Posted in Microsoft

Active Directory 1

Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management take place on each computer, with each computer holding its own information about users and resources. With Active Directory, all computers share the same central database.

The Active Directory structure is a hierarchical framework made up of the following components:

Domain: A domain is an administratively-defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.

  • Database information is replicated (shared or copied) within a domain.
  • Security settings are not shared between domains.
  • Each domain maintains its own set of relationships with other domains.
  • Domains are identified using DNS names. The common name is the domain name itself. The distinguished name includes the DNS context or additional portions of the name.

Depending on the network structure and requirements, the entire network might be represented by a single domain with millions of objects, or the network might require multiple domains.

Objects: Within Active Directory, each resource is identified as an object. Common objects include:

  • Users
  • Groups
  • Computers
  • Shared folders

You should know the following about objects:

  • Each object contains attributes (i.e. information about the object such as a user’s name, phone number, and email address) which are used for locating and securing resources.
  • The schema identifies the object classes (the type of objects) that exist in the tree and the attributes (properties) of the object.
  • Active Directory uses DNS for locating and naming objects.
  • Container objects hold or group other objects, either other containers or leaf objects.

Organizational Unit (OU): An organizational unit is like a folder that subdivides and organizes network resources within a domain. An organizational unit:

  • Is a container object.
  • Can be used to logically organize network resources.
  • Simplifies security administration.

You should know the following about OUs:

  • First-level OUs can be called parents.
  • Second-level OUs can be called children.
  • OUs can contain other OUs or any type of leaf object (e.g. users, computers, and printers).

Generic Containers: Like OUs, generic containers are used to organize Active Directory objects. Generic container objects:

  • Are created by default
  • Cannot be created, moved, renamed, or deleted
  • Have very few editable properties

Trees and Forests: Multiple domains are grouped together in the following relationship:

  • A tree is a group of related domains that share the same contiguous DNS name space.
  • A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces.

Trees and forests have the following characteristics:

  • The forest root domain is the top-level domain in the top tree. It is the first domain created in the Active Directory forest.
  • The tree root domain is the highest level domain in a tree.
  • Each domain in the tree that is connected to the tree root domain is called a child domain.
  • A domain tree is a group of domains based on the same name space. Domains in a tree:
    • Are connected with a two-way transitive trust.
    • Share a common schema.
    • Have common global catalogs.

Domain Controller: A domain controller is a server that holds a writable copy of the Active Directory database. Replication is the process of copying changes to Active Directory between the domain controllers.

Sites and Subnets: Active Directory uses the following two objects to represent the physical structure of the network.

  • A subnet represents a physical network segment. Each subnet possesses its own unique network address space.
  • A site represents a group of well-connected networks (networks that are connected with high-speed links).

You should know the following about sites and subnets:

  • Sites and subnets are used to manage Active Directory replication between locations.
  • All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).
  • Site links are used by Active Directory to build the most efficient replication topology.
  • A site differs from a domain in that it represents the physical structure of your network, while a domain represents the logical structure of your organization.
  • Clients are assigned to sites dynamically according to their Internet Protocol (IP) address and subnet mask.
  • Domain controllers are assigned to sites according to the location of their associated server object in Active Directory.
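The dynamic client-to-site assignment described above (the client's IP address matched against the subnet objects linked to each site) as an added Python example; it is not code from the original page. The site names and subnets are constructed for the illustration. Two details matter in practice and are what the block shows: when nested subnets overlap, the most specific (longest prefix) subnet wins, and a client that matches no subnet object is worth reporting, because it will pick an arbitrary domain controller instead of a local one.

```python
"""Resolve which Active Directory site a client belongs to from its IP address.

Added example, not code from the original page. AD assigns a client to a site
by matching the client's IP address against the subnet objects linked to each
site; when several subnets contain the address, the longest prefix wins.
The site/subnet table below is constructed for the example."""
import ipaddress

# Constructed sample data: subnet objects and the site each one is linked to.
SITE_SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Branch-Jakarta",
    "10.20.5.0/24": "Branch-Jakarta-Lab",      # nested inside 10.20.0.0/16
    "192.168.100.0/24": "Datacenter",
    "2001:db8:10::/48": "Datacenter",
}


def build_subnet_table(mapping):
    """Parse the subnet strings once and sort most-specific first, so the
    first hit during lookup is the longest-prefix match."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_client(ip, table):
    """Return the site name for a client address, or None when no registered
    subnet object contains it."""
    addr = ipaddress.ip_address(str(ip))
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def site_for_client_with_mask(ip, mask, table):
    """Same lookup starting from the address/mask pair a client reports,
    e.g. 10.20.5.77 with 255.255.255.0."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    return site_for_client(iface.ip, table)


def unmatched_clients(ips, table):
    """Clients outside every registered subnet: the check an administrator
    runs to find subnet objects that still need to be created."""
    return [ip for ip in ips if site_for_client(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    for client in ["10.20.5.77", "10.20.9.1", "10.99.1.1", "172.16.0.5", "2001:db8:10::5"]:
        print(client, "->", site_for_client(client, table))
    print("unmatched:", unmatched_clients(["10.1.1.1", "172.16.0.5"], table))
```

The sort by prefix length is what makes the nested 10.20.5.0/24 entry win over 10.20.0.0/16 and 10.0.0.0/8; without it a client in the lab subnet would be placed in whichever site happened to be listed first.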

The Active Directory database is stored in a file called NTDS.dit, the physical database file in which all directory data is kept. This file consists of three internal tables:

  • The data table contains all the information in the Active Directory data store: users, groups, application-specific data, and any other data that is stored in Active Directory after its installation.
  • The link table contains data that represents linked attributes, which contain values that refer to other objects in Active Directory.
  • The security descriptor (SD) table contains data that represents inherited security descriptors for each object.

Global Catalog: The Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of the Global Catalog is a global catalog server. The Global Catalog facilitates faster searches because different domain controllers do not have to be referenced.

Operations Master Roles: Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to a domain controller in the domain or forest. Operations master roles are useful because certain domain and enterprise-wide operations are not well suited for the multi-master replication performed by Active Directory to replicate objects and attributes. A domain controller that performs an operations master role is known as an operations master or operations master role owner.

The following roles are forest roles, meaning that one domain controller within the entire forest holds the role:

  • The schema master maintains the Active Directory schema for the forest.
  • The domain naming master adds new domains to and removes existing domains from the forest.

The following roles are domain roles, meaning that one domain controller in each domain holds the role:

  • The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that are used by the domain controller when creating new security principals (such as user, group, or computer accounts).
  • The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) and performs other tasks normally associated with NT domain controllers.
  • The infrastructure master is responsible for updating changes made to objects.

As you install or remove domain controllers, you will need to be aware of which domain controllers hold these roles.

Functional Level: A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines:

  • Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
  • Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and servers that are joined to the domain or forest.

Windows Server 2008 supports the following domain functional levels:

  • Windows 2000 Native
  • Windows Server 2003
  • Windows Server 2008

Windows Server 2008 supports the following forest functional levels:

  • Windows 2000
  • Windows Server 2003
  • Windows Server 2008

Note: You cannot have Windows NT domain controllers and Windows Server 2008 domain controllers in the same forest.

Group Policy: A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.

Group Policy is an important component of Active Directory because through Group Policy you can centrally manage and enforce desktop and other settings for users and computers within your organization. For example, with Group Policy you can:

  • Enforce a common desktop for users
  • Remove desktop components, such as preventing access to the Control Panel
  • Restrict what actions users can perform, such as preventing users from shutting down the system
  • Automatically install software
  • Dynamically set registry settings required by applications

Active Directory Server Roles

An Active Directory server role is a logical grouping of features and services that are required to perform a specific function in the Active Directory environment. Prior to Windows Server 2008, some Active Directory server roles were not incorporated into Active Directory; rather, they were available as Microsoft downloads. Functionality and services are added to your server by adding the following:

  • A role is a set of software features that provides a specific server function. Examples of roles include DNS server, DHCP server, File Server, and Print Server.
  • Role services are specific programs that provide the functions of a role. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. You can think of a role as a group of programs, with each role service being a sub-component of the role.
  • A feature is a software program not directly related to a server role but which adds functionality to the entire server. Features include management tools, communication protocols or clients, and clustering support.

The Active Directory server roles are described in the following table:

Active Directory Domain Services (AD DS): AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. The AD DS role:

  • Helps administrators securely manage information.
  • Facilitates resource sharing and collaboration between users.
  • Must be installed on the network before directory-enabled applications such as Microsoft Exchange Server can be installed, and before other Windows Server technologies, such as Group Policy, can be applied.

Active Directory Lightweight Directory Services (AD LDS): Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that you can use to create a directory store (database) for use by directory-enabled applications. AD LDS is very similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.

Active Directory Federation Services (AD FS): AD FS is a feature which enables secure access to web applications outside of a user’s home domain or forest. The AD FS role:

  • Provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account.
  • Securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.

Active Directory Rights Management Services (AD RMS): AD RMS is a feature which safeguards digital information from unauthorized use. The AD RMS role:

  • Can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions.
  • Allows organizations to create custom usage rights templates (such as “Confidential – Read Only”) that can be applied directly to information such as product specifications, financial reports, e-mail messages, and customer data.

Active Directory Certificate Services (AD CS): AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. The AD CS role:

  • Provides customizable services for creating and managing public key certificates.
  • Enhances security by binding the identity of a person, device, or service to a corresponding private key.
  • Includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

AD CS supports:

  • Digital signatures
  • Encrypting File System (EFS)
  • Internet Protocol security (IPsec)
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Secure Socket Layer/Transport Layer Security (SSL/TLS)
  • Secure wireless networks
  • Smart card logon
  • Virtual Private Networks (VPN)

Note: All roles except AD FS are supported on the Standard, Datacenter, and Enterprise editions of Windows Server 2008. AD FS requires the Datacenter or Enterprise edition for deployment.

Server Core is a minimal server installation option which provides a low-maintenance version of Windows Server 2008. Be aware of the following when using Server Core:

  • The server core interface has limited GUI support, with most tasks being performed only from a command prompt.
  • You can only perform a clean installation of server core; you cannot upgrade to or from server core.
  • Server core can only run a limited set of server roles:
    • Active Directory
    • Active Directory Lightweight Directory Services (AD LDS)
    • Dynamic Host Configuration Protocol (DHCP) Server
    • DNS Server
    • File Server
    • Print Server
    • Media Services
    • Web Server (IIS)
  • Server core has the following limitations:
    • There is no Windows Shell.
    • There is no managed code support (no .NET framework). All code has to be native Windows API code.
    • There is only MSI support for unattended mode installs.
  • To manage a server core system:
    • Log on and use the command prompt.
    • Log on using Remote Desktop to gain access to the command prompt.
    • Use Windows Remote Shell (winrm).
    • Run Server Manager or another tool on another computer and connect to the server core system. This method allows you to use a GUI interface for managing the server core system.
  • Run oclist to see a list of roles, role services, and features that can be installed on server core.
  • Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.


Posted in Security

Security Analysis Notes

Security Analysis

1. Need for Security Analysis
    * Confidentiality 
        - Data classification 
        - Encryption 
        - Equipment disposal 
    * Integrity    
        - Checksum 
        - Access Control 
    * Authentication 
    * Authorization 
    * Availability 
    * Non-repudiation 
        - Digital signatures 
        - Confirmation services 
            ! Prone to phishing / MITM 
            ! Fake digital signature : Stolen private key 
    * Security Analysis 
    * Popular security threats 
        ! Data loss 
        ! Theft 
        ! Fraud/Forgery 
        ! Unauthorized information access 
        ! Interception/Modification of Data 
    * New exploits are being discovered as frequently as every 4 hours 
    * Data breach risk calculator tool
    * Threat : Intentional / Accidental 
        Type : Physical damage, natural events, loss of essential services (electrical power/AC), compromise of information (eavesdropping), technical failures (equipment, capacity), compromise of functions (error in use, denial of actions)
        Origin : Deliberate, Accidental, Environmental, Negligence 
        Human : Deliberate (Disgruntled employee), Accidental(lack of knowledge)
    * Risk : potential of losing something of value 
    * Threat : Function of enemy capability to attack 
        Threat = (Capability) X (Intent)
    * Risk : Function of the probability that you will be involved in an attack 
        Risk = (Probability) X (Harm)
        Risk (to an asset) = Threat x Vulnerability x Impact / Consequence 
    * Asset 
    * Calculating Risk = Threat, Vulnerability, Risk 
    * Risk Assessment 
    * Information security awareness 
    * Security policies : a document / set of documents that describes the security controls that will be implemented by the company 
    * Promiscuous Policy : No restrictions on Internet / Remote Access 
    * Permissive Policy : Known dangerous services/attacks blocked, policy begins wide open, known holes plugged/known dangers stopped 
    * Prudent Policy : Provides maximum security while allowing known, but necessary, dangers; all services are blocked, nothing is allowed, everything is logged 
    * Paranoid Policy : Everything is forbidden, no Internet connection
    * Acceptable use policy 
    * Data Classification Policy : High risk, confidential, public 
    * Intrusion Detection Policy 
    * Virus Prevention Policy 
    * Other Policies 
    * FACTA & ISO 
        - Class Details 
            - FACTA/Fair & Accurate Credit Transactions Act of 2003 
                - FACTA continued 
                - FCRA act 
            - ISO 17799 
                - ISO 
            - Domains of ISO 17799 
        - FACTA : amendment to FCRA that was added, primarily, to protect consumers from identity theft 
        - The Act stipulates requirements for information privacy, accuracy and disposal and limits the ways consumer information can be shared 
        - FACTA is a US Federal Law 
        - Passed by US Congress on November 22, 2003 
        - Allows consumers to request and obtain free credit report once every twelve months 
        - FACTA categories 
            a. Data classification
            b. Prevention, as well as detection 
            c. Consumer request policies 
            d. Consumer notification 
            e. Employment policies and procedures 
            f. Data destruction policies 
    * ISO 17799 
        a set of recommendations organized into 10 major sections covering all facets of information systems policies and procedures. Many organizations and consulting firms use ISO 17799 as the baseline for policy best practices 
        - Security policy 
            Input into security management from top down 
        - Organizational security 
            Focuses on internal and external management 
        - Asset Classification and control 
            Focuses on organizing, prioritizing, and classifying information based on sensitivity 
        - Personnel security 
        - Physical and environmental security 
        - Communications and operations management 
        - Access control 
        - System development and maintenance 
        - Business continuity management 
        - Compliance     
            Covers law and legislation from a state, local and federal standpoint 
    * US Legislation 
        - California SB 1386 
            Bill passed by California Legislature 
        - Sarbanes-Oxley 2002 
            - U.S. Congress, to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise
            - Introduced due to Enron Case 
            - Big Six accounting firms had on larger corporation 
        - Gramm-Leach-Bliley Act(GLBA)
            - Eases the transfer of financial information between institutions and banks 
            - Protecting consumers' personal financial information 
        - Health Insurance Portability and Accountability Act (HIPAA)
            - Administrative safeguards to protect the integrity, availability, and confidentiality of health information 
        - Family Educational Rights and Privacy Act (FERPA)
            - Protect privacy of student education records
        - Payment Card Industry Data Security Standard (PCI DSS)
            - is a set of guidelines, measures and controls that were established to assist merchants
            - Implements strong security precautions to ensure safe credit card usage and secure information storage 
        - USA Patriot Act 2001 
            - Wiretap orders can now be obtained 
            - ISP may volunteer information 
            - Mailbox information can be obtained by subpoena rather than wiretap order 
2. TCP/IP Packet Analysis
        * TCP Protocol 
            - Defined by IETF in RFC 793
            - Connection-oriented 
            - Manages flow control (sliding windows)
            - Windowing is a flow control mechanism 
                - Simplex / Half-duplex / Full-duplex
            - Sequencing numbers and ack (reliable)
        * TCP/IP Layers 
            Application layer 
            Transport layer         -> Protocols | Tools 
            Internet layer (IP, ICMP, IGMP)
            Network access layer (PPP, Ethernet, interface drivers)
        * TCP Flags 
            - ACK(A)
                to ack the receipt of data from sender. "piggybacked" with other flags 
            - SYN(S)
                Session establishment request, first part of any TCP connection 
            - FIN(F)
                The sender's intention to gracefully terminate the sending host's connection to the receiving host 
            - RESET(R)
                The sender's intention to immediately abort the existing connection with the receiving host 
            - PUSH(P)
                Immediately "pushes" data from the sending host to the receiving host's application software 
            - URGENT(U)
                Urgent data 
            - Placeholder 
                If a segment has none of the SYN, FIN, RESET, or PUSH flags set, a placeholder (a period) is shown after the destination port 
            - IP protocol numbers: TCP = 6, UDP = 17 
        * UDP : TFTP, SNMP, DHCP (67,68), DNS. RFC 1350 
            NMS: network management station 
        * Port number = 16 bit 
        * IPv4 header : laid out in 32-bit words; the header length field stores the length of the IP header 
          Type of service (TOS): provides network service parameters 
          Datagram size: contains the combined data and header length 
          Flags: fragmentation by routers is controlled by three flags 
          Fragmentation offset: identifies a fragment via its offset value 
          TTL: total number of routers the packet is allowed to pass through 
        * IPv6 Security issues 
            - Dual-stack related issues, header manipulation (IPSec), flooding (scanning IPv6)
        * Security flaws in IPv6     
            - Trespassing : easy for an attacker to get information 
            - Bypassing filtering devices : chances of attackers hiding traffic
            - DOS : DOS attack using the same links 
            - Anycast : the Routing Header 0 feature of IPv6 can single out all instances of an anycast service 
            - IPv6 puts IPv4 at risk : 
        * Security vulnerabilities : 
            * Routing Header Type 0 (RH0)
            - IPv6 uses a minimalist standard packet header 
            - Potential DOS 
            * IPv6 Neighbor Discovery (ND)
            - Attackers who gain access to a target's LAN can launch Rogue Router Advertisements (RAs)
            - Launch DOS 
        * IPSec 1 
            - IETF 
            - Secure transmission 
            - Protect and authenticates IP packet 
                - Data confidentiality 
                - Data integrity 
                - Data origin authentication 
                - Anti replay 
            - Consist of header and payload 
            - Data is encrypted 
            - 2 Modes of operation 
                1. Transport Mode 
                    - Source & Dest hosts must directly perform all cryptographic operations 
                    - Data sent through a single tunnel 
                    - Establishes end-to-end security 
                2. Tunnel Mode 
                    - Special gateways perform cryptographic processing 
                    - Many Tunnels to establish gateway-to-gateway security 
            - Data packet encodings (DPE)
                - AH & ESP 
            - Packet Filtering 
            - IPv6 firewalling 
            - SYN flooding = DOS 
            - TCP/IP Control Messages : Network congestion, 
            - ICMP redirect Type = 5 
              ICMP Time Exceeded Type = 11 
              ICMP Parameter problem Type = 12 
            * ICMP codes 
              Type   Code   Description                            Query/Error 
               0     0      Echo reply (PING)                      Query 
               3     1      Host unreachable                       Error 
               3     3      Port unreachable (TRACEROUTE)          Query 
               8     0      Echo request (PING)                    Query 
              11     0      Time to live equals 0 in transit       Error 
              12     0      Bad IP header                          Error 
              13     0      Timestamp request                      Query 
              14     0      Timestamp reply                        Query 
            * ICMP messages 
                - Error-reporting messages 
                    Type       Message 
                    3          Destination unreachable 
                    4          Source quench 
                    11         Time exceeded 
                    12         Parameter problem 
                    5          Redirection 
                - Query messages 
                    8 or 0     Echo request or reply 
                    13 or 14   Timestamp request or reply 
                    17 or 18   Address mask request or reply 
                    10 or 9    Router solicitation or advertisement 
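The header fields and flag conventions from the TCP, IPv4 and ICMP notes above, decoded in one place as an added Python example (not code from the original notes). It parses the IPv4 header (IHL in 32-bit words, TOS, total length, DF/MF flags, fragment offset in 8-byte units, TTL, protocol number 6/17/1), then the transport header the protocol number selects: the TCP flag string with the "." placeholder when none of SYN/FIN/RESET/PUSH is set, UDP ports, or the ICMP type/code with the query-vs-error class the ICMP tables give it. The sample packets are constructed inline with struct, with checksums left at zero, which is an assumption of the example and not something a real stack would accept.

```python
"""Decode an IPv4 packet and its transport header the way a packet analyst
reads a capture.  Added example, not code from the original notes.  The sample
packets are constructed with struct so the block runs offline; their checksums
are left at zero (a deliberate simplification, not valid on the wire)."""
import struct

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IP protocol numbers

# ICMP types from the notes, with the query/error class the notes give them.
ICMP_TYPES = {
    0: ("Echo reply", "query"),            3: ("Destination unreachable", "error"),
    4: ("Source quench", "error"),         5: ("Redirect", "error"),
    8: ("Echo request", "query"),          9: ("Router advertisement", "query"),
    10: ("Router solicitation", "query"),  11: ("Time exceeded", "error"),
    12: ("Parameter problem", "error"),    13: ("Timestamp request", "query"),
    14: ("Timestamp reply", "query"),      17: ("Address mask request", "query"),
    18: ("Address mask reply", "query"),
}
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header (RFC 791 layout); IHL counts 32-bit words."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hdr_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "tos": tos, "total_length": total_len, "id": ident, "ttl": ttl,
        "flags": {"DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000)},
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset is in 8-byte units
        "protocol": IP_PROTO.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": pkt[hdr_len:total_len],
    }


def tcp_flag_string(flags: int) -> str:
    """Letters for the set SYN/FIN/RST/PSH flags, or "." when none is set:
    the placeholder the notes describe (a pure ACK segment)."""
    letters = "".join(ch for ch, bit in (("S", SYN), ("F", FIN), ("R", RST), ("P", PSH)) if flags & bit)
    return letters or "."


def parse_tcp(seg: bytes) -> dict:
    """Parse the 20-byte fixed TCP header (RFC 793); ports are 16-bit."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urgp = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
            "flags": tcp_flag_string(flags), "ack_set": bool(flags & ACK),
            "urg_set": bool(flags & URG), "payload": seg[data_offset:]}


def parse_udp(dg: bytes) -> dict:
    sport, dport, length, _csum = struct.unpack("!HHHH", dg[:8])
    return {"src_port": sport, "dst_port": dport, "length": length, "payload": dg[8:length]}


def parse_icmp(msg: bytes) -> dict:
    typ, code, _csum = struct.unpack("!BBH", msg[:4])
    name, kind = ICMP_TYPES.get(typ, ("unknown", "unknown"))
    return {"type": typ, "code": code, "name": name, "kind": kind}


def decode(pkt: bytes) -> dict:
    """IP header plus the transport header selected by the protocol number."""
    ip = parse_ipv4(pkt)
    parser = {"TCP": parse_tcp, "UDP": parse_udp, "ICMP": parse_icmp}.get(ip["protocol"])
    return {"ip": ip, "transport": parser(ip["payload"]) if parser else None}


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test packet: DF set, id 0x1234, checksum left at zero."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def tcp_segment(sport: int, dport: int, flags: int, seq: int = 1000, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header (data offset 5 words, checksum zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


# Constructed samples: a SYN, a pure ACK, an ICMP echo request and a DNS query.
SAMPLE_SYN = build_ipv4(6, "10.0.0.5", "10.0.0.80", tcp_segment(40000, 80, SYN))
SAMPLE_ACK = build_ipv4(6, "10.0.0.5", "10.0.0.80", tcp_segment(40000, 80, ACK, ack=2001))
SAMPLE_ICMP = build_ipv4(1, "10.0.0.5", "10.0.0.1", struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abc")
SAMPLE_UDP = build_ipv4(17, "10.0.0.5", "10.0.0.53", struct.pack("!HHHH", 53000, 53, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("SYN", SAMPLE_SYN), ("ACK", SAMPLE_ACK), ("ICMP", SAMPLE_ICMP), ("UDP", SAMPLE_UDP)):
        d = decode(pkt)
        print(name, d["ip"]["src"], "->", d["ip"]["dst"], d["ip"]["protocol"], d["transport"])
```

Running it prints the four constructed packets; the SYN decodes with flag string "S", the pure ACK with the "." placeholder, the echo request as type 8 / "query", and the UDP datagram with destination port 53. Extending the parser to real captures means validating the header checksums and handling IP options (IHL greater than 5), which the sample packets do not exercise.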
3. Penetration Testing Methodologies
        * Need for Pen-Testing : To provide a better return on IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses 
        * Pentest Techniques : 
            - Passive research : to gather information 
            - Open source monitoring : facilitates an org to take necessary steps to ensure its confidentiality and integrity 
            - Network mapping and OS fingerprinting 
            - Spoofing : using one machine to pretend to be another 
            - Network sniffing 
            - Trojan attacks 
            - a brute force attack 
            - vulnerability scanning 
        * App Security Assessment
            - To identify and assess threats to the organization through bespoke, proprietary applications / systems 
            - This test checks the application so that a malicious user cannot access, modify, or destroy data or services within the system 
                a. Source code review 
                b. Authorization testing 
                c. Functionality testing 
                d. Web penetration testing 
        * Network Security Assessment 
        * Wireless / Remote Access Assessment
        * Telephony Security Assessment 
        * Social Engineering / People hacking 
        * Skill sets for pen-testing 
            - Windows, Unix, Linux 
            - C,C++,C#,Java,PHP,Perl,Python 
            - Networking tools (Nessus, nmap, Burp)
            - Computer hardware and software 
            - Web-based applications 
            - Security frameworks (ISO 27001/27002, NIST, HIPAA, SOX)
            - Security tools (Fortify, AppScan)
            - Vulnerability analysis and reverse engineering 
            - Metasploit framework 
            - Forensic tools 
            - Cryptography principles 
            - Methodology : OSSTMM, CHECK, OWASP 
        * Pen-testing methodology 
            a. Network Security 
                - Network Surveying 
                - Port Scanning 
                - System identification 
                - Services Identification 
                - Vulnerability research & verification 
                - Application testing & code review 
                - Router testing 
                - Firewall testing 
                - IDS testing 
                - Trusted system testing 
                - password cracking 
                - DOS testing 
                - Containment measures testing 
            b. Information Security 
                - Document grinding 
                - Competitive intelligence scouting 
                - Privacy Review 
            c. Social Engineering 
                - Request Testing 
                - Guided Suggestion Testing 
                - Trust testing 
            d. Wireless Security 
                - Wireless networks testing 
                - Cordless Communications testing 
                - Privacy Review 
                - Infrared systems testing 
            e. Communications Security 
                - PBX Testing 
                - Voicemail testing 
                - FAX review 
                - Modem testing 
            f. Physical Security 
                - Access controls testing 
                - Perimeter review 
                - Monitoring review 
                - Alarm response testing 
                - Location review 
                - Environment review 
        * Pen Test Methodologies List 
            - IBM 
            - ISS
            - Found Stone 
            - Ec-council's LPT 
        * Open source and public 
            - OSSTMM 
            - CISSP and CISA and CHECK 
            - OWASP 
        * Pen-Testing Roadmap 
            - Start 
            - Information gathering 
            - Vulnerability Analysis 
            - External Pen-Testing
            - Internal Pen-Testing 
            - Router and switch pen-testing 
            - Firewall pen-testing 
            - IDS pen-testing 
            - Wireless network pen-testing 
            - DOS pen-testing 
            - Password cracking pen-testing 
            - social engineering pen-testing 
            - Stolen laptops, PDAs and cell phones 
            - Application pen-testing 
            - Physical security pen-testing 
            - Database pen-testing 
            - VoIP pen-testing 
            - VPN pen-testing 
            - War Dialing 
            - Virus & Trojan Detection 
            - Log Management Pen-testing 
            - File Integrity checking 
            - Bluetooth & handheld device pen-testing 
            - Telco & broadband communication 
            - Email security 
            - Security patches 
            - Data leakage 
        * ROI on Penetration Testing 
            - ROI : traditional financial measure based on historic data 
            - ROI metrics include : 
                - Payback period: The amount of time required for the benefits to pay back the cost of the project 
                - Net present value (NPV): The value of future benefits reported in terms of today's money 
                - Internal rate of return(IRR): The benefits reported as an interest rate 
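The three ROI metrics listed above, computed for a pentest programme as an added Python example that is not part of the original notes. It also reuses the notes' earlier formula Risk = Probability x Harm (section 1) to derive the yearly benefit: the expected annual loss a control removes. All figures are constructed for the illustration (a 50,000 programme that halves a 0.10 yearly breach probability against a 400,000 harm, over four years, discounted at 10%); IRR is found by bisection on the NPV curve, which is the only part that is not a single formula.

```python
"""Payback period, NPV and IRR for a security investment, with the yearly
benefit derived from Risk = Probability x Harm.  Added example, not from the
original notes; every figure below is constructed."""


def expected_annual_loss(probability, harm):
    """Risk = Probability x Harm, expressed as money lost per year."""
    return probability * harm


def yearly_benefit(p_before, p_after, harm):
    """A control's benefit is the risk it removes: EAL before minus EAL after."""
    return expected_annual_loss(p_before, harm) - expected_annual_loss(p_after, harm)


def payback_period(cost, benefits):
    """Years until cumulative benefits repay the cost, assuming benefits accrue
    evenly within each year; None if the cost is never repaid."""
    remaining = cost
    for year, benefit in enumerate(benefits, start=1):
        if benefit >= remaining:
            return (year - 1) + remaining / benefit
        remaining -= benefit
    return None


def npv(rate, cost, benefits):
    """Net present value: each year's benefit discounted to today's money,
    minus the up-front cost."""
    return -cost + sum(b / (1 + rate) ** t for t, b in enumerate(benefits, start=1))


def irr(cost, benefits, lo=-0.99, hi=10.0, iterations=200):
    """Internal rate of return: the discount rate at which NPV is zero.  With an
    up-front cost followed by benefits, NPV falls as the rate rises, so
    bisection on the sign of NPV converges; None if NPV never changes sign."""
    if npv(lo, cost, benefits) * npv(hi, cost, benefits) > 0:
        return None
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if npv(mid, cost, benefits) > 0:
            lo = mid      # NPV still positive: the rate is too low
        else:
            hi = mid
    return (lo + hi) / 2


def roi_summary(cost, p_before, p_after, harm, years, discount_rate):
    """All three metrics for a control with a constant yearly benefit."""
    benefits = [yearly_benefit(p_before, p_after, harm)] * years
    return {"yearly_benefit": benefits[0],
            "payback_years": payback_period(cost, benefits),
            "npv": npv(discount_rate, cost, benefits),
            "irr": irr(cost, benefits)}


if __name__ == "__main__":
    # Constructed scenario: 50,000 programme, breach probability 0.10 -> 0.05,
    # harm 400,000, four years, 10% discount rate.
    for key, value in roi_summary(50_000, 0.10, 0.05, 400_000, 4, 0.10).items():
        print(f"{key:>14}: {value:,.4f}" if isinstance(value, float) else f"{key:>14}: {value}")
```

For the constructed scenario the yearly benefit is 20,000, the cost is repaid after 2.5 years, NPV at 10% is about 13,397, and the IRR is roughly 22%. The discount rate and the before/after probabilities are the inputs most worth challenging in a real ROSI case, since the whole result rests on them.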
4. Customer and Legal Agreements    
        *    Types of Pen- Testing 
                * Black Box Pen-Testing 
                    - No prior knowledge of the infrastructure to be tested 
                    - You will be given just a company name 
                    - Penetration test must be carried out after extensive information gathering and research 
                    - Time-consuming and expensive type of test 
                * White Box 
                    - You will be given the company infrastructure 
                    - Network type 
                    - Current security implementations 
                    - IP address / firewall / IDS details 
                    - Company policies: do's and don'ts 
                * Gray Box 
                    - The tester has limited knowledge of information 
        * Legal Consequences 
        * Get out of jail free card 
            - For software review / decompiling, make sure that the copyright to the software permits (or does not prohibit) reverse engineering or code review
            - Get out of jail free card : a legal agreement signed by an authorized representative of the organization
            - The agreement outlines the types of activities to be performed and indemnifies the tester against any loss / damage that may result from the testing
            - Example:
        * Confidentiality and NDA Agreements
        * NDA (Non-Disclosure and Secrecy Agreements)
            - Protect an organization's confidential information during business dealings with customers, suppliers, employees
        * Liability issues
            Civil wrong (tort) : a wrongful act that causes loss or harm
5. Rules of Engagement
        * Rules of Engagement 
            - Formal permission to conduct a pen test
            - Provides certain rights and restrictions to the test team
            - Helps testers to overcome legal, federal, and policy-related restrictions
            - Defines how the testing is to occur
            - It is formal permission to conduct the pen test, obtained before starting
            - The rules of engagement (ROE) template will help you organize and prepare the penetration testing methodology
        * ROE key Elements 
            - Introduction 
                a. Purpose 
                b. Scope 
                c. Assumptions and Limitations
                d. Risks 
                e. Document structure 
            - Logistics 
                a. Personnel 
                b. Test schedule 
                c. Test site 
                d. Test equipment 
            - Communications Strategy 
                a. General communication 
                b. Incident Handling and response
            - Target System / Network 
            - Testing Execution 
                a. Nontechnical test components 
                b. Technical test components 
                c. Data Handling 
            - Reporting 
            - Signature Page 
        * Clauses in ROE 
            - List of allowed and prohibited activities
            - Explicitly prohibit some activities that might cause risk to the system
            - ROE protects the penetration testing team
            - Test scope, limitations and other activities for protecting the test team
            - Authorization of penetration testers for systems and network testing
            - Details about the level and reach of the penetration test
            - Definition of the different types of allowed testing techniques
            - ROE Activities :
                a. Port and service identification
                b. Vulnerability scanning
                c. Security configuration review
                d. Password cracking
            - ROE Information
                a. How data is treated throughout and after the test
                b. How data should be transmitted during and after the test
                c. Techniques for removing data from systems upon termination of the test
                d. Clear guidance on incident handling
6. Penetration Testing Planning and Scheduling
        * IEEE Standards
        * IEEE Std. 829-1998 sections
            a. Test plan identifier 
                - A unique label so you can refer to that document
            b. Introduction 
                - Outlines what is to be tested 
                - The top level test plan should point to related documents 
                - Lower-level plans should point to their parents 
            c. Test items 
                - What is to be tested 
                - Be explicit about version 
                - How to get the test items into the test environment 
                - Point to whatever documentation of the test items 
            d. Features to be tested 
            e. Features not to be tested 
            f. Approach 
            g. Item pass/fail criteria 
            h. Suspension criteria and resumption requirements 
            i. Test deliverables 
            j. Testing tasks 
            k. Test environmental needs
            l. Responsibilities 
            m. Staff and training needs 
            n. Schedule 
            o. Risk and contingencies 
            p. Approvals 
        * Tiger team 
            - CPO (Chief penetration tester)
            - DBA and App Expert 
            - Networking expert 
            - Ethical hacker 
            - Data analyst 
            - Project manager 
            - Report and documentation writer 
        * Pen test project scheduling tools 
            a. Easy schedule maker : 
            b. Fast track schedule : 
            c. : 
            d. ManagePro : 
            e. Microsoft Project : 
            f. Niku : 
            g. OpenAir : 
            h. Planview : 
7. Pre Penetration Testing Steps
        * NDA : an agreement that contains confidential information
        * Port scanner = nmap, firewalk, superscan
          Vul scanner = Nessus, SAINTexploit, metasploit, x-scan
          App scanner = appscan, webinspect
          Firewall tools = firestarter, fwlogwatch
          Sniffer = wireshark, kismet
          Fingerprint = queso, siphon-v.666, winfingerprint
          Hijacking = sw-mitm
          HTML tools = websnake
          IDS = AIDE, hostsentry, logcheck, portsentry, snort, swatch, tripwire
          Misc = copernic, genius, ucd-snmp
          NetBIOS = enum, nbnbs, netbios auditing tool
          Network management = analyzer, cheops, ciscoconf, ip-watcher, ipaudit, iplog, netsaint, sting
          NT-specific = eldump, netview, wsses
          Password = chklock, makepwl, zippassword
          Packet = isic, nemesis, neotrace, sendip
          Phone = THC-PBX, toneloc
          Ping = icmp query, sping, netping, visual route
          Promiscuous mode = commview, sentinel
          Steganography = blindside, gifshuffle, hide4pgp, jphide, jpseek, steganoGifPaletteOrder, steganos, stego, wbstego
8. Information Gathering
        * BuiltWith : find out what websites are built with
        * Intelius and EDGAR database
        * Mirror the pages 
            - HTTrack Website copier offline browser 
            - Webcrawl 
            - cURL and Libcurl 
            - w3mir
            - Web copier 
            - Folder Synchronization tools 
            - File dog 
            - Blackwidow 
        * Mirror the FTP Site 
            - FTPCopy 
            - FTP Mirror Manager 
            - GetRight 
            - FTP Mirror Tracker 
            - Auto FTP Manager 
        * WHOIS Database 
            - WHOIS 
            - Sam spade
            - Net scan tools 
            - WhereisIP 
            - LOKBOX 
            - Active Whois 
            - Email spider
            - Google search = "company name + partners + project + press release"
            - Trade association directory
        * Link popularity
        * Price of product / service : shopbot, bizrate, yahoo shopping, pronto
        * Geographical Location : MapQuest, openstreetmap, mapbox, wikimapia map, waze map
        * Wayback Machine
        * Job Posting : indeed, simply hired, glassdoor, careerbuilder, monster, flexjobs, dice
        * Background check on the company
        * domainresearchtool
        * EDGAR database
        * Business reports
        * dnsstuff
        * ghdb.php
9. Vulnerability Analysis
        * Vulnerability Assessment : the process of identifying, quantifying, and prioritizing/ranking the vulnerabilities in a system 
        * Vulnerability Classification : 
            - Misconfigurations 
            - Default installations 
            - Buffer overflows 
            - Unpatched servers
            - Default passwords 
            - Open services 
            - Application flaws 
        * Types of Vulnerability Assessment 
            a. Active Assessment : scans the network using a network scanner to find hosts, services, and vulnerabilities
            b. Passive Assessment : sniffs the network traffic to find active systems, network services, applications, and vulnerabilities present
            c. Internal Assessment : scans the internal infrastructure to find exploits and vulnerabilities
            d. Host-based Assessment : a security check that carries out a configuration-level test through the command line
            e. External Assessment :
            f. Application Assessment : tests the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities
            g. Wireless Network Assessments : determine and track all the wireless networks present on the client's side
            h. Network Assessments : 
        * Timeline : Gantt project 
        * Types of Vul Assessment Tools 
            a. Host Based VA Tools : OS running, common app and services 
            b. Application Layer VA Tools 
            c. Scope Assessment Tools : 
            d. Depth Assessment Tools : tools that find and identify previously unknown vulnerabilities in a system / fuzzers
            e. Active/Passive Tools : an active scan consumes resources on the network. A passive scan only observes system data and performs data processing
            f. Location/data examined Tools : 
                - Network based scanner 
                - Agent-based scanner 
                - Proxy scanner 
                - Cluster scanner 
        * TOOLS : 
            + Nessus 
                - Misconfiguration : open mail relay, missing patches
                - Default passwords. Hydra to launch a dictionary attack
                - DoS against the TCP/IP stack by using malformed packets
                - Preparation for PCI DSS audits
            + QualysGuard 
            - Cycorp Cycsecure 
            + eEye Retina Network 
            - Foundstone Professional Scanner 
            + GFI LANguard Network security scanner 
            - ISS Internet Scanner 
            - SAINT Vulnerability Scanner 
            - Symantec NetRecon Scanner 
            + Shadow Security Scanner
            - Microsoft Baseline Security Analyzer (MBSA)
            - SPIKE Proxy 
            - NMAP 
            - Winfingerprint 
            - Security Auditor's Research Assistant (SARA)
            - Tiger analytical research assistant (TARA)
            - CIS Benchmarks/security tools 
        * Security Vulnerability report and summary report 
        * Standard report / Differential report 
        * Automated scanning server reports 
10.External Penetration Testing
        * Pen Tester -> Internet [DMZ:router,firewall,webserver,appserver,mailserver] -> [Internalserver:databaseserver,fileserver,dirserver]
        * - List open / closed ports 
          - Port scan every port (65536)
          - Use SYN scan 
          - Use connect scan 
          - Use XMAS scan 
          - Use FIN scan 
          - Use NULL scan 
          - Firewalk on the router's gateway 
          - Check ICMP (type 3, port unreachable)
          - Check ICMP (type 8, echo request)
          - Check ICMP (type 13, timestamp request)
          - Check ICMP (type 15, information request)
          - Check ICMP (type 17, subnet address request)
          - Test SNMP (port 161), LDAP (389), NetBIOS (135-139, 445), SQL Server (1433, 1434), Citrix (1495), Oracle (1521), NFS (2049), RDP (3389), SIP (5060), VNC (5900/5800), X11 (6000), Kerberos-AD (TCP/UDP 88)
        * Tools : NeoTrace, IP Address 2 Country, IP Prober 
        * TCP/UDP trace tools : IGI, pathChirp,Pathload,Pathrate,Tulip,tcptrace,netperf,scriptroute
        * Examine the use IPv6 : 46Bouncer 
        * Find IP block : SAM SPADE, ARiN DATABASE 
        * List Open Ports : Superscan, nmap,netscantoolspro 
        * List Closed Ports : 
            #nmap --script=firewalk --traceroute x.x.x.x
            - Cerberus Internet Scanner
            - CyberCop Scanner :
            - firewalk :
            - hackershield : 
            - hostscan : 
            - internet scaner : 
            - nessus : 
            - netscan : 
            - nmap : 
            - nmapNT : 
            - SAINT/SATAN : 
            - SARA : 
            - Strobe : 
            - Superscan/fscan : 
        * List ports that are half open / closed : stealth ports - a stealth port will not generate
        * SYN scan = half-open scan
        * XMAS scan = only works against OS TCP/IP stacks that follow RFC 793
          - Does not work against Microsoft Windows / shows all ports on the host as closed
        * FIN scan = RFC 793, does not work against Microsoft Windows / shows all ports on the host as closed
        * NULL scan = RFC 793, does not work against Microsoft Windows / shows all ports on the host as closed
        * -f = use fragmentation scanning and examine the response
        * Examine IP ID Sequence Number Prediction :
            #hping2 -c 10 -i 1 -p 80 -S x.x.x.x
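As an added example (my code, not from the original notes), a small Python helper that pulls the IP ID values out of hping2-style reply lines and classifies the sequence, which is the check the SYN probe above is meant to support: an incrementing IP ID means the host leaks its traffic volume and is usable as an idle-scan zombie, while a random or all-zero sequence is the hardened behaviour. The reply text is constructed to resemble hping2 output, and the category cut-offs are assumptions of mine.

```python
import re

# Constructed sample, modelled on hping2's reply lines (one reply per probe).
SAMPLE_HPING_OUTPUT = """\
len=46 ip=192.0.2.10 ttl=64 DF id=30011 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms
len=46 ip=192.0.2.10 ttl=64 DF id=30012 sport=80 flags=SA seq=1 win=5840 rtt=0.3 ms
len=46 ip=192.0.2.10 ttl=64 DF id=30013 sport=80 flags=SA seq=2 win=5840 rtt=0.4 ms
len=46 ip=192.0.2.10 ttl=64 DF id=30014 sport=80 flags=SA seq=3 win=5840 rtt=0.3 ms
"""

_ID_RE = re.compile(r"\bid=(\d+)\b")


def parse_ipids(hping_output):
    """Extract the IP ID of every reply line, in arrival order."""
    return [int(m.group(1)) for m in _ID_RE.finditer(hping_output)]


def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo the 16-bit field so a
    counter that wraps at 65535 still looks sequential."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids):
    """Classify a sequence of IP IDs. The category names follow what nmap
    reports for IP ID sequence generation; the cut-offs are assumptions."""
    if len(ids) < 3:
        return "unknown"
    if all(i == 0 for i in ids):
        return "all zero"              # field unused: nothing to predict
    deltas = ipid_deltas(ids)
    if all(d == 1 for d in deltas):
        return "incremental"           # global counter, fully predictable
    if all(d == 256 for d in deltas):
        return "incremental"           # byte-swapped counter, equally predictable
    if all(0 < d < 1000 for d in deltas):
        return "broken incremental"    # counts up, other traffic interleaved
    return "random"


def is_predictable(ids):
    """True when the host leaks traffic volume through the IP ID field,
    which is the finding this step of the notes is looking for."""
    return classify_ipid(ids) in ("incremental", "broken incremental")


if __name__ == "__main__":
    ids = parse_ipids(SAMPLE_HPING_OUTPUT)
    print(ids, classify_ipid(ids), is_predictable(ids))
```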
        * Netcraft / Uptime 
        * Reverse engineer the binary code : 
            - IDA Pro 
            - Java Engineer
            - FlashSaver
            - REC Decompiler 
        * Examine the Session Variables : Session hijacking, grabbing URL 
        * Examine Cookies 
            - Cookies offer a way to check the identity of the user by storing the CFID and CFTOKEN in client-side cookies and using that information to uniquely identify the user
        * Brute Force URL Injections and session tokens 
        * Attempt URL encodings on the web pages 
        * Try Buffer Overflow Attempts in Input Fields 
            - NTOMAX : 
            - Hailstorm : 
        * Attempt Escape Character Injection : Ex : $$ 
            - APS : 
            - G-Server : 
            - iBroker Secure Web : 
            - URLScan : 
        * Try Cross Site Scripting (XSS)
        * Record and replay the traffic to the target web server and note the response
            - CruiseControl 
            - Webload : 
            - e-Test Suite : 
        * Try Sql Injection : 
            - ' or 1=1 /*
            - " or 1 = 1 --
            - or 1 = 1 --
            - ' or 'a'='a'
            - "or"a"="a 
            - ')or('a'='a
        * Examine Hidden Fields 
        * Examine Server Side Includes (SSI)
            - SSI : placeholders in an HTML page that the web server dynamically replaces with data just before sending the response back to the browser
            <P>SSI bro</P>
            <!--#include file="copywrite.inc" -->
            <!--#exec cmd="/bin/cat /etc/passwd" -->
            - Enable the suexec utility
            - SSI-enabled files should have an extension other than .html / .htm
        * Examine Welcome messages, error messages, and debug messages 
        * Probe the service by SMTP Mail Bouncing 
            - SMTP mail bouncing indicates that the user does not exist on that server 
            - Bounced mail carries information about SMTP server such as server name, version, and various services running on server 
        * Grab the Banner of HTTP Servers : httprint(web server fingerprinting)
        * Grab the Banner of SMTP Servers
            - GNIT NT vulnerability scanner captures banner messages from an SMTP server
            - Install the following
                - perl Makefile.PL
                - make
                - make test
                - make install
            - Required libraries
        * Grab the Banner of FTP Server
            C:\>echo quit | nc -vv -w 5 x.x.x.x 20-40
        * GNU freeware tunneling software 'HTTPTunnel'
        * OS Fingerprint : netscantoolspro, nmap 
        * Check for ICMP Responses (Type 3, Port Unreachable) 
            - SYN scan is the default and most popular scan option for good reasons 
            - The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2,3,9,10/13) is received 
        * Check ICMP Responses (Type 8, Echo request)
        * Check ICMP Responses (Type 13, Timestamp Request) : nmap -sS -p X x.x.x.x
        * Check ICMP responses (Type 15, Information Request)
        * Check ICMP responses (Type 17, Subnet Address Mask Request)
        * -sU = UDP, -sS = SYN Scan 
        * Port Scan TFTP Server(port 69)
            - PortQry = help troubleshoot TCP/IP connectivity issues 
            - portqry -n x.x.x.x -p udp -e 69
        * Test for NTP ports (123)
            nmap -sU -p 123 x.x.x.x 
        * nmap -sU -p 161 x.x.x.x
          nmap -sU -p 162 x.x.x.x 
        * Test Telnet Ports (23)
            nmap x.x.x.x -p http*,ftp,telnet 
        * Test LDAP (389)
            portqry -n myserver -p udp -e 389 
        * Test for NetBIOS (135-139,445)
            nmap.exe -sS x.x.x.x -p 21,22,25,53,80,161,43 
        * Test NFS 
            nmap -v -sR -p 2049 x.x.x.x 
        * Test RDP 
            nmap -sT -p 3389 X.X.X.X 
        * Test SIP (5060) VOIP 
        * VNC : port 5900, Java Viewer port 5800 
        * Scan SSL : nmap -F -sV x.x.x.x
          Scan SSH : nmap -sS -p 22 x.x.x.x 
11.Internal Network Penetration Testing
        * Scan the Network 
            - Angry IP 
            - Network Scanner
            - FreePortScanner 
        * Attempt to establish Null Sessions 
            - Verify if null sessions are enabled on the target machine 
            - C:\>nbtstat -a x.x.x.x 
                  net view \\x.x.x.x 
        * Enumerate Users 
            - Getacct 
            - Winfingerprint 
        * Sniff the Network 
            - Wireshark 
            - Tcpdump 
            - Etherpeek / Omnipeek
        * Sniff pop3/FTP/Telnet 
            - Dsniff 
            - Ace Password Sniffer 
        * Wireshark 
            ip.src == ip_address 
            ip.dst == ip_address 
            tcp.dstport == port_no 
            ip.addr == ip_address 
        * Sniff Email messages / VOIP traffic 
            - mailsnarf 
        * Attempt Replay Attacks / MITM
            - Sniff the LAN Manager (LM) hashes off the wire and replay the same password on the target machine
            - l0phtcrack 
            - Rainbowcrack 
            - Cain & Abel 
        * Attempt ARP Poisoning / ARP spoofing / ARP Cache poisoning / ARP poison routing 
            a. ARPspoof 
            b. ARPoison 
            c. Ettercap 
            d. Parasite 
        * Attempt MAC Flooding 
            - ARP Cache poisoning
                a. macOf Tool 
                    macof -i eth1 -n 10 
                    macof -i eth1 -d x.x.x.x 
        * MITM 
            1. DNS cache poisoning
            2. ARP spoofing 
                a. DNSA 
                b. Dnsspoof 
                c. TinyDNS 
                d. DNSCache 
                e. Arpoison 
                f. Arpspoof 
                g. Ettercap 
                h. Parasite 
        * DNS Poisoning
                a. DNSSpoof 
                b. DNSA 
        * Knoppix / Alternate OS and steal the SAM file 
            #mount -t vfat -o ro /dev/hda1 /mnt/hda1
            #cp /mnt/hda1/windows/system32/config/sam .
            #cp sam /dev/fd0 
            #umount /dev/hda1 
        * Keylogger 
            a. KGB Spy 
            b. Realtime-Spy 
            c. SpyAgent 
            d. Elite Remote Keylogger 
        * Trojan 
            a. Netcat 
                C:\>nc -lvp 2222 
                #nc x.x.x.x 2222 
            b. Beast 
            c. E-Mailer 
        * Meterpreter kali linux 
        * Rootkit 
        * Hide Folder XP / 2012 
            a. AB Hide folder 
            b. Stealth folder 
            c. Folder security personal 
        * Steganography
            a. Image hide 
            b. Snow 
        * Escalate user privileges 
            $chmod 755 getRoot 
             whoami : customer 
             whoami : root 
             uname -a 
             id = root 
        * Capture HTTPS 
            HTTP Analyzer
        * Capture RDP 
            Wireshark, cain 
        * Wireshark 
            src host 
            dst host 
            ip proto \tcp OR tcp 
            ip proto \udp OR udp 
            ip proto \icmp OR icmp 
        * CoreImpact - Automated Tool 
          Canvas - Automated Tool 
          Internet Scanner - iss-internet-scanner 
          NetRecon : 
          CyberCop : 
          Cisco Secure Scanner 
          Retina : 
        * Document Everything 
12.Firewall Penetration Testing
        * Packet Filtering 
            - Data header is checked 
                a. Stateless packet filtering 
                b. Stateful packet filtering 
                c. Address filtering 
                d. Network filtering 
        * BlackICE PC Protection 
        * Types of Firewall
            a. Packet Filters 
                OSI layer 3 Internet protocol 
            b. Circuit level gateways 
                OSI layer 4 TCP
                monitor TCP handshaking 
            c. Application level gateways 
                OSI layer 5 Application 
            d. Stateful multilayer inspection firewalls 
                Combine 3 above 
            * Locate the firewall
                hping2 -c 2 -S -p 23 -n x.x.x.x
                ICMP unreachable type 13 from 10.10.2.3
            * tracert
            * Port scan
                nmap -n -vv -P0 -p 256,1080 x.x.x.x
            * Grab the Banner
                C:\>nc -nvv x.x.x.x 80
            * Create custom packets
                #hping -c 2 -S -p 23 -n x.x.x.x
            * Test Enumeration
                nmap -sA x.x.x.x
            * Test Firewall using firewalking
                TTL exceeded error = firewall is open
            * Test for Port Redirection
                fpipe -l 80 -r 139 x.x.x.x
                datapipe 80 139 x.x.x.x
            * Test covert channels | install backdoor 
                WWW reverse shell 
            * Test HTTP Tunneling 
13.Intrusion Detection System Testing
        * Types of IDS 
            a. Network Based IDS (NIDS)
                are placed at a strategic point 
            b. Host Based IDS (HIDS)
        * IDS Testing Tool : IDS Informer 
            Firewall Informer 
14.Password Cracking Penetration Testing
        * Password Cracking Technique 
            - Social Engineering 
            - Shoulder surfing 
        * Types of Password Cracking Attacks
            - Dictionary Attack 
            - Brute Force Attack 
            - Hybrid Attack : like a dictionary attack but adds some numbers and symbols 
            - Syllable Attack : Combination of both brute force attack and the dictionary attack 
            - Rule-Based Attack : the attacker gets some information about the password 
        * /etc/passwd and /etc/shadow 
            can also be in /etc/security/passwd
        * FILE SAM 
                Extraction Tools : 
                    - SAMDUMP
                    - PWDUMP
                    - L0phtcrack 
        * SMB 
            nat -u userlist.txt -p passlist.txt testing IP_ADDR 
        * Build a Dictionary of word lists 
            - Dictionary maker 
            - Pass list 
        * Brute Force Passwords 
            - Brutus : 
            - Cerberus Internet Scanner 
            - Crack : 
            - CyberCop Scanner : 
            - Inactive Account Scanner :  
            - L0phtcrack
            - Legion and NetBIOS Auditing Tool(NAT) : 
            - John the Ripper,SAMDump,PWDump,PWDump2,PWDump3 
            - SecurityAnalyst : 
            - TeeNet : 
            - WebCrack : 
            - Munga bunga 
            - Password cracker 
          Unix : NIS/yp
        * Logon password
            - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        * dsniff - SwitchSniffer v0.8.0
        * Replay attack : Ethereal, TCP dump, WinDump
        * SAMInside (pwdump)
        * Dictionary maker
        * Password List Recovery - Anti-Secure Ultimate Password Recovery
15.Social Engineering Penetration Testing
    * Social Engineering tricks 
        Phone scams, hoaxes, and email scams 
        A good social engineer will conduct some background research on a company 
    * SE by Vishing : pose as an employee of legitimate enterprise 
16.Web Application Penetration Testing
    * Test for parameter-tampering attacks on website 
    * Test for Cross Site Scripting 
        - TamperIE
        - Paros proxy 
        - Fiddler 
        - Burp proxy 
    * Test Cookie Attack 
    * Bugtraq 
    * Blind SQL injection : the attacker attempts to exploit an app without getting a useful error message back
    * Session Hijacking 
        - Juggernaut 
        - Hunt 
        - TTY Watcher 
        - T-Sight 
    * Test for Xpath Injection Attack 
        - Xpath 1.0 is a language used to refer to parts of an XML document 
    * SSI Injection (Server-side include) : server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server
    * Test for XML Content-Level 
        - webscarab tool (use it as a proxy to capture the HTTP traffic)
    * Test for malicious SOAP Attachments 
        - Search the web service definition language (WSDL) for operations that accept attachments
    * Testing Tools 
        - Acunetix 
        - SPIKE Proxy 
        - WebserverFP : HTTPD fingerprinting 
        - KSES 
        - Sleuth : 
        - Webgoat 
        - AppScan 
        - URL Scan 
17.SQL Penetration Testing
    * SQL Server port : 1433 
    * Absinthe tool : Blind sql injection 
    * osql utility : for default/common passwords 
    * Brute force SA account : HydraGTK 
    * Dict attack tool : cain and abel 
18.Penetration Testing Reports and Post Testing Ac
19.Database Penetration Testing        
    * Run WinSID to find instances of Oracle database 
    * Use tools such as Orabf to brute force password hashes 
        oracbfscript.cmd hacker.list -c default.txt 
    * Packet Sniffing tools 
        - EtherDetect 
        - Microsoft Network Monitor 
    * Port Scanning Basic 
        - TCP connect():
        - Strobe : only looking for those services the attacker knows how to exploit 
    * TNS Listener 
        - status -h IP-address
          version -h IP-address
        - $ORACLE_HOME/bin/lsnrctl (listener control program)
          $ORACLE_HOME/network/admin/listener.ora (tns config file)
          $ORACLE_HOME/bin/tnslnsr (listening process)
        - Oracle Password Guesser (opwg)
    * Havij = automated SQL Injection tool 
      SQLmap = opensource penetration testing tool 
20.Wireless Network Penetration Testing
    * WirelessMon (Wireless monitoring)
    * Discovering rogue AP : stumble/netstumbler 
    * PowerscanRF 
    * Airodump 
    * Airsnort 
        tar -xzf airsnort-xx.tar.gz 
        cd airsnort-xx
    * Aircrack 
    * Spoof MAC : Mac MakeUP 
    * Aireplay (aireplay-ng)
    * WEPWedgie to inject an encrypted packet : prgasnarf -c 1
    * chopchop : tool that allows decrypting a single packet even without knowledge of the WEP key
        #aireplay-ng --chopchop -b 00:18:E7: -h F4:09:D8: mon0
    * Tools : 
        - Airopeek 
        - Airmagnet 
        - Airsnort : recovers encryptions keys 
        - WirelessMon 
        - Dstumbler 
        - dwepdump 
        - Kismet 
        - NetStumbler 
        - Wireshark 
        - Sniffer wireless 
        - TCPDump 
        - WEPCrack 
        - aircrack-ng : airdump
        - KisMAC 
21.Mobile Devices Penetration Testing
    * Root an Android : SuperOneclick, superboot,universal androot,unrevoked 
    * AnDOSid : DOS 
    * ComDroid : detect app's communication vulnerabilities 
    * Jailbreak : Redsnow,absinthe, snowbreeze, pwnageTool 
    * msfcli -h 
    * BBProxy 
    * Elcomsoft phone password breaker 
22.Cloud Penetration Testing Methodology        
    * Public cloud and private cloud, hybrid cloud 
    * Infrastructure as a Service (IaaS)
      Platform as a Service (PaaS) 
      Software as a Service (SaaS)
    * If you need milk, would you buy a cow?
Posted in Security

Threat Intelligence Researcher Notes

1. Phase Overview 
    * Hunting 
        - Underground hacking forums 
        - DeepWeb hidden sites (via TOR)
        - Incident response 
        - Honeypots 
    * Feature extraction (static)
        - Timestamp: date when the binary was created
        - Digital certificate signing the malware 
            Either self-signed-certificate, legit, but expired / stolen (Stuxnet)
        - Exif metadata (Author, Language, Mime Type)
        - Import table hash(imphash)
        - Sequence of identical bytes in the same order (ssdeep)
        - Strings: C2 IP, Mutex, PDB path, custom message 
    * Behavior Extraction (Dynamic)
        - Normally detected by running the sample in a sandbox 
        - Or by dumping the sample from memory 
        - Capturing malicious events 
            - Creating a file in suspicious location(AppData)
            - Injecting into other processes 
            - Download/execute from internet 
            - keystrokes interception 
            - anti-vm, anti-debugging checks 
            - delay techniques : sleep calls, junk loops, 
            - Persistence: Registry, service, schedule task 
        - Malicious events
            - Desktop locked(ransomware)
            - Multiple files overwrite (file infector)
            - Dumping hashes from memory (hacktool)
        - Passive DNS (DNSDB)
    * Clustering and correlation & threat actor attribution 
        - Clustering: nodes 
            Timestamp, imphash, ssdeep, digital certs 
    * Tracking 
        - Passive DNS 
        - Internet port scan : finding new C2's proactively 
        - Lookups: Yara & snort scans 
        - OSINT: email addresses 
2. Hunting 
    * Virus total intelligence
    Deep web / invisible web / hidden web 
    hidden wiki 
    * Honeypot 
    * OSINT 
        - Information gathered from publicly available sources 
        - Search for documents in specific domains 
        - Samples based on Email address, usernames, IP's from internet 
        - OSINT framework metagoofil kali 
    * Open source intelligence (OSINT) : 
        + Maltego 
        + shodan 
        + metagoofil 
        + FOCA
        + EXIF data viewers
        + Social Engineer Toolkit
        + Passive Recon 2016
        + OSINT The harvester 
3. Features Extraction 
    * Hash / file integrity 
        - cannot revert the hash to get original content 
    * Imphash 
        - Import table: DLLs being used by the windows binary 
        - Mandiant creates a hash based on API names and their specific order 
        - Defines the behavior of the malware
        - Not applicable to packed files 
        - Can be used to find (hunt) similar malware 
    * Strings 
        - Low-cost simple check 
        - Can help to easily hunt for similar files 
        - Consider unicode strings 
        - No technical knowledge required 
        - PDB, API names, Mutex, custom error messages can help 
        - Yara can help to hunt based on strings! 
    * Lab extracting VBA Macros with Didier Stevens Tools 
        #ls 353462625626
        #vi 353462625626 -> MIME-version: 5.0 / Email version 5 353462625626 -s 3 -d 353462625626 > ActiveMime
         vi ActiveMime
        #hexdump -C A ActiveMime | less -s 3 -d 353462625626 | -s 3 -d 353462625626 | -s 20 -v > yfdjvsadf 
        #vi yfdjvsadf -s 3 -d 353462625626 | -s a -v > all_macros 
        #vi all_macros
    * Lab 2-C2 IP Pivoting -s 3 -d 353462625626 | -s a -d > all_content 
        #vi all_content 
4. Behavior Extraction 
    Based on sandbox runs (e.g. Cuckoo Sandbox) 
    * Unique mutex: Groove:PathMutex 
    * GetCursorPos API: sandbox evasion technique 
        - The malware samples the cursor position twice within a short interval and compares the two coordinates 
        - A very fast jump between the two samples suggests simulated input, i.e. the code is running in a sandbox 
    * Anti-sandbox: NtDelayExecution 
        - A long sleep so that the sandbox times out and stops analyzing before the real payload runs 
    * Behavior detected: malicious mutex, anti-sandbox 
    * Process infector, keylogger & passive DNS 
        * Process infector 
            - WriteProcessMemory API: writes the injected code into another process's address space 
            - NtSetContextThread: rewrites a thread's context so its instruction pointer lands on the injected entry point 
            - NtResumeThread: resumes the (suspended) remote thread so the injected code runs 
        * Keylogger 
            - Common behavior in RATs (e.g. DarkComet) and spyware 
            - SetWindowsHookEx hook identifier 2 (WH_KEYBOARD) or 13 (WH_KEYBOARD_LL): keyboard 
            - Hook identifier 7 (WH_MOUSE) or 14 (WH_MOUSE_LL): mouse 
        * Passive DNS 
            - DNSDB (Farsight) is a must-have resource for threat intelligence: historical domain-to-IP resolutions for pivoting between C2 domains and IPs 
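Added example for section 4 (not from these notes, nor Cuckoo's own signatures): detection rules for the behaviors listed above, run over a constructed sandbox-style API trace. The trace layout (`t`, `api`, `args`) and its argument names are this example's own, loosely modelled on a sandbox report; the hook identifier values are the winuser.h constants.

```python
# Constructed API trace, loosely modelled on a sandbox behavior report (not real output).
# "t" is seconds since process start; argument names are this example's own.
SAMPLE_TRACE = [
    {"t": 0.010, "api": "NtCreateMutant", "args": {"MutexName": "Global\\Groove:PathMutex"}},
    {"t": 0.012, "api": "GetCursorPos", "args": {"x": 100, "y": 100}},
    {"t": 0.013, "api": "GetCursorPos", "args": {"x": 640, "y": 480}},
    {"t": 0.020, "api": "NtDelayExecution", "args": {"Milliseconds": 300000}},
    {"t": 0.030, "api": "SetWindowsHookExA", "args": {"HookIdentifier": 13}},
    {"t": 0.040, "api": "VirtualAllocEx", "args": {"ProcessHandle": "0x1c4"}},
    {"t": 0.041, "api": "WriteProcessMemory", "args": {"ProcessHandle": "0x1c4"}},
    {"t": 0.042, "api": "NtSetContextThread", "args": {"ThreadHandle": "0x1d0"}},
    {"t": 0.043, "api": "NtResumeThread", "args": {"ThreadHandle": "0x1d0"}},
]

KNOWN_BAD_MUTEXES = {"Groove:PathMutex"}
# SetWindowsHookEx idHook values from winuser.h
KEYBOARD_HOOKS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL"}
MOUSE_HOOKS = {7: "WH_MOUSE", 14: "WH_MOUSE_LL"}
# The write / set-context / resume chain of the process infector, in this order
INJECTION_SEQUENCE = ("WriteProcessMemory", "NtSetContextThread", "NtResumeThread")


def _contains_in_order(needle, haystack):
    """True if every element of needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needle)


def detect_behaviors(trace, cursor_window=0.5, sleep_threshold_ms=60_000):
    """Return sorted behavior tags for one API trace."""
    tags = set()

    # Two cursor samples taken very close together: the mouse-movement sandbox check.
    cursor_times = sorted(c["t"] for c in trace if c["api"] == "GetCursorPos")
    if any(b - a < cursor_window for a, b in zip(cursor_times, cursor_times[1:])):
        tags.add("anti-sandbox:cursor-movement-check")

    for call in trace:
        api, args = call["api"], call["args"]
        if api == "NtDelayExecution" and args.get("Milliseconds", 0) >= sleep_threshold_ms:
            tags.add("anti-sandbox:long-sleep")   # sleep past the sandbox's analysis window
        elif api in ("NtCreateMutant", "CreateMutexA", "CreateMutexW"):
            name = args.get("MutexName", "").split("\\")[-1]   # drop Global\ / Local\ prefix
            if name in KNOWN_BAD_MUTEXES:
                tags.add("malicious-mutex:" + name)
        elif api.startswith("SetWindowsHookEx"):
            hook = args.get("HookIdentifier")
            if hook in KEYBOARD_HOOKS:
                tags.add("keylogger:" + KEYBOARD_HOOKS[hook])
            elif hook in MOUSE_HOOKS:
                tags.add("mouse-hook:" + MOUSE_HOOKS[hook])

    injection_calls = [c["api"] for c in trace if c["api"] in INJECTION_SEQUENCE]
    if _contains_in_order(INJECTION_SEQUENCE, injection_calls):
        tags.add("process-injection:" + ">".join(INJECTION_SEQUENCE))
    return sorted(tags)


if __name__ == "__main__":
    for tag in detect_behaviors(SAMPLE_TRACE):
        print(tag)
```

The sleep and cursor thresholds are the tunable part: a real report from a sample that sleeps for a few hundred milliseconds or reads the cursor once a second is normal GUI behavior, which is why the benign case below yields no tags.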
5. Clustering and Correlation 
    * Clustering: nodes 
        - Features used as pivots: timestamp, imphash, ssdeep, digital certificates 
        - Properties: attached to nodes and shared within a group (cluster) 
        - Correlation: graph DB 
            NoSQL database; a collection of nodes and edges 
    * Graph DB 
        - Designed to store nodes, the edges between them, and properties on both 
        - Nodes = binaries / malicious programs, plus the features they share (C2 IPs, certificates, mutexes) 
        - Edges = relationships between them ("shares imphash with", "connects to") 
        - Properties: features & behaviors 
        - A graph DB is the solution for exploiting the collected information 
        - Maltego 
        - Apache TinkerPop 
        - Neo4j 
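Added example for section 5 (not from these notes, and not using Neo4j or TinkerPop): the node/edge model above in plain Python, with binaries and their features as nodes and shared features as the links, then clustering by connected components. It goes one step past the notes by dropping features that too many samples share (a common packer stub, a CDN address), since those would glue unrelated clusters together. Sample names, hashes, certificate IDs and addresses are constructed; the IPs come from the documentation ranges.

```python
from collections import deque

# Constructed feature records for six hypothetical samples (not real hashes or IPs).
# Each value is a pivot of the kind the notes list: imphash, signing certificate,
# C2 address, mutex, plus a hash of the packer stub that many samples share.
SAMPLES = {
    "sample_a": {"imphash": "imp-1111", "cert": "cert-aaaa", "c2": "198.51.100.10", "packer": "upx-stub"},
    "sample_b": {"imphash": "imp-1111", "c2": "198.51.100.11"},
    "sample_c": {"cert": "cert-aaaa", "mutex": "Groove:PathMutex", "packer": "upx-stub"},
    "sample_d": {"imphash": "imp-2222", "c2": "203.0.113.5", "packer": "upx-stub"},
    "sample_e": {"imphash": "imp-2222", "c2": "203.0.113.5"},
    "sample_f": {"imphash": "imp-3333", "packer": "upx-stub"},
}


def build_graph(samples, max_feature_degree=3):
    """Bipartite graph: ("sample", name) nodes linked to (feature_type, value) nodes.

    A feature shared by more than max_feature_degree samples is treated as a hub
    (packer stub, shared hosting IP) and left out; pass None to keep every feature.
    """
    degree = {}
    for feats in samples.values():
        for key in feats.items():
            degree[key] = degree.get(key, 0) + 1
    graph = {}
    for name, feats in samples.items():
        node = ("sample", name)
        graph.setdefault(node, set())
        for key in feats.items():
            if max_feature_degree is not None and degree[key] > max_feature_degree:
                continue
            graph[node].add(key)
            graph.setdefault(key, set()).add(node)
    return graph


def clusters(samples, max_feature_degree=3):
    """Connected components of the graph, as sorted lists of sample names."""
    graph = build_graph(samples, max_feature_degree)
    seen, result = set(), []
    for start in sorted(n for n in graph if n[0] == "sample"):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            if node[0] == "sample":
                component.append(node[1])
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        result.append(sorted(component))
    return result


def link_reason(samples, a, b, max_feature_degree=3):
    """Features two samples share directly, i.e. the edges an analyst would cite."""
    graph = build_graph(samples, max_feature_degree)
    return graph[("sample", a)] & graph[("sample", b)]


if __name__ == "__main__":
    print("clusters (hub features dropped):", clusters(SAMPLES))
    print("clusters (every feature kept)  :", clusters(SAMPLES, max_feature_degree=None))
    print("why a and c are linked:", link_reason(SAMPLES, "sample_a", "sample_c"))
```

With the hub filter on, the packer stub shared by four samples is ignored and three clusters remain; with it off, that one feature merges everything into a single cluster, which is the failure mode of pivoting on an imphash of packed files.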
6. Tracking 
    * Passive DNS & internet-wide port scans 
        - DNSDB tracking: follow which IPs the C2 domains resolve to over time 
        - Ports observed on the tracked infrastructure: 
          Port 2007 : DarkComet RAT 
          Port 8025 : reverse shell loader 
          Port 3098 : keylogger repository 
    * OSINT (open source intelligence) 
7. Taking Down 
    - Sinkhole: technique that redirects a malicious C2 domain to the researcher's analysis server, so infected hosts report to the researcher instead of the attacker 
    - Sinkhole approaches: 
        - Take over the C2 domain 
            Change its DNS configuration to point at the sinkhole; doable, and it puts the researcher in the middle of the botnet's traffic (MITM) 
8. Attribution 
    TTPs: tactics, techniques and procedures 
        - Spear phishing, watering-hole attacks 
        - Zero-days: Stuxnet, Duqu 
        - APT X5 
Posted in Security

Netcat Notes (TCP/IP Swiss Army Knife)

Netcat is a utility used for all sorts of things involving the TCP and UDP
protocols: it can open TCP connections, transfer files, chat, give a
reverse shell, and grab banners.

  1. Chatting 🙂
    In these notes the author uses two operating systems, Windows 7 and Linux.
  2. File transfer
    Prepare the file to be transferred.
  3. Banner grabbing
  4. Just for fun (reverse shell) 🙂
    This means we can get into a shell on the target OS: once someone on
    Linux has got into a Windows command prompt (or vice versa), they can
    do whatever they want, such as look at the resources inside that OS.
    Below is an example of a user on Linux running the Windows cmd from
    Linux; as netcat's own help says, this option is "dangerous!!!".
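Added example (not from this post): what the file-transfer step does, written with Python sockets so it runs on one machine over loopback. One side plays the listener, like `nc -l -p PORT > received.bin`; the other plays the sender, like `nc HOST PORT < file`; the hash comparison at the end is the check netcat itself does not give you. The payload is constructed.

```python
import hashlib
import socket
import threading

# Constructed stand-in for the file prepared in step 2 (not a file from the post).
SAMPLE_FILE = b"PK\x03\x04" + bytes(range(256)) * 4 + b"end-of-constructed-file\n"


def receive_once(listener, chunks):
    """Receiver side, the equivalent of `nc -l -p PORT > received.bin`:
    accept one connection and read until the sender closes its end."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:          # EOF: the sender shut down its writing side
                break
            chunks.append(chunk)


def transfer(data, host="127.0.0.1"):
    """Sender side, the equivalent of `nc HOST PORT < file`, run against a local
    receiver thread. Returns the bytes the receiver collected."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    chunks = []
    receiver = threading.Thread(target=receive_once, args=(listener, chunks))
    receiver.start()
    try:
        with socket.create_connection((host, port), timeout=5) as sender:
            sender.sendall(data)
            sender.shutdown(socket.SHUT_WR)   # end of file, as closing nc's stdin does
        receiver.join(5)
    finally:
        listener.close()
    return b"".join(chunks)


def same_file(sent, received):
    """netcat has no integrity check of its own: compare a hash on both ends afterwards."""
    return hashlib.sha256(sent).hexdigest() == hashlib.sha256(received).hexdigest()


if __name__ == "__main__":
    got = transfer(SAMPLE_FILE)
    print(len(got), "bytes received, hashes match:", same_file(SAMPLE_FILE, got))
```

Everything crosses the wire in clear text, which is why the same tool is just as handy for grabbing banners from services that greet you on connect, and why the reverse-shell use in step 4 is as dangerous as netcat's help says.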


    Continue reading “Netcat Notes (TCP/IP Swiss Army Knife)”