Digital Pakistan Cybersecurity Hands-On Training - Day 2

Hackathon Workshop – Day 02

Agenda for Day 02

Types of Operating Systems
Securing Operating Systems (Best Practices & CIS Benchmarks)
Defence in Depth Model
Kali Linux & Built-in Tools
Web Applications (Architecture, Common Vulnerabilities & Attack Types)
Web Security
OSINT Tools
Mobile Attack Vectors & Mobile Security
Operating Systems
An operating system is system software that manages computer hardware and
software resources and provides common services for computer programs.
Types of Operating Systems
Roughly 150 known operating systems are in use today for different purposes.
A few examples:
Open source, Unix-like OS such as FreeBSD, OpenBSD and the Linux distributions
(Solaris and DNIX are proprietary Unix systems, not open source).
Proprietary OS such as:
Fire OS – developed by Amazon
macOS, Apple DOS and iOS – developed by Apple
ChromeOS and Android – developed by Google (both sit on open-source bases,
Chromium OS and AOSP, with proprietary additions)
HarmonyOS and LiteOS – developed by Huawei
AIX and TPF – developed by IBM
Xenix, MS-DOS and Windows – developed by Microsoft
PlayStation system software – developed by Sony
Operating Systems Security

CIS Benchmarks
CIS Benchmarks from the Center for Internet Security (CIS) are a set of globally
recognized, consensus-driven configuration best practices that help security
practitioners implement and manage their cybersecurity defences.
Benchmarks exist for:
Operating Systems
Cloud Infrastructure & Services
Server Software
Desktop Software
Mobile Devices
Network Devices
Multi-function Print Devices
CIS Benchmarks - Levels
Level 1: basic security recommendations for configuring IT systems. They are
easy to follow and are intended not to impact business functionality or uptime.
Level 2: recommendations for environments handling highly sensitive data where
security is the priority. Implementing them requires professional expertise and
diligent planning, because some settings reduce functionality; test them on a
representative system before rolling them out.
STIG Profile: some CIS Benchmarks also ship a profile mapped to the Security
Technical Implementation Guides (STIGs), the configuration baselines published
and maintained by the Defense Information Systems Agency (DISA) for the US
Department of Defense.
Tools for OS Configuration Review
Microsoft Security Compliance Toolkit (SCT): contains Microsoft's security
baselines for supported Windows operating systems, delivered as Group Policy
objects that can be applied through Active Directory.
Nipper (and Nessus offline audits): perform offline configuration review of
network devices from exported configuration files, including checks against
CIS benchmarks.
Nessus/Nexpose: perform authenticated (online) configuration review of Linux,
Windows and other operating systems against CIS Benchmarks and similar audit
policies.
Scuba Database Scanner: scans enterprise databases for vulnerabilities and
misconfigurations.
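What these tools do under the hood is read a configuration file and compare each directive with the benchmark's expected value. The following Python script is an added example for this training, not part of the deck or of any of the tools above: it audits an OpenSSH sshd_config against an assumed subset of the common CIS Linux benchmark SSH recommendations. The two sample configurations and the default values table are constructed for illustration.

```python
"""Added example (not from the training deck): a minimal CIS-style
audit of an OpenSSH server configuration, the kind of check that Nessus
and Nexpose audit files run under the hood. The directive set and
expected values are an assumed subset of the common CIS Linux benchmark
SSH recommendations; both sample configs are constructed."""

# Assumed subset of CIS SSH recommendations: directive -> accepted values.
EXPECTED = {
    "PermitRootLogin": ("no",),
    "PermitEmptyPasswords": ("no",),
    "X11Forwarding": ("no",),
    "IgnoreRhosts": ("yes",),
    "HostbasedAuthentication": ("no",),
}
MAX_AUTH_TRIES = 4

# Values sshd applies when the directive is absent (assumed for current
# OpenSSH releases; confirm with `sshd -T` on the audited host).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for the global section.

    Two sshd parsing rules matter for an audit: only the FIRST occurrence
    of a directive wins, and everything after a `Match` line is
    conditional, so this simplified parser stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, actual, expected) failures; empty = pass."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, accepted in EXPECTED.items():
        actual = cfg.get(directive.lower(), DEFAULTS[directive.lower()])
        if actual.lower() not in accepted:
            findings.append((directive, actual, "/".join(accepted)))
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(("MaxAuthTries", str(tries), f"<= {MAX_AUTH_TRIES}"))
    return findings


# Constructed sample 1: a typical out-of-the-box file with unsafe choices.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
PermitEmptyPasswords no
"""

# Constructed sample 2: hardened. The second PermitRootLogin line is
# deliberately there to show that sshd keeps the first value, and the
# Match block shows why the parser stops at it.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 4
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
Match User backup
    X11Forwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "PASS")
```

Run against a real host, the output of `sshd -T` (the effective configuration after defaults and Match blocks) is the better input than the raw file, which is exactly why the commercial scanners run their checks over an authenticated session rather than over a copied file.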
Defence in Depth Model
Security controls are layered (policy, physical, perimeter, network, host,
application, data) so that no single control is the only thing standing between
an attacker and the asset; a failure or bypass at one layer is caught by the next.
Kali Linux
Kali Linux is a Debian-based Linux distribution designed for digital forensics and
penetration testing. It is maintained and funded by Offensive Security (OffSec).

System Requirements:
A minimum of 20GB of hard disk space for installation, depending on the version
(version 2020.2 requires at least 20GB).
A minimum of 2GB RAM for i386 and amd64 architectures.
A bootable CD/DVD drive or a USB stick.
A minimum of an Intel Core i3 or an AMD E1 processor for good performance.
Kali Linux Tools
Information Gathering Tools
Nmap for network scanning and discovery
Recon-ng for OSINT and reconnaissance
theHarvester for email and domain harvesting
Maltego for link analysis and data visualization
Vulnerability Assessment (VA) Tools
Nessus for comprehensive vulnerability scanning
OpenVAS for open-source vulnerability assessment
Burp Suite for web application testing
OWASP ZAP for automated web application security testing
Exploitation Frameworks
Metasploit for exploit development and execution
Armitage for a graphical Metasploit interface
Cobalt Strike for advanced penetration testing
Canvas for custom exploit development
Wireless Security Tools
Aircrack-ng suite for wireless network auditing
Kismet for passive wireless network detection
Wash and Reaver for WPS PIN cracking
Wifite for automated wireless attacks
(Nessus, Cobalt Strike and Canvas are commercial products that are not shipped in
Kali; they are listed here because they are commonly used alongside it.)
Kali Linux Tools
Apart from offensive security tools, Kali Linux ships built-in tools used for
forensics as well. Some of them are:
Wireshark for network protocol analysis
Volatility for memory forensics
Autopsy and The Sleuth Kit for digital forensics
Binwalk for firmware analysis
Web Application Architecture
Uniform Resource Locator (URL)
Scheme examples: http, file
Example HTTP URLs:
http://<sub.domain.tld>:<port>/
http://<user>:<pass>@<sub.domain.tld>/path1/path2
http://<user>:<pass>@<sub.domain.tld>/path?q1=a&q2=b
http://<user>:<pass>@<sub.domain.tld>/path?q1=a&q2=b#fragment
(Credentials placed in the <user>:<pass> part are sent as an HTTP Basic
Authorization header and end up in proxy logs and browser history, so they are a
finding when seen in production links. The #fragment is never sent to the server.)
Example file URLs:
file:///etc/passwd
file:///c:/WINDOWS/win.ini
HTTP
Try it with curl: curl -v http://your-ip/
With -v, curl prints the request line and headers it sends and the full response
it receives, which lets you emulate a simple browser against your own simple
server page.
HTTP Verbs (Methods)
HTTP verbs (methods) indicate the desired action to be performed on a given
resource.
GET – mainly used to request resources (parameters in the URL)
POST – form submissions, data in the message body
OPTIONS – list of methods supported for the URL
HEAD – the same response as GET but without the message body
TRACE – echoes the client request back for diagnosis (should be disabled on
production servers, as it reflects request headers including cookies)
PUT – store the request body at the given URI (create or replace)
DELETE – delete the resource
HTTP Response Codes
1XX: informational, the client SHOULD continue with its request.
2XX: successful, the client's request was successfully received, understood and
accepted.
3XX: redirection, further action needs to be taken by the user agent to fulfil
the request (typically following the Location header).
4XX: client error, the request is malformed or not permitted (e.g. 400, 401, 403,
404).
5XX: server error, the server is aware that it is incapable of performing the
request.
HTTP Response Code Examples
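To see what `curl -v` is actually doing with a URL, the following Python code is an added example for this training (not from the deck): it builds the raw HTTP/1.1 request for a URL in the slide's shape and parses a raw response into its status class. Everything is byte handling with no network, and the sample URL and response are constructed.

```python
"""Added example (not from the training deck): what `curl -v` does in
two pure functions, with no network: build the raw HTTP/1.1 request for
a URL, and parse a raw response into a status code and its class. The
sample URL and response are constructed."""
import base64
from urllib.parse import urlsplit

STATUS_CLASSES = {1: "informational", 2: "successful", 3: "redirection",
                  4: "client error", 5: "server error"}


def build_request(method, url, body=b""):
    """Return the request bytes a simple browser would send for `url`.

    Shows what happens to each URL part: the path and query form the
    request target, userinfo becomes an Authorization: Basic header (so
    it is visible to any proxy and in server logs), and the fragment
    (#...) is never sent to the server."""
    u = urlsplit(url)
    if u.scheme != "http":
        raise ValueError("only http:// URLs are handled in this example")
    method = method.upper()
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    host = u.hostname + (f":{u.port}" if u.port not in (None, 80) else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    if u.username is not None:
        cred = f"{u.username}:{u.password or ''}".encode()
        lines.append("Authorization: Basic " + base64.b64encode(cred).decode())
    has_body = method in ("POST", "PUT")
    if has_body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    lines.append("Connection: close")
    head = ("\r\n".join(lines) + "\r\n\r\n").encode()
    return head + (body if has_body else b"")


def parse_response(raw, request_method="GET"):
    """Parse raw response bytes into a dict: code, class, reason, headers, body.

    A HEAD response carries the same status and headers as GET but no
    body, so Content-Length is not used as a read length there."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = b""
    if request_method.upper() != "HEAD":
        length = int(headers.get("content-length", len(rest)))
        body = rest[:length]
    return {"code": code, "class": STATUS_CLASSES.get(code // 100, "unknown"),
            "reason": reason, "headers": headers, "body": body}


# Constructed sample URL in the slide's shape (user:pass@host:port/path?q#frag).
SAMPLE_URL = "http://admin:s3cret@www.example.com:8080/path?q1=a&q2=b#section"

# Constructed sample response: a redirect to a login page that also sets a
# session cookie (note the Secure and HttpOnly flags).
SAMPLE_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: /login\r\n"
                   b"Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_request("GET", SAMPLE_URL).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Compare the printed request with the output of `curl -v` for the same URL: curl adds a User-Agent and Accept header, but the request line, Host and Authorization headers are the same, and in both cases the "#section" part never leaves the client.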
Cookies
A cookie is a small piece of data sent from a website and stored by the browser,
giving websites a reliable mechanism to remember stateful information.
Cookies travel in HTTP headers (Set-Cookie from the server, Cookie from the
client). They often carry sensitive data such as session identifiers and are an
important entry point when testing.
Cookies vs Sessions
                Cookies                              Sessions
Storage         client side (browser)                server side
Lifetime        can outlive the browser              end when the browser is closed
                (persistent cookies)                 or the server times them out
Security        less secure: the client controls     more secure: only the session
                the contents, so they must be        ID leaves the server
                validated
Data type       strings only                         objects
Common Web Application Vulnerabilities
Injection Vulnerabilities
Frontend (Client):
Rendering attacks => HTML Injection
Code execution => JS Injection (XSS)
Backend (Server):
Command Injection & Code Injection
SQL Injection etc.
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Broken Authentication & Access Control
Sensitive Data Exposure
Server-Side Request Forgery (SSRF)
Weak User Passwords
Cross-Site Scripting (XSS)
Common Web Attacks – Server-Side Request Forgery (SSRF)
Server-side request forgery is a web security vulnerability that allows an
attacker to make the server-side application send requests to a location of the
attacker's choosing.
The attacker might cause the server to connect to internal-only services within
the organization's infrastructure (which trust the server but would never accept
a connection from the attacker directly), or force the back-end server to connect
to arbitrary external systems, which can leak sensitive data such as
authorization credentials carried in the request.
Attack types:
SSRF attack against the server itself (e.g. via the loopback address)
SSRF attack against other back-end systems
Reference: https://portswigger.net/web-security/ssrf
Common Web Attacks – Directory Brute Force Attack
Guessing attacks are very common against websites and web servers. They are used
to find hidden and often forgotten directories and files on a site (old backups,
admin panels, test pages) that can then be attacked.
Useful tools for this attack are dirb and DirBuster; both take a wordlist of
candidate names, request each one and report the response code.
On Kali you can find wordlists in /usr/share/wordlists/ (dirb's own lists are
under /usr/share/wordlists/dirb/).
Common Web Attacks – robots.txt
Search engines constantly spider (crawl) the web to index its content.
Websites use robots.txt to tell crawlers what should and should not be indexed.
"User-agent: *" means the section applies to all robots.
"Disallow: /" tells the robot that it should not visit any pages on the site.
robots.txt is advice to well-behaved crawlers, not an access control: the paths a
site asks crawlers to stay away from often point straight at the interesting
files and directories, especially when there are no other clues.
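The following Python code is an added example for this training, not from the deck or from dirb: it combines the two recon sources above offline. parse_robots() reads a robots.txt the way the slide describes, and candidate_paths() merges its Disallow entries with a dirb-style wordlist into the de-duplicated URL list a brute-force tool would then request. The robots.txt, the wordlist and the host name are constructed; nothing is fetched.

```python
"""Added example (not from the training deck): the two recon sources
combined offline. parse_robots() reads a robots.txt as the slide
describes, and candidate_paths() merges its Disallow entries with a
dirb-style wordlist into the de-duplicated URL list a brute-force tool
would request. The robots.txt, wordlist and host are constructed;
nothing is fetched."""
from urllib.parse import urljoin


def parse_robots(text):
    """Return {user_agent: [disallowed paths]}.

    'User-agent:' lines open a group (several in a row share one group),
    'Disallow:' lines attach to the open group. A blank Disallow blocks
    nothing and is skipped. '#' starts a comment."""
    groups, agents, rules_seen = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules_seen:              # a new group starts after rules
                agents, rules_seen = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("disallow", "allow"):
            rules_seen = True
            if field == "disallow" and value:
                for agent in agents:
                    groups[agent].append(value)
    return groups


def candidate_paths(base_url, robots_text, wordlist):
    """Merge robots.txt Disallow entries (first, they are the interesting
    ones) with wordlist entries, drop wildcard tails and the site root,
    de-duplicate ignoring a trailing slash, and return absolute URLs."""
    raw_paths = [p for paths in parse_robots(robots_text).values() for p in paths]
    raw_paths += ["/" + w.strip().lstrip("/") for w in wordlist if w.strip()]
    urls, seen = [], set()
    for path in raw_paths:
        path = path.split("*", 1)[0]        # /old-site/* -> /old-site/
        key = path.rstrip("/")
        if not key or key in seen:          # skips "/" and duplicates
            continue
        seen.add(key)
        urls.append(urljoin(base_url, path))
    return urls


# Constructed robots.txt in the shape seen on many real sites.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow:

User-agent: Googlebot
User-agent: Bingbot
Disallow: /old-site/*
Disallow: /
"""

# Constructed stand-in for a small dirb wordlist.
SAMPLE_WORDLIST = ["admin", "images", "backup", "uploads"]

if __name__ == "__main__":
    for url in candidate_paths("http://www.example.com/", SAMPLE_ROBOTS, SAMPLE_WORDLIST):
        print(url)
```

The robots.txt entries come first in the output on purpose: a path the site owner explicitly asked crawlers to avoid is a better lead than a generic wordlist hit, so it is the one to request and inspect first.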
Common Web Attacks – Directory Traversal
Also known as path traversal; used to gain unauthorized access to files.
A vulnerability that allows an attacker to read arbitrary files on the server.
This might include application code and data, credentials for back-end systems,
and sensitive operating system files.
The attacker jumps from the published pages to other files on the server by
using "../" segments to climb out of the web root.
Example: http://www.vulnerable.com/../../../etc/passwd
(Browsers normalise a literal "../" in the path before sending it, so in practice
the payload is supplied through a parameter such as ?file=../../../etc/passwd or
URL-encoded as %2e%2e%2f.)
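The following Python code is an added example for this training (not from the deck): a file-download handler with the traversal weakness beside a hardened version, run against a temporary directory that stands in for the web root. The directory layout, file names and contents are constructed; the secret file outside the web root plays the role of /etc/passwd.

```python
"""Added example (not from the training deck): a download handler with
the traversal weakness beside a hardened version, run against a
temporary directory that stands in for the web root. Paths, file names
and contents are constructed. Both plain and URL-encoded "../" are
decoded, since that is how the payload usually arrives."""
import os
import tempfile
from urllib.parse import unquote


def make_sample_site():
    """Create tmp/www/index.html (inside the web root) and tmp/secret.txt
    (outside it); return the web root path."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(base, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"TOP SECRET")           # stands in for /etc/passwd
    return webroot


def serve_file_vulnerable(webroot, requested):
    """Typical bug: decode, strip the leading slash, join onto the root.
    os.path.join happily keeps '..' segments, so the result can point
    anywhere on the disk."""
    path = os.path.join(webroot, unquote(requested).lstrip("/"))
    with open(path, "rb") as f:
        return f.read()


def serve_file_safe(webroot, requested):
    """Fix: resolve the final path (symlinks included) and check that it
    is still under the resolved web root before opening it. Removing
    '../' from the string is not enough ('....//' survives one pass);
    deciding on the resolved path is."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"request escapes web root: {requested!r}")
    with open(target, "rb") as f:
        return f.read()


def traversal_blocked(webroot, requested):
    """True when the hardened handler refuses the request."""
    try:
        serve_file_safe(webroot, requested)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    root = make_sample_site()
    for payload in ("index.html", "../secret.txt", "%2e%2e%2fsecret.txt"):
        leaked = serve_file_vulnerable(root, payload)
        print(f"{payload:22} vulnerable -> {leaked!r:18} safe blocks it -> {traversal_blocked(root, payload)}")
```

The check is done on the resolved absolute path rather than on the request string, so it also catches symlinks inside the web root that point outside it, which a string filter would never see.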
Common Web Attacks – Command Injection
A vulnerability that allows an attacker to execute arbitrary operating system
(OS) commands on the server that is running an application, typically because
user input is concatenated into a shell command line.
Examples of injected commands: ls, echo, whoami, cat, id, etc.
Request:
http://example.com/delete.php?filename=tom.txt;id
Here the ";" ends the intended command and the shell runs "id" as a second one.
Common Web Attacks – Code Injection
A vulnerability that allows an attacker to inject code that the application then
executes.
It differs from command injection: here the attacker is limited only by the
functionality of the injected language itself. For example, if an attacker can
inject PHP code into an application and have it executed (for instance through
an eval() on user-supplied input), he is limited only by what PHP is capable of.
Sample example:
Common Web Attacks – Filters & Escaping Add-Ons
Developers try to sanitise input by replacing or banning characters such as
; && ' .. etc.
Others add escaping characters (backslash \), and others use filtering functions
such as PHP's escapeshellarg or escapeshellcmd.
Testers in turn try to bypass the validation functions, either through logic
errors in the filter or through its limitations, for example with separators the
filter did not consider:
&&
||
Null characters and line breaks (%0A)
The robust fix is not a longer blacklist but keeping user input out of the shell
entirely: pass it as a separate argument to the program and validate it against
an allow-list.
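The following Python code is an added example for this training, not from the deck: the delete.php?filename=tom.txt;id pattern rewritten in Python, showing the injectable shell call, why a blacklist that only strips ";" is bypassed with "&&", a newline (%0A) or simply by encoding the ";" as %3B, and the hardened version (no shell, allow-list on the argument). It runs in a temporary directory holding a constructed tom.txt, uses `wc -c` instead of a delete so nothing is destroyed, and the injected command is a harmless echo marker rather than `id`.

```python
"""Added example (not from the training deck): the
delete.php?filename=tom.txt;id pattern rewritten in Python. It shows the
injectable shell call, why a blacklist that only strips ';' is bypassed
with '&&', a newline (%0A) or an encoded ';' (%3B), and the hardened
version (no shell, allow-list on the argument). Runs in a temporary
directory with a constructed tom.txt; `wc -c` stands in for the delete
and the injected command is a harmless echo marker, not `id`."""
import os
import re
import subprocess
import tempfile
from urllib.parse import unquote


def make_workdir():
    """Temporary directory with one constructed file, tom.txt (6 bytes)."""
    d = tempfile.mkdtemp(prefix="cmdi-demo-")
    with open(os.path.join(d, "tom.txt"), "w") as f:
        f.write("hello\n")
    return d


def size_vulnerable(workdir, filename):
    """Equivalent of system("wc -c " . $_GET['filename']): the decoded
    parameter is pasted into a shell command line."""
    proc = subprocess.run(f"wc -c {unquote(filename)}", shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def strip_semicolons(value):
    """A blacklist filter a developer might add after the first report."""
    return value.replace(";", "")


def size_filtered(workdir, filename):
    """Filter applied to the raw parameter, then the same shell call.
    Two flaws: the blacklist is incomplete, and it runs before decoding."""
    return size_vulnerable(workdir, strip_semicolons(filename))


# Allow-list: plain file names only, no leading '-' (so no option injection).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def size_safe(workdir, filename):
    """Hardened: validate against the allow-list, then pass the value as a
    separate argv element with shell=False, so no shell ever parses it."""
    name = unquote(filename)
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected filename: {name!r}")
    proc = subprocess.run(["wc", "-c", name], cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def injected(output):
    """True if the marker printed by the injected command reached stdout."""
    return "INJECTED" in output


def safe_rejects(workdir, filename):
    """True when the hardened version refuses the parameter."""
    try:
        size_safe(workdir, filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    d = make_workdir()
    payloads = ["tom.txt", "tom.txt;echo INJECTED", "tom.txt&&echo INJECTED",
                "tom.txt%0Aecho INJECTED", "tom.txt%3Becho INJECTED"]
    for p in payloads:
        print(f"{p:26} vulnerable={injected(size_vulnerable(d, p))} "
              f"filtered={injected(size_filtered(d, p))} safe_rejects={safe_rejects(d, p)}")
```

The %3B case is worth noting separately: the filter ran on the raw parameter and found nothing, and the decoding that happened afterwards produced the ";" it was looking for. Filters must run on the decoded value, and even then the allow-list plus shell-free call is the version that holds up.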
Common Web Attacks – SQL Injection
Websites depend on a backend database for storing sensitive data ($$$).
Websites that accept user input (login and search forms, for instance) pass that
input to the database; an attacker can manipulate it so that other SQL statements
run, such as:
SELECT → SELECT * FROM flag WHERE 1=1; (* = all columns, 'flag' is the table
name, WHERE adds a condition, and 1=1 is always true)
INSERT, DELETE, UPDATE
UNION → SELECT * FROM username UNION SELECT * FROM flag; (shows both tables one
under the other; both SELECTs must return the same number of columns)
COUNT, AVG, etc. → SELECT * FROM flag UNION SELECT COUNT(names) FROM userpass
LIMIT, ORDER BY → SELECT * FROM userpass ORDER BY id LIMIT 1
SQL Injection – Attack Types
Retrieving hidden data - where you can modify an SQL query to return additional results.
Subverting application logic - where you can change a query to interfere with the
application's logic.
UNION attacks - where you can retrieve data from different database tables.
Examining the database - where you can extract information about the version and
structure of the database.
Blind SQL injection - where the results of a query you control are not returned in the
application's responses.
SQL Injection – Database Version & Comments
Fingerprinting the engine: @@version (MySQL, Microsoft SQL Server), version()
(PostgreSQL), sqlite_version() (SQLite). Comment sequences used to cut off the
rest of the original query: -- (followed by a space on MySQL), # (MySQL only),
/* */.
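The following Python code is an added example for this training, not from the deck: the attack types listed above run against an in-memory SQLite database with constructed `userpass` and `flag` tables. login_vulnerable() builds the query by string formatting the way the slides describe, login_safe() is the parameterised fix, and blind_extract_password() shows the blind case, where nothing but login success or failure is visible. The usernames, passwords and flag value are made up.

```python
"""Added example (not from the training deck): the attack types run
against an in-memory SQLite database holding constructed `userpass` and
`flag` tables. login_vulnerable() builds the query by string formatting
as the slides describe; login_safe() is the parameterised fix. Comment
syntax differs by engine: `-- ` works here and in MySQL/PostgreSQL/MSSQL,
MySQL also takes `#`; the version function is sqlite_version() here,
@@version on MySQL/MSSQL, version() on PostgreSQL."""
import sqlite3


def make_db():
    """Constructed sample data; the tables follow the slide's names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE userpass(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE flag(id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO userpass(username, password) VALUES ('alice', 'Winter2024!'), ('bob', 'hunter2');
        INSERT INTO flag(value) VALUES ('FLAG{constructed-sample}');
    """)
    return db


def login_vulnerable(db, username, password):
    """User input pasted straight into the statement text."""
    sql = (f"SELECT id, username FROM userpass "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Parameterised: the engine receives the query shape and the values
    separately, so a quote in the input can never end the string literal."""
    sql = "SELECT id, username FROM userpass WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


# Payloads for the attack types on the slide (the password can be anything).
PAYLOADS = {
    "retrieve hidden data / subvert logic": "' OR 1=1 --",
    "log in as alice without her password": "alice' --",
    "UNION: read another table": "' UNION SELECT id, value FROM flag --",
    "examine the database": "' UNION SELECT 1, sqlite_version() --",
}

CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*?-_."


def blind_extract_password(db, username, max_len=32):
    """Boolean-based blind SQL injection: the application never shows the
    query result, only whether login 'succeeded' (a row came back), so the
    password is recovered one character at a time with substr()."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            probe = f"{username}' AND substr(password, {pos}, 1) = '{ch}' --"
            if login_vulnerable(db, probe, "x"):
                recovered += ch
                break
        else:
            break    # no character matched: end of password (or one outside CHARSET)
    return recovered


if __name__ == "__main__":
    db = make_db()
    for label, payload in PAYLOADS.items():
        print(f"{label:40} vulnerable={login_vulnerable(db, payload, 'x')} "
              f"safe={login_safe(db, payload, 'x')}")
    print("blind extraction of alice's password:", blind_extract_password(db, "alice"))
```

The blind routine needs about 70 requests per character, which is why real tools (sqlmap, for instance) first recover the length and then binary-search each character with comparisons instead of equality tests; the principle is the same.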
Web Application Security Controls
Input validation and sanitization
Output encoding
Secure session management
Secure communication (HTTPS)
Secure configuration
Secure storage
Error handling (no stack traces or database errors returned to the client)
Securing code
Authentication & authorization
Web Security – Standards & Regulations
OWASP Top 10
SANS/CWE Top 25 Most Dangerous Software Errors
PCI DSS for web applications
Secure by Design
ISO/IEC 27001:2022
NIST CSF
Vulnerability Assessment
Penetration Testing
Types of Pentest
Red Teaming Operations
Pentesting Frameworks
OWASP WSTG (Web Security Testing Guide)
Information System Security Assessment Framework (ISSAF)
MITRE ATT&CK Framework
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
Open Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing Execution Standard (PTES)
Open Source Intelligence (OSINT)
Use of OSINT
Governments: national security, national cyber security, counter-terrorism,
directing misinformation
Law enforcement agencies: preventing crimes, tracking criminal networks
Cybersecurity: pen testing, bug bounty hunting, cyber defence
OSINT Tools
OSINT Framework
Google Dorks
MISP
DarkOwl
theHarvester (included in the Kali Linux distribution)
SecurityTrails API
BGPView
Shodan
CVE DB (the public CVE database)
Mitaka (browser extension)
Threats to Mobile Security
Cyber Crimes related to Mobile
Mobile Attack Vectors & Techniques
Exploiting mobile OS vulnerabilities
Abusing permissions and access rights
Attacking mobile app communication protocols
Leveraging mobile device management (MDM) weaknesses
Social engineering attacks targeting mobile users
Mobile Security – Best Practices
THANK YOU
