ITPro.TV: CompTIA Security+ (SY0-601) & TryHackMe: Jr. Penetration Tester

author: Nathan Acks
date: 2022-04-02

CompTIA Security+ Exam Cram

Today I’ll be covering Chapter 22 of the Security+ Exam Cram, “Cloud Cybersecurity Solutions”.

Introduction

Cloud platform security controls: A wall of toggles. So many toggles…

Cloud Workloads

Key security concerns:

In AWS, both servers and users are assigned permissions.

Regions and Availability Zones

Region = Geographic area

Availability Zone = Locations within a region

Regions provide control over pricing, local regulations, and (gross) latency.

Availability zones allow for redundancy.

Virtual Private Cloud (VPC)

A VPC is basically the private internal network used to connect cloud resources. “VPC endpoints” allow connections to other cloud resources, but are generally one-way (requests must be initiated by resources within the VPC).

Security best practices for a VPC are basically the same as those for a regular network, except that there’s often finer-grained control via security groups and cloud platform policies. API monitoring also needs to be taken into account.

Security Groups

Security groups can be thought of as firewalls, as they determine what traffic may be sent/received by resources within the group. General properties (seems AWS-specific):

Network ACLs basically function as stateless firewalls.
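The practical consequence of the stateful/stateless distinction is easiest to see on the return half of a connection. The following is an added example (not from Exam Cram or from AWS): a toy packet filter with constructed rules and packets, showing that a connection the instance opens outbound gets its reply back through a stateful security group automatically, while a stateless network ACL drops the reply unless an explicit inbound rule covers the ephemeral port range. The rule tuple format and the `Packet` fields are assumptions made for the example.

```python
"""Stateful security group vs stateless network ACL, as a toy packet filter.

Added example (not from Exam Cram or AWS): it shows why the return half of a
connection passes a stateful security group automatically but needs its own
rule in a stateless network ACL. Rule format and packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected instance
    proto: str
    src_port: int
    dst_port: int


# Constructed rules: (direction, protocol, destination-port spec).
# A port spec is an int, a (low, high) range, or "any".
BASE_RULES = [
    ("in", "tcp", 443),      # inbound HTTPS to the instance
    ("out", "tcp", "any"),   # all outbound TCP
]


def _port_matches(spec, port):
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


def _rule_allows(rules, pkt):
    return any(d == pkt.direction and p == pkt.proto and _port_matches(spec, pkt.dst_port)
               for d, p, spec in rules)


def _flow_key(pkt):
    """(proto, instance-side port, remote port): identical for both directions of one flow."""
    if pkt.direction == "in":
        return (pkt.proto, pkt.dst_port, pkt.src_port)
    return (pkt.proto, pkt.src_port, pkt.dst_port)


class StatelessFilter:
    """Network-ACL behaviour: every packet is judged on the rules alone."""
    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt):
        return _rule_allows(self.rules, pkt)


class StatefulFilter(StatelessFilter):
    """Security-group behaviour: once a flow is allowed, its return traffic is too."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def allows(self, pkt):
        key = _flow_key(pkt)
        if key in self.flows:
            return True
        if _rule_allows(self.rules, pkt):
            self.flows.add(key)
            return True
        return False


# Constructed traffic: the instance opens a connection out to a patch mirror, then the reply returns.
OUTBOUND_FLOW = [
    Packet("out", "tcp", 40000, 443),
    Packet("in", "tcp", 443, 40000),
]


def evaluate(filt, packets):
    """Verdict per packet, in capture order."""
    return [filt.allows(p) for p in packets]


# The fix a stateless ACL needs: an explicit inbound rule for the ephemeral port range.
EPHEMERAL_REPLY_RULE = ("in", "tcp", (1024, 65535))


def demo():
    return {
        "security_group": evaluate(StatefulFilter(BASE_RULES), OUTBOUND_FLOW),
        "network_acl": evaluate(StatelessFilter(BASE_RULES), OUTBOUND_FLOW),
        "network_acl_fixed": evaluate(StatelessFilter(BASE_RULES + [EPHEMERAL_REPLY_RULE]), OUTBOUND_FLOW),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:18} {verdicts}")
```

Running it prints `[True, True]` for the security group, `[True, False]` for the bare network ACL, and `[True, True]` once the ephemeral-port reply rule is added, which is exactly the difference that bites people who copy security-group rules into a network ACL one-for-one.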

Policies

Policies are bundles of permissions. Two general categories:

The symmetry here can make things a little muddy. General rules:

So, the way to think of composite policies is basically to sum up the explicitly allowed actions in all policies and then remove the explicitly denied actions. The resulting set should be the actual permissions of a given user/account.

Note that on all (most?) cloud systems, policies only apply to actions, not network traffic.
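The "union the allows, then subtract the denies" rule from above, carried through in code. This is an added example, not from Exam Cram or from any cloud provider's policy engine: the policy documents, the action catalogue, and the simplified `Effect`/`Action` structure are constructed for illustration, and the only wildcard handling is a `*` glob on action names.

```python
"""Effective-permission calculator for allow/deny policy bundles.

Added example (not from Exam Cram or any cloud SDK): it implements the rule
in the notes -- union all explicit allows, then remove explicit denies --
with a small wildcard matcher for action names such as "ec2:Describe*".
The policies and action catalogue below are constructed.
"""
from fnmatch import fnmatchcase

# Constructed policies attached to one principal: an identity policy,
# a group policy, and a guardrail policy with an explicit deny.
USER_POLICIES = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances"]},
    {"Effect": "Deny", "Action": ["ec2:StartInstances", "iam:*"]},
]

# Constructed catalogue of concrete actions to evaluate.
ACTIONS = [
    "s3:GetObject", "s3:ListBucket", "s3:PutObject",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:TerminateInstances",
    "iam:CreateUser",
]


def _matches(patterns, action):
    """True if any policy pattern (with * wildcards) matches the action."""
    return any(fnmatchcase(action, p) for p in patterns)


def effective_permissions(policies, actions):
    """Return the set of actions the principal can actually perform.

    Explicit Deny beats any Allow; an action with no Allow is denied by default.
    """
    allowed = {a for a in actions
               if any(p["Effect"] == "Allow" and _matches(p["Action"], a)
                      for p in policies)}
    denied = {a for a in actions
              if any(p["Effect"] == "Deny" and _matches(p["Action"], a)
                     for p in policies)}
    return allowed - denied


def is_allowed(policies, action):
    """Decide a single action with the same rule."""
    return action in effective_permissions(policies, [action])


if __name__ == "__main__":
    for action in ACTIONS:
        verdict = "ALLOW" if is_allowed(USER_POLICIES, action) else "DENY"
        print(f"{verdict:5} {action}")
```

The interesting rows are `ec2:StartInstances` (allowed by one policy, denied by another, so denied) and `s3:PutObject` (mentioned nowhere, so denied by default); a real policy engine adds resource scoping and conditions on top, but the precedence order is the same.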

Managing Secrets

Basically, use the built-in secrets management functionality of your platform.

Central Logging

Basically, log all the things. But if you can’t log all the things, then log:

Third-Party Cloud Security Solutions

CASB = Cloud Access Security Broker

The use case I’m familiar with for CASBs is controlling SaaS access from corporate networks/devices. This can be extended to the management interface for cloud services. Similar functionality is apparently enabled by services known as “secure web gateways” (SWGs) and “software defined perimeters” (SDPs). Exam Cram is implying here that at least some of these technologies can be layered in front of the relevant application / management interface on the vendor side or via a proxy (in which case the application / management interface would be restricted to only talk to the relevant application IPs).

AWS apparently has a “marketplace” (sounds a bit like the Google Workspace add-ons “marketplace”) that specifically offers integrations with security tools.

“Structural awareness” solutions (protections applied directly to resources/objects):

“Situational awareness” solutions (monitor and respond to events):

TryHackMe: Jr. Penetration Tester

TCP and UDP Ports

Six nmap port states:

Reference:

TCP Flags

Available TCP flags:

Reference:

TCP Connect Scan

TCP connect scans attempt to perform the full three-way handshake for each port, but then immediately tear down the connection using RST/ACK.

Specified using -sT. Slow.

The only scan available for unprivileged users.

Unless -p is specified, only the 1000 most common ports are scanned. If -F is specified, then only the 100 most common ports are scanned.

Nmap normally scans ports in a random order. However, ports are often brought up consecutively, so for freshly booted targets the -r flag (which removes this randomization) can be advisable.

TCP SYN Scan

TCP SYN scans (-sS) are nmap’s default; the scan sends an RST instead of an ACK at the end of the three-way handshake.

Fast. Limited to privileged users.

UDP Scan

UDP scans are specified using -sU.

There is no UDP handshake, but a UDP packet sent to a closed port will generate an ICMP port unreachable packet unless either the UDP packet or ICMP response is blocked by a firewall.

Unfortunately, a UDP packet sent to an open port isn’t guaranteed to generate a reply. Nmap tries to work around this by sending packets that are likely to elicit a response for common protocols, but this is an inexact thing.

Note that -sS and -sU can be specified simultaneously, in which case nmap will perform both scans in parallel.

Fine-Tuning Scope and Performance

Use --top-ports 10 to scan only the ten most common ports.

Timing can be specified with the -T flag, which takes a template number 0 - 5.

-T0 waits 5 minutes between port probes, and is thus not something you’d want to use when scanning a full port range (doing so would take over 7 months!). It is very unlikely to trigger IDS alerts.

-T1 is also slow (but not nearly as slow as -T0!), and is typically used in real engagements.

-T3 is nmap’s default.

-T4 is generally used during CTFs and learning exercises.

-T5 is not recommended, as it scans so fast that packet loss is a distinct possibility.

Packet rate can also be bounded using --min-rate and --max-rate (single numbers representing packets-per-second). The number of parallel probes that nmap will have running at any one time can be bounded using --min-parallelism and --max-parallelism.

TCP Null Scan, FIN Scan, and Xmas Scan

TCP Maimon Scan

-sM - Maimon scan (named after Uriel Maimon); the FIN and ACK TCP flags are set. Should always receive a RST, but some older BSD systems drop the packet on open ports. Of limited modern utility.
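Seen from the target's side, the scan types covered in the TCP connect, SYN, Null/FIN/Xmas, and Maimon sections above are distinguishable by the flag patterns the scanning host sends, and a port scan of any type shows up as one source touching many destination ports. The following is an added example, not from TryHackMe or from nmap: a small classifier that names each probe type from the flags in a (constructed) capture and reports per-source port counts. The record layout `(src, dst, dport, flags)` is an assumption; the Null (no flags), FIN (FIN only), and Xmas (FIN+PSH+URG) flag sets are nmap's documented behaviour, and Maimon is FIN+ACK as described above.

```python
"""Classify TCP probes by flag pattern and flag likely port scans from a capture.

Added example, not from TryHackMe or nmap. It maps the scan types in these
notes (connect, SYN/half-open, Null, FIN, Xmas, Maimon) onto the flag
patterns a sensor sees from the scanning host and then counts distinct
destination ports per source. Packet records and their field layout are
constructed; the Null/FIN/Xmas flag sets are nmap's documented behaviour.
"""
from collections import Counter, defaultdict

# Single-packet probe types, keyed by the flags the scanner sets.
# Letters: S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
PROBE_SIGNATURES = {
    frozenset(): "null",        # no flags at all
    frozenset("F"): "fin",
    frozenset("FPU"): "xmas",
    frozenset("FA"): "maimon",  # FIN+ACK, as described in the notes
}

# Constructed capture: (src, dst, dport, flags) for packets sent BY the source host only.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.20", 22, "S"),
    ("10.0.0.5", "10.0.0.20", 22, "R"),     # RST after the SYN/ACK: half-open probe
    ("10.0.0.5", "10.0.0.20", 80, "S"),
    ("10.0.0.5", "10.0.0.20", 80, "R"),
    ("10.0.0.5", "10.0.0.20", 443, "S"),
    ("10.0.0.5", "10.0.0.20", 443, "R"),
    ("10.0.0.5", "10.0.0.20", 8080, "FA"),  # Maimon probe
    ("10.0.0.5", "10.0.0.20", 25, "FPU"),   # Xmas probe
    ("10.0.0.9", "10.0.0.20", 443, "S"),    # single full handshake ...
    ("10.0.0.9", "10.0.0.20", 443, "A"),
    ("10.0.0.9", "10.0.0.20", 443, "RA"),   # ... then RST/ACK, as a connect scan would send
]


def classify_flow(flag_strings):
    """Name the probe type from the sequence of flag sets one source sent to one port."""
    seq = [frozenset(f) for f in flag_strings]
    if not seq:
        return "other"
    if seq[0] == frozenset("S"):
        rest = seq[1:]
        if any(s == frozenset("A") for s in rest):
            return "connect"          # handshake completed before teardown
        if any("R" in s for s in rest):
            return "syn"              # SYN, then RST: half-open (-sS style)
        return "syn-incomplete"
    if len(seq) == 1:
        return PROBE_SIGNATURES.get(seq[0], "other")
    return "other"


def scan_report(packets, port_threshold=3):
    """Per source: distinct ports touched, probe types seen, and a scan verdict."""
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(flags)
    ports = defaultdict(set)
    types = defaultdict(Counter)
    for (src, _dst, dport), flags in flows.items():
        ports[src].add(dport)
        types[src][classify_flow(flags)] += 1
    return {
        src: {
            "distinct_ports": len(ports[src]),
            "types": dict(types[src]),
            "suspected_scan": len(ports[src]) >= port_threshold,
        }
        for src in ports
    }


if __name__ == "__main__":
    for src, info in scan_report(SAMPLE_CAPTURE).items():
        print(src, info)
```

Note that a single "connect" flow is indistinguishable from a legitimate client that connected and hung up; the port-count threshold, not the flag pattern, is what separates 10.0.0.9 from 10.0.0.5 here. The odd single-packet patterns (null, xmas, maimon) are the opposite case: one such packet is already worth an alert, because no normal TCP stack emits them.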

TCP ACK, Window, and Custom Scan

Reference:

Spoofing and Decoys

Fragmented Packets

Reference:

Idle/Zombie Scan

Reference:

Getting More Details

Summary of Nmap Advanced Port Scans

Service Detection

OS Detection and Traceroute

Nmap Scripting Engine (NSE)

Nmap script categories:

Saving the Output

Summary of Nmap Post Port Scans

Telnet

The default port for telnetd is TCP 23.

Hypertext Transfer Protocol (HTTP)

Minimal valid HTTP request:

GET / HTTP/1.1
host: something

(Note the blank line at the end.)

File Transfer Protocol (FTP)

FTP commands:

Note that you cannot receive files using FTP with telnet/netcat, as file transfers are conducted over a separate channel (either a channel originating from port 20 on the server for “active” mode or a random port above 1023 on the client for “passive” mode).

Simple Mail Transfer Protocol (SMTP)

A set of commands to send an email:

HELO somehostname
MAIL FROM:fromaddress@host1.tld
RCPT TO:toaddress@host2.tld
DATA
To: "To Address" <toaddress@host2.tld>
From: "From Address" <fromaddress@host1.tld>
Subject: An Email
This is content.

Here is another line.
.
QUIT

Note that MAIL FROM / From and RCPT TO / To are not actually required to match, though failure to fill in the MAIL FROM / RCPT TO commands may result in the message being rejected. The commands above are not case-sensitive, and the message ends with a . on a single line.

Post Office Protocol 3 (POP3)

POP3 commands:

Internet Message Access Protocol (IMAP)

IMAP commands are much more complicated than POP3. Some examples:

Here prefix is a random prefix we provide to track server replies to various commands. IMAP accepts a lot of different user authentication methods; LOGIN is just the simplest (and least secure).

Introduction to Attacking Protocols and Servers

The CIA triad has an attacker’s counterpart:

Sniffing Attack

# Quick-n-dirty packet capture
#
sudo tcpdump port $PORT_TO_FILTER_ON -A

The -A flag prints packet contents in ASCII. Wireshark is obviously nicer.

Transport Layer Security (TLS)

SSL/TLS operate on the OSI presentation layer (layer 6).

DoT = DNS-over-TLS

Password Attack

# Generic Hydra invocation
#
hydra -l $USERNAME -P $WORDLIST $SERVER $SERVICE

# For example...
#
hydra -l john \
      -P ~/.local/share/red-team/wordlists/rockyou.txt \
      10.10.10.100 ssh

Additional Hydra options:

Note that Hydra doesn’t stop automatically after a password is found.
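On the receiving end, a wordlist run like the one above leaves a very recognisable trail in the SSH server's auth log: a burst of failures from one address, possibly a success in the middle of it, and (since Hydra keeps going after a hit) more failures after the success. The following is an added example, not from TryHackMe or from Hydra: a detector over constructed sshd log lines that raises those three signals. The log lines, host name, addresses and thresholds are all constructed, and the `sshd` message format assumed is the common "Failed/Accepted password for USER from IP port N ssh2" line.

```python
"""Brute-force indicators from sshd auth-log lines.

Added example (not from TryHackMe or Hydra): parses constructed sshd lines
and raises three signals a password-guessing run produces -- a burst of
failures from one source, a success right after such a burst, and failures
continuing after a success. Thresholds and log lines are constructed.
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (one day, so time-of-day alone orders the events).
SAMPLE_LOG = """\
Apr  2 10:15:01 bastion sshd[4021]: Failed password for john from 10.10.10.200 port 51230 ssh2
Apr  2 10:15:01 bastion sshd[4023]: Failed password for john from 10.10.10.200 port 51231 ssh2
Apr  2 10:15:02 bastion sshd[4025]: Failed password for john from 10.10.10.200 port 51232 ssh2
Apr  2 10:15:02 bastion sshd[4027]: Failed password for john from 10.10.10.200 port 51233 ssh2
Apr  2 10:15:03 bastion sshd[4029]: Failed password for john from 10.10.10.200 port 51234 ssh2
Apr  2 10:15:03 bastion sshd[4031]: Accepted password for john from 10.10.10.200 port 51235 ssh2
Apr  2 10:15:04 bastion sshd[4033]: Failed password for john from 10.10.10.200 port 51236 ssh2
Apr  2 10:20:00 bastion sshd[4100]: Failed password for alice from 192.168.1.7 port 40001 ssh2
Apr  2 10:20:30 bastion sshd[4102]: Accepted password for alice from 192.168.1.7 port 40002 ssh2
"""


def parse(line):
    """Return {"t": seconds since midnight, "result", "user", "ip"} or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"t": t, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, max_failures=5, window_seconds=60, suspicious_failures=3):
    """Return a list of (ip, signal, seconds) alerts in log order."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    last_success = {}               # ip -> timestamp of the most recent accepted login
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["t"]
        recent = failures[ip]
        while recent and t - recent[0] > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(t)
            if len(recent) == max_failures:   # fire once when the burst threshold is reached
                alerts.append((ip, "burst", t))
            if ip in last_success and t - last_success[ip] <= window_seconds:
                alerts.append((ip, "failure_after_success", t))
        else:
            if len(recent) >= suspicious_failures:
                alerts.append((ip, "success_after_failures", t))
            last_success[ip] = t
    return alerts


if __name__ == "__main__":
    for ip, signal, t in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {signal:24} t={t}")
```

Of the three signals, "success_after_failures" is the one to treat as a probable compromise rather than mere noise, and "failure_after_success" is the Hydra-specific tell the note above describes: a human who just logged in does not keep sending wrong passwords. Alice's one typo followed by a login thirty seconds later stays below every threshold.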

Summary of Attacking Protocols and Servers

FTPS uses TCP 990 by default.