4.0 Operations and Incident Response Flashcards
What is tcpdump?
tcpdump is a command-line packet capture utility built into most Linux distributions; it outputs a description of the contents of each packet received on a network interface.
It can help audit a server's security settings.
What is tshark?
Can it run on Windows?
tshark is a terminal version of Wireshark that also captures and displays packet information from any network interface. This can run on a Windows computer.
What is AirPcap?
AirPcap is a wireless adapter designed specifically for packet capture.
How does a Python script indicate a function?
What happens if it does not initialize its variables?
What kind of "=" symbol does it use?
A correct Python script defines its variables, uses "def" to indicate that a function is being defined, uses proper indentation, and calls the function after it has been defined.
The code block that does not initialize the 'filename' or 'pattern' variables is incomplete. Therefore, the code will halt with a NameError exception.
The code block that uses the '==' operator to assign variables is using the wrong syntax; it should use a single '=' operator. The same code block also calls the search_file function before it is defined, which will result in an error.
The code block that defines the search_file function with func is using the wrong syntax. Instead, the function should be defined with def.
What is DoD 5220.22-M?
The DoD 5220.22-M wipe method involves a three-phased pass of writing 1s, 0s, and random characters onto a hard drive.
This method will prevent the use of many software-based file recovery methods. The systems admin must use this method before sending equipment to public schools.
What is Degaussing or to Degauss?
Degaussing is a method of erasing data on a hard drive with a powerful magnet.
This is appropriate for preparing systems before use by public schools.
What is Wireshark?
Does it provide replay?
Wireshark is both a sniffer and protocol analyzer tool. It is capable of parsing (interpreting) the headers of hundreds of network protocols and listing the contents of the data packets in plain view, if available. It can eavesdrop and scan open networks.
It does not provide replay.
What is Nexpose?
Nexpose is a vulnerability scanner similar to Nessus.
What is "tcpreplay"?
The tcpreplay tool can replay network traffic captured by another program, such as Wireshark, in the form of a .pcap file. This can be used to investigate suspicious traffic or test the effectiveness of intrusion detection rules.
What is the scanless tool?
What is its main function?
What does it run on?
What does it not check?
The scanless tool is a port scanner that runs its scans through third-party websites to evade detection.
Its main functionality is scanning ports, and it does not capture or replay network traffic.
It is a Python-based command-line utility.
It does not check hosting records or DNS services.
What is Cuckoo? What does it do?
What does it not do?
Where does it run?
What can it not be used for?
Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment. It does not scan for vulnerabilities.
It cannot be used for Denial of Service attacks, nor for packet sniffing or injection.
What is FTK Imager?
What else is it capable of? What kind of file format does it use?
FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if further analysis is required.
It includes the capability for live memory capture and saves the data in a proprietary .E01 file format.
What is WinHex?
What can it do? What is required for it to do so?
What is it used for?
WinHex is a hex and disk editor for Windows that, when preinstalled on the host system, allows live capture of system memory.
It is often used for digital forensics and data recovery.
What OS uses memdump?
What does it run against?
As long as what is installed?
Give 2 examples of such an installation.
The Linux-based tool memdump can run against the /dev/mem device file provided a kernel driver, such as pmem or fmem, is installed.
However, it is not compatible with Windows machines.
What is dd?
What OS is it for?
The common Linux tool dd is a file conversion and copying tool that copies entire disks, including hard disk images and memory dump files such as the /dev/mem device file on Linux. It’s not compatible with Windows machines.
What is hping?
What are 3 of its capabilities?
The open-source tool known as hping has packet sniffing and injection capabilities, as well as Denial of Service (DoS) testing features built in.
What is The Volatility Framework used for?
What can it install, and which tools can then use it?
What would it access?
The Volatility Framework is widely used for system memory analysis and can install the pmem kernel driver, allowing tools such as memdump or dd to access the /dev/mem device memory file on Linux.
What is the Sn1per framework designed for?
What can it integrate?
Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.
Describe the Zed Attack Proxy.
Who was it developed by?
What does it provide?
The Zed Attack Proxy, developed by the Open Web Application Security Project (OWASP), provides scanning tools and scripts for web application and mobile app security testing.
What is the netstat command?
What OS is it compatible with?
What can an admin do with it?
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux).
The admin may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.
What is netcat?
What does it do?
What OS does it work with?
What can it be used as?
netcat (or nc for short) is remote access software that is available for both Windows and Linux. It can be used as a backdoor to other servers.
What OS is the "pathping" tool for?
What does it provide?
What is it equivalent to?
The pathping tool for Windows provides statistics for latency and packet loss along a route over a longer measuring period.
The equivalent on Linux is mtr.
What is theHarvester?
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular domain or company name. It works by scanning multiple public data sources and gathering emails, names, subdomains, IPs, URLs, and other relevant data.
What is Active KillDisk?
Active KillDisk is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s.
Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.
What does the "route" command do?
What would be a red flag?
The route command views and configures the host’s local routing table.
Entries that are unfamiliar or that are not routers can be considered suspicious.
What does the "tracert" command do?
The tracert command uses ICMP probes to report the round trip time (RTT) for hops between the local host and a host on a remote network on Windows.
What is the traceroute command?
The traceroute command performs route discovery from a Linux host using UDP probes rather than ICMP.
Example of a command to generate an RSA key?
What will be the output?
The command openssl genrsa -out server.key 1024 generates an RSA key.
The output is written to server.key; 1024 represents the key size.
What is the dnsenum tool?
The dnsenum tool performs a number of tests in a single query and can retrieve hosting information, name records, and even work out IP address ranges currently in use.
What is the %SystemRoot%\NTDS\NTDS.DIT file?
The %SystemRoot%\NTDS\NTDS.DIT file stores domain user passwords and credentials.
Employees commonly use their domain credentials to log in to do work and gain access to corporate information.