4.1 Given a scenario, use the appropriate tool to assess organizational security. Flashcards
traceroute
determines a route a packet takes to a destination
- maps the entire path
tracert (Windows) or traceroute (Unix, Linux, macOS)
It uses the ICMP Time to Live (TTL) exceeded error message. When the TTL reaches 0, a TTL exceeded error is sent back to the sender, giving the IP address of the hop where the packet expired; this repeats, one hop further each time, until the final hop reaches the destination.
Not all devices will reply with ICMP time exceeded messages.
Windows sends an ICMP echo request.
IOS sends UDP datagrams to port 33434.
Give two common ways to query or lookup information from DNS server.
nslookup and dig
nslookup
Used to query a DNS server to find names and IP addresses.
May be deprecated.
dig
Domain information groper
More advanced DNS query tool than nslookup.
First choice to use; it can be installed on Windows.
ipconfig/ifconfig
Gather IP address details
ipconfig = Windows
ifconfig = Linux
ping
Tests reachability
Determines round trip time
Uses ICMP
Netstat
Network statistics
netstat -a: shows all active connections on that device
netstat -b: shows the binaries that opened each connection (Windows)
netstat -n: shows just the IP addresses, does not resolve names
ARP
Address Resolution Protocol
Has an ARP table that shows the MAC address for each IP address.
command:
arp -a
route print: shows routing tables
pathping
Combines ping and traceroute.
1st phase: runs a traceroute to build a map of the path.
2nd phase: measures round trip time and packet loss at each hop.
It takes a few minutes to run.
curl
Client URL (uniform resource locator)
Retrieves data using a URL.
Can grab info from web pages, FTP, email and databases.
Grabs the raw data so you can search, parse and automate.
What do IP scanners do?
Search a network for IP addresses.
Locate active devices.
Avoid doing work on IP addresses that aren't there.
Techniques:
ARP( if on local subnet)
ICMP request (ping)
TCP ACK
ICMP timestamp request
hping
TCP/IP packet assembler/analyzer
It is a ping that can send almost anything.
You can send crafted frames and modify all IP, TCP, UDP and ICMP values.
Easy to DoS accidentally.
nmap
Network mapper:
Finds and learns more about network devices.
Port scan:
Finds devices and identifies open ports.
OS scan:
Discovers the OS without logging into the device.
Service scan:
Which services are available on a device, with name and version details.
Additional scripts:
The Nmap Scripting Engine can extend capabilities and run vulnerability scans.
theHarvester
Gathers OSINT
Open source intelligence
theHarvester can scrape info from Google or Bing,
like a list of people from LinkedIn,
or DNS brute force to find unknown hosts like VPN, chat or email servers.
sn1per
Combines many recon tools into a single framework
- dnsenum, metasploit, nmap, theHarvester and much more.
Options can be intrusive or non-intrusive.
This tool could lead to DDoS, so be careful. It is available on Kali Linux.
scanless
It runs a port scan from a different host. It acts as a proxy so that you are not the source of the scan.
dnsenum
Enumerates DNS information - finds host names.
View host info from DNS servers - many services and hosts are listed in DNS.
Nessus
Industry-leading vulnerability scanner.
Extensive support
Free and commercial options
Identifies known vulnerabilities
- Find systems before they can be exploited
Extensive reporting
- checklist of issues
- filter out false positives.
Cuckoo
A sandbox for malware
- Test a file in a safe environment
Virtualized environments for Windows, macOS, Linux and Android
- Track and trace things like API calls, network traffic, memory analysis, traffic captures and screenshots.
cat
Concatenate
Link together in a series.
To copy files to the screen:
cat file1.txt file2.txt
To copy files into another file:
cat file1.txt file2.txt > both.txt
head
View the first part of a file.
head [option] [file]
example:
head -n 5 filename
This shows just the first 5 lines of the file.
tail
View the last part of a file. Similar command pattern to head.
tail -n 5 filename views the last 5 lines of the file.
grep
Finds text in a file.
Can search through many files at a time.
How do you change permissions on a file in Linux?
chmod
r = read, w = write, x = execute
owner, group, everyone
Read = 4
Write = 2
Execute = 1
How do you change the owner of a file in Linux?
chown
logger
The logger command adds entries to the system log (syslog).
example:
logger "this will be added to syslog"
Useful for logging from an automation script; you can add its messages to syslog.
Log important events.
SSH
Secure Shell
Encrypted communication channel.
Uses port 22.
Looks like telnet, but secure.
Windows PowerShell
Command line for system administrators.
.ps1 file extension.
Included in Windows 8, 8.1 and 10.
Uses cmdlets (command-lets).
PowerShell scripts and functions.
Standalone executables.
Able to automate and integrate.
Python
General purpose scripting language
.py file extension
OpenSSL
A toolkit and crypto library for SSL/TLS.
Build certificates, manage SSL/TLS communications.
Creates X.509 certificates.
Manages certificate signing requests (CSR)
and certificate revocation lists (CRL).
Message digests: supports many hashing algorithms.
Encryption and decryption.
Wireshark
Graphical packet analyzer
Gathers frames on the network or in the air.
View traffic patterns.
tcpdump
Captures packets from the command line.
Displays packets on the screen.
Writes packets to a file.
TCPreplay
A suite of packet replay utilities
- replay and edit packet captures
- open source
Test security devices
- checks IPS signatures and firewall rules.
Test and tune IP flow/NetFlow devices.
Can be used for stress testing.
memdump
Copies the contents of system memory to the standard output stream.
Everything that happens is in memory.
FTK Imager
AccessData forensic drive imaging tool.
Includes file utilities and read-only image mounting.
Windows executable.
Able to read encrypted drives (you still need the password to read them).
Autopsy
Performs digital forensics on hard drives and smartphones.
View and recover data from storage devices.
Extracts many different data types:
- downloaded files
- browser history and cache
- email messages
- databases
- much more
ping -t
The -t switch pings the specified server name or IP (Internet Protocol) address until stopped. Pressing Ctrl+C on the keyboard will stop the pings.
ping -n
The -n switch sets the number of echo requests to send. The default send count is four. The number is specified after the -n switch.
ping -S
The -S switch, which is a capital S, specifies a source address to use that is different from the address of the machine the admin is running the ping command from.
ping -r
The -r switch records the route for the given number (count) of hops. This is for IPv4 addresses.
Active KillDisk
Active KillDisk is a disk wiping (sanitization) software tool that purges data on a disk by overwriting it with 1s and 0s. Overwriting may also be performed in multiple passes. The disk can be reused after running this software.
DoD 5220.22-M
The DoD 5220.22-M wipe method involves a three-pass process of writing 1s, 0s and random characters onto a hard drive. This method prevents the use of many software-based file recovery methods. The systems admin must use this method before sending equipment to public schools.
tshark
Terminal version of Wireshark.
Volatility framework
The Volatility Framework is widely used for system memory analysis and can install the pmem kernel driver, allowing tools such as memdump or dd to access the /dev/mem device memory file on Linux.
Zed Attack Proxy
The Zed Attack Proxy (ZAP), developed by the Open Web Application Security Project (OWASP), provides scanning tools and scripts for web application and mobile app security testing.
dd
The common Linux tool dd is a file conversion and copying tool that can copy entire disks, including hard disk images and memory dumps taken from device files such as /dev/mem. This makes it useful for easily and simply obtaining captures of a system's memory.
What is stored here: %SystemRoot%\NTDS\NTDS.DIT
Stores domain user passwords and credentials (the Active Directory database).
Meterpreter
Meterpreter is an exploit module that uses in-memory DLL injection stagers. Stagers create a network connection between the attacker and the target. Since the stagers reside in memory and are never written to disk, any trace can be removed by restarting the server.