Here are some keywords I’ve come across when studying various information security topics.
CVSS
I refer to CVSS v3.1 here.
Environmental metric group
This considers the impact of a user's environment on the vulnerability. Consider an application used by an organization with specific needs in terms of CIA (confidentiality, integrity, availability).
By default, the requirement for each of C, I and A is treated as medium; rating any single one of them low or high adjusts the score downwards or upwards accordingly.
Brute-forcing tools
thc-hydra
It worked well for fuzzing basic SMB and HTTP. For better SMB support, it needs to be configured and compiled to use samba on Linux, and used with the smb2 module.
Unfortunately, it does not work well with HTTP forms that require submitting a hidden field such as a CSRF token, and can only send cookies next to the actual POST form submit.
Links:
patator
This works well for brute-forcing HTML forms that require CSRF tokens to be submitted as well. There is a flag to instruct it to fetch a separate page and grep for a field inside, for example a field like the following:
<input type="hidden" name="csrf-token" value="foobar" />
The value foobar is then extracted and can be referred to when the HTTP POST body is generated.
Links:
John the Ripper
A feature that surprised me a lot in John is the ability to create custom formats using dynamic formats. If a specific password hash uses a very obscure “hash, then salt, then hash, then add constant”-type method, it can be defined quite easily using a domain specific language (DSL).
I have had tremendous success using this in combination with the d3ad0ne rule to crack leetspeak-like passwords when extracting slightly obscure PostgreSQL MD5 password hashes. MD5 is very dangerous indeed.
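To make the last remark concrete from a defender's position, here is an added example (not from these notes or from John) that reproduces the legacy PostgreSQL password form, which the PostgreSQL documentation describes as the string "md5" followed by the hex MD5 of password concatenated with the role name, and audits rows in the shape of `pg_authid` for roles that still use it instead of SCRAM-SHA-256. The sample rows are constructed placeholders; `audit_roles` and `classify` are my own names.

```python
"""Audit PostgreSQL role password hashes for the legacy MD5 scheme (added example)."""
import hashlib
import re

# Constructed rows in the shape of `SELECT rolname, rolpassword FROM pg_authid`.
# The hash values are placeholders, not real credentials.
SAMPLE_ROLES = [
    ("app_user", "md5" + "0" * 32),
    ("reporting", "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5$c2VydmVya2V5"),
    ("legacy_import", "hunter2"),   # pre-hashing plaintext form, should never appear today
    ("batch", None),                # no password: peer or certificate authentication only
]

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$"
)


def postgres_md5(password: str, username: str) -> str:
    """Legacy PostgreSQL form: 'md5' + hex(md5(password + username)).

    The role name is the only salt, so the same password under the same role
    name hashes identically on every server, and a single unsalted, fast MD5
    is all that separates a stolen hash from the password."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def classify(rolpassword):
    """Label a rolpassword value as none / md5 / scram-sha-256 / unknown."""
    if rolpassword is None:
        return "none"
    if MD5_RE.match(rolpassword):
        return "md5"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "unknown"


def audit_roles(rows):
    """Return the role names that need migrating to SCRAM-SHA-256: anything
    still on the MD5 scheme or in an unrecognised (e.g. plaintext) form."""
    return sorted(name for name, pw in rows if classify(pw) in ("md5", "unknown"))


if __name__ == "__main__":
    print("example md5-form hash:", postgres_md5("correct horse", "alice"))
    for name, pw in SAMPLE_ROLES:
        print(f"{name:15} {classify(pw)}")
    print("needs migration:", audit_roles(SAMPLE_ROLES))
```

The migration itself is a matter of setting `password_encryption = scram-sha-256` and having each flagged role reset its password, since an existing MD5 hash cannot be converted into a SCRAM verifier without knowing the password.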
Links:
- Website: https://www.openwall.com/john/
- Dynamic format docs: https://github.com/openwall/john/blob/bleeding-jumbo/doc/DYNAMIC
- GitHub: https://github.com/openwall/john