Lesson 8 - Avoiding Detection and Covering Tracks Flashcards
What is the default and popular that is both quick and is able to scan thousands of ports per second
TCP SYN scan
-sS
Name some of the common Nmap command/flags to avoid detection
-sF - sends a TCP FIN to bypass a non-stateful firewall
-f - splits packets into 8 byte fragments to make it hard for packet filtering firewalls and intrusion detection to identify true purpose of the packets.
–randomize-hosts - randomize order of the hosts being scanned
Using the Nmap decoy (-D) serves what purpose?
It makes it appear as if the packets are coming from either a trusted or random device. Essentially allowing the hacker to blend in.
syntax
nmap -D 192.168.1.10 nmap.scanme.org
nmap -D RND:3 nmap.scanme.org
the random option allows you to pick how many different ones
Using the option of a fake IP address is another method but what is the limitation and detail they syntax
The scan might not return results since the target will try to respond to the fake address.
nmap -S google.com scanme.nmap.org
What is the option within Nmap that allows you to use a specific port to fool packet filters
–source-port <#>
-g 53 scanme.nmap.org
probe will appear to have originated from DNS - 53
What is the term for exploit techniques that use standard system tool and packages instead of Malware to launch an attack
Fileless Malware - which are referred to as Living off the Land (LoTL) attacks
Common System tools
Powrshell
WMI
Visual Basic Scripts
Mimikatz - kerberos API
What is one of the most common anti-forensics techniques?
Covering your Tracks
Clearing Log Entries -
Changing Log Entries
Modifying timestamps
What are some methods of clearing log entries
Metasploit meterpreter - clearev - will clear all Windows event logs
wevutil cl Application will clear the Windows app log
echo “” > /var/log/syslog - clear Linux logs
Why would removing log entries be more appropriate and name the methods
Wiping out a log entirely is very suspicious
using the SED - Stream Editor
sed -i ‘/backdr/d’ /var/log/auth.log
Why would changing the log entry also be a better method.
Instead of removing an entry by altering you can put investigators on the wrong path
What is the term when you steal a privileged users token and then perform a malicious act
Incognito
you can use Metasploit meterpreter to list available tokens
What is the Metasploit meterpreter tool used to change timestamps and why is that important
Time is critical on networks, directories, and files.
Files have modification, access, created and entry (MACE) and
TimeStomp - allows you to modify or delete time-stamp related information on files
Erasing all history is another key method for a malicious actor. Name the methods for both Linuz and Windows
You can set your History to Zero before attempting to execute commands
Bash shell - export HISTSIZE=0
BASH - echo “” > ~/.bash_history or history - c
in Windows ALT-F7 for clearing cmd.exe
in Powershell Clear-History cmdlet
When you delete a file in Windows or Linux is it completely gone?
No
You would need to shred the file
Linux - shred -zu /root/keylog.bin
Windows - Cipher /w:c:\path\to\file.ext
What is the term for hiding in plain sight referred to that Malicious Actors utilize
Steganography (Stego)
Name an Open Source tool that is used to conceal a payload in either an image or audio file
Steghide
CLI and UI version
Another tool is OpenStego which is unique since you can embed a watermark
Name some alterntaive methods to conceal information
NT File System Alternate Streams
Concealing with Whitespace - tools such as SNOW
What are some tools that allow you to conceal data in a audio file
Coagula - allows you to synthesize an image within an audio file
Using Audacity - you can display using a spectrogram and see the image
Another tool is Sonic Visualizer
Name the 3 basic elements when using Digital Steganography
Type of Carrier such as music or image
The Payload - secret message
Steganography software
What is the common protocol in Linux to communicate via a CLI (shell)
Secure Socket Shell (SSH)
What is the name of the tool that is considered the swiss army knive of hacking tools and what is its successor
Netcat
ncat
Netcat [options] [target address] [port(s)]
-l listen and default mode
-L windows only “listen harder” mode -persistent
-p port
-u starts in UDP mode (TCP is default)
-e specifies the program to execute when connection is made
What is ncat part of and what tool is it built into.
Nmap Project
Nmap
operates in two modes
Connect (client) or Listen (server) mode
Within Windows OS what are two different ways to manage a remote system via the CLI
Windows Remote Management (WinRM)
PSExec
T or F WinRM is part of the native Windows OS
True
T or F PsExec is part of the native Windows OS
Fales
It is a lightweight program that is part of sysinternals
What is the type of communication that involves using a service that acts on your behalf called and what is a common one
Proxy
Socket Secure (SOCKS)
What is the term for providing an extra layer of protection while communicating by forcing a specific TCP connection so that websites do not see your real IP address.
ProxyChaining
What is the Kali Linux CLI tool that enables PenTesters to mask their identity and/or source IP addresses by sending through intermediary or proxy servers. How does this tool stay anonymous?
ProxyChains4
by using The Onion Router (TOR) - redirects connections through proxy servers
