4.1 Operations and Incident Response (IR) Flashcards

(39 cards)

1
Q

a Reconnaissance Tool-
provides a map of how data on the internet travels from its source to its destination. [this] differs in that it examines how the data moves through the internet.
• Determine the route a packet takes to a destination
– Map the entire path
• tracert (Windows) or traceroute (POSIX)
• Takes advantage of the ICMP Time to Live Exceeded error message
– The time in TTL refers to hops, not seconds or minutes
– TTL=1 is the first router, TTL=2 is the second router, etc.
• Not all devices will reply with ICMP Time Exceeded messages
– Some firewalls filter ICMP
– ICMP is low-priority for many devices

A

traceroute

2
Q
a Reconnaissance Tool-
• Lookup information from DNS servers
– Canonical names, IP addresses, cache timers, etc.
• nslookup
– Both Windows and POSIX-based
– Lookup names and IP addresses
– Deprecated (use dig instead)
• dig or DiG (Domain Information Groper)
– More advanced domain information
– Probably your first choice
– Install in Windows: https://professormesser.link/digwin
A

nslookup and dig

3
Q

a Reconnaissance Tool-
• Most of your troubleshooting starts with your IP address
– Ping your local router/gateway
• Determine TCP/IP and network adapter information
– And some additional IP details
• ipconfig – Windows TCP/IP configuration
• ifconfig – Linux interface configuration

A

ipconfig and ifconfig

4
Q
a Reconnaissance Tool-
• Network mapper
– Find and learn more about network devices
• Port scan
– Find devices and identify open ports
• Operating system scan
– Discover the OS without logging in to a device
• Service scan
– What service is available on a device? Name, version, details
• Additional scripts
– Nmap Scripting Engine (NSE)
• Extend capabilities, vulnerability scans
A

Nmap

5
Q

a Reconnaissance Tool-
• Test reachability
– Determine round-trip time
– Uses Internet Control Message Protocol (ICMP)
• One of your primary troubleshooting tools
– Can you ping the host?
• Written by Mike Muuss in 1983
– The sound made by sonar
– Not an acronym for Packet INternet Groper
– A backronym

A

ping

6
Q
a Reconnaissance Tool-
• Combine ping and traceroute
– Included with Windows NT and later
• First phase runs a traceroute
– Build a map
• Second phase
– Measure round trip time and packet loss at each hop
A

pathping

7
Q
a Reconnaissance Tool-
• TCP/IP packet assembler/analyzer
– A ping that can send almost anything
• Ping a device
– ICMP, TCP, UDP
– #hping3 --destport 80 10.1.10.1
• Send crafted frames
– Modify all IP, TCP, UDP, and ICMP values
• A powerful tool
– It’s easy to accidentally flood and DoS
– Be careful!
A

hping

8
Q
a Reconnaissance Tool-
• Network statistics
– Many different operating systems
• netstat -a
– Show all active connections
• netstat -b
– Show binaries
• netstat -n
– Do not resolve names
A

netstat

9
Q
a Reconnaissance Tool-
• “Read” or “write” to the network
– Open a port and send or receive some traffic
• Many different functions
– Listen on a port number
– Transfer data
– Scan ports and send data to a port
• Become a backdoor
– Run a shell from a remote device
• Other alternatives and OSes - Ncat
A

netcat

10
Q

a Reconnaissance Tool-
• Search a network for IP addresses
– Locate active devices
– Avoid doing work on an IP address that isn’t there
• Many different techniques
– ARP (if on the local subnet)
– ICMP requests (ping)
– TCP ACK
– ICMP timestamp requests
• A response means more recon can be done
– Keep gathering information - Nmap, hping, etc.

A

IP scanners

11
Q

a Reconnaissance Tool-
• Determine a MAC address based on an IP address
– You need the hardware address to communicate
• arp -a
– View local ARP table

A

Address Resolution Protocol

12
Q
a Reconnaissance Tool-
• View the device’s routing table
– Find out which way the packets will go
• Windows: route print
• Linux and macOS: netstat -r
curl
• Client URL
– Retrieve data using a URL
– Uniform Resource Locator
– Web pages, FTP, emails, databases, etc.
• Grab the raw data
– Search
– Parse
– Automate
A

route

13
Q
a Reconnaissance Tool-
• Gather OSINT
– Open-Source Intelligence
• Scrape information from Google or Bing
– Find associated IP addresses
• List of people from LinkedIn
– Names and titles
• Find PGP keys by email domain
– A list of email contacts
• DNS brute force
– Find those unknown hosts; vpn, chat, mail, partner, etc.
A

theHarvester

14
Q

a Reconnaissance Tool-
• Combine many recon tools into a single framework
– dnsenum, metasploit, nmap, theHarvester, and much more
• Both non-intrusive and very intrusive scanning options
– You choose the volume
• Another tool that can cause problems
– Brute force, server scanning, etc
– Make sure you know what you’re doing

A

sn1per

15
Q
a Reconnaissance Tool-
• Run port scans from a different host
– Port scan proxy
• Many different services
– Choose the option for scan origination
– Your IP is hidden as the scan source
A

scanless

16
Q

a Reconnaissance Tool-
• Enumerate DNS information
– Find host names
• View host information from DNS servers
– Many services and hosts are listed in DNS
• Find host names in Google
– More hosts can probably be found in the index

17
Q
a Reconnaissance Tool-
• Industry leader in vulnerability scanning
– Extensive support
– Free and commercial options
• Identify known vulnerabilities
– Find systems before they can be exploited
• Extensive reporting
– A checklist of issues
– Filter out the false positives
18
Q
a Reconnaissance Tool-
• A sandbox for malware
– Test a file in a safe environment
• A virtualized environment
– Windows, Linux, macOS, Android
• Track and trace
– API calls, network traffic, memory analysis
– Traffic captures
– Screenshots
19
Q
a File Manipulation Tools-
• View the first part of a file
– The head, or beginning, of the file
– head [OPTION] … [FILE] …
• Use -n to specify the number of lines
– head -n 5 syslog
20
Q
a File Manipulation Tools-
• View the last part of a file
– The tail, or end, of the file
– tail [OPTION] … [FILE] …
• Use -n to specify the number of lines
– tail -n 5 syslog
21
Q
a File Manipulation Tools-
• Concatenate
– Link together in a series
• Copy a file/files to the screen
– cat file1.txt file2.txt
• Copy a file/files to another file
– cat file1.txt file2.txt > both.txt
22
Q
a File Manipulation Tools-
• Find text in a file
– Search through many files at a time
• grep PATTERN [FILE]
– grep failed auth.log
23
Q
a File Manipulation Tools-
• Change mode of a file system object
– r=read, w=write, x=execute
– Can also use octal notation
– Set for the file owner (u), the group (g), others (o), or all (a)
– chmod mode FILE
– chmod 744 script.sh
• chmod 744 first.txt
– User; read, write execute
– Group; read only
– Other; read only
• chmod a-w first.txt
– All users, no writing to first.txt
• chmod u+x script.sh
– The owner of script.sh can execute the file
24
Q

a File Manipulation Tools-
• Add entries to the system log
– syslog
• Adding to the local syslog file
– logger “This information is added to syslog”
• Useful for including information in a local or remote syslog file
– Include as part of an automation script
– Log an important event

25
network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
• Encrypted console communication - tcp/22
• Looks and acts the same as Telnet
SSH (Secure Shell)
26
a powerful tool for automating tasks and simplifying configuration; it can be used to automate almost any task in the Windows ecosystem, including Active Directory and Exchange.
• Command line for system administrators
– .ps1 file extension
– Included with Windows 8/8.1 and 10
• Extend command-line functions
– Uses cmdlets (command-lets)
– PowerShell scripts and functions
– Standalone executables
• Automate and integrate
– System administration
– Active Domain administration
Windows PowerShell
27
a computer programming language often used to build websites and software, automate tasks, and conduct data analysis. [this] is a general-purpose language, meaning it can be used to create a variety of different programs and isn't specialized for any specific problems.
• General-purpose scripting language
– .py file extension
• Popular in many technologies
– Broad appeal and support
Python
28
general-purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
• A toolkit and crypto library for SSL/TLS
– Build certificates, manage SSL/TLS communication
• Create X.509 certificates
– Manage certificate signing requests (CSRs) and certificate revocation lists (CRLs)
• Message digests
– Support for many hashing protocols
• Encryption and decryption
– SSL/TLS for services
• Much more
OpenSSL
29
a Packet Tool- a suite of free open source utilities for editing and replaying previously captured network traffic.
• A suite of packet replay utilities
– Replay and edit packet captures
– Open source
• Test security devices
– Check IPS signatures and firewall rules
• Test and tune IP Flow/NetFlow devices
– Send hundreds of thousands of traffic flows per second
• Evaluate the performance of security devices
– Test throughput and flows per second
Tcpreplay
30
a Packet Tool- an open source command-line tool for monitoring (sniffing) network traffic.
• Capture packets from the command line
– Display packets on the screen
– Write packets to a file
tcpdump
31
a Packet Tool- an open source tool for profiling network traffic and analyzing packets; a packet sniffer and analysis tool.
• Graphical packet analyzer
– Get into the details
• Gathers frames on the network
– Or in the air
• Sometimes built into the device
– View traffic patterns
– Identify unknown traffic
– Verify packet filtering and security controls
• Extensive decodes
– View the application traffic
Wireshark
32
a forensic tool - a command-line tool primarily used in Unix operating systems. It serves a very simple, yet useful purpose: to copy data from a specified source to a specified destination.
• A reference to the DD command in IBM mainframe JCL (Job Control Language)
– Data Definition (ASCII to EBCDIC converter)
• Create a bit-by-bit copy of a drive
– Used by many forensics tools
• Create a disk image
– dd if=/dev/sda of=/tmp/sda-image.img
• Restore from an image
– dd if=/tmp/sda-image.img of=/dev/sda
dd (data dump/definition/duplication)
33
a forensic tool - a snapshot capture of computer memory data from a specific instant. A memory dump can contain valuable forensic data about the state of the system before an incident such as a crash or security compromise.
• Copy information in system memory to the standard output stream
– Everything that happens is in memory
– Many third-party tools can read a memory dump
• Copy to another host across the network
– Use netcat, stunnel, openssl, etc.
memdump
34
a forensic tool - an advanced hex editor, a tool for data analysis, editing, and recovery, a data wiping tool, and a forensics tool used for evidence gathering.
• A universal hexadecimal editor for Windows OS
• Edit disks, files, RAM
– Includes data recovery features
• Disk cloning
– Drive replication
• Secure wipe
– Hard drive cleaning
• Much more
– A full-featured forensics tool
Winhex
35
a forensic tool - a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted. It produces a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space.
• AccessData forensic drive imaging tool
– Includes file utilities and read-only image mounting
– Windows executable
• Widely supported in many forensics tools
– Third-party analysis
• Support for many different file systems and full disk encryption methods
– Investigator still needs the password
• Can also import other image formats
– dd, Ghost, Expert Witness, etc.
FTK imager
36
a forensic tool -
• Perform digital forensics of hard drives, smartphones
– View and recover data from storage devices
• Extract many different data types
– Downloaded files
– Browser history and cache
– Email messages
– Databases
– Much more
Autopsy
37
a forensic tool - supported software packages that contain reliable exploit modules and other useful features, such as agents used for successful repositioning.
• A pre-built toolkit for exploitations
– Build custom attacks
– Add more tools as vulnerabilities are found
– Increasingly powerful utilities
• Metasploit
– Attack known vulnerabilities
• The Social-Engineer Toolkit (SET)
– Spear phishing, infectious media generator
Exploitation frameworks
38
a forensic tool - recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password.
• The keys to the kingdom
– Find the passwords
• Online cracking
– Try username/password combinations
• Offline cracking
– Brute force a hash file
• Limitations
– Password complexity / strength (entropy)
– Hashing method and CPU power
– Graphics processors are useful hardware tools
Password crackers
39
a forensic tool - the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, DVDs, etc.) or in hard copy form.
• Completely remove data
– No usable information remains
• Many different use cases
– Clean a hard drive for future use
– Permanently delete a single file
• A one-way trip
– Once it’s gone, it’s really gone
– No recovery with forensics tools
Data sanitization