504.2 Flashcards
Breakout time
Time from initial compromise to privilege escalation on additional internal network targets.
MITRE ATT&CK
Framework and knowledge base for mapping adversary tactics, techniques, and procedures, based on real-world observation.
Reconnaissance
Building intel and looking for opportunities. Usually begins with OSINT collection.
OSINT
Collective representation of planned and unplanned shared online data.
Certificate Transparency
Certificate Authority requirement to publish logs of all issued certificates. Can be useful to an attacker for revealing hosts that may not be public yet.
SpiderFoot
Open-source data collection and analysis tool. Collects data from hundreds of online sources, using the collected data to seed additional searches.
DNS
Attackers use DNS to discover IP addresses associated with a target domain.
nslookup
Used to interact with a DNS server to obtain domain information.
DNS Zone Transfer
Allows an attacker to connect to your DNS server and grab the records associated with a particular domain. They can then determine which machines in that domain are public facing.
NMAP dns-brute
Leverages a list of common hostnames and a target domain name to determine whether each DNS name is present on the DNS server.
exiftool
Perl script that extracts metadata from many different file types. Can reveal things like operating system, document software version, etc.
CeWL
Custom wordlist generator that crawls a target website, collecting all web pages and common document formats to extract metadata. The data can then be used to build a wordlist for password attacks, host enumeration, etc.
NMAP Network Sweeping
Sweep through address space to identify active hosts on the network.
Port Scanning
Helps identify openings on a system and allows an attacker to focus their attack on specific services.
Nmap Scripting Engine (NSE)
Nmap scripts that conduct additional interrogation of a target system. NSE scripts can be used for enhanced host interrogation, but also for vulnerability discovery and several attacks as well.
JQ
Lightweight tool and programming language for parsing, interrogating, and editing JSON data.
masscan
Network scanning tool that separates the SYN-send code from the ACK-receive code into different functionality, which allows it to send TCP SYN packets at a very fast rate and scan many more hosts than Nmap can.
TLS Scanner
Tool that reads from a list of IP addresses, one per line, and extracts certificate information from the TLS server identified on a given port.
EyeWitness
Tool that takes a screenshot of every web server it detects, so the purpose of multiple websites can be identified quickly by reviewing the pictures included in an HTML report.
builtwith.com
Website tool; searching for a domain name discloses several characteristics of the target website, including its cloud providers.
SMB
Application-layer protocol that implements file and printer sharing, domain authentication, remote administration, and other features. Uses port 445.
SharpView
Tool used to enumerate many different Windows domain and server settings.
Bloodhound
A tool that graphs the quickest path to domain admin privileges.
DeepBlueCLI
PowerShell script that parses Windows event logs and searches for unusual behaviors and characteristics.
whois
CLI tool that collects domain registrant information. Not very useful anymore because of data protection laws; largely replaced by certificate transparency.
Split DNS
External name information is held on an external server, internal name information on an internal server.
Google Dorks
Google searches that can reveal vulnerable sites or other useful information to an attacker