Chapter 4 Objective 4.1 Security Information and Event Management (SIEM) NOTES Event Parsing → Event parsing is the process of interpreting and normalizing raw event data from various sources into a consistent format. Scenario: An organization receives logs from various devices (e.g., firewalls, routers, servers). Action: Use a SIEM tool to parse and normalize these logs into a standardized format for easier analysis. Event Duplication → Event duplication occurs when identical or similar events are recorded multiple times, leading to redundant data and potential alert fatigue....

Chapter 1 Objective 1.1 Phishing → Practice of sending email to trick users to submit personal information or click a link Can be done to install malware, validate email address, get money Smishing → SMS Phishing Vishing → Phone Phishing → Phishing over Voice over IP (VoIP) Spam → Unwanted / Solicited Email SPIM → Unwanted messages over Instant Messaging Channels Spear Phishing → Phishing target on specific group of people or even a single user Mitigation → Use digital signatures Dumpster diving → Practice of searching through trash & recycling to gain info from discarded items Mitigation → Shredding or Burning Paper instead of throwing it away Shoulder surfing → Looking over shoulder of someone to gain information Mitigation → Use screen filters Pharming → Manipulates DNS server or client to redirect users to different websites Changes DNS entries on a local PC or on a trusted local DNS server Tailgating → Practice of one person following closely behind another person without showing credentials Mitigation → Access Control Vestibules (Mantraps) → Allows only single person to pass at a time Eliciting information → Act of getting information without asking for it directly Active Listening → Target is encouraged to keep talking Reflective Questioning → Repeat statements as a question & encourages to talk more False Statement → Give false info hoping that the target corrects it Bracketing → Try to get specific info by stating a specific number or range of numbers Whaling → Phishing targeted on high level executives Prepending → Add something to the beginning of something else....

Chapter 2 Objective 2.1 Configuration Management It helps organizations to deploy systems with secure configurations Diagrams → Some organizations use diagrams to show processes in config management These sometimes use flowchart to document decision-making process involving in modifying a configuration. Naming Conventions → Large organizations use naming conventions to identify standard configuration Ex. department or location, and the version → Desktop_Sales_3.0 Baseline Configuration → A baseline is a known starting point & organizations commonly use secure baseline to provide known starting points for systems....

Chapter 3 Objective 3.1 Insecure Protocols Telnet → Port 23 → Telnet transmits data in plaintext, vulnerable to MITM & Eavesdropping Secure Alternative → SSH → Port 22 → SSH provides encrypted communication FTP → Port 21 → FTP transmits data in plaintext, vulnerable to interception & tampering Secure Alternative → FTPS (FTP Secure) → Port 990 / 989 → Uses SSL / TLS for encryption SFTP (SSH File Transfer Protocol) → Port 22 → Uses SSH for file transfer HTTP → Port 80 → HTTP transmits data in plaintext Secure Alternative → HTTPS → HTTP Secure → Port 443 → Uses SSL / TLS SMTP → Port 25 → SMTP transmits emails in plaintext, vulnerable to interception & unauthorized access Secure Alternative → SMTPS → SMTP Secure → Port 465 → use SSL/TLS to encrypt email communications SMTP with STARTTLS → Port 587 → use SSL/TLS to encrypt email communications POP3 → Port 110 → POP3 transmits emails in plaintext, vulnerable to eavesdropping Secure Alternative → POP3S → POP3 Secure → Port 995 → uses SSL/TLS IMAP → Port 143 → IMAP transmits data in plaintext, vulnerable to interception Secure Alternative → IMAPS (IMAP Secure) → Port 993 → uses SSL / TLS SNMP v1/v2 → Port 161/162 → Lacks encryption, vulnerable to interception & tampering Secure Alternative → SNMPv3 → Port 161/162 → Adds encryption, authentication & integrity protection to data LDAP → Port 389 → LDAP transmits data in plaintext, vulnerable to interception & tampering Secure Alternative → LDAPS (LDAP Secure) → Port 636 → Uses SSL/TLS for encrypt directory service Protocols DNS Security Extensions (DNSSEC) → Provides validation for DNS responses It adds Resource Record Signature (RRSIG) (Digital Signature) to each record RRSIG provides data integrity & authentication for DNS replies Helps to prevent DNS poisoning attack S/MIME → Secure/Multipurpose Internet Mail Extensions Used to digitally sign & encrypt an email Uses both asymmetric & symmetric encryption SRTP → Secure Real Time Protocol → Uses port 5004 RTP → Real Time Protocol → Delivers audio & video over IP networks SRTP provides encryption, message authentication & integrity for RTP LDAPS → LDAP over TLS uses port 636 FTPS → FTP, Secure → uses TLS to encrypt FTP traffic SNMPv3 → Simple Network Management Protocol → Monitors & manages network devices such as routers & switches Uses port 161/162 Can modify devices’ configuration & can check device report status SNMPv3 agents installed on devices send information to SNMP manager via notifications known as traps Flood guard sends SNMP trap messages in response to an alert SNMP Usage → Commonly used to gather information from routers, switches, and other network devices → It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device IPSec → Used to encrypt IP traffic Authentication Header → IPSec uses AH to allow each conversation hosts to authenticate with each other before exchanging the data AH provides authentication & integrity Encryption → IPSec includes Encapsulating Security Payload (ESP) to encrypt data & provide confidentiality IPSec uses Internet Key Exchange (IKE) to authenticate clients in the IPSec conversation → Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel....

Chapter 4 Objective 4.1 Network Reconnaissance and Discovery pathping → Combines ping & tracert command Admins use it to locate potential problems between two systems hping → This command is similar to ping command but it can send the ping using TCP, UDP & ICMP packets Useful to identify if firewall is blocking ICMP traffic theHarvester → Passive recon CLI tool → Uses OSINT methods to gather data such as emails, employee names, host IPs, & URLs It uses popular search engine for queries & give you a report sn1per → Automated scanner used for vulnerability assessment & to gather info on targets during penetration test scanless → Python based CLI tool used to scan ports dnsenum → Enumerate DNS records for domains It can perform many Domain Name System (DNS)-related functions, including querying A records, nameservers, and MX records, as well as performing zone transfers, Google searches for hosts and subdomains, and net range reverse lookups....

Chapter 5 Objective 5.1 Category Managerial Controls → Primarily administrative in function & are typically documented in an organization’s written security policy They use planning & assessment methods to provide an ongoing review of the organization’s ability to reduce & mange risk Administrative controls dictate how security policies should be executed to accomplish the company’s security goals Ex. Risk Assessments, Vulnerability Assessments Operational Controls → Ensures that the day-to-day operations of an organization comply with their overall security plan Primarily implemented & executed by people instead of systems Ex....

Implicit Deny → It ensures that anything not specifically allowed in the rules is blocked Private IP Addresses 10.x.x.x → 10.0.0.0/8 → 255.0.0.0 → Class A 172.16.x.x to 172.31.x.x → 172.16.0.0/12 → 255.240.0.0 → Class B 192.168.x.x → 192.168.0.0/16 → 255.255.0.0 → Class C Difference between Dictionary & Rainbow table Dictionary → List of potential passwords (words) Rainbow Table → Precomputed table containing hash of potential passwords Skimming vs Card Cloning Skimming → Capturing credit card data at Point of Sale (POS) Card Cloning → Making a copy of credit card STIX & TAXII → Threat Feed Refer Notes Difference between SOAR & SIEM Security orchestration, automation, and response (SOAR) services are designed to integrate with a broader range of both internal and external applications....

Intro Hi everyone, I have passed my Comptia Security+ 601 exam recently. In this blog, I will share my notes(objective-wise) & insights about this exam. Resources CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide: Link Professor Messer’s SY0-601 CompTIA Security+ Practice Exams: Link Passmall Security+ Practice Exams: Link Jason Dion - CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs: Link Outro Please forgive if you find any spelling mistakes or grammatical mistakes....

Intro Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. In this writeup, I will be exploiting DVWA vulnerabilities in different severities. Setup docker run --rm -it -p 8000:80 kaakaww/dvwa-docker:latest Walkthrough 1. I found a login page after opening the site. Bruteforce Password 1. Capture login & analyze behavior username=admin&password=zap&Login=Login&user_token=6cd51b8a24a524b9349dd75c09c0cfb3 2. Reflecting Login failed after incorrect creds 3. To automatically handle CSRF Tokens ZAP -> Tools -> Options -> Anti-CSRF -> Add `user_token` 4....

Challenge: Protecting Camp I made a small site to keep a list of things I need to buy to keep me safe before I go camping, maybe it’s keeping some other things safe too! Attachment: protecting_camp.zip Walkthrough This challenge shows a Camping Checklist on main page. Solve 1. Reviewing the code Found a snippet that could be vulnerable to SSRF app.get('/api/flag', (req, res) => { var url = req.protocol + '://' + req....