Lesson 3 Flashcards

1
Q

Footprinting

A

Scanning the network layout and rogue system detection. Scanning for hosts, IP ranges, and routes.

2
Q

ipconfig / ifconfig

A

ipconfig (Windows), ifconfig (Linux)

Reports on local IP configuration

3
Q

ping

A

Uses Internet Control Message Protocol (ICMP)

  • Test connectivity with a host
  • Use a ping sweep to detect live hosts on a subnet
4
Q

subnet

A

Local network segment. All hosts on a subnet will have similar IP addresses.

5
Q

arp

A

Address Resolution Protocol (ARP) cache

Shows IP to Media Access Control (MAC) address mapping
• Detect spoofing (validate MAC of default gateway)

6
Q

route

A

*If the host is not a router, additional entries in the routing table could be suspicious

  • Show the local routing table
  • Identify default route and local subnet
  • Check for suspicious entries
7
Q

tracert / traceroute

A

tracert (Windows), traceroute (Linux)

Test the path to a remote host

8
Q

route vs tracert/traceroute vs pathping/mtr

A

route - local routing table

tracert/traceroute - path to remote host

pathping/mtr - measures latency and packet loss along a route

9
Q

pathping / mtr

A

pathping = Windows, mtr = Linux

measures latency and packet loss along a route

10
Q

Nmap

A

network mapper - type of IP scanner

host discovery => port scan => service discovery

Host discovery
• Test whether hosts in an IP range respond to probes

Port scan
• Test whether TCP or UDP ports allow connections and are open

Service discovery
• Scan custom TCP/UDP port ranges

Service and version detection
• Fingerprinting each port
• Protocol (telnet, http, ftp, etc.)
• Application/version
• OS type
• Device type
11
Q

netstat & nslookup (dig)

A

Basic service discovery tasks can also be performed using tools built into the Windows and Linux operating systems:

netstat
• Report TCP/UDP port status on local machine

nslookup (Windows) / dig (Linux)
• Query name records for a given domain using a particular DNS resolver under Windows (nslookup) or Linux (dig). An attacker may test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured.

12
Q

theHarvester

A

Collate open source intelligence (OSINT)

13
Q

dnsenum

A

• Collate DNS hosting information, name records, and IP schemas

14
Q

scanless

A

• Collate results from third-party port scanning sites

15
Q

curl

A

• Craft and submit protocol requests

curl is a command-line client for performing data transfers over many types of protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT requests as part of web application vulnerability testing. curl supports many other data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.

16
Q

Nessus

A

• Perform automated vulnerability scanning

17
Q

Packet analysis versus protocol analysis

A

• Packet analysis refers to deep-down frame-by-frame scrutiny of captured frames.

• Protocol analysis means using statistical tools to analyze a sequence of packets, or packet trace.

18
Q

Sniffer

A

Tool for capturing network frames. Can identify malicious traffic that got past the firewall.

19
Q

tcpdump

A

A command-line packet capture utility for Linux

  • Write to pcap
  • Read from pcap
  • Filters
20
Q

Wireshark

A

Packet analyzer

21
Q

Packet injection

A
  • Crafting spoofed packets
  • Dsniff, Ettercap, Scapy, hping

22
Q

hping

A

Packet injection tool for pen testers. Also does much of what nmap does.

  • Host/port detection and firewall testing
  • Traceroute
  • Denial of service (DoS)
23
Q

tcpreplay

A

tcpreplay - takes previously captured traffic that has been saved to a pcap file and replays it
• Stream a packet capture through an interface
• Sandbox analysis and intrusion detection testing

24
Q

Exploitation Frameworks

A

Simulate adversary tools for exploitation and backdoor access

Examples

  • Metasploit
  • Sn1Per
25
Q

Metasploit

A

Exploitation Framework

Modules to exploit known code vulnerabilities
• Couple exploit module with payload
• Obfuscate code to evade detection

26
Q

Sn1Per

A

• Penetration test reporting and evidence gathering
• Run automated suites of tests

27
Q

Netcat

A

Simple tool for testing network connectivity.

Can be used for port scanning and fingerprinting.

Port scan - scans a port and determines what service it runs

Fingerprinting - detailed analysis of services on a host

28
Q

Zero-day

A
  • Vulnerability is unknown to the vendor
  • Threat actor develops an exploit for which there is no patch
  • Likely to be used against high value targets
29
Q

Legacy platform

A

• Vendor no longer releases security patches

30
Q

Weak Host Configurations

A
  • Default settings
    • Vendor may not release product in a default-secure configuration
  • Unsecured root accounts
    • Threat actor will gain complete control
    • Limit ability to login as superuser
  • Open permissions
    • Configuration errors allowing unauthenticated access
    • Allowing write access when only read access is appropriate
  • Open ports and services
    • Restrict using an access control list
    • Disable unnecessary services or block ports
    • Block at network perimeter
  • Unsecure protocols
    • Cleartext data transmissions are vulnerable to snooping and eavesdropping
  • Weak encryption
    • Storage and transport encryption
    • Key is generated from a weak password
    • Cipher has weaknesses
    • Key distribution is not secure
  • Errors
    • Error messages that reveal too much information
31
Q

Unsecured root accounts

A

Threat actor will gain complete control

• Limit ability to login as superuser

32
Q

Open permissions

A
  • Configuration errors allowing unauthenticated access
  • Allowing write access when only read access is appropriate

33
Q

Open ports and services

A
  • Restrict using an access control list
  • Disable unnecessary services or block ports
  • Block at network perimeter
34
Q

Unsecure protocols

A

Cleartext data transmissions are vulnerable to snooping and eavesdropping

35
Q

Weak encryption

A
  • Storage and transport encryption
  • Key is generated from a weak password
  • Cipher has weaknesses
  • Key distribution is not secure
36
Q

Errors

A

• Error messages that reveal too much information

37
Q

Data breach vs exfiltration

A

• Data breach is where confidential data is read or transferred without authorization
• Data exfiltration is the methods and tools by which an attacker transfers data without authorization

38
Q

Security Assessment Frameworks

A

• Methodology and scope for security assessments

39
Q

NIST SP 800-115

A

NIST’s Technical Guide to Information Security Testing and Assessment

Security Assessment Framework

  • Testing
  • Examining
  • Interviewing
40
Q

Vulnerability assessment versus threat hunting and penetration testing

A

Vulnerability assessment - evaluation of system security and ability to meet compliance

Threat Hunting - actively looking for threats

Pen Testing - inserting threats

41
Q

Vulnerability Scan Types

A

Automated scanners configured with list of known vulnerabilities

  1. Network vulnerability scanner
  2. Application and web application scanners
42
Q

Network vulnerability scanner

A
• Configured with tests for most types of network hosts
• Focused on scanning OS plus some desktop and server applications
43
Q

Application and web application scanners

A

• Configured with application-specific tests

44
Q

SCAP

A
Security Content Automation Protocol (SCAP)
• Mechanism for updating scanner via feed
• Common identifiers (CVE)
45
Q

CVE

A

Common Vulnerabilities and Exposures (CVE)

46
Q

CVSS

A

Common Vulnerability Scoring System (CVSS)

47
Q

Intrusive versus non-intrusive scanning

A

• Non-intrusive scanning (CONSUMES LESS RESOURCES)
  • Passively test security controls
  • Scanners attach to network and only sniff traffic
  • Possibly some low-interaction with hosts (port scanning/banner grabbing)

• Intrusive/active scanning (CONSUMES MORE RESOURCES)
  • Establish network session
  • ***Agent-based scan
48
Q

Credentialed vs non credentialed scanning

A

Non-credentialed
• Anonymous or guest access to host only
• Might test default passwords

Credentialed
• Scan configured with logon
• Can allow privileged access to configuration settings/logs/registry
• Use dedicated account for scanning
49
Q

False positive and false negative

A

you know this

50
Q

Configuration Templates

A
??
Driven by templates of configuration settings
• Open Vulnerability and Assessment Language (OVAL)
• Extensible Configuration Checklist Description Format (XCCDF)
51
Q

Threat Hunting

A

• Use log and threat data to search for IoCs
• Advisories and bulletins
  • Plan threat hunting project in response to newly discovered threat
• Intelligence fusion and threat data
  • Use security information and event management (SIEM) and threat data feed to automate searches
• Maneuver
  • Consider possibility of alerting adversary to the search
  • Use techniques that will give positional advantage

52
Q

Penetration Testing

A

• Pen test or ethical hacking
• Verify threat
  Identify vulnerability and the vector by which it could be exploited
• Bypass security controls
  Identify lack of controls or ways to circumvent existing controls
• Actively test security controls
  Examine weaknesses that render controls ineffective
• Exploit vulnerabilities to prove threat exists (“pwned”)
• Active and highly intrusive techniques, compared to vulnerability assessment

53
Q

Black box vs white box vs gray box

A

• Black box (unknown environment)
• White box (known environment)
• Gray box (partially known environment, e.g. to model insider threat agents)

54
Q

Red team, blue team, white team, purple team

A

• Red team
  • Performs the offensive role
• Blue team
  • Performs the defensive role
• White team
  • Sets the rules of engagement and monitors the exercise
• Purple team
  • Exercise set up to encourage collaboration
  • Red and blue teams share information and debrief regularly
  • Might be assisted by a facilitator
55
Q

War driving

A

Mapping wireless networks

56
Q

Pen Test Attack Life Cycle

A
  • Initial exploitation
    • Obtain a foothold via an exploit
  • Persistence
    • Establish a command & control backdoor
    • Reconnect across host shut down/user log off events
  • Privilege escalation
  • Internal reconnaissance
    • Gain additional credentials and compromise higher privilege accounts
  • Lateral movement
    • Compromise other hosts
  • Pivoting
    • Access hosts with no direct remote connection via a pivot host
  • Actions on objectives
  • Cleanup
57
Q

Service discovery

A

Having identified active IP hosts on the network and gained an idea of the network topology, the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery. Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports.

58
Q

Reconnaissance ==> footprinting, routes, service discovery

A

Type of assessment activity that maps the potential attack surface by identifying the nodes and connections that make up the network.

Footprinting (or topology discovery) - scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network: ipconfig, ifconfig, ping, arp (for MAC addresses), (nmap)

Routes - testing routes and configuration: tracert, traceroute, pathping

Service discovery - the next step in network reconnaissance is to work out which operating systems are in use, which network services each host is running, and, if possible, which application software is underpinning those services. This process is described as service discovery: netstat, nslookup, nmap

59
Q

What tools are used for footprinting (topology discovery)?

A

ipconfig, ifconfig, ping, arp (for MAC addresses)