ITPro.TV: CompTIA Security+ (SY0-601) & TryHackMe: Jr. Penetration Tester
author: Nathan Acks
CompTIA Security+ Exam Cram
My favorite quip is here! “Unnecessary complexity” as a security vulnerability!
Elements of weak configurations:
- Open permissions
- Unsecured root/system accounts
- Weak encryption
- Insecure protocols
- Default settings (IMHO, depends on the defaults)
- (Improperly) Open (or unneeded) ports/services
Another gem that parallels something I like to repeat:
“An organization should never try to create its own cryptographic algorithms within systems.”
- CompTIA Security+ SY0-601 Exam Cram, 6/e
The Exam Cram implies that leaving all services enabled will seldom be the correct answer when presented with a device configuration scenario on the Security+ exam.
Improper or Weak Patch Management
Types of updates:
- Hotfix: A targeted update that alters the target application or operating system in a limited way. Generally small and out-of-band.
- Service Pack: A bundle of all hotfixes and updates (security or not) up to a certain point. Mostly a Windows thing.
- Update: A non-critical, non-security bugfix.
Microsoft divides updates into “security updates” (which address security issues), “critical updates” (non-security updates that fix high-impact bugs), and just plain “updates” (everything else).
Exam Cram indicates that the Security+ exam will likely ask about the dangers of end-of-life systems.
Type of potential incident impacts:
- Data loss (deletion, in this case)
- Data breach
- Identity theft
- Financial losses
- Reputational losses
- Physical danger and loss of life
ITPro.TV: CompTIA Security+ (SY0-601)
Vulnerability: Any weakness that creates an avenue for attack.
Some specifics that the Security+ exam targets:
- Weak configurations (default, weak or non-existent encryption, insecure protocols, wide permissions)
- Cloud vs. on-prem
- Third-party risks
There are lots of third-party risks. Everything that might go wrong in-house can also go wrong with a vendor.
Many times the reason organizations will attempt to refactor third-party applications or drivers (see yesterday’s notes) is because of lack of current vendor support (and occasionally lack of vendor entirely).
TryHackMe: Jr. Penetration Tester
Viewing the Page Source
Who tries to hide secret links on their web page? But apparently, this is something more than one org does, and is a good reason to view source and/or inspect the DOM.
Also, another good reminder to look for indexable directories.
Developer Tools: Debugger
Manual Discovery: Favicon
Quickly match a favicon to its framework!
Start by getting the favicon MD5 hash:
curl $URL_OF_FAVICON | md5sum
Then look it up:
OSINT: Google Hacking / Dorking
Useful Google search modifiers:
- site: - Search only within the specified domain
- inurl: - Require term to be present in the URL
- filetype: - Only return results with the specified extension
- intitle: - Require term to be present in the page title
OSINT: S3 Buckets
It can often be fruitful to just attempt to guess an organization’s S3 buckets. Common variants:
I’ll bet dollars to donuts that “dev” and “prod” are also common suffixes.
There’s also dirbuster, but I kinda prefer gobuster.
Note that the SecLists web discovery common.txt wordlist lives in /usr/share/wordlists/dirb/common.txt on Kali Linux.
OSINT: SSL/TLS Certificates
Certificate transparency logs can be used to find subdomains with specially provisioned SSL certificates. The main option (given that the Google search tool is being taken down in a few months):
OSINT: Search Engines
A Google search for subdomain enumeration:
*.example.com searches subdomains of
DNS Brute Forcing
The dnsrecon tool actually allows us to (attempt) to brute force subdomains from a wordlist:
dnsrecon --type brt \
  --domain $DOMAIN \
  --dictionary /usr/share/wordlists/metasploit/namelist.txt
Alternative to dnsrecon (above), though not installed on Kali by default.
# Install Sublist3r
# sudo apt install sublist3r
It turns out that ffuf can fuzz HTTP headers, which can be used to try to brute force virtual host entries.
ffuf -w /usr/share/wordlists/metasploit/namelist.txt \
  -H "Host: FUZZ.$DOMAIN" \
  -u https://$IP
Use -fs $SIZE to filter out responses of a particular size from the results (which you’ll probably need to do in most cases).
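The defender's view of the Host-header fuzzing above, as an added example that is not from the original notes: a wordlist run like the ffuf command leaves a web server log full of requests from one client for names the server never served, all answered by the catch-all vhost with the same page (the uniform size ffuf users drop with -fs). This assumes an nginx-style access log that records $host first (the format is hypothetical, the log lines are constructed) and a hypothetical KNOWN_VHOSTS set of the names the server really serves.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines (not from the original page) in a hypothetical
# nginx-style format that logs the Host header first:
#   $host $remote_addr [$time_local] "$request" $status $body_bytes_sent
SAMPLE_LOG = """\
www.example.com 203.0.113.5 [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
wwww.example.com 203.0.113.5 [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
www.example.com 198.51.100.7 [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120
admin.example.com 198.51.100.7 [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612
dev.example.com 198.51.100.7 [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612
staging.example.com 198.51.100.7 [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 612
this is not a log line
"""

# Hypothetical set of names this server is actually configured to serve.
KNOWN_VHOSTS = {"www.example.com", "api.example.com"}

LINE_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<time>[^\]]+)\] '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$')

def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec

def unknown_host_records(log_text, known_vhosts):
    """Parsed records whose Host header names a vhost this server does not serve."""
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["host"] not in known_vhosts:
            yield rec

def find_vhost_bruteforce(log_text, known_vhosts, threshold=3):
    """Map each client IP that asked for at least `threshold` distinct unknown Host
    names to the sorted list of those names. One typo stays below the threshold."""
    unknown = defaultdict(set)
    for rec in unknown_host_records(log_text, known_vhosts):
        unknown[rec["ip"]].add(rec["host"])
    return {ip: sorted(h) for ip, h in unknown.items() if len(h) >= threshold}

def default_page_size(log_text, known_vhosts):
    """Most common body size served for unknown names: the catch-all vhost's
    page, i.e. the uniform size an ffuf user removes with -fs."""
    sizes = Counter(r["size"] for r in unknown_host_records(log_text, known_vhosts))
    return sizes.most_common(1)[0][0] if sizes else None
```

Tune the threshold to how often legitimate clients mistype hostnames against your server; the size reported by default_page_size is also the one to compare against when deciding whether the catch-all vhost should answer unknown names at all.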