Saturday, November 3, 2018

deduplication


Company BOA’s SAN is nearing capacity, and will cause costly downtimes if servers run out of disk
space. Which of the following is a more cost effective alternative to buying a new SAN?



A. Enable multipath to increase integrity
B. Enable deduplication on the storage pools
C. Implement snapshots to reduce virtual disk size
D. Implement replication to offsite datacenter



Deduplication
A chunk is a collection of storage blocks. Deduplication works by analyzing files, locating the unique chunks of data that make up those files, and only storing one copy of each unique data chunk on the volume. Deduplication is able to reduce the amount of storage consumed on the volume because when analyzed, it turns out that a substantial number of data chunks stored on a volume are identical. Rather than store multiple copies of the same identical chunk, deduplication ensures that one copy of the chunk is stored with placeholders in other locations pointing at the single copy of the chunk, rather than storing the chunk itself.
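As an added illustration of the chunk-and-placeholder mechanism described above (example code written for this post, not taken from any product), the volume below splits files into fixed-size chunks, keys each chunk by its SHA-256 hash, stores one copy per unique hash, and keeps files as lists of placeholders. The reference counts matter for integrity: a chunk may only be reclaimed when the last placeholder pointing at it is gone. The sample files and the 8-byte chunk size are constructed for the demonstration; real systems use far larger chunks.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DedupVolume:
    """A volume that keeps one copy of each unique chunk; files are lists of placeholders."""
    chunk_size: int = 8  # tiny fixed-size chunks so the constructed sample shows duplicates
    chunks: Dict[str, bytes] = field(default_factory=dict)     # chunk hash -> the single stored copy
    refcount: Dict[str, int] = field(default_factory=dict)     # chunk hash -> placeholders pointing at it
    files: Dict[str, List[str]] = field(default_factory=dict)  # file name -> ordered chunk hashes
    logical_bytes: int = 0  # what the files would occupy without deduplication

    def _chunk_id(self, chunk: bytes) -> str:
        # Identify chunks by a collision-resistant hash, never by a short checksum:
        # a collision here would silently hand one file another file's data.
        return hashlib.sha256(chunk).hexdigest()

    def write(self, name: str, data: bytes) -> None:
        if name in self.files:  # overwrite: release the old placeholders first
            self.delete(name)
        placeholders = []
        for i in range(0, len(data), self.chunk_size):
            chunk = data[i:i + self.chunk_size]
            cid = self._chunk_id(chunk)
            if cid not in self.chunks:  # first time this chunk is seen: store the one copy
                self.chunks[cid] = chunk
                self.refcount[cid] = 0
            self.refcount[cid] += 1  # one more placeholder now points at the copy
            placeholders.append(cid)
        self.files[name] = placeholders
        self.logical_bytes += len(data)

    def read(self, name: str) -> bytes:
        # Reassemble the file by following its placeholders to the stored chunks.
        return b"".join(self.chunks[cid] for cid in self.files[name])

    def delete(self, name: str) -> None:
        for cid in self.files.pop(name):
            self.logical_bytes -= len(self.chunks[cid])
            self.refcount[cid] -= 1
            if self.refcount[cid] == 0:  # last placeholder gone: the copy may be reclaimed
                del self.refcount[cid]
                del self.chunks[cid]

    def physical_bytes(self) -> int:
        return sum(len(chunk) for chunk in self.chunks.values())

    def savings_ratio(self) -> float:
        physical = self.physical_bytes()
        return self.logical_bytes / physical if physical else 0.0


def build_sample_volume():
    """Constructed sample: two documents that share most of their content."""
    file_a = b"HEADER01" + b"PAYLOAD-" * 4 + b"TAIL0001"
    file_b = b"HEADER02" + b"PAYLOAD-" * 4 + b"TAIL0001"
    vol = DedupVolume(chunk_size=8)
    vol.write("a.txt", file_a)
    vol.write("b.txt", file_b)
    return vol, file_a, file_b


if __name__ == "__main__":
    vol, _, _ = build_sample_volume()
    print(f"logical={vol.logical_bytes} physical={vol.physical_bytes()} "
          f"unique_chunks={len(vol.chunks)} ratio={vol.savings_ratio():.1f}")
```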

Session Hijacking - Shijack and ettercap

shijack.tgz at packet storm security website

hijack

poisoning the network

ettercap -G
running in graphical mode

sniff
unified sniffing
eth0

host
scan for host


Add target 1
Add target 2

Click on Mitm
Sniff remote connections - to poison those two targets
OK

Putty to metasploitable2
msfadmin
msfadmin


cd /usr/share/shijack
./shijack eth0 IP port IP


LUN Masking


The LUN masking mechanism is used to configure required security policies to present the storage LUNs to only those systems and cloud storage devices that require access via the interfaces and configuration options provided by physical storage vendors.


Two storage administrators are discussing which SAN configurations will offer the MOST
confidentiality. Which of the following configurations would the administrators use? (Select TWO).

A. Deduplication
B. Zoning
C. Snapshots
D. Multipathing
E. LUN masking



LUN masking can control which LUNs are visible to each vSphere host. This is the opposite of zoning, where the storage array configuration determines which LUNs are visible to a host. This feature allows multiple vSphere hosts to be connected to a storage with multiple LUNs, while allowing only one vSphere host, which you specify, to see some particular LUNs. This feature is the same as EMC CLARiiON or VNX provide LUN masking in the storage group at the array level. You can add the host and LUNs to a storage group, and then the host will only be able to see those LUNs.

Which of the following protocols only facilitates access control?



A. XACML


Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. 




Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.





Extensible Access Control Markup Language (XACML) is a standard for an access control policy language using Extensible Markup Language (XML). Its goal is to create an attribute-based access control system that decouples the access decision from the application or the local machine. It provides for fine-grained control of activities based on criteria including:


Attributes of the user requesting access (for example, all division managers in London)


The protocol over which the request is made (for example, HTTPS)


The authentication mechanism (for example, requester must be authenticated with a certificate)

XACML uses several distributed components. Policy enforcement point (PEP): This entity is protecting the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information. Policy decision point (PDP): This entity retrieves all applicable policies in XACML and compares the request with the policies. It transmits an answer (access or no access) back to the PEP. XACML is valuable because it is able to function across application types. XACML is a good solution when disparate applications that use their own authorization logic are in use in the enterprise. By leveraging XACML, developers can remove authorization logic from an application and centrally manage access using policies that can be managed or modified based on business need without making any additional changes to the applications themselves.
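The PEP/PDP split described above, as an added example (written for this post, not a real XACML implementation or library): the PEP builds a request from the subject's attributes, the action, the resource and the environment, and the PDP evaluates a rule set with a deny-overrides combining algorithm. The policy is constructed from the criteria in the text (London division managers, HTTPS, certificate authentication); all attribute names and paths are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class XacmlRequest:
    """Request the PEP builds from the subject's attributes, the action, the resource and environment."""
    subject: Dict[str, str]
    action: str
    resource: str
    environment: Dict[str, str]


@dataclass
class Rule:
    """One policy rule: a condition over request attributes and the effect when it matches."""
    description: str
    condition: Callable[[XacmlRequest], bool]
    effect: str  # "Permit" or "Deny"


class PolicyDecisionPoint:
    """Evaluates every applicable rule and combines the results with deny-overrides."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def evaluate(self, request: XacmlRequest) -> str:
        effects = [rule.effect for rule in self.rules if rule.condition(request)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"  # no rule matched; the PEP must still treat this as a denial


class PolicyEnforcementPoint:
    """Guards the resource: builds the request, asks the PDP, enforces the answer."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def is_allowed(self, subject, action, resource, environment) -> bool:
        request = XacmlRequest(subject, action, resource, environment)
        return self.pdp.evaluate(request) == "Permit"  # anything other than Permit is enforced as deny


def build_pdp() -> PolicyDecisionPoint:
    """Constructed policy: London division managers may read reports, but only over HTTPS
    and only when the requester authenticated with a certificate."""
    return PolicyDecisionPoint([
        Rule("London division managers may read reports",
             lambda r: r.subject.get("role") == "division-manager"
             and r.subject.get("location") == "London"
             and r.action == "read"
             and r.resource.startswith("/reports/"),
             "Permit"),
        Rule("Requests not made over HTTPS are denied",
             lambda r: r.environment.get("protocol") != "HTTPS",
             "Deny"),
        Rule("Subjects not authenticated with a certificate are denied",
             lambda r: r.environment.get("authn") != "certificate",
             "Deny"),
    ])


def decide(subject, action, resource, environment) -> str:
    """Return the raw PDP decision for one request."""
    return build_pdp().evaluate(XacmlRequest(subject, action, resource, environment))


if __name__ == "__main__":
    manager = {"role": "division-manager", "location": "London"}
    secure = {"protocol": "HTTPS", "authn": "certificate"}
    print(decide(manager, "read", "/reports/q3.pdf", secure))  # Permit
    print(decide(manager, "read", "/reports/q3.pdf", {**secure, "protocol": "HTTP"}))  # Deny
    print(decide({**manager, "location": "Paris"}, "read", "/reports/q3.pdf", secure))  # NotApplicable
```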

confidentiality of data when using SOAP

A Security Administrator has some concerns about the confidentiality of data when using SOAP.
Which of the following BEST describes the Security Administrator’s concerns?
A. The SOAP header is not encrypted and allows intermediaries to view the header data. The
body can be partially or completely encrypted.
Explanation
XML defines a universal format for exchanging application data. The universal XML specification alone, however, is not enough to provide developers with the infrastructure they need to create easy and elegant web services. Although XML provides an efficient format for reading and writing program data, XML alone does not provide a standard format for structuring and interpreting that data. The SOAP specification fills that role. SOAP is a standard protocol for exchanging XML-based messages that pass between the web-service client and server.
SOAP is designed to support communication between so-called SOAP nodes. (A SOAP node is basically a computer or application that supports SOAP.) The SOAP specification defines the structure of a message that passes from the SOAP sender to the SOAP receiver. Along the way, the message might pass through intermediate nodes that process the information in some way. An intermediate node might provide logging, or it might modify the message somehow in transit to its final destination.
At the conceptual level, a SOAP message from the client says, “Here is some input. Process this and send me the output.” The functionality of the application derives from a series of these XML-based SOAP messages in which the endpoints send information and receive responses. The formal structure of the SOAP message allows the software developer to easily create a SOAP-based client application that interacts with the server. For instance, a rental company that provides car rental reservations through a web-based server application could easily make the specifications available for a developer to write a custom client application that could connect to the server and reserve a car.
The structure of a SOAP message consists of an optional header and a message body. The header contains callouts, definitions, and meta-information that will be used by any node along the message path. The body includes data intended for the message recipient. For example, in the case of the car reservation service, the message body might contain data from the client describing the car the customer would like to rent and the date the vehicle must be available.
Because the SOAP Header is an optional object, you might or might not find header information serialized in a given SOAP packet. But if there is header information, all of that information must be serialized within the SOAP Header object, which must be the first (XML) child of the Envelope element. That's where you'll find it, but what is it used for?
Well, in a nutshell, the SOAP Header is used to transmit auxiliary information relevant to the Web Service processing that isn't part of the method signature. For example, imagine that you have a Web Service that specifies the toppings and crust style of the pizza that you intend to order (in C#):
OrderInfo OrderPizza(int[] toppings, int[] crust, PaymentInfo pi);
For this example, assume that the OrderInfo structure contains delivery information such as order confirmation, delivery timeline, and so on. The integer arrays contain integers that enumerate the various toppings and crusts available to you. The payment information structure contains payment data, such as a credit card number.
The Web Service, in this case, accepts your pizza order (presumably, you called another Web Service before this to establish your identity and delivery information). But it isn't a stretch to believe that there should be some sort of encryption associated with this invocation. That is, as the customer, you probably want to see at least the payment information, if not the entire packet, encrypted.



  • Applied SOAP: Implementing .NET XML Web Services

  • By: Kenn Scribner; Mark Stiver
  • Publisher: Sams
  • Pub. Date: 

A new study finds potentially manipulative ads in apps for preschoolers

By Hamza Shaban October 30
Apps marketed to children 5 and younger deploy potentially manipulating tactics to deliver ads to children, raising questions about the ethics of child software design and consumer protection, according to a new study.

Researchers from the University of Michigan C.S. Mott Children’s Hospital looked at more than 100 apps, mostly from the Google Play app store, and found that nearly all of them had at least one type of ad, often interwoven into the apps’ activities and games. The apps, according to the researchers, used a variety of methods to deliver ads to children, including commercial characters, pop-up ads, in-app purchases, and, in some cases, distracting ads, hidden ads or ads that were posed as gameplay items.

The authors suggest that the deceptive and persuasive nature of the ads leaves children susceptible to them, because of their lack of mental development in controlling their impulses and attention.


“Our findings show that the early childhood app market is a Wild West, with a lot of apps appearing more focused on making money than the child’s play experience,” Jenny Radesky, a developmental behavioral expert and an author of the study, said in a statement. “This has important implications for advertising regulation, the ethics of child app design, as well as how parents discern which children’s apps are worth downloading.”

Children use mobile devices one hour every day, on average, highlighting the importance of researching what they encounter and how it may affect their health, Radesky added.

The study comes amid a broader backlash against technology giants and the popular apps that compete for users' time and attention. In response, some of the biggest names in tech have released “digital wellness” tools to help consumers track how much time they spend on their smartphone apps, a kind of new-age calorie counting to boost awareness of tech’s influence on people’s daily lives. But in recent months, the skepticism aimed at Silicon Valley has also focused on opposing the early adoption of digital technology.


The federal government has long regulated TV advertising to young children. But the authors say that ads found in digital media may be harder to quantify and regulate because they do not exist alongside predictable, linear TV segments, but are more immersive and personalized. According to the authors, their study is the first to examine the advertising practices used in children’s apps, finding “a high prevalence of advertising using distracting features, potentially manipulative approaches, and content that did not appear to be age-appropriate.”

The authors reviewed 135 apps and found that 95 percent of them contained at least one type of ad. They found that the prevalence of advertisements occurred at similar rates whether the apps were labeled “educational” or not.

The apps that the researchers reviewed came from another study on family mobile use and from the most-downloaded free and paid apps in the Google Play store, in the category for children 5 and younger.


A coalition of consumer groups and public interest organizations seized on the findings of the study, which is called “Advertising in Young Children’s Apps.” Led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy, the groups sent a letter to the Federal Trade Commission on Tuesday, calling on the agency to launch an investigation of apps that cater to young children. The coalition argued that preschool apps engage in unfair and deceptive practices — a violation of consumer protection law — through the use of false marketing and tactics that manipulate kids to watch ads and purchase upgrades.

“This groundbreaking study demonstrates that popular apps for preschoolers are rife with marketing that takes unfair advantage of children’s developmental vulnerabilities,” Josh Golin, executive director of the Campaign for a Commercial Free Childhood, said in a statement Tuesday. “Disguising ads as part of gameplay and using cartoon characters to manipulate children into making in-app purchases is not only unethical, but illegal."

Cartoon - Kids and video-game


Three radical paths to equality


pip and sn1per - Kali Basic Tools series

https://github.com/Ara2104/Sn1per


Basic checks

pip install --upgrade pip

Tuesday, October 30, 2018

PowerShell Troubleshooting commands

get-netIPConfiguration
get-netIPaddress

test-netconnection www.linkedin.com

resolve-dnsname www.linkedin.com

resolve-dnsname www.linkedin.com -type soa

route print - routing table

get-netroute -protocol Local - destination prefix

Sunday, October 28, 2018

wpscan scanner

We will first enumerate the available WordPress logins using the enumerate user script. Enter the following command in the terminal:
wpscan -u https://<IP address>:12380/blogblog/ --enumerate u

Scanning SSL Kali Linux

sslscan website

heartbeat vulnerability


Another tool that performs a thorough sweep and analyzes the SSL/TLS configurations of a target service is SSLyze. To perform the majority of the basic tests in SSLyze, arguments should include the target server and the --regular argument. This includes tests for SSLv2, SSLv3, TLSv1, renegotiation, resumption, certificate information, HTTP GET response status codes, and compression support as follows:

root@KaliLinux:~# sslyze google.com --regular

Efficient technique using BurpSuite when spidering - Kali Linux

Proxy

Add the site to the scope


Spider tab - Options - application login - automatically submit these credentials

admin' or 1=1 --
password - NONE-blank

---

Target tab - activate spider

Target - site map tab
engagement tool - discover content - 
click session is not running button
brute force attack running


checks if a given domain uses load-balancing

lbd website


wafw00f website - web application firewall attack commands

wafw00f website

WafW00f is a very useful Python script, capable of detecting the web application firewall (WAF). This tool is particularly useful when a penetration tester wants to inspect the target application server, and might get a fallback with certain vulnerability assessment techniques, for which the web application is actively protected by a firewall. Therefore, detecting the firewall sitting in between the application server and the Internet traffic not only improves a testing strategy, but also presents exceptional challenges for the penetration tester to develop advanced evasion techniques.

API Security Cheat Sheet - OWASP


Reverse shells - joke


Building security from scratch


OWASP, podcast

https://soundcloud.com/owasp-podcast/how-to-build-chapter-engagement-at-owasp

While at 2018 AppSec EU, I spoke with Sam Stepanyan and Grigorios Fragkos, chapter leaders of one of OWASP's largest chapters. The conversation centered around what does it take to grow a community, what does it take to lead a chapter.

Saturday, October 27, 2018

The registry - where to find where I was connected - Wireless

Alex wants to determine whether the user of a company-owned laptop accessed a malicious wireless access point. Where can he find the list of wireless networks that the system knows about?
  1. The registry
  2. The user profile directory
  3. The wireless adapter cache
  4. Wireless network lists are not stored after use.


The Windows registry stores a list of wireless networks the system has connected to under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles. This is not a user-specific setting and is stored for all users in LocalMachine.

NMAP syn scan - half-open scan - just send a syn packet

nmap -T4 -v -PN -n -sS --top-ports 100 --max-parallelism 10 -oA nmapSYN IP

T - speed
v - verbose
-PN - do not ping (treat all hosts as online)
-n - no dns resolution

sS - syn packet scan

--top-ports 100

--max-parallelism 10

-oA - output

--------


nmap -T4 -v -PN -n -sA --top-ports 100 --max-parallelism 10 -oA nmapACK IP

-sA - it never determines open ports

it is used to map firewall ports (filtered vs. unfiltered)


----
aggressive option

nmap -T5 -PN -v -A -oA nmapcomplete IP


Who What Where When Why How



Human job replaced by robot


Emerging security challenges


Every organization has to be a part of this never-ending race against cyber attackers. If you fail to keep yourself ahead of your adversaries, you are likely to become the victim of attacks. In the coming years, defenders have to prepare themselves for some of the most emerging security challenges and threats. These are the following:


Slow security adaptation: Unlike networking and cloud transformation, cyber security solutions are not evolving at the expected rate. The traditional network segmentation has been replaced with a simplified and flat architecture, removing lots of network complexity. However, security solutions still use the traditional zone-based approach to mitigate threats.
Human error: As per the IBM Security service report, more than 95 % of investigated cyber incidents occurred due to human errors, such as system misconfiguration and insufficient patch management.
Third-party vendor security risk: In the world of interconnected businesses, organizations have to let other organizations store and use their information for better business operations, however, this can also lead to a bigger risk. If a third-party gets compromised, the organization is at the risk of losing business data. Most supply-chain attacks use sophisticated attack vectors that manage to bypass existing security systems.

Thursday, October 25, 2018

In order, which set of Linux permissions are least permissive to most permissive?

In order, which set of Linux permissions are least permissive to most permissive?
  1. 777, 444, 111
  2. 544, 444, 545
  3. 711, 717, 117
  4. 111, 734, 747


Linux permissions are read numerically as “owner, group, other.”

The numbers stand for read: 4, write: 2, and execute: 1. Thus, a 7 provides that person, group, or other with read, write, and execute. A 4 means read-only, a 5 means read and execute, without write, and so on. 777 provides the broadest set of permissions, and 000 provides the least.

chkrootkit - finding rootkits on your Kali Linux

chkrootkit

checking if Kali Linux is clean


Activate tor and proxychains on your Kali Linux

apt-get install tor

leafpad /etc/proxychains.conf


disable strict_chain by adding a pound sign (#) in front of it

Enable dynamic_chain by deleting the pound sign in front of it

Add the socks5 line at the end

socks4  127.0.0.1 9050
socks5  127.0.0.1 9050



service tor start
to verify - service tor status

iceweasel www.whatismyip.com

Activating Proxychains
proxychains iceweasel www.whatismyip.com






Configuring SSH on Kali Linux

cd /etc/ssh

mkdir keys_backup_ssh
mv ssh_host_* keys_backup_ssh
dpkg-reconfigure openssh-server


service ssh start
service ssh stop

netstat -antp
listening where (which port)?


Essential programs on Kali Linux - Penetration test - kit

apt-get install preload
Using preload to Speed up Linux

apt-get install bleachbit
total privacy cleaner
advance - wiping free space

apt-get install bum
system performance
disable unnecessary services

apt-get install gnome-do
execute key app using keyboard

apt-get install apt-file
search which package provides a file

apt-get install scrub
secure deletion program (standards-compliant wiping)

apt-get install shutter
captures images from your desktop

apt-get install figlet
console looks professional

leafpad /root/.bashrc
write your personal message at the end






apt-get dist-upgrade -y - general commands



leafpad kali_update.sh  # .sh is a shell script

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

chmod +x kali_update.sh  # make the script executable


---
dpkg -l | grep zip 

apt-cache show zip


apt-get remove (package name)

leafpad /etc/

----



Install VMtools on Kali Linux - fixing an error

Install VMtools on Kali Linux

delete no auto
insert exec





Sunday, October 21, 2018

Jikto XSS

Jikto
In 2007, only a couple of years after the initial XSS propagation research, Hoffman demonstrated Jikto at ShmooCon. Jikto was a tool to demonstrate the impact of unmitigated XSS flaws, and what happens when you execute attacker-controlled code within a browser.
Advancing the methodology from earlier XSS self-propagation research and code, Jikto was designed to kick off a silent JavaScript loop that would either try to self-propagate, similar to Samy, or poll a central server for further commands. Although the code was constructed as an in-house demonstration, it was leaked and slowly found its way onto the broader Internet.
One of the more interesting enhancements found in Jikto was how it managed to bypass the SOP. It did this by loading both the Jikto code and the target origin content into the same-origin through a proxy (or cross-origin bridge). Initially Google Translate was used to proxy the separate requests, but Jikto could be modified to use other sites for proxying too.

Defense Against Session Hijacking

Session hijacking is tricky business, and IDS monitoring is only a calculated guess based on assumptions of traffic patterns. The Cisco IDS did a good job of monitoring T-Sight session hijacking, but in several cases, alarms were missed and a few attacks went completely unnoticed. For example, if the original client never communicated during the hijacking or if a client connection was reset before ACK storms occurred, the 3250 signature would never be triggered, and the attack would go through unnoticed. This is not the fault of IDS; it is just that not enough suspicious traffic is sent to provide a reliable detection. Prevention is the only true protection, and IDS or a super-human watching Ethereal packet sniffing traffic like the Matrix screen saver are too unreliable for all possibilities.


Session Hijacking, Session_Hijacking, example



The service controller (sc) command is a rich command you can use to start, stop, and manipulate services from the command line. This allows you to perform many of the same functions from the command line as you can do via the Services console.

Command - Description

C:\>sc query

SERVICE_NAME: Netlogon
DISPLAY_NAME: Netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Lists all running services and drivers. The output above shows the results for a single service (the Netlogon service), but the actual output shows details on all running services and drivers. The output can be quite extensive. Of course, you can capture the entire output with the redirect (>) symbol, as in sc query > services.txt

Tip
The SERVICE_NAME shows the name of the service that you can use in other commands.

sc query state= all | inactive

C:\>sc query state= all
C:\>sc query state= inactive

Lists all services, including services that are stopped, running, or paused.

Note
There is no space between state and = (state=), and there is a space between = and all (= all).

You can use state= inactive to list only services that are stopped, or state= all to list all services, including those that are running and those that are stopped.

tail -f filename




The tail command displays the bottom part of text data. By default, the last ten lines are displayed. Use the -n option to display a different number of lines:

Option - Description
-f - Display the bottom part of a file and follow changes, that is, continue to display any changes made to the file.
-n +x - Display from line number x to the end of the file.

Sunday, October 14, 2018

NIST Flow chart to Incident eradication and recovery


Use after free



Joana, a hacker, has discovered he can specifically craft a webpage that when viewed in a browser crashes the browser and then allows him to gain remote code execution in the context of the victim’s privilege level. The browser crashes due to an exception error when a heap memory that is unused is accessed. Which of the following BEST describes the application issue?


A. Integer overflow
B. Click-jacking
C. Race condition
D. SQL injection
E. Use after free
F. Input validation








Pointer management vulnerabilities


In languages that encourage or require the use of raw memory pointers (chiefly C and C++), it is possible to use pointers that are either uninitialized or no longer valid (“dangling”), leading to vulnerabilities such as use after free, double free, and many more. These vulnerabilities will corrupt the internal state of the program and usually allow an attacker to execute attacker-supplied code.






Use After Free Vulnerabilities


Heap buffers are valid for a lifetime, from the time they are allocated to the time they are deallocated via free or a realloc of size zero. Any attempts to write to a heap buffer after it has been deallocated can lead to memory corruption and eventually arbitrary code execution.




Use after free vulnerabilities are most likely to occur when several pointers to a heap buffer are stored in different memory locations and one of them is freed, or where pointers to different offsets into a heap buffer are used and the original buffer is freed. This type of vulnerability can cause unexplained heap corruption and is usually rooted out in the development process. Use after free vulnerabilities that sneak into release versions of software are most likely in areas of code that are rarely exercised or that deal with uncommon error conditions. The Apache 2 psprintf vulnerability disclosed in May of 2003 was an example of a use after free vulnerability, in which the active memory node was accidentally freed and then subsequently handed out by Apache's malloc-like allocation routine.

Johari Window


SAML uses which? - Fiddler

To prevent a third party from identifying a specific user as having previously accessed a service
provider through an SSO operation, SAML uses which of the following?

A.Transient identifiers
B.SOAP calls
C.Discovery profiles
D.Security bindings

In an SSO operation using SAML, what is the transient identifier designed to prevent?
A. a third party from identifying a specific user as having previously accessed a service provider
B. a third party from capturing data en route
C. the identity provider from creating multiple IDs
D. the service provider from performing multiple authentications
Answer: A

Explanation: To prevent a third party from identifying a specific user as having previously accessed a service provider through an SSO operation, SAML uses transient identifiers (only valid for a single login session) that will be different each time the user authenticates again but will stay the same as long as the user is authenticated.

SAML entities can operate in a variety of different roles. Valid SAML roles include which of the
following?
A. Attribute authority and certificate authority
B. Certificate authority and attribute requestor
C. Identity provider and service provider
D. Service provider and administrator


--------
The weakness in the SAML identity chain is the integrity of users. To mitigate risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS.

----------------------
Fiddler
The most important tool for troubleshooting ADFS is a free one called Fiddler. Fiddler is an HTTP proxy that allows you to look at the HTTP traffic in a friendly GUI. If you’ve used Wireshark or Netmon before for network tracing, you can think of Fiddler as an application-layer version of those tools. Get a copy of Fiddler and install it on your workstation. Next, go to this link and install the add-ons for Fiddler that enable you to easily work with HTML, XML, and so forth.
Download the Fiddler federation inspector from this site. This add-on will enable Fiddler to decode WS-Federation and SAML markup. Extract the .zip file and browse to the bin\Debug folder. Copy Thinktecture.FederationInspector.dll to C:\Program Files (x86)\Fiddler2\Inspectors, or wherever you installed Fiddler on your machine.

In order to look at encrypted ADFS traffic, you’ll need to configure Fiddler to intercept HTTPS traffic. To do this, launch Fiddler and go to Tools→Fiddler Options. On the HTTPS tab, check “Capture HTTPS CONNECTs” and “Decrypt HTTPs traffic.” Next, you will be prompted to generate a certificate for Fiddler to intercept SSL traffic and to configure Windows to trust the certificate. You’ll receive another confirmation to import the certificate and then finally a final confirmation after a User Account Control (UAC) prompt. Answer Yes to all of these prompts.

Burp Suite's architecture


Drown vulnerability

DROWNing HTTPS

The DROWN (CVE-2016-0800) vulnerability identifies a server that is open to a non-trivial attack that relies on SSLv2 support, to which at least a third of all internet servers were vulnerable as of March 2016. Attackers take advantage of SSLv2 support in an application that uses the same keys as are used to salt or help randomize TLS (the more recent protocol versions). By initiating tens of thousands of SSLv2 messages, they are able to glean the keys used in more robust and current versions of TLS, and thus break the higher-grade encryption with stolen private keys. Once thought to be impractical based on the sheer number of messages believed to be needed (it is also called the million message attack), it is now known to be achievable with commercially available resources in hours using tens of thousands of messages.
Detecting DROWN vulnerabilities is as simple as seeing if SSLv2 is supported on the target server or any other servers sharing the same keys. Another tool that can be used to identify the vulnerability is located on the http://test.drownattack.com website.


POODLE – all bark, no bite - command to use

nmap -sV --version-light --script ssl-poodle -p 443 <host>

Padding Oracle On Downgraded Legacy Encryption (POODLE)

POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE), as its name indicates, is a padding oracle attack that abuses the downgrading process from TLS to SSLv3.
Padding oracle attacks require the existence of an oracle, which means a way of identifying when the padding of a packet is correct. This could be as simple as a padding error response from the server. This occurs when an attacker alters the last byte of a valid message and the server responds with an error. When the message is altered and doesn't result in an error, the padding was accepted for the value of that byte. Along with the IV, this can reveal one byte of the keystream and, with that, the encrypted text can be decrypted. Let's remember that IVs need to be sent along with the packages so that the recipient knows how to decrypt the information. This works very much like a blind SQL injection attack.
To achieve this, the attacker would need to achieve a man-in-the-middle position between the client and server and have a mechanism to make the client send the malicious probes. This last requirement can be achieved by making the client open a page that contains JavaScript code that performs that work.
Kali Linux doesn't include an out-of-the-box tool to exploit POODLE, but there is a Proof of Concept (PoC) to do this by Thomas Patzke on GitHub: https://github.com/thomaspatzke/POODLEAttack. It is left to the reader to test this PoC as an exercise.
Most of the time during web application penetration testing, it will be enough for you to see in the SSLScan, SSLyze, or Nmap output that SSLv3 is allowed to know that a server is vulnerable to POODLE; no further tests are required to prove this point and convince your client to disable a protocol that has been superseded for nearly 20 years and most recently declared obsolete.
Although POODLE is a serious vulnerability for an encryption protocol such as TLS, the complexity of executing it in a real-world scenario makes it much more likely that an attacker will use techniques such as SSL Stripping (https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf) to force a victim to browse over unencrypted protocols.

  • Web Penetration Testing with Kali Linux - Third Edition

  • By: Gilberto Najera-Gutierrez; Juned Ahmed Ansari
  • Publisher: Packt Publishing
  • Pub. Date: 

Hack the vote cartoon



Remote Hybrid and Office work