4.1 - Given a scenario, use the appropriate tool to assess organizational security. Flashcards
tracert/traceroute (Network reconnaissance and discovery)
-Determine route a packet takes to a destination
-Map the entire path
-record hops along the way
USE CASE = find where packet is getting hung up
tracert = windows
traceroute = mac/posix/linux
-Takes advantage of the ICMP Time to Live Exceeded error msg
->Not all devices will reply with ICMP Time Exceeded msgs
->Some firewalls filter ICMP -> ICMP is low-priority for many devices
-time in TTL refers to hops, not seconds or minutes
-TTL=1 is the first router, TTL=2 is the second router, etc.
nslookup/dig (Network reconnaissance and discovery)
both:
-Lookup information from DNS servers
-Canonical names, IP addresses, cache timers, etc.
-queries a DNS server to check if the correct info is in the zone database
USE CASE: troubleshoot the DNS database
nslookup = windows
-Lookup names and IP addresses
-Deprecated (use dig instead)
dig (domain information groper) = linux/mac
-More advanced domain information
->probably your first choice
ipconfig/ifconfig (Network reconnaissance and discovery)
-Most of your troubleshooting starts with your IP address
->Ping your local router/gateway
-Determine TCP/IP and network adapter info/config
->And additional IP details
-interfaces that exist on the system, IPv4, IPv6, MAC address, connection speeds, net masks, broadcast domains, other connection details
-both cmds can be used to enable/disable interfaces, refresh/drop DHCP addresses + control net interfaces
ipconfig = Windows TCP/IP config
ifconfig = Linux interface config
nmap (Network reconnaissance and discovery)
-network mapper
->find + learn more about net devices
-locating net hosts
-detecting OS
-identifying services
-USE CASE: sec. auditing, routine admin tasks (monitoring host uptime/host inventory)
-port scan
->find devices + identify open ports
-OS scan
->discover the OS without logging into the device
-service scan
->what service is available on device?
->name, version, details
-more scripts
->NSE (nmap scripting engine) = extends capabilities + vuln. scans
ping/pathping (Network reconnaissance and discovery)
ping
-Test reachability
-Determine round-trip time
-Uses ICMP (Internet Control Message Protocol)
pathping - windows
-Combine ping and traceroute
-traces route to destination
-provides info about latency + packet loss
-can be slower b/c each hop is given 25 sec to gather stat data
->First phase runs a traceroute
->Build a map
-Second phase
->Measure round trip time and packet loss at each hop
hping (Network reconnaissance and discovery)
-TCP/IP packet assembler/analyzer
->A ping that can send almost anything
-Ping a device
->ICMP, TCP, UDP
-> hping3 --destport 80 10.1.10.1
-Send crafted frames
->Modify all IP, TCP, UDP, and ICMP values
-powerful tool
->easy to accidentally flood + DoS (Be careful!)
-can provide info such as:
->OS fingerprinting
->guess how long the system has been online based on packet details
-available for both Windows + Linux
netstat (-a, -b, -n) (Network reconnaissance and discovery)
-Network statistics
-Many different OSs
-> netstat -a = Show all active connections
-> netstat -b = Show binaries
-> netstat -n = Do not resolve names
netcat (Network reconnaissance and discovery)
-Read/write to the net
->Open a port and send or receive some traffic
-Listen on a port #
-Transfer data
-Scan ports + send data to a port
-Become a backdoor
->Run a shell from remote device
-can act as listener and a client
-> allowing shells/transfer files
nc [hostname] [port]
IP scanners (Network reconnaissance and discovery)
-Search the net for IPs
-Locate active devices
-Avoid doing work on an IP address that isn’t there
-different techniques
->ARP (if on the local subnet)
->ICMP requests (ping)
->TCP ACK
->ICMP timestamp requests
-A response means more recon can be done
->Keep gathering info (Nmap, hping, etc.)
arp (Network reconnaissance and discovery)
-address resolution protocol
-determine a MAC address based on IP
-you need the hardware address to communicate
-add/remove hosts from the ARP table
-provides info about:
->local address
->remote address for each connection
->state of TCP connections
- arp -a = View local ARP table
route (Network reconnaissance and discovery)
-view device’s routing table
->find out which way packets will go
-display + modify sys routing table
route print = Windows
netstat -r = Linux and macOS
curl (Network reconnaissance and discovery)
-LINUX
-client URL
->Retrieve data using a URL
->Uniform Resource Locator
->Web pages, FTP, emails, databases, etc.
-Grab the raw data
->Search
->Parse
->Automate
-frequently used to manually perform HTTP cmds such as:
->HTTP get
->or to fetch HTTP headers
-file transfer via FTP, FTPS, SFTP
curl --request GET https://example.com
theHarvester (Network reconnaissance and discovery)
-Gather OSINT
-Scrape info from Google/Bing
->Find associated IP addresses
-List of people from LinkedIn
->Names + titles
-Find PGP keys by email domain
->list of email contacts
-DNS brute force
->Find those unknown hosts; vpn, chat, mail, partner, etc.
-retrieve info
->email accts
->domains
->usernames
->details using LinkedIn/search engines
-can be run from the cmd line + provided with a domain/URL + the search engine to use
-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing
sn1per (Network reconnaissance and discovery)
-Combine many recon tools into a single framework
->dnsenum, metasploit, nmap, theHarvester, and much more
-Both non-intrusive + very intrusive scanning options
->you choose the volume
-Another tool that can cause problems
->Brute force, server scanning, etc.
->Make sure you know what you're doing
-automated scanning tool that combines multiple tools for pen testers
-theHarvester focuses on OSINT while Sn1per is intended to perform automated pen testing
scanless (Network reconnaissance and discovery)
-run port scans from a different host
->port scan proxy
-different services
->choose the option for scan origination
->your IP is hidden as the scan source
scanless -s [chosen scanning site] -t target
dnsenum (Network reconnaissance and discovery)
-Enumerate DNS information
->Find host names
-View host info from DNS servers
->Many services + hosts are listed in DNS
-Find host names in Google
->More hosts can probably be found in the index
dnsenum example.com