ECCouncil 312-50v12 - Certified Ethical Hacker Exam (CEHv12)

https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/

Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish’s encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can’t detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company’s website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

References:

Web Server Security- Beginner’s Guide - Astra Security Blog

Top 10 Web Server Security Best Practices | Liquid Web

21 Server Security Tips & Best Practices To Secure Your Server - phoenixNAP

A Cloud Access Security Broker (CASB) is a security policy enforcement point, either on-premises or in the cloud, that administers an organization’s enterprise security policies when users attempt to access its cloud-based resources. A CASB can provide unified security management across multiple cloud platforms, as it can monitor cloud activity, enforce security policies, identify and respond to threats, and maintain visibility of all cloud resources. A CASB can also integrate with other security tools, such as data loss prevention (DLP), encryption, malware detection, and identity and access management (IAM), to enhance the security posture of the organization.

The other options are not as effective or feasible as using a CASB. Using a hardware-based firewall to secure all cloud resources may not be compatible with the dynamic and scalable nature of the cloud, as it may introduce latency, complexity, and cost. Implementing separate security management tools for each cloud platform may create inconsistency, inefficiency, and confusion, as each tool may have different features, interfaces, and configurations. Relying on the built-in security features of each cloud platform may not be sufficient or comprehensive, as each platform may have different levels of security, compliance, and functionality. References:

What Is a Cloud Access Security Broker (CASB)? | Microsoft

What Is a CASB? - Cloud Access Security Broker - Cisco

What is a Cloud Access Security Broker (CASB)?

Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

For example, if the application uses the following query to display the username of a user based on the user ID:

SELECT username FROM users WHERE id = '$id'

The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

SELECT username FROM users WHERE id = '1'

The application might display an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

References:

[CEHv12 Module 05: Sniffing]

Types of SQL Injection (SQLi) - GeeksforGeeks

Types of SQL Injection? - Acunetix

The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses3. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers.

The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall12. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

References:

1: Host Discovery in Nmap Network Scanning - GeeksforGeeks

2: nmap Host Discovery Techniques

3: TCP SYN Ping Scan - Nmap

: Ping Sweep - an overview | ScienceDirect Topics

: UDP Ping Scan - Nmap

: UDP Ping Scan - an overview | ScienceDirect Topics

: ICMP Ping Scan - Nmap

: ICMP Ping Scan - an overview | ScienceDirect Topics

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Using default settings on a web server is considered a security risk because it can reveal the server software type and version, which can help attackers identify potential vulnerabilities and launch targeted attacks. For example, if the default settings include a server signature that displays the name and version of the web server software, such as Apache 2.4.46, an attacker can search for known exploits or bugs that affect that specific software and version. Additionally, default settings may also include other insecure configurations, such as weak passwords, unnecessary services, or open ports, that can expose the web server to unauthorized access or compromise.

The best initial step to mitigate this risk is to change the default settings to hide or obscure the server software type and version, as well as to disable or remove any unnecessary or insecure features. For example, to hide the server signature, one can modify the ServerTokens and ServerSignature directives in the Apache configuration file1. Alternatively, one can use a web application firewall or a reverse proxy to mask the server information from the client requests2. Changing the default settings can reduce the attack surface and make it harder for attackers to exploit the web server.

References:

How to Hide Apache Version Number and Other Sensitive Info

How to hide server information from HTTP headers? - Stack Overflow