8 - OCO Flashcards
(53 cards)
1
Q
Lockheed Martin’s Cyber Kill Chain
A
- Framework aimed to improve visibility and understanding of attacker’s TTPs
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
2
Q
Reconnaissance (Lockheed)
A
- Harvesting email addresses, conference information, etc.
3
Q
Weaponization (Lockheed)
A
- Coupling exploit with backdoor into deliverable payload
4
Q
Delivery (Lockheed)
A
- Delivering weaponized bundle to a victim via email, web, etc.
5
Q
Exploitation (Lockheed)
A
- Exploiting a vulnerability to execute code on victim’s system
6
Q
Installation (Lockheed)
A
- Installing malware on the asset
7
Q
Command and Control (Lockheed)
A
- Command channel for remote manipulation of victim
8
Q
Actions on Objectives (Lockheed)
A
- Intruders accomplish original goals
9
Q
MITRE ATT&CK for Enterprise
A
- Adversarial Tactics, Techniques, and Common Knowledge
- Describes actions an adversary would take against a target network
- Last 4 stages of Lockheed Cyber Kill Chain broken down into:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defense Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Exfiltration
– Command and Control
10
Q
Hacker Methodology
A
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Escalating Privileges
- Pilfering Data
- Covering Tracks
- Creating Backdoors
- Actions on Objectives
11
Q
Footprinting (Hacker Methodology)
A
- Collecting data about your target
- Passive - no direct interaction
- Methods
– whois
– nslookup / dig
– Google
– Social Networking
12
Q
Scanning (Hacker Methodology)
A
- Bulk assessment and identification
- Active - direct interaction
- Methods
– Ping sweeps
– Traceroute
– nmap (-sn also does ping sweep)
13
Q
Enumeration (Hacker Methodology)
A
- Looking for vulnerabilities
- Aggressive probing
- Methods
– Service version detection (-sV in nmap)
– OS detection (-O in nmap)
– Banner grabbing
14
Q
Gaining Access (Hacker Methodology)
A
- Establish a foothold on target system
- Methods
– Default usernames/passwords
– Brute force PW guessing
– Remote code execution (metasploit, phishing)
– Buffer overflow
15
Q
Escalating Privileges (Hacker Methodology)
A
- Take full control of system
- Elevate to higher system privileges
- Methods
– Hashdump
– PW Cracking
– Phishing (if from user-level)
16
Q
Pilfering Data (Hacker Methodology)
A
- Gather information from target system
- Copy, don’t move
- System configs
- Shares
- ARP tables
- Be careful of large data transfers
17
Q
Covering Tracks (Hacker Methodology)
A
- Make sure users/admins don’t know we are here
- Methods
– Log removal
– Restarting crashed services
– Timestomping
– Removing uploaded/installed malware
18
Q
Creating Backdoors (Hacker Methodology)
A
- Persist on the system
- Methods
– Rogue user accounts
– Meterpreter
– Netcat
– Cron Job/Scheduled Tasks
19
Q
Actions on Objectives (Hacker Methodology)
A
- Perform end-goal actions on target systems
- Denial of Service
– Encryption
– Password Changes
– Deleting critical system files
- Installing Malware
– Spyware
– Ransomware
- Stealing Information
– PII
– Financial
20
Q
Advanced Methods (Hacker Methodology)
A
- Post Exploitation Survey
- Tunneling
- Buffer overflows
- Rootkits
- Man in the Middle
- Triggering
- Obfuscation
- Social Engineering
21
Q
Post Exploitation Survey (Hacker Methodology)
A
- Target verification
- Information Gathering
- Look for:
– Host verification (IP, hostname, etc.)
– Host configuration (interfaces, firewall rules, installed programs, etc.)
– Situational Awareness (process list, network connections, antivirus, etc.)
– Useful Information (desktop, docs, dirwalk)
22
Q
Pivoting
A
- Using an already compromised host to further exploit deeper into a target network
23
Q
WEP
A
- Wired Equivalent Privacy
- Intended to provide data confidentiality like wired networks
- RC4 encryption
– Keys never used twice (24-bit IV)
– Reuse restriction not guaranteed on busy network, allowing WEP key crack
24
Q
WPA
A
- Wi-Fi Protected Access
- Partial implementation in response to WEP weakness
- TKIP encryption
– Randomly generates a 64- or 128-bit key per packet
– Message integrity check, replaced by CRC
- Retained vulnerabilities of WEP
25
Q
WPA2
A
- Wi-Fi Protected Access II
- AES-CCMP encryption
- Prevents
– Frame forgeries
– Replay attacks
- Never re-uses encryption key
26
Q
WPS
A
- Wi-Fi Protected Setup
- 2 mandatory connection modes
– Push button
– PIN (8-digit PIN; last digit is a checksum; first 4 digits are evaluated separately from the last 3)
- 2 optional connection modes
– NFC
– USB
- 11,000 possible combinations before gaining access to system
27
Q
WPA3
A
- Wi-Fi Protected Access 3
- Simultaneous Authentication of Equals (SAE)
– Replaces WPA2 pre-shared key
- Uses forward secrecy
– Minimal data exposure if hacked
- Easy Connect, Enhanced Open
28
Q
airmon-ng
A
- Modify or show status/mode of wireless interfaces and kill network managers
29
Q
airodump-ng
A
- Packet capture of raw 802.11 frames
- Suitable for collecting on WEP, WPA, and WPA2 networks
30
Q
aireplay-ng
A
- Used for injecting frames
– For WPA2, used for deauth
31
Q
aircrack-ng
A
- Used for cracking WPA2 pre-shared keys (like John the Ripper for Wi-Fi)
– Requires packet capture of WPA2 handshake (with airodump-ng)
32
Q
Wireless Hacking Methodology
A
- Network identification and monitoring
- Client ID and deauth
- Handshake capture
- Password cracking
- Connect to network
- Must
– Know SSID of network
– Be in footprint of AP
– Connect client to the AP
33
Q
Buffer
A
- Region of physical memory used to temporarily store data
34
Q
Buffer Overflow
A
- Entering data that exceeds the buffer size and spills over into other memory space, corrupting or overwriting data stored in that space
35
Q
Rootkit
A
- Malware which hides its presence from users/OS
– Can attach to security software to remain hidden
- Types:
– Hardware/firmware
– Bootloader
– Memory
– Application
– Kernel mode
36
Q
Man-in-the-Middle
A
- Attacker inserts themselves into the communication between two devices
- Attacker impersonates both sides of the conversation
37
Q
Triggering
A
- Interact with a target to have a program perform a defined function for an attacker
- May be triggered through sending packets
- Functions include:
– Running a command
– Starting a listener
– Starting a reverse connection
38
Q
Obfuscation
A
- Making something obscure, unclear, or unintelligible
- Goal is to alter appearance of malware to evade antivirus
- Packers
– Compress malware
– Hide from AV; make it difficult to reverse engineer
- Crypters
– Encrypt, obfuscate, and manipulate software
– Make reverse engineering more difficult
39
Q
Types of Obfuscation
A
- Network traffic
– Make network traffic appear to be something else (e.g., make a beacon look like normal HTTP/HTTPS traffic)
- Executables
– Use packers/obfuscation software to bypass defender programs or prevent reverse engineering
- Text
– Multiple techniques, e.g., base64 encoding
- Steganography
– Hiding information inside pictures (steghide on Kali)
40
Q
Social Engineering
A
- Goal: Convince a target to take actions they would normally not
- Types:
– Pretexting - Creating a believable story
– Baiting - Using the target's greed/curiosity
– Tailgating - Attempting to gain access to restricted areas
– Phishing - Email campaigns
41
Q
SSH Tunnel
A
- Securely forward network traffic through an encrypted SSH connection
- Also known as SSH port forwarding
42
Q
Forward SSH Tunnel
A
- Forward **local port to remote port**, allowing the user to **access a service running on the remote server as if it were running on the local machine**
43
Q
Reverse SSH Tunnel
A
- Forward **remote port to a local port**, allowing the user to access a service **running on local machine** as if it were **running on the remote server**
44
Q
Dynamic SSH Tunnel
A
- Created dynamically
- Used when multiple ports are needed, such as in port scanning
45
Q
SSH Tunnel Options
A
- -f - background after authentication
- -N - do not execute a remote command
- -C - request compression
46
Q
IPTables/Firewall Redirection
A
- Routes traffic through the PREROUTING and POSTROUTING chains without touching the local system
- Won't show up in netstat
- Does not provide encryption (connection must do its own encrypting)
- System must be configured for routing
47
Q
Industrial Control System
A
- Computing systems that control and monitor industrial processes
48
Q
Programmable Logic Controllers (PLC)
A
- Devices that control and monitor industrial machinery
49
Q
Modbus
A
- Protocol used by PLCs
- Establishes communication between devices and facilitates transfer of data between them
- Port 500
- Can be used to:
– Change value of registers
– Read an I/O port
– Read values contained in registers
50
Q
nmap port states
A
- open
– Application listening on that port
- closed
– Port is accessible but has no application listening
- filtered
– Firewall or other network obstacle is blocking the port; nmap cannot tell if it is open or closed
- unfiltered
– Port is accessible, but nmap is unable to determine state
- open | filtered
– Used when nmap is unable to determine if port is open or filtered
- closed | filtered
– Used when nmap is unable to determine if port is closed or filtered
51
Q
netcat flags
A
- -v - verbose
- -w - wait x seconds for a response
- -z - send no data to a TCP connection and only limited data to UDP
- -d - tells nc to detach from the console
- -L - keep listening for connections even after the first connection disconnects
- -p - port to listen on
- -e - execute the following command after connection is made
52
Q
Adobe_Geticon
A
- Exploit used to create a weaponized PDF
53