How to prepare for PWK/OSCP, a noob-friendly guide

Few months ago, I didn’t know what Bash was, only heard of SSH tunneling, no practical knowledge. I also didn’t like paying for the PWK lab time without using it, so I went through a number of resources till I felt ready for starting the course.

Warning: Don’t expect to be spoon-fed if you’re doing OSCP, you’ll need to spend a lot of time researching, neither the admins or the other students will give you answers easily.

1. PWK Syllabus
1.1 *nix and Bash
1.2 Basic tools
1.3 Passive Recon
1.4 Active Recon
1.5 Buffer Overflow
1.6 Using public exploits
1.7 File Transfer
1.8 Privilege Escalation
1.9 Client-Side Attacks
1.10 Web Application Attacks
1.11 Password Attacks
1.12 Port Redirection/Tunneling
1.13 Metasploit Framework
1.14 Antivirus Bypassing
2. Wargames
2.1 Over The Wire: Bandit
2.2 Over The Wire: Natas
2.3 Root-me.org
3. Vulnerable VMs

1. PWK Syllabus:

Simply the most important reference in the list, it shows the course modules in a detailed way. Entire preparation I did was based on it. Can be found here.

1.1 *nix and Bash:

You don’t need to use Kali Linux right away, a good alternative is Ubuntu till you get comfortable with Linux.

1. Bash for Beginners: Best Bash reference IMO.
2. Bandit on Over The Wire: Great start for people who aren’t used to using a terminal, aren’t familiar with Bash or other *nix in general. Each challenge gives you hints on which commands you can use, you need to research them.
3.  Explainshell: Does NOT replace man pages, but breaks down commands easily for new comers.

1.2 Basic tools:

You will use these tools a lot. Make sure you understand what they do and how you can utilize them.

Netcat: Most important tool in the entire course. Understand what it does, what options you have, difference between a reverse shell and a bind shell. Experiment a lot with it.
Ncat: Netcat’s mature brother, supports SSL. Part of Nmap.
Wireshark: Network analysis tool, play with it while browsing the internet, connecting to FTP, read/write PCAP files.
TCPdump: Not all machines have that cute GUI, you could be stuck with a terminal.

1.3 Passive Recon:

Read about the following tools/techniques, experiment as much as possible.

1. Google dorks
2. Whois
3. Netcraft
4. Recon-ng: Make sure you check the Usage guide to know how it works.

1.4 Active Recon:

  • Understand what DNS is, how it works, how to perform forward and reverse lookup, what zone transfers are and how to perform them. Great resource here.
  • Nmap: One of the most used tools during the course (if not the most). I’d recommend to start by reading the man pages, understand different scanning techniques and other capabilities it has (scripts, OS detection, Service detection, …)
  • Services enumeration: SMTP, SNMP, SMB, and a lot others. Don’t just enumerate them, understand what they’re used for and how they work.
  • Great list for enumeration and tools.

1.5 Buffer Overflow:

Most fun part in my opinion. There are countless resources on how to get started, I’d recommend Corelan’s series. You probably need the first part only for PWK.

1.6 Using public exploits:

Occasionally, you’ll need to use a public exploit, maybe even modify the shellcode or other parts. Just go to Exploit-db and pick one of the older more reliable exploits (FTP ones for example). The vulnerable version is usually present with the exploit code.

1.7 File Transfer:

Not every machine has netcat installed, you’ll need to find a way around it to upload exploits or other tools you need. Great post on this is here.

1.8 Privilege Escalation:

A never ending topic, there are a lot of techniques, ranging from having an admin password to kernel exploits. Great way to practice this is by using Vulnhub VMs for practice. Check my OSCP-like VMs list here.

Windows:Elevating privileges by exploiting weak folder permissions
Windows: Privilege Escalation Fundamentals
Windows: Windows-Exploit-Suggester
Windows: Privilege Escalation Commands
Linux: Basic Linux Privilege Escalation
Linux: linuxprivchecker.py
Linux: LinEnum
Practical Windows Privilege Escalation
MySQL Root to System Root with UDF

1.9 Client Side Attacks:

Try out the techniques provided in Metasploit Unleashed or an IE client side exploit.

1.10 Web Application Attacks

Another lengthy subject, understand what XSS is, SQL injection, LFI, RFI, directory traversal, how to use a proxy like Burp Suite. Solve as much as you can from Natas on Over The Wire. It has great examples on Code Injection, Session hijacking and other web vulnerabilities.

Key is research till you feel comfortable.

1.11 Password Attacks:

Understand the basics of password attacks, difference between online and offline attacks. How to use Hydra, JTR, Medusa, what rainbow tables are, the list goes on. Excellent post on this topic here.

1.12 Port redirection/tunneling:

Not all machines are directly accessible, some are dual homed, connected to an internal network. You’ll use such techniques a lot in non-public networks. This post did a great job explaining it.

1.13 Metasploit Framework:

Decided to skip this part, but if you still want to study it, check out Metasploit Unleashed course.

 

1.14 Antivirus Bypassing:

Skipped this part too.

2. Wargames

Use them as a prep for vulnerable machines.

2.1 Over The Wire: Bandit

Great start for people who aren’t familiar with Linux or Bash.

2.2 Over The Wire: Natas

Focused on web application, many challenges aren’t required for OSCP, but it helps for sure.

2.3 Root-me.org

Has great challenges on privilege escalation, SQL injection, Javascript obfuscation, password cracking and analyzing PCAP files

3. Vulnerable Machines

Boot-to-root VMs are excellent for pentesting, you import a VM, run it and start enumerating from your attacking machine. Most of them result in getting root access. Check the post on which machines are the closest to OSCP, there is also the https://lab.pentestit.ru/ .

Blog posts regarding my journey through Pentestit.ru.:

Pentestit Lab v10 – Introduction & Setup
Pentestit Lab v10 – The Mail Token
Pentestit Lab v10 – The Site Token

Automate Specific Routine Tasks – LazyScripts

This is a set of bash shell functions to simplify and automate specific routine tasks, as well as some more specialized ones.

Compatibility

  • RedHat Enterprise Linux 5+
  • CentOS 5+
  • Ubuntu 10.04+

Installation

Run this bash function as root:

function lsgethelper() {
        local LZDIR=/root/.lazyscripts/tools;
        if command -v git 2>&1 1>/dev/null; then
            if [[ -d ${LZDIR} ]]; then
                    cd "${LZDIR}" \
                    && git reset --hard HEAD \
                    && git clean -f	\
                    && git pull git://github.com/hhoover/lazyscripts.git master; \
            else
                    cd \
                    && git clone git://github.com/hhoover/lazyscripts.git "${LZDIR}";
            fi
            cd;
            source ${LZDIR}/ls-init.sh;
        else
            rm -rf "${LZDIR}"/lazyscripts-master
            cd "${LZDIR}" \
            && curl -L https://github.com/hhover/lazyscripts/archive/master.tar.gz | tar xvz
            cd;
            source "${LZDIR}"/lazyscripts-master/ls-init.sh;
        fi
}
lsgethelper && lslogin

Throw this in your .bashrc for extra credit.

Functions

Function Description
lsinfo Display useful system information
lsbwprompt Switch to a plain prompt.
lscolorprompt Switch to a fancy colorized prompt.
lsbigfiles List the top 50 files based on disk usage.
lsmytuner MySQL Tuner.
lshighio Reports stats on processes in an uninterruptable sleep state.
lsmylogin Auto login to MySQL
lsmyengines List MySQL tables and their storage engine.
lsmyusers List MySQL users and grants.
lsmycreate Creates a MySQL DB and MySQL user
lsmycopy Copies an existing database to a new database.
lsap Show a virtual host listing.
lsapcheck Verify apache max client settings and memory usage.
lsapdocs Prints out Apache’s DocumentRoots
lsapproc Shows the memory used by each Apache process
lsrblcheck Server Email Blacklist Check
lscloudkick Installs the Cloudkick agent
lsvhost Add an Apache virtual host
lsvsftpd Installs/configures vsftpd
lspostfix Set up Postfix for relaying email
lsparsar Pretty sar output
lslsync Install lsyncd and configure this server as a master
lswordpress Install WordPress on this server
lsdrupal Install Drupal 7 on this server
lswebmin Install Webmin on this server
lsvarnish Installs Varnish 3.0
lsconcurchk Show concurrent connections
lscrtchk Check SSL Cert/Key to make sure they match
lsrpaf Install mod_rpaf to set correct client IP behind a proxy.
lspma Installs phpMyAdmin
lsnginx Replace Apache with nginx/php-fpm
lshaproxy Install HAProxy on this server
lshppool Adds a new pool to an existing HAProxy config
lswhatis Output the script that would be run with a specific command.
lsnodejs Installs Node.js and Node Package Manager
lsapitools Installs API tools for Rackspace Cloud
lsrecap Installs Recap – https://github.com/rackerlabs/recap
lsnova Nova Configuration generator

Enjoy!

 

credit: https://github.com/RedRum69/lazyscripts 

Shadow Brokers Release Attack Tool Archives

On April 9 and April 14, 2017, the Shadow Brokers threat group released archives of attack tools and other information that it claims originated from the National Security Agency (NSA). The contents included exploits against Windows, Solaris, and other software from as early as 2008, as well as information about a campaign targeting EastNets, a SWIFT (Society for Worldwide Interbank Financial Telecommunication) Service Bureau.

Despite some reports that the archives contain exploits for unpatched Windows vulnerabilities, SecureWorks(R) Counter Threat Unit(TM) (CTU) researchers determined that there are no functional exploits against fully patched, supported Microsoft software. Several of the vulnerabilities were addressed in Microsoft Security Bulletin MS17-10, which was released as part of March’s patch cycle. Three other exploits target Windows XP, Vista, Server 2003, Server 2008, and IIS 6.x, but Microsoft does not plan to provide patches for these exploits as the products are no longer supported.

Two attack tools target unpatched vulnerabilities in current Solaris versions:

– EBBISLAND is a remote buffer overflow exploit against XDR code that targets any running RPC service.
– EXTREMEPAAR is a local privilege escalation exploit.

Another buffer overflow exploit named VIOLENTSPIRIT targets the ttsession daemon in Solaris 2.6-2.9. The archives also included exploits targeting less-common software such as Lotus Domino versions 6 and 7, Lotus cc:mail, RedFlag Webmail 4, Avaya Media Server, and phpBB.

According to the Shadow Brokers’ April 14 release, the PLATINUM COLONY threat group (also known as Equation Group) gained access to the EastNets network, monitored SWIFT transactions from a select number of targeted financial services institutions between March 2013 and at least October 2013, and had persistent and wide-ranging access to the EastNets network. CTU(TM) researchers assess with high confidence that PLATINUM COLONY is operated by a United States intelligence agency. The group has been active since at least 2001 and likely uses its sophisticated toolset for military espionage and national security objectives, rather than for economic espionage activities.

PowerPoint and Excel documents within the leaked files list SWIFT Alliance Access servers run by EastNets, and several of the servers are marked as compromised for data collection. There is no indication that networks and hosts operated by EastNet customers outside the EastNet environment were compromised, but SWIFT transactions in 2013 could have been monitored by an unauthorized party as they traversed EastNets servers. EastNets released a public statement saying, “The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded.” However, the documentation provided in the Shadow Brokers leak strongly suggests a compromise.

 

Recommended actions:

CTU researchers recommend that clients ensure that the MS17-10 security updates have been applied. In addition, clients should upgrade unsupported Windows operating systems and IIS web servers to a supported version and should restrict external access to RPC services on Solaris servers.

SecureWorks actions:

The CTU research team is investigating the feasibility of countermeasures to detect the published exploits.

Questions:

If you have any questions or concerns, please submit a ticket via the SecureWorks Client Portal.

 

References:

https://portal.secureworks.com/intel/tips/5233

https://portal.secureworks.com/intel/tips/5835

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://www.eastnets.com/news_events/news/17-04-14/No_credibility_to_the_online_claim_of_a_compromise_of_EastNets_customer_information_on_its_SWIFT_service_bureau.aspx

How to Sniff a Network: Decoding the IP Layer

 

Following from previous post, which can be found at: How to Sniff a Network : Packet Sniffing on Windows and Linux and How to Sniff a Network : Raw Sockets and Sniffing.

Sniffing one packet is not overly useful, so let’s add some functionality to process more packets and decode their contents.

In its current form, our sniffer receives all of the IP headers along with any higher protocols such as TCP, UDP, or ICMP. The information is packed into binary form, and as shown above, is quite difficult to understand. We are now going to work on decoding the IP portion of a packet so that we can pull useful information out such as the protocol type (TCP, UDP, ICMP), and the source and destination IP addresses. This will be the foundation for you to start creating further protocol parsing later on. If we examine what an actual packet looks like on the network, you will have an understanding of how we need to decode the incoming packets. Refer to Figure 3-1 for the makeup of an IP header.

Figure 3-1 Typical IPv4 header structure
Figure 3-1: Typical IPv4 header structure

We will decode the entire IP header (except the Options field) and extract the protocol type, source, and destination IP address. Using the Python ctypes module to create a C-like structure will allow us to have a friendly format for handling the IP header and its member fields. First, let’s take a look at the C definition of what an IP header looks like.

struct ip {
u_char ip_hl:4;
u_char ip_v:4;
u_char ip_tos;
u_short ip_len;
u_short ip_id;
u_short ip_off;
u_char ip_ttl;
u_char ip_p;
u_short ip_sum;
u_long ip_src;
u_long ip_dst;
}

You now have an idea of how to map the C data types to the IP header values. Using C code as a reference when translating to Python objects can be useful because it makes it seamless to convert them to pure Python. Of note, the ip_hl and ip_v fields have a bit notation added to them (the :4 part). This indicates that these are bit fields, and they are 4 bits wide. We will use a pure Python solution to make sure these fields map correctly so we can avoid having to do any bit manipulation. Let’s implement our IP decoding routine into sniffer_ip_header_decode.py as shown below.

import socket


import os
import struct
from ctypes import *

# host to listen on
host = "192.168.0.187"


# our IP header
u class IP(Structure):
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
("src", c_ulong),
("dst", c_ulong)
]


def __new__(self, socket_buffer=None):
return self.from_buffer_copy(socket_buffer)


def __init__(self, socket_buffer=None):


# map protocol constants to their names


self.protocol_map = {1:"ICMP", 6:"TCP", 17:"UDP"}


v # human readable IP addresses


self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst))


# human readable protocol
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num)


# this should look familiar from the previous example
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP


sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)


sniffer.bind((host, 0))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)


if os.name == "nt":


sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

try:


while True:


# read in a packet
w raw_buffer = sniffer.recvfrom(65565)[0]


# create an IP header from the first 20 bytes of the buffer
x ip_header = IP(raw_buffer[0:20])


# print out the protocol that was detected and the hosts
y print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_¬
address, ip_header.dst_address)


# handle CTRL-C
except KeyboardInterrupt:

# if we're using Windows, turn off promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

The first step is defining a Python ctypes structure u that will map the first 20 bytes of the received buffer into a friendly IP header. As you can see, all of the fields that we identified and the preceding C structure match up nicely. The __new__ method of the IP class simply takes in a raw buffer (in this case, what we receive on the network) and forms the structure from it. When the __init__ method is called, __new__ is already finished processing the buffer. Inside __init__, we are simply doing some housekeeping to give some human readable output for the protocol in use and the IP addresses v.
With our freshly minted IP structure, we now put in the logic to continually read in packets and parse their information. The first step is to read in the packet w and then pass the first 20 bytes x to initialize our IP structure. Next, we simply print out the information that we have captured y.
Let’s try it out.

Kicking the Tires

Let’s test out our previous code to see what kind of information we are extracting from the raw packets being sent. I definitely recommend that you do this test from your Windows machine, as you will be able to see TCP, UDP, and ICMP, which allows you to do some pretty neat testing (open up a browser, for example). If you are confined to Linux, then perform the previous ping test to see it in action.

Open a terminal and type:

python sniffer_ip_header_decode.py

Now, because Windows is pretty chatty, you’re likely to see output immediately.
I tested this script by opening Internet Explorer and going to www
.google.com, and here is the output from our script:

Protocol: UDP 192.168.0.190 -> 192.168.0.1
Protocol: UDP 192.168.0.1 -> 192.168.0.190
Protocol: UDP 192.168.0.190 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 74.125.225.183 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183

Because we aren’t doing any deep inspection on these packets, we can only guess what this stream is indicating. My guess is that the first couple of UDP packets are the DNS queries to determine where google.com lives, and the subsequent TCP sessions are my machine actually connecting and downloading content from their web server. To perform the same test on Linux, we can ping google.com, and the results will look something like this:

Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190

You can already see the limitation: we are only seeing the response and only for the ICMP protocol. But because we are purposefully building a host discovery scanner, this is completely acceptable. We will now apply the same techniques we used to decode the IP header to decode the ICMP messages. Stay tuned for the next post.

How to Sniff a Network: Packet Sniffing on Windows and Linux

Network sniffers allow you to see packets entering and exiting a target machine. As a result, they have many practical uses before and after exploitation. In some cases, you’ll be able to use Wireshark (https://wireshark.org/) to monitor traffic or use a Pythonic solution like Scapy (which we’ll explore in the later posts). Nevertheless, you can read more: How to Sniff a Network : Raw Sockets and Sniffing.

 

Accessing raw sockets in Windows is slightly different than on its Linux brethren, but we want to have the flexibility to deploy the same sniffer to multiple platforms. We will create our socket object and then determine which platform we are running on. Windows requires us to set some additional flags through a socket input/output control (IOCTL),1 which enables promiscuous mode on the network interface. In our first example, we simply set up our raw socket sniffer, read in a single packet, and then quit.

import socket
import os
# host to listen on
host = "192.168.0.196"

# create a raw socket and bind it to the public interface
if os.name == "nt":
u socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind((host, 0))

# we want the IP headers included in the capture
v sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

# if we're using Windows, we need to send an IOCTL
# to set up promiscuous mode
w if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

# read in a single packet
x print sniffer.recvfrom(65565)

# if we're using Windows, turn off promiscuous mode
y if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

We start by constructing our socket object with the parameters necessary for sniffing packets on our network interface u. The difference between Windows and Linux is that Windows will allow us to sniff all incoming packets regardless of protocol, whereas Linux forces us to specify that we are sniffing ICMP. Note that we are using promiscuous mode, which requires administrative privileges on Windows or root on Linux. Promiscuous mode allows us to sniff all packets that the network card sees, even those not destined for your specific host. Next we set a socket option that includes the IP headers in our captured packets. The next step w is to determine if we are using Windows, and if so, we perform the additional step of sending an IOCTL to the network card driver to enable promiscuous mode. If you’re running Windows in a virtual machine, you will likely get a notification that the guest operating system is enabling promiscuous mode; you, of course, will allow it. Now we are ready to actually perform some sniffing, and in this case we are simply printing out the entire raw packet x with no packet decoding. This is just to test to make sure we have the core of our sniffing code working. After a single packet is sniffed, we again test for Windows, and disable promiscuous mode y before exiting the script.

Kicking the Tires

Open up a fresh terminal or cmd.exe shell under Windows and run the
following:

python sniffer.py

In another terminal or shell window, you can simply pick a host to ping.
Here, we’ll ping nostarch.com:

ping nostarch.com

In your first window where you executed your sniffer, you should see
some garbled output that closely resembles the following:

('E\x00\x00:\x0f\x98\x00\x00\x80\x11\xa9\x0e\xc0\xa8\x00\xbb\xc0\xa8\x0
0\x01\x04\x01\x005\x00&\xd6d\n\xde\x01\x00\x00\x01\x00\x00\x00\x00\x00\
x00\x08nostarch\x03com\x00\x00\x01\x00\x01', ('192.168.0.187', 0))

You can see that we have captured the initial ICMP ping request destined for nostarch.com (based on the appearance of the string nostarch.com).
If you are running this example on Linux, then you would receive the response from nostarch.com. Sniffing one packet is not overly useful, so let’s add some functionality to process more packets and decode their contents in the following post.

 

How to Sniff a Network : Raw Sockets and Sniffing

Network sniffers allow you to see packets entering and exiting a target machine. As a result, they have many practical uses before and after exploitation. In some cases, you’ll be able to use Wireshark (https://wireshark.org/) to monitor traffic or use a Pythonic solution like Scapy (which we’ll explore in the later posts). Nevertheless, there’s an advantage to knowing how to throw together a quick sniffer to view and decode network traffic. Writing a tool like this will also give you a deep appreciation for the mature tools that can painlessly take care of the finer points with little effort on your part. You will also likely pick up some new Python techniques and perhaps a better understanding of how the low-level networking bits work.

In the previous chapter, we covered how to send and receive data using TCP and UDP, and arguably this is how you will interact with most network services. But underneath these higher-level protocols are the fundamental building blocks of how network packets are sent and received. You will use raw sockets to access lower-level networking information such as the raw IP and ICMP headers. In our case, we are only interested in the IP layer and higher so we won’t decode any Ethernet information. Of course, if you intend to perform any low-level attacks such as ARP poisoning or you are developing wireless assessment tools, you need to become intimately familiar with Ethernet frames and their use. Let’s begin with a brief walkthrough of how to discover active hosts on a
network segment.

 

Building a UDP Host Discovery Tool

The main goal of our sniffer is to perform UDP-based host discovery on a target network. Attackers want to be able to see all of the potential targets on a network so that they can focus their reconnaissance and exploitation attempts. We’ll use a known behavior of most operating systems when handling closed UDP ports to determine if there is an active host at a particular IP address. When you send a UDP datagram to a closed port on a host, that host typically sends back an ICMP message indicating that the port is unreachable. This ICMP message indicates that there is a host alive because we’d assume that there was no host if we didn’t receive a response to the UDP datagram. It is essential that we pick a UDP port that will not likely be used, and for maximum coverage, we can probe several ports to ensure we aren’t hitting an active UDP service. Why UDP? There’s no overhead in spraying the message across an entire subnet and waiting for the ICMP responses to arrive accordingly. This is quite a simple scanner to build with most of the work going into decoding and analyzing the various network protocol headers. We will implement this host scanner for both Windows and Linux to maximize the likelihood of being able to use it inside an enterprise environment. We could also build additional logic into our scanner to kick off full Nmap port scans on any hosts we discover to determine if they have a viable network attack surface. These are exercises left for the reader, and I look forward to hearing some of the creative ways you can expand this core concept.
Let’s get started.

 

Network sniffing

Additional Resources for Week 3 RITx: CYBER501x Cybersecurity Fundamentals

Kerckhoff’s Principle

Encryption

This video explains how the RSA public key and private key are created to be fully dependent on each other. The first part of the video explains the concepts with paint and colors. The second part contains heavy duty math, which may not be as easily understood:

Heartbleed

These links detail the Heartbleed bug from 2014. This vulnerability shows that even though data is protected both in transit and at rest with encryption, data that is being processed is not protected. The encrypted data needs to be decrypted before it’s processed, and therefore is vulnerable at this stage.

 

Week 3 Additional Resources

The Walking Dead: the Meaning Behind the Wooden Toy Soldier That Daryl Finds

The Walking Dead may have wrapped another season, but that doesn’t mean the zombie drama wasn’t going to raise a few more questions in the process. After a drawn-out season culminating with Rick and company finally facing off against Negan, we’re left with several Easter eggs that may or may not be significant later on.

Among them is the mysterious wooden soldier that Daryl comes across at the end of the episode. With the words “DIDN’T KNOW” written on the back, it’s pretty clear that this will have some importance later on. And since it looks identical to the one Dwight carved back in season six, it’s safe to assume that this figure also came from him. But what does that message mean? Is he trying to say he didn’t know Jadis and the Scavengers would betray Rick like that? Is he still on Rick’s side? What’s going on, Jon Snow wooden figure?

With season eight not arriving until Autumn, there’s plenty of time to speculate.

Microsoft Security Bulletin MS17-022

Security Update for Microsoft XML Core Services (4010321)

Published: March 14, 2017

Version: 1.0

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Important for Microsoft XML Core Services 3.0 on all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The update addresses the vulnerability by changing how MSXML handles objects in memory For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 4010321.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

Note Please see the Security Update Guide for a new approach to consuming the security update information. You can customize your views and create affected software spreadsheets, as well as download data via a restful API. For more information, please see the Security Updates Guide FAQ. As a reminder, the Security Updates Guide will be replacing security bulletins. Please see our blog post, Furthering our commitment to security updates, for more details.

 

Operating System Component Microsoft XML Core Services Information Disclosure Vulnerability – CVE-2017-0022 Updates Replaced
Windows Vista
Windows Vista Service Pack 2 Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Vista x64 Edition Service Pack 2 Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows 7
Windows 7 for 32-bit Systems Service Pack 1
Security Only[1]
Microsoft XML Core Services 3.0
(4012212)
Important
Information Disclosure
None
Windows 7 for 32-bit Systems Service Pack 1
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012215)
Important
Information Disclosure
3212646
Windows 7 for x64-based Systems Service Pack 1
Security Only[1]
Microsoft XML Core Services 3.0
(4012212)
Important
Information Disclosure
None
Windows 7 for x64-based Systems Service Pack 1
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012215)
Important
Information Disclosure
3212646
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Security Only[1]
Microsoft XML Core Services 3.0
(4012212)
Important
Information Disclosure
None
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012215)
Important
Information Disclosure
3212646
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Security Only[1]
Microsoft XML Core Services 3.0
(4012212)
Important
Information Disclosure
None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012215)
Important
Information Disclosure
3212646
Windows 8.1
Windows 8.1 for 32-bit Systems
Security Only[1]
Microsoft XML Core Services 3.0
(4012213)
Important
Information Disclosure
None
Windows 8.1 for 32-bit Systems
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012216)
Important
Information Disclosure
3205401
Windows 8.1 for x64-based Systems
Security Only[1]
Microsoft XML Core Services 3.0
(4012213)
Important
Information Disclosure
None
Windows 8.1 for x64-based Systems
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012216)
Important
Information Disclosure
3205401
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012
Security Only[1]
Microsoft XML Core Services 3.0
(4012214)
Important
Information Disclosure
None
Windows Server 2012
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012217)
Important
Information Disclosure
3205409
Windows Server 2012 R2
Security Only[1]
Microsoft XML Core Services 3.0
(4012213)
Important
Information Disclosure
None
Windows Server 2012 R2
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012216)
Important
Information Disclosure
3205401
Windows RT 8.1
Windows RT 8.1[2]
Monthly Rollup
Microsoft XML Core Services 3.0
(4012216)
Important
Information Disclosure
3205401
Windows 10
Windows 10 for 32-bit Systems [3]
(4012606)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3210720
Windows 10 for x64-based Systems [3]
(4012606)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3210720
Windows 10 Version 1511 for 32-bit Systems [3]
(4013198)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3210721
Windows 10 Version 1511 for x64-based Systems[3]
(4013198)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3210721
Windows 10 Version 1607 for 32-bit Systems [3]
(4013429)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3213986
Windows 10 Version 1607 for x64-based Systems[3]
(4013429)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3213986
Windows Server 2016
Windows Server 2016 for x64-based Systems [3]
(4013429)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3213986
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Microsoft XML Core Services 3.0
(3216916)
Important
Information Disclosure
3146963 in MS16-040
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Security Only[1]
Microsoft XML Core Services 3.0
(4012212)
Important
Information Disclosure
None
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Server Core installation)
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012215)
Important
Information Disclosure
3212646
Windows Server 2012 (Server Core installation)
Security Only[1]
Microsoft XML Core Services 3.0
(4012214)
Important
Information Disclosure
None
Windows Server 2012 (Server Core installation)
Monthly Rollup[1]
Microsoft XML Core Services 3.0
(4012217)
Important
Information Disclosure
3205409
Windows Server 2012 R2 (Server Core installation)
Security Only[1]
Microsoft XML Core Services 3.0
(4012213)
Important
Information Disclosure
None
Windows Server 2012 R2 (Server Core installation) Monthly Rollup[1] Microsoft XML Core Services 3.0
(4012216)
Important
Information Disclosure
3205401
Windows Server 2016 for x64-based Systems [3](Server Core installation)
(4013429)
Microsoft XML Core Services 3.0 Important
Information Disclosure
3213986

[1]Beginning with the October 2016 release, Microsoft has changed the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft TechNet article.

[2]This update is only available via Windows Update.

[3]Windows 10 and Windows Server 2016 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. Please note that effective December 13, 2016, Windows 10 and Windows Server 2016 details for the Cumulative Updates will be documented in Release Notes. Please refer to the Release Notes for OS Build numbers, Known Issues, and affected file list information.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

What version of Microsoft XML Core Services is installed on my system?

Some versions of Microsoft XML Core Services are included with Microsoft Windows; others are installed with non-operating system software from Microsoft or third-party providers. Some are also available as separate downloads. The following table shows which versions of Microsoft XML Core Services are included with Microsoft Windows and which are installed with the installation of additional Microsoft or third-party software.

Operating System MSXML 3.0
Windows Vista Shipped with operating system
Windows Server 2008 Shipped with operating system
Windows 7 Shipped with operating system
Windows Server 2008 R2 Shipped with operating system
Windows 8.1 Shipped with operating system
Windows Server 2012 and Windows Server 2012 R2 Shipped with operating system
Window10 (all releases) Shipped with operating system
Windows Server 2016 Shipped with operating system

Microsoft XML Core Services Information Disclosure Vulnerability – CVE-2017-0022

An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk.

To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website.

The update addresses the vulnerability by changing the way MSXML handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly disclosed Exploited
Microsoft XML Core Services Information Disclosure Vulnerability CVE-2017-0022 No Yes

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (March 14, 2017): Bulletin published.