MITRE CVEs
Exam Cram calls out TTP, IOC, and AIS as three acronyms to know for the exam.
Threat Intelligence: The gathering and analysis of data for the purpose of identifying, preventing, and remediating potential attacks.
One reason to go through the exercise of information classification is to ensure that proper controls are in place to prevent the disclosure of potentially sensitive data (which could then be used by attackers in their OSINT efforts!).
Useful tools:
Both Maltego and recon-ng require a large number of API keys to function
Threat Map: A real- (or near-real-) time map of identified threats/attacks, normally visualized geographically.
Threat Feed: A real- (or near-real-) time stream (often in the form of an RSS feed) containing information about threats, attacks, and threat actors.
Things that often go into a threat feed:
VirusTotal is a little bit like a threat feed.
STIX and TAXII together define a common (low-level) language for talking about IOCs and transmitting them between systems. STIX and TAXII come together in the Automated Indicator Sharing (AIS) system, which is CISA’s IOC clearinghouse mentioned by Exam Cram.
I’m a little skeptical about the overall utility of threat maps, though they do look cool.
Vulnerability Database: A collection of information about security flaws (and sometimes information about how to exploit them).
Examples:
NVD includes a number of components:
A vulnerability feed is like a threat feed, but for vulnerabilities. MITRE and NVD both maintain vulnerability feeds.
Common threat actors that are important to know for the Security+ exam:
Threat Vector: An avenue of attack.
Use ffuf to enumerate potential users based on a wordlist (this assumes that the form we’re hitting is not AJAX-y):
ffuf -w /usr/share/wordlists/wfuzz/others/names.txt \
-X POST -d "$POST_VARS" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u $FORM_URL -mr "$ERROR_MESSAGE_SUBSTRING"
Here $POST_VARS should look something like username=FUZZ&email=FUZZ@example.com&password=1234&cpassword=1234 (recall that FUZZ is the placeholder that ffuf substitutes each wordlist entry into). The -mr flag instructs ffuf to match on page text: only responses whose body contains the given pattern (here a substring of the error message that identifies a “successful hit”) are reported.
Note that ffuf is kind of noisy in its default output, so when generating user lists it may be useful to supply the -s flag, which suppresses all output lines except those matched with -mr.
Ffuf can also be used as a simple brute-forcer:
ffuf -w /usr/share/wordlists/wfuzz/others/names.txt:W1,$HOME/.local/share/red-team/wordlists/rockyou.txt:W2 \
-X POST -d "$POST_VARS" \
-H "Content-Type: application/x-www-form-urlencoded" \
-u $LOGIN_URL -fc 200
Here we assign W1 and W2 to take terms from the two supplied wordlists; $POST_VARS then looks something like username=W1&password=W2. The -fc 200 flag filters out every response with status code 200, so this example assumes that a successful login returns an HTTP status code other than 200 (probably a 301 or 302).
Again, the -s flag can be advisable here.
Note that ffuf will try every possible combination of elements from the two wordlists, so the number of requests is the product of the two wordlist sizes and grows very quickly.
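From the server side, both of the ffuf runs above look like one client posting to the login form many times in a row, with nearly every response being the same error page. As an added defensive example (not from the original notes), here is a POSIX shell function that scans combined-format access log lines for exactly that pattern; the log lines, IP addresses and /login path are constructed for the demo.

```shell
#!/bin/sh
# Constructed combined-format access log lines (not from the original notes).
# 203.0.113.5 hits the login form repeatedly, as a wordlist-driven run would;
# most attempts come back 200 (the error page), one comes back 302.
# 198.51.100.9 is a single ordinary login.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 1043 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 1043 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 200 1043 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "-"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 200 1043 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /login HTTP/1.1" 200 1043 "-" "-"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "-"'

# login_bursts PATH THRESHOLD
# Reads access log lines on stdin and prints "IP posts non200" for every
# client with more than THRESHOLD POSTs to PATH. POST bodies are never
# logged, so this sees request volume rather than the usernames tried;
# the non-200 column singles out the few responses that differ from the
# repeated error page (for example a 302 after a correct guess).
login_bursts() {
    awk -v path="$1" -v max="$2" '
        $6 == "\"POST" && $7 == path {
            posts[$1]++
            if ($9 != 200) other[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] > max) print ip, posts[ip], other[ip] + 0
        }
    ' | sort
}

# Run the detector over the constructed sample with a threshold of 3.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | login_bursts /login 3
}

demo   # prints: 203.0.113.5 5 1
```

A slow enumeration spread over hours slips under a whole-file count; bucket on the timestamp in field 4 to count per time window instead.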
It’s worth experimenting with forms to check how GET and POST variables interact (and whether one can be used to override the other).
Interesting; sometimes cookies are hashes, rather than plain strings. I’m guessing that the reason you’d do this is that you’re concatenating some values together and then checking to see if the hash matches before granting certain privileges? This seems potentially much less secure than password hashing (even with a salt), though, as the number of terms that could reasonably be included in a permission string is much smaller than the number of character combinations in even a modest password…
CrackStation is an online database of hashes (basically a rainbow table).
I guess the reason you’d do this is to try to minimize the number of database hits?
On the other hand, seeing base64-encoded cookies is something I’m much more familiar with!
Remember that basenc can be used to encode/decode a variety of encodings, including URL-safe base64 (for which there don’t seem to be any other good command-line tools).
# Encode $STRING to base64.
echo "$STRING" | basenc --base64
# Encode $STRING to URL-safe base64.
echo "$STRING" | basenc --base64url
# Decode $BASE64_STRING from base64.
echo "$BASE64_STRING" | basenc -d --base64
# Decode $BASE64_STRING from URL-safe base64.
echo "$BASE64_STRING" | basenc -d --base64url