Quick & Easy Way to Get 1 Year Free Google AI Pro:

References

root@guacserverdeb12:~# dpkg -l | grep freerdp

ii  freerdp2-dev                         2.10.0+dfsg1-1                 amd64        Free Remote Desktop Protocol library (development files)

ii  libfreerdp-client2-2:amd64           2.10.0+dfsg1-1                 amd64        Free Remote Desktop Protocol library (client library)

ii  libfreerdp-server2-2:amd64           2.10.0+dfsg1-1                 amd64        Free Remote Desktop Protocol library (server library)

ii  libfreerdp-shadow-subsystem2-2:amd64 2.10.0+dfsg1-1                 amd64        FreeRDP Remote Desktop Protocol shadow subsystem libraries

ii  libfreerdp-shadow2-2:amd64           2.10.0+dfsg1-1                 amd64        FreeRDP Remote Desktop Protocol shadow libraries

ii  libfreerdp2-2:amd64                  2.10.0+dfsg1-1                 amd64        Free Remote Desktop Protocol library (core library)

root@guacserverdeb12:~# dpkg -l | grep freerdp
ii  freerdp2-dev                         2.11.7+dfsg1-6~deb12u1         amd64        Free Remote Desktop Protocol library (development files)
ii  libfreerdp-client2-2:amd64           2.11.7+dfsg1-6~deb12u1         amd64        Free Remote Desktop Protocol library (client library)
ii  libfreerdp-server2-2:amd64           2.11.7+dfsg1-6~deb12u1         amd64        Free Remote Desktop Protocol library (server library)
ii  libfreerdp-shadow-subsystem2-2:amd64 2.11.7+dfsg1-6~deb12u1         amd64        FreeRDP Remote Desktop Protocol shadow subsystem libraries
ii  libfreerdp-shadow2-2:amd64           2.11.7+dfsg1-6~deb12u1         amd64        FreeRDP Remote Desktop Protocol shadow libraries
ii  libfreerdp2-2:amd64                  2.11.7+dfsg1-6~deb12u1         amd64        Free Remote Desktop Protocol library (core library)

1. Download the binaries for amd64 from the Debian pool directory, including at least freerdp2-dev_2.11.7+dfsg1-6~deb12u1_amd64.deb and its runtime dependencies such as libfreerdp2-2, libwinpr2-2, etc., from:

   • http://ftp.debian.org/debian/pool/main/f/freerdp2/.​

2. Install with dpkg and fix dependencies with APT:

   • sudo dpkg -i freerdp2-*2.11.7+dfsg1-6~deb12u1_amd64.deb

   • sudo apt -f install
     This will pull any missing dependencies from your configured repositories where versions are compatible.

• This version is targeted at bookworm as an oldstable-proposed-updates security/bugfix update, so ABI should remain compatible with packages built against 2.10.0, including Guacamole’s guacd on Debian 12.​

• To revert, you can downgrade back to the archive version:

  • sudo apt install freerdp2-dev=2.10.0+dfsg1-1 and the matching library versions, or use apt install freerdp2-dev/bookworm to pull the default bookworm release.

root@debian12:~# cat /etc/issue

Debian GNU/Linux 12 \n \l

root@debian12:~# cat /etc/os-release

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"

NAME="Debian GNU/Linux"

VERSION_ID="12"

VERSION="12 (bookworm)"

VERSION_CODENAME=bookworm

ID=debian

HOME_URL="https://www.debian.org/"

SUPPORT_URL="https://www.debian.org/support"

BUG_REPORT_URL="https://bugs.debian.org/"

root@debian12:~#

root@debian12:~# apt update

Ign:1 cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm InRelease

Err:2 cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm Release

  Please use apt-cdrom to make this CD-ROM recognized by APT. apt-get update cannot be used to add new CD-ROMs

Reading package lists... Done

E: The repository 'cdrom://[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05] bookworm Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

root@debian12:~# nano /etc/apt/sources.list

  GNU nano 7.2                                                                                     /etc/apt/sources.list

deb cdrom:[Debian GNU/Linux 12.12.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20250906-15:05]/ bookworm contrib main non-free-firmware

https://guacamole.apache.org/doc/gug/guacamole-native.html

Configure Guacamole.properties & user-mapping.xml

 

To define how Guacamole connects to guacd, create the guacamole.properties file under /etc/guacamole directory with the following content.

vim /etc/guacamole/guacamole.properties

guacd-hostname: localhost
guacd-port:     4822
user-mapping:   /etc/guacamole/user-mapping.xml
auth-provider:  net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

After that, save the configuration file and link the Guacamole configurations directory to Tomcat servlet directory as shown below.

ln -s /etc/guacamole /usr/share/tomcat9/.guacamole

Configure Guacamole Authentication Method

Guacamole’s default authentication method reads all users and connections from a single file called user-mapping.xml. In this file,you need to define the users allowed to access Guacamole web UI, the servers to connect to and the method of connection.

Therefore, run the command below to create this file with the following contents.

vim /etc/guacamole/user-mapping.xml

Be sure to replace password with your strong password.

<user-mapping>
        
    <!-- Per-user authentication and config information -->

    <!-- A user using md5 to hash the password
         guacadmin user and its md5 hashed password below is used to 
             login to Guacamole Web UI-->
    <authorize 
            username="guacadmin"
            password="5f4dcc3b5aa765d61d8327deb882cf99"
            encoding="md5">

        <!-- First authorized Remote connection -->
        <connection name="CentOS-Server">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.56.156</param>
            <param name="port">22</param>
        </connection>

        <!-- Second authorized remote connection -->
        <connection name="Windows 7">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.56.122</param>
            <param name="port">3389</param>
            <param name="username">netsec</param>
            <param name="ignore-cert">true</param>
        </connection>

    </authorize>

</user-mapping>

Generate the MD5 hash of passwords for the user used for logging into Guacamole web user interface. Replace you password accordingly;

echo -n password | openssl md5

printf '%s' password | md5sum

You should get following md5 value for your password string:

5f4dcc3b5aa765d61d8327deb882cf99

If you need to explicitly define usernames and passwords, add the parameters;

<param name="username">USERNAME</param>
<param name="password">PASSWORD</param>

Save and exit the configuration file.

You can check how to enable Guacamole OpenLDAP Authentication;

Setup Apache Guacamole OpenLDAP Authentication

Restart both Tomcat and guacd to effect the changes.

systemctl restart tomcat9 guacd

Be sure to check the syslog, /var/log/syslog or /var/log/tomcat9/CATALINA-* for any issues.

References

Using the basic payload (<script>alert("Your Site is Hacked")</script>), you should be able to get an alert box.

• http://192.168.2.186/xss/example1.php?name=<script>f</script> <input onfocus=f autofocus>
• http://192.168.2.186/xss/example1.php?name=<script>alert("Your Site is Hacked")</script>
• http://192.168.2.186/xss/example1.php?name=%3Cscript%3Ef%3C/script%3E%3Cinput%20onfocus=f%20autofocus%3E

Online Free Lab for Pentester

Fuzzing directories

When accessing a new webserver, it often pays off to brute force directories. To do this, you can use many tools like patator, FFUF or WFuzz (amongst many others).

Directory Traversals

Directory traversals come from a lack of filtering/encoding of information used as part of a path by an application.

As with other vulnerabilities, you can use the "same-value technique" to test for this type of issue.

For example, if the path used by the application inside a parameter is /images/photo.jpg. You can try to access:

• /images/./photo.jpg: you should see the same file.
• /images/../photo.jpg: you should get an error.
• /images/../images/photo.jpg: you should see the same file again.
• /images/../IMAGES/photo.jpg: you should get an error (depending on the file system), or something weird is going on.

If you don't have the value images and the legitimate path looks like photo.jpg, you will need to work out what the parent repository is.

Once you have tested that, you can try to retrieve other files.

On Linux/Unix the most common test case is the /etc/passwd.

You can test: images/../../../../../../../../../../../etc/passwd

If you get the passwd file, the application is vulnerable. The good news is that you don't need to know the number of ... If you put too many, it will still work.

Another interesting thing to know is that if you have a directory traversal in Windows, you will be able to access test/../../../file.txt, even if the directory test does not exist.

This is not the case on Linux.

This can be really useful where the code concatenates user-controlled data, to create a file name.

For example, the following PHP code is supposed to add the parameter id to get a file name (example_1.txt for example).

On Linux, you won't be able to exploit this vulnerability if there is no directory starting with example_, whereas on Windows, you will be able to exploit it, even if there is no such directory.

$file = "/var/files/example_".$_GET['id'].".txt";Copy

In these exercises, the vulnerabilities are illustrated by a script used inside an <img tag.

You will need to read the HTML source (or use "Copy image URL") to find the correct link, and start exploiting the issue.

The first example is a really simple directory traversal. You just need to go up in the file system, and then back down, to get any files you want. In this instance, you will be restricted by the file system permissions, and won't be able to access /etc/shadow, for example.

In this example, based on the header sent by the server, your browser will display the content of the response. Sometimes the server will send the response with a header Content-Disposition: attachment, and your browser will not display the file directly. You can open the file to see the content. This method will take you some time for every test.

Using a Linux/Unix system, you can do this more quickly, by using wget or curl.

The objective of this exercise is to find the directory traversal and retrieve the key in the following file: /pentesterlab.key




For example, you find a file or image url is 

• https://i.51sec.org/2025/chrome_fMjzra75Wa.png

• https://i.51sec.org/././2025/chrome_fMjzra75Wa.png
• https://i.51sec.org/../../../../../2025/chrome_fMjzra75Wa.png

If this vulnerability exists on the website, we should be able to construct a url like this to get the key:

• https://i.51sec.org/../../../../../pentesterlab.key

In this exercise, you can use existing file.php to view this php file's content by right clicking page and viewing  source since it will show an empty page.

It is also possible to use a new constructed url to view /etc/passwd as show from following screenshot in Linux:

• https://netsec.libcurl.me/file.php?file=../../../../../../../../../etc/passwd

On windows, you might be able to get the file boot.ini from c:/ drive. 

References

$ snmpwalk -v1 -c public 192.168.8.1

$snmpwalk -v2c -c public 127.0.0.1

C:\Users\Laptop> snmpwalk -v:1 -r:192.168.8.1 -c:”public”

$ snmpwalk -v1 -c public 192.168.8.1 .1.3.6.1.4.1.318

C:\Users\Laptop> snmpwalk -r:192.168.8.1 -os:.1.3.6.1.4.1.318

The Paessler Free SNMP Testing Tool is a good utility to use for checking on the community string on your network devices. This program runs on Windows and can be downloaded for free.

Run online snmpwalk in free Ubuntu online, free Fedora online, free Windows online emulator or free MACOS online emulator by OnWorks.

https://www.onworks.net/programs/snmpwalk-online

References

The security of a system is attacked through one of several means. It can be via the disclosure of secret data, alteration of data, or destruction of data.

• Disclosure is the opposite of confidentiality. In other words, disclosure of confidential data would be an attack on confidentiality.
• Alteration is the opposite of Integrity. For example, the integrity of a cheque is indispensable.
• Destruction/Denial is the opposite of Availability.

The opposite of the CIA Triad would be the DAD Triad: Disclosure, Alteration, and Destruction.

Consider the previous example of patient records and related systems:

• Disclosure: As in most modern countries, healthcare providers must maintain medical records’ confidentiality. As a result, if an attacker succeeds in stealing some of these medical records and dumping them online to be viewed publicly, the health care provider will incur a loss due to this data disclosure attack.
• Alteration: Consider the gravity of the situation if the attacker manages to modify patient medical records. This alteration attack might lead to the wrong treatment being administered, and consequently, this alteration attack could be life-threatening.
• Destruction/Denial: Consider the case where a medical facility has gone completely paperless. If an attacker manages to make the database systems unavailable, the facility will not be able to function properly. They can go back to paper temporarily; however, the patient records won’t be available. This denial attack would stall the whole facility.

Protecting against disclosure, alteration, and destruction/denial is of utter significance. This protection is equivalent to working to maintain confidentiality, integrity and availability.

Protecting confidentiality and integrity to an extreme can restrict availability, and increasing availability to an extreme can result in losing confidentiality and integrity. Good security principles implementation requires a balance between the three.

ISO/IEC 19249

ISO/IEC 19249:2017 Information technology - Security techniques - Catalogue of architectural and design principles for secure products, systems and applications

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have created the ISO/IEC 19249. The purpose is to have a better idea of what international organizations would teach regarding security principles.

ISO/IEC 19249 lists five architectural principles:

1. Domain Separation: Every set of related components is grouped as a single entity; components can be applications, data, or other resources. Each entity will have its own domain and be assigned a common set of security attributes. For example, consider the x86 processor privilege levels: the operating system kernel can run in ring 0 (the most privileged level). In contrast, user-mode applications can run in ring 3 (the least privileged level). Domain separation is included in the Goguen-Meseguer Model.
2. Layering: When a system is structured into many abstract levels or layers, it becomes possible to impose security policies at different levels; moreover, it would be feasible to validate the operation. Let’s consider the OSI (Open Systems Interconnection) model with its seven layers in networking. Each layer in the OSI model provides specific services to the layer above it. This layering makes it possible to impose security policies and easily validate that the system is working as intended. Another example from the programming world is disk operations; a programmer usually uses the disk read and write functions provided by the chosen high-level programming language. The programming language hides the low-level system calls and presents them as more user-friendly methods. Layering relates to Defence in Depth.
3. Encapsulation: In object-oriented programming (OOP), we hide low-level implementations and prevent direct manipulation of the data in an object by providing specific methods for that purpose. For example, if you have a clock object, you would provide a method increment() instead of giving the user direct access to the seconds variable. The aim is to prevent invalid values for your variables. Similarly, in larger systems, you would use (or even design) a proper Application Programming Interface (API) that your application would use to access the database.
4. Redundancy: This principle ensures availability and integrity. There are many examples related to redundancy. Consider the case of a hardware server with two built-in power supplies: if one power supply fails, the system continues to function. Consider a RAID 5 configuration with three drives: if one drive fails, data remains available using the remaining two drives. Moreover, if data is improperly changed on one of the disks, it would be detected via the parity, ensuring the data’s integrity.
5. Virtualization: With the advent of cloud services, virtualization has become more common and popular. The concept of virtualization is sharing a single set of hardware among multiple operating systems. Virtualization provides sandboxing capabilities that improve security boundaries, secure detonation, and observance of malicious programs.

ISO/IEC 19249 teaches five design principles:

1. Least Privilege: You can also phrase it informally as “need-to basis” or “need-to-know basis” as you answer the question, “who can access what?” The principle of least privilege teaches that you should provide the least amount of permissions for someone to carry out their task and nothing more. For example, if a user needs to be able to view a document, you should give them read rights without write rights.
2. Attack Surface Minimisation: Every system has vulnerabilities that an attacker might use to compromise a system. Some vulnerabilities are known, while others are yet to be discovered. These vulnerabilities represent risks that we should aim to minimize. For example, in one of the steps to harden a Linux system, we would disable any service we don’t need.
3. Centralized Parameter Validation: Many threats are due to the system receiving input, especially from users. Invalid inputs can be used to exploit vulnerabilities in the system, such as denial of service and remote code execution. Therefore, parameter validation is a necessary step to ensure the correct system state. Considering the number of parameters a system handles, the validation of the parameters should be centralized within one library or system.
4. Centralized General Security Services: As a security principle, we should aim to centralize all security services. For example, we would create a centralized server for authentication. Of course, you might take proper measures to ensure availability and prevent creating a single point of failure.
5. Preparing for Error and Exception Handling: Whenever we build a system, we should take into account that errors and exceptions do and will occur. For instance, in a shopping application, a customer might try to place an order for an out-of-stock item. A database might get overloaded and stop responding to a web application. This principle teaches that the systems should be designed to fail safe; for example, if a firewall crashes, it should block all traffic instead of allowing all traffic. Moreover, we should be careful that error messages don’t leak information that we consider confidential, such as dumping memory content that contains information related to other customers.

Trust is a very complex topic; in reality, we cannot function without trust. If one were to think that the laptop vendor has installed spyware on the laptop, they would most likely end up rebuilding the system. If one were to mistrust the hardware vendor, they would stop using it completely. If we think of trust on a business level, things only become more sophisticated; however, we need some guiding security principles. Two security principles that are of interest to us regarding trust:

• Trust but Verify
• Zero Trust

Trust but Verify: This principle teaches that we should always verify even when we trust an entity and its behaviour. An entity might be a user or a system. Verifying usually requires setting up proper logging mechanisms; verifying indicates going through the logs to ensure everything is normal. In reality, it is not feasible to verify everything; just think of the work it takes to review all the actions taken by a single entity, such as Internet pages browsed by a single user. This requires automated security mechanisms, such as proxy, intrusion detection, and intrusion prevention systems.

Zero Trust: This principle treats trust as a vulnerability, and consequently, it caters to insider-related threats. After considering trust as a vulnerability, zero trust tries to eliminate it. It is teaching indirectly, “never trust, always verify.” In other words, every entity is considered adversarial until proven otherwise. Zero trust does not grant trust to a device based on its location or ownership. This approach contrasts with older models that would trust internal networks or enterprise-owned devices. Authentication and authorization are required before accessing any resource. As a result, if any breach occurs, the damage would be more contained if a zero trust architecture had been implemented.

Microsegmentation is one of the implementations used for Zero Trust. It refers to the design where a network segment can be as small as a single host. Moreover, communication between segments requires authentication, access control list checks, and other security requirements.

There is a limit to how much we can apply zero trust without negatively impacting a business; however, this does not mean that we should not apply it as long as it is feasible.

Vulnerability vs Threat vs Risk

There are three terms that we need to take note of to avoid any confusion.

• Vulnerability: Vulnerable means susceptible to attack or damage. In information security, a vulnerability is a weakness.
• Threat: A threat is a potential danger associated with this weakness or vulnerability.
• Risk: The risk is concerned with the likelihood of a threat actor exploiting a vulnerability and the consequent impact on the business.

Away from information systems, a showroom with doors and windows made of standard glass suffers a weakness, or vulnerability, due to the nature of glass. Consequently, there is a threat that the glass doors and windows can be broken. The showroom owners should contemplate the risk, i.e. the likelihood that a glass door or window gets broken and the resulting impact on the business.

Consider another example directly related to information systems. You work for a hospital that uses a particular database system to store all the medical records. One day, you are following the latest security news, and you learn that the used database system is not only vulnerable but also a proof-of-concept working exploit code has been released; the released exploit code indicates that the threat is real. With this knowledge, you must consider the resulting risk and decide the next steps.

Fundamental Concepts of Security Models

We have learned that the security triad is represented by Confidentiality, Integrity, and Availability (CIA). One might ask, how can we create a system that ensures one or more security functions? The answer would be in using security models. In this task, we will introduce three foundational security models:

• Bell-LaPadula Model
• The Biba Integrity Model
• The Clark-Wilson Model

Bell-LaPadula Model

The Bell-LaPadula Model aims to achieve confidentiality by specifying three rules:

• Simple Security Property : This property is referred to as “no read up”; it states that a subject at a lower security level cannot read an object at a higher security level. This rule prevents access to sensitive information above the authorized level.
• Star Security Property : This property is referred to as “no write down”; it states that a subject at a higher security level cannot write to an object at a lower security level. This rule prevents the disclosure of sensitive information to a subject of lower security level.
• Discretionary-Security Property : This property uses an access matrix to allow read and write operations. An example access matrix is shown in the table below and used in conjunction with the first two properties.

Subjects	Object A	Object B
Subject 1	Write	No access
Subject 2	Read/Write	Read

The first two properties can be summarized as “write up, read down.” You can share confidential information with people of higher security clearance (write up), and you can receive confidential information from people with lower security clearance (read down).

There are certain limitations to the Bell-LaPadula model. For example, it was not designed to handle file-sharing.

Biba Model

The Biba Model aims to achieve integrity by specifying two main rules:

• Simple Integrity Property : This property is referred to as “no read down”; a higher integrity subject should not read from a lower integrity object.
• Star Integrity Property : This property is referred to as “no write up”; a lower integrity subject should not write to a higher integrity object.

These two properties can be summarized as “read up, write down.” This rule is in contrast with the Bell-LaPadula Model, and this should not be surprising as one is concerned with confidentiality while the other is with integrity.

Biba Model suffers from various limitations. One example is that it does not handle internal threats (insider threat).

Clark-Wilson Model

The Clark-Wilson Model also aims to achieve integrity by using the following concepts:

• Constrained Data Item (CDI) : This refers to the data type whose integrity we want to preserve.
• Unconstrained Data Item (UDI) : This refers to all data types beyond CDI, such as user and system input.
• Transformation Procedures (TPs) : These procedures are programmed operations, such as read and write, and should maintain the integrity of CDIs.
• Integrity Verification Procedures (IVPs) : These procedures check and ensure the validity of CDIs.

We covered only three security models. The reader can explore many additional security models. Examples include:

• Brewer and Nash model
• Goguen-Meseguer model
• Sutherland model
• Graham-Denning model
• Harrison-Ruzzo-Ullman model

Examples of Secure By Design

 

Secure By Default

 

References

• https://www.securitymagazine.com/ - Security Magazine