Lesson 3: Assessing Security Posture with Software Tools Flashcards

1
Q

Reconnaissance

A

A necessary part of attacking a network is to gather information about it. This process of information gathering is referred to as reconnaissance. Reconnaissance techniques can also be used by security professionals to probe and test their own security systems, as part of a security posture assessment.

2
Q

Security posture assessments

A

When information gathering is conducted by a “white hat,” assessments are usually classed as either vulnerability scanning or penetration testing.

3
Q

NIST’s Technical Guide to Information Security Testing and Assessment identifies three principal activities within an assessment:

A
  • Testing the object under assessment to discover vulnerabilities or to prove the effectiveness of security controls.
  • Examining assessment objects to understand the security system and identify any logical weaknesses. This might highlight a lack of security controls or a common misconfiguration.
  • Interviewing personnel to gather information and probe attitudes toward and understanding of security.

Planning an audit will start with a determination of the scope of the assessment and a methodology. The next phase will be to put in place the resources to carry it out (qualified staff, tools, budget, and so on).

4
Q

Vulnerability scanning

A

The process of auditing a network (or application) for known vulnerabilities. Recall that a vulnerability is a weakness that could be triggered accidentally or exploited maliciously by a threat actor to cause a security breach. An unpatched software application, a host with no anti-virus software, and an administrator account with a weak password are examples of vulnerabilities. Vulnerability scanning generally uses passive reconnaissance techniques. A vulnerability scanner would probe the network or application to try to discover issues but would not attempt to exploit any vulnerabilities found. Performing Open Source Intelligence (OSINT) searches represents another type of passive reconnaissance.

Note: Vulnerability scanning can be described as “passive” in terms of comparing it to penetration testing, but note that there is an active component to host-based vulnerability scans. Many types of vulnerability scanners establish a network connection with the target host and exchange data with it. A purely passive test would use only network traffic analysis gathered by a tap or port mirror, but this method does not return very reliable or detailed results.

5
Q

penetration test (pen test) or ethical hacking

A

essentially involves thinking like an attacker and trying to penetrate the target’s security systems. A pen test might involve the following steps:

  • Verify a threat exists—use surveillance, social engineering, network scanners, and vulnerability assessment tools to identify vulnerabilities that could be exploited.
  • Bypass security controls—look for easy ways to attack the system. For example, if the network is strongly protected by a firewall, is it possible to gain physical access to a computer in the building and run malware from a USB stick?
  • Actively test security controls—probe controls for configuration weaknesses and errors, such as weak passwords or software vulnerabilities.
  • Exploit vulnerabilities—prove that a vulnerability is high risk by exploiting it to gain access to data or install malware.

The key difference from passive vulnerability scanning is that an attempt is made to actively test security controls and exploit any vulnerabilities discovered. Pen testing is an active reconnaissance technique.

6
Q

Ground rules (rules of engagement) for any type of security assessment should be made explicit in a contractual agreement and backed by senior management. These guidelines also apply to assessments performed by employees. Some things to consider are:

A
  • Whether to use “No holds barred” or “smash and grab” testing—if agreed, the consultant will try to use any means to penetrate as far into the network and information systems as possible. Alternatively, rules can be agreed to circumscribe this freedom to act to protect data assets and system integrity.
  • Whether to stop at the perimeter—having demonstrated that a vulnerability exists at the network edge, the consultant will stop and not attempt to exploit the breach or view confidential data.
  • Attack profile—attacks come from different sources and motivations. You may wish to test both resistance to external (targeted and untargeted) and insider threats. You need to determine how much information about the network to provide to the consultant:
  • Black box (or blind)—the consultant is given no privileged information about the network and its security systems. This type of test would require the tester to perform the reconnaissance phase. Black box tests are useful for simulating the behavior of an external threat.
  • White box (or full disclosure)—the consultant is given complete access to information about the network. This type of test is sometimes conducted as a follow-up to a black box test to fully evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in this type of test. White box tests are useful for simulating the behavior of a privileged insider threat.
  • Gray box—the consultant is given some information; typically, this would resemble the knowledge of junior or non-IT staff to model particular types of insider threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
  • Test system or production environment—ideally, tests would be performed in a sandbox environment that accurately simulates the production environment. However, this is expensive to set up. It may be very difficult to create a true replica, so potential vulnerabilities may be missed. Using the production environment risks service outages and data loss, especially with the “no holds barred” approach.

Note: Both vulnerability assessments and penetration testing can be disruptive to a network. Passive types of scanning software generate a large amount of network traffic and perform “port enumeration” against devices such as servers and routers. This can overload the network and cause devices to crash. Exploit modules can self-evidently crash a network and may even damage data, if performed carelessly.

  • Out of hours—whether the consultant should only perform testing out of hours to avoid causing problems on a production network. The problem here is that network policies and intrusion detection systems are generally configured to view out of hours access as suspicious, so the penetration testing is not taking place in the network’s “real world” state.
  • Full disclosure of test results to the company in a timely manner. The report should also contain recommendations for remediating vulnerabilities.
  • Confidentiality and non-disclosure (to third parties) by the consultant.
7
Q

Techniques, Tactics, and Procedures (TTP)

A

Analysis of sophisticated adversary Techniques, Tactics, and Procedures (TTP) has established various “kill chain” models of the way modern cyber-attacks are conducted. “No holds barred” penetration testing will generally use the same sort of techniques.

8
Q

Reconnaissance phase techniques

A

Reconnaissance activities can be classed as passive or active. Passive reconnaissance is not likely to alert the target of the investigation as it means querying publicly available information. Active reconnaissance has more risk of detection. Active techniques might involve gaining physical access to premises or using scanning tools on the target’s web services and other networks.

  • Open Source Intelligence (OSINT)—this refers to using web search tools and social media to obtain information about the target. It requires almost no privileged access as it relies on finding information that the company makes publicly available, whether intentionally or not.
  • Social engineering—this refers to obtaining information, physical access to premises, or even access to a user account through the art of persuasion.
  • Scanning—this refers to using software tools to obtain information about a host or network topology. Scans may be launched against web hosts or against wired or wireless network segments, if the attacker can gain physical access to them.
9
Q

Initial exploitation phase (also referred to as weaponization)

A

An exploit is used to gain some sort of access to the target’s network. This initial exploitation might be accomplished using a phishing email and payload or by obtaining credentials via social engineering.

10
Q

Persistence

A

refers to the tester’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the tester must establish a Command and Control (C2 or C&C) network to use to control the compromised host (upload tools and download data). The connection to the compromised host will typically require a malware executable to run and a connection to a network port and the attacker’s IP address (or range of IP addresses) to be available.

Persistence will be followed by further reconnaissance, where the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it.

11
Q

pivot point

A

Having obtained a persistent foothold on the network and performed internal reconnaissance, the next likely objective is to obtain a pivot point. This is a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread).

12
Q

escalating the privileges

A

The tester likely has to find some way of escalating the privileges available to him/her. For example, the initial exploit might give him/her local administrator privileges. He or she might be able to use these to obtain system privileges on another machine and then domain administrator privileges from another pivot point.

13
Q

action on objectives

A

At this point, an adversary may be in a position to perform action on objectives, such as stealing data from one or more systems (data exfiltration). From the perspective of a pen tester, it would be a matter of the scope definition whether this would be attempted. In most cases, for a pen tester to have penetrated this far would be cause for urgent remedial work on the company’s security systems.

14
Q

Follow these guidelines when implementing penetration testing:

A
  • Consider the benefits of conducting a penetration test in addition to or instead of a vulnerability assessment.
  • Be aware of the risks involved in conducting a pen test.
  • Consider implementing pen test techniques as different phases in a simulated attack.
  • Consider conducting pen tests using different types of box testing methods.
  • Understand the different reconnaissance requirements associated with each box testing method.
15
Q

Topology discovery (or “footprinting”)

A

part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network. Organizations will also use topology discovery as an auditing technique to build an asset database and identify non-authorized hosts (rogue system detection) or network configuration errors.

16
Q

An attacker attempting to work out the network topology stealthily faces several problems:

A
  • Gaining access to the network—both the challenge of connecting to the physical wired or wireless network and of circumventing any access control or authentication mechanisms that could block his or her equipment from receiving network traffic.
  • Scanning stealthily—to prevent the network owner detecting and blocking the scans and being alerted to an intrusion event.
  • Gaining access to the wider network from the local segment—this may involve defeating access control lists on routers and firewalls.
17
Q

network mapping tool

A

performs host discovery and identifies how the hosts are connected together on the network.

18
Q

ipconfig (Windows) command

A

command can be used to report the configuration assigned to the network adapter. The attacker can identify whether the network uses DHCP or a static IP addressing scheme.

19
Q

ifconfig command

A

In Linux, the ifconfig command can be used to report the adapter configuration and enable or disable it or apply a different static IP configuration. Going forward, the ip command is intended to replace ifconfig. ip is a more powerful tool, with options for managing routes as well as the local interface configuration. The basic functionality of ifconfig (show the current address configuration) is performed by running ip a.

20
Q

ping command

A

can be used to detect the presence of a host on a particular IP address or that responds to a particular host name. You can use ping with a simple script to perform a ping sweep.

21
Q

Address Resolution Protocol (ARP)

A

A machine’s Address Resolution Protocol (ARP) cache can also be examined for host entries (using the arp -a command). The ARP cache shows the hardware (MAC) address of the interface associated with each IP address the local host has communicated with recently.

22
Q

Nmap Security Scanner

A

Most topology discovery is performed using a dedicated tool like the Nmap Security Scanner (https://nmap.org). Nmap can use diverse methods of host discovery, some of which can operate stealthily and serve to defeat security mechanisms such as firewalls and intrusion detection. The tool is open source software with packages for most versions of Windows, Linux, and macOS®. It can be operated with a command line or via a GUI (Zenmap).

The basic syntax of an Nmap command is to give the IP subnet (or IP address) to scan. When used without switches like this, the default behavior of Nmap is to ping and send a TCP ACK packet to ports 80 and 443 to determine whether a host is present. On a local network segment, Nmap will also perform ARP and ND (Neighbor Discovery) sweeps. If a host is detected, Nmap performs a port scan against that host to determine which services it is running. This OS fingerprinting can be time-consuming on a large IP scope and is also non-stealthy. If you want to perform only host discovery, you can use Nmap with the -sn switch (or -sP in earlier versions) to suppress the port scan.

23
Q

tracert (Windows) or traceroute (Linux) command

A

tools provide a simple means of probing the path from one end system (host) to another, listing the intermediate systems (routers) providing the link.

You can use source routing options within tracert to pre-determine the path taken, but to discover a complete internetwork topology, you need a more advanced tool. You can use Nmap with the --traceroute option to record the path to an IP target address. The Zenmap tool can use this information to display a graphic of the detected network topology.

24
Q

whois command

A

An attacker might be able to obtain useful information by examining a company’s domain registration records by running a whois lookup against the appropriate registry. The whois command is part of Linux and for Windows users is available as one of the utilities in the Sysinternals suite.

25
Q

DNS

A

An attacker may also test a network to find out if the DNS service is misconfigured. A misconfigured DNS may allow a zone transfer, which will give the attacker the complete records of every host in the domain, revealing a huge amount about the way the network is configured.

26
Q

nslookup command

A

You can use the nslookup command in interactive mode to attempt a zone transfer.

27
Q

dig command from any Linux or UNIX machine

A

You can also use the dig command from any Linux or UNIX machine with the dnsutils package installed.

The command is an acronym for domain internet groper (dig). A zone transfer is often called an “axfr” after this switch sequence.

28
Q

DNS harvesting

A

If DNS harvesting is successful, you will obtain IP addresses for servers in the target domain. You can use an IP geolocation tool to identify the approximate geographic location of the servers.

29
Q

To perform network topology discovery:

A
  • Use ipconfig to return the host address configuration of a Windows machine. Use ifconfig/iwconfig or ip on a Linux host.
  • Use the ping tool to perform a connectivity test. You can use a ping sweep and then the arp command to harvest MAC addresses of local hosts.
  • Perform host discovery and network mapping using a dedicated tool such as Nmap. The switches -sn or -sP will suppress port scanning.
  • Use tracert (Windows) or traceroute (Linux) to test the path to a host on a remote network.
  • Use whois, nslookup (Windows), and dig (Linux) to query DNS records.
30
Q

“hosts of interest”

A

Having identified active IP hosts on the network and gained an idea of the network topology, the next step for an attacker is to identify “hosts of interest.” The attacker will want to work out which operating systems are in use (for both PC hosts and network appliances, such as switches, routers, and firewalls) and which network services each host is running (and if possible, which application software is underpinning those services). This process is described as service discovery. Service discovery can also be used defensively, to probe potential rogue systems and identify the presence of unauthorized network service ports or traffic.

31
Q

fingerprinting

A

The detailed analysis of services on a particular host is often called fingerprinting. This is because each OS or application software that underpins a network service responds to probes in a unique way. This allows the scanning software to guess at the software name and version, without having any sort of privileged access to the host.

32
Q

netstat command

A

allows you to check the state of ports on the local machine (Windows or Linux). You can use netstat to check for service misconfigurations (perhaps a host is running a web or FTP server that a user installed without authorization). You may also be able to identify suspect remote connections to services on the local host or from the host to remote IP addresses. If you are attempting to identify malware, the most useful netstat output is to show which process is listening on which ports. Note that an Advanced Persistent Threat (APT) might have been able to compromise the netstat command to conceal the ports it is using, so a local scan may not be completely reliable.

33
Q

On Windows, used without switches, the command outputs active TCP connections, showing the local and foreign addresses and ports. The following additional switches can be used:

A
  • -a displays all connections (active TCP and UDP connections plus ports in the listening state).
  • -b shows the process name that has opened the port.
  • -o shows the Process ID (PID) number that has opened the port.
  • -n displays ports and addresses in numerical format. Skipping name resolution speeds up each query.
  • -s shows per protocol statistics, such as packets received, errors, discards, unknown requests, port requests, failed connections, and so on.
  • -p proto displays connections by protocol (TCP or UDP or TCPv6/UDPv6). When used with -s, this switch can also filter the statistics shown by IP, IPv6, ICMP, and ICMPv6.
  • -r shows the routing table.
  • -e displays Ethernet statistics.

The utility can also be set to run in the background by entering netstat nn, where nn is the refresh interval in seconds (press CTRL+C to stop).

34
Q

Linux supports a similar utility with some different switches. Used without switches, it shows active connections of any type.

A

If you want to show different connection types, you can use the switches for Internet connections for TCP (-t) and UDP (-u), raw connections (-w), and UNIX sockets/local server ports (-x). For example, the following command shows Internet connections (TCP and UDP) only: netstat -tu

35
Q

Some of the other switches are as follows:

A
  • -a includes ports in the listening state in the output.
  • -p shows the Process ID (PID) number that has opened the port (similar to -o on Windows).
  • -r shows the routing table.
  • -i displays interface statistics (similar to -e on Windows).
  • -e displays extra information.
  • -c sets output to update continuously.
36
Q

Nmap

A

When Nmap completes a host discovery scan, it will report on the state of each port scanned for each IP address in the scope. At this point, the attacker can run service discovery scans against one or more of the active IP addresses. The main problem for a malicious attacker is to perform this type of scanning without being detected. Service discovery scans can take minutes or even hours to complete and Intrusion Detection Systems (IDS) can easily be programmed with rules to detect Nmap scanning activity and block it.

Note: While we describe some scans as being more or less stealthy, you should note that a well-configured IDS will be able to detect the vast majority of Nmap scanning techniques.

37
Q

The following represent some of the main types of scanning that Nmap can perform:

A
  • TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it. The target’s response to the scan’s SYN packet identifies the port state.
  • TCP connect (-sT)—a half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap has to use the OS to attempt a full TCP connection. This type of scan is less stealthy.
  • TCP flags—you can scan by setting TCP headers in unusual ways. A Null (-sN) scan sets the header bit to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. This was a means of defeating early types of firewalls and IDS.
  • UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
  • Port range (-p)—by default, Nmap scans 1000 commonly used ports. Use the -p argument to specify a port range.
38
Q

OS fingerprinting

A

When services are discovered, you can use Nmap with the -sV or -A switch to probe a host more intensively to discover the following information:

  • Protocol—do not assume that a port is being used for its “well known” application protocol. Nmap can scan traffic to verify whether it matches the expected signature (HTTP, DNS, SMTP, and so on).
  • Application name and version—the software operating the port, such as Apache® web server or Internet Information Services (IIS) web server.
  • OS type and version—use the -O switch to enable OS fingerprinting (or -A to use both OS fingerprinting and version discovery).
  • Host name.
  • Device type—not all network devices are PCs. Nmap can identify switches and routers or other types of networked devices, such as NAS boxes, printers, and webcams.

Nmap comes with a database of application and version fingerprint signatures, classified using a standard syntax called Common Platform Enumeration (CPE). Unmatched responses can be submitted to a web URL for analysis by the community.

39
Q

Banner grabbing

A

refers to probing a server to try to elicit any sort of response that will identify the server application and version number or any other interesting detail about the way the server is configured. This information allows an attacker to identify whether the server is fully patched and to look up any known software vulnerabilities that might be exposed.

To avoid being targeted through banner grabbing, it is often possible to reconfigure the services affected to modify the information returned, so as to either withhold any information that could potentially be of use to an attacker or to return plausible false values.

40
Q

Organizationally Unique Identifier (OUI) grabbing

A

The 24-bit prefix of a network interface’s MAC address (known as the OUI or Organizationally Unique Identifier) identifies the manufacturer of the network adapter and thereby the manufacturer of an appliance, such as a router, switch, network printer, and so on. An attacker can then target the device with known exploits for devices from this manufacturer, such as default login credentials. There is little that can be done to address this issue, other than to ensure that default credentials have been changed and that firmware is kept up to date so that known issues are addressed.

41
Q

protocol analyzer

A

One of the most important tools in network security (both from the perspective of an adversary and for security posture assessment) is a protocol analyzer.

42
Q

eavesdropping

A

The protocol analyzer is a tool that facilitates eavesdropping. Eavesdropping is also a valuable counterintelligence technique because it can be used to detect hostile or malicious traffic passing over unauthorized ports or IP ranges. For the attacker, the difficulty in performing eavesdropping lies in attaching a sniffer to the network medium at a suitable point to obtain traffic from hosts of interest. For the security analyst, all the contents of the network are fully available (if enough sensors are positioned appropriately); the problem lies in identifying suspicious traffic.

43
Q

sniffer

A

A sniffer is a tool that captures frames moving over the network medium. This might be a cabled or wireless network.

A simple software-based sniffer will simply interrogate the frames received by the network adapter by installing a special driver. Examples include libpcap (for UNIX and Linux) and its Windows version winpcap. These software libraries allow the frames to be read from the network stack and saved to a file on disk. Most also support filters to reduce the amount of data captured. A hardware sniffer might be capable of tapping the actual network media in some way or be connected to a switch port. Also, a hardware sniffer might be required to capture at wirespeed on 1+ Gbps links (or faster). A workstation with basic sniffer software may drop large numbers of frames under heavy loads.

44
Q

promiscuous mode

A

By default, a network card only receives frames that are directed to that card (unicast or multicast traffic) or broadcast messages. Most sniffers can make a network adapter work in promiscuous mode, so that it receives all traffic within the Ethernet broadcast domain, whether it is intended for the host machine or not. While this approach works for hosts connected via a hub, hubs are almost completely obsolete. On a switched network, the switch makes decisions about which port to forward traffic to, based on the destination address and what it knows about the hosts connected to each port.

45
Q

port mirroring

A

To sniff all traffic on a switched network, the switch must be overcome using an ARP poisoning attack or similar. Most switches also support port mirroring. This forwards copies of traffic on one or more standard ports to a designated mirror port. This allows legitimate sniffing applications and devices to monitor network traffic.

46
Q

protocol analyzer (or packet analyzer)

A

works in conjunction with a sniffer to perform traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) file. Protocol analyzers can decode a captured frame to reveal its contents in a readable format. You can choose to view a summary of the frame or choose a more detailed view that provides information on the OSI layer, protocol, function, and data.

47
Q

preventing eavesdropping

A

Eavesdropping requires physical access to the network and the ability to run the protocol analyzer software. This means that in order to prevent eavesdropping you need to control the use of this kind of software by making sure that it is only installed and used by authorized users. You also need to prevent the unauthorized attachment of devices. This is typically achieved by configuring some sort of switch port security. You can also mitigate eavesdropping by ensuring that the network traffic (or at least confidential information passing over the network) is encrypted.

48
Q

Any number of tools are available to perform packet capture and network monitoring:

A

TCPDUMP
tcpdump is a command-line packet capture utility for Linux, though a version of the program is available for Windows. The basic syntax of the command is tcpdump -i eth0, where eth0 is the interface to listen on (you can substitute with the keyword any to listen on all interfaces of a multi-homed host). The utility will then display captured packets until halted manually (Ctrl+C). The operation of the basic command can be modified by switches.

WIRESHARK
Wireshark is an open source graphical packet capture and analysis utility, with installer packages for most operating systems. Having chosen the interfaces to listen on, the output is displayed in a three-pane view, with the top pane showing each frame, the middle pane showing the fields from the currently selected frame, and the bottom pane showing the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers of hundreds of network protocols. You can apply a capture filter using the same expression syntax as tcpdump. You can also apply display filters using a different and more powerful set of expressions (a query can be built via the GUI tools, too). Another useful option is to use the Follow TCP Stream context command to reconstruct the packet contents for a TCP session.

49
Q

packet injection

A

Some attacks depend on sending forged or spoofed network traffic. Often network sniffing software libraries allow frames to be inserted (or injected) into the network stream. There are also tools that allow for different kinds of packets to be crafted and manipulated. Well-known tools used for packet injection include Dsniff (https://monkey.org/~dugsong/dsniff/), Ettercap (http://www.ettercap-project.org/ettercap), hping (http://hping.org), Nemesis (http://nemesis.sourceforge.net), and Scapy (http://scapy.net/).

50
Q

wireless scanner

A

Several tools are available to probe and audit wireless networks. A wireless scanner can be used to detect the presence of such networks and report the network name (SSID), the MAC address of the access point (BSSID), the frequency band (2.4 or 5 GHz) and radio channel used by the network, and the security mode.

Tools are also available to sniff packets as they are transmitted wirelessly. As with promiscuous mode on Ethernet, sniffing non-unicast wireless traffic requires a wireless adapter driver that supports monitor mode. While this is often possible in Linux, under Windows it is usually necessary to obtain a wireless adapter designed specifically for packet capture.

51
Q

To decode wireless packets, an attacker must overcome (or “crack”) the encryption system. There is an Aircrack-ng suite of utilities (https://www.aircrack-ng.org) designed for wireless network security testing. Installers are available for both Linux and Windows. The principal tools in the suite are as follows:

A
  • airmon-ng—enable and disable monitor mode.
  • airodump-ng—capture 802.11 frames.
  • aireplay-ng—inject frames to perform an attack to obtain the authentication credentials for an access point.
  • aircrack-ng—decode the authentication key.

52
Q

remote access trojan (RAT)

A

software that gives an adversary the means of remotely accessing the network. From the perspective of security posture assessment, a pen tester might want to try to establish this sort of connection and attempt to send corporate information over the channel (data exfiltration). If security controls are working properly, this attempt should be defeated (or at least detected). There are any number of remote access and backdoor systems, with historical examples including BackOrifice, SubSeven, Poison Ivy, Zeus, ProRat, NJRat, XTremeRAT, KilerRat, Blackshades, and Dark Comet. Their popularity in use in actual attacks is largely driven by their ability to evade detection systems, coupled with the range of tools they provide for enumerating and exploiting the victim system.

One simple but effective tool is Netcat (nc), available for both Windows and Linux. To configure Netcat as a backdoor, you first set up a listener on the victim system (IP: 10.1.0.1) set to pipe traffic from a program, such as the command interpreter, to its handler

53
Q

Steganography

A

(literally meaning “hidden writing”) is a technique for obscuring the presence of a message. Typically, information is embedded where you would not expect to find it (a message hidden in a picture, for instance). The container document or file is called the covertext. A steganography tool is software that facilitates this (or conversely can be used to detect the presence of a hidden message within a covertext). When used to conceal information, steganography amounts to “security by obscurity,” which is usually deprecated. However, a message can be encrypted by some mechanism before embedding it, providing confidentiality. The technology can also provide integrity or non-repudiation; for example, it could show that something was printed on a particular device at a particular time, which could demonstrate that it was genuine or a fake, depending on context.

examples of steganography:

  • Encoding messages within TCP packet data fields to create a covert message channel. Another approach is to change the least significant bit of pixels in an image file (the cover file); this can code a useful amount of information without distorting the original image noticeably. These methods might be used to exfiltrate data covertly, bypassing protection mechanisms such as Data Loss Prevention (DLP).
  • Using the design and color of banknotes to embed a watermark. This method is employed by the Counterfeit Deterrence System (CDS). CDS is now incorporated on banknotes for many currencies. When a copy device or image editing software compatible with CDS detects the watermark embedded in the currency design, it prevents reproduction of the image, displaying an error message to the user. Anti-counterfeiting measures for currency are overseen by the Central Bank Counterfeit Deterrence Group (CBCDG).

The use of steganography to identify the source of output is also illustrated by the automatic incorporation of watermarks on all printed output by some models of printers. These watermarks are printed as tiny yellow dots, invisible to the naked eye. The pattern identifies the printer model, serial number, and date and time of printing. This prevents output from commercial printers being used for forging secure documents, such as banknotes or passports.

54
Q

To perform host fingerprinting:

A
  • Use netstat to report local ports and connections with a switch such as -o (Windows) or -p (Linux) to show the process using the port.
  • Use Nmap scan techniques such as half-open scanning (-sS) to improve scan speeds.
  • Use Nmap’s -A switch (or use selected scripts) to perform OS fingerprinting.

55
Q

To perform packet sniffing using software tools:

A
  • Connect a sniffer to an appropriate point on the network, such as a mirrored switch port or network media tap.
  • Configure the packet capture driver utility and software to write frames to a file. Optionally, you can set a capture filter to reduce the number of frames recorded to the file.
  • Use analysis software such as Wireshark to examine captured data:
      • Frame-level information such as host MAC addresses.
      • Internet Protocol (IP)-level information such as source and destination addresses.
      • Transport-level information such as source and destination ports.
      • Application-level data.
  • Use display filters and sort tools to locate frames of interest.
  • Use a wireless scanner to locate nearby wireless networks and identify their basic configuration.
  • Use a wireless packet capture/cracker utility to record wireless traffic and attempt to decode it.

56
Q

one of the common tasks you perform as an information security professional

A

Performing vulnerability scans

57
Q

vulnerability assessment

A

A vulnerability assessment is an evaluation of a system’s security and ability to meet compliance requirements based on the configuration state of the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration (the baseline). Vulnerability assessments might involve manual inspection of security controls but are more often accomplished through automated vulnerability scanners.

58
Q

vulnerability scanner

A

A vulnerability scanner examines an organization’s systems, applications, and devices and compares the scan results to configuration templates plus lists of known vulnerabilities. The result is a report showing the current state of operation and the effectiveness of any security controls. Typical results from a vulnerability assessment will identify common misconfigurations, the lack of necessary security controls, and other related vulnerabilities. Like many other security posture assessment tools, vulnerability scanners are “dual-use” tools, equally useful to those seeking to penetrate a network and to those given the task of resisting such attacks.

The first phase of scanning might be to run a detection scan to discover hosts on a particular IP subnet. Each scanner is configured with a database of known vulnerabilities. In the next phase of scanning, a target range of hosts is probed to detect running services, patch level, security configuration and policies, network shares, unused accounts, weak passwords, rogue access points and servers, anti-virus configuration, and so on.

The tool then compiles a report about each vulnerability in its database that was found to be present on each host. Each identified vulnerability is categorized and assigned an impact warning. Most tools also suggest current and ongoing remediation techniques. This information is highly sensitive, so use of these tools and the distribution of the reports produced should be restricted to authorized hosts and user accounts.

59
Q

vulnerability scanner types

A

One of the best known software scanners is Tenable Nessus (https://www.tenable.com/products/nessus/nessus-professional). Because Nessus was previously open source, its code base also forms the basis of many other scanners. Greenbone OpenVAS (http://www.openvas.org) is open source software, originally developed from the Nessus codebase at the point where Nessus became commercial software. It is available as a Community Edition VM, as an enterprise product called Greenbone Security Manager (https://www.greenbone.net), and as source code or pre-compiled packages for installation under Linux. Some other vulnerability scanners include SAINT (https://www.saintcorporation.com/security-suite), BeyondTrust Retina (https://www.beyondtrust.com/resources/datasheets/retina-network-security-scanner), and Rapid7 NeXpose (https://www.rapid7.com/products/nexpose).

Another class of scanner aims to identify web application vulnerabilities specifically. Tools such as Nikto (https://cirt.net/Nikto2) look for known software exploits, such as SQL injection and XSS, and may also analyze source code and database security to detect insecure programming practices.

Some scanners work remotely by contacting the target host over the network. Other scanner types use agents installed locally on each host to perform the scanning and transmit a report to a management server.

As with anti-malware software, a vulnerability scanner needs to be kept up to date with information about known vulnerabilities. This database is supplied by the scanner vendor as a feed or subscription.

60
Q

Active scanning techniques

A

involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host. This is more likely to cause performance problems with the host, so active scans are very often scheduled during periods of network downtime. Active techniques are more likely to detect a wider range of vulnerabilities in host systems and can reduce false positives. A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not. It is important for you to understand the risks of acting on a false positive, as attempting to resolve a non-existent or misattributed issue by making certain configuration changes could have a significant negative impact on the security of your systems.

61
Q

Passive scanning techniques

A

A scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities. A passive scanner may also use limited interaction techniques, such as banner grabbing. These passive techniques will not normally cause performance problems in the server or host being scanned, but they will only return a limited amount of information.

62
Q

non-credentialed scan

A

one that proceeds without being able to log on to a host. Consequently, the only view obtained is the one that the host exposes to the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces but they are not given any sort of privileged access.

63
Q

credentialed scan

A

given a user account with logon rights to various hosts plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also demonstrates what an insider attack or one where the attacker has compromised a user account may be able to achieve.

64
Q

lack of controls

A

vulnerability scan would also look at the configuration of security controls and application settings and permissions. Generally speaking, this sort of testing requires a credentialed scan.

65
Q

misconfiguration

A

vulnerability scan would also look at the configuration of security controls and application settings and permissions. Generally speaking, this sort of testing requires a credentialed scan.

66
Q

configuration compliance scan

A

some scanners measure systems and configuration settings against best practice frameworks (a configuration compliance scan). This might be necessary for regulatory compliance or you might voluntarily want to conform to externally agreed standards of best practice.

67
Q

non-intrusive scanning type

A

Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing things such as build and patch levels or system policies.

68
Q

exploitation framework

A

a means of running intrusive scanning. An exploitation framework uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities. This might involve considerable disruption to the target, including service failure, and can put data security at risk.

The framework comprises a database of exploit code, each targeting a particular CVE (Common Vulnerabilities and Exposures). The exploit code can be coupled with modular payloads. Depending on the access obtained via the exploit, the payload code may be used to open a command shell, create a user, install software, and so on. The custom exploit module can then be injected into the target system. The framework may also be able to disguise the code so that it can be injected past an intrusion detection system or anti-virus software.

The best-known exploit framework is Metasploit (https://www.metasploit.com). The platform is open source software, now maintained by Rapid7. There is a free framework (command-line) community edition with installation packages for Linux and Windows. Rapid7 produces pro and express commercial editions of the framework and it can be closely integrated with the Nexpose vulnerability scanner.

69
Q

honeypot

A

a computer system set up to attract attackers, with the intention of analyzing attack strategies and tools, to provide early warnings of attack attempts, or possibly as a decoy to divert attention from actual computer systems. Another use is to detect internal fraud, snooping, and malpractice.

Deploying a honeypot or honeynet can help an organization to improve its security systems, but there is the risk that the attacker can still learn a great deal about how the network is configured and protected from analyzing the honeypot system. Many honeypots are set up by security researchers investigating malware threats, software exploits, and spammers’ abuse of open relay mail systems. These systems are generally fully exposed to the Internet. On a production network, a honeypot is more likely to be located in a protected but untrusted area between the Internet and the private network, referred to as a Demilitarized Zone (DMZ), or on an isolated segment on the private network. This provides early warning and evidence of whether an attacker has been able to penetrate to a given security zone.

70
Q

honeynet

A

A honeynet is an entire decoy network. This may be set up as an actual network or simulated using an emulator.

71
Q

To configure vulnerability scanners:

A
  1. Configure a host to run the vulnerability scanner management software. This will host scanner plug-ins/subscription feeds, allow administrators to run and schedule scans, and store scan reports.
  2. Make sure the scanner is obtaining updates via a plug-in/subscription service.
  3. Optionally, configure scanners to run on different network segments or agents to scan hosts. Use credentialed scanning to allow the scan process to establish a session with each host and obtain more detailed configuration information.
  4. Create or adapt a scanning profile or template to account for your organization’s security profile and/or any framework or regulatory compliance requirement.
  5. Distribute scan reports to authorized personnel for analysis and identification of false positives and false negatives. Tune scan templates to eliminate false positives, if possible.
  6. Optionally, schedule intrusive tests with exploit framework tools to assess the risk of identified vulnerabilities.