From feb98f4cbc5482be16302a4ebc7b6a359a68bc22 Mon Sep 17 00:00:00 2001 From: ErdemOzgen <14043035+ErdemOzgen@users.noreply.github.com> Date: Mon, 13 Jan 2025 08:40:35 +0300 Subject: [PATCH] Add Cyber section --- content/AI&DATA/Prompt Engineering.md | 2 + .../Checklist - Linux Privilege Escalation.md | 137 ++++++++++++++++++ .../CyberSecurity/Enumeration Techniques.md | 60 ++++++++ content/CyberSecurity/Exfiltrate Data.md | 8 + content/CyberSecurity/Folder shm.md | 99 +++++++++++++ content/CyberSecurity/Thread Modeling.md | 45 ++++++ content/CyberSecurity/Untitled.md | 0 content/Ideas.md | 4 + 8 files changed, 355 insertions(+) create mode 100644 content/AI&DATA/Prompt Engineering.md create mode 100644 content/CyberSecurity/Checklist - Linux Privilege Escalation.md create mode 100644 content/CyberSecurity/Enumeration Techniques.md create mode 100644 content/CyberSecurity/Exfiltrate Data.md create mode 100644 content/CyberSecurity/Folder shm.md create mode 100644 content/CyberSecurity/Thread Modeling.md delete mode 100644 content/CyberSecurity/Untitled.md create mode 100644 content/Ideas.md diff --git a/content/AI&DATA/Prompt Engineering.md b/content/AI&DATA/Prompt Engineering.md new file mode 100644 index 000000000..0613d4d93 --- /dev/null +++ b/content/AI&DATA/Prompt Engineering.md @@ -0,0 +1,2 @@ +https://learnprompting.org + diff --git a/content/CyberSecurity/Checklist - Linux Privilege Escalation.md b/content/CyberSecurity/Checklist - Linux Privilege Escalation.md new file mode 100644 index 000000000..305146069 --- /dev/null +++ b/content/CyberSecurity/Checklist - Linux Privilege Escalation.md 
@@ -0,0 +1,137 @@ +### [**Best tool to look for Linux local privilege escalation vectors:**](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#best-tool-to-look-for-linux-local-privilege-escalation-vectors-linpeas) [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#system-information)[System Information](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#system-information) + +- [ ]  Get **OS information** +- [ ]  Check the [**PATH**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#path), any **writable folder**? +- [ ]  Check [**env variables**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#env-info), any sensitive detail? +- [ ]  Search for [**kernel exploits**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits) **using scripts** (DirtyCow?) 
+- [ ]  **Check** if the [**sudo version** is vulnerable](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version) +- [ ]  [**Dmesg** signature verification failed](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed) +- [ ]  More system enum ([date, system stats, cpu info, printers](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#more-system-enumeration)) +- [ ]  [Enumerate more defenses](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#enumerate-possible-defenses) + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#drives)[Drives](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#drives) + +- [ ]  **List mounted** drives +- [ ]  **Any unmounted drive?** +- [ ]  **Any creds in fstab?** + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#installed-software)[**Installed Software**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#installed-software) + +- [ ]  **Check for** [**useful software**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#useful-software) **installed** +- [ ]  **Check for** [**vulnerable software**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#vulnerable-software-installed) **installed** + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#processes)[Processes](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes) + +- [ ]  Is any **unknown software running**? +- [ ]  Is any software running with **more privileges than it should have**? +- [ ]  Search for **exploits of running processes** (especially the version running). +- [ ]  Can you **modify the binary** of any running process? 
+- [ ]  **Monitor processes** and check if any interesting process is running frequently. +- [ ]  Can you **read** some interesting **process memory** (where passwords could be saved)? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#scheduledcron-jobs)[Scheduled/Cron jobs?](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduled-jobs) + +- [ ]  Is the [**PATH**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#cron-path) being modified by some cron and you can **write** in it? +- [ ]  Any [**wildcard**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#cron-using-a-script-with-a-wildcard-wildcard-injection) in a cron job? +- [ ]  Some [**modifiable script**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#cron-script-overwriting-and-symlink) is being **executed** or is inside **modifiable folder**? +- [ ]  Have you detected that some **script** could be or are being [**executed** very **frequently**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs)? (every 1, 2 or 5 minutes) + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#services)[Services](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services) + +- [ ]  Any **writable .service** file? +- [ ]  Any **writable binary** executed by a **service**? +- [ ]  Any **writable folder in systemd PATH**? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#timers)[Timers](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers) + +- [ ]  Any **writable timer**? 
+ +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#sockets)[Sockets](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets) + +- [ ]  Any **writable .socket** file? +- [ ]  Can you **communicate with any socket**? +- [ ]  **HTTP sockets** with interesting info? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#d-bus)[D-Bus](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus) + +- [ ]  Can you **communicate with any D-Bus**? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#network)[Network](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#network) + +- [ ]  Enumerate the network to know where you are +- [ ]  **Open ports you couldn't access before** getting a shell inside the machine? +- [ ]  Can you **sniff traffic** using `tcpdump`? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#users)[Users](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users) + +- [ ]  Generic users/groups **enumeration** +- [ ]  Do you have a **very big UID**? Is the **machine** **vulnerable**? +- [ ]  Can you [**escalate privileges thanks to a group**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html) you belong to? +- [ ]  **Clipboard** data? +- [ ]  Password Policy? +- [ ]  Try to **use** every **known password** that you have discovered previously to login **with each**possible **user**. Try to login also without a password. 
+ +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#writable-path)[Writable PATH](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses) + +- [ ]  If you have **write privileges over some folder in PATH** you may be able to escalate privileges + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#sudo-and-suid-commands)[SUDO and SUID commands](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid) + +- [ ]  Can you execute **any command with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io/)) +- [ ]  Is any **exploitable SUID binary**? ([**GTFOBins**](https://gtfobins.github.io/)) +- [ ]  Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-execution-bypassing-paths)? +- [ ]  [**Sudo/SUID binary without path indicated**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-command-suid-binary-without-command-path)? +- [ ]  [**SUID binary specifying path**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#suid-binary-with-command-path)? Bypass +- [ ]  [**LD_PRELOAD vuln**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ld_preload) +- [ ]  [**Lack of .so library in SUID binary**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#suid-binary-so-injection) from a writable folder? +- [ ]  [**SUDO tokens available**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens)? [**Can you create a SUDO token**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#var-run-sudo-ts-less-than-username-greater-than)? 
+- [ ]  Can you [**read or modify sudoers files**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#etc-sudoers-etc-sudoers-d)? +- [ ]  Can you [**modify /etc/ld.so.conf.d/**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#etc-ld-so-conf-d)? +- [ ]  [**OpenBSD DOAS**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#doas) command + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#capabilities)[Capabilities](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities) + +- [ ]  Has any binary any **unexpected capability**? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#acls)[ACLs](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls) + +- [ ]  Has any file any **unexpected ACL**? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#open-shell-sessions)[Open Shell sessions](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-shell-sessions) + +- [ ]  **screen** +- [ ]  **tmux** + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#ssh)[SSH](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ssh) + +- [ ]  **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#debian-openssl-predictable-prng-cve-2008-0166) +- [ ]  [**SSH Interesting configuration values**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#ssh-interesting-configuration-values) + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#interesting-files)[Interesting 
Files](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#interesting-files) + +- [ ]  **Profile files** - Read sensitive data? Write to privesc? +- [ ]  **passwd/shadow files** - Read sensitive data? Write to privesc? +- [ ]  **Check commonly interesting folders** for sensitive data +- [ ]  **Weird Location/Owned files,** you may have access to or alter executable files +- [ ]  **Modified** in last mins +- [ ]  **Sqlite DB files** +- [ ]  **Hidden files** +- [ ]  **Script/Binaries in PATH** +- [ ]  **Web files** (passwords?) +- [ ]  **Backups**? +- [ ]  **Known files that contains passwords**: Use **Linpeas** and **LaZagne** +- [ ]  **Generic search** + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#writable-files)[**Writable Files**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files) + +- [ ]  **Modify python library** to execute arbitrary commands? +- [ ]  Can you **modify log files**? **Logtotten** exploit +- [ ]  Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit +- [ ]  Can you [**write in ini, int.d, systemd or rc.d files**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#init-init-d-systemd-and-rc-d)? + +### [](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html#other-tricks)[**Other tricks**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#other-tricks) + +- [ ]  Can you [**abuse NFS to escalate privileges**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#nfs-privilege-escalation)? +- [ ]  Do you need to [**escape from a restrictive shell**](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#escaping-from-restricted-shells)? \ No newline at end of file 
diff --git a/content/CyberSecurity/Enumeration Techniques.md b/content/CyberSecurity/Enumeration Techniques.md new file mode 100644 index 000000000..8f59f3584 --- /dev/null +++ b/content/CyberSecurity/Enumeration Techniques.md 
@@ -0,0 +1,60 @@ +### [**Trackers**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/external-recon-methodology/index.html#trackers) + +If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**. +For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages. + +There are some pages and tools that let you search by these trackers and more: + +- [**Udon**](https://github.com/dhn/udon) +- [**BuiltWith**](https://builtwith.com/) +- [**Sitesleuth**](https://www.sitesleuth.io/) +- [**Publicwww**](https://publicwww.com/) +- [**SpyOnWeb**](http://spyonweb.com/) + + +### [**Favicon**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/external-recon-methodology/index.html#favicon) + +Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it: + +bash + +`cat my_targets.txt | xargs -I %% bash -c 'echo "http://%%/favicon.ico"' > targets.txt python3 favihash.py -f https://target/favicon.ico -t targets.txt -s` + +![favihash - discover domains with the same favicon icon hash](https://www.infosecmatter.com/wp-content/uploads/2020/07/favihash.jpg) + +Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target. + +Moreover, you can also search technologies using the favicon hash as explained in [**this blog post**](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139). 
That means that if you know the **hash of the favicon of a vulnerable version of a web tech** you can search if in shodan and **find more vulnerable places**: + +bash + +`shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'` + +This is how you can **calculate the favicon hash** of a web: + +python + +`import mmh3 import requests import codecs def fav_hash(url): response = requests.get(url) favicon = codecs.encode(response.content,"base64") fhash = mmh3.hash(favicon) print(f"{url} : {fhash}") return fhash` + +### [**Copyright / Uniq string**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/external-recon-methodology/index.html#copyright--uniq-string) + +Search inside the web pages **strings that could be shared across different webs in the same organisation**. The **copyright string** could be a good example. Then search for that string in **google**, in other **browsers** or even in **shodan**: `shodan search http.html:"Copyright string"` + + +So you have already: + +1. Found all the **companies** inside the scope +2. Found all the **assets** belonging to the companies (and perform some vuln scan if in scope) +3. Found all the **domains** belonging to the companies +4. Found all the **subdomains** of the domains (any subdomain takeover?) +5. Found all the **IPs** (from and **not from CDNs**) inside the scope. +6. Found all the **web servers** and took a **screenshot** of them (anything weird worth a deeper look?) +7. Found all the **potential public cloud assets** belonging to the company. +8. **Emails**, **credentials leaks**, and **secret leaks** that could give you a **big win very easily**. +9. 
**Pentesting all the webs you found** + + + +- [**https://github.com/yogeshojha/rengine**](https://github.com/yogeshojha/rengine) +- [**https://github.com/j3ssie/Osmedeus**](https://github.com/j3ssie/Osmedeus) +- [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw) diff --git a/content/CyberSecurity/Exfiltrate Data.md b/content/CyberSecurity/Exfiltrate Data.md new file mode 100644 index 000000000..505521404 --- /dev/null +++ b/content/CyberSecurity/Exfiltrate Data.md @@ -0,0 +1,8 @@ +## [Commonly whitelisted domains to exfiltrate information](https://book.hacktricks.wiki/en/generic-hacking/exfiltration.html#commonly-whitelisted-domains-to-exfiltrate-information) + +Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains that can be abused. + +https://book.hacktricks.wiki/en/generic-hacking/exfiltration.html + +https://attack.mitre.org/tactics/TA0010/ + diff --git a/content/CyberSecurity/Folder shm.md b/content/CyberSecurity/Folder shm.md new file mode 100644 index 000000000..1a1804293 --- /dev/null +++ b/content/CyberSecurity/Folder shm.md 
@@ -0,0 +1,99 @@ +/dev/shm/ + +`/dev/shm` is not a single file but rather a directory found in Unix-like operating systems (such as Linux). It stands for "shared memory" and is used to provide a temporary file storage filesystem (typically mounted as a `tmpfs`). Here's a detailed explanation of what `/dev/shm` is and how it functions: + +### What is `/dev/shm`? + +- **Shared Memory Filesystem (`tmpfs`):** + - `/dev/shm` is mounted as a `tmpfs`, which is a temporary file storage paradigm that uses volatile memory (RAM) for storage. + - Being in RAM, data stored in `/dev/shm` is fast to read and write compared to disk-based storage. + +- **Purpose:** + - It facilitates inter-process communication (IPC) by allowing processes to share data through memory-mapped files. + - Commonly used by applications that require high-speed data access and sharing, such as databases, multimedia processing, and scientific computations. + +### How `/dev/shm` Works + +- **Mounting:** + - On most Linux systems, `/dev/shm` is automatically mounted at boot time. + - You can check if it's mounted by running: + ```bash + df -h /dev/shm + ``` + +- **Usage:** + - Applications can create files or directories within `/dev/shm` just like any other filesystem. + - These files are treated as temporary and exist only in memory; they are cleared when the system is rebooted or when unmounted. + +- **Access Permissions:** + - By default, `/dev/shm` is accessible to all users, but permissions can be restricted to enhance security. + - It's typically owned by the `root` user with permissions set to `1777` (read, write, and execute permissions for everyone, with the sticky bit set). + +### Common Use Cases + +1. **Inter-Process Communication (IPC):** + - Processes can communicate by reading and writing to shared memory segments within `/dev/shm`, allowing for efficient data exchange without the overhead of disk I/O. + +2. 
**Temporary Storage for Applications:** + - Applications that require fast access to temporary data can use `/dev/shm` to store intermediate results or cache data. + +3. **Performance Optimization:** + - Storing frequently accessed data in `/dev/shm` can significantly speed up applications by reducing access latency. + +### Managing `/dev/shm` + +- **Size Configuration:** + - The size of `/dev/shm` is typically set to half of the system's physical RAM by default, but it can be adjusted by modifying system settings. + - To change the size, you can edit the `/etc/fstab` file. For example: + ``` + tmpfs /dev/shm tmpfs defaults,size=2G 0 0 + ``` + This sets `/dev/shm` to 2 GB. + +- **Monitoring Usage:** + - You can monitor the usage of `/dev/shm` using standard disk usage tools like `df` or `du`. + ```bash + df -h /dev/shm + du -sh /dev/shm/* + ``` + +### Security Considerations + +- **Data Volatility:** + - Since `/dev/shm` resides in RAM, data is lost on reboot or if the system crashes. It's not suitable for storing persistent data. + +- **Access Control:** + - Ensure proper permissions are set to prevent unauthorized access to sensitive data stored in `/dev/shm`. + - Regularly audit the contents of `/dev/shm` to detect any unusual or suspicious files. + +- **Potential Risks:** + - If an attacker gains write access to `/dev/shm`, they might exploit it to execute malicious code or perform unauthorized actions. Therefore, securing `/dev/shm` is crucial. + +### Example Usage + +Creating and using a file in `/dev/shm` for quick data storage: + +```bash +# Create a file in /dev/shm +echo "Temporary data" > /dev/shm/tempfile.txt + +# Read the file +cat /dev/shm/tempfile.txt + +# Remove the file +rm /dev/shm/tempfile.txt +``` + +### Alternatives and Related Directories + +- **`/tmp`:** + - Another temporary storage directory, usually backed by disk storage rather than RAM. Slower compared to `/dev/shm` but suitable for larger files that don't fit in memory. 
+ +- **`/run`:** + - A temporary filesystem for storing runtime data, often used for system and application state information during boot and operation. + +### Conclusion + +`/dev/shm` is a powerful feature in Unix-like systems that leverages shared memory for efficient inter-process communication and temporary data storage. By utilizing RAM for storage, it provides high-speed access, which can significantly enhance the performance of applications that require rapid data exchange. However, it’s essential to manage and secure `/dev/shm` appropriately to prevent potential security vulnerabilities and ensure that data integrity is maintained. + +If you have specific questions or need guidance on using `/dev/shm` for a particular application, feel free to ask! \ No newline at end of file diff --git a/content/CyberSecurity/Thread Modeling.md b/content/CyberSecurity/Thread Modeling.md new file mode 100644 index 000000000..1b3ad6d41 --- /dev/null +++ b/content/CyberSecurity/Thread Modeling.md 
@@ -0,0 +1,45 @@ + +**STRIDE** is a model for identifying [computer security](https://en.wikipedia.org/wiki/Computer_security "Computer security") [threats](https://en.wikipedia.org/wiki/Threat_(computer) "Threat (computer)")[[1]](https://en.wikipedia.org/wiki/STRIDE_model#cite_note-1) developed by Praerit Garg and [Loren Kohnfelder](https://en.wikipedia.org/wiki/Loren_Kohnfelder "Loren Kohnfelder") at [Microsoft](https://en.wikipedia.org/wiki/Microsoft "Microsoft").[[2]](https://en.wikipedia.org/wiki/STRIDE_model#cite_note-2) It provides a [mnemonic](https://en.wikipedia.org/wiki/Mnemonic "Mnemonic") for security threats in six categories.[[3]](https://en.wikipedia.org/wiki/STRIDE_model#cite_note-3) + +The threats are: + +- [**S**poofing](https://en.wikipedia.org/wiki/Spoofing_attack "Spoofing attack") +- [**T**ampering](https://en.wikipedia.org/wiki/Tampering_(crime) "Tampering (crime)") +- [**R**epudiation](https://en.wikipedia.org/wiki/Non-repudiation "Non-repudiation") +- **I**nformation disclosure ([privacy breach](https://en.wikipedia.org/wiki/Data_privacy "Data privacy") or [data leak](https://en.wikipedia.org/wiki/Data_leak "Data leak")) +- [**D**enial of service](https://en.wikipedia.org/wiki/Denial-of-service_attack "Denial-of-service attack") +- [**E**levation of privilege](https://en.wikipedia.org/wiki/Privilege_escalation "Privilege escalation")[[4]](https://en.wikipedia.org/wiki/STRIDE_model#cite_note-4) + +Each threat is a violation of a desirable property for a system: + +|Threat|Desired property|Threat Definition| +|---|---|---| +|Spoofing|[Authenticity](https://en.wikipedia.org/wiki/Message_authentication "Message authentication")|Pretending to be something or someone other than yourself| +|Tampering|[Integrity](https://en.wikipedia.org/wiki/Data_integrity "Data integrity")|Modifying something on disk, network, memory, or elsewhere| +|Repudiation|[Non-repudiability](https://en.wikipedia.org/wiki/Non-repudiation "Non-repudiation")|Claiming that 
you didn't do something or were not responsible; can be honest or false| +|Information disclosure|[Confidentiality](https://en.wikipedia.org/wiki/Confidentiality "Confidentiality")|Someone obtaining information they are not authorized to access| +|Denial of service|[Availability](https://en.wikipedia.org/wiki/Availability "Availability")|Exhausting resources needed to provide service| +|Elevation of privilege|[Authorization](https://en.wikipedia.org/wiki/Authorization "Authorization")|Allowing someone to do something they are not authorized to do| + + + +### [The CIA Triad](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/threat-modeling.html#the-cia-triad) + +The CIA Triad is a widely recognized model in the field of information security, standing for Confidentiality, Integrity, and Availability. These three pillars form the foundation upon which many security measures and policies are built, including threat modeling methodologies. + +1. **Confidentiality**: Ensuring that the data or system is not accessed by unauthorized individuals. This is a central aspect of security, requiring appropriate access controls, encryption, and other measures to prevent data breaches. +2. **Integrity**: The accuracy, consistency, and trustworthiness of the data over its lifecycle. This principle ensures that the data is not altered or tampered with by unauthorized parties. It often involves checksums, hashing, and other data verification methods. +3. **Availability**: This ensures that data and services are accessible to authorized users when needed. This often involves redundancy, fault tolerance, and high-availability configurations to keep systems running even in the face of disruptions. + + + + +### [Threat Modeling Methodlogies](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/threat-modeling.html#threat-modeling-methodlogies) + +1. 
**STRIDE**: Developed by Microsoft, STRIDE is an acronym for **Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege**. Each category represents a type of threat, and this methodology is commonly used in the design phase of a program or system to identify potential threats. +2. **DREAD**: This is another methodology from Microsoft used for risk assessment of identified threats. DREAD stands for **Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability**. Each of these factors is scored, and the result is used to prioritize identified threats. +3. **PASTA** (Process for Attack Simulation and Threat Analysis): This is a seven-step, **risk-centric**methodology. It includes defining and identifying security objectives, creating a technical scope, application decomposition, threat analysis, vulnerability analysis, and risk/triage assessment. +4. **Trike**: This is a risk-based methodology that focuses on defending assets. It starts from a **risk management** perspective and looks at threats and vulnerabilities in that context. +5. **VAST** (Visual, Agile, and Simple Threat modeling): This approach aims to be more accessible and integrates into Agile development environments. It combines elements from the other methodologies and focuses on **visual representations of threats**. +6. **OCTAVE** (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by the CERT Coordination Center, this framework is geared toward **organizational risk assessment rather than specific systems or software**. + diff --git a/content/CyberSecurity/Untitled.md b/content/CyberSecurity/Untitled.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/content/Ideas.md b/content/Ideas.md new file mode 100644 index 000000000..ecc1861e7 --- /dev/null +++ b/content/Ideas.md 
@@ -0,0 +1,4 @@ + + +* Creating Custom Dictionary Attacks with LLMs which has been feed by user information +* \ No newline at end of file
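Review bot: `content/AI&DATA/Prompt Engineering.md` is a bare URL with no title or description; add a heading and one line saying what learnprompting.org is, so the note can be found from the index. The `&` in the directory name `AI&DATA` is also worth reconsidering, since it has to be quoted in shells and URL-encoded in links to the rendered site.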
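Review bot: In `Checklist - Linux Privilege Escalation.md`, every section heading carries an empty link before the title, e.g. `### [](https://book.hacktricks.wiki/...#system-information)[System Information](...)`, left over from copying the rendered HackTricks page; the empty `[](...)` renders as a dangling anchor and should be dropped so each heading reads `### [System Information](https://...)`. A few items carry copy errors worth fixing while here: `Logtotten` should be `Logrotten` (the name of the logrotate exploit the item refers to), `int.d` in "write in ini, int.d, systemd or rc.d files" should be `init.d`, "Known files that contains passwords" should be "contain", and "**with each**possible **user**" is missing a space. Since the whole file is reproduced from book.hacktricks.wiki, add a one-line source credit at the top rather than relying on the per-item links, and end the file with a newline (the hunk ends with `\ No newline at end of file`).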
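Review bot: In `Enumeration Techniques.md`, the three code samples lost their fences in the paste: the language name sits on its own line (`bash`, `python`) and the code follows as one backticked line, so the two favihash commands are run together (`... > targets.txt python3 favihash.py -f ...`) and the `fav_hash` Python function is collapsed onto a single line (`import mmh3 import requests import codecs def fav_hash(url): ...`), which is neither readable nor runnable. Restore each as a fenced block with its original line breaks: the `cat ... > targets.txt` and `python3 favihash.py ...` commands on separate lines, and the three imports, `def fav_hash(url):` and its body each on their own line. Also "If find the **same ID**" should be "If you find the same ID", "search if in shodan" should be "search for it in Shodan", and the trailing tool list (rengine, Osmedeus, reconftw) needs a heading or a sentence saying what those links are.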
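Review bot: `Exfiltrate Data.md` uses a `##` heading while the other new notes use `###`, and the two trailing URLs carry no label; a short line saying what each is (the HackTricks exfiltration chapter and the MITRE ATT&CK Exfiltration tactic TA0010) would make the note usable from the index. Since the file describes lots-project.com as a list of commonly whitelisted domains that can be abused, it is worth adding the defensive reading too: the same list is the reference for reviewing which of those domains an egress allow-list actually needs.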
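Review bot: In `Folder shm.md` the Security Considerations section contradicts the defaults stated earlier: the file says `/dev/shm` ships as `1777` (world-writable with the sticky bit), so "If an attacker gains write access to `/dev/shm`" describes the normal state for any local user, and "Ensure proper permissions are set" is not actionable, because tightening the mode breaks the IPC use the page describes. Reword the risk to say that every local user can already write there and that the control is mount options rather than permissions: the `/etc/fstab` example `tmpfs /dev/shm tmpfs defaults,size=2G 0 0` is the place to add `noexec,nosuid,nodev` (after confirming nothing on the host needs executable mappings there), and the `du -sh /dev/shm/*` command under Monitoring Usage is also the check to run when auditing for unexpected files, as the Access Control bullet recommends. Style: the first line `/dev/shm/` should be a heading like the rest of the file, the closing line "If you have specific questions ... feel free to ask!" is chatbot boilerplate that does not belong in a notes page, and the file lacks a trailing newline.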
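Review bot: `content/CyberSecurity/Thread Modeling.md` is misnamed: the content is about threat modeling (STRIDE, the CIA triad, PASTA, and the other methodologies), so the file should be `Threat Modeling.md` before other notes start linking to it. Inside, the visible heading text `Threat Modeling Methodlogies` has the same typo (keep the URL fragment `#threat-modeling-methodlogies` as-is, since that is the anchor on the HackTricks page), `**risk-centric**methodology` is missing a space, and the file has no top-level title. The STRIDE paragraph and table are lifted from the Wikipedia STRIDE article with `[[1]]`..`[[4]]` citation markers that point nowhere in this repository; either drop the markers or add a Sources line naming Wikipedia and book.hacktricks.wiki.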
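Review bot: In `content/Ideas.md`, "which has been feed by user information" should be "fed with user information", and the file ends with an empty bullet `* ` and no trailing newline; drop the empty bullet or fill it in before merging.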