Lesson 3 Security Assessments Flashcards
Tools for footprinting the network and detecting rogue systems
ipconfig, ifconfig, ip
reports the local IP configurations
ping
test connectivity with a host
use ping sweep to detect live hosts on a subnet
arp
Address Resolution Protocol
shows IP to MAC mappings
detect spoofing (validate MAC of gateway)
Tools for understanding routing
route
shows the local routing table
identify default route and local subnet
check for suspicious entries
tracert/traceroute
test path to a remote host
pathping/mtr
measure latency
IP Scanner tool
nmap (network mapping)
host discovery
- test whether hosts in an IP range respond to probes
port scan
- test whether TCP or UDP ports allow connections
Service Discovery tool
nmap -A
Service Discovery
- scan custom TCP/UDP port ranges
Service and version detection
- fingerprint each port
- protocol
- application version
- OS type
- device type
Local host and hostname resolution tools
netstat
- reports port status on local machine
- can filter by protocol
- shows process ids which opened the port
nslookup
- query name servers
- zone transfers
Other reconnaissance/discovery tools
theHarvester - collate OSINT
dnsenum - collate DNS hosting info, name records
scanless - collate results from 3rd party scanning sites
curl - craft and submit protocol requests
Nessus - perform automated vulnerability scanning
Capturing traffic on the network tools
Sniffer tools
- software that interacts with the host's network driver
- SPAN (switch port analyzer) mirrored ports
- TAP (test access port) to read frames directly from the network media
tcpdump
- attaches to a network interface, such as eth0
- write to pcap
- read from pcap
- filters
Network task tool
netcat
- port scanning and fingerprinting
- command prompt listener over given port
- file transfer over given port
Software vulnerabilities and patching
Exploits for faults in software code
Applications
- various impacts and exploit scenarios
- client vs server apps
OS
- attacker can gain high-level privileges and change system-level files
Firmware
- IoT devices can be hacked
Weak patching process/management
- unknown assets on the network
- failed updates or removed patches
zero-day vulnerabilities
New vulnerability, unknown to vendor
Unable to patch; no fix is known for the attack
used against high value targets
Legacy platform vulnerabilities
No more patches to defend older systems/devices
usually isolated from the rest of the network using ACLs, limiting who can access the device
Weak host configs vulnerabilities
Using default settings, easy to obtain credentials
Unsecured root accounts
Open permissions
All allow a threat actor to gain significant control of the network and its devices to carry out attacks
Weak Network Configurations Vulnerabilities
Open ports and services
Unsecure protocols
Weak Encryption
Errors - messages which reveal too much info about system
Vulnerability impacts
- Data breach
- Data exfiltration
- Identity theft
- Data loss and availability impacts
- Financial impacts
- Reputation impacts
Third-party risks
- Supply chain
- Vendor management
- Outsourced code development
- Data storage
- Cloud-based vs on-premises risks