Lesson 8 - Avoiding Detection and Covering Tracks Flashcards
What is the default and most popular Nmap scan type, which is both quick and able to scan thousands of ports per second?
TCP SYN scan
-sS
Name some of the common Nmap commands/flags used to avoid detection
-sF - sends TCP FIN packets to bypass a non-stateful firewall
-f - splits packets into 8-byte fragments to make it harder for packet-filtering firewalls and intrusion detection systems to identify the true purpose of the packets
--randomize-hosts - randomizes the order of the hosts being scanned
Using the Nmap decoy option (-D) serves what purpose?
It makes it appear as if the packets are coming from either a trusted or a random device, essentially allowing the hacker to blend in.
Syntax:
nmap -D 192.168.1.10 scanme.nmap.org
nmap -D RND:3 scanme.nmap.org
The RND option lets you pick how many random decoys to use.
Using a fake (spoofed) source IP address is another method, but what is its limitation, and what is the syntax?
The scan might not return results, since the target will try to respond to the fake address.
nmap -S google.com scanme.nmap.org
What is the Nmap option that allows you to use a specific source port to fool packet filters?
--source-port <#>
nmap -g 53 scanme.nmap.org
The probe will appear to have originated from DNS (port 53).
What is the term for exploit techniques that use standard system tools and packages instead of malware to launch an attack?
Fileless malware - also referred to as Living off the Land (LotL) attacks
Common system tools:
PowerShell
WMI
Visual Basic scripts
Mimikatz - Kerberos API
What is one of the most common anti-forensics techniques?
Covering your tracks
Clearing log entries
Changing Log Entries
Modifying timestamps
What are some methods of clearing log entries?
Metasploit Meterpreter - clearev - clears all Windows event logs
wevtutil cl Application - clears the Windows Application log
echo "" > /var/log/syslog - clears the Linux syslog
Why would removing individual log entries be more appropriate, and what are the methods?
Wiping out a log entirely is very suspicious.
Using sed - the stream editor
sed -i '/backdr/d' /var/log/auth.log
Why would changing a log entry also be a better method?
Instead of removing an entry, altering it can put investigators on the wrong path.
What is the term for stealing a privileged user's token and then performing a malicious act?
Incognito
You can use Metasploit Meterpreter to list the available tokens.
What is the Metasploit Meterpreter tool used to change timestamps, and why is that important?
Time is critical on networks, directories, and files.
Files have modification, access, created and entry (MACE) timestamps.
TimeStomp - allows you to modify or delete timestamp-related information on files
Erasing all history is another key method for a malicious actor. Name the methods for both Linux and Windows.
You can set your history size to zero before attempting to execute commands.
Bash shell - export HISTSIZE=0
Bash - echo "" > ~/.bash_history or history -c
In Windows, ALT-F7 clears the cmd.exe command history
In PowerShell, the Clear-History cmdlet
When you delete a file in Windows or Linux is it completely gone?
No.
You would need to shred the file.
Linux - shred -zu /root/keylog.bin
Windows - Cipher /w:c:\path\to\file.ext
What is the term for "hiding in plain sight" that malicious actors utilize?
Steganography (Stego)