Jump to content

gigiRoman

Moderators
 View Profile  See their activity

  • Posts

    1259

  • Joined

  • Last visited

  • Days Won

    86

 Content Type 

Everything posted by gigiRoman

  1. gigiRoman
    POLIANDRÍE s. f. Formă de organizare a familiei (întâlnită astăzi numai la unele triburi primitive) în care o femeie are în același timp mai mulți soți. [Pr.: -li-an-] – Din fr. polyandrie.
  2. gigiRoman
    https://www.google.ro/search?client=ms-android-google&q=intreruperea+caldurilor+la+scroafe&sa=X&ved=0ahUKEwjoxcKakN_XAhVRKewKHfnoCfEQ1QIIaygG&biw=412&bih=604&dpr=2.63
  3. gigiRoman
    http://www.101books.ru
  4. gigiRoman
    By Anatoly Kazantsev on November 8, 2017. 10:00 am sursa: https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware. Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft’s website: “The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace”). The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly, bypassing the entry point of the assembly; all malicious activity is then hidden in the context of the trusted process. The spreading of malicious samples follows a standard pattern: they basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen specially so that the victim perceives the file as a normal document or photo. We also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the described manner. Users are misled by executable file icons Analysis All the malicious files we encountered were heavily obfuscated, which complicated their manual analysis. We took the sample 263dc85de7ec717e8940b1ccdd6ee119 and deobfuscated its strings, classes, methods, and fields. Here’s how the file looked before deobfuscation: Sample before deobfuscation InstallUtil.exe allows file execution to start not from the .NET assembly entry point: execution begins from a class inherited from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware. Let’s examine the behavior of the malicious file in the order of methods execution. First up is FirstMainClass, since its constructor is marked with the keyword “static” and assembly execution begins with it: The static constructor of FirstMainClass that is triggered when the assembly is loaded The constructor does the following: CheckSandboxieEnvironment() determines whether the file is running in Sandboxie by attempting to load the SbieDll.dll library. If the library can be loaded, the malicious process terminates; CheckVirtualBoxEnvironment() searches for the vboxmrxnp.dll library, which belongs to VitrualBox. If the library can be found, the malicious process likewise terminates; AddResourceResolver() adds a method for handling the resource load event. This method unpacks the assembly, which is packed by the Deflate algorithm, from a specific resource and loads the assembly into memory; The method responsible for loading the assembly from the resource The assembly is unpacked from the resource and loaded into memory The UnpackAllAssemblies() method of the AssemblyResourceLoader class iterates through all the assembly resources and, if the resource name contains the string “+||”, unpacks the assemblies from these resources. The assemblies unpacked by this method are required by the malicious file to operate, and are legitimate libraries: Interop.MSScript.Control, Interop.TaskScheduler, SevenZipSharp; RemoveZoneIdentifier() deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet. The authors made a slight mistake in the command line (“cmd.exe /c (echo. > file path:Zone.Identifier) 2 > Null”) by leaving a space between the characters 2 and >, which produces an error in the console: The warning issued on deleting Zone.Identifier The ElevatePrivilegesProxy() method is the wrapper for the ElevatePrivileges() method, which in turn uses the known UAC bypass technique described by Matt Nelson aka enigma0x3. Control then passes to the traditional entry point—the Main() method, which is located in the Form5 class: The traditional entry point is the Main() method We see that a WMI object is retrieved after a 30-second pause. Next, the ScriptControlClassInstance object is customized, which the language (Visual Basic script) and the body of the script are transferred to: The script that runs the executable file using InstallUtil.exe The AddCode() method adds and executes a VB script that runs the current assembly using InstallUtil.exe. After that, the current process is closed by calling Environment.Exit(0). At the next stage, the malicious object is run using the InstallUtil tool and once more executes the static constructor of the FirstMainClass class examined above; control passes to the static constructor of the InstallUtilEntryClass class, which, as mentioned, is inherited from System.Configuration.Install.Installer: The static class constructor called by InstallUtil.exe The functions of this class include: Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process; Adding the copied file to autorun (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run); Creating a task called “filesqmaepq0d.tnk” that runs msexcel.EXE every minute to ensure survival on the victim’s computer; Checking if the malicious process is already running. An event with the name “78759961M” is created, and if such an event already exists in the system, the new process terminates; Creating the Form5 class and calling its destructor. Let’s sum up the interim results: all the actions described above (entrenchment in the system, elevation of privileges, startup from a trusted application) are essentially laying the foundation for the main task. Let’s move on to analyzing the next stage of the preparatory actions, which will take us closer to the heart of the malicious activity. The malicious assembly contains, inter alia, five classes inherited from System.Windows.Forms.Form. Inheritance from the Form class is not accidental: in its inheritance hierarchy it implements several interfaces, one of which is IDisposable, which allows to override the Dispose() method for its own purposes. Dispose() methods are called by the garbage collector in order to free up unmanaged resources used by the class when closing or unloading the assembly. Now let’s look at the source code of the Dispose() method of the Form5 class: The overridden Dispose() method of the Form5 class As we can see, various methods are executed at each iteration of the cycle, and the results are saved. Let’s take a closer look: At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved; A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client; The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory; A class with the name “RunPE” and the Run method of this class are sought in this library; At the final iteration, the parameters are transferred and the Run method is called. Knowing that the legalProgramPath variable contains the full path to the legitimate utility RegAsm.exe, PEFileByteArray contains the executable file in the form of a byte array, while the class name is RunPE; it is not hard to figure out that the Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE. This technique is widely known and described here, for instance. Deep inside the Run() method, a legitimate utility process is created in CREATE_SUSPENDED state (the sixth parameter is 4u): Creating a legitimate program process in CREATE_SUSPENDED state Eventually, the RegAsm.exe process is loaded in the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised: Only legitimate utilities can be seen in the list of running processes RegAsm.exe was chosen as the “carrier” because (a) it is a legitimate utility from Microsoft, (b) it is located in the same directory as InstallUtil.exe, and (c) a utility from .NET Framework calling another utility from the same framework is less suspicious than calling, say, notepad.exe. In fact, the use of RegAsm.exe is not critical: the “carrier” could be any program that does not arouse the suspicion of security software and users. It is also important that all actions involving a malicious module are executed in memory, which allows file scanners to be bypassed. As we’ve mentioned, this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans. Conclusion Malware writers employ various tricks to conceal malicious activity, and the above technique allowing the execution of malicious code in the context of two legitimate programs is an obvious example. Detecting this kind of concealment method requires a behavioral analysis of the program. Kaspersky Lab’s security solutions detect this behavior as PDM: Trojan.Win32.Generic and PDM: Exploit.Win32.Generic. IOC (MD5) 263DC85DE7EC717E8940B1CCDD6EE119 payload: EF8AF3D457DBE875FF4E3982B34F1DE9 3E4825AA1C09E27C2E6A1309BE8D6382 payload: 82709B139634D74DED404A516B7952F0 7E3863F827C1696835A49B8FD7C02D96 payload: D1A9879FFCB14DF70A430E59BFF5EF0B 8CB8F81ECF1D4CE46E5E96C866939197 payload: D8652841C19D619D2E3B5D7F78827B6E FDF4086A806826503D5D332077D47187 payload: BF4A3F4B31E68B3DE4FB1F046253F2D0
  5. gigiRoman
    Sursa: https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks Introduction Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no one's surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents. In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs), ransomware, and backdoors. In this blog, we will share a detailed technical analysis of a few of these exploitations and their payloads. Background The Microsoft Dynamic Data Exchange (DDE) protocol allows data to be transferred between applications. These applications can use DDE for one-time data transfers or for continuous exchanges; for example, a Microsoft Word document that uses data from an Excel spreadsheet is updated automatically through DDE as the spreadsheet data is updated. The DDE protocol sends messages between applications that share data and uses shared memory to exchange data between the applications. Microsoft Word documents have been used before to spread malware, but in those cases the victim would have to manually enable macros for the payload to be downloaded onto the victim’s system. With the DDE vulnerability (feature) in Microsoft Word, attackers can embed a malicious script that can download and execute malware without the use of macros. Case I: DDE protocol abuse leads to post-exploitation using PowerShell One Word file we analyzed exploited the DDE vulnerability to download and execute a PowerShell script using a post-exploitation framework. Filename - Communications_Suggestions_by_Press_Office_Director.docx The document looks like this: Fig1: Malicious document Generally, fake documents like this are spread via an email campaign targeting small and large groups of businesses in numerous industry sectors. The workflow of the document is as follows: Fig2: Document Workflow (case I) In this document, the attacker uses the DDE protocol to launch a Windows command line tool (cmd.exe), which uses PowerShell to download and execute the malware from a given URL. The field content looks like this: Fig3: DDE field code It downloads and executes a file using cmd.exe and PowerShell, which is present at the following URL: hxxp://citycarpark[.]my/components/com_admintools/mscorier. The downloaded data (mscorier) is an obfuscated batch script that creates a PowerShell script and executes it. Fig4: Obfuscated batch script (payload 1) This script downloads another payload (wsdprintproxy) from hxxp://185.128.42[.]194/wsdprintproxy and stores it in the following registry to make itself persistent: HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\ThemeVersion Fig5: Storing payload 2 in registry Fig6: Registry entry of payload 2 For persistence, payload 1 also creates two scheduled tasks, which execute the obfuscated script. Fig7: Code for persistence One scheduled task is created with name FlashUpdateServiceInit, which runs daily at 11:00 a.m., and another task with name FlashUpdateService, which runs daily at 3:00 p.m. After these tasks run, the script bypasses the PowerShell ScriptBlock logging, which means that the first execution of the malicious script will turn off all further logging. Fig8: Enabling script block logging To download its next payload, the malware initiates a GET request with the cookie “session=j4ppw/hpWdU/l5V3v9eymlAYxmE=” and downloads payload 3 from hxxps://185.128.42[.]194:8080/news.php. Fig9: Downloading payload 3 from server Fig10: Downloaded encrypted payload 3 The downloaded data is encrypted with RC4. Data[0:4] = IV Data[4:length(Data)] = Encrypted data Key is hardcoded in the script which is: Key = “a231fe7690a85f02eb147f53229c8e02” Fig11: RC4 algorithm The script will decrypt the downloaded data. It is, again, a PowerShell script, which is executed after decryption. The decrypted PowerShell script sends the encrypted RSA key with “IV” to the server at: hxxps://185.128.42[.]194:8080/news.php. In response, the server sends the encrypted AES key to victim. The script fetches information from the victim’s machine, encrypts it with the AES key, and sends it to the server at: hxxps://185.128.42[.]194:8080/process.php. Nonce|Server_URL|UserDomainName|UserName|Machine|IPAddress|OperatingSystem|True(if UserName=”system”)Otherwise False|CurrentProcessName|ProcessID|powershell|PowershellVersion The server responds with the final payload PowerShell script which appears to be a part of the PowerShell empire framework post-exploitation. Transactions of this post-exploitation framework look like this: Fig12: Network transactions The PowerShell empire is a post-exploitation framework that provides a Metasploit-like framework in PowerShell and Python. It includes different types of backdoors with multiple modules. It deals strictly with Windows machines and is extremely useful in penetration testing. In some cases, however, attackers use this framework to hijack a user’s system and perform malicious activities. Case II: DDE protocol abuse leads to Locky ransomware In another recent case, a campaign of spam emails was delivering a Word document attachment that used the DDE technique, and the final payload of that campaign is Locky ransomware. Fig 13: DDE protocol abuse leads to Locky ransomware (case II) In this case, attackers are writing obfuscated malicious field code in Word documents to evade detection; this code can be found in word-document.xml after extraction. Fig14: Field word-document.xml obfuscated code The exploit downloads the encoded PowerShell script from: hxxp://lestrangeresearch[.]com/kdjsw23FGS. It then decodes and executes it through cmd. Fig15: Encoded PowerShell (payload 1) The decoded script look like this: Fig16: Decoded PowerShell script (payload 1) The decoded PowerShell script has six hardcoded malicious URLs. The script will try to download the content from a URL and store it in %temp% with the name hti4.exe. Upon successful download, the script executes the downloaded file. Fig17: Downloaded payload 2 Payload 2 is the intermediate payload. Its function is to check the system for specified parameters. If it satisfies specific criteria, it then downloads encrypted data from: hxxp://spooner-motorsport[.]com. Fig18: Encrypted Locky ransomware (payload 3) This encrypted data is decrypted and launched by the intermediate payload (payload 2). After decryption, the final payload is Locky ransomware, which encrypts the files, appends the .asasin extension after encryption, and demands ransom in Bitcoin for decryption. Fig19: Ransom note (asasin.bmp) Fig20: Locky payment site Case III: Attack in New York Recently, researchers at McAfee found a new phishing campaign from Russia's hacking group APT28 known as “Fancy Bear.” APT28 capitalized on the recent terror attack in New York City by spreading email with an attached malicious Word document named IsisAttackInNewYork.docx, and the document appears to leverage the DDE technique. In this case, the first-stage payload was a PowerShell script that downloads another base64 encoded PowerShell script. After that, the second-stage payload script downloads a new variant of Seduploader, which is spyware capable of taking screenshots, gathering sensitive data, and other intrusive activities. Preventions: If a document contains embedded malicious DDE code, it shows the following warning to users as they open it. Fig 21: Microsoft Word warning The best way to prevent this DDE attack vector is to click “No” when this dialog box appears; this will stop further execution of the malware. Another way to prevent this attack is to disable it by modifying the registry. Microsoft has also published security advisoryfor securely opening Microsoft documents that contain a DDE field. Conclusion: Attackers are abusing the Microsoft DDE protocol to download and execute malware using PowerShell. In an earlier case, PowerShell led to an entire post-exploitation framework used for penetration testing. But attackers are using the framework for malicious purposes, such as stealing a user’s sensitive information, uploading and executing malware on a user’s machine, altering the user’s data, and so on. In recent cases, the DDE protocol led to ransomware, including Locky, which encrypts the victim’s data and demands ransom for the decryption. The malware analyzed in this blog is detected as COM.Downloader.DDE
  6. gigiRoman
    Un roman isi cumpara o inteligenta artificiala Sophia(zeita intelepciunii) si aia il futea la icre cu inteligenta sa. La care ii spune omul: "Da, ho, fa! Ia mai taci, bine ca esti tu desteapta". Ea avand o inteligenta emotionala se incurajeaza, se conecteaza la serverele pornhub si se pune pe treaba si invata toate pozitiile, inclusiv expresia faciala a suptului. Dupa care el ii ia un vagin inteligent de la nest caruia poate sa ii seteze temperatura, umiditatea si gradul de librifiere prin intermediul telefonului mobil, ca sa o programeze din drum spre casa ca pe aerul conditionat. Dp care intra un hacker de sentimente care facea parte din misa si o converteste la lesbianism si Sofia devine primul android din comunitatea LGBTQ si se indragosteste de o lesbiana masculinizata cu mustata de mamaie poreclita Butch, care o paraseste pt un Sistem de Operare IOS 9.0. Si apoi isi varsa amarul in malware si practica raporturi neraportabile cu un psdist din Alexandria si voteaza la mai multe maini pt legalizarea casatoriei intre androizi si aifoni. Si in final fuge cu o masina selfdriving(electrica) si este prinsa de o gasca de tigani care fura benzina direct din cisternele de tren si este vanduta cu tot cu masina la un depozit de fiare vechi si dusa pe vapor la o fabrica de vibratoare inteligente cu gps de otel inoxidabil la care lucreaza minori din bangladesh. END Acum serios, internetul si smartphoneurile nu existau fara consumatorii de pornografie.
  7. gigiRoman
    Viitorul suna bine: O inteligenta artificiala care a crescut printre tigani facea parte din lumea interlopa si ciordea bani din conturile clientilor corporatiei x si a cerut azi politic in coreea de nord.
  8. gigiRoman
    Offtopic: ce legatura are codette.ro cu o conferinta de infosec??? Citez " PY@CODETTE Py@Codette - un workshop unde învățăm fete de liceu și studente să programeze în Python, mâncăm plăcinte și legăm prietenii. De la bazele programării și până la procesare de imagini, sau hacks pentru mail/automatizarea task-urilor făcute pe Facebook și până la game programming" Urmatorul proiect: invatam mamele singure sa programeze in brainfuck. Ireal.
  9. gigiRoman
    https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra
  10. gigiRoman
    Am rezolvat problema ruland nexus root toolkit in bootloader/ twrp. Se poate inchide thread-ul.
  11. gigiRoman
    Salut, Am avut instalat kali nethunter pe un nexus 5 si am dat din prostie factory reset. Ideea e ca acum cand incerc cu nexus root toolkit sa ii fac root din nou primesc mesajul "device not authorized". Am incercat cam tot: reenable developer mode etc, tot ce e in linkul asta: https://tutel.me/c/android/questions/153913/adb+device+unauthorized+android+601+nexus+6p Imi si lipseste la developer options "Revoke USB debugging authorization" Sistem de operare 6.0.1 build M4B30Z. La kernel version imi apare inca root@kali. Pot copia in vreo cale cheia publica a pc-ului? SuperSU nu detecteaza root-ul, dar in twrp inca mai e structura de directoare ca in kali. Multumesc.
  12. gigiRoman
    @nein ca tot s-a reinviat topicul: dc ai cumparat acr122u ce soft ai folosit pt citire scriere? Eu am incercat mai multe, insa doar gototags a mers. Am mai incercat si nfcpy, dar failuia de fiecare data.
  13. gigiRoman
    @dancezar daca il recuperezi sa il pui pe github.
  14. gigiRoman
    Down and Out in Paris and London - George Orwell http://gutenberg.net.au/ebooks01/0100171.txt Descriere: https://bookhub.ro/george-orwell-fara-un-sfant-prin-paris-si-londra/
  15. gigiRoman
    Welcome to brave new world Brave New World By Aldous Leonard Huxley https://www.google.ro/url?sa=t&source=web&rct=j&url=http://www.idph.com.br/conteudos/ebooks/BraveNewWorld.pdf&ved=0ahUKEwiK2PuhiPXWAhULCsAKHXFFDDwQFggkMAA&usg=AOvVaw3r0akUlEvwTYEQDITXnCWR
  16. gigiRoman
    Malware cu a.i. ar fi interesant.
  17. gigiRoman
    BRIEF CONTENTS Foreword by Matt Graeber Preface Chapter 1: C# Crash Course Chapter 2: Fuzzing and Exploiting XSS and SQLInjection Chapter 3: Fuzzing SOAP Endpoints Chapter 4: Writing Connect-Back, Binding, and Metasploit Payloads Chapter 5: Automating Nessus Chapter 6: Automating Nexpose Chapter 7: Automating OpenVAS Chapter 8: Automating Cuckoo Sandbox Chapter 9: Automating sqlmap Chapter 10: Automating ClamAV Chapter 11: Automating Metasploit Chapter 12: Automating Arachni Chapter 13: Decompiling and Reversing Managed Assemblies Chapter 14: Reading Offline Registry Hives https://www.google.ro/url?sa=t&source=web&rct=j&url=https://dl.kuroy.me/foreign/learnflakes/Brandon%20Perry%20-%20Gray%20Hat%20C%23/Brandon%20Perry%20-%20Gray%20Hat%20C%23_%20A%20Hacker%27s%20Guide%20to%20Creating%20and%20Automating%20Security%20Tools.pdf&ved=0ahUKEwjk_NfE74nYAhVS46QKHQNyCC4QFggjMAA&usg=AOvVaw1eTppV_6dAAZgoATyu8nOR https://smtebooks.com/Downloads/5794/gray-hat-c-pdf https://github.com/brandonprry/gray_hat_csharp_code https://books.google.ro/books?id=uAYvDwAAQBAJ&pg=PA130&lpg=PA130&dq=Gray+Hat+C%23:+Creating+and+Automating+Security+Tools+pdf&source=bl&ots=ZmCsAeFAsJ&sig=TmcTTAcgaYNH5c6nwy33VaY6fhQ&hl=ro&sa=X&ved=0ahUKEwiKnZr3w-bWAhXMKVAKHexJAA04ChDoAQgkMAE#v=onepage&q=Gray Hat C%23%3A Creating and Automating Security Tools pdf&f=false
  18. gigiRoman
    https://www.tutorialspoint.com/csharp/ https://thenewboston.com/page.php?pid=919 https://www.edx.org/course?search_query=C%23
  19. gigiRoman
    https://www.google.ro/imgres?imgurl=https%3A%2F%2F2.bp.blogspot.com%2F-HgsWcGo1WJU%2FVASkHyABL8I%2FAAAAAAAAlrw%2FIGRoa9EdI6g%2Fw1200-h630-p-k-no-nu%2FDSC02265.JPG&imgrefurl=http%3A%2F%2F2sprenicaieri.blogspot.com%2F2014%2F09%2Falbania.html&docid=EFZg_68C15EJOM&tbnid=QlEsNLSnthtt2M%3A&vet=10ahUKEwjp7-CAg6_WAhUBuxQKHXN0A4kQMwgyKAMwAw..i&w=1200&h=630&itg=1&client=ms-android-google&bih=604&biw=412&q=albania mici pula&ved=0ahUKEwjp7-CAg6_WAhUBuxQKHXN0A4kQMwgyKAMwAw&iact=mrc&uact=8
  20. gigiRoman
    Parkinson's law of triviality https://en.m.wikipedia.org/wiki/Law_of_triviality
  21. gigiRoman

    CV - Pentester

    gigiRoman replied to dadoes's topic in Off-topic

    https://www.linkedin.com/in/munteanu-alexandru-61738278/ Sau https://www.linkedin.com/search/results/index/?keywords=pentester&origin=GLOBAL_SEARCH_HEADER Sau https://www.linkedin.com/search/results/people/?keywords=pentester&origin=SWITCH_SEARCH_VERTICAL
  22. gigiRoman
    Am fost la un interviu de security si am avut niste intrebari. Dupa aproximativ 3 saptamani, in timp ce cautam resurse despre cartea blue team field manual, am descoperit blogul lui https://danielmiessler.com/study/infosec_interview_questions/#gs.9CoId30 care continea in proportie de 90% intrebarile pe care mi le-au pus. Poate va este de ajutor.
  23. gigiRoman
    BASELINE – SANS & Offensive-Security am gasit linkul asta, dar nu stiu cat e de sigur. Nu am reusit sa descarc nimic inca. http://fullsoftshare.com/2017/07/28/baseline-sans-offensive-security/ Published July 28, 2017 by fssuploader BASELINE – SANS & Offensive-Security BASELINE - SANS & Offensive-Security BASELINE – SANS & Offensive-Security File size: 85 GB The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S. for-profit company founded in 1989 that specializes in information security and cybersecurity training. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and audit. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The Institute has been recognized for its training programs and certification programs. SANS stands for SysAdmin, Audit, Network and Security. BASELINE – SANS & Offensive-Security SANS Programs The SANS Institute sponsors the Internet Storm Center, an internet monitoring system staffed by a global community of security practitioners, and the SANS Reading Room, a research archive of information security policy and research documents. SANS is one of the founding organizations of the Center for Internet Security. SANS offers news and analysis through Twitter feeds and e-mail newsletters. Additionally, there is a weekly news and vulnerability digest available to subscribers. SANS training When originally organized in 1989, SANS training events functioned like traditional technical conferences showcasing technical presentations. By the mid-1990s, SANS offered events which combined training with tradeshows. Beginning in 2006, SANS offered asynchronous online training (SANS OnDemand) and a virtual, synchronous classroom format (SANS vLive). Free webcasts and email newsletters (@Risk, Newsbites, Ouch!) have been developed in conjunction with security vendors. The actual content behind SANS training courses and training events remain “vendor-agnostic.” Vendors cannot pay to offer their own official SANS course, although they can teach a SANS “hosted” event via sponsorship. In 1999, the SANS Institute formed Global Information Assurance Certification (GIAC), an independent entity that grants certifications in information security topics. It has developed and operates NetWars, a suite of interactive learning tools for simulating scenarios such as cyberattacks. NetWars is in use by the US Air Force and the US Army. SANS Technology Institute As of 2006 SANS established the SANS Technology Institute, a graduate school based on SANS training and GIAC certifications. On November 21, 2013, SANS Technology Institute was granted regional accreditation by the Middle States Commission on Higher Education. SANS Technology Institute focuses exclusively on cybersecurity, offering two Master of Science degree programs (in Information Security Engineering (MSISE) and Information Security Management (MSISM)), and four post-baccalaureate certificate programs (Penetration Testing & Ethical Hacking, Incident Response, Cyber Defense Operations, and Cybersecurity Engineering (Core)). SANS continues to offer free security content via the SANS Technology Institute Leadership Lab and IT/Security related leadership information. BASELINE – SANS & Offensive-Security Download Rapidgator.net Offensive-Security - 101.tar.gz Offensive-Security - AWE - Advanced Windows Exploitation 1.1.tar.gz Offensive-Security - AWE - Advanced Windows Exploitation 2.0.tar.gz Offensive-Security - CTP - Cracking the Perimeter 1.0.tar.gz Offensive-Security - OSWP - WiFu.tar.gz Offensive-Security - PWB - Penetration Testing with Backtrack.tar.gz Offensive-Security - PWK - Penetration Testing with Kali.tar.gz SANS 401 - Security Essentials Bootcamp Style.tar.gz SANS 408 - Windows Forensic Analysis.tar.gz SANS 410 - ICS & SCADA Security Essentials.tar.gz SANS 414 - Training Program for CISSP Certification.tar.gz SANS 502 - Perimeter Protection In-Depth.tar.gz SANS 503 - Intrusion Detection In-Depth.tar.gz SANS 504 - Hacker Tools, Techniques, Exploits, and Incident Handling.tar.gz SANS 505 - Sans Securing Windows with PowerShell.tar.gz SANS 506 - Securing Linux & UNIX.tar.gz SANS 507 - Auditing & Monitoring Networks, Perimeters & Systems.tar.gz SANS 508 - Advanced Digital Forensics and Incident Response.tar.gz SANS 509 - Securing Oracle Database.tar.gz SANS 511 - Continuous Monitoring and Security Operations.tar.gz SANS 512 - Security Leadership Essentials for Managers.tar.gz SANS 517 - Cutting Edge Hacking Techniques.tar.gz SANS 518 - Mac Forensic Analysis.tar.gz SANS 524 - Cloud Security Fundamentals.tar.gz SANS 526 - Memory Forensics In-Depth.tar.gz SANS 531 - Windows Command Line Kung Fu.tar.gz SANS 542 - Web App Penetration Testing and Ethical Hacking.tar.gz uploading . . . UploadGiG.com Offensive-Security - 101.tar.gz Offensive-Security - AWE - Advanced Windows Exploitation 1.1.tar.gz Offensive-Security - AWE - Advanced Windows Exploitation 2.0.tar.gz Offensive-Security - CTP - Cracking the Perimeter 1.0.tar.gz Offensive-Security - OSWP - WiFu.tar.gz Offensive-Security - PWB - Penetration Testing with Backtrack.tar.gz Offensive-Security - PWK - Penetration Testing with Kali.tar.gz SANS 401 - Security Essentials Bootcamp Style.tar.gz SANS 408 - Windows Forensic Analysis.tar.gz SANS 410 - ICS & SCADA Security Essentials.tar.gz SANS 414 - Training Program for CISSP Certification.tar.gz SANS 502 - Perimeter Protection In-Depth.tar.gz SANS 503 - Intrusion Detection In-Depth.tar.gz SANS 504 - Hacker Tools, Techniques, Exploits, and Incident Handling.tar.gz SANS 505 - Sans Securing Windows with PowerShell.tar.gz SANS 506 - Securing Linux & UNIX.tar.gz https://uploadgig.com/file/download/975524f2B073d2cF/SANS 506 - Securing Linux UNIX.part1.rar https://uploadgig.com/file/download/877882ab1378a1a0/SANS 506 - Securing Linux UNIX.part2.rar https://uploadgig.com/file/download/dcADBc7114aad38b/SANS 506 - Securing Linux UNIX.part3.rar https://uploadgig.com/file/download/Dbe9Ab046178f56a/SANS 506 - Securing Linux UNIX.part4.rar https://uploadgig.com/file/download/1f3f0e77c76cddd6/SANS 506 - Securing Linux UNIX.part5.rar https://uploadgig.com/file/download/8c1b772C1222Ac73/SANS 506 - Securing Linux UNIX.part6.rar https://uploadgig.com/file/download/fb0fc2E40868D54f/SANS 506 - Securing Linux UNIX.part7.rar SANS 507 - Auditing & Monitoring Networks, Perimeters & Systems.tar.gz https://uploadgig.com/file/download/BD8c8f0218738304/SANS 507 - Auditing Monitoring Networks Perimeters Systems.part1.rar https://uploadgig.com/file/download/Eb50aba295106d91/SANS 507 - Auditing Monitoring Networks Perimeters Systems.part2.rar https://uploadgig.com/file/download/fd70Aa1DaeA60d17/SANS 507 - Auditing Monitoring Networks Perimeters Systems.part3.rar https://uploadgig.com/file/download/f22154242eb4bf1A/SANS 507 - Auditing Monitoring Networks Perimeters Systems.part4.rar SANS 508 - Advanced Digital Forensics and Incident Response.tar.gz https://uploadgig.com/file/download/2b4E28ce70B4D65a/SANS 508 - Advanced Digital Forensics and Incident Response.part1.rar https://uploadgig.com/file/download/052a3D9165f5cbed/SANS 508 - Advanced Digital Forensics and Incident Response.part2.rar https://uploadgig.com/file/download/34AEcA71c483fe15/SANS 508 - Advanced Digital Forensics and Incident Response.part3.rar https://uploadgig.com/file/download/d09D89e63a1e9C6F/SANS 508 - Advanced Digital Forensics and Incident Response.part4.rar https://uploadgig.com/file/download/0ae477221beC1d39/SANS 508 - Advanced Digital Forensics and Incident Response.part5.rar https://uploadgig.com/file/download/69a7C0Ee66d2a7f3/SANS 508 - Advanced Digital Forensics and Incident Response.part6.rar SANS 509 - Securing Oracle Database.tar.gz SANS 511 - Continuous Monitoring and Security Operations.tar.gz SANS 512 - Security Leadership Essentials for Managers.tar.gz SANS 517 - Cutting Edge Hacking Techniques.tar.gz SANS 518 - Mac Forensic Analysis.tar.gz SANS 524 - Cloud Security Fundamentals.tar.gz SANS 526 - Memory Forensics In-Depth.tar.gz SANS 531 - Windows Command Line Kung Fu.tar.gz SANS 542 - Web App Penetration Testing and Ethical Hacking.tar.gz https://uploadgig.com/file/download/409b75588e220737/SANS 542 - Web App Penetration Testing and Ethical Hacking.part1.rar https://uploadgig.com/file/download/c42A296e4Ed08fb5/SANS 542 - Web App Penetration Testing and Ethical Hacking.part2.rar https://uploadgig.com/file/download/cf4e28bE56c331b9/SANS 542 - Web App Penetration Testing and Ethical Hacking.part3.rar https://uploadgig.com/file/download/800cb7d93020cFbE/SANS 542 - Web App Penetration Testing and Ethical Hacking.part4.rar uploading . . .
  24. gigiRoman
    Information Security Interview Questions Daniel Miessler Information Security Interview Questions Home » Study » Information Security Interview Questions The Philosophy of Technical Interviews Encryption Security Wisdom Network Security Application Security Business Risk The Onion Model The Role-playing Model Innovation Questions What follows is a list of questions for use in vetting candidates for positions in Information Security. The list has evolved over the years, as I think it should, and I think represents a good balance between technical content and the philosophy around desired answers. [ For overall InfoSec career advice, be sure to check out my new article titled: How to Build a Successful Information Security Career ] THE PHILOSOPHY OF TECHNICAL INTERVIEWS Perhaps the worst mistake you can make when doing technical interviews is filtering people out that you shouldn’t due to fetishization of the interview process and an unfounded belief in the correlation between answers to the questions and a potential employee’s performance. Google figured this out many years ago, and they started focusing on scenario and behavior-based interviews instead of those based on specific (gotcha) nuggets of information. They figured out it’s not about asking hard things that can easily be looked up, but rather understanding how people approach problems, what their talents and interests are, and what work they have done in the past. Sadly this is not yet understood by most interviewers and HR departments, and they’re still stuck in the mode of asking magic questions and looking for their favorite pet answers. The process has been shown to be highly biased, with interviews basically looking for people who fit their particular model of good (which usually matches something like themselves). Google found that this doesn’t work. It has no mapping to success as an employee whatsoever. I rely on the data more than my anecdotes, but as someone who’s given many, many technical interviews, I can tell you that this is consistent with my experience. I’ve hired people who are star performers that effectively failed at these questions, and we have people who crushed them and floundered once hired. The lesson here is not to avoid technical questions: It’s that you need to be cautious of the tendency to fetishize them and your own interviewing skills, and realize that different roles have different requirements for success that may or may not correlate with the questions you’re asking. Anyway, with that said, here are the questions. ENCRYPTION DESCRIBE THE PROCESS OF A TLS SESSION BEING SET UP WHEN SOMEONE VISITS A SECURE WEBSITE. WISDOM ARE OPEN-SOURCE PROJECTS MORE OR LESS SECURE THAN PROPRIETARY ONES? The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture. The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps. HOW DO YOU CHANGE YOUR DNS SETTINGS IN LINUX/WINDOWS? Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world. WHAT’S THE DIFFERENCE BETWEEN ENCODING, ENCRYPTION, AND HASHING? Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use. Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input. WHAT’S MORE SECURE, SSL OR HTTPS? Trick question: these are not mutually exclusive. Look for a smile like they caught you in the cookie jar. If they’re confused, then this should be for an extremely junior position. CAN YOU DESCRIBE RAINBOW TABLES? Look for a thorough answer regarding overall password attacks and how rainbow tables make them faster. WHAT IS SALTING, AND WHY IS IT USED? You purposely want to give the question without context. If they know what salting is just by name, they’ve either studied well or have actually been exposed to this stuff for a while. WHO DO YOU LOOK UP TO WITHIN THE FIELD OF INFORMATION SECURITY? WHY? A standard question type. All we’re looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security. If they name a bunch of hackers/criminals that’ll tell you one thing, and if they name a few of the pioneers that’ll say another. If they don’t know anyone in Security, we’ll consider closely what position you’re hiring them for. Hopefully it isn’t a junior position. WHERE DO YOU GET YOUR SECURITY NEWS FROM? Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “I wait until someone tells me about events.”. It’s these types of answers that will tell you he’s likely not on top of things. IF YOU HAD TO BOTH ENCRYPT AND COMPRESS DATA DURING TRANSMISSION, WHICH WOULD YOU DO FIRST, AND WHY? If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression. WHAT’S THE DIFFERENCE BETWEEN SYMMETRIC AND PUBLIC-KEY CRYPTOGRAPHY Standard stuff here: single key vs. two keys, etc, etc. IN PUBLIC-KEY CRYPTOGRAPHY YOU HAVE A PUBLIC AND A PRIVATE KEY, AND YOU OFTEN PERFORM BOTH ENCRYPTION AND SIGNING FUNCTIONS. WHICH KEY IS USED FOR WHICH FUNCTION? You encrypt with the other person’s public key, and you sign with your own private. If they confuse the two, don’t put them in charge of your PKI project. WHAT KIND OF NETWORK DO YOU HAVE AT HOME? Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I get enough computers when I’m at work…” I’ve yet to meet a serious security guy who doesn’t have a considerable home network–or at least access to one, even if it’s not at home. WHAT ARE THE ADVANTAGES OFFERED BY BUG BOUNTY PROGRAMS OVER NORMAL TESTING PRACTICES? You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc. WHAT ARE YOUR FIRST THREE STEPS WHEN SECURING A LINUX SERVER? Their list isn’t key here (unless it’s bad); the key is to not get panic. WHAT ARE YOUR FIRST THREE STEPS WHEN SECURING A WINDOWS SERVER? Their list isn’t key here (unless it’s bad); the key is to not get panic. WHO’S MORE DANGEROUS TO AN ORGANIZATION, INSIDERS OR OUTSIDERS? Ideally you’ll hear inquiry into what’s meant by “dangerous”. Does that mean more likely to attack you, or more dangerous when they do? WHY IS DNS MONITORING IMPORTANT? If they’re familiar with infosec shops of any size, they’ll know that DNS requests are a treasure when it comes to malware indicators. NETWORK SECURITY WHAT PORT DOES PING WORK OVER? A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols. DO YOU PREFER FILTERED PORTS OR CLOSED PORTS ON YOUR FIREWALL? Look for a discussion of security by obscurity and the pros and cons of being visible vs. not. There can be many signs of maturity or immaturity in this answer. HOW EXACTLY DOES TRACEROUTE/TRACERT WORK AT THE PROTOCOL LEVEL? This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions. The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP. WHAT ARE LINUX’S STRENGTHS AND WEAKNESSES VS. WINDOWS? Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world. CRYPTOGRAPHICALLY SPEAKING, WHAT IS THE MAIN METHOD OF BUILDING A SHARED SECRET OVER A PUBLIC MEDIUM? Diffie-Hellman. And if they get that right you can follow-up with the next one. WHAT’S THE DIFFERENCE BETWEEN DIFFIE-HELLMAN AND RSA? Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable. WHAT KIND OF ATTACK IS A STANDARD DIFFIE-HELLMAN EXCHANGE VULNERABLE TO? Man-in-the-middle, as neither side is authenticated. APPLICATION SECURITY DESCRIBE THE LAST PROGRAM OR SCRIPT THAT YOU WROTE. WHAT PROBLEM DID IT SOLVE? All we want to see here is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required. HOW WOULD YOU IMPLEMENT A SECURE LOGIN FIELD ON A HIGH TRAFFIC WEBSITE WHERE PERFORMANCE IS A CONSIDERATION? We’re looking for a basic understanding of the issue of wanting to serve the front page in HTTP, while needing to present the login form via HTTPs, and how they’d recommend doing that. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP. Blank stares here mean that they’ve never seen or heard of this problem, which means they’re not likely to be anything near pro level. WHAT ARE THE VARIOUS WAYS TO HANDLE ACCOUNT BRUTE FORCING? Look for discussion of account lockouts, IP restrictions, fail2ban, etc. WHAT IS CROSS-SITE REQUEST FORGERY? Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically). HOW DOES ONE DEFEND AGAINST CSRF? Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for. IF YOU WERE A SITE ADMINISTRATOR LOOKING FOR INCOMING CSRF ATTACKS, WHAT WOULD YOU LOOK FOR? This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we already implement nonces?”, or, “That depends on whether we already have controls in place…” Undesired answers are things like checking referrer headers, or wild panic. WHAT’S THE DIFFERENCE BETWEEN HTTP AND HTML? Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again, the main thing you’re looking for is for him not to panic. HOW DOES HTTP HANDLE STATE? It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself. WHAT EXACTLY IS CROSS SITE SCRIPTING? You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually JavaScript) within their browser. WHAT’S THE DIFFERENCE BETWEEN STORED AND REFLECTED XSS? Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site. WHAT ARE THE COMMON DEFENSES AGAINST XSS? Input Validation/Output Sanitization, with focus on the latter. CORPORATE/RISK WHAT IS THE PRIMARY REASON MOST COMPANIES HAVEN’T FIXED THEIR VULNERABILITIES? This is a bit of a pet question for me, and I look for people to realize that companies don’t actually care as much about security as they claim to–otherwise we’d have a very good remediation percentage. Instead we have a ton of unfixed things and more tests being performed. Look for people who get this, and are ok with the challenge. WHAT’S THE GOAL OF INFORMATION SECURITY WITHIN AN ORGANIZATION? This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.” This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around. WHAT’S THE DIFFERENCE BETWEEN A THREAT, VULNERABILITY, AND A RISK? As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few differing schools on this. Just look for solid answers that are self-consistent. IF YOU WERE TO START A JOB AS HEAD ENGINEER OR CSO AT A FORTUNE 500 COMPANY DUE TO THE PREVIOUS GUY BEING FIRED FOR INCOMPETENCE, WHAT WOULD YOUR PRIORITIES BE? [IMAGINE YOU START ON DAY ONE WITH NO KNOWLEDGE OF THE ENVIRONMENT] We don’t need a list here; we’re looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What’s being logged an audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation. AS A CORPORATE INFORMATION SECURITY PROFESSIONAL, WHAT’S MORE IMPORTANT TO FOCUS ON: THREATS OR VULNERABILITIES? This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats. Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date. Both are true, of course; the key is to hear what they have to say on the matter. THE ONION MODEL The questions above are fairly straightforward. They are, generally, negative filters, i.e. they’re designed to excluded candidates for having glaring weaknesses. If you are dealing with a more advanced candidate then one approach I recommend taking is that of the onion model. The Onion Model of interviewing starts at the surface level and then dives deeper and deeper—often to a point that the candidate cannot go. This is terrifically revealing, as it shows not only where a candidate’s knowledge stops, but also how they deal with not knowing something. One component of this cannot be overstated: Using this method allows you to dive into the onion in different ways, so even candidates who have read this list, for example, will not have perfect answers even if you ask the same question. An example of this would be starting with: How does traceroute work? They get this right, so you go to the next level. What protocol does it use? This is a trick question, as it can use lots of options, depending on the tool. Then you move on. Describe a Unix traceroute hitting google.com at all seven layers of the OSI model. Etc. It’s deeper and deeper exploration of a single question. Here’s a similar option for the end-phase of such a question. IF I’M ON MY LAPTOP, HERE INSIDE MY COMPANY, AND I HAVE JUST PLUGGED IN MY NETWORK CABLE. HOW MANY PACKETS MUST LEAVE MY NIC IN ORDER TO COMPLETE A TRACEROUTE TO TWITTER.COM? The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you’re looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the fact of the interviewee. This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous, “What happens when I go to Google.com?” HOW WOULD YOU BUILD THE ULTIMATE BOTNET? Answers here can vary widely; you want to see them cover the basics: encryption, DNS rotation, the use of common protocols, obscuring the heartbeat, the mechanism for providing updates, etc. Again, poor answers are things like, “I don’t make them; I stop them.” ROLE-PLAYING AS AN ALTERNATIVE TO THE ONION MODEL Another option for going to increasing depth, is to role-play with the candidate. You present them a problem, and they have to troubleshoot. I had one of these during an interview and it was quite valuable. You would tell them, for example, that they’ve been called in to help a client who’s received a call from their ISP stating that one or more computers on their network have been compromised. And it’s their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. “I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 8.8.8.8.” And you can then say yes or no, etc. From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity. INNOVATION QUESTIONS At the top tier of technical security roles you may want someone who is capable of designing as well as understanding. In these cases you can also ask questions about design flaws, how they would improve a given protocol, etc. These questions separate good technical people from top technical people, and I imagine less than 1% of those in infosec would even attempt to answer any of these. Here are a few examples: What are the primary design flaws in HTTP, and how would you improve it? If you could re-design TCP, what would you fix? What is the one feature you would add to DNS to improve it the most? What is likely to be the primary protocol used for the Internet of Things in 10 years? If you had to get rid of a layer of the OSI model, which would it be? [ NOTE: You can ask infinite variations of these, of course. Asking for three options instead of one, or asking them to rank the results, etc. ] It’s important to note with these questions that you could have a superstar analyst who knows nothing about these matters while someone who is at this level would make a poor forensic expert. It’s all about matching skills to roles. CONCLUSION For more on hiring overall, I recommend doing a good amount of research. Most important to learn, as I talked about above, is the limitations of interviews. Use other data available to you whenever possible, and above everything else: Be extremely cautious of anyone who thinks they can spot “the one” because they’re good at it.. Bias is a major problem in interviewing, and it’s likely that someone with a steadfast belief in his or her interview brilliance is doing harm to your organization by introducing bad candidates. When possible, do what Google did: Explore the data. Look at how candidates did in interviews relative to how they did on the job. Wherever you have mismatches you have a problem with your process. Feel free to contact me if you have any comments on the questions, or if you have an ideas for additions. CREATED: MARCH 2007 | UPDATED: JUNE 2017 NOTES Here is an article about Google revealing the ineffectiveness of their brainteaser questions. As a hiring organization, be cautious of any interviewer that has an ego or attitude. The odds of you getting any good data from them is low. The name of the game is reducing bias, and that type has a lot of it. Also beware that any interviewee who is extremely nervous is not performing their best. As an interviewer your job should be to get them relaxed enough to perform the way they will at work, and to reduce any tension that’s preventing that from happening. Always try to combine any interview with a work sample, and/or great reference data. I have had these questions asked to me on numerous interviews. It’s quite humorous when they find out they’re reading from my website. The June 2017 update was a rewrite based on an evolving view of technical interviews. Check out the Philosophy section above to learn about that evolution. A key question you should be asking yourself with these types of questions is whether it’s something they should know off the top of their head, or if it’s something they should be able to research quickly and find out. If it’s the latter, then why are we asking them to recite it from memory? That’s the old style of interviewing, and it is not effective in predicting real-world success. LEAVE A COMMENT OR SHARE Twitter Facebook LinkedIn Mail No related posts. NEWSLETTER Every Sunday I put out a list of the most interesting stories in infosec, technology, and humans. I do the research, you get the benefits. Over 10K subscribers. Support more content like this… RSS Twitter Github Facebook Netsparker: find vulnerabilities in your web applications before someone else does. RECOMMENDED No related posts. NEWSLETTER Every Sunday I put out a list of the most interesting stories in infosec, technology, and humans. I do the research, you get the benefits. Over 10K subscribers. SUPPORT THE SITE © Daniel Miessler 1999-2017 Share Stack Privacy Media 1071565 sursa: https://danielmiessler.com/study/infosec_interview_questions/#gs.591eTk0
      • 1
      • Upvote
  25. gigiRoman
    http://fuzzysecurity.com/tutorials.html Sursa: https://blog.g0tmi1k.com/2013/08/cracking-perimeter-ctp-offensive/ Exploit Development (Tutorials) https://www.corelan.be/index.php/articles/*Highly Recommend* http://fuzzysecurity.com/tutorials.html*Highly Recommend* Exploit Development (Vulnerable Code) http://exploit-exercises.com/protostar http://exploit-exercises.com/fusion Exploit Development (Misc) sickn3ss ~ http://ihazomgsecurityskillz.blogspot.com/ OpenSecurity ~ http://opensecuritytraining.info/Training.html Books The Shellcoder's Handbook [ISBN-13: 978-0-76454-468-2] ~ http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/0764544683 Bug Hunter's Diary [ISBN-13: 978-1-59327-385-9] ~ http://nostarch.com/bughunter The Art of Exploitation (2nd Edition) [ISBN-13: 978-1-59327-144-2] ~ http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441 The Web Application Hacker's Handbook (2nd Edition) [ISBN-13: 978-1-11802-647-2] ~ http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470 Metasploit: The Penetration Tester's Guide [ISBN-13: 978-159-3-27288-3] ~ http://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X Brute Force Vulnerability Discovery [ISBN-13: 978-032-1-44611-4] ~ http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119 Assembly Language Step-by-Step: Programming with Linux [ISBN-13: 978-047-04-9702-9] ~ http://www.amazon.com/Assembly-Language-Step-Step-Programming/dp/0470497025 Learning OllyDBG Lena's Reversing for Newbies ~ http://tuts4you.com/download.php?list.17 OllyDbg Tutorials ~ http://tuts4you.com/download.php?list.29 OllyDbg Plugins ~ http://tuts4you.com/download.php?list.3 OpenRCE ~ http://www.openrce.org/downloads/ Learning GDB SecurityTube's SLAE (SecurityTube Linux Assembly Expert) course ~ http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/index.html Learning IDA Pro IDA Pro Disassembler & Debugger ~ http://tuts4you.com/download.php?list.67 Free IDA Pro Binary Auditing Training Material for University Lectures ~ http://www.binary-auditing.com/
×
×
  • Create New...