4.1 Operations and Incident Response (IR) Flashcards
a Reconnaissance Tool-
provides a map of how data on the internet travels from its source to its destination. Unlike ping, which only tells you whether the destination answers, [this] shows each hop the data passes through on the way.
• Determine the route a packet takes to a destination
– Map the entire path
• tracert (Windows) or traceroute (POSIX)
– Windows tracert probes with ICMP Echo; POSIX traceroute sends UDP probes by default (-I for ICMP, -T for TCP)
• Takes advantage of the ICMP Time to Live Exceeded error message
– The TTL counts hops (routers), not seconds or minutes
– TTL=1 is the first router, TTL=2 is the second router, etc.
– The router that decrements the TTL to zero discards the packet and sends Time Exceeded back to the sender, which reveals that router's address
• Not all devices will reply with ICMP Time Exceeded messages
– Some firewalls filter ICMP
– ICMP is low-priority for many devices
– A hop shown as * * * is not necessarily down; it may just be dropping or not generating ICMP
traceroute
a Reconnaissance Tool-
• Lookup information from DNS servers
– Canonical names, IP addresses, cache timers, etc.
• nslookup
– Both Windows and POSIX-based
– Lookup names and IP addresses
– Deprecated (use dig instead)
• dig or DiG (Domain Information Groper)
– More advanced domain information
– Probably your first choice
– Install in Windows: https://professormesser.link/digwin
nslookup and dig
a Reconnaissance Tool-
• Most of your troubleshooting starts with your IP address
– Ping your local router/gateway
• Determine TCP/IP and network adapter information
– And some additional IP details
• ipconfig – Windows TCP/IP configuration
• ifconfig – Linux interface configuration (being replaced by ip addr / ip link on many distributions)
ipconfig and ifconfig
a Reconnaissance Tool-
• Network mapper
– Find and learn more about network devices
• Port scan (-sS SYN scan, -sT full connect)
– Find devices and identify open ports
• Operating system scan (-O)
– Discover the OS without logging in to a device
• Service scan (-sV)
– What service is available on a device? Name, version, details
• Additional scripts (--script)
– Nmap Scripting Engine (NSE)
– Extend capabilities, vulnerability scans
Nmap
a Reconnaissance Tool-
• Test reachability
– Determine round-trip time
– Uses Internet Control Message Protocol (ICMP)
• One of your primary troubleshooting tools
– Can you ping the host?
• Written by Mike Muuss in 1983
– The sound made by sonar
– Not an acronym for Packet INternet Groper
– A backronym
ping
a Reconnaissance Tool-
• Combine ping and traceroute
– Included with Windows NT and later
• First phase runs a traceroute
– Build a map
• Second phase
– Measure round trip time and packet loss at each hop
pathping
a Reconnaissance Tool-
• TCP/IP packet assembler/analyzer
– A ping that can send almost anything
• Ping a device
– ICMP, TCP, UDP
– # hping3 --destport 80 10.1.10.1 (the # is a root prompt; sends TCP probes to port 80)
• Send crafted frames
– Modify all IP, TCP, UDP, and ICMP values
• A powerful tool
– It’s easy to accidentally flood and DoS
– Be careful!
hping
a Reconnaissance Tool-
• Network statistics
– Many different operating systems
• netstat -a
– Show all active connections and listening ports
• netstat -b
– Show the binary (executable) behind each connection (Windows; needs an elevated prompt)
– Linux equivalent: netstat -p (or ss -tulpn)
• netstat -n
– Do not resolve names
netstat
a Reconnaissance Tool-
• “Read” or “write” to the network
– Open a port and send or receive some traffic
• Many different functions
– Listen on a port number
– Transfer data
– Scan ports and send data to a port
• Become a backdoor
– Run a shell from a remote device
• Other alternatives and OSes
– Ncat (from the Nmap project)
netcat
a Reconnaissance Tool-
• Search a network for IP addresses
– Locate active devices
– Avoid doing work on an IP address that isn’t there
• Many different techniques
– ARP (if on the local subnet)
– ICMP requests (ping)
– TCP ACK
– ICMP timestamp requests
• A response means more recon can be done
– Keep gathering information - Nmap, hping, etc.
IP scanners
a Reconnaissance Tool-
• Determine a MAC address based on an IP address
– You need the hardware address to communicate
• arp -a
– View local ARP table (ip neigh on newer Linux)
Address Resolution Protocol
a Reconnaissance Tool-
• View the device’s routing table
– Find out which way the packets will go
• Windows: route print
• Linux and macOS: netstat -r (or ip route on Linux)
route
a Reconnaissance Tool-
• Client URL
– Retrieve data using a URL
– Uniform Resource Locator
– Web pages, FTP, emails, databases, etc.
• Grab the raw data
– Search
– Parse
– Automate
curl
a Reconnaissance Tool-
• Gather OSINT
– Open-Source Intelligence
• Scrape information from Google or Bing
– Find associated IP addresses
• List of people from LinkedIn
– Names and titles
• Find PGP keys by email domain
– A list of email contacts
• DNS brute force
– Find those unknown hosts; vpn, chat, mail, partner, etc.
theHarvester
a Reconnaissance Tool-
• Combine many recon tools into a single framework
– dnsenum, metasploit, nmap, theHarvester, and much more
• Both non-intrusive and very intrusive scanning options
– You choose the volume
• Another tool that can cause problems
– Brute force, server scanning, etc.
– Make sure you know what you’re doing
sn1per
a Reconnaissance Tool-
• Run port scans from a different host
– Port scan proxy
• Many different services
– Choose the option for scan origination
– Your IP is hidden as the scan source (the target sees the proxy service’s address; the service itself still sees yours)
scanless
a Reconnaissance Tool-
• Enumerate DNS information
– Find host names
• View host information from DNS servers
– Many services and hosts are listed in DNS
• Find host names in Google
– More hosts can probably be found in the index
dnsenum
a Reconnaissance Tool-
• Industry leader in vulnerability scanning
– Extensive support
– Free and commercial options
• Identify known vulnerabilities
– Find systems before they can be exploited
• Extensive reporting
– A checklist of issues
– Filter out the false positives
Nessus
a Reconnaissance Tool-
• A sandbox for malware
– Test a file in a safe environment
• A virtualized environment
– Windows, Linux, macOS, Android
• Track and trace
– API calls, network traffic, memory analysis
– Traffic captures
– Screenshots
Cuckoo
a File Manipulation Tools-
• View the first part of a file
– The head, or beginning, of the file
– head [OPTION]... [FILE]...
• Use -n to specify the number of lines
– head -n 5 syslog
head
a File Manipulation Tools-
• View the last part of a file
– The tail, or end, of the file
– tail [OPTION]... [FILE]...
• Use -n to specify the number of lines
– tail -n 5 syslog
• Use -f to follow the file as lines are appended
– tail -f syslog (live log monitoring)
tail
a File Manipulation Tools-
• Concatenate
– Link together in a series
• Copy a file/files to the screen
– cat file1.txt file2.txt
• Copy a file/files to another file
– cat file1.txt file2.txt > both.txt
cat
a File Manipulation Tools-
• Find text in a file
– Search through many files at a time
• grep PATTERN [FILE]
– grep failed auth.log
– -i ignores case, -r recurses through directories, -c counts matching lines instead of printing them
grep
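The head, tail, cat and grep cards above describe each tool on its own; the example below (added here, not part of the original flashcards) combines them the way an analyst does when triaging a log. It builds a small constructed auth.log (the hostnames, users and addresses are made up), pulls out the failed SSH logins with grep, and counts them per source IP with awk, sort and uniq.

```shell
#!/bin/sh
# Added example (not from the original flashcards). Builds a constructed
# auth.log, then uses head, tail, cat and grep as the cards describe to
# extract failed SSH logins and count them per source IP. All log lines
# and addresses are invented for the demo.

# make_log PATH: write the constructed sample log (cat + here-document).
make_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 host sshd[911]: Accepted publickey for alice from 10.0.0.5 port 50212 ssh2
Mar  3 10:01:09 host sshd[915]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar  3 10:01:11 host sshd[915]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar  3 10:01:15 host sshd[918]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:02:01 host CRON[920]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:02:30 host sshd[922]: Failed password for root from 203.0.113.7 port 41100 ssh2
Mar  3 10:03:00 host sshd[930]: Accepted password for bob from 10.0.0.6 port 50300 ssh2
EOF
}

# failed_logins FILE: only the failed authentication lines (case-insensitive).
failed_logins() {
    grep -i 'failed password' "$1"
}

# top_offenders FILE: failures per source IP, highest count first.
# Output lines look like "3 203.0.113.7".
top_offenders() {
    failed_logins "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# first_and_last FILE N: head and tail together, the usual "what happened
# at the start and end of the window" check.
first_and_last() {
    head -n "$2" "$1"
    echo '...'
    tail -n "$2" "$1"
}

main() {
    log=$(mktemp)
    make_log "$log"
    first_and_last "$log" 1
    echo "Failed logins: $(failed_logins "$log" | wc -l)"
    top_offenders "$log"
    rm -f "$log"
}
main
```

On a real host the same pipeline runs against /var/log/auth.log (or journalctl -u ssh output); the awk step keys on the literal word "from" so it does not break when the username contains spaces or the "invalid user" prefix is present.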
a File Manipulation Tools-
• Change mode of a file system object
– r=read, w=write, x=execute
– Can also use octal notation (r=4, w=2, x=1, summed per class)
– Set for the file owner (u), the group (g), others (o), or all (a)
– chmod mode FILE
– chmod 744 script.sh
• chmod 744 first.txt
– User: read, write, execute
– Group: read only
– Other: read only
• chmod a-w first.txt
– All users, no writing to first.txt
• chmod u+x script.sh
– The owner of script.sh can execute the file
chmod
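The three chmod commands on the card, run against scratch files so the resulting modes can be read back. This is an added example, not code from the original flashcards; it assumes GNU coreutils (stat -c %a) on Linux, and the file names are only placeholders.

```shell
#!/bin/sh
# Added example (not from the original flashcards): apply the card's three
# chmod commands to scratch files and read the resulting octal mode back
# with stat. Assumes GNU coreutils (stat -c %a) on Linux.

# mode_to_symbolic OCTAL: translate e.g. 744 to rwxr--r-- (what ls -l shows).
mode_to_symbolic() {
    out=""
    for d in $(printf '%s\n' "$1" | fold -w1); do
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    echo "$out"
}

# chmod_demo: run the card's commands and print the three resulting modes
# on one line ("744 544 744").
chmod_demo() {
    dir=$(mktemp -d)
    # Start from known modes so the result does not depend on the umask.
    : > "$dir/first.txt";  chmod 666 "$dir/first.txt"
    : > "$dir/script.sh";  chmod 644 "$dir/script.sh"

    # Octal: 7 = rwx for the owner, 4 = r-- for group and for others.
    chmod 744 "$dir/first.txt"
    m1=$(stat -c %a "$dir/first.txt")

    # Symbolic: remove write (w) from all classes (a): 744 becomes 544.
    chmod a-w "$dir/first.txt"
    m2=$(stat -c %a "$dir/first.txt")

    # Symbolic: add execute (x) for the owner (u) only: 644 becomes 744.
    chmod u+x "$dir/script.sh"
    m3=$(stat -c %a "$dir/script.sh")

    rm -rf "$dir"
    echo "$m1 $m2 $m3"
}

main() {
    for m in $(chmod_demo); do
        echo "$m -> $(mode_to_symbolic "$m")"
    done
}
main
```

The security-relevant habit the example shows is verifying the mode after changing it: a-w on a file that was 744 leaves the owner without write access too, which is often not what was intended.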
a File Manipulation Tools-
• Add entries to the system log (syslog)
• Adding to the local syslog file
– logger “This information is added to syslog”
– logger -t TAG -p FACILITY.LEVEL “message” sets the tag and priority the collector will filter on
• Useful for including information in a local or remote syslog file
– Include as part of an automation script
– Log an important event
logger
network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
• Encrypted console communication - tcp/22
• Looks and acts the same as Telnet, but the session is encrypted and the server is authenticated by its host key
SSH (Secure Shell)
a powerful tool for automating tasks and simplifying configuration; it can be used to automate almost any task in the Windows ecosystem, including Active Directory and Exchange.
• Command line for system administrators
– .ps1 file extension
– Included with Windows 7 and later (Windows 8/8.1 and 10 on the exam)
• Extend command-line functions
– Uses cmdlets (command-lets)
– PowerShell scripts and functions
– Standalone executables
• Automate and integrate
– System administration
– Active Directory administration
Windows PowerShell
a computer programming language often used to build websites and software, automate tasks, and conduct data analysis. [this] is a general-purpose language, meaning it can be used to create a variety of different programs and isn't specialized for any specific problems.
• General-purpose scripting language
– .py file extension
• Popular in many technologies
– Broad appeal and support
Python
general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
• A toolkit and crypto library for SSL/TLS
– Build certificates, manage SSL/TLS communication
• Create X.509 certificates
– Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs)
• Message digests
– Support for many hashing protocols
• Encryption and Decryption
– SSL/TLS for services
• Much more
OpenSSL
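The key, CSR, certificate and digest operations the card lists, run as a script against scratch files. This is an added example, not code from the original flashcards or from the OpenSSL project; it assumes the openssl command-line tool (1.0.x or later) is on PATH, and the subject name demo.example is made up.

```shell
#!/bin/sh
# Added example (not from the original flashcards): the CSR, X.509 and
# message-digest operations on the OpenSSL card, against scratch files.
# Assumes the openssl CLI (1.0.x or later). "demo.example" is a made-up name.

# make_cert DIR: private key + CSR, then self-sign the CSR. Prints the
# certificate subject.
make_cert() {
    dir=$1
    # Key and certificate signing request in one step. -nodes leaves the
    # key unencrypted: fine for a scratch demo, not for a production key.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/req.csr" \
        -subj "/CN=demo.example/O=Demo" 2>/dev/null
    # Sign the CSR with its own key: a self-signed X.509 certificate.
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -noout -subject
}

# cert_matches_key DIR: the check to run before deploying a cert. The
# public key inside the certificate must equal the one derived from the
# private key; returns non-zero on mismatch.
cert_matches_key() {
    dir=$1
    c=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$dir/key.pem" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# digest FILE: SHA-256 of a file (the card's "message digests").
digest() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

main() {
    d=$(mktemp -d)
    make_cert "$d"
    cert_matches_key "$d" && echo "certificate matches private key"
    openssl x509 -in "$d/cert.pem" -noout -dates -fingerprint -sha256
    printf 'abc' > "$d/msg.txt"
    echo "sha256(msg.txt) = $(digest "$d/msg.txt")"
    rm -rf "$d"
}
main
```

In practice the CSR is sent to a CA rather than self-signed; the matching-key check is the same either way, and the -fingerprint output is what you compare out of band when pinning or verifying a certificate.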
a Packet Tool-
a suite of free Open Source utilities for editing and replaying previously captured network traffic.
• A suite of packet replay utilities
– Replay and edit packet captures
– Open source
• Test security devices
– Check IPS signatures and firewall rules
• Test and tune IP Flow/NetFlow devices
– Send hundreds of thousands of traffic flows per second
• Evaluate the performance of security devices
– Test throughput and flows per second
Tcpreplay
a Packet Tool- an open source command-line tool for monitoring (sniffing) network traffic.
• Capture packets from the command line
– Display packets on the screen
– Write packets to a file
– tcpdump -n -i eth0 -w capture.pcap 'tcp port 22' captures without name resolution using a BPF filter; tcpdump -r capture.pcap reads it back
tcpdump
a Packet Tool- an open source tool for profiling network traffic and analyzing packets; a packet sniffer and analysis tool.
• Graphical packet analyzer
– Get into the details
• Gathers frames on the network
– Or in the air
• Sometimes built into the device
– View traffic patterns
– Identify unknown traffic
– Verify packet filtering and security controls
• Extensive decodes
– View the application traffic
Wireshark
a forensic tool -
a command-line tool primarily used in Unix Operating Systems. It serves a very simple, yet useful purpose; to copy data from a specified source to a specified destination.
• A reference to the DD statement in IBM mainframe JCL (Job Control Language)
– Data Definition (ASCII to EBCDIC converter)
• Create a bit-by-bit copy of a drive
– Used by many forensics tools
• Create a disk image
– dd if=/dev/sda of=/tmp/sda-image.img
• Restore from an image
– dd if=/tmp/sda-image.img of=/dev/sda
dd (data dump/definition/duplication)
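The imaging command from the card, with the two things an examiner adds to it in practice: conv=noerror,sync so a bad sector does not abort or shift the image, and a hash of source and image to prove the copy is bit-for-bit and the source was not altered. This is an added example, not from the original flashcards; it assumes GNU coreutils (dd, sha256sum) and uses a constructed file in place of /dev/sda.

```shell
#!/bin/sh
# Added example (not from the original flashcards): the card's dd imaging
# step run against a constructed file standing in for /dev/sda, plus the
# hash verification recorded with the image. Assumes GNU coreutils.

# make_fake_disk PATH: 1 MiB of zeros with a recognisable marker so the
# copy is not trivially all zeros. Constructed for the demo, not a device.
make_fake_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'EVIDENCE-MARKER' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# image_device SRC DST: bit-for-bit copy. conv=noerror keeps going past
# unreadable sectors; conv=sync pads them with zeros instead of shifting
# everything after them. A large bs keeps it fast on a real device.
image_device() {
    dd if="$1" of="$2" bs=64K conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST: image hash must equal the source hash, and the
# source hashed again afterwards must still match (the source was not
# modified during imaging). Prints the hash for the chain-of-custody notes.
verify_image() {
    before=$(sha256sum "$1" | cut -d' ' -f1)
    after=$(sha256sum "$2" | cut -d' ' -f1)
    again=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$before" = "$after" ] && [ "$before" = "$again" ] && echo "$before"
}

# image_and_verify SRC DST: returns 0 and prints the hash only on success.
image_and_verify() {
    image_device "$1" "$2" && verify_image "$1" "$2"
}

main() {
    d=$(mktemp -d)
    make_fake_disk "$d/sda"
    h=$(image_and_verify "$d/sda" "$d/sda-image.img") && echo "verified sha256 $h"
    # Recovering the marker from the image shows the copy is byte-exact.
    grep -a -c 'EVIDENCE-MARKER' "$d/sda-image.img"
    rm -rf "$d"
}
main
```

Two caveats for a real device: conv=sync pads a trailing partial block, so pick a bs that divides the device size (or hash only the first N bytes) or the hashes will legitimately differ; and attach the source through a write blocker, since merely mounting it can change metadata and break the before/after hash match. GNU dd also accepts status=progress for long runs.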
a forensic tool -
a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensics data about the state of the system before an incident such as a crash or security compromise.
• Copy information in system memory to the standard output stream
– Everything that happens is in memory
– Many third-party tools can read a memory dump
• Copy to another host across the network
– Use netcat, stunnel, openssl, etc.
memdump
a forensic tool - an advanced hex editor, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering.
• A universal hexadecimal editor for Windows OS
• Edit disks, files, RAM
– Includes data recovery features
• Disk cloning
– Drive replication
• Secure wipe
– Hard drive cleaning
• Much more
– A full-featured forensics tool
WinHex
a forensic tool -
a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.
a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space.
• AccessData forensic drive imaging tool
– Includes file utilities and read-only image mounting
– Windows executable
• Widely supported in many forensics tools
– Third-party analysis
• Support for many different file systems and full disk encryption methods
– Investigator still needs the password
• Can also import other image formats
– dd, Ghost, Expert Witness, etc.
FTK Imager
a forensic tool -
• Perform digital forensics of hard drives, smartphones
– View and recover data from storage devices
• Extract many different data types
– Downloaded files
– Browser history and cache
– Email messages
– Databases
– Much more
Autopsy
a forensic tool -
supported software packages that contain reliable exploit modules and other useful features, such as agents used for successful repositioning.
• A pre-built toolkit for exploitations
– Build custom attacks
– Add more tools as vulnerabilities are found
– Increasingly powerful utilities
• Metasploit
– Attack known vulnerabilities
• The Social-Engineer Toolkit (SET)
– Spear phishing, Infectious media generator
Exploitation frameworks
a forensic tool - recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password.
• The keys to the kingdom
– Find the passwords
• Online cracking
– Try username/password combinations against the live service
– Slow, noisy, and usually stopped by lockouts and rate limits
• Offline cracking
– Brute force or dictionary attack against a stolen hash file
– Limited only by the attacker’s hardware
• Limitations
– Password complexity / strength (entropy)
– Hashing method and CPU power (a salted, slow hash such as bcrypt or PBKDF2 multiplies the cost of every guess)
– Graphics processors are useful hardware tools
Password crackers
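Offline cracking as the card describes it, run twice against a constructed hash file: once with plain SHA-256 hashes and once with a per-user salt, to show why the hashing method is the limitation that matters. This is an added example, not from the original flashcards; the users, passwords, salts and wordlist are all invented, and it assumes sha256sum from coreutils.

```shell
#!/bin/sh
# Added example (not from the original flashcards): an offline dictionary
# attack against a constructed hash file, unsalted and then salted. All
# users, passwords, salts and words are made up. Assumes sha256sum.

sha256_hex() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# make_wordlist PATH: a tiny constructed wordlist.
make_wordlist() {
    cat > "$1" <<'EOF'
letmein
password
Summer2024
hunter2
EOF
}

# make_hashfiles UNSALTED SALTED: the "stolen" hash files. dave's password
# is not in the wordlist, so neither attack should recover it.
make_hashfiles() {
    : > "$1"; : > "$2"
    for entry in alice:password bob:hunter2 carol:password dave:Xk9vQ2pL; do
        user=${entry%%:*}; pw=${entry#*:}
        # Unsalted file: user:sha256(password)
        echo "$user:$(sha256_hex "$pw")" >> "$1"
        # Salted file: user:salt:sha256(salt || password), one salt per user
        salt=$(sha256_hex "$user" | cut -c1-8)
        echo "$user:$salt:$(sha256_hex "$salt$pw")" >> "$2"
    done
}

# crack_unsalted HASHFILE WORDLIST: one hash per candidate word tests it
# against every user at once. Total cost: |wordlist| hashes, and users who
# share a password fall together.
crack_unsalted() {
    while IFS= read -r w; do
        h=$(sha256_hex "$w")
        awk -F: -v h="$h" -v w="$w" '$2 == h { print $1 ":" w }' "$1"
    done < "$2"
}

# crack_salted HASHFILE WORDLIST: the salt forces a fresh hash per user per
# candidate. Cost: up to |users| x |wordlist| hashes, and precomputed
# (rainbow) tables are useless.
crack_salted() {
    while IFS=: read -r user salt hash; do
        while IFS= read -r w; do
            if [ "$(sha256_hex "$salt$w")" = "$hash" ]; then
                echo "$user:$w"
                break
            fi
        done < "$2"
    done < "$1"
}

# distinct_hashes FILE FIELD: unique hashes in the file. Fewer than users
# means shared passwords are visible before any cracking at all.
distinct_hashes() { cut -d: -f"$2" "$1" | sort -u | wc -l | tr -d ' '; }

main() {
    d=$(mktemp -d)
    make_wordlist "$d/words.txt"
    make_hashfiles "$d/unsalted.txt" "$d/salted.txt"
    echo "unsalted: $(distinct_hashes "$d/unsalted.txt" 2) distinct hashes for 4 users"
    crack_unsalted "$d/unsalted.txt" "$d/words.txt"
    echo "salted: $(distinct_hashes "$d/salted.txt" 3) distinct hashes for 4 users"
    crack_salted "$d/salted.txt" "$d/words.txt"
    rm -rf "$d"
}
main
```

Both runs recover the same three accounts here because the wordlist is tiny; the difference is the work factor. A single fast hash costs the attacker microseconds per guess, which is why real password stores use a salted, deliberately slow function (bcrypt, PBKDF2, Argon2) so that the per-guess cost, not the wordlist size, is what limits the attack.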
a forensic tool - the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.) or in hard copy form.
• Completely remove data
– No usable information remains
• Many different use cases
– Clean a hard drive for future use
– Permanently delete a single file
• A one-way trip
– Once it’s gone, it’s really gone
– No recovery with forensics tools
– Overwriting a single file is unreliable on SSDs and on journaling or copy-on-write file systems (wear leveling and journals keep copies); for whole devices use the drive’s secure erase or cryptographic erase
Data sanitization