Domain 2: Info Gathering and Vulnerability Identification Flashcards
What is Domain 2 of the Pentest+?
This domain covers information gathering and vulnerability identification
What are the five main functions of Domain 2?
- Conduct information gathering
- Perform Vulnerability Scanning
- Analyzing Results of Vuln Scan
- Leveraging Information for Exploitation
- Weaknesses in specialized systems
What is information gathering also known as?
This is also known as reconnaissance or footprinting
What are some techniques of footprinting?
These are all techniques of this:
- Internet or open-source research
- Social Engineering
- Dumpster Diving
- Email Harvesting
What kind of information are we looking for during reconnaissance?
During this step, we are looking for:
- Phone numbers
- Contact Names
- Email Addresses
- security-related information
- information systems used (windows, linux, apache, etc)
- job postings
- Resumes
What are some reconnaissance tools?
These are tools for this step in the pentesting process:
- nslookup
- traceroute
- ping
- whois
- Domain Dossier
- Email Dossier
- Social Networking (FB, Linkedin, etc)
- Discover.sh
- Maltego
What tools does centralops.net provide?
This website provides:
- Email Dossiers
- Domain Dossiers
- Owner of the domain name
- Technical Details
- Network Ranges for the domain
What is to be done after footprinting & reconnaissance?
Scanning and enumeration is done after this step.
What is scanning?
This is when we actively connect to a system and get a response, identifying open ports and services.
What are the types of scanning?
These are types of this:
- Hosts
- Systems
- Networks
- Computers
- Mobile Devices
- Applications
- Printers
What is enumeration?
Actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed info.
What types of enumerations are there?
These are the types:
- hosts
- Networks
- Domains
- Users/Groups
- Network Shares
- Web Pages
- Application
- Services
- Tokens
- Social Networks
What is fingerprinting?
This is identifying the operating system, server, or service that is being used by a particular host or network.
What is Banner Grabbing?
This is manual enumeration and fingerprinting, using programs such as telnet or netcat to connect to a target host. Commonly used for FTP, SSH, Telnet, & HTTP.
What is packet crafting also known as?
This is also known as packet manipulation
What is packet crafting?
This entails sending modified packet headers to gather information from a system or host
What is packet inspection?
This is manual enumeration performed by analyzing the captured packets to determine information
When using nmap/zenmap, where do you typically want to start?
With these tools you’ll typically want to start with the least intrusive scan.
What is one of the least intrusive scans you can perform?
This type of scan would be a ping scan.
When scanning a network w/ nmap/zenmap, how would you list out a network with a /24? How about /16?
192.168.52.0/24
192.168.52.0/16
When scanning a network with nmap/zenmap, how would you scan a list of addresses?
192.168.52.0-254
192.168.52.0-224
What would be the nmap command to run a simple ping scan on a network?
nmap -sn [network address]
nmap -sn 192.168.52.0
What information will a ping scan provide?
This type of scan will provide information on what machines are up or down on a given network. Provides IP addresses and MAC addresses.
We have two machines with the following IP addresses:
- 192.168.52.100
- 192.168.52.101
What would be the nmap command to run a quick scan?
nmap -T4 -F 192.168.52.100-101
What does it mean to have ports filtered?
This means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
With Nmap, what would be an intrusive scan?
With this tool this would be considered an intense scan.
We have two machines with the following IP addresses:
- 192.168.52.100
- 192.168.52.101
What would be the nmap command to run an intense scan?
nmap -T4 -A -v 192.168.52.100-101
What is cryptographic Inspection?
This is the identification of the type of encryption being used by machines/hosts/services/etc. during information gathering.
What is certificate inspection?
Identifying what type of encryption a web server is using, i.e. SSL 2.0, TLS? Tools exist for this.
Eavesdropping is considered what?
This is considered a method of information gathering
How can you eavesdrop on a network?
You can do this by sniffing network traffic.
What does it mean to sniff network traffic?
Intercepting and logging network traffic that can be seen via the wired or wireless network interface.
Can you capture network information about other parts of a network if you gain access to a particular host?
Yes, you can sniff additional network information by doing this.
What are two commonly known tools to capture packets from a network & hosts?
Wireshark and TCP are this.
When using Wireshark to capture packets, what type of file can be created to log the information?
This is a pcap file.
What is decompiling?
This is the process of reverse engineering software using a decompiler.
What is an issue with a Decompiler?
This tool will not always turn executables back into their source code, but it can turn them back into bytecode or assembly.
In pentesting, when can a decompiler be helpful?
This can be helpful during a pentest when you’re testing custom built tools or applications.
What does CERT stand for?
Computer Emergency Response Team
What are some open source resources that can be used for info gathering?
These resources can be used for this:
- CERT
- JPCERT
- NIST
- CVEs (mitre)
- CWE (mitre)
- CAPEC (mitre)
- Full Disclosure (nmap)
When you see ‘CVE-2018-11232’, what does that mean?
This means that it is the 11232nd vulnerability of 2018.
Who submits their Common Vulns into the CVE database?
All major vendors submit these to this location.
What does CAPEC stand for?
Common Attack Pattern Enumeration & Classification
What does -sC mean in Nmap?
This option is the default script scan
What does -sV mean in Nmap?
This option probes open ports to determine service/version info
What is a vulnerability scan?
This is a scan of a host, system, or network to determine what vulnerabilities exist.
What is the primary thing to keep in mind in regards to vulnerabilities scanning?
The tools used to do this are only as good as their configurations.
What types of vuln scans are there?
For this, there are two types of scans:
- Credentialed
- non-credentialed
What are the four types of vuln scans?
For this, there are four types:
- Discovery Scan
- Full Scan
- Stealth Scan
- Compliance Scan
What is the least intrusive type of vuln scan? What does it do?
This is a discovery scan. It is used to create a network map showing the connected devices on the architecture.
What would be the nmap command to run a simple discovery scan?
This type of scan would be:
nmap -sn 192.168.52.0
What does a full scan vuln scan do?
This type of in-depth vuln scan includes ports, services, and vulns.
What needs to be considered when running a full scan?
This type of scan is likely to set off alarms (IDS, NDS, etc).
What is the purpose of a stealth scan? What does it do?
This type of scan is designed to not get picked up by the IDS. It sends SYN packets and then analyzes the responses. If a SYN/ACK response is received, a packet with RST is sent to attempt to connect on a port.
What is the intent of a compliance scan? Where can this be done easily?
This type of scan is used to identify vulnerabilities that may affect compliance with regulations or policies. It is commonly set up as a scanning template in your vulnerability scanner (e.g. PCI-DSS within Nessus).
What are some common vuln scanners?
These are types of this:
- QualysGuard
- OpenVAS
- Nessus
- Nexpose
- Nikto (Web Application Scanner)
What are some important scanning considerations?
These are:
- When do you run the scan?
- What protocols will be used?
- Where do you scan from?
- How much bandwidth is dedicated to the scan?
- Should we scan or exempt these (systems)?
How do you throttle a query in nmap?
To do this, you’ll use the ‘-T’ option within Nmap.
What are the two types of application scanning?
The two types of this are:
- Dynamic
- Static
What is dynamic application scanning?
This is a type of scan that occurs while the application is running. The program is run in a sandbox and changes are noted.
What is static application scanning?
This type of scan occurs in a non-runtime environment for applications. It inspects the program's code and can be done line by line.
What are containers similar to?
These are similar to mini virtual machines
What are some examples of containers?
These are examples of this:
- Docker
- Puppet
- Vagrant
Do Containers require security? What could be a major issue?
Yes, these still require security. They all run on a single, standardized OS. A flaw in this OS would mean vulnerabilities across multiple containers.
What are some ways to analyze your vulnerability scans?
These are ways to do this:
- Asset Categorization
- Adjudication
- Prioritize Vulnerabilities
When categorizing assets, what do we typically want to categorize first?
When doing this, we want to identify high-value assets first. Domain controllers, Web Servers, Databases, etc
What does Adjudication mean with respect to pentesting?
This is the process of considering which vulnerabilities to attack.
What is a false positive relative to a vuln scan? What should be done with them?
This is a vulnerability that shows up in your scan but is not an actual vuln on the system. False positives should be filtered out of scan results.
When scanning for vulns, what is important to find?
During this, it is important to find common themes: common vulns, a common lack of best practices (weak practices), and observations.
What is an important step after a vuln is found and has been categorized? What is a good question to ask?
Research that particular vulnerability and find any/all exploits that exist. Does Metasploit or nmap already have known exploits for this vuln?
What are some examples of common attack techniques (vectors)?
These are some examples:
- cross-compiled code
- exploit modification
- exploit chaining
- proof-of-concept dev
- social engineering
- credential brute forcing
- dictionary attacks
- Rainbow tables
- Deception
How can you create a Windows binary on a Linux system?
This can be done with tools like Mingw-w64.
What is an example of an exploit chain?
These are examples of this:
- Exploit to break past firewall
- Gain access to user system
- Escalate the privileges
What does it mean to have a proof-of-concept development?
This involves building out and attacking a virtual environment that mimics the real system/environment.
What does ICS stand for?
Industrial Control System
What does SCADA Stand for?
Supervisory Control and Data Acquisition
What does PLC stand for?
Programmable Logic Controller
What do ICS, SCADA, & PLC all work together with?
These three work together with HVAC, factories, pumps, etc. These three are old technologies that are integrated with old operating systems.
Where are ICS, SCADA, & PLC often located?
These three things are often located off of and separate from the network.
What items contain embedded devices? What do embedded devices contain?
Cars and ICS/SCADA systems contain these. These contain a special-purpose computing system.
What is an RTOS? Where are they found?
This is a Real-Time Operating System. These are often found in embedded devices, and are usually a stripped-down version of Linux.