4.1 - Given a scenario, use the appropriate tool to assess organizational security. Flashcards

1
Q

tracert/traceroute (Network reconnaissance and discovery)

A

-Determine the route a packet takes to a destination
-Map the entire path
-Record hops along the way
USE CASE = find where a packet is getting hung up

tracert = Windows
traceroute = macOS/POSIX/Linux

-Takes advantage of the ICMP Time to Live Exceeded error message
->Not all devices will reply with ICMP Time Exceeded messages
->Some firewalls filter ICMP -> ICMP is low-priority for many devices
-"time" in TTL refers to hops, not seconds or minutes
-TTL=1 is the first router, TTL=2 is the second router, etc.

2
Q

nslookup/dig (Network reconnaissance and discovery)

A

both:
-Look up information from DNS servers
-Canonical names, IP addresses, cache timers, etc.
-Query a DNS server to check whether the correct information is in the zone database
USE CASE: troubleshooting the DNS database

nslookup = Windows
-Look up names and IP addresses
-Deprecated (use dig instead)

dig (domain information groper) = Linux/macOS
-More advanced domain information
-Probably your first choice

3
Q

ipconfig/ifconfig (Network reconnaissance and discovery)

A

-Most of your troubleshooting starts with your IP address
->Ping your local router/gateway
-Determine TCP/IP and network adapter information/configuration
->And additional IP details
-Interfaces that exist on the system, IPv4, IPv6, MAC address, connection speeds, netmasks, broadcast domains, other connection details
-Both commands can be used to enable/disable interfaces, refresh/drop DHCP addresses + control network interfaces

ipconfig = Windows TCP/IP configuration

ifconfig = Linux interface configuration

4
Q

nmap (Network reconnaissance and discovery)

A

-Network mapper
->Find + learn more about network devices
-Locating network hosts
-Detecting the OS
-Identifying services
-USE CASE: security auditing, routine admin tasks (monitoring host uptime, host inventory)

-Port scan
->Find devices + identify open ports

-OS scan
->Discover the OS without logging into the device

-Service scan
->What service is available on the device?
->Name, version, details

-More scripts
->NSE (Nmap Scripting Engine) = extends capabilities + vulnerability scans

5
Q

ping/pathping (Network reconnaissance and discovery)

A

ping
-Test reachability
-Determine round-trip time
-Uses ICMP (Internet Control Message Protocol)

pathping = Windows
-Combines ping and traceroute
-Traces the route to the destination
-Provides information about latency + packet loss
-Can be slower because each hop is given 25 seconds to gather statistical data

->First phase runs a traceroute
->Build a map
-Second phase
->Measure round-trip time and packet loss at each hop

6
Q

hping (Network reconnaissance and discovery)

A

-TCP/IP packet assembler/analyzer
->A ping that can send almost anything

-Ping a device
->ICMP, TCP, UDP
-> # hping3 --destport 80 10.1.10.1

-Send crafted frames
->Modify all IP, TCP, UDP, and ICMP values

-Powerful tool
->Easy to accidentally flood + DoS (Be careful!)

-Can provide information such as:
->OS fingerprinting
->Guess how long the system has been online based on packet details
-Available for both Windows + Linux

7
Q

netstat (-a, -b, -n) (Network reconnaissance and discovery)

A

-Network statistics
-Many different OSs
-> netstat -a = Show all active connections
-> netstat -b = Show binaries
-> netstat -n = Do not resolve names

8
Q

netcat (Network reconnaissance and discovery)

A

-Read/write to the network
->Open a port and send or receive some traffic

-Listen on a port number

-Transfer data

-Scan ports + send data to a port

-Become a backdoor
->Run a shell from a remote device

-Can act as both a listener and a client
->Allowing remote shells and file transfers

nc [hostname] [port]

9
Q

IP scanners (Network reconnaissance and discovery)

A

-Search the network for IP addresses
-Locate active devices
-Avoid doing work on an IP address that isn't there
-Different techniques
->ARP (if on the local subnet)
->ICMP requests (ping)
->TCP ACK
->ICMP timestamp requests
-A response means more recon can be done
->Keep gathering information (Nmap, hping, etc.)

10
Q

arp (Network reconnaissance and discovery)

A

-Address Resolution Protocol
-Determine a MAC address based on an IP address
-You need the hardware address to communicate
-Add/remove hosts from the ARP table
-Provides information about:
->Local address
->Remote address for each connection
->State of TCP connections

-arp -a = View the local ARP table

11
Q

route (Network reconnaissance and discovery)

A

-view device’s routing table
->find out which way packets will go
-display + modify sys routing table

route print = Windows

netstat -r = Linux and macOS

12
Q

curl (Network reconnaissance and discovery)

A

-Linux
-Client URL
->Retrieve data using a URL
->Uniform Resource Locator
->Web pages, FTP, emails, databases, etc.
-Grab the raw data
->Search
->Parse
->Automate

-Frequently used to manually perform HTTP commands such as:
->HTTP GET
->Or to fetch HTTP headers
-File transfer via FTP, FTPS, SFTP

curl --request GET https://example.com

13
Q

theHarvester (Network reconnaissance and discovery)

A

-Gather OSINT
-Scrape info from Google/Bing
->Find associated IP addresses
-List of people from LinkedIn
->Names + titles
-Find PGP keys by email domain
->list of email contacts
-DNS brute force
->Find those unknown hosts; vpn, chat, mail, partner, etc.

-Retrieve information
->Email accounts
->Domains
->Usernames
->Details using LinkedIn/search engines
-Can be run from the command line, provided with a domain/URL + the search engine to use

-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing

14
Q

sn1per (Network reconnaissance and discovery)

A

-Combines many recon tools into a single framework
->dnsenum, metasploit, nmap, theHarvester, and much more
-Both non-intrusive + very intrusive scanning options
->You choose the volume
-Another tool that can cause problems
->Brute force, server scanning, etc.
->Make sure you know what you're doing
-Automated scanning tool that combines multiple tools for pen testers
-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing

15
Q

scanless (Network reconnaissance and discovery)

A

-Run port scans from a different host
->Port scan proxy
-Different services
->Choose the option for scan origination
->Your IP is hidden as the scan source

scanless -s [chosen scanning site] -t target

16
Q

dnsenum (Network reconnaissance and discovery)

A

-Enumerate DNS information
->Find host names
-View host information from DNS servers
->Many services + hosts are listed in DNS
-Find host names in Google
->More hosts can probably be found in the index

~# dnsenum example.com

17
Q

Nessus (Network reconnaissance and discovery)

A

-vuln scanning
-Extensive support
-Free + commercial options
-Identify known vulnerabilities
-Find systems before they can be exploited
-Extensive reporting
->A checklist of issues
->Filter out false positives

18
Q

Cuckoo (Network reconnaissance and discovery)

A

-A sandbox for malware
->Test a file in a safe environment

-A virtualized environment
->Windows, Linux, macOS, Android
-Track and trace
->API calls, network traffic, memory analysis
->Traffic captures
->Screenshots

19
Q

head (File manipulation)

A

-View the first part of a file
->The head, or beginning, of the file
->head [OPTION] … [FILE] …

-Use -n to specify the number of lines
->head -n 5 syslog

20
Q

tail (File manipulation)

A

-View the last part of a file
->The tail, or end, of the file
-> tail [OPTION] … [FILE] …

-Use -n to specify the number of lines
-> tail -n 5 syslog

21
Q

cat (File manipulation)

A

-Concatenate
->Link together in a series

-Copy a file/files to the screen
-> cat file1.txt file2.txt

-Copy a file/files to another file
->cat file1.txt file2.txt > both.txt

22
Q

grep (File manipulation)

A

-Find text in a file
->Search through many files at a time

-grep PATTERN [FILE]
-> grep failed auth.log

23
Q

chmod (File manipulation)

A

-Change mode of a file system object
-> r=read, w=write, x=execute
->Can also use octal notation
->Set for the file owner (u), the group(g), others(o), or all(a)
->chmod mode FILE
->chmod 744 script.sh

-chmod 744 first.txt
->User: read, write, execute
->Group: read only
->Other: read only

-chmod a-w first.txt
->All users, no writing to first.txt

-chmod u+x script.sh
->The owner of script.sh can execute the file

24
Q

logger (File manipulation)

A

-Add entries to the system log
->syslog

-Adding to the local syslog file
->logger "This information is added to syslog"

-Useful for including information in a local or remote syslog file
->Include as part of an automation script
->Log an important event

25
Q

SSH

A

-secure shell

-Encrypted console communication - tcp/22

-Looks and acts the same as Telnet

26
Q

PowerShell

A

-Windows PowerShell

-Command line for system administrators
->.ps1 file extension
->Included with Windows 8/8.1 + 10

-Extend command-line functions
->Uses cmdlets (command-lets)
->PowerShell scripts and functions
->Standalone executables

-Automate and integrate
->System administration
->Active Directory administration

27
Q

Python

A

-General-purpose scripting language
-> .py file extension

-Popular in many technologies
-> Broad appeal and support

28
Q

OpenSSL

A

-A toolkit + crypto library for SSL/TLS
->Build certificates, manage SSL/TLS communication

-Create X.509 certificates
->Manage certificate signing requests (CSRs) + certificate revocation lists (CRLs)

-Message digests
->Support for many hashing protocols

-Encryption + Decryption
->SSL/TLS for services

29
Q

Tcpreplay (Packet capture and replay)

A

-A suite of packet replay utilities
->Replay + edit packet captures
->Open source

-Test security devices
->Check IPS signatures + firewall rules

-Test + tune IP Flow/NetFlow devices
->Send hundreds of thousands of traffic flows per second

-Evaluate the performance of security devices

30
Q

Tcpdump (Packet capture and replay)

A

-Capture packets from the command line
->Display packets on the screen
->Write packets to a file

31
Q

Wireshark (Packet capture and replay)

A

-Graphical packet analyzer
->Get into the details

-Gathers frames on the network/in the air

-Sometimes built into the device
->View traffic patterns
->Identify unknown traffic
->Verify packet filtering + security controls

-Extensive decodes
->View the application traffic

32
Q

dd (Forensics)

A

-A reference to the DD command in
->IBM mainframe JCL (Job Control Language)
->Data Definition (ASCII to EBCDIC converter)

-Create a bit-by-bit copy of a drive
->Used by many forensics tools

-Create a disk image
-> dd if=/dev/sda of=/tmp/sda-image.img

-Restore from an image
-> dd if=/tmp/sda-image.img of=/dev/sda

33
Q

Memdump (Forensics)

A

-Copy information in system memory to the standard output stream
->Everything that happens is in memory
->Many third-party tools can read a memory dump

-Copy to another host across the network
->Use netcat, stunnel, openssl, etc.

34
Q

WinHex (Forensics)

A

-Universal hexadecimal editor for Windows

-Edit disks, files, RAM
->Includes data recovery features
-Disk cloning -> Drive replication

-Secure wipe
->Hard drive cleaning

-Much more
->A full-featured forensics tool

35
Q

FTK imager (Forensics)

A

-AccessData forensic drive imaging tool
->Includes file utilities + read-only image mounting
->Windows executable
-Widely supported in many forensics tools
->Third-party analysis
-Support for many different file systems + full disk encryption methods
-Investigator still needs the password
-Can also import other image forma

36
Q

Autopsy (Forensics)

A

-Perform digital forensics of hard drives, smartphones

-View + recover data from storage devices

-Extract many different data types
->Downloaded files
->Browser history and cache
->Email messages
->Databases
->Much more

37
Q

Exploitation frameworks

A

-Pre-built toolkit for exploitation
->Build custom attacks
->Add more tools as vulnerabilities are found
->Increasingly powerful utilities

Metasploit
->Attack known vulnerabilities

The Social-Engineer Toolkit (SET)
->Spear phishing, Infectious media generator

38
Q

Password crackers

A

-keys to the kingdom
->Find the passwords

Online cracking
-Try username/password combinations

Offline cracking
-Brute force a hash file

Limitations
->Password complexity / strength (entropy)
->Hashing method + CPU power
->Graphics processors are useful hardware tools

39
Q

Data sanitization

A

-Completely remove data

-No usable info left

-Different use cases:
->Clean a hard drive for future use
->Permanently delete a single file

-one-way trip
->Once it’s gone, it’s really gone
->No recovery with forensics tools

40
Q

Metasploit

A
-Metasploit
->Attack known vulnerabilities

Exploitation frameworks
-A pre-built toolkit for exploitations
->Build custom attacks
->Add more tools as vulnerabilities are found
->Increasingly powerful utilities