4.1 Given a scenario, use the appropriate tool to assess organizational security. Flashcards

1
Q

traceroute

A

Determines the route a packet takes to a destination
- maps the entire path
tracert (Windows) or traceroute (Unix, Linux, macOS)
It uses the ICMP Time to Live exceeded error message: when the TTL reaches 0, a TTL exceeded error is sent back to the sender, giving the IP address of the hop where it expired, until the final hop reaches the destination.
Not all devices will reply with ICMP time exceeded messages.
Windows sends an ICMP echo request
IOS - sends UDP datagrams over port 33434

2
Q

Give two common ways to query or look up information from a DNS server.

A

nslookup and dig

3
Q

nslookup

A

Used to query a DNS server to find names and IP addresses.
Could be deprecated.

4
Q

Dig command

A

Domain information groper
A more advanced DNS query tool than nslookup.
First choice to use; it can be installed on Windows.

5
Q

ipconfig/ifconfig

A

Gather IP address details
ipconfig = Windows
ifconfig = Linux

6
Q

ping

A

test reachability
determines round trip time
uses ICMP

7
Q

Netstat

A

network statistics
netstat -a: shows all active connections on that device
netstat -b: shows the binaries (Windows)
netstat -n: shows just the IP addresses, does not resolve the names

8
Q

ARP

A

Address Resolution Protocol
Has an ARP table that shows us the MAC address for each IP

command:
arp -a
route print: shows the routing tables

9
Q

pathping

A

combines ping and traceroute
1st phase - runs a traceroute to build a map
2nd phase - measures round trip time and packet loss at each hop.
It takes a few minutes to run.

10
Q

curl

A

client URL (uniform resource locator)
retrieves data using a URL
can grab info from web pages, FTP, email, databases
Grabs the raw data; search, parse and automate

11
Q

What do IP scanners do?

A

Search a network's IP address range
Locate active devices
Avoid doing work on IP addresses that aren't there

Techniques:
ARP (if on the local subnet)
ICMP request (ping)
TCP ACK
ICMP timestamp request

12
Q

hping

A

TCP/IP packet assembler/analyzer
It is a ping that can send almost anything.
You can send crafted frames. You can modify all IP, TCP, UDP and ICMP values.
Easy to DoS accidentally.

13
Q

nmap

A

network mapper:
finds and learns more about network devices.

Port scan:
Finds devices and identifies open ports

OS scan:
Discovers the OS without logging into the device

Service scan:
Which service is available on a device: name, version details.

Additional scripts:
The Nmap Scripting Engine can extend capabilities and run vulnerability scans.

14
Q

theHarvester

A

Gathers OSINT
Open source intelligence
theHarvester can scrape info from Google or Bing,
like a list of people from LinkedIn,
DNS brute force, finding unknown hosts like VPN, chat or email servers.

15
Q

sn1per

A

Combines many recon tools into a single framework
- dnsenum, metasploit, nmap, theHarvester and much more.

Options can be intrusive or non-intrusive

This tool could lead to DDoS, so be careful. This tool is available on Kali Linux.

16
Q

scanless

A

It runs a port scan from a different host. It is a proxy, so that you are not the source of the scan.

17
Q

dnsenum

A

Enumerates DNS information - finds host names
View host info from DNS servers - many services and hosts are listed in DNS

18
Q

Nessus

A

Industry-leading vulnerability scanning.
Extensive support
Free and commercial options

Identify known vulnerabilities
- Find vulnerable systems before they can be exploited

Extensive reporting
- checklist of issues
- filter out false positives.

19
Q

Cuckoo

A

A sandbox for malware
- Test a file in a safe environment

Virtualized environment on Windows, macOS, Linux and Android

- Track and trace things like API calls, network traffic, memory analysis, traffic captures and screenshots.

20
Q

Cat

A

Concatenate
Link together in a series.
To copy files to the screen:
cat file1.txt file2.txt

Copy files into another file:
cat file1.txt file2.txt > both.txt

21
Q

head

A

View the first part of a file
head [option] [file]

example
head -n 5 filename

This will view just the first 5 lines at the beginning of the file

22
Q

Tail

A

View the last part of a file. Similar command pattern to head

tail -n 5 filename views the last 5 lines of the file.

23
Q

grep

A

Find text in a file
Search through many files at a time.

24
Q

How do you change permissions on a file in Linux?

A

chmod
r = read, w = write, x = execute
owner, group, everyone

read = 4
write = 2
execute = 1

25
Q

How do you change the owner of a file in Linux?

A

chown

26
Q

logger

A

The logger command adds additional entries to the system log (syslog).

example:
logger "this will be added to syslog"

Useful for logging from an automation script; you can add entries to syslog.
Log important events.

27
Q

SSH

A

Secure Shell
Encrypted communication channel.
Uses port 22
Looks like telnet, but secure.

28
Q

Windows PowerShell

A

Command line for system administrators
.ps1 file extension
Included in Windows 8, 8.1 and 10
Uses cmdlets (command-lets)
PowerShell scripts and functions
Standalone executables
Able to automate and integrate.

29
Q

Python

A

General-purpose scripting language
.py file extension

30
Q

OpenSSL

A

A toolkit and crypto library for SSL/TLS
Build certificates, manage SSL/TLS communications

Creates X.509 certificates
Manages certificate signing requests (CSR)
and certificate revocation lists (CRL)

Message digest: supports many hashing algorithms.

Encryption and decryption.

31
Q

Wireshark

A

Graphical packet analyzer
Gathers frames on the network or in the air.
View traffic patterns

32
Q

tcpdump

A

Captures packets from the command line
Displays packets on the screen
Writes packets to a file

33
Q

TCPreplay

A

A suite of packet replay utilities
- replay and edit packet captures
- open source
Test security devices
- Checks IPS signatures and firewall rules.

Test and tune IP flow/NetFlow devices

Can perform stress testing with this.

34
Q

memdump

A

Copies the contents of system memory to the standard output stream

Everything that happens is in memory.

35
Q

FTK Imager

A

AccessData forensic drive imaging tool
includes file utilities and read-only image mounting
Windows executable

Able to read encrypted drives (you still need the password to read them)

36
Q

Autopsy

A

Performs digital forensics on hard drives and smartphones
View and recover data from storage devices.
Extracts many different data types:
- downloaded files
- browser history and cache
- email messages
- databases
- much more

37
Q

ping -t

A

The -t switch pings the specified server name or IP (Internet Protocol) address until stopped. Typing Ctrl+C on the keyboard will stop the pings.

38
Q

ping -n

A

The -n switch sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.

39
Q

ping -S

A

The -S switch, which is a capital S, is used to specify a source address that is different from the address of the server the admin is initiating the ping command from.

40
Q

ping -r

A

The -r switch records the route for count hops. This is for IPv4 addresses.

41
Q

Active KillDisk

A

Active KillDisk is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.

42
Q

DoD 5220.22-M

A

The DoD 5220.22-M wipe method involves a three-phased pass of writing 1s, 0s, and random characters onto a hard drive. This method will prevent the use of many software-based file recovery methods. The systems admin must use this method before sending equipment to public schools.

43
Q

tshark

A

Terminal version of Wireshark

44
Q

Volatility framework

A

The Volatility Framework is widely used for system memory analysis and can install the pmem kernel driver, allowing tools such as memdump or dd to access the /dev/mem device memory file on Linux.

45
Q

Zed attack proxy

A

The Zed Attack Proxy, developed by the Open Web Application Security Project (OWASP), provides scanning tools and scripts for web application and mobile app security testing.

46
Q

dd

A

The common Linux tool dd is a file conversion and copying tool that can copy entire disks, including hard disk images and memory dump files such as the /dev/mem device file. This makes it useful for easily and simply obtaining captures of a system’s memory.

47
Q

What is stored here: %SystemRoot%\NTDS\NTDS.DIT

A

Stores domain user passwords and credentials.

48
Q

Meterpreter

A

Meterpreter is an exploit module that uses in-memory DLL injection stagers. Stagers create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.