Domain 4 Flashcards
A network security analyst for a large company is testing system vulnerabilities by capturing system memory live while simultaneously attempting different methods of penetration and simulated attacks. The network consists of both Windows and Linux machines. Assess the tools that the analyst could employ in this process for capturing system memory on either OS.
The Linux tool memdump reads physical memory through the /dev/mem device file. Current kernels restrict raw reads of /dev/mem (CONFIG_STRICT_DEVMEM), so a kernel module such as fmem (which exposes a /dev/fmem node) or pmem has to be loaded first.
WinHex is a hex and disk editor for Windows. Run on the live host (it must already be present on the machine or brought in on removable media), it can capture the contents of physical memory.
The standard Linux tool dd copies raw byte streams between files and devices, so it can image entire disks and, by reading the /dev/mem device file (or /dev/fmem where /dev/mem is restricted), physical memory. Note that /dev/mem is a device file that exposes RAM, not a dump file; the dump is what dd writes out. This makes it a simple way of obtaining a memory capture with tools already on the system.
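The dd acquisition described on this card, with the integrity hashing an examiner records alongside it, as an added example (it is not code from the flashcards). The source path is a parameter so the functions can be exercised against an ordinary file; on a real host it would be /dev/mem (old kernels) or /dev/fmem. It assumes GNU coreutils (dd with status=none, sha256sum).

```shell
#!/bin/sh
# Added example (not from the flashcards): image memory with dd and record
# integrity hashes. SRC stands for /dev/mem on kernels that still allow raw
# reads of it, or for the /dev/fmem node created by the fmem module; it is
# a parameter so the function can be exercised against an ordinary file.
# Requires GNU coreutils (dd with status=none, sha256sum).

# acquire_memory SRC DEST: copy SRC to DEST, then write DEST.sha256.
# bs=1M cuts the number of read calls; conv=noerror,sync zero-fills blocks
# that cannot be read instead of aborting, so the image stays block-aligned
# but its hash differs from the source wherever padding was inserted.
acquire_memory() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=1M conv=noerror,sync status=none || return 1
    sha256sum "$dest" > "$dest.sha256"
}

# verify_image DEST: re-hash the image against its sidecar (0 on match).
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# file_hash PATH: bare SHA-256 hex digest, for comparing source and image.
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_size PATH: size in bytes; a memory image should match the RAM size
# (or, in this offline example, the size of the source file).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Usage on a real host (root, fmem module loaded; the fmem documentation
# recommends adding count= set to the RAM size in MiB, since the device
# does not report an end):
#   acquire_memory /dev/fmem /mnt/evidence/host.mem && verify_image /mnt/evidence/host.mem
```

Write the image to a different disk than the one being examined (here /mnt/evidence), and keep the .sha256 sidecar with the image: it is what lets anyone later show the capture has not changed.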
A hacker has scanned the network for vulnerabilities and plans to inject malicious software into an unprotected server. The hacker wants to use this server as a jump server to gain access to the network and execute more code in the future. However, the hacker does not want to leave any trace behind, if caught. Which of the following tools would the hacker most likely use?
Meterpreter is an advanced, dynamically extensible Metasploit payload (not an exploit module). It is delivered in stages: a small stager opens the network connection between the attacker and the target, then the Meterpreter stage is loaded into the target process by in-memory (reflective) DLL injection. Because nothing is written to disk, the payload leaves no file artifacts and does not survive a reboot, so a restart of the server removes it; memory forensics on the running host, or network logs of the connection, can still reveal it.
Nexpose
Managed by Rapid7, which also maintains Metasploit, Nexpose is a vulnerability scanner similar to Nessus that enumerates open ports and known vulnerabilities.
Kali
(or Kali Linux) is a Debian-derived Linux distribution built for penetration testing and digital forensics. The Metasploit Framework is included in the standard operating system image.
Nessus
is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.
-t
switch (Windows ping) sends echo requests to the specified host name or IP (Internet Protocol) address until stopped; pressing Ctrl+C stops it. Linux ping repeats by default and uses -c to limit the count instead.
-n
switch sets the number of echo requests to send; the count follows the switch. The Windows default is four.
-S
switch (capital S) sets the source address the echo requests are sent from, which matters on a multihomed host with more than one interface. On Linux ping the equivalent is -I.
-r
switch sets the IPv4 record-route option so that up to count hops (1 to 9) along the path are recorded in the reply. It is IPv4-only, and many routers ignore or strip the option, so the recorded route is often incomplete.
-O flag
following the target IP is the standard method of enabling OS detection (TCP/IP stack fingerprinting). It needs raw-packet privileges (root or administrator) and works best when the target has at least one open and one closed port to probe.
-A flag
following the target IP enables OS detection as well as version detection (-sV), default script scanning (-sC), and traceroute; it is the ‘aggressive’ bundle and is noisier than -O alone.
-T0 flag
is the slowest timing template (‘paranoid’): probes are sent one at a time about five minutes apart, with the aim of staying below the rate thresholds of intrusion detection systems. It makes scans extremely slow and only helps against time-based detection; it does not hide the probes themselves.
-oG flag
selects ‘grepable’ output. With a filename (-oG scan.gnmap) the results go to that file; with a dash in place of the filename (-oG -) they go to the screen. It is an output option only: combined with -O it records the OS guess, but by itself it performs no OS detection.
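An added example, not code from the flashcards, of what the grepable output is for: pulling the open ports and OS guesses out of a -oG file with awk. The scan file is constructed inline (the addresses, services, versions and OS strings are invented for the example) in the tab-separated layout Nmap writes; on a real engagement the file would come from something like nmap -sV -O -oG scan.gnmap 192.0.2.0/29.

```shell
#!/bin/sh
# Added example (not from the flashcards): parse Nmap grepable (-oG) output.
# Hosts, services, versions and OS guesses below are constructed for this
# example; real files have the same tab-separated fields.

# make_sample_gnmap FILE: write a constructed -oG file. Fields in the real
# format are tab-separated, hence printf with \t.
make_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sV -O -oG scan.gnmap 192.0.2.0/29\n'
        printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\tOS: Linux 5.4\n'
        printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
        printf 'Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)\tOS: Microsoft Windows 10\n'
        printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned\n'
    } > "$1"
}

# open_ports FILE: print "host port/proto service version" for every open
# port. Each entry in the Ports field is
# port/state/proto/owner/service/rpc/version/ so split on "/" and keep
# entries whose state field is "open".
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, /)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }' "$1"
}

# os_guesses FILE: print "host os" for hosts where -O produced a guess;
# the OS field only exists because the scan was run with -O.
os_guesses() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++)
                if ($i ~ /^OS: /) { os = $i; sub(/^OS: /, "", os); print host, os }
        }' "$1"
}

# Usage: make_sample_gnmap scan.gnmap; open_ports scan.gnmap; os_guesses scan.gnmap
```

The same two functions run unchanged against a real scan file, which is the point of -oG: one line per host, so shell tools can slice it without an XML parser.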
hping
(hping3) is an open-source packet crafting tool: it assembles and sends custom TCP, UDP, ICMP and raw IP packets, can listen for and inject packets, and shows the replies, which supports firewall testing, port scanning, traceroute-style path discovery and Denial of Service (DoS) testing. It does not gather OSINT data.
netstat
is a command-line network utility that displays active TCP and UDP connections and listening ports, routing tables, and a number of network interface and network protocol statistics.
netcat
is a computer networking utility for reading from and writing to network connections using TCP or UDP.
Active KillDisk
is a disk sanitization tool that purges data by overwriting every sector with patterns of ones and zeros, optionally in multiple passes. After wiping, the disk can be reused or recycled.
FTK Imager
is the free imaging component of the commercial FTK forensic suite for Windows. It can capture live memory (written as a raw .mem dump, optionally with the pagefile) and image disks to raw (dd), SMART, AFF or E01 (EnCase evidence file) format; E01 is the correct spelling of the format sometimes written as .eo1.
A public key infrastructure (PKI) is being set up for a logistics company, utilizing OpenSSL. Which of the following commands can the team use, when setting up the PKI, to create an encrypted RSA key pair?
The openssl genrsa -out server.key 1024 command generates an RSA private key (from which the public key is derived) and writes it to server.key; 1024 is the key size in bits. As written it does not encrypt the key: a passphrase-protected key needs a cipher option such as -aes256, and 1024-bit RSA is below current minimums, so 2048 bits or more should be used.
The openssl rsa -in server.key -pubout
command only prints the public key derived from server.key, which must already exist.
The openssl rsa -check -in server.key
command verifies the consistency of the private RSA key and prompts for the passphrase if the key is encrypted. This assumes a private RSA key already exists.
The openssl x509 -x509toreq -in cert.pem -out server.csr -signkey server.key
command outputs a certificate signing request (CSR) from an existing certificate and private key. This assumes a private RSA key and certificate already exist.
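A worked run of the commands on this card, added here as an example and not part of the original flashcards. It assumes OpenSSL 1.1.1 or 3.x on PATH; the passphrases, file names and the subject /CN=ca.example.test are placeholders chosen for the example. It also shows the two corrections a practitioner would make to the card's genrsa line: -aes256 so the key is actually encrypted, and 2048 bits.

```shell
#!/bin/sh
# Added example (not from the flashcards): the key-handling steps the card
# lists, done non-interactively with a passphrase-protected key. Assumes
# OpenSSL 1.1.1 or 3.x on PATH; passphrases, file names and the subject
# /CN=ca.example.test are placeholders chosen for this example.

# make_encrypted_key KEYFILE PASS [BITS]: genrsa as on the card, plus
# -aes256 so the PEM is actually encrypted, and 2048 bits rather than 1024.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" "${3:-2048}" 2>/dev/null
}

# key_is_encrypted KEYFILE: true when the PEM carries an ENCRYPTED marker
# (PKCS#8 "ENCRYPTED PRIVATE KEY" on 3.x, "Proc-Type: 4,ENCRYPTED" on 1.1.1).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_key KEYFILE PASS: the consistency check (-check) with the passphrase
# supplied via -passin instead of a prompt; fails on a wrong passphrase.
check_key() {
    openssl rsa -check -noout -in "$1" -passin "pass:$2" 2>/dev/null
}

# export_pubkey KEYFILE PASS OUTFILE: -pubout, the public half only.
export_pubkey() {
    openssl rsa -in "$1" -passin "pass:$2" -pubout -out "$3" 2>/dev/null
}

# self_signed_cert KEYFILE PASS CERTFILE: a self-signed certificate, the
# kind a root CA starts from; 30 days is deliberately short for a test.
self_signed_cert() {
    openssl req -x509 -new -key "$1" -passin "pass:$2" \
        -subj '/CN=ca.example.test' -days 30 -out "$3" 2>/dev/null
}

# csr_from_cert CERTFILE KEYFILE PASS CSRFILE: -x509toreq as on the card,
# regenerating a CSR from an existing certificate and its private key.
csr_from_cert() {
    openssl x509 -x509toreq -in "$1" -signkey "$2" -passin "pass:$3" \
        -out "$4" 2>/dev/null
}

# csr_matches_pubkey CSRFILE PUBFILE: the CSR must carry the same public key
# that -pubout extracted; otherwise the wrong key signed it.
csr_matches_pubkey() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(cat "$2")" ]
}

# Usage (placeholder passphrase; in practice read it from a prompt or a file):
#   make_encrypted_key server.key 'correct horse' && check_key server.key 'correct horse'
#   export_pubkey server.key 'correct horse' server.pub
#   self_signed_cert server.key 'correct horse' cert.pem
#   csr_from_cert cert.pem server.key 'correct horse' server.csr
```

Passing the passphrase as pass: on the command line is convenient for a script but exposes it to anyone who can list processes; for a production CA key use -passin file: or the interactive prompt the card describes.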