4.1 Operations and Incident Response (IR) Flashcards

1
Q

a Reconnaissance Tool-
provides a map of how data on the internet travels from its source to its destination. [this] differs from a simple reachability test in that it examines how the data moves through the internet, hop by hop.
• Determine the route a packet takes to a destination
– Map the entire path
• tracert (Windows) or traceroute (POSIX)
• Takes advantage of the ICMP Time to Live Exceeded error message
– The time in TTL refers to hops, not seconds or minutes
– TTL=1 is the first router, TTL=2 is the second router, etc.
• Not all devices will reply with ICMP Time Exceeded messages
– Some firewalls filter ICMP
– ICMP is low-priority for many devices

A

traceroute

2
Q
a Reconnaissance Tool-
• Lookup information from DNS servers
– Canonical names, IP addresses, cache timers, etc.
• nslookup
– Both Windows and POSIX-based
– Lookup names and IP addresses
– Deprecated (use dig instead)
• dig or DiG (Domain Information Groper)
– More advanced domain information
– Probably your first choice
– Install in Windows: https://professormesser.link/digwin
A

nslookup and dig

3
Q

a Reconnaissance Tool-
• Most of your troubleshooting starts with your IP address
– Ping your local router/gateway
• Determine TCP/IP and network adapter information
– And some additional IP details
• ipconfig – Windows TCP/IP configuration
• ifconfig – Linux interface configuration

A

ipconfig and ifconfig

4
Q
a Reconnaissance Tool-
• Network mapper
– Find and learn more about network devices
• Port scan
– Find devices and identify open ports
• Operating system scan
– Discover the OS without logging in to a device
• Service scan
– What service is available on a device? Name, version, details
• Additional scripts
– Nmap Scripting Engine (NSE)
• Extend capabilities, vulnerability scans
A

Nmap

5
Q

a Reconnaissance Tool-
• Test reachability
– Determine round-trip time
– Uses Internet Control Message Protocol (ICMP)
• One of your primary troubleshooting tools
– Can you ping the host?
• Written by Mike Muuss in 1983
– The sound made by sonar
– Not an acronym for Packet INternet Groper
– A backronym

A

ping

6
Q
a Reconnaissance Tool-
• Combine ping and traceroute
– Included with Windows NT and later
• First phase runs a traceroute
– Build a map
• Second phase
– Measure round trip time and packet loss at each hop
A

pathping

7
Q
a Reconnaissance Tool-
• TCP/IP packet assembler/analyzer
– A ping that can send almost anything
• Ping a device
– ICMP, TCP, UDP
– # hping3 --destport 80 10.1.10.1
• Send crafted frames
– Modify all IP, TCP, UDP, and ICMP values
• A powerful tool
– It’s easy to accidentally flood and DoS
– Be careful!
A

hping

8
Q
a Reconnaissance Tool-
• Network statistics
– Many different operating systems
• netstat -a
– Show all active connections
• netstat -b
– Show binaries
• netstat -n
– Do not resolve names
A

netstat

9
Q
a Reconnaissance Tool-
• “Read” or “write” to the network
– Open a port and send or receive some traffic
• Many different functions
– Listen on a port number
– Transfer data
– Scan ports and send data to a port
• Become a backdoor
– Run a shell from a remote device
• Other alternatives and OSes - Ncat
A

netcat

10
Q

a Reconnaissance Tool-
• Search a network for IP addresses
– Locate active devices
– Avoid doing work on an IP address that isn’t there
• Many different techniques
– ARP (if on the local subnet)
– ICMP requests (ping)
– TCP ACK
– ICMP timestamp requests
• A response means more recon can be done
– Keep gathering information - Nmap, hping, etc.

A

IP scanners

11
Q

a Reconnaissance Tool-
• Determine a MAC address based on an IP address
– You need the hardware address to communicate
• arp -a
– View local ARP table

A

Address Resolution Protocol

12
Q
a Reconnaissance Tool-
• View the device’s routing table
– Find out which way the packets will go
• Windows: route print
• Linux and macOS: netstat -r
curl
• Client URL
– Retrieve data using a URL
– Uniform Resource Locator
– Web pages, FTP, emails, databases, etc.
• Grab the raw data
– Search
– Parse
– Automate
A

route

13
Q
a Reconnaissance Tool-
• Gather OSINT
– Open-Source Intelligence
• Scrape information from Google or Bing
– Find associated IP addresses
• List of people from LinkedIn
– Names and titles
• Find PGP keys by email domain
– A list of email contacts
• DNS brute force
– Find those unknown hosts: vpn, chat, mail, partner, etc.
A

theHarvester

14
Q

a Reconnaissance Tool-
• Combine many recon tools into a single framework
– dnsenum, metasploit, nmap, theHarvester, and much more
• Both non-intrusive and very intrusive scanning options
– You choose the volume
• Another tool that can cause problems
– Brute force, server scanning, etc.
– Make sure you know what you’re doing

A

sn1per

15
Q
a Reconnaissance Tool-
• Run port scans from a different host
– Port scan proxy
• Many different services
– Choose the option for scan origination
– Your IP is hidden as the scan source
A

scanless

16
Q

a Reconnaissance Tool-
• Enumerate DNS information
– Find host names
• View host information from DNS servers
– Many services and hosts are listed in DNS
• Find host names in Google
– More hosts can probably be found in the index

A

dnsenum

17
Q
a Reconnaissance Tool-
• Industry leader in vulnerability scanning
– Extensive support
– Free and commercial options
• Identify known vulnerabilities
– Find systems before they can be exploited
• Extensive reporting
– A checklist of issues
– Filter out the false positives
A

Nessus

18
Q
a Reconnaissance Tool-
• A sandbox for malware
– Test a file in a safe environment
• A virtualized environment
– Windows, Linux, macOS, Android
• Track and trace
– API calls, network traffic, memory analysis
– Traffic captures
– Screenshots
A

Cuckoo

19
Q
a File Manipulation Tool-
• View the first part of a file
– The head, or beginning, of the file
– head [OPTION] … [FILE] …
• Use -n to specify the number of lines
– head -n 5 syslog
A

head

20
Q
a File Manipulation Tool-
• View the last part of a file
– The tail, or end, of the file
– tail [OPTION] … [FILE] …
• Use -n to specify the number of lines
– tail -n 5 syslog
A

tail

21
Q
a File Manipulation Tool-
• Concatenate
– Link together in a series
• Copy a file/files to the screen
– cat file1.txt file2.txt
• Copy a file/files to another file
– cat file1.txt file2.txt > both.txt
A

cat

22
Q
a File Manipulation Tool-
• Find text in a file
– Search through many files at a time
• grep PATTERN [FILE]
– grep failed auth.log
A

grep

23
Q
a File Manipulation Tool-
• Change mode of a file system object
– r=read, w=write, x=execute
– Can also use octal notation
– Set for the file owner (u), the group (g), others (o), or all (a)
– chmod mode FILE
– chmod 744 script.sh
• chmod 744 first.txt
– User: read, write, execute
– Group: read only
– Other: read only
• chmod a-w first.txt
– All users, no writing to first.txt
• chmod u+x script.sh
– The owner of script.sh can execute the file
A

chmod

24
Q

a File Manipulation Tool-
• Add entries to the system log
– syslog
• Adding to the local syslog file
– logger “This information is added to syslog”
• Useful for including information in a local or remote syslog file
– Include as part of an automation script
– Log an important event

A

logger

25
Q

a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
• Encrypted console communication - tcp/22
• Looks and acts the same as Telnet

A

SSH (Secure Shell)

26
Q
a powerful tool for automating tasks and simplifying configuration; it can be used to automate almost any task in the Windows ecosystem, including Active Directory and Exchange.
• Command line for system administrators
– .ps1 file extension
– Included with Windows 8/8.1 and 10
• Extend command-line functions
– Uses cmdlets (command-lets)
– PowerShell scripts and functions
– Standalone executables
• Automate and integrate
– System administration
– Active Domain administration
A

Windows PowerShell

27
Q
a computer programming language often used to build websites and software, automate tasks, and conduct data analysis. [this] is a general-purpose language, meaning it can be used to create a variety of different programs and isn't specialized for any specific problems.
• General-purpose scripting language
– .py file extension
• Popular in many technologies
– Broad appeal and support
A

Python

28
Q

a general-purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
• A toolkit and crypto library for SSL/TLS
– Build certificates, manage SSL/TLS communication
• Create X.509 certificates
– Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs)
• Message digests
– Support for many hashing protocols
• Encryption and Decryption
– SSL/TLS for services
• Much more

A

OpenSSL

29
Q

a Packet Tool-
a suite of free Open Source utilities for editing and replaying previously captured network traffic.
• A suite of packet replay utilities
– Replay and edit packet captures
– Open source
• Test security devices
– Check IPS signatures and firewall rules
• Test and tune IP Flow/NetFlow devices
– Send hundreds of thousands of traffic flows per second
• Evaluate the performance of security devices
– Test throughput and flows per second

A

Tcpreplay

30
Q
a Packet Tool-
an open source command-line tool for monitoring (sniffing) network traffic.
• Capture packets from the command line
– Display packets on the screen
– Write packets to a file
A

tcpdump

31
Q
a Packet Tool-
an open source packet sniffer and analysis tool for profiling network traffic and analyzing packets.
• Graphical packet analyzer
– Get into the details
• Gathers frames on the network
– Or in the air
• Sometimes built into the device
– View traffic patterns
– Identify unknown traffic
– Verify packet filtering and security controls
• Extensive decodes
– View the application traffic
A

Wireshark

32
Q

a forensic tool -
a command-line tool primarily used in Unix operating systems. It serves a very simple, yet useful purpose: to copy data from a specified source to a specified destination.
• A reference to the DD command in
– IBM mainframe JCL (Job Control Language)
– Data Definition (ASCII to EBCDIC converter)
• Create a bit-by-bit copy of a drive
– Used by many forensics tools
• Create a disk image
– dd if=/dev/sda of=/tmp/sda-image.img
• Restore from an image
– dd if=/tmp/sda-image.img of=/dev/sda

A

dd (data dump/definition/duplication)

33
Q

a forensic tool -
a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise.
• Copy information in system memory to the standard output stream
– Everything that happens is in memory
– Many third-party tools can read a memory dump
• Copy to another host across the network
– Use netcat, stunnel, openssl, etc.

A

memdump

34
Q
a forensic tool -
an advanced hex editor, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering.
• A universal hexadecimal editor for Windows OS
• Edit disks, files, RAM
– Includes data recovery features
• Disk cloning
– Drive replication
• Secure wipe
– Hard drive cleaning
• Much more
– A full-featured forensics tool
A

WinHex

35
Q

a forensic tool -
a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.
a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space.
• AccessData forensic drive imaging tool
– Includes file utilities and read-only image mounting
– Windows executable
• Widely supported in many forensics tools
– Third-party analysis
• Support for many different file systems and full disk encryption methods
– Investigator still needs the password
• Can also import other image formats
– dd, Ghost, Expert Witness, etc.

A

FTK Imager

36
Q

a forensic tool -

• Perform digital forensics of hard drives, smartphones
– View and recover data from storage devices
• Extract many different data types
– Downloaded files
– Browser history and cache
– Email messages
– Databases
– Much more
A

Autopsy

37
Q

a forensic tool -
supported software packages that contain reliable exploit modules and other useful features, such as agents used for successful repositioning.
• A pre-built toolkit for exploitations
– Build custom attacks
– Add more tools as vulnerabilities are found
– Increasingly powerful utilities
• Metasploit
– Attack known vulnerabilities
• The Social-Engineer Toolkit (SET)
– Spear phishing, Infectious media generator

A

Exploitation frameworks

38
Q
a forensic tool -
recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password.
• The keys to the kingdom
– Find the passwords
• Online cracking
– Try username/password combinations
• Offline cracking
– Brute force a hash file
• Limitations
– Password complexity / strength (entropy)
– Hashing method and CPU power
– Graphics processors are useful hardware tools
A

Password crackers

39
Q
a forensic tool -
the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, DVDs, etc.) or in hard copy form.
• Completely remove data
– No usable information remains
• Many different use cases
– Clean a hard drive for future use
– Permanently delete a single file
• A one-way trip
– Once it’s gone, it’s really gone
– No recovery with forensics tools
A

Data sanitization