Chapter 5 Tools of the trade Flashcards
What is a GUI in the context of operating systems?
A GUI, or graphical user interface, allows users to interact with the system through graphical elements like windows, icons, and buttons.
Why might one need to use the command line interface (CLI) instead of a GUI?
The CLI allows for more advanced and detailed control over the system, which may be necessary for certain tasks that GUIs cannot handle.
What is CMD in Windows?
CMD, or Command Prompt, is the classic command shell in Windows for executing commands and running scripts.
What is PowerShell and how is it different from CMD?
PowerShell is a more advanced shell in Windows that allows for more complex commands and scripting compared to CMD.
What is a shell in the context of operating systems?
A shell is a user interface for accessing an operating system’s services, typically through a command-line interface.
What is a bash shell?
The bash shell is a Unix shell and command language that is the default shell on many Linux distributions and macOS.
What is SSH used for?
SSH, or Secure Shell, is used to securely connect to a remote system’s shell over a network.
How does the ping command help in network diagnostics?
Ping checks the connectivity to another system by sending packets and measuring the response time, verifying that the systems are physically connected and can communicate.
What is the purpose of the ping -t command in Windows?
The ping -t command sends continuous ping requests to a specified address until stopped, unlike the default four pings.
What does the ipconfig command do in Windows?
ipconfig displays network configuration details such as IP addresses, subnet masks, and default gateways for all network adapters.
What additional information does ipconfig /all provide?
ipconfig /all provides detailed network information, including the physical (MAC) address and DHCP details.
What is the difference between ipconfig and ifconfig?
ipconfig is used in Windows, while ifconfig is used in Unix-based systems like Linux and macOS to configure and display network interface parameters.
How do you release and renew a DHCP lease using ipconfig?
Use ipconfig /release to release the current DHCP lease and ipconfig /renew to request a new lease.
What does the ipconfig /flushdns command do?
ipconfig /flushdns clears the DNS resolver cache, which can help resolve DNS-related issues.
Why is ping considered a fundamental networking tool?
Ping is simple, widely available on all systems, and provides quick verification of network connectivity and basic troubleshooting.
What can cause ping to fail even if the target system is operational?
A firewall on the target system might block ping requests, preventing responses.
What command would you use to verify that DNS resolution is working?
Use ping followed by a domain name to see if it resolves to an IP address, indicating that DNS resolution is functioning.
What is a common use of the ping command for security professionals?
Security professionals use ping to verify connectivity and network paths, and to troubleshoot network issues.
What are the benefits of using a command line interface (CLI)?
The CLI allows for scripting and automation of repetitive tasks, providing more detailed control and efficiency compared to GUIs.
What are the common types of shells in Windows?
CMD (Command Prompt) and PowerShell.
What is the primary use of PowerShell?
PowerShell is used for advanced system administration tasks, automation, and configuration management in Windows.
Name some shells available in Linux.
Bash, Zsh, and other Unix-like shells.
What is the Python shell used for?
The Python shell is used for executing Python commands and scripts directly.
How can using shells benefit system administrators?
Shells enable system administrators to automate tasks, manage systems efficiently, and perform complex configurations.
What is a reverse shell?
A reverse shell allows an attacker to remotely access and control a victim’s machine by reversing the connection back to the attacker’s machine.
What tool is commonly used to create reverse shells?
Netcat (nc).
What is Netcat and how is it used in reverse shells?
Netcat is a networking utility used for reading and writing data across network connections. In reverse shells, it can be used to listen on a port and execute commands remotely.
How can attackers trick victims into executing a reverse shell?
Attackers may use phishing emails or other social engineering tactics to trick victims into downloading and running malicious scripts.
What are some methods to prevent reverse shell attacks?
Educating users about phishing, using antivirus and anti-malware tools, implementing strong network security measures, and monitoring network traffic.
What are advanced persistent threats (APTs)?
APTs are long-term targeted attacks where attackers maintain a persistent presence on a network, often using techniques like reverse shells and backdoors.
What are some tools that can be used for penetration testing and exploiting vulnerabilities?
Metasploit Framework and Cobalt Strike.
What are legitimate uses of shells in system administration?
Running system commands, scripting for automation, managing network configurations, and troubleshooting issues.
Why is scripting important in the context of shells?
Scripting allows for automation of repetitive tasks, ensuring consistency and saving time for system administrators.
How do you spawn the Windows command line interface?
By using cmd.exe.
How can you open the command prompt with administrative privileges?
Go to the Start menu, type cmd, right-click on the command prompt, and select “Run as administrator.”
What command returns the name of your computer in Windows?
hostname
What command shows the current user in the command prompt?
whoami
How can you create and run a simple batch file in Windows?
Use Notepad to write commands (e.g., hostname and whoami), save the file with a .bat extension, and run it from the command prompt.
What command displays all the environment variables and their values?
set
How do you set a new environment variable in the command prompt?
set FaveColor=”Yellow”
How can you start PowerShell from within the command prompt?
Type powershell and press Enter.
How do you return to the regular command prompt from PowerShell?
Type exit in PowerShell.
Why might you need to use the command line instead of the GUI?
For tasks that require elevated privileges or for scripting and automating repetitive tasks.
What is the prefix in Windows 10 that indicates you are in a PowerShell prompt?
PS
What is the benefit of creating batch files?
Batch files allow you to automate repetitive tasks and create complex scripts to manage the system more efficiently.
How can environment variables be useful?
They can be used to store configuration values that applications may need to reference.
Can you run PowerShell commands from the regular command prompt?
Yes, by starting PowerShell from within the command prompt
What is Microsoft PowerShell?
An object-oriented scripting language and command-line shell designed for system and network administrators
On which platforms can Microsoft PowerShell run?
Windows, macOS, and Linux.
What is the file extension for PowerShell scripts?
ps1
How do you start PowerShell with administrative privileges?
Type PowerShell in the Start menu, right-click, and select “Run as administrator.”
What does it mean that PowerShell is object-oriented?
Outputs in PowerShell are objects with properties and methods, unlike text-based outputs in older shells.
How can you list all the modules available in PowerShell?
Use Get-Module -ListAvailable.
How can you get a list of all physical disks in a machine using PowerShell?
Use the Get-PhysicalDisk cmdlet.
What does piping do in PowerShell?
Piping (|) passes the output of one cmdlet to another for further processing.
How do you filter a list of running services in PowerShell?
Get-Service | Where-Object { $_.Status -eq ‘Running’
How do you select specific properties of an object in PowerShell?
Use the Select-Object cmdlet, e.g., Get-PhysicalDisk | Select-Object FriendlyName, MediaType, Size.
What command retrieves the current execution policy in PowerShell?
Get-ExecutionPolicy
How do you change the execution policy in PowerShell?
Use the Set-ExecutionPolicy cmdlet.
Why is the execution policy important in PowerShell?
It controls whether PowerShell scripts can run, helping to prevent the execution of potentially malicious scripts.
How do you list all services on a machine using PowerShell?
Use the Get-Service cmdlet.
What is the difference between text-based output and object-based output in PowerShell?
Text-based output is simple text, while object-based output contains structured data with properties and methods.
What does the cmdlet Get-AzVM do?
It retrieves a list of Azure virtual machines.
What is a key difference between Linux and Windows command lines?
Linux is case sensitive, whereas Windows is not.
Name three common types of Linux shells.
C shell, Korn shell, and Bash (Bourne Again Shell).
What is a shell script in Linux?
A text file containing a series of commands to be executed by the shell.
How do you make a shell script executable in Linux?
Use the chmod command to change the script’s permissions.
Why is it a security risk to sign in as the root user in Linux?
The root user has unrestricted access to the system, which can lead to accidental or malicious system damage.
What command allows you to run a command with root privileges without logging in as root?
sudo
What tool is commonly used to make a remote SSH connection to a Linux host?
Putty
What port does SSH typically use?
TCP port 22
How do you generate a public and private key pair for SSH authentication?
Use the command ssh-keygen -t rsa.
Where should the private key be stored for SSH authentication?
: On the device you are using to connect to the Linux host.
Where should the public key be stored for SSH authentication?
On the Linux host, typically in the ~/.ssh/authorized_keys file.
How do you change to your home directory in Linux?
Type cd and press Enter.
How do you display hidden files and directories in Linux?
Use the ls -a command
What command is used to display the contents of a file in Linux?
cat
How do you clear the terminal screen in Linux?
Use the clear command.
How do you list the current directory’s contents in Linux?
Use the ls command.
What command in Linux is used to mount a disk or network share to a directory?
mount
What command displays network interface configuration in Linux?
ifconfig
How do you check if a network connection is working by sending ICMP echo requests?
Use the ping command.
How do you stop a running command in the terminal?
Press Ctrl+C.
What is the alternative command to ifconfig that also shows network interfaces and IP addresses?
ip a
What file must be edited to list users who can run sudo commands?
The /etc/sudoers file.
Why are log files important in network and host monitoring?
Log files help verify normal operations, detect indicators of compromise, and assist in reverse engineering attacks.
What should be done to secure log files in case a device gets compromised?
Forward log entries to a centralized logging host on a protected network.
Name two tools in Windows for working with logs.
Event Viewer and PowerShell cmdlets like Get-EventLog.
Where are most log files stored in Linux?
In the /var/log directory.
What is the standard system log file in Ubuntu Linux?
/var/log/syslog
What command in Linux can write log entries, often used in scripts?
logger
What command in Linux can be used to view system logs with journal control?
journalctl
How can log forwarding be beneficial
It ensures that log data is preserved even if the original device is compromised
How can you filter log entries in Windows Event Viewer to show only specific event IDs?
Use the Filter Current Log option and specify the event ID.
What is the default log file for kernel messages in Linux?
/var/log/kern.log
How can you view the first 10 lines of a log file in Linux?
Use the head command, e.g., head /var/log/kern.log.
How can you view the last 10 lines of a log file in Linux?
Use the tail command, e.g., tail /var/log/syslog.
How can you view the entire content of a log file in Linux?
Use the cat command, e.g., cat /var/log/syslog
How can you search for specific entries in a log file in Linux?
Use the grep command, e.g., cat /var/log/syslog | grep “Dan”
What type of logs can be found in the Windows Security log?
Logon failures, audit failures, and other security-related events
Why might it be important to centralize log collection?
To ensure logs are protected and available for analysis even if individual devices are compromised.
What Windows PowerShell cmdlet can retrieve event logs?
Get-EventLog
How do you clear the screen in a Linux terminal?
Use the clear command.
What is the purpose of centralized logging?
To collect log data from various devices and hosts on a network and store it in a protected central location for easier monitoring and analysis.
What protocol is commonly used to acquire information about devices over the network?
SNMP (Simple Network Management Protocol).
What is an MIB in SNMP?
MIB stands for Management Information Base, a database containing statistics and configuration settings for devices.
What are SNMP traps?
Alerts triggered by specific events, such as bandwidth thresholds being exceeded, sent to an SNMP management station.
What open-source tool can be used for log collection and often uses SNMP?
Nxlog.
What is syslog forwarding in Linux?
A method to send log files to a centralized log host, typically over UDP port 514
What does the wecutil qc command do in Windows?
It configures the Windows Event Collector utility for quick configuration, enabling WinRM traffic for log forwarding.
How can centralized logging be enabled in Windows?
By creating a subscription in Event Viewer to collect logs from various Windows hosts
What protocol is used for centralized logging in Windows?
WinRM (Windows Remote Management).
What is SIEM?
Security Information and Event Management, a solution for centralized log collection, analysis, and visualization
What are the main components of a SIEM solution?
Data inputs, log aggregation, analysis, and report/dashboard generation.
How does a SIEM solution help in detecting security incidents?
By using machine learning and big data analytics to identify trends and indicators of compromise that may not be obvious through manual analysis.
What types of data can be ingested by a SIEM solution?
Log files, alerts from intrusion detection/prevention systems, packet captures, and malware alerts.
Why is it important to use both centralized logging and SIEM?
To ensure comprehensive monitoring, quick detection of security incidents, and intelligent analysis of security data across the enterprise.
What type of data visualization does a SIEM solution provide?
Dashboards with charts, graphs, and alerts that offer insights into network security and potential incidents.
How does centralized logging improve security?
By ensuring log data is preserved even if individual devices are compromised and by providing a single location for comprehensive log analysis.
What company provides an open-source SIEM tool mentioned in the text?
AlienVault.
What is benchmarking in cybersecurity?
It’s the process of comparing your security performance against industry standards to identify areas of improvement and ensure compliance with security requirements.
What are benchmarks in cybersecurity?
Industry-leading security configuration standards that define a minimum level of security for systems to meet application security standards or regulatory requirements.
What does NIST stand for?
National Institute of Standards and Technology.
What is the purpose of the NIST cybersecurity framework?
To provide guidelines for improving the critical infrastructure of cybersecurity through five core functions: Identify, Protect, Detect, Respond, and Recover.
When was the NIST cybersecurity framework originally published and recently updated?
Originally published in 2014 and recently updated as of October.
: What are CIS benchmarks?
A set of practices for securely configuring systems, including Linux, Windows, Azure, AWS, Cisco, IBM, and Palo Alto platforms.
What does DoD Cyber Exchange provide?
Security Technical Implementation Guides (STIGs) for various systems, including Microsoft Windows and Linux.
What is SCAP?
Security Content Automation Protocol, a collection of standards used by organizations to automate and standardize security configurations and manage system vulnerabilities.
What are the two types of benchmarks widely used today?
Agent-based and agentless.
What are the pros of agent-based solutions?
They provide continuous surveillance and action, identify and handle security threats in real time, and ensure compliance with organizational security policies.
What are the pros of agentless solutions?
They are less intrusive, have less impact on system performance, and can scan vulnerabilities without needing direct access to the system.
What are the cons of agentless solutions?
They typically rely on network connections or flows, which may not provide as comprehensive monitoring as agent-based solutions.
How do NIST guidelines help organizations?
They offer technical guidelines for federal agencies and other organizations to improve their cybersecurity posture.
What is the purpose of security benchmarks and standards like those provided by CIS?
To help organizations securely configure systems and meet regulatory requirements and operational best practices.
What is the purpose of configuring syslog forwarding in Linux?
To send log entries from multiple Linux hosts to a centralized logging host for secure storage and analysis.
Which file needs to be edited on the centralized logging host to enable receiving syslog messages?
/etc/rsyslog.conf
How do you save and exit the nano text editor after editing the configuration file?
Press Ctrl+X, then Y to confirm saving changes, and press Enter to save the file.
What command is used to restart the rsyslog service on the centralized host?
sudo service rsyslog restart
How can you verify that the rsyslog service is running and listening on UDP port 514?
Use the command sudo netstat -nu | grep rsyslog
Which command shows the IP address of the centralized logging host?
ifconfig
What is the key configuration change needed on a log client to forward logs to the centralized host?
Add the line . @<centralized_host_IP> to the bottom of /etc/rsyslog.conf, where <centralized_host_IP> is the IP address of the centralized logging host.</centralized_host_IP></centralized_host_IP>
How do you restart the rsyslog service on the log client after making configuration changes?
sudo service rsyslog restart
How can you test log forwarding by creating a custom log entry on the log client?
: Use the logger command, e.g., logger “Test log forwarding”
How do you check for the custom log entry on the log client?
Use the command tail /var/log/syslog
How do you verify that the custom log entry has been forwarded to the centralized logging host?
Use the command tail /var/log/syslog on the centralized logging host to check for the log entry.
Why is centralized log forwarding important in cybersecurity?
It ensures log data is preserved and accessible even if individual devices are compromised, aiding in security monitoring and forensic analysis.
What protocol and port does syslog typically use for log forwarding?
UDP port 514
How can you clear the screen in a Linux terminal?
: Use the clear command.
