Certified Ethical Hacker. Ch 1 - 3 Flashcards
What are the 5 phases in hacking?
Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks
Information Assurance includes
Confidentiality,
Integrity,
Availability,
Authenticity
Set of requirements, processes, principles, and models that determines the structure and behavior of an organization’s information systems
EISA (Enterprise Information Security Architecture)
Risk Management Phases
- Risk Identification
- Risk Assessment
- Risk Treatment
- Risk Tracking
- Risk Review
What is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects the security of that application?
Threat Modeling
What is User Behavior Analytics (UBA)
The process of tracking user behavior to detect malicious attacks, potential threats, and financial frauds
IAM Component 1, includes single sign-on, session management, password services, strong authentication and multi-factor authentication
Authentication
IAM Component 2, Provides access control to various organizational resources
Authorization
IAM Component 3, Performs user life cycle management and password management
User Management
IAM Component 4, Provides central user repository that stores user identity information and enables other components and services of IAM
Enterprise Directory Services
Protocols used by Enterprise Directory Services
- LDAP, Lightweight Directory Access Protocol
- SCIM, Simple Cloud Identity Management
Protects the penetration tester / agency from any legal or financial liabilities, in case the penetration test results in loss or damage to the assets of the organization
Indemnification Clause
An open source application security project that assists organizations in purchasing, developing and maintaining software tools, software applications, and knowledge-based documentation for web application security
OWASP, Open Web Application Security Project
A peer-reviewed methodology for performing high-quality security tests, covering: data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls and various security processes
OSSTMM, Open Source Security Testing Methodology Manual
An open source project aimed at providing security assistance for professionals. Its mission is to research, develop, publish, and promote a complete, practical and generally accepted information systems security assessment framework.
ISSAF, Information System Security Assessment Framework
The federal technology agency that works with industry to develop and apply technology, measurements, and standards
NIST
What clause specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization?
ISO/IEC 27001:2013
Protects investors and the public by increasing the accuracy and reliability of corporate disclosures
Sarbanes-Oxley Act
A comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets
FISMA
Google Hacking Database (GHDB) is?
An index of search queries used to find publicly available information during pentesting.
What tool is used on Linkedin to find people based on job title, company, or email address?
InSpy
Tool to determine the operating system (or top level domains) used by a target
Netcraft
Search engine to find connected devices (routers, servers, IoT) used by a target
SHODAN
Search engine used to ask questions about the hosts and networks that compose the Internet
Censys
What does an attacker examine to determine the software running and its behavior
Cookies
What do attackers use to perform automated searches on a target website
Web Spiders
What is a common Web Spidering Tool
Web Data Extractor
The process of creating an exact replica or clone of the original website to browse offline
Website Mirroring
Common Website Mirroring Tool
HTTrack Web Site Copier
Website used to find archived versions of websites
archive.org
Tool to extract metadata of public documents belonging to a target company
Metagoofil
Tool to check websites for updates and changes
WebSite-Watcher
What is a common email tracking tool
eMailTrackerPro
What tool provides social media monitoring across many different platforms?
Trackur
What is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name?
Whois
What is a common Geolocation Lookup tool?
IP2Location
What tool is used to find the network range of the target network?
ARIN Whois database
What is a web reconnaissance framework with modules, databases, and more that provides an environment in which open source web-based recon can be conducted?
Recon-ng
What is an open-source intelligence and forensics application used to deliver a clear threat picture of the environment that an organization owns (uses graphs and link analysis)?
Maltego
What is a tool used to scan word and PDF docs for metadata
FOCA
What is the first step in pentesting?
Footprinting
ISO 27002 outlines
Guidelines and practices for security controls
What does CSIRT provide?
Incident response services
What helps to avoid information leakage
Configure Web Servers
What filters are used for defense in depth?
TCP/IP and IPSec
What tool should a hacker use to find a company’s internal URLs?
Sublist3r
What will searching ‘site:target.com -site:Marketing.target.com accounting’ return?
Results matching “accounting” in the domain target.com but not on the site Marketing.target.com … Prefixing an operator with - tells Google to exclude that particular text from the results
If you want to find all Wikipedia pages on SQL injection attacks what will you search?
SQL injection site:Wikipedia.org
What command does an attacker use for nslookup interactive mode?
set type=ns
What tool would you use to find the location of routers, servers, and IP devices in a network?
Traceroute
Which flags do SYN scans deal with?
SYN, ACK, RST
What tool allows an attacker to create custom network packets
Colasoft Packet Builder
What type of packets can bypass network firewalls and IDS
fragmented
What is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests?
Hping2 / Hping3
What scanning searches for a firewall and its rule sets?
ACK Scanning on Port 80
What does -Q accomplish in hping3?
Collects all the TCP sequence numbers
What is a tool for troubleshooting, monitoring, and detecting devices on your network?
NetScan Tools Pro
What type of device does IP Scanner scan?
Mobile
What does an ICMP query or ICMPush send from a UNIX system to learn the target system time zone?
ICMP type 13
What is ICMP type 17
Address Mask Request
What is used to determine live hosts from a range of IP addresses?
Ping Sweep
What scan do you use to identify active devices and determine if ICMP can pass through a firewall?
ICMP Scanning
What do you use to map active devices and calculate subnet masks?
Ping Sweep
What ICMP scan determines which hosts are active in a target network by pinging all machines in the network?
ICMP Echo Scanning
What do you do to make a TCP connection half open? (Stealth)
Send a RST right before the handshake is complete
What flags are set in an XMAS probe?
FIN, URG, PUSH
What is a disadvantage of Inverse TCP flag scanning?
Requires super-user privileges
What is the boundary value (TTL) of a RST packet that determines if a port is open
TTL Less than 64
A Window size on RST packet that is not 0 means what?
That port is open
If the TTL value for all packets in an ACK flag probe are the same what type of scan do you need to do?
WINDOW based
What does a RST response from a target in an ACK flag probe tell you?
No firewall is present (Port is not filtered)
What type of ports do Spyware and Trojan Horses use?
UDP Ports
What two protocols detect plug and play devices?
SSDP
UPnP
What outbound ICMP message type should be blocked
type-3 unreachable
What rule set blocks IP fragmentation in Linux?
CONFIG_IP_ALWAYS_DEFRAG
What is the nmap command for random decoy scan?
nmap -D RND:10 [Target IP]
What is the nmap command for manual decoy scan?
nmap -D decoy1,decoy2,decoy3,…real IP,…[Target IP]
What would you check to see if a packet is spoofed?
TTL of reply to source IP and see if it matches
If an attacker is sending spoofed packets on the same subnet what would you view next to see if the source IP is spoofed?
IP Identification number
What is a common proxy tool for mobile devices?
Shadowsocks
What is the Linux TTL
64
What is the Windows 7 TTL
128
What are the Pen Test steps?
- Host Discovery (Live Hosts)
- Port Scanning
- Scan Beyond IDS and Firewall
- Perform Banner Grabbing (Find OS)
- Draw Network Diagram
- Document Findings
In which phase does an attacker use steganography and tunneling?
Clearing Tracks
What is the difference between OWASP and OSSTMM?
OSSTMM addresses controls and OWASP does not
Low humidity in a data center can cause what?
Static Electricity
What is true regarding N-Tier architecture?
> Each layer must be able to exist on a physically independent system
> Each layer should exchange information only with the layers above and below it
When does PCI-DSS require organizations to perform external and internal penetration testing?
At least once a year and after any significant upgrade or modification
What is the best type of vulnerability assessment for smartphones?
Host-Based Assessment
Is querying the published name servers of a target passive or active footprinting?
Active
If an attacker is attempting to get information about sub-domains to learn about different departments and business units what should they do?
Use online services such as netcraft.com
What database is used to delete the history of a target website?
archive.org
What technique is used to create complex search engine queries?
Google Hacking
What is not an objective of network scanning?
Discovering usernames and passwords
What relies on sending an abnormally large packet size that exceeds TCP/IP specifications? (This exploits the fragmentation and reassembly implementation.)
Ping of Death
What is the most likely cause of ICMP Code 3 reply?
UDP Port is closed
What would an attacker use to get a response using TCP?
Hping
If an attacker is attempting to scan an internal corporate network from the internet without alerting the border sensor what will they use?
Tunneling scan over SSH
What is a routing protocol that allows the host to discover the IP addresses of active routers on their subnet by listening to router advertisement and soliciting messages on their network?
IRDP (ICMP Router Discovery Protocol)
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response? (active or passive)
Active
What tool is designed to find potential exploits in Windows?
Microsoft Baseline Security Analyzer
What feature can you implement with NMAP to avoid detection by an IDS?
Timing options to slow the speed that the port scan is conducted
If stealth is not an issue with an NMAP scan what would you use for the most reliable results?
Connect scan (TCP Connect Scan)
What ports do TCP and UDP use to interact with printers?
515 and 631
What are the five zones?
- Internet
- Internet DMZ
- Production (Restricted)
- Intranet
- Management
Mandatory rules used to achieve consistency
Standards
What provides the minimum security level necessary
Baselines
Flexible, recommended actions users are to take in the event there is no standard to follow
Guidelines
Detailed step-by-step instructions for accomplishing a task or goal
Procedures
What framework enables clear policy development, good practice, and emphasizes regulatory compliance. It also categorizes control objectives into domains.
COBIT
What makes conspiracy to commit hacking a crime
Computer Fraud and Abuse Act
(Operator) Searches only for files of a specific type (DOC, XLS, and so on)
filetype:type
Ex: filetype:doc
(Operator) Displays pages with directory browsing enabled, usually used with another operator.
index of /string
Ex: “intitle:index of” passwd
(Operator) Displays information Google stores about the page itself
info:string
Ex: info:www.example.com
(Operator) Searches for pages that contain the string in the title.
intitle:string
Ex: intitle:login
(Operator) Displays pages with the string in the URL.
inurl:string
Ex: inurl:passwd
(Operator) Displays linked pages based on a search term
link:string
(Operator) Shows web pages similar to webpagename
related:webpagename
(Operator) Displays pages for a specific website or domain holding the search term.
site:domain or web page string
Ex: site:anywhere.com passwds
What can be used to check web pages for changes, automatically notifying you when there’s an update
WebSite-Watcher (aignes.com)
DNS Record, defines the hostname and port number of servers providing specific services, such as a Directory Services server
SRV (Service)
DNS Record, identifies the primary name server for the zone.
SOA (Start of Authority)
DNS Record, maps an IP address to a hostname for reverse DNS lookup
PTR (Pointer)
DNS Record, identifies your e-mail servers within your domain
MX (Mail Exchange)
DNS Record, maps a domain to an IP address
A Record
Manage North American IPs
ARIN
Manage Asia Pacific IPs
APNIC
Manage Europe IPs
RIPE
Manage Latin America’s IPs
LACNIC
Manage African IPs
AfriNIC
NSLookup syntax
nslookup [-options] {hostname | [-server]}
NSLookup command for a zone transfer (to list all records in the DNS domain)
ls -d
or
ls -t ANY
Dig syntax
dig @server name type
What are the three options in Colasoft Packet Builder
Packet List
Decode Editor
Hex Editor
RPC Port Number
TCP 135
NetBIOS Port Number
TCP / UDP 137 - 139
IMAP Port Number
TCP 143
SMB Port Number
TCP 445
What is a tool that displays a list of all currently open TCP/IP and UDP ports on your computer?
CurrPorts
ICMP Message Types
0: Echo Reply
3: Destination Unreachable
4: Source Quench
5: Redirect
8: Echo Request
11: Time Exceeded
What is the first type of ping sent?
Type 8: Echo Request
ICMP Type 3 Codes
0 - Network Unreachable
1 - Destination Unreachable
2 - Protocol Unreachable
3 - Port Unreachable
6 - Network Unknown
7 - Host Unknown
9 - Network administratively prohibited
10 - Host administratively prohibited
13 - Communication administratively prohibited
Scan. Runs through a full connection on ports, tearing it down with a RST at the end. Open ports will respond with a SYN / ACK and closed ports will respond with a RST
Full Connect Scan (TCP Connect)
Scan. Only SYN packets are sent to ports. Open ports respond with a SYN/ACK
Stealth Scan (Half Open Scan)
Scan. Uses FIN, URG, or PSH to poke at system ports. If the port is open there will be no response. If the port is closed there will be a RST/ACK
Inverse TCP Flag Scan
Null Scan
Scan. Attacker sends the ACK flag and looks at the return header
Ack Flag Probe
In Ack flag probe what two things tell that the port is open?
> TTL is less than 64
> Window size on the RST packet has a value other than zero
What does it mean if an ACK flag probe does not receive a response
There is a stateful firewall between the attacker and the host
Scan. Uses a spoofed IP address to elicit port responses during a scan. Then reviews the IPID to see if it increases by 2
IDLE Scan
Nmap ACK scan switch
-sA
Nmap FIN scan switch
-sF
Nmap IDLE scan switch
-sI
Nmap DNS scan switch
-sL
Nmap NULL scan switch
-sN
Nmap Protocol scan switch
-sO
Nmap disable port scan. Host discovery only.
-sn
Nmap RPC scan switch
-sR
Nmap SYN scan switch
-sS
Nmap TCP Connect scan switch
-sT
Nmap Window scan switch
-sW
Nmap XMAS scan switch
-sX
Nmap ICMP ping scan switch
-PI
Nmap No ping scan switch
-P0
Nmap SYN ping scan switch
-PS
Nmap TCP ping scan switch
-PT
Nmap Normal output scan switch
-oN
Nmap XML output scan switch
-oX
Nmap Serial, slowest scan switch (paranoid)
-T0
Nmap Serial, normal speed scan switch (Polite)
-T2
Nmap Parallel, normal speed scan switch
-T3
Nmap Parallel, fast scan switch (Aggressive)
-T4
Hping switch to ICMP ping
-1
Hping switch to UDP scan
-2
Hping switch to scan multiple ports
-8
Hping switch for listening mode
-9
Hping switch to send packets as fast as possible
--flood
NetBios, Domain Master Browser
1B
NetBios, Domain Controller
1C
NetBios, Master Browser for the subnet
1D (Group)
NetBios Hostname
00
NetBios Domain Name
00 (Group)
NetBios Service Running on the system
03
NetBios server service running
20
What are the 3 SMTP commands
- VRFY (validates users)
- EXPN (provides actual delivery addresses of mailing lists and aliases)
- RCPT TO (defines recipients)
Windows driver for NIC to act promiscuous
WinPcap
Linux driver for NIC to act promiscuous
Libpcap
IPv6 address reserved for link-local addressing
fe80::/10
What is the process of legally intercepting communications between two or more parties
Lawful Interception
What does the US government use to collect foreign intelligence coming into U.S IPs
PRISM
Planning Tool for Resource Integration, Synchronization, and Management
What do you configure to get a switch to send a packet to your device and the intended device simultaneously (sniffing the packet)
Span Port or Port Mirroring
What is it called to send so many MAC addresses to the CAM table it can’t keep up, effectively turning it into a hub
MAC flooding
What is it called to flood a CAM table with unsolicited ARPs creating a race condition between a bad MAC and the real one
Switch Port Stealing
Wireshark string to say “Exactly This”
==
Wireshark string to say both of these must be true
&&
Wireshark string to say either or
|| (or)
Wireshark string for IP source
ip.src
Wireshark string for IP destination
ip.dst
What are the Wireshark flag numbers
- FIN = 1
- SYN = 2
- RST = 4
- PSH = 8
- ACK = 16
- URG = 32
TCPdump switch for listening mode
-i
TCPdump switch to write to a file
-w
Wireshark string for TCP packets containing (name)
tcp contains (name)
What command is used to query the ntpd daemon about its current state
ntpdc
What command collects the number of time samples from a number of time sources
ntpdate
What command determines from where the NTP server gets time and follows the chain of NTP servers back to its prime time source
ntptrace
What command monitors NTP daemon ntpd operations and determines performance
ntpq
In Windows, what command could be used to list active (running) services
sc query
What information is collected using enumeration?
- Network resources
- Network shares
- Machine names
- Routing tables
- SNMP and FQDN details
- Users and groups
- Applications and banners
- Audit and service settings
What enumeration technique is used to replicate DNS data across many DNS servers
DNS Zone Transfer
What step in enumeration serves as an input to many of the ping sweep and port scanning tools
Calculate the subnet mask
What step in enumeration extracts information about encryption and hashing
IPsec enumeration
What protocol provides reliable multi-process communication service in a multi network environment
TCP
What Windows utility allows an attacker to perform NetBIOS enumeration?
nbtstat
What are the NetBIOS enumeration tools?
Hyena
Netscan Tools Pro
SuperScan
What are common SNMP enumeration tools
OpUtils
SNScan
What protocol enables an attacker to enumerate user accounts and devices on a target system?
SNMP
What protocol is responsible for accessing distributed directories and access information such as valid usernames, addresses, departmental details, and so on
LDAP
What SMTP command tells the actual delivery addresses of aliases and mailing lists?
EXPN
What SMTP command defines the recipients of the message
RCPT TO
What port is Global Catalog Service
TCP / UDP 3268
What port is IKE
UDP 500
What ports are SIP
TCP / UDP 5060 / 5061
What port is RPC endpoint Mapper?
TCP / UDP 135
What port is NBNS (NetBIOS Name Service)?
137
Why would an attacker use NetBIOS enumeration?
> Find a list of computers that belong to a domain
> Find policies and passwords
What command line tool would you use to display NetBIOS information
nbtstat
What is the first step in enumerating a Windows system
Take advantage of the NetBIOS API
What command line tool would you use to display a list of computer or network resources in a specified workgroup or shared resources available on the specified computer
net view
SNMP command to request information from SNMP agent?
GetRequest
SNMP command to continuously retrieve data stored in the array or table?
GetNextRequest
SNMP command to satisfy a request from the SNMP manager
GetResponse
SNMP command to modify a value in a parameter within the SNMP agent’s MIB
SetRequest
SNMP command to inform a SNMP manager of a certain event
Trap
What is a common LDAP enumeration tool
Softerra
JXplorer
What is a common NTP Enumeration tool
PRTG Network Monitor
What does RPC Enumeration tell an attacker?
Vulnerable services on a service port
What is the first step in enumeration and the tool used?
Find the network range - Whois
2nd step in enumeration
Calculate the subnet mask
Where does Microsoft store password hashes?
SAM File
C:\windows\system32\config folder
What represents the root directory in Linux
/
What Linux directory holds numerous basic Linux commands?
/bin
What Linux folder contains the pointer locations to the various storage and input/output systems you will need to mount if you want to use them, such as optical drives
/dev
What Linux folder contains all the administration files and passwords
/etc
What Linux folder holds the user home directories
/home
What Linux folder holds the access locations you’ve actually mounted
/mnt
What Linux folder is the repository for most of the routines Linux runs (known as daemons)
/sbin
What Linux folder holds almost all of the information, commands, and files unique to users
/usr
What occurs in each hacking step
- Reconnaissance -> Reconnaissance
- Scanning -> Discovery and Port Scanning, Enumeration
- Gaining Access -> Cracking Passwords, Escalating Privileges
- Maintaining Access -> Executing Applications, Hiding Files
- Clearing Tracks -> Clearing Logs
What are the four password cracking types
> Non-electronic
> Active Online - includes dictionary, brute force, hash injection, phishing, trojans, password guessing, etc.
> Passive Online
> Offline
In Linux, what provides information on the user and host machine
finger
What is a split horizon DNS
Using an internal DNS for your end users and a separate external DNS to make your site routable
What port is BGP
179
What port is Syslog
514
What defines a user identity and authentication information in Windows
Security Context
What do Access Control Lists utilize in Windows
Security Context
In Windows, what identifies users, groups, and computer accounts
Windows Security Identifier (SID)
In Windows, what is a portion of SID that identifies a specific user, computer, or domain?
Windows Resource Identifier (RID)
What RID number shows the admin?
500
What RID shows the first user?
1000
What Linux command provides information on the RPC in the environment?
rpcinfo
What Linux command displays all the shared directories on the machine
showmount
What are small GUI containers for specific tools in Windows
Microsoft Management Consoles (MMC)
Linux command, adds a user to the system
adduser
Linux command displays the contents of a file
cat
Linux command to make copies
cp
Linux command that displays network configuration information (like ipconfig)
ifconfig
Linux command to kill a running process
kill
Linux command to display the contents of a folder.
ls (L S not I S)
Linux command to display the manual page for a command (like a help file)
man
Linux command to change your password
passwd
Process status command in Linux
ps
Linux command to remove files
rm
Linux command to perform functions as another user
su
Linux command to make a process run in the background
&
Linux command to make a process persistent after a user logs out
nohup
Linux command to see current security settings for the contents of the directory you are in
ls -l
What do d and - indicate in Linux when placed before rwx?
d = a folder; - = a file
Linux command to change read, write, execute permissions
chmod
Where are Linux passwords stored if not in a shadow file (encrypted file)
/etc/passwd
What is a type of virus that is designed to hide itself, often through encryption, from antivirus
Crypter
What type of virus is stored permanently in RAM?
Resident
What is the most common medium for transporting malware?
What tool attempts to get higher search engine ranking for malware pages
Blackhat SEO (Search Engine Optimization)
What is a type of Trojan that downloads other malware or malicious code and files.
Downloader
What program allows malware to be downloaded covertly
Dropper
What tool injects exploits or malicious code into other vulnerable running processes
Injector
What is a program designed to conceal malicious code
Obfuscator
What program compresses malicious code to make it unreadable
Packer
What is the difference between payload and exploit?
Exploit takes advantage of a vulnerability to allow the attacker to use a malicious payload that then does the harm
What state does a port go into after it has been infected with a trojan?
Listening
What binds a Trojan to a legitimate file (often .exe)
Wrapper
What is a common Trojan Construction kit
DarkHorse Trojan Virus Maker
What is a common Wrapper
IExpress Wizard
What is a common Crypter?
BitCrypter
What is a common Exploit Kit?
RIG Exploit Kit
What is a common RAT that is capable of accessing a camera, stealing credentials stored in browsers, and more?
njRAT
What is a tool to monitor subnets for MAC address changes to detect MAC spoofing?
XArp
How can you protect yourself against DNS spoofing
Use Infrastructure ACLS to filter DNS requests
What occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization (A1 on OWASP)
Injection Flaws (A1 on OWASP)
What is a flaw allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities? (A2 on OWASP)
Broken Authentication and Session Management (A2 on OWASP)
What is A3 in OWASP
Sensitive Data Exposure (credit cards, tax IDs, and authentication credentials)
What flaw can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, and more? (A4 on OWASP)
XML External Entities (XXE) (A4 on OWASP)
What is this attack? Attacker uploads XML or includes hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations.
XML External Entities
What tools can detect a lack of access control?
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
What is Broken Access Control in OWASP
A5
What is Security Misconfiguration in OWASP
A6
What is XSS (Cross Site Scripting) in OWASP
A7
What is Insecure Deserialization in OWASP
A8
What is Using Components with Known Vulnerabilities in OWASP
A9