Hashcat is a password cracker used to crack password hashes. A hash is a one-way function that takes a word or string of words and turns them into a fixed length of random characters. This is a much more secure method of storing passwords rather than storing them in plain text. It is not reversible.


Hashcat attempts to crack these passwords by guessing a password, hashing it, and then comparing the resulting hash to the one it’s trying to crack.


Hash Analyzer Tunnelsup.com Hash Analyser allows you to stick a hash into there site and will give you there best guess at what the hash is. This was all i used for the Crack the hash challenge and was pretty much spot on until some of the later tasks.


Hash-Identifier can be found pre-installed in Kali Linux and will tell you the possible hashing algorithm for the hash you enter. The Nice thing about this other then it already being installed in kali is that it gives you a few alternatives which can help finding finding the right mode in hashcat.


HashID This is a python based hash identifying tool which needs to be downloaded from there GitHub Repo. The cool thing about this tool is not only does it identify the hashes but also can give you the corresponding hashcat mode as part of the output.


 

hashcat -h | grep sha256
hashcat -h | grep md5
hashcat -h | grep salt
hashcat -h | grep sha
hashcat --help

In this lab, we will create a set of hashes and then use a dictionary to crack these hashes. The first step is to create the hashes. Open a terminal and use the following command to create a new txt document filled with some hashes: 

echo "dc647eb65e6711e155375218212b3964
eb61eead90e3b899c6bcbe27ac581660
958152288f2d2303ae045cffc43a02cd
2c9341ca4cf3d87b9e4eb905d6a3ec45
75b71aa6842e450f12aca00fdf54c51d
031cbcccd3ba6bd4d1556330995b8d08
b5af0b804ff7238bce48adef1e0c213f" > target-hashes.txt

These hashes comprise 7 different password which we will attempt to crack.

The next step is to choose the wordlist we will use for cracking the hashes. We will be using the “rockyou.txt” file. Type the following to locate the file:

locate rockyou.txt

Navigate back to the home directory by typing cd. We are now ready to begin the attack.

We will use the following command to crack the password hashes:

hashcat -m 0 -a 0 -o cracked.txt target-hashes.txt /home/hackerboy/Dcouments/rockyou.txt


Let’s break down each of these options.


# The -m 0 option tells hashcat that we are attempting to crack MD5 hash types
# The -a 0 option tells hashcat we are using a dictionary attack
# The -o cracked.txt option is creating the output file for the cracked passwords
# The target_hashes.txt is the file containing the hashes
# The /home/hackerboy/Dcouments/rockyou.txt is the wordlist we will use for this dictionary attack

 

If you want to more cracking hashes, follow below the article on TryHackMe Cracking Hashes.

Click Here 

Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Intercept client-side requests 

Burp Suite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing. Throughout this room, we'll take a look at the basics of installing and using this tool as well as it's various major components. Reference links to the associated documentation per section have been provided at the bottom of most tasks throughout this room. full tutorial of burp suite

we will learn how to use Burp to intercept browser network traffic.

Once the web browser opens, navigate to the following site:

http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F

 

Once there, go back to Burp and turn ON intercept mode. Then, enter any username and password combination into the site and click “Login”. As you will see, the page will remain in a loading state. This is because Burp has now intercepted the request we sent to the server, and is holding it for us to manipulate.

Now, we will start FoxyProxy in our browser.

Go back to Burp and you will find the intercepted request, along with the username and password data that we entered. To navigate through the different requests Burp is intercepting, simply press the “Forward” button to send the request to the server and view the next request.

Full Tutorial of Burp Suite

  to you by Hacking Truth

Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Get started with Cyber Security in 25 days, by learning the basics and completing a new, beginner friendly security exercise every day leading up until Christmas; an advent calendar but with security challenges and not chocolate.


Hey Guys! Sorry for the delay but, we are back with Day 6 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 5 challenge click here.


This challenge is again based on Web Exploitation and the task is named

Patch Management is Hard

DAY 6

Story


During a routine security audit before the Incident, McSkidy discovered some recovery passwords on an old server. She created a ticket to decommission this server to reduce this security vulnerability. The Elf assigned to fix this vulnerability kept pushing off the task, and this never got done. Luckily, some of those recovery keys can be used to save some systems.

Unfortunately, the only way to access the server is through an old web application. See if you can pull out those recovery keys to help McSkidy with her pursuit to save Christmas.



Learning Objectives of the day

1.     What is LFI?
2.     How to perform LFI?
3.     How to elevate from LFI to RCE?

Let us understand the concepts targeted for today first!

What is LFI?

An LFI vulnerability is found in various web applications. As an example, in the PHP, the following functions cause this kind of vulnerability:

1.     include
2.     require
3.     include_once
4.     require_once

    
    

It is a web application vulnerability that allows the attacker to include and read local files on the server. These files could contain sensitive data such as cryptographic keys, databases that contain passwords, and other private data. An LFI vulnerability happens due to a developer’s lack of security awareness. In some cases, developers need to include the content of other local files within a specific page. Suppose a developer includes files without proper input validation. In that case, the LFI vulnerability will exist as a developer should never trust user input and keep all inputs from users to be filtered and sanitized. The main issue of these vulnerabilities is the lack of input validation, in which the user inputs are not sanitized or validated, and the user controls them.


You should read the content given with the challenge for the best understanding of LFI



Q1.Deploy the attached VM and look around. What is the entry point for our web application?

Ans :- err

Q2.Use the entry point to perform LFI to read the /etc/flag file. What is the flag?

We first go to our entry point and replace the error.txt file with ‘/etc/passwd’ file just to check if we can get it!

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false 

Yes we have access, but normally we shouldn’t have that!

Now we check for /etc/flag and voila!

Ans :- THM{d29e08941cf7fe41df55f1a7da6c4c06}

Q3.Use the PHP filter technique to read the source code of the index.php. What is the $flag variable’s value?

We use the PHP filter technique to read the code for index.php by using :

php://filter/convert.base64-encode/resource=

https://10-10-247-133.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=index.php

Once we find the base64 encoding for it, we go to https://www.base64decode.org/ and decode it for our answer!

Or

You can use the base64 command in terminal...


echo "aplhanumeric character" | base64 -d

echo "PD9waHAgc2Vzc2lvbl9zdGFydCgpOwokZmxhZyA9ICJUSE17NzkxZDQzZDQ2MDE4YTBkODkzNjFkYmY2MGQ1ZDllYjh9IjsKaW5jbHVkZSgiLi9pbmNsdWRlcy9jcmVkcy5waHAiKTsKaWYoJF9TRVNTSU9OWyd1c2VybmFtZSddID09PSAkVVNFUil7ICAgICAgICAgICAgICAgICAgICAgICAgCgloZWFkZXIoICdMb2NhdGlvbjogbWFuYWdlLnBocCcgKTsKCWRpZSgpOwp9IGVsc2UgewoJJGxhYk51bSA9ICIiOwogIHJlcXVpcmUgIi4vaW5jbHVkZXMvaGVhZGVyLnBocCI7Cj8+CjxkaXYgY2xhc3M9InJvdyI+CiAgPGRpdiBjbGFzcz0iY29sLWxnLTEyIj4KICA8L2Rpdj4KICA8ZGl2IGNsYXNzPSJjb2wtbGctOCBjb2wtb2Zmc2V0LTEiPgogICAgICA8P3BocCBpZiAoaXNzZXQoJGVycm9yKSkgeyA/PgogICAgICAgICAgPHNwYW4gY2xhc3M9InRleHQgdGV4dC1kYW5nZXIiPjxiPjw/cGhwIGVjaG8gJGVycm9yOyA/PjwvYj48L3NwYW4+CiAgICAgIDw/cGhwIH0KCj8+CiA8cD5XZWxjb21lIDw/cGhwIGVjaG8gZ2V0VXNlck5hbWUoKTsgPz48L3A+Cgk8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1kYW5nZXIiIHJvbGU9ImFsZXJ0Ij5UaGlzIHNlcnZlciBoYXMgc2Vuc2l0aXZlIGluZm9ybWF0aW9uLiBOb3RlIEFsbCBhY3Rpb25zIHRvIHRoaXMgc2VydmVyIGFyZSBsb2dnZWQgaW4hPC9kaXY+IAoJPC9kaXY+Cjw/cGhwIGlmKCRlcnJJbmNsdWRlKXsgaW5jbHVkZSgkX0dFVFsnZXJyJ10pO30gPz4KPC9kaXY+Cgo8P3BocAp9Cj8+</div>" | base64 -d

Answer :-  THM{791d43d46018a0d89361dbf60d5d9eb8}

Q4.McSkidy forgot his login credential. Can you help him to login in order to recover one of the server’s passwords?

Now that you read the index.php, there is a login credential PHP file’s path. Use the PHP filter technique to read its content. What are the username and password?

Using the same base64 encoding of index.php file, we also see that there is ./includes/creds.php which has the credentials.

https://10-10-231-193.p.thmlabs.com/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php

We do the same process and use the PHP filter process to go to this file and then decode it and get the credentials!

Answer:- McSkidy:A0C315Aw3s0m

Q5.Use the credentials to login into the web application. Help McSkidy to recover the server’s password. What is the password of the flag.thm.aoc server?

We have the username and password, we login and we see a fe options!

We know we have to recover the password, so we go on password recovery

Answer:- THM{552f313b52e3c3dbf5257d8c6db7f6f1}

Q6.The web application logs all users’ requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log.

We send in a CURL command in order to test the logs and see how it shows.


curl -A "TESTIN TESTING" http://10-10-88-123.p.thmlabs.com/login.php

the “-A” option helps us set the User Agent and we see TESTIN TESTING as user agent


Now, we do the same, instead with a little php payload to display the phpinfo!

Now to check the log file we need to go to “./includes/logs/app_access.log”, but, for that, we need to go to another window where we a re not logged in to actually check it!

And we see the PHP info file in the logs!!!!!

We can see the hostname directly in the phpinfo in the System column

Answer:- lfi-aoc-awesome-59aedca683fff9261263bb084880c965


The question does ask for RCE, but the this task can be completed without RCE!

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

We are back with Day 5 of the “ Advent of Cyber” event by TryHackMe. If you haven’t solved the Previous Day challenge click here.

This challenge is again based on Web Exploitation and the task is named Pesky Elf Forum. TryHackMe Web Exploitation Pesky Elf Forum XSS

Learning Objectives:

• What is an XSS vulnerability?
• What Types of XSS vulnerabilities are there?
• Challenge Walkthrough.

What is an XSS vulnerability?


Cross-Site Scripting, better known as XSS in the cybersecurity community, is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.


If you can get JavaScript to run on a victim’s computer, there are numerous things you can achieve. This can range from stealing the victim’s cookies to take over their session, running a keylogger that will log every key the user presses on their keyboard while visiting the website, redirecting the user to a totally different website altogether or performing some kind of action on the website such as placing an order, or resetting their password etc.

What types of XSS vulnerabilities are there?

1. DOM
2. Reflected
3. Stored
4. Blind

Let’s Get Started..

1. What flag did you get when you disabled the plugin?

Login using Username: McSkidy Password: password

Leave a comment on any post as Follow <a href="https://www.kumaratuljaiswal.in">kumaratuljaiswal.in</a>


 

Once your comment is posted, you’ll see that the word ‘kumaratuljaiswal.in’ has been underlined.

This means the comment is reflected as you wrote it without the underline HTML tags being stripped out. As this isn’t being stripped out, you can try the HTML script tags instead to see if the website will run any JavaScript that is entered.



Using the URL, you found earlier for changing the user’s password, you can try the following payload:


<script>fetch('/settings?new_password=pass123');</script>

 

The <script> tag tells the browser we want to run some JavaScript, and the fetch command makes a network request to the specified URL.

After posting the above as a comment, you could view the webpage source to see whether it has been shown correctly. The screenshot below shows us that the script tags aren’t being stripped out or disabled and, in fact, are working:


 

Now that we have this XSS running on the forum, it means that any logged in users viewing the thread will automatically have their password changed to pass123. So let’s log out and see if the Grinch has visited the thread by trying to log in as them (It may take up to a minute before the Grinch visits the page and their password changes).

Username: grinch

Password: pass123

Once logged in, go to the settings page again, and this time, you’ll discover another feature with the option to disable the Christmas to Buttmas plugin.


 

Disable the plugin, and you’ll be awarded a flag.

Done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSysAdmin managed to reset everyone’s access except Santa’s! Santa’s expected some urgent travel itinerary for his route over Christmas. Rumour has it that Santa never followed the password security recommendations. Can you use bruteforcing to help him access his accounts?
Learning Objectives of the day

1. Understanding authentication and where it is used
2. Understanding what fuzzing is
3. Understanding what Burp Suite is and how we can use it for fuzzing a login form to gain access
4. Apply this knowledge to retrieve Santa’s travel itinerary

Let us understand the concepts targeted for today first!


What is authentication, and where is it Used?

Authentication is the process of verifying a user’s identity, establishing that they are who they say they are. Authentication can be proven using a variety of authentication means, including:

• A known set of credentials to the server and user such as a username and password
• Token authentication (these are unique pieces of encrypted text)
• Biometric authentication (fingerprints, retina data, etc.)

Authentication is often used interchangeably with authorisation, but it is very different. Authorisation is a term for the rules defining what an authenticated user can and cannot access.

What is Fuzzing?

Put simply, fuzzing is an automated means of testing an element of a web application until the application gives a vulnerability or valuable information. When we are fuzzing, we provide information as we would typically when interacting with it, just at a much faster rate. This means that we can use extensive lists known as wordlists to test a web application’s response to various information.
 

Steps to Fuzz with Burp Suite

Let’s launch FireFox by navigating to “Applications -> Internet-> Firefox”

avigate to the login form in the web browser using the vulnerable IP address (http://MACHINE_IP) (note that the IP address in the screenshots is only an example, you will need to replace this with the MACHINE_IP)

And press “Intercept On” in “Proxy -> Intercept”

Now we will need to return to our Firefox Browser and enable the FoxyProxy extension in Firefox. You can do this by pressing the “FoxyProxy” extension and pressing “Burp”

Submit some dummy data on the login form

Let’s launch Burp Suite by navigating to “Applications -> Other -> Burp Suite”

Navigate to the “Proxy” tab

We will need to return to Burp Suite, where we will see some data has now been returned to us. Right-click the window containing the data and press “Send to Intruder”
    
    

 
Navigate to the “Intruder” tab

10.1. Click the “Positions” tab and clear the pre-selected positions by pressing “Clear $”

10.2. Add the value of the “username” parameter as the first position, sometimes we will already know the username, other times we will not. We can tell Burp to use a wordlist of usernames for this position as well. However, as the username is already known (i.e. cmnatic), we are just brute-forcing the password. (this can be done by highlighting the password parameter and clicking “Add $”)

10.3. Add the “password” value as the position (i.e. password123) (this can be done by highlighting the value in the password parameter and clicking “Add $”)

 
10.4. Select “Cluster Bomb” in the Attack type in the dropdown menu.

10.5. We will now need to provide some values for Burp Suite to fuzz the login form with passwords. We can provide a list manually, or we can provide a wordlist. I will be providing a wordlist.

11. Now after selecting our wordlist, we can see that some passwords have filled the “Payload Options” window

12. Now let’s press the “Start Attack” button, this will begin fuzzing the login form. Look at the results and sort by “Length”. Unsuccessful passwords will return a certain length, and successful passwords will return another length.

Now that we understand how to use Burp Suite, we can create our own attacks and complete the challenge!

Q1. What valid password can you use to access the “santa” account?

Follow the steps mentioned above and create your own attack.

If you read the challenge properly, the link for the wordlist is given there already.

Use this wordlist for your attack and select the Cluster attack for this challenge.

Navigate to the vulnerable login form at http://10.10.205.31/ and apply the material for

today's task to login to Santa's itinerary, using the username as "santa" and the password

list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download

it from here for your payload.

Q2. What is the flag in Santa’s itinerary?

Once you have logged in from the login panel, you get the flag!!

Answer - THM{SANTA_DELIVERS}


 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Story

McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?



Learning Objectives of Day 2:
 

• Understanding the underlying technology of web servers and how the web communicates.
• Understand what cookies are and their purpose.
• Learn how to manipulate and manage cookies for malicious use.

Let us understand the concepts targeted for today first!

HTTP(S)

he HTTP protocol is a client-server protocol to provide communication between a client and a webserver. HTTP requests are similar to a standard TCP network request; however, HTTP adds specific headers to the request to identify the protocol and other information.

When an HTTP request is crafted, the method and target header will always be included. The target header will specify what to retrieve from the server, and the method header will specify how.

When retrieving information from a web server, it is common to use the GET method, such as loading a picture.

When sending data to a web server, it is common to use the POST method, such as sending login information.

Example Request

GET / HTTP/1.1
Host: tryhackme.com
User-Agent: Mozilla/5.0 Firefox/87.0
Referer: https://tryhackme.com/

Example Response

HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wednesday, 24 Nov 2021 13:34:03 GMT
Content-Type: text/html
Content-Length: 98

Cookies

Cookies are tiny pieces of data (metadata) or information locally stored on your computer that are sent to the server when you make a request.

Cookies can be assigned any name and any value allowing the webserver to store any information it wants. Today we will be focusing on authentication cookies, also known as session cookies. Authentication or session cookies are used to identify you and what access level is attached to your session.

Cookie Manipulation

Cookie manipulation is taking a cookie and modifying it to obtain unintended behavior determined by the web developer. Cookie manipulation is possible because cookies are stored locally on your host system, meaning you have complete control over them and modify them as you please.

To begin modifying and manipulating cookies, we need to open our developer tools. In Google Chrome, developer tools are known as the “Chrome Developer Tools,” and in Mozilla Firefox, they are known as the “Firefox Developer Tools.”

Developer tools can be accessed by pressing F12 or Ctrl+Shift+I. Once developer tools are open, to access your cookies, navigate to the Storage tab in Firefox or Application tab in Chrome/Edge; select the Cookies dropdown on the left-hand side of the console.

Now that we understand these basic terms and concepts! Lets Enumerate!!

Q1. What is the name of the new cookie that was created for your account?

Once you open the website from the given link, you have to register an account.

    


    Welcome To Advent of Cyber!

 

Then open the developer options and check for the cookie and find out the cookie name

Answer: user-auth

Q2. What encoding type was used for the cookie value?

If you notice the value of the cookie that was generated,it is alphanumeric with more of numbers and less of alphabets.

Mostly all these alphabets are between “a” and “f” and we know only kind of encoding that is this way which is


Answer: Hexadeciaml

Q3. What object format is the data of the cookie stored in?

We can see that the value of the cookie is encoded so we need to go and get the value decoded.

We can do this by going onto CyberChef and inputting our cookie value. We convert it from hex so we get our output

From the image we can clearly see that the data is stored in key-value pairs and that is why it is called

Answer: JSON

Now we need to manipulate the cookie to get Admin access!!

Now copy the json output and set it as the input for this conversion in CyberChef tool. Select the option of “ To Hex” and set the delimiter as none so as to avoid all the spaces that come with it.

Once we do that, we have the value of the same json with user as “admin”

Q4. What is the value of the administrator cookie? (username = admin)


Ans :-

 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

You can also decode this hex value via terminal through this command 

echo " 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d" | xxd -r -p

We have the value of the admin login cookie, so we go back to our page and edit the value of the cookie into this new value for admin login.

and Voila!!

We are now Admin!!

Q5. What team environment is not responding?


Ans :- HR



Q6. What team environment has a network warning?


Ans :- Application

All answer done :-)

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Windows Security

Per Microsoft, "Windows Security is your home to manage the tools that protect your device and your data".

In case you missed it, Windows Security is also available in Settings.

 

 In the above image, focus your attention on Protection areas.

• Virus & threat protection
• Firewall & network protection
• App & browser control
• Device security

Each following task will briefly touch on these areas.


Before proceeding, let's provide a quick comment on the status icons.

• Green means your device is sufficiently protected, and there aren't any recommended actions.
• Yellow means there is a safety recommendation for you to review.
• Red is a warning that something needs your immediate attention.

    

Click on Open Windows Security.

Note: Since the attached VM is a Windows Server 2019 edition, it looks different from a Windows 10 Home or Professional edition.

The below image is from a Windows 10 device.

1) In the above image, which area needs immediate attention?

Ans - Virus and Threat Protection


 

Virus & threat protection

Virus & threat protection is divided into two parts:

• Current threats
• Virus & threat protection settings

The image below only focuses on Current threats. 

Current threats

• Quick scan - Checks folders in your system where threats are commonly found.
• Full scan - Checks all files and running programs on your hard disk. This scan could take longer than one hour.
• Custom scan - Choose which files and locations you want to check.

Threat history

• Last scan - Windows Defender Antivirus automatically scans your device for viruses and other threats to help keep it safe.
• Quarantined threats - Quarantined threats have been isolated and prevented from running on your device. They will be periodically removed.
• Allowed threats - Allowed threats are items identified as threats, which you allowed to run on your device.

Virus & threat protection settings

Manage settings

• Real-time protection - Locates and stops malware from installing or running on your device.
• Cloud-delivered protection - Provides increased and faster protection with access to the latest protection data in the cloud.
• Automatic sample submission - Send sample files to Microsoft to help protect you and others from potential threats.
• Controlled folder access - Protect files, folders, and memory areas on your device from unauthorized changes by unfriendly applications.
• Notifications - Windows Defender Antivirus will send notifications with critical information about the health and security of your device.

Warning: Excluded items could contain threats that make your device vulnerable. Only use this option if you are 100% sure of what you are doing.

Virus & threat protection updates

Check for updates - Manually check for updates to update Windows Defender Antivirus definitions.  

Ransomware protection

Controlled folder access - Ransomware protection requires this feature to be enabled, which in turn requires Real-time protection to be enabled.



Note: Real-time protection is turned off in the attached VM to decrease the chances of performance issues. Since the VM can't reach the Internet and there aren't any threats in the VM, this is safe to do. Real-time protection should definitely be enabled in your personal Windows devices unless you have a 3rd party product that provides the same protection. Ensure it's always up-to-date and enabled.  

Tip: You can perform on-demand scans on any file/folder by right-clicking the item and selecting 'Scan with Microsoft Defender'.


The below image was taken from another Windows device to show this feature.



1) Specifically, what is turned off that Windows is notifying you to turn on?

Ans - Real-time protection

Firewall & network protection

What is a firewall?

Per Microsoft, "Traffic flows into and out of devices via what we call ports. A firewall is what controls what is - and more importantly isn't - allowed to pass through those ports. You can think of it like a security guard standing at the door, checking the ID of everything that tries to enter or exit".

The below image will reflect what you will see when you navigate to Firewall & network protection.

Note: Each network may have different status icons for you.

What is the difference between the 3 (Domain, Private, and Public)?

Per Microsoft, "Windows Firewall offers three firewall profiles: domain, private and public".

• Domain - The domain profile applies to networks where the host system can authenticate to a domain controller.
• Private - The private profile is a user-assigned profile and is used to designate private or home networks.
• Public - The default profile is the public profile, used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

If you click on any firewall profile, another screen will appear with two options: turn the firewall on/off and block all incoming connections.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave your Windows Defender Firewall enabled.

Allow an app through firewall

You can view what the current settings for any firewall profile are. In the above image, several apps have access in the Private and/or Public firewall profile. Some of the apps will provide additional information if it's available via the Details  button. 

Advance Setting

Configuring the Windows Defender Firewall is for advanced Windows users. Refer to the following Microsoft documentation on best practices here.

Tip: Command to open the Windows Defender Firewall is WF.msc.


1) If you were connected to airport Wi-Fi, what most likely will be the active firewall profile?

Ans - public network

App & browser control

In this section, you can change the settings for the Microsoft Defender SmartScreen.

Per Microsoft, "Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files".

Refer to the official Microsoft document for more information on Microsoft Defender SmartScreen here.

Check apps and file

Windows Defender SmartScreen helps protect your device by checking for unrecognized apps and files from the web.

Exploit protection

Exploit protection is built into Windows 10 (and, in our case, Windows Server 2019) to help protect your device against attacks.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.

Device security

Even though you'll probably never change any of these settings, for completion's sake, it will be covered briefly.

Core isolation
 

Memory Integrity - Prevents attacks from inserting malicious code into high-security processes.

Warning: Unless you are 100% confident in what you are doing, it is recommended that you leave the default settings.

The below images are from another machine to show another security feature that should be available in a personal Windows 10 device.

Security processor

Below are the Security processor details.

What is the Trusted Platform Module (TPM)?

Per Microsoft, "Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM".

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.