1. What is an SSL connection and an SSL session?
Secure Sockets Layer (SSL) is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet.
How the connection is established:
When a browser attempts to access a website that is secured by SSL, the browser and the web server establish an SSL connection using a process called an “SSL Handshake”. The browser requests that the server identify itself. The server sends a copy of its SSL certificate, including the server’s public key.
An SSL session is the process of maintaining a secured connection during the secured communication. Hence, when the connection dies, the SSL session can reestablish the connection quickly using Cookies. The main purpose of the SSL session is to avoid having to renegotiate the security parameters for every connection.
2. What is Encoding and Enumeration?
In the Encoding method, data is transformed from one form to another. The main aim of encoding is to transform data into a form that is readable by most systems or that can be used by an external process. It can’t be used for securing data, because various publicly available algorithms are used for encoding. Encoding can also be used for reducing the size of audio and video files.
Enumeration occurs after scanning and is the process of gathering and compiling usernames, machine names, network resources, shares, and services. It also refers to actively querying or connecting to a target system to acquire this information. Hackers need to be methodical in their approach to hacking.
3. Explain “URL manipulation”?
URL manipulation can be employed as a convenience by a Web server administrator, or for nefarious purposes by a hacker. An example of the constructive use of this technique is allowing an Internet user to access a Web site that has a complicated URL by entering a simpler URL into the address bar of a Web browser.
4. What are the three classes of intruders?
An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system.
Three classes of intruders:
- Masquerader – unauthorized user who penetrates a system exploiting a legitimate user’s account (outside)
- Misfeasor – legitimate user who makes unauthorized accesses or misuses his/her privileges (inside)
- Clandestine user – seizes supervisory control to evade auditing and access controls or suppress audit collection (inside/outside)
5. List the components used in SSL?
SSL session components can be summarized as follows:
Session identity – a given SSL session, with all of its components, has a unique session ID that can be used to identify and maintain the session as a unit, independent of any current client/server connection
Keys and certificates – the cryptographic keys and digital signatures that are used during an SSL session are:
- Asymmetric keys
- Digital (public-key) certificates and store
- Master secret
- Symmetric keys
- MAC secrets
- Other values
Algorithms (ciphers) – the algorithms specified for an SSL session include those for:
- Symmetric cryptography
- Message Authentication Code (MAC)
Session caching – by setting an option on the SSL server, it can cache the SSL session (identified by its session ID) for a specified period of time after a given connection between the SSL client and server has terminated.
6. Describe Network Intrusion Detection system?
Network Intrusion Detection Systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the traffic passing on the entire subnet and matches it against a collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator.
An example of a NIDS deployment is installing it on the subnet where the firewalls are located in order to see if someone is trying to crack the firewall.
7. Describe Host Intrusion Detection system?
Host Intrusion Detection Systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets from that device only and will alert the administrator if suspicious or malicious activity is detected. It also takes a snapshot of existing system files and compares it with the previous snapshot. If the monitored system files were edited or deleted, an alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on mission critical machines, which are not expected to change their layout.
8. Explain the WSDL and SOAP.
A WSDL (Web Services Description Language) file is an XML document that describes a web service.
SOAP (Simple Object Access Protocol) is an XML-based protocol that lets applications exchange information over a particular transport protocol. It uses XML as its messaging format to relay the information.
9. What are the CURL and ROCK SPIDER tools used for?
CURL is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.
10. What is meant by a Man in the Middle (MitM) attack? Does Burp Suite act as a MitM?
A Man in the Middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.
Burp Suite acts as a (sort of) Man in the Middle by capturing each request to and from the target web application so that it can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to analyze potential parameters or injection points.
11. What is meant by a Drive-by attack?
A Drive-by download refers to the unintentional download of malicious code to your computer or mobile device that leaves you open to a cyberattack. You don’t have to click on anything, press download, or open a malicious email attachment to become infected. A drive-by download can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates. Unlike many other types of cyberattack, a drive-by doesn’t rely on the user to do anything to actively enable the attack.
How does it work?
Drive-by download malware often uses small pieces of code designed to slip past simple defenses and go largely unnoticed. The code doesn’t need to be highly complex because it mainly has one job: to contact another computer to introduce the rest of the code it needs to access a mobile device or computer.
For example, you might receive a link by email, or see a post in your social media feed from a source you trust, that is designed to entice you to click and open it. Once the website is open, the drive-by download installs itself on your computer or mobile device.
12. What is meant by an Eavesdropping attack?
An Eavesdropping attack, which is also known as a sniffing or snooping attack, is an incursion where someone tries to steal information that computers, smartphones, or other devices transmit over a network. An eavesdropping attack takes advantage of unsecured network communications to access the data being sent and received. Eavesdropping attacks are difficult to detect because they do not cause network transmissions to appear to be operating abnormally.
Breaking down Eavesdropping Attacks
Eavesdropping attacks involve a weakened connection between client and server that allows the attacker to send network traffic to itself. Attackers can install network monitoring software (a sniffer) on a computer or a server to carry out an eavesdropping attack and intercept data during transmission. Any device in the network between the transmitting device and the receiving device is a point of weakness, as are the initial and terminal devices themselves.
Knowing what devices are connected to a network and what software is installed on those devices is one way to protect against eavesdropping attacks. Using personal firewalls, updated antivirus software and virtual private networks (VPNs), and avoiding public networks, especially for sensitive transactions, can help prevent eavesdropping attacks as well.
13. What is an API Access Token and how does it work?
An API token is a unique identifier of an application requesting access to your service. Your service generates an API token for the application to use when requesting your service. A session ID is then created when a user is granted access to a resource.
In this method, tokens are generated for your users after they present verifiable credentials. The initial authentication could be by username/password credentials, API keys or even tokens from another service. Once generated, the token is attached to the user via a browser cookie or saved in local/session storage.
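The token flow just described (credentials verified first, then a token issued and later checked on each request), as an added example that is not from the original notes. It uses an HMAC-SHA256 signed payload with an expiry; the signing key, TTL and claim names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key (constructed here; a real service loads it from a secrets store).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid after issue

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, now=None, key=SERVER_KEY):
    """Called only after the user's credentials have been verified.
    Returns '<base64 payload>.<base64 HMAC-SHA256>'."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_token(token, now=None, key=SERVER_KEY):
    """Return the subject if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # forged signature or edited payload
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None  # expired; the client must re-authenticate
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token

if __name__ == "__main__":
    t = issue_token("alice")
    print(t, verify_token(t))
```

Because the signature is checked before the claims are trusted, a client that edits the payload (for example to change "sub") is rejected, and the constant-time comparison avoids leaking the correct signature byte by byte.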
14. Is GITROB only used to scan GITHUB repositories?
Yes. Gitrob only scans GitHub repositories.
Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
15. What is the difference between GITHUB and GITLAB?
The main advantage of GitLab is its open-source nature, which allows you to run GitLab on your own servers. GitLab allows unlimited private repositories for free whereas for GitHub, it is not free. GitLab is newer than GitHub, so naturally it is a little less popular than GitHub.
16. What are the seven types of port scan? Explain them.
Port scanning is part of the “active reconnaissance” phase, a vital part of any penetration test. Enterprises, organizations or regular users use port scans to probe systems for open ports and their respective services. If you think of a computer as a hallway of doors, port scanning can be compared with walking through the hallway looking for open doors.
Ping Scans are used to sweep a whole network block or a single target to check whether the target is alive. It sends an ICMP echo request to the target – if the response is an ICMP echo reply, then you know the target is alive. However, it is becoming increasingly common for ICMP pings to be blocked by firewalls and routers, so you will likely have to resort to other methods to accurately tell if the target is alive.
The TCP half-open (SYN) scan is probably the most common type of port scan. This is a relatively quick scan that can potentially scan thousands of ports per second. It works this way because it does not complete the TCP handshake process. It simply sends a packet with the SYN flag set, waits for the SYN-ACK from the target and does not complete the connection. When you initiate a TCP connection you first send a packet with the SYN (synchronize) flag set to the destination. The destination then acknowledges this synchronize request with a packet with the SYN-ACK (synchronize-acknowledge) flags set. Finally, the sender acknowledges that it got the SYN-ACK response packet by sending the destination a packet with the ACK flag set. Now, a connection is established.
By not sending the final ACK packet to the target after receiving a SYN-ACK, a connection is not established; however, you now know if the target/port is available and listening.
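The half-open behaviour above is exactly what a NIDS (question 6) can look for from the defender's side: many SYNs from one source to different ports that are never followed by the client's final ACK. The following is an added example, not from the original notes, run over a constructed sensor log in a tcpdump-like flag notation; the log format and the threshold of three ports are assumptions.

```python
from collections import defaultdict

# Constructed sensor log, one TCP segment per line: "<src> <dst> <service_port> <flags>".
# The port column is always the probed service port; flags use tcpdump notation
# (S = SYN, S. = SYN-ACK, . = ACK only, R. = RST-ACK).
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22 S
192.168.1.10 10.0.0.5 22 S.
10.0.0.5 192.168.1.10 22 .
10.0.0.5 192.168.1.10 443 S
192.168.1.10 10.0.0.5 443 S.
10.0.0.5 192.168.1.10 443 .
10.0.0.99 192.168.1.10 21 S
192.168.1.10 10.0.0.99 21 R.
10.0.0.99 192.168.1.10 22 S
192.168.1.10 10.0.0.99 22 S.
10.0.0.99 192.168.1.10 23 S
10.0.0.99 192.168.1.10 25 S
10.0.0.99 192.168.1.10 80 S
"""

def half_open_sources(log, threshold=3):
    """Return {src: [ports]} for sources that sent SYNs to at least `threshold`
    distinct ports on one target without ever sending the handshake's final ACK."""
    pending = defaultdict(set)  # (src, dst) -> ports with a SYN but no ACK yet
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port, flags = line.split()
        port = int(port)
        if flags == "S":
            pending[(src, dst)].add(port)          # client opened a handshake
        elif flags == "." and (src, dst) in pending:
            pending[(src, dst)].discard(port)      # client completed it
    hits = defaultdict(set)
    for (src, _dst), ports in pending.items():
        if len(ports) >= threshold:
            hits[src].update(ports)
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    print(half_open_sources(SAMPLE_LOG))  # {'10.0.0.99': [21, 22, 23, 25, 80]}
```

The legitimate host 10.0.0.5 completes both handshakes and is not reported; a full connect scan (next paragraph) would complete its handshakes too, so catching it needs a different heuristic such as many very short connections per source.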
The TCP connect scan is essentially the same as the half-open scan above, but instead we finish the handshake process and establish a connection by sending the final ACK packet. This is a much slower means of port scanning as it takes more packets to finish.
UDP scans are most commonly used to detect DNS, SNMP and DHCP services. UDP scans work by sending a packet, which is usually empty. The payload can be changed or even set to a random value for each port.
If the target responds with an ICMP unreachable error (type 3, code 3) packet, you know the port is considered closed. If it responds with an ICMP unreachable error packet with other codes, the port is considered filtered. If no response is received at all, the port is considered open or filtered. The reason it might be filtered is that packet filters might be in use that are blocking the communication. Version enumeration could very well help in knowing if packet filters are involved.
STEALTH SCANNING – NULL, FIN, X-MAS
These scan types are known as stealth scanning because you are crafting the packet’s flags in such a way that you try to induce some type of response from the target without actually going through the handshaking process and establishing a connection.
The FIN scan sends a packet that would never occur in the real world: a packet with the FIN flag set, without first establishing a connection with the target. Due to the way the RFC is written, if a RST (reset) packet is received back from the target, the port is considered closed. If no packet is received at all, the port is considered open.
The X-MAS tree scan gets its name because it “lights up the packet like a Christmas tree.” It sets the URG, PUSH and FIN flags on a TCP packet and fires it at the target. Again, if no packet is received, the port is considered open, and if a RST packet is received, the port is considered closed.
The NULL scan also sends a packet that should never occur in the real world. It does not set any flags on the TCP packet and fires it at the target. As above, a RST packet response means it’s a closed port, and no response is considered an open port.
These scans are useful because they are unlikely to appear in logs and are some of the most minimal port scanning techniques available. The downside is that, because of the way Microsoft implements the TCP/IP stack, all ports will be considered closed. However, if you do see an open port, you now know that the target is NOT running a Microsoft operating system.