4.1 - Given a scenario, use the appropriate tool to assess organizational security. Flashcards by Isabelle S

tracert/traceroute (Network reconnaissance and discovery)

-Determine route a packet takes to a destination
-Map the entire path
-record hops along the way
USE CASE = find where packet is getting hung up

tracert = windows
traceroute = mac/posix/linux

-Takes advantage of ICMP Time to Live Exceeded error msg
->Not all devices will reply with
ICMP Time Exceeded msgs
–>Some firewalls filter ICMP -> ICMP is low-priority for many devices
- time in TTL refers to hops, not seconds or minutes
-TTL=1 is the first router, TTL=2 is the second router,etc

How well did you know this?

Not at all

Perfectly

nslookup/dig (Network reconnaissance and discovery)

both;
-Lookup information from DNS servers
-Canonical names, IP addresses, cache timers, etc.
-queries DNS serv to check if correct info is in the zone database
USE CASE: troubleshoots DNS database

nslookup = windows
-Lookup names and IP addresses
-Deprecated (use dig instead)

dig (domain information groper) = linux/mac
-More advanced domain information
-probs ur 1st choice

How well did you know this?

Not at all

Perfectly

ipconfig/ifconfig (Network reconnaissance and discovery)

-Most of your troubleshooting starts with your IP address
->Ping your local router/gateway
-Determine TCP/IP and network adapter info/config
->And additional IP details
-interfaces that exist on sys, IPv4, IPv6, MAC address, connection speeds, net masks, broadcast domains, other connection details
-both cmds can be used to enable/disable interfaces, refresh/drop DHCP addresses + ctrl net interfaces

ipconfig = Windows TCP/IP config

ifconfig = Linux interface config

How well did you know this?

Not at all

Perfectly

nmap (Network reconnaissance and discovery)

-network mapper
->find + learn more about net devices
-locating net hosts
-detecting OS
-identifying services
-USE CASE: sec. auditing, routine admin tasks (monitoring host uptime/host inventory

-port scan
->find devices + identify open ports

-OS scan
-discover the OS wthout logging into device

-service scan
->what service is available on device?
->name, version, details

-more scripts
->NSE (nmap scripting engine) = extends capabilities + vuln. scans

How well did you know this?

Not at all

Perfectly

ping/pathping (Network reconnaissance and discovery)

ping
-Test reachability
-Determine round-trip time
-Uses ICMP (Internet Control Message Protocol)

pathping - windows
-Combine ping and traceroute
-traces route to destination
-provides info about latency + packet loss
-can be slower b/c each hop given 25 sec to gather stat data

->First phase runs a traceroute
– Build a map
-Second phase
->Measure round trip time and packet loss at each hop

How well did you know this?

Not at all

Perfectly

hping (Network reconnaissance and discovery)

-TCP/IP packet assembler/analyzer
->A ping that can send almost anything

-Ping a device
->ICMP, TCP, UDP
-> #hping3 –destport 80 10.1.10.1

-Send crafted frames
->Modify all IP, TCP, UDP, and ICMP values

-powerful tool
->easy to accidentally flood + DoS (Be careful!)

-can provide info such as;
->OS fingerprinting
->guess how long sys has been online based on packet details
-available 4 both Windows + Linux

How well did you know this?

Not at all

Perfectly

netstat (-a, -b, -n) (Network reconnaissance and discovery)

-Network statistics
-Many different OSs
-> netstat -a = Show all active connections
-> netstat -b = Show binaries
-> netstat -n = Do not resolve names

How well did you know this?

Not at all

Perfectly

netcat (Network reconnaissance and discovery)

-Read/write to the net
->Open a port and send or receive some traffic

-Listen on a port #

-Transfer data

-Scan ports + send data to a port

-Become a backdoor
->Run a shell from remote device

-can act as listener and a client
-> allowing shells/transfer files

nc [hostname] [port]

How well did you know this?

Not at all

Perfectly

IP scanners (Network reconnaissance and discovery)

-Search net 4 IPs
-Locate active devices
-Avoid doing work on an IP address that isn’t there
-dif techniques
->ARP (if on the local subnet)
->ICMP requests (ping)
->TCP ACK
->ICMP timestamp requests
-A response means more recon can be done
->Keep gathering info (Nmap, hping, etc.)

How well did you know this?

Not at all

Perfectly

arp (Network reconnaissance and discovery)

-address resolution protocol
-determine a MAC address based on IP
-u need the hardware address to comm.
-add/remove hosts from ARP table
-provides info about;
->local address
->remote address 4 each connection
->state of TCP connections

arp -a = View local ARP table

How well did you know this?

Not at all

Perfectly

route (Network reconnaissance and discovery)

-view device’s routing table
->find out which way packets will go
-display + modify sys routing table

route print = Windows

netstat -r = Linux and macOS:

How well did you know this?

Not at all

Perfectly

curl (Network reconnaissance and discovery)

-LINUX
-client URL
->Retrieve data using a URL
->Uniform Resource Locator
->Web pages, FTP, emails, databases, etc.
-Grab the raw data
->Search
->Parse
->Automate

-freq used to manually perform HTTP cmds such as;
->HTTP get
->or to fetch HTTP headers
-file transfer via FTP, FTPS, SFTP

curl –request GET https://example.com

How well did you know this?

Not at all

Perfectly

theHarvester (Network reconnaissance and discovery)

-Gather OSINT
-Scrape info from Google/Bing
->Find associated IP addresses
-List of people from LinkedIn
->Names + titles
-Find PGP keys by email domain
->list of email contacts
-DNS brute force
->Find those unknown hosts; vpn, chat, mail, partner, etc.

-retrieve info
->email accts
->domains
->usernames
->details using LinkedIn/search engines
-can be run from cmd line + provided wth domain/URL + search engine to use

-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing

How well did you know this?

Not at all

Perfectly

sn1per (Network reconnaissance and discovery)

-Combine many recon tools into a single framework
->dnsenum, metasploit, nmap, theHarvester, and much more
-Both non-intrusive + v intrusive scanning options
->u choose the volume
-Another tool that can cause problems
->Brute force, server scanning, etc
->Make sure you know what ur doing
-automated scanning tool that combines multiple tools 4 pen testers
-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing

How well did you know this?

Not at all

Perfectly

scanless (Network reconnaissance and discovery)

-run port scans from dif host
->port scan proxy
-dif services
->choose the option 4 scan origination
->ur IP is hidden as the scan source

scanless -s [chosen scanning site] -t target

How well did you know this?

Not at all

Perfectly

dnsenum (Network reconnaissance and discovery)

-Enumerate DNS information
->Find host names
-View host info from DNS servers
->Many services + hosts r listed in DNS
-Find host names in Google
->More hosts can probs be found in the index

~# dnsenum example.com

How well did you know this?

Not at all

Perfectly

Nessus (Network reconnaissance and discovery)

-vuln scanning
-Extensive support
-Free + commercial options
-Identify known vulnerabilities
-Find systems b4 they can be exploited
-Extensive reporting
->A checklist of issues
->Filter out false positives

Cuckoo (Network reconnaissance and discovery)

-A sandbox for malware
->Test a file in a safe environment

-A virtualized environment
->Windows, Linux, macOS, Android
-Track and trace
->API calls, network traffic, memory analysis
->Traffic captures
->Screenshots

head (File manipulation)

-View the first part of a file
->The head, or beginning, of the file
->head [OPTION] … [FILE] …

Use -n to specify the number of lines
-> head -n 5 syslog

tail (File manipulation)

-View the last part of a file
->The tail, or end, or the file
-> tail [OPTION] … [FILE] …

-Use -n to specify the number of lines
-> tail -n 5 syslog

cat (File manipulation)

-Concatenate
->Link together in a series

-Copy a file/files to the screen
-> cat file1.txt file2.txt

-Copy a file/files to another file
->cat file1.txt file2.txt > both.txt

grep (File manipulation)

-Find text in a file
->Search through many files at a time

-grep PATTERN [FILE]
-> grep failed auth.log

chmod (File manipulation)

-Change mode of a file system object
-> r=read, w=write, x=execute
->Can also use octal notation
->Set for the file owner (u), the group(g), others(o), or all(a)
->chmod mode FILE
->chmod 744 script.sh

-chmod 744 first.txt
->User; read, write execute
->Group; read only
->Other; read only

-chmod a-w first.txt
->All users, no writing to first.txt

-chmod u+x script.sh
->The owner of script.sh can execute the file

logger (File manipulation)

-Add entries to the system log
->syslog

-Adding to the local syslog file
->logger “This information is added to syslog”

-Useful for including information in a local or remote syslog file
->Include as part of an automation script
->Log an important event

SSH

-secure shell -Encrypted console communication - tcp/22 -Looks and acts the same as Telnet

PowerShell

-windows powershell -Command line 4 system administrators -> .ps1 file extension -> Included with Windows 8/8.1 + 10 -Extend command-line functions ->Uses cmdlets (command-lets) ->PowerShell scripts and functions ->Standalone executables -Automate and integrate ->System administration ->Active Domain administration

Python

-General-purpose scripting language -> .py file extension -Popular in many technologies -> Broad appeal and support

OpenSSL

-A toolkit + crypto library 4 SSL/TLS ->Build certificates, manage SSL/TLS comm -Create X.509 certificates ->Manage certificate signing requests (CSRs) + cert revocation lists (CRLs) -Message digests ->Support 4 many hashing protocols -Encryption + Decryption ->SSL/TLS 4 services

Tcpreplay (Packet capture and replay)

-A suite of packet replay utilities ->Replay + edit packet captures ->Open source -Test security devices ->Check IPS signatures + firewall rules -Test + tune IP Flow/NetFlow devices ->Send hundreds of thousands of traffic flows per second -Evaluate the performance of sec device

Tcpdump (Packet capture and replay)

-Capture packets from the cmd line ->Display packets on the screen ->Write packets to a file

Wireshark (Packet capture and replay)

-Graphical packet analyzer ->Get into details -Gathers frames on the net/in the air -Sometimes built into device ->View traffic patterns ->Identify unknown traffic ->Verify packet filtering + sec ctrls -Extensive decodes ->View the app traffic

dd (Forensics)

A reference to the DD command in ->IBM mainframe JCL (Job Control Language) ->Data Definition (ASCII to EBCDIC converter) -Create a bit-by-bit copy of a drive ->Used by many forensics tools -Create a disk image -> dd if=/dev/sda of=/tmp/sda-image.img -Restore from an image -> dd if=/tmp/sda-image.img of=/dev/sda

Memdump (Forensics)

-Copy info in system mem to the standard output stream ->Everything that happens is in mem ->Many third-party tools can read a mem dump -Copy to another host across the net ->Use netcat, stunnel, openssl, etc.

WinHex (Forensics)

-universal hexadecimal editor 4 Windows -Edit disks, files, RAM ->Includes data recovery features -Disk cloning -> Drive replication -Secure wipe ->Hard drive cleaning -Much more ->A full-featured forensics tool

FTK imager (Forensics)

-AccessData forensic drive imaging tool ->Includes file utilities + read-only image mounting ->Windows executable -Widely supported in many forensics tools ->Third-party analysis -Support for many different file systems + full disk encryption methods -Investigator still needs the password -Can also import other image forma

Autopsy (Forensics)

-Perform digital forensics of hard drives, smartphones -View + recover data from storage devices -Extract many different data types ->Downloaded files ->Browser history and cache ->Email messages ->Databases ->Much more

Exploitation frameworks

-pre-built toolkit 4 exploitations ->Build custom attacks ->Add more tools as vulns r found ->Increasingly powerful utilities Metasploit ->Attack known vulnerabilities The Social-Engineer Toolkit (SET) ->Spear phishing, Infectious media generator

Password crackers

-keys to the kingdom ->Find the passwords Online cracking -Try username/password combinations Offline cracking -Brute force a hash file Limitations ->Password complexity / strength (entropy) ->Hashing method + CPU power ->Graphics processors are useful hardware tools

Data sanitization

-Completely remove data -No usable info left -dif use cases; ->Clean a hard drive 4 future use ->Permanently delete a single file -one-way trip ->Once it’s gone, it’s really gone ->No recovery with forensics tools

Metasploit

* Metasploit – Attack known vulnerabilities Exploitation frameworks * A pre-built toolkit for exploitations – Build custom attacks – Add more tools as vulnerabilities are found – Increasingly powerful utilities