Chapter 03: Information Gathering Flashcards

Question

Service and Version Identification

Answer 1

Service identification is done in one of two ways: 1. Connecting and grabbing the banner or connection information provided by the service 2. Comparing its responses to the signatures of known services

Answer 2

The ability to identify an OS based on the network traffic that it sends Typically done using TCP/IP stack fingerprinting techniques that focus on comparing responses to TCP and UDP packets sent to remote hosts The difference in how OS respond, what TCP options they support, the order in which they send packets, etc can often provide a solid guess at what OS you're probing

Answer 3

CLI flags for nmap: * -sS: TCP SYN * -sT: TCP connect / Full connect * -sU: UDP-only scan * -sA: TCP ACK (tests firewall rulesets) * -p: number ranges (1-65535) or names (http) * -T0 to -T5: slow to aggressive speeds * -sV: service version * -O: OS version * -Pn: disabling ping * -iL: input from a target file * -oX: XML output * -oN: normal output * -oG: greppable output (deprecated, XML replaced) * -oA: all output | Page 82-84 for all of them

Answer 4

Understanding the topology or layout of the network helps you design your scanning and attack process Topology maps can provide information about what systems and devices are likely to be accessible, and help you make decisions about when to pivot to a different target to bypass security controls Zenmap GUI for nmap can show topology, but not always accurate

Answer 5

Pentesters often attempt to determine the infrastructure and technical defenses that an org has in place This means using detection techniques during scans and testing and combining that information with OSINT where possible There are four types of detection needed for the exam: **Load Balancer Detection** * Uses tools like lbd (load balancer detector) to determine if there is a DNS or HTTP based load balancer in place * These tools analyze differences in headers and responses from servers to determine if there's a load balancer * Possible to perform a DNS query or even ping to see if multiple IPs resolve for a website and if TTL is different * WAFs can be detected by reviewing cookies, headers, and HTTP responses, and by looking at behaviors like the use of FIN/RST packets to end unwanted connections **Antivirus Detection** * Challenging since these tools don't provide a remotely visible signature or response * AV can be problematic for pentesters since it can detect and remove useful tools * BeEF (Browser Exploitation Framework) provides AV detection modules that can detect AV signatures on a target once access is gained **Firewall Detection** * Traceroutes can show where traffic no longer passes, but more detailed info takes more complex tools * nmap scans can test for firewalls, but firewall devices may prevent scanners from detecting them * Firewall detection pays attention to responses that may provide clues about what type of device is responding * Once a firewall is identified, the next step is to map the devices behind it with a tool like Firewalk * READ ME: https://www.kali.org/tools/firewalk/ **IDS/IPS and WAF Detection** * nmap has a NSE script that will attempt to determine if the target is proected by an IDS, IPS, or WAF * http-waf-detect * Tools like wafw00f and WhatWaf can also sometimes detect

Answer 6

Pentesters use Wireshark or TCPDump to gather info about a network including IPs, MACs, TTL, and data about services and the content of traffic when it's unencrypted **Kismet** * Kismet provides added features when sniffing wireless networks * Can find hidden SSIDs, passive association of wireless clients and APs, and tools that help decrypt encrypted traffic **Bluetooth** * The most common non-WiFi wireless implementation that pentesters encounter * Short range makes it challenging to intercept without getting close to target * Relatively insecure, makes it easier to gather info if you can get within range or gain access to a system that can provide that access

Answer 7

Usually requires internal access to a network and may not be in the first round of active recon activities Requires you to acquire the community string used by the network devices, and a lack of a response from a system doesn't mean that there isn't a system at the IP Four possible reasons a lack of response could occur: * Wrong community string * System may be unreachable * SNMP server may not be running * SNMP is using UDP and response wasn't received yet (maybe not ever)

Answer 8

Pentesters sometimes need to interact with packets and traffic directly to gather the information they need Manual or tool-assisted packet creation can allow you to send packets that otherwise wouldn't exist You can also modify legitimate packets with your own paylods There are four tasks that packet crafting and inspection involve: * Packet review and decoding * Assembling packets from scratch * Editing existing packets to modify their content * Replaying packets Wireshark is helpful for packet analysis, but pentesters use other tools for packet crafting like Hping, which lets you create custom packets EX: Sending SYN packets to a remote system with Hping * hping -S -V targetsite.com -p 8080 Other popular tools aside from Hping are Scapy, Yersinia, and Netcat **DION NOTES** You may want to craft packets when: * Trying to set unusual TCP flags to see how a firewall responds to that, and whether if you can get a packet through defenses *EX: Some legacy firewalls with strict TCP interpretation will allow Christmas Tree attack packets through* * If you want to fragment packets, breaking them up in order to sneak them by a sensor on an IPS * Additionally, fragmented packets can be made so they don't reassemble, which starts consuming up the resources on a given system or service which can lead to DoS *The Goal* * Use as few packets as possible to reach our desired objective * We want to be silent, sneaky, and evade detection

Answer 9

Address Resolution Protocol traffic Used to determine which host has what IP address ARP request and response that's captured with Wireshark looks like: "who has IP?" "Tell IP"

Answer 10

The most common way to do this through exposed services are SMB and SNMP Once you gain access to systems, you can also directly enumerate users from files, directories, and sometimes directory services In many orgs, user accounts are the same as email accounts which makes email user enumeration crucial

Answer 11

**theHarvester** * Program that gathers information about targets: * Emails * Emplyee names * Subdomains * Host information * Open ports * Banners from search enines (including Shodan) **Metasploit** * Also includes similar functionality with email harvesting tool * /auxiliary/gather/search_ email _collector

Answer 12

Groups come in many forms like AD groups in a domain to group management tools built into identity management suites Groups also exist in apps and service management infrastructure Understand what groups exist and what rights, roles, or permissions are associated with them Pentesters often target group management interfaces and tools because adding an unprivileged user to a privileged group can provide an easy way to gain additional privileges without having the user directly monitored EX: If your target supports SNMP, and you have the right community string, you can use snmpwalk to enumerate users

Answer 13

Shows focal points and interconnections between social media users Helps understand how users relate to each other

Answer 14

Enumerating Samba (SMB) shares seeks to find all shares, which are readable and writable, and any additional information about the shares that can be gathered SMB scanners are built into a varity of vulnerability scanning tools Purpose-built SMB scanners as well, like SMBMap nmap includes the smb-enum-shares and smb-enum-users NSE scripts

Answer 15

**Web Crawling** Uses tools, called spiders, follow links defined by scoping settings that determine if they can go to other domains, subdomains, or websites, and how deep through links they go This can help you identify web content and directories, and reveal where useful information is or where it's accessible but not linked **Web Scraping** Similar but it captures the information, web pages, and other data found on a site Pentesters can gather data and search through it for information like emails, directories, filenames, etc Scraping social media sites can reveal important contacts, job responsibilities, tech the org uses, ad details of job postings that hit about the org infrastructure and skills

Answer 16

A robots.txt file tells serach engines and outher automated crawlers to ignore specific files, directories, or other materials on a site Since these files aren't intended to be indexed, they're potentailly useful for pentesters—manual validation of the contents of those files and directories is a common practice Pentesters also review web links to check for interesting directories If files are stored on a directory, you can see if it has indexing turned on by visiting that directory manually or check for common filesnames by guessing based on other links elsewhere

Answer 17

Sites like Glassdoor can show the overall tone for a workplace and employee satisfaction Place to target social engineering attack victims News sites, PRs, and articles can provide info about the org's reputation as well

Answer 18

Enumerating all of an org's applications can be challenging, especially in a secure environment Pentesters can often only connect to public apps in the early phases of a pentest and then must continually reassess what apps and services are accessible as they go deeper

Answer 19

Application assessments rely on knowing information about the apps, like name, version number, underlying web server and app stack, host OS, etc Fingerprinting applications usually starts with banner grabbing with Netcat EX: nc 10.0.2.5 80 GET / HTTP/3.0 nmap can also provide similar answers with -sV flag **DION NOTES** * Banner grabbing uses a program like netcat, wget, or telnet to connect to a given port that's running a service * When you connect to that port, the service responds in a particular way, like providing what service is running on the port, what version of the service is being run, etc * netcat gives responses as plain text and interact with service * EX: nc diontraining[.]com 80 GET /HTTP/1.1 * This will display the server name and version * You can determine the version of the Apache web server that's being run, which gives info to identify vulns * EX: wget [domain or IP] -S * Zenmap, nmap, and metasploit will automate this with packet crafting and manipulation

Answer 20

The certs that an org's website present can be useful nmap can gather this information with ssl-cert NSE script, and all major vulnerability scanners have the ability to grab and validate cert information Web app vulnerability scanners also specifically build in this capability Knowing what certs are in use, if they're expired, revoked, or otherwise problemactic is big because it points to cryptographic flaws or other admin or support issues that can be exploited Certs are also used for users and services, and may be acquired during later stages of the pentest—user and service certs and keys are typically tracked as they are acquired rather than directly enumerated

Answer 21

Tokens are used many places, like between Windows systems, for web app access, and throughout infrastructure where systems and devices need to communicate They're a prime target for pentesters who want to acquire legitimate tokens that they can use or to forge legitimate tokens for their own purposes The exam focuses on three key areas for tokens: **Scoping Tokens** * Tokens may specifically identify a user and then limit the actions that user can take based on their scope * They may identify an app and limit the actions it can take in a given scope * Set of limitations and conditions on a token that determines what it can do and where it can do it * Acquiring a token without scoping limitations, or with limitations that allow you to perform desired actions, is a pentesters goal **Issuing A Token** * Use the token-issuing system to issue arbitrary tokens that match your needs * Obtain the ability to sign your own tokens * Targeting the issuing server or process as well as the secret signing key are both common in token-based pentesting **Revocation of Tokens** * If tokens are revoked, you may not be able to keep using it * Understand how tokens can be revoked, if the app or service properly handles token revocation, and if you can avoid having a token that you issued or acquired be revoked

Answer 22

Assets like apps, servers, or other elements of an infrastructure can be challenging to discover You have to be careful you don't inadvertantly probe assets outside your scope and RoE Pentesters need to confgure their tools to limit IPs, domains, or depth of links that they scan or test There's still a clear cut need to test third party hosted assets though, so take these design elements into account

Answer 23

Tools like CloudBrute can help you discover a target's cloud infrastructure for IaaS providers like Amazon, Google, and Microsoft These tools attempt to discover cloud apps and storage Discovering storage buckets and apps can provide you with additional targets or even direct access to data / security keys if the storage buckets are unsecured

Answer 24

The most accessible code is often found in scripts and other interpreted code Most scripts and interpreted code may not be accessible during the initial active recon phase, but once you've bypassed outer layers you're likely to recover code that you can analyze

Answer 25

Compiled code must be decompiled before it can be analyzed, so you need a decompiler to pull it apart and provide readable source code

Answer 26

If you have the source code for a program, you can also use a debugger to review it Like with decompilation, you're unlikely to get this code in the early phases of a pentest but analyzing souce code is still a common way to gather additional information Debuggers are built into the same tools you'd use for manual code review: Eclipse, Visual Studio, etc

Answer 27

Typically relies on a few common defenses: * Limit external exposure of services to those that absolutely must be exposed * Use an IPS or similar defensive tech that can limit or stop probes to prevent scanning * Use monitoring and alerting systems to alarm on events that continue despite these preventative measures

Answer 28

This is more challenging than active recon prevention because it relies on controlling the information that they release

Answer 29

Figuring out exactly what types of systems the org uses to be able to attack them in the next phase of the pentest (attacks and exploits)

Answer 30

**Metagoofil** * Linux based tool that can search the metadata associated with public documents located on a target's website * Relies on Python to locate metadata within different files like Excel, Word, PowerPoint, OpenOffice Writer, Calc, and BASE * Metadata like author, company who created it, title, subject, words in document, how long you spent editing it, etc * Can run on any system because it's running on Python interpreter **FOCA** * Fingerprinting Organizations with Collected Archives * Used to find metadata and hidden information in collected documents from an org * Take all Word, Excel, and ppt docs that a company created on Google (by dorking) and then run it through FOCA * Uses GUI vs Metagoofil CLI * Has to run on Windows, won't work on Linux **The Harvester** * Program for gathering emails, subdomains, hosts, employee names, email addresses, PGP key entries, open ports, and service banners from servers **Shodan** * A website search engine for web cameras, routers, servers, and other devices that are considered part of the IoT * It will show you webcams that are public-facing, but shouldn't be, or it will show you devices with default passwords, etc * Think of it like Google for devices **Maltego** * Commercial software used for conducting OSINT that visually helps connect relationships between pieces of information * You can map emails, job titles, etc to find paths to specific people at an organization * Chaining from one person, machine, or network to the next one * Can also automate the querying of public sources of data and then compare it with other information from various sources **Recon-ng** * Uses a system of modules to add additional features and functions for your use * EX: Module that can conduct WHOIS queries to identify admin and technical points of contact * EX: Module that conducts PGP key searches * EX: Module for social media profile searching * File crawling, DNS enum, have I been pwned breach, etc * Python script for x-platform * A complete tool like metasploit **Censys** * Website search engine used for finding hosts and networks across the internet with data about their configurations * Similar to Shodan in that it's a website

Answer 31

metagoofil -d udemy[.]com -t doc,ppt,pdf -l 50 -n 25 -o UdemyFiles -f **Meaning** * -d = domain * -t = file type * -l = limit the number of searches * -n = number of downloads * -o = output directory * -f = create a file in one combined html file

Answer 32

theHarvester -d udemy[.]com -l 5 -b google **Meaning** * -d = domain * -l = limit number of results * -b = search engine to use

Answer 33

**Address (A) Record** * Links a hostname to an IPv4 address **AAAA Record** * Links a hostname to an IPv6 address **Canonical Name (CNAME) Record** * Points a domain to another domain or subdomain * Maps an alias name to a true or canonical domain name **Mail Exchange (MX) Record** * Directs emails to a mail server **Start of Authority (SOA) Record** * Stores important information about a domain or zone * A zone is all of the information about a given domain name, including A, CNAME, MX, etc **Pointer (PTR) Record** * Correlates an IP with a domain name * Opposite of an A record * Always stored under .arpa, which is the top level domain used when dealing with PTR records **Text (TXT) Record** * Adds text into the DNS * Allows us to have machine readable data that's added into records * Used for different reasons, including to say that this domain is authored by someone **Service (SVR) Record** * Specifies a host and port for a specific service * You can set up something for chat services, or VoIP with this SVR record **Nameserver (NS) Record** * Indicates which DNS nameserver has the authority * If you buy a blog domain from GoDaddy, they're the NS * If you want to switch from GoDaddy to Google Domains, you have to change the NS record to show Google is the new NS **DION NOTES** * As a pentester, you want to pull up all the DNS records to check for relevant information * EX: If you look up a domain, you can see what type of web server, email server, record server for domains, servers for third party, etc * Focus on MX, TXT, and SRV records to check for email and third-party SaaS solutions * This will show you many targets you may not have discovered otherwise

Answer 34

**nslookup** * Name Server Lookup * X-platform tool used to query the DNS to provide the mapping between domain names and IPs or other DNS records * Alt tools are dig and host **WHOIS** * CLI tool on Linux, also a website, that's a query and response protocol for internet resources * Shows who registerd the domain * Name and address of who owns the domain * Email and phone for person who registered * Billing POC, tech POC, other admin POC * See domain registrat which can be used for phishing (pretend to be registrar) * Also find the status of the domain (when up for renewal, etc) * NS records to possibly zone transfer

Answer 35

Google Hacking Database * Provids a database of search strings optimized for locating vulnerable websites and services * Pairs with Google dorking (hacking)

Answer 36

Checks the validity of certs or potential vulnerabilities to exploit within target servers If you look at the cryptographic information for a web server, you should be able to determine if they're using SSL 2, SSL 3, TLS 1.0, 1.1, 1.2, or 1.3

Answer 37

Defines the algorithm supported by the client and server when requesting to use encryption and hashing **TLS 1.2** ECDHE RSA AES128 GCM SHA256 * Elliptic curve diffie hellman ephemeral mode to negotiate the session key agreement * RSA for digital signatures * AES with Galois/Counter Mode with 128 bit block size for symmetric bulk encryption * SHA256 hashing algorithm to conduct message autentication **TLS 1.3** TLS AES 256 GCM SHA384 * TLS 1.3 protocol will use an ephemeral key agreement since it's the only one supported by the protocol * AES Galaois/Counter Mode with a 256 block is used for symmetric bulk encryption * SHA384 is used to support cryptographic hashing functions for us **DION NOTES** * As a pentester, understand how to read cipher suites because you may be looking at a vuln scan report and ID which one is most vulnerable because it's using an insecure suite * To test, go to ssllabs[.]com and enter the website—it will display all the cipher suite information * EXAM NOTE: You don't need to know the ciphers themselves, but you should know that cipher suites are made up inside these protocols and as you negotiate those protocols you can downgrade to a lower protocol as part of an attack

Answer 38

When doing cryptographic inspection during recon, always inspect digital certificates to identify other potential targets or servers in digital certificate fields For example, there is the Subject Alternate Name (SAN) Field: * Allows the use of digital certificates with other domains in addition to the main domain * AKA multi-domain certificate because it can spport multiple different domain names with one cert * Doesn't support subdomains, that needs to have a wildcard cert **DION NOTES** * As a pentester, look at the SAN field or wildcard field to check for other domains or subdomains to investigate as part of your scope

Answer 39

**Certificate Pinning** * A method of trusting digital certificates that bypass the CA hierarchy and chain of trust in order to minimize on-path attacks * Without this, when establishing a TLS encrypted tunnel, attackers can attempt to substitute a malicous but trusted cert into the chain of trust that includes the client, the server, and the intermediate or root CA in an on-path attack * This allows attackers to eavesdrop on supposedly secure comms between client and server * This is considered insecure and not used **Certificate Stapling** * Allows a web server to perform certificate status checks instead of using the browser * The server checks the status of the certificate and provides the browser with a digitally signed response from the OCSP responder * This allows the cert holder to get the OCSP record from the server at regular intervals, and then include it as part of the SSL/TLS handshake * Eliminates the need for additional connection at the time of the request **HSTS** * HTTP Strict Transport Security * Allows a web server to notify web browsers to only request using HTTPS and not HTTP * You have to use an encrypted tunnel to connect **DION NOTES** **Eight Phases of Certificate Management** 1. Generate 2. Provision 3. Discover 4. Inventory 5. Revoke 6. Renew 7. Protect 8. Monitor **OCSP** Online Certificate Status Protocol * Determines the revocation status of a digital certificate using its serial number * If you don't use OCSP you can have the server check the full CRL **Certificate Pinning** A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust * Deprecated **Certificate Stapling** Allows a web server to perform certificate status checks instead of the browser * Server obtains a OCSP timestamp from the CA **HSTS** HTTP Strict Transport Security * Allows a web server to notify web browsers to only request using HTTPS and not HTTP * Strict-Transport-Security header with an expiration date and time

Answer 40

If you're inside the network, you can use living off the land techniques and use the tools already on the host to enumerate **net** * net view = shows a list of all network shares available from that workstation that are being served by other hosts on the network **arp -a** * Displays the ARP cache * ARP cache is a list of all the other machine's MAC addresses that have recently communicated with the host you're currently on **ipconfig** * Determines the IP of the current machine you're on * ipconfig /displaydns to see all the DNS names that have recently been resolved on that computer **Bash on Linux** * finger = show home user's directory, login name, current idle time * uname -a = OSS name, version, and other relevant details * env = environmental variables on a Linux system

Answer 41

Conducting an intensive scan with nmap returns information about the services running on a host's open ports For example, you can see that port 80 is open which means a web server is there—but you're not done enumerating that port because there are many web servies that can run on port 80 HTTP like: * Apache * Microsoft IIS * ngix * LiteSpeed * and others

Answer 42

Windows domains, not website domains or DNS entries In Windows, everything is done with AD: * The database that stores, organizes, and enables access to other objects under its control * Connects all hosts to servers and those server's resources via Kerberos Domains: * Contains Organizational Units (OU), and these domains can be consolidated into a tree, and multiple trees can become part of a forest (in larger orgs) * Considered the core of a Windows network * First domain is always considered the root domain * All other domains underneath the root domain (aka subdomains) are called children * By default there's an inherent trust relationship between children and the root domain that created them, which can be exploited by a skilled attacker OU: * Used within a domain to group together simimlar objects (computers, groups, users, etc) **When Enumerating a Domain** * If living off the land, you'll use PowerShell * If not LOTL, use nmap or metasploit *PowerShell* * Get-NetDomain = List the current logged in user's domain * Get-NetLoggedon = Get a list of all the users who are logged into a given computer (helpful if you get access to a server)

Answer 43

When enumerating users, you can also enumerate groups because many users are also part of a group as part of their access rights and permissions **PowerShell Example** * Assume you have gained initial access and logged in as a user with their creds * Get-NetGroupMember = Gets a list of domain members belonging to a given group * Once you know what group they're a part of, you can figure out what resources like servers and file shares you now have access to **What If No PS1 Access?** * net user = lists all the users on a given machine * net groups = lists all the groups on a given machine

Answer 44

Once you have a list of value URLs, you can use tools to gain more details about a web server or apps running on those URLs **nmap Example** * nmap --script=http-enum [target URL] * This will return information about about the services as well as the apps running the server like the CMS like Drupal, Joomla, or WordPress * Once you identify these you can link them to CVE to plan attacks and exploits

Answer 45

Seek to discover the resources used as well as any hidden information. To do so, you need to determine: * Software used to run the org's website * OS the server is using * If the server is hosted by the org under a first-party model or third-party CSP When alayzing a websites code, you'll find it's: * Created by a programmer or team using HTML, CSS, JS, etc * The site is built on top of a CMS (WordPress) or page builder (SquareSpace) *IF CMS BUILT* * Find CVE for the verions of software they're using to build and host *IF CUSTOM BUILT* * You need to identify your own vulnerabilities like SQL injection, XSS, caching server attacks When enumerating websites, you must find every page that exists on the website because any one page can hold a vulnerability—this can be done with website crawling and forced browsing **Website Crawling** * The process of systematicaly attempting to find every page on a given website * robots.txt tells web crawlers (aka spiders) what pages not to index—this is a good recon target for pentesters because it's areas the web devs don't want the public to see * DirBuster is how you can brute force all these pages **Web Scraping / Harvesting / Data Extraction** * Technique used for extracting data from websites performed using automation or through manual processes *CeWL (Custom World List Generator)* * A Ruby app that can crawl a given URL up to a specified depth and return a list of words that can be used with a password cracker *cewl -d 1 -m 6 -w wordlist.txt hxxps://diontraiing[.]com* * Check main page of diontraining * Scan down to a depth of one level below top directory structure * Find all words at least 6 letters long * Add words to wordlist.txt file

Answer 46

**Load Balancer** * Not a security device, but can cause trouble for pentesters scanning, enumerating, and attacking networks * Used to distribute traffic across multiple servers inside a server farm * Network scans might get sent to different servers as the requests come in which gives different answers and responses * Creates false positives or negatives, you need to know if there is a load balancer *LBD (Load Balancing Detector)* * lbd [domain you want to test] **Firewall** * One of the easiest ways to detect if an org is using a firewall is to use traceroute (tracert) * If you see an asterisk where responses should be it indicates a security device like firewall, UTM, etc * You can use tools to map out firewalls *Firewalk* * firewalk -S[ports you want to use] i [interface] -n -pTCP [target] * Helps you map out the ACL on a firewall * With firewalking, you can move through the firewall and identify the rule sets **WAF** * Layer 7 firewall that uses specific rule sets to prevent common attacks against web apps like XSS and SQL inject * To get through WAF, you have to use obfuscation techniques to confuse the web apps, so they can't see data as easily * To detect a WAF, there are a few key givewaways: *Personalized Cookes in HTTP Packets* * Most WAF will add a personalized cookie in the HTTP packet that get sent back to someone scanning them, or someone trying to send data through the WAF * Looking at the cookies in the HTTP packets, you can identify if there's a WAF *Header Alterations* * Changes the original response header to confuse the attacker * If you start seeing abnormal header responses, there might be a WAF in place *WAF Notifications* * Sometimes the WAS is blatant in the fact that it's there and sends a page or header that says request blocked because protected by WAF **Antivirus** * Used to precent, scan, detect, and delete viruses or malware * Once installed, runs automatically in the background to prevent attacks * When doing scanning it's not a big deal, but when you move into attack and exploit it's a problem * To bypass AV you can: *Create a Metamorphic Virus* * Transforms the virus as it propagates through the network, hard for AV to detect *Signature Obfuscation* * Obfuscate a known signature with specialized tools and change the code for the exploit * One-time change, not metamorphic *Fileless Malware* * Use tools or paylaods that use fileless malware * A lot of OS embedded functions can be used to conduct malicious activities for you—PS1 scripts, cmdlets, bash utilities, etc * Challenging to detect, form of LOTL *Encryption* * Can eliminate the ability for the AV program to detect the malware through signatures alone * Pentesters will often encrypt their malicious payload and attach a stub that decrypts once it's on the victim machine (process injection and hollowing)

Answer 47

Open-source CLI spoofing tool that provides a pentester with the abilty to craft network packets in order to exploit vulnerable firewalls and IDS/IPS It can do many different functions like: * Host and port detection * Firewall testing * Timestamping * Traceroute * Fragmentation * DoS **Host and Port Detection / Firewall Testing** * Sends a SYN or ACK packet to conduct detection and testing hping3 -S -p80 -c1 192.168.1.1 * Send 1 SYN packet to port 80 * Stealthy because you're only sending one packet out to see if a machine is online hping3 -A -p80 -c1 192.168.1.1 * Send 1 ACK packet to port 80 **Timestamping** * Allows us to determine a system's uptime and how long the host has been online * If a server has been online for over a year, it's possible that they haven't installed all the patches or upgrades because you usually have to reboot servers when you do hping3 -c2 -S p80 --tcp-timestamp 192.168.1.1 * Sends 2 SYN packets to port 80 to determine uptime * 2 SYN is more effective than 1 when doing timestamp **Traceroute** * Uses arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces when ICMP is blocked on a given network hping3 --traceroute -V -1 [domain] **Fragmentation** * Attempts to evade detection from IDS/IPS and firewalls by sending fragmented packets across the network for later reassembly * Because you're using TCP you can send packets in any order you want, and the system will put them back together once it receives * In most modern systems, these are going to be caught **DoS** * Can be used to perform flood-based DoS attacks from randomized source IPs * Not likely to be effective against most modern OS and network appliances * But if you're going against legacy systems this can still work though, so it's still valid to try as a pentester (IF IN SCOPE) **READ ME**: https://cheatography.com/myke670/cheat-sheets/hping3/

Answer 48

Python-based interactive packet manipulation tool, packet generator, network scanner, network discovery, packet sniffer, and more all in one script It can replace most of what hping can do, a lot of what nmap can do, and other tools like ARP spoofing, ARPing, TCP dub, Enthrill, and PLF When using Scapy: * Define a set of packets * Send those packets * Receive the answers * Match requests with answers * Return a list of packet couples * Return a list of unmatched packets **EXAM NOTE** Usage of Scapy is not covered on the exam, but know that it's a packet crafting tool