Lesson 3 Flashcards
Footprinting
Scanning the network layout and detecting rogue systems. Scanning for hosts, IP ranges, and the routes between networks.
ipconfig / ifconfig
ipconfig (Windows), ifconfig (Linux; current distributions ship ip addr in its place)
- Reports the local IP configuration (interface addresses, subnet mask, default gateway)
ping
Uses Internet Control Message Protocol (ICMP) echo request/reply
- Test connectivity with a host
- Use a ping sweep to detect live hosts on a subnet (hosts or firewalls that drop ICMP are missed, so a silent host is not proof of an empty address)
subnet
Local network segment. All hosts on a subnet share the same network prefix of their IP address (same mask).
arp
Displays the Address Resolution Protocol (ARP) cache
- Shows IP to Media Access Control (MAC) address mappings
- Detect spoofing (validate the MAC of the default gateway; a gateway MAC that changes, or one MAC answering for several IPs, is the signature of ARP poisoning)
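Added example (not part of the original flashcards): the two ARP checks from the card above, run over a constructed arp -n listing. The gateway address, the known-good gateway MAC and the attacker's MAC are assumed values chosen for the example.

```python
"""Check an ARP cache for spoofing indicators: the default gateway must still
have its known-good MAC, and one MAC should not answer for several IPs."""
import re
from collections import defaultdict

# Constructed sample in the layout of Linux `arp -n` output (not a real capture).
# 192.168.1.37 is the hypothetical attacker; it has poisoned the gateway entry.
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.20             ether   00:50:56:12:34:56   C                     eth0
192.168.1.37             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.99                     (incomplete)                              eth0
"""

# Known-good gateway MAC, recorded earlier from a trusted state (assumed value).
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_arp_n(text):
    """Return {ip: mac} from `arp -n` output, skipping the header and incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2]):
            table[fields[0]] = fields[2].lower()
    return table


def find_arp_anomalies(table, gateway_ip, known_gateway_mac):
    """Validate the gateway MAC, then look for one MAC claiming several IPs."""
    findings = []
    gateway_mac = table.get(gateway_ip)
    if gateway_mac is None:
        findings.append(f"gateway {gateway_ip} is not in the ARP cache")
    elif gateway_mac != known_gateway_mac.lower():
        findings.append(
            f"gateway {gateway_ip} resolves to {gateway_mac}, expected {known_gateway_mac.lower()}"
        )
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_n(SAMPLE_ARP_N), GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print("ALERT:", finding)
```

The duplicate-MAC check has a benign cause too: a router or virtual host legitimately holding several addresses on one interface, so treat it as a lead to confirm, while a changed gateway MAC should be treated as an incident until the router itself is checked.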
route
- Show the local routing table
- Identify the default route and the local subnet
- Check for suspicious entries: if the host is not a router, additional entries in the routing table could be suspicious
tracert / traceroute
tracert (Windows), traceroute (Linux)
- Test the path, hop by hop, to a remote host
route vs tracert/traceroute vs pathping/mtr
route - local routing table
tracert/traceroute - path to remote host
pathping/mtr - measures latency and packet loss along a route
pathping / mtr
pathping (Windows), mtr (Linux)
- Measures latency and packet loss along a route
Nmap
Network Mapper, a type of IP scanner
host discovery => port scan => service discovery
Host discovery
- Test whether hosts in an IP range respond to probes
Port scan
- Test whether TCP or UDP ports allow connections (are open)
Service discovery
- Scan custom TCP/UDP port ranges
Service and version detection
- Fingerprint each open port
- Protocol (telnet, http, ftp, etc.)
- Application/version
- OS type
- Device type
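Added example (not from the flashcards or from the Nmap project): parsing Nmap's XML output into hosts, open ports and detected services, then flagging open ports that are not on an approved inventory. This is the defensive use of service discovery, finding unauthorized service ports on rogue or misconfigured hosts. The XML is a constructed sample in the layout nmap -sV -oX produces, and APPROVED is an assumed inventory.

```python
"""Parse Nmap XML output (-oX) into hosts, open ports and detected services,
then flag open ports that are not on an approved list."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX -` output (not a real scan).
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/29">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/>
        <service name="krb524" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [port dicts]} for hosts that are up; only open ports are kept.
    method="table" means Nmap guessed the service from its port list, not from a probe."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        address = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or address is None:
            continue
        ip = address.get("addr")
        hosts[ip] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            hosts[ip].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
                "probed": service is not None and service.get("method") == "probed",
            })
    return hosts


def unexpected_open_ports(hosts, approved):
    """approved: set of (ip, proto, port) allowed to be open. Returns the open
    ports outside that set, noting when the service name is only a guess."""
    findings = []
    for ip, ports in hosts.items():
        for p in ports:
            if (ip, p["proto"], p["port"]) not in approved:
                label = p["service"] or "unknown"
                if not p["probed"]:
                    label += " (guessed from port number, not fingerprinted)"
                findings.append((ip, p["proto"], p["port"], label))
    return sorted(findings)


# Assumed inventory of sanctioned services for the scanned range.
APPROVED = {("10.0.0.5", "tcp", 22), ("10.0.0.5", "tcp", 80)}

if __name__ == "__main__":
    for ip, proto, port, label in unexpected_open_ports(parse_nmap_xml(SAMPLE_NMAP_XML), APPROVED):
        print(f"{ip} {proto}/{port} {label}")
```

The "probed" flag matters in practice: a service name that came from Nmap's port table is only the conventional use of that port number, so a listener on an odd port that was not fingerprinted deserves a manual banner grab before it is written up.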
netstat & nslookup (dig)
Basic service discovery tasks can also be performed using tools built into the Windows and Linux operating systems:
netstat
- Report TCP/UDP port status on the local machine (listening ports and active connections)
nslookup (Windows) / dig (Linux)
nslookup/dig query name records for a given domain using a particular DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a network to find out if the DNS service is misconfigured. A misconfigured DNS server may allow a zone transfer (AXFR) to any client, which gives the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured.
theHarvester
Collate open source intelligence (OSINT)
dnsenum
• Collate DNS hosting information, name records, and IP schemas
scanless
• Collate results from third-party port scanning sites
curl
• Craft and submit protocol requests
curl is a command-line client for performing data transfers over many types of
protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT
requests as part of web application vulnerability testing. curl supports many other
data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.
Nessus
- Perform automated vulnerability scanning
Packet analysis versus protocol analysis
- Packet analysis refers to deep-down frame-by-frame scrutiny of captured frames.
- Protocol analysis means using statistical tools to analyze a sequence of packets, or packet trace.
Sniffer
Tool for capturing network frames. Can identify malicious traffic that got past the firewall.
tcpdump
Command-line packet capture utility for Linux
- Write to pcap (-w file.pcap)
- Read from pcap (-r file.pcap)
- Filters (Berkeley Packet Filter expressions such as tcp port 445 or host 10.0.0.5)
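Added example (not from the flashcards or from tcpdump itself): the three tcpdump operations on the card done by hand in the standard library, writing a pcap file, reading it back, and applying a filter equivalent to tcp dst port 445. The frames, addresses and MACs are constructed for the example, and the TCP checksum is deliberately left at zero as a stated simplification.

```python
"""Write a pcap file the way `tcpdump -w` does, read it back the way `tcpdump -r`
does, and apply a filter comparable to the BPF expression `tcp dst port 445`."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02, payload=b""):
    """Ethernet + IPv4 + TCP frame (flags 0x02 = SYN, 0x12 = SYN/ACK).
    The TCP checksum is left at zero, a simplification: Wireshark will mark it bad."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(path, frames, first_ts=1_700_000_000):
    """24-byte global header, then a 16-byte record header before each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Decode every IPv4/TCP record into a dict; other frames are skipped."""
    packets = []
    with open(path, "rb") as f:
        magic, *_, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("only little-endian microsecond pcap with Ethernet frames is handled")
        while True:
            record = f.read(16)
            if len(record) < 16:
                break
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", record)
            frame = f.read(incl_len)
            if frame[12:14] != b"\x08\x00":        # EtherType is not IPv4
                continue
            ihl = (frame[14] & 0x0F) * 4
            if frame[23] != 6:                      # IP protocol is not TCP
                continue
            tcp = frame[14 + ihl:]
            sport, dport = struct.unpack("!HH", tcp[:4])
            packets.append({
                "ts": ts_sec + ts_usec / 1e6,
                "src": ".".join(map(str, frame[26:30])),
                "dst": ".".join(map(str, frame[30:34])),
                "sport": sport, "dport": dport, "flags": tcp[13],
            })
    return packets


def filter_packets(packets, predicate):
    """Keep the packets for which the predicate holds, like a capture/display filter."""
    return [p for p in packets if predicate(p)]


def demo():
    """Write three constructed frames, read them back, select `tcp dst port 445`."""
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 445),               # SYN to SMB
        build_tcp_frame("10.0.0.5", "10.0.0.9", 51001, 80),                # SYN to HTTP
        build_tcp_frame("10.0.0.9", "10.0.0.5", 445, 51000, flags=0x12),   # SYN/ACK back
    ]
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")
    write_pcap(path, frames)
    packets = read_pcap(path)
    smb = filter_packets(packets, lambda p: p["dport"] == 445)
    return len(packets), [(p["src"], p["sport"], p["flags"]) for p in smb]


if __name__ == "__main__":
    print(demo())
```

The file demo() writes opens in tcpdump and Wireshark, which is the quickest way to check that a hand-built frame is laid out correctly: a wrong IHL or EtherType shows up immediately in the decode.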
Wireshark
Graphical packet analyzer (decodes, filters and follows captured frames)
Packet injection
- Crafting spoofed packets
- Tools: Dsniff, Ettercap, Scapy, hping
hping
Packet injection tool for pen testers; it also overlaps with several of Nmap's functions
- Host/port detection and firewall testing
- Traceroute
- Denial of service (DoS)
tcpreplay
Takes previously captured traffic that has been saved to a pcap file and replays it
- Stream a packet capture through an interface
- Sandbox analysis and intrusion detection testing
Exploitation Frameworks
Simulate adversary tools for exploitation and backdoor access
Examples
- Metasploit
- Sn1Per
Metasploit
Exploitation framework
- Modules to exploit known code vulnerabilities
- Couple an exploit module with a payload
- Obfuscate code to evade detection
Sn1Per
- Penetration test reporting and evidence gathering
- Run automated suites of tests
Netcat
Simple tool for testing network connectivity. Can be used for port scanning and fingerprinting.
- Port scan: connects to a port and determines whether a service is listening on it
- Fingerprinting: detailed analysis of the services on a host (for example, reading the banner a service sends when a client connects)
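Added example (not from the flashcards, and not Netcat's own code): a TCP connect scan of a port list and a banner grab, the two Netcat uses on the card, done with sockets. The target is a constructed loopback service that greets clients with an SSH-style banner, so the whole thing runs offline; the banner text and the service-guessing rules are assumptions for the example.

```python
"""Netcat-style checks in Python: connect-scan ports (what `nc -zv host port`
does) and read the greeting a service sends (banner grabbing, the crude form
of fingerprinting). The target is a constructed local listener."""
import socket
import threading


def start_banner_service(banner):
    """Constructed target: a loopback TCP service that greets each client with
    `banner`, the way SSH, FTP and SMTP daemons announce themselves."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick a port that is currently closed, to show the negative case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_port(host, port, timeout=0.5):
    """TCP connect scan: True when the three-way handshake completes (port open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:                 # refused, timed out or unreachable
            return False


def grab_banner(host, port, timeout=1.0, size=256):
    """Connect and return whatever the service volunteers first. Many services
    (HTTP among them) say nothing until the client speaks, so empty is normal."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(size)
        except socket.timeout:
            return b""


def guess_service(banner):
    """Minimal fingerprint rules from well-known greeting formats (assumed set)."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 "):
        return "ftp-or-smtp"
    if banner.startswith(b"* OK"):
        return "imap"
    return "unknown"


def scan_and_fingerprint(host, ports):
    """Return {port: (is_open, service guess or None)} for the given ports."""
    results = {}
    for port in ports:
        is_open = scan_port(host, port)
        results[port] = (is_open, guess_service(grab_banner(host, port)) if is_open else None)
    return results


if __name__ == "__main__":
    srv, open_port = start_banner_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    print(scan_and_fingerprint("127.0.0.1", [open_port, free_closed_port()]))
    srv.close()
```

A connect scan completes the handshake, so every probe lands in the target's application log; that is the trade-off against the half-open SYN scan Nmap uses by default, which needs raw sockets but leaves less of a trace on the host.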
Zero-day
- Vulnerability is unknown to the vendor
- Threat actor develops an exploit for which there is no patch
- Likely to be used against high-value targets
Legacy platform
- Vendor no longer releases security patches
Weak Host Configurations
- Default settings
  - Vendor may not release the product in a default-secure configuration
- Unsecured root accounts
  - Threat actor will gain complete control
  - Limit the ability to log in as superuser
- Open permissions
  - Configuration errors allowing unauthenticated access
  - Allowing write access when only read access is appropriate
- Open ports and services
  - Restrict using an access control list
  - Disable unnecessary services or block ports
  - Block at the network perimeter
- Unsecure protocols
  - Cleartext data transmissions are vulnerable to snooping and eavesdropping
- Weak encryption
  - Storage and transport encryption
  - Key is generated from a weak password
  - Cipher has weaknesses
  - Key distribution is not secure
- Errors
  - Error messages that reveal too much information
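Added example (not from the flashcards) for the "open permissions" item above: an audit that compares each file's actual mode against the loosest mode the owner intended, flagging world-writable paths and secrets readable by other users. The directory tree, the file contents and the policy in EXPECTED are constructed for the example.

```python
"""Audit file permissions against what each path should allow, flagging the
open-permissions misconfiguration (write or read access granted more widely
than intended). The files are constructed in a temp directory."""
import os
import stat
import tempfile


def audit_permissions(root, expected):
    """expected: {relative path: the most permissive mode that is acceptable}.
    Returns (path, actual mode, reason) for every path that is looser than allowed."""
    findings = []
    for rel, allowed in sorted(expected.items()):
        mode = stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)
        extra = mode & ~allowed                    # bits set that the policy does not allow
        if not extra:
            continue
        if extra & stat.S_IWOTH:
            reason = "world-writable"
        elif extra & (stat.S_IROTH | stat.S_IRGRP):
            reason = "readable by users who should not see it"
        else:
            reason = "more permissive than allowed"
        findings.append((rel, oct(mode), reason))
    return findings


def build_sample_tree():
    """Constructed host: one sane file, one over-shared secret, one world-writable dir."""
    root = tempfile.mkdtemp(prefix="hostcfg-")
    os.makedirs(os.path.join(root, "www", "uploads"))
    for rel, content, mode in [
        ("app.conf", "listen=443\n", 0o644),          # fine: the config is not secret
        ("secrets.env", "DB_PASS=hunter2\n", 0o644),  # wrong: should be owner-only
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "www", "uploads"), 0o777)  # wrong: anyone can write
    return root


# Policy: the loosest acceptable mode for each path (assumed values for this example).
EXPECTED = {
    "app.conf": 0o644,
    "secrets.env": 0o600,
    "www/uploads": 0o755,
}

if __name__ == "__main__":
    for rel, mode, reason in audit_permissions(build_sample_tree(), EXPECTED):
        print(f"{rel}: {mode} {reason}")
```

The comparison is mode & ~allowed rather than mode != allowed, so a file that is tighter than policy (0o600 where 0o644 would be allowed) is not reported; only loosening is a finding.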
Data breach vs exfiltration
- Data breach is where confidential data is read or transferred without authorization
- Data exfiltration is the methods and tools by which an attacker transfers data without authorization
Security Assessment Frameworks
• Methodology and scope for security assessments
• NIST SP 800-115
NIST’s Technical Guide to Information Security Testing and Assessment
Security Assessment Framework
- Testing
- Examining
- Interviewing
Vulnerability assessment versus threat hunting and penetration testing
- Vulnerability assessment: evaluation of system security and its ability to meet compliance requirements, usually with automated scanners
- Threat hunting: actively looking for threats that have already evaded existing controls
- Penetration testing: actively exploiting vulnerabilities to prove that a threat exists
Vulnerability Scan Types
Automated scanners configured with a list of known vulnerabilities
- Network vulnerability scanner
- Application and web application scanners
Network vulnerability scanner
- Configured with tests for most types of network hosts
- Focused on scanning the OS plus some desktop and server applications
Application and web application scanners
- Configured with application-specific tests
SCAP
Security Content Automation Protocol (SCAP)
- Mechanism for updating a scanner via feed
- Common identifiers (CVE)
CVE
Common Vulnerabilities and Exposures (CVE): a unique identifier (CVE-YYYY-NNNN) for each publicly known vulnerability
CVSS
Common Vulnerability Scoring System: rates severity on a 0 to 10 scale from base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact)
Intrusive versus non-intrusive scanning
- Non-intrusive scanning (consumes fewer resources)
  - Passively test security controls
  - Scanners attach to the network and only sniff traffic
  - Possibly some low interaction with hosts (port scanning/banner grabbing)
- Intrusive/active scanning (consumes more resources)
  - Establish network sessions and actively probe hosts
  - Agent-based scan: a software agent installed on each host collects its configuration and reports to the scanner
Credentialed vs non-credentialed scanning
Non-credentialed
- Anonymous or guest access to the host only
- Might test default passwords
Credentialed
- Scan configured with a logon
- Can allow privileged access to configuration settings/logs/registry
- Use a dedicated account for scanning
False positive and false negative
- False positive: the scanner reports a vulnerability that is not actually present
- False negative: the scanner fails to report a vulnerability that is present
Configuration Templates
Driven by templates of configuration settings
- Open Vulnerability and Assessment Language (OVAL)
- Extensible Configuration Checklist Description Format (XCCDF)
Threat Hunting
- Use log and threat data to search for IoCs
- Advisories and bulletins
  - Plan a threat hunting project in response to a newly discovered threat
- Intelligence fusion and threat data
  - Use security information and event management (SIEM) and threat data feeds to automate searches
- Maneuver
  - Consider the possibility of alerting the adversary to the search
  - Use techniques that will give positional advantage
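Added example (not from the flashcards): the "search log and threat data for IoCs" step done against constructed log lines in three formats a SIEM might hold (firewall, DNS resolver, EDR), with a constructed threat feed of IPs, a domain and a file hash. The addresses come from documentation ranges, the hash is SHA-256 of the string "test", and the log formats are assumptions.

```python
"""Search log lines for indicators of compromise (IoCs) from a threat feed: IPs,
domains (including subdomains of a listed domain) and file hashes, then rank
internal hosts by how many indicators touched them."""
import re

# Constructed threat feed. Addresses are from documentation ranges; the hash is SHA-256("test").
IOCS = {
    "ip": {"203.0.113.77", "198.51.100.9"},
    "domain": {"update-cdn-check.example"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed log lines in three formats: firewall, DNS resolver, EDR.
LOGS = [
    "2024-05-02T10:14:03Z fw01 action=allow src=10.0.0.23 dst=203.0.113.77 dport=443 proto=tcp",
    "2024-05-02T10:14:05Z dns01 client=10.0.0.23 query=cdn.update-cdn-check.example type=A",
    "2024-05-02T10:15:10Z edr host=ws-042 src=10.0.0.23 event=process_create "
    "image=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-02T10:16:00Z fw01 action=allow src=10.0.0.50 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-02T10:16:30Z dns01 client=10.0.0.50 query=www.example.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
SRC_RE = re.compile(r"\b(?:src|client)=(\d{1,3}(?:\.\d{1,3}){3})")


def domain_listed(name, listed):
    """A hit on foo.bar.example counts when bar.example is in the feed."""
    name = name.lower()
    return name in listed or any(name.endswith("." + d) for d in listed)


def hunt(lines, iocs):
    """Return (line number, indicator type, matched value, internal source host) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        src = SRC_RE.search(line)
        source = src.group(1) if src else None
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip, source))
        for name in DOMAIN_RE.findall(line):
            if domain_listed(name, iocs["domain"]):
                hits.append((n, "domain", name.lower(), source))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append((n, "sha256", digest.lower(), source))
    return hits


def hosts_to_pivot(hits):
    """Internal hosts ordered by how many distinct indicators touched them,
    so the hunt knows where to collect evidence first."""
    per_host = {}
    for _, kind, value, source in hits:
        if source:
            per_host.setdefault(source, set()).add((kind, value))
    return sorted(((h, len(v)) for h, v in per_host.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    found = hunt(LOGS, IOCS)
    for hit in found:
        print(hit)
    print("pivot to:", hosts_to_pivot(found))
```

Matching the hash case-insensitively and the domain by suffix are the two normalizations that most often separate a hit from a miss in real SIEM searches, since EDR products emit uppercase digests and malware rotates subdomains under one registered domain.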
Penetration Testing
- Pen test or ethical hacking
- Verify threat: identify the vulnerability and the vector by which it could be exploited
- Bypass security controls: identify lack of controls or ways to circumvent existing controls
- Actively test security controls: examine weaknesses that render controls ineffective
- Exploit vulnerabilities to prove the threat exists ("pwned")
- Active and highly intrusive techniques, compared to vulnerability assessment
Black box vs white box vs gray box
- Black box (unknown environment)
- White box (known environment)
- Gray box (partially known environment; used to model insider threat agents, for instance)
Red team, blue team, white team, purple team
- Red team: performs the offensive role
- Blue team: performs the defensive role
- White team: sets the rules of engagement and monitors the exercise
- Purple team: exercise set up to encourage collaboration; red and blue teams share information and debrief regularly; might be assisted by a facilitator
War driving
Mapping wireless networks by moving through an area with a wireless scanner and recording the access points found
Pen Test Attack Life Cycle
- Initial exploitation
- Obtain a foothold via an exploit
- Persistence
- Establish a command & control backdoor
- Reconnect across host shut down/user log off events
- Privilege escalation
- Internal reconnaissance
- Gain additional credentials and compromise higher privilege accounts
- Lateral movement
- Compromise other hosts
- Pivoting
- Access hosts with no direct remote connection via a pivot host
- Actions on objectives
- Cleanup
service discovery
Having identified active IP hosts on the network and gained an idea of the network
topology, the next step in network reconnaissance is to work out which operating
systems are in use, which network services each host is running, and, if possible,
which application software is underpinning those services. This process is described as
service discovery. Service discovery can also be used defensively, to probe potential
rogue systems and identify the presence of unauthorized network service ports.
Reconnaissance ==> footprinting, routes, service discovery
Type of assessment activity that maps the potential attack surface by identifying the nodes and connections that make up the network.
- Footprinting (or topology discovery): scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network. Tools: ipconfig, ifconfig, ping, arp (for MAC addresses), nmap
- Routes: testing routes and configuration. Tools: route, tracert/traceroute, pathping/mtr
- Service discovery: the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. Tools: netstat, nslookup/dig, nmap
What tools are used for footprinting (topology discovery)?
ipconfig, ifconfig, ping, arp (for MAC addresses)