Post Class Review Flashcards
What are the countermeasures against MAC Flood and MAC Spoofing attacks?
- Port Security
- IP Source Guard (uses the DHCP snooping binding table)
- DAI (Dynamic ARP Inspection)
- ARPWatch
- ARPWall
Describe DHCP Starvation attack
Exhausting the pool of IP addresses on a DHCP server
DHCP Starvation attack countermeasure
Port Security
Describe Rogue DHCP Attack
Unauthorized DHCP server
Rogue DHCP Attack countermeasure
DHCP snooping
How do you evade IDS Signature Detection
- Encryption
- IP Fragmentation (IP fragment scanning)
How do you evade IDS Anomaly Detection?
Session splicing
Nmap setting for session splicing
Timing template (-T0 to -T5)
-T0 slowest (paranoid), spreads probes out so the anomaly engine sees no burst
-T5 fastest (insane)
Application proxies provide privacy (security through obscurity) and:
content filtering (data+commands)
How to defend against Spoofing, ARP poisoining?
ARPWALL
ARPWatch
Private VLANS
Using Static ARP entries for servers&routers
Full Open Scan
SYN –> SYN/ACK –> ACK
nmap -sT
TCP Connect scan completes the 3 way handshake (uses the OS connect() call, so it is logged by the target like any normal connection)
Half open scan
SYN –> SYN/ACK –> RST (handshake is never completed)
nmap -sS
Stealth scan, SYN scan
Can be sent with a spoofed source IP (nmap -S) or decoys (nmap -D); may pass stateless firewall rules that only block completed connections
XMas scan
nmap -sX
FIN, URG, PSH
Shared traits of XMAS, Null, FIN scans
No response = port open (or filtered; nmap reports open|filtered)
RST = port closed
Windows (and some other non-RFC-793 stacks) always answer RST, so these scans cannot tell open from closed there
nmap switch:
TCP Connect/Full Open Scan
nmap -sT
Completes 3 way handshake
nmap switch:
Stealth Scan/Half Open Scan/Syn scan
nmap -sS
Can be sent with a spoofed source IP (nmap -S) or decoys (nmap -D); may pass stateless firewall rules
nmap switch:
XMas scan
nmap -sX
FIN, URG, PSH
nmap switch:
FIN scan
-sF
nmap switch:
Null scan
no flags -sN
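The flag combinations above are easier to remember when you see what actually goes on the wire. The following is an added example (not from the flashcard deck and not nmap code) that builds a raw TCP header for each scan type with a valid checksum and interprets the target's reply the way the cards describe. The addresses and ports are constructed for the example.

```python
import socket
import struct

# TCP flag bits, as laid out in the flags byte of the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What each nmap scan type sets in its probe
SCAN_FLAGS = {
    "-sS": SYN,               # half-open / stealth scan
    "-sN": 0,                 # Null scan: no flags at all
    "-sF": FIN,               # FIN scan
    "-sX": FIN | PSH | URG,   # Xmas scan: FIN, PSH, URG "lit up"
    "-sA": ACK,               # ACK scan (firewalking)
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # The TCP checksum also covers this IP pseudo-header
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                    flags: int, seq: int = 0) -> bytes:
    """Return a 20-byte TCP header (no options) carrying `flags`, checksum filled in."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         data_offset, flags, 1024, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(segment: bytes) -> int:
    """The flags byte sits at offset 13 of the TCP header."""
    return segment[13]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Summing a segment that already contains its checksum must give zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify_response(scan: str, response_flags):
    """Interpret the target's answer; response_flags is None when nothing came back."""
    if scan in ("-sN", "-sF", "-sX"):
        if response_flags is None:
            return "open|filtered"   # RFC 793 stacks stay silent on an open port
        if response_flags & RST:
            return "closed"          # Windows sends RST for every port, so never 'open' here
    elif scan == "-sS":
        if response_flags is None:
            return "filtered"
        if response_flags & SYN and response_flags & ACK:
            return "open"
        if response_flags & RST:
            return "closed"
    elif scan == "-sA":
        return "filtered" if response_flags is None else "unfiltered"
    return "unknown"


if __name__ == "__main__":
    probe = build_tcp_probe("192.168.10.5", "192.168.10.20", 40000, 80, SCAN_FLAGS["-sX"])
    print("Xmas probe flags byte: 0x%02x" % tcp_flags(probe))
    print("checksum valid:", checksum_ok("192.168.10.5", "192.168.10.20", probe))
```

Sending these on a real network requires a raw socket (and root); the point here is the byte layout: an Xmas probe has flags byte 0x29, a Null probe 0x00, and the classification is only reliable on RFC-compliant stacks.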
nmap switch:
Idle scan
nmap -sI
You need a zombie to determine if port is open/closed
Idle scan
IPID + 2 = port open
IPID + 1 = port closed
zombie must be idle
Nmap switch:
OS
nmap -O
Nmap switch:
output
nmap -oN (normal), -oX (XML), -oG (grepable), -oA (all three)
Nmap syntax:
Network scan of the entire subnet 192.168.10.0
nmap -sn 192.168.10.0/24
Nmap syntax:
Network scan of all hosts from 192.168.10.200 to 192.168.10.250
nmap -sn 192.168.10.200-250
Nmap switch:
network scan
nmap -sn
ICMP Message Type
Request
8
ICMP Message Type
Response
0
ICMP Message Type
Unreachable
3
ICMP Message Type
TTL Expired (Time Exceeded)
11
ICMP Message Type 3 Code 1
Host
ICMP Message Type 3 Code 0
Network
ICMP Message Type 3 Code 2
Protocol
ICMP Message Type 3 Code 3
Port
ICMP Message Type 3 Code 13
Admin Prohibited
MultiFactor Authentication
K- Know
Passwords, PINS
MultiFactor Authentication
A - Are
Biometric
MultiFactor Authentication
H - Have
Token, Card
A token is which combination of multi factors?
Know + Have
Best combination of multi factor authentication?
Know + Have + Are (Token + Biometric)
Polymorphic (XOR’d) Shellcode
Payload is XOR-encoded with a different key each time and prepended with a small decoder stub, so the byte signature changes while the decoded code stays the same
Metamorphic Virus
Both algorithm and signature changes
Describe Vulnerability scanning
Identify weaknesses
Limitations on vulnerability scanning
Can only discover known vulnerabilities
Auditing vs Vulnerability Scanning vs Pen Testing
Auditing- testing for compliance
Vulnerability scanning- Passive
Pen testing - active
SQL Injection:
‘
’ tests if database is susceptible to SQLi
SQL injection:
–
– is end of line/single line commands
SQL Injection:
+, ||
+ (MS SQL Server) and || (Oracle, PostgreSQL) are string concatenation operators
SQL Injection:
UNION
UNION joins multiple queries
SQL Injection:
UPDATE
Update table or database
SQL injection:
DROP TABLE
Deletes table
SQL injection:
Xp_cmdshell
Invokes command shell
SQL injection:
OPENROWSET
MS SQL Server function that reads from or writes to a remote OLE DB data source; in SQLi it is used to copy database contents out to an attacker-controlled server
Typical SQL injection syntax
blah’ or 1=1–
1=1 is what
tautology, an assertion of truth
Outcome of SQL injection in a login context
Logs in as first user in table
Outcome of SQL injection in a database search context
Dumps all records in a table
Spoofing vs Session Hijacking
Spoofing - all responses go to spoofed address
Hijacking - attacker takes over an active session
Steganography
Manipulating least significant bits within image files to hide information
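The card above describes the mechanism; as an added example (not from the deck, and not the code of any steganography tool), here is least-significant-bit hiding and extraction over a constructed byte buffer standing in for an image's pixel bytes. A real image would supply the channel bytes (for example from a decoded bitmap); the 4-byte length header is an assumption of this example so the extractor knows where the message ends.

```python
import random


def _iter_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_hide(carrier: bytes, message: bytes) -> bytes:
    """Write a 4-byte length header plus the message into the LSB of successive carrier bytes."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    for index, bit in enumerate(_iter_bits(payload)):
        out[index] = (out[index] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(out)


def _read_bytes(carrier: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at carrier index `start_bit`."""
    value = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (carrier[start_bit + b * 8 + i] & 1)
        value.append(byte)
    return bytes(value)


def lsb_extract(carrier: bytes) -> bytes:
    """Read the length header, then exactly that many message bytes."""
    length = int.from_bytes(_read_bytes(carrier, 0, 4), "big")
    return _read_bytes(carrier, 32, length)


def make_carrier(size: int, seed: int = 1) -> bytes:
    """Constructed stand-in for an image's pixel bytes (deterministic pseudo-random)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


def max_pixel_change(original: bytes, stego: bytes) -> int:
    """How far any single pixel value moved; LSB hiding changes each by at most 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    cover = make_carrier(4096)
    stego = lsb_hide(cover, b"meet at dawn")
    print(lsb_extract(stego), "max change per byte:", max_pixel_change(cover, stego))
```

Because every pixel moves by at most one level, the picture looks identical to the eye; detection relies on statistics of the LSB plane, not on visual inspection.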
Sparse infector virus
Infects only occasionally (e.g. every nth execution, or only files of a certain size) to limit its footprint and evade detection; a date-triggered payload such as “Friday the 13th” is a time bomb / logic bomb, a separate concept
Stealth virus
Places itself between kernel & user programs to intercept system calls/IO operations
Macro virus
targets MSOffice applications
Trojans
Require a host file
Cannot self replicate or self propagate
Virus
Require a host file
CAN self replicate
CANNOT self propagate
Worm
NOT require a host file
CAN self replicate
CAN self propagate
Phishing
Sending to a broad audience
Spear phishing
targeting individuals
Whaling
targeting upper hierarchy/C-Levels
How does “tracert” work and what is its purpose
Sends probes (ICMP echo on Windows; UDP by default on Linux traceroute) with the TTL incremented from 1 upward; each router that expires the TTL returns ICMP Time Exceeded, revealing the hops on the path
Describe Firewalking
Fingerprinting a firewall
Firewalking
Traceroute
Discover IPs of routers & firewalls
Firewalking
ACK scan
Determine if firewall is stateful or non-stateful
No response -> filtered (stateful firewall drops an ACK that belongs to no session)
RST -> unfiltered (stateless packet filter or no firewall; the host itself answered)
Firewalking
IKE scan
Determine if the firewall is using IPSEC
Firewalking Techniques
- Traceroute
- ACK scan
- IKE scan
- Scan for vendor-specific ports
- Banner grabbing
Session Fixation attack
taking advantage of fixed session IDs (link in password reset email)
Ways to browse the internet anonymously
Proxy
VPN
Anonymizer
HTTP tunneling
Switch sniffing techniques
- SPAN port/ Port Spanning
- MAC flood
- ARP poisoning
- DNS poisoning
- Rogue DHCP server
- Manipulating proxy server setting
What is the default RID for a Windows Administrator account
500
Bits for MD4
128
Bits for MD5
128
Bits for SHA-1
160
Bits for SHA2
224, 256, 384 or 512 (SHA-224, SHA-256, SHA-384, SHA-512)
What is Syskey used for
Encrypt SAM file
Type of encryption used for Syskey
128 bit RC4 encryption
Port:
FTP
20,21
Port:
TFTP
69
Port:
Syslog
514
Port:
RDP
3389
Port:
LDAP
389
Port:
LDAPS
636
Port:
SSH
22
Port:
HTTPS (SSL/TLS)
443
Port:
SMB over NetBIOS
139
Port:
SMB over TCP/IP
445
Port:
Kerberos
88
Port:
DNS Zone Transfer
TCP 53
Port:
DNS lookup
UDP 53
Port:
Network Printing
515, 631, 9100
Port:
SMTP
25
Port:
SNMP
161, 162
Port:
NTP
123
Port:
IKE
500
Port:
DHCP
67, 68
Port:
POP3
110
Port:
IMAP
143
What does the following command do:
type trojan.exe > c:\windows\system32\ping.exe:trojan.exe
Places malicious file within the ADS/Alternate Data Stream of a good file
NTFS data stream. Type and Copy are interchangeable
What does the following command do:
copy trojan.exe c:\windows\system32\ping.exe:trojan.exe
Places malicious file within the ADS/Alternate Data Stream of a good file
NTFS data stream. Type (with > redirection) and copy (with the stream as destination) are interchangeable
Simple SQL Injection
attacker sees responses
Blind SQL injection
attacker does not see query output; asks YES/NO questions through page behaviour (boolean-based) or through time delays with WAITFOR DELAY (MS SQL Server, time-based)
Attack that uses YES or NO responses with the WAITFOR DELAY command
Blind SQL injection
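The SQL injection cards (the `'` test, `-- `, `blah' or 1=1--`, login and search outcomes, simple versus blind injection) are illustrated below in one added example that is not part of the deck. It uses an in-memory SQLite database with a constructed users table: a string-concatenated login that the tautology bypasses, a parameterized login that does not, a search endpoint that a tautology dumps, and a boolean-based blind extraction that recovers a password one character at a time using only yes/no answers from that search endpoint. (SQLite has no WAITFOR DELAY; the time-based variant would replace the yes/no check with a measured delay.)

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, admin inserted first."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cret!"), ("alice", "wonderland"), ("bob", "builder")])
    return db


def vulnerable_login(db, username: str, password: str):
    # User input is pasted into the SQL text, so quotes and -- change the query's meaning.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None   # with `blah' or 1=1--` this is the first user in the table


def safe_login(db, username: str, password: str):
    # Parameterized query: the input is bound as data and never parsed as SQL.
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_search(db, term: str) -> list:
    # Search context: returns every matching row, so a tautology dumps the whole table.
    query = f"SELECT username FROM users WHERE username = '{term}'"
    return [row[0] for row in db.execute(query)]


def blind_extract_password(db, target_user: str, max_len: int = 32) -> str:
    """Boolean-based blind SQLi: the attacker never sees the password column,
    only whether the search returned something (yes) or nothing (no)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for code in range(32, 127):   # printable ASCII
            # Closing quote is commented out with --; the condition asks one yes/no question.
            payload = f"{target_user}' AND unicode(substr(password,{pos},1)) = {code}--"
            if vulnerable_search(db, payload):
                recovered += chr(code)
                found = True
                break
        if not found:       # substr past the end yields '' and the comparison is never true
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as:", vulnerable_login(db, "blah' or 1=1--", "x"))
    print("safe login as:", safe_login(db, "blah' or 1=1--", "x"))
    print("search dump:", vulnerable_search(db, "' or 1=1--"))
    print("blind extraction:", blind_extract_password(db, "admin"))
```

The blind routine needs roughly 95 requests per character; real tooling narrows this with binary search on the code point, but the oracle (one yes/no per request) is the same.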
Difference between sniffing on a Hub network vs a Switch network
Hub - passive
Switch - active
What is the Snow tool
used for Whitespace Steganography
What type of encryption does Snow use
Ice
6 techniques of Anti-spoofing
- Packets arriving from outside that carry an inside/private IP as source
- Packets leaving from inside that carry an outside IP as source
- Packets from a previously unseen network: send test packets (direct probe) to the claimed source
- TTL mismatch (hop count implied by the packet’s TTL differs from a direct probe to the source)
- IPID mismatch (IP ID sequence of the packet differs from what the real host is emitting)
- Exceeding the TCP window size (data beyond the advertised window is not answered by a real peer)
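To make the list above concrete, here is an added example (not from the deck, and not any vendor’s anti-spoofing implementation) that applies the first four checks to a handful of constructed packet records: direction, claimed source and TTL. The inside prefix, the RFC 1918 ranges and the table of hop counts from a direct probe are assumptions of the example; the IPID and window-size checks need packet history and are not implemented here.

```python
import ipaddress

# Assumptions for the example (constructed, not from the original page)
INSIDE_NET = ipaddress.ip_network("203.0.113.0/24")       # the public prefix "we" own
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hop counts to known senders, as measured by probing them directly (traceroute)
MEASURED_HOPS = {"198.51.100.7": 12, "192.0.2.44": 5}


def infer_initial_ttl(ttl: int) -> int:
    """Most stacks start at 64, 128 or 255; assume the smallest initial value that fits."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def estimate_hops(ttl: int) -> int:
    """Hops the packet appears to have travelled, given its remaining TTL."""
    return infer_initial_ttl(ttl) - ttl


def check_packet(pkt: dict) -> list:
    """Return the anti-spoofing rules this packet violates (empty list = looks genuine)."""
    reasons = []
    src = ipaddress.ip_address(pkt["src"])
    if pkt["direction"] == "inbound":
        if any(src in net for net in RFC1918):
            reasons.append("inbound packet with private (RFC 1918) source")
        elif src in INSIDE_NET:
            reasons.append("inbound packet with our own inside prefix as source")
    elif pkt["direction"] == "outbound" and src not in INSIDE_NET:
        reasons.append("outbound packet with an outside source")
    measured = MEASURED_HOPS.get(pkt["src"])
    if measured is not None:
        est = estimate_hops(pkt["ttl"])
        if abs(est - measured) > 2:   # small slack for route changes
            reasons.append(f"TTL implies ~{est} hops but direct probe measured {measured}")
    return reasons


# Constructed sample traffic
SAMPLE_PACKETS = [
    {"src": "10.0.0.5",     "direction": "inbound",  "ttl": 60},   # private source from outside
    {"src": "198.51.100.7", "direction": "inbound",  "ttl": 52},   # genuine: 64-52 = 12 hops
    {"src": "198.51.100.7", "direction": "inbound",  "ttl": 126},  # same source, 2 hops away?
    {"src": "192.0.2.44",   "direction": "outbound", "ttl": 64},   # leaving with a foreign source
    {"src": "203.0.113.9",  "direction": "inbound",  "ttl": 60},   # our own prefix coming in
]


def audit(packets) -> list:
    return [(p["src"], check_packet(p)) for p in packets]


if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_PACKETS):
        print(src, "->", reasons or "ok")
```

The third record is the interesting one: the address is real and reachable, but a TTL of 126 says the sender is two hops away when a direct probe needs twelve, which is exactly the TTL-mismatch signal.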
Wireshark filter syntax:
ip.addr==10.10.1.1
All packets going to and from 10.10.1.1
Wireshark filter syntax:
ip.src==10.10.1.1
All packets coming from 10.10.1.1
Wireshark filter syntax:
ip.dst==10.10.1.1 && tcp.dstport==80
All packets going to 10.10.1.1 destination port 80
&& = AND (|| = OR)
Wireshark filter syntax:
tcp.flags.reset==1
All packets with a Reset flag set
Wireshark filter syntax:
tcp contains wireshark
Packets whose TCP payload contains the (case-sensitive) string “wireshark”, e.g. in HTTP text
Substituting characters that are special in HTML (such as < and >) with their entity form, so the browser renders them as text instead of markup, to prevent XSS attacks is called: _____
HTML entity encoding (output encoding)
Example of HTML entities
&lt; for <
&gt; for >
&amp; for &, &quot; for "
How does IPS/IDS work?
IDS - passive
IPS - active
Uses signature & anomaly detection
Name of server used to provide Blackberry services
BES - Blackberry Enterprise Server
Two types of Input validation
Data boundary, length, size
Data type
Risk of data boundary input validation
Buffer overflow
Risk of data type input validation
Injection
What is Overwriting the EIP (Extended Instruction Pointer)?
Buffer overflow attack
Buffer overflow attack
- Overwriting the EIP/Extended Instruction Pointer
- Overwriting return pointer/ instruction pointer/ return address/ return register
What detects attempted buffer overflow attacks?
Canary word
What does robots.txt do?
Asks well-behaved crawlers (Google, Yahoo, Bing) not to index certain paths on the webserver; it is advisory only, so it also hands an attacker a list of paths the owner would rather hide
Uses for Cain & Abel
- ARP Poisoning
- Sniffing
- Password cracking
- WiFi (WEP) encryption cracking (KoreK attacks, as in aircrack-ng)
What tools use the KoreK attacks?
Cain & Abel
Aircrack-ng
Hybrid password attacks include
Brute force + dictionary
Key length of
Diffie Hellman
Variable; 1536 bits is DH group 5 (group 2 = 1024, group 14 = 2048)
Key length of:
RSA
Variable, minimum 2048
Key length of:
DES
Total: 64
Actual: 56
Key length of:
3DES
Actual: 168
Effective: 112
Key length of:
AES
128, 192 or 256 (minimum 128)
AES encryption:
Protocol (WPA2): CCMP
Algorithm: Rijndael
Key length: 128, 192 or 256 (minimum 128)
Tools that - Verify Integrity - of system and data files?
Tripwire
FCIV (microsoft tool)
Tools that - Verify Authenticity - of program files?
Sigverif (microsoft)
Bit9
Command switch:
Manipulates TTL Value
-i (Windows ping; Linux ping uses -t for TTL, where -i is the interval)
Command switch:
Specifies # of ping packets in Windows
-n
Command switch:
Specifies # of ping packets in Linux
-c
Hardware disk encryption
TPM, HSM (self-encrypting drive)
Full disk encryption
Entire disk including the MBR is encrypted
Software disk encryption
MBR/boot loader not encrypted (it must stay readable to boot and ask for the key)
Partial disk encryption
EFS (Microsoft), file/folder level
Attacker sends ping/icmp packets to a broadcast address with spoofed src IP as victim’s IP
SMURF
Attack that’s the same as a SMURF attack but uses UDP
Fraggle
Attack which takes advantage of TCP 3-way handshake, sends SYN packets to victim with the source & dest IPs pointing to the victim IP
Land attack
Attack which takes advantage of TCP 3-way handshake, attacker sends SYN packets to victim with src IP spoofed to be a nonexistent/random IP, results in a large number of half open connections.
SYN flood (fills the backlog with half-open connections)
Windows 32, Linux 64
Attacker sends oversized ping packets to victim
P.O.D. Ping of death
Trinoo, TFN2k, LOIC, HOIC
DDoS tools
Embedding malicious scripts within webpages, emails, etc
XSS cross site scripting
Similar to XSS, however attacker targets an already authenticated/trusted session and forces the victim to do something they never intended to do
CSRF/XSRF cross site request forgery
If the second half of an LM hash contains a hash value of - AAD3B435B51404EE, it indicates that_______
The password is 7 characters or fewer (LM splits the password into two 7-character halves; an empty second half hashes to that constant)
If the following value is on both sides of an LM hash: - AAD3B435B51404EE, ______
It means LM hash is not being stored
Factorization of 2 large prime numbers describes which agorithm?
RSA encryption
Symmetric encryption provides which of the following Cryptographic objectives:
Options: Confidentiality, Integrity, Authentication (HMAC), Non-Repudiation
Answer: Confidentiality, Integrity, Authentication (HMAC only). No non-repudiation, because both parties hold the same key
Asymmetric encryption provides which of the following Cryptographic objectives:
Options: Confidentiality, Integrity, Authentication, Non-Repudiation
Answer: All 4
Digital Signature provides which of the following Cryptographic objectives:
Options: Confidentiality, Integrity, Authentication, Non-Repudiation
Answer: Integrity, Authentication, Non-repudiation (no confidentiality; the message itself is not encrypted)
Digital Signature
Confidentiality
Integrity
Authentication
Non-Repudiation
Asymmetric encryption
Confidentiality
Integrity
Authentication (HMAC only)
Symmetric encryption
With a digital signature, the hash is encrypted with ____
sender’s private key
A digital signature hash being encrypted with a senders’ private key results in ____
Authenticity
For Authentication, the hash/message is encrypted with _____
sender’s private key
Symmetric encryption is most suited for ____ because of speed
Bulk data
Disadvantages of symmetric encryption?
- No non-repudiation
- Key management (not scalable)
- Key distribution (relies on out of band OOB key distribution)
WIFI encryption:
48 bit IV and 128 bit AES encryption
WPA2
WIFI encryption:
48 bit IV and 128 bit TKIP-RC4 encryption
WPA
Why is WEP considered to be an inherently weak wi-fi encryption standard?
IV is too short (24 bits)
Lacks randomization resulting in frequency patterns
Hashing algorithm:
LMHash
DES
Hashing algorithm:
NTLMv1
MD4
Hashing algorithm:
NTLMv2
HMAC-MD5 (the underlying NT hash is still MD4)
What happens to a switch when the CAM table is flooded?
It fails open and floods frames out every port, behaving like a hub (so the attacker can sniff all traffic)
What is the broadcast address for 180.160.172.0/22?
180.160.175.255
How do you secure SNMP
1. Use SNMP v3
2. Change default passwords/”community strings” (public/private)
2 Methods of banner grabbing using telnet?
1. GET / HTTP/1.0
2. HEAD / HTTP/1.0
Is it possible to block all reconnaissance traffic completely? (ping, tracert, DNS, etc)
No
1 XOR 1 = 0, 1 XOR 0 = 1, 0 XOR 1 = 1, 0 XOR 0 = 0
Truth table for XOR (output is 1 only when the inputs differ)
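The XOR truth table is the whole reason polymorphic (XOR’d) shellcode works: XOR is its own inverse, so one key both encodes and decodes. As an added example, not from the deck and not any real encoder’s code, the block below builds several differently keyed encodings of one constructed payload, shows that each has a different byte pattern but decodes to the same bytes, and chooses only keys whose output avoids “bad characters” such as NUL. The sample payload is arbitrary bytes standing in for real shellcode.

```python
import os


def xor_truth_table() -> dict:
    """XOR of single bits: 1^1=0, 1^0=1, 0^1=1, 0^0=0."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}


def xor_encode(payload: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. Applying it again restores the payload,
    which is exactly what a shellcode decoder stub does at run time."""
    return bytes(b ^ key for b in payload)


def usable_keys(payload: bytes, bad_chars: bytes = b"\x00") -> list:
    """Keys whose encoded output contains none of the bytes the target would choke on
    (a byte equal to the key would encode to 0x00)."""
    return [k for k in range(1, 256)
            if not any((b ^ k) in bad_chars for b in payload)]


def pick_key(payload: bytes, bad_chars: bytes = b"\x00", rng=os.urandom) -> int:
    """Randomly choose one usable key; rng is injectable so tests can be deterministic."""
    keys = usable_keys(payload, bad_chars)
    if not keys:
        raise ValueError("no single-byte key avoids the bad characters")
    return keys[rng(1)[0] % len(keys)]


def polymorphic_variants(payload: bytes, count: int, bad_chars: bytes = b"\x00") -> list:
    """Return `count` (key, encoded) pairs: every variant has a different byte pattern
    (signature) but decodes to the same code. Keys are taken in order so the example
    is deterministic; a real encoder picks them at random."""
    keys = usable_keys(payload, bad_chars)[:count]
    return [(k, xor_encode(payload, k)) for k in keys]


# Constructed sample payload (arbitrary bytes standing in for shellcode; includes a NUL)
SAMPLE_PAYLOAD = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x00\x90"


if __name__ == "__main__":
    for key, enc in polymorphic_variants(SAMPLE_PAYLOAD, 3):
        print("key 0x%02x -> %s -> decodes back: %s" % (key, enc.hex(),
              xor_encode(enc, key) == SAMPLE_PAYLOAD))
```

A signature written against one variant’s bytes misses every other variant; detection has to look for the decoder stub or the behaviour, which is why the metamorphic card goes further and rewrites the decoder as well.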
Computer security incident response team
CSIRT
Provides guidance & solutions on how to secure and test systems
OSSTMM
Provides information on common web application flaws and solutions, OWASP top 10, injection, webgoat
OWASP
SOX
Sarbanes Oxley - Regulation to enforce financial accountability
PCI-DSS
Payment Card Industry Data Security Standard: protects cardholder/payment card data
Types of rootkits
- Application
- Hypervisor
- Bootloader
- DLL
- Kernel
- BIOS
Key escrow
a copy of the private key is held by a trusted third party; commonly it is split into 2 or more parts (M of N control) and each part is given to a different party for safekeeping, so no single holder can use it alone
Recovery agent
designated account used to recover from lost or stolen keys (similar to a master key)
N-Tier architecture:
Infrastructure
The servers are logically grouped by function within individual VLAN segments
N-Tier architecture:
Application architecture
Applications are designed in a modular fashion where changes to one module does not impact other modules
What do these tools have in common?
Brutus John the Ripper Cain & Abel Kerbcrack Hydra
password crackers
Limiting the # of MACs on a switch port
Port security
Network access control, Network access protection
NAC/NAP
Sets & enforces baselines/policies on devices connected to the network
NAC/NAP
Network access control/protection
Sets & enforces baselines/policies on devices connected to the network
EAP/802.1x
RADIUS Kerberos Active directory PKI Secure token
How to disable LMHashes
- Modify registry
- Use GPOs
- Use passwords of 15 or more characters (an LM hash cannot be computed for passwords longer than 14 characters)
Name trust models
Web of Trust
Hierarchical
Bridge
Trust models:
Web of trust
PGP, GPG
Trust models:
HIerarchical
PKI
Trust models:
Bridge
Trust between 2 different PKI hierarchies
Bash bug (CVE-2014-6271): commands appended to a function definition in an environment variable were executed; CGI scripts copy attacker-controlled HTTP headers into environment variables, giving remote shell access
Shellshock
An openSSL vulnerability which gave attackers access to private keys in RAM
Heartbleed
2 different pieces of text produce the same hash value
Collision
Hashing algorithms are collision-resistant. True or false?
True
Risk management:
SLE
Single loss expectancy
Asset value x Exposure factor
Risk management:
Risk
Threat x vulnerability x asset/impact
Risk management:
ALE
Annual loss expectancy
SLE x ARO (= Asset value x Exposure factor x Annualized rate of occurrence)
Risk management:
ARO
Annualized rate of occurrence
Google search:
site:www.cisco.com filetype:pdf
Locating .pdf files on www.cisco.com
http-methods
Nmap script (nmap --script http-methods) that tests which methods are allowed on an HTTP server: GET, PUT, POST, TRACE, etc…
Tool equivalent to Netcat that can be used to have an encrypted netcatlike session?
Cryptcat
Provides multilayer inspection, stateful inspection, maintains state table, enforces 3-way handshake
Stateful inspection firewall
Does deep packet inspection to prevent web application attacks
Web application firewall
Repository of revoked public keys
CRL, certificate revocation list
Online Certificate Status Protocol, used to check CRL in real time
OCSP
Linux tool used to change Windows passwords
chntpw (Offline NT Password & Registry Editor)
Used to gather metadata of public documents
Metagoofil
“RADIUS 2.0”, the successor to RADIUS: uses TCP or SCTP for reliability & provides mobility options
DIAMETER