(5) Service/Version ID, Common Tools Flashcards
Why is service identification important?
Service identification is important because it provides information about potential vulnerabilities and helps verify that the service that is responding on a particular port matches the service that normally is used on that port.
What are the two typical ways that service identification is done?
Service identification is normally done via connection and through grabbing the banner or connection information provided by the service or by comparing responses to the signatures of known services
What is maltego?
Maltego is open sourced, it focuses on open source intelligence gathering and connecting data points together via a graphical user interface (GUI).
It is a good way to understand, document, correlate and discover the hierarchies of the network you are looking at.
Describe how maltego uses the concepts of transforms
Transforms are actions taken by a server that provide more data or processing about objects and entities
What is recon-ng?
it is a module reconnaissance tool. Uses a CLI with search and module selection and install abilities that allow you to customize it to your liking
What is passive analysis?
Passive analysis is about getting information that is available about the organization, system, or network without performing any probes
What is passive fingerprinting?
Passive fingerprinting is about logs and certain other existing data, which might not provide enough data. The data may also be out of date
How useful are log files when it comes to passive discovery/analysis?
If you can get to local system configuration data and logs, you can use this information to build a map of how systems work together, what users and systems are there, and how they are set up.
When it comes to passive discovery and analysis, what type of data can one get from network devices?
Network devices contain data such as
-logs
-status and events
-traffic patterns and usage
-network device configuration files
-network flows
In general, how do network devices generate log messages?
Many network devices log messages directly to their console ports, meaning only a user logged in at the console can get to them
When it comes to managed networks, how do managed networks send network logs?
Most managed networks send network logs to a central log server using the syslog utility.
Many network logs level Simple Network Management Protocol (SNMP) to send device information to a central control system
What do network device log files have associated with them?
network device log files often have a log level associated with them. The definitions vary from device to device
Name Cisco system log levels from level 0-3
Level 0 is emergencies such as device shutdowns due to failure
Level 1 is alerts, such as Temperature issues
Level 2 is for critical, such as if software has issues
Level 3 is for errors such as if interfaces are having trouble
Name Cisco log levels from 4-7
Level 4 is for warnings such as if configurations have been changed without approval
Level 5 is for notifications such as if a line protocol is working or not working
Level 6 is for information perhaps is an ACL is being violated
Level 7 is for debugging, like for debugging messages
Compared to network device logs, what type of information is even more useful?
Network device logs are actually not as useful as device config data when it comes to intelligence gathering, it can provide topology discovery data though
