4.1

Question 1

Network Reconnaissance and Discovery

Answer 1

Networks are like most infrastructure—you never see or care about it until it isn’t working. And when you do want to look, how do you do it? A wide range of tools can be used to permit you to see the inner workings of a network, and they are covered in the sections that follow.

Question 2

tracert/traceroute

Answer 2

This shows the route taken from a computer to a remote host—for example, a website. It can show any latency traveling through a particular router. It is like traffic going into a city center; the closer the traffic is to the center, the slower it is. It shows information for a maximum of 30 hops.

Question 3

nslookup/dig

Answer 3

Nslookup is a diagnostic tool for verifying the IP address of a hostname in the DNS server database. We can also use the set type=MX command, which brings back the DNS details on all mail servers in the domain.

Dig is the equivalent of nslookup in a Linux/Unix environment.

Question 4

ipconfig/ifconfig

Answer 4

These commands show the IP configuration. The Windows version is ipconfig, but Unix/Linux can use ifconfig.

Question 5

nmap

Answer 5

Nmap is a free and open-source network mapper that can be used to create an inventory of all of the devices on your network and can be used for bannergrabbing.

Question 6

ping/pathping

Answer 6

Ping is used to test connectivity to another host.

Question 7

hping

Answer 7

This tool can be used as a TCP/IP packet assembler and analyzer. It allows you to test the security of your network devices, such as firewall rules and open ports, and analyzes network traffic, including packet formats and traceroute.

Question 8

netstat

Answer 8

Netstat is a native tool that is incorporated into a Windows operating system. It used to see the established connections and the listening ports. It can also let you know what services are running a computer. If you reboot the computer, all established ports will disappear.

Question 9

netcat

Answer 9

Netcat, or nc, is a utility for showing network connections in a Linux/Unix environment.

Question 10

IP scanners

Answer 10

It will show IP addresses that are active and responding, those that are active but not responding, and those that are inactive. An attacker could use an inactive IP address to gain access to your network as they know it is not allocated to anyone.

Question 11

arp

Answer 11

ARP is used to translate the IP address to a MAC address; the arp -a command shows the ARP cache. An attacker could use ARPSpoof, ARPoison, and Ettercap to poison your ARP cache. These tools could be used to create ARP broadcasts by sending unsolicited ARP replies.

Question 12

route

Answer 12

The route command works in Linux and Windows systems to provide information on current routing parameters and to manipulate these parameters. In addition to listing the current routing table, it has the ability to modify the table.

Question 13

curl

Answer 13

This is a command-line tool used to transfer data. It can also be used in banner grabbing; this fetches remote banner information from web servers. -s is silent and -I is fetching the HTTP headers.

Question 14

theHarvester

Answer 14

This is a passive tool that comes with Kali Linux and we can use it to harvest the email addresses of an organization.

Question 15

sn1per

Answer 15

This is a pen test reconnaissance tool that can be used for automated tests. This tool can be used by pen testers, bug bounty researchers, and security teams. It can look for vulnerabilities in your network, open ports, it can diagnose DNS issues, has Nmap capabilities, and it can find application

Question 16

scanless

Answer 16

This is a port scanner that can be anonymous so that the scan cannot be traced back to your IP address.

Question 17

dnsenum

Answer 17

This tool can identify DNS records, such as MX, mail exchange servers, NS, and host A records for a domain. This way, an attacker has an idea of how large your organization is and if it is worth attacking. The internal team can also run it to see what information is available to attackers.

Question 18

Nessus

Answer 18

This is a remote scanning tool that can highlight vulnerabilities that can be exploited by hackers.

Question 19

Cuckoo

Answer 19

This tool creates a sandbox that can be used for analyzing files for malwareinspection.

Question 20

head

Answer 20

Head is a utility designed to return the first lines of a file. A common option is the number of lines one wishes to return. For example, head -5 returns the first five lines of a file.

Question 21

tail

Answer 21

Tail is a utility designed to return the last lines of a file. A common option is the number of lines one wishes to return. For example, tail -5 returns the last five lines of a file.

Question 22

cat

Answer 22

Cat is a Linux command, short for concatenate, that can be used to create and manipulate files. It can display the contents of a file, handle multiple files, and can be used to input data from stdin, which is a stream of input, to a file if the file does not exist.

Question 23

grep

Answer 23

Grep is a Linux utility that can perform pattern-matching searches on file contents.

Question 24

chmod

Answer 24

Chmod is the Linux command used to change access permissions of a file. The general form of the command is

chmod

Question 25

logger

Answer 25

The Linux command logger is how you can add log file information to /var/log/syslog. The logger command works from the command line, from scripts, or from other files, thus providing a versatile means of making log entries.

Question 26

SSH

Answer 26

SSH is a cryptographically secured means of communicating and managing a network. SSH uses port 22 and is the secure replacement for Telnet.

Question 27

Powershell

Answer 27

Another version of remote support is Microsoft's PowerShell, which will allow remote access to another machine. On the remote target, we would run the PowerShell command, Enable-PSRemoting -Force. This command would allow for remote management, and then we would use the command Enter-PSSession -ComputerName . PowerShell could be used for lateral movement across a network.

Question 28

Python

Answer 28

Python is a computer language commonly used for scripting and data analysis tasks facing system administrators and security personnel. Python is a full-fledged computer language. It supports objects, functional programming, and garbage collection, and most importantly has a very large range of libraries that can be used to bring functionality to a program. The downside is that it is interpreted, so speed is not a strong attribute. However, usability is high, and coupled with the library support, Python is a must-learn language for most security professionals.

Question 29

OpenSSL

Answer 29

OpenSSL is a general-purpose cryptography library that offers a wide range of cryptographic functions on Windows and Linux systems. Designed to be a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, it provides so much more for real-world daily challenges.

Question 30

TCPreplay

Answer 30

This is an open-source tool that can be used to analyze .pcap files generated by either Wireshark or tcpdump and then replay the traffic and send it to the NIPS to see whether it detects it.

Question 31

Tcpdump

Answer 31

This is used by Linux/Unix as a packet sniffer command. | tcpdump -i eth0 shows information on the first Ethernet adapter

Question 32

Wireshark

Answer 32

Wireshark is the gold standard for graphical analysis of network protocols. With dissectors that allow the analysis of virtually any network protocol, this tool can allow you to examine individual packets, monitor conversations, carve out files, and more. When it comes to examining packets, Wireshark is the tool.

Question 33

dd

Answer 33

Data dump (dd) is a Linux command-line utility used to convert and copy files. On Linux systems, virtually everything is represented in storage as a file, and dd can read and/or write from/to these files, provided that function is implemented in the respective drivers. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive, obtaining a fixed amount of random data, or copying (backing up) entire disks.

Question 34

Memdump

Answer 34

Linux has a utility program called memory dumper, or memdump. This program dumps system memory to the standard output stream, skipping over any holes in memory maps. By default, the program dumps the contents of physical memory (/dev/mem). The output from memdump is in the form of a raw dump. Because running memdump uses memory, it is important to send the output to a location that is off the host machine being copied, using a tool such as netcat.

Question 35

WinHex

Answer 35

WinHex is a hexadecimal file editor. This tool is very useful in forensically investigating files, and it provides a whole host of forensic functions such as the ability to read almost any file, display contents of the file, convert between character sets and encoding, perform hash verification functions, and compare files.

Question 36

Autopsy

Answer 36

FTK Imager is the company AccessData’s answer to dd. FTK Imager is a commercial program, free for use, and is designed to capture an image of a hard drive (or other device) in a forensic fashion. Forensic duplications are bit-by-bit copies, supported by hashes to demonstrate that the copy and the original are exact duplicates in all ways. As with all forensically sound collection tools, FTK Imager retains the file system metadata (and the file path) and creates a log of the files copied. This process does not change file access attributes. FTK Imager is part of the larger, and commercial, FTK suite of forensic tools.

Question 37

FTK Imager

Answer 37

Autopsy is the open source answer for digital forensic tool suites. This suite, developed by Brian Carrier, has evolved over the past couple of decades into a community-supported open source project that can perform virtually all digital forensic functions. It runs on Windows and offers a comprehensive set of tools that can enable network-based collaboration and automated, intuitive workflows. It has tools to support hard drives, removable devices, and smartphones.

Question 38

Exploitation frameworks

Answer 38

Exploitation frameworks are toolsets designed to assist hackers in the tasks associated with exploiting vulnerabilities in a system. These frameworks are important because the exploitation path typically involves multiple steps, all done in precise order on a system to gain meaningful effect. The most commonly used framework is Metasploit, a set of “tools” designed to assist a penetration tester in carrying out the steps needed to exploit a vulnerability on a system.

Question 39

Password Crackers

Answer 39

Password crackers are used by hackers to find weak passwords. Why would a system administrator use one? Same reason. Running your system’s password lists through a password cracker provides two things: an early warning of a crackable password, and peace of mind that your passwords are safe when you can’t crack any in a reasonable period of time.

Question 40

Data Sanitization

Answer 40

Data sanitization tools are tools used to destroy, purge, or otherwise identify for destruction specific types of data on systems. Before a system can be retired and disposed of, you need to sanitize the data needs. There are several approaches, the first being the whole disk approach.