Practical 02 JCUS .... PDF

Title Practical 02 JCUS ....
Author yx hy
Course Database Modelling
Institution James Cook University
Pages 6
File Size 179.6 KB
File Type PDF

Description

Practical 2 - Application and Networking Based Attacks

Part I – Short answer questions

1. What does a networked computer system consist of? Explain each of its elements.
2. Explain server-side and client-side attacks.
3. What is the difference between HTML and XML? How can attackers make use of XML to attack a server?
4. What is the relationship between “directory traversal” and “command injection”?
5. What is SQL injection?
6. Explain the term “drive-by download”. How can attackers perform the attack?
7. Explain how attackers can make use of the “referrer” field of the HTTP header.
8. What are cookies? How many types of cookies are there? Explain each of the cookie types.
9. What is a session token? What is it used for?
10. What is session hijacking? Why would the attacker want to hijack a session token?
11. What is the difference between add-ons and plug-ins?
12. Explain:
    a. Buffer overflow attack
    b. Integer overflow attack
    c. Heap spray
13. What is Denial of Service (DoS)? What is the difference between DoS and Distributed Denial of Service (DDoS)?
14. Explain:
    a. Ping flood attack
    b. Smurf attack
    c. SYN flood attack
15. What is the difference between a “man-in-the-middle” attack and a “replay” attack?
16. Explain:
    a. ARP poisoning
    b. DNS poisoning
17. What is privilege escalation? What is the difference between horizontal and vertical privilege escalation?
18. What is transitive access? Can you prevent transitive access from occurring? How?

Part II – Hands-on activity

We are all very familiar with Google search. The Google search engine found at www.google.com offers many different features, including web and image search, language translation, a currency converter, news searches and many more. These features offer obvious benefits to even the most uninitiated web surfer, but the same features allow far more nefarious possibilities for the most malicious Internet users, including hackers, computer criminals, identity thieves and even terrorists. We will explore applications of the Google search engine, techniques that have collectively been termed Google hacking.

Bear in mind that hacking activity is a criminal act and is illegal, like entering somebody’s house without permission. The intent of this activity is to educate students in the hope of eventually securing against this form of information leakage.

Basic Google Searches

1. A basic Google search consists of one or more words typed in the Google input field without any quotation marks. Google then searches its index for every word in the list of terms individually.
2. Search social media: put @ in front of a word to search social media. For example: @twitter.
3. Search for a price: put $ in front of a number. For example: camera $400.
4. Search hashtags: put # in front of a word. For example: #throwbackthursday.
5. Exclude words from your search: put - in front of a word you want to leave out. Excluding a term from a search query is as simple as placing a minus sign (-) before the term; do not use a space between the minus sign and the term. For example: jaguar speed -car.
6. Search for an exact match: put a word or phrase inside quotes. For example: "tallest building".
7. Search within a range of numbers: put .. between two numbers. For example: camera $50..$100.
8. Combine searches: put "OR" between each search query. For example: marathon OR race.

Advanced Google Searches

Google allows the use of certain operators to help refine searches. The use of advanced operators is very simple as long as attention is given to the syntax. The basic format is: operator:search_term

Notice that there is no space between the operator, the colon and the search term. If a space is used after the colon, Google will display an error message. If a space is used before the colon, Google will use your intended operator as a search term. Some advanced operators can be used as a standalone query; for example, ‘cache:www.google.com’ can be submitted to Google as a valid search query. The ‘site’ operator, by contrast, must be used along with a search term, such as ‘site:www.google.com help’. The Google operators are listed in the following table.

Google Operator   Description
site:             find the search term only on the site specified by search_term (requires an additional argument)
filetype:         search documents of the type search_term (requires an additional argument)
link:             find sites containing search_term as a link
cache:            display the cached version of the page specified by search_term
intitle:          find sites containing search_term in the title of a page
inurl:            find sites containing search_term in the URL of the page
allintext:        search for specific text contained on any web page

Now, try to do a Google search using each of the above operators. Screenshot the output of your Google search command and explain in detail the information you got related to the operator.

1. Operator site: site:jcu.edu.au OR site:jcu.edu.sg scholarship

2. Operator filetype: network security essentials filetype:pdf

3. Operator link: link:jcu.edu.au

4. Operator cache: cache:jcu.edu.au

5. Operator intitle: intitle:scholarship

6. Operator inurl: inurl:"dan brown"

7. Operator allintext: allintext:"hacking tools"

Google Hacking

1. Domain searches using the site operator

The site operator can be expanded to search entire domains with a security-sensitive argument, for example: site:gov.sg secret

This query searches every web site in the .gov.sg domain for the word ‘secret’. If you’re lucky you might be able to find several secret documents. But if you really do find one, a good hacker will report the leaked information to the authorized administrator so it can be fixed. Journalists, snoops and busybodies in general can use this technique to find interesting ‘dirt’ about a group of websites owned by organizations such as a government or non-profit organization. Remember that top-level domain names are often very descriptive and can include interesting groups such as the U.S. Government (.gov or .us). Hackers also use it to search for targets: if a hacker harbors a grudge against a specific country or organization, he can use this type of search to find sensitive targets.

Try to do a Google search using the above operator with different security-sensitive arguments. Screenshot the output of your Google search command and explain in detail the information you got related to the operator.

2. Finding directory listings

Directory listings provide a list of files and directories in a browser window instead of the typical text and graphics associated with web pages. Directory listings are often placed on web servers purposely to allow visitors to browse and download files from a directory tree. Many times, however, directory listings are not intentional. A misconfigured web server may produce a directory listing if the index (main web page) file is missing. In some cases, directory listings are set up as a temporary storage location for files. Either way, there’s a good chance that an attacker may find something interesting inside a directory listing. For example:

intitle:index.of
intitle:index.of "parent directory"
intitle:index.of Server.at

Try to do a Google search using the above operator with different security-sensitive arguments. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. Do you find the name of the web server application that is currently used by a particular website, its version, and its port number? What does that information mean to you?

3. Finding log files

Log files record all the activities of a server, so they sometimes contain sensitive information, and they can be found within any website. Error logs, access logs and other types of application logs are often discovered inside the public HTTP space of websites. This can help attackers find the PHP version you’re running, as well as the critical system path of your CMS or frameworks. For this kind of Google hacking, you can combine two Google operators, allintext and filetype, for example: allintext:username filetype:log

This will show a lot of results that include the word username inside *.log files. Try to do a Google search using the above operator with different security-sensitive arguments. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. Do you find some interesting information in it?

4. Finding vulnerable web servers

Google hacking can be used to detect vulnerable or hacked servers that allow appending “/proc/self/cwd/” directly to the URL of your website. For example: inurl:/proc/self/cwd

Do a Google search using the above operator. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. What does the directory “/proc/self/cwd/” mean for a web server?

5. Finding SSH private keys

SSH private keys are used to decrypt information that is exchanged in the SSH protocol. As a general security rule, private keys must always remain on the system being used to access the remote SSH server and shouldn’t be shared with anyone. With the following Google search, you will be able to find SSH private keys: intitle:index.of id_rsa -id_rsa.pub

You can also use a simple Google search to fetch SSH usernames from PuTTY logs as follows; if you’re lucky you might find very interesting information. filetype:log username putty

Do a Google search using the above operator. Screenshot the output of your Google search command and explain in detail the information you got related to the operator.

6. Finding email lists

Let’s now find email lists using Google search. One way to fetch an email list is shown in the following example, by searching for any Excel file that may contain several email addresses. filetype:xls inurl:"email.xls"

Do a Google search using the above operator. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. Do you find the important information you expected?

7. Finding live cameras

In 2017, the FBI sent a warning to parents: your children’s new internet-connected toy could be secretly spying on them. “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities — including speech recognition and GPS options,” the agency wrote in its advisory on Monday, warning that these high-tech toys can be hacked to record video and audio of children unbeknownst to parents. The following Google search techniques can help you fetch live camera web pages that are not restricted by IP. inurl:top.htm inurl:currenttime

To find WebcamXP-based transmissions: intitle:"webcamXP 5"

And another one for general live cameras: inurl:"lvappl.htm"

There are a lot of live camera dorks that can let you watch any part of the world, live. You can find education, government, and even military cameras without IP restrictions. Do a Google search using the above operators. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. Do you find the important information you expected?

8. Finding cPanel password reset

cPanel is a common interface used by a web administrator to manage websites, email, and so on. Google search can be used as the first step in the footprinting process to explore the cPanel and then exploit various weaknesses in password resets to take over the cPanel (along with all the websites hosted on it). For example: inurl:_cpanel/forgotpwd

Do a Google search using the above operator. Screenshot the output of your Google search command and explain in detail the information you got related to the operator. Do you find the important information you expected?...
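From the defender's side, items 2, 3, 5 and 6 above (directory listings, log files in public HTTP space, SSH private keys, and spreadsheets of email addresses) are all things a web administrator can check for locally before a search engine indexes them. The following script is an added example and is not part of the practical or of any tool it mentions. It walks a directory that stands in for a server's document root, flags the same categories of exposure the searches above target, and treats any directory lacking an index file as a listing risk (it assumes the server is configured to autoindex when no index file is present, which is the misconfiguration described under item 2). The sample document root, its file names and the log line are constructed for the example.

```python
"""Web-root exposure audit (added example; not part of the practical)."""
import os
import tempfile
from pathlib import Path

# Index file names that stop a directory from being served as a listing
# (assumption: these are the names the server checks for).
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Conventional SSH private-key file names; the .pub halves are public.
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
# Words that suggest a log file carries credential material.
CREDENTIAL_WORDS = ("username", "password", "passwd")


def classify_file(path: Path) -> list[str]:
    """Return the exposure categories a single file falls into."""
    name = path.name.lower()
    findings: list[str] = []
    try:
        head = path.read_text(errors="replace")[:4096]
    except OSError:
        head = ""
    # SSH private keys: match by conventional name or by PEM header.
    if name in KEY_NAMES or "PRIVATE KEY-----" in head:
        findings.append("ssh-private-key")
    # Log files in public HTTP space; note separately if they mention credentials.
    if path.suffix.lower() == ".log":
        findings.append("log-file")
        if any(word in head.lower() for word in CREDENTIAL_WORDS):
            findings.append("log-mentions-credentials")
    # Spreadsheets named like mailing lists.
    if path.suffix.lower() in {".xls", ".xlsx", ".csv"} and "email" in name:
        findings.append("email-list")
    return findings


def audit_webroot(root: str) -> dict[str, list[str]]:
    """Walk a document root and map each risky relative path to its findings."""
    root_path = Path(root)
    report: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path).as_posix()
        key = "/" if rel_dir == "." else rel_dir
        # A directory with no index file is served as a listing by an
        # autoindexing server, which is what "intitle:index.of" turns up.
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            report.setdefault(key, []).append("directory-listing-risk")
        for fname in filenames:
            fpath = Path(dirpath) / fname
            found = classify_file(fpath)
            if found:
                report[fpath.relative_to(root_path).as_posix()] = found
    return report


def build_sample_root() -> str:
    """Create a constructed document root with a few deliberately risky files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "index.html").write_text("<html>ok</html>\n")
    backups = Path(root) / "backups"          # no index file: listing risk
    backups.mkdir()
    (backups / "id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (backups / "id_rsa.pub").write_text("ssh-rsa AAAA... constructed public half\n")
    (backups / "email.xls").write_bytes(b"constructed spreadsheet bytes")
    logs = Path(root) / "logs"                # no index file: listing risk
    logs.mkdir()
    (logs / "access.log").write_text("10.0.0.5 - - GET /login?username=alice\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel_path, findings in sorted(audit_webroot(sample).items()):
        print(f"{rel_path}: {', '.join(findings)}")
```

To audit a real server, call audit_webroot with the path of the actual document root instead of the constructed tree. Each finding is a signal to move the file out of public HTTP space, deny access to it in the server configuration, or disable directory listings; the public key id_rsa.pub is deliberately not flagged, matching the -id_rsa.pub exclusion in the search under item 5.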

