Dead Packets

21/06/2012

GWAPT Study Notes

Filed under: certification, security — drak @ 11:45 PM

Last year I took the GWAPT (GIAC Web Application Penetration Tester) certification, which is offered by SANS/GIAC. Below I share the study guide I put together while preparing for the exam; it is based on SANS's own excellent course.

Recon

  • Whois, DNS (dig, nslookup, fierce)
  • Google hacking, newsgroups, mailing, social nets (gpscan, reconnoiter)
  • Maltego

Mapping

  • Port scan, service versioning (nmap)
  • Spidering (webscarab, paros, burp, wget, cewl)
  • Application flowchart (dirbuster)
  • Relationship Analysis (maltego)
  • Discover hidden pages (nikto)
  • Session Analysis (webscarab, burp)

Discovery

  • Automated scanner (grendel, w3af, burp)
  • Manual checks (info leak, dir browsing, username, command inject, sql inject, xss, csrf)
  • Client-side
    • AJAX (logic, api, data, sprajax, ratproxy)
    • Web Services (WSDL, UDDI, SOAP, ext. entity, xpath)
    • Flash (ratproxy, crossdomain, flare, swfscan, swfintruder)
    • Java (class, jad)
    • PHP

Exploitation

  • auth bypass
  • injection (sql, command, code, csrf, xss, response splitting)
    • sql (sqlmap, phpshell, ajaxshell, laudanum)
    • xss (post to get, evasion, durzosploit, attackAPI, beef)
    • limiting (client+java, client+pen, server+target, server+pen, pen infra)
  • session (hijack, fixation, xsrf, monkeyfist)

References
Certification: GWAPT
SANS


07/07/2011

CCSE Study Notes

Filed under: certification, checkpoint — drak @ 3:38 PM

I recently obtained Check Point's CCSE certification; below are my study notes. I used the practice exams available on Check Point's own site for both R70 and R71, and on the exam I found some questions identical to those from both.

I suggest that anyone taking the exam also read the Admin Guides for the respective products, and do all the labs suggested in the course.

# Smart Portal / Management Portal: Facilitate remote management of corporate security gateways
default port TCP/4433
smartportalstart / smartportalstop
/opt/CPportal-R70/portal/
hosts.allow
cp_httpd_admin.conf

# SmartWorkflow: Process a change request with SmartWorkflow

# SmartProvisioning: Implement provisioning deployment scenarios
SmartProvisioning indicators: OK, Needs Attention, Agent is in local mode, Uninitialized, Unknown
Local backup is stored in /var/CPbackup/backups
LSMenabler -r
LSMcli

# SSL VPN: Configure and test VPN in a clustered environment

# SecureXL & CoreXL
fwaccel on / stat / conns -s
maximum of 8 cores
Client and Session Auth are synchronized in the cluster, User Auth is not
sim affinity / fw ctl affinity
Does not accelerate traffic whose service is ANY
Does not accelerate FTP

# Management HA

# ClusterXL
cphaprob state
clusterXL_admin down / up
FIBMgr (TCP/2010) – Synchronizes routes between cluster members, NextHop GateD process
CCP (UDP/8116), Checkpoint Cluster Protocol
$FWDIR/boot/modules/fwkern.conf
fwha_mac_magic=0x_
fwha_mac_forward_magic=0x_
fw ctl get int fwha
Sticky Decision

# Dynamic Routing
router enable / config
no-flush-at-exit
write mem
vpn shell
interface add numbered
show interface summary all
show interface detailed all
IGMP Snooping is not enabled by default

# Load Balancing / ConnectControl
Agent communicates on UDP/18212

# QoS
WFRED (manages packet buffers, protects the buffer from aggressive connections) / RDED (removes retransmits from the queue)
ToS byte -> Differentiated Services
Low Latency Queuing for delay sensitive applications
Weighted Fair Queuing is used for relative allocation
fgate

# IPS: Modify IPS policy to improve bandwidth and protection

# DLP: Deploy and manage data loss prevention
DLP must be installed on a dedicated (standalone) machine

# SmartEvent
windowEventToCPLog
-l log_server
-a windows_host
-s (credentials)
$FWDIR/conf/syslog/CPdefined syslog files

# SmartReporter: Chart events into meaningful data
UpdateMySQLConfig -R
$RTDIR/Database/conf/my.conf
evstop -reporter

# Advanced Troubleshooting & Debugging: Apply advanced troubleshooting and debugging techniques

30/06/2010

SNAF Lab Notes

Filed under: certification, cisco — drak @ 11:02 AM

In the same spirit as the CCNA Security Lab Notes, here are some notes I used while studying. For this exam my main resources were:

– Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition)
– Course material for Securing Networks with ASA Fundamentals (SNAF)
– Labs on real equipment

wr erase
reload
sh mem
sh ver
sh hist
sh bootvar
dir
boot system disk0:/asa822-k8.bin
asdm image disk0:/asdm-631.bin
wr mem
logging enable
logging host inside 10.1.1.1
logging trap debugging

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd enable inside
dhcpd dns 192.189.10.10 interface inside
dhcpd wins 192.189.10.10 interface inside
dhcpd lease 80000 int inside

! Modular Policy Framework

access-l INTERNET_ACL permit tcp any object-group WEBSERVERS object-group HTTP_SVC
access-l VOIP_ACL permit object-group VOIP_Protocols 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0

class-map VOICE_MAP
match access-l VOIP_ACL
class-map INTERNET_MAP
match access-l INTERNET_ACL
policy-map OUTSIDE_POL
class VOICE_MAP
priority
class INTERNET_MAP
ips inline fail-open
service-policy OUTSIDE_POL interface outside

class-map type management MANAGEMENT
match port tcp eq https
policy-map outside-policy
class MANAGEMENT
set connection conn-max 10 embryonic-conn-max 8

sh service-policy

class-map 8080_INSPECT_TRAFFIC
match port tcp eq 8080
policy-map global_policy
class 8080_INSPECT_TRAFFIC
inspect http

! Threat detection

threat-detection basic-threat
threat-detection rate
threat-detection rate dos-drop rate-interval 600 average-rate 50 burst-rate 100
sh threat-detection scanning-threat attacker
sh threat-detection shun
sh threat-detection statistics
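The `threat-detection rate dos-drop rate-interval 600 average-rate 50 burst-rate 100` line above sets two separate thresholds: an average drop rate measured over the whole rate interval and a burst rate measured over a much shorter window. The model below is an added example (not part of the original notes, not Cisco code) that reproduces both calculations so the difference is visible; it assumes the documented rule that the burst interval is 1/30 of the rate interval with a 10-second floor, and the drop timeline it runs over is constructed.

```python
"""Model of the average-rate and burst-rate thresholds behind the ASA command
`threat-detection rate dos-drop rate-interval 600 average-rate 50 burst-rate 100`.
Added example with a constructed drop timeline; assumes the documented rule that
the burst interval is rate-interval/30, but never less than 10 seconds."""
from collections import Counter


class DropRateMonitor:
    def __init__(self, rate_interval: int = 600, average_rate: int = 50, burst_rate: int = 100):
        self.rate_interval = rate_interval
        self.burst_interval = max(rate_interval // 30, 10)   # 20 s for a 600 s interval
        self.average_rate = average_rate                     # drops per second, long window
        self.burst_rate = burst_rate                         # drops per second, short window
        self.drops = Counter()                               # second -> drops seen in that second

    def record(self, ts: int, count: int = 1) -> None:
        """Count `count` dropped packets at timestamp `ts` (whole seconds)."""
        self.drops[ts] += count

    def _rate(self, now: int, window: int) -> float:
        """Drops per second over the last `window` seconds ending at `now`."""
        total = sum(c for t, c in self.drops.items() if now - window < t <= now)
        return total / window

    def check(self, now: int) -> dict:
        """Evaluate both thresholds at time `now`; either one exceeded would raise the alert."""
        avg = self._rate(now, self.rate_interval)
        burst = self._rate(now, self.burst_interval)
        return {
            "average": avg,
            "burst": burst,
            "average_exceeded": avg > self.average_rate,
            "burst_exceeded": burst > self.burst_rate,
        }


def simulate_flood() -> dict:
    """Constructed scenario: 5 drops/s of background noise for 580 s, then a
    20-second flood of 300 drops/s. The 600 s average stays under 50/s, so only
    the burst threshold catches the flood."""
    m = DropRateMonitor()
    for t in range(0, 580):
        m.record(t, 5)
    for t in range(580, 600):
        m.record(t, 300)
    return m.check(599)


def simulate_slow_steady() -> dict:
    """Constructed scenario: a steady 60 drops/s for the whole interval. The burst
    rate (60/s) is under 100, but the average (60/s) exceeds 50, so only the
    average threshold fires."""
    m = DropRateMonitor()
    for t in range(0, 600):
        m.record(t, 60)
    return m.check(599)


if __name__ == "__main__":
    print("short flood:", simulate_flood())
    print("slow steady:", simulate_slow_steady())
```

The two constructed scenarios show why both knobs exist: the burst rate is what detects a short, intense drop spike, while the average rate catches a sustained low-level one that never produces a burst.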

! VPN

crypto isakmp enable outside

crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

tunnel-group 192.168.11.2 type ipsec-l2l
tunnel-group 192.168.11.2 ipsec-attributes
pre-shared-key CHAVE
isakmp keepalive threshold 10 retry 2

access-l outside_1_cryptomap line 1 extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 192.168.11.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 interface outside

access-l inside_nat0_outbound line 1 extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0

sh run access-l
sh run isakmp
sh run tunnel-group
sh run ipsec
sh run crypto map

sh crypto isakmp sa
sh crypto ipsec sa

crypto isakmp enable outside

crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

ip local pool MYPOOL 10.0.21.1-10.0.21.254 mask 255.255.255.0

tunnel-group REMOTE type remote-access
tunnel-group REMOTE ipsec-attributes
pre-shared-key CHAVE
tunnel-group REMOTE general-attributes
default-group-policy POL_REMOTE
address-pool MYPOOL
group-policy POL_REMOTE internal
group-policy POL_REMOTE attributes
vpn-tunnel-protocol IPSec
dns-server value 10.0.1.15 172.30.1.15
wins-server value 10.0.1.16 172.30.1.16
default-domain value remote.com
username CarterB attributes vpn-group-policy MYGROUP

webvpn
enable outside
import webvpn url-list URL disk0:/tmpAsdmImportFile128451205
delete /noconfirm disk0:/tmpAsdmImportFile128451205
username usuario1 password LBc0wsr7MhAKY5C5 encrypted privilege 0
username usuario1 attributes
vpn-group-policy Grp_Pol_VPN1
group-policy Grp_Pol_VPN1 internal
group-policy Grp_Pol_VPN1 attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value URL
tunnel-group AUSTIN type remote-access
tunnel-group AUSTIN general-attributes
default-group-policy Grp_Pol_VPN1

sh import webvpn url-list

! Firewall virtualization

sh mode
sh context
mode multiple

class MEDIUM-RESOURCE-SET
limit-resource conns 20%
limit-resource ASDM 4
limit-resource telnet 5
limit-resource ssh 5

context CLIENT1
member MEDIUM-RESOURCE-SET
allocate-interface Ethernet0/0 invisible
config-url disk0:/client1.cfg
mac-address auto
changeto system
changeto context CLIENT1
sh cpu usage context all

redundant-interface redundant1 active member

01/05/2010

CCNA Security Lab Notes

Filed under: certification, cisco — drak @ 10:23 AM

I recently passed the 640-553 (IINS) exam and obtained the CCNA Security certification. I leave here a trail of what I studied, in the form of the commands I used while preparing for the exam. Keep in mind that these notes are only a GUIDE for the theoretical study; what the exam tests most is ASDM and the concepts, so do not use this as your only reference or you will do poorly.

As study resources I used:

– CCNA Security Official Exam Certification Guide
– CCNA Security Lab Manual
– CBT Nuggets Cisco CCNA Security – Exam-Pack 640-553: IINS
– Simulations in GNS3

! CCNA Security Lab Notes

security passwords min-length 10
enable secret hardtoguesspass

! Console configuration
line con 0
password ciscocon
exec-timeout 5 0
login
logg syn

! Telnet configuration
line vty 0 4
password ciscovtypass
exec-timeout 5 0
login

! Obfuscates the passwords stored in plain text in the config
service password-encryption

banner motd $get off$

username admin secret hardpassadmin priv 15

! Login hardening: block for 60 s after 2 failures within 30 s
login block-for 60 attempts 2 within 30
login on-success log
login on-failure log every 2

! SSH preparation
ip domain-name security.lab

! Zeroize and generate RSA keys for SSH access
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 1024

! Adjust SSH settings
ip ssh time-out 90
ip ssh authentication-retries 2

! Configure SSH instead of telnet
line vty 0 4
priv level 15
login local
transport input ssh
exit

! Views
aaa new-model
exit
enable view

parser view TECH
secret techpass
commands exec include all show
commands exec include all config terminal

enable view TECH
sh parser view

! Boot resilience
sh flash
secure boot-image
secure boot-config
sh secure bootset
sh flash

! NTP
ntp master 3
ntp server 10.1.1.1
ntp update-calendar
sh ntp associations

! Logs
logging 10.0.0.1
logging trap critical
logging userinfo

! SNMP
snmp-server community secretSNMP ro

! Start the generic lockdown
auto secure

! AAA
aaa new-model
aaa authentication login default local none
aaa authentication enable default enable
aaa authentication login TELNET_LINE local
line vty 0 4
login authentication TELNET_LINE
debug aaa authentication
aaa authentication login default group radius none
radius-server host 10.1.1.1 key chaveSECRETA auth-port 1645 acct-port 1646
aaa accounting exec default start-stop tacacs+

! ACL
ip access-list extended NOME_DA_ACL
	15 permit tcp 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq http

! CBAC - Classic firewall
ip inspect NOME_DA_REGRA telnet
ip inspect NOME_DA_REGRA realaudio
ip inspect autosec inspect out

sh ip inspect all

! Restrict telnet and SNMP with ACLs
access-list 50 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 50 in

snmp-server community secretSNMP ro 50

! Rudimentary stateful filtering (established = TCP segments with ACK or RST set)
ip access-list extended INTERNET_FILTER
permit tcp any any established

! Renumber ACL entries (start at 5, step 10)
ip access-list resequence INTERNET_FILTER 5 10
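The ACL, `established` and resequence commands above all depend on the same evaluation rules: top-down first match, wildcard masks where a 1 bit means "don't care", the `established` keyword matching only TCP segments with ACK or RST set, and the implicit deny at the end. The evaluator below is an added example (not part of the original notes, not IOS code) that models those rules so the notes can be checked against sample packets; the `INTERNET_FILTER` entries mirror the two ACL lines on this page, and the sample packets are constructed. It handles `any` and `network wildcard` sources/destinations, not the `host` keyword.

```python
"""Model of IOS extended-ACL evaluation: first match wins, wildcard-mask
matching, the `established` keyword, and the implicit deny.
Added example; rule names and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass
class Rule:
    seq: int
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                            # "any" or "network wildcard", e.g. "10.0.0.0 0.0.0.255"
    dst: str
    dport: Optional[int] = None         # destination port for "eq <port>"
    established: bool = False           # only TCP segments with ACK or RST set


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask means the address bit must
    match the network, a 1 bit means the bit is ignored. 'any' matches all."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src) or not wildcard_match(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established:
        # 'established' never matches a bare SYN, so outside hosts cannot open
        # new connections inward, while replies to inside-initiated sessions pass.
        if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, or
    ('deny', None) for the implicit deny at the end of every ACL."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def resequence(acl: List[Rule], start: int, step: int) -> List[Rule]:
    """Mirror of `ip access-list resequence NAME start step`: renumber entries
    in their existing order without changing evaluation order."""
    ordered = sorted(acl, key=lambda r: r.seq)
    return [Rule(start + i * step, r.action, r.proto, r.src, r.dst, r.dport, r.established)
            for i, r in enumerate(ordered)]


# Mirrors the two ACL entries shown in the notes (constructed sequence numbers).
INTERNET_FILTER = [
    Rule(10, "permit", "tcp", "any", "any", established=True),
    Rule(15, "permit", "tcp", "10.0.0.0 0.0.0.255", "192.168.0.0 0.0.255.255", dport=80),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "10.0.0.5", "192.168.4.1", 80, frozenset({"SYN"})),   # permit, seq 15
        Packet("tcp", "10.0.0.5", "192.168.4.1", 443, frozenset({"SYN"})),  # implicit deny
        Packet("tcp", "8.8.8.8", "10.0.0.5", 51000, frozenset({"ACK"})),    # permit, seq 10
        Packet("tcp", "8.8.8.8", "10.0.0.5", 51000, frozenset({"SYN"})),    # implicit deny
    ]
    for p in samples:
        print(p, "->", evaluate(INTERNET_FILTER, p))
    print([r.seq for r in resequence(INTERNET_FILTER, 5, 10)])
```

Running the sample packets makes the `established` behaviour concrete: a returning ACK from outside is permitted by the first entry, but an inbound SYN to the same port falls through to the implicit deny.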

! L2 Security
spanning-tree vlan 1 priority 0

! Protection against VLAN hopping
int f0/0
switchport mode trunk
switchport trunk native vlan 99
switchport nonegotiate
storm-control broadcast level 50
sh int f0/0 trunk
sh int f0/0 switchport

! Protection against CAM table overflow
int f0/5
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
sh spanning-tree int f0/5 detail
spanning-tree guard root
shut
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address aaaa.bbbb.cccc
switchport port-security mac-address sticky
switchport port-security aging time 120
no shut
sh port-security int f0/5

! Disable unused ports
int range f0/2 - 4
shut

! Using VLANs
vlan 20
name users
int range f0/5 - 10
switchport access vlan 20

! SPAN port - traffic monitoring
monitor session 1 source interface f0/5 both
monitor session 1 destination interface f0/5
sh monitor session 1

! VPN site-to-site

! Phase 1 (the pre-shared key is a global command, so it goes after the policy sub-commands)
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
crypto isakmp key cisco123 address 10.1.1.1
sh crypto isakmp policy

! Phase 2
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
! Proxy ID
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

crypto map NOME_DO_CMAP 10 ipsec-isakmp
match address 101
set peer 10.1.1.1
set pfs group 5
set transform-set 50

int f0/0
crypto map NOME_DO_CMAP

sh crypto ipsec transform-set
sh crypto map
sh crypto isakmp sa
sh crypto ipsec sa

31/08/2009

Juniper certification with a 100% discount

Filed under: certification — drak @ 10:00 AM

Juniper has launched an initiative to popularize its certifications in the market, especially among those who are already Cisco certified. It is the Juniper FastTrack program: you watch a few presentations explaining JunOS, take a short quiz to validate what you learned, and receive a 100% voucher to sit the exam at Prometric.

The promotion is valid until Dec/2009 and the available certifications are Routing, Switching and Security (Enhanced Services).
