the IDS won't flag it. The malicious code will get executed at the endpoint and
retrieve the required data from the target, bypassing the IDS by using the same mechanism, encoding
the data.

/etc/passwd file – stores information required during login. Contains a list of system accounts and
details like UID, GID, username and the password field

/etc/shadow file – stores secure user account information. The hash value of the password is saved
in this file.
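As an added example (not part of these notes), the checks below parse the two file layouts described above and flag the entries a defender reviews first: extra UID 0 accounts, a hash left in the world-readable /etc/passwd, an empty shadow hash, and a weak MD5-crypt hash. The sample file contents are constructed, not taken from any real host.

```python
# Audit of /etc/passwd and /etc/shadow entries for risky accounts.
# passwd = name:pw:UID:GID:gecos:home:shell   shadow = name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample files (not taken from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
viraj:x:1000:1000:Viraj:/home/viraj:/bin/bash
backup2:x:0:0:extra root:/root:/bin/bash
legacy:$1$abc$md5hashinpasswd:1001:1001::/home/legacy:/bin/sh
"""

SHADOW = """root:$6$saltsalt$hashofroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
viraj:$6$saltsalt$hashofviraj:19000:0:99999:7:::
backup2::19000:0:99999:7:::
legacy:$1$abc$md5hash:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Map username -> fields; the pw field should be 'x' when /etc/shadow is in use."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                           "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map username -> hash field ('' means no password; '*' or '!' means locked)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def audit(passwd_text, shadow_text):
    """Return (username, issue) pairs a defender would want to review."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, u in parse_passwd(passwd_text).items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if u["pw"] not in ("x", "*", "!"):
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        h = hashes.get(name)
        if h is None:
            findings.append((name, "no /etc/shadow entry"))
        elif h == "":
            findings.append((name, "empty password: login needs no password"))
        elif h.startswith("$1$"):
            findings.append((name, "weak MD5-crypt hash, rehash with SHA-512 or yescrypt"))
    return findings
```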

Setuid (set user ID on execution) – a special type of file permission used in UNIX OS. The user is
granted the access level of the user who owns the file

Chroot – creates a separate root directory, separate from that of the OS

Bug – when a system does not behave as intended, it's known as a bug

Vulnerability – implementation or design flaw

Difference between nmap -sS and nmap -sT

nmap -sS                                 | nmap -sT
-----------------------------------------|-----------------------------------------
needs privileged access                  | doesn't need privileged access
doesn't establish a full TCP connection  | needs to establish a full TCP connection
faster scans                             | slower than SYN scans
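The half-open versus full-connection difference in the table is also what a defender can key on in network logs. The following added example (written here, not taken from these notes or from nmap) classifies constructed client-to-target packet summaries: a source that sends SYNs to several ports without ever sending the handshake's ACK looks like -sS, while a source that completes the handshake on each port looks like -sT. The IPs, ports and threshold are assumptions.

```python
# Telling a half-open (nmap -sS) scan from a full-connect (nmap -sT) scan
# using only the client-to-target packets a sensor would log.
from collections import defaultdict

# Constructed packet summaries (src, dst, dport, flags); flags use tcpdump
# letters S=SYN, A=ACK, R=RST, F=FIN. This is not real captured traffic.
T = "192.168.56.99"
PACKETS = [
    # 10.0.0.5 behaves like -sS: SYN, then RST after the SYN/ACK, never an ACK
    ("10.0.0.5", T, 22, "S"), ("10.0.0.5", T, 22, "R"),
    ("10.0.0.5", T, 80, "S"), ("10.0.0.5", T, 80, "R"),
    ("10.0.0.5", T, 443, "S"), ("10.0.0.5", T, 443, "R"),
    ("10.0.0.5", T, 3306, "S"), ("10.0.0.5", T, 3306, "R"),
    # 10.0.0.7 behaves like -sT: full handshake (SYN then ACK), then teardown
    ("10.0.0.7", T, 22, "S"), ("10.0.0.7", T, 22, "A"), ("10.0.0.7", T, 22, "R"),
    ("10.0.0.7", T, 80, "S"), ("10.0.0.7", T, 80, "A"), ("10.0.0.7", T, 80, "R"),
    ("10.0.0.7", T, 443, "S"), ("10.0.0.7", T, 443, "A"), ("10.0.0.7", T, 443, "R"),
    # 10.0.0.9 is an ordinary client: one complete connection to port 80
    ("10.0.0.9", T, 80, "S"), ("10.0.0.9", T, 80, "A"), ("10.0.0.9", T, 80, "F"),
]

THRESHOLD = 3  # distinct ports from one source before we call it a scan (assumed)


def classify_flows(packets):
    """Return {(src, dst, dport): 'complete' | 'half_open'} from client-side flags."""
    syn_seen, ack_seen = set(), set()
    for src, dst, dport, flags in packets:
        flow = (src, dst, dport)
        if "S" in flags:
            syn_seen.add(flow)
        elif "A" in flags:          # ACK without SYN = third step of the handshake
            ack_seen.add(flow)
    return {f: "complete" if f in ack_seen else "half_open" for f in syn_seen}


def detect_scans(packets, threshold=THRESHOLD):
    """Label each source 'syn_scan', 'connect_scan' or None."""
    ports = defaultdict(lambda: {"half_open": set(), "complete": set()})
    for (src, _dst, dport), state in classify_flows(packets).items():
        ports[src][state].add(dport)
    verdict = {}
    for src, p in ports.items():
        if len(p["half_open"]) >= threshold:
            verdict[src] = "syn_scan"        # like -sS: no full TCP connection
        elif len(p["complete"]) >= threshold:
            verdict[src] = "connect_scan"    # like -sT: full connection per port
        else:
            verdict[src] = None
    return verdict
```

On a real sensor the input must first be filtered to the client-to-target direction, because the server's SYN/ACK carries both S and A and would otherwise be misread as a completed handshake.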

nmap -sV 192.168.56.99 – used to scan for running services. This is equivalent to nmap -A

nc 192.168.56.99 80 – used to connect to a web server on port 80. This establishes a TCP connection

nc -l -p 80 – used to listen for inbound connections on port 80

nc 192.168.56.99 80
HEAD / HTTP/1.0 – used to identify the web server software of the target (the HEAD request is typed after the connection is established)

theharvester -d sliit.lk -l 10 -b google – used to search for email addresses from a domain, limiting the
results to 10 and using Google as the search engine

--dnsserver – use this option to choose the DNS server that translates the web address to an IP address

--noreverse – skip the reverse lookup (IP address to domain name translation)

dnsenum --dnsserver 8.8.8.8 --enum sliit.lk – scan for the name servers and mail servers of the scanned
domain

dnsenum --dnsserver 8.8.8.8 --enum -f /usr/share/dnsenum/dns.txt --subfile /home/viraj/Documents/AIA_Lab2.txt sliit.lk – saves the scan results to a log

Zone transfer – used by administrators to replicate DNS databases across a set of DNS servers

Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible
for patching or otherwise fixing the flaw

Nessus can be used to scan the target host for vulnerabilities, but this tool cannot be used to exploit the
vulnerability. Metasploit can be used for both vulnerability scanning and vulnerability exploitation.
Nessus only provides a graphical user interface, while Metasploit can be used from both the command line and a
GUI.

CVE (Common Vulnerabilities and Exposures) – catalog of known vulnerabilities.

CVE ID – common identifier for publicly known information security vulnerabilities. An entry includes the CVE ID
number and a brief description of the vulnerability. Information security vendors use the CVE ID as a standard
method of identifying vulnerabilities.

Differences between the Common Vulnerabilities and Exposures (CVE) database and Exploit-DB – the CVE
database contains the score distribution for all vulnerabilities, and Exploit-DB contains exploits, shellcode
and security papers. The CVE database provides vulnerability information in more detail; Exploit-DB provides the
exploitation code for the vulnerability

Encrypted virus – a virus that uses encryption to hide its payload is known as an encrypted virus. The
encrypted virus consists of a decryption key and the encrypted program. It automatically re-encodes itself
each time it infects. The virus can be identified by detecting the loader, or by detecting the key and decrypting
the encrypted area.

•Passive reconnaissance – obtain information from the target without affecting the integrity and availability of
the data. Tools like theHarvester and Nessus are used for passive information gathering. Here the
pentester does not establish a connection with the target.

•Active reconnaissance – interact with the target and gather information. If information is gathered by
connecting to the target, that is active information gathering. Nmap and Metasploit are used for
active information gathering

Facebook account hijack – 30 million user accounts were hacked. An unknown group of hackers stole
secret access tokens for millions of accounts by taking advantage of a flaw in the 'View As' feature. The
CEO of FB published details about the attack within 24 hours and took immediate action to mitigate
and recover from the attack.

nmap 192.168.56.99/24 – this command scans a subnet

nmap 192.168.56.99-120 – this command scans a range of IPs

nmap -p 80 192.168.56.99 – scans a single port

nmap -sS 192.168.56.99 (TCP SYN scan) – determines whether the port is listening using the technique
called half-open scanning. Privileged access is needed to run this command (stealth scan – scanning
without getting detected)

nmap -O 192.168.56.99 – used to detect the operating system of the target host


dnsenum --dnsserver 8.8.8.8 --enum sliit.lk – shows the details of the name servers and mail servers of the
scanned domain

Footprinting – the process of collecting as much information as possible about the target system to find
ways to penetrate the system
