Overview

• Include anything related to website on public Internet which cause to disclose information
• Hackers use these information in footprint process or social engineering attacks

Public source Examples

• Search engine such as Google and Bing
• Company website including contacts , job posting …
• Robots.txt
• View source or comments in HTML contents
• http://archive.org , can view history of archived website
• Social media websites like blogs and LinkedIn
• Trusting fake websites and people (fake opening job in LinkedIn)
• Geo location and addresses  (used with wireless attacks)
• https://www.shodan.io , search engine help for system banners
• Google hacking , review my whitepaper “Maximizing SharePoint Security” https://gallery.technet.microsoft.com/Maximizing-SharePoint-cf7f7efc
• Google Hacking Database (GHDB) https://www.exploit-db.com/google-hacking-database/ , search engine help in find vulnerabilities and exploits by search queries
• Document’s metadata , contains information like name of users , OS created the document …

FOCA tool

• Use search engines to find files on website and then analyze metadata of these files to find information like users , emails …
• Download it from https://www.elevenpaths.com/labstools/foca/index.html (also included in Kali)

How to use it

Create new project

Fill the fields and click Create

Click Search All

It will show list of files found it for this domain and metadata of these documents , you can then right click to Analyze Metadata in Metadata Summary node

Overview

• To clone/copy a website for analyzing the contents files offline
• Alos cloning the website help in phishing attacks
• For more options https://www.httrack.com/html/fcguide.html
• GUI version https://www.httrack.com/

How to use it

In Kali linux 2, run the following command:

httrack

Enter the name of the website , directory to save the result and the website to capture

Choose Action 1 and ignore the rest questions

Overview

• To analyze different web technologies used by the website
• It analyzes the website headers and JavaScript libraries

How to use it

In Kali linux 2, run the following command:

whatweb -v <website target>

The output result is easy to read and verify by testers

Overview

• http://tools.kali.org/web-applications/skipfish
• Web application scanner tool
• Used for reconnaissance and build sitemap for the target website by using a recursive crawl and prebuild dictionaries (wordlists)
  • To install latest version of wordlists or using custom wordlist https://code.google.com/archive/p/skipfish
• Generate graphical output as HTML file
• Display Number of packets and HTTP connections sent
• Help to identify common security risks like SQL injection and XSS flaws
• Check SSL certificate validity
• Can be used with Http authentication

How to use it

In Kali linux 2, run the following command:

Skipfish -h to lists its options

Skipfish -o <output location> <website target>

To end the scan before finish, type Ctrl+C

The output result in index.html file is easy to read and verify by testers

 

I published Presentation on Slideshare , talking about Static analysis for security.

I published Presentation on Slideshare , talking about Burp suite tool.

To prevent IIS Short File Name Disclosure , follow these fixes:

1. Disable OPTIONS method from IIS
   
2. Disable 8.3 file name https://support.microsoft.com/en-us/kb/121007

Web Applications become heavily based on JavaScript code especially Single Page applications. Here I will list some important security controls and vulnerabilities commonly exist within JavaScript applications to be avoided or considered during developing your web applications.

Security Risks and Controls

• Cross Site Scripting(CSS) with all different types (Persistent or non- Persistent types)
  • https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  • Fix:Don’t trust user input and perform validation in both client (escape reflected inputs) and server validation
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

• Cross Site Request Forgery(CSRF)
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  • Fix:Use Anti-Forgery Tokens
  • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

• Same Origin Policy
  • https://en.wikipedia.org/wiki/Same-origin_policy
• Use Secure and HTTP Only cookies
  • https://www.owasp.org/index.php/SecureFlag
  • https://www.owasp.org/index.php/HttpOnly
• Consider user request as malicious input because client can modify hidden fields, cookies , Headers …
• Use HTTPs websites to avoid phishing and hijacking attacks
• Use updated browsers to get benefits from built-in security controls comes with the browsers like XSS protection or Anti-phishing websites
• Keep Your eyes against URL and be careful with the shorten URLs
• Avoid Popup windows
• Don’t use eval in JavaScript https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet#Don.27t_use_eval

 

 

What is Microsoft Advanced Threat Analytics (ATA)?

ATA is an on-premises platform to identify advanced security attacks by automatically analyzing, learning, and identifying normal and abnormal entity behavior.

• It is part of Microsoft Enterprise Mobility Suite
• Help to detect attacks within a corporate network or especially for the compromised user credentials
• Help to reduce the cost/damage of cybercrime
• It’s extra layer of defense and you still need your other defenses like Firewall , IDS/IPS , Antivirus … etc
• Help to find out the back-doors or botnet inside your network
• Fast , Easy to install and No need to define rules with less false positives risks
• Help to detect passive attacks before active attacks
• ATA is based on UEBA
• Does not affect existing network topology
• It’s just listen and no extra traffic to introduce
• Store data in MongoDB
• Integrate with SIEM products seamlessly
• Learn by behavoir and patterns and it doesn’t based on specific signature or common hacking tools

What is User and Entity Behavior (UEBA) ?

• It’s a solution to monitor user behavior by using multiple data sources
• Based on machine learning algorithms
• Detect security breaches by evaluate the user activities

For example bank monitors your transactions behavior and if they see any suspicious transactions on your account then they will raise an alert , in the same way attacker can steal your account but it’s difficult to them to simulate your activities so ATA can address this situations.

UEBA has three components: data analytics , data integration and data presentation and result of these components to understand the normal/abnormal behavior and then identify the risks and take actions against them.

 

Good Resources for Microsoft Advanced Threat Analytics (ATA)

• How to configure Microsoft Advanced Threat Analytics
  http://social.technet.microsoft.com/wiki/contents/articles/32824.how-to-configure-microsoft-advanced-threat-analytics.aspx
• Enterprise Mobility Suite: Beyond “Bring Your Own Device”
  https://mva.microsoft.com/en-us/training-courses/enterprise-mobility-suite-beyond-bring-your-own-device-15707