These study notes are provided for students of the CompTIA Pentest+ exam. If you notice any problems with the notes, please let me know via email (joseph@ripplesoftware.ca). Sections: General Pentesting Engagement Scoping Information Gathering Vulnerability Scanning Exploitation Process Pentest Tools Exploit Specifics Post Exploit Communication Processes


Introduction On July 10th, Apple released a “Rapid Security Response” to fix a code execution flaw in the WebKit browser component found in iOS, iPadOS, and macOS Ventura. Although this update was pulled back, the subsequent remediation was released in quick succession on July 12th. In fact, Apple has long held a reputation as a leader in user privacy and security. Their commitment to protecting user data and maintaining robust defense mechanisms against cyber threats has made the tech giant synonymous with trust and reliability in an era of rapid digitization. After the release of their new VR wearable “Vision Pro”, Apple has also promised they won’t share eye focus movement due to security risks, marking another instance where Apple seems dedicated to their users’ security.  Admittedly, Apple’s products often carry a premium price tag, reflecting the advanced security and privacy features they offer. Yet, in the increasingly hostile…


A Comprehensive Technical Guide to Denial of Service (DoS) Attacks

Introduction What is a DoS attack? Do they have the potential to impact our organization negatively? If so, to what degree do we need to worry about DoS attacks, and how can an organization prevent or mitigate their impact? This pillar article is designed to equip you with a core understanding of what DoS attacks are, the motives of adversaries that launch them, and strategies for defending an organization against this increasingly common threat to IT security.  The “CIA Triad” stands for Confidentiality, Integrity, and Availability, which are the fundamental principles of information security that need to be protected. DoS attacks primarily disrupt the Availability of IT services – that is, they prevent IT systems and services from functioning properly, causing downtime. This can result in financial losses, negatively impact an organization’s operations and reputation, impose legal and regulatory liabilities, and cause data loss, reduced productivity, or loss of competitive…


Lessons From LastPass Breach

Password management firm LastPass admitted to being PWNED by hackers.  If you are a customer, your data was potentially breached, and so we “Paranoid Androids” will be spending a significant amount of the holidays changing passwords and double checking our MFA settings.  The bad guys apparently got away with a massive stash of customer data, including password vault data that could be compromised by brute-forcing or guessing master passwords.  So much for the “Zero Knowledge” strategy, or is this it working? Is this as bad as it could get in terms of password manager security? I guess the only thing that could compromise your passwords quicker would be an attacker literally looking over your shoulder (known as shoulder surfing) while you type your username and password in. But, well now, let’s look on the bright side: as long as you have diligently respected the power of keyspace and dutifully used…


What is an XSRF attack? XSRF, also known as Cross-Site Request Forgery, is a type of attack that involves tricking a user into making a malicious transaction with a website without their knowledge. This can occur when a user is logged into a website and visits a malicious website or clicks on a malicious link. The attacker can then use the user’s active logged-in status on the other website to make requests on the user’s behalf, potentially allowing the attacker to perform unauthorized actions or access sensitive information. XSRF attacks can be prevented by implementing proper authentication and authorization measures on the website, such as using unique tokens for each user session. What is a session hijacking attack? Session hijacking is a type of cyberattack where an attacker takes over a user’s active session on a website or application and gains unauthorized access to the user’s account. This can be…


What Is A Virtual Private Network (VPN)?

What is a VPN? A VPN, or Virtual Private Network, is a type of technology that allows a user to securely access a private network and share data remotely through public networks. VPNs use encryption and other security measures to protect the data being transmitted over the network and prevent unauthorized access to the private network. This allows individuals to securely access their organization’s network and its sensitive information.  VPNs are also used by internet users to browse the internet anonymously.  This is possible because commercial VPNs allow a user to change their source IP address, which confounds websites’ ability to track them. Additionally, companies can use VPNs to securely connect their internal networks with the networks of their partners or clients, allowing them to securely share data and other resources. This can improve collaboration and communication within and between organizations. What are the different types of VPNs? There…


Why is user awareness training important for IT security? Phishing operations represent 41% of cyber breach incidents according to the IBM X-Force report. Deloitte estimates phishing to be the initial attack vector in 91% of cyber breaches.  These estimates put phishing at the forefront of the corporate attack surface because they identify phishing as the most successful method used by attackers to compromise a system and gain initial access to a victim’s network.  In response, organizations need to increase their resilience against phishing and other types of social engineering attacks. By testing their staff’s ability to effectively identify phishing attempts and malspam, and by providing educational material, an organization can identify potential weaknesses and reduce the chance that an employee will fall prey to an attack.  Of course, while secondary cybersecurity measures should be in place to detect and respond to a successful phishing attack, user awareness training is a good practice…


@0x0SojalSec tweeted out a pure genius one-liner for automated SQL Injection pentesting, and while it was mind-blowing, it is also useful to dissect it into its various elements.  Along the way we can learn some great tools for command line penetration testing! Check out the original tweet or the image below: This is a great example of how automated toolkits can do a lot of work that doesn’t cost a lot of time.  So, let’s dissect the command and learn 5 great command line tools from @0x0SojalSec’s sorcery that will certainly prove useful on a pen-testing engagement. #1 – subfinder Subfinder is a command line tool from ProjectDiscovery.io that accepts a top-level domain and will return a set of subdomains from historical DNS records.  Whenever relying on historical DNS records, the output is only as good as the service’s repository of historical data, but ProjectDiscovery’s service is top notch. …


Nessus is an enterprise vulnerability scanner that can perform external and internal credentialed scans and can support a continuous vulnerability management program.  Nessus favors ease of use over granular control of scanning, which allows quick and efficient scan configuration.  Nessus comes with many pre-configured scans for PCI-DSS compliance, OVAL, and SCAP scanning, and many scans for novel threats such as Solarigate, CISA threat advisories, Log4Shell, ransomware attacks, and more. Watch the video below to get the full scoop on how Nessus can support enterprise vulnerability management.


What is Snyk and how does it contribute to DevSecOps?

What is Snyk?  It’s classified as an SCA (software composition analysis) security tool, meaning it scans your source code for use of functions, libraries, and packages with known vulnerabilities, and it can also scan entire Docker images, cloud servers, and IaC (Infrastructure as Code) deployments for vulnerabilities.  Watch the video below for a summary and demo of how Snyk can contribute to your DevSecOps program.


From the defender’s perspective, ransomware is the biggest threat in the modern cybersecurity landscape. From a criminal perspective, it’s a highly lucrative form of cybercrime, and perpetrators face only negligible chances of being prosecuted, with fewer than 20 arrests reported in 2020 [1]. The highest ransom ever paid by a single company for a single incident is $40 million US dollars [2][3]; however, the cost of a ransomware attack is not limited to ransom payments. Companies can incur millions more in remediation costs, service downtime, legal settlements, and higher insurance premiums, and potentially suffer long-term deleterious effects on their brand reputation [4]. One report estimates that 74% of ransomware payments go to Russian-backed groups; more than $400 million USD in 2021 [5]. Another report from blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020 [6] [7]. Not all ransomware strains…
