• security
• l1
• topic-pack
• offensive-security-basics --- Portal | Level: L1: Foundations | Topics: Offensive Security Basics | Domain: Security

Offensive Security Basics — Primer

Know how attacks work so you can defend against them. This is a defensive-minded primer for ops engineers, not a pentesting guide.

---

Why ops engineers need this

You can't defend what you don't understand. Every misconfigured firewall rule, every default password left on a switch, every unpatched service — attackers know about these. You should too.

The goal isn't to become a pentester. The goal is to stop thinking like a builder and start thinking like an attacker for 10 minutes a day. That shift catches things checklists miss.

---

Password attacks

Brute force. Try every possible combination. Slow against long passwords, fast against short ones. A 6-character password falls in hours. 12+ characters with mixed case takes centuries (with current hardware).

Dictionary attacks. Try common words and known passwords. The RockYou list has 14 million real passwords from a 2009 breach. Most people pick from a depressingly small pool.

Credential stuffing. Take username/password pairs leaked from Site A, try them on Site B. Works because people reuse passwords. Automated tools like Hydra can test thousands of sites.

Rainbow tables. Precomputed hash-to-plaintext lookup tables. If you hashed passwords without a salt, an attacker just looks up the hash. Instant crack.

Pass-the-hash. Steal the password hash from memory or disk, use it directly to authenticate — never need the actual password. Common in Windows/AD environments via tools like Mimikatz.

Password defense

• bcrypt / argon2 — slow-by-design hashing. Makes brute force expensive.
• Salting — unique random value per password. Kills rainbow tables.
• Rate limiting — lock accounts or add delays after N failed attempts.
• MFA — even if the password is compromised, attacker needs a second factor.
• Password policies — enforce length (12+ chars), check against breach lists (Have I Been Pwned API), stop requiring special characters (users just do P@ssw0rd!).

---

Web application attacks

SQL injection (SQLi)

Attacker injects SQL into input fields. The classic:

Username: admin' OR '1'='1' --
Password: anything

If the backend does string concatenation:

SELECT * FROM users WHERE name='admin' OR '1'='1' --' AND pass='anything'

The OR '1'='1' is always true. The -- comments out the rest. Attacker is in.

Cross-site scripting (XSS)

Reflected. Attacker crafts a URL with malicious JavaScript in a query parameter. Victim clicks it, script runs in their browser in the context of your site. Steals cookies, session tokens.

Stored. Attacker saves malicious JavaScript in your database (comment field, profile bio). Every user who views that content executes the script.

CSRF (Cross-Site Request Forgery)

Victim is logged into your app. Attacker tricks them into clicking a link that makes a state-changing request (transfer money, change email) using the victim's existing session.

SSRF (Server-Side Request Forgery)

Attacker makes your server fetch a URL of their choosing. Used to hit internal services, cloud metadata endpoints (169.254.169.254), or scan internal networks from inside your perimeter.

Web defense

• Parameterized queries — never concatenate user input into SQL. Use prepared statements. This is the #1 fix for SQLi.
• Input validation — whitelist expected formats. Reject, don't sanitize.
• CSP headers — Content-Security-Policy tells browsers which scripts are allowed to run. Kills most XSS.
• CORS — restrict which origins can make requests to your API.
• CSRF tokens — unique per-session token in forms. Attacker can't guess it.
• WAFs — Web Application Firewalls (Cloudflare, AWS WAF, ModSecurity). Layer of defense, not a replacement for secure code.

---

OWASP Top 10 (2021)

Timeline: The OWASP (Open Web Application Security Project) Top 10 was first published in 2003. It has been updated in 2004, 2007, 2010, 2013, 2017, and 2021. The biggest shift over time: "Injection" held the #1 spot from 2010-2017 but dropped to #3 in 2021, while "Broken Access Control" rose to #1 — reflecting a shift from input validation bugs to authorization logic errors as frameworks got better at parameterized queries.

The industry-standard list of critical web application security risks:

1. Broken Access Control — users accessing things they shouldn't
2. Cryptographic Failures — weak crypto, plaintext storage, missing TLS
3. Injection — SQLi, command injection, LDAP injection
4. Insecure Design — missing threat modeling, flawed architecture
5. Security Misconfiguration — defaults, open cloud buckets, verbose errors
6. Vulnerable Components — unpatched libraries, known CVEs in dependencies
7. Authentication Failures — weak passwords, missing MFA, broken session mgmt
8. Software & Data Integrity Failures — unsigned updates, poisoned CI/CD
9. Logging & Monitoring Failures — breaches undetected for months
10. SSRF — server-side request forgery (described above)

---

Network attacks

Remember: The OWASP Top 10 mnemonic for the top 5: "Broken Crypto Injection Insecure Security" — Broken access control, Cryptographic failures, Injection, Insecure design, Security misconfiguration. The first three alone cover the vast majority of critical web vulnerabilities.

DDoS (Distributed Denial of Service)

Volumetric. Flood the pipe. UDP floods, DNS amplification, NTP amplification. Measured in Gbps. Goal: saturate bandwidth.

Protocol. Exhaust server/firewall state tables. SYN floods, fragmented packets. Measured in packets per second.

Application layer. Slow, targeted requests designed to exhaust application resources. HTTP floods, Slowloris (holds connections open). Hard to distinguish from legitimate traffic.

ARP spoofing

Attacker sends fake ARP replies to associate their MAC address with another host's IP. Redirects traffic through attacker's machine. Works on local network segments. Defense: static ARP entries, DAI (Dynamic ARP Inspection).

DNS poisoning

Corrupt DNS cache to redirect a domain to an attacker-controlled IP. Victim types bank.com, gets sent to attacker's lookalike. Defense: DNSSEC, DNS-over-HTTPS/TLS, short TTLs for sensitive records.

MITM (Man-in-the-Middle)

Attacker positions themselves between two parties. Intercepts, possibly modifies traffic. Often combines ARP spoofing or rogue Wi-Fi with SSL stripping. Defense: TLS everywhere, HSTS headers, certificate pinning.

DDoS mitigation

• Rate limiting — cap requests per IP/session at the application and infra level.
• CDN/edge filtering — Cloudflare, AWS CloudFront absorb traffic at the edge.
• Anycast — distribute traffic across multiple data centers geographically.
• Blackhole routing — drop all traffic to a targeted IP as last resort (sacrifices availability).
• Cloud WAF — Cloudflare, AWS Shield Advanced, Akamai Prolexic. They've seen every attack pattern before; you haven't.

---

Ransomware

How it works

1. Attacker gains access (phishing email, exposed RDP, compromised supply chain).
2. Moves laterally, escalates privileges, maps the network.
3. Encrypts data, deletes/encrypts backups if reachable.
4. Demands payment (usually crypto) for decryption key.
5. Modern variants also exfiltrate data and threaten to publish it (double extortion).

Common vectors

• Phishing — malicious attachments or links. Still #1 initial access method.
• Exposed RDP — brute force or credential stuffing against internet-facing RDP.
• Supply chain — compromised software update (SolarWinds, Kaseya).
• Vulnerable services — unpatched Exchange, VPN appliances, etc.

Ransomware defense

• Immutable backups — backups that cannot be modified or deleted after creation (S3 Object Lock, immutable ZFS snapshots).
• Air-gapped copies — physically disconnected backup media. Ransomware can't encrypt what it can't reach.
• Network segmentation — limit lateral movement. Backup networks should be isolated from production.
• Endpoint detection (EDR) — CrowdStrike, SentinelOne, Carbon Black. Detects suspicious encryption behavior.
• Patch management — known exploits are the easy way in. Patch fast.

---

SSH attacks

Brute force. Automated tools hammer SSH with username/password combos. Defense: key-only auth, fail2ban, non-standard port (minor), rate limiting.

Key theft. Attacker steals private keys from compromised workstations, backups, or repos. Defense: passphrase-protected keys, hardware tokens (YubiKey), rotate keys.

Default trap: SSH servers ship with PasswordAuthentication yes and often PermitRootLogin yes by default. A fresh cloud VM with these defaults will see brute-force login attempts within minutes of getting a public IP. Always disable password auth (PasswordAuthentication no) and root login (PermitRootLogin no) in /etc/ssh/sshd_config as part of your base image build.

Agent forwarding abuse. If you ssh -A into a compromised host, the attacker can use your forwarded agent to authenticate to other systems as you. Defense: use ProxyJump instead of agent forwarding. Never forward your agent to untrusted hosts.

---

Key tools to know about

You don't need to master these offensively. Know what they do so you understand what attackers (and your security team) are working with.

Tool	What it does
nmap	Network scanner. Finds open ports, identifies services, detects OS
Burp Suite	Web app security testing proxy. Intercepts/modifies HTTP requests
hashcat	GPU-accelerated password hash cracker. Tests hash strength
Metasploit	Exploitation framework. Known exploit modules for thousands of CVEs
Wireshark	Packet capture and analysis. See exactly what's on the wire

---

CTF and lab environments

Practice safely. Never run attack tools against systems you don't own.

• HackTheBox — realistic machines to hack. Teaches methodology.
• TryHackMe — guided rooms from beginner to advanced. Good starting point.
• OWASP WebGoat — intentionally vulnerable web app. Teaches web attacks hands-on in a safe sandbox.
• VulnHub — downloadable vulnerable VMs for local practice.
• SANS Holiday Hack — annual free CTF challenge with good learning curve.

---

Fun fact: The RockYou password breach (2009) exposed 32 million passwords stored in plain text. Analysis showed the most common password was "123456" (used by ~290,000 accounts), followed by "12345", "123456789", "password", and "iloveyou". The RockYou wordlist (rockyou.txt) is still the default dictionary for password cracking tools like hashcat and John the Ripper.

Mental model

Think of security as layers:

[Perimeter] → [Network] → [Host] → [Application] → [Data]

Attackers only need one path through. Defenders need to cover all of them. Understanding offensive techniques tells you which layers are actually thin.

Pages that link here

• Anti-Primer: Offensive Security Basics
• Master Curriculum: 40 Weeks
• Offensive Security Basics