Midterm Flashcards
Hacking
producing an outcome that the system’s designers never intended or anticipated
Penetration Tester
Simulates cyber attacks for the purpose of improving organizational security. Focus on comprehensiveness.
Red/Purple Team
Simulates cyber attacks like a pen tester,
however, the focus is more on emulating an adversary and testing an organization’s response.
Cyber Operator
Works with or for the military to hunt threats,
protect assets, and provide access to sensitive and secure
environments
Vulnerability Researcher
Searches for yet unknown vulnerabilities
in software or hardware products
Vulnerability Analyst
Analyzes computer networks and/or systems
for the presence of known vulnerabilities
CSIRT (Computer Security Incident Response Team) Analyst or Responder
Respond to and eradicate active threats within an
organization’s computer systems or networks. “Blue” team
Cyber Crime Investigator or Forensic Analyst
Collect and analyze data from computer systems and networks to uncover certain actions or behaviors
Intelligence Analyst
Mitigate risk by collecting and disseminating
information about threats
Software Engineer
Develop and maintain software systems to be resistant to misuse
Ethical Hacking
Combining technical skills and understanding of an
attacker’s mindset to simulate a hostile attacker
IT security audit
Determine whether an organization’s deployed
controls align with the security policy. Focused more on compliance with policy and best practice than assessment
Vulnerability assessment
Survey of a system to identify as many
vulnerabilities as possible. Focused on identifying the vulnerabilities, not necessarily proving that they can be exploited
Penetration test
Assess the security posture of a scoped network
or resource by actively trying to exploit it
Red team
Assess an organization’s response to an emulated adversary
Cyber Operation
Military operation that is an ethical cyber attack or defense
What is the difference between an ethical test and an unethical cyber attack?
Consent
CIA Triad
Confidentiality
Integrity
Availability
Why would a penetration test start from “assumed breach”?
- To provide a test to the customer in the most cost-effective manner
- To accurately simulate insider threats
What are the steps of the Cyber Kill Chain?
Reconnaissance
Scanning
Infiltration and Escalation
Exfiltration
Access Extension
Assault
Obfuscation
CVE
Common Vulnerabilities and Exposures
They represent specific vulnerabilities and exposures.
CWE
Common Weakness Enumeration
They are not specific vulnerabilities, but weaknesses that can lead to vulnerabilities.
Ex. CWE-242: Use of Inherently Dangerous Function
CAPEC
Common Attack Pattern Enumeration and Classification
It is a catalog of types of attacks
Ex. CAPEC-148: Content Spoofing
NVD
National Vulnerability Database
Takes CVEs and pairs them with CVSS severity scores
Open Source Intelligence (OSINT)
derived from data and information that is available to the general public
Footprinting
An adversary engages in probing and exploration activities to
identify constituents and properties of the target
Fingerprinting
An adversary compares output from a target system to
known indicators that uniquely identify specific details about the target
What is the order of Recon?
OSINT
Footprinting
Fingerprinting
Pagodo
A Python module which automates performing Google dorks.
WHOIS
allows us to figure out information about a domain and provides
contact information for that domain
RIR
Regional Internet Registry
Nslookup and Dig
query nameservers for DNS records from a particular domain
Hunter.io
used to find emails and contact info from
people at a company
DNSDumpster
Online tool that compiles information from multiple sources to get a better picture of domain information leakage. Uses multiple sources to find subdomains that you
might not know about
Attack Surface
number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data
Vulnerability
A weakness that can be exploited to gain unauthorized access to a computer system
Order of Scanning
Host Discovery
Port Scanning
OS Identification
Service Identification
Vulnerability Scanning
ICMP Host Discovery Techniques
ICMP Echo Request Ping - Expect ICMP Type 0 Echo Reply if up
ICMP Address Mask Request - Expect ICMP Type 18 Address Mask Reply if up
ICMP Timestamp Request - Expect ICMP Type 14 Timestamp Reply if up
TCP Host Discovery Techniques
TCP SYN Ping - Expect SYN/ACK if up
TCP ACK Ping - Expect RST if up
Other Host Discovery Techniques
UDP Ping - Expect an ‘ICMP port unreachable’ message if up
ARP Ping - Expect to receive ARP reply if up
System Ports
Ports 0-1023
Assigned to specific service by IANA
Usable only by privileged programs
User Ports
Ports 1024-49151
Assigned to specific service by IANA
Usable by unprivileged programs
Dynamic Ports
Ports 9152-65535
used by client programs for source ports
What are the 3 port states?
Open
Closed
Filtered
TCP Port Scanning Techniques
TCP Connect Scan - Open: Connection, Closed: RST
TCP SYN Scan - Open: SYN/ACK, Closed: RST
TCP ACK Scan - Unfiltered: RST, Filtered: No Response
Less Common TCP Port Scanning Techniques
TCP NULL Scan
TCP FIN Scan
TCP Xmas Scan
Open: No response
Closed: RST
UDP Port Scan
Open: Response from service (unlikely) or No response (could also mean filtered)
Closed: ICMP Type 3 Port unreachable error message
Banner Grabbing
Connecting to a service as if we are going to use it, but instead we’re interested in what the service tells us about itself
Masscan
tool for host discovery on large subnets
blasts SYNs without waiting for a reply. When it gets a reply, it
EyeWitness
tool that allows you to collect screenshots from
a list of hosts or from other scan results
Dirbuster
tool that allows you to brute-force enumeration of web addresses based on a wordlist
FFUF
Guesses web addresses based on a wordlist
Vulnerability Management
Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems
What is Nessus used for?
Vulnerability Scanning
Intrusion Detection Systems (IDS)
monitor for threats by looking at network traffic; near real-time
Intrusion Prevention Systems (IPS)
prevents threats found through looking at network traffic; real-time
TAPs
Test Access Points
mirror all packets using an inline device; detection is run on the copies
Slow but don’t drop packets
Preferred
SPAN ports
Switch or router copies packets and sends them out another port to the security tool
Fast but drop lots of packets
Vulnerability
A weakness in a system or network which can be exploited to cause the system to act in an unintended way
Exploit (verb)
Using a vulnerability to cause a system to act in an unintended way
Exploit (noun)
Code that uses a vulnerability to cause a system to act in an
unintended way
Payload
Code which is run on the target system as a result of an exploit
Server-side Exploitation
A server is running and there is some misconfiguration or software bug which allows us to cause the server to act in an unintended way.
Ex: MS17-010, aka Eternal Blue
Client-side
Exploits misconfigurations or bugs in software,
and the trust relationship between the client and server
Ex: Cross-site Scripting (XSS)
Social Engineering
Here we are attacking the “vulnerability” of trust relationships in and by humans.
Ex: Phishing
Post-Exploitation
anything we do after running a payload on the target system
Ex. Credential theft
Access Extension
Making it easier to come back next time
Pivoting
Gaining access to previously unreachable systems
Obfuscation
Covering our tracks
Why do we use reverse shells?
Does not create a new vulnerability on the system for other attackers to use
More likely to bypass firewall restrictions
Connections can be made out of NAT’d environments but not necessarily in
Staged Payload
The original payload fetches another payload and runs it
Pros and Cons of a Staged Payload
Pro:
The original payload is small, which allows it to be easier to use in an exploit with size requirements.
Con:
More complicated
May be easier to detect on the network
Requires additional network connectivity to run the second stage
Stageless Payload
The “real” payload is the original payload
Pros and Cons of a Stageless Payload
Pro: Simpler. No additional network connectivity required
Con: The payload itself is larger
Msfvenom
command line tool that allows you to generate custom
payloads which interact with Metasploit
What Metasploit module is used to catch a reverse shell from an msfvenom payload?
exploit/multi/handler
DNS Domain Hierarchy
Root (.)
Top Level Domains (TLD) (ex. .com, .edu)
Second Level Domain (ex. google, example)
DNS Query Order
Root
TLD
Second Level Domain
How does the Kaminsky attack work?
- Query: What’s the IP address of qwrqqwe.example.com
- Local cache sends request to example.com’s DNS server
- Flood the local cache with spoofed replies with your own NS as the authoritative NS for the domain
How big is the TID in a DNS request or reply?
2 bytes
Username Enumeration
enum4linux - uses NULL sessions
RID Cycling
1. Assume that some common names exist. Using the NULL session,
request the SID for that username.
2. Get a SID
3. The last part is the RID. It’s used to identify
different users in a domain
4. Remove the RID and add a new one, checking for existence. So, start
with 500 (administrator), 501 (guest/nobody), and work your way up
Password Spraying
guess a single (or a few) password(s) across many
usernames. What we are looking for at this point is any valid
credential
Password Cracking
guessing a bunch of passwords, hashing them all, and comparing each one to the hash we have
Dumps the SAM database
post/windows/gather/hashdump
A meterpreter command in the ‘kiwi’ extension used to inject into LSASS
creds_all
Active directory database that cannot be copied with normal file operations
ntds.dit
Has hashes that correspond to the users in /etc/passwd
/etc/shadow
Salting hashes makes it harder to do what type of password cracking?
Rainbow table attack
When cracking a WPA/WPA2 key, why does the attacker perform a deauthentication?
To force an authentication challenge/response
What activity is most likely to cause account lockout
Password guessing