4.1 Given a Scenarior, use the appropriate tool to access Organizational Security

Question 1

Tracert/Traceroute

Answer 1

This shows the route taken from a computer to a remote host—for example, a website. It can show any latency traveling through a particular router. It is like traffic going into a city center; the closer the traffic is to the center, the slower it is. It shows information for a maximum of 30 hops

Question 2

Nslookup/Dig

Answer 2

Nslookup is a diagnostic tool for verifying the IP address of a hostname in the DNS server database. We can also use the set type=MX command, which brings back the DNS details on all mail servers in the domain.

Dig is the equivalent of nslookup in a Linux/Unix environment.

Question 3

Ipconfig/ifconfig

Answer 3

These commands show the IP configuration. The Windows version is ipconfig, but Unix/Linux can use ifconfig.

Question 4

Nmap

Answer 4

Nmap is a free and open-source network mapper that can be used to create an inventory of all of the devices on your network and can be used for banner grabbing.

Question 5

Ping/Pathping

Answer 5

Ping is used to test connectivity to another host.

Pathping has the functionality of both ping packets and tracert. It also calculates statistics after the trace, showing the packet loss at each router it passes through

Question 6

Netstat

Answer 6

Netstat is a native tool that is incorporated into a Windows operating system. It used to see the established connections and the listening ports. It can also let you know what services are running a computer. If you reboot the computer, all established ports will disappear.

Question 7

Netcat

Answer 7

Netcat, or nc, is a utility for showing network connections in a Linux/Unix environment.

Question 8

IP scanners

Answer 8

IP scanners can scan all IP addresses in a given range. It will show IP addresses that are active and responding, those that are active but not responding, and those that are inactive. An attacker could use an inactive IP address to gain access to your network as they know it is not allocated to anyone.

Question 9

Arp

Answer 9

Address Resolution Protocol (ARP): ARP is used to translate the IP address to a MAC address; the arp -a command shows the ARP cache. An attacker could use ARPSpoof, ARPoison, and Ettercap to poison your ARP cache. These tools could be used to create ARP broadcasts by sending unsolicited ARP replies.

Question 10

Curl

Answer 10

This is a command-line tool used to transfer data. It can also be used in banner grabbing; this fetches remote banner information from web servers. -s is silent and -I is fetching the HTTP headers.

Question 11

The Harvester

Answer 11

This is a passive tool that comes with Kali Linux and we can use it to harvest the email addresses of an organization.

I want to search for the email addresses of a domain called mydomain.com, with a maximum search of 500 entries, and I want to have my source for searching as the google search engine. I would run the following syntax:

theHarvester -d mydomain.com -l 500 -b google

Question 12

Sniper

Answer 12

This is a pen test reconnaissance tool that can be used for automated tests. This tool can be used by pen testers, bug bounty researchers, and security teams. It can look for vulnerabilities in your network, open ports, it can diagnose DNS issues, has Nmap capabilities, and it can find application weaknesses.

Question 13

Scanless

Answer 13

This is a port scanner that can be anonymous so that the scan cannot be traced back to your IP address.

Question 14

Dnsenum

Answer 14

This tool can identify DNS records, such as MX, mail exchange servers, NS, and host A records for a domain. This way, an attacker has an idea of how large your organization is and if it is worth attacking. The internal team can also run it to see what information is available to attackers.

Question 15

Nessus

Answer 15

This is a remote scanning tool that can highlight vulnerabilities that can be exploited by hackers.

Question 16

Cuckoo

Answer 16

This tool creates a sandbox that can be used for analyzing files for malware inspection.

Question 17

File Manipulation

Answer 17

In a Linux environment you may want to look deeper into different files, including the log files that are produced.

Question 18

Head

Answer 18

The most important file in Linux is the /var/log/messages file, which shows system events such as shutdown and reboot. We can use the head command to check the top 10 messages from that log using the following syntax:

head /var/log/messages -n 10

Question 19

Tail

Answer 19

We can use the tail command to view the last 10 messages in the /var/log/messages log file using the following syntax:

tail /var/log/messages -n 10

Question 20

Cat

Answer 20

Concatenate (cat): The cat command in Linux can be used to create files, view files, and also concatenate several files into another file. To create a new file called rugbyfile, we use the following syntax:

cat > rugbyfile

You can also concatenate the contents of three files and combine them in an output file using the following syntax:

cat file1.txt file2.txt file3.txt | sort > samplefile.txt

Question 21

grep

Answer 21

This command is used to search text and log files for specific values. For example, if we wanted to search a file called telephone numbers for the number 236237, we would use the following syntax:

grep -f 236237 telephonenumbers.txt

If we want to search a whole directory for the word project, we can use the following syntax:

grep -r project

Question 22

chmod

Answer 22

The chmod command is used to change the permission level, for example:

chmod 766

Where the owner has rwx, the group has rw-, and the others have rw-.

Question 23

Logger

Answer 23

You can use logger to add a message to the local system log file or to a remote syslog server. We want the name of the local machine and a message of today we found a phishing attack to be added to the syslog server whose IP address is 1.1.1.1 at end of the /var/log/syslog file using the following syntax:

logger -n 1.1.1.1 ‘hostname’ today we found a phishing attack

Question 24

SSH

Answer 24

SSH is used for secure remote access. It replaces Telnet, which sends passwords in cleartext. Before you can start, you need to install the SSH keys on the network devices or servers. First of all, we procure a key pair, and private and public keys are generated. The public key is stored on the server, with the private key remaining on the administrator’s desktop. SSH is available in the command line and Graphical User Interface (GUI).

Using a tool such as OpenSSH, the ssh-keygen -t RSA command generates a public and private RSA key pair on the administrator’s desktop. The next step is to use the ssh-copy-id command to log in to the server and copy the public key across. This is added to the list of authorized key files on the server. While copying, the administrator may be asked to provide their credentials. If you are connecting to a host for the first time, you will get the following message:

Number of key(s) added:1
Now try logging into the machine, with ssh ‘username@<ip>' and check to make sure that only the key(s) you wanted is added.</ip>

If an administrator is logging in for the first time, he will use the ssh-root@server command.

Question 25

PowerShell

Answer 25

Another version of remote support is Microsoft’s PowerShell, which will allow remote access to another machine. On the remote target, we would run the PowerShell command, Enable-PSRemoting -Force. This command would allow for remote management, and then we would use the command Enter-PSSession -ComputerName <hostname>. PowerShell could be used for lateral movement across a network.</hostname>

Question 26

Python

Answer 26

Python is an interpreted programming language that includes extensive libraries, which simplify many programming tasks.

Question 27

OpenSSL

Answer 27

OpenSSL is a software library used to implement SSL and TLS protocols.

TLS has replaced SSL because of SSL vulnerabilities, so OpenSSL is primarily used with TLS, not SSL. It is accessible via the terminal in most Unix-like operating systems, such as Linux.

Question 28

Packet capture and replay

Answer 28

Packet capture refers to capturing network packets transmitted over a network, and packet replay refers to sending packets back out over the network.

Question 29

Tcpreplay

Answer 29

Tcpreplay is a suite of utilities used to edit packet captures and then send the edited packets over the network. It includes tcpreplay, tcpprep, tcprewrite, and more. It is often used for testing network devices.

As an example, administrators can modify packets to mimic known attacks and then send them to an intrusion detection system (IDS). Ideally, an IDS should always detect a known attack and send an alert. Using tcpreplay, security administrators can prove that an IDS can detect specific attacks.

Question 30

Tcpdump

Answer 30

The tcpdump command is a command-line protocol analyzer. It allows you to capture packets like you can with Wireshark. The difference is that Wireshark is a Windows-based tool and tcpdump is executed from the command line. Many administrators use tcpdump to capture the packets and later use Wireshark to analyze the packet capture.

Question 31

Wireshark

Answer 31

Protocol analyzers like Wireshark allow you to capture and view all data, including headers and payloads of individual packets. In contrast, NetFlow doesn’t include payload data and doesn’t even include individual packet headers.

Question 32

Digital forensics

Answer 32

Organizations implement digital forensic techniques when collecting information after an incident.

Question 33

data duplicator (dd)

Answer 33

One of the oldest disk imaging tools used for forensics is the dd command (short for data duplicator) available in Linux systems, including Kali Linux. It can also be installed on Windows systems.

Question 34

Memory dump (Memdump)

Answer 34

When a computer system crashes (commonly known as the blue screen of death), all of the content of the memory is saved in a dump file (.dmp). These dump files can be analyzed by using a tool such as Blue Screen Review. A Linux version would be memdump.

Question 35

WinHex

Answer 35

This can be used on any version of Windows operating systems to help forensics teams find evidence. It is a hexadecimal editor that can be used to find deleted or lost data and recover data from a corrupt drive

Question 36

FTK imager

Answer 36

FTK imager is part of the Forensic Toolkit (FTK) sold by AccessData. It can capture an image of a disk as a single file or multiple files and save the image in various formats. It also gives you the option of creating images of individual folders or files. After capturing the image, it allows you to view and analyze data within the image.

Question 37

Autopsy

Answer 37

This can be used to analyze hard drives, smartphones, and media cards. It has a built-in translator to translate foreign languages into English.

It allows users to add command-line utilities from The Sleuth Kit (TSK). The Sleuth Kit includes both Windows- and Linux-based utilities used in forensics, and it can be used to analyze data on Windows, Linux, and some Apple operating systems.

Question 38

Exploitation frameworks

Answer 38

An exploitation framework is a tool used to store information about security vulnerabilities. It is often used by penetration testers (and attackers) to detect and exploit software.

Question 39

Password crackers

Answer 39

Password crackers, such as the Cain portion of Cain and Able or LOphtcrack, can be used to crack the passwords and create password hashes. In the Security+ exam, when you see names in clear text followed by hashes, the hash is a hash of the password.

Question 40

Data Sanitization

Answer 40

Data sanitization methods ensure that data is removed or destroyed from any devices before disposing of the devices.