4.1 - Given a scenario, use the appropriate tool to assess organizational security. Flashcards
tracert/traceroute (Network reconnaissance and discovery)
-Determine route a packet takes to a destination
-Map the entire path
-record hops along the way
USE CASE = find where packet is getting hung up
tracert = windows
traceroute = mac/posix/linux
-Takes advantage of ICMP Time to Live Exceeded error msg
->Not all devices will reply with ICMP Time Exceeded msgs
->Some firewalls filter ICMP -> ICMP is low-priority for many devices
- time in TTL refers to hops, not seconds or minutes
-TTL=1 is the first router, TTL=2 is the second router,etc
nslookup/dig (Network reconnaissance and discovery)
both:
-Lookup information from DNS servers
-Canonical names, IP addresses, cache timers, etc.
-queries DNS serv to check if correct info is in the zone database
USE CASE: troubleshoots DNS database
nslookup = windows
-Lookup names and IP addresses
-Deprecated (use dig instead)
dig (domain information groper) = linux/mac
-More advanced domain information
-probably your first choice
ipconfig/ifconfig (Network reconnaissance and discovery)
-Most of your troubleshooting starts with your IP address
->Ping your local router/gateway
-Determine TCP/IP and network adapter info/config
->And additional IP details
-interfaces that exist on sys, IPv4, IPv6, MAC address, connection speeds, net masks, broadcast domains, other connection details
-both cmds can be used to enable/disable interfaces, refresh/drop DHCP addresses + ctrl net interfaces
ipconfig = Windows TCP/IP config
ifconfig = Linux interface config
nmap (Network reconnaissance and discovery)
-network mapper
->find + learn more about net devices
-locating net hosts
-detecting OS
-identifying services
-USE CASE: sec. auditing, routine admin tasks (monitoring host uptime/host inventory)
-port scan
->find devices + identify open ports
-OS scan
->discover the OS without logging into device
-service scan
->what service is available on device?
->name, version, details
-more scripts
->NSE (nmap scripting engine) = extends capabilities + vuln. scans
ping/pathping (Network reconnaissance and discovery)
ping
-Test reachability
-Determine round-trip time
-Uses ICMP (Internet Control Message Protocol)
pathping - windows
-Combine ping and traceroute
-traces route to destination
-provides info about latency + packet loss
-can be slower b/c each hop given 25 sec to gather stat data
->First phase runs a traceroute
->Build a map
-Second phase
->Measure round trip time and packet loss at each hop
hping (Network reconnaissance and discovery)
-TCP/IP packet assembler/analyzer
->A ping that can send almost anything
-Ping a device
->ICMP, TCP, UDP
-> hping3 --destport 80 10.1.10.1
-Send crafted frames
->Modify all IP, TCP, UDP, and ICMP values
-powerful tool
->easy to accidentally flood + DoS (Be careful!)
-can provide info such as:
->OS fingerprinting
->guess how long sys has been online based on packet details
-available for both Windows + Linux
netstat (-a, -b, -n) (Network reconnaissance and discovery)
-Network statistics
-Many different OSs
-> netstat -a = Show all active connections
-> netstat -b = Show binaries
-> netstat -n = Do not resolve names
netcat (Network reconnaissance and discovery)
-Read/write to the net
->Open a port and send or receive some traffic
-Listen on a port #
-Transfer data
-Scan ports + send data to a port
-Become a backdoor
->Run a shell from remote device
-can act as listener and a client
-> allowing shells/transfer files
nc [hostname] [port]
IP scanners (Network reconnaissance and discovery)
-Search net for IPs
-Locate active devices
-Avoid doing work on an IP address that isn’t there
-different techniques
->ARP (if on the local subnet)
->ICMP requests (ping)
->TCP ACK
->ICMP timestamp requests
-A response means more recon can be done
->Keep gathering info (Nmap, hping, etc.)
arp (Network reconnaissance and discovery)
-address resolution protocol
-determine a MAC address based on IP
-you need the hardware address to communicate
-add/remove hosts from ARP table
-provides info about:
->local address
->remote address for each connection
->state of TCP connections
- arp -a = View local ARP table
route (Network reconnaissance and discovery)
-view device’s routing table
->find out which way packets will go
-display + modify sys routing table
route print = Windows
netstat -r = Linux and macOS
curl (Network reconnaissance and discovery)
-LINUX
-client URL
->Retrieve data using a URL
->Uniform Resource Locator
->Web pages, FTP, emails, databases, etc.
-Grab the raw data
->Search
->Parse
->Automate
-frequently used to manually perform HTTP cmds such as:
->HTTP get
->or to fetch HTTP headers
-file transfer via FTP, FTPS, SFTP
curl --request GET https://example.com
theHarvester (Network reconnaissance and discovery)
-Gather OSINT
-Scrape info from Google/Bing
->Find associated IP addresses
-List of people from LinkedIn
->Names + titles
-Find PGP keys by email domain
->list of email contacts
-DNS brute force
->Find those unknown hosts; vpn, chat, mail, partner, etc.
-retrieve info
->email accts
->domains
->usernames
->details using LinkedIn/search engines
-can be run from cmd line + provided with domain/URL + search engine to use
-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing
sn1per (Network reconnaissance and discovery)
-Combine many recon tools into a single framework
->dnsenum, metasploit, nmap, theHarvester, and much more
-Both non-intrusive + very intrusive scanning options
->you choose the volume
-Another tool that can cause problems
->Brute force, server scanning, etc
->Make sure you know what you're doing
-automated scanning tool that combines multiple tools for pen testers
scanless (Network reconnaissance and discovery)
-run port scans from a different host
->port scan proxy
-different services
->choose the option for scan origination
->your IP is hidden as the scan source
scanless -s [chosen scanning site] -t target
dnsenum (Network reconnaissance and discovery)
-Enumerate DNS information
->Find host names
-View host info from DNS servers
->Many services + hosts are listed in DNS
-Find host names in Google
->More hosts can probably be found in the index
~# dnsenum example.com
Nessus (Network reconnaissance and discovery)
-vuln scanning
-Extensive support
-Free + commercial options
-Identify known vulnerabilities
-Find systems before they can be exploited
-Extensive reporting
->A checklist of issues
->Filter out false positives
Cuckoo (Network reconnaissance and discovery)
-A sandbox for malware
->Test a file in a safe environment
-A virtualized environment
->Windows, Linux, macOS, Android
-Track and trace
->API calls, network traffic, memory analysis
->Traffic captures
->Screenshots
head (File manipulation)
-View the first part of a file
->The head, or beginning, of the file
->head [OPTION] … [FILE] …
- Use -n to specify the number of lines
-> head -n 5 syslog
tail (File manipulation)
-View the last part of a file
->The tail, or end, of the file
-> tail [OPTION] … [FILE] …
-Use -n to specify the number of lines
-> tail -n 5 syslog
cat (File manipulation)
-Concatenate
->Link together in a series
-Copy a file/files to the screen
-> cat file1.txt file2.txt
-Copy a file/files to another file
->cat file1.txt file2.txt > both.txt
grep (File manipulation)
-Find text in a file
->Search through many files at a time
-grep PATTERN [FILE]
-> grep failed auth.log
chmod (File manipulation)
-Change mode of a file system object
-> r=read, w=write, x=execute
->Can also use octal notation
->Set for the file owner (u), the group(g), others(o), or all(a)
->chmod mode FILE
->chmod 744 script.sh
-chmod 744 first.txt
->User: read, write, execute
->Group; read only
->Other; read only
-chmod a-w first.txt
->All users, no writing to first.txt
-chmod u+x script.sh
->The owner of script.sh can execute the file
logger (File manipulation)
-Add entries to the system log
->syslog
-Adding to the local syslog file
->logger "This information is added to syslog"
-Useful for including information in a local or remote syslog file
->Include as part of an automation script
->Log an important event
SSH
-secure shell
-Encrypted console communication - tcp/22
-Looks and acts the same as Telnet
PowerShell
-windows powershell
-Command line for system administrators
-> .ps1 file extension
-> Included with Windows 8/8.1 + 10
-Extend command-line functions
->Uses cmdlets (command-lets)
->PowerShell scripts and functions
->Standalone executables
-Automate and integrate
->System administration
->Active Directory administration
Python
-General-purpose scripting language
-> .py file extension
-Popular in many technologies
-> Broad appeal and support
OpenSSL
-A toolkit + crypto library for SSL/TLS
->Build certificates, manage SSL/TLS comm
-Create X.509 certificates
->Manage certificate signing requests (CSRs) + cert revocation lists (CRLs)
-Message digests
->Support for many hashing protocols
-Encryption + Decryption
->SSL/TLS for services
Tcpreplay (Packet capture and replay)
-A suite of packet replay utilities
->Replay + edit packet captures
->Open source
-Test security devices
->Check IPS signatures + firewall rules
-Test + tune IP Flow/NetFlow devices
->Send hundreds of thousands of traffic flows per second
-Evaluate the performance of sec device
Tcpdump (Packet capture and replay)
-Capture packets from the cmd line
->Display packets on the screen
->Write packets to a file
Wireshark (Packet capture and replay)
-Graphical packet analyzer
->Get into details
-Gathers frames on the net/in the air
-Sometimes built into device
->View traffic patterns
->Identify unknown traffic
->Verify packet filtering + sec ctrls
-Extensive decodes
->View the app traffic
dd (Forensics)
-A reference to the DD command in
->IBM mainframe JCL (Job Control Language)
->Data Definition (ASCII to EBCDIC converter)
-Create a bit-by-bit copy of a drive
->Used by many forensics tools
-Create a disk image
-> dd if=/dev/sda of=/tmp/sda-image.img
-Restore from an image
-> dd if=/tmp/sda-image.img of=/dev/sda
Memdump (Forensics)
-Copy info in system mem to the standard output stream
->Everything that happens is in mem
->Many third-party tools can read a mem dump
-Copy to another host across the net
->Use netcat, stunnel, openssl, etc.
WinHex (Forensics)
-universal hexadecimal editor for Windows
-Edit disks, files, RAM
->Includes data recovery features
-Disk cloning -> Drive replication
-Secure wipe
->Hard drive cleaning
-Much more
->A full-featured forensics tool
FTK imager (Forensics)
-AccessData forensic drive imaging tool
->Includes file utilities + read-only image mounting
->Windows executable
-Widely supported in many forensics tools
->Third-party analysis
-Support for many different file systems + full disk encryption methods
-Investigator still needs the password
-Can also import other image formats
Autopsy (Forensics)
-Perform digital forensics of hard drives, smartphones
-View + recover data from storage devices
-Extract many different data types
->Downloaded files
->Browser history and cache
->Email messages
->Databases
->Much more
Exploitation frameworks
-pre-built toolkit for exploitations
->Build custom attacks
->Add more tools as vulnerabilities are found
->Increasingly powerful utilities
Metasploit
->Attack known vulnerabilities
The Social-Engineer Toolkit (SET)
->Spear phishing, Infectious media generator
Password crackers
-keys to the kingdom
->Find the passwords
Online cracking
-Try username/password combinations
Offline cracking
-Brute force a hash file
Limitations
->Password complexity / strength (entropy)
->Hashing method + CPU power
->Graphics processors are useful hardware tools
Data sanitization
-Completely remove data
-No usable info left
-different use cases:
->Clean a hard drive for future use
->Permanently delete a single file
-one-way trip
->Once it’s gone, it’s really gone
->No recovery with forensics tools