8 - OCO Flashcards
1
Q
Lockheed Martin’s Cyber Kill Chain
A
- Framework aimed to improve visibility and understanding of attacker’s TTPs
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions and Objectives
2
Q
Reconnaissance (Lockheed)
A
- Harvesting email addresses, conference information, etc
3
Q
Weaponization (Lockheed)
A
- Coupling exploit with backdoor into deliverable payload
4
Q
Delivery (Lockheed)
A
- Delivering weaponized bundle to a victim via email, web, etc
5
Q
Exploitation (Lockheed)
A
- Exploiting a vulnerability to execute code on victim’s system
6
Q
Installation (Lockheed)
A
- Installing malware on the asset
7
Q
Command and Control
A
- Command channel for remote manipulation of victim
8
Q
Actions on Objectives
A
- Intruders accomplish original goals
9
Q
MITRE ATT&CK for Enterprise
A
- Adversarial Tactics, Techniques, and Common Knowledge
– Describes actions an adversary would take against a target network - Last 4 stages of Lockheed Cyber Kill Chain broken down into:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defensive Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Exfiltration
– Command and Control
10
Q
Hacker Methodology
A
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Escalating Privileges
- Pilfering Data
- Covering Tracks
- Creating Backdoors
- Actions on Objectives
11
Q
Footprinting (Hacker Methodology)
A
- Collecting data about your target
- Passive - no direct interaction
- Methods
– whois
– nslookup / dig
– Google
– Social Networking
12
Q
Scanning (Hacker Methodology)
A
- Bulk assessment and identification
- Active - direct interaction
- Methods
– Ping sweeps
– Trace route
– nmap (-sn also does ping sweep)
13
Q
Enumeration (Hacker Methodology)
A
- Looking for vulnerabilities
- Aggressive probing
- Methods
– Service version detection (-sV in nmap)
– OS detection (-O in nmap)
– Banner grabbing
14
Q
Gaining Access (Hacker Methodology)
A
- Establish a foothold on target system
- Methods
– default Username/passwords
– Brute force PW guessing
– Remote code execution (metasploit, phishing)
– Buffer overflow
15
Q
Escalating Privileges (Hacker Methodology)
A
- Take full control of system
- Elevate to higher system privileges
- Methods
– Hashdump
– PW Cracking
– Phishing (if from user-level)
16
Q
Pilfering Data (Hacker Methodology)
A
- Gather information from target system
- Copy, don’t move
- System configs
- Shares
- ARP tables
- Be careful of large data transfers
17
Q
Covering Tracks (Hacker Methodology)
A
- Make sure users/admins don’t know we are here
- Methods
– Log removal
– Restarting crashed services
– Timestomping
– Removing uploaded/installed malware
18
Q
Creating Backdoors (Hacker Methodology)
A
- Persist on the system
- Methods
– Rogue user accounts
– Meterpreter
– Netcat
– Cron Job/Scheduled Tasks
19
Q
Actions on Objectives (Hacker Methodology)
A
- Perform end-goal actions on target systems
- Denial of Service
– Encryption
– Password Changes
– Deleting critical system files - Installing Malware
– Spyware Ransomware - Stealing Information
– PII
– Financial
20
Q
Advanced Methods (Hacker Methodology)
A
- Post Exploitation Survey
- Tunneling
- Buffer overflows
- Rootkits
- Man in the Middle
- Triggering
- Obfuscation
- Social Engineering
21
Q
Post Exploitation Survey (Hacker Methodology)
A
- Target verification
- Information Gathering
- Look for:
– Host verification (IP, hostname, etc.)
– Host configuration (interfaces, firewall rules, installed programs, etc.)
– Situational Awareness (process list, network connections, antivirus, etc.)
– Useful Information (desktop, docs, dirwalk)
22
Q
Pivoting
A
- Using an already compromised host to further exploit deeper into a target network
23
Q
WEP
A
- Wired Equivalent Privacy
- Intended to provide data confidentiality like wired networks
- RC4 encryption
– Keys never used twice (24-bit IV)
– Reuse restriction not guaranteed on busy network, allowing WEP key crack
24
Q
WPA
A
- Wifi Protected Access
- Partial implementation in response to WEP weakness
- TKIP encryption
– Randomly generates 64 or 128 bit key per packet
– Message integrity check, replaced by CRC - Retained vulnerabilities of WEP
25
Q
WPA2
A
- Wifi Protected Access II
- AES-CCMP Encryption
- Prevents
– Frame forgeries
– Replay Attacks - Never re-uses encryption key
26
Q
WPS
A
- Wifi Protected Setup
- 2 Mandatory connection modes
– Push button
– PIN (8-digit pin, last digit is checksum, first 4 digits evaluated from last 3) - 2 Optional connection modes
– NFC
– USB - 11,000 possible combinations before gaining access to system
27
Q
WPA3
A
- Wifi Protected Access 3
- Simultaneous Authentication Equals (SAE)
– Replaces WPA2 pre-shared key - Uses forward secrecy
– Minimal data exposure if hacked - Easy Connect, Enhanced Open
28
Q
airmon-ng
A
- Modify or show status/mode of wireless interfaces and kill network managers
29
Q
airodump-ng
A
- Packet capture of raw 802.11 frames
- Suitable for collecting on WEP, WPA, and WPA2 networks
30
Q
aireplay-ng
A
- Used for injecting frames
– For WPA2, used for deauth
31
Q
aircrack-ng
A
- Used for cracking WPA2 pre-shared keys (like john-the-ripper for wifi)
– Requires packet capture of WPA2 handshake (with airodump-ng)
32
Q
Wireless Hacking Methodology
A
- Network identification and monitoring
- Client ID and deauth
- Handshake capture
- Password Cracking
- Connect to network
- Must
– Know SSID of network
– Be in footprint of AP
– Connect client to the AP
33
Q
Buffer
A
- Region of physical memory used to temporarily store data
34
Q
Buffer Overflow
A
- Entering data that exceeds the buffer size and spills over into other memory space, corrupting or overwriting data stored in that space
35
Q
Rootkit
A
- Malware which hides its presence from users/OS
– Can attach to security software to remain hidden
Types:
– Hardware/firmware
– Bootloader
– Memory
– Application
– Kernel Mode
36
Q
Man-in-the-Middle
A
- Attacker inserts his/herself into the communication between two devices
- Attacker impersonates both sides of the conversation
37
Q
Triggering
A
- Interact w/ a target to have a program perform a defined function for an attacker
- May be triggered through sending packets
- Functions include:
– Running a command
– Starting a listener
– Starting a reverse connection
38
Q
Obfuscation
A
- Making something obscure, unclear, or unintelligible
- Goal is to alter appearance of malware to evade antivirus
- Packers
– Compress malware
– Hides from AV; makes it difficult to reverse engineer - Crypters
– Encrypt, obfuscate, and manipulate software
– Make reverse engineering more difficult
39
Q
Types of Obfuscation
A
- Network Traffic
– Make network traffic appear to be something else (i.e. make beacon look like normal HTTP/HTTPS traffic) - Executables
– Use packers/obfuscation software to bypass defender programs or prevent reverse engineering - Text
– Multiple techniques; i.e. base64 encoding - Steganography
– Hiding information inside pictures (steghide on Kali)
40
Q
Social Engineering
A
- Goal: Convince a target to take actions they would normally not
- Types:
– Pretexting - Creating a believable story
– Baiting - Using targets greed/curiosity
– Tailgating - Attempting to gain access to restricted areas
– Phishing - Email campaigns
41
Q
SSH Tunnel
A
- Securely forward network traffic through an encrypted SSH connection
- Also known as SSH port forwarding
42
Q
Forward SSH Tunnel
A
- Forward local port to remote port, allowing the user to access a service running on the remote server as if it were running on the local machine
43
Q
Reverse SSH Tunnel
A
- Forward remote port to a local port, allowing the user to access a service running on local machine as if it were running on the remote server
44
Q
Dynamic SSH Tunnel
A
- Created dynamically
- Used when multiple ports are needed, such as in port scanning
45
Q
SSH Tunnel Options
A
-f - background after auth
-N - no need for remote commands
-C - request compression
46
Q
IPTables/Firewall Redirection
A
- Routes traffic through prerouting and postrouting chains without touching the local system
- Won’t show up on netstat
- Does not provide encryption (connection must do its own encrypting)
- System must be configured for routing
47
Q
Industrial Control System
A
- Computing systems that control and monitor industrial processes
48
Q
Programmable Logic Controllers (PLC)
A
- Devices that control and monitor industrial machinery
49
Q
Modbus
A
- Protocol used by PLCs
- Establishes communication between devices and facilitates transfer of data between them
- Port 500
- Can be used to:
– Change value of registers
– Read an I/O port
– Read values contained in registers
50
Q
nmap port states
A
- open
– Application listening on that port - closed
– Port is accessible but has no application listening - filtered
– Firewall or other network obstacle is blocking the port; nmap cannot tell if it is open or closed - unfiltered
– Port is accessible, but nmap is unable to determine state - open | filtered
– Used when nmap is unable to determine if port is open or filtered - closed | filtered
– Used when nmap is unable to determine if port is closed or filtered
51
Q
netcat flags
A
- -v - verbose
- -w - wait x seconds for a response
- -z - do not send data to a TCP connection and limited data to UDP
- -d - tells nc to detach from the console
- -L - keep listening for connections even after the first connection disconnects
- -p - port to listen on
- -e - execute the following command after connection is made
52
Q
Adobe_Geticon
A
- Exploit used to create a weaponized PDF
53
Q
A
